ChangeLog-2018-09-11 [plain text]
2018-09-10 Michael Saboff <msaboff@apple.com>
Test262 failure with Named Capture Groups - using a reference before the group is defined
https://bugs.webkit.org/show_bug.cgi?id=189407
Reviewed by Alex Christensen.
Added code to save the named forward references we see during parsing and validating that
they are all present when parsing the RegExp is complete. If there are unnamed references,
we reparse with some variation of behavior. Just like for numeric references, the
behavior is different depending on whether or not the unicode (u flag) is present.
For non-unicode patterns, we treat the \k<...> as a literal pattern. For a unicode
pattern we throw an exception.
Did some refactoring, renaming YarrPattern::reset() and YarrPatternConstructor::reset()
resetForReparsing() as that is the only use for those methods. Also changed
all the delegate methods that take a String to take a const String& to eliminate
copy churn.
* yarr/YarrParser.h:
(JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
(JSC::Yarr::Parser::CharacterClassParserDelegate::isValidNamedForwardReference):
(JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedForwardReference):
(JSC::Yarr::Parser::parseEscape):
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::resetForReparsing):
(JSC::Yarr::YarrPatternConstructor::saveUnmatchedNamedForwardReferences):
(JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
(JSC::Yarr::YarrPatternConstructor::isValidNamedForwardReference):
(JSC::Yarr::YarrPatternConstructor::atomNamedForwardReference):
(JSC::Yarr::YarrPattern::compile):
(JSC::Yarr::YarrPatternConstructor::reset): Deleted.
* yarr/YarrPattern.h:
(JSC::Yarr::YarrPattern::resetForReparsing):
(JSC::Yarr::YarrPattern::containsIllegalNamedForwardReferences):
(JSC::Yarr::YarrPattern::reset): Deleted.
* yarr/YarrSyntaxChecker.cpp:
(JSC::Yarr::SyntaxChecker::atomNamedBackReference):
(JSC::Yarr::SyntaxChecker::isValidNamedForwardReference):
(JSC::Yarr::SyntaxChecker::atomNamedForwardReference):
2018-09-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove loadModule function in jsc.cpp
https://bugs.webkit.org/show_bug.cgi?id=184808
Reviewed by Darin Adler.
Since we have `import`, we do not need to have `loadModule` function for testing purpose.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionLoadModule): Deleted.
2018-09-07 Mark Lam <mark.lam@apple.com>
Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
https://bugs.webkit.org/show_bug.cgi?id=189317
<rdar://problem/44152198>
Reviewed by Filip Pizlo.
handleIntrinsicCall() is normally used for checking if an op_call is a call to
an intrinsic function, and inlining it if it's a match.
However, getter and setter functions also does calls, and uses handleCall()
to implement the call. handleCall() eventually calls handleIntrinsicCall() to
check for intrinsics. This results in a bug because handleIntrinsicCall()
sometimes relies on the ArrayProfile* of the instruction, and is always assuming
that the instruction is op_call shaped. This turns out to be not true: getters
and setters can get there with op_get_by_val and op_put_by_val instead.
Since the intrinsic functions handled by handleIntrinsicCall() are never
intended to be used as getter / setter functions anyway, we can prevent this
whole class of bugs by having handleIntrinsicCall() fail early if the
instruction is not op_call shaped.
To implement this fix, we did the following:
1. Introduced the OpcodeShape enum.
2. Introduced isOpcodeShape<OpcodeShape>() for testing if a instruction of the
shape of the specified OpcodeShape.
3. Introduced arrayProfileFor<OpcodeShape>() for fetching the ArrayProfile* from
the instruction given the OpcodeShape.
Using this arrayProfileFor template has the following benefits:
1. Centralizes the definition of which instructions has an ArrayProfile* operand.
2. Centralizes the definition of which operand is the ArrayProfile*.
3. Asserts that the instruction is of the expected shape when retrieving the
ArrayProfile*.
4. Added ArrayProfile::m_typeName and ArrayProfile::s_typeName which are used
in ArrayProfile::isValid() as a sanity check that a retrieved ArrayProfile*
indeed does point to an ArrayProfile.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/ArrayProfile.cpp:
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::isValid const):
* bytecode/OpcodeInlines.h: Added.
(JSC::isOpcodeShape):
(JSC::arrayProfileFor):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::parseBlock):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_has_indexed_property):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_has_indexed_property):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::getByVal):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
2018-09-06 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[DFG] DFG should handle String#toString
https://bugs.webkit.org/show_bug.cgi?id=189151
Reviewed by Saam Barati.
We handle String#toString and String#valueOf in DFG by introducing StringValueOf node.
In the fixup phase, we attempt to lower StringValueOf to the existing ToString or Identity
nodes. If we fail to lower it, we have StringValueOf(UntypedUse), which may raise an error
if an argument is neither String nor StringObject. The error message in String#toString and
String#valueOf is poor, which will be handled in a separate bug[1].
It improves simple microbenchmarks by 53.4 - 67.6%.
baseline patched
string-object-to-string 21.7308+-3.3147 ^ 12.9655+-0.0527 ^ definitely 1.6760x faster
string-object-value-of 20.1122+-0.0691 ^ 13.1134+-0.2482 ^ definitely 1.5337x faster
[1]: https://bugs.webkit.org/show_bug.cgi?id=189357
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupStringValueOf):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToToString):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
(JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
(JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor): Deleted.
2018-09-07 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[WebAssembly] Optimize JS to Wasm call by using pointer of Signature as SignatureIndex
https://bugs.webkit.org/show_bug.cgi?id=189401
Reviewed by Mark Lam.
SignatureInformation is a global repository for Signature to make Signature atomic.
It takes Ref<Signature>&& and generates SignatureIndex. And we get const Signature&
by using this SignatureIndex. However, converting SignatureIndex to const Signature&
always looks up a hash table. This is costly since JS to Wasm calls always use
Signature& to check types of arguments.
Instead of using this hash table, this patch uses a pointer of Signature as SignatureIndex.
This allows us to convert SignatureIndex to Signature by just casting it.
We also optimize SignatureInformation::singleton by making an accessor function inlined.
And we move ProtoCallFrame::init to the header since it's just setting values.
This change significantly optimizes JS to wasm calls (1e7 times) from 600ms to 320ms.
In the future, we can remove SignatureIndex by directly handling Ref<Signature>: adding
deref() of Signature which unregisters itself from SignatureInformation carefully. Or we can
make SignatureIndex uint32_t by introducing a mechanism similar to StructureID.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* interpreter/ProtoCallFrame.h:
(JSC::ProtoCallFrame::init):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBBQPlan.cpp:
* wasm/WasmFormat.h:
(JSC::Wasm::WasmToWasmImportableFunction::offsetOfSignatureIndex):
* wasm/WasmFunctionParser.h:
* wasm/WasmModule.h:
* wasm/WasmOMGPlan.cpp:
* wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseType):
* wasm/WasmSignature.cpp:
(JSC::Wasm::SignatureInformation::adopt):
(JSC::Wasm::SignatureInformation::tryCleanup):
(JSC::Wasm::SignatureInformation::singleton): Deleted.
(JSC::Wasm::SignatureInformation::get): Deleted.
* wasm/WasmSignature.h:
(JSC::Wasm::Signature::index const):
(JSC::Wasm::SignatureHash::SignatureHash):
(JSC::Wasm::SignatureHash::hash):
(JSC::Wasm::SignatureHash::isHashTableDeletedValue const):
(JSC::Wasm::SignatureHash::empty): Deleted.
(JSC::Wasm::SignatureHash::deleted): Deleted.
* wasm/WasmSignatureInlines.h: Renamed from Source/JavaScriptCore/interpreter/ProtoCallFrame.cpp.
(JSC::Wasm::SignatureInformation::singleton):
(JSC::Wasm::SignatureInformation::get):
* wasm/js/JSToWasm.cpp:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.cpp:
* wasm/js/WebAssemblyModuleRecord.cpp:
* wasm/js/WebAssemblyWrapperFunction.cpp:
2018-09-07 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Put .throwStackOverflow code after the fast path in LLInt doVMEntry
https://bugs.webkit.org/show_bug.cgi?id=189410
Reviewed by Mark Lam.
Put .throwStackOverflow code after the fast path in LLInt doVMEntry to
make doVMEntry code tight.
* llint/LLIntThunks.cpp:
(JSC::vmEntryToWasm): Deleted.
* llint/LLIntThunks.h:
(JSC::vmEntryToWasm):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-09-06 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[WebAssembly] Optimize JS to Wasm call by removing Vector allocation
https://bugs.webkit.org/show_bug.cgi?id=189353
Reviewed by Mark Lam.
JS to Wasm call always allocates Vector for the arguments. This is really costly if the wasm function is small.
This patch adds an initial size parameter to the Vector to avoid allocations for small sized arguments.
* runtime/ArgList.h:
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
2018-08-31 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Clean up StructureStubClearingWatchpoint
https://bugs.webkit.org/show_bug.cgi?id=189156
Reviewed by Saam Barati.
Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in Bag
in WatchpointsOnStructureStubInfo. This removes hacky linked list code for StructureStubClearingWatchpoint.
* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
(JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted.
(JSC::StructureStubClearingWatchpoint::push): Deleted.
(JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted.
* bytecode/StructureStubClearingWatchpoint.h:
(JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
2018-09-06 Michael Saboff <msaboff@apple.com>
Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
https://bugs.webkit.org/show_bug.cgi?id=189380
Reviewed by Saam Barati.
Account for the case where in Math.pow(NaN, y) where y could be 0.
* bytecode/SpeculatedType.cpp:
(JSC::typeOfDoublePow):
2018-09-06 Mark Lam <mark.lam@apple.com>
Gardening: only visit m_cachedStructureID if it's not null.
https://bugs.webkit.org/show_bug.cgi?id=189124
<rdar://problem/43863605>
Not reviewed.
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):
2018-09-06 Tomas Popela <tpopela@redhat.com>
[JSC] Build broken after r234975 on s390x, ppc64le, armv7hl
https://bugs.webkit.org/show_bug.cgi?id=189078
Reviewed by Mark Lam.
Caused by the GCC bug - https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70124.
Using the ternary operator instead of std::max() fixes it.
* heap/RegisterState.h:
2018-09-05 Mark Lam <mark.lam@apple.com>
JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
https://bugs.webkit.org/show_bug.cgi?id=189124
<rdar://problem/43863605>
Reviewed by Filip Pizlo.
It is assumed that the Structure for the m_cachedStructureID will remain alive
while the m_cachedStructureID is in use. This prevents the structureID from being
re-used for a different Structure.
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):
2018-09-05 Ross Kirsling <ross.kirsling@sony.com>
[ESNext] Symbol.prototype.description
https://bugs.webkit.org/show_bug.cgi?id=186686
Reviewed by Keith Miller.
Symbol.prototype.description was implemented in r232404, but has one small bug:
It should return undefined for a null symbol.
* runtime/Symbol.cpp:
(JSC::Symbol::description const):
* runtime/SymbolPrototype.cpp:
(JSC::symbolProtoGetterDescription):
Address the null symbol case.
2018-09-04 Keith Miller <keith_miller@apple.com>
RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
https://bugs.webkit.org/show_bug.cgi?id=188917
Reviewed by Mark Lam.
Our allocators should be able to handle allocating a zero-sized object.
Zero-sized objects will be allocated into the smallest size class.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
* heap/MarkedSpace.h:
(JSC::MarkedSpace::sizeClassToIndex):
(JSC::MarkedSpace::indexToSizeClass):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2018-09-05 Mark Lam <mark.lam@apple.com>
Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
https://bugs.webkit.org/show_bug.cgi?id=189300
<rdar://problem/39681779>
Reviewed by Saam Barati.
At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
which points to a InlineCallFrame in the DFG::Plan's m_inlineCallFrames set. The
DeferredSourceDump is later used to dump source even if the compilation fails.
This is intentional so that we can use this tool to see what source fails to
compile as well.
The DFG::Plan may have been destructed by then, and since the compilation failed,
the InlineCallFrame is also destructed. This means DeferredSourceDump::dump()
may be end up accessing freed memory.
DeferredSourceDump doesn't really need a CodeOrigin. All it wants is the caller
bytecodeIndex for the call to an inlined function. Hence, we can fix this issue
by changing DeferredSourceDump to capture the caller bytecodeIndex instead.
In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
to be Strong references to ensure that the CodeBlocks are kept alive until they
can be dumped.
* bytecode/DeferredCompilationCallback.cpp:
(JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
* bytecode/DeferredSourceDump.cpp:
(JSC::DeferredSourceDump::DeferredSourceDump):
(JSC::DeferredSourceDump::dump):
* bytecode/DeferredSourceDump.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseCodeBlock):
2018-09-05 David Kilzer <ddkilzer@apple.com>
REGRESSION (r235419): DFGCFG.h is missing from JavaScriptCore Xcode project
Found using `tidy-Xcode-project-file --missing` (see Bug
188754). Fix was made manually.
* JavaScriptCore.xcodeproj/project.pbxproj:
(dfg/DFGCFG.h): Revert accidental change in r235419 by restoring
`name` and `path` values to file reference.
2018-09-05 Mark Lam <mark.lam@apple.com>
isAsyncGeneratorMethodParseMode() should check for SourceParseMode::AsyncGeneratorWrapperMethodMode.
https://bugs.webkit.org/show_bug.cgi?id=189292
<rdar://problem/38907433>
Reviewed by Saam Barati.
Previously, isAsyncGeneratorMethodParseMode() was checking for AsyncGeneratorWrapperFunctionMode
instead of AsyncGeneratorWrapperMethodMode. This patch fixes it
to check for AsyncGeneratorWrapperMethodMode (to match what is expected as indicated
in the name isAsyncGeneratorMethodParseMode).
* parser/ParserModes.h:
(JSC::isAsyncGeneratorMethodParseMode):
2018-09-04 Michael Saboff <msaboff@apple.com>
Unreviewed indentations change.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::matchBackreference):
2018-09-04 Michael Saboff <msaboff@apple.com>
JSC Build error when changing CPU type: offlineasm: No magic values found. Skipping assembly file generation
https://bugs.webkit.org/show_bug.cgi?id=189274
Reviewed by Saam Barati.
Put the derived file LLIntDesiredOffsets.h in an architecture specific subdirectory to make them unique.
Some I got this change mixed up with the change for r235636. The changes to JavaScriptCore.xcodeproj/project.pbxproj
where landed there.
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-09-04 Michael Saboff <msaboff@apple.com>
YARR: JIT RegExps with back references
https://bugs.webkit.org/show_bug.cgi?id=180874
Reviewed by Filip Pizlo.
Implemented JIT'ed back references for all counted types. The only type of back references
not handled in the JIT are 16bit matches that ignore case. Such support would require the
canonicalization that is currently handled in the Yarr interpreter via a C funtion call.
The back reference processing for surrogate pairs is implemented by individually comparing
each surrogate ala memcmp.
Added a generated canonicalization table for the LChar (8bit) domain to process case
ignored back references.
Added macro assembler load16(ExtendedAddress) for indexed access to the canonicalization table.
Added a new JIT failure reason for forward references as the check to JIT expressions with
forward references we're handled synonimously those containing back references.
This change is only enabled for 64 bit platforms.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::load16):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::load16):
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* yarr/YarrCanonicalize.h:
* yarr/YarrCanonicalizeUCS2.cpp:
* yarr/YarrCanonicalizeUCS2.js:
(set characters.hex.set string_appeared_here):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::checkNotEnoughInput):
(JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates):
(JSC::Yarr::YarrGenerator::matchBackreference):
(JSC::Yarr::YarrGenerator::generateBackReference):
(JSC::Yarr::YarrGenerator::backtrackBackReference):
(JSC::Yarr::YarrGenerator::generateTerm):
(JSC::Yarr::YarrGenerator::backtrackTerm):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::dumpCompileFailure):
* yarr/YarrJIT.h:
* yarr/YarrPattern.h:
(JSC::Yarr::BackTrackInfoBackReference::beginIndex):
(JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
2018-09-04 Mark Lam <mark.lam@apple.com>
Make the jsc shell print, printErr, and debug functions more robust.
https://bugs.webkit.org/show_bug.cgi?id=189268
<rdar://problem/41192690>
Reviewed by Keith Miller.
We'll now check for UTF8 conversion errors.
* jsc.cpp:
(cStringFromViewWithString):
(printInternal):
(functionDebug):
2018-09-04 Michael Catanzaro <mcatanzaro@igalia.com>
[WPE][GTK] Add more unused result warnings to JSC API
https://bugs.webkit.org/show_bug.cgi?id=189243
Reviewed by Carlos Garcia Campos.
The jsc_context_evaluate() family of functions has a (transfer full) return value, but the
caller may be tempted to not inspect it if uninterested in the return value. This would be
an error, because it must be freed.
* API/glib/JSCContext.h:
2018-09-03 Mark Lam <mark.lam@apple.com>
The watchdog sometimes fails to terminate a script.
https://bugs.webkit.org/show_bug.cgi?id=189227
<rdar://problem/39932857>
Reviewed by Saam Barati.
Consider the following scenario:
1. We have an infinite loop bytecode sequence as follows:
[ 13] loop_hint
[ 14] check_traps
[ 15] jmp -2(->13)
2. The VM tiers up from LLInt -> BaselineJIT -> DFG -> FTL.
Note that op_check_traps is represented as a CheckTraps node in the DFG and FTL.
When we're not using pollingTraps (JSC_usePollingTraps is false by default),
we emit no code for CheckTraps, but only record an InvalidationPoint there.
3. The watchdog fires, and invalidates all InvalidationPoints in the FTL CodeBlock.
InvalidationPoints OSR exits to the next instruction by design. In this case,
that means the VM will resumes executing at the op_jmp, which jumps to the
op_loop_hint opcode. At the loop_hint, the VM discovers that the function is
already hot, and attempts to tier up. It immediately discovers that a replacement
CodeBlock is available because we still haven't jettisoned the DFG CodeBlock
nor the FTL CodeBlock that was previously compiled for this function.
Note that jettisoning a CodeBlock necessarily means the VM will invalidate
its InvalidationPoints (if the CodeBlock is DFG/FTL). However, the reverse
is not true: merely invalidating the InvalidationPoints does not necessarily
mean that the CodeBlock is jettisoned.
VMTraps::tryInstallTrapBreakpoints() runs from a separate thread. Hence,
it is only safe for it to invalidate a CodeBlock's InvalidationPoints. It
is not safe for the CodeBlock to be jettisoned from another thread. Instead,
the VMTraps mechanism relies on the script thread running to an op_check_traps
in the baseline JIT code where it will do the necessary jettisoning of optimized
CodeBlocks.
Since the op_check_traps never get executed, the VM will perpetually tier up in
the op_loop_hint, OSR exit to the op_jmp, jump to the op_loop_hint, and repeat.
Consequently, the watchdog fails to terminate this script.
In this patch, we fix this by making the DFG BytecodeParser emit an InvalidationPoint
node directly (when the VM is not configured to use polling traps). This ensures
that the check traps invalidation point will OSR exit to the op_check_traps opcode
in the baseline JIT.
In this patch, we also change VMTraps::tryInstallTrapBreakpoints() to use
CallFrame::unsafeCodeBlock() instead of CallFrame::codeBlock(). This is because
we don't really know if the frame is properly set up. We're just conservatively
probing the stack. ASAN does not like this probing. Using unsafeCodeBlock() here
will suppress the false positive ASAN complaint.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckTraps):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
2018-09-03 Mark Lam <mark.lam@apple.com>
CallFrame::unsafeCallee() should use an ASAN suppressed Register::asanUnsafePointer().
https://bugs.webkit.org/show_bug.cgi?id=189247
Reviewed by Saam Barati.
* interpreter/CallFrame.h:
(JSC::ExecState::unsafeCallee const):
* interpreter/Register.h:
(JSC::Register::asanUnsafePointer const):
(JSC::Register::unsafePayload const):
2018-09-02 Yusuke Suzuki <yusukesuzuki@slowstart.org>
Implement Object.fromEntries
https://bugs.webkit.org/show_bug.cgi?id=188481
Reviewed by Darin Adler.
Object.fromEntries becomes stage 3[1]. This patch implements it by using builtin JS.
[1]: https://tc39.github.io/proposal-object-from-entries/
* builtins/ObjectConstructor.js:
(fromEntries):
* runtime/ObjectConstructor.cpp:
2018-08-24 Yusuke Suzuki <yusukesuzuki@slowstart.org>
Function object should convert params to string before throw a parsing error
https://bugs.webkit.org/show_bug.cgi?id=188874
Reviewed by Darin Adler.
ToString operation onto the `body` of the Function constructor should be performed
before checking syntax correctness of the parameters.
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
2018-08-31 Mark Lam <mark.lam@apple.com>
Fix exception check accounting in constructJSWebAssemblyCompileError().
https://bugs.webkit.org/show_bug.cgi?id=189185
<rdar://problem/39786007>
Reviewed by Michael Saboff.
Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
inadvertently overwrite a pre-existing exception (if present).
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::createStub):
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::constructJSWebAssemblyCompileError):
2018-08-31 Mark Lam <mark.lam@apple.com>
Gardening: ARMv7 build fix.
https://bugs.webkit.org/show_bug.cgi?id=158911
Not reviewed.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::patchableBranch8):
2018-08-31 Mark Lam <mark.lam@apple.com>
Fix exception check accounting in JSDataView::defineOwnProperty().
https://bugs.webkit.org/show_bug.cgi?id=189186
<rdar://problem/39786049>
Reviewed by Michael Saboff.
* runtime/JSDataView.cpp:
(JSC::JSDataView::defineOwnProperty):
2018-08-31 Mark Lam <mark.lam@apple.com>
Add missing exception check in arrayProtoFuncLastIndexOf().
https://bugs.webkit.org/show_bug.cgi?id=189184
<rdar://problem/39785959>
Reviewed by Yusuke Suzuki.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncLastIndexOf):
2018-08-31 Saam barati <sbarati@apple.com>
convertToRegExpMatchFastGlobal must use KnownString as the child use kind
https://bugs.webkit.org/show_bug.cgi?id=189173
<rdar://problem/43501645>
Reviewed by Michael Saboff.
We were crashing during validation because mayExit returned true
at a point in the program when we weren't allowed to exit.
The issue was is in StrengthReduction: we end up emitting code that
had a StringUse on an edge after a node that did side effects and before
an ExitOK/bytecode number transition. However, StrenghReduction did the
right thing here and also emitted the type checks before the node with
side effects. It just did bad bookkeeping. The node we convert to needs
to use KnownStringUse instead of StringUse for the child edge.
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
(JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
(JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
* dfg/DFGNode.h:
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
2018-08-30 Saam barati <sbarati@apple.com>
Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
https://bugs.webkit.org/show_bug.cgi?id=189166
Reviewed by Mark Lam.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::emitDOMJITGetter):
* bytecode/InlineAccess.cpp:
(JSC::getScratchRegister):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::valueRegs const):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
(JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2018-08-30 Saam barati <sbarati@apple.com>
InlineAccess should do StringLength
https://bugs.webkit.org/show_bug.cgi?id=158911
Reviewed by Yusuke Suzuki.
This patch extends InlineAccess to support StringLength. This patch also
fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
I forgot to implement this for ArrayLength in the initial InlineAccess
implementation. Supporting StringLength is a natural extension of the
InlineAccess machinery.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::patchableBranch8):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::patchableBranch8):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::fromStructureStubInfo):
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::getScratchRegister):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):
(JSC::InlineAccess::generateSelfInAccess):
(JSC::InlineAccess::generateStringLength):
* bytecode/InlineAccess.h:
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::initStringLength):
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::aboutToDie):
(JSC::StructureStubInfo::propagateTransitions):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::baseGPR const):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
2018-08-30 Saam barati <sbarati@apple.com>
CSE DataViewGet* DFG nodes
https://bugs.webkit.org/show_bug.cgi?id=188768
Reviewed by Yusuke Suzuki.
This patch makes it so that we CSE DataViewGet* accesses. To do this,
I needed to add a third descriptor to HeapLocation to represent the
isLittleEndian child. This patch is neutral on compile time benchmarks,
and is a 50% speedup on a trivial CSE microbenchmark that I added.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
(JSC::DFG::HeapLocation::HeapLocation):
(JSC::DFG::HeapLocation::hash const):
(JSC::DFG::HeapLocation::operator== const):
(JSC::DFG::indexedPropertyLocForResultType):
2018-08-30 Yusuke Suzuki <yusukesuzuki@slowstart.org>
output of toString() of Generator is wrong
https://bugs.webkit.org/show_bug.cgi?id=188952
Reviewed by Saam Barati.
Function#toString does not respect generator and async generator.
This patch fixes them and supports all the function types.
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
2018-08-29 Mark Lam <mark.lam@apple.com>
Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
https://bugs.webkit.org/show_bug.cgi?id=189132
<rdar://problem/42513068>
Reviewed by Saam Barati.
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toPropertyKey const):
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeToAtomicString const):
2018-08-29 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r235432 and r235436.
https://bugs.webkit.org/show_bug.cgi?id=189086
Is a Swift source breaking change. (Requested by keith_miller
on #webkit).
Reverted changesets:
"Add nullablity attributes to JSValue"
https://bugs.webkit.org/show_bug.cgi?id=189047
https://trac.webkit.org/changeset/235432
"Add nullablity attributes to JSValue"
https://bugs.webkit.org/show_bug.cgi?id=189047
https://trac.webkit.org/changeset/235436
2018-08-28 Mark Lam <mark.lam@apple.com>
Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
https://bugs.webkit.org/show_bug.cgi?id=189059
<rdar://problem/40335354>
Reviewed by Saam Barati.
1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
2. Added $vm.dumpRegisters().
Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.
Note: Currently, $vm.dumpRegisters() only dump registers in the physical frame.
It will treat inlined frames content as registers in the bounding physical frame.
Here's an example of such a dump on a DFG frame:
Register frame:
-----------------------------------------------------------------------------
use | address | value
-----------------------------------------------------------------------------
[r 12 arguments[ 7]] | 0x7ffeefbfd330 | 0xa Undefined
[r 11 arguments[ 6]] | 0x7ffeefbfd328 | 0x10bbb3e80 Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
[r 10 arguments[ 5]] | 0x7ffeefbfd320 | 0xa Undefined
[r 9 arguments[ 4]] | 0x7ffeefbfd318 | 0xa Undefined
[r 8 arguments[ 3]] | 0x7ffeefbfd310 | 0xa Undefined
[r 7 arguments[ 2]] | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
[r 6 arguments[ 1]] | 0x7ffeefbfd300 | 0x10bbd00f0 Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
[r 5 this] | 0x7ffeefbfd2f8 | 0x10bbe0000 Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
-----------------------------------------------------------------------------
[ArgumentCount] | 0x7ffeefbfd2f0 | 7
[ReturnVPC] | 0x7ffeefbfd2f0 | 164 (line 57)
[Callee] | 0x7ffeefbfd2e8 | 0x10bb68db0 Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
[CodeBlock] | 0x7ffeefbfd2e0 | 0x10bb2f8e0 __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
[ReturnPC] | 0x7ffeefbfd2d8 | 0x10064d14c
[CallerFrame] | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
-----------------------------------------------------------------------------
[r -1 CalleeSaveReg] | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
[r -2 CalleeSaveReg] | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
[r -3 CalleeSaveReg] | 0x7ffeefbfd2b8 | 0x10baf1608
[r -4 ] | 0x7ffeefbfd2b0 | 0x10bbcc000 Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
[r -5 ] | 0x7ffeefbfd2a8 | 0x10bbcc000 Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
[r -6 ] | 0x7ffeefbfd2a0 | 0xa Undefined
-----------------------------------------------------------------------------
[r -7] | 0x7ffeefbfd298 | 0x10bb6fdc0 String (atomic) (identifier): length, StructureID: 4
[r -8] | 0x7ffeefbfd290 | 0x10bbb7ec0 Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
[r -9] | 0x7ffeefbfd288 | 0x10bbc33f0 Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
[r-10] | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
[r-11] | 0x7ffeefbfd278 | 0x10bbb4290 Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
[r-12] | 0x7ffeefbfd270 | 0x100000001
[r-13] | 0x7ffeefbfd268 | 0x10bbc33f0 Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
[r-14] | 0x7ffeefbfd260 | 0x0
[r-15] | 0x7ffeefbfd258 | 0x10064d14c
[r-16] | 0x7ffeefbfd250 | 0x7ffeefbfd2d0
[r-17] | 0x7ffeefbfd248 | 0x67ec87ee177 INVALID
[r-18] | 0x7ffeefbfd240 | 0x7ffeefbfd250
-----------------------------------------------------------------------------
3. Removed dumpCallFrame() from the jsc shell. We have the following tools that
we can use in its place:
$vm.dumpCallFrame()
$vm.dumpBytecodeFor()
$vm.dumpRegisters() // Just added in this patch.
4. Also fixed a bug in BytecodeDumper: it should only access
CallLinkInfo::haveLastSeenCallee() only if CallLinkInfo::isDirect() is false.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::printCallOp):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::dumpCallFrame): Deleted.
(JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
(JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
(JSC::Interpreter::dumpRegisters): Deleted.
* interpreter/Interpreter.h:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionDumpCallFrame): Deleted.
* tools/JSDollarVM.cpp:
(JSC::functionDumpRegisters):
(JSC::JSDollarVM::finishCreation):
* tools/VMInspector.cpp:
(JSC::VMInspector::dumpRegisters):
* tools/VMInspector.h:
2018-08-28 Keith Miller <keith_miller@apple.com>
Add nullablity attributes to JSValue
https://bugs.webkit.org/show_bug.cgi?id=189047
Reviewed by Dan Bernstein.
Switch to using NS_ASSUME_NONNULL_BEGIN/END.
* API/JSValue.h:
2018-08-28 Keith Miller <keith_miller@apple.com>
Add nullablity attributes to JSValue
https://bugs.webkit.org/show_bug.cgi?id=189047
Reviewed by Geoffrey Garen.
* API/JSValue.h:
2018-08-27 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[WebAssembly] Parse wasm modules in a streaming fashion
https://bugs.webkit.org/show_bug.cgi?id=188943
Reviewed by Mark Lam.
This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion.
Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
we start integrating it into BBQPlan and dropping the old ModuleParser.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* tools/JSDollarVM.cpp:
(WTF::WasmStreamingParser::WasmStreamingParser):
(WTF::WasmStreamingParser::create):
(WTF::WasmStreamingParser::createStructure):
(WTF::WasmStreamingParser::streamingParser):
(WTF::WasmStreamingParser::finishCreation):
(WTF::functionWasmStreamingParserAddBytes):
(WTF::functionWasmStreamingParserFinalize):
(JSC::functionCreateWasmStreamingParser):
(JSC::JSDollarVM::finishCreation):
The $vm Wasm::StreamingParser object is introduced for testing purpose. Added new stress test uses
this interface to test streaming parser in the JSC shell.
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::BBQPlan):
(JSC::Wasm::BBQPlan::parseAndValidateModule):
(JSC::Wasm::BBQPlan::prepare):
(JSC::Wasm::BBQPlan::compileFunctions):
(JSC::Wasm::BBQPlan::complete):
(JSC::Wasm::BBQPlan::work):
* wasm/WasmBBQPlan.h:
BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
In subsequent patches, we will remove this, and stream the data into the BBQPlan.
* wasm/WasmFormat.h:
* wasm/WasmModuleInformation.cpp:
(JSC::Wasm::ModuleInformation::ModuleInformation):
* wasm/WasmModuleInformation.h:
One of the largest change in this patch is that ModuleInformation no longer holds source bytes,
since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
a function with this data can be done concurrently with StreamingParser.
(JSC::Wasm::ModuleInformation::create):
(JSC::Wasm::ModuleInformation::memoryCount const):
(JSC::Wasm::ModuleInformation::tableCount const):
memoryCount and tableCount should be recorded in ModuleInformation.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
(JSC::Wasm::makeI32InitExpr): Deleted.
(JSC::Wasm::ModuleParser::parseType): Deleted.
(JSC::Wasm::ModuleParser::parseImport): Deleted.
(JSC::Wasm::ModuleParser::parseFunction): Deleted.
(JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
(JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
(JSC::Wasm::ModuleParser::parseTable): Deleted.
(JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
(JSC::Wasm::ModuleParser::parseMemory): Deleted.
(JSC::Wasm::ModuleParser::parseGlobal): Deleted.
(JSC::Wasm::ModuleParser::parseExport): Deleted.
(JSC::Wasm::ModuleParser::parseStart): Deleted.
(JSC::Wasm::ModuleParser::parseElement): Deleted.
(JSC::Wasm::ModuleParser::parseCode): Deleted.
(JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
(JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
(JSC::Wasm::ModuleParser::parseData): Deleted.
(JSC::Wasm::ModuleParser::parseCustom): Deleted.
Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
SectionParser is also used by StreamingParser.
* wasm/WasmModuleParser.h:
(): Deleted.
* wasm/WasmNameSection.h:
(JSC::Wasm::NameSection::NameSection):
(JSC::Wasm::NameSection::create):
(JSC::Wasm::NameSection::setHash):
Hash calculation is deferred since all the source is not available in streaming parsing.
* wasm/WasmNameSectionParser.cpp:
(JSC::Wasm::NameSectionParser::parse):
* wasm/WasmNameSectionParser.h:
Use Ref<NameSection>.
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
Wasm::Plan no longer have m_source since data will be eventually filled in a streaming fashion.
OMGPlan can get data of the function by using ModuleInformation::functions.
* wasm/WasmParser.h:
(JSC::Wasm::Parser::source const):
(JSC::Wasm::Parser::length const):
(JSC::Wasm::Parser::offset const):
(JSC::Wasm::Parser::fail const):
(JSC::Wasm::makeI32InitExpr):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::Plan):
Wasm::Plan should not have all the source apriori. Streamed data will be pumped from the provider.
* wasm/WasmPlan.h:
* wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
SectionParser is extracted from ModuleParser. And it is used by both the old (currently working)
ModuleParser and the new StreamingParser.
(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseImport):
(JSC::Wasm::SectionParser::parseFunction):
(JSC::Wasm::SectionParser::parseResizableLimits):
(JSC::Wasm::SectionParser::parseTableHelper):
(JSC::Wasm::SectionParser::parseTable):
(JSC::Wasm::SectionParser::parseMemoryHelper):
(JSC::Wasm::SectionParser::parseMemory):
(JSC::Wasm::SectionParser::parseGlobal):
(JSC::Wasm::SectionParser::parseExport):
(JSC::Wasm::SectionParser::parseStart):
(JSC::Wasm::SectionParser::parseElement):
(JSC::Wasm::SectionParser::parseCode):
(JSC::Wasm::SectionParser::parseInitExpr):
(JSC::Wasm::SectionParser::parseGlobalType):
(JSC::Wasm::SectionParser::parseData):
(JSC::Wasm::SectionParser::parseCustom):
* wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
* wasm/WasmStreamingParser.cpp: Added.
(JSC::Wasm::parseUInt7):
(JSC::Wasm::StreamingParser::fail):
(JSC::Wasm::StreamingParser::StreamingParser):
(JSC::Wasm::StreamingParser::parseModuleHeader):
(JSC::Wasm::StreamingParser::parseSectionID):
(JSC::Wasm::StreamingParser::parseSectionSize):
(JSC::Wasm::StreamingParser::parseCodeSectionSize):
Code section in Wasm binary is specially handled compared with the other sections since it includes
a bunch of functions. StreamingParser extracts each function in a streaming fashion and enable
streaming validation / compilation of Wasm functions.
(JSC::Wasm::StreamingParser::parseFunctionSize):
(JSC::Wasm::StreamingParser::parseFunctionPayload):
(JSC::Wasm::StreamingParser::parseSectionPayload):
(JSC::Wasm::StreamingParser::consume):
(JSC::Wasm::StreamingParser::consumeVarUInt32):
(JSC::Wasm::StreamingParser::addBytes):
(JSC::Wasm::StreamingParser::failOnState):
(JSC::Wasm::StreamingParser::finalize):
* wasm/WasmStreamingParser.h: Added.
(JSC::Wasm::StreamingParser::addBytes):
(JSC::Wasm::StreamingParser::errorMessage const):
This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
StreamingParser::addBytes() to pump the bytes stream into the parser. And once all the data is pumped,
the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
incoming byte stream.
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::source const): Deleted.
All the source should not be held.
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::webAssemblyValidateFunc):
2018-08-27 Mark Lam <mark.lam@apple.com>
Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
https://bugs.webkit.org/show_bug.cgi?id=188577
<rdar://problem/42985684>
Reviewed by Saam Barati.
1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
(top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.
The StackOverflowFrame is a sentinel frame that the low level code (exception
throwing code, stack visitor, and stack unwinding code) will know to skip
over. The StackOverflowFrame will also have a valid JSCallee so that client
code can compute the globalObject or VM from this frame.
As a result, client code that throws StackOverflowErrors no longer need to
compute the caller frame to throw from: it just converts the top frame into
a StackOverflowFrame and everything should *Just Work*.
2. NativeCallFrameTracerWithRestore is now obsolete.
Instead, client code should always call convertToStackOverflowFrame() on the
frame before instantiating a NativeCallFrameTracer with it.
This means that topCallFrame will always point to the top CallFrame (which
may be a StackOverflowFrame), and topEntryFrame will always point to the top
EntryFrame. We'll never temporarily point them to the previous EntryFrame
(which we used to do with NativeCallFrameTracerWithRestore).
3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
CallFrame, and will know how to handle a StackOverflowFrame if they see one.
This obsoletes the UnwindStart flag.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* debugger/Debugger.cpp:
(JSC::Debugger::pauseIfNeeded):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::callerFrame const):
(JSC::CallFrame::unsafeCallerFrame const):
(JSC::CallFrame::convertToStackOverflowFrame):
(JSC::CallFrame::callerFrame): Deleted.
(JSC::CallFrame::unsafeCallerFrame): Deleted.
* interpreter/CallFrame.h:
(JSC::ExecState::iterate):
* interpreter/CallFrameInlines.h: Added.
(JSC::CallFrame::isStackOverflowFrame const):
(JSC::CallFrame::isWasmFrame const):
* interpreter/EntryFrame.h: Added.
(JSC::EntryFrame::vmEntryRecordOffset):
(JSC::EntryFrame::calleeSaveRegistersBufferOffset):
* interpreter/FrameTracers.h:
(JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
(JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
* interpreter/Interpreter.h:
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::StackVisitor):
* interpreter/StackVisitor.h:
(JSC::StackVisitor::visit):
(JSC::StackVisitor::topEntryFrameIsEmpty const):
* interpreter/VMEntryRecord.h:
(JSC::VMEntryRecord::callee const):
(JSC::EntryFrame::vmEntryRecordOffset): Deleted.
(JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
* jit/AssemblyHelpers.h:
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITExceptions.h:
* jit/JITOperations.cpp:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CallData.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::throwArityCheckStackOverflowError):
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPathsExceptions.cpp: Removed.
* runtime/CommonSlowPathsExceptions.h: Removed.
* runtime/Completion.cpp:
(JSC::evaluateWithScopeExtension):
* runtime/JSGeneratorFunction.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::stackOverflowFrameCallee const):
* runtime/VM.cpp:
(JSC::VM::throwException):
* runtime/VM.h:
* runtime/VMInlines.h:
(JSC::VM::topJSCallFrame const):
2018-08-27 Keith Rollin <krollin@apple.com>
Unreviewed build fix -- disable LTO for production builds
* Configurations/Base.xcconfig:
2018-08-27 Aditya Keerthi <akeerthi@apple.com>
Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
https://bugs.webkit.org/show_bug.cgi?id=188931
Reviewed by Wenson Hsieh.
* Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
2018-08-27 Devin Rousso <drousso@apple.com>
Web Inspector: provide autocompletion for event breakpoints
https://bugs.webkit.org/show_bug.cgi?id=188717
Reviewed by Brian Burg.
* inspector/protocol/DOM.json:
Add `getSupportedEventNames` command.
2018-08-27 Keith Rollin <krollin@apple.com>
Build system support for LTO
https://bugs.webkit.org/show_bug.cgi?id=187785
<rdar://problem/42353132>
Reviewed by Dan Bernstein.
Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
LTO.
* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
2018-08-27 Patrick Griffis <pgriffis@igalia.com>
[GTK][JSC] Add warn_unused_result attribute to some APIs
https://bugs.webkit.org/show_bug.cgi?id=188983
Reviewed by Michael Catanzaro.
* API/glib/JSCValue.h:
2018-08-24 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Array.prototype.reverse modifies JSImmutableButterfly
https://bugs.webkit.org/show_bug.cgi?id=188794
Reviewed by Saam Barati.
While Array.prototype.reverse modifies the butterfly of the given Array,
it does not account JSImmutableButterfly case. So it accidentally modifies
the content of JSImmutableButterfly.
This patch converts CoW arrays to writable arrays before reversing.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncReverse):
* runtime/JSObject.h:
(JSC::JSObject::ensureWritable):
2018-08-24 Michael Saboff <msaboff@apple.com>
YARR: Update UCS canonicalization tables for Unicode 11
https://bugs.webkit.org/show_bug.cgi?id=188928
Reviewed by Mark Lam.
Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
This passes JavaScriptCore and test262 tests.
* yarr/YarrCanonicalizeUCS2.cpp:
* yarr/YarrCanonicalizeUCS2.js:
(printHeader):
2018-08-24 Michael Saboff <msaboff@apple.com>
YARR: JIT RegExps with non-greedy parenthesized sub patterns
https://bugs.webkit.org/show_bug.cgi?id=180876
Reviewed by Filip Pizlo.
Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
For the matching code, the greedy path was correct except that we don't try matching for the
non-greedy case. Added a jump out to the term after the parenthesis and a label to perform the
first / next match when we backtrack. The backtracking code needs to check to see if we have
tried the first match or if we can do another match.
Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
count. Did other minor cleanup as well.
Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
Updated the text in some comments, both for this change as well as accuracy for existing code.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::dumpCompileFailure):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
(JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
2018-08-23 Simon Fraser <simon.fraser@apple.com>
Add support for dumping GC heap snapshots, and a viewer
https://bugs.webkit.org/show_bug.cgi?id=186416
Reviewed by Joseph Pecoraro.
Make a way to dump information about the GC heap that is useful for looking for leaked
or abandoned objects. This dump is obtained (on Apple platforms) via:
notifyutil -p com.apple.WebKit.dumpGCHeap
which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
This leverages the heap snapshot used by Web Inspector, adding an alternate format for
the snapshot JSON that adds additional data about objects and why they are GC roots.
SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
objects visited via opaque roots, we record the reason why via a new out param to
isReachableFromOpaqueRoots().
HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
additional information including the address of the JSCell* and the wrapped object (for
JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
be the document URL.
GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
* API/JSAPIWrapperObject.mm:
(JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
* API/JSManagedValue.mm:
(JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
* API/glib/JSAPIWrapperObjectGLib.cpp:
(JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
* CMakeLists.txt:
* heap/ConservativeRoots.h:
(JSC::ConservativeRoots::size const):
(JSC::ConservativeRoots::size): Deleted.
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
(JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
(JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
(JSC::HeapSnapshotBuilder::buildSnapshot):
(JSC::HeapSnapshotBuilder::appendNode):
(JSC::HeapSnapshotBuilder::appendEdge):
(JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
(JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
(JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
(JSC::snapshotTypeToString):
(JSC::rootTypeToString):
(JSC::HeapSnapshotBuilder::setLabelForCell):
(JSC::HeapSnapshotBuilder::descriptionForCell const):
(JSC::HeapSnapshotBuilder::json):
(JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
* heap/HeapSnapshotBuilder.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendSlow):
* heap/SlotVisitor.h:
(JSC::SlotVisitor::heapSnapshotBuilder const):
(JSC::SlotVisitor::rootMarkReason const):
(JSC::SlotVisitor::setRootMarkReason):
(JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
(JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
* heap/WeakBlock.cpp:
(JSC::WeakBlock::specializedVisit):
* heap/WeakHandleOwner.cpp:
(JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
* heap/WeakHandleOwner.h:
* runtime/SimpleTypedArrayController.cpp:
(JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
* runtime/SimpleTypedArrayController.h:
* tools/JSDollarVM.cpp:
2018-08-23 Saam barati <sbarati@apple.com>
JSRunLoopTimer may run part of a member function after it's destroyed
https://bugs.webkit.org/show_bug.cgi?id=188426
Reviewed by Mark Lam.
When I was reading the JSRunLoopTimer code, I noticed that it is possible
to end up running timer code after the class had been destroyed.
The issue I spotted was in this function:
```
void JSRunLoopTimer::timerDidFire()
{
JSLock* apiLock = m_apiLock.get();
if (!apiLock) {
// Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
return;
}
// HERE
std::lock_guard<JSLock> lock(*apiLock);
RefPtr<VM> vm = apiLock->vm();
if (!vm) {
// The VM has been destroyed, so we should just give up.
return;
}
doWork();
}
```
Look at the comment 'HERE'. Let's say that the timer callback thread gets context
switched before grabbing the API lock. Then, some other thread destroys the VM.
And let's say that the VM owns (perhaps transitively) this timer. Then, the
timer would run code and access member variables after it was destroyed.
This patch fixes this issue by introducing a new timer manager class.
This class manages timers on a per VM basis. When a timer is scheduled,
this class refs the timer. It also calls the timer callback while actively
maintaining a +1 ref to it. So, it's no longer possible to call the timer
callback after the timer has been destroyed. However, calling a timer callback
can still race with the VM being destroyed. We continue to detect this case and
bail out of the callback early.
This patch also removes a lot of duplicate code between GCActivityCallback
and JSRunLoopTimer.
* heap/EdenGCActivityCallback.cpp:
(JSC::EdenGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::lastGCLength):
(JSC::EdenGCActivityCallback::deathRate):
* heap/EdenGCActivityCallback.h:
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
(JSC::FullGCActivityCallback::lastGCLength):
(JSC::FullGCActivityCallback::deathRate):
* heap/FullGCActivityCallback.h:
* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::doWork):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
(JSC::GCActivityCallback::cancelTimer): Deleted.
(JSC::GCActivityCallback::nextFireTime): Deleted.
* heap/GCActivityCallback.h:
* heap/Heap.cpp:
(JSC::Heap::reportAbandonedObjectGraph):
(JSC::Heap::notifyIncrementalSweeper):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didAllocate):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::scheduleTimer):
(JSC::IncrementalSweeper::doWork):
(JSC::IncrementalSweeper::doSweep):
(JSC::IncrementalSweeper::sweepNextBlock):
(JSC::IncrementalSweeper::startSweeping):
(JSC::IncrementalSweeper::stopSweeping):
* heap/IncrementalSweeper.h:
* heap/StopIfNecessaryTimer.cpp:
(JSC::StopIfNecessaryTimer::doWork):
(JSC::StopIfNecessaryTimer::scheduleSoon):
* heap/StopIfNecessaryTimer.h:
* runtime/JSRunLoopTimer.cpp:
(JSC::epochTime):
(JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
(JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
(JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
(JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
(JSC::JSRunLoopTimer::Manager::timerDidFire):
(JSC::JSRunLoopTimer::Manager::shared):
(JSC::JSRunLoopTimer::Manager::registerVM):
(JSC::JSRunLoopTimer::Manager::unregisterVM):
(JSC::JSRunLoopTimer::Manager::scheduleTimer):
(JSC::JSRunLoopTimer::Manager::cancelTimer):
(JSC::JSRunLoopTimer::Manager::timeUntilFire):
(JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
(JSC::JSRunLoopTimer::timerDidFire):
(JSC::JSRunLoopTimer::JSRunLoopTimer):
(JSC::JSRunLoopTimer::timeUntilFire):
(JSC::JSRunLoopTimer::setTimeUntilFire):
(JSC::JSRunLoopTimer::cancelTimer):
(JSC::JSRunLoopTimer::setRunLoop): Deleted.
(JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
(JSC::JSRunLoopTimer::scheduleTimer): Deleted.
* runtime/JSRunLoopTimer.h:
(JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
* runtime/PromiseDeferredTimer.cpp:
(JSC::PromiseDeferredTimer::doWork):
(JSC::PromiseDeferredTimer::runRunLoop):
(JSC::PromiseDeferredTimer::addPendingPromise):
(JSC::PromiseDeferredTimer::hasPendingPromise):
(JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
(JSC::PromiseDeferredTimer::cancelPendingPromise):
(JSC::PromiseDeferredTimer::scheduleWorkSoon):
* runtime/PromiseDeferredTimer.h:
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
(JSC::VM::setRunLoop):
(JSC::VM::registerRunLoopTimer): Deleted.
(JSC::VM::unregisterRunLoopTimer): Deleted.
* runtime/VM.h:
(JSC::VM::runLoop const):
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::webAssemblyModuleValidateAsyncInternal):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::webAssemblyModuleInstantinateAsyncInternal):
(JSC::webAssemblyCompileStreamingInternal):
(JSC::webAssemblyInstantiateStreamingInternal):
2018-08-23 Mark Lam <mark.lam@apple.com>
Move vmEntryGlobalObject() to VM from CallFrame.
https://bugs.webkit.org/show_bug.cgi?id=188900
<rdar://problem/43655753>
Reviewed by Michael Saboff.
Also introduced CallFrame::isGlobalExec() which makes use of one property of
GlobalExecs to identify them i.e. GlobalExecs have null callerFrame and returnPCs.
CallFrame::initGlobalExec() ensures this.
In contrast, normal CallFrames always have a callerFrame (because they must at
least be preceded by a VM EntryFrame) and a returnPC (at least return to the
VM entry glue).
* API/APIUtils.h:
(handleExceptionIfNeeded):
(setException):
* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSContextRef.cpp:
(JSGlobalContextRetain):
(JSGlobalContextRelease):
(JSGlobalContextCopyName):
(JSGlobalContextSetName):
(JSGlobalContextGetRemoteInspectionEnabled):
(JSGlobalContextSetRemoteInspectionEnabled):
(JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
(JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
(JSGlobalContextGetDebuggerRunLoop):
(JSGlobalContextSetDebuggerRunLoop):
(JSGlobalContextGetAugmentableInspectorController):
* API/JSValue.mm:
(reportExceptionToInspector):
* API/glib/JSCClass.cpp:
(jscContextForObject):
* API/glib/JSCContext.cpp:
(jsc_context_evaluate_in_object):
* debugger/Debugger.cpp:
(JSC::Debugger::pauseIfNeeded):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::vmEntryGlobalObject const):
(JSC::DebuggerCallFrame::evaluateWithScopeExtension):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::vmEntryGlobalObject): Deleted.
* interpreter/CallFrame.h:
(JSC::ExecState::scope const):
(JSC::ExecState::noCaller):
(JSC::ExecState::isGlobalExec const):
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):
(JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
(JSC::Interpreter::debug):
* runtime/CallData.cpp:
(JSC::profiledCall):
* runtime/Completion.cpp:
(JSC::evaluate):
(JSC::profiledEvaluate):
(JSC::evaluateWithScopeExtension):
(JSC::loadAndEvaluateModule):
(JSC::loadModule):
(JSC::linkAndEvaluateModule):
(JSC::importModule):
* runtime/ConstructData.cpp:
(JSC::profiledConstruct):
* runtime/Error.cpp:
(JSC::getStackTrace):
* runtime/VM.cpp:
(JSC::VM::throwException):
(JSC::VM::vmEntryGlobalObject const):
* runtime/VM.h:
2018-08-23 Andy Estes <aestes@apple.com>
[Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
https://bugs.webkit.org/show_bug.cgi?id=188829
Reviewed by Tim Horton.
* Configurations/FeatureDefines.xcconfig:
2018-08-23 Devin Rousso <drousso@apple.com>
Web Inspector: support breakpoints for timers and animation-frame events
https://bugs.webkit.org/show_bug.cgi?id=188778
Reviewed by Brian Burg.
* inspector/protocol/Debugger.json:
Add `AnimationFrame` and `Timer` types to the list of pause reasons.
* inspector/protocol/DOMDebugger.json:
Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
- `setEventListenerBreakpoint`
- `removeEventListenerBreakpoint`
- `setInstrumentationBreakpoint`
- `removeInstrumentationBreakpoint`
Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(CppProtocolTypesHeaderGenerator.generate_output):
(CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
(CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
(CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
Generate `DefaultHash` for all `enum class` used by inspector protocols.
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/enum-values.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2018-08-23 Michael Saboff <msaboff@apple.com>
YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
https://bugs.webkit.org/show_bug.cgi?id=188895
Reviewed by Mark Lam.
Found while working on another change. This will allow processing of nested
parenthesis that require saved ParenContext structures.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):
2018-08-22 Michael Saboff <msaboff@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=188859
Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
Rubber-stamped by Saam Barati.
Deleted these two functions.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
2018-08-22 Mark Lam <mark.lam@apple.com>
The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
https://bugs.webkit.org/show_bug.cgi?id=188298
<rdar://problem/42888427>
Reviewed by Saam Barati.
In the event that both targets of a Branch is the same block, then even if we'll
always take one path of the branch, the other target is not unreachable because
it is the same target as the one in the taken path. Hence, it should not be
jettisoned.
* JavaScriptCore.xcodeproj/project.pbxproj:
- Added DFGCFG.h which is in use and should have been added to the project.
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
2018-08-20 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] HeapUtil should care about pointer overflow
https://bugs.webkit.org/show_bug.cgi?id=188740
Reviewed by Saam Barati.
`pointer - sizeof(IndexingHeader) - 1` causes an undefined behavior if a pointer overflows.
For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan.
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
2018-08-19 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Should not rotate constant with 64
https://bugs.webkit.org/show_bug.cgi?id=188556
Reviewed by Saam Barati.
To defend against JIT splaying, we rotate a constant with a randomly generated seed.
But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
where value's type is uint64_t, and they cause undefined behaviors (UBs). This patch limits
the seed in the range of [1, 63] not to generate code causing UBs. This is found by UBSan.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::generateRotationSeed):
(JSC::MacroAssembler::rotationBlindConstant):
2018-08-21 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r235107.
https://bugs.webkit.org/show_bug.cgi?id=188832
"It revealed bugs in Blob code as well as regressed JS
performance tests" (Requested by saamyjoon on #webkit).
Reverted changeset:
"JSRunLoopTimer may run part of a member function after it's
destroyed"
https://bugs.webkit.org/show_bug.cgi?id=188426
https://trac.webkit.org/changeset/235107
2018-08-21 Saam barati <sbarati@apple.com>
JSRunLoopTimer may run part of a member function after it's destroyed
https://bugs.webkit.org/show_bug.cgi?id=188426
Reviewed by Mark Lam.
When I was reading the JSRunLoopTimer code, I noticed that it is possible
to end up running timer code after the class had been destroyed.
The issue I spotted was in this function:
```
void JSRunLoopTimer::timerDidFire()
{
JSLock* apiLock = m_apiLock.get();
if (!apiLock) {
// Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
return;
}
// HERE
std::lock_guard<JSLock> lock(*apiLock);
RefPtr<VM> vm = apiLock->vm();
if (!vm) {
// The VM has been destroyed, so we should just give up.
return;
}
doWork();
}
```
Look at the comment 'HERE'. Let's say that the timer callback thread gets context
switched before grabbing the API lock. Then, some other thread destroys the VM.
And let's say that the VM owns (perhaps transitively) this timer. Then, the
timer would run code and access member variables after it was destroyed.
This patch fixes this issue by introducing a new timer manager class.
This class manages timers on a per VM basis. When a timer is scheduled,
this class refs the timer. It also calls the timer callback while actively
maintaining a +1 ref to it. So, it's no longer possible to call the timer
callback after the timer has been destroyed. However, calling a timer callback
can still race with the VM being destroyed. We continue to detect this case and
bail out of the callback early.
This patch also removes a lot of duplicate code between GCActivityCallback
and JSRunLoopTimer.
* heap/EdenGCActivityCallback.cpp:
(JSC::EdenGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::lastGCLength):
(JSC::EdenGCActivityCallback::deathRate):
* heap/EdenGCActivityCallback.h:
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
(JSC::FullGCActivityCallback::lastGCLength):
(JSC::FullGCActivityCallback::deathRate):
* heap/FullGCActivityCallback.h:
* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::doWork):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
(JSC::GCActivityCallback::cancelTimer): Deleted.
(JSC::GCActivityCallback::nextFireTime): Deleted.
* heap/GCActivityCallback.h:
* heap/Heap.cpp:
(JSC::Heap::reportAbandonedObjectGraph):
(JSC::Heap::notifyIncrementalSweeper):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didAllocate):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::scheduleTimer):
(JSC::IncrementalSweeper::doWork):
(JSC::IncrementalSweeper::doSweep):
(JSC::IncrementalSweeper::sweepNextBlock):
(JSC::IncrementalSweeper::startSweeping):
(JSC::IncrementalSweeper::stopSweeping):
* heap/IncrementalSweeper.h:
* heap/StopIfNecessaryTimer.cpp:
(JSC::StopIfNecessaryTimer::doWork):
(JSC::StopIfNecessaryTimer::scheduleSoon):
* heap/StopIfNecessaryTimer.h:
* runtime/JSRunLoopTimer.cpp:
(JSC::epochTime):
(JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
(JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
(JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
(JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
(JSC::JSRunLoopTimer::Manager::timerDidFire):
(JSC::JSRunLoopTimer::Manager::shared):
(JSC::JSRunLoopTimer::Manager::registerVM):
(JSC::JSRunLoopTimer::Manager::unregisterVM):
(JSC::JSRunLoopTimer::Manager::scheduleTimer):
(JSC::JSRunLoopTimer::Manager::cancelTimer):
(JSC::JSRunLoopTimer::Manager::timeUntilFire):
(JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
(JSC::JSRunLoopTimer::timerDidFire):
(JSC::JSRunLoopTimer::JSRunLoopTimer):
(JSC::JSRunLoopTimer::timeUntilFire):
(JSC::JSRunLoopTimer::setTimeUntilFire):
(JSC::JSRunLoopTimer::cancelTimer):
(JSC::JSRunLoopTimer::setRunLoop): Deleted.
(JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
(JSC::JSRunLoopTimer::scheduleTimer): Deleted.
* runtime/JSRunLoopTimer.h:
(JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
* runtime/PromiseDeferredTimer.cpp:
(JSC::PromiseDeferredTimer::doWork):
(JSC::PromiseDeferredTimer::runRunLoop):
(JSC::PromiseDeferredTimer::addPendingPromise):
(JSC::PromiseDeferredTimer::hasPendingPromise):
(JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
(JSC::PromiseDeferredTimer::cancelPendingPromise):
(JSC::PromiseDeferredTimer::scheduleWorkSoon):
* runtime/PromiseDeferredTimer.h:
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
(JSC::VM::setRunLoop):
(JSC::VM::registerRunLoopTimer): Deleted.
(JSC::VM::unregisterRunLoopTimer): Deleted.
* runtime/VM.h:
(JSC::VM::runLoop const):
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::webAssemblyModuleValidateAsyncInternal):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::webAssemblyModuleInstantinateAsyncInternal):
(JSC::webAssemblyCompileStreamingInternal):
(JSC::webAssemblyInstantiateStreamingInternal):
2018-08-20 Saam barati <sbarati@apple.com>
Inline DataView accesses into DFG/FTL
https://bugs.webkit.org/show_bug.cgi?id=188573
<rdar://problem/43286746>
Reviewed by Michael Saboff.
This patch teaches the DFG/FTL to inline DataView accesses. The approach is
straight forward. We inline the various get*/set* operations as intrinsics.
This patch takes the most obvious approach for now. We OSR exit when:
- An isLittleEndian argument is provided, and is not a boolean.
- The index isn't an integer.
- The |this| isn't a DataView.
- We do an OOB access (or see a neutered array)
To implement this change in a performant way, this patch teaches the macro
assembler how to emit byte swap operations. The semantics of the added functions
are byteSwap + zero extend. This means for the 16bit byte swaps, we need
to actually emit zero extend instructions. For the 32/64bit byte swaps,
the instructions already have these semantics.
This patch is just a lightweight initial implementation. There are some easy
extensions we can do in future changes:
- Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
- CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::byteSwap16):
(JSC::MacroAssemblerARM64::byteSwap32):
(JSC::MacroAssemblerARM64::byteSwap64):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::byteSwap32):
(JSC::MacroAssemblerX86Common::byteSwap16):
(JSC::MacroAssemblerX86Common::byteSwap64):
* assembler/X86Assembler.h:
(JSC::X86Assembler::bswapl_r):
(JSC::X86Assembler::bswapq_r):
(JSC::X86Assembler::shiftInstruction16):
(JSC::X86Assembler::rolw_i8r):
(JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
* assembler/testmasm.cpp:
(JSC::testByteSwap):
(JSC::run):
* bytecode/DataFormat.h:
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationFromClassInfo):
(JSC::speculationFromJSType):
(JSC::speculationFromString):
* bytecode/SpeculatedType.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::dataViewData):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateDataViewObject):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
(JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
(JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
(JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSDataViewPrototype.cpp:
2018-08-20 Yusuke Suzuki <utatane.tea@gmail.com>
[YARR] Extend size of fixed characters bulk matching in 64bit platform
https://bugs.webkit.org/show_bug.cgi?id=181989
Reviewed by Michael Saboff.
This patch extends bulk matching style for fixed-sized characters.
In 64bit environment, the GPR can hold up to 8 characters. This change
reduces the code size since we can fuse multiple `mov` operations into one.
* assembler/LinkBuffer.h:
* runtime/Options.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
(JSC::Yarr::YarrGenerator::compile):
2018-08-20 Devin Rousso <drousso@apple.com>
Web Inspector: allow breakpoints to be set for specific event listeners
https://bugs.webkit.org/show_bug.cgi?id=183138
Reviewed by Joseph Pecoraro.
* inspector/protocol/DOM.json:
Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
takes an `eventListenerId` and toggles whether that specific usage of that event listener
should have a breakpoint and pause before running.
2018-08-20 Mark Lam <mark.lam@apple.com>
Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
https://bugs.webkit.org/show_bug.cgi?id=188769
Reviewed by Michael Saboff.
* llint/LowLevelInterpreter.asm:
- Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
so that libunwind doesn't get confused by the 2 labels pointing to the same
code address.
2018-08-19 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add API to throw exceptions using printf formatted strings
https://bugs.webkit.org/show_bug.cgi?id=188698
Reviewed by Michael Catanzaro.
Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
JSCException using printf formatted string.
* API/glib/JSCContext.cpp:
(jsc_context_throw_printf):
(jsc_context_throw_with_name_printf):
* API/glib/JSCContext.h:
* API/glib/JSCException.cpp:
(jsc_exception_new_printf):
(jsc_exception_new_vprintf):
(jsc_exception_new_with_name_printf):
(jsc_exception_new_with_name_vprintf):
* API/glib/JSCException.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-08-19 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Complete the JSCException API
https://bugs.webkit.org/show_bug.cgi?id=188695
Reviewed by Michael Catanzaro.
Add more API to JSCException:
- New function to get the column number
- New function get exception as string (toString())
- Add the possibility to create exceptions with a custom error name.
- New function to get the exception error name
- New function to get the exception backtrace.
- New convenience function to report a exception by returning a formatted string with all the exception
details, to be shown as a user error message.
* API/glib/JSCContext.cpp:
(jsc_context_throw_with_name):
* API/glib/JSCContext.h:
* API/glib/JSCException.cpp:
(jscExceptionEnsureProperties):
(jsc_exception_new):
(jsc_exception_new_with_name):
(jsc_exception_get_name):
(jsc_exception_get_column_number):
(jsc_exception_get_back_trace_string):
(jsc_exception_to_string):
(jsc_exception_report):
* API/glib/JSCException.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-08-19 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r234852.
https://bugs.webkit.org/show_bug.cgi?id=188736
Workaround is not correct (Requested by yusukesuzuki on
#webkit).
Reverted changeset:
"[JSC] Should not rotate constant with 64"
https://bugs.webkit.org/show_bug.cgi?id=188556
https://trac.webkit.org/changeset/234852
2018-08-19 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[WTF] Add WTF::unalignedLoad and WTF::unalignedStore
https://bugs.webkit.org/show_bug.cgi?id=188716
Reviewed by Darin Adler.
Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
The compiler can emit appropriate mov operations in x86 even if we use these
helper functions.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
(JSC::AssemblerBuffer::putIntegral):
(JSC::AssemblerBuffer::putIntegralUnchecked):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::readCallTarget):
* assembler/X86Assembler.h:
(JSC::X86Assembler::linkJump):
(JSC::X86Assembler::readPointer):
(JSC::X86Assembler::replaceWithHlt):
(JSC::X86Assembler::replaceWithJump):
(JSC::X86Assembler::setPointer):
(JSC::X86Assembler::setInt32):
(JSC::X86Assembler::setInt8):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
2018-08-17 Saam barati <sbarati@apple.com>
intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
https://bugs.webkit.org/show_bug.cgi?id=188707
<rdar://problem/43015442>
Reviewed by Mark Lam.
We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
OSR enter at the head of a block. We verify it's safe to OSR enter by checking
that each incoming value is compatible with its corresponding AbstractValue.
The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
with abstract values that were clobbererd. This meant that the value we're
verifying with at OSR entry effectively has an infinite structure set because
it's clobbered. So, imagine we have code like this:
```
---> We OSR enter here, and we're clobbered here
InvalidationPoint
GetByOffset(@base)
```
The abstract value for @base inside intersectionOfPastValuesAtHead has a
clobberred structure set, so we'd allow an incoming object with any
structure. However, this is wrong because the invalidation point is no
longer fulfilling its promise that it filters the structure that @base has.
We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
as if the incoming value may be live past an InvalidationPoint.
This places a stricter requirement that to safely OSR enter at any basic
block, all incoming values must be compatible as if they lived past
the execution of an invalidation point.
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
2018-08-17 Yusuke Suzuki <yusukesuzuki@slowstart.org> and Fujii Hironori <Hironori.Fujii@sony.com>
[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
https://bugs.webkit.org/show_bug.cgi?id=188589
Reviewed by Mark Lam.
And reviewed by Yusuke Suzuki for Hironori's change.
Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
UBSan dumps bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
- We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
- We make GPRReg and FPRReg int8_t enums.
- We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` to `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
- We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
if `enum : int8_t` is used instead of `enum`.
* assembler/ARM64Assembler.h:
* assembler/ARMAssembler.h:
* assembler/ARMv7Assembler.h:
* assembler/MIPSAssembler.h:
* assembler/MacroAssembler.h:
* assembler/X86Assembler.h:
* jit/CCallHelpers.h:
(JSC::CCallHelpers::clampArrayToSize):
* jit/FPRInfo.h:
* jit/GPRInfo.h:
(JSC::JSValueRegs::JSValueRegs):
(JSC::JSValueRegs::tagGPR const):
(JSC::JSValueRegs::payloadGPR const):
(JSC::JSValueSource::JSValueSource):
(JSC::JSValueSource::unboxedCell):
(JSC::JSValueSource::operator bool const):
(JSC::JSValueSource::base const):
(JSC::JSValueSource::tagGPR const):
(JSC::JSValueSource::payloadGPR const):
(JSC::JSValueSource::hasKnownTag const):
2018-08-16 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] alignas for RegisterState should respect alignof(RegisterState) too
https://bugs.webkit.org/show_bug.cgi?id=188686
Reviewed by Saam Barati.
RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
for `alignof` for RegisterState.
* heap/RegisterState.h:
2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
https://bugs.webkit.org/show_bug.cgi?id=188571
Reviewed by Saam Barati.
UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
without considering alignment of them. This patch adds DisjunctionContext::allocationSize
and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
The size is always rounded to `sizeof(void*)` so that these classes are always allocated
with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
than or equal to `sizeof(void*)` by `static_assert`.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
(JSC::Yarr::Interpreter::allocDisjunctionContext):
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
(JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
(JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
(JSC::Yarr::Interpreter::Interpreter):
(JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
2018-08-15 Keith Miller <keith_miller@apple.com>
Remove evernote hacks
https://bugs.webkit.org/show_bug.cgi?id=188591
Reviewed by Joseph Pecoraro.
The hack was added in 2012 and the evernote app seems to work now.
It's probably not needed anymore.
* API/JSValueRef.cpp:
(JSValueUnprotect):
(evernoteHackNeeded): Deleted.
2018-08-14 Fujii Hironori <Hironori.Fujii@sony.com>
Unreviewed, rolling out r234874 and r234876.
WinCairo port can't compile
Reverted changesets:
"[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
https://bugs.webkit.org/show_bug.cgi?id=188589
https://trac.webkit.org/changeset/234874
"Unreviewed, attempt to fix CLoop build"
https://bugs.webkit.org/show_bug.cgi?id=188589
https://trac.webkit.org/changeset/234876
2018-08-14 Saam barati <sbarati@apple.com>
HashMap<Ref<P>, V> asserts when V is not zero for its empty value
https://bugs.webkit.org/show_bug.cgi?id=188582
Reviewed by Sam Weinig.
* runtime/SparseArrayValueMap.h:
2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
Unreviewed, attempt to fix CLoop build
https://bugs.webkit.org/show_bug.cgi?id=188589
* assembler/MacroAssembler.h:
2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
https://bugs.webkit.org/show_bug.cgi?id=188589
Reviewed by Mark Lam.
Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
UBSan dumps bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
2. We make GPRReg and FPRReg int8_t enums.
3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` to `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
* assembler/ARM64Assembler.h:
* assembler/ARMAssembler.h:
* assembler/ARMv7Assembler.h:
* assembler/MIPSAssembler.h:
* assembler/X86Assembler.h:
* jit/FPRInfo.h:
* jit/GPRInfo.h:
(JSC::JSValueRegs::JSValueRegs):
(JSC::JSValueRegs::tagGPR const):
(JSC::JSValueRegs::payloadGPR const):
(JSC::JSValueSource::JSValueSource):
(JSC::JSValueSource::unboxedCell):
(JSC::JSValueSource::operator bool const):
(JSC::JSValueSource::base const):
(JSC::JSValueSource::tagGPR const):
(JSC::JSValueSource::payloadGPR const):
(JSC::JSValueSource::hasKnownTag const):
2018-08-14 Keith Miller <keith_miller@apple.com>
Add missing availability macro.
https://bugs.webkit.org/show_bug.cgi?id=188563
Reviewed by Mark Lam.
* API/JSValueRef.h:
2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
https://bugs.webkit.org/show_bug.cgi?id=188560
Reviewed by Keith Miller.
While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
`m_wasSeenInJIT { false }`.
* bytecode/GetByIdStatus.h:
2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
https://bugs.webkit.org/show_bug.cgi?id=188557
Reviewed by Mark Lam.
DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
in UBSan's result.
* dfg/DFGPredictionPropagationPhase.cpp:
2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
[JSC] Should not rotate constant with 64
https://bugs.webkit.org/show_bug.cgi?id=188556
Reviewed by Mark Lam.
To defend against JIT splaying, we rotate a constant with a randomly generated seed.
But if a seed becomes 64, the following code performs `value << 64` where value's type
is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
range of [0, 64) not to generate code causing UBs. This is found by UBSan.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::generateRotationSeed):
(JSC::MacroAssembler::rotationBlindConstant):
2018-08-12 Karo Gyoker <karogyoker2+webkit@gmail.com>
Disable JIT on IA-32 without SSE2
https://bugs.webkit.org/show_bug.cgi?id=188476
Reviewed by Michael Catanzaro.
Including missing header (MacroAssembler.h) in case of other
operating systems than Windows too.
* runtime/Options.cpp:
2018-08-11 Karo Gyoker <karogyoker2+webkit@gmail.com>
Disable JIT on IA-32 without SSE2
https://bugs.webkit.org/show_bug.cgi?id=188476
Reviewed by Yusuke Suzuki.
On IA-32 CPUs without SSE2 most of the webpages cannot load
if the JIT is turned on.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2018-08-10 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: console.log fires getters for deep properties
https://bugs.webkit.org/show_bug.cgi?id=187542
<rdar://problem/42873158>
Reviewed by Saam Barati.
* inspector/InjectedScriptSource.js:
(RemoteObject.prototype._isPreviewableObject):
Avoid getters/setters when checking for simple properties to preview.
Here we avoid invoking `object[property]` if it could be a user getter.
2018-08-10 Keith Miller <keith_miller@apple.com>
Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
https://bugs.webkit.org/show_bug.cgi?id=185127
Reviewed by Saam Barati.
Previously, we would truncate the indicies passed to slice to an
int. This meant that the value was not getting properly clamped
later.
This patch also removes a non-spec compliant check that slice was
passed at least one argument.
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::clampValue):
(JSC::ArrayBuffer::clampIndex const):
(JSC::ArrayBuffer::slice const):
* runtime/ArrayBuffer.h:
(JSC::ArrayBuffer::clampValue): Deleted.
(JSC::ArrayBuffer::clampIndex const): Deleted.
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferProtoFuncSlice):
2018-08-10 Yusuke Suzuki <yusukesuzuki@slowstart.org>
Date.UTC should not return NaN with only Year param
https://bugs.webkit.org/show_bug.cgi?id=188378
Reviewed by Keith Miller.
Date.UTC requires one argument for |year|. But the other ones are optional.
This patch fix this handling.
* runtime/DateConstructor.cpp:
(JSC::millisecondsFromComponents):
2018-08-08 Keith Miller <keith_miller@apple.com>
Array.prototype.sort should call @toLength instead of ">>> 0"
https://bugs.webkit.org/show_bug.cgi?id=188430
Reviewed by Saam Barati.
Also add a new function to $vm that will fetch a private
property. This can be useful for running builtin helper functions.
* builtins/ArrayPrototype.js:
(sort):
* tools/JSDollarVM.cpp:
(JSC::functionGetPrivateProperty):
(JSC::JSDollarVM::finishCreation):
2018-08-08 Keith Miller <keith_miller@apple.com>
Array.prototype.sort should throw TypeError if param is a not callable object
https://bugs.webkit.org/show_bug.cgi?id=188382
Reviewed by Saam Barati.
Improve spec compatability by checking if the Array.prototype.sort comparator is a function
before doing anything else.
Also, refactor the various helper functions to use let instead of var.
* builtins/ArrayPrototype.js:
(sort.stringComparator):
(sort.compactSparse):
(sort.compactSlow):
(sort.compact):
(sort.merge):
(sort.mergeSort):
(sort.bucketSort):
(sort.comparatorSort):
(sort.stringSort):
(sort):
2018-08-08 Michael Saboff <msaboff@apple.com>
Yarr JIT should include annotations with dumpDisassembly=true
https://bugs.webkit.org/show_bug.cgi?id=188415
Reviewed by Yusuke Suzuki.
Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
Given that the Yarr creates matching code bu going through the YarrPattern ops forward and
then the backtracking code through the YarrPattern ops in reverse order, the disassembler
needs to do the same think.
Restructured some of the logging code in YarrPattern to eliminate redundent code and factor
out simple methods for what was needed by the YarrDisassembler.
Here is abbreviated sample output after this change.
Generated JIT code for 8-bit regular expression /ab*c/:
Code at [0x469561c03720, 0x469561c03840):
0x469561c03720: push %rbp
0x469561c03721: mov %rsp, %rbp
...
0x469561c03762: sub $0x40, %rsp
== Matching ==
0:OpBodyAlternativeBegin minimum size 2
0x469561c03766: add $0x2, %esi
0x469561c03769: cmp %edx, %esi
0x469561c0376b: ja 0x469561c037fa
1:OpTerm TypePatternCharacter 'a'
0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
0x469561c03776: cmp $0x61, %eax
0x469561c03779: jnz 0x469561c037e9
2:OpTerm TypePatternCharacter 'b' {0,...} greedy
0x469561c0377f: xor %r9d, %r9d
0x469561c03782: cmp %edx, %esi
0x469561c03784: jz 0x469561c037a2
...
0x469561c0379d: jmp 0x469561c03782
0x469561c037a2: mov %r9, 0x8(%rsp)
3:OpTerm TypePatternCharacter 'c'
0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
0x469561c037ac: cmp $0x63, %eax
0x469561c037af: jnz 0x469561c037d1
4:OpBodyAlternativeEnd
0x469561c037b5: add $0x40, %rsp
...
0x469561c037cf: pop %rbp
0x469561c037d0: ret
== Backtracking ==
4:OpBodyAlternativeEnd
3:OpTerm TypePatternCharacter 'c'
2:OpTerm TypePatternCharacter 'b' {0,...} greedy
0x469561c037d1: mov 0x8(%rsp), %r9
...
0x469561c037e4: jmp 0x469561c037a2
1:OpTerm TypePatternCharacter 'a'
0:OpBodyAlternativeBegin minimum size 2
0x469561c037e9: mov %rsi, %rax
...
0x469561c0382f: pop %rbp
0x469561c03830: ret
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* yarr/YarrDisassembler.cpp: Added.
(JSC::Yarr::YarrDisassembler::indentString):
(JSC::Yarr::YarrDisassembler::YarrDisassembler):
(JSC::Yarr::YarrDisassembler::~YarrDisassembler):
(JSC::Yarr::YarrDisassembler::dump):
(JSC::Yarr::YarrDisassembler::dumpHeader):
(JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
(JSC::Yarr::YarrDisassembler::dumpForInstructions):
(JSC::Yarr::YarrDisassembler::dumpDisassembly):
* yarr/YarrDisassembler.h: Added.
(JSC::Yarr::YarrJITInfo::~YarrJITInfo):
(JSC::Yarr::YarrDisassembler::setStartOfCode):
(JSC::Yarr::YarrDisassembler::setForGenerate):
(JSC::Yarr::YarrDisassembler::setForBacktrack):
(JSC::Yarr::YarrDisassembler::setEndOfGenerate):
(JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
(JSC::Yarr::YarrDisassembler::setEndOfCode):
(JSC::Yarr::YarrDisassembler::indentString):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
* yarr/YarrPattern.cpp:
(JSC::Yarr::dumpCharacterClass):
(JSC::Yarr::PatternTerm::dump):
(JSC::Yarr::YarrPattern::dumpPatternString):
(JSC::Yarr::YarrPattern::dumpPattern):
* yarr/YarrPattern.h:
2018-08-05 Darin Adler <darin@apple.com>
[Cocoa] More tweaks and refactoring to prepare for ARC
https://bugs.webkit.org/show_bug.cgi?id=188245
Reviewed by Dan Bernstein.
* API/JSValue.mm: Use __unsafe_unretained.
(JSContainerConvertor::convert): Use auto for compatibility with the above.
* API/JSWrapperMap.mm:
(allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
(-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
* heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
2018-08-07 Yusuke Suzuki <yusukesuzuki@slowstart.org>
Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
https://bugs.webkit.org/show_bug.cgi?id=188328
Reviewed by Saam Barati.
Shrinking the size of PropertyCondition can improve memory consumption by a lot.
For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
as a member field.
This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
PropertyCondition::Kind into uint64_t data in 64bit architecture. Since our address
are within 48bit, we can put PropertyCondition::Kind in this unused bits.
To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
folds a pointer and 1byte type into 64bit data.
This change shrinks PropertyCondition from 24bytes to 16bytes.
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::dumpInContext const):
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
(JSC::PropertyCondition::isStillValid const):
(JSC::PropertyCondition::isWatchableWhenValid const):
* bytecode/PropertyCondition.h:
(JSC::PropertyCondition::PropertyCondition):
(JSC::PropertyCondition::presenceWithoutBarrier):
(JSC::PropertyCondition::absenceWithoutBarrier):
(JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
(JSC::PropertyCondition::equivalenceWithoutBarrier):
(JSC::PropertyCondition::hasPrototypeWithoutBarrier):
(JSC::PropertyCondition::operator bool const):
(JSC::PropertyCondition::kind const):
(JSC::PropertyCondition::uid const):
(JSC::PropertyCondition::hasOffset const):
(JSC::PropertyCondition::hasAttributes const):
(JSC::PropertyCondition::hasPrototype const):
(JSC::PropertyCondition::hasRequiredValue const):
(JSC::PropertyCondition::hash const):
(JSC::PropertyCondition::operator== const):
(JSC::PropertyCondition::isHashTableDeletedValue const):
(JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
2018-08-07 Mark Lam <mark.lam@apple.com>
Use a more specific PtrTag for PlatformRegisters PC and LR.
https://bugs.webkit.org/show_bug.cgi?id=188366
<rdar://problem/42984123>
Reviewed by Keith Miller.
Also fixed a bug in linkRegister(), which was previously returning the PC instead
of LR. It now returns LR.
* runtime/JSCPtrTag.h:
* runtime/MachineContext.h:
(JSC::MachineContext::instructionPointer):
(JSC::MachineContext::linkRegister):
* runtime/VMTraps.cpp:
(JSC::SignalContext::SignalContext):
* tools/SigillCrashAnalyzer.cpp:
(JSC::SignalContext::SignalContext):
2018-08-07 Karo Gyoker <karogyoker2+webkit@gmail.com>
Hardcoded LFENCE instruction
https://bugs.webkit.org/show_bug.cgi?id=188145
Reviewed by Filip Pizlo.
Remove lfence instruction because it is crashing systems without SSE2 and
this is not the way how WebKit mitigates Spectre.
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::willReleaseLock):
2018-08-04 David Kilzer <ddkilzer@apple.com>
REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
<https://webkit.org/b/188331>
Reviewed by Yusuke Suzuki.
* runtime/TemplateObjectDescriptor.h:
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
Use `m_rawstrings` instead of `rawStrings` to calculate hash.
2018-08-03 Saam Barati <sbarati@apple.com>
Give the `jsc` shell the JIT entitlement
https://bugs.webkit.org/show_bug.cgi?id=188324
<rdar://problem/42885806>
Reviewed by Dan Bernstein.
This should help us in ensuring the system jsc is able to JIT.
* Configurations/JSC.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
* allow-jit-macOS.entitlements: Added.
2018-08-03 Alex Christensen <achristensen@webkit.org>
Fix spelling of "overridden"
https://bugs.webkit.org/show_bug.cgi?id=188315
Reviewed by Darin Adler.
* API/JSExport.h:
* inspector/InjectedScriptSource.js:
2018-08-02 Saam Barati <sbarati@apple.com>
Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
https://bugs.webkit.org/show_bug.cgi?id=188271
<rdar://problem/42850884>
Reviewed by Michael Saboff.
This patch defends against the instructionPointer containing garbage bits.
See radar for details.
* runtime/MachineContext.h:
(JSC::MachineContext::instructionPointer):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
* runtime/VMTraps.cpp:
(JSC::SignalContext::SignalContext):
(JSC::SignalContext::tryCreate):
* tools/CodeProfiling.cpp:
(JSC::profilingTimer):
* tools/SigillCrashAnalyzer.cpp:
(JSC::SignalContext::SignalContext):
(JSC::SignalContext::tryCreate):
(JSC::SignalContext::dump):
(JSC::installCrashHandler):
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
2018-08-02 David Fenton <david_fenton@apple.com>
Unreviewed, rolling out r234489.
Caused 50+ crashes and 60+ API failures on iOS
Reverted changeset:
"[WTF] Rename String::format to String::deprecatedFormat"
https://bugs.webkit.org/show_bug.cgi?id=188191
https://trac.webkit.org/changeset/234489
2018-08-01 Yusuke Suzuki <utatane.tea@gmail.com>
Add self.queueMicrotask(f) on DOMWindow
https://bugs.webkit.org/show_bug.cgi?id=188212
Reviewed by Ryosuke Niwa.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/JSGlobalObject.cpp:
(JSC::enqueueJob):
* runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
(JSC::createJSMicrotask):
Export them to WebCore.
(JSC::JSMicrotask::run):
* runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
Add another version of JSMicrotask which does not have arguments.
2018-08-01 Tomas Popela <tpopela@redhat.com>
[WTF] Rename String::format to String::deprecatedFormat
https://bugs.webkit.org/show_bug.cgi?id=188191
Reviewed by Darin Adler.
It should be replaced with string concatenation.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::nameForRegister):
* inspector/InjectedScriptBase.cpp:
(Inspector::InjectedScriptBase::makeCall):
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::BackendDispatcher::getPropertyValue):
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::enable):
(Inspector::InspectorConsoleAgent::stopTiming):
* jsc.cpp:
(FunctionJSCStackFunctor::operator() const):
* parser/Lexer.cpp:
(JSC::Lexer<T>::invalidCharacterMessage const):
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
* runtime/IntlObject.cpp:
(JSC::canonicalizeLocaleList):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::Lexer::lex):
(JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
(JSC::LiteralParser<CharType>::parse):
* runtime/LiteralParser.h:
(JSC::LiteralParser::getErrorMessage):
2018-08-01 Andy VanWagoner <andy@vanwagoner.family>
[INTL] Allow "unknown" formatToParts types
https://bugs.webkit.org/show_bug.cgi?id=188176
Reviewed by Darin Adler.
Originally extra unexpected field types were marked as "literal", since
the spec did not account for these. The ECMA 402 spec has since been updated
to specify "unknown" should be used in these cases.
Currently there is no known way to reach these cases, so no tests can
account for them. Theoretically they shoudn't exist, but they are specified,
just to be safe. Marking them as "unknown" instead of "literal" hopefully
will make such cases easy to identify if they ever happen.
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::partTypeString):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::partTypeString):
2018-08-01 Andy VanWagoner <andy@vanwagoner.family>
[INTL] Implement hourCycle in DateTimeFormat
https://bugs.webkit.org/show_bug.cgi?id=188006
Reviewed by Darin Adler.
Implemented hourCycle, updating both the skeleton and the final pattern.
Changed resolveLocale to assume undefined options are not given and null
strings actually mean null, which removes the tag extension.
* runtime/CommonIdentifiers.h:
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDTFInternal::localeData):
(JSC::IntlDateTimeFormat::setFormatsFromPattern):
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
(JSC::IntlDateTimeFormat::resolvedOptions):
* runtime/IntlDateTimeFormat.h:
* runtime/IntlObject.cpp:
(JSC::resolveLocale):
2018-08-01 Keith Miller <keith_miller@apple.com>
JSArrayBuffer should have its own JSType
https://bugs.webkit.org/show_bug.cgi?id=188231
Reviewed by Saam Barati.
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::createStructure):
* runtime/JSCast.h:
* runtime/JSType.h:
2018-07-31 Keith Miller <keith_miller@apple.com>
Unreviewed 32-bit build fix...
* dfg/DFGSpeculativeJIT32_64.cpp:
2018-07-31 Keith Miller <keith_miller@apple.com>
Long compiling JSC files should not be unified
https://bugs.webkit.org/show_bug.cgi?id=188205
Reviewed by Saam Barati.
The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
to compile. Unifying them means touching anything in the same
bundle as those files takes a long time to incrementally build.
This patch separates those files so they build standalone.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* dfg/DFGSpeculativeJIT64.cpp:
2018-07-31 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
https://bugs.webkit.org/show_bug.cgi?id=188201
Reviewed by Keith Miller.
We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
new one. So this cellLock() is unnecessary for contiguous shape since contigous shaped butterfly
never becomes broken state. This patch removes unnecessary locking.
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
2018-07-31 Guillaume Emont <guijemont@igalia.com>
[JSC] Remove gcc warnings for 32-bit platforms
https://bugs.webkit.org/show_bug.cgi?id=187803
Reviewed by Yusuke Suzuki.
* assembler/MacroAssemblerPrinter.cpp:
(JSC::Printer::printPCRegister):
(JSC::Printer::printRegisterID):
(JSC::Printer::printAddress):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateMisc):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::calculatePokeOffset):
* runtime/Options.cpp:
(JSC::parse):
2018-07-30 Wenson Hsieh <wenson_hsieh@apple.com>
watchOS engineering build is broken after r234227
https://bugs.webkit.org/show_bug.cgi?id=188180
Reviewed by Keith Miller.
In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
`JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
`JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
entirely, since there's no relevant version to replace them with.
* postprocess-headers.sh:
2018-07-30 Keith Miller <keith_miller@apple.com>
Clarify conversion rules for JSValue property access API
https://bugs.webkit.org/show_bug.cgi?id=188179
Reviewed by Geoffrey Garen.
* API/JSValue.h:
2018-07-30 Keith Miller <keith_miller@apple.com>
Rename some JSC API functions/types.
https://bugs.webkit.org/show_bug.cgi?id=188173
Reviewed by Saam Barati.
* API/JSObjectRef.cpp:
(JSObjectHasPropertyForKey):
(JSObjectGetPropertyForKey):
(JSObjectSetPropertyForKey):
(JSObjectDeletePropertyForKey):
(JSObjectHasPropertyKey): Deleted.
(JSObjectGetPropertyKey): Deleted.
(JSObjectSetPropertyKey): Deleted.
(JSObjectDeletePropertyKey): Deleted.
* API/JSObjectRef.h:
* API/JSValue.h:
* API/JSValue.mm:
(-[JSValue valueForProperty:]):
(-[JSValue setValue:forProperty:]):
(-[JSValue deleteProperty:]):
(-[JSValue hasProperty:]):
(-[JSValue defineProperty:descriptor:]):
* API/tests/testapi.cpp:
(TestAPI::run):
2018-07-30 Mark Lam <mark.lam@apple.com>
Add a debugging utility to dump the memory layout of a JSCell.
https://bugs.webkit.org/show_bug.cgi?id=188157
Reviewed by Yusuke Suzuki.
This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
dump the memory contents of a cell and if present, its butterfly for debugging
purposes.
Example usage for JS code when JSC_useDollarVM=true:
$vm.dumpCell(obj);
Example usage from C++ code or from lldb:
(lldb) p JSC::VMInspector::dumpCellMemory(obj)
Some examples of dumps:
<0x104bc8260, Object>
[0] 0x104bc8260 : 0x010016000000016c header
structureID 364 0x16c structure 0x104b721b0
indexingTypeAndMisc 0 0x0 NonArray
type 22 0x16
flags 0 0x0
cellState 1
[1] 0x104bc8268 : 0x0000000000000000 butterfly
[2] 0x104bc8270 : 0xffff000000000007
[3] 0x104bc8278 : 0xffff000000000008
<0x104bb4360, Array>
[0] 0x104bb4360 : 0x0108210b00000171 header
structureID 369 0x171 structure 0x104b723e0
indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
type 33 0x21
flags 8 0x8
cellState 1
[1] 0x104bb4368 : 0x00000008000f4718 butterfly
base 0x8000f46e0
hasIndexingHeader YES hasAnyArrayStorage YES
publicLength 4 vectorLength 7 indexBias 2
preCapacity 2 propertyCapacity 4
<--- preCapacity
[0] 0x8000f46e0 : 0x0000000000000000
[1] 0x8000f46e8 : 0x0000000000000000
<--- propertyCapacity
[2] 0x8000f46f0 : 0x0000000000000000
[3] 0x8000f46f8 : 0x0000000000000000
[4] 0x8000f4700 : 0xffff00000000000d
[5] 0x8000f4708 : 0xffff00000000000c
<--- indexingHeader
[6] 0x8000f4710 : 0x0000000700000004
<--- butterfly
<--- arrayStorage
[7] 0x8000f4718 : 0x0000000000000000
[8] 0x8000f4720 : 0x0000000400000002
<--- indexedProperties
[9] 0x8000f4728 : 0xffff000000000008
[10] 0x8000f4730 : 0xffff000000000009
[11] 0x8000f4738 : 0xffff000000000005
[12] 0x8000f4740 : 0xffff000000000006
[13] 0x8000f4748 : 0x0000000000000000
[14] 0x8000f4750 : 0x0000000000000000
[15] 0x8000f4758 : 0x0000000000000000
<--- unallocated capacity
[16] 0x8000f4760 : 0x0000000000000000
[17] 0x8000f4768 : 0x0000000000000000
[18] 0x8000f4770 : 0x0000000000000000
[19] 0x8000f4778 : 0x0000000000000000
* runtime/JSObject.h:
* tools/JSDollarVM.cpp:
(JSC::functionDumpCell):
(JSC::JSDollarVM::finishCreation):
* tools/VMInspector.cpp:
(JSC::VMInspector::dumpCellMemory):
(JSC::IndentationScope::IndentationScope):
(JSC::IndentationScope::~IndentationScope):
(JSC::VMInspector::dumpCellMemoryToStream):
* tools/VMInspector.h:
2018-07-27 Mark Lam <mark.lam@apple.com>
Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
https://bugs.webkit.org/show_bug.cgi?id=188123
<rdar://problem/42672268>
Reviewed by Keith Miller.
1. Add VM::m_id and Heap::m_lastPhase fields. Both of these fit within existing
padding space in VM and Heap, and should not cost any measurable perf to
initialize and update.
2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
worldState tells us the value we failed the assertion on.
m_lastPhase, m_currentPhase, and m_nextPhase tells us the GC phase transition
that led us here.
VM::id(), and VM::numberOfIDs() tells us how many VMs may be in play.
VM::isEntered() tells us if the current VM is currently executing JS code.
Some of this data may be redundant, but the redundancy is intentional so that
we can double check what is really happening at the time of crash.
* heap/Heap.cpp:
(JSC::asInt):
(JSC::Heap::checkConn):
(JSC::Heap::changePhase):
* heap/Heap.h:
* runtime/VM.cpp:
(JSC::VM::nextID):
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::numberOfIDs):
(JSC::VM::id const):
(JSC::VM::isEntered const):
2018-07-25 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Record CoW status in ArrayProfile correctly
https://bugs.webkit.org/show_bug.cgi?id=187949
Reviewed by Saam Barati.
In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
This is important since our OSR exit compiler records m_observedArrayModes by calculating
ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
Array::Generic DFG nodes.
* bytecode/ArrayProfile.h:
(JSC::asArrayModes):
(JSC::ArrayProfile::ArrayProfile):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* runtime/IndexingType.h:
2018-07-26 Andy VanWagoner <andy@vanwagoner.family>
[INTL] Remove INTL sub-feature compile flags
https://bugs.webkit.org/show_bug.cgi?id=188081
Reviewed by Michael Catanzaro.
Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
The runtime flags are still present, and should be relied on instead.
The defines for ICU features have also been updated to match HAVE() style.
* Configurations/FeatureDefines.xcconfig:
* runtime/IntlPluralRules.cpp:
(JSC::IntlPluralRules::resolvedOptions):
(JSC::IntlPluralRules::select):
* runtime/IntlPluralRules.h:
* runtime/Options.h:
2018-07-26 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Dump IndexingMode in Structure
https://bugs.webkit.org/show_bug.cgi?id=188085
Reviewed by Keith Miller.
Dump IndexingMode instead of IndexingType.
* runtime/Structure.cpp:
(JSC::Structure::dump const):
2018-07-26 Ross Kirsling <ross.kirsling@sony.com>
String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
https://bugs.webkit.org/show_bug.cgi?id=187963
Reviewed by Alex Christensen.
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::BackendDispatcher::dispatch):
* jsc.cpp:
(ModuleName::ModuleName):
(resolvePath):
* runtime/IntlObject.cpp:
(JSC::canonicalizeLanguageTag):
(JSC::removeUnicodeLocaleExtension):
Update split/splitAllowingEmptyEntries usage.
2018-07-26 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r234181 and r234189.
https://bugs.webkit.org/show_bug.cgi?id=188075
These are not needed right now (Requested by thorton on
#webkit).
Reverted changesets:
"Enable Web Content Filtering on watchOS"
https://bugs.webkit.org/show_bug.cgi?id=187979
https://trac.webkit.org/changeset/234181
"HAVE(PARENTAL_CONTROLS) should be true on watchOS"
https://bugs.webkit.org/show_bug.cgi?id=187985
https://trac.webkit.org/changeset/234189
2018-07-26 Mark Lam <mark.lam@apple.com>
arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
https://bugs.webkit.org/show_bug.cgi?id=188065
<rdar://problem/42515726>
Reviewed by Saam Barati.
* runtime/ArrayPrototype.cpp:
(JSC::clearElement):
(JSC::copyElements):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
2018-07-26 Andy VanWagoner <andy@vanwagoner.family>
JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
https://bugs.webkit.org/show_bug.cgi?id=167991
Reviewed by Michael Catanzaro.
Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
Checked locale.isEmpty() before returning it from defaultLocale, so there should be
no more cases where you might have an invalid locale come back from resolveLocale.
* runtime/IntlObject.cpp:
(JSC::convertICULocaleToBCP47LanguageTag):
(JSC::defaultLocale):
(JSC::lookupMatcher):
* runtime/IntlObject.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::intlCollatorAvailableLocales):
(JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
(JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
(JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2018-07-26 Fujii Hironori <Hironori.Fujii@sony.com>
REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
https://bugs.webkit.org/show_bug.cgi?id=188040
Unreviewed build fix for AppleWin port.
* API/tests/testapi.c: Disabled warning C4204.
(testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2018-07-26 Fujii Hironori <Hironori.Fujii@sony.com>
[JSC API] We should support the symbol type in our C/Obj-C API
https://bugs.webkit.org/show_bug.cgi?id=175836
Unreviewed build fix for Windows port.
r234227 introduced a compilation error unresolved external symbol
"int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.
Windows ports are compiling testapi.c as C++ by using /TP switch.
* API/tests/testapi.c:
(main): Removed `::` prefix of ::SetErrorMode Windows API.
(dllLauncherEntryPoint): Converted into C style.
* shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2018-07-25 Keith Miller <keith_miller@apple.com>
[JSC API] We should support the symbol type in our C/Obj-C API
https://bugs.webkit.org/show_bug.cgi?id=175836
Reviewed by Filip Pizlo.
This patch makes the following API additions:
1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
2) Create a symbol on both APIs.
3) Get/Set/Delete/Define property now take ids in the Obj-C API.
4) Add Get/Set/Delete in the C API.
We can do 3 because it is both binary and source compatable with
the existing API. I added (4) because the current property access
APIs only have the ability to get Strings. It was possible to
merge symbols into JSStringRef but that felt confusing and exposes
implementation details of our engine. The new functions match the
same meaning that they have in JS, thus should be forward
compatible with any future language extensions.
Lastly, this patch adds the same availability preproccessing phase
in WebCore to JavaScriptCore, which enables TBA features for
testing on previous releases.
* API/APICast.h:
* API/JSBasePrivate.h:
* API/JSContext.h:
* API/JSContextPrivate.h:
* API/JSContextRef.h:
* API/JSContextRefInternal.h:
* API/JSContextRefPrivate.h:
* API/JSManagedValue.h:
* API/JSObjectRef.cpp:
(JSObjectHasPropertyKey):
(JSObjectGetPropertyKey):
(JSObjectSetPropertyKey):
(JSObjectDeletePropertyKey):
* API/JSObjectRef.h:
* API/JSRemoteInspector.h:
* API/JSTypedArray.h:
* API/JSValue.h:
* API/JSValue.mm:
(+[JSValue valueWithNewSymbolFromDescription:inContext:]):
(performPropertyOperation):
(-[JSValue valueForProperty:valueForProperty:]):
(-[JSValue setValue:forProperty:setValue:forProperty:]):
(-[JSValue deleteProperty:deleteProperty:]):
(-[JSValue hasProperty:hasProperty:]):
(-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
(-[JSValue isSymbol]):
(-[JSValue objectForKeyedSubscript:]):
(-[JSValue setObject:forKeyedSubscript:]):
(-[JSValue valueForProperty:]): Deleted.
(-[JSValue setValue:forProperty:]): Deleted.
(-[JSValue deleteProperty:]): Deleted.
