2017-12-14 Michael Saboff <msaboff@apple.com>

REGRESSION (r225695): Repro crash on yahoo login page
https://bugs.webkit.org/show_bug.cgi?id=180761

Reviewed by JF Bastien.

Relanding r225695 with a fix.

The fix is that we need to save the return address for a parentheses in
the ParenContext because it is actually used by any immediately contained

Also did a little refactoring, changing occurrences of PatternContext to
ParenContext since that is the name of the structure.

(JSC::byteCodeCompilePattern):
(JSC::RegExp::byteCodeCompileIfNecessary):
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::ByteCompiler::dumpDisjunction):
(JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
(JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
(JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
(JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
(JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
(JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
(JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
(JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
(JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
(JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
(JSC::Yarr::YarrGenerator::initParenContextFreeList):
(JSC::Yarr::YarrGenerator::allocateParenContext):
(JSC::Yarr::YarrGenerator::freeParenContext):
(JSC::Yarr::YarrGenerator::saveParenContext):
(JSC::Yarr::YarrGenerator::restoreParenContext):
(JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
(JSC::Yarr::YarrGenerator::storeToFrame):
(JSC::Yarr::YarrGenerator::generateJITFailReturn):
(JSC::Yarr::YarrGenerator::clearMatches):
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::YarrCodeBlock::execute):
* yarr/YarrPattern.cpp:
(JSC::Yarr::indentForNestingLevel):
(JSC::Yarr::dumpUChar32):
(JSC::Yarr::dumpCharacterClass):
(JSC::Yarr::PatternTerm::dump):
(JSC::Yarr::YarrPattern::dumpPattern):
(JSC::Yarr::PatternTerm::containsAnyCaptures):
(JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
(JSC::Yarr::BackTrackInfoParentheses::beginIndex):
(JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
(JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
(JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
(JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.

2017-12-13 Keith Miller <keith_miller@apple.com>

JSObjects should have a mask for loading indexed properties
https://bugs.webkit.org/show_bug.cgi?id=180768

This patch adds a new member to JSObject that holds an indexing
mask. The indexing mask is bitwise anded with the index used to
load a property. If for whatever reason an attacker is able to
clobber the vectorLength of our butterfly they still won't be able
to read substantially past the end of the butterfly. For
performance reasons we don't use the indexing masking for
TypedArrays. Since TypedArrays are already gigacaged the risk of
wild reads is still restricted.

This patch is a <1% regression on Speedometer and ~3% regression
on JetStream in my testing.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::urshiftPtr):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGAbstractHeap.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileCreateActivation):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::compileNewTypedArray):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::IndexedAbstractHeap::baseIndex):
* ftl/FTLAbstractHeap.h:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
(JSC::FTL::Output::baseIndex):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
(JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
(JSC::AssemblyHelpers::storeButterfly): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayStorage.h:
(JSC::ArrayStorage::availableVectorLength):
* runtime/Butterfly.h:
(JSC::ContiguousData::ContiguousData):
(JSC::ContiguousData::at const):
(JSC::ContiguousData::at):
(JSC::Butterfly::publicLength const):
(JSC::Butterfly::vectorLength const):
(JSC::Butterfly::computeIndexingMaskForVectorLength):
(JSC::Butterfly::computeIndexingMask):
(JSC::Butterfly::contiguousInt32):
(JSC::ContiguousData::operator[] const): Deleted.
(JSC::ContiguousData::operator[]): Deleted.
(JSC::Butterfly::publicLength): Deleted.
(JSC::Butterfly::vectorLength): Deleted.
* runtime/ButterflyInlines.h:
(JSC::ContiguousData<T>::at const):
(JSC::ContiguousData<T>::at):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::setLength):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
* runtime/JSArrayInlines.h:
(JSC::JSArray::pushInline):
* runtime/JSFixedArray.h:
(JSC::JSFixedArray::createFromArray):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::putByIndex):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::createInitialForValueAndSet):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::countElements):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::getEnumerableLength):
* runtime/JSObject.h:
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::initializeIndexWithoutBarrier):
(JSC::JSObject::butterflyIndexingMaskOffset):
(JSC::JSObject::butterflyIndexingMask const):
(JSC::JSObject::setButterflyWithIndexingMask):
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):
(JSC::JSObject::JSObject):
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
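
The masked indexed load described in the entry above, as an added C++ model (not JSC's code): a mask derived from vectorLength is stored on the object rather than in the butterfly, and the load ANDs the index with it, so a corrupted vectorLength no longer lets a passing index reach far past the element allocation. The mask rounding, struct layout and helper names are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of the butterfly indexing mask; not JSC's code. Names echo the
// ChangeLog entry (vectorLength, butterflyIndexingMask) but everything is simplified.

// Smallest all-ones mask that covers every valid index 0 .. vectorLength-1.
// (The exact rounding JSC uses is not shown on the page; this is an assumption.)
uint32_t computeIndexingMaskForVectorLength(uint32_t vectorLength)
{
    if (vectorLength == 0)
        return 0;
    uint32_t mask = 0;
    while (mask < vectorLength - 1)
        mask = (mask << 1) | 1;
    return mask;
}

struct ModelButterfly {
    uint32_t publicLength;       // JS-visible length
    uint32_t vectorLength;       // allocated element count, as recorded in the butterfly header
    std::vector<int32_t> slots;  // the element storage itself
};

struct ModelObject {
    ModelButterfly butterfly;
    uint32_t butterflyIndexingMask; // lives on the object, computed when the butterfly is installed
};

ModelObject makeObject(uint32_t vectorLength)
{
    ModelObject o;
    o.butterfly.publicLength = vectorLength;
    o.butterfly.vectorLength = vectorLength;
    o.butterflyIndexingMask = computeIndexingMaskForVectorLength(vectorLength);
    // Allocate mask+1 slots so that every masked index lands inside this allocation.
    o.butterfly.slots.resize(static_cast<size_t>(o.butterflyIndexingMask) + 1, 0);
    return o;
}

// Slot an indexed load would touch after the vectorLength bounds check, or -1 if the
// check rejects the index. The unmasked variant is the pre-patch behaviour.
int64_t slotTouchedUnmasked(const ModelObject& o, uint32_t index)
{
    if (index >= o.butterfly.vectorLength)
        return -1;
    return index;
}

int64_t slotTouchedMasked(const ModelObject& o, uint32_t index)
{
    if (index >= o.butterfly.vectorLength)
        return -1;
    return index & o.butterflyIndexingMask; // the extra AND the patch adds
}

// True if the slot lies outside the object's own element allocation.
bool readsPastAllocation(const ModelObject& o, int64_t slot)
{
    return slot >= static_cast<int64_t>(o.butterfly.slots.size());
}

// Simulate a corrupted vectorLength (the scenario the entry guards against) and report
// whether each load path would leave the allocation for the given probe index.
struct Outcome {
    bool unmaskedEscapes;
    bool maskedEscapes;
};

Outcome simulateClobberedVectorLength(uint32_t realLength, uint32_t probeIndex)
{
    ModelObject o = makeObject(realLength);
    o.butterfly.vectorLength = 0xFFFFFFFFu; // constructed corruption of the butterfly header
    Outcome r;
    r.unmaskedEscapes = readsPastAllocation(o, slotTouchedUnmasked(o, probeIndex));
    r.maskedEscapes = readsPastAllocation(o, slotTouchedMasked(o, probeIndex));
    return r;
}
```

The mask only bounds how far a load can stray; it does not restore the rejected-index behaviour, which is why the entry speaks of "not substantially past the end" rather than of a full bounds check.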
2017-12-14 David Kilzer <ddkilzer@apple.com>

REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project

Fixes the following warning during builds:

Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h

* JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
entries for JSCPoisonedPtr.h.

2017-12-14 David Kilzer <ddkilzer@apple.com>

REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
<https://bugs.webkit.org/show_bug.cgi?id=180738>

* runtime/InferredValue.h: Attempt to fix build by adding
missing #include statements.

2017-12-13 Filip Pizlo <fpizlo@apple.com>

Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
https://bugs.webkit.org/show_bug.cgi?id=180783

Reviewed by Saam Barati.

This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:

Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
memoryAtTail: {@x=>@a, @a=>@c}
memoryAtTail: {@b=>@d}
memoryAtTail: {@b=>@e} [sic]

Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
map, we don't find it and leave the redundancy.

I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
this. It fixes the richards regression, since richards is super dependent on B3 CSE.

* b3/B3EliminateCommonSubexpressions.cpp: Logging.
(JSC::B3::generateToAir): Fix the bug.
* b3/air/AirReportUsedRegisters.cpp:
(JSC::B3::Air::reportUsedRegisters): Logging.
* dfg/DFGByteCodeParser.cpp:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).

2017-12-13 Joseph Pecoraro <pecoraro@apple.com>

REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
https://bugs.webkit.org/show_bug.cgi?id=180787
<rdar://problem/35934838>

Reviewed by Brian Burg.

* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findMagicComment):
For empty / null strings just return. There is no use
trying to search them for a long common syntax.

2017-12-13 Saam Barati <sbarati@apple.com>

Arrow functions need their own structure because they have different properties than sloppy functions
https://bugs.webkit.org/show_bug.cgi?id=180779
<rdar://problem/35814591>

Reviewed by Mark Lam.

We were using the same structure for sloppy functions and
arrow functions. This broke our IC caching machinery because
these two types of functions actually have different properties.
This patch gives them different structures.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunction):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/JSFunction.cpp:
(JSC::JSFunction::selectStructureForNewFuncExp):
(JSC::JSFunction::create):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrowFunctionStructure const):

2017-12-12 Filip Pizlo <fpizlo@apple.com>

InferredValue should use IsoSubspace
https://bugs.webkit.org/show_bug.cgi?id=180738

Reviewed by Keith Miller.

This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
its UnconditionalFinalizer.

* JavaScriptCore.xcodeproj/project.pbxproj:
(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/InferredValue.cpp:
(JSC::InferredValue::visitChildren):
(JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
(JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
(JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
* runtime/InferredValue.h:
(JSC::InferredValue::subspaceFor):
* runtime/InferredValueInlines.h: Added.
(JSC::InferredValue::finalizeUnconditionally):

2017-12-13 Devin Rousso <webkit@devinrousso.com>

Web Inspector: add instrumentation for ImageBitmapRenderingContext
https://bugs.webkit.org/show_bug.cgi?id=180736

Reviewed by Joseph Pecoraro.

* inspector/protocol/Canvas.json:
* inspector/scripts/codegen/generator.py:

2017-12-13 Saam Barati <sbarati@apple.com>

Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
https://bugs.webkit.org/show_bug.cgi?id=180771

Reviewed by JF Bastien.

* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-13 Saam Barati <sbarati@apple.com>

REGRESSION(r225844): Around 850 new JSC failures on 32-bit
https://bugs.webkit.org/show_bug.cgi?id=180764

Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.

* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-13 Michael Saboff <msaboff@apple.com>

Unreviewed rollout of r225695. Caused a crash on yahoo login page.

That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.

* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
(JSC::byteCodeCompilePattern): Deleted.
(JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::ByteCompiler::dumpDisjunction):
(JSC::Yarr::ByteCompiler::emitDisjunction):
(JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
(JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
(JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
(JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
(JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
(JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
(JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
(JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
(JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
(JSC::Yarr::YarrGenerator::clearMatches): Deleted.
(JSC::Yarr::YarrCodeBlock::execute):
* yarr/YarrPattern.cpp:
(JSC::Yarr::indentForNestingLevel):
(JSC::Yarr::dumpUChar32):
(JSC::Yarr::PatternTerm::dump):
(JSC::Yarr::YarrPattern::dumpPattern):
(JSC::Yarr::dumpCharacterClass): Deleted.
* yarr/YarrPattern.h:
(JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
(JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
(JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
(JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
(JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
(JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
(JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
(JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.

2017-12-13 Mark Lam <mark.lam@apple.com>

Fill out some Poisoned APIs, fix some bugs, and add some tests.
https://bugs.webkit.org/show_bug.cgi?id=180724
<rdar://problem/36006884>

Reviewed by JF Bastien.

* runtime/StructureTransitionTable.h:

2017-12-13 Caio Lima <ticaiolima@gmail.com>

[ESNext][BigInt] Breaking tests on Debug build and 32-bits due to missing Exception check
https://bugs.webkit.org/show_bug.cgi?id=180746

Reviewed by Saam Barati.

We have some uncaught exceptions that could happen due to OOM in
JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch is
catching such exceptions properly.

* runtime/JSBigInt.cpp:
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::parseInt):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toStringSlowCase const):

2017-12-13 Saam Barati <sbarati@apple.com>

Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
https://bugs.webkit.org/show_bug.cgi?id=163579
<rdar://problem/35455798>

Reviewed by Mark Lam.

Some functions in JavaScript do not have the "caller" and "arguments" properties.
For example, strict functions do not. When reading our code that dealt with these
types of functions, it was simply all wrong. We were doing weird things depending
on the method table hook. This patch fixes this by doing what we should've been
doing all along: when the JSFunction does not own the "caller"/"arguments" property,
it should defer to its base class implementation for the various method table hooks.

* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):

2017-12-13 Saam Barati <sbarati@apple.com>

TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
https://bugs.webkit.org/show_bug.cgi?id=180734
<rdar://problem/35640547>

Reviewed by Yusuke Suzuki.

The |this| value may be TDZ. If type check hoisting phase
hoists a CheckStructure to it, it will crash. This patch
makes it so we emit CheckStructureOrEmpty for |this|.

* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-12 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] Optimize Object.assign by single transition acceleration
https://bugs.webkit.org/show_bug.cgi?id=180644

Reviewed by Saam Barati.

Handling single transition is critical. Since this get() function is only used
in Structure.cpp's 2 functions and it is quite small, we can annotate `inline`

This improves SixSpeed/object-assign.es6 by 2.8%.

object-assign.es6 382.3548+-8.0461 371.6496+-5.7439 might be 1.0288x faster

* runtime/Structure.cpp:
(JSC::StructureTransitionTable::get const):

2017-12-12 Filip Pizlo <fpizlo@apple.com>

Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=180732

Rubber stamped by Mark Lam.

We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
scalable enough to support that, so we should do it carefully.

* heap/MarkedSpace.cpp:
* runtime/PropertyMapHashTable.h:
* runtime/Structure.h:
* runtime/StructureRareData.h:

2017-12-12 Saam Barati <sbarati@apple.com>

We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
https://bugs.webkit.org/show_bug.cgi?id=180725
<rdar://problem/35970511>

Reviewed by Michael Saboff.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

2017-12-12 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] Implement optimized WeakMap and WeakSet
https://bugs.webkit.org/show_bug.cgi?id=179929

Reviewed by Saam Barati.

This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
This is similar to HashMapImpl. But,

1. WeakMapImpl's bucket is not allocated in GC heap since WeakMap
does not need to have iterators.

2. WeakMapImpl's buffer is allocated in JSValue Gigacage instead
of auxiliary buffer. This is because we would like to allocate buffer
when finalizing GC. At that time, WeakMapImpl prunes dead entries and
shrinks it if necessary. However, allocating from the GC heap during
finalization is not allowed.

In particular, (2) is important since it ensures any WeakMap operations
do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
do not cause GC makes our implementation simple. To ensure this, we place
DisallowGC for each WeakMap's interface.

In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
WeakMapGet looks up an entry in WeakMapImpl and returns a value. If it is
a WeakMap, it returns the value. And it returns the key if it is a WeakSet. If it
does not find a corresponding entry, it returns JSEmpty.
ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.

This patch improves WeakMap and WeakSet operations.

weak-set-key 240.6932+-10.4923 ^ 148.7606+-6.1784 ^ definitely 1.6180x faster
weak-map-key 174.3176+-8.2680 ^ 151.7053+-6.8723 ^ definitely 1.1491x faster

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
(JSC::DFG::SpeculativeJIT::compileWeakMapGet):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
(JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
Existing code is incorrect. They can run GC and break WeakMap's iterator.
We introduce takeSnapshot function to WeakMapImpl, which retrieves live
entries without causing any GC.
* runtime/HashMapImpl.h:
(JSC::shouldRehashAfterAdd):
(JSC::HashMapImpl::shouldRehashAfterAdd const):
(JSC::HashMapImpl::shouldShrink const):
(JSC::HashMapImpl::rehash):
(JSC::WeakMapHash::hash): Deleted.
(JSC::WeakMapHash::equal): Deleted.
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSWeakMap.cpp:
* runtime/JSWeakMap.h:
* runtime/JSWeakSet.cpp:
* runtime/JSWeakSet.h:
* runtime/WeakGCMap.h:
(JSC::WeakGCMap::forEach): Deleted.
* runtime/WeakMapBase.cpp: Removed.
* runtime/WeakMapBase.h: Removed.
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakMapImpl.cpp: Added.
(JSC::WeakMapImpl<WeakMapBucket>::destroy):
(JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
(JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
(JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
* runtime/WeakMapImpl.h: Added.
(JSC::jsWeakMapHash):
(JSC::nextCapacityAfterRemoveBatching):
(JSC::WeakMapBucket::setKey):
(JSC::WeakMapBucket::setValue):
(JSC::WeakMapBucket::key const):
(JSC::WeakMapBucket::value const):
(JSC::WeakMapBucket::copyFrom):
(JSC::WeakMapBucket::offsetOfKey):
(JSC::WeakMapBucket::offsetOfValue):
(JSC::WeakMapBucket::extractValue):
(JSC::WeakMapBucket::isEmpty):
(JSC::WeakMapBucket::deletedKey):
(JSC::WeakMapBucket::isDeleted):
(JSC::WeakMapBucket::makeDeleted):
(JSC::WeakMapBucket::visitAggregate):
(JSC::WeakMapBucket::clearValue):
(JSC::WeakMapBuffer::allocationSize):
(JSC::WeakMapBuffer::buffer const):
(JSC::WeakMapBuffer::create):
(JSC::WeakMapBuffer::reset):
(JSC::WeakMapImpl::WeakMapImpl):
(JSC::WeakMapImpl::finishCreation):
(JSC::WeakMapImpl::get):
(JSC::WeakMapImpl::has):
(JSC::WeakMapImpl::add):
(JSC::WeakMapImpl::remove):
(JSC::WeakMapImpl::size const):
(JSC::WeakMapImpl::offsetOfBuffer):
(JSC::WeakMapImpl::offsetOfCapacity):
(JSC::WeakMapImpl::findBucket):
(JSC::WeakMapImpl::buffer const):
(JSC::WeakMapImpl::forEach):
(JSC::WeakMapImpl::shouldRehashAfterAdd const):
(JSC::WeakMapImpl::shouldShrink const):
(JSC::WeakMapImpl::canUseBucket):
(JSC::WeakMapImpl::addInternal):
(JSC::WeakMapImpl::findBucketAlreadyHashed):
(JSC::WeakMapImpl::rehash):
(JSC::WeakMapImpl::checkConsistency const):
(JSC::WeakMapImpl::makeAndSetNewBuffer):
(JSC::WeakMapImpl::assertBufferIsEmpty const):
(JSC::WeakMapImpl::DeadKeyCleaner::target):
* runtime/WeakMapPrototype.cpp:
(JSC::WeakMapPrototype::finishCreation):
(JSC::protoFuncWeakMapGet):
(JSC::protoFuncWeakMapHas):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* runtime/WeakSetPrototype.cpp:
(JSC::WeakSetPrototype::finishCreation):
(JSC::protoFuncWeakSetHas):
(JSC::protoFuncWeakSetAdd):

2017-12-11 Filip Pizlo <fpizlo@apple.com>

It should be possible to flag a cell for unconditional finalization
https://bugs.webkit.org/show_bug.cgi?id=180636

Reviewed by Saam Barati.

UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
global linked list - but they had some nice properties:

- You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
survived and needed it.
-> Just needing it wasn't enough.
-> Just surviving wasn't enough.

The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
finalizer logic to be invoked. I think that's not great. InferredType got around this by
making InferredStructure a cell, but this was a gross hack. For one, it meant that
InferredStructure would survive during the GC in which its finalizer obviated the need for its
existence. It's not really an idiom I want us to repeat because it sounds like the sort of
thing that turns out to be subtly broken.

We really need to have a way of indicating when you have entered into the state that requires
your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
objects that need unconditional finalizers. Only the subset of that set that overlaps with the
set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
another level to say which atoms within a MarkedBlock have unconditional finalizers.

This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
about 0.8% increase in size to every object in the subspace that the set is attached to. So,
it makes sense to have a handful per subspace max. This change only needs one per subspace,
but you could imagine more if we do this for WeakReferenceHarvester.

To absolutely minimize the possibility that this incurs costs, the add/remove/contains
functions can be used from any thread so long as forEachMarkedCell isn't running. This means
that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
both survive and need it for the hardest work to take place. The work of adding does involve
a gnarly load chain that ends in a CAS: load block handle from block, load index, load
segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
However, it's perfect for running in parallel since the only write operations are to widely
dispersed cache lines that contain the bits underlying the set.

The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
that need unconditional finalizers, and only touches the memory of marked objects that have
the unconditional finalizer bit set. It will walk those objects in roughly address order. I
previously found that this speeds up walking over a lot of objects when I made similar changes
for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a

This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.

My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
IsoSubspace in more places.

* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/AtomIndices.h: Added.
(JSC::AtomIndices::AtomIndices):
(JSC::Heap::finalizeUnconditionalFinalizers):
* heap/IsoCellSet.cpp: Added.
(JSC::IsoCellSet::IsoCellSet):
(JSC::IsoCellSet::~IsoCellSet):
(JSC::IsoCellSet::addSlow):
(JSC::IsoCellSet::didResizeBits):
(JSC::IsoCellSet::didRemoveBlock):
(JSC::IsoCellSet::sweepToFreeList):
* heap/IsoCellSet.h: Added.
* heap/IsoCellSetInlines.h: Added.
(JSC::IsoCellSet::add):
(JSC::IsoCellSet::remove):
(JSC::IsoCellSet::contains const):
(JSC::IsoCellSet::forEachMarkedCell):
* heap/IsoSubspace.cpp:
(JSC::IsoSubspace::didResizeBits):
(JSC::IsoSubspace::didRemoveBlock):
(JSC::IsoSubspace::didBeginSweepingToFreeList):
* heap/IsoSubspace.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::addBlock):
(JSC::MarkedAllocator::removeBlock):
* heap/MarkedAllocator.h:
849 * heap/MarkedAllocatorInlines.h:
850 * heap/MarkedBlock.cpp:
851 (JSC::MarkedBlock::Handle::sweep):
852 (JSC::MarkedBlock::Handle::isEmpty): Deleted.
853 * heap/MarkedBlock.h:
854 (JSC::MarkedBlock::marks const):
855 (JSC::MarkedBlock::Handle::newlyAllocated const):
856 * heap/MarkedBlockInlines.h:
857 (JSC::MarkedBlock::Handle::isAllocated):
858 (JSC::MarkedBlock::Handle::isEmpty):
859 (JSC::MarkedBlock::Handle::emptyMode):
860 (JSC::MarkedBlock::Handle::forEachMarkedCell):
862 (JSC::Subspace::didResizeBits):
863 (JSC::Subspace::didRemoveBlock):
864 (JSC::Subspace::didBeginSweepingToFreeList):
866 * heap/SubspaceInlines.h:
867 (JSC::Subspace::forEachMarkedCell):
868 * runtime/InferredStructure.cpp:
869 (JSC::InferredStructure::InferredStructure):
870 (JSC::InferredStructure::create): Deleted.
871 (JSC::InferredStructure::destroy): Deleted.
872 (JSC::InferredStructure::createStructure): Deleted.
873 (JSC::InferredStructure::visitChildren): Deleted.
874 (JSC::InferredStructure::finalizeUnconditionally): Deleted.
875 (JSC::InferredStructure::finishCreation): Deleted.
876 * runtime/InferredStructure.h:
877 * runtime/InferredStructureWatchpoint.cpp:
878 (JSC::InferredStructureWatchpoint::fireInternal):
879 * runtime/InferredType.cpp:
880 (JSC::InferredType::visitChildren):
881 (JSC::InferredType::willStoreValueSlow):
882 (JSC::InferredType::makeTopSlow):
883 (JSC::InferredType::set):
884 (JSC::InferredType::removeStructure):
885 (JSC::InferredType::finalizeUnconditionally):
886 * runtime/InferredType.h:
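A toy model of the two-level bitvector set described in this entry, added here as an illustration. It is not JavaScriptCore's IsoCellSet: the 64-cell block size, the per-block "has members" flag, the CAS loop in add() and all names are this example's own assumptions. forEachMarkedCell() skips whole blocks whose flag is clear and otherwise walks only the bits that are set in both the membership word and the heap's mark word, in ascending cell order.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <vector>

namespace toy {

struct Block {
    uint64_t marks = 0;   // GC mark bits, one per cell (owned by the heap, not the set)
};

class CellSet {
public:
    explicit CellSet(size_t blockCount)
        : m_blockHasMembers(blockCount), m_bits(blockCount) {}

    // add() may run from any thread: load the word, do nothing if the bit is
    // already set, otherwise CAS it in ("load bit -> if not set, then CAS").
    void add(size_t block, size_t cell) {
        std::atomic<uint64_t>& word = m_bits[block];
        uint64_t old = word.load(std::memory_order_relaxed);
        while (!(old & bit(cell))) {
            if (word.compare_exchange_weak(old, old | bit(cell)))
                break;
        }
        m_blockHasMembers[block].store(true, std::memory_order_relaxed);
    }
    void remove(size_t block, size_t cell) { m_bits[block].fetch_and(~bit(cell)); }
    bool contains(size_t block, size_t cell) const { return m_bits[block].load() & bit(cell); }

    // Visit only cells that are both marked and in the set. Blocks whose flag is
    // clear are skipped without touching their bits; within a block, cells are
    // visited lowest-address first. Returns the number of cells visited.
    size_t forEachMarkedCell(const std::vector<Block>& blocks,
                             const std::function<void(size_t, size_t)>& visit) const {
        size_t visited = 0;
        for (size_t b = 0; b < blocks.size(); ++b) {
            if (!m_blockHasMembers[b].load(std::memory_order_relaxed))
                continue;                                           // whole block skipped
            uint64_t live = m_bits[b].load() & blocks[b].marks;     // intersect with marks
            while (live) {
                size_t cell = size_t(__builtin_ctzll(live));        // lowest set bit first
                live &= live - 1;                                   // clear that bit
                visit(b, cell);
                ++visited;
            }
        }
        return visited;
    }

private:
    static uint64_t bit(size_t cell) { return uint64_t(1) << cell; }
    std::vector<std::atomic<bool>> m_blockHasMembers;   // one flag per block
    std::vector<std::atomic<uint64_t>> m_bits;          // one membership word per block
};

} // namespace toy
```

The membership words are the only memory add() writes, so concurrent adders on different blocks never contend; the walk itself is single-threaded here, matching the entry's rule that add/remove/contains may run from any thread only while forEachMarkedCell is not.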
891 2017-12-12 Saam Barati <sbarati@apple.com>
893 ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
894 https://bugs.webkit.org/show_bug.cgi?id=180723
895 <rdar://problem/35859726>
897 Reviewed by JF Bastien.
899 * dfg/DFGConstantFoldingPhase.cpp:
900 (JSC::DFG::ConstantFoldingPhase::foldConstants):
902 2017-12-04 Brian Burg <bburg@apple.com>
904 Web Inspector: modernize InjectedScript a bit
905 https://bugs.webkit.org/show_bug.cgi?id=180367
907 Reviewed by Timothy Hatcher.
909 Stop using out parameters passed by pointer, use references instead.
910 Stop using OptOutput<T> in favor of std::optional where possible.
911 If there is only one out-parameter and a void return type, then return the value.
913 * inspector/InjectedScript.h:
914 * inspector/InjectedScript.cpp:
915 (Inspector::InjectedScript::evaluate):
916 (Inspector::InjectedScript::callFunctionOn):
917 (Inspector::InjectedScript::evaluateOnCallFrame):
918 (Inspector::InjectedScript::getFunctionDetails):
919 (Inspector::InjectedScript::functionDetails):
920 (Inspector::InjectedScript::getPreview):
921 (Inspector::InjectedScript::getProperties):
922 (Inspector::InjectedScript::getDisplayableProperties):
923 (Inspector::InjectedScript::getInternalProperties):
924 (Inspector::InjectedScript::getCollectionEntries):
925 (Inspector::InjectedScript::saveResult):
926 (Inspector::InjectedScript::setExceptionValue):
927 (Inspector::InjectedScript::clearExceptionValue):
928 (Inspector::InjectedScript::inspectObject):
929 (Inspector::InjectedScript::releaseObject):
931 * inspector/InjectedScriptBase.h:
932 * inspector/InjectedScriptBase.cpp:
933 (Inspector::InjectedScriptBase::InjectedScriptBase):
934 Declare m_environment with a default initializer.
936 (Inspector::InjectedScriptBase::makeCall):
937 (Inspector::InjectedScriptBase::makeEvalCall):
938 Just return the result, no need for an out-parameter.
939 Rearrange some code paths now that we can just return a result.
940 Return a Ref<JSON::Value> since it is either a result value or error value.
941 Use out_ prefixes in a few places to improve readability.
943 * inspector/agents/InspectorDebuggerAgent.cpp:
944 (Inspector::InspectorDebuggerAgent::getFunctionDetails):
945 (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
946 * inspector/agents/InspectorHeapAgent.cpp:
947 (Inspector::InspectorHeapAgent::getPreview):
948 * inspector/agents/InspectorRuntimeAgent.cpp:
949 (Inspector::InspectorRuntimeAgent::evaluate):
950 (Inspector::InspectorRuntimeAgent::callFunctionOn):
951 (Inspector::InspectorRuntimeAgent::getPreview):
952 (Inspector::InspectorRuntimeAgent::getProperties):
953 (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
954 (Inspector::InspectorRuntimeAgent::getCollectionEntries):
955 (Inspector::InspectorRuntimeAgent::saveResult):
956 Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
957 and std::optional until the former is removed from generated method signatures.
959 2017-12-12 Caio Lima <ticaiolima@gmail.com>
961 [ESNext][BigInt] Implement BigInt literals and JSBigInt
962 https://bugs.webkit.org/show_bug.cgi?id=179000
964 Reviewed by Darin Adler and Yusuke Suzuki.
966 This patch starts the implementation of BigInt primitive on
967 JavaScriptCore. We are introducing BigInt primitive and
968 implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]]
969 field implemented contiguously in memory as inline storage of JSBigInt to
970 take advantage of the performance gains from cache locality. The
971 implementation allows 64 or 32 bitwise arithmetic operations.
972 JSBigInt also has m_sign to store the sign of [[BigIntData]] and
973 m_length that keeps track of BigInt length.
974 The implementation is following the V8 one. [[BigIntData]] is manipulated
975 by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
976 We also have some operations to support arithmetics over digits.
978 It is important to notice that on our representation,
979 JSBigInt::dataStorage()[0] represents the least significant digit and
980 JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
982 We are also introducing into this Patch the BigInt literals lexer and
983 syntax parsing support. The operation Strict Equals on BigInts is also being
984 implemented to enable tests.
985 These features are being implemented behind a runtime flag "--useBigInt" and
986 are disabled by default.
988 * JavaScriptCore.xcodeproj/project.pbxproj:
990 * bytecode/CodeBlock.cpp:
991 * bytecompiler/BytecodeGenerator.cpp:
992 (JSC::BytecodeGenerator::emitEqualityOp):
993 (JSC::BytecodeGenerator::addBigIntConstant):
994 * bytecompiler/BytecodeGenerator.h:
995 (JSC::BytecodeGenerator::BigIntEntryHash::hash):
996 (JSC::BytecodeGenerator::BigIntEntryHash::equal):
997 * bytecompiler/NodesCodegen.cpp:
998 (JSC::BigIntNode::jsValue const):
999 * dfg/DFGAbstractInterpreterInlines.h:
1000 (JSC::DFG::isToThisAnIdentity):
1001 * interpreter/Interpreter.cpp:
1002 (JSC::sizeOfVarargs):
1003 * llint/LLIntData.cpp:
1004 (JSC::LLInt::Data::performAssertions):
1005 * llint/LowLevelInterpreter.asm:
1006 * parser/ASTBuilder.h:
1007 (JSC::ASTBuilder::createBigInt):
1009 (JSC::Lexer<T>::parseBinary):
1010 (JSC::Lexer<T>::parseOctal):
1011 (JSC::Lexer<T>::parseDecimal):
1012 (JSC::Lexer<T>::lex):
1013 (JSC::Lexer<T>::parseHex): Deleted.
1015 * parser/NodeConstructors.h:
1016 (JSC::BigIntNode::BigIntNode):
1018 (JSC::ExpressionNode::isBigInt const):
1019 (JSC::BigIntNode::value):
1020 * parser/Parser.cpp:
1021 (JSC::Parser<LexerType>::parsePrimaryExpression):
1022 * parser/ParserTokens.h:
1023 * parser/ResultType.h:
1024 (JSC::ResultType::definitelyIsBigInt const):
1025 (JSC::ResultType::mightBeBigInt const):
1026 (JSC::ResultType::isNotBigInt const):
1027 (JSC::ResultType::addResultType):
1028 (JSC::ResultType::bigIntType):
1029 (JSC::ResultType::forAdd):
1030 (JSC::ResultType::forLogicalOp):
1031 * parser/SyntaxChecker.h:
1032 (JSC::SyntaxChecker::createBigInt):
1033 * runtime/CommonIdentifiers.h:
1034 * runtime/JSBigInt.cpp: Added.
1035 (JSC::JSBigInt::visitChildren):
1036 (JSC::JSBigInt::JSBigInt):
1037 (JSC::JSBigInt::initialize):
1038 (JSC::JSBigInt::createStructure):
1039 (JSC::JSBigInt::createZero):
1040 (JSC::JSBigInt::allocationSize):
1041 (JSC::JSBigInt::createWithLength):
1042 (JSC::JSBigInt::finishCreation):
1043 (JSC::JSBigInt::toPrimitive const):
1044 (JSC::JSBigInt::singleDigitValueForString):
1045 (JSC::JSBigInt::parseInt):
1046 (JSC::JSBigInt::toString):
1047 (JSC::JSBigInt::isZero):
1048 (JSC::JSBigInt::inplaceMultiplyAdd):
1049 (JSC::JSBigInt::digitAdd):
1050 (JSC::JSBigInt::digitSub):
1051 (JSC::JSBigInt::digitMul):
1052 (JSC::JSBigInt::digitPow):
1053 (JSC::JSBigInt::digitDiv):
1054 (JSC::JSBigInt::internalMultiplyAdd):
1055 (JSC::JSBigInt::equalToBigInt):
1056 (JSC::JSBigInt::absoluteDivSmall):
1057 (JSC::JSBigInt::calculateMaximumCharactersRequired):
1058 (JSC::JSBigInt::toStringGeneric):
1059 (JSC::JSBigInt::rightTrim):
1060 (JSC::JSBigInt::allocateFor):
1061 (JSC::JSBigInt::estimatedSize):
1062 (JSC::JSBigInt::toNumber const):
1063 (JSC::JSBigInt::getPrimitiveNumber const):
1064 * runtime/JSBigInt.h: Added.
1065 (JSC::JSBigInt::setSign):
1066 (JSC::JSBigInt::sign const):
1067 (JSC::JSBigInt::setLength):
1068 (JSC::JSBigInt::length const):
1069 (JSC::JSBigInt::parseInt):
1070 (JSC::JSBigInt::offsetOfData):
1071 (JSC::JSBigInt::dataStorage):
1072 (JSC::JSBigInt::digit):
1073 (JSC::JSBigInt::setDigit):
1075 * runtime/JSCJSValue.cpp:
1076 (JSC::JSValue::synthesizePrototype const):
1077 (JSC::JSValue::toStringSlowCase const):
1078 * runtime/JSCJSValue.h:
1079 * runtime/JSCJSValueInlines.h:
1080 (JSC::JSValue::isBigInt const):
1081 (JSC::JSValue::strictEqualSlowCaseInline):
1082 * runtime/JSCell.cpp:
1084 (JSC::JSCell::putByIndex):
1085 (JSC::JSCell::toPrimitive const):
1086 (JSC::JSCell::getPrimitiveNumber const):
1087 (JSC::JSCell::toNumber const):
1088 (JSC::JSCell::toObjectSlow const):
1090 * runtime/JSCellInlines.h:
1091 (JSC::JSCell::isBigInt const):
1093 * runtime/MathCommon.h:
1095 * runtime/NumberPrototype.cpp:
1096 * runtime/Operations.cpp:
1097 (JSC::jsTypeStringForValue):
1098 (JSC::jsIsObjectTypeOrNull):
1099 * runtime/Options.h:
1100 * runtime/ParseInt.h:
1101 * runtime/SmallStrings.h:
1102 (JSC::SmallStrings::typeString const):
1103 * runtime/StructureInlines.h:
1104 (JSC::prototypeForLookupPrimitiveImpl):
1105 * runtime/TypeofType.cpp:
1106 (WTF::printInternal):
1107 * runtime/TypeofType.h:
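The digit layout and the digit-level helpers this entry names (inplaceMultiplyAdd, absoluteDivSmall, rightTrim, equalToBigInt), as an added worked example in plain C++. It is not JSBigInt's code: it uses 32-bit digits throughout, keeps the sign as a separate flag rather than in the cell header, and the parser and radix handling are this example's own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// digits[0] is the least significant 32-bit digit and digits.back() the most
// significant; `negative` plays the role of m_sign and digits.size() of m_length.
struct BigInt {
    std::vector<uint32_t> digits;   // little-endian magnitude with no high zero digits
    bool negative = false;

    bool isZero() const { return digits.empty(); }
    size_t length() const { return digits.size(); }
};

// Drop high-order zero digits so that equal values have identical representations.
static void rightTrim(BigInt& n) {
    while (!n.digits.empty() && n.digits.back() == 0)
        n.digits.pop_back();
    if (n.digits.empty())
        n.negative = false;   // zero has no sign
}

// n = n * multiplier + addend, carrying through every digit and growing by one
// digit when the final carry is non-zero (the core of parsing a literal).
static void inplaceMultiplyAdd(BigInt& n, uint32_t multiplier, uint32_t addend) {
    uint64_t carry = addend;
    for (uint32_t& d : n.digits) {
        uint64_t t = uint64_t(d) * multiplier + carry;
        d = uint32_t(t);      // low 32 bits stay in this digit
        carry = t >> 32;      // high 32 bits move to the next one
    }
    if (carry)
        n.digits.push_back(uint32_t(carry));
}

// Divide the magnitude by one digit in place, most significant digit first, and
// return the remainder (toString peels off one output digit per call).
static uint32_t absoluteDivSmall(BigInt& n, uint32_t divisor) {
    uint64_t remainder = 0;
    for (size_t i = n.digits.size(); i-- > 0;) {
        uint64_t cur = (remainder << 32) | n.digits[i];
        n.digits[i] = uint32_t(cur / divisor);
        remainder = cur % divisor;
    }
    rightTrim(n);
    return uint32_t(remainder);
}

static int digitValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'z') return c - 'a' + 10;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 10;
    return -1;
}

// Parse an optionally signed literal in the forms the lexer above accepts
// (0x.., 0o.., 0b.. or decimal). Throws on an empty or malformed digit string.
static BigInt parseBigInt(const std::string& text) {
    BigInt result;
    size_t pos = 0;
    if (pos < text.size() && (text[pos] == '-' || text[pos] == '+')) {
        result.negative = text[pos] == '-';
        ++pos;
    }
    uint32_t radix = 10;
    if (pos + 1 < text.size() && text[pos] == '0') {
        char prefix = char(text[pos + 1] | 0x20);   // case-insensitive x/o/b
        if (prefix == 'x') radix = 16;
        else if (prefix == 'o') radix = 8;
        else if (prefix == 'b') radix = 2;
        if (radix != 10) pos += 2;
    }
    if (pos >= text.size())
        throw std::invalid_argument("BigInt literal has no digits");
    for (; pos < text.size(); ++pos) {
        int v = digitValue(text[pos]);
        if (v < 0 || uint32_t(v) >= radix)
            throw std::invalid_argument("invalid digit in BigInt literal");
        inplaceMultiplyAdd(result, radix, uint32_t(v));
    }
    rightTrim(result);
    return result;
}

// Convert to a string in the given radix by repeated single-digit division of a copy.
static std::string toString(const BigInt& n, uint32_t radix = 10) {
    if (n.isZero()) return "0";
    BigInt work = n;
    std::string out;
    while (!work.isZero())
        out.push_back("0123456789abcdefghijklmnopqrstuvwxyz"[absoluteDivSmall(work, radix)]);
    if (n.negative) out.push_back('-');
    std::reverse(out.begin(), out.end());
    return out;
}

// Strict equality (===) between BigInts: same sign, same length, same digits.
static bool equalToBigInt(const BigInt& a, const BigInt& b) {
    return a.negative == b.negative && a.digits == b.digits;
}
```

rightTrim matters for equality: 2^64 parsed from decimal and from hex must both end up as the three digits {0, 0, 1}, and "-0" must collapse to the unsigned empty magnitude so that it compares equal to 0.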
1112 2017-12-12 Guillaume Emont <guijemont@igalia.com>
1114 LLInt: reserve 16 bytes of stack on MIPS for native calls
1115 https://bugs.webkit.org/show_bug.cgi?id=180653
1117 Reviewed by Carlos Alberto Lopez Perez.
1119 * llint/LowLevelInterpreter32_64.asm:
1120 On MIPS, subtract 24 from the stack pointer (16 for calling
1121 convention + 8 to be 16-aligned) instead of the 8 on other platforms
1124 2017-12-12 Yusuke Suzuki <utatane.tea@gmail.com>
1126 [WTF] Thread::create should have Thread::tryCreate
1127 https://bugs.webkit.org/show_bug.cgi?id=180333
1129 Reviewed by Darin Adler.
1131 * assembler/testmasm.cpp:
1133 * b3/air/testair.cpp:
1137 (functionDollarAgentStart):
1139 2017-12-11 Michael Saboff <msaboff@apple.com>
1141 REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1142 https://bugs.webkit.org/show_bug.cgi?id=180685
1144 Reviewed by Saam Barati.
1146 The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1147 the character class check to return true without reading the character. Given that
1148 the character could be a surrogate pair, we need to read the character even if we
1149 don't have to check it.
1151 * yarr/YarrInterpreter.cpp:
1152 (JSC::Yarr::Interpreter::testCharacterClass):
1153 (JSC::Yarr::Interpreter::checkCharacterClass):
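An added illustration of why the any-character shortcut must still read the input. This is example code, not Yarr's interpreter: readChar(), the Buggy/Fixed pair and the tiny class-sequence matcher are this example's own. In /u mode a surrogate pair is one character occupying two UTF-16 code units, so a matcher that answers "true" without reading leaves the position on the high surrogate and the next term sees the wrong character.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

static bool isHighSurrogate(char16_t c) { return c >= 0xD800 && c <= 0xDBFF; }
static bool isLowSurrogate(char16_t c) { return c >= 0xDC00 && c <= 0xDFFF; }

// Read one character at pos. In unicode (/u) mode a valid surrogate pair is one
// character occupying two code units, so pos advances by 2; otherwise by 1.
static uint32_t readChar(const std::u16string& s, size_t& pos, bool unicode) {
    char16_t c = s[pos++];
    if (unicode && isHighSurrogate(c) && pos < s.size() && isLowSurrogate(s[pos])) {
        char16_t low = s[pos++];
        return 0x10000 + ((uint32_t(c) - 0xD800) << 10) + (uint32_t(low) - 0xDC00);
    }
    return c;
}

struct CharacterClass {
    bool anyCharacter = false;        // the class matches every character
    std::vector<uint32_t> matches;    // otherwise, the code points it accepts
};

// The shape of the bug described above: the any-character shortcut answers
// before the character is read, so the input position is never advanced.
static bool checkCharacterClassBuggy(const CharacterClass& cc, const std::u16string& s,
                                     size_t& pos, bool unicode) {
    if (cc.anyCharacter)
        return true;                  // BUG: pos not advanced past a surrogate pair
    uint32_t ch = readChar(s, pos, unicode);
    for (uint32_t m : cc.matches)
        if (m == ch) return true;
    return false;
}

// Fixed shape: always consume the character, then apply the shortcut.
static bool checkCharacterClassFixed(const CharacterClass& cc, const std::u16string& s,
                                     size_t& pos, bool unicode) {
    uint32_t ch = readChar(s, pos, unicode);
    if (cc.anyCharacter)
        return true;
    for (uint32_t m : cc.matches)
        if (m == ch) return true;
    return false;
}

// Match a sequence of classes anchored at offset 0. Returns the number of code
// units consumed on success, or -1 if any class fails or input runs out.
static long matchSequence(const std::vector<CharacterClass>& pattern, const std::u16string& s,
                          bool unicode, bool useFix) {
    size_t pos = 0;
    for (const CharacterClass& cc : pattern) {
        if (pos >= s.size())
            return -1;
        bool ok = useFix ? checkCharacterClassFixed(cc, s, pos, unicode)
                         : checkCharacterClassBuggy(cc, s, pos, unicode);
        if (!ok)
            return -1;
    }
    return long(pos);
}
```

With the pattern [any-character, 'b'] against the constructed input U+1F600 followed by 'b', the fixed check consumes the pair and then matches 'b'; the buggy check consumes nothing, so the 'b' term is handed the emoji and the whole match fails. Without /u the same input is three separate characters and the match correctly fails on the low surrogate.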
1155 2017-12-11 Saam Barati <sbarati@apple.com>
1157 We need to disableCaching() in ErrorInstance when we materialize properties
1158 https://bugs.webkit.org/show_bug.cgi?id=180343
1159 <rdar://problem/35833002>
1161 Reviewed by Mark Lam.
1163 This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1164 on puts() to a property that we lazily materialized. Forgetting to do this goes against the
1165 PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1166 from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1167 existing property only found on Structure B. This is obviously wrong as it would lead to an
1168 OOB store if we didn't already crash when generating the IC.
1171 (JSC::tryCachePutByID):
1172 * runtime/ErrorInstance.cpp:
1173 (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1174 (JSC::ErrorInstance::put):
1175 * runtime/ErrorInstance.h:
1176 * runtime/Structure.cpp:
1177 (JSC::Structure::didCachePropertyReplacement):
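A toy model of the caching contract this entry describes, added as an example. It is not JSC's ErrorInstance, PutPropertySlot or Repatch code: structures A and B, the "line"/"column" properties, the `fixed` switch and the bounds-checked stand-in for the generated store are this example's assumptions. With caching left enabled, the cache records "replace the property at offset 0" keyed on structure A, which has no slots at all, so the next A-shaped object would take exactly the out-of-bounds store the entry warns about.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>

struct Structure {
    int id;                                  // only for readability when debugging
    std::map<std::string, size_t> offsets;   // property name -> slot index
};

struct Object {
    const Structure* structure = nullptr;
    std::vector<int> slots;                  // property storage, one slot per property
    bool materialized = false;               // ErrorInstance-style lazily added properties
};

struct PutPropertySlot {
    bool isCacheable = false;
    size_t offset = 0;
    void setExistingProperty(size_t off) { isCacheable = true; offset = off; }
    void disableCaching() { isCacheable = false; }
};

// Structure A: a fresh object. Structure B: after "line" and "column" are materialized.
static const Structure kStructureA{1, {}};
static const Structure kStructureB{2, {{"line", 0}, {"column", 1}}};

static void materializeIfNeeded(Object& obj) {
    if (obj.materialized) return;
    obj.structure = &kStructureB;            // the A -> B transition
    obj.slots.assign(kStructureB.offsets.size(), 0);
    obj.materialized = true;
}

// put() as in the entry; `fixed` selects whether caching is disabled after materializing.
static void put(Object& obj, const std::string& name, int value, PutPropertySlot& slot, bool fixed) {
    bool wasMaterialized = obj.materialized;
    materializeIfNeeded(obj);
    auto it = obj.structure->offsets.find(name);
    if (it == obj.structure->offsets.end()) return;   // adding brand-new properties is not modelled
    obj.slots[it->second] = value;
    slot.setExistingProperty(it->second);             // "replace an existing property at offset N"
    if (fixed && !wasMaterialized)
        slot.disableCaching();                        // the object changed structure under us
}

struct PutCache { const Structure* structure; size_t offset; };

// tryCachePutByID: remember (structure on entry, offset) only if the slot allows it.
static bool tryCachePut(const Structure* structureOnEntry, const PutPropertySlot& slot, PutCache& out) {
    if (!slot.isCacheable) return false;
    out = PutCache{structureOnEntry, slot.offset};
    return true;
}

// The fast path generated from a cache entry is a raw store at the cached offset.
// Here it reports, instead of performing, a store that would land outside the storage.
static bool cachedStoreIsInBounds(const PutCache& cache, const Object& obj) {
    if (obj.structure != cache.structure) return true;   // cache miss: slow path handles it
    return cache.offset < obj.slots.size();
}

// Put on a fresh object, try to cache, then apply the cache to a second fresh object.
static bool scenarioStaysInBounds(bool fixed) {
    Object first;
    first.structure = &kStructureA;
    PutPropertySlot slot;
    const Structure* onEntry = first.structure;
    put(first, "line", 42, slot, fixed);
    PutCache cache{nullptr, 0};
    if (!tryCachePut(onEntry, slot, cache))
        return true;                                   // nothing cached, nothing to go wrong
    Object second;
    second.structure = &kStructureA;
    return cachedStoreIsInBounds(cache, second);
}
```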
1179 2017-12-11 Fujii Hironori <Hironori.Fujii@sony.com>
1181 [WinCairo] DLLLauncherMain should use SetDllDirectory
1182 https://bugs.webkit.org/show_bug.cgi?id=180642
1184 Reviewed by Alex Christensen.
1186 Windows has icuuc.dll in the system directory. WebKit should find
1187 one in WebKitLibraries directory, not one in the system directory.
1189 * shell/DLLLauncherMain.cpp:
1190 (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1192 2017-12-11 Eric Carlson <eric.carlson@apple.com>
1194 Web Inspector: Optionally log WebKit log parameters as JSON
1195 https://bugs.webkit.org/show_bug.cgi?id=180529
1196 <rdar://problem/35909462>
1198 Reviewed by Joseph Pecoraro.
1200 * inspector/ConsoleMessage.cpp:
1201 (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1202 values. Concatenate all adjacent strings to make logging cleaner.
1203 (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1204 (Inspector::ConsoleMessage::scriptState const):
1205 * inspector/ConsoleMessage.h:
1207 * inspector/InjectedScript.cpp:
1208 (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1209 * inspector/InjectedScript.h:
1210 * inspector/InjectedScriptSource.js:
1211 (let.InjectedScript.prototype.wrapJSONString):
1213 2017-12-11 Joseph Pecoraro <pecoraro@apple.com>
1215 Remove unused builtin names
1216 https://bugs.webkit.org/show_bug.cgi?id=180673
1218 Reviewed by Keith Miller.
1220 * builtins/BuiltinNames.h:
1222 2017-12-11 David Quesada <david_quesada@apple.com>
1224 Turn on ENABLE_APPLICATION_MANIFEST
1225 https://bugs.webkit.org/show_bug.cgi?id=180562
1226 rdar://problem/35924737
1228 Reviewed by Geoffrey Garen.
1230 * Configurations/FeatureDefines.xcconfig:
1232 2017-12-10 Filip Pizlo <fpizlo@apple.com>
1234 Harden a few assertions in GC sweep
1235 https://bugs.webkit.org/show_bug.cgi?id=180634
1237 Reviewed by Saam Barati.
1239 This turns one dynamic check into a release assertion and upgrades another assertion to a release
1242 * heap/MarkedBlock.cpp:
1243 (JSC::MarkedBlock::Handle::sweep):
1245 2017-12-10 Konstantin Tokarev <annulen@yandex.ru>
1247 [python] Modernize "except" usage for python3 compatibility
1248 https://bugs.webkit.org/show_bug.cgi?id=180612
1250 Reviewed by Michael Catanzaro.
1252 * inspector/scripts/generate-inspector-protocol-bindings.py:
1254 2017-12-05 Filip Pizlo <fpizlo@apple.com>
1256 InferredType should not use UnconditionalFinalizer
1257 https://bugs.webkit.org/show_bug.cgi?id=180456
1259 Reviewed by Saam Barati.
1261 This turns InferredStructure into a cell so that we can unconditionally finalize them without
1262 having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1263 UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1264 them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1265 structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1267 * JavaScriptCore.xcodeproj/project.pbxproj:
1270 (JSC::Heap::finalizeUnconditionalFinalizers):
1272 * runtime/InferredStructure.cpp: Added.
1273 (JSC::InferredStructure::create):
1274 (JSC::InferredStructure::destroy):
1275 (JSC::InferredStructure::createStructure):
1276 (JSC::InferredStructure::visitChildren):
1277 (JSC::InferredStructure::finalizeUnconditionally):
1278 (JSC::InferredStructure::InferredStructure):
1279 (JSC::InferredStructure::finishCreation):
1280 * runtime/InferredStructure.h: Added.
1281 * runtime/InferredStructureWatchpoint.cpp: Added.
1282 (JSC::InferredStructureWatchpoint::fireInternal):
1283 * runtime/InferredStructureWatchpoint.h: Added.
1284 * runtime/InferredType.cpp:
1285 (JSC::InferredType::visitChildren):
1286 (JSC::InferredType::willStoreValueSlow):
1287 (JSC::InferredType::makeTopSlow):
1288 (JSC::InferredType::set):
1289 (JSC::InferredType::removeStructure):
1290 (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1291 (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1292 (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1293 * runtime/InferredType.h:
1298 2017-12-09 Konstantin Tokarev <annulen@yandex.ru>
1300 [python] Replace print >> operator with print() function for python3 compatibility
1301 https://bugs.webkit.org/show_bug.cgi?id=180611
1303 Reviewed by Michael Catanzaro.
1305 * Scripts/make-js-file-arrays.py:
1308 2017-12-08 Joseph Pecoraro <pecoraro@apple.com>
1310 ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1311 https://bugs.webkit.org/show_bug.cgi?id=180520
1312 <rdar://problem/35900764>
1314 Reviewed by Brian Burg.
1316 * inspector/protocol/ServiceWorker.json:
1317 Include content script content in the initialization info.
1319 2017-12-08 Konstantin Tokarev <annulen@yandex.ru>
1321 [python] Replace print operator with print() function for python3 compatibility
1322 https://bugs.webkit.org/show_bug.cgi?id=180592
1324 Reviewed by Michael Catanzaro.
1326 * Scripts/generateYarrUnicodePropertyTables.py:
1328 (verifyUCDFilesExist):
1329 (Aliases.parsePropertyAliasesFile):
1330 (Aliases.parsePropertyValueAliasesFile):
1331 * Scripts/make-js-file-arrays.py:
1333 * generate-bytecode-files:
1335 2017-12-08 Mark Lam <mark.lam@apple.com>
1337 Need to unpoison native function pointers for CLoop.
1338 https://bugs.webkit.org/show_bug.cgi?id=180601
1339 <rdar://problem/35942028>
1341 Reviewed by JF Bastien.
1343 * llint/LowLevelInterpreter64.asm:
1345 2017-12-08 Michael Saboff <msaboff@apple.com>
1347 YARR: JIT RegExps with greedy parenthesized sub patterns
1348 https://bugs.webkit.org/show_bug.cgi?id=180538
1350 Reviewed by JF Bastien.
1352 This patch adds JIT support for regular expressions containing greedy counted
1353 parentheses. An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1355 Just like in the interpreter, expressions with nested parenthetical subpatterns
1356 require saving the results of previous matches of the parentheses contents along
1357 with any associated state. This saved state is needed in the case that we need
1358 to backtrack. This state is called ParenContext within the code. Space allocated
1359 for this ParenContext is managed using a simple block allocator within the JIT'ed
1360 code. The raw space managed by this allocator is passed into the JIT'ed function.
1362 Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
1363 If the JIT'ed code exhausts all its ParenContext space, it returns a new error
1364 JSRegExpJITCodeFailure. The caller will then bytecompile and interpret the
1367 Due to increased register usage by the parenthesis handling code, the use of
1368 registers by the JIT engine was restructured, with registers used for Unicode
1369 pattern matching replaced with constants.
1371 Reworked some of the context structures that are used across the interpreter
1372 and JIT implementations to make them a little more uniform and to handle the
1373 needs of JIT'ing the new parentheses forms.
1375 To help with development and debugging of this code, compiled patterns dumping
1376 code was enhanced. Also added the ability to also dump interpreter ByteCodes.
1378 * runtime/RegExp.cpp:
1379 (JSC::byteCodeCompilePattern):
1380 (JSC::RegExp::byteCodeCompileIfNecessary):
1381 (JSC::RegExp::compile):
1382 (JSC::RegExp::compileMatchOnly):
1384 * runtime/RegExpInlines.h:
1385 (JSC::RegExp::matchInline):
1390 * yarr/YarrInterpreter.cpp:
1391 (JSC::Yarr::ByteCompiler::compile):
1392 (JSC::Yarr::ByteCompiler::dumpDisjunction):
1394 (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1395 (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1396 (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1397 (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1398 (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1399 (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1400 (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1401 (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1402 (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1403 (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1404 (JSC::Yarr::YarrGenerator::allocatePatternContext):
1405 (JSC::Yarr::YarrGenerator::freePatternContext):
1406 (JSC::Yarr::YarrGenerator::savePatternContext):
1407 (JSC::Yarr::YarrGenerator::restorePatternContext):
1408 (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1409 (JSC::Yarr::YarrGenerator::storeToFrame):
1410 (JSC::Yarr::YarrGenerator::generateJITFailReturn):
1411 (JSC::Yarr::YarrGenerator::clearMatches):
1412 (JSC::Yarr::YarrGenerator::generate):
1413 (JSC::Yarr::YarrGenerator::backtrack):
1414 (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1415 (JSC::Yarr::YarrGenerator::generateEnter):
1416 (JSC::Yarr::YarrGenerator::generateReturn):
1417 (JSC::Yarr::YarrGenerator::YarrGenerator):
1418 (JSC::Yarr::YarrGenerator::compile):
1420 (JSC::Yarr::YarrCodeBlock::execute):
1421 * yarr/YarrPattern.cpp:
1422 (JSC::Yarr::indentForNestingLevel):
1423 (JSC::Yarr::dumpUChar32):
1424 (JSC::Yarr::dumpCharacterClass):
1425 (JSC::Yarr::PatternTerm::dump):
1426 (JSC::Yarr::YarrPattern::dumpPattern):
1427 * yarr/YarrPattern.h:
1428 (JSC::Yarr::PatternTerm::containsAnyCaptures):
1429 (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1430 (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1431 (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1432 (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1433 (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
1434 (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
1436 2017-12-08 Joseph Pecoraro <pecoraro@apple.com>
1438 Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
1439 https://bugs.webkit.org/show_bug.cgi?id=180590
1440 <rdar://problem/35882767>
1442 Reviewed by Mark Lam.
1444 * inspector/agents/InspectorConsoleAgent.cpp:
1445 (Inspector::InspectorConsoleAgent::enable):
1446 Swap the messages to a Vector that won't change during iteration.
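The swap-before-iterate pattern this entry describes, as an added example that is not the agent's code. The buffered messages move into a local Vector first, so a sink that logs while being told about earlier messages appends to the now-empty member rather than to the container being iterated. Class and method names are this example's own.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <utility>
#include <vector>

class ConsoleBuffer {
public:
    void addMessage(std::string message) { m_buffered.push_back(std::move(message)); }

    // enable(): deliver everything buffered so far to `sink`, which may call
    // addMessage() re-entrantly. Returns how many messages were delivered.
    size_t enable(const std::function<void(const std::string&)>& sink) {
        std::vector<std::string> messages;
        messages.swap(m_buffered);        // m_buffered is now empty and safe to append to
        for (const std::string& message : messages)
            sink(message);                // any re-entrant addMessage() lands in m_buffered
        return messages.size();
    }

    size_t pending() const { return m_buffered.size(); }

private:
    std::vector<std::string> m_buffered;
};
```

Iterating m_buffered directly while the sink appends to it would be a use of invalidated iterators once the vector reallocates; with the swap, messages logged during delivery are simply queued for the next flush.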
1448 2017-12-08 Michael Saboff <msaboff@apple.com>
1450 YARR: Coalesce constructed character classes
1451 https://bugs.webkit.org/show_bug.cgi?id=180537
1453 Reviewed by JF Bastien.
1455 When adding characters or character ranges to a character class being constructed,
1456 we now coalesce adjacent characters and character ranges. When we create a
1457 character class after construction is complete, we do a final coalescing pass
1458 across the character list and ranges to catch any remaining coalescing
1461 Added an optimization for character classes that will match any character.
1462 This is somewhat common in code created before the /s (dotAll) flag was added
1465 * yarr/YarrInterpreter.cpp:
1466 (JSC::Yarr::Interpreter::checkCharacterClass):
1468 (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1469 (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1470 (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1471 (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1472 * yarr/YarrPattern.cpp:
1473 (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1474 (JSC::Yarr::CharacterClassConstructor::reset):
1475 (JSC::Yarr::CharacterClassConstructor::charClass):
1476 (JSC::Yarr::CharacterClassConstructor::addSorted):
1477 (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1478 (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
1479 (JSC::Yarr::CharacterClassConstructor::coalesceTables):
1480 (JSC::Yarr::CharacterClassConstructor::anyCharacter):
1481 (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
1482 (JSC::Yarr::PatternTerm::dump):
1483 (JSC::Yarr::anycharCreate):
1484 * yarr/YarrPattern.h:
1485 (JSC::Yarr::CharacterClass::CharacterClass):
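An added example, not Yarr's CharacterClassConstructor, of the coalescing this entry describes: characters and ranges are inserted in sorted position and merged with any adjacent or overlapping neighbour as they go in, and a class whose single remaining range spans every code point is recognised as the any-character case. The class and method names are this example's own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

using CharRange = std::pair<uint32_t, uint32_t>;   // inclusive [lo, hi]
constexpr uint32_t kMaxCodePoint = 0x10FFFF;

class CharacterClassBuilder {
public:
    // Insert [lo, hi] keeping the list sorted by lo, then merge it with the
    // predecessor and with every successor it touches.
    void addRange(uint32_t lo, uint32_t hi) {
        CharRange r(lo, hi);
        auto it = std::lower_bound(m_ranges.begin(), m_ranges.end(), r,
            [](const CharRange& a, const CharRange& b) { return a.first < b.first; });
        it = m_ranges.insert(it, r);
        if (it != m_ranges.begin() && touches(*(it - 1), *it)) {
            --it;                                           // fold into the predecessor
            it->second = std::max(it->second, (it + 1)->second);
            m_ranges.erase(it + 1);
        }
        while (it + 1 != m_ranges.end() && touches(*it, *(it + 1))) {
            it->second = std::max(it->second, (it + 1)->second);   // absorb successors
            m_ranges.erase(it + 1);
        }
    }
    void addChar(uint32_t c) { addRange(c, c); }

    const std::vector<CharRange>& ranges() const { return m_ranges; }

    // True when the class matches every code point (the any-character optimization).
    bool anyCharacter() const {
        return m_ranges.size() == 1 && m_ranges[0].first == 0 && m_ranges[0].second == kMaxCodePoint;
    }

    bool contains(uint32_t c) const {
        for (const CharRange& r : m_ranges)
            if (c >= r.first && c <= r.second) return true;
        return false;
    }

private:
    // `b` starts at or before `a` ends, or starts right after it: either way one range.
    static bool touches(const CharRange& a, const CharRange& b) {
        return b.first <= a.second || b.first == a.second + 1;
    }
    std::vector<CharRange> m_ranges;
};
```

Because every insertion leaves the list sorted and free of touching neighbours, the any-character test reduces to looking at a single range, which is what lets a matcher skip the class check entirely.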
1487 2017-12-07 Saam Barati <sbarati@apple.com>
1489 Modify our dollar VM clflush intrinsic to aid in some perf testing
1490 https://bugs.webkit.org/show_bug.cgi?id=180559
1492 Reviewed by Mark Lam.
1494 * tools/JSDollarVM.cpp:
1495 (JSC::functionCpuClflush):
1496 (JSC::functionDeltaBetweenButterflies):
1497 (JSC::JSDollarVM::finishCreation):
1499 2017-12-07 Eric Carlson <eric.carlson@apple.com>
1501 Simplify log channel configuration UI
1502 https://bugs.webkit.org/show_bug.cgi?id=180527
1503 <rdar://problem/35908382>
1505 Reviewed by Joseph Pecoraro.
1507 * inspector/protocol/Console.json:
1509 2017-12-07 Mark Lam <mark.lam@apple.com>
1511 Apply poisoning to some native code pointers.
1512 https://bugs.webkit.org/show_bug.cgi?id=180541
1513 <rdar://problem/35916875>
1515 Reviewed by Filip Pizlo.
1517 Renamed g_classInfoPoison to g_globalDataPoison.
1518 Renamed g_masmPoison to g_jitCodePoison.
1519 Introduced g_nativeCodePoison.
1520 Applied g_nativeCodePoison to poisoning some native code pointers.
1522 Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
1523 to malloc allocated data structures (where needed).
1525 * API/JSCallbackFunction.h:
1526 (JSC::JSCallbackFunction::functionCallback):
1527 * JavaScriptCore.xcodeproj/project.pbxproj:
1528 * jit/ThunkGenerators.cpp:
1529 (JSC::nativeForGenerator):
1530 * llint/LowLevelInterpreter64.asm:
1531 * runtime/CustomGetterSetter.h:
1532 (JSC::CustomGetterSetter::getter const):
1533 (JSC::CustomGetterSetter::setter const):
1534 * runtime/InternalFunction.cpp:
1535 (JSC::InternalFunction::getCallData):
1536 (JSC::InternalFunction::getConstructData):
1537 * runtime/InternalFunction.h:
1538 (JSC::InternalFunction::nativeFunctionFor):
1539 * runtime/JSCPoison.h: Added.
1540 * runtime/JSCPoisonedPtr.cpp:
1541 (JSC::initializePoison):
1542 * runtime/JSCPoisonedPtr.h:
1544 * runtime/NativeExecutable.cpp:
1545 (JSC::NativeExecutable::hashFor const):
1546 * runtime/NativeExecutable.h:
1547 * runtime/Structure.cpp:
1548 (JSC::StructureTransitionTable::setSingleTransition):
1549 * runtime/StructureTransitionTable.h:
1550 (JSC::StructureTransitionTable::StructureTransitionTable):
1551 (JSC::StructureTransitionTable::isUsingSingleSlot const):
1552 (JSC::StructureTransitionTable::map const):
1553 (JSC::StructureTransitionTable::weakImpl const):
1554 (JSC::StructureTransitionTable::setMap):
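An added illustration of pointer poisoning as used by the entries above; this is example code, not JSC's Poisoned template. It assumes, for the purpose of the example, that a poisoned pointer is the raw pointer XORed with a per-process key chosen once at startup, and that native code pointers use a global named after g_nativeCodePoison. NativeExecutable, twice(), callNative() and setRawBits() are this example's own, and the key derivation assumes a 64-bit uintptr_t.

```cpp
#include <cstdint>
#include <random>

using PoisonKey = uintptr_t;

// Pick the per-process key once at startup (the role played by initializePoison()).
static PoisonKey makePoisonKey() {
    std::random_device rd;
    PoisonKey key = (PoisonKey(rd()) << (sizeof(PoisonKey) * 4)) ^ PoisonKey(rd());
    return key | 1;   // never zero, so poisoning is never a no-op
}

// One key per kind of pointer; this one mirrors the global named in the entry.
static const PoisonKey g_nativeCodePoison = makePoisonKey();

// A pointer stored as (raw ^ key). Reading the slot without the key yields an
// unusable value, and a raw pointer written into the slot by mistake or by an
// attacker no longer decodes to itself. Null is stored as 0 so it stays obvious.
template <typename PtrType, const PoisonKey* Key>
class Poisoned {
public:
    Poisoned() = default;
    void set(PtrType ptr) { m_bits = ptr ? reinterpret_cast<uintptr_t>(ptr) ^ *Key : 0; }
    PtrType unpoisoned() const { return m_bits ? reinterpret_cast<PtrType>(m_bits ^ *Key) : nullptr; }
    uintptr_t bits() const { return m_bits; }              // what a raw memory read sees
    void setRawBits(uintptr_t bits) { m_bits = bits; }     // simulates an unpoisoned overwrite
private:
    uintptr_t m_bits = 0;
};

using NativeFunction = int (*)(int);
static int twice(int x) { return 2 * x; }

// Native executables keep their entry point poisoned with the native-code key.
struct NativeExecutable {
    Poisoned<NativeFunction, &g_nativeCodePoison> function;
};

// Every call site must unpoison before calling, as the thunks do.
static int callNative(const NativeExecutable& exec, int arg) {
    return exec.function.unpoisoned()(arg);
}

// A slot overwritten with a raw function pointer does not decode to that
// function once the key is applied, so the forged target is not reached.
static bool forgedPointerDoesNotDecode() {
    NativeExecutable exec;
    exec.function.setRawBits(reinterpret_cast<uintptr_t>(&twice));
    return exec.function.unpoisoned() != &twice;
}
```

The key is what makes the scheme work: a leaked or guessable key turns poisoning back into a plain pointer, which is why each class of pointer gets its own key and why the entry treats the non-random Int32 poisons for malloc'd structures as a separate, weaker tool.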
1556 2017-12-07 Joseph Pecoraro <pecoraro@apple.com>
1558 Web Inspector: Fix style in remote inspector classes
1559 https://bugs.webkit.org/show_bug.cgi?id=180545
1561 Reviewed by Youenn Fablet.
1563 * inspector/remote/RemoteControllableTarget.h:
1564 * inspector/remote/RemoteInspectionTarget.h:
1565 * runtime/JSGlobalObjectDebuggable.h:
1567 2017-12-07 Per Arne Vollan <pvollan@apple.com>
1569 Use fastAlignedFree to free aligned memory.
1570 https://bugs.webkit.org/show_bug.cgi?id=180540
1572 Reviewed by Saam Barati.
1574 * heap/IsoAlignedMemoryAllocator.cpp:
1575 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1577 2017-12-07 Matt Lewis <jlewis3@apple.com>
1579 Unreviewed, rolling out r225634.
1581 This caused layout tests to time out.
1585 "Simplify log channel configuration UI"
1586 https://bugs.webkit.org/show_bug.cgi?id=180527
1587 https://trac.webkit.org/changeset/225634
1589 2017-12-07 Eric Carlson <eric.carlson@apple.com>
1591 Simplify log channel configuration UI
1592 https://bugs.webkit.org/show_bug.cgi?id=180527
1593 <rdar://problem/35908382>
1595 Reviewed by Joseph Pecoraro.
1597 * inspector/protocol/Console.json:
2017-12-07 Mark Lam <mark.lam@apple.com>

[Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
https://bugs.webkit.org/show_bug.cgi?id=180514

Reviewed by Saam Barati and JF Bastien.

Re-landing r225620 with speculative build fix for GCC 7.

* API/JSCallbackObject.h:
* API/JSObjectRef.cpp:

* JavaScriptCore.xcodeproj/project.pbxproj:

* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::value const):
(JSC::FunctionPtr::executableAddress const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::ReturnAddressPtr::value const):
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
(JSC::MacroAssemblerCodePtr::poisonedPtr const):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodePtr::operator! const):
(JSC::MacroAssemblerCodePtr::operator== const):
(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):
(JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
* b3/B3LowerMacros.cpp:

(JSC::B3::testInterpreter):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter64.asm:
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
(JSC::initializePoison):
(JSC::initializeScrambledPtrKeys): Deleted.
* runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
* runtime/JSCScrambledPtr.cpp: Removed.
* runtime/JSCScrambledPtr.h: Removed.
* runtime/JSDestructibleObject.h:
(JSC::JSDestructibleObject::classInfo const):
* runtime/JSSegmentedVariableObject.h:
(JSC::JSSegmentedVariableObject::classInfo const):
* runtime/Structure.h:

2017-12-07 Michael Catanzaro <mcatanzaro@igalia.com>

Unreviewed, rolling out r225620
https://bugs.webkit.org/show_bug.cgi?id=180514
<rdar://problem/35901694>

It broke the build with GCC 7, and I don't know how to fix it.

* API/JSCallbackObject.h:
* API/JSObjectRef.cpp:

* JavaScriptCore.xcodeproj/project.pbxproj:

* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::value const):
(JSC::FunctionPtr::executableAddress const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::ReturnAddressPtr::value const):
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
(JSC::MacroAssemblerCodePtr::scrambledPtr const):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodePtr::operator! const):
(JSC::MacroAssemblerCodePtr::operator== const):
(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):
(JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
* b3/B3LowerMacros.cpp:

(JSC::B3::testInterpreter):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter64.asm:
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
(JSC::initializeScrambledPtrKeys):
* runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
* runtime/JSDestructibleObject.h:
(JSC::JSDestructibleObject::classInfo const):
* runtime/JSSegmentedVariableObject.h:
(JSC::JSSegmentedVariableObject::classInfo const):
* runtime/Structure.h:

2017-12-06 Mark Lam <mark.lam@apple.com>

Refactoring: Rename ScrambledPtr to Poisoned.
https://bugs.webkit.org/show_bug.cgi?id=180514

Reviewed by Saam Barati.

* API/JSCallbackObject.h:
* API/JSObjectRef.cpp:

* JavaScriptCore.xcodeproj/project.pbxproj:

* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::value const):
(JSC::FunctionPtr::executableAddress const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::ReturnAddressPtr::value const):
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
(JSC::MacroAssemblerCodePtr::poisonedPtr const):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodePtr::operator! const):
(JSC::MacroAssemblerCodePtr::operator== const):
(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):
(JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
* b3/B3LowerMacros.cpp:

(JSC::B3::testInterpreter):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter64.asm:
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
(JSC::initializePoison):
(JSC::initializeScrambledPtrKeys): Deleted.
* runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
* runtime/JSCScrambledPtr.cpp: Removed.
* runtime/JSCScrambledPtr.h: Removed.
* runtime/JSDestructibleObject.h:
(JSC::JSDestructibleObject::classInfo const):
* runtime/JSSegmentedVariableObject.h:
(JSC::JSSegmentedVariableObject::classInfo const):
* runtime/Structure.h:

2017-12-02 Darin Adler <darin@apple.com>

Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
https://bugs.webkit.org/show_bug.cgi?id=180009

Reviewed by Alex Christensen.

* bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
* bytecode/CodeBlock.cpp: Ditto.
* bytecode/ExecutionCounter.cpp: Ditto.
* runtime/ConfigFile.cpp: Ditto.
* runtime/DatePrototype.cpp: Ditto.
* runtime/IndexingType.cpp: Ditto.
* runtime/JSCJSValue.cpp: Ditto.
* runtime/JSDateMath.cpp: Ditto.
* runtime/JSGlobalObjectFunctions.cpp: Ditto.
* runtime/Options.cpp: Ditto.
(JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.

2017-12-06 Saam Barati <sbarati@apple.com>

ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
https://bugs.webkit.org/show_bug.cgi?id=180438
<rdar://problem/35862342>

Reviewed by Yusuke Suzuki.

A couple inspector methods that take stacktraces need

* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::createScriptCallStackForConsole):

2017-12-05 Stephan Szabo <stephan.szabo@sony.com>

Switch windows build to Visual Studio 2017
https://bugs.webkit.org/show_bug.cgi?id=172412

Reviewed by Per Arne Vollan.

* JavaScriptCore.vcxproj/JavaScriptCore.proj:

2017-12-05 JF Bastien <jfbastien@apple.com>

WebAssembly: don't eagerly checksum
https://bugs.webkit.org/show_bug.cgi?id=180441
<rdar://problem/35156628>

Reviewed by Saam Barati.

Make checksumming of module optional for now. The bots think the
checksum hurt compile-time. I'd measured it and couldn't see a
difference, and still can't at this point in time, but we'll see
if disabling it fixes the bots. If so then I can make it lazy upon
first backtrace construction, or I can try out MD5 instead of

* runtime/Options.h:
* wasm/WasmModuleInformation.cpp:
(JSC::Wasm::ModuleInformation::ModuleInformation):
* wasm/WasmModuleInformation.h:
* wasm/WasmNameSection.h:
(JSC::Wasm::NameSection::NameSection):

2017-12-05 Filip Pizlo <fpizlo@apple.com>

IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
https://bugs.webkit.org/show_bug.cgi?id=180425

Reviewed by Saam Barati.

Failure to do so causes leaks after starting workers.

* heap/IsoAlignedMemoryAllocator.cpp:
(JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):

2017-12-05 Per Arne Vollan <pvollan@apple.com>

[Win64] Compile error in testmasm.cpp.
https://bugs.webkit.org/show_bug.cgi?id=180436

Reviewed by Mark Lam.

Fix MSVC warning (32-bit shift implicitly converted to 64 bits).

* assembler/testmasm.cpp:
(JSC::testGetEffectiveAddress):

2017-12-01 Filip Pizlo <fpizlo@apple.com>

GC constraint solving should be parallel
https://bugs.webkit.org/show_bug.cgi?id=179934

Reviewed by JF Bastien.

This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
speed-up. It's more than 1% on trunk-Speedometer.

The constraint solver supports running constraints in parallel in two different ways:

- Run multiple constraints in parallel to each other. This only works for constraints that can
tolerate other constraints running concurrently to them (constraint.concurrency() ==
ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
could probably make them concurrent, but I'm playing it safe for now.

- A constraint can create parallel work for itself, which the constraint solver will interleave
with other stuff. A constraint can report that it has parallel work by returning
ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
for as long as that function wants to run.

It's not possible to have a non-concurrent constraint that creates parallel work.

The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
most natural for two reasons:

- No need to start any other threads.

- The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
thread, that thread will have work it can start doing immediately. Before this change, we had to
contribute the work found by the constraint solver to the global worklist so that it could be
distributed to the marker threads by load balancing. This change probably helps to avoid that
load balancing step.

A lot of this change is about making it easy to iterate GC data structures in parallel. This
change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
the parallel work API. That constraint iterates the marked cells in two subspaces. This change
makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
when it returns a falsish version of ... (in the current code, that's always a pointer type, so
done is indicated by null).

* API/JSMarkingConstraintPrivate.cpp:
(JSContextGroupAddMarkingConstraint):
* API/JSVirtualMachine.mm:
(scanExternalObjectGraph):
(scanExternalRememberedSet):
* JavaScriptCore.xcodeproj/project.pbxproj:

* bytecode/AccessCase.cpp:
(JSC::AccessCase::propagateTransitions const):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitWeakly):
(JSC::CodeBlock::shouldJettisonDueToOldAge):
(JSC::shouldMarkTransition):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
* dfg/DFGWorklist.cpp:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* heap/ConstraintParallelism.h: Added.
(WTF::printInternal):

(JSC::Heap::addToRememberedSet):
(JSC::Heap::runFixpointPhase):
(JSC::Heap::stopThePeriphery):
(JSC::Heap::resumeThePeriphery):
(JSC::Heap::addCoreConstraints):
(JSC::Heap::setBonusVisitorTask):
(JSC::Heap::runTaskInParallel):
(JSC::Heap::forEachSlotVisitor): Deleted.

(JSC::Heap::worldIsRunning const):
(JSC::Heap::runFunctionInParallel):
* heap/HeapInlines.h:
(JSC::Heap::worldIsStopped const):
(JSC::Heap::isMarked):
(JSC::Heap::incrementDeferralDepth):
(JSC::Heap::decrementDeferralDepth):
(JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
(JSC::Heap::forEachSlotVisitor):
(JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
(JSC::Heap::isMarkedConcurrently): Deleted.
* heap/HeapSnapshotBuilder.cpp:
(JSC::HeapSnapshotBuilder::appendNode):
* heap/LargeAllocation.h:
(JSC::LargeAllocation::isMarked):
(JSC::LargeAllocation::isMarkedConcurrently): Deleted.
* heap/LockDuringMarking.h:
(JSC::lockDuringMarking):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::parallelNotEmptyBlockSource):
* heap/MarkedAllocator.h:
* heap/MarkedBlock.h:
(JSC::MarkedBlock::aboutToMark):
(JSC::MarkedBlock::isMarked):
(JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
(JSC::MarkedBlock::isMarkedConcurrently): Deleted.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::activeWeakSetsBegin):
(JSC::MarkedSpace::activeWeakSetsEnd):
(JSC::MarkedSpace::newActiveWeakSetsBegin):
(JSC::MarkedSpace::newActiveWeakSetsEnd):
* heap/MarkingConstraint.cpp:
(JSC::MarkingConstraint::MarkingConstraint):
(JSC::MarkingConstraint::execute):
(JSC::MarkingConstraint::quickWorkEstimate):
(JSC::MarkingConstraint::workEstimate):
(JSC::MarkingConstraint::doParallelWork):
(JSC::MarkingConstraint::finishParallelWork):
(JSC::MarkingConstraint::doParallelWorkImpl):
(JSC::MarkingConstraint::finishParallelWorkImpl):
* heap/MarkingConstraint.h:
(JSC::MarkingConstraint::lastExecuteParallelism const):
(JSC::MarkingConstraint::parallelism const):
(JSC::MarkingConstraint::quickWorkEstimate): Deleted.
(JSC::MarkingConstraint::workEstimate): Deleted.
* heap/MarkingConstraintSet.cpp:
(JSC::MarkingConstraintSet::MarkingConstraintSet):
(JSC::MarkingConstraintSet::add):
(JSC::MarkingConstraintSet::executeConvergence):
(JSC::MarkingConstraintSet::executeConvergenceImpl):
(JSC::MarkingConstraintSet::executeAll):
(JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
(JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
(JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
(JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
(JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
(JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.

* heap/MarkingConstraintSet.h:
* heap/MarkingConstraintSolver.cpp: Added.
(JSC::MarkingConstraintSolver::MarkingConstraintSolver):
(JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
(JSC::MarkingConstraintSolver::didVisitSomething const):
(JSC::MarkingConstraintSolver::execute):
(JSC::MarkingConstraintSolver::drain):
(JSC::MarkingConstraintSolver::converge):
(JSC::MarkingConstraintSolver::runExecutionThread):
(JSC::MarkingConstraintSolver::didExecute):
* heap/MarkingConstraintSolver.h: Added.
* heap/OpaqueRootSet.h: Removed.
* heap/ParallelSourceAdapter.h: Added.
(JSC::ParallelSourceAdapter::ParallelSourceAdapter):
(JSC::createParallelSourceAdapter):
* heap/SimpleMarkingConstraint.cpp: Added.
(JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
(JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
(JSC::SimpleMarkingConstraint::quickWorkEstimate):
(JSC::SimpleMarkingConstraint::executeImpl):
* heap/SimpleMarkingConstraint.h: Added.
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::didStartMarking):
(JSC::SlotVisitor::reset):
(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::visitChildren):
(JSC::SlotVisitor::updateMutatorIsStopped):
(JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
(JSC::SlotVisitor::drain):
(JSC::SlotVisitor::performIncrementOfDraining):
(JSC::SlotVisitor::didReachTermination):
(JSC::SlotVisitor::hasWork):
(JSC::SlotVisitor::drainFromShared):
(JSC::SlotVisitor::drainInParallelPassively):
(JSC::SlotVisitor::waitForTermination):
(JSC::SlotVisitor::addOpaqueRoot): Deleted.
(JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
(JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
(JSC::SlotVisitor::mergeIfNecessary): Deleted.
(JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
(JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::addOpaqueRoot):
(JSC::SlotVisitor::containsOpaqueRoot const):
(JSC::SlotVisitor::vm):
(JSC::SlotVisitor::vm const):
* heap/Subspace.cpp:
(JSC::Subspace::parallelAllocatorSource):
(JSC::Subspace::parallelNotEmptyMarkedBlockSource):

* heap/SubspaceInlines.h:
(JSC::Subspace::forEachMarkedCellInParallel):
* heap/VisitCounter.h: Added.
(JSC::VisitCounter::VisitCounter):
(JSC::VisitCounter::visitCount const):
* heap/VisitingTimeout.h: Removed.
* heap/WeakBlock.cpp:
(JSC::WeakBlock::specializedVisit):
* runtime/Structure.cpp:
(JSC::Structure::isCheapDuringGC):
(JSC::Structure::markIfCheap):

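The composable parallel iterator this entry describes, as an added example that is not JSC's code: RefPtr<SharedTask<T()>> is modelled with std::shared_ptr<std::function<T()>>, the subspace/block/cell layout is constructed for the demo, and the block source and the cell adapter are the assumed counterparts of parallelNotEmptyMarkedBlockSource and ParallelSourceAdapter.

```cpp
#include <atomic>
#include <cstddef>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// A parallel source: an iterator whose next() is atomic and returns a falsish
// value (nullptr here) once exhausted. Stands in for RefPtr<SharedTask<T()>>.
template<typename T> using ParallelSource = std::shared_ptr<std::function<T()>>;

// Constructed heap shape for the demo: a subspace owns blocks, a block owns cells.
struct Cell { unsigned payload; bool marked; };
struct Block { std::vector<Cell> cells; };
struct Subspace { std::vector<Block> blocks; };

// Innermost source: hand out blocks by atomically bumping a shared index, so any
// number of threads can call next() without further coordination.
inline ParallelSource<Block*> parallelBlockSource(Subspace& subspace)
{
    auto next = std::make_shared<std::atomic<size_t>>(0);
    return std::make_shared<std::function<Block*()>>([&subspace, next]() -> Block* {
        size_t i = next->fetch_add(1, std::memory_order_relaxed);
        return i < subspace.blocks.size() ? &subspace.blocks[i] : nullptr;
    });
}

// Composed source (the ParallelSourceAdapter idea): pull blocks from the inner
// source and yield their marked cells. The cursor into the current block is
// shared between callers, so it is guarded by a lock that is held only while
// advancing to the next marked cell, never while the caller processes the cell.
inline ParallelSource<Cell*> parallelMarkedCellSource(ParallelSource<Block*> blocks)
{
    struct Cursor { std::mutex lock; Block* block = nullptr; size_t index = 0; };
    auto cursor = std::make_shared<Cursor>();
    return std::make_shared<std::function<Cell*()>>([blocks, cursor]() -> Cell* {
        std::lock_guard<std::mutex> guard(cursor->lock);
        for (;;) {
            if (!cursor->block) {
                cursor->block = (*blocks)();   // one atomic step of the inner source
                cursor->index = 0;
                if (!cursor->block)
                    return nullptr;            // every block consumed: done
            }
            while (cursor->index < cursor->block->cells.size()) {
                Cell* cell = &cursor->block->cells[cursor->index++];
                if (cell->marked)
                    return cell;
            }
            cursor->block = nullptr;           // block exhausted, take the next one
        }
    });
}

// Drive one shared source from threadCount workers (the marker threads in the
// entry); each worker loops until next() returns null. The summed payload of
// the marked cells must not depend on how many workers took part.
inline unsigned sumMarkedPayloadInParallel(Subspace& subspace, unsigned threadCount)
{
    ParallelSource<Cell*> cells = parallelMarkedCellSource(parallelBlockSource(subspace));
    std::atomic<unsigned> total{0};
    std::vector<std::thread> workers;
    for (unsigned t = 0; t < threadCount; ++t) {
        workers.emplace_back([cells, &total]() {
            while (Cell* cell = (*cells)())
                total.fetch_add(cell->payload, std::memory_order_relaxed);
        });
    }
    for (std::thread& worker : workers)
        worker.join();
    return total.load();
}

// Sequential reference walk used to check the parallel result.
inline unsigned sumMarkedPayloadSequentially(const Subspace& subspace)
{
    unsigned total = 0;
    for (const Block& block : subspace.blocks)
        for (const Cell& cell : block.cells)
            if (cell.marked)
                total += cell.payload;
    return total;
}

// Constructed input: 8 blocks of 16 cells, every third cell marked.
inline Subspace makeDemoSubspace()
{
    Subspace subspace;
    for (unsigned b = 0; b < 8; ++b) {
        Block block;
        for (unsigned c = 0; c < 16; ++c)
            block.cells.push_back(Cell{b * 16 + c, c % 3 == 0});
        subspace.blocks.push_back(block);
    }
    return subspace;
}

inline unsigned demoSum(unsigned threadCount)
{
    Subspace subspace = makeDemoSubspace();
    return sumMarkedPayloadInParallel(subspace, threadCount);
}
```

The same source object is handed to every worker; the composition only needs the inner next() to be atomic and the adapter's cursor to be locked for the result to be identical for one worker and for four.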
2017-12-04 JF Bastien <jfbastien@apple.com>

Math: don't redundantly check for exceptions, just release scope
https://bugs.webkit.org/show_bug.cgi?id=180395

Rubber stamped by Mark Lam.

Two of the exception checks could just have been exception scope
releases before the return, which is ever-so-slightly more
efficient. The same technically applies where we have loops over
parameters, but doing the scope release there isn't really more
efficient and is way harder to read.

* runtime/MathObject.cpp:
(JSC::mathProtoFuncATan2):
(JSC::mathProtoFuncPow):

2017-12-04 David Quesada <david_quesada@apple.com>

Add a class for parsing application manifests
https://bugs.webkit.org/show_bug.cgi?id=177973
rdar://problem/34747949

Reviewed by Geoffrey Garen.

* Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.

2017-12-04 JF Bastien <jfbastien@apple.com>

Update std::expected to match libc++ coding style
https://bugs.webkit.org/show_bug.cgi?id=180264

Reviewed by Alex Christensen.

Update various uses of Expected.

* wasm/WasmModule.h:
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseImport):
(JSC::Wasm::ModuleParser::parseTableHelper):
(JSC::Wasm::ModuleParser::parseTable):
(JSC::Wasm::ModuleParser::parseMemoryHelper):
* wasm/WasmParser.h:
* wasm/generateWasmValidateInlinesHeader.py:

* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::createStub):
* wasm/js/JSWebAssemblyModule.h:

2017-12-04 Saam Barati <sbarati@apple.com>

We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
https://bugs.webkit.org/show_bug.cgi?id=180366
<rdar://problem/35685877>

Reviewed by Michael Saboff.

On the TailCall slow path, the CallFrameShuffler will build the frame with
respect to SP instead of FP. However, this may overwrite slots on the stack
that are needed if the slow path C call does a stack walk. The slow path
C call does a stack walk when it throws an exception. This patch fixes
this bug by ensuring that the top of the stack in the FTL always has enough
space to allow CallFrameShuffler to build a frame without overwriting any
items on the stack that are needed when doing a stack walk.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):

2017-12-04 Devin Rousso <webkit@devinrousso.com>

Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
https://bugs.webkit.org/show_bug.cgi?id=175166
<rdar://problem/34040740>

Reviewed by Joseph Pecoraro.

* inspector/protocol/Recording.json:
Add optional `name` that will be used by the frontend for uniquely identifying the Recording.

* inspector/JSGlobalObjectConsoleClient.h:
* inspector/JSGlobalObjectConsoleClient.cpp:
(Inspector::JSGlobalObjectConsoleClient::record):
(Inspector::JSGlobalObjectConsoleClient::recordEnd):

* runtime/ConsoleClient.h:
* runtime/ConsoleObject.cpp:
(JSC::ConsoleObject::finishCreation):
(JSC::consoleProtoFuncRecord):
(JSC::consoleProtoFuncRecordEnd):

2017-12-03 Yusuke Suzuki <utatane.tea@gmail.com>

WTF shouldn't have both Thread and ThreadIdentifier
https://bugs.webkit.org/show_bug.cgi?id=180308

Reviewed by Darin Adler.

* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::tryCopyOtherThreadStacks):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_trace_operand):
(JSC::LLInt::llint_trace_value):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::traceFunctionPrologue):
* runtime/ExceptionScope.cpp:
(JSC::ExceptionScope::unexpectedExceptionMessage):

(JSC::JSLock::currentThreadIsHoldingLock):

(JSC::VM::throwException):

(JSC::VM::throwingThread const):
(JSC::VM::clearException):
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::printVerificationHeader):

2017-12-03 Caio Lima <ticaiolima@gmail.com>

Rename DestroyFunc to avoid redefinition on unified build
https://bugs.webkit.org/show_bug.cgi?id=180335

Reviewed by Filip Pizlo.

Changing DestroyFunc structures to more specific names to avoid
conflicts on unified builds.

* heap/HeapCellType.cpp:
(JSC::HeapCellType::finishSweep):
(JSC::HeapCellType::destroy):
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::finishSweep):
(JSC::JSDestructibleObjectHeapCellType::destroy):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
(JSC::JSSegmentedVariableObjectHeapCellType::destroy):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::finishSweep):
(JSC::JSStringHeapCellType::destroy):
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
(JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):

2017-12-01 JF Bastien <jfbastien@apple.com>

JavaScriptCore: missing exception checks in Math functions that take more than one argument
https://bugs.webkit.org/show_bug.cgi?id=180297
<rdar://problem/35745556>

Reviewed by Mark Lam.

* runtime/MathObject.cpp:
(JSC::mathProtoFuncATan2):
(JSC::mathProtoFuncMax):
(JSC::mathProtoFuncMin):
(JSC::mathProtoFuncPow):

2017-12-01 Mark Lam <mark.lam@apple.com>

Let's scramble ClassInfo pointers in cells.
https://bugs.webkit.org/show_bug.cgi?id=180291
<rdar://problem/35807620>

Reviewed by JF Bastien.

* API/JSCallbackObject.h:
* API/JSObjectRef.cpp:

* JavaScriptCore.xcodeproj/project.pbxproj:

* assembler/MacroAssemblerCodeRef.cpp:
(JSC::MacroAssemblerCodePtr::initialize): Deleted.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodePtr::hash const):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSCScrambledPtr.cpp: Added.
(JSC::initializeScrambledPtrKeys):
* runtime/JSCScrambledPtr.h: Added.
* runtime/JSDestructibleObject.h:
(JSC::JSDestructibleObject::classInfo const):
* runtime/JSSegmentedVariableObject.h:
(JSC::JSSegmentedVariableObject::classInfo const):
* runtime/Structure.h:

2017-12-01 Brian Burg <bburg@apple.com>

Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
https://bugs.webkit.org/show_bug.cgi?id=173662

Reviewed by Joseph Pecoraro.

Adopt new type names. Fix protocol generator to use correct type names.

* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend):
Improve naming and use 'auto' when the type is obvious and repeated.

* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::searchInTextByLines):
* inspector/ContentSearchUtilities.h:
* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::getProperties):
(Inspector::InjectedScript::getDisplayableProperties):
(Inspector::InjectedScript::getInternalProperties):
(Inspector::InjectedScript::getCollectionEntries):
(Inspector::InjectedScript::wrapCallFrames const):
* inspector/InjectedScript.h:
* inspector/InspectorProtocolTypes.h:
(Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
(Inspector::Protocol::Array::Array): Deleted.
(Inspector::Protocol::Array::openAccessors): Deleted.
(Inspector::Protocol::Array::addItem): Deleted.
(Inspector::Protocol::Array::create): Deleted.
(Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
(Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
Move the implementation out of this file.

* inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::buildInspectorArray const):
* inspector/ScriptCallStack.h:
* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::activateExtraDomain):
(Inspector::InspectorAgent::activateExtraDomains):
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::getLoggingChannels):
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::InspectorDebuggerAgent::searchInContent):
(Inspector::InspectorDebuggerAgent::currentCallFrames):
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getProperties):
(Inspector::InspectorRuntimeAgent::getDisplayableProperties):
(Inspector::InspectorRuntimeAgent::getCollectionEntries):
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
(Inspector::InspectorRuntimeAgent::getBasicBlocks):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::buildSamples):
Use more 'auto' and rename a variable.

* inspector/scripts/codegen/cpp_generator.py:
(CppGenerator.cpp_protocol_type_for_type):
Adopt new type names. This exposed a latent bug where we should have been
unwrapping an AliasedType prior to generating a C++ type for it. The aliased
type may be an array, in which case we would have generated the wrong type.

* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(_generate_typedefs_for_domain.JSON):
(_generate_typedefs_for_domain.Inspector): Deleted.
* inspector/scripts/codegen/objc_generator.py:
(ObjCGenerator.protocol_type_for_type):
(ObjCGenerator.objc_protocol_export_expression_for_variable):
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:

* runtime/TypeSet.cpp:
(JSC::TypeSet::allStructureRepresentations const):
(JSC::StructureShape::inspectorRepresentation):
* runtime/TypeSet.h:

2017-12-01 Saam Barati <sbarati@apple.com>

Having a bad time needs to handle ArrayClass indexing type as well
https://bugs.webkit.org/show_bug.cgi?id=180274
<rdar://problem/35667869>

Reviewed by Keith Miller and Mark Lam.

We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
Otherwise, we'll end up with the wrong Structure, which will lead us to not
adhere to the spec. The bug was that we were not considering ArrayClass inside
hasBrokenIndexing. This patch rewrites that function to automatically opt
in non-empty indexing types as broken, instead of having to opt out all
non-empty indexing types besides SlowPutArrayStorage.

* runtime/IndexingType.h:
(JSC::hasSlowPutArrayStorage):
(JSC::shouldUseSlowPut):
* runtime/JSGlobalObject.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::switchToSlowPutArrayStorage):

2017-12-01 JF Bastien <jfbastien@apple.com>

WebAssembly: stack trace improvement follow-ups
https://bugs.webkit.org/show_bug.cgi?id=180273

Reviewed by Saam Barati.

* wasm/WasmIndexOrName.cpp:
(JSC::Wasm::makeString):
* wasm/WasmIndexOrName.h:
(JSC::Wasm::IndexOrName::nameSection const):
* wasm/WasmNameSection.h:
(JSC::Wasm::NameSection::NameSection):
(JSC::Wasm::NameSection::get):

2401 2017-12-01 JF Bastien <jfbastien@apple.com>
2403 WebAssembly: restore cached stack limit after out-call
2404 https://bugs.webkit.org/show_bug.cgi?id=179106
2405 <rdar://problem/35337525>
2407 Reviewed by Saam Barati.
2409 We cache the stack limit on the Instance so that we can do fast
2410 stack checks where required. In regular usage the stack limit
2411 never changes because we always run on the same thread, but in
2412 rare cases an API user can totally migrate which thread (and
2413 therefore stack) is used for execution between WebAssembly
2414 traces. For that reason we set the cached stack limit to
2415 UINTPTR_MAX on the outgoing Instance when transitioning back into
2416 a different Instance. We usually restore the cached stack limit in
2417 Context::store, but this wasn't called on all code paths. We had a
2418 bug where an Instance calling into itself indirectly would
2419 therefore fail to restore its cached stack limit properly.
2421 This patch therefore restores the cached stack limit after direct
2422 calls which could be to imports (both wasm->wasm and
2423 wasm->embedder). We have to do all of them because we have no way
2424 of knowing what imports will do (they're known at instantiation
2425 time, not compilation time, and different instances can have
2426 different imports). To make this efficient we also add a pointer
2427 to the canonical location of the stack limit (i.e. the extra
2428 indirection we're trying to save by caching the stack limit on the
2429 Instance in the first place). This is potentially a small perf hit
2430 on imported direct calls.
2432 It's hard to say what the performance cost will be because we
2433 haven't seen much code in the wild which does this. We're adding
2434 two dependent loads and a store of the loaded value, which is
2435 unlikely to get used soon after. It's more code, but on an
2436 out-of-order processor it doesn't contribute to the critical path.
2438 * wasm/WasmB3IRGenerator.cpp:
2439 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2440 (JSC::Wasm::B3IRGenerator::addGrowMemory):
2441 (JSC::Wasm::B3IRGenerator::addCall):
2442 (JSC::Wasm::B3IRGenerator::addCallIndirect):
2443 * wasm/WasmInstance.cpp:
2444 (JSC::Wasm::Instance::Instance):
2445 (JSC::Wasm::Instance::create):
2446 * wasm/WasmInstance.h:
2447 (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
2448 (JSC::Wasm::Instance::cachedStackLimit const):
2449 (JSC::Wasm::Instance::setCachedStackLimit):
2450 * wasm/js/JSWebAssemblyInstance.cpp:
2451 (JSC::JSWebAssemblyInstance::create):
2452 * wasm/js/WebAssemblyFunction.cpp:
2453 (JSC::callWebAssemblyFunction):
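A constructed model of the cached-stack-limit bookkeeping this entry describes, added here as an illustration; it is not JSC's WasmInstance.h or WasmB3IRGenerator.cpp. The field names follow the entry, but the call sequence, the poison-then-restore helpers and the direction of the stack check are assumptions made for the example:

```cpp
#include <cstdint>

// The canonical stack limit lives in one place per thread (think: the VM).
struct VMStackLimit {
    uintptr_t actualStackLimit;
};

// Per-instance cache of that limit, plus the pointer back to the canonical
// location that the entry adds so the cache can be refreshed cheaply.
struct Instance {
    uintptr_t cachedStackLimit;                 // what the fast check reads
    const uintptr_t* pointerToActualStackLimit; // the indirection caching was meant to save

    explicit Instance(const VMStackLimit& vm)
        : cachedStackLimit(vm.actualStackLimit)
        , pointerToActualStackLimit(&vm.actualStackLimit)
    {
    }
};

// Model of the fast stack check in a wasm function prologue: the stack grows
// down, so a stack pointer at or below the limit means overflow.
bool fastStackCheckPasses(const Instance& instance, uintptr_t sp)
{
    return sp > instance.cachedStackLimit;
}

// Leaving `instance` for other code: poison the cache so a stale limit is
// never silently trusted if execution migrates threads in between.
void leaveInstance(Instance& instance)
{
    instance.cachedStackLimit = UINTPTR_MAX;
}

// What Context::store did on the paths where it ran: reload the cache from
// the canonical location (two dependent loads and a store).
void restoreCachedStackLimit(Instance& instance)
{
    instance.cachedStackLimit = *instance.pointerToActualStackLimit;
}

// Before the fix: the instance poisons its own cache when it calls out, and
// on the self-call path nothing restores it, so the poison survives the call
// and every later fast check in this instance fails.
bool checkAfterSelfCallBeforeFix(uintptr_t sp)
{
    VMStackLimit vm { uintptr_t(0x7fff0000) };
    Instance instance(vm);
    leaveInstance(instance);
    // callee is the same instance: no Context::store on the way back
    return fastStackCheckPasses(instance, sp);
}

// After the fix: the caller refreshes its cache after any direct call that
// could have been an import, whatever the callee turned out to be.
bool checkAfterSelfCallAfterFix(uintptr_t sp)
{
    VMStackLimit vm { uintptr_t(0x7fff0000) };
    Instance instance(vm);
    leaveInstance(instance);
    restoreCachedStackLimit(instance);
    return fastStackCheckPasses(instance, sp);
}
```

With the limit at 0x7fff0000, a stack pointer of 0x7fff8000 is comfortably inside the stack, yet the unfixed path rejects it because the cache still holds UINTPTR_MAX; after the restore the same pointer passes and a pointer below the limit still fails, which is the behaviour the cache was supposed to preserve.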
2455 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2457 [JSC] Use JSFixedArray for op_new_array_buffer
2458 https://bugs.webkit.org/show_bug.cgi?id=180084
2460 Reviewed by Saam Barati.
2462 For op_new_array_buffer, we have a special constant buffer in CodeBlock.
2463 But using JSFixedArray is better because,
2465 1. In DFG, we have a special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
2466 If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.
2468 2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
2469 has JSFixedArray, we can just emit a held JSFixedArray.
2471 3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.
2473 4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
2475 5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
2476 DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
2477 will be introduced in [1].
2479 [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
2481 * bytecode/BytecodeDumper.cpp:
2482 (JSC::BytecodeDumper<Block>::dumpBytecode):
2483 * bytecode/BytecodeList.json:
2484 * bytecode/BytecodeUseDef.h:
2485 (JSC::computeUsesForBytecodeOffset):
2486 * bytecode/CodeBlock.cpp:
2487 (JSC::CodeBlock::finishCreation):
2488 * bytecode/CodeBlock.h:
2489 (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
2490 (JSC::CodeBlock::addConstantBuffer): Deleted.
2491 (JSC::CodeBlock::constantBufferAsVector): Deleted.
2492 (JSC::CodeBlock::constantBuffer): Deleted.
2493 * bytecode/UnlinkedCodeBlock.cpp:
2494 (JSC::UnlinkedCodeBlock::shrinkToFit):
2495 * bytecode/UnlinkedCodeBlock.h:
2496 (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2497 (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2498 (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
2499 (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2500 * bytecompiler/BytecodeGenerator.cpp:
2501 (JSC::BytecodeGenerator::emitNewArray):
2502 (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
2503 * bytecompiler/BytecodeGenerator.h:
2504 * dfg/DFGByteCodeParser.cpp:
2505 (JSC::DFG::ByteCodeParser::parseBlock):
2506 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2507 (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
2508 (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
2509 (JSC::DFG::ConstantBufferKey::hash const): Deleted.
2510 (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
2511 (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
2512 (JSC::DFG::ConstantBufferKey::index const): Deleted.
2513 (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
2514 (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
2515 * dfg/DFGClobberize.h:
2516 (JSC::DFG::clobberize):
2518 (JSC::DFG::Graph::dump):
2521 (JSC::DFG::Node::hasNewArrayBufferData):
2522 (JSC::DFG::Node::newArrayBufferData):
2523 (JSC::DFG::Node::hasVectorLengthHint):
2524 (JSC::DFG::Node::vectorLengthHint):
2525 (JSC::DFG::Node::indexingType):
2526 (JSC::DFG::Node::hasCellOperand):
2527 (JSC::DFG::Node::OpInfoWrapper::operator=):
2528 (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
2529 (JSC::DFG::Node::hasConstantBuffer): Deleted.
2530 (JSC::DFG::Node::startConstant): Deleted.
2531 (JSC::DFG::Node::numConstants): Deleted.
2532 * dfg/DFGOperations.cpp:
2533 * dfg/DFGOperations.h:
2534 * dfg/DFGSpeculativeJIT.h:
2535 (JSC::DFG::SpeculativeJIT::callOperation):
2536 * dfg/DFGSpeculativeJIT32_64.cpp:
2537 (JSC::DFG::SpeculativeJIT::compile):
2538 * dfg/DFGSpeculativeJIT64.cpp:
2539 (JSC::DFG::SpeculativeJIT::compile):
2540 * ftl/FTLLowerDFGToB3.cpp:
2541 (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2543 (JSC::JIT::privateCompileMainPass):
2545 * jit/JITOpcodes.cpp:
2546 (JSC::JIT::emit_op_new_array_buffer): Deleted.
2547 * jit/JITOperations.cpp:
2548 * jit/JITOperations.h:
2549 * llint/LLIntSlowPaths.cpp:
2550 * llint/LLIntSlowPaths.h:
2551 * llint/LowLevelInterpreter.asm:
2552 * runtime/CommonSlowPaths.cpp:
2553 (JSC::SLOW_PATH_DECL):
2554 * runtime/CommonSlowPaths.h:
2555 * runtime/JSFixedArray.cpp:
2556 (JSC::JSFixedArray::dumpToStream):
2557 * runtime/JSFixedArray.h:
2558 (JSC::JSFixedArray::create):
2559 (JSC::JSFixedArray::get const):
2560 (JSC::JSFixedArray::set):
2561 (JSC::JSFixedArray::buffer const):
2562 (JSC::JSFixedArray::values const):
2563 (JSC::JSFixedArray::length const):
2564 (JSC::JSFixedArray::get): Deleted.
2566 2017-11-30 JF Bastien <jfbastien@apple.com>
2568 WebAssembly: improve stack trace
2569 https://bugs.webkit.org/show_bug.cgi?id=179343
2571 Reviewed by Saam Barati.
2573 Stack traces now include:
2575 - Module name, if provided by the name section.
2576 - Module SHA1 hash if no name was provided
2577 - Stub identification, to differentiate from user code
2578 - Slightly different naming to match design from:
2579 https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
2581 * interpreter/StackVisitor.cpp:
2582 (JSC::StackVisitor::Frame::functionName const):
2583 * runtime/StackFrame.cpp:
2584 (JSC::StackFrame::functionName const):
2585 (JSC::StackFrame::visitChildren):
2586 * wasm/WasmIndexOrName.cpp:
2587 (JSC::Wasm::IndexOrName::IndexOrName):
2588 (JSC::Wasm::makeString):
2589 * wasm/WasmIndexOrName.h:
2590 (JSC::Wasm::IndexOrName::nameSection const):
2591 * wasm/WasmModuleInformation.cpp:
2592 (JSC::Wasm::ModuleInformation::ModuleInformation):
2593 * wasm/WasmModuleInformation.h:
2594 * wasm/WasmNameSection.h:
2595 (JSC::Wasm::NameSection::NameSection):
2596 (JSC::Wasm::NameSection::get):
2597 * wasm/WasmNameSectionParser.cpp:
2598 (JSC::Wasm::NameSectionParser::parse):
2600 2017-11-30 Stephan Szabo <stephan.szabo@sony.com>
2602 Make LegacyCustomProtocolManager optional for network process
2603 https://bugs.webkit.org/show_bug.cgi?id=176230
2605 Reviewed by Alex Christensen.
2607 * Configurations/FeatureDefines.xcconfig:
2609 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2611 [JSC] Remove easy toRemove & map.remove() use in OAS phase
2612 https://bugs.webkit.org/show_bug.cgi?id=180208
2614 Reviewed by Mark Lam.
2616 In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
2617 to optimize this common pattern. This patch only modifies apparent ones.
2618 But we can apply this refactoring further to OAS phase in the future.
2620 One thing we should be careful about is that the predicate of removeIf should not touch the
2621 set being removed from. In this patch, we apply this change to (1) apparently
2622 correct ones and (2) things in the DFG OAS phase since it is very slow.
2624 * b3/B3MoveConstants.cpp:
2625 * dfg/DFGObjectAllocationSinkingPhase.cpp:
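An added example of the refactoring this entry and its rolled-out predecessor describe: the two-pass toRemove loop beside a single-pass removeIf, with the predicate reading only a separate set so that it never touches the container being walked. This is constructed for the page, not WTF's HashMap::removeIf; the `removeIf` template, the node-to-allocation map and the sample data are assumptions for the illustration:

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Stand-in for WTF::HashMap::removeIf: one pass over the map, erasing each
// entry the predicate accepts. The predicate may read the entry it is handed
// but must not insert into or erase from `map` itself: the iterator this loop
// holds would be invalidated mid-walk, which is the hazard behind the rollout.
template<typename Map, typename Predicate>
std::size_t removeIf(Map& map, Predicate pred)
{
    std::size_t removed = 0;
    for (auto it = map.begin(); it != map.end();) {
        if (pred(*it)) {
            it = map.erase(it);
            ++removed;
        } else
            ++it;
    }
    return removed;
}

using NodeId = int;
using AllocationMap = std::unordered_map<NodeId, std::string>;

// Constructed sample: node -> allocation being sunk, and the nodes whose
// allocation escaped and therefore must be dropped from the map.
AllocationMap sampleAllocations()
{
    return { { 1, "NewObject" }, { 2, "CreateActivation" }, { 3, "NewFunction" }, { 4, "NewObject" } };
}

std::unordered_set<NodeId> sampleEscaped()
{
    return { 2, 4 };
}

// Before: the pattern the entry replaces. Collect keys into a vector, then
// remove them in a second loop. Correct, but it allocates and walks twice.
std::size_t removeEscapedTwoPass(AllocationMap& map, const std::unordered_set<NodeId>& escaped)
{
    std::vector<NodeId> toRemove;
    for (auto& entry : map) {
        if (escaped.count(entry.first))
            toRemove.push_back(entry.first);
    }
    for (NodeId key : toRemove)
        map.erase(key);
    return toRemove.size();
}

// After: single pass. The predicate consults `escaped`, a separate set, and
// never touches `map`, which is exactly the condition the entry calls out.
std::size_t removeEscapedSinglePass(AllocationMap& map, const std::unordered_set<NodeId>& escaped)
{
    return removeIf(map, [&](const AllocationMap::value_type& entry) {
        return escaped.count(entry.first) > 0;
    });
}

// Surviving keys in ascending order, so the two variants can be compared.
std::vector<NodeId> sortedKeys(const AllocationMap& map)
{
    std::vector<NodeId> keys;
    for (auto& entry : map)
        keys.push_back(entry.first);
    std::sort(keys.begin(), keys.end());
    return keys;
}

std::vector<NodeId> survivorsTwoPass()
{
    AllocationMap map = sampleAllocations();
    removeEscapedTwoPass(map, sampleEscaped());
    return sortedKeys(map);
}

std::vector<NodeId> survivorsSinglePass()
{
    AllocationMap map = sampleAllocations();
    removeEscapedSinglePass(map, sampleEscaped());
    return sortedKeys(map);
}

std::size_t removedCountSinglePass()
{
    AllocationMap map = sampleAllocations();
    return removeEscapedSinglePass(map, sampleEscaped());
}
```

Both variants leave nodes 1 and 3 in the map. The single-pass form is only safe because the predicate's inputs are the entry and an unrelated set; a predicate that looked up or erased other entries of the same map during the walk is the case the rollout entry below refers to.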
2627 2017-11-30 Commit Queue <commit-queue@webkit.org>
2629 Unreviewed, rolling out r225362.
2630 https://bugs.webkit.org/show_bug.cgi?id=180225
2632 removeIf predicate function can touch remove target set
2633 (Requested by yusukesuzuki on #webkit).
2637 "[JSC] Remove easy toRemove & map.remove() use"
2638 https://bugs.webkit.org/show_bug.cgi?id=180208
2639 https://trac.webkit.org/changeset/225362
2641 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2643 [JSC] Use AllocatorIfExists for MaterializeNewObject
2644 https://bugs.webkit.org/show_bug.cgi?id=180189
2646 Reviewed by Filip Pizlo.
2648 I don't think anyone guarantees this allocator exists at this phase.
2649 And a nullptr allocator just works here. We change AllocatorForMode
2650 to AllocatorIfExists to accept nullptr for allocator.
2652 * ftl/FTLLowerDFGToB3.cpp:
2653 (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2655 2017-11-30 Mark Lam <mark.lam@apple.com>
2657 Let's scramble MacroAssemblerCodePtr values.
2658 https://bugs.webkit.org/show_bug.cgi?id=180169
2659 <rdar://problem/35758340>
2661 Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
2663 1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
2665 2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
2666 template argument type that will be used to cast the result. This makes the
2667 client code that uses these functions a little less verbose.
2669 3. Change the code base in general to minimize passing void* code pointers around.
2670 We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
2671 at the last moment when we need the underlying code pointer.
2673 4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
2674 default. I'm leaving them in because they are instrumental in finding bugs
2675 where not all MacroAssemblerCodePtr values were scrambled as expected.
2676 I expect them to be useful in the near future as we add more scrambling.
2678 5. Also disable the casting operator on MacroAssemblerCodePtr (except for
2679 explicit casts to a boolean). This ensures that clients will always explicitly
2680 use scrambledBits() or executableAddress() to get a value based on which value
2683 6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
2684 This was helpful when debugging tests that ran multiple VMs concurrently on
2687 MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
2688 CLoop). It is not yet supported in 32-bit and Windows because we don't
2689 currently have a way to read a global variable from their LLInt code.
2691 * assembler/AbstractMacroAssembler.h:
2692 (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2693 (JSC::AbstractMacroAssembler::linkPointer):
2694 * assembler/CodeLocation.h:
2695 (JSC::CodeLocationCommon::instructionAtOffset):
2696 (JSC::CodeLocationCommon::labelAtOffset):
2697 (JSC::CodeLocationCommon::jumpAtOffset):
2698 (JSC::CodeLocationCommon::callAtOffset):
2699 (JSC::CodeLocationCommon::nearCallAtOffset):
2700 (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
2701 (JSC::CodeLocationCommon::dataLabel32AtOffset):
2702 (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
2703 (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2704 * assembler/LinkBuffer.cpp:
2705 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2706 * assembler/LinkBuffer.h:
2707 (JSC::LinkBuffer::link):
2708 (JSC::LinkBuffer::patch):
2709 * assembler/MacroAssemblerCodeRef.cpp:
2710 (JSC::MacroAssemblerCodePtr::initialize):
2711 * assembler/MacroAssemblerCodeRef.h:
2712 (JSC::FunctionPtr::FunctionPtr):
2713 (JSC::FunctionPtr::value const):
2714 (JSC::FunctionPtr::executableAddress const):
2715 (JSC::ReturnAddressPtr::ReturnAddressPtr):
2716 (JSC::ReturnAddressPtr::value const):
2717 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2718 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2719 (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2720 (JSC::MacroAssemblerCodePtr:: const):
2721 (JSC::MacroAssemblerCodePtr::operator! const):
2722 (JSC::MacroAssemblerCodePtr::operator bool const):
2723 (JSC::MacroAssemblerCodePtr::operator== const):
2724 (JSC::MacroAssemblerCodePtr::hash const):
2725 (JSC::MacroAssemblerCodePtr::emptyValue):
2726 (JSC::MacroAssemblerCodePtr::deletedValue):
2727 (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
2728 (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
2729 * b3/B3LowerMacros.cpp:
2731 (JSC::B3::testInterpreter):
2732 * dfg/DFGDisassembler.cpp:
2733 (JSC::DFG::Disassembler::dumpDisassembly):
2734 * dfg/DFGJITCompiler.cpp:
2735 (JSC::DFG::JITCompiler::link):
2736 (JSC::DFG::JITCompiler::compileFunction):
2737 * dfg/DFGOperations.cpp:
2738 * dfg/DFGSpeculativeJIT.cpp:
2739 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2740 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2741 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2742 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2743 * dfg/DFGSpeculativeJIT.h:
2744 * disassembler/Disassembler.cpp:
2746 * disassembler/UDis86Disassembler.cpp:
2747 (JSC::tryToDisassembleWithUDis86):
2748 * ftl/FTLCompile.cpp:
2749 (JSC::FTL::compile):
2750 * ftl/FTLJITCode.cpp:
2751 (JSC::FTL::JITCode::executableAddressAtOffset):
2754 * ftl/FTLLowerDFGToB3.cpp:
2755 (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
2756 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2757 (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2758 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2759 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2760 * interpreter/InterpreterInlines.h:
2761 (JSC::Interpreter::getOpcodeID):
2762 * jit/JITArithmetic.cpp:
2763 (JSC::JIT::emitMathICFast):
2764 (JSC::JIT::emitMathICSlow):
2766 (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2767 (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
2768 (JSC::JITCodeWithCodeRef::offsetOf):
2769 * jit/JITDisassembler.cpp:
2770 (JSC::JITDisassembler::dumpDisassembly):
2771 * jit/PCToCodeOriginMap.cpp:
2772 (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2774 (JSC::ftlThunkAwareRepatchCall):
2775 * jit/ThunkGenerators.cpp:
2776 (JSC::virtualThunkFor):
2777 (JSC::boundThisNoArgsFunctionCallGenerator):
2778 * llint/LLIntSlowPaths.cpp:
2779 (JSC::LLInt::llint_trace_operand):
2780 (JSC::LLInt::llint_trace_value):
2781 (JSC::LLInt::handleHostCall):
2782 (JSC::LLInt::setUpCall):
2783 * llint/LowLevelInterpreter64.asm:
2784 * offlineasm/cloop.rb:
2785 * runtime/InitializeThreading.cpp:
2786 (JSC::initializeThreading):
2787 * wasm/WasmBBQPlan.cpp:
2788 (JSC::Wasm::BBQPlan::complete):
2789 * wasm/WasmCallee.h:
2790 (JSC::Wasm::Callee::entrypoint const):
2791 * wasm/WasmCodeBlock.cpp:
2792 (JSC::Wasm::CodeBlock::CodeBlock):
2793 * wasm/WasmOMGPlan.cpp:
2794 (JSC::Wasm::OMGPlan::work):
2795 * wasm/js/WasmToJS.cpp:
2796 (JSC::Wasm::wasmToJS):
2797 * wasm/js/WebAssemblyFunction.cpp:
2798 (JSC::callWebAssemblyFunction):
2799 * wasm/js/WebAssemblyFunction.h:
2800 * wasm/js/WebAssemblyWrapperFunction.cpp:
2801 (JSC::WebAssemblyWrapperFunction::create):
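A constructed model of the scrambled code pointer this entry introduces, added as an illustration and not JSC's MacroAssemblerCodeRef.h. The class shape follows the entry (scrambled storage, templated `executableAddress<T>()`, `scrambledBits()`, explicit bool only, hashing on the scrambled value); the key derivation, the null encoding and the helper functions are assumptions made for the example:

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <random>

// One per-process secret, drawn once. A memory disclosure of an object that
// holds a scrambled pointer then reveals only (address XOR key), which does
// not locate JIT'd code unless the key leaks as well.
inline uintptr_t scramblingKey()
{
    static const uintptr_t key = [] {
        std::random_device seed;
        std::mt19937_64 generator(seed());
        uintptr_t k = static_cast<uintptr_t>(generator());
        return k ? k : uintptr_t(1); // a zero key would leave pointers unscrambled
    }();
    return key;
}

class MacroAssemblerCodePtr {
public:
    MacroAssemblerCodePtr() : m_scrambled(0) { }

    // Null stays 0 so an empty pointer is recognisable without descrambling.
    template<typename FunctionType>
    static MacroAssemblerCodePtr createFromExecutableAddress(FunctionType address)
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(address);
        return MacroAssemblerCodePtr(raw ? raw ^ scramblingKey() : 0);
    }

    // Descramble only at the point of use. The template argument casts the
    // result, so the caller names the type it intends to call through.
    template<typename T = void*>
    T executableAddress() const
    {
        uintptr_t raw = m_scrambled ? m_scrambled ^ scramblingKey() : 0;
        return reinterpret_cast<T>(raw);
    }

    // The only accessor that does not descramble: what actually sits in memory.
    uintptr_t scrambledBits() const { return m_scrambled; }

    // No implicit conversion to a raw pointer; only an explicit boolean test.
    explicit operator bool() const { return m_scrambled != 0; }
    bool operator!() const { return !m_scrambled; }
    bool operator==(const MacroAssemblerCodePtr& other) const { return m_scrambled == other.m_scrambled; }

    // Hashing and equality work on the scrambled bits, so a hash table keyed
    // by code pointers never needs the plaintext address.
    std::size_t hash() const { return std::hash<uintptr_t>()(m_scrambled); }

private:
    explicit MacroAssemblerCodePtr(uintptr_t scrambled) : m_scrambled(scrambled) { }
    uintptr_t m_scrambled;
};

// Stand-in for a piece of JIT'd code: any function whose address we can take.
int addOne(int x) { return x + 1; }

// Round trip: stored scrambled, descrambled only at the call site.
int callThroughScrambledPtr()
{
    MacroAssemblerCodePtr ptr = MacroAssemblerCodePtr::createFromExecutableAddress(&addOne);
    return ptr.executableAddress<int (*)(int)>()(41);
}

// What lives in memory is not the executable address.
bool scrambledBitsDifferFromRawAddress()
{
    MacroAssemblerCodePtr ptr = MacroAssemblerCodePtr::createFromExecutableAddress(&addOne);
    return ptr.scrambledBits() != reinterpret_cast<uintptr_t>(&addOne);
}

bool emptyPtrIsFalsy()
{
    MacroAssemblerCodePtr empty;
    return !empty && empty.scrambledBits() == 0;
}
```

The deleted `executableAddress() const` / `dataLocation() const` overloads in the file list above are what the templated accessor replaces: with no raw conversion operator, every site that needs the real address has to say so, which is what makes the paranoid asserts the entry mentions workable.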
2803 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2805 [JSC] Remove easy toRemove & map.remove() use
2806 https://bugs.webkit.org/show_bug.cgi?id=180208
2808 Reviewed by Mark Lam.
2810 In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
2811 to optimize this common pattern. This patch only modifies apparent ones.
2812 But we can apply this refactoring further to OAS phase in the future.
2814 * b3/B3MoveConstants.cpp:
2815 * dfg/DFGArgumentsEliminationPhase.cpp:
2816 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2817 * wasm/WasmSignature.cpp:
2818 (JSC::Wasm::SignatureInformation::tryCleanup):
2820 2017-11-29 Yusuke Suzuki <utatane.tea@gmail.com>
2822 [JSC] Use getEffectiveAddress more in JSC
2823 https://bugs.webkit.org/show_bug.cgi?id=180154
2825 Reviewed by Mark Lam.
2827 We can use MacroAssembler::getEffectiveAddress for stack height calculation.
2828 And we also add MacroAssembler::negPtr(src, dest) variation.
2830 * assembler/MacroAssembler.h:
2831 (JSC::MacroAssembler::negPtr):
2832 * assembler/MacroAssemblerARM.h:
2833 (JSC::MacroAssemblerARM::neg32):
2834 * assembler/MacroAssemblerARM64.h:
2835 (JSC::MacroAssemblerARM64::neg32):
2836 (JSC::MacroAssemblerARM64::neg64):
2837 * assembler/MacroAssemblerARMv7.h:
2838 (JSC::MacroAssemblerARMv7::neg32):
2839 * assembler/MacroAssemblerMIPS.h:
2840 (JSC::MacroAssemblerMIPS::neg32):
2841 * assembler/MacroAssemblerX86Common.h:
2842 (JSC::MacroAssemblerX86Common::neg32):
2843 * assembler/MacroAssemblerX86_64.h:
2844 (JSC::MacroAssemblerX86_64::neg64):
2845 * dfg/DFGThunks.cpp:
2846 (JSC::DFG::osrEntryThunkGenerator):
2847 * ftl/FTLLowerDFGToB3.cpp:
2848 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2849 * jit/SetupVarargsFrame.cpp:
2850 (JSC::emitSetVarargsFrame):
2852 2017-11-30 Mark Lam <mark.lam@apple.com>
2854 jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2855 https://bugs.webkit.org/show_bug.cgi?id=180219
2856 <rdar://problem/35696536>
2858 Reviewed by Filip Pizlo.
2861 (functionFlashHeapAccess):
2863 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2865 [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2866 https://bugs.webkit.org/show_bug.cgi?id=180190
2868 Reviewed by Mark Lam.
2870 If DFG HasIndexedProperty node observes negative index, it goes to a slow
2871 path by calling operationHasIndexedProperty. The problem is that
2872 operationHasIndexedProperty does not account for a negative index. A negative index
2873 was used as a uint32 array index.
2875 In this patch we add a path for negative index in operationHasIndexedProperty.
2876 And rename it to operationHasIndexedPropertyByInt to make the intention clear.
2877 We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
2878 since it is only used in DFG and FTL.
2880 While fixing this bug, we found that our op_in does not record OutOfBound feedback.
2881 This causes repeated OSR exits and significantly regresses performance. We opened
2882 a bug to track this issue[1].
2884 [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
2886 * dfg/DFGOperations.cpp:
2887 * dfg/DFGOperations.h:
2888 * dfg/DFGSpeculativeJIT32_64.cpp:
2889 (JSC::DFG::SpeculativeJIT::compile):
2890 * dfg/DFGSpeculativeJIT64.cpp:
2891 (JSC::DFG::SpeculativeJIT::compile):
2892 * ftl/FTLLowerDFGToB3.cpp:
2893 (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2894 * jit/JITOperations.cpp:
2895 * jit/JITOperations.h:
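An added example of the negative-index defect this entry fixes, shown as the buggy conversion beside the corrected one. It is constructed for this page, not JSC's DFGOperations.cpp; the `ObjectModel` type, the two `hasIndexedProperty*` helpers and the sample object are assumptions for the illustration:

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed model of an object with both indexed storage (array elements)
// and string-named properties.
struct ObjectModel {
    std::vector<double> indexed;         // elements 0 .. size-1
    std::map<std::string, double> named; // properties looked up by name

    bool hasIndexedProperty(uint32_t index) const { return index < indexed.size(); }
    bool hasNamedProperty(const std::string& name) const { return named.count(name) != 0; }
};

// Before: the int32 subscript is handed to the unsigned element path as-is.
// -1 becomes 4294967295, so `"-1" in obj` is answered by an out-of-range
// element probe instead of a lookup of the property named "-1".
bool hasIndexedPropertyBuggy(const ObjectModel& object, int32_t subscript)
{
    return object.hasIndexedProperty(static_cast<uint32_t>(subscript));
}

// After: a negative int32 is not an array index at all. It is converted to
// its string form and looked up like any other property name; only
// non-negative values take the element path.
bool hasIndexedPropertyByInt(const ObjectModel& object, int32_t subscript)
{
    if (subscript < 0)
        return object.hasNamedProperty(std::to_string(subscript));
    return object.hasIndexedProperty(static_cast<uint32_t>(subscript));
}

// Constructed sample: three elements plus a property literally named "-1",
// as `obj["-1"] = 7` would create in JS.
ObjectModel sampleObject()
{
    ObjectModel object;
    object.indexed = { 10.0, 20.0, 30.0 };
    object.named["-1"] = 7.0;
    return object;
}

bool buggyAnswerFor(int32_t subscript) { return hasIndexedPropertyBuggy(sampleObject(), subscript); }
bool fixedAnswerFor(int32_t subscript) { return hasIndexedPropertyByInt(sampleObject(), subscript); }
```

The general lesson is the one the rename encodes: an operation that receives a signed integer must decide what a negative value means before reinterpreting it as an unsigned index, otherwise the cast silently picks a meaning the spec never gave it.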
2897 2017-11-30 Michael Saboff <msaboff@apple.com>
2899 Allow JSC command line tool to accept UTF8
2900 https://bugs.webkit.org/show_bug.cgi?id=180205
2902 Reviewed by Keith Miller.
2904 This unifies the UTF8 handling of interactive mode with that of source files.
2909 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2911 REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
2912 https://bugs.webkit.org/show_bug.cgi?id=180185
2914 Reviewed by Carlos Garcia Campos.
2916 After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
2917 But this is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
2918 can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
2919 And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
2920 DFG node can be emitted if we see that an untaken path includes String + String code.
2922 This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
2923 As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
2924 I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
2925 original code used before r225314.
2927 * dfg/DFGSpeculativeJIT.cpp:
2928 (JSC::DFG::SpeculativeJIT::compileMakeRope):
2929 * ftl/FTLLowerDFGToB3.cpp:
2930 (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2932 2017-11-28 Filip Pizlo <fpizlo@apple.com>
2934 CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
2935 https://bugs.webkit.org/show_bug.cgi?id=180108
2937 Reviewed by Saam Barati.
2939 This was creating a vector of things to remove and then removing them. I think I remember writing
2940 this code, and I did that because at the time we did not have removeAllMatching, which is
2941 definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
2942 obvious improvement before I did more fundamental things to this code.
2944 * heap/CodeBlockSet.cpp:
2945 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2947 2017-11-29 Filip Pizlo <fpizlo@apple.com>
2949 GC should support isoheaps
2950 https://bugs.webkit.org/show_bug.cgi?id=179288
2952 Reviewed by Saam Barati.
2954 This expands the power of the Subspace API in JSC:
2956 - Everything associated with describing the types of objects is now part of the HeapCellType class.
2957 We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
2958 HeapCellType; these are orthogonal things.
2960 - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
2961 any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
2962 special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
2963 pages but releases the physical pages as part of the respective allocator's scavenging policy
2964 (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
2967 So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
2970 This does not have any effect on JetStream (0.18% faster with p = 0.69).
2972 * JavaScriptCore.xcodeproj/project.pbxproj:
2974 * bytecode/AccessCase.cpp:
2975 (JSC::AccessCase::generateImpl):
2976 * bytecode/ObjectAllocationProfileInlines.h:
2977 (JSC::ObjectAllocationProfile::initializeProfile):
2978 * dfg/DFGSpeculativeJIT.cpp:
2979 (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2980 (JSC::DFG::SpeculativeJIT::compileMakeRope):
2981 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2982 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2983 * dfg/DFGSpeculativeJIT64.cpp:
2984 (JSC::DFG::SpeculativeJIT::compile):
2985 * ftl/FTLAbstractHeapRepository.h:
2986 * ftl/FTLLowerDFGToB3.cpp:
2987 (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2988 (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2989 (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2990 (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2991 (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2992 * heap/AlignedMemoryAllocator.cpp:
2993 (JSC::AlignedMemoryAllocator::registerAllocator):
2994 (JSC::AlignedMemoryAllocator::registerSubspace):
2995 * heap/AlignedMemoryAllocator.h:
2996 (JSC::AlignedMemoryAllocator::firstAllocator const):
2997 * heap/AllocationFailureMode.h: Added.
2998 * heap/CompleteSubspace.cpp: Added.
2999 (JSC::CompleteSubspace::CompleteSubspace):
3000 (JSC::CompleteSubspace::~CompleteSubspace):
3001 (JSC::CompleteSubspace::allocatorFor):
3002 (JSC::CompleteSubspace::allocate):
3003 (JSC::CompleteSubspace::allocateNonVirtual):
3004 (JSC::CompleteSubspace::allocatorForSlow):
3005 (JSC::CompleteSubspace::allocateSlow):
3006 (JSC::CompleteSubspace::tryAllocateSlow):
3007 * heap/CompleteSubspace.h: Added.
3008 (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
3009 (JSC::CompleteSubspace::allocatorForSizeStep):
3010 (JSC::CompleteSubspace::allocatorForNonVirtual):
3011 * heap/HeapCellType.cpp: Added.
3012 (JSC::HeapCellType::HeapCellType):
3013 (JSC::HeapCellType::~HeapCellType):
3014 (JSC::HeapCellType::finishSweep):
3015 (JSC::HeapCellType::destroy):
3016 * heap/HeapCellType.h: Added.
3017 (JSC::HeapCellType::attributes const):
3018 * heap/IsoAlignedMemoryAllocator.cpp: Added.
3019 (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
3020 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3021 (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3022 (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3023 (JSC::IsoAlignedMemoryAllocator::dump const):
3024 * heap/IsoAlignedMemoryAllocator.h: Added.
3025 * heap/IsoSubspace.cpp: Added.
3026 (JSC::IsoSubspace::IsoSubspace):
3027 (JSC::IsoSubspace::~IsoSubspace):
3028 (JSC::IsoSubspace::allocatorFor):
3029 (JSC::IsoSubspace::allocatorForNonVirtual):
3030 (JSC::IsoSubspace::allocate):
3031 (JSC::IsoSubspace::allocateNonVirtual):
3032 * heap/IsoSubspace.h: Added.
3033 (JSC::IsoSubspace::size const):
3034 * heap/MarkedAllocator.cpp:
3035 (JSC::MarkedAllocator::MarkedAllocator):
3036 (JSC::MarkedAllocator::setSubspace):
3037 (JSC::MarkedAllocator::allocateSlowCase):
3038 (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3039 (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3040 * heap/MarkedAllocator.h:
3041 (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
3042 (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
3043 * heap/MarkedAllocatorInlines.h:
3044 (JSC::MarkedAllocator::allocate):
3045 (JSC::MarkedAllocator::tryAllocate): Deleted.
3046 * heap/MarkedBlock.h:
3047 * heap/MarkedBlockInlines.h:
3048 (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
3049 (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
3050 * heap/MarkedSpace.cpp:
3051 (JSC::MarkedSpace::addMarkedAllocator):
3052 * heap/MarkedSpace.h:
3053 * heap/Subspace.cpp:
3054 (JSC::Subspace::Subspace):
3055 (JSC::Subspace::initialize):
3056 (JSC::Subspace::finishSweep):
3057 (JSC::Subspace::destroy):
3058 (JSC::Subspace::prepareForAllocation):
3059 (JSC::Subspace::findEmptyBlockToSteal):
3061 (JSC::Subspace::allocate): Deleted.
3062 (JSC::Subspace::tryAllocate): Deleted.
3063 (JSC::Subspace::allocatorForSlow): Deleted.
3064 (JSC::Subspace::allocateSlow): Deleted.
3065 (JSC::Subspace::tryAllocateSlow): Deleted.
3066 (JSC::Subspace::didAllocate): Deleted.
3068 (JSC::Subspace::heapCellType const):
3069 (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
3070 (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
3071 (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
3072 (JSC::Subspace::allocatorForSizeStep): Deleted.
3073 (JSC::Subspace::tryAllocatorFor): Deleted.
3074 (JSC::Subspace::allocatorFor): Deleted.
3075 * jit/AssemblyHelpers.h:
3076 (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3077 (JSC::AssemblyHelpers::emitAllocateVariableSized):
3078 (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3079 * jit/JITOpcodes.cpp:
3080 (JSC::JIT::emit_op_new_object):
3081 * runtime/ButterflyInlines.h:
3082 (JSC::Butterfly::createUninitialized):
3083 (JSC::Butterfly::tryCreate):
3084 (JSC::Butterfly::growArrayRight):
3085 * runtime/DirectArguments.cpp:
3086 (JSC::DirectArguments::overrideThings):
3087 * runtime/DirectArguments.h:
3088 (JSC::DirectArguments::subspaceFor):
3089 * runtime/DirectEvalExecutable.h:
3090 * runtime/EvalExecutable.h:
3091 * runtime/ExecutableBase.h:
3092 (JSC::ExecutableBase::subspaceFor):
3093 * runtime/FunctionExecutable.h:
3094 * runtime/GenericArgumentsInlines.h:
3095 (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3096 * runtime/HashMapImpl.h:
3097 (JSC::HashMapBuffer::create):
3098 * runtime/IndirectEvalExecutable.h:
3099 * runtime/JSArray.cpp:
3100 (JSC::JSArray::tryCreateUninitializedRestricted):
3101 (JSC::JSArray::unshiftCountSlowCase):
3102 * runtime/JSArray.h:
3103 (JSC::JSArray::tryCreate):
3104 * runtime/JSArrayBufferView.cpp:
3105 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3108 * runtime/JSCellInlines.h:
3109 (JSC::JSCell::subspaceFor):
3110 (JSC::tryAllocateCellHelper):
3111 (JSC::allocateCell):
3112 (JSC::tryAllocateCell):
3113 * runtime/JSDestructibleObject.h:
3114 (JSC::JSDestructibleObject::subspaceFor):
3115 * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
3116 (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3117 (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
3118 (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3119 (JSC::JSDestructibleObjectHeapCellType::destroy):
3120 (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
3121 (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
3122 (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
3123 (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
3124 * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
3125 * runtime/JSDestructibleObjectSubspace.cpp: Removed.
3126 * runtime/JSDestructibleObjectSubspace.h: Removed.
3127 * runtime/JSLexicalEnvironment.h:
3128 (JSC::JSLexicalEnvironment::subspaceFor):
3129 * runtime/JSSegmentedVariableObject.h:
3130 (JSC::JSSegmentedVariableObject::subspaceFor):
3131 * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
3132 (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
(JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
(JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
(JSC::JSSegmentedVariableObjectHeapCellType::destroy):
(JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
* runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
* runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
* runtime/JSSegmentedVariableObjectSubspace.h: Removed.
* runtime/JSString.h:
(JSC::JSString::subspaceFor):
* runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
(JSC::JSStringHeapCellType::JSStringHeapCellType):
(JSC::JSStringHeapCellType::~JSStringHeapCellType):
(JSC::JSStringHeapCellType::finishSweep):
(JSC::JSStringHeapCellType::destroy):
(JSC::JSStringSubspace::JSStringSubspace): Deleted.
(JSC::JSStringSubspace::~JSStringSubspace): Deleted.
(JSC::JSStringSubspace::finishSweep): Deleted.
(JSC::JSStringSubspace::destroy): Deleted.
* runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
* runtime/JSStringSubspace.cpp: Removed.
* runtime/JSStringSubspace.h: Removed.
* runtime/ModuleProgramExecutable.h:
* runtime/NativeExecutable.h:
* runtime/ProgramExecutable.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor):
(JSC::VM::gigacageAuxiliarySpace):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
(JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
(JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
(JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
(JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
* wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
* wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
* wasm/js/JSWebAssemblyMemory.h:
(JSC::JSWebAssemblyMemory::subspaceFor):

2017-11-29 Saam Barati <sbarati@apple.com>

Remove pointer caging for double arrays
https://bugs.webkit.org/show_bug.cgi?id=180163

Reviewed by Mark Lam.

This patch removes pointer caging from double arrays. Like
my previous removals of pointer caging, this is a security vs
performance tradeoff. We believe that butterflies being allocated
in the cage and with a 32GB runway gives us enough security that
pointer caging the butterfly just for double arrays does not add
enough security benefit for the performance hit it incurs.

This patch also removes the GetButterflyWithoutCaging node and
the FixedButterflyAccessUncaging phase. The node is no longer needed
because now all GetButterfly nodes are not caged. The phase is removed
since we no longer have two nodes.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
* dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
* dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNodeType.h:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileGetButterfly):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
* runtime/Butterfly.h:
(JSC::Butterfly::pointer):
(JSC::Butterfly::contiguousDouble):
(JSC::Butterfly::caged): Deleted.
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createOrGrowPropertyStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):

2017-11-29 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>

[MIPS][JSC] Implement MacroAssembler::probe support on MIPS
https://bugs.webkit.org/show_bug.cgi?id=175447

Reviewed by Carlos Alberto Lopez Perez.

This patch allows DFG JIT to be enabled on MIPS platforms.

* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::lastSPRegister):
(JSC::MIPSAssembler::numberOfSPRegisters):
(JSC::MIPSAssembler::sprName):
* assembler/MacroAssemblerMIPS.cpp: Added.
(JSC::MacroAssembler::probe):
* assembler/ProbeContext.cpp:
(JSC::Probe::executeProbe):
* assembler/ProbeContext.h:
(JSC::Probe::CPUState::pc):
* assembler/testmasm.cpp:
(JSC::isSpecialGPR):
(JSC::testProbePreservesGPRS):
(JSC::testProbeModifiesStackPointer):
(JSC::testProbeModifiesStackValues):

2017-11-29 Matt Lewis <jlewis3@apple.com>

Unreviewed, rolling out r225286.

The source files within this patch have been marked as

"[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
https://bugs.webkit.org/show_bug.cgi?id=175447
https://trac.webkit.org/changeset/225286

2017-11-29 Alex Christensen <achristensen@webkit.org>

Fix Mac CMake build.

* PlatformMac.cmake:

2017-11-29 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>

[MIPS][JSC] Implement MacroAssembler::probe support on MIPS
https://bugs.webkit.org/show_bug.cgi?id=175447

Reviewed by Carlos Alberto Lopez Perez.

This patch allows DFG JIT to be enabled on MIPS platforms.

* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::lastSPRegister):
(JSC::MIPSAssembler::numberOfSPRegisters):
(JSC::MIPSAssembler::sprName):
* assembler/MacroAssemblerMIPS.cpp: Added.
(JSC::MacroAssembler::probe):
* assembler/ProbeContext.cpp:
(JSC::Probe::executeProbe):
* assembler/ProbeContext.h:
(JSC::Probe::CPUState::pc):
* assembler/testmasm.cpp:
(JSC::isSpecialGPR):
(JSC::testProbePreservesGPRS):
(JSC::testProbeModifiesStackPointer):
(JSC::testProbeModifiesStackValues):

2017-11-28 JF Bastien <jfbastien@apple.com>

Strict and sloppy functions shouldn't share structure
https://bugs.webkit.org/show_bug.cgi?id=180103
<rdar://problem/35667847>

Reviewed by Saam Barati.

Sloppy and strict functions don't act the same when it comes to
arguments, caller, and callee. Sharing a structure means that
anything that is cached gets shared, and that's incorrect.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunction):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/JSFunction.cpp:
(JSC::JSFunction::create): the second ::create is always strict
because it applies to native functions.
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::strictFunctionStructure const):
(JSC::JSGlobalObject::sloppyFunctionStructure const):
(JSC::JSGlobalObject::nativeStdFunctionStructure const):