[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-01-04  Keith Miller  <keith_miller@apple.com>

        Array Storage operations sometimes did not update the indexing mask correctly.
        https://bugs.webkit.org/show_bug.cgi?id=181301

        Reviewed by Mark Lam.

        I will add tests in a follow-up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::increaseVectorLength):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
        To handle the slightly tricky DFG Map operation nodes, MapSet and SetAdd
        produce the added bucket as their result. Subsequent GetMapBucket will
        be removed by CSE.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove LocalScope
        https://bugs.webkit.org/show_bug.cgi?id=181206

        Reviewed by Geoffrey Garen.

        The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
        This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
        and LocalScope.

        We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
        JSObject* directly in their fields.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/HandleStack.cpp: Removed.
        * heap/HandleStack.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack): Deleted.
        * heap/Local.h: Removed.
        * heap/LocalScope.h: Removed.
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::object const):
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::callReviver):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONParse):
        (JSC::JSONStringify):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
        https://bugs.webkit.org/show_bug.cgi?id=180238

        Reviewed by Saam Barati.

        We can optimize ObjectAllocationSinking a bit by using removeIf.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors a priori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver, since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>

        Replace hard-coded paths in shebangs with #!/usr/bin/env
        https://bugs.webkit.org/show_bug.cgi?id=181040

        Reviewed by Alex Christensen.

        * Scripts/UpdateContents.py:
        * Scripts/cssmin.py:
        * Scripts/generate-combined-inspector-json.py:
        * Scripts/xxd.pl:
        * create_hash_table:
        * generate-bytecode-files:
        * wasm/generateWasm.py:
        * wasm/generateWasmOpsHeader.py:
        * yarr/generateYarrCanonicalizeUnicode:

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Removed SharedArrayBuffer prototype and structure from GlobalObject creation
        to disable.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype const):
        (JSC::JSGlobalObject::arrayBufferStructure const):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Add "noInline" to $vm
        https://bugs.webkit.org/show_bug.cgi?id=181265

        Reviewed by Mark Lam.

        This would be useful for web based tests.

        * tools/JSDollarVM.cpp:
        (JSC::getExecutableForFunction):
        (JSC::functionNoInline):
        (JSC::JSDollarVM::finishCreation):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
        https://bugs.webkit.org/show_bug.cgi?id=181263

        Reviewed by Mark Lam.

        Flushing the butterfly pointer provides no benefit and slows this function.

        * tools/JSDollarVM.cpp:
        (JSC::functionCpuClflush):

2018-01-03  Saam Barati  <sbarati@apple.com>

        Fix BytecodeParser op_catch assert to work with useProfiler=1
        https://bugs.webkit.org/show_bug.cgi?id=181260

        Reviewed by Keith Miller.

        op_catch was asserting that the current block was empty. This is only true
        if the profiler isn't enabled. When the profiler is enabled, we will
        insert a CountExecution node before each bytecode. This patch fixes the
        assert to work with the profiler.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-01-03  Per Arne Vollan  <pvollan@apple.com>

        [Win][Debug] testapi link error.
        https://bugs.webkit.org/show_bug.cgi?id=181247
        <rdar://problem/36166729>

        Reviewed by Brent Fulgham.

        Do not set the runtime library compile flag for C files; it is already set to the correct value.

        * shell/PlatformWin.cmake:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        Consider a PutById compiled to a setter in a function like so:

        ```
        function foo(o) { o.f = o; }
        ```

        The DFG will often assign the same registers to the baseGPR (o in o.f) and the
        valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
        to the same register. However, we're asserting that they're not the same register.
        This patch just removes this invalid assertion.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        This patch is implementing BigIntConstructor and BigIntPrototype
        following the spec [1, 2]. In addition, we are also implementing a BigIntObject
        wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
        primitive. With these classes, now it's possible to synthesize
        BigInt.prototype and then call "toString", "valueOf" and
        "toLocaleString" when the primitive is a BigInt.
        BigIntConstructor exposes an API to parse other primitives such as
        Number, Boolean and String to BigInt.
        We decided to skip the parseInt implementation, since it was removed from
        the spec.

        [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
        [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jsc.cpp:
        * runtime/BigIntConstructor.cpp: Added.
        (JSC::BigIntConstructor::BigIntConstructor):
        (JSC::BigIntConstructor::finishCreation):
        (JSC::isSafeInteger):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntConstructor.h: Added.
        (JSC::BigIntConstructor::create):
        (JSC::BigIntConstructor::createStructure):
        * runtime/BigIntObject.cpp: Added.
        (JSC::BigIntObject::BigIntObject):
        (JSC::BigIntObject::finishCreation):
        (JSC::BigIntObject::toStringName):
        (JSC::BigIntObject::defaultValue):
        * runtime/BigIntObject.h: Added.
        (JSC::BigIntObject::create):
        (JSC::BigIntObject::internalValue const):
        (JSC::BigIntObject::createStructure):
        * runtime/BigIntPrototype.cpp: Added.
        (JSC::BigIntPrototype::BigIntPrototype):
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BigIntPrototype.h: Added.
        (JSC::BigIntPrototype::create):
        (JSC::BigIntPrototype::createStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toObject const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        * runtime/JSCPoisonedPtr.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::bigIntPrototype const):
        (JSC::JSGlobalObject::bigIntObjectStructure const):
        * runtime/StructureCache.h:
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):
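
The conversions this entry describes, as an added example written here and not JavaScriptCore's own code: a reference model of the constructor's ToBigInt rules (Number, Boolean, String and wrapper inputs), the asUintN/asIntN functions, and the ToObject wrapper whose prototype methods unwrap it. The safe-integer check mirrors the entry's isSafeInteger helper, and the regular expression is this example's approximation of the StringToBigInt grammar.

```javascript
// Added example, not JavaScriptCore code: a reference model of the conversions the
// entry describes, checked against the engine's own BigInt built-ins in use.
// Assumption: as with the entry's isSafeInteger helper, a Number converts only if
// it is a safe integer (later spec drafts accept any integral Number).
function toBigInt(v) {                       // ToBigInt(v), dispatching on type
  switch (typeof v) {
    case 'bigint':  return v;
    case 'boolean': return v ? 1n : 0n;
    case 'number':
      if (!Number.isSafeInteger(v)) throw new RangeError(`${v} is not a safe integer`);
      return BigInt(v);
    case 'string':  return stringToBigInt(v);
    case 'object':                           // wrapper objects (BigIntObject) unwrap
      if (v === null) throw new TypeError('null cannot be converted to a BigInt');
      return toBigInt(v.valueOf());          // simplified ToPrimitive, enough here
    default:        throw new TypeError(`${typeof v} cannot be converted to a BigInt`);
  }
}
// StringToBigInt: StringNumericLiteral without decimal points or exponents; a sign
// is allowed only on decimal literals and a whitespace-only string is 0n (regex approximation).
const BIGINT_LITERAL = /^\s*(?:([+-]?\d+)|(0[xX][0-9a-fA-F]+)|(0[oO][0-7]+)|(0[bB][01]+))?\s*$/;
function stringToBigInt(s) {
  const m = BIGINT_LITERAL.exec(s);
  if (!m) throw new SyntaxError(`Cannot convert ${JSON.stringify(s)} to a BigInt`);
  const literal = m[1] || m[2] || m[3] || m[4];
  return literal === undefined ? 0n : BigInt(literal);
}
// BigInt.asUintN / BigInt.asIntN: reduce modulo 2^bits, then for the signed variant
// reinterpret the top bit as the sign. BigInt `%` keeps the dividend's sign, hence the fix-up.
function toIndex(bits) {                     // ToIndex, restricted to integer input
  if (!Number.isInteger(bits) || bits < 0) throw new RangeError('bits must be a non-negative integer');
  return bits;
}
function asUintN(bits, x) {
  bits = toIndex(bits); x = toBigInt(x);
  const mod = 1n << BigInt(bits), r = x % mod;
  return r < 0n ? r + mod : r;
}
function asIntN(bits, x) {
  bits = toIndex(bits);
  const u = asUintN(bits, x);
  return bits > 0 && u >= 1n << BigInt(bits - 1) ? u - (1n << BigInt(bits)) : u;
}
// ToObject on a BigInt primitive yields a wrapper (the entry's BigIntObject); the
// prototype methods recover the primitive, so toString/valueOf work on it.
function wrapperRoundTrip(prim) {
  const wrapped = Object(prim);
  return { isObject: typeof wrapped === 'object', unwrapped: wrapped.valueOf(),
           hasProto: Object.getPrototypeOf(wrapped) === BigInt.prototype, hex: wrapped.toString(16) };
}
```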
2018-01-02  Tim Horton  <timothy_horton@apple.com>

        Fix the MathCommon build with a recent compiler
        https://bugs.webkit.org/show_bug.cgi?id=181216

        Reviewed by Sam Weinig.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):
        This cast drops the 'const' qualifier from the pointer to 'one',
        but it doesn't have to, and it makes the compiler sad.

== Rolled over to ChangeLog-2018-01-01 ==