(-[JSValue hasProperty:]): Deleted.
(-[JSValue defineProperty:descriptor:]): Deleted.
* API/JSValueRef.cpp:
(JSValueGetType):
(JSValueIsSymbol):
(JSValueMakeSymbol):
* API/JSValueRef.h:
* API/WebKitAvailability.h:
* API/tests/CurrentThisInsideBlockGetterTest.mm:
* API/tests/CustomGlobalObjectClassTest.c:
* API/tests/DateTests.mm:
* API/tests/JSExportTests.mm:
* API/tests/JSNode.c:
* API/tests/JSNodeList.c:
* API/tests/Node.c:
* API/tests/NodeList.c:
* API/tests/minidom.c:
* API/tests/testapi.c:
(main):
* API/tests/testapi.cpp: Added.
(APIString::APIString):
(APIString::~APIString):
(APIString::operator JSStringRef):
(APIContext::APIContext):
(APIContext::~APIContext):
(APIContext::operator JSGlobalContextRef):
(APIVector::APIVector):
(APIVector::~APIVector):
(APIVector::append):
(testCAPIViaCpp):
(TestAPI::evaluateScript):
(TestAPI::callFunction):
(TestAPI::functionReturnsTrue):
(TestAPI::check):
(TestAPI::checkJSAndAPIMatch):
(TestAPI::interestingObjects):
(TestAPI::interestingKeys):
(TestAPI::run):
* API/tests/testapi.mm:
(testObjectiveCAPIMain):
* JavaScriptCore.xcodeproj/project.pbxproj:
* config.h:
* postprocess-headers.sh:
* shell/CMakeLists.txt:
* testmem/testmem.mm:
2018-07-25 Andy VanWagoner <andy@vanwagoner.family>
[INTL] Call Typed Array elements toLocaleString with locale and options
https://bugs.webkit.org/show_bug.cgi?id=185796
Reviewed by Keith Miller.
Improve ECMA 402 compliance of typed array toLocaleString, passing along
the locale and options to element toLocaleString calls.
* builtins/TypedArrayPrototype.js:
(toLocaleString):
2018-07-25 Andy VanWagoner <andy@vanwagoner.family>
[INTL] Intl constructor lengths should be configurable
https://bugs.webkit.org/show_bug.cgi?id=187960
Reviewed by Saam Barati.
Removed DontDelete from Intl constructor lengths.
Fixed DateTimeFormat formatToParts length.
* runtime/IntlCollatorConstructor.cpp:
(JSC::IntlCollatorConstructor::finishCreation):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::IntlDateTimeFormatConstructor::finishCreation):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatPrototype::finishCreation):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::IntlNumberFormatConstructor::finishCreation):
* runtime/IntlPluralRulesConstructor.cpp:
(JSC::IntlPluralRulesConstructor::finishCreation):
2018-07-24 Fujii Hironori <Hironori.Fujii@sony.com>
runJITThreadLimitTests is failing
https://bugs.webkit.org/show_bug.cgi?id=187886
<rdar://problem/42561966>
Unreviewed build fix for MSVC.
MSVC doen't support ternary operator without second operand.
* dfg/DFGWorklist.cpp:
(JSC::DFG::getNumberOfDFGCompilerThreads):
(JSC::DFG::getNumberOfFTLCompilerThreads):
2018-07-24 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r234183.
https://bugs.webkit.org/show_bug.cgi?id=187983
cause regression in Kraken gaussian blur and desaturate
(Requested by yusukesuzuki on #webkit).
Reverted changeset:
"[JSC] Record CoW status in ArrayProfile"
https://bugs.webkit.org/show_bug.cgi?id=187949
https://trac.webkit.org/changeset/234183
2018-07-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Record CoW status in ArrayProfile
https://bugs.webkit.org/show_bug.cgi?id=187949
Reviewed by Saam Barati.
Once CoW array is converted to non-CoW array, subsequent operations are done for this non-CoW array.
Even though these operations are performed onto both CoW and non-CoW arrays in the code, array profiles
in these code typically record only non-CoW arrays since array profiles hold only one StructureID recently
seen. This results emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
CoW arrays.
In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile.
This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.
baseline patched
stanford-crypto-aes 60.893+-1.346 ^ 57.412+-1.298 ^ definitely 1.0606x faster
stanford-crypto-ccm 62.124+-1.992 58.921+-1.844 might be 1.0544x faster
* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* bytecode/ArrayProfile.h:
(JSC::asArrayModes):
We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.
(JSC::ArrayProfile::ArrayProfile):
(JSC::ArrayProfile::addressOfObservedIndexingModes):
(JSC::ArrayProfile::observedIndexingModes const):
Currently, our macro assembler and offlineasm only support `or32` / `ori` operation onto addresses.
So storing the union of seen IndexingMode in `unsigned` instead.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::withProfile const):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::emitArrayProfilingSiteWithCell):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-07-24 Tim Horton <timothy_horton@apple.com>
Enable Web Content Filtering on watchOS
https://bugs.webkit.org/show_bug.cgi?id=187979
<rdar://problem/42559346>
Reviewed by Wenson Hsieh.
* Configurations/FeatureDefines.xcconfig:
2018-07-24 Tadeu Zagallo <tzagallo@apple.com>
Don't modify Options when setting JIT thread limits
https://bugs.webkit.org/show_bug.cgi?id=187886
Reviewed by Filip Pizlo.
Previously, when setting the JIT thread limit prior to the worklist
initialization, it'd be set via Options, which didn't work if Options
hadn't been initialized yet. Change it to use a static variable in the
Worklist instead.
* API/JSVirtualMachine.mm:
(+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
(+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
* API/tests/testapi.mm:
(testObjectiveCAPIMain):
* dfg/DFGWorklist.cpp:
(JSC::DFG::getNumberOfDFGCompilerThreads):
(JSC::DFG::getNumberOfFTLCompilerThreads):
(JSC::DFG::setNumberOfDFGCompilerThreads):
(JSC::DFG::setNumberOfFTLCompilerThreads):
(JSC::DFG::ensureGlobalDFGWorklist):
(JSC::DFG::ensureGlobalFTLWorklist):
* dfg/DFGWorklist.h:
2018-07-24 Mark Lam <mark.lam@apple.com>
Refactoring: make DFG::Plan a class.
https://bugs.webkit.org/show_bug.cgi?id=187968
Reviewed by Saam Barati.
This patch makes all the DFG::Plan fields private, and provide accessor methods
for them. This makes it easier to reason about how these fields are used and
modified.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleVarargsCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
(JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
(JSC::DFG::CFAPhase::injectOSR):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::notifyCompilingStructureTransition):
* dfg/DFGCommonData.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGFinalizer.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::watchCondition):
(JSC::DFG::Graph::inferredTypeFor):
(JSC::DFG::Graph::requiredRegisterCountForExit):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::registerStructure):
(JSC::DFG::Graph::registerAndWatchStructureTransition):
(JSC::DFG::Graph::assertIsRegistered):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::compilation):
(JSC::DFG::Graph::identifiers):
(JSC::DFG::Graph::watchpoints):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::JITCompiler):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::disassemble):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addWeakReference):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
(JSC::DFG::JITFinalizer::finalizeCommon):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGPhase.cpp:
(JSC::DFG::Phase::beginPhase):
* dfg/DFGPhase.h:
(JSC::DFG::runAndLog):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::computeCompileTimes const):
(JSC::DFG::Plan::reportCompileTimes const):
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::isStillValid):
(JSC::DFG::Plan::reallyAdd):
(JSC::DFG::Plan::notifyCompiling):
(JSC::DFG::Plan::notifyReady):
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
(JSC::DFG::Plan::finalizeAndNotifyCallback):
(JSC::DFG::Plan::key):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
(JSC::DFG::Plan::finalizeInGC):
(JSC::DFG::Plan::isKnownToBeLiveDuringGC):
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
* dfg/DFGPlan.h:
(JSC::DFG::Plan::canTierUpAndOSREnter const):
(JSC::DFG::Plan::vm const):
(JSC::DFG::Plan::codeBlock):
(JSC::DFG::Plan::mode const):
(JSC::DFG::Plan::osrEntryBytecodeIndex const):
(JSC::DFG::Plan::mustHandleValues const):
(JSC::DFG::Plan::threadData const):
(JSC::DFG::Plan::compilation const):
(JSC::DFG::Plan::finalizer const):
(JSC::DFG::Plan::setFinalizer):
(JSC::DFG::Plan::inlineCallFrames const):
(JSC::DFG::Plan::watchpoints):
(JSC::DFG::Plan::identifiers):
(JSC::DFG::Plan::weakReferences):
(JSC::DFG::Plan::transitions):
(JSC::DFG::Plan::recordedStatuses):
(JSC::DFG::Plan::willTryToTierUp const):
(JSC::DFG::Plan::setWillTryToTierUp):
(JSC::DFG::Plan::tierUpInLoopHierarchy):
(JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
(JSC::DFG::Plan::stage const):
(JSC::DFG::Plan::callback const):
(JSC::DFG::Plan::setCallback):
* dfg/DFGPlanInlines.h:
(JSC::DFG::Plan::iterateCodeBlocksForGC):
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* dfg/DFGSafepoint.cpp:
(JSC::DFG::Safepoint::Safepoint):
(JSC::DFG::Safepoint::~Safepoint):
(JSC::DFG::Safepoint::begin):
* dfg/DFGSafepoint.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::isActiveForVM const):
(JSC::DFG::Worklist::compilationState):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::visitWeakReferences):
(JSC::DFG::Worklist::removeDeadPlans):
(JSC::DFG::Worklist::removeNonCompilingPlansForVM):
* dfg/DFGWorklistInlines.h:
(JSC::DFG::Worklist::iterateCodeBlocksForGC):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLFail.cpp:
(JSC::FTL::fail):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
(JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
2018-07-24 Saam Barati <sbarati@apple.com>
Make VM::canUseJIT an inlined function
https://bugs.webkit.org/show_bug.cgi?id=187583
Reviewed by Mark Lam.
We know the answer to this query in initializeThreading after initializing
the executable allocator. This patch makes it so that we just hold this value
in a static variable and have an inlined function that just returns the value
of that static variable.
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/VM.cpp:
(JSC::VM::computeCanUseJIT):
(JSC::VM::canUseJIT): Deleted.
* runtime/VM.h:
(JSC::VM::canUseJIT):
2018-07-24 Mark Lam <mark.lam@apple.com>
Placate exception check verification after recent changes.
https://bugs.webkit.org/show_bug.cgi?id=187961
<rdar://problem/42545394>
Reviewed by Saam Barati.
* runtime/IntlObject.cpp:
(JSC::intlNumberOption):
2018-07-23 Saam Barati <sbarati@apple.com>
need to didFoldClobberWorld when we constant fold GetByVal
https://bugs.webkit.org/show_bug.cgi?id=187917
<rdar://problem/42505095>
Reviewed by Yusuke Suzuki.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2018-07-23 Andy VanWagoner <andy@vanwagoner.family>
[INTL] Language tags are not canonicalized
https://bugs.webkit.org/show_bug.cgi?id=185836
Reviewed by Keith Miller.
Canonicalize language tags, replacing deprecated tag parts with the
preferred values. Remove broken support for algorithmic numbering systems,
that can cause an error in icu, and are not supported in other engines.
Generate the lookup functions from the language-subtag-registry.
Also initialize the UNumberFormat in initializeNumberFormat so any
failures are thrown immediately instead of failing to format later.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/generateIntlCanonicalizeLanguage.py: Added.
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
(JSC::IntlNumberFormat::formatNumber):
(JSC::IntlNumberFormat::formatToParts):
(JSC::IntlNumberFormat::createNumberFormat): Deleted.
* runtime/IntlNumberFormat.h:
* runtime/IntlObject.cpp:
(JSC::intlNumberOption):
(JSC::intlDefaultNumberOption):
(JSC::preferredLanguage):
(JSC::preferredRegion):
(JSC::canonicalLangTag):
(JSC::canonicalizeLanguageTag):
(JSC::defaultLocale):
(JSC::removeUnicodeLocaleExtension):
(JSC::numberingSystemsForLocale):
(JSC::grandfatheredLangTag): Deleted.
* runtime/IntlObject.h:
* runtime/IntlPluralRules.cpp:
(JSC::IntlPluralRules::initializePluralRules):
* runtime/JSGlobalObject.cpp:
(JSC::addMissingScriptLocales):
(JSC::JSGlobalObject::intlCollatorAvailableLocales):
(JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
(JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
(JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
* ucd/language-subtag-registry.txt: Added.
2018-07-23 Mark Lam <mark.lam@apple.com>
Add some asserts to help diagnose a crash.
https://bugs.webkit.org/show_bug.cgi?id=187915
<rdar://problem/42508166>
Reviewed by Michael Saboff.
Add some asserts to verify that an CodeBlock alternative should always have a
non-null jitCode. Also change a RELEASE_ASSERT_NOT_REACHED() in
CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
so that we'll retain the state of the variables that failed the assertion (again
to help with diagnosis).
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setAlternative):
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
2018-07-23 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix no-JIT build.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/InByIdStatus.cpp:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
2018-07-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
https://bugs.webkit.org/show_bug.cgi?id=187891
Reviewed by Saam Barati.
When merging GetByIdVariant and InByIdVariant, we accidentally make merging failed if
two variants are mergeable but they have "Miss" status. We make merging failed if
the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
which patch have more chances to merge variants.
This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
is not related since it does not use this check in Transition case.
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::attemptToMerge):
* bytecode/InByIdVariant.cpp:
(JSC::InByIdVariant::attemptToMerge):
2018-07-22 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Fold GetByVal if the indexed value is non configurable and non writable
https://bugs.webkit.org/show_bug.cgi?id=186462
Reviewed by Saam Barati.
Non-special DontDelete | ReadOnly properties mean that it won't be changed. If DFG AI can retrieve this
property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
changed and we can safely use it. We arrange our existing code to use this protocol.
Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled in x86 architecture
since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86.
This patch improves SixSpeed/template_string_tag.es6.
baseline patched
template_string_tag.es6 237.0301+-4.8374 ^ 9.8779+-0.3628 ^ definitely 23.9960x faster
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* runtime/JSArray.cpp:
(JSC::JSArray::setLengthWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::putIndexedDescriptor):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
(JSC::JSObject::putIndexedDescriptor): Deleted.
* runtime/JSObject.h:
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::SparseArrayValueMap):
(JSC::SparseArrayValueMap::add):
(JSC::SparseArrayValueMap::putDirect):
(JSC::SparseArrayValueMap::getConcurrently):
(JSC::SparseArrayEntry::get const):
(JSC::SparseArrayEntry::getConcurrently const):
(JSC::SparseArrayEntry::put):
(JSC::SparseArrayEntry::getNonSparseMode const):
(JSC::SparseArrayValueMap::visitChildren):
(JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
* runtime/SparseArrayValueMap.h:
(JSC::SparseArrayEntry::SparseArrayEntry):
(JSC::SparseArrayEntry::attributes const):
(JSC::SparseArrayEntry::forceSet):
(JSC::SparseArrayEntry::asValue):
2018-06-02 Filip Pizlo <fpizlo@apple.com>
We should support CreateThis in the FTL
https://bugs.webkit.org/show_bug.cgi?id=164904
Reviewed by Yusuke Suzuki.
This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
inference adventure.
CreateThis in the FTL was a massive regression in raytrace because it disturbed that
benchmark's extremely perverse way of winning at type inference:
- The benchmark wanted polyvariant devirtualization of an object construction helper. But,
the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
benchmark was falling back to other mechanisms...
- The construction helper could not tier up into the FTL. When the DFG compiled it, it would
see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
helper because it had a CreateThis.
- Compilations that inlined the construction helper would have gotten super lucky with
parse-time constant folding, so they knew what structure the input to the get_by_id would
have at parse time. This is only profitable if the get_by_id parsing computed a
GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
cases, we would indeed get a finite number of cases. The parser would then prune those
cases to just one - based on its knowledge of the structure - and that would result in that
get_by_id being folded at parse time to a constant.
- The subsequent op_call would inline based on parse-time knowledge of that constant.
This patch comprehensively fixes these issues, as well as other issues that come up along the
way. The short version is that raytrace was revealing sloppiness in our use of profiling for
type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
i.e. the profiling that considers call context. I was encouraged to do this by the fact that
even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
attack raytrace's problem as a shortcoming of polyvariant profiling.
- Polyvariant profiling now consults every DFG or FTL code block that participated in any
subset of the inline stack that includes the IC we're profiling. For example, if we have
an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
from polyvariant profling. Previously, the polyvariant profiler would only look at the
previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
had inlined bar and then baz. It may not have done that, because those calls could have
required polyvariant profiling that was only available in the FTL.
- A particularly interesting case is when some IC in foo-baseline is also available in
foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
because it warns us of historical polymorphism. Historical polymorphism usually means
future polymorphism. IC status code already had some merging functionality, but I needed to
beef it up a lot to make this work right.
- Inlining an inline cache now preserves as much information as profiling. One challenge of
polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
(that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
say "I don't have such an IC". At this point the DFG compilation that included that IC that
gave us the information that we used to inline the IC is no longer alive. To keep us from
losing the information we learned about the IC, there is now a RecordedStatuses data
structure that preserves the statuses we use for inlining ICs. We also filter those
statuses according to things we learn from AI. This further reduces the risk of information
about an IC being forgotten.
- Exit profiling now considers whether or not an exit happened from inline code. This
protects us in the case where the not-inlined version of an IC exited a lot because of
polymorphism that doesn't exist in the inlined version. So, when using polyvariant
profiling data, we consider only inlined exits.
- CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
surprising that we've had this bug.
Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
prototype access folding in the bytecode parser and constant folder. That would require some
significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
have a test that captures raytrace's behavior in the case that the parser cannot fold the
get_by_id.
This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
compile time regression anytime we fill in FTL coverage.
This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
speeds up and that raytrace slows down, but these changes balance out and don't affect the
overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
see a significant difference. In all three cases the difference is <0.5% with a high p value,
with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
an insignificant infinitesimal slow-down.
Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
flow in a polymorphic constructor while having a bad time, and we'll still compile it.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/ByValInfo.h:
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
(JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
(JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
(JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
(JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
(JSC::BytecodeDumper<Block>::printCallOp):
(JSC::BytecodeDumper<Block>::dumpBytecode):
(JSC::BytecodeDumper<Block>::dumpBlock):
* bytecode/BytecodeDumper.h:
* bytecode/CallLinkInfo.h:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeFromCallLinkInfo):
(JSC::CallLinkStatus::accountForExits):
(JSC::CallLinkStatus::finalize):
(JSC::CallLinkStatus::filter):
(JSC::CallLinkStatus::computeDFGStatuses): Deleted.
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::operator bool const):
(JSC::CallLinkStatus::operator! const): Deleted.
* bytecode/CallVariant.cpp:
(JSC::CallVariant::finalize):
(JSC::CallVariant::filter):
* bytecode/CallVariant.h:
(JSC::CallVariant::operator bool const):
(JSC::CallVariant::operator! const): Deleted.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::getICStatusMap):
(JSC::CodeBlock::resetJITData):
(JSC::CodeBlock::getStubInfoMap): Deleted.
(JSC::CodeBlock::getCallLinkInfoMap): Deleted.
(JSC::CodeBlock::getByValInfoMap): Deleted.
* bytecode/CodeBlock.h:
* bytecode/CodeOrigin.cpp:
(JSC::CodeOrigin::isApproximatelyEqualTo const):
(JSC::CodeOrigin::approximateHash const):
* bytecode/CodeOrigin.h:
(JSC::CodeOrigin::exitingInlineKind const):
* bytecode/DFGExitProfile.cpp:
(JSC::DFG::FrequentExitSite::dump const):
(JSC::DFG::ExitProfile::add):
* bytecode/DFGExitProfile.h:
(JSC::DFG::FrequentExitSite::FrequentExitSite):
(JSC::DFG::FrequentExitSite::operator== const):
(JSC::DFG::FrequentExitSite::subsumes const):
(JSC::DFG::FrequentExitSite::hash const):
(JSC::DFG::FrequentExitSite::inlineKind const):
(JSC::DFG::FrequentExitSite::withInlineKind const):
(JSC::DFG::QueryableExitProfile::hasExitSite const):
(JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
(JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
* bytecode/ExitFlag.cpp: Added.
(JSC::ExitFlag::dump const):
* bytecode/ExitFlag.h: Added.
(JSC::ExitFlag::ExitFlag):
(JSC::ExitFlag::operator| const):
(JSC::ExitFlag::operator|=):
(JSC::ExitFlag::operator& const):
(JSC::ExitFlag::operator&=):
(JSC::ExitFlag::operator bool const):
(JSC::ExitFlag::isSet const):
* bytecode/ExitingInlineKind.cpp: Added.
(WTF::printInternal):
* bytecode/ExitingInlineKind.h: Added.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::slowVersion const):
(JSC::GetByIdStatus::markIfCheap):
(JSC::GetByIdStatus::finalize):
(JSC::GetByIdStatus::hasExitSite): Deleted.
* bytecode/GetByIdStatus.h:
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::markIfCheap):
(JSC::GetByIdVariant::finalize):
* bytecode/GetByIdVariant.h:
* bytecode/ICStatusMap.cpp: Added.
(JSC::ICStatusContext::get const):
(JSC::ICStatusContext::isInlined const):
(JSC::ICStatusContext::inlineKind const):
* bytecode/ICStatusMap.h: Added.
* bytecode/ICStatusUtils.cpp: Added.
(JSC::hasBadCacheExitSite):
* bytecode/ICStatusUtils.h:
* bytecode/InstanceOfStatus.cpp:
(JSC::InstanceOfStatus::computeFor):
* bytecode/InstanceOfStatus.h:
* bytecode/PolyProtoAccessChain.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::hasExitSite):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::slowVersion const):
(JSC::PutByIdStatus::markIfCheap):
(JSC::PutByIdStatus::finalize):
(JSC::PutByIdStatus::filter):
* bytecode/PutByIdStatus.h:
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::markIfCheap):
(JSC::PutByIdVariant::finalize):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::structureSet const):
* bytecode/RecordedStatuses.cpp: Added.
(JSC::RecordedStatuses::operator=):
(JSC::RecordedStatuses::RecordedStatuses):
(JSC::RecordedStatuses::addCallLinkStatus):
(JSC::RecordedStatuses::addGetByIdStatus):
(JSC::RecordedStatuses::addPutByIdStatus):
(JSC::RecordedStatuses::markIfCheap):
(JSC::RecordedStatuses::finalizeWithoutDeleting):
(JSC::RecordedStatuses::finalize):
(JSC::RecordedStatuses::shrinkToFit):
* bytecode/RecordedStatuses.h: Added.
(JSC::RecordedStatuses::RecordedStatuses):
(JSC::RecordedStatuses::forEachVector):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::markIfCheap const):
(JSC::StructureSet::isStillAlive const):
* bytecode/StructureSet.h:
* bytecode/TerminatedCodeOrigin.h: Added.
(JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
(JSC::TerminatedCodeOriginHashTranslator::hash):
(JSC::TerminatedCodeOriginHashTranslator::equal):
* bytecode/Watchpoint.cpp:
(WTF::printInternal):
* bytecode/Watchpoint.h:
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleVarargsCall):
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
(JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGCommonData.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDesiredWatchpoints.h:
(JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasCallLinkStatus):
(JSC::DFG::Node::callLinkStatus):
(JSC::DFG::Node::hasGetByIdStatus):
(JSC::DFG::Node::getByIdStatus):
(JSC::DFG::Node::hasPutByIdStatus):
(JSC::DFG::Node::putByIdStatus):
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitBase.cpp:
(JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::reallyAdd):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
(JSC::DFG::Plan::finalizeInGC):
* dfg/DFGPlan.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::removeDeadPlans):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
(JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::hasEdges const):
(JSC::PolymorphicCallStubRoutine::edges const):
* jit/PolymorphicCallStubRoutine.h:
* profiler/ProfilerBytecodeSequence.cpp:
(JSC::Profiler::BytecodeSequence::BytecodeSequence):
* runtime/FunctionRareData.cpp:
(JSC::FunctionRareData::initializeObjectAllocationProfile):
* runtime/Options.h:
2018-07-21 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
https://bugs.webkit.org/show_bug.cgi?id=187472
Reviewed by Mark Lam.
std::function allocates memory from standard malloc instead of bmalloc. Instead of
using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
This patch attempts to replace std::function with the above WTF function types.
If the function's lifetime can be the same to the stack, we can use ScopedLambda, which
is really efficient. Otherwise, we should use WTF::Function.
For recurring use cases, we can use RecursableLambda.
* assembler/MacroAssembler.cpp:
(JSC::stdFunctionCallback):
(JSC::MacroAssembler::probe):
* assembler/MacroAssembler.h:
* b3/air/AirDisassembler.cpp:
(JSC::B3::Air::Disassembler::dump):
* b3/air/AirDisassembler.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
(JSC::BytecodeGenerator::emitEnumeration):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
(JSC::DFG::SpeculativeJIT::compileMathIC):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::json):
* heap/HeapSnapshotBuilder.h:
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::dump const):
* interpreter/StackVisitor.h:
* runtime/PromiseDeferredTimer.h:
* runtime/VM.cpp:
(JSC::VM::whenIdle):
(JSC::enableProfilerWithRespectToCount):
(JSC::disableProfilerWithRespectToCount):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::addDidPopListener):
* runtime/VMEntryScope.h:
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::verifyCellList):
(JSC::HeapVerifier::validateCell):
(JSC::HeapVerifier::validateJSCell):
* tools/HeapVerifier.h:
2018-07-20 Michael Saboff <msaboff@apple.com>
DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
https://bugs.webkit.org/show_bug.cgi?id=187827
rdar://problem/42146858
Reviewed by Saam Barati.
When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
putByIndex() path that doesn't change the shape.
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
2018-07-20 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Fold GetByVal if Array is CoW
https://bugs.webkit.org/show_bug.cgi?id=186459
Reviewed by Saam Barati.
CoW indexing type means that we now tracks the changes in CoW Array by structure. So DFG has a chance to
fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
to these constant arrays can be folded into an actual constant by this patch.
baseline patched
template_string.es6 4993.9853+-147.5308 ^ 824.1685+-44.1839 ^ definitely 6.0594x faster
template_string_tag.es5 67.0822+-2.0100 ^ 9.3540+-0.5376 ^ definitely 7.1715x faster
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2018-07-20 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=186602
Reviewed by Saam Barati.
JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
change the part of the butterfly, length etc. We prove that our procedure is safe, and
drop the cellLock() here.
* runtime/JSObject.cpp:
(JSC::JSObject::convertContiguousToArrayStorage):
2018-07-20 Saam Barati <sbarati@apple.com>
CompareEq should be using KnownOtherUse instead of OtherUse
https://bugs.webkit.org/show_bug.cgi?id=186814
<rdar://problem/39720030>
Reviewed by Filip Pizlo.
CompareEq in fixup phase was doing this:
insertCheck(child, OtherUse)
setUseKind(child, OtherUse)
And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
lead to edge verification crashing because a phase may optimize the check out
by removing the node. However, AI may not be privy to that optimization, and
AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
backend to actually emit a check here, but it does not.
This exact pattern is why we have KnownXYZ use kinds. This patch introduces
KnownOtherUse and changes the above pattern to be:
insertCheck(child, OtherUse)
setUseKind(child, KnownOtherUse)
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::shouldNotHaveTypeCheck):
(JSC::DFG::checkMayCrashIfInputIsEmpty):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
2018-07-20 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] A bit performance improvement for Object.assign by cleaning up code
https://bugs.webkit.org/show_bug.cgi?id=187852
Reviewed by Saam Barati.
We clean up Object.assign code a bit.
1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
2. canDoFastPath is not necessary. Restructuring the code to clean up things.
It improves the performance a bit.
baseline patched
object-assign.es6 237.7719+-5.5175 231.2856+-4.6907 might be 1.0280x faster
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorAssign):
2018-07-19 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
https://bugs.webkit.org/show_bug.cgi?id=187798
Reviewed by Michael Catanzaro.
Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
jsc_value_new_object() because indeed we are creating a new object. This makes destroy function and vtable
functions to work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
patch adds JSAPIWrapperGlobalObject or that.
* API/glib/JSAPIWrapperGlobalObject.cpp: Added.
(jsAPIWrapperGlobalObjectHandleOwner):
(JSAPIWrapperGlobalObjectHandleOwner::finalize):
(JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
(JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
(JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
(JSC::JSAPIWrapperGlobalObject::finishCreation):
(JSC::JSAPIWrapperGlobalObject::visitChildren):
* API/glib/JSAPIWrapperGlobalObject.h: Added.
(JSC::JSAPIWrapperGlobalObject::wrappedObject const):
(JSC::JSAPIWrapperGlobalObject::setWrappedObject):
* API/glib/JSCClass.cpp:
(isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
(wrappedObjectClass): Return the class of a wrapped object.
(jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
scope extension global object is used instead.
(getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
(setProperty): Ditto.
(hasProperty): Ditto.
(deleteProperty): Ditto.
(getPropertyNames): Ditto.
(jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
* API/glib/JSCClassPrivate.h:
* API/glib/JSCContext.cpp:
(jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
(jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
* API/glib/JSCContext.h:
* API/glib/JSCContextPrivate.h:
* API/glib/JSCWrapperMap.cpp:
(JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
when a JSCClass is used to create the JSAPIWrapperGlobalObject.
(JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
* API/glib/JSCWrapperMap.h:
* GLib.cmake:
2018-07-19 Saam Barati <sbarati@apple.com>
Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
https://bugs.webkit.org/show_bug.cgi?id=187836
<rdar://problem/42409527>
Reviewed by Mark Lam.
We have crash reports that we're crashing on source->getDirect in Object.assign's
fast path. Mark investigated this and determined we end up with a nullptr for
butterfly. This is curious, because source's Structure indicated that it has
out of line properties. My leading hypothesis for this at the moment is a bit
handwavy, but it's essentially:
- We end up firing a watchpoint when assigning to the target (this can happen
if a watchpoint was set up for storing to that particular field)
- When we fire that watchpoint, we end up doing some kind work on the source,
perhaps causing it to flattenDictionaryStructure. Therefore, we end up
mutating source.
I'm not super convinced this is what we're running into, but just by reading
the code, I think it needs to be something similar to this. Seeing if this change
fixes the crasher will give us good data to determine if something like this is
happening or if the bug is something else entirely.
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorAssign):
2018-07-19 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r233998.
https://bugs.webkit.org/show_bug.cgi?id=187815
Not needed. (Requested by mlam|a on #webkit).
Reverted changeset:
"Temporarily mitigate a bug where a source provider is null
when it shouldn't be."
https://bugs.webkit.org/show_bug.cgi?id=187812
https://trac.webkit.org/changeset/233998
2018-07-19 Mark Lam <mark.lam@apple.com>
Temporarily mitigate a bug where a source provider is null when it shouldn't be.
https://bugs.webkit.org/show_bug.cgi?id=187812
<rdar://problem/41192691>
Reviewed by Michael Saboff.
Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
* runtime/Error.cpp:
(JSC::addErrorInfo):
2018-07-19 Keith Rollin <krollin@apple.com>
Adjust WEBCORE_EXPORT annotations for LTO
https://bugs.webkit.org/show_bug.cgi?id=187781
<rdar://problem/42351124>
Reviewed by Alex Christensen.
Continuation of Bug 186944. This bug addresses issues not caught
during the first pass of adjustments. The initial work focussed on
macOS; this one addresses issues found when building for iOS. From
186944:
Adjust a number of places that result in WebKit's
'check-for-weak-vtables-and-externals' script reporting weak external
symbols:
ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
...
These cases are caused by inline methods being marked with WTF_EXPORT
(or related macro) or with an inline function being in a class marked
as such, and when enabling LTO builds.
For the most part, address these by removing the WEBCORE_EXPORT
annotation from inline methods. In some cases, move the implementation
out-of-line because it's the class that has the WEBCORE_EXPORT on it
and removing the annotation from the class would be too disruptive.
Finally, in other cases, move the implementation out-of-line because
check-for-weak-vtables-and-externals still complains when keeping the
implementation inline and removing the annotation; this seems to
typically (but not always) happen with destructors.
* inspector/remote/RemoteAutomationTarget.cpp:
(Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
* inspector/remote/RemoteAutomationTarget.h:
* inspector/remote/RemoteInspector.cpp:
(Inspector::RemoteInspector::Client::~Client):
* inspector/remote/RemoteInspector.h:
2018-07-19 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, check scope after performing getPropertySlot in JSON.stringify
https://bugs.webkit.org/show_bug.cgi?id=187807
Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
that we know that exception occurrence and handle it well.
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::appendNextProperty):
2018-07-18 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Reduce size of AST nodes
https://bugs.webkit.org/show_bug.cgi?id=187689
Reviewed by Mark Lam.
We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
of ParserArena at peak state.
1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
devirtualize a call to the function which are implemented in a final class.
2. Use default member initializers more.
3. And use `nullptr` instead of `0`.
4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
of classes in multiple inheritance. In particular, StatementNode is decreased from 48
to 40. This decreases the sizes of all the derived Statement nodes.
* parser/NodeConstructors.h:
(JSC::Node::Node):
(JSC::StatementNode::StatementNode):
(JSC::ElementNode::ElementNode):
(JSC::ArrayNode::ArrayNode):
(JSC::PropertyListNode::PropertyListNode):
(JSC::ObjectLiteralNode::ObjectLiteralNode):
(JSC::ArgumentListNode::ArgumentListNode):
(JSC::ArgumentsNode::ArgumentsNode):
(JSC::NewExprNode::NewExprNode):
(JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
(JSC::BinaryOpNode::BinaryOpNode):
(JSC::LogicalOpNode::LogicalOpNode):
(JSC::CommaNode::CommaNode):
(JSC::SourceElements::SourceElements):
(JSC::ClauseListNode::ClauseListNode):
* parser/Nodes.cpp:
(JSC::FunctionMetadataNode::FunctionMetadataNode):
(JSC::FunctionMetadataNode::operator== const):
(JSC::FunctionMetadataNode::dump const):
* parser/Nodes.h:
(JSC::BooleanNode::value): Deleted.
(JSC::StringNode::value): Deleted.
(JSC::TemplateExpressionListNode::value): Deleted.
(JSC::TemplateExpressionListNode::next): Deleted.
(JSC::TemplateStringNode::cooked): Deleted.
(JSC::TemplateStringNode::raw): Deleted.
(JSC::TemplateStringListNode::value): Deleted.
(JSC::TemplateStringListNode::next): Deleted.
(JSC::TemplateLiteralNode::templateStrings const): Deleted.
(JSC::TemplateLiteralNode::templateExpressions const): Deleted.
(JSC::TaggedTemplateNode::templateLiteral const): Deleted.
(JSC::ResolveNode::identifier const): Deleted.
(JSC::ElementNode::elision const): Deleted.
(JSC::ElementNode::value): Deleted.
(JSC::ElementNode::next): Deleted.
(JSC::ArrayNode::elements const): Deleted.
(JSC::PropertyNode::expressionName const): Deleted.
(JSC::PropertyNode::name const): Deleted.
(JSC::PropertyNode::type const): Deleted.
(JSC::PropertyNode::needsSuperBinding const): Deleted.
(JSC::PropertyNode::isClassProperty const): Deleted.
(JSC::PropertyNode::isStaticClassProperty const): Deleted.
(JSC::PropertyNode::isInstanceClassProperty const): Deleted.
(JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
(JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
(JSC::PropertyNode::putType const): Deleted.
(JSC::BracketAccessorNode::base const): Deleted.
(JSC::BracketAccessorNode::subscript const): Deleted.
(JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
(JSC::DotAccessorNode::base const): Deleted.
(JSC::DotAccessorNode::identifier const): Deleted.
(JSC::SpreadExpressionNode::expression const): Deleted.
(JSC::ObjectSpreadExpressionNode::expression const): Deleted.
(JSC::BytecodeIntrinsicNode::type const): Deleted.
(JSC::BytecodeIntrinsicNode::emitter const): Deleted.
(JSC::BytecodeIntrinsicNode::identifier const): Deleted.
(JSC::TypeOfResolveNode::identifier const): Deleted.
(JSC::BitwiseNotNode::expr): Deleted.
(JSC::BitwiseNotNode::expr const): Deleted.
(JSC::AssignResolveNode::identifier const): Deleted.
(JSC::ExprStatementNode::expr const): Deleted.
(JSC::ForOfNode::isForAwait const): Deleted.
(JSC::ReturnNode::value): Deleted.
(JSC::ProgramNode::startColumn const): Deleted.
(JSC::ProgramNode::endColumn const): Deleted.
(JSC::EvalNode::startColumn const): Deleted.
(JSC::EvalNode::endColumn const): Deleted.
(JSC::ModuleProgramNode::startColumn const): Deleted.
(JSC::ModuleProgramNode::endColumn const): Deleted.
(JSC::ModuleProgramNode::moduleScopeData): Deleted.
(JSC::ModuleNameNode::moduleName): Deleted.
(JSC::ImportSpecifierNode::importedName): Deleted.
(JSC::ImportSpecifierNode::localName): Deleted.
(JSC::ImportSpecifierListNode::specifiers const): Deleted.
(JSC::ImportSpecifierListNode::append): Deleted.
(JSC::ImportDeclarationNode::specifierList const): Deleted.
(JSC::ImportDeclarationNode::moduleName const): Deleted.
(JSC::ExportAllDeclarationNode::moduleName const): Deleted.
(JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
(JSC::ExportDefaultDeclarationNode::localName const): Deleted.
(JSC::ExportLocalDeclarationNode::declaration const): Deleted.
(JSC::ExportSpecifierNode::exportedName): Deleted.
(JSC::ExportSpecifierNode::localName): Deleted.
(JSC::ExportSpecifierListNode::specifiers const): Deleted.
(JSC::ExportSpecifierListNode::append): Deleted.
(JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
(JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
(JSC::ArrayPatternNode::appendIndex): Deleted.
(JSC::ObjectPatternNode::appendEntry): Deleted.
(JSC::ObjectPatternNode::setContainsRestElement): Deleted.
(JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
(JSC::DestructuringAssignmentNode::bindings): Deleted.
(JSC::FunctionParameters::size const): Deleted.
(JSC::FunctionParameters::append): Deleted.
(JSC::FunctionParameters::isSimpleParameterList const): Deleted.
(JSC::FuncDeclNode::metadata): Deleted.
(JSC::CaseClauseNode::expr const): Deleted.
(JSC::CaseClauseNode::setStartOffset): Deleted.
(JSC::ClauseListNode::getClause const): Deleted.
(JSC::ClauseListNode::getNext const): Deleted.
* runtime/ExceptionHelpers.cpp:
* runtime/JSObject.cpp:
2018-07-18 Yusuke Suzuki <utatane.tea@gmail.com>
JSON.stringify should emit non own properties if second array argument includes
https://bugs.webkit.org/show_bug.cgi?id=187724
Reviewed by Mark Lam.
According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
instead of [[GetOwnProperty]]. It means that we would look up a properties defined
in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
by using EnumerableOwnPropertyNames typically, we can pass replacer array including
property names which does not reside in the own properties. Or we can modify the
own properties by deleting properties while JSON.stringify is calling a getter. So,
using [[Get]] instead of [[GetOwnProperty]] is user-visible.
This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
The performance of Kraken/json-stringify-tinderbox is neutral.
[1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
* runtime/JSONObject.cpp:
(JSC::Stringifier::toJSON):
(JSC::Stringifier::toJSONImpl):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::Holder):
(JSC::Stringifier::Holder::appendNextProperty):
2018-07-18 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
https://bugs.webkit.org/show_bug.cgi?id=187755
Reviewed by Mark Lam.
JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
makes one test262 test failed.
This patch changes the code to using `isArray()`. And we reorder the evaluations of replacer check and ident space check
to align these checks to the spec's order.
[1]: https://tc39.github.io/ecma262/#sec-json.stringify
* runtime/JSONObject.cpp:
(JSC::Stringifier::Stringifier):
2018-07-18 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
https://bugs.webkit.org/show_bug.cgi?id=187752
Reviewed by Mark Lam.
JSON.stringify has an implicit root wrapper object since we would like to call replacer
with a wrapper object and a property name. While we always create this wrapper object,
it is unnecessary if the given replacer is not callable.
This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
baseline patched
json-stringify-tinderbox 39.730+-0.590 ^ 38.853+-0.266 ^ definitely 1.0226x faster
* runtime/JSONObject.cpp:
(JSC::Stringifier::isCallableReplacer const):
(JSC::Stringifier::Stringifier):
(JSC::Stringifier::stringify):
(JSC::Stringifier::appendStringifiedValue):
2018-07-18 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add jsc_context_check_syntax() to GLib API
https://bugs.webkit.org/show_bug.cgi?id=187694
Reviewed by Yusuke Suzuki.
A new function to be able to check for syntax errors without actually evaluating the code.
* API/glib/JSCContext.cpp:
(jsc_context_check_syntax):
* API/glib/JSCContext.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-07-17 Keith Miller <keith_miller@apple.com>
Revert r233630 since it broke internal wasm benchmarks
https://bugs.webkit.org/show_bug.cgi?id=187746
Unreviewed revert.
This patch seems to have broken internal Wasm benchmarks. This
issue is likely due to an underlying bug but let's rollout while
we investigate.
* bytecode/CodeType.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::codeType const):
(JSC::UnlinkedCodeBlock::didOptimize const):
(JSC::UnlinkedCodeBlock::setDidOptimize):
* bytecode/VirtualRegister.h:
(JSC::VirtualRegister::VirtualRegister):
(): Deleted.
2018-07-17 Mark Lam <mark.lam@apple.com>
CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
https://bugs.webkit.org/show_bug.cgi?id=187736
<rdar://problem/42114371>
Reviewed by Michael Saboff.
CodeBlock::baselineVersion() currently checks for a null replacement but does not
account for the fact that that the replacement can also be null due to the
executable having being purged of its codeBlocks due to a memory event (see
ExecutableBase::clearCode()). This patch adds code to account for this.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::baselineVersion):
2018-07-16 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
https://bugs.webkit.org/show_bug.cgi?id=187709
Reviewed by Mark Lam.
UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::shrinkToFit):
2018-07-16 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Make SourceParseMode small
https://bugs.webkit.org/show_bug.cgi?id=187705
Reviewed by Mark Lam.
Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
Originally, this is done to make SourceParseModeSet faster because it is critical in our parser.
But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
* parser/ParserModes.h:
(JSC::SourceParseModeSet::SourceParseModeSet):
(JSC::SourceParseModeSet::contains):
(JSC::SourceParseModeSet::mergeSourceParseModes):
2018-07-12 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
https://bugs.webkit.org/show_bug.cgi?id=187585
Reviewed by Darin Adler.
This patch fixes Generator and AsyncGenerator's prototype issues.
1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
We fix this by changing JSFunction::prototypeForConstruction.
2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
to fix `prototype` issues for AsyncGeneratorMethod.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
(JSC::BytecodeGenerator::emitNewFunction):
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createFunctionMetadata):
* parser/Parser.cpp:
(JSC::getAsynFunctionBodyParseMode):
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
* parser/ParserModes.h:
(JSC::isAsyncGeneratorParseMode):
(JSC::isAsyncGeneratorWrapperParseMode):
(JSC::isAsyncGeneratorFunctionParseMode): Deleted.
* runtime/FunctionExecutable.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::prototypeForConstruction):
(JSC::JSFunction::getOwnPropertySlot):
2018-07-16 Mark Lam <mark.lam@apple.com>
jsc shell's noFTL utility test function should be more robust.
https://bugs.webkit.org/show_bug.cgi?id=187704
<rdar://problem/42231988>
Reviewed by Michael Saboff and Keith Miller.
* jsc.cpp:
(functionNoFTL):
- only setNeverFTLOptimize() if the function is actually a JS function.
2018-07-15 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add API to evaluate code using a given object to store global symbols
https://bugs.webkit.org/show_bug.cgi?id=187639
Reviewed by Michael Catanzaro.
Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
evaluated script are added as properties to the new object instead of to the context global object. This is
similar to JS::Evaluate in spider monkey when a scopeChain parameter is passed, but JSC doesn't support using a
scope for assignments, so we have to create a new context and get its global object. This patch also updates
jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
jsc_context_evaluate_in_object().
* API/glib/JSCContext.cpp:
(jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
(evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
(jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
(jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
* API/glib/JSCContext.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-07-13 Yusuke Suzuki <utatane.tea@gmail.com>
[32bit JSC tests] stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
https://bugs.webkit.org/show_bug.cgi?id=187561
Reviewed by Darin Adler.
This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
We clean up 32bit put_by_val code.
1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
aligns 32bit implementation to 64bit implementation.
2. We add CoW array checking, which is done in 64bit implementation.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_val):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
2018-07-12 Mark Lam <mark.lam@apple.com>
Need to handle CodeBlock::replacement() being null.
https://bugs.webkit.org/show_bug.cgi?id=187569
<rdar://problem/41468692>
Reviewed by Saam Barati.
CodeBlock::replacement() may return a nullptr. Some of our code already checks
for this while others do not. We should add null checks in all the places that
need it.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::hasOptimizedReplacement):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::numberOfDFGCompiles):
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
* dfg/DFGOperations.cpp:
* dfg/DFGToFTLDeferredCompilationCallback.cpp:
(JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
(JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
* jit/JITOperations.cpp:
2018-07-12 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Thread VM& to JSCell::methodTable(VM&)
https://bugs.webkit.org/show_bug.cgi?id=187548
Reviewed by Saam Barati.
This patch threads VM& to methodTable(VM&) and remove methodTable().
We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
* API/APICast.h:
(toJS):
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::className):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::estimatedSize):
* bytecode/CodeBlock.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::estimatedSize):
* bytecode/UnlinkedCodeBlock.h:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::className):
* debugger/DebuggerScope.h:
* heap/Heap.cpp:
(JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
(JSC::GatherHeapSnapshotData::operator() const):
(JSC::Heap::gatherExtraHeapSnapshotData):
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::json):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncToString):
* runtime/ClassInfo.h:
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::estimatedSize):
* runtime/DirectArguments.h:
* runtime/HashMapImpl.cpp:
(JSC::HashMapImpl<HashMapBucket>::estimatedSize):
* runtime/HashMapImpl.h:
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::estimatedSize):
* runtime/JSArrayBuffer.h:
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::estimatedSize):
* runtime/JSBigInt.h:
* runtime/JSCell.cpp:
(JSC::JSCell::dump const):
(JSC::JSCell::estimatedSizeInBytes const):
(JSC::JSCell::estimatedSize):
(JSC::JSCell::className):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
* runtime/JSObject.cpp:
(JSC::JSObject::estimatedSize):
(JSC::JSObject::className):
(JSC::JSObject::toStringName):
(JSC::JSObject::calculatedClassName):
* runtime/JSObject.h:
* runtime/JSProxy.cpp:
(JSC::JSProxy::className):
* runtime/JSProxy.h:
* runtime/JSString.cpp:
(JSC::JSString::estimatedSize):
* runtime/JSString.h:
* runtime/RegExp.cpp:
(JSC::RegExp::estimatedSize):
* runtime/RegExp.h:
* runtime/WeakMapImpl.cpp:
(JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
* runtime/WeakMapImpl.h:
2018-07-11 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r233714.
https://bugs.webkit.org/show_bug.cgi?id=187579
it made tests time out (Requested by pizlo on #webkit).
Reverted changeset:
"Change the reoptimization backoff base to 1.3 from 2"
https://bugs.webkit.org/show_bug.cgi?id=187540
https://trac.webkit.org/changeset/233714
2018-07-11 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add API to allow creating variadic functions
https://bugs.webkit.org/show_bug.cgi?id=187517
Reviewed by Michael Catanzaro.
Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
* API/glib/JSCCallbackFunction.cpp:
(JSC::JSCCallbackFunction::create): Make the parameters optional.
(JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
(JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
JSCValue for the arguments.
(JSC::JSCCallbackFunction::construct): Ditto.
* API/glib/JSCCallbackFunction.h:
* API/glib/JSCClass.cpp:
(jscClassCreateConstructor): Make the parameters optional.
(jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
(jscClassAddMethod): Make the parameters optional.
(jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
* API/glib/JSCClass.h:
* API/glib/JSCValue.cpp:
(jsc_value_object_define_property_accessor): Update now that parameters are optional.
(jscValueFunctionCreate): Make the parameters optional.
(jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
* API/glib/JSCValue.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-07-11 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add jsc_context_get_global_object() to GLib API
https://bugs.webkit.org/show_bug.cgi?id=187515
Reviewed by Michael Catanzaro.
This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
object. However, getting the global object could be useful in some cases, for example to give it a well known
name like 'window' in browsers and GJS.
* API/glib/JSCContext.cpp:
(jsc_context_get_global_object):
* API/glib/JSCContext.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-07-11 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Handle G_TYPE_STRV in glib API
https://bugs.webkit.org/show_bug.cgi?id=187512
Reviewed by Michael Catanzaro.
Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
* API/glib/JSCContext.cpp:
(jscContextGValueToJSValue):
(jscContextJSValueToGValue):
* API/glib/JSCValue.cpp:
(jsc_value_new_array_from_strv):
* API/glib/JSCValue.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-07-11 Yusuke Suzuki <utatane.tea@gmail.com>
Iterator of Array.keys() returns object in wrong order
https://bugs.webkit.org/show_bug.cgi?id=185197
Reviewed by Keith Miller.
* builtins/ArrayIteratorPrototype.js:
(globalPrivate.arrayIteratorValueNext):
(globalPrivate.arrayIteratorKeyNext):
(globalPrivate.arrayIteratorKeyValueNext):
* builtins/AsyncFromSyncIteratorPrototype.js:
* builtins/AsyncGeneratorPrototype.js:
(globalPrivate.asyncGeneratorResolve):
* builtins/GeneratorPrototype.js:
(globalPrivate.generatorResume):
* builtins/MapIteratorPrototype.js:
(globalPrivate.mapIteratorNext):
* builtins/SetIteratorPrototype.js:
(globalPrivate.setIteratorNext):
* builtins/StringIteratorPrototype.js:
(next):
* runtime/IteratorOperations.cpp:
(JSC::createIteratorResultObjectStructure):
(JSC::createIteratorResultObject):
2018-07-10 Mark Lam <mark.lam@apple.com>
constructArray() should always allocate the requested length.
https://bugs.webkit.org/show_bug.cgi?id=187543
<rdar://problem/41947884>
Reviewed by Saam Barati.
Currently, it does not when we're having a bad time. We fix this by switching
back to using tryCreateUninitializedRestricted() exclusively in constructArray().
If we detect that a structure transition is possible before we can initialize
the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
Also enhanced the DisallowScope and ObjectInitializationScope to support this
eager initialization when needed.
* dfg/DFGOperations.cpp:
- the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
the array allocation to always succeed. Adding this RELEASE_ASSERT here makes
it clearer that we encountered an OutOfMemory condition instead of failing in FTL
generated code, which will appear as a generic null pointer dereference.
* runtime/ArrayPrototype.cpp:
(JSC::concatAppendOne):
- the code here clearly wants to check for an allocation failure. Switched to
using JSArray::tryCreate() instead of JSArray::create().
* runtime/DisallowScope.h:
(JSC::DisallowScope::disable):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::eagerlyInitializeButterfly):
(JSC::constructArray):
* runtime/JSArray.h:
* runtime/ObjectInitializationScope.cpp:
(JSC::ObjectInitializationScope::notifyInitialized):
* runtime/ObjectInitializationScope.h:
(JSC::ObjectInitializationScope::notifyInitialized):
2018-07-05 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove getTypedArrayImpl
https://bugs.webkit.org/show_bug.cgi?id=187338
Reviewed by Mark Lam.
getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
are limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
* runtime/ClassInfo.h:
* runtime/GenericTypedArrayView.h:
(JSC::GenericTypedArrayView::data const): Deleted.
(JSC::GenericTypedArrayView::set): Deleted.
(JSC::GenericTypedArrayView::setRange): Deleted.
(JSC::GenericTypedArrayView::zeroRange): Deleted.
(JSC::GenericTypedArrayView::zeroFill): Deleted.
(JSC::GenericTypedArrayView::length const): Deleted.
(JSC::GenericTypedArrayView::item const): Deleted.
(JSC::GenericTypedArrayView::set const): Deleted.
(JSC::GenericTypedArrayView::setNative const): Deleted.
(JSC::GenericTypedArrayView::getRange): Deleted.
(JSC::GenericTypedArrayView::checkInboundData const): Deleted.
(JSC::GenericTypedArrayView::internalByteLength const): Deleted.
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::possiblySharedImpl):
* runtime/JSArrayBufferView.h:
* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
* runtime/JSCell.cpp:
(JSC::JSCell::getTypedArrayImpl): Deleted.
* runtime/JSCell.h:
* runtime/JSDataView.cpp:
(JSC::JSDataView::getTypedArrayImpl): Deleted.
* runtime/JSDataView.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
2018-07-10 Keith Miller <keith_miller@apple.com>
hasOwnProperty returns true for out of bounds property index on TypedArray
https://bugs.webkit.org/show_bug.cgi?id=187520
Reviewed by Saam Barati.
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2018-07-10 Michael Saboff <msaboff@apple.com>
DFG JIT: compileMathIC produces incorrect machine code
https://bugs.webkit.org/show_bug.cgi?id=187537
Reviewed by Saam Barati.
Added checks for constant multipliers in JITMulGenerator::generateInline(). If we have a constant multiplier,
fall back to the fast path generator which handles such cases.
* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):
2018-07-10 Filip Pizlo <fpizlo@apple.com>
Change the reoptimization backoff base to 1.3 from 2
https://bugs.webkit.org/show_bug.cgi?id=187540
Reviewed by Saam Barati.
I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
I also have data that hints that a backoff base of 1 might be even better, but I think that
we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::reoptimizationRetryCounter const):
(JSC::CodeBlock::countReoptimization):
(JSC::CodeBlock::adjustedCounterValue):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
2018-07-10 Mark Lam <mark.lam@apple.com>
[32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
https://bugs.webkit.org/show_bug.cgi?id=187362
<rdar://problem/42027210>
Reviewed by Saam Barati.
On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
value to use for initializing unused properties. Updated an assertion to account
for this.
* runtime/ObjectInitializationScope.cpp:
(JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2018-07-10 Michael Saboff <msaboff@apple.com>
YARR: . doesn't match non-BMP Unicode characters in some cases
https://bugs.webkit.org/show_bug.cgi?id=187248
Reviewed by Geoffrey Garen.
The safety check in optimizeAlternative() for moving character classes that only consist of BMP
characters did not take into account that the character class is inverted. In this case, we
represent '.' as "not a newline" using the newline character class with an inverted check.
Clearly that includes non-BMP characters.
The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
inverted use of that character class.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::optimizeAlternative):
2018-07-09 Mark Lam <mark.lam@apple.com>
Add --traceLLIntExecution and --traceLLIntSlowPath options.
https://bugs.webkit.org/show_bug.cgi?id=187479
Reviewed by Yusuke Suzuki and Saam Barati.
These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
The details:
1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
This makes it such that enabling LLINT_TRACING doesn't means that we'll
continually spammed with logging until we rebuild.
3. Fixed slow path LLINT tracing to work with exception check validation.
* llint/LLIntCommon.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::returnToThrow):
(JSC::LLInt::callToThrow):
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::slowPathLog):
(JSC::LLInt::slowPathLn):
(JSC::LLInt::slowPathLogF):
(JSC::LLInt::slowPathLogLn):
(JSC::LLInt::llint_trace_operand):
(JSC::LLInt::llint_trace_value):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::traceFunctionPrologue):
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPathsExceptions.cpp:
(JSC::CommonSlowPaths::interpreterThrowInCaller):
* runtime/Options.cpp:
(JSC::Options::isAvailable):
* runtime/Options.h:
2018-07-09 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
https://bugs.webkit.org/show_bug.cgi?id=187477
Reviewed by Mark Lam.
Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
However, it is not necessary since JSCells can be reside in a constant buffer.
This patch embeds RegExp* to a constant buffer in UnlinkedCodeBlock and CodeBlock. And remove RegExp
vector from RareData.
We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
(JSC::BytecodeDumper<Block>::dumpBlock):
(JSC::regexpToSourceString): Deleted.
(JSC::regexpName): Deleted.
(JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
* bytecode/BytecodeDumper.h:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::regexp const): Deleted.
(JSC::CodeBlock::numberOfRegExps const): Deleted.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildren):
(JSC::UnlinkedCodeBlock::shrinkToFit):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::addRegExp): Deleted.
(JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
(JSC::UnlinkedCodeBlock::regexp const): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewRegExp):
(JSC::BytecodeGenerator::addRegExp): Deleted.
* bytecompiler/BytecodeGenerator.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_regexp):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContextAssumingStructure const):
* runtime/RegExp.cpp:
(JSC::regexpToSourceString):
(JSC::RegExp::dumpToStream):
* runtime/RegExp.h:
2018-07-09 Brian Burg <bburg@apple.com>
REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
https://bugs.webkit.org/show_bug.cgi?id=187350
<rdar://problem/41728249>
Reviewed by Matt Baker.
Add a new command that toggles whether or not to blackbox internal scripts.
If blackboxed, the scripts will not be shown to the frontend and the debugger will
not pause in source frames from blackboxed scripts. Sometimes we want to break into
those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
that injects scripts.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
(Inspector::InspectorDebuggerAgent::didParseSource):
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/protocol/Debugger.json:
2018-07-09 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Make some data members of UnlinkedCodeBlock private
https://bugs.webkit.org/show_bug.cgi?id=187467
Reviewed by Mark Lam.
This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
We also remove m_numCapturedVars since it is no longer used.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/CodeBlock.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
2018-07-09 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
https://bugs.webkit.org/show_bug.cgi?id=187465
Reviewed by Keith Miller.
ProxyableAccessCase is allocated so frequently and it is persisted so long. Reducing the size
of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
This patch uses a bit complicated layout to reduce ProxyableAccessCase. We add unused bool member
in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
from 104 to 96 since it inherits ProxyableAccessCase.
* bytecode/AccessCase.h:
(JSC::AccessCase::viaProxy const):
(JSC::AccessCase::AccessCase):
* bytecode/ProxyableAccessCase.cpp:
(JSC::ProxyableAccessCase::ProxyableAccessCase):
* bytecode/ProxyableAccessCase.h:
2018-07-08 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix for debug builds after r233630
https://bugs.webkit.org/show_bug.cgi?id=187441
* jit/JIT.cpp:
(JSC::JIT::frameRegisterCountFor):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::frameRegisterCountFor):
2018-07-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize layout of CodeBlock to reduce padding
https://bugs.webkit.org/show_bug.cgi?id=187441
Reviewed by Mark Lam.
Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBlock):
* bytecode/BytecodeUseDef.h:
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numVars const):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::numVars const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::ByteCodeParser):
(JSC::DFG::ByteCodeParser::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::forAllLocalsLiveInBytecode):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct const):
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::dumpRegisters):
* jit/JIT.cpp:
(JSC::JIT::frameRegisterCountFor):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_enter):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_enter):
* jit/JITOperations.cpp:
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::frameRegisterCountFor):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::traceFunctionPrologue):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/JSCJSValue.h:
2018-07-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize padding of UnlinkedCodeBlock to shrink
https://bugs.webkit.org/show_bug.cgi?id=187448
Reviewed by Saam Barati.
We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
* bytecode/CodeType.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::codeType const):
(JSC::UnlinkedCodeBlock::didOptimize const):
(JSC::UnlinkedCodeBlock::setDidOptimize):
* bytecode/VirtualRegister.h:
2018-07-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize padding of InferredTypeTable by using cellLock
https://bugs.webkit.org/show_bug.cgi?id=187447
Reviewed by Mark Lam.
Use cellLock() in InferredTypeTable to guard changes of internal structures.
This is the same usage to SparseArrayValueMap. By using cellLock(), we can
reduce the size of InferredTypeTable from 40 to 32.
* runtime/InferredTypeTable.cpp:
(JSC::InferredTypeTable::visitChildren):
(JSC::InferredTypeTable::get):
(JSC::InferredTypeTable::willStoreValue):
(JSC::InferredTypeTable::makeTop):
* runtime/InferredTypeTable.h:
Using enum class and using. And remove `isEmpty()` since it is not used.
* runtime/Structure.h:
2018-07-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize layout of SourceProvider to reduce padding
https://bugs.webkit.org/show_bug.cgi?id=187440
Reviewed by Mark Lam.
Arrange members of SourceProvider to reduce the size from 80 to 72.
* parser/SourceProvider.cpp:
(JSC::SourceProvider::SourceProvider):
* parser/SourceProvider.h:
2018-07-08 Mark Lam <mark.lam@apple.com>
PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
https://bugs.webkit.org/show_bug.cgi?id=187444
<rdar://problem/41282849>
Reviewed by Saam Barati.
PropertyTable supports C++ iteration by offering begin() and end() methods, and
an iterator class. The begin() methods and the iterator operator++() method uses
PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
However, PropertyTable::skipDeletedEntries() does not prevent the iteration
pointer from being incremented past the end of the table. As a result, we can
iterate past the end of the table. Note that the C++ iteration protocol tests
for the iterator not being equal to the end() value. It does not do a <= test.
If the iterator ever shoots past end, the loop will effectively not terminate.
This issue can manifest if and only if the last entry in the table is a deleted
one, and the key field of the PropertyMapEntry shaped space at the end of the
table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
value.
No test because manifesting this issue requires uncontrollable happenstance where
memory just beyond the end of the table looks like a deleted entry.
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::begin):
(JSC::PropertyTable::end):
(JSC::PropertyTable::begin const):
(JSC::PropertyTable::end const):
(JSC::PropertyTable::skipDeletedEntries):
2018-07-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize layout of SymbolTable to reduce padding
https://bugs.webkit.org/show_bug.cgi?id=187437
Reviewed by Mark Lam.
Arrange the layout of SymbolTable to reduce the size from 88 to 72.
* runtime/SymbolTable.h:
2018-07-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize layout of RegExp to reduce padding
https://bugs.webkit.org/show_bug.cgi?id=187438
Reviewed by Mark Lam.
Reduce the size of RegExp from 168 to 144.
* runtime/RegExp.cpp:
(JSC::RegExp::RegExp):
* runtime/RegExp.h:
* runtime/RegExpKey.h:
* yarr/YarrErrorCode.h:
2018-07-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize layout of ValueProfile to reduce padding
https://bugs.webkit.org/show_bug.cgi?id=187439
Reviewed by Mark Lam.
Reduce the size of ValueProfile from 40 to 32 by reordering members.
* bytecode/ValueProfile.h:
(JSC::ValueProfileBase::ValueProfileBase):
2018-07-05 Saam Barati <sbarati@apple.com>
ProgramExecutable may be collected as we checkSyntax on it
https://bugs.webkit.org/show_bug.cgi?id=187359
<rdar://problem/41832135>
Reviewed by Mark Lam.
The bug was we were passing in a reference to the SourceCode field on ProgramExecutable as
the ProgramExecutable itself may be collected. The fix here is to make a copy
of the field instead of passing in a reference inside of ParserError::toErrorObject.
No new tests here as this was already caught by our iOS JSC testers.
* parser/ParserError.h:
(JSC::ParserError::toErrorObject):
2018-07-04 Tim Horton <timothy_horton@apple.com>
Introduce PLATFORM(IOSMAC)
https://bugs.webkit.org/show_bug.cgi?id=187315
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
* Configurations/FeatureDefines.xcconfig:
2018-07-03 Mark Lam <mark.lam@apple.com>
[32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
https://bugs.webkit.org/show_bug.cgi?id=187255
<rdar://problem/41785257>
Reviewed by Saam Barati.
The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
too: basically, do what the 64-bit code is doing. At present, this change only
serves to pacify an assertion. It is not needed for correctness because the
concurrent GC is not used on 32-bit builds.
This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
test.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_create_this):
2018-07-03 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
https://bugs.webkit.org/show_bug.cgi?id=187290
Reviewed by Saam Barati.
slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
easily calculated from JSType.
This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
* runtime/ClassInfo.h:
* runtime/JSArrayBufferView.cpp:
(JSC::elementSize):
(JSC::JSArrayBufferView::slowDownAndWasteMemory):
* runtime/JSArrayBufferView.h:
* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::possiblySharedBuffer):
* runtime/JSCell.cpp:
(JSC::JSCell::slowDownAndWasteMemory): Deleted.
* runtime/JSCell.h:
* runtime/JSDataView.cpp:
(JSC::JSDataView::slowDownAndWasteMemory): Deleted.
* runtime/JSDataView.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
2018-07-02 Sukolsak Sakshuwong <sukolsak@gmail.com>
Regular expressions with ".?" expressions at the start and the end match the entire string
https://bugs.webkit.org/show_bug.cgi?id=119191
Reviewed by Michael Saboff.
r90962 optimized regular expressions in the form of /.*abc.*/ by looking
for "abc" first and then processing the leading and trailing dot stars
to find the beginning and the end of the match. However, it erroneously
enabled this optimization for regular expressions whose leading or
trailing dots had quantifiers that were not of arbitrary length, e.g.,
/.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
match the entire string when it shouldn't. This patch disables the
optimization for those cases.
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2018-07-02 Sukolsak Sakshuwong <sukolsak@gmail.com>
RegExp.exec returns wrong value with a long integer quantifier
https://bugs.webkit.org/show_bug.cgi?id=187042
Reviewed by Saam Barati.
Prior to this patch, the Yarr parser checked for integer overflow when
parsing quantifiers in regular expressions by adding one digit at a time
to a number and checking if the result got larger. This is wrong;
The parser would fail to detect overflow when parsing, for example,
10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
Another issue was that once it detected overflow, it stopped consuming
the remaining digits. Since it didn't find the closing bracket, it
parsed the quantifier as a normal string instead.
This patch fixes these issues by reading all the digits and checking for
overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
returns the largest possible value (quantifyInfinite in this case). This
matches Chrome [1], Firefox [2], and Edge [3].
[1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
[2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
[3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
* yarr/YarrParser.h:
(JSC::Yarr::Parser::consumeNumber):
2018-07-02 Keith Miller <keith_miller@apple.com>
InstanceOf IC should do generic if the prototype is not an object.
https://bugs.webkit.org/show_bug.cgi?id=187250
Reviewed by Mark Lam.
The old code was wrong for two reasons. First, the AccessCase expected that
the prototype value would be non-null. Second, we would end up returning
false instead of throwing an exception.
* jit/Repatch.cpp:
(JSC::tryCacheInstanceOf):
2018-07-01 Mark Lam <mark.lam@apple.com>
Builtins and host functions should get their own structures.
https://bugs.webkit.org/show_bug.cgi?id=187211
<rdar://problem/41646336>
Reviewed by Saam Barati.
JSFunctions do lazy reification of properties, but ordinary functions applies
different rules of property reification than builtin and host functions. Hence,
we should give builtins and host functions their own structures.
* runtime/JSFunction.cpp:
(JSC::JSFunction::selectStructureForNewFuncExp):
(JSC::JSFunction::create):
(JSC::JSFunction::getOwnPropertySlot):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::hostFunctionStructure const):
(JSC::JSGlobalObject::arrowFunctionStructure const):
(JSC::JSGlobalObject::sloppyFunctionStructure const):
(JSC::JSGlobalObject::strictFunctionStructure const):
2018-07-01 David Kilzer <ddkilzer@apple.com>
JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
<https://webkit.org/b/187233>
Reviewed by Mark Lam.
* b3/air/AirEliminateDeadCode.cpp:
(JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
* parser/ParserTokens.h:
(JSC::JSTextPosition::JSTextPosition): Add struct member
initialization. Simplify default constructor.
(JSC::JSTokenLocation::JSTokenData): Move largest struct in the
union to the beginning to make it easy to zero out all fields.
(JSC::JSTokenLocation::JSTokenLocation): Add struct member
initialization. Simplify default constructor. Note that
`endOffset` was not being initialized previously.
(JSC::JSTextPosition::JSToken): Add struct member initialization
where necessary.
* runtime/IntlObject.cpp:
(JSC::MatcherResult): Add struct member initialization.
2018-06-23 Darin Adler <darin@apple.com>
[Cocoa] Improve ARC compatibility of more code in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=186973
Reviewed by Dan Bernstein.
* API/JSContext.mm:
(WeakContextRef::WeakContextRef): Deleted.
(WeakContextRef::~WeakContextRef): Deleted.
(WeakContextRef::get): Deleted.
(WeakContextRef::set): Deleted.
* API/JSContextInternal.h: Removed unneeded header guards since this is
an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
since neither is used outside the class implementation.
* API/JSManagedValue.mm:
(-[JSManagedValue initWithValue:]): Use a bridging cast.
(-[JSManagedValue dealloc]): Ditto.
(-[JSManagedValue didAddOwner:]): Ditto.
(-[JSManagedValue didRemoveOwner:]): Ditto.
(JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
(JSManagedValueHandleOwner::finalize): Ditto.
* API/JSValue.mm:
(+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
(+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
(-[JSValue valueForProperty:]): Ditto.
(-[JSValue setValue:forProperty:]): Ditto.
(-[JSValue deleteProperty:]): Ditto.
(-[JSValue hasProperty:]): Ditto.
(-[JSValue invokeMethod:withArguments:]): Ditto.
(valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
(valueToArray): Ditto.
(valueToDictionary): Ditto.
(objectToValueWithoutCopy): Ditto.
(objectToValue): Ditto.
* API/JSVirtualMachine.mm:
(+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
(+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
(-[JSVirtualMachine isOldExternalObject:]): Ditto.
(-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
(-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
(-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
(-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
(scanExternalObjectGraph): Ditto.
(scanExternalRememberedSet): Ditto.
* API/JSWrapperMap.mm:
(makeWrapper): Ditto.
(-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
(-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
(tryUnwrapObjcObject): Ditto.
* API/ObjCCallbackFunction.mm:
(blockSignatureContainsClass): Ditto.
(objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
sure we will be keeping this the same way under ARC.
(objCCallbackFunctionForBlock): Use a bridging cast.
* API/ObjcRuntimeExtras.h:
(protocolImplementsProtocol): Use a more specific type that includes the
explicit __unsafe_unretained for copied protocol lists.
(forEachProtocolImplementingProtocol): Ditto.
* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
(Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
(auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
(Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
(Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
2018-06-30 Adam Barth <abarth@webkit.org>
Port JavaScriptCore to OS(FUCHSIA)
https://bugs.webkit.org/show_bug.cgi?id=187223
Reviewed by Daniel Bates.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
* runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
(JSC::MachineContext::stackPointerImpl):
(JSC::MachineContext::framePointerImpl):
(JSC::MachineContext::instructionPointerImpl):
(JSC::MachineContext::argumentPointer<1>):
(JSC::MachineContext::llintInstructionPointer):
2018-06-30 David Kilzer <ddkilzer@apple.com>
Fix clang static analyzer warnings: Garbage return value
<https://webkit.org/b/187224>
Reviewed by Eric Carlson.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
- Use brace initialization for local variables.
* debugger/DebuggerCallFrame.cpp:
(class JSC::LineAndColumnFunctor):
- Use class member initialization for member variables.
2018-06-29 Saam Barati <sbarati@apple.com>
Unreviewed. Try to fix Windows build after r233377
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutable):
2018-06-29 Saam Barati <sbarati@apple.com>
Don't use tracePoints in JS/Wasm entry
https://bugs.webkit.org/show_bug.cgi?id=187196
Reviewed by Mark Lam.
This puts VM entry and Wasm entry tracePoints behind a runtime
option. This is a ~4x speedup on a soon to be released Wasm
benchmark. tracePoints should basically never run more than 50
times a second. Entering the VM and entering Wasm are user controlled,
and can happen hundreds of thousands of times in a second. Depending
on how the Wasm/JS code is structured, this can be disastrous for
performance.
* runtime/Options.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::compileFunctions):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
2018-06-29 Saam Barati <sbarati@apple.com>
We shouldn't recurse into the parser when gathering metadata about various function offsets
https://bugs.webkit.org/show_bug.cgi?id=184074
<rdar://problem/37165897>
Reviewed by Mark Lam.
Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
for that builtin. This required calling into the parser. However, the parser
may throw a stack overflow. We were not able to recover from that. The only
reason we called into the parser here is that we were gathering text offsets
and various metadata for things in the builtin function. This patch writes a
mini parser that figures this information out without calling into the full
parser. (I've also added a debug assert that verifies the mini parser stays in
sync with the full parser.) The result of this is that BuiltinExecutbles::createExecutable
always succeeds.
* builtins/AsyncFromSyncIteratorPrototype.js:
(globalPrivate.createAsyncFromSyncIterator):
(globalPrivate.AsyncFromSyncIteratorConstructor):
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutable):
* builtins/GlobalOperations.js:
(globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
(globalPrivate.speciesConstructor):
(globalPrivate.copyDataProperties):
(globalPrivate.copyDataPropertiesNoExclusions):
* builtins/PromiseOperations.js:
(globalPrivate.newHandledRejectedPromise):
* builtins/RegExpPrototype.js:
(globalPrivate.hasObservableSideEffectsForRegExpMatch):
(globalPrivate.hasObservableSideEffectsForRegExpSplit):
* builtins/StringPrototype.js:
(globalPrivate.hasObservableSideEffectsForStringReplace):
(globalPrivate.getDefaultCollator):
* parser/Nodes.cpp:
(JSC::FunctionMetadataNode::FunctionMetadataNode):
(JSC::FunctionMetadataNode::operator== const):
(JSC::FunctionMetadataNode::dump const):
* parser/Nodes.h:
* parser/Parser.h:
(JSC::parse):
* parser/ParserError.h:
(JSC::ParserError::type const):
* parser/ParserTokens.h:
(JSC::JSTextPosition::operator== const):
(JSC::JSTextPosition::operator!= const):
* parser/SourceCode.h:
(JSC::SourceCode::operator== const):
(JSC::SourceCode::operator!= const):
(JSC::SourceCode::subExpression const):
(JSC::SourceCode::subExpression): Deleted.
2018-06-28 Michael Saboff <msaboff@apple.com>
IsoCellSet::sweepToFreeList() not safe when Full GC in process
https://bugs.webkit.org/show_bug.cgi?id=187157
Reviewed by Mark Lam.
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
is in MarkedBlock::Handle::specializedSweep where it takes into account whether
or not we are in the process of marking during a full GC.
* heap/MarkedBlock.h:
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
2018-06-27 Saam Barati <sbarati@apple.com>
Add some more register state information when we crash in repatchPutById
https://bugs.webkit.org/show_bug.cgi?id=187112
Reviewed by Mark Lam.
This will help us gather info when we end up seeing a ObjectPropertyConditionSet
with an offset that is different than what the put tells us.
* jit/Repatch.cpp:
(JSC::tryCachePutByID):
2018-06-27 Mark Lam <mark.lam@apple.com>
Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
https://bugs.webkit.org/show_bug.cgi?id=187119
Reviewed by Keith Miller.
$vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
should be checking for codeBlock instead of !codeBlock
before using the codeBlock.
I also renamed some other "print" functions to use "dump" instead
to match their underlying C++ code that they will call e.g.
CodeBlock::dumpSource().
* tools/JSDollarVM.cpp:
(WTF::JSDollarVMCallFrame::finishCreation):
(JSC::functionDumpSourceFor):
(JSC::functionDumpBytecodeFor):
(JSC::doPrint):
(JSC::functionDataLog):
(JSC::functionPrint):
(JSC::functionDumpCallFrame):
(JSC::functionDumpStack):
(JSC::JSDollarVM::finishCreation):
(JSC::functionPrintSourceFor): Deleted.
(JSC::functionPrintBytecodeFor): Deleted.
(JSC::doPrintln): Deleted.
(JSC::functionPrintln): Deleted.
(JSC::functionPrintCallFrame): Deleted.
(JSC::functionPrintStack): Deleted.
* tools/VMInspector.cpp:
(JSC::DumpFrameFunctor::DumpFrameFunctor):
(JSC::DumpFrameFunctor::operator() const):
(JSC::VMInspector::dumpCallFrame):
(JSC::VMInspector::dumpStack):
(JSC::VMInspector::dumpValue):
(JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
(JSC::PrintFrameFunctor::operator() const): Deleted.
(JSC::VMInspector::printCallFrame): Deleted.
(JSC::VMInspector::printStack): Deleted.
(JSC::VMInspector::printValue): Deleted.
* tools/VMInspector.h:
2018-06-27 Keith Miller <keith_miller@apple.com>
Add logging to try to diagnose where we get a null structure.
https://bugs.webkit.org/show_bug.cgi?id=187106
Reviewed by Mark Lam.
Add a logging to JSObject::toPrimitive to help diagnose a nullptr
structure crash.
This code should be removed when we fix <rdar://problem/33451840>
* runtime/JSObject.cpp:
(JSC::callToPrimitiveFunction):
* runtime/JSObject.h:
(JSC::JSObject::getPropertySlot):
2018-06-27 Mark Lam <mark.lam@apple.com>
DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
https://bugs.webkit.org/show_bug.cgi?id=187091
<rdar://problem/41395624>
Reviewed by Yusuke Suzuki.
Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
take their slow paths, the slow path would jump back to the fast path right after
the emitted code which clears the unused property values. As a result, the
unused properties are not initialized. We've fixed this by adding the slow path
generators before we emit the code to clear the unused properties.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2018-06-27 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
https://bugs.webkit.org/show_bug.cgi?id=185943
Reviewed by Mark Lam.
ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated.".
This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
but it should be done in a separate patch since it would be performance sensitive.
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayPatternNode::emitDirectBinding):
2018-06-26 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Pass VM& to functions more
https://bugs.webkit.org/show_bug.cgi?id=186241
Reviewed by Mark Lam.
This patch threads VM& to functions requiring VM& more.
* API/JSObjectRef.cpp:
(JSObjectIsConstructor):
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
(JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
(JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
(JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
(JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
* bytecode/CodeBlockJettisoningWatchpoint.cpp:
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/CodeBlockJettisoningWatchpoint.h:
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubClearingWatchpoint::fireInternal):
* bytecode/StructureStubClearingWatchpoint.h:
* bytecode/Watchpoint.cpp:
(JSC::Watchpoint::fire):
(JSC::WatchpointSet::fireAllWatchpoints):
* bytecode/Watchpoint.h:
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
* dfg/DFGAdaptiveStructureWatchpoint.cpp:
(JSC::DFG::AdaptiveStructureWatchpoint::install):
(JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
* dfg/DFGAdaptiveStructureWatchpoint.h:
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
(JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
* runtime/ECMAScriptSpecInternalFunctions.cpp:
(JSC::esSpecIsConstructor):
* runtime/FunctionRareData.cpp:
(JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
* runtime/FunctionRareData.h:
* runtime/InferredStructureWatchpoint.cpp:
(JSC::InferredStructureWatchpoint::fireInternal):
* runtime/InferredStructureWatchpoint.h:
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::createSubclassStructureSlow):
* runtime/InternalFunction.h:
(JSC::InternalFunction::createSubclassStructure):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isConstructor const):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::isConstructor):
(JSC::JSCell::methodTable const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
(JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::finishCreation):
* runtime/ReflectObject.cpp:
(JSC::reflectObjectConstruct):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::setObjectToStringValue):
(JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
(JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
(JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2018-06-26 Mark Lam <mark.lam@apple.com>
eval() is wrong about the LiteralParser never throwing any exceptions.
https://bugs.webkit.org/show_bug.cgi?id=187074
<rdar://problem/41461099>
Reviewed by Saam Barati.
Added the missing exception check, and removed an erroneous assertion.
* interpreter/Interpreter.cpp:
(JSC::eval):
2018-06-26 Saam Barati <sbarati@apple.com>
JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
https://bugs.webkit.org/show_bug.cgi?id=186878
<rdar://problem/40568659>
Reviewed by Filip Pizlo.
This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
our stress GC bots. Before this patch, JSImmutableButterfly was allocated
with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
conservative scan knows to treat it like a butterfly in when we we may be
pointing into the middle of it.
The way we were crashing on the stress GC bots is that our conservative marking
won't do cell visiting for things that are Auxiliary. This meant that if the
stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
that JSImmutableButterfly would not be visited. This is now fixed.
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
* debugger/Debugger.cpp:
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
* heap/Heap.cpp:
(JSC::GatherHeapSnapshotData::operator() const):
(JSC::RemoveDeadHeapSnapshotNodes::operator() const):
(JSC::Heap::globalObjectCount):
(JSC::Heap::objectTypeCounts):
(JSC::Heap::deleteAllCodeBlocks):
* heap/HeapCell.cpp:
(WTF::printInternal):
* heap/HeapCell.h:
(JSC::isJSCellKind):
(JSC::hasInteriorPointers):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
(JSC::HeapUtil::isPointerGCObjectJSCell):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
* runtime/JSGlobalObject.cpp:
* runtime/JSImmutableButterfly.h:
(JSC::JSImmutableButterfly::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* tools/CellProfile.h:
(JSC::CellProfile::CellProfile):
(JSC::CellProfile::isJSCell const):
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::validateCell):
2018-06-26 Mark Lam <mark.lam@apple.com>
Skip some unnecessary work in Interpreter::getStackTrace().
https://bugs.webkit.org/show_bug.cgi?id=187070
Reviewed by Michael Saboff.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::getStackTrace):
2018-06-26 Mark Lam <mark.lam@apple.com>
ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
https://bugs.webkit.org/show_bug.cgi?id=187060
<rdar://problem/41452767>
Reviewed by Keith Miller.
JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
write conversion. Hence, we can return early after the conversion if the vector
length is already sufficient to cover the requested length.
* runtime/JSObject.cpp:
(JSC::JSObject::ensureLengthSlow):
2018-06-26 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r233184.
https://bugs.webkit.org/show_bug.cgi?id=187059
"It regressed JetStream between 5-8%" (Requested by saamyjoon
on #webkit).
Reverted changeset:
"JSImmutableButterfly can't be allocated from a subspace with
HeapCell::Kind::Auxiliary"
https://bugs.webkit.org/show_bug.cgi?id=186878
https://trac.webkit.org/changeset/233184
2018-06-26 Carlos Alberto Lopez Perez <clopez@igalia.com>
REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
https://bugs.webkit.org/show_bug.cgi?id=187051
Reviewed by Mark Lam.
Revert r233065 changes over UnlinkedCodeBlock.h to allow
clang-3.8 to be able to compile this back (with libstdc++5)
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2018-06-26 Tadeu Zagallo <tzagallo@apple.com>
Fix testapi build when DFG_JIT is disabled
https://bugs.webkit.org/show_bug.cgi?id=187038
Reviewed by Mark Lam.
r233158 added a new API and tests for configuring the number of JIT threads, but
the API is only available when DFG_JIT is enabled and so should the tests.
* API/tests/testapi.mm:
(runJITThreadLimitTests):
2018-06-25 Saam Barati <sbarati@apple.com>
JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
https://bugs.webkit.org/show_bug.cgi?id=186878
<rdar://problem/40568659>
Reviewed by Mark Lam.
This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
our stress GC bots. Before this patch, JSImmutableButterfly was allocated
with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
bots is that our conservative marking won't do cell marking for things that
are Auxiliary. This means that if the stack is the only thing pointing to a
JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
not be visited. This patch fixes this bug. This patch also extends our conservative
marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* runtime/JSImmutableButterfly.h:
(JSC::JSImmutableButterfly::subspaceFor):
2018-06-25 Mark Lam <mark.lam@apple.com>
constructArray() should set m_numValuesInVector to the specified length.
https://bugs.webkit.org/show_bug.cgi?id=187010
<rdar://problem/41392167>
Reviewed by Filip Pizlo.
Its client will fill in the storage vector with some values using initializeIndex()
and expects m_numValuesInVector to be set to the length i.e. the number of values
to be initialized.
* runtime/JSArray.cpp:
(JSC::constructArray):
2018-06-25 Mark Lam <mark.lam@apple.com>
Add missing exception check in RegExpObjectInlines.h's collectMatches.
https://bugs.webkit.org/show_bug.cgi?id=187006
<rdar://problem/41418412>
Reviewed by Keith Miller.
* runtime/RegExpObjectInlines.h:
(JSC::collectMatches):
2018-06-25 Tadeu Zagallo <tzagallo@apple.com>
Add API for configuring the number of threads used by DFG and FTL
https://bugs.webkit.org/show_bug.cgi?id=186859
<rdar://problem/41093519>
Reviewed by Filip Pizlo.
Add new private APIs for limiting the number of threads to be used by
the DFG and FTL compilers. It was already possible to configure the
limit through JSC Options, but now it can be changed at runtime, even
in the case when the VM is already running.
Add a test for both cases: when trying to configure the limit before
and after the Worklist has been created, but in order to simulate the
first scenario, we must guarantee that the test runs at the very
beginning, so I also added a check for that.
* API/JSVirtualMachine.mm:
(+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
(+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
* API/JSVirtualMachinePrivate.h:
* API/tests/testapi.mm:
(runJITThreadLimitTests):
(testObjectiveCAPIMain):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::finishCreation):
(JSC::DFG::Worklist::createNewThread):
(JSC::DFG::Worklist::setNumberOfThreads):
* dfg/DFGWorklist.h:
2018-06-25 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove unnecessary PLATFORM guards
https://bugs.webkit.org/show_bug.cgi?id=186995
Reviewed by Mark Lam.
* assembler/AssemblerCommon.h:
(JSC::isIOS):
Add constexpr.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
StackFrame works in all the platforms. If StackFrame::demangle failed,
it just returns std::nullopt. And it is correctly handled in this code.
2018-06-23 Mark Lam <mark.lam@apple.com>
Add more debugging features to $vm.
https://bugs.webkit.org/show_bug.cgi?id=186947
Reviewed by Keith Miller.
Adding the following features:
// We now have println in addition to print.
// println automatically adds a '\n' at the end.
$vm.println("Hello");
// We can now capture some info about a stack frame.
var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
var callerCallerFrame = $vm.callFrame(2);
// We can inspect the following values associated with the frame:
if (currentFrame.valid) {
$vm.println("name is ", currentFrame.name));
// Note: For a WASM frame, all of these will be undefined.
$vm.println("callee is ", $vm.value(currentFrame.callee));
$vm.println("codeBlock is ", currentFrame.codeBlock);
$vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
$vm.println("executable is ", currentFrame.executable);
}
// Note that callee is a JSObject. I printed its $vm.value() because I wanted
// to dataLog its JSValue instead of its toString() result.
// Note that $vm.println() (and $vm.print()) can now print internal JSCells
// (and Symbols) as JSValue dumps. It won't just fail on trying to do a
// toString on a non-object.
// Does what it says about enabling/disabling debugger mode.
$vm.enableDebuggerModeWhenIdle();
$vm.disableDebuggerModeWhenIdle();
* tools/JSDollarVM.cpp:
(WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
(WTF::JSDollarVMCallFrame::createStructure):
(WTF::JSDollarVMCallFrame::create):
(WTF::JSDollarVMCallFrame::finishCreation):
(WTF::JSDollarVMCallFrame::addProperty):
(JSC::functionCallFrame):
(JSC::functionCodeBlockForFrame):
(JSC::codeBlockFromArg):
(JSC::doPrintln):
(JSC::functionPrint):
(JSC::functionPrintln):
(JSC::changeDebuggerModeWhenIdle):
(JSC::functionEnableDebuggerModeWhenIdle):
(JSC::functionDisableDebuggerModeWhenIdle):
(JSC::JSDollarVM::finishCreation):
2018-06-22 Keith Miller <keith_miller@apple.com>
We need to have a getDirectConcurrently for use in the compilers
https://bugs.webkit.org/show_bug.cgi?id=186954
Reviewed by Mark Lam.
It used to be that the propertyStorage of an object never shrunk
so if you called getDirect with some offset it would never be an
OOB read. However, this property storage can shrink when calling
flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
holds the Structure's ConcurrentJSLock while shrinking. This patch,
adds a getDirectConcurrently that will safely try to load from the
butterfly.
* bytecode/ObjectPropertyConditionSet.cpp:
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* runtime/JSObject.h:
(JSC::JSObject::getDirectConcurrently const):
2018-06-22 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Use Ref<> for the result type of non-failing factory functions
https://bugs.webkit.org/show_bug.cgi?id=186920
Reviewed by Darin Adler.
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::ThreadBody::ThreadBody):
(JSC::DFG::Worklist::finishCreation):
* dfg/DFGWorklist.h:
* heap/Heap.cpp:
(JSC::Heap::Thread::Thread):
* heap/Heap.h:
* jit/JITWorklist.cpp:
(JSC::JITWorklist::Thread::Thread):
* jit/JITWorklist.h:
* runtime/VMTraps.cpp:
* runtime/VMTraps.h:
* wasm/WasmWorklist.cpp:
* wasm/WasmWorklist.h:
2018-06-23 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Add user-defined literal for ASCIILiteral
https://bugs.webkit.org/show_bug.cgi?id=186839
Reviewed by Darin Adler.
