2017-12-14 Saam Barati <sbarati@apple.com>

The CleanUp after LICM is erroneously removing a Check
https://bugs.webkit.org/show_bug.cgi?id=180852
<rdar://problem/36063494>

Reviewed by Filip Pizlo.

There was a bug where the CleanUp phase relied on isProved() bits and LICM
changed them in an invalid way. The bug is as follows:

We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested
inside of L1. We have a Check inside a node inside L1, say in basic block BB,
and that Check dominates all of L2. This is also a hoisting candidate, so we
hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at
the preheader for each loop inside L1, so P1 and P2. When considering P2,
we execute the Check. Inside P2, before any hoisting is done, this Check
is dead code, because BB dominates P2. When we use AI to "execute" the
Check, it'll set its proof status to proved. This is because inside P2,
in the program before LICM runs, the Check is indeed proven at P2. But
it is not proven inside P1. This "execute" call will set our proof status
for the node inside *P1*, hence, we crash.

The fix here is to make LICM precise when updating the ProofStatus of an edge.
It can trust the AI state at the preheader it hoists the node to, but it can't
trust the state when executing effects inside inner loops' preheaders.

(JSC::DFG::Plan::compileInThreadImpl):

2017-12-14 David Kilzer <ddkilzer@apple.com>

Enable -Wstrict-prototypes for WebKit
<https://webkit.org/b/180757>
<rdar://problem/36024132>

Rubber-stamped by Joseph Pecoraro.

* API/tests/CompareAndSwapTest.h:
(testCompareAndSwap): Add 'void' to C function declaration.
* API/tests/ExecutionTimeLimitTest.h:
(testExecutionTimeLimit): Ditto.
* API/tests/FunctionOverridesTest.h:
(testFunctionOverrides): Ditto.
* API/tests/GlobalContextWithFinalizerTest.h:
(testGlobalContextWithFinalizer): Ditto.
* API/tests/JSONParseTest.h:
(testJSONParse): Ditto.
* API/tests/MultithreadedMultiVMExecutionTest.h:
(startMultithreadedMultiVMExecutionTest): Ditto.
(finalizeMultithreadedMultiVMExecutionTest): Ditto.
* API/tests/PingPongStackOverflowTest.h:
(testPingPongStackOverflow): Ditto.
* Configurations/Base.xcconfig:
(CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES.

2017-12-14 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] Reduce register pressure of WeakMapGet to be used for 32-bit
https://bugs.webkit.org/show_bug.cgi?id=180804

Reviewed by Saam Barati.

This fixes 32-bit failures of JSC by reducing register pressure of WeakMapGet.

* dfg/DFGRegisterBank.h:
(JSC::DFG::RegisterBank::lockedCount const):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileWeakMapGet):

2017-12-14 Keith Miller <keith_miller@apple.com>

Unreviewed, forgot to add { }

(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14 Devin Rousso <webkit@devinrousso.com>

Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
https://bugs.webkit.org/show_bug.cgi?id=180770

Reviewed by Joseph Pecoraro.

* inspector/protocol/Canvas.json:

2017-12-14 Keith Miller <keith_miller@apple.com>

Fix assertion in JSObject's structure setting methods
https://bugs.webkit.org/show_bug.cgi?id=180840

I forgot that when Typed Arrays have non-indexed properties
added to them, they call the generic code. The generic code
in turn calls the regular structure setting methods. Thus,
these assertions were invalid and we should just avoid setting
the indexing mask if we have a Typed Array.

* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14 Michael Saboff <msaboff@apple.com>

REGRESSION (r225695): Repro crash on yahoo login page
https://bugs.webkit.org/show_bug.cgi?id=180761

Reviewed by JF Bastien.

Relanding r225695 with a fix.

The fix is that we need to save the return address for a parentheses in
the ParenContext because it is actually used by any immediately contained

Also did a little refactoring, changing occurrences of PatternContext to
ParenContext since that is the name of the structure.

* runtime/RegExp.cpp:
(JSC::byteCodeCompilePattern):
(JSC::RegExp::byteCodeCompileIfNecessary):
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::ByteCompiler::dumpDisjunction):

(JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
(JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
(JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
(JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
(JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
(JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
(JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
(JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
(JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
(JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
(JSC::Yarr::YarrGenerator::initParenContextFreeList):
(JSC::Yarr::YarrGenerator::allocateParenContext):
(JSC::Yarr::YarrGenerator::freeParenContext):
(JSC::Yarr::YarrGenerator::saveParenContext):
(JSC::Yarr::YarrGenerator::restoreParenContext):
(JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
(JSC::Yarr::YarrGenerator::storeToFrame):
(JSC::Yarr::YarrGenerator::generateJITFailReturn):
(JSC::Yarr::YarrGenerator::clearMatches):
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):

(JSC::Yarr::YarrCodeBlock::execute):
* yarr/YarrPattern.cpp:
(JSC::Yarr::indentForNestingLevel):
(JSC::Yarr::dumpUChar32):
(JSC::Yarr::dumpCharacterClass):
(JSC::Yarr::PatternTerm::dump):
(JSC::Yarr::YarrPattern::dumpPattern):
* yarr/YarrPattern.h:
(JSC::Yarr::PatternTerm::containsAnyCaptures):
(JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
(JSC::Yarr::BackTrackInfoParentheses::beginIndex):
(JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
(JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
(JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
(JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.

2017-12-13 Keith Miller <keith_miller@apple.com>

JSObjects should have a mask for loading indexed properties
https://bugs.webkit.org/show_bug.cgi?id=180768

Reviewed by Mark Lam.

This patch adds a new member to JSObject that holds an indexing
mask. The indexing mask is bitwise ANDed with the index used to
load a property. If for whatever reason an attacker is able to
clobber the vectorLength of our butterfly they still won't be able
to read substantially past the end of the butterfly. For
performance reasons we don't use the indexing masking for
TypedArrays. Since TypedArrays are already gigacaged the risk of
wild reads is still restricted.

This patch is a <1% regression on Speedometer and ~3% regression
on JetStream in my testing.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::urshiftPtr):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGAbstractHeap.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileCreateActivation):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::compileNewTypedArray):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::IndexedAbstractHeap::baseIndex):
* ftl/FTLAbstractHeap.h:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):

(JSC::FTL::Output::baseIndex):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
(JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
(JSC::AssemblyHelpers::storeButterfly): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayStorage.h:
(JSC::ArrayStorage::availableVectorLength):
* runtime/Butterfly.h:
(JSC::ContiguousData::ContiguousData):
(JSC::ContiguousData::at const):
(JSC::ContiguousData::at):
(JSC::Butterfly::publicLength const):
(JSC::Butterfly::vectorLength const):
(JSC::Butterfly::computeIndexingMaskForVectorLength):
(JSC::Butterfly::computeIndexingMask):
(JSC::Butterfly::contiguousInt32):
(JSC::ContiguousData::operator[] const): Deleted.
(JSC::ContiguousData::operator[]): Deleted.
(JSC::Butterfly::publicLength): Deleted.
(JSC::Butterfly::vectorLength): Deleted.
* runtime/ButterflyInlines.h:
(JSC::ContiguousData<T>::at const):
(JSC::ContiguousData<T>::at):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::setLength):

(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
* runtime/JSArrayInlines.h:
(JSC::JSArray::pushInline):
* runtime/JSFixedArray.h:
(JSC::JSFixedArray::createFromArray):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::putByIndex):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::createInitialForValueAndSet):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::countElements):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::getEnumerableLength):
* runtime/JSObject.h:
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::initializeIndexWithoutBarrier):
(JSC::JSObject::butterflyIndexingMaskOffset):
(JSC::JSObject::butterflyIndexingMask const):
(JSC::JSObject::setButterflyWithIndexingMask):
(JSC::JSObject::setButterfly):
(JSC::JSObject::nukeStructureAndSetButterfly):
(JSC::JSObject::JSObject):
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
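The indexing-mask mitigation described in the entry above, as an added C++ illustration that is not JSC's code. A toy object keeps a vectorLength (the field the entry assumes an attacker can clobber) and a mask computed when its storage is installed, and every indexed load is ANDed with that mask before the slot is read. The mask construction is an assumption made for this example (the smallest all-ones value that covers every valid index); the real computeIndexingMaskForVectorLength may differ in detail, and the TypedArray exemption the entry mentions is not modelled. No memory is actually read out of bounds: the functions only compute which slot a load would touch.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration, not JSC code. Assumed mask construction: the smallest
// all-ones bit pattern that covers every index below vectorLength, i.e. the
// next power of two at or above vectorLength, minus one.
static uint32_t computeIndexingMaskForVectorLength(uint32_t vectorLength)
{
    if (vectorLength == 0)
        return 0;
    uint32_t mask = 0;
    while (mask < vectorLength - 1)
        mask = (mask << 1) | 1;
    return mask;
}

// Toy model of an object with indexed storage. In JSC the slots and the
// vectorLength live in the butterfly; the mask is a member of the JSObject
// and is recomputed whenever a butterfly is installed.
struct ToyObject {
    std::vector<int32_t> slots; // the real allocation: exactly vectorLength entries
    uint32_t vectorLength;      // length used by the bounds check; the field that might get clobbered
    uint32_t indexingMask;      // ANDed with every index before the slot is read
};

static ToyObject makeObject(uint32_t vectorLength)
{
    ToyObject object {};
    object.slots.assign(vectorLength, 0);
    for (uint32_t i = 0; i < vectorLength; ++i)
        object.slots[i] = static_cast<int32_t>(i * 10); // constructed sample contents
    object.vectorLength = vectorLength;
    object.indexingMask = computeIndexingMaskForVectorLength(vectorLength);
    return object;
}

// Slot offset that a load of `index` would touch, or -1 when the length
// check rejects the index. With useMask == false this is the pre-patch
// path: the length check is the only thing between the index and memory.
static int64_t slotTouchedByLoad(const ToyObject& object, uint32_t index, bool useMask)
{
    if (index >= object.vectorLength)
        return -1;
    return useMask ? (index & object.indexingMask) : index;
}

// Scenario from the ChangeLog entry: vectorLength has been overwritten with a
// huge value and an out-of-range index is loaded. Returns how many slots past
// the end of the real allocation the access would land (0 when it stays
// inside). Nothing is dereferenced; only the offset is computed.
static int64_t overrunAfterClobber(uint32_t realLength, uint32_t clobberedLength, uint32_t index, bool useMask)
{
    ToyObject object = makeObject(realLength);
    object.vectorLength = clobberedLength; // the corruption; the mask on the object is untouched
    int64_t slot = slotTouchedByLoad(object, index, useMask);
    int64_t allocated = static_cast<int64_t>(object.slots.size());
    if (slot < allocated) // covers both "inside the allocation" and "rejected" (-1)
        return 0;
    return slot - allocated + 1;
}

// Size of the window any masked access can reach: at most the next power of
// two at or above the real length, which is why the entry says the read can
// no longer go "substantially" past the end.
static uint64_t maskedReachLimit(uint32_t realLength)
{
    return static_cast<uint64_t>(computeIndexingMaskForVectorLength(realLength)) + 1;
}

int main()
{
    const uint32_t realLength = 5;
    const uint32_t clobbered = 0x7fffffffu; // constructed corrupted length
    const uint32_t index = 1000006u;        // constructed out-of-range index
    std::printf("mask for length %u: 0x%x\n", realLength, computeIndexingMaskForVectorLength(realLength));
    std::printf("unmasked overrun: %lld slots\n",
        (long long)overrunAfterClobber(realLength, clobbered, index, false));
    std::printf("masked overrun:   %lld slots (reach limit %llu slots)\n",
        (long long)overrunAfterClobber(realLength, clobbered, index, true),
        (unsigned long long)maskedReachLimit(realLength));
    return 0;
}
```

With a real length of 5 the mask is 7, so the clobbered length lets the unmasked path reach about a million slots past the allocation while the masked path can touch at most slot 7. The mask is a damage limiter rather than a bounds check: the slots between vectorLength and the power-of-two boundary remain reachable, which is the residual risk the entry is pointing at with "substantially".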
2017-12-14 David Kilzer <ddkilzer@apple.com>

REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project

Fixes the following warning during builds:

Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h

* JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
entries for JSCPoisonedPtr.h.

2017-12-14 David Kilzer <ddkilzer@apple.com>

REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
<https://bugs.webkit.org/show_bug.cgi?id=180738>

* runtime/InferredValue.h: Attempt to fix build by adding
missing #include statements.

2017-12-13 Filip Pizlo <fpizlo@apple.com>

Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
https://bugs.webkit.org/show_bug.cgi?id=180783

Reviewed by Saam Barati.

This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:

Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like

memoryAtTail: {@x=>@a, @a=>@c}

memoryAtTail: {@b=>@d}

memoryAtTail: {@b=>@e} [sic]

Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
map, we don't find it and leave the redundancy.

I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
this. It fixes the richards regression, since richards is super dependent on B3 CSE.

* b3/B3EliminateCommonSubexpressions.cpp: Logging.

(JSC::B3::generateToAir): Fix the bug.
* b3/air/AirReportUsedRegisters.cpp:
(JSC::B3::Air::reportUsedRegisters): Logging.
* dfg/DFGByteCodeParser.cpp:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).

2017-12-13 Joseph Pecoraro <pecoraro@apple.com>

REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
https://bugs.webkit.org/show_bug.cgi?id=180787
<rdar://problem/35934838>

Reviewed by Brian Burg.

* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findMagicComment):
For empty / null strings just return. There is no use
trying to search them for a long common syntax.

2017-12-13 Saam Barati <sbarati@apple.com>

Arrow functions need their own structure because they have different properties than sloppy functions
https://bugs.webkit.org/show_bug.cgi?id=180779
<rdar://problem/35814591>

Reviewed by Mark Lam.

We were using the same structure for sloppy functions and
arrow functions. This broke our IC caching machinery because
these two types of functions actually have different properties.
This patch gives them different structures.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunction):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/JSFunction.cpp:
(JSC::JSFunction::selectStructureForNewFuncExp):
(JSC::JSFunction::create):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrowFunctionStructure const):

2017-12-12 Filip Pizlo <fpizlo@apple.com>

InferredValue should use IsoSubspace
https://bugs.webkit.org/show_bug.cgi?id=180738

Reviewed by Keith Miller.

This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
its UnconditionalFinalizer.

* JavaScriptCore.xcodeproj/project.pbxproj:

(JSC::Heap::finalizeUnconditionalFinalizers):
* runtime/InferredValue.cpp:
(JSC::InferredValue::visitChildren):
(JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
(JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
(JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
* runtime/InferredValue.h:
(JSC::InferredValue::subspaceFor):
* runtime/InferredValueInlines.h: Added.
(JSC::InferredValue::finalizeUnconditionally):

2017-12-13 Devin Rousso <webkit@devinrousso.com>

Web Inspector: add instrumentation for ImageBitmapRenderingContext
https://bugs.webkit.org/show_bug.cgi?id=180736

Reviewed by Joseph Pecoraro.

* inspector/protocol/Canvas.json:
* inspector/scripts/codegen/generator.py:

2017-12-13 Saam Barati <sbarati@apple.com>

Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
https://bugs.webkit.org/show_bug.cgi?id=180771

Reviewed by JF Bastien.

* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-13 Saam Barati <sbarati@apple.com>

REGRESSION(r225844): Around 850 new JSC failures on 32-bit
https://bugs.webkit.org/show_bug.cgi?id=180764

Unreviewed. We should only emit CheckStructureOrEmpty on 64-bit platforms.

* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-13 Michael Saboff <msaboff@apple.com>

Unreviewed rollout of r225695. Caused a crash on yahoo login page.

That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.

* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
(JSC::byteCodeCompilePattern): Deleted.
(JSC::RegExp::byteCodeCompileIfNecessary): Deleted.

* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):

* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::ByteCompiler::dumpDisjunction):
(JSC::Yarr::ByteCompiler::emitDisjunction):

(JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
(JSC::Yarr::YarrGenerator::generate):
(JSC::Yarr::YarrGenerator::backtrack):
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::generateEnter):
(JSC::Yarr::YarrGenerator::generateReturn):
(JSC::Yarr::YarrGenerator::YarrGenerator):
(JSC::Yarr::YarrGenerator::compile):
(JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
(JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
(JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
(JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
(JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
(JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
(JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
(JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
(JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
(JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
(JSC::Yarr::YarrGenerator::clearMatches): Deleted.

(JSC::Yarr::YarrCodeBlock::execute):
* yarr/YarrPattern.cpp:
(JSC::Yarr::indentForNestingLevel):
(JSC::Yarr::dumpUChar32):
(JSC::Yarr::PatternTerm::dump):
(JSC::Yarr::YarrPattern::dumpPattern):
(JSC::Yarr::dumpCharacterClass): Deleted.
* yarr/YarrPattern.h:
(JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
(JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
(JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
(JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
(JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
(JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
(JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
(JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.

2017-12-13 Mark Lam <mark.lam@apple.com>

Fill out some Poisoned APIs, fix some bugs, and add some tests.
https://bugs.webkit.org/show_bug.cgi?id=180724
<rdar://problem/36006884>

Reviewed by JF Bastien.

* runtime/StructureTransitionTable.h:

2017-12-13 Caio Lima <ticaiolima@gmail.com>

[ESNext][BigInt] Breaking tests on Debug build and 32-bit due to missing Exception check
https://bugs.webkit.org/show_bug.cgi?id=180746

Reviewed by Saam Barati.

We have some uncaught exceptions that could happen due to OOM in
JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch
catches such exceptions properly.

* runtime/JSBigInt.cpp:
(JSC::JSBigInt::allocateFor):
(JSC::JSBigInt::parseInt):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toStringSlowCase const):

2017-12-13 Saam Barati <sbarati@apple.com>

Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
https://bugs.webkit.org/show_bug.cgi?id=163579
<rdar://problem/35455798>

Reviewed by Mark Lam.

Some functions in JavaScript do not have the "caller" and "arguments" properties.
For example, strict functions do not. When reading our code that dealt with these
types of functions, it was simply all wrong. We were doing weird things depending
on the method table hook. This patch fixes this by doing what we should've been
doing all along: when the JSFunction does not own the "caller"/"arguments" property,
it should defer to its base class implementation for the various method table hooks.

* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):

2017-12-13 Saam Barati <sbarati@apple.com>

TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
https://bugs.webkit.org/show_bug.cgi?id=180734
<rdar://problem/35640547>

Reviewed by Yusuke Suzuki.

The |this| value may be TDZ. If type check hoisting phase
hoists a CheckStructure to it, it will crash. This patch
makes it so we emit CheckStructureOrEmpty for |this|.

* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-12 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] Optimize Object.assign by single transition acceleration
https://bugs.webkit.org/show_bug.cgi?id=180644

Reviewed by Saam Barati.

Handling single transition is critical. Since this get() function is only used
in Structure.cpp's 2 functions and it is quite small, we can annotate `inline`

This improves SixSpeed/object-assign.es6 by 2.8%.

object-assign.es6 382.3548+-8.0461 371.6496+-5.7439 might be 1.0288x faster

* runtime/Structure.cpp:
(JSC::StructureTransitionTable::get const):

2017-12-12 Filip Pizlo <fpizlo@apple.com>

Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
https://bugs.webkit.org/show_bug.cgi?id=180732

Rubber stamped by Mark Lam.

We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
scalable enough to support that, so we should do it carefully.

* heap/MarkedSpace.cpp:
* runtime/PropertyMapHashTable.h:
* runtime/Structure.h:
* runtime/StructureRareData.h:

2017-12-12 Saam Barati <sbarati@apple.com>

We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
https://bugs.webkit.org/show_bug.cgi?id=180725
<rdar://problem/35970511>

Reviewed by Michael Saboff.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

2017-12-12 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] Implement optimized WeakMap and WeakSet
https://bugs.webkit.org/show_bug.cgi?id=179929

Reviewed by Saam Barati.

This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
This is similar to HashMapImpl. But,

1. WeakMapImpl's bucket is not allocated in GC heap since WeakMap
does not need to have iterators.

2. WeakMapImpl's buffer is allocated in JSValue Gigacage instead
of auxiliary buffer. This is because we would like to allocate buffer
when finalizing GC. At that time, WeakMapImpl prunes dead entries and
shrinks it if necessary. However, allocating from the GC heap during
finalization is not allowed.

In particular, (2) is important since it ensures any WeakMap operations
do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
do not cause GC makes our implementation simple. To ensure this, we place
DisallowGC for each WeakMap's interface.

In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
WeakMapGet looks up the entry in WeakMapImpl and returns the value. If it is
a WeakMap, it returns the value, and it returns the key if it is a WeakSet. If it
does not find a corresponding entry, it returns JSEmpty.
ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.

This patch improves WeakMap and WeakSet operations.

weak-set-key 240.6932+-10.4923 ^ 148.7606+-6.1784 ^ definitely 1.6180x faster
weak-map-key 174.3176+-8.2680 ^ 151.7053+-6.8723 ^ definitely 1.1491x faster

* JavaScriptCore.xcodeproj/project.pbxproj:

* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

(JSC::DFG::Node::hasHeapPrediction):

* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
(JSC::DFG::SpeculativeJIT::compileWeakMapGet):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
(JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
The existing code is incorrect: it can run GC and break WeakMap's iterator.
We introduce a takeSnapshot function to WeakMapImpl, which retrieves live
entries without causing any GC.

* runtime/HashMapImpl.h:

(JSC::shouldRehashAfterAdd):

(JSC::HashMapImpl::shouldRehashAfterAdd const):
(JSC::HashMapImpl::shouldShrink const):
(JSC::HashMapImpl::rehash):
(JSC::WeakMapHash::hash): Deleted.
(JSC::WeakMapHash::equal): Deleted.
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSWeakMap.cpp:
* runtime/JSWeakMap.h:
* runtime/JSWeakSet.cpp:
* runtime/JSWeakSet.h:

* runtime/WeakGCMap.h:
(JSC::WeakGCMap::forEach): Deleted.
* runtime/WeakMapBase.cpp: Removed.
* runtime/WeakMapBase.h: Removed.
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakMapImpl.cpp: Added.
(JSC::WeakMapImpl<WeakMapBucket>::destroy):
(JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
(JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
(JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
(JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
* runtime/WeakMapImpl.h: Added.
(JSC::jsWeakMapHash):
(JSC::nextCapacityAfterRemoveBatching):
(JSC::WeakMapBucket::setKey):
(JSC::WeakMapBucket::setValue):
(JSC::WeakMapBucket::key const):
(JSC::WeakMapBucket::value const):
(JSC::WeakMapBucket::copyFrom):
(JSC::WeakMapBucket::offsetOfKey):
(JSC::WeakMapBucket::offsetOfValue):
(JSC::WeakMapBucket::extractValue):
(JSC::WeakMapBucket::isEmpty):
(JSC::WeakMapBucket::deletedKey):
(JSC::WeakMapBucket::isDeleted):
(JSC::WeakMapBucket::makeDeleted):
(JSC::WeakMapBucket::visitAggregate):
(JSC::WeakMapBucket::clearValue):
(JSC::WeakMapBuffer::allocationSize):
(JSC::WeakMapBuffer::buffer const):
(JSC::WeakMapBuffer::create):
(JSC::WeakMapBuffer::reset):
(JSC::WeakMapImpl::WeakMapImpl):
(JSC::WeakMapImpl::finishCreation):
(JSC::WeakMapImpl::get):
(JSC::WeakMapImpl::has):
(JSC::WeakMapImpl::add):
(JSC::WeakMapImpl::remove):
(JSC::WeakMapImpl::size const):
(JSC::WeakMapImpl::offsetOfBuffer):
(JSC::WeakMapImpl::offsetOfCapacity):
(JSC::WeakMapImpl::findBucket):
(JSC::WeakMapImpl::buffer const):
(JSC::WeakMapImpl::forEach):
(JSC::WeakMapImpl::shouldRehashAfterAdd const):
(JSC::WeakMapImpl::shouldShrink const):
(JSC::WeakMapImpl::canUseBucket):
(JSC::WeakMapImpl::addInternal):
(JSC::WeakMapImpl::findBucketAlreadyHashed):
(JSC::WeakMapImpl::rehash):
(JSC::WeakMapImpl::checkConsistency const):
(JSC::WeakMapImpl::makeAndSetNewBuffer):
(JSC::WeakMapImpl::assertBufferIsEmpty const):
(JSC::WeakMapImpl::DeadKeyCleaner::target):
* runtime/WeakMapPrototype.cpp:
(JSC::WeakMapPrototype::finishCreation):
(JSC::protoFuncWeakMapGet):
(JSC::protoFuncWeakMapHas):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* runtime/WeakSetPrototype.cpp:
(JSC::WeakSetPrototype::finishCreation):
(JSC::protoFuncWeakSetHas):
(JSC::protoFuncWeakSetAdd):

2017-12-11 Filip Pizlo <fpizlo@apple.com>

It should be possible to flag a cell for unconditional finalization
https://bugs.webkit.org/show_bug.cgi?id=180636

Reviewed by Saam Barati.

UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
global linked list - but they had some nice properties:

- You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
survived and needed it.
-> Just needing it wasn't enough.
-> Just surviving wasn't enough.

The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
finalizer logic to be invoked. I think that's not great. InferredType got around this by
making InferredStructure a cell, but this was a gross hack. For one, it meant that
InferredStructure would survive during the GC in which its finalizer obviated the need for its
883 existence. It's not really an idiom I want us to repeat because it sounds like the sort of
884 thing that turns out to be subtly broken.
886 We really need to have a way of indicating when you have entered into the state that requires
887 your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
888 objects that need unconditional finalizers. Only the subset of that set that overlaps with the
889 set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
890 bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
891 another level to say which atoms within a MarkedBlock have unconditional finalizers.
893 This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
894 IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
895 auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
896 add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
897 you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
898 about 0.8% increase in size to every object in the subspace that the set is attached to. So,
899 it makes sense to have a handful per subspace max. This change only needs one per subspace,
900 but you could imagine more if we do this for WeakReferenceHarvester.
902 To absolutely minimize the possibility that this incurs costs, the add/remove/contains
903 functions can be used from any thread so long as forEachMarkedCell isn't running. This means
904 that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
905 both survive and need it for the hardest work to take place. The work of adding does involve
906 a gnarly load chain that ends in a CAS: load block handle from block, load index, load
907 segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
908 However, it's perfect for running in parallel since the only write operations are to widely
909 dispersed cache lines that contain the bits underlying the set.
911 The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
912 that need unconditional finalizers, and only touches the memory of marked objects that have
913 the unconditional finalizer bit set. It will walk those objects in roughly address order. I
914 previously found that this speeds up walking over a lot of objects when I made similar changes
915 for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
918 This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
920 My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
921 forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
922 IsoSubspace in more places.
924 * JavaScriptCore.xcodeproj/project.pbxproj:
926 * heap/AtomIndices.h: Added.
927 (JSC::AtomIndices::AtomIndices):
929 (JSC::Heap::finalizeUnconditionalFinalizers):
931 * heap/IsoCellSet.cpp: Added.
932 (JSC::IsoCellSet::IsoCellSet):
933 (JSC::IsoCellSet::~IsoCellSet):
934 (JSC::IsoCellSet::addSlow):
935 (JSC::IsoCellSet::didResizeBits):
936 (JSC::IsoCellSet::didRemoveBlock):
937 (JSC::IsoCellSet::sweepToFreeList):
938 * heap/IsoCellSet.h: Added.
939 * heap/IsoCellSetInlines.h: Added.
940 (JSC::IsoCellSet::add):
941 (JSC::IsoCellSet::remove):
942 (JSC::IsoCellSet::contains const):
943 (JSC::IsoCellSet::forEachMarkedCell):
944 * heap/IsoSubspace.cpp:
945 (JSC::IsoSubspace::didResizeBits):
946 (JSC::IsoSubspace::didRemoveBlock):
947 (JSC::IsoSubspace::didBeginSweepingToFreeList):
948 * heap/IsoSubspace.h:
949 * heap/MarkedAllocator.cpp:
950 (JSC::MarkedAllocator::addBlock):
951 (JSC::MarkedAllocator::removeBlock):
952 * heap/MarkedAllocator.h:
953 * heap/MarkedAllocatorInlines.h:
954 * heap/MarkedBlock.cpp:
955 (JSC::MarkedBlock::Handle::sweep):
956 (JSC::MarkedBlock::Handle::isEmpty): Deleted.
957 * heap/MarkedBlock.h:
958 (JSC::MarkedBlock::marks const):
959 (JSC::MarkedBlock::Handle::newlyAllocated const):
960 * heap/MarkedBlockInlines.h:
961 (JSC::MarkedBlock::Handle::isAllocated):
962 (JSC::MarkedBlock::Handle::isEmpty):
963 (JSC::MarkedBlock::Handle::emptyMode):
964 (JSC::MarkedBlock::Handle::forEachMarkedCell):
966 (JSC::Subspace::didResizeBits):
967 (JSC::Subspace::didRemoveBlock):
968 (JSC::Subspace::didBeginSweepingToFreeList):
970 * heap/SubspaceInlines.h:
971 (JSC::Subspace::forEachMarkedCell):
972 * runtime/InferredStructure.cpp:
973 (JSC::InferredStructure::InferredStructure):
974 (JSC::InferredStructure::create): Deleted.
975 (JSC::InferredStructure::destroy): Deleted.
976 (JSC::InferredStructure::createStructure): Deleted.
977 (JSC::InferredStructure::visitChildren): Deleted.
978 (JSC::InferredStructure::finalizeUnconditionally): Deleted.
979 (JSC::InferredStructure::finishCreation): Deleted.
980 * runtime/InferredStructure.h:
981 * runtime/InferredStructureWatchpoint.cpp:
982 (JSC::InferredStructureWatchpoint::fireInternal):
983 * runtime/InferredType.cpp:
984 (JSC::InferredType::visitChildren):
985 (JSC::InferredType::willStoreValueSlow):
986 (JSC::InferredType::makeTopSlow):
987 (JSC::InferredType::set):
988 (JSC::InferredType::removeStructure):
989 (JSC::InferredType::finalizeUnconditionally):
990 * runtime/InferredType.h:
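The two-level bitvector the entry describes, as an added illustration that is not WebKit's IsoCellSet: a toy `CellSet` keeps one bit per block saying whether any cell in that block is a member, plus a per-block bitvector of member atoms, and its `forEachMarkedCell` skips blocks whose block bit is clear and visits only cells that are both marked and members, in address order. `Block`, `Heap`, `kAtomsPerBlock`, the 16-byte atom size and the addresses are constructed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <vector>

// Toy model of the two-level bitvector idea (constructed for illustration, not
// JSC's IsoCellSet). A heap is a list of blocks; each block holds kAtomsPerBlock
// cells and its own GC mark bits. The set keeps one bit per block ("does any cell
// here belong to the set?") plus a per-block bitvector of member atoms.
constexpr size_t kAtomsPerBlock = 64;
constexpr uintptr_t kAtomSize = 16;   // constructed cell size, only used for addresses

struct Block {
    uintptr_t base;                   // address of atom 0 (never dereferenced here)
    std::vector<bool> marks;          // GC mark bits, one per atom
    explicit Block(uintptr_t b) : base(b), marks(kAtomsPerBlock, false) {}
};

struct Heap {
    std::vector<Block> blocks;        // block index == position in this vector
    size_t addBlock(uintptr_t base) { blocks.emplace_back(base); return blocks.size() - 1; }
};

class CellSet {
public:
    explicit CellSet(Heap& heap) : m_heap(heap) {}

    // add/remove/contains take a (block index, atom index) pair, like AtomIndices.
    void add(size_t block, size_t atom) {
        ensureBlock(block);
        m_blockHasMembers[block] = true;   // first level: this block may hold members
        m_atomBits[block][atom] = true;    // second level: this atom is a member
    }
    void remove(size_t block, size_t atom) {
        if (block < m_atomBits.size())
            m_atomBits[block][atom] = false;   // block bit is cleared lazily below
    }
    bool contains(size_t block, size_t atom) const {
        return block < m_atomBits.size() && m_atomBits[block][atom];
    }

    // Visit every cell that is both marked and in the set, in address order.
    // Blocks whose first-level bit is clear are skipped without touching their
    // memory; unmarked members are dead and must not have their finalizer run.
    // Returns the number of cells visited.
    size_t forEachMarkedCell(const std::function<void(uintptr_t)>& func) {
        size_t visited = 0;
        size_t blockCount = std::min(m_heap.blocks.size(), m_blockHasMembers.size());
        for (size_t b = 0; b < blockCount; ++b) {
            if (!m_blockHasMembers[b]) continue;
            bool anyLeft = false;
            for (size_t a = 0; a < kAtomsPerBlock; ++a) {
                if (!m_atomBits[b][a]) continue;
                anyLeft = true;
                if (!m_heap.blocks[b].marks[a]) continue;
                func(m_heap.blocks[b].base + a * kAtomSize);
                ++visited;
            }
            m_blockHasMembers[b] = anyLeft;   // lazily clear the block-level bit
        }
        return visited;
    }

private:
    void ensureBlock(size_t block) {
        if (block >= m_atomBits.size()) {
            m_atomBits.resize(block + 1, std::vector<bool>(kAtomsPerBlock, false));
            m_blockHasMembers.resize(block + 1, false);
        }
    }
    Heap& m_heap;
    std::vector<bool> m_blockHasMembers;
    std::vector<std::vector<bool>> m_atomBits;
};

// Constructed scenario: three blocks, only blocks 0 and 2 hold set members, and
// only some of those members survived marking. Returns the addresses visited.
std::vector<uintptr_t> demoCellSet() {
    Heap heap;
    heap.addBlock(0x1000); heap.addBlock(0x2000); heap.addBlock(0x3000);
    CellSet cells(heap);
    cells.add(0, 3); cells.add(0, 5); cells.add(2, 0); cells.add(2, 63);
    heap.blocks[0].marks[3] = true;    // member, survived: visited
    heap.blocks[0].marks[5] = false;   // member, died: skipped
    heap.blocks[1].marks[7] = true;    // survived but not a member: skipped
    heap.blocks[2].marks[0] = true;
    heap.blocks[2].marks[63] = true;
    std::vector<uintptr_t> out;
    cells.forEachMarkedCell([&](uintptr_t addr) { out.push_back(addr); });
    return out;
}
```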
995 2017-12-12 Saam Barati <sbarati@apple.com>
997 ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
998 https://bugs.webkit.org/show_bug.cgi?id=180723
999 <rdar://problem/35859726>
1001 Reviewed by JF Bastien.
1003 * dfg/DFGConstantFoldingPhase.cpp:
1004 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1006 2017-12-04 Brian Burg <bburg@apple.com>
1008 Web Inspector: modernize InjectedScript a bit
1009 https://bugs.webkit.org/show_bug.cgi?id=180367
1011 Reviewed by Timothy Hatcher.
1013 Stop using out parameters passed by pointer, use references instead.
1014 Stop using OptOutput<T> in favor of std::optional where possible.
1015 If there is only one out-parameter and a void return type, then return the value.
1017 * inspector/InjectedScript.h:
1018 * inspector/InjectedScript.cpp:
1019 (Inspector::InjectedScript::evaluate):
1020 (Inspector::InjectedScript::callFunctionOn):
1021 (Inspector::InjectedScript::evaluateOnCallFrame):
1022 (Inspector::InjectedScript::getFunctionDetails):
1023 (Inspector::InjectedScript::functionDetails):
1024 (Inspector::InjectedScript::getPreview):
1025 (Inspector::InjectedScript::getProperties):
1026 (Inspector::InjectedScript::getDisplayableProperties):
1027 (Inspector::InjectedScript::getInternalProperties):
1028 (Inspector::InjectedScript::getCollectionEntries):
1029 (Inspector::InjectedScript::saveResult):
1030 (Inspector::InjectedScript::setExceptionValue):
1031 (Inspector::InjectedScript::clearExceptionValue):
1032 (Inspector::InjectedScript::inspectObject):
1033 (Inspector::InjectedScript::releaseObject):
1035 * inspector/InjectedScriptBase.h:
1036 * inspector/InjectedScriptBase.cpp:
1037 (Inspector::InjectedScriptBase::InjectedScriptBase):
1038 Declare m_environment with a default initializer.
1040 (Inspector::InjectedScriptBase::makeCall):
1041 (Inspector::InjectedScriptBase::makeEvalCall):
1042 Just return the result, no need for an out-parameter.
1043 Rearrange some code paths now that we can just return a result.
1044 Return a Ref<JSON::Value> since it is either a result value or error value.
1045 Use out_ prefixes in a few places to improve readability.
1047 * inspector/agents/InspectorDebuggerAgent.cpp:
1048 (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1049 (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1050 * inspector/agents/InspectorHeapAgent.cpp:
1051 (Inspector::InspectorHeapAgent::getPreview):
1052 * inspector/agents/InspectorRuntimeAgent.cpp:
1053 (Inspector::InspectorRuntimeAgent::evaluate):
1054 (Inspector::InspectorRuntimeAgent::callFunctionOn):
1055 (Inspector::InspectorRuntimeAgent::getPreview):
1056 (Inspector::InspectorRuntimeAgent::getProperties):
1057 (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1058 (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1059 (Inspector::InspectorRuntimeAgent::saveResult):
1060 Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
1061 and std::optional until the former is removed from generated method signatures.
1063 2017-12-12 Caio Lima <ticaiolima@gmail.com>
1065 [ESNext][BigInt] Implement BigInt literals and JSBigInt
1066 https://bugs.webkit.org/show_bug.cgi?id=179000
1068 Reviewed by Darin Adler and Yusuke Suzuki.
1070 This patch starts the implementation of BigInt primitive on
1071 JavaScriptCore. We are introducing BigInt primitive and
1072 implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]]
1073 field implemented contiguously in memory as inline storage of JSBigInt to
1074 take advantage of performance gains from cache locality. The
1075 implementation allows 64 or 32 bitwise arithmetic operations.
1076 JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1077 m_length that keeps track of BigInt length.
1078 The implementation is following the V8 one. [[BigIntData]] is manipulated
1079 by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1080 We also have some operations to support arithmetics over digits.
1082 It is important to notice that on our representation,
1083 JSBigInt::dataStorage()[0] represents the least significant digit and
1084 JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1086 We are also introducing into this Patch the BigInt literals lexer and
1087 syntax parsing support. The operation Strict Equals on BigInts is also being
1088 implemented to enable tests.
1089 These features are being implemented behind a runtime flag "--useBigInt" and
1090 are disabled by default.
1092 * JavaScriptCore.xcodeproj/project.pbxproj:
1094 * bytecode/CodeBlock.cpp:
1095 * bytecompiler/BytecodeGenerator.cpp:
1096 (JSC::BytecodeGenerator::emitEqualityOp):
1097 (JSC::BytecodeGenerator::addBigIntConstant):
1098 * bytecompiler/BytecodeGenerator.h:
1099 (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1100 (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1101 * bytecompiler/NodesCodegen.cpp:
1102 (JSC::BigIntNode::jsValue const):
1103 * dfg/DFGAbstractInterpreterInlines.h:
1104 (JSC::DFG::isToThisAnIdentity):
1105 * interpreter/Interpreter.cpp:
1106 (JSC::sizeOfVarargs):
1107 * llint/LLIntData.cpp:
1108 (JSC::LLInt::Data::performAssertions):
1109 * llint/LowLevelInterpreter.asm:
1110 * parser/ASTBuilder.h:
1111 (JSC::ASTBuilder::createBigInt):
1113 (JSC::Lexer<T>::parseBinary):
1114 (JSC::Lexer<T>::parseOctal):
1115 (JSC::Lexer<T>::parseDecimal):
1116 (JSC::Lexer<T>::lex):
1117 (JSC::Lexer<T>::parseHex): Deleted.
1119 * parser/NodeConstructors.h:
1120 (JSC::BigIntNode::BigIntNode):
1122 (JSC::ExpressionNode::isBigInt const):
1123 (JSC::BigIntNode::value):
1124 * parser/Parser.cpp:
1125 (JSC::Parser<LexerType>::parsePrimaryExpression):
1126 * parser/ParserTokens.h:
1127 * parser/ResultType.h:
1128 (JSC::ResultType::definitelyIsBigInt const):
1129 (JSC::ResultType::mightBeBigInt const):
1130 (JSC::ResultType::isNotBigInt const):
1131 (JSC::ResultType::addResultType):
1132 (JSC::ResultType::bigIntType):
1133 (JSC::ResultType::forAdd):
1134 (JSC::ResultType::forLogicalOp):
1135 * parser/SyntaxChecker.h:
1136 (JSC::SyntaxChecker::createBigInt):
1137 * runtime/CommonIdentifiers.h:
1138 * runtime/JSBigInt.cpp: Added.
1139 (JSC::JSBigInt::visitChildren):
1140 (JSC::JSBigInt::JSBigInt):
1141 (JSC::JSBigInt::initialize):
1142 (JSC::JSBigInt::createStructure):
1143 (JSC::JSBigInt::createZero):
1144 (JSC::JSBigInt::allocationSize):
1145 (JSC::JSBigInt::createWithLength):
1146 (JSC::JSBigInt::finishCreation):
1147 (JSC::JSBigInt::toPrimitive const):
1148 (JSC::JSBigInt::singleDigitValueForString):
1149 (JSC::JSBigInt::parseInt):
1150 (JSC::JSBigInt::toString):
1151 (JSC::JSBigInt::isZero):
1152 (JSC::JSBigInt::inplaceMultiplyAdd):
1153 (JSC::JSBigInt::digitAdd):
1154 (JSC::JSBigInt::digitSub):
1155 (JSC::JSBigInt::digitMul):
1156 (JSC::JSBigInt::digitPow):
1157 (JSC::JSBigInt::digitDiv):
1158 (JSC::JSBigInt::internalMultiplyAdd):
1159 (JSC::JSBigInt::equalToBigInt):
1160 (JSC::JSBigInt::absoluteDivSmall):
1161 (JSC::JSBigInt::calculateMaximumCharactersRequired):
1162 (JSC::JSBigInt::toStringGeneric):
1163 (JSC::JSBigInt::rightTrim):
1164 (JSC::JSBigInt::allocateFor):
1165 (JSC::JSBigInt::estimatedSize):
1166 (JSC::JSBigInt::toNumber const):
1167 (JSC::JSBigInt::getPrimitiveNumber const):
1168 * runtime/JSBigInt.h: Added.
1169 (JSC::JSBigInt::setSign):
1170 (JSC::JSBigInt::sign const):
1171 (JSC::JSBigInt::setLength):
1172 (JSC::JSBigInt::length const):
1173 (JSC::JSBigInt::parseInt):
1174 (JSC::JSBigInt::offsetOfData):
1175 (JSC::JSBigInt::dataStorage):
1176 (JSC::JSBigInt::digit):
1177 (JSC::JSBigInt::setDigit):
1179 * runtime/JSCJSValue.cpp:
1180 (JSC::JSValue::synthesizePrototype const):
1181 (JSC::JSValue::toStringSlowCase const):
1182 * runtime/JSCJSValue.h:
1183 * runtime/JSCJSValueInlines.h:
1184 (JSC::JSValue::isBigInt const):
1185 (JSC::JSValue::strictEqualSlowCaseInline):
1186 * runtime/JSCell.cpp:
1188 (JSC::JSCell::putByIndex):
1189 (JSC::JSCell::toPrimitive const):
1190 (JSC::JSCell::getPrimitiveNumber const):
1191 (JSC::JSCell::toNumber const):
1192 (JSC::JSCell::toObjectSlow const):
1194 * runtime/JSCellInlines.h:
1195 (JSC::JSCell::isBigInt const):
1197 * runtime/MathCommon.h:
1199 * runtime/NumberPrototype.cpp:
1200 * runtime/Operations.cpp:
1201 (JSC::jsTypeStringForValue):
1202 (JSC::jsIsObjectTypeOrNull):
1203 * runtime/Options.h:
1204 * runtime/ParseInt.h:
1205 * runtime/SmallStrings.h:
1206 (JSC::SmallStrings::typeString const):
1207 * runtime/StructureInlines.h:
1208 (JSC::prototypeForLookupPrimitiveImpl):
1209 * runtime/TypeofType.cpp:
1210 (WTF::printInternal):
1211 * runtime/TypeofType.h:
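The digit layout the entry describes, as an added example written for this page (not JSC's JSBigInt): digit 0 is the least significant, the decimal or hex string is produced by repeated small division over the digit array from the most significant end, and leading zero digits are trimmed off the high end afterwards. The names `digitDiv`, `absoluteDivSmall`, `rightTrim`, `inplaceMultiplyAdd` and `equalToBigInt` echo the entry's function list but the code is independent; 32-bit digits are assumed so the intermediate fits in 64 bits.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Toy magnitude type mirroring the layout in the entry: digits[0] is the least
// significant digit, digits[length-1] the most significant. 32-bit digits are
// chosen so that (remainder << 32 | digit) fits a 64-bit intermediate.
using Digit = uint32_t;
constexpr int kDigitBits = 32;

struct ToyBigInt {
    bool sign = false;              // true for negative, like m_sign
    std::vector<Digit> digits;      // like [[BigIntData]] inline storage
    size_t length() const { return digits.size(); }
    Digit digit(size_t i) const { return digits[i]; }
    void setDigit(size_t i, Digit v) { digits[i] = v; }
};

// digitDiv: divide the two-digit value (high:low) by a single digit, returning
// the quotient digit and writing the remainder. Requires high < divisor.
static Digit digitDiv(Digit high, Digit low, Digit divisor, Digit& remainder) {
    uint64_t dividend = (uint64_t(high) << kDigitBits) | low;
    remainder = Digit(dividend % divisor);
    return Digit(dividend / divisor);
}

// absoluteDivSmall: in-place |x| / divisor, returning the remainder. Because of
// the little-endian layout the loop walks the array backwards (most significant
// digit first).
static Digit absoluteDivSmall(ToyBigInt& x, Digit divisor) {
    Digit remainder = 0;
    for (size_t i = x.length(); i-- > 0;) {
        Digit q = digitDiv(remainder, x.digit(i), divisor, remainder);
        x.setDigit(i, q);
    }
    return remainder;
}

// rightTrim: drop most-significant zero digits, i.e. the end of the array.
static void rightTrim(ToyBigInt& x) {
    while (!x.digits.empty() && x.digits.back() == 0) x.digits.pop_back();
}

static bool isZero(const ToyBigInt& x) { return x.digits.empty(); }

// toString in radix 2..36 by repeated small division; digits come out least
// significant first, so the string is reversed at the end.
std::string toString(ToyBigInt x, unsigned radix = 10) {
    rightTrim(x);
    if (isZero(x)) return "0";
    static const char* kChars = "0123456789abcdefghijklmnopqrstuvwxyz";
    std::string out;
    while (!isZero(x)) {
        Digit r = absoluteDivSmall(x, radix);
        out.push_back(kChars[r]);
        rightTrim(x);
    }
    if (x.sign) out.push_back('-');
    std::reverse(out.begin(), out.end());
    return out;
}

// inplaceMultiplyAdd: x = x * factor + summand, growing by one digit on carry.
// Used here to build values from decimal strings, parseInt style.
static void inplaceMultiplyAdd(ToyBigInt& x, Digit factor, Digit summand) {
    uint64_t carry = summand;
    for (size_t i = 0; i < x.length(); ++i) {
        uint64_t product = uint64_t(x.digit(i)) * factor + carry;
        x.setDigit(i, Digit(product));
        carry = product >> kDigitBits;
    }
    if (carry) x.digits.push_back(Digit(carry));
}

// Constructed parser: optional '-' followed by ASCII decimal digits only.
ToyBigInt parseDecimal(const std::string& s) {
    ToyBigInt x;
    size_t i = 0;
    if (!s.empty() && s[0] == '-') { x.sign = true; i = 1; }
    for (; i < s.size(); ++i) inplaceMultiplyAdd(x, 10, Digit(s[i] - '0'));
    rightTrim(x);
    return x;
}

// Strict equality: same sign and same trimmed digit arrays (zero has no sign).
bool equalToBigInt(ToyBigInt a, ToyBigInt b) {
    rightTrim(a); rightTrim(b);
    if (isZero(a) && isZero(b)) return true;
    return a.sign == b.sign && a.digits == b.digits;
}
```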
1216 2017-12-12 Guillaume Emont <guijemont@igalia.com>
1218 LLInt: reserve 16 bytes of stack on MIPS for native calls
1219 https://bugs.webkit.org/show_bug.cgi?id=180653
1221 Reviewed by Carlos Alberto Lopez Perez.
1223 * llint/LowLevelInterpreter32_64.asm:
1224 On MIPS, subtract 24 from the stack pointer (16 for calling
1225 convention + 8 to be 16-aligned) instead of the 8 on other platforms
1228 2017-12-12 Yusuke Suzuki <utatane.tea@gmail.com>
1230 [WTF] Thread::create should have Thread::tryCreate
1231 https://bugs.webkit.org/show_bug.cgi?id=180333
1233 Reviewed by Darin Adler.
1235 * assembler/testmasm.cpp:
1237 * b3/air/testair.cpp:
1241 (functionDollarAgentStart):
1243 2017-12-11 Michael Saboff <msaboff@apple.com>
1245 REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1246 https://bugs.webkit.org/show_bug.cgi?id=180685
1248 Reviewed by Saam Barati.
1250 The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1251 the character class check to return true without reading the character. Given that
1252 the character could be a surrogate pair, we need to read the character even if we
1253 don't have to check it.
1255 * yarr/YarrInterpreter.cpp:
1256 (JSC::Yarr::Interpreter::testCharacterClass):
1257 (JSC::Yarr::Interpreter::checkCharacterClass):
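An added sketch of the failure mode described above, written for this page and not Yarr's code: the subject is UTF-16, a non-BMP character occupies two code units, and reading the character is what advances the cursor. The buggy form returns early for an any-character class without reading, so the cursor advances by one unit and lands on the trail surrogate; the fixed form always reads first and only then skips the check. `CharClass`, `readChar`, `matchAll` and the sample subject are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Minimal character class (constructed, not Yarr's CharacterClass).
struct CharClass {
    bool anyCharacter = false;             // like m_anyCharacter
    std::vector<uint32_t> codePoints;      // explicit members when !anyCharacter
};

// Read one code point at `pos`, consuming both units of a valid surrogate pair.
// Returns the number of UTF-16 units consumed (1 or 2).
static size_t readChar(const std::vector<uint16_t>& s, size_t pos, uint32_t& out) {
    uint16_t lead = s[pos];
    if (lead >= 0xD800 && lead <= 0xDBFF && pos + 1 < s.size()) {
        uint16_t trail = s[pos + 1];
        if (trail >= 0xDC00 && trail <= 0xDFFF) {
            out = 0x10000 + ((uint32_t(lead) - 0xD800) << 10) + (trail - 0xDC00);
            return 2;
        }
    }
    out = lead;     // BMP character, or a lone surrogate treated as itself
    return 1;
}

static bool inClass(const CharClass& cls, uint32_t ch) {
    for (uint32_t c : cls.codePoints)
        if (c == ch) return true;
    return false;
}

// Buggy form (the behaviour the entry fixes): the any-character shortcut answers
// before reading, so the cursor moves one unit even over a surrogate pair.
static bool checkCharacterClassBuggy(const CharClass& cls, const std::vector<uint16_t>& s, size_t& pos) {
    if (cls.anyCharacter) { pos += 1; return true; }
    uint32_t ch;
    pos += readChar(s, pos, ch);
    return inClass(cls, ch);
}

// Fixed form: always read the character (consuming the whole pair), then decide;
// the table lookup is still skipped for any-character classes.
static bool checkCharacterClassFixed(const CharClass& cls, const std::vector<uint16_t>& s, size_t& pos) {
    uint32_t ch;
    pos += readChar(s, pos, ch);
    if (cls.anyCharacter) return true;
    return inClass(cls, ch);
}

// Match a sequence of classes from the start of `s`; true only if every class
// matches in turn and the subject is fully consumed.
bool matchAll(const std::vector<CharClass>& pattern, const std::vector<uint16_t>& s, bool buggy) {
    size_t pos = 0;
    for (const CharClass& cls : pattern) {
        if (pos >= s.size()) return false;
        bool ok = buggy ? checkCharacterClassBuggy(cls, s, pos)
                        : checkCharacterClassFixed(cls, s, pos);
        if (!ok) return false;
    }
    return pos == s.size();
}

// Constructed subject: U+1F600 (surrogate pair D83D DE00) followed by 'x'.
std::vector<uint16_t> subjectEmojiX() { return {0xD83D, 0xDE00, 0x0078}; }

// Pattern equivalent to /.x/u with the any-character class optimisation.
std::vector<CharClass> patternAnyThenX() {
    CharClass any;
    any.anyCharacter = true;
    CharClass x;
    x.codePoints = {0x78};
    return {any, x};
}
```

With the buggy form the second class is tested against the stranded trail surrogate instead of 'x', so a subject that should match is rejected; on BMP-only input both forms agree, which is why the regression only surfaced on surrogate-pair tests.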
1259 2017-12-11 Saam Barati <sbarati@apple.com>
1261 We need to disableCaching() in ErrorInstance when we materialize properties
1262 https://bugs.webkit.org/show_bug.cgi?id=180343
1263 <rdar://problem/35833002>
1265 Reviewed by Mark Lam.
1267 This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1268 on puts() to a property that we lazily materialized. Forgetting to do this goes against the
1269 PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1270 from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1271 existing property only found on Structure B. This is obviously wrong as it would lead to an
1272 OOB store if we didn't already crash when generating the IC.
1275 (JSC::tryCachePutByID):
1276 * runtime/ErrorInstance.cpp:
1277 (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1278 (JSC::ErrorInstance::put):
1279 * runtime/ErrorInstance.h:
1280 * runtime/Structure.cpp:
1281 (JSC::Structure::didCachePropertyReplacement):
1283 2017-12-11 Fujii Hironori <Hironori.Fujii@sony.com>
1285 [WinCairo] DLLLauncherMain should use SetDllDirectory
1286 https://bugs.webkit.org/show_bug.cgi?id=180642
1288 Reviewed by Alex Christensen.
1290 Windows has icuuc.dll in the system directory. WebKit should find
1291 one in the WebKitLibraries directory, not one in the system directory.
1293 * shell/DLLLauncherMain.cpp:
1294 (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1296 2017-12-11 Eric Carlson <eric.carlson@apple.com>
1298 Web Inspector: Optionally log WebKit log parameters as JSON
1299 https://bugs.webkit.org/show_bug.cgi?id=180529
1300 <rdar://problem/35909462>
1302 Reviewed by Joseph Pecoraro.
1304 * inspector/ConsoleMessage.cpp:
1305 (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1306 values. Concatenate all adjacent strings to make logging cleaner.
1307 (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1308 (Inspector::ConsoleMessage::scriptState const):
1309 * inspector/ConsoleMessage.h:
1311 * inspector/InjectedScript.cpp:
1312 (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1313 * inspector/InjectedScript.h:
1314 * inspector/InjectedScriptSource.js:
1315 (let.InjectedScript.prototype.wrapJSONString):
1317 2017-12-11 Joseph Pecoraro <pecoraro@apple.com>
1319 Remove unused builtin names
1320 https://bugs.webkit.org/show_bug.cgi?id=180673
1322 Reviewed by Keith Miller.
1324 * builtins/BuiltinNames.h:
1326 2017-12-11 David Quesada <david_quesada@apple.com>
1328 Turn on ENABLE_APPLICATION_MANIFEST
1329 https://bugs.webkit.org/show_bug.cgi?id=180562
1330 rdar://problem/35924737
1332 Reviewed by Geoffrey Garen.
1334 * Configurations/FeatureDefines.xcconfig:
1336 2017-12-10 Filip Pizlo <fpizlo@apple.com>
1338 Harden a few assertions in GC sweep
1339 https://bugs.webkit.org/show_bug.cgi?id=180634
1341 Reviewed by Saam Barati.
1343 This turns one dynamic check into a release assertion and upgrades another assertion to a release
1346 * heap/MarkedBlock.cpp:
1347 (JSC::MarkedBlock::Handle::sweep):
1349 2017-12-10 Konstantin Tokarev <annulen@yandex.ru>
1351 [python] Modernize "except" usage for python3 compatibility
1352 https://bugs.webkit.org/show_bug.cgi?id=180612
1354 Reviewed by Michael Catanzaro.
1356 * inspector/scripts/generate-inspector-protocol-bindings.py:
1358 2017-12-05 Filip Pizlo <fpizlo@apple.com>
1360 InferredType should not use UnconditionalFinalizer
1361 https://bugs.webkit.org/show_bug.cgi?id=180456
1363 Reviewed by Saam Barati.
1365 This turns InferredStructure into a cell so that we can unconditionally finalize them without
1366 having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1367 UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1368 them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1369 structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1371 * JavaScriptCore.xcodeproj/project.pbxproj:
1374 (JSC::Heap::finalizeUnconditionalFinalizers):
1376 * runtime/InferredStructure.cpp: Added.
1377 (JSC::InferredStructure::create):
1378 (JSC::InferredStructure::destroy):
1379 (JSC::InferredStructure::createStructure):
1380 (JSC::InferredStructure::visitChildren):
1381 (JSC::InferredStructure::finalizeUnconditionally):
1382 (JSC::InferredStructure::InferredStructure):
1383 (JSC::InferredStructure::finishCreation):
1384 * runtime/InferredStructure.h: Added.
1385 * runtime/InferredStructureWatchpoint.cpp: Added.
1386 (JSC::InferredStructureWatchpoint::fireInternal):
1387 * runtime/InferredStructureWatchpoint.h: Added.
1388 * runtime/InferredType.cpp:
1389 (JSC::InferredType::visitChildren):
1390 (JSC::InferredType::willStoreValueSlow):
1391 (JSC::InferredType::makeTopSlow):
1392 (JSC::InferredType::set):
1393 (JSC::InferredType::removeStructure):
1394 (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1395 (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1396 (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1397 * runtime/InferredType.h:
1402 2017-12-09 Konstantin Tokarev <annulen@yandex.ru>
1404 [python] Replace print >> operator with print() function for python3 compatibility
1405 https://bugs.webkit.org/show_bug.cgi?id=180611
1407 Reviewed by Michael Catanzaro.
1409 * Scripts/make-js-file-arrays.py:
1412 2017-12-08 Joseph Pecoraro <pecoraro@apple.com>
1414 ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1415 https://bugs.webkit.org/show_bug.cgi?id=180520
1416 <rdar://problem/35900764>
1418 Reviewed by Brian Burg.
1420 * inspector/protocol/ServiceWorker.json:
1421 Include content script content in the initialization info.
1423 2017-12-08 Konstantin Tokarev <annulen@yandex.ru>
1425 [python] Replace print operator with print() function for python3 compatibility
1426 https://bugs.webkit.org/show_bug.cgi?id=180592
1428 Reviewed by Michael Catanzaro.
1430 * Scripts/generateYarrUnicodePropertyTables.py:
1432 (verifyUCDFilesExist):
1433 (Aliases.parsePropertyAliasesFile):
1434 (Aliases.parsePropertyValueAliasesFile):
1435 * Scripts/make-js-file-arrays.py:
1437 * generate-bytecode-files:
1439 2017-12-08 Mark Lam <mark.lam@apple.com>
1441 Need to unpoison native function pointers for CLoop.
1442 https://bugs.webkit.org/show_bug.cgi?id=180601
1443 <rdar://problem/35942028>
1445 Reviewed by JF Bastien.
1447 * llint/LowLevelInterpreter64.asm:
1449 2017-12-08 Michael Saboff <msaboff@apple.com>
1451 YARR: JIT RegExps with greedy parenthesized sub patterns
1452 https://bugs.webkit.org/show_bug.cgi?id=180538
1454 Reviewed by JF Bastien.
1456 This patch adds JIT support for regular expressions containing greedy counted
1457 parentheses. An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1459 Just like in the interpreter, expressions with nested parenthetical subpatterns
1460 require saving the results of previous matches of the parentheses contents along
1461 with any associated state. This saved state is needed in the case that we need
1462 to backtrack. This state is called ParenContext within the code. Space allocated
1463 for this ParenContext is managed using a simple block allocator within the JIT'ed
1464 code. The raw space managed by this allocator is passed into the JIT'ed function.
1466 Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
1467 If the JIT'ed code exhausts all its ParenContext space, it returns a new error
1468 JSRegExpJITCodeFailure. The caller will then bytecompile and interpret the
1471 Due to increased register usage by the parenthesis handling code, the use of
1472 registers by the JIT engine was restructured, with registers used for Unicode
1473 pattern matching replaced with constants.
1475 Reworked some of the context structures that are used across the interpreter
1476 and JIT implementations to make them a little more uniform and to handle the
1477 needs of JIT'ing the new parentheses forms.
1479 To help with development and debugging of this code, compiled patterns dumping
1480 code was enhanced. Also added the ability to dump interpreter ByteCodes.
1482 * runtime/RegExp.cpp:
1483 (JSC::byteCodeCompilePattern):
1484 (JSC::RegExp::byteCodeCompileIfNecessary):
1485 (JSC::RegExp::compile):
1486 (JSC::RegExp::compileMatchOnly):
1488 * runtime/RegExpInlines.h:
1489 (JSC::RegExp::matchInline):
1494 * yarr/YarrInterpreter.cpp:
1495 (JSC::Yarr::ByteCompiler::compile):
1496 (JSC::Yarr::ByteCompiler::dumpDisjunction):
1498 (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1499 (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1500 (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1501 (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1502 (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1503 (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1504 (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1505 (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1506 (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1507 (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1508 (JSC::Yarr::YarrGenerator::allocatePatternContext):
1509 (JSC::Yarr::YarrGenerator::freePatternContext):
1510 (JSC::Yarr::YarrGenerator::savePatternContext):
1511 (JSC::Yarr::YarrGenerator::restorePatternContext):
1512 (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1513 (JSC::Yarr::YarrGenerator::storeToFrame):
1514 (JSC::Yarr::YarrGenerator::generateJITFailReturn):
1515 (JSC::Yarr::YarrGenerator::clearMatches):
1516 (JSC::Yarr::YarrGenerator::generate):
1517 (JSC::Yarr::YarrGenerator::backtrack):
1518 (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1519 (JSC::Yarr::YarrGenerator::generateEnter):
1520 (JSC::Yarr::YarrGenerator::generateReturn):
1521 (JSC::Yarr::YarrGenerator::YarrGenerator):
1522 (JSC::Yarr::YarrGenerator::compile):
1524 (JSC::Yarr::YarrCodeBlock::execute):
1525 * yarr/YarrPattern.cpp:
1526 (JSC::Yarr::indentForNestingLevel):
1527 (JSC::Yarr::dumpUChar32):
1528 (JSC::Yarr::dumpCharacterClass):
1529 (JSC::Yarr::PatternTerm::dump):
1530 (JSC::Yarr::YarrPattern::dumpPattern):
1531 * yarr/YarrPattern.h:
1532 (JSC::Yarr::PatternTerm::containsAnyCaptures):
1533 (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1534 (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1535 (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1536 (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1537 (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
1538 (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
1540 2017-12-08 Joseph Pecoraro <pecoraro@apple.com>
1542 Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
1543 https://bugs.webkit.org/show_bug.cgi?id=180590
1544 <rdar://problem/35882767>
1546 Reviewed by Mark Lam.
1548 * inspector/agents/InspectorConsoleAgent.cpp:
1549 (Inspector::InspectorConsoleAgent::enable):
1550 Swap the messages to a Vector that won't change during iteration.
1552 2017-12-08 Michael Saboff <msaboff@apple.com>
1554 YARR: Coalesce constructed character classes
1555 https://bugs.webkit.org/show_bug.cgi?id=180537
1557 Reviewed by JF Bastien.
1559 When adding characters or character ranges to a character class being constructed,
1560 we now coalesce adjacent characters and character ranges. When we create a
1561 character class after construction is complete, we do a final coalescing pass
1562 across the character list and ranges to catch any remaining coalescing
1565 Added an optimization for character classes that will match any character.
1566 This is somewhat common in code created before the /s (dotAll) flag was added
1569 * yarr/YarrInterpreter.cpp:
1570 (JSC::Yarr::Interpreter::checkCharacterClass):
1572 (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1573 (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1574 (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1575 (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1576 * yarr/YarrPattern.cpp:
1577 (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1578 (JSC::Yarr::CharacterClassConstructor::reset):
1579 (JSC::Yarr::CharacterClassConstructor::charClass):
1580 (JSC::Yarr::CharacterClassConstructor::addSorted):
1581 (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1582 (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
1583 (JSC::Yarr::CharacterClassConstructor::coalesceTables):
1584 (JSC::Yarr::CharacterClassConstructor::anyCharacter):
1585 (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
1586 (JSC::Yarr::PatternTerm::dump):
1587 (JSC::Yarr::anycharCreate):
1588 * yarr/YarrPattern.h:
1589 (JSC::Yarr::CharacterClass::CharacterClass):
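The coalescing the entry describes, as an added example written for this page (not Yarr's CharacterClassConstructor): single characters and ranges live in separate sorted lists, each insertion merges with whatever it overlaps or touches, a final `coalesceTables` pass folds leftover singles into the ranges they now border, and `anyCharacter` reports when the result covers every code point. `ClassBuilder`, `normaliseRanges` and the sample inputs are constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <utility>
#include <vector>

// Toy character-class builder (constructed for illustration, not Yarr's code).
// Single characters and inclusive ranges [lo, hi] are kept in separate sorted
// lists, coalesced as they are added, with a final pass across both lists.
using Range = std::pair<uint32_t, uint32_t>;
constexpr uint32_t kMaxCodePoint = 0x10FFFF;

class ClassBuilder {
public:
    // addSorted: insert a character; a neighbour character becomes a range with
    // it, and an adjacent or containing range absorbs it.
    void addChar(uint32_t c) {
        for (Range& r : m_ranges) {
            if (c >= r.first && c <= r.second) return;                 // already covered
            if (c + 1 == r.first) { r.first = c; normaliseRanges(); return; }
            if (r.second + 1 == c) { r.second = c; normaliseRanges(); return; }
        }
        auto it = std::lower_bound(m_chars.begin(), m_chars.end(), c);
        if (it != m_chars.end() && *it == c) return;
        if (it != m_chars.end() && *it == c + 1) {                     // c, c+1 -> range
            uint32_t hi = *it; m_chars.erase(it); addRange(c, hi); return;
        }
        if (it != m_chars.begin() && *(it - 1) + 1 == c) {             // c-1, c -> range
            uint32_t lo = *(it - 1); m_chars.erase(it - 1); addRange(lo, c); return;
        }
        m_chars.insert(it, c);
    }

    // addSortedRange: insert [lo, hi], absorbing every range it overlaps or touches.
    void addRange(uint32_t lo, uint32_t hi) {
        if (lo > hi) std::swap(lo, hi);
        m_ranges.push_back({lo, hi});
        normaliseRanges();
    }

    // coalesceTables: final pass. A single added before a neighbouring range
    // existed is still in m_chars; fold it in, then re-merge the ranges since
    // growing one may make it touch the next.
    void coalesceTables() {
        std::vector<uint32_t> remaining;
        for (uint32_t c : m_chars) {
            bool folded = false;
            for (Range& r : m_ranges) {
                if (c >= r.first && c <= r.second) { folded = true; break; }
                if (c + 1 == r.first) { r.first = c; folded = true; break; }
                if (r.second + 1 == c) { r.second = c; folded = true; break; }
            }
            if (!folded) remaining.push_back(c);
        }
        m_chars = std::move(remaining);
        normaliseRanges();
    }

    // anyCharacter: one range spanning all code points, so a matcher can skip
    // the table lookup entirely (the optimisation the entry mentions).
    bool anyCharacter() const {
        return m_chars.empty() && m_ranges.size() == 1
            && m_ranges[0].first == 0 && m_ranges[0].second == kMaxCodePoint;
    }

    const std::vector<uint32_t>& chars() const { return m_chars; }
    const std::vector<Range>& ranges() const { return m_ranges; }

private:
    // Sort the ranges and merge any pair that overlaps or is adjacent.
    void normaliseRanges() {
        std::sort(m_ranges.begin(), m_ranges.end());
        std::vector<Range> out;
        for (const Range& r : m_ranges) {
            if (!out.empty() && r.first <= out.back().second + 1)
                out.back().second = std::max(out.back().second, r.second);
            else
                out.push_back(r);
        }
        m_ranges = std::move(out);
    }
    std::vector<uint32_t> m_chars;
    std::vector<Range> m_ranges;
};
```

Adding 'a', 'c', 'b' in that order leaves 'a' as a single next to the range [b, c] until `coalesceTables` runs, which is the "remaining coalescing" the final pass exists to catch.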
1591 2017-12-07 Saam Barati <sbarati@apple.com>
1593 Modify our dollar VM clflush intrinsic to aid in some perf testing
1594 https://bugs.webkit.org/show_bug.cgi?id=180559
1596 Reviewed by Mark Lam.
1598 * tools/JSDollarVM.cpp:
1599 (JSC::functionCpuClflush):
1600 (JSC::functionDeltaBetweenButterflies):
1601 (JSC::JSDollarVM::finishCreation):
1603 2017-12-07 Eric Carlson <eric.carlson@apple.com>
1605 Simplify log channel configuration UI
1606 https://bugs.webkit.org/show_bug.cgi?id=180527
1607 <rdar://problem/35908382>
1609 Reviewed by Joseph Pecoraro.
1611 * inspector/protocol/Console.json:
1613 2017-12-07 Mark Lam <mark.lam@apple.com>
1615 Apply poisoning to some native code pointers.
1616 https://bugs.webkit.org/show_bug.cgi?id=180541
1617 <rdar://problem/35916875>
1619 Reviewed by Filip Pizlo.
1621 Renamed g_classInfoPoison to g_globalDataPoison.
1622 Renamed g_masmPoison to g_jitCodePoison.
1623 Introduced g_nativeCodePoison.
1624 Applied g_nativeCodePoison to poisoning some native code pointers.
1626 Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
1627 to malloc allocated data structures (where needed).
1629 * API/JSCallbackFunction.h:
1630 (JSC::JSCallbackFunction::functionCallback):
1631 * JavaScriptCore.xcodeproj/project.pbxproj:
1632 * jit/ThunkGenerators.cpp:
1633 (JSC::nativeForGenerator):
1634 * llint/LowLevelInterpreter64.asm:
1635 * runtime/CustomGetterSetter.h:
1636 (JSC::CustomGetterSetter::getter const):
1637 (JSC::CustomGetterSetter::setter const):
1638 * runtime/InternalFunction.cpp:
1639 (JSC::InternalFunction::getCallData):
1640 (JSC::InternalFunction::getConstructData):
1641 * runtime/InternalFunction.h:
1642 (JSC::InternalFunction::nativeFunctionFor):
1643 * runtime/JSCPoison.h: Added.
1644 * runtime/JSCPoisonedPtr.cpp:
1645 (JSC::initializePoison):
1646 * runtime/JSCPoisonedPtr.h:
1648 * runtime/NativeExecutable.cpp:
1649 (JSC::NativeExecutable::hashFor const):
1650 * runtime/NativeExecutable.h:
1651 * runtime/Structure.cpp:
1652 (JSC::StructureTransitionTable::setSingleTransition):
1653 * runtime/StructureTransitionTable.h:
1654 (JSC::StructureTransitionTable::StructureTransitionTable):
1655 (JSC::StructureTransitionTable::isUsingSingleSlot const):
1656 (JSC::StructureTransitionTable::map const):
1657 (JSC::StructureTransitionTable::weakImpl const):
1658 (JSC::StructureTransitionTable::setMap):
1660 2017-12-07 Joseph Pecoraro <pecoraro@apple.com>
1662 Web Inspector: Fix style in remote inspector classes
1663 https://bugs.webkit.org/show_bug.cgi?id=180545
1665 Reviewed by Youenn Fablet.
1667 * inspector/remote/RemoteControllableTarget.h:
1668 * inspector/remote/RemoteInspectionTarget.h:
1669 * runtime/JSGlobalObjectDebuggable.h:
1671 2017-12-07 Per Arne Vollan <pvollan@apple.com>
1673 Use fastAlignedFree to free aligned memory.
1674 https://bugs.webkit.org/show_bug.cgi?id=180540
1676 Reviewed by Saam Barati.
1678 * heap/IsoAlignedMemoryAllocator.cpp:
1679 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1681 2017-12-07 Matt Lewis <jlewis3@apple.com>
1683 Unreviewed, rolling out r225634.
1685 This caused layout tests to time out.
1689 "Simplify log channel configuration UI"
1690 https://bugs.webkit.org/show_bug.cgi?id=180527
1691 https://trac.webkit.org/changeset/225634
1693 2017-12-07 Eric Carlson <eric.carlson@apple.com>
1695 Simplify log channel configuration UI
1696 https://bugs.webkit.org/show_bug.cgi?id=180527
1697 <rdar://problem/35908382>
1699 Reviewed by Joseph Pecoraro.
1701 * inspector/protocol/Console.json:
1703 2017-12-07 Mark Lam <mark.lam@apple.com>
1705 [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
1706 https://bugs.webkit.org/show_bug.cgi?id=180514
1708 Reviewed by Saam Barati and JF Bastien.
1710 Re-landing r225620 with speculative build fix for GCC 7.
1712 * API/JSCallbackObject.h:
1713 * API/JSObjectRef.cpp:
1715 * JavaScriptCore.xcodeproj/project.pbxproj:
1717 * assembler/MacroAssemblerCodeRef.h:
1718 (JSC::FunctionPtr::FunctionPtr):
1719 (JSC::FunctionPtr::value const):
1720 (JSC::FunctionPtr::executableAddress const):
1721 (JSC::ReturnAddressPtr::ReturnAddressPtr):
1722 (JSC::ReturnAddressPtr::value const):
1723 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1724 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1725 (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1726 (JSC::MacroAssemblerCodePtr:: const):
1727 (JSC::MacroAssemblerCodePtr::operator! const):
1728 (JSC::MacroAssemblerCodePtr::operator== const):
1729 (JSC::MacroAssemblerCodePtr::emptyValue):
1730 (JSC::MacroAssemblerCodePtr::deletedValue):
1731 (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1732 * b3/B3LowerMacros.cpp:
1734 (JSC::B3::testInterpreter):
1735 * dfg/DFGSpeculativeJIT.cpp:
1736 (JSC::DFG::SpeculativeJIT::checkArray):
1737 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1738 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1739 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1740 * ftl/FTLLowerDFGToB3.cpp:
1741 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1742 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1743 * jit/AssemblyHelpers.h:
1744 (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1745 * jit/SpecializedThunkJIT.h:
1746 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1747 * jit/ThunkGenerators.cpp:
1748 (JSC::virtualThunkFor):
1749 (JSC::boundThisNoArgsFunctionCallGenerator):
1750 * llint/LLIntSlowPaths.cpp:
1751 (JSC::LLInt::handleHostCall):
1752 (JSC::LLInt::setUpCall):
1753 * llint/LowLevelInterpreter64.asm:
1754 * runtime/InitializeThreading.cpp:
1755 (JSC::initializeThreading):
1756 * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1757 (JSC::initializePoison):
1758 (JSC::initializeScrambledPtrKeys): Deleted.
1759 * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1760 * runtime/JSCScrambledPtr.cpp: Removed.
1761 * runtime/JSCScrambledPtr.h: Removed.
1762 * runtime/JSDestructibleObject.h:
1763 (JSC::JSDestructibleObject::classInfo const):
1764 * runtime/JSSegmentedVariableObject.h:
1765 (JSC::JSSegmentedVariableObject::classInfo const):
1766 * runtime/Structure.h:
1769 2017-12-07 Michael Catanzaro <mcatanzaro@igalia.com>
1771 Unreviewed, rolling out r225620
1772 https://bugs.webkit.org/show_bug.cgi?id=180514
1773 <rdar://problem/35901694>
1775 It broke the build with GCC 7, and I don't know how to fix it.
1777 * API/JSCallbackObject.h:
1778 * API/JSObjectRef.cpp:
1780 * JavaScriptCore.xcodeproj/project.pbxproj:
1782 * assembler/MacroAssemblerCodeRef.h:
1783 (JSC::FunctionPtr::FunctionPtr):
1784 (JSC::FunctionPtr::value const):
1785 (JSC::FunctionPtr::executableAddress const):
1786 (JSC::ReturnAddressPtr::ReturnAddressPtr):
1787 (JSC::ReturnAddressPtr::value const):
1788 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1789 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1790 (JSC::MacroAssemblerCodePtr::scrambledPtr const):
1791 (JSC::MacroAssemblerCodePtr:: const):
1792 (JSC::MacroAssemblerCodePtr::operator! const):
1793 (JSC::MacroAssemblerCodePtr::operator== const):
1794 (JSC::MacroAssemblerCodePtr::emptyValue):
1795 (JSC::MacroAssemblerCodePtr::deletedValue):
1796 (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
1797 * b3/B3LowerMacros.cpp:
1799 (JSC::B3::testInterpreter):
1800 * dfg/DFGSpeculativeJIT.cpp:
1801 (JSC::DFG::SpeculativeJIT::checkArray):
1802 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1803 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1804 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1805 * ftl/FTLLowerDFGToB3.cpp:
1806 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1807 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1808 * jit/AssemblyHelpers.h:
1809 (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1810 * jit/SpecializedThunkJIT.h:
1811 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1812 * jit/ThunkGenerators.cpp:
1813 (JSC::virtualThunkFor):
1814 (JSC::boundThisNoArgsFunctionCallGenerator):
1815 * llint/LLIntSlowPaths.cpp:
1816 (JSC::LLInt::handleHostCall):
1817 (JSC::LLInt::setUpCall):
1818 * llint/LowLevelInterpreter64.asm:
1819 * runtime/InitializeThreading.cpp:
1820 (JSC::initializeThreading):
1821 * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
1822 (JSC::initializeScrambledPtrKeys):
1823 * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
1824 * runtime/JSDestructibleObject.h:
1825 (JSC::JSDestructibleObject::classInfo const):
1826 * runtime/JSSegmentedVariableObject.h:
1827 (JSC::JSSegmentedVariableObject::classInfo const):
1828 * runtime/Structure.h:
1831 2017-12-06 Mark Lam <mark.lam@apple.com>
1833 Refactoring: Rename ScrambledPtr to Poisoned.
1834 https://bugs.webkit.org/show_bug.cgi?id=180514
1836 Reviewed by Saam Barati.
1838 * API/JSCallbackObject.h:
1839 * API/JSObjectRef.cpp:
1841 * JavaScriptCore.xcodeproj/project.pbxproj:
1843 * assembler/MacroAssemblerCodeRef.h:
1844 (JSC::FunctionPtr::FunctionPtr):
1845 (JSC::FunctionPtr::value const):
1846 (JSC::FunctionPtr::executableAddress const):
1847 (JSC::ReturnAddressPtr::ReturnAddressPtr):
1848 (JSC::ReturnAddressPtr::value const):
1849 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1850 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1851 (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1852 (JSC::MacroAssemblerCodePtr:: const):
1853 (JSC::MacroAssemblerCodePtr::operator! const):
1854 (JSC::MacroAssemblerCodePtr::operator== const):
1855 (JSC::MacroAssemblerCodePtr::emptyValue):
1856 (JSC::MacroAssemblerCodePtr::deletedValue):
1857 (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1858 * b3/B3LowerMacros.cpp:
1860 (JSC::B3::testInterpreter):
1861 * dfg/DFGSpeculativeJIT.cpp:
1862 (JSC::DFG::SpeculativeJIT::checkArray):
1863 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1864 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1865 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1866 * ftl/FTLLowerDFGToB3.cpp:
1867 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1868 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1869 * jit/AssemblyHelpers.h:
1870 (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1871 * jit/SpecializedThunkJIT.h:
1872 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1873 * jit/ThunkGenerators.cpp:
1874 (JSC::virtualThunkFor):
1875 (JSC::boundThisNoArgsFunctionCallGenerator):
1876 * llint/LLIntSlowPaths.cpp:
1877 (JSC::LLInt::handleHostCall):
1878 (JSC::LLInt::setUpCall):
1879 * llint/LowLevelInterpreter64.asm:
1880 * runtime/InitializeThreading.cpp:
1881 (JSC::initializeThreading):
1882 * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1883 (JSC::initializePoison):
1884 (JSC::initializeScrambledPtrKeys): Deleted.
1885 * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1886 * runtime/JSCScrambledPtr.cpp: Removed.
1887 * runtime/JSCScrambledPtr.h: Removed.
1888 * runtime/JSDestructibleObject.h:
1889 (JSC::JSDestructibleObject::classInfo const):
1890 * runtime/JSSegmentedVariableObject.h:
1891 (JSC::JSSegmentedVariableObject::classInfo const):
1892 * runtime/Structure.h:
1895 2017-12-02 Darin Adler <darin@apple.com>
1897 Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
1898 https://bugs.webkit.org/show_bug.cgi?id=180009
1900 Reviewed by Alex Christensen.
1902 * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
1903 * bytecode/CodeBlock.cpp: Ditto.
1904 * bytecode/ExecutionCounter.cpp: Ditto.
1905 * runtime/ConfigFile.cpp: Ditto.
1906 * runtime/DatePrototype.cpp: Ditto.
1907 * runtime/IndexingType.cpp: Ditto.
1908 * runtime/JSCJSValue.cpp: Ditto.
1909 * runtime/JSDateMath.cpp: Ditto.
1910 * runtime/JSGlobalObjectFunctions.cpp: Ditto.
1911 * runtime/Options.cpp: Ditto.
1912 (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
1914 2017-12-06 Saam Barati <sbarati@apple.com>
1916 ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
1917 https://bugs.webkit.org/show_bug.cgi?id=180438
1918 <rdar://problem/35862342>
1920 Reviewed by Yusuke Suzuki.
1922 A couple inspector methods that take stacktraces need
1925 * inspector/ScriptCallStackFactory.cpp:
1926 (Inspector::createScriptCallStack):
1927 (Inspector::createScriptCallStackForConsole):
1929 2017-12-05 Stephan Szabo <stephan.szabo@sony.com>
1931 Switch windows build to Visual Studio 2017
1932 https://bugs.webkit.org/show_bug.cgi?id=172412
1934 Reviewed by Per Arne Vollan.
1936 * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1938 2017-12-05 JF Bastien <jfbastien@apple.com>
1940 WebAssembly: don't eagerly checksum
1941 https://bugs.webkit.org/show_bug.cgi?id=180441
1942 <rdar://problem/35156628>
1944 Reviewed by Saam Barati.
1946 Make checksumming of module optional for now. The bots think the
1947 checksum hurt compile-time. I'd measured it and couldn't see a
1948 difference, and still can't at this point in time, but we'll see
1949 if disabling it fixes the bots. If so then I can make it lazy upon
1950 first backtrace construction, or I can try out MD5 instead of
1953 * runtime/Options.h:
1954 * wasm/WasmModuleInformation.cpp:
1955 (JSC::Wasm::ModuleInformation::ModuleInformation):
1956 * wasm/WasmModuleInformation.h:
1957 * wasm/WasmNameSection.h:
1958 (JSC::Wasm::NameSection::NameSection):
1960 2017-12-05 Filip Pizlo <fpizlo@apple.com>
1962 IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
1963 https://bugs.webkit.org/show_bug.cgi?id=180425
1965 Reviewed by Saam Barati.
1967 Failure to do so causes leaks after starting workers.
1969 * heap/IsoAlignedMemoryAllocator.cpp:
1970 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1971 (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1973 2017-12-05 Per Arne Vollan <pvollan@apple.com>
1975 [Win64] Compile error in testmasm.cpp.
1976 https://bugs.webkit.org/show_bug.cgi?id=180436
1978 Reviewed by Mark Lam.
1980 Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
1982 * assembler/testmasm.cpp:
1983 (JSC::testGetEffectiveAddress):
1985 2017-12-01 Filip Pizlo <fpizlo@apple.com>
1987 GC constraint solving should be parallel
1988 https://bugs.webkit.org/show_bug.cgi?id=179934
1990 Reviewed by JF Bastien.
1992 This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
1993 speed-up. It's more than 1% on trunk-Speedometer.
1995 The constraint solver supports running constraints in parallel in two different ways:
1997 - Run multiple constraints in parallel to each other. This only works for constraints that can
1998 tolerate other constraints running concurrently to them (constraint.concurrency() ==
1999 ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
2000 constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
2001 could probably make them concurrent, but I'm playing it safe for now.
2003 - A constraint can create parallel work for itself, which the constraint solver will interleave
2004 with other stuff. A constraint can report that it has parallel work by returning
2005 ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
2006 constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
2007 for as long as that function wants to run.
2009 It's not possible to have a non-concurrent constraint that creates parallel work.
2011 The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
2012 most natural for two reasons:
2014 - No need to start any other threads.
2016 - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
2017 access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
2018 create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
2019 thread, that thread will have work it can start doing immediately. Before this change, we had to
2020 contribute the work found by the constraint solver to the global worklist so that it could be
2021 distributed to the marker threads by load balancing. This change probably helps to avoid that
2022 load balancing step.
2024 A lot of this change is about making it easy to iterate GC data structures in parallel. This
2025 change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
2026 the parallel work API. That constraint iterates the marked cells in two subspaces. This change
2027 makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
2028 The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
2029 iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
2030 RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
2031 when it returns a falsish version of ... (in the current code, that's always a pointer type, so
2032 done is indicated by null).
2034 * API/JSMarkingConstraintPrivate.cpp:
2035 (JSContextGroupAddMarkingConstraint):
2036 * API/JSVirtualMachine.mm:
2037 (scanExternalObjectGraph):
2038 (scanExternalRememberedSet):
2039 * JavaScriptCore.xcodeproj/project.pbxproj:
2041 * bytecode/AccessCase.cpp:
2042 (JSC::AccessCase::propagateTransitions const):
2043 * bytecode/CodeBlock.cpp:
2044 (JSC::CodeBlock::visitWeakly):
2045 (JSC::CodeBlock::shouldJettisonDueToOldAge):
2046 (JSC::shouldMarkTransition):
2047 (JSC::CodeBlock::propagateTransitions):
2048 (JSC::CodeBlock::determineLiveness):
2049 * dfg/DFGWorklist.cpp:
2050 * ftl/FTLCompile.cpp:
2051 (JSC::FTL::compile):
2052 * heap/ConstraintParallelism.h: Added.
2053 (WTF::printInternal):
2056 (JSC::Heap::addToRememberedSet):
2057 (JSC::Heap::runFixpointPhase):
2058 (JSC::Heap::stopThePeriphery):
2059 (JSC::Heap::resumeThePeriphery):
2060 (JSC::Heap::addCoreConstraints):
2061 (JSC::Heap::setBonusVisitorTask):
2062 (JSC::Heap::runTaskInParallel):
2063 (JSC::Heap::forEachSlotVisitor): Deleted.
2065 (JSC::Heap::worldIsRunning const):
2066 (JSC::Heap::runFunctionInParallel):
2067 * heap/HeapInlines.h:
2068 (JSC::Heap::worldIsStopped const):
2069 (JSC::Heap::isMarked):
2070 (JSC::Heap::incrementDeferralDepth):
2071 (JSC::Heap::decrementDeferralDepth):
2072 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2073 (JSC::Heap::forEachSlotVisitor):
2074 (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
2075 (JSC::Heap::isMarkedConcurrently): Deleted.
2076 * heap/HeapSnapshotBuilder.cpp:
2077 (JSC::HeapSnapshotBuilder::appendNode):
2078 * heap/LargeAllocation.h:
2079 (JSC::LargeAllocation::isMarked):
2080 (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2081 * heap/LockDuringMarking.h:
2082 (JSC::lockDuringMarking):
2083 * heap/MarkedAllocator.cpp:
2084 (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2085 * heap/MarkedAllocator.h:
2086 * heap/MarkedBlock.h:
2087 (JSC::MarkedBlock::aboutToMark):
2088 (JSC::MarkedBlock::isMarked):
2089 (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2090 (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2091 * heap/MarkedSpace.h:
2092 (JSC::MarkedSpace::activeWeakSetsBegin):
2093 (JSC::MarkedSpace::activeWeakSetsEnd):
2094 (JSC::MarkedSpace::newActiveWeakSetsBegin):
2095 (JSC::MarkedSpace::newActiveWeakSetsEnd):
2096 * heap/MarkingConstraint.cpp:
2097 (JSC::MarkingConstraint::MarkingConstraint):
2098 (JSC::MarkingConstraint::execute):
2099 (JSC::MarkingConstraint::quickWorkEstimate):
2100 (JSC::MarkingConstraint::workEstimate):
2101 (JSC::MarkingConstraint::doParallelWork):
2102 (JSC::MarkingConstraint::finishParallelWork):
2103 (JSC::MarkingConstraint::doParallelWorkImpl):
2104 (JSC::MarkingConstraint::finishParallelWorkImpl):
2105 * heap/MarkingConstraint.h:
2106 (JSC::MarkingConstraint::lastExecuteParallelism const):
2107 (JSC::MarkingConstraint::parallelism const):
2108 (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2109 (JSC::MarkingConstraint::workEstimate): Deleted.
2110 * heap/MarkingConstraintSet.cpp:
2111 (JSC::MarkingConstraintSet::MarkingConstraintSet):
2112 (JSC::MarkingConstraintSet::add):
2113 (JSC::MarkingConstraintSet::executeConvergence):
2114 (JSC::MarkingConstraintSet::executeConvergenceImpl):
2115 (JSC::MarkingConstraintSet::executeAll):
2116 (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2117 (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2118 (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2119 (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2120 (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2121 (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2123 * heap/MarkingConstraintSet.h:
2124 * heap/MarkingConstraintSolver.cpp: Added.
2125 (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2126 (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2127 (JSC::MarkingConstraintSolver::didVisitSomething const):
2128 (JSC::MarkingConstraintSolver::execute):
2129 (JSC::MarkingConstraintSolver::drain):
2130 (JSC::MarkingConstraintSolver::converge):
2131 (JSC::MarkingConstraintSolver::runExecutionThread):
2132 (JSC::MarkingConstraintSolver::didExecute):
2133 * heap/MarkingConstraintSolver.h: Added.
2134 * heap/OpaqueRootSet.h: Removed.
2135 * heap/ParallelSourceAdapter.h: Added.
2136 (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2137 (JSC::createParallelSourceAdapter):
2138 * heap/SimpleMarkingConstraint.cpp: Added.
2139 (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2140 (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2141 (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2142 (JSC::SimpleMarkingConstraint::executeImpl):
2143 * heap/SimpleMarkingConstraint.h: Added.
2144 * heap/SlotVisitor.cpp:
2145 (JSC::SlotVisitor::didStartMarking):
2146 (JSC::SlotVisitor::reset):
2147 (JSC::SlotVisitor::appendToMarkStack):
2148 (JSC::SlotVisitor::visitChildren):
2149 (JSC::SlotVisitor::updateMutatorIsStopped):
2150 (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2151 (JSC::SlotVisitor::drain):
2152 (JSC::SlotVisitor::performIncrementOfDraining):
2153 (JSC::SlotVisitor::didReachTermination):
2154 (JSC::SlotVisitor::hasWork):
2155 (JSC::SlotVisitor::drainFromShared):
2156 (JSC::SlotVisitor::drainInParallelPassively):
2157 (JSC::SlotVisitor::waitForTermination):
2158 (JSC::SlotVisitor::addOpaqueRoot): Deleted.
2159 (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
2160 (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
2161 (JSC::SlotVisitor::mergeIfNecessary): Deleted.
2162 (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
2163 (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
2164 * heap/SlotVisitor.h:
2165 * heap/SlotVisitorInlines.h:
2166 (JSC::SlotVisitor::addOpaqueRoot):
2167 (JSC::SlotVisitor::containsOpaqueRoot const):
2168 (JSC::SlotVisitor::vm):
2169 (JSC::SlotVisitor::vm const):
2170 * heap/Subspace.cpp:
2171 (JSC::Subspace::parallelAllocatorSource):
2172 (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2174 * heap/SubspaceInlines.h:
2175 (JSC::Subspace::forEachMarkedCellInParallel):
2176 * heap/VisitCounter.h: Added.
2177 (JSC::VisitCounter::VisitCounter):
2178 (JSC::VisitCounter::visitCount const):
2179 * heap/VisitingTimeout.h: Removed.
2180 * heap/WeakBlock.cpp:
2181 (JSC::WeakBlock::specializedVisit):
2182 * runtime/Structure.cpp:
2183 (JSC::Structure::isCheapDuringGC):
2184 (JSC::Structure::markIfCheap):
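The parallel-iterator design described in the entry above (a shared source whose next() is atomic and returns null when exhausted, composed from sources over blocks and cells, drained by several marker threads) as an added stand-alone model; this is not JavaScriptCore's code, and all names (Source, parallelBlockSource, parallelMarkedCellSource, drainInParallel) and the mutex-based composition are assumptions of the example, not the project's own API.

```cpp
// Added example: a simplified model of the composable parallel sources
// described above. Not JavaScriptCore's code; all names are invented.
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// A parallel source is a shared callable whose next() is atomic and returns a
// falsish value (here nullptr) once exhausted, standing in for the
// RefPtr<SharedTask<T()>> abstraction the entry describes.
template<typename T> using Source = std::shared_ptr<std::function<T()>>;

struct Cell { int id; bool marked; };
struct Block { std::vector<Cell> cells; };
struct Subspace { std::vector<Block> blocks; };

// Outer source: hands out each block exactly once with a single fetch_add.
Source<Block*> parallelBlockSource(Subspace& space) {
    auto nextIndex = std::make_shared<std::atomic<size_t>>(0);
    return std::make_shared<std::function<Block*()>>([&space, nextIndex]() -> Block* {
        size_t i = nextIndex->fetch_add(1);
        return i < space.blocks.size() ? &space.blocks[i] : nullptr;
    });
}

// Composed source: yields the marked cells of whatever block the inner source
// hands out. Empty blocks and unmarked cells are skipped; once the inner
// source is exhausted every further call returns nullptr (the "done" signal).
Source<Cell*> parallelMarkedCellSource(Source<Block*> blocks) {
    struct State { std::mutex lock; Block* block = nullptr; size_t cursor = 0; bool done = false; };
    auto state = std::make_shared<State>();
    return std::make_shared<std::function<Cell*()>>([blocks, state]() -> Cell* {
        std::lock_guard<std::mutex> guard(state->lock);
        while (!state->done) {
            if (state->block && state->cursor < state->block->cells.size()) {
                Cell* cell = &state->block->cells[state->cursor++];
                if (cell->marked)
                    return cell;
                continue;
            }
            state->block = (*blocks)();   // atomic next() on the inner source
            state->cursor = 0;
            if (!state->block)
                state->done = true;
        }
        return nullptr;
    });
}

// Drain one source from several worker threads, the way the solver lets a
// constraint's parallel work run on every available marker thread.
template<typename T>
void drainInParallel(Source<T> source, unsigned threadCount, const std::function<void(T)>& visit) {
    std::vector<std::thread> workers;
    for (unsigned i = 0; i < threadCount; ++i) {
        workers.emplace_back([source, &visit]() {
            while (T item = (*source)())
                visit(item);
        });
    }
    for (auto& worker : workers)
        worker.join();
}

// Returns how many times each cell (indexed by id) was visited; a correct
// source yields every marked cell exactly once and unmarked cells never.
std::vector<int> visitMarkedCellsInParallel(Subspace& space, unsigned threadCount) {
    size_t cellCount = 0;
    for (const Block& block : space.blocks)
        cellCount += block.cells.size();
    std::vector<std::atomic<int>> counts(cellCount);
    for (auto& count : counts)
        count.store(0);
    Source<Cell*> cells = parallelMarkedCellSource(parallelBlockSource(space));
    drainInParallel<Cell*>(cells, threadCount, [&counts](Cell* cell) { counts[cell->id].fetch_add(1); });
    std::vector<int> result;
    for (auto& count : counts)
        result.push_back(count.load());
    return result;
}

// Constructed sample heap: four blocks (one of them empty), even ids marked.
Subspace makeSampleSubspace() {
    Subspace space;
    int id = 0;
    for (int cellsInBlock : {4, 2, 0, 4}) {
        Block block;
        for (int i = 0; i < cellsInBlock; ++i, ++id)
            block.cells.push_back({ id, id % 2 == 0 });
        space.blocks.push_back(block);
    }
    return space;
}

int main() {
    Subspace space = makeSampleSubspace();
    std::vector<int> counts = visitMarkedCellsInParallel(space, 4);
    for (size_t id = 0; id < counts.size(); ++id)
        std::printf("cell %zu visited %d time(s)\n", id, counts[id]);
    return 0;
}
```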
2186 2017-12-04 JF Bastien <jfbastien@apple.com>
2188 Math: don't redundantly check for exceptions, just release scope
2189 https://bugs.webkit.org/show_bug.cgi?id=180395
2191 Rubber stamped by Mark Lam.
2193 Two of the exceptions checks could just have been exception scope
2194 releases before the return, which is ever-so-slightly more
2195 efficient. The same technically applies where we have loops over
2196 parameters, but doing the scope release there isn't really more
2197 efficient and is way harder to read.
2199 * runtime/MathObject.cpp:
2200 (JSC::mathProtoFuncATan2):
2201 (JSC::mathProtoFuncPow):
2203 2017-12-04 David Quesada <david_quesada@apple.com>
2205 Add a class for parsing application manifests
2206 https://bugs.webkit.org/show_bug.cgi?id=177973
2207 rdar://problem/34747949
2209 Reviewed by Geoffrey Garen.
2211 * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
2213 2017-12-04 JF Bastien <jfbastien@apple.com>
2215 Update std::expected to match libc++ coding style
2216 https://bugs.webkit.org/show_bug.cgi?id=180264
2218 Reviewed by Alex Christensen.
2220 Update various uses of Expected.
2222 * wasm/WasmModule.h:
2223 * wasm/WasmModuleParser.cpp:
2224 (JSC::Wasm::ModuleParser::parseImport):
2225 (JSC::Wasm::ModuleParser::parseTableHelper):
2226 (JSC::Wasm::ModuleParser::parseTable):
2227 (JSC::Wasm::ModuleParser::parseMemoryHelper):
2228 * wasm/WasmParser.h:
2229 * wasm/generateWasmValidateInlinesHeader.py:
2232 * wasm/js/JSWebAssemblyModule.cpp:
2233 (JSC::JSWebAssemblyModule::createStub):
2234 * wasm/js/JSWebAssemblyModule.h:
2236 2017-12-04 Saam Barati <sbarati@apple.com>
2238 We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2239 https://bugs.webkit.org/show_bug.cgi?id=180366
2240 <rdar://problem/35685877>
2242 Reviewed by Michael Saboff.
2244 On the TailCall slow path, the CallFrameShuffler will build the frame with
2245 respect to SP instead of FP. However, this may overwrite slots on the stack
2246 that are needed if the slow path C call does a stack walk. The slow path
2247 C call does a stack walk when it throws an exception. This patch fixes
2248 this bug by ensuring that the top of the stack in the FTL always has enough
2249 space to allow CallFrameShuffler to build a frame without overwriting any
2250 items on the stack that are needed when doing a stack walk.
2252 * ftl/FTLLowerDFGToB3.cpp:
2253 (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2255 2017-12-04 Devin Rousso <webkit@devinrousso.com>
2257 Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
2258 https://bugs.webkit.org/show_bug.cgi?id=175166
2259 <rdar://problem/34040740>
2261 Reviewed by Joseph Pecoraro.
2263 * inspector/protocol/Recording.json:
2264 Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
2266 * inspector/JSGlobalObjectConsoleClient.h:
2267 * inspector/JSGlobalObjectConsoleClient.cpp:
2268 (Inspector::JSGlobalObjectConsoleClient::record):
2269 (Inspector::JSGlobalObjectConsoleClient::recordEnd):
2271 * runtime/ConsoleClient.h:
2272 * runtime/ConsoleObject.cpp:
2273 (JSC::ConsoleObject::finishCreation):
2274 (JSC::consoleProtoFuncRecord):
2275 (JSC::consoleProtoFuncRecordEnd):
2277 2017-12-03 Yusuke Suzuki <utatane.tea@gmail.com>
2279 WTF shouldn't have both Thread and ThreadIdentifier
2280 https://bugs.webkit.org/show_bug.cgi?id=180308
2282 Reviewed by Darin Adler.
2284 * heap/MachineStackMarker.cpp:
2285 (JSC::MachineThreads::tryCopyOtherThreadStacks):
2286 * llint/LLIntSlowPaths.cpp:
2287 (JSC::LLInt::llint_trace_operand):
2288 (JSC::LLInt::llint_trace_value):
2289 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2290 (JSC::LLInt::traceFunctionPrologue):
2291 * runtime/ExceptionScope.cpp:
2292 (JSC::ExceptionScope::unexpectedExceptionMessage):
2294 (JSC::JSLock::currentThreadIsHoldingLock):
2296 (JSC::VM::throwException):
2298 (JSC::VM::throwingThread const):
2299 (JSC::VM::clearException):
2300 * tools/HeapVerifier.cpp:
2301 (JSC::HeapVerifier::printVerificationHeader):
2303 2017-12-03 Caio Lima <ticaiolima@gmail.com>
2305 Rename DestroyFunc to avoid redefinition on unified build
2306 https://bugs.webkit.org/show_bug.cgi?id=180335
2308 Reviewed by Filip Pizlo.
2310 Changing DestroyFunc structures to more specific names to avoid
2311 conflicts on unified builds.
2313 * heap/HeapCellType.cpp:
2314 (JSC::HeapCellType::finishSweep):
2315 (JSC::HeapCellType::destroy):
2316 * runtime/JSDestructibleObjectHeapCellType.cpp:
2317 (JSC::JSDestructibleObjectHeapCellType::finishSweep):
2318 (JSC::JSDestructibleObjectHeapCellType::destroy):
2319 * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2320 (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
2321 (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
2322 * runtime/JSStringHeapCellType.cpp:
2323 (JSC::JSStringHeapCellType::finishSweep):
2324 (JSC::JSStringHeapCellType::destroy):
2325 * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2326 (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
2327 (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
2329 2017-12-01 JF Bastien <jfbastien@apple.com>
2331 JavaScriptCore: missing exception checks in Math functions that take more than one argument
2332 https://bugs.webkit.org/show_bug.cgi?id=180297
2333 <rdar://problem/35745556>
2335 Reviewed by Mark Lam.
2337 * runtime/MathObject.cpp:
2338 (JSC::mathProtoFuncATan2):
2339 (JSC::mathProtoFuncMax):
2340 (JSC::mathProtoFuncMin):
2341 (JSC::mathProtoFuncPow):
2343 2017-12-01 Mark Lam <mark.lam@apple.com>
2345 Let's scramble ClassInfo pointers in cells.
2346 https://bugs.webkit.org/show_bug.cgi?id=180291
2347 <rdar://problem/35807620>
2349 Reviewed by JF Bastien.
2351 * API/JSCallbackObject.h:
2352 * API/JSObjectRef.cpp:
2354 * JavaScriptCore.xcodeproj/project.pbxproj:
2356 * assembler/MacroAssemblerCodeRef.cpp:
2357 (JSC::MacroAssemblerCodePtr::initialize): Deleted.
2358 * assembler/MacroAssemblerCodeRef.h:
2359 (JSC::MacroAssemblerCodePtr:: const):
2360 (JSC::MacroAssemblerCodePtr::hash const):
2361 * dfg/DFGSpeculativeJIT.cpp:
2362 (JSC::DFG::SpeculativeJIT::checkArray):
2363 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2364 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2365 * ftl/FTLLowerDFGToB3.cpp:
2366 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2367 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2368 * jit/AssemblyHelpers.h:
2369 (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2370 * jit/SpecializedThunkJIT.h:
2371 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2372 * runtime/InitializeThreading.cpp:
2373 (JSC::initializeThreading):
2374 * runtime/JSCScrambledPtr.cpp: Added.
2375 (JSC::initializeScrambledPtrKeys):
2376 * runtime/JSCScrambledPtr.h: Added.
2377 * runtime/JSDestructibleObject.h:
2378 (JSC::JSDestructibleObject::classInfo const):
2379 * runtime/JSSegmentedVariableObject.h:
2380 (JSC::JSSegmentedVariableObject::classInfo const):
2381 * runtime/Structure.h:
2384 2017-12-01 Brian Burg <bburg@apple.com>
2386 Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
2387 https://bugs.webkit.org/show_bug.cgi?id=173662
2389 Reviewed by Joseph Pecoraro.
2391 Adopt new type names. Fix protocol generator to use correct type names.
2393 * inspector/ConsoleMessage.cpp:
2394 (Inspector::ConsoleMessage::addToFrontend):
2395 Improve namings and use 'auto' when the type is obvious and repeated.
2397 * inspector/ContentSearchUtilities.cpp:
2398 (Inspector::ContentSearchUtilities::searchInTextByLines):
2399 * inspector/ContentSearchUtilities.h:
2400 * inspector/InjectedScript.cpp:
2401 (Inspector::InjectedScript::getProperties):
2402 (Inspector::InjectedScript::getDisplayableProperties):
2403 (Inspector::InjectedScript::getInternalProperties):
2404 (Inspector::InjectedScript::getCollectionEntries):
2405 (Inspector::InjectedScript::wrapCallFrames const):
2406 * inspector/InjectedScript.h:
2407 * inspector/InspectorProtocolTypes.h:
2408 (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
2409 (Inspector::Protocol::Array::Array): Deleted.
2410 (Inspector::Protocol::Array::openAccessors): Deleted.
2411 (Inspector::Protocol::Array::addItem): Deleted.
2412 (Inspector::Protocol::Array::create): Deleted.
2413 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
2414 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
2415 Move the implementation out of this file.
2417 * inspector/ScriptCallStack.cpp:
2418 (Inspector::ScriptCallStack::buildInspectorArray const):
2419 * inspector/ScriptCallStack.h:
2420 * inspector/agents/InspectorAgent.cpp:
2421 (Inspector::InspectorAgent::activateExtraDomain):
2422 (Inspector::InspectorAgent::activateExtraDomains):
2423 * inspector/agents/InspectorAgent.h:
2424 * inspector/agents/InspectorConsoleAgent.cpp:
2425 (Inspector::InspectorConsoleAgent::getLoggingChannels):
2426 * inspector/agents/InspectorConsoleAgent.h:
2427 * inspector/agents/InspectorDebuggerAgent.cpp:
2428 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2429 (Inspector::InspectorDebuggerAgent::searchInContent):
2430 (Inspector::InspectorDebuggerAgent::currentCallFrames):
2431 * inspector/agents/InspectorDebuggerAgent.h:
2432 * inspector/agents/InspectorRuntimeAgent.cpp:
2433 (Inspector::InspectorRuntimeAgent::getProperties):
2434 (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2435 (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2436 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2437 (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2438 * inspector/agents/InspectorRuntimeAgent.h:
2439 * inspector/agents/InspectorScriptProfilerAgent.cpp:
2440 (Inspector::buildSamples):
2441 Use more 'auto' and rename a variable.
2443 * inspector/scripts/codegen/cpp_generator.py:
2444 (CppGenerator.cpp_protocol_type_for_type):
2445 Adopt new type names. This exposed a latent bug where we should have been
2446 unwrapping an AliasedType prior to generating a C++ type for it. The aliased
2447 type may be an array, in which case we would have generated the wrong type.
2449 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2450 (_generate_typedefs_for_domain.JSON):
2451 (_generate_typedefs_for_domain.Inspector): Deleted.
2452 * inspector/scripts/codegen/objc_generator.py:
2453 (ObjCGenerator.protocol_type_for_type):
2454 (ObjCGenerator.objc_protocol_export_expression_for_variable):
2455 * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2456 * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2457 * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2458 * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2459 * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2460 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2463 * runtime/TypeSet.cpp:
2464 (JSC::TypeSet::allStructureRepresentations const):
2465 (JSC::StructureShape::inspectorRepresentation):
2466 * runtime/TypeSet.h:
2468 2017-12-01 Saam Barati <sbarati@apple.com>
2470 Having a bad time needs to handle ArrayClass indexing type as well
2471 https://bugs.webkit.org/show_bug.cgi?id=180274
2472 <rdar://problem/35667869>
2474 Reviewed by Keith Miller and Mark Lam.
2476 We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
2477 Otherwise, we'll end up with the wrong Structure, which will lead us to not
2478 adhere to the spec. The bug was that we were not considering ArrayClass inside
2479 hasBrokenIndexing. This patch rewrites that function to automatically opt
2480 in non-empty indexing types as broken, instead of having to opt out all
2481 non-empty indexing types besides SlowPutArrayStorage.
2483 * runtime/IndexingType.h:
2484 (JSC::hasSlowPutArrayStorage):
2485 (JSC::shouldUseSlowPut):
2486 * runtime/JSGlobalObject.cpp:
2487 * runtime/JSObject.cpp:
2488 (JSC::JSObject::switchToSlowPutArrayStorage):
2490 2017-12-01 JF Bastien <jfbastien@apple.com>
2492 WebAssembly: stack trace improvement follow-ups
2493 https://bugs.webkit.org/show_bug.cgi?id=180273
2495 Reviewed by Saam Barati.
2497 * wasm/WasmIndexOrName.cpp:
2498 (JSC::Wasm::makeString):
2499 * wasm/WasmIndexOrName.h:
2500 (JSC::Wasm::IndexOrName::nameSection const):
2501 * wasm/WasmNameSection.h:
2502 (JSC::Wasm::NameSection::NameSection):
2503 (JSC::Wasm::NameSection::get):
2505 2017-12-01 JF Bastien <jfbastien@apple.com>
2507 WebAssembly: restore cached stack limit after out-call
2508 https://bugs.webkit.org/show_bug.cgi?id=179106
2509 <rdar://problem/35337525>
2511 Reviewed by Saam Barati.
2513 We cache the stack limit on the Instance so that we can do fast
2514 stack checks where required. In regular usage the stack limit
2515 never changes because we always run on the same thread, but in
2516 rare cases an API user can totally migrate which thread (and
2517 therefore stack) is used for execution between WebAssembly
2518 traces. For that reason we set the cached stack limit to
2519 UINTPTR_MAX on the outgoing Instance when transitioning back into
2520 a different Instance. We usually restore the cached stack limit in
2521 Context::store, but this wasn't called on all code paths. We had a
2522 bug where an Instance calling into itself indirectly would
2523 therefore fail to restore its cached stack limit properly.
2525 This patch therefore restores the cached stack limit after direct
2526 calls which could be to imports (both wasm->wasm and
2527 wasm->embedder). We have to do all of them because we have no way
2528 of knowing what imports will do (they're known at instantiation
2529 time, not compilation time, and different instances can have
2530 different imports). To make this efficient we also add a pointer
2531 to the canonical location of the stack limit (i.e. the extra
2532 indirection we're trying to save by caching the stack limit on the
2533 Instance in the first place). This is potentially a small perf hit
2534 on imported direct calls.
2536 It's hard to say what the performance cost will be because we
2537 haven't seen much code in the wild which does this. We're adding
2538 two dependent loads and a store of the loaded value, which is
2539 unlikely to get used soon after. It's more code, but on an
2540 out-of-order processor it doesn't contribute to the critical path.
2542 * wasm/WasmB3IRGenerator.cpp:
2543 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2544 (JSC::Wasm::B3IRGenerator::addGrowMemory):
2545 (JSC::Wasm::B3IRGenerator::addCall):
2546 (JSC::Wasm::B3IRGenerator::addCallIndirect):
2547 * wasm/WasmInstance.cpp:
2548 (JSC::Wasm::Instance::Instance):
2549 (JSC::Wasm::Instance::create):
2550 * wasm/WasmInstance.h:
2551 (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
2552 (JSC::Wasm::Instance::cachedStackLimit const):
2553 (JSC::Wasm::Instance::setCachedStackLimit):
2554 * wasm/js/JSWebAssemblyInstance.cpp:
2555 (JSC::JSWebAssemblyInstance::create):
2556 * wasm/js/WebAssemblyFunction.cpp:
2557 (JSC::callWebAssemblyFunction):
2559 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2561 [JSC] Use JSFixedArray for op_new_array_buffer
2562 https://bugs.webkit.org/show_bug.cgi?id=180084
2564 Reviewed by Saam Barati.
2566 For op_new_array_buffer, we have a special constant buffer in CodeBlock.
2567 But using JSFixedArray is better because,
2569 1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
2570 If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.
2572 2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
2573 has JSFixedArray, we can just emit a held JSFixedArray.
2575 3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.
2577 4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
2579 5. We do not need to look up the constant buffer from the CodeBlock if the buffer data is necessary. Our NewArrayBuffer
2580 DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
2581 will be introduced in [1].
2583 [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
2585 * bytecode/BytecodeDumper.cpp:
2586 (JSC::BytecodeDumper<Block>::dumpBytecode):
2587 * bytecode/BytecodeList.json:
2588 * bytecode/BytecodeUseDef.h:
2589 (JSC::computeUsesForBytecodeOffset):
2590 * bytecode/CodeBlock.cpp:
2591 (JSC::CodeBlock::finishCreation):
2592 * bytecode/CodeBlock.h:
2593 (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
2594 (JSC::CodeBlock::addConstantBuffer): Deleted.
2595 (JSC::CodeBlock::constantBufferAsVector): Deleted.
2596 (JSC::CodeBlock::constantBuffer): Deleted.
2597 * bytecode/UnlinkedCodeBlock.cpp:
2598 (JSC::UnlinkedCodeBlock::shrinkToFit):
2599 * bytecode/UnlinkedCodeBlock.h:
2600 (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2601 (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2602 (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
2603 (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2604 * bytecompiler/BytecodeGenerator.cpp:
2605 (JSC::BytecodeGenerator::emitNewArray):
2606 (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
2607 * bytecompiler/BytecodeGenerator.h:
2608 * dfg/DFGByteCodeParser.cpp:
2609 (JSC::DFG::ByteCodeParser::parseBlock):
2610 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2611 (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
2612 (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
2613 (JSC::DFG::ConstantBufferKey::hash const): Deleted.
2614 (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
2615 (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
2616 (JSC::DFG::ConstantBufferKey::index const): Deleted.
2617 (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
2618 (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
2619 * dfg/DFGClobberize.h:
2620 (JSC::DFG::clobberize):
2622 (JSC::DFG::Graph::dump):
2625 (JSC::DFG::Node::hasNewArrayBufferData):
2626 (JSC::DFG::Node::newArrayBufferData):
2627 (JSC::DFG::Node::hasVectorLengthHint):
2628 (JSC::DFG::Node::vectorLengthHint):
2629 (JSC::DFG::Node::indexingType):
2630 (JSC::DFG::Node::hasCellOperand):
2631 (JSC::DFG::Node::OpInfoWrapper::operator=):
2632 (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
2633 (JSC::DFG::Node::hasConstantBuffer): Deleted.
2634 (JSC::DFG::Node::startConstant): Deleted.
2635 (JSC::DFG::Node::numConstants): Deleted.
2636 * dfg/DFGOperations.cpp:
2637 * dfg/DFGOperations.h:
2638 * dfg/DFGSpeculativeJIT.h:
2639 (JSC::DFG::SpeculativeJIT::callOperation):
2640 * dfg/DFGSpeculativeJIT32_64.cpp:
2641 (JSC::DFG::SpeculativeJIT::compile):
2642 * dfg/DFGSpeculativeJIT64.cpp:
2643 (JSC::DFG::SpeculativeJIT::compile):
2644 * ftl/FTLLowerDFGToB3.cpp:
2645 (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2647 (JSC::JIT::privateCompileMainPass):
2649 * jit/JITOpcodes.cpp:
2650 (JSC::JIT::emit_op_new_array_buffer): Deleted.
2651 * jit/JITOperations.cpp:
2652 * jit/JITOperations.h:
2653 * llint/LLIntSlowPaths.cpp:
2654 * llint/LLIntSlowPaths.h:
2655 * llint/LowLevelInterpreter.asm:
2656 * runtime/CommonSlowPaths.cpp:
2657 (JSC::SLOW_PATH_DECL):
2658 * runtime/CommonSlowPaths.h:
2659 * runtime/JSFixedArray.cpp:
2660 (JSC::JSFixedArray::dumpToStream):
2661 * runtime/JSFixedArray.h:
2662 (JSC::JSFixedArray::create):
2663 (JSC::JSFixedArray::get const):
2664 (JSC::JSFixedArray::set):
2665 (JSC::JSFixedArray::buffer const):
2666 (JSC::JSFixedArray::values const):
2667 (JSC::JSFixedArray::length const):
2668 (JSC::JSFixedArray::get): Deleted.
2670 2017-11-30 JF Bastien <jfbastien@apple.com>
2672 WebAssembly: improve stack trace
2673 https://bugs.webkit.org/show_bug.cgi?id=179343
2675 Reviewed by Saam Barati.
2677 Stack traces now include:
2679 - Module name, if provided by the name section.
2680 - Module SHA1 hash if no name was provided
2681 - Stub identification, to differentiate from user code
2682 - Slightly different naming to match design from:
2683 https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
2685 * interpreter/StackVisitor.cpp:
2686 (JSC::StackVisitor::Frame::functionName const):
2687 * runtime/StackFrame.cpp:
2688 (JSC::StackFrame::functionName const):
2689 (JSC::StackFrame::visitChildren):
2690 * wasm/WasmIndexOrName.cpp:
2691 (JSC::Wasm::IndexOrName::IndexOrName):
2692 (JSC::Wasm::makeString):
2693 * wasm/WasmIndexOrName.h:
2694 (JSC::Wasm::IndexOrName::nameSection const):
2695 * wasm/WasmModuleInformation.cpp:
2696 (JSC::Wasm::ModuleInformation::ModuleInformation):
2697 * wasm/WasmModuleInformation.h:
2698 * wasm/WasmNameSection.h:
2699 (JSC::Wasm::NameSection::NameSection):
2700 (JSC::Wasm::NameSection::get):
2701 * wasm/WasmNameSectionParser.cpp:
2702 (JSC::Wasm::NameSectionParser::parse):
2704 2017-11-30 Stephan Szabo <stephan.szabo@sony.com>
2706 Make LegacyCustomProtocolManager optional for network process
2707 https://bugs.webkit.org/show_bug.cgi?id=176230
2709 Reviewed by Alex Christensen.
2711 * Configurations/FeatureDefines.xcconfig:
2713 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2715 [JSC] Remove easy toRemove & map.remove() use in OAS phase
2716 https://bugs.webkit.org/show_bug.cgi?id=180208
2718 Reviewed by Mark Lam.
2720 In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
2721 to optimize this common pattern. This patch only modifies apparent ones.
2722 But we can apply this refactoring further to the OAS phase in the future.
2724 One thing we should be careful about is that the predicate of removeIf should not touch the
2725 set being removed from. In this patch, we apply this change to (1) apparently
2726 correct ones and (2) things in the DFG OAS phase since it is very slow.
2728 * b3/B3MoveConstants.cpp:
2729 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2731 2017-11-30 Commit Queue <commit-queue@webkit.org>
2733 Unreviewed, rolling out r225362.
2734 https://bugs.webkit.org/show_bug.cgi?id=180225
2736 removeIf predicate function can touch remove target set
2737 (Requested by yusukesuzuki on #webkit).
2741 "[JSC] Remove easy toRemove & map.remove() use"
2742 https://bugs.webkit.org/show_bug.cgi?id=180208
2743 https://trac.webkit.org/changeset/225362
2745 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2747 [JSC] Use AllocatorIfExists for MaterializeNewObject
2748 https://bugs.webkit.org/show_bug.cgi?id=180189
2750 Reviewed by Filip Pizlo.
2752 I don't think anyone guarantees this allocator exists at this phase.
2753 And a nullptr allocator just works here. We change AllocatorForMode
2754 to AllocatorIfExists to accept nullptr for the allocator.
2756 * ftl/FTLLowerDFGToB3.cpp:
2757 (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2759 2017-11-30 Mark Lam <mark.lam@apple.com>
2761 Let's scramble MacroAssemblerCodePtr values.
2762 https://bugs.webkit.org/show_bug.cgi?id=180169
2763 <rdar://problem/35758340>
2765 Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
2767 1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
2769 2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
2770 template argument type that will be used to cast the result. This makes the
2771 client code that uses these functions a little less verbose.
2773 3. Change the code base in general to minimize passing void* code pointers around.
2774 We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
2775 at the last moment when we need the underlying code pointer.
2777 4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
2778 default. I'm leaving them in because they are instrumental in finding bugs
2779 where not all MacroAssemblerCodePtr values were scrambled as expected.
2780 I expect them to be useful in the near future as we add more scrambling.
2782 5. Also disable the casting operator on MacroAssemblerCodePtr (except for
2783 explicit casts to a boolean). This ensures that clients will always explicitly
2784 use scrambledBits() or executableAddress() to get a value based on which value
2787 6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
2788 This was helpful when debugging tests that ran multiple VMs concurrently on
2791 MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
2792 CLoop). It is not yet supported in 32-bit and Windows because we don't
2793 currently have a way to read a global variable from their LLInt code.
2795 * assembler/AbstractMacroAssembler.h:
2796 (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2797 (JSC::AbstractMacroAssembler::linkPointer):
2798 * assembler/CodeLocation.h:
2799 (JSC::CodeLocationCommon::instructionAtOffset):
2800 (JSC::CodeLocationCommon::labelAtOffset):
2801 (JSC::CodeLocationCommon::jumpAtOffset):
2802 (JSC::CodeLocationCommon::callAtOffset):
2803 (JSC::CodeLocationCommon::nearCallAtOffset):
2804 (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
2805 (JSC::CodeLocationCommon::dataLabel32AtOffset):
2806 (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
2807 (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2808 * assembler/LinkBuffer.cpp:
2809 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2810 * assembler/LinkBuffer.h:
2811 (JSC::LinkBuffer::link):
2812 (JSC::LinkBuffer::patch):
2813 * assembler/MacroAssemblerCodeRef.cpp:
2814 (JSC::MacroAssemblerCodePtr::initialize):
2815 * assembler/MacroAssemblerCodeRef.h:
2816 (JSC::FunctionPtr::FunctionPtr):
2817 (JSC::FunctionPtr::value const):
2818 (JSC::FunctionPtr::executableAddress const):
2819 (JSC::ReturnAddressPtr::ReturnAddressPtr):
2820 (JSC::ReturnAddressPtr::value const):
2821 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2822 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2823 (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2824 (JSC::MacroAssemblerCodePtr:: const):
2825 (JSC::MacroAssemblerCodePtr::operator! const):
2826 (JSC::MacroAssemblerCodePtr::operator bool const):
2827 (JSC::MacroAssemblerCodePtr::operator== const):
2828 (JSC::MacroAssemblerCodePtr::hash const):
2829 (JSC::MacroAssemblerCodePtr::emptyValue):
2830 (JSC::MacroAssemblerCodePtr::deletedValue):
2831 (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
2832 (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
2833 * b3/B3LowerMacros.cpp:
2835 (JSC::B3::testInterpreter):
2836 * dfg/DFGDisassembler.cpp:
2837 (JSC::DFG::Disassembler::dumpDisassembly):
2838 * dfg/DFGJITCompiler.cpp:
2839 (JSC::DFG::JITCompiler::link):
2840 (JSC::DFG::JITCompiler::compileFunction):
2841 * dfg/DFGOperations.cpp:
2842 * dfg/DFGSpeculativeJIT.cpp:
2843 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2844 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2845 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2846 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2847 * dfg/DFGSpeculativeJIT.h:
2848 * disassembler/Disassembler.cpp:
2850 * disassembler/UDis86Disassembler.cpp:
2851 (JSC::tryToDisassembleWithUDis86):
2852 * ftl/FTLCompile.cpp:
2853 (JSC::FTL::compile):
2854 * ftl/FTLJITCode.cpp:
2855 (JSC::FTL::JITCode::executableAddressAtOffset):
2858 * ftl/FTLLowerDFGToB3.cpp:
2859 (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
2860 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2861 (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2862 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2863 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2864 * interpreter/InterpreterInlines.h:
2865 (JSC::Interpreter::getOpcodeID):
2866 * jit/JITArithmetic.cpp:
2867 (JSC::JIT::emitMathICFast):
2868 (JSC::JIT::emitMathICSlow):
2870 (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2871 (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
2872 (JSC::JITCodeWithCodeRef::offsetOf):
2873 * jit/JITDisassembler.cpp:
2874 (JSC::JITDisassembler::dumpDisassembly):
2875 * jit/PCToCodeOriginMap.cpp:
2876 (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2878 (JSC::ftlThunkAwareRepatchCall):
2879 * jit/ThunkGenerators.cpp:
2880 (JSC::virtualThunkFor):
2881 (JSC::boundThisNoArgsFunctionCallGenerator):
2882 * llint/LLIntSlowPaths.cpp:
2883 (JSC::LLInt::llint_trace_operand):
2884 (JSC::LLInt::llint_trace_value):
2885 (JSC::LLInt::handleHostCall):
2886 (JSC::LLInt::setUpCall):
2887 * llint/LowLevelInterpreter64.asm:
2888 * offlineasm/cloop.rb:
2889 * runtime/InitializeThreading.cpp:
2890 (JSC::initializeThreading):
2891 * wasm/WasmBBQPlan.cpp:
2892 (JSC::Wasm::BBQPlan::complete):
2893 * wasm/WasmCallee.h:
2894 (JSC::Wasm::Callee::entrypoint const):
2895 * wasm/WasmCodeBlock.cpp:
2896 (JSC::Wasm::CodeBlock::CodeBlock):
2897 * wasm/WasmOMGPlan.cpp:
2898 (JSC::Wasm::OMGPlan::work):
2899 * wasm/js/WasmToJS.cpp:
2900 (JSC::Wasm::wasmToJS):
2901 * wasm/js/WebAssemblyFunction.cpp:
2902 (JSC::callWebAssemblyFunction):
2903 * wasm/js/WebAssemblyFunction.h:
2904 * wasm/js/WebAssemblyWrapperFunction.cpp:
2905 (JSC::WebAssemblyWrapperFunction::create):
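The scrambling scheme the entry above describes (a keyed value stored in place of the raw code pointer, with only explicit scrambledBits()/executableAddress<T>() accessors and no conversion to void*), shown as an added stand-alone example; this is not JavaScriptCore's MacroAssemblerCodePtr or ScrambledPtr, and the key source, the class name CodePtr and the helper addOne are assumptions made for the example.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <random>
#include <type_traits>

// Process-wide secret chosen once at startup and forced odd so it is never the identity key.
// std::random_device stands in here for whatever CSPRNG the host runtime provides.
static const uintptr_t g_codePtrKey = [] {
    std::mt19937_64 generator { std::random_device {}() };
    return static_cast<uintptr_t>(generator()) | uintptr_t(1);
}();

// Example class (not JSC's): the raw code address is never stored, only its keyed form.
class CodePtr {
public:
    CodePtr() = default;

    // The only way in: callers hand over a real pointer and it is scrambled immediately.
    template<typename PointerType>
    static CodePtr createFromExecutableAddress(PointerType address)
    {
        static_assert(std::is_pointer<PointerType>::value, "expected a pointer type");
        CodePtr result;
        result.m_scrambled = scramble(reinterpret_cast<uintptr_t>(address));
        return result;
    }

    // Explicit accessors only. There is deliberately no conversion to void*, so code that
    // needs the real address has to ask for it, and can do so as late as possible.
    uintptr_t scrambledBits() const { return m_scrambled; }

    template<typename PointerType>
    PointerType executableAddress() const
    {
        static_assert(std::is_pointer<PointerType>::value, "expected a pointer type");
        return reinterpret_cast<PointerType>(descramble(m_scrambled));
    }

    explicit operator bool() const { return m_scrambled != 0; }
    bool operator!() const { return m_scrambled == 0; }
    bool operator==(const CodePtr& other) const { return m_scrambled == other.m_scrambled; }
    bool operator!=(const CodePtr& other) const { return !(*this == other); }

    // Paranoid check in the spirit of the disabled asserts mentioned in the entry: a stored
    // value that still equals the raw address was never scrambled.
    bool looksScrambled(uintptr_t rawAddress) const { return m_scrambled != rawAddress; }

private:
    // Null stays null so that the empty value remains a cheap test; everything else is keyed.
    static uintptr_t scramble(uintptr_t raw) { return raw ? raw ^ g_codePtrKey : 0; }
    static uintptr_t descramble(uintptr_t scrambled) { return scrambled ? scrambled ^ g_codePtrKey : 0; }

    uintptr_t m_scrambled { 0 };
};

// Stand-in for a JIT entry point (assumption for the example).
static int addOne(int x) { return x + 1; }

// Round trip: store, confirm the stored bits do not equal the raw address, descramble, call.
static bool roundTripWorks()
{
    using Thunk = int (*)(int);
    CodePtr codePtr = CodePtr::createFromExecutableAddress<Thunk>(&addOne);
    uintptr_t raw = reinterpret_cast<uintptr_t>(&addOne);
    if (!codePtr.looksScrambled(raw))
        return false;
    Thunk thunk = codePtr.executableAddress<Thunk>();
    return thunk == &addOne && thunk(41) == 42;
}

// The empty value compares equal however it was produced and tests false.
static bool nullIsNull()
{
    CodePtr empty;
    CodePtr fromNull = CodePtr::createFromExecutableAddress<void*>(nullptr);
    return !empty && !fromNull && empty == fromNull;
}

int main()
{
    std::printf("round trip: %s\n", roundTripWorks() ? "ok" : "FAILED");
    std::printf("null handling: %s\n", nullIsNull() ? "ok" : "FAILED");
    return roundTripWorks() && nullIsNull() ? 0 : 1;
}
```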
2907 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2909 [JSC] Remove easy toRemove & map.remove() use
2910 https://bugs.webkit.org/show_bug.cgi?id=180208
2912 Reviewed by Mark Lam.
2914 In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
2915 to optimize this common pattern. This patch only modifies apparent ones.
2916 But we can apply this refactoring further to the OAS phase in the future.
2918 * b3/B3MoveConstants.cpp:
2919 * dfg/DFGArgumentsEliminationPhase.cpp:
2920 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2921 * wasm/WasmSignature.cpp:
2922 (JSC::Wasm::SignatureInformation::tryCleanup):
2924 2017-11-29 Yusuke Suzuki <utatane.tea@gmail.com>
2926 [JSC] Use getEffectiveAddress more in JSC
2927 https://bugs.webkit.org/show_bug.cgi?id=180154
2929 Reviewed by Mark Lam.
2931 We can use MacroAssembler::getEffectiveAddress for stack height calculation.
2932 And we also add MacroAssembler::negPtr(src, dest) variation.
2934 * assembler/MacroAssembler.h:
2935 (JSC::MacroAssembler::negPtr):
2936 * assembler/MacroAssemblerARM.h:
2937 (JSC::MacroAssemblerARM::neg32):
2938 * assembler/MacroAssemblerARM64.h:
2939 (JSC::MacroAssemblerARM64::neg32):
2940 (JSC::MacroAssemblerARM64::neg64):
2941 * assembler/MacroAssemblerARMv7.h:
2942 (JSC::MacroAssemblerARMv7::neg32):
2943 * assembler/MacroAssemblerMIPS.h:
2944 (JSC::MacroAssemblerMIPS::neg32):
2945 * assembler/MacroAssemblerX86Common.h:
2946 (JSC::MacroAssemblerX86Common::neg32):
2947 * assembler/MacroAssemblerX86_64.h:
2948 (JSC::MacroAssemblerX86_64::neg64):
2949 * dfg/DFGThunks.cpp:
2950 (JSC::DFG::osrEntryThunkGenerator):
2951 * ftl/FTLLowerDFGToB3.cpp:
2952 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2953 * jit/SetupVarargsFrame.cpp:
2954 (JSC::emitSetVarargsFrame):
2956 2017-11-30 Mark Lam <mark.lam@apple.com>
2958 jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2959 https://bugs.webkit.org/show_bug.cgi?id=180219
2960 <rdar://problem/35696536>
2962 Reviewed by Filip Pizlo.
2965 (functionFlashHeapAccess):
2967 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2969 [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2970 https://bugs.webkit.org/show_bug.cgi?id=180190
2972 Reviewed by Mark Lam.
2974 If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
2975 path by calling operationHasIndexedProperty. The problem is that
2976 operationHasIndexedProperty does not account for negative indices. The negative index
2977 was used as a uint32 array index.
2979 In this patch we add a path for negative indices in operationHasIndexedProperty.
2980 And rename it to operationHasIndexedPropertyByInt to make the intention clear.
2981 We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
2982 since it is only used in DFG and FTL.
2984 While fixing this bug, we found that our op_in does not record OutOfBound feedback.
2985 This causes repeated OSR exit and significantly regresses the performance. We opened
2986 a bug to track this issue[1].
2988 [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
2990 * dfg/DFGOperations.cpp:
2991 * dfg/DFGOperations.h:
2992 * dfg/DFGSpeculativeJIT32_64.cpp:
2993 (JSC::DFG::SpeculativeJIT::compile):
2994 * dfg/DFGSpeculativeJIT64.cpp:
2995 (JSC::DFG::SpeculativeJIT::compile):
2996 * ftl/FTLLowerDFGToB3.cpp:
2997 (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2998 * jit/JITOperations.cpp:
2999 * jit/JITOperations.h:
3001 2017-11-30 Michael Saboff <msaboff@apple.com>
3003 Allow JSC command line tool to accept UTF8
3004 https://bugs.webkit.org/show_bug.cgi?id=180205
3006 Reviewed by Keith Miller.
3008 This unifies the UTF8 handling of interactive mode with that of source files.
3013 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
3015 REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
3016 https://bugs.webkit.org/show_bug.cgi?id=180185
3018 Reviewed by Carlos Garcia Campos.
3020 After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
3021 But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
3022 can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
3023 And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
3024 DFG node can be emitted if we see that an untaken path includes String + String code.
3026 This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
3027 As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
3028 I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
3029 original code used before r225314.
3031 * dfg/DFGSpeculativeJIT.cpp:
3032 (JSC::DFG::SpeculativeJIT::compileMakeRope):
3033 * ftl/FTLLowerDFGToB3.cpp:
3034 (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3036 2017-11-28 Filip Pizlo <fpizlo@apple.com>
3038 CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
3039 https://bugs.webkit.org/show_bug.cgi?id=180108
3041 Reviewed by Saam Barati.
3043 This was creating a vector of things to remove and then removing them. I think I remember writing
3044 this code, and I did that because at the time we did not have removeAllMatching, which is
3045 definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
3046 obvious improvement before I did more fundamental things to this code.
3048 * heap/CodeBlockSet.cpp:
3049 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3051 2017-11-29 Filip Pizlo <fpizlo@apple.com>
3053 GC should support isoheaps
3054 https://bugs.webkit.org/show_bug.cgi?id=179288
3056 Reviewed by Saam Barati.
3058 This expands the power of the Subspace API in JSC:
3060 - Everything associated with describing the types of objects is now part of the HeapCellType class.
3061 We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
3062 HeapCellType; these are orthogonal things.
3064 - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
3065 any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
3066 special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
3067 pages but releases the physical pages as part of the respective allocator's scavenging policy
3068 (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
3071 So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
3074 This does not have any effect on JetStream (0.18% faster with p = 0.69).
3076 * JavaScriptCore.xcodeproj/project.pbxproj:
3078 * bytecode/AccessCase.cpp:
3079 (JSC::AccessCase::generateImpl):
3080 * bytecode/ObjectAllocationProfileInlines.h:
3081 (JSC::ObjectAllocationProfile::initializeProfile):
3082 * dfg/DFGSpeculativeJIT.cpp:
3083 (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3084 (JSC::DFG::SpeculativeJIT::compileMakeRope):
3085 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3086 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3087 * dfg/DFGSpeculativeJIT64.cpp:
3088 (JSC::DFG::SpeculativeJIT::compile):
3089 * ftl/FTLAbstractHeapRepository.h:
3090 * ftl/FTLLowerDFGToB3.cpp:
3091 (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3092 (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3093 (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3094 (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3095 (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3096 * heap/AlignedMemoryAllocator.cpp:
3097 (JSC::AlignedMemoryAllocator::registerAllocator):
3098 (JSC::AlignedMemoryAllocator::registerSubspace):
3099 * heap/AlignedMemoryAllocator.h:
3100 (JSC::AlignedMemoryAllocator::firstAllocator const):
3101 * heap/AllocationFailureMode.h: Added.
3102 * heap/CompleteSubspace.cpp: Added.
3103 (JSC::CompleteSubspace::CompleteSubspace):
3104 (JSC::CompleteSubspace::~CompleteSubspace):
3105 (JSC::CompleteSubspace::allocatorFor):
3106 (JSC::CompleteSubspace::allocate):
3107 (JSC::CompleteSubspace::allocateNonVirtual):
3108 (JSC::CompleteSubspace::allocatorForSlow):
3109 (JSC::CompleteSubspace::allocateSlow):
3110 (JSC::CompleteSubspace::tryAllocateSlow):
3111 * heap/CompleteSubspace.h: Added.
3112 (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
3113 (JSC::CompleteSubspace::allocatorForSizeStep):
3114 (JSC::CompleteSubspace::allocatorForNonVirtual):
3115 * heap/HeapCellType.cpp: Added.
3116 (JSC::HeapCellType::HeapCellType):
3117 (JSC::HeapCellType::~HeapCellType):
3118 (JSC::HeapCellType::finishSweep):
3119 (JSC::HeapCellType::destroy):
3120 * heap/HeapCellType.h: Added.
3121 (JSC::HeapCellType::attributes const):
3122 * heap/IsoAlignedMemoryAllocator.cpp: Added.
3123 (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
3124 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3125 (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3126 (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3127 (JSC::IsoAlignedMemoryAllocator::dump const):
3128 * heap/IsoAlignedMemoryAllocator.h: Added.
3129 * heap/IsoSubspace.cpp: Added.
3130 (JSC::IsoSubspace::IsoSubspace):
3131 (JSC::IsoSubspace::~IsoSubspace):
3132 (JSC::IsoSubspace::allocatorFor):
3133 (JSC::IsoSubspace::allocatorForNonVirtual):
3134 (JSC::IsoSubspace::allocate):
3135 (JSC::IsoSubspace::allocateNonVirtual):
3136 * heap/IsoSubspace.h: Added.
3137 (JSC::IsoSubspace::size const):
3138 * heap/MarkedAllocator.cpp:
3139 (JSC::MarkedAllocator::MarkedAllocator):
3140 (JSC::MarkedAllocator::setSubspace):
3141 (JSC::MarkedAllocator::allocateSlowCase):
3142 (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3143 (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3144 * heap/MarkedAllocator.h:
3145 (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
3146 (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
3147 * heap/MarkedAllocatorInlines.h:
3148 (JSC::MarkedAllocator::allocate):
3149 (JSC::MarkedAllocator::tryAllocate): Deleted.
3150 * heap/MarkedBlock.h:
3151 * heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
(JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::addMarkedAllocator):
* heap/MarkedSpace.h:
* heap/Subspace.cpp:
(JSC::Subspace::Subspace):
(JSC::Subspace::initialize):
(JSC::Subspace::finishSweep):
(JSC::Subspace::destroy):
(JSC::Subspace::prepareForAllocation):
(JSC::Subspace::findEmptyBlockToSteal):
(JSC::Subspace::allocate): Deleted.
(JSC::Subspace::tryAllocate): Deleted.
(JSC::Subspace::allocatorForSlow): Deleted.
(JSC::Subspace::allocateSlow): Deleted.
(JSC::Subspace::tryAllocateSlow): Deleted.
(JSC::Subspace::didAllocate): Deleted.
(JSC::Subspace::heapCellType const):
(JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
(JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
(JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
(JSC::Subspace::allocatorForSizeStep): Deleted.
(JSC::Subspace::tryAllocatorFor): Deleted.
(JSC::Subspace::allocatorFor): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
(JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/DirectArguments.h:
(JSC::DirectArguments::subspaceFor):
* runtime/DirectEvalExecutable.h:
* runtime/EvalExecutable.h:
* runtime/ExecutableBase.h:
(JSC::ExecutableBase::subspaceFor):
* runtime/FunctionExecutable.h:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::create):
* runtime/IndirectEvalExecutable.h:
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSCellInlines.h:
(JSC::JSCell::subspaceFor):
(JSC::tryAllocateCellHelper):
(JSC::allocateCell):
(JSC::tryAllocateCell):
* runtime/JSDestructibleObject.h:
(JSC::JSDestructibleObject::subspaceFor):
* runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
(JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
(JSC::JSDestructibleObjectHeapCellType::finishSweep):
(JSC::JSDestructibleObjectHeapCellType::destroy):
(JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
(JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
(JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
(JSC::JSDestructibleObjectSubspace::destroy): Deleted.
* runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
* runtime/JSDestructibleObjectSubspace.cpp: Removed.
* runtime/JSDestructibleObjectSubspace.h: Removed.
* runtime/JSLexicalEnvironment.h:
(JSC::JSLexicalEnvironment::subspaceFor):
* runtime/JSSegmentedVariableObject.h:
(JSC::JSSegmentedVariableObject::subspaceFor):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
(JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
(JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
(JSC::JSSegmentedVariableObjectHeapCellType::destroy):
(JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
* runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
* runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
* runtime/JSSegmentedVariableObjectSubspace.h: Removed.
* runtime/JSString.h:
(JSC::JSString::subspaceFor):
* runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
(JSC::JSStringHeapCellType::JSStringHeapCellType):
(JSC::JSStringHeapCellType::~JSStringHeapCellType):
(JSC::JSStringHeapCellType::finishSweep):
(JSC::JSStringHeapCellType::destroy):
(JSC::JSStringSubspace::JSStringSubspace): Deleted.
(JSC::JSStringSubspace::~JSStringSubspace): Deleted.
(JSC::JSStringSubspace::finishSweep): Deleted.
(JSC::JSStringSubspace::destroy): Deleted.
* runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
* runtime/JSStringSubspace.cpp: Removed.
* runtime/JSStringSubspace.h: Removed.
* runtime/ModuleProgramExecutable.h:
* runtime/NativeExecutable.h:
* runtime/ProgramExecutable.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor):
(JSC::VM::gigacageAuxiliarySpace):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
(JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
(JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
(JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
(JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
* wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
* wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
* wasm/js/JSWebAssemblyMemory.h:
(JSC::JSWebAssemblyMemory::subspaceFor):

2017-11-29 Saam Barati <sbarati@apple.com>

Remove pointer caging for double arrays
https://bugs.webkit.org/show_bug.cgi?id=180163

Reviewed by Mark Lam.

This patch removes pointer caging from double arrays. Like
my previous removals of pointer caging, this is a security vs
performance tradeoff. We believe that butterflies being allocated
in the cage and with a 32GB runway gives us enough security that
pointer caging the butterfly just for double arrays does not add
enough security benefit for the performance hit it incurs.

This patch also removes the GetButterflyWithoutCaging node and
the FixedButterflyAccessUncaging phase. The node is no longer needed
because now all GetButterfly nodes are not caged. The phase is removed
since we no longer have two nodes.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
* dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
* dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNodeType.h:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileArraySlice):
(JSC::DFG::SpeculativeJIT::compileGetButterfly):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
* runtime/Butterfly.h:
(JSC::Butterfly::pointer):
(JSC::Butterfly::contiguousDouble):
(JSC::Butterfly::caged): Deleted.
* runtime/ButterflyInlines.h: