2018-01-08 Michael Saboff <msaboff@apple.com>

        Add a DOM gadget for Spectre testing
        https://bugs.webkit.org/show_bug.cgi?id=181351

        Reviewed by Michael Saboff.

        Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test

2018-01-08 Mark Lam <mark.lam@apple.com>

        Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
        https://bugs.webkit.org/show_bug.cgi?id=181403
        <rdar://problem/36359789>

        Rubber-stamped by JF Bastien.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm const):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::heap const):
        (JSC::CodeBlock::replaceConstant):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-01-07 Mark Lam <mark.lam@apple.com>

        Apply poisoning to more pointers in JSC.
        https://bugs.webkit.org/show_bug.cgi?id=181096
        <rdar://problem/36182970>

        Reviewed by JF Bastien.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::xorPtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::xor64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::xor64):
        - Add xorPtr implementation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName const):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
        (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC::CodeBlock::findPC):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
        (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::vm const):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/UnlinkedSourceCode.h:
        * runtime/JSCPoison.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/StructureTransitionTable.h:
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        (JSC::JSWebAssemblyCodeBlock::visitChildren):
        (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
        * wasm/js/JSWebAssemblyCodeBlock.h:

2018-01-06 Yusuke Suzuki <utatane.tea@gmail.com>

        Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions
        https://bugs.webkit.org/show_bug.cgi?id=181321

        Reviewed by Saam Barati.

        According to ECMA262 16.2[1], functions created using the bind method must not have
        "caller" and "arguments" own properties.

        [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):

2018-01-05 JF Bastien <jfbastien@apple.com>

        WebAssembly: poison JS object's secrets
        https://bugs.webkit.org/show_bug.cgi?id=181339
        <rdar://problem/36325001>

        Reviewed by Mark Lam.

        Separating WebAssembly's JS objects from their non-JS
        implementation means that all interesting information lives
        outside of the JS object itself. This patch poisons each JS
        object's pointer to non-JS implementation using the poisoning
        mechanism and a unique key per JS object type origin.

        * runtime/JSCPoison.h:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
        object in a stack slot when fast TLS is disabled. This requires
        that we unpoison the Wasm::Instance.
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.h:
        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
        be explicit that the pointer is poisoned.
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTable.h:

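The poisoning scheme that the two entries above apply ("Apply poisoning to more pointers in JSC" and "WebAssembly: poison JS object's secrets"), shown as a worked example added for this page. It is not JSC's own Poisoned<> or JSCPoison.h: a pointer field is stored XORed with a key that is unique per JS object type origin, and every consumer unpoisons with that key, as the JS -> wasm wrapper note above says it must for the Wasm::Instance. The key layout (bit 63 set, bit 62 clear), the seeded generator, the null handling and the names Poison, Poisoned, WasmInstanceImpl and runPoisonDemo are this example's assumptions; the page does not say how JSC derives its keys.

```cpp
// Pointer poisoning as a worked example for this ChangeLog page. Example
// code only; it is not JSC's Poisoned<> / JSCPoison.h. How JSC picks its
// keys is not described on the page; the bit layout below is this
// example's own choice.
#include <cstdint>
#include <random>

static_assert(sizeof(uintptr_t) == 8, "this example assumes a 64-bit address space");

// One key per object type origin. Bit 63 is forced on and bit 62 forced off,
// so XORing any user-space pointer (top bits zero) with the key gives an
// address that is non-canonical on x86-64: dereferencing the raw field
// without unpoisoning faults instead of reading memory.
struct Poison {
    uintptr_t key;

    // The seed is for reproducibility in this example; a runtime would draw
    // the key from a CSPRNG at startup.
    static Poison make(uint64_t seed)
    {
        std::mt19937_64 gen(seed);
        uintptr_t bit63 = uintptr_t(1) << 63;
        uintptr_t bit62 = uintptr_t(1) << 62;
        return { (static_cast<uintptr_t>(gen()) | bit63) & ~bit62 };
    }
};

// x86-64 canonical form: bits 63..47 must all be equal.
bool isCanonicalAddress(uintptr_t bits)
{
    uintptr_t top = bits >> 47; // the 17 high bits
    return top == 0 || top == 0x1FFFF;
}

// A pointer field stored XORed with its type's key. Null stays null so that
// "is this set?" checks keep working without the key (this example's choice).
template<typename T>
class Poisoned {
public:
    Poisoned() = default;
    Poisoned(const Poison& poison, T* ptr)
        : m_bits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ poison.key : 0)
    {
    }

    // Every consumer of the field goes through here with the right key,
    // the way the JS -> wasm wrapper has to unpoison the Wasm::Instance.
    T* unpoisoned(const Poison& poison) const
    {
        return m_bits ? reinterpret_cast<T*>(m_bits ^ poison.key) : nullptr;
    }

    uintptr_t bits() const { return m_bits; } // what a memory disclosure would leak

private:
    uintptr_t m_bits = 0;
};

// Stand-in for a non-JS implementation object owned by a JS wrapper.
struct WasmInstanceImpl { int id; };

struct PoisonDemoResult {
    bool roundTrips;                // right key recovers the original pointer
    bool leakedBitsAreNonCanonical; // the raw field is not a usable address
    bool wrongKeyDoesNotRecover;    // another type's key does not recover it
    bool nullStaysNull;
};

PoisonDemoResult runPoisonDemo()
{
    static WasmInstanceImpl instance { 7 };
    Poison instanceKey = Poison::make(0x1234); // key for the Instance wrapper type
    Poison memoryKey = Poison::make(0x5678);   // key for some other wrapper type

    Poisoned<WasmInstanceImpl> field(instanceKey, &instance);
    Poisoned<WasmInstanceImpl> empty(instanceKey, nullptr);

    WasmInstanceImpl* recovered = field.unpoisoned(instanceKey);
    return {
        recovered == &instance && recovered->id == 7,
        !isCanonicalAddress(field.bits()),
        field.unpoisoned(memoryKey) != &instance,
        empty.bits() == 0 && empty.unpoisoned(instanceKey) == nullptr,
    };
}
```

The XOR is not a cryptographic boundary: the key lives in memory and registers, and anything that can disclose the key can unpoison. What it buys is that a pointer leaked from one object type is not directly usable as an address, and that code which dereferences the raw field, or unpoisons with the wrong type's key, lands on a non-canonical address and faults rather than silently reading the wrong object. The xorPtr that the first entry adds to the macro assembler lets JIT-generated code perform the same XOR.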
2018-01-05 Michael Saboff <msaboff@apple.com>

        Add ability to disable indexed property masking for testing
        https://bugs.webkit.org/show_bug.cgi?id=181350

        Reviewed by Keith Miller.

        Made the masking of indexed properties runtime controllable via a new JSC::Option
        named disableSpectreMitigations. This is done to test the efficacy of that mitigation.

        The new option has a generic name as it will probably be used to disable future mitigations.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):

2018-01-05 Michael Saboff <msaboff@apple.com>

        Allow JSC Config Files to set Restricted Options
        https://bugs.webkit.org/show_bug.cgi?id=181352

        Reviewed by Mark Lam.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2018-01-04 Keith Miller <keith_miller@apple.com>

        TypedArrays and Wasm should use index masking.
        https://bugs.webkit.org/show_bug.cgi?id=181313

        Reviewed by Michael Saboff.

        We should have index masking for our TypedArray code in the
        DFG/FTL and for Wasm when doing bounds checking. Index masking for
        Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any
        WasmBoundsCheckValues we don't need to worry about combining a
        bounds check for a load and a store. I went with fusing the
        pointer masking in the WasmBoundsCheckValue since it should reduce
        additional compiler overhead.

        * b3/B3LowerToAir.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
        * b3/B3WasmBoundsCheckValue.h:
        (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::WasmBoundsCheckCustom::generate):
        (JSC::B3::testWasmBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::computeIndexingMask const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::B3IRGenerator::load):
        (JSC::Wasm::B3IRGenerator::store):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::Memory::offsetOfIndexingMask):
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::PinnedRegisterInfo::get):
        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
        * wasm/WasmMemoryInformation.h:
        (JSC::Wasm::PinnedRegisterInfo::toSave const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):

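Index masking as the entries above describe it (an indexing mask computed from the length and applied to the index on typed-array loads in the DFG/FTL, and fused into the Wasm bounds check), shown as a worked example added for this page. It is not JSC's code: the computeIndexingMask below is this example's own illustrative construction, not Butterfly::computeIndexingMask, and TypedArrayView, loadMasked, maskedIndex and LoadResult are names assumed here. The resize path also covers the failure mode that the later entry "Array Storage operations sometimes did not update the indexing mask correctly" is about: every length change has to recompute the mask.

```cpp
// Index masking as a Spectre bounds-check hardening. Example code written for
// this ChangeLog page; it is not JSC's Butterfly::computeIndexingMask or the
// DFG/FTL/Wasm code paths named in the entries above.
#include <cstdint>
#include <utility>
#include <vector>

// Smallest mask of the form 2^k - 1 that covers every valid index 0..length-1.
// For any in-bounds index, index & mask == index, so the mask costs nothing on
// the architectural path; if the bounds-check branch is mispredicted, the
// speculative access is clamped to [0, mask] instead of reaching anywhere.
uint32_t computeIndexingMask(uint32_t length)
{
    if (length == 0)
        return 0;
    uint32_t mask = 0;
    while (mask < length - 1)
        mask = (mask << 1) | 1;
    return mask;
}

// Stand-in for a typed-array view (constructed for this example): backing
// store, element count and the cached indexing mask.
struct TypedArrayView {
    std::vector<int32_t> storage;
    uint32_t length;
    uint32_t indexingMask;

    static TypedArrayView create(std::vector<int32_t> elements)
    {
        uint32_t length = static_cast<uint32_t>(elements.size());
        return { std::move(elements), length, computeIndexingMask(length) };
    }

    // Every operation that changes the length must recompute the mask.
    // A stale mask that is too small clobbers valid indices (a correctness
    // bug); a stale mask that is too large after shrinking silently widens
    // the window that speculation can reach.
    void resize(uint32_t newLength)
    {
        storage.resize(newLength);
        length = newLength;
        indexingMask = computeIndexingMask(newLength);
    }
};

// The index that is actually fed to the memory access once masking applies.
uint32_t maskedIndex(const TypedArrayView& view, uint32_t index)
{
    return index & view.indexingMask;
}

struct LoadResult {
    bool inBounds;
    int32_t value; // meaningful only when inBounds is true
};

// Bounds-checked load with index masking. The branch gives the architectural
// guarantee; the mask bounds what a mispredicted branch can touch.
LoadResult loadMasked(const TypedArrayView& view, uint32_t index)
{
    if (index >= view.length)
        return { false, 0 };
    return { true, view.storage[maskedIndex(view, index)] };
}
```

The mask leaves in-bounds indices untouched, so beyond the AND it adds no architectural cost; what it buys is a bound on mispredicted accesses. An attacker-chosen index of 0x7fffffff against a five-element array is clamped to 7, inside the next power of two above the length rather than anywhere in the address space. That residual window is why this is a mitigation rather than a fix, and the bounds check remains the architectural guarantee; the disableSpectreMitigations option in the entry above exists to measure exactly this trade-off. Wasm linear memory applies the same idea to the byte offset, with the mask derived from the memory size and stored alongside it.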
2018-01-05 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r226434.
        https://bugs.webkit.org/show_bug.cgi?id=181322

        32bit JSC failure in x86 (Requested by yusukesuzuki on

        "[DFG] Unify ToNumber implementation in 32bit and 64bit by
        changing 32bit Int32Tag and LowestTag"
        https://bugs.webkit.org/show_bug.cgi?id=181134
        https://trac.webkit.org/changeset/226434

2018-01-04 Devin Rousso <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2018-01-04 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r226405.
        https://bugs.webkit.org/show_bug.cgi?id=181318

        Speculative rollout due to Octane/SplayLatency,Octane/Splay
        regressions (Requested by yusukesuzuki on #webkit).

        "[JSC] Create parallel SlotVisitors apriori"
        https://bugs.webkit.org/show_bug.cgi?id=180907
        https://trac.webkit.org/changeset/226405

2018-01-04 Saam Barati <sbarati@apple.com>

        Do value profiling in to_this
        https://bugs.webkit.org/show_bug.cgi?id=181299

        Reviewed by Filip Pizlo.

        This patch adds value profiling to to_this. We use the result of the value
        profiling only for strict mode code when we don't predict that the input is
        of a specific type. This helps when the input is SpecCellOther. Such cells
        might implement a custom ToThis, which can produce an arbitrary result. Before
        this patch, in prediction propagation, we were saying that a ToThis with a
        SpecCellOther input also produced SpecCellOther. However, this is incorrect,
        given that the input may implement ToThis that produces an arbitrary result.
        This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer.

        Interestingly, this patch only does value profiling on the slow path. The fast
        path of to_this in the LLInt/baseline just performs a structure check. If it
        passes, the result is the same as the input. Therefore, doing value profiling
        from the fast path wouldn't actually produce new information for the ValueProfile.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitToThis):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>

        [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
        https://bugs.webkit.org/show_bug.cgi?id=181134

        Reviewed by Mark Lam.

        We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that
        branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires
        an additional scratch register. We do not want to allocate an unnecessary register in 64bit

        This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit
        and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By
        setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking
        `<= LowestTag(Int32Tag)`.

        We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`.

        We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        (JSC::DFG::SpeculativeJIT::compileToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfMisc):
        (JSC::AssemblyHelpers::branchIfNotMisc):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::emitTypeOf):
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::loadOperand):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITNegGenerator.cpp:
        (JSC::JITNegGenerator::generateInline):
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateInline):
        (JSC::JITSubGenerator::generateFastPath):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/JSCJSValue.h:

2018-01-04 JF Bastien <jfbastien@apple.com>

        Add assembler support for x86 lfence and sfence
        https://bugs.webkit.org/show_bug.cgi?id=181311
        <rdar://problem/36301780>

        Reviewed by Michael Saboff.

        Useful for testing performance of serializing instructions (hint:

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lfence):
        (JSC::MacroAssemblerX86Common::sfence):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::lfence):
        (JSC::X86Assembler::sfence):

2018-01-04 Saam Barati <sbarati@apple.com>

        Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
        https://bugs.webkit.org/show_bug.cgi?id=181296

        Reviewed by Filip Pizlo.

        Inside Speedometer's Ember test, there is a recompile loop like:
        a: GetByVal(..., semanticOriginX)
        b: SetLocal(Cell:@a, semanticOriginX)

        where the cell check always fails. For reasons I didn't investigate, the
        baseline JIT's value profiling doesn't accurately capture the GetByVal's

        However, when compiling this cell speculation check in the DFG, we get a null
        MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
        this IR pattern because both @a and @b have the same semantic origin. We
        should not follow the same semantic origin heuristic when dealing with
        SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
        For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
        For this IR pattern, we will update the value profile for the semantic origin
        for @nodeWithHeapPrediction. So, for the Speedometer example above, we
        will correctly update the GetByVal's value profile, which will prevent

        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2018-01-04 Keith Miller <keith_miller@apple.com>

        Array Storage operations sometimes did not update the indexing mask correctly.
        https://bugs.webkit.org/show_bug.cgi?id=181301

        Reviewed by Mark Lam.

        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::increaseVectorLength):

2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
        To handle the slightly tricky DFG Map operation nodes, MapSet and SetAdd
        produce the added bucket as their result. Subsequent GetMapBucket will

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):

2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>

        [JSC] Remove LocalScope
        https://bugs.webkit.org/show_bug.cgi?id=181206

        Reviewed by Geoffrey Garen.

        The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
        This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer. And remove HandleStack

        We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold
        JSObject* directly in their fields.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/HandleStack.cpp: Removed.
        * heap/HandleStack.h: Removed.
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack): Deleted.
        * heap/Local.h: Removed.
        * heap/LocalScope.h: Removed.
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::object const):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::callReviver):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):

2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>

        [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
        https://bugs.webkit.org/show_bug.cgi?id=180238

        Reviewed by Saam Barati.

        We can optimize ObjectAllocationSinking a bit by using removeIf.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors apriori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        (JSC::Heap::runBeginPhase):
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-03 Ting-Wei Lan <lantw44@gmail.com>

        Replace hard-coded paths in shebangs with #!/usr/bin/env
        https://bugs.webkit.org/show_bug.cgi?id=181040

        Reviewed by Alex Christensen.

        * Scripts/UpdateContents.py:
        * Scripts/generate-combined-inspector-json.py:
        * generate-bytecode-files:
        * wasm/generateWasm.py:
        * wasm/generateWasmOpsHeader.py:
        * yarr/generateYarrCanonicalizeUnicode:

2018-01-03 Michael Saboff <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Removed SharedArrayBuffer prototype and structure from GlobalObject creation

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype const):
        (JSC::JSGlobalObject::arrayBufferStructure const):

2018-01-03 Michael Saboff <msaboff@apple.com>

        Add "noInline" to $vm
        https://bugs.webkit.org/show_bug.cgi?id=181265

        Reviewed by Mark Lam.

        This would be useful for web based tests.

        * tools/JSDollarVM.cpp:
        (JSC::getExecutableForFunction):
        (JSC::functionNoInline):
        (JSC::JSDollarVM::finishCreation):

2018-01-03 Michael Saboff <msaboff@apple.com>

        Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
        https://bugs.webkit.org/show_bug.cgi?id=181263

        Reviewed by Mark Lam.

        Flushing the butterfly pointer provides no benefit and slows this function.

        * tools/JSDollarVM.cpp:
        (JSC::functionCpuClflush):

2018-01-03 Saam Barati <sbarati@apple.com>

        Fix BytecodeParser op_catch assert to work with useProfiler=1
        https://bugs.webkit.org/show_bug.cgi?id=181260

        Reviewed by Keith Miller.

        op_catch was asserting that the current block was empty. This is only true
        if the profiler isn't enabled. When the profiler is enabled, we will
        insert a CountExecution node before each bytecode. This patch fixes the
        assert to work with the profiler.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-01-03 Per Arne Vollan <pvollan@apple.com>

        [Win][Debug] testapi link error.
        https://bugs.webkit.org/show_bug.cgi?id=181247
        <rdar://problem/36166729>

        Reviewed by Brent Fulgham.

        Do not set the runtime library compile flag for C files, it is already set to the correct value.

        * shell/PlatformWin.cmake:

2018-01-03 Robin Morisset <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-01-02 Saam Barati <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        Consider a PutById compiled to a setter in a function like so:

        function foo(o) { o.f = o; }

        The DFG will often assign the same registers to the baseGPR (o in o.f) and the
        valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
        to the same register. However, we're asserting that they're not the same register.
        This patch just removes this invalid assertion.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2018-01-02 Caio Lima <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        This patch is implementing BigIntConstructor and BigIntPrototype
        following spec[1, 2]. In addition, we are also implementing BigIntObject
        wrapper to handle ToObject(v) abstract operation when "v" is a BigInt
        primitive. With these classes, now it's possible to synthesize
        BigInt.prototype and then call "toString", "valueOf" and
        "toLocaleString" when the primitive is a BigInt.
        BigIntConstructor exposes an API to parse other primitives such as
        Number, Boolean and String to BigInt.
        We decided to skip parseInt implementation, since it was removed from

        [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
        [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object

        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:

        * runtime/BigIntConstructor.cpp: Added.
        (JSC::BigIntConstructor::BigIntConstructor):
        (JSC::BigIntConstructor::finishCreation):
        (JSC::isSafeInteger):
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntConstructor.h: Added.
        (JSC::BigIntConstructor::create):
        (JSC::BigIntConstructor::createStructure):
        * runtime/BigIntObject.cpp: Added.
        (JSC::BigIntObject::BigIntObject):
        (JSC::BigIntObject::finishCreation):
        (JSC::BigIntObject::toStringName):
        (JSC::BigIntObject::defaultValue):
        * runtime/BigIntObject.h: Added.
        (JSC::BigIntObject::create):
        (JSC::BigIntObject::internalValue const):
        (JSC::BigIntObject::createStructure):
        * runtime/BigIntPrototype.cpp: Added.
        (JSC::BigIntPrototype::BigIntPrototype):
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BigIntPrototype.h: Added.
        (JSC::BigIntPrototype::create):
        (JSC::BigIntPrototype::createStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toObject const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        * runtime/JSCPoisonedPtr.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::bigIntPrototype const):
        (JSC::JSGlobalObject::bigIntObjectStructure const):
        * runtime/StructureCache.h:
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):

2018-01-02 Tim Horton <timothy_horton@apple.com>

        Fix the MathCommon build with a recent compiler
        https://bugs.webkit.org/show_bug.cgi?id=181216

        Reviewed by Sam Weinig.

        * runtime/MathCommon.cpp:

        This cast drops the 'const' qualifier from the pointer to 'one',
        but it doesn't have to, and it makes the compiler sad.

== Rolled over to ChangeLog-2018-01-01 ==