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::staticFunctionGetter):
(JSC::JSCallbackObject<Parent>::callbackGetter):
* API/JSObjectRef.cpp:
(JSObjectMakeFunctionWithCallback):
* API/JSTypedArray.cpp:
(JSObjectGetArrayBufferBytesPtr):
* API/JSValue.mm:
(valueToArray):
(valueToDictionary):
* API/ObjCCallbackFunction.mm:
(JSC::objCCallbackFunctionCallAsFunction):
(JSC::objCCallbackFunctionCallAsConstructor):
(JSC::ObjCCallbackFunctionImpl::call):
* API/glib/JSCCallbackFunction.cpp:
(JSC::JSCCallbackFunction::call):
(JSC::JSCCallbackFunction::construct):
* API/glib/JSCContext.cpp:
(jscContextJSValueToGValue):
* API/glib/JSCValue.cpp:
(jsc_value_object_define_property_accessor):
(jscValueFunctionCreate):
* builtins/BuiltinUtils.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::nameForRegister):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::emitIteratorNext):
(JSC::BytecodeGenerator::emitIteratorClose):
(JSC::BytecodeGenerator::emitDelegateYield):
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::PostfixNode::emitBytecode):
(JSC::PrefixNode::emitBytecode):
(JSC::AssignErrorNode::emitBytecode):
(JSC::ForInNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::ClassExprNode::emitBytecode):
(JSC::ObjectPatternNode::bindValue const):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend):
(Inspector::ConsoleMessage::clear):
* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::InjectedScript):
(Inspector::InjectedScript::evaluate):
(Inspector::InjectedScript::callFunctionOn):
(Inspector::InjectedScript::evaluateOnCallFrame):
(Inspector::InjectedScript::getFunctionDetails):
(Inspector::InjectedScript::functionDetails):
(Inspector::InjectedScript::getPreview):
(Inspector::InjectedScript::getProperties):
(Inspector::InjectedScript::getDisplayableProperties):
(Inspector::InjectedScript::getInternalProperties):
(Inspector::InjectedScript::getCollectionEntries):
(Inspector::InjectedScript::saveResult):
(Inspector::InjectedScript::wrapCallFrames const):
(Inspector::InjectedScript::wrapObject const):
(Inspector::InjectedScript::wrapJSONString const):
(Inspector::InjectedScript::wrapTable const):
(Inspector::InjectedScript::previewValue const):
(Inspector::InjectedScript::setExceptionValue):
(Inspector::InjectedScript::clearExceptionValue):
(Inspector::InjectedScript::findObjectById const):
(Inspector::InjectedScript::inspectObject):
(Inspector::InjectedScript::releaseObject):
(Inspector::InjectedScript::releaseObjectGroup):
* inspector/InjectedScriptBase.cpp:
(Inspector::InjectedScriptBase::makeEvalCall):
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::injectedScriptForObjectId):
* inspector/InjectedScriptModule.cpp:
(Inspector::InjectedScriptModule::ensureInjected):
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::BackendDispatcher::dispatch):
(Inspector::BackendDispatcher::sendResponse):
(Inspector::BackendDispatcher::sendPendingErrors):
* inspector/JSGlobalObjectConsoleClient.cpp:
(Inspector::JSGlobalObjectConsoleClient::profile):
(Inspector::JSGlobalObjectConsoleClient::profileEnd):
(Inspector::JSGlobalObjectConsoleClient::timeStamp):
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
(Inspector::JSInjectedScriptHost::subtype):
(Inspector::JSInjectedScriptHost::getInternalProperties):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
(Inspector::JSJavaScriptCallFrame::type const):
* inspector/ScriptArguments.cpp:
(Inspector::ScriptArguments::getFirstArgumentAsString):
* inspector/ScriptCallStackFactory.cpp:
(Inspector::extractSourceInformationFromException):
* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::InspectorAgent):
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
(Inspector::InspectorConsoleAgent::clearMessages):
(Inspector::InspectorConsoleAgent::count):
(Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
(Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
(Inspector::buildObjectForBreakpointCookie):
(Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
(Inspector::parseLocation):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::continueToLocation):
(Inspector::InspectorDebuggerAgent::searchInContent):
(Inspector::InspectorDebuggerAgent::getScriptSource):
(Inspector::InspectorDebuggerAgent::getFunctionDetails):
(Inspector::InspectorDebuggerAgent::resume):
(Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
(Inspector::InspectorDebuggerAgent::didParseSource):
(Inspector::InspectorDebuggerAgent::assertPaused):
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::InspectorHeapAgent::InspectorHeapAgent):
(Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
(Inspector::InspectorHeapAgent::getPreview):
(Inspector::InspectorHeapAgent::getRemoteObject):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
(Inspector::InspectorRuntimeAgent::callFunctionOn):
(Inspector::InspectorRuntimeAgent::getPreview):
(Inspector::InspectorRuntimeAgent::getProperties):
(Inspector::InspectorRuntimeAgent::getDisplayableProperties):
(Inspector::InspectorRuntimeAgent::getCollectionEntries):
(Inspector::InspectorRuntimeAgent::saveResult):
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
(Inspector::InspectorRuntimeAgent::getBasicBlocks):
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
* inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
(Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
* inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
(Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
* inspector/scripts/codegen/cpp_generator_templates.py:
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
(CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator):
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
(ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
(ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
* inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
(ObjCFrontendDispatcherImplementationGenerator._generate_event):
(ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
* inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
(ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
* inspector/scripts/codegen/objc_generator_templates.py:
* inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/domain-availability.json-result:
* inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/generic/expected/enum-values.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
* inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
* inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
* inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
* interpreter/CallFrame.cpp:
(JSC::CallFrame::friendlyFunctionName):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::functionName const):
(JSC::StackVisitor::Frame::sourceURL const):
* jit/JIT.cpp:
(JSC::JIT::doMainThreadPreparationBeforeCompile):
* jit/JITOperations.cpp:
* jsc.cpp:
(resolvePath):
(GlobalObject::moduleLoaderImportModule):
(GlobalObject::moduleLoaderResolve):
(functionDescribeArray):
(functionRun):
(functionLoad):
(functionCheckSyntax):
(functionDollarEvalScript):
(functionDollarAgentStart):
(functionDollarAgentReceiveBroadcast):
(functionDollarAgentBroadcast):
(functionTransferArrayBuffer):
(functionLoadModule):
(functionSamplingProfilerStackTraces):
(functionAsyncTestStart):
(functionWebAssemblyMemoryMode):
(runWithOptions):
* parser/Lexer.cpp:
(JSC::Lexer<T>::invalidCharacterMessage const):
(JSC::Lexer<T>::parseString):
(JSC::Lexer<T>::parseComplexEscape):
(JSC::Lexer<T>::parseStringSlowCase):
(JSC::Lexer<T>::parseTemplateLiteral):
(JSC::Lexer<T>::lex):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::Parser::setErrorMessage):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::finishCreation):
* runtime/ArrayBuffer.cpp:
(JSC::errorMesasgeForTransfer):
* runtime/ArrayBufferSharingMode.h:
(JSC::arrayBufferSharingModeName):
* runtime/ArrayConstructor.cpp:
(JSC::constructArrayWithSizeQuirk):
(JSC::isArraySlowInline):
* runtime/ArrayPrototype.cpp:
(JSC::setLength):
(JSC::shift):
(JSC::unshift):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncUnShift):
* runtime/AtomicsObject.cpp:
(JSC::atomicsFuncWait):
(JSC::atomicsFuncWake):
* runtime/BigIntConstructor.cpp:
(JSC::BigIntConstructor::finishCreation):
(JSC::toBigInt):
(JSC::callBigIntConstructor):
* runtime/BigIntObject.cpp:
(JSC::BigIntObject::toStringName):
* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
(JSC::bigIntProtoFuncValueOf):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/ConsoleClient.cpp:
(JSC::ConsoleClient::printConsoleMessageWithArguments):
* runtime/ConsoleObject.cpp:
(JSC::valueOrDefaultLabelString):
(JSC::consoleProtoFuncTime):
(JSC::consoleProtoFuncTimeEnd):
* runtime/DatePrototype.cpp:
(JSC::formatLocaleDate):
(JSC::formateDateInstance):
(JSC::DatePrototype::finishCreation):
(JSC::dateProtoFuncToISOString):
(JSC::dateProtoFuncToJSON):
* runtime/Error.cpp:
(JSC::createNotEnoughArgumentsError):
(JSC::throwSyntaxError):
(JSC::createTypeError):
(JSC::createOutOfMemoryError):
* runtime/Error.h:
(JSC::throwVMError):
* runtime/ErrorConstructor.cpp:
(JSC::ErrorConstructor::finishCreation):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::sanitizedToString):
* runtime/ErrorPrototype.cpp:
(JSC::ErrorPrototype::finishCreation):
(JSC::errorProtoFuncToString):
* runtime/ExceptionFuzz.cpp:
(JSC::doExceptionFuzzing):
* runtime/ExceptionHelpers.cpp:
(JSC::TerminatedExecutionError::defaultValue):
(JSC::createStackOverflowError):
(JSC::createNotAConstructorError):
(JSC::createNotAFunctionError):
(JSC::createNotAnObjectError):
* runtime/GetterSetter.cpp:
(JSC::callSetter):
* runtime/IntlCollator.cpp:
(JSC::sortLocaleData):
(JSC::searchLocaleData):
(JSC::IntlCollator::initializeCollator):
(JSC::IntlCollator::compareStrings):
(JSC::IntlCollator::usageString):
(JSC::IntlCollator::sensitivityString):
(JSC::IntlCollator::caseFirstString):
(JSC::IntlCollator::resolvedOptions):
* runtime/IntlCollator.h:
* runtime/IntlCollatorConstructor.cpp:
(JSC::IntlCollatorConstructor::finishCreation):
* runtime/IntlCollatorPrototype.cpp:
(JSC::IntlCollatorPrototypeGetterCompare):
(JSC::IntlCollatorPrototypeFuncResolvedOptions):
* runtime/IntlDateTimeFormat.cpp:
(JSC::defaultTimeZone):
(JSC::canonicalizeTimeZoneName):
(JSC::IntlDTFInternal::localeData):
(JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
(JSC::IntlDateTimeFormat::weekdayString):
(JSC::IntlDateTimeFormat::eraString):
(JSC::IntlDateTimeFormat::yearString):
(JSC::IntlDateTimeFormat::monthString):
(JSC::IntlDateTimeFormat::dayString):
(JSC::IntlDateTimeFormat::hourString):
(JSC::IntlDateTimeFormat::minuteString):
(JSC::IntlDateTimeFormat::secondString):
(JSC::IntlDateTimeFormat::timeZoneNameString):
(JSC::IntlDateTimeFormat::resolvedOptions):
(JSC::IntlDateTimeFormat::format):
(JSC::IntlDateTimeFormat::partTypeString):
(JSC::IntlDateTimeFormat::formatToParts):
* runtime/IntlDateTimeFormat.h:
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::IntlDateTimeFormatConstructor::finishCreation):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatPrototypeGetterFormat):
(JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
(JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
(JSC::IntlNumberFormat::formatNumber):
(JSC::IntlNumberFormat::styleString):
(JSC::IntlNumberFormat::currencyDisplayString):
(JSC::IntlNumberFormat::resolvedOptions):
(JSC::IntlNumberFormat::partTypeString):
(JSC::IntlNumberFormat::formatToParts):
* runtime/IntlNumberFormat.h:
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::IntlNumberFormatConstructor::finishCreation):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatPrototypeGetterFormat):
(JSC::IntlNumberFormatPrototypeFuncFormatToParts):
(JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
* runtime/IntlObject.cpp:
(JSC::grandfatheredLangTag):
(JSC::canonicalizeLocaleList):
(JSC::resolveLocale):
(JSC::supportedLocales):
* runtime/IntlPluralRules.cpp:
(JSC::IntlPluralRules::initializePluralRules):
(JSC::IntlPluralRules::resolvedOptions):
(JSC::IntlPluralRules::select):
* runtime/IntlPluralRulesConstructor.cpp:
(JSC::IntlPluralRulesConstructor::finishCreation):
* runtime/IntlPluralRulesPrototype.cpp:
(JSC::IntlPluralRulesPrototypeFuncSelect):
(JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
* runtime/IteratorOperations.cpp:
(JSC::iteratorNext):
(JSC::iteratorClose):
(JSC::hasIteratorMethod):
(JSC::iteratorMethod):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::put):
(JSC::JSArray::setLengthWithArrayStorage):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::pop):
* runtime/JSArray.h:
* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::finishCreation):
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferProtoFuncSlice):
(JSC::arrayBufferProtoGetterFuncByteLength):
(JSC::sharedArrayBufferProtoGetterFuncByteLength):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::toStringName):
* runtime/JSArrayInlines.h:
(JSC::JSArray::pushInline):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::divide):
(JSC::JSBigInt::remainder):
(JSC::JSBigInt::toNumber const):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
(JSC::JSValue::putToPrimitiveByIndex):
(JSC::JSValue::toStringSlowCase const):
* runtime/JSCJSValueInlines.h:
(JSC::toPreferredPrimitiveType):
* runtime/JSDataView.cpp:
(JSC::JSDataView::create):
(JSC::JSDataView::put):
(JSC::JSDataView::defineOwnProperty):
* runtime/JSDataViewPrototype.cpp:
(JSC::getData):
(JSC::setData):
* runtime/JSFunction.cpp:
(JSC::JSFunction::callerGetter):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncIndexOf):
(JSC::genericTypedArrayViewProtoFuncLastIndexOf):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::name const):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::encode):
(JSC::decode):
(JSC::globalFuncProtoSetter):
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSMap.cpp:
(JSC::JSMap::toStringName):
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::put):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::put):
(JSC::JSModuleNamespaceObject::putByIndex):
(JSC::JSModuleNamespaceObject::defineOwnProperty):
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):
(JSC::JSONProtoFuncParse):
(JSC::JSONProtoFuncStringify):
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
(JSC::JSObject::calculatedClassName):
(JSC::ordinarySetSlow):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::callToPrimitiveFunction):
(JSC::JSObject::ordinaryToPrimitive const):
(JSC::JSObject::defaultHasInstance):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::validateAndApplyPropertyDescriptor):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::putInlineForJSObject):
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::finishCreation):
* runtime/JSSet.cpp:
(JSC::JSSet::toStringName):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* runtime/JSTypedArrayViewConstructor.cpp:
(JSC::constructTypedArrayView):
* runtime/JSTypedArrayViewPrototype.cpp:
(JSC::typedArrayViewPrivateFuncLength):
(JSC::typedArrayViewProtoFuncSet):
(JSC::typedArrayViewProtoFuncCopyWithin):
(JSC::typedArrayViewProtoFuncLastIndexOf):
(JSC::typedArrayViewProtoFuncIndexOf):
(JSC::typedArrayViewProtoFuncJoin):
(JSC::typedArrayViewProtoGetterFuncBuffer):
(JSC::typedArrayViewProtoGetterFuncLength):
(JSC::typedArrayViewProtoGetterFuncByteLength):
(JSC::typedArrayViewProtoGetterFuncByteOffset):
(JSC::typedArrayViewProtoFuncReverse):
(JSC::typedArrayViewPrivateFuncSubarrayCreate):
(JSC::typedArrayViewProtoFuncSlice):
(JSC::JSTypedArrayViewPrototype::finishCreation):
* runtime/JSWeakMap.cpp:
(JSC::JSWeakMap::toStringName):
* runtime/JSWeakSet.cpp:
(JSC::JSWeakSet::toStringName):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::Lexer::lex):
(JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
(JSC::LiteralParser<CharType>::Lexer::lexNumber):
(JSC::LiteralParser<CharType>::parse):
* runtime/LiteralParser.h:
(JSC::LiteralParser::getErrorMessage):
* runtime/Lookup.cpp:
(JSC::reifyStaticAccessor):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/MapPrototype.cpp:
(JSC::getMap):
* runtime/NullSetterFunction.cpp:
(JSC::NullSetterFunctionInternal::callReturnUndefined):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToExponential):
(JSC::numberProtoFuncToFixed):
(JSC::numberProtoFuncToPrecision):
(JSC::extractToStringRadixArgument):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorSetPrototypeOf):
(JSC::objectConstructorAssign):
(JSC::objectConstructorValues):
(JSC::toPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
(JSC::objectConstructorDefineProperties):
(JSC::objectConstructorCreate):
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
* runtime/Operations.cpp:
(JSC::jsAddSlowCase):
* runtime/Operations.h:
(JSC::jsSub):
(JSC::jsMul):
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/ProxyConstructor.cpp:
(JSC::makeRevocableProxy):
(JSC::proxyRevocableConstructorThrowError):
(JSC::ProxyConstructor::finishCreation):
(JSC::constructProxyObject):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::toStringName):
(JSC::ProxyObject::finishCreation):
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):
* runtime/ReflectObject.cpp:
(JSC::reflectObjectConstruct):
(JSC::reflectObjectDefineProperty):
(JSC::reflectObjectGet):
(JSC::reflectObjectGetOwnPropertyDescriptor):
(JSC::reflectObjectGetPrototypeOf):
(JSC::reflectObjectIsExtensible):
(JSC::reflectObjectOwnKeys):
(JSC::reflectObjectPreventExtensions):
(JSC::reflectObjectSet):
(JSC::reflectObjectSetPrototypeOf):
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::finishCreation):
(JSC::toFlags):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::defineOwnProperty):
* runtime/RegExpObject.h:
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncCompile):
(JSC::regExpProtoGetterGlobal):
(JSC::regExpProtoGetterIgnoreCase):
(JSC::regExpProtoGetterMultiline):
(JSC::regExpProtoGetterDotAll):
(JSC::regExpProtoGetterSticky):
(JSC::regExpProtoGetterUnicode):
(JSC::regExpProtoGetterFlags):
(JSC::regExpProtoGetterSourceInternal):
(JSC::regExpProtoGetterSource):
* runtime/RuntimeType.cpp:
(JSC::runtimeTypeAsString):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::StackFrame::displayName):
(JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/SetPrototype.cpp:
(JSC::getSet):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::putEntry):
(JSC::SparseArrayValueMap::putDirect):
(JSC::SparseArrayEntry::put):
* runtime/StackFrame.cpp:
(JSC::StackFrame::sourceURL const):
(JSC::StackFrame::functionName const):
* runtime/StringConstructor.cpp:
(JSC::stringFromCodePoint):
* runtime/StringObject.cpp:
(JSC::StringObject::put):
(JSC::StringObject::putByIndex):
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::toLocaleCase):
(JSC::stringProtoFuncNormalize):
* runtime/Symbol.cpp:
(JSC::Symbol::toNumber const):
* runtime/SymbolConstructor.cpp:
(JSC::symbolConstructorKeyFor):
* runtime/SymbolObject.cpp:
(JSC::SymbolObject::toStringName):
* runtime/SymbolPrototype.cpp:
(JSC::SymbolPrototype::finishCreation):
* runtime/TypeSet.cpp:
(JSC::TypeSet::dumpTypes const):
(JSC::TypeSet::displayName const):
(JSC::StructureShape::leastCommonAncestor):
* runtime/TypeSet.h:
(JSC::StructureShape::setConstructorName):
* runtime/VM.cpp:
(JSC::VM::dumpTypeProfilerData):
* runtime/WeakMapPrototype.cpp:
(JSC::getWeakMap):
(JSC::protoFuncWeakMapSet):
* runtime/WeakSetPrototype.cpp:
(JSC::getWeakSet):
(JSC::protoFuncWeakSetAdd):
* tools/JSDollarVM.cpp:
(WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
(WTF::DOMJITGetterComplex::customGetter):
(JSC::functionSetImpureGetterDelegate):
(JSC::functionCreateElement):
(JSC::functionGetHiddenValue):
(JSC::functionSetHiddenValue):
(JSC::functionFindTypeForExpression):
(JSC::functionReturnTypeFor):
(JSC::functionLoadGetterFromGetterSetter):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::fail const):
* wasm/WasmIndexOrName.cpp:
(JSC::Wasm::makeString):
* wasm/WasmParser.h:
(JSC::Wasm::FailureHelper::makeString):
(JSC::Wasm::Parser::fail const):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::fail const):
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::toNonWrappingUint32):
(JSC::getWasmBufferFromValue):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::grow):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::WebAssemblyCompileErrorConstructor::finishCreation):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
(JSC::WebAssemblyInstanceConstructor::finishCreation):
* wasm/js/WebAssemblyInstancePrototype.cpp:
(JSC::getInstance):
* wasm/js/WebAssemblyLinkErrorConstructor.cpp:
(JSC::WebAssemblyLinkErrorConstructor::finishCreation):
* wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::constructJSWebAssemblyMemory):
(JSC::WebAssemblyMemoryConstructor::finishCreation):
* wasm/js/WebAssemblyMemoryPrototype.cpp:
(JSC::getMemory):
* wasm/js/WebAssemblyModuleConstructor.cpp:
(JSC::webAssemblyModuleCustomSections):
(JSC::webAssemblyModuleImports):
(JSC::webAssemblyModuleExports):
(JSC::WebAssemblyModuleConstructor::finishCreation):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
(JSC::dataSegmentFail):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::resolve):
(JSC::webAssemblyInstantiateFunc):
(JSC::webAssemblyInstantiateStreamingInternal):
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
* wasm/js/WebAssemblyTableConstructor.cpp:
(JSC::constructJSWebAssemblyTable):
(JSC::WebAssemblyTableConstructor::finishCreation):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::getTable):
(JSC::webAssemblyTableProtoFuncGrow):
(JSC::webAssemblyTableProtoFuncGet):
(JSC::webAssemblyTableProtoFuncSet):
2018-06-22 Keith Miller <keith_miller@apple.com>
unshift should zero unused property storage
https://bugs.webkit.org/show_bug.cgi?id=186960
Reviewed by Saam Barati.
Also, this patch adds the zeroed unused property storage assertion
to one more place it was missing.
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
2018-06-22 Mark Lam <mark.lam@apple.com>
PropertyCondition::isValidValueForAttributes() should also consider deleted values.
https://bugs.webkit.org/show_bug.cgi?id=186943
<rdar://problem/41370337>
Reviewed by Saam Barati.
PropertyCondition::isValidValueForAttributes() should check if the passed in value
is a deleted one before it does a jsDynamicCast on it.
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isValidValueForAttributes):
* runtime/JSCJSValueInlines.h:
- removed an unnecessary #if.
2018-06-22 Keith Miller <keith_miller@apple.com>
performProxyCall should toThis the value passed to its handler
https://bugs.webkit.org/show_bug.cgi?id=186951
Reviewed by Mark Lam.
* runtime/ProxyObject.cpp:
(JSC::performProxyCall):
2018-06-22 Saam Barati <sbarati@apple.com>
ensureWritableX should only convert away from CoW when it will succeed
https://bugs.webkit.org/show_bug.cgi?id=186898
Reviewed by Keith Miller.
Otherwise, when we OSR exit, we'll end up profiling the array after
it has been converted away from CoW. It's better for the ArrayProfile
to see the array as it's still in CoW mode.
This patch also renames ensureWritableX to tryMakeWritableX since these
were never really "ensure" operations -- they may fail and return null.
* dfg/DFGOperations.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::tryMakeWritableInt32Slow):
(JSC::JSObject::tryMakeWritableDoubleSlow):
(JSC::JSObject::tryMakeWritableContiguousSlow):
(JSC::JSObject::ensureWritableInt32Slow): Deleted.
(JSC::JSObject::ensureWritableDoubleSlow): Deleted.
(JSC::JSObject::ensureWritableContiguousSlow): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::tryMakeWritableInt32):
(JSC::JSObject::tryMakeWritableDouble):
(JSC::JSObject::tryMakeWritableContiguous):
(JSC::JSObject::ensureWritableInt32): Deleted.
(JSC::JSObject::ensureWritableDouble): Deleted.
(JSC::JSObject::ensureWritableContiguous): Deleted.
2018-06-22 Keith Miller <keith_miller@apple.com>
We should call visitChildren on Base not the exact typename
https://bugs.webkit.org/show_bug.cgi?id=186928
Reviewed by Mark Lam.
A lot of places were not properly calling visitChildren on their
superclass. For most of them it didn't matter because they had
immortal structures. If code changed in the future this might
break things however.
Also, block off more of the MethodTable for GetterSetter objects.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitChildren):
* bytecode/ExecutableToCodeBlockEdge.cpp:
(JSC::ExecutableToCodeBlockEdge::visitChildren):
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::visitChildren):
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildren):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::visitChildren):
* runtime/FunctionRareData.cpp:
(JSC::FunctionRareData::visitChildren):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::visitChildren):
* runtime/GetterSetter.cpp:
(JSC::GetterSetter::visitChildren):
* runtime/GetterSetter.h:
* runtime/InferredType.cpp:
(JSC::InferredType::visitChildren):
* runtime/InferredTypeTable.cpp:
(JSC::InferredTypeTable::visitChildren):
* runtime/InferredValue.cpp:
(JSC::InferredValue::visitChildren):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::visitChildren):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren):
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildren):
* runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::visitChildren):
* runtime/ScopedArguments.h:
* runtime/Structure.cpp:
(JSC::Structure::visitChildren):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::visitChildren):
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::visitChildren):
2018-06-20 Darin Adler <darin@apple.com>
[Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
https://bugs.webkit.org/show_bug.cgi?id=186875
Reviewed by Anders Carlsson.
* API/tests/testapi.mm:
(testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
2018-06-22 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
https://bugs.webkit.org/show_bug.cgi?id=186915
Reviewed by Žan Doberšek.
Update StartAutomationSession message handling to receive a dictionary of session capabilities.
* inspector/remote/glib/RemoteInspectorServer.cpp:
(Inspector::processSessionCapabilities): Helper method to process the session capabilities.
2018-06-21 Mark Lam <mark.lam@apple.com>
WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
https://bugs.webkit.org/show_bug.cgi?id=185947
<rdar://problem/40131933>
Reviewed by Saam Barati.
Newer Clang versions (due to C++17 support) is not happy with how I implemented
conversions between CodeLocation types. We'll fix this by adding a conversion
operator for converting between CodeLocation types.
* assembler/CodeLocation.h:
(JSC::CodeLocationCommon::operator T):
2018-06-21 Saam Barati <sbarati@apple.com>
Do some CoW cleanup
https://bugs.webkit.org/show_bug.cgi?id=186896
Reviewed by Mark Lam.
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
We don't need to WTFMove() ints
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
remove a TODO.
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
We were checking for isCopyOnWrite even after we converted away
from CoW in above code.
(JSC::JSObject::ensureWritableInt32Slow):
Model this in the same way the other ensureWritableXSlow are modeled.
2018-06-20 Keith Miller <keith_miller@apple.com>
flattenDictionaryStruture needs to zero inline storage.
https://bugs.webkit.org/show_bug.cgi?id=186869
Reviewed by Saam Barati.
This patch also adds the assetion that unused property storage is
zero or JSValue() to putDirectInternal. Additionally, functions
have been added to $vm that flatten dictionary objects and return
the inline capacity of an object.
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
* tools/JSDollarVM.cpp:
(JSC::functionInlineCapacity):
(JSC::functionFlattenDictionaryObject):
(JSC::JSDollarVM::finishCreation):
2018-06-21 Mark Lam <mark.lam@apple.com>
Use IsoCellSets to track Executables with clearable code.
https://bugs.webkit.org/show_bug.cgi?id=186877
Reviewed by Filip Pizlo.
Here’s an example of the results that this fix may yield:
1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
2. Statistics on memory touched and memory freed by VM::deleteAllCode():
Visiting Executables:
Old New
Number of objects visited: 70897 14264
Number of objects with deletable code: 14264 (20.1%) 14264 (100%)
Number of memory pages visited: 3224 1602
Number of memory pages with deletable code: 1602 (49.7%) 1602 (100%)
Visitng UnlinkedFunctionExecutables:
Old New
Number of objects visited: 105454 17231
Number of objects with deletable code: 42319 (20.1%) 17231 (100%) **
Number of memory pages visited: 4796 1349
Number of memory pages with deletable code: 4013 (83.7%) 1349 (100%)
** The number of objects differ because the old code only visit unlinked
executables indirectly via linked executables, whereas the new behavior visit
all unlinked executables with deletable code directly. This means:
a. we used to not visit unlinked executables that have not been linked yet
i.e. deleteAllCode() may not delete all code (especially code that is not
used).
b. we had to visit all linked executables to check if they of type
FunctionExecutable, before going on to visit their unlinked executable, and
this includes the ones that do not have deletable code. This means that we
would touch more memory in the process.
Both of these these issues are now fixed with the new code.
This code was tested with manually inserted instrumentation to track the above
statistics. It is not feasible to write an automated test for this without
leaving a lot of invasive instrumentation in the code.
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
* bytecode/UnlinkedFunctionExecutable.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterateViaSubspaces):
* heap/Heap.cpp:
(JSC::Heap::deleteAllCodeBlocks):
(JSC::Heap::deleteAllUnlinkedCodeBlocks):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::clearUnmarkedExecutables): Deleted.
(JSC::Heap::addExecutable): Deleted.
* heap/Heap.h:
* runtime/DirectEvalExecutable.h:
* runtime/ExecutableBase.cpp:
(JSC::ExecutableBase::hasClearableCode const):
- this is written based on the implementation of ExecutableBase::clearCode().
* runtime/ExecutableBase.h:
* runtime/FunctionExecutable.h:
* runtime/IndirectEvalExecutable.h:
* runtime/ModuleProgramExecutable.h:
* runtime/ProgramExecutable.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::clearCode):
(JSC::ScriptExecutable::installCode):
* runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::finishCreation):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
(JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
(JSC::VM::forEachScriptExecutableSpace):
(JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
(JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
2018-06-21 Zan Dobersek <zdobersek@igalia.com>
[GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
https://bugs.webkit.org/show_bug.cgi?id=186884
Reviewed by Carlos Garcia Campos.
Add a tuple array input parameter to the StartAutomationSession DBus
message, representing a list of host-and-certificate pairs that have to
be allowed for a given session. This array is then unpacked and used to
fill out the certificates Vector object in the SessionCapabilities
struct.
* inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
String pairs representing hosts and the certificate file paths.
* inspector/remote/glib/RemoteInspectorServer.cpp:
2018-06-20 Keith Miller <keith_miller@apple.com>
Expand concurrent GC assertion to accept JSValue() or 0
https://bugs.webkit.org/show_bug.cgi?id=186855
Reviewed by Mark Lam.
We tend to set unused property slots to either JSValue() or 0
depending on the context. On 64-bit these are the same but on
32-bit JSValue() has a NaN tag. This patch makes it so we
the accept either JSValue() or 0.
* runtime/JSObjectInlines.h:
(JSC::JSObject::prepareToPutDirectWithoutTransition):
2018-06-20 Guillaume Emont <guijemont@igalia.com>
[Armv7] Linkbuffer: executableOffsetFor() fails for location 2
https://bugs.webkit.org/show_bug.cgi?id=186765
Reviewed by Michael Saboff.
This widens the check for 0 so that we handle that case more correctly.
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::executableOffsetFor):
2018-06-19 Keith Miller <keith_miller@apple.com>
Fix broken assertion on 32-bit
https://bugs.webkit.org/show_bug.cgi?id=186830
Reviewed by Mark Lam.
The assertion was intended to catch concurrent GC issues. We don't
run them on 32-bit so we don't need this assertion there. The
assertion was broken because zero is not JSValue() on 32-bit.
* runtime/JSObjectInlines.h:
(JSC::JSObject::prepareToPutDirectWithoutTransition):
2018-06-19 Keith Miller <keith_miller@apple.com>
flattenDictionaryStructure needs to zero properties that have been compressed away
https://bugs.webkit.org/show_bug.cgi?id=186828
Reviewed by Mark Lam.
This patch fixes a bunch of crashing Mozilla tests on the bots.
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
2018-06-19 Saam Barati <sbarati@apple.com>
DirectArguments::create needs to initialize to undefined instead of the empty value
https://bugs.webkit.org/show_bug.cgi?id=186818
<rdar://problem/38415177>
Reviewed by Filip Pizlo.
The bug here is that we will emit code that just loads from DirectArguments as
long as the index is within the known capacity of the arguments object (op_get_from_arguments).
The arguments object has at least enough capacity to hold the declared parameters.
When we materialized this object in OSR exit, we initialized up to to the capacity
with JSValue(). In OSR exit, though, we only filled up to the length of the
object with actual values. So we'd end up with a DirectArguments object with
capacity minus length slots of JSValue(). To fix this, we need initialize up to
capacity with jsUndefined during construction. The invariant of this object is
that the capacity minus length slots at the end are filled in with jsUndefined.
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::create):
2018-06-19 Michael Saboff <msaboff@apple.com>
Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
https://bugs.webkit.org/show_bug.cgi?id=186827
Reviewed by Saam Barati.
Need to set VM::lastStackTop before any possible calls to sanitizeStack().
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
2018-06-19 Tadeu Zagallo <tzagallo@apple.com>
ShadowChicken crashes with stack overflow in the LLInt
https://bugs.webkit.org/show_bug.cgi?id=186540
<rdar://problem/39682133>
Reviewed by Saam Barati.
Stack overflows in the LLInt were crashing in ShadowChicken when compiling
with debug opcodes because it was accessing the scope of the incomplete top
frame, which hadn't been set yet. Check that we have moved past the first
opcode (enter) and that the scope is not undefined (enter will
initialize it to undefined).
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
2018-06-19 Keith Miller <keith_miller@apple.com>
constructArray variants should take the slow path for subclasses of Array
https://bugs.webkit.org/show_bug.cgi?id=186812
Reviewed by Saam Barati and Mark Lam.
This patch fixes a crashing test in ObjectInitializationScope where we would
allocate a new structure for an indexing type change while initializing
a subclass of Array. Since the new array hasn't been fully initialized
if the GC ran it would see garbage and we might crash.
* runtime/JSArray.cpp:
(JSC::constructArray):
(JSC::constructArrayNegativeIndexed):
* runtime/JSArray.h:
(JSC::constructArray): Deleted.
(JSC::constructArrayNegativeIndexed): Deleted.
2018-06-19 Saam Barati <sbarati@apple.com>
Wasm: Any function argument of type Void should be a validation error
https://bugs.webkit.org/show_bug.cgi?id=186794
<rdar://problem/41140257>
Reviewed by Keith Miller.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseType):
2018-06-18 Keith Miller <keith_miller@apple.com>
JSImmutableButterfly should assert m_header is adjacent to the data
https://bugs.webkit.org/show_bug.cgi?id=186795
Reviewed by Saam Barati.
* runtime/JSImmutableButterfly.cpp:
* runtime/JSImmutableButterfly.h:
2018-06-18 Keith Miller <keith_miller@apple.com>
Unreviewed, fix the build...
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
2018-06-18 Keith Miller <keith_miller@apple.com>
Unreviewed, remove bad assertion.
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
2018-06-18 Keith Miller <keith_miller@apple.com>
Properly zero unused property storage offsets
https://bugs.webkit.org/show_bug.cgi?id=186692
Reviewed by Filip Pizlo.
Since the concurrent GC might see a property slot before the mutator has actually
stored the value there, we need to ensure that slot doesn't have garbage in it.
Right now when calling constructConvertedArrayStorageWithoutCopyingElements
or creating a RegExp matches array, we never cleared the unused
property storage. ObjectIntializationScope has also been upgraded
to look for our invariants around property storage. Additionally,
a new assertion has been added to check for JSValue() when adding
a new property.
We used to put undefined into deleted property offsets. To
make things simpler, this patch causes us to store JSValue() there
instead.
Lastly, this patch fixes an issue where we would initialize the
array storage of RegExpMatchesArray twice. First with 0 and
secondly with the actual result. Now we only zero memory between
vector length and public length.
* runtime/Butterfly.h:
(JSC::Butterfly::offsetOfVectorLength):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreateUninitialized):
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::create):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::createOrGrowArrayRight):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
* runtime/JSArray.h:
(JSC::tryCreateArrayButterfly):
* runtime/JSObject.cpp:
(JSC::JSObject::createArrayStorageButterfly):
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::prepareToPutDirectWithoutTransition):
* runtime/ObjectInitializationScope.cpp:
(JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
* runtime/ObjectInitializationScope.h:
(JSC::ObjectInitializationScope::release):
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
(JSC::createRegExpMatchesArray):
* runtime/Butterfly.h:
(JSC::Butterfly::offsetOfVectorLength):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreateUninitialized):
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::create):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::createOrGrowArrayRight):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
* runtime/JSArray.h:
(JSC::tryCreateArrayButterfly):
* runtime/JSObject.cpp:
(JSC::JSObject::createArrayStorageButterfly):
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::prepareToPutDirectWithoutTransition):
* runtime/ObjectInitializationScope.cpp:
(JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
* runtime/RegExpMatchesArray.cpp:
(JSC::createEmptyRegExpMatchesArray):
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
(JSC::createRegExpMatchesArray):
2018-06-18 Tadeu Zagallo <tzagallo@apple.com>
Share structure across instances of classes exported through the ObjC API
https://bugs.webkit.org/show_bug.cgi?id=186579
<rdar://problem/40969212>
Reviewed by Saam Barati.
A new structure was being created for each instance of exported ObjC
classes due to setting the prototype in the structure for every object,
since prototype transitions are not cached by the structure. Cache the
Structure in the JSObjcClassInfo to avoid the transition.
* API/JSWrapperMap.mm:
(-[JSObjCClassInfo wrapperForObject:inContext:]):
(-[JSObjCClassInfo structureInContext:]):
* API/tests/JSWrapperMapTests.h: Added.
* API/tests/JSWrapperMapTests.mm: Added.
(+[JSWrapperMapTests testStructureIdentity]):
(runJSWrapperMapTests):
* API/tests/testapi.mm:
(testObjectiveCAPIMain):
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-06-18 Michael Saboff <msaboff@apple.com>
Support Unicode 11 in RegExp
https://bugs.webkit.org/show_bug.cgi?id=186685
Reviewed by Mark Lam.
Updated the UCD tables used to generate RegExp property tables to version 11.0.
* Scripts/generateYarrUnicodePropertyTables.py:
* ucd/CaseFolding.txt:
* ucd/DerivedBinaryProperties.txt:
* ucd/DerivedCoreProperties.txt:
* ucd/DerivedNormalizationProps.txt:
* ucd/PropList.txt:
* ucd/PropertyAliases.txt:
* ucd/PropertyValueAliases.txt:
* ucd/ScriptExtensions.txt:
* ucd/Scripts.txt:
* ucd/UnicodeData.txt:
* ucd/emoji-data.txt:
2018-06-18 Carlos Alberto Lopez Perez <clopez@igalia.com>
[WTF] Remove workarounds needed to support libstdc++-4
https://bugs.webkit.org/show_bug.cgi?id=186762
Reviewed by Michael Catanzaro.
Revert r226299, r226300 r226301 and r226302.
* API/tests/TypedArrayCTest.cpp:
(assertEqualsAsNumber):
2018-06-16 Michael Catanzaro <mcatanzaro@igalia.com>
REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
https://bugs.webkit.org/show_bug.cgi?id=182923
Reviewed by Mark Lam.
The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
* heap/MarkedBlock.h:
2018-06-16 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
https://bugs.webkit.org/show_bug.cgi?id=186723
Reviewed by Mark Lam.
Now, CoW -> non-CoW transition is heavy path. We inline the part of Structure::nonPropertyTransition
to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
This patch improves SixSpeed/spread-literal.es5.
baseline patched
spread-literal.es5 114.4140+-4.5146 ^ 104.5475+-3.6157 ^ definitely 1.0944x faster
* runtime/JSArrayInlines.h:
(JSC::JSArray::pushInline):
* runtime/Structure.cpp:
(JSC::Structure::nonPropertyTransitionSlow):
(JSC::Structure::nonPropertyTransition): Deleted.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::nonPropertyTransition):
2018-06-16 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
https://bugs.webkit.org/show_bug.cgi?id=186721
Reviewed by Keith Miller.
We still have several other OSRExits, but this patch reduces that.
1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
2. The CoW patch removed ArrayAllocationProfile updates. This makes allocated JSImmutableButterfly
non-appropriate.
These changes a bit fix Kraken/crypto-aes regression.
baseline patched
stanford-crypto-aes 63.718+-2.312 ^ 56.140+-0.966 ^ definitely 1.1350x faster
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
2018-06-15 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
https://bugs.webkit.org/show_bug.cgi?id=186460
Reviewed by Saam Barati.
Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
We should return JSFixedArray for Spread. This patch adds a code generating
a JSFixedArray from JSImmutableButterfly.
Merging JSFixedArray into JSImmutableButterfly is possible future extension.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
* runtime/JSFixedArray.h:
2018-06-15 Saam Barati <sbarati@apple.com>
Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
https://bugs.webkit.org/show_bug.cgi?id=186687
<rdar://problem/40071332>
Reviewed by Keith Miller.
* API/JSVirtualMachinePrivate.h:
2018-06-15 Saam Barati <sbarati@apple.com>
Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
https://bugs.webkit.org/show_bug.cgi?id=186648
Reviewed by Michael Saboff.
This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
regressed with my first version of ForceOSRExit CFG pruning. This patch makes
ForceOSRExit CFG pruning more aggressive by not ignoring everything that
can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
if it's the plan's osr entry bytecode target. The goal is to get a speedometer
2 speedup with this change on iOS.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parse):
2018-06-15 Michael Catanzaro <mcatanzaro@igalia.com>
Unreviewed, rolling out r232816.
Suggested by Caitlin:
"this patch clearly does get some things wrong, and it's not
easy to find what those things are"
Reverted changeset:
"[LLInt] use loadp consistently for
get_from_scope/put_to_scope"
https://bugs.webkit.org/show_bug.cgi?id=132333
https://trac.webkit.org/changeset/232816
2018-06-14 Michael Saboff <msaboff@apple.com>
REGRESSION(232741): Crash running ARES-6
https://bugs.webkit.org/show_bug.cgi?id=186630
Reviewed by Saam Barati.
The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
treated edges between identical predecessor->successor pairs independently.
This fixes the issue by handling such edges once, using the added intermediate
pad for all instances of the edges between the same pairs.
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::run):
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
2018-06-14 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
https://bugs.webkit.org/show_bug.cgi?id=186560
Reviewed by Brian Burg.
Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
that always receives the session capabilities.
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspectorConstants.h:
* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
WebKit here and fill the SessionCapabilities instead.
* inspector/remote/glib/RemoteInspectorGlib.cpp:
(Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
* inspector/remote/glib/RemoteInspectorServer.cpp:
(Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
* inspector/remote/glib/RemoteInspectorServer.h:
2018-06-13 Adrian Perez de Castro <aperez@igalia.com>
[WPE] Trying to access the remote inspector hits an assertion in the UIProcess
https://bugs.webkit.org/show_bug.cgi?id=186588
Reviewed by Carlos Garcia Campos.
Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
for resource paths, which avoids needing a switcheroo depending on the port.
* inspector/remote/glib/RemoteInspectorUtils.cpp:
2018-06-13 Caitlin Potter <caitp@igalia.com>
[LLInt] use loadp consistently for get_from_scope/put_to_scope
https://bugs.webkit.org/show_bug.cgi?id=132333
Reviewed by Mark Lam.
Using `loadis` for register indexes and `loadp` for constant scopes /
symboltables makes sense, but is problematic for big-endian
architectures.
Consistently treating the operand as a pointer simplifies determining
how to access the operand, and helps avoid bad accesses and crashes on
big-endian ports.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/Instruction.h:
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
(JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2018-06-13 Keith Miller <keith_miller@apple.com>
AutomaticThread should have a way to provide a thread name
https://bugs.webkit.org/show_bug.cgi?id=186604
Reviewed by Filip Pizlo.
Add names for JSC's automatic threads.
* dfg/DFGWorklist.cpp:
* heap/Heap.cpp:
* jit/JITWorklist.cpp:
* runtime/VMTraps.cpp:
* wasm/WasmWorklist.cpp:
2018-06-13 Saam Barati <sbarati@apple.com>
CFGSimplificationPhase should de-dupe jettisonedBlocks
https://bugs.webkit.org/show_bug.cgi?id=186583
Reviewed by Filip Pizlo.
When making the predecessors list unique in r232741, it revealed a bug inside
of CFG simplification, where we try to remove the same predecessor more than
once from a blocks predecessors list. We built the list of blocks to remove
from the list of successors, which is not unique, causing us to try to remove
the same predecessor more than once. The solution here is to just add to this
list of blocks to remove only if the block is not already in the list.
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
2018-06-13 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Always use Nuke & Set procedure for x86
https://bugs.webkit.org/show_bug.cgi?id=186592
Reviewed by Keith Miller.
We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
threads.
* runtime/JSObject.cpp:
(JSC::JSObject::convertContiguousToArrayStorage):
2018-06-12 Saam Barati <sbarati@apple.com>
Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
https://bugs.webkit.org/show_bug.cgi?id=186071
Reviewed by Mark Lam.
* API/JSVirtualMachine.mm:
(-[JSVirtualMachine shrinkFootprint]): Deleted.
* API/JSVirtualMachinePrivate.h:
2018-06-11 Saam Barati <sbarati@apple.com>
Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
https://bugs.webkit.org/show_bug.cgi?id=181409
<rdar://problem/36383749>
Reviewed by Keith Miller.
This patch is me redoing r226655. This is a patch I wrote when
profiling Speedometer. Fil rolled this change out in r230928. He
showed this slowed down a sunspider tests by ~2x. This sunspider
regression revealed a real performance bug in the original change:
we would kill blocks that reached OSR entry targets, sometimes leading
us to not do OSR entry into the DFG, since we could end up deleting
entire loops from the CFG. The reason for this is that code that has run
~once and that reaches loops often has ForceOSRExits inside of it. The
solution to this is to not perform this optimization on blocks that can
reach OSR entry targets.
The reason I'm redoing this patch is that it turns out Fil rolling
out the change was a Speedometer 2 regression.
This is a modified version of the original ChangeLog I wrote in r226655:
When I was looking at profiler data for Speedometer, I noticed that one of
the hottest functions in Speedometer is around 1100 bytecode operations long.
Only about 100 of those bytecode ops ever execute. However, we ended up
spending a lot of time compiling basic blocks that never executed. We often
plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
This is the case when such a node never executes.
This patch makes it so that anytime a block has a ForceOSRExit, and that block
can not reach an OSR entry target, we replace its terminal node with an Unreachable
node, and remove all nodes after the ForceOSRExit. This cuts down the graph
size since it removes control flow edges from the CFG. This allows us to get
rid of huge chunks of the CFG in certain programs. When doing this transformation,
we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
live-in to the ForceOSRExit.
Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
does not get rid of all the CFG that it could. If we decide it's worth
it, we could use additional inputs into this mechanism. For example, we could
profile if a basic block ever executes inside the LLInt/Baseline, and
remove parts of the CFG based on that.
When running Speedometer with the concurrent JIT turned off, this patch
improves DFG/FTL compile times by around 5%.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::blocksInPostOrder):
2018-06-11 Saam Barati <sbarati@apple.com>
The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
https://bugs.webkit.org/show_bug.cgi?id=184829
Reviewed by Michael Saboff.
This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
In B3/Air, this just meant writing a validation rule. In DFG, this meant
ensuring this property when building up the predecessors list, and also adding
a validation rule. The NaturalLoops algorithm relies on this property.
* b3/B3Validate.cpp:
* b3/air/AirValidate.cpp:
* b3/testb3.cpp:
(JSC::B3::testLoopWithMultipleHeaderEdges):
(JSC::B3::run):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::handleSuccessor):
* dfg/DFGValidate.cpp:
2018-06-11 Keith Miller <keith_miller@apple.com>
Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
https://bugs.webkit.org/show_bug.cgi?id=186467
Reviewed by Simon Fraser.
This patch adds a LazyFireDetail that wraps ScopedLambda so that
we don't actually malloc any strings for firing unless those
Strings are actually going to be printed.
* bytecode/Watchpoint.h:
(JSC::LazyFireDetail::LazyFireDetail):
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
* dfg/DFGAdaptiveStructureWatchpoint.cpp:
(JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2018-06-11 Mark Lam <mark.lam@apple.com>
Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
https://bugs.webkit.org/show_bug.cgi?id=186451
<rdar://problem/40875792>
Reviewed by Tim Horton.
Enhance setOptions() to be able to take a comma separated options string in
addition to white space separated options strings.
* runtime/Options.cpp:
(JSC::isSeparator):
(JSC::Options::setOptions):
2018-06-11 Michael Saboff <msaboff@apple.com>
JavaScriptCore: Disable 32-bit JIT on Windows
https://bugs.webkit.org/show_bug.cgi?id=185989
Reviewed by Mark Lam.
Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
* llint/LLIntData.h:
(JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
* llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
have a case label because these aren't opcodes.
* runtime/Options.cpp: Made assembler related Windows conditional code also conditional
on the JIT being enabled.
(JSC::recomputeDependentOptions):
2018-06-11 Michael Saboff <msaboff@apple.com>
Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
https://bugs.webkit.org/show_bug.cgi?id=186477
Reviewed by Filip Pizlo.
Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
YARR interpreter nodes. This caused us to overwrite other frame information.
Added frame offset debugging code to YARR interpreter.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::emitDisjunction):
(JSC::Yarr::ByteCompiler::dumpDisjunction):
2018-06-10 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Array.prototype.sort should rejects null comparator
https://bugs.webkit.org/show_bug.cgi?id=186458
Reviewed by Keith Miller.
This relaxed behavior is once introduced in r216169 to fix some pages by aligning
the behavior to Chrome and Firefox.
However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
accepts it. This patch reverts r216169 to align JSC to the other engines and fix
the spec issue.
* builtins/ArrayPrototype.js:
(sort):
2018-06-09 Dan Bernstein <mitz@apple.com>
[Xcode] Clean up and modernize some build setting definitions
https://bugs.webkit.org/show_bug.cgi?id=186463
Reviewed by Sam Weinig.
* Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
is true for all supported Xcode versions.
* Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
* Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
* Configurations/Version.xcconfig: Removed definition for macOS 10.11.
* Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
2018-06-09 Dan Bernstein <mitz@apple.com>
Added missing file references to the Configuration group.
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-06-08 Darin Adler <darin@apple.com>
[Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
https://bugs.webkit.org/show_bug.cgi?id=186436
Reviewed by Anders Carlsson.
* heap/Heap.cpp: Include FoundationSPI.h rather than directly including
objc-internal.h and explicitly declaring the alternative.
2018-06-08 Wenson Hsieh <wenson_hsieh@apple.com>
[WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
https://bugs.webkit.org/show_bug.cgi?id=186442
<rdar://problem/40879364>
Reviewed by Tim Horton.
* Configurations/FeatureDefines.xcconfig:
2018-06-08 Tadeu Zagallo <tzagallo@apple.com>
jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
https://bugs.webkit.org/show_bug.cgi?id=186446
<rdar://problem/40949995>
Reviewed by Mark Lam.
On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
boolean literals, but it would only work for false. Change it so that it
takes the fast path for true, false, null and undefined.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
2018-06-08 Brian Burg <bburg@apple.com>
[Cocoa] Web Automation: include browser name and version in listing for automation targets
https://bugs.webkit.org/show_bug.cgi?id=186204
<rdar://problem/36950423>
Reviewed by Darin Adler.
Ask the client what the reported browser name and version should be, then
send this as part of the listing for an automation target.
* inspector/remote/RemoteInspectorConstants.h:
* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::RemoteInspector::listingForAutomationTarget const):
2018-06-07 Chris Dumez <cdumez@apple.com>
Add base class to get WeakPtrFactory member and avoid some boilerplate code
https://bugs.webkit.org/show_bug.cgi?id=186407
Reviewed by Brent Fulgham.
Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
order to avoid some boilerplate code in every class needing a WeakPtrFactory.
This also gets rid of old-style createWeakPtr() methods in favor of the newer
makeWeakPtr().
* wasm/WasmInstance.h:
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::registerInstance):
2018-06-07 Tadeu Zagallo <tzagallo@apple.com>
Don't try to allocate JIT memory if we don't have the JIT entitlement
https://bugs.webkit.org/show_bug.cgi?id=182605
<rdar://problem/38271229>
Reviewed by Mark Lam.
Check that the current process has the correct entitlements before
trying to allocate JIT memory to silence warnings.
* jit/ExecutableAllocator.cpp:
(JSC::allowJIT): Helper that checks entitlements on iOS and returns true in other platforms
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate
2018-06-07 Saam Barati <sbarati@apple.com>
TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
https://bugs.webkit.org/show_bug.cgi?id=186386
Reviewed by Filip Pizlo.
This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
2018-06-02 Filip Pizlo <fpizlo@apple.com>
FunctionRareData::m_objectAllocationProfileWatchpoint is racy
https://bugs.webkit.org/show_bug.cgi?id=186237
Reviewed by Saam Barati.
We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
that means that we never notice that it fired if it fires between when the DFG decides to
watch it and when it actually adds the watchpoint.
Most watchpoints are initialized watched for this purpose. This one had a somewhat good
reason for being initialized blind: that's how we knew to ignore changes to the prototype
before the first allocation. However, that functionality also arose out of the fact that the
rare data is created lazily and usually won't exist until the first allocation.
The fix here is to make the watchpoint go into watched mode as soon as we initialize the
object allocation profile.
It's hard to repro this race, however it started causing spurious test failures for me after
bug 164904.
* runtime/FunctionRareData.cpp:
(JSC::FunctionRareData::FunctionRareData):
(JSC::FunctionRareData::initializeObjectAllocationProfile):
2018-06-07 Saam Barati <sbarati@apple.com>
Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
https://bugs.webkit.org/show_bug.cgi?id=186218
<rdar://problem/38449540>
Reviewed by Filip Pizlo.
This patch makes tierUpCommon a tad bit more sane. There are a few things
that I did:
- There were a few release asserts that were crashing. Those release asserts
were incorrect. They were making assumptions about how the code and data
structures were ordered that were wrong. This patch removes them. The code
was using the loop hierarchy vector to make assumptions about which loop we
were currently executing in, which is incorrect. The only information that
can be used about where we're currently executing is the bytecode index we're
at.
- This makes it so that we go back to trying to compile outer loops before
inner loops. JF accidentally reverted this behavior that Ben implemented.
JF made it so that we just compiled the inner most loop. I make this
functionality work by first triggering a compile for the outer most loop
that the code is currently executing in and that can perform OSR entry.
However, some programs can get stuck in inner loops. The code works by
progressively asking inner loops to compile if program execution has not
yet reached an outer loop.
* dfg/DFGOperations.cpp:
2018-06-06 Guillaume Emont <guijemont@igalia.com>
ArityFixup should adjust SP first on 32-bit platforms too
https://bugs.webkit.org/show_bug.cgi?id=186351
Reviewed by Yusuke Suzuki.
* jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
2018-06-06 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Compare operations do not respect negative zeros
https://bugs.webkit.org/show_bug.cgi?id=183729
Reviewed by Saam Barati.
Compare operations do not respect negative zeros. So propagating this can
reduce the size of the produced code for negative zero case. This pattern
can be seen in Kraken stanford-crypto-aes.
This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
* bytecode/SpeculatedType.cpp:
(JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
SpecDoubleReal.
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
2018-06-06 Saam Barati <sbarati@apple.com>
generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
https://bugs.webkit.org/show_bug.cgi?id=186363
Rubber-stamped by Filip Pizlo.
The code was assuming that the object it was creating an OPC for always
had a non-poly-proto structure. However, this assumption was wrong. For
example, an object in the prototype chain could be poly proto. That type
of object graph would cause a crash in this code. This patch makes it so
that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
object as we traverse the prototype chain.
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForInstanceOf):
2018-06-05 Brent Fulgham <bfulgham@apple.com>
Adjust compile and runtime flags to match shippable state of features
https://bugs.webkit.org/show_bug.cgi?id=186319
<rdar://problem/40352045>
Reviewed by Maciej Stachowiak, Jon Lee, and others.
This patch revises the compile time and runtime state for various features to match their
suitability for end-user releases.
* Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
Cocoa builds.
* Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
or ENABLE_INPUT_TYPE_COLOR_POPOVER.
* runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
at runtime for non-production builds.
2018-06-05 Brent Fulgham <bfulgham@apple.com>
Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
https://bugs.webkit.org/show_bug.cgi?id=186286
<rdar://problem/40782992>
Reviewed by Dan Bernstein.
Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
change this flag when preparing for a production release.
* Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
whether experimental features should be enabled, and use it to properly define the
feature flag.
2018-06-05 Darin Adler <darin@apple.com>
[Cocoa] Update some JavaScriptCore code to be more ready for ARC
https://bugs.webkit.org/show_bug.cgi?id=186301
Reviewed by Anders Carlsson.
* API/JSContext.mm:
(-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
(-[JSContext setName:]): Removed unnecessary call to copy, since the
JSStringCreateWithCFString function already reads the characters out
of the string and does not retain the string, so there is no need to
make an immutable copy. And used __bridge for typecast.
* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
Ditto.
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::deserializeMessage):
Use CFBridgingRelease instead of autorelease for a CF dictionary that
we return as an NSDictionary.
2018-06-04 Keith Miller <keith_miller@apple.com>
Remove missing files from JavaScriptCore Xcode project
https://bugs.webkit.org/show_bug.cgi?id=186297
Reviewed by Saam Barati.
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-06-04 Keith Miller <keith_miller@apple.com>
Add test for CoW conversions in the DFG/FTL
https://bugs.webkit.org/show_bug.cgi?id=186295
Reviewed by Saam Barati.
Add a function to $vm that returns a JSString containing the
dataLog dump of the indexingMode of an Object.
* tools/JSDollarVM.cpp:
(JSC::functionIndexingMode):
(JSC::JSDollarVM::finishCreation):
2018-06-04 Saam Barati <sbarati@apple.com>
Set the activeLength of all ScratchBuffers to zero when exiting the VM
https://bugs.webkit.org/show_bug.cgi?id=186284
<rdar://problem/40780738>
Reviewed by Keith Miller.
Simon recently found instances where we leak global objects from the
ScratchBuffer. Yusuke found that we forgot to set the active length
back to zero when doing catch OSR entry in the DFG/FTL. His solution
to this was adding a node that cleared the active length. This is
a good node to have, but it's not a complete solution: the DFG/FTL
could OSR exit before that node executes, which would cause us to leak
the data in it.
This patch makes it so that we set each scratch buffer's active length
to zero on VM exit. This helps prevent leaks for JS code that eventually
exits the VM (which is essentially all code on the web and all API users).
* runtime/VM.cpp:
(JSC::VM::clearScratchBuffers):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::~VMEntryScope):
2018-06-04 Keith Miller <keith_miller@apple.com>
JSLock should clear last exception when releasing the lock
https://bugs.webkit.org/show_bug.cgi?id=186277
Reviewed by Mark Lam.
If we don't clear the last exception we essentially leak the
object and everything referenced by it until another exception is
thrown.
* runtime/JSLock.cpp:
(JSC::JSLock::willReleaseLock):
2018-06-04 Yusuke Suzuki <utatane.tea@gmail.com>
Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
https://bugs.webkit.org/show_bug.cgi?id=180248
Reviewed by Sam Weinig.
As a final step, this patch removes ListableHandler from JSC.
Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/Heap.h:
* heap/ListableHandler.h: Removed.
2018-06-03 Yusuke Suzuki <utatane.tea@gmail.com>
LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
https://bugs.webkit.org/show_bug.cgi?id=186223
Reviewed by Keith Miller.
After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
It makes this buffer conservative GC root, and allows it to hold GC objects unnecessarily long.
This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
this ClearCatchLocals valid.
The existing tests for ExtractCatchLocal just pass.
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNodeType.h:
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareCatchOSREntry):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
2018-06-02 Darin Adler <darin@apple.com>
[Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
https://bugs.webkit.org/show_bug.cgi?id=186227
Reviewed by Dan Bernstein.
* API/JSContext.mm:
(-[JSContext name]): Use CFBridgingRelease instead of autorelease.
* API/JSValue.mm:
(valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
(containerValueToObject): Use adoptCF instead of autorelease. This is not only more
ARC-compatible, but more efficient.
(valueToString): Use CFBridgingRelease instead of autorelease.
2018-06-02 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for addition operations
https://bugs.webkit.org/show_bug.cgi?id=179002
Reviewed by Yusuke Suzuki.
This patch is implementing support to BigInt Operands into binary "+"
and binary "-" operators. Right now, we have limited support to DFG
and FTL JIT layers, but we plan to fix this support in future
patches.
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::stringToBigInt):
(JSC::JSBigInt::toString):
(JSC::JSBigInt::multiply):
(JSC::JSBigInt::divide):
(JSC::JSBigInt::remainder):
(JSC::JSBigInt::add):
(JSC::JSBigInt::sub):
(JSC::JSBigInt::absoluteAdd):
(JSC::JSBigInt::absoluteSub):
(JSC::JSBigInt::toStringGeneric):
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::toNumber const):
(JSC::JSBigInt::getPrimitiveNumber const):
* runtime/JSBigInt.h:
* runtime/JSCJSValueInlines.h:
* runtime/Operations.cpp:
(JSC::jsAddSlowCase):
* runtime/Operations.h:
(JSC::jsSub):
2018-06-02 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r232439.
https://bugs.webkit.org/show_bug.cgi?id=186238
It breaks gtk-linux-32-release (Requested by caiolima on
#webkit).
Reverted changeset:
"[ESNext][BigInt] Implement support for addition operations"
https://bugs.webkit.org/show_bug.cgi?id=179002
https://trac.webkit.org/changeset/232439
2018-06-01 Yusuke Suzuki <utatane.tea@gmail.com>
Baseline op_jtrue emits an insane amount of code
https://bugs.webkit.org/show_bug.cgi?id=185708
Reviewed by Filip Pizlo.
op_jtrue / op_jfalse bloats massive amount of code. This patch attempts to reduce the size of this code by,
1. op_jtrue / op_jfalse immediately jumps if the condition met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
to jump directly. This tightens the code.
2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.
This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
[ 12] jtrue arg1, 6(->18)
0x7f233170162c: mov 0x30(%rbp), %rax
0x7f2331701630: mov %rax, %rsi
0x7f2331701633: xor $0x6, %rsi
0x7f2331701637: test $0xfffffffffffffffe, %rsi
0x7f233170163e: jnz 0x7f2331701654
0x7f2331701644: cmp $0x7, %eax
0x7f2331701647: setz %sil
0x7f233170164b: movzx %sil, %esi
0x7f233170164f: jmp 0x7f2331701705
0x7f2331701654: test %rax, %r14
0x7f2331701657: jz 0x7f233170169c
0x7f233170165d: cmp %r14, %rax
0x7f2331701660: jb 0x7f2331701675
0x7f2331701666: test %eax, %eax
0x7f2331701668: setnz %sil
0x7f233170166c: movzx %sil, %esi
0x7f2331701670: jmp 0x7f2331701705
0x7f2331701675: lea (%r14,%rax), %rsi
0x7f2331701679: movq %rsi, %xmm0
0x7f233170167e: xorps %xmm1, %xmm1
0x7f2331701681: ucomisd %xmm1, %xmm0
0x7f2331701685: jz 0x7f2331701695
0x7f233170168b: mov $0x1, %esi
0x7f2331701690: jmp 0x7f2331701705
0x7f2331701695: xor %esi, %esi
0x7f2331701697: jmp 0x7f2331701705
0x7f233170169c: test %rax, %r15
0x7f233170169f: jnz 0x7f2331701703
0x7f23317016a5: cmp $0x1, 0x5(%rax)
0x7f23317016a9: jnz 0x7f23317016c1
0x7f23317016af: mov 0x8(%rax), %esi
0x7f23317016b2: test %esi, %esi
0x7f23317016b4: setnz %sil
0x7f23317016b8: movzx %sil, %esi
0x7f23317016bc: jmp 0x7f2331701705
0x7f23317016c1: test $0x1, 0x6(%rax)
0x7f23317016c5: jz 0x7f23317016f9
0x7f23317016cb: mov (%rax), %esi
0x7f23317016cd: mov $0x7f23315000c8, %rdx
0x7f23317016d7: mov (%rdx), %rdx
0x7f23317016da: mov (%rdx,%rsi,8), %rsi
0x7f23317016de: mov $0x7f2330de0000, %rdx
0x7f23317016e8: cmp %rdx, 0x18(%rsi)
0x7f23317016ec: jnz 0x7f23317016f9
0x7f23317016f2: xor %esi, %esi
0x7f23317016f4: jmp 0x7f2331701705
0x7f23317016f9: mov $0x1, %esi
0x7f23317016fe: jmp 0x7f2331701705
0x7f2331701703: xor %esi, %esi
0x7f2331701705: test %esi, %esi
0x7f2331701707: jnz 0x7f233170171b
[ 12] jtrue arg1, 6(->18)
0x7f6c8710156c: mov 0x30(%rbp), %rax
0x7f6c87101570: test %rax, %r15
0x7f6c87101573: jnz 0x7f6c871015c8
0x7f6c87101579: cmp $0x1, 0x5(%rax)
0x7f6c8710157d: jnz 0x7f6c87101592
0x7f6c87101583: cmp $0x0, 0x8(%rax)
0x7f6c87101587: jnz 0x7f6c87101623
0x7f6c8710158d: jmp 0x7f6c87101615
0x7f6c87101592: test $0x1, 0x6(%rax)
0x7f6c87101596: jz 0x7f6c87101623
0x7f6c8710159c: mov (%rax), %esi
0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
0x7f6c871015a8: mov (%rdx), %rdx
0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
0x7f6c871015af: mov $0x7f6c867e0000, %rdx
0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
0x7f6c871015bd: jnz 0x7f6c87101623
0x7f6c871015c3: jmp 0x7f6c87101615
0x7f6c871015c8: cmp %r14, %rax
0x7f6c871015cb: jb 0x7f6c871015de
0x7f6c871015d1: test %eax, %eax
0x7f6c871015d3: jnz 0x7f6c87101623
0x7f6c871015d9: jmp 0x7f6c87101615
0x7f6c871015de: test %rax, %r14
0x7f6c871015e1: jz 0x7f6c87101602
0x7f6c871015e7: lea (%r14,%rax), %rsi
0x7f6c871015eb: movq %rsi, %xmm0
0x7f6c871015f0: xorps %xmm1, %xmm1
0x7f6c871015f3: ucomisd %xmm1, %xmm0
0x7f6c871015f7: jz 0x7f6c87101615
0x7f6c871015fd: jmp 0x7f6c87101623
0x7f6c87101602: mov $0x7, %r11
0x7f6c8710160c: cmp %r11, %rax
0x7f6c8710160f: jz 0x7f6c87101623
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitBranch):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitBranch):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitConvertValueToBoolean):
(JSC::AssemblyHelpers::branchIfValue):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfTruthy):
(JSC::AssemblyHelpers::branchIfFalsey):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::addJump):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_jfalse):
(JSC::JIT::emit_op_jtrue):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_jfalse):
(JSC::JIT::emit_op_jtrue):
2018-06-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove WeakReferenceHarvester
https://bugs.webkit.org/show_bug.cgi?id=186102
Reviewed by Filip Pizlo.
After several cleanups, now JSWeakMap becomes the last user of WeakReferenceHarvester.
Since JSWeakMap is already managed in IsoSubspace, we can iterate marked JSWeakMap
by using output constraints & Subspace iteration.
This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
output constraint set iterates marked JSWeakMap by using Subspace.
And we also add locking for JSWeakMap's rehash and output constraint visiting.
Attached microbenchmark does not show any regression.
* API/JSAPIWrapperObject.h:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/Heap.cpp:
(JSC::Heap::endMarking):
(JSC::Heap::addCoreConstraints):
* heap/Heap.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
* heap/SlotVisitor.h:
* heap/WeakReferenceHarvester.h: Removed.
* runtime/WeakMapImpl.cpp:
(JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
* runtime/WeakMapImpl.h:
(JSC::WeakMapImpl::WeakMapImpl):
(JSC::WeakMapImpl::finishCreation):
(JSC::WeakMapImpl::rehash):
(JSC::WeakMapImpl::makeAndSetNewBuffer):
(JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
2018-06-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Object.create should have intrinsic
https://bugs.webkit.org/show_bug.cgi?id=186200
Reviewed by Filip Pizlo.
Object.create is used in various JS code. `Object.create(null)` is particularly used
to create empty plain object with null [[Prototype]]. We can find `Object.create(null)`
call in ARES-6/Babylon code.
This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces ObjectCreate
DFG node. DFG AI and constant folding attempt to convert it to NewObject when prototype
object is null. It offers significant performance boost for `Object.create(null)`.
baseline patched
object-create-null 53.7940+-1.5297 ^ 19.8846+-0.6584 ^ definitely 2.7053x faster
object-create-unknown-object-prototype 38.9977+-1.1364 ^ 37.2207+-0.6143 ^ definitely 1.0477x faster
object-create-untyped-prototype 22.5632+-0.6917 22.2539+-0.6876 might be 1.0139x faster
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToNewObject):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileObjectCreate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::nullPrototypeObjectStructure const):
* runtime/ObjectConstructor.cpp:
2018-06-02 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for addition operations
https://bugs.webkit.org/show_bug.cgi?id=179002
Reviewed by Yusuke Suzuki.
This patch is implementing support to BigInt Operands into binary "+"
and binary "-" operators. Right now, we have limited support to DFG
and FTL JIT layers, but we plan to fix this support in future
patches.
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::stringToBigInt):
(JSC::JSBigInt::toString):
(JSC::JSBigInt::multiply):
(JSC::JSBigInt::divide):
(JSC::JSBigInt::remainder):
(JSC::JSBigInt::add):
(JSC::JSBigInt::sub):
(JSC::JSBigInt::absoluteAdd):
(JSC::JSBigInt::absoluteSub):
(JSC::JSBigInt::toStringGeneric):
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::toNumber const):
(JSC::JSBigInt::getPrimitiveNumber const):
* runtime/JSBigInt.h:
* runtime/JSCJSValueInlines.h:
* runtime/Operations.cpp:
(JSC::jsAddSlowCase):
* runtime/Operations.h:
(JSC::jsSub):
2018-06-01 Wenson Hsieh <wenson_hsieh@apple.com>
Fix the watchOS build after r232385
https://bugs.webkit.org/show_bug.cgi?id=186203
Reviewed by Keith Miller.
Add a missing header include for JSImmutableButterfly.
* runtime/ArrayPrototype.cpp:
2018-05-29 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add Symbol.prototype.description getter
https://bugs.webkit.org/show_bug.cgi?id=186053
Reviewed by Keith Miller.
Symbol.prototype.description accessor is now stage 3[1].
This adds a getter to retrieve [[Description]] value from Symbol.
Previously, Symbol#toString() returns `Symbol(${description})` value.
So users need to extract `description` part if they want it.
[1]: https://tc39.github.io/proposal-Symbol-description/
* runtime/Symbol.cpp:
(JSC::Symbol::description const):
* runtime/Symbol.h:
* runtime/SymbolPrototype.cpp:
(JSC::tryExtractSymbol):
(JSC::symbolProtoGetterDescription):
(JSC::symbolProtoFuncToString):
(JSC::symbolProtoFuncValueOf):
2018-06-01 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Correct values and members of JSBigInt appropriately
https://bugs.webkit.org/show_bug.cgi?id=186196
Reviewed by Darin Adler.
This patch cleans up a bit to select more appropriate values and members of JSBigInt.
1. JSBigInt's structure should be StructureIsImmortal.
2. JSBigInt::allocationSize should be annotated with `inline`.
3. Remove JSBigInt::visitChildren since it is completely the same to JSCell::visitChildren.
4. Remove JSBigInt::finishCreation since it is completely the same to JSCell::finishCreation.
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::allocationSize):
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::compareToDouble):
(JSC::JSBigInt::visitChildren): Deleted.
(JSC::JSBigInt::finishCreation): Deleted.
* runtime/JSBigInt.h:
2018-05-30 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] InById should be converted to MatchStructure
https://bugs.webkit.org/show_bug.cgi?id=185803
Reviewed by Keith Miller.
MatchStructure is introduced for instanceof optimization. But this node
is also useful for InById node. This patch converts InById to MatchStructure
node with CheckStructures if possible by using InByIdStatus.
Added microbenchmarks show improvements.
baseline patched
in-by-id-removed 18.1196+-0.8108 ^ 16.1702+-0.9773 ^ definitely 1.1206x faster
in-by-id-match 16.3912+-0.2608 ^ 15.2736+-0.8173 ^ definitely 1.0732x faster
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/InByIdStatus.cpp: Added.
(JSC::InByIdStatus::appendVariant):
(JSC::InByIdStatus::computeFor):
(JSC::InByIdStatus::hasExitSite):
(JSC::InByIdStatus::computeForStubInfo):
(JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::InByIdStatus::filter):
(JSC::InByIdStatus::dump const):
* bytecode/InByIdStatus.h: Added.
(JSC::InByIdStatus::InByIdStatus):
(JSC::InByIdStatus::state const):
(JSC::InByIdStatus::isSet const):
(JSC::InByIdStatus::operator bool const):
(JSC::InByIdStatus::isSimple const):
(JSC::InByIdStatus::numVariants const):
(JSC::InByIdStatus::variants const):
(JSC::InByIdStatus::at const):
(JSC::InByIdStatus::operator[] const):
(JSC::InByIdStatus::takesSlowPath const):
* bytecode/InByIdVariant.cpp: Added.
(JSC::InByIdVariant::InByIdVariant):
(JSC::InByIdVariant::attemptToMerge):
(JSC::InByIdVariant::dump const):
(JSC::InByIdVariant::dumpInContext const):
* bytecode/InByIdVariant.h: Added.
(JSC::InByIdVariant::isSet const):
(JSC::InByIdVariant::operator bool const):
(JSC::InByIdVariant::structureSet const):
(JSC::InByIdVariant::structureSet):
(JSC::InByIdVariant::conditionSet const):
(JSC::InByIdVariant::offset const):
(JSC::InByIdVariant::isHit const):
* bytecode/PolyProtoAccessChain.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2018-06-01 Keith Miller <keith_miller@apple.com>
move should only emit the move if it's actually needed
https://bugs.webkit.org/show_bug.cgi?id=186123
Reviewed by Saam Barati.
This patch relpaces move with moveToDestinationIfNeeded. This
will prevent us from emiting moves to the same location. The old
move, has been renamed to emitMove and made private.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitGetGlobalPrivate):
(JSC::BytecodeGenerator::emitGetAsyncIterator):
(JSC::BytecodeGenerator::move): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::move):
(JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ThisNode::emitBytecode):
(JSC::SuperNode::emitBytecode):
(JSC::NewTargetNode::emitBytecode):
(JSC::ResolveNode::emitBytecode):
(JSC::TaggedTemplateNode::emitBytecode):
(JSC::ArrayNode::emitBytecode):
(JSC::ObjectLiteralNode::emitBytecode):
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::emitPostIncOrDec):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitResolve):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::LogicalOpNode::emitBytecode):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::FunctionNode::emitBytecode):
(JSC::ClassExprNode::emitBytecode):
(JSC::DestructuringAssignmentNode::emitBytecode):
(JSC::ArrayPatternNode::emitDirectBinding):
(JSC::ObjectPatternNode::bindValue const):
(JSC::AssignmentElementNode::bindValue const):
(JSC::ObjectSpreadExpressionNode::emitBytecode):
2018-05-31 Yusuke Suzuki <utatane.tea@gmail.com>
[Baseline] Store constant directly in emit_op_mov
https://bugs.webkit.org/show_bug.cgi?id=186182
Reviewed by Saam Barati.
In the old code, we first move a constant to a register and store it to the specified address.
But in 64bit JSC, we can directly store a constant to the specified address. This reduces the
generated code size. Since the old code was emitting a constant in a code anyway, this change
never increases the size of the generated code.
* jit/JITInlines.h:
(JSC::JIT::emitGetVirtualRegister):
We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
from the stack. If we transfer values in registers without loading values from the stack, it
breaks this assumption.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_mov):
2018-05-31 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "=<" and ">=" relational operation
https://bugs.webkit.org/show_bug.cgi?id=185929
Reviewed by Yusuke Suzuki.
This patch is introducing support to BigInt operands into ">=" and
"<=" operators.
Here we introduce ```bigIntCompareResult``` that is a helper function
to reuse code between "less than" and "less than or equal" operators.
* runtime/JSBigInt.h:
* runtime/Operations.h:
(JSC::bigIntCompareResult):
(JSC::bigIntCompare):
(JSC::jsLess):
(JSC::jsLessEq):
(JSC::bigIntCompareLess): Deleted.
2018-05-31 Saam Barati <sbarati@apple.com>
Cache toString results for CoW arrays
https://bugs.webkit.org/show_bug.cgi?id=186160
Reviewed by Keith Miller.
This patch makes it so that we cache the result of toString on
arrays with a CoW butterfly. This cache lives on Heap and is
cleared after every GC. We only cache the toString result when
the CoW butterfly doesn't have a hole (currently, all CoW arrays
have a hole, but this isn't an invariant we want to rely on). The
reason for this is that if there is a hole, the value may be loaded
from the prototype, and the cache may produce a stale result.
This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
progression on ARES.
* heap/Heap.cpp:
(JSC::Heap::finalize):
(JSC::Heap::addCoreConstraints):
* heap/Heap.h:
* runtime/ArrayPrototype.cpp:
(JSC::canUseFastJoin):
(JSC::holesMustForwardToPrototype):
(JSC::isHole):
(JSC::containsHole):
(JSC::fastJoin):
(JSC::arrayProtoFuncToString):
2018-05-31 Saam Barati <sbarati@apple.com>
PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
https://bugs.webkit.org/show_bug.cgi?id=186169
Reviewed by Mark Lam.
If we don't do this, the CFA validation rule about StructureID being
clobbered but AI not clobbering or folding a clobber will cause us
to crash. Simon was running into this yesterday on arstechnica.com.
I couldn't come up with a test case for this, but it's obvious
what the issue is by looking at the IR dump at the time of the crash.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2018-05-31 Saam Barati <sbarati@apple.com>
JSImmutableButterfly should align its variable storage
https://bugs.webkit.org/show_bug.cgi?id=186159
Reviewed by Mark Lam.
I'm also making the use of reinterpret_cast and bitwise_cast consistent
inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
* runtime/JSImmutableButterfly.h:
(JSC::JSImmutableButterfly::toButterfly const):
(JSC::JSImmutableButterfly::fromButterfly):
(JSC::JSImmutableButterfly::offsetOfData):
(JSC::JSImmutableButterfly::allocationSize):
2018-05-31 Keith Miller <keith_miller@apple.com>
DFGArrayModes needs to know more about CoW arrays
https://bugs.webkit.org/show_bug.cgi?id=186162
Reviewed by Filip Pizlo.
This patch fixes two issues in DFGArrayMode.
1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
to vend an accurate original structure.
Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
we were doing a read but actually doing a write. Also, DFGArrayMode will now print the
action it is expecting when being dumped.
* bytecode/ArrayProfile.h:
(JSC::hasSeenWritableArray):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
(JSC::DFG::ArrayMode::refine const):
(JSC::DFG::ArrayMode::originalArrayStructure const):
(JSC::DFG::arrayActionToString):
(JSC::DFG::arrayClassToString):
(JSC::DFG::ArrayMode::dump const):
(WTF::printInternal):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::withProfile const):
(JSC::DFG::ArrayMode::isJSArray const):
(JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
(JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2018-05-30 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Pass VM& parameter as much as possible
https://bugs.webkit.org/show_bug.cgi?id=186085
Reviewed by Saam Barati.
JSCell::vm() is slow compared to ExecState::vm(). That's why we have bunch of functions in JSCell/JSObject that take VM& as a parameter.
For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
This patch attempts to pass VM& parameter to such functions as much as possible.
* API/APICast.h:
(toJS):
(toJSForGC):
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
(JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
(JSC::JSCallbackObject<Parent>::staticFunctionGetter):
* API/JSObjectRef.cpp:
(JSObjectIsConstructor):
* API/JSTypedArray.cpp:
(JSObjectGetTypedArrayBuffer):
* API/JSValueRef.cpp:
(JSValueIsInstanceOfConstructor):
* bindings/ScriptFunctionCall.cpp:
(Deprecated::ScriptFunctionCall::call):
* bindings/ScriptValue.cpp:
(Inspector::jsToInspectorValue):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForInstanceOf):
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isWatchableWhenValid const):
(JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubClearingWatchpoint::fireInternal):
* debugger/Debugger.cpp:
(JSC::Debugger::detach):
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::create):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::mergeOSREntryValue):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::check):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::createInjectedScript):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::caller const):
(Inspector::JSJavaScriptCallFrame::scopeChain const):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::wasmAwareLexicalGlobalObject):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):
* jit/JITOperations.cpp:
(JSC::getByVal):
* jit/Repatch.cpp:
(JSC::tryCacheInByID):
* jsc.cpp:
(functionDollarAgentReceiveBroadcast):
(functionHasCustomProperties):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setupGetByIdPrototypeCache):
(JSC::LLInt::getByVal):
(JSC::LLInt::handleHostCall):
(JSC::LLInt::llint_throw_stack_overflow_error):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::finishCreation):
* runtime/ArrayConstructor.cpp:
(JSC::constructArrayWithSizeQuirk):
* runtime/ArrayPrototype.cpp:
(JSC::speciesWatchpointIsValid):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
* runtime/AsyncFunctionConstructor.cpp:
(JSC::callAsyncFunctionConstructor):
(JSC::constructAsyncFunctionConstructor):
* runtime/AsyncGeneratorFunctionConstructor.cpp:
(JSC::callAsyncGeneratorFunctionConstructor):
(JSC::constructAsyncGeneratorFunctionConstructor):
* runtime/BooleanConstructor.cpp:
(JSC::constructWithBooleanConstructor):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
(JSC::ClonedArguments::createWithInlineFrame):
(JSC::ClonedArguments::createWithMachineFrame):
(JSC::ClonedArguments::createByCopyingFrom):
(JSC::ClonedArguments::getOwnPropertySlot):
(JSC::ClonedArguments::materializeSpecials):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
(JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
(JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
* runtime/ConstructData.cpp:
(JSC::construct):
* runtime/DateConstructor.cpp:
(JSC::constructWithDateConstructor):
* runtime/DatePrototype.cpp:
(JSC::dateProtoFuncToJSON):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/Error.cpp:
(JSC::getStackTrace):
* runtime/ErrorConstructor.cpp:
(JSC::Interpreter::constructWithErrorConstructor):
(JSC::Interpreter::callErrorConstructor):
* runtime/FunctionConstructor.cpp:
(JSC::constructWithFunctionConstructor):
(JSC::callFunctionConstructor):
* runtime/GeneratorFunctionConstructor.cpp:
(JSC::callGeneratorFunctionConstructor):
(JSC::constructGeneratorFunctionConstructor):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::getOwnPropertySlot):
* runtime/InferredStructureWatchpoint.cpp:
(JSC::InferredStructureWatchpoint::fireInternal):
* runtime/InferredType.cpp:
(JSC::InferredType::removeStructure):
* runtime/InferredType.h:
* runtime/InferredTypeInlines.h:
(JSC::InferredType::finalizeUnconditionally):
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlCollatorConstructor.cpp:
(JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
* runtime/IntlCollatorPrototype.cpp:
(JSC::IntlCollatorPrototypeGetterCompare):
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
(JSC::IntlDateTimeFormat::formatToParts):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatPrototypeGetterFormat):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
(JSC::IntlNumberFormat::formatToParts):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatPrototypeGetterFormat):
* runtime/IntlObject.cpp:
(JSC::canonicalizeLocaleList):
(JSC::defaultLocale):
(JSC::lookupSupportedLocales):
(JSC::intlObjectFuncGetCanonicalLocales):
* runtime/IntlPluralRules.cpp:
(JSC::IntlPluralRules::initializePluralRules):
(JSC::IntlPluralRules::resolvedOptions):
* runtime/IntlPluralRulesConstructor.cpp:
(JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
* runtime/IteratorOperations.cpp:
(JSC::iteratorNext):
(JSC::iteratorClose):
(JSC::iteratorForIterable):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithArrayStorage):
(JSC::JSArray::isIteratorProtocolFastAndNonObservable):
* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::finishCreation):
(JSC::constructArrayBuffer):
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferProtoFuncSlice):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::unsharedJSBuffer):
(JSC::JSArrayBufferView::possiblySharedJSBuffer):
* runtime/JSAsyncFunction.cpp:
(JSC::JSAsyncFunction::createImpl):
(JSC::JSAsyncFunction::create):
(JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSAsyncGeneratorFunction.cpp:
(JSC::JSAsyncGeneratorFunction::createImpl):
(JSC::JSAsyncGeneratorFunction::create):
(JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSBoundFunction.cpp:
(JSC::boundThisNoArgsFunctionCall):
(JSC::boundFunctionCall):
(JSC::boundThisNoArgsFunctionConstruct):
(JSC::boundFunctionConstruct):
(JSC::getBoundFunctionStructure):
(JSC::JSBoundFunction::create):
(JSC::JSBoundFunction::boundArgsCopy):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCellInlines.h:
(JSC::JSCell::setStructure):
(JSC::JSCell::methodTable const):
(JSC::JSCell::toBoolean const):
* runtime/JSFunction.h:
(JSC::JSFunction::createImpl):
* runtime/JSGeneratorFunction.cpp:
(JSC::JSGeneratorFunction::createImpl):
(JSC::JSGeneratorFunction::create):
(JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
(JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::exposeDollarVM):
(JSC::JSGlobalObject::finishCreation):
* runtime/JSGlobalObject.h:
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* runtime/JSInternalPromise.cpp:
(JSC::JSInternalPromise::then):
* runtime/JSInternalPromiseConstructor.cpp:
(JSC::constructPromise):
* runtime/JSJob.cpp:
(JSC::JSJobMicrotask::run):
* runtime/JSLexicalEnvironment.cpp:
(JSC::JSLexicalEnvironment::getOwnPropertySlot):
(JSC::JSLexicalEnvironment::put):
* runtime/JSMap.cpp:
(JSC::JSMap::isIteratorProtocolFastAndNonObservable):
* runtime/JSMapIterator.cpp:
(JSC::JSMapIterator::createPair):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::provideFetch):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):
* runtime/JSONObject.cpp:
(JSC::JSONProtoFuncParse):
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::putByIndex):
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::convertFromCopyOnWrite):
(JSC::JSObject::ensureWritableInt32Slow):
(JSC::JSObject::ensureWritableDoubleSlow):
(JSC::JSObject::ensureWritableContiguousSlow):
(JSC::JSObject::ensureArrayStorageSlow):
(JSC::JSObject::setPrototypeDirect):
(JSC::JSObject::deleteProperty):
(JSC::callToPrimitiveFunction):
(JSC::JSObject::hasInstance):
(JSC::JSObject::getOwnNonIndexPropertyNames):
(JSC::JSObject::preventExtensions):
(JSC::JSObject::isExtensible):
(JSC::JSObject::reifyAllStaticProperties):
(JSC::JSObject::fillGetterPropertySlot):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
(JSC::JSObject::getNewVectorLength):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::shiftButterflyAfterFlattening):
(JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
(JSC::JSObject::prototypeChainMayInterceptStoreTo):
(JSC::JSObject::needsSlowPutIndexing const):
(JSC::JSObject::suggestedArrayStorageTransition const):
* runtime/JSObject.h:
(JSC::JSObject::mayInterceptIndexedAccesses):
(JSC::JSObject::hasIndexingHeader const):
(JSC::JSObject::hasCustomProperties):
(JSC::JSObject::hasGetterSetterProperties):
(JSC::JSObject::hasCustomGetterSetterProperties):
(JSC::JSObject::isExtensibleImpl):
(JSC::JSObject::isStructureExtensible):
(JSC::JSObject::indexingShouldBeSparse):
(JSC::JSObject::staticPropertiesReified):
(JSC::JSObject::globalObject const):
(JSC::JSObject::finishCreation):
(JSC::JSNonFinalObject::finishCreation):
(JSC::getCallData):
(JSC::getConstructData):
(JSC::JSObject::getOwnNonIndexPropertySlot):
(JSC::JSObject::putOwnDataProperty):
(JSC::JSObject::putOwnDataPropertyMayBeIndex):
(JSC::JSObject::butterflyPreCapacity):
(JSC::JSObject::butterflyTotalSize):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
* runtime/JSPromise.cpp:
(JSC::JSPromise::initialize):
(JSC::JSPromise::resolve):
* runtime/JSPromiseConstructor.cpp:
(JSC::constructPromise):
* runtime/JSPromiseDeferred.cpp:
(JSC::newPromiseCapability):
(JSC::callFunction):
* runtime/JSScope.cpp:
(JSC::abstractAccess):
* runtime/JSScope.h:
(JSC::JSScope::globalObject): Deleted.
Remove this JSScope::globalObject function since it is completely the same to JSObject::globalObject().
* runtime/JSSet.cpp:
(JSC::JSSet::isIteratorProtocolFastAndNonObservable):
* runtime/JSSetIterator.cpp:
(JSC::JSSetIterator::createPair):
* runtime/JSStringIterator.cpp:
(JSC::JSStringIterator::clone):
* runtime/Lookup.cpp:
(JSC::reifyStaticAccessor):
(JSC::setUpStaticFunctionSlot):
* runtime/Lookup.h:
(JSC::getStaticPropertySlotFromTable):
(JSC::replaceStaticPropertySlot):
(JSC::reifyStaticProperty):
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation):
* runtime/ObjectConstructor.cpp:
(JSC::constructObject):
(JSC::objectConstructorAssign):
(JSC::toPropertyDescriptor):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncToLocaleString):
* runtime/Operations.cpp:
(JSC::jsIsFunctionType): Deleted.
Replace it with JSValue::isFunction(VM&).
* runtime/Operations.h:
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/RegExpConstructor.cpp:
(JSC::constructWithRegExpConstructor):
(JSC::callRegExpConstructor):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
* runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::overrideThings):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::newCodeBlockFor):
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/SetConstructor.cpp:
(JSC::constructSet):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::putEntry):
(JSC::SparseArrayValueMap::putDirect):
* runtime/StringConstructor.cpp:
(JSC::constructWithStringConstructor):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):
(JSC::stringProtoFuncIterator):
* runtime/Structure.cpp:
(JSC::Structure::materializePropertyTable):
(JSC::Structure::willStoreValueSlow):
* runtime/StructureCache.cpp:
(JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
* runtime/StructureInlines.h:
(JSC::Structure::get):
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::reportCell):
* tools/JSDollarVM.cpp:
(JSC::functionGlobalObjectForObject):
(JSC::JSDollarVM::finishCreation):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJSException):
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::constructJSWebAssemblyCompileError):
(JSC::callJSWebAssemblyCompileError):
* wasm/js/WebAssemblyLinkErrorConstructor.cpp:
(JSC::constructJSWebAssemblyLinkError):
(JSC::callJSWebAssemblyLinkError):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::instantiate):
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::constructJSWebAssemblyRuntimeError):
(JSC::callJSWebAssemblyRuntimeError):
* wasm/js/WebAssemblyToJSCallee.cpp:
(JSC::WebAssemblyToJSCallee::create):
2018-05-30 Saam Barati <sbarati@apple.com>
DFG combined liveness needs to say that the machine CodeBlock's arguments are live
https://bugs.webkit.org/show_bug.cgi?id=186121
<rdar://problem/39377796>
Reviewed by Keith Miller.
DFG's combined liveness was reporting that the machine CodeBlock's |this|
argument was dead at certain points in the program. However, a CodeBlock's
arguments are considered live for the entire function. This fixes a bug
where object allocation sinking phase skipped materializing an allocation
because it thought that the argument it was associated with, |this|, was dead.
* dfg/DFGCombinedLiveness.cpp:
(JSC::DFG::liveNodesAtHead):
2018-05-30 Daniel Bates <dabates@apple.com>
Web Inspector: Annotate Same-Site cookies
https://bugs.webkit.org/show_bug.cgi?id=184897
<rdar://problem/35178209>
Reviewed by Brian Burg.
Update protocol to include cookie Same-Site policy.
* inspector/protocol/Page.json:
2018-05-29 Keith Miller <keith_miller@apple.com>
Error instances should not strongly hold onto StackFrames
https://bugs.webkit.org/show_bug.cgi?id=185996
Reviewed by Mark Lam.
Previously, we would hold onto all the StackFrames until the the user
looked at one of the properties on the Error object. This patch makes us
only weakly retain the StackFrames and collect all the information
if we are about to collect any frame.
This patch also adds a method to $vm that returns the heaps count
of live global objects.
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::stackTraceAsString):
* interpreter/Interpreter.h:
* runtime/Error.cpp:
(JSC::addErrorInfo):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finalizeUnconditionally):
(JSC::ErrorInstance::computeErrorInfo):
(JSC::ErrorInstance::materializeErrorInfoIfNeeded):
(JSC::ErrorInstance::visitChildren): Deleted.
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::subspaceFor):
* runtime/JSFunction.cpp:
(JSC::getCalculatedDisplayName):
* runtime/StackFrame.h:
(JSC::StackFrame::isMarked const):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* tools/JSDollarVM.cpp:
(JSC::functionGlobalObjectCount):
(JSC::JSDollarVM::finishCreation):
2018-05-30 Keith Miller <keith_miller@apple.com>
LLInt get_by_id prototype caching doesn't properly handle changes
https://bugs.webkit.org/show_bug.cgi?id=186112
Reviewed by Filip Pizlo.
The caching would sometimes fail to track that a prototype had changed
and wouldn't update its set of watchpoints.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeLLIntInlineCaches):
* bytecode/CodeBlock.h:
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
* bytecode/ObjectPropertyConditionSet.h:
(JSC::ObjectPropertyConditionSet::size const):
* bytecode/Watchpoint.h:
(JSC::Watchpoint::Watchpoint): Deleted.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
2018-05-30 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "%" operation
https://bugs.webkit.org/show_bug.cgi?id=184327
Reviewed by Yusuke Suzuki.
We are introducing the support of BigInt into remainder (a.k.a mod)
operation.
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::remainder):
(JSC::JSBigInt::rightTrim):
* runtime/JSBigInt.h:
2018-05-30 Saam Barati <sbarati@apple.com>
AI for Atomics.load() is too conservative in always clobbering world
https://bugs.webkit.org/show_bug.cgi?id=185738
<rdar://problem/40342214>
Reviewed by Yusuke Suzuki.
It fails the assertion that Fil added for catching disagreements between
AI and clobberize. This patch fixes that. You'd run into this if you
manually enabled SAB in a build and ran any SAB tests.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2018-05-30 Michael Saboff <msaboff@apple.com>
REGRESSION(r232212): Broke Win32 Builds
https://bugs.webkit.org/show_bug.cgi?id=186061
Reviewed by Yusuke Suzuki.
Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
instead of LowLevelInterpreterWin.asm.
* CMakeLists.txt:
2018-05-30 Dominik Infuehr <dinfuehr@igalia.com>
[MIPS] Fix build on MIPS32r1
https://bugs.webkit.org/show_bug.cgi?id=185944
Reviewed by Yusuke Suzuki.
Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
on MIPS32r1.
* offlineasm/mips.rb:
2018-05-29 Saam Barati <sbarati@apple.com>
Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
https://bugs.webkit.org/show_bug.cgi?id=186064
Reviewed by Mark Lam.
shrinkFootprint was implemented as:
```
sanitizeStackForVM(this);
deleteAllCode(DeleteAllCodeIfNotCollecting);
heap.collectNow(Synchronousness::Sync);
WTF::releaseFastMallocFreeMemory();
```
However, for correctness reasons, deleteAllCode is implemented to do
work when the VM is idle: no JS is running on the stack. This means
that if shrinkFootprint is called when JS is running on the stack, it
ends up freeing less memory than it could have if it waited to run until
the VM goes idle.
This patch makes it so we wait until idle before doing work. I'm seeing a
10% footprint progression when testing this against a client of the JSC SPI.
Because this is a semantic change in how the SPI works, this patch
adds new SPI named shrinkFootprintWhenIdle. The plan is to move
all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
Once that happens, we will delete shrinkFootprint. Until then,
we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
* API/JSVirtualMachine.mm:
(-[JSVirtualMachine shrinkFootprint]):
(-[JSVirtualMachine shrinkFootprintWhenIdle]):
* API/JSVirtualMachinePrivate.h:
* runtime/VM.cpp:
(JSC::VM::shrinkFootprintWhenIdle):
(JSC::VM::shrinkFootprint): Deleted.
* runtime/VM.h:
2018-05-29 Saam Barati <sbarati@apple.com>
shrinkFootprint needs to request a full collection
https://bugs.webkit.org/show_bug.cgi?id=186069
Reviewed by Mark Lam.
* runtime/VM.cpp:
(JSC::VM::shrinkFootprint):
2018-05-29 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "<" and ">" relational operation
https://bugs.webkit.org/show_bug.cgi?id=185379
Reviewed by Yusuke Suzuki.
This patch is changing the ``jsLess``` operation to follow the
semantics of Abstract Relational Comparison[1] that supports BigInt.
For that, we create 2 new helper functions ```bigIntCompareLess``` and
```toPrimitiveNumeric``` that considers BigInt as a valid type to be
compared.
[1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::unequalSign):
(JSC::JSBigInt::absoluteGreater):
(JSC::JSBigInt::absoluteLess):
(JSC::JSBigInt::compare):
(JSC::JSBigInt::absoluteCompare):
* runtime/JSBigInt.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isPrimitive const):
* runtime/Operations.h:
(JSC::bigIntCompareLess):
(JSC::toPrimitiveNumeric):
(JSC::jsLess):
2018-05-29 Yusuke Suzuki <utatane.tea@gmail.com>
[Baseline] Merge loading functionalities
https://bugs.webkit.org/show_bug.cgi?id=185907
Reviewed by Saam Barati.
This patch unifies emitXXXLoad functions in 32bit and 64bit.
* jit/JITInlines.h:
(JSC::JIT::emitDoubleGetByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
Define register usage first, and share the same code in 32bit and 64bit.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
Now C-stack is always enabled in JIT platform and temporary registers increases from 5 to 6 in x86.
We can remove this special handling.
(JSC::JIT::emitContiguousLoad): Deleted.
(JSC::JIT::emitDoubleLoad): Deleted.
(JSC::JIT::emitArrayStorageLoad): Deleted.
2018-05-29 Saam Barati <sbarati@apple.com>
JSC should put bmalloc's scavenger into mini mode
https://bugs.webkit.org/show_bug.cgi?id=185988
Reviewed by Michael Saboff.
When we InitializeThreading, we'll now enable bmalloc's mini mode
if the VM is in mini mode. This is an 8-10% progression on the footprint
at end score in run-testmem, making it a 4-5% memory score progression.
It's between a 0-1% regression in its time score.
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
2018-05-29 Caitlin Potter <caitp@igalia.com>
[JSC] Fix Array.prototype.concat fast case when single argument is Proxy
https://bugs.webkit.org/show_bug.cgi?id=184267
Reviewed by Saam Barati.
Before this patch, the fast case for Array.prototype.concat was taken if
there was a single argument passed to the function, which is either a
non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
This incorrectly prevented Proxy objects from being spread when
they were the only argument passed to A.prototype.concat(), violating ECMA-262.
* builtins/ArrayPrototype.js:
(concat):
2018-05-27 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
https://bugs.webkit.org/show_bug.cgi?id=186022
Reviewed by Darin Adler.
digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
creation has an issue (`s` should be casted to signed one before negating). They cause test failures
in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
in asm.
This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
This makes the target rshift well-defined in C++. While produced value by the rshift covers 0 <= `s` < 64 (32
in 32bit envirnoment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
if `s` is 0, so that `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
is never 0 here. We add assertion for that. We also fixes `sZeroMask` calculation.
This patch also fixes naming convention for constant values.
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::digitMul):
(JSC::JSBigInt::digitDiv):
* runtime/JSBigInt.h:
2018-05-27 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Add clz32 / clz64 for MSVC
https://bugs.webkit.org/show_bug.cgi?id=186023
Reviewed by Daniel Bates.
Move clz32 and clz64 to WTF.
* runtime/MathCommon.h:
(JSC::clz32): Deleted.
(JSC::clz64): Deleted.
2018-05-27 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement "+" and "-" unary operation
https://bugs.webkit.org/show_bug.cgi?id=182214
Reviewed by Yusuke Suzuki.
This Patch is implementing support to "-" unary operation on BigInt.
It is also changing the logic of ASTBuilder::makeNegateNode to
calculate BigInt literals with properly sign, avoiding
unecessary operation. It required a refactoring into
JSBigInt::parseInt to consider the sign as parameter.
We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
operations. With the introduction of BigInt, it is not true
that every negate operation returns a Number. As ArithNegate is a
node that considers its result is always a Number, like all other
Arith<Operation>, we decided to keep this consistency and use ValueNegate when
speculation indicates that the operand is a BigInt.
This design is following the same distinction between ArithAdd and
ValueAdd. Also, this new node will make simpler the introduction of
optimizations when we create speculation paths for BigInt in future
patches.
In the case of "+" unary operation on BigInt, the current semantic we already have
is correctly, since it needs to throw TypeError because of ToNumber call[1].
In such case, we are adding tests to verify other edge cases.
[1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addBigIntConstant):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BigIntNode::jsValue const):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::arithNodeFlags):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueNegate):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
* jit/JITOperations.cpp:
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createBigIntWithSign):
(JSC::ASTBuilder::createBigIntFromUnaryOperation):
(JSC::ASTBuilder::makeNegateNode):
* parser/NodeConstructors.h:
(JSC::BigIntNode::BigIntNode):
* parser/Nodes.h:
* runtime/CommonSlowPaths.cpp:
(JSC::updateArithProfileForUnaryArithOp):
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
* runtime/JSBigInt.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::strictEqualSlowCaseInline):
2018-05-27 Dan Bernstein <mitz@apple.com>
Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
* jit/JITOperations.cpp:
2018-05-26 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Rename Array#flatten to flat
https://bugs.webkit.org/show_bug.cgi?id=186012
Reviewed by Saam Barati.
Rename Array#flatten to Array#flat. This rename is done in TC39 since flatten
conflicts with the mootools' function name.
* builtins/ArrayPrototype.js:
(globalPrivate.flatIntoArray):
(flat):
(globalPrivate.flatIntoArrayWithCallback):
(flatMap):
(globalPrivate.flattenIntoArray): Deleted.
(flatten): Deleted.
(globalPrivate.flattenIntoArrayWithCallback): Deleted.
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
2018-05-25 Mark Lam <mark.lam@apple.com>
for-in loops should preserve and restore the TDZ stack for each of its internal loops.
https://bugs.webkit.org/show_bug.cgi?id=185995
<rdar://problem/40173142>
Reviewed by Saam Barati.
This is because there's no guarantee that any of the loop bodies will be
executed. Hence, there's no guarantee that the TDZ variables will have been
initialized after each loop body.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::preserveTDZStack):
(JSC::BytecodeGenerator::restoreTDZStack):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitBytecode):
2018-05-25 Mark Lam <mark.lam@apple.com>
MachineContext's instructionPointer() should handle null PCs correctly.
https://bugs.webkit.org/show_bug.cgi?id=186004
<rdar://problem/40570067>
Reviewed by Saam Barati.
instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>. However,
MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
assert accordingly with a debug ASSERT. This is inconsequential for release
builds, but to avoid this assertion failure, we should check for a null PC and
return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
for null pointers, but I rather not do that yet. In general,
MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
leave it that way for now.
Note: this assertion failure only manifests when we have signal traps enabled,
and encounter a null pointer deref.
* runtime/MachineContext.h:
(JSC::MachineContext::instructionPointer):
2018-05-25 Mark Lam <mark.lam@apple.com>
Enforce invariant that GetterSetter objects are invariant.
https://bugs.webkit.org/show_bug.cgi?id=185968
<rdar://problem/40541416>
Reviewed by Saam Barati.
The code already assumes the invariant that GetterSetter objects are immutable.
For example, the use of @tryGetById in builtins expect this invariant to be true.
The existing code mostly enforces this except for one case: JSObject's
validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
object.
This patch enforces this invariant by removing the setGetter and setSetter methods
of GetterSetter, and requiring the getter/setter callback functions to be
specified at construction time.
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/GetterSetter.cpp:
(JSC::GetterSetter::withGetter): Deleted.
(JSC::GetterSetter::withSetter): Deleted.
* runtime/GetterSetter.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSObject.cpp:
(JSC::JSObject::putIndexedDescriptor):
(JSC::JSObject::putDirectNativeIntrinsicGetter):
(JSC::putDescriptor):
(JSC::validateAndApplyPropertyDescriptor):
* runtime/JSTypedArrayViewPrototype.cpp:
(JSC::JSTypedArrayViewPrototype::finishCreation):
* runtime/Lookup.cpp:
(JSC::reifyStaticAccessor):
* runtime/PropertyDescriptor.cpp:
(JSC::PropertyDescriptor::slowGetterSetter):
2018-05-25 Saam Barati <sbarati@apple.com>
Make JSC have a mini mode that kicks in when the JIT is disabled
https://bugs.webkit.org/show_bug.cgi?id=185931
Reviewed by Mark Lam.
This patch makes JSC have a mini VM mode. This currently only kicks in
when the process can't JIT. Mini VM now means a few things:
- We always use a 1.27x heap growth factor. This number was the best tradeoff
between memory use progression and time regression in run-testmem. We may
want to tune this more in the future as we make other mini VM changes.
- We always sweep synchronously.
- We disable generational GC.
I'm going to continue to extend what mini VM mode means in future changes.
This patch is a 50% memory progression and an ~8-9% time regression
on run-testmem when running in mini VM mode with the JIT disabled.
* heap/Heap.cpp:
(JSC::Heap::collectNow):
(JSC::Heap::finalize):
(JSC::Heap::useGenerationalGC):
(JSC::Heap::shouldSweepSynchronously):
(JSC::Heap::shouldDoFullCollection):
* heap/Heap.h:
* runtime/Options.h:
* runtime/VM.cpp:
(JSC::VM::isInMiniMode):
* runtime/VM.h:
2018-05-25 Saam Barati <sbarati@apple.com>
Have a memory test where we can validate JSCs mini memory mode
https://bugs.webkit.org/show_bug.cgi?id=185932
Reviewed by Mark Lam.
This patch adds the testmem CLI. It takes as input a file to run
and the number of iterations to run it (by default it runs it
20 times). Each iteration runs in a new JSContext. Each JSContext
belongs to a VM that is created once. When finished, the CLI dumps
out the peak memory usage of the process, the memory usage at the end
of running all the iterations of the process, and the total time it
took to run all the iterations.
* JavaScriptCore.xcodeproj/project.pbxproj:
* testmem: Added.
* testmem/testmem.mm: Added.
(description):
(Footprint::now):
(main):
2018-05-25 David Kilzer <ddkilzer@apple.com>
Fix issues with -dealloc methods found by clang static analyzer
<https://webkit.org/b/185887>
Reviewed by Joseph Pecoraro.
* API/JSValue.mm:
(-[JSValue dealloc]):
(-[JSValue description]):
- Move method implementations from (Internal) category to the
main category since these are public API. This fixes the
false positive warning about a missing -dealloc method.
2018-05-24 Yusuke Suzuki <utatane.tea@gmail.com>
[Baseline] Remove a hack for DCE removal of NewFunction
https://bugs.webkit.org/show_bug.cgi?id=185945
Reviewed by Saam Barati.
This `undefined` check in baseline is originally introduced in r177871. The problem was,
when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
While op_new_func_xxx want to have scope for function creation, DFG OSR exit cannot
retrieve this into the stack since the scope is not referenced from anywhere.
In r177871, we fixed this by accepting `undefined` scope in the baseline op_new_func_xxx
implementation. But rather than that, just emitting `Phantom` for this scope is clean
and consistent to the other DFG nodes like GetClosureVar.
This patch emits Phantom instead, and removes unnecessary `undefined` check in baseline.
While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which
is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
if it is not referenced. And scope node is kept by PutHint. But emitting Phantom is nice
since it conservatively guards the scope, and it does not introduce any additional overhead
compared to the current status.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* jit/JITOpcodes.cpp:
(JSC::JIT::emitNewFuncExprCommon):
2018-05-23 Keith Miller <keith_miller@apple.com>
Expose $vm if window.internals is exposed
https://bugs.webkit.org/show_bug.cgi?id=185900
Reviewed by Mark Lam.
This is useful for testing vm internals when running LayoutTests.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::exposeDollarVM):
* runtime/JSGlobalObject.h:
2018-05-23 Keith Miller <keith_miller@apple.com>
Define length on CoW array should properly convert to writable
https://bugs.webkit.org/show_bug.cgi?id=185927
Reviewed by Yusuke Suzuki.
* runtime/JSArray.cpp:
(JSC::JSArray::setLength):
2018-05-23 Keith Miller <keith_miller@apple.com>
InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
https://bugs.webkit.org/show_bug.cgi?id=185923
Reviewed by Saam Barati.
Previously, we could confuse AI by overly broadening a type. This happens when a block in a
loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
Block 1:
@1: GetLocal(loc42, FlushedInt32);
@2: PutStructure(Check: Cell: @1);
@3: Jump(Block 1);
Would cause us to claim that loc42 could be either an int32 or a some cell. However,
the type of an local cannot change without writing to it.
This fixes a crash in destructuring-rest-element.js
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
2018-05-23 Filip Pizlo <fpizlo@apple.com>
Speed up JetStream/base64
https://bugs.webkit.org/show_bug.cgi?id=185914
Reviewed by Michael Saboff.
Make allocation fast paths ALWAYS_INLINE.
