2016-02-28 Filip Pizlo <fpizlo@apple.com>

FTL should be able to run everything in Octane/regexp
https://bugs.webkit.org/show_bug.cgi?id=154266

Reviewed by Saam Barati.

Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
DFG backend optimization anyway - if we need this optimization then it should be a
strength reduction rule over IR. That way, it can be shared by all backends.

I measured whether removing that optimization had any effect on performance separately
from measuring the performance of this patch. Removing that optimization did not change
our score on any benchmarks.

This patch does have an overall negative effect on the Octane/regexp score. This is
presumably because tiering up to the FTL has no value to the code in the regexp test. Or
maybe it's something else. No matter - the overall effect on the Octane score is not
statistically significant and we don't want this kind of coverage blocked by the fact
that adding coverage hurts a benchmark.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::Node::setIndexingType):
(JSC::DFG::Node::hasRegexpIndex):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNotifyWrite):
(JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
(JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
(JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
(JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
* tests/stress/ftl-regexp-exec.js: Added.
* tests/stress/ftl-regexp-test.js: Added.
2016-02-28 Andreas Kling <akling@apple.com>

Make JSFunction.name allocation fully lazy.
<https://webkit.org/b/154806>

Reviewed by Saam Barati.

We were reifying the "name" field on functions lazily, but created the string
value itself up front. This patch gets rid of the up-front allocation,
saving us a JSString allocation per function in most cases.

* builtins/BuiltinExecutables.cpp:
(JSC::createExecutableInternal):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::visitChildren):
* bytecode/UnlinkedFunctionExecutable.h:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
* runtime/Executable.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::reifyName):

2016-02-28 Andreas Kling <akling@apple.com>

REGRESSION(r197303): 4 jsc tests failing on bots.

Unreviewed follow-up fix.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
can still get called with !m_rareData, in case the type profiler is active but this
particular code block doesn't have type profiler data. Handle it gracefully.

2016-02-28 Andreas Kling <akling@apple.com>

Shrink UnlinkedCodeBlock a bit.
<https://webkit.org/b/154797>

Reviewed by Anders Carlsson.

Move profiler-related members of UnlinkedCodeBlock into its RareData
structure, saving 40 bytes, and then reorder the other members of
UnlinkedCodeBlock to save another 24 bytes, netting a nice total of 64.

The VM member was removed entirely since UnlinkedCodeBlock is a cell
and can retrieve its VM through MarkedBlock header lookup.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::vm):
(JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
(JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::addRegExp):
(JSC::UnlinkedCodeBlock::addConstant):
(JSC::UnlinkedCodeBlock::addFunctionDecl):
(JSC::UnlinkedCodeBlock::addFunctionExpr):
(JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
(JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
(JSC::UnlinkedCodeBlock::vm): Deleted.
2016-02-27 Filip Pizlo <fpizlo@apple.com>

FTL should lower its abstract heaps to B3 heap ranges
https://bugs.webkit.org/show_bug.cgi?id=154782

Reviewed by Saam Barati.

The FTL can describe the abstract heaps (points-to sets) that a memory operation will
affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
notion - the HeapRange. That's what this patch fixes.

B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
affects by specifying a heap range: a begin...end pair that says that the operation
affects all abstract heaps H such that begin <= H < end.

This peculiar scheme was a deliberate attempt to distill what the abstract heap
hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:

- A heap's end is greater than its begin.
- A heap's begin is greater than or equal to its parent's begin.
- A heap's end is less than or equal to its parent's end.

This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
went for the iterative traversal, which is a splendid algorithm, but it's totally
unnecessary here since we tightly control the height of the heap hierarchy.

Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
generate new ones for field names and constant indices we encounter, we can't actually
decorate the B3 instructions we create in lowering until all lowering is done. Adding a
new abstract heap to the hierarchy after ranges were already computed would require
updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
patch solves that problem by recording the associations between abstract heaps and their
intended roles in the generated IR, and then decorating all of the relevant B3 values
after we compute the ranges of the hierarchy after lowering.

This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
speed-up on any benchmark. That's not too surprising. We already have very precise CSE
in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
already been getting the big ones even without alias analysis.

Even without a speed-up, this patch is valuable because it makes it easier to implement
other optimizations, like store elimination.

(JSC::B3::HeapRange::HeapRange):
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::AbstractHeap::AbstractHeap):
(JSC::FTL::AbstractHeap::changeParent):
(JSC::FTL::AbstractHeap::compute):
(JSC::FTL::AbstractHeap::shallowDump):
(JSC::FTL::AbstractHeap::dump):
(JSC::FTL::AbstractHeap::deepDump):
(JSC::FTL::AbstractHeap::badRangeError):
(JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
(JSC::FTL::IndexedAbstractHeap::baseIndex):
(JSC::FTL::IndexedAbstractHeap::atSlow):
(JSC::FTL::IndexedAbstractHeap::initialize):
(JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
(JSC::FTL::AbstractField::dump): Deleted.
* ftl/FTLAbstractHeap.h:
(JSC::FTL::AbstractHeap::AbstractHeap):
(JSC::FTL::AbstractHeap::isInitialized):
(JSC::FTL::AbstractHeap::initialize):
(JSC::FTL::AbstractHeap::parent):
(JSC::FTL::AbstractHeap::heapName):
(JSC::FTL::AbstractHeap::range):
(JSC::FTL::AbstractHeap::offset):
(JSC::FTL::IndexedAbstractHeap::atAnyIndex):
(JSC::FTL::IndexedAbstractHeap::at):
(JSC::FTL::IndexedAbstractHeap::operator[]):
(JSC::FTL::IndexedAbstractHeap::returnInitialized):
(JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
(JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
(JSC::FTL::AbstractHeap::changeParent): Deleted.
(JSC::FTL::AbstractField::AbstractField): Deleted.
(JSC::FTL::AbstractField::initialize): Deleted.
(JSC::FTL::AbstractField::offset): Deleted.
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
(JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
(JSC::FTL::AbstractHeapRepository::decorateMemory):
(JSC::FTL::AbstractHeapRepository::decorateCCallRead):
(JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
(JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
(JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
(JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
* ftl/FTLAbstractHeapRepository.h:
(JSC::FTL::AbstractHeapRepository::forArrayType):
(JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::Output::load):
(JSC::FTL::Output::load8SignExt32):
(JSC::FTL::Output::load8ZeroExt32):
(JSC::FTL::Output::load16SignExt32):
(JSC::FTL::Output::load16ZeroExt32):
(JSC::FTL::Output::store):
(JSC::FTL::Output::store32As8):
(JSC::FTL::Output::store32As16):
(JSC::FTL::Output::baseIndex):
(JSC::FTL::Output::address):
(JSC::FTL::Output::absolute):
(JSC::FTL::Output::load8SignExt32):
(JSC::FTL::Output::load8ZeroExt32):
(JSC::FTL::Output::load16SignExt32):
(JSC::FTL::Output::load16ZeroExt32):
(JSC::FTL::Output::load32):
(JSC::FTL::Output::load64):
(JSC::FTL::Output::loadPtr):
(JSC::FTL::Output::loadDouble):
(JSC::FTL::Output::store32):
(JSC::FTL::Output::store64):
(JSC::FTL::Output::storePtr):
(JSC::FTL::Output::storeDouble):
(JSC::FTL::Output::ascribeRange):
(JSC::FTL::Output::nonNegative32):
(JSC::FTL::Output::load32NonNegative):
(JSC::FTL::Output::equal):
(JSC::FTL::Output::notEqual):
* ftl/FTLTypedPointer.h:
(JSC::FTL::TypedPointer::operator!):
(JSC::FTL::TypedPointer::heap):
(JSC::FTL::TypedPointer::value):
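
The begin...end numbering scheme described in the entry above, as an added stand-alone JavaScript model (not JSC or B3 code): it assigns ranges by the recursive traversal, checks the three invariants, reduces an alias query to a range overlap, and shows why a heap created late in lowering forces a renumbering. Heap names in the sample hierarchy are made up.

```javascript
// Added illustration (not JSC code) of the begin...end numbering scheme for
// abstract heaps described in the entry above. Each heap owns the half-open
// range [begin, end); a child's range nests inside its parent's, so "does this
// load alias that store?" reduces to a range-overlap test on two integer pairs.

class AbstractHeap {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.begin = undefined;            // both assigned by compute()
    this.end = undefined;
    if (parent) parent.children.push(this);
  }

  // Recursive traversal: a heap takes one number for itself, then hands the
  // next free number to each child in turn; its end is the first number no
  // descendant uses. This yields the three invariants listed in the entry.
  compute(begin = 0) {
    this.begin = begin;
    let next = begin + 1;
    for (const child of this.children) next = child.compute(next);
    this.end = next;
    return next;                       // first number free for the next sibling
  }

  range() {
    if (this.begin === undefined) throw new Error(`${this.name}: compute() not run`);
    return { begin: this.begin, end: this.end };
  }
}

// Two half-open ranges alias exactly when they overlap. Nothing about the
// hierarchy is needed once the ranges exist, which is what makes this cheap.
function overlaps(a, b) {
  return a.begin < b.end && b.begin < a.end;
}

// A small hierarchy in the spirit of the FTL one; the heap names are made up.
function buildHierarchy() {
  const root = new AbstractHeap('root');
  const cell = new AbstractHeap('JSCell', root);
  const structure = new AbstractHeap('JSCell_structure', cell);
  const butterfly = new AbstractHeap('JSObject_butterfly', cell);
  const props = new AbstractHeap('properties', root);
  const prop0 = new AbstractHeap('properties[0]', props);
  root.compute();
  return { root, cell, structure, butterfly, props, prop0 };
}

// Check the entry's three invariants for every heap under `heap`.
function invariantsHold(heap) {
  const { begin, end } = heap.range();
  if (!(end > begin)) return false;
  if (heap.parent) {
    const p = heap.parent.range();
    if (!(begin >= p.begin && end <= p.end)) return false;
  }
  return heap.children.every(invariantsHold);
}

// Why ranges cannot be handed out while lowering is still creating heaps:
// adding a heap under an earlier sibling shifts every heap "to the right" of
// it, so anything already decorated with the old numbers would be stale.
function rangesShiftAfterLateInsert() {
  const h = buildHierarchy();
  const before = h.props.range();
  new AbstractHeap('JSObject_indexingType', h.cell);   // created "during lowering"
  h.root.compute();                                     // everything must be renumbered
  const after = h.props.range();
  return before.begin !== after.begin;
}

// Stand-alone run: dump the numbering and answer two alias queries.
const demoHeaps = buildHierarchy();
for (const h of Object.values(demoHeaps)) console.log(h.name, h.range());
console.log('butterfly vs structure alias:', overlaps(demoHeaps.butterfly.range(), demoHeaps.structure.range()));
console.log('butterfly vs JSCell alias:   ', overlaps(demoHeaps.butterfly.range(), demoHeaps.cell.range()));
```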
2016-02-28 Skachkov Oleksandr <gskachkov@gmail.com>

[ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
https://bugs.webkit.org/show_bug.cgi?id=153981

Reviewed by Saam Barati.

In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
'super' and 'new.target' whenever an arrow function existed, even if the variables were not used in the arrow function.
The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
During syntax analysis the parser stores information about the variables used in the arrow function inside
the ordinary function scope, and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
(JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
(JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
(JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
(JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
(JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
(JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
(JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
(JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
(JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
(JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
(JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ThisNode::emitBytecode):
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createBracketAccess):
(JSC::ASTBuilder::createDotAccess):
(JSC::ASTBuilder::usesSuperCall):
(JSC::ASTBuilder::usesSuperProperty):
(JSC::ASTBuilder::makeFunctionCallNode):
(JSC::ScopeNode::ScopeNode):
(JSC::ProgramNode::ProgramNode):
(JSC::ModuleProgramNode::ModuleProgramNode):
(JSC::EvalNode::EvalNode):
(JSC::FunctionNode::FunctionNode):
(JSC::ScopeNode::innerArrowFunctionCodeFeatures):
(JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
(JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
(JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
(JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
(JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
(JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
(JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
(JSC::ScopeNode::usesSuperCall):
(JSC::ScopeNode::usesSuperProperty):
(JSC::Parser<LexerType>::parseProperty):
(JSC::Parser<LexerType>::parsePrimaryExpression):
(JSC::Parser<LexerType>::parseMemberExpression):
(JSC::Scope::isArrowFunctionBoundary):
(JSC::Scope::innerArrowFunctionFeatures):
(JSC::Scope::setInnerArrowFunctionUsesSuperCall):
(JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
(JSC::Scope::setInnerArrowFunctionUsesEval):
(JSC::Scope::setInnerArrowFunctionUsesThis):
(JSC::Scope::setInnerArrowFunctionUsesNewTarget):
(JSC::Scope::setInnerArrowFunctionUsesArguments):
(JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
(JSC::Scope::collectFreeVariables):
(JSC::Scope::mergeInnerArrowFunctionFeatures):
(JSC::Scope::fillParametersForSourceProviderCache):
(JSC::Scope::restoreFromSourceProviderCache):
(JSC::Scope::setIsFunction):
(JSC::Scope::setIsArrowFunction):
(JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
(JSC::Parser::pushScope):
(JSC::Parser::popScopeInternal):
(JSC::Parser<LexerType>::parse):
* parser/ParserModes.h:
* parser/SourceProviderCacheItem.h:
(JSC::SourceProviderCacheItem::SourceProviderCacheItem):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createFunctionMetadata):
* tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
* tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
* tests/stress/arrowfunction-lexical-bind-newtarget.js:
* tests/stress/arrowfunction-lexical-bind-superproperty.js:
* tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
2016-02-28 Saam barati <sbarati@apple.com>

ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
https://bugs.webkit.org/show_bug.cgi?id=154768

Reviewed by Ryosuke Niwa.

This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
We weren't correctly propagating the result of this operation to the
out PropertySlot& parameter. This patch fixes that and adds tests.

* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyDescriptor):
I added a missing exception check after object allocation
because I saw that it was missing while reading the code.

* runtime/PropertyDescriptor.cpp:
(JSC::PropertyDescriptor::setUndefined):
(JSC::PropertyDescriptor::slowGetterSetter):
(JSC::PropertyDescriptor::getter):
* runtime/PropertyDescriptor.h:
(JSC::PropertyDescriptor::attributes):
(JSC::PropertyDescriptor::value):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
* tests/stress/proxy-get-own-property.js:
(let.handler.getOwnPropertyDescriptor):
(set get let.handler.return):
(set get let.handler.getOwnPropertyDescriptor):
2016-02-27 Andy VanWagoner <thetalecrafter@gmail.com>

Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
https://bugs.webkit.org/show_bug.cgi?id=152448

Reviewed by Darin Adler.

Add defaultLanguage to the globalObjectMethodTable and use it for the
default locale in Intl object initializations. Fall back to ICU default
locale only if the defaultLanguage function is null, or returns an

* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/IntlObject.cpp:
(JSC::defaultLocale):
(JSC::lookupMatcher):
(JSC::bestFitMatcher):
(JSC::resolveLocale):
* runtime/IntlObject.h:
* runtime/JSGlobalObject.cpp:
* runtime/JSGlobalObject.h:
* runtime/StringPrototype.cpp:

2016-02-27 Oliver Hunt <oliver@apple.com>

* jit/ExecutableAllocatorFixedVMPool.cpp:

2016-02-26 Oliver Hunt <oliver@apple.com>

Remove the on demand executable allocator
https://bugs.webkit.org/show_bug.cgi?id=154749

Reviewed by Geoffrey Garen.

Remove all the DemandExecutable code and executable allocator ifdefs.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* jit/ExecutableAllocator.cpp: Removed.
(JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
(JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
(JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
(JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
(JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
(JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
(JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
(JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
(JSC::DemandExecutableAllocator::allocators): Deleted.
(JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
(JSC::ExecutableAllocator::initializeAllocator): Deleted.
(JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
(JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
(JSC::ExecutableAllocator::isValid): Deleted.
(JSC::ExecutableAllocator::underMemoryPressure): Deleted.
(JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
(JSC::ExecutableAllocator::allocate): Deleted.
(JSC::ExecutableAllocator::committedByteCount): Deleted.
(JSC::ExecutableAllocator::dumpProfile): Deleted.
(JSC::ExecutableAllocator::getLock): Deleted.
(JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
(JSC::ExecutableAllocator::reprotectRegion): Deleted.
* jit/ExecutableAllocator.h:
* jit/ExecutableAllocatorFixedVMPool.cpp:
* jit/JITStubRoutine.h:
(JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
(JSC::JITStubRoutine::filteringStartAddress): Deleted.
(JSC::JITStubRoutine::filteringExtentSize): Deleted.
2016-02-26 Joseph Pecoraro <pecoraro@apple.com>

Reduce direct callers of Structure::findStructuresAndMapForMaterialization
https://bugs.webkit.org/show_bug.cgi?id=154751

Reviewed by Mark Lam.

* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
This property name iteration is identical to Structure::forEachPropertyConcurrently.
Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.

2016-02-26 Mark Lam <mark.lam@apple.com>

Function.name and Function.length should be configurable.
https://bugs.webkit.org/show_bug.cgi?id=154604

Reviewed by Saam Barati.

According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
"Unless otherwise specified, the name property of a built-in Function object,
if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
[[Configurable]]: true }."

Similarly, "the length property of a built-in Function object has the attributes
{ [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."

This patch makes Function.name and Function.length configurable.

We do this by lazily reifying the JSFunction name and length properties on first
access. We track whether each of these properties has been reified using flags
in the FunctionRareData. On first access, if not already reified, we will put
the property into the object with its default value and attributes and set the
reified flag. Thereafter, we rely on the base JSObject to handle access to the

Also, lots of test results have to be re-baselined because the old Function.length
has attribute DontDelete, which is in conflict with the ES6 requirement that it

* runtime/FunctionRareData.h:
(JSC::FunctionRareData::hasReifiedLength):
(JSC::FunctionRareData::setHasReifiedLength):
(JSC::FunctionRareData::hasReifiedName):
(JSC::FunctionRareData::setHasReifiedName):
- Flags for tracking whether each property has been reified.

* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
(JSC::JSFunction::createBuiltinFunction):
- Host and builtin functions currently always reify their name and length
properties. Currently, for builtins, the default names that are used may
differ from the executable name. For now, we'll stay with keeping this
alternate approach to getting the name and length properties for host and
However, we need their default attribute to be configurable as well.

(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):
(JSC::JSFunction::reifyLength):
(JSC::JSFunction::reifyName):
(JSC::JSFunction::reifyLazyPropertyIfNeeded):
(JSC::JSFunction::lengthGetter): Deleted.
(JSC::JSFunction::nameGetter): Deleted.
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::hasReifiedLength):
(JSC::JSFunction::hasReifiedName):

- 4 new passing tests.

* tests/mozilla/ecma/Array/15.4.4.3-1.js:
* tests/mozilla/ecma/Array/15.4.4.4-1.js:
* tests/mozilla/ecma/Array/15.4.4.4-2.js:
* tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
* tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
* tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
* tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
* tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
* tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
* tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
* tests/mozilla/ecma/String/15.5.4.10-1.js:
* tests/mozilla/ecma/String/15.5.4.11-1.js:
* tests/mozilla/ecma/String/15.5.4.11-5.js:
* tests/mozilla/ecma/String/15.5.4.12-1.js:
* tests/mozilla/ecma/String/15.5.4.6-2.js:
* tests/mozilla/ecma/String/15.5.4.7-2.js:
* tests/mozilla/ecma/String/15.5.4.8-1.js:
* tests/mozilla/ecma/String/15.5.4.9-1.js:
- Rebase expected test results.

* tests/stress/function-configurable-properties.js: Added.
2016-02-26 Keith Miller <keith_miller@apple.com>

Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
https://bugs.webkit.org/show_bug.cgi?id=154743

Reviewed by Mark Lam.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

2016-02-26 Keith Miller <keith_miller@apple.com>

Native Typed Array functions should use Symbol.species
https://bugs.webkit.org/show_bug.cgi?id=154569

Reviewed by Michael Saboff.

This patch adds support for Symbol.species in the native Typed Array prototype
functions. Additionally, now that other types of typedarrays are creatable inside
the slice we use the JSGenericTypedArrayView::set function, which has been beefed
up, to put everything into the correct place.

* runtime/JSDataView.cpp:
(JSC::JSDataView::set):
* runtime/JSDataView.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewFromIterator):
(JSC::constructGenericTypedArrayViewWithArguments):
(JSC::constructGenericTypedArrayView):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
(JSC::JSGenericTypedArrayView<Adaptor>::set):
* runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::speciesConstruct):
(JSC::genericTypedArrayViewProtoFuncSet):
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewProtoFuncSubarray):
* tests/stress/typedarray-slice.js:
(subclasses.typedArrays.map):
(subclasses.forEach):
(testSpeciesRemoveConstructor):
(testSpeciesWithSameBuffer):
* tests/stress/typedarray-subarray.js: Added.
(subclasses.typedArrays.map):
(subclasses.forEach):
(testSpeciesRemoveConstructor):

2016-02-26 Benjamin Poulain <bpoulain@apple.com>

[JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
https://bugs.webkit.org/show_bug.cgi?id=154704

Reviewed by Geoffrey Garen.

If the Imm is zero, we should still zero the top bits
to match the definition in AirOpcodes.

* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::add32):

2016-02-26 Oliver Hunt <oliver@apple.com>

Make testRegExp not crash when given an invalid regexp
https://bugs.webkit.org/show_bug.cgi?id=154732

Reviewed by Mark Lam.
2016-02-26 Benjamin Poulain <benjamin@webkit.org>

[JSC] Add the test for r197155
https://bugs.webkit.org/show_bug.cgi?id=154715

Reviewed by Mark Lam.

Silly me. I forgot the test in the latest patch update.

* tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.

2016-02-26 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] Drop unnecessary proved type branch in ToPrimitive
https://bugs.webkit.org/show_bug.cgi?id=154716

Reviewed by Geoffrey Garen.

This branching based on the proved types is unnecessary because this is already handled in the constant folding phase.
In fact, the DFGSpeculativeJIT64.cpp case was already removed in r164243.
This patch removes the remaining JIT32_64 case.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

2016-02-25 Benjamin Poulain <bpoulain@apple.com>

[JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
https://bugs.webkit.org/show_bug.cgi?id=154575

Reviewed by Filip Pizlo.

I noticed that imaging-gaussian-blur spends most of its
samples in DFG code despite executing most of the loop

On this particular test, the main function is only entered
once and has a very heavy loop there. What happens is DFG
starts by compiling the full function in FTL. That takes about
8 to 10 milliseconds during which the DFG code makes very little
progress. The calls to triggerOSREntryNow() try to OSR Enter
for a while then finally start compiling something. By the time
the function is ready, we have wasted a lot of time in DFG code.

What this patch does is set a flag when a DFG function is entered.
If we try to triggerOSREntryNow() and the flag was never set,
we start compiling both the full function and the one for OSR Entry.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileEntryExecutionFlag):
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITCompiler.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::Plan::Plan): Deleted.
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):

2016-02-25 Benjamin Poulain <benjamin@webkit.org>

[JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
https://bugs.webkit.org/show_bug.cgi?id=154664

Reviewed by Saam Barati.

When doing OSR Enter into a constructor, we lose the information
that "this" may have been set to empty by a previously executed block.

All the code just assumed the type for a FlushedJS value and thus
not an empty value. It was then okay to eliminate the TDZ checks.

In this patch, the values on root entry now assume they may be empty.
As a result, the SetArgument() for "this" has "empty" as possible
type and the TDZ checks are no longer eliminated.

* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):

2016-02-25 Ada Chan <adachan@apple.com>

Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
https://bugs.webkit.org/show_bug.cgi?id=154702

Reviewed by Dan Bernstein.

* Configurations/FeatureDefines.xcconfig:
2016-02-25 Saam barati <sbarati@apple.com>

[ES6] for...in iteration doesn't comply with the specification
https://bugs.webkit.org/show_bug.cgi?id=154665

Reviewed by Michael Saboff.

If you read ForIn/OfHeadEvaluation inside the spec:
https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
It calls EnumerateObjectProperties(obj) to get a set of properties
to enumerate over (it models this "set" as an ES6 generator function).
EnumerateObjectProperties is defined in section 13.7.5.15:
https://tc39.github.io/ecma262/#sec-enumerate-object-properties
The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
properties it sees. We must do the same by modeling the operation as
a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.

* jit/JITOperations.cpp:
* jit/JITOperations.h:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSObject.cpp:
(JSC::JSObject::hasProperty):
(JSC::JSObject::hasPropertyGeneric):
* runtime/JSObject.h:
* tests/stress/proxy-get-own-property.js:
(let.handler.getOwnPropertyDescriptor):
2016-02-25 Saam barati <sbarati@apple.com>

[ES6] Implement Proxy.[[Set]]
https://bugs.webkit.org/show_bug.cgi?id=154511

Reviewed by Filip Pizlo.

This patch is mostly an implementation of
Proxy.[[Set]] with respect to section 9.5.9
of the ECMAScript spec.
https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver

This patch also changes JSObject::putInline and JSObject::putByIndex
to be aware that a Proxy in the prototype chain will intercept

* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
* runtime/JSObject.h:
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInline):
(JSC::JSObject::putInline):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::getOwnPropertySlotByIndex):
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::put):
(JSC::ProxyObject::putByIndexCommon):
(JSC::ProxyObject::putByIndex):
(JSC::performProxyCall):
(JSC::ProxyObject::getCallData):
(JSC::performProxyConstruct):
(JSC::ProxyObject::deletePropertyByIndex):
(JSC::ProxyObject::visitChildren):
* runtime/ProxyObject.h:
(JSC::ProxyObject::create):
(JSC::ProxyObject::createStructure):
(JSC::ProxyObject::target):
(JSC::ProxyObject::handler):
* tests/stress/proxy-set.js: Added.
(throw.new.Error.let.handler.set 45):
788 2016-02-25 Benjamin Poulain <bpoulain@apple.com>
790 [JSC] Remove a useless "Move" in the lowering of Select
791 https://bugs.webkit.org/show_bug.cgi?id=154670
793 Reviewed by Geoffrey Garen.
795 I left the Move instruction when creating the aliasing form
798 On ARM64, that meant a useless move for any case that can't
801 On x86, that meant an extra constraint on child2, making it
802 stupidly hard to alias child1.
804 * b3/B3LowerToAir.cpp:
805 (JSC::B3::Air::LowerToAir::createSelect): Deleted.
807 2016-02-24 Joseph Pecoraro <pecoraro@apple.com>
809 Web Inspector: Expose Proxy target and handler internal properties to Inspector
810 https://bugs.webkit.org/show_bug.cgi?id=154663
812 Reviewed by Timothy Hatcher.
814 * inspector/JSInjectedScriptHost.cpp:
815 (Inspector::JSInjectedScriptHost::getInternalProperties):
816 Expose the ProxyObject's target and handler.
818 2016-02-24 Nikos Andronikos <nikos.andronikos-webkit@cisra.canon.com.au>
820 [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
821 https://bugs.webkit.org/show_bug.cgi?id=151688
823 Reviewed by Dean Jackson.
825 Enables the WEB_ANIMATIONS compiler switch.
827 * Configurations/FeatureDefines.xcconfig:
829 2016-02-24 Konstantin Tokarev <annulen@yandex.ru>
831 [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
832 https://bugs.webkit.org/show_bug.cgi?id=154651
834 Reviewed by Alex Christensen.
836 * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
838 2016-02-24 Commit Queue <commit-queue@webkit.org>
840 Unreviewed, rolling out r197033.
841 https://bugs.webkit.org/show_bug.cgi?id=154649
843 "It broke JSC tests when 'this' was loaded from global scope"
844 (Requested by saamyjoon on #webkit).
848 "[ES6] Arrow function syntax. Emit loading&putting this/super
849 only if they are used in arrow function"
850 https://bugs.webkit.org/show_bug.cgi?id=153981
851 http://trac.webkit.org/changeset/197033
853 2016-02-24 Saam Barati <sbarati@apple.com>
855 [ES6] Implement Proxy.[[Delete]]
856 https://bugs.webkit.org/show_bug.cgi?id=154607
858 Reviewed by Mark Lam.
860 This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
861 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
863 * runtime/ProxyObject.cpp:
864 (JSC::ProxyObject::getConstructData):
865 (JSC::ProxyObject::performDelete):
866 (JSC::ProxyObject::deleteProperty):
867 (JSC::ProxyObject::deletePropertyByIndex):
868 * runtime/ProxyObject.h:
870 * tests/stress/proxy-delete.js: Added.
872 (throw.new.Error.let.handler.get deleteProperty):
874 (assert.let.handler.deleteProperty):
875 (let.handler.deleteProperty):
877 2016-02-24 Filip Pizlo <fpizlo@apple.com>
879 Stackmaps have problems with double register constraints
880 https://bugs.webkit.org/show_bug.cgi?id=154643
882 Reviewed by Geoffrey Garen.
884 This is currently a benign bug. I found it while playing.
886 * b3/B3LowerToAir.cpp:
887 (JSC::B3::Air::LowerToAir::fillStackmap):
889 (JSC::B3::testURShiftSelf64):
890 (JSC::B3::testPatchpointDoubleRegs):
894 2016-02-24 Skachkov Oleksandr <gskachkov@gmail.com>
896 [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
897 https://bugs.webkit.org/show_bug.cgi?id=153981
899 Reviewed by Saam Barati.
901 In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
902 'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
903 The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
904 During syntax analysis the parser stores information about the variables used in the arrow function inside
905 the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
907 * bytecode/ExecutableInfo.h:
908 (JSC::ExecutableInfo::ExecutableInfo):
909 (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
910 * bytecode/UnlinkedCodeBlock.cpp:
911 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
912 * bytecode/UnlinkedCodeBlock.h:
913 (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
914 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
915 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
916 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
917 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
918 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
919 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
920 * bytecode/UnlinkedFunctionExecutable.cpp:
921 (JSC::generateUnlinkedFunctionCodeBlock):
922 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
923 * bytecode/UnlinkedFunctionExecutable.h:
924 * bytecompiler/BytecodeGenerator.cpp:
925 (JSC::BytecodeGenerator::BytecodeGenerator):
926 (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
927 (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
928 (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
929 (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
930 (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
931 (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
932 (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
933 (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
934 (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
935 (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
936 (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
937 (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
938 * bytecompiler/BytecodeGenerator.h:
939 * bytecompiler/NodesCodegen.cpp:
940 (JSC::ThisNode::emitBytecode):
941 (JSC::EvalFunctionCallNode::emitBytecode):
942 (JSC::FunctionCallValueNode::emitBytecode):
943 (JSC::FunctionNode::emitBytecode):
944 * parser/ASTBuilder.h:
945 (JSC::ASTBuilder::createFunctionMetadata):
947 (JSC::FunctionMetadataNode::FunctionMetadataNode):
950 (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
951 (JSC::Parser<LexerType>::parseFunctionBody):
952 (JSC::Parser<LexerType>::parseFunctionInfo):
953 (JSC::Parser<LexerType>::parseProperty):
954 (JSC::Parser<LexerType>::parsePrimaryExpression):
955 (JSC::Parser<LexerType>::parseMemberExpression):
958 (JSC::Scope::isArrowFunctionBoundary):
959 (JSC::Scope::innerArrowFunctionFeatures):
960 (JSC::Scope::setInnerArrowFunctionUseSuperCall):
961 (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
962 (JSC::Scope::setInnerArrowFunctionUseEval):
963 (JSC::Scope::setInnerArrowFunctionUseThis):
964 (JSC::Scope::setInnerArrowFunctionUseNewTarget):
965 (JSC::Scope::setInnerArrowFunctionUseArguments):
966 (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
967 (JSC::Scope::collectFreeVariables):
968 (JSC::Scope::mergeInnerArrowFunctionFeatures):
969 (JSC::Scope::fillParametersForSourceProviderCache):
970 (JSC::Scope::restoreFromSourceProviderCache):
971 (JSC::Scope::setIsFunction):
972 (JSC::Scope::setIsArrowFunction):
973 (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
974 (JSC::Parser::pushScope):
975 (JSC::Parser::popScopeInternal):
976 * parser/ParserModes.h:
977 * parser/SourceProviderCacheItem.h:
978 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
979 * parser/SyntaxChecker.h:
980 (JSC::SyntaxChecker::createFunctionMetadata):
981 * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
982 * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
983 * tests/stress/arrowfunction-lexical-bind-newtarget.js:
984 * tests/stress/arrowfunction-lexical-bind-superproperty.js:
985 * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
987 2016-02-23 Brian Burg <bburg@apple.com>
989 Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
990 https://bugs.webkit.org/show_bug.cgi?id=154615
991 <rdar://problem/24804330>
993 Reviewed by Timothy Hatcher.
995 Some of the generated Objective-C bindings are only relevant to code acting as the
996 protocol backend. Add a per-generator setting mechanism and propagate --frontend and
997 --backend to all generators. Use the setting in a few generators to omit code that's
1000 Also fix a few places where the code emits the wrong Objective-C class prefix.
1001 There is some common non-generated code that must always have the RWIProtocol prefix.
1003 Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1004 macros defined in the internal header now need to be used outside of the framework.
1006 * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1007 Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1008 depending on the target framework.
1010 * inspector/scripts/codegen/generate_objc_header.py:
1011 (ObjCHeaderGenerator.generate_output):
1012 For now, omit generating command protocol and event dispatchers when generating for --frontend.
1014 (ObjCHeaderGenerator._generate_type_interface):
1015 Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1017 * inspector/scripts/codegen/generate_objc_internal_header.py:
1018 Use RWIProtocolJSONObjectPrivate.h instead.
1020 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1021 (ObjCProtocolTypesImplementationGenerator.generate_output):
1022 Include the Internal header if it's being generated (only for --backend).
1024 * inspector/scripts/codegen/generator.py:
1025 (Generator.__init__):
1026 (Generator.set_generator_setting):
1028 (Generator.get_generator_setting):
1029 Crib a simple setting system from the Framework class. Make the names more obnoxious.
1031 (Generator.string_for_file_include):
1032 Inspired by the replay input generator, this is a function that uses the proper syntax
1033 for a file include depending on the file's framework and target framework.
1035 * inspector/scripts/codegen/objc_generator.py:
1036 (ObjCGenerator.and):
1037 (ObjCGenerator.and.objc_prefix):
1039 (ObjCGenerator.objc_type_for_raw_name):
1040 (ObjCGenerator.objc_class_for_raw_name):
1041 Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1043 * inspector/scripts/generate-inspector-protocol-bindings.py:
1044 (generate_from_specification):
1045 Change the generators to use for the frontend. Propagate --frontend and --backend.
1047 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1048 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1049 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1050 * inspector/scripts/tests/expected/enum-values.json-result:
1051 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1052 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1053 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1054 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1055 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1056 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1057 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1058 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1059 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1060 Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1062 2016-02-23 Saam barati <sbarati@apple.com>
1064 arrayProtoFuncConcat doesn't check for an exception after allocating an array
1065 https://bugs.webkit.org/show_bug.cgi?id=154621
1067 Reviewed by Michael Saboff.
1069 * runtime/ArrayPrototype.cpp:
1070 (JSC::arrayProtoFuncConcat):
1072 2016-02-23 Dan Bernstein <mitz@apple.com>
1074 [Xcode] Linker errors display mangled names, but no longer should
1075 https://bugs.webkit.org/show_bug.cgi?id=154632
1077 Reviewed by Sam Weinig.
1079 * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1081 2016-02-23 Gavin Barraclough <barraclough@apple.com>
1083 Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1084 https://bugs.webkit.org/show_bug.cgi?id=112323
1086 Reviewed by Chris Dumez.
1088 This feature is controlled by a runtime switch, and defaults off.
1090 * Configurations/FeatureDefines.xcconfig:
1092 2016-02-23 Keith Miller <keith_miller@apple.com>
1094 JSC stress tests' standalone-pre.js should exit on the first failure by default
1095 https://bugs.webkit.org/show_bug.cgi?id=154565
1097 Reviewed by Mark Lam.
1099 Currently, if a test writer does not call finishJSTest() at the end of
1100 any test using stress/resources/standalone-pre.js then the test can fail
1101 without actually reporting an error to the harness. By default, we
1102 should throw on the first error so, in the event someone does not call
1103 finishJSTest() the harness will still notice the error.
1105 * tests/stress/regress-151324.js:
1106 * tests/stress/resources/standalone-pre.js:
1109 2016-02-23 Saam barati <sbarati@apple.com>
1111 Make JSObject::getMethod have fewer branches
1112 https://bugs.webkit.org/show_bug.cgi?id=154603
1114 Reviewed by Mark Lam.
1116 Writing code with fewer branches is almost always better.
1118 * runtime/JSObject.cpp:
1119 (JSC::JSObject::getMethod):
1121 2016-02-23 Filip Pizlo <fpizlo@apple.com>
1123 B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1124 https://bugs.webkit.org/show_bug.cgi?id=154592
1126 Reviewed by Saam Barati.
1128 If Foo has a virtual destructor, then:
1130 foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1131 subclass of Foo that overrides the destructor, this syntax will not call that override.
1133 foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1134 get the subclass's override.
1136 In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1137 This caused leaks because this didn't actually call the subclass's override. This fixes the
1138 problem by using this->~Value() instead.
1140 * b3/B3ControlValue.cpp:
1141 (JSC::B3::ControlValue::convertToJump):
1142 (JSC::B3::ControlValue::convertToOops):
1144 (JSC::B3::Value::replaceWithIdentity):
1145 (JSC::B3::Value::replaceWithNop):
1146 (JSC::B3::Value::replaceWithPhi):
1148 2016-02-23 Brian Burg <bburg@apple.com>
1150 Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1151 https://bugs.webkit.org/show_bug.cgi?id=154596
1152 <rdar://problem/24794962>
1154 Reviewed by Timothy Hatcher.
1156 In order to support different generated protocol sets that don't have conflicting
1157 file and type names, allow the Objective-C prefix to be configurable based on the
1158 target framework. Each name also has the implicit prefix 'Protocol' appended to the
1159 per-target framework prefix.
1161 For example, the existing protocol for remote inspection has the prefix 'RWI'
1162 and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1163 and is generated as 'AutomationProtocol'.
1165 To make this change, convert ObjCGenerator to be a subclass of Generator and use
1166 the instance method model() to find the target framework and its setting for
1167 'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1168 these instance methods that used to be static methods. This is a large but
1169 mechanical change to use self instead of ObjCGenerator.
1171 * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1172 (ObjCBackendDispatcherHeaderGenerator):
1173 (ObjCBackendDispatcherHeaderGenerator.__init__):
1174 (ObjCBackendDispatcherHeaderGenerator.output_filename):
1175 (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1176 (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1177 * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1178 (ObjCConfigurationImplementationGenerator):
1179 (ObjCConfigurationImplementationGenerator.__init__):
1180 (ObjCConfigurationImplementationGenerator.output_filename):
1181 (ObjCConfigurationImplementationGenerator.generate_output):
1182 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1183 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1184 (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1185 * inspector/scripts/codegen/generate_objc_configuration_header.py:
1186 (ObjCConfigurationHeaderGenerator):
1187 (ObjCConfigurationHeaderGenerator.__init__):
1188 (ObjCConfigurationHeaderGenerator.output_filename):
1189 (ObjCConfigurationHeaderGenerator.generate_output):
1190 (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1191 (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1192 * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1193 (ObjCBackendDispatcherImplementationGenerator):
1194 (ObjCBackendDispatcherImplementationGenerator.__init__):
1195 (ObjCBackendDispatcherImplementationGenerator.output_filename):
1196 (ObjCBackendDispatcherImplementationGenerator.generate_output):
1197 (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1198 (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1199 (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1200 (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1201 * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1202 (ObjCConversionHelpersGenerator):
1203 (ObjCConversionHelpersGenerator.__init__):
1204 (ObjCConversionHelpersGenerator.output_filename):
1205 (ObjCConversionHelpersGenerator.generate_output):
1206 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1207 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1208 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1209 * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1210 (ObjCFrontendDispatcherImplementationGenerator):
1211 (ObjCFrontendDispatcherImplementationGenerator.__init__):
1212 (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1213 (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1214 (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1215 (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1216 (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1217 (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1218 (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1219 * inspector/scripts/codegen/generate_objc_header.py:
1220 (ObjCHeaderGenerator):
1221 (ObjCHeaderGenerator.__init__):
1222 (ObjCHeaderGenerator.output_filename):
1223 (ObjCHeaderGenerator.generate_output):
1224 (ObjCHeaderGenerator._generate_forward_declarations):
1225 (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1226 (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1227 (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1228 (ObjCHeaderGenerator._generate_type_interface):
1229 (ObjCHeaderGenerator._generate_init_method_for_required_members):
1230 (ObjCHeaderGenerator._generate_member_property):
1231 (ObjCHeaderGenerator._generate_command_protocols):
1232 (ObjCHeaderGenerator._generate_single_command_protocol):
1233 (ObjCHeaderGenerator._callback_block_for_command):
1234 (ObjCHeaderGenerator._generate_event_interfaces):
1235 (ObjCHeaderGenerator._generate_single_event_interface):
1236 * inspector/scripts/codegen/generate_objc_internal_header.py:
1237 (ObjCInternalHeaderGenerator):
1238 (ObjCInternalHeaderGenerator.__init__):
1239 (ObjCInternalHeaderGenerator.output_filename):
1240 (ObjCInternalHeaderGenerator.generate_output):
1241 (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1242 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1243 (ObjCProtocolTypesImplementationGenerator):
1244 (ObjCProtocolTypesImplementationGenerator.__init__):
1245 (ObjCProtocolTypesImplementationGenerator.output_filename):
1246 (ObjCProtocolTypesImplementationGenerator.generate_output):
1247 (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1248 (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1249 (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1250 (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1251 (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1252 (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1253 * inspector/scripts/codegen/models.py:
1254 * inspector/scripts/codegen/objc_generator.py:
1255 (ObjCTypeCategory.category_for_type):
1257 (ObjCGenerator.__init__):
1258 (ObjCGenerator.objc_prefix):
1259 (ObjCGenerator.objc_name_for_type):
1260 (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1261 (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1262 (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
1263 (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
1264 (ObjCGenerator.objc_class_for_type):
1265 (ObjCGenerator.objc_class_for_array_type):
1266 (ObjCGenerator.objc_accessor_type_for_member):
1267 (ObjCGenerator.objc_accessor_type_for_member_internal):
1268 (ObjCGenerator.objc_type_for_member):
1269 (ObjCGenerator.objc_type_for_member_internal):
1270 (ObjCGenerator.objc_type_for_param):
1271 (ObjCGenerator.objc_type_for_param_internal):
1272 (ObjCGenerator.objc_protocol_export_expression_for_variable):
1273 (ObjCGenerator.objc_protocol_import_expression_for_member):
1274 (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1275 (ObjCGenerator.objc_protocol_import_expression_for_variable):
1276 (ObjCGenerator.objc_to_protocol_expression_for_member):
1277 (ObjCGenerator.protocol_to_objc_expression_for_member):
1279 Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
1281 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1282 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1283 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1284 * inspector/scripts/tests/expected/enum-values.json-result:
1285 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1286 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1287 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1288 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1289 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1290 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1291 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1292 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1293 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1295 2016-02-23 Mark Lam <mark.lam@apple.com>
1297 Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1298 https://bugs.webkit.org/show_bug.cgi?id=154542
1300 Reviewed by Saam Barati.
1302 According to the spec, the constructors of the following types "are not intended
1303 to be called as a function and will throw an exception". These types are:
1304 TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1305 Map - https://tc39.github.io/ecma262/#sec-map-constructor
1306 Set - https://tc39.github.io/ecma262/#sec-set-constructor
1307 WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1308 WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1309 ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1310 DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1311 Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1312 Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1314 This patch does the following:
1315 1. Ensures that these constructors can be called but will throw a TypeError
1317 2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1318 in their implementation to be consistent.
1319 3. Changes the error message to "calling XXX constructor without new is invalid".
1320 This is clearer because the error is likely due to the user forgetting to use
1321 the new operator on these constructors.
1324 * runtime/Error.cpp:
1325 (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1326 - Added a convenience function to throw the TypeError.
1328 * runtime/JSArrayBufferConstructor.cpp:
1329 (JSC::constructArrayBuffer):
1330 (JSC::callArrayBuffer):
1331 (JSC::JSArrayBufferConstructor::getCallData):
1332 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1333 (JSC::callGenericTypedArrayView):
1334 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
1335 * runtime/JSPromiseConstructor.cpp:
1337 * runtime/MapConstructor.cpp:
1339 * runtime/ProxyConstructor.cpp:
1341 (JSC::ProxyConstructor::getCallData):
1342 * runtime/SetConstructor.cpp:
1344 * runtime/WeakMapConstructor.cpp:
1346 * runtime/WeakSetConstructor.cpp:
1350 - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
1352 * tests/stress/call-non-calleable-constructors-as-function.js: Added.
1355 * tests/stress/map-constructor.js:
1356 (testCallTypeError):
1357 * tests/stress/promise-cannot-be-called.js:
1359 * tests/stress/proxy-basic.js:
1360 * tests/stress/set-constructor.js:
1361 * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
1363 * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
1365 * tests/stress/throw-from-ftl-call-ic-slow-path.js:
1367 * tests/stress/weak-map-constructor.js:
1368 (testCallTypeError):
1369 * tests/stress/weak-set-constructor.js:
1370 - Updated error message string.
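An added check (not WebKit code) over the constructors listed in this entry: each must reject a plain call with a TypeError yet succeed under new. The error message text is engine-specific, so only the error type is verified; the constructor arguments are constructed for the example.

```javascript
// Added example, not part of the WebKit ChangeLog or JSC sources.
// Verifies "constructor called without new throws TypeError" for each listed type.
function checkCallWithoutNew() {
  // [constructor, arguments a successful `new` needs]; one TypedArray stands in for all.
  const cases = [
    [Uint8Array, [4]],
    [Map, []],
    [Set, []],
    [WeakMap, []],
    [WeakSet, []],
    [ArrayBuffer, [8]],
    [DataView, [new ArrayBuffer(8)]],
    [Promise, [function () {}]],
    [Proxy, [{}, {}]],
  ];
  const report = {};
  for (const [ctor, args] of cases) {
    let callError = null;
    try {
      ctor.apply(undefined, args);     // [[Call]] without new
    } catch (e) {
      callError = e;
    }
    let constructed = false;
    try {
      new ctor(...args);               // [[Construct]] must still work
      constructed = true;
    } catch (e) {
      constructed = false;
    }
    report[ctor.name] = {
      callThrowsTypeError: callError instanceof TypeError,
      constructible: constructed,
    };
  }
  return report;
}
```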
1372 2016-02-23 Alexey Proskuryakov <ap@apple.com>
1376 Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
1378 * inspector/InspectorBackendDispatcher.h:
1380 2016-02-23 Brian Burg <bburg@apple.com>
1382 Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
1383 https://bugs.webkit.org/show_bug.cgi?id=154518
1384 <rdar://problem/24761096>
1386 Reviewed by Timothy Hatcher.
1388 * inspector/InspectorBackendDispatcher.h:
1389 Export all the classes since they are used by WebKit::WebAutomationSession.
1391 2016-02-22 Brian Burg <bburg@apple.com>
1393 Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1394 https://bugs.webkit.org/show_bug.cgi?id=154509
1395 <rdar://problem/24759098>
1397 Reviewed by Timothy Hatcher.
1399 Add a new 'WebKit' framework, which is used to generate protocol code
1402 Add --backend and --frontend flags to the main generator script.
1403 These allow a framework to trigger two different sets of generators
1404 so they can be separately generated and compiled.
1406 * inspector/scripts/codegen/models.py:
1407 (Framework.fromString):
1408 (Frameworks): Add new framework.
1410 * inspector/scripts/generate-inspector-protocol-bindings.py:
1411 If neither --backend nor --frontend is specified, assume both are wanted.
1412 This matches the behavior for JavaScriptCore and WebInspector frameworks.
1414 (generate_from_specification):
1415 Generate C++ files for the backend and Objective-C files for the frontend.
1417 2016-02-22 Saam barati <sbarati@apple.com>
1419 JSGlobalObject doesn't visit ProxyObjectStructure during GC
1420 https://bugs.webkit.org/show_bug.cgi?id=154564
1422 Rubber stamped by Mark Lam.
1424 * runtime/JSGlobalObject.cpp:
1425 (JSC::JSGlobalObject::visitChildren):
1427 2016-02-22 Saam barati <sbarati@apple.com>
1429 InternalFunction::createSubclassStructure doesn't take into account that get() might throw
1430 https://bugs.webkit.org/show_bug.cgi?id=154548
1432 Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
1434 InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
1435 an exception. Neither the function nor the call sites of the function took this into
1436 account. This patch audits the call sites of the function to make it work in
1437 the event that an exception is thrown.
1439 * runtime/BooleanConstructor.cpp:
1440 (JSC::constructWithBooleanConstructor):
1441 * runtime/DateConstructor.cpp:
1442 (JSC::constructDate):
1443 * runtime/ErrorConstructor.cpp:
1444 (JSC::Interpreter::constructWithErrorConstructor):
1445 * runtime/FunctionConstructor.cpp:
1446 (JSC::constructFunctionSkippingEvalEnabledCheck):
1447 * runtime/InternalFunction.cpp:
1448 (JSC::InternalFunction::createSubclassStructure):
1449 * runtime/JSArrayBufferConstructor.cpp:
1450 (JSC::constructArrayBuffer):
1451 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1452 (JSC::constructGenericTypedArrayView):
1453 * runtime/JSGlobalObject.h:
1454 (JSC::constructEmptyArray):
1455 (JSC::constructArray):
1456 (JSC::constructArrayNegativeIndexed):
1457 * runtime/JSPromiseConstructor.cpp:
1458 (JSC::constructPromise):
1459 * runtime/MapConstructor.cpp:
1460 (JSC::constructMap):
1461 * runtime/NativeErrorConstructor.cpp:
1462 (JSC::Interpreter::constructWithNativeErrorConstructor):
1463 * runtime/NumberConstructor.cpp:
1464 (JSC::constructWithNumberConstructor):
1465 * runtime/RegExpConstructor.cpp:
1466 (JSC::getRegExpStructure):
1467 (JSC::constructRegExp):
1468 (JSC::constructWithRegExpConstructor):
1469 * runtime/SetConstructor.cpp:
1470 (JSC::constructSet):
1471 * runtime/StringConstructor.cpp:
1472 (JSC::constructWithStringConstructor):
1473 (JSC::StringConstructor::getConstructData):
1474 * runtime/WeakMapConstructor.cpp:
1475 (JSC::constructWeakMap):
1476 * runtime/WeakSetConstructor.cpp:
1477 (JSC::constructWeakSet):
1478 * tests/stress/create-subclass-structure-might-throw.js: Added.
1481 2016-02-22 Ting-Wei Lan <lantw44@gmail.com>
1483 Fix build and implement functions to retrieve registers on FreeBSD
1484 https://bugs.webkit.org/show_bug.cgi?id=152258
1486 Reviewed by Michael Catanzaro.
1488 * heap/MachineStackMarker.cpp:
1489 (pthreadSignalHandlerSuspendResume):
1490 struct ucontext is not specified in POSIX and it is not available on
1491 FreeBSD. Replacing it with ucontext_t fixes the build problem.
1492 (JSC::MachineThreads::Thread::Registers::stackPointer):
1493 (JSC::MachineThreads::Thread::Registers::framePointer):
1494 (JSC::MachineThreads::Thread::Registers::instructionPointer):
1495 (JSC::MachineThreads::Thread::Registers::llintPC):
1496 * heap/MachineStackMarker.h:
1498 2016-02-22 Saam barati <sbarati@apple.com>
1500 JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
1501 https://bugs.webkit.org/show_bug.cgi?id=154552
1503 Reviewed by Mark Lam.
1505 ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
1506 They return false on a Proxy with internal [[Call]] and [[Construct]]
1507 properties. It seems safest, most forward-looking, and most adherent
1508 to the specification to check getCallData() and getConstructData() to
1509 implement these functions.
1511 * runtime/InternalFunction.cpp:
1512 (JSC::InternalFunction::createSubclassStructure):
1513 * runtime/JSCJSValueInlines.h:
1514 (JSC::JSValue::isFunction):
1515 (JSC::JSValue::isConstructor):
1517 2016-02-22 Keith Miller <keith_miller@apple.com>
1519 Bound functions should use the prototype of the function being bound
1520 https://bugs.webkit.org/show_bug.cgi?id=154195
1522 Reviewed by Geoffrey Garen.
1524 Per ES6, the result of Function.prototype.bind should have the same
1525 prototype as the function being bound. In order to avoid creating
1526 a new structure each time a function is bound we store the new
1527 structure in our structure map. However, we cannot currently store
1528 structures that have a different GlobalObject than their prototype.
1529 In the rare case that the GlobalObject differs or the prototype of
1530 the bindee is null we create a new structure each time. To further
1531 minimize new structures, as well as making structure lookup faster,
1532 we also store the structure in the RareData of the function we
1535 * runtime/FunctionRareData.cpp:
1536 (JSC::FunctionRareData::visitChildren):
1537 * runtime/FunctionRareData.h:
1538 (JSC::FunctionRareData::getBoundFunctionStructure):
1539 (JSC::FunctionRareData::setBoundFunctionStructure):
1540 * runtime/JSBoundFunction.cpp:
1541 (JSC::getBoundFunctionStructure):
1542 (JSC::JSBoundFunction::create):
1544 * tests/stress/bound-function-uses-prototype.js: Added.
1545 (testChangeProto.foo):
1548 * tests/stress/class-subclassing-function.js:
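The prototype rule described in the entry above (the bound function takes the prototype of the bindee, including the null-prototype case), shown as an added example that is not part of the WebKit ChangeLog or its test files. The names `boundPrototypeOf`, `checkBoundPrototypes`, `plain`, `custom`, `customProto` and `nullProto` are constructed for this example.

```javascript
// Added example, not part of the WebKit ChangeLog: what ES6 requires of the
// [[Prototype]] of a bound function. All names below are constructed for this example.

function boundPrototypeOf(target) {
  // Function.prototype.bind.call works even when `target` has a null prototype
  // and therefore has no `bind` of its own.
  return Object.getPrototypeOf(Function.prototype.bind.call(target, null));
}

function checkBoundPrototypes() {
  function plain() {}
  const customProto = Object.create(Function.prototype);
  const custom = Object.setPrototypeOf(function () {}, customProto);
  const nullProto = Object.setPrototypeOf(function () {}, null);

  // Before ES6 every bound function had Function.prototype as its [[Prototype]];
  // per ES6 it is the prototype of the bindee, whatever that is.
  return {
    plainMatches: boundPrototypeOf(plain) === Function.prototype,      // true
    customMatches: boundPrototypeOf(custom) === customProto,           // true
    nullPreserved: boundPrototypeOf(nullProto) === null,               // true
    // Binding a bound function follows the chain: the prototype of the
    // second bound function is that of the first, i.e. still customProto.
    rebindMatches: boundPrototypeOf(custom.bind(null)) === customProto, // true
  };
}
```

Every field of `checkBoundPrototypes()` is `true` on an ES6-conformant engine; an engine that still hands out `Function.prototype` unconditionally fails the `customMatches` and `nullPreserved` checks.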
1550 2016-02-22 Keith Miller <keith_miller@apple.com>
1552 Unreviewed, fix stress test to not print on success.
1554 * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
1557 2016-02-22 Keith Miller <keith_miller@apple.com>
1559 Use Symbol.species in the builtin TypedArray.prototype functions
1560 https://bugs.webkit.org/show_bug.cgi?id=153384
1562 Reviewed by Geoffrey Garen.
1564 This patch adds the use of species constructors to the TypedArray.prototype map and filter
1565 functions. It also adds a new private function typedArrayGetOriginalConstructor that
1566 returns the TypedArray constructor used to originally create a TypedArray instance.
1568 There are no ES6 tests to update for this patch as species creation for these functions is
1569 not tested in the compatibility table.
1571 * builtins/TypedArrayPrototype.js:
1574 * bytecode/BytecodeIntrinsicRegistry.cpp:
1575 (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1576 * bytecode/BytecodeIntrinsicRegistry.h:
1577 * runtime/CommonIdentifiers.h:
1578 * runtime/JSGlobalObject.cpp:
1579 (JSC::JSGlobalObject::init):
1580 (JSC::JSGlobalObject::visitChildren):
1581 * runtime/JSGlobalObject.h:
1582 (JSC::JSGlobalObject::typedArrayConstructor):
1583 * runtime/JSTypedArrayViewPrototype.cpp:
1584 (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
1585 * runtime/JSTypedArrayViewPrototype.h:
1586 * tests/stress/typedarray-filter.js:
1587 (subclasses.typedArrays.map):
1592 (subclasses.forEach):
1593 (testSpeciesRemoveConstructor):
1594 * tests/stress/typedarray-map.js:
1595 (subclasses.typedArrays.map):
1600 (subclasses.forEach):
1601 (testSpeciesRemoveConstructor):
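How `Symbol.species` selects the result type of `TypedArray.prototype.map` and `filter`, including the case where the species is removed and the original constructor is used instead, as an added example that is not code from the WebKit ChangeLog or its stress tests. The subclass names `Pixels`, `Plain` and `NoSpecies` and the function `mapAndFilterTypes` are constructed for this example.

```javascript
// Added example, not part of the WebKit ChangeLog. Demonstrates the species
// lookup that TypedArray.prototype.map/filter perform (TypedArraySpeciesCreate).
// Class and function names are constructed for this example.

// Default species: %TypedArray%[Symbol.species] returns `this`, so results are Pixels.
class Pixels extends Uint8Array {}

// Explicit species: results are plain Uint8Array even though the receiver is a Plain.
class Plain extends Uint8Array {
  static get [Symbol.species]() { return Uint8Array; }
}

// Species removed: SpeciesConstructor falls back to the default constructor,
// i.e. the original TypedArray constructor the instance was created with.
class NoSpecies extends Uint8Array {
  static get [Symbol.species]() { return undefined; }
}

function mapAndFilterTypes() {
  const px = new Pixels([10, 20, 30]);
  const doubled = px.map(v => v * 2);
  const big = px.filter(v => v > 15);

  const plainDoubled = new Plain([10, 20, 30]).map(v => v * 2);
  const noSpeciesDoubled = new NoSpecies([10, 20, 30]).map(v => v * 2);

  return {
    doubledIsPixels: doubled instanceof Pixels,            // true
    bigIsPixels: big instanceof Pixels,                    // true
    bigLength: big.length,                                 // 2
    values: Array.from(doubled),                           // [20, 40, 60]
    plainResultCtor: plainDoubled.constructor.name,        // 'Uint8Array'
    plainResultIsPlain: plainDoubled instanceof Plain,     // false
    noSpeciesResultCtor: noSpeciesDoubled.constructor.name, // 'Uint8Array'
  };
}
```

The `NoSpecies` case is the one the `testSpeciesRemoveConstructor` stress tests above target: with the species getter returning `undefined`, the engine must still find the original TypedArray constructor rather than throwing or using the subclass.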
1603 2016-02-22 Keith Miller <keith_miller@apple.com>
1605 Builtins that should not rely on iteration do.
1606 https://bugs.webkit.org/show_bug.cgi?id=154475
1608 Reviewed by Geoffrey Garen.
1610 When changing the behavior of varargs calls to use ES6 iterators the
1611 call builtin function's use of a varargs call was overlooked. The use
1612 of iterators is observable outside the scope of the call function,
1613 thus it must be reimplemented.
1615 * builtins/FunctionPrototype.js:
1617 * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
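Why the use of iterators by `call`/`apply` is observable, and the check the stress test above exists for, as an added example that is not code from the WebKit ChangeLog or its test file: `Function.prototype.apply` reads the argument array by length and index, so replacing `Array.prototype[Symbol.iterator]` must not affect it, while spread syntax does go through the iterator. The helpers `sum3`, `withPoisonedArrayIterator`, `applyDoesNotIterate` and `spreadDoesIterate` are constructed for this example.

```javascript
// Added example, not part of the WebKit ChangeLog. Shows that apply() must not
// consult Array.prototype[Symbol.iterator] (CreateListFromArrayLike), whereas
// spread syntax must. Helper names are constructed for this example.

function sum3(a, b, c) { return a + b + c; }

// Runs fn() while Array.prototype[Symbol.iterator] is replaced by a recording
// iterator that throws, then restores the original. Reports the outcome.
function withPoisonedArrayIterator(fn) {
  const original = Array.prototype[Symbol.iterator];
  let iteratorCalls = 0;
  Array.prototype[Symbol.iterator] = function () {
    iteratorCalls++;
    throw new Error('iterator observed');
  };
  try {
    const result = fn();
    return { result, threw: null, iteratorCalls };
  } catch (e) {
    return { result: undefined, threw: e.message, iteratorCalls };
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}

// apply() is array-like based: works and never touches the iterator.
function applyDoesNotIterate() {
  return withPoisonedArrayIterator(() => sum3.apply(null, [1, 2, 3]));
}

// Spread is iterator based: the poisoned iterator is called and its error propagates.
function spreadDoesIterate() {
  return withPoisonedArrayIterator(() => sum3(...[1, 2, 3]));
}
```

Running `applyDoesNotIterate()` yields `result: 6` with zero iterator calls; `spreadDoesIterate()` yields `threw: 'iterator observed'` after exactly one call. A `call`/`apply` implemented on top of a varargs spread would make the first case look like the second, which is the observable difference the entry above fixes.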
1622 2016-02-22 Konstantin Tokarev <annulen@yandex.ru>
1624 [JSC shell] Don't put empty arguments array to VM.
1625 https://bugs.webkit.org/show_bug.cgi?id=154516
1627 Reviewed by Geoffrey Garen.
1629 This allows arrowfunction-lexical-bind-arguments-top-level test to pass
1630 in jsc as well as in browser.
1633 (GlobalObject::finishCreation):
1635 2016-02-22 Konstantin Tokarev <annulen@yandex.ru>
1637 [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
1638 https://bugs.webkit.org/show_bug.cgi?id=154450
1640 Reviewed by Alex Christensen.
1644 2016-02-22 Commit Queue <commit-queue@webkit.org>
1646 Unreviewed, rolling out r196891.
1647 https://bugs.webkit.org/show_bug.cgi?id=154539
1649 it broke Production builds (Requested by brrian on #webkit).
1653 "Web Inspector: add 'Automation' protocol domain and generate
1654 its backend classes separately in WebKit2"
1655 https://bugs.webkit.org/show_bug.cgi?id=154509
1656 http://trac.webkit.org/changeset/196891
1658 2016-02-21 Joseph Pecoraro <pecoraro@apple.com>
1660 CodeBlock always visits its unlinked code twice
1661 https://bugs.webkit.org/show_bug.cgi?id=154494
1663 Reviewed by Saam Barati.
1665 * bytecode/CodeBlock.cpp:
1666 (JSC::CodeBlock::visitChildren):
1667 The unlinked code is always visited in stronglyVisitStrongReferences.
1669 2016-02-21 Brian Burg <bburg@apple.com>
1671 Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1672 https://bugs.webkit.org/show_bug.cgi?id=154509
1673 <rdar://problem/24759098>
1675 Reviewed by Timothy Hatcher.
1677 Add a new 'WebKit' framework, which is used to generate protocol code
1680 Add --backend and --frontend flags to the main generator script.
1681 These allow a framework to trigger two different sets of generators
1682 so they can be separately generated and compiled.
1684 * inspector/scripts/codegen/models.py:
1685 (Framework.fromString):
1686 (Frameworks): Add new framework.
1688 * inspector/scripts/generate-inspector-protocol-bindings.py:
1689 If neither --backend or --frontend is specified, assume both are wanted.
1690 This matches the behavior for JavaScriptCore and WebInspector frameworks.
1692 (generate_from_specification):
1693 Generate C++ files for the backend and Objective-C files for the frontend.
1695 2016-02-21 Sukolsak Sakshuwong <sukolsak@gmail.com>
1697 Improvements to Intl code
1698 https://bugs.webkit.org/show_bug.cgi?id=154486
1700 Reviewed by Darin Adler.
1702 This patch does several things:
1703 - Use std::unique_ptr to store ICU objects.
1704 - Pass Vector::size() to ICU functions that take a buffer size instead
1705 of Vector::capacity().
1706 - If U_SUCCESS(status) is true, it means there is no error, but there
1707 could be warnings. ICU functions ignore warnings. So, there is no need
1708 to reset status to U_ZERO_ERROR.
1709 - Remove the initialization of the String instance variables of
1710 IntlDateTimeFormat. These values are never read and cause unnecessary
1713 - Some small optimization.
1715 * runtime/IntlCollator.cpp:
1716 (JSC::IntlCollator::UCollatorDeleter::operator()):
1717 (JSC::IntlCollator::createCollator):
1718 (JSC::IntlCollator::compareStrings):
1719 (JSC::IntlCollator::~IntlCollator): Deleted.
1720 * runtime/IntlCollator.h:
1721 * runtime/IntlDateTimeFormat.cpp:
1722 (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
1723 (JSC::defaultTimeZone):
1724 (JSC::canonicalizeTimeZoneName):
1725 (JSC::toDateTimeOptionsAnyDate):
1726 (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1727 (JSC::IntlDateTimeFormat::weekdayString):
1728 (JSC::IntlDateTimeFormat::format):
1729 (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
1730 (JSC::localeData): Deleted.
1731 * runtime/IntlDateTimeFormat.h:
1732 * runtime/IntlDateTimeFormatConstructor.cpp:
1733 * runtime/IntlNumberFormatConstructor.cpp:
1734 * runtime/IntlObject.cpp:
1735 (JSC::numberingSystemsForLocale):
1737 2016-02-21 Skachkov Oleksandr <gskachkov@gmail.com>
1739 Remove arrowfunction test cases that rely on arguments variable in jsc
1740 https://bugs.webkit.org/show_bug.cgi?id=154517
1742 Reviewed by Yusuke Suzuki.
1744 Allow jsc to have the same behavior in JavaScript as the browser has.
1746 * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1747 * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1749 2016-02-21 Brian Burg <bburg@apple.com>
1751 Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
1752 https://bugs.webkit.org/show_bug.cgi?id=154508
1753 <rdar://problem/24759077>
1755 Reviewed by Timothy Hatcher.
1757 In preparation for being able to generate protocol files for WebKit2,
1758 make it possible to not emit generated code that's guarded by
1759 ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
1760 backend dispatchers generated outside of JavaScriptCore. We can't just
1761 define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
1762 in the configurations where the code is actually used.
1764 Add a new opt-in Framework configuration option that turns on generating
1765 this code. Adjust how the code is generated so that it can be easily excluded.
1767 * inspector/scripts/codegen/cpp_generator_templates.py:
1768 Make a separate template for the declarations that are guarded.
1769 Add an initializer expression so the order of initializers doesn't matter.
1771 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1772 (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
1773 (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1774 If the declarations are needed, they will be appended to the end of the
1777 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1778 (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
1779 (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
1781 * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
1782 to True for Framework.JavaScriptCore only. It's not needed elsewhere.
1784 Rebaseline affected tests.
1786 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1787 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1788 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1789 * inspector/scripts/tests/expected/enum-values.json-result:
1790 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1792 2016-02-21 Brian Burg <bburg@apple.com>
1794 Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
1795 https://bugs.webkit.org/show_bug.cgi?id=154505
1796 <rdar://problem/24758042>
1798 Reviewed by Timothy Hatcher.
1800 It should be possible to generate code for a framework using some generators
1801 that other frameworks also use. Right now the generator selection code assumes
1802 that use of a generator is mutually exclusive among non-test frameworks.
1804 Make this code explicitly switch on the framework. Reorder generators
1805 alphabetically within each case.
1807 * inspector/scripts/generate-inspector-protocol-bindings.py:
1808 (generate_from_specification):
1810 Rebaseline tests that are affected by generator reorderings.
1812 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1813 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1814 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1815 * inspector/scripts/tests/expected/enum-values.json-result:
1816 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1817 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1818 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1819 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1820 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1821 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1822 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1823 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1824 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1826 2016-02-19 Saam Barati <sbarati@apple.com>
1828 [ES6] Implement Proxy.[[Construct]]
1829 https://bugs.webkit.org/show_bug.cgi?id=154440
1831 Reviewed by Oliver Hunt.
1833 This patch is mostly an implementation of
1834 Proxy.[[Construct]] with respect to section 9.5.13
1835 of the ECMAScript spec.
1836 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
1838 This patch also changes op_create_this to accept new.target's
1839 that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
1840 because we might construct a JSFunction with a new.target being
1841 a Proxy. This will also be needed when we implement Reflect.construct.
1843 * dfg/DFGOperations.cpp:
1844 * dfg/DFGSpeculativeJIT32_64.cpp:
1845 (JSC::DFG::SpeculativeJIT::compile):
1846 * dfg/DFGSpeculativeJIT64.cpp:
1847 (JSC::DFG::SpeculativeJIT::compile):
1848 * jit/JITOpcodes.cpp:
1849 (JSC::JIT::emit_op_create_this):
1850 (JSC::JIT::emitSlow_op_create_this):
1851 * jit/JITOpcodes32_64.cpp:
1852 (JSC::JIT::emit_op_create_this):
1853 (JSC::JIT::emitSlow_op_create_this):
1854 * llint/LLIntData.cpp:
1855 (JSC::LLInt::Data::performAssertions):
1856 * llint/LowLevelInterpreter.asm:
1857 * llint/LowLevelInterpreter32_64.asm:
1858 * llint/LowLevelInterpreter64.asm:
1859 * runtime/CommonSlowPaths.cpp:
1860 (JSC::SLOW_PATH_DECL):
1861 * runtime/ProxyObject.cpp:
1862 (JSC::ProxyObject::finishCreation):
1863 (JSC::ProxyObject::visitChildren):
1864 (JSC::performProxyConstruct):
1865 (JSC::ProxyObject::getConstructData):
1866 * runtime/ProxyObject.h:
1868 * tests/stress/proxy-construct.js: Added.
1870 (throw.new.Error.let.target):
1872 (assert.let.target):
1873 (assert.let.handler.get construct):
1875 (let.handler.construct):
1877 (assert.let.handler.construct):
1878 (assert.let.construct):
1879 (assert.else.assert.let.target):
1880 (assert.else.assert.let.construct):
1881 (assert.else.assert):
1882 (new.proxy.let.target):
1883 (new.proxy.let.construct):
1886 2016-02-19 Sukolsak Sakshuwong <sukolsak@gmail.com>
1888 [INTL] Implement Number Format Functions
1889 https://bugs.webkit.org/show_bug.cgi?id=147605
1891 Reviewed by Darin Adler.
1893 This patch implements Intl.NumberFormat.prototype.format() according
1894 to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
1896 * runtime/IntlNumberFormat.cpp:
1897 (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
1898 (JSC::IntlNumberFormat::initializeNumberFormat):
1899 (JSC::IntlNumberFormat::createNumberFormat):
1900 (JSC::IntlNumberFormat::formatNumber):
1901 (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
1902 * runtime/IntlNumberFormat.h:
1903 * runtime/IntlNumberFormatPrototype.cpp:
1904 (JSC::IntlNumberFormatFuncFormatNumber):
1906 2016-02-18 Gavin Barraclough <barraclough@apple.com>
1908 JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
1909 https://bugs.webkit.org/show_bug.cgi?id=154416
1911 Reviewed by Geoff Garen.
1913 Here's the bug. Suppose you call JSObject::getOwnProperty and -
1914 - PropertyName contains an index,
1915 - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
1916 - The base of the access (or another object on the prototype chain) shadows that property.
1918 JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
1919 index, and as such walks up the prototype chain looking for non-index properties before it
1920 tries calling parseIndex.
1922 At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
1923 would potentially return the property) we may have already skipped over non-overriding
1924 objects that contain the property in index storage.
1926 * runtime/JSObject.h:
1927 (JSC::JSObject::getOwnNonIndexPropertySlot):
1928 - renamed from inlineGetOwnPropertySlot to better describe behaviour;
1929 added ASSERT guarding that this method never returns index properties -
1930 if it ever does, this is unsafe for getPropertySlot.
1931 (JSC::JSObject::getOwnPropertySlot):
1932 - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
1933 (JSC::JSObject::getPropertySlot):
1934 - In case of object overriding getOwnPropertySlot check if propertyName is an index.
1935 (JSC::JSObject::getNonIndexPropertySlot):
1936 - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
1937 in order to avoid repeated calls to parseIndex.
1938 (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
1939 - this was renamed to getOwnNonIndexPropertySlot.
1940 (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
1941 - this was folded back in to getPropertySlot.
1943 2016-02-19 Saam Barati <sbarati@apple.com>
1945 [ES6] Implement Proxy.[[Call]]
1946 https://bugs.webkit.org/show_bug.cgi?id=154425
1948 Reviewed by Mark Lam.
1950 This patch is a straightforward implementation of
1951 Proxy.[[Call]] with respect to section 9.5.12
1952 of the ECMAScript spec.
1953 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
1955 * runtime/ProxyObject.cpp:
1956 (JSC::ProxyObject::finishCreation):
1957 (JSC::performProxyGet):
1958 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1959 (JSC::ProxyObject::performHasProperty):
1960 (JSC::ProxyObject::getOwnPropertySlotByIndex):
1961 (JSC::performProxyCall):
1962 (JSC::ProxyObject::getCallData):
1963 (JSC::ProxyObject::visitChildren):
1964 * runtime/ProxyObject.h:
1965 (JSC::ProxyObject::create):
1967 * tests/stress/proxy-call.js: Added.
1969 (throw.new.Error.let.target):
1970 (throw.new.Error.let.handler.apply):
1972 (assert.let.target):
1973 (assert.let.handler.get apply):
1975 (let.handler.apply):
1977 (assert.let.handler.apply):
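The observable side of the two Proxy entries above (Proxy.[[Construct]], section 9.5.13, and Proxy.[[Call]], section 9.5.12) and of the earlier isFunction/isConstructor fix, as an added example that is not code from the WebKit ChangeLog or its stress tests: a proxy over a callable target is itself callable, `new` on it reaches the `construct` trap with the proxy as `new.target`, and a proxy over a target without [[Construct]] cannot be constructed. The helper `makeTracedProxy`, the constructor `Point` and the functions `demoPoint`/`demoArrow` are constructed for this example.

```javascript
// Added example, not part of the WebKit ChangeLog. Wraps a callable target in a
// Proxy whose apply/construct traps record each invocation and forward it with
// Reflect, so both internal methods stay spec-conformant. Names are constructed.

function makeTracedProxy(target) {
  const log = [];
  let proxy;
  const handler = {
    // 9.5.12: [[Call]] invokes the "apply" trap with (target, thisArg, argumentsList).
    apply(t, thisArg, args) {
      log.push({ kind: 'call', args: Array.from(args) });
      return Reflect.apply(t, thisArg, args);
    },
    // 9.5.13: [[Construct]] invokes the "construct" trap with (target, argumentsList, newTarget).
    construct(t, args, newTarget) {
      log.push({ kind: 'construct', args: Array.from(args), newTargetIsProxy: newTarget === proxy });
      return Reflect.construct(t, args, newTarget);
    },
  };
  proxy = new Proxy(target, handler);
  return { proxy, log };
}

function Point(x, y) { this.x = x; this.y = y; }
Point.prototype.norm1 = function () { return Math.abs(this.x) + Math.abs(this.y); };

// A proxy over an ordinary constructor: callable and constructible.
function demoPoint() {
  const { proxy, log } = makeTracedProxy(Point);
  const p = new proxy(3, -4);
  return {
    typeofProxy: typeof proxy,                 // 'function': typeof follows [[Call]]
    isPoint: p instanceof Point,               // true: prototype taken from newTarget (the proxy)
    norm1: p.norm1(),                          // 7
    calledWithNew: log[0].kind === 'construct' && log[0].newTargetIsProxy, // true
    constructArgs: log[0].args,                // [3, -4]
  };
}

// A proxy over an arrow function: the target has [[Call]] but no [[Construct]],
// so the proxy has no [[Construct]] either and `new` throws before any trap runs.
function demoArrow() {
  const { proxy, log } = makeTracedProxy((a, b) => a + b);
  const sum = proxy(1, 2);
  let constructError = null;
  try { new proxy(1, 2); } catch (e) { constructError = e.constructor.name; }
  return {
    sum,                                                   // 3
    constructError,                                        // 'TypeError'
    trapKinds: log.map(e => e.kind).join(','),             // 'call': construct trap never ran
  };
}
```

The `typeof proxy === 'function'` result is what the isFunction/isConstructor entry above is about: the engine has to derive callability from the target's call data rather than from the object's class, or a proxy over a function would be misreported.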
1979 2016-02-19 Csaba Osztrogonác <ossy@webkit.org>
1981 Remove more LLVM related dead code after r196729
1982 https://bugs.webkit.org/show_bug.cgi?id=154387
1984 Reviewed by Filip Pizlo.
1986 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
1987 * Configurations/LLVMForJSC.xcconfig: Removed.
1988 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
1989 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
1990 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
1991 * JavaScriptCore.xcodeproj/project.pbxproj:
1992 * disassembler/X86Disassembler.cpp:
1994 2016-02-19 Joseph Pecoraro <pecoraro@apple.com>
1996 Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
1997 https://bugs.webkit.org/show_bug.cgi?id=154442
1999 Reviewed by Saam Barati.
2001 * runtime/JSString.h:
2004 2016-02-19 Joseph Pecoraro <pecoraro@apple.com>
2006 Remove unused SymbolTable::createNameScopeTable
2007 https://bugs.webkit.org/show_bug.cgi?id=154443
2009 Reviewed by Saam Barati.
2011 * runtime/SymbolTable.h:
2013 2016-02-18 Benjamin Poulain <bpoulain@apple.com>
2015 [JSC] Improve the instruction selection of Select
2016 https://bugs.webkit.org/show_bug.cgi?id=154432
2018 Reviewed by Filip Pizlo.
2020 Plenty of code but this patch is pretty dumb:
2021 - On ARM64: use the 3 operand form of CSEL instead of forcing a source
2022 to be aliased to the destination. This gives more freedom to the register
2023 allocator and it is one less Move to process per Select.
2024 - On x86, introduce a fake 3 operands form and use aggressive aliasing
2025 to try to alias both sources to the destination.
2027 If aliasing succeeds on the "elseCase", the condition of the Select
2028 is reverted in the MacroAssembler.
2030 If no aliasing is possible and we end up with 3 registers, the missing
2031 move instruction is generated by the MacroAssembler.
2033 The missing move is generated after testing the values because the destination
2034 can use the same register as one of the test operands.
2035 Experimental testing seems to indicate there is no macro-fusion on CMOV;
2036 there is no measurable cost to having the move there.
2038 * assembler/MacroAssembler.h:
2039 (JSC::MacroAssembler::isInvertible):
2040 (JSC::MacroAssembler::invert):
2041 * assembler/MacroAssemblerARM64.h:
2042 (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2043 (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2044 (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2045 (JSC::MacroAssemblerARM64::moveConditionally32):
2046 (JSC::MacroAssemblerARM64::moveConditionally64):
2047 (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2048 (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2049 * assembler/MacroAssemblerX86Common.h:
2050 (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2051 (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2052 (JSC::MacroAssemblerX86Common::moveConditionally32):
2053 (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2054 (JSC::MacroAssemblerX86Common::invert):
2055 (JSC::MacroAssemblerX86Common::isInvertible):
2056 * assembler/MacroAssemblerX86_64.h:
2057 (JSC::MacroAssemblerX86_64::moveConditionally64):
2058 (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2059 * b3/B3LowerToAir.cpp:
2060 (JSC::B3::Air::LowerToAir::createSelect):
2061 (JSC::B3::Air::LowerToAir::lower):
2062 * b3/air/AirInstInlines.h:
2063 (JSC::B3::Air::Inst::shouldTryAliasingDef):
2064 * b3/air/AirOpcode.opcodes:
2066 2016-02-18 Gyuyoung Kim <gyuyoung.kim@webkit.org>
2068 [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2069 https://bugs.webkit.org/show_bug.cgi?id=154430
2071 Reviewed by Saam Barati.
2073 llvm isn't used anymore.
2075 * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2077 2016-02-18 Saam Barati <sbarati@apple.com>
2079 Implement Proxy.[[HasProperty]]
2080 https://bugs.webkit.org/show_bug.cgi?id=154313
2082 Reviewed by Filip Pizlo.
2084 This patch is a straightforward implementation of
2085 Proxy.[[HasProperty]] with respect to section 9.5.7
2086 of the ECMAScript spec.
2087 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2089 * runtime/ProxyObject.cpp:
2090 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2091 (JSC::ProxyObject::performHasProperty):
2092 (JSC::ProxyObject::getOwnPropertySlotCommon):
2093 * runtime/ProxyObject.h:
2095 * tests/stress/proxy-basic.js:
2098 * tests/stress/proxy-has-property.js: Added.
2100 (throw.new.Error.let.handler.get has):
2102 (assert.let.handler.has):
2104 (getOwnPropertyDescriptor):
2107 2016-02-18 Saam Barati <sbarati@apple.com>
2109 Proxies don't properly handle Symbols as PropertyKeys.
2110 https://bugs.webkit.org/show_bug.cgi?id=154385
2112 Reviewed by Mark Lam and Yusuke Suzuki.
2114 We were converting all PropertyKeys to strings, even when
2115 the PropertyName was a Symbol. In the spec, PropertyKeys are
2116 either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2117 Proxy.[[GetOwnProperty]].
2119 * runtime/Completion.cpp:
2120 (JSC::profiledEvaluate):
2121 (JSC::createSymbolForEntryPointModule):
2122 (JSC::identifierToJSValue): Deleted.
2123 * runtime/Identifier.h:
2125 * runtime/IdentifierInlines.h:
2126 (JSC::Identifier::fromString):
2127 (JSC::identifierToJSValue):
2128 (JSC::identifierToSafePublicJSValue):
2129 * runtime/ProxyObject.cpp:
2130 (JSC::performProxyGet):
2131 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2133 * tests/stress/proxy-basic.js:
2134 (let.handler.getOwnPropertyDescriptor):
2136 2016-02-18 Saam Barati <sbarati@apple.com>
2138 Follow up fix to Implement Proxy.[[GetOwnProperty]]
2139 https://bugs.webkit.org/show_bug.cgi?id=154314
2141 Reviewed by Filip Pizlo.
2143 Part of the implementation was broken because
2144 of how JSObject::getOwnPropertyDescriptor worked.
2145 I've fixed JSObject::getOwnPropertyDescriptor to
2146 be able to handle ProxyObject.
2148 * runtime/JSObject.cpp:
2149 (JSC::JSObject::getOwnPropertyDescriptor):
2150 * runtime/ProxyObject.cpp:
2151 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2152 * tests/stress/proxy-get-own-property.js:
2154 (assert.let.handler.get getOwnPropertyDescriptor):
2156 2016-02-18 Saam Barati <sbarati@apple.com>
2158 Implement Proxy.[[GetOwnProperty]]
2159 https://bugs.webkit.org/show_bug.cgi?id=154314
2161 Reviewed by Filip Pizlo.
2163 This patch implements Proxy.[[GetOwnProperty]].
2164 It's a straightforward implementation as described
2165 in section 9.5.5 of the specification:
2166 http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2168 * runtime/FunctionPrototype.cpp:
2169 (JSC::functionProtoFuncBind):
2170 * runtime/JSObject.cpp:
2171 (JSC::validateAndApplyPropertyDescriptor):
2172 (JSC::JSObject::defineOwnNonIndexProperty):
2173 (JSC::JSObject::defineOwnProperty):
2174 (JSC::JSObject::getGenericPropertyNames):
2175 (JSC::JSObject::getMethod):
2176 * runtime/JSObject.h:
2177 (JSC::JSObject::butterflyAddress):
2178 (JSC::makeIdentifier):
2179 * runtime/ProxyObject.cpp:
2180 (JSC::performProxyGet):
2181 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2182 (JSC::ProxyObject::getOwnPropertySlotCommon):
2183 (JSC::ProxyObject::getOwnPropertySlot):
2184 (JSC::ProxyObject::getOwnPropertySlotByIndex):
2185 (JSC::ProxyObject::visitChildren):
2186 * runtime/ProxyObject.h:
2188 * tests/stress/proxy-basic.js:
2189 (let.handler.get null):
2190 * tests/stress/proxy-get-own-property.js: Added.
2192 (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2194 (let.handler.getOwnPropertyDescriptor):
2196 (assert.let.handler.getOwnPropertyDescriptor):
2198 2016-02-18 Andreas Kling <akling@apple.com>
2200 JSString resolution of substrings should use StringImpl sharing optimization.
2201 <https://webkit.org/b/154068>
2202 <rdar://problem/24629358>
2204 Reviewed by Antti Koivisto.
2206 When resolving a JSString that's actually a substring of another JSString,
2207 use the StringImpl sharing optimization to create a new string pointing into
2208 the parent one, instead of copying out the bytes of the string.
2210 This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2212 Another approach to this would be to induce GC far more frequently due to
2213 the added cost of copying out these substrings. It would reduce the risk
2214 of prolonging the life of strings only kept alive by substrings.
2216 This patch chooses to trade that risk for less GC and lower peak memory.
2218 * runtime/JSString.cpp:
2219 (JSC::JSRopeString::resolveRope):
2221 2016-02-18 Chris Dumez <cdumez@apple.com>
2223 Crash on SES selftest page when loading the page while WebInspector is open
2224 https://bugs.webkit.org/show_bug.cgi?id=154378
2225 <rdar://problem/24713422>
2227 Reviewed by Mark Lam.
2229 Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2230 returns early again if it detects that getOwnPropertySlot() returns a
2231 non-own property. This check was removed in r196676 because we assumed that
2232 only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2233 However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2236 Not having the check would lead to crashes when using the debugger because
2237 we would get a slot with the CustomAccessor attribute but getDirect() would
2238 then fail to return the property (because it is not an own property). We
2239 would then cast the value returned by getDirect() to a CustomGetterSetter*
2242 * runtime/JSObject.cpp:
2243 (JSC::JSObject::getOwnPropertyDescriptor):
2245 2016-02-18 Filip Pizlo <fpizlo@apple.com>
2247 Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2250 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2251 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2253 2016-02-18 Filip Pizlo <fpizlo@apple.com>
2255 Unreviewed, fix CMake build. This got messed up when rebasing.
2259 2016-02-18 Csaba Osztrogonác <ossy@webkit.org>
2261 Fix the !ENABLE(DFG_JIT) build after r195865
2262 https://bugs.webkit.org/show_bug.cgi?id=154391
2264 Reviewed by Filip Pizlo.
2266 * runtime/SamplingProfiler.cpp:
2267 (JSC::tryGetBytecodeIndex):
2269 2016-02-17 Filip Pizlo <fpizlo@apple.com>
2271 Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
2272 https://bugs.webkit.org/show_bug.cgi?id=154383
2274 Reviewed by Saam Barati.
2276 I did a grep -i llvm of all of our code and did one of the following for each occurrence:
2278 - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
2281 - Removed the reference because I found it to be dead. In some cases it was a dead
2282 comment: it was telling us things about what LLVM did and that's just not relevant
2283 anymore. In other cases it was dead code that I forgot to delete in a previous patch.
2285 - Edited the comment in some smart way. There were comments talking about what LLVM did
2286 that were still of interest. In some cases, I added a FIXME to consider changing the
2287 code below the comment on the grounds that it was written in a weird way to placate
2288 LLVM and so we can do it better now.
2291 * JavaScriptCore.xcodeproj/project.pbxproj:
2292 * dfg/DFGArgumentsEliminationPhase.cpp:
2293 * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2295 (JSC::DFG::Plan::compileInThread):
2296 (JSC::DFG::Plan::compileInThreadImpl):
2297 (JSC::DFG::Plan::compileTimeStats):
2298 * dfg/DFGPutStackSinkingPhase.cpp:
2299 * dfg/DFGSSAConversionPhase.h:
2300 * dfg/DFGStaticExecutionCountEstimationPhase.h:
2301 * dfg/DFGUnificationPhase.cpp:
(JSC::DFG::UnificationPhase::run):
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble): Deleted.
* disassembler/X86Disassembler.cpp:
(JSC::tryToDisassemble):
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::IndexedAbstractHeap::initialize):
* ftl/FTLAbstractHeap.h:
* ftl/FTLFormattedValue.h:
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::restoreInto):
* ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
(JSC::FTL::DFG::ftlUnreachable):
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::compileBlock):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
(JSC::FTL::DFG::LowerDFGToB3::isBoolean):
(JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
(JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
(JSC::FTL::lowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
(JSC::FTL::lowerDFGToLLVM): Deleted.
* ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
* ftl/FTLLowerDFGToLLVM.cpp: Removed.
* ftl/FTLLowerDFGToLLVM.h: Removed.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::Weight::frequencyClass):
(JSC::FTL::Weight::inverse):
(JSC::FTL::Weight::scaleToTotal): Deleted.
* ftl/FTLWeightedTarget.h:
* jit/CallFrameShuffler64.cpp:
(JSC::CallFrameShuffler::emitDisplace):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::ftlCalleeSaveRegisters):
* llvm/InitializeLLVMLinux.cpp: Removed.
* llvm/InitializeLLVMWin.cpp: Removed.
* llvm/library: Removed.
* llvm/library/LLVMTrapCallback.h: Removed.
* llvm/library/libllvmForJSC.version: Removed.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
(JSC::Options::initialize):
* runtime/Options.h:
* wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
* wasm/WASMFunctionLLVMIRGenerator.h: Removed.
* wasm/WASMFunctionParser.cpp:

2016-02-18 Csaba Osztrogonác <ossy@webkit.org>

[cmake] Build system cleanup
https://bugs.webkit.org/show_bug.cgi?id=154337

Reviewed by Žan Doberšek.

2016-02-17 Mark Lam <mark.lam@apple.com>

Callers of JSString::value() should check for exceptions thereafter.
https://bugs.webkit.org/show_bug.cgi?id=154346

Reviewed by Geoffrey Garen.

JSString::value() can throw an exception if the JS string is a rope and value()
needs to resolve the rope but encounters an OutOfMemory error. If value() is not
able to resolve the rope, it will return a null string (in addition to throwing
the exception). If a caller does not check for exceptions after calling
JSString::value(), they may eventually use the returned null string and crash the

The fix is to add all the necessary exception checks, and do the appropriate

(functionCheckSyntax):
(functionLoadWebAssembly):
(functionLoadModule):
(functionCheckModuleSyntax):
* runtime/DateConstructor.cpp:
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* tools/JSDollarVMPrototype.cpp:
(JSC::functionPrint):

2016-02-17 Benjamin Poulain <bpoulain@apple.com>

[JSC] ARM64: Support the immediate format used for bit operations in Air
https://bugs.webkit.org/show_bug.cgi?id=154327

Reviewed by Filip Pizlo.

ARM64 supports a pretty rich form of immediates for bit operations.
There are two formats used to encode repeating patterns and common
input in a dense form.

In this patch, I add two new types of Arg: BitImm32 and BitImm64.
Those represent the valid immediate forms for bit operations.
On x86, any 32-bit value is valid. On ARM64, all the encoding
forms are tried and the immediate is used when possible.

The arg type Imm64 is renamed to BigImm to better represent what
it is: an immediate that does not fit into Imm.

* assembler/ARM64Assembler.h:
(JSC::LogicalImmediate::create32): Deleted.
(JSC::LogicalImmediate::create64): Deleted.
(JSC::LogicalImmediate::value): Deleted.
(JSC::LogicalImmediate::isValid): Deleted.
(JSC::LogicalImmediate::is64bit): Deleted.
(JSC::LogicalImmediate::LogicalImmediate): Deleted.
(JSC::LogicalImmediate::mask): Deleted.
(JSC::LogicalImmediate::partialHSB): Deleted.
(JSC::LogicalImmediate::highestSetBit): Deleted.
(JSC::LogicalImmediate::findBitRange): Deleted.
(JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
* assembler/AssemblerCommon.h:
(JSC::ARM64LogicalImmediate::create32):
(JSC::ARM64LogicalImmediate::create64):
(JSC::ARM64LogicalImmediate::value):
(JSC::ARM64LogicalImmediate::isValid):
(JSC::ARM64LogicalImmediate::is64bit):
(JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
(JSC::ARM64LogicalImmediate::mask):
(JSC::ARM64LogicalImmediate::partialHSB):
(JSC::ARM64LogicalImmediate::highestSetBit):
(JSC::ARM64LogicalImmediate::findBitRange):
(JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::and64):
(JSC::MacroAssemblerARM64::or64):
(JSC::MacroAssemblerARM64::xor64):
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::bitImm):
(JSC::B3::Air::LowerToAir::bitImm64):
(JSC::B3::Air::LowerToAir::appendBinOp):
* b3/air/AirArg.cpp:
(JSC::B3::Air::Arg::dump):
(WTF::printInternal):
(JSC::B3::Air::Arg::bitImm):
(JSC::B3::Air::Arg::bitImm64):
(JSC::B3::Air::Arg::isBitImm):
(JSC::B3::Air::Arg::isBitImm64):
(JSC::B3::Air::Arg::isSomeImm):
(JSC::B3::Air::Arg::value):
(JSC::B3::Air::Arg::isGP):
(JSC::B3::Air::Arg::isFP):
(JSC::B3::Air::Arg::hasType):
(JSC::B3::Air::Arg::isValidBitImmForm):
(JSC::B3::Air::Arg::isValidBitImm64Form):
(JSC::B3::Air::Arg::isValidForm):
(JSC::B3::Air::Arg::asTrustedImm32):
(JSC::B3::Air::Arg::asTrustedImm64):
* b3/air/AirOpcode.opcodes:
* b3/air/opcode_generator.rb:
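The "encoding forms" the entry above refers to are the ARM64 logical-immediate formats: a 2/4/8/16/32/64-bit element that is a rotated run of ones, replicated across the register. The following is an added illustration written for this page, not code from the WebKit patch or from JavaScriptCore's ARM64LogicalImmediate: it decides whether a 64-bit value (as a BigInt) is encodable, produces the N:immr:imms instruction fields, and decodes them back following the DecodeBitMasks pseudocode of the ARM Architecture Reference Manual. All function names here are this example's own.

```javascript
// Added example: ARM64 logical-immediate validity check, encoder and decoder,
// written independently of JavaScriptCore. 64-bit inputs are BigInts.
'use strict';

const MASK64 = (1n << 64n) - 1n;

// Rotate a `size`-bit value right by `r` (0 <= r < size).
function rotateRight(value, r, size) {
  const mask = (1n << BigInt(size)) - 1n;
  const v = value & mask;
  const rr = BigInt(r % size);
  return ((v >> rr) | (v << (BigInt(size) - rr))) & mask;
}

function popcount(v) {
  let n = 0;
  while (v) { v &= v - 1n; n++; }
  return n;
}

// Returns { size, ones, rotation } when `imm` is a replicated, rotated run of
// ones, or null otherwise. All-zero and all-one words are never encodable.
function analyzeLogicalImmediate64(imm) {
  imm &= MASK64;
  if (imm === 0n || imm === MASK64) return null;

  // Find the smallest element size whose pattern repeats across the word.
  let size = 64;
  while (size > 2) {
    const half = size / 2;
    const mask = (1n << BigInt(half)) - 1n;
    if ((imm & mask) !== ((imm >> BigInt(half)) & mask)) break;
    size = half;
  }
  const elem = imm & ((1n << BigInt(size)) - 1n);

  // A single circular run of ones has exactly two 0/1 transitions.
  if (popcount(elem ^ rotateRight(elem, 1, size)) !== 2) return null;

  const ones = popcount(elem);
  let rotation;
  if (elem & 1n) {
    // The run touches bit 0 and may wrap around the top of the element.
    let trailingOnes = 0;
    while ((elem >> BigInt(trailingOnes)) & 1n) trailingOnes++;
    rotation = ones - trailingOnes;
  } else {
    let trailingZeros = 0;
    while (!((elem >> BigInt(trailingZeros)) & 1n)) trailingZeros++;
    rotation = size - trailingZeros;
  }
  return { size, ones, rotation };
}

function isLogicalImmediate64(imm) {
  return analyzeLogicalImmediate64(imm) !== null;
}

// The 32-bit form is the 64-bit form applied to the value replicated twice.
function isLogicalImmediate32(imm) {
  const v = BigInt(imm) & 0xffffffffn;
  return isLogicalImmediate64((v << 32n) | v);
}

// Encode to the N (1 bit), immr (6 bits) and imms (6 bits) instruction fields.
// The element size is encoded as a prefix of ones in imms, with N acting as
// the seventh bit of that prefix for the 64-bit element.
function encodeLogicalImmediate64(imm) {
  const info = analyzeLogicalImmediate64(imm);
  if (!info) return null;
  const { size, ones, rotation } = info;
  const nimms = ((~(size - 1)) << 1) | (ones - 1);
  const n = ((nimms >> 6) & 1) ^ 1;
  return { n, immr: rotation, imms: nimms & 0x3f };
}

// Inverse of the above (DecodeBitMasks, immediate = TRUE); null for reserved encodings.
function decodeLogicalImmediate64(n, immr, imms) {
  const combined = (n << 6) | (~imms & 0x3f);
  let len = -1;
  for (let i = 6; i >= 0; i--) if (combined & (1 << i)) { len = i; break; }
  if (len < 1) return null;
  const size = 1 << len;
  const levels = size - 1;
  const s = imms & levels;
  const r = immr & levels;
  if (s === levels) return null;          // an all-ones element is reserved
  const elem = rotateRight((1n << BigInt(s + 1)) - 1n, r, size);
  let out = 0n;
  for (let i = 0; i < 64; i += size) out |= elem << BigInt(i);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of [0x00FF00FF00FF00FFn, 0x5n, 0x8000000000000001n])
    console.log('0x' + v.toString(16).padStart(16, '0'), encodeLogicalImmediate64(v));
}
```

The relationship between `isLogicalImmediate32` and `isLogicalImmediate64` (the 32-bit test is the 64-bit test on the value replicated into both halves) is the same split the entry introduces with the BitImm32 and BitImm64 Arg types; a value that fails both is what the entry calls an immediate that "does not fit into Imm" and has to be materialised in a register instead.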
2016-02-17 Keith Miller <keith_miller@apple.com>

Spread operator should be allowed when not the first argument of parameter list
https://bugs.webkit.org/show_bug.cgi?id=152721

Reviewed by Saam Barati.

Spread arguments to functions should now be ES6 compliant. Before we
would only take a spread operator if it was the sole argument to a
function. Additionally, we would not use the Symbol.iterator on the
object to generate the arguments. Instead we would do a loop up to the
length mapping indexed properties to the corresponding argument. We fix
both these issues by doing an AST transformation from foo(...a, b, ...c, d)
to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
old spread semantics). This solution has the downside of requiring the
allocation of another object and copying each element twice but avoids a
large change to the vm calling convention.

* interpreter/Interpreter.cpp:
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createElementList):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseArguments):
(JSC::Parser<LexerType>::parseArgument):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createElementList):
* tests/stress/spread-calling.js: Added.
(otherIterator.return.next):
(throwingIter.return.next):

2016-02-17 Brian Burg <bburg@apple.com>

Remove a wrong cast in RemoteInspector::receivedSetupMessage
https://bugs.webkit.org/show_bug.cgi?id=154361
<rdar://problem/24709281>

Reviewed by Joseph Pecoraro.

* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::receivedSetupMessage):
Not only is this cast unnecessary (the constructor accepts the base class),
but it is wrong since the target could be an automation target. Remove it.

2016-02-17 Filip Pizlo <fpizlo@apple.com>

Rename FTLB3Blah to FTLBlah
https://bugs.webkit.org/show_bug.cgi?id=154365

Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.

* JavaScriptCore.xcodeproj/project.pbxproj:
* ftl/FTLB3Compile.cpp: Removed.
* ftl/FTLB3Output.cpp: Removed.
* ftl/FTLB3Output.h: Removed.
* ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
* ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
* ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.

2016-02-17 Filip Pizlo <fpizlo@apple.com>

Remove LLVM dependencies from WebKit
https://bugs.webkit.org/show_bug.cgi?id=154323

Reviewed by Antti Koivisto and Benjamin Poulain.

We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
LLVM-related code dead, including the disassembler, which was only reachable when you were on
a platform that already had an in-tree disassembler.

* JavaScriptCore.xcodeproj/project.pbxproj:
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::compileTimeStats):
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble):
* disassembler/ARMv7Disassembler.cpp:
(JSC::tryToDisassemble):
* disassembler/Disassembler.cpp:
(JSC::disassembleAsynchronously):
* disassembler/Disassembler.h:
(JSC::tryToDisassemble):
* disassembler/LLVMDisassembler.cpp: Removed.
* disassembler/LLVMDisassembler.h: Removed.
* disassembler/UDis86Disassembler.cpp:
(JSC::tryToDisassembleWithUDis86):
* disassembler/UDis86Disassembler.h:
(JSC::tryToDisassembleWithUDis86):
* disassembler/X86Disassembler.cpp:
(JSC::tryToDisassemble):
* ftl/FTLAbbreviatedTypes.h:
* ftl/FTLAbbreviations.h: Removed.
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::AbstractHeap::decorateInstruction):
(JSC::FTL::AbstractHeap::dump):
(JSC::FTL::AbstractField::dump):
(JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
(JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
(JSC::FTL::IndexedAbstractHeap::baseIndex):
(JSC::FTL::IndexedAbstractHeap::dump):
(JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
(JSC::FTL::NumberedAbstractHeap::dump):
(JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
(JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
* ftl/FTLAbstractHeap.h:
(JSC::FTL::AbstractHeap::AbstractHeap):
(JSC::FTL::AbstractHeap::heapName):
(JSC::FTL::IndexedAbstractHeap::atAnyIndex):
(JSC::FTL::NumberedAbstractHeap::atAnyNumber):
(JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
(JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLB3Compile.cpp:
* ftl/FTLB3Output.cpp:
(JSC::FTL::Output::Output):
(JSC::FTL::Output::check):
(JSC::FTL::Output::load):
(JSC::FTL::Output::store):
* ftl/FTLB3Output.h:
* ftl/FTLCommonValues.cpp:
(JSC::FTL::CommonValues::CommonValues):
(JSC::FTL::CommonValues::initializeConstants):
* ftl/FTLCommonValues.h:
(JSC::FTL::CommonValues::initialize): Deleted.
* ftl/FTLCompile.cpp: Removed.
* ftl/FTLCompileBinaryOp.cpp: Removed.
* ftl/FTLCompileBinaryOp.h: Removed.
* ftl/FTLDWARFDebugLineInfo.cpp: Removed.
* ftl/FTLDWARFDebugLineInfo.h: Removed.
* ftl/FTLDWARFRegister.cpp: Removed.
* ftl/FTLDWARFRegister.h: Removed.
* ftl/FTLDataSection.cpp: Removed.
* ftl/FTLDataSection.h: Removed.
* ftl/FTLExceptionHandlerManager.cpp: Removed.
* ftl/FTLExceptionHandlerManager.h: Removed.
* ftl/FTLExceptionTarget.cpp:
* ftl/FTLExceptionTarget.h:
* ftl/FTLExitThunkGenerator.cpp: Removed.
* ftl/FTLExitThunkGenerator.h: Removed.
* ftl/FTLInlineCacheDescriptor.h: Removed.
* ftl/FTLInlineCacheSize.cpp: Removed.
* ftl/FTLInlineCacheSize.h: Removed.
* ftl/FTLIntrinsicRepository.cpp: Removed.
* ftl/FTLIntrinsicRepository.h: Removed.
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::~JITCode):
(JSC::FTL::JITCode::initializeB3Code):
(JSC::FTL::JITCode::initializeB3Byproducts):
(JSC::FTL::JITCode::initializeAddressForCall):
(JSC::FTL::JITCode::contains):
(JSC::FTL::JITCode::ftl):
(JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
(JSC::FTL::JITCode::initializeExitThunks): Deleted.
(JSC::FTL::JITCode::addHandle): Deleted.
(JSC::FTL::JITCode::addDataSection): Deleted.
(JSC::FTL::JITCode::exitThunks): Deleted.
(JSC::FTL::JITCode::b3Code):
(JSC::FTL::JITCode::handles): Deleted.
(JSC::FTL::JITCode::dataSections): Deleted.
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::codeSize):
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLJITFinalizer.h:
* ftl/FTLJSCall.cpp: Removed.
* ftl/FTLJSCall.h: Removed.
* ftl/FTLJSCallBase.cpp: Removed.
* ftl/FTLJSCallBase.h: Removed.
* ftl/FTLJSCallVarargs.cpp: Removed.
* ftl/FTLJSCallVarargs.h: Removed.
* ftl/FTLJSTailCall.cpp: Removed.
* ftl/FTLJSTailCall.h: Removed.
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::LazySlowPath):
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLazySlowPath.h:
(JSC::FTL::LazySlowPath::createGenerator):
(JSC::FTL::LazySlowPath::patchableJump):
(JSC::FTL::LazySlowPath::done):
(JSC::FTL::LazySlowPath::usedRegisters):
(JSC::FTL::LazySlowPath::callSiteIndex):
(JSC::FTL::LazySlowPath::stub):
(JSC::FTL::LazySlowPath::patchpoint): Deleted.
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::forValueRep):
(JSC::FTL::Location::dump):
(JSC::FTL::Location::forStackmaps): Deleted.
* ftl/FTLLocation.h:
(JSC::FTL::Location::forRegister):
(JSC::FTL::Location::forIndirect):
(JSC::FTL::Location::forConstant):
(JSC::FTL::Location::kind):
(JSC::FTL::Location::hasReg):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::DFG::LowerDFGToLLVM::lower):
(JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
(JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
(JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
(JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
(JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
(JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
(JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
(JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
(JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
(JSC::FTL::DFG::LowerDFGToLLVM::getById):
(JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
(JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
(JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
(JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
(JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
(JSC::FTL::DFG::LowerDFGToLLVM::speculate):
(JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
(JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
(JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
(JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
(JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
(JSC::FTL::DFG::LowerDFGToLLVM::probe):
(JSC::FTL::DFG::LowerDFGToLLVM::crash):
(JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
(JSC::FTL::OSRExitDescriptor::validateReferences):
(JSC::FTL::OSRExitDescriptor::emitOSRExit):
(JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
(JSC::FTL::OSRExit::OSRExit):
(JSC::FTL::OSRExit::codeLocationForRepatch):
(JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
(JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
(JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
(JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
(JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
(JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
(JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
(JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
* ftl/FTLOSRExitCompilationInfo.h: Removed.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileRecovery):
(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOSRExitHandle.cpp:
* ftl/FTLOSRExitHandle.h:
* ftl/FTLOutput.cpp: Removed.
* ftl/FTLOutput.h: Removed.
* ftl/FTLPatchpointExceptionHandle.cpp:
* ftl/FTLPatchpointExceptionHandle.h:
* ftl/FTLStackMaps.cpp: Removed.
* ftl/FTLStackMaps.h: Removed.
(JSC::FTL::State::State):
(JSC::FTL::State::~State):
(JSC::FTL::State::dumpState): Deleted.
* ftl/FTLUnwindInfo.cpp: Removed.
* ftl/FTLUnwindInfo.h: Removed.
* ftl/FTLValueRange.cpp:
(JSC::FTL::ValueRange::decorateInstruction):
* ftl/FTLValueRange.h:
(JSC::FTL::ValueRange::ValueRange):
(JSC::FTL::ValueRange::begin):
(JSC::FTL::ValueRange::end):
(JSC::FTL::Weight::value):
(JSC::FTL::Weight::frequencyClass):
(JSC::FTL::Weight::scaleToTotal):
* llvm/InitializeLLVM.cpp: Removed.
* llvm/InitializeLLVM.h: Removed.
* llvm/InitializeLLVMMac.cpp: Removed.
* llvm/InitializeLLVMPOSIX.cpp: Removed.
* llvm/InitializeLLVMPOSIX.h: Removed.
* llvm/LLVMAPI.cpp: Removed.
* llvm/LLVMAPI.h: Removed.
* llvm/LLVMAPIFunctions.h: Removed.
* llvm/LLVMHeaders.h: Removed.
* llvm/library/LLVMAnchor.cpp: Removed.
* llvm/library/LLVMExports.cpp: Removed.
* llvm/library/LLVMOverrides.cpp: Removed.
* llvm/library/config_llvm.h: Removed.

2016-02-17 Benjamin Poulain <bpoulain@apple.com>

[JSC] Remove the overflow check on ArithAbs when possible
https://bugs.webkit.org/show_bug.cgi?id=154325

Reviewed by Filip Pizlo.

This patch adds support for ArithMode for ArithAbs.

It is useful for kraken tests where Math.abs() is used
on values for which the range is known.

For example, imaging-gaussian-blur has two Math.abs() with
integers that are always in a small range around zero.
The IntegerRangeOptimizationPhase detects the range correctly
so we can just update the ArithMode depending on the input.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
(JSC::DFG::Node::convertToArithNegate):
(JSC::DFG::Node::hasArithMode):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
* tests/stress/arith-abs-integer-range-optimization.js: Added.
(negativeRangeIncludingZero):
(negativeRangeWithOverflow):
(positiveRangeIncludingZero):
(rangeWithoutOverflow):
* tests/stress/arith-abs-with-bitwise-or-zero.js: Added.

2016-02-17 Chris Dumez <cdumez@apple.com>

SES selftest page crashes on nightly r196694
https://bugs.webkit.org/show_bug.cgi?id=154350
<rdar://problem/24704334>

Reviewed by Mark Lam.

SES selftest page crashes after r196001 / r196145 when calling
Object.getOwnPropertyDescriptor(window, "length") after the window
has been reified and "length" has been shadowed by a value property.

It was crashing in JSObject::getOwnPropertyDescriptor() because
we are getting a slot that has attribute "CustomAccessor" but
the property is not a CustomGetterSetter. In this case, since
window.length is [Replaceable] and has been set to a numeric value,
it means that the property is not a CustomGetterSetter. However,
the "CustomAccessor" attribute should have been dropped from the
slot when window.length was shadowed. Therefore, this code path
should not be exercised at all when calling
getOwnPropertyDescriptor().

The issue was that putDirectInternal() was updating the slot
attributes only if the "Accessor" flag has changed, but not
the "customAccessor" flag. This patch fixes the issue.

* runtime/JSObject.h:
(JSC::JSObject::putDirectInternal):

2016-02-17 Saam Barati <sbarati@apple.com>

Implement Proxy [[Get]]
https://bugs.webkit.org/show_bug.cgi?id=154081

Reviewed by Michael Saboff.

This patch implements ProxyObject and ProxyConstructor. Their
implementations are straightforward and follow the spec.
The largest change in this patch is adding a second parameter
to PropertySlot's constructor that specifies the internal method type of
the getOwnPropertySlot inquiry. We use getOwnPropertySlot to
implement more than one Internal Method in the spec. Because
of this, we need InternalMethodType to give us context about
which Internal Method we're executing. Specifically, Proxy will
call into different handlers based on this information.

InternalMethodType is an enum with the following values:
This corresponds to [[Get]] internal method in the spec.
This corresponds to [[GetOwnProperty]] internal method in the spec.
This corresponds to [[HasProperty]] internal method in the spec.
This is basically everything else that isn't one of the above
types. This value also mandates that getOwnPropertySlot does
not perform any user observable effects. I.e., it can't call

The other non-VMInquiry InternalMethodTypes are allowed to perform user
observable effects. I.e., in future patches, ProxyObject will implement
InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty, which will both be defined
to call user defined JS functions, which clearly have the right to perform
user observable effects.

This patch implements getOwnPropertySlot of ProxyObject under
InternalMethodType::Get.

* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::put):
(JSC::JSCallbackObject<Parent>::staticFunctionGetter):
* JavaScriptCore.xcodeproj/project.pbxproj:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::caughtValue):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ArrayPrototype.cpp:
* runtime/CommonIdentifiers.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::get):
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::defineOwnProperty):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::regExpMatchesArrayStructure):
(JSC::JSGlobalObject::moduleRecordStructure):
(JSC::JSGlobalObject::moduleNamespaceObjectStructure):
(JSC::JSGlobalObject::proxyObjectStructure):
(JSC::JSGlobalObject::wasmModuleStructure):
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::getOwnPropertySlot):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::callbackGetter):
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::JSObject::calculatedClassName):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::hasProperty):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::hasOwnProperty):
(JSC::JSObject::getOwnPropertyDescriptor):
* runtime/JSObject.h:
(JSC::JSObject::getDirectIndex):
(JSC::JSObject::get):
* runtime/JSScope.cpp:
(JSC::abstractAccess):
* runtime/ObjectConstructor.cpp:
(JSC::toPropertyDescriptor):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncToString):
* runtime/PropertySlot.h:
(JSC::attributesForStructure):
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::isCacheableGetter):
(JSC::PropertySlot::isCacheableCustom):
(JSC::PropertySlot::internalMethodType):
(JSC::PropertySlot::disableCaching):
(JSC::PropertySlot::getValue):
* runtime/ProxyConstructor.cpp: Added.
(JSC::ProxyConstructor::create):
(JSC::ProxyConstructor::ProxyConstructor):
(JSC::ProxyConstructor::finishCreation):
(JSC::constructProxyObject):
(JSC::ProxyConstructor::getConstructData):
(JSC::ProxyConstructor::getCallData):
* runtime/ProxyConstructor.h: Added.
(JSC::ProxyConstructor::createStructure):
* runtime/ProxyObject.cpp: Added.
(JSC::ProxyObject::ProxyObject):
(JSC::ProxyObject::finishCreation):
(JSC::performProxyGet):
(JSC::ProxyObject::getOwnPropertySlotCommon):
(JSC::ProxyObject::getOwnPropertySlot):
(JSC::ProxyObject::getOwnPropertySlotByIndex):
(JSC::ProxyObject::visitChildren):
* runtime/ProxyObject.h: Added.
(JSC::ProxyObject::create):
(JSC::ProxyObject::createStructure):
(JSC::ProxyObject::target):
(JSC::ProxyObject::handler):
* runtime/ReflectObject.cpp:
(JSC::reflectObjectGet):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::StackFrame::nameFromCallee):
* tests/stress/proxy-basic.js: Added.
(let.handler.get null):
(let.handler.get switch):
(let.theTarget.get x):
* tests/stress/proxy-in-proto-chain.js: Added.
* tests/stress/proxy-of-a-proxy.js: Added.
* tests/stress/proxy-property-descriptor.js: Added.
* wasm/WASMModuleParser.cpp:
(JSC::WASMModuleParser::getImportedValue):
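The behaviour the entry above says ProxyObject's [[Get]] follows "the spec" is the ECMAScript ProxyGet algorithm: call handler.get with (target, key, receiver), fall back to the target when there is no trap, and reject a trap result that contradicts a non-configurable property of the target. The following is an added illustration written for this page, not code from the WebKit patch: a plain-JavaScript model of that algorithm (`proxyGet`) run next to the engine's native Proxy for the situations the entry's test names describe (basic trap, proxy in the prototype chain, proxy of a proxy). The function names are this example's own.

```javascript
// Added example: a reference model of the Proxy [[Get]] algorithm compared
// against the engine's own Proxy. Not part of JavaScriptCore.
'use strict';

// Spec [[Get]] for a proxy: consult handler.get, fall back to the target, then
// refuse results that lie about non-configurable properties of the target.
function proxyGet(target, handler, key, receiver = target) {
  if (handler === null) throw new TypeError('proxy has been revoked');
  const trap = handler.get;
  if (trap === undefined || trap === null) return Reflect.get(target, key, receiver);
  if (typeof trap !== 'function') throw new TypeError('get trap is not callable');
  const result = Reflect.apply(trap, handler, [target, key, receiver]);
  const desc = Reflect.getOwnPropertyDescriptor(target, key);
  if (desc !== undefined && desc.configurable === false) {
    if ('value' in desc && desc.writable === false && !Object.is(result, desc.value))
      throw new TypeError(`get trap misreports non-writable, non-configurable '${String(key)}'`);
    if ('get' in desc && desc.get === undefined && result !== undefined)
      throw new TypeError(`get trap reports a value for getter-less accessor '${String(key)}'`);
  }
  return result;
}

// Runs a thunk and returns either its value or the name of the error it threw.
function outcome(thunk) {
  try { return thunk(); } catch (e) { return e.constructor.name; }
}

// 1. The trap sees (target, key, receiver); here the receiver is the proxy itself.
function basicTrap() {
  const calls = [];
  const target = { x: 1 };
  const handler = {
    get(t, k, r) {
      calls.push({ key: k, targetOk: t === target, receiverIsProxy: r === proxy });
      return Reflect.get(t, k, r) * 10;
    },
  };
  const proxy = new Proxy(target, handler);
  return { native: proxy.x, modelled: proxyGet(target, handler, 'x', proxy), calls };
}

// 2. Proxy on the prototype chain: ordinary [[Get]] on the child forwards the
// original receiver, so the trap sees the child, not the proxy.
function protoChainReceiver() {
  let seen;
  const proxy = new Proxy({}, { get(t, k, r) { seen = r; return k === 'answer' ? 42 : undefined; } });
  const child = Object.create(proxy);
  const value = child.answer;
  return { value, receiverIsChild: seen === child };
}

// 3. Proxy of a proxy: the outer trap runs first and forwards into the inner one.
function proxyOfProxy() {
  const order = [];
  const inner = new Proxy({ v: 'target' }, { get(t, k, r) { order.push('inner'); return Reflect.get(t, k, r); } });
  const outer = new Proxy(inner, { get(t, k, r) { order.push('outer'); return Reflect.get(t, k, r); } });
  return { value: outer.v, order };
}

// 4. Invariant: a trap may not misreport a non-configurable, non-writable data
// property. Both the native proxy and the model reject the lying handler.
function lyingTrapIsRejected() {
  const target = {};
  Object.defineProperty(target, 'pinned', { value: 1, writable: false, configurable: false });
  const lying = { get() { return 2; } };
  const honest = { get() { return 1; } };
  return {
    native: outcome(() => new Proxy(target, lying).pinned),
    modelled: outcome(() => proxyGet(target, lying, 'pinned')),
    honest: proxyGet(target, honest, 'pinned'),
  };
}

// 5. A revoked proxy has a null handler and throws on [[Get]].
function revokedProxyThrows() {
  const { proxy, revoke } = Proxy.revocable({ a: 1 }, {});
  const before = proxy.a;
  revoke();
  return { before, after: outcome(() => proxy.a), modelled: outcome(() => proxyGet({ a: 1 }, null, 'a')) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(basicTrap(), protoChainReceiver(), proxyOfProxy(), lyingTrapIsRejected(), revokedProxyThrows());
}
```

The invariant check in step 4 is the part an engine must not skip: without it a handler could present a different value for a property the target has frozen, which is exactly the guarantee code relying on `Object.freeze` or `Object.defineProperty` with `configurable: false` expects to hold regardless of what wraps the object.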
2016-02-17 Mark Lam <mark.lam@apple.com>

StringPrototype functions should check for exceptions after calling JSString::value().
https://bugs.webkit.org/show_bug.cgi?id=154340

Reviewed by Filip Pizlo.

JSString::value() can throw an exception if the JS string is a rope and value()
needs to resolve the rope but encounters an OutOfMemory error. If value() is not
able to resolve the rope, it will return a null string (in addition to throwing
the exception). If StringPrototype functions do not check for exceptions after
calling JSString::value(), they may eventually use the returned null string and

The fix is to add all the necessary exception checks, and do the appropriate

Also, in a few places where an exception is detected, we return JSValue(); I
changed it to return jsUndefined() instead to be consistent with the rest of the

* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::stringProtoFuncMatch):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplit):
(JSC::stringProtoFuncLocaleCompare):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):

2016-02-17 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r196675.
https://bugs.webkit.org/show_bug.cgi?id=154344

"Causes major slowdowns on deltablue-varargs" (Requested by
keith_miller on #webkit).

"Spread operator should be allowed when not the first argument
https://bugs.webkit.org/show_bug.cgi?id=152721
http://trac.webkit.org/changeset/196675

2016-02-17 Gavin Barraclough <barraclough@apple.com>

JSDOMWindow::put should not do the same thing twice
https://bugs.webkit.org/show_bug.cgi?id=154334

Reviewed by Chris Dumez.

It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
In the latter case it might call lookupPut. That's redundant; JSObject::put handles static

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.

2016-02-16 Filip Pizlo <fpizlo@apple.com>

FTL_USES_B3 should be unconditionally true
https://bugs.webkit.org/show_bug.cgi?id=154324

Reviewed by Benjamin Poulain.

2016-02-16 Filip Pizlo <fpizlo@apple.com>

FTL should support CompareEq(String:, String:)
https://bugs.webkit.org/show_bug.cgi?id=154269
rdar://problem/24499921

Reviewed by Benjamin Poulain.

Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
think we should land the increased coverage first and fix the issues after, especially since
the regression is so small and doesn't have a statistically significant effect on the overall

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
(JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
* tests/stress/ftl-string-equality.js: Added.
* tests/stress/ftl-string-ident-equality.js: Added.
* tests/stress/ftl-string-strict-equality.js: Added.

2016-02-16 Filip Pizlo <fpizlo@apple.com>

FTL should support NewTypedArray
https://bugs.webkit.org/show_bug.cgi?id=154268

Reviewed by Saam Barati.

3% speed-up on pdfjs. This was already covered by many different tests.

Rolling this back in after fixing the butterfly argument.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
(JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
(JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
(JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):

2016-02-16 Gavin Barraclough <barraclough@apple.com>

JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
https://bugs.webkit.org/show_bug.cgi?id=154257

Reviewed by Chris Dumez.

(JSC::getStaticPropertySlot):
(JSC::getStaticFunctionSlot):
(JSC::getStaticValueSlot):
- this could all do with a little more love.
But enforce the basic precedence:
(1) regular storage properties always win over static table properties.
(2) if properties have been reified, don't consult the static tables.
(3) only if the property is not present on the object & not reified
should the static hashtable be consulted.

2016-02-16 Gavin Barraclough <barraclough@apple.com>

JSDOMWindow::getOwnPropertySlot should not search proto chain
https://bugs.webkit.org/show_bug.cgi?id=154102

Reviewed by Chris Dumez.

Should only return *own* properties.

* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):
- remove hack/special-case for DOMWindow; we no longer need this.

3180 2016-02-16 Keith Miller <keith_miller@apple.com>
3182 Spread operator should be allowed when not the first argument of parameter list
3183 https://bugs.webkit.org/show_bug.cgi?id=152721
3185 Reviewed by Saam Barati.
3187 Spread arguments to functions should now be ES6 compliant. Before we
3188 would only take a spread operator if it was the sole argument to a
3189 function. Additionally, we would not use the Symbol.iterator on the
3190 object to generate the arguments. Instead we would do a loop up to the
3191 length mapping indexed properties to the corresponding argument. We fix
3192 both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3193 to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3194 old spread semantics). This solution has the downside of requiring the
3195 allocation of another object and copying each element twice but avoids a
3196 large change to the vm calling convention.
3198 * interpreter/Interpreter.cpp:
3200 * parser/ASTBuilder.h:
3201 (JSC::ASTBuilder::createElementList):
3202 * parser/Parser.cpp:
3203 (JSC::Parser<LexerType>::parseArguments):
3204 (JSC::Parser<LexerType>::parseArgument):
3205 (JSC::Parser<LexerType>::parseMemberExpression):
3207 * parser/SyntaxChecker.h:
3208 (JSC::SyntaxChecker::createElementList):
3210 * tests/stress/spread-calling.js: Added.
3214 (otherIterator.return.next):
3217 (throwingIter.return.next):
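The semantic difference the entry above describes, as an added illustration that is not WebKit's own code: a legacy spread that walks 0..length-1 over indexed properties, the ES6 spread that drives Symbol.iterator, and the foo(...a, b, ...c, d) to foo(...[...a, b, ...c, d]) rewrite modelled in plain JavaScript (legacySpread, collectArgs and callWithSpread are hypothetical helpers written for this example).

```javascript
// Added example, not JavaScriptCore code. Contrasts the pre-patch spread
// semantics (index 0..length-1) with ES6 semantics (Symbol.iterator), and
// models the AST rewrite foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]).

// Legacy behaviour: ignore Symbol.iterator, map indexed properties up to .length.
function legacySpread(obj) {
  const out = [];
  const len = obj.length >>> 0;        // ToUint32(length), as an array-like walk would
  for (let i = 0; i < len; i++) out.push(obj[i]);
  return out;
}

// ES6 behaviour: consume the object's iterator, whatever .length says.
function es6Spread(obj) {
  return [...obj];
}

// Constructed object whose iterator deliberately disagrees with its indexed
// properties, so the two semantics produce visibly different argument lists.
const tricky = {
  length: 2, 0: 'idx0', 1: 'idx1',
  *[Symbol.iterator]() { yield 'iter0'; yield 'iter1'; yield 'iter2'; },
};

// The rewrite: every argument (spread or not) is first collected into one
// array literal, which is then spread as the sole argument of the call.
// Each part is {spread: true, value} for ...value, or {value} for a plain arg.
function collectArgs(parts) {
  const merged = [];
  for (const p of parts) {
    if (p.spread) merged.push(...p.value);   // iterator-driven, per ES6
    else merged.push(p.value);
  }
  return merged;
}
function callWithSpread(fn, parts) {
  return fn(...collectArgs(parts));          // single spread of the merged array
}
function foo(...args) { return args; }

// foo(...[1, 2], 3, ...tricky, 4)
const demo = callWithSpread(foo, [
  { spread: true, value: [1, 2] }, { value: 3 },
  { spread: true, value: tricky }, { value: 4 },
]);
```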
3221 2016-02-16 Benjamin Poulain <bpoulain@apple.com>
3223 [JSC] Enable B3 on ARM64
3224 https://bugs.webkit.org/show_bug.cgi?id=154275
3226 Reviewed by Mark Lam.
3228 The port passes more tests than LLVM now, let's use it by default.
3232 2016-02-16 Commit Queue <commit-queue@webkit.org>
3234 Unreviewed, rolling out r196652.
3235 https://bugs.webkit.org/show_bug.cgi?id=154315
3237 This change caused LayoutTest crashes (Requested by ryanhaddad
3242 "FTL should support NewTypedArray"
3243 https://bugs.webkit.org/show_bug.cgi?id=154268
3244 http://trac.webkit.org/changeset/196652
3246 2016-02-16 Brian Burg <bburg@apple.com>
3248 RemoteInspector should forward new automation session requests to its client
3249 https://bugs.webkit.org/show_bug.cgi?id=154260
3250 <rdar://problem/24663313>
3252 Reviewed by Timothy Hatcher.
3254 * inspector/remote/RemoteInspector.h:
3255 * inspector/remote/RemoteInspector.mm:
3256 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3257 (Inspector::RemoteInspector::listingForAutomationTarget):
3258 Use the correct key for the session identifier in the listing. The name()
3259 override for RemoteAutomationTarget is actually the session identifier.
3261 (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3262 * inspector/remote/RemoteInspectorConstants.h: Add new constants.
3264 2016-02-16 Saam Barati <sbarati@apple.com>
3266 SamplingProfiler still fails with ASan enabled
3267 https://bugs.webkit.org/show_bug.cgi?id=154301
3268 <rdar://problem/24679502>
3270 Reviewed by Filip Pizlo.
3272 To fix this issue, I've come up with unsafe versions
3273 of all operations that load memory from the thread's call
3274 frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
3276 * interpreter/CallFrame.cpp:
3277 (JSC::CallFrame::callSiteAsRawBits):
3278 (JSC::CallFrame::unsafeCallSiteAsRawBits):
3279 (JSC::CallFrame::callSiteIndex):
3280 (JSC::CallFrame::unsafeCallSiteIndex):
3281 (JSC::CallFrame::stack):
3282 (JSC::CallFrame::callerFrame):
3283 (JSC::CallFrame::unsafeCallerFrame):
3284 (JSC::CallFrame::friendlyFunctionName):
3285 * interpreter/CallFrame.h:
3286 (JSC::ExecState::calleeAsValue):
3287 (JSC::ExecState::callee):
3288 (JSC::ExecState::unsafeCallee):
3289 (JSC::ExecState::codeBlock):
3290 (JSC::ExecState::unsafeCodeBlock):
3291 (JSC::ExecState::scope):
3292 (JSC::ExecState::callerFrame):
3293 (JSC::ExecState::callerFrameOrVMEntryFrame):
3294 (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
3295 (JSC::ExecState::callerFrameOffset):
3296 (JSC::ExecState::callerFrameAndPC):
3297 (JSC::ExecState::unsafeCallerFrameAndPC):
3298 * interpreter/Register.h:
3299 (JSC::Register::codeBlock):
3300 (JSC::Register::asanUnsafeCodeBlock):
3301 (JSC::Register::unboxedInt32):
3302 (JSC::Register::tag):
3303 (JSC::Register::unsafeTag):
3304 (JSC::Register::payload):
3305 * interpreter/VMEntryRecord.h:
3306 (JSC::VMEntryRecord::prevTopCallFrame):
3307 (JSC::VMEntryRecord::unsafePrevTopCallFrame):
3308 (JSC::VMEntryRecord::prevTopVMEntryFrame):
3309 (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
3310 * runtime/SamplingProfiler.cpp:
3311 (JSC::FrameWalker::walk):
3312 (JSC::FrameWalker::advanceToParentFrame):
3313 (JSC::FrameWalker::isAtTop):
3314 (JSC::FrameWalker::resetAtMachineFrame):
3316 2016-02-16 Filip Pizlo <fpizlo@apple.com>
3318 FTL should support NewTypedArray
3319 https://bugs.webkit.org/show_bug.cgi?id=154268
3321 Reviewed by Saam Barati.
3323 3% speed-up on pdfjs. This was already covered by many different tests.
3325 * ftl/FTLCapabilities.cpp:
3326 (JSC::FTL::canCompile):
3327 * ftl/FTLLowerDFGToLLVM.cpp:
3328 (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3329 (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3330 (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3331 (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3332 (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3333 (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3334 (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3336 2016-02-16 Saam Barati <sbarati@apple.com>
3338 stress/sampling-profiler-deep-stack.js fails on ARM 32bit
3339 https://bugs.webkit.org/show_bug.cgi?id=154255
3340 <rdar://problem/24662996>
3342 Reviewed by Mark Lam.
3344 The bug here wasn't in the implementation of the sampling profiler
3345 itself. Rather, it was a bug in the test. JSC wasn't spending a lot
3346 of time in a function that the test assumed a lot of time was spent in.
3347 That's because the DFG was doing a good job at optimizing the function
3348 at the leaf of the recursion. Because of that, we often wouldn't sample it.
3349 I fixed this by making the leaf function do more work.
3351 * tests/stress/sampling-profiler-deep-stack.js:
3352 (platformSupportsSamplingProfiler.foo):
3354 2016-02-16 Chris Dumez <cdumez@apple.com>
3356 [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
3357 https://bugs.webkit.org/show_bug.cgi?id=154120
3358 <rdar://problem/24613231>
3360 Reviewed by Gavin Barraclough.
3362 Have putEntry() take a thisValue parameter in addition to the base,
3363 instead of relying on PropertySlot::thisValue() because this did not
3364 always do the right thing. In particular, when JSDOMWindow::put() was
3365 called to set a function, it would end up setting the new value on the
3366 JSDOMWindowShell instead of the actual JSDOMWindow.
3367 JSDOMWindow::getOwnPropertySlot() would then