Ensure that ForInContexts are invalidated if their loop local is over-written.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-09-18  Mark Lam  <mark.lam@apple.com>

        Ensure that ForInContexts are invalidated if their loop local is over-written.
        https://bugs.webkit.org/show_bug.cgi?id=189571
        <rdar://problem/44402277>

        Reviewed by Saam Barati.

        Instead of hunting down every place in the BytecodeGenerator that potentially
        needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
        the bytecode range of the loop body when the ForInContext is popped, and
        invalidate the context if we ever find the loop temp variable over-written.

        This has 2 benefits:
        1. It ensures that every type of opcode that can write to the loop temp will be
           handled appropriately, not just the op_mov that we've hunted down.
        2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
           every time we emit an op_mov (or other opcodes that can write to a local)
           even when we're not inside a for-in loop.

        JSC benchmarks show that this change is performance neutral.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::popIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        (JSC::BytecodeGenerator::popStructureForInScope):
        (JSC::ForInContext::finalize):
        (JSC::StructureForInContext::finalize):
        (JSC::IndexedForInContext::finalize):
        (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::bodyBytecodeStartOffset const):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue const):
        (JSC::AssignmentElementNode::bindValue const):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

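The scheme the entry above describes, as an added model written for this page (it is not JSC's code): a ForInContext records where its loop body's bytecode begins, and when it is popped it scans that range for any instruction that writes the loop temp, regardless of opcode; on a hit, the enumerator-indexed fast loads it emitted are rewritten to the generic property load. The opcode names, the `Generator` class and the register numbering are invented for the illustration.

```cpp
#include <cstddef>
#include <vector>

// Toy opcodes (not JSC's). NextPname writes the current key; GetDirectPname is the
// enumerator-indexed fast load that is only sound while the key register is untouched.
enum class Op { NextPname, Mov, GetByVal, GetDirectPname };
struct Instruction { Op op; int dst; int src1; int src2; }; // dst == -1: writes no register

struct ForInContext {
    int base;
    int loopTemp;                   // register holding the enumerated key
    size_t bodyBytecodeStartOffset; // first instruction of the loop body
    std::vector<size_t> fastLoads;  // GetDirectPname instructions emitted under this context
    bool valid;

    // Called once when the context is popped: scan the body range and invalidate on
    // *any* instruction that writes the loop temp, whatever its opcode happens to be.
    void finalize(std::vector<Instruction>& code)
    {
        for (size_t i = bodyBytecodeStartOffset; i < code.size() && valid; ++i)
            valid = code[i].dst != loopTemp;
        if (!valid)
            for (size_t i : fastLoads) code[i].op = Op::GetByVal; // fall back to the generic load
    }
};

struct Generator {
    std::vector<Instruction> code;
    std::vector<ForInContext> contexts;

    void pushForInScope(int base, int loopTemp)
    {
        code.push_back({Op::NextPname, loopTemp, base, -1}); // header write: outside the body range
        contexts.push_back({base, loopTemp, code.size(), {}, true});
    }
    void popForInScope() { contexts.back().finalize(code); contexts.pop_back(); }
    void emitMov(int dst, int src) { code.push_back({Op::Mov, dst, src, -1}); }
    void emitGetByVal(int dst, int base, int prop)
    {
        for (auto it = contexts.rbegin(); it != contexts.rend(); ++it) {
            if (it->base != base || it->loopTemp != prop) continue;
            it->fastLoads.push_back(code.size());       // obj[key] inside for (key in obj)
            code.push_back({Op::GetDirectPname, dst, base, prop});
            return;
        }
        code.push_back({Op::GetByVal, dst, base, prop});
    }
};

// Models `for (key in obj) { [key = other;] x = obj[key]; }` and returns the opcode the
// load carries once the context has been popped (constructed register layout).
Op loadOpcodeForLoop(bool overwriteKey)
{
    enum { Obj = 0, Key = 1, Other = 2, X = 3 };
    Generator gen;
    gen.pushForInScope(Obj, Key);
    if (overwriteKey) gen.emitMov(Key, Other);
    size_t load = gen.code.size();
    gen.emitGetByVal(X, Obj, Key);
    gen.popForInScope();
    return gen.code[load].op;
}
```

Because the check runs over the emitted range rather than at each emit site, a write to the key by any opcode (not only the Mov used here) downgrades the load, which is the first benefit the entry lists.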
2018-09-17  Devin Rousso  <drousso@apple.com>

        Web Inspector: generate CSSKeywordCompletions from backend values
        https://bugs.webkit.org/show_bug.cgi?id=189041

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/CSS.json:
        Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.

2018-09-17  Saam barati  <sbarati@apple.com>

        We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
        https://bugs.webkit.org/show_bug.cgi?id=189676
        <rdar://problem/39682897>

        Reviewed by Michael Saboff.

        Because the incoming value may be TDZ, CheckStructure may end up crashing.
        Since the Type Profile does not currently record TDZ values in any of its
        data structures, this is not a semantic change in how it will show you data.
        It just fixes crashes when we emit a CheckStructure and the incoming value
        is TDZ.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCheckStructureOrEmpty):

2018-09-17  Darin Adler  <darin@apple.com>

        Use OpaqueJSString rather than JSRetainPtr inside WebKit
        https://bugs.webkit.org/show_bug.cgi?id=189652

        Reviewed by Saam Barati.

        * API/JSCallbackObjectFunctions.h: Removed an unneeded include of
        JSStringRef.h.

        * API/JSContext.mm:
        (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather
        than JSStringCreateWithCFString, simplifying the code and also obviating the
        need for explicit JSStringRelease.
        (-[JSContext setName:]): Ditto.

        * API/JSStringRef.cpp:
        (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease.
        It seems that additional optimization is possible, obviating the need to allocate
        an OpaqueJSString, but that's true almost everywhere else in this patch, too.

        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use
        OpaqueJSString::create and adoptRef as appropriate.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
        (performPropertyOperation): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto.
        (containerValueToObject): Ditto.
        (valueToString): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.

2018-09-08  Darin Adler  <darin@apple.com>

        Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
        https://bugs.webkit.org/show_bug.cgi?id=189455

        Reviewed by Keith Miller.

        * API/JSObjectRef.cpp:
        (OpaqueJSPropertyNameArray): Use Ref<OpaqueJSString> instead of
        JSRetainPtr<JSStringRef>.
        (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and
        adopt constructor.
        (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since
        the array elements are now Ref.

        * API/JSRetainPtr.h: While JSRetainPtr is written as a template,
        it only works for two specific unrelated types, JSStringRef and
        JSGlobalContextRef. Simplified the default constructor using data
        member initialization. Prepared to make the adopt constructor private
        (got everything compiling that way, then made it public again so that
        Apple internal software will still build). Got rid of unneeded
        templated constructor and assignment operator, since it's not relevant
        since there is no inheritance between JSRetainPtr template types.
        Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr.
        Added move constructor and move assignment operator for slightly better
        performance. Simplified implementations of various member functions
        so they are more obviously correct, by using leakPtr in more of them
        and using std::exchange to make the flow of values more obvious.

        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a
        missing JSStringRelease to fix a leak.

        * API/tests/CustomGlobalObjectClassTest.c:
        (customGlobalObjectClassTest): Added a JSGlobalContextRelease to fix a leak.
        (globalObjectSetPrototypeTest): Ditto.
        (globalObjectPrivatePropertyTest): Ditto.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (testResetAfterTimeout): Added a call to JSStringRelease to fix a leak.
        (testExecutionTimeLimit): Ditto, lots more.

        * API/tests/FunctionOverridesTest.cpp:
        (testFunctionOverrides): Added a call to JSStringRelease to fix a leak.

        * API/tests/JSObjectGetProxyTargetTest.cpp:
        (testJSObjectGetProxyTarget): Added a call to JSGlobalContextRelease to fix
        a leak.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow): Added calls to JSGlobalContextRelease and
        JSStringRelease to fix leaks.

        * API/tests/testapi.c:
        (throwException): Added. Helper function for repeated idiom where we want
        to throw an exception, but with additional JSStringRelease calls so we don't
        have to leak just to keep the code simpler to read.
        (MyObject_getProperty): Use throwException.
        (MyObject_setProperty): Ditto.
        (MyObject_deleteProperty): Ditto.
        (isValueEqualToString): Added. Helper function for an idiom where we check
        if something is a string and then if it's equal to a particular string
        constant, but a version that has an additional JSStringRelease call so we
        don't have to leak just to keep the code simpler to read.
        (MyObject_callAsFunction): Use isValueEqualToString and throwException.
        (MyObject_callAsConstructor): Ditto.
        (MyObject_hasInstance): Ditto.
        (globalContextNameTest): Added a JSGlobalContextRelease to fix a leak.
        (testMarkingConstraintsAndHeapFinalizers): Ditto.

2018-09-14  Saam barati  <sbarati@apple.com>

        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
        https://bugs.webkit.org/show_bug.cgi?id=189628
        <rdar://problem/39481690>

        Reviewed by Mark Lam.

        An Availability may point to a Node. And that Node may be removed from
        the graph, e.g., it's freed and its memory is no longer owned by Graph.
        This patch makes it so we no longer dump this metadata by default. If
        this metadata is interesting to you, you'll need to go in and change
        Graph::dump to dump the needed metadata.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2018-09-14  Mark Lam  <mark.lam@apple.com>

        Refactor some ForInContext code for better encapsulation.
        https://bugs.webkit.org/show_bug.cgi?id=189626
        <rdar://problem/44466415>

        Reviewed by Keith Miller.

        1. Add a ForInContext::m_type field to store the context type.  This does not
           increase the class size, but eliminates the need for a virtual call to get the
           type.

           Note: we still need a virtual destructor because we'll be mingling
           IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.

        2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
           convenience methods.

        3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
           to do the casting to the subclass types.  This ensures that we'll properly
           assert that the casting is legal.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::popIndexedForInScope):
        (JSC::BytecodeGenerator::popStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::type const):
        (JSC::ForInContext::isIndexedForInContext const):
        (JSC::ForInContext::isStructureForInContext const):
        (JSC::ForInContext::asIndexedForInContext):
        (JSC::ForInContext::asStructureForInContext):
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::~ForInContext): Deleted.

2018-09-14  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Record actions performed on ImageBitmapRenderingContext
        https://bugs.webkit.org/show_bug.cgi?id=181341

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        * inspector/scripts/codegen/generator.py:

2018-09-14  Mike Gorse  <mgorse@suse.com>

        builtins directory causes name conflict on Python 3
        https://bugs.webkit.org/show_bug.cgi?id=189552

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt: builtins -> wkbuiltins.
        * DerivedSources.make: builtins -> wkbuiltins.
        * Scripts/generate-js-builtins.py: import wkbuiltins, rather than
          builtins.
        * Scripts/wkbuiltins/__init__.py: Renamed from Source/JavaScriptCore/Scripts/builtins/__init__.py.
        * Scripts/wkbuiltins/builtins_generate_combined_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_header.py.
        * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py.
        * Scripts/wkbuiltins/builtins_generate_separate_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_header.py.
        * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py.
        * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_header.py.
        * Scripts/wkbuiltins/builtins_generate_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_implementation.py.
        * Scripts/wkbuiltins/builtins_generator.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generator.py.
        * Scripts/wkbuiltins/builtins_model.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_model.py.
        * Scripts/wkbuiltins/builtins_templates.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_templates.py.
        * Scripts/wkbuiltins/wkbuiltins.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins.py.
        * JavaScriptCore.xcodeproj/project.pbxproj: Update for the renaming.

2018-09-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Inline WasmContext accessor functions
        https://bugs.webkit.org/show_bug.cgi?id=189416

        Reviewed by Saam Barati.

        WasmContext accessor functions are very small while they reside in the critical path of
        JS to Wasm function call. This patch makes them inline to improve performance.
        This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * interpreter/CallFrame.cpp:
        * jit/AssemblyHelpers.cpp:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmContextInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmContext.cpp.
        (JSC::Wasm::Context::useFastTLS):
        (JSC::Wasm::Context::load const):
        (JSC::Wasm::Context::store):
        * wasm/WasmMemoryInformation.cpp:
        * wasm/WasmModuleParser.cpp: Include <wtf/SHA1.h> due to changes of unified source combinations.
        * wasm/js/JSToWasm.cpp:
        * wasm/js/WebAssemblyFunction.cpp:

2018-09-12  David Kilzer  <ddkilzer@apple.com>

        Move JavaScriptCore files to match Xcode project hierarchy
        <https://webkit.org/b/189574>

        Reviewed by Filip Pizlo.

        * API/JSAPIValueWrapper.cpp: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.cpp.
        * API/JSAPIValueWrapper.h: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.h.
        * CMakeLists.txt: Update for new path to
        generateYarrUnicodePropertyTables.py, hasher.py and
        JSAPIValueWrapper.h.
        * DerivedSources.make: Ditto. Add missing dependency on
        hasher.py captured by CMakeLists.txt.
        * JavaScriptCore.xcodeproj/project.pbxproj: Update for new file
        reference paths. Add hasher.py library to project.
        * Sources.txt: Update for new path to
        JSAPIValueWrapper.cpp.
        * runtime/JSImmutableButterfly.h: Add missing includes
        after changes to Sources.txt and regenerating unified
        sources.
        * runtime/RuntimeType.h: Ditto.
        * yarr/generateYarrUnicodePropertyTables.py: Rename from Source/JavaScriptCore/Scripts/generateYarrUnicodePropertyTables.py.
        * yarr/hasher.py: Rename from Source/JavaScriptCore/Scripts/hasher.py.

2018-09-12  David Kilzer  <ddkilzer@apple.com>

        Let Xcode have its way with the JavaScriptCore project

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-09-12  Guillaume Emont  <guijemont@igalia.com>

        Add IGNORE_WARNING_.* macros
        https://bugs.webkit.org/show_bug.cgi?id=188996

        Reviewed by Michael Catanzaro.

        * API/JSCallbackObject.h:
        * API/tests/testapi.c:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * b3/B3LowerToAir.cpp:
        * b3/B3Opcode.cpp:
        * b3/B3Type.h:
        * b3/B3TypeMap.h:
        * b3/B3Width.h:
        * b3/air/AirArg.cpp:
        * b3/air/AirArg.h:
        * b3/air/AirCode.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * dfg/DFGSpeculativeJIT64.cpp:
        * ftl/FTLOutput.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::calculatePokeOffset):
        * llint/LLIntData.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLogF):
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::canonicalizePaths):
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSGenericTypedArrayViewConstructor.h:
        * runtime/JSGenericTypedArrayViewPrototype.h:
        * runtime/Options.cpp:
        (JSC::Options::setAliasedOption):
        * tools/CodeProfiling.cpp:
        * wasm/WasmSections.h:
        * wasm/generateWasmValidateInlinesHeader.py:

== Rolled over to ChangeLog-2018-09-11 ==