This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
~6%.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/AllocatorInlines.h:
(JSC::Allocator::allocate const):
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::allocateNonVirtual): Deleted.
* heap/CompleteSubspace.h:
* heap/CompleteSubspaceInlines.h: Added.
(JSC::CompleteSubspace::allocateNonVirtual):
* heap/FreeListInlines.h:
(JSC::FreeList::allocate):
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::allocateNonVirtual): Deleted.
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/IsoSubspaceInlines.h: Added.
(JSC::IsoSubspace::allocateNonVirtual):
* runtime/JSCellInlines.h:
* runtime/VM.h:
2018-05-23 Rick Waldron <waldron.rick@gmail.com>
Conversion misspelled "Convertion" in error message string
https://bugs.webkit.org/show_bug.cgi?id=185436
Reviewed by Saam Barati, Michael Saboff
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::toNumber const):
2018-05-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Clean up stringGetByValStubGenerator
https://bugs.webkit.org/show_bug.cgi?id=185864
Reviewed by Saam Barati.
We clean up stringGetByValStubGenerator.
1. Unify 32bit and 64bit implementations.
2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::stringGetByValStubGenerator): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::stringGetByValStubGenerator): Deleted.
* jit/ThunkGenerators.cpp:
(JSC::stringGetByValGenerator):
* jit/ThunkGenerators.h:
2018-05-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Use branchIfString/branchIfNotString instead of structure checkings
https://bugs.webkit.org/show_bug.cgi?id=185810
Reviewed by Saam Barati.
Let's use branchIfString/branchIfNotString helper functions instead of
checking structure with jsString's structure. It's easy to read. And
it emits less code since we do not need to embed string structure's
raw pointer in 32bit environment.
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::emitLoadCharacterString):
(JSC::JIT::checkStructure): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::compileOpEqJumpSlow):
(JSC::JIT::emitSlow_op_neq):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitByValIdentifierCheck):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emitSlow_op_get_by_val):
* jit/JSInterfaceJIT.h:
(JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
(JSC::ThunkHelpers::jsStringValueOffset): Deleted.
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::loadJSStringArgument):
* jit/ThunkGenerators.cpp:
(JSC::stringCharLoad):
(JSC::charCodeAtThunkGenerator):
(JSC::charAtThunkGenerator):
* runtime/JSString.h:
2018-05-22 Mark Lam <mark.lam@apple.com>
BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
https://bugs.webkit.org/show_bug.cgi?id=185896
<rdar://problem/40471403>
Reviewed by Saam Barati.
* bytecode/BytecodeGeneratorification.cpp:
(JSC::BytecodeGeneratorification::run):
2018-05-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Fix CachedCall's argument count if RegExp has named captures
https://bugs.webkit.org/show_bug.cgi?id=185587
Reviewed by Mark Lam.
If the given RegExp has named captures, the argument count of CachedCall in String#replace
should be increased by one. This causes crash with assertion in test262. This patch corrects
the argument count.
This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
the same.
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
2018-05-22 Mark Lam <mark.lam@apple.com>
StringImpl utf8 conversion should not fail silently.
https://bugs.webkit.org/show_bug.cgi?id=185888
<rdar://problem/40464506>
Reviewed by Filip Pizlo.
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::dumpInContext const):
* runtime/DateConstructor.cpp:
(JSC::constructDate):
(JSC::dateParse):
* runtime/JSDateMath.cpp:
(JSC::parseDate):
* runtime/JSDateMath.h:
2018-05-22 Keith Miller <keith_miller@apple.com>
Remove the UnconditionalFinalizer class
https://bugs.webkit.org/show_bug.cgi?id=185881
Reviewed by Filip Pizlo.
The only remaining user of this API is
JSWebAssemblyCodeBlock. This patch changes, JSWebAssemblyCodeBlock
to use the newer template based API and removes the old class.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.h:
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* heap/Heap.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
* heap/SlotVisitor.h:
* heap/UnconditionalFinalizer.h: Removed.
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
(JSC::JSWebAssemblyCodeBlock::visitChildren):
(JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
(JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyModule.h:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.h:
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* heap/Heap.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
* heap/SlotVisitor.h:
* heap/UnconditionalFinalizer.h: Removed.
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
(JSC::JSWebAssemblyCodeBlock::visitChildren):
(JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
(JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyModule.h:
2018-05-22 Keith Miller <keith_miller@apple.com>
Unreviewed, fix internal build.
* runtime/JSImmutableButterfly.cpp:
2018-05-22 Saam Barati <sbarati@apple.com>
DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
https://bugs.webkit.org/show_bug.cgi?id=144525
Reviewed by Filip Pizlo.
This patch teaches LICM to fall back to hoisting a node's type checks when
hoisting the entire node fails.
This patch follow the same principles we use when deciding to hoist nodes in general:
- If the pre header is control equivalent to where the current check is, we
go ahead and hoist the check.
- Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
hoist the check. If hoisting failed in the past, we will not hoist the check.
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGUseKind.h:
(JSC::DFG::checkMayCrashIfInputIsEmpty):
2018-05-21 Filip Pizlo <fpizlo@apple.com>
Get rid of TLCs
https://bugs.webkit.org/show_bug.cgi?id=185846
Rubber stamped by Geoffrey Garen.
This removes support for thread-local caches from the GC in order to speed up allocation a
bit.
We added TLCs as part of Spectre mitigations, which we have since removed.
We will want some kind of TLCs eventually, since they allow us to:
- have a global GC, which may be a perf optimization at some point.
- allocate objects from JIT threads, which we've been wanting to do for a while.
This change keeps the most interesting aspect of TLCs, which is the
LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
TLCs again in the future if we wanted this feature.
This change removes the part of TLCs that causes a perf regression, namely that Allocator is
an offset that requires a bounds check and lookup that makes the rest of the allocation fast
path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
you can directly use it to allocate. This removes two loads and a check from the allocation
fast path. In hindsight, I probably could have made that whole thing more efficient, had I
allowed us to have a statically known set of LocalAllocators. This would have removed the
bounds check (one load and one branch) and it would have made it possible to CSE the load of
the TLC data structure, since that would no longer resize. But that's a harder change that
this patch, and we don't need it right now.
While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
that check already. Previously, the TLC bounds check doubled as this check.
This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCreateThis):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
* heap/Allocator.cpp:
(JSC::Allocator::cellSize const):
* heap/Allocator.h:
(JSC::Allocator::Allocator):
(JSC::Allocator::localAllocator const):
(JSC::Allocator::operator== const):
(JSC::Allocator::offset const): Deleted.
* heap/AllocatorInlines.h:
(JSC::Allocator::allocate const):
(JSC::Allocator::tryAllocate const): Deleted.
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::~BlockDirectory):
* heap/BlockDirectory.h:
(JSC::BlockDirectory::allocator const): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
* heap/Heap.h:
(JSC::Heap::threadLocalCacheLayout): Deleted.
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::~LocalAllocator):
* heap/LocalAllocator.h:
(JSC::LocalAllocator::cellSize const):
(JSC::LocalAllocator::tlc const): Deleted.
* heap/ThreadLocalCache.cpp: Removed.
* heap/ThreadLocalCache.h: Removed.
* heap/ThreadLocalCacheInlines.h: Removed.
* heap/ThreadLocalCacheLayout.cpp: Removed.
* heap/ThreadLocalCacheLayout.h: Removed.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_this):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMEntryScope.h:
2018-05-22 Keith Miller <keith_miller@apple.com>
We should have a CoW storage for NewArrayBuffer arrays.
https://bugs.webkit.org/show_bug.cgi?id=185003
Reviewed by Filip Pizlo.
This patch adds copy on write storage for new array buffers. In
order to do this there needed to be significant changes to the
layout of IndexingType. The new indexing type has the following
shape:
struct IndexingTypeAndMisc {
struct IndexingModeIncludingHistory {
struct IndexingMode {
struct IndexingType {
uint8_t isArray:1; // bit 0
uint8_t shape:3; // bit 1 - 3
};
uint8_t copyOnWrite:1; // bit 4
};
uint8_t mayHaveIndexedAccessors:1; // bit 5
};
uint8_t cellLockBits:2; // bit 6 - 7
};
For simplicity ArrayStorage shapes cannot be CoW. So the only
valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
ArrayWithContiguous.
The backing store for a CoW array is a new class
JSImmutableButterfly, which looks exactly the same as a normal
butterfly except that it has a JSCell header. Like other
butterflies, JSImmutableButterfies are allocated out of the
Auxiliary Gigacage and are pointed to by JSCells in the same
way. However, when marking JSImmutableButterflies they are marked
as if they were a property.
With CoW arrays, the new_array_buffer bytecode will reallocate the
shared JSImmutableButterfly if it sees from the allocation profile
that the last array it allocated has transitioned to a different
indexing type. From then on, all arrays created by that
new_array_buffer bytecode will have the promoted indexing
type. This is more or less the same as what we used to do. The
only difference is that we don't promote all the way to array
storage even if we have seen it before.
Transitioning from a CoW indexing mode occurs whenever someone
tries to store to an element, grow the array, or add properties.
Storing or growing the array will call into code that does the
stupid thing of copying the butterfly then continue into the old
code. This doesn't end up costing us as future allocations will
use any upgraded indexing shape. We get adding properties for
free by just changing the indexing mode on transition (our C++
code always updates the indexing mode).
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/ArrayAllocationProfile.cpp:
(JSC::ArrayAllocationProfile::updateProfile):
* bytecode/ArrayAllocationProfile.h:
(JSC::ArrayAllocationProfile::initializeIndexingMode):
* bytecode/ArrayProfile.cpp:
(JSC::dumpArrayModes):
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* bytecode/ArrayProfile.h:
(JSC::asArrayModes):
(JSC::arrayModeFromStructure):
(JSC::arrayModesInclude):
(JSC::hasSeenCopyOnWriteArray):
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::generateArrayLength):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
(JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::newArrayAllocationProfile):
(JSC::BytecodeGenerator::emitNewArrayBuffer):
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitNewArrayWithSize):
(JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ArrayPatternNode::bindValue const):
(JSC::ArrayPatternNode::emitDirectBinding):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
(JSC::DFG::ArrayMode::refine const):
(JSC::DFG::ArrayMode::alreadyChecked const):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::ArrayMode):
(JSC::DFG::ArrayMode::action const):
(JSC::DFG::ArrayMode::withSpeculation const):
(JSC::DFG::ArrayMode::withArrayClass const):
(JSC::DFG::ArrayMode::withType const):
(JSC::DFG::ArrayMode::withConversion const):
(JSC::DFG::ArrayMode::withTypeAndConversion const):
(JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
(JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
(JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGNode.h:
(JSC::DFG::Node::indexingType):
(JSC::DFG::Node::indexingMode):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
(JSC::DFG::SpeculativeJIT::arrayify):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
(JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
(JSC::FTL::DFG::LowerDFGToB3::storeStructure):
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* generate-bytecode-files:
* interpreter/Interpreter.cpp:
(JSC::sizeOfVarargs):
(JSC::loadVarargs):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
* jit/Repatch.cpp:
(JSC::tryCachePutByID):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Butterfly.h:
(JSC::ContiguousData::Data::Data):
(JSC::ContiguousData::Data::operator bool const):
(JSC::ContiguousData::Data::operator=):
(JSC::ContiguousData::Data::operator const T& const):
(JSC::ContiguousData::Data::set):
(JSC::ContiguousData::Data::setWithoutWriteBarrier):
(JSC::ContiguousData::Data::clear):
(JSC::ContiguousData::Data::get const):
(JSC::ContiguousData::atUnsafe):
(JSC::ContiguousData::at const): Deleted.
(JSC::ContiguousData::at): Deleted.
* runtime/ButterflyInlines.h:
(JSC::ContiguousData<T>::at const):
(JSC::ContiguousData<T>::at):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::allocateNewArrayBuffer):
* runtime/IndexingType.cpp:
(JSC::leastUpperBoundOfIndexingTypeAndType):
(JSC::leastUpperBoundOfIndexingTypeAndValue):
(JSC::dumpIndexingType):
* runtime/IndexingType.h:
(JSC::hasIndexedProperties):
(JSC::hasUndecided):
(JSC::hasInt32):
(JSC::hasDouble):
(JSC::hasContiguous):
(JSC::hasArrayStorage):
(JSC::hasAnyArrayStorage):
(JSC::hasSlowPutArrayStorage):
(JSC::shouldUseSlowPut):
(JSC::isCopyOnWrite):
(JSC::arrayIndexFromIndexingType):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::put):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/JSArrayInlines.h:
(JSC::JSArray::pushInline):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
(JSC::JSCell::finishCreation):
(JSC::JSCell::indexingType const):
(JSC::JSCell::indexingMode const):
(JSC::JSCell::setStructure):
* runtime/JSFixedArray.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::haveABadTime):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
(JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
(JSC::JSGlobalObject::isOriginalArrayStructure):
* runtime/JSImmutableButterfly.cpp: Added.
(JSC::JSImmutableButterfly::visitChildren):
(JSC::JSImmutableButterfly::copyToArguments):
* runtime/JSImmutableButterfly.h: Added.
(JSC::JSImmutableButterfly::createStructure):
(JSC::JSImmutableButterfly::tryCreate):
(JSC::JSImmutableButterfly::create):
(JSC::JSImmutableButterfly::publicLength const):
(JSC::JSImmutableButterfly::vectorLength const):
(JSC::JSImmutableButterfly::length const):
(JSC::JSImmutableButterfly::toButterfly const):
(JSC::JSImmutableButterfly::fromButterfly):
(JSC::JSImmutableButterfly::get const):
(JSC::JSImmutableButterfly::subspaceFor):
(JSC::JSImmutableButterfly::setIndex):
(JSC::JSImmutableButterfly::allocationSize):
(JSC::JSImmutableButterfly::JSImmutableButterfly):
* runtime/JSObject.cpp:
(JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
(JSC::JSObject::visitButterflyImpl):
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::putByIndex):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::createInitialForValueAndSet):
(JSC::JSObject::convertInt32ForValue):
(JSC::JSObject::convertFromCopyOnWrite):
(JSC::JSObject::ensureWritableInt32Slow):
(JSC::JSObject::ensureWritableDoubleSlow):
(JSC::JSObject::ensureWritableContiguousSlow):
(JSC::JSObject::ensureArrayStorageSlow):
(JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
(JSC::JSObject::switchToSlowPutArrayStorage):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::canDoFastPutDirectIndex):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::countElements):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::getEnumerableLength):
(JSC::JSObject::ensureInt32Slow): Deleted.
(JSC::JSObject::ensureDoubleSlow): Deleted.
(JSC::JSObject::ensureContiguousSlow): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::putDirectIndex):
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::initializeIndexWithoutBarrier):
(JSC::JSObject::ensureWritableInt32):
(JSC::JSObject::ensureWritableDouble):
(JSC::JSObject::ensureWritableContiguous):
(JSC::JSObject::ensureLength):
(JSC::JSObject::ensureInt32): Deleted.
(JSC::JSObject::ensureDouble): Deleted.
(JSC::JSObject::ensureContiguous): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
* runtime/JSType.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::addNewPropertyTransition):
(JSC::Structure::nonPropertyTransition):
* runtime/Structure.h:
* runtime/StructureIDBlob.h:
(JSC::StructureIDBlob::StructureIDBlob):
(JSC::StructureIDBlob::indexingModeIncludingHistory const):
(JSC::StructureIDBlob::setIndexingModeIncludingHistory):
(JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
(JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
(JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
(JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
* runtime/StructureTransitionTable.h:
(JSC::newIndexingType):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-05-22 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r232052.
Breaks internal builds.
Reverted changeset:
"Use more C++17"
https://bugs.webkit.org/show_bug.cgi?id=185176
https://trac.webkit.org/changeset/232052
2018-05-22 Alberto Garcia <berto@igalia.com>
[CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
https://bugs.webkit.org/show_bug.cgi?id=182622
<rdar://problem/40292317>
Reviewed by Michael Catanzaro.
We were linking JavaScriptCore against libatomic in MIPS because
in that architecture __atomic_fetch_add_8() is not a compiler
intrinsic and is provided by that library instead. However other
architectures (e.g armel) are in the same situation, so we need a
generic test.
That test already exists in WebKit/CMakeLists.txt, so we just have
to move it to a common file (WebKitCompilerFlags.cmake) and use
its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
* CMakeLists.txt:
2018-05-22 Michael Catanzaro <mcatanzaro@igalia.com>
Unreviewed, rolling out r231843.
Broke cross build
Reverted changeset:
"[CMake] Properly detect compiler flags, needed libs, and
fallbacks for usage of 64-bit atomic operations"
https://bugs.webkit.org/show_bug.cgi?id=182622
https://trac.webkit.org/changeset/231843
2018-05-21 Yusuke Suzuki <utatane.tea@gmail.com>
Use more C++17
https://bugs.webkit.org/show_bug.cgi?id=185176
Reviewed by JF Bastien.
* Configurations/Base.xcconfig:
2018-05-21 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove duplicate methods in JSInterfaceJIT
https://bugs.webkit.org/show_bug.cgi?id=185813
Reviewed by Saam Barati.
Some methods of JSInterfaceJIT are duplicate with AssemblyHelpers' ones.
This patch removes these ones and use AssemblyHelpers' ones instead.
This patch also a bit cleans up ThunkGenerators' unnecessary ifdefs.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::tagFor):
(JSC::AssemblyHelpers::payloadFor):
* jit/JIT.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_unsigned):
(JSC::JIT::emit_compareUnsigned):
(JSC::JIT::emit_op_inc):
(JSC::JIT::emit_op_dec):
(JSC::JIT::emit_op_mod):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::emitPutIntToCallFrameHeader):
(JSC::JIT::updateTopCallFrame):
(JSC::JIT::emitInitRegister):
(JSC::JIT::emitLoad):
(JSC::JIT::emitStore):
(JSC::JIT::emitStoreInt32):
(JSC::JIT::emitStoreCell):
(JSC::JIT::emitStoreBool):
(JSC::JIT::emitGetVirtualRegister):
(JSC::JIT::emitPutVirtualRegister):
(JSC::JIT::emitTagBool): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_is_empty):
(JSC::JIT::emit_op_is_undefined):
(JSC::JIT::emit_op_is_boolean):
(JSC::JIT::emit_op_is_number):
(JSC::JIT::emit_op_is_cell_with_type):
(JSC::JIT::emit_op_is_object):
(JSC::JIT::emit_op_eq):
(JSC::JIT::emit_op_neq):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::emitSlow_op_neq):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emitNewFuncExprCommon):
* jit/JSInterfaceJIT.h:
(JSC::JSInterfaceJIT::emitLoadInt32):
(JSC::JSInterfaceJIT::emitLoadDouble):
(JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
(JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
(JSC::JSInterfaceJIT::tagFor): Deleted.
(JSC::JSInterfaceJIT::payloadFor): Deleted.
(JSC::JSInterfaceJIT::intPayloadFor): Deleted.
(JSC::JSInterfaceJIT::intTagFor): Deleted.
(JSC::JSInterfaceJIT::emitTagInt): Deleted.
(JSC::JSInterfaceJIT::addressFor): Deleted.
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::returnDouble):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
(JSC::arityFixupGenerator):
2018-05-21 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, reland InById cache
https://bugs.webkit.org/show_bug.cgi?id=185682
Includes Dominik's 32bit fix.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::fromStructureStubInfo):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeDumper.h:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::generateSelfInAccess):
* bytecode/InlineAccess.h:
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::initInByIdSelf):
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::aboutToDie):
(JSC::StructureStubInfo::reset):
(JSC::StructureStubInfo::visitWeakReferences):
(JSC::StructureStubInfo::propagateTransitions):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::patchableJump):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitInByVal):
(JSC::BytecodeGenerator::emitInById):
(JSC::BytecodeGenerator::emitIn): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::InNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addInById):
(JSC::DFG::InRecord::InRecord): Deleted.
(JSC::DFG::JITCompiler::addIn): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToInById):
(JSC::DFG::Node::hasIdentifier):
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInById):
(JSC::DFG::SpeculativeJIT::compileInByVal):
(JSC::DFG::SpeculativeJIT::compileIn): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileInById):
(JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::boxBoolean):
* jit/ICStats.h:
* jit/JIT.cpp:
(JSC::JIT::JIT):
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
* jit/JIT.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITInByIdGenerator::JITInByIdGenerator):
(JSC::JITInByIdGenerator::generateFastPath):
* jit/JITInlineCacheGenerator.h:
(JSC::JITInByIdGenerator::JITInByIdGenerator):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emitSlow_op_in_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emitSlow_op_in_by_id):
* jit/Repatch.cpp:
(JSC::tryCacheInByID):
(JSC::repatchInByID):
(JSC::resetInByID):
(JSC::tryCacheIn): Deleted.
(JSC::repatchIn): Deleted.
(JSC::resetIn): Deleted.
* jit/Repatch.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* parser/NodeConstructors.h:
(JSC::InNode::InNode):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opInByVal):
(JSC::CommonSlowPaths::opIn): Deleted.
2018-05-21 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r231998 and r232017.
https://bugs.webkit.org/show_bug.cgi?id=185842
causes crashes on 32 JSC bot (Requested by realdawei on
#webkit).
Reverted changesets:
"[JSC] JSC should have consistent InById IC"
https://bugs.webkit.org/show_bug.cgi?id=185682
https://trac.webkit.org/changeset/231998
"Unreviewed, fix 32bit and scope release"
https://bugs.webkit.org/show_bug.cgi?id=185682
https://trac.webkit.org/changeset/232017
2018-05-21 Jer Noble <jer.noble@apple.com>
Complete fix for enabling modern EME by default
https://bugs.webkit.org/show_bug.cgi?id=185770
<rdar://problem/40368220>
Reviewed by Eric Carlson.
* Configurations/FeatureDefines.xcconfig:
2018-05-21 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix 32bit and scope release
https://bugs.webkit.org/show_bug.cgi?id=185682
* jit/JITOperations.cpp:
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_in_by_id):
2018-05-20 Filip Pizlo <fpizlo@apple.com>
Revert the B3 compiler pipeline's treatment of taildup
https://bugs.webkit.org/show_bug.cgi?id=185808
Reviewed by Yusuke Suzuki.
While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
But then path specialization turned out to be a negative result. This reverts the pipeline to the
way it was before that work.
1.5% progression on V8Spider-CompileTime.
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
2018-05-20 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
https://bugs.webkit.org/show_bug.cgi?id=185802
Reviewed by Saam Barati.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
2018-05-18 Filip Pizlo <fpizlo@apple.com>
DFG should inline InstanceOf ICs
https://bugs.webkit.org/show_bug.cgi?id=185695
Reviewed by Yusuke Suzuki.
This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
be folded to a CheckStructure + JSConstant.
In the process of testing this, I found a bug where LICM was not hoisting things that
depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
This is a ~5% speed-up on boyer.
~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
instanceof-sometimes-hit microbenchmarks.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::appendVariant):
(JSC::GetByIdStatus::filter):
* bytecode/GetByIdStatus.h:
(JSC::GetByIdStatus::operator bool const):
(JSC::GetByIdStatus::operator! const): Deleted.
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::operator bool const):
(JSC::GetByIdVariant::operator! const): Deleted.
* bytecode/ICStatusUtils.h: Added.
(JSC::appendICStatusVariant):
(JSC::filterICStatusVariants):
* bytecode/InstanceOfStatus.cpp: Added.
(JSC::InstanceOfStatus::appendVariant):
(JSC::InstanceOfStatus::computeFor):
(JSC::InstanceOfStatus::computeForStubInfo):
(JSC::InstanceOfStatus::commonPrototype const):
(JSC::InstanceOfStatus::filter):
* bytecode/InstanceOfStatus.h: Added.
(JSC::InstanceOfStatus::InstanceOfStatus):
(JSC::InstanceOfStatus::state const):
(JSC::InstanceOfStatus::isSet const):
(JSC::InstanceOfStatus::operator bool const):
(JSC::InstanceOfStatus::isSimple const):
(JSC::InstanceOfStatus::takesSlowPath const):
(JSC::InstanceOfStatus::numVariants const):
(JSC::InstanceOfStatus::variants const):
(JSC::InstanceOfStatus::at const):
(JSC::InstanceOfStatus::operator[] const):
* bytecode/InstanceOfVariant.cpp: Added.
(JSC::InstanceOfVariant::InstanceOfVariant):
(JSC::InstanceOfVariant::attemptToMerge):
(JSC::InstanceOfVariant::dump const):
(JSC::InstanceOfVariant::dumpInContext const):
* bytecode/InstanceOfVariant.h: Added.
(JSC::InstanceOfVariant::InstanceOfVariant):
(JSC::InstanceOfVariant::operator bool const):
(JSC::InstanceOfVariant::structureSet const):
(JSC::InstanceOfVariant::structureSet):
(JSC::InstanceOfVariant::conditionSet const):
(JSC::InstanceOfVariant::prototype const):
(JSC::InstanceOfVariant::isHit const):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::StructureStubInfo):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::considerCaching):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::remove):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasMatchStructureData):
(JSC::DFG::Node::matchStructureData):
* dfg/DFGNodeType.h:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMatchStructure):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
2018-05-19 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] JSC should have consistent InById IC
https://bugs.webkit.org/show_bug.cgi?id=185682
Reviewed by Filip Pizlo.
Current our op_in IC is adhoc: It is only emitted in DFG and FTL layers,
when we found that DFG::In's parameter is constant string. We should
align this IC to the other ById ICs to clean up and remove adhoc code
in DFG and FTL.
This patch cleans up our "In" IC by aligning it to the other ById ICs.
We split op_in bytecode to op_in_by_id and op_in_by_val. op_in_by_val
is the same to the original op_in. For op_in_by_id, we use JITInByIdGenerator
to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
has a inline access cache for own property case, which is the same to
JITGetByIdGenerator.
And we split DFG::In to DFG::InById and DFG::InByVal. InByVal is the same
to the original In DFG node. DFG AI attempts to lower InByVal to InById
if AI figured out that the property name is a constant string. And in
InById node, we use JITInByIdGenerator code.
This patch cleans up DFG and FTL's adhoc In IC code.
In a subsequent patch, we should introduce InByIdStatus to optimize
InById in DFG and FTL. We would like to have a new InByIdStatus instead of
reusing GetByIdStatus since GetByIdStatus becomes too complicated, and
AccessCase::Types are different from them (AccessCase::InHit / InMiss).
* bytecode/AccessCase.cpp:
(JSC::AccessCase::fromStructureStubInfo):
(JSC::AccessCase::generateWithGuard):
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeDumper.h:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::generateSelfInAccess):
* bytecode/InlineAccess.h:
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::initInByIdSelf):
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::aboutToDie):
(JSC::StructureStubInfo::reset):
(JSC::StructureStubInfo::visitWeakReferences):
(JSC::StructureStubInfo::propagateTransitions):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::patchableJump):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitInByVal):
(JSC::BytecodeGenerator::emitInById):
(JSC::BytecodeGenerator::emitIn): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::InNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addInById):
(JSC::DFG::InRecord::InRecord): Deleted.
(JSC::DFG::JITCompiler::addIn): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToInById):
(JSC::DFG::Node::hasIdentifier):
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInById):
(JSC::DFG::SpeculativeJIT::compileInByVal):
(JSC::DFG::SpeculativeJIT::compileIn): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileInById):
(JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
* jit/ICStats.h:
* jit/JIT.cpp:
(JSC::JIT::JIT):
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
* jit/JIT.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITInByIdGenerator::JITInByIdGenerator):
(JSC::JITInByIdGenerator::generateFastPath):
* jit/JITInlineCacheGenerator.h:
(JSC::JITInByIdGenerator::JITInByIdGenerator):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emitSlow_op_in_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emitSlow_op_in_by_id):
* jit/Repatch.cpp:
(JSC::tryCacheInByID):
(JSC::repatchInByID):
(JSC::resetInByID):
(JSC::tryCacheIn): Deleted.
(JSC::repatchIn): Deleted.
(JSC::resetIn): Deleted.
* jit/Repatch.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* parser/NodeConstructors.h:
(JSC::InNode::InNode):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opInByVal):
(JSC::CommonSlowPaths::opIn): Deleted.
2018-05-18 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r231982.
https://bugs.webkit.org/show_bug.cgi?id=185793
Caused layout test failures (Requested by realdawei on
#webkit).
Reverted changeset:
"Complete fix for enabling modern EME by default"
https://bugs.webkit.org/show_bug.cgi?id=185770
https://trac.webkit.org/changeset/231982
2018-05-18 Keith Miller <keith_miller@apple.com>
op_in should mark if it sees out of bounds accesses
https://bugs.webkit.org/show_bug.cgi?id=185792
Reviewed by Filip Pizlo.
This would used to cause us to OSR loop since we would always speculate
we were in bounds in HasIndexedProperty.
* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::observeIndexedRead):
* bytecode/ArrayProfile.h:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
2018-05-18 Mark Lam <mark.lam@apple.com>
Add missing exception check.
https://bugs.webkit.org/show_bug.cgi?id=185786
<rdar://problem/35686560>
Reviewed by Michael Saboff.
* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):
2018-05-18 Jer Noble <jer.noble@apple.com>
Complete fix for enabling modern EME by default
https://bugs.webkit.org/show_bug.cgi?id=185770
<rdar://problem/40368220>
Reviewed by Eric Carlson.
* Configurations/FeatureDefines.xcconfig:
2018-05-18 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix exception checking, part 2
https://bugs.webkit.org/show_bug.cgi?id=185350
* dfg/DFGOperations.cpp:
(JSC::DFG::putByValInternal):
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::putDirectAccessorWithReify):
2018-05-16 Filip Pizlo <fpizlo@apple.com>
JSC should have InstanceOf inline caching
https://bugs.webkit.org/show_bug.cgi?id=185652
Reviewed by Saam Barati.
This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
too many cases, we emit the generic instanceof implementation instead.
All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
abstraction.
This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
* API/tests/testapi.mm:
(testObjectiveCAPIMain):
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3Effects.h:
(JSC::B3::Effects::forReadOnlyCall):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::guardedByStructureCheck const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::visitWeak const):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
* bytecode/AccessCase.h:
* bytecode/InstanceOfAccessCase.cpp: Added.
(JSC::InstanceOfAccessCase::create):
(JSC::InstanceOfAccessCase::dumpImpl const):
(JSC::InstanceOfAccessCase::clone const):
(JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
(JSC::InstanceOfAccessCase::InstanceOfAccessCase):
* bytecode/InstanceOfAccessCase.h: Added.
(JSC::InstanceOfAccessCase::prototype const):
* bytecode/ObjectPropertyCondition.h:
(JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
(JSC::ObjectPropertyCondition::hasPrototype):
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForInstanceOf):
* bytecode/ObjectPropertyConditionSet.h:
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::addCases):
(JSC::PolymorphicAccess::regenerate):
(WTF::printInternal):
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::dumpInContext const):
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
(WTF::printInternal):
* bytecode/PropertyCondition.h:
(JSC::PropertyCondition::absenceWithoutBarrier):
(JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
(JSC::PropertyCondition::hasPrototypeWithoutBarrier):
(JSC::PropertyCondition::hasPrototype):
(JSC::PropertyCondition::hasPrototype const):
(JSC::PropertyCondition::prototype const):
(JSC::PropertyCondition::hash const):
(JSC::PropertyCondition::operator== const):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::StructureStubInfo):
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::considerCaching):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGInlineCacheWrapper.h:
* dfg/DFGInlineCacheWrapperInlines.h:
(JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addInstanceOf):
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::usedRegisters):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
(JSC::DFG::SpeculativeJIT::compileInstanceOf):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
(JSC::FTL::DFG::LowerDFGToB3::compilePutById):
(JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
(JSC::FTL::DFG::LowerDFGToB3::getById):
(JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
* jit/ICStats.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
* jit/JIT.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
(JSC::JITInlineCacheGenerator::finalize):
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITByIdGenerator::finalize):
(JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
(JSC::JITInstanceOfGenerator::generateFastPath):
(JSC::JITInstanceOfGenerator::finalize):
* jit/JITInlineCacheGenerator.h:
(JSC::JITInlineCacheGenerator::reportSlowPathCall):
(JSC::JITInlineCacheGenerator::slowPathBegin const):
(JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
(JSC::finalizeInlineCaches):
(JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
(JSC::JITByIdGenerator::slowPathBegin const): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::stubUnavailableRegisters):
* jit/Repatch.cpp:
(JSC::tryCacheIn):
(JSC::tryCacheInstanceOf):
(JSC::repatchInstanceOf):
(JSC::resetPatchableJump):
(JSC::resetIn):
(JSC::resetInstanceOf):
* jit/Repatch.h:
* runtime/Options.h:
* runtime/Structure.h:
2018-05-18 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix exception checking
https://bugs.webkit.org/show_bug.cgi?id=185350
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::putDirectWithReify):
(JSC::CommonSlowPaths::putDirectAccessorWithReify):
2018-05-17 Michael Saboff <msaboff@apple.com>
We don't throw SyntaxErrors for runtime generated regular expressions with errors
https://bugs.webkit.org/show_bug.cgi?id=185755
Reviewed by Keith Miller.
Added a new helper that creates the correct exception to throw for each type of error when
compiling a RegExp. Using that new helper, added missing checks for RegExp for the cases
where we create a new RegExp from an existing one. Also refactored other places that we
throw SyntaxErrors after a failed RegExp compile to use the new helper.
* runtime/RegExp.h:
* runtime/RegExpConstructor.cpp:
(JSC::regExpCreate):
(JSC::constructRegExp):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncCompile):
* yarr/YarrErrorCode.cpp:
(JSC::Yarr::errorToThrow):
* yarr/YarrErrorCode.h:
2018-05-17 Saam Barati <sbarati@apple.com>
Remove shrinkFootprint test from apitests since it's flaky
https://bugs.webkit.org/show_bug.cgi?id=185754
Reviewed by Mark Lam.
This test is flaky as it keeps failing on certain people's machines.
Having a test about OS footprint seems like it'll forever be doomed
to being flaky.
* API/tests/testapi.mm:
(testObjectiveCAPIMain):
2018-05-17 Saam Barati <sbarati@apple.com>
defaultConstructorSourceCode needs to makeSource every time it's called
https://bugs.webkit.org/show_bug.cgi?id=185753
Rubber-stamped by Mark Lam.
The bug here is multiple VMs can be running concurrently to one another
in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
if we copy a static SourceCode. instead, we create a new one each time
this function is called.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::defaultConstructorSourceCode):
2018-05-17 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Use AssemblyHelpers' type checking functions as much as possible
https://bugs.webkit.org/show_bug.cgi?id=185730
Reviewed by Saam Barati.
Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
bit and register operations for type tagging of JSValue. It is really useful when we would like
to tweak type tagging representation since the code is collected into AssemblyHelpers. And
the named function is more readable than some branching operations.
We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them are duplicate
to AssemblyHelpers' one.
We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
functions even for 32bit environment. In 32bit environment, this function takes tag register. This
semantics is aligned to the existing branchIfCell / branchIfNotCell.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
(JSC::DFG::SpeculativeJIT::speculateCellType):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateMisc):
(JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::convertAnyInt):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfInt32):
(JSC::AssemblyHelpers::branchIfNotInt32):
(JSC::AssemblyHelpers::branchIfNumber):
(JSC::AssemblyHelpers::branchIfNotNumber):
(JSC::AssemblyHelpers::branchIfBoolean):
(JSC::AssemblyHelpers::branchIfNotBoolean):
(JSC::AssemblyHelpers::branchIfEmpty):
(JSC::AssemblyHelpers::branchIfNotEmpty):
(JSC::AssemblyHelpers::branchIfUndefined):
(JSC::AssemblyHelpers::branchIfNotUndefined):
(JSC::AssemblyHelpers::branchIfNull):
(JSC::AssemblyHelpers::branchIfNotNull):
* jit/JIT.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_compareAndJump):
(JSC::JIT::emit_compareAndJumpSlow):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emit_compareAndJump):
(JSC::JIT::emit_op_unsigned):
(JSC::JIT::emit_op_inc):
(JSC::JIT::emit_op_dec):
(JSC::JIT::emitBinaryDoubleOp):
(JSC::JIT::emit_op_mod):
* jit/JITCall.cpp:
(JSC::JIT::compileCallEval):
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileCallEval):
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::emitJumpSlowCaseIfNotJSCell):
(JSC::JIT::emitJumpIfBothJSCells):
(JSC::JIT::emitJumpSlowCaseIfJSCell):
(JSC::JIT::emitJumpIfNotInt):
(JSC::JIT::emitJumpSlowCaseIfNotInt):
(JSC::JIT::emitJumpSlowCaseIfNotNumber):
(JSC::JIT::emitJumpIfCellObject): Deleted.
(JSC::JIT::emitJumpIfCellNotObject): Deleted.
(JSC::JIT::emitJumpIfJSCell): Deleted.
(JSC::JIT::emitJumpIfInt): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_is_undefined):
(JSC::JIT::emit_op_is_cell_with_type):
(JSC::JIT::emit_op_is_object):
(JSC::JIT::emit_op_to_primitive):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::compileOpStrictEqJump):
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emit_op_to_string):
(JSC::JIT::emit_op_to_object):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_to_this):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emit_op_check_tdz):
(JSC::JIT::emitNewFuncExprCommon):
(JSC::JIT::emit_op_profile_type):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_is_undefined):
(JSC::JIT::emit_op_is_cell_with_type):
(JSC::JIT::emit_op_is_object):
(JSC::JIT::emit_op_to_primitive):
(JSC::JIT::emit_op_not):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emit_op_jneq_ptr):
(JSC::JIT::emit_op_eq):
(JSC::JIT::emit_op_jeq):
(JSC::JIT::emit_op_neq):
(JSC::JIT::emit_op_jneq):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::compileOpStrictEqJump):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emit_op_to_string):
(JSC::JIT::emit_op_to_object):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emit_op_to_this):
(JSC::JIT::emit_op_check_tdz):
(JSC::JIT::emit_op_profile_type):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitWriteBarrier):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
* jit/JSInterfaceJIT.h:
(JSC::JSInterfaceJIT::emitLoadJSCell):
(JSC::JSInterfaceJIT::emitLoadInt32):
(JSC::JSInterfaceJIT::emitLoadDouble):
(JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
(JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
(JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::absThunkGenerator):
* tools/JSDollarVM.cpp:
(WTF::DOMJITNode::checkSubClassSnippet):
(WTF::DOMJITFunctionObject::checkSubClassSnippet):
2018-05-17 Saam Barati <sbarati@apple.com>
Unreviewed. Fix the build after my attempted build fix broke the build.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::defaultConstructorSourceCode):
(JSC::BuiltinExecutables::createDefaultConstructor):
* builtins/BuiltinExecutables.h:
2018-05-17 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove reifyPropertyNameIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=185350
Reviewed by Saam Barati.
reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is super critical path.
This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
cost, we should remove this from the critical path.
This patch removes this function call from the critical path. And in our slow paths, we call
helper functions which calls reifyLazyPropertyIfNeeded if the given value is a JSFunction.
While putDirect is a bit raw API, our slow paths just call it. This helper wraps this calls
and care the edge cases. The other callsites of putDirect should know the type of the given
object and the name of the property (And avoid these edge cases).
This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
regressions of the existing tests.
baseline patched
Kraken:
json-parse-financial 35.522+-0.069 ^ 34.708+-0.097 ^ definitely 1.0234x faster
SixSpeed:
object-assign.es6 145.8779+-0.2838 ^ 140.1019+-0.8007 ^ definitely 1.0412x faster
* dfg/DFGOperations.cpp:
(JSC::DFG::putByValInternal):
(JSC::DFG::putByValCellInternal):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ClassInfo.h:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::putDirectWithReify):
(JSC::CommonSlowPaths::putDirectAccessorWithReify):
* runtime/JSCell.cpp:
(JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
* runtime/JSFunction.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::putDirectNonIndexAccessor):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
2018-05-17 Saam Barati <sbarati@apple.com>
Unreviewed. Try to fix windows build.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::defaultConstructorSourceCode):
2018-05-16 Saam Barati <sbarati@apple.com>
UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
https://bugs.webkit.org/show_bug.cgi?id=185637
Reviewed by Keith Miller.
We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
source code. However, we were only using this for default class constructors. There
are only two types of default class constructors. This patch makes it so that
we just store this information inside of a single bit, and ask for the source
code as needed instead of holding it in a nullable field that is 24 bytes in size.
This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
This has the consequence of making it allocated out of a 160 byte size class
instead of a 224 byte size class. This should bring down its memory footprint
by ~40%.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::defaultConstructorSourceCode):
(JSC::BuiltinExecutables::createDefaultConstructor):
(JSC::BuiltinExecutables::createExecutable):
* builtins/BuiltinExecutables.h:
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::UnlinkedFunctionExecutable::link):
* bytecode/UnlinkedFunctionExecutable.h:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2018-05-16 Saam Barati <sbarati@apple.com>
VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
https://bugs.webkit.org/show_bug.cgi?id=185707
Reviewed by Mark Lam.
* runtime/VM.cpp:
(JSC::VM::shrinkFootprint):
2018-05-16 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "/" operation
https://bugs.webkit.org/show_bug.cgi?id=183996
Reviewed by Yusuke Suzuki.
This patch is introducing the support for BigInt into divide
operation int LLInt and JIT layers.
* dfg/DFGOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::divide):
(JSC::JSBigInt::copy):
(JSC::JSBigInt::unaryMinus):
(JSC::JSBigInt::absoluteCompare):
(JSC::JSBigInt::absoluteDivLarge):
(JSC::JSBigInt::productGreaterThan):
(JSC::JSBigInt::inplaceAdd):
(JSC::JSBigInt::inplaceSub):
(JSC::JSBigInt::inplaceRightShift):
(JSC::JSBigInt::specialLeftShift):
(JSC::JSBigInt::digit):
(JSC::JSBigInt::setDigit):
* runtime/JSBigInt.h:
2018-05-16 Saam Barati <sbarati@apple.com>
Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
https://bugs.webkit.org/show_bug.cgi?id=185670
Reviewed by Yusuke Suzuki.
This patch makes it so that we constant fold CheckTypeInfoFlags for
ImplementsDefaultHasInstance inside of AI/constant folding. We constant
fold in three ways:
- When the incoming value is a constant, we just look at its inline type
flags. Since those flags never change after an object is created, this
is sound.
- Based on the incoming value having a finite structure set. We just iterate
all structures and ensure they have the bit set.
- Based on speculated type. To do this, I split up SpecFunction into two
subheaps where one is for functions that have the bit set, and one for
functions that don't have the bit set. The latter is currently only comprised
of JSBoundFunctions. To constant fold, we check that the incoming
value only has the SpecFunction type with ImplementsDefaultHasInstance set.
* bytecode/SpeculatedType.cpp:
(JSC::speculationFromClassInfo):
* bytecode/SpeculatedType.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* runtime/JSFunction.cpp:
(JSC::JSFunction::JSFunction):
(JSC::JSFunction::assertTypeInfoFlagInvariants):
* runtime/JSFunction.h:
(JSC::JSFunction::assertTypeInfoFlagInvariants):
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::JSFunction):
2018-05-16 Devin Rousso <webkit@devinrousso.com>
Web Inspector: create a navigation item for toggling the overlay rulers/guides
https://bugs.webkit.org/show_bug.cgi?id=185644
Reviewed by Matt Baker.
* inspector/protocol/OverlayTypes.json:
* inspector/protocol/Page.json:
2018-05-16 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r231845.
https://bugs.webkit.org/show_bug.cgi?id=185702
it is breaking Apple High Sierra 32-bit JSC bot (Requested by
caiolima on #webkit).
Reverted changeset:
"[ESNext][BigInt] Implement support for "/" operation"
https://bugs.webkit.org/show_bug.cgi?id=183996
https://trac.webkit.org/changeset/231845
2018-05-16 Filip Pizlo <fpizlo@apple.com>
DFG models InstanceOf incorrectly
https://bugs.webkit.org/show_bug.cgi?id=185694
Reviewed by Keith Miller.
Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
hoist it.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNodeType.h:
2018-05-16 Andy VanWagoner <andy@vanwagoner.family>
Add support for Intl NumberFormat formatToParts
https://bugs.webkit.org/show_bug.cgi?id=185375
Reviewed by Yusuke Suzuki.
Add flag for NumberFormat formatToParts. Implement formatToParts using
unum_formatDoubleForFields. Because the fields are nested and come back
in no guaranteed order, the simple algorithm to convert them to the
desired format is roughly O(n^2). However, even with Number.MAX_VALUE
it appears to perform well enough for the initial implementation. Another
issue has been created to improve this algorithm.
This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
on macOS, since only v57 is available.
* Configurations/FeatureDefines.xcconfig:
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
(JSC::IntlNumberFormat::partTypeString):
(JSC::IntlNumberFormat::formatToParts):
* runtime/IntlNumberFormat.h:
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatPrototype::create):
(JSC::IntlNumberFormatPrototype::finishCreation):
(JSC::IntlNumberFormatPrototypeFuncFormatToParts):
* runtime/IntlNumberFormatPrototype.h:
* runtime/Options.h:
2018-05-16 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "/" operation
https://bugs.webkit.org/show_bug.cgi?id=183996
Reviewed by Yusuke Suzuki.
This patch is introducing the support for BigInt into divide
operation int LLInt and JIT layers.
* dfg/DFGOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::divide):
(JSC::JSBigInt::copy):
(JSC::JSBigInt::unaryMinus):
(JSC::JSBigInt::absoluteCompare):
(JSC::JSBigInt::absoluteDivLarge):
(JSC::JSBigInt::productGreaterThan):
(JSC::JSBigInt::inplaceAdd):
(JSC::JSBigInt::inplaceSub):
(JSC::JSBigInt::inplaceRightShift):
(JSC::JSBigInt::specialLeftShift):
(JSC::JSBigInt::digit):
(JSC::JSBigInt::setDigit):
* runtime/JSBigInt.h:
2018-05-16 Alberto Garcia <berto@igalia.com>
[CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
https://bugs.webkit.org/show_bug.cgi?id=182622
Reviewed by Michael Catanzaro.
We were linking JavaScriptCore against libatomic in MIPS because
in that architecture __atomic_fetch_add_8() is not a compiler
intrinsic and is provided by that library instead. However other
architectures (e.g armel) are in the same situation, so we need a
generic test.
That test already exists in WebKit/CMakeLists.txt, so we just have
to move it to a common file (WebKitCompilerFlags.cmake) and use
its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
* CMakeLists.txt:
2018-05-15 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
https://bugs.webkit.org/show_bug.cgi?id=185601
Reviewed by Saam Barati.
Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
before calling getCallData when we would like to check whether a given object is callable
since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
is fine. But if we would like to check whether the object is callable, we can have non
callable objects frequently. In that case, we should not call getCallData if we can avoid it.
To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
OverridesGetCallData checking before calling getCallData.
We found that this virtual call exists in JSON.stringify's critial path. Checking
OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
baseline patched
json-stringify-tinderbox 38.807+-0.350 ^ 37.216+-0.337 ^ definitely 1.0427x faster
In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
since major cases are covered by this fast JSFunctionType checking.
* API/JSCallbackObject.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
(JSC::DFG::SpeculativeJIT::compileIsFunction):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitTypeOf):
* runtime/ExceptionHelpers.cpp:
(JSC::createError):
(JSC::createInvalidFunctionApplyParameterError):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
* runtime/InternalFunction.h:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isFunction const):
(JSC::JSValue::isCallable const):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::isFunction):
ALWAYS_INLINE works well for my environment.
(JSC::JSCell::isCallable):
* runtime/JSFunction.h:
* runtime/JSONObject.cpp:
(JSC::Stringifier::toJSON):
(JSC::Stringifier::toJSONImpl):
(JSC::Stringifier::appendStringifiedValue):
* runtime/JSObjectInlines.h:
(JSC::createListFromArrayLike):
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::overridesGetCallData const):
(JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
* runtime/Operations.cpp:
(JSC::jsTypeStringForValue):
(JSC::jsIsObjectTypeOrNull):
* runtime/ProxyObject.h:
* runtime/RuntimeType.cpp:
(JSC::runtimeTypeForValue):
* runtime/RuntimeType.h:
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::TypeProfilerLog):
(JSC::TypeProfilerLog::processLogEntries):
* runtime/TypeProfilerLog.h:
* runtime/VM.cpp:
(JSC::VM::enableTypeProfiler):
* tools/JSDollarVM.cpp:
(JSC::functionFindTypeForExpression):
(JSC::functionReturnTypeFor):
(JSC::functionHasBasicBlockExecuted):
(JSC::functionBasicBlockExecutionCount):
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::webAssemblyInstantiateFunc):
(JSC::webAssemblyInstantiateStreamingInternal):
* wasm/js/WebAssemblyWrapperFunction.cpp:
(JSC::WebAssemblyWrapperFunction::finishCreation):
2018-05-15 Devin Rousso <webkit@devinrousso.com>
Web Inspector: Add rulers and guides
https://bugs.webkit.org/show_bug.cgi?id=32263
<rdar://problem/19281564>
Reviewed by Matt Baker.
* inspector/protocol/OverlayTypes.json:
2018-05-14 Keith Miller <keith_miller@apple.com>
Remove butterflyMask from DFGAbstractHeap
https://bugs.webkit.org/show_bug.cgi?id=185640
Reviewed by Saam Barati.
We don't have a butterfly indexing mask anymore so we don't need
the abstract heap information for it anymore.
* dfg/DFGAbstractHeap.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-05-14 Andy VanWagoner <andy@vanwagoner.family>
[INTL] Handle error in defineProperty for supported locales length
https://bugs.webkit.org/show_bug.cgi?id=185623
Reviewed by Saam Barati.
Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
length of the supported locales array.
* runtime/IntlObject.cpp:
(JSC::supportedLocales):
2018-05-14 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Tweak LiteralParser to improve lexing performance
https://bugs.webkit.org/show_bug.cgi?id=185541
Reviewed by Saam Barati.
This patch attemps to improve LiteralParser performance.
This patch improves Kraken/json-parse-financial by roughly ~10%.
baseline patched
json-parse-financial 65.810+-1.591 ^ 59.943+-1.784 ^ definitely 1.0979x faster
* parser/Lexer.cpp:
(JSC::Lexer<T>::Lexer):
* runtime/ArgList.h:
(JSC::MarkedArgumentBuffer::takeLast):
Add takeLast() for idiomatic last() + removeLast() calls.
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::Lexer::lex):
Do not have mode in its template parameter. While lex function is large, this mode is not used in a critical path.
We should not include this mode in its template parameter to reduce the code size.
And we do not use template parameter for a terminator since duplicating ' and " code for lexString is not good.
Also, we construct TokenType table to remove bunch of unnecessary switch cases.
(JSC::LiteralParser<CharType>::Lexer::next):
(JSC::isSafeStringCharacter):
Take mode in its template parameter. But do not take terminator character in its template parameter.
(JSC::LiteralParser<CharType>::Lexer::lexString):
(JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
Duplicate while statements manually since this is a critical path.
(JSC::LiteralParser<CharType>::parse):
Use takeLast().
* runtime/LiteralParser.h:
2018-05-14 Dominik Infuehr <dinfuehr@igalia.com>
[MIPS] Use btpz to compare against 0 instead of bpeq
https://bugs.webkit.org/show_bug.cgi?id=185607
Reviewed by Yusuke Suzuki.
Fixes build on MIPS since MIPS doesn't have an instruction to
compare a register against an immediate. Since the immediate is just 0
in this case the simplest solution is just to use btpz instead of bpeq
to compare to 0.
* llint/LowLevelInterpreter.asm:
2018-05-12 Filip Pizlo <fpizlo@apple.com>
CachedCall::call() should be faster
https://bugs.webkit.org/show_bug.cgi?id=185583
Reviewed by Yusuke Suzuki.
CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
Unfortunately, because of a combination of abstraction and assertions, this code path had a
lot of overhead. This patch reduces this overhead by:
- Turning off some assertions. These assertions don't look to have security value; they're
mostly for sanity. I turned off stack alignment checks and VM state checks having to do
with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
call, considering that the caller would have already been strongly assuming that the JSLock
is held.
- Making more things inlineable.
This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
* JavaScriptCore.xcodeproj/project.pbxproj:
* interpreter/CachedCall.h:
(JSC::CachedCall::call):
* interpreter/Interpreter.cpp:
(JSC::checkedReturn): Deleted.
* interpreter/Interpreter.h:
(JSC::Interpreter::checkedReturn):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::execute):
* jit/JITCode.cpp:
(JSC::JITCode::execute): Deleted.
* jit/JITCodeInlines.h: Added.
(JSC::JITCode::execute):
* llint/LowLevelInterpreter.asm:
* runtime/StringPrototype.cpp:
2018-05-13 Andy VanWagoner <andy@vanwagoner.family>
[INTL] Improve spec & test262 compliance for Intl APIs
https://bugs.webkit.org/show_bug.cgi?id=185578
Reviewed by Yusuke Suzuki.
Use putDirectIndex over push for lists to arrays.
Update default options to construct with a null prototype.
Define constructor and toStringTag on prototypes.
Add proper time clipping.
Remove some outdated comment spec text, use url instead.
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlCollatorConstructor.cpp:
(JSC::IntlCollatorConstructor::finishCreation):
* runtime/IntlCollatorPrototype.cpp:
(JSC::IntlCollatorPrototype::finishCreation):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::IntlDateTimeFormatConstructor::finishCreation):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatPrototype::finishCreation):
(JSC::IntlDateTimeFormatFuncFormatDateTime):
(JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::IntlNumberFormatConstructor::finishCreation):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatPrototype::finishCreation):
* runtime/IntlObject.cpp:
(JSC::lookupSupportedLocales):
(JSC::supportedLocales):
(JSC::intlObjectFuncGetCanonicalLocales):
* runtime/IntlPluralRules.cpp:
(JSC::IntlPluralRules::resolvedOptions):
* runtime/IntlPluralRulesConstructor.cpp:
(JSC::IntlPluralRulesConstructor::finishCreation):
2018-05-11 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "*" operation
https://bugs.webkit.org/show_bug.cgi?id=183721
Reviewed by Yusuke Suzuki.
Added BigInt support into times binary operator into LLInt and on
JITOperations profiledMul and unprofiledMul. We are also replacing all
uses of int to unsigned when there is no negative values for
variables.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::JSBigInt):
(JSC::JSBigInt::allocationSize):
(JSC::JSBigInt::createWithLength):
(JSC::JSBigInt::toString):
(JSC::JSBigInt::multiply):
(JSC::JSBigInt::digitDiv):
(JSC::JSBigInt::internalMultiplyAdd):
(JSC::JSBigInt::multiplyAccumulate):
(JSC::JSBigInt::equals):
(JSC::JSBigInt::absoluteDivSmall):
(JSC::JSBigInt::calculateMaximumCharactersRequired):
(JSC::JSBigInt::toStringGeneric):
(JSC::JSBigInt::rightTrim):
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::digit):
(JSC::JSBigInt::setDigit):
* runtime/JSBigInt.h:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toNumeric const):
* runtime/Operations.h:
(JSC::jsMul):
2018-05-11 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r231316 and r231332.
https://bugs.webkit.org/show_bug.cgi?id=185564
Appears to be a Speedometer2/MotionMark regression (Requested
by keith_miller on #webkit).
Reverted changesets:
"Remove the prototype caching for get_by_id in the LLInt"
https://bugs.webkit.org/show_bug.cgi?id=185226
https://trac.webkit.org/changeset/231316
"Unreviewed, fix 32-bit profile offset for change in bytecode"
https://trac.webkit.org/changeset/231332
2018-05-11 Michael Saboff <msaboff@apple.com>
[DFG] Compiler uses incorrect output register for NumberIsInteger operation
https://bugs.webkit.org/show_bug.cgi?id=185328
Reviewed by Keith Miller.
Fixed a typo from when this code was added in r228968 where resultGPR
was assigned the input register instead of the result.gpr().
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-05-11 Saam Barati <sbarati@apple.com>
Don't use inferred types when the JIT is disabled
https://bugs.webkit.org/show_bug.cgi?id=185539
Reviewed by Yusuke Suzuki.
There are many JSC API clients that run with the JIT disabled. They were
all allocating and tracking inferred types for no benefit. Inferred types
only benefit programs when they make it to the DFG/FTL. I was seeing cases
where the inferred type machinery used ~0.5MB. This patch makes is so we
don't allocate that machinery when the JIT is disabled.
* runtime/Structure.cpp:
(JSC::Structure::willStoreValueSlow):
* runtime/Structure.h:
2018-05-11 Saam Barati <sbarati@apple.com>
Don't allocate value profiles when the JIT is disabled
https://bugs.webkit.org/show_bug.cgi?id=185525
Reviewed by Michael Saboff.
There are many JSC API clients that run with the JIT disabled. We were
still allocating a ton of value profiles in this use case even though
these clients get no benefit from doing value profiling. This patch makes
it so that we don't allocate value profiles or argument value profiles
when we're not using the JIT. We now just make all value profiles in
the instruction stream point to a global value profile that the VM owns.
And we make the argument value profile array have zero length and teach
the LLInt how to handle that. Heap clears the global value profile on each GC.
In an app that I'm testing this against, this saves ~1MB of memory.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setNumParameters):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numberOfArgumentValueProfiles):
(JSC::CodeBlock::valueProfileForArgument):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitProfiledOpcode):
* heap/Heap.cpp:
(JSC::Heap::runEndPhase):
* llint/LowLevelInterpreter.asm:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-05-10 Carlos Garcia Campos <cgarcia@igalia.com>
[JSC][GLIB] Add introspectable alternatives to functions using vargars
https://bugs.webkit.org/show_bug.cgi?id=185508
Reviewed by Michael Catanzaro.
* API/glib/JSCClass.cpp:
(jscClassCreateConstructor):
(jsc_class_add_constructor):
(jsc_class_add_constructorv):
(jscClassAddMethod):
(jsc_class_add_method):
(jsc_class_add_methodv):
* API/glib/JSCClass.h:
* API/glib/JSCValue.cpp:
(jsObjectCall):
(jscValueCallFunction):
(jsc_value_object_invoke_methodv):
(jscValueFunctionCreate):
(jsc_value_new_function):
(jsc_value_new_functionv):
(jsc_value_function_callv):
(jsc_value_constructor_callv):
* API/glib/JSCValue.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-05-10 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Make return types of construction functions tight
https://bugs.webkit.org/show_bug.cgi?id=185509
Reviewed by Saam Barati.
Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
* runtime/ArrayConstructor.cpp:
(JSC::constructArrayWithSizeQuirk):
* runtime/ArrayConstructor.h:
* runtime/ObjectConstructor.h:
(JSC::constructEmptyObject):
2018-05-09 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Object.assign for final objects should be faster
https://bugs.webkit.org/show_bug.cgi?id=185348
Reviewed by Saam Barati.
Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
If enumerating properties of source objects and putting properties to target object are non observable,
we can avoid hash table looking up of source object properties. We can enumerate object property entries,
and put them to target object. This patch adds this fast path to Object.assign implementation.
When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
"HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
This improves object-assign.es6 by 1.85x.
baseline patched
object-assign.es6 368.6132+-8.3508 ^ 198.8775+-4.9042 ^ definitely 1.8535x faster
And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInlineExcludingProto):
(JSC::JSObject::canPerformFastPutInline):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorAssign):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::forEachProperty):
(JSC::Structure::add):
2018-05-10 Filip Pizlo <fpizlo@apple.com>
DFG CFA should pick the right time to inject OSR entry data
https://bugs.webkit.org/show_bug.cgi?id=185530
Reviewed by Saam Barati.
Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
would eventually LUB to non-constant.
This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
useless regexp/string execution in the compiler.
* dfg/DFGBlockSet.h:
(JSC::DFG::BlockSet::remove):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
(JSC::DFG::CFAPhase::injectOSR):
(JSC::DFG::CFAPhase::performBlockCFA):
2018-05-09 Filip Pizlo <fpizlo@apple.com>
InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
https://bugs.webkit.org/show_bug.cgi?id=185452
Reviewed by Michael Saboff.
We were spending a lot of time in beginBasicBlock() just copying the state of all variables
from the block head to InPlaceAbstractState::m_variables. It is necessary for
InPlaceAbstractState to have its own copy since we need to mutate it separately from
block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
of superfluous work.
This change adds a bitvector called m_activeVariables that tracks which variables have been
copied. We lazily copy the variables on first use. Variables that were never copied also have
a simplified merging path, which just needs to consider if the variable got clobbered between
head and tail.
This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
* bytecode/Operands.h:
(JSC::Operands::argumentIndex const):
(JSC::Operands::localIndex const):
(JSC::Operands::argument):
(JSC::Operands::argument const):
(JSC::Operands::local):
(JSC::Operands::local const):
(JSC::Operands::operandIndex const):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::fastForwardFromTo):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performForwardCFA):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
(JSC::DFG::InPlaceAbstractState::variablesForDebugging):
(JSC::DFG::InPlaceAbstractState::activateAllVariables):
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
(JSC::DFG::InPlaceAbstractState::activateVariable):
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::variableAt):
(JSC::DFG::InPlaceAbstractState::operand):
(JSC::DFG::InPlaceAbstractState::local):
(JSC::DFG::InPlaceAbstractState::argument):
(JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
(JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
2018-05-09 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "==" operation
https://bugs.webkit.org/show_bug.cgi?id=184474
Reviewed by Yusuke Suzuki.
This patch is implementing support of BigInt for equals operator
following the spec semantics[1].
[1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::stringToBigInt):
(JSC::JSBigInt::toString):
(JSC::JSBigInt::setDigit):
(JSC::JSBigInt::equalsToNumber):
(JSC::JSBigInt::compareToDouble):
* runtime/JSBigInt.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::equalSlowCaseInline):
2018-05-09 Filip Pizlo <fpizlo@apple.com>
Speed up AbstractInterpreter::executeEdges
https://bugs.webkit.org/show_bug.cgi?id=185457
Reviewed by Saam Barati.
This patch started out with the desire to make executeEdges() faster by making filtering faster.
However, when I studied the disassembly, I found that there are many opportunities for
improvement and I implemented all of them:
- Filtering itself now has an inline fast path for when the filtering didn't change the value or
for non-cells.
- Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
since fast-forwarding is only interesting for cells and only if we have a clobbered value.
- Similarly, edge verification doesn't need to fast-forward in the common case.
- A bunch of stuff related to Graph::doToChildren is now inlined properly.
- The edge doesn't even have to be considered for execution if it's UntypedUse.
That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
it means proving that the value could either be formatted as a double (with impure NaN values),
or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
SpecBytecodeNumber (if returning a JSValueRep).
But that fix revealed an amazing timeout in
stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
ever realizing that we should jettison something. The problem was with how
triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
This is a 1% improvement in V8Spider-CompileTime.
* bytecode/ExitKind.cpp:
(JSC::exitKindMayJettison):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::filterEdgeByUse):
(JSC::DFG::AbstractInterpreter::filterByType): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
(JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByType):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::filterSlow):
(JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::fastForwardToAndFilter):
(JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
(JSC::DFG::AbstractValue::makeTop):
* dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::fastForward):
(JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
(JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::doToChildren):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::fastForward):
(JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
(JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
2018-05-09 Saam Barati <sbarati@apple.com>
Add JSVirtualMachine SPI to shrink the memory footprint of the VM
https://bugs.webkit.org/show_bug.cgi?id=185441
<rdar://problem/39999414>
Reviewed by Keith Miller.
This patch adds JSVirtualMachine SPI to release as much memory as possible.
The SPI does:
- Deletes all code caches.
- Synchronous GC.
- Run the scavenger.
* API/JSVirtualMachine.mm:
(-[JSVirtualMachine shrinkFootprint]):
* API/JSVirtualMachinePrivate.h: Added.
* API/tests/testapi.mm:
(testObjectiveCAPIMain):
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/VM.cpp:
(JSC::VM::shrinkFootprint):
* runtime/VM.h:
2018-05-09 Leo Balter <leonardo.balter@gmail.com>
[JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
Error found in the following Test262 tests:
- test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
- test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
- test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
presenting a length > 2**32-1
https://bugs.webkit.org/show_bug.cgi?id=185476
Reviewed by Yusuke Suzuki.
* runtime/ArrayPrototype.cpp:
2018-05-09 Michael Catanzaro <mcatanzaro@igalia.com>
[WPE] Build cleanly with GCC 8 and ICU 60
https://bugs.webkit.org/show_bug.cgi?id=185462
Reviewed by Carlos Alberto Lopez Perez.
* API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
(jsc_class_add_constructor):
(jsc_class_add_method):
* API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
(jsc_value_object_define_property_accessor):
(jsc_value_new_function):
* CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
problem with GCC 7 too, but might as well fix it now.
* assembler/ProbeContext.h:
(JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
(JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
* b3/air/AirArg.h:
(JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
* builtins/BuiltinNames.cpp:
(JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
* builtins/BuiltinNames.h:
(JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
* dfg/DFGDoubleFormatState.h:
(JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
* runtime/ConfigFile.cpp:
(JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake, strncat is called
with the wrong length parameter and the result is not null-terminated. Also, silence a
-Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
(JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
2018-05-09 Yusuke Suzuki <utatane.tea@gmail.com>
[ARMv7] Drop ARMv7 disassembler in favor of capstone
https://bugs.webkit.org/show_bug.cgi?id=185423
Reviewed by Michael Catanzaro.
This patch removes ARMv7Disassembler in our tree.
We already adopted Capstone, and it is already used in ARMv7 JIT environments.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
* disassembler/ARMv7/ARMv7DOpcode.h: Removed.
* disassembler/ARMv7Disassembler.cpp: Removed.
2018-05-09 Srdjan Lazarevic <srdjan.lazarevic@rt-rk.com>
[MIPS] Optimize generated JIT code using r2
https://bugs.webkit.org/show_bug.cgi?id=184584
Reviewed by Yusuke Suzuki.
EXT and MFHC1 instructions from MIPSR2 implemented and used where it is possible.
Also, done some code size optimizations that were discovered in meantime.
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::ext):
(JSC::MIPSAssembler::mfhc1):
* assembler/MacroAssemblerMIPS.cpp:
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::isPowerOf2):
(JSC::MacroAssemblerMIPS::bitPosition):
(JSC::MacroAssemblerMIPS::loadAddress):
(JSC::MacroAssemblerMIPS::getEffectiveAddress):
(JSC::MacroAssemblerMIPS::load8):
(JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
(JSC::MacroAssemblerMIPS::load32):
(JSC::MacroAssemblerMIPS::load16Unaligned):
(JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
(JSC::MacroAssemblerMIPS::load16):
(JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
(JSC::MacroAssemblerMIPS::store8):
(JSC::MacroAssemblerMIPS::store16):
(JSC::MacroAssemblerMIPS::store32):
(JSC::MacroAssemblerMIPS::branchTest32):
(JSC::MacroAssemblerMIPS::loadFloat):
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeFloat):
(JSC::MacroAssemblerMIPS::storeDouble):
2018-05-06 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC][GTK][JSCONLY] Use capstone disassembler
https://bugs.webkit.org/show_bug.cgi?id=185283
Reviewed by Michael Catanzaro.
Instead of adding MIPS disassembler baked by ourselves, we import capstone disassembler.
And use capstone disassembler for MIPS, ARM, and ARMv7 in GTK, WPE, WinCairo and JSCOnly ports.
And we remove ARM LLVM disassembler.
Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree.
* CMakeLists.txt:
* Sources.txt:
* disassembler/ARMLLVMDisassembler.cpp: Removed.
* disassembler/CapstoneDisassembler.cpp: Added.
(JSC::tryToDisassemble):
2018-05-09 Dominik Infuehr <dinfuehr@igalia.com>
[MIPS] Use mfhc1 and mthc1 to fix assembler error
https://bugs.webkit.org/show_bug.cgi?id=185464
Reviewed by Yusuke Suzuki.
The binutils-assembler started to report failures for copying words between
GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead
of mfc1 and mtc1 for conversion.
* offlineasm/mips.rb:
2018-05-08 Dominik Infuehr <dinfuehr@igalia.com>
[MIPS] Collect callee-saved register using inline assembly
https://bugs.webkit.org/show_bug.cgi?id=185428
Reviewed by Yusuke Suzuki.
MIPS used setjmp instead of collecting registers with inline assembly like
other architectures.
* heap/RegisterState.h:
2018-05-07 Yusuke Suzuki <utatane.tea@gmail.com>
[BigInt] Simplifying JSBigInt by using bool addition
https://bugs.webkit.org/show_bug.cgi?id=185374
Reviewed by Alex Christensen.
Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub.
Just adding overflow flag to carry/borrow produces setb + add in x86.
Also we annotate small helper functions and accessors with `inline` not to call these functions
inside internalMultiplyAdd loop.
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::isZero):
(JSC::JSBigInt::inplaceMultiplyAdd):
(JSC::JSBigInt::digitAdd):
(JSC::JSBigInt::digitSub):
(JSC::JSBigInt::digitMul):
(JSC::JSBigInt::digitPow):
(JSC::JSBigInt::digitDiv):
(JSC::JSBigInt::offsetOfData):
(JSC::JSBigInt::dataStorage):
(JSC::JSBigInt::digit):
(JSC::JSBigInt::setDigit):
2018-05-08 Michael Saboff <msaboff@apple.com>
Replace multiple Watchpoint Set fireAll() methods with templates
https://bugs.webkit.org/show_bug.cgi?id=185456
Reviewed by Saam Barati.
Refactored to minimize duplicate code.
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::fireAll):
(JSC::InlineWatchpointSet::fireAll):
2018-05-08 Filip Pizlo <fpizlo@apple.com>
DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
https://bugs.webkit.org/show_bug.cgi?id=185453
Reviewed by Michael Saboff.
Tiny improvement for compile times.
* dfg/DFGFlowMap.h:
(JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
2018-05-08 Michael Saboff <msaboff@apple.com>
Deferred firing of structure transition watchpoints is racy
https://bugs.webkit.org/show_bug.cgi?id=185438
Reviewed by Saam Barati.
Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
and fire them in the destructor. When the watchpoints are taken from the
original WatchpointSet, that WatchpointSet if marked invalid.
* bytecode/Watchpoint.cpp:
(JSC::WatchpointSet::fireAllSlow):
(JSC::WatchpointSet::take):
(JSC::DeferredWatchpointFire::DeferredWatchpointFire):
(JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
(JSC::DeferredWatchpointFire::fireAll):
(JSC::DeferredWatchpointFire::takeWatchpointsToFire):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::fireAll):
(JSC::InlineWatchpointSet::fireAll):
* runtime/JSObject.cpp:
(JSC::JSObject::setPrototypeDirect):
(JSC::JSObject::convertToDictionary):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
(JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
(JSC::DeferredStructureTransitionWatchpointFire::dump const):
(JSC::Structure::didTransitionFromThisStructure const):
(JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
* runtime/Structure.h:
(JSC::DeferredStructureTransitionWatchpointFire::structure const):
2018-05-08 Eric Carlson <eric.carlson@apple.com>
Consecutive messages logged as JSON are coalesced
https://bugs.webkit.org/show_bug.cgi?id=185432
Reviewed by Joseph Pecoraro.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
2018-05-06 Filip Pizlo <fpizlo@apple.com>
InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
https://bugs.webkit.org/show_bug.cgi?id=185365
Reviewed by Saam Barati.
This patch does three things to improve compile times:
- Fixes some inlining goofs.
- Adds the ability to measure compile times with run-jsc-benchmarks.
- Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
code that clears abstract values. It turns out that on constant folding "needed" this, in the
sense that this was the only thing protecting it from loading the abstract value of a no-result
node and then concluding that because it had a non-empty m_value, it could be constant-folded.
Any node that produces a result will explicitly set its abstract value, so this problem can
also be guarded by just having constant folding check if the node it wants to fold returns any
result.
Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
Rolling back in after fixing cloop build.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::merge):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::doToChildrenWithNode):
(JSC::DFG::Graph::doToChildren):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
* jit/JIT.cpp:
(JSC::JIT::totalCompileTime):
* jit/JIT.h:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionTotalCompileTime):
2018-05-08 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r231468.
Broke the CLoop build
Reverted changeset:
"InPlaceAbstractState::beginBasicBlock shouldn't have to clear
any abstract values"
https://bugs.webkit.org/show_bug.cgi?id=185365
https://trac.webkit.org/changeset/231468
2018-05-07 Daniel Bates <dabates@apple.com>
Check X-Frame-Options and CSP frame-ancestors in network process
https://bugs.webkit.org/show_bug.cgi?id=185410
<rdar://problem/37733934>
Reviewed by Ryosuke Niwa.
Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
* runtime/ConsoleTypes.h:
2018-05-07 Saam Barati <sbarati@apple.com>
Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them
https://bugs.webkit.org/show_bug.cgi?id=185329
<rdar://problem/39961536>
Reviewed by Michael Saboff.
I was made aware of a memory goof inside of JSC where we would inefficiently
use space to represent an UnlinkedFunctionExecutable's parent TDZ variables.
We did two things badly:
1. We used a HashMap instead of a Vector to represent the environment. Having
a HashMap is useful when looking things up when generating bytecode, but it's
space inefficient. Because UnlinkedFunctionExecutables live a long time because
of the code cache, we should have them store this information efficiently
inside of a Vector.
2. We didn't hash-cons these environments together. If you think about how
some programs are structured, hash-consing these together is hugely profitable.
Consider some code like this:
```
const/let V_1 = ...;
const/let V_2 = ...;
...
const/let V_n = ...;
function f_1() { ... };
function f_2() { ... };
...
function f_n() { ... };
```
Each f_i would store an identical hash map for its parent TDZ variables
consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing,
each f_i just holds onto a reference to the environment.
I benchmarked this change against an app that made heavy use of the
above code pattern and it reduced its peak memory footprint from ~220MB
to ~160MB.
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
* bytecode/UnlinkedFunctionExecutable.h:
* parser/VariableEnvironment.cpp:
(JSC::CompactVariableEnvironment::CompactVariableEnvironment):
(JSC::CompactVariableEnvironment::operator== const):
(JSC::CompactVariableEnvironment::toVariableEnvironment const):
(JSC::CompactVariableMap::get):
(JSC::CompactVariableMap::Handle::~Handle):
* parser/VariableEnvironment.h:
(JSC::VariableEnvironmentEntry::bits const):
(JSC::VariableEnvironmentEntry::operator== const):
(JSC::VariableEnvironment::isEverythingCaptured const):
(JSC::CompactVariableEnvironment::hash const):
(JSC::CompactVariableMapKey::CompactVariableMapKey):
(JSC::CompactVariableMapKey::hash):
(JSC::CompactVariableMapKey::equal):
(JSC::CompactVariableMapKey::makeDeletedValue):
(JSC::CompactVariableMapKey::isHashTableDeletedValue const):
(JSC::CompactVariableMapKey::isHashTableEmptyValue const):
(JSC::CompactVariableMapKey::environment):
(WTF::HashTraits<JSC::CompactVariableMapKey>::emptyValue):
(WTF::HashTraits<JSC::CompactVariableMapKey>::isEmptyValue):
(WTF::HashTraits<JSC::CompactVariableMapKey>::constructDeletedValue):
(WTF::HashTraits<JSC::CompactVariableMapKey>::isDeletedValue):
(JSC::CompactVariableMap::Handle::Handle):
(JSC::CompactVariableMap::Handle::environment const):
(JSC::VariableEnvironment::VariableEnvironment): Deleted.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-05-06 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers
https://bugs.webkit.org/show_bug.cgi?id=185371
Reviewed by Mark Lam.
Since MIPS GPRInfo claims it has only 7 registers, some of DFG code exhausts registers.
As a result, we need to maintain separated code for MIPS. This increases DFG maintenance burden,
but actually MIPS have much more registers.
This patch adds $a0 - $a3 to temporary registers. This is OK since our temporary registers can be overlapped with
argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to
have extra mechanism.
Then, we remove several unnecessary MIPS code in our JIT infrastructure.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/CCallHelpers.h:
* jit/GPRInfo.h:
(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):
* offlineasm/mips.rb:
2018-05-05 Filip Pizlo <fpizlo@apple.com>
DFG AI should have O(1) clobbering
https://bugs.webkit.org/show_bug.cgi?id=185287
Reviewed by Saam Barati.
This fixes an old scalability probem in AI. Previously, if we did clobberWorld(), then we
would traverse all of the state available to the AI at that time and clobber it.
This changes clobberWorld() to be O(1). It just does some math to a clobber epoch.
This is a ~1% speed-up for compile times.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::forNode):
(JSC::DFG::AbstractInterpreter::setForNode):
(JSC::DFG::AbstractInterpreter::clearForNode):
(JSC::DFG::AbstractInterpreter::variables): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::fastForwardToSlow):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::fastForwardTo):
(JSC::DFG::AbstractValue::clobberStructuresFor): Deleted.
(JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted.
(JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted.
* dfg/DFGAbstractValueClobberEpoch.cpp: Added.
(JSC::DFG::AbstractValueClobberEpoch::dump const):
* dfg/DFGAbstractValueClobberEpoch.h: Added.
(JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch):
(JSC::DFG::AbstractValueClobberEpoch::first):
(JSC::DFG::AbstractValueClobberEpoch::clobber):
(JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint):
(JSC::DFG::AbstractValueClobberEpoch::operator== const):
(JSC::DFG::AbstractValueClobberEpoch::operator!= const):
(JSC::DFG::AbstractValueClobberEpoch::structureClobberState const):
(JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const):
* dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::setForNode):
(JSC::DFG::AtTailAbstractState::clearForNode):
(JSC::DFG::AtTailAbstractState::numberOfArguments const):
(JSC::DFG::AtTailAbstractState::numberOfLocals const):
(JSC::DFG::AtTailAbstractState::operand):
(JSC::DFG::AtTailAbstractState::local):
(JSC::DFG::AtTailAbstractState::argument):
(JSC::DFG::AtTailAbstractState::clobberStructures):
(JSC::DFG::AtTailAbstractState::observeInvalidationPoint):
(JSC::DFG::AtTailAbstractState::variables): Deleted.
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFlowMap.h:
(JSC::DFG::FlowMap::at):
(JSC::DFG::FlowMap::atShadow):
(JSC::DFG::FlowMap::at const):
(JSC::DFG::FlowMap::atShadow const):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::forNode):
(JSC::DFG::InPlaceAbstractState::setForNode):
(JSC::DFG::InPlaceAbstractState::clearForNode):
(JSC::DFG::InPlaceAbstractState::variablesForDebugging):
(JSC::DFG::InPlaceAbstractState::numberOfArguments const):
(JSC::DFG::InPlaceAbstractState::numberOfLocals const):
(JSC::DFG::InPlaceAbstractState::operand):
(JSC::DFG::InPlaceAbstractState::local):
(JSC::DFG::InPlaceAbstractState::argument):
(JSC::DFG::InPlaceAbstractState::variableAt):
(JSC::DFG::InPlaceAbstractState::clobberStructures):
(JSC::DFG::InPlaceAbstractState::observeInvalidationPoint):
(JSC::DFG::InPlaceAbstractState::fastForward):
(JSC::DFG::InPlaceAbstractState::variables): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2018-05-06 Filip Pizlo <fpizlo@apple.com>
InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
https://bugs.webkit.org/show_bug.cgi?id=185365
Reviewed by Saam Barati.
This patch does three things to improve compile times:
- Fixes some inlining goofs.
- Adds the ability to measure compile times with run-jsc-benchmarks.
- Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
code that clears abstract values. It turns out that on constant folding "needed" this, in the
sense that this was the only thing protecting it from loading the abstract value of a no-result
node and then concluding that because it had a non-empty m_value, it could be constant-folded.
Any node that produces a result will explicitly set its abstract value, so this problem can
also be guarded by just having constant folding check if the node it wants to fold returns any
result.
Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::merge):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::doToChildrenWithNode):
(JSC::DFG::Graph::doToChildren):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
* jit/JIT.cpp:
(JSC::JIT::totalCompileTime):
* jit/JIT.h:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionTotalCompileTime):
2018-05-05 Filip Pizlo <fpizlo@apple.com>
DFG AI doesn't need to merge valuesAtTail - it can just assign them
https://bugs.webkit.org/show_bug.cgi?id=185355
Reviewed by Mark Lam.
This is a further attempt to improve compile times. Assigning AbstractValue ought to always
be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and
merging will get the same answer because the value computed this time will be either the same
as or more general than the value computed last time. If the value does change for some
reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value
changes, then we have no reason to believe that this new value is less right than the last
one we computed. Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care
if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
2018-05-07 Andy VanWagoner <andy@vanwagoner.family>
Remove defunct email address
https://bugs.webkit.org/show_bug.cgi?id=185396
Reviewed by Mark Lam.
The email address thetalecrafter@gmail.com is no longer valid, as the
associated google account has been closed. This updates the email
address so questions about these Intl contributions go to the right
place.
* builtins/DatePrototype.js:
* builtins/NumberPrototype.js:
* builtins/StringPrototype.js:
* runtime/IntlCollator.cpp:
* runtime/IntlCollator.h:
* runtime/IntlCollatorConstructor.cpp:
* runtime/IntlCollatorConstructor.h:
* runtime/IntlCollatorPrototype.cpp:
* runtime/IntlCollatorPrototype.h:
* runtime/IntlDateTimeFormat.cpp:
* runtime/IntlDateTimeFormat.h:
* runtime/IntlDateTimeFormatConstructor.cpp:
* runtime/IntlDateTimeFormatConstructor.h:
* runtime/IntlDateTimeFormatPrototype.cpp:
* runtime/IntlDateTimeFormatPrototype.h:
* runtime/IntlNumberFormat.cpp:
* runtime/IntlNumberFormat.h:
* runtime/IntlNumberFormatConstructor.cpp:
* runtime/IntlNumberFormatConstructor.h:
* runtime/IntlNumberFormatPrototype.cpp:
* runtime/IntlNumberFormatPrototype.h:
* runtime/IntlObject.cpp:
* runtime/IntlObject.h:
* runtime/IntlPluralRules.cpp:
* runtime/IntlPluralRules.h:
* runtime/IntlPluralRulesConstructor.cpp:
* runtime/IntlPluralRulesConstructor.h:
* runtime/IntlPluralRulesPrototype.cpp:
* runtime/IntlPluralRulesPrototype.h:
2018-05-06 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove "using namespace std;" from JSC, bmalloc, WTF
https://bugs.webkit.org/show_bug.cgi?id=185362
Reviewed by Sam Weinig.
"namespace std" may include many names. It can conflict with names defined by our code,
and the other platform provided headers. For example, std::byte conflicts with Windows'
::byte.
This patch removes "using namespace std;" from JSC and bmalloc.
* API/JSClassRef.cpp:
(OpaqueJSClass::create):
* bytecode/Opcode.cpp:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::newRegister):
* heap/Heap.cpp:
(JSC::Heap::updateAllocationLimits):
* interpreter/Interpreter.cpp:
* jit/JIT.cpp:
* parser/Parser.cpp:
* runtime/JSArray.cpp:
* runtime/JSLexicalEnvironment.cpp:
* runtime/JSModuleEnvironment.cpp:
* runtime/Structure.cpp:
* shell/DLLLauncherMain.cpp:
(getStringValue):
(applePathFromRegistry):
(appleApplicationSupportDirectory):
(copyEnvironmentVariable):
(prependPath):
(fatalError):
(directoryExists):
(modifyPath):
(getLastErrorString):
(wWinMain):
2018-05-05 Filip Pizlo <fpizlo@apple.com>
DFG CFA phase should only do clobber asserts in debug
https://bugs.webkit.org/show_bug.cgi?id=185354
Reviewed by Saam Barati.
Clobber asserts are responsible for 1% of compile time. That's too much. This disables them
unless asserts are enabled.
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
2018-05-04 Keith Miller <keith_miller@apple.com>
isCacheableArrayLength should return true for undecided arrays
https://bugs.webkit.org/show_bug.cgi?id=185309
Reviewed by Michael Saboff.
Undecided arrays have butterflies so there is no reason why we
should not be able to cache their length.
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::isCacheableArrayLength):
2018-05-03 Yusuke Suzuki <utatane.tea@gmail.com>
Remove std::random_shuffle
https://bugs.webkit.org/show_bug.cgi?id=185292
Reviewed by Darin Adler.
std::random_shuffle is deprecated in C++14 and removed in C++17,
since std::random_shuffle relies on rand and srand.
Use std::shuffle instead.
* jit/BinarySwitch.cpp:
(JSC::RandomNumberGenerator::RandomNumberGenerator):
(JSC::RandomNumberGenerator::operator()):
(JSC::RandomNumberGenerator::min):
(JSC::RandomNumberGenerator::max):
(JSC::BinarySwitch::build):
2018-05-03 Saam Barati <sbarati@apple.com>
Don't prevent CreateThis being folded to NewObject when the structure is poly proto
https://bugs.webkit.org/show_bug.cgi?id=185177
Reviewed by Filip Pizlo.
This patch teaches the DFG/FTL how to constant fold CreateThis with
a known poly proto Structure to NewObject. We do it by emitting a NewObject
followed by a PutByOffset for the prototype value.
We make it so that ObjectAllocationProfile holds the prototype value.
This is sound because JSFunction clears that profile when its 'prototype'
field changes.
This patch also renames underscoreProtoPrivateName to polyProtoName since
that name was nonsensical: it was only used for poly proto.
This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had
regressed that benchmark when I first introduced poly proto.
* builtins/BuiltinNames.cpp:
* builtins/BuiltinNames.h:
(JSC::BuiltinNames::BuiltinNames):
(JSC::BuiltinNames::polyProtoName const):
(JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted.
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::prototype):
(JSC::ObjectAllocationProfile::clear):
(JSC::ObjectAllocationProfile::visitAggregate):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/FunctionRareData.h:
* runtime/Structure.cpp:
(JSC::Structure::create):
2018-05-03 Michael Saboff <msaboff@apple.com>
OSR entry pruning of Program Bytecodes doesn't take into account try/catch
https://bugs.webkit.org/show_bug.cgi?id=185281
Reviewed by Saam Barati.
When we compute bytecode block reachability, we need to take into account blocks
containing try/catch.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
2018-05-03 Dominik Infuehr <dinfuehr@igalia.com>
ARM: Wrong offset for operand rt in disassembler
https://bugs.webkit.org/show_bug.cgi?id=184083
Reviewed by Yusuke Suzuki.
* disassembler/ARMv7/ARMv7DOpcode.h:
(JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
2018-05-03 Dominik Infuehr <dinfuehr@igalia.com>
ARM: Support vstr in disassembler
https://bugs.webkit.org/show_bug.cgi?id=184084
Reviewed by Yusuke Suzuki.
* disassembler/ARMv7/ARMv7DOpcode.cpp:
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted.
* disassembler/ARMv7/ARMv7DOpcode.h:
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted.
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted.
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted.
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted.
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted.
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted.
2018-05-03 Dominik Infuehr <dinfuehr@igalia.com>
Invoke ensureArrayStorage for all arguments
https://bugs.webkit.org/show_bug.cgi?id=185247
Reviewed by Yusuke Suzuki.
ensureArrayStorage was only invoked for first argument in each loop iteration.
* jsc.cpp:
(functionEnsureArrayStorage):
2018-05-03 Filip Pizlo <fpizlo@apple.com>
Make it easy to log compile times for all optimizing tiers
https://bugs.webkit.org/show_bug.cgi?id=185270
Reviewed by Keith Miller.
This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common
helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used
it.
This should help us reduce compile times by telling us where to look. So, far, it looks like
CFA is the worst.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3Common.cpp:
(JSC::B3::shouldMeasurePhaseTiming): Deleted.
* b3/B3Common.h:
* b3/B3TimingScope.cpp: Removed.
* b3/B3TimingScope.h:
(JSC::B3::TimingScope::TimingScope):
* dfg/DFGPhase.h:
(JSC::DFG::runAndLog):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
* tools/CompilerTimingScope.cpp: Added.
(JSC::CompilerTimingScope::CompilerTimingScope):
(JSC::CompilerTimingScope::~CompilerTimingScope):
* tools/CompilerTimingScope.h: Added.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
2018-05-03 Filip Pizlo <fpizlo@apple.com>
Strings should not be allocated in a gigacage
https://bugs.webkit.org/show_bug.cgi?id=185218
Reviewed by Saam Barati.
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::toStringGeneric):
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeToAtomicString const):
(JSC::JSRopeString::resolveRope const):
* runtime/JSString.h:
(JSC::JSString::create):
(JSC::JSString::createHasOtherOwner):
* runtime/VM.h:
(JSC::VM::gigacageAuxiliarySpace):
2018-05-03 Keith Miller <keith_miller@apple.com>
Unreviewed, fix 32-bit profile offset for change in bytecode
length of the get_by_id and get_array_length opcodes.
* llint/LowLevelInterpreter32_64.asm:
2018-05-03 Michael Saboff <msaboff@apple.com>
WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript
https://bugs.webkit.org/show_bug.cgi?id=185231
Reviewed by Saam Barati.
We weren't clearing the scratch register cache when switching back and forth between
allowing scratch register usage. We disallow scratch register usage when we are in
code that will freely allocate and use any register. Such usage can change the
contents of scratch registers. For ARM64, where we cache the contents of scratch
registers to reuse some or all of the contained values, we need to invalidate these
caches. We do this when re-enabling scratch register usage, that is when we transition
from disallow to allow scratch register usage.
Added a new Air regression test.
* assembler/AllowMacroScratchRegisterUsage.h:
(JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage):
* assembler/AllowMacroScratchRegisterUsageIf.h:
(JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
* assembler/DisallowMacroScratchRegisterUsage.h:
(JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage):
* b3/air/testair.cpp:
2018-05-03 Keith Miller <keith_miller@apple.com>
Remove the prototype caching for get_by_id in the LLInt
https://bugs.webkit.org/show_bug.cgi?id=185226
Reviewed by Michael Saboff.
There is no evidence that this is actually a speedup and we keep
getting bugs with it. At this point it seems like we should just
remove this code.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::printGetByIdOp):
(JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeLLIntInlineCaches):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetById):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Options.h:
2018-05-03 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r231197.
The test added with this change crashes on the 32-bit JSC bot.
Reverted changeset:
"Correctly detect string overflow when using the 'Function'
constructor"
https://bugs.webkit.org/show_bug.cgi?id=184883
https://trac.webkit.org/changeset/231197
2018-05-03 Dominik Infuehr <dinfuehr@igalia.com>
Disable usage of fused multiply-add instructions for JSC with compiler flag
https://bugs.webkit.org/show_bug.cgi?id=184909
Reviewed by Yusuke Suzuki.
Adds -ffp-contract as compiler flag for building JSC. This ensures that functions
like parseInt() do not return slightly different results depending on whether the
compiler was able to use fused multiply-add instructions or not.
* CMakeLists.txt:
2018-05-02 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix build failure in ARM, ARMv7 and MIPS
https://bugs.webkit.org/show_bug.cgi?id=185192
compareDouble relies on MacroAssembler::invert function.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::compareDouble):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::compareDouble): Deleted.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::compareDouble): Deleted.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::compareDouble): Deleted.
2018-05-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add MacroAssembler::and16 and store16
https://bugs.webkit.org/show_bug.cgi?id=185188
Reviewed by Mark Lam.
r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations.
This patch adds these methods for ARM.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::and16):
(JSC::MacroAssemblerARM::store16):
2018-05-02 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Unify compare related code in 32bit and 64bit
https://bugs.webkit.org/show_bug.cgi?id=185189
Reviewed by Mark Lam.
This patch unifies some part of compare related code in 32bit and 64bit
to reduce the size of 32bit specific DFG code.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInt32Compare):
(JSC::DFG::SpeculativeJIT::compileDoubleCompare):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
(JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
(JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
2018-05-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64
https://bugs.webkit.org/show_bug.cgi?id=185192
Reviewed by Mark Lam.
Now Object.is starts using compareDouble. So we would like to have
efficient implementation for compareDouble and compareFloat for
major architectures, ARM64, X86, and X86_64.
This patch adds compareDouble and compareFloat implementations for
these architectures. And generic implementation is moved to each
architecture's MacroAssembler implementation.
We also add tests for them in testmasm. To implement this test
easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the
major architectures.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::compareDouble): Deleted.
(JSC::MacroAssembler::compareFloat): Deleted.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::compareDouble):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::compareDouble):
(JSC::MacroAssemblerARM64::compareFloat):
(JSC::MacroAssemblerARM64::loadFloat):
(JSC::MacroAssemblerARM64::floatingPointCompare):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::compareDouble):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::compareDouble):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::loadFloat):
(JSC::MacroAssemblerX86Common::compareDouble):
(JSC::MacroAssemblerX86Common::compareFloat):
(JSC::MacroAssemblerX86Common::floatingPointCompare):
* assembler/X86Assembler.h:
(JSC::X86Assembler::movss_mr):
(JSC::X86Assembler::movss_rm):
* assembler/testmasm.cpp:
(JSC::floatOperands):
(JSC::testCompareFloat):
(JSC::run):
2018-05-02 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix 32bit DFG code
https://bugs.webkit.org/show_bug.cgi?id=185065
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSameValue):
2018-05-02 Filip Pizlo <fpizlo@apple.com>
JSC should know how to cache custom getter accesses on the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=185213
Reviewed by Keith Miller.
This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
2018-05-01 Filip Pizlo <fpizlo@apple.com>
JSC should be able to cache custom setter calls on the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=185174
Reviewed by Saam Barati.
We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty()
condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add
impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead
of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for
custom accessors because it won't find the custom property in the structure.
The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty().
This is a 4x speed-up on assign-custom-setter.js.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::hasAlternateBase const):
(JSC::AccessCase::alternateBase const):
(JSC::AccessCase::generateImpl):
* bytecode/AccessCase.h:
(JSC::AccessCase::alternateBase const): Deleted.
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::hasAlternateBase const):
(JSC::GetterSetterAccessCase::alternateBase const):
* bytecode/GetterSetterAccessCase.h:
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForPrototypePropertyHitCustom):
* bytecode/ObjectPropertyConditionSet.h:
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryCachePutByID):
2018-05-02 Dominik Infuehr <dinfuehr@igalia.com>
[MIPS] Implement and16 and store16 for MacroAssemblerMIPS
https://bugs.webkit.org/show_bug.cgi?id=185195
Reviewed by Mark Lam.
This implements the given function for MIPS, such that it builds again.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::and16):
(JSC::MacroAssemblerMIPS::store16):
2018-05-02 Rick Waldron <waldron.rick@gmail.com>
Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts
https://bugs.webkit.org/show_bug.cgi?id=185043
Reviewed by Filip Pizlo.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionDollarAgentMonotonicNow):
2018-05-02 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Implement and16 and store16 for MacroAssemblerARMv7
https://bugs.webkit.org/show_bug.cgi?id=185196
Reviewed by Mark Lam.
This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::and16):
(JSC::MacroAssemblerARMv7::store16):
2018-05-02 Robin Morisset <rmorisset@apple.com>
emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread
https://bugs.webkit.org/show_bug.cgi?id=183172
Reviewed by Filip Pizlo.
DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength,
but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength.
I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength.
Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating
a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit.
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
2018-05-02 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, stackPointer signature is different from declaration
https://bugs.webkit.org/show_bug.cgi?id=184790
* runtime/MachineContext.h:
(JSC::MachineContext::stackPointer):
2018-05-01 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add SameValue DFG node
https://bugs.webkit.org/show_bug.cgi?id=185065
Reviewed by Saam Barati.
This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node.
And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges
if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics
from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have
implementations for these SameValue nodes.
This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler"
has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function
was broken. This patch fixes issues and move compareDouble to MacroAssemblerX86Common, and remove a
generalized compareDouble for x86 arch to use this specialized efficient version instead. The fixes are
correctly using set32 to zero-extending the result, and setting the initial value of `dest` register
correctly for DoubleEqual and DoubleNotEqualOrUnordered cases.
Added microbenchmark shows performance improvement.
object-is 651.0053+-38.8204 ^ 241.3467+-15.8753 ^ definitely 2.6974x faster
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::compareDouble):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::compareDouble): Deleted.
* assembler/testmasm.cpp:
(JSC::doubleOperands):
(JSC::testCompareDouble):
(JSC::run):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSameValue):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/ObjectConstructor.cpp:
2018-04-30 Filip Pizlo <fpizlo@apple.com>
B3::demoteValues should be able to handle patchpoint terminals
https://bugs.webkit.org/show_bug.cgi?id=185151
Reviewed by Saam Barati.
If we try to demote a patchpoint terminal then prior to this change we would append a Set to
the basic block that the patchpoint terminated. That's wrong because then the terminal is no
longer the last thing in the block.
Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't
really do that because demotion happens as a prerequisite to other transformations.
One solution might have been to make demoteValues insert a basic block whenever it encounters
this problem. But that would break clients that do CFG analysis before demoteValues and use
the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup
also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges,
so it's not bad to introduce that requirement.
So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint
terminal as if it had multiple successors. This means that a patchpoint terminal's successors
will only have it as their predecessor. Then, demoteValues just prepends the Set to the
successors of the patchpoint terminal.
This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added
a unit test in testb3.
* b3/B3BreakCriticalEdges.cpp:
(JSC::B3::breakCriticalEdges):
* b3/B3BreakCriticalEdges.h:
* b3/B3FixSSA.cpp:
(JSC::B3::demoteValues):
(JSC::B3::fixSSA):
* b3/B3FixSSA.h:
* b3/B3Value.cpp:
(JSC::B3::Value::foldIdentity const):
(JSC::B3::Value::performSubstitution):
* b3/B3Value.h:
* b3/testb3.cpp:
(JSC::B3::testDemotePatchpointTerminal):
(JSC::B3::run):
2018-05-01 Robin Morisset <rmorisset@apple.com>
Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
https://bugs.webkit.org/show_bug.cgi?id=184772
<rdar://problem/39146327>
Reviewed by Filip Pizlo.
Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399), where a check was missing.
This patch now makes sure that the check correctly detects if there is an integer overflow.
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountWithAnyIndexingType):
2018-05-01 Robin Morisset <rmorisset@apple.com>
Correctly detect string overflow when using the 'Function' constructor
https://bugs.webkit.org/show_bug.cgi?id=184883
<rdar://problem/36320331>
Reviewed by Filip Pizlo.
The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation.
Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case.
I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened).
In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB.
I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing.
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):
2018-05-01 Robin Morisset <rmorisset@apple.com>
IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u'
https://bugs.webkit.org/show_bug.cgi?id=185162
Reviewed by Filip Pizlo.
* runtime/IntlObject.cpp:
(JSC::removeUnicodeLocaleExtension):
2018-05-01 Dominik Infuehr <dinfuehr@igalia.com>
Add SetCallee as DFG-Operation
https://bugs.webkit.org/show_bug.cgi?id=184582
Reviewed by Filip Pizlo.
For recursive tail calls not only the argument count can change but also the
callee. Add SetCallee to DFG that sets the callee slot in the current call frame.
Also update the callee when optimizing a recursive tail call.
