1 2016-03-01 Filip Pizlo <fpizlo@apple.com>
3 Unreviewed, fix CLOOP build.
7 2016-03-01 Skachkov Oleksandr <gskachkov@gmail.com>
9 [ES6] Arrow function. Some unused bytecode is emitted
10 https://bugs.webkit.org/show_bug.cgi?id=154639
12 Reviewed by Saam Barati.
14 Currently the bytecode that is generated for arrow functions is not optimal.
15 The current fix removes the following unnecessary bytecode:
16 1. create_lexical_environment is not always emitted for an arrow function, only if one of the
17 features (this/super/arguments/eval) is used inside the arrow function.
18 2. Loading 'this' from the arrow function scope in a constructor is done only if super
19 is contained in the arrow function.
21 * bytecompiler/BytecodeGenerator.cpp:
22 (JSC::BytecodeGenerator::BytecodeGenerator):
23 (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
24 * bytecompiler/BytecodeGenerator.h:
25 * bytecompiler/NodesCodegen.cpp:
26 (JSC::ThisNode::emitBytecode):
27 (JSC::FunctionNode::emitBytecode):
29 (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
30 * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
32 2016-02-29 Filip Pizlo <fpizlo@apple.com>
34 Turn String.prototype.replace into an intrinsic
35 https://bugs.webkit.org/show_bug.cgi?id=154835
37 Reviewed by Michael Saboff.
39 Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
40 of checks to see if the parameters are what they are likely to often be (a string, a
41 regexp, and a string). The intuition of this patch is that it's good to remove those checks
42 and it's good to call the native function as directly as possible.
44 This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
45 It also improves Octane/jquery.
47 This is only the beginning of what I want to do with replace optimizations. The other
48 optimizations will rely on StringReplace being revealed as a construct in DFG IR.
50 * JavaScriptCore.xcodeproj/project.pbxproj:
51 * bytecode/SpeculatedType.cpp:
52 (JSC::dumpSpeculation):
53 (JSC::speculationToAbbreviatedString):
54 (JSC::speculationFromClassInfo):
55 * bytecode/SpeculatedType.h:
56 (JSC::isStringOrStringObjectSpeculation):
57 (JSC::isRegExpObjectSpeculation):
58 (JSC::isBoolInt32Speculation):
59 * dfg/DFGAbstractInterpreterInlines.h:
60 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
61 * dfg/DFGByteCodeParser.cpp:
62 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
63 * dfg/DFGClobberize.h:
64 (JSC::DFG::clobberize):
67 * dfg/DFGFixupPhase.cpp:
68 (JSC::DFG::FixupPhase::fixupNode):
70 (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
71 (JSC::DFG::Node::shouldSpeculateRegExpObject):
72 (JSC::DFG::Node::shouldSpeculateSymbol):
74 * dfg/DFGPredictionPropagationPhase.cpp:
75 (JSC::DFG::PredictionPropagationPhase::propagate):
76 * dfg/DFGSafeToExecute.h:
77 (JSC::DFG::SafeToExecuteEdge::operator()):
78 (JSC::DFG::safeToExecute):
79 * dfg/DFGSpeculativeJIT.cpp:
80 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
81 (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
82 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
83 (JSC::DFG::SpeculativeJIT::speculate):
84 * dfg/DFGSpeculativeJIT.h:
85 * dfg/DFGSpeculativeJIT32_64.cpp:
86 (JSC::DFG::SpeculativeJIT::compile):
87 * dfg/DFGSpeculativeJIT64.cpp:
88 (JSC::DFG::SpeculativeJIT::compile):
92 (JSC::DFG::typeFilterFor):
94 * ftl/FTLCapabilities.cpp:
95 (JSC::FTL::canCompile):
96 * ftl/FTLLowerDFGToB3.cpp:
97 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
98 (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
99 (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
100 (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
101 (JSC::FTL::DFG::LowerDFGToB3::speculate):
102 (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
103 (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
104 (JSC::FTL::DFG::LowerDFGToB3::speculateString):
105 * jit/JITOperations.h:
106 * runtime/Intrinsic.h:
108 * runtime/RegExpObject.h:
109 (JSC::RegExpObject::createStructure):
110 * runtime/StringPrototype.cpp:
111 (JSC::StringPrototype::finishCreation):
112 (JSC::removeUsingRegExpSearch):
113 (JSC::replaceUsingRegExpSearch):
114 (JSC::operationStringProtoFuncReplaceRegExpString):
115 (JSC::replaceUsingStringSearch):
116 (JSC::stringProtoFuncRepeat):
118 (JSC::stringProtoFuncReplace):
119 (JSC::operationStringProtoFuncReplaceGeneric):
120 (JSC::stringProtoFuncToString):
121 * runtime/StringPrototype.h:
123 2016-03-01 Commit Queue <commit-queue@webkit.org>
125 Unreviewed, rolling out r197056.
126 https://bugs.webkit.org/show_bug.cgi?id=154870
128 broke win ews (Requested by alexchristensen on #webkit).
132 "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
133 https://bugs.webkit.org/show_bug.cgi?id=154651
134 http://trac.webkit.org/changeset/197056
136 2016-02-29 Saam barati <sbarati@apple.com>
138 [[PreventExtensions]] should be a virtual method in the method table.
139 https://bugs.webkit.org/show_bug.cgi?id=154800
141 Reviewed by Yusuke Suzuki.
143 This patch makes us more consistent with how the ES6 specification models the
144 [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable
145 is a prerequisite for implementing Proxy.[[PreventExtensions]].
147 * runtime/ClassInfo.h:
148 * runtime/JSCell.cpp:
149 (JSC::JSCell::getGenericPropertyNames):
150 (JSC::JSCell::preventExtensions):
152 * runtime/JSModuleNamespaceObject.cpp:
153 (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
154 (JSC::JSModuleNamespaceObject::finishCreation):
155 (JSC::JSModuleNamespaceObject::destroy):
156 * runtime/JSModuleNamespaceObject.h:
157 (JSC::JSModuleNamespaceObject::create):
158 (JSC::JSModuleNamespaceObject::moduleRecord):
159 * runtime/JSObject.cpp:
160 (JSC::JSObject::freeze):
161 (JSC::JSObject::preventExtensions):
162 (JSC::JSObject::reifyAllStaticProperties):
163 * runtime/JSObject.h:
164 (JSC::JSObject::isSealed):
165 (JSC::JSObject::isFrozen):
166 (JSC::JSObject::isExtensible):
167 * runtime/ObjectConstructor.cpp:
168 (JSC::objectConstructorSeal):
169 (JSC::objectConstructorFreeze):
170 (JSC::objectConstructorPreventExtensions):
171 (JSC::objectConstructorIsSealed):
172 * runtime/ReflectObject.cpp:
173 (JSC::reflectObjectPreventExtensions):
174 * runtime/Structure.cpp:
175 (JSC::Structure::Structure):
176 (JSC::Structure::preventExtensionsTransition):
177 * runtime/Structure.h:
179 2016-02-29 Yusuke Suzuki <utatane.tea@gmail.com>
181 [JSC] Private symbols should not be trapped by proxy handler
182 https://bugs.webkit.org/show_bug.cgi?id=154817
184 Reviewed by Mark Lam.
186 Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
187 For example, in ArrayIteratorPrototype.js
189 var itemKind = this.@arrayIterationKind;
190 if (itemKind === @undefined)
191 throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
193 Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
194 But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.
196 To avoid this situation, we perform the default operations for property operations with private symbols.
198 * runtime/ProxyObject.cpp:
199 (JSC::performProxyGet):
200 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
201 (JSC::ProxyObject::performHasProperty):
202 (JSC::ProxyObject::performPut):
203 (JSC::ProxyObject::performDelete):
204 (JSC::ProxyObject::deleteProperty):
205 (JSC::ProxyObject::deletePropertyByIndex):
206 * tests/stress/proxy-basic.js:
207 * tests/stress/proxy-with-private-symbols.js: Added.
209 (let.handler.getOwnPropertyDescriptor):
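Added example (not part of this patch or of WebKit's tests): a Proxy whose get trap answers every lookup, including symbol keys, with a non-undefined value, driven through %ArrayIteratorPrototype%.next with the proxy as |this|. Run under Node.js, it shows the invariant the patch protects: the builtin must reject the proxy with a TypeError rather than treat it as an array iterator, while ordinary public property reads still go through the trap. V8 keeps this state in internal slots rather than private symbols, but the observable behaviour is the same. The names spoofing, probeBuiltin and the helper functions are chosen here; the error message text is engine-specific, so only the error type is checked.

```javascript
// Added example, not WebKit code: a Proxy that answers every property read
// with a non-undefined value. If a builtin's internal-state check could be
// satisfied through such a trap, the builtin would treat this object as a
// real array iterator. A conforming engine must not let that happen.
const spoofing = new Proxy({}, {
  get(target, key) {
    // Every key, string or symbol, looks "present" with a truthy value.
    return 42;
  },
  has() {
    return true;
  },
});

// Borrow the genuine %ArrayIteratorPrototype%.next from a real array iterator.
const arrayIteratorNext = Object.getPrototypeOf([][Symbol.iterator]()).next;

// Call a builtin with an arbitrary |this| and report what happened.
function probeBuiltin(builtin, thisValue) {
  try {
    return { threw: false, result: builtin.call(thisValue) };
  } catch (e) {
    return { threw: true, errorName: e.name };
  }
}

// The confusion the ChangeLog describes: the proxy claims to have every
// property, but the engine must still reject it as an iterator.
function proxyAsArrayIterator() {
  return probeBuiltin(arrayIteratorNext, spoofing);
}

// Control: the same builtin on a real iterator yields the first element.
function realArrayIterator() {
  return probeBuiltin(arrayIteratorNext, [7, 8][Symbol.iterator]());
}

// Public property operations are still trapped, as the Proxy spec requires;
// only the engine-private state is exempt from the handler.
function publicReadsAreTrapped() {
  return spoofing.anything === 42 && spoofing[Symbol.iterator] === 42 && 'x' in spoofing;
}
```

Calling proxyAsArrayIterator() returns { threw: true, errorName: 'TypeError' }; if an engine ever returned { threw: false, ... } here, its builtins could be driven with attacker-shaped |this| values, which is the bug class this patch closes for private symbols.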
211 2016-02-29 Filip Pizlo <fpizlo@apple.com>
213 regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
214 https://bugs.webkit.org/show_bug.cgi?id=154841
216 Reviewed by Benjamin Poulain.
221 1) Change an InferredType. This acquires InferredType::m_lock.
222 2) Fire watchpoint set. This triggers CodeBlock invalidation, which acquires
226 1) Iterate over the information in a CodeBlock. This acquires CodeBlock::m_lock.
227 2) Ask an InferredType for its descriptor(). This acquires InferredType::m_lock.
229 I think that the DFG thread's ordering should be legal, because the best logic for lock
230 hierarchies is that locks that protect the largest set of stuff should be acquired first.
232 This means that the main thread shouldn't be holding the InferredType::m_lock when firing
233 watchpoint sets. That's what this patch ensures.
235 At the time of writing, this test was deadlocking for me on trunk 100% of the time. With
236 this change I cannot get it to deadlock.
238 * runtime/InferredType.cpp:
239 (JSC::InferredType::willStoreValueSlow):
240 (JSC::InferredType::makeTopSlow):
241 (JSC::InferredType::set):
242 (JSC::InferredType::removeStructure):
243 (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
244 * runtime/InferredType.h:
246 2016-02-29 Yusuke Suzuki <utatane.tea@gmail.com>
248 [DFG][FTL][B3] Support floor and ceil
249 https://bugs.webkit.org/show_bug.cgi?id=154683
251 Reviewed by Filip Pizlo.
253 This patch implements and fixes the following things.
255 1. Implement Ceil and Floor in DFG, FTL and B3
257 x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
258 This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
259 During the DFG phase, these nodes attempt to convert themselves to Identity (in the Fixup phase).
260 As with ArithRound, they track the arith rounding mode.
261 And if these nodes are required to emit machine code, we emit rounding machine code
262 if it is supported on the current machine. For example, on x86, we emit `round`.
264 This `Floor` functionality is nice for @toInteger in the builtins.
265 That is used for Array.prototype.{forEach, map, every, some, reduce...}
266 And according to the benchmark results, Kraken audio-oscillator is slightly improved
267 due to its frequent Math.round and Math.floor calls.
269 2. Implement Floor in B3 and Air
271 As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
272 This Floor is leveraged to implement ArithFloor in DFG.
274 3. Fix ArithRound operation
276 Currently, we use cvtsd2si (on x86) to convert a double value to int32.
277 And we also use this to implement Math.round, like cvtsd2si(value + 0.5).
278 However, this implementation is not correct, because cvtsd2si is not a floor operation.
279 It is a truncate operation. This is OK for positive numbers, but not for negative numbers.
280 For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
281 Using Ceil and Floor instructions, we implement a correct ArithRound.
283 * assembler/MacroAssemblerARM.h:
284 (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
285 (JSC::MacroAssemblerARM::ceilDouble):
286 (JSC::MacroAssemblerARM::floorDouble):
287 (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
288 * assembler/MacroAssemblerARM64.h:
289 (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
290 (JSC::MacroAssemblerARM64::floorFloat):
291 (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
292 * assembler/MacroAssemblerARMv7.h:
293 (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
294 (JSC::MacroAssemblerARMv7::ceilDouble):
295 (JSC::MacroAssemblerARMv7::floorDouble):
296 (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
297 * assembler/MacroAssemblerMIPS.h:
298 (JSC::MacroAssemblerMIPS::ceilDouble):
299 (JSC::MacroAssemblerMIPS::floorDouble):
300 (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
301 (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
302 * assembler/MacroAssemblerSH4.h:
303 (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
304 (JSC::MacroAssemblerSH4::ceilDouble):
305 (JSC::MacroAssemblerSH4::floorDouble):
306 (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
307 * assembler/MacroAssemblerX86Common.h:
308 (JSC::MacroAssemblerX86Common::floorDouble):
309 (JSC::MacroAssemblerX86Common::floorFloat):
310 (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
311 (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
312 * b3/B3ConstDoubleValue.cpp:
313 (JSC::B3::ConstDoubleValue::floorConstant):
314 * b3/B3ConstDoubleValue.h:
315 * b3/B3ConstFloatValue.cpp:
316 (JSC::B3::ConstFloatValue::floorConstant):
317 * b3/B3ConstFloatValue.h:
318 * b3/B3LowerMacrosAfterOptimizations.cpp:
319 * b3/B3LowerToAir.cpp:
320 (JSC::B3::Air::LowerToAir::lower):
322 (WTF::printInternal):
324 * b3/B3ReduceDoubleToFloat.cpp:
325 * b3/B3ReduceStrength.cpp:
328 (JSC::B3::Value::floorConstant):
329 (JSC::B3::Value::isRounded):
330 (JSC::B3::Value::effects):
331 (JSC::B3::Value::key):
332 (JSC::B3::Value::typeFor):
334 * b3/air/AirFixPartialRegisterStalls.cpp:
335 * b3/air/AirOpcode.opcodes:
337 (JSC::B3::testFloorCeilArg):
338 (JSC::B3::testFloorArg):
339 (JSC::B3::testFloorImm):
340 (JSC::B3::testFloorMem):
341 (JSC::B3::testFloorFloorArg):
342 (JSC::B3::testCeilFloorArg):
343 (JSC::B3::testFloorIToD64):
344 (JSC::B3::testFloorIToD32):
345 (JSC::B3::testFloorArgWithUselessDoubleConversion):
346 (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
348 * dfg/DFGAbstractInterpreterInlines.h:
349 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
350 * dfg/DFGArithMode.cpp:
351 (WTF::printInternal):
352 * dfg/DFGArithMode.h:
353 * dfg/DFGByteCodeParser.cpp:
354 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
355 * dfg/DFGClobberize.h:
356 (JSC::DFG::clobberize):
359 * dfg/DFGFixupPhase.cpp:
360 (JSC::DFG::FixupPhase::fixupNode):
362 (JSC::DFG::Graph::dump):
364 (JSC::DFG::Graph::roundShouldSpeculateInt32):
366 (JSC::DFG::Node::arithNodeFlags):
367 (JSC::DFG::Node::hasHeapPrediction):
368 (JSC::DFG::Node::hasArithRoundingMode):
370 * dfg/DFGPredictionPropagationPhase.cpp:
371 (JSC::DFG::PredictionPropagationPhase::propagate):
372 * dfg/DFGSafeToExecute.h:
373 (JSC::DFG::safeToExecute):
374 * dfg/DFGSpeculativeJIT.cpp:
375 (JSC::DFG::SpeculativeJIT::compileArithRounding):
376 (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
377 * dfg/DFGSpeculativeJIT.h:
378 * dfg/DFGSpeculativeJIT32_64.cpp:
379 (JSC::DFG::SpeculativeJIT::compile):
380 * dfg/DFGSpeculativeJIT64.cpp:
381 (JSC::DFG::SpeculativeJIT::compile):
382 * ftl/FTLCapabilities.cpp:
383 (JSC::FTL::canCompile):
384 * ftl/FTLLowerDFGToB3.cpp:
385 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
386 (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
387 (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
388 (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
390 (JSC::FTL::Output::doubleFloor):
391 * jit/ThunkGenerators.cpp:
392 (JSC::ceilThunkGenerator):
393 * tests/stress/math-ceil-arith-rounding-mode.js: Added.
394 (firstCareAboutZeroSecondDoesNot):
395 (firstDoNotCareAboutZeroSecondDoes):
397 (verifyNegativeZeroIsPreserved):
398 * tests/stress/math-ceil-basics.js: Added.
399 (mathCeilOnIntegers):
401 (mathCeilOnBooleans):
403 (mathCeilWithOverflow):
404 (mathCeilConsumedAsDouble):
405 (mathCeilDoesNotCareAboutMinusZero):
406 (mathCeilNoArguments):
407 (mathCeilTooManyArguments):
408 (testMathCeilOnConstants):
409 (mathCeilStructTransition):
411 * tests/stress/math-floor-arith-rounding-mode.js: Added.
412 (firstCareAboutZeroSecondDoesNot):
413 (firstDoNotCareAboutZeroSecondDoes):
415 (verifyNegativeZeroIsPreserved):
416 * tests/stress/math-floor-basics.js: Added.
417 (mathFloorOnIntegers):
418 (mathFloorOnDoubles):
419 (mathFloorOnBooleans):
421 (mathFloorWithOverflow):
422 (mathFloorConsumedAsDouble):
423 (mathFloorDoesNotCareAboutMinusZero):
424 (mathFloorNoArguments):
425 (mathFloorTooManyArguments):
426 (testMathFloorOnConstants):
427 (mathFloorStructTransition):
429 * tests/stress/math-round-should-not-use-truncate.js: Added.
430 (mathRoundDoesNotCareAboutMinusZero):
431 * tests/stress/math-rounding-infinity.js: Added.
436 * tests/stress/math-rounding-nan.js: Added.
441 * tests/stress/math-rounding-negative-zero.js: Added.
446 (testRoundNonNegativeZero):
447 (testRoundNonNegativeZero2):
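Added example (not from the patch or its tests): the truncate-based and floor/ceil-based formulations of Math.round written out in JavaScript and compared against the engine's own Math.round on a constructed set of edge cases, so the failure described in item 3 and the sign-of-zero cases the new stress tests cover can be seen directly. roundViaTruncate, roundViaFloorCeil and SAMPLE_INPUTS are names chosen here; Math.trunc stands in for cvtsd2si's truncation toward zero.

```javascript
// Added example, not WebKit code. Two ways to build Math.round on top of
// integer conversions, compared against the engine's Math.round.

// The formulation the ChangeLog calls incorrect: cvtsd2si truncates toward
// zero, so truncate(x + 0.5) is modelled here with Math.trunc.
function roundViaTruncate(x) {
  return Math.trunc(x + 0.5);
}

// The floor/ceil formulation: pick floor(x) unless x is at or above the
// midpoint, in which case pick ceil(x). Integers, NaN and infinities pass
// through untouched, and ceil of a value in (-1, 0) is -0, which is exactly
// the sign-of-zero behaviour Math.round must preserve.
function roundViaFloorCeil(x) {
  if (!Number.isFinite(x) || Number.isInteger(x)) return x;
  const below = Math.floor(x);
  return x - below < 0.5 ? below : Math.ceil(x);
}

// Constructed edge cases: positive and negative halves, the negative values
// that must round to -0, the largest double below 0.5 (x + 0.5 rounds up to
// 1.0 in binary64, so any "+ 0.5" trick misfires there), and non-finite input.
const SAMPLE_INPUTS = [
  0.4, 0.5, 0.6, 2.5, 0.49999999999999994,
  -0.4, -0.5, -0.6, -1.5, -2.5, -0,
  NaN, Infinity, -Infinity,
];

// Inputs on which `impl` disagrees with Math.round. Object.is distinguishes
// -0 from +0 and treats NaN as equal to itself, which is what we want here.
function disagreements(impl) {
  return SAMPLE_INPUTS.filter((x) => !Object.is(impl(x), Math.round(x)));
}
```

disagreements(roundViaTruncate) lists 0.49999999999999994 and every negative input in (-1, 0] (the -0.6 case from the ChangeLog plus the inputs that must yield -0), while disagreements(roundViaFloorCeil) is empty.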
449 2016-02-29 Joseph Pecoraro <pecoraro@apple.com>
451 Add new MethodTable method to get an estimated size for a cell
452 https://bugs.webkit.org/show_bug.cgi?id=154838
454 Reviewed by Filip Pizlo.
456 The new class method estimatedSize(JSCell*) estimates the size for a single cell.
457 As the name implies, this is meant to be an approximation. It is more important
458 that big objects report a large size, than to get perfect size information for
459 all objects in the heap.
461 Base implementation (JSCell):
462 - returns the MarkedBlock bucket size for this cell.
463 - This gets us the object size including inline storage. Basically a better sizeof.
465 Subclasses with "Extra Memory Cost":
466 - Any class that reports extra memory (reportExtraMemoryVisited) should include that in the estimated size.
467 - E.g. CodeBlock, JSGenericTypedArrayView, WeakMapData, etc.
469 Subclasses with "Copied Space" storage:
470 - Any class with data in copied space (copyBackingStore) should include that in the estimated size.
471 - E.g. JSObject, JSGenericTypedArrayView, JSMap, JSSet, DirectArguments, etc.
473 Add reportExtraMemoryVisited for UnlinkedCodeBlock's compressed unlinked
474 instructions because this can be larger than 1kb, which is significant.
476 This has one special case for RegExp generated bytecode / JIT code, which
477 does not currently fall into the extra memory cost or copied space storage.
478 In practice I haven't seen this grow to a significant cost.
480 * runtime/ClassInfo.h:
481 Add the new estimatedSize method to the table.
483 * bytecode/UnlinkedCodeBlock.cpp:
484 (JSC::UnlinkedCodeBlock::visitChildren):
485 (JSC::UnlinkedCodeBlock::estimatedSize):
486 (JSC::UnlinkedCodeBlock::setInstructions):
487 * bytecode/UnlinkedCodeBlock.h:
488 Report an extra memory cost for unlinked code blocks like
489 we do for linked code blocks.
491 * bytecode/CodeBlock.cpp:
492 (JSC::CodeBlock::estimatedSize):
493 * bytecode/CodeBlock.h:
494 * bytecode/UnlinkedInstructionStream.cpp:
495 (JSC::UnlinkedInstructionStream::sizeInBytes):
496 * bytecode/UnlinkedInstructionStream.h:
497 * runtime/DirectArguments.cpp:
498 (JSC::DirectArguments::estimatedSize):
499 * runtime/DirectArguments.h:
500 * runtime/JSCell.cpp:
501 (JSC::JSCell::estimatedSizeInBytes):
502 (JSC::JSCell::estimatedSize):
504 * runtime/JSGenericTypedArrayView.h:
505 * runtime/JSGenericTypedArrayViewInlines.h:
506 (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
508 (JSC::JSMap::estimatedSize):
510 * runtime/JSObject.cpp:
511 (JSC::JSObject::visitButterfly):
512 * runtime/JSObject.h:
514 (JSC::JSSet::estimatedSize):
516 * runtime/JSString.cpp:
517 (JSC::JSString::estimatedSize):
518 * runtime/JSString.h:
520 (JSC::MapDataImpl::capacityInBytes):
521 * runtime/WeakMapData.cpp:
522 (JSC::WeakMapData::estimatedSize):
523 (JSC::WeakMapData::visitChildren):
524 * runtime/WeakMapData.h:
525 Implement estimated size following the pattern of reporting
526 extra visited size, or copy space memory.
528 * runtime/RegExp.cpp:
529 (JSC::RegExp::estimatedSize):
531 * yarr/YarrInterpreter.h:
532 (JSC::Yarr::ByteDisjunction::estimatedSizeInBytes):
533 (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
535 (JSC::Yarr::YarrCodeBlock::size):
536 Include generated bytecode / JITCode to a RegExp's size.
538 2016-02-29 Filip Pizlo <fpizlo@apple.com>
540 SpeculatedType should be easier to edit
541 https://bugs.webkit.org/show_bug.cgi?id=154840
543 Reviewed by Mark Lam.
545 We used to specify the bitmasks in SpeculatedType.h using hex codes. This used to work
546 great because we didn't have so many masks and you could use the mask to visually see
547 which ones overlapped. It also made it easy to visualize subset relationships.
549 But now we have a lot of masks with a lot of confusing overlaps, and it's no longer
550 possible to just see their relationship by looking at hex codes. Worse, the use of hex
551 codes makes it super annoying to move the bits around. For example, right now we have two
552 bits free, but if we wanted to reclaim them by editing the old hex masks, it would be a
555 So this patch replaces the hex masks with shift expressions (1u << 15 for example) and it
556 makes any derived masks (i.e. masks that are the bit-or of other masks) be expressed using
557 an or expression (SpecFoo | SpecBar | SpecBaz for example).
559 This makes it easier to see the relationships and it makes it easier to take bits for new
562 * bytecode/SpeculatedType.h:
564 2016-02-29 Keith Miller <keith_miller@apple.com>
566 OverridesHasInstance constant folding is wrong
567 https://bugs.webkit.org/show_bug.cgi?id=154833
569 Reviewed by Filip Pizlo.
571 The current implementation of OverridesHasInstance constant folding
572 is incorrect. Since it relies on OSR exit information it has been
573 moved to the StrengthReductionPhase. Normally, such an optimization would be
574 put in FixupPhase, however, there are a number of cases where we don't
575 determine an edge of OverridesHasInstance is a constant until after fixup.
576 Performing the optimization during StrengthReductionPhase means we can defer
577 our decision until later.
579 In the future we should consider creating a version of this optimization
580 that does not depend on OSR exit information and move the optimization back
581 to ConstantFoldingPhase.
583 * dfg/DFGConstantFoldingPhase.cpp:
584 (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
585 * dfg/DFGStrengthReductionPhase.cpp:
586 (JSC::DFG::StrengthReductionPhase::handleNode):
588 2016-02-28 Filip Pizlo <fpizlo@apple.com>
590 B3 should have global store elimination
591 https://bugs.webkit.org/show_bug.cgi?id=154658
593 Reviewed by Benjamin Poulain.
595 Implements fairly comprehensive global store elimination:
597 1) If you store the result of a load with no interference in between, remove the store.
599 2) If you store the same thing you stored previously, remove the store.
601 3) If you store something that you either loaded previously or stored previously along
602 arbitrarily many paths, remove the store.
604 4) If you store to something that is stored to again in the future with no interference in
605 between, remove the store.
607 Rule (4) is super relevant to FTL since the DFG does not eliminate redundant PutStructures.
608 A constructor that produces a large object will have many redundant stores to the same base
609 pointer, offset, and heap range, with no code to observe that heap range in between.
611 This doesn't have a decisive effect on major benchmarks, but it's an enormous win for
614 - 30% faster to construct an object with many fields.
616 - 5x faster to do many stores to a global variable.
618 The compile time cost should be very small. Although the optimization is global, it aborts as
619 soon as it sees anything that would confound store elimination. For rules (1)-(3), we
620 piggy-back the existing load elimination, which gives up on interfering stores. For rule (4),
621 we search forward through the current block and then globally a block at a time (skipping
622 block contents thanks to summary data), which could be expensive. But rule (4) aborts as soon
623 as it sees a read, write, or end block (Return or Oops). Any Check will claim to read TOP. Any
624 Patchpoint that results from an InvalidationPoint will claim to read TOP, as will any
625 Patchpoints for ICs. Those are usually sprinkled all over the program.
627 In other words, this optimization rarely kicks in. When it does kick in, it makes programs run
628 faster. When it doesn't kick in, it's usually O(1) because there are reasons for aborting all
629 over a "normal" program so the search will halt almost immediately. This of course raises the
630 question: how much more in compile time do we pay when the optimization does kick in? The
631 optimization kicks in the most for the microbenchmarks I wrote for this patch. Amazingly, the
632 effect of the optimization is a wash for compile time: whatever cost we pay doing the O(n^2)
633 searches is balanced by the massive reduction in work in the backend. On one of the two
634 microbenchmarks, overall compile time actually shrank with this optimization even though CSE
635 itself cost more. That's not too surprising - the backend costs much more per instruction, so
636 things that remove instructions before we get to the backend tend to be a good idea.
638 We could consider adding a more aggressive version of this in the future, which could sink
639 stores into checks. That could be crazy fun: https://bugs.webkit.org/show_bug.cgi?id=152162#c3
641 But mainly, I'm adding this optimization because it was super fun to implement during the
642 WebAssembly CG summit.
644 * b3/B3EliminateCommonSubexpressions.cpp:
645 * b3/B3MemoryValue.h:
646 * b3/B3SuccessorCollection.h:
647 (JSC::B3::SuccessorCollection::begin):
648 (JSC::B3::SuccessorCollection::end):
649 (JSC::B3::SuccessorCollection::const_iterator::const_iterator):
650 (JSC::B3::SuccessorCollection::const_iterator::operator*):
651 (JSC::B3::SuccessorCollection::const_iterator::operator++):
652 (JSC::B3::SuccessorCollection::const_iterator::operator==):
653 (JSC::B3::SuccessorCollection::const_iterator::operator!=):
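Added example (not WebKit's code): a toy, straight-line version of the store elimination rules above, run over a constructed instruction list so that which stores each rule removes, and what stops it, can be seen. Addresses are symbolic names assumed not to alias one another; a 'clobber' op stands for anything B3 treats as reading and writing TOP (a call, a Check, an IC patchpoint); rule (3), which needs a control-flow graph, is left out. eliminateStores and PROGRAM are names chosen here.

```javascript
// Added example, not WebKit code: straight-line store elimination with the
// rules described in the ChangeLog. Ops are plain objects:
//   { kind: 'load',  addr, dst }   load memory at `addr` into value `dst`
//   { kind: 'store', addr, src }   store value `src` to memory at `addr`
//   { kind: 'clobber' }            reads and writes everything (call, Check, IC)
// Distinct `addr` names are assumed to be disjoint memory.
function eliminateStores(ops) {
  const removed = new Map(); // op index -> reason

  // Rules (1) and (2): track what value each address is known to hold.
  // A store of exactly that value changes nothing and can go.
  let known = new Map(); // addr -> value name
  ops.forEach((op, i) => {
    if (op.kind === 'clobber') {
      known = new Map(); // anything may have been written
    } else if (op.kind === 'load') {
      known.set(op.addr, op.dst); // memory now provably holds `dst`
    } else if (op.kind === 'store') {
      if (known.get(op.addr) === op.src) {
        removed.set(i, 'redundant store'); // stores back what is already there
      } else {
        known.set(op.addr, op.src);
      }
    }
  });

  // Rule (4): a store that is overwritten before anything can observe it is dead.
  // Scan forward; abort on anything that could read the location.
  ops.forEach((op, i) => {
    if (op.kind !== 'store' || removed.has(i)) return;
    for (let j = i + 1; j < ops.length; j++) {
      if (removed.has(j)) continue;
      const later = ops[j];
      if (later.kind === 'clobber') return;        // may read it: keep
      if (later.addr !== op.addr) continue;        // disjoint memory: irrelevant
      if (later.kind === 'load') return;           // observed: keep
      removed.set(i, 'dead store');                // overwritten first: remove
      return;
    }
    // End of block with no later store: memory is live at exit, keep it.
  });

  return {
    ops: ops.filter((_, i) => !removed.has(i)),
    removed: [...removed.entries()].map(([index, why]) => ({ index, why })),
  };
}

// Constructed input shaped like the constructor case the ChangeLog mentions:
// several writes to the same base/offset (S) with nothing observing them.
const PROGRAM = [
  { kind: 'load',  addr: 'A', dst: 'v0' },
  { kind: 'store', addr: 'A', src: 'v0' },   // (1) stores back what was loaded
  { kind: 'store', addr: 'B', src: 'c1' },
  { kind: 'store', addr: 'B', src: 'c1' },   // (2) same value stored again
  { kind: 'store', addr: 'S', src: 's1' },   // (4) overwritten at index 6, never read
  { kind: 'store', addr: 'C', src: 'c2' },
  { kind: 'store', addr: 'S', src: 's2' },
  { kind: 'clobber' },                        // a call: reads and writes TOP
  { kind: 'store', addr: 'S', src: 's2' },   // kept: the clobber may have changed S
  { kind: 'load',  addr: 'S', dst: 'v9' },
  { kind: 'store', addr: 'S', src: 'v9' },   // (1) again
];

function runExample() {
  return eliminateStores(PROGRAM);
}
```

runExample() removes indices 1, 3 and 10 as redundant stores and index 4 as a dead store, leaving seven ops; the clobber at index 7 is what keeps the store at index 8 alive, which is the "aborts as soon as it sees a read, write, or end block" behaviour the ChangeLog relies on for compile time.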
655 2016-02-29 Filip Pizlo <fpizlo@apple.com>
657 Make it cheap to #include "JITOperations.h"
658 https://bugs.webkit.org/show_bug.cgi?id=154836
660 Reviewed by Mark Lam.
662 Prior to this change, this header included the whole world even though it didn't have any
663 definitions. This patch turns almost all of the includes into forward declarations. Right
664 now this header is very cheap to include.
666 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
667 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
668 * JavaScriptCore.xcodeproj/project.pbxproj:
669 * dfg/DFGSpeculativeJIT.h:
670 * jit/JITOperations.cpp:
671 * jit/JITOperations.h:
673 * runtime/CommonSlowPaths.h:
674 (JSC::encodeResult): Deleted.
675 (JSC::decodeResult): Deleted.
676 * runtime/SlowPathReturnType.h: Added.
680 2016-02-28 Filip Pizlo <fpizlo@apple.com>
682 FTL should be able to run everything in Octane/regexp
683 https://bugs.webkit.org/show_bug.cgi?id=154266
685 Reviewed by Saam Barati.
687 Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
688 make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
689 DFG backend optimization anyway - if we need this optimization then it should be a
690 strength reduction rule over IR. That way, it can be shared by all backends.
692 I measured whether removing that optimization had any effect on performance separately
693 from measuring the performance of this patch. Removing that optimization did not change
694 our score on any benchmarks.
696 This patch does have an overall negative effect on the Octane/regexp score. This is
697 presumably because tiering up to the FTL has no value to the code in the regexp test. Or
698 maybe it's something else. No matter - the overall effect on the Octane score is not
699 statistically significant and we don't want this kind of coverage blocked by the fact
700 that adding coverage hurts a benchmark.
702 * dfg/DFGByteCodeParser.cpp:
703 (JSC::DFG::ByteCodeParser::parseBlock):
705 (JSC::DFG::Node::setIndexingType):
706 (JSC::DFG::Node::hasRegexpIndex):
707 * dfg/DFGSpeculativeJIT.cpp:
708 (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
709 (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
710 (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
711 * dfg/DFGSpeculativeJIT32_64.cpp:
712 (JSC::DFG::SpeculativeJIT::compile):
713 * dfg/DFGSpeculativeJIT64.cpp:
714 (JSC::DFG::SpeculativeJIT::compile):
715 * ftl/FTLCapabilities.cpp:
716 (JSC::FTL::canCompile):
717 * ftl/FTLLowerDFGToB3.cpp:
718 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
719 (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
720 (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
721 (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
722 (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
723 (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
724 * tests/stress/ftl-regexp-exec.js: Added.
725 * tests/stress/ftl-regexp-test.js: Added.
727 2016-02-28 Andreas Kling <akling@apple.com>
729 Make JSFunction.name allocation fully lazy.
730 <https://webkit.org/b/154806>
732 Reviewed by Saam Barati.
734 We were reifying the "name" field on functions lazily, but created the string
735 value itself up front. This patch gets rid of the up-front allocation,
736 saving us a JSString allocation per function in most cases.
738 * builtins/BuiltinExecutables.cpp:
739 (JSC::createExecutableInternal):
740 * bytecode/UnlinkedFunctionExecutable.cpp:
741 (JSC::UnlinkedFunctionExecutable::visitChildren):
742 * bytecode/UnlinkedFunctionExecutable.h:
743 * runtime/CodeCache.cpp:
744 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
745 * runtime/Executable.h:
746 * runtime/JSFunction.cpp:
747 (JSC::JSFunction::reifyName):
749 2016-02-28 Andreas Kling <akling@apple.com>
751 REGRESSION(r197303): 4 jsc tests failing on bots.
753 Unreviewed follow-up fix.
755 * bytecode/UnlinkedCodeBlock.cpp:
756 (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
757 can still get called with !m_rareData, in case the type profiler is active but this
758 particular code block doesn't have type profiler data. Handle it gracefully.
760 2016-02-28 Andreas Kling <akling@apple.com>
762 Shrink UnlinkedCodeBlock a bit.
763 <https://webkit.org/b/154797>
765 Reviewed by Anders Carlsson.
767 Move profiler-related members of UnlinkedCodeBlock into its RareData
768 structure, saving 40 bytes, and then reorder the other members of
769 UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.
771 The VM member was removed entirely since UnlinkedCodeBlock is a cell
772 and can retrieve its VM through MarkedBlock header lookup.
774 * bytecode/UnlinkedCodeBlock.cpp:
775 (JSC::UnlinkedCodeBlock::vm):
776 (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
777 (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
778 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
779 * bytecode/UnlinkedCodeBlock.h:
780 (JSC::UnlinkedCodeBlock::addRegExp):
781 (JSC::UnlinkedCodeBlock::addConstant):
782 (JSC::UnlinkedCodeBlock::addFunctionDecl):
783 (JSC::UnlinkedCodeBlock::addFunctionExpr):
784 (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
785 (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
786 (JSC::UnlinkedCodeBlock::vm): Deleted.
788 2016-02-27 Filip Pizlo <fpizlo@apple.com>
790 FTL should lower its abstract heaps to B3 heap ranges
791 https://bugs.webkit.org/show_bug.cgi?id=154782
793 Reviewed by Saam Barati.
795 The FTL can describe the abstract heaps (points-to sets) that a memory operation will
796 affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
797 TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
798 notion - the HeapRange. That's what this patch fixes.
800 B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
801 integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
802 affects by specifying a heap range: a begin...end pair that says that the operation
803 affects all abstract heaps H such that begin <= H < end.
805 This peculiar scheme was a deliberate attempt to distill what the abstract heap
806 hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
808 - A heap's end is greater than its begin.
809 - A heap's begin is greater than or equal to its parent's begin.
810 - A heap's end is less than or equal to its parent's end.
812 This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
813 went for the iterative traversal, which is a splendid algorithm, but it's totally
814 unnecessary here since we tightly control the height of the heap hierarchy.
816 Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
817 generate new ones for field names and constant indices we encounter, we can't actually
818 decorate the B3 instructions we create in lowering until all lowering is done. Adding a
819 new abstract heap to the hierarchy after ranges were already computed would require
820 updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
821 patch solves that problem by recording the associations between abstract heaps and their
822 intended roles in the generated IR, and then decorating all of the relevant B3 values
823 after we compute the ranges of the hierarchy after lowering.
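As an added worked example (this is not FTL or B3 code; the heap names and the one-number-per-leaf numbering are assumptions for illustration), the JavaScript below numbers a small abstract-heap hierarchy by the recursive traversal described above, verifies the three ordering properties, answers "may these two accesses alias?" with a half-open overlap test the way a HeapRange would, and shows why instructions can only be decorated after lowering is done: creating one more heap after numbering shifts the ranges of every heap to its right.

```javascript
// Added illustration, not FTL/B3 code. Heap names below are constructed.
class AbstractHeap {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.begin = 0;
    this.end = 0;
    if (parent) parent.children.push(this);
  }

  // Assign ranges so that begin < end, begin >= parent.begin and end <= parent.end.
  // A leaf takes exactly one number; an inner heap spans all of its children.
  // Returns the next unused number so the caller can continue to the right.
  compute(begin = 0) {
    this.begin = begin;
    let next = begin;
    for (const child of this.children) next = child.compute(next);
    if (next === begin) next = begin + 1; // leaf: reserve one heap number
    this.end = next;
    return next;
  }
}

// Half-open [begin, end) overlap: two memory operations may alias iff this is true.
function mayAlias(a, b) {
  return a.begin < b.end && b.begin < a.end;
}

// Check the three ordering properties for every heap at or below `heap`.
function checkInvariants(heap) {
  if (!(heap.begin < heap.end)) return false;
  for (const child of heap.children) {
    if (child.begin < heap.begin || child.end > heap.end) return false;
    if (!checkInvariants(child)) return false;
  }
  return true;
}

// Constructed hierarchy: root -> { heap -> { properties -> {x, y}, indexed -> {0, 1} }, stack }.
function buildHierarchy() {
  const root = new AbstractHeap('root');
  const heap = new AbstractHeap('heap', root);
  const properties = new AbstractHeap('properties', heap);
  const propX = new AbstractHeap('properties.x', properties);
  const propY = new AbstractHeap('properties.y', properties);
  const indexed = new AbstractHeap('indexed', heap);
  const index0 = new AbstractHeap('indexed[0]', indexed);
  const index1 = new AbstractHeap('indexed[1]', indexed);
  const stack = new AbstractHeap('stack', root);
  root.compute();
  return { root, heap, properties, propX, propY, indexed, index0, index1, stack };
}

// Why decoration has to wait: a heap discovered late (say, a new field name met
// during lowering) pushes every heap to its right, so ranges already stamped on
// emitted instructions would be stale. Returns index0's begin before and after.
function rangeShiftOnLateInsert() {
  const h = buildHierarchy();
  const before = h.index0.begin;
  new AbstractHeap('properties.z', h.properties);
  h.root.compute();
  return { before, after: h.index0.begin };
}
```

With this numbering, `properties.x` and `properties.y` get disjoint one-element ranges, `properties` covers both, and `heap` and `stack` never overlap, so a store to the stack never kills a load from an object property. Recomputing after the late insert moves `indexed[0]` from 2 to 3, which is exactly the update problem the patch sidesteps by decorating all B3 values once at the end.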
825 This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
826 speed-up on any benchmark. That's not too surprising. We already have very precise CSE
827 in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
828 already been getting the big ones even without alias analysis.
830 Even without a speed-up, this patch is valuable because it makes it easier to implement
831 other optimizations, like store elimination.
834 (JSC::B3::HeapRange::HeapRange):
835 * ftl/FTLAbstractHeap.cpp:
836 (JSC::FTL::AbstractHeap::AbstractHeap):
837 (JSC::FTL::AbstractHeap::changeParent):
838 (JSC::FTL::AbstractHeap::compute):
839 (JSC::FTL::AbstractHeap::shallowDump):
840 (JSC::FTL::AbstractHeap::dump):
841 (JSC::FTL::AbstractHeap::deepDump):
842 (JSC::FTL::AbstractHeap::badRangeError):
843 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
844 (JSC::FTL::IndexedAbstractHeap::baseIndex):
845 (JSC::FTL::IndexedAbstractHeap::atSlow):
846 (JSC::FTL::IndexedAbstractHeap::initialize):
847 (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
848 (JSC::FTL::AbstractField::dump): Deleted.
849 * ftl/FTLAbstractHeap.h:
850 (JSC::FTL::AbstractHeap::AbstractHeap):
851 (JSC::FTL::AbstractHeap::isInitialized):
852 (JSC::FTL::AbstractHeap::initialize):
853 (JSC::FTL::AbstractHeap::parent):
854 (JSC::FTL::AbstractHeap::heapName):
855 (JSC::FTL::AbstractHeap::range):
856 (JSC::FTL::AbstractHeap::offset):
857 (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
858 (JSC::FTL::IndexedAbstractHeap::at):
859 (JSC::FTL::IndexedAbstractHeap::operator[]):
860 (JSC::FTL::IndexedAbstractHeap::returnInitialized):
861 (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
862 (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
863 (JSC::FTL::AbstractHeap::changeParent): Deleted.
864 (JSC::FTL::AbstractField::AbstractField): Deleted.
865 (JSC::FTL::AbstractField::initialize): Deleted.
866 (JSC::FTL::AbstractField::offset): Deleted.
867 * ftl/FTLAbstractHeapRepository.cpp:
868 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
869 (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
870 (JSC::FTL::AbstractHeapRepository::decorateMemory):
871 (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
872 (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
873 (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
874 (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
875 (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
876 * ftl/FTLAbstractHeapRepository.h:
877 (JSC::FTL::AbstractHeapRepository::forArrayType):
878 (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
879 * ftl/FTLLowerDFGToB3.cpp:
880 (JSC::FTL::DFG::LowerDFGToB3::lower):
882 (JSC::FTL::Output::load):
883 (JSC::FTL::Output::load8SignExt32):
884 (JSC::FTL::Output::load8ZeroExt32):
885 (JSC::FTL::Output::load16SignExt32):
886 (JSC::FTL::Output::load16ZeroExt32):
887 (JSC::FTL::Output::store):
888 (JSC::FTL::Output::store32As8):
889 (JSC::FTL::Output::store32As16):
890 (JSC::FTL::Output::baseIndex):
892 (JSC::FTL::Output::address):
893 (JSC::FTL::Output::absolute):
894 (JSC::FTL::Output::load8SignExt32):
895 (JSC::FTL::Output::load8ZeroExt32):
896 (JSC::FTL::Output::load16SignExt32):
897 (JSC::FTL::Output::load16ZeroExt32):
898 (JSC::FTL::Output::load32):
899 (JSC::FTL::Output::load64):
900 (JSC::FTL::Output::loadPtr):
901 (JSC::FTL::Output::loadDouble):
902 (JSC::FTL::Output::store32):
903 (JSC::FTL::Output::store64):
904 (JSC::FTL::Output::storePtr):
905 (JSC::FTL::Output::storeDouble):
906 (JSC::FTL::Output::ascribeRange):
907 (JSC::FTL::Output::nonNegative32):
908 (JSC::FTL::Output::load32NonNegative):
909 (JSC::FTL::Output::equal):
910 (JSC::FTL::Output::notEqual):
911 * ftl/FTLTypedPointer.h:
912 (JSC::FTL::TypedPointer::operator!):
913 (JSC::FTL::TypedPointer::heap):
914 (JSC::FTL::TypedPointer::value):
916 2016-02-28 Skachkov Oleksandr <gskachkov@gmail.com>
918 [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
919 https://bugs.webkit.org/show_bug.cgi?id=153981
921 Reviewed by Saam Barati.
923 In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
924 'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
925 The current patch added logic that prevents emitting those variables if they are not used in the arrow function.
926 During syntax analysis, the parser stores information about the variables used in arrow functions inside of
927 the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
929 * bytecompiler/BytecodeGenerator.cpp:
930 (JSC::BytecodeGenerator::BytecodeGenerator):
931 (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
932 (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
933 (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
934 (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
935 (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
936 (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
937 (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
938 (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
939 (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
940 (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
941 (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
942 (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
943 * bytecompiler/BytecodeGenerator.h:
944 * bytecompiler/NodesCodegen.cpp:
945 (JSC::ThisNode::emitBytecode):
946 (JSC::EvalFunctionCallNode::emitBytecode):
947 (JSC::FunctionNode::emitBytecode):
948 * parser/ASTBuilder.h:
949 (JSC::ASTBuilder::createBracketAccess):
950 (JSC::ASTBuilder::createDotAccess):
951 (JSC::ASTBuilder::usesSuperCall):
952 (JSC::ASTBuilder::usesSuperProperty):
953 (JSC::ASTBuilder::makeFunctionCallNode):
955 (JSC::ScopeNode::ScopeNode):
956 (JSC::ProgramNode::ProgramNode):
957 (JSC::ModuleProgramNode::ModuleProgramNode):
958 (JSC::EvalNode::EvalNode):
959 (JSC::FunctionNode::FunctionNode):
961 (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
962 (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
963 (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
964 (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
965 (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
966 (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
967 (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
968 (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
969 (JSC::ScopeNode::usesSuperCall):
970 (JSC::ScopeNode::usesSuperProperty):
972 (JSC::Parser<LexerType>::parseProperty):
973 (JSC::Parser<LexerType>::parsePrimaryExpression):
974 (JSC::Parser<LexerType>::parseMemberExpression):
977 (JSC::Scope::isArrowFunctionBoundary):
978 (JSC::Scope::innerArrowFunctionFeatures):
979 (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
980 (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
981 (JSC::Scope::setInnerArrowFunctionUsesEval):
982 (JSC::Scope::setInnerArrowFunctionUsesThis):
983 (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
984 (JSC::Scope::setInnerArrowFunctionUsesArguments):
985 (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
986 (JSC::Scope::collectFreeVariables):
987 (JSC::Scope::mergeInnerArrowFunctionFeatures):
988 (JSC::Scope::fillParametersForSourceProviderCache):
989 (JSC::Scope::restoreFromSourceProviderCache):
990 (JSC::Scope::setIsFunction):
991 (JSC::Scope::setIsArrowFunction):
992 (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
993 (JSC::Parser::pushScope):
994 (JSC::Parser::popScopeInternal):
995 (JSC::Parser<LexerType>::parse):
996 * parser/ParserModes.h:
997 * parser/SourceProviderCacheItem.h:
998 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
999 * parser/SyntaxChecker.h:
1000 (JSC::SyntaxChecker::createFunctionMetadata):
1001 * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1002 * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1003 * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1004 * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1005 * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1007 2016-02-28 Saam barati <sbarati@apple.com>
1009 ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
1010 https://bugs.webkit.org/show_bug.cgi?id=154768
1012 Reviewed by Ryosuke Niwa.
1014 This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
1015 http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1016 We weren't correctly propagating the result of this operation to the
1017 out PropertySlot& parameter. This patch fixes that and adds tests.
1019 * runtime/ObjectConstructor.cpp:
1020 (JSC::objectConstructorGetOwnPropertyDescriptor):
1021 I added a missing exception check after object allocation
1022 because I saw that it was missing while reading the code.
1024 * runtime/PropertyDescriptor.cpp:
1025 (JSC::PropertyDescriptor::setUndefined):
1026 (JSC::PropertyDescriptor::slowGetterSetter):
1027 (JSC::PropertyDescriptor::getter):
1028 * runtime/PropertyDescriptor.h:
1029 (JSC::PropertyDescriptor::attributes):
1030 (JSC::PropertyDescriptor::value):
1031 * runtime/ProxyObject.cpp:
1032 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1034 * tests/stress/proxy-get-own-property.js:
1035 (let.handler.getOwnPropertyDescriptor):
1036 (set get let.handler.return):
1037 (set get let.handler.getOwnPropertyDescriptor):
1044 2016-02-27 Andy VanWagoner <thetalecrafter@gmail.com>
1046 Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
1047 https://bugs.webkit.org/show_bug.cgi?id=152448
1049 Reviewed by Darin Adler.
1051 Add defaultLanguage to the globalObjectMethodTable and use it for the
1052 default locale in Intl object initializations. Fall back to ICU default
1053 locale only if the defaultLanguage function is null, or returns an
1057 * runtime/IntlCollator.cpp:
1058 (JSC::IntlCollator::initializeCollator):
1059 * runtime/IntlDateTimeFormat.cpp:
1060 (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1061 * runtime/IntlNumberFormat.cpp:
1062 (JSC::IntlNumberFormat::initializeNumberFormat):
1063 * runtime/IntlObject.cpp:
1064 (JSC::defaultLocale):
1065 (JSC::lookupMatcher):
1066 (JSC::bestFitMatcher):
1067 (JSC::resolveLocale):
1068 * runtime/IntlObject.h:
1069 * runtime/JSGlobalObject.cpp:
1070 * runtime/JSGlobalObject.h:
1071 * runtime/StringPrototype.cpp:
1072 (JSC::toLocaleCase):
1074 2016-02-27 Oliver Hunt <oliver@apple.com>
1078 * jit/ExecutableAllocatorFixedVMPool.cpp:
1080 2016-02-26 Oliver Hunt <oliver@apple.com>
1082 Remove the on demand executable allocator
1083 https://bugs.webkit.org/show_bug.cgi?id=154749
1085 Reviewed by Geoffrey Garen.
1087 Remove all the DemandExecutable code and executable allocator ifdefs.
1090 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1091 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1092 * JavaScriptCore.xcodeproj/project.pbxproj:
1093 * jit/ExecutableAllocator.cpp: Removed.
1094 (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
1095 (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
1096 (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
1097 (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
1098 (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
1099 (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
1100 (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
1101 (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
1102 (JSC::DemandExecutableAllocator::allocators): Deleted.
1103 (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
1104 (JSC::ExecutableAllocator::initializeAllocator): Deleted.
1105 (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
1106 (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
1107 (JSC::ExecutableAllocator::isValid): Deleted.
1108 (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
1109 (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
1110 (JSC::ExecutableAllocator::allocate): Deleted.
1111 (JSC::ExecutableAllocator::committedByteCount): Deleted.
1112 (JSC::ExecutableAllocator::dumpProfile): Deleted.
1113 (JSC::ExecutableAllocator::getLock): Deleted.
1114 (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
1115 (JSC::ExecutableAllocator::reprotectRegion): Deleted.
1116 * jit/ExecutableAllocator.h:
1117 * jit/ExecutableAllocatorFixedVMPool.cpp:
1118 * jit/JITStubRoutine.h:
1119 (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1120 (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1121 (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1123 2016-02-26 Joseph Pecoraro <pecoraro@apple.com>
1125 Reduce direct callers of Structure::findStructuresAndMapForMaterialization
1126 https://bugs.webkit.org/show_bug.cgi?id=154751
1128 Reviewed by Mark Lam.
1130 * runtime/Structure.cpp:
1131 (JSC::Structure::toStructureShape):
1132 This property name iteration is identical to Structure::forEachPropertyConcurrently.
1133 Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
1135 2016-02-26 Mark Lam <mark.lam@apple.com>
1137 Function.name and Function.length should be configurable.
1138 https://bugs.webkit.org/show_bug.cgi?id=154604
1140 Reviewed by Saam Barati.
1142 According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
1143 "Unless otherwise specified, the name property of a built-in Function object,
1144 if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
1145 [[Configurable]]: true }."
1147 Similarly, "the length property of a built-in Function object has the attributes
1148 { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
1150 This patch makes Function.name and Function.length configurable.
1152 We do this by lazily reifying the JSFunction name and length properties on first
1153 access. We track whether each of these properties have been reified using flags
1154 in the FunctionRareData. On first access, if not already reified, we will put
1155 the property into the object with its default value and attributes and set the
1156 reified flag. Thereafter, we rely on the base JSObject to handle access to the
1159 Also, lots of test results have to be re-baselined because the old Function.length
1160 has attribute DontDelete, which is in conflict with the ES6 requirement that it
1163 * runtime/FunctionRareData.h:
1164 (JSC::FunctionRareData::hasReifiedLength):
1165 (JSC::FunctionRareData::setHasReifiedLength):
1166 (JSC::FunctionRareData::hasReifiedName):
1167 (JSC::FunctionRareData::setHasReifiedName):
1168 - Flags for tracking whether each property has been reified.
1170 * runtime/JSFunction.cpp:
1171 (JSC::JSFunction::finishCreation):
1172 (JSC::JSFunction::createBuiltinFunction):
1173 - Host and builtin functions currently always reify their name and length
1174 properties. Currently, for builtins, the default names that are used may
1175 differ from the executable name. For now, we'll stay with keeping this
1176 alternate approach to getting the name and length properties for host and
1178 However, we need their default attribute to be configurable as well.
1180 (JSC::JSFunction::getOwnPropertySlot):
1181 (JSC::JSFunction::getOwnNonIndexPropertyNames):
1182 (JSC::JSFunction::put):
1183 (JSC::JSFunction::deleteProperty):
1184 (JSC::JSFunction::defineOwnProperty):
1185 (JSC::JSFunction::reifyLength):
1186 (JSC::JSFunction::reifyName):
1187 (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1188 (JSC::JSFunction::lengthGetter): Deleted.
1189 (JSC::JSFunction::nameGetter): Deleted.
1190 * runtime/JSFunction.h:
1191 * runtime/JSFunctionInlines.h:
1192 (JSC::JSFunction::hasReifiedLength):
1193 (JSC::JSFunction::hasReifiedName):
1196 - 4 new passing tests.
1198 * tests/mozilla/ecma/Array/15.4.4.3-1.js:
1199 * tests/mozilla/ecma/Array/15.4.4.4-1.js:
1200 * tests/mozilla/ecma/Array/15.4.4.4-2.js:
1201 * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
1202 * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
1203 * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
1204 * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
1205 * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
1206 * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
1207 * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
1208 * tests/mozilla/ecma/String/15.5.4.10-1.js:
1209 * tests/mozilla/ecma/String/15.5.4.11-1.js:
1210 * tests/mozilla/ecma/String/15.5.4.11-5.js:
1211 * tests/mozilla/ecma/String/15.5.4.12-1.js:
1212 * tests/mozilla/ecma/String/15.5.4.6-2.js:
1213 * tests/mozilla/ecma/String/15.5.4.7-2.js:
1214 * tests/mozilla/ecma/String/15.5.4.8-1.js:
1215 * tests/mozilla/ecma/String/15.5.4.9-1.js:
1216 - Rebase expected test results.
1218 * tests/stress/function-configurable-properties.js: Added.
1220 2016-02-26 Keith Miller <keith_miller@apple.com>
1222 Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
1223 https://bugs.webkit.org/show_bug.cgi?id=154743
1225 Reviewed by Mark Lam.
1227 * dfg/DFGConstantFoldingPhase.cpp:
1228 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1229 * dfg/DFGFixupPhase.cpp:
1230 (JSC::DFG::FixupPhase::fixupNode):
1232 2016-02-26 Keith Miller <keith_miller@apple.com>
1234 Native Typed Array functions should use Symbol.species
1235 https://bugs.webkit.org/show_bug.cgi?id=154569
1237 Reviewed by Michael Saboff.
1239 This patch adds support for Symbol.species in the native Typed Array prototype
1240 functions. Additionally, now that other types of typed arrays are creatable inside
1241 the slice, we use the JSGenericTypedArrayView::set function, which has been beefed
1242 up, to put everything into the correct place.
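An added example of the observable behaviour this entry implements (example code, not the project's tests; the class names are made up): slice and subarray on a typed-array subclass construct their result through the receiver's constructor[Symbol.species], so a subclass keeps its own type by default and can opt out by overriding the species getter.

```javascript
// Added illustration, not JSC code. `Sub` and `OptOut` are constructed names.
class Sub extends Uint8Array {}

class OptOut extends Uint8Array {
  static get [Symbol.species]() {
    OptOut.speciesLookups += 1; // count how often the engine consults species
    return Uint8Array;          // hand derived objects back as plain Uint8Array
  }
}
OptOut.speciesLookups = 0;

function speciesDemo() {
  OptOut.speciesLookups = 0;
  const sub = new Sub([10, 20, 30, 40]);
  const opt = new OptOut([10, 20, 30, 40]);

  const subSlice = sub.slice(1, 3);   // species defaults to Sub itself
  const optSlice = opt.slice(1, 3);   // species says Uint8Array
  const subView = sub.subarray(2);    // a view: shares sub's buffer
  const optView = opt.subarray(2);    // also a view, but a plain Uint8Array

  return {
    subSliceIsSub: subSlice instanceof Sub,
    optSliceIsOptOut: optSlice instanceof OptOut,
    optSliceCtor: optSlice.constructor.name,
    subViewIsSub: subView instanceof Sub,
    subViewSharesBuffer: subView.buffer === sub.buffer,
    optViewIsOptOut: optView instanceof OptOut,
    optViewSharesBuffer: optView.buffer === opt.buffer,
    values: Array.from(optSlice),
    speciesLookups: OptOut.speciesLookups, // one lookup for slice, one for subarray
  };
}
```

The species getter is consulted once per call, and the element copy in slice happens after the species constructor has produced the destination, which is why the patch routes the copy through JSGenericTypedArrayView::set rather than assuming the source and destination share an element type.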
1244 * runtime/JSDataView.cpp:
1245 (JSC::JSDataView::set):
1246 * runtime/JSDataView.h:
1247 * runtime/JSGenericTypedArrayView.h:
1248 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1249 (JSC::constructGenericTypedArrayViewFromIterator):
1250 (JSC::constructGenericTypedArrayViewWithArguments):
1251 (JSC::constructGenericTypedArrayView):
1252 * runtime/JSGenericTypedArrayViewInlines.h:
1253 (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
1254 (JSC::JSGenericTypedArrayView<Adaptor>::set):
1255 * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1256 (JSC::speciesConstruct):
1257 (JSC::genericTypedArrayViewProtoFuncSet):
1258 (JSC::genericTypedArrayViewProtoFuncSlice):
1259 (JSC::genericTypedArrayViewProtoFuncSubarray):
1260 * tests/stress/typedarray-slice.js:
1261 (subclasses.typedArrays.map):
1264 (subclasses.forEach):
1265 (testSpeciesRemoveConstructor):
1266 (testSpeciesWithSameBuffer):
1267 * tests/stress/typedarray-subarray.js: Added.
1268 (subclasses.typedArrays.map):
1271 (subclasses.forEach):
1272 (testSpeciesRemoveConstructor):
1274 2016-02-26 Benjamin Poulain <bpoulain@apple.com>
1276 [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
1277 https://bugs.webkit.org/show_bug.cgi?id=154704
1279 Reviewed by Geoffrey Garen.
1281 If the Imm is zero, we should still zero the top bits
1282 to match the definition in AirOpcodes.
1284 * assembler/MacroAssemblerX86Common.h:
1285 (JSC::MacroAssemblerX86Common::add32):
1288 2016-02-26 Oliver Hunt <oliver@apple.com>
1290 Make testRegExp not crash when given an invalid regexp
1291 https://bugs.webkit.org/show_bug.cgi?id=154732
1293 Reviewed by Mark Lam.
1298 2016-02-26 Benjamin Poulain <benjamin@webkit.org>
1300 [JSC] Add the test for r197155
1301 https://bugs.webkit.org/show_bug.cgi?id=154715
1303 Reviewed by Mark Lam.
1305 Silly me. I forgot the test in the latest patch update.
1307 * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
1309 2016-02-26 Yusuke Suzuki <utatane.tea@gmail.com>
1311 [DFG] Drop unnecessary proved type branch in ToPrimitive
1312 https://bugs.webkit.org/show_bug.cgi?id=154716
1314 Reviewed by Geoffrey Garen.
1316 This branching based on the proved types is unnecessary because this is already handled in constant folding phase.
1317 In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
1318 This patch removes the remaining JIT32_64 case.
1320 * dfg/DFGSpeculativeJIT32_64.cpp:
1321 (JSC::DFG::SpeculativeJIT::compile):
1323 2016-02-25 Benjamin Poulain <bpoulain@apple.com>
1325 [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
1326 https://bugs.webkit.org/show_bug.cgi?id=154575
1328 Reviewed by Filip Pizlo.
1330 I noticed that imaging-gaussian-blur spends most of its
1331 samples in DFG code despite executing most of the loop
1334 On this particular test, the main function is only entered
1335 once and has a very heavy loop there. What happens is DFG
1336 starts by compiling the full function in FTL. That takes about
1337 8 to 10 milliseconds during which the DFG code makes very little
1338 progress. The calls to triggerOSREntryNow() try to OSR Enter
1339 for a while then finally start compiling something. By the time
1340 the function is ready, we have wasted a lot of time in DFG code.
1342 What this patch does is set a flag when a DFG function is entered.
1343 If we try to triggerOSREntryNow() and the flag was never set,
1344 we start compiling both the full function and the one for OSR Entry.
1347 * dfg/DFGJITCompiler.cpp:
1348 (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
1349 (JSC::DFG::JITCompiler::compile):
1350 (JSC::DFG::JITCompiler::compileFunction):
1351 * dfg/DFGJITCompiler.h:
1352 * dfg/DFGOperations.cpp:
1354 (JSC::DFG::Plan::Plan): Deleted.
1356 * dfg/DFGTierUpCheckInjectionPhase.cpp:
1357 (JSC::DFG::TierUpCheckInjectionPhase::run):
1359 2016-02-25 Benjamin Poulain <benjamin@webkit.org>
1361 [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
1362 https://bugs.webkit.org/show_bug.cgi?id=154664
1364 Reviewed by Saam Barati.
1366 When doing OSR Enter into a constructor, we lose the information
1367 that this may have been set to empty by a previously executed block.
1369 All the code just assumed the type for a FlushedJS value and thus
1370 not an empty value. It was then okay to eliminate the TDZ checks.
1372 In this patch, the values on root entry now assume they may be empty.
1373 As a result, the SetArgument() for "this" has "empty" as possible
1374 type and the TDZ checks are no longer eliminated.
1376 * dfg/DFGInPlaceAbstractState.cpp:
1377 (JSC::DFG::InPlaceAbstractState::initialize):
1379 2016-02-25 Ada Chan <adachan@apple.com>
1381 Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
1382 https://bugs.webkit.org/show_bug.cgi?id=154702
1384 Reviewed by Dan Bernstein.
1386 * Configurations/FeatureDefines.xcconfig:
1388 2016-02-25 Saam barati <sbarati@apple.com>
1390 [ES6] for...in iteration doesn't comply with the specification
1391 https://bugs.webkit.org/show_bug.cgi?id=154665
1393 Reviewed by Michael Saboff.
1395 If you read ForIn/OfHeadEvaluation inside the spec:
1396 https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
1397 It calls EnumerateObjectProperties(obj) to get a set of properties
1398 to enumerate over (it models this "set" as an ES6 generator function).
1399 EnumerateObjectProperties is defined in section 13.7.5.15:
1400 https://tc39.github.io/ecma262/#sec-enumerate-object-properties
1401 The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
1402 properties it sees. We must do the same by modeling the operation as
1403 a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
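An added example covering both this entry and the earlier ProxyObject.[[GetOwnProperty]] fix (example code, not the project's tests; the property names are constructed): a Proxy whose getOwnPropertyDescriptor trap synthesises a property the target lacks and reports another as non-enumerable. The synthesised descriptor must reach Object.getOwnPropertyDescriptor and hasOwnProperty unchanged, and for...in must consult the trap, not the target, when deciding what to enumerate.

```javascript
// Added illustration, not JSC code. Target and property names are constructed.
function makeLoggingProxy(target) {
  const log = [];
  const handler = {
    ownKeys(t) {
      log.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      if (key === 'virtual') {
        // Legal: the target is extensible and the reported descriptor is configurable.
        return { value: 42, writable: true, enumerable: true, configurable: true };
      }
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      if (desc && key === 'hidden')
        desc.enumerable = false; // allowed because the target property is configurable
      return desc;
    },
    getPrototypeOf(t) {
      log.push('getPrototypeOf'); // for...in walks the prototype chain too
      return Reflect.getPrototypeOf(t);
    },
  };
  return { proxy: new Proxy(target, handler), log };
}

function getOwnPropertyDemo() {
  const { proxy, log } = makeLoggingProxy({ a: 1, hidden: 2 });

  // The trap's result must be propagated to the caller's slot: both of these
  // see the synthesised descriptor even though the target has no 'virtual'.
  const virtualDesc = Object.getOwnPropertyDescriptor(proxy, 'virtual');
  const hasOwnVirtual = Object.prototype.hasOwnProperty.call(proxy, 'virtual');

  // for...in obtains attributes via [[GetOwnProperty]], so 'hidden' is skipped
  // because the trap said so, not because of the target's own descriptor.
  log.length = 0;
  const forInKeys = [];
  for (const k in proxy) forInKeys.push(k);

  return { virtualDesc, hasOwnVirtual, forInKeys, log: log.slice() };
}
```

If the engine modelled enumeration as [[HasProperty]] instead, 'hidden' would be enumerated (the target has it and it is enumerable there), which is precisely the deviation this entry corrects.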
1405 * jit/JITOperations.cpp:
1406 * jit/JITOperations.h:
1407 * runtime/CommonSlowPaths.cpp:
1408 (JSC::SLOW_PATH_DECL):
1409 * runtime/JSObject.cpp:
1410 (JSC::JSObject::hasProperty):
1411 (JSC::JSObject::hasPropertyGeneric):
1412 * runtime/JSObject.h:
1413 * tests/stress/proxy-get-own-property.js:
1415 (let.handler.getOwnPropertyDescriptor):
1418 2016-02-25 Saam barati <sbarati@apple.com>
1420 [ES6] Implement Proxy.[[Set]]
1421 https://bugs.webkit.org/show_bug.cgi?id=154511
1423 Reviewed by Filip Pizlo.
1425 This patch is mostly an implementation of
1426 Proxy.[[Set]] with respect to section 9.5.9
1427 of the ECMAScript spec.
1428 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
1430 This patch also changes JSObject::putInline and JSObject::putByIndex
1431 to be aware that a Proxy in the prototype chain will intercept
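An added example of the prototype-chain case this entry describes (example code, not the project's tests; names are constructed): an ordinary object whose prototype is a Proxy. A put of a property the object does not own yet walks up the chain and is intercepted by the proxy's set trap with the original object as receiver; once the object owns a writable data property, the fast path handles the put locally and the proxy is not consulted.

```javascript
// Added illustration, not JSC code. Object and property names are constructed.
function setTrapDemo() {
  const calls = [];
  let child; // assigned below; the trap compares the receiver against it
  const proto = new Proxy({}, {
    set(target, key, value, receiver) {
      calls.push({ key, value, receiverIsChild: receiver === child });
      // Do what OrdinarySet would do: create the data property on the
      // receiver, not on the proxy's target.
      return Reflect.defineProperty(receiver, key,
        { value, writable: true, enumerable: true, configurable: true });
    },
  });
  child = Object.create(proto);

  child.x = 1;       // no own 'x' on child: [[Set]] walks up and the proxy intercepts
  child[5] = 'five'; // an indexed put (putByIndex) takes the same path
  child.x = 2;       // own writable 'x' exists now: handled on child, proxy not consulted

  return {
    calls,
    ownKeys: Object.keys(child),   // ['5', 'x']: both landed on child
    x: child.x,
    targetKeys: Object.keys(proto), // []: the proxy's target was never written
  };
}
```

A trap that returns false would make a strict-mode assignment throw a TypeError, and a trap that writes to `target` instead of `receiver` would silently put the property on the wrong object; both are common mistakes when a Proxy is used as a prototype.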
1434 * runtime/JSObject.cpp:
1435 (JSC::JSObject::putInlineSlow):
1436 (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1437 * runtime/JSObject.h:
1438 * runtime/JSObjectInlines.h:
1439 (JSC::JSObject::canPerformFastPutInline):
1440 (JSC::JSObject::putInline):
1442 * runtime/ProxyObject.cpp:
1443 (JSC::ProxyObject::getOwnPropertySlotByIndex):
1444 (JSC::ProxyObject::performPut):
1445 (JSC::ProxyObject::put):
1446 (JSC::ProxyObject::putByIndexCommon):
1447 (JSC::ProxyObject::putByIndex):
1448 (JSC::performProxyCall):
1449 (JSC::ProxyObject::getCallData):
1450 (JSC::performProxyConstruct):
1451 (JSC::ProxyObject::deletePropertyByIndex):
1452 (JSC::ProxyObject::visitChildren):
1453 * runtime/ProxyObject.h:
1454 (JSC::ProxyObject::create):
1455 (JSC::ProxyObject::createStructure):
1456 (JSC::ProxyObject::target):
1457 (JSC::ProxyObject::handler):
1459 * tests/stress/proxy-set.js: Added.
1461 (throw.new.Error.let.handler.set 45):
1467 2016-02-25 Benjamin Poulain <bpoulain@apple.com>
1469 [JSC] Remove a useless "Move" in the lowering of Select
1470 https://bugs.webkit.org/show_bug.cgi?id=154670
1472 Reviewed by Geoffrey Garen.
1474 I left the Move instruction when creating the aliasing form
1477 On ARM64, that meant a useless move for any case that can't
1480 On x86, that meant an extra constraint on child2, making it
1481 stupidly hard to alias child1.
1483 * b3/B3LowerToAir.cpp:
1484 (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1486 2016-02-24 Joseph Pecoraro <pecoraro@apple.com>
1488 Web Inspector: Expose Proxy target and handler internal properties to Inspector
1489 https://bugs.webkit.org/show_bug.cgi?id=154663
1491 Reviewed by Timothy Hatcher.
1493 * inspector/JSInjectedScriptHost.cpp:
1494 (Inspector::JSInjectedScriptHost::getInternalProperties):
1495 Expose the ProxyObject's target and handler.
1497 2016-02-24 Nikos Andronikos <nikos.andronikos-webkit@cisra.canon.com.au>
1499 [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
1500 https://bugs.webkit.org/show_bug.cgi?id=151688
1502 Reviewed by Dean Jackson.
1504 Enables the WEB_ANIMATIONS compiler switch.
1506 * Configurations/FeatureDefines.xcconfig:
1508 2016-02-24 Konstantin Tokarev <annulen@yandex.ru>
1510 [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
1511 https://bugs.webkit.org/show_bug.cgi?id=154651
1513 Reviewed by Alex Christensen.
1515 * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
1517 2016-02-24 Commit Queue <commit-queue@webkit.org>
1519 Unreviewed, rolling out r197033.
1520 https://bugs.webkit.org/show_bug.cgi?id=154649
1522 "It broke JSC tests when 'this' was loaded from global scope"
1523 (Requested by saamyjoon on #webkit).
1527 "[ES6] Arrow function syntax. Emit loading&putting this/super
1528 only if they are used in arrow function"
1529 https://bugs.webkit.org/show_bug.cgi?id=153981
1530 http://trac.webkit.org/changeset/197033
1532 2016-02-24 Saam Barati <sbarati@apple.com>
1534 [ES6] Implement Proxy.[[Delete]]
1535 https://bugs.webkit.org/show_bug.cgi?id=154607
1537 Reviewed by Mark Lam.
1539 This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
1540 https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
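An added example of the three outcomes section 9.5.10 prescribes (example code, not the project's tests; names are constructed): a deleteProperty trap that really deletes one property, vetoes another, and lies about a non-configurable one. In strict code a vetoed delete throws, and the engine must reject the lie because a non-configurable target property cannot be reported as deleted.

```javascript
// Added illustration, not JSC code. Property names are constructed.
function deleteTrapDemo() {
  'use strict'; // strict code: a `delete` whose [[Delete]] returns false throws
  const target = { free: 1, refused: 2 };
  Object.defineProperty(target, 'pinned', { value: 3, configurable: false });
  const seen = [];
  const proxy = new Proxy(target, {
    deleteProperty(t, key) {
      seen.push(key);
      if (key === 'refused') return false;   // veto: strict caller gets a TypeError
      if (key === 'pinned') return true;     // lie: invariant check must reject this
      return Reflect.deleteProperty(t, key); // 'free': really delete it
    },
  });
  const errorName = (fn) => {
    try { fn(); return null; } catch (e) { return e.constructor.name; }
  };

  const freeResult = delete proxy.free;
  const refusedError = errorName(() => { delete proxy.refused; });
  const pinnedError = errorName(() => { delete proxy.pinned; });

  return {
    seen,                                 // every delete reached the trap
    freeResult,                           // true
    freeGone: !('free' in target),        // the target really lost it
    refusedError,                         // 'TypeError' (strict-mode delete failed)
    pinnedError,                          // 'TypeError' (invariant violated)
    pinnedStays: 'pinned' in target,      // the lie did not remove anything
  };
}
```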
1542 * runtime/ProxyObject.cpp:
1543 (JSC::ProxyObject::getConstructData):
1544 (JSC::ProxyObject::performDelete):
1545 (JSC::ProxyObject::deleteProperty):
1546 (JSC::ProxyObject::deletePropertyByIndex):
1547 * runtime/ProxyObject.h:
1549 * tests/stress/proxy-delete.js: Added.
1551 (throw.new.Error.let.handler.get deleteProperty):
1553 (assert.let.handler.deleteProperty):
1554 (let.handler.deleteProperty):
1556 2016-02-24 Filip Pizlo <fpizlo@apple.com>
1558 Stackmaps have problems with double register constraints
1559 https://bugs.webkit.org/show_bug.cgi?id=154643
1561 Reviewed by Geoffrey Garen.
1563 This is currently a benign bug. I found it while playing.
1565 * b3/B3LowerToAir.cpp:
1566 (JSC::B3::Air::LowerToAir::fillStackmap):
1568 (JSC::B3::testURShiftSelf64):
1569 (JSC::B3::testPatchpointDoubleRegs):
1573 2016-02-24 Skachkov Oleksandr <gskachkov@gmail.com>
1575 [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1576 https://bugs.webkit.org/show_bug.cgi?id=153981
1578 Reviewed by Saam Barati.
1580 In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
1581 'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
1582 The current patch added logic that prevents emitting those variables if they are not used in the arrow function.
1583 During syntax analysis, the parser stores information about the variables used in arrow functions inside of
1584 the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
1586 * bytecode/ExecutableInfo.h:
1587 (JSC::ExecutableInfo::ExecutableInfo):
1588 (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
1589 * bytecode/UnlinkedCodeBlock.cpp:
1590 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1591 * bytecode/UnlinkedCodeBlock.h:
1592 (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
1593 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
1594 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
1595 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
1596 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
1597 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
1598 (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
1599 * bytecode/UnlinkedFunctionExecutable.cpp:
1600 (JSC::generateUnlinkedFunctionCodeBlock):
1601 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1602 * bytecode/UnlinkedFunctionExecutable.h:
1603 * bytecompiler/BytecodeGenerator.cpp:
1604 (JSC::BytecodeGenerator::BytecodeGenerator):
1605 (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1606 (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1607 (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1608 (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1609 (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1610 (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1611 (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1612 (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1613 (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1614 (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1615 (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1616 (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1617 * bytecompiler/BytecodeGenerator.h:
1618 * bytecompiler/NodesCodegen.cpp:
1619 (JSC::ThisNode::emitBytecode):
1620 (JSC::EvalFunctionCallNode::emitBytecode):
1621 (JSC::FunctionCallValueNode::emitBytecode):
1622 (JSC::FunctionNode::emitBytecode):
1623 * parser/ASTBuilder.h:
1624 (JSC::ASTBuilder::createFunctionMetadata):
1626 (JSC::FunctionMetadataNode::FunctionMetadataNode):
1628 * parser/Parser.cpp:
1629 (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1630 (JSC::Parser<LexerType>::parseFunctionBody):
1631 (JSC::Parser<LexerType>::parseFunctionInfo):
1632 (JSC::Parser<LexerType>::parseProperty):
1633 (JSC::Parser<LexerType>::parsePrimaryExpression):
1634 (JSC::Parser<LexerType>::parseMemberExpression):
1636 (JSC::Scope::Scope):
1637 (JSC::Scope::isArrowFunctionBoundary):
1638 (JSC::Scope::innerArrowFunctionFeatures):
1639 (JSC::Scope::setInnerArrowFunctionUseSuperCall):
1640 (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
1641 (JSC::Scope::setInnerArrowFunctionUseEval):
1642 (JSC::Scope::setInnerArrowFunctionUseThis):
1643 (JSC::Scope::setInnerArrowFunctionUseNewTarget):
1644 (JSC::Scope::setInnerArrowFunctionUseArguments):
1645 (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
1646 (JSC::Scope::collectFreeVariables):
1647 (JSC::Scope::mergeInnerArrowFunctionFeatures):
1648 (JSC::Scope::fillParametersForSourceProviderCache):
1649 (JSC::Scope::restoreFromSourceProviderCache):
1650 (JSC::Scope::setIsFunction):
1651 (JSC::Scope::setIsArrowFunction):
1652 (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1653 (JSC::Parser::pushScope):
1654 (JSC::Parser::popScopeInternal):
1655 * parser/ParserModes.h:
1656 * parser/SourceProviderCacheItem.h:
1657 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1658 * parser/SyntaxChecker.h:
1659 (JSC::SyntaxChecker::createFunctionMetadata):
1660 * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1661 * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1662 * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1663 * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1664 * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1666 2016-02-23 Brian Burg <bburg@apple.com>
1668 Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
1669 https://bugs.webkit.org/show_bug.cgi?id=154615
1670 <rdar://problem/24804330>
1672 Reviewed by Timothy Hatcher.
1674 Some of the generated Objective-C bindings are only relevant to code acting as the
1675 protocol backend. Add a per-generator setting mechanism and propagate --frontend and
1676 --backend to all generators. Use the setting in a few generators to omit code that's
1679 Also fix a few places where the code emits the wrong Objective-C class prefix.
1680 There is some common non-generated code that must always have the RWIProtocol prefix.
1682 Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1683 macros defined in the internal header now need to be used outside of the framework.
1685 * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1686 Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1687 depending on the target framework.
1689 * inspector/scripts/codegen/generate_objc_header.py:
1690 (ObjCHeaderGenerator.generate_output):
1691 For now, omit generating command protocol and event dispatchers when generating for --frontend.
1693 (ObjCHeaderGenerator._generate_type_interface):
1694 Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1696 * inspector/scripts/codegen/generate_objc_internal_header.py:
1697 Use RWIProtocolJSONObjectPrivate.h instead.
1699 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1700 (ObjCProtocolTypesImplementationGenerator.generate_output):
1701 Include the Internal header if it's being generated (only for --backend).
1703 * inspector/scripts/codegen/generator.py:
1704 (Generator.__init__):
1705 (Generator.set_generator_setting):
1707 (Generator.get_generator_setting):
1708 Crib a simple setting system from the Framework class. Make the names more obnoxious.
1710 (Generator.string_for_file_include):
1711 Inspired by the replay input generator, this is a function that uses the proper syntax
1712 for a file include depending on the file's framework and target framework.
1714 * inspector/scripts/codegen/objc_generator.py:
1715 (ObjCGenerator.and):
1716 (ObjCGenerator.and.objc_prefix):
1718 (ObjCGenerator.objc_type_for_raw_name):
1719 (ObjCGenerator.objc_class_for_raw_name):
1720 Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1722 * inspector/scripts/generate-inspector-protocol-bindings.py:
1723 (generate_from_specification):
1724 Change the generators to use for the frontend. Propagate --frontend and --backend.
1726 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1727 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1728 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1729 * inspector/scripts/tests/expected/enum-values.json-result:
1730 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1731 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1732 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1733 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1734 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1735 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1736 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1737 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1738 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1739 Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1741 2016-02-23 Saam barati <sbarati@apple.com>
1743 arrayProtoFuncConcat doesn't check for an exception after allocating an array
1744 https://bugs.webkit.org/show_bug.cgi?id=154621
1746 Reviewed by Michael Saboff.
1748 * runtime/ArrayPrototype.cpp:
1749 (JSC::arrayProtoFuncConcat):
1751 2016-02-23 Dan Bernstein <mitz@apple.com>
1753 [Xcode] Linker errors display mangled names, but no longer should
1754 https://bugs.webkit.org/show_bug.cgi?id=154632
1756 Reviewed by Sam Weinig.
1758 * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1760 2016-02-23 Gavin Barraclough <barraclough@apple.com>
1762 Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1763 https://bugs.webkit.org/show_bug.cgi?id=112323
1765 Reviewed by Chris Dumez.
1767 This feature is controlled by a runtime switch, and defaults off.
1769 * Configurations/FeatureDefines.xcconfig:
1771 2016-02-23 Keith Miller <keith_miller@apple.com>
1773 JSC stress tests' standalone-pre.js should exit on the first failure by default
1774 https://bugs.webkit.org/show_bug.cgi?id=154565
1776 Reviewed by Mark Lam.
1778 Currently, if a test writer does not call finishJSTest() at the end of
1779 any test using stress/resources/standalone-pre.js then the test can fail
1780 without actually reporting an error to the harness. By default, we
1781 should throw on the first error so that, in the event someone does not call
1782 finishJSTest(), the harness will still notice the error.
1784 * tests/stress/regress-151324.js:
1785 * tests/stress/resources/standalone-pre.js:
1788 2016-02-23 Saam barati <sbarati@apple.com>
1790 Make JSObject::getMethod have fewer branches
1791 https://bugs.webkit.org/show_bug.cgi?id=154603
1793 Reviewed by Mark Lam.
1795 Writing code with fewer branches is almost always better.
1797 * runtime/JSObject.cpp:
1798 (JSC::JSObject::getMethod):
1800 2016-02-23 Filip Pizlo <fpizlo@apple.com>
1802 B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1803 https://bugs.webkit.org/show_bug.cgi?id=154592
1805 Reviewed by Saam Barati.
1807 If Foo has a virtual destructor, then:
1809 foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1810 subclass of Foo that overrides the destructor, this syntax will not call that override.
1812 foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1813 get the subclass's override.
1815 In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1816 This caused leaks because this didn't actually call the subclass's override. This fixes the
1817 problem by using this->~Value() instead.
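The destructor-call distinction described above, as an added example that is not WebKit code: a base class with a virtual destructor, a subclass whose destructor is the only place a resource would be released, and counters (a constructed stand-in for the leaked allocation) that record which destructors actually ran for the qualified `Base::~Base()` call versus the unqualified `~Base()` call.

```cpp
#include <cstdio>
#include <new>

// Constructed example: counters stand in for "was the resource released?".
// Heap allocation is deliberately avoided so the leak is visible as a
// counter value rather than as actual leaked memory.
struct DestructorCounts {
    int base = 0;     // how many times Base::~Base ran
    int derived = 0;  // how many times Derived::~Derived ran
};

struct Base {
    explicit Base(DestructorCounts& c) : counts(c) {}
    virtual ~Base() { ++counts.base; }
    DestructorCounts& counts;
};

struct Derived : Base {
    explicit Derived(DestructorCounts& c) : Base(c) {}
    // In the real bug this is where the subclass released its resources;
    // if it never runs, those resources leak.
    ~Derived() override { ++counts.derived; }
};

// The buggy pattern (this->Value::~Value() in B3): a qualified destructor
// call binds statically to Base::~Base, so the dynamic type is ignored and
// Derived::~Derived never runs.
DestructorCounts destroyWithQualifiedCall() {
    DestructorCounts counts;
    alignas(Derived) unsigned char storage[sizeof(Derived)];
    Base* object = new (storage) Derived(counts);
    object->Base::~Base();  // non-virtual: skips the subclass override
    return counts;          // derived == 0: the leak
}

// The fix (this->~Value()): an unqualified call dispatches through the
// vtable, so Derived::~Derived runs first and then Base::~Base.
DestructorCounts destroyWithVirtualCall() {
    DestructorCounts counts;
    alignas(Derived) unsigned char storage[sizeof(Derived)];
    Base* object = new (storage) Derived(counts);
    object->~Base();        // virtual: the subclass override runs
    return counts;          // derived == 1, base == 1
}

int main() {
    DestructorCounts buggy = destroyWithQualifiedCall();
    DestructorCounts fixed = destroyWithVirtualCall();
    std::printf("qualified call: base=%d derived=%d\n", buggy.base, buggy.derived);
    std::printf("virtual call:   base=%d derived=%d\n", fixed.base, fixed.derived);
    return 0;
}
```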
1819 * b3/B3ControlValue.cpp:
1820 (JSC::B3::ControlValue::convertToJump):
1821 (JSC::B3::ControlValue::convertToOops):
1823 (JSC::B3::Value::replaceWithIdentity):
1824 (JSC::B3::Value::replaceWithNop):
1825 (JSC::B3::Value::replaceWithPhi):
1827 2016-02-23 Brian Burg <bburg@apple.com>
1829 Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1830 https://bugs.webkit.org/show_bug.cgi?id=154596
1831 <rdar://problem/24794962>
1833 Reviewed by Timothy Hatcher.
1835 In order to support different generated protocol sets that don't have conflicting
1836 file and type names, allow the Objective-C prefix to be configurable based on the
1837 target framework. Each name also has the implicit prefix 'Protocol' appended to the
1838 per-target framework prefix.
1840 For example, the existing protocol for remote inspection has the prefix 'RWI'
1841 and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1842 and is generated as 'AutomationProtocol'.
1844 To make this change, convert ObjCGenerator to be a subclass of Generator and use
1845 the instance method model() to find the target framework and its setting for
1846 'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1847 these instance methods that used to be static methods. This is a large but
1848 mechanical change to use self instead of ObjCGenerator.
1850 * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1851 (ObjCBackendDispatcherHeaderGenerator):
1852 (ObjCBackendDispatcherHeaderGenerator.__init__):
1853 (ObjCBackendDispatcherHeaderGenerator.output_filename):
1854 (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1855 (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1856 * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1857 (ObjCConfigurationImplementationGenerator):
1858 (ObjCConfigurationImplementationGenerator.__init__):
1859 (ObjCConfigurationImplementationGenerator.output_filename):
1860 (ObjCConfigurationImplementationGenerator.generate_output):
1861 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1862 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1863 (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1864 * inspector/scripts/codegen/generate_objc_configuration_header.py:
1865 (ObjCConfigurationHeaderGenerator):
1866 (ObjCConfigurationHeaderGenerator.__init__):
1867 (ObjCConfigurationHeaderGenerator.output_filename):
1868 (ObjCConfigurationHeaderGenerator.generate_output):
1869 (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1870 (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1871 * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1872 (ObjCBackendDispatcherImplementationGenerator):
1873 (ObjCBackendDispatcherImplementationGenerator.__init__):
1874 (ObjCBackendDispatcherImplementationGenerator.output_filename):
1875 (ObjCBackendDispatcherImplementationGenerator.generate_output):
1876 (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1877 (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1878 (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1879 (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1880 * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1881 (ObjCConversionHelpersGenerator):
1882 (ObjCConversionHelpersGenerator.__init__):
1883 (ObjCConversionHelpersGenerator.output_filename):
1884 (ObjCConversionHelpersGenerator.generate_output):
1885 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1886 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1887 (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1888 * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1889 (ObjCFrontendDispatcherImplementationGenerator):
1890 (ObjCFrontendDispatcherImplementationGenerator.__init__):
1891 (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1892 (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1893 (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1894 (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1895 (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1896 (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1897 (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1898 * inspector/scripts/codegen/generate_objc_header.py:
1899 (ObjCHeaderGenerator):
1900 (ObjCHeaderGenerator.__init__):
1901 (ObjCHeaderGenerator.output_filename):
1902 (ObjCHeaderGenerator.generate_output):
1903 (ObjCHeaderGenerator._generate_forward_declarations):
1904 (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1905 (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1906 (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1907 (ObjCHeaderGenerator._generate_type_interface):
1908 (ObjCHeaderGenerator._generate_init_method_for_required_members):
1909 (ObjCHeaderGenerator._generate_member_property):
1910 (ObjCHeaderGenerator._generate_command_protocols):
1911 (ObjCHeaderGenerator._generate_single_command_protocol):
1912 (ObjCHeaderGenerator._callback_block_for_command):
1913 (ObjCHeaderGenerator._generate_event_interfaces):
1914 (ObjCHeaderGenerator._generate_single_event_interface):
1915 * inspector/scripts/codegen/generate_objc_internal_header.py:
1916 (ObjCInternalHeaderGenerator):
1917 (ObjCInternalHeaderGenerator.__init__):
1918 (ObjCInternalHeaderGenerator.output_filename):
1919 (ObjCInternalHeaderGenerator.generate_output):
1920 (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1921 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1922 (ObjCProtocolTypesImplementationGenerator):
1923 (ObjCProtocolTypesImplementationGenerator.__init__):
1924 (ObjCProtocolTypesImplementationGenerator.output_filename):
1925 (ObjCProtocolTypesImplementationGenerator.generate_output):
1926 (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1927 (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1928 (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1929 (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1930 (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1931 (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1932 * inspector/scripts/codegen/models.py:
1933 * inspector/scripts/codegen/objc_generator.py:
1934 (ObjCTypeCategory.category_for_type):
1936 (ObjCGenerator.__init__):
1937 (ObjCGenerator.objc_prefix):
1938 (ObjCGenerator.objc_name_for_type):
1939 (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1940 (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1941 (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
1942 (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
1943 (ObjCGenerator.objc_class_for_type):
1944 (ObjCGenerator.objc_class_for_array_type):
1945 (ObjCGenerator.objc_accessor_type_for_member):
1946 (ObjCGenerator.objc_accessor_type_for_member_internal):
1947 (ObjCGenerator.objc_type_for_member):
1948 (ObjCGenerator.objc_type_for_member_internal):
1949 (ObjCGenerator.objc_type_for_param):
1950 (ObjCGenerator.objc_type_for_param_internal):
1951 (ObjCGenerator.objc_protocol_export_expression_for_variable):
1952 (ObjCGenerator.objc_protocol_import_expression_for_member):
1953 (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1954 (ObjCGenerator.objc_protocol_import_expression_for_variable):
1955 (ObjCGenerator.objc_to_protocol_expression_for_member):
1956 (ObjCGenerator.protocol_to_objc_expression_for_member):
1958 Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
1960 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1961 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1962 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1963 * inspector/scripts/tests/expected/enum-values.json-result:
1964 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1965 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1966 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1967 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1968 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1969 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1970 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1971 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1972 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1974 2016-02-23 Mark Lam <mark.lam@apple.com>
1976 Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1977 https://bugs.webkit.org/show_bug.cgi?id=154542
1979 Reviewed by Saam Barati.
1981 According to the spec, the constructors of the following types "are not intended
1982 to be called as a function and will throw an exception". These types are:
1983 TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1984 Map - https://tc39.github.io/ecma262/#sec-map-constructor
1985 Set - https://tc39.github.io/ecma262/#sec-set-constructor
1986 WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1987 WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1988 ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1989 DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1990 Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1991 Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1993 This patch does the following:
1994 1. Ensures that these constructors can be called but will throw a TypeError
1996 2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1997 in their implementation to be consistent.
1998 3. Change the error message to "calling XXX constructor without new is invalid".
1999 This is clearer because the error is likely due to the user forgetting to use
2000 the new operator on these constructors.
2003 * runtime/Error.cpp:
2004 (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2005 - Added a convenience function to throw the TypeError.
2007 * runtime/JSArrayBufferConstructor.cpp:
2008 (JSC::constructArrayBuffer):
2009 (JSC::callArrayBuffer):
2010 (JSC::JSArrayBufferConstructor::getCallData):
2011 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2012 (JSC::callGenericTypedArrayView):
2013 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2014 * runtime/JSPromiseConstructor.cpp:
2016 * runtime/MapConstructor.cpp:
2018 * runtime/ProxyConstructor.cpp:
2020 (JSC::ProxyConstructor::getCallData):
2021 * runtime/SetConstructor.cpp:
2023 * runtime/WeakMapConstructor.cpp:
2025 * runtime/WeakSetConstructor.cpp:
2029 - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
2031 * tests/stress/call-non-calleable-constructors-as-function.js: Added.
2034 * tests/stress/map-constructor.js:
2035 (testCallTypeError):
2036 * tests/stress/promise-cannot-be-called.js:
2038 * tests/stress/proxy-basic.js:
2039 * tests/stress/set-constructor.js:
2040 * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
2042 * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
2044 * tests/stress/throw-from-ftl-call-ic-slow-path.js:
2046 * tests/stress/weak-map-constructor.js:
2047 (testCallTypeError):
2048 * tests/stress/weak-set-constructor.js:
2049 - Updated error message string.
2051 2016-02-23 Alexey Proskuryakov <ap@apple.com>
2055 Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
2057 * inspector/InspectorBackendDispatcher.h:
2059 2016-02-23 Brian Burg <bburg@apple.com>
2061 Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
2062 https://bugs.webkit.org/show_bug.cgi?id=154518
2063 <rdar://problem/24761096>
2065 Reviewed by Timothy Hatcher.
2067 * inspector/InspectorBackendDispatcher.h:
2068 Export all the classes since they are used by WebKit::WebAutomationSession.
2070 2016-02-22 Brian Burg <bburg@apple.com>
2072 Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2073 https://bugs.webkit.org/show_bug.cgi?id=154509
2074 <rdar://problem/24759098>
2076 Reviewed by Timothy Hatcher.
2078 Add a new 'WebKit' framework, which is used to generate protocol code
2081 Add --backend and --frontend flags to the main generator script.
2082 These allow a framework to trigger two different sets of generators
2083 so they can be separately generated and compiled.
2085 * inspector/scripts/codegen/models.py:
2086 (Framework.fromString):
2087 (Frameworks): Add new framework.
2089 * inspector/scripts/generate-inspector-protocol-bindings.py:
2090 If neither --backend or --frontend is specified, assume both are wanted.
2091 This matches the behavior for JavaScriptCore and WebInspector frameworks.
2093 (generate_from_specification):
2094 Generate C++ files for the backend and Objective-C files for the frontend.
2096 2016-02-22 Saam barati <sbarati@apple.com>
2098 JSGlobalObject doesn't visit ProxyObjectStructure during GC
2099 https://bugs.webkit.org/show_bug.cgi?id=154564
2101 Rubber stamped by Mark Lam.
2103 * runtime/JSGlobalObject.cpp:
2104 (JSC::JSGlobalObject::visitChildren):
2106 2016-02-22 Saam barati <sbarati@apple.com>
2108 InternalFunction::createSubclassStructure doesn't take into account that get() might throw
2109 https://bugs.webkit.org/show_bug.cgi?id=154548
2111 Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
2113 InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
2114 an exception. Neither the function nor the call sites of the function took this into
2115 account. This patch audits the call sites of the function to make it work in
2116 the event that an exception is thrown.
2118 * runtime/BooleanConstructor.cpp:
2119 (JSC::constructWithBooleanConstructor):
2120 * runtime/DateConstructor.cpp:
2121 (JSC::constructDate):
2122 * runtime/ErrorConstructor.cpp:
2123 (JSC::Interpreter::constructWithErrorConstructor):
2124 * runtime/FunctionConstructor.cpp:
2125 (JSC::constructFunctionSkippingEvalEnabledCheck):
2126 * runtime/InternalFunction.cpp:
2127 (JSC::InternalFunction::createSubclassStructure):
2128 * runtime/JSArrayBufferConstructor.cpp:
2129 (JSC::constructArrayBuffer):
2130 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2131 (JSC::constructGenericTypedArrayView):
2132 * runtime/JSGlobalObject.h:
2133 (JSC::constructEmptyArray):
2134 (JSC::constructArray):
2135 (JSC::constructArrayNegativeIndexed):
2136 * runtime/JSPromiseConstructor.cpp:
2137 (JSC::constructPromise):
2138 * runtime/MapConstructor.cpp:
2139 (JSC::constructMap):
2140 * runtime/NativeErrorConstructor.cpp:
2141 (JSC::Interpreter::constructWithNativeErrorConstructor):
2142 * runtime/NumberConstructor.cpp:
2143 (JSC::constructWithNumberConstructor):
2144 * runtime/RegExpConstructor.cpp:
2145 (JSC::getRegExpStructure):
2146 (JSC::constructRegExp):
2147 (JSC::constructWithRegExpConstructor):
2148 * runtime/SetConstructor.cpp:
2149 (JSC::constructSet):
2150 * runtime/StringConstructor.cpp:
2151 (JSC::constructWithStringConstructor):
2152 (JSC::StringConstructor::getConstructData):
2153 * runtime/WeakMapConstructor.cpp:
2154 (JSC::constructWeakMap):
2155 * runtime/WeakSetConstructor.cpp:
2156 (JSC::constructWeakSet):
2157 * tests/stress/create-subclass-structure-might-throw.js: Added.
2160 2016-02-22 Ting-Wei Lan <lantw44@gmail.com>
2162 Fix build and implement functions to retrieve registers on FreeBSD
2163 https://bugs.webkit.org/show_bug.cgi?id=152258
2165 Reviewed by Michael Catanzaro.
2167 * heap/MachineStackMarker.cpp:
2168 (pthreadSignalHandlerSuspendResume):
2169 struct ucontext is not specified in POSIX and it is not available on
2170 FreeBSD. Replacing it with ucontext_t fixes the build problem.
2171 (JSC::MachineThreads::Thread::Registers::stackPointer):
2172 (JSC::MachineThreads::Thread::Registers::framePointer):
2173 (JSC::MachineThreads::Thread::Registers::instructionPointer):
2174 (JSC::MachineThreads::Thread::Registers::llintPC):
2175 * heap/MachineStackMarker.h:
2177 2016-02-22 Saam barati <sbarati@apple.com>
2179 JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
2180 https://bugs.webkit.org/show_bug.cgi?id=154552
2182 Reviewed by Mark Lam.
2184 ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
2185 They return false on a Proxy with internal [[Call]] and [[Construct]]
2186 properties. It seems safest, most forward looking, and most adherent
2187 to the specification to check getCallData() and getConstructData() to
2188 implement these functions.
2190 * runtime/InternalFunction.cpp:
2191 (JSC::InternalFunction::createSubclassStructure):
2192 * runtime/JSCJSValueInlines.h:
2193 (JSC::JSValue::isFunction):
2194 (JSC::JSValue::isConstructor):
2196 2016-02-22 Keith Miller <keith_miller@apple.com>
2198 Bound functions should use the prototype of the function being bound
2199 https://bugs.webkit.org/show_bug.cgi?id=154195
2201 Reviewed by Geoffrey Garen.
2203 Per ES6, the result of Function.prototype.bind should have the same
2204 prototype as the function being bound. In order to avoid creating
2205 a new structure each time a function is bound we store the new
2206 structure in our structure map. However, we cannot currently store
2207 structures that have a different GlobalObject than their prototype.
2208 In the rare case that the GlobalObject differs or the prototype of
2209 the bindee is null we create a new structure each time. To further
2210 minimize new structures, as well as making structure lookup faster,
2211 we also store the structure in the RareData of the function we
2214 * runtime/FunctionRareData.cpp:
2215 (JSC::FunctionRareData::visitChildren):
2216 * runtime/FunctionRareData.h:
2217 (JSC::FunctionRareData::getBoundFunctionStructure):
2218 (JSC::FunctionRareData::setBoundFunctionStructure):
2219 * runtime/JSBoundFunction.cpp:
2220 (JSC::getBoundFunctionStructure):
2221 (JSC::JSBoundFunction::create):
2223 * tests/stress/bound-function-uses-prototype.js: Added.
2224 (testChangeProto.foo):
2227 * tests/stress/class-subclassing-function.js:
2229 2016-02-22 Keith Miller <keith_miller@apple.com>
2231 Unreviewed, fix stress test to not print on success.
2233 * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
2236 2016-02-22 Keith Miller <keith_miller@apple.com>
2238 Use Symbol.species in the builtin TypedArray.prototype functions
2239 https://bugs.webkit.org/show_bug.cgi?id=153384
2241 Reviewed by Geoffrey Garen.
2243 This patch adds the use of species constructors to the TypedArray.prototype map and filter
2244 functions. It also adds a new private function typedArrayGetOriginalConstructor that
2245 returns the TypedArray constructor used to originally create a TypedArray instance.
2247 There are no ES6 tests to update for this patch as species creation for these functions is
2248 not tested in the compatibility table.
2250 * builtins/TypedArrayPrototype.js:
2253 * bytecode/BytecodeIntrinsicRegistry.cpp:
2254 (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2255 * bytecode/BytecodeIntrinsicRegistry.h:
2256 * runtime/CommonIdentifiers.h:
2257 * runtime/JSGlobalObject.cpp:
2258 (JSC::JSGlobalObject::init):
2259 (JSC::JSGlobalObject::visitChildren):
2260 * runtime/JSGlobalObject.h:
2261 (JSC::JSGlobalObject::typedArrayConstructor):
2262 * runtime/JSTypedArrayViewPrototype.cpp:
2263 (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
2264 * runtime/JSTypedArrayViewPrototype.h:
2265 * tests/stress/typedarray-filter.js:
2266 (subclasses.typedArrays.map):
2271 (subclasses.forEach):
2272 (testSpeciesRemoveConstructor):
2273 * tests/stress/typedarray-map.js:
2274 (subclasses.typedArrays.map):
2279 (subclasses.forEach):
2280 (testSpeciesRemoveConstructor):
2282 2016-02-22 Keith Miller <keith_miller@apple.com>
2284 Builtins that should not rely on iteration do.
2285 https://bugs.webkit.org/show_bug.cgi?id=154475
2287 Reviewed by Geoffrey Garen.
2289 When changing the behavior of varargs calls to use ES6 iterators the
2290 call builtin function's use of a varargs call was overlooked. The use
2291 of iterators is observable outside the scope of the call function,
2292 thus it must be reimplemented.
2294 * builtins/FunctionPrototype.js:
2296 * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
2016-02-22 Konstantin Tokarev <annulen@yandex.ru>

[JSC shell] Don't put empty arguments array to VM.
https://bugs.webkit.org/show_bug.cgi?id=154516

Reviewed by Geoffrey Garen.

This allows the arrowfunction-lexical-bind-arguments-top-level test to pass
in jsc as well as in the browser.

(GlobalObject::finishCreation):

2016-02-22 Konstantin Tokarev <annulen@yandex.ru>

[cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
https://bugs.webkit.org/show_bug.cgi?id=154450

Reviewed by Alex Christensen.

2016-02-22 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r196891.
https://bugs.webkit.org/show_bug.cgi?id=154539

It broke Production builds (Requested by brrian on #webkit).

"Web Inspector: add 'Automation' protocol domain and generate
its backend classes separately in WebKit2"
https://bugs.webkit.org/show_bug.cgi?id=154509
http://trac.webkit.org/changeset/196891

2016-02-21 Joseph Pecoraro <pecoraro@apple.com>

CodeBlock always visits its unlinked code twice
https://bugs.webkit.org/show_bug.cgi?id=154494

Reviewed by Saam Barati.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitChildren):
The unlinked code is always visited in stronglyVisitStrongReferences.
2016-02-21 Brian Burg <bburg@apple.com>

Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
https://bugs.webkit.org/show_bug.cgi?id=154509
<rdar://problem/24759098>

Reviewed by Timothy Hatcher.

Add a new 'WebKit' framework, which is used to generate protocol code

Add --backend and --frontend flags to the main generator script.
These allow a framework to trigger two different sets of generators
so they can be separately generated and compiled.

* inspector/scripts/codegen/models.py:
(Framework.fromString):
(Frameworks): Add new framework.

* inspector/scripts/generate-inspector-protocol-bindings.py:
If neither --backend nor --frontend is specified, assume both are wanted.
This matches the behavior for the JavaScriptCore and WebInspector frameworks.

(generate_from_specification):
Generate C++ files for the backend and Objective-C files for the frontend.

2016-02-21 Sukolsak Sakshuwong <sukolsak@gmail.com>

Improvements to Intl code
https://bugs.webkit.org/show_bug.cgi?id=154486

Reviewed by Darin Adler.

This patch does several things:
- Use std::unique_ptr to store ICU objects.
- Pass Vector::size() to ICU functions that take a buffer size instead
of Vector::capacity().
- If U_SUCCESS(status) is true, it means there is no error, but there
could be warnings. ICU functions ignore warnings. So, there is no need
to reset status to U_ZERO_ERROR.
- Remove the initialization of the String instance variables of
IntlDateTimeFormat. These values are never read and cause unnecessary
- Some small optimizations.

* runtime/IntlCollator.cpp:
(JSC::IntlCollator::UCollatorDeleter::operator()):
(JSC::IntlCollator::createCollator):
(JSC::IntlCollator::compareStrings):
(JSC::IntlCollator::~IntlCollator): Deleted.
* runtime/IntlCollator.h:
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
(JSC::defaultTimeZone):
(JSC::canonicalizeTimeZoneName):
(JSC::toDateTimeOptionsAnyDate):
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
(JSC::IntlDateTimeFormat::weekdayString):
(JSC::IntlDateTimeFormat::format):
(JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
(JSC::localeData): Deleted.
* runtime/IntlDateTimeFormat.h:
* runtime/IntlDateTimeFormatConstructor.cpp:
* runtime/IntlNumberFormatConstructor.cpp:
* runtime/IntlObject.cpp:
(JSC::numberingSystemsForLocale):
2016-02-21 Skachkov Oleksandr <gskachkov@gmail.com>

Remove arrowfunction test cases that rely on arguments variable in jsc
https://bugs.webkit.org/show_bug.cgi?id=154517

Reviewed by Yusuke Suzuki.

Allow jsc to have the same JavaScript behavior as the browser has.

* tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
* tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
2016-02-21 Brian Burg <bburg@apple.com>

Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
https://bugs.webkit.org/show_bug.cgi?id=154508
<rdar://problem/24759077>

Reviewed by Timothy Hatcher.

In preparation for being able to generate protocol files for WebKit2,
make it possible to not emit generated code that's guarded by
ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
backend dispatchers generated outside of JavaScriptCore. We can't just
define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
in the configurations where the code is actually used.

Add a new opt-in Framework configuration option that turns on generating
this code. Adjust how the code is generated so that it can be easily excluded.

* inspector/scripts/codegen/cpp_generator_templates.py:
Make a separate template for the declarations that are guarded.
Add an initializer expression so the order of initializers doesn't matter.

* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
(CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
(CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
If the declarations are needed, they will be appended to the end of the

* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.

* inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
to True for Framework.JavaScriptCore only. It's not needed elsewhere.

Rebaseline affected tests.

* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/enum-values.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:

2016-02-21 Brian Burg <bburg@apple.com>

Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
https://bugs.webkit.org/show_bug.cgi?id=154505
<rdar://problem/24758042>

Reviewed by Timothy Hatcher.

It should be possible to generate code for a framework using some generators
that other frameworks also use. Right now the generator selection code assumes
that use of a generator is mutually exclusive among non-test frameworks.

Make this code explicitly switch on the framework. Reorder generators
alphabetically within each case.

* inspector/scripts/generate-inspector-protocol-bindings.py:
(generate_from_specification):

Rebaseline tests that are affected by generator reorderings.

* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/enum-values.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2016-02-19 Saam Barati <sbarati@apple.com>

[ES6] Implement Proxy.[[Construct]]
https://bugs.webkit.org/show_bug.cgi?id=154440

Reviewed by Oliver Hunt.

This patch is mostly an implementation of
Proxy.[[Construct]] with respect to section 9.5.13
of the ECMAScript spec.
https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget

This patch also changes op_create_this to accept new.target's
that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
because we might construct a JSFunction with a new.target being
a Proxy. This will also be needed when we implement Reflect.construct.

* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::finishCreation):
(JSC::ProxyObject::visitChildren):
(JSC::performProxyConstruct):
(JSC::ProxyObject::getConstructData):
* runtime/ProxyObject.h:
* tests/stress/proxy-construct.js: Added.
(throw.new.Error.let.target):
(assert.let.target):
(assert.let.handler.get construct):
(let.handler.construct):
(assert.let.handler.construct):
(assert.let.construct):
(assert.else.assert.let.target):
(assert.else.assert.let.construct):
(assert.else.assert):
(new.proxy.let.target):
(new.proxy.let.construct):
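The following is an added example, not code from the ChangeLog entry above or from JSC's proxy-construct.js test; it exercises the observable Proxy.[[Construct]] behaviour the entry implements (section 9.5.13): a proxy without a construct trap forwards to the target with the proxy itself as new.target, a construct trap receives (target, argumentsList, newTarget), and a trap returning a non-object raises a TypeError. All names are constructed for the example.

```javascript
// Constructed target class: records what the engine passed as new.target so a
// caller can check that Proxy.[[Construct]] forwarded the proxy, not the target.
class Base {
  constructor(a, b) {
    this.sum = a + b;
    this.newTarget = new.target;
  }
}

// Case 1: handler has no construct trap. [[Construct]] must fall through to
// Construct(target, argumentsList, newTarget) with newTarget === proxy, so the
// target constructor observes the proxy as new.target, while the prototype of
// the result is still resolved through new.target.prototype (Base.prototype,
// because the proxy's "prototype" get is forwarded to Base).
function constructWithoutTrap() {
  const proxy = new Proxy(Base, {});
  const obj = new proxy(1, 2);
  return {
    sum: obj.sum,
    newTargetIsProxy: obj.newTarget === proxy,
    protoIsBasePrototype: Object.getPrototypeOf(obj) === Base.prototype,
  };
}

// Case 2: handler defines a construct trap. The trap is invoked as
// trap(target, argumentsList, newTarget) and the object it returns becomes
// the result of the `new` expression; the target constructor never runs.
function constructWithTrap() {
  const seen = {};
  const proxy = new Proxy(Base, {
    construct(target, args, newTarget) {
      seen.targetIsBase = target === Base;
      seen.args = args.slice();
      seen.newTargetIsProxy = newTarget === proxy;
      return { trapped: true };
    },
  });
  const obj = new proxy(3, 4);
  seen.resultIsTrapObject = obj.trapped === true;
  return seen;
}

// Case 3: the spec requires the trap result to be an Object; a primitive
// result must surface as a TypeError at the `new` expression.
function constructWithBadTrap() {
  const proxy = new Proxy(Base, { construct() { return 42; } });
  try {
    new proxy();
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Case 4: a proxy whose target is not a constructor has no [[Construct]] at
// all, so `new` on it is a TypeError before any trap lookup happens.
function constructNonConstructorTarget() {
  const proxy = new Proxy({}, { construct() { return {}; } });
  try {
    new proxy();
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}
```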
2016-02-19 Sukolsak Sakshuwong <sukolsak@gmail.com>

[INTL] Implement Number Format Functions
https://bugs.webkit.org/show_bug.cgi?id=147605

Reviewed by Darin Adler.

This patch implements Intl.NumberFormat.prototype.format() according
to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)

* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
(JSC::IntlNumberFormat::initializeNumberFormat):
(JSC::IntlNumberFormat::createNumberFormat):
(JSC::IntlNumberFormat::formatNumber):
(JSC::IntlNumberFormatFuncFormatNumber): Deleted.
* runtime/IntlNumberFormat.h:
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatFuncFormatNumber):

2016-02-18 Gavin Barraclough <barraclough@apple.com>

JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
https://bugs.webkit.org/show_bug.cgi?id=154416

Reviewed by Geoff Garen.

Here's the bug. Suppose you call JSObject::getOwnProperty and -
- PropertyName contains an index,
- An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
- The base of the access (or another object on the prototype chain) shadows that property.

JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
index, and as such walks up the prototype chain looking for non-index properties before it
tries calling parseIndex.

At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
would potentially return the property) we may have already skipped over non-overriding
objects that contain the property in index storage.

* runtime/JSObject.h:
(JSC::JSObject::getOwnNonIndexPropertySlot):
- renamed from inlineGetOwnPropertySlot to better describe behaviour;
added ASSERT guarding that this method never returns index properties -
if it ever does, this is unsafe for getPropertySlot.
(JSC::JSObject::getOwnPropertySlot):
- inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
(JSC::JSObject::getPropertySlot):
- In case of object overriding getOwnPropertySlot check if propertyName is an index.
(JSC::JSObject::getNonIndexPropertySlot):
- called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
in order to avoid repeated calls to parseIndex.
(JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
- this was renamed to getOwnNonIndexPropertySlot.
(JSC::JSObject::fastGetOwnPropertySlot): Deleted.
- this was folded back in to getPropertySlot.
2016-02-19 Saam Barati <sbarati@apple.com>

[ES6] Implement Proxy.[[Call]]
https://bugs.webkit.org/show_bug.cgi?id=154425

Reviewed by Mark Lam.

This patch is a straightforward implementation of
Proxy.[[Call]] with respect to section 9.5.12
of the ECMAScript spec.
https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist

* runtime/ProxyObject.cpp:
(JSC::ProxyObject::finishCreation):
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::getOwnPropertySlotByIndex):
(JSC::performProxyCall):
(JSC::ProxyObject::getCallData):
(JSC::ProxyObject::visitChildren):
* runtime/ProxyObject.h:
(JSC::ProxyObject::create):
* tests/stress/proxy-call.js: Added.
(throw.new.Error.let.target):
(throw.new.Error.let.handler.apply):
(assert.let.target):
(assert.let.handler.get apply):
(let.handler.apply):
(assert.let.handler.apply):

2016-02-19 Csaba Osztrogonác <ossy@webkit.org>

Remove more LLVM related dead code after r196729
https://bugs.webkit.org/show_bug.cgi?id=154387

Reviewed by Filip Pizlo.

* Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
* Configurations/LLVMForJSC.xcconfig: Removed.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
* JavaScriptCore.xcodeproj/project.pbxproj:
* disassembler/X86Disassembler.cpp:

2016-02-19 Joseph Pecoraro <pecoraro@apple.com>

Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
https://bugs.webkit.org/show_bug.cgi?id=154442

Reviewed by Saam Barati.

* runtime/JSString.h:

2016-02-19 Joseph Pecoraro <pecoraro@apple.com>

Remove unused SymbolTable::createNameScopeTable
https://bugs.webkit.org/show_bug.cgi?id=154443

Reviewed by Saam Barati.

* runtime/SymbolTable.h:
2016-02-18 Benjamin Poulain <bpoulain@apple.com>

[JSC] Improve the instruction selection of Select
https://bugs.webkit.org/show_bug.cgi?id=154432

Reviewed by Filip Pizlo.

Plenty of code but this patch is pretty dumb:
-On ARM64: use the 3 operand form of CSEL instead of forcing a source
to be aliased to the destination. This gives more freedom to the register
allocator and it is one less Move to process per Select.
-On x86, introduce a fake 3 operands form and use aggressive aliasing
to try to alias both sources to the destination.

If aliasing succeeds on the "elseCase", the condition of the Select
is reverted in the MacroAssembler.

If no aliasing is possible and we end up with 3 registers, the missing
move instruction is generated by the MacroAssembler.

The missing move is generated after testing the values because the destination
can use the same register as one of the test operands.
Experimental testing seems to indicate there is no macro-fusion on CMOV,
so there is no measurable cost to having the move there.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::isInvertible):
(JSC::MacroAssembler::invert):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::moveConditionallyDouble):
(JSC::MacroAssemblerARM64::moveConditionallyFloat):
(JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
(JSC::MacroAssemblerARM64::moveConditionally32):
(JSC::MacroAssemblerARM64::moveConditionally64):
(JSC::MacroAssemblerARM64::moveConditionallyTest32):
(JSC::MacroAssemblerARM64::moveConditionallyTest64):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::moveConditionallyDouble):
(JSC::MacroAssemblerX86Common::moveConditionallyFloat):
(JSC::MacroAssemblerX86Common::moveConditionally32):
(JSC::MacroAssemblerX86Common::moveConditionallyTest32):
(JSC::MacroAssemblerX86Common::invert):
(JSC::MacroAssemblerX86Common::isInvertible):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::moveConditionally64):
(JSC::MacroAssemblerX86_64::moveConditionallyTest64):
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::createSelect):
(JSC::B3::Air::LowerToAir::lower):
* b3/air/AirInstInlines.h:
(JSC::B3::Air::Inst::shouldTryAliasingDef):
* b3/air/AirOpcode.opcodes:

2016-02-18 Gyuyoung Kim <gyuyoung.kim@webkit.org>

[CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
https://bugs.webkit.org/show_bug.cgi?id=154430

Reviewed by Saam Barati.

llvm isn't used anymore.

* PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2016-02-18 Saam Barati <sbarati@apple.com>

Implement Proxy.[[HasProperty]]
https://bugs.webkit.org/show_bug.cgi?id=154313

Reviewed by Filip Pizlo.

This patch is a straightforward implementation of
Proxy.[[HasProperty]] with respect to section 9.5.7
of the ECMAScript spec.
https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p

* runtime/ProxyObject.cpp:
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::getOwnPropertySlotCommon):
* runtime/ProxyObject.h:
* tests/stress/proxy-basic.js:
* tests/stress/proxy-has-property.js: Added.
(throw.new.Error.let.handler.get has):
(assert.let.handler.has):
(getOwnPropertyDescriptor):

2016-02-18 Saam Barati <sbarati@apple.com>

Proxies don't properly handle Symbols as PropertyKeys.
https://bugs.webkit.org/show_bug.cgi?id=154385

Reviewed by Mark Lam and Yusuke Suzuki.

We were converting all PropertyKeys to strings, even when
the PropertyName was a Symbol. In the spec, PropertyKeys are
either a Symbol or a String. We now respect that in Proxy.[[Get]] and
Proxy.[[GetOwnProperty]].

* runtime/Completion.cpp:
(JSC::profiledEvaluate):
(JSC::createSymbolForEntryPointModule):
(JSC::identifierToJSValue): Deleted.
* runtime/Identifier.h:
* runtime/IdentifierInlines.h:
(JSC::Identifier::fromString):
(JSC::identifierToJSValue):
(JSC::identifierToSafePublicJSValue):
* runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
* tests/stress/proxy-basic.js:
(let.handler.getOwnPropertyDescriptor):

2016-02-18 Saam Barati <sbarati@apple.com>

Follow up fix to Implement Proxy.[[GetOwnProperty]]
https://bugs.webkit.org/show_bug.cgi?id=154314

Reviewed by Filip Pizlo.

Part of the implementation was broken because
of how JSObject::getOwnPropertyDescriptor worked.
I've fixed JSObject::getOwnPropertyDescriptor to
be able to handle ProxyObject.

* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
* tests/stress/proxy-get-own-property.js:
(assert.let.handler.get getOwnPropertyDescriptor):

2016-02-18 Saam Barati <sbarati@apple.com>

Implement Proxy.[[GetOwnProperty]]
https://bugs.webkit.org/show_bug.cgi?id=154314

Reviewed by Filip Pizlo.

This patch implements Proxy.[[GetOwnProperty]].
It's a straightforward implementation as described
in section 9.5.5 of the specification:
http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p

* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncBind):
* runtime/JSObject.cpp:
(JSC::validateAndApplyPropertyDescriptor):
(JSC::JSObject::defineOwnNonIndexProperty):
(JSC::JSObject::defineOwnProperty):
(JSC::JSObject::getGenericPropertyNames):
(JSC::JSObject::getMethod):
* runtime/JSObject.h:
(JSC::JSObject::butterflyAddress):
(JSC::makeIdentifier):
* runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::getOwnPropertySlotCommon):
(JSC::ProxyObject::getOwnPropertySlot):
(JSC::ProxyObject::getOwnPropertySlotByIndex):
(JSC::ProxyObject::visitChildren):
* runtime/ProxyObject.h:
* tests/stress/proxy-basic.js:
(let.handler.get null):
* tests/stress/proxy-get-own-property.js: Added.
(throw.new.Error.let.handler.getOwnPropertyDescriptor):
(let.handler.getOwnPropertyDescriptor):
(assert.let.handler.getOwnPropertyDescriptor):
2016-02-18 Andreas Kling <akling@apple.com>

JSString resolution of substrings should use StringImpl sharing optimization.
<https://webkit.org/b/154068>
<rdar://problem/24629358>

Reviewed by Antti Koivisto.

When resolving a JSString that's actually a substring of another JSString,
use the StringImpl sharing optimization to create a new string pointing into
the parent one, instead of copying out the bytes of the string.

This dramatically reduces peak memory usage on Gerrit diff viewer pages.

Another approach to this would be to induce GC far more frequently due to
the added cost of copying out these substrings. It would reduce the risk
of prolonging the life of strings only kept alive by substrings.

This patch chooses to trade that risk for less GC and lower peak memory.

* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRope):

2016-02-18 Chris Dumez <cdumez@apple.com>

Crash on SES selftest page when loading the page while WebInspector is open
https://bugs.webkit.org/show_bug.cgi?id=154378
<rdar://problem/24713422>

Reviewed by Mark Lam.

Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
returns early again if it detects that getOwnPropertySlot() returns a
non-own property. This check was removed in r196676 because we assumed that
only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as

Not having the check would lead to crashes when using the debugger because
we would get a slot with the CustomAccessor attribute but getDirect() would
then fail to return the property (because it is not an own property). We
would then cast the value returned by getDirect() to a CustomGetterSetter*

* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):

2016-02-18 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2016-02-18 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix CMake build. This got messed up when rebasing.

2016-02-18 Csaba Osztrogonác <ossy@webkit.org>

Fix the !ENABLE(DFG_JIT) build after r195865
https://bugs.webkit.org/show_bug.cgi?id=154391

Reviewed by Filip Pizlo.

* runtime/SamplingProfiler.cpp:
(JSC::tryGetBytecodeIndex):
2016-02-17 Filip Pizlo <fpizlo@apple.com>

Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
https://bugs.webkit.org/show_bug.cgi?id=154383

Reviewed by Saam Barati.

I did a grep -i llvm of all of our code and did one of the following for each occurrence:

- Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL

- Removed the reference because I found it to be dead. In some cases it was a dead
comment: it was telling us things about what LLVM did and that's just not relevant
anymore. In other cases it was dead code that I forgot to delete in a previous patch.

- Edited the comment in some smart way. There were comments talking about what LLVM did
that were still of interest. In some cases, I added a FIXME to consider changing the
code below the comment on the grounds that it was written in a weird way to placate
LLVM and so we can do it better now.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGOSRAvailabilityAnalysisPhase.h:
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::compileTimeStats):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSSAConversionPhase.h:
* dfg/DFGStaticExecutionCountEstimationPhase.h:
* dfg/DFGUnificationPhase.cpp:
(JSC::DFG::UnificationPhase::run):
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble): Deleted.
* disassembler/X86Disassembler.cpp:
(JSC::tryToDisassemble):
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::IndexedAbstractHeap::initialize):
* ftl/FTLAbstractHeap.h:
* ftl/FTLFormattedValue.h:
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::restoreInto):
* ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
(JSC::FTL::DFG::ftlUnreachable):
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::compileBlock):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
(JSC::FTL::DFG::LowerDFGToB3::isBoolean):
(JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
(JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
(JSC::FTL::lowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
(JSC::FTL::lowerDFGToLLVM): Deleted.
* ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
* ftl/FTLLowerDFGToLLVM.cpp: Removed.
* ftl/FTLLowerDFGToLLVM.h: Removed.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::Weight::frequencyClass):
(JSC::FTL::Weight::inverse):
(JSC::FTL::Weight::scaleToTotal): Deleted.
* ftl/FTLWeightedTarget.h:
* jit/CallFrameShuffler64.cpp:
(JSC::CallFrameShuffler::emitDisplace):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::ftlCalleeSaveRegisters):
* llvm/InitializeLLVMLinux.cpp: Removed.
* llvm/InitializeLLVMWin.cpp: Removed.
* llvm/library: Removed.
* llvm/library/LLVMTrapCallback.h: Removed.
* llvm/library/libllvmForJSC.version: Removed.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
(JSC::Options::initialize):
* runtime/Options.h:
* wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
* wasm/WASMFunctionLLVMIRGenerator.h: Removed.
* wasm/WASMFunctionParser.cpp:

2016-02-18 Csaba Osztrogonác <ossy@webkit.org>

[cmake] Build system cleanup
https://bugs.webkit.org/show_bug.cgi?id=154337

Reviewed by Žan Doberšek.

2016-02-17 Mark Lam <mark.lam@apple.com>

Callers of JSString::value() should check for exceptions thereafter.
https://bugs.webkit.org/show_bug.cgi?id=154346

Reviewed by Geoffrey Garen.

JSString::value() can throw an exception if the JS string is a rope and value()
needs to resolve the rope but encounters an OutOfMemory error. If value() is not
able to resolve the rope, it will return a null string (in addition to throwing
the exception). If a caller does not check for exceptions after calling
JSString::value(), they may eventually use the returned null string and crash the

The fix is to add all the necessary exception checks, and do the appropriate

(functionCheckSyntax):
(functionLoadWebAssembly):
(functionLoadModule):
(functionCheckModuleSyntax):
* runtime/DateConstructor.cpp:
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* tools/JSDollarVMPrototype.cpp:
(JSC::functionPrint):
2016-02-17 Benjamin Poulain <bpoulain@apple.com>

[JSC] ARM64: Support the immediate format used for bit operations in Air
https://bugs.webkit.org/show_bug.cgi?id=154327

Reviewed by Filip Pizlo.

ARM64 supports a pretty rich form of immediates for bit operations.
There are two formats used to encode repeating patterns and common
input in a dense form.

In this patch, I add two new types of Arg: BitImm32 and BitImm64.
These represent the valid immediate forms for bit operations.
On x86, any 32-bit value is valid. On ARM64, all the encoding
forms are tried and the immediate is used when possible.

The arg type Imm64 is renamed to BigImm to better represent what
it is: an immediate that does not fit into Imm.

* assembler/ARM64Assembler.h:
(JSC::LogicalImmediate::create32): Deleted.
(JSC::LogicalImmediate::create64): Deleted.
(JSC::LogicalImmediate::value): Deleted.
(JSC::LogicalImmediate::isValid): Deleted.
(JSC::LogicalImmediate::is64bit): Deleted.
(JSC::LogicalImmediate::LogicalImmediate): Deleted.
(JSC::LogicalImmediate::mask): Deleted.
(JSC::LogicalImmediate::partialHSB): Deleted.
(JSC::LogicalImmediate::highestSetBit): Deleted.
(JSC::LogicalImmediate::findBitRange): Deleted.
(JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
* assembler/AssemblerCommon.h:
(JSC::ARM64LogicalImmediate::create32):
(JSC::ARM64LogicalImmediate::create64):
(JSC::ARM64LogicalImmediate::value):
(JSC::ARM64LogicalImmediate::isValid):
(JSC::ARM64LogicalImmediate::is64bit):
(JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
(JSC::ARM64LogicalImmediate::mask):
(JSC::ARM64LogicalImmediate::partialHSB):
(JSC::ARM64LogicalImmediate::highestSetBit):
(JSC::ARM64LogicalImmediate::findBitRange):
(JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::and64):
(JSC::MacroAssemblerARM64::or64):
(JSC::MacroAssemblerARM64::xor64):
* b3/B3LowerToAir.cpp:
(JSC::B3::Air::LowerToAir::bitImm):
(JSC::B3::Air::LowerToAir::bitImm64):
(JSC::B3::Air::LowerToAir::appendBinOp):
* b3/air/AirArg.cpp:
(JSC::B3::Air::Arg::dump):
(WTF::printInternal):
(JSC::B3::Air::Arg::bitImm):
(JSC::B3::Air::Arg::bitImm64):
(JSC::B3::Air::Arg::isBitImm):
(JSC::B3::Air::Arg::isBitImm64):
(JSC::B3::Air::Arg::isSomeImm):
(JSC::B3::Air::Arg::value):
(JSC::B3::Air::Arg::isGP):
(JSC::B3::Air::Arg::isFP):
(JSC::B3::Air::Arg::hasType):
(JSC::B3::Air::Arg::isValidBitImmForm):
(JSC::B3::Air::Arg::isValidBitImm64Form):
(JSC::B3::Air::Arg::isValidForm):
(JSC::B3::Air::Arg::asTrustedImm32):
(JSC::B3::Air::Arg::asTrustedImm64):
* b3/air/AirOpcode.opcodes:
* b3/air/opcode_generator.rb:

2016-02-17 Keith Miller <keith_miller@apple.com>

Spread operator should be allowed when not the first argument of parameter list
https://bugs.webkit.org/show_bug.cgi?id=152721

Reviewed by Saam Barati.

Spread arguments to functions should now be ES6 compliant. Before we
would only take a spread operator if it was the sole argument to a
function. Additionally, we would not use the Symbol.iterator on the
object to generate the arguments. Instead we would do a loop up to the
length mapping indexed properties to the corresponding argument. We fix
both these issues by doing an AST transformation from foo(...a, b, ...c, d)
to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
old spread semantics). This solution has the downside of requiring the
allocation of another object and copying each element twice but avoids a
large change to the vm calling convention.

* interpreter/Interpreter.cpp:
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createElementList):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseArguments):
(JSC::Parser<LexerType>::parseArgument):
(JSC::Parser<LexerType>::parseMemberExpression):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createElementList):
* tests/stress/spread-calling.js: Added.
(otherIterator.return.next):
(throwingIter.return.next):
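The difference between the two spread semantics described in the entry above, as an added JavaScript example that is not part of the WebKit commit or its spread-calling.js test. `legacySpreadToArray` emulates the old index-loop-up-to-length behaviour, `es6SpreadToArray` is the Symbol.iterator behaviour, and `callWithMixedSpread` performs the `foo(...a, b, ...c, d)` to `foo(...[...a, b, ...c, d])` rewrite at the source level; the `disagreeing` and `arrayLike` objects are constructed test inputs.

```javascript
// Added example (not WebKit code): contrasts the pre-fix spread semantics
// (index loop up to .length, Symbol.iterator ignored) with ES6 semantics
// (Symbol.iterator consulted, non-iterables rejected), and shows the
// foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]) rewrite in plain JS.

// Emulation of the old behaviour: read indexed properties 0..length-1.
function legacySpreadToArray(obj) {
  const out = [];
  const len = Number(obj.length) || 0;
  for (let i = 0; i < len; i++) out.push(obj[i]);
  return out;
}

// ES6 behaviour: the array spread consults Symbol.iterator and throws a
// TypeError for objects that are not iterable.
function es6SpreadToArray(obj) {
  return [...obj];
}

// Constructed iterable whose indexed properties disagree with its iterator,
// so the two semantics give visibly different argument lists.
const disagreeing = {
  length: 2,
  0: 'idx0',
  1: 'idx1',
  *[Symbol.iterator]() { yield 'iter0'; yield 'iter1'; yield 'iter2'; },
};

// Constructed array-like with no Symbol.iterator: the old loop accepts it,
// ES6 spread rejects it.
const arrayLike = { length: 2, 0: 'a', 1: 'b' };

// The rewrite the entry describes: the mixed argument list becomes a single
// spread of a freshly built array, so the callee sees one flat list.
function callWithMixedSpread(fn, a, b, c, d) {
  const flattened = [...a, b, ...c, d];
  return fn(...flattened);
}

function collect(...args) { return args; }

function demo() {
  const results = {
    legacy: legacySpreadToArray(disagreeing),
    es6: es6SpreadToArray(disagreeing),
    legacyArrayLike: legacySpreadToArray(arrayLike),
    es6ArrayLikeThrows: false,
    mixed: callWithMixedSpread(collect, [1, 2], 3, new Set([4, 5]), 6),
  };
  try {
    es6SpreadToArray(arrayLike);
  } catch (e) {
    results.es6ArrayLikeThrows = e instanceof TypeError;
  }
  return results;
}
```

Running `demo()` shows that the old loop yields the indexed values while ES6 spread yields what the iterator produces, that a bare array-like is only accepted by the old loop, and that the rewritten call delivers the flattened list `[1, 2, 3, 4, 5, 6]` to the callee.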

2016-02-17 Brian Burg <bburg@apple.com>

Remove a wrong cast in RemoteInspector::receivedSetupMessage
https://bugs.webkit.org/show_bug.cgi?id=154361
<rdar://problem/24709281>

Reviewed by Joseph Pecoraro.

* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::receivedSetupMessage):
Not only is this cast unnecessary (the constructor accepts the base class),
but it is wrong since the target could be an automation target. Remove it.

2016-02-17 Filip Pizlo <fpizlo@apple.com>

Rename FTLB3Blah to FTLBlah
https://bugs.webkit.org/show_bug.cgi?id=154365

Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.

* JavaScriptCore.xcodeproj/project.pbxproj:
* ftl/FTLB3Compile.cpp: Removed.
* ftl/FTLB3Output.cpp: Removed.
* ftl/FTLB3Output.h: Removed.
* ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
* ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
* ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.

2016-02-17 Filip Pizlo <fpizlo@apple.com>

Remove LLVM dependencies from WebKit
https://bugs.webkit.org/show_bug.cgi?id=154323

Reviewed by Antti Koivisto and Benjamin Poulain.

We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
LLVM-related code dead, including the disassembler, which was only reachable when you were on
a platform that already had an in-tree disassembler.

* JavaScriptCore.xcodeproj/project.pbxproj:
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::compileTimeStats):
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble):
* disassembler/ARMv7Disassembler.cpp:
(JSC::tryToDisassemble):
* disassembler/Disassembler.cpp:
(JSC::disassembleAsynchronously):
* disassembler/Disassembler.h:
(JSC::tryToDisassemble):
* disassembler/LLVMDisassembler.cpp: Removed.
* disassembler/LLVMDisassembler.h: Removed.
* disassembler/UDis86Disassembler.cpp:
(JSC::tryToDisassembleWithUDis86):
* disassembler/UDis86Disassembler.h:
(JSC::tryToDisassembleWithUDis86):
* disassembler/X86Disassembler.cpp:
(JSC::tryToDisassemble):
* ftl/FTLAbbreviatedTypes.h:
* ftl/FTLAbbreviations.h: Removed.
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::AbstractHeap::decorateInstruction):
(JSC::FTL::AbstractHeap::dump):
(JSC::FTL::AbstractField::dump):
(JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
(JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
(JSC::FTL::IndexedAbstractHeap::baseIndex):
(JSC::FTL::IndexedAbstractHeap::dump):
(JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
(JSC::FTL::NumberedAbstractHeap::dump):
(JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
(JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
* ftl/FTLAbstractHeap.h:
(JSC::FTL::AbstractHeap::AbstractHeap):
(JSC::FTL::AbstractHeap::heapName):
(JSC::FTL::IndexedAbstractHeap::atAnyIndex):
(JSC::FTL::NumberedAbstractHeap::atAnyNumber):
(JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
(JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLB3Compile.cpp:
* ftl/FTLB3Output.cpp:
(JSC::FTL::Output::Output):
(JSC::FTL::Output::check):
(JSC::FTL::Output::load):
(JSC::FTL::Output::store):
* ftl/FTLB3Output.h:
* ftl/FTLCommonValues.cpp:
(JSC::FTL::CommonValues::CommonValues):
(JSC::FTL::CommonValues::initializeConstants):
* ftl/FTLCommonValues.h:
(JSC::FTL::CommonValues::initialize): Deleted.
* ftl/FTLCompile.cpp: Removed.
* ftl/FTLCompileBinaryOp.cpp: Removed.
* ftl/FTLCompileBinaryOp.h: Removed.
* ftl/FTLDWARFDebugLineInfo.cpp: Removed.
* ftl/FTLDWARFDebugLineInfo.h: Removed.
* ftl/FTLDWARFRegister.cpp: Removed.
* ftl/FTLDWARFRegister.h: Removed.
* ftl/FTLDataSection.cpp: Removed.
* ftl/FTLDataSection.h: Removed.
* ftl/FTLExceptionHandlerManager.cpp: Removed.
* ftl/FTLExceptionHandlerManager.h: Removed.
* ftl/FTLExceptionTarget.cpp:
* ftl/FTLExceptionTarget.h:
* ftl/FTLExitThunkGenerator.cpp: Removed.
* ftl/FTLExitThunkGenerator.h: Removed.
* ftl/FTLInlineCacheDescriptor.h: Removed.
* ftl/FTLInlineCacheSize.cpp: Removed.
* ftl/FTLInlineCacheSize.h: Removed.
* ftl/FTLIntrinsicRepository.cpp: Removed.
* ftl/FTLIntrinsicRepository.h: Removed.
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::~JITCode):
(JSC::FTL::JITCode::initializeB3Code):
(JSC::FTL::JITCode::initializeB3Byproducts):
(JSC::FTL::JITCode::initializeAddressForCall):
(JSC::FTL::JITCode::contains):
(JSC::FTL::JITCode::ftl):
(JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
(JSC::FTL::JITCode::initializeExitThunks): Deleted.
(JSC::FTL::JITCode::addHandle): Deleted.
(JSC::FTL::JITCode::addDataSection): Deleted.
(JSC::FTL::JITCode::exitThunks): Deleted.
(JSC::FTL::JITCode::b3Code):
(JSC::FTL::JITCode::handles): Deleted.
(JSC::FTL::JITCode::dataSections): Deleted.
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::codeSize):
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLJITFinalizer.h:
* ftl/FTLJSCall.cpp: Removed.
* ftl/FTLJSCall.h: Removed.
* ftl/FTLJSCallBase.cpp: Removed.
* ftl/FTLJSCallBase.h: Removed.
* ftl/FTLJSCallVarargs.cpp: Removed.
* ftl/FTLJSCallVarargs.h: Removed.
* ftl/FTLJSTailCall.cpp: Removed.
* ftl/FTLJSTailCall.h: Removed.
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::LazySlowPath):
(JSC::FTL::LazySlowPath::generate):