2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>

        [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
        https://bugs.webkit.org/show_bug.cgi?id=180190

        If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
        path by calling operationHasIndexedProperty. The problem is that
        operationHasIndexedProperty does not account for a negative index. The negative
        index was used as a uint32 array index.

        In this patch we add a path for a negative index in operationHasIndexedProperty,
        and rename it to operationHasIndexedPropertyByInt to make the intention clear.
        We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
        since it is only used in DFG and FTL.

        While fixing this bug, we found that our op_in does not record OutOfBound feedback.
        This causes repeated OSR exit and significantly regresses performance. We opened
        a bug to track this issue [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=180192

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
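The sign-conversion pitfall behind the entry above, as an added C++ example that is not JSC's own code: a constructed ToyArray stand-in, a buggy hasIndexedProperty shape that reinterprets the int32 index as uint32 before ever checking its sign, and the fixed shape that routes negative indices to a separate path first. ToyArray, hasIndexedPropertyBuggy, hasIndexedPropertyFixed and the sample helpers are names assumed here, not JSC identifiers.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed model of an array with a contiguous "vector" part and a map of
// named properties. In JavaScript a negative index such as -1 is not an array
// index at all; it is the ordinary string property key "-1". This is not JSC's
// own data structure, only a stand-in to show the sign-conversion pitfall.
struct ToyArray {
    std::vector<double> vectorPart;            // indexed storage [0, length)
    std::map<std::string, double> namedProps;  // "-1", "foo", ... (constructed)
};

// What the implicit int32 -> uint32 conversion produces: -1 becomes 4294967295.
uint32_t int32AsUint32(int32_t index)
{
    return static_cast<uint32_t>(index);
}

// Buggy shape: the signed index is reinterpreted as uint32 before any sign
// check, so a negative value is looked up as a (huge) array index and the
// generic property path for the key "-1" is never taken.
bool hasIndexedPropertyBuggy(const ToyArray& arr, int32_t index)
{
    uint32_t u = int32AsUint32(index);
    if (u < arr.vectorPart.size())
        return true;
    // Out-of-range indices fall back to a named lookup of the *unsigned* text.
    return arr.namedProps.count(std::to_string(u)) != 0;
}

// Fixed shape, as the ChangeLog entry describes: negative indices take a
// separate path before the value is ever treated as an unsigned index.
bool hasIndexedPropertyFixed(const ToyArray& arr, int32_t index)
{
    if (index < 0)
        return arr.namedProps.count(std::to_string(index)) != 0;
    uint32_t u = static_cast<uint32_t>(index);
    if (u < arr.vectorPart.size())
        return true;
    return arr.namedProps.count(std::to_string(u)) != 0;
}

// Constructed sample: three elements plus a named property "-1".
ToyArray sampleWithNegativeKey()
{
    ToyArray arr;
    arr.vectorPart = {1.0, 2.0, 3.0};
    arr.namedProps["-1"] = 10.0;
    return arr;
}

// Constructed sample: three elements plus a named property "4294967295",
// which is exactly what -1 turns into after the unsigned reinterpretation.
ToyArray sampleWithHugeKey()
{
    ToyArray arr;
    arr.vectorPart = {1.0, 2.0, 3.0};
    arr.namedProps["4294967295"] = 20.0;
    return arr;
}

int main()
{
    // The two versions agree on ordinary indices and disagree on negative ones.
    assert(hasIndexedPropertyBuggy(sampleWithNegativeKey(), 2));
    assert(hasIndexedPropertyFixed(sampleWithNegativeKey(), 2));
    assert(!hasIndexedPropertyBuggy(sampleWithNegativeKey(), -1)); // misses "-1"
    assert(hasIndexedPropertyFixed(sampleWithNegativeKey(), -1));
    assert(hasIndexedPropertyBuggy(sampleWithHugeKey(), -1));      // finds the wrong key
    assert(!hasIndexedPropertyFixed(sampleWithHugeKey(), -1));
    return 0;
}
```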
2017-11-30 Michael Saboff <msaboff@apple.com>

        Allow JSC command line tool to accept UTF8
        https://bugs.webkit.org/show_bug.cgi?id=180205

        Reviewed by Keith Miller.

        This unifies the UTF8 handling of interactive mode with that of source files.

2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>

        REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
        https://bugs.webkit.org/show_bug.cgi?id=180185

        Reviewed by Carlos Garcia Campos.

        After r225314, we start using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
        But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
        can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
        And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
        DFG node can be emitted if we see an untaken path that includes String + String code.

        This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
        As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
        I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
        original code used before r225314.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2017-11-28 Filip Pizlo <fpizlo@apple.com>

        CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
        https://bugs.webkit.org/show_bug.cgi?id=180108

        Reviewed by Saam Barati.

        This was creating a vector of things to remove and then removing them. I think I remember writing
        this code, and I did that because at the time we did not have removeAllMatching, which is
        definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
        obvious improvement before I did more fundamental things to this code.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2017-11-29 Filip Pizlo <fpizlo@apple.com>

        GC should support isoheaps
        https://bugs.webkit.org/show_bug.cgi?id=179288

        Reviewed by Saam Barati.

        This expands the power of the Subspace API in JSC:

        - Everything associated with describing the types of objects is now part of the HeapCellType class.
          We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
          HeapCellType; these are orthogonal things.

        - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
          any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
          special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
          pages but releases the physical pages as part of the respective allocator's scavenging policy
          (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for

        So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it

        This does not have any effect on JetStream (0.18% faster with p = 0.69).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/AlignedMemoryAllocator.cpp:
        (JSC::AlignedMemoryAllocator::registerAllocator):
        (JSC::AlignedMemoryAllocator::registerSubspace):
        * heap/AlignedMemoryAllocator.h:
        (JSC::AlignedMemoryAllocator::firstAllocator const):
        * heap/AllocationFailureMode.h: Added.
        * heap/CompleteSubspace.cpp: Added.
        (JSC::CompleteSubspace::CompleteSubspace):
        (JSC::CompleteSubspace::~CompleteSubspace):
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocate):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::allocateSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h: Added.
        (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/HeapCellType.cpp: Added.
        (JSC::HeapCellType::HeapCellType):
        (JSC::HeapCellType::~HeapCellType):
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * heap/HeapCellType.h: Added.
        (JSC::HeapCellType::attributes const):
        * heap/IsoAlignedMemoryAllocator.cpp: Added.
        (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::dump const):
        * heap/IsoAlignedMemoryAllocator.h: Added.
        * heap/IsoSubspace.cpp: Added.
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::~IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocatorForNonVirtual):
        (JSC::IsoSubspace::allocate):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h: Added.
        (JSC::IsoSubspace::size const):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::setSubspace):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addMarkedAllocator):
        * heap/MarkedSpace.h:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::initialize):
        (JSC::Subspace::finishSweep):
        (JSC::Subspace::destroy):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        (JSC::Subspace::allocate): Deleted.
        (JSC::Subspace::tryAllocate): Deleted.
        (JSC::Subspace::allocatorForSlow): Deleted.
        (JSC::Subspace::allocateSlow): Deleted.
        (JSC::Subspace::tryAllocateSlow): Deleted.
        (JSC::Subspace::didAllocate): Deleted.
        (JSC::Subspace::heapCellType const):
        (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
        (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
        (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
        (JSC::Subspace::allocatorForSizeStep): Deleted.
        (JSC::Subspace::tryAllocatorFor): Deleted.
        (JSC::Subspace::allocatorFor): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        * runtime/DirectEvalExecutable.h:
        * runtime/EvalExecutable.h:
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::subspaceFor):
        * runtime/FunctionExecutable.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/IndirectEvalExecutable.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::subspaceFor):
        (JSC::tryAllocateCellHelper):
        (JSC::tryAllocateCell):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::subspaceFor):
        * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
        (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
        * runtime/JSDestructibleObjectSubspace.cpp: Removed.
        * runtime/JSDestructibleObjectSubspace.h: Removed.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
        * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
        * runtime/JSString.h:
        (JSC::JSString::subspaceFor):
        * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        (JSC::JSStringHeapCellType::~JSStringHeapCellType):
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        (JSC::JSStringSubspace::JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::finishSweep): Deleted.
        (JSC::JSStringSubspace::destroy): Deleted.
        * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
        * runtime/JSStringSubspace.cpp: Removed.
        * runtime/JSStringSubspace.h: Removed.
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        (JSC::VM::gigacageAuxiliarySpace):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):
2017-11-29 Saam Barati <sbarati@apple.com>

        Remove pointer caging for double arrays
        https://bugs.webkit.org/show_bug.cgi?id=180163

        Reviewed by Mark Lam.

        This patch removes pointer caging from double arrays. Like
        my previous removals of pointer caging, this is a security vs
        performance tradeoff. We believe that butterflies being allocated
        in the cage and with a 32GB runway gives us enough security that
        pointer caging the butterfly just for double arrays does not add
        enough security benefit for the performance hit it incurs.

        This patch also removes the GetButterflyWithoutCaging node and
        the FixedButterflyAccessUncaging phase. The node is no longer needed
        because now all GetButterfly nodes are not caged. The phase is removed
        since we no longer have two nodes.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::pointer):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::caged): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
2017-11-29 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):
2017-11-29 Matt Lewis <jlewis3@apple.com>

        Unreviewed, rolling out r225286.

        The source files within this patch have been marked as

        "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
        https://bugs.webkit.org/show_bug.cgi?id=175447
        https://trac.webkit.org/changeset/225286

2017-11-29 Alex Christensen <achristensen@webkit.org>

2017-11-29 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):
2017-11-28 JF Bastien <jfbastien@apple.com>

        Strict and sloppy functions shouldn't share structure
        https://bugs.webkit.org/show_bug.cgi?id=180103
        <rdar://problem/35667847>

        Reviewed by Saam Barati.

        Sloppy and strict functions don't act the same when it comes to
        arguments, caller, and callee. Sharing a structure means that
        anything that is cached gets shared, and that's incorrect.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create): the second ::create is always strict
        because it applies to native functions.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::strictFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::nativeStdFunctionStructure const):
        (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
        (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
2017-11-29 Yusuke Suzuki <utatane.tea@gmail.com>

        [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
        https://bugs.webkit.org/show_bug.cgi?id=180070

        Reviewed by Saam Barati.

        This patch adds getEffectiveAddress in all JIT platforms.
        This is an abstracted version of x86 lea.

        We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::getEffectiveAddress):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::getEffectiveAddress):
        (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::getEffectiveAddress):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::getEffectiveAddress):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::getEffectiveAddress):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::getEffectiveAddress):
        (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testGetEffectiveAddress):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
2017-11-29 Robin Morisset <rmorisset@apple.com>

        The recursive tail call optimisation is wrong on closures
        https://bugs.webkit.org/show_bug.cgi?id=179835

        Reviewed by Saam Barati.

        The problem is that we only check the executable of the callee, not whatever variables might have been captured.
        As a stopgap measure this patch just does not do the optimisation for closures.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2017-11-28 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Clean up Inspector classes to be more consistent about using fast malloc / noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=180119

        Reviewed by Devin Rousso.

        * inspector/InjectedScriptManager.h:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2017-11-28 Joseph Pecoraro <pecoraro@apple.com>

        ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
        https://bugs.webkit.org/show_bug.cgi?id=179642
        <rdar://problem/35517704>

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Expose the NetworkAgent for a Service Worker inspector.
2017-11-28 Brian Burg <bburg@apple.com>

        [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
        https://bugs.webkit.org/show_bug.cgi?id=179696

        Reviewed by Timothy Hatcher.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_raw_name):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member.is):
        (ObjCGenerator.protocol_to_objc_expression_for_member):
        (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
        (ObjCGenerator.objc_setter_method_for_member_internal):
        (ObjCGenerator.objc_getter_method_for_member_internal):
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2017-11-27 JF Bastien <jfbastien@apple.com>

        JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=180051
        <rdar://problem/35614371>

        Reviewed by Saam Barati.

        Checking for int32 isn't sufficient when uint32 is expected
        afterwards. While we're here, also use Checked<>.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2017-11-14 Carlos Garcia Campos <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Joseph Pecoraro.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/DeprecatedInspectorValues.cpp: Added.
        * inspector/DeprecatedInspectorValues.h: Added.
        Keep the old symbols around in JavaScriptCore so that builds with the
        public iOS SDK continue to work. These older SDKs include a version of
        WebInspector.framework that expects to find InspectorArray and other
        symbols in JavaScriptCore.framework.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::castToInteger):
        (Inspector::castToNumber):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        We need to keep around the sendResponse() variant with a parameter that
        has the InspectorObject type, as older WebInspector.framework versions
        expect this symbol to exist. Introduce a variant with arity 3 that can
        be used in TOT so as to avoid having two methods with the same name, arity, and
        different parameter types.

        When system WebInspector.framework is updated, we can remove the legacy
        method variant that uses the InspectorObject type. At that point, we can
        transition TOT to use the 2-arity variant, and delete the 3-arity variant
        when system WebInspector.framework is updated once more to use the 2-arity one.

        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
        * inspector/ScriptCallFrame.cpp:
        * inspector/ScriptCallStack.cpp:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_unchecked_setter_for_member):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generator.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
757 * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
758 * inspector/scripts/tests/generic/expected/enum-values.json-result:
759 * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
760 * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
761 * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
762 * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
763 * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
764 * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
765 * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
766 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
767 * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
768 * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
769 * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
770 * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
771 * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
773 2017-11-28 Robin Morisset <rmorisset@apple.com>
775 Support recursive tail call optimization for polymorphic calls
776 https://bugs.webkit.org/show_bug.cgi?id=178390
778 Reviewed by Saam Barati.
780 Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
781 eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
783 Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
785 * dfg/DFGByteCodeParser.cpp:
786 (JSC::DFG::ByteCodeParser::handleCall):
787 (JSC::DFG::ByteCodeParser::handleVarargsCall):
788 (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
789 (JSC::DFG::ByteCodeParser::inlineCall):
790 (JSC::DFG::ByteCodeParser::handleCallVariant):
791 (JSC::DFG::ByteCodeParser::handleVarargsInlining):
792 (JSC::DFG::ByteCodeParser::getInliningBalance):
793 (JSC::DFG::ByteCodeParser::handleInlining):
794 (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
796 2017-11-27 Saam Barati <sbarati@apple.com>
798 Spread can escape when CreateRest does not
799 https://bugs.webkit.org/show_bug.cgi?id=180057
800 <rdar://problem/35676119>
802 Reviewed by JF Bastien.
804 We previously did not handle Spread(PhantomCreateRest) only because I did not
805 think it was possible to generate this IR. I was wrong. We can generate
806 such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
807 This IR is rare to generate since we normally don't PutStack(Spread) because
808 the SetLocal almost always gets eliminated because of how our bytecode generates
809 op_spread. However, there exists a test case showing it is possible. Supporting
810 this IR pattern in FTLLower is trivial. This patch implements it and rewrites
811 the Validation rule for Spread.
813 * dfg/DFGOperations.cpp:
814 * dfg/DFGOperations.h:
815 * dfg/DFGValidate.cpp:
816 * ftl/FTLLowerDFGToB3.cpp:
817 (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
818 * runtime/JSFixedArray.h:
819 (JSC::JSFixedArray::tryCreate):
821 2017-11-27 Don Olmstead <don.olmstead@sony.com>
823 [CMake][Win] Conditionally select DLL CRT or static CRT
824 https://bugs.webkit.org/show_bug.cgi?id=170594
826 Reviewed by Alex Christensen.
828 * shell/PlatformWin.cmake:
830 2017-11-27 Saam Barati <sbarati@apple.com>
832 Having a bad time watchpoint firing during compilation revealed a racy assertion
833 https://bugs.webkit.org/show_bug.cgi?id=180048
834 <rdar://problem/35700009>
836 Reviewed by Mark Lam.
838 While a DFG compilation is watching the having a bad time watchpoint, it was
839 asserting that the rest parameter structure has indexing type ArrayWithContiguous.
840 However, if the having a bad time watchpoint fires during the compilation,
841 this particular structure will no longer have ArrayWithContiguous indexing type.
842 This patch fixes this racy assertion to be aware that the watchpoint may fire
845 * dfg/DFGSpeculativeJIT.cpp:
846 (JSC::DFG::SpeculativeJIT::compileCreateRest):
847 (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
849 2017-11-27 Tim Horton <timothy_horton@apple.com>
851 One too many zeroes in macOS version number in FeatureDefines
852 https://bugs.webkit.org/show_bug.cgi?id=180011
854 Reviewed by Dan Bernstein.
856 * Configurations/FeatureDefines.xcconfig:
858 2017-11-27 Robin Morisset <rmorisset@apple.com>
860 Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
861 https://bugs.webkit.org/show_bug.cgi?id=179821
863 Reviewed by Saam Barati.
865 * dfg/DFGSafeToExecute.h:
866 (JSC::DFG::safeToExecute):
868 2017-11-21 Yusuke Suzuki <utatane.tea@gmail.com>
870 [DFG] Add NormalizeMapKey DFG IR
871 https://bugs.webkit.org/show_bug.cgi?id=179912
873 Reviewed by Saam Barati.
875 This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
876 By separating this from MapHash and Map/Set related operations, we can perform CSE on it, and we
877 do not need to call normalizeMapKey conservatively in DFG operations.
878 This can reduce the slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
880 * dfg/DFGAbstractInterpreterInlines.h:
881 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
882 * dfg/DFGByteCodeParser.cpp:
883 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
884 * dfg/DFGClobberize.h:
885 (JSC::DFG::clobberize):
888 * dfg/DFGFixupPhase.cpp:
889 (JSC::DFG::FixupPhase::fixupNode):
890 (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
892 * dfg/DFGOperations.cpp:
893 * dfg/DFGPredictionPropagationPhase.cpp:
894 * dfg/DFGSafeToExecute.h:
895 (JSC::DFG::safeToExecute):
896 * dfg/DFGSpeculativeJIT.cpp:
897 (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
898 * dfg/DFGSpeculativeJIT.h:
899 * dfg/DFGSpeculativeJIT32_64.cpp:
900 (JSC::DFG::SpeculativeJIT::compile):
901 * dfg/DFGSpeculativeJIT64.cpp:
902 (JSC::DFG::SpeculativeJIT::compile):
903 * ftl/FTLCapabilities.cpp:
904 (JSC::FTL::canCompile):
905 * ftl/FTLLowerDFGToB3.cpp:
906 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
907 (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
908 (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
909 (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
910 * runtime/HashMapImpl.h:
912 2017-11-26 Yusuke Suzuki <utatane.tea@gmail.com>
914 [FTL] Support DeleteById and DeleteByVal
915 https://bugs.webkit.org/show_bug.cgi?id=180022
917 Reviewed by Saam Barati.
919 We should increase the coverage of FTL. Even if the code includes DeleteById,
920 it does not mean that the remaining part of the code should not be optimized in FTL.
921 Right now, even CallEval and `with` scope are handled in FTL.
923 This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
926 * ftl/FTLCapabilities.cpp:
927 (JSC::FTL::canCompile):
928 * ftl/FTLLowerDFGToB3.cpp:
929 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
930 (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
931 (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
933 2017-11-26 Yusuke Suzuki <utatane.tea@gmail.com>
935 [DFG] Introduce {Set,Map,WeakMap}Fields
936 https://bugs.webkit.org/show_bug.cgi?id=179925
938 Reviewed by Saam Barati.
940 SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
941 writes readonly MiscFields which is used by various nodes and makes optimization
944 We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
946 * dfg/DFGAbstractHeap.h:
947 * dfg/DFGByteCodeParser.cpp:
948 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
949 * dfg/DFGClobberize.h:
950 (JSC::DFG::clobberize):
951 * dfg/DFGHeapLocation.cpp:
952 (WTF::printInternal):
953 * dfg/DFGHeapLocation.h:
955 (JSC::DFG::Node::hasBucketOwnerType):
957 2017-11-26 Yusuke Suzuki <utatane.tea@gmail.com>
959 [JSC] Remove JSStringBuilder
960 https://bugs.webkit.org/show_bug.cgi?id=180016
962 Reviewed by Saam Barati.
964 JSStringBuilder is replaced with WTF::StringBuilder.
965 This patch removes the remaining uses and drops JSStringBuilder.
967 * JavaScriptCore.xcodeproj/project.pbxproj:
968 * runtime/ArrayPrototype.cpp:
969 * runtime/AsyncFunctionPrototype.cpp:
970 * runtime/AsyncGeneratorFunctionPrototype.cpp:
971 * runtime/ErrorPrototype.cpp:
972 * runtime/FunctionPrototype.cpp:
973 * runtime/GeneratorFunctionPrototype.cpp:
974 * runtime/JSGlobalObjectFunctions.cpp:
976 (JSC::globalFuncEscape):
977 * runtime/JSStringBuilder.h: Removed.
978 * runtime/JSStringInlines.h:
979 (JSC::jsMakeNontrivialString):
980 * runtime/RegExpPrototype.cpp:
981 * runtime/StringPrototype.cpp:
983 2017-11-26 Yusuke Suzuki <utatane.tea@gmail.com>
985 [DFG] Remove GetLocalUnlinked
986 https://bugs.webkit.org/show_bug.cgi?id=180017
988 Reviewed by Saam Barati.
990 Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
991 This patch just removes it.
993 * dfg/DFGAbstractInterpreterInlines.h:
994 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
995 * dfg/DFGClobberize.h:
996 (JSC::DFG::clobberize):
1000 * dfg/DFGFixupPhase.cpp:
1001 (JSC::DFG::FixupPhase::fixupNode):
1003 (JSC::DFG::Graph::dump):
1005 (JSC::DFG::Node::hasUnlinkedLocal):
1006 (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
1007 (JSC::DFG::Node::convertToGetLocal): Deleted.
1008 (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
1009 (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
1010 (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
1011 * dfg/DFGNodeType.h:
1012 * dfg/DFGPredictionPropagationPhase.cpp:
1013 * dfg/DFGSafeToExecute.h:
1014 (JSC::DFG::safeToExecute):
1015 * dfg/DFGSpeculativeJIT32_64.cpp:
1016 (JSC::DFG::SpeculativeJIT::compile):
1017 * dfg/DFGSpeculativeJIT64.cpp:
1018 (JSC::DFG::SpeculativeJIT::compile):
1019 * dfg/DFGStackLayoutPhase.cpp:
1020 (JSC::DFG::StackLayoutPhase::run):
1021 * dfg/DFGValidate.cpp:
1023 2017-11-26 Yusuke Suzuki <utatane.tea@gmail.com>
1025 Make ArgList::data() private again when we can remove callWasmFunction().
1026 https://bugs.webkit.org/show_bug.cgi?id=168582
1028 Reviewed by JF Bastien.
1030 Make ArgList::data() private since we already removed callWasmFunction.
1032 * runtime/ArgList.h:
1034 2016-08-05 Darin Adler <darin@apple.com>
1036 Fix some minor problems in the StringImpl header
1037 https://bugs.webkit.org/show_bug.cgi?id=160630
1039 Reviewed by Brent Fulgham.
1041 * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
1042 Yarr namespacing since we use "using namespace" in this file.
1044 2017-11-24 Mark Lam <mark.lam@apple.com>
1046 Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
1047 https://bugs.webkit.org/show_bug.cgi?id=179936
1048 <rdar://problem/35623998>
1050 Reviewed by Saam Barati.
1052 This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
1053 See https://bugs.webkit.org/show_bug.cgi?id=179684.
1055 Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
1056 was allocating stack space to stash arguments (to be forwarded) and new frame
1057 info. The location of this new stash space happens to lie beyond the top of frame
1058 of the tail call caller frame. After stashing the arguments, the code proceeded
1059 to load the callee codeBlock. This triggered an allocation, which in turn,
1060 triggered stack sanitization. The CLoop stack sanitizer was relying on
1061 frame->topOfFrame() to tell it where the top of the used stack is. In this case,
1062 that turned out to be inadequate. As a result, part of the stashed data was
1063 zeroed out, and subsequently led to a crash.
1065 This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
1066 1. JIT builds do stack sanitization in the LLInt code itself (different from the
1067 CLoop implementation), and the sanitizer there is aware of the true top of
1068 stack value (i.e. the stack pointer).
1069 2. JIT builds don't use a parallel stack like the CLoop. The presence of the
1070 parallel stack is one condition necessary for reproducing this issue.
1072 The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
1073 every time before it calls out to native C++ code. This also brings the CLoop's
1074 behavior closer to hardware behavior where we can know where the stack pointer
1075 is after calling from JS back into native C++ code, which makes it easier to
1076 reason about correctness.
1078 Also simplified the various stack boundary calculations (removed the +1 and -1
1079 adjustments). The CLoopStack bounds are now:
1081 reservationTop(): the lowest reserved address that can be within stack bounds.
1082 m_commitTop: the lowest address within stack bounds that has been committed.
1083 lowAddress() aka m_end: the lowest stack address that JS code can use.
1084 m_lastStackPointer: cache of the last m_currentStackPointer value.
1085 m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
1086 highAddress(): the highest address just beyond the bounds of the stack.
1088 Also deleted some unneeded code.
1090 * interpreter/CLoopStack.cpp:
1091 (JSC::CLoopStack::CLoopStack):
1092 (JSC::CLoopStack::gatherConservativeRoots):
1093 (JSC::CLoopStack::sanitizeStack):
1094 (JSC::CLoopStack::setSoftReservedZoneSize):
1095 * interpreter/CLoopStack.h:
1096 (JSC::CLoopStack::setCurrentStackPointer):
1097 (JSC::CLoopStack::lowAddress const):
1099 (JSC::CLoopStack::baseOfStack const): Deleted.
1100 - Not needed after we simplified the code and removed all the +1/-1 adjustments.
1101 Now, it has the exact same value as highAddress() and can be removed.
1103 * interpreter/CLoopStackInlines.h:
1104 (JSC::CLoopStack::ensureCapacityFor):
1105 (JSC::CLoopStack::currentStackPointer):
1106 (JSC::CLoopStack::setCLoopStackLimit):
1108 (JSC::CLoopStack::topOfFrameFor): Deleted.
1111 (JSC::CLoopStack::topOfStack): Deleted.
1112 - Supplanted by currentStackPointer().
1114 (JSC::CLoopStack::shrink): Deleted.
1117 * llint/LowLevelInterpreter.cpp:
1118 (JSC::CLoop::execute):
1119 - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
1120 upon exiting the interpreter loop.
1122 * offlineasm/cloop.rb:
1123 - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
1124 call from JS into C++ code.
1126 * tools/VMInspector.h:
1127 - Added some default argument values. These were being used while debugging this
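The following is an added illustration of the CLoop sanitizer bug described in this entry; it is not JavaScriptCore code. It models the parallel stack as an array of slots (indices stand in for addresses, frames grow toward index 0), stashes forwarded arguments beyond the caller frame's topOfFrame the way op_tail_call_forward_arguments does, and then runs a sanitizer keyed either on topOfFrame (the old behaviour) or on a stack pointer recorded before calling into C++ (the fix). The names ToyCLoopStack, forwardedArgumentsSurvive, SanitizerSource and the sample argument values are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Toy model of the CLoop parallel stack (hypothetical, not JSC's CLoopStack).
// Slot indices play the role of addresses: index 0 is lowAddress() and kSlots is
// highAddress(). Frames are pushed toward lower indices, as in the real stack.
struct ToyCLoopStack {
    static constexpr size_t kSlots = 32;
    uint64_t slots[kSlots] = {};
    size_t topOfFrame = kSlots - 8;          // lowest slot the current frame is known to own
    size_t currentStackPointer = kSlots - 8; // lowest slot actually in use, recorded before calling C++

    // Mimics the sanitizer: zero every slot believed to be unused, i.e. everything
    // below `usedTop`. Which value feeds `usedTop` is the whole bug.
    void sanitize(size_t usedTop) {
        for (size_t i = 0; i < usedTop; ++i)
            slots[i] = 0;
    }
};

enum class SanitizerSource { TopOfFrame, CurrentStackPointer };

// Simulates op_tail_call_forward_arguments: stash `argc` forwarded arguments just below
// the caller's frame, then "load the callee CodeBlock", which allocates and therefore
// sanitizes the stack. Returns true if the stash survived.
bool forwardedArgumentsSurvive(SanitizerSource source) {
    ToyCLoopStack stack;
    constexpr size_t argc = 3;
    const uint64_t args[argc] = { 0x1111, 0x2222, 0x3333 }; // constructed sample values

    // The stash lies beyond topOfFrame of the tail-call caller frame.
    size_t stashBase = stack.topOfFrame - argc;
    for (size_t i = 0; i < argc; ++i)
        stack.slots[stashBase + i] = args[i];

    // The fix: record where the stack pointer really is before calling out to C++.
    stack.currentStackPointer = stashBase;

    // An allocation inside the C++ call triggers sanitization.
    size_t usedTop = (source == SanitizerSource::TopOfFrame)
        ? stack.topOfFrame            // old behaviour: frame top, blind to the stash
        : stack.currentStackPointer;  // fixed behaviour: true top of used stack
    stack.sanitize(usedTop);

    for (size_t i = 0; i < argc; ++i)
        if (stack.slots[stashBase + i] != args[i])
            return false;
    return true;
}

// Mirrors the StackPointerScope idea: whatever the interpreter loop does to the
// recorded stack pointer, the caller's value is restored on exit.
struct StackPointerScope {
    ToyCLoopStack& stack;
    size_t saved;
    explicit StackPointerScope(ToyCLoopStack& s) : stack(s), saved(s.currentStackPointer) {}
    ~StackPointerScope() { stack.currentStackPointer = saved; }
};

bool stackPointerRestoredAfterExecute() {
    ToyCLoopStack stack;
    size_t before = stack.currentStackPointer;
    {
        StackPointerScope scope(stack);
        stack.currentStackPointer -= 12; // the loop pushes frames and stashes
        stack.sanitize(stack.currentStackPointer);
    }
    return stack.currentStackPointer == before;
}

int main() {
    std::printf("sanitizer keyed on topOfFrame:          stash %s\n",
                forwardedArgumentsSurvive(SanitizerSource::TopOfFrame) ? "intact" : "zeroed");
    std::printf("sanitizer keyed on currentStackPointer: stash %s\n",
                forwardedArgumentsSurvive(SanitizerSource::CurrentStackPointer) ? "intact" : "zeroed");
    std::printf("stack pointer restored on exit: %s\n",
                stackPointerRestoredAfterExecute() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that a sanitizer which derives "unused" from frame metadata will zero any data the interpreter has legitimately placed beyond that metadata; the only safe source of truth is a stack pointer recorded at the exact moment control leaves the interpreter, which is what the entry's m_currentStackPointer provides.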
1130 2017-11-24 Yusuke Suzuki <utatane.tea@gmail.com>
1132 [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
1133 https://bugs.webkit.org/show_bug.cgi?id=179923
1135 Reviewed by Darin Adler.
1137 We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
1138 So we can use it as a marker of a deleted bucket.
1140 This patch uses the empty key as a deleted flag, and drops the m_deleted field of HashMapBucket.
1141 It shrinks the size of HashMapBucket substantially.
1143 * dfg/DFGSpeculativeJIT.cpp:
1144 (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1145 * ftl/FTLAbstractHeapRepository.h:
1146 * ftl/FTLLowerDFGToB3.cpp:
1147 (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1148 * runtime/HashMapImpl.h:
1149 (JSC::HashMapBucket::createSentinel):
1150 We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
1151 While the sentinel's deleted flag becomes false since the key is set, it is not a problem since the deleted
1152 flag of the sentinel bucket is not used.
1154 (JSC::HashMapBucket::HashMapBucket):
1155 (JSC::HashMapBucket::deleted const):
1156 (JSC::HashMapBucket::makeDeleted):
1157 (JSC::HashMapImpl::remove):
1158 (JSC::HashMapImpl::clear):
1159 (JSC::HashMapImpl::setUpHeadAndTail):
1160 (JSC::HashMapImpl::addNormalizedInternal):
1161 (JSC::HashMapBucket::setDeleted): Deleted.
1162 (JSC::HashMapBucket::offsetOfDeleted): Deleted.
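As an added example (not JavaScriptCore's HashMapImpl), the toy map below shows the tombstone encoding this entry describes: a bucket layout with an explicit m_deleted flag beside one that treats an empty key as the deleted marker, a head/tail sentinel pair initialised to (undefined, undefined), and a GetMapBucketNext-style walk that skips deleted buckets until it reaches the tail. ToyValue, Bucket, BucketWithFlag and ToyOrderedMap are constructed for this illustration; hashing is left out so lookups simply scan the list.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// A toy JSValue (hypothetical). `Empty` is an internal encoding that user code can
// never observe, which is exactly what makes it safe to reuse as a tombstone.
struct ToyValue {
    enum Tag : uint8_t { Empty, Undefined, Int };
    Tag tag = Empty;
    int32_t payload = 0;
    static ToyValue empty() { return {}; }
    static ToyValue undefined() { ToyValue v; v.tag = Undefined; return v; }
    static ToyValue fromInt(int32_t i) { ToyValue v; v.tag = Int; v.payload = i; return v; }
    bool isEmpty() const { return tag == Empty; }
    bool operator==(const ToyValue& o) const { return tag == o.tag && payload == o.payload; }
};

// Layout before the change: an explicit m_deleted flag.
struct BucketWithFlag {
    ToyValue key, value;
    BucketWithFlag* next = nullptr;
    BucketWithFlag* prev = nullptr;
    bool m_deleted = false;
};

// Layout after the change: deletion is encoded as an empty key.
struct Bucket {
    ToyValue key, value;
    Bucket* next = nullptr;
    Bucket* prev = nullptr;
    bool deleted() const { return key.isEmpty(); }
    void makeDeleted() { key = ToyValue::empty(); value = ToyValue::empty(); }
};

// The flag costs a byte plus alignment padding per bucket; the empty-key encoding costs nothing.
size_t bytesSavedPerBucket() { return sizeof(BucketWithFlag) - sizeof(Bucket); }

// Insertion-ordered bucket list with head/tail sentinels, the part of the structure
// that a GetMapBucketNext-style iterator walks.
class ToyOrderedMap {
public:
    ToyOrderedMap() {
        // Sentinels hold (undefined, undefined): anything that loads from them gets a real
        // value, and their deleted() being false never matters because it is not consulted.
        head_.key = head_.value = ToyValue::undefined();
        tail_.key = tail_.value = ToyValue::undefined();
        head_.next = &tail_;
        tail_.prev = &head_;
    }
    void set(int32_t k, int32_t v) {
        if (Bucket* b = find(k)) { b->value = ToyValue::fromInt(v); return; }
        auto b = std::make_unique<Bucket>();
        b->key = ToyValue::fromInt(k);
        b->value = ToyValue::fromInt(v);
        b->prev = tail_.prev;
        b->next = &tail_;
        tail_.prev->next = b.get();
        tail_.prev = b.get();
        storage_.push_back(std::move(b));
    }
    bool remove(int32_t k) {
        Bucket* b = find(k);
        if (!b) return false;
        b->makeDeleted(); // left linked: iterators already on this bucket can still step past it
        return true;
    }
    // Equivalent of repeated GetMapBucketNext: skip tombstones, stop at the tail sentinel.
    std::vector<int32_t> liveKeys() const {
        std::vector<int32_t> out;
        for (const Bucket* b = head_.next; b != &tail_; b = b->next)
            if (!b->deleted()) out.push_back(b->key.payload);
        return out;
    }
private:
    Bucket* find(int32_t k) {
        for (Bucket* b = head_.next; b != &tail_; b = b->next)
            if (!b->deleted() && b->key == ToyValue::fromInt(k)) return b;
        return nullptr;
    }
    Bucket head_, tail_;
    std::vector<std::unique_ptr<Bucket>> storage_;
};
```

The invariant doing the work is the first one: the encoding used as a tombstone must be unreachable from user input, otherwise a caller could forge a "deleted" bucket or make a real one vanish. Because the map never stores an empty key on behalf of a script, checking `key.isEmpty()` is as reliable as the separate flag was, and a re-insert of a removed key lands in a fresh bucket at the tail rather than resurrecting the tombstone.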
1165 2017-11-24 Mark Lam <mark.lam@apple.com>
1167 Move unsafe jsc shell test functions to the $vm object.
1168 https://bugs.webkit.org/show_bug.cgi?id=179980
1170 Reviewed by Yusuke Suzuki.
1172 Also removed setElementRoot() which was not used.
1175 (GlobalObject::finishCreation):
1176 (WTF::Element::Element): Deleted.
1177 (WTF::Element::root const): Deleted.
1178 (WTF::Element::setRoot): Deleted.
1179 (WTF::Element::create): Deleted.
1180 (WTF::Element::visitChildren): Deleted.
1181 (WTF::Element::createStructure): Deleted.
1182 (WTF::Root::Root): Deleted.
1183 (WTF::Root::element): Deleted.
1184 (WTF::Root::setElement): Deleted.
1185 (WTF::Root::create): Deleted.
1186 (WTF::Root::createStructure): Deleted.
1187 (WTF::Root::visitChildren): Deleted.
1188 (WTF::ImpureGetter::ImpureGetter): Deleted.
1189 (WTF::ImpureGetter::createStructure): Deleted.
1190 (WTF::ImpureGetter::create): Deleted.
1191 (WTF::ImpureGetter::finishCreation): Deleted.
1192 (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
1193 (WTF::ImpureGetter::visitChildren): Deleted.
1194 (WTF::ImpureGetter::setDelegate): Deleted.
1195 (WTF::CustomGetter::CustomGetter): Deleted.
1196 (WTF::CustomGetter::createStructure): Deleted.
1197 (WTF::CustomGetter::create): Deleted.
1198 (WTF::CustomGetter::getOwnPropertySlot): Deleted.
1199 (WTF::CustomGetter::customGetter): Deleted.
1200 (WTF::CustomGetter::customGetterAcessor): Deleted.
1201 (WTF::RuntimeArray::create): Deleted.
1202 (WTF::RuntimeArray::~RuntimeArray): Deleted.
1203 (WTF::RuntimeArray::destroy): Deleted.
1204 (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
1205 (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
1206 (WTF::RuntimeArray::put): Deleted.
1207 (WTF::RuntimeArray::deleteProperty): Deleted.
1208 (WTF::RuntimeArray::getLength const): Deleted.
1209 (WTF::RuntimeArray::createPrototype): Deleted.
1210 (WTF::RuntimeArray::createStructure): Deleted.
1211 (WTF::RuntimeArray::finishCreation): Deleted.
1212 (WTF::RuntimeArray::RuntimeArray): Deleted.
1213 (WTF::RuntimeArray::lengthGetter): Deleted.
1214 (WTF::SimpleObject::SimpleObject): Deleted.
1215 (WTF::SimpleObject::create): Deleted.
1216 (WTF::SimpleObject::visitChildren): Deleted.
1217 (WTF::SimpleObject::createStructure): Deleted.
1218 (WTF::SimpleObject::hiddenValue): Deleted.
1219 (WTF::SimpleObject::setHiddenValue): Deleted.
1220 (WTF::DOMJITNode::DOMJITNode): Deleted.
1221 (WTF::DOMJITNode::createStructure): Deleted.
1222 (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
1223 (WTF::DOMJITNode::create): Deleted.
1224 (WTF::DOMJITNode::value const): Deleted.
1225 (WTF::DOMJITNode::offsetOfValue): Deleted.
1226 (WTF::DOMJITGetter::DOMJITGetter): Deleted.
1227 (WTF::DOMJITGetter::createStructure): Deleted.
1228 (WTF::DOMJITGetter::create): Deleted.
1229 (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
1230 (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
1231 (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
1232 (WTF::DOMJITGetter::customGetter): Deleted.
1233 (WTF::DOMJITGetter::finishCreation): Deleted.
1234 (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
1235 (WTF::DOMJITGetterComplex::createStructure): Deleted.
1236 (WTF::DOMJITGetterComplex::create): Deleted.
1237 (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
1238 (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
1239 (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
1240 (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
1241 (WTF::DOMJITGetterComplex::customGetter): Deleted.
1242 (WTF::DOMJITGetterComplex::finishCreation): Deleted.
1243 (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
1244 (WTF::DOMJITFunctionObject::createStructure): Deleted.
1245 (WTF::DOMJITFunctionObject::create): Deleted.
1246 (WTF::DOMJITFunctionObject::safeFunction): Deleted.
1247 (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
1248 (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
1249 (WTF::DOMJITFunctionObject::finishCreation): Deleted.
1250 (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
1251 (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
1252 (WTF::DOMJITCheckSubClassObject::create): Deleted.
1253 (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
1254 (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
1255 (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
1256 (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
1257 (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
1258 (WTF::DOMJITGetterBaseJSObject::create): Deleted.
1259 (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
1260 (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
1261 (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
1262 (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
1263 (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
1264 (WTF::Element::handleOwner): Deleted.
1265 (WTF::Element::finishCreation): Deleted.
1266 (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
1267 (JSTestCustomGetterSetter::create): Deleted.
1268 (JSTestCustomGetterSetter::createStructure): Deleted.
1269 (customGetAccessor): Deleted.
1270 (customGetValue): Deleted.
1271 (customSetAccessor): Deleted.
1272 (customSetValue): Deleted.
1273 (JSTestCustomGetterSetter::finishCreation): Deleted.
1274 (GlobalObject::addConstructableFunction): Deleted.
1275 (functionCreateRoot): Deleted.
1276 (functionCreateElement): Deleted.
1277 (functionGetElement): Deleted.
1278 (functionSetElementRoot): Deleted.
1279 (functionCreateSimpleObject): Deleted.
1280 (functionGetHiddenValue): Deleted.
1281 (functionSetHiddenValue): Deleted.
1282 (functionCreateProxy): Deleted.
1283 (functionCreateRuntimeArray): Deleted.
1284 (functionCreateImpureGetter): Deleted.
1285 (functionCreateCustomGetterObject): Deleted.
1286 (functionCreateDOMJITNodeObject): Deleted.
1287 (functionCreateDOMJITGetterObject): Deleted.
1288 (functionCreateDOMJITGetterComplexObject): Deleted.
1289 (functionCreateDOMJITFunctionObject): Deleted.
1290 (functionCreateDOMJITCheckSubClassObject): Deleted.
1291 (functionCreateDOMJITGetterBaseJSObject): Deleted.
1292 (functionSetImpureGetterDelegate): Deleted.
1293 (functionGetGetterSetter): Deleted.
1294 (functionShadowChickenFunctionsOnStack): Deleted.
1295 (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
1296 (functionGlobalObjectForObject): Deleted.
1297 (functionLoadGetterFromGetterSetter): Deleted.
1298 (functionCreateCustomTestGetterSetter): Deleted.
1299 (functionAbort): Deleted.
1300 (functionFindTypeForExpression): Deleted.
1301 (functionReturnTypeFor): Deleted.
1302 (functionDumpBasicBlockExecutionRanges): Deleted.
1303 (functionHasBasicBlockExecuted): Deleted.
1304 (functionBasicBlockExecutionCount): Deleted.
1305 (functionEnableExceptionFuzz): Deleted.
1306 (functionCreateBuiltin): Deleted.
1307 * runtime/JSGlobalObject.cpp:
1308 (JSC::JSGlobalObject::init):
1309 * tools/JSDollarVM.cpp:
1310 (WTF::Element::Element):
1311 (WTF::Element::root const):
1312 (WTF::Element::setRoot):
1313 (WTF::Element::create):
1314 (WTF::Element::visitChildren):
1315 (WTF::Element::createStructure):
1317 (WTF::Root::element):
1318 (WTF::Root::setElement):
1319 (WTF::Root::create):
1320 (WTF::Root::createStructure):
1321 (WTF::Root::visitChildren):
1322 (WTF::SimpleObject::SimpleObject):
1323 (WTF::SimpleObject::create):
1324 (WTF::SimpleObject::visitChildren):
1325 (WTF::SimpleObject::createStructure):
1326 (WTF::SimpleObject::hiddenValue):
1327 (WTF::SimpleObject::setHiddenValue):
1328 (WTF::ImpureGetter::ImpureGetter):
1329 (WTF::ImpureGetter::createStructure):
1330 (WTF::ImpureGetter::create):
1331 (WTF::ImpureGetter::finishCreation):
1332 (WTF::ImpureGetter::getOwnPropertySlot):
1333 (WTF::ImpureGetter::visitChildren):
1334 (WTF::ImpureGetter::setDelegate):
1335 (WTF::CustomGetter::CustomGetter):
1336 (WTF::CustomGetter::createStructure):
1337 (WTF::CustomGetter::create):
1338 (WTF::CustomGetter::getOwnPropertySlot):
1339 (WTF::CustomGetter::customGetter):
1340 (WTF::CustomGetter::customGetterAcessor):
1341 (WTF::RuntimeArray::create):
1342 (WTF::RuntimeArray::~RuntimeArray):
1343 (WTF::RuntimeArray::destroy):
1344 (WTF::RuntimeArray::getOwnPropertySlot):
1345 (WTF::RuntimeArray::getOwnPropertySlotByIndex):
1346 (WTF::RuntimeArray::put):
1347 (WTF::RuntimeArray::deleteProperty):
1348 (WTF::RuntimeArray::getLength const):
1349 (WTF::RuntimeArray::createPrototype):
1350 (WTF::RuntimeArray::createStructure):
1351 (WTF::RuntimeArray::finishCreation):
1352 (WTF::RuntimeArray::RuntimeArray):
1353 (WTF::RuntimeArray::lengthGetter):
1354 (WTF::DOMJITNode::DOMJITNode):
1355 (WTF::DOMJITNode::createStructure):
1356 (WTF::DOMJITNode::checkSubClassSnippet):
1357 (WTF::DOMJITNode::create):
1358 (WTF::DOMJITNode::value const):
1359 (WTF::DOMJITNode::offsetOfValue):
1360 (WTF::DOMJITGetter::DOMJITGetter):
1361 (WTF::DOMJITGetter::createStructure):
1362 (WTF::DOMJITGetter::create):
1363 (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1364 (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1365 (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1366 (WTF::DOMJITGetter::customGetter):
1367 (WTF::DOMJITGetter::finishCreation):
1368 (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
1369 (WTF::DOMJITGetterComplex::createStructure):
1370 (WTF::DOMJITGetterComplex::create):
1371 (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1372 (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1373 (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1374 (WTF::DOMJITGetterComplex::functionEnableException):
1375 (WTF::DOMJITGetterComplex::customGetter):
1376 (WTF::DOMJITGetterComplex::finishCreation):
1377 (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
1378 (WTF::DOMJITFunctionObject::createStructure):
1379 (WTF::DOMJITFunctionObject::create):
1380 (WTF::DOMJITFunctionObject::safeFunction):
1381 (WTF::DOMJITFunctionObject::unsafeFunction):
1382 (WTF::DOMJITFunctionObject::checkSubClassSnippet):
1383 (WTF::DOMJITFunctionObject::finishCreation):
1384 (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
1385 (WTF::DOMJITCheckSubClassObject::createStructure):
1386 (WTF::DOMJITCheckSubClassObject::create):
1387 (WTF::DOMJITCheckSubClassObject::safeFunction):
1388 (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1389 (WTF::DOMJITCheckSubClassObject::finishCreation):
1390 (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
1391 (WTF::DOMJITGetterBaseJSObject::createStructure):
1392 (WTF::DOMJITGetterBaseJSObject::create):
1393 (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
1394 (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
1395 (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
1396 (WTF::DOMJITGetterBaseJSObject::customGetter):
1397 (WTF::DOMJITGetterBaseJSObject::finishCreation):
1398 (WTF::Message::releaseContents):
1399 (WTF::Message::index const):
1400 (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
1401 (WTF::JSTestCustomGetterSetter::create):
1402 (WTF::JSTestCustomGetterSetter::createStructure):
1403 (WTF::customGetAccessor):
1404 (WTF::customGetValue):
1405 (WTF::customSetAccessor):
1406 (WTF::customSetValue):
1407 (WTF::JSTestCustomGetterSetter::finishCreation):
1408 (WTF::Element::handleOwner):
1409 (WTF::Element::finishCreation):
1410 (JSC::functionCrash):
1411 (JSC::functionCreateProxy):
1412 (JSC::functionCreateRuntimeArray):
1413 (JSC::functionCreateImpureGetter):
1414 (JSC::functionCreateCustomGetterObject):
1415 (JSC::functionCreateDOMJITNodeObject):
1416 (JSC::functionCreateDOMJITGetterObject):
1417 (JSC::functionCreateDOMJITGetterComplexObject):
1418 (JSC::functionCreateDOMJITFunctionObject):
1419 (JSC::functionCreateDOMJITCheckSubClassObject):
1420 (JSC::functionCreateDOMJITGetterBaseJSObject):
1421 (JSC::functionSetImpureGetterDelegate):
1422 (JSC::functionCreateBuiltin):
1423 (JSC::functionCreateRoot):
1424 (JSC::functionCreateElement):
1425 (JSC::functionGetElement):
1426 (JSC::functionCreateSimpleObject):
1427 (JSC::functionGetHiddenValue):
1428 (JSC::functionSetHiddenValue):
1429 (JSC::functionShadowChickenFunctionsOnStack):
1430 (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
1431 (JSC::functionFindTypeForExpression):
1432 (JSC::functionReturnTypeFor):
1433 (JSC::functionDumpBasicBlockExecutionRanges):
1434 (JSC::functionHasBasicBlockExecuted):
1435 (JSC::functionBasicBlockExecutionCount):
1436 (JSC::functionEnableExceptionFuzz):
1437 (JSC::functionGlobalObjectForObject):
1438 (JSC::functionGetGetterSetter):
1439 (JSC::functionLoadGetterFromGetterSetter):
1440 (JSC::functionCreateCustomTestGetterSetter):
1441 (JSC::JSDollarVM::finishCreation):
1442 (JSC::JSDollarVM::addFunction):
1443 (JSC::JSDollarVM::addConstructibleFunction):
1444 * tools/JSDollarVM.h:
1445 (JSC::JSDollarVM::create):
1447 2017-11-23 Simon Fraser <simon.fraser@apple.com>
1449 Minor ArrayBufferView cleanup
1450 https://bugs.webkit.org/show_bug.cgi?id=179966
1452 Reviewed by Darin Adler.
1454 Use void* for data pointers when we don't need to do offset math. Use const for
1457 Prefer uint8_t* to char*.
1459 Add comments noting that the assertions should not be made release assertions
1460 as recommended by the style checker, since the point is to avoid the virtual byteLength()
1463 * runtime/ArrayBufferView.h:
1464 (JSC::ArrayBufferView::setImpl):
1465 (JSC::ArrayBufferView::setRangeImpl):
1466 (JSC::ArrayBufferView::getRangeImpl):
1467 (JSC::ArrayBufferView::zeroRangeImpl):
1469 2017-11-23 Darin Adler <darin@apple.com>
1471 Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
1472 https://bugs.webkit.org/show_bug.cgi?id=179907
1474 Reviewed by Sam Weinig.
1476 * inspector/agents/InspectorDebuggerAgent.cpp:
1477 (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
1480 * runtime/StringPrototype.cpp:
1481 (JSC::stringIncludesImpl): Use String::find since there is no overload of
1482 String::contains that takes a start offset now that we removed the one that took a
1483 caseSensitive boolean. We can add one later if we like, but this should do for now.
1485 * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
1486 the StringImpl.h header because it is only used here.
1488 2017-11-22 Simon Fraser <simon.fraser@apple.com>
1490 Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
1491 because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
1493 Also name the argument to zeroRange() to 'count' since it's an item count.
1495 * runtime/GenericTypedArrayView.h:
1496 (JSC::GenericTypedArrayView::zeroRange):
1497 (JSC::GenericTypedArrayView::getRange):
1499 2017-11-21 Simon Fraser <simon.fraser@apple.com>
1501 Allow for more efficient use of GenericTypedArrayView
1502 https://bugs.webkit.org/show_bug.cgi?id=179899
1504 Reviewed by Sam Weinig.
1506 Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
1507 under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
1510 Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
1513 Renamed 'dataLength' to 'count' in setRange() to be clearer.
1515 Added setNative() for callers who don't need clamping of doubles.
1517 * runtime/ArrayBufferView.h:
1518 (JSC::ArrayBufferView::setRangeImpl):
1519 (JSC::ArrayBufferView::getRangeImpl):
1520 * runtime/GenericTypedArrayView.h:
1521 (JSC::GenericTypedArrayView::setRange):
1522 (JSC::GenericTypedArrayView::setNative const):
1523 (JSC::GenericTypedArrayView::getRange):
1524 (JSC::GenericTypedArrayView::checkInboundData const):
1525 (JSC::GenericTypedArrayView::internalByteLength const):
1527 2017-11-21 Yusuke Suzuki <utatane.tea@gmail.com>
1529 [DFG][FTL] Support MapSet / SetAdd intrinsics
1530 https://bugs.webkit.org/show_bug.cgi?id=179858
1532 Reviewed by Saam Barati.
1534 Map.prototype.set and Set.prototype.add use the MapHash value anyway.
1535 By handling them as MapSet and SetAdd DFG nodes and decoupling
1536 MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
1537 remove duplicate MapHash calculation for the same key.
1539 One story is *set-if-not-exists*.
1542 map.set(key, value);
1544 In the above code, both `has` and `set` require hash value for `key`.
1545 If we can change `set` to the series of DFG nodes:
1548 2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
1550 we can remove duplicate @1 produced by `has` operation.
1552 This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively,
1556 map-set.es6 246.2413+-15.2084 ^ 204.3679+-11.2408 ^ definitely 1.2049x faster
1557 map-set-object.es6 266.5075+-17.2289 ^ 221.2792+-12.2948 ^ definitely 1.2044x faster
1561 map-has-and-set 148.1522+-7.6665 ^ 131.4552+-7.8846 ^ definitely 1.1270x faster
1563 * dfg/DFGAbstractInterpreterInlines.h:
1564 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1565 * dfg/DFGByteCodeParser.cpp:
1566 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1567 * dfg/DFGClobberize.h:
1568 (JSC::DFG::clobberize):
1569 * dfg/DFGDoesGC.cpp:
1571 * dfg/DFGFixupPhase.cpp:
1572 (JSC::DFG::FixupPhase::fixupNode):
1573 * dfg/DFGNodeType.h:
1574 * dfg/DFGOperations.cpp:
1575 * dfg/DFGOperations.h:
1576 * dfg/DFGPredictionPropagationPhase.cpp:
1577 * dfg/DFGSafeToExecute.h:
1578 (JSC::DFG::safeToExecute):
1579 * dfg/DFGSpeculativeJIT.cpp:
1580 (JSC::DFG::SpeculativeJIT::compileSetAdd):
1581 (JSC::DFG::SpeculativeJIT::compileMapSet):
1582 * dfg/DFGSpeculativeJIT.h:
1583 (JSC::DFG::SpeculativeJIT::callOperation):
1584 * dfg/DFGSpeculativeJIT32_64.cpp:
1585 (JSC::DFG::SpeculativeJIT::compile):
1586 * dfg/DFGSpeculativeJIT64.cpp:
1587 (JSC::DFG::SpeculativeJIT::compile):
1588 * ftl/FTLCapabilities.cpp:
1589 (JSC::FTL::canCompile):
1590 * ftl/FTLLowerDFGToB3.cpp:
1591 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1592 (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
1593 (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
1594 * jit/JITOperations.h:
1595 * runtime/HashMapImpl.h:
1596 (JSC::HashMapImpl::addNormalized):
1597 (JSC::HashMapImpl::addNormalizedInternal):
1598 * runtime/Intrinsic.cpp:
1599 (JSC::intrinsicName):
1600 * runtime/Intrinsic.h:
1601 * runtime/MapPrototype.cpp:
1602 (JSC::MapPrototype::finishCreation):
1603 * runtime/SetPrototype.cpp:
1604 (JSC::SetPrototype::finishCreation):
1606 2017-11-21 Yusuke Suzuki <utatane.tea@gmail.com>
1608 [JSC] Allow poly proto for intrinsic getters
1609 https://bugs.webkit.org/show_bug.cgi?id=179550
1611 Reviewed by Saam Barati.
1613 This patch allows intrinsic getters to accept poly proto.
1614 We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
1615 poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
1616 code for poly proto case.
1618 * bytecode/IntrinsicGetterAccessCase.cpp:
1619 (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
1620 (JSC::IntrinsicGetterAccessCase::create):
1621 * bytecode/IntrinsicGetterAccessCase.h:
1622 * jit/IntrinsicEmitter.cpp:
1623 (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
1624 (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1626 (JSC::tryCacheGetByID):
1628 2017-11-20 Don Olmstead <don.olmstead@sony.com>
1630 Detect __declspec within JSBase.h
1631 https://bugs.webkit.org/show_bug.cgi?id=179892
1633 Reviewed by Darin Adler.
1637 2017-11-19 Tim Horton <timothy_horton@apple.com>
1639 Remove unused TOUCH_ICON_LOADING feature flag
1640 https://bugs.webkit.org/show_bug.cgi?id=179873
1642 Reviewed by Simon Fraser.
1644 * Configurations/FeatureDefines.xcconfig:
1646 2017-11-19 Yusuke Suzuki <utatane.tea@gmail.com>
1648 Add CPU(UNKNOWN) to cover all the unknown CPU types
1649 https://bugs.webkit.org/show_bug.cgi?id=179243
1651 Reviewed by JF Bastien.
1655 2017-11-19 Tim Horton <timothy_horton@apple.com>
1657 Remove unused LEGACY_VENDOR_PREFIXES feature flag
1658 https://bugs.webkit.org/show_bug.cgi?id=179872
1660 Reviewed by Darin Adler.
1662 * Configurations/FeatureDefines.xcconfig:
1664 2017-11-18 Tim Horton <timothy_horton@apple.com>
1666 Fix typos in closing ENABLE() comments
1667 https://bugs.webkit.org/show_bug.cgi?id=179869
1671 * wasm/WasmMemory.h:
1672 * wasm/WasmMemoryMode.h:
1674 2017-11-17 JF Bastien <jfbastien@apple.com>
1676 NFC update ClassInfo to C++14
1677 https://bugs.webkit.org/show_bug.cgi?id=179783
1679 Reviewed by Mark Lam.
1681 Forked from #179734, use `using` instead of `typedef`. It's easier
1684 * runtime/ClassInfo.h:
1686 2017-11-17 JF Bastien <jfbastien@apple.com>
1688 WebAssembly JS API: throw when a promise can't be created
1689 https://bugs.webkit.org/show_bug.cgi?id=179826
1690 <rdar://problem/35455813>
1692 Reviewed by Mark Lam.
1694 Failure *in* a promise causes rejection, but failure to create a
1695 promise (because of stack overflow) isn't really spec'd (as all
1696 stack things JS). This applies to WebAssembly.compile and
1697 WebAssembly.instantiate.
1699 Dan's current proposal says:
1701 https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
1703 Whenever a stack overflow occurs in WebAssembly code, the same
1704 class of exception is thrown as for a stack overflow in
1705 JavaScript. The particular exception here is
1706 implementation-defined in both cases.
1708 Note: ECMAScript doesn’t specify any sort of behavior on stack
1709 overflow; implementations have been observed to throw RangeError,
1710 InternalError or Error. Any is valid here.
1712 This is for general stack overflow within WebAssembly, not
1713 specifically for promise creation within JavaScript, but it seems
1714 like a stack overflow in promise creation should follow the same
1715 rule instead of, say, swallowing the overflow and returning
1718 * wasm/js/WebAssemblyPrototype.cpp:
1719 (JSC::webAssemblyCompileFunc):
1720 (JSC::webAssemblyInstantiateFunc):
1722 2017-11-16 Daniel Bates <dabates@apple.com>
1724 Add feature define for alternative presentation button element
1725 https://bugs.webkit.org/show_bug.cgi?id=179692
1726 Part of <rdar://problem/34917108>
1728 Reviewed by Andy Estes.
1730 Only enabled on Cocoa platforms by default.
1732 * Configurations/FeatureDefines.xcconfig:
1734 2017-11-16 Saam Barati <sbarati@apple.com>
1736 Fix a bug with cpuid in the FTL.
1738 Rubber stamped by Mark Lam.
1740 Before uploading the previous patch, I tried to condense the code. I
1741 accidentally removed a crucial line saying that CPUID clobbers various
1744 * ftl/FTLLowerDFGToB3.cpp:
1745 (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
1747 2017-11-16 Saam Barati <sbarati@apple.com>
1749 Add some X86 intrinsics to $vm to help with some perf testing
1750 https://bugs.webkit.org/show_bug.cgi?id=179693
1752 Reviewed by Mark Lam.
1754 I've been doing some local perf testing of various ideas and have
1755 had these come in handy. I'm going to land them to dollarVM to prevent
1756 having to add them to my local build every time I do perf testing.
1758 * assembler/MacroAssemblerX86Common.h:
1759 (JSC::MacroAssemblerX86Common::mfence):
1760 (JSC::MacroAssemblerX86Common::rdtsc):
1761 (JSC::MacroAssemblerX86Common::pause):
1762 (JSC::MacroAssemblerX86Common::cpuid):
1763 * assembler/X86Assembler.h:
1764 (JSC::X86Assembler::rdtsc):
1765 (JSC::X86Assembler::pause):
1766 (JSC::X86Assembler::cpuid):
1767 * dfg/DFGAbstractInterpreterInlines.h:
1768 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1769 * dfg/DFGByteCodeParser.cpp:
1770 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1771 * dfg/DFGClobberize.h:
1772 (JSC::DFG::clobberize):
1773 * dfg/DFGDoesGC.cpp:
1775 * dfg/DFGFixupPhase.cpp:
1776 (JSC::DFG::FixupPhase::fixupNode):
1778 (JSC::DFG::Graph::dump):
1780 (JSC::DFG::Node::intrinsic):
1781 * dfg/DFGNodeType.h:
1782 * dfg/DFGPredictionPropagationPhase.cpp:
1783 * dfg/DFGSafeToExecute.h:
1784 (JSC::DFG::safeToExecute):
1785 * dfg/DFGSpeculativeJIT32_64.cpp:
1786 (JSC::DFG::SpeculativeJIT::compile):
1787 * dfg/DFGSpeculativeJIT64.cpp:
1788 (JSC::DFG::SpeculativeJIT::compile):
1789 * dfg/DFGValidate.cpp:
1790 * ftl/FTLCapabilities.cpp:
1791 (JSC::FTL::canCompile):
1792 * ftl/FTLLowerDFGToB3.cpp:
1793 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1794 (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
1795 * runtime/Intrinsic.cpp:
1796 (JSC::intrinsicName):
1797 * runtime/Intrinsic.h:
1798 * tools/JSDollarVM.cpp:
1799 (JSC::functionCpuMfence):
1800 (JSC::functionCpuRdtsc):
1801 (JSC::functionCpuCpuid):
1802 (JSC::functionCpuPause):
1803 (JSC::functionCpuClflush):
1804 (JSC::JSDollarVM::finishCreation):
1806 2017-11-16 JF Bastien <jfbastien@apple.com>
1808 It should be easier to reify lazy property names
1809 https://bugs.webkit.org/show_bug.cgi?id=179734
1810 <rdar://problem/35492521>
1812 Reviewed by Keith Miller.
1814 We reify lazy property names in a few different ways, each
1815 specific to the JSCell implementation, in put() instead of having
1816 a special function to do reification. Let's make that simpler.
1818 This patch makes it easier to reify property names in a uniform
1819 manner, and does so in JSFunction. As a follow up I'll use the
1822 ClonedArguments callee, iteratorSymbol (Symbol.iterator)
1823 ErrorConstructor stackTraceLimit
1824 ErrorInstance line, column, sourceURL, stack
1825 GenericArguments length, callee, iteratorSymbol (Symbol.iterator)
1826 GetterSetter RELEASE_ASSERT_NOT_REACHED()
1828 RegExpObject lastIndex
1831 * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
1832 * runtime/JSCell.cpp:
1833 (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
1835 * runtime/JSFunction.cpp: `name` and `length` can be reified.
1836 (JSC::JSFunction::reifyPropertyNameIfNeeded):
1837 (JSC::JSFunction::put):
1838 (JSC::JSFunction::reifyLength):
1839 (JSC::JSFunction::reifyName):
1840 (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1841 (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
1842 (JSC::JSFunction::reifyLazyLengthIfNeeded):
1843 (JSC::JSFunction::reifyLazyNameIfNeeded):
1844 (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1845 * runtime/JSFunction.h:
1846 (JSC::JSFunction::isLazy):
1847 (JSC::JSFunction::isReified):
1848 * runtime/JSObjectInlines.h:
1849 (JSC::JSObject::putDirectInternal): do the reification here.
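Added example, not JavaScriptCore code: the script-visible contract that lazily reified function properties must honour. Whatever the engine does internally, `name` and `length` of a function behave as ordinary own data properties, so every path that can observe or mutate them (a put, a defineProperty, a delete, a bind) has to see the reified value. The helper names below are my own.

```javascript
// Added example (not JavaScriptCore code): the observable contract that
// lazily reified function properties must honour. To script, `name` and
// `length` of a function are ordinary own data properties even if the
// engine has not materialized them yet, so every operation that could
// observe or mutate them has to reify first.
function describeLazyProps(fn) {
  const lengthDesc = Object.getOwnPropertyDescriptor(fn, 'length');
  const nameDesc = Object.getOwnPropertyDescriptor(fn, 'name');
  return {
    ownLength: Object.prototype.hasOwnProperty.call(fn, 'length'),
    ownName: Object.prototype.hasOwnProperty.call(fn, 'name'),
    length: lengthDesc.value,
    name: nameDesc.value,
    // ES2015: non-writable, non-enumerable, configurable.
    attrs: [lengthDesc.writable, lengthDesc.enumerable, lengthDesc.configurable].join(','),
  };
}

// Mutations go through put()/[[DefineOwnProperty]], which is where the
// ChangeLog says reification used to be hidden. Plain assignment to the
// non-writable `name` is ignored (TypeError in strict code),
// Object.defineProperty redefines it, and delete removes the own property
// so the inherited Function.prototype value shows through.
function mutateLazyProps() {
  function target(a, b, c) {}
  const log = [];
  try { target.name = 'renamed'; } catch (e) { /* strict mode: TypeError */ }
  log.push(target.name);                                   // 'target'
  Object.defineProperty(target, 'name', { value: 'renamed' });
  log.push(target.name);                                   // 'renamed'
  delete target.length;
  log.push(target.length);                                 // 0 (Function.prototype.length)
  log.push(Object.prototype.hasOwnProperty.call(target, 'length')); // false
  // Bound functions derive their name and length from the target's
  // *current* own properties, so reification must happen before bind reads them.
  const bound = target.bind(null);
  log.push(bound.name);                                    // 'bound renamed'
  log.push(bound.length);                                  // 0: target has no own length now
  return log;
}
```

Run `describeLazyProps(function f(a, b) {})` to see the descriptor shape, and `mutateLazyProps()` to watch each mutation path take effect in order.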
1851 2017-11-16 Robin Morisset <rmorisset@apple.com>
1853 Provide a runtime option for disabling the optimization of recursive tail calls
1854 https://bugs.webkit.org/show_bug.cgi?id=179765
1856 Reviewed by Mark Lam.
1858 * bytecode/PreciseJumpTargets.cpp:
1859 (JSC::getJumpTargetsForBytecodeOffset):
1860 * bytecompiler/BytecodeGenerator.cpp:
1861 (JSC::BytecodeGenerator::emitEnter):
1862 * dfg/DFGByteCodeParser.cpp:
1863 (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1864 * runtime/Options.h:
1866 2017-11-16 Robin Morisset <rmorisset@apple.com>
1868 Fix null pointer dereference in bytecodeDumper
1869 https://bugs.webkit.org/show_bug.cgi?id=179764
1871 Reviewed by Mark Lam.
1873 The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
1875 * bytecode/BytecodeDumper.cpp:
1876 (JSC::BytecodeDumper<Block>::printCallOp):
1878 2017-11-16 Robin Morisset <rmorisset@apple.com>
1880 REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1881 https://bugs.webkit.org/show_bug.cgi?id=179763
1882 <rdar://problem/35550513>
1884 Reviewed by Keith Miller.
1886 Fix null pointer dereference caused by an eliminated tdz_check
1888 The problem was when doing an OSR entry in DFG while |this| was null
1889 (because super() had not yet been called in the constructor of this
1890 subclass), it would be marked as non-null, and the tdz_check eliminated.
1892 * dfg/DFGInPlaceAbstractState.cpp:
1893 (JSC::DFG::InPlaceAbstractState::initialize):
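Added illustration of the language rule the eliminated tdz_check enforces; this is my own constructed code, not WebKit's regression test or the oss-fuzz input. In a derived-class constructor, `this` is in its temporal dead zone until super() returns, and any access before that must throw a ReferenceError rather than dereference a placeholder value. The hot loop before super() is the shape under which an OSR entry could occur; the iteration count and the helper names are arbitrary choices.

```javascript
// Added illustration (not WebKit's test case): the language rule the
// eliminated tdz_check was enforcing. In a derived-class constructor,
// `this` is in its temporal dead zone until super() returns, and touching
// it earlier must throw a ReferenceError rather than dereference a
// placeholder value. The loop only makes the constructor hot; the
// iteration count is an arbitrary choice.
class Base {
  constructor() {
    this.base = true;
  }
}

class Derived extends Base {
  constructor(touchThisEarly) {
    let sum = 0;
    for (let i = 0; i < 100000; i++) sum += i;   // hot loop before super()
    if (touchThisEarly) {
      this.early = sum;     // |this| still in TDZ: must throw ReferenceError
    }
    super();
    this.sum = sum;
  }
}

// Returns a description of what happened so the behaviour can be checked
// without relying on console output.
function constructDerived(touchThisEarly) {
  try {
    const obj = new Derived(touchThisEarly);
    return { ok: true, base: obj.base, sum: obj.sum };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// The TDZ rule must hold regardless of which tier is executing the
// constructor body, so repeated calls have to give the same answer.
function tdzIsStable(iterations) {
  for (let i = 0; i < iterations; i++) {
    if (constructDerived(true).ok) return false;
    if (!constructDerived(false).ok) return false;
  }
  return true;
}
```

`constructDerived(true)` must report a ReferenceError every time, and `constructDerived(false)` must return a fully initialized object; an engine that drops the check would instead crash on the early access once the constructor tiers up.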
1895 2017-11-15 Ryan Haddad <ryanhaddad@apple.com>
1897 Unreviewed, rolling out r224863.
1899 Introduced LayoutTest crashes on iOS Simulator.
1903 "Move JSONValues to WTF and convert uses of InspectorValues.h
1905 https://bugs.webkit.org/show_bug.cgi?id=173793
1906 https://trac.webkit.org/changeset/224863
1908 2017-11-14 Mark Lam <mark.lam@apple.com>
1910 Gardening: CLoop build fix after r224862.
1911 https://bugs.webkit.org/show_bug.cgi?id=179699
1915 * bytecode/CodeBlock.h:
1916 (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1918 2017-11-14 Carlos Garcia Campos <cgarcia@igalia.com>
1920 Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1921 https://bugs.webkit.org/show_bug.cgi?id=173793
1923 Reviewed by Brian Burg.
1925 Based on patch by Brian Burg.
1927 * JavaScriptCore.xcodeproj/project.pbxproj:
1929 * bindings/ScriptValue.cpp:
1930 (Inspector::jsToInspectorValue):
1931 (Inspector::toInspectorValue):
1932 (Deprecated::ScriptValue::toInspectorValue const):
1933 * bindings/ScriptValue.h:
1934 * inspector/AsyncStackTrace.cpp:
1935 * inspector/ConsoleMessage.cpp:
1936 * inspector/ContentSearchUtilities.cpp:
1937 * inspector/InjectedScript.cpp:
1938 (Inspector::InjectedScript::getFunctionDetails):
1939 (Inspector::InjectedScript::functionDetails):
1940 (Inspector::InjectedScript::getPreview):
1941 (Inspector::InjectedScript::getProperties):
1942 (Inspector::InjectedScript::getDisplayableProperties):
1943 (Inspector::InjectedScript::getInternalProperties):
1944 (Inspector::InjectedScript::getCollectionEntries):
1945 (Inspector::InjectedScript::saveResult):
1946 (Inspector::InjectedScript::wrapCallFrames const):
1947 (Inspector::InjectedScript::wrapObject const):
1948 (Inspector::InjectedScript::wrapTable const):
1949 (Inspector::InjectedScript::previewValue const):
1950 (Inspector::InjectedScript::setExceptionValue):
1951 (Inspector::InjectedScript::clearExceptionValue):
1952 (Inspector::InjectedScript::inspectObject):
1953 (Inspector::InjectedScript::releaseObject):
1954 * inspector/InjectedScriptBase.cpp:
1955 (Inspector::InjectedScriptBase::makeCall):
1956 (Inspector::InjectedScriptBase::makeEvalCall):
1957 * inspector/InjectedScriptBase.h:
1958 * inspector/InjectedScriptManager.cpp:
1959 (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1960 * inspector/InspectorBackendDispatcher.cpp:
1961 (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1962 (Inspector::BackendDispatcher::dispatch):
1963 (Inspector::BackendDispatcher::sendResponse):
1964 (Inspector::BackendDispatcher::sendPendingErrors):
1965 (Inspector::BackendDispatcher::getPropertyValue):
1966 (Inspector::castToInteger):
1967 (Inspector::castToNumber):
1968 (Inspector::BackendDispatcher::getInteger):
1969 (Inspector::BackendDispatcher::getDouble):
1970 (Inspector::BackendDispatcher::getString):
1971 (Inspector::BackendDispatcher::getBoolean):
1972 (Inspector::BackendDispatcher::getObject):
1973 (Inspector::BackendDispatcher::getArray):
1974 (Inspector::BackendDispatcher::getValue):
1975 * inspector/InspectorBackendDispatcher.h:
1976 * inspector/InspectorProtocolTypes.h:
1977 (Inspector::Protocol::Array::openAccessors):
1978 (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1979 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1980 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1981 (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1982 * inspector/ScriptCallFrame.cpp:
1983 * inspector/ScriptCallStack.cpp:
1984 * inspector/agents/InspectorAgent.cpp:
1985 (Inspector::InspectorAgent::inspect):
1986 * inspector/agents/InspectorAgent.h:
1987 * inspector/agents/InspectorDebuggerAgent.cpp:
1988 (Inspector::buildAssertPauseReason):
1989 (Inspector::buildCSPViolationPauseReason):
1990 (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1991 (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1992 (Inspector::buildObjectForBreakpointCookie):
1993 (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1994 (Inspector::parseLocation):
1995 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1996 (Inspector::InspectorDebuggerAgent::setBreakpoint):
1997 (Inspector::InspectorDebuggerAgent::continueToLocation):
1998 (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1999 (Inspector::InspectorDebuggerAgent::didParseSource):
2000 (Inspector::InspectorDebuggerAgent::breakProgram):
2001 * inspector/agents/InspectorDebuggerAgent.h:
2002 * inspector/agents/InspectorRuntimeAgent.cpp:
2003 (Inspector::InspectorRuntimeAgent::callFunctionOn):
2004 (Inspector::InspectorRuntimeAgent::saveResult):
2005 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2006 * inspector/agents/InspectorRuntimeAgent.h:
2007 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2008 (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
2009 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2010 (CppBackendDispatcherImplementationGenerator.generate_output):
2011 (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2012 * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2013 (CppFrontendDispatcherHeaderGenerator.generate_output):
2014 * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2015 (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2016 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2017 (_generate_unchecked_setter_for_member):
2018 * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2019 (CppProtocolTypesImplementationGenerator):
2020 * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2021 (ObjCBackendDispatcherImplementationGenerator.generate_output):
2022 (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2023 * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2024 (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2025 (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2026 (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2027 * inspector/scripts/codegen/generate_objc_internal_header.py:
2028 (ObjCInternalHeaderGenerator.generate_output):
2029 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2030 (ObjCProtocolTypesImplementationGenerator.generate_output):
2031 * inspector/scripts/codegen/generator.py:
2032 * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2033 * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2034 * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2035 * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2036 * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2037 * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2038 * inspector/scripts/tests/generic/expected/enum-values.json-result:
2039 * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2040 * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2041 * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2042 * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2043 * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2044 * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2045 * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2046 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2047 * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2048 * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2049 * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2050 * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2051 * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2053 2017-11-14 Mark Lam <mark.lam@apple.com>
2055 Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
2056 https://bugs.webkit.org/show_bug.cgi?id=179699
2057 <rdar://problem/35462346>
2059 Reviewed by Michael Saboff.
2061 * interpreter/Interpreter.cpp:
2062 (JSC::Interpreter::dumpRegisters):
2063 - Need to skip the callee saved registers
2065 2017-11-14 Guillaume Emont <guijemont@igalia.com>
2067 REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
2068 https://bugs.webkit.org/show_bug.cgi?id=179563
2070 Reviewed by Carlos Alberto Lopez Perez.
2072 When run with BranchIfTruncateSuccessful,
2073 branchTruncateDoubleToInt32() should set the destination register
2075 This change also removes branchTruncateDoubleToUInt32() as it is
2076 deprecated (see r160205), merges branchOnTruncateResult() into
2077 branchTruncateDoubleToInt32() and adds test cases in testmasm.
2079 * assembler/MacroAssemblerMIPS.h:
2080 (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
2081 (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2082 Properly set dest before branching.
2083 (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
2084 * assembler/testmasm.cpp:
2085 (JSC::testBranchTruncateDoubleToInt32):
2087 Add tests for branchTruncateDoubleToInt32().
2089 2017-11-14 Daniel Bates <dabates@apple.com>
2091 Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
2094 Following r195498 and r201917 the Visual Studio property files for feature defines have
2095 moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
2096 Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
2099 * Configurations/FeatureDefines.xcconfig:
2101 2017-11-14 Mark Lam <mark.lam@apple.com>
2103 Remove JSDollarVMPrototype.
2104 https://bugs.webkit.org/show_bug.cgi?id=179685
2106 Reviewed by Saam Barati.
2108 1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
2110 This allows us to call these functions during lldb debugging sessions using
2111 VMInspector::foo() instead of JSDollarVMPrototype::foo(). It makes sense that
2112 VMInspector provides VM debugging utility methods. It doesn't make sense to
2113 have a JSDollarVMPrototype object provide these methods.
2115 Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
2117 2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
2119 JSDollarVM is a special object used only for debugging purposes. There's no
2120 gain in requiring its methods to be stored in a prototype object other than to
2121 conform to typical JS convention. We can remove this complexity.
2123 * JavaScriptCore.xcodeproj/project.pbxproj:
2125 * runtime/JSGlobalObject.cpp:
2126 (JSC::JSGlobalObject::init):
2127 * tools/JSDollarVM.cpp:
2128 (JSC::JSDollarVM::addFunction):
2129 (JSC::functionCrash):
2130 (JSC::functionDFGTrue):
2131 (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2132 (JSC::CallerFrameJITTypeFunctor::operator() const):
2133 (JSC::CallerFrameJITTypeFunctor::jitType):
2134 (JSC::functionLLintTrue):
2135 (JSC::functionJITTrue):
2137 (JSC::functionEdenGC):
2138 (JSC::functionCodeBlockForFrame):
2139 (JSC::codeBlockFromArg):
2140 (JSC::functionCodeBlockFor):
2141 (JSC::functionPrintSourceFor):
2142 (JSC::functionPrintBytecodeFor):
2143 (JSC::functionPrint):
2144 (JSC::functionPrintCallFrame):
2145 (JSC::functionPrintStack):
2146 (JSC::functionValue):
2147 (JSC::functionGetPID):
2148 (JSC::JSDollarVM::finishCreation):
2149 * tools/JSDollarVM.h:
2150 (JSC::JSDollarVM::create):
2151 * tools/JSDollarVMPrototype.cpp: Removed.
2152 * tools/JSDollarVMPrototype.h: Removed.
2153 * tools/VMInspector.cpp:
2154 (JSC::VMInspector::currentThreadOwnsJSLock):
2155 (JSC::ensureCurrentThreadOwnsJSLock):
2156 (JSC::VMInspector::gc):
2157 (JSC::VMInspector::edenGC):
2158 (JSC::VMInspector::isInHeap):
2159 (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
2160 (JSC::CellAddressCheckFunctor::operator() const):
2161 (JSC::VMInspector::isValidCell):
2162 (JSC::VMInspector::isValidCodeBlock):
2163 (JSC::VMInspector::codeBlockForFrame):
2164 (JSC::PrintFrameFunctor::PrintFrameFunctor):
2165 (JSC::PrintFrameFunctor::operator() const):
2166 (JSC::VMInspector::printCallFrame):
2167 (JSC::VMInspector::printStack):
2168 (JSC::VMInspector::printValue):
2169 * tools/VMInspector.h:
2171 2017-11-14 Joseph Pecoraro <pecoraro@apple.com>
2173 Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
2174 https://bugs.webkit.org/show_bug.cgi?id=179640
2175 <rdar://problem/35517361>
2177 Reviewed by Devin Rousso.
2180 * DerivedSources.make:
2181 Gate the ServiceWorker domain on the ENABLE feature flag.
2183 * inspector/protocol/ServiceWorker.json: Added.
2184 New domain to be made available inside of a ServiceWorker target.
2186 2017-11-14 Yusuke Suzuki <utatane.tea@gmail.com>
2188 [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2189 https://bugs.webkit.org/show_bug.cgi?id=179594
2191 Reviewed by Saam Barati.
2193 Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
2194 If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
2195 `arguments[i]` accesses if i is in bounds, and (2) encourage arguments elimination phase
2196 to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
2197 PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
2199 This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
2200 accept this type, and emit optimized code compared to Array::Generic case.
2202 We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) as OutOfBounds
2203 exit instead of ExoticObjectMode.
2205 This change significantly improves SixSpeed rest.es5 since it uses OOB access.
2206 Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
2208 rest.es5 59.6719+-2.2440 ^ 3.1634+-0.5507 ^ definitely 18.8635x faster
2210 * dfg/DFGArgumentsEliminationPhase.cpp:
2211 * dfg/DFGArrayMode.cpp:
2212 (JSC::DFG::ArrayMode::refine const):
2213 * dfg/DFGClobberize.h:
2214 (JSC::DFG::clobberize):
2215 * dfg/DFGSpeculativeJIT.cpp:
2216 (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2217 * ftl/FTLLowerDFGToB3.cpp:
2218 (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2219 (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
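Added example of what an out-of-bounds `arguments[i]` read must return; this is standard ECMAScript semantics written by me, not JavaScriptCore code and not the SixSpeed rest.es5 source. Which reads are OOB is decided by the caller's argument count, and a missing index is an ordinary property miss that walks the prototype chain. An engine that speculates "OOB means undefined" therefore needs a way to bail out (the OutOfBounds exit above) when an indexed property appears on the chain. The function names are my own.

```javascript
// Added example (standard ECMAScript semantics, not JavaScriptCore code):
// what an out-of-bounds `arguments[i]` read has to return.

// ES5-style rest emulation: the loop bound keeps every read in bounds.
function restEs5() {
  var rest = [];
  for (var i = 1; i < arguments.length; i++) rest.push(arguments[i]);
  return rest;
}

// Optional-argument idiom: when called with one argument, arguments[1]
// is an out-of-bounds read and yields the default.
function withDefault(value) {
  var fallback = arguments[1] === undefined ? 'default' : arguments[1];
  return value + ':' + fallback;
}

// Reads an arbitrary slot; `index` itself is arguments[0], so any index >= 1
// is out of bounds for a single-argument call.
function readSlot(index) {
  return arguments[index];
}

// Shows that an OOB read is not unconditionally undefined: an indexed
// property on Object.prototype (the arguments object's prototype) is found.
// The prototype is restored before returning.
function oobReadSeesPrototypeChain() {
  var before = readSlot(3);
  Object.defineProperty(Object.prototype, '3', {
    value: 'from-prototype', writable: true, enumerable: false, configurable: true,
  });
  var during;
  try {
    during = readSlot(3);
  } finally {
    delete Object.prototype[3];
  }
  var after = readSlot(3);
  return [before, during, after];
}
```

`oobReadSeesPrototypeChain()` returns `[undefined, 'from-prototype', undefined]`: the same OOB read changes its answer when the prototype chain changes, which is exactly the condition an OutOfBounds speculation has to exit on.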
2221 2017-11-14 Saam Barati <sbarati@apple.com>
2223 We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2224 https://bugs.webkit.org/show_bug.cgi?id=179639
2225 <rdar://problem/35513018>
2227 Reviewed by JF Bastien.
2229 Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
2230 walk the stack for ShadowChicken (and maybe other things). We weren't updating
2231 topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
2232 use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
2233 this bug by giving Wasm::Instance a lambda that is called when we need to store
2234 the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
2235 Currently, JSWebAssemblyInstance passes in a lambda that stores to
2238 * wasm/WasmB3IRGenerator.cpp:
2239 (JSC::Wasm::B3IRGenerator::addGrowMemory):
2240 * wasm/WasmInstance.cpp:
2241 (JSC::Wasm::Instance::Instance):
2242 (JSC::Wasm::Instance::create):
2243 * wasm/WasmInstance.h:
2244 (JSC::Wasm::Instance::storeTopCallFrame):
2245 * wasm/js/JSWebAssemblyInstance.cpp:
2246 (JSC::JSWebAssemblyInstance::create):
2247 * wasm/js/JSWebAssemblyInstance.h:
2248 * wasm/js/WasmToJS.cpp:
2249 (JSC::Wasm::wasmToJSException):
2250 * wasm/js/WebAssemblyInstanceConstructor.cpp:
2251 (JSC::constructJSWebAssemblyInstance):
2252 * wasm/js/WebAssemblyPrototype.cpp:
2255 2017-11-13 Saam Barati <sbarati@apple.com>
2257 Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
2258 https://bugs.webkit.org/show_bug.cgi?id=179203
2260 Reviewed by Yusuke Suzuki.
2262 This patch only removes the pointer caging for the described types in the title.
2263 These types still allocate out of the gigacage. This is just a cost vs. benefit
2264 tradeoff of performance vs security.
2266 * dfg/DFGSpeculativeJIT.cpp:
2267 (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2268 (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2269 * ftl/FTLLowerDFGToB3.cpp:
2270 (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2271 * jit/JITPropertyAccess.cpp:
2272 (JSC::JIT::emitDirectArgumentsGetByVal):
2273 (JSC::JIT::emitScopedArgumentsGetByVal):
2274 * runtime/DirectArguments.h:
2275 (JSC::DirectArguments::storage):
2276 * runtime/HashMapImpl.cpp:
2277 (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2278 * runtime/HashMapImpl.h:
2279 * runtime/JSLexicalEnvironment.h:
2280 (JSC::JSLexicalEnvironment::variables):
2281 * runtime/ScopedArguments.h:
2282 (JSC::ScopedArguments::overflowStorage const):
2284 2017-11-08 Keith Miller <keith_miller@apple.com>
2286 Async iteration should only fetch the next method once and add feature flag
2287 https://bugs.webkit.org/show_bug.cgi?id=179451
2289 Reviewed by Geoffrey Garen.
2291 Add feature flag for Async iteration. Also, change async iteration to match
2292 the expected behavior of the proposal.
2294 * Configurations/FeatureDefines.xcconfig:
2295 * builtins/AsyncFromSyncIteratorPrototype.js:
2296 (globalPrivate.createAsyncFromSyncIterator):
2297 (globalPrivate.AsyncFromSyncIteratorConstructor):
2298 * builtins/BuiltinNames.h:
2299 * bytecompiler/BytecodeGenerator.cpp:
2300 (JSC::BytecodeGenerator::emitGetAsyncIterator):
2301 * runtime/Options.h:
2303 2017-11-13 Mark Lam <mark.lam@apple.com>
2305 Add more overflow check book-keeping for MarkedArgumentBuffer.
2306 https://bugs.webkit.org/show_bug.cgi?id=179634
2307 <rdar://problem/35492517>
2309 Reviewed by Saam Barati.
2311 * runtime/ArgList.h:
2312 (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
2313 * runtime/JSJob.cpp:
2314 (JSC::JSJobMicrotask::run):
2315 * runtime/ObjectConstructor.cpp:
2316 (JSC::defineProperties):
2317 * runtime/ReflectObject.cpp:
2318 (JSC::reflectObjectConstruct):
2320 2017-11-13 Guillaume Emont <guijemont@igalia.com>
2322 [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
2323 https://bugs.webkit.org/show_bug.cgi?id=179542
2325 Reviewed by Alex Christensen.
2327 * assembler/MacroAssemblerARM.h:
2328 (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
2330 2017-11-13 Mark Lam <mark.lam@apple.com>
2332 Make the jsc shell loadGetterFromGetterSetter() function more robust.
2333 https://bugs.webkit.org/show_bug.cgi?id=179619
2334 <rdar://problem/35492518>
2336 Reviewed by Saam Barati.
2339 (functionLoadGetterFromGetterSetter):
2341 2017-11-12 Darin Adler <darin@apple.com>
2343 More is<> and downcast<>, less static_cast<>
2344 https://bugs.webkit.org/show_bug.cgi?id=179600
2346 Reviewed by Chris Dumez.
2348 * runtime/JSString.h:
2349 (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
2350 (JSC::jsSubstringOfResolved): Ditto.
2352 2017-11-12 Mark Lam <mark.lam@apple.com>
2354 We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2355 https://bugs.webkit.org/show_bug.cgi?id=179562
2356 <rdar://problem/35467022>
2358 Reviewed by Saam Barati.
2360 * dfg/DFGFixupPhase.cpp:
2361 (JSC::DFG::FixupPhase::fixupNode):
2362 * dfg/DFGOperations.cpp:
2363 * dfg/DFGSafeToExecute.h:
2364 (JSC::DFG::SafeToExecuteEdge::operator()):
2365 * dfg/DFGSpeculativeJIT.cpp:
2366 (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
2367 (JSC::DFG::SpeculativeJIT::speculate):
2368 * dfg/DFGSpeculativeJIT.h:
2369 * dfg/DFGUseKind.cpp:
2370 (WTF::printInternal):
2372 (JSC::DFG::typeFilterFor):
2373 * ftl/FTLCapabilities.cpp:
2374 (JSC::FTL::canCompile):
2375 * ftl/FTLLowerDFGToB3.cpp:
2376 (JSC::FTL::DFG::LowerDFGToB3::speculate):
2377 (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
2379 2017-11-11 Devin Rousso <webkit@devinrousso.com>
2381 Web Inspector: Canvas tab: show detailed status during canvas recording
2382 https://bugs.webkit.org/show_bug.cgi?id=178185
2383 <rdar://problem/34939862>
2385 Reviewed by Brian Burg.
2387 * inspector/protocol/Canvas.json:
2388 Add a `recordingProgress` event that is sent to the frontend that contains all the frame
2389 payloads since the last Canvas.recordingProgress event and the current buffer usage.
2391 * inspector/protocol/Recording.json:
2392 Remove the required `frames` parameter from the Recording protocol object, as they will be
2393 sent in batches via the Canvas.recordingProgress event.
2395 2017-11-10 Joseph Pecoraro <pecoraro@apple.com>
2397 Web Inspector: Make http status codes be "integer" instead of "number" in protocol
2398 https://bugs.webkit.org/show_bug.cgi?id=179543
2400 Reviewed by Antoine Quint.
2402 * inspector/protocol/Network.json:
2403 Use a better type for the status code.
2405 2017-11-10 Robin Morisset <rmorisset@apple.com>
2407 The memory consumption of DFG::BasicBlock can be easily reduced a bit
2408 https://bugs.webkit.org/show_bug.cgi?id=179528
2410 Reviewed by Saam Barati.
2413 - Reordering some fields of DFG::BasicBlock to reduce padding
2414 - Making the enum fields that are glorified booleans fit into a u8
2415 - Making each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
2416 This change works because we never increase the number of arguments after allocating an Operands object.
2417 It lets us avoid one extra capacity field and one extra pointer field per Operands,
2418 and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
2419 Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
2420 we have a chance to avoid an allocation.
2421 - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
2423 * bytecode/Operands.h:
2424 (JSC::Operands::Operands):
2425 (JSC::Operands::numberOfArguments const):
2426 (JSC::Operands::numberOfLocals const):
2427 (JSC::Operands::argument):
2428 (JSC::Operands::argument const):
2429 (JSC::Operands::local):
2430 (JSC::Operands::local const):
2431 (JSC::Operands::ensureLocals):
2432 (JSC::Operands::setLocal):
2433 (JSC::Operands::getLocal):
2434 (JSC::Operands::setArgumentFirstTime):
2435 (JSC::Operands::setLocalFirstTime):
2436 (JSC::Operands::operand):
2437 (JSC::Operands::setOperand):
2438 (JSC::Operands::size const):
2439 (JSC::Operands::at const):
2440 (JSC::Operands::at):
2441 (JSC::Operands::isArgument const):
2442 (JSC::Operands::isVariable const):
2443 (JSC::Operands::virtualRegisterForIndex const):
2444 (JSC::Operands::fill):
2445 (JSC::Operands::operator== const):
2446 (JSC::Operands::argumentForIndex const): Deleted.
2447 (JSC::Operands::variableForIndex const): Deleted.
2448 (JSC::Operands::indexForOperand const): Deleted.
2449 * dfg/DFGBasicBlock.cpp:
2450 (JSC::DFG::BasicBlock::BasicBlock):
2451 * dfg/DFGBasicBlock.h:
2452 * dfg/DFGBranchDirection.h:
2453 * dfg/DFGStructureClobberState.h:
2455 2017-11-09 Yusuke Suzuki <utatane.tea@gmail.com>
2457 [JSC] Retry module fetching if previous request fails
2458 https://bugs.webkit.org/show_bug.cgi?id=178168
2460 Reviewed by Saam Barati.
2462 According to the latest spec, the failed fetching operation can be retried if it is requested again.
2465 <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2466 <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2468 When performing the first module fetching, integrity check fails, and the load of this module fails.
2469 But when loading the second module, we do not use the cached failure result in the first module loading.
2470 We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
2471 This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
2473 Interestingly, fetching result and instantiation result will be cached if they succeed. This is because we would
2474 like to cache modules based on their URLs. As a result,
2476 <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2477 <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2479 In the above case, the first loading succeeds. And the second loading also succeeds since the succeeded fetching and
2480 instantiation are cached in the module pipeline.
2482 This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
2483 failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
2484 if the previous one fails. As an overview of our change,
2486 1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
2487 be unified. But if the currently executing one fails, other attempts should retry fetching.
2489 2. Instantiation should be cached if fetching succeeds.
2491 3. Satisfying should be cached if it succeeds.
2493 [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
2495 * builtins/ModuleLoaderPrototype.js:
2497 (requestInstantiate):
2501 * runtime/JSGlobalObject.cpp:
2502 (JSC::JSGlobalObject::init):
2504 2017-11-09 Devin Rousso <webkit@devinrousso.com>
2506 Web Inspector: support undo/redo of insertAdjacentHTML
2507 https://bugs.webkit.org/show_bug.cgi?id=179283
2509 Reviewed by Joseph Pecoraro.
2511 * inspector/protocol/DOM.json:
2512 Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
2515 2017-11-09 Joseph Pecoraro <pecoraro@apple.com>
2517 Web Inspector: Make domain availability a list of types instead of a single type
2518 https://bugs.webkit.org/show_bug.cgi?id=179457
2520 Reviewed by Brian Burg.
2522 * inspector/scripts/codegen/generate_js_backend_commands.py:
2523 (JSBackendCommandsGenerator.generate_domain):
2524 Update output of `InspectorBackend.activateDomain` to include the list.
2526 * inspector/scripts/codegen/models.py:
2527 (Protocol.parse_domain):
2528 Parse `availability` as a list and include a new supported value of "service-worker".
2530 * inspector/protocol/ApplicationCache.json:
2531 * inspector/protocol/CSS.json:
2532 * inspector/protocol/Canvas.json:
2533 * inspector/protocol/DOM.json:
2534 * inspector/protocol/DOMDebugger.json:
2535 * inspector/protocol/DOMStorage.json:
2536 * inspector/protocol/Database.json:
2537 * inspector/protocol/IndexedDB.json:
2538 * inspector/protocol/LayerTree.json:
2539 * inspector/protocol/Memory.json:
2540 * inspector/protocol/Network.json:
2541 * inspector/protocol/Page.json:
2542 * inspector/protocol/Timeline.json:
2543 * inspector/protocol/Worker.json:
2544 Update `availability` to be a list.
2546 * inspector/scripts/tests/generic/domain-availability.json:
2547 * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2548 * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
2549 * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
2550 * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
2551 * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2552 * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2553 Update tests to include a test for the type and an invalid value.
2555 2017-11-03 Yusuke Suzuki <utatane.tea@gmail.com>
2557 [JSC][JIT] Clean up SlowPathCall stubs
2558 https://bugs.webkit.org/show_bug.cgi?id=179247
2560 Reviewed by Saam Barati.
2562 We have a bunch of duplicate functions that just call a slow path function.
2563 This patch cleans up the above duplication.
2566 (JSC::JIT::emitSlowCaseCall):
2567 (JSC::JIT::privateCompileSlowCases):
2569 * jit/JITArithmetic.cpp:
2570 (JSC::JIT::emitSlow_op_unsigned): Deleted.
2571 (JSC::JIT::emitSlow_op_inc): Deleted.
2572 (JSC::JIT::emitSlow_op_dec): Deleted.
2573 (JSC::JIT::emitSlow_op_bitand): Deleted.
2574 (JSC::JIT::emitSlow_op_bitor): Deleted.
2575 (JSC::JIT::emitSlow_op_bitxor): Deleted.
2576 (JSC::JIT::emitSlow_op_lshift): Deleted.
2577 (JSC::JIT::emitSlow_op_rshift): Deleted.
2578 (JSC::JIT::emitSlow_op_urshift): Deleted.
2579 (JSC::JIT::emitSlow_op_div): Deleted.
2580 * jit/JITArithmetic32_64.cpp:
2581 (JSC::JIT::emitSlow_op_unsigned): Deleted.
2582 (JSC::JIT::emitSlow_op_inc): Deleted.
2583 (JSC::JIT::emitSlow_op_dec): Deleted.
2584 * jit/JITOpcodes.cpp:
2585 (JSC::JIT::emitSlow_op_create_this): Deleted.
2586 (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2587 (JSC::JIT::emitSlow_op_to_this): Deleted.
2588 (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2589 (JSC::JIT::emitSlow_op_not): Deleted.
2590 (JSC::JIT::emitSlow_op_stricteq): Deleted.
2591 (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2592 (JSC::JIT::emitSlow_op_to_number): Deleted.
2593 (JSC::JIT::emitSlow_op_to_string): Deleted.
2594 (JSC::JIT::emitSlow_op_to_object): Deleted.
2595 (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2596 (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
2597 * jit/JITOpcodes32_64.cpp:
2598 (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2599 (JSC::JIT::emitSlow_op_not): Deleted.
2600 (JSC::JIT::emitSlow_op_stricteq): Deleted.
2601 (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2602 (JSC::JIT::emitSlow_op_to_number): Deleted.
2603 (JSC::JIT::emitSlow_op_to_string): Deleted.
2604 (JSC::JIT::emitSlow_op_to_object): Deleted.
2605 (JSC::JIT::emitSlow_op_create_this): Deleted.
2606 (JSC::JIT::emitSlow_op_to_this): Deleted.
2607 (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2608 (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2609 * jit/JITPropertyAccess.cpp:
2610 (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2611 * jit/JITPropertyAccess32_64.cpp:
2612 (JSC::JIT::emit_op_resolve_scope):
2613 (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2614 * jit/SlowPathCall.h:
2615 (JSC::JITSlowPathCall::JITSlowPathCall):
2616 * runtime/CommonSlowPaths.cpp:
2617 (JSC::SLOW_PATH_DECL):
2618 * runtime/CommonSlowPaths.h:
2620 2017-11-09 Guillaume Emont <guijemont@igalia.com>
2622 [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
2623 https://bugs.webkit.org/show_bug.cgi?id=179446
2625 Reviewed by Žan Doberšek.
2627 The trunc.w.d mips instruction should give a 0x7fffffff result when
2628 the source value is Infinity, NaN, or rounds to an integer outside the
2629 range -2^31 to 2^31 - 1. This is what branchTruncateDoubleToInt32() and
2630 branchTruncateDoubleToUInt32() have been relying on. It turns out that
2631 this assumption is not true on some CPUs, including on the ci20 on
2632 which we run the testbot (we get 0x80000000 instead). We should use the
2633 invalid operation cause bit instead to check whether the source value
2634 could be properly truncated. This requires the addition of the cfc1
2635 instruction, as well as the special registers that can be used with it
2636 (control registers of CP1).
2638 * assembler/MIPSAssembler.h:
2639 (JSC::MIPSAssembler::firstSPRegister):
2640 (JSC::MIPSAssembler::lastSPRegister):
2641 (JSC::MIPSAssembler::numberOfSPRegisters):
2642 (JSC::MIPSAssembler::sprName):
2643 Added control registers of CP1.
2644 (JSC::MIPSAssembler::cfc1):
2646 * assembler/MacroAssemblerMIPS.h:
2647 (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
2648 (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2649 (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2650 Use fcsr to check if the value could be properly truncated.
2652 2017-11-08 Jeremy Jones <jeremyj@apple.com>
2654 HTMLMediaElement should not use element fullscreen on iOS
2655 https://bugs.webkit.org/show_bug.cgi?id=179418
2656 rdar://problem/35409277
2658 Reviewed by Eric Carlson.
2660 Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
2662 * Configurations/FeatureDefines.xcconfig:
2664 2017-11-08 Joseph Pecoraro <pecoraro@apple.com>
2666 Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
2667 https://bugs.webkit.org/show_bug.cgi?id=179276
2669 Reviewed by Andy Estes.
2671 * inspector/InjectedScriptHost.h:
2672 * inspector/JSInjectedScriptHost.cpp:
2673 (Inspector::JSInjectedScriptHost::getInternalProperties):
2674 Call through to virtual implementation so that WebCore can provide custom
2675 internal properties for Web / DOM objects.
2677 2017-11-08 Saam Barati <sbarati@apple.com>
2679 A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2680 https://bugs.webkit.org/show_bug.cgi?id=177792
2682 Reviewed by Yusuke Suzuki.
2684 Before this patch, if a JSFunction's rare data initialized its allocation profile
2685 before its backing Executable's poly proto watchpoint was invalidated, that
2686 JSFunction would continue to allocate non-poly proto objects until its allocation
2687 profile was cleared (which essentially never happens in practice). This patch
2688 improves on this pathology. A JSFunction's rare data will now watch the poly
2689 proto watchpoint if it's still valid and clear its allocation profile when we
2690 detect that we should go poly proto.
2692 * bytecode/ObjectAllocationProfile.h:
2693 * bytecode/ObjectAllocationProfileInlines.h:
2694 (JSC::ObjectAllocationProfile::initializeProfile):
2695 * runtime/FunctionRareData.cpp:
2696 (JSC::FunctionRareData::initializeObjectAllocationProfile):
2697 (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2698 * runtime/FunctionRareData.h:
2699 (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
2700 (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
2701 (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
2703 2017-11-08 Keith Miller <keith_miller@apple.com>
2705 Add super sampler begin and end bytecodes.
2706 https://bugs.webkit.org/show_bug.cgi?id=179376
2708 Reviewed by Filip Pizlo.
2710 This patch adds a way to measure a narrow range of bytecodes for
2711 performance. This is done using the same infrastructure as the
2712 super sampler. I also added a class that helps do the bytecode
2713 checking with RAII. One problem with the current way this is done
2714 is that we don't handle decrementing early exits, either from
2715 branches or exceptions. So, when using this API users need to
2716 ensure that there are no early exits or that those exits don't
2717 occur on the measure code.
2719 * JavaScriptCore.xcodeproj/project.pbxproj:
2720 * bytecode/BytecodeDumper.cpp:
2721 (JSC::BytecodeDumper<Block>::dumpBytecode):
2722 * bytecode/BytecodeList.json:
2723 * bytecode/BytecodeUseDef.h:
2724 (JSC::computeUsesForBytecodeOffset):
2725 (JSC::computeDefsForBytecodeOffset):
2726 * bytecompiler/BytecodeGenerator.cpp:
2727 (JSC::BytecodeGenerator::emitSuperSamplerBegin):
2728 (JSC::BytecodeGenerator::emitSuperSamplerEnd):
2729 * bytecompiler/BytecodeGenerator.h:
2730 * bytecompiler/SuperSamplerBytecodeScope.h: Added.
2731 (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
2732 (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
2733 * dfg/DFGAbstractInterpreterInlines.h:
2734 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2735 * dfg/DFGByteCodeParser.cpp:
2736 (JSC::DFG::ByteCodeParser::parseBlock):
2737 * dfg/DFGClobberize.h:
2738 (JSC::DFG::clobberize):
2739 * dfg/DFGClobbersExitState.cpp:
2740 (JSC::DFG::clobbersExitState):
2741 * dfg/DFGDoesGC.cpp:
2743 * dfg/DFGFixupPhase.cpp:
2744 (JSC::DFG::FixupPhase::fixupNode):
2745 * dfg/DFGMayExit.cpp:
2746 * dfg/DFGNodeType.h:
2747 * dfg/DFGPredictionPropagationPhase.cpp:
2748 * dfg/DFGSafeToExecute.h:
2749 (JSC::DFG::safeToExecute):
2750 * dfg/DFGSpeculativeJIT.cpp:
2751 * dfg/DFGSpeculativeJIT32_64.cpp:
2752 (JSC::DFG::SpeculativeJIT::compile):
2753 * dfg/DFGSpeculativeJIT64.cpp:
2754 (JSC::DFG::SpeculativeJIT::compile):
2755 * ftl/FTLCapabilities.cpp:
2756 (JSC::FTL::canCompile):
2757 * ftl/FTLLowerDFGToB3.cpp:
2758 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2759 (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
2760 (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
2762 (JSC::JIT::privateCompileMainPass):
2764 * jit/JITOpcodes.cpp:
2765 (JSC::JIT::emit_op_super_sampler_begin):
2766 (JSC::JIT::emit_op_super_sampler_end):
2767 * llint/LLIntSlowPaths.cpp:
2768 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2769 * llint/LLIntSlowPaths.h:
2770 * llint/LowLevelInterpreter.asm:
2772 2017-11-08 Robin Morisset <rmorisset@apple.com>
2774 Turn recursive tail calls into loops
2775 https://bugs.webkit.org/show_bug.cgi?id=176601
2777 Reviewed by Saam Barati.
2779 Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2781 We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
2782 One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
2783 Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
2784 We do this part through modifying the computation of the jump targets.
2785 Importantly, we only do this splitting for functions that have tail calls.
2786 It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
2788 We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
2789 The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
2791 * bytecode/CodeBlock.h:
2792 (JSC::CodeBlock::hasTailCalls const):
2793 * bytecode/PreciseJumpTargets.cpp:
2794 (JSC::getJumpTargetsForBytecodeOffset):
2795 (JSC::computePreciseJumpTargetsInternal):
2796 * bytecode/UnlinkedCodeBlock.cpp:
2797 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2798 * bytecode/UnlinkedCodeBlock.h:
2799 (JSC::UnlinkedCodeBlock::hasTailCalls const):
2800 (JSC::UnlinkedCodeBlock::setHasTailCalls):
2801 * bytecompiler/BytecodeGenerator.cpp:
2802 (JSC::BytecodeGenerator::emitEnter):
2803 (JSC::BytecodeGenerator::emitCallInTailPosition):
2804 * dfg/DFGByteCodeParser.cpp:
2805 (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2806 (JSC::DFG::ByteCodeParser::makeBlockTargetable):
2807 (JSC::DFG::ByteCodeParser::handleCall):
2808 (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2809 (JSC::DFG::ByteCodeParser::parseBlock):
2810 (JSC::DFG::ByteCodeParser::parse):
2812 2017-11-08 Joseph Pecoraro <pecoraro@apple.com>
2814 Web Inspector: Remove unused Page.ScriptIdentifier protocol type
2815 https://bugs.webkit.org/show_bug.cgi?id=179407
2817 Reviewed by Matt Baker.
2819 * inspector/protocol/Page.json:
2820 Remove unused protocol type.
2822 2017-11-08 Carlos Garcia Campos <cgarcia@igalia.com>
2824 Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
2825 https://bugs.webkit.org/show_bug.cgi?id=173619
2827 Reviewed by Alex Christensen and Brian Burg.
2829 Eventually all classes used for our JSON-RPC message passing should be outside
2830 of the Inspector namespace since the protocol is used outside of Inspector code.
2831 This will also allow us to unify the primitive JSON types with parametric types
2832 like Inspector::Protocol::Array<T> and other protocol-related types which don't
2833 need to be in the Inspector namespace.
2835 Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
2836 patches, other clients will move to use JSON::Value and friends. When all uses are
2837 changed, the actual implementation will be renamed. This patch just focuses on the typedef
2838 and making changes in generated protocol code.
2840 Original patch by Brian Burg, rebased and updated by me.
2842 * inspector/InspectorValues.cpp:
2843 * inspector/InspectorValues.h:
2844 * inspector/scripts/codegen/cpp_generator.py:
2845 (CppGenerator.cpp_protocol_type_for_type):
2846 (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
2847 (CppGenerator.cpp_type_for_type_with_name):
2848 (CppGenerator.cpp_type_for_stack_in_parameter):
2849 * inspector/scripts/codegen/cpp_generator_templates.py:
2851 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2852 (_generate_class_for_object_declaration):
2853 (_generate_forward_declarations_for_binding_traits):
2854 * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2855 (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2856 (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
2857 * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2858 * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2859 * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2860 * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2861 * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2862 * inspector/scripts/tests/generic/expected/enum-values.json-result:
2863 * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2864 * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2865 * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2866 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2867 * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2868 * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2869 * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2870 * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2872 2017-11-07 Maciej Stachowiak <mjs@apple.com>
2874 Get rid of unsightly hex numbers from unified build object files
2875 https://bugs.webkit.org/show_bug.cgi?id=179410
2877 Reviewed by Saam Barati.
2879 * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
2881 2017-11-07 Saam Barati <sbarati@apple.com>
2883 Only cage double butterfly accesses
2884 https://bugs.webkit.org/show_bug.cgi?id=179202
2886 Reviewed by Mark Lam.
2888 This patch removes caging from all butterfly accesses except double loads/stores.
2889 This is a performance vs security tradeoff. Double loads/stores are the only butterfly
2890 loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
2891 by caging. The other load/stores we are no longer caging to get back performance on
2894 * bytecode/AccessCase.cpp:
2895 (JSC::AccessCase::generateImpl):
2896 * bytecode/InlineAccess.cpp:
2897 (JSC::InlineAccess::dumpCacheSizesAndCrash):
2898 (JSC::InlineAccess::generateSelfPropertyAccess):
2899 (JSC::InlineAccess::generateSelfPropertyReplace):
2900 (JSC::InlineAccess::generateArrayLength):
2901 * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
2902 * dfg/DFGSpeculativeJIT.cpp:
2903 (JSC::DFG::SpeculativeJIT::compileCreateRest):
2904 (JSC::DFG::SpeculativeJIT::compileSpread):
2905 (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2906 * dfg/DFGSpeculativeJIT64.cpp:
2907 (JSC::DFG::SpeculativeJIT::compile):
2908 * ftl/FTLLowerDFGToB3.cpp:
2909 (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2910 * jit/JITPropertyAccess.cpp:
2911 (JSC::JIT::emitContiguousLoad):
2912 (JSC::JIT::emitArrayStorageLoad):
2913 (JSC::JIT::emitGenericContiguousPutByVal):
2914 (JSC::JIT::emitArrayStoragePutByVal):
2915 (JSC::JIT::emit_op_get_from_scope):
2916 (JSC::JIT::emit_op_put_to_scope):
2917 * llint/LowLevelInterpreter64.asm:
2918 * runtime/AuxiliaryBarrier.h:
2919 (JSC::AuxiliaryBarrier::operator-> const):
2920 * runtime/Butterfly.h:
2921 (JSC::Butterfly::caged):
2922 (JSC::Butterfly::contiguousDouble):
2923 * runtime/JSArray.cpp:
2924 (JSC::JSArray::setLength):
2925 (JSC::JSArray::pop):
2926 (JSC::JSArray::shiftCountWithAnyIndexingType):
2927 (JSC::JSArray::unshiftCountWithAnyIndexingType):
2928 (JSC::JSArray::fillArgList):
2929 (JSC::JSArray::copyToArguments):
2930 * runtime/JSArrayInlines.h:
2931 (JSC::JSArray::pushInline):
2932 * runtime/JSObject.cpp:
2933 (JSC::JSObject::heapSnapshot):
2934 (JSC::JSObject::createInitialIndexedStorage):
2935 (JSC::JSObject::createArrayStorage):
2936 (JSC::JSObject::convertUndecidedToInt32):
2937 (JSC::JSObject::ensureLengthSlow):
2938 (JSC::JSObject::reallocateAndShrinkButterfly):
2939 (JSC::JSObject::allocateMoreOutOfLineStorage):
2940 * runtime/JSObject.h:
2941 (JSC::JSObject::canGetIndexQuickly):
2942 (JSC::JSObject::getIndexQuickly):
2943 (JSC::JSObject::tryGetIndexQuickly const):
2944 (JSC::JSObject::canSetIndexQuickly):
2945 (JSC::JSObject::butterfly const):
2946 (JSC::JSObject::butterfly):
2948 2017-11-07 Mark Lam <mark.lam@apple.com>
2950 Introduce a default RegisterSet constructor so that we can use { } notation.
2951 https://bugs.webkit.org/show_bug.cgi?id=179389
2953 Reviewed by Saam Barati.
2955 I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
2956 does not add any code documentation value.
2958 * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2959 * b3/air/AirCode.cpp:
2960 (JSC::B3::Air::Code::setRegsInPriorityOrder):
2961 * b3/air/AirPrintSpecial.cpp:
2962 (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
2963 (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
2964 * b3/air/testair.cpp:
2965 * bytecode/PolymorphicAccess.h:
2966 (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2967 (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
2968 * dfg/DFGJITCode.cpp:
2969 (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2970 * ftl/FTLJITCode.cpp:
2971 (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2973 (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2974 * jit/RegisterSet.cpp:
2975 (JSC::RegisterSet::reservedHardwareRegisters):
2976 (JSC::RegisterSet::runtimeRegisters):
2977 (JSC::RegisterSet::macroScratchRegisters):
2978 * jit/RegisterSet.h:
2979 (JSC::RegisterSet::RegisterSet):
2980 * wasm/WasmB3IRGenerator.cpp:
2981 (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2983 2017-11-07 Mark Lam <mark.lam@apple.com>
2985 AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2986 https://bugs.webkit.org/show_bug.cgi?id=179355
2987 <rdar://problem/35263053>
2989 Reviewed by Saam Barati.
2991 In the Transition case in AccessCase::generateImpl(), we were restoring registers
2992 using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
2993 where we previously stashed the reallocated butterfly. If the generated code is
2994 under heavy register pressure, scratchGPR could have been from the set of preserved
2995 registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
2996 As a result, the restoration would trash the butterfly result we stored there.
2997 This patch fixes the issue by excluding the scratchGPR in the restoration.
2999 * bytecode/AccessCase.cpp:
3000 (JSC::AccessCase::generateImpl):
3002 2017-11-06 Robin Morisset <rmorisset@apple.com>
3004 CodeBlock::usesOpcode() is dead code
3005 https://bugs.webkit.org/show_bug.cgi?id=179316
3007 Reviewed by Yusuke Suzuki.
3009 Remove CodeBlock::usesOpcode which is dead code
3011 * bytecode/CodeBlock.cpp:
3012 * bytecode/CodeBlock.h:

2017-11-05 Yusuke Suzuki <utatane.tea@gmail.com>

JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
https://bugs.webkit.org/show_bug.cgi?id=144458

Reviewed by Saam Barati.

Previously, only JSFunction was handled by CallLinkInfo's caching mechanism. This means that
InternalFunction calls are not cached and they always go to the slow path. This is not good because:

1. We need to query getCallData/getConstructData every time in the slow path.
2. CallLinkInfo tells us nothing in the higher-tier JITs.

This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
to hold pointers to the functions for call and construct. We have new stubs that can call/construct
InternalFunction, and we return this code pointer as the result of the setup call to use the CallLinkInfo mechanism.

This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
for InternalFunction. Previously, we did not record any information in CallLinkInfo. Except for the
case where DFGByteCodeParser figures out an InternalFunction constant, we cannot attempt to emit DFG
nodes for these InternalFunctions since CallLinkInfo tells us nothing.

The attached microbenchmarks show a performance improvement.

dfg-internal-function-construct 1.6439+-0.0826 ^ 1.2829+-0.0727 ^ definitely 1.2813x faster
dfg-internal-function-not-handled-construct 2.1862+-0.1361 2.0696+-0.1201 might be 1.0564x faster
dfg-internal-function-not-handled-call 20.7592+-0.9085 19.7369+-0.7921 might be 1.0518x faster
dfg-internal-function-call 1.6856+-0.0967 ^ 1.2771+-0.0744 ^ definitely 1.3198x faster

[1]: https://bugs.webkit.org/show_bug.cgi?id=178064

* API/JSCallbackFunction.cpp:
(JSC::JSCallbackFunction::JSCallbackFunction):
(JSC::JSCallbackFunction::getCallData): Deleted.
* API/JSCallbackFunction.h:
(JSC::JSCallbackFunction::createStructure):
* API/ObjCCallbackFunction.h:
(JSC::ObjCCallbackFunction::createStructure):
* API/ObjCCallbackFunction.mm:
(JSC::ObjCCallbackFunction::ObjCCallbackFunction):
(JSC::ObjCCallbackFunction::getCallData): Deleted.
(JSC::ObjCCallbackFunction::getConstructData): Deleted.
* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::printCallOp):
* bytecode/BytecodeList.json:
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::setCallee):
(JSC::CallLinkInfo::callee):
(JSC::CallLinkInfo::setLastSeenCallee):
(JSC::CallLinkInfo::lastSeenCallee):
(JSC::CallLinkInfo::visitWeak):
* bytecode/CallLinkInfo.h:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromCallLinkInfo):
* bytecode/LLIntCallLinkInfo.h:
* jit/JITOperations.cpp:
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiInternalFunctionCall):
(JSC::JITThunks::ctiInternalFunctionConstruct):
(JSC::linkPolymorphicCall):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::nativeCallGenerator):
(JSC::nativeTailCallGenerator):
(JSC::nativeTailCallWithoutSavedTagsGenerator):
(JSC::nativeConstructGenerator):
(JSC::internalFunctionCallGenerator):
(JSC::internalFunctionConstructGenerator):
* jit/ThunkGenerators.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayConstructor.cpp:
(JSC::ArrayConstructor::ArrayConstructor):
(JSC::ArrayConstructor::getConstructData): Deleted.
(JSC::ArrayConstructor::getCallData): Deleted.
* runtime/ArrayConstructor.h:
(JSC::ArrayConstructor::createStructure):
* runtime/AsyncFunctionConstructor.cpp:
(JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
(JSC::AsyncFunctionConstructor::finishCreation):
(JSC::AsyncFunctionConstructor::getCallData): Deleted.
(JSC::AsyncFunctionConstructor::getConstructData): Deleted.
* runtime/AsyncFunctionConstructor.h:
(JSC::AsyncFunctionConstructor::createStructure):
* runtime/AsyncGeneratorFunctionConstructor.cpp:
(JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
(JSC::AsyncGeneratorFunctionConstructor::finishCreation):
(JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
(JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
* runtime/AsyncGeneratorFunctionConstructor.h:
(JSC::AsyncGeneratorFunctionConstructor::createStructure):
* runtime/BooleanConstructor.cpp:
(JSC::callBooleanConstructor):
(JSC::BooleanConstructor::BooleanConstructor):
(JSC::BooleanConstructor::finishCreation):
(JSC::BooleanConstructor::getConstructData): Deleted.
(JSC::BooleanConstructor::getCallData): Deleted.
* runtime/BooleanConstructor.h:
(JSC::BooleanConstructor::createStructure):
* runtime/DateConstructor.cpp:
(JSC::DateConstructor::DateConstructor):
(JSC::DateConstructor::getConstructData): Deleted.
(JSC::DateConstructor::getCallData): Deleted.
* runtime/DateConstructor.h:
(JSC::DateConstructor::createStructure):
(JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
(JSC::StrictModeTypeErrorFunction::createStructure):
(JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
(JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
* runtime/ErrorConstructor.cpp:
(JSC::ErrorConstructor::ErrorConstructor):
(JSC::ErrorConstructor::getConstructData): Deleted.
(JSC::ErrorConstructor::getCallData): Deleted.
* runtime/ErrorConstructor.h:
(JSC::ErrorConstructor::createStructure):
* runtime/FunctionConstructor.cpp:
(JSC::FunctionConstructor::FunctionConstructor):
(JSC::FunctionConstructor::finishCreation):
(JSC::FunctionConstructor::getConstructData): Deleted.
(JSC::FunctionConstructor::getCallData): Deleted.
* runtime/FunctionConstructor.h:
(JSC::FunctionConstructor::createStructure):
* runtime/FunctionPrototype.cpp:
(JSC::callFunctionPrototype):
(JSC::FunctionPrototype::FunctionPrototype):
(JSC::FunctionPrototype::getCallData): Deleted.
* runtime/FunctionPrototype.h:
(JSC::FunctionPrototype::createStructure):
* runtime/GeneratorFunctionConstructor.cpp:
(JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
(JSC::GeneratorFunctionConstructor::finishCreation):
(JSC::GeneratorFunctionConstructor::getCallData): Deleted.
(JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
* runtime/GeneratorFunctionConstructor.h:
(JSC::GeneratorFunctionConstructor::createStructure):
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::InternalFunction):
(JSC::InternalFunction::finishCreation):
(JSC::InternalFunction::getCallData):
(JSC::InternalFunction::getConstructData):
* runtime/InternalFunction.h:
(JSC::InternalFunction::createStructure):
(JSC::InternalFunction::nativeFunctionFor):
(JSC::InternalFunction::offsetOfNativeFunctionFor):
* runtime/IntlCollatorConstructor.cpp:
(JSC::IntlCollatorConstructor::createStructure):
(JSC::IntlCollatorConstructor::IntlCollatorConstructor):
(JSC::IntlCollatorConstructor::getConstructData): Deleted.
(JSC::IntlCollatorConstructor::getCallData): Deleted.
* runtime/IntlCollatorConstructor.h:
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::IntlDateTimeFormatConstructor::createStructure):
(JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
(JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
(JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
* runtime/IntlDateTimeFormatConstructor.h:
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::IntlNumberFormatConstructor::createStructure):
(JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
(JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
(JSC::IntlNumberFormatConstructor::getCallData): Deleted.
* runtime/IntlNumberFormatConstructor.h:
* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
(JSC::JSArrayBufferConstructor::createStructure):
(JSC::JSArrayBufferConstructor::getConstructData): Deleted.
(JSC::JSArrayBufferConstructor::getCallData): Deleted.
* runtime/JSArrayBufferConstructor.h:
* runtime/JSGenericTypedArrayViewConstructor.h:
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
(JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
(JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
(JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
* runtime/JSInternalPromiseConstructor.cpp:
(JSC::JSInternalPromiseConstructor::createStructure):
(JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
(JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
(JSC::JSInternalPromiseConstructor::getCallData): Deleted.
* runtime/JSInternalPromiseConstructor.h:
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::createStructure):
(JSC::JSPromiseConstructor::JSPromiseConstructor):
(JSC::JSPromiseConstructor::getConstructData): Deleted.
(JSC::JSPromiseConstructor::getCallData): Deleted.
* runtime/JSPromiseConstructor.h:
* runtime/JSTypedArrayViewConstructor.cpp:
(JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
(JSC::JSTypedArrayViewConstructor::createStructure):
(JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
(JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
* runtime/JSTypedArrayViewConstructor.h:
* runtime/MapConstructor.cpp:
(JSC::MapConstructor::MapConstructor):
(JSC::MapConstructor::getConstructData): Deleted.
(JSC::MapConstructor::getCallData): Deleted.
* runtime/MapConstructor.h:
(JSC::MapConstructor::createStructure):
(JSC::MapConstructor::MapConstructor): Deleted.
* runtime/NativeErrorConstructor.cpp:
(JSC::NativeErrorConstructor::NativeErrorConstructor):
(JSC::NativeErrorConstructor::getConstructData): Deleted.
(JSC::NativeErrorConstructor::getCallData): Deleted.
* runtime/NativeErrorConstructor.h:
(JSC::NativeErrorConstructor::createStructure):
* runtime/NullGetterFunction.cpp:
(JSC::NullGetterFunction::NullGetterFunction):
(JSC::NullGetterFunction::getCallData): Deleted.
(JSC::NullGetterFunction::getConstructData): Deleted.
* runtime/NullGetterFunction.h:
(JSC::NullGetterFunction::createStructure):
(JSC::NullGetterFunction::NullGetterFunction): Deleted.
* runtime/NullSetterFunction.cpp:
(JSC::NullSetterFunction::NullSetterFunction):
(JSC::NullSetterFunction::getCallData): Deleted.
(JSC::NullSetterFunction::getConstructData): Deleted.
* runtime/NullSetterFunction.h:
(JSC::NullSetterFunction::createStructure):
(JSC::NullSetterFunction::NullSetterFunction): Deleted.
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::NumberConstructor):
(JSC::constructNumberConstructor):
(JSC::constructWithNumberConstructor): Deleted.
(JSC::NumberConstructor::getConstructData): Deleted.
(JSC::NumberConstructor::getCallData): Deleted.
* runtime/NumberConstructor.h:
(JSC::NumberConstructor::createStructure):
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructor::ObjectConstructor):
(JSC::ObjectConstructor::getConstructData): Deleted.
(JSC::ObjectConstructor::getCallData): Deleted.
* runtime/ObjectConstructor.h:
(JSC::ObjectConstructor::createStructure):
* runtime/ProxyConstructor.cpp:
(JSC::ProxyConstructor::ProxyConstructor):
(JSC::ProxyConstructor::getConstructData): Deleted.
(JSC::ProxyConstructor::getCallData): Deleted.
* runtime/ProxyConstructor.h:
(JSC::ProxyConstructor::createStructure):
* runtime/ProxyRevoke.cpp:
(JSC::ProxyRevoke::ProxyRevoke):
(JSC::ProxyRevoke::getCallData): Deleted.
* runtime/ProxyRevoke.h:
(JSC::ProxyRevoke::createStructure):
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::RegExpConstructor):
(JSC::RegExpConstructor::getConstructData): Deleted.
(JSC::RegExpConstructor::getCallData): Deleted.
* runtime/RegExpConstructor.h:
(JSC::RegExpConstructor::createStructure):
* runtime/SetConstructor.cpp:
(JSC::SetConstructor::SetConstructor):
(JSC::SetConstructor::getConstructData): Deleted.
(JSC::SetConstructor::getCallData): Deleted.
* runtime/SetConstructor.h:
(JSC::SetConstructor::createStructure):
(JSC::SetConstructor::SetConstructor): Deleted.
* runtime/StringConstructor.cpp:
(JSC::StringConstructor::StringConstructor):
(JSC::StringConstructor::getConstructData): Deleted.
(JSC::StringConstructor::getCallData): Deleted.
* runtime/StringConstructor.h:
(JSC::StringConstructor::createStructure):
* runtime/SymbolConstructor.cpp:
(JSC::SymbolConstructor::SymbolConstructor):
(JSC::SymbolConstructor::getConstructData): Deleted.
(JSC::SymbolConstructor::getCallData): Deleted.
* runtime/SymbolConstructor.h:
(JSC::SymbolConstructor::createStructure):
(JSC::VM::getCTIInternalFunctionTrampolineFor):
* runtime/WeakMapConstructor.cpp:
(JSC::WeakMapConstructor::WeakMapConstructor):
(JSC::WeakMapConstructor::getConstructData): Deleted.
(JSC::WeakMapConstructor::getCallData): Deleted.
* runtime/WeakMapConstructor.h:
(JSC::WeakMapConstructor::createStructure):
(JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
* runtime/WeakSetConstructor.cpp:
(JSC::WeakSetConstructor::WeakSetConstructor):
(JSC::WeakSetConstructor::getConstructData): Deleted.
(JSC::WeakSetConstructor::getCallData): Deleted.
* runtime/WeakSetConstructor.h:
(JSC::WeakSetConstructor::createStructure):
(JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
* wasm/js/WebAssemblyCompileErrorConstructor.cpp:
(JSC::WebAssemblyCompileErrorConstructor::createStructure):
(JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
(JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
(JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
* wasm/js/WebAssemblyCompileErrorConstructor.h:
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::WebAssemblyInstanceConstructor::createStructure):
(JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
(JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
(JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
* wasm/js/WebAssemblyInstanceConstructor.h:
* wasm/js/WebAssemblyLinkErrorConstructor.cpp:
(JSC::WebAssemblyLinkErrorConstructor::createStructure):
(JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
(JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
(JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
* wasm/js/WebAssemblyLinkErrorConstructor.h:
* wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::WebAssemblyMemoryConstructor::createStructure):
(JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
(JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
(JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.