Enable recursive tail call optimization also for closures.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
(JSC::DFG::ByteCodeParser::handleCallVariant):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSetCallee):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
2018-05-01 Oleksandr Skachkov <gskachkov@gmail.com>
WebAssembly: add support for stream APIs - JavaScript API
https://bugs.webkit.org/show_bug.cgi?id=183442
Reviewed by Yusuke Suzuki and JF Bastien.
Add WebAssembly stream API. Current patch only add functions
WebAssembly.compileStreaming and WebAssembly.instantiateStreaming but,
does not add streaming way of the implementation. So in current version it
only wait for load whole module, than start to parse.
* CMakeLists.txt:
* Configurations/FeatureDefines.xcconfig:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinNames.h:
* builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
(compileStreaming):
(instantiateStreaming):
* jsc.cpp:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
* runtime/Options.h:
* runtime/PromiseDeferredTimer.cpp:
(JSC::PromiseDeferredTimer::hasPendingPromise):
(JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
* runtime/PromiseDeferredTimer.h:
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::webAssemblyModuleValidateAsyncInternal):
(JSC::webAssemblyCompileFunc):
(JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync):
(JSC::webAssemblyModuleInstantinateAsyncInternal):
(JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync):
(JSC::webAssemblyCompileStreamingInternal):
(JSC::webAssemblyInstantiateStreamingInternal):
(JSC::WebAssemblyPrototype::create):
(JSC::WebAssemblyPrototype::finishCreation):
* wasm/js/WebAssemblyPrototype.h:
2018-04-30 Saam Barati <sbarati@apple.com>
ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
https://bugs.webkit.org/show_bug.cgi?id=185149
<rdar://problem/39455917>
Reviewed by Filip Pizlo.
The bug was that we were deleting checks that we shouldn't have deleted.
This patch makes a helper inside strength reduction that converts to
a LazyJSConstant while maintaining checks, and switches users of the
node API inside strength reduction to instead call the helper function.
This patch also fixes a potential bug where StringReplace and
StringReplaceRegExp may not preserve all their checks.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):
2018-04-29 Filip Pizlo <fpizlo@apple.com>
LICM shouldn't hoist nodes if hoisted nodes exited in that code block
https://bugs.webkit.org/show_bug.cgi?id=185126
Reviewed by Saam Barati.
This change is just restoring functionality that we've already had for a while. It had been
accidentally broken due to an unrelated CodeBlock refactoring.
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
2018-04-30 Mark Lam <mark.lam@apple.com>
Apply PtrTags to the MetaAllocator and friends.
https://bugs.webkit.org/show_bug.cgi?id=185110
<rdar://problem/39533895>
Reviewed by Saam Barati.
1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
and add a sanity check to verify that allocated code buffers are within those
bounds.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::linkCode):
(JSC::LinkBuffer::allocate):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
(JSC::LinkBuffer::debugAddress):
(JSC::LinkBuffer::code):
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::findPC):
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::findPC):
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
(JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
(JSC::ExecutableAllocator::allocate):
* jit/ExecutableAllocator.h:
(JSC::isJITPC):
(JSC::performJITMemcpy):
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* runtime/JSCPtrTag.h:
* wasm/WasmCallee.cpp:
(JSC::Wasm::Callee::Callee):
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
2018-04-30 Keith Miller <keith_miller@apple.com>
Move the MayBePrototype JSCell header bit to InlineTypeFlags
https://bugs.webkit.org/show_bug.cgi?id=185143
Reviewed by Mark Lam.
* runtime/IndexingType.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::setStructure):
(JSC::JSCell::mayBePrototype const):
(JSC::JSCell::didBecomePrototype):
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::mayBePrototype):
(JSC::TypeInfo::mergeInlineTypeFlags):
2018-04-30 Keith Miller <keith_miller@apple.com>
Remove unneeded exception check from String.fromCharCode
https://bugs.webkit.org/show_bug.cgi?id=185083
Reviewed by Mark Lam.
* runtime/StringConstructor.cpp:
(JSC::stringFromCharCode):
2018-04-30 Keith Miller <keith_miller@apple.com>
Move StructureIsImmortal to out of line flags.
https://bugs.webkit.org/show_bug.cgi?id=185101
Reviewed by Saam Barati.
This will free up a bit in the inline flags where we can move the
isPrototype bit to. This will, in turn, free a bit for use in
implementing copy on write butterflies.
Also, this patch removes an assertion from Structure::typeInfo()
that inadvertently makes the function invalid to call while
cleaning up the vm.
* heap/HeapCellType.cpp:
(JSC::DefaultDestroyFunc::operator() const):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::callDestructor): Deleted.
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::hasStaticPropertyTable):
(JSC::TypeInfo::structureIsImmortal const):
* runtime/Structure.h:
2018-04-30 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove arity fixup check if the number of parameters is 1
https://bugs.webkit.org/show_bug.cgi?id=183984
Reviewed by Mark Lam.
If the number of parameters is one (|this|), we never hit arity fixup check.
We do not need to emit arity fixup check code.
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITCompiler.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
2018-04-30 Yusuke Suzuki <utatane.tea@gmail.com>
Use WordLock instead of std::mutex for Threading
https://bugs.webkit.org/show_bug.cgi?id=185121
Reviewed by Geoffrey Garen.
ThreadGroup starts using WordLock.
* heap/MachineStackMarker.h:
(JSC::MachineThreads::getLock):
2018-04-29 Filip Pizlo <fpizlo@apple.com>
B3 should run tail duplication at the bitter end
https://bugs.webkit.org/show_bug.cgi?id=185123
Reviewed by Geoffrey Garen.
Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral
everywhere else.
The goal of this change is to allow us to run path specialization after switch lowering but
before tail duplication.
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* runtime/Options.h:
2018-04-29 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r231137.
https://bugs.webkit.org/show_bug.cgi?id=185118
It is breaking Test262 language/expressions/multiplication
/order-of-evaluation.js (Requested by caiolima on #webkit).
Reverted changeset:
"[ESNext][BigInt] Implement support for "*" operation"
https://bugs.webkit.org/show_bug.cgi?id=183721
https://trac.webkit.org/changeset/231137
2018-04-28 Saam Barati <sbarati@apple.com>
We don't model regexp effects properly
https://bugs.webkit.org/show_bug.cgi?id=185059
<rdar://problem/39736150>
Reviewed by Filip Pizlo.
RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
the regexp is global.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-04-28 Rick Waldron <waldron.rick@gmail.com>
Token misspelled "tocken" in error message string
https://bugs.webkit.org/show_bug.cgi?id=185030
Reviewed by Saam Barati.
* parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::didFinishParsing):
(JSC::Parser<LexerType>::parseSourceElements):
(JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
(JSC::Parser<LexerType>::parseVariableDeclaration):
(JSC::Parser<LexerType>::parseWhileStatement):
(JSC::Parser<LexerType>::parseVariableDeclarationList):
(JSC::Parser<LexerType>::createBindingPattern):
(JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
(JSC::Parser<LexerType>::parseObjectRestElement):
(JSC::Parser<LexerType>::parseDestructuringPattern):
(JSC::Parser<LexerType>::parseForStatement):
(JSC::Parser<LexerType>::parseBreakStatement):
(JSC::Parser<LexerType>::parseContinueStatement):
(JSC::Parser<LexerType>::parseThrowStatement):
(JSC::Parser<LexerType>::parseWithStatement):
(JSC::Parser<LexerType>::parseSwitchStatement):
(JSC::Parser<LexerType>::parseSwitchClauses):
(JSC::Parser<LexerType>::parseTryStatement):
(JSC::Parser<LexerType>::parseBlockStatement):
(JSC::Parser<LexerType>::parseFormalParameters):
(JSC::Parser<LexerType>::parseFunctionParameters):
(JSC::Parser<LexerType>::parseFunctionInfo):
(JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
(JSC::Parser<LexerType>::parseExpressionStatement):
(JSC::Parser<LexerType>::parseIfStatement):
(JSC::Parser<LexerType>::parseAssignmentExpression):
(JSC::Parser<LexerType>::parseConditionalExpression):
(JSC::Parser<LexerType>::parseBinaryExpression):
(JSC::Parser<LexerType>::parseObjectLiteral):
(JSC::Parser<LexerType>::parseStrictObjectLiteral):
(JSC::Parser<LexerType>::parseArrayLiteral):
(JSC::Parser<LexerType>::parseArguments):
(JSC::Parser<LexerType>::parseMemberExpression):
(JSC::operatorString):
(JSC::Parser<LexerType>::parseUnaryExpression):
(JSC::Parser<LexerType>::printUnexpectedTokenText):
2018-04-28 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "*" operation
https://bugs.webkit.org/show_bug.cgi?id=183721
Reviewed by Saam Barati.
Added BigInt support into times binary operator into LLInt and on
JITOperations profiledMul and unprofiledMul. We are also replacing all
uses of int to unsigned when there is no negative values for
variables.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::JSBigInt):
(JSC::JSBigInt::allocationSize):
(JSC::JSBigInt::createWithLength):
(JSC::JSBigInt::toString):
(JSC::JSBigInt::multiply):
(JSC::JSBigInt::digitDiv):
(JSC::JSBigInt::internalMultiplyAdd):
(JSC::JSBigInt::multiplyAccumulate):
(JSC::JSBigInt::equals):
(JSC::JSBigInt::absoluteDivSmall):
(JSC::JSBigInt::calculateMaximumCharactersRequired):
(JSC::JSBigInt::toStringGeneric):
(JSC::JSBigInt::rightTrim):
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::digit):
(JSC::JSBigInt::setDigit):
* runtime/JSBigInt.h:
* runtime/Operations.h:
(JSC::jsMul):
2018-04-28 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r231131.
https://bugs.webkit.org/show_bug.cgi?id=185112
It is breaking Debug build due to unchecked exception
(Requested by caiolima on #webkit).
Reverted changeset:
"[ESNext][BigInt] Implement support for "*" operation"
https://bugs.webkit.org/show_bug.cgi?id=183721
https://trac.webkit.org/changeset/231131
2018-04-27 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "*" operation
https://bugs.webkit.org/show_bug.cgi?id=183721
Reviewed by Saam Barati.
Added BigInt support into times binary operator into LLInt and on
JITOperations profiledMul and unprofiledMul. We are also replacing all
uses of int to unsigned when there is no negative values for
variables.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::JSBigInt):
(JSC::JSBigInt::allocationSize):
(JSC::JSBigInt::createWithLength):
(JSC::JSBigInt::toString):
(JSC::JSBigInt::multiply):
(JSC::JSBigInt::digitDiv):
(JSC::JSBigInt::internalMultiplyAdd):
(JSC::JSBigInt::multiplyAccumulate):
(JSC::JSBigInt::equals):
(JSC::JSBigInt::absoluteDivSmall):
(JSC::JSBigInt::calculateMaximumCharactersRequired):
(JSC::JSBigInt::toStringGeneric):
(JSC::JSBigInt::rightTrim):
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::digit):
(JSC::JSBigInt::setDigit):
* runtime/JSBigInt.h:
* runtime/Operations.h:
(JSC::jsMul):
2018-04-27 JF Bastien <jfbastien@apple.com>
Make the first 64 bits of JSString look like a double JSValue
https://bugs.webkit.org/show_bug.cgi?id=185081
Reviewed by Filip Pizlo.
We can be clever about how we lay out JSString so that, were it
reinterpreted as a JSValue, it would look like a double.
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::and16):
* assembler/X86Assembler.h:
(JSC::X86Assembler::andw_mr):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMakeRope):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
* ftl/FTLOutput.h:
(JSC::FTL::Output::store32As8):
(JSC::FTL::Output::store32As16):
* runtime/JSString.h:
(JSC::JSString::JSString):
2018-04-27 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
https://bugs.webkit.org/show_bug.cgi?id=185055
Reviewed by JF Bastien.
This patch is paving the way to emitting jscvt instruction if possible.
To do that, we need to determine jscvt instruction is supported in the
given CPU.
We add a function collectCPUFeatures, which is responsible to collect
CPU features if necessary. In Linux, we can use auxiliary vector to get
the information without parsing /proc/cpuinfo.
Currently, nobody calls this function. It is later called when we emit
jscvt instruction. To make it possible, we also need to add disassembler
support too.
* assembler/AbstractMacroAssembler.h:
* assembler/MacroAssemblerARM64.cpp:
(JSC::MacroAssemblerARM64::collectCPUFeatures):
* assembler/MacroAssemblerARM64.h:
* assembler/MacroAssemblerX86Common.h:
2018-04-26 Filip Pizlo <fpizlo@apple.com>
Also run foldPathConstants before mussing up SSA
https://bugs.webkit.org/show_bug.cgi?id=185069
Reviewed by Saam Barati.
This isn't needed now, but will be once I implement the phase in bug 185060.
This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
be landed separately and measured separately from that phase.
It's probably nice for sanity to have this and reduceStrength run before tail duplication and
another round of reduceStrength, since that make for something that is closer to a fixpoint. But
it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
neutral. It all depends on what programs typically look like.
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
2018-04-27 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r231086.
Caused JSC test failures due to an unchecked exception.
Reverted changeset:
"[ESNext][BigInt] Implement support for "*" operation"
https://bugs.webkit.org/show_bug.cgi?id=183721
https://trac.webkit.org/changeset/231086
2018-04-26 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement support for "*" operation
https://bugs.webkit.org/show_bug.cgi?id=183721
Reviewed by Saam Barati.
Added BigInt support into times binary operator into LLInt and on
JITOperations profiledMul and unprofiledMul. We are also replacing all
uses of int to unsigned when there is no negative values for
variables.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* jit/JITOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::JSBigInt):
(JSC::JSBigInt::allocationSize):
(JSC::JSBigInt::createWithLength):
(JSC::JSBigInt::toString):
(JSC::JSBigInt::multiply):
(JSC::JSBigInt::digitDiv):
(JSC::JSBigInt::internalMultiplyAdd):
(JSC::JSBigInt::multiplyAccumulate):
(JSC::JSBigInt::equals):
(JSC::JSBigInt::absoluteDivSmall):
(JSC::JSBigInt::calculateMaximumCharactersRequired):
(JSC::JSBigInt::toStringGeneric):
(JSC::JSBigInt::rightTrim):
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::digit):
(JSC::JSBigInt::setDigit):
* runtime/JSBigInt.h:
* runtime/Operations.h:
(JSC::jsMul):
2018-04-26 Mark Lam <mark.lam@apple.com>
Gardening: Speculative build fix for Windows.
https://bugs.webkit.org/show_bug.cgi?id=184976
<rdar://problem/39723901>
Not reviewed.
* runtime/JSCPtrTag.h:
2018-04-26 Mark Lam <mark.lam@apple.com>
Gardening: Windows build fix.
Not reviewed.
* runtime/Options.cpp:
2018-04-26 Jer Noble <jer.noble@apple.com>
WK_COCOA_TOUCH all the things.
https://bugs.webkit.org/show_bug.cgi?id=185006
<rdar://problem/39736025>
Reviewed by Tim Horton.
* Configurations/Base.xcconfig:
2018-04-26 Per Arne Vollan <pvollan@apple.com>
Disable content filtering in minimal simulator mode
https://bugs.webkit.org/show_bug.cgi?id=185027
<rdar://problem/39736091>
Reviewed by Jer Noble.
* Configurations/FeatureDefines.xcconfig:
2018-04-26 Andy VanWagoner <thetalecrafter@gmail.com>
[INTL] Implement Intl.PluralRules
https://bugs.webkit.org/show_bug.cgi?id=184312
Reviewed by JF Bastien.
Use UNumberFormat to enforce formatting, and then UPluralRules to find
the correct plural rule for the given number. Relies on ICU v59+ for
resolvedOptions().pluralCategories and trailing 0 detection.
Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.
* CMakeLists.txt:
* Configurations/FeatureDefines.xcconfig:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* builtins/BuiltinNames.h:
* runtime/BigIntObject.cpp:
(JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
* runtime/BigIntObject.h:
* runtime/CommonIdentifiers.h:
* runtime/IntlObject.cpp:
(JSC::IntlObject::finishCreation):
* runtime/IntlObject.h:
* runtime/IntlPluralRules.cpp: Added.
(JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
(JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
(JSC::UEnumerationDeleter::operator() const):
(JSC::IntlPluralRules::create):
(JSC::IntlPluralRules::createStructure):
(JSC::IntlPluralRules::IntlPluralRules):
(JSC::IntlPluralRules::finishCreation):
(JSC::IntlPluralRules::destroy):
(JSC::IntlPluralRules::visitChildren):
(JSC::IntlPRInternal::localeData):
(JSC::IntlPluralRules::initializePluralRules):
(JSC::IntlPluralRules::resolvedOptions):
(JSC::IntlPluralRules::select):
* runtime/IntlPluralRules.h: Added.
* runtime/IntlPluralRulesConstructor.cpp: Added.
(JSC::IntlPluralRulesConstructor::create):
(JSC::IntlPluralRulesConstructor::createStructure):
(JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
(JSC::IntlPluralRulesConstructor::finishCreation):
(JSC::constructIntlPluralRules):
(JSC::callIntlPluralRules):
(JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
(JSC::IntlPluralRulesConstructor::visitChildren):
* runtime/IntlPluralRulesConstructor.h: Added.
* runtime/IntlPluralRulesPrototype.cpp: Added.
(JSC::IntlPluralRulesPrototype::create):
(JSC::IntlPluralRulesPrototype::createStructure):
(JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
(JSC::IntlPluralRulesPrototype::finishCreation):
(JSC::IntlPluralRulesPrototypeFuncSelect):
(JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
* runtime/IntlPluralRulesPrototype.h: Added.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
* runtime/JSGlobalObject.h:
* runtime/Options.h:
* runtime/RegExpPrototype.cpp: Added inlines header.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-04-26 Dominik Infuehr <dinfuehr@igalia.com>
[MIPS] Fix branch offsets in branchNeg32
https://bugs.webkit.org/show_bug.cgi?id=185025
Reviewed by Yusuke Suzuki.
Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchNeg32):
2018-04-25 Robin Morisset <rmorisset@apple.com>
In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
https://bugs.webkit.org/show_bug.cgi?id=184773
<rdar://problem/37773612>
Reviewed by Filip Pizlo.
We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2018-04-25 Mark Lam <mark.lam@apple.com>
Push the definition of PtrTag down to the WTF layer.
https://bugs.webkit.org/show_bug.cgi?id=184976
<rdar://problem/39723901>
Reviewed by Saam Barati.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/ARM64Assembler.h:
* assembler/AbstractMacroAssembler.h:
* assembler/MacroAssemblerCodeRef.cpp:
* assembler/MacroAssemblerCodeRef.h:
* b3/B3MathExtras.cpp:
* bytecode/LLIntCallLinkInfo.h:
* disassembler/Disassembler.h:
* ftl/FTLJITCode.cpp:
* interpreter/InterpreterInlines.h:
* jit/ExecutableAllocator.h:
* jit/JITOperations.cpp:
* jit/ThunkGenerator.h:
* jit/ThunkGenerators.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntPCRanges.h:
* runtime/JSCPtrTag.h: Added.
* runtime/NativeFunction.h:
* runtime/PtrTag.h: Removed.
* runtime/VMTraps.cpp:
2018-04-25 Keith Miller <keith_miller@apple.com>
getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
https://bugs.webkit.org/show_bug.cgi?id=184998
Reviewed by Saam Barati.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
2018-04-25 Keith Miller <keith_miller@apple.com>
Add missing scope release to functionProtoFuncToString
https://bugs.webkit.org/show_bug.cgi?id=184995
Reviewed by Saam Barati.
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
2018-04-25 Yusuke Suzuki <utatane.tea@gmail.com>
REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
https://bugs.webkit.org/show_bug.cgi?id=184730
Reviewed by Mark Lam.
Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.
We also change swap(RegisterID, RegisterID) implementation to use moves and temporaries simply. This is aligned to
ARMv7 implementation.
* assembler/ARMAssembler.h:
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::add32):
(JSC::MacroAssemblerARM::and32):
(JSC::MacroAssemblerARM::lshift32):
(JSC::MacroAssemblerARM::mul32):
(JSC::MacroAssemblerARM::or32):
(JSC::MacroAssemblerARM::rshift32):
(JSC::MacroAssemblerARM::urshift32):
(JSC::MacroAssemblerARM::sub32):
(JSC::MacroAssemblerARM::xor32):
(JSC::MacroAssemblerARM::load8):
(JSC::MacroAssemblerARM::abortWithReason):
(JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
(JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
(JSC::MacroAssemblerARM::store8):
(JSC::MacroAssemblerARM::store32):
(JSC::MacroAssemblerARM::push):
(JSC::MacroAssemblerARM::swap):
(JSC::MacroAssemblerARM::branch8):
(JSC::MacroAssemblerARM::branchPtr):
(JSC::MacroAssemblerARM::branch32):
(JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
(JSC::MacroAssemblerARM::branchTest8):
(JSC::MacroAssemblerARM::branchTest32):
(JSC::MacroAssemblerARM::jump):
(JSC::MacroAssemblerARM::branchAdd32):
(JSC::MacroAssemblerARM::mull32):
(JSC::MacroAssemblerARM::branchMul32):
(JSC::MacroAssemblerARM::patchableBranch32):
(JSC::MacroAssemblerARM::nearCall):
(JSC::MacroAssemblerARM::compare32):
(JSC::MacroAssemblerARM::compare8):
(JSC::MacroAssemblerARM::test32):
(JSC::MacroAssemblerARM::test8):
(JSC::MacroAssemblerARM::add64):
(JSC::MacroAssemblerARM::load32):
(JSC::MacroAssemblerARM::call):
(JSC::MacroAssemblerARM::branchPtrWithPatch):
(JSC::MacroAssemblerARM::branch32WithPatch):
(JSC::MacroAssemblerARM::storePtrWithPatch):
(JSC::MacroAssemblerARM::loadDouble):
(JSC::MacroAssemblerARM::storeDouble):
(JSC::MacroAssemblerARM::addDouble):
(JSC::MacroAssemblerARM::divDouble):
(JSC::MacroAssemblerARM::subDouble):
(JSC::MacroAssemblerARM::mulDouble):
(JSC::MacroAssemblerARM::convertInt32ToDouble):
(JSC::MacroAssemblerARM::branchDouble):
(JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
(JSC::MacroAssemblerARM::truncateDoubleToInt32):
(JSC::MacroAssemblerARM::truncateDoubleToUint32):
(JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
(JSC::MacroAssemblerARM::branchDoubleNonZero):
(JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
(JSC::MacroAssemblerARM::call32):
(JSC::MacroAssemblerARM::internalCompare32):
2018-04-25 Ross Kirsling <ross.kirsling@sony.com>
[WinCairo] Fix js/regexp-unicode.html crash.
https://bugs.webkit.org/show_bug.cgi?id=184891
Reviewed by Yusuke Suzuki.
On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
Unconditionally save and restore RDI on 64-bit Windows.
2018-04-25 Michael Catanzaro <mcatanzaro@igalia.com>
[GTK] Miscellaneous build cleanups
https://bugs.webkit.org/show_bug.cgi?id=184399
Reviewed by Žan Doberšek.
* PlatformGTK.cmake:
2018-04-24 Keith Miller <keith_miller@apple.com>
fromCharCode is missing some exception checks
https://bugs.webkit.org/show_bug.cgi?id=184952
Reviewed by Saam Barati.
I also removed the pointless slow path function and moved it into the
main function.
* runtime/StringConstructor.cpp:
(JSC::stringFromCharCode):
(JSC::stringFromCharCodeSlowCase): Deleted.
2018-04-24 Filip Pizlo <fpizlo@apple.com>
MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
https://bugs.webkit.org/show_bug.cgi?id=184923
Reviewed by Saam Barati.
If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
(i.e. we know that the object has one of those structures), then previously we would still emit a
switch with a case per structure along with a default case. That would mean one extra redundant
branch to check that whatever structure we wound up with belongs to the set. In that case, we
were already making the default case be an Oops.
One possible solution would be to say that the default case being Oops means that B3 doesn't need
to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
seem to allow this, I don't particularly like that style of optimization. I like Oops to mean
trap.
So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the
extra branch.
This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to
read.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):
2018-04-24 Filip Pizlo <fpizlo@apple.com>
DFG CSE should know how to decay a MultiGetByOffset
https://bugs.webkit.org/show_bug.cgi?id=159859
Reviewed by Keith Miller.
This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
clobberize() can report a def() for MultiGetByOffset.
This is a slight improvement to codegen in splay because splay is a heavy user of
MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
"splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
removing MultiXByOffset-related redundancies, which by my estimates account for 16% of
splay's time.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::remove):
(JSC::DFG::Node::removeWithoutChecks):
(JSC::DFG::Node::replaceWith):
(JSC::DFG::Node::replaceWithWithoutChecks):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToMultiGetByOffset):
(JSC::DFG::Node::replaceWith): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
2018-04-24 Keith Miller <keith_miller@apple.com>
Update API docs with information on which run loop the VM will use
https://bugs.webkit.org/show_bug.cgi?id=184900
<rdar://problem/39166054>
Reviewed by Mark Lam.
* API/JSContextRef.h:
* API/JSVirtualMachine.h:
2018-04-24 Filip Pizlo <fpizlo@apple.com>
$vm.totalGCTime() should be a thing
https://bugs.webkit.org/show_bug.cgi?id=184916
Reviewed by Sam Weinig.
When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
time spent in GC to determine if the regression is because the GC got slower.
This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.
* heap/Heap.cpp:
(JSC::Heap::runEndPhase):
* heap/Heap.h:
(JSC::Heap::totalGCTime const):
* tools/JSDollarVM.cpp:
(JSC::functionTotalGCTime):
(JSC::JSDollarVM::finishCreation):
2018-04-23 Zalan Bujtas <zalan@apple.com>
[LayoutFormattingContext] Initial commit.
https://bugs.webkit.org/show_bug.cgi?id=184896
Reviewed by Antti Koivisto.
* Configurations/FeatureDefines.xcconfig:
2018-04-23 Filip Pizlo <fpizlo@apple.com>
Unreviewed, revert accidental change to verbose flag.
* dfg/DFGByteCodeParser.cpp:
2018-04-23 Filip Pizlo <fpizlo@apple.com>
Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.
Rubber stamped by Saam Barati.
This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
Seems sensible to just roll it out.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parse):
2018-04-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove ModuleLoaderPrototype
https://bugs.webkit.org/show_bug.cgi?id=184784
Reviewed by Mark Lam.
When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::proxyRevokeStructure const):
(JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
* runtime/JSModuleLoader.cpp:
(JSC::moduleLoaderParseModule):
(JSC::moduleLoaderRequestedModules):
(JSC::moduleLoaderModuleDeclarationInstantiation):
(JSC::moduleLoaderResolve):
(JSC::moduleLoaderResolveSync):
(JSC::moduleLoaderFetch):
(JSC::moduleLoaderGetModuleNamespaceObject):
(JSC::moduleLoaderEvaluate):
* runtime/JSModuleLoader.h:
* runtime/ModuleLoaderPrototype.cpp: Removed.
* runtime/ModuleLoaderPrototype.h: Removed.
2018-04-20 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] All API tests fail in debug builds
https://bugs.webkit.org/show_bug.cgi?id=184813
Reviewed by Mark Lam.
This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.
* API/glib/JSCContext.cpp:
(JSCContextExceptionHandler::JSCContextExceptionHandler):
(JSCContextExceptionHandler::~JSCContextExceptionHandler):
(jscContextConstructed):
(ExceptionHandler::ExceptionHandler): Deleted.
(ExceptionHandler::~ExceptionHandler): Deleted.
2018-04-20 Tim Horton <timothy_horton@apple.com>
Adjust geolocation feature flag
https://bugs.webkit.org/show_bug.cgi?id=184856
Reviewed by Wenson Hsieh.
* Configurations/FeatureDefines.xcconfig:
2018-04-20 Brian Burg <bburg@apple.com>
Web Inspector: remove some dead code in IdentifiersFactory
https://bugs.webkit.org/show_bug.cgi?id=184839
Reviewed by Timothy Hatcher.
This was never used on non-Chrome ports, so the identifier always has a
prefix of '0.'. We may change this in the future, but for now remove this.
Using a PID for this purpose is problematic anyway.
* inspector/IdentifiersFactory.cpp:
(Inspector::addPrefixToIdentifier):
(Inspector::IdentifiersFactory::createIdentifier):
(Inspector::IdentifiersFactory::requestId):
(Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
* inspector/IdentifiersFactory.h:
2018-04-20 Mark Lam <mark.lam@apple.com>
Add the ability to use a hash for setting PtrTag enum values.
https://bugs.webkit.org/show_bug.cgi?id=184852
<rdar://problem/39613891>
Reviewed by Saam Barati.
* runtime/PtrTag.h:
2018-04-20 Mark Lam <mark.lam@apple.com>
Some JSEntryPtrTags should actually be JSInternalPtrTags.
https://bugs.webkit.org/show_bug.cgi?id=184712
<rdar://problem/39507381>
Reviewed by Michael Saboff.
1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them
only when needed.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ByValInfo.h:
(JSC::ByValInfo::ByValInfo):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::callReturnLocation):
(JSC::CallLinkInfo::patchableJump):
(JSC::CallLinkInfo::hotPathBegin):
(JSC::CallLinkInfo::slowPathStart):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::setCallLocations):
(JSC::CallLinkInfo::hotPathOther):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::doneLocation):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::initialize):
* ftl/FTLLazySlowPath.h:
(JSC::FTL::LazySlowPath::done const):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::getCodePtr):
(JSC::LLInt::getExecutableAddress): Deleted.
* llint/LLIntExceptions.cpp:
(JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2018-04-18 Jer Noble <jer.noble@apple.com>
Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
https://bugs.webkit.org/show_bug.cgi?id=184762
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-04-20 Daniel Bates <dabates@apple.com>
Remove code for compilers that did not support NSDMI for aggregates
https://bugs.webkit.org/show_bug.cgi?id=184599
Reviewed by Per Arne Vollan.
Remove workaround for earlier Visual Studio versions that did not support non-static data
member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
and EWS bots to a newer version that supports this feature.
* domjit/DOMJITEffect.h:
(JSC::DOMJIT::Effect::Effect): Deleted.
* runtime/HasOwnPropertyCache.h:
(JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
* wasm/WasmFormat.h:
(JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
2018-04-20 Mark Lam <mark.lam@apple.com>
Build fix for internal builds after r230826.
https://bugs.webkit.org/show_bug.cgi?id=184790
<rdar://problem/39301369>
Not reviewed.
* runtime/Options.cpp:
(JSC::overrideDefaults):
* tools/SigillCrashAnalyzer.cpp:
(JSC::SignalContext::dump):
2018-04-19 Tadeu Zagallo <tzagallo@apple.com>
REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
https://bugs.webkit.org/show_bug.cgi?id=184254
<rdar://problem/39140200>
Reviewed by Daniel Bates.
Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
* runtime/ArrayBuffer.h:
(JSC::ArrayBufferContents::ArrayBufferContents):
2018-04-19 Mark Lam <mark.lam@apple.com>
Apply pointer profiling to Signal pointers.
https://bugs.webkit.org/show_bug.cgi?id=184790
<rdar://problem/39301369>
Reviewed by Michael Saboff.
1. Change stackPointer, framePointer, and instructionPointer accessors to
be a pair of getter/setter functions.
2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of a
a pointer profiling variants of these accessors.
3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
* JavaScriptCorePrefix.h:
* runtime/MachineContext.h:
(JSC::MachineContext::stackPointerImpl):
(JSC::MachineContext::stackPointer):
(JSC::MachineContext::setStackPointer):
(JSC::MachineContext::framePointerImpl):
(JSC::MachineContext::framePointer):
(JSC::MachineContext::setFramePointer):
(JSC::MachineContext::instructionPointerImpl):
(JSC::MachineContext::instructionPointer):
(JSC::MachineContext::setInstructionPointer):
(JSC::MachineContext::linkRegisterImpl):
(JSC::MachineContext::linkRegister):
(JSC::MachineContext::setLinkRegister):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
* runtime/VMTraps.cpp:
(JSC::SignalContext::SignalContext):
(JSC::VMTraps::tryInstallTrapBreakpoints):
* tools/CodeProfiling.cpp:
(JSC::profilingTimer):
* tools/SigillCrashAnalyzer.cpp:
(JSC::SignalContext::dump):
(JSC::installCrashHandler):
(JSC::SigillCrashAnalyzer::analyze):
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
2018-04-19 David Kilzer <ddkilzer@apple.com>
Enable Objective-C weak references
<https://webkit.org/b/184789>
<rdar://problem/39571716>
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
(CLANG_ENABLE_OBJC_WEAK): Enable.
* Configurations/ToolExecutable.xcconfig:
(CLANG_ENABLE_OBJC_ARC): Simplify.
2018-04-17 Filip Pizlo <fpizlo@apple.com>
The InternalFunction hierarchy should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=184721
Reviewed by Saam Barati.
This moves InternalFunction into a IsoSubspace. It also moves all subclasses into IsoSubspaces,
but subclasses that are the same size as InternalFunction share its subspace. I did this
because the subclasses appear to just override methods, which are called dynamically via the
structure or class of the object. So, I don't see a type confusion risk if UAF is used to
allocate one kind of InternalFunction over another.
* API/JSBase.h:
* API/JSCallbackFunction.h:
* API/ObjCCallbackFunction.h:
(JSC::ObjCCallbackFunction::subspaceFor):
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/IsoSubspacePerVM.cpp: Added.
(JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
(JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
(JSC::IsoSubspacePerVM::IsoSubspacePerVM):
(JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
(JSC::IsoSubspacePerVM::forVM):
* heap/IsoSubspacePerVM.h: Added.
(JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
* runtime/Error.h:
* runtime/ErrorConstructor.h:
* runtime/InternalFunction.h:
(JSC::InternalFunction::subspaceFor):
* runtime/IntlCollatorConstructor.h:
* runtime/IntlDateTimeFormatConstructor.h:
* runtime/IntlNumberFormatConstructor.h:
* runtime/JSArrayBufferConstructor.h:
* runtime/NativeErrorConstructor.h:
* runtime/ProxyRevoke.h:
* runtime/RegExpConstructor.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-04-19 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, Fix jsc shell
https://bugs.webkit.org/show_bug.cgi?id=184600
WebAssembly module loading does not finish with drainMicrotasks().
So JSNativeStdFunction's capturing variables become invalid.
This patch fixes this issue.
* jsc.cpp:
(functionDollarAgentStart):
(runWithOptions):
(runJSC):
(jscmain):
2018-04-18 Ross Kirsling <ross.kirsling@sony.com>
REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
https://bugs.webkit.org/show_bug.cgi?id=184725
Reviewed by Mark Lam.
* jit/JIT.h:
2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
[WebAssembly][Modules] Import tables in wasm modules
https://bugs.webkit.org/show_bug.cgi?id=184738
Reviewed by JF Bastien.
This patch simply allows wasm modules to import table from wasm modules / js re-exporting.
Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
just works.
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
2018-04-18 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Fix build error and crash after PtrTag change
https://bugs.webkit.org/show_bug.cgi?id=184732
Reviewed by Mark Lam.
Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
twice with ARM-Thumb2.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
[WebAssembly][Modules] Import globals from wasm modules
https://bugs.webkit.org/show_bug.cgi?id=184736
Reviewed by JF Bastien.
This patch implements a feature importing globals to/from wasm modules.
Since we are not supporting mutable globals now, we can just copy the
global data when importing. Currently we do not support importing/exporting
i64 globals. This will be supported once (1) mutable global bindings are
specified and (2) BigInt based i64 importing/exporting is specified.
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
2018-04-18 Tomas Popela <tpopela@redhat.com>
Unreviewed, fix build on ARM
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::readCallTarget):
2018-04-18 Tomas Popela <tpopela@redhat.com>
Unreviewed, fix build with GCC
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::finalizeCodeWithDisassembly):
2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, reland r230697, r230720, and r230724.
https://bugs.webkit.org/show_bug.cgi?id=184600
With CatchScope check.
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/ModuleLoaderPrototype.js:
(globalPrivate.newRegistryEntry):
(requestInstantiate):
(link):
* jsc.cpp:
(convertShebangToJSComment):
(fillBufferWithContentsOfFile):
(fetchModuleFromLocalFileSystem):
(GlobalObject::moduleLoaderFetch):
(functionDollarAgentStart):
(checkException):
(runWithOptions):
* parser/NodesAnalyzeModule.cpp:
(JSC::ImportDeclarationNode::analyzeModule):
* parser/SourceProvider.h:
(JSC::WebAssemblySourceProvider::create):
(JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::hostResolveImportedModule):
(JSC::AbstractModuleRecord::resolveImport):
(JSC::AbstractModuleRecord::link):
(JSC::AbstractModuleRecord::evaluate):
(JSC::identifierToJSValue): Deleted.
* runtime/AbstractModuleRecord.h:
(JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
(JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::evaluate):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::link):
(JSC::JSModuleRecord::instantiateDeclarations):
* runtime/JSModuleRecord.h:
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
(JSC::moduleLoaderPrototypeRequestedModules):
(JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
* wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
(JSC::createSourceBufferFromValue):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
(JSC::JSWebAssemblyInstance::createPrivateModuleKey):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::prepareLink):
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::resolve):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::WebAssemblyPrototype::instantiate):
(JSC::webAssemblyInstantiateFunc):
(JSC::webAssemblyValidateFunc):
* wasm/js/WebAssemblyPrototype.h:
2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Make it possible to handle JSCClass external properties not added to the prototype
https://bugs.webkit.org/show_bug.cgi?id=184687
Reviewed by Michael Catanzaro.
Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implmentations for
JSClassDefinition. This is required to implement dynamic properties that can't be added with
jsc_class_add_property() for example to implement something like imports object in seed/gjs.
* API/glib/JSCClass.cpp:
(VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
can throw exceptions.
(VTableExceptionHandler::~VTableExceptionHandler):
(getProperty): Iterate the class chain to call get_property function.
(setProperty): Iterate the class chain to call set_property function.
(hasProperty): Iterate the class chain to call has_property function.
(deleteProperty): Iterate the class chain to call delete_property function.
(getPropertyNames): Iterate the class chain to call enumerate_properties function.
(jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
jscClassCreate now.
(jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
* API/glib/JSCClass.h:
* API/glib/JSCClassPrivate.h:
* API/glib/JSCContext.cpp:
(jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
(jsc_context_register_class): Add JSCClassVTable parameter.
* API/glib/JSCContext.h:
* API/glib/JSCContextPrivate.h:
* API/glib/JSCWrapperMap.cpp:
(JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
* API/glib/JSCWrapperMap.h:
* API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
2018-04-17 Mark Lam <mark.lam@apple.com>
Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
https://bugs.webkit.org/show_bug.cgi?id=184702
<rdar://problem/35391681>
Reviewed by Filip Pizlo and Saam Barati.
1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
to take a PtrTag template argument.
2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
(JSC::AbstractMacroAssembler::linkJump):
(JSC::AbstractMacroAssembler::linkPointer):
(JSC::AbstractMacroAssembler::getLinkerAddress):
(JSC::AbstractMacroAssembler::repatchJump):
(JSC::AbstractMacroAssembler::repatchJumpToNop):
(JSC::AbstractMacroAssembler::repatchNearCall):
(JSC::AbstractMacroAssembler::repatchCompact):
(JSC::AbstractMacroAssembler::repatchInt32):
(JSC::AbstractMacroAssembler::repatchPointer):
(JSC::AbstractMacroAssembler::readPointer):
(JSC::AbstractMacroAssembler::replaceWithLoad):
(JSC::AbstractMacroAssembler::replaceWithAddressComputation):
* assembler/CodeLocation.h:
(JSC::CodeLocationCommon:: const):
(JSC::CodeLocationCommon::CodeLocationCommon):
(JSC::CodeLocationInstruction::CodeLocationInstruction):
(JSC::CodeLocationLabel::CodeLocationLabel):
(JSC::CodeLocationLabel::retagged):
(JSC::CodeLocationLabel:: const):
(JSC::CodeLocationJump::CodeLocationJump):
(JSC::CodeLocationJump::retagged):
(JSC::CodeLocationCall::CodeLocationCall):
(JSC::CodeLocationCall::retagged):
(JSC::CodeLocationNearCall::CodeLocationNearCall):
(JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
(JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
(JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
(JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
(JSC::CodeLocationCommon<tag>::instructionAtOffset):
(JSC::CodeLocationCommon<tag>::labelAtOffset):
(JSC::CodeLocationCommon<tag>::jumpAtOffset):
(JSC::CodeLocationCommon<tag>::callAtOffset):
(JSC::CodeLocationCommon<tag>::nearCallAtOffset):
(JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
(JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
(JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
(JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
(JSC::CodeLocationCommon::instructionAtOffset): Deleted.
(JSC::CodeLocationCommon::labelAtOffset): Deleted.
(JSC::CodeLocationCommon::jumpAtOffset): Deleted.
(JSC::CodeLocationCommon::callAtOffset): Deleted.
(JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
(JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
(JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
(JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
(JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
(JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
(JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
(JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::link):
(JSC::LinkBuffer::patch):
(JSC::LinkBuffer::entrypoint):
(JSC::LinkBuffer::locationOf):
(JSC::LinkBuffer::locationOfNearCall):
(JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
(JSC::LinkBuffer::finalizeCodeWithDisassembly):
(JSC::LinkBuffer::trampolineAt):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::readCallTarget):
(JSC::MacroAssemblerARM::replaceWithJump):
(JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerARM::repatchCall):
(JSC::MacroAssemblerARM::linkCall):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::replaceWithVMHalt):
(JSC::MacroAssemblerARM64::replaceWithJump):
(JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerARM64::repatchCall):
(JSC::MacroAssemblerARM64::linkCall):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::replaceWithJump):
(JSC::MacroAssemblerARMv7::readCallTarget):
(JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerARMv7::repatchCall):
(JSC::MacroAssemblerARMv7::linkCall):
* assembler/MacroAssemblerCodeRef.cpp:
(JSC::MacroAssemblerCodePtrBase::dumpWithName):
(JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
(JSC::MacroAssemblerCodeRefBase::disassembly):
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
(JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
(JSC::MacroAssemblerCodePtr::dump const): Deleted.
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
(JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
(JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
(JSC::MacroAssemblerCodeRef::dump const): Deleted.
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::retagged const):
(JSC::FunctionPtr::retaggedExecutableAddress const):
(JSC::FunctionPtr::operator== const):
(JSC::FunctionPtr::operator!= const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
(JSC::MacroAssemblerCodePtr::retagged const):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodePtr::dumpWithName const):
(JSC::MacroAssemblerCodePtr::dump const):
(JSC::MacroAssemblerCodePtrHash::hash):
(JSC::MacroAssemblerCodePtrHash::equal):
(JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
(JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
(JSC::MacroAssemblerCodeRef::code const):
(JSC::MacroAssemblerCodeRef::retaggedCode const):
(JSC::MacroAssemblerCodeRef::retagged const):
(JSC::MacroAssemblerCodeRef::tryToDisassemble const):
(JSC::MacroAssemblerCodeRef::disassembly const):
(JSC::MacroAssemblerCodeRef::dump const):
(JSC::FunctionPtr<tag>::FunctionPtr):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::readCallTarget):
(JSC::MacroAssemblerMIPS::replaceWithJump):
(JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerMIPS::repatchCall):
(JSC::MacroAssemblerMIPS::linkCall):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::readCallTarget):
(JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerX86::repatchCall):
(JSC::MacroAssemblerX86::linkCall):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::repatchCompact):
(JSC::MacroAssemblerX86Common::replaceWithVMHalt):
(JSC::MacroAssemblerX86Common::replaceWithJump):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::readCallTarget):
(JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
(JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
(JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
(JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
(JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
(JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
(JSC::MacroAssemblerX86_64::repatchCall):
(JSC::MacroAssemblerX86_64::linkCall):
* assembler/testmasm.cpp:
(JSC::compile):
(JSC::invoke):
(JSC::testProbeModifiesProgramCounter):
* b3/B3Compilation.cpp:
(JSC::B3::Compilation::Compilation):
* b3/B3Compilation.h:
(JSC::B3::Compilation::code const):
(JSC::B3::Compilation::codeRef const):
* b3/B3Compile.cpp:
(JSC::B3::compile):
* b3/B3LowerMacros.cpp:
* b3/air/AirDisassembler.cpp:
(JSC::B3::Air::Disassembler::dump):
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::invoke):
(JSC::B3::testInterpreter):
(JSC::B3::testEntrySwitchSimple):
(JSC::B3::testEntrySwitchNoEntrySwitch):
(JSC::B3::testEntrySwitchWithCommonPaths):
(JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
(JSC::B3::testEntrySwitchLoop):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/AccessCaseSnippetParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
* bytecode/ByValInfo.h:
(JSC::ByValInfo::ByValInfo):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::callReturnLocation):
(JSC::CallLinkInfo::patchableJump):
(JSC::CallLinkInfo::hotPathBegin):
(JSC::CallLinkInfo::slowPathStart):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::setCallLocations):
(JSC::CallLinkInfo::hotPathOther):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::dumpInContext const):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::customAccessorGetter const):
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::create):
(JSC::GetterSetterAccessCase::GetterSetterAccessCase):
(JSC::GetterSetterAccessCase::dumpImpl const):
* bytecode/GetterSetterAccessCase.h:
(JSC::GetterSetterAccessCase::customAccessor const):
(): Deleted.
* bytecode/HandlerInfo.h:
(JSC::HandlerInfo::initialize):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/InlineAccess.h:
* bytecode/JumpTable.h:
(JSC::StringJumpTable::ctiForValue):
(JSC::SimpleJumpTable::ctiForValue):
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
(JSC::AccessGenerationResult::AccessGenerationResult):
(JSC::AccessGenerationResult::code const):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::slowPathCallLocation):
(JSC::StructureStubInfo::doneLocation):
(JSC::StructureStubInfo::slowPathStartLocation):
(JSC::StructureStubInfo::patchableJumpForIn):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::appendCatchEntrypoint):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::dumpDisassembly):
* dfg/DFGDriver.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::noticeCatchEntrypoint):
* dfg/DFGJITCompiler.h:
(JSC::DFG::CallLinkRecord::CallLinkRecord):
(JSC::DFG::JITCompiler::appendCall):
(JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
(JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
(JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::JITFinalizer):
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGJITFinalizer.h:
* dfg/DFGJumpReplacement.h:
(JSC::DFG::JumpReplacement::JumpReplacement):
* dfg/DFGNode.h:
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
(JSC::DFG::prepareCatchOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::OSRExit::codeLocationForRepatch const):
(JSC::DFG::OSRExit::emitRestoreArguments):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::osrWriteBarrier):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
(JSC::DFG::slowPathCall):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMathIC):
(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::appendCall):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* dfg/DFGThunks.h:
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble):
* disassembler/ARMv7Disassembler.cpp:
(JSC::tryToDisassemble):
* disassembler/Disassembler.cpp:
(JSC::disassemble):
(JSC::disassembleAsynchronously):
* disassembler/Disassembler.h:
(JSC::tryToDisassemble):
* disassembler/UDis86Disassembler.cpp:
(JSC::tryToDisassembleWithUDis86):
* disassembler/UDis86Disassembler.h:
(JSC::tryToDisassembleWithUDis86):
* disassembler/X86Disassembler.cpp:
(JSC::tryToDisassemble):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLExceptionTarget.cpp:
(JSC::FTL::ExceptionTarget::label):
(JSC::FTL::ExceptionTarget::jumps):
* ftl/FTLExceptionTarget.h:
* ftl/FTLGeneratedFunction.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::initializeB3Code):
(JSC::FTL::JITCode::initializeAddressForCall):
(JSC::FTL::JITCode::initializeArityCheckEntrypoint):
(JSC::FTL::JITCode::addressForCall):
(JSC::FTL::JITCode::executableAddressAtOffset):
* ftl/FTLJITCode.h:
(JSC::FTL::JITCode::b3Code const):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::initialize):
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLazySlowPath.h:
(JSC::FTL::LazySlowPath::patchableJump const):
(JSC::FTL::LazySlowPath::done const):
(JSC::FTL::LazySlowPath::stub const):
* ftl/FTLLazySlowPathCall.h:
(JSC::FTL::createLazyCallGenerator):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch const):
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOSRExitHandle.cpp:
(JSC::FTL::OSRExitHandle::emitExitThunk):
* ftl/FTLOperations.cpp:
(JSC::FTL::compileFTLLazySlowPath):
* ftl/FTLPatchpointExceptionHandle.cpp:
(JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::keyWithTarget const):
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLSlowPathCall.h:
(JSC::FTL::callOperation):
* ftl/FTLSlowPathCallKey.cpp:
(JSC::FTL::SlowPathCallKey::dump const):
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
(JSC::FTL::SlowPathCallKey::callTarget const):
(JSC::FTL::SlowPathCallKey::withCallTarget):
(JSC::FTL::SlowPathCallKey::hash const):
(JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* ftl/FTLThunks.h:
(JSC::FTL::generateIfNecessary):
(JSC::FTL::keyForThunk):
(JSC::FTL::Thunks::getSlowPathCallThunk):
(JSC::FTL::Thunks::keyForSlowPathCallThunk):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::getOpcodeID):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::emitDumbVirtualCall):
(JSC::AssemblyHelpers::debugCall):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
(JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
* jit/ExecutableAllocator.h:
(JSC::performJITMemcpy):
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
(JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
(JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
(JSC::createJITStubRoutine):
* jit/GCAwareJITStubRoutine.h:
(JSC::createJITStubRoutine):
* jit/JIT.cpp:
(JSC::ctiPatchCallByReturnAddress):
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::CallRecord::CallRecord):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCode.cpp:
(JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
(JSC::JITCodeWithCodeRef::executableAddressAtOffset):
(JSC::DirectJITCode::DirectJITCode):
(JSC::DirectJITCode::initializeCodeRef):
(JSC::DirectJITCode::addressForCall):
(JSC::NativeJITCode::NativeJITCode):
(JSC::NativeJITCode::initializeCodeRef):
(JSC::NativeJITCode::addressForCall):
* jit/JITCode.h:
* jit/JITCodeMap.h:
(JSC::JITCodeMap::Entry::Entry):
(JSC::JITCodeMap::Entry::codeLocation):
(JSC::JITCodeMap::append):
(JSC::JITCodeMap::find const):
* jit/JITDisassembler.cpp:
(JSC::JITDisassembler::dumpDisassembly):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::finalize):
* jit/JITInlines.h:
(JSC::JIT::emitNakedCall):
(JSC::JIT::emitNakedTailCall):
(JSC::JIT::appendCallWithExceptionCheck):
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
(JSC::JIT::appendCallWithCallFrameRollbackOnException):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emitSlow_op_has_indexed_property):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOperations.cpp:
(JSC::getByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
* jit/JITStubRoutine.h:
(JSC::JITStubRoutine::JITStubRoutine):
(JSC::JITStubRoutine::createSelfManagedRoutine):
(JSC::JITStubRoutine::code const):
(JSC::JITStubRoutine::asCodePtr):
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiNativeCall):
(JSC::JITThunks::ctiNativeConstruct):
(JSC::JITThunks::ctiNativeTailCall):
(JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
(JSC::JITThunks::ctiInternalFunctionCall):
(JSC::JITThunks::ctiInternalFunctionConstruct):
(JSC::JITThunks::ctiStub):
(JSC::JITThunks::existingCTIStub):
(JSC::JITThunks::hostFunctionStub):
* jit/JITThunks.h:
* jit/PCToCodeOriginMap.cpp:
(JSC::PCToCodeOriginMap::PCToCodeOriginMap):
* jit/PCToCodeOriginMap.h:
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
* jit/PolymorphicCallStubRoutine.h:
* jit/Repatch.cpp:
(JSC::readPutICCallTarget):
(JSC::ftlThunkAwareRepatchCall):
(JSC::appropriateOptimizingGetByIdFunction):
(JSC::appropriateGetByIdFunction):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::tryCacheIn):
(JSC::repatchIn):
(JSC::linkSlowFor):
(JSC::linkFor):
(JSC::linkDirectFor):
(JSC::revertCall):
(JSC::unlinkFor):
(JSC::linkVirtualFor):
(JSC::linkPolymorphicCall):
(JSC::resetGetByID):
(JSC::resetPutByID):
* jit/Repatch.h:
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
(JSC::SpecializedThunkJIT::callDoubleToDouble):
(JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
* jit/ThunkGenerator.h:
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::nativeCallGenerator):
(JSC::nativeTailCallGenerator):
(JSC::nativeTailCallWithoutSavedTagsGenerator):
(JSC::nativeConstructGenerator):
(JSC::internalFunctionCallGenerator):
(JSC::internalFunctionConstructGenerator):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
(JSC::charCodeAtThunkGenerator):
(JSC::charAtThunkGenerator):
(JSC::fromCharCodeThunkGenerator):
(JSC::clz32ThunkGenerator):
(JSC::sqrtThunkGenerator):
(JSC::floorThunkGenerator):
(JSC::ceilThunkGenerator):
(JSC::truncThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::expThunkGenerator):
(JSC::logThunkGenerator):
(JSC::absThunkGenerator):
(JSC::imulThunkGenerator):
(JSC::randomThunkGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* jit/ThunkGenerators.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::getExecutableAddress):
(JSC::LLInt::getCodePtr):
(JSC::LLInt::getCodeRef):
(JSC::LLInt::getCodeFunctionPtr):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setFunctionEntrypoint):
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
* llint/LLIntExceptions.cpp:
(JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setUpCall):
* llint/LLIntThunks.cpp:
(JSC::vmEntryToWasm):
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
(JSC::LLInt::moduleProgramEntryThunkGenerator):
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* profiler/ProfilerCompilation.cpp:
(JSC::Profiler::Compilation::addOSRExitSite):
* profiler/ProfilerCompilation.h:
* profiler/ProfilerOSRExitSite.cpp:
(JSC::Profiler::OSRExitSite::toJS const):
* profiler/ProfilerOSRExitSite.h:
(JSC::Profiler::OSRExitSite::OSRExitSite):
(JSC::Profiler::OSRExitSite::codeAddress const):
(JSC::Profiler::OSRExitSite:: const): Deleted.
* runtime/ExecutableBase.cpp:
(JSC::ExecutableBase::clearCode):
* runtime/ExecutableBase.h:
(JSC::ExecutableBase::entrypointFor):
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::finishCreation):
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator NativeFunction):
* runtime/PtrTag.h:
(JSC::tagCodePtr):
(JSC::untagCodePtr):
(JSC::retagCodePtr):
(JSC::tagCFunctionPtr):
(JSC::untagCFunctionPtr):
(JSC::nextPtrTagID): Deleted.
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::setCustomValue):
(JSC::PutPropertySlot::setCustomAccessor):
(JSC::PutPropertySlot::customSetter const):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
* runtime/VM.cpp:
(JSC::VM::getHostFunction):
(JSC::VM::getCTIInternalFunctionTrampolineFor):
* runtime/VM.h:
(JSC::VM::getCTIStub):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::emitExceptionCheck):
(JSC::Wasm::B3IRGenerator::emitTierUpCheck):
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::prepare):
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBBQPlan.h:
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmBinding.h:
* wasm/WasmCallee.h:
(JSC::Wasm::Callee::entrypoint const):
* wasm/WasmCallingConvention.h:
(JSC::Wasm::CallingConvention::setupFrameInPrologue const):
* wasm/WasmCodeBlock.h:
(JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
* wasm/WasmFormat.h:
* wasm/WasmInstance.h:
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
(JSC::Wasm::Thunks::stub):
(JSC::Wasm::Thunks::existingStub):
* wasm/WasmThunks.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WasmToJS.h:
* wasm/js/WebAssemblyFunction.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
(JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
(JSC::Yarr::YarrGenerator::compile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::set8BitCode):
(JSC::Yarr::YarrCodeBlock::set16BitCode):
(JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::execute):
(JSC::Yarr::YarrCodeBlock::clear):
2018-04-17 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r230697, r230720, and r230724.
https://bugs.webkit.org/show_bug.cgi?id=184717
These caused multiple failures on the Test262 testers.
(Requested by mlewis13 on #webkit).
Reverted changesets:
"[WebAssembly][Modules] Prototype wasm import"
https://bugs.webkit.org/show_bug.cgi?id=184600
https://trac.webkit.org/changeset/230697
"[WebAssembly][Modules] Implement function import from wasm
modules"
https://bugs.webkit.org/show_bug.cgi?id=184689
https://trac.webkit.org/changeset/230720
"[JSC] Rename runWebAssembly to runWebAssemblySuite"
https://bugs.webkit.org/show_bug.cgi?id=184703
https://trac.webkit.org/changeset/230724
2018-04-17 JF Bastien <jfbastien@apple.com>
A put is not an ExistingProperty put when we transition a structure because of an attributes change
https://bugs.webkit.org/show_bug.cgi?id=184706
<rdar://problem/38871451>
Reviewed by Saam Barati.
When putting a property on a structure and the slot is a different
type, the slot can't be said to have already been existing.
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
2018-04-17 Filip Pizlo <fpizlo@apple.com>
JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
https://bugs.webkit.org/show_bug.cgi?id=184705
Reviewed by Michael Saboff.
My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
while testing an unrelated patch, a concurrent GC thread crashed inside
JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
mode and another vector.
The fix is to lock inside visitChildren and anyone who changes those fields.
I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
this.
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::neuter):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2018-04-16 Filip Pizlo <fpizlo@apple.com>
PutStackSinkingPhase should know that KillStack means ConflictingFlush
https://bugs.webkit.org/show_bug.cgi?id=184672
Reviewed by Michael Saboff.
We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
intentional - I don't know.
Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailabiity uses ConflictingFlush. I think
that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
its stack slot for the purpose of clobberize.
* dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
* dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
* ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
(JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2018-04-17 Filip Pizlo <fpizlo@apple.com>
JSWebAssemblyCodeBlock should be in an IsoSubspace
https://bugs.webkit.org/show_bug.cgi?id=184704
Reviewed by Mark Lam.
Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
protection.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/JSWebAssemblyCodeBlock.h:
2018-04-17 Jer Noble <jer.noble@apple.com>
Only enable useSeparatedWXHeap on ARM64.
https://bugs.webkit.org/show_bug.cgi?id=184697
Reviewed by Saam Barati.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2018-04-17 Yusuke Suzuki <utatane.tea@gmail.com>
[WebAssembly][Modules] Implement function import from wasm modules
https://bugs.webkit.org/show_bug.cgi?id=184689
Reviewed by JF Bastien.
This patch implements function import from wasm modules. We move function importing part
from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
is because linking these functions requires that all the dependent modules are created.
While we want to move all the linking functionality from JSWebAssemblyInstance to
WebAssemblyModuleRecord::link, we do not that in this patch. In this patch, we move only
function importing part because efficient compilation of WebAssembly needs to know
the type of WebAssemblyMemory (signaling or bound checking). This needs to know imported
or attached WebAssembly memory object. So we cannot defer this linking to
WebAssemblyModuleRecord::link now.
The largest difference from JS module linking is that WebAssembly module linking links
function from the module by snapshotting. When you have a cyclic module graph like this,
-> JS1 (export "fun") -> Wasm1 (import "fun from JS1) -+
^ |
+--------------------------------------------------+
we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
is described in [1], and tested in this patch.
[1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
* JavaScriptCore.xcodeproj/project.pbxproj:
* jsc.cpp:
(functionDollarAgentStart):
(checkException):
(runWithOptions):
Small fixes for wasm module loading.
* parser/NodesAnalyzeModule.cpp:
(JSC::ImportDeclarationNode::analyzeModule):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::resolveImport):
(JSC::AbstractModuleRecord::link):
* runtime/AbstractModuleRecord.h:
(JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
(JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
Now, wasm modules can have import which is named "*". So this function does not work.
Since wasm modules never have namespace importing, we check this in JS's module analyzer.
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::instantiateDeclarations):
* wasm/WasmCreationMode.h: Added.
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::resolve):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::WebAssemblyPrototype::instantiate):
(JSC::webAssemblyInstantiateFunc):
2018-04-17 Dominik Infuehr <dinfuehr@igalia.com>
Implement setupArgumentsImpl for ARM and MIPS
https://bugs.webkit.org/show_bug.cgi?id=183786
Reviewed by Yusuke Suzuki.
Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added
numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
registers used for 64-bit values on 32-bit architectures. numCrossSources
keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::moveDouble):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::moveDouble):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupStubCrossArgs):
(JSC::CCallHelpers::ArgCollection::ArgCollection):
(JSC::CCallHelpers::ArgCollection::pushRegArg):
(JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
(JSC::CCallHelpers::ArgCollection::addGPRArg):
(JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
(JSC::CCallHelpers::ArgCollection::addStackArg):
(JSC::CCallHelpers::ArgCollection::addPoke):
(JSC::CCallHelpers::ArgCollection::argCount):
(JSC::CCallHelpers::calculatePokeOffset):
(JSC::CCallHelpers::pokeForArgument):
(JSC::CCallHelpers::stackAligned):
(JSC::CCallHelpers::marshallArgumentRegister):
(JSC::CCallHelpers::setupArgumentsImpl):
(JSC::CCallHelpers::pokeArgumentsAligned):
(JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::setupArguments):
* jit/FPRInfo.h:
(JSC::FPRInfo::toArgumentRegister):
2018-04-17 Saam Barati <sbarati@apple.com>
Add system trace points for process launch and for initializeWebProcess
https://bugs.webkit.org/show_bug.cgi?id=184669
Reviewed by Simon Fraser.
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
2018-04-17 Jer Noble <jer.noble@apple.com>
Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
https://bugs.webkit.org/show_bug.cgi?id=184602
Reviewed by Beth Dakin.
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add API to clear JSCContext uncaught exception
https://bugs.webkit.org/show_bug.cgi?id=184685
Reviewed by Žan Doberšek.
Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
* API/glib/JSCContext.cpp:
(jsc_context_clear_exception):
* API/glib/JSCContext.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add API to query, delete and enumerate properties
https://bugs.webkit.org/show_bug.cgi?id=184647
Reviewed by Michael Catanzaro.
Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
* API/glib/JSCValue.cpp:
(jsc_value_object_has_property):
(jsc_value_object_delete_property):
(jsc_value_object_enumerate_properties):
* API/glib/JSCValue.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-04-16 Yusuke Suzuki <utatane.tea@gmail.com>
[WebAssembly][Modules] Prototype wasm import
https://bugs.webkit.org/show_bug.cgi?id=184600
Reviewed by JF Bastien.
This patch is an initial attempt to implement Wasm loading in module pipeline.
Currently,
1. We only support Wasm loading in the JSC shell. Once loading mechanism is specified
in whatwg HTML, we should integrate this into WebCore.
2. We only support exporting values from Wasm. Wasm module cannot import anything from
the other modules now.
When loading a file, JSC shell checks wasm magic. If the wasm magic is found, JSC shell
loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and
module loader pipeline just handles it as the same to JS. When parsing a module, we
checks the type of JSSourceCode. If the source code is Wasm source code, we create a
WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
AbstractModuleRecord and Wasm module is instantiated, linked, and evaluated.
* builtins/ModuleLoaderPrototype.js:
(globalPrivate.newRegistryEntry):
(requestInstantiate):
(link):
* jsc.cpp:
(convertShebangToJSComment):
(fillBufferWithContentsOfFile):
(fetchModuleFromLocalFileSystem):
(GlobalObject::moduleLoaderFetch):
* parser/SourceProvider.h:
(JSC::WebAssemblySourceProvider::create):
(JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::hostResolveImportedModule):
(JSC::AbstractModuleRecord::link):
(JSC::AbstractModuleRecord::evaluate):
(JSC::identifierToJSValue): Deleted.
* runtime/AbstractModuleRecord.h:
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::evaluate):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::link):
(JSC::JSModuleRecord::instantiateDeclarations):
* runtime/JSModuleRecord.h:
* runtime/ModuleLoaderPrototype.cpp:
(JSC::moduleLoaderPrototypeParseModule):
(JSC::moduleLoaderPrototypeRequestedModules):
(JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
(JSC::createSourceBufferFromValue):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
(JSC::JSWebAssemblyInstance::createPrivateModuleKey):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::constructJSWebAssemblyInstance):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::prepareLink):
(JSC::WebAssemblyModuleRecord::link):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::resolve):
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::WebAssemblyPrototype::instantiate):
(JSC::webAssemblyInstantiateFunc):
(JSC::webAssemblyValidateFunc):
* wasm/js/WebAssemblyPrototype.h:
2018-04-14 Filip Pizlo <fpizlo@apple.com>
Function.prototype.caller shouldn't return generator bodies
https://bugs.webkit.org/show_bug.cgi?id=184630
Reviewed by Yusuke Suzuki.
Function.prototype.caller no longer returns generator bodies. Those are meant to be
private.
Also added some builtin debugging tools so that it's easier to do the investigation that I
did.
* builtins/BuiltinNames.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::callerGetter):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncBuiltinDescribe):
* runtime/JSGlobalObjectFunctions.h:
2018-04-13 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove duplicate 32bit ProfileType implementation
https://bugs.webkit.org/show_bug.cgi?id=184536
Reviewed by Saam Barati.
This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileProfileType):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfUndefined):
(JSC::AssemblyHelpers::branchIfNull):
2018-04-12 Mark Lam <mark.lam@apple.com>
Consolidate some PtrTags.
https://bugs.webkit.org/show_bug.cgi?id=184552
<rdar://problem/39389404>
Reviewed by Filip Pizlo.
Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::repatchNearCall):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::readCallTarget):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::readCallTarget):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::readCallTarget):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::readCallTarget):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::readCallTarget):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::executableAddressAtOffset):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOSRExitHandle.cpp:
(JSC::FTL::OSRExitHandle::emitExitThunk):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDumbVirtualCall):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCode.cpp:
(JSC::JITCodeWithCodeRef::executableAddressAtOffset):
(JSC::NativeJITCode::addressForCall):
* jit/JITInlines.h:
(JSC::JIT::emitNakedCall):
(JSC::JIT::emitNakedTailCall):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITThunks.cpp:
(JSC::JITThunks::hostFunctionStub):
* jit/Repatch.cpp:
(JSC::linkSlowFor):
(JSC::linkFor):
(JSC::linkPolymorphicCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setUpCall):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
(JSC::LLInt::moduleProgramEntryThunkGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::finishCreation):
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator NativeFunction):
* runtime/PtrTag.h:
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):
2018-04-12 Michael Catanzaro <mcatanzaro@igalia.com>
[WPE] Move libWPEWebInspectorResources.so to pkglibdir
https://bugs.webkit.org/show_bug.cgi?id=184379
Reviewed by Žan Doberšek.
Load the module from the new location.
* PlatformWPE.cmake:
* inspector/remote/glib/RemoteInspectorUtils.cpp:
(Inspector::backendCommands):
2018-04-12 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove compileBigIntEquality in DFG 32bit
https://bugs.webkit.org/show_bug.cgi?id=184535
Reviewed by Saam Barati.
We can have the unified implementation for compileBigIntEquality.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
2018-04-12 Michael Catanzaro <mcatanzaro@igalia.com>
[WPE] Improve include hierarchy
https://bugs.webkit.org/show_bug.cgi?id=184376
Reviewed by Žan Doberšek.
Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
/usr/include/wpe-0.1/WPE/jsc.
* PlatformWPE.cmake:
2018-04-11 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Handle strings containing null characters
https://bugs.webkit.org/show_bug.cgi?id=184450
Reviewed by Michael Catanzaro.
We should be able to evaluate scripts containing null characters and to handle strings that contains them
too. In JavaScript strings are not null-terminated, they can contain null characters. This patch adds a length
parameter to jsc_context_valuate() to pass the script length (or -1 if it's null terminated), and new functions
jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
contain null characters.
* API/OpaqueJSString.cpp:
(OpaqueJSString::create): Add a create constructor that takes the String.
* API/OpaqueJSString.h:
(OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
* API/glib/JSCContext.cpp:
(jsc_context_evaluate): Add length parameter.
(jsc_context_evaluate_with_source_uri): Ditto.
* API/glib/JSCContext.h:
* API/glib/JSCValue.cpp:
(jsc_value_new_string_from_bytes):
(jsc_value_to_string):
(jsc_value_to_string_as_bytes):
(jsc_value_object_is_instance_of): Pass length to evaluate.
* API/glib/JSCValue.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:
2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
https://bugs.webkit.org/show_bug.cgi?id=184500
Reviewed by Mark Lam.
Instead of passing JSValue::JSCellTag to callOperation meta-program to convert
JSCell GPR to EncodedJSValue in 32bit code, we add CallHelpers::CellValue.
It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking
CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
poke held GPR. The benefit from this CellValue is that we can use the same code
for 32bit and 64bit. This patch removes several ifdefs.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::CellValue::CellValue):
(JSC::CCallHelpers::CellValue::gpr const):
(JSC::CCallHelpers::setupArgumentsImpl):
2018-04-11 Mark Lam <mark.lam@apple.com>
[Build fix] Replace CompactJITCodeMap with JITCodeMap.
https://bugs.webkit.org/show_bug.cgi?id=184512
<rdar://problem/35391728>
Not reviewed.
* bytecode/CodeBlock.h:
* jit/JITCodeMap.h:
2018-04-11 Mark Lam <mark.lam@apple.com>
Replace CompactJITCodeMap with JITCodeMap.
https://bugs.webkit.org/show_bug.cgi?id=184512
<rdar://problem/35391728>
Reviewed by Filip Pizlo.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::setJITCodeMap):
(JSC::CodeBlock::jitCodeMap const):
(JSC::CodeBlock::jitCodeMap): Deleted.
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
* jit/AssemblyHelpers.h:
* jit/CompactJITCodeMap.h: Removed.
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITCodeMap.h: Added.
(JSC::JITCodeMap::Entry::Entry):
(JSC::JITCodeMap::Entry::bytecodeIndex const):
(JSC::JITCodeMap::Entry::codeLocation):
(JSC::JITCodeMap::append):
(JSC::JITCodeMap::finish):
(JSC::JITCodeMap::find const):
(JSC::JITCodeMap::operator bool const):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove CompareSlowPathGenerator
https://bugs.webkit.org/show_bug.cgi?id=184492
Reviewed by Mark Lam.
Now CompareSlowPathGenerator is just calling a specified function.
This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.
We also remove some of unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
introducing a new constructor for GPRTemporary.
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCompareSlowPathGenerator.h: Removed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::GPRTemporary::GPRTemporary):
(JSC::DFG::SpeculativeJIT::compileIsCellWithType):
(JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
(JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
(JSC::DFG::SpeculativeJIT::compileIsObject):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::GPRTemporary::GPRTemporary):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix for 32bit
https://bugs.webkit.org/show_bug.cgi?id=184236
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove duplicate 32bit code more
https://bugs.webkit.org/show_bug.cgi?id=184236
Reviewed by Mark Lam.
Remove duplicate 32bit code more aggressively part 2.
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCompareSlowPathGenerator.h: Added.
(JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead.
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
(JSC::DFG::SpeculativeJIT::compileLoadVarargs):
(JSC::DFG::SpeculativeJIT::compileIsObject):
(JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
(JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
(JSC::DFG::SpeculativeJIT::compilePutById):
(JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
(JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
(): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::loadValue):
(JSC::AssemblyHelpers::selectScratchGPR):
(JSC::AssemblyHelpers::constructRegisterSet):
* jit/RegisterSet.h:
(JSC::RegisterSet::setAny):
Clean up selectScratchGPR code to pass JSValueRegs.
2018-04-10 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Add support for BigInt in SpeculatedType
https://bugs.webkit.org/show_bug.cgi?id=182470
Reviewed by Saam Barati.
This patch introduces the SpecBigInt type to DFG to enable BigInt
speculation into DFG and FTL.
With SpecBigInt introduction, we can then specialize "===" operations
to BigInts. As we are doing for some cells, we first check if operands
are pointing to the same JSCell, and if it is false, we
fallback to "operationCompareStrictEqCell". The idea in further
patches is to implement BigInt equality check directly in
assembly.
We are also adding support for BigInt constant folding into
TypeOf operation.
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationFromClassInfo):
(JSC::speculationFromStructure):
(JSC::speculationFromJSType):
(JSC::speculationFromString):
* bytecode/SpeculatedType.h:
(JSC::isBigIntSpeculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToThis):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
* dfg/DFGInferredTypeCheck.cpp:
(JSC::DFG::insertInferredTypeCheck):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateBigInt):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateBigInt):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
(JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfNotType):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfBigInt):
(JSC::AssemblyHelpers::branchIfNotBigInt):
* runtime/InferredType.cpp:
(JSC::InferredType::Descriptor::forValue):
(JSC::InferredType::Descriptor::putByIdFlags const):
(JSC::InferredType::Descriptor::merge):
(WTF::printInternal):
* runtime/InferredType.h:
* runtime/JSBigInt.h:
2018-04-10 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix cloop build.
* dfg/DFGAbstractInterpreterClobberState.cpp:
2018-04-10 Mark Lam <mark.lam@apple.com>
Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
https://bugs.webkit.org/show_bug.cgi?id=184464
<rdar://problem/39323947>
Reviewed by Saam Barati.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::sizeClassToIndex):
2018-04-09 Filip Pizlo <fpizlo@apple.com>
DFG AI and clobberize should agree with each other
https://bugs.webkit.org/show_bug.cgi?id=184440
Reviewed by Saam Barati.
One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
agree with each other. That's what this patch does: it adds an assertion that AI's structure
state tracking must be equivalent to JSCell_structureID being clobbered.
One subtlety is that AI sometimes folds away structure clobbering using information that
clobberize doesn't have. So, we track this wuth special kinds of AI states (FoldedClobber and
ObservedTransitions).
This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
clobberize missing a write(Heap).
This also makes some cases more precise in order to appease the assertion. Making things more
precise might make things faster, but I didn't measure it because that wasn't the goal.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractInterpreterClobberState.cpp: Added.
(WTF::printInternal):
* dfg/DFGAbstractInterpreterClobberState.h: Added.
(JSC::DFG::mergeClobberStates):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
* dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::setClobberState):
(JSC::DFG::AtTailAbstractState::mergeClobberState):
(JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGClobberSet.cpp:
(JSC::DFG::writeSet):
* dfg/DFGClobberSet.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::clobberState const):
(JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
(JSC::DFG::InPlaceAbstractState::didClobber const):
(JSC::DFG::InPlaceAbstractState::setClobberState):
(JSC::DFG::InPlaceAbstractState::mergeClobberState):
(JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
2018-04-10 Filip Pizlo <fpizlo@apple.com>
ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
https://bugs.webkit.org/show_bug.cgi?id=184460
<rdar://problem/37610966>
Reviewed by Mark Lam.
* bytecode/ExecutableToCodeBlockEdge.cpp:
(JSC::ExecutableToCodeBlockEdge::visitChildren):
2018-04-10 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
https://bugs.webkit.org/show_bug.cgi?id=184455
Reviewed by Michael Saboff.
LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
(AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
the thing being hoisted does have effects, then we get a crash.
In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
ComapreEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't
effectful.
Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
clobberize to also think that CompareEq(Untyped:, _) is effectful.
This fixes the whole situation by teaching both clobberize and AI that the only effectful form
of CompareEq is ComapreEq(Untyped:, Untyped:).
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-04-09 Filip Pizlo <fpizlo@apple.com>
Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
https://bugs.webkit.org/show_bug.cgi?id=184372
Reviewed by Saam Barati.
We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
have already proved, using techniques that are more precise than AI, that the edge has type
Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
other than a check - so we think we can call those just because we should have already
bailed. It's better to think of them as the result of folding a check. Therefore, we should
only do it if there had been a check to begin with.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Introduce @putByIdDirectPrivate
https://bugs.webkit.org/show_bug.cgi?id=184400
Reviewed by Saam Barati.
This patch adds @putByIdDirectPrivate() to use it for builtin JS.
@getByIdDirectPrivate and @putByIdDirectPrivate are pair of intrinsics
accessing to ECMAScript internal fields.
This change removes accidental [[Put]] operation to an object whose [[Prototype]]
has internal fields (not direct properties). By using @getByIdDirectPrivate() and
@putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal
fields that accessing to the internal fields does not traverse prototype chains.
* builtins/ArrayIteratorPrototype.js:
(globalPrivate.arrayIteratorValueNext):
(globalPrivate.arrayIteratorKeyNext):
(globalPrivate.arrayIteratorKeyValueNext):
* builtins/ArrayPrototype.js:
(globalPrivate.createArrayIterator):
* builtins/AsyncFromSyncIteratorPrototype.js:
(globalPrivate.AsyncFromSyncIteratorConstructor):
* builtins/AsyncFunctionPrototype.js:
(globalPrivate.asyncFunctionResume):
* builtins/AsyncGeneratorPrototype.js:
(globalPrivate.asyncGeneratorQueueEnqueue):
(globalPrivate.asyncGeneratorQueueDequeue):
(asyncGeneratorYieldAwaited):
(globalPrivate.asyncGeneratorYield):
(globalPrivate.doAsyncGeneratorBodyCall):
(globalPrivate.asyncGeneratorResumeNext):
* builtins/GeneratorPrototype.js:
(globalPrivate.generatorResume):
* builtins/MapIteratorPrototype.js:
(globalPrivate.mapIteratorNext):
* builtins/MapPrototype.js:
(globalPrivate.createMapIterator):
* builtins/ModuleLoaderPrototype.js:
(forceFulfillPromise):
* builtins/PromiseOperations.js:
(globalPrivate.newHandledRejectedPromise):
(globalPrivate.rejectPromise):
(globalPrivate.fulfillPromise):
(globalPrivate.initializePromise):
* builtins/PromisePrototype.js:
(then):
* builtins/SetIteratorPrototype.js:
(globalPrivate.setIteratorNext):
* builtins/SetPrototype.js:
(globalPrivate.createSetIterator):
* builtins/StringIteratorPrototype.js:
(next):
* bytecode/BytecodeIntrinsicRegistry.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
2018-04-09 Mark Lam <mark.lam@apple.com>
Decorate method table entries to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=184430
<rdar://problem/39296190>
Reviewed by Saam Barati.
* runtime/ClassInfo.h:
2018-04-09 Michael Catanzaro <mcatanzaro@igalia.com>
[WPE] Don't install JSC C API headers
https://bugs.webkit.org/show_bug.cgi?id=184375
Reviewed by Žan Doberšek.
None of the functions declared in these headers are exported in WPE. Use the new jsc API
instead.
* PlatformWPE.cmake:
2018-04-08 Mark Lam <mark.lam@apple.com>
Add pointer profiling to the FTL and supporting code.
https://bugs.webkit.org/show_bug.cgi?id=184395
<rdar://problem/39264019>
Reviewed by Michael Saboff and Filip Pizlo.
* assembler/CodeLocation.h:
(JSC::CodeLocationLabel::retagged):
(JSC::CodeLocationJump::retagged):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::locationOf):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLExceptionTarget.cpp:
(JSC::FTL::ExceptionTarget::label):
(JSC::FTL::ExceptionTarget::jumps):
* ftl/FTLExceptionTarget.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::executableAddressAtOffset):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::~LazySlowPath):
(JSC::FTL::LazySlowPath::initialize):
(JSC::FTL::LazySlowPath::generate):
(JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
* ftl/FTLLazySlowPath.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOSRExitHandle.cpp:
(JSC::FTL::OSRExitHandle::emitExitThunk):
* ftl/FTLOperations.cpp:
(JSC::FTL::compileFTLLazySlowPath):
* ftl/FTLOutput.h:
(JSC::FTL::Output::callWithoutSideEffects):
(JSC::FTL::Output::operation):
* ftl/FTLPatchpointExceptionHandle.cpp:
(JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::withCallTarget):
(JSC::FTL::SlowPathCallKey::callPtrTag const):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/Repatch.cpp:
(JSC::readPutICCallTarget):
(JSC::ftlThunkAwareRepatchCall):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::repatchIn):
(JSC::resetGetByID):
(JSC::resetPutByID):
(JSC::readCallTarget): Deleted.
* jit/Repatch.h:
* runtime/PtrTag.h:
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, attempt to fix Windows build
https://bugs.webkit.org/show_bug.cgi?id=183508
* jit/JIT.h:
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, build fix for Windows by suppressing padding warning for JIT
https://bugs.webkit.org/show_bug.cgi?id=183508
* jit/JIT.h:
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
Use alignas instead of compiler-specific attributes
https://bugs.webkit.org/show_bug.cgi?id=183508
Reviewed by Mark Lam.
Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
* heap/RegisterState.h:
* jit/JIT.h:
(JSC::JIT::compile): Deleted.
(JSC::JIT::compileGetByVal): Deleted.
(JSC::JIT::compileGetByValWithCachedId): Deleted.
(JSC::JIT::compilePutByVal): Deleted.
(JSC::JIT::compileDirectPutByVal): Deleted.
(JSC::JIT::compilePutByValWithCachedId): Deleted.
(JSC::JIT::compileHasIndexedProperty): Deleted.
(JSC::JIT::appendCall): Deleted.
(JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
(JSC::JIT::exceptionCheck): Deleted.
(JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
(JSC::JIT::emitInt32Load): Deleted.
(JSC::JIT::emitInt32GetByVal): Deleted.
(JSC::JIT::emitInt32PutByVal): Deleted.
(JSC::JIT::emitDoublePutByVal): Deleted.
(JSC::JIT::emitContiguousPutByVal): Deleted.
(JSC::JIT::emitStoreCell): Deleted.
(JSC::JIT::getSlowCase): Deleted.
(JSC::JIT::linkSlowCase): Deleted.
(JSC::JIT::linkDummySlowCase): Deleted.
(JSC::JIT::linkAllSlowCases): Deleted.
(JSC::JIT::callOperation): Deleted.
(JSC::JIT::callOperationWithProfile): Deleted.
(JSC::JIT::callOperationWithResult): Deleted.
(JSC::JIT::callOperationNoExceptionCheck): Deleted.
(JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
(JSC::JIT::emitEnterOptimizationCheck): Deleted.
(JSC::JIT::sampleCodeBlock): Deleted.
(JSC::JIT::canBeOptimized): Deleted.
(JSC::JIT::canBeOptimizedOrInlined): Deleted.
(JSC::JIT::shouldEmitProfiling): Deleted.
* runtime/VM.h:
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, follow-up patch for DFG 32bit
https://bugs.webkit.org/show_bug.cgi?id=183970
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Fix incorrect assertion for VM's regexp buffer lock
https://bugs.webkit.org/show_bug.cgi?id=184398
Reviewed by Mark Lam.
isLocked check before taking a lock is incorrect.
* runtime/VM.cpp:
(JSC::VM::acquireRegExpPatternContexBuffer):
2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Introduce op_get_by_id_direct
https://bugs.webkit.org/show_bug.cgi?id=183970
Reviewed by Filip Pizlo.
This patch introduces op_get_by_id_direct bytecode. This is super similar to op_get_by_id.
But it just performs [[GetOwnProperty]] operation instead of [[Get]]. We support this
in all the tiers, so using this opcode does not lead to inefficiency.
Main purpose of this op_get_by_id_direct is using it for private properties. We are using
properties indexed with private symbols to implement ECMAScript internal fields. Before this
patch, we just use get and put operations. However, it is not the correct semantics: accessing
to the internal fields should not traverse prototype chain, which is specified in the spec.
We use op_get_by_id_direct to access to properties which are used internal fields, so that
prototype chains are not traversed.
To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
bytecode `op_get_by_id_direct, object, @name`.
* builtins/ArrayIteratorPrototype.js:
(next):
(globalPrivate.arrayIteratorValueNext):
(globalPrivate.arrayIteratorKeyNext):
(globalPrivate.arrayIteratorKeyValueNext):
* builtins/AsyncFromSyncIteratorPrototype.js:
* builtins/AsyncFunctionPrototype.js:
(globalPrivate.asyncFunctionResume):
* builtins/AsyncGeneratorPrototype.js:
(globalPrivate.asyncGeneratorQueueIsEmpty):
(globalPrivate.asyncGeneratorQueueEnqueue):
(globalPrivate.asyncGeneratorQueueDequeue):
(globalPrivate.asyncGeneratorDequeue):
(globalPrivate.isExecutionState):
(globalPrivate.isSuspendYieldState):
(globalPrivate.asyncGeneratorReject):
(globalPrivate.asyncGeneratorResolve):
(globalPrivate.doAsyncGeneratorBodyCall):
(globalPrivate.asyncGeneratorEnqueue):
* builtins/GeneratorPrototype.js:
(globalPrivate.generatorResume):
(next):
(return):
(throw):
* builtins/MapIteratorPrototype.js:
(next):
* builtins/PromiseOperations.js:
(globalPrivate.isPromise):
(globalPrivate.rejectPromise):
(globalPrivate.fulfillPromise):
* builtins/PromisePrototype.js:
(then):
* builtins/SetIteratorPrototype.js:
(next):
* builtins/StringIteratorPrototype.js:
(next):
* builtins/TypedArrayConstructor.js:
(of):
(from):
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeIntrinsicRegistry.h:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeFor):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
(JSC::appropriateOptimizingGetByIdFunction):
(JSC::appropriateGenericGetByIdFunction):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDirectGetById):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToGetByOffset):
(JSC::DFG::Node::convertToMultiGetByOffset):
(JSC::DFG::Node::hasIdentifier):
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetById):
(JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
(JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
(JSC::FTL::DFG::LowerDFGToB3::getById):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id_direct):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id_direct):
* jit/Repatch.cpp:
(JSC::appropriateOptimizingGetByIdFunction):
(JSC::appropriateGetByIdFunction):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::appropriateGenericGetByIdFunction): Deleted.
* jit/Repatch.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::getOwnPropertySlot const):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::getOwnPropertySlotInline):
2018-04-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove several asXXX functions
https://bugs.webkit.org/show_bug.cgi?id=184355
Reviewed by JF Bastien.
Remove asActivation, asInternalFunction, and asGetterSetter.
Use jsCast<> / jsDynamicCast<> consistently.
* runtime/ArrayConstructor.cpp:
(JSC::constructArrayWithSizeQuirk):
* runtime/AsyncFunctionConstructor.cpp:
(JSC::callAsyncFunctionConstructor):
(JSC::constructAsyncFunctionConstructor):
* runtime/AsyncGeneratorFunctionConstructor.cpp:
(JSC::callAsyncGeneratorFunctionConstructor):
(JSC::constructAsyncGeneratorFunctionConstructor):
* runtime/BooleanConstructor.cpp:
(JSC::constructWithBooleanConstructor):
* runtime/DateConstructor.cpp:
(JSC::constructWithDateConstructor):
* runtime/ErrorConstructor.cpp:
(JSC::Interpreter::constructWithErrorConstructor):
(JSC::Interpreter::callErrorConstructor):
* runtime/FunctionConstructor.cpp:
(JSC::constructWithFunctionConstructor):
(JSC::callFunctionConstructor):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
* runtime/GeneratorFunctionConstructor.cpp:
(JSC::callGeneratorFunctionConstructor):
(JSC::constructGeneratorFunctionConstructor):
* runtime/GetterSetter.h:
(JSC::asGetterSetter): Deleted.
* runtime/InternalFunction.h:
(JSC::asInternalFunction): Deleted.
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayView):
* runtime/JSLexicalEnvironment.h:
(JSC::asActivation): Deleted.
* runtime/JSObject.cpp:
(JSC::validateAndApplyPropertyDescriptor):
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/PropertyDescriptor.cpp:
(JSC::PropertyDescriptor::setDescriptor):
* runtime/RegExpConstructor.cpp:
(JSC::constructWithRegExpConstructor):
(JSC::callRegExpConstructor):
* runtime/SetConstructor.cpp:
(JSC::constructSet):
* runtime/StringConstructor.cpp:
(JSC::constructWithStringConstructor):
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::constructJSWebAssemblyCompileError):
(JSC::callJSWebAssemblyCompileError):
* wasm/js/WebAssemblyLinkErrorConstructor.cpp:
(JSC::constructJSWebAssemblyLinkError):
(JSC::callJSWebAssemblyLinkError):
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
(JSC::constructJSWebAssemblyRuntimeError):
(JSC::callJSWebAssemblyRuntimeError):
2018-04-05 Mark Lam <mark.lam@apple.com>
MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
https://bugs.webkit.org/show_bug.cgi?id=184347
<rdar://problem/39183165>
Reviewed by Michael Saboff.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::retagged const):
2018-04-05 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
[MIPS] Optimize generated JIT code for branches
https://bugs.webkit.org/show_bug.cgi?id=183130
Reviewed by Yusuke Suzuki.
The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
However, this adds a significant overhead for all other types of branches. Since these nop's
protect the code that is generated by branchPtrWithPatch, this function seems like a better
place to add them.
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::repatchInt32):
(JSC::MIPSAssembler::revertJumpToMove):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::branchMul32):
(JSC::MacroAssemblerMIPS::branchSub32):
(JSC::MacroAssemblerMIPS::branchNeg32):
(JSC::MacroAssemblerMIPS::branchPtrWithPatch):
(JSC::MacroAssemblerMIPS::branchEqual):
(JSC::MacroAssemblerMIPS::branchNotEqual):
2018-04-05 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Remove StaticLock
https://bugs.webkit.org/show_bug.cgi?id=184332
Reviewed by Mark Lam.
* API/JSValue.mm:
(handerForStructTag):
* API/JSVirtualMachine.mm:
(+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
(+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
* API/glib/JSCVirtualMachine.cpp:
(addWrapper):
(removeWrapper):
* assembler/testmasm.cpp:
* b3/air/testair.cpp:
* b3/testb3.cpp:
* bytecode/SuperSampler.cpp:
* dfg/DFGCommon.cpp:
* dfg/DFGCommonData.cpp:
* dynbench.cpp:
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::tryCopyOtherThreadStacks):
* inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
(Inspector::RemoteTargetHandleRunSourceGlobal):
(Inspector::RemoteTargetQueueTaskOnGlobalQueue):
* interpreter/CLoopStack.cpp:
* parser/SourceProvider.cpp:
* profiler/ProfilerDatabase.cpp:
* profiler/ProfilerUID.cpp:
(JSC::Profiler::UID::create):
* runtime/IntlObject.cpp:
(JSC::numberingSystemsForLocale):
* runtime/JSLock.cpp:
* runtime/JSLock.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::registerForReportAtExit):
* runtime/VM.cpp:
* wasm/WasmFaultSignalHandler.cpp:
2018-04-04 Mark Lam <mark.lam@apple.com>
Add pointer profiling support to the DFG and supporting files.
https://bugs.webkit.org/show_bug.cgi?id=184316
<rdar://problem/39188524>
Reviewed by Filip Pizlo.
1. Profile lots of pointers with PtrTags.
2. Remove PtrTag.cpp and make ptrTagName() into an inline function. It's only
used for debugging anyway, and not normally called in the code. Making it
an inline function prevents it from taking up code space in builds when not in
use.
3. Change the call to the the arityFixupThunk in DFG code to be a near call.
It doesn't need to be a far call.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* assembler/testmasm.cpp:
(JSC::testProbeModifiesProgramCounter):
* b3/B3LowerMacros.cpp:
* b3/air/AirCCallSpecial.cpp:
(JSC::B3::Air::CCallSpecial::generate):
* b3/air/AirCCallSpecial.h:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/HandlerInfo.h:
(JSC::HandlerInfo::initialize):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::noticeCatchEntrypoint):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendCall):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::OSRExit::emitRestoreArguments):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::osrWriteBarrier):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
(JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
(JSC::DFG::slowPathCall):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMathIC):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::appendCall):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDumbVirtualCall):
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::compileWithoutLinking):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCallSlowCase):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::linkSlowFor):
(JSC::linkFor):
(JSC::revertCall):
(JSC::unlinkFor):
(JSC::linkVirtualFor):
(JSC::linkPolymorphicCall):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
* runtime/PtrTag.cpp: Removed.
* runtime/PtrTag.h:
(JSC::ptrTagName):
* runtime/VMEntryScope.cpp:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2018-04-04 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
https://bugs.webkit.org/show_bug.cgi?id=184319
Reviewed by Saam Barati.
In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
the ArrayPush.
But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with a InBounds
GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
with a GetByVal(SaneChain), then we will hit the assertion.
This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
* dfg/DFGCSEPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArrayPush):
2018-04-04 Filip Pizlo <fpizlo@apple.com>
Remove poisoning of typed array vector
https://bugs.webkit.org/show_bug.cgi?id=184313
Reviewed by Saam Barati.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb:
* runtime/CagedBarrierPtr.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::neuter):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::offsetOfVector):
(JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
(JSC::JSArrayBufferView::poisonFor): Deleted.
(JSC::JSArrayBufferView::Poison::key): Deleted.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.h:
2018-04-03 Filip Pizlo <fpizlo@apple.com>
Don't do index masking or poisoning for DirectArguments
https://bugs.webkit.org/show_bug.cgi?id=184280
Reviewed by Saam Barati.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
(JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
* dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetFromArguments):
(JSC::DFG::SpeculativeJIT::compilePutToArguments):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
(JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
* heap/SecurityKind.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_put_to_arguments):
(JSC::JIT::emitDirectArgumentsGetByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_put_to_arguments):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::DirectArguments):
(JSC::DirectArguments::createUninitialized):
(JSC::DirectArguments::create):
(JSC::DirectArguments::createByCopying):
(JSC::DirectArguments::estimatedSize):
(JSC::DirectArguments::visitChildren):
(JSC::DirectArguments::overrideThings):
(JSC::DirectArguments::copyToArguments):
(JSC::DirectArguments::mappedArgumentsSize):
* runtime/DirectArguments.h:
* runtime/JSCPoison.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSSymbolTableObject.h:
2018-04-03 Filip Pizlo <fpizlo@apple.com>
JSArray::appendMemcpy seems to be missing a barrier
https://bugs.webkit.org/show_bug.cgi?id=184290
Reviewed by Mark Lam.
If you write to an array that may contain pointers and you didn't just allocate it, then you need to
barrier right after.
I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
2018-04-03 Filip Pizlo <fpizlo@apple.com>
GC shouldn't do object distancing
https://bugs.webkit.org/show_bug.cgi?id=184195
Reviewed by Saam Barati.
This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
to be a small speed-up.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::addBlock):
* heap/BlockDirectory.h:
* heap/CellAttributes.cpp:
(JSC::CellAttributes::dump const):
* heap/CellAttributes.h:
(JSC::CellAttributes::CellAttributes):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
* heap/SecurityKind.cpp: Removed.
* heap/SecurityKind.h: Removed.
* heap/SecurityOriginToken.cpp: Removed.
* heap/SecurityOriginToken.h: Removed.
* heap/ThreadLocalCache.cpp:
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
* heap/ThreadLocalCache.h:
(JSC::ThreadLocalCache::securityOriginToken const): Deleted.
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache const): Deleted.
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2018-04-02 Saam Barati <sbarati@apple.com>
bmalloc should compute its own estimate of its footprint
https://bugs.webkit.org/show_bug.cgi?id=184121
Reviewed by Filip Pizlo.
* heap/IsoAlignedMemoryAllocator.cpp:
(JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
(JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
2018-04-02 Mark Lam <mark.lam@apple.com>
We should not trash the stack pointer on OSR entry.
https://bugs.webkit.org/show_bug.cgi?id=184243
<rdar://problem/39114319>
Reviewed by Filip Pizlo.
In the DFG OSR entry path, we momentarily over-write the stack pointer with
returnValueGPR2. returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
Hence, this assignment is wrong, and it turns out to be unnecessary as well.
The stack pointer does get corrected later in the thunk (generated by
osrEntryThunkGenerator()) that we jump to. This is why we don't see ill-effects
so far.
This bug only poses an issue if interrupts use the user stack for their stack
frame (e.g. linux), and when we do stack alignment tests during debugging.
The fix is simply to remove the assignment.
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
2018-04-02 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
[MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
https://bugs.webkit.org/show_bug.cgi?id=183740
Reviewed by Yusuke Suzuki.
In many macro assembler methods with TrustedImm32 operand a move imm, immTemp (pseudo)instruction is
first generated and a register operand variant of the same method is called to generate the rest
of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
generate more efficient code using MIPS instructions with immediate operand.
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::slti):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::lshift32):
(JSC::MacroAssemblerMIPS::xor32):
(JSC::MacroAssemblerMIPS::branch8):
(JSC::MacroAssemblerMIPS::compare8):
(JSC::MacroAssemblerMIPS::branch32):
(JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
(JSC::MacroAssemblerMIPS::branchTest32):
(JSC::MacroAssemblerMIPS::mask8OnTest):
(JSC::MacroAssemblerMIPS::branchTest8):
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::branchNeg32):
(JSC::MacroAssemblerMIPS::compare32):
(JSC::MacroAssemblerMIPS::test8):
2018-04-02 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] More aggressive removal of duplicate 32bit DFG code
https://bugs.webkit.org/show_bug.cgi?id=184089
Reviewed by Saam Barati.
This patch more aggressively removes duplicate 32bit DFG code
by leveraging JSValueRegs and meta-programmed callOperation.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
(JSC::DFG::SpeculativeJIT::compileArithMinMax):
(JSC::DFG::SpeculativeJIT::compileNewArray):
(JSC::DFG::SpeculativeJIT::compileCheckCell):
(JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
(JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
(JSC::DFG::SpeculativeJIT::compileGetClosureVar):
(JSC::DFG::SpeculativeJIT::compilePutClosureVar):
(JSC::DFG::SpeculativeJIT::compileGetByOffset):
(JSC::DFG::SpeculativeJIT::compilePutByOffset):
(JSC::DFG::SpeculativeJIT::compileGetExecutable):
(JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
(JSC::DFG::SpeculativeJIT::compileToThis):
(JSC::DFG::SpeculativeJIT::compileIdentity):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-04-01 Filip Pizlo <fpizlo@apple.com>
Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
https://bugs.webkit.org/show_bug.cgi?id=184228
Reviewed by Yusuke Suzuki.
* runtime/Options.h:
2018-03-31 Filip Pizlo <fpizlo@apple.com>
JSObject shouldn't do index masking
https://bugs.webkit.org/show_bug.cgi?id=184194
Reviewed by Yusuke Suzuki.
Remove index masking, because it's not the way we'll mitigate Spectre.
* API/tests/JSObjectGetProxyTargetTest.cpp:
(testJSObjectGetProxyTarget):
* b3/B3LowerToAir.cpp:
* b3/B3Validate.cpp:
* b3/B3WasmBoundsCheckValue.cpp:
(JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
(JSC::B3::WasmBoundsCheckValue::dumpMeta const):
* b3/B3WasmBoundsCheckValue.h:
(JSC::B3::WasmBoundsCheckValue::bounds const):
(JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
* b3/testb3.cpp:
(JSC::B3::testWasmBoundsCheck):
(JSC::B3::run):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileCreateActivation):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileNewRegexp):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Butterfly.h:
(JSC::ContiguousData::at const):
(JSC::ContiguousData::at):
(JSC::Butterfly::computeIndexingMask const): Deleted.
* runtime/ButterflyInlines.h:
(JSC::ContiguousData<T>::at const): Deleted.
(JSC::ContiguousData<T>::at): Deleted.
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
* runtime/JSArrayInlines.h:
(JSC::JSArray::pushInline):
* runtime/JSFixedArray.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::putByIndex):
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::createInitialForValueAndSet):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::countElements):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::getEnumerableLength):
* runtime/JSObject.h:
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::initializeIndexWithoutBarrier):
(JSC::JSObject::butterflyOffset):
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):
(JSC::JSObject::JSObject):
(JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
(JSC::JSObject::butterflyIndexingMask const): Deleted.
