1 2017-05-31 Yusuke Suzuki <utatane.tea@gmail.com>
3 [JSC] Implement String.prototype.concat in JS builtins
4 https://bugs.webkit.org/show_bug.cgi?id=172798
6 Reviewed by Sam Weinig.
8 Since we have a highly effective + operation for strings,
9 implementing String.prototype.concat in JS simplifies the
10 implementation and improves performance by using speculated
13 Added microbenchmarks show performance improvement.
15 string-concat-long-convert 1063.2787+-12.9101 ^ 109.0855+-2.8083 ^ definitely 9.7472x faster
16 string-concat-convert 1111.1366+-12.2363 ^ 99.3402+-1.9874 ^ definitely 11.1852x faster
17 string-concat 131.7377+-3.8359 ^ 54.3949+-0.9580 ^ definitely 2.4219x faster
18 string-concat-long 79.4726+-1.9644 ^ 64.6301+-1.4941 ^ definitely 1.2297x faster
20 * builtins/StringPrototype.js:
21 (globalPrivate.stringConcatSlowPath):
23 * runtime/StringPrototype.cpp:
24 (JSC::StringPrototype::finishCreation):
25 (JSC::stringProtoFuncConcat): Deleted.
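The entry above moves String.prototype.concat into a JS builtin that leans on `+`. The block below is an added example, not JSC's builtins/StringPrototype.js, showing the shape of such a self-hosted concat and the one spec detail it must get right: ToString on `this` and each argument uses the "string" hint (toString before valueOf), which a bare `"" + value` does not. The probe object is constructed for the example.

```javascript
"use strict";

// Added example, not JSC's builtins/StringPrototype.js: a self-hosted
// String.prototype.concat built on `+` as the ChangeLog describes, plus the
// one detail such an implementation must not get wrong. The spec applies
// ToString (ToPrimitive with hint "string": toString before valueOf) to
// `this` and to every argument, whereas a bare `"" + value` uses the
// "default" hint (valueOf before toString) and can yield a different string.

// ToString with the "string" hint; a template literal does exactly this
// and throws a TypeError for Symbol values, as the spec requires.
function toStringHintString(value) {
  return `${value}`;
}

function concatImpl(thisValue, ...args) {
  if (thisValue === undefined || thisValue === null)
    throw new TypeError("String.prototype.concat requires |this| not be null or undefined");
  let result = toStringHintString(thisValue);
  for (const arg of args)
    result = result + toStringHintString(arg); // `+` on two primitive strings
  return result;
}

// The tempting shortcut: let `+` do the conversion. Wrong for objects whose
// valueOf and toString disagree, because `+` picks the "default" hint.
function naiveConcat(thisValue, ...args) {
  let result = "" + thisValue;
  for (const arg of args)
    result = result + arg;
  return result;
}

// Constructed probe object that exposes which hint was used.
function makeProbe() {
  return {
    valueOf() { return 42; },
    toString() { return "str"; },
  };
}
```

`concatImpl("x", makeProbe())` matches the native `"x".concat(makeProbe())` ("xstr"), while `naiveConcat` produces "x42"; a builtin written in JS has to convert each operand to a primitive string first and only then let `+` run.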
27 2017-05-31 Mark Lam <mark.lam@apple.com>
29 Remove overrides of visitChildren() that do not add any functionality.
30 https://bugs.webkit.org/show_bug.cgi?id=172789
31 <rdar://problem/32500865>
33 Reviewed by Andreas Kling.
35 * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
36 (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
37 * bytecode/UnlinkedModuleProgramCodeBlock.h:
38 * bytecode/UnlinkedProgramCodeBlock.cpp:
39 (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
40 * bytecode/UnlinkedProgramCodeBlock.h:
41 * wasm/js/WebAssemblyFunction.cpp:
42 (JSC::WebAssemblyFunction::visitChildren): Deleted.
43 * wasm/js/WebAssemblyFunction.h:
44 * wasm/js/WebAssemblyInstanceConstructor.cpp:
45 (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
46 * wasm/js/WebAssemblyInstanceConstructor.h:
47 * wasm/js/WebAssemblyMemoryConstructor.cpp:
48 (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
49 * wasm/js/WebAssemblyMemoryConstructor.h:
50 * wasm/js/WebAssemblyModuleConstructor.cpp:
51 (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
52 * wasm/js/WebAssemblyModuleConstructor.h:
53 * wasm/js/WebAssemblyTableConstructor.cpp:
54 (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
55 * wasm/js/WebAssemblyTableConstructor.h:
57 2017-05-31 Commit Queue <commit-queue@webkit.org>
59 Unreviewed, rolling out r217611 and r217631.
60 https://bugs.webkit.org/show_bug.cgi?id=172785
62 "caused wasm-hashset-many.html to become flaky." (Requested by
63 keith_miller on #webkit).
67 "Reland r216808, underlying lldb bug has been fixed."
68 https://bugs.webkit.org/show_bug.cgi?id=172759
69 http://trac.webkit.org/changeset/217611
71 "Use dispatch queues for mach exceptions"
72 https://bugs.webkit.org/show_bug.cgi?id=172775
73 http://trac.webkit.org/changeset/217631
75 2017-05-31 Oleksandr Skachkov <gskachkov@gmail.com>
77 Rolling out: Prevent async methods named 'function'
78 https://bugs.webkit.org/show_bug.cgi?id=172776
82 Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578,
83 https://bugs.webkit.org/show_bug.cgi?id=172598 r217478
84 PR to spec was closed, so changes need to roll out. See
85 https://github.com/tc39/ecma262/pull/884#issuecomment-305212494
88 (JSC::Parser<LexerType>::parseClass):
89 (JSC::Parser<LexerType>::parsePropertyMethod):
91 2017-05-31 Andy Estes <aestes@apple.com>
93 Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
94 https://bugs.webkit.org/show_bug.cgi?id=172366
96 Reviewed by Daniel Bates.
98 * Configurations/FeatureDefines.xcconfig:
100 2017-05-31 Keith Miller <keith_miller@apple.com>
102 Reland r216808, underlying lldb bug has been fixed.
103 https://bugs.webkit.org/show_bug.cgi?id=172759
106 Unreviewed, relanding old patch. See: rdar://problem/31183352
108 * API/tests/ExecutionTimeLimitTest.cpp:
109 (dispatchTermitateCallback):
110 (testExecutionTimeLimit):
111 * runtime/JSLock.cpp:
112 (JSC::JSLock::didAcquireLock):
113 * runtime/Options.cpp:
114 (JSC::overrideDefaults):
115 (JSC::Options::initialize):
117 * runtime/VMTraps.cpp:
118 (JSC::SignalContext::SignalContext):
119 (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
120 (JSC::installSignalHandler):
121 (JSC::VMTraps::SignalSender::send):
122 * tools/SigillCrashAnalyzer.cpp:
123 (JSC::SignalContext::SignalContext):
124 (JSC::SignalContext::dump):
125 (JSC::installCrashHandler):
126 * wasm/WasmBBQPlan.cpp:
127 (JSC::Wasm::BBQPlan::compileFunctions):
128 * wasm/WasmFaultSignalHandler.cpp:
129 (JSC::Wasm::trapHandler):
130 (JSC::Wasm::enableFastMemory):
131 * wasm/WasmMachineThreads.cpp:
132 (JSC::Wasm::resetInstructionCacheOnAllThreads):
134 2017-05-31 Keith Miller <keith_miller@apple.com>
136 Fix leak in PromiseDeferredTimer
137 https://bugs.webkit.org/show_bug.cgi?id=172755
139 Reviewed by JF Bastien.
141 We were not properly freeing the list of dependencies if we were already tracking the promise before.
142 This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
143 where we were already tracking the promise, we append the provided dependency list to the existing list.
144 Since we never bound our rvalue-ref to a non-temporary value, we never destructed the Vector, leaking its
147 * runtime/PromiseDeferredTimer.cpp:
148 (JSC::PromiseDeferredTimer::addPendingPromise):
150 2017-05-30 Oleksandr Skachkov <gskachkov@gmail.com>
152 Prevent async methods named 'function' in Object literal
153 https://bugs.webkit.org/show_bug.cgi?id=172660
155 Reviewed by Saam Barati.
157 Prevent async method named 'function' in object.
158 https://github.com/tc39/ecma262/pull/884
161 (JSC::Parser<LexerType>::parsePropertyMethod):
163 2017-05-30 Oleksandr Skachkov <gskachkov@gmail.com>
165 ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
166 https://bugs.webkit.org/show_bug.cgi?id=171274
168 Reviewed by Saam Barati.
170 The current patch allows using async arrow functions within a constructor
171 and allows access to `this`. The current patch forces loading `this` from the
172 virtual scope each time we access `this` in an async arrow function
173 within a constructor; this is necessary because an async function can be
174 suspended, `superCall` can be called, and the async function resumed.
176 * bytecompiler/BytecodeGenerator.cpp:
177 (JSC::BytecodeGenerator::emitPutGeneratorFields):
178 (JSC::BytecodeGenerator::ensureThis):
179 * bytecompiler/BytecodeGenerator.h:
180 (JSC::BytecodeGenerator::makeFunction):
182 2017-05-30 Ali Juma <ajuma@chromium.org>
184 [CredentialManagement] Incorporate IDL updates from latest spec
185 https://bugs.webkit.org/show_bug.cgi?id=172011
187 Reviewed by Daniel Bates.
189 * runtime/CommonIdentifiers.h:
191 2017-05-30 Alex Christensen <achristensen@webkit.org>
193 Update libwebrtc configuration
194 https://bugs.webkit.org/show_bug.cgi?id=172727
196 Reviewed by Geoffrey Garen.
198 * Configurations/FeatureDefines.xcconfig:
200 2017-05-28 Dan Bernstein <mitz@apple.com>
202 [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
203 https://bugs.webkit.org/show_bug.cgi?id=172691
205 Reviewed by Tim Horton.
207 * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
208 * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
210 2017-05-28 Yusuke Suzuki <utatane.tea@gmail.com>
212 [JSC] Provide better type information of toLength and tighten bytecode
213 https://bugs.webkit.org/show_bug.cgi?id=172690
215 Reviewed by Sam Weinig.
217 In this patch, we carefully leverage operator + in order to
221 operator+ emits to_number bytecode. What this bytecode does is the same
222 as a @Number() call. It is more efficient, and it is smaller bytecode
223 than a @Number() call (load global variable @Number, set up arguments, and
226 2. offer better type prediction data
228 Now, we have code like
230 length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
232 This is not good because the DFG prediction propagation phase predicts Double
233 since @MAX_SAFE_INTEGER is a double. But actually it rarely becomes Double.
234 Usually, the result becomes Int32. This patch leverages to_number in a bit
235 interesting way: to_number has value profiling to offer better type prediction.
236 This value profiling can offer a chance to change the prediction to Int32 efficiently.
237 It is a bit tricky. But it is worth doing to speed up our builtin functions,
238 which should leverage all the JSC's tricky things to be optimized.
240 Related microbenchmarks show performance improvement.
244 array-prototype-forEach 50.2348+-2.2331 49.7568+-2.3507
245 array-prototype-map 51.0574+-1.8166 47.9531+-2.1653 might be 1.0647x faster
246 array-prototype-some 52.3926+-1.8882 ^ 48.3632+-2.0852 ^ definitely 1.0833x faster
247 array-prototype-every 52.7394+-2.0712 50.2896+-2.1480 might be 1.0487x faster
248 array-prototype-reduce 54.9994+-2.3638 51.8716+-2.6253 might be 1.0603x faster
249 array-prototype-reduceRight 209.7594+-9.2594 ^ 51.5867+-2.5745 ^ definitely 4.0662x faster
252 * builtins/GlobalOperations.js:
253 (globalPrivate.toInteger):
254 (globalPrivate.toLength):
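The entry above describes toInteger and toLength builtins that use `+` for the ToNumber step and clamp to @MAX_SAFE_INTEGER with nested conditionals. The block below is an added example, not JSC's builtins/GlobalOperations.js, written as plain JS so the edge cases (NaN, infinities, negatives, values past 2^53 - 1, array-likes with string lengths) are visible; `sizeOf` is a hypothetical consumer standing in for an Array.prototype builtin.

```javascript
"use strict";

// Added example, not JSC's builtins/GlobalOperations.js: ECMAScript's
// ToInteger and ToLength written in plain JS, with unary `+` doing the
// ToNumber conversion as the ChangeLog describes.

const MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER; // 2^53 - 1

function toInteger(target) {
  const numberValue = +target;            // ToNumber via unary plus
  if (numberValue !== numberValue)        // NaN is the only value not equal to itself
    return 0;
  // Truncate toward zero; +/-Infinity pass through unchanged, like the spec.
  return numberValue < 0 ? Math.ceil(numberValue) : Math.floor(numberValue);
}

function toLength(target) {
  const length = toInteger(target);
  // Spec: min(max(len, 0), 2^53 - 1), written as nested conditionals the way
  // the ChangeLog's builtin does. For ordinary arrays the result is an Int32.
  return length > 0 ? (length < MAX_SAFE_INTEGER ? length : MAX_SAFE_INTEGER) : 0;
}

// Hypothetical consumer: how an Array.prototype builtin would size its loop
// over an arbitrary array-like, including ones with no or a non-numeric length.
function sizeOf(arrayLike) {
  return toLength(arrayLike.length);
}
```

The clamp is what keeps a hostile `length` such as `Infinity`, `-1` or `"NaN"` from turning into an unbounded or negative loop count in a builtin that trusts the result.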
256 2017-05-28 Sam Weinig <sam@webkit.org>
258 [WebIDL] @@iterator should only be accessed once when disambiguating a union type
259 https://bugs.webkit.org/show_bug.cgi?id=172684
261 Reviewed by Yusuke Suzuki.
263 * runtime/IteratorOperations.cpp:
264 (JSC::iteratorMethod):
265 (JSC::iteratorForIterable):
266 * runtime/IteratorOperations.h:
267 (JSC::forEachInIterable):
268 Add additional iterator helpers to allow union + sequence conversion code
269 to check for iterability by getting the iterator method, and iterate using
270 that method later on.
272 2017-05-28 Yusuke Suzuki <utatane.tea@gmail.com>
274 Unreviewed, build fix for Windows
275 https://bugs.webkit.org/show_bug.cgi?id=172413
277 Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].
279 [1]: https://bugs.webkit.org/show_bug.cgi?id=172685
283 (JSC::jsDynamicCast): Deleted.
287 (JSC::jsDynamicCast): Deleted.
289 * runtime/MapConstructor.cpp:
291 * runtime/SetConstructor.cpp:
294 2017-05-28 Mark Lam <mark.lam@apple.com>
296 Implement a faster Interpreter::getOpcodeID().
297 https://bugs.webkit.org/show_bug.cgi?id=172669
299 Reviewed by Saam Barati.
301 We can implement Interpreter::getOpcodeID() without a hash table lookup by always
302 embedding the OpcodeID in the 32-bit word just before the start of the LLInt
303 handler code that executes each opcode. getOpcodeID() can therefore just read
304 the 32-bits before the opcode address to get its OpcodeID.
306 This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
307 CPU(ARM_THUMB2), and only for OS(DARWIN). It'll probably just work for linux as
308 well, but I'll let the Linux folks turn that on after they have verified that it
311 I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
312 1. we only need to initialize it once per process, not once per VM / interpreter
314 2. we can initialize it in the Interpreter constructor instead of requiring a
315 separate call to an initialize() function.
317 On debug builds, the Interpreter constructor will also verify that getOpcodeID()
318 is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
320 * bytecode/BytecodeList.json:
321 * generate-bytecode-files:
322 * interpreter/Interpreter.cpp:
323 (JSC::Interpreter::Interpreter):
324 (JSC::Interpreter::opcodeIDTable):
325 (JSC::Interpreter::initialize): Deleted.
326 * interpreter/Interpreter.h:
327 (JSC::Interpreter::getOpcode):
328 (JSC::Interpreter::getOpcodeID):
329 * llint/LowLevelInterpreter.cpp:
333 2017-05-27 Yusuke Suzuki <utatane.tea@gmail.com>
335 [JSC] Map and Set constructors should have fast path for cloning
336 https://bugs.webkit.org/show_bug.cgi?id=172413
338 Reviewed by Saam Barati.
340 In this patch, we add a fast path for cloning in Set and Map constructors.
342 In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
343 At that time, our generic path just iterates the given set object and adds
344 it to the newly created one. It is quite slow because we need to follow
345 the iterator protocol inside C++ and we need to call set.add() repeatedly
346 while the given set guarantees the elements are unique.
348 This patch implements a clone() function for JSMap and JSSet. Cloning JSMap
349 and JSSet is done really fast without invoking any observable JS functions.
350 To check whether we can use this clone() function in Set and Map constructors,
351 we set several watchpoints.
355 1. Set.prototype[Symbol.iterator] is not changed.
356 2. SetIterator.prototype.next is not changed.
357 3. Set.prototype.add is not changed.
358 4. The given Set does not have [Symbol.iterator] function in its instance.
359 5. The given Set's [[Prototype]] is Set.prototype.
360 6. Newly created set's [[Prototype]] is Set.prototype.
362 If the above requirements are met, cloning the given Set is not observable to users.
363 Thus we can take a fast path.
365 Currently, we do not integrate this optimization into DFG and FTL.
366 And we do not optimize other iterables. For example, we can optimize the Set
367 constructor taking an Int32 Array. And we should optimize generic iterator cases too.
368 They are planned as part of a separate bug[1].
370 This change improves ARES-6 Air by 5.3% in steady state.
373 Running... Air ( 1 to go)
374 firstIteration: 76.41 +- 15.60 ms
375 averageWorstCase: 40.63 +- 7.54 ms
376 steadyState: 9.13 +- 0.51 ms
380 Running... Air ( 1 to go)
381 firstIteration: 75.00 +- 22.54 ms
382 averageWorstCase: 39.18 +- 8.45 ms
383 steadyState: 8.67 +- 0.28 ms
385 [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
388 * JavaScriptCore.xcodeproj/project.pbxproj:
389 * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
390 * runtime/HashMapImpl.h:
391 (JSC::HashMapBucket::extractValue):
392 (JSC::HashMapImpl::finishCreation):
393 (JSC::HashMapImpl::add):
394 (JSC::HashMapImpl::setUpHeadAndTail):
395 (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
396 (JSC::HashMapImpl::addNormalizedInternal):
397 * runtime/InternalFunction.cpp:
398 (JSC::InternalFunction::createSubclassStructureSlow):
399 (JSC::InternalFunction::createSubclassStructure): Deleted.
400 * runtime/InternalFunction.h:
401 (JSC::InternalFunction::createSubclassStructure):
402 * runtime/JSGlobalObject.cpp:
403 (JSC::JSGlobalObject::JSGlobalObject):
404 (JSC::JSGlobalObject::init):
405 (JSC::JSGlobalObject::visitChildren):
406 * runtime/JSGlobalObject.h:
407 (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
408 (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
409 (JSC::JSGlobalObject::mapSetWatchpoint):
410 (JSC::JSGlobalObject::setAddWatchpoint):
411 (JSC::JSGlobalObject::mapPrototype):
412 (JSC::JSGlobalObject::jsSetPrototype):
413 (JSC::JSGlobalObject::setStructure):
414 * runtime/JSGlobalObjectInlines.h:
415 (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
416 (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
417 (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
418 (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
421 (JSC::JSMap::canCloneFastAndNonObservable):
423 (JSC::jsDynamicCast):
425 (JSC::JSMap::createStructure): Deleted.
426 (JSC::JSMap::create): Deleted.
427 (JSC::JSMap::set): Deleted.
428 (JSC::JSMap::JSMap): Deleted.
431 (JSC::JSSet::canCloneFastAndNonObservable):
433 (JSC::jsDynamicCast):
435 (JSC::JSSet::createStructure): Deleted.
436 (JSC::JSSet::create): Deleted.
437 (JSC::JSSet::JSSet): Deleted.
438 * runtime/MapConstructor.cpp:
440 * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
441 (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
442 * runtime/SetConstructor.cpp:
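The six conditions listed in the entry above are exactly the points at which user code can hook `new Set(set)` under the spec. The block below is an added example, not JSC code, that violates several of them one at a time and returns what a spec-conforming engine must produce in each case; the fast path is only legal when none of these hooks can run. `SENTINEL`, `LoggingSet` and the sample values are constructed for the example; the Map case is symmetric and not shown.

```javascript
"use strict";

// Added example, not JSC code: the spec-level behaviour of `new Set(set)`
// that the ChangeLog's watchpoints protect. Each function below violates one
// of the listed conditions and returns what a correct engine must produce.

const SENTINEL = "from-hook";

// Reads a Set without going through its iterator, so prototype patches
// applied below do not affect how results are collected.
function contents(set) {
  const out = [];
  set.forEach((v) => out.push(v));
  return out;
}

// All conditions hold: a plain Set cloned into a plain Set.
function cloneVanilla(values) {
  return contents(new Set(new Set(values)));
}

// Condition 4 violated: the instance carries its own [Symbol.iterator], which
// shadows Set.prototype[Symbol.iterator] and decides what gets copied.
function cloneWithOwnIterator(values) {
  const source = new Set(values);
  Object.defineProperty(source, Symbol.iterator, {
    value: function* () { yield SENTINEL; },
  });
  return contents(new Set(source));
}

// Condition 6 violated: the new set is a subclass with an observable add().
// The Set constructor calls this.add for every element before the subclass
// constructor body runs, so the call log has to live outside the instance.
const addCalls = [];
class LoggingSet extends Set {
  add(value) {
    addCalls.push(value);
    return super.add(value);
  }
}
function cloneIntoSubclass(values) {
  addCalls.length = 0;
  const copy = new LoggingSet(new Set(values));
  return { copy: contents(copy), adds: [...addCalls] };
}

// Condition 1 violated: Set.prototype[Symbol.iterator] itself is replaced.
// Restored in finally so the rest of the program sees a sane prototype.
function cloneWithPatchedPrototypeIterator(values) {
  const original = Set.prototype[Symbol.iterator];
  Set.prototype[Symbol.iterator] = function* () { yield SENTINEL; };
  try {
    return contents(new Set(new Set(values)));
  } finally {
    Set.prototype[Symbol.iterator] = original;
  }
}

// Condition 2 violated: %SetIteratorPrototype%.next is replaced, so even an
// untouched Set.prototype[Symbol.iterator] hands out hijacked iterators.
function cloneWithPatchedIteratorNext(values) {
  const SetIteratorPrototype = Object.getPrototypeOf(new Set()[Symbol.iterator]());
  const original = SetIteratorPrototype.next;
  let served = false;
  SetIteratorPrototype.next = function () {
    if (served) return { value: undefined, done: true };
    served = true;
    return { value: SENTINEL, done: false };
  };
  try {
    return contents(new Set(new Set(values)));
  } finally {
    SetIteratorPrototype.next = original;
  }
}
```

Each hooked variant yields `["from-hook"]` or a populated `adds` log instead of a plain copy; an engine that took the clone() fast path in any of these situations would silently skip user code, which is why each condition is backed by a watchpoint (global prototype state) or a per-call structure check (instance and prototype identity).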
445 2017-05-27 Yusuke Suzuki <utatane.tea@gmail.com>
447 [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
448 https://bugs.webkit.org/show_bug.cgi?id=172260
450 Reviewed by Filip Pizlo.
452 DOMJIT::Patchpoint is now used for generalized CheckSubClass. And it becomes mature enough
453 to be used as a general-purpose injectable compiler over all the JIT tiers.
455 We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
458 * JavaScriptCore.xcodeproj/project.pbxproj:
459 * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
460 (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
461 (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
462 * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
463 (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
464 * bytecode/GetterSetterAccessCase.cpp:
465 (JSC::GetterSetterAccessCase::emitDOMJITGetter):
466 * dfg/DFGAbstractInterpreterInlines.h:
467 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
468 * dfg/DFGByteCodeParser.cpp:
469 (JSC::DFG::blessCallDOMGetter):
470 (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
471 * dfg/DFGClobberize.h:
472 (JSC::DFG::clobberize):
473 * dfg/DFGFixupPhase.cpp:
474 (JSC::DFG::FixupPhase::fixupNode):
477 * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
478 * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
479 (JSC::DFG::SnippetParams::SnippetParams):
480 * dfg/DFGSpeculativeJIT.cpp:
481 (JSC::DFG::allocateTemporaryRegistersForSnippet):
482 (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
483 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
484 (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
485 * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
486 (JSC::DOMJIT::CallDOMGetterSnippet::create):
487 * domjit/DOMJITGetterSetter.h:
488 * domjit/DOMJITSignature.h:
489 * domjit/DOMJITValue.h: Removed.
490 * ftl/FTLLowerDFGToB3.cpp:
491 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
492 (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
493 * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
494 * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
495 (JSC::FTL::SnippetParams::SnippetParams):
496 * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
497 (JSC::Snippet::create):
498 (JSC::Snippet::setGenerator):
499 (JSC::Snippet::generator):
500 * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
501 (JSC::SnippetParams::~SnippetParams):
502 (JSC::SnippetParams::Value::Value):
503 (JSC::SnippetParams::Value::isGPR):
504 (JSC::SnippetParams::Value::isFPR):
505 (JSC::SnippetParams::Value::isJSValueRegs):
506 (JSC::SnippetParams::Value::gpr):
507 (JSC::SnippetParams::Value::fpr):
508 (JSC::SnippetParams::Value::jsValueRegs):
509 (JSC::SnippetParams::Value::reg):
510 (JSC::SnippetParams::Value::value):
511 (JSC::SnippetParams::SnippetParams):
512 * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
513 (JSC::SnippetReg::SnippetReg):
514 * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
516 (WTF::DOMJITNode::checkSubClassSnippet):
517 (WTF::DOMJITFunctionObject::checkSubClassSnippet):
518 (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
519 (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
520 * runtime/ClassInfo.h:
522 2017-05-26 Keith Miller <keith_miller@apple.com>
524 REGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
525 https://bugs.webkit.org/show_bug.cgi?id=172654
527 Reviewed by Mark Lam.
529 The test's intent is to assert that an exception has not been
530 thrown (as indicated by the message string), but the test was
531 erroneously checking for ! the right condition. This is now fixed.
533 * API/tests/JSExportTests.mm:
534 (wrapperForNSObjectisObject):
536 2017-05-26 Joseph Pecoraro <pecoraro@apple.com>
538 JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
539 https://bugs.webkit.org/show_bug.cgi?id=172664
540 <rdar://problem/32362933>
542 Reviewed by Matt Baker.
544 Automatically pause on connection was triggering a pause before the
545 frontend may have initialized. Often during frontend initialization
546 the frontend may perform an action that clears the pause state requested
547 by the developer. This change defers the pause until after the frontend
548 has initialized, right before returning to the application's code.
550 * inspector/remote/RemoteControllableTarget.h:
551 * inspector/remote/RemoteInspectionTarget.h:
552 * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
553 (Inspector::RemoteConnectionToTarget::setup):
554 * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
555 (Inspector::RemoteConnectionToTarget::setup):
556 * runtime/JSGlobalObjectDebuggable.cpp:
557 (JSC::JSGlobalObjectDebuggable::connect):
558 (JSC::JSGlobalObjectDebuggable::pause): Deleted.
559 * runtime/JSGlobalObjectDebuggable.h:
560 Pass an immediatelyPause boolean on to the controller. Remove
561 the current path that invokes a pause before initialization.
563 * inspector/JSGlobalObjectInspectorController.h:
564 * inspector/JSGlobalObjectInspectorController.cpp:
565 (Inspector::JSGlobalObjectInspectorController::connectFrontend):
566 (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
567 Manage should immediately pause state.
569 (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
570 (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
571 When initialized, trigger a pause if requested.
573 2017-05-26 Mark Lam <mark.lam@apple.com>
575 Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
576 https://bugs.webkit.org/show_bug.cgi?id=172655
578 Reviewed by Saam Barati.
580 * API/tests/JSExportTests.mm:
581 (wrapperForNSObjectisObject):
583 2017-05-26 Mark Lam <mark.lam@apple.com>
585 REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
586 https://bugs.webkit.org/show_bug.cgi?id=172651
588 Reviewed by Saam Barati.
590 This is because the assertion utility functions used in testCFStrings() expect
591 to get the JSGlobalContextRef from the global context variable. However,
592 testCFStrings() creates its own JSGlobalContextRef but does not set the global
593 context variable to it.
595 The fix is to make testCFStrings() initialize the global context variable properly.
597 * API/tests/testapi.c:
600 2017-05-26 Yusuke Suzuki <utatane.tea@gmail.com>
602 Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
603 https://bugs.webkit.org/show_bug.cgi?id=167805
605 Reviewed by Saam Barati.
607 Since ModuleProgramExecutable is executed only once, we can skip compiling
608 code unreachable from the current program count. This can skip massive
611 We already do this for global code in bug#167725. This patch extends it to
614 * interpreter/Interpreter.cpp:
615 (JSC::Interpreter::executeModuleProgram):
616 * interpreter/Interpreter.h:
618 (JSC::JIT::privateCompileMainPass):
619 * runtime/JSModuleRecord.cpp:
620 (JSC::JSModuleRecord::evaluate):
621 * runtime/JSModuleRecord.h:
622 (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.
624 2017-05-26 Oleksandr Skachkov <gskachkov@gmail.com>
626 Prevent async methods named 'function'
627 https://bugs.webkit.org/show_bug.cgi?id=172598
629 Reviewed by Mark Lam.
631 Prevent async method named 'function' in class.
632 Link to change in ecma262 specification
633 https://github.com/tc39/ecma262/pull/884
636 (JSC::Parser<LexerType>::parseClass):
638 2017-05-25 Yusuke Suzuki <utatane.tea@gmail.com>
640 Unreviewed, build fix for GCC
642 std::tuple does not have an implicit constructor.
643 Thus, we cannot use implicit construction with an initializer brace.
644 We should specify the name like `GetInst { }`.
646 * bytecompiler/BytecodeGenerator.h:
647 (JSC::StructureForInContext::addGetInst):
649 2017-05-25 Keith Miller <keith_miller@apple.com>
651 Cleanup tests after r217240
652 https://bugs.webkit.org/show_bug.cgi?id=172466
654 Reviewed by Mark Lam.
656 I forgot to make my test an actual test. Also, remove the second call to runJSExportTests()
658 * API/tests/JSExportTests.mm:
659 (wrapperForNSObjectisObject):
660 * API/tests/testapi.mm:
661 (testObjectiveCAPIMain):
663 2017-05-25 Michael Saboff <msaboff@apple.com>
665 The default setting of Option::criticalGCMemoryThreshold is too high for iOS
666 https://bugs.webkit.org/show_bug.cgi?id=172617
668 Reviewed by Mark Lam.
670 Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
671 when tested running JetStream.
675 2017-05-25 Saam Barati <sbarati@apple.com>
677 Our for-in optimization in the bytecode generator does its static analysis incorrectly
678 https://bugs.webkit.org/show_bug.cgi?id=172532
679 <rdar://problem/32369452>
681 Reviewed by Mark Lam.
683 Our static analysis for when a for-in induction variable
684 is written to tried to do its analysis as we generate
685 bytecode. This has issues, since it does not account for
686 the dynamic execution path of the program. Let's consider
687 a program where our old analysis worked:
691 o[p]; // We can transform this into a fast get_direct_pname
693 o[p]; // We cannot transform this since p has been changed.
697 However, our static analysis did not account for loops, which exist
698 in JavaScript. e.g, it would incorrectly compile this program as:
701 for (let i = 0; i < 20; ++i) {
702 o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
704 o[p]; // We correctly do not transform this.
709 Because of this flaw, I've made the optimization more conservative.
710 We now optimistically emit code for the optimized access. However,
711 if a for-in context is *ever* invalidated, before we pop it off
712 the stack, we rewrite the program's optimized accesses to no longer
713 be optimized. To do this, each context keeps track of its optimized
716 This patch also adds a new bytecode, op_nop, which is just a no-op.
717 It was helpful to add this because reverting get_direct_pname to get_by_val
718 will leave us with an extra instruction word because get_direct_pname
719 has a length of 7 where get_by_val has a length of 6. This leaves us with
720 an extra slot that we fill with an op_nop.
722 * bytecode/BytecodeDumper.cpp:
723 (JSC::BytecodeDumper<Block>::dumpBytecode):
724 * bytecode/BytecodeList.json:
725 * bytecode/BytecodeUseDef.h:
726 (JSC::computeUsesForBytecodeOffset):
727 (JSC::computeDefsForBytecodeOffset):
728 * bytecompiler/BytecodeGenerator.cpp:
729 (JSC::BytecodeGenerator::emitGetByVal):
730 (JSC::BytecodeGenerator::popIndexedForInScope):
731 (JSC::BytecodeGenerator::popStructureForInScope):
732 (JSC::BytecodeGenerator::invalidateForInContextForLocal):
733 (JSC::StructureForInContext::pop):
734 (JSC::IndexedForInContext::pop):
735 * bytecompiler/BytecodeGenerator.h:
736 (JSC::StructureForInContext::addGetInst):
737 (JSC::IndexedForInContext::addGetInst):
738 * dfg/DFGByteCodeParser.cpp:
739 (JSC::DFG::ByteCodeParser::parseBlock):
740 * dfg/DFGCapabilities.cpp:
741 (JSC::DFG::capabilityLevel):
743 (JSC::JIT::privateCompileMainPass):
745 * jit/JITOpcodes.cpp:
746 (JSC::JIT::emit_op_nop):
747 * llint/LowLevelInterpreter.asm:
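The entry above explains why a write to the for-in induction variable on a loop back edge invalidates the get_direct_pname fast path for an `o[p]` that textually precedes the write. The block below is an added example, not JSC code, that spells out the semantics the generated bytecode must preserve in both the straight-line case (which the old analysis handled) and the nested-loop case (which it did not); the objects and the `replacement` key are constructed for the example.

```javascript
"use strict";

// Added example, not JSC code: the semantics a for-in fast path must
// preserve. `p` is the for-in induction variable. get_direct_pname is only
// valid while `p` still holds the key the enumerator produced; after any
// write to `p`, every o[p] must behave as an ordinary get_by_val.

// Straight-line case: the first read precedes any write, the second read
// follows a (possibly taken) write. The old emit-time analysis got this right.
function readsWithConditionalWrite(o, replacement, mutateAfterFirst) {
  const reads = [];
  for (let p in o) {
    reads.push(o[p]);                      // p untouched so far
    if (mutateAfterFirst) p = replacement;
    reads.push(o[p]);                      // p may have changed: generic get
  }
  return reads;
}

// Nested-loop case: on the inner loop's second trip, the *first* o[p] runs
// after the write from the previous trip. Treating it as get_direct_pname
// would return the enumerated property instead of o[replacement].
function readsThroughMutatedInductionVariable(o, replacement) {
  const reads = [];
  for (let p in o) {
    for (let i = 0; i < 2; ++i) {
      reads.push(o[p]);                    // i == 0: enumerated key; i == 1: replacement
      p = replacement;
      reads.push(o[p]);
    }
  }
  return reads;
}

// Joins results so undefined (a missing key) is visible in comparisons.
function render(reads) {
  return reads.map(String).join(",");
}
```

For `{a: 1, b: 2}` with `replacement = "b"`, the nested-loop function must return `1,2,2,2,2,2,2,2`; an engine that kept the optimized access for the first read would instead report `1` again on the inner loop's second trip, which is the mismatch the entry's rewrite-to-get_by_val fix prevents.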
749 2017-05-25 Mark Lam <mark.lam@apple.com>
751 ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
752 https://bugs.webkit.org/show_bug.cgi?id=172548
753 <rdar://problem/31458393>
755 Reviewed by Filip Pizlo.
757 Consider the following scenario:
759 1. A ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1, watches for
760 structure transitions, e.g. structure S2 transitioning to structure S3.
761 In this case, O1 would be installed in S2's watchpoint set.
762 2. When the structure transition happens, structure S2 will fire watchpoint O1.
763 3. O1's handler will normally re-install itself in the watchpoint set of the new
764 "transitioned to" structure S3.
765 4. "Installation" here requires writing into the StructureRareData SD3 of the new
766 structure S3. If SD3 does not exist yet, the installation process will trigger
767 the allocation of StructureRareData SD3.
768 5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
769 ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
770 by the GC, and therefore will be collected soon.
771 6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
772 SD1. This, in turn, triggers the deletion of the
773 ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.
775 After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
776 AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
777 structure S3's watchpoint set. This is obviously incorrect because O1 is already
778 deleted. The result is that badness happens later when S3's watchpoint set fires
779 its watchpoints and accesses the deleted O1.
781 The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
782 check if "this" is still valid before proceeding to re-install itself or to
783 invoke its handleFire() method.
785 ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
786 AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
787 and return false if its owner StructureRareData is no longer reachable by the GC.
788 This ensures that it won't be deleted while it's installed in any watchpoint set.
790 Additional considerations and notes:
791 1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
792 being installed in watchpoint sets. What actually happens is that
793 ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
794 (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
795 watchpoint sets. The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
796 not itself a Watchpoint object.
798 But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
799 instead of its Watchpoint members. The description of the issue is still
800 accurate given the life-cycle of the Watchpoint members are embedded in the
801 enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
802 hence, they share the same life-cycle.
804 2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
805 m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
806 watchpoint sets. This is safe to do even if the owner StructureRareData is no
807 longer reachable by the GC.
809 This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
810 is if its Watchpoint members are still installed in some watchpoint set that
811 fired. This means that the AdaptiveInferredPropertyValueWatchpointBase
812 instance has not been deleted yet, because its destructor will automatically
813 remove the Watchpoint members from any watchpoint sets.
815 * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
816 (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
817 (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
818 * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
820 (JSC::FreeList::contains):
823 * heap/HeapCellInlines.h:
824 (JSC::HeapCell::isLive):
825 * heap/MarkedAllocator.h:
826 (JSC::MarkedAllocator::isFreeListedCell):
827 * heap/MarkedBlock.h:
828 * heap/MarkedBlockInlines.h:
829 (JSC::MarkedBlock::Handle::isFreeListedCell):
830 * runtime/StructureRareData.cpp:
831 (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):
833 2017-05-23 Saam Barati <sbarati@apple.com>
835 We should not mmap zero bytes for a memory in Wasm
836 https://bugs.webkit.org/show_bug.cgi?id=172528
837 <rdar://problem/32257076>
839 Reviewed by Mark Lam.
841 This patch fixes a bug where we would call into mmap with zero bytes
842 when creating a slow WasmMemory with zero initial page size. This fix
843 is simple: if we don't have any initial bytes, we just call the constructor
844 in WasmMemory that's meant to handle this case.
846 * wasm/WasmMemory.cpp:
847 (JSC::Wasm::Memory::create):
849 2017-05-23 Brian Burg <bburg@apple.com>
851 REGRESSION(r217051): Automation sessions fail to complete bootstrap
852 https://bugs.webkit.org/show_bug.cgi?id=172513
853 <rdar://problem/32338354>
855 Reviewed by Joseph Pecoraro.
857 The changes to be more strict about typechecking messages were too strict.
859 * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
860 (Inspector::RemoteInspector::receivedSetupMessage):
861 WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
862 into an NSDictionary as NSNull if the key isn't present in a forwarded command.
863 We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
864 [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.
866 2017-05-23 Myles C. Maxfield <mmaxfield@apple.com>
868 Remove dead ENABLE(FONT_LOAD_EVENTS) code
869 https://bugs.webkit.org/show_bug.cgi?id=172517
871 Rubber-stamped by Simon Fraser.
873 * Configurations/FeatureDefines.xcconfig:
875 2017-05-23 Saam Barati <sbarati@apple.com>
877 CFGSimplificationPhase should not merge a block with itself
878 https://bugs.webkit.org/show_bug.cgi?id=172508
879 <rdar://problem/28424006>
881 Reviewed by Keith Miller.
883 CFGSimplificationPhase can run into or create IR that ends up with a
884 block that has a Jump to itself, and no other predecessors. It should
885 gracefully handle such IR. Before this patch, it would not. The only criterion
886 for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
887 The code is written in such a way that if we merge a block with itself, we
888 will loop infinitely until we run out of memory.
890 Merging a block with itself does not make sense for a few reasons. First,
891 we're joining the contents of two blocks. What is the definition of joining
892 a block with itself? I suppose we could simply unroll this self loop
893 one level, but that would not be wise because this self loop is by definition
894 unreachable unless it's the root block in the graph (which I think is
895 invalid IR since we'd never generate bytecode that would do this).
897 This patch employs an easy fix: we can't merge a block with itself.
899 * dfg/DFGCFGSimplificationPhase.cpp:
900 (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
901 (JSC::DFG::CFGSimplificationPhase::run):
902 (JSC::DFG::CFGSimplificationPhase::convertToJump):
903 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
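The merge criterion described in this entry, as an added example that is not JSC code: a toy block-merging pass in JavaScript. The block and graph shapes (makeBlock, the Jump/Return terminals, simplify) are this example's own; only the rule "merge only when the target has exactly one predecessor, and never a block with itself" comes from the entry.

```javascript
// Added example (not JSC code): a toy CFG merge pass modelled on the
// CFGSimplificationPhase rule in the entry above. Block and graph shapes
// are hypothetical; only the merge criterion is taken from the ChangeLog.

// A block holds a list of instruction strings and ends in either
// { kind: "Jump", target } or { kind: "Return" }. Predecessor lists are
// derived from successors so the two can never disagree.
function makeBlock(name, instructions, terminal) {
  return { name, instructions: [...instructions], terminal };
}

function successorsOf(block) {
  return block.terminal.kind === "Jump" ? [block.terminal.target] : [];
}

function predecessorsOf(graph, block) {
  return graph.blocks.filter((b) => successorsOf(b).includes(block));
}

// The fixed criterion: 'block' may absorb 'targetBlock' only if targetBlock
// has exactly one predecessor AND that predecessor is not targetBlock itself.
// Before the fix the second condition was missing, so a block whose only
// predecessor was itself (an unreachable self-loop) was merged with itself,
// which in JSC meant looping until memory ran out.
function canMergeBlocks(graph, block, targetBlock) {
  if (block === targetBlock) return false; // the fix from the entry above
  const preds = predecessorsOf(graph, targetBlock);
  return preds.length === 1 && preds[0] === block;
}

// Merge targetBlock's body into block, take over its terminal, and drop it.
function mergeBlocks(graph, block, targetBlock) {
  block.instructions.push(...targetBlock.instructions);
  block.terminal = targetBlock.terminal;
  graph.blocks = graph.blocks.filter((b) => b !== targetBlock);
}

// Run to a fixpoint, with an iteration guard so a wrong criterion surfaces
// as an error rather than consuming memory until the process dies.
function simplify(graph, maxIterations = 1000) {
  let changed = true;
  let iterations = 0;
  while (changed) {
    if (++iterations > maxIterations) throw new Error("merge did not converge");
    changed = false;
    for (const block of graph.blocks) {
      if (block.terminal.kind !== "Jump") continue;
      const target = block.terminal.target;
      if (canMergeBlocks(graph, block, target)) {
        mergeBlocks(graph, block, target);
        changed = true;
        break; // graph.blocks changed; restart the scan
      }
    }
  }
  return graph;
}

// Constructed inputs: a straight-line chain that should collapse into one
// block, and an unreachable self-looping block that must be left alone.
function buildChain() {
  const c = makeBlock("C", ["c1"], { kind: "Return" });
  const b = makeBlock("B", ["b1"], { kind: "Jump", target: c });
  const a = makeBlock("A", ["a1"], { kind: "Jump", target: b });
  return { blocks: [a, b, c] };
}

function buildSelfLoop() {
  const root = makeBlock("root", ["r1"], { kind: "Return" });
  const loop = makeBlock("loop", ["l1"], { kind: "Jump" });
  loop.terminal.target = loop; // its only predecessor is itself
  return { blocks: [root, loop] };
}
```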
905 2017-05-22 Brian Burg <bburg@apple.com>
907 Web Inspector: webkit reload policy should match default behavior
908 https://bugs.webkit.org/show_bug.cgi?id=171385
909 <rdar://problem/31871515>
911 Reviewed by Joseph Pecoraro.
913 Add a new option to Page.reload that allows the test harness
914 to reload its test page using the old reload behavior.
916 The new behavior of revalidating expired cached subresources only
917 is the current default, since only the test harness needs the old behavior.
919 * inspector/protocol/Page.json:
921 2017-05-22 Keith Miller <keith_miller@apple.com>
923 [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
924 https://bugs.webkit.org/show_bug.cgi?id=167708
926 Reviewed by Geoffrey Garen.
928 This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
929 class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.
931 Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
932 creating a wrapper for NSObject.
937 (-[JSContext ensureWrapperMap]):
938 (-[JSContext initWithVirtualMachine:]):
939 (-[JSContext dealloc]):
940 (-[JSContext wrapperMap]):
941 (-[JSContext initWithGlobalContextRef:]):
942 (-[JSContext wrapperForObjCObject:]):
943 (-[JSContext wrapperForJSObject:]):
944 * API/JSWrapperMap.h:
945 * API/JSWrapperMap.mm:
946 (-[JSObjCClassInfo initForClass:]):
947 (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
948 (-[JSObjCClassInfo wrapperForObject:inContext:]):
949 (-[JSObjCClassInfo constructorInContext:]):
950 (-[JSObjCClassInfo prototypeInContext:]):
951 (-[JSWrapperMap initWithGlobalContextRef:]):
952 (-[JSWrapperMap classInfoForClass:]):
953 (-[JSWrapperMap jsWrapperForObject:inContext:]):
954 (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
955 (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
956 (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
957 (-[JSObjCClassInfo wrapperForObject:]): Deleted.
958 (-[JSObjCClassInfo constructor]): Deleted.
959 (-[JSObjCClassInfo prototype]): Deleted.
960 (-[JSWrapperMap initWithContext:]): Deleted.
961 (-[JSWrapperMap jsWrapperForObject:]): Deleted.
962 (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
963 * API/tests/JSExportTests.mm:
964 (wrapperLifetimeIsTiedToGlobalObject):
966 * API/tests/testapi.mm:
967 * runtime/JSGlobalObject.h:
968 (JSC::JSGlobalObject::wrapperMap):
969 (JSC::JSGlobalObject::setWrapperMap):
971 2017-05-22 Filip Pizlo <fpizlo@apple.com>
973 FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
974 https://bugs.webkit.org/show_bug.cgi?id=172455
976 Reviewed by Mark Lam.
978 The FTL needs to run B3's callee-save register restoration before it runs the exception
979 handler's callee-save register restoration. This exposes B3's callee-save register
980 algorithm in AssemblyHelpers so that the FTL can call it.
982 * b3/air/AirGenerate.cpp:
983 (JSC::B3::Air::generate):
984 * ftl/FTLLowerDFGToB3.cpp:
985 (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
986 * heap/Subspace.cpp: Added some debugging support.
987 (JSC::Subspace::allocate):
988 (JSC::Subspace::tryAllocate):
989 (JSC::Subspace::didAllocate):
991 * jit/AssemblyHelpers.h:
992 (JSC::AssemblyHelpers::addressFor):
993 (JSC::AssemblyHelpers::emitSave):
994 (JSC::AssemblyHelpers::emitRestore):
996 2017-05-20 Yusuke Suzuki <utatane.tea@gmail.com>
998 [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
999 https://bugs.webkit.org/show_bug.cgi?id=172216
1001 Reviewed by Saam Barati.
1003 This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
1004 To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
1005 ArrayStorage and SlowPutArrayStorage, and produces the vector length.
1006 CheckInBounds uses this vector length to perform bound checking for ArrayStorage
1007 and SlowPutArrayStorage.
1009 * dfg/DFGAbstractInterpreterInlines.h:
1010 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1011 * dfg/DFGArrayMode.cpp:
1012 (JSC::DFG::permitsBoundsCheckLowering):
1013 * dfg/DFGClobberize.h:
1014 (JSC::DFG::clobberize):
1015 * dfg/DFGDoesGC.cpp:
1017 * dfg/DFGFixupPhase.cpp:
1018 (JSC::DFG::FixupPhase::fixupNode):
1019 * dfg/DFGHeapLocation.cpp:
1020 (WTF::printInternal):
1021 * dfg/DFGHeapLocation.h:
1022 * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1024 (JSC::DFG::Node::hasArrayMode):
1025 * dfg/DFGNodeType.h:
1026 * dfg/DFGPredictionPropagationPhase.cpp:
1027 * dfg/DFGSSALoweringPhase.cpp:
1028 (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1029 * dfg/DFGSafeToExecute.h:
1030 (JSC::DFG::safeToExecute):
1031 * dfg/DFGSpeculativeJIT32_64.cpp:
1032 (JSC::DFG::SpeculativeJIT::compile):
1033 * dfg/DFGSpeculativeJIT64.cpp:
1034 (JSC::DFG::SpeculativeJIT::compile):
1035 * ftl/FTLAbstractHeapRepository.h:
1036 (JSC::FTL::AbstractHeapRepository::forIndexingType):
1037 (JSC::FTL::AbstractHeapRepository::forArrayType):
1038 * ftl/FTLCapabilities.cpp:
1039 (JSC::FTL::canCompile):
1040 * ftl/FTLLowerDFGToB3.cpp:
1041 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1042 (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
1043 (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1044 * jit/JITPropertyAccess.cpp:
1045 (JSC::JIT::emitArrayStoragePutByVal):
1046 * jit/JITPropertyAccess32_64.cpp:
1047 (JSC::JIT::emitArrayStorageLoad):
1048 (JSC::JIT::emitArrayStoragePutByVal):
1050 2017-05-21 Saam Barati <sbarati@apple.com>
1052 We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
1053 https://bugs.webkit.org/show_bug.cgi?id=171041
1054 <rdar://problem/32082516>
1056 Reviewed by Yusuke Suzuki.
1058 We were treating a for-loop variable declaration potentially as a top
1059 level statement, e.g., in a program like this:
1062 for (let variable of expr) { }
1065 But we should not be. This had the consequence of making this type of program
1066 throw a syntax error:
1069 for (let arg of expr) { }
1072 even though it should not. The fix is simple: we just need to increment the
1073 statement depth before parsing anything inside the for loop.
1075 * parser/Parser.cpp:
1076 (JSC::Parser<LexerType>::parseForStatement):
1078 2017-05-19 Yusuke Suzuki <utatane.tea@gmail.com>
1080 [JSC] Make get_by_val & string "499" to number 499
1081 https://bugs.webkit.org/show_bug.cgi?id=172225
1083 Reviewed by Saam Barati.
1085 A property subscript will be converted by ToString. So JS code is not aware of
1086 the original type of the subscript value. But our get_by_val can leverage
1087 this information if the given subscript is a number. Thus, passing a number instead of
1088 a string can improve the performance of get_by_val in all the tiers.
1090 In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to
1091 convert the given value to Int32 index constant if the given value is a string
1092 that can be converted to Int32.
1094 This patch improves SixSpeed map-string.es5 by 9.8x. This accessing form can
1095 appear in some code like accessing the result of JSON.
1097 map-string.es5 1640.6738+-110.9182 ^ 167.4121+-23.8328 ^ definitely 9.8002x faster
1099 * bytecompiler/BytecodeGenerator.h:
1100 (JSC::BytecodeGenerator::emitNodeForProperty):
1101 (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty):
1102 * bytecompiler/NodesCodegen.cpp:
1103 (JSC::TaggedTemplateNode::emitBytecode):
1104 (JSC::BracketAccessorNode::emitBytecode):
1105 (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
1106 (JSC::FunctionCallBracketNode::emitBytecode):
1107 (JSC::PostfixNode::emitBracket):
1108 (JSC::PrefixNode::emitBracket):
1109 (JSC::AssignBracketNode::emitBytecode):
1110 (JSC::ReadModifyBracketNode::emitBytecode):
1111 (JSC::ForInNode::emitLoopHeader):
1112 (JSC::ForOfNode::emitBytecode):
1113 (JSC::ObjectPatternNode::bindValue):
1114 (JSC::AssignmentElementNode::bindValue):
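The condition under which a string subscript may be replaced by an Int32 constant, as an added example in JavaScript that is not JSC's BytecodeGenerator code. The helper names (int32IndexConstant, getByVal) and the exact rule are this example's own; the entry only says "a string that can be converted to Int32".

```javascript
// Added example (not JSC code): when is it sound to rewrite obj["499"] as
// obj[499]? The property key is ToString(subscript) by spec, so the rewrite
// is only exact when ToString(n) gives back the original string. "0499",
// "+499", " 499", "-0" and anything outside Int32 range must stay strings.
const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Returns the Int32 constant to use instead of the string, or null when the
// subscript must be left as it is.
function int32IndexConstant(subscript) {
  if (typeof subscript !== "string") return null;
  // Canonical decimal integer: optional minus, no leading zeros, digits only.
  if (!/^-?(?:0|[1-9][0-9]*)$/.test(subscript)) return null;
  if (subscript === "-0") return null; // ToString(-0) is "0", not "-0"
  const n = Number(subscript);
  if (n < INT32_MIN || n > INT32_MAX) return null;
  // Defensive re-check of the soundness condition itself.
  if (String(n) !== subscript) return null;
  return n;
}

// Emitting a property access: use the numeric constant when the rewrite is
// exact, otherwise keep the original key. Both paths must read the same slot.
function getByVal(object, subscript) {
  const constant = int32IndexConstant(subscript);
  return constant === null ? object[subscript] : object[constant];
}

// Constructed sample object with the kinds of keys that matter here.
const sample = {
  499: "numeric",
  "0499": "leading zero",
  "-1": "negative",
  "-0": "minus zero",
};
```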
1116 2017-05-21 Saam Barati <sbarati@apple.com>
1118 We overwrite the callee save space on the stack when throwing stack overflow from wasm
1119 https://bugs.webkit.org/show_bug.cgi?id=172316
1121 Reviewed by Mark Lam.
1123 When throwing a stack overflow exception, the overflow
1124 thunk would do the following:
1126 populate argument registers
1129 However, the C function is allowed to clobber our spilled
1130 callee saves that live below fp. The reason I did this move is that
1131 when we jump to this code, we've proven that sp is out of bounds on
1132 the stack. So we're not allowed to just use its value or keep growing
1133 the stack from that point. However, this patch revises this approach
1134 to be the same in spirit, but actually correct. We conservatively assume
1135 the B3 function we're coming from could have saved all callee saves.
1136 So we emit code like this now:
1137 add -maxNumCalleeSaveSpace, fp, sp
1138 populate argument registers
1141 This ensures our callee saves will not be overwritten. Note
1142 that fp is still in a valid stack range here, since the thing
1143 calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace
1144 is less than our redzone size, so it's safe to decrement sp by
1147 The previously added wasm stack overflow test is an instant crash
1148 without this change on arm64. It also appears that this test crashed
1149 on some other x86 devices.
1151 * wasm/WasmThunks.cpp:
1152 (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
1154 2017-05-20 Chris Dumez <cdumez@apple.com>
1156 Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport
1157 https://bugs.webkit.org/show_bug.cgi?id=172418
1159 Reviewed by Youenn Fablet.
1161 Add CommonIdentifiers that are now needed.
1163 * runtime/CommonIdentifiers.h:
1165 2017-05-20 Yusuke Suzuki <utatane.tea@gmail.com>
1167 Unreviewed, add scope.release() to propertyIsEnumerable functions.
1168 https://bugs.webkit.org/show_bug.cgi?id=172411
1170 * runtime/JSGlobalObjectFunctions.cpp:
1171 (JSC::globalFuncPropertyIsEnumerable):
1172 * runtime/ObjectPrototype.cpp:
1173 (JSC::objectProtoFuncPropertyIsEnumerable):
1175 2017-05-20 Yusuke Suzuki <utatane.tea@gmail.com>
1178 https://bugs.webkit.org/show_bug.cgi?id=172417
1180 Reviewed by Sam Weinig.
1182 MapBase is a purely additional indirection. JSMap and JSSet can directly inherit HashMapImpl.
1183 Thus MapBase is unnecessary. This patch drops it.
1184 It is good because we can eliminate one indirection when accessing the map implementation.
1185 Moreover, we can drop one unnecessary allocation per Map and Set.
1188 * JavaScriptCore.xcodeproj/project.pbxproj:
1189 * dfg/DFGSpeculativeJIT64.cpp:
1190 (JSC::DFG::SpeculativeJIT::compile):
1191 * ftl/FTLAbstractHeapRepository.h:
1192 * ftl/FTLLowerDFGToB3.cpp:
1193 (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1194 * runtime/HashMapImpl.cpp:
1195 (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
1196 (JSC::getHashMapImplKeyClassInfo): Deleted.
1197 (JSC::getHashMapImplKeyValueClassInfo): Deleted.
1198 * runtime/HashMapImpl.h:
1199 (JSC::HashMapImpl::finishCreation):
1200 (JSC::HashMapImpl::get):
1201 (JSC::HashMapImpl::info): Deleted.
1202 (JSC::HashMapImpl::createStructure): Deleted.
1203 (JSC::HashMapImpl::create): Deleted.
1206 (JSC::JSMap::get): Deleted.
1207 * runtime/JSMapIterator.cpp:
1208 (JSC::JSMapIterator::finishCreation):
1210 (JSC::JSSet::add): Deleted.
1211 * runtime/JSSetIterator.cpp:
1212 (JSC::JSSetIterator::finishCreation):
1213 * runtime/MapBase.cpp: Removed.
1214 * runtime/MapBase.h: Removed.
1215 * runtime/MapPrototype.cpp:
1216 (JSC::mapProtoFuncSize):
1217 * runtime/SetConstructor.cpp:
1218 (JSC::constructSet):
1219 * runtime/SetPrototype.cpp:
1220 (JSC::setProtoFuncSize):
1224 2017-05-20 Yusuke Suzuki <utatane.tea@gmail.com>
1226 [JSC] Speedup Object.assign for slow case by using propertyIsEnumerable
1227 https://bugs.webkit.org/show_bug.cgi?id=172411
1229 Reviewed by Sam Weinig.
1231 We use @Reflect.@getOwnPropertyDescriptor() to check
1233 1. the descriptor exists,
1234 2. and the descriptor.enumerable is true
1236 But Object::propertyIsEnumerable does exactly the same thing without
1237 allocating a new object for property descriptor.
1239 In this patch, we add a new private function @propertyIsEnumerable, and
1240 use it in Object.assign implementation. It does not allocate unnecessary
1241 objects. It is good for GC-pressure and performance.
1243 This patch improves SixSpeed object-assign.es6 by 1.7x. While this patch
1244 does not introduce a fast path for objects that do not have accessors,
1245 which could speed things up further, it does speed up the common
1246 slow path cases that are the current implementation of Object.assign.
1248 object-assign.es6 1103.2487+-21.5602 ^ 621.8478+-34.9875 ^ definitely 1.7741x faster
1250 * builtins/BuiltinNames.h:
1251 * builtins/ObjectConstructor.js:
1252 (globalPrivate.enumerableOwnProperties):
1254 * runtime/JSGlobalObject.cpp:
1255 (JSC::JSGlobalObject::init):
1256 * runtime/JSGlobalObjectFunctions.cpp:
1257 (JSC::globalFuncPropertyIsEnumerable):
1258 * runtime/JSGlobalObjectFunctions.h:
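The two ways of writing the Object.assign slow path that this entry compares, as an added example in JavaScript that is not JSC's builtin. The function names are this example's own; both follow the same spec steps, and the captured intrinsics stand in for the private @-names the builtin uses so that a source object cannot override the check.

```javascript
// Added example (not JSC's builtin): the Object.assign slow path written
// first with a materialised property descriptor and then with
// propertyIsEnumerable, which asks the same question without allocating.

// Capture the intrinsics once so that a source object overriding
// propertyIsEnumerable or getOwnPropertyDescriptor cannot change what we
// check. (JSC's builtin reaches the same goal with private @-names.)
const ownKeys = Reflect.ownKeys;
const getOwnPropertyDescriptor = Reflect.getOwnPropertyDescriptor;
const propertyIsEnumerable = Function.prototype.call.bind(
  Object.prototype.propertyIsEnumerable
);

// Before: allocate a descriptor object per key just to read .enumerable.
function assignViaDescriptor(target, ...sources) {
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of ownKeys(from)) {
      const desc = getOwnPropertyDescriptor(from, key);
      if (desc !== undefined && desc.enumerable) target[key] = from[key];
    }
  }
  return target;
}

// After: same decision, no descriptor allocation.
function assignViaPropertyIsEnumerable(target, ...sources) {
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of ownKeys(from)) {
      if (propertyIsEnumerable(from, key)) target[key] = from[key];
    }
  }
  return target;
}

// Constructed source exercising what makes this the slow path: an accessor
// (so the fast memcpy-style path is off the table), a non-enumerable key,
// a symbol key, and an own propertyIsEnumerable override that lies about
// every key. The override is itself an enumerable own property and is copied
// like any other; it must not influence the check.
const hidden = Symbol("hidden");
function makeSource() {
  const src = {
    plain: 1,
    get computed() { return this.plain + 1; },
    [hidden]: "sym",
    propertyIsEnumerable() { return false; },
  };
  Object.defineProperty(src, "secret", { value: "no", enumerable: false });
  return src;
}

// Both hand-written variants and the engine's Object.assign must agree on
// which keys are copied and on the getter's observed value.
function sameResult() {
  const a = assignViaDescriptor({}, makeSource());
  const b = assignViaPropertyIsEnumerable({}, makeSource());
  const c = Object.assign({}, makeSource());
  const keysOf = (o) => ownKeys(o).map(String).sort().join(",");
  return keysOf(a) === keysOf(b) && keysOf(b) === keysOf(c)
    && a.computed === 2 && b.computed === 2 && c.computed === 2
    && !("secret" in a) && !("secret" in b) && !("secret" in c);
}
```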
1260 2017-05-19 Yusuke Suzuki <utatane.tea@gmail.com>
1262 [JSC] Enable testapi on Mac CMake build
1263 https://bugs.webkit.org/show_bug.cgi?id=172354
1265 Reviewed by Alex Christensen.
1267 This patch makes testapi buildable and runnable for Mac CMake port.
1269 * API/tests/DateTests.mm:
1270 (+[DateTests JSDateToNSDateTest]):
1271 (+[DateTests roundTripThroughJSDateTest]):
1272 This test only works with the en_US locale.
1274 * shell/CMakeLists.txt:
1275 * shell/PlatformMac.cmake:
1276 Some of the tests rely on ARC. We enable ARC for those files.
1278 * shell/PlatformWin.cmake:
1281 2017-05-19 Mark Lam <mark.lam@apple.com>
1283 [Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
1284 https://bugs.webkit.org/show_bug.cgi?id=172383
1285 <rdar://problem/31418651>
1287 Reviewed by Filip Pizlo.
1289 pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
1290 available as a scratch register. This assumption is wrong if this canTrample
1291 register is used for a silentFill() after an operation that returns a result in
1294 Turns out the only reason we need the canTrample register is for
1295 SetDoubleConstant. We can remove the need for this canTrample register by
1296 introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
1297 job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
1298 ARM64. In so doing, we can simplify the silentFill() code and eliminate the bug.
1300 Update for re-landing: Changed ARM64 to use scratchRegister() as well.
1301 scratchRegister() is the proper way to get the underlying dataMemoryTempRegister()
1302 as a scratch register.
1304 * assembler/MacroAssembler.h:
1305 (JSC::MacroAssembler::moveDouble):
1306 * dfg/DFGArrayifySlowPathGenerator.h:
1307 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1308 (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1309 * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1310 * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1311 * dfg/DFGSlowPathGenerator.h:
1312 (JSC::DFG::CallSlowPathGenerator::tearDown):
1313 * dfg/DFGSpeculativeJIT.cpp:
1314 (JSC::DFG::SpeculativeJIT::silentFill):
1315 (JSC::DFG::SpeculativeJIT::compileToLowerCase):
1316 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1317 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1318 (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
1319 (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
1320 (JSC::DFG::SpeculativeJIT::compileArithDiv):
1321 (JSC::DFG::SpeculativeJIT::compileArraySlice):
1322 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1323 (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1324 (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1325 * dfg/DFGSpeculativeJIT.h:
1326 (JSC::DFG::SpeculativeJIT::silentFill):
1327 (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1328 (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
1329 (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
1330 * dfg/DFGSpeculativeJIT32_64.cpp:
1331 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1332 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1333 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1334 (JSC::DFG::SpeculativeJIT::emitCall):
1335 (JSC::DFG::SpeculativeJIT::compile):
1336 * dfg/DFGSpeculativeJIT64.cpp:
1337 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1338 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1339 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1340 (JSC::DFG::SpeculativeJIT::emitCall):
1341 (JSC::DFG::SpeculativeJIT::compile):
1342 (JSC::DFG::SpeculativeJIT::convertAnyInt):
1344 2017-05-19 Ryan Haddad <ryanhaddad@apple.com>
1346 Unreviewed, rolling out r217156.
1348 This change broke the iOS build.
1352 "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
1354 https://bugs.webkit.org/show_bug.cgi?id=172383
1355 http://trac.webkit.org/changeset/217156
1357 2017-05-19 Mark Lam <mark.lam@apple.com>
1359 Add missing exception check.
1360 https://bugs.webkit.org/show_bug.cgi?id=172346
1361 <rdar://problem/32289640>
1363 Reviewed by Geoffrey Garen.
1365 * runtime/JSObject.cpp:
1366 (JSC::JSObject::hasInstance):
1368 2017-05-19 Mark Lam <mark.lam@apple.com>
1370 DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
1371 https://bugs.webkit.org/show_bug.cgi?id=172383
1372 <rdar://problem/31418651>
1374 Reviewed by Filip Pizlo.
1376 pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
1377 available as a scratch register. This assumption is wrong if this canTrample
1378 register is used for a silentFill() after an operation that returns a result in
1381 Turns out the only reason we need the canTrample register is for
1382 SetDoubleConstant. We can remove the need for this canTrample register by
1383 introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
1384 job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
1385 ARM64. In so doing, we can simplify the silentFill() code and eliminate the bug.
1387 * assembler/MacroAssembler.h:
1388 (JSC::MacroAssembler::moveDouble):
1389 * dfg/DFGArrayifySlowPathGenerator.h:
1390 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1391 (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
1392 * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
1393 * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1394 * dfg/DFGSlowPathGenerator.h:
1395 (JSC::DFG::CallSlowPathGenerator::tearDown):
1396 * dfg/DFGSpeculativeJIT.cpp:
1397 (JSC::DFG::SpeculativeJIT::silentFill):
1398 (JSC::DFG::SpeculativeJIT::compileToLowerCase):
1399 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1400 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1401 (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
1402 (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
1403 (JSC::DFG::SpeculativeJIT::compileArithDiv):
1404 (JSC::DFG::SpeculativeJIT::compileArraySlice):
1405 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1406 (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1407 (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
1408 * dfg/DFGSpeculativeJIT.h:
1409 (JSC::DFG::SpeculativeJIT::silentFill):
1410 (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
1411 (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
1412 (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
1413 * dfg/DFGSpeculativeJIT32_64.cpp:
1414 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1415 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1416 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1417 (JSC::DFG::SpeculativeJIT::emitCall):
1418 (JSC::DFG::SpeculativeJIT::compile):
1419 * dfg/DFGSpeculativeJIT64.cpp:
1420 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1421 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1422 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1423 (JSC::DFG::SpeculativeJIT::emitCall):
1424 (JSC::DFG::SpeculativeJIT::compile):
1425 (JSC::DFG::SpeculativeJIT::convertAnyInt):
1427 2017-05-19 Filip Pizlo <fpizlo@apple.com>
1429 Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy
1430 https://bugs.webkit.org/show_bug.cgi?id=172382
1432 Reviewed by Saam Barati.
1434 This is just a small clean-up - my last patch here created some unnecessary code duplication.
1436 * runtime/ArrayPrototype.cpp:
1437 (JSC::arrayProtoPrivateFuncConcatMemcpy):
1439 2017-05-19 Filip Pizlo <fpizlo@apple.com>
1441 arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided
1442 https://bugs.webkit.org/show_bug.cgi?id=172369
1444 Reviewed by Mark Lam.
1446 * heap/Subspace.cpp: Reshaped the code a bit to aid debugging.
1447 (JSC::Subspace::allocate):
1448 (JSC::Subspace::tryAllocate):
1449 * runtime/ArrayPrototype.cpp:
1450 (JSC::arrayProtoPrivateFuncConcatMemcpy): Fix the bug!
1451 * runtime/ObjectInitializationScope.cpp: Provide even better feedback.
1452 (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
1454 2017-05-18 Filip Pizlo <fpizlo@apple.com>
1456 B3::Value::effects() says that having a fence range implies the fence bit, but on x86_64 we lower loadAcq/storeRel to load/store so the store-before-load fence bit orderings won't be honored
1457 https://bugs.webkit.org/show_bug.cgi?id=172306
1459 Reviewed by Michael Saboff.
1461 This changes B3 to emit xchg and its variants for fenced stores on x86. This ensures that
1462 fenced stores cannot be reordered around other fenced instructions. Previously, B3 emitted
1463 normal store instructions for fenced stores. That's wrong because then you get reorderings
1464 that are possible in TSO but impossible in SC. Fenced instructions are supposed to be SC
1465 with respect to each other.
1467 This is imprecise. If you really just wanted a store-release, then every X86 store does this.
1468 But, in B3, fenced stores are ARM-style store-release, meaning that they are fenced with
1469 respect to all other fences. If we ever did want to say that something is a store release in
1470 the traditional sense, then we'd want MemoryValue to have a fence flag. Then, having a fence
1471 range without the fence flag would mean the traditional store-release, which lowers to a
1472 normal store on x86. But to my knowledge, that traditional store-release is only useful for
1473 unlocking spinlocks. We don't use spinlocks in JSC. Adaptive locks require CAS for unlock,
1474 and B3 CAS is plenty fast. I think it's OK to have this small imprecision of giving clients
1475 an ARM-style store-release on x86 using xchg.
1477 The implication of this change is that the FTL no longer violates the SAB memory model.
1479 * assembler/MacroAssemblerX86Common.h:
1480 (JSC::MacroAssemblerX86Common::xchg8):
1481 (JSC::MacroAssemblerX86Common::xchg16):
1482 (JSC::MacroAssemblerX86Common::xchg32):
1483 (JSC::MacroAssemblerX86Common::loadAcq8): Deleted.
1484 (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32): Deleted.
1485 (JSC::MacroAssemblerX86Common::loadAcq16): Deleted.
1486 (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32): Deleted.
1487 (JSC::MacroAssemblerX86Common::loadAcq32): Deleted.
1488 (JSC::MacroAssemblerX86Common::storeRel8): Deleted.
1489 (JSC::MacroAssemblerX86Common::storeRel16): Deleted.
1490 (JSC::MacroAssemblerX86Common::storeRel32): Deleted.
1491 * assembler/MacroAssemblerX86_64.h:
1492 (JSC::MacroAssemblerX86_64::xchg64):
1493 (JSC::MacroAssemblerX86_64::loadAcq64): Deleted.
1494 (JSC::MacroAssemblerX86_64::storeRel64): Deleted.
1495 * b3/B3LowerToAir.cpp:
1496 (JSC::B3::Air::LowerToAir::ArgPromise::inst):
1497 (JSC::B3::Air::LowerToAir::trappingInst):
1498 (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1499 (JSC::B3::Air::LowerToAir::createStore):
1500 (JSC::B3::Air::LowerToAir::storeOpcode):
1501 (JSC::B3::Air::LowerToAir::appendStore):
1502 (JSC::B3::Air::LowerToAir::append):
1503 (JSC::B3::Air::LowerToAir::appendTrapping):
1504 (JSC::B3::Air::LowerToAir::fillStackmap):
1505 (JSC::B3::Air::LowerToAir::lower):
1506 * b3/air/AirKind.cpp:
1507 (JSC::B3::Air::Kind::dump):
1509 (JSC::B3::Air::Kind::Kind):
1510 (JSC::B3::Air::Kind::operator==):
1511 (JSC::B3::Air::Kind::hash):
1512 * b3/air/AirLowerAfterRegAlloc.cpp:
1513 (JSC::B3::Air::lowerAfterRegAlloc):
1514 * b3/air/AirLowerMacros.cpp:
1515 (JSC::B3::Air::lowerMacros):
1516 * b3/air/AirOpcode.opcodes:
1517 * b3/air/AirValidate.cpp:
1518 * b3/air/opcode_generator.rb:
1520 (JSC::B3::correctSqrt):
1521 (JSC::B3::testSqrtArg):
1522 (JSC::B3::testSqrtImm):
1523 (JSC::B3::testSqrtMem):
1524 (JSC::B3::testSqrtArgWithUselessDoubleConversion):
1525 (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
1526 (JSC::B3::testStoreRelAddLoadAcq32):
1527 (JSC::B3::testTrappingLoad):
1528 (JSC::B3::testTrappingStore):
1529 (JSC::B3::testTrappingLoadAddStore):
1530 (JSC::B3::testTrappingLoadDCE):
1532 2017-05-19 Don Olmstead <don.olmstead@am.sony.com>
1534 [JSC] Remove PLATFORM(WIN) references
1535 https://bugs.webkit.org/show_bug.cgi?id=172294
1537 Reviewed by Yusuke Suzuki.
1539 * heap/MachineStackMarker.cpp:
1540 (JSC::MachineThreads::removeThread):
1541 * llint/LLIntOfflineAsmConfig.h:
1542 * runtime/ConfigFile.h:
1544 (JSC::VM::updateStackLimits):
1546 2017-05-19 Yusuke Suzuki <utatane.tea@gmail.com>
1548 [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
1549 https://bugs.webkit.org/show_bug.cgi?id=172098
1551 Reviewed by Saam Barati.
1553 In this patch, we generalize CheckDOM to CheckSubClass.
1554 It can accept any ClassInfo and perform a ClassInfo check
1555 in DFG / FTL. Now, we add a new function pointer to ClassInfo,
1556 checkSubClassPatchpoint. It can create DOMJIT patchpoint
1557 for that ClassInfo. It is natural that ClassInfo holds the
1558 way to emit DOMJIT::Patchpoint to perform CheckSubClass
1559 rather than having it in each DOMJIT getter / function
1560 signature annotation.
1562 One problem is that it enlarges the size of ClassInfo.
1563 But this is the best place to put this function pointer.
1564 By doing so, we can add a patchpoint for CheckSubClass
1565 in a non-intrusive manner: WebCore can inject patchpoints
1566 without interacting with JSC.
1568 We still have a way to reduce the size of ClassInfo if
1569 we move ArrayBuffer related methods out to the other places.
1571 This patch touches many files because we add a new function
1572 pointer to ClassInfo. But they are basically mechanical changes.
* API/JSAPIWrapperObject.mm:
* API/JSCallbackConstructor.cpp:
* API/JSCallbackFunction.cpp:
* API/JSCallbackObject.cpp:
* API/ObjCCallbackFunction.mm:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
* bytecode/DOMJITAccessCasePatchpointParams.h:
(JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
* bytecode/EvalCodeBlock.cpp:
* bytecode/FunctionCodeBlock.cpp:
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::emitDOMJITGetter):
* bytecode/ModuleProgramCodeBlock.cpp:
* bytecode/ProgramCodeBlock.cpp:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecode/UnlinkedEvalCodeBlock.cpp:
* bytecode/UnlinkedFunctionCodeBlock.cpp:
* bytecode/UnlinkedFunctionExecutable.cpp:
* bytecode/UnlinkedModuleProgramCodeBlock.cpp:
* bytecode/UnlinkedProgramCodeBlock.cpp:
* debugger/DebuggerScope.cpp:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDOMJITPatchpointParams.h:
(JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
* dfg/DFGDoesGC.cpp:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeCallDOM):
(JSC::DFG::FixupPhase::fixupCheckSubClass):
(JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
(JSC::DFG::Graph::dump):
(JSC::DFG::Node::hasClassInfo):
(JSC::DFG::Node::classInfo):
(JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
(JSC::DFG::Node::checkDOMPatchpoint): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::vm):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* domjit/DOMJITGetterSetter.h:
* domjit/DOMJITPatchpointParams.h:
(JSC::DOMJIT::PatchpointParams::PatchpointParams):
(JSC::DOMJIT::PatchpointParams::vm):
* domjit/DOMJITSignature.h:
(JSC::DOMJIT::Signature::Signature):
(JSC::DOMJIT::Signature::checkDOM): Deleted.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLDOMJITPatchpointParams.h:
(JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
* inspector/JSInjectedScriptHost.cpp:
* inspector/JSInjectedScriptHostPrototype.cpp:
* inspector/JSJavaScriptCallFrame.cpp:
* inspector/JSJavaScriptCallFramePrototype.cpp:
(WTF::DOMJITNode::checkSubClassPatchpoint):
(WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
(WTF::DOMJITFunctionObject::finishCreation):
(WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
(WTF::DOMJITCheckSubClassObject::createStructure):
(WTF::DOMJITCheckSubClassObject::create):
(WTF::DOMJITCheckSubClassObject::safeFunction):
(WTF::DOMJITCheckSubClassObject::unsafeFunction):
(WTF::DOMJITCheckSubClassObject::finishCreation):
(GlobalObject::finishCreation):
(functionCreateDOMJITCheckSubClassObject):
(WTF::DOMJITNode::checkDOMJITNode): Deleted.
(WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
* runtime/AbstractModuleRecord.cpp:
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
* runtime/ArrayConstructor.cpp:
* runtime/ArrayIteratorPrototype.cpp:
* runtime/ArrayPrototype.cpp:
* runtime/AsyncFunctionConstructor.cpp:
* runtime/AsyncFunctionPrototype.cpp:
* runtime/AtomicsObject.cpp:
* runtime/BooleanConstructor.cpp:
* runtime/BooleanObject.cpp:
* runtime/BooleanPrototype.cpp:
* runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
(JSC::ClassInfo::dump):
* runtime/ClassInfo.h:
(JSC::ClassInfo::offsetOfParentClass):
* runtime/ClonedArguments.cpp:
* runtime/ConsoleObject.cpp:
* runtime/CustomGetterSetter.cpp:
* runtime/DateConstructor.cpp:
* runtime/DateInstance.cpp:
* runtime/DatePrototype.cpp:
* runtime/DirectArguments.cpp:
* runtime/Error.cpp:
* runtime/ErrorConstructor.cpp:
* runtime/ErrorInstance.cpp:
* runtime/ErrorPrototype.cpp:
* runtime/EvalExecutable.cpp:
* runtime/Exception.cpp:
* runtime/ExceptionHelpers.cpp:
* runtime/ExecutableBase.cpp:
* runtime/FunctionConstructor.cpp:
* runtime/FunctionExecutable.cpp:
* runtime/FunctionPrototype.cpp:
* runtime/FunctionRareData.cpp:
* runtime/GeneratorFunctionConstructor.cpp:
* runtime/GeneratorFunctionPrototype.cpp:
* runtime/GeneratorPrototype.cpp:
* runtime/GetterSetter.cpp:
* runtime/HashMapImpl.cpp:
* runtime/HashMapImpl.h:
* runtime/InferredType.cpp:
(JSC::InferredType::create):
* runtime/InferredTypeTable.cpp:
* runtime/InferredValue.cpp:
* runtime/InspectorInstrumentationObject.cpp:
* runtime/InternalFunction.cpp:
* runtime/IntlCollator.cpp:
* runtime/IntlCollatorConstructor.cpp:
* runtime/IntlCollatorPrototype.cpp:
* runtime/IntlDateTimeFormat.cpp:
* runtime/IntlDateTimeFormatConstructor.cpp:
* runtime/IntlDateTimeFormatPrototype.cpp:
* runtime/IntlNumberFormat.cpp:
* runtime/IntlNumberFormatConstructor.cpp:
* runtime/IntlNumberFormatPrototype.cpp:
* runtime/IntlObject.cpp:
* runtime/IteratorPrototype.cpp:
* runtime/JSAPIValueWrapper.cpp:
* runtime/JSArray.cpp:
* runtime/JSArrayBuffer.cpp:
* runtime/JSArrayBufferConstructor.cpp:
* runtime/JSArrayBufferPrototype.cpp:
* runtime/JSArrayBufferView.cpp:
* runtime/JSAsyncFunction.cpp:
* runtime/JSBoundFunction.cpp:
* runtime/JSCallee.cpp:
* runtime/JSCustomGetterSetterFunction.cpp:
* runtime/JSDataView.cpp:
* runtime/JSDataViewPrototype.cpp:
* runtime/JSEnvironmentRecord.cpp:
* runtime/JSFixedArray.cpp:
* runtime/JSFunction.cpp:
* runtime/JSGeneratorFunction.cpp:
* runtime/JSGlobalLexicalEnvironment.cpp:
* runtime/JSGlobalObject.cpp:
* runtime/JSInternalPromise.cpp:
* runtime/JSInternalPromiseConstructor.cpp:
* runtime/JSInternalPromiseDeferred.cpp:
* runtime/JSInternalPromisePrototype.cpp:
* runtime/JSLexicalEnvironment.cpp:
* runtime/JSMap.cpp:
* runtime/JSMapIterator.cpp:
* runtime/JSModuleEnvironment.cpp:
* runtime/JSModuleLoader.cpp:
* runtime/JSModuleNamespaceObject.cpp:
* runtime/JSModuleRecord.cpp:
* runtime/JSNativeStdFunction.cpp:
* runtime/JSONObject.cpp:
* runtime/JSObject.cpp:
* runtime/JSPromise.cpp:
* runtime/JSPromiseConstructor.cpp:
* runtime/JSPromiseDeferred.cpp:
* runtime/JSPromisePrototype.cpp:
* runtime/JSPropertyNameEnumerator.cpp:
* runtime/JSPropertyNameIterator.cpp:
* runtime/JSProxy.cpp:
* runtime/JSScriptFetcher.cpp:
* runtime/JSSet.cpp:
* runtime/JSSetIterator.cpp:
* runtime/JSSourceCode.cpp:
* runtime/JSString.cpp:
* runtime/JSStringIterator.cpp:
* runtime/JSSymbolTableObject.cpp:
* runtime/JSTemplateRegistryKey.cpp:
* runtime/JSTypedArrayConstructors.cpp:
* runtime/JSTypedArrayPrototypes.cpp:
* runtime/JSTypedArrayViewConstructor.cpp:
* runtime/JSTypedArrays.cpp:
* runtime/JSWeakMap.cpp:
* runtime/JSWeakSet.cpp:
* runtime/JSWithScope.cpp:
* runtime/MapConstructor.cpp:
* runtime/MapIteratorPrototype.cpp:
* runtime/MapPrototype.cpp:
* runtime/MathObject.cpp:
* runtime/ModuleLoaderPrototype.cpp:
* runtime/ModuleProgramExecutable.cpp:
* runtime/NativeErrorConstructor.cpp:
* runtime/NativeExecutable.cpp:
* runtime/NativeStdFunctionCell.cpp:
* runtime/NullGetterFunction.cpp:
* runtime/NullSetterFunction.cpp:
* runtime/NumberConstructor.cpp:
* runtime/NumberObject.cpp:
* runtime/NumberPrototype.cpp:
* runtime/ObjectConstructor.cpp:
* runtime/ObjectPrototype.cpp:
* runtime/ProgramExecutable.cpp:
* runtime/PropertyTable.cpp:
* runtime/ProxyConstructor.cpp:
* runtime/ProxyObject.cpp:
* runtime/ProxyRevoke.cpp:
* runtime/ReflectObject.cpp:
* runtime/RegExp.cpp:
* runtime/RegExpConstructor.cpp:
* runtime/RegExpObject.cpp:
* runtime/RegExpPrototype.cpp:
* runtime/ScopedArguments.cpp:
* runtime/ScopedArgumentsTable.cpp:
* runtime/ScriptExecutable.cpp:
* runtime/SetConstructor.cpp:
* runtime/SetIteratorPrototype.cpp:
* runtime/SetPrototype.cpp:
* runtime/SparseArrayValueMap.cpp:
* runtime/StrictEvalActivation.cpp:
* runtime/StringConstructor.cpp:
* runtime/StringIteratorPrototype.cpp:
* runtime/StringObject.cpp:
* runtime/StringPrototype.cpp:
* runtime/Structure.cpp:
* runtime/StructureChain.cpp:
* runtime/StructureRareData.cpp:
* runtime/Symbol.cpp:
* runtime/SymbolConstructor.cpp:
* runtime/SymbolObject.cpp:
* runtime/SymbolPrototype.cpp:
* runtime/SymbolTable.cpp:
* runtime/WeakMapConstructor.cpp:
* runtime/WeakMapData.cpp:
* runtime/WeakMapPrototype.cpp:
* runtime/WeakSetConstructor.cpp:
* runtime/WeakSetPrototype.cpp:
* tools/JSDollarVM.cpp:
* tools/JSDollarVMPrototype.cpp:
* wasm/JSWebAssembly.cpp:
* wasm/js/JSWebAssemblyCodeBlock.cpp:
* wasm/js/JSWebAssemblyCompileError.cpp:
* wasm/js/JSWebAssemblyInstance.cpp:
* wasm/js/JSWebAssemblyLinkError.cpp:
* wasm/js/JSWebAssemblyMemory.cpp:
* wasm/js/JSWebAssemblyModule.cpp:
* wasm/js/JSWebAssemblyRuntimeError.cpp:
* wasm/js/JSWebAssemblyTable.cpp:
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
* wasm/js/WebAssemblyCompileErrorPrototype.cpp:
* wasm/js/WebAssemblyFunction.cpp:
* wasm/js/WebAssemblyFunctionBase.cpp:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
* wasm/js/WebAssemblyInstancePrototype.cpp:
* wasm/js/WebAssemblyLinkErrorConstructor.cpp:
* wasm/js/WebAssemblyLinkErrorPrototype.cpp:
* wasm/js/WebAssemblyMemoryConstructor.cpp:
* wasm/js/WebAssemblyMemoryPrototype.cpp:
* wasm/js/WebAssemblyModuleConstructor.cpp:
* wasm/js/WebAssemblyModulePrototype.cpp:
* wasm/js/WebAssemblyModuleRecord.cpp:
* wasm/js/WebAssemblyPrototype.cpp:
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
* wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
* wasm/js/WebAssemblyTableConstructor.cpp:
* wasm/js/WebAssemblyTablePrototype.cpp:
* wasm/js/WebAssemblyToJSCallee.cpp:
* wasm/js/WebAssemblyWrapperFunction.cpp:

2017-05-18 JF Bastien <jfbastien@apple.com>

WebAssembly: exports is a getter
https://bugs.webkit.org/show_bug.cgi?id=172129

Reviewed by Saam Barati.

As updated here: https://github.com/WebAssembly/design/pull/1062

* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::finishCreation): don't putDirect here anymore
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::moduleNamespaceObject): add accessor
* wasm/js/WebAssemblyFunctionBase.cpp: squelch causing a warning
* wasm/js/WebAssemblyInstancePrototype.cpp: use LUT
(JSC::getInstance): helper, as in surrounding files
(JSC::webAssemblyInstanceProtoFuncExports): instead of putDirect
* wasm/js/WebAssemblyMemoryPrototype.cpp: pass VM around as for Table
(JSC::webAssemblyMemoryProtoFuncGrow):
(JSC::webAssemblyMemoryProtoFuncBuffer):
* wasm/js/WebAssemblyTablePrototype.cpp: static everywhere as with other code
(JSC::webAssemblyTableProtoFuncLength):
(JSC::webAssemblyTableProtoFuncGrow):
(JSC::webAssemblyTableProtoFuncGet):
(JSC::webAssemblyTableProtoFuncSet):

2017-05-18 Saam Barati <sbarati@apple.com>

Proxy's [[Get]] passes incorrect receiver
https://bugs.webkit.org/show_bug.cgi?id=164849
<rdar://problem/31767058>

Reviewed by Yusuke Suzuki.

* runtime/ProxyObject.cpp:
(JSC::performProxyGet):

2017-05-18 Andy Estes <aestes@apple.com>

ENABLE(APPLE_PAY_DELEGATE) should be NO on macOS Sierra and earlier
https://bugs.webkit.org/show_bug.cgi?id=172305

Reviewed by Anders Carlsson.

* Configurations/FeatureDefines.xcconfig:

2017-05-18 Saam Barati <sbarati@apple.com>

We need to destroy worker threads in jsc.cpp
https://bugs.webkit.org/show_bug.cgi?id=170751
<rdar://problem/31800412>

Reviewed by Filip Pizlo.

This patch fixes a bug where a $ agent worker would still
have compilation threads running after the thread the worker
was created on dies. This manifested itself inside DFG AI where
we would notice a string constant is atomic, then the worker
thread would die, destroying its atomic string table, then
we'd notice the same string is no longer atomic, and we'd crash
because we'd fail to see the same speculated type for the same

This patch makes it so that $ agent workers destroy their VM when
they're done executing. Before a VM gets destroyed, it ensures that
all its compilation threads finish.

(functionDollarAgentStart):

2017-05-18 Michael Saboff <msaboff@apple.com>

Add FTL whitelist debugging option
https://bugs.webkit.org/show_bug.cgi?id=172321

Reviewed by Saam Barati.

* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::ensureGlobalFTLWhitelist):
(JSC::DFG::TierUpCheckInjectionPhase::run):
* runtime/Options.h:
* tools/FunctionWhitelist.cpp:
(JSC::FunctionWhitelist::contains):

2017-05-18 Filip Pizlo <fpizlo@apple.com>

Constructor calls set this too early
https://bugs.webkit.org/show_bug.cgi?id=172302

Reviewed by Saam Barati.

We were setting this before evaluating the arguments, so this code:

new x(x = function() { });

Would crash because we would pass 42 as this, and create_this would treat it as a cell.
Dereferencing a non-cell is guaranteed to crash.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitConstruct):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::NewExprNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
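
Added example, not part of the ChangeLog or of WebKit: a plain JavaScript regression check of the evaluation order `new` must follow, which the entry above restores. It assumes `x` initially holds 42, as the entry's explanation implies; the names `C`, `C1`, `C2`, `probe` and `replacement` are constructed for the test.

```javascript
// Case from the entry: the callee (42) is not a constructor and an argument
// reassigns it. A correct engine evaluates the arguments first and only then
// tries to construct from the original callee value, so it throws TypeError
// rather than treating 42 as an object; the reassignment stays visible.
function calleeReplacedByArgument() {
  let x = 42; // assumed initial value, as the entry implies
  let error = null;
  try {
    new x(x = function () {});
  } catch (e) {
    error = e;
  }
  return {
    threwTypeError: error instanceof TypeError,
    argumentWasEvaluated: typeof x === 'function',
  };
}

// The callee value is read before the arguments run: reassigning it inside the
// argument list does not change which constructor is used.
function calleeReadBeforeArguments() {
  function C1() {}
  function C2() {}
  let f = C1;
  const obj = new f(f = C2);
  return { constructedC1: obj instanceof C1, reassigned: f === C2 };
}

// `this` must be allocated after the arguments run: an argument that swaps the
// callee's prototype is visible on the object the constructor receives.
function thisCreatedAfterArguments() {
  function C() { this.seenProto = Object.getPrototypeOf(this); }
  const original = C.prototype;
  const replacement = { tag: 'replacement' };
  const obj = new C(C.prototype = replacement);
  return {
    usedReplacement: obj.seenProto === replacement && Object.getPrototypeOf(obj) === replacement,
    originalUnused: obj.seenProto !== original,
  };
}

// Full order: callee expression, then arguments left to right, then construction.
function evaluationOrder() {
  const log = [];
  function C(a, b) { log.push('construct'); this.sum = a + b; }
  const probe = (tag, value) => { log.push(tag); return value; };
  const obj = new (probe('callee', C))(probe('arg0', 1), probe('arg1', 2));
  return { log, sum: obj.sum };
}
```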

2017-05-18 Saam Barati <sbarati@apple.com>

WebAssembly: perform stack checks
https://bugs.webkit.org/show_bug.cgi?id=165546
<rdar://problem/29760307>

Reviewed by Filip Pizlo.

This patch adds stack checks to wasm. It implements it by storing the stack
bounds on the Context.

Stack checking works as normal, except we do a small optimization for terminal
nodes in the call tree (nodes that don't make any calls). These nodes will
only do a stack check if their frame size is beyond 1024 bytes. Otherwise,
it's assumed the parent that called them did their stack check for them.
This is because all things that make calls make sure to do an extra 1024
bytes whenever doing a stack check.

We also take into account stack size for potential JS calls when doing
stack checks since our JS stubs don't do this on their own. Each frame
will ensure it does a stack check large enough for any potential JS call
stubs it'll execute.

Surprisingly, this patch is neutral on WasmBench and TitzerBench.

* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* runtime/Error.cpp:
(JSC::createRangeError):
(JSC::addErrorInfoAndGetBytecodeOffset):
I fixed a bug here where we assumed that the first frame that has line
and column info would be in our stack trace. This is not correct
since we limit our stack trace size. If everything in our limited
size stack trace is Wasm, then we won't have any frames with line
* runtime/ExceptionHelpers.cpp:
(JSC::createStackOverflowError):
* runtime/ExceptionHelpers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::webAssemblyToJSCalleeStructure):
* runtime/Options.h: I've added a new option that controls
whether or not we use fast TLS for the wasm context.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmContext.cpp:
(JSC::Wasm::loadContext):
(JSC::Wasm::storeContext):
* wasm/WasmContext.h:
(JSC::Wasm::useFastTLSForContext):
* wasm/WasmExceptionType.h:
* wasm/WasmMemoryInformation.h:
(JSC::Wasm::PinnedRegisterInfo::toSave):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::Thunks::stub):
* wasm/WasmThunks.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit):
(JSC::JSWebAssemblyInstance::cachedStackLimit):
(JSC::JSWebAssemblyInstance::setCachedStackLimit):
* wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::finishCreation):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::callWebAssemblyFunction):
* wasm/js/WebAssemblyToJSCallee.cpp: Make this a descendant of object.
This is needed for correctness because we may call into JS,
and then the first JS frame could stack overflow. When it stack
overflows, it rolls back one frame to the wasm->js call stub with
the wasm->js callee. It gets the lexical global object from this
frame, meaning it gets the global object from the callee. Therefore,
we must make it an object since all objects have global objects.
(JSC::WebAssemblyToJSCallee::create):
* wasm/js/WebAssemblyToJSCallee.h:
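
Added example, not WebKit code: a small JavaScript model of the stack-check policy the entry above describes, used to check why small terminal frames may skip their own check. The 1024-byte slack comes from the entry; frame sizes, the JS stub size and the stack limits are constructed, and the root frame is assumed to be entered through a caller that already checked.

```javascript
// Extra bytes every frame that makes calls checks for, on behalf of a small
// terminal callee that will not check for itself (from the entry).
const SLACK = 1024;

// A node of the call tree. callees: functions it may call. jsStubSize: size of
// the largest JS call stub it may enter (0 if none); stubs do no check of their own.
function fn(name, frameSize, callees = [], jsStubSize = 0) {
  return { name, frameSize, callees, jsStubSize };
}

function makesCalls(f) {
  return f.callees.length > 0 || f.jsStubSize > 0;
}

// Terminal nodes skip their own check unless their frame is beyond SLACK bytes;
// every frame that makes calls checks.
function needsCheck(f) {
  return makesCalls(f) || f.frameSize > SLACK;
}

// What a checking frame verifies is free: its own frame, plus `slack` for a small
// terminal callee, plus the largest JS stub it may run. `slack` is a parameter so
// the naive policy (slack = 0) can be compared with the entry's policy (SLACK).
function checkAmount(f, slack) {
  return f.frameSize + (makesCalls(f) ? slack : 0) + f.jsStubSize;
}

// Depth-first execution with `used` bytes already on a stack of `limit` bytes.
// Returns 'ok' (everything fit), 'caught' (a check threw StackOverflow before
// the overflow) or 'unguarded' (a frame or stub ran past the limit unnoticed,
// which is the outcome the policy must rule out).
function simulate(f, limit, slack, used = 0) {
  if (needsCheck(f) && used + checkAmount(f, slack) > limit) return 'caught';
  used += f.frameSize;
  if (used > limit) return 'unguarded';
  // A JS stub relies entirely on the check this frame performed.
  if (used + f.jsStubSize > limit) return 'unguarded';
  for (const callee of f.callees) {
    const result = simulate(callee, limit, slack, used);
    if (result !== 'ok') return result;
  }
  return 'ok';
}

// Sweep every limit up to maxLimit: the policy is sound for this tree if no
// limit yields an unguarded overflow.
function neverUnguarded(root, slack, maxLimit) {
  for (let limit = 0; limit <= maxLimit; limit += 8) {
    if (simulate(root, limit, slack) === 'unguarded') return false;
  }
  return true;
}

// Constructed call tree: a caller with a large frame, a small terminal callee,
// a frame that may call out to JS through a stub, and a large terminal callee.
const smallLeaf = fn('leaf_small', 512);        // <= SLACK: skips its own check
const bigLeaf = fn('leaf_big', 4096);           // > SLACK: checks itself
const callsJS = fn('calls_js', 256, [], 800);   // also reserves for its JS stub
const ROOT = fn('root', 2048, [smallLeaf, callsJS, bigLeaf]);

function demo() {
  return {
    policy: neverUnguarded(ROOT, SLACK, 16384), // true: small leaves are covered
    naive: neverUnguarded(ROOT, 0, 16384),      // false: a leaf overflows unseen
    tight: simulate(ROOT, 2300, SLACK),         // 'caught' by root's check
    tightNaive: simulate(ROOT, 2300, 0),        // 'unguarded' inside leaf_small
    roomy: simulate(ROOT, 8192, SLACK),         // 'ok'
  };
}
```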

2017-05-18 Keith Miller <keith_miller@apple.com>

WebAssembly API: test with neutered inputs
https://bugs.webkit.org/show_bug.cgi?id=163899

Reviewed by JF Bastien.

Add tests to check that we properly throw a type error when
we get a transferred ArrayBuffer. Also, we should make sure
we cannot post message a wasm memory's ArrayBuffer.

* API/JSTypedArray.cpp:
(JSObjectGetArrayBufferBytesPtr):
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::makeShared):
(JSC::ArrayBuffer::makeWasmMemory):
(JSC::ArrayBuffer::transferTo):
(JSC::ArrayBuffer::neuter):
(JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
(JSC::errorMesasgeForTransfer):
* runtime/ArrayBuffer.h:
(JSC::ArrayBuffer::isLocked):
(JSC::ArrayBuffer::isWasmMemory):
* wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::buffer):
(JSC::JSWebAssemblyMemory::grow):

2017-05-18 Joseph Pecoraro <pecoraro@apple.com>

Remote Inspector: Be stricter about checking message types
https://bugs.webkit.org/show_bug.cgi?id=172259
<rdar://problem/32264839>

Reviewed by Brian Burg.

* inspector/remote/cocoa/RemoteInspectorCocoa.mm:
(Inspector::RemoteInspector::receivedSetupMessage):
(Inspector::RemoteInspector::receivedDataMessage):
(Inspector::RemoteInspector::receivedDidCloseMessage):
(Inspector::RemoteInspector::receivedIndicateMessage):
(Inspector::RemoteInspector::receivedConnectionDiedMessage):
(Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
(Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
(Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
* inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::deserializeMessage):
(Inspector::RemoteInspectorXPCConnection::handleEvent):
(Inspector::RemoteInspectorXPCConnection::sendMessage):
Bail if we don't receive the expected types for message data.

2017-05-18 Filip Pizlo <fpizlo@apple.com>

DFG inlining should be hardened for the no-result case
https://bugs.webkit.org/show_bug.cgi?id=172290

Reviewed by Saam Barati.

Previously, if we were inlining a setter call, we might have a bad time because the setter's
result register is the invalid VirtualRegister(), and much of the intrinsic handling code
assumes that the result register is valid.

This doesn't usually cause problems because people don't usually point a setter at something
that we recognize as an intrinsic.

* JavaScriptCore.xcodeproj/project.pbxproj:
* b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment.
* dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal.
(JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner.
(JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug.
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter).
* runtime/Intrinsic.cpp: Added. I needed this to debug.
(JSC::intrinsicName):
(WTF::printInternal):
* runtime/Intrinsic.h:

2017-05-18 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r217031, r217032, and r217037.
https://bugs.webkit.org/show_bug.cgi?id=172293

cause linking errors in Windows (Requested by yusukesuzuki on

Reverted changesets:

"[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass"
https://bugs.webkit.org/show_bug.cgi?id=172098
http://trac.webkit.org/changeset/217031

"Unreviewed, rebaseline for newly added ClassInfo"
https://bugs.webkit.org/show_bug.cgi?id=172098
http://trac.webkit.org/changeset/217032

"Unreviewed, fix debug and non-JIT build"
https://bugs.webkit.org/show_bug.cgi?id=172098
http://trac.webkit.org/changeset/217037

2017-05-17 Yusuke Suzuki <utatane.tea@gmail.com>

Unreviewed, fix debug and non-JIT build
https://bugs.webkit.org/show_bug.cgi?id=172098

(WTF::DOMJITFunctionObject::checkSubClassPatchpoint):

2017-05-17 Yusuke Suzuki <utatane.tea@gmail.com>

Unreviewed, rebaseline for newly added ClassInfo
https://bugs.webkit.org/show_bug.cgi?id=172098

* wasm/js/WebAssemblyFunctionBase.cpp:

2017-05-16 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
https://bugs.webkit.org/show_bug.cgi?id=172098

Reviewed by Saam Barati.

In this patch, we generalize CheckDOM to CheckSubClass.
It can accept any ClassInfo and perform ClassInfo check
in DFG / FTL. Now, we add a new function pointer to ClassInfo,
checkSubClassPatchpoint. It can create DOMJIT patchpoint
for that ClassInfo. It is natural that ClassInfo holds the
way to emit DOMJIT::Patchpoint to perform CheckSubClass
rather than having it in each DOMJIT getter / function
signature annotation.

One problem is that it enlarges the size of ClassInfo.
But this is the best place to put this function pointer.
By doing so, we can add a patchpoint for CheckSubClass
in a non-intrusive manner: WebCore can inject patchpoints
without interacting with JSC.

We still have a way to reduce the size of ClassInfo if
we move ArrayBuffer related methods out to the other places.

This patch touches many files because we add a new function
pointer to ClassInfo. But they are basically mechanical changes.

* API/JSAPIWrapperObject.mm:
* API/JSCallbackConstructor.cpp:
* API/JSCallbackFunction.cpp:
* API/JSCallbackObject.cpp:
* API/ObjCCallbackFunction.mm:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
* bytecode/DOMJITAccessCasePatchpointParams.h:
(JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
* bytecode/EvalCodeBlock.cpp:
* bytecode/FunctionCodeBlock.cpp:
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::emitDOMJITGetter):
* bytecode/ModuleProgramCodeBlock.cpp:
* bytecode/ProgramCodeBlock.cpp:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecode/UnlinkedEvalCodeBlock.cpp:
* bytecode/UnlinkedFunctionCodeBlock.cpp:
* bytecode/UnlinkedFunctionExecutable.cpp:
* bytecode/UnlinkedModuleProgramCodeBlock.cpp:
* bytecode/UnlinkedProgramCodeBlock.cpp:
* debugger/DebuggerScope.cpp:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDOMJITPatchpointParams.h:
(JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
* dfg/DFGDoesGC.cpp:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeCallDOM):
(JSC::DFG::FixupPhase::fixupCheckSubClass):
(JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
(JSC::DFG::Graph::dump):
(JSC::DFG::Node::hasClassInfo):
(JSC::DFG::Node::classInfo):
(JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
(JSC::DFG::Node::checkDOMPatchpoint): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::vm):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
In DFG, we rename CheckDOM to CheckSubClass. It just holds ClassInfo.
And ClassInfo knows how to perform CheckSubClass efficiently.
If ClassInfo does not have a way to perform CheckSubClass efficiently,
we just perform jsDynamicCast thing in ASM.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* domjit/DOMJITGetterSetter.h:
* domjit/DOMJITPatchpointParams.h:
(JSC::DOMJIT::PatchpointParams::PatchpointParams):
(JSC::DOMJIT::PatchpointParams::vm):
* domjit/DOMJITSignature.h:
(JSC::DOMJIT::Signature::Signature):
(JSC::DOMJIT::Signature::checkDOM): Deleted.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLDOMJITPatchpointParams.h:
(JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
* inspector/JSInjectedScriptHost.cpp:
* inspector/JSInjectedScriptHostPrototype.cpp:
* inspector/JSJavaScriptCallFrame.cpp:
* inspector/JSJavaScriptCallFramePrototype.cpp:
(WTF::DOMJITNode::checkSubClassPatchpoint):
(WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
(WTF::DOMJITFunctionObject::finishCreation):
(WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
(WTF::DOMJITCheckSubClassObject::createStructure):
(WTF::DOMJITCheckSubClassObject::create):
(WTF::DOMJITCheckSubClassObject::safeFunction):
(WTF::DOMJITCheckSubClassObject::unsafeFunction):
(WTF::DOMJITCheckSubClassObject::finishCreation):
(GlobalObject::finishCreation):
(functionCreateDOMJITCheckSubClassObject):
(WTF::DOMJITNode::checkDOMJITNode): Deleted.
(WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
* runtime/AbstractModuleRecord.cpp:
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
* runtime/ArrayConstructor.cpp:
* runtime/ArrayIteratorPrototype.cpp:
* runtime/ArrayPrototype.cpp:
* runtime/AsyncFunctionConstructor.cpp:
* runtime/AsyncFunctionPrototype.cpp:
* runtime/AtomicsObject.cpp:
* runtime/BooleanConstructor.cpp:
* runtime/BooleanObject.cpp:
* runtime/BooleanPrototype.cpp:
* runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
(JSC::ClassInfo::dump):
* runtime/ClassInfo.h:
(JSC::ClassInfo::offsetOfParentClass):
* runtime/ClonedArguments.cpp:
* runtime/ConsoleObject.cpp:
* runtime/CustomGetterSetter.cpp:
* runtime/DateConstructor.cpp:
* runtime/DateInstance.cpp:
* runtime/DatePrototype.cpp:
* runtime/DirectArguments.cpp:
* runtime/Error.cpp:
* runtime/ErrorConstructor.cpp:
* runtime/ErrorInstance.cpp:
* runtime/ErrorPrototype.cpp:
* runtime/EvalExecutable.cpp:
* runtime/Exception.cpp:
* runtime/ExceptionHelpers.cpp:
* runtime/ExecutableBase.cpp:
* runtime/FunctionConstructor.cpp:
* runtime/FunctionExecutable.cpp:
* runtime/FunctionPrototype.cpp:
* runtime/FunctionRareData.cpp:
* runtime/GeneratorFunctionConstructor.cpp:
* runtime/GeneratorFunctionPrototype.cpp:
* runtime/GeneratorPrototype.cpp:
* runtime/GetterSetter.cpp:
* runtime/HashMapImpl.cpp:
* runtime/HashMapImpl.h:
* runtime/InferredType.cpp:
(JSC::InferredType::create):
* runtime/InferredTypeTable.cpp:
* runtime/InferredValue.cpp:
* runtime/InspectorInstrumentationObject.cpp:
* runtime/InternalFunction.cpp:
* runtime/IntlCollator.cpp:
* runtime/IntlCollatorConstructor.cpp:
* runtime/IntlCollatorPrototype.cpp:
* runtime/IntlDateTimeFormat.cpp:
* runtime/IntlDateTimeFormatConstructor.cpp:
* runtime/IntlDateTimeFormatPrototype.cpp:
* runtime/IntlNumberFormat.cpp:
* runtime/IntlNumberFormatConstructor.cpp:
* runtime/IntlNumberFormatPrototype.cpp:
* runtime/IntlObject.cpp:
* runtime/IteratorPrototype.cpp:
* runtime/JSAPIValueWrapper.cpp:
* runtime/JSArray.cpp:
* runtime/JSArrayBuffer.cpp:
* runtime/JSArrayBufferConstructor.cpp:
* runtime/JSArrayBufferPrototype.cpp:
* runtime/JSArrayBufferView.cpp:
* runtime/JSAsyncFunction.cpp:
* runtime/JSBoundFunction.cpp:
* runtime/JSCallee.cpp:
* runtime/JSCustomGetterSetterFunction.cpp:
* runtime/JSDataView.cpp:
* runtime/JSDataViewPrototype.cpp:
* runtime/JSEnvironmentRecord.cpp:
* runtime/JSFixedArray.cpp:
* runtime/JSFunction.cpp:
* runtime/JSGeneratorFunction.cpp:
* runtime/JSGlobalLexicalEnvironment.cpp:
* runtime/JSGlobalObject.cpp:
* runtime/JSInternalPromise.cpp:
* runtime/JSInternalPromiseConstructor.cpp:
* runtime/JSInternalPromiseDeferred.cpp:
* runtime/JSInternalPromisePrototype.cpp:
* runtime/JSLexicalEnvironment.cpp:
* runtime/JSMap.cpp:
* runtime/JSMapIterator.cpp:
* runtime/JSModuleEnvironment.cpp:
* runtime/JSModuleLoader.cpp:
* runtime/JSModuleNamespaceObject.cpp:
* runtime/JSModuleRecord.cpp:
* runtime/JSNativeStdFunction.cpp:
* runtime/JSONObject.cpp:
* runtime/JSObject.cpp:
* runtime/JSPromise.cpp:
* runtime/JSPromiseConstructor.cpp:
* runtime/JSPromiseDeferred.cpp:
* runtime/JSPromisePrototype.cpp:
* runtime/JSPropertyNameEnumerator.cpp:
* runtime/JSPropertyNameIterator.cpp:
* runtime/JSProxy.cpp:
* runtime/JSScriptFetcher.cpp:
* runtime/JSSet.cpp:
* runtime/JSSetIterator.cpp:
* runtime/JSSourceCode.cpp:
* runtime/JSString.cpp:
* runtime/JSStringIterator.cpp:
* runtime/JSSymbolTableObject.cpp:
* runtime/JSTemplateRegistryKey.cpp:
* runtime/JSTypedArrayConstructors.cpp:
* runtime/JSTypedArrayPrototypes.cpp:
* runtime/JSTypedArrayViewConstructor.cpp:
* runtime/JSTypedArrays.cpp:
* runtime/JSWeakMap.cpp:
* runtime/JSWeakSet.cpp:
* runtime/JSWithScope.cpp:
* runtime/MapConstructor.cpp:
* runtime/MapIteratorPrototype.cpp:
* runtime/MapPrototype.cpp:
* runtime/MathObject.cpp:
* runtime/ModuleLoaderPrototype.cpp:
* runtime/ModuleProgramExecutable.cpp:
* runtime/NativeErrorConstructor.cpp:
* runtime/NativeExecutable.cpp:
* runtime/NativeStdFunctionCell.cpp:
* runtime/NullGetterFunction.cpp:
* runtime/NullSetterFunction.cpp:
* runtime/NumberConstructor.cpp:
* runtime/NumberObject.cpp:
* runtime/NumberPrototype.cpp:
* runtime/ObjectConstructor.cpp:
* runtime/ObjectPrototype.cpp:
* runtime/ProgramExecutable.cpp:
* runtime/PropertyTable.cpp:
* runtime/ProxyConstructor.cpp:
* runtime/ProxyObject.cpp:
* runtime/ProxyRevoke.cpp:
* runtime/ReflectObject.cpp:
* runtime/RegExp.cpp:
* runtime/RegExpConstructor.cpp:
* runtime/RegExpObject.cpp:
* runtime/RegExpPrototype.cpp:
* runtime/ScopedArguments.cpp:
* runtime/ScopedArgumentsTable.cpp:
* runtime/ScriptExecutable.cpp:
* runtime/SetConstructor.cpp:
* runtime/SetIteratorPrototype.cpp:
* runtime/SetPrototype.cpp:
* runtime/SparseArrayValueMap.cpp:
* runtime/StrictEvalActivation.cpp:
* runtime/StringConstructor.cpp:
* runtime/StringIteratorPrototype.cpp:
* runtime/StringObject.cpp:
* runtime/StringPrototype.cpp:
* runtime/Structure.cpp:
* runtime/StructureChain.cpp:
* runtime/StructureRareData.cpp:
* runtime/Symbol.cpp:
* runtime/SymbolConstructor.cpp:
* runtime/SymbolObject.cpp:
* runtime/SymbolPrototype.cpp:
* runtime/SymbolTable.cpp:
* runtime/WeakMapConstructor.cpp:
* runtime/WeakMapData.cpp:
* runtime/WeakMapPrototype.cpp:
* runtime/WeakSetConstructor.cpp:
* runtime/WeakSetPrototype.cpp:
* tools/JSDollarVM.cpp:
* tools/JSDollarVMPrototype.cpp:
* wasm/JSWebAssembly.cpp:
* wasm/js/JSWebAssemblyCodeBlock.cpp:
* wasm/js/JSWebAssemblyCompileError.cpp:
* wasm/js/JSWebAssemblyInstance.cpp:
* wasm/js/JSWebAssemblyLinkError.cpp:
* wasm/js/JSWebAssemblyMemory.cpp:
* wasm/js/JSWebAssemblyModule.cpp:
* wasm/js/JSWebAssemblyRuntimeError.cpp:
* wasm/js/JSWebAssemblyTable.cpp:
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
* wasm/js/WebAssemblyCompileErrorPrototype.cpp:
* wasm/js/WebAssemblyFunction.cpp:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
* wasm/js/WebAssemblyInstancePrototype.cpp:
* wasm/js/WebAssemblyLinkErrorConstructor.cpp:
* wasm/js/WebAssemblyLinkErrorPrototype.cpp:
* wasm/js/WebAssemblyMemoryConstructor.cpp:
* wasm/js/WebAssemblyMemoryPrototype.cpp:
* wasm/js/WebAssemblyModuleConstructor.cpp:
* wasm/js/WebAssemblyModulePrototype.cpp:
* wasm/js/WebAssemblyModuleRecord.cpp:
* wasm/js/WebAssemblyPrototype.cpp:
* wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
* wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
* wasm/js/WebAssemblyTableConstructor.cpp:
* wasm/js/WebAssemblyTablePrototype.cpp:
* wasm/js/WebAssemblyToJSCallee.cpp:
2489 * wasm/js/WebAssemblyWrapperFunction.cpp:
2491 2017-05-17 Saam Barati <sbarati@apple.com>
2493 We don't do context switches for Wasm->Wasm call indirect
2494 https://bugs.webkit.org/show_bug.cgi?id=172188
2495 <rdar://problem/32231828>
2497 Reviewed by Keith Miller.
2499 We did not do a context switch when doing an indirect call.
2500 This is clearly wrong, since the thing we're making an indirect
2501 call to could be from another instance. This patch fixes this
2502 oversight by doing a very simple context switch. I've also opened
2503 a bug to make indirect calls fast: https://bugs.webkit.org/show_bug.cgi?id=172197
2504 since this patch adds yet another branch to the indirect call path.
2505 I've also added tests that either throw or crash before this change.
2508 * JavaScriptCore.xcodeproj/project.pbxproj:
2509 * wasm/WasmB3IRGenerator.cpp:
2510 * wasm/js/JSWebAssemblyTable.h:
2511 (JSC::JSWebAssemblyTable::offsetOfJSFunctions):
2512 * wasm/js/WebAssemblyFunction.cpp:
2513 (JSC::WebAssemblyFunction::visitChildren):
2514 (JSC::WebAssemblyFunction::finishCreation): Deleted.
2515 * wasm/js/WebAssemblyFunction.h:
2516 (JSC::WebAssemblyFunction::instance): Deleted.
2517 (JSC::WebAssemblyFunction::offsetOfInstance): Deleted.
2518 * wasm/js/WebAssemblyFunctionBase.cpp: Added.
2519 (JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase):
2520 (JSC::WebAssemblyFunctionBase::visitChildren):
2521 (JSC::WebAssemblyFunctionBase::finishCreation):
2522 * wasm/js/WebAssemblyFunctionBase.h: Added.
2523 (JSC::WebAssemblyFunctionBase::instance):
2524 (JSC::WebAssemblyFunctionBase::offsetOfInstance):
2525 * wasm/js/WebAssemblyModuleRecord.cpp:
2526 (JSC::WebAssemblyModuleRecord::link):
2527 (JSC::WebAssemblyModuleRecord::evaluate):
2528 * wasm/js/WebAssemblyWrapperFunction.cpp:
2529 (JSC::WebAssemblyWrapperFunction::create):
2530 (JSC::WebAssemblyWrapperFunction::finishCreation):
2531 (JSC::WebAssemblyWrapperFunction::visitChildren):
2532 * wasm/js/WebAssemblyWrapperFunction.h:
2534 2017-05-17 Filip Pizlo <fpizlo@apple.com>
2536 JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform
2537 https://bugs.webkit.org/show_bug.cgi?id=172208
2539 Reviewed by Saam Barati.
2541 * dfg/DFGArgumentsEliminationPhase.cpp:
2543 2017-05-17 Don Olmstead <don.olmstead@am.sony.com>
2545 [Win] Support $vm.getpid()
2546 https://bugs.webkit.org/show_bug.cgi?id=172248
2548 Reviewed by Mark Lam.
2550 * tools/JSDollarVMPrototype.cpp:
2551 (JSC::functionGetPID):
2552 (JSC::JSDollarVMPrototype::finishCreation):
2554 2017-05-17 Michael Saboff <msaboff@apple.com>
2556 [iOS] The Garbage Collector shouldn't rely on the bmalloc scavenger for up to date memory footprint info
2557 https://bugs.webkit.org/show_bug.cgi?id=172186
2559 Reviewed by Geoffrey Garen.
2561 The calls to bmalloc::api::memoryFootprint() and ::percentAvailableMemoryInUse() now call
2562 the OS to get up to date values. In overCriticalMemoryThreshold(), we get the current value every
2563 100th call and use a cached value the rest of the time. When collection is done, we start with
2564 a new overCriticalMemoryThreshold value for the next cycle.
2566 The choice of 1 out of 100 calls was validated by using JetStream and verifying that it didn't impact
2567 performance and still provides timely memory footprint data. With additional debug logging, I
2568 determined that we call overCriticalMemoryThreshold() over 20,000 times/second running JetStream.
2569 Other logging showed that there were over 1700 calls to overCriticalMemoryThreshold() on average per
2570 GC cycle. Dividing both of these numbers by 100 seems reasonable.
2573 (JSC::Heap::overCriticalMemoryThreshold):
2574 (JSC::Heap::updateAllocationLimits):
2575 (JSC::Heap::shouldDoFullCollection):
2578 2017-05-17 Saam Barati <sbarati@apple.com>
2580 PinnedRegisters should be better modeled in IRC/Briggs
2581 https://bugs.webkit.org/show_bug.cgi?id=171955
2583 Reviewed by Filip Pizlo.
2585 This patch fixes a bug in Briggs/IRC with respect to pinned registers.
2586 Pinned registers were not part of the assignable register file in IRC/Briggs,
2587 and this would lead to an asymmetry because they were modeled in the
2588 interference graph. The bug is that we use registerCount() to move various
2589 Tmps between various lists in the different allocators, and if a Tmp
2590 interfered with a pinned register (usually via a Patchpoint's clobbered set),
2591 we'd have an interference edge modeled in the degree for that Tmp, but the registerCount()
2592 would make us think that this particular Tmp is not assignable. This would
2593 lead us to fail to color a colorable graph. Specifically, this happened in
2594 our various patchpoint tests that stress the register allocator by forcing
2595 the entire register file into arguments for the patchpoint and then doing
2596 interesting things with the result, arguments, etc.
2598 This patch fixes the bug by coming up with a more natural way to model pinned
2599 registers. Pinned registers are now part of the register file. However,
2600 pinned registers are live at every point in the program (this is a defining
2601 property of a pinned register). In practice, this means that the only Tmps
2602 that can be assigned to pinned registers are ones that are coalescing
2603 candidates. This means the program has some number of defs for a Tmp T like:
2604 MoveType pinnedReg, T
2606 Note, if any other defs for T happen, like:
2608 T will have an interference edge with pinnedReg, since pinnedReg is live
2609 at every point in the program. Modeling pinned registers this way allows
2610 IRC/Briggs to have no special casing for them. It treats it like any other
2611 precolored Tmp. This allows us to do coalescing, biased coloring, etc, which
2612 could all lead to a Tmp being assigned to a pinned register.
2614 Interestingly, we used to have special handling for the frame pointer
2615 register, which in many ways, acts like a pinned register, since FP is
2616 always live, and we wanted it to take place in coalescing. The allocator
2617 had a side-table interference graph with FP. Interestingly, we didn't even
2618 handle this properly everywhere since we could rely on a patchpoint never
2619 claiming to clobber FP (this would be illegal). So the code only handled
2620 the pseudo-pinned register properties of FP in various places. This patch
2621 drops this special casing and pins FP since all pinned registers can take
2624 * b3/B3PatchpointSpecial.h:
2625 * b3/B3Procedure.cpp:
2626 (JSC::B3::Procedure::mutableGPRs):
2627 (JSC::B3::Procedure::mutableFPRs):
2629 * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2630 * b3/air/AirCode.cpp:
2631 (JSC::B3::Air::Code::Code):
2632 (JSC::B3::Air::Code::pinRegister):
2633 (JSC::B3::Air::Code::mutableGPRs):
2634 (JSC::B3::Air::Code::mutableFPRs):
2636 (JSC::B3::Air::Code::pinnedRegisters):
2637 * b3/air/AirSpecial.h:
2638 * b3/air/testair.cpp:
2640 (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
2641 (JSC::B3::testSpillDefSmallerThanUse):
2642 (JSC::B3::testLateRegister):
2643 (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
2644 (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
2645 (JSC::B3::testMoveConstants):
2647 2017-05-16 Yusuke Suzuki <utatane.tea@gmail.com>
2649 [DFG] Constant Folding Phase should convert MakeRope("", String) => Identity(String)
2650 https://bugs.webkit.org/show_bug.cgi?id=172115
2652 Reviewed by Saam Barati.
2654 In Fixup phase, we attempt to fold MakeRope to Identity (or reduce arguments) by dropping
2655 empty strings. However, when we are in Fixup phase, we do not have much information about
2658 In ARES-6 Babylon, we find that we can constant-fold MakeRope by using constants figured
2659 out by CFA. Without it, Babylon repeatedly produces rope strings. To fix this, we introduce
2660 MakeRope handling in constant folding phase.
2662 It shows 7.5% performance improvement in ARES-6 Babylon steadyState.
2666 firstIteration: 50.02 +- 14.56 ms
2667 averageWorstCase: 26.52 +- 4.52 ms
2668 steadyState: 8.15 +- 0.23 ms
2672 firstIteration: 49.08 +- 12.90 ms
2673 averageWorstCase: 25.16 +- 3.82 ms
2674 steadyState: 7.58 +- 0.21 ms
2676 * dfg/DFGAbstractInterpreterInlines.h:
2677 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2678 * dfg/DFGConstantFoldingPhase.cpp:
2679 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2681 2017-05-16 Yusuke Suzuki <utatane.tea@gmail.com>
2683 Unreviewed, add Objective C files to CMake Mac port
2684 https://bugs.webkit.org/show_bug.cgi?id=172103
2686 * shell/PlatformMac.cmake: Added.
2688 2017-05-16 JF Bastien <jfbastien@apple.com>
2690 WebAssembly: enforce size limits
2691 https://bugs.webkit.org/show_bug.cgi?id=165833
2692 <rdar://problem/29760219>
2694 Reviewed by Keith Miller.
2696 Use the same limits as V8.
2698 * JavaScriptCore.xcodeproj/project.pbxproj:
2699 * wasm/WasmLimits.h: Added.
2700 * wasm/WasmModuleParser.cpp:
2701 * wasm/WasmParser.h:
2702 (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
2704 2017-05-15 Yusuke Suzuki <utatane.tea@gmail.com>
2706 [JSC] Build testapi in non Apple ports
2707 https://bugs.webkit.org/show_bug.cgi?id=172103
2709 Reviewed by Filip Pizlo.
2711 This patch makes JSC testapi buildable in non-Apple ports.
2712 We isolate CF related tests in testapi.c. If we do not use
2713 CF, we include JavaScript.h instead of JavaScriptCore.h.
2715 By running the testapi in Linux, we found that constraints
2716 test has a bug: If constraint marker runs after WeakRefs
2717 are destroyed, it accesses destroyed WeakRef. This patch
2720 * API/tests/CurrentThisInsideBlockGetterTest.h:
2721 * API/tests/CustomGlobalObjectClassTest.c:
2722 * API/tests/ExecutionTimeLimitTest.cpp:
2723 * API/tests/FunctionOverridesTest.cpp:
2724 * API/tests/GlobalContextWithFinalizerTest.cpp:
2725 * API/tests/JSObjectGetProxyTargetTest.cpp:
2726 * API/tests/MultithreadedMultiVMExecutionTest.cpp:
2727 * API/tests/PingPongStackOverflowTest.cpp:
2728 * API/tests/TypedArrayCTest.cpp:
2729 * API/tests/testapi.c:
2730 (assertEqualsAsCharactersPtr):
2731 (markingConstraint):
2732 (testMarkingConstraintsAndHeapFinalizers):
2735 * shell/CMakeLists.txt:
2737 2017-05-16 JF Bastien <jfbastien@apple.com>
2739 WebAssembly: report Memory usage to GC
2740 https://bugs.webkit.org/show_bug.cgi?id=170690
2741 <rdar://problem/31965310>
2743 Reviewed by Keith Miller.
2745 * wasm/js/JSWebAssemblyMemory.cpp:
2746 (JSC::JSWebAssemblyMemory::grow):
2747 (JSC::JSWebAssemblyMemory::finishCreation):
2748 (JSC::JSWebAssemblyMemory::visitChildren):
2750 2017-05-16 JF Bastien <jfbastien@apple.com>
2752 WebAssembly: validate load / store alignment
2753 https://bugs.webkit.org/show_bug.cgi?id=168836
2754 <rdar://problem/31965349>
2756 Reviewed by Keith Miller.
2758 * wasm/WasmFunctionParser.h: check the alignment
2759 * wasm/generateWasm.py: generate the log2 alignment helper
2762 (memoryLog2Alignment):
2763 * wasm/generateWasmOpsHeader.py:
2764 (memoryLog2AlignmentGenerator):
2765 * wasm/wasm.json: fix formatting
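The alignment check described in the entry above, as an added illustration that is not JavaScriptCore's own parser code: a WebAssembly load or store carries a memarg (two LEB128 u32 immediates, the log2 alignment hint and the offset), and a module is invalid when the hint exceeds the instruction's natural alignment. The opcode numbers and natural widths are those of the MVP binary format; the function names, the byte samples and the 5-byte LEB128 limit are this example's own choices.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Log2 of the natural alignment for each MVP memory opcode; -1 for non-memory opcodes.
int memoryLog2Alignment(uint8_t opcode) {
    switch (opcode) {
    case 0x2C: case 0x2D: case 0x30: case 0x31: case 0x3A: case 0x3C: return 0; // 8-bit accesses
    case 0x2E: case 0x2F: case 0x32: case 0x33: case 0x3B: case 0x3D: return 1; // 16-bit accesses
    case 0x28: case 0x2A: case 0x34: case 0x35: case 0x36: case 0x38: case 0x3E: return 2; // 32-bit
    case 0x29: case 0x2B: case 0x37: case 0x39: return 3; // 64-bit accesses
    default: return -1;
    }
}

struct MemArg { uint32_t log2Alignment; uint32_t offset; };

// Decode an unsigned LEB128 u32 at `pos`. Fails on truncation, on more than 5 bytes,
// or on bits in the fifth byte that do not fit into 32 bits.
static bool decodeVarUInt32(const std::vector<uint8_t>& bytes, size_t& pos, uint32_t& out) {
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (pos >= bytes.size()) return false;           // truncated input
        uint8_t byte = bytes[pos++];
        if (shift == 28 && (byte & 0x70)) return false;  // value would exceed 32 bits
        result |= static_cast<uint32_t>(byte & 0x7f) << shift;
        if (!(byte & 0x80)) { out = result; return true; }
    }
    return false;                                        // continuation bit set on byte 5
}

// Parse the memarg that follows an already-consumed memory opcode and validate the
// alignment hint: 2^hint must not exceed the access width in bytes.
std::optional<MemArg> parseMemArg(uint8_t opcode, const std::vector<uint8_t>& bytes, size_t& pos) {
    int natural = memoryLog2Alignment(opcode);
    if (natural < 0) return std::nullopt;
    MemArg arg{};
    if (!decodeVarUInt32(bytes, pos, arg.log2Alignment)) return std::nullopt;
    if (!decodeVarUInt32(bytes, pos, arg.offset)) return std::nullopt;
    if (arg.log2Alignment > static_cast<uint32_t>(natural)) return std::nullopt; // invalid module
    return arg;
}

// Helper over a constructed byte sequence (the bytes after the opcode); true only when the
// memarg decodes, passes the alignment rule, and consumes every byte.
bool validateSample(uint8_t opcode, const std::vector<uint8_t>& bytes) {
    size_t pos = 0;
    return parseMemArg(opcode, bytes, pos).has_value() && pos == bytes.size();
}

int main() {
    // i32.load with a hint of 2^3 = 8 bytes on a 4-byte access is rejected.
    std::printf("i32.load align=2: %s\n", validateSample(0x28, {0x02, 0x00}) ? "ok" : "rejected");
    std::printf("i32.load align=3: %s\n", validateSample(0x28, {0x03, 0x00}) ? "ok" : "rejected");
    return 0;
}
```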
2767 2017-05-15 Mark Lam <mark.lam@apple.com>
2769 Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
2770 https://bugs.webkit.org/show_bug.cgi?id=172147
2772 Rubber-stamped by Saam Barati.
2774 I rolled out everything in those 2 patches except for the change to make
2775 CodeBlock::finishCreation() return a bool plus its clients that depend on this.
2776 I made this exception because r214931 relies on this change, and this part of
2777 the change looks correct.
2779 * builtins/BuiltinNames.h:
2780 * builtins/GlobalOperations.js:
2781 (globalPrivate.speciesConstructor):
2782 (globalPrivate.copyDataProperties): Deleted.
2783 * bytecode/CodeBlock.cpp:
2784 (JSC::CodeBlock::finishCreation):
2785 (JSC::CodeBlock::setConstantIdentifierSetRegisters): Deleted.
2786 * bytecode/CodeBlock.h:
2787 * bytecode/UnlinkedCodeBlock.h:
2788 (JSC::UnlinkedCodeBlock::addBitVector):
2789 (JSC::UnlinkedCodeBlock::constantRegisters):
2790 (JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
2791 (JSC::UnlinkedCodeBlock::constantIdentifierSets): Deleted.
2792 * bytecompiler/BytecodeGenerator.cpp:
2793 * bytecompiler/BytecodeGenerator.h:
2794 * bytecompiler/NodesCodegen.cpp:
2795 (JSC::PropertyListNode::emitBytecode):
2796 (JSC::ObjectPatternNode::bindValue):
2797 (JSC::ObjectSpreadExpressionNode::emitBytecode): Deleted.
2798 * parser/ASTBuilder.h:
2799 (JSC::ASTBuilder::createProperty):
2800 (JSC::ASTBuilder::appendObjectPatternEntry):
2801 (JSC::ASTBuilder::createObjectSpreadExpression): Deleted.
2802 (JSC::ASTBuilder::appendObjectPatternRestEntry): Deleted.
2803 (JSC::ASTBuilder::setContainsObjectRestElement): Deleted.
2804 * parser/NodeConstructors.h:
2805 (JSC::PropertyNode::PropertyNode):
2806 (JSC::SpreadExpressionNode::SpreadExpressionNode):
2807 (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): Deleted.
2809 (JSC::ObjectPatternNode::appendEntry):
2810 (JSC::ObjectSpreadExpressionNode::expression): Deleted.
2811 (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
2812 * parser/Parser.cpp:
2813 (JSC::Parser<LexerType>::parseDestructuringPattern):
2814 (JSC::Parser<LexerType>::parseProperty):
2815 * parser/SyntaxChecker.h:
2816 (JSC::SyntaxChecker::createSpreadExpression):
2817 (JSC::SyntaxChecker::createProperty):
2818 (JSC::SyntaxChecker::operatorStackPop):
2819 (JSC::SyntaxChecker::createObjectSpreadExpression): Deleted.
2820 * runtime/ObjectConstructor.cpp:
2821 (JSC::ObjectConstructor::finishCreation):
2822 * runtime/SetPrototype.cpp:
2823 (JSC::SetPrototype::finishCreation):
2825 2017-05-15 David Kilzer <ddkilzer@apple.com>
2827 JSEnvironmentRecord::allocationSizeForScopeSize() and offsetOfVariable(ScopeOffset) should use checked arithmetic
2828 <https://webkit.org/b/172134>
2830 Reviewed by Saam Barati.
2832 * runtime/JSEnvironmentRecord.h:
2833 (JSC::JSEnvironmentRecord::offsetOfVariable): Change to return
2834 size_t and use checked arithmetic.
2835 (JSC::JSEnvironmentRecord::allocationSizeForScopeSize): Change
2836 to use checked arithmetic.
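The reason the entry above switches these two size computations to checked arithmetic, shown as an added example rather than JavaScriptCore's own code: a variable offset or allocation size of the form header + count * slotSize silently wraps for a large count, so an unchecked formula can hand the allocator a tiny size for an object that will later be indexed far beyond it. The header and slot sizes here are assumed layout constants, and the function names only mirror the ones in the entry.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>

// Assumed layout: a fixed header followed by one fixed-size slot per variable.
constexpr size_t kHeaderSize = 64; // bytes before the variable array (assumption)
constexpr size_t kSlotSize = 8;    // bytes per variable slot (assumption)

// Byte offset of variable `index`, or nullopt if header + index * slot would overflow size_t.
std::optional<size_t> offsetOfVariable(size_t index) {
    size_t scaled = 0;
    size_t total = 0;
    if (__builtin_mul_overflow(index, kSlotSize, &scaled)) return std::nullopt;
    if (__builtin_add_overflow(kHeaderSize, scaled, &total)) return std::nullopt;
    return total;
}

// Allocation size for a scope holding `scopeSize` variables: the offset one past the last slot.
// A nullopt result means the caller must refuse the allocation instead of proceeding.
std::optional<size_t> allocationSizeForScopeSize(size_t scopeSize) {
    return offsetOfVariable(scopeSize);
}

// The unchecked form of the same formula, kept only to show the wraparound it allows.
size_t uncheckedAllocationSize(size_t scopeSize) {
    return kHeaderSize + scopeSize * kSlotSize;
}

int main() {
    const size_t huge = SIZE_MAX / 4; // any count beyond SIZE_MAX / kSlotSize wraps
    std::printf("unchecked size for %zu variables: %zu bytes\n", huge, uncheckedAllocationSize(huge));
    std::printf("checked size: %s\n", allocationSizeForScopeSize(huge) ? "ok" : "overflow detected");
    return 0;
}
```

With these constants the unchecked size for SIZE_MAX / 4 variables comes out at 56 bytes, smaller than the header alone, which is exactly the undersized-object condition the checked version refuses.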
2838 2017-05-15 Mark Lam <mark.lam@apple.com>
2840 WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution().
2841 https://bugs.webkit.org/show_bug.cgi?id=171775
2842 <rdar://problem/30975761>
2844 Reviewed by Filip Pizlo.
2846 Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
2847 from 25 to 100. From experience, I found that 25 is sometimes not sufficient
2848 for our debugging needs.
2850 Also added VM::throwingThread() to track which thread an exception was thrown in.
2851 This may be useful if the client is entering the VM from different threads.
2853 * runtime/ExceptionScope.cpp:
2854 (JSC::ExceptionScope::unexpectedExceptionMessage):
2855 * runtime/ExceptionScope.h:
2856 (JSC::ExceptionScope::exception):
2857 (JSC::ExceptionScope::unexpectedExceptionMessage):
2858 * runtime/Options.h:
2859 - Added the unexpectedExceptionStackTraceLimit option.
2861 (JSC::VM::throwException):
2863 (JSC::VM::throwingThread):
2864 (JSC::VM::clearException):
2866 2017-05-13 David Kilzer <ddkilzer@apple.com>
2868 Unused lambda capture in JSContextGroupAddMarkingConstraint()
2869 <https://webkit.org/b/172084>
2871 Reviewed by Saam Barati.
2873 Fixes the following warning with newer clang:
2875 Source/JavaScriptCore/API/JSMarkingConstraintPrivate.cpp:78:11: error: lambda capture 'vm' is not used [-Werror,-Wunused-lambda-capture]
2876 [&vm, constraintCallback, userData]
2879 * API/JSMarkingConstraintPrivate.cpp:
2880 (JSContextGroupAddMarkingConstraint): Remove unused lambda
2883 2017-05-13 David Kilzer <ddkilzer@apple.com>
2885 [JSC] config.rb fails when checking some clang versions
2886 <https://webkit.org/b/172082>
2888 Reviewed by Mark Lam.
2890 * offlineasm/config.rb:
2891 - Add support for quad-dotted version of Apple clang (800.0.12.1).
2892 - Add support for checking open source clang version (5.0.0).
2894 2017-05-13 Commit Queue <commit-queue@webkit.org>
2896 Unreviewed, rolling out r216808.
2897 https://bugs.webkit.org/show_bug.cgi?id=172075
2899 caused lldb to hang when debugging (Requested by smfr on
2904 "Use Mach exceptions instead of signals where possible"
2905 https://bugs.webkit.org/show_bug.cgi?id=171865
2906 http://trac.webkit.org/changeset/216808
2908 2017-05-13 Commit Queue <commit-queue@webkit.org>
2910 Unreviewed, rolling out r216801.
2911 https://bugs.webkit.org/show_bug.cgi?id=172072
2913 Many memory corruption crashes on worker threads (Requested by
2918 "WorkerRunLoop::Task::performTask() should check
2919 !scriptController->isTerminatingExecution()."
2920 https://bugs.webkit.org/show_bug.cgi?id=171775
2921 http://trac.webkit.org/changeset/216801
2923 2017-05-12 Geoffrey Garen <ggaren@apple.com>
2925 [JSC] DFG::Node should not have its own allocator
2926 https://bugs.webkit.org/show_bug.cgi?id=160098
2928 Reviewed by Saam Barati.
2930 I just rebased the patch from <http://trac.webkit.org/changeset/203808>.
2932 I ran Octane and JetStream locally on a MacBook Air and I wasn't able to
2933 reproduce a regression. Let's land this again and see what the bots say.
2935 * JavaScriptCore.xcodeproj/project.pbxproj:
2936 * b3/B3SparseCollection.h:
2937 (JSC::B3::SparseCollection::packIndices):
2938 * dfg/DFGAllocator.h: Removed.
2939 * dfg/DFGDriver.cpp:
2940 (JSC::DFG::compileImpl):
2942 (JSC::DFG::Graph::Graph):
2943 (JSC::DFG::Graph::~Graph):
2944 (JSC::DFG::Graph::deleteNode):
2945 (JSC::DFG::Graph::packNodeIndices):
2946 (JSC::DFG::Graph::addNodeToMapByIndex): Deleted.
2948 (JSC::DFG::Graph::addNode):
2949 (JSC::DFG::Graph::maxNodeCount):
2950 (JSC::DFG::Graph::nodeAt):
2951 * dfg/DFGLongLivedState.cpp: Removed.
2952 * dfg/DFGLongLivedState.h: Removed.
2954 * dfg/DFGNodeAllocator.h:
2956 (JSC::DFG::Plan::compileInThread):
2957 (JSC::DFG::Plan::compileInThreadImpl):
2959 * dfg/DFGWorklist.cpp:
2964 2017-05-12 Keith Miller <keith_miller@apple.com>
2966 Use Mach exceptions instead of signals where possible
2967 https://bugs.webkit.org/show_bug.cgi?id=171865
2969 Reviewed by Mark Lam.
2971 This patch adds some new JSC options. The first is an option that
2972 enables or disables web assembly tier up. The second controls
2973 whether or not we use mach exceptions (where available).
2975 * API/tests/ExecutionTimeLimitTest.cpp:
2976 (dispatchTermitateCallback):
2977 (testExecutionTimeLimit):
2978 * runtime/JSLock.cpp:
2979 (JSC::JSLock::didAcquireLock):
2980 * runtime/Options.cpp:
2981 (JSC::overrideDefaults):
2982 (JSC::Options::initialize):
2983 * runtime/Options.h:
2984 * runtime/VMTraps.cpp:
2985 (JSC::SignalContext::SignalContext):
2986 (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
2987 (JSC::installSignalHandler):
2988 (JSC::VMTraps::SignalSender::send):
2989 * tools/SigillCrashAnalyzer.cpp:
2990 (JSC::SignalContext::SignalContext):
2991 (JSC::SignalContext::dump):
2992 (JSC::installCrashHandler):
2993 * wasm/WasmBBQPlan.cpp:
2994 (JSC::Wasm::BBQPlan::compileFunctions):
2995 * wasm/WasmFaultSignalHandler.cpp:
2996 (JSC::Wasm::trapHandler):
2997 (JSC::Wasm::enableFastMemory):
2998 * wasm/WasmMachineThreads.cpp:
2999 (JSC::Wasm::resetInstructionCacheOnAllThreads):
3001 2017-05-12 Mark Lam <mark.lam@apple.com>
3003 WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution().
3004 https://bugs.webkit.org/show_bug.cgi?id=171775
3005 <rdar://problem/30975761>
3007 Reviewed by Saam Barati.
3009 Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
3010 from 25 to 100. From experience, I found that 25 is sometimes not sufficient
3011 for our debugging needs.
3013 Also added VM::throwingThread() to track which thread an exception was thrown in.
3014 This may be useful if the client is entering the VM from different threads.
3016 * runtime/ExceptionScope.cpp:
3017 (JSC::ExceptionScope::unexpectedExceptionMessage):
3018 * runtime/ExceptionScope.h:
3019 (JSC::ExceptionScope::exception):
3020 (JSC::ExceptionScope::unexpectedExceptionMessage):
3021 * runtime/Options.h:
3022 - Added the unexpectedExceptionStackTraceLimit option.
3024 (JSC::VM::throwException):
3026 (JSC::VM::throwingThread):
3027 (JSC::VM::clearException):
3029 2017-05-12 Daniel Bates <dabates@apple.com>
3031 Cleanup: Make QueueTaskToEventLoopFunctionPtr take JSGlobalObject&
3032 https://bugs.webkit.org/show_bug.cgi?id=172021
3034 Reviewed by Mark Lam.
3036 Change the function alias for QueueTaskToEventLoopFunctionPtr to take JSGlobalObject&
3037 instead of a const JSGlobalObject* as all implementations expect to be passed a non-
3038 const, non-null JSGlobalObject object.
3040 * runtime/JSGlobalObject.cpp:
3041 (JSC::JSGlobalObject::queueMicrotask):
3042 * runtime/JSGlobalObject.h:
3044 (JSC::VM::queueMicrotask):
3045 * runtime/VM.h: Remove JS_EXPORT_PRIVATE annotation from queueMicrotask() as
3046 it is only called from JavaScriptCore code.
3048 2017-05-12 Michael Saboff <msaboff@apple.com>
3050 [iOS] Use memory footprint to dynamically adjust behavior of allocators
3051 https://bugs.webkit.org/show_bug.cgi?id=171944
3053 Reviewed by Filip Pizlo.
3055 This change is iOS only.
3057 Added the ability to react to when memory usage is critical. This is defined as memory
3058 usage being above the newly added option criticalGCMemoryThreshold. When we are in this
3059 critical state, all collections are Full and we limit the amount of memory we allocate
3060 between collections to 1/4th the memory above the critical threshold.
3062 Changed the calculation of proportionalHeapSize to be based on process memory footprint
3063 and not how big the heap is. Also, the values of Options::smallHeapRAMFraction and
3064 Options::mediumHeapRAMFraction are overridden so that most of the heap growth happens
3065 using the more aggressive Options::smallHeapGrowthFactor.
3069 (JSC::Heap::overCriticalMemoryThreshold):
3070 (JSC::Heap::shouldDoFullCollection):
3071 (JSC::Heap::collectIfNecessaryOrDefer):
3073 * runtime/Options.cpp:
3074 (JSC::overrideDefaults):
3075 (JSC::Options::initialize):
3076 * runtime/Options.h:
3078 2017-05-11 Saam Barati <sbarati@apple.com>
3080 Computing optionalDefArgWidth in CheckSpecial should not consider Scratch roles
3081 https://bugs.webkit.org/show_bug.cgi?id=171962
3083 Reviewed by Filip Pizlo.
3085 The purpose of getting the result width is to get the width of
3086 the result of the arithmetic. It does not care about that the
3087 Check happens to define scratches.
3089 * b3/B3CheckSpecial.cpp:
3090 (JSC::B3::CheckSpecial::forEachArg):
3092 (JSC::B3::testCheckMul):
3093 (JSC::B3::testCheckMulMemory):
3094 (JSC::B3::testCheckMul64):
3095 (JSC::B3::testCheckMulFold):
3096 (JSC::B3::testCheckMulFoldFail):
3097 (JSC::B3::testCheckMulArgumentAliasing64):
3098 (JSC::B3::testCheckMulArgumentAliasing32):
3099 (JSC::B3::testCheckMul64SShr):
3101 2017-05-11 Saam Barati <sbarati@apple.com>
3103 isValidForm for SimpleAddr should use ptr() instead of tmp()
3104 https://bugs.webkit.org/show_bug.cgi?id=171992
3106 Reviewed by Filip Pizlo.
3108 Arg::tmp() asserts that its kind is Tmp. Inst::isValidForm for
3109 SimpleAddr was using Arg::tmp() instead of ptr() to check
3110 if the address Tmp isGP(). It should be using Arg::ptr() instead
3111 of Arg::tmp() since Arg::ptr() is designed for SimpleAddr.
3113 This patch also fixes an incorrect assertion in the ARM64
3114 macro assembler. We were asserting various atomic ops were
3115 only over 32/64 bit operations. However, the code was properly handling
3116 8/16/32/64 bit ops. I changed the assertion to reflect what is
3119 * assembler/ARM64Assembler.h:
3120 (JSC::ARM64Assembler::ldar):
3121 (JSC::ARM64Assembler::ldxr):
3122 (JSC::ARM64Assembler::ldaxr):
3123 (JSC::ARM64Assembler::stxr):
3124 (JSC::ARM64Assembler::stlr):
3125 (JSC::ARM64Assembler::stlxr):
3126 * b3/air/opcode_generator.rb:
3128 (JSC::B3::testLoadAcq42):
3129 (JSC::B3::testStoreRelAddLoadAcq32):
3130 (JSC::B3::testStoreRelAddLoadAcq8):
3131 (JSC::B3::testStoreRelAddFenceLoadAcq8):
3132 (JSC::B3::testStoreRelAddLoadAcq16):
3133 (JSC::B3::testStoreRelAddLoadAcq64):
3134 (JSC::B3::testAtomicWeakCAS):
3135 (JSC::B3::testAtomicStrongCAS):
3136 (JSC::B3::testAtomicXchg):
3138 2017-05-11 Matt Lewis <jlewis3@apple.com>
3140 Unreviewed, rolling out r216677.
3142 Patch caused layout test crashes.
3146 "WorkerThread::stop() should call
3147 scheduleExecutionTermination() last."
3148 https://bugs.webkit.org/show_bug.cgi?id=171775
3149 http://trac.webkit.org/changeset/216677
3151 2017-05-11 Don Olmstead <don.olmstead@am.sony.com>
3153 [CMake] Add HAVE check for regex.h
3154 https://bugs.webkit.org/show_bug.cgi?id=171950
3156 Reviewed by Michael Catanzaro.
3158 * runtime/ConfigFile.cpp:
3159 (JSC::ConfigFile::parse):
3161 2017-05-11 Filip Pizlo <fpizlo@apple.com>
3163 Callers of JSString::unsafeView() should check exceptions
3164 https://bugs.webkit.org/show_bug.cgi?id=171995
3166 Reviewed by Mark Lam.
3168 unsafeView() can throw OOME. So, callers of unsafeView() should check for exceptions before trying
3171 Also, I made the functions surrounding unsafeView() take ExecState* not ExecState&, to comply with
3174 * dfg/DFGOperations.cpp:
3178 * runtime/ArrayPrototype.cpp:
3179 (JSC::arrayProtoFuncJoin):
3180 * runtime/FunctionConstructor.cpp:
3181 (JSC::constructFunctionSkippingEvalEnabledCheck):
3182 * runtime/IntlCollatorPrototype.cpp:
3183 (JSC::IntlCollatorFuncCompare):
3184 * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3185 (JSC::genericTypedArrayViewProtoFuncJoin):
3186 * runtime/JSGlobalObjectFunctions.cpp:
3187 (JSC::globalFuncParseFloat):
3188 * runtime/JSONObject.cpp:
3189 (JSC::JSONProtoFuncParse):
3190 * runtime/JSString.cpp:
3191 (JSC::JSString::getPrimitiveNumber):
3192 (JSC::JSString::toNumber):
3193 * runtime/JSString.h:
3194 (JSC::JSString::getIndex):
3195 (JSC::JSRopeString::unsafeView):
3196 (JSC::JSRopeString::viewWithUnderlyingString):
3197 (JSC::JSString::unsafeView):
3198 (JSC::JSString::viewWithUnderlyingString):
3199 * runtime/JSStringJoiner.h:
3200 (JSC::JSStringJoiner::appendWithoutSideEffects):
3201 (JSC::JSStringJoiner::append):
3202 * runtime/ParseInt.h:
3203 (JSC::toStringView):
3204 * runtime/StringPrototype.cpp:
3205 (JSC::stringProtoFuncRepeatCharacter):
3206 (JSC::stringProtoFuncCharAt):
3207 (JSC::stringProtoFuncCharCodeAt):
3208 (JSC::stringProtoFuncIndexOf):
3209 (JSC::stringProtoFuncNormalize):
3211 2017-05-11 Filip Pizlo <fpizlo@apple.com>
3213 Offer SPI to notify clients that GC has happened
3214 https://bugs.webkit.org/show_bug.cgi?id=171980
3216 Reviewed by Geoffrey Garen.
3218 Sometimes when you're programming with weak references, it's most convenient if the GC tells
3219 you when it finishes. This adds exactly such an API. This API is called at the *flip*: the
3220 moment when the GC knows for sure which objects are dead and has definitely not allocated any
3221 new objects or executed any JS code. The finalization part of the flip, which is where this
3222 callback gets called, runs on the "main" thread - i.e. some thread that is attempting to
3223 execute JS code and holds the JS lock. This will usually run as a side-effect of some
3224 allocation or from the runloop.
3226 This means, for example, that if you implemented a vector of weak references and registered a
3227 callback to prune the vector of null weak references, then aside from the callback, nobody
3228 would ever see a null weak reference in the vector.
3230 * API/JSHeapFinalizerPrivate.cpp: Added.
3231 (JSContextGroupAddHeapFinalizer):
3232 (JSContextGroupRemoveHeapFinalizer):
3233 * API/JSHeapFinalizerPrivate.h: Added.
3234 * API/tests/testapi.c:
3236 (testMarkingConstraintsAndHeapFinalizers):
3238 (testMarkingConstraints): Deleted.
3240 * JavaScriptCore.xcodeproj/project.pbxproj:
3242 (JSC::Heap::finalize):
3243 (JSC::Heap::addHeapFinalizerCallback):
3244 (JSC::Heap::removeHeapFinalizerCallback):
3246 * heap/HeapFinalizerCallback.cpp: Added.
3247 (JSC::HeapFinalizerCallback::dump):
3248 * heap/HeapFinalizerCallback.h: Added.
3249 (JSC::HeapFinalizerCallback::HeapFinalizerCallback):
3250 (JSC::HeapFinalizerCallback::operator==):
3251 (JSC::HeapFinalizerCallback::operator!=):
3252 (JSC::HeapFinalizerCallback::operator bool):
3253 (JSC::HeapFinalizerCallback::run):
3255 2017-05-11 Filip Pizlo <fpizlo@apple.com>
3257 JSWeakCreate/Retain/Release should take a JSContextGroupRef and not a JSContextRef
3258 https://bugs.webkit.org/show_bug.cgi?id=171979
3260 Reviewed by Mark Lam.
3262 Functions that don't execute arbitrary JS but just need access to the VM should take a
3263 JSContextGroupRef, not a JSContextRef.
3265 * API/JSWeakPrivate.cpp:
3269 * API/JSWeakPrivate.h:
3270 * API/tests/testapi.c:
3271 (testMarkingConstraints):
3273 2017-05-11 Mark Lam <mark.lam@apple.com>
3275 WorkerThread::stop() should call scheduleExecutionTermination() last.
3276 https://bugs.webkit.org/show_bug.cgi?id=171775
3277 <rdar://problem/30975761>
3279 Reviewed by Geoffrey Garen.
3281 Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
3282 from 25 to 100. From experience, I found that 25 is sometimes not sufficient
3283 for our debugging needs.
3285 Also added VM::throwingThread() to track which thread an exception was thrown in.
3286 This may be useful if the client is entering the VM from different threads.
3288 * runtime/ExceptionScope.cpp:
3289 (JSC::ExceptionScope::unexpectedExceptionMessage):
3290 (JSC::ExceptionScope::releaseAssertIsTerminatedExecutionException):
3291 * runtime/ExceptionScope.h:
3292 (JSC::ExceptionScope::exception):
3293 (JSC::ExceptionScope::unexpectedExceptionMessage):
3295 (JSC::VM::throwException):
3297 (JSC::VM::throwingThread):
3298 (JSC::VM::clearException):
3300 2017-05-11 JF Bastien <jfbastien@apple.com>
3302 WebAssembly: stop supporting 0xD
3303 https://bugs.webkit.org/show_bug.cgi?id=168788
3304 <rdar://problem/31880922>
3306 Reviewed by Saam Barati.
3308 Only version 1 is supported by other browsers, and there shouldn't
3309 be any 0xD binaries in the wild anymore.
3311 * wasm/WasmModuleParser.cpp:
3313 2017-05-09 Sam Weinig <sam@webkit.org>
3315 Remove support for legacy Notifications
3316 https://bugs.webkit.org/show_bug.cgi?id=171487
3318 Reviewed by Jon Lee.
3320 * Configurations/FeatureDefines.xcconfig:
3321 Remove definition of ENABLE_LEGACY_NOTIFICATIONS.
3323 2017-05-10 Commit Queue <commit-queue@webkit.org>
3325 Unreviewed, rolling out r216635.
3326 https://bugs.webkit.org/show_bug.cgi?id=171953
3328 "Some worker tests are failing". (Requested by mlam on #webkit).
3332 "WorkerThread::stop() should call
3333 scheduleExecutionTermination() last."
3334 https://bugs.webkit.org/show_bug.cgi?id=171775
3335 http://trac.webkit.org/changeset/216635
3337 2017-05-10 Mark Lam <mark.lam@apple.com>
3339 Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
3340 https://bugs.webkit.org/show_bug.cgi?id=160337
3341 <rdar://problem/27611733>
3345 Updated a comment per Geoff's suggestion.
3347 * heap/MachineStackMarker.cpp:
3348 (JSC::MachineThreads::tryCopyOtherThreadStack):
3350 2017-05-10 Mark Lam <mark.lam@apple.com>
3352 WorkerThread::stop() should call scheduleExecutionTermination() last.
3353 https://bugs.webkit.org/show_bug.cgi?id=171775
3354 <rdar://problem/30975761>
3356 Reviewed by Geoffrey Garen.
3358 Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
3359 from 25 to 100. From experience, I found that 25 is sometimes not sufficient