(JSC::JSObject::setButterflyWithIndexingMask): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::prepareToPutDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::load):
(JSC::Wasm::B3IRGenerator::store):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::updateCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedMemorySize):
(JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::grow):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::size const):
(JSC::Wasm::Memory::offsetOfSize):
(JSC::Wasm::Memory::indexingMask): Deleted.
(JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
* wasm/WasmMemoryInformation.cpp:
(JSC::Wasm::PinnedRegisterInfo::get):
(JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
* wasm/WasmMemoryInformation.h:
(JSC::Wasm::PinnedRegisterInfo::toSave const):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
2018-03-31 Filip Pizlo <fpizlo@apple.com>
JSC crash in JIT code with for-of loop and Array/Set iterators
https://bugs.webkit.org/show_bug.cgi?id=183174
Reviewed by Saam Barati.
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site.
2018-03-30 Filip Pizlo <fpizlo@apple.com>
Strings and Vectors shouldn't do index masking
https://bugs.webkit.org/show_bug.cgi?id=184193
Reviewed by Mark Lam.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
* jit/ThunkGenerators.cpp:
(JSC::stringCharLoad):
2018-03-30 Mark Lam <mark.lam@apple.com>
Add pointer profiling support in baseline JIT and supporting files.
https://bugs.webkit.org/show_bug.cgi?id=184200
<rdar://problem/39057300>
Reviewed by Filip Pizlo.
1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters
the code via the arity check entry.
2. To accommodate (1), all JITCode must now populate their arity check entry code
pointers as well. For native code, programs, evals, and modules that don't
do arity check, we set the normal entry as the arity check entry (though with
the CodeEntryWithArityCheckPtrTag profile instead).
* assembler/AbstractMacroAssembler.h:
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::locationOfNearCall):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::linkCall):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/AccessCaseSnippetParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::addJITAddIC):
(JSC::CodeBlock::addJITMulIC):
(JSC::CodeBlock::addJITSubIC):
(JSC::CodeBlock::addJITNegIC):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addMathIC):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
(): Deleted.
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
* heap/JITStubRoutineSet.h:
(JSC::JITStubRoutineSet::mark):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::debugCall):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitFunctionPrologue):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::prepareForTailCallSlow):
* jit/CallFrameShuffler.cpp:
(JSC::CallFrameShuffler::prepareForTailCall):
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
* jit/ExecutableAllocator.h:
(JSC::performJITMemcpy):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):
* jit/JITCode.cpp:
(JSC::JITCode::execute):
(JSC::JITCodeWithCodeRef::executableAddressAtOffset):
(JSC::DirectJITCode::DirectJITCode):
(JSC::DirectJITCode::initializeCodeRef):
(JSC::NativeJITCode::addressForCall):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
(JSC::JITBinaryMathIC::JITBinaryMathIC):
(JSC::JITUnaryMathIC::JITUnaryMathIC):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emitSlow_op_has_indexed_property):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOperations.cpp:
(JSC::getByVal):
(JSC::tryGetByValOptimize):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITThunks.cpp:
(JSC::JITThunks::hostFunctionStub):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::appropriateOptimizingPutByIdFunction):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::linkFor):
(JSC::revertCall):
(JSC::linkPolymorphicCall):
(JSC::resetGetByID):
(JSC::resetPutByID):
* jit/Repatch.h:
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
(JSC::SpecializedThunkJIT::callDoubleToDouble):
* jit/ThunkGenerators.cpp:
(JSC::emitPointerValidation):
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
(JSC::linkCallThunkGenerator): Deleted.
(JSC::linkPolymorphicCallThunkGenerator): Deleted.
(JSC::virtualThunkFor): Deleted.
(JSC::nativeForGenerator): Deleted.
(JSC::nativeCallGenerator): Deleted.
(JSC::nativeTailCallGenerator): Deleted.
(JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
(JSC::nativeConstructGenerator): Deleted.
(JSC::internalFunctionCallGenerator): Deleted.
(JSC::internalFunctionConstructGenerator): Deleted.
(JSC::arityFixupGenerator): Deleted.
(JSC::unreachableGenerator): Deleted.
(JSC::stringCharLoad): Deleted.
(JSC::charToString): Deleted.
(JSC::charCodeAtThunkGenerator): Deleted.
(JSC::charAtThunkGenerator): Deleted.
(JSC::fromCharCodeThunkGenerator): Deleted.
(JSC::clz32ThunkGenerator): Deleted.
(JSC::sqrtThunkGenerator): Deleted.
(JSC::floorThunkGenerator): Deleted.
(JSC::ceilThunkGenerator): Deleted.
(JSC::truncThunkGenerator): Deleted.
(JSC::roundThunkGenerator): Deleted.
(JSC::expThunkGenerator): Deleted.
(JSC::logThunkGenerator): Deleted.
(JSC::absThunkGenerator): Deleted.
(JSC::imulThunkGenerator): Deleted.
(JSC::randomThunkGenerator): Deleted.
(JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::getCodePtr):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ExecutableBase.h:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::finishCreation):
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator NativeFunction):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setCustom):
(JSC::PropertySlot::setCacheableCustom):
* runtime/PtrTag.h:
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::setCustomValue):
(JSC::PutPropertySlot::setCustomAccessor):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
* runtime/VMTraps.cpp:
(JSC::SignalContext::SignalContext):
(JSC::VMTraps::tryInstallTrapBreakpoints):
* tools/SigillCrashAnalyzer.cpp:
(JSC::installCrashHandler):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
(JSC::Yarr::YarrGenerator::generateEnter):
2018-03-30 Devin Rousso <webkit@devinrousso.com>
Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement
https://bugs.webkit.org/show_bug.cgi?id=175223
Reviewed by Matt Baker.
* inspector/protocol/Canvas.json:
Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the
canvas if the given shader program is active immediately before `drawArrays` or `drawElements`
is called. The blend is removed and the previous value is applied once the draw is complete.
2018-03-30 JF Bastien <jfbastien@apple.com>
WebAssembly: support DataView compilation
https://bugs.webkit.org/show_bug.cgi?id=183342
Reviewed by Mark Lam.
Compiling a module from a DataView was incorrectly dealing with
DataView's offset.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::getWasmBufferFromValue):
(JSC::createSourceBufferFromValue):
* wasm/js/WebAssemblyPrototype.cpp:
(JSC::webAssemblyValidateFunc):
2018-03-30 Filip Pizlo <fpizlo@apple.com>
Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live
https://bugs.webkit.org/show_bug.cgi?id=184189
Reviewed by JF Bastien.
* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::emitBytecode):
2018-03-30 Mark Lam <mark.lam@apple.com>
Add pointer profiling support to Wasm.
https://bugs.webkit.org/show_bug.cgi?id=184175
<rdar://problem/39027923>
Reviewed by JF Bastien.
* runtime/PtrTag.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addGrowMemory):
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::prepare):
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmBinding.h:
* wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/js/WebAssemblyFunction.h:
2018-03-30 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r230102.
Caused assertion failures on JSC bots.
Reverted changeset:
"A stack overflow in the parsing of a builtin (called by
createExecutable) cause a crash instead of a catchable js
exception"
https://bugs.webkit.org/show_bug.cgi?id=184074
https://trac.webkit.org/changeset/230102
2018-03-30 Robin Morisset <rmorisset@apple.com>
Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT
https://bugs.webkit.org/show_bug.cgi?id=183812
Reviewed by Keith Miller.
The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock).
The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::allocateTargetableBlock):
(JSC::DFG::ByteCodeParser::inlineCall):
2018-03-30 Robin Morisset <rmorisset@apple.com>
A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception
https://bugs.webkit.org/show_bug.cgi?id=184074
<rdar://problem/37165897>
Reviewed by Keith Miller.
Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place.
It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError.
Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts.
As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case.
There are now bare calls to '.value()' on several paths that may crash. It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow.
If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too.
Two other minor changes:
- I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead.
- I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/builtins/builtins_generate_combined_header.py:
(BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
(ParserError):
(generate_section_for_object): Deleted.
(generate_externs_for_object): Deleted.
(generate_macros_for_object): Deleted.
(generate_section_for_code_table_macro): Deleted.
(generate_section_for_code_name_macro): Deleted.
(generate_section_for_global_private_code_name_macro): Deleted.
* Scripts/builtins/builtins_generate_separate_header.py:
(generate_secondary_header_includes):
* Scripts/builtins/builtins_templates.py:
* Sources.txt:
* builtins/BuiltinExecutableCreator.cpp: Removed.
* builtins/BuiltinExecutableCreator.h: Removed.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createDefaultConstructor):
(JSC::BuiltinExecutables::createBuiltinExecutable):
(JSC::createBuiltinExecutable):
(JSC::BuiltinExecutables::createExecutableOrCrash):
(JSC::BuiltinExecutables::createExecutable):
* builtins/BuiltinExecutables.h:
* bytecompiler/BytecodeGenerator.h:
* parser/ParserError.cpp: Added.
(JSC::ParserError::toErrorObject):
(JSC::ParserError::throwStackOverflowOrOutOfMemory):
(WTF::printInternal):
* parser/ParserError.h:
(JSC::ParserError::toErrorObject): Deleted.
(WTF::printInternal): Deleted.
* runtime/AsyncIteratorPrototype.cpp:
(JSC::AsyncIteratorPrototype::finishCreation):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnStaticPropertySlot):
(JSC::JSObject::reifyAllStaticProperties):
* runtime/JSObject.h:
(JSC::JSObject::getOwnNonIndexPropertySlot):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
* runtime/JSObjectInlines.h:
(JSC::JSObject::getNonIndexPropertySlot):
* runtime/JSTypedArrayViewPrototype.cpp:
(JSC::JSTypedArrayViewPrototype::finishCreation):
* runtime/Lookup.cpp:
(JSC::reifyStaticAccessor):
(JSC::setUpStaticFunctionSlot):
* runtime/Lookup.h:
(JSC::getStaticPropertySlotFromTable):
(JSC::reifyStaticProperty):
* runtime/MapPrototype.cpp:
(JSC::MapPrototype::finishCreation):
* runtime/SetPrototype.cpp:
(JSC::SetPrototype::finishCreation):
* tools/JSDollarVM.cpp:
(JSC::functionCreateBuiltin):
2018-03-30 Robin Morisset <rmorisset@apple.com>
Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType
https://bugs.webkit.org/show_bug.cgi?id=183657
<rdar://problem/38464399>
Reviewed by Keith Miller.
There was just a missing check in unshiftCountForIndexingType.
I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path',
and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp).
Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk.
* runtime/ArrayPrototype.cpp:
(JSC::unshift):
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountWithAnyIndexingType):
* runtime/JSObject.h:
(JSC::JSObject::ensureLength):
2018-03-29 Mark Lam <mark.lam@apple.com>
Add some pointer profiling support to B3 and Air.
https://bugs.webkit.org/show_bug.cgi?id=184165
<rdar://problem/39022125>
Reviewed by JF Bastien.
* b3/B3LowerMacros.cpp:
* b3/B3LowerMacrosAfterOptimizations.cpp:
* b3/B3MathExtras.cpp:
* b3/B3ReduceStrength.cpp:
* b3/air/AirCCallSpecial.cpp:
(JSC::B3::Air::CCallSpecial::generate):
* b3/air/AirCCallSpecial.h:
* b3/testb3.cpp:
(JSC::B3::testCallSimple):
(JSC::B3::testCallRare):
(JSC::B3::testCallRareLive):
(JSC::B3::testCallSimplePure):
(JSC::B3::testCallFunctionWithHellaArguments):
(JSC::B3::testCallFunctionWithHellaArguments2):
(JSC::B3::testCallFunctionWithHellaArguments3):
(JSC::B3::testCallSimpleDouble):
(JSC::B3::testCallSimpleFloat):
(JSC::B3::testCallFunctionWithHellaDoubleArguments):
(JSC::B3::testCallFunctionWithHellaFloatArguments):
(JSC::B3::testLinearScanWithCalleeOnStack):
(JSC::B3::testInterpreter):
(JSC::B3::testLICMPure):
(JSC::B3::testLICMPureSideExits):
(JSC::B3::testLICMPureWritesPinned):
(JSC::B3::testLICMPureWrites):
(JSC::B3::testLICMReadsLocalState):
(JSC::B3::testLICMReadsPinned):
(JSC::B3::testLICMReads):
(JSC::B3::testLICMPureNotBackwardsDominant):
(JSC::B3::testLICMPureFoiledByChild):
(JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
(JSC::B3::testLICMExitsSideways):
(JSC::B3::testLICMWritesLocalState):
(JSC::B3::testLICMWrites):
(JSC::B3::testLICMFence):
(JSC::B3::testLICMWritesPinned):
(JSC::B3::testLICMControlDependent):
(JSC::B3::testLICMControlDependentNotBackwardsDominant):
(JSC::B3::testLICMControlDependentSideExits):
(JSC::B3::testLICMReadsPinnedWritesPinned):
(JSC::B3::testLICMReadsWritesDifferentHeaps):
(JSC::B3::testLICMReadsWritesOverlappingHeaps):
(JSC::B3::testLICMDefaultCall):
(JSC::B3::testShuffleDoesntTrashCalleeSaves):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
* jit/GPRInfo.h:
* runtime/PtrTag.h:
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
2018-03-29 JF Bastien <jfbastien@apple.com>
Use Forward.h instead of forward-declaring WTF::String
https://bugs.webkit.org/show_bug.cgi?id=184172
<rdar://problem/39026146>
Reviewed by Yusuke Suzuki.
As part of #184164 I'm changing WTF::String, and the forward
declarations are just wrong because I'm making it templated. We
should use Forward.h anyways, so do that instead.
* runtime/DateConversion.h:
2018-03-29 Mark Lam <mark.lam@apple.com>
Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*.
https://bugs.webkit.org/show_bug.cgi?id=184163
<rdar://problem/39020397>
Reviewed by JF Bastien.
With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers.
Also renamed some structs, methods, and variable names to be more accurate.
Previously, there is some confusion between a code pointer and the address of a
code pointer (sometimes referred to in the code as a "LoadLocation"). We now name
the LoadLocation variables appropriately to distinguish them from code pointers.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmCodeBlock.cpp:
(JSC::Wasm::CodeBlock::CodeBlock):
* wasm/WasmCodeBlock.h:
(JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
(JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
* wasm/WasmFormat.h:
(JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction):
(JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation):
(JSC::Wasm::CallableFunction::CallableFunction): Deleted.
(JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation):
(JSC::Wasm::Instance::offsetOfWasmToEmbedderStub):
(JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted.
(JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::Table):
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::clearFunction):
(JSC::Wasm::Table::setFunction):
* wasm/WasmTable.h:
(JSC::Wasm::Table::offsetOfFunctions):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finalizeCreation):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::setFunction):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::WebAssemblyFunction):
* wasm/js/WebAssemblyFunction.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyWrapperFunction.cpp:
(JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
(JSC::WebAssemblyWrapperFunction::create):
* wasm/js/WebAssemblyWrapperFunction.h:
2018-03-29 Yusuke Suzuki <utatane.tea@gmail.com>
Remove WTF_EXPORTDATA and JS_EXPORTDATA
https://bugs.webkit.org/show_bug.cgi?id=184170
Reviewed by JF Bastien.
Replace WTF_EXPORTDATA and JS_EXPORTDATA with
WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively.
* heap/WriteBarrierSupport.h:
* jit/ExecutableAllocator.cpp:
* jit/ExecutableAllocator.h:
* runtime/JSCPoison.h:
* runtime/JSCell.h:
* runtime/JSExportMacros.h:
* runtime/JSGlobalObject.h:
* runtime/JSObject.h:
* runtime/Options.h:
* runtime/PropertyDescriptor.h:
* runtime/PropertyMapHashTable.h:
* runtime/SamplingCounter.h:
2018-03-29 Ross Kirsling <ross.kirsling@sony.com>
MSVC __forceinline slows down JSC release build fivefold after r229391
https://bugs.webkit.org/show_bug.cgi?id=184062
Reviewed by Alex Christensen.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::marshallArgumentRegister):
Exempt MSVC from a single forced inline used within recursive templates.
2018-03-29 Keith Miller <keith_miller@apple.com>
ArrayMode should not try to get the DFG to think it can convert TypedArrays
https://bugs.webkit.org/show_bug.cgi?id=184137
Reviewed by Saam Barati.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
2018-03-29 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r230062.
https://bugs.webkit.org/show_bug.cgi?id=184128
Broke mac port. web content process crashes while loading any
web page (Requested by rniwa on #webkit).
Reverted changeset:
"MSVC __forceinline slows down JSC release build fivefold
after r229391"
https://bugs.webkit.org/show_bug.cgi?id=184062
https://trac.webkit.org/changeset/230062
2018-03-28 Ross Kirsling <ross.kirsling@sony.com>
MSVC __forceinline slows down JSC release build fivefold after r229391
https://bugs.webkit.org/show_bug.cgi?id=184062
Reviewed by Alex Christensen.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::marshallArgumentRegister):
Exempt MSVC from a single forced inline used within recursive templates.
2018-03-28 Mark Lam <mark.lam@apple.com>
Enhance ARM64 probe to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=184069
<rdar://problem/38939879>
Reviewed by JF Bastien.
* assembler/MacroAssemblerARM64.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::popPair):
(JSC::MacroAssemblerX86Common::pushPair):
* assembler/testmasm.cpp:
(JSC::testProbeReadsArgumentRegisters):
(JSC::testProbeWritesArgumentRegisters):
* runtime/PtrTag.h:
(JSC::tagForPtr):
2018-03-28 Robin Morisset <rmorisset@apple.com>
appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards
https://bugs.webkit.org/show_bug.cgi?id=183894
Reviewed by Saam Barati.
Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle.
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):
2018-03-28 Carlos Garcia Campos <cgarcia@igalia.com>
[JSC] Move WeakValueRef class to its own file and use it from Objc and GLib
https://bugs.webkit.org/show_bug.cgi?id=184073
Reviewed by Yusuke Suzuki.
We currently have duplicated code in Obj and GLib implementations.
* API/JSManagedValue.mm:
(managedValueHandleOwner):
(-[JSManagedValue initWithValue:]):
* API/JSWeakValue.cpp: Added.
(JSC::JSWeakValue::~JSWeakValue):
(JSC::JSWeakValue::clear):
(JSC::JSWeakValue::isClear const):
(JSC::JSWeakValue::setPrimitive):
(JSC::JSWeakValue::setObject):
(JSC::JSWeakValue::setString):
* API/JSWeakValue.h: Added.
(JSC::JSWeakValue::isSet const):
(JSC::JSWeakValue::isPrimitive const):
(JSC::JSWeakValue::isObject const):
(JSC::JSWeakValue::isString const):
(JSC::JSWeakValue::object const):
(JSC::JSWeakValue::primitive const):
(JSC::JSWeakValue::string const):
* API/glib/JSCWeakValue.cpp:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
2018-03-27 Carlos Garcia Campos <cgarcia@igalia.com>
[GLIB] Add JSCWeakValue to JavaScriptCore GLib API
https://bugs.webkit.org/show_bug.cgi?id=184041
Reviewed by Michael Catanzaro.
This allows to keep a reference to a JavaSCript value without protecting it, and without having a strong
reference of the context. When the value is cleared the JSCWeakValue::cleared signal is emitted and
jsc_weak_value_get_value() will always return nullptr.
* API/glib/JSCWeakValue.cpp: Added.
(WeakValueRef::~WeakValueRef):
(WeakValueRef::clear):
(WeakValueRef::isClear const):
(WeakValueRef::isSet const):
(WeakValueRef::isPrimitive const):
(WeakValueRef::isObject const):
(WeakValueRef::isString const):
(WeakValueRef::setPrimitive):
(WeakValueRef::setObject):
(WeakValueRef::setString):
(WeakValueRef::object const):
(WeakValueRef::primitive const):
(WeakValueRef::string const):
(weakValueHandleOwner):
(jscWeakValueInitialize):
(jscWeakValueSetProperty):
(jscWeakValueDispose):
(jsc_weak_value_class_init):
(jsc_weak_value_new):
(jsc_weak_value_get_value):
* API/glib/JSCWeakValue.h: Added.
* API/glib/docs/jsc-glib-4.0-sections.txt:
* API/glib/docs/jsc-glib-docs.sgml:
* API/glib/jsc.h:
* GLib.cmake:
2018-03-27 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64)
https://bugs.webkit.org/show_bug.cgi?id=181292
Reviewed by Saam Barati.
By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
(JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2018-03-27 Yusuke Suzuki <utatane.tea@gmail.com>
Add Load16Z for B3 and use it in WebAssembly
https://bugs.webkit.org/show_bug.cgi?id=165884
Reviewed by JF Bastien.
We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly.
spec-tests/memory.wast.js already covered this change.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitLoadOp):
2018-03-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove repeated iteration of ElementNode
https://bugs.webkit.org/show_bug.cgi?id=183987
Reviewed by Keith Miller.
BytecodeGenerator repeatedly iterates ElementNode to emit the efficient code.
While it is OK for small arrays, this repeated iteration takes much time
if the array is very large. For example, Kraken's initialization code includes
very large array with numeric literals. This makes bytecode compiling so long.
This patch carefully removes unnecessary iteration when emitting arrays.
This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms
to 9.988050 ms.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArrayBuffer):
(JSC::BytecodeGenerator::emitNewArray):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ArrayPatternNode::bindValue const):
(JSC::ArrayPatternNode::emitDirectBinding):
2018-03-26 Ross Kirsling <ross.kirsling@sony.com>
JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows.
https://bugs.webkit.org/show_bug.cgi?id=183655
Reviewed by Keith Miller.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::ArgCollection::argCount):
(JSC::CCallHelpers::marshallArgumentRegister):
(JSC::CCallHelpers::setupArgumentsImpl):
On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType.
* jit/JIT.h:
(JSC::JIT::callOperation):
(JSC::JIT::is64BitType):
(JSC::JIT::is64BitType<void>):
On Win64, ensure special call is used for SlowPathReturnType.
* jit/JITOperations.h:
Update changed type.
2018-03-26 Yusuke Suzuki <utatane.tea@gmail.com>
We should have SSE4 detection in the X86 MacroAssembler.
https://bugs.webkit.org/show_bug.cgi?id=165363
Reviewed by JF Bastien.
This patch adds popcnt support to WASM in x86_64 environment.
To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common.
Our spec-tests already cover popcnt.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::supportsCountPopulation):
* assembler/MacroAssemblerX86Common.cpp:
(JSC::MacroAssemblerX86Common::getCPUID):
(JSC::MacroAssemblerX86Common::getCPUIDEx):
(JSC::MacroAssemblerX86Common::collectCPUFeatures):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::countPopulation32):
(JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
(JSC::MacroAssemblerX86Common::supportsCountPopulation):
(JSC::MacroAssemblerX86Common::supportsAVX):
(JSC::MacroAssemblerX86Common::supportsLZCNT):
(JSC::MacroAssemblerX86Common::supportsBMI1):
(JSC::MacroAssemblerX86Common::isSSE2Present):
(JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::countPopulation64):
* assembler/X86Assembler.h:
(JSC::X86Assembler::popcnt_rr):
(JSC::X86Assembler::popcnt_mr):
(JSC::X86Assembler::popcntq_rr):
(JSC::X86Assembler::popcntq_mr):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addOp<OpType::I32Popcnt>):
(JSC::Wasm::B3IRGenerator::addOp<OpType::I64Popcnt>):
2018-03-26 Filip Pizlo <fpizlo@apple.com>
DFG should know that CreateThis can be effectful
https://bugs.webkit.org/show_bug.cgi?id=184013
Reviewed by Saam Barati.
As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
is a proxy.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-03-25 Saam Barati <sbarati@apple.com>
Fix typo in JSC option name
https://bugs.webkit.org/show_bug.cgi?id=184001
Reviewed by Mark Lam.
enableJITDebugAssetions => enableJITDebugAssertions.
* assembler/MacroAssembler.cpp:
(JSC::MacroAssembler::jitAssert):
* runtime/Options.h:
2018-03-25 Saam Barati <sbarati@apple.com>
r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
https://bugs.webkit.org/show_bug.cgi?id=183995
Reviewed by Filip Pizlo.
The removal of this line of code was unintended and happened during some
refactoring Fil was doing. The consequence of removing this line of code
is that the m_emptyCursor became a monotonically increasing integer, leading
the cursor to usually being out of bounds of the block range (depending on
what the program is doing). This made the functionality of finding an empty
block to steal almost always fail.
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::prepareForAllocation):
2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Introduces fused compare and jump
https://bugs.webkit.org/show_bug.cgi?id=177100
Reviewed by Mark Lam.
This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq.
It offers 3 benefit.
1. They are introduced due to the similar purpose to op_jless etc. It aligns
op_eq families to op_jless families.
2. It reduces the size of bytecode to represent the typical code sequence.
3. It offers the way to fuse check and jump in DFG code generation. Since
we have MovHint between Branch and CompareEq/CompareStrictEq previously,
we cannot do this optimization. It reduces the machine code size in DFG too.
It slightly improves Octane/boyer.
boyer 6.18038+-0.05002 ^ 6.06990+-0.04176 ^ definitely 1.0182x faster
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/Opcode.h:
(JSC::isBranch):
* bytecode/PreciseJumpTargetsInlines.h:
(JSC::extractStoredJumpTargetsForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitJumpIfTrue):
(JSC::BytecodeGenerator::emitJumpIfFalse):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_jeq):
(JSC::JIT::emit_op_neq):
(JSC::JIT::emit_op_jneq):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_stricteq):
(JSC::JIT::emit_op_nstricteq):
(JSC::JIT::compileOpStrictEqJump):
(JSC::JIT::emit_op_jstricteq):
(JSC::JIT::emit_op_jnstricteq):
(JSC::JIT::emitSlow_op_jstricteq):
(JSC::JIT::emitSlow_op_jnstricteq):
(JSC::JIT::emitSlow_op_jeq):
(JSC::JIT::emitSlow_op_jneq):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::emit_op_jeq):
(JSC::JIT::compileOpEqJumpSlow):
(JSC::JIT::emitSlow_op_jeq):
(JSC::JIT::emit_op_jneq):
(JSC::JIT::emitSlow_op_jneq):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_stricteq):
(JSC::JIT::emit_op_nstricteq):
(JSC::JIT::compileOpStrictEqJump):
(JSC::JIT::emit_op_jstricteq):
(JSC::JIT::emit_op_jnstricteq):
(JSC::JIT::emitSlow_op_jstricteq):
(JSC::JIT::emitSlow_op_jnstricteq):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-03-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Improve constants and add comments for CodeBlockHash
https://bugs.webkit.org/show_bug.cgi?id=183982
Rubber-stamped by Mark Lam.
* bytecode/CodeBlockHash.cpp:
(JSC::CodeBlockHash::CodeBlockHash):
* bytecode/ParseHash.cpp:
(JSC::ParseHash::ParseHash):
2018-03-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add options to report parsing and bytecode compiling times
https://bugs.webkit.org/show_bug.cgi?id=183982
Reviewed by Mark Lam.
This patch adds reportParseTimes and reportBytecodeCompileTimes options.
When they are enabled, JSC reports times consumed for parsing and bytecode
compiling.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/ParseHash.cpp: Added.
(JSC::ParseHash::ParseHash):
* bytecode/ParseHash.h: Added.
(JSC::ParseHash::hashForCall const):
(JSC::ParseHash::hashForConstruct const):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::generate):
* parser/Parser.h:
(JSC::parse):
* runtime/CodeCache.h:
(JSC::generateUnlinkedCodeBlock):
* runtime/Options.h:
2018-03-24 Yusuke Suzuki <utatane.tea@gmail.com>
[JIT] Drop ENABLE_JIT_VERBOSE flag
https://bugs.webkit.org/show_bug.cgi?id=183983
Reviewed by Mark Lam.
Just use JITInternal::verbose value.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
2018-03-23 Tim Horton <timothy_horton@apple.com>
Fix the build with no pasteboard
https://bugs.webkit.org/show_bug.cgi?id=183973
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
2018-03-23 Mark Lam <mark.lam@apple.com>
LLInt TypeArray pointer poisoning should not pick its poison dynamically.
https://bugs.webkit.org/show_bug.cgi?id=183942
<rdar://problem/38798018>
Reviewed by JF Bastien.
1. Move the LLInt TypedArray unpoisoning to just before the array access after
all the branches.
2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
3. Remove a useless instruction in the implementation of emitX86Lea for a global
label.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/x86.rb:
2018-03-23 Mark Lam <mark.lam@apple.com>
Add more support for pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183943
<rdar://problem/38799068>
Reviewed by JF Bastien.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::linkJumpOrCall):
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::repatchNearCall):
(JSC::AbstractMacroAssembler::tagReturnAddress):
(JSC::AbstractMacroAssembler::untagReturnAddress):
2018-03-23 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Add standard containers with FastAllocator specialization
https://bugs.webkit.org/show_bug.cgi?id=183789
Reviewed by Darin Adler.
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::testDoubleLiteralComparison):
(JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
* dfg/DFGGraph.h:
* dfg/DFGIntegerCheckCombiningPhase.cpp:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
* runtime/FunctionHasExecutedCache.h:
* runtime/TypeLocationCache.h:
2018-03-23 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
https://bugs.webkit.org/show_bug.cgi?id=182960
Reviewed by Saam Barati.
This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
It should always touch ArrayStorage_vector. To unify
vector setting code for the real ArrayStorage_vector and
ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
annotate this.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2018-03-23 Zan Dobersek <zdobersek@igalia.com>
Unreviewed build fix for GCC 4.9 builds.
* assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't
supported in 4.9 libstdc++, so wrap the static assert using it in a
COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin,
as is done in bitwise_cast() in StdLibExtras.h.
2018-03-22 Tim Horton <timothy_horton@apple.com>
Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore
https://bugs.webkit.org/show_bug.cgi?id=183930
<rdar://problem/38782249>
Reviewed by Dan Bernstein.
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-03-22 Mark Lam <mark.lam@apple.com>
Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register.
https://bugs.webkit.org/show_bug.cgi?id=183914
<rdar://problem/38763536>
Reviewed by Saam Barati and JF Bastien.
This is in preparation for supporting pointer profiling work.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::jump):
(JSC::MacroAssemblerARM::call):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::jump):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::jump):
(JSC::MacroAssemblerARMv7::call):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::jump):
(JSC::MacroAssemblerMIPS::call):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::call):
(JSC::MacroAssemblerX86::jump):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::jump):
(JSC::MacroAssemblerX86Common::call):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::call):
(JSC::MacroAssemblerX86_64::jump):
2018-03-22 Tim Horton <timothy_horton@apple.com>
Improve readability of WebCore's OTHER_LDFLAGS
https://bugs.webkit.org/show_bug.cgi?id=183909
<rdar://problem/38760992>
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
* Configurations/FeatureDefines.xcconfig:
2018-03-22 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Thumb: Do not decorate bottom bit twice
https://bugs.webkit.org/show_bug.cgi?id=183906
Reviewed by Mark Lam.
Use MacroAssemblerCodePtr::createFromExecutableAddress instead of
MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as
a thumb pointer.
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
https://bugs.webkit.org/show_bug.cgi?id=183559
Reviewed by Mark Lam.
When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
to clear NodeMustGenerate for this ToString. It should be since it does not have
any user-observable side effect. This patch clears NodeMustGenerate.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] List up all candidates in DFGCapabilities and FTLCapabilities
https://bugs.webkit.org/show_bug.cgi?id=183897
Reviewed by Mark Lam.
We should not use `default:` clause here since it accidentally catches
the opcode and DFG nodes which should be optimized. For example,
op_super_sampler_begin and op_super_sampler_end are not listed while
they have DFG and FTL backend.
This patch lists up all candiates in DFGCapabilities and FTLCapabilities.
And we also clean up unnecessary checks in FTLCapabilities. Since we
already handles all the possible array types for these nodes (which can
be checked in DFG's code), we do not need to check array types.
We also fix FTLLowerDFGToB3' PutByVal code to use modeForPut.
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
2018-03-22 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Drop op_put_by_index
https://bugs.webkit.org/show_bug.cgi?id=183899
Reviewed by Mark Lam.
This patch drops op_put_by_index.
1. This functionality can be just covered by direct put_by_val.
2. put_by_index is not well optimized. It is just calling a C
function. And it does not have DFG handling.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitPutByIndex): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ArrayPatternNode::emitDirectBinding):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_index): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_index): Deleted.
* llint/LLIntSlowPaths.cpp:
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
2018-03-22 Michael Saboff <msaboff@apple.com>
Race Condition in arrayProtoFuncReverse() causes wrong results or crash
https://bugs.webkit.org/show_bug.cgi?id=183901
Reviewed by Keith Miller.
Added write barriers to ensure the reversed contents are properly marked.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncReverse):
2018-03-21 Filip Pizlo <fpizlo@apple.com>
ScopedArguments should do poisoning and index masking
https://bugs.webkit.org/show_bug.cgi?id=183863
Reviewed by Mark Lam.
This outlines the ScopedArguments overflow storage and adds poisoning.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitScopedArgumentsGetByVal):
* runtime/JSCPoison.h:
* runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::ScopedArguments):
(JSC::ScopedArguments::createUninitialized):
(JSC::ScopedArguments::visitChildren):
* runtime/ScopedArguments.h:
2018-03-21 Mark Lam <mark.lam@apple.com>
Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag.
https://bugs.webkit.org/show_bug.cgi?id=183861
<rdar://problem/38716822>
Reviewed by Filip Pizlo.
Also added ptrTagName() to aid debugging. ptrTagName() is implemented using this
new PtrTag macro list.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/PtrTag.cpp: Added.
(JSC::ptrTagName):
* runtime/PtrTag.h:
2018-03-21 Mark Lam <mark.lam@apple.com>
Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math.
https://bugs.webkit.org/show_bug.cgi?id=183857
<rdar://problem/38712184>
Reviewed by JF Bastien.
We should avoid doing pointer math with CodeBlock::instructions().begin().
Instead, we should use the operator[] that comes with CodeBlock::instructions()
for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing
the bytecode offset of a given Instruction*. These methods will do assertions
which helps catch bugs sooner, plus they are more descriptive of the operation
we're trying to do.
* bytecode/BytecodeKills.h:
(JSC::BytecodeKills::operandIsKilled const):
(JSC::BytecodeKills::forEachOperandKilledAt const):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::arithProfileForBytecodeOffset):
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::callSiteBitsAsBytecodeOffset const):
(JSC::CallFrame::currentVPC const):
(JSC::CallFrame::setCurrentVPC):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::updateTopCallFrame):
(JSC::JIT::copiedInstruction):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_trace_operand):
(JSC::LLInt::llint_trace_value):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
(JSC::LLInt::getByVal): Deleted.
(JSC::LLInt::handleHostCall): Deleted.
(JSC::LLInt::setUpCall): Deleted.
(JSC::LLInt::genericCall): Deleted.
(JSC::LLInt::varargsSetup): Deleted.
(JSC::LLInt::llint_throw_stack_overflow_error): Deleted.
(JSC::LLInt::llint_stack_check_at_vm_entry): Deleted.
(JSC::LLInt::llint_write_barrier_slow): Deleted.
(JSC::LLInt::llint_crash): Deleted.
* runtime/SamplingProfiler.cpp:
(JSC::tryGetBytecodeIndex):
2018-03-21 Keith Miller <keith_miller@apple.com>
btjs should print the bytecode offset in the stack trace for JS frames
https://bugs.webkit.org/show_bug.cgi?id=183856
Reviewed by Filip Pizlo.
* interpreter/CallFrame.cpp:
(JSC::CallFrame::bytecodeOffset):
(JSC::CallFrame::dump):
2018-03-21 Carlos Garcia Campos <cgarcia@igalia.com>
Unreviewed. Fix GTK and WPE debug build after r229798.
Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing.
* API/glib/JSCCallbackFunction.cpp:
(JSC::JSCCallbackFunction::JSCCallbackFunction):
* API/glib/JSCContext.cpp:
(jscContextSetVirtualMachine):
(jscContextGetJSContext):
(wrapperMap):
(jscContextHandleExceptionIfNeeded):
* API/glib/JSCValue.cpp:
(jscValueCallFunction):
* API/glib/JSCVirtualMachine.cpp:
(addWrapper):
(removeWrapper):
(jscVirtualMachineSetContextGroup):
(jscVirtualMachineAddContext):
(jscVirtualMachineRemoveContext):
* API/glib/JSCWrapperMap.cpp:
(JSC::WrapperMap::gobjectWrapper):
(JSC::WrapperMap::unwrap):
(JSC::WrapperMap::registerClass):
(JSC::WrapperMap::createJSWrappper):
(JSC::WrapperMap::wrappedObject const):
2018-03-21 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK][WPE] JSC bindings not introspectable
https://bugs.webkit.org/show_bug.cgi?id=136989
Reviewed by Michael Catanzaro.
Make it possible to include individual headers when building WebKit layer.
* API/glib/JSCAutocleanups.h:
* API/glib/JSCClass.h:
* API/glib/JSCContext.h:
* API/glib/JSCException.h:
* API/glib/JSCValue.h:
* API/glib/JSCVersion.h.in:
* API/glib/JSCVirtualMachine.h:
2018-03-21 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK][WPE] Initial implementation of JavaScriptCore glib bindings
https://bugs.webkit.org/show_bug.cgi?id=164061
Reviewed by Michael Catanzaro.
Add initial GLib API for JavaScriptCore.
* API/JSAPIWrapperObject.h:
* API/glib/JSAPIWrapperObjectGLib.cpp: Added.
(jsAPIWrapperObjectHandleOwner):
(JSAPIWrapperObjectHandleOwner::finalize):
(JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
(JSC::JSCallbackObject<JSAPIWrapperObject>::createStructure):
(JSC::JSAPIWrapperObject::JSAPIWrapperObject):
(JSC::JSAPIWrapperObject::finishCreation):
(JSC::JSAPIWrapperObject::setWrappedObject):
(JSC::JSAPIWrapperObject::visitChildren):
* API/glib/JSCAutocleanups.h: Added.
* API/glib/JSCCallbackFunction.cpp: Added.
(JSC::callAsFunction):
(JSC::callAsConstructor):
(JSC::JSCCallbackFunction::create):
(JSC::JSCCallbackFunction::JSCCallbackFunction):
(JSC::JSCCallbackFunction::call):
(JSC::JSCCallbackFunction::construct):
(JSC::JSCCallbackFunction::destroy):
* API/glib/JSCCallbackFunction.h: Added.
(JSC::JSCCallbackFunction::createStructure):
(JSC::JSCCallbackFunction::functionCallback):
(JSC::JSCCallbackFunction::constructCallback):
* API/glib/JSCClass.cpp: Added.
(jscClassGetProperty):
(jscClassSetProperty):
(jscClassDispose):
(jscClassConstructed):
(jsc_class_class_init):
(jscClassCreate):
(jscClassGetJSClass):
(jscClassGetOrCreateJSWrapper):
(jscClassInvalidate):
(jsc_class_get_name):
(jsc_class_get_parent):
(jsc_class_add_constructor):
(jsc_class_add_method):
(jsc_class_add_property):
* API/glib/JSCClass.h: Added.
* API/glib/JSCClassPrivate.h: Added.
* API/glib/JSCContext.cpp: Added.
(ExceptionHandler::ExceptionHandler):
(ExceptionHandler::~ExceptionHandler):
(jscContextSetVirtualMachine):
(jscContextGetProperty):
(jscContextSetProperty):
(jscContextConstructed):
(jscContextDispose):
(jsc_context_class_init):
(jscContextGetOrCreate):
(jscContextGetJSContext):
(wrapperMap):
(jscContextGetOrCreateValue):
(jscContextValueDestroyed):
(jscContextGetJSWrapper):
(jscContextGetOrCreateJSWrapper):
(jscContextWrappedObject):
(jscContextPushCallback):
(jscContextPopCallback):
(jscContextGArrayToJSArray):
(jscContextJSArrayToGArray):
(jscContextGValueToJSValue):
(jscContextJSValueToGValue):
(jsc_context_new):
(jsc_context_new_with_virtual_machine):
(jsc_context_get_virtual_machine):
(jsc_context_get_exception):
(jsc_context_throw):
(jsc_context_throw_exception):
(jsc_context_push_exception_handler):
(jsc_context_pop_exception_handler):
(jscContextHandleExceptionIfNeeded):
(jsc_context_get_current):
(jsc_context_evaluate):
(jsc_context_evaluate_with_source_uri):
(jsc_context_set_value):
(jsc_context_get_value):
(jsc_context_register_class):
* API/glib/JSCContext.h: Added.
* API/glib/JSCContextPrivate.h: Added.
* API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h.
* API/glib/JSCException.cpp: Added.
(jscExceptionDispose):
(jsc_exception_class_init):
(jscExceptionCreate):
(jscExceptionGetJSValue):
(jscExceptionEnsureProperties):
(jsc_exception_new):
(jsc_exception_get_message):
(jsc_exception_get_line_number):
(jsc_exception_get_source_uri):
* API/glib/JSCException.h: Added.
* API/glib/JSCExceptionPrivate.h: Added.
* API/glib/JSCGLibWrapperObject.h: Added.
(JSC::JSCGLibWrapperObject::JSCGLibWrapperObject):
(JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject):
(JSC::JSCGLibWrapperObject::object const):
* API/glib/JSCValue.cpp: Added.
(jscValueGetProperty):
(jscValueSetProperty):
(jscValueDispose):
(jsc_value_class_init):
(jscValueGetJSValue):
(jscValueCreate):
(jsc_value_get_context):
(jsc_value_new_undefined):
(jsc_value_is_undefined):
(jsc_value_new_null):
(jsc_value_is_null):
(jsc_value_new_number):
(jsc_value_is_number):
(jsc_value_to_double):
(jsc_value_to_int32):
(jsc_value_new_boolean):
(jsc_value_is_boolean):
(jsc_value_to_boolean):
(jsc_value_new_string):
(jsc_value_is_string):
(jsc_value_to_string):
(jsc_value_new_array):
(jsc_value_new_array_from_garray):
(jsc_value_is_array):
(jsc_value_new_object):
(jsc_value_is_object):
(jsc_value_object_is_instance_of):
(jsc_value_object_set_property):
(jsc_value_object_get_property):
(jsc_value_object_set_property_at_index):
(jsc_value_object_get_property_at_index):
(jscValueCallFunction):
(jsc_value_object_invoke_method):
(jsc_value_object_define_property_data):
(jsc_value_object_define_property_accessor):
(jsc_value_new_function):
(jsc_value_is_function):
(jsc_value_function_call):
(jsc_value_is_constructor):
(jsc_value_constructor_call):
* API/glib/JSCValue.h: Added.
* API/glib/JSCValuePrivate.h: Added.
* API/glib/JSCVersion.cpp: Added.
(jsc_get_major_version):
(jsc_get_minor_version):
(jsc_get_micro_version):
* API/glib/JSCVersion.h.in: Added.
* API/glib/JSCVirtualMachine.cpp: Added.
(addWrapper):
(removeWrapper):
(jscVirtualMachineSetContextGroup):
(jscVirtualMachineEnsureContextGroup):
(jscVirtualMachineDispose):
(jsc_virtual_machine_class_init):
(jscVirtualMachineGetOrCreate):
(jscVirtualMachineGetContextGroup):
(jscVirtualMachineAddContext):
(jscVirtualMachineRemoveContext):
(jscVirtualMachineGetContext):
(jsc_virtual_machine_new):
* API/glib/JSCVirtualMachine.h: Added.
* API/glib/JSCVirtualMachinePrivate.h: Added.
* API/glib/JSCWrapperMap.cpp: Added.
(JSC::WrapperMap::WrapperMap):
(JSC::WrapperMap::~WrapperMap):
(JSC::WrapperMap::gobjectWrapper):
(JSC::WrapperMap::unwrap):
(JSC::WrapperMap::registerClass):
(JSC::WrapperMap::createJSWrappper):
(JSC::WrapperMap::jsWrapper const):
(JSC::WrapperMap::wrappedObject const):
* API/glib/JSCWrapperMap.h: Added.
* API/glib/docs/jsc-glib-4.0-sections.txt: Added.
* API/glib/docs/jsc-glib-4.0.types: Added.
* API/glib/docs/jsc-glib-docs.sgml: Added.
* API/glib/jsc.h: Added.
* CMakeLists.txt:
* GLib.cmake: Added.
* JavaScriptCore.gir.in: Removed.
* PlatformGTK.cmake:
* PlatformWPE.cmake:
* heap/Heap.cpp:
(JSC::Heap::releaseDelayedReleasedObjects):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::releaseSoon):
* javascriptcoregtk.pc.in:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
(JSC::JSGlobalObject::setWrapperMap):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::glibCallbackFunctionStructure const):
(JSC::JSGlobalObject::glibWrapperObjectStructure const):
(JSC::JSGlobalObject::wrapperMap const):
2018-03-21 Christopher Reid <chris.reid@sony.com>
Windows 64-bit build fix after r229767
https://bugs.webkit.org/show_bug.cgi?id=183810
Reviewed by Mark Lam.
Removing an extra parameter in the call to m_assember::call.
* assembler/MacroAssemblerX86_64.h:
2018-03-20 Dan Bernstein <mitz@apple.com>
[Xcode] JSVALUE_MODEL is unused
https://bugs.webkit.org/show_bug.cgi?id=183809
Reviewed by Tim Horton.
* Configurations/JavaScriptCore.xcconfig: Removed the unused definition.
2018-03-20 Tim Horton <timothy_horton@apple.com>
Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR
https://bugs.webkit.org/show_bug.cgi?id=183808
<rdar://problem/38692079>
Reviewed by Dan Bernstein.
* Configurations/JavaScriptCore.xcconfig:
2018-03-20 Tim Horton <timothy_horton@apple.com>
Enable the minimal simulator feature flag when appropriate
https://bugs.webkit.org/show_bug.cgi?id=183807
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
2018-03-20 Saam Barati <sbarati@apple.com>
We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
https://bugs.webkit.org/show_bug.cgi?id=183795
<rdar://problem/38298694>
Reviewed by JF Bastien.
We were just assuming that the constants we were inserting were
always exitOK=true. However, this breaks validation. The exitOK
we emit for the constants in the NewArrayBuffer should respect
the current exit state of the IR we've emitted. This is just IR
bookkeeping since JSConstant is a non-exiting node.
* dfg/DFGArgumentsEliminationPhase.cpp:
2018-03-20 Guillaume Emont <guijemont@igalia.com>
MIPS+Armv7 builds are broken since r229391
https://bugs.webkit.org/show_bug.cgi?id=183474
Reviewed by Yusuke Suzuki.
Add missing armv7 and mips operations and fix arguments to a call to
operationGetByValCell. This should fix compilation on MIPS and Armv7
(though it does not implement the missing setupArguments stuff in
CCallHelpers).
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::swap):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::swap):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/FPRInfo.h:
2018-03-20 Tim Horton <timothy_horton@apple.com>
Add and adopt WK_PLATFORM_NAME and adjust default feature defines
https://bugs.webkit.org/show_bug.cgi?id=183758
<rdar://problem/38017644>
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
2018-03-20 Mark Lam <mark.lam@apple.com>
Improve FunctionPtr and use it in the JIT CallRecord.
https://bugs.webkit.org/show_bug.cgi?id=183756
<rdar://problem/38641335>
Reviewed by JF Bastien.
1. FunctionPtr hold a C/C++ function pointer by default. Change its default
PtrTag to reflect that.
2. Delete the FunctionPtr::value() method. It is effectively a duplicate of
executableAddress().
3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to
take "any" pointer. "any" in this case means that the pointer may not be typed
as a C/C++ function to the C++ compiler (due to upstream casting or usage of
void* as a storage type), but it is still expected to be pointing to a C/C++
function.
4. Added a FunctionPtr constructor that takes another FunctionPtr. This is a
convenience constructor that lets us retag the underlying pointer. The other
FunctionPtr is still expected to point to a C/C++ function.
5. Added PtrTag assertion placeholder functions to be implemented later.
6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void* to
pointer. This improves type safety, and assists in getting pointer tagging
right later.
7. Added versions of JIT callOperations methods that will take a PtrTag.
This is preparation for more more pointer tagging work later.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::linkCall):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::linkCall):
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::operator bool const):
(JSC::FunctionPtr::operator! const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::MacroAssemblerCodePtr::retagged const):
(JSC::MacroAssemblerCodeRef::retaggedCode const):
(JSC::FunctionPtr::value const): Deleted.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::linkCall):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::linkCall):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
(JSC::MacroAssemblerX86_64::linkCall):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLSlowPathCall.h:
(JSC::FTL::callOperation):
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/JIT.cpp:
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::CallRecord::CallRecord):
(JSC::JIT::appendCall):
(JSC::JIT::appendCallWithSlowPathReturnType):
(JSC::JIT::callOperation):
(JSC::JIT::callOperationWithProfile):
(JSC::JIT::callOperationWithResult):
(JSC::JIT::callOperationNoExceptionCheck):
(JSC::JIT::callOperationWithCallFrameRollbackOnException):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
* jit/JITInlines.h:
(JSC::JIT::emitNakedCall):
(JSC::JIT::emitNakedTailCall):
(JSC::JIT::appendCallWithExceptionCheck):
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
(JSC::JIT::appendCallWithCallFrameRollbackOnException):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::JITSlowPathCall):
(JSC::JITSlowPathCall::call):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* runtime/PtrTag.h:
(JSC::nextPtrTagID):
(JSC::assertIsCFunctionPtr):
(JSC::assertIsNullOrCFunctionPtr):
(JSC::assertIsNotTagged):
(JSC::assertIsTagged):
(JSC::assertIsNullOrTagged):
(JSC::assertIsTaggedWith):
(JSC::assertIsNullOrTaggedWith):
(JSC::uniquePtrTagID): Deleted.
2018-03-20 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
[MIPS] Optimize generated JIT code for loads/stores
https://bugs.webkit.org/show_bug.cgi?id=183243
Reviewed by Yusuke Suzuki.
JIT generates three MIPS instructions for a load/store from/to an absolute address:
lui adrTmpReg, address >> 16
ori adrTmpReg, address & 0xffff
lw dataReg, 0(adrTmpReg)
Since load/store instructions on MIPS have a 16-bit offset, lower 16 bits of the address can
be encoded into the load/store and ori instruction can be removed:
lui adrTmpReg, (address + 0x8000) >> 16
lw dataReg, (address & 0xffff)(adrTmpReg)
Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::add32):
(JSC::MacroAssemblerMIPS::add64):
(JSC::MacroAssemblerMIPS::or32):
(JSC::MacroAssemblerMIPS::sub32):
(JSC::MacroAssemblerMIPS::convertibleLoadPtr):
(JSC::MacroAssemblerMIPS::load8):
(JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
(JSC::MacroAssemblerMIPS::load32):
(JSC::MacroAssemblerMIPS::store8):
(JSC::MacroAssemblerMIPS::store32):
(JSC::MacroAssemblerMIPS::branchTest8):
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeDouble):
2018-03-16 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] Add vectorLengthHint for NewArray
https://bugs.webkit.org/show_bug.cgi?id=183694
Reviewed by Saam Barati.
While the following code is a common, it is not so efficient.
var array = [];
for (...) {
...
array.push(...);
}
The array is always allocated with 0 vector length. And it is eventually grown.
We have ArrayAllocationProfile, and it tells us that the vector length hint for
the allocated arrays. This hint is already used for NewArrayBuffer. This patch
extends this support for NewArray DFG node.
This patch improves Kraken/stanford-crypto-aes 4%.
baseline patched
stanford-crypto-aes 64.069+-1.352 61.589+-1.274 might be 1.0403x faster
NewArray can be optimized.
baseline patched
vector-length-hint-new-array 21.8157+-0.0882 ^ 13.1764+-0.0942 ^ definitely 1.6557x faster
vector-length-hint-array-constructor 21.9076+-0.0987 ? 22.1168+-0.4814 ?
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasVectorLengthHint):
(JSC::DFG::Node::vectorLengthHint):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2018-03-13 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] Make ArraySlice(0) code tight
https://bugs.webkit.org/show_bug.cgi?id=183590
Reviewed by Saam Barati.
This patch tightens ArraySlice code, in particular, startIndex = 0 case.
1. We support array.slice() call. This is a well-used way to clone array.
For example, underscore.js uses this technique.
2. We remove several checks if the given index value is a proven constant.
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
We can skip some of checks if the given value is a proven constant.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
Change below to belowOrEqual. It does not change meaning in the code. But it allows us
to fold BelowEqual(0, x) to true.
2018-03-19 Yusuke Suzuki <utatane.tea@gmail.com>
Drop s_exceptionInstructions static initializer
https://bugs.webkit.org/show_bug.cgi?id=183732
Reviewed by Darin Adler.
Make Instruction constructor constexpr to drop the static constructor
of LLInt::Data::s_exceptionInstructions.
* bytecode/Instruction.h:
(JSC::Instruction::Instruction):
2018-03-19 Dan Bernstein <mitz@apple.com>
Investigate why __cpu_indicator_init is used
https://bugs.webkit.org/show_bug.cgi?id=183736
Reviewed by Tim Horton.
__cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because
we were passing the -all_load option to the linker, causing it to bring in all members of
every static library being linked in, including the compiler runtime library. We only need
to load all members of WTF. The linker option for doing that is -force_load, and it requires
a path to the library. To support building against libWTF.a built locally as well as against
the copy that is in the SDK, we add a script build phase that palces a symbolic link to the
appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink
to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less
verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed
in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop
reexporting libobjc.
* Configurations/JavaScriptCore.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-03-19 Jiewen Tan <jiewen_tan@apple.com>
Unreviewed, another quick fix for r229699
Restricts ENABLE_WEB_AUTHN to only macOS and iOS.
* Configurations/FeatureDefines.xcconfig:
2018-03-19 Mark Lam <mark.lam@apple.com>
FunctionPtr should be passed by value.
https://bugs.webkit.org/show_bug.cgi?id=183746
<rdar://problem/38625311>
Reviewed by JF Bastien.
It's meant to be an encapsulation of a C/C++ function pointer. There are cases
where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are
treated as if they are C/C++ functions.
Regardless, there's no need to pass it by reference.
* assembler/MacroAssemblerCodeRef.h:
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendCall):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::appendCall):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
(JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
* jit/JIT.h:
(JSC::JIT::appendCall):
(JSC::JIT::appendCallWithSlowPathReturnType):
* jit/JITInlines.h:
(JSC::JIT::appendCallWithExceptionCheck):
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
(JSC::JIT::appendCallWithCallFrameRollbackOnException):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
2018-03-15 Ross Kirsling <ross.kirsling@sony.com>
Fix MSVC run-time check after r229391.
https://bugs.webkit.org/show_bug.cgi?id=183673
Reviewed by Keith Miller.
Replaces attempted fix from r229424/r229432.
Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::clampArrayToSize):
2018-03-15 Tim Horton <timothy_horton@apple.com>
Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE
https://bugs.webkit.org/show_bug.cgi?id=183675
<rdar://problem/38515281>
Reviewed by Dan Bernstein.
* JavaScriptCore.xcodeproj/project.pbxproj:
Don't install the JSC alias if we're installing to an alternate location.
This should have been a part of r229637.
2018-03-15 Tim Horton <timothy_horton@apple.com>
Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=183649
<rdar://problem/38480526>
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
2018-03-14 Mark Lam <mark.lam@apple.com>
Enhance the MacroAssembler and LinkBuffer to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183623
<rdar://problem/38443314>
Reviewed by Michael Saboff.
1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler
emitters to support pointer profiling.
2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods.
3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients.
4. Updated clients to pass a PtrTag. For the most part, I just apply NoPtrTag as
a placeholder until we have time to analyze what pointer profile each client
site has later.
5. Apply PtrTags to the YarrJIT.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::linkJumpOrCall):
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::getLinkerAddress):
(JSC::AbstractMacroAssembler::tagPtr):
(JSC::AbstractMacroAssembler::untagPtr):
(JSC::AbstractMacroAssembler::removePtrTag):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
(JSC::LinkBuffer::finalizeCodeWithDisassembly):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::link):
(JSC::LinkBuffer::locationOfNearCall):
(JSC::LinkBuffer::locationOf):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::jump):
(JSC::MacroAssemblerARM::call):
(JSC::MacroAssemblerARM::readCallTarget):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::jump):
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::linkCall):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::jump):
(JSC::MacroAssemblerARMv7::relativeTableJump):
(JSC::MacroAssemblerARMv7::call):
(JSC::MacroAssemblerARMv7::readCallTarget):
* assembler/MacroAssemblerCodeRef.cpp:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::value const):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
(JSC::MacroAssemblerCodeRef::retaggedCode const):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::jump):
(JSC::MacroAssemblerMIPS::call):
(JSC::MacroAssemblerMIPS::readCallTarget):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::call):
(JSC::MacroAssemblerX86::jump):
(JSC::MacroAssemblerX86::readCallTarget):
* assembler/MacroAssemblerX86Common.cpp:
(JSC::MacroAssembler::probe):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::jump):
(JSC::MacroAssemblerX86Common::call):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::call):
(JSC::MacroAssemblerX86_64::jump):
(JSC::MacroAssemblerX86_64::readCallTarget):
* assembler/testmasm.cpp:
(JSC::compile):
(JSC::invoke):
* b3/B3Compile.cpp:
(JSC::B3::compile):
* b3/B3LowerMacros.cpp:
* b3/air/AirCCallSpecial.cpp:
(JSC::B3::Air::CCallSpecial::generate):
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::invoke):
(JSC::B3::testInterpreter):
(JSC::B3::testEntrySwitchSimple):
(JSC::B3::testEntrySwitchNoEntrySwitch):
(JSC::B3::testEntrySwitchWithCommonPaths):
(JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
(JSC::B3::testEntrySwitchLoop):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/AccessCaseSnippetParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::noticeCatchEntrypoint):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendCall):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::emitRestoreArguments):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
(JSC::DFG::osrWriteBarrier):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::SlowPathCallContext::makeCall):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::debugCall):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::jumpToExceptionHandler):
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::JIT::appendCall):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
* jit/JITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::readCallTarget):
(JSC::appropriateOptimizingPutByIdFunction):
(JSC::linkPolymorphicCall):
(JSC::resetPutByID):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
(JSC::SpecializedThunkJIT::callDoubleToDouble):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
(JSC::LLInt::moduleProgramEntryThunkGenerator):
* runtime/PtrTag.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
(JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
(JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::execute):
2018-03-14 Caitlin Potter <caitp@igalia.com>
[JSC] fix order of evaluation for ClassDefinitionEvaluation
https://bugs.webkit.org/show_bug.cgi?id=183523
Reviewed by Keith Miller.
Computed property names need to be evaluated in source order during class
definition evaluation, as it's observable (and specified to work this way).
This change improves compatibility with Chromium.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitDefineClassElements):
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitBytecode):
(JSC::ClassExprNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createClassExpr):
(JSC::ASTBuilder::createGetterOrSetterProperty):
(JSC::ASTBuilder::createProperty):
* parser/NodeConstructors.h:
(JSC::PropertyNode::PropertyNode):
(JSC::ClassExprNode::ClassExprNode):
* parser/Nodes.cpp:
(JSC::PropertyListNode::hasStaticallyNamedProperty):
* parser/Nodes.h:
(JSC::PropertyNode::isClassProperty const):
(JSC::PropertyNode::isStaticClassProperty const):
(JSC::PropertyNode::isInstanceClassProperty const):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):
(JSC::Parser<LexerType>::parseProperty):
(JSC::Parser<LexerType>::parseGetterSetter):
* parser/Parser.h:
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createClassExpr):
(JSC::SyntaxChecker::createProperty):
(JSC::SyntaxChecker::createGetterOrSetterProperty):
2018-03-14 Keith Miller <keith_miller@apple.com>
Move jsc CLI breakpoint function to $vm
https://bugs.webkit.org/show_bug.cgi?id=183512
Reviewed by Yusuke Suzuki.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionBreakpoint): Deleted.
* tools/JSDollarVM.cpp:
(JSC::functionBreakpoint):
(JSC::JSDollarVM::finishCreation):
2018-03-14 Tim Horton <timothy_horton@apple.com>
Fix the build after r229567
* Configurations/FeatureDefines.xcconfig:
2018-03-12 Mark Lam <mark.lam@apple.com>
Gardening: speculative build fix for WinCairo.
https://bugs.webkit.org/show_bug.cgi?id=183573
Not reviewed.
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
2018-03-12 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix obsolete ASSERT
https://bugs.webkit.org/show_bug.cgi?id=183310
Now NewObject can be conereted from CallObjectConstructor and CreateThis.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToNewObject):
2018-03-12 Tim Horton <timothy_horton@apple.com>
Stop using SDK conditionals to control feature definitions
https://bugs.webkit.org/show_bug.cgi?id=183430
<rdar://problem/38251619>
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
* Configurations/WebKitTargetConditionals.xcconfig: Renamed.
2018-03-12 Yoav Weiss <yoav@yoav.ws>
Runtime flag for link prefetch and remove link subresource.
https://bugs.webkit.org/show_bug.cgi?id=183540
Reviewed by Chris Dumez.
Remove the LINK_PREFETCH build time flag.
* Configurations/FeatureDefines.xcconfig:
2018-03-12 Mark Lam <mark.lam@apple.com>
Gardening: speculative build fix for Windows.
https://bugs.webkit.org/show_bug.cgi?id=183573
Not reviewed.
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
2018-03-12 Mark Lam <mark.lam@apple.com>
Add another PtrTag.
https://bugs.webkit.org/show_bug.cgi?id=183580
<rdar://problem/38390584>
Reviewed by Keith Miller.
* runtime/PtrTag.h:
2018-03-12 Mark Lam <mark.lam@apple.com>
Make a NativeFunction into a class to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183573
<rdar://problem/38384697>
Reviewed by Filip Pizlo.
1. NativeFunction is now a class, and introducing RawNativeFunction and
TaggedNativeFunction.
RawNativeFunction is the raw pointer type (equivalent
to the old definition of NativeFunction). This is mainly used for underlying
storage inside the NativeFunction class, and also for global data tables that
cannot embed non-trivially constructed objects.
NativeFunction's role is mainly to encapsulate a pointer to a C function that
we pass into the VM.
TaggedNativeFunction encapsulates the tagged version of a pointer to a C
function that we track in the VM.
2. Added a convenience constructor for TrustedImmPtr so that we don't have to
cast function pointers to void* anymore when constructing a TrustedImmPtr.
3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp.
4. Added more PtrTag utility functions.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
* create_hash_table:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::getOpcodeID):
* jit/JITThunks.cpp:
(JSC::JITThunks::hostFunctionStub):
* jit/JITThunks.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* llint/LowLevelInterpreter64.asm:
* offlineasm/ast.rb:
* runtime/CallData.h:
* runtime/CommonSlowPaths.cpp:
* runtime/ConstructData.h:
* runtime/InternalFunction.h:
(JSC::InternalFunction::nativeFunctionFor):
* runtime/JSCell.cpp:
(JSC::JSCell::getCallData):
(JSC::JSCell::getConstructData):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::nativeFunction):
(JSC::JSFunction::nativeConstructor):
(JSC::isHostFunction):
* runtime/Lookup.h:
(JSC::HashTableValue::function const):
(JSC::HashTableValue::accessorGetter const):
(JSC::HashTableValue::accessorSetter const):
(JSC::nonCachingStaticFunctionGetter):
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::create):
(JSC::NativeExecutable::NativeExecutable):
* runtime/NativeExecutable.h:
* runtime/NativeFunction.h: Added.
(JSC::NativeFunction::NativeFunction):
(JSC::NativeFunction::operator intptr_t const):
(JSC::NativeFunction::operator bool const):
(JSC::NativeFunction::operator! const):
(JSC::NativeFunction::operator== const):
(JSC::NativeFunction::operator!= const):
(JSC::NativeFunction::operator()):
(JSC::NativeFunction::rawPointer const):
(JSC::NativeFunctionHash::hash):
(JSC::NativeFunctionHash::equal):
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator bool const):
(JSC::TaggedNativeFunction::operator! const):
(JSC::TaggedNativeFunction::operator== const):
(JSC::TaggedNativeFunction::operator!= const):
(JSC::TaggedNativeFunction::operator()):
(JSC::TaggedNativeFunction::operator NativeFunction):
(JSC::TaggedNativeFunction::rawPointer const):
(JSC::TaggedNativeFunctionHash::hash):
(JSC::TaggedNativeFunctionHash::equal):
* runtime/PtrTag.h:
(JSC::tagCFunctionPtr):
(JSC::untagCFunctionPtr):
* runtime/VM.h:
(JSC::VM::targetMachinePCForThrowOffset): Deleted.
2018-03-12 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2018-03-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] AI should convert CreateThis to NewObject if the prototype object is proved
https://bugs.webkit.org/show_bug.cgi?id=183310
Reviewed by Filip Pizlo.
This patch implements CreateThis -> NewObject conversion in AI if the given function is constant.
This contributes to 6% win in Octane/raytrace.
baseline patched
raytrace x2 1.19915+-0.01862 ^ 1.13156+-0.01589 ^ definitely 1.0597x faster
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
2018-03-11 Wenson Hsieh <wenson_hsieh@apple.com>
Disable Sigill crash analyzer on watchOS
https://bugs.webkit.org/show_bug.cgi?id=183548
<rdar://problem/38338032>
Reviewed by Mark Lam.
Sigill is not supported on watchOS.
* runtime/Options.cpp:
(JSC::overrideDefaults):
2018-03-09 Filip Pizlo <fpizlo@apple.com>
Split DirectArguments into JSValueOOB and JSValueStrict parts
https://bugs.webkit.org/show_bug.cgi?id=183458
Reviewed by Yusuke Suzuki.
Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by
unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue
objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK
to read and write within a Spectre mitigation window. Writes are important, because within the
window, a write could appear to be made speculatively and rolled out later. This means that:
- JSValue objects cannot have lengths, masks, or anything else inline.
- JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type
check, unless that type is in the form of a poison key.
This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also
means that it's wrong for DirectArguments to have an inline length.
This changes DirectArguments to use poisoning according to the universal formula:
- The random accessed portions are out-of-line, pointed to by a poisoned pointer.
- No inline length.
Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations
amortize whatever cost there was.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
(JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
* dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added.
(JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetFromArguments):
(JSC::DFG::SpeculativeJIT::compilePutToArguments):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
(JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
* heap/SecurityKind.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_put_to_arguments):
(JSC::JIT::emitDirectArgumentsGetByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_put_to_arguments):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::DirectArguments):
(JSC::DirectArguments::createUninitialized):
(JSC::DirectArguments::create):
(JSC::DirectArguments::createByCopying):
(JSC::DirectArguments::estimatedSize):
(JSC::DirectArguments::visitChildren):
(JSC::DirectArguments::overrideThings):
(JSC::DirectArguments::copyToArguments):
(JSC::DirectArguments::mappedArgumentsSize):
* runtime/DirectArguments.h:
* runtime/JSCPoison.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSSymbolTableObject.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-03-11 Yusuke Suzuki <utatane.tea@gmail.com>
[B3] Above/Below should be strength-reduced for comparison with 0
https://bugs.webkit.org/show_bug.cgi?id=183543
Reviewed by Filip Pizlo.
Above(0, x) and BelowEqual(0, x) can be converted to constants false and true respectively.
This can be seen in ArraySlice(0) case: `Select(Above(0, length), length, 0)` this should
be converted to `0`. This patch adds such a folding to comparisons.
We also fix B3ReduceStrength issue creating an orphan value. If a flipped value is folded to
a constant, we do not insert flipped value and make it an orphan. This issue causes JSC test
failure with this B3Const32/64Value change. With this patch, we create a flipped value only
when we fail to fold it to a constant.
* b3/B3Const32Value.cpp:
(JSC::B3::Const32Value::lessThanConstant const):
(JSC::B3::Const32Value::greaterThanConstant const):
(JSC::B3::Const32Value::lessEqualConstant const):
(JSC::B3::Const32Value::greaterEqualConstant const):
(JSC::B3::Const32Value::aboveConstant const):
(JSC::B3::Const32Value::belowConstant const):
(JSC::B3::Const32Value::aboveEqualConstant const):
(JSC::B3::Const32Value::belowEqualConstant const):
* b3/B3Const64Value.cpp:
(JSC::B3::Const64Value::lessThanConstant const):
(JSC::B3::Const64Value::greaterThanConstant const):
(JSC::B3::Const64Value::lessEqualConstant const):
(JSC::B3::Const64Value::greaterEqualConstant const):
(JSC::B3::Const64Value::aboveConstant const):
(JSC::B3::Const64Value::belowConstant const):
(JSC::B3::Const64Value::aboveEqualConstant const):
(JSC::B3::Const64Value::belowEqualConstant const):
* b3/B3ReduceStrength.cpp:
* b3/testb3.cpp:
(JSC::B3::int64Operands):
(JSC::B3::int32Operands):
2018-03-10 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag
https://bugs.webkit.org/show_bug.cgi?id=181848
Reviewed by Sam Weinig.
In r181535, we support `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not
optimized since it sets `lastIndex` value before performing RegExp operation.
This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly.
RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node
just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp
in object allocation sinking phase.
Added microbenchmarks shows that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp
has a global flag. And it improves the performance.
baseline patched
regexp-u-global-es5 44.1298+-4.6128 ^ 33.7920+-2.0110 ^ definitely 1.3059x faster
regexp-u-global-es6 182.3272+-2.2861 ^ 154.3414+-7.6769 ^ definitely 1.1813x faster
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpMatchFastGlobal):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
* runtime/RegExpObject.cpp:
(JSC::collectMatches): Deleted.
* runtime/RegExpObject.h:
* runtime/RegExpObjectInlines.h:
(JSC::RegExpObject::execInline):
(JSC::RegExpObject::matchInline):
(JSC::advanceStringUnicode):
(JSC::collectMatches):
(JSC::RegExpObject::advanceStringUnicode): Deleted.
* runtime/RegExpPrototype.cpp:
(JSC::advanceStringIndex):
2018-03-10 Yusuke Suzuki <utatane.tea@gmail.com>
B3::reduceStrength should canonicalize integer comparisons
https://bugs.webkit.org/show_bug.cgi?id=150958
Reviewed by Filip Pizlo.
This patch sorts operands of comparisons by flipping opcode. For example, `Above(0, @2)` is
converted to `Below(@2, 0)`. This sorting is the same to handleCommutativity rule. Since we
canonicalize comparisons to have constant value at least on the right hand side, we can
remove pattern matchings checking leftImm in B3LowerToAir.
Since this flipping changes the opcode of the value, to achieve safely, we just create a
new value which has flipped opcode and swapped operands. If we can fold it to a constant,
we replace m_value with this constant. If we fail to fold it to constant, we replace
m_value with the flipped one.
These comparisons are already handled in testb3.
* b3/B3LowerToAir.cpp:
* b3/B3ReduceStrength.cpp:
2018-03-09 Mark Lam <mark.lam@apple.com>
offlineasm should reset the Assembler's working state before doing another pass for a new target.
https://bugs.webkit.org/show_bug.cgi?id=183538
<rdar://problem/38325955>
Reviewed by Michael Saboff.
* llint/LowLevelInterpreter.cpp:
* offlineasm/asm.rb:
* offlineasm/cloop.rb:
2018-03-09 Brian Burg <bburg@apple.com>
Web Inspector: there should only be one way for async backend commands to send failure
https://bugs.webkit.org/show_bug.cgi?id=183524
Reviewed by Timothy Hatcher.
If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
This change only affects interfaces generated for C++ backend dispatchers.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
(CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2018-03-09 Mark Lam <mark.lam@apple.com>
Build fix after r229476.
https://bugs.webkit.org/show_bug.cgi?id=183488
Not reviewed.
* runtime/StackAlignment.h:
2018-03-09 Mark Lam <mark.lam@apple.com>
[Re-landing] Add support for ARM64E.
https://bugs.webkit.org/show_bug.cgi?id=183398
<rdar://problem/38212621>
Reviewed by Michael Saboff.
* assembler/MacroAssembler.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/backends.rb:
2018-03-09 Mark Lam <mark.lam@apple.com>
[Re-landing] Prepare LLInt code to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183387
<rdar://problem/38199678>
Reviewed by JF Bastien.
1. Introduced PtrTag enums for supporting pointer profiling later.
2. Also introduced tagging, untagging, retagging, and tag removal placeholder
template functions for the same purpose.
3. Prepare the offlineasm for supporting pointer profiling later.
4. Tagged some pointers in LLInt asm code. Currently, these should have no
effect on behavior.
5. Removed returnToThrowForThrownException() because it is not used anywhere.
6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
easier to view and edit these files in Xcode.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::returnToThrowForThrownException): Deleted.
* llint/LLIntExceptions.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntPCRanges.h:
(JSC::LLInt::isLLIntPC):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* offlineasm/risc.rb:
* runtime/PtrTag.h: Added.
(JSC::uniquePtrTagID):
(JSC::ptrTag):
(JSC::tagCodePtr):
(JSC::untagCodePtr):
(JSC::retagCodePtr):
(JSC::removeCodePtrTag):
2018-03-09 Mark Lam <mark.lam@apple.com>
Remove unused LLINT_STATS feature.
https://bugs.webkit.org/show_bug.cgi?id=183522
<rdar://problem/38313139>
Rubber-stamped by Keith Miller.
We haven't used this in a while, and it is one more option that makes offlineasm
build slower. We can always re-introduce this later if we need it.
* jsc.cpp:
* llint/LLIntCommon.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
(JSC::LLInt::Data::finalizeStats): Deleted.
(JSC::LLInt::compareStats): Deleted.
(JSC::LLInt::Data::dumpStats): Deleted.
(JSC::LLInt::Data::ensureStats): Deleted.
(JSC::LLInt::Data::loadStats): Deleted.
(JSC::LLInt::Data::resetStats): Deleted.
(JSC::LLInt::Data::saveStats): Deleted.
* llint/LLIntData.h:
(): Deleted.
(JSC::LLInt::Data::opcodeStats): Deleted.
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntSlowPaths.cpp:
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Options.cpp:
(JSC::Options::isAvailable):
(JSC::recomputeDependentOptions):
* runtime/Options.h:
* runtime/TestRunnerUtils.cpp:
(JSC::finalizeStatsAtEndOfTesting):
2018-03-09 Michael Saboff <msaboff@apple.com>
Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
https://bugs.webkit.org/show_bug.cgi?id=183488
It applied and built just fine locally.
* assembler/testmasm.cpp:
(JSC::testBranchTruncateDoubleToInt32):
2018-03-09 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, remove WebAssemblyFunctionType
https://bugs.webkit.org/show_bug.cgi?id=183429
Drop WebAssemblyFunctionType since it is no longer used. This breaks
JSCast assumption that all the derived classes of JSFunction use
JSFunctionType. We also add ASSERT for JSFunction::finishCreation.
* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
* runtime/JSType.h:
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::createStructure):
* wasm/js/WebAssemblyFunction.h:
2018-03-09 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r229446.
This change relies on changes that have been rolled out.
Reverted changeset:
"testmasm crashes in testBranchTruncateDoubleToInt32() on
ARM64"
https://bugs.webkit.org/show_bug.cgi?id=183488
https://trac.webkit.org/changeset/229446
2018-03-08 Chris Dumez <cdumez@apple.com>
Safari not handling undefined global variables with same name as element Id correctly.
https://bugs.webkit.org/show_bug.cgi?id=183087
<rdar://problem/37927596>
Reviewed by Ryosuke Niwa.
global variables (var foo;) should not be hidden by:
- Named properties
- Properties on the prototype chain
Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
if !hasOwnProperty() instead of !hasProperty.
This aligns our behavior with Chrome and Firefox.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::addVar):
2018-03-08 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r229354 and r229364.
https://bugs.webkit.org/show_bug.cgi?id=183492
Breaks internal builds (Requested by ryanhaddad on #webkit).
Reverted changesets:
"Prepare LLInt code to support pointer profiling."
https://bugs.webkit.org/show_bug.cgi?id=183387
https://trac.webkit.org/changeset/229354
"Add support for ARM64E."
https://bugs.webkit.org/show_bug.cgi?id=183398
https://trac.webkit.org/changeset/229364
2018-03-08 Michael Saboff <msaboff@apple.com>
testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
https://bugs.webkit.org/show_bug.cgi?id=183488
Reviewed by Mark Lam.
Using stackAlignmentBytes() will keep the stack properly aligned.
* assembler/testmasm.cpp:
(JSC::testBranchTruncateDoubleToInt32):
2018-03-08 Michael Saboff <msaboff@apple.com>
Emit code to zero the stack frame on function entry
Nhttps://bugs.webkit.org/show_bug.cgi?id=183391
Reviewed by Mark Lam.
Added code to zero incoming stack frame behind a new JSC option, zeroStackFrame.
The default setting of the option is off.
Did some minor refactoring of the YarrJIT stack alignment code.
* b3/air/AirCode.cpp:
(JSC::B3::Air::defaultPrologueGenerator):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::clearStackFrame):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
* llint/LowLevelInterpreter.asm:
* runtime/Options.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::ialignCallFrameSizeInBytesnitCallFrame):
(JSC::Yarr::YarrGenerator::initCallFrame):
(JSC::Yarr::YarrGenerator::removeCallFrame):
2018-03-08 Keith Miller <keith_miller@apple.com>
Unreviewed, another attempt at fixing the Windows build.
I guess the pragma must be outside the function...
* jit/CCallHelpers.h:
(JSC::CCallHelpers::clampArrayToSize):
2018-03-08 Keith Miller <keith_miller@apple.com>
Unreviewed, one last try at fixing the windows build before rollout.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::clampArrayToSize):
2018-03-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Optimize inherits<T> if T is final type
https://bugs.webkit.org/show_bug.cgi?id=183435
Reviewed by Mark Lam.
If the type T is a final type (`std::is_final<T>::value == true`), there is no
classes which is derived from T. It means that `jsDynamicCast<T>` only needs
to check the given cell's `classInfo(vm)` is `T::info()`.
This patch adds a new specialization for jsDynamicCast<T> / inherits<T> for a
final type. And we also add `final` annotations to JS cell types in JSC. This
offers,
1. Readability. If the given class is annotated with `final`, we do not need to
consider about the derived classes of T.
2. Static Checking. If your class is not intended to be used as a base class, attaching
`final` can ensure this invariant.
3. Performance. jsDynamicCast<T> and inherits<T> can be optimized and the code size should
be smaller.
* API/JSCallbackConstructor.h:
(JSC::JSCallbackConstructor::create): Deleted.
(JSC::JSCallbackConstructor::classRef const): Deleted.
(JSC::JSCallbackConstructor::callback const): Deleted.
(JSC::JSCallbackConstructor::createStructure): Deleted.
(JSC::JSCallbackConstructor::constructCallback): Deleted.
* API/JSCallbackFunction.h:
(JSC::JSCallbackFunction::createStructure): Deleted.
(JSC::JSCallbackFunction::functionCallback): Deleted.
* API/JSCallbackObject.h:
(JSC::JSCallbackObject::create): Deleted.
(JSC::JSCallbackObject::destroy): Deleted.
(JSC::JSCallbackObject::classRef const): Deleted.
(JSC::JSCallbackObject::getPrivateProperty const): Deleted.
(JSC::JSCallbackObject::setPrivateProperty): Deleted.
(JSC::JSCallbackObject::deletePrivateProperty): Deleted.
(JSC::JSCallbackObject::visitChildren): Deleted.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/ExecutableToCodeBlockEdge.h:
(JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
(JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
(JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
* bytecode/FunctionCodeBlock.h:
(JSC::FunctionCodeBlock::subspaceFor): Deleted.
(JSC::FunctionCodeBlock::create): Deleted.
(JSC::FunctionCodeBlock::createStructure): Deleted.
(JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
* debugger/DebuggerScope.h:
(JSC::DebuggerScope::createStructure): Deleted.
(JSC::DebuggerScope::iterator::iterator): Deleted.
(JSC::DebuggerScope::iterator::get): Deleted.
(JSC::DebuggerScope::iterator::operator++): Deleted.
(JSC::DebuggerScope::iterator::operator== const): Deleted.
(JSC::DebuggerScope::iterator::operator!= const): Deleted.
(JSC::DebuggerScope::isValid const): Deleted.
(JSC::DebuggerScope::jsScope const): Deleted.
* inspector/JSInjectedScriptHost.h:
(Inspector::JSInjectedScriptHost::createStructure): Deleted.
(Inspector::JSInjectedScriptHost::create): Deleted.
(Inspector::JSInjectedScriptHost::impl const): Deleted.
* inspector/JSInjectedScriptHostPrototype.h:
(Inspector::JSInjectedScriptHostPrototype::create): Deleted.
(Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
(Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
* inspector/JSJavaScriptCallFrame.h:
(Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
(Inspector::JSJavaScriptCallFrame::create): Deleted.
(Inspector::JSJavaScriptCallFrame::impl const): Deleted.
* inspector/JSJavaScriptCallFramePrototype.h:
(Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
(Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
(Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
* runtime/ArrayConstructor.h:
(JSC::ArrayConstructor::create): Deleted.
(JSC::ArrayConstructor::createStructure): Deleted.
* runtime/ArrayIteratorPrototype.h:
(JSC::ArrayIteratorPrototype::create): Deleted.
(JSC::ArrayIteratorPrototype::createStructure): Deleted.
(JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
* runtime/ArrayPrototype.h:
(JSC::ArrayPrototype::createStructure): Deleted.
* runtime/AsyncFromSyncIteratorPrototype.h:
(JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
* runtime/AsyncFunctionConstructor.h:
(JSC::AsyncFunctionConstructor::create): Deleted.
(JSC::AsyncFunctionConstructor::createStructure): Deleted.
* runtime/AsyncFunctionPrototype.h:
(JSC::AsyncFunctionPrototype::create): Deleted.
(JSC::AsyncFunctionPrototype::createStructure): Deleted.
* runtime/AsyncGeneratorFunctionConstructor.h:
(JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
(JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
* runtime/AsyncGeneratorFunctionPrototype.h:
(JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
(JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
* runtime/AsyncGeneratorPrototype.h:
(JSC::AsyncGeneratorPrototype::create): Deleted.
(JSC::AsyncGeneratorPrototype::createStructure): Deleted.
(JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
* runtime/AsyncIteratorPrototype.h:
(JSC::AsyncIteratorPrototype::create): Deleted.
(JSC::AsyncIteratorPrototype::createStructure): Deleted.
(JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
* runtime/AtomicsObject.h:
* runtime/BigIntConstructor.h:
(JSC::BigIntConstructor::create): Deleted.
(JSC::BigIntConstructor::createStructure): Deleted.
* runtime/BigIntObject.h:
(JSC::BigIntObject::create): Deleted.
(JSC::BigIntObject::internalValue const): Deleted.
(JSC::BigIntObject::createStructure): Deleted.
* runtime/BigIntPrototype.h:
(JSC::BigIntPrototype::create): Deleted.
(JSC::BigIntPrototype::createStructure): Deleted.
* runtime/BooleanConstructor.h:
(JSC::BooleanConstructor::create): Deleted.
(JSC::BooleanConstructor::createStructure): Deleted.
* runtime/BooleanPrototype.h:
(JSC::BooleanPrototype::create): Deleted.
(JSC::BooleanPrototype::createStructure): Deleted.
* runtime/ConsoleObject.h:
(JSC::ConsoleObject::create): Deleted.
(JSC::ConsoleObject::createStructure): Deleted.
* runtime/DOMAttributeGetterSetter.h:
(JSC::isDOMAttributeGetterSetter): Deleted.
* runtime/DateConstructor.h:
(JSC::DateConstructor::create): Deleted.
(JSC::DateConstructor::createStructure): Deleted.
* runtime/DateInstance.h:
(JSC::DateInstance::create): Deleted.
(JSC::DateInstance::internalNumber const): Deleted.
(JSC::DateInstance::gregorianDateTime const): Deleted.
(JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
(JSC::DateInstance::createStructure): Deleted.
* runtime/DatePrototype.h:
(JSC::DatePrototype::create): Deleted.
(JSC::DatePrototype::createStructure): Deleted.
* runtime/Error.h:
(JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
(JSC::StrictModeTypeErrorFunction::create): Deleted.
(JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
(JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
(JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
* runtime/ErrorConstructor.h:
(JSC::ErrorConstructor::create): Deleted.
(JSC::ErrorConstructor::createStructure): Deleted.
(JSC::ErrorConstructor::stackTraceLimit const): Deleted.
* runtime/Exception.h:
(JSC::Exception::valueOffset): Deleted.
(JSC::Exception::value const): Deleted.
(JSC::Exception::stack const): Deleted.
(JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
(JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
* runtime/FunctionConstructor.h:
(JSC::FunctionConstructor::create): Deleted.
(JSC::FunctionConstructor::createStructure): Deleted.
* runtime/FunctionPrototype.h:
(JSC::FunctionPrototype::create): Deleted.
(JSC::FunctionPrototype::createStructure): Deleted.
* runtime/FunctionRareData.h:
(JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
(JSC::FunctionRareData::objectAllocationProfile): Deleted.
(JSC::FunctionRareData::objectAllocationStructure): Deleted.
(JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
(JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
(JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
(JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
(JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
(JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
(JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
(JSC::FunctionRareData::hasReifiedLength const): Deleted.
(JSC::FunctionRareData::setHasReifiedLength): Deleted.
(JSC::FunctionRareData::hasReifiedName const): Deleted.
(JSC::FunctionRareData::setHasReifiedName): Deleted.
(JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
(JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
(JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
* runtime/GeneratorFunctionConstructor.h:
(JSC::GeneratorFunctionConstructor::create): Deleted.
(JSC::GeneratorFunctionConstructor::createStructure): Deleted.
* runtime/GeneratorFunctionPrototype.h:
(JSC::GeneratorFunctionPrototype::create): Deleted.
(JSC::GeneratorFunctionPrototype::createStructure): Deleted.
* runtime/GeneratorPrototype.h:
(JSC::GeneratorPrototype::create): Deleted.
(JSC::GeneratorPrototype::createStructure): Deleted.
(JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
* runtime/InferredValue.h:
(JSC::InferredValue::subspaceFor): Deleted.
(JSC::InferredValue::inferredValue): Deleted.
(JSC::InferredValue::state const): Deleted.
(JSC::InferredValue::isStillValid const): Deleted.
(JSC::InferredValue::hasBeenInvalidated const): Deleted.
(JSC::InferredValue::add): Deleted.
(JSC::InferredValue::notifyWrite): Deleted.
(JSC::InferredValue::invalidate): Deleted.
* runtime/InspectorInstrumentationObject.h:
(JSC::InspectorInstrumentationObject::create): Deleted.
(JSC::InspectorInstrumentationObject::createStructure): Deleted.
* runtime/IntlCollator.h:
(JSC::IntlCollator::boundCompare const): Deleted.
* runtime/IntlCollatorConstructor.h:
(JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
* runtime/IntlCollatorPrototype.h:
* runtime/IntlDateTimeFormat.h:
(JSC::IntlDateTimeFormat::boundFormat const): Deleted.
* runtime/IntlDateTimeFormatConstructor.h:
(JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
* runtime/IntlDateTimeFormatPrototype.h:
* runtime/IntlNumberFormat.h:
(JSC::IntlNumberFormat::boundFormat const): Deleted.
* runtime/IntlNumberFormatConstructor.h:
(JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
* runtime/IntlNumberFormatPrototype.h:
* runtime/IntlObject.h:
* runtime/IteratorPrototype.h:
(JSC::IteratorPrototype::create): Deleted.
(JSC::IteratorPrototype::createStructure): Deleted.
(JSC::IteratorPrototype::IteratorPrototype): Deleted.
* runtime/JSAPIValueWrapper.h:
(JSC::JSAPIValueWrapper::value const): Deleted.
(JSC::JSAPIValueWrapper::createStructure): Deleted.
(JSC::JSAPIValueWrapper::create): Deleted.
(JSC::JSAPIValueWrapper::finishCreation): Deleted.
(JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
* runtime/JSArrayBufferConstructor.h:
(JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
* runtime/JSArrayBufferPrototype.h:
* runtime/JSAsyncFunction.h:
(JSC::JSAsyncFunction::subspaceFor): Deleted.
(JSC::JSAsyncFunction::allocationSize): Deleted.
(JSC::JSAsyncFunction::createStructure): Deleted.
* runtime/JSAsyncGeneratorFunction.h:
(JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
(JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
(JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
* runtime/JSBigInt.h:
(JSC::JSBigInt::setSign): Deleted.
(JSC::JSBigInt::sign const): Deleted.
(JSC::JSBigInt::setLength): Deleted.
(JSC::JSBigInt::length const): Deleted.
* runtime/JSBoundFunction.h:
(JSC::JSBoundFunction::subspaceFor): Deleted.
(JSC::JSBoundFunction::targetFunction): Deleted.
(JSC::JSBoundFunction::boundThis): Deleted.
(JSC::JSBoundFunction::boundArgs): Deleted.
(JSC::JSBoundFunction::createStructure): Deleted.
(JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
(JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
* runtime/JSCast.h:
(JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
(JSC::JSCastingHelpers::inheritsJSTypeImpl):
(JSC::JSCastingHelpers::InheritsTraits::inherits):
(JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
* runtime/JSCustomGetterSetterFunction.cpp:
(JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
* runtime/JSCustomGetterSetterFunction.h:
(JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
(JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
(JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
(JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
(JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
* runtime/JSDataView.h:
(JSC::JSDataView::possiblySharedBuffer const): Deleted.
(JSC::JSDataView::unsharedBuffer const): Deleted.
* runtime/JSDataViewPrototype.h:
* runtime/JSFixedArray.h:
(JSC::JSFixedArray::createStructure): Deleted.
(JSC::JSFixedArray::tryCreate): Deleted.
(JSC::JSFixedArray::create): Deleted.
(JSC::JSFixedArray::createFromArray): Deleted.
(JSC::JSFixedArray::get const): Deleted.
(JSC::JSFixedArray::set): Deleted.
(JSC::JSFixedArray::buffer): Deleted.
(JSC::JSFixedArray::buffer const): Deleted.
(JSC::JSFixedArray::values const): Deleted.
(JSC::JSFixedArray::size const): Deleted.
(JSC::JSFixedArray::length const): Deleted.
(JSC::JSFixedArray::offsetOfSize): Deleted.
(JSC::JSFixedArray::offsetOfData): Deleted.
(JSC::JSFixedArray::JSFixedArray): Deleted.
(JSC::JSFixedArray::allocationSize): Deleted.
* runtime/JSGeneratorFunction.h:
(JSC::JSGeneratorFunction::subspaceFor): Deleted.
(JSC::JSGeneratorFunction::allocationSize): Deleted.
(JSC::JSGeneratorFunction::createStructure): Deleted.
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::byteLength const): Deleted.
(JSC::JSGenericTypedArrayView::byteSize const): Deleted.
(JSC::JSGenericTypedArrayView::typedVector const): Deleted.
(JSC::JSGenericTypedArrayView::typedVector): Deleted.
(JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
(JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
(JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
(JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
(JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
(JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
(JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
(JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
(JSC::JSGenericTypedArrayView::setIndex): Deleted.
(JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
(JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
(JSC::JSGenericTypedArrayView::sort): Deleted.
(JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
(JSC::JSGenericTypedArrayView::createStructure): Deleted.
(JSC::JSGenericTypedArrayView::info): Deleted.
(JSC::JSGenericTypedArrayView::purifyArray): Deleted.
(JSC::JSGenericTypedArrayView::sortComparison): Deleted.
(JSC::JSGenericTypedArrayView::sortFloat): Deleted.
* runtime/JSGenericTypedArrayViewConstructor.h:
* runtime/JSGenericTypedArrayViewPrototype.h:
* runtime/JSInternalPromise.h:
* runtime/JSInternalPromiseConstructor.h:
* runtime/JSInternalPromisePrototype.h:
* runtime/JSMapIterator.h:
(JSC::JSMapIterator::createStructure): Deleted.
(JSC::JSMapIterator::create): Deleted.
(JSC::JSMapIterator::advanceIter): Deleted.
(JSC::JSMapIterator::next): Deleted.
(JSC::JSMapIterator::nextKeyValue): Deleted.
(JSC::JSMapIterator::kind const): Deleted.
(JSC::JSMapIterator::iteratedValue const): Deleted.
(JSC::JSMapIterator::JSMapIterator): Deleted.
(JSC::JSMapIterator::setIterator): Deleted.
* runtime/JSModuleLoader.h:
(JSC::JSModuleLoader::create): Deleted.
(JSC::JSModuleLoader::createStructure): Deleted.
* runtime/JSModuleNamespaceObject.h:
(JSC::isJSModuleNamespaceObject): Deleted.
* runtime/JSModuleRecord.h:
(JSC::JSModuleRecord::sourceCode const): Deleted.
(JSC::JSModuleRecord::declaredVariables const): Deleted.
(JSC::JSModuleRecord::lexicalVariables const): Deleted.
* runtime/JSNativeStdFunction.h:
(JSC::JSNativeStdFunction::subspaceFor): Deleted.
(JSC::JSNativeStdFunction::createStructure): Deleted.
(JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
* runtime/JSONObject.h:
(JSC::JSONObject::create): Deleted.
(JSC::JSONObject::createStructure): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::fillCustomGetterPropertySlot):
* runtime/JSScriptFetchParameters.h:
(JSC::JSScriptFetchParameters::createStructure): Deleted.
(JSC::JSScriptFetchParameters::create): Deleted.
(JSC::JSScriptFetchParameters::parameters const): Deleted.
(JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
* runtime/JSScriptFetcher.h:
(JSC::JSScriptFetcher::createStructure): Deleted.
(JSC::JSScriptFetcher::create): Deleted.
(JSC::JSScriptFetcher::fetcher const): Deleted.
(JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
* runtime/JSSetIterator.h:
(JSC::JSSetIterator::createStructure): Deleted.
(JSC::JSSetIterator::create): Deleted.
(JSC::JSSetIterator::advanceIter): Deleted.
(JSC::JSSetIterator::next): Deleted.
(JSC::JSSetIterator::kind const): Deleted.
(JSC::JSSetIterator::iteratedValue const): Deleted.
(JSC::JSSetIterator::JSSetIterator): Deleted.
(JSC::JSSetIterator::setIterator): Deleted.
* runtime/JSSourceCode.h:
(JSC::JSSourceCode::createStructure): Deleted.
(JSC::JSSourceCode::create): Deleted.
(JSC::JSSourceCode::sourceCode const): Deleted.
(JSC::JSSourceCode::JSSourceCode): Deleted.
* runtime/JSStringIterator.h:
(JSC::JSStringIterator::createStructure): Deleted.
(JSC::JSStringIterator::create): Deleted.
(JSC::JSStringIterator::JSStringIterator): Deleted.
* runtime/JSTemplateObjectDescriptor.h:
(JSC::isTemplateObjectDescriptor): Deleted.
* runtime/JSTypedArrayViewConstructor.h:
(JSC::JSTypedArrayViewConstructor::create): Deleted.
* runtime/JSTypedArrayViewPrototype.h:
* runtime/MapConstructor.h:
(JSC::MapConstructor::create): Deleted.
(JSC::MapConstructor::createStructure): Deleted.
* runtime/MapIteratorPrototype.h:
(JSC::MapIteratorPrototype::create): Deleted.
(JSC::MapIteratorPrototype::createStructure): Deleted.
(JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
* runtime/MapPrototype.h:
(JSC::MapPrototype::create): Deleted.
(JSC::MapPrototype::createStructure): Deleted.
(JSC::MapPrototype::MapPrototype): Deleted.
* runtime/MathObject.h:
(JSC::MathObject::create): Deleted.
(JSC::MathObject::createStructure): Deleted.
* runtime/ModuleLoaderPrototype.h:
(JSC::ModuleLoaderPrototype::create): Deleted.
(JSC::ModuleLoaderPrototype::createStructure): Deleted.
* runtime/NativeErrorConstructor.h:
(JSC::NativeErrorConstructor::create): Deleted.
(JSC::NativeErrorConstructor::createStructure): Deleted.
(JSC::NativeErrorConstructor::errorStructure): Deleted.
* runtime/NativeErrorPrototype.h:
(JSC::NativeErrorPrototype::create): Deleted.
* runtime/NativeStdFunctionCell.h:
(JSC::NativeStdFunctionCell::createStructure): Deleted.
(JSC::NativeStdFunctionCell::function const): Deleted.
* runtime/NullGetterFunction.h:
(JSC::NullGetterFunction::create): Deleted.
(JSC::NullGetterFunction::createStructure): Deleted.
* runtime/NullSetterFunction.h:
(JSC::NullSetterFunction::create): Deleted.
(JSC::NullSetterFunction::createStructure): Deleted.
* runtime/NumberConstructor.h:
(JSC::NumberConstructor::create): Deleted.
(JSC::NumberConstructor::createStructure): Deleted.
(JSC::NumberConstructor::isIntegerImpl): Deleted.
* runtime/NumberPrototype.h:
(JSC::NumberPrototype::create): Deleted.
(JSC::NumberPrototype::createStructure): Deleted.
* runtime/ObjectConstructor.h:
(JSC::ObjectConstructor::create): Deleted.
(JSC::ObjectConstructor::createStructure): Deleted.
* runtime/ObjectPrototype.h:
(JSC::ObjectPrototype::createStructure): Deleted.
* runtime/ProxyConstructor.h:
(JSC::ProxyConstructor::createStructure): Deleted.
* runtime/ProxyRevoke.h:
(JSC::ProxyRevoke::createStructure): Deleted.
(JSC::ProxyRevoke::proxy): Deleted.
(JSC::ProxyRevoke::setProxyToNull): Deleted.
* runtime/ReflectObject.h:
(JSC::ReflectObject::create): Deleted.
(JSC::ReflectObject::createStructure): Deleted.
* runtime/RegExpConstructor.cpp:
(JSC::regExpConstructorDollar):
(JSC::regExpConstructorInput):
(JSC::regExpConstructorMultiline):
(JSC::regExpConstructorLastMatch):
(JSC::regExpConstructorLastParen):
(JSC::regExpConstructorLeftContext):
(JSC::regExpConstructorRightContext):
* runtime/RegExpConstructor.h:
(JSC::RegExpConstructor::create): Deleted.
(JSC::RegExpConstructor::createStructure): Deleted.
(JSC::RegExpConstructor::setMultiline): Deleted.
(JSC::RegExpConstructor::multiline const): Deleted.
(JSC::RegExpConstructor::setInput): Deleted.
(JSC::RegExpConstructor::input): Deleted.
(JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
(JSC::asRegExpConstructor): Deleted.
* runtime/RegExpPrototype.h:
(JSC::RegExpPrototype::create): Deleted.
(JSC::RegExpPrototype::createStructure): Deleted.
(JSC::RegExpPrototype::emptyRegExp const): Deleted.
* runtime/SetConstructor.h:
(JSC::SetConstructor::create): Deleted.
(JSC::SetConstructor::createStructure): Deleted.
* runtime/SetIteratorPrototype.h:
(JSC::SetIteratorPrototype::create): Deleted.
(JSC::SetIteratorPrototype::createStructure): Deleted.
(JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted.
* runtime/SetPrototype.h:
(JSC::SetPrototype::create): Deleted.
(JSC::SetPrototype::createStructure): Deleted.
(JSC::SetPrototype::SetPrototype): Deleted.
* runtime/StringConstructor.h:
(JSC::StringConstructor::create): Deleted.
(JSC::StringConstructor::createStructure): Deleted.
* runtime/StringIteratorPrototype.h:
(JSC::StringIteratorPrototype::create): Deleted.
(JSC::StringIteratorPrototype::createStructure): Deleted.
(JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted.
* runtime/StringPrototype.h:
(JSC::StringPrototype::createStructure): Deleted.
* runtime/SymbolConstructor.h:
(JSC::SymbolConstructor::create): Deleted.
(JSC::SymbolConstructor::createStructure): Deleted.
* runtime/SymbolObject.h:
(JSC::SymbolObject::create): Deleted.
(JSC::SymbolObject::internalValue const): Deleted.
(JSC::SymbolObject::createStructure): Deleted.
* runtime/SymbolPrototype.h:
(JSC::SymbolPrototype::create): Deleted.
(JSC::SymbolPrototype::createStructure): Deleted.
* runtime/WeakMapConstructor.h:
(JSC::WeakMapConstructor::create): Deleted.
(JSC::WeakMapConstructor::createStructure): Deleted.
* runtime/WeakMapPrototype.h:
(JSC::WeakMapPrototype::create): Deleted.
(JSC::WeakMapPrototype::createStructure): Deleted.
(JSC::WeakMapPrototype::WeakMapPrototype): Deleted.
* runtime/WeakSetConstructor.h:
(JSC::WeakSetConstructor::create): Deleted.
(JSC::WeakSetConstructor::createStructure): Deleted.
* runtime/WeakSetPrototype.h:
(JSC::WeakSetPrototype::create): Deleted.
(JSC::WeakSetPrototype::createStructure): Deleted.
(JSC::WeakSetPrototype::WeakSetPrototype): Deleted.
* tools/JSDollarVM.h:
(JSC::JSDollarVM::createStructure): Deleted.
(JSC::JSDollarVM::create): Deleted.
(JSC::JSDollarVM::JSDollarVM): Deleted.
* wasm/js/JSWebAssembly.h:
* wasm/js/JSWebAssemblyCompileError.h:
(JSC::JSWebAssemblyCompileError::create): Deleted.
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::instance): Deleted.
(JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted.
(JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted.
(JSC::JSWebAssemblyInstance::memory): Deleted.
(JSC::JSWebAssemblyInstance::setMemory): Deleted.
(JSC::JSWebAssemblyInstance::memoryMode): Deleted.
(JSC::JSWebAssemblyInstance::table): Deleted.
(JSC::JSWebAssemblyInstance::setTable): Deleted.
(JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted.
(JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted.
(JSC::JSWebAssemblyInstance::module const): Deleted.
* wasm/js/JSWebAssemblyLinkError.h:
(JSC::JSWebAssemblyLinkError::create): Deleted.
* wasm/js/JSWebAssemblyMemory.h:
(JSC::JSWebAssemblyMemory::subspaceFor): Deleted.
(JSC::JSWebAssemblyMemory::memory): Deleted.
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyRuntimeError.h:
(JSC::JSWebAssemblyRuntimeError::create): Deleted.
* wasm/js/JSWebAssemblyTable.h:
(JSC::JSWebAssemblyTable::isValidLength): Deleted.
(JSC::JSWebAssemblyTable::maximum const): Deleted.
(JSC::JSWebAssemblyTable::length const): Deleted.
(JSC::JSWebAssemblyTable::allocatedLength const): Deleted.
(JSC::JSWebAssemblyTable::table): Deleted.
* wasm/js/WebAssemblyCompileErrorConstructor.h:
* wasm/js/WebAssemblyCompileErrorPrototype.h:
* wasm/js/WebAssemblyInstanceConstructor.h:
* wasm/js/WebAssemblyInstancePrototype.h:
* wasm/js/WebAssemblyLinkErrorConstructor.h:
* wasm/js/WebAssemblyLinkErrorPrototype.h:
* wasm/js/WebAssemblyMemoryConstructor.h:
* wasm/js/WebAssemblyMemoryPrototype.h:
* wasm/js/WebAssemblyModuleConstructor.h:
* wasm/js/WebAssemblyModulePrototype.h:
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyPrototype.h:
* wasm/js/WebAssemblyRuntimeErrorConstructor.h:
* wasm/js/WebAssemblyRuntimeErrorPrototype.h:
* wasm/js/WebAssemblyTableConstructor.h:
* wasm/js/WebAssemblyTablePrototype.h:
2018-03-07 Filip Pizlo <fpizlo@apple.com>
Make it possible to randomize register allocation
https://bugs.webkit.org/show_bug.cgi?id=183416
Reviewed by Keith Miller.
This is disabled by default for now, because it reveals a regalloc bug in wasm.
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::Code):
* b3/air/AirCode.h:
(JSC::B3::Air::Code::weakRandom):
* runtime/Options.h:
2018-03-08 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add inherits<T>(VM&) leveraging JSCast fast path
https://bugs.webkit.org/show_bug.cgi?id=183429
Reviewed by Mark Lam.
Add new member function, JSCell::inherits<T>(VM&) and JSValue::inherits<T>(VM&).
They depends on jsDynamicCast<T> implementation and leverage JSType-based fast
paths defined in JSCast.h. We extract checking part as `JSCastingHelpers::inherit`
and construct jsDynamicCast and JSCell::inherits based on this.
And we remove several unnecessary casting functions (asRegExpObject, asDateInstance etc.).
In addition, we add jsDynamicCast fast path for RegExpObject by using existing RegExpObjectType.
We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType.
The embedder can add their extended object types after that.
* API/JSObjectRef.cpp:
(JSObjectGetPrivateProperty):
(JSObjectSetPrivateProperty):
(JSObjectDeletePrivateProperty):
* API/JSValue.mm:
(isDate):
(isArray):
* API/JSValueRef.cpp:
(JSValueIsArray):
(JSValueIsDate):
(JSValueIsObjectOfClass):
* API/JSWeakObjectMapRefPrivate.cpp:
* API/JSWrapperMap.mm:
(tryUnwrapObjcObject):
* API/ObjCCallbackFunction.mm:
(tryUnwrapConstructor):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGOperations.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::subtype):
(Inspector::JSInjectedScriptHost::functionDetails):
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::InspectorHeapAgent::getPreview):
* interpreter/Interpreter.cpp:
(JSC::notifyDebuggerOfUnwinding):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITOperations.cpp:
(JSC::operationNewFunctionCommon):
* jsc.cpp:
(checkException):
* runtime/BooleanObject.h:
(JSC::asBooleanObject): Deleted.
* runtime/BooleanPrototype.cpp:
(JSC::booleanProtoFuncToString):
(JSC::booleanProtoFuncValueOf):
* runtime/DateConstructor.cpp:
(JSC::constructDate):
* runtime/DateInstance.h:
(JSC::asDateInstance): Deleted.
* runtime/DatePrototype.cpp:
(JSC::formateDateInstance):
(JSC::dateProtoFuncToISOString):
(JSC::dateProtoFuncToLocaleString):
(JSC::dateProtoFuncToLocaleDateString):
(JSC::dateProtoFuncToLocaleTimeString):
(JSC::dateProtoFuncGetTime):
(JSC::dateProtoFuncGetFullYear):
(JSC::dateProtoFuncGetUTCFullYear):
(JSC::dateProtoFuncGetMonth):
(JSC::dateProtoFuncGetUTCMonth):
(JSC::dateProtoFuncGetDate):
(JSC::dateProtoFuncGetUTCDate):
(JSC::dateProtoFuncGetDay):
(JSC::dateProtoFuncGetUTCDay):
(JSC::dateProtoFuncGetHours):
(JSC::dateProtoFuncGetUTCHours):
(JSC::dateProtoFuncGetMinutes):
(JSC::dateProtoFuncGetUTCMinutes):
(JSC::dateProtoFuncGetSeconds):
(JSC::dateProtoFuncGetUTCSeconds):
(JSC::dateProtoFuncGetMilliSeconds):
(JSC::dateProtoFuncGetUTCMilliseconds):
(JSC::dateProtoFuncGetTimezoneOffset):
(JSC::dateProtoFuncSetTime):
(JSC::setNewValueFromTimeArgs):
(JSC::setNewValueFromDateArgs):
(JSC::dateProtoFuncSetYear):
(JSC::dateProtoFuncGetYear):
* runtime/ExceptionHelpers.cpp:
(JSC::isTerminatedExecutionException):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
* runtime/InternalFunction.h:
(JSC::asInternalFunction):
* runtime/JSArray.h:
(JSC::asArray):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpForBacktrace const):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::inherits const):
* runtime/JSCast.h:
(JSC::JSCastingHelpers::inheritsGenericImpl):
(JSC::JSCastingHelpers::inheritsJSTypeImpl):
(JSC::JSCastingHelpers::InheritsTraits::inherits):
(JSC::JSCastingHelpers::inherits):
(JSC::jsDynamicCast):
(JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted.
(JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted.
(JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted.
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::inherits const):
* runtime/JSFunction.cpp:
(JSC::RetrieveCallerFunctionFunctor::operator() const):
(JSC::JSFunction::callerGetter):
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::reifyLazyBoundNameIfNeeded):
* runtime/JSGlobalObject.cpp:
(JSC::enqueueJob):
* runtime/JSGlobalObject.h:
(JSC::asGlobalObject): Deleted.
* runtime/JSInternalPromiseDeferred.cpp:
(JSC::JSInternalPromiseDeferred::create):
* runtime/JSLexicalEnvironment.h:
(JSC::asActivation):
* runtime/JSONObject.cpp:
(JSC::unwrapBoxedPrimitive):
(JSC::Stringifier::Stringifier):
(JSC::Walker::walk):
* runtime/JSPromise.cpp:
(JSC::JSPromise::resolve):
* runtime/JSPromiseDeferred.cpp:
(JSC::JSPromiseDeferred::create):
* runtime/JSType.h:
* runtime/ProxyObject.h:
(JSC::ProxyObject::create): Deleted.
(JSC::ProxyObject::createStructure): Deleted.
(JSC::ProxyObject::target const): Deleted.
(JSC::ProxyObject::handler const): Deleted.
* runtime/RegExpConstructor.cpp:
(JSC::constructRegExp):
* runtime/RegExpConstructor.h:
(JSC::asRegExpConstructor):
(JSC::isRegExp):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::finishCreation):
(JSC::RegExpObject::getOwnPropertySlot):
(JSC::RegExpObject::defineOwnProperty):
(JSC::regExpObjectSetLastIndexStrict):
(JSC::regExpObjectSetLastIndexNonStrict):
(JSC::RegExpObject::put):
* runtime/RegExpObject.h:
(JSC::RegExpObject::create): Deleted.
(JSC::RegExpObject::setRegExp): Deleted.
(JSC::RegExpObject::regExp const): Deleted.
(JSC::RegExpObject::setLastIndex): Deleted.
(JSC::RegExpObject::getLastIndex const): Deleted.
(JSC::RegExpObject::test): Deleted.
(JSC::RegExpObject::testInline): Deleted.
(JSC::RegExpObject::createStructure): Deleted.
(JSC::RegExpObject::offsetOfRegExp): Deleted.
(JSC::RegExpObject::offsetOfLastIndex): Deleted.
(JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted.
(JSC::RegExpObject::allocationSize): Deleted.
(JSC::asRegExpObject): Deleted.
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncTestFast):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncMatchFast):
(JSC::regExpProtoFuncCompile):
(JSC::regExpProtoGetterGlobal):
(JSC::regExpProtoGetterIgnoreCase):
(JSC::regExpProtoGetterMultiline):
(JSC::regExpProtoGetterDotAll):
(JSC::regExpProtoGetterSticky):
(JSC::regExpProtoGetterUnicode):
(JSC::regExpProtoGetterSource):
(JSC::regExpProtoFuncSearchFast):
(JSC::regExpProtoFuncSplitFast):
* runtime/StringObject.h:
(JSC::asStringObject): Deleted.
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::replace):
(JSC::stringProtoFuncReplaceUsingRegExp):
(JSC::stringProtoFuncToString):
* runtime/SymbolPrototype.cpp:
(JSC::symbolProtoFuncToString):
(JSC::symbolProtoFuncValueOf):
* tools/JSDollarVM.cpp:
(WTF::customGetValue):
(WTF::customSetValue):
* wasm/js/JSWebAssemblyHelpers.h:
(JSC::isWebAssemblyHostFunction):
* wasm/js/WebAssemblyWrapperFunction.cpp:
(JSC::WebAssemblyWrapperFunction::create):
2018-03-07 Tim Horton <timothy_horton@apple.com>
Sort and separate FeatureDefines.xcconfig
https://bugs.webkit.org/show_bug.cgi?id=183427
Reviewed by Dan Bernstein.
* Configurations/FeatureDefines.xcconfig:
Sort and split FeatureDefines into paragraphs
(to make it easier to sort later).
2018-03-07 Keith Miller <keith_miller@apple.com>
Unreviewed, fix 32-bit build.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2018-03-07 Keith Miller <keith_miller@apple.com>
Meta-program setupArguments and callOperation
https://bugs.webkit.org/show_bug.cgi?id=183263
Rubber-stamped by Filip Pizlo.
This patch removes all the custom overrides of callOperation and setupArguments
throughout the JITs. In their place there is a new setupArguments that marshalls
the arguments into place based on the type of the operation's function pointer.
There were a couple of design choices in the implementation of setupArguments:
1) We assume that no TrustedImm floating point values are passed.
2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly.
3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*)
The new callOperation/setupArguments do their best to make sure
it's hard to call a function with the wrong parameters. They will
only try to pattern match if the types match up with the next
passed argument. Additionally, the base case should static_assert
of the number of inferred arguments does not match the arity of
the operation's function pointer.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
(JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::poke):
(JSC::MacroAssembler::move):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::swap):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::loadDouble):
(JSC::MacroAssemblerX86Common::swap):
(JSC::MacroAssemblerX86Common::move):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/AccessCaseSnippetParams.cpp:
(JSC::SlowPathCallGeneratorWithArguments::generateImpl):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::emitExplicitExceptionHandler):
* dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
* dfg/DFGNode.h:
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::emitRestoreArguments):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::osrWriteBarrier):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSlowPathGenerator.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
(JSC::DFG::SpeculativeJIT::compileArithMod):
(JSC::DFG::SpeculativeJIT::compileArithRounding):
(JSC::DFG::SpeculativeJIT::compileArithSqrt):
(JSC::DFG::SpeculativeJIT::compileCreateActivation):
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
(JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLSlowPathCall.h:
(JSC::FTL::callOperation):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::ensureShadowChickenPacket):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgument):
(JSC::CCallHelpers::setupStubArgs):
(JSC::CCallHelpers::ArgCollection::ArgCollection):
(JSC::CCallHelpers::ArgCollection::pushRegArg):
(JSC::CCallHelpers::ArgCollection::addGPRArg):
(JSC::CCallHelpers::ArgCollection::addStackArg):
(JSC::CCallHelpers::ArgCollection::addPoke):
(JSC::CCallHelpers::ArgCollection::argCount):
(JSC::CCallHelpers::clampArrayToSize):
(JSC::CCallHelpers::pokeForArgument):
(JSC::CCallHelpers::marshallArgumentRegister):
(JSC::CCallHelpers::setupArgumentsImpl):
(JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
(JSC::CCallHelpers::setupArguments):
(JSC::CCallHelpers::prepareForTailCallSlow):
(JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
(JSC::CCallHelpers::resetCallArguments): Deleted.
(JSC::CCallHelpers::addCallArgument): Deleted.
(JSC::CCallHelpers::setupArgumentsExecState): Deleted.
(JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted.
(JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted.
(JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
(JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted.
(JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted.
(JSC::CCallHelpers::setupStubArguments): Deleted.
(JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted.
(JSC::CCallHelpers::setupStubArguments134): Deleted.
(JSC::CCallHelpers::setupStubArgsGPR): Deleted.
* jit/FPRInfo.h:
(JSC::toInfoFromReg):
* jit/GPRInfo.h:
(JSC::JSValueRegs::JSValueRegs):
(JSC::toInfoFromReg):
* jit/JIT.h:
(JSC::JIT::callOperation):
(JSC::JIT::callOperationWithProfile):
(JSC::JIT::callOperationWithResult):
(JSC::JIT::callOperationNoExceptionCheck):
(JSC::JIT::callOperationWithCallFrameRollbackOnException):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emit_compareAndJumpSlow):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileSetupVarargsFrame):
* jit/JITInlines.h:
(JSC::JIT::callOperation): Deleted.
(JSC::JIT::callOperationNoExceptionCheck): Deleted.
(JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_array_with_size):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_set_function_name):
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::emitSlow_op_neq):
(JSC::JIT::emit_op_throw):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::emitSlow_op_has_indexed_property):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_index):
(JSC::JIT::emit_op_put_setter_by_id):
(JSC::JIT::emit_op_put_getter_setter_by_id):
(JSC::JIT::emit_op_put_getter_by_val):
(JSC::JIT::emit_op_put_setter_by_val):
(JSC::JIT::emit_op_del_by_id):
(JSC::JIT::emit_op_del_by_val):
(JSC::JIT::emitGetByValWithCachedId):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitPutByValWithCachedId):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/RegisterSet.h:
(JSC::RegisterSet::RegisterSet):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionBreakpoint):
* runtime/JSCJSValue.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
2018-03-07 Mark Lam <mark.lam@apple.com>
Rename ProtoCallFrame::arityMissMatch to hasArityMismatch.
https://bugs.webkit.org/show_bug.cgi?id=183414
<rdar://problem/38231678>
Reviewed by Michael Saboff.
* interpreter/ProtoCallFrame.cpp:
(JSC::ProtoCallFrame::init):
* interpreter/ProtoCallFrame.h:
2018-03-07 Mark Lam <mark.lam@apple.com>
Simplify the variants of FunctionPtr constructors.
https://bugs.webkit.org/show_bug.cgi?id=183399
<rdar://problem/38212980>
Reviewed by Yusuke Suzuki.
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
2018-03-06 Filip Pizlo <fpizlo@apple.com>
MarkedArgumentsBuffer should allocate from the JSValue Gigacage
https://bugs.webkit.org/show_bug.cgi?id=183377
Reviewed by Michael Saboff.
That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::expandCapacity):
2018-03-07 Mark Lam <mark.lam@apple.com>
Add support for ARM64E.
https://bugs.webkit.org/show_bug.cgi?id=183398
<rdar://problem/38212621>
Reviewed by Michael Saboff.
* assembler/MacroAssembler.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/backends.rb:
2018-03-07 Yusuke Suzuki <utatane.tea@gmail.com>
HTML `pattern` attribute should set `u` flag for regular expressions
https://bugs.webkit.org/show_bug.cgi?id=151598
Reviewed by Chris Dumez.
Add UnicodeMode for JSC::Yarr::RegularExpression.
* yarr/RegularExpression.cpp:
(JSC::Yarr::RegularExpression::Private::create):
(JSC::Yarr::RegularExpression::Private::Private):
(JSC::Yarr::RegularExpression::Private::compile):
(JSC::Yarr::RegularExpression::RegularExpression):
* yarr/RegularExpression.h:
2018-03-07 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Add more JSType based fast path for jsDynamicCast
https://bugs.webkit.org/show_bug.cgi?id=183403
Reviewed by Mark Lam.
We add more JSType based fast path for jsDynamicCast. Basically, we add miscellaneous JSTypes which
are used for jsDynamicCast in JSC, arguments types, and scope types.
We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast.
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/ClonedArguments.h:
(JSC::ClonedArguments::specialsMaterialized const): Deleted.
* runtime/DirectArguments.h:
(JSC::DirectArguments::subspaceFor): Deleted.
(JSC::DirectArguments::internalLength const): Deleted.
(JSC::DirectArguments::length const): Deleted.
(JSC::DirectArguments::isMappedArgument const): Deleted.
(JSC::DirectArguments::isMappedArgumentInDFG const): Deleted.
(JSC::DirectArguments::getIndexQuickly const): Deleted.
(JSC::DirectArguments::setIndexQuickly): Deleted.
(JSC::DirectArguments::callee): Deleted.
(JSC::DirectArguments::argument): Deleted.
(JSC::DirectArguments::overrodeThings const): Deleted.
(JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
(JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted.
(JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted.
(JSC::DirectArguments::offsetOfCallee): Deleted.
(JSC::DirectArguments::offsetOfLength): Deleted.
(JSC::DirectArguments::offsetOfMinCapacity): Deleted.
(JSC::DirectArguments::offsetOfMappedArguments): Deleted.
(JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted.
(JSC::DirectArguments::storageOffset): Deleted.
(JSC::DirectArguments::offsetOfSlot): Deleted.
(JSC::DirectArguments::allocationSize): Deleted.
(JSC::DirectArguments::storage): Deleted.
* runtime/JSCast.h:
* runtime/JSGlobalLexicalEnvironment.h:
(JSC::JSGlobalLexicalEnvironment::create): Deleted.
(JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted.
(JSC::JSGlobalLexicalEnvironment::createStructure): Deleted.
(JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::finishCreation):
* runtime/JSMap.h:
(JSC::isJSMap): Deleted.
* runtime/JSModuleEnvironment.h:
(JSC::JSModuleEnvironment::create): Deleted.
(JSC::JSModuleEnvironment::createStructure): Deleted.
(JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted.
(JSC::JSModuleEnvironment::allocationSize): Deleted.
(JSC::JSModuleEnvironment::moduleRecord): Deleted.
(JSC::JSModuleEnvironment::moduleRecordSlot): Deleted.
* runtime/JSObject.cpp:
(JSC::canDoFastPutDirectIndex):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
* runtime/JSObject.h:
(JSC::JSFinalObject::allocationSize): Deleted.
(JSC::JSFinalObject::typeInfo): Deleted.
(JSC::JSFinalObject::defaultInlineCapacity): Deleted.
(JSC::JSFinalObject::maxInlineCapacity): Deleted.
(JSC::JSFinalObject::createStructure): Deleted.
(JSC::JSFinalObject::finishCreation): Deleted.
(JSC::JSFinalObject::JSFinalObject): Deleted.
(JSC::isJSFinalObject): Deleted.
* runtime/JSScope.cpp:
* runtime/JSScope.h:
* runtime/JSSegmentedVariableObject.cpp:
* runtime/JSSegmentedVariableObject.h:
* runtime/JSSet.h:
(JSC::isJSSet): Deleted.
* runtime/JSType.h:
* runtime/JSWeakMap.h:
(JSC::isJSWeakMap): Deleted.
* runtime/JSWeakSet.h:
(JSC::isJSWeakSet): Deleted.
* runtime/JSWithScope.h:
(JSC::JSWithScope::object): Deleted.
* runtime/MapConstructor.cpp:
(JSC::constructMap):
(JSC::mapPrivateFuncMapBucketHead):
* runtime/MapPrototype.cpp:
(JSC::getMap):
* runtime/NumberObject.cpp:
(JSC::NumberObject::finishCreation):
* runtime/NumberPrototype.cpp:
(JSC::toThisNumber):
(JSC::numberProtoFuncToExponential):
(JSC::numberProtoFuncToFixed):
(JSC::numberProtoFuncToPrecision):
(JSC::numberProtoFuncToString):
(JSC::numberProtoFuncToLocaleString):
(JSC::numberProtoFuncValueOf):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::finishCreation):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor): Deleted.
(JSC::ScopedArguments::internalLength const): Deleted.
(JSC::ScopedArguments::length const): Deleted.
(JSC::ScopedArguments::isMappedArgument const): Deleted.
(JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted.
(JSC::ScopedArguments::getIndexQuickly const): Deleted.
(JSC::ScopedArguments::setIndexQuickly): Deleted.
(JSC::ScopedArguments::callee): Deleted.
(JSC::ScopedArguments::overrodeThings const): Deleted.
(JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted.
(JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted.
(JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted.
(JSC::ScopedArguments::offsetOfOverrodeThings): Deleted.
(JSC::ScopedArguments::offsetOfTotalLength): Deleted.
(JSC::ScopedArguments::offsetOfTable): Deleted.
(JSC::ScopedArguments::offsetOfScope): Deleted.
(JSC::ScopedArguments::overflowStorageOffset): Deleted.
(JSC::ScopedArguments::allocationSize): Deleted.
(JSC::ScopedArguments::overflowStorage const): Deleted.
* runtime/SetConstructor.cpp:
(JSC::constructSet):
(JSC::setPrivateFuncSetBucketHead):
* runtime/SetPrototype.cpp:
(JSC::getSet):
* runtime/StrictEvalActivation.h:
(JSC::StrictEvalActivation::create): Deleted.
(JSC::StrictEvalActivation::createStructure): Deleted.
* runtime/WeakMapPrototype.cpp:
(JSC::getWeakMap):
* runtime/WeakSetPrototype.cpp:
(JSC::getWeakSet):
2018-03-07 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] offlineasm: fix indentation in armOpcodeReversedOperands
https://bugs.webkit.org/show_bug.cgi?id=183400
Reviewed by Mark Lam.
* offlineasm/arm.rb:
2018-03-06 Mark Lam <mark.lam@apple.com>
Prepare LLInt code to support pointer profiling.
https://bugs.webkit.org/show_bug.cgi?id=183387
<rdar://problem/38199678>
Reviewed by JF Bastien.
1. Introduced PtrTag enums for supporting pointer profiling later.
2. Also introduced tagging, untagging, retagging, and tag removal placeholder
template functions for the same purpose.
3. Prepare the offlineasm for supporting pointer profiling later.
4. Tagged some pointers in LLInt asm code. Currently, these should have no
effect on behavior.
5. Removed returnToThrowForThrownException() because it is not used anywhere.
6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
easier to view and edit these files in Xcode.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/LLIntCallLinkInfo.h:
(JSC::LLIntCallLinkInfo::unlink):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::returnToThrowForThrownException): Deleted.
* llint/LLIntExceptions.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntPCRanges.h:
(JSC::LLInt::isLLIntPC):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* offlineasm/risc.rb:
* runtime/PtrTag.h: Added.
(JSC::uniquePtrTagID):
(JSC::ptrTag):
(JSC::tagCodePtr):
(JSC::untagCodePtr):
(JSC::retagCodePtr):
(JSC::removeCodePtrTag):
2018-03-06 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Assembler warnings: "use of r13 is deprecated"
https://bugs.webkit.org/show_bug.cgi?id=183286
Reviewed by Mark Lam.
Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm
sometimes generates assembly code that triggers this warning. Prevent
this by simply switching operands.
* offlineasm/arm.rb:
2018-03-06 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix incorrect assertion after r229309
https://bugs.webkit.org/show_bug.cgi?id=182975
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::TypeProfilerLog):
2018-03-05 Yusuke Suzuki <utatane.tea@gmail.com>
Fix std::make_unique / new[] using system malloc
https://bugs.webkit.org/show_bug.cgi?id=182975
Reviewed by JF Bastien.
Use Vector, FAST_ALLOCATED, or UniqueArray instead.
* API/JSStringRefCF.cpp:
(JSStringCreateWithCFString):
* bytecode/BytecodeKills.h:
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::BytecodeLivenessAnalysis::computeKills):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::dumpDisassembly):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
* jit/PolymorphicCallStubRoutine.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jsc.cpp:
(currentWorkingDirectory):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
* runtime/ArgList.h:
* runtime/StructureChain.h:
* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::resize):
* runtime/StructureIDTable.h:
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::TypeProfilerLog):
(JSC::TypeProfilerLog::initializeLog): Deleted.
* runtime/TypeProfilerLog.h:
(JSC::TypeProfilerLog::TypeProfilerLog): Deleted.
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::acquireRegExpPatternContexBuffer):
* runtime/VM.h:
* testRegExp.cpp:
(runFromFiles):
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::HeapVerifier):
* tools/HeapVerifier.h:
2018-03-05 Mark Lam <mark.lam@apple.com>
JITThunk functions should only be called when the JIT is enabled.
https://bugs.webkit.org/show_bug.cgi?id=183351
<rdar://problem/38160091>
Reviewed by Keith Miller.
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiNativeCall):
(JSC::JITThunks::ctiNativeConstruct):
(JSC::JITThunks::ctiInternalFunctionCall):
(JSC::JITThunks::ctiInternalFunctionConstruct):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getCTIInternalFunctionTrampolineFor):
2018-03-05 Mark Lam <mark.lam@apple.com>
Gardening: build fix.
Not reviewed.
* interpreter/AbstractPC.h:
(JSC::AbstractPC::AbstractPC):
2018-03-05 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Use WTF::ArithmeticOperations for CLoop overflow operations
https://bugs.webkit.org/show_bug.cgi?id=183324
Reviewed by JF Bastien.
We have WTF::ArithmeticOperations which has operations with overflow checking.
This is suitable for CLoop's overflow checking operations. This patch emits
WTF::ArithmeticOperations for CLoop's overflow checking operations. And it is
lowered to optimized code using CPU's overflow flag.
* offlineasm/cloop.rb:
2018-03-05 Don Olmstead <don.olmstead@sony.com>
[CMake] Split JSC header copying into public and private targets
https://bugs.webkit.org/show_bug.cgi?id=183251
Reviewed by Konstantin Tokarev.
* CMakeLists.txt:
2018-03-04 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively
https://bugs.webkit.org/show_bug.cgi?id=183312
Reviewed by Mark Lam.
Remove wtf/CurrentTime.h include pragma.
* API/tests/ExecutionTimeLimitTest.cpp:
(currentCPUTimeAsJSFunctionCallback):
(testExecutionTimeLimit):
* bytecode/SuperSampler.cpp:
* dfg/DFGPlan.cpp:
* heap/BlockDirectory.cpp:
* heap/Heap.cpp:
* heap/IncrementalSweeper.cpp:
* inspector/agents/InspectorConsoleAgent.cpp:
* inspector/agents/InspectorRuntimeAgent.cpp:
* profiler/ProfilerDatabase.cpp:
* runtime/CodeCache.h:
* runtime/JSDateMath.cpp:
* runtime/TypeProfilerLog.cpp:
* runtime/VM.cpp:
* runtime/Watchdog.cpp:
(JSC::Watchdog::shouldTerminate):
(JSC::Watchdog::startTimer):
* testRegExp.cpp:
* wasm/js/JSWebAssemblyCodeBlock.cpp:
2018-03-04 Tim Horton <timothy_horton@apple.com>
Make !ENABLE(DATA_DETECTION) iOS build actually succeed
https://bugs.webkit.org/show_bug.cgi?id=183283
<rdar://problem/38062148>
Reviewed by Sam Weinig.
* Configurations/FeatureDefines.xcconfig:
2018-03-02 Mark Lam <mark.lam@apple.com>
Make the LLInt probe work for ARM64.
https://bugs.webkit.org/show_bug.cgi?id=183298
<rdar://problem/38077413>
Reviewed by Filip Pizlo.
* llint/LowLevelInterpreter.asm:
2018-03-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED
https://bugs.webkit.org/show_bug.cgi?id=183279
Reviewed by JF Bastien.
* bytecode/BytecodeIntrinsicRegistry.h:
* ftl/FTLThunks.h:
* heap/CodeBlockSet.h:
* heap/GCSegmentedArray.h:
* heap/MachineStackMarker.h:
* heap/MarkingConstraintSet.h:
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
Remove monotonicallyIncreasingTime
https://bugs.webkit.org/show_bug.cgi?id=182911
Reviewed by Michael Catanzaro.
* debugger/Debugger.cpp:
(JSC::Debugger::willEvaluateScript):
(JSC::Debugger::didEvaluateScript):
* debugger/Debugger.h:
* debugger/ScriptProfilingScope.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::breakpointActionProbe):
* inspector/agents/InspectorHeapAgent.cpp:
(Inspector::InspectorHeapAgent::snapshot):
(Inspector::InspectorHeapAgent::didGarbageCollect):
(Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
* inspector/agents/InspectorHeapAgent.h:
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::startTracking):
(Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
(Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
(Inspector::InspectorScriptProfilerAgent::addEvent):
(Inspector::buildSamples):
* inspector/agents/InspectorScriptProfilerAgent.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::takeSample):
* runtime/SamplingProfiler.h:
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async)
https://bugs.webkit.org/show_bug.cgi?id=183173
Reviewed by Saam Barati.
Classifier could propagate an error which does not occur at the first token
of the given expression. We should check whether the given token is "async"
instead of assertion.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseAssignmentExpression):
2018-03-01 Saam Barati <sbarati@apple.com>
We need to clear cached structures when having a bad time
https://bugs.webkit.org/show_bug.cgi?id=183256
<rdar://problem/36245022>
Reviewed by Mark Lam.
This patch makes both InternalFunctionAllocationProfile and the VM's
structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile,
we clear them when they'd produce an object with a bad indexing type.
For the VM's Structure cache, we conservatively clear the entire cache
since it may be housing Structures with bad indexing types.
* runtime/FunctionRareData.h:
(JSC::FunctionRareData::clearInternalFunctionAllocationProfile):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::haveABadTime):
* runtime/StructureCache.h:
(JSC::StructureCache::clear):
2018-03-01 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, fix exception check for ExceptionScope
https://bugs.webkit.org/show_bug.cgi?id=183175
* jsc.cpp:
(GlobalObject::moduleLoaderFetch):
2018-02-28 Dominik Infuehr <dinfuehr@igalia.com>
[ARM] Fix compile error in debug builds by invoking unpoisoned().
Reviewed by Mark Lam.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error.
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto.
(JSC::MacroAssemblerCodePtr::dataLocation()): Ditto.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t.
2018-02-28 JF Bastien <jfbastien@apple.com>
GC should sweep code block before deleting
https://bugs.webkit.org/show_bug.cgi?id=183229
<rdar://problem/32767615>
Reviewed by Saam Barati, Fil Pizlo.
Stub routines shouldn't get deleted before codeblocks have been
swept, otherwise there's a small race window where the codeblock
thinks it's still reachable.
* heap/Heap.cpp:
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
2018-02-28 Yusuke Suzuki <utatane.tea@gmail.com>
JSC crash with `import("")`
https://bugs.webkit.org/show_bug.cgi?id=183175
Reviewed by Saam Barati.
Add file existence and file type check for module loader implementation in jsc.cpp.
This is not safe for TOCTOU, but it is OK since this functionality is used for the
JSC shell (jsc.cpp): testing purpose.
* jsc.cpp:
(fillBufferWithContentsOfFile):
(fetchModuleFromLocalFileSystem):
2018-02-27 Keith Miller <keith_miller@apple.com>
Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
https://bugs.webkit.org/show_bug.cgi?id=183195
Reviewed by Mark Lam.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::patchableBranchPtr):
(JSC::MacroAssembler::patchableBranchPtrWithPatch):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchPtrWithPatch):
(JSC::MacroAssemblerARM::storePtrWithPatch):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::tailRecursiveCall):
(JSC::MacroAssemblerARM64::branchPtrWithPatch):
(JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
(JSC::MacroAssemblerARM64::storePtrWithPatch):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchPtrWithPatch):
(JSC::MacroAssemblerARMv7::patchableBranchPtr):
(JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
(JSC::MacroAssemblerARMv7::storePtrWithPatch):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchPtrWithPatch):
(JSC::MacroAssemblerMIPS::storePtrWithPatch):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::branchPtrWithPatch):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType):
(JSC::MacroAssemblerX86_64::call):
(JSC::MacroAssemblerX86_64::tailRecursiveCall):
(JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
(JSC::MacroAssemblerX86_64::branchPtrWithPatch):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileToLowerCase):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::debugCall):
(JSC::AssemblyHelpers::sanitizeStackInline):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::initParenContextFreeList):
(JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
(JSC::Yarr::YarrGenerator::generate):
2018-02-26 Mark Lam <mark.lam@apple.com>
Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments.
https://bugs.webkit.org/show_bug.cgi?id=183159
<rdar://problem/37930837>
Reviewed by Keith Miller.
* assembler/LinkBuffer.h:
* assembler/testmasm.cpp:
(JSC::compile):
* b3/B3Compile.cpp:
(JSC::B3::compile):
* b3/air/testair.cpp:
* b3/testb3.cpp:
(JSC::B3::testEntrySwitchSimple):
(JSC::B3::testEntrySwitchNoEntrySwitch):
(JSC::B3::testEntrySwitchWithCommonPaths):
(JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
(JSC::B3::testEntrySwitchLoop):
* bytecode/InlineAccess.cpp:
(JSC::linkCodeInline):
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/ExecutableAllocator.cpp:
* jit/JIT.cpp:
(JSC::JIT::link):
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
* jit/JITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkCallThunkGenerator):
(JSC::linkPolymorphicCallThunkGenerator):
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::arityFixupGenerator):
(JSC::unreachableGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):
2018-02-25 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
https://bugs.webkit.org/show_bug.cgi?id=182965
Reviewed by Saam Barati.
This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlwoPutArrayStorage support.
Basically large part of the patch is porting from DFG code. Since PutByVal already emits CheckInBounds
for InBounds case, we do not have OutOfBounds check for that case.
This is the last change for FTL to support all the types of DFG nodes except for CreateThis.
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
For consistency, we use operationPutByValXXX and operationPutByValDirectXXX.
But except for SlowPutArrayStorage case, basically it is meaningless since
we do not have indexed accessors.
2018-02-26 Saam Barati <sbarati@apple.com>
validateStackAccess should not validate if the offset is within the stack bounds
https://bugs.webkit.org/show_bug.cgi?id=183067
<rdar://problem/37749988>
Reviewed by Mark Lam.
The validation rule was saying that any load from the stack must be
within the stack bounds of the frame. However, it's natural for a user
of B3 to emit code that may be outside of B3's stack bounds, but guard
such a load with a branch. The FTL does exactly this with GetMyArgumentByVal.
B3 is wrong to assert that this is a static property about all stack loads.
* b3/B3Validate.cpp:
2018-02-23 Saam Barati <sbarati@apple.com>
Make Number.isInteger an intrinsic
https://bugs.webkit.org/show_bug.cgi?id=183088
Reviewed by JF Bastien.
When profiling the ML subtest in ARES, I noticed it was spending some
time in Number.isInteger. This patch makes that operation an intrinsic
in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but
it's likely not an aggregate speedup on ARES. However, it is definitely
faster than calling into a builtin function, so we might as well have
it as an intrinsic.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
(JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation):
(JSC::numberConstructorFuncIsInteger):
* runtime/NumberConstructor.h:
(JSC::NumberConstructor::isIntegerImpl):
2018-02-23 Oleksandr Skachkov <gskachkov@gmail.com>
WebAssembly: cache memory address / size on instance
https://bugs.webkit.org/show_bug.cgi?id=177305
Reviewed by JF Bastien.
Cache memory address/size in wasm:Instance to avoid load wasm:Memory
object during access to memory and memory size property in JiT
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCurrentMemory):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::cachedMemory const):
(JSC::Wasm::Instance::cachedMemorySize const):
(JSC::Wasm::Instance::createWeakPtr):
(JSC::Wasm::Instance::setMemory):
(JSC::Wasm::Instance::updateCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedMemorySize):
(JSC::Wasm::Instance::offsetOfCachedIndexingMask):
(JSC::Wasm::Instance::allocationSize):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::grow):
(JSC::Wasm::Memory::registerInstance):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::indexingMask):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):
2018-02-23 Saam Barati <sbarati@apple.com>
ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
https://bugs.webkit.org/show_bug.cgi?id=182982
Reviewed by Yusuke Suzuki.
I don't know why this check was not always an assert. When we see
a GetByOffset on an eliminated allocation, that allocation *must*
be a PhantomClonedArguments. If it weren't, the GetByOffset would
have escaped it. Because this transformation happens by visiting
blocks in pre-order, and by visiting nodes in a block starting from
index zero to index block->size() - 1, we're guaranteed that eliminated
allocations get transformed before users of it, since we visit nodes
in dominator order.
* dfg/DFGArgumentsEliminationPhase.cpp:
2018-02-23 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement $vm.ftlTrue function for FTL testing
https://bugs.webkit.org/show_bug.cgi?id=183071
Reviewed by Mark Lam.
Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL.
This is useful for testing whether the caller function is compiled in FTL.
We also remove duplicate DFGTrue function in jsc.cpp. We have $vm.dfgTrue.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionFalse1):
(functionFalse2): Deleted.
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* tools/JSDollarVM.cpp:
(JSC::functionFTLTrue):
(JSC::JSDollarVM::finishCreation):
2018-02-22 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182792
Reviewed by Mark Lam.
This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL.
HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures
in web-tooling-benchmarks.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2018-02-22 Mark Lam <mark.lam@apple.com>
Refactor MacroAssembler code to improve reuse and extensibility.
https://bugs.webkit.org/show_bug.cgi?id=183054
<rdar://problem/37797337>
Reviewed by Saam Barati.
* assembler/ARM64Assembler.h:
* assembler/MacroAssembler.cpp:
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARM.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::canCompact):
(JSC::MacroAssemblerARM64::computeJumpType):
(JSC::MacroAssemblerARM64::jumpSizeDelta):
(JSC::MacroAssemblerARM64::link):
(JSC::MacroAssemblerARM64::load64):
(JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::load32):
(JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::load16):
(JSC::MacroAssemblerARM64::load16SignedExtendTo32):
(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::load8SignedExtendTo32):
(JSC::MacroAssemblerARM64::store64):
(JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::store32):
(JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
(JSC::MacroAssemblerARM64::store16):
(JSC::MacroAssemblerARM64::store8):
(JSC::MacroAssemblerARM64::getEffectiveAddress):
(JSC::MacroAssemblerARM64::branchDoubleNonZero):
(JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
(JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::loadFloat):
(JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::storeDouble):
(JSC::MacroAssemblerARM64::storeFloat):
(JSC::MacroAssemblerARM64::call):
(JSC::MacroAssemblerARM64::jump):
(JSC::MacroAssemblerARM64::tailRecursiveCall):
(JSC::MacroAssemblerARM64::setCarry):
(JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
(JSC::MacroAssemblerARM64::isBreakpoint):
(JSC::MacroAssemblerARM64::invert):
(JSC::MacroAssemblerARM64::readCallTarget):
(JSC::MacroAssemblerARM64::replaceWithVMHalt):
(JSC::MacroAssemblerARM64::replaceWithJump):
(JSC::MacroAssemblerARM64::maxJumpReplacementSize):
(JSC::MacroAssemblerARM64::patchableJumpSize):
(JSC::MacroAssemblerARM64::repatchCall):
(JSC::MacroAssemblerARM64::makeBranch):
(JSC::MacroAssemblerARM64::makeCompareAndBranch):
(JSC::MacroAssemblerARM64::makeTestBitAndBranch):
(JSC::MacroAssemblerARM64::ARM64Condition):
(JSC::MacroAssemblerARM64::moveWithFixedWidth):
(JSC::MacroAssemblerARM64::load):
(JSC::MacroAssemblerARM64::store):
(JSC::MacroAssemblerARM64::tryLoadWithOffset):
(JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
(JSC::MacroAssemblerARM64::tryStoreWithOffset):
(JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::linkCall):
* assembler/MacroAssemblerARMv7.h:
* assembler/MacroAssemblerMIPS.h:
* assembler/MacroAssemblerX86Common.h:
* assembler/ProbeStack.h:
- Removed a forward declaration of an obsolete class.
2018-02-22 Yusuke Suzuki <utatane.tea@gmail.com>
Remove sleep(double) and sleepMS(double) interfaces
https://bugs.webkit.org/show_bug.cgi?id=183038
Reviewed by Mark Lam.
* bytecode/SuperSampler.cpp:
(JSC::initializeSuperSampler):
2018-02-21 Don Olmstead <don.olmstead@sony.com>
[CMake] Split declaration of JSC headers into public and private
https://bugs.webkit.org/show_bug.cgi?id=182980
Reviewed by Michael Catanzaro.
* CMakeLists.txt:
* PlatformGTK.cmake:
* PlatformMac.cmake:
* PlatformWPE.cmake:
* PlatformWin.cmake:
2018-02-20 Saam Barati <sbarati@apple.com>
DFG::VarargsForwardingPhase should eliminate getting argument length
https://bugs.webkit.org/show_bug.cgi?id=182959
Reviewed by Keith Miller.
This patch teaches the DFG VarargsForwardingPhase to not treat
length accesses on Cloned/Direct Arguments objects as escapes.
It teaches this phase to materialize the length in the same
way the ArgumentsEliminationPhase does.
This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds
up the ML subtest by 2-4%.
This patch also extends compileGetArgumentCountIncludingThis to take
a parameter that is the inline call frame to load from (in the case
where the inline call frame is a varargs frame). This allows the
the emitCodeToGetArgumentsArrayLength helper function to just emit
a GetArgumentCountIncludingThis node instead of a GetLocal. If we
emitted a GetLocal, we'd need to rerun CPS rethreading.
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getArgumentCount):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGNode.h:
(JSC::DFG::Node::argumentsInlineCallFrame):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support ArrayPush for ArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182782
Reviewed by Saam Barati.
This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Support ArrayPop for ArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182783
Reviewed by Saam Barati.
This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
2018-02-14 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=182731
Reviewed by Saam Barati.
This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL.
Due to ArrayifyToStructure and CheckArray changes, necessary changes for
supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp
is enough.
We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) does not pass
ArrayStorage in FTL. But now it passes this as DFG does. Moreover, we fix DFG's CheckArray
where CheckArray(ArrayStorage+NonArray) can pass ArrayStorage+Array.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
* dfg/DFGSpeculativeJIT.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
2018-02-19 Saam Barati <sbarati@apple.com>
Don't use JSFunction's allocation profile when getting the prototype can be effectful
https://bugs.webkit.org/show_bug.cgi?id=182942
<rdar://problem/37584764>
Reviewed by Mark Lam.
Prior to this patch, the create_this implementation assumed that anything
that is a JSFunction can use the object allocation profile and go down the
fast path to allocate the |this| object. Implied by this approach is that
accessing the 'prototype' property of the incoming function is not an
effectful operation. This is inherent to the ObjectAllocationProfile
data structure: it caches the prototype field. However, getting the
'prototype' property might be an effectful operation, e.g, it could
be a getter. Many variants of functions in JS have the 'prototype' property
as non-configurable. However, some functions, like bound functions, do not
have the 'prototype' field with these attributes.
This patch adds the notion of 'canUseAllocationProfile' to JSFunction
and threads it through so that we only go down the fast path and use
the allocation profile when the prototype property is non-configurable.
* bytecompiler/NodesCodegen.cpp:
(JSC::ClassExprNode::emitBytecode):
* dfg/DFGOperations.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSFunction.cpp:
(JSC::JSFunction::prototypeForConstruction):
(JSC::JSFunction::allocateAndInitializeRareData):
(JSC::JSFunction::initializeRareData):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::canUseAllocationProfileNonInline):
* runtime/JSFunction.h:
(JSC::JSFunction::ensureRareDataAndAllocationProfile):
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::canUseAllocationProfile):
2018-02-19 Saam Barati <sbarati@apple.com>
Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain
https://bugs.webkit.org/show_bug.cgi?id=182912
<rdar://problem/37685083>
Reviewed by Keith Miller.
In the baseline JIT and LLInt, when we loading a hole from an original array,
with the array prototype chain being normal, we end up marking the ArrayProfile
for that GetByVal as out of bounds. However, the DFG knows exactly how to
optimize this case by returning undefined when loading from a hole. Currently,
it only does this for Contiguous arrays (and sometimes Double arrays).
This patch just makes sure to not mark the ArrayProfile as out of bounds
in this scenario for Contiguous arrays, since the DFG will always optimize
this case.
However, we should extend this by profiling when a GetByVal loads a hole. By
doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double
arrays. That work will happen in:
https://bugs.webkit.org/show_bug.cgi?id=182940
This patch is a 30-50% speedup on JetStream's hash-map test. This patch
speeds up JetStream by 1% when testing on my iMac.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* jit/JITOperations.cpp:
(JSC::getByVal):
(JSC::canAccessArgumentIndexQuickly): Deleted.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
2018-02-17 Filip Pizlo <fpizlo@apple.com>
GetArrayMask should support constant folding
https://bugs.webkit.org/show_bug.cgi?id=182907
Reviewed by Saam Barati.
Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was
ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been
impossible for that function to get called with a non-null value if the value was not an array view,
due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and
the fact that the other tryGetFoldableView overload made sure that the array mode was some typed
array.
This isn't a measurable progression, but it does save a register in the codegen for typed array
accesses. Hopefully these improvements add up.
* assembler/AssemblerBuffer.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetFoldableView):
2018-02-18 Dominik Inführ <dominik.infuehr@gmail.com>
Offlineasm/MIPS: immediates need to be within 16-bit signed values
https://bugs.webkit.org/show_bug.cgi?id=182890
Reviewed by Michael Catanzaro.
In Sequence.getModifiedListMIPS(), we allow immediate values within
the range -0xffff..0xffff for immediates (addresses and other
immediates), but then in Immediate.mipsOperand() and
Address.mipsOperand() we raise if immediate values are not within
-0x7fff..0x7fff. This is inconsistent, and broke compilation on mips
since r228552 made the VM structure bigger meaning we address values
with bigger offsets in llint. This change restricts the allowed range,
so that a separate load of the value is done for values outside of
that range.
* offlineasm/mips.rb:
2018-02-17 Darin Adler <darin@apple.com>
Web Inspector: get rid of remaining uses of OptOutput<T>
https://bugs.webkit.org/show_bug.cgi?id=180607
Reviewed by Brian Burg.
* inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/AsyncStackTrace.h: Ditto.
* inspector/ConsoleMessage.cpp: Ditto.
* inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
(Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
Vector instead of a unique_ptr<Vector>.
(Inspector::ContentSearchUtilities::lineEndings): Ditto.
(Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
(Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
a Vector for a fixed size array; also got rid of reinterpret_cast.
(Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
expression here since it's the only place it was used.
* inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
* inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
Removed base template for BindingTraits; we only need the specializations.
* inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/ScriptCallFrame.h: Ditto.
* inspector/ScriptCallStack.cpp: Ditto.
* inspector/ScriptCallStack.h: Ditto.
* inspector/agents/InspectorConsoleAgent.cpp: Ditto.
* inspector/agents/InspectorConsoleAgent.h: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& intead of
OptOutput* for out arguments.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorHeapAgent::getPreview): Use std::optional& intead of OptOutput*
for out arguments.
* inspector/agents/InspectorHeapAgent.h: Ditto.
* inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorRuntimeAgent::parse): Use std::optional& intead of OptOutput*
for out arguments.
(Inspector::InspectorRuntimeAgent::evaluate): Ditto.
(Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
(Inspector::InspectorRuntimeAgent::saveResult): Ditto.
* inspector/agents/InspectorRuntimeAgent.h: Ditto.
* inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
and removed some bogus const.
* inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
* inspector/scripts/codegen/cpp_generator.py:
(CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
(CppGenerator.cpp_type_for_type_with_name): Ditto.
(CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
Inspector::Protocol::OptOutput*.
(CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
* inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
conditional around assertion code which will now compile to nothing if ASSERT is disabled.
Build strings more simply in a few cases.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
replace OptOutput here.
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
Pass by reference instead of pointer now.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
if ASSERT is disabled.
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
(CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
(ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
more simply.
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
Rebaselined.
2018-02-16 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r228318.
The patch that this attempted to fix was rolled out already.
Reverted changeset:
"Fix build on ARMv7 traditional JSCOnly bot after r228306"
https://bugs.webkit.org/show_bug.cgi?id=182563
https://trac.webkit.org/changeset/228318
2018-02-16 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r228306 (custom memcpy/memset) because the bots say that it was not a
progression.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::append):
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::tryCreate):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createInternal):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::zeroRangeImpl):
* runtime/ArrayConventions.cpp:
(JSC::clearArrayMemset):
* runtime/ArrayConventions.h:
(JSC::clearArray):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::create):
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::PropertyTable):
2018-02-16 Saam Barati <sbarati@apple.com>
Fix bugs from r228411
https://bugs.webkit.org/show_bug.cgi?id=182851
<rdar://problem/37577732>
Reviewed by JF Bastien.
There was a bug from r228411 where inside the constant folding phase,
we used an insertCheck method that didn't handle varargs. This would
lead to a crash. When thinking about the fix for that function, I realized
a made a couple of mistakes in r228411. One is probably a security bug, and
the other is a performance bug because it'll prevent CSE for certain flavors
of GetByVal nodes. Both blunders are similar in nature.
In r228411, I added code in LICM that inserted a CheckVarargs node with children
of another varargs node. However, to construct this new node's children,
I just copied the AdjacencyList. This does a shallow copy. What we needed
was a deep copy. We needed to create a new vararg AdjacencyList that points
to edges that are deep copies of the original varargs children. This patch
fixes this goof in LICM.
r228411 made it so that PureValue over a varargs node would just compare actual
AdjacencyLists structs. So, if you had two GetByVals that had equal santized
children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
have different firstChild values. Instead, we need to do a deep compare of their
adjacency lists. This patch teaches PureValue how to do that.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::copyVarargChildren):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertCheck):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGPureValue.cpp:
(JSC::DFG::PureValue::dump const):
* dfg/DFGPureValue.h:
(JSC::DFG::PureValue::PureValue):
(JSC::DFG::PureValue::op const):
(JSC::DFG::PureValue::hash const):
(JSC::DFG::PureValue::operator== const):
(JSC::DFG::PureValue::isVarargs const):
(JSC::DFG::PureValue::children const): Deleted.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2018-02-16 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r228546.
This caused a consistent crash on all macOS WK2 platforms.
Reverted changeset:
"Web Inspector: get rid of remaining uses of OptOutput<T>"
https://bugs.webkit.org/show_bug.cgi?id=180607
https://trac.webkit.org/changeset/228546
2018-02-16 Fujii Hironori <Hironori.Fujii@sony.com>
fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
https://bugs.webkit.org/show_bug.cgi?id=172952
Reviewed by Michael Catanzaro.
Null dereference of VM::topCallFrame happens in
Inspector::createScriptCallStackForConsole if the ExecState has no
call frames.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack): Do null check of topCallFrame.
(Inspector::createScriptCallStackForConsole): Ditto.
2018-02-15 Filip Pizlo <fpizlo@apple.com>
Objects that contain dangerous things should be allocated far away from objects that can do OOB
https://bugs.webkit.org/show_bug.cgi?id=182843
Reviewed by Saam Barati.
To complete our object distancing plan, we need to put objects that can contain unpoisoned data
far away from objects that cannot. Objects referenceable from JSValues cannot contain
unpoisoned data, but auxiliary data can. This further divides auxiliary data that is meant for
storing mostly JSValues from data that is meant for storing anything.
This is achieved by having three SecurityKinds that are used for MarkedBlock selection and
zeroing sort of the same way SecurityOriginToken already was.
This change shouldn't make anything slower. If anything, it will be a small speed-up because it
removes some cases of MarkedBlock zeroing since we don't need to zero blocks used for two of
the SecurityKinds.
* Sources.txt:
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::addBlock):
* heap/BlockDirectory.h:
* heap/CellAttributes.cpp:
(JSC::CellAttributes::dump const):
* heap/CellAttributes.h:
(JSC::CellAttributes::CellAttributes):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::associateWithOrigin): Deleted.
* heap/MarkedBlock.h:
* heap/SecurityKind.cpp: Added.
(WTF::printInternal):
* heap/SecurityKind.h: Added.
* runtime/JSCellInlines.h:
(JSC::JSCell::subspaceFor):
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSObject.h:
(JSC::JSObject::subspaceFor):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/Symbol.h:
(JSC::Symbol::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2018-02-15 Darin Adler <darin@apple.com>
Web Inspector: get rid of remaining uses of OptOutput<T>
https://bugs.webkit.org/show_bug.cgi?id=180607
Reviewed by Brian Burg.
* inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/AsyncStackTrace.h: Ditto.
* inspector/ConsoleMessage.cpp: Ditto.
* inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
(Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
Vector instead of a unique_ptr<Vector>.
(Inspector::ContentSearchUtilities::lineEndings): Ditto.
(Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
(Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
a Vector for a fixed size array; also got rid of reinterpret_cast.
(Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
expression here since it's the only place it was used.
* inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
* inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
Removed base template for BindingTraits; we only need the specializations.
* inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
is inside the Inspector namespace already. Also use auto a bit.
* inspector/ScriptCallFrame.h: Ditto.
* inspector/ScriptCallStack.cpp: Ditto.
* inspector/ScriptCallStack.h: Ditto.
* inspector/agents/InspectorConsoleAgent.cpp: Ditto.
* inspector/agents/InspectorConsoleAgent.h: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& intead of
OptOutput* for out arguments.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorHeapAgent::getPreview): Use std::optional& intead of OptOutput*
for out arguments.
* inspector/agents/InspectorHeapAgent.h: Ditto.
* inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
(Inspector::InspectorRuntimeAgent::parse): Use std::optional& intead of OptOutput*
for out arguments.
(Inspector::InspectorRuntimeAgent::evaluate): Ditto.
(Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
(Inspector::InspectorRuntimeAgent::saveResult): Ditto.
* inspector/agents/InspectorRuntimeAgent.h: Ditto.
* inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
and removed some bogus const.
* inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
* inspector/scripts/codegen/cpp_generator.py:
(CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
(CppGenerator.cpp_type_for_type_with_name): Ditto.
(CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
Inspector::Protocol::OptOutput*.
(CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
(CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
* inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
conditional around assertion code which will now compile to nothing if ASSERT is disabled.
Build strings more simply in a few cases.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
replace OptOutput here.
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
Pass by reference instead of pointer now.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
if ASSERT is disabled.
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
(CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
(ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
more simply.
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
Rebaselined.
2018-02-15 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r228366 since it did not progress anything.
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::visitChildren):
(JSC::ErrorInstance::finalizeUnconditionally): Deleted.
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::stackTrace):
(JSC::ErrorInstance::subspaceFor): Deleted.
* runtime/Exception.cpp:
(JSC::Exception::visitChildren):
(JSC::Exception::finalizeUnconditionally): Deleted.
* runtime/Exception.h:
* runtime/StackFrame.cpp:
(JSC::StackFrame::visitChildren):
(JSC::StackFrame::isFinalizationCandidate): Deleted.
(JSC::StackFrame::finalizeUnconditionally): Deleted.
* runtime/StackFrame.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-02-15 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove monotonicallyIncreasingTime and currentTime
https://bugs.webkit.org/show_bug.cgi?id=182793
Reviewed by Saam Barati.
We would like to drop monotonicallyIncreasingTime and currentTime from our tree by
replacing them with MonotonicTime and WallTime, which are well-typed alternatives,
compared to double.
This patch removes monotonicallyIncreasingTime and currentTime in JSC.
* b3/testb3.cpp:
(JSC::B3::testComplex):
* dfg/DFGPhase.h:
(JSC::DFG::runAndLog):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPlan.h:
* dynbench.cpp:
(JSC::benchmarkImpl):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::isPagedOut):
* heap/BlockDirectory.h:
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
* heap/Heap.cpp:
(JSC::Heap::isPagedOut):
(JSC::Heap::sweepSynchronously):
* heap/Heap.h:
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::isPagedOut):
* heap/MarkedSpace.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::startTiming):
(Inspector::InspectorConsoleAgent::stopTiming):
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::compileTimeStats):
* jit/JIT.h:
* jsc.cpp:
(StopWatch::start):
(StopWatch::stop):
(StopWatch::getElapsedMS):
(functionPreciseTime):
(runJSC):
* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::logEvent):
* profiler/ProfilerEvent.cpp:
(JSC::Profiler::Event::toJS const):
* profiler/ProfilerEvent.h:
(JSC::Profiler::Event::Event):
(JSC::Profiler::Event::time const):
* runtime/CodeCache.cpp:
(JSC::CodeCacheMap::pruneSlowCase):
* runtime/CodeCache.h:
(JSC::CodeCacheMap::CodeCacheMap):
(JSC::CodeCacheMap::prune):
* runtime/DateConstructor.cpp:
(JSC::callDate):
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::processLogEntries):
* testRegExp.cpp:
(StopWatch::start):
(StopWatch::stop):
(StopWatch::getElapsedMS):
2018-02-14 Keith Miller <keith_miller@apple.com>
We should be able to jsDynamicCast from JSType when possible
https://bugs.webkit.org/show_bug.cgi?id=182804
Reviewed by Filip Pizlo and Mark Lam.
This patch beefs up jsDynamicCast in some of the cases where we
can use the JSType to quickly determine if a cell is a subclass of
the desired type. Since all JSCells have a range of JSTypes they support,
if there is a range exclusive to a class and all subclasses we can use
that range to quickly determine if the cast should be successful.
Additionally, the JSValue versions of jsCast and jsDynamicCast now
call the JSCell version after checking the value is a cell.
Finally, the casting functions have been moved to a new header,
JSCast.h
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallVariant.h:
* bytecode/CodeBlock.h:
* bytecode/ExecutableToCodeBlockEdge.h:
* bytecode/TrackedReferences.h:
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedFunctionExecutable.h:
* dfg/DFGAbstractValue.h:
* dfg/DFGCommonData.h:
* dfg/DFGFrozenValue.h:
* dfg/DFGStructureAbstractValue.h:
* heap/CellContainerInlines.h:
* heap/ConservativeRoots.cpp:
* heap/GCLogging.cpp:
* heap/HeapInlines.h:
* heap/HeapSnapshotBuilder.cpp:
* heap/MarkedBlock.cpp:
* heap/MarkedBlockInlines.h:
* heap/SubspaceInlines.h:
* heap/WeakInlines.h:
* jit/JITOpcodes.cpp:
* jit/JITOpcodes32_64.cpp:
* llint/LLIntOffsetsExtractor.cpp:
* runtime/ArrayBufferNeuteringWatchpoint.h:
* runtime/BigIntPrototype.cpp:
* runtime/ClassInfo.h:
* runtime/CustomGetterSetter.h:
* runtime/FunctionRareData.h:
* runtime/GetterSetter.h:
* runtime/InferredType.h:
* runtime/InferredTypeTable.h:
* runtime/InferredValue.h:
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::finishCreation):
* runtime/JSAPIValueWrapper.h:
* runtime/JSArray.h:
(JSC::JSArray::finishCreation):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::finishCreation):
* runtime/JSCast.h: Added.
(JSC::jsCast):
(JSC::JSCastingHelpers::jsDynamicCastGenericImpl):
(JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl):
(JSC::JSCastingHelpers::JSDynamicCastTraits::cast):
(JSC::jsDynamicCast):
* runtime/JSCell.cpp:
* runtime/JSCell.h:
(JSC::jsCast): Deleted.
(JSC::jsDynamicCast): Deleted.
* runtime/JSCellInlines.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
* runtime/JSJob.h:
* runtime/JSObject.h:
(JSC::JSObject::finishCreation):
* runtime/JSPromiseDeferred.h:
* runtime/JSPropertyNameEnumerator.h:
* runtime/NativeStdFunctionCell.h:
* runtime/ScopedArgumentsTable.h:
* runtime/SparseArrayValueMap.h:
* runtime/Structure.h:
* runtime/StructureChain.h:
* runtime/StructureRareData.h:
* tools/CellProfile.h:
* wasm/js/JSWebAssemblyCodeBlock.h:
2018-02-14 Michael Saboff <msaboff@apple.com>
Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
https://bugs.webkit.org/show_bug.cgi?id=182808
Reviewed by Keith Miller.
Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
thunk.
* wasm/WasmThunks.cpp:
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
2018-02-14 Saam Barati <sbarati@apple.com>
Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
https://bugs.webkit.org/show_bug.cgi?id=182801
Reviewed by Keith Miller.
VMTraps would sometimes install traps when it paused the JS thread when it
was in C code. This is wrong, as installing traps mallocs, and the JS thread
may have been holding the malloc lock while in C code. This could lead to a
deadlock when C code was holding the malloc lock.
This patch makes it so that we only install traps when we've proven the PC
is in JIT or LLInt code. If we're in JIT/LLInt code, we are guaranteed that
we're not holding the malloc lock.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionMallocInALoop):
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
2018-02-14 Michael Saboff <msaboff@apple.com>
REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow
https://bugs.webkit.org/show_bug.cgi?id=182705
Reviewed by Mark Lam.
Moved the pattern context buffer used by YARR JIT'ed code from a stack local to a lazily allocated
buffer on the VM. Exposed when the buffer is needed to reduce likelihood that we'd allocated it.
Guarded use of the buffer with a lock since the DFG compiler may call into YARR JIT'ed code on a
compilation thread.
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/VM.cpp:
(JSC::VM::~VM):
(JSC::VM::acquireRegExpPatternContexBuffer):
(JSC::VM::releaseRegExpPatternContexBuffer):
* runtime/VM.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::usesPatternContextBuffer):
(JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer):
2018-02-13 Saam Barati <sbarati@apple.com>
putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
https://bugs.webkit.org/show_bug.cgi?id=182755
<rdar://problem/37080864>
Reviewed by Keith Miller.
putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
the object in question to a dictionary indexing mode when the index is less than
the vector length. This makes no sense. If we're defining a getter, setter, or read
only property, we must always enter the dictionary indexing mode irrespective
of the index in relation to the vector length.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
2018-02-13 Saam Barati <sbarati@apple.com>
Follup fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2().
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-02-13 Guillaume Emont <guijemont@igalia.com>
[YarrJIT][ARM] We need to save r8 as it is the initial start register
https://bugs.webkit.org/show_bug.cgi?id=182157
Reviewed by Saam Barati.
Register r8 is the initial start register since r224172, so we need to
save it. We still need to save r6 as well even though it is not the
initial start register any more, since it is used by the
MacroAssembler which we use (we get crashes in some situations if we
don't save r6). This issue was discovered because
stress/regress-174044.js crashes on a raspberry pi 2 when compiled in
-O2.
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
2018-02-13 Caitlin Potter <caitp@igalia.com>
[JSC] cache TaggedTemplate arrays by callsite rather than by contents
https://bugs.webkit.org/show_bug.cgi?id=182717
Reviewed by Yusuke Suzuki.
https://github.com/tc39/ecma262/pull/890 imposes a change to template
literals, to allow template callsite arrays to be collected when the
code containing the tagged template call is collected. This spec change
has received concensus and been ratified.
This change eliminates the eternal map associating template contents
with arrays.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DirectEvalCodeCache.cpp:
(JSC::DirectEvalCodeCache::setSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addTemplateObjectConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):
(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
* bytecompiler/BytecodeGenerator.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/Parser.h:
* parser/ParserModes.h:
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::allowDirectEvalCache const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::templateRegistry): Deleted.
* runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
(JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
(JSC::JSTemplateObjectDescriptor::create):
(JSC::JSTemplateObjectDescriptor::destroy):
(JSC::JSTemplateObjectDescriptor::createTemplateObject):
* runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
(JSC::isTemplateObjectDescriptor):
* runtime/JSTemplateRegistryKey.cpp: Removed.
* runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
(JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
* runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
(JSC::TemplateObjectDescriptor::operator== const):
(JSC::TemplateObjectDescriptor::operator!= const):
(JSC::TemplateObjectDescriptor::Hasher::hash):
(JSC::TemplateObjectDescriptor::Hasher::equal):
(JSC::TemplateObjectDescriptor::create):
(JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
(JSC::TemplateObjectDescriptor::calculateHash):
* runtime/TemplateRegistry.h: Removed.
* runtime/TemplateRegistryKeyTable.cpp: Removed.
* runtime/TemplateRegistryKeyTable.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::templateRegistryKeyTable): Deleted.
* runtime/VMEntryScope.cpp:
2018-02-13 Yusuke Suzuki <utatane.tea@gmail.com>
Support GetArrayLength on ArrayStorage in the FTL
https://bugs.webkit.org/show_bug.cgi?id=182625
Reviewed by Saam Barati.
This patch adds GetArrayLength and CheckArray + ArrayStorage & SlowPutArrayStorage support for FTL.
The implementation is trivial; just porting one in DFG to FTL.
This fixes several FTL compilation failures in web-tooling-benchmarks while we still need to support
ArrayPush, ArrayPop, Arrayify, and PutByVal.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
(JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
2018-02-10 Filip Pizlo <fpizlo@apple.com>
Lock down JSFunction
https://bugs.webkit.org/show_bug.cgi?id=182652
Reviewed by Saam Barati.
This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
isospaces.
This is so neutral on JetStream: 0.01% slower with p = 0.969211.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileNewFunction):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::weakPointer):
(JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
* ftl/FTLOutput.h:
(JSC::FTL::Output::weakPointer):
(JSC::FTL::Output::weakPoisonedPointer):
* heap/MarkedSpace.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_this):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSAsyncFunction.h:
(JSC::JSAsyncFunction::subspaceFor):
* runtime/JSAsyncGeneratorFunction.h:
(JSC::JSAsyncGeneratorFunction::subspaceFor):
* runtime/JSBoundFunction.h:
(JSC::JSBoundFunction::subspaceFor):
* runtime/JSCPoison.h:
* runtime/JSCustomGetterSetterFunction.h:
(JSC::JSCustomGetterSetterFunction::subspaceFor):
* runtime/JSFunction.h:
(JSC::JSFunction::subspaceFor):
* runtime/JSGeneratorFunction.h:
(JSC::JSGeneratorFunction::subspaceFor):
* runtime/JSNativeStdFunction.h:
(JSC::JSNativeStdFunction::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/WebAssemblyFunction.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-02-12 Saam Barati <sbarati@apple.com>
Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA
https://bugs.webkit.org/show_bug.cgi?id=182633
<rdar://problem/37441037>
Reviewed by Keith Miller.
This patch introduces a GetIndexMask node to DFG SSA. This is an input to
GetByVal for the GetByVal variants that do conservative index masking.
The reason I'm adding this node is I realized there were loads of
the butterfly index mask inside loops that B3 couldn't reason about
because B3 can't arbitrarily hoist loads out of loops if those loops
have side exits (because the side exit might be protecting the safety of the
load). However, for these loops I analyzed, the DFG would be able to hoist
these loads out of loops because it knows about JS semantics to correctly
reason about the safety of hoisting the load.
This is a 1% speedup on JetStream on Mac and iOS in my testing.
This patch also adds some infrastructure for eliminating and doing CSE on
varargs nodes. Because this patch makes GetByVal a varargs node, I ran into
issues we never had before. We never had a varargs node that could be CSEd or be
hoisted out of a loop until I made GetByVal varargs. To make it all work,
I added a CheckVarargs node. This is just like Check, but it's varargs.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::AdjacencyList):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::replaceTerminal):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::findTerminal const):
* dfg/DFGBasicBlockInlines.h:
(JSC::DFG::BasicBlock::replaceTerminal):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
(JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
* dfg/DFGCSEPhase.cpp:
* dfg/DFGCleanUpPhase.cpp:
(JSC::DFG::CleanUpPhase::run):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::fixUpsilons):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::fixupBlock):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupChecksInBlock):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.cpp:
(JSC::DFG::Node::remove):
(JSC::DFG::Node::convertToIdentityOn):
* dfg/DFGNode.h:
(JSC::DFG::Node::replaceWith):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPureValue.cpp:
(JSC::DFG::PureValue::dump const):
* dfg/DFGPureValue.h:
(JSC::DFG::PureValue::PureValue):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierClusteringPhase.cpp:
* dfg/DFGValidate.cpp:
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
2018-02-12 Mark Lam <mark.lam@apple.com>
Miscellaneous refactoring of offlineasm.
https://bugs.webkit.org/show_bug.cgi?id=182702
<rdar://problem/37467887>
Reviewed by Filip Pizlo.
1. Refactor out the emission of $asm.comment, $asm.codeOrigin, $asm.annotation,
and $asm.debugAnnotation into a recordMetaData method. This standardizes how
we emit this metadata and makes all backends do it the same way.
2. Add the ability to include custom offlineasm scripts from WebKitAdditions in
the future.
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/ast.rb:
* offlineasm/backends.rb:
* offlineasm/cloop.rb:
* offlineasm/config.rb:
* offlineasm/mips.rb:
* offlineasm/risc.rb:
* offlineasm/x86.rb:
2018-02-12 Saam Barati <sbarati@apple.com>
DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
https://bugs.webkit.org/show_bug.cgi?id=182706
<rdar://problem/36833681>
Reviewed by Filip Pizlo.
When we added support for PhantomNewArrayBuffer, we forgot to update
the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer.
This patch adds that support. It's trivial to generate the length for
a PhantomNewArrayBuffer node since it's a constant buffer, with a constant
length.
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
2018-02-12 Mark Lam <mark.lam@apple.com>
Add more support for pointer preparations.
https://bugs.webkit.org/show_bug.cgi?id=182703
<rdar://problem/37469451>
Reviewed by Saam Barati.
* llint/LLIntData.h:
(JSC::LLInt::getCodePtr):
* llint/LLIntPCRanges.h:
(JSC::LLInt::isLLIntPC):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2018-02-12 Mark Lam <mark.lam@apple.com>
Fix missing exception check in RegExpObject::matchGlobal().
https://bugs.webkit.org/show_bug.cgi?id=182701
<rdar://problem/37465865>
Reviewed by Michael Saboff.
This issue was discovered when running JSC tests on an asm LLInt build with
JSC_useJIT=false.
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::matchGlobal):
2018-02-11 Guillaume Emont <guijemont@igalia.com>
[MIPS] JSC needs to be built with -latomic
https://bugs.webkit.org/show_bug.cgi?id=182610
Reviewed by Žan Doberšek.
Since r228149, on MIPS we need to link with -latomic, because
__atomic_fetch_add_8 is not available as a compiler intrinsic.
* CMakeLists.txt:
2018-02-09 Filip Pizlo <fpizlo@apple.com>
Don't waste memory for error.stack
https://bugs.webkit.org/show_bug.cgi?id=182656
Reviewed by Saam Barati.
This makes the StackFrames in ErrorInstance and Exception weak. We simply forget their
contents if we GC.
This isn't going to happen under normal operation since your callees and code blocks will
still be alive when you ask for .stack.
Bug 182650 tracks improving this so that it's not lossy. For now, I think it's worth it,
since it is likely to recover 3-5 MB on membuster.
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::visitChildren):
(JSC::ErrorInstance::finalizeUnconditionally):
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::subspaceFor):
* runtime/Exception.cpp:
(JSC::Exception::visitChildren):
(JSC::Exception::finalizeUnconditionally):
* runtime/Exception.h:
(JSC::Exception::valueOffset): Deleted.
(JSC::Exception::value const): Deleted.
(JSC::Exception::stack const): Deleted.
(JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
(JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
* runtime/StackFrame.cpp:
(JSC::StackFrame::isFinalizationCandidate):
(JSC::StackFrame::finalizeUnconditionally):
(JSC::StackFrame::visitChildren): Deleted.
* runtime/StackFrame.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2018-02-09 Carlos Alberto Lopez Perez <clopez@igalia.com>
Fix build on ARMv7 traditional JSCOnly bot after r228306
https://bugs.webkit.org/show_bug.cgi?id=182563
Unreviewed build fix.
* assembler/AssemblerBuffer.h:
2018-02-08 Filip Pizlo <fpizlo@apple.com>
Experiment with alternative implementation of memcpy/memset
https://bugs.webkit.org/show_bug.cgi?id=182563
Reviewed by Michael Saboff and Mark Lam.
This adopts new fastCopy/fastZeroFill calls for calls to memcpy/memset that do not take a
constant size argument.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::append):
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createInternal):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::zeroRangeImpl):
* runtime/ArrayConventions.cpp:
* runtime/ArrayConventions.h:
(JSC::clearArray):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::create):
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
* runtime/JSObject.cpp:
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::PropertyTable):
2018-02-08 Don Olmstead <don.olmstead@sony.com>
Remove JavaScriptCore/ForwardingHeaders directory
https://bugs.webkit.org/show_bug.cgi?id=182594
Reviewed by Mark Lam.
* CMakeLists.txt:
* ForwardingHeaders/JavaScriptCore/APICast.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSBase.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSContextRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSObjectRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSRetainPtr.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSStringRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSStringRefCF.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSTypedArray.h: Removed.
* ForwardingHeaders/JavaScriptCore/JSValueRef.h: Removed.
* ForwardingHeaders/JavaScriptCore/JavaScript.h: Removed.
* ForwardingHeaders/JavaScriptCore/JavaScriptCore.h: Removed.
* ForwardingHeaders/JavaScriptCore/OpaqueJSString.h: Removed.
* ForwardingHeaders/JavaScriptCore/WebKitAvailability.h: Removed.
2018-02-06 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
https://bugs.webkit.org/show_bug.cgi?id=182440
Reviewed by Darin Adler.
This patch implements Array.prototype.flatMap and Array.prototype.flatten
since they are now stage 3 [1].
[1]: https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray
* builtins/ArrayPrototype.js:
(filter):
(map):
(globalPrivate.concatSlowPath):
(globalPrivate.arraySpeciesCreate):
(globalPrivate.flattenIntoArray):
(flatten):
(globalPrivate.flattenIntoArrayWithCallback):
We separate flattenIntoArray from flattenIntoArrayWithCallback due to performance reason.
We carefully keep both functions small to encourage inlining.
(flatMap):
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
2018-01-13 Darin Adler <darin@apple.com>
Event improvements
https://bugs.webkit.org/show_bug.cgi?id=179591
Reviewed by Chris Dumez.
Remove all uses of ScriptValue other than in the implementation of ScriptObject.
* bindings/ScriptFunctionCall.cpp: Removed include of ScriptValue.h.
* bindings/ScriptObject.cpp: Removed unused overload of ScriptObject constructor.
* bindings/ScriptObject.h: Ditto.
* bindings/ScriptValue.cpp:
(Deprecated::ScriptValue::~ScriptValue): Deleted.
(Deprecated::ScriptValue::getString const): Deleted.
(Deprecated::ScriptValue::toString const): Deleted.
(Deprecated::ScriptValue::isEqual const): Deleted.
(Deprecated::ScriptValue::isNull const): Deleted.
(Deprecated::ScriptValue::isUndefined const): Deleted.
(Deprecated::ScriptValue::isObject const): Deleted.
(Deprecated::ScriptValue::isFunction const): Deleted.
(Deprecated::ScriptValue::toInspectorValue const): Deleted.
* bindings/ScriptValue.h: Removed many unused functions. Made the rest
protected since this is now used only in ScriptObject.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend): Stop using ScriptValue.
(Inspector::ConsoleMessage::isEqual const): Updated for change to ScriptArguments::isEqual.
* inspector/ScriptArguments.cpp:
(Inspector::ScriptArguments::create): Take a Vector of JSC::Strong, not ScriptValue,
use rvalue reference with move instead of lvalue reference with swap, and take execution
state by reference instead of pointer.
(Inspector::ScriptArguments::createEmpty): Deleted. Can now use create instead.
(Inspector::ScriptArguments::ScriptArguments): Ditto.
(Inspector::ScriptArguments::~ScriptArguments): Deleted.
(Inspector::ScriptArguments::argumentAt const): Updated to use JSC::Strong.
(Inspector::ScriptArguments::getFirstArgumentAsString): Ditto.
(Inspector::ScriptArguments::isEqual const): Ditto. Also changed to use JS internals
instead of calling through the C API.
* inspector/ScriptArguments.h: Updated for the above.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptArguments): Updated for changes to ScriptArguments.
* inspector/ScriptDebugServer.cpp: Removed include of ScriptValue.h.
* inspector/agents/InspectorAgent.cpp: Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp: Ditto.
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use JSC::Strong instead
of ScriptValue.
(Inspector::InspectorDebuggerAgent::currentCallFrames): Ditto.
* inspector/agents/InspectorDebuggerAgent.h: Ditto.
* runtime/ConsoleClient.cpp:
(JSC::ConsoleClient::printConsoleMessageWithArguments): Ditto.
(JSC::ConsoleClient::clear): Use ScriptArguments::create and pass an empty vector
instead of calling a separate createEmpty function.
* runtime/VM.cpp:
(JSC::VM::createLeaked): Deleted.
* runtime/VM.h: Deleted createLeaked.
2018-02-06 Brian Burg <bburg@apple.com>
Web Inspector: protocol generator should automatically deduce the correct include style to use
https://bugs.webkit.org/show_bug.cgi?id=182505
Reviewed by Timothy Hatcher.
Currently the generated imports use a mix of system header imports (powered by forwarding headers)
and framework-style includes. Since forwarding headers are going away, this patch stops
using system header includes for headers that are JavaScriptCore private headers. Instead,
use either a relative include or a framework include.
* inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
(CppAlternateBackendDispatcherHeaderGenerator.generate_output):
(CppAlternateBackendDispatcherHeaderGenerator):
(CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
(CppBackendDispatcherHeaderGenerator.generate_output):
(CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator.generate_output):
(CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
(CppFrontendDispatcherHeaderGenerator.generate_output):
(CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
(CppFrontendDispatcherImplementationGenerator.generate_output):
(CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(CppProtocolTypesHeaderGenerator.generate_output):
(CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator.generate_output):
(CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
* inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
(ObjCBackendDispatcherHeaderGenerator):
Convert existing header lists to the new entries format, which includes the
allowable target frameworks and the relative path to the header.
* inspector/scripts/codegen/generator.py:
(Generator.generate_includes_from_entries):
Copied from the same in the builtins code generator. It still works great.
* inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/domain-availability.json-result:
* inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/generic/expected/enum-values.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
* inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
* inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
* inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
Rebaseline.
2018-02-06 Keith Miller <keith_miller@apple.com>
put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
https://bugs.webkit.org/show_bug.cgi?id=182549
<rdar://problem/36189995>
Reviewed by Saam Barati.
Previously, the llint/baseline caching for put_to_scope and
get_from_scope would cache lexical environments when the
varInjectionWatchpoint had been fired for global properties. Code
in the DFG does not follow this same assumption so we could
potentially return the wrong result. Additionally, the baseline
would write barrier the global object rather than the lexical
enviroment object. This patch makes it so that we do not cache
anything other than the global object for when the resolve type is
GlobalPropertyWithVarInjectionChecks or GlobalProperty.
* assembler/MacroAssembler.cpp:
(JSC::MacroAssembler::jitAssert):
* assembler/MacroAssembler.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
(JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
* runtime/Options.h:
2018-01-28 Filip Pizlo <fpizlo@apple.com>
Global objects should be able to use TLCs to allocate from different blocks from each other
https://bugs.webkit.org/show_bug.cgi?id=182227
Reviewed by JF Bastien.
This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of
distance between objects from different origins, using the following combination of things. For
short lets refer to that constant as K.
- Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.
- Since r227718, MarkedBlock puts at least K bytes in its footer.
- Since r227617, global objects can have their own TLCs, which make them allocate from a
different set of blocks than other global objects. The TLC of a global object comes into
effect when you enter the VM via that global object.
- With this change, TLCs and blocks both have security origins. A TLC will only use blocks that
share the same security origin or empty blocks (in which case we zero the block and change
its security origin).
WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
a TLC based on their document's SecurityOrigin.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::prepareForAllocation):
* heap/BlockDirectory.h:
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/LocalAllocator.h:
(JSC::LocalAllocator::tlc const):
* heap/MarkStackMergingConstraint.cpp:
* heap/MarkStackMergingConstraint.h:
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::associateWithOrigin):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::securityOriginToken const):
* heap/SecurityOriginToken.cpp: Added.
(JSC::uniqueSecurityOriginToken):
* heap/SecurityOriginToken.h: Added.
* heap/ThreadLocalCache.cpp:
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::installSlow):
* heap/ThreadLocalCache.h:
(JSC::ThreadLocalCache::securityOriginToken const):
* heap/ThreadLocalCacheInlines.h:
(JSC::ThreadLocalCache::install):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::createThreadLocalCache):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache):
(JSC::JSGlobalObject::threadLocalCache const): Deleted.
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMEntryScope.h:
2018-02-05 Don Olmstead <don.olmstead@sony.com>
JavaScriptCore files should not be included relatively
https://bugs.webkit.org/show_bug.cgi?id=182452
Reviewed by Keith Miller.
* API/JSCallbackConstructor.h:
* CMakeLists.txt:
* disassembler/ARM64Disassembler.cpp:
* disassembler/ARMv7Disassembler.cpp:
* heap/LockDuringMarking.h:
* inspector/InjectedScriptBase.h:
* inspector/InjectedScriptHost.h:
* inspector/JavaScriptCallFrame.h:
* inspector/ScriptArguments.h:
* inspector/ScriptDebugListener.h:
* inspector/ScriptDebugServer.h:
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorHeapAgent.h:
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/agents/InspectorScriptProfilerAgent.h:
* runtime/RegExp.h:
2018-02-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r228012.
https://bugs.webkit.org/show_bug.cgi?id=182493
"It regressed ARES-6 by 2-4%" (Requested by saamyjoon on
#webkit).
Reverted changeset:
"[JSC] Clean up ArraySpeciesCreate"
https://bugs.webkit.org/show_bug.cgi?id=182434
https://trac.webkit.org/changeset/228012
2018-02-02 Ryan Haddad <ryanhaddad@apple.com>
Rebaseline bindings generator tests after r228032.
https://bugs.webkit.org/show_bug.cgi?id=182445
Unreviewed test gardening.
* Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2018-02-02 Saam Barati <sbarati@apple.com>
Make various DFG_ASSERTs provide more data to WTFCrashWithInfo
https://bugs.webkit.org/show_bug.cgi?id=182453
<rdar://problem/37174236>
Reviewed by JF Bastien and Mark Lam.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupChecksInBlock):
* dfg/DFGFlowIndexing.h:
(JSC::DFG::FlowIndexing::shadowIndex const):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
(JSC::DFG::LoopPreHeaderCreationPhase::run):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithAbs):
(JSC::DFG::SpeculativeJIT::compileArithRounding):
(JSC::DFG::SpeculativeJIT::compileToPrimitive):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierClusteringPhase.cpp:
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
(JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
(JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
(JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
(JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
(JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compilePutById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::compare):
(JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):
(JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
2018-02-02 Don Olmstead <don.olmstead@sony.com>
JS Builtins should include JavaScriptCore headers directly
https://bugs.webkit.org/show_bug.cgi?id=182445
Reviewed by Yusuke Suzuki.
* Scripts/builtins/builtins_generator.py:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2018-02-02 Saam Barati <sbarati@apple.com>
When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
https://bugs.webkit.org/show_bug.cgi?id=182368
<rdar://problem/36932466>
Reviewed by Mark Lam.
When preserving liveness when inserting Unreachable nodes after ForceOSRExit,
we must add the VariableAccessData to the given argument position. Otherwise,
we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit.
If we end up with such a situation, it can lead to invalid IR after the
arguments elimination phase optimizes a GetByVal to a GetStack.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushImpl):
(JSC::DFG::ByteCodeParser::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parse):
2018-02-02 Mark Lam <mark.lam@apple.com>
More ARM64_32 fixes.
https://bugs.webkit.org/show_bug.cgi?id=182441
<rdar://problem/37162310>
Reviewed by Dan Bernstein.
I also disabled more dynamicPoisoning code in ARM64_32. This code assumes a
64-bit pointer which is not applicable here.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDynamicPoison):
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
(JSC::AssemblyHelpers::emitDynamicPoisonOnType):
2018-02-02 Saam Barati <sbarati@apple.com>
MapHash should return true to doesGC in the DFG depending on useKind because it might resolve a rope
https://bugs.webkit.org/show_bug.cgi?id=182402
Reviewed by Yusuke Suzuki.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
2018-02-02 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Clean up ArraySpeciesCreate
https://bugs.webkit.org/show_bug.cgi?id=182434
Reviewed by Saam Barati.
We have duplicate code in filter, map, concatSlowPath.
This patch creates a new global private function @arraySpeciesCreate,
and use it.
* builtins/ArrayPrototype.js:
(globalPrivate.arraySpeciesCreate):
(filter):
(map):
(globalPrivate.concatSlowPath):
2018-02-01 Mark Lam <mark.lam@apple.com>
Fix broken bounds check in FTL's compileGetMyArgumentByVal().
https://bugs.webkit.org/show_bug.cgi?id=182419
<rdar://problem/37044945>
Reviewed by Saam Barati.
In compileGetMyArgumentByVal(), it computes:
limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
...
LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);
where the original "limit" is the number of arguments passed in by the caller.
If the original limit is less than numberOfArgumentsToSkip, the resultant limit
will be a large unsigned number. As a result, this will defeat the bounds check
that follows it.
Note: later on in compileGetMyArgumentByVal(), we have to adjust adjust the index
value by adding numberOfArgumentsToSkip to it, in order to determine the actual
entry in the arguments array to get.
The fix is to just add numberOfArgumentsToSkip to index upfront (instead of
subtracting it from limit), and doing an overflow speculation check on that
addition before doing the bounds check.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2018-02-01 Keith Miller <keith_miller@apple.com>
Fix crashes due to mishandling custom sections.
https://bugs.webkit.org/show_bug.cgi?id=182404
<rdar://problem/36935863>
Reviewed by Saam Barati.
This also cleans up some of our validation code. We also
mistakenly, allowed unknown (different from custom sections with
id: 0) section ids.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parse):
* wasm/WasmModuleParser.h:
* wasm/WasmSections.h:
(JSC::Wasm::isKnownSection):
(JSC::Wasm::decodeSection):
(JSC::Wasm::validateOrder):
(JSC::Wasm::makeString):
(JSC::Wasm::isValidSection): Deleted.
2018-02-01 Michael Catanzaro <mcatanzaro@igalia.com>
-Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp
https://bugs.webkit.org/show_bug.cgi?id=182389
Reviewed by Yusuke Suzuki.
Fix the warning.
As a bonus, remove a couple unreachable breaks for good measure.
* dfg/DFGObjectAllocationSinkingPhase.cpp:
2018-02-01 Chris Dumez <cdumez@apple.com>
Queue a microtask when a waitUntil() promise is settled
https://bugs.webkit.org/show_bug.cgi?id=182372
<rdar://problem/37101019>
Reviewed by Mark Lam.
Export a symbol so it can be used in WebCore.
* runtime/JSGlobalObject.h:
2018-01-31 Don Olmstead <don.olmstead@sony.com>
[CMake] Make JavaScriptCore headers copies
https://bugs.webkit.org/show_bug.cgi?id=182303
Reviewed by Alex Christensen.
* CMakeLists.txt:
* PlatformGTK.cmake:
* PlatformJSCOnly.cmake:
* PlatformMac.cmake:
* PlatformWPE.cmake:
* PlatformWin.cmake:
* shell/CMakeLists.txt:
* shell/PlatformWin.cmake:
2018-01-31 Saam Barati <sbarati@apple.com>
Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm
https://bugs.webkit.org/show_bug.cgi?id=182064
<rdar://problem/36840132>
Reviewed by Geoffrey Garen.
This patch switches WebAssembly Memory to always use bmalloc's
zeroed virtual allocation API. This makes it so that we don't
dirty the memory to zero it. It's a huge compile time speedup
on WasmBench on iOS.
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::create):
(JSC::Wasm::Memory::~Memory):
(JSC::Wasm::Memory::addressIsInActiveFastMemory):
(JSC::Wasm::Memory::grow):
(JSC::Wasm::commitZeroPages): Deleted.
2018-01-31 Mark Lam <mark.lam@apple.com>
Build fix for CLoop after r227874.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>
Not reviewed.
Just needed support for lea of a LabelReference in cloop.rb (just like those
added for arm64.rb and x86.rb).
* offlineasm/cloop.rb:
2018-01-31 Keith Miller <keith_miller@apple.com>
Canonicalize aquiring the JSCell lock.
https://bugs.webkit.org/show_bug.cgi?id=182320
Reviewed by Michael Saboff.
It's currently kinda annoying to figure out where
we aquire the a JSCell's lock. This patch adds a
helper to make it easier to grep...
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildren):
(JSC::UnlinkedCodeBlock::setInstructions):
(JSC::UnlinkedCodeBlock::shrinkToFit):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
(JSC::ErrorInstance::materializeErrorInfoIfNeeded):
(JSC::ErrorInstance::visitChildren):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSCell.h:
(JSC::JSCell::cellLock):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
(JSC::JSObject::convertContiguousToArrayStorage):
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::add):
(JSC::SparseArrayValueMap::remove):
(JSC::SparseArrayValueMap::visitChildren):
2018-01-31 Saam Barati <sbarati@apple.com>
JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path)
https://bugs.webkit.org/show_bug.cgi?id=182074
<rdar://problem/36846261>
Reviewed by Mark Lam.
This patch teaches the JSONP evaluator about the global lexical environment.
Before, it was using the global object as the global scope, but that's wrong.
The global lexical environment is the first node in the global scope chain.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
* jsc.cpp:
(GlobalObject::finishCreation):
(shellSupportsRichSourceInfo):
(functionDisableRichSourceInfo):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::tryJSONPParse):
* runtime/LiteralParser.h:
2018-01-31 Saam Barati <sbarati@apple.com>
clean up pushToSaveImmediateWithoutTouchingRegisters a bit
https://bugs.webkit.org/show_bug.cgi?id=181774
Reviewed by JF Bastien.
This function on ARM64 was considering what to do with the scratch
register. And conditionally invalidated what was in it. This is not
relevant though, since the function always recovers what was in that
register. This patch just switches it to using dataTempRegister
directly and updates the comment to describe why it can do so safely.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
2018-01-30 Mark Lam <mark.lam@apple.com>
Apply poisoning to TypedArray vector pointers.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>
Reviewed by JF Bastien.
The TypeArray's vector pointer is now poisoned. The poison value is chosen based
on a TypeArray's jsType. The JSType must be between FirstTypedArrayType and
LastTypedArrayType. At runtime, we enforce that the index is well-behaved by
masking it against TypedArrayPoisonIndexMask. TypedArrayPoisonIndexMask (16) is
the number of TypedArray types (10) rounded up to the next power of 2.
Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we
can use index masking on the index, and be guaranteed that the masked index will
be within bounds of the poisons array.
1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
do any unnecessary work if the TypedArray vector is null.
FTL's cagedMayBeNull() is no longer needed because it is only used by
compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning
in a TypedArray specific way. So, might as well do the work inline in
compileGetTypedArrayByteOffset() instead.
2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize()
because there's already a null check above it that ensures that sizeGPR is
never null.
3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the
loading of the vector for unpoisoning and uncaging. We don't need the vector
if the length is 0.
Implementation notes on the need to null check the TypeArray vector:
1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a
m_poisonedVector null check because the function is a null check.
2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
m_poisonedVector null check because it is followed by a call to
cageTypedArrayStorage() which assumes that storageReg cannot be null.
3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
m_poisonedVector null check.
4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null
check because the poisoning code is preceded by a sizeGPR null check, which
ensures that the storageGPR (vector to be poisoned) is not null.
5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null
check because it is followed by a call to caged() which assumes that the
vector cannot be null.
6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
7. FTL's compileNewTypedArray() does not need a vector null check because the
poisoning code is preceded by a size null check, which ensures that the
storage (vector to be poisoned) is not null.
8. FTL's speculateTypedArrayIsNotNeutered() does not need a
m_poisonedVector null check because the function is a null check.
9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic
case needs a null check so that it does not try to unpoison a null vector.
10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
we already do a length check even before loading the vector.
11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because
we already do a length check even before loading the vector.
12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
we already do a length check even before loading the vector.
13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because
we already do a length check even before loading the vector.
14. LLInt's loadTypedArrayCaged() does not need a vector null check because its
client will do a TypedArray length check before calling it.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
(JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb:
* runtime/CagedBarrierPtr.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::neuter):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::offsetOfPoisonedVector):
(JSC::JSArrayBufferView::poisonFor):
(JSC::JSArrayBufferView::Poison::key):
(JSC::JSArrayBufferView::offsetOfVector): Deleted.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.h:
2018-01-30 Fujii Hironori <Hironori.Fujii@sony.com>
[Win] Warning fix.
https://bugs.webkit.org/show_bug.cgi?id=177007
Reviewed by Yusuke Suzuki.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::dump const):
Changed the type of locationRawBits from unsigned to uintptr_t.
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::createNumberFormat):
Initialize 'style' to avoid potentially uninitialized local variable warning.
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Implement trimStart and trimEnd
https://bugs.webkit.org/show_bug.cgi?id=182233
Reviewed by Mark Lam.
String.prototype.{trimStart,trimEnd} are now stage 3[1].
String.prototype.{trimLeft,trimRight} are alias to these functions.
We rename these functions to trimStart and trimEnd, and put them as
trimLeft and trimRight too.
[1]: https://tc39.github.io/proposal-string-left-right-trim/
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::trimString):
(JSC::stringProtoFuncTrim):
(JSC::stringProtoFuncTrimStart):
(JSC::stringProtoFuncTrimEnd):
(JSC::stringProtoFuncTrimLeft): Deleted.
(JSC::stringProtoFuncTrimRight): Deleted.
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Relax line terminators in String to make JSON subset of JS
https://bugs.webkit.org/show_bug.cgi?id=182232
Reviewed by Keith Miller.
"Subsume JSON" spec is now stage 3[1]. Before this spec change,
JSON can accept \u2028 / \u2029 in string while JS cannot do that.
It accidentally made JSON non subset of JS.
Now we extend our JS string to accept \u2028 / \u2029 to make JSON
subset of JS in this spec change.
[1]: https://github.com/tc39/proposal-json-superset
* parser/Lexer.cpp:
(JSC::Lexer<T>::parseStringSlowCase):
2018-01-29 Jiewen Tan <jiewen_tan@apple.com>
[WebAuthN] Add a compile-time feature flag
https://bugs.webkit.org/show_bug.cgi?id=182211
<rdar://problem/36936365>
Reviewed by Brent Fulgham.
* Configurations/FeatureDefines.xcconfig:
2018-01-29 Michael Saboff <msaboff@apple.com>
REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
https://bugs.webkit.org/show_bug.cgi?id=182249
Reviewed by Keith Miller.
Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
Untyped and Object values when compared against built in types. Such comparisons can
invoke toNumber() or other methods.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-01-29 Matt Lewis <jlewis3@apple.com>
Unreviewed, rolling out r227725.
This caused internal failures.
Reverted changeset:
"JSC Sampling Profiler: Detect tester and testee when sampling
in RegExp JIT"
https://bugs.webkit.org/show_bug.cgi?id=152729
https://trac.webkit.org/changeset/227725
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT
https://bugs.webkit.org/show_bug.cgi?id=152729
Reviewed by Saam Barati.
This patch extends SamplingProfiler to recognize JIT RegExp execution. We record
executing RegExp in VM so that SamplingProfiler can detect it. This is better
than the previous VM::isExecutingInRegExpJIT flag approach since
1. isExecutingInRegExpJIT is set after starting executing JIT RegExp code. Thus,
if we suspend the thread just before executing this flag, or just after clearing
this flag, SamplingProfiler gets invalid frame, and frame validation fails. We
should set such a flag before and after executing JIT RegExp code.
2. This removes VM dependency from YarrJIT which is not essential one.
We add ExecutionContext enum to RegExp::matchInline not to mark execution if it
is done in non JS thread.
* bytecode/BytecodeDumper.cpp:
(JSC::regexpName):
(JSC::BytecodeDumper<Block>::dumpRegExps):
(JSC::regexpToSourceString): Deleted.
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::match):
(JSC::RegExp::matchConcurrently):
(JSC::RegExp::compileMatchOnly):
(JSC::RegExp::toSourceString const):
* runtime/RegExp.h:
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::SamplingProfiler):
(JSC::SamplingProfiler::timerLoop):
(JSC::SamplingProfiler::takeSample):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
(JSC::SamplingProfiler::StackFrame::displayName):
(JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
(JSC::SamplingProfiler::StackFrame::functionStartLine):
(JSC::SamplingProfiler::StackFrame::functionStartColumn):
(JSC::SamplingProfiler::StackFrame::sourceID):
(JSC::SamplingProfiler::StackFrame::url):
(WTF::printInternal):
(JSC::SamplingProfiler::~SamplingProfiler): Deleted.
* runtime/SamplingProfiler.h:
* runtime/VM.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
2018-01-29 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] WeakMap#set should have DFG node
https://bugs.webkit.org/show_bug.cgi?id=180015
Reviewed by Saam Barati.
This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL.
We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of
the subsequent WeakMapGet if CSE allows.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addVarArgChild):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
WeakMap operations do not cause GC.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileWeakSetAdd):
(JSC::DFG::SpeculativeJIT::compileWeakMapSet):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
* jit/JITOperations.h:
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/WeakMapPrototype.cpp:
(JSC::WeakMapPrototype::finishCreation):
* runtime/WeakSetPrototype.cpp:
(JSC::WeakSetPrototype::finishCreation):
2018-01-28 Filip Pizlo <fpizlo@apple.com>
LargeAllocation should do the same distancing as MarkedBlock
https://bugs.webkit.org/show_bug.cgi?id=182226
Reviewed by Saam Barati.
This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do.
To make that possible, this patch first makes MarkedBlock know exactly how much distancing it
is doing:
- I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the
calculation done in MarkedBlock. MarkedSpace used to do the math a different way. This
keeps the old way just for a static_assert.
- The promised amount of distancing is now codified in HeapCell.h as
minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least
as big as this. I didn't want to just use footer size for this constant because then, if
you increased the size of the footer, you'd also add padding to every large allocation.
Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large
allocation. It also zeroes that slice of memory to prevent any information leaks that way.
This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is
~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for
smaller objects, and diminishing overhead for larger objects. We allocate very few large
objects, so we shouldn't have any real space overhead from this.
* heap/HeapCell.h:
* heap/LargeAllocation.cpp:
(JSC::LargeAllocation::tryCreate):
* heap/MarkedBlock.h:
* heap/MarkedSpace.h:
2018-01-27 Filip Pizlo <fpizlo@apple.com>
Make MarkedBlock::Footer bigger
https://bugs.webkit.org/show_bug.cgi?id=182220
Reviewed by JF Bastien.
This makes the block footer larger by moving the newlyAllocated bits from the handle into
the footer.
It used to be profitable to put anything we could into the handle because that would free up
payload space inside the block. But now that we want to use the footer for padding, it's
profitable to put GC state information - especially data that is used by the GC itself and so
is not useful for a Spectre attack - into the footer to increase object distancing.
* heap/CellContainer.cpp:
(JSC::CellContainer::isNewlyAllocated const):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::sweepToFreeList):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::Handle):
(JSC::MarkedBlock::Footer::Footer):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::resetAllocated):
(JSC::MarkedBlock::Handle::resetAllocated): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::newlyAllocatedVersion const):
(JSC::MarkedBlock::isNewlyAllocated):
(JSC::MarkedBlock::setNewlyAllocated):
(JSC::MarkedBlock::clearNewlyAllocated):
(JSC::MarkedBlock::newlyAllocated const):
(JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted.
(JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
(JSC::MarkedBlock::Handle::newlyAllocated const): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::isNewlyAllocatedStale const):
(JSC::MarkedBlock::hasAnyNewlyAllocated):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::newlyAllocatedMode):
(JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted.
(JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::endMarking):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
2018-01-27 Filip Pizlo <fpizlo@apple.com>
MarkedBlock should have a footer instead of a header
https://bugs.webkit.org/show_bug.cgi?id=182217
Reviewed by JF Bastien.
This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really
change anything except for some compile-time constants, so it should not affect performance.
This change is to help protect against Spectre attacks on structure checks, which allow for
small-offset out-of-bounds access. By putting the meta-data at the end of the block, small
OOBs will only get to other objects in the same block or the block footer. The block footer
is not super interesting. So, if we combine this with the TLC change (r227617), this means we
can use blocks as the mechanism of achieving distance between objects from different origins.
We just need to avoid ever putting objects from different origins in the same block. That's
what bug 181636 is about.
* heap/BlockDirectory.cpp:
(JSC::blockHeaderSize): Deleted.
(JSC::BlockDirectory::blockSizeForBytes): Deleted.
* heap/BlockDirectory.h:
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::~MarkedBlock):
(JSC::MarkedBlock::Footer::Footer):
(JSC::MarkedBlock::Footer::~Footer):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::resetMarks):
(JSC::MarkedBlock::assertMarksNotStale):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::markCount):
(JSC::MarkedBlock::clearHasAnyMarked):
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::didRemoveFromDirectory):
(JSC::MarkedBlock::Handle::sweep):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::markingVersion const):
(JSC::MarkedBlock::lock):
(JSC::MarkedBlock::subspace const):
(JSC::MarkedBlock::footer):
(JSC::MarkedBlock::footer const):
(JSC::MarkedBlock::handle):
(JSC::MarkedBlock::handle const):
(JSC::MarkedBlock::Handle::blockFooter):
(JSC::MarkedBlock::isAtomAligned):
(JSC::MarkedBlock::Handle::cellAlign):
(JSC::MarkedBlock::blockFor):
(JSC::MarkedBlock::vm const):
(JSC::MarkedBlock::weakSet):
(JSC::MarkedBlock::cellSize):
(JSC::MarkedBlock::attributes const):
(JSC::MarkedBlock::atomNumber):
(JSC::MarkedBlock::areMarksStale):
(JSC::MarkedBlock::aboutToMark):
(JSC::MarkedBlock::isMarkedRaw):
(JSC::MarkedBlock::isMarked):
(JSC::MarkedBlock::testAndSetMarked):
(JSC::MarkedBlock::marks const):
(JSC::MarkedBlock::isAtom):
(JSC::MarkedBlock::Handle::forEachCell):
(JSC::MarkedBlock::hasAnyMarked const):
(JSC::MarkedBlock::noteMarked):
(WTF::MarkedBlockHash::hash):
(JSC::MarkedBlock::firstAtom): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::marksConveyLivenessDuringMarking):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::forEachLiveCell):
(JSC::MarkedBlock::Handle::forEachDeadCell):
(JSC::MarkedBlock::Handle::forEachMarkedCell):
* heap/MarkedSpace.cpp:
* heap/MarkedSpace.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-01-27 Yusuke Suzuki <utatane.tea@gmail.com>
DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
https://bugs.webkit.org/show_bug.cgi?id=182213
Reviewed by Mark Lam.
toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative.
As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.
We also add a careful cast to avoid `-INT32_MIN`. It does not produce incorrect value in x86 in practice,
but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization.
* runtime/NumberPrototype.cpp:
(JSC::toStringWithRadixInternal):
2018-01-26 Saam Barati <sbarati@apple.com>
Fix emitAllocateWithNonNullAllocator to work on arm
https://bugs.webkit.org/show_bug.cgi?id=182187
<rdar://problem/36906550>
Reviewed by Filip Pizlo.
This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator
and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch
register on ARM.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2018-01-26 Joseph Pecoraro <pecoraro@apple.com>
Rebaselining builtin generator tests after r227685.
Unreviewed.
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
It used to be that the builtins generator was minifying by default. That was an accident
and we now only minify on Release builds. The generator tests are now getting the
default unminified output behavior so they need to update their expectations
for some extra whitespace.
2018-01-26 Mark Lam <mark.lam@apple.com>
We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects.
https://bugs.webkit.org/show_bug.cgi?id=182180
<rdar://problem/36460697>
Reviewed by Michael Saboff.
Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance,
but not as the Node's first base class. ParserArena::m_deletableObjects is
expecting pointers to objects of the shape of ParserArenaDeletable. We ensure
this by allocating the Node subclass, and casting it to ParserArenaDeletable to
get the correct pointer to append to ParserArena::m_deletableObjects.
To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED
(analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extends
ParserArenaDeletable.
* parser/NodeConstructors.h:
(JSC::ParserArenaDeletable::operator new):
* parser/Nodes.h:
* parser/ParserArena.h:
(JSC::ParserArena::allocateDeletable):
2018-01-26 Joseph Pecoraro <pecoraro@apple.com>
JavaScriptCore builtins should be partially minified in Release builds not Debug builds
https://bugs.webkit.org/show_bug.cgi?id=182165
Reviewed by Keith Miller.
* Scripts/builtins/builtins_model.py:
(BuiltinFunction.fromString):
Apply minifications on Release builds instead of Debug builds.
Also eliminate leading whitespace.
2018-01-26 Filip Pizlo <fpizlo@apple.com>
Disable TLS-based TLCs
https://bugs.webkit.org/show_bug.cgi?id=182175
Reviewed by Saam Barati.
Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT).
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::~BlockDirectory):
* heap/BlockDirectory.h:
* heap/ThreadLocalCache.cpp:
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
* heap/ThreadLocalCache.h:
* heap/ThreadLocalCacheInlines.h:
(JSC::ThreadLocalCache::getImpl):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
* runtime/VM.cpp:
(JSC::VM::~VM):
* runtime/VM.h:
2018-01-25 Yusuke Suzuki <utatane.tea@gmail.com>
imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes
https://bugs.webkit.org/show_bug.cgi?id=181980
Reviewed by Ryosuke Niwa.
We accidentally failed to propagate errored promise in instantiate and satify phase if entry.{instantiate,satisfy}
promises are set. Since we just returned `entry`, it becomes succeeded promise even if the dependent fetch, instantiate,
and satisfy promises are failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy`
correctly.
* builtins/ModuleLoaderPrototype.js:
(requestInstantiate):
(requestSatisfy):
2018-01-25 Mark Lam <mark.lam@apple.com>
Gardening: fix 32-bit build after r227643.
https://bugs.webkit.org/show_bug.cgi?id=182086
Not reviewed.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
2018-01-24 Filip Pizlo <fpizlo@apple.com>
DirectArguments should protect itself using dynamic poisoning and precise index masking
https://bugs.webkit.org/show_bug.cgi?id=182086
Reviewed by Saam Barati.
This implements dynamic poisoning and precise index masking in DirectArguments, using the
helpers from <wtf/MathExtras.h> and helpers in AssemblyHelpers and FTL::LowerDFGToB3.
We use dynamic poisoning for DirectArguments since this object did not have any additional
indirection inside it that could have been poisoned. So, we use the xor of the expected type
and the actual type as an additional input into the pointer.
We use precise index masking for bounds checks, because it's not worth doing index masking
unless we know that precise index masking is too slow.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::lshiftPtr):
(JSC::MacroAssembler::rshiftPtr):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
(JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64):
(JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitPreciseIndexMask32):
(JSC::AssemblyHelpers::emitDynamicPoison):
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
(JSC::AssemblyHelpers::emitDynamicPoisonOnType):
* jit/AssemblyHelpers.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDirectArgumentsGetByVal):
* runtime/DirectArguments.h:
(JSC::DirectArguments::getIndexQuickly const):
(JSC::DirectArguments::setIndexQuickly):
(JSC::DirectArguments::argument):
* runtime/GenericArgumentsInlines.h:
2018-01-25 Mark Lam <mark.lam@apple.com>
Rename some local vars from type to typedArrayType for greater clarity.
https://bugs.webkit.org/show_bug.cgi?id=182148
<rdar://problem/36882310>
Reviewed by Saam Barati.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2018-01-25 Filip Pizlo <fpizlo@apple.com>
JSC GC should support TLCs (thread local caches)
https://bugs.webkit.org/show_bug.cgi?id=181559
Reviewed by Mark Lam and Saam Barati.
This is a big step towards object distancing by site origin. This patch implements TLCs, or
thread-local caches, which allow each thread to allocate from its own free lists. It also
means that any given thread can context-switch TLCs. This will allow us to do separate
allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
will allow us to have a hard distancing constraint between objects from different origins.
In this new design, every "size class" is represented as a BlockDirectory (formerly known as
MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
aligned memory allocator (which roughly represents which cage you came out of), and anyone
using the same allocator can share those blocks - but so long as they are in that
BlockDirectory, they will have the size and type of that directory. Previously, each
BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
LocalAllocators, each of which has a FreeList.
To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
starts by figuring out what Allocator it wants (often we have this information at JIT time).
Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
offsets as opposed to indices to make it easy to do the math on each allocation (if
LocalAllocator had a weird size then every allocation would have to do an imul).
This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
something there, but it's not significant according to our threshold).
Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
function needs to be careful to avoid using the scratch register because the FTL will call it
in disallow-scratch-register mode.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3LowerToAir.cpp:
* b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::admitsStack):
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):
* b3/B3StackmapValue.cpp:
(JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
* b3/B3StackmapValue.h:
* b3/B3Validate.cpp:
* b3/B3ValueRep.cpp:
(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):
* b3/B3ValueRep.h:
(JSC::B3::ValueRep::ValueRep):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::clear):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* heap/Allocator.cpp: Added.
(JSC::Allocator::cellSize const):
* heap/Allocator.h: Added.
(JSC::Allocator::Allocator):
(JSC::Allocator::offset const):
(JSC::Allocator::operator== const):
(JSC::Allocator::operator!= const):
(JSC::Allocator::operator bool const):
* heap/AllocatorInlines.h: Added.
(JSC::Allocator::allocate const):
(JSC::Allocator::tryAllocate const):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::stopAllocatingForGood):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::isFreeListedCell):
(JSC::BlockDirectory::didConsumeFreeList): Deleted.
(JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
(JSC::BlockDirectory::allocateIn): Deleted.
(JSC::BlockDirectory::tryAllocateIn): Deleted.
(JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
(JSC::BlockDirectory::allocateSlowCase): Deleted.
* heap/BlockDirectory.h:
(JSC::BlockDirectory::cellKind const):
(JSC::BlockDirectory::allocator const):
(JSC::BlockDirectory::freeList const): Deleted.
(JSC::BlockDirectory::offsetOfFreeList): Deleted.
(JSC::BlockDirectory::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h:
(JSC::BlockDirectory::isFreeListedCell const): Deleted.
(JSC::BlockDirectory::allocate): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::CompleteSubspace):
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocate):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::allocateSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/FreeList.h:
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
* heap/Heap.h:
(JSC::Heap::threadLocalCacheLayout):
* heap/IsoCellSet.h:
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocate):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LocalAllocator.cpp: Added.
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::stopAllocating):
(JSC::LocalAllocator::resumeAllocating):
(JSC::LocalAllocator::prepareForAllocation):
(JSC::LocalAllocator::stopAllocatingForGood):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::didConsumeFreeList):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
(JSC::LocalAllocator::allocateIn):
(JSC::LocalAllocator::tryAllocateIn):
(JSC::LocalAllocator::doTestCollectionsIfNeeded):
(JSC::LocalAllocator::isFreeListedCell const):
* heap/LocalAllocator.h: Added.
(JSC::LocalAllocator::offsetOfFreeList):
(JSC::LocalAllocator::offsetOfCellSize):
* heap/LocalAllocatorInlines.h: Added.
(JSC::LocalAllocator::allocate):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::stopAllocatingForGood):
* heap/MarkedSpace.h:
* heap/SlotVisitor.cpp:
* heap/SlotVisitor.h:
* heap/Subspace.h:
* heap/ThreadLocalCache.cpp: Added.
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::~ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::destroyData):
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
(JSC::ThreadLocalCache::allocatorSlow):
(JSC::ThreadLocalCache::destructor):
* heap/ThreadLocalCache.h: Added.
(JSC::ThreadLocalCache::offsetOfSize):
(JSC::ThreadLocalCache::offsetOfFirstAllocator):
* heap/ThreadLocalCacheInlines.h: Added.
(JSC::ThreadLocalCache::getImpl):
(JSC::ThreadLocalCache::get):
(JSC::ThreadLocalCache::install):
(JSC::ThreadLocalCache::allocator):
(JSC::ThreadLocalCache::tryGetAllocator):
* heap/ThreadLocalCacheLayout.cpp: Added.
(JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::allocateOffset):
(JSC::ThreadLocalCacheLayout::snapshot):
(JSC::ThreadLocalCacheLayout::directory):
* heap/ThreadLocalCacheLayout.h: Added.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::vm):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
(JSC::AssemblyHelpers::emitAllocate): Deleted.
(JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::create):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSCellInlines.h:
(JSC::tryAllocateCellHelper):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache const):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
2018-01-25 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r227592.
https://bugs.webkit.org/show_bug.cgi?id=182110
it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on
#webkit).
Reverted changeset:
"JSC GC should support TLCs (thread local caches)"
https://bugs.webkit.org/show_bug.cgi?id=181559
https://trac.webkit.org/changeset/227592
2018-01-25 Alejandro G. Castro <alex@igalia.com>
undefined reference to 'JSC::B3::BasicBlock::fallThrough() const
https://bugs.webkit.org/show_bug.cgi?id=180637
Reviewed by Michael Catanzaro.
We need to make sure the implementation of the inline functions is
compiled when we compile the code using the function, now that the
compilation is divided, or we could end up with undefined symbols
when the declaration is not inlined, at least with some compilers
and optimizations enabled -O2.
* b3/B3SwitchValue.cpp: replace the include.
2018-01-20 Filip Pizlo <fpizlo@apple.com>
JSC GC should support TLCs (thread local caches)
https://bugs.webkit.org/show_bug.cgi?id=181559
Reviewed by Mark Lam and Saam Barati.
This is a big step towards object distancing by site origin. This patch implements TLCs, or
thread-local caches, which allow each thread to allocate from its own free lists. It also
means that any given thread can context-switch TLCs. This will allow us to do separate
allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
will allow us to have a hard distancing constraint between objects from different origins.
In this new design, every "size class" is represented as a BlockDirectory (formerly known as
MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
aligned memory allocator (which roughly represents which cage you came out of), and anyone
using the same allocator can share those blocks - but so long as they are in that
BlockDirectory, they will have the size and type of that directory. Previously, each
BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
LocalAllocators, each of which has a FreeList.
To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
starts by figuring out what Allocator it wants (often we have this information at JIT time).
Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
offsets as opposed to indices to make it easy to do the math on each allocation (if
LocalAllocator had a weird size then every allocation would have to do an imul).
This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
something there, but it's not significant according to our threshold).
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3LowerToAir.cpp:
* b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::admitsStack):
* b3/B3StackmapSpecial.cpp:
(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):
* b3/B3StackmapValue.cpp:
(JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
* b3/B3StackmapValue.h:
* b3/B3Validate.cpp:
* b3/B3ValueRep.cpp:
(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):
* b3/B3ValueRep.h:
(JSC::B3::ValueRep::ValueRep):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::clear):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
* heap/Allocator.cpp: Added.
(JSC::Allocator::cellSize const):
* heap/Allocator.h: Added.
(JSC::Allocator::Allocator):
(JSC::Allocator::offset const):
(JSC::Allocator::operator== const):
(JSC::Allocator::operator!= const):
(JSC::Allocator::operator bool const):
* heap/AllocatorInlines.h: Added.
(JSC::Allocator::allocate const):
(JSC::Allocator::tryAllocate const):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::stopAllocatingForGood):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::isFreeListedCell):
(JSC::BlockDirectory::didConsumeFreeList): Deleted.
(JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
(JSC::BlockDirectory::allocateIn): Deleted.
(JSC::BlockDirectory::tryAllocateIn): Deleted.
(JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
(JSC::BlockDirectory::allocateSlowCase): Deleted.
* heap/BlockDirectory.h:
(JSC::BlockDirectory::cellKind const):
(JSC::BlockDirectory::allocator const):
(JSC::BlockDirectory::freeList const): Deleted.
(JSC::BlockDirectory::offsetOfFreeList): Deleted.
(JSC::BlockDirectory::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h:
(JSC::BlockDirectory::isFreeListedCell const): Deleted.
(JSC::BlockDirectory::allocate): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::CompleteSubspace):
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocate):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::allocateSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/FreeList.h:
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
* heap/Heap.h:
(JSC::Heap::threadLocalCacheLayout):
* heap/IsoCellSet.h:
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocate):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LocalAllocator.cpp: Added.
(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::stopAllocating):
(JSC::LocalAllocator::resumeAllocating):
(JSC::LocalAllocator::prepareForAllocation):
(JSC::LocalAllocator::stopAllocatingForGood):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::didConsumeFreeList):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
(JSC::LocalAllocator::allocateIn):
(JSC::LocalAllocator::tryAllocateIn):
(JSC::LocalAllocator::doTestCollectionsIfNeeded):
(JSC::LocalAllocator::isFreeListedCell const):
* heap/LocalAllocator.h: Added.
(JSC::LocalAllocator::offsetOfFreeList):
(JSC::LocalAllocator::offsetOfCellSize):
* heap/LocalAllocatorInlines.h: Added.
(JSC::LocalAllocator::allocate):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::stopAllocatingForGood):
* heap/MarkedSpace.h:
* heap/SlotVisitor.cpp:
* heap/SlotVisitor.h:
* heap/Subspace.h:
* heap/ThreadLocalCache.cpp: Added.
(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::~ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::destroyData):
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
(JSC::ThreadLocalCache::allocatorSlow):
(JSC::ThreadLocalCache::destructor):
* heap/ThreadLocalCache.h: Added.
(JSC::ThreadLocalCache::offsetOfSize):
(JSC::ThreadLocalCache::offsetOfFirstAllocator):
* heap/ThreadLocalCacheInlines.h: Added.
(JSC::ThreadLocalCache::getImpl):
(JSC::ThreadLocalCache::get):
(JSC::ThreadLocalCache::install):
(JSC::ThreadLocalCache::allocator):
(JSC::ThreadLocalCache::tryGetAllocator):
* heap/ThreadLocalCacheLayout.cpp: Added.
(JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::allocateOffset):
(JSC::ThreadLocalCacheLayout::snapshot):
(JSC::ThreadLocalCacheLayout::directory):
* heap/ThreadLocalCacheLayout.h: Added.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::vm):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
(JSC::AssemblyHelpers::emitAllocate): Deleted.
(JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::create):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSCellInlines.h:
(JSC::tryAllocateCellHelper):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::threadLocalCache const):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
* runtime/Options.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
2018-01-24 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb
https://bugs.webkit.org/show_bug.cgi?id=182067
Reviewed by Brian Burg.
* inspector/scripts/codegen/models.py:
(Framework.fromString):
(Frameworks):
* inspector/scripts/generate-inspector-protocol-bindings.py:
(generate_from_specification):
Allow framework WebInspectorUI to generate just the backend commands files.
2018-01-23 Mark Lam <mark.lam@apple.com>
Update Poisoned pointers to take a Poison class instead of a uintptr_t&.
https://bugs.webkit.org/show_bug.cgi?id=182017
<rdar://problem/36795513>
Reviewed by Filip Pizlo and JF Bastien.
Removed the POISON() macro. Now that we have Poison types, we can just use the
the Poison type instead and make the code a bit nicer to read.
* API/JSAPIWrapperObject.h:
* API/JSCallbackFunction.h:
* API/JSCallbackObject.h:
* b3/B3LowerMacros.cpp:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/JIT.h:
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* parser/UnlinkedSourceCode.h:
* runtime/ArrayPrototype.h:
* runtime/CustomGetterSetter.h:
* runtime/DateInstance.h:
* runtime/InternalFunction.h:
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGlobalObject.h:
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/NativeExecutable.h:
* runtime/StructureTransitionTable.h:
* runtime/WriteBarrier.h:
(JSC::WriteBarrier::poison): Deleted.
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::poison):
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, suppress GCC warnings
https://bugs.webkit.org/show_bug.cgi?id=181976
* runtime/TypedArrayType.h:
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
[YARR] Add diagnosis for YarrJIT failures
https://bugs.webkit.org/show_bug.cgi?id=181927
Reviewed by Sam Weinig.
It is nice if we can see the reason why YarrJIT fails to compile a given pattern.
This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified.
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generateTerm):
(JSC::Yarr::YarrGenerator::backtrackTerm):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::dumpCompileFailure):
(JSC::Yarr::jitCompile):
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::setFallBack):
(JSC::Yarr::YarrCodeBlock::fallBack):
(JSC::Yarr::YarrCodeBlock::clear):
(JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted.
(JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted.
(JSC::Yarr::YarrCodeBlock::isFallBack): Deleted.
2018-01-23 Alex Christensen <achristensen@webkit.org>
Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=182028
Reviewed by Keith Miller.
* inspector/remote/cocoa/RemoteInspectorXPCConnection.h:
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::handleEvent):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
Use precise index masking for FTL GetByArgumentByVal
https://bugs.webkit.org/show_bug.cgi?id=182006
Reviewed by Keith Miller.
This protects speculative out-of-bounds on arguments[index].
Making this work right involved fixing a possible overflow situation with
numberOfArgumentsToSkip.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasNumberOfArgumentsToSkip):
(JSC::DFG::Node::numberOfArgumentsToSkip):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2018-01-23 David Kilzer <ddkilzer@apple.com>
Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
<https://webkit.org/b/181871>
<rdar://problem/36669691>
Address feedback for this change.
* CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per
feedback from Konstantin Tokarev.
2018-01-23 Robin Morisset <rmorisset@apple.com>
Rollout r219636
https://bugs.webkit.org/show_bug.cgi?id=181997
<rdar://problem/35883022>
Unreviewed, as it is a rollout.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSObject.cpp:
(JSC::JSObject::ensureLengthSlow):
2018-01-23 Mark Lam <mark.lam@apple.com>
Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list.
https://bugs.webkit.org/show_bug.cgi?id=181976
<rdar://problem/36766936>
Reviewed by Filip Pizlo.
1. The order of TypedArray JSTypes now matches the order the TypedArrayType enum
list. I also added static asserts in TypedArrayType.h to enforce this.
Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of
2. Define 4 new values:
a. FirstTypedArrayType
b. LastTypedArrayType
c. NumberOfTypedArrayTypesExcludingDataView
d. NumberOfTypedArrayTypes
Use these everywhere where we iterate or bisect the TypedArray JSTypes.
3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead.
4. Simplify the code that converts between TypedArrayType and JSType.
Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType().
Previously, typedArrayTypeForType() converts DataViewType to NotTypedArray
instead of TypeDataView. Now, it converts to TypeDataView.
This does not result in any change of behavior because typedArrayTypeForType()
is only called in Structure::hasIndexingHeader(), and its result is passed to
isTypedView(), which handles TypeDataView correctly.
5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset().
If the vector is null, we can skip the rest of the checks. While the current
code does not result in incorrect behavior, it is inefficient, and communicates
wrong information to the reader i.e. implying that there's something in the
dataGPR when there's not. The dataGPR should also be null in this case.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
* ftl/FTLOSRExit.cpp:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::visitChildren):
* runtime/JSType.h:
* runtime/TypedArrayType.cpp:
(JSC::typeForTypedArrayType): Deleted.
* runtime/TypedArrayType.h:
(JSC::typedArrayTypeForType):
(JSC::typeForTypedArrayType):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
DFG should always flush `this`
https://bugs.webkit.org/show_bug.cgi?id=181999
Reviewed by Saam Barati and Mark Lam.
This is going to make it possible to use precise index masking for arguments-on-the-stack
accesses with an index adjusted so that 0 is this. Without this change, we would have no way
of masking when the argument count is 0, unless we padded the argument area so that there was
always an argument slot after `this` and it was always initialized.
This is neutral on all benchmarks.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushImpl):
(JSC::DFG::ByteCodeParser::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::parse):
(JSC::DFG::flushImpl): Deleted.
(JSC::DFG::flushForTerminalImpl): Deleted.
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2018-01-23 Filip Pizlo <fpizlo@apple.com>
JSC should use a speculation fence on VM entry/exit
https://bugs.webkit.org/show_bug.cgi?id=181991
Reviewed by JF Bastien and Mark Lam.
This adds a WTF::speculationFence on VM entry and exit.
For a microbenchmark that just calls a native function (supplied via an Objective-C block) in a
tight loop from JS is a 0% regression on x86 and a 11% regression on ARM64.
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::willReleaseLock):
2018-01-23 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] JIT requires sizeof(bool) == 1
https://bugs.webkit.org/show_bug.cgi?id=181150
Reviewed by Saam Barati.
LLInt and JIT assumes that sizeof(bool) == 1. But it is implementation-dependent in C++ spec.
Since this is a mandatory requirement in JSC, we add a static_assert to ensure this.
* runtime/InitializeThreading.cpp:
2018-01-23 Robin Morisset <rmorisset@apple.com>
Update the argument count in DFGByteCodeParser::handleRecursiveCall
https://bugs.webkit.org/show_bug.cgi?id=181739
<rdar://problem/36627662>
Reviewed by Saam Barati.
When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call
into a jump, we should update that stack slot as there is no guarantee that the function was originally
called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'.
It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int
as its first OpInfo field, and stores it to the stack at the right place.
We must be a bit careful in where we put this new node, as it ClobbersExit.
We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::argumentCountIncludingThis):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
2018-01-22 Michael Saboff <msaboff@apple.com>
DFG abstract interpreter needs to properly model effects of some Math ops
https://bugs.webkit.org/show_bug.cgi?id=181886
Reviewed by Saam Barati.
Reviewed the processing of the various ArithXXX and CompareXXX and found that
several nodes don't handle UntypedUse. Added clobberWorld() for those cases.
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
2018-01-21 Wenson Hsieh <wenson_hsieh@apple.com>
Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h
https://bugs.webkit.org/show_bug.cgi?id=181918
Reviewed by Tim Horton.
Add EXTRA_ZOOM_MODE to FeatureDefines.xconfig (off by default).
* Configurations/FeatureDefines.xcconfig:
2018-01-20 Caio Lima <ticaiolima@gmail.com>
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
https://bugs.webkit.org/show_bug.cgi?id=181182
Reviewed by Darin Adler.
Casting double to integer is undefined behavior when the truncation
results into a value that doesn't fit into integer size,
according C++ spec[1]. Thus, we are changing bigIntProtoFuncToString and
numberProtoFuncToString to remove these source of undefined
behavior.
[1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToString):
(JSC::extractToStringRadixArgument):
(JSC::extractRadixFromArgs): Deleted.
* runtime/NumberPrototype.h:
2018-01-19 Saam Barati <sbarati@apple.com>
Kill ArithNegate's ArithProfile assert inside BytecodeParser
https://bugs.webkit.org/show_bug.cgi?id=181877
<rdar://problem/36630552>
Reviewed by Mark Lam.
Before this patch, we used to assert that op_negate's result ArithProfile
only produces number. It's logically true that negate only produces a number.
However, the DFG may incorrectly pick this ArithProfile when doing OSR exit
profiling. So we'll end up profiling something that's likely the input to
negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor
is entirely heuristic based, potentially leading to profiling results being imprecise.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
2018-01-19 David Kilzer <ddkilzer@apple.com>
oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found
<https://webkit.org/b/181871>
Rubber-stamped by JF Bastien.
* CMakeLists.txt: Add ICU header search path to
LLIntOffsetsExtractor target by reusing
JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES.
2018-01-19 Saam Barati <sbarati@apple.com>
Spread's effects are modeled incorrectly both in AI and in Clobberize
https://bugs.webkit.org/show_bug.cgi?id=181867
<rdar://problem/36290415>
Reviewed by Michael Saboff.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2018-01-19 Keith Miller <keith_miller@apple.com>
HaveInternalSDK includes should be "#include?"
https://bugs.webkit.org/show_bug.cgi?id=179670
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
2018-01-18 JF Bastien <jfbastien@apple.com>
Set the minimum executable allocator size properly
https://bugs.webkit.org/show_bug.cgi?id=181816
<rdar://problem/36635533>
Reviewed by Saam Barati.
Executable allocator expects at least two page size's worth of
allocation in certain conditions, and that causes some tests to
now fail because they ask for less. Set that minimum correctly. We
were already rounding up to a page size, so having a minimum of 2
page sizes is fine.
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2018-01-18 Michael Saboff <msaboff@apple.com>
Unreviewed build fix for Windows
* interpreter/FrameTracers.h:
(JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly
on Windows.
2018-01-18 Mark Lam <mark.lam@apple.com>
Poisons should be initialized after Options are initialized.
https://bugs.webkit.org/show_bug.cgi?id=181807
<rdar://problem/36629138>
Reviewed by Keith Miller.
This is because poison initialization may depend on options.
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
2018-01-18 Dan Bernstein <mitz@apple.com>
[Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions
https://bugs.webkit.org/show_bug.cgi?id=181803
Reviewed by Tim Horton.
* Configurations/Base.xcconfig: Updated.
* Configurations/DebugRelease.xcconfig: Ditto.
* Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers.
* Configurations/Version.xcconfig: Updated.
* Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings
useful for defining settings that depend on the target macOS version.
2018-01-18 Michael Saboff <msaboff@apple.com>
REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions
https://bugs.webkit.org/show_bug.cgi?id=181802
Reviewed by Filip Pizlo.
There where a few places where the stack isn't properly aligned for X86 when we call into C++ code.
Two places are where we call into exception handling code, the LLInt and from nativeForGenerator.
The other place was when we call into the operationOSRWriteBarrier().
Added an assert check that the stack is aligned on X86 platforms in the native call tracing code.
This helped find the other cases beyond the original problem.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::osrWriteBarrier):
* interpreter/FrameTracers.h:
(JSC::assertStackPointerIsAligned):
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
(JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* llint/LowLevelInterpreter32_64.asm:
2018-01-18 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r227096.
https://bugs.webkit.org/show_bug.cgi?id=181788
"it caused a 15% octane regression" (Requested by saamyjoon on
#webkit).
Reverted changeset:
"Support MultiGetByOffset in the DFG"
https://bugs.webkit.org/show_bug.cgi?id=181466
https://trac.webkit.org/changeset/227096
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky
https://bugs.webkit.org/show_bug.cgi?id=181535
Reviewed by Saam Barati.
When executing the code like `string.match(/regexp/)`, `/regexp/` object is created every time we execute this code.
However, user rarely cares about this `/regexp/` object. Typically, it is soon discarded even if it has `lastIndex`
information. So we should not create RegExpObject for this typical case.
This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS)
phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if
`lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp beacause we carefully model
SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase.
This patch is a first attempt to drop NewRegexp. So we start optimizing it with the simple step: we first drop RegExp with
non-global and non-sticky one. We can later extend this optimization for RegExp with global flag. But this is not included
in this patch.
We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky
flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp
instead of RegExpObject. This offers the chance to make NewRegExp unused.
We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky,
since they are the same behavior.
The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulted execution time is
somewhat pure execution time of our Yarr implementation.
baseline patched
regex-u.es5 34.8557+-0.5963 ^ 6.1507+-0.5526 ^ definitely 5.6670x faster
regex-u.es6 89.1919+-3.3851 ^ 32.0917+-0.4260 ^ definitely 2.7793x faster
This patch does not change Octane/RegExp so much since it heavily uses String.prototype.replace, which is not handled in
this patch right now. We should support StringReplace node in subsequent patches.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPhantomNewRegexp):
(JSC::DFG::Node::convertToSetRegExpObjectLastIndex):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::isPhantomAllocation):
(JSC::DFG::Node::hasIgnoreLastIndexIsWritable):
(JSC::DFG::Node::ignoreLastIndexIsWritable):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGPromotedHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGPromotedHeapLocation.h:
(JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewRegexp):
(JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
(JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
(JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationPopulateObjectInOSR):
(JSC::FTL::operationMaterializeObjectInOSR):
* jit/JITOperations.h:
* runtime/RegExpObject.h:
(JSC::RegExpObject::create):
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Remove unused helper functions to convert node to PutHint
https://bugs.webkit.org/show_bug.cgi?id=181775
Reviewed by Saam Barati.
We are using PromotedHeapLocation::createHint. So they are not necessary.
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToPutHint): Deleted.
(JSC::DFG::Node::convertToPutStructureHint): Deleted.
(JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
(JSC::DFG::Node::convertToPutClosureVarHint): Deleted.
* dfg/DFGNode.h:
2018-01-17 Yusuke Suzuki <utatane.tea@gmail.com>
Unreviewed, suppress warnings on GCC
Since `length` and `p` are always positive or zero,
static_cast<unsigned>() does what we want.
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::parseInt):
2018-01-17 Saam Barati <sbarati@apple.com>
Disable Atomics when SharedArrayBuffer isn’t enabled
https://bugs.webkit.org/show_bug.cgi?id=181572
<rdar://problem/36553206>
Reviewed by Michael Saboff.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::createAtomicsProperty): Deleted.
2018-01-17 Saam Barati <sbarati@apple.com>
Support MultiGetByOffset in the DFG
https://bugs.webkit.org/show_bug.cgi?id=181466
Reviewed by Keith Miller.
This seems to benefit Speedometer in my local testing. It seems like this
might be around a 0.5% improvement.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::supportsMultiGetByOffset):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2018-01-17 Saam Barati <sbarati@apple.com>
DFG::Node::convertToConstant needs to clear the varargs flags
https://bugs.webkit.org/show_bug.cgi?id=181697
<rdar://problem/36497332>
Reviewed by Yusuke Suzuki.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToConstant):
2018-01-16 JF Bastien <jfbastien@apple.com>
Allow dangerous disabling of poison
https://bugs.webkit.org/show_bug.cgi?id=181685
<rdar://problem/36546265>
Reviewed by Keith Miller.
Some tools such as leak detectors and such like to look at real
pointers, and poisoned ones confuse them. Add a JSC option to
disable poisoning, but log to the console when this is done.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/Options.h:
2018-01-16 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r226937.
Tests added with this change are failing due to a missing
exception check.
Reverted changeset:
"[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast
double to int32_t"
https://bugs.webkit.org/show_bug.cgi?id=181182
https://trac.webkit.org/changeset/226937
2018-01-16 Michael Catanzaro <mcatanzaro@igalia.com>
Test programs should only be built in developer mode
https://bugs.webkit.org/show_bug.cgi?id=181653
Reviewed by Carlos Garcia Campos.
Build test programs only in developer mode, and fix code style.
* shell/CMakeLists.txt:
2018-01-15 Michael Catanzaro <mcatanzaro@igalia.com>
Improve use of ExportMacros
https://bugs.webkit.org/show_bug.cgi?id=181652
Reviewed by Konstantin Tokarev.
* API/JSBase.h: Update a comment.
* inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro.
* runtime/JSExportMacros.h: Simplify the #defines in this file.
2018-01-15 JF Bastien <jfbastien@apple.com>
Remove makePoisonedUnique
https://bugs.webkit.org/show_bug.cgi?id=181630
<rdar://problem/36498623>
Reviewed by Mark Lam.
I added a conversion from std::unique_ptr, so we can just use
std::make_unique and it'll auto-poison when converted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::makePoisonedUnique): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::makePoisonedUnique): Deleted.
2018-01-15 Michael Catanzaro <mcatanzaro@igalia.com>
REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits
https://bugs.webkit.org/show_bug.cgi?id=181438
<rdar://problem/36376724>
Reviewed by Carlos Garcia Campos.
Roll out the functional changes of r226266. We'll keep the minor CMake library type setting
cleanup, but we have to switch back to building JSC only as a shared library, and we have to
get rid of the version script.
* PlatformGTK.cmake:
* javascriptcoregtk-symbols.map: Removed.
2018-01-14 Saam Barati <sbarati@apple.com>
Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeExitSiteData):
2018-01-13 Mark Lam <mark.lam@apple.com>
Replace all use of ConstExprPoisoned with Poisoned.
https://bugs.webkit.org/show_bug.cgi?id=181542
<rdar://problem/36442138>
Reviewed by JF Bastien.
1. All JSC poisons are now defined in JSCPoison.h.
2. Change all clients to use the new poison values via the POISON() macro.
3. The LLInt code has been updated to handle CodeBlock poison. Some of this code
uses the t5 temp register, which is not available on the Windows port.
Fortunately, we don't currently do poisoning on the Windows port yet. So,
it will just work for now.
When poisoning is enabled for the Windows port, this LLInt code will need a
Windows specific implementation to workaround its lack of a t5 register.
* API/JSAPIWrapperObject.h:
* API/JSCallbackFunction.h:
* API/JSCallbackObject.h:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):
* b3/B3LowerMacros.cpp:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::makePoisonedUnique):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/JIT.h:
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/UnlinkedSourceCode.h:
* runtime/ArrayPrototype.h:
* runtime/CustomGetterSetter.h:
* runtime/DateInstance.h:
* runtime/InternalFunction.h:
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
(JSC::initializePoison):
* runtime/JSCPoison.h:
(): Deleted.
* runtime/JSCPoisonedPtr.cpp: Removed.
* runtime/JSCPoisonedPtr.h: Removed.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::makePoisonedUnique):
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/NativeExecutable.h:
* runtime/StructureTransitionTable.h:
(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
* runtime/WriteBarrier.h:
(JSC::WriteBarrier::poison):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-13 Caio Lima <ticaiolima@gmail.com>
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t
https://bugs.webkit.org/show_bug.cgi?id=181182
Reviewed by Darin Adler.
Casting double to integer is undefined behavior when the truncation
results into a value that doesn't fit into integer size, according C++
spec[1]. Thus, we are changing bigIntProtoFuncToString and
numberProtoFuncToString to remove these source of undefined behavior.
[1] - http://en.cppreference.com/w/cpp/language/implicit_conversion
* runtime/BigIntPrototype.cpp:
(JSC::bigIntProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToString):
(JSC::extractRadixFromArgs): Deleted.
(JSC::extractToStringRadixArgument): Added.
2018-01-12 Saam Barati <sbarati@apple.com>
Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock
https://bugs.webkit.org/show_bug.cgi?id=181545
Reviewed by Michael Saboff.
This patch follows the theme of putting optimization profiling information on
UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data.
This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock
pulled from the code cache, making better compilation decisions, usually
resulting in fewer exits, and fewer recompilations.
This is a 1% Speedometer progression in my testing.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/CallLinkStatus.h:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addFrequentExitSite): Deleted.
(JSC::CodeBlock::hasExitSite const): Deleted.
(JSC::CodeBlock::exitProfile): Deleted.
* bytecode/DFGExitProfile.cpp:
(JSC::DFG::ExitProfile::add):
(JSC::DFG::QueryableExitProfile::initialize):
* bytecode/DFGExitProfile.h:
(JSC::DFG::ExitProfile::hasExitSite const):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::hasExitSite):
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::hasExitSite):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::hasExitSite const):
(JSC::UnlinkedCodeBlock::hasExitSite):
(JSC::UnlinkedCodeBlock::exitProfile):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::hasGlobalExitSite):
(JSC::DFG::Graph::hasExitSite):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGOSRExitBase.cpp:
(JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2018-01-12 JF Bastien <jfbastien@apple.com>
PoisonedWriteBarrier
https://bugs.webkit.org/show_bug.cgi?id=181599
<rdar://problem/36474351>
Reviewed by Mark Lam.
Allow poisoning of WriteBarrier objects, and use this for
WebAssembly because it is perf-neutral, at least on WasmBench on
my MBP. If it indeed is perf-neutral according to the bots, start
using it in more performance-sensitive places.
* heap/HandleTypes.h:
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::append):
(JSC::SlotVisitor::appendHidden):
* runtime/JSCJSValue.h:
* runtime/JSCPoison.h:
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setPrototypeWithoutTransition):
(JSC::Structure::setGlobalObject):
(JSC::Structure::setPreviousID):
* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase::copyFrom):
(JSC::WriteBarrierBase::get const):
(JSC::WriteBarrierBase::operator* const):
(JSC::WriteBarrierBase::operator-> const):
(JSC::WriteBarrierBase::clear):
(JSC::WriteBarrierBase::slot):
(JSC::WriteBarrierBase::operator bool const):
(JSC::WriteBarrierBase::setWithoutWriteBarrier):
(JSC::WriteBarrierBase::unvalidatedGet const):
(JSC::operator==):
* runtime/WriteBarrierInlines.h:
(JSC::Traits>::set):
(JSC::Traits>::setMayBeNull):
(JSC::Traits>::setEarlyValue):
(JSC::DumbValueTraits<Unknown>>::set):
* wasm/WasmInstance.h:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::finishCreation):
(JSC::JSWebAssemblyInstance::visitChildren):
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee):
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::clearFunction):
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::materializeImportJSCell):
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:
2018-01-12 Saam Barati <sbarati@apple.com>
CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty
https://bugs.webkit.org/show_bug.cgi?id=181177
<rdar://problem/36205704>
Reviewed by Yusuke Suzuki.
The semantics of CheckStructure are such that it does not allow the empty value to flow through it.
However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't
have semantic consequences when validation is turned off. However, with validation on, this trips up
our OSR exit machinery that says when an exit is allowed to happen.
Consider the following IR:
a: GetClosureVar // Or any other node that produces BytecodeTop
...
c: CheckStructure(Cell:@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
...
f: CheckStructureOrEmpty(@a, {s2})
c: CheckStructure(Cell:@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
This will cause constant folding to change the IR to:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
...
f: CheckStructureOrEmpty(@a, {s2})
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
Our mayExit analysis determines that the PutByOffset should not exit. Note
that AI will determine the only value the PutByOffset can see in @a is
the empty value. Because KnownCell filters SpecCell and not SpecCellCheck,
when lowering the PutByOffset, we reach a contradiction in AI and emit
an OSR exit. However, because mayExit said we couldn't exit, we assert.
Note that if we did not run the TypeCheckHoistingPhase on this IR, AI
would have determined we would OSR exit at the second CheckStructure.
This patch makes it so constant folding produces the following IR:
a: GetClosureVar
e: CheckStructureOrEmpty(@a, {s1})
g: AssertNotEmpty(@a)
...
f: CheckStructureOrEmpty(@a, {s2})
h: AssertNotEmpty(@a)
d: PutByOffset(KnownCell:@a, KnownCell:@a, @value)
This modification will cause AI to know we will OSR exit before even reaching
the PutByOffset. Note that in the original IR, the GetClosureVar won't
actually produce the TDZ value. If it did, bytecode would have caused us
to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's
why this bug is about IR bookkeeping and not an actual error in IR analysis.
This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be
more congruous with CheckStructure's semantics of crashing on the empty value
as input (on 64 bit platforms).
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2018-01-12 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent
https://bugs.webkit.org/show_bug.cgi?id=181579
<rdar://problem/36193759>
Reviewed by Brian Burg.
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::clearMessages):
(Inspector::InspectorConsoleAgent::addConsoleMessage):
Switch from a raw pointer to m_consoleMessages.last().
Also move the expiration check into the if block since it can only
happen inside here when the number of console messages changes.
(Inspector::InspectorConsoleAgent::discardValues):
Also clear the expired message count when messages are cleared.
2018-01-12 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Create parallel SlotVisitors apriori
https://bugs.webkit.org/show_bug.cgi?id=180907
Reviewed by Saam Barati.
The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2.
If we create these SlotVisitors apropri, we do not need to create SlotVisitors dynamically.
Then we do not need to grab locks while iterating all the SlotVisitors.
In addition, we do not need to consider the case that the number of SlotVisitors increases
after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
does not increase any more.
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::runBeginPhase):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachSlotVisitor):
(JSC::Heap::numberOfSlotVisitors): Deleted.
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::didVisitSomething const):
2018-01-12 Saam Barati <sbarati@apple.com>
Each variant of a polymorphic inlined call should be exitOK at the top of the block
https://bugs.webkit.org/show_bug.cgi?id=181562
<rdar://problem/36445624>
Reviewed by Yusuke Suzuki.
Before this patch, the very first block in the switch for polymorphic call
inlining will have exitOK at the top. The others are not guaranteed to.
That was just a bug. They're all exitOK at the top. This will lead to crashes
in FixupPhase because we won't have a node in a block that has ExitOK, so
when we fixup various type checks, we assert out.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
2018-01-11 Keith Miller <keith_miller@apple.com>
Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION
https://bugs.webkit.org/show_bug.cgi?id=181573
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig:
* runtime/Options.h:
2018-01-11 Michael Saboff <msaboff@apple.com>
REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters
https://bugs.webkit.org/show_bug.cgi?id=181570
Reviewed by Keith Miller.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
Reverting these functions to use dataTempRegister and memoryTempRegister as they are
JIT release asserts that will crash the program.
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
Changed this so that it invalidates any cached dataTmpRegister contents if temp register
caching is enabled.
2018-01-11 Filip Pizlo <fpizlo@apple.com>
Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes
https://bugs.webkit.org/show_bug.cgi?id=181543
Rubber stamped by Michael Saboff.
In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't
really have anything to do with allocation anymore. The allocation will be done by something
in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a
place to find blocks (a "block directory").
Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the
attributes of the HeapCellType. So let's call them CellAttributes.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfile.h:
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNewObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
* heap/AlignedMemoryAllocator.cpp:
(JSC::AlignedMemoryAllocator::registerDirectory):
(JSC::AlignedMemoryAllocator::registerAllocator): Deleted.
* heap/AlignedMemoryAllocator.h:
(JSC::AlignedMemoryAllocator::firstDirectory const):
(JSC::AlignedMemoryAllocator::firstAllocator const): Deleted.
* heap/AllocatorAttributes.cpp: Removed.
* heap/AllocatorAttributes.h: Removed.
* heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp.
(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::setSubspace):
(JSC::BlockDirectory::isPagedOut):
(JSC::BlockDirectory::findEmptyBlockToSteal):
(JSC::BlockDirectory::didConsumeFreeList):
(JSC::BlockDirectory::tryAllocateWithoutCollecting):
(JSC::BlockDirectory::allocateIn):
(JSC::BlockDirectory::tryAllocateIn):
(JSC::BlockDirectory::doTestCollectionsIfNeeded):
(JSC::BlockDirectory::allocateSlowCase):
(JSC::BlockDirectory::blockSizeForBytes):
(JSC::BlockDirectory::tryAllocateBlock):
(JSC::BlockDirectory::addBlock):
(JSC::BlockDirectory::removeBlock):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::lastChanceToFinalize):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::beginMarkingForFullCollection):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::snapshotUnsweptForEdenCollection):
(JSC::BlockDirectory::snapshotUnsweptForFullCollection):
(JSC::BlockDirectory::findBlockToSweep):
(JSC::BlockDirectory::sweep):
(JSC::BlockDirectory::shrink):
(JSC::BlockDirectory::assertNoUnswept):
(JSC::BlockDirectory::parallelNotEmptyBlockSource):
(JSC::BlockDirectory::dump const):
(JSC::BlockDirectory::dumpBits):
(JSC::BlockDirectory::markedSpace const):
(JSC::MarkedAllocator::MarkedAllocator): Deleted.
(JSC::MarkedAllocator::setSubspace): Deleted.
(JSC::MarkedAllocator::isPagedOut): Deleted.
(JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted.
(JSC::MarkedAllocator::didConsumeFreeList): Deleted.
(JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
(JSC::MarkedAllocator::allocateIn): Deleted.
(JSC::MarkedAllocator::tryAllocateIn): Deleted.
(JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
(JSC::MarkedAllocator::allocateSlowCase): Deleted.
(JSC::MarkedAllocator::blockSizeForBytes): Deleted.
(JSC::MarkedAllocator::tryAllocateBlock): Deleted.
(JSC::MarkedAllocator::addBlock): Deleted.
(JSC::MarkedAllocator::removeBlock): Deleted.
(JSC::MarkedAllocator::stopAllocating): Deleted.
(JSC::MarkedAllocator::prepareForAllocation): Deleted.
(JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
(JSC::MarkedAllocator::resumeAllocating): Deleted.
(JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
(JSC::MarkedAllocator::endMarking): Deleted.
(JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
(JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
(JSC::MarkedAllocator::findBlockToSweep): Deleted.
(JSC::MarkedAllocator::sweep): Deleted.
(JSC::MarkedAllocator::shrink): Deleted.
(JSC::MarkedAllocator::assertNoUnswept): Deleted.
(JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
(JSC::MarkedAllocator::dump const): Deleted.
(JSC::MarkedAllocator::dumpBits): Deleted.
(JSC::MarkedAllocator::markedSpace const): Deleted.
* heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
(JSC::BlockDirectory::attributes const):
(JSC::BlockDirectory::forEachBitVector):
(JSC::BlockDirectory::forEachBitVectorWithName):
(JSC::BlockDirectory::nextDirectory const):
(JSC::BlockDirectory::nextDirectoryInSubspace const):
(JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
(JSC::BlockDirectory::setNextDirectory):
(JSC::BlockDirectory::setNextDirectoryInSubspace):
(JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
(JSC::BlockDirectory::offsetOfFreeList):
(JSC::BlockDirectory::offsetOfCellSize):
(JSC::MarkedAllocator::cellSize const): Deleted.
(JSC::MarkedAllocator::attributes const): Deleted.
(JSC::MarkedAllocator::needsDestruction const): Deleted.
(JSC::MarkedAllocator::destruction const): Deleted.
(JSC::MarkedAllocator::cellKind const): Deleted.
(JSC::MarkedAllocator::heap): Deleted.
(JSC::MarkedAllocator::bitvectorLock): Deleted.
(JSC::MarkedAllocator::forEachBitVector): Deleted.
(JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
(JSC::MarkedAllocator::nextAllocator const): Deleted.
(JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
(JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
(JSC::MarkedAllocator::setNextAllocator): Deleted.
(JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
(JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
(JSC::MarkedAllocator::subspace const): Deleted.
(JSC::MarkedAllocator::freeList const): Deleted.
(JSC::MarkedAllocator::offsetOfFreeList): Deleted.
(JSC::MarkedAllocator::offsetOfCellSize): Deleted.
* heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
(JSC::BlockDirectory::isFreeListedCell const):
(JSC::BlockDirectory::allocate):
(JSC::BlockDirectory::forEachBlock):
(JSC::BlockDirectory::forEachNotEmptyBlock):
(JSC::MarkedAllocator::isFreeListedCell const): Deleted.
(JSC::MarkedAllocator::allocate): Deleted.
(JSC::MarkedAllocator::forEachBlock): Deleted.
(JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
* heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
(JSC::CellAttributes::dump const):
(JSC::AllocatorAttributes::dump const): Deleted.
* heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
(JSC::CellAttributes::CellAttributes):
(JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
* heap/CompleteSubspace.cpp:
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h:
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/GCDeferralContext.h:
* heap/Heap.cpp:
(JSC::Heap::updateAllocationLimits):
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::cellAttributes const):
(JSC::HeapCell::destructionMode const):
(JSC::HeapCell::cellKind const):
(JSC::HeapCell::allocatorAttributes const): Deleted.
* heap/HeapCellType.cpp:
(JSC::HeapCellType::HeapCellType):
* heap/HeapCellType.h:
(JSC::HeapCellType::attributes const):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::IncrementalSweeper):
(JSC::IncrementalSweeper::sweepNextBlock):
(JSC::IncrementalSweeper::startSweeping):
(JSC::IncrementalSweeper::stopSweeping):
* heap/IncrementalSweeper.h:
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::IsoCellSet):
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
(JSC::IsoCellSet::addSlow):
(JSC::IsoCellSet::didRemoveBlock):
(JSC::IsoCellSet::sweepToFreeList):
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCell):
(JSC::IsoCellSet::forEachLiveCell):
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h:
(JSC::IsoSubspace::allocatorForNonVirtual):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::attributes const):
* heap/MarkedAllocator.cpp: Removed.
* heap/MarkedAllocator.h: Removed.
* heap/MarkedAllocatorInlines.h: Removed.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::~Handle):
(JSC::MarkedBlock::Handle::setIsFreeListed):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::noteMarkedSlow):
(JSC::MarkedBlock::Handle::removeFromDirectory):
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::didRemoveFromDirectory):
(JSC::MarkedBlock::Handle::dumpState):
(JSC::MarkedBlock::Handle::subspace const):
(JSC::MarkedBlock::Handle::sweep):
(JSC::MarkedBlock::Handle::isFreeListedCell const):
(JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
(JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
(JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::directory const):
(JSC::MarkedBlock::Handle::attributes const):
(JSC::MarkedBlock::attributes const):
(JSC::MarkedBlock::Handle::allocator const): Deleted.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::isAllocated):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::isEmpty):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::lastChanceToFinalize):
(JSC::MarkedSpace::sweep):
(JSC::MarkedSpace::stopAllocating):
(JSC::MarkedSpace::resumeAllocating):
(JSC::MarkedSpace::isPagedOut):
(JSC::MarkedSpace::freeBlock):
(JSC::MarkedSpace::shrink):
(JSC::MarkedSpace::beginMarking):
(JSC::MarkedSpace::endMarking):
(JSC::MarkedSpace::snapshotUnswept):
(JSC::MarkedSpace::assertNoUnswept):
(JSC::MarkedSpace::dumpBits):
(JSC::MarkedSpace::addBlockDirectory):
(JSC::MarkedSpace::addMarkedAllocator): Deleted.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::firstDirectory const):
(JSC::MarkedSpace::directoryLock):
(JSC::MarkedSpace::forEachBlock):
(JSC::MarkedSpace::forEachDirectory):
(JSC::MarkedSpace::firstAllocator const): Deleted.
(JSC::MarkedSpace::allocatorLock): Deleted.
(JSC::MarkedSpace::forEachAllocator): Deleted.
* heap/MarkedSpaceInlines.h:
* heap/Subspace.cpp:
(JSC::Subspace::initialize):
(JSC::Subspace::prepareForAllocation):
(JSC::Subspace::findEmptyBlockToSteal):
(JSC::Subspace::parallelDirectorySource):
(JSC::Subspace::parallelNotEmptyMarkedBlockSource):
(JSC::Subspace::sweep):
(JSC::Subspace::parallelAllocatorSource): Deleted.
* heap/Subspace.h:
(JSC::Subspace::attributes const):
(JSC::Subspace::didCreateFirstDirectory):
(JSC::Subspace::didCreateFirstAllocator): Deleted.
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachDirectory):
(JSC::Subspace::forEachMarkedBlock):
(JSC::Subspace::forEachNotEmptyMarkedBlock):
(JSC::Subspace::forEachAllocator): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/VM.cpp:
(JSC::VM::VM):
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
2018-01-11 Saam Barati <sbarati@apple.com>
When inserting Unreachable in byte code parser we need to flush all the right things
https://bugs.webkit.org/show_bug.cgi?id=181509
<rdar://problem/36423110>
Reviewed by Mark Lam.
I added code in r226655 that had its own mechanism for preserving liveness when
inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
I got some of these values wrong, which was leading to a crash when recovering the
callee value from an inlined frame. Instead of making the same mistake and repeating
similar code again, this patch refactors this logic to be shared with the other
liveness preservation code in the DFG bytecode parser. This is what I should have
done in my initial patch.
* bytecode/InlineCallFrame.h:
(JSC::remapOperand):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::flushImpl):
(JSC::DFG::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::parse):
2018-01-11 Saam Barati <sbarati@apple.com>
JITMathIC code in the FTL is wrong when code gets duplicated
https://bugs.webkit.org/show_bug.cgi?id=181525
<rdar://problem/36351993>
Reviewed by Michael Saboff and Keith Miller.
B3/Air may duplicate code for various reasons. Patchpoint generators inside
FTLLower must be aware that they can be called multiple times because of this.
The patchpoint for math ICs was not aware of this, and shared state amongst
all invocations of the patchpoint's generator. This patch fixes this bug so
that each invocation of the patchpoint's generator gets a unique math IC.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addMathIC):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
* jit/JITMathIC.h:
(JSC::isProfileEmpty):
2018-01-11 Michael Saboff <msaboff@apple.com>
Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
https://bugs.webkit.org/show_bug.cgi?id=181512
Reviewed by Saam Barati.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
All current uses of dataTempRegister in these functions are safe, but it makes sense to
fix them in case they might be used elsewhere.
2018-01-04 Filip Pizlo <fpizlo@apple.com>
CodeBlocks should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=180884
Reviewed by Saam Barati.
This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
WeakReferenceHarvester or UnconditionalFinalizer. Instead:
- Code block sweeping is now just eager sweeping. This means that it automatically takes
advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
its eden set for.
- Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what
we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
longer has to clear the set of weakly visited code blocks. This also means that
determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
has IsoCellSets to tell us which edges have output constraints (what we used to call
CodeBlock's weak reference harvester) and which have unconditional finalizers.
- CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
- CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to
handle requests from the sampler, debugger, and other facilities. They may want to ask
if some pointer corresponds to a CodeBlock during stages of execution during which the
GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
There is no way that the GC's isLive could tell us of a CodeBlock that had already been
allocated has now been full constructed.
Rolling this back in because it was rolled out by mistake. There was a flaky crash that was
happening before and after this change, but we misread the revision numbers at first and
thought that this was the cause.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finishCreationCommon):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
(JSC::CodeBlock::installVMTrapBreakpoints):
(JSC::CodeBlock::dumpMathICStats):
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::subspaceFor):
(JSC::CodeBlock::ownerEdge const):
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
* bytecode/EvalCodeBlock.h:
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
(JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
* bytecode/ExecutableToCodeBlockEdge.cpp: Added.
(JSC::ExecutableToCodeBlockEdge::createStructure):
(JSC::ExecutableToCodeBlockEdge::create):
(JSC::ExecutableToCodeBlockEdge::visitChildren):
(JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
(JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
(JSC::ExecutableToCodeBlockEdge::activate):
(JSC::ExecutableToCodeBlockEdge::deactivate):
(JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
(JSC::ExecutableToCodeBlockEdge::wrap):
(JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
(JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
(JSC::ExecutableToCodeBlockEdge::runConstraint):
* bytecode/ExecutableToCodeBlockEdge.h: Added.
(JSC::ExecutableToCodeBlockEdge::subspaceFor):
(JSC::ExecutableToCodeBlockEdge::codeBlock const):
(JSC::ExecutableToCodeBlockEdge::unwrap):
* bytecode/FunctionCodeBlock.h:
(JSC::FunctionCodeBlock::subspaceFor):
(JSC::FunctionCodeBlock::createStructure):
* bytecode/ModuleProgramCodeBlock.h:
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
* bytecode/ProgramCodeBlock.h:
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
* debugger/Debugger.cpp:
(JSC::Debugger::SetSteppingModeFunctor::operator() const):
(JSC::Debugger::ToggleBreakpointFunctor::operator() const):
(JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
(JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
(JSC::CodeBlockSet::dump const):
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::remove):
(JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
(JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
(JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
(JSC::CodeBlockSet::iterateViaSubspaces):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
(JSC::DummyMarkHook::markKnownJSCell):
(JSC::CompositeMarkHook::mark):
(JSC::CompositeMarkHook::markKnownJSCell):
* heap/ConservativeRoots.h:
* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::finalizeMarkedUnconditionalFinalizers):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::beginMarking):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
(JSC::Heap::forEachCodeBlockImpl):
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
(JSC::Heap::addCoreConstraints):
(JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::subspace const):
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
* heap/IsoCellSet.h:
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCellInParallel):
(JSC::IsoCellSet::forEachLiveCell):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::subspace const):
* heap/MarkStackMergingConstraint.cpp:
(JSC::MarkStackMergingConstraint::executeImpl):
* heap/MarkStackMergingConstraint.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::parallelNotEmptyBlockSource):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToAllocator):
(JSC::MarkedBlock::Handle::didRemoveFromAllocator):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::subspace const):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::forEachLiveCell):
* heap/MarkedSpaceInlines.h:
(JSC::MarkedSpace::forEachLiveCell):
* heap/MarkingConstraint.cpp:
(JSC::MarkingConstraint::execute):
(JSC::MarkingConstraint::doParallelWork):
(JSC::MarkingConstraint::finishParallelWork): Deleted.
(JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
(JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
* heap/MarkingConstraint.h:
* heap/MarkingConstraintSet.cpp:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSet.h:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::execute):
(JSC::MarkingConstraintSolver::addParallelTask):
(JSC::MarkingConstraintSolver::runExecutionThread):
(JSC::MarkingConstraintSolver::didExecute): Deleted.
* heap/MarkingConstraintSolver.h:
(JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
(JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
* heap/SimpleMarkingConstraint.cpp:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
(JSC::SimpleMarkingConstraint::executeImpl):
* heap/SimpleMarkingConstraint.h:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addParallelConstraintTask):
* heap/SlotVisitor.h:
* heap/Subspace.cpp:
(JSC::Subspace::sweep):
* heap/Subspace.h:
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachLiveCell):
* llint/LowLevelInterpreter.asm:
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildren):
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::codeBlock):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::baselineCodeBlockFor):
(JSC::FunctionExecutable::visitChildren):
* runtime/FunctionExecutable.h:
* runtime/JSType.h:
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren):
* runtime/ModuleProgramExecutable.h:
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildren):
* runtime/ProgramExecutable.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
(JSC::ScriptExecutable::newReplacementCodeBlockFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
(JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
(JSC::VM::forEachCodeBlockSpace):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* tools/VMInspector.cpp:
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::VMInspector::isValidCodeBlock):
2018-01-11 Michael Saboff <msaboff@apple.com>
Add a DOM gadget for Spectre testing
https://bugs.webkit.org/show_bug.cgi?id=181351
Reviewed by Ryosuke Niwa.
* runtime/Options.h:
2018-01-11 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG][FTL] regExpMatchFast should be handled
https://bugs.webkit.org/show_bug.cgi?id=180988
Reviewed by Mark Lam.
RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function
with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to
make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property.
To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving
slow path part to `@matchSlow()` private function.
It improves SixSpeed regex-u.{es5,es6} largely since they stress String.prototype.match, which calls
this regExpMatchFast function.
baseline patched
regex-u.es5 55.3835+-6.3002 ^ 36.2431+-2.0797 ^ definitely 1.5281x faster
regex-u.es6 110.4624+-6.2896 ^ 94.1012+-7.2433 ^ definitely 1.1739x faster
* builtins/RegExpPrototype.js:
(globalPrivate.matchSlow):
(overriddenName.string_appeared_here.match):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileRegExpMatch):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncMatchFast):
2018-01-11 Saam Barati <sbarati@apple.com>
Our for-in caching is wrong when we add indexed properties on things in the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=181508
Reviewed by Yusuke Suzuki.
Our for-in caching would cache structure chains that had prototypes with
indexed properties. Clearly this is wrong. This caching breaks when a prototype
adds new indexed properties. We would continue to enumerate the old cached
state of properties, and not include the new indexed properties.
The old code used to prevent caching only if the base structure had
indexed properties. This patch extends it to prevent caching if the
base, or any structure in the prototype chain, has indexed properties.
* runtime/Structure.cpp:
(JSC::Structure::canCachePropertyNameEnumerator const):
2018-01-10 JF Bastien <jfbastien@apple.com>
Poison small JSObject derivatives which only contain pointers
https://bugs.webkit.org/show_bug.cgi?id=181483
<rdar://problem/36407127>
Reviewed by Mark Lam.
I wrote a script that finds interesting things to poison or
generally harden. These stood out because they derive from
JSObject and only contain a few pointer or pointer-like fields,
and could therefore just be poisoned. This also requires some
template "improvements" to our poisoning machinery. Worth noting
is that I'm making PoisonedUniquePtr move-assignable and
move-constructible from unique_ptr, which makes it a better
drop-in replacement because we don't need to use
makePoisonedUniquePtr. This means function-locals can be
unique_ptr and get the nice RAII pattern, and once the function is
done you can just move to the class' PoisonedUniquePtr without
worrying.
* API/JSAPIWrapperObject.h:
(JSC::JSAPIWrapperObject::wrappedObject):
* API/JSAPIWrapperObject.mm:
(JSC::JSAPIWrapperObject::JSAPIWrapperObject):
* API/JSCallbackObject.h:
* runtime/ArrayPrototype.h:
* runtime/DateInstance.h:
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::finishCreation):
(JSC::JSArrayBuffer::isShared const):
(JSC::JSArrayBuffer::sharingMode const):
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.h:
2018-01-10 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226667 and r226673.
https://bugs.webkit.org/show_bug.cgi?id=181488
This caused a flaky crash. (Requested by mlewis13 on #webkit).
Reverted changesets:
"CodeBlocks should be in IsoSubspaces"
https://bugs.webkit.org/show_bug.cgi?id=180884
https://trac.webkit.org/changeset/226667
"REGRESSION (r226667): CodeBlocks should be in IsoSubspaces"
https://bugs.webkit.org/show_bug.cgi?id=180884
https://trac.webkit.org/changeset/226673
2018-01-09 David Kilzer <ddkilzer@apple.com>
REGRESSION (r226667): CodeBlocks should be in IsoSubspaces
<https://bugs.webkit.org/show_bug.cgi?id=180884>
Fixes the following build error:
heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture]
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints): Remove 'this' from lambda to
fix the build.
2018-01-09 Keith Miller <keith_miller@apple.com>
and32 with an Address source on ARM64 did not invalidate dataTempRegister
https://bugs.webkit.org/show_bug.cgi?id=181467
Reviewed by Michael Saboff.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::and32):
2018-01-04 Filip Pizlo <fpizlo@apple.com>
CodeBlocks should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=180884
Reviewed by Saam Barati.
This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the
special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use
WeakReferenceHarvester or UnconditionalFinalizer. Instead:
- Code block sweeping is now just eager sweeping. This means that it automatically takes
advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use
its eden set for.
- Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable
marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what
we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no
longer has to clear the set of weakly visited code blocks. This also means that
determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning
CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it
has IsoCellSets to tell us which edges have output constraints (what we used to call
CodeBlock's weak reference harvester) and which have unconditional finalizers.
- CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer.
- CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to
handle requests from the sampler, debugger, and other facilities. They may want to ask
if some pointer corresponds to a CodeBlock during stages of execution during which the
GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread.
There is no way that the GC's isLive could tell us of a CodeBlock that had already been
allocated has now been full constructed.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finishCreationCommon):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::hasInstalledVMTrapBreakpoints const):
(JSC::CodeBlock::installVMTrapBreakpoints):
(JSC::CodeBlock::dumpMathICStats):
(JSC::CodeBlock::visitWeakly): Deleted.
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted.
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::subspaceFor):
(JSC::CodeBlock::ownerEdge const):
(JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted.
* bytecode/EvalCodeBlock.h:
(JSC::EvalCodeBlock::create): Deleted.
(JSC::EvalCodeBlock::createStructure): Deleted.
(JSC::EvalCodeBlock::variable): Deleted.
(JSC::EvalCodeBlock::numVariables): Deleted.
(JSC::EvalCodeBlock::functionHoistingCandidate): Deleted.
(JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted.
(JSC::EvalCodeBlock::EvalCodeBlock): Deleted.
(JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted.
* bytecode/ExecutableToCodeBlockEdge.cpp: Added.
(JSC::ExecutableToCodeBlockEdge::createStructure):
(JSC::ExecutableToCodeBlockEdge::create):
(JSC::ExecutableToCodeBlockEdge::visitChildren):
(JSC::ExecutableToCodeBlockEdge::visitOutputConstraints):
(JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally):
(JSC::ExecutableToCodeBlockEdge::activate):
(JSC::ExecutableToCodeBlockEdge::deactivate):
(JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap):
(JSC::ExecutableToCodeBlockEdge::wrap):
(JSC::ExecutableToCodeBlockEdge::wrapAndActivate):
(JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge):
(JSC::ExecutableToCodeBlockEdge::runConstraint):
* bytecode/ExecutableToCodeBlockEdge.h: Added.
(JSC::ExecutableToCodeBlockEdge::subspaceFor):
(JSC::ExecutableToCodeBlockEdge::codeBlock const):
(JSC::ExecutableToCodeBlockEdge::unwrap):
* bytecode/FunctionCodeBlock.h:
(JSC::FunctionCodeBlock::subspaceFor):
(JSC::FunctionCodeBlock::createStructure):
* bytecode/ModuleProgramCodeBlock.h:
(JSC::ModuleProgramCodeBlock::create): Deleted.
(JSC::ModuleProgramCodeBlock::createStructure): Deleted.
(JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted.
* bytecode/ProgramCodeBlock.h:
(JSC::ProgramCodeBlock::create): Deleted.
(JSC::ProgramCodeBlock::createStructure): Deleted.
(JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted.
* debugger/Debugger.cpp:
(JSC::Debugger::SetSteppingModeFunctor::operator() const):
(JSC::Debugger::ToggleBreakpointFunctor::operator() const):
(JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const):
(JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const):
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::contains):
(JSC::CodeBlockSet::dump const):
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::remove):
(JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted.
(JSC::CodeBlockSet::clearMarksForFullCollection): Deleted.
(JSC::CodeBlockSet::lastChanceToFinalize): Deleted.
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted.
* heap/CodeBlockSet.h:
* heap/CodeBlockSetInlines.h:
(JSC::CodeBlockSet::iterate):
(JSC::CodeBlockSet::iterateViaSubspaces):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
(JSC::DummyMarkHook::markKnownJSCell):
(JSC::CompositeMarkHook::mark):
(JSC::CompositeMarkHook::markKnownJSCell):
* heap/ConservativeRoots.h:
* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::finalizeMarkedUnconditionalFinalizers):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::beginMarking):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::sweepInFinalize):
(JSC::Heap::forEachCodeBlockImpl):
(JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
(JSC::Heap::addCoreConstraints):
(JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted.
* heap/Heap.h:
* heap/HeapCell.h:
* heap/HeapCellInlines.h:
(JSC::HeapCell::subspace const):
* heap/HeapInlines.h:
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::forEachCodeBlockIgnoringJITPlans):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
* heap/IsoCellSet.h:
* heap/IsoCellSetInlines.h:
(JSC::IsoCellSet::forEachMarkedCellInParallel):
(JSC::IsoCellSet::forEachLiveCell):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::subspace const):
* heap/MarkStackMergingConstraint.cpp:
(JSC::MarkStackMergingConstraint::executeImpl):
* heap/MarkStackMergingConstraint.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::parallelNotEmptyBlockSource):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToAllocator):
(JSC::MarkedBlock::Handle::didRemoveFromAllocator):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::subspace const):
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::forEachLiveCell):
* heap/MarkedSpaceInlines.h:
(JSC::MarkedSpace::forEachLiveCell):
* heap/MarkingConstraint.cpp:
(JSC::MarkingConstraint::execute):
(JSC::MarkingConstraint::doParallelWork):
(JSC::MarkingConstraint::finishParallelWork): Deleted.
(JSC::MarkingConstraint::doParallelWorkImpl): Deleted.
(JSC::MarkingConstraint::finishParallelWorkImpl): Deleted.
* heap/MarkingConstraint.h:
* heap/MarkingConstraintSet.cpp:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSet.h:
(JSC::MarkingConstraintSet::add):
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::execute):
(JSC::MarkingConstraintSolver::addParallelTask):
(JSC::MarkingConstraintSolver::runExecutionThread):
(JSC::MarkingConstraintSolver::didExecute): Deleted.
* heap/MarkingConstraintSolver.h:
(JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint):
(JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const):
* heap/SimpleMarkingConstraint.cpp:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
(JSC::SimpleMarkingConstraint::executeImpl):
* heap/SimpleMarkingConstraint.h:
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::addParallelConstraintTask):
* heap/SlotVisitor.h:
* heap/Subspace.cpp:
(JSC::Subspace::sweep):
* heap/Subspace.h:
* heap/SubspaceInlines.h:
(JSC::Subspace::forEachLiveCell):
* llint/LowLevelInterpreter.asm:
* runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::visitChildren):
* runtime/EvalExecutable.h:
(JSC::EvalExecutable::codeBlock):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::baselineCodeBlockFor):
(JSC::FunctionExecutable::visitChildren):
* runtime/FunctionExecutable.h:
* runtime/JSType.h:
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::visitChildren):
* runtime/ModuleProgramExecutable.h:
* runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::visitChildren):
* runtime/ProgramExecutable.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
(JSC::ScriptExecutable::newReplacementCodeBlockFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet):
(JSC::VM::SpaceAndFinalizerSet::finalizerSetFor):
(JSC::VM::forEachCodeBlockSpace):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* tools/VMInspector.cpp:
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::VMInspector::isValidCodeBlock):
2018-01-09 Michael Saboff <msaboff@apple.com>
Unreviewed, rolling out r226600 and r226603
https://bugs.webkit.org/show_bug.cgi?id=181351
Add a DOM gadget for Spectre testing
* runtime/Options.h:
2018-01-09 Saam Barati <sbarati@apple.com>
Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
https://bugs.webkit.org/show_bug.cgi?id=181409
Reviewed by Keith Miller.
When I was looking at profiler data for Speedometer, I noticed that one of
the hottest functions in Speedometer is around 1100 bytecode operations long.
Only about 100 of those bytecode ops ever execute. However, we ended up
spending a lot of time compiling basic blocks that never executed. We often
plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
This is the case when such a node never executes.
This patch makes it so that anytime a block has a ForceOSRExit, we replace its
terminal node with an Unreachable node (and remove all nodes after the
ForceOSRExit). This will cut down on graph size when such a block dominates
other blocks in the CFG. This allows us to get rid of huge chunks of the CFG
in certain programs. When doing this transformation, we also insert
Flushes/PhantomLocals to ensure we can recover values that are bytecode
live-in to the ForceOSRExit.
Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
does not get rid of all the CFG that it could. If we decide it's worth
it, we could use additional inputs into this mechanism. For example, we could
profile if a basic block ever executes inside the LLInt/Baseline, and
remove parts of the CFG based on that.
When running Speedometer with the concurrent JIT turned off, this patch
improves DFG/FTL compile times by around 5%.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parse):
2018-01-09 Mark Lam <mark.lam@apple.com>
ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
https://bugs.webkit.org/show_bug.cgi?id=181388
<rdar://problem/36349351>
Reviewed by Saam Barati.
When there are duplicate setters or getters, we may end up overwriting a getter
with a setter, or vice versa. This patch adds tracking for getters/setters that
have been overwritten with duplicates and ignore them.
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitBytecode):
* parser/NodeConstructors.h:
(JSC::PropertyNode::PropertyNode):
* parser/Nodes.h:
(JSC::PropertyNode::isOverriddenByDuplicate const):
(JSC::PropertyNode::setIsOverriddenByDuplicate):
2018-01-08 Zan Dobersek <zdobersek@igalia.com>
REGRESSION(r225913): about 30 JSC test failures on ARMv7
https://bugs.webkit.org/show_bug.cgi?id=181162
<rdar://problem/36261349>
Unreviewed follow-up to r226298. Enable the fast case in
DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform,
assuming in good faith that enough GP registers are available on any
such configuration. The accompanying comment is adjusted to describe
this assumption.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArraySlice):
2018-01-08 JF Bastien <jfbastien@apple.com>
WebAssembly: mask indexed accesses to Table
https://bugs.webkit.org/show_bug.cgi?id=181412
<rdar://problem/36363236>
Reviewed by Saam Barati.
WebAssembly Table indexed accesses are user-controlled and
bounds-checked. Force allocations of Table data to be a
power-of-two, and explicitly mask accesses after bounds-check
branches.
Rename misleading usage of "size" when "length" of a Table was
intended.
Rename the Spectre option from "disable" to "enable".
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
* jit/JIT.cpp:
(JSC::JIT::JIT):
* runtime/Options.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmTable.cpp:
(JSC::Wasm::Table::allocatedLength):
(JSC::Wasm::Table::setLength):
(JSC::Wasm::Table::create):
(JSC::Wasm::Table::Table):
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::clearFunction):
(JSC::Wasm::Table::setFunction):
* wasm/WasmTable.h:
(JSC::Wasm::Table::length const):
(JSC::Wasm::Table::offsetOfLength):
(JSC::Wasm::Table::offsetOfMask):
(JSC::Wasm::Table::mask const):
(JSC::Wasm::Table::isValidLength):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::create):
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::visitChildren):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::getFunction):
(JSC::JSWebAssemblyTable::clearFunction):
(JSC::JSWebAssemblyTable::setFunction):
* wasm/js/JSWebAssemblyTable.h:
(JSC::JSWebAssemblyTable::isValidLength):
(JSC::JSWebAssemblyTable::length const):
(JSC::JSWebAssemblyTable::allocatedLength const):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::webAssemblyTableProtoFuncLength):
(JSC::webAssemblyTableProtoFuncGrow):
(JSC::webAssemblyTableProtoFuncGet):
(JSC::webAssemblyTableProtoFuncSet):
2018-01-08 Michael Saboff <msaboff@apple.com>
Add a DOM gadget for Spectre testing
https://bugs.webkit.org/show_bug.cgi?id=181351
Reviewed by Michael Saboff.
Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
Spectre mitigations.
* runtime/Options.h:
2018-01-08 Mark Lam <mark.lam@apple.com>
Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
https://bugs.webkit.org/show_bug.cgi?id=181403
<rdar://problem/36359789>
Rubber-stamped by JF Bastien.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::predictedMachineCodeSize):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::vm const):
(JSC::CodeBlock::addConstant):
(JSC::CodeBlock::heap const):
(JSC::CodeBlock::replaceConstant):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2018-01-07 Mark Lam <mark.lam@apple.com>
Apply poisoning to more pointers in JSC.
https://bugs.webkit.org/show_bug.cgi?id=181096
<rdar://problem/36182970>
Reviewed by JF Bastien.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::xorPtr):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::xor64):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::xor64):
- Add xorPtr implementation.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::inferredName const):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::visitWeakly):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::finalizeBaselineJITInlineCaches):
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::predictedMachineCodeSize):
(JSC::CodeBlock::findPC):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
(JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
(JSC::CodeBlock::stubInfoBegin):
(JSC::CodeBlock::stubInfoEnd):
(JSC::CodeBlock::callLinkInfosBegin):
(JSC::CodeBlock::callLinkInfosEnd):
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::vm const):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* jit/JIT.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* parser/UnlinkedSourceCode.h:
* runtime/JSCPoison.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/StructureTransitionTable.h:
* wasm/js/JSWebAssemblyCodeBlock.cpp:
(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
(JSC::JSWebAssemblyCodeBlock::visitChildren):
(JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
* wasm/js/JSWebAssemblyCodeBlock.h:
2018-01-06 Yusuke Suzuki <utatane.tea@gmail.com>
Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
https://bugs.webkit.org/show_bug.cgi?id=181321
Reviewed by Saam Barati.
According to ECMA262 16.2[1], functions created using the bind method must not have
"caller" and "arguments" own properties.
[1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions
* runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::finishCreation):
2018-01-05 JF Bastien <jfbastien@apple.com>
WebAssembly: poison JS object's secrets
https://bugs.webkit.org/show_bug.cgi?id=181339
<rdar://problem/36325001>
Reviewed by Mark Lam.
Separating WebAssembly's JS objects from their non-JS
implementation means that all interesting information lives
outside of the JS object itself. This patch poisons each JS
object's pointer to non-JS implementation using the poisoning
mechanism and a unique key per JS object type origin.
* runtime/JSCPoison.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
object in a stack slot when fast TLS is disabled. This requires
that we unpoison the Wasm::Instance.
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
be explicit that the pointer is poisoned.
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:
2018-01-05 Michael Saboff <msaboff@apple.com>
Add ability to disable indexed property masking for testing
https://bugs.webkit.org/show_bug.cgi?id=181350
Reviewed by Keith Miller.
Made the masking of indexed properties runtime controllable via a new JSC::Option
named disableSpectreMitigations. This is done to test the efficacy of that mitigation.
The new option has a generic name as it will probably be used to disable future mitigations.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
* jit/JIT.cpp:
(JSC::JIT::JIT):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
* runtime/Options.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2018-01-05 Michael Saboff <msaboff@apple.com>
Allow JSC Config Files to set Restricted Options
https://bugs.webkit.org/show_bug.cgi?id=181352
Reviewed by Mark Lam.
* runtime/ConfigFile.cpp:
(JSC::ConfigFile::parse):
2018-01-04 Keith Miller <keith_miller@apple.com>
TypedArrays and Wasm should use index masking.
https://bugs.webkit.org/show_bug.cgi?id=181313
Reviewed by Michael Saboff.
We should have index masking for our TypedArray code in the
DFG/FTL and for Wasm when doing bounds checking. Index masking for
Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
WasmBoundsCheckValues we don't need to worry about combining a
bounds check for a load and a store. I went with fusing the
pointer masking in the WasmBoundsCheckValue since it should reduce
additional compiler overhead.
* b3/B3LowerToAir.cpp:
* b3/B3Validate.cpp:
* b3/B3WasmBoundsCheckValue.cpp:
(JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
(JSC::B3::WasmBoundsCheckValue::dumpMeta const):
* b3/B3WasmBoundsCheckValue.h:
(JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
* b3/air/AirCustom.h:
(JSC::B3::Air::WasmBoundsCheckCustom::generate):
* b3/testb3.cpp:
(JSC::B3::testWasmBoundsCheck):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
* runtime/Butterfly.h:
(JSC::Butterfly::computeIndexingMask const):
(JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::load):
(JSC::Wasm::B3IRGenerator::store):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::grow):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::offsetOfIndexingMask):
* wasm/WasmMemoryInformation.cpp:
(JSC::Wasm::PinnedRegisterInfo::get):
(JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
* wasm/WasmMemoryInformation.h:
(JSC::Wasm::PinnedRegisterInfo::toSave const):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
2018-01-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226434.
https://bugs.webkit.org/show_bug.cgi?id=181322
32bit JSC failure in x86 (Requested by yusukesuzuki on
#webkit).
Reverted changeset:
"[DFG] Unify ToNumber implementation in 32bit and 64bit by
changing 32bit Int32Tag and LowestTag"
https://bugs.webkit.org/show_bug.cgi?id=181134
https://trac.webkit.org/changeset/226434
2018-01-04 Devin Rousso <webkit@devinrousso.com>
Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
https://bugs.webkit.org/show_bug.cgi?id=180770
Reviewed by Joseph Pecoraro.
* inspector/protocol/Canvas.json:
2018-01-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r226405.
https://bugs.webkit.org/show_bug.cgi?id=181318
Speculative rollout due to Octane/SplayLatency,Octane/Splay
regressions (Requested by yusukesuzuki on #webkit).
Reverted changeset:
"[JSC] Create parallel SlotVisitors apriori"
https://bugs.webkit.org/show_bug.cgi?id=180907
https://trac.webkit.org/changeset/226405
2018-01-04 Saam Barati <sbarati@apple.com>
Do value profiling in to_this
https://bugs.webkit.org/show_bug.cgi?id=181299
Reviewed by Filip Pizlo.
This patch adds value profiling to to_this. We use the result of the value
profiling only for strict mode code when we don't predict that the input is
of a specific type. This helps when the input is SpecCellOther. Such cells
might implement a custom ToThis, which can produce an arbitrary result. Before
this patch, in prediction propagation, we were saying that a ToThis with a
SpecCellOther input also produced SpecCellOther. However, this is incorrect,
given that the input may implement ToThis that produces an arbitrary result.
This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.
Interestingly, this patch only does value profiling on the slow path. The fast
path of to_this in the LLInt/baseline just perform a structure check. If it
passes, the result is the same as the input. Therefore, doing value profiling
from the fast path wouldn't actually produce new information for the ValueProfile.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitToThis):
* bytecompiler/BytecodeGenerator.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGPredictionPropagationPhase.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
https://bugs.webkit.org/show_bug.cgi?id=181134
Reviewed by Mark Lam.
We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
an additional scratch register. We do not want to allocate an unnecessary register in 64bit
implementation.
This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
`<= LowestTag(Int32Tag)`.
We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.
We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateMisc):
(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
(JSC::DFG::SpeculativeJIT::compileToNumber):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfNotType):
(JSC::AssemblyHelpers::jitAssertIsJSNumber):
(JSC::AssemblyHelpers::emitConvertValueToBoolean):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfMisc):
(JSC::AssemblyHelpers::branchIfNotMisc):
(JSC::AssemblyHelpers::branchIfNumber):
(JSC::AssemblyHelpers::branchIfNotNumber):
(JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
(JSC::AssemblyHelpers::emitTypeOf):
* jit/JITAddGenerator.cpp:
(JSC::JITAddGenerator::generateFastPath):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emitBinaryDoubleOp):
* jit/JITDivGenerator.cpp:
(JSC::JITDivGenerator::loadOperand):
* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):
(JSC::JITMulGenerator::generateFastPath):
* jit/JITNegGenerator.cpp:
(JSC::JITNegGenerator::generateInline):
(JSC::JITNegGenerator::generateFastPath):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_is_number):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emit_op_profile_type):
* jit/JITRightShiftGenerator.cpp:
(JSC::JITRightShiftGenerator::generateFastPath):
* jit/JITSubGenerator.cpp:
(JSC::JITSubGenerator::generateInline):
(JSC::JITSubGenerator::generateFastPath):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* runtime/JSCJSValue.h:
2018-01-04 JF Bastien <jfbastien@apple.com>
Add assembler support for x86 lfence and sfence
https://bugs.webkit.org/show_bug.cgi?id=181311
<rdar://problem/36301780>
Reviewed by Michael Saboff.
Useful for testing performance of serializing instructions (hint:
it's not good).
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::lfence):
(JSC::MacroAssemblerX86Common::sfence):
* assembler/X86Assembler.h:
(JSC::X86Assembler::lfence):
(JSC::X86Assembler::sfence):
2018-01-04 Saam Barati <sbarati@apple.com>
Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
https://bugs.webkit.org/show_bug.cgi?id=181296
Reviewed by Filip Pizlo.
Inside Speedometer's Ember test, there is a recompile loop like:
a: GetByVal(..., semanticOriginX)
b: SetLocal(Cell:@a, semanticOriginX)
where the cell check always fails. For reasons I didn't investigate, the
baseline JIT's value profiling doesn't accurately capture the GetByVal's
result.
However, when compiling this cell speculation check in the DFG, we get a null
MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
this IR pattern because both @a and @b have the same semantic origin. We
should not follow the same semantic origin heuristic when dealing with
SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
For this IR pattern, we will update the value profile for the semantic origin
for @nodeWithHeapPrediction. So, for the Speedometer example above, we
will correctly update the GetByVal's value profile, which will prevent
an OSR exit loop.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2018-01-04 Keith Miller <keith_miller@apple.com>
Array Storage operations sometimes did not update the indexing mask correctly.
https://bugs.webkit.org/show_bug.cgi?id=181301
Reviewed by Mark Lam.
I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::increaseVectorLength):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Define defs for MapSet/SetAdd to participate in CSE
https://bugs.webkit.org/show_bug.cgi?id=179911
Reviewed by Saam Barati.
With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
To handle a bit tricky DFG Map operation nodes, MapSet and SetAdd
produce added bucket as its result. Subsequent GetMapBucket will
be removed by CSE.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSetAdd):
(JSC::DFG::SpeculativeJIT::compileMapSet):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
* jit/JITOperations.h:
* runtime/HashMapImpl.h:
(JSC::HashMapImpl::addNormalized):
(JSC::HashMapImpl::addNormalizedInternal):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Remove LocalScope
https://bugs.webkit.org/show_bug.cgi?id=181206
Reviewed by Geoffrey Garen.
The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
This patch changes JSON parsing and stringifying to using MarkedArgumentBuffer. And remove HandleStack
and LocalScope.
We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
JSObject* directly in their fields.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* heap/HandleStack.cpp: Removed.
* heap/HandleStack.h: Removed.
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* heap/Heap.h:
(JSC::Heap::handleSet):
(JSC::Heap::handleStack): Deleted.
* heap/Local.h: Removed.
* heap/LocalScope.h: Removed.
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::object const):
(JSC::gap):
(JSC::Stringifier::Stringifier):
(JSC::Stringifier::stringify):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::Holder):
(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::Walker):
(JSC::Walker::callReviver):
(JSC::Walker::walk):
(JSC::JSONProtoFuncParse):
(JSC::JSONProtoFuncStringify):
(JSC::JSONParse):
(JSC::JSONStringify):
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
https://bugs.webkit.org/show_bug.cgi?id=180238
Reviewed by Saam Barati.
We can optimize ObjectAllocationSinking a bit by using removeIf.
* dfg/DFGObjectAllocationSinkingPhase.cpp:
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[JSC] Create parallel SlotVisitors apriori
https://bugs.webkit.org/show_bug.cgi?id=180907
Reviewed by Saam Barati.
The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2.
If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
Then we do not need to grab locks while iterating all the SlotVisitors.
In addition, we do not need to consider the case that the number of SlotVisitors increases
after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
does not increase any more.
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::runBeginPhase):
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::forEachSlotVisitor):
(JSC::Heap::numberOfSlotVisitors): Deleted.
* heap/MarkingConstraintSolver.cpp:
(JSC::MarkingConstraintSolver::didVisitSomething const):
2018-01-03 Ting-Wei Lan <lantw44@gmail.com>
Replace hard-coded paths in shebangs with #!/usr/bin/env
https://bugs.webkit.org/show_bug.cgi?id=181040
Reviewed by Alex Christensen.
* Scripts/UpdateContents.py:
* Scripts/cssmin.py:
* Scripts/generate-combined-inspector-json.py:
* Scripts/xxd.pl:
* create_hash_table:
* generate-bytecode-files:
* wasm/generateWasm.py:
* wasm/generateWasmOpsHeader.py:
* yarr/generateYarrCanonicalizeUnicode:
2018-01-03 Michael Saboff <msaboff@apple.com>
Disable SharedArrayBuffers from Web API
https://bugs.webkit.org/show_bug.cgi?id=181266
Reviewed by Saam Barati.
Removed SharedArrayBuffer prototype and structure from GlobalObject creation
to disable.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayBufferPrototype const):
(JSC::JSGlobalObject::arrayBufferStructure const):
2018-01-03 Michael Saboff <msaboff@apple.com>
Add "noInline" to $vm
https://bugs.webkit.org/show_bug.cgi?id=181265
Reviewed by Mark Lam.
This would be useful for web based tests.
* tools/JSDollarVM.cpp:
(JSC::getExecutableForFunction):
(JSC::functionNoInline):
(JSC::JSDollarVM::finishCreation):
2018-01-03 Michael Saboff <msaboff@apple.com>
Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
https://bugs.webkit.org/show_bug.cgi?id=181263
Reviewed by Mark Lam.
Flushing the butterfly pointer provides no benefit and slows this function.
* tools/JSDollarVM.cpp:
(JSC::functionCpuClflush):
2018-01-03 Saam Barati <sbarati@apple.com>
Fix BytecodeParser op_catch assert to work with useProfiler=1
https://bugs.webkit.org/show_bug.cgi?id=181260
Reviewed by Keith Miller.
op_catch was asserting that the current block was empty. This is only true
if the profiler isn't enabled. When the profiler is enabled, we will
insert a CountExecution node before each bytecode. This patch fixes the
assert to work with the profiler.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2018-01-03 Per Arne Vollan <pvollan@apple.com>
[Win][Debug] testapi link error.
https://bugs.webkit.org/show_bug.cgi?id=181247
<rdar://problem/36166729>
Reviewed by Brent Fulgham.
Do not set the runtime library compile flag for C files, it is already set to the correct value.
* shell/PlatformWin.cmake:
2018-01-03 Robin Morisset <rmorisset@apple.com>
Inlining of a function that ends in op_unreachable crashes
https://bugs.webkit.org/show_bug.cgi?id=181027
Reviewed by Filip Pizlo.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::allocateTargetableBlock):
(JSC::DFG::ByteCodeParser::inlineCall):
2018-01-02 Saam Barati <sbarati@apple.com>
Incorrect assertion inside AccessCase
https://bugs.webkit.org/show_bug.cgi?id=181200
<rdar://problem/35494754>
Reviewed by Yusuke Suzuki.
Consider a PutById compiled to a setter in a function like so:
```
function foo(o) { o.f = o; }
```
The DFG will often assign the same registers to the baseGPR (o in o.f) and the
valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
to the same register. However, we're asserting that they're not the same register.
This patch just removes this invalid assertion.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
2018-01-02 Caio Lima <ticaiolima@gmail.com>
[ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
https://bugs.webkit.org/show_bug.cgi?id=175359
Reviewed by Yusuke Suzuki.
This patch is implementing BigIntConstructor and BigIntPrototype
following spec[1, 2]. As addition, we are also implementing BigIntObject
warapper to handle ToObject(v) abstract operation when "v" is a BigInt
primitive. With these classes, now it's possible to syntetize
BigInt.prototype and then call "toString", "valueOf" and
"toLocaleString" when the primitive is a BigInt.
BigIntConstructor exposes an API to parse other primitives such as
Number, Boolean and String to BigInt.
We decided to skip parseInt implementation, since it was removed from
spec.
[1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
[2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* jsc.cpp:
* runtime/BigIntConstructor.cpp: Added.
(JSC::BigIntConstructor::BigIntConstructor):
(JSC::BigIntConstructor::finishCreation):
(JSC::isSafeInteger):
(JSC::toBigInt):
(JSC::callBigIntConstructor):
(JSC::bigIntConstructorFuncAsUintN):
(JSC::bigIntConstructorFuncAsIntN):
* runtime/BigIntConstructor.h: Added.
(JSC::BigIntConstructor::create):
(JSC::BigIntConstructor::createStructure):
* runtime/BigIntObject.cpp: Added.
(JSC::BigIntObject::BigIntObject):
(JSC::BigIntObject::finishCreation):
(JSC::BigIntObject::toStringName):
(JSC::BigIntObject::defaultValue):
* runtime/BigIntObject.h: Added.
(JSC::BigIntObject::create):
(JSC::BigIntObject::internalValue const):
(JSC::BigIntObject::createStructure):
* runtime/BigIntPrototype.cpp: Added.
(JSC::BigIntPrototype::BigIntPrototype):
(JSC::BigIntPrototype::finishCreation):
(JSC::toThisBigIntValue):
(JSC::bigIntProtoFuncToString):
(JSC::bigIntProtoFuncToLocaleString):
(JSC::bigIntProtoFuncValueOf):
* runtime/BigIntPrototype.h: Added.
(JSC::BigIntPrototype::create):
(JSC::BigIntPrototype::createStructure):
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::createFrom):
(JSC::JSBigInt::parseInt):
(JSC::JSBigInt::toObject const):
* runtime/JSBigInt.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::synthesizePrototype const):
* runtime/JSCPoisonedPtr.cpp:
* runtime/JSCell.cpp:
(JSC::JSCell::toObjectSlow const):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::bigIntPrototype const):
(JSC::JSGlobalObject::bigIntObjectStructure const):
* runtime/StructureCache.h:
* runtime/StructureInlines.h:
(JSC::prototypeForLookupPrimitiveImpl):
2018-01-02 Tim Horton <timothy_horton@apple.com>
Fix the MathCommon build with a recent compiler
https://bugs.webkit.org/show_bug.cgi?id=181216
Reviewed by Sam Weinig.
* runtime/MathCommon.cpp:
(JSC::fdlibmPow):
This cast drops the 'const' qualifier from the pointer to 'one',
but it doesn't have to, and it makes the compiler sad.
== Rolled over to ChangeLog-2018-01-01 ==