2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support MapSet / SetAdd intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=179858

        Reviewed by Saam Barati.

        Map.prototype.set and Set.prototype.add use the MapHash value anyway.
        By handling them as MapSet and SetAdd DFG nodes and decoupling
        MapSet and SetAdd nodes from the MapHash DFG node, we have a chance to
        remove duplicate MapHash calculation for the same key.

        One story is *set-if-not-exists*.

        In the above code, both `has` and `set` require a hash value for `key`.
        If we can change `set` to the series of DFG nodes:

        2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)

        we can remove the duplicate @1 produced by the `has` operation.

        This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively,

        map-set.es6         246.2413+-15.2084    ^    204.3679+-11.2408    ^ definitely 1.2049x faster
        map-set-object.es6  266.5075+-17.2289    ^    221.2792+-12.2948    ^ definitely 1.2044x faster

        map-has-and-set     148.1522+-7.6665     ^    131.4552+-7.8846     ^ definitely 1.1270x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):
        * runtime/Intrinsic.cpp:
        * runtime/Intrinsic.h:
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Allow poly proto for intrinsic getters
        https://bugs.webkit.org/show_bug.cgi?id=179550

        Reviewed by Saam Barati.

        This patch allows intrinsic getters to accept poly proto.
        We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
        poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
        code for poly proto case.

        * bytecode/IntrinsicGetterAccessCase.cpp:
        (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
        (JSC::IntrinsicGetterAccessCase::create):
        * bytecode/IntrinsicGetterAccessCase.h:
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        (JSC::tryCacheGetByID):
2017-11-20  Don Olmstead  <don.olmstead@sony.com>

        Detect __declspec within JSBase.h
        https://bugs.webkit.org/show_bug.cgi?id=179892

        Reviewed by Darin Adler.

2017-11-19  Tim Horton  <timothy_horton@apple.com>

        Remove unused TOUCH_ICON_LOADING feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179873

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add CPU(UNKNOWN) to cover all the unknown CPU types
        https://bugs.webkit.org/show_bug.cgi?id=179243

        Reviewed by JF Bastien.

2017-11-19  Tim Horton  <timothy_horton@apple.com>

        Remove unused LEGACY_VENDOR_PREFIXES feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179872

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2017-11-18  Tim Horton  <timothy_horton@apple.com>

        Fix typos in closing ENABLE() comments
        https://bugs.webkit.org/show_bug.cgi?id=179869

        * wasm/WasmMemoryMode.h:

2017-11-17  JF Bastien  <jfbastien@apple.com>

        NFC update ClassInfo to C++14
        https://bugs.webkit.org/show_bug.cgi?id=179783

        Reviewed by Mark Lam.

        Forked from #179734, use `using` instead of `typedef`. It's easier

        * runtime/ClassInfo.h:
2017-11-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: throw when a promise can't be created
        https://bugs.webkit.org/show_bug.cgi?id=179826
        <rdar://problem/35455813>

        Reviewed by Mark Lam.

        Failure *in* a promise causes rejection, but failure to create a
        promise (because of stack overflow) isn't really spec'd (as all
        stack things JS). This applies to WebAssembly.compile and
        WebAssembly.instantiate.

        Dan's current proposal says:

        https://littledan.github.io/spec/document/js-api/index.html#stack-overflow

            Whenever a stack overflow occurs in WebAssembly code, the same
            class of exception is thrown as for a stack overflow in
            JavaScript. The particular exception here is
            implementation-defined in both cases.

            Note: ECMAScript doesn't specify any sort of behavior on stack
            overflow; implementations have been observed to throw RangeError,
            InternalError or Error. Any is valid here.

        This is for general stack overflow within WebAssembly, not
        specifically for promise creation within JavaScript, but it seems
        like a stack overflow in promise creation should follow the same
        rule instead of, say, swallowing the overflow and returning

        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::webAssemblyInstantiateFunc):
2017-11-16  Daniel Bates  <dabates@apple.com>

        Add feature define for alternative presentation button element
        https://bugs.webkit.org/show_bug.cgi?id=179692
        Part of <rdar://problem/34917108>

        Reviewed by Andy Estes.

        Only enabled on Cocoa platforms by default.

        * Configurations/FeatureDefines.xcconfig:

2017-11-16  Saam Barati  <sbarati@apple.com>

        Fix a bug with cpuid in the FTL.

        Rubber stamped by Mark Lam.

        Before uploading the previous patch, I tried to condense the code. I
        accidentally removed a crucial line saying that CPUID clobbers various

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2017-11-16  Saam Barati  <sbarati@apple.com>

        Add some X86 intrinsics to $vm to help with some perf testing
        https://bugs.webkit.org/show_bug.cgi?id=179693

        Reviewed by Mark Lam.

        I've been doing some local perf testing of various ideas and have
        had these come in handy. I'm going to land them to dollarVM to prevent
        having to add them to my local build every time I do perf testing.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::mfence):
        (JSC::MacroAssemblerX86Common::rdtsc):
        (JSC::MacroAssemblerX86Common::pause):
        (JSC::MacroAssemblerX86Common::cpuid):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::rdtsc):
        (JSC::X86Assembler::pause):
        (JSC::X86Assembler::cpuid):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Node::intrinsic):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::JSDollarVM::finishCreation):
2017-11-16  JF Bastien  <jfbastien@apple.com>

        It should be easier to reify lazy property names
        https://bugs.webkit.org/show_bug.cgi?id=179734
        <rdar://problem/35492521>

        Reviewed by Keith Miller.

        We reify lazy property names in a few different ways, each
        specific to the JSCell implementation, in put() instead of having
        a special function to do reification. Let's make that simpler.

        This patch makes it easier to reify property names in a uniform
        manner, and does so in JSFunction. As a follow-up I'll use the

        ClonedArguments      callee, iteratorSymbol (Symbol.iterator)
        ErrorConstructor     stackTraceLimit
        ErrorInstance        line, column, sourceURL, stack
        GenericArguments     length, callee, iteratorSymbol (Symbol.iterator)
        GetterSetter         RELEASE_ASSERT_NOT_REACHED()
        RegExpObject         lastIndex

        * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
        * runtime/JSFunction.cpp: `name` and `length` can be reified.
        (JSC::JSFunction::reifyPropertyNameIfNeeded):
        (JSC::JSFunction::put):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyNameIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSFunction.h:
        (JSC::JSFunction::isLazy):
        (JSC::JSFunction::isReified):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal): do the reification here.
2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Provide a runtime option for disabling the optimization of recursive tail calls
        https://bugs.webkit.org/show_bug.cgi?id=179765

        Reviewed by Mark Lam.

        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Fix null pointer dereference in bytecodeDumper
        https://bugs.webkit.org/show_bug.cgi?id=179764

        Reviewed by Mark Lam.

        The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
        https://bugs.webkit.org/show_bug.cgi?id=179763
        <rdar://problem/35550513>

        Reviewed by Keith Miller.

        Fix null pointer dereference caused by an eliminated tdz_check

        The problem was that when doing an OSR entry in DFG while |this| was null
        (because super() had not yet been called in the constructor of this
        subclass), it would be marked as non-null, and the tdz_check eliminated.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):

2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r224863.

        Introduced LayoutTest crashes on iOS Simulator.

        "Move JSONValues to WTF and convert uses of InspectorValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793
        https://trac.webkit.org/changeset/224863
2017-11-14  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix after r224862.
        https://bugs.webkit.org/show_bug.cgi?id=179699

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):

2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Brian Burg.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::castToInteger):
        (Inspector::castToNumber):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
        * inspector/ScriptCallFrame.cpp:
        * inspector/ScriptCallStack.cpp:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_unchecked_setter_for_member):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generator.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2017-11-14  Mark Lam  <mark.lam@apple.com>

        Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179699
        <rdar://problem/35462346>

        Reviewed by Michael Saboff.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        - Need to skip the callee-saved registers

2017-11-14  Guillaume Emont  <guijemont@igalia.com>

        REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
        https://bugs.webkit.org/show_bug.cgi?id=179563

        Reviewed by Carlos Alberto Lopez Perez.

        When run with BranchIfTruncateSuccessful,
        branchTruncateDoubleToInt32() should set the destination register

        This change also removes branchTruncateDoubleToUInt32() as it is
        deprecated (see r160205), merges branchOnTruncateResult() into
        branchTruncateDoubleToInt32() and adds test cases in testmasm.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        Properly set dest before branching.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):
        Add tests for branchTruncateDoubleToInt32().

2017-11-14  Daniel Bates  <dabates@apple.com>

        Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files

        Following r195498 and r201917 the Visual Studio property files for feature defines have
        moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
        Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these

        * Configurations/FeatureDefines.xcconfig:
2017-11-14  Mark Lam  <mark.lam@apple.com>

        Remove JSDollarVMPrototype.
        https://bugs.webkit.org/show_bug.cgi?id=179685

        Reviewed by Saam Barati.

        1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.

           This allows us to call these functions during lldb debugging sessions using
           VMInspector::foo() instead of JSDollarVMPrototype::foo(). It makes sense that
           VMInspector provides VM debugging utility methods. It doesn't make sense to
           have a JSDollarVMPrototype object provide these methods.

           Plus, it's shorter to type VMInspector than JSDollarVMPrototype.

        2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.

           JSDollarVM is a special object used only for debugging purposes. There's no
           gain in requiring its methods to be stored in a prototype object other than to
           conform to typical JS convention. We can remove this complexity.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVM::addFunction):
        (JSC::functionCrash):
        (JSC::functionDFGTrue):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator() const):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionEdenGC):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionPrintSourceFor):
        (JSC::functionPrintBytecodeFor):
        (JSC::functionPrint):
        (JSC::functionPrintCallFrame):
        (JSC::functionPrintStack):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::JSDollarVM::finishCreation):
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::create):
        * tools/JSDollarVMPrototype.cpp: Removed.
        * tools/JSDollarVMPrototype.h: Removed.
        * tools/VMInspector.cpp:
        (JSC::VMInspector::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::VMInspector::gc):
        (JSC::VMInspector::edenGC):
        (JSC::VMInspector::isInHeap):
        (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
        (JSC::CellAddressCheckFunctor::operator() const):
        (JSC::VMInspector::isValidCell):
        (JSC::VMInspector::isValidCodeBlock):
        (JSC::VMInspector::codeBlockForFrame):
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator() const):
        (JSC::VMInspector::printCallFrame):
        (JSC::VMInspector::printStack):
        (JSC::VMInspector::printValue):
        * tools/VMInspector.h:

2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
        https://bugs.webkit.org/show_bug.cgi?id=179640
        <rdar://problem/35517361>

        Reviewed by Devin Rousso.

        * DerivedSources.make:
        Gate the ServiceWorker domain on the ENABLE feature flag.

        * inspector/protocol/ServiceWorker.json: Added.
        New domain to be made available inside of a ServiceWorker target.
2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support Array::DirectArguments with OutOfBounds
        https://bugs.webkit.org/show_bug.cgi?id=179594

        Reviewed by Saam Barati.

        Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
        If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
        `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
        to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
        PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.

        This patch introduces the Array::DirectArguments+OutOfBounds array mode. GetByVal can
        accept this type, and emit optimized code compared to the Array::Generic case.

        We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) take an OutOfBounds
        exit instead of ExoticObjectMode.

        This change significantly improves SixSpeed rest.es5 since it uses OOB access.
        Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.

        rest.es5    59.6719+-2.2440    ^    3.1634+-0.5507    ^ definitely 18.8635x faster

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2017-11-14  Saam Barati  <sbarati@apple.com>

        We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=179639
        <rdar://problem/35513018>

        Reviewed by JF Bastien.

        Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
        walk the stack for ShadowChicken (and maybe other things). We weren't updating
        topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
        use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
        this bug by giving Wasm::Instance a lambda that is called when we need to store
        the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
        Currently, JSWebAssemblyInstance passes in a lambda that stores to

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::storeTopCallFrame):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyPrototype.cpp:
2017-11-13  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
        https://bugs.webkit.org/show_bug.cgi?id=179203

        Reviewed by Yusuke Suzuki.

        This patch only removes the pointer caging for the described types in the title.
        These types still allocate out of the gigacage. This is just a cost vs. benefit
        tradeoff of performance vs. security.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::storage):
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
        * runtime/HashMapImpl.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::variables):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::overflowStorage const):
2017-11-08  Keith Miller  <keith_miller@apple.com>

        Async iteration should only fetch the next method once and add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179451

        Reviewed by Geoffrey Garen.

        Add feature flag for Async iteration. Also, change async iteration to match
        the expected behavior of the proposal.

        * Configurations/FeatureDefines.xcconfig:
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetAsyncIterator):

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Add more overflow check book-keeping for MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=179634
        <rdar://problem/35492517>

        Reviewed by Saam Barati.

        (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
        (JSC::JSJobMicrotask::run):
        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):

2017-11-13  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
        https://bugs.webkit.org/show_bug.cgi?id=179542

        Reviewed by Alex Christensen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell loadGetterFromGetterSetter() function more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179619
        <rdar://problem/35492518>

        Reviewed by Saam Barati.

        (functionLoadGetterFromGetterSetter):
2017-11-12  Darin Adler  <darin@apple.com>

        More is<> and downcast<>, less static_cast<>
        https://bugs.webkit.org/show_bug.cgi?id=179600

        Reviewed by Chris Dumez.

        * runtime/JSString.h:
        (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
        (JSC::jsSubstringOfResolved): Ditto.

2017-11-12  Mark Lam  <mark.lam@apple.com>

        We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
        https://bugs.webkit.org/show_bug.cgi?id=179562
        <rdar://problem/35467022>

        Reviewed by Saam Barati.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):

2017-11-11  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Canvas tab: show detailed status during canvas recording
        https://bugs.webkit.org/show_bug.cgi?id=178185
        <rdar://problem/34939862>

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add a `recordingProgress` event that is sent to the frontend that contains all the frame
        payloads since the last Canvas.recordingProgress event and the current buffer usage.

        * inspector/protocol/Recording.json:
        Remove the required `frames` parameter from the Recording protocol object, as they will be
        sent in batches via the Canvas.recordingProgress event.

2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Make http status codes be "integer" instead of "number" in protocol
        https://bugs.webkit.org/show_bug.cgi?id=179543

        Reviewed by Antoine Quint.

        * inspector/protocol/Network.json:
        Use a better type for the status code.

2017-11-10  Robin Morisset  <rmorisset@apple.com>

        The memory consumption of DFG::BasicBlock can be easily reduced a bit
        https://bugs.webkit.org/show_bug.cgi?id=179528

        Reviewed by Saam Barati.

        - Reordering some fields of DFG::BasicBlock to reduce padding
        - Making the enum fields that are glorified booleans fit into a u8
        - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
          This change works because we never increase the number of arguments after allocating an Operands object.
          It lets us avoid one extra capacity field and one extra pointer field per Operands,
          and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
          Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
          we have a chance to avoid an allocation.
        - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.

        * bytecode/Operands.h:
        (JSC::Operands::Operands):
        (JSC::Operands::numberOfArguments const):
        (JSC::Operands::numberOfLocals const):
901 (JSC::Operands::argument):
902 (JSC::Operands::argument const):
903 (JSC::Operands::local):
904 (JSC::Operands::local const):
905 (JSC::Operands::ensureLocals):
906 (JSC::Operands::setLocal):
907 (JSC::Operands::getLocal):
908 (JSC::Operands::setArgumentFirstTime):
909 (JSC::Operands::setLocalFirstTime):
910 (JSC::Operands::operand):
911 (JSC::Operands::setOperand):
912 (JSC::Operands::size const):
913 (JSC::Operands::at const):
915 (JSC::Operands::isArgument const):
916 (JSC::Operands::isVariable const):
917 (JSC::Operands::virtualRegisterForIndex const):
918 (JSC::Operands::fill):
919 (JSC::Operands::operator== const):
920 (JSC::Operands::argumentForIndex const): Deleted.
921 (JSC::Operands::variableForIndex const): Deleted.
922 (JSC::Operands::indexForOperand const): Deleted.
923 * dfg/DFGBasicBlock.cpp:
924 (JSC::DFG::BasicBlock::BasicBlock):
925 * dfg/DFGBasicBlock.h:
926 * dfg/DFGBranchDirection.h:
927 * dfg/DFGStructureClobberState.h:
929 2017-11-09 Yusuke Suzuki <utatane.tea@gmail.com>
931 [JSC] Retry module fetching if previous request fails
932 https://bugs.webkit.org/show_bug.cgi?id=178168
934 Reviewed by Saam Barati.
936 According to the latest spec, the failed fetching operation can be retried if it is requested again.
939 <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
940 <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
942 When performing the first module fetching, integrity check fails, and the load of this module fails.
943 But when loading the second module, we do not use the cached failure result in the first module loading.
944 We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
945 This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
947 Interestingly, fetching result and instantiation result will be cached if they succeed. This is because we would
948 like to cache modules based on their URLs. As a result,
950 <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
951 <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
953 In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
954 instantiation are cached in the module pipeline.
956 This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
957 failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
958 if the previous one fails. As an overview of our change,
960 1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
961 be unified. But if currently executing one fails, other attempts should retry fetching.
963 2. Instantiation should be cached if fetching succeeds.
965 3. Satisfying should be cached if it succeeds.
967 [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
969 * builtins/ModuleLoaderPrototype.js:
971 (requestInstantiate):
975 * runtime/JSGlobalObject.cpp:
976 (JSC::JSGlobalObject::init):
978 2017-11-09 Devin Rousso <webkit@devinrousso.com>
980 Web Inspector: support undo/redo of insertAdjacentHTML
981 https://bugs.webkit.org/show_bug.cgi?id=179283
983 Reviewed by Joseph Pecoraro.
985 * inspector/protocol/DOM.json:
986 Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
989 2017-11-09 Joseph Pecoraro <pecoraro@apple.com>
991 Web Inspector: Make domain availability a list of types instead of a single type
992 https://bugs.webkit.org/show_bug.cgi?id=179457
994 Reviewed by Brian Burg.
996 * inspector/scripts/codegen/generate_js_backend_commands.py:
997 (JSBackendCommandsGenerator.generate_domain):
998 Update output of `InspectorBackend.activateDomain` to include the list.
1000 * inspector/scripts/codegen/models.py:
1001 (Protocol.parse_domain):
1002 Parse `availability` as a list and include a new supported value of "service-worker".
1004 * inspector/protocol/ApplicationCache.json:
1005 * inspector/protocol/CSS.json:
1006 * inspector/protocol/Canvas.json:
1007 * inspector/protocol/DOM.json:
1008 * inspector/protocol/DOMDebugger.json:
1009 * inspector/protocol/DOMStorage.json:
1010 * inspector/protocol/Database.json:
1011 * inspector/protocol/IndexedDB.json:
1012 * inspector/protocol/LayerTree.json:
1013 * inspector/protocol/Memory.json:
1014 * inspector/protocol/Network.json:
1015 * inspector/protocol/Page.json:
1016 * inspector/protocol/Timeline.json:
1017 * inspector/protocol/Worker.json:
1018 Update `availability` to be a list.
1020 * inspector/scripts/tests/generic/domain-availability.json:
1021 * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1022 * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
1023 * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
1024 * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
1025 * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1026 * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1027 Update tests to include a test for the type and an invalid value.
1029 2017-11-03 Yusuke Suzuki <utatane.tea@gmail.com>
1031 [JSC][JIT] Clean up SlowPathCall stubs
1032 https://bugs.webkit.org/show_bug.cgi?id=179247
1034 Reviewed by Saam Barati.
1036 We have a bunch of duplicate functions that just call a slow path function.
1037 This patch cleans up the above duplication.
1040 (JSC::JIT::emitSlowCaseCall):
1041 (JSC::JIT::privateCompileSlowCases):
1043 * jit/JITArithmetic.cpp:
1044 (JSC::JIT::emitSlow_op_unsigned): Deleted.
1045 (JSC::JIT::emitSlow_op_inc): Deleted.
1046 (JSC::JIT::emitSlow_op_dec): Deleted.
1047 (JSC::JIT::emitSlow_op_bitand): Deleted.
1048 (JSC::JIT::emitSlow_op_bitor): Deleted.
1049 (JSC::JIT::emitSlow_op_bitxor): Deleted.
1050 (JSC::JIT::emitSlow_op_lshift): Deleted.
1051 (JSC::JIT::emitSlow_op_rshift): Deleted.
1052 (JSC::JIT::emitSlow_op_urshift): Deleted.
1053 (JSC::JIT::emitSlow_op_div): Deleted.
1054 * jit/JITArithmetic32_64.cpp:
1055 (JSC::JIT::emitSlow_op_unsigned): Deleted.
1056 (JSC::JIT::emitSlow_op_inc): Deleted.
1057 (JSC::JIT::emitSlow_op_dec): Deleted.
1058 * jit/JITOpcodes.cpp:
1059 (JSC::JIT::emitSlow_op_create_this): Deleted.
1060 (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1061 (JSC::JIT::emitSlow_op_to_this): Deleted.
1062 (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1063 (JSC::JIT::emitSlow_op_not): Deleted.
1064 (JSC::JIT::emitSlow_op_stricteq): Deleted.
1065 (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1066 (JSC::JIT::emitSlow_op_to_number): Deleted.
1067 (JSC::JIT::emitSlow_op_to_string): Deleted.
1068 (JSC::JIT::emitSlow_op_to_object): Deleted.
1069 (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1070 (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
1071 * jit/JITOpcodes32_64.cpp:
1072 (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1073 (JSC::JIT::emitSlow_op_not): Deleted.
1074 (JSC::JIT::emitSlow_op_stricteq): Deleted.
1075 (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1076 (JSC::JIT::emitSlow_op_to_number): Deleted.
1077 (JSC::JIT::emitSlow_op_to_string): Deleted.
1078 (JSC::JIT::emitSlow_op_to_object): Deleted.
1079 (JSC::JIT::emitSlow_op_create_this): Deleted.
1080 (JSC::JIT::emitSlow_op_to_this): Deleted.
1081 (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1082 (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1083 * jit/JITPropertyAccess.cpp:
1084 (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1085 * jit/JITPropertyAccess32_64.cpp:
1086 (JSC::JIT::emit_op_resolve_scope):
1087 (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1088 * jit/SlowPathCall.h:
1089 (JSC::JITSlowPathCall::JITSlowPathCall):
1090 * runtime/CommonSlowPaths.cpp:
1091 (JSC::SLOW_PATH_DECL):
1092 * runtime/CommonSlowPaths.h:
1094 2017-11-09 Guillaume Emont <guijemont@igalia.com>
1096 [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
1097 https://bugs.webkit.org/show_bug.cgi?id=179446
1099 Reviewed by Žan Doberšek.
1101 The trunc.w.d mips instruction should give a 0x7fffffff result when
1102 the source value is Infinity, NaN, or rounds to an integer outside the
1103 range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
1104 branchTruncateDoubleToUInt32() have been relying on. It turns out that
1105 this assumption is not true on some CPUs, including on the ci20 on
1106 which we run the testbot (we get 0x80000000 instead). We should use the
1107 invalid operation cause bit instead to check whether the source value
1108 could be properly truncated. This requires the addition of the cfc1
1109 instruction, as well as the special registers that can be used with it
1110 (control registers of CP1).
1112 * assembler/MIPSAssembler.h:
1113 (JSC::MIPSAssembler::firstSPRegister):
1114 (JSC::MIPSAssembler::lastSPRegister):
1115 (JSC::MIPSAssembler::numberOfSPRegisters):
1116 (JSC::MIPSAssembler::sprName):
1117 Added control registers of CP1.
1118 (JSC::MIPSAssembler::cfc1):
1120 * assembler/MacroAssemblerMIPS.h:
1121 (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
1122 (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
1123 (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
1124 Use fcsr to check if the value could be properly truncated.
1126 2017-11-08 Jeremy Jones <jeremyj@apple.com>
1128 HTMLMediaElement should not use element fullscreen on iOS
1129 https://bugs.webkit.org/show_bug.cgi?id=179418
1130 rdar://problem/35409277
1132 Reviewed by Eric Carlson.
1134 Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
1136 * Configurations/FeatureDefines.xcconfig:
1138 2017-11-08 Joseph Pecoraro <pecoraro@apple.com>
1140 Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
1141 https://bugs.webkit.org/show_bug.cgi?id=179276
1143 Reviewed by Andy Estes.
1145 * inspector/InjectedScriptHost.h:
1146 * inspector/JSInjectedScriptHost.cpp:
1147 (Inspector::JSInjectedScriptHost::getInternalProperties):
1148 Call through to virtual implementation so that WebCore can provide custom
1149 internal properties for Web / DOM objects.
1151 2017-11-08 Saam Barati <sbarati@apple.com>
1153 A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1154 https://bugs.webkit.org/show_bug.cgi?id=177792
1156 Reviewed by Yusuke Suzuki.
1158 Before this patch, if a JSFunction's rare data initialized its allocation profile
1159 before its backing Executable's poly proto watchpoint was invalidated, that
1160 JSFunction would continue to allocate non-poly proto objects until its allocation
1161 profile was cleared (which essentially never happens in practice). This patch
1162 improves on this pathology. A JSFunction's rare data will now watch the poly
1163 proto watchpoint if it's still valid and clear its allocation profile when we
1164 detect that we should go poly proto.
1166 * bytecode/ObjectAllocationProfile.h:
1167 * bytecode/ObjectAllocationProfileInlines.h:
1168 (JSC::ObjectAllocationProfile::initializeProfile):
1169 * runtime/FunctionRareData.cpp:
1170 (JSC::FunctionRareData::initializeObjectAllocationProfile):
1171 (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1172 * runtime/FunctionRareData.h:
1173 (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
1174 (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
1175 (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
1177 2017-11-08 Keith Miller <keith_miller@apple.com>
1179 Add super sampler begin and end bytecodes.
1180 https://bugs.webkit.org/show_bug.cgi?id=179376
1182 Reviewed by Filip Pizlo.
1184 This patch adds a way to measure a narrow range of bytecodes for
1185 performance. This is done using the same infrastructure as the
1186 super sampler. I also added a class that helps do the bytecode
1187 checking with RAII. One problem with the current way this is done
1188 is that we don't handle decrementing early exits, either from
1189 branches or exceptions. So, when using this API users need to
1190 ensure that there are no early exits or that those exits don't
1191 occur on the measure code.
1193 * JavaScriptCore.xcodeproj/project.pbxproj:
1194 * bytecode/BytecodeDumper.cpp:
1195 (JSC::BytecodeDumper<Block>::dumpBytecode):
1196 * bytecode/BytecodeList.json:
1197 * bytecode/BytecodeUseDef.h:
1198 (JSC::computeUsesForBytecodeOffset):
1199 (JSC::computeDefsForBytecodeOffset):
1200 * bytecompiler/BytecodeGenerator.cpp:
1201 (JSC::BytecodeGenerator::emitSuperSamplerBegin):
1202 (JSC::BytecodeGenerator::emitSuperSamplerEnd):
1203 * bytecompiler/BytecodeGenerator.h:
1204 * bytecompiler/SuperSamplerBytecodeScope.h: Added.
1205 (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
1206 (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
1207 * dfg/DFGAbstractInterpreterInlines.h:
1208 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1209 * dfg/DFGByteCodeParser.cpp:
1210 (JSC::DFG::ByteCodeParser::parseBlock):
1211 * dfg/DFGClobberize.h:
1212 (JSC::DFG::clobberize):
1213 * dfg/DFGClobbersExitState.cpp:
1214 (JSC::DFG::clobbersExitState):
1215 * dfg/DFGDoesGC.cpp:
1217 * dfg/DFGFixupPhase.cpp:
1218 (JSC::DFG::FixupPhase::fixupNode):
1219 * dfg/DFGMayExit.cpp:
1220 * dfg/DFGNodeType.h:
1221 * dfg/DFGPredictionPropagationPhase.cpp:
1222 * dfg/DFGSafeToExecute.h:
1223 (JSC::DFG::safeToExecute):
1224 * dfg/DFGSpeculativeJIT.cpp:
1225 * dfg/DFGSpeculativeJIT32_64.cpp:
1226 (JSC::DFG::SpeculativeJIT::compile):
1227 * dfg/DFGSpeculativeJIT64.cpp:
1228 (JSC::DFG::SpeculativeJIT::compile):
1229 * ftl/FTLCapabilities.cpp:
1230 (JSC::FTL::canCompile):
1231 * ftl/FTLLowerDFGToB3.cpp:
1232 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1233 (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
1234 (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
1236 (JSC::JIT::privateCompileMainPass):
1238 * jit/JITOpcodes.cpp:
1239 (JSC::JIT::emit_op_super_sampler_begin):
1240 (JSC::JIT::emit_op_super_sampler_end):
1241 * llint/LLIntSlowPaths.cpp:
1242 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1243 * llint/LLIntSlowPaths.h:
1244 * llint/LowLevelInterpreter.asm:
1246 2017-11-08 Robin Morisset <rmorisset@apple.com>
1248 Turn recursive tail calls into loops
1249 https://bugs.webkit.org/show_bug.cgi?id=176601
1251 Reviewed by Saam Barati.
1253 Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1255 We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
1256 One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
1257 Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
1258 We do this part through modifying the computation of the jump targets.
1259 Importantly, we only do this splitting for functions that have tail calls.
1260 It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
1262 We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
1263 The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
1265 * bytecode/CodeBlock.h:
1266 (JSC::CodeBlock::hasTailCalls const):
1267 * bytecode/PreciseJumpTargets.cpp:
1268 (JSC::getJumpTargetsForBytecodeOffset):
1269 (JSC::computePreciseJumpTargetsInternal):
1270 * bytecode/UnlinkedCodeBlock.cpp:
1271 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1272 * bytecode/UnlinkedCodeBlock.h:
1273 (JSC::UnlinkedCodeBlock::hasTailCalls const):
1274 (JSC::UnlinkedCodeBlock::setHasTailCalls):
1275 * bytecompiler/BytecodeGenerator.cpp:
1276 (JSC::BytecodeGenerator::emitEnter):
1277 (JSC::BytecodeGenerator::emitCallInTailPosition):
1278 * dfg/DFGByteCodeParser.cpp:
1279 (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1280 (JSC::DFG::ByteCodeParser::makeBlockTargetable):
1281 (JSC::DFG::ByteCodeParser::handleCall):
1282 (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1283 (JSC::DFG::ByteCodeParser::parseBlock):
1284 (JSC::DFG::ByteCodeParser::parse):
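The rewrite the entry above performs inside DFGByteCodeParser, shown by hand on a small function so its shape is visible: the recursive call in tail position becomes an assignment of the would-be arguments to the parameters followed by a jump back to the function's entry. This is an added example, not WebKit code; the names `sumToRecursive`, `sumToLooped`, `sumToNonTail` and `completes` are assumed for illustration, and the loop stands in for the split entry block the DFG branches to.

```javascript
// Added example (not WebKit code): recursive tail call turned into a loop by hand.

// Original form: the recursive call is in tail position, so nothing remains to be
// done in this frame once it returns.
function sumToRecursive(n, acc) {
  if (n === 0) return acc;
  return sumToRecursive(n - 1, acc + n);
}

// Transformed form: the parameters are overwritten with what the arguments would
// have been and control jumps back to the entry (the loop head here plays the role
// of the split entry block in the DFG).
function sumToLooped(n, acc) {
  for (;;) {
    if (n === 0) return acc;
    // All argument expressions are evaluated before any parameter is assigned,
    // exactly as a call would evaluate them; assigning n first would corrupt acc + n.
    const nextN = n - 1;
    const nextAcc = acc + n;
    n = nextN;
    acc = nextAcc;
  }
}

// Not a tail call: the addition after the call still needs this frame, so the
// rewrite does not apply and each level costs a real stack frame.
function sumToNonTail(n) {
  if (n === 0) return 0;
  return n + sumToNonTail(n - 1);
}

// Whether f(n, 0) finishes without exhausting the stack (RangeError in JS engines).
function completes(f, n) {
  try {
    f(n, 0);
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e;
  }
}
```

Both `sumToRecursive` and `sumToLooped` compute the same values; the looped form runs in constant stack space for any `n`, whereas the depth the recursive forms tolerate depends on whether the engine eliminates tail calls (JSC does in strict mode, many other engines do not), which is why the transformation is done early so later phases see an ordinary loop.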
1286 2017-11-08 Joseph Pecoraro <pecoraro@apple.com>
1288 Web Inspector: Remove unused Page.ScriptIdentifier protocol type
1289 https://bugs.webkit.org/show_bug.cgi?id=179407
1291 Reviewed by Matt Baker.
1293 * inspector/protocol/Page.json:
1294 Remove unused protocol type.
1296 2017-11-08 Carlos Garcia Campos <cgarcia@igalia.com>
1298 Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
1299 https://bugs.webkit.org/show_bug.cgi?id=173619
1301 Reviewed by Alex Christensen and Brian Burg.
1303 Eventually all classes used for our JSON-RPC message passing should be outside
1304 of the Inspector namespace since the protocol is used outside of Inspector code.
1305 This will also allow us to unify the primitive JSON types with parameteric types
1306 like Inspector::Protocol::Array<T> and other protocol-related types which don't
1307 need to be in the Inspector namespace.
1309 Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
1310 patches, other clients will move to use JSON::Value and friends. When all uses are
1311 changed, the actual implementation will be renamed. This patch just focuses on the typedef
1312 and making changes in generated protocol code.
1314 Original patch by Brian Burg, rebased and updated by me.
1316 * inspector/InspectorValues.cpp:
1317 * inspector/InspectorValues.h:
1318 * inspector/scripts/codegen/cpp_generator.py:
1319 (CppGenerator.cpp_protocol_type_for_type):
1320 (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
1321 (CppGenerator.cpp_type_for_type_with_name):
1322 (CppGenerator.cpp_type_for_stack_in_parameter):
1323 * inspector/scripts/codegen/cpp_generator_templates.py:
1325 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1326 (_generate_class_for_object_declaration):
1327 (_generate_forward_declarations_for_binding_traits):
1328 * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1329 (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
1330 (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1331 * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1332 * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1333 * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1334 * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1335 * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1336 * inspector/scripts/tests/generic/expected/enum-values.json-result:
1337 * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1338 * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1339 * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1340 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1341 * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1342 * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1343 * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1344 * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1346 2017-11-07 Maciej Stachowiak <mjs@apple.com>
1348 Get rid of unsightly hex numbers from unified build object files
1349 https://bugs.webkit.org/show_bug.cgi?id=179410
1351 Reviewed by Saam Barati.
1353 * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
1355 2017-11-07 Saam Barati <sbarati@apple.com>
1357 Only cage double butterfly accesses
1358 https://bugs.webkit.org/show_bug.cgi?id=179202
1360 Reviewed by Mark Lam.
1362 This patch removes caging from all butterfly accesses except double loads/stores.
1363 This is a performance vs security tradeoff. Double loads/stores are the only butterfly
1364 loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
1365 by caging. The other load/stores we are no longer caging to get back performance on
1368 * bytecode/AccessCase.cpp:
1369 (JSC::AccessCase::generateImpl):
1370 * bytecode/InlineAccess.cpp:
1371 (JSC::InlineAccess::dumpCacheSizesAndCrash):
1372 (JSC::InlineAccess::generateSelfPropertyAccess):
1373 (JSC::InlineAccess::generateSelfPropertyReplace):
1374 (JSC::InlineAccess::generateArrayLength):
1375 * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
1376 * dfg/DFGSpeculativeJIT.cpp:
1377 (JSC::DFG::SpeculativeJIT::compileCreateRest):
1378 (JSC::DFG::SpeculativeJIT::compileSpread):
1379 (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1380 * dfg/DFGSpeculativeJIT64.cpp:
1381 (JSC::DFG::SpeculativeJIT::compile):
1382 * ftl/FTLLowerDFGToB3.cpp:
1383 (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1384 * jit/JITPropertyAccess.cpp:
1385 (JSC::JIT::emitContiguousLoad):
1386 (JSC::JIT::emitArrayStorageLoad):
1387 (JSC::JIT::emitGenericContiguousPutByVal):
1388 (JSC::JIT::emitArrayStoragePutByVal):
1389 (JSC::JIT::emit_op_get_from_scope):
1390 (JSC::JIT::emit_op_put_to_scope):
1391 * llint/LowLevelInterpreter64.asm:
1392 * runtime/AuxiliaryBarrier.h:
1393 (JSC::AuxiliaryBarrier::operator-> const):
1394 * runtime/Butterfly.h:
1395 (JSC::Butterfly::caged):
1396 (JSC::Butterfly::contiguousDouble):
1397 * runtime/JSArray.cpp:
1398 (JSC::JSArray::setLength):
1399 (JSC::JSArray::pop):
1400 (JSC::JSArray::shiftCountWithAnyIndexingType):
1401 (JSC::JSArray::unshiftCountWithAnyIndexingType):
1402 (JSC::JSArray::fillArgList):
1403 (JSC::JSArray::copyToArguments):
1404 * runtime/JSArrayInlines.h:
1405 (JSC::JSArray::pushInline):
1406 * runtime/JSObject.cpp:
1407 (JSC::JSObject::heapSnapshot):
1408 (JSC::JSObject::createInitialIndexedStorage):
1409 (JSC::JSObject::createArrayStorage):
1410 (JSC::JSObject::convertUndecidedToInt32):
1411 (JSC::JSObject::ensureLengthSlow):
1412 (JSC::JSObject::reallocateAndShrinkButterfly):
1413 (JSC::JSObject::allocateMoreOutOfLineStorage):
1414 * runtime/JSObject.h:
1415 (JSC::JSObject::canGetIndexQuickly):
1416 (JSC::JSObject::getIndexQuickly):
1417 (JSC::JSObject::tryGetIndexQuickly const):
1418 (JSC::JSObject::canSetIndexQuickly):
1419 (JSC::JSObject::butterfly const):
1420 (JSC::JSObject::butterfly):
1422 2017-11-07 Mark Lam <mark.lam@apple.com>
1424 Introduce a default RegisterSet constructor so that we can use { } notation.
1425 https://bugs.webkit.org/show_bug.cgi?id=179389
1427 Reviewed by Saam Barati.
1429 I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
1430 does not add any code documentation value.
1432 * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1433 * b3/air/AirCode.cpp:
1434 (JSC::B3::Air::Code::setRegsInPriorityOrder):
1435 * b3/air/AirPrintSpecial.cpp:
1436 (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
1437 (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
1438 * b3/air/testair.cpp:
1439 * bytecode/PolymorphicAccess.h:
1440 (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
1441 (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
1442 * dfg/DFGJITCode.cpp:
1443 (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1444 * ftl/FTLJITCode.cpp:
1445 (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1447 (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1448 * jit/RegisterSet.cpp:
1449 (JSC::RegisterSet::reservedHardwareRegisters):
1450 (JSC::RegisterSet::runtimeRegisters):
1451 (JSC::RegisterSet::macroScratchRegisters):
1452 * jit/RegisterSet.h:
1453 (JSC::RegisterSet::RegisterSet):
1454 * wasm/WasmB3IRGenerator.cpp:
1455 (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1457 2017-11-07 Mark Lam <mark.lam@apple.com>
1459 AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1460 https://bugs.webkit.org/show_bug.cgi?id=179355
1461 <rdar://problem/35263053>
1463 Reviewed by Saam Barati.
1465 In the Transition case in AccessCase::generateImpl(), we were restoring registers
1466 using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
1467 where we previously stashed the reallocated butterfly. If the generated code is
1468 under heavy register pressure, scratchGPR could have been from the set of preserved
1469 registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
1470 As a result, the restoration would trash the butterfly result we stored there.
1471 This patch fixes the issue by excluding the scratchGPR in the restoration.
1473 * bytecode/AccessCase.cpp:
1474 (JSC::AccessCase::generateImpl):
1476 2017-11-06 Robin Morisset <rmorisset@apple.com>
1478 CodeBlock::usesOpcode() is dead code
1479 https://bugs.webkit.org/show_bug.cgi?id=179316
1481 Reviewed by Yusuke Suzuki.
1483 Remove CodeBlock::usesOpcode which is dead code
1485 * bytecode/CodeBlock.cpp:
1486 * bytecode/CodeBlock.h:
1488 2017-11-05 Yusuke Suzuki <utatane.tea@gmail.com>
1490 JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1491 https://bugs.webkit.org/show_bug.cgi?id=144458
1493 Reviewed by Saam Barati.
1495 Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
1496 InternalFunction calls are not cached and they always go to the slow path. This is not good because
1498 1. We need to query getCallData/getConstructData every time in the slow path.
1499 2. CallLinkInfo tells nothing in the higher tier JITs.
1501 This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
1502 to hold pointers to the functions for call and construct. We have new stubs that can call/construct
1503 InternalFunction. And we return this code pointer as a result of the setup call to use the CallLinkInfo mechanism.
1505 This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
1506 for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
1507 case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
1508 nodes for these InternalFunctions since CallLinkInfo tells us nothing.
1510 Attached microbenchmarks show performance improvement.
1514 dfg-internal-function-construct 1.6439+-0.0826 ^ 1.2829+-0.0727 ^ definitely 1.2813x faster
1515 dfg-internal-function-not-handled-construct 2.1862+-0.1361 2.0696+-0.1201 might be 1.0564x faster
1516 dfg-internal-function-not-handled-call 20.7592+-0.9085 19.7369+-0.7921 might be 1.0518x faster
1517 dfg-internal-function-call 1.6856+-0.0967 ^ 1.2771+-0.0744 ^ definitely 1.3198x faster
1519 [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
1521 * API/JSCallbackFunction.cpp:
1522 (JSC::JSCallbackFunction::JSCallbackFunction):
1523 (JSC::JSCallbackFunction::getCallData): Deleted.
1524 * API/JSCallbackFunction.h:
1525 (JSC::JSCallbackFunction::createStructure):
1526 * API/ObjCCallbackFunction.h:
1527 (JSC::ObjCCallbackFunction::createStructure):
1528 * API/ObjCCallbackFunction.mm:
1529 (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
1530 (JSC::ObjCCallbackFunction::getCallData): Deleted.
1531 (JSC::ObjCCallbackFunction::getConstructData): Deleted.
1532 * bytecode/BytecodeDumper.cpp:
1533 (JSC::BytecodeDumper<Block>::printCallOp):
1534 * bytecode/BytecodeList.json:
1535 * bytecode/CallLinkInfo.cpp:
1536 (JSC::CallLinkInfo::setCallee):
1537 (JSC::CallLinkInfo::callee):
1538 (JSC::CallLinkInfo::setLastSeenCallee):
1539 (JSC::CallLinkInfo::lastSeenCallee):
1540 (JSC::CallLinkInfo::visitWeak):
1541 * bytecode/CallLinkInfo.h:
1542 * bytecode/CallLinkStatus.cpp:
1543 (JSC::CallLinkStatus::computeFromCallLinkInfo):
1544 * bytecode/LLIntCallLinkInfo.h:
1545 * jit/JITOperations.cpp:
1546 * jit/JITThunks.cpp:
1547 (JSC::JITThunks::ctiInternalFunctionCall):
1548 (JSC::JITThunks::ctiInternalFunctionConstruct):
1552 (JSC::linkPolymorphicCall):
1554 * jit/ThunkGenerators.cpp:
1555 (JSC::virtualThunkFor):
1556 (JSC::nativeForGenerator):
1557 (JSC::nativeCallGenerator):
1558 (JSC::nativeTailCallGenerator):
1559 (JSC::nativeTailCallWithoutSavedTagsGenerator):
1560 (JSC::nativeConstructGenerator):
1561 (JSC::internalFunctionCallGenerator):
1562 (JSC::internalFunctionConstructGenerator):
1563 * jit/ThunkGenerators.h:
1564 * llint/LLIntSlowPaths.cpp:
1565 (JSC::LLInt::setUpCall):
1566 * llint/LowLevelInterpreter.asm:
1567 * llint/LowLevelInterpreter32_64.asm:
1568 * llint/LowLevelInterpreter64.asm:
1569 * runtime/ArrayConstructor.cpp:
1570 (JSC::ArrayConstructor::ArrayConstructor):
1571 (JSC::ArrayConstructor::getConstructData): Deleted.
1572 (JSC::ArrayConstructor::getCallData): Deleted.
1573 * runtime/ArrayConstructor.h:
1574 (JSC::ArrayConstructor::createStructure):
1575 * runtime/AsyncFunctionConstructor.cpp:
1576 (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
1577 (JSC::AsyncFunctionConstructor::finishCreation):
1578 (JSC::AsyncFunctionConstructor::getCallData): Deleted.
1579 (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
1580 * runtime/AsyncFunctionConstructor.h:
1581 (JSC::AsyncFunctionConstructor::createStructure):
1582 * runtime/AsyncGeneratorFunctionConstructor.cpp:
1583 (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
1584 (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1585 (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
1586 (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
1587 * runtime/AsyncGeneratorFunctionConstructor.h:
1588 (JSC::AsyncGeneratorFunctionConstructor::createStructure):
1589 * runtime/BooleanConstructor.cpp:
1590 (JSC::callBooleanConstructor):
1591 (JSC::BooleanConstructor::BooleanConstructor):
1592 (JSC::BooleanConstructor::finishCreation):
1593 (JSC::BooleanConstructor::getConstructData): Deleted.
1594 (JSC::BooleanConstructor::getCallData): Deleted.
1595 * runtime/BooleanConstructor.h:
1596 (JSC::BooleanConstructor::createStructure):
1597 * runtime/DateConstructor.cpp:
1598 (JSC::DateConstructor::DateConstructor):
1599 (JSC::DateConstructor::getConstructData): Deleted.
1600 (JSC::DateConstructor::getCallData): Deleted.
1601 * runtime/DateConstructor.h:
1602 (JSC::DateConstructor::createStructure):
1604 (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
1605 (JSC::StrictModeTypeErrorFunction::createStructure):
1606 (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
1607 (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
1608 * runtime/ErrorConstructor.cpp:
1609 (JSC::ErrorConstructor::ErrorConstructor):
1610 (JSC::ErrorConstructor::getConstructData): Deleted.
1611 (JSC::ErrorConstructor::getCallData): Deleted.
1612 * runtime/ErrorConstructor.h:
1613 (JSC::ErrorConstructor::createStructure):
1614 * runtime/FunctionConstructor.cpp:
1615 (JSC::FunctionConstructor::FunctionConstructor):
1616 (JSC::FunctionConstructor::finishCreation):
1617 (JSC::FunctionConstructor::getConstructData): Deleted.
1618 (JSC::FunctionConstructor::getCallData): Deleted.
1619 * runtime/FunctionConstructor.h:
1620 (JSC::FunctionConstructor::createStructure):
1621 * runtime/FunctionPrototype.cpp:
1622 (JSC::callFunctionPrototype):
1623 (JSC::FunctionPrototype::FunctionPrototype):
1624 (JSC::FunctionPrototype::getCallData): Deleted.
1625 * runtime/FunctionPrototype.h:
1626 (JSC::FunctionPrototype::createStructure):
1627 * runtime/GeneratorFunctionConstructor.cpp:
1628 (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
1629 (JSC::GeneratorFunctionConstructor::finishCreation):
1630 (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
1631 (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
1632 * runtime/GeneratorFunctionConstructor.h:
1633 (JSC::GeneratorFunctionConstructor::createStructure):
1634 * runtime/InternalFunction.cpp:
1635 (JSC::InternalFunction::InternalFunction):
1636 (JSC::InternalFunction::finishCreation):
1637 (JSC::InternalFunction::getCallData):
1638 (JSC::InternalFunction::getConstructData):
1639 * runtime/InternalFunction.h:
1640 (JSC::InternalFunction::createStructure):
1641 (JSC::InternalFunction::nativeFunctionFor):
1642 (JSC::InternalFunction::offsetOfNativeFunctionFor):
1643 * runtime/IntlCollatorConstructor.cpp:
1644 (JSC::IntlCollatorConstructor::createStructure):
1645 (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
1646 (JSC::IntlCollatorConstructor::getConstructData): Deleted.
1647 (JSC::IntlCollatorConstructor::getCallData): Deleted.
1648 * runtime/IntlCollatorConstructor.h:
1649 * runtime/IntlDateTimeFormatConstructor.cpp:
1650 (JSC::IntlDateTimeFormatConstructor::createStructure):
1651 (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
1652 (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
1653 (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
1654 * runtime/IntlDateTimeFormatConstructor.h:
1655 * runtime/IntlNumberFormatConstructor.cpp:
1656 (JSC::IntlNumberFormatConstructor::createStructure):
1657 (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
1658 (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
1659 (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
1660 * runtime/IntlNumberFormatConstructor.h:
1661 * runtime/JSArrayBufferConstructor.cpp:
1662 (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1663 (JSC::JSArrayBufferConstructor::createStructure):
1664 (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
1665 (JSC::JSArrayBufferConstructor::getCallData): Deleted.
1666 * runtime/JSArrayBufferConstructor.h:
1667 * runtime/JSGenericTypedArrayViewConstructor.h:
1668 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1669 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
1670 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
1671 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
1672 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
1673 * runtime/JSInternalPromiseConstructor.cpp:
1674 (JSC::JSInternalPromiseConstructor::createStructure):
1675 (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1676 (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
1677 (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
1678 * runtime/JSInternalPromiseConstructor.h:
1679 * runtime/JSPromiseConstructor.cpp:
1680 (JSC::JSPromiseConstructor::createStructure):
1681 (JSC::JSPromiseConstructor::JSPromiseConstructor):
1682 (JSC::JSPromiseConstructor::getConstructData): Deleted.
1683 (JSC::JSPromiseConstructor::getCallData): Deleted.
1684 * runtime/JSPromiseConstructor.h:
1686 * runtime/JSTypedArrayViewConstructor.cpp:
1687 (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
1688 (JSC::JSTypedArrayViewConstructor::createStructure):
1689 (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
1690 (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
1691 * runtime/JSTypedArrayViewConstructor.h:
1692 * runtime/MapConstructor.cpp:
1693 (JSC::MapConstructor::MapConstructor):
1694 (JSC::MapConstructor::getConstructData): Deleted.
1695 (JSC::MapConstructor::getCallData): Deleted.
1696 * runtime/MapConstructor.h:
1697 (JSC::MapConstructor::createStructure):
1698 (JSC::MapConstructor::MapConstructor): Deleted.
1699 * runtime/NativeErrorConstructor.cpp:
1700 (JSC::NativeErrorConstructor::NativeErrorConstructor):
1701 (JSC::NativeErrorConstructor::getConstructData): Deleted.
1702 (JSC::NativeErrorConstructor::getCallData): Deleted.
1703 * runtime/NativeErrorConstructor.h:
1704 (JSC::NativeErrorConstructor::createStructure):
1705 * runtime/NullGetterFunction.cpp:
1706 (JSC::NullGetterFunction::NullGetterFunction):
1707 (JSC::NullGetterFunction::getCallData): Deleted.
1708 (JSC::NullGetterFunction::getConstructData): Deleted.
1709 * runtime/NullGetterFunction.h:
1710 (JSC::NullGetterFunction::createStructure):
1711 (JSC::NullGetterFunction::NullGetterFunction): Deleted.
1712 * runtime/NullSetterFunction.cpp:
1713 (JSC::NullSetterFunction::NullSetterFunction):
1714 (JSC::NullSetterFunction::getCallData): Deleted.
1715 (JSC::NullSetterFunction::getConstructData): Deleted.
1716 * runtime/NullSetterFunction.h:
1717 (JSC::NullSetterFunction::createStructure):
1718 (JSC::NullSetterFunction::NullSetterFunction): Deleted.
1719 * runtime/NumberConstructor.cpp:
1720 (JSC::NumberConstructor::NumberConstructor):
1721 (JSC::constructNumberConstructor):
1722 (JSC::constructWithNumberConstructor): Deleted.
1723 (JSC::NumberConstructor::getConstructData): Deleted.
1724 (JSC::NumberConstructor::getCallData): Deleted.
1725 * runtime/NumberConstructor.h:
1726 (JSC::NumberConstructor::createStructure):
1727 * runtime/ObjectConstructor.cpp:
1728 (JSC::ObjectConstructor::ObjectConstructor):
1729 (JSC::ObjectConstructor::getConstructData): Deleted.
1730 (JSC::ObjectConstructor::getCallData): Deleted.
1731 * runtime/ObjectConstructor.h:
1732 (JSC::ObjectConstructor::createStructure):
1733 * runtime/ProxyConstructor.cpp:
1734 (JSC::ProxyConstructor::ProxyConstructor):
1735 (JSC::ProxyConstructor::getConstructData): Deleted.
1736 (JSC::ProxyConstructor::getCallData): Deleted.
1737 * runtime/ProxyConstructor.h:
1738 (JSC::ProxyConstructor::createStructure):
1739 * runtime/ProxyRevoke.cpp:
1740 (JSC::ProxyRevoke::ProxyRevoke):
1741 (JSC::ProxyRevoke::getCallData): Deleted.
1742 * runtime/ProxyRevoke.h:
1743 (JSC::ProxyRevoke::createStructure):
1744 * runtime/RegExpConstructor.cpp:
1745 (JSC::RegExpConstructor::RegExpConstructor):
1746 (JSC::RegExpConstructor::getConstructData): Deleted.
1747 (JSC::RegExpConstructor::getCallData): Deleted.
1748 * runtime/RegExpConstructor.h:
1749 (JSC::RegExpConstructor::createStructure):
1750 * runtime/SetConstructor.cpp:
1751 (JSC::SetConstructor::SetConstructor):
1752 (JSC::SetConstructor::getConstructData): Deleted.
1753 (JSC::SetConstructor::getCallData): Deleted.
1754 * runtime/SetConstructor.h:
1755 (JSC::SetConstructor::createStructure):
1756 (JSC::SetConstructor::SetConstructor): Deleted.
1757 * runtime/StringConstructor.cpp:
1758 (JSC::StringConstructor::StringConstructor):
1759 (JSC::StringConstructor::getConstructData): Deleted.
1760 (JSC::StringConstructor::getCallData): Deleted.
1761 * runtime/StringConstructor.h:
1762 (JSC::StringConstructor::createStructure):
1763 * runtime/SymbolConstructor.cpp:
1764 (JSC::SymbolConstructor::SymbolConstructor):
1765 (JSC::SymbolConstructor::getConstructData): Deleted.
1766 (JSC::SymbolConstructor::getCallData): Deleted.
1767 * runtime/SymbolConstructor.h:
1768 (JSC::SymbolConstructor::createStructure):
1771 (JSC::VM::getCTIInternalFunctionTrampolineFor):
1773 * runtime/WeakMapConstructor.cpp:
1774 (JSC::WeakMapConstructor::WeakMapConstructor):
1775 (JSC::WeakMapConstructor::getConstructData): Deleted.
1776 (JSC::WeakMapConstructor::getCallData): Deleted.
1777 * runtime/WeakMapConstructor.h:
1778 (JSC::WeakMapConstructor::createStructure):
1779 (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
1780 * runtime/WeakSetConstructor.cpp:
1781 (JSC::WeakSetConstructor::WeakSetConstructor):
1782 (JSC::WeakSetConstructor::getConstructData): Deleted.
1783 (JSC::WeakSetConstructor::getCallData): Deleted.
1784 * runtime/WeakSetConstructor.h:
1785 (JSC::WeakSetConstructor::createStructure):
1786 (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
1787 * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1788 (JSC::WebAssemblyCompileErrorConstructor::createStructure):
1789 (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
1790 (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
1791 (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
1792 * wasm/js/WebAssemblyCompileErrorConstructor.h:
1793 * wasm/js/WebAssemblyInstanceConstructor.cpp:
1794 (JSC::WebAssemblyInstanceConstructor::createStructure):
1795 (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
1796 (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
1797 (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
1798 * wasm/js/WebAssemblyInstanceConstructor.h:
1799 * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1800 (JSC::WebAssemblyLinkErrorConstructor::createStructure):
1801 (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
1802 (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
1803 (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
1804 * wasm/js/WebAssemblyLinkErrorConstructor.h:
1805 * wasm/js/WebAssemblyMemoryConstructor.cpp:
1806 (JSC::WebAssemblyMemoryConstructor::createStructure):
1807 (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
1808 (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
1809 (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
1810 * wasm/js/WebAssemblyMemoryConstructor.h:
1811 * wasm/js/WebAssemblyModuleConstructor.cpp:
1812 (JSC::WebAssemblyModuleConstructor::createStructure):
1813 (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
1814 (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
1815 (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
1816 * wasm/js/WebAssemblyModuleConstructor.h:
1817 * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1818 (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
1819 (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
1820 (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
1821 (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
1822 * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1823 * wasm/js/WebAssemblyTableConstructor.cpp:
1824 (JSC::WebAssemblyTableConstructor::createStructure):
1825 (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
1826 (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
1827 (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
1828 * wasm/js/WebAssemblyTableConstructor.h:
1830 2017-11-03 Michael Saboff <msaboff@apple.com>
1832 The Abstract Interpreter needs to change similarly to clobberize() in r224366
1833 https://bugs.webkit.org/show_bug.cgi?id=179267
1835 Reviewed by Saam Barati.
1837 Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
1838 cases in the abstract interpreter to match what was done for r224366.
1840 * dfg/DFGAbstractInterpreterInlines.h:
1841 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1843 2017-11-03 Keith Miller <keith_miller@apple.com>
1845 PutPropertySlot should inform the IC about the property before effects.
1846 https://bugs.webkit.org/show_bug.cgi?id=179262
1848 Reviewed by Mark Lam.
1850 This patch fixes an issue where we choose to cache setters based on
1851 incorrect information. If we did so we might end up OSR exiting
1852 more than we would otherwise need to. The new model is that the
1853 PutPropertySlot should inform the IC of what the property looked
1854 like before any potential side effects might have occurred.
1856 * runtime/JSObject.cpp:
1857 (JSC::JSObject::putInlineSlow):
1861 2017-11-03 Mark Lam <mark.lam@apple.com>
1863 CachedCall (and its clients) needs overflow checks.
1864 https://bugs.webkit.org/show_bug.cgi?id=179185
1866 Reviewed by JF Bastien.
1868 * interpreter/CachedCall.h:
1869 (JSC::CachedCall::CachedCall):
1870 (JSC::CachedCall::hasOverflowedArguments):
1871 * runtime/ArgList.h:
1872 (JSC::MarkedArgumentBuffer::clear):
1873 * runtime/StringPrototype.cpp:
1874 (JSC::replaceUsingRegExpSearch):
1876 2017-11-03 Devin Rousso <webkit@devinrousso.com>
1878 Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
1879 https://bugs.webkit.org/show_bug.cgi?id=178302
1880 <rdar://problem/33158849>
1882 Reviewed by Brian Burg.
1884 * inspector/protocol/Recording.json:
1885 Add `duration` to each Frame that represents the total time of all the recorded actions.
1887 2017-11-02 Devin Rousso <webkit@devinrousso.com>
1889 Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
1890 https://bugs.webkit.org/show_bug.cgi?id=179070
1891 <rdar://problem/35278276>
1893 Reviewed by Brian Burg.
1895 * inspector/protocol/Canvas.json:
1896 Add `extensionEnabled` event that is fired each time `getExtension` is called with a
1897 different string on a WebGL context.
1899 2017-11-02 Joseph Pecoraro <pecoraro@apple.com>
1901 Make ServiceWorker a Remote Inspector debuggable target
1902 https://bugs.webkit.org/show_bug.cgi?id=179043
1903 <rdar://problem/34126008>
1905 Reviewed by Brian Burg.
1907 * inspector/remote/RemoteControllableTarget.h:
1908 * inspector/remote/RemoteInspectionTarget.h:
1909 * inspector/remote/RemoteInspectorConstants.h:
1910 Include a new ServiceWorker remote inspector target type.
1912 * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1913 (Inspector::RemoteInspector::listingForInspectionTarget const):
1914 Implement listing for a ServiceWorker to include a URL like a page.
1916 * inspector/remote/glib/RemoteInspectorGlib.cpp:
1917 (Inspector::RemoteInspector::listingForInspectionTarget const):
1918 Bail for ServiceWorker support in glib. They will need to implement their support.
1920 2017-11-02 Michael Saboff <msaboff@apple.com>
1922 DFG needs to handle code motion of code in for..in loop bodies
1923 https://bugs.webkit.org/show_bug.cgi?id=179212
1925 Reviewed by Keith Miller.
1927 The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
1928 makes calls with side effects. Updated clobberize() for those nodes to take that into account.
1930 * dfg/DFGClobberize.h:
1931 (JSC::DFG::clobberize):
1933 2017-11-02 Joseph Pecoraro <pecoraro@apple.com>
1935 Inspector should display service worker served responses properly
1936 https://bugs.webkit.org/show_bug.cgi?id=178597
1937 <rdar://problem/35186111>
1939 Reviewed by Brian Burg.
1941 * inspector/protocol/Network.json:
1942 Expose a new "service-worker" response source.
1944 2017-11-02 Filip Pizlo <fpizlo@apple.com>
1946 AI does not correctly model the clobber case of ArithClz32
1947 https://bugs.webkit.org/show_bug.cgi?id=179188
1949 Reviewed by Michael Saboff.
1951 The non-Int32 case clobbers the world because it may call valueOf.
1953 * dfg/DFGAbstractInterpreterInlines.h:
1954 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1956 2017-11-02 Yusuke Suzuki <utatane.tea@gmail.com>
1958 Unreviewed, release throw scope
1959 https://bugs.webkit.org/show_bug.cgi?id=178726
1961 * dfg/DFGOperations.cpp:
1963 2017-11-02 Frederic Wang <fwang@igalia.com>
1965 Add references to bug 179167 in FIXME comments
1966 https://bugs.webkit.org/show_bug.cgi?id=179168
1968 Reviewed by Daniel Bates.
1970 * Configurations/FeatureDefines.xcconfig:
1972 2017-11-01 Jeremy Jones <jeremyj@apple.com>
1974 Implement WKFullscreenWindowController for iOS.
1975 https://bugs.webkit.org/show_bug.cgi?id=178924
1976 rdar://problem/34697120
1978 Reviewed by Simon Fraser.
1980 Enable ENABLE_FULLSCREEN_API for iOS.
1982 * Configurations/FeatureDefines.xcconfig:
1984 2017-11-01 Mark Lam <mark.lam@apple.com>
1986 Add support to throw OOM if MarkedArgumentBuffer may overflow.
1987 https://bugs.webkit.org/show_bug.cgi?id=179092
1988 <rdar://problem/35116160>
1990 Reviewed by Saam Barati.
1992 The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
1993 time, which renders it unsuitable for automated tests. Instead, I've run a
1994 test manually to verify that an OutOfMemoryError will be thrown when an overflow
1997 The MarkedArgumentBuffer's destructor will now assert that the client has indeed
1998 checked for an overflow after invoking methods that may result in an overflow i.e.
1999 the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
2000 This is only done on debug builds.
2002 * API/JSObjectRef.cpp:
2003 (JSObjectMakeFunction):
2004 (JSObjectMakeArray):
2006 (JSObjectMakeRegExp):
2007 (JSObjectCallAsFunction):
2008 (JSObjectCallAsConstructor):
2009 * dfg/DFGOperations.cpp:
2010 * inspector/InjectedScriptManager.cpp:
2011 (Inspector::InjectedScriptManager::createInjectedScript):
2012 * inspector/JSJavaScriptCallFrame.cpp:
2013 (Inspector::JSJavaScriptCallFrame::scopeChain const):
2014 * interpreter/Interpreter.cpp:
2015 (JSC::Interpreter::executeProgram):
2017 (functionDollarAgentReceiveBroadcast):
2018 * runtime/ArgList.cpp:
2019 (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
2020 (JSC::MarkedArgumentBuffer::expandCapacity):
2021 (JSC::MarkedArgumentBuffer::slowAppend):
2022 * runtime/ArgList.h:
2023 (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
2024 (JSC::MarkedArgumentBuffer::appendWithAction):
2025 (JSC::MarkedArgumentBuffer::append):
2026 (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
2027 (JSC::MarkedArgumentBuffer::hasOverflowed):
2028 (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
2029 (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
2030 * runtime/ArrayPrototype.cpp:
2031 * runtime/CommonSlowPaths.cpp:
2032 (JSC::SLOW_PATH_DECL):
2033 * runtime/GetterSetter.cpp:
2035 * runtime/IteratorOperations.cpp:
2036 (JSC::iteratorNext):
2037 (JSC::iteratorClose):
2038 * runtime/JSBoundFunction.cpp:
2039 (JSC::boundThisNoArgsFunctionCall):
2040 (JSC::boundFunctionCall):
2041 (JSC::boundThisNoArgsFunctionConstruct):
2042 (JSC::boundFunctionConstruct):
2043 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2044 (JSC::constructGenericTypedArrayViewFromIterator):
2045 * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2046 (JSC::genericTypedArrayViewProtoFuncSlice):
2047 (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2048 * runtime/JSGlobalObject.cpp:
2049 (JSC::JSGlobalObject::haveABadTime):
2050 * runtime/JSInternalPromise.cpp:
2051 (JSC::JSInternalPromise::then):
2052 * runtime/JSJob.cpp:
2053 (JSC::JSJobMicrotask::run):
2054 * runtime/JSMapIterator.cpp:
2055 (JSC::JSMapIterator::createPair):
2056 * runtime/JSModuleLoader.cpp:
2057 (JSC::JSModuleLoader::provideFetch):
2058 (JSC::JSModuleLoader::loadAndEvaluateModule):
2059 (JSC::JSModuleLoader::loadModule):
2060 (JSC::JSModuleLoader::linkAndEvaluateModule):
2061 (JSC::JSModuleLoader::requestImportModule):
2062 * runtime/JSONObject.cpp:
2063 (JSC::Stringifier::toJSONImpl):
2064 (JSC::Stringifier::appendStringifiedValue):
2065 (JSC::Walker::callReviver):
2066 * runtime/JSObject.cpp:
2067 (JSC::ordinarySetSlow):
2068 (JSC::callToPrimitiveFunction):
2069 (JSC::JSObject::hasInstance):
2070 * runtime/JSPromise.cpp:
2071 (JSC::JSPromise::initialize):
2072 (JSC::JSPromise::resolve):
2073 * runtime/JSPromiseDeferred.cpp:
2074 (JSC::newPromiseCapability):
2075 (JSC::callFunction):
2076 * runtime/JSSetIterator.cpp:
2077 (JSC::JSSetIterator::createPair):
2078 * runtime/LiteralParser.cpp:
2079 (JSC::LiteralParser<CharType>::parse):
2080 * runtime/MapConstructor.cpp:
2081 (JSC::constructMap):
2082 * runtime/ObjectConstructor.cpp:
2083 (JSC::defineProperties):
2084 * runtime/ProxyObject.cpp:
2085 (JSC::performProxyGet):
2086 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2087 (JSC::ProxyObject::performHasProperty):
2088 (JSC::ProxyObject::performPut):
2089 (JSC::performProxyCall):
2090 (JSC::performProxyConstruct):
2091 (JSC::ProxyObject::performDelete):
2092 (JSC::ProxyObject::performPreventExtensions):
2093 (JSC::ProxyObject::performIsExtensible):
2094 (JSC::ProxyObject::performDefineOwnProperty):
2095 (JSC::ProxyObject::performGetOwnPropertyNames):
2096 (JSC::ProxyObject::performSetPrototype):
2097 (JSC::ProxyObject::performGetPrototype):
2098 * runtime/ReflectObject.cpp:
2099 (JSC::reflectObjectConstruct):
2100 * runtime/SetConstructor.cpp:
2101 (JSC::constructSet):
2102 * runtime/StringPrototype.cpp:
2103 (JSC::replaceUsingRegExpSearch):
2104 (JSC::replaceUsingStringSearch):
2105 * runtime/WeakMapConstructor.cpp:
2106 (JSC::constructWeakMap):
2107 * runtime/WeakSetConstructor.cpp:
2108 (JSC::constructWeakSet):
2109 * wasm/js/WasmToJS.cpp:
2110 (JSC::Wasm::wasmToJS):
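As an added illustration of the MarkedArgumentBuffer entry above (the 2017-11-01 "Add support to throw OOM if MarkedArgumentBuffer may overflow" change), and not JSC's own code: a constructed argument buffer whose append records an overflow past a hard limit, whose client turns that into an OutOfMemoryError, and whose destructor asserts in debug builds that hasOverflowed() was consulted. The class, the limit and the OutOfMemoryError type are hypothetical stand-ins.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed example, not JSC's MarkedArgumentBuffer. It shows the two
// ideas in the entry above: appending past a hard limit records an overflow
// (which the client turns into an OutOfMemoryError) instead of growing the
// buffer without bound, and in debug builds the destructor asserts that the
// client actually consulted hasOverflowed() after any append that could
// have overflowed.
class ArgumentBuffer {
public:
    // Hypothetical limit, kept tiny so the example exercises the overflow path.
    static constexpr size_t maxArguments = 8;

    ArgumentBuffer() = default;
    ArgumentBuffer(const ArgumentBuffer&) = delete;
    ArgumentBuffer& operator=(const ArgumentBuffer&) = delete;

    ~ArgumentBuffer()
    {
        // Debug-only enforcement: a client that appended but never asked
        // hasOverflowed() has a latent bug, so fail loudly in debug builds.
        assert(!m_needsOverflowCheck && "client never called hasOverflowed()");
    }

    // Append a value; once overflowed, further appends are dropped and the
    // buffer stays in the overflowed state until the client checks it.
    void append(int64_t value)
    {
        m_needsOverflowCheck = true;
        if (m_overflowed)
            return;
        if (m_values.size() >= maxArguments) {
            m_overflowed = true;
            return;
        }
        m_values.push_back(value);
    }

    // The client's obligation: call this after appending and before using
    // the arguments. Calling it clears the debug obligation.
    bool hasOverflowed()
    {
        m_needsOverflowCheck = false;
        return m_overflowed;
    }

    size_t size() const { return m_values.size(); }
    const std::vector<int64_t>& values() const { return m_values; }

private:
    std::vector<int64_t> m_values;
    bool m_overflowed = false;
    bool m_needsOverflowCheck = false;
};

// Stand-in for the engine's OutOfMemoryError (hypothetical type).
struct OutOfMemoryError : std::runtime_error {
    OutOfMemoryError() : std::runtime_error("Out of memory") {}
};

// Client pattern from the entry: fill the buffer from an input whose length
// the caller does not control, check once, then proceed or throw OOM.
// Returns the number of arguments that will be passed to the callee.
size_t collectArguments(const std::vector<int64_t>& input)
{
    ArgumentBuffer args;
    for (int64_t value : input)
        args.append(value);
    if (args.hasOverflowed())
        throw OutOfMemoryError();
    return args.size();
}

// Boolean wrapper for callers that prefer no exception.
bool argumentsFit(const std::vector<int64_t>& input)
{
    try {
        collectArguments(input);
        return true;
    } catch (const OutOfMemoryError&) {
        return false;
    }
}

int main()
{
    // Eight arguments fit; nine do not.
    bool ok = collectArguments(std::vector<int64_t>(8, 1)) == 8
        && !argumentsFit(std::vector<int64_t>(9, 1));
    return ok ? 0 : 1;
}
```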
2112 2017-11-01 Michael Saboff <msaboff@apple.com>
2114 Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2115 https://bugs.webkit.org/show_bug.cgi?id=179140
2117 Reviewed by Saam Barati.
2119 Added overflow checks to computation of arg count plus this.
2121 * dfg/DFGSpeculativeJIT32_64.cpp:
2122 (JSC::DFG::SpeculativeJIT::compile):
2123 * dfg/DFGSpeculativeJIT64.cpp:
2124 (JSC::DFG::SpeculativeJIT::compile):
2125 * ftl/FTLLowerDFGToB3.cpp:
2126 (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2128 2017-11-01 Yusuke Suzuki <utatane.tea@gmail.com>
2130 Unreviewed, use weakPointer instead of FTLOutput::weakPointer
2131 https://bugs.webkit.org/show_bug.cgi?id=178934
2133 * ftl/FTLLowerDFGToB3.cpp:
2134 (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2136 2017-11-01 Yusuke Suzuki <utatane.tea@gmail.com>
2138 [JSC] Introduce @toObject
2139 https://bugs.webkit.org/show_bug.cgi?id=178726
2141 Reviewed by Saam Barati.
2143 This patch introduces the @toObject intrinsic. We also introduce the op_to_object bytecode and the DFG ToObject node.
2144 Previously we emulated @toObject behavior in builtin JS, but that consumes a lot of bytecode, while @toObject
2145 is frequently seen and clearly defined in the spec. Furthermore, the emulated @toObject always calls
2146 ObjectConstructor in LLInt and Baseline.
2148 We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
2149 offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
2151 if (this === @undefined || this === null)
2152 @throwTypeError("error message");
2153 var object = @Object(this);
2157 var object = @toObject(this, "error message");
2159 And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
2160 ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
2161 In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
2163 It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.
2165 * builtins/ArrayConstructor.js:
2167 * builtins/ArrayPrototype.js:
2183 (globalPrivate.concatSlowPath):
2185 * builtins/DatePrototype.js:
2186 (toLocaleString.toDateTimeOptionsAnyAll):
2188 (toLocaleDateString.toDateTimeOptionsDateDate):
2189 (toLocaleDateString):
2190 (toLocaleTimeString.toDateTimeOptionsTimeTime):
2191 (toLocaleTimeString):
2192 * builtins/GlobalOperations.js:
2193 (globalPrivate.copyDataProperties):
2194 (globalPrivate.copyDataPropertiesNoExclusions):
2195 * builtins/ObjectConstructor.js:
2197 * builtins/StringConstructor.js:
2199 * builtins/TypedArrayConstructor.js:
2201 * builtins/TypedArrayPrototype.js:
2204 * bytecode/BytecodeDumper.cpp:
2205 (JSC::BytecodeDumper<Block>::dumpBytecode):
2206 * bytecode/BytecodeIntrinsicRegistry.h:
2207 * bytecode/BytecodeList.json:
2208 * bytecode/BytecodeUseDef.h:
2209 (JSC::computeUsesForBytecodeOffset):
2210 (JSC::computeDefsForBytecodeOffset):
2211 * bytecode/CodeBlock.cpp:
2212 (JSC::CodeBlock::finishCreation):
2213 * bytecompiler/BytecodeGenerator.cpp:
2214 (JSC::BytecodeGenerator::emitToObject):
2215 * bytecompiler/BytecodeGenerator.h:
2216 * bytecompiler/NodesCodegen.cpp:
2217 (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2218 * dfg/DFGAbstractInterpreterInlines.h:
2219 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2220 * dfg/DFGByteCodeParser.cpp:
2221 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2222 (JSC::DFG::ByteCodeParser::parseBlock):
2223 * dfg/DFGCapabilities.cpp:
2224 (JSC::DFG::capabilityLevel):
2225 * dfg/DFGClobberize.h:
2226 (JSC::DFG::clobberize):
2227 * dfg/DFGDoesGC.cpp:
2229 * dfg/DFGFixupPhase.cpp:
2230 (JSC::DFG::FixupPhase::fixupNode):
2231 (JSC::DFG::FixupPhase::fixupToObject):
2232 (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
2234 (JSC::DFG::Node::convertToCallObjectConstructor):
2235 (JSC::DFG::Node::convertToNewStringObject):
2236 (JSC::DFG::Node::convertToNewObject):
2237 (JSC::DFG::Node::hasIdentifier):
2238 (JSC::DFG::Node::hasHeapPrediction):
2239 (JSC::DFG::Node::hasCellOperand):
2240 * dfg/DFGNodeType.h:
2241 * dfg/DFGOperations.cpp:
2242 * dfg/DFGOperations.h:
2243 * dfg/DFGPredictionPropagationPhase.cpp:
2244 * dfg/DFGSafeToExecute.h:
2245 (JSC::DFG::safeToExecute):
2246 * dfg/DFGSpeculativeJIT.cpp:
2247 (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2248 (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
2249 * dfg/DFGSpeculativeJIT.h:
2250 (JSC::DFG::SpeculativeJIT::callOperation):
2251 * dfg/DFGSpeculativeJIT32_64.cpp:
2252 (JSC::DFG::SpeculativeJIT::compile):
2253 * dfg/DFGSpeculativeJIT64.cpp:
2254 (JSC::DFG::SpeculativeJIT::compile):
2255 * ftl/FTLCapabilities.cpp:
2256 (JSC::FTL::canCompile):
2257 * ftl/FTLLowerDFGToB3.cpp:
2258 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2259 (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
2260 (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
2262 (JSC::JIT::privateCompileMainPass):
2263 (JSC::JIT::privateCompileSlowCases):
2265 * jit/JITOpcodes.cpp:
2266 (JSC::JIT::emit_op_to_object):
2267 (JSC::JIT::emitSlow_op_to_object):
2268 * jit/JITOpcodes32_64.cpp:
2269 (JSC::JIT::emit_op_to_object):
2270 (JSC::JIT::emitSlow_op_to_object):
2271 * jit/JITOperations.cpp:
2272 * jit/JITOperations.h:
2273 * llint/LowLevelInterpreter32_64.asm:
2274 * llint/LowLevelInterpreter64.asm:
2275 * runtime/CommonSlowPaths.cpp:
2276 (JSC::SLOW_PATH_DECL):
2277 * runtime/CommonSlowPaths.h:
2279 2017-11-01 Fujii Hironori <Hironori.Fujii@sony.com>
2281 Use LazyNeverDestroyed instead of DEFINE_GLOBAL
2282 https://bugs.webkit.org/show_bug.cgi?id=174979
2284 Reviewed by Yusuke Suzuki.
2286 * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
2288 2017-10-27 Yusuke Suzuki <utatane.tea@gmail.com>
2290 [DFG][FTL] Introduce StringSlice
2291 https://bugs.webkit.org/show_bug.cgi?id=178934
2293 Reviewed by Saam Barati.
2295 String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
2296 This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
2298 This patch's StringSlice node optimizes the following things.
2300 1. Empty string generation is accelerated. It is fully executed inline.
2301 2. One char string generation is accelerated. `< 0x100` characters are supported right now.
2302 It is the same as the charAt acceleration.
2303 3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
2306 We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
2307 And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
2308 in subsequent changes.
2310 This patch improves ARES-6/Babylon performance by 3% in steady state.
2313 Running... Babylon ( 1 to go)
2314 firstIteration: 50.05 +- 13.68 ms
2315 averageWorstCase: 16.80 +- 1.27 ms
2316 steadyState: 7.53 +- 0.22 ms
2319 Running... Babylon ( 1 to go)
2320 firstIteration: 50.91 +- 13.41 ms
2321 averageWorstCase: 16.12 +- 0.99 ms
2322 steadyState: 7.30 +- 0.29 ms
2324 * dfg/DFGAbstractInterpreterInlines.h:
2325 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2326 * dfg/DFGBackwardsPropagationPhase.cpp:
2327 (JSC::DFG::BackwardsPropagationPhase::propagate):
2328 * dfg/DFGByteCodeParser.cpp:
2329 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2330 * dfg/DFGClobberize.h:
2331 (JSC::DFG::clobberize):
2332 * dfg/DFGDoesGC.cpp:
2334 * dfg/DFGFixupPhase.cpp:
2335 (JSC::DFG::FixupPhase::fixupNode):
2336 * dfg/DFGNodeType.h:
2337 * dfg/DFGOperations.cpp:
2338 * dfg/DFGOperations.h:
2339 * dfg/DFGPredictionPropagationPhase.cpp:
2340 * dfg/DFGSafeToExecute.h:
2341 (JSC::DFG::safeToExecute):
2342 * dfg/DFGSpeculativeJIT.cpp:
2343 (JSC::DFG::SpeculativeJIT::compileStringSlice):
2344 (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
2345 (JSC::DFG::SpeculativeJIT::compileArraySlice):
2346 (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2347 * dfg/DFGSpeculativeJIT.h:
2348 (JSC::DFG::SpeculativeJIT::callOperation):
2349 * dfg/DFGSpeculativeJIT32_64.cpp:
2350 (JSC::DFG::SpeculativeJIT::compile):
2351 * dfg/DFGSpeculativeJIT64.cpp:
2352 (JSC::DFG::SpeculativeJIT::compile):
2353 * ftl/FTLCapabilities.cpp:
2354 (JSC::FTL::canCompile):
2355 * ftl/FTLLowerDFGToB3.cpp:
2356 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2357 (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
2358 (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2359 (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2360 * jit/JITOperations.h:
2361 * runtime/Intrinsic.cpp:
2362 (JSC::intrinsicName):
2363 * runtime/Intrinsic.h:
2364 * runtime/StringPrototype.cpp:
2365 (JSC::StringPrototype::finishCreation):
2367 2017-10-31 JF Bastien <jfbastien@apple.com>
2369 WebAssembly: Wasm::IndexOrName has a raw pointer to Name
2370 https://bugs.webkit.org/show_bug.cgi?id=176644
2372 Reviewed by Michael Saboff.
2374 IndexOrName now keeps a RefPtr to its original NameSection, which
2375 holds the Name (or references nullptr if Index). Holding onto the
2376 entire section seems like the better thing to do, since backtraces
2377 probably contain multiple names from the same Module.
2379 * JavaScriptCore.xcodeproj/project.pbxproj:
2380 * interpreter/Interpreter.cpp:
2381 (JSC::GetStackTraceFunctor::operator() const):
2382 * interpreter/StackVisitor.h: Frame is no longer POD because of the
2384 * runtime/StackFrame.cpp:
2385 (JSC::StackFrame::StackFrame):
2386 * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
2387 (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
2388 (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
2389 * wasm/WasmBBQPlanInlines.h:
2390 (JSC::Wasm::BBQPlan::initializeCallees):
2391 * wasm/WasmCallee.cpp:
2392 (JSC::Wasm::Callee::Callee):
2393 * wasm/WasmCallee.h:
2394 (JSC::Wasm::Callee::create):
2395 * wasm/WasmFormat.h: Move NameSection to its own header.
2396 (JSC::Wasm::isValidNameType):
2397 (JSC::Wasm::NameSection::get): Deleted.
2398 * wasm/WasmIndexOrName.cpp:
2399 (JSC::Wasm::IndexOrName::IndexOrName):
2400 (JSC::Wasm::makeString):
2401 * wasm/WasmIndexOrName.h:
2402 (JSC::Wasm::IndexOrName::IndexOrName):
2403 (JSC::Wasm::IndexOrName::isEmpty const):
2404 (JSC::Wasm::IndexOrName::isIndex const):
2405 * wasm/WasmModuleInformation.cpp:
2406 (JSC::Wasm::ModuleInformation::ModuleInformation):
2407 * wasm/WasmModuleInformation.h:
2408 (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
2409 * wasm/WasmNameSection.h:
2410 (JSC::Wasm::NameSection::get):
2411 (JSC::Wasm::NameSection::create): Deleted.
2412 * wasm/WasmNameSectionParser.cpp:
2413 (JSC::Wasm::NameSectionParser::parse):
2414 * wasm/WasmNameSectionParser.h:
2415 * wasm/WasmOMGPlan.cpp:
2416 (JSC::Wasm::OMGPlan::work):
2418 2017-10-31 Tim Horton <timothy_horton@apple.com>
2420 Clean up some drag and drop feature flags
2421 https://bugs.webkit.org/show_bug.cgi?id=179082
2423 Reviewed by Simon Fraser.
2425 * Configurations/FeatureDefines.xcconfig:
2427 2017-10-31 Commit Queue <commit-queue@webkit.org>
2429 Unreviewed, rolling out r224243, r224246, and r224248.
2430 https://bugs.webkit.org/show_bug.cgi?id=179083
2432 The patch and fix broke the Windows build. (Requested by
2433 mlewis13 on #webkit).
2435 Reverted changesets:
2437 "StructureStubInfo should have GPRReg members not int8_ts"
2438 https://bugs.webkit.org/show_bug.cgi?id=179071
2439 https://trac.webkit.org/changeset/224243
2441 "Make all register enums be backed by uint8_t."
2442 https://bugs.webkit.org/show_bug.cgi?id=179074
2443 https://trac.webkit.org/changeset/224246
2445 "Unreviewed, windows build fix."
2446 https://trac.webkit.org/changeset/224248
2448 2017-10-31 Tim Horton <timothy_horton@apple.com>
2450 Fix up some content filtering feature flags
2451 https://bugs.webkit.org/show_bug.cgi?id=179079
2453 Reviewed by Simon Fraser.
2455 * Configurations/FeatureDefines.xcconfig:
2457 2017-10-31 Keith Miller <keith_miller@apple.com>
2459 Unreviewed, windows build fix.
2461 * assembler/X86Assembler.h:
2462 (JSC::X86Assembler::numberOfRegisters):
2463 (JSC::X86Assembler::numberOfSPRegisters):
2464 (JSC::X86Assembler::numberOfFPRegisters):
2466 2017-10-31 Keith Miller <keith_miller@apple.com>
2468 Make all register enums be backed by uint8_t.
2469 https://bugs.webkit.org/show_bug.cgi?id=179074
2471 Reviewed by Mark Lam.
2473 * assembler/ARM64Assembler.h:
2474 * assembler/ARMAssembler.h:
2475 * assembler/ARMv7Assembler.h:
2476 * assembler/MIPSAssembler.h:
2477 * assembler/MacroAssembler.h:
2478 * assembler/X86Assembler.h:
2480 2017-10-31 Keith Miller <keith_miller@apple.com>
2482 StructureStubInfo should have GPRReg members not int8_ts
2483 https://bugs.webkit.org/show_bug.cgi?id=179071
2485 Reviewed by Michael Saboff.
2487 This patch makes the various RegisterID enums be backed by
2488 uint8_t. This means that we can remove the old int8_t members in
2489 StructureStubInfo and replace them with the correct enum types.
2491 Also, this fixes an indentation issue in ARMv7Assembler.h.
2493 * assembler/ARM64Assembler.h:
2494 * assembler/ARMAssembler.h:
2495 * assembler/ARMv7Assembler.h:
2496 (JSC::ARMRegisters::asSingle):
2497 (JSC::ARMRegisters::asDouble):
2498 * assembler/MIPSAssembler.h:
2499 * assembler/X86Assembler.h:
2500 * bytecode/InlineAccess.cpp:
2501 (JSC::InlineAccess::generateSelfPropertyAccess):
2502 (JSC::getScratchRegister):
2503 * bytecode/PolymorphicAccess.cpp:
2504 (JSC::PolymorphicAccess::regenerate):
2505 * bytecode/StructureStubInfo.h:
2506 (JSC::StructureStubInfo::valueRegs const):
2507 * dfg/DFGSpeculativeJIT.cpp:
2508 (JSC::DFG::SpeculativeJIT::compileIn):
2509 * ftl/FTLLowerDFGToB3.cpp:
2510 (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2511 * jit/JITInlineCacheGenerator.cpp:
2512 (JSC::JITByIdGenerator::JITByIdGenerator):
2513 (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
2515 2017-10-31 Devin Rousso <webkit@devinrousso.com>
2517 Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
2518 https://bugs.webkit.org/show_bug.cgi?id=179048
2520 Reviewed by Mark Lam.
2522 * inspector/ScriptCallStackFactory.h:
2523 * inspector/ScriptCallStackFactory.cpp:
2524 (createScriptCallStack):
2525 (createScriptCallStackForConsole):
2526 (createScriptCallStackFromException):
2528 * inspector/ConsoleMessage.cpp:
2529 (Inspector::ConsoleMessage::autogenerateMetadata):
2530 * inspector/JSGlobalObjectInspectorController.cpp:
2531 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2532 * inspector/agents/InspectorConsoleAgent.cpp:
2533 (Inspector::InspectorConsoleAgent::count):
2534 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2535 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2537 2017-10-31 Carlos Garcia Campos <cgarcia@igalia.com>
2539 Unreviewed. Fix GTK+ make distcheck.
2541 Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
2545 2017-10-30 Saam Barati <sbarati@apple.com>
2547 We need a storeStoreFence before storing to the instruction stream's live variable catch data
2548 https://bugs.webkit.org/show_bug.cgi?id=178649
2550 Reviewed by Keith Miller.
2552 * bytecode/CodeBlock.cpp:
2553 (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2555 2017-10-30 Michael Catanzaro <mcatanzaro@igalia.com>
2557 [WPE] Fix build warnings
2558 https://bugs.webkit.org/show_bug.cgi?id=178899
2560 Reviewed by Carlos Alberto Lopez Perez.
2562 * PlatformWPE.cmake:
2564 2017-10-30 Zan Dobersek <zdobersek@igalia.com>
2566 [ARMv7] Fix initial start register support in YarrJIT
2567 https://bugs.webkit.org/show_bug.cgi?id=178641
2569 Reviewed by Saam Barati.
2571 * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
2572 YarrGenerator class. r6 should be avoided since it's already used inside
2573 MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
2574 can be used as the frame pointer register when targeting ARM Thumb2.
2576 2017-10-30 Zan Dobersek <zdobersek@igalia.com>
2578 [ARM64][Linux] Re-enable Gigacage
2579 https://bugs.webkit.org/show_bug.cgi?id=178130
2581 Reviewed by Michael Catanzaro.
2583 Guard the current globaladdr opcode implementation for ARM64 with
2584 OS(DARWIN) as it's only usable for Mach-O.
2586 For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
2587 have to be used. The .loh directive can't be used as it's not supported
2588 in GCC or the ld linker.
2590 On every other OS target, a compilation error is thrown.
2592 * offlineasm/arm64.rb:
2594 2017-10-27 Devin Rousso <webkit@devinrousso.com>
2596 Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
2597 https://bugs.webkit.org/show_bug.cgi?id=178799
2598 <rdar://problem/35175805>
2600 Reviewed by Brian Burg.
2602 * inspector/protocol/Canvas.json:
2603 Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
2605 2017-10-27 Yusuke Suzuki <utatane.tea@gmail.com>
2607 [JSC] Tweak ES6 generator function to allow inlining
2608 https://bugs.webkit.org/show_bug.cgi?id=178935
2610 Reviewed by Saam Barati.
2612 We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
2613 This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
2614 them to be inlined in DFG.
2618 spread-generator.es6 301.2637+-11.1011 ^ 260.5905+-14.2258 ^ definitely 1.1561x faster
2619 generator.es6 269.6030+-13.2435 ^ 148.8840+-6.7614 ^ definitely 1.8108x faster
2621 * builtins/GeneratorPrototype.js:
2622 (globalPrivate.generatorResume):
2627 2017-10-27 Saam Barati <sbarati@apple.com>
2629 Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
2630 https://bugs.webkit.org/show_bug.cgi?id=178949
2632 Reviewed by Keith Miller.
2634 This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
2635 so that we don't need to recompute liveness for the same UnlinkedCodeBlock
2636 more than once. To do this, this patch solidifies the invariant that CodeBlock
2637 linking can't do anything that would change the result of liveness. For example,
2638 it can't introduce new locals. This invariant was met by JSC before, because we
2639 didn't do anything in bytecode linking that would change liveness. However, it is
2640 now a correctness requirement that we don't do anything that would change the
2641 result of running liveness. To support this change, I've refactored BytecodeGraph
2642 to not be tied to a CodeBlockType*. Things that perform liveness will pass in
2643 CodeBlockType* and the instruction stream as needed. This means that we may
2644 compute liveness with one CodeBlock*'s instruction stream, and then perform
2645 queries on that analysis with a different CodeBlock*'s instruction stream.
2647 This seems to be a 2% JSBench progression.
2649 * bytecode/BytecodeGeneratorification.cpp:
2650 (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2651 (JSC::BytecodeGeneratorification::graph):
2652 (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2653 (JSC::GeneratorLivenessAnalysis::run):
2654 (JSC::BytecodeGeneratorification::run):
2655 * bytecode/BytecodeGraph.h:
2656 (JSC::BytecodeGraph::BytecodeGraph):
2657 (JSC::BytecodeGraph::codeBlock const): Deleted.
2658 (JSC::BytecodeGraph::instructions): Deleted.
2659 (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
2660 * bytecode/BytecodeLivenessAnalysis.cpp:
2661 (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
2662 (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2663 (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2664 (JSC::BytecodeLivenessAnalysis::computeKills):
2665 (JSC::BytecodeLivenessAnalysis::dumpResults):
2666 (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
2667 (JSC::BytecodeLivenessAnalysis::compute): Deleted.
2668 * bytecode/BytecodeLivenessAnalysis.h:
2669 * bytecode/BytecodeLivenessAnalysisInlines.h:
2670 (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2671 (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
2672 (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
2673 (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
2674 (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
2675 * bytecode/BytecodeRewriter.cpp:
2676 (JSC::BytecodeRewriter::applyModification):
2677 (JSC::BytecodeRewriter::execute):
2678 (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
2679 * bytecode/BytecodeRewriter.h:
2680 (JSC::BytecodeRewriter::BytecodeRewriter):
2681 (JSC::BytecodeRewriter::removeBytecode):
2682 (JSC::BytecodeRewriter::graph):
2683 * bytecode/CodeBlock.cpp:
2684 (JSC::CodeBlock::finishCreation):
2685 (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2686 (JSC::CodeBlock::validate):
2687 (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
2688 * bytecode/CodeBlock.h:
2689 (JSC::CodeBlock::livenessAnalysis):
2690 * bytecode/UnlinkedCodeBlock.cpp:
2691 (JSC::UnlinkedCodeBlock::applyModification):
2692 (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
2693 * bytecode/UnlinkedCodeBlock.h:
2694 (JSC::UnlinkedCodeBlock::livenessAnalysis):
2696 (JSC::DFG::Graph::livenessFor):
2697 (JSC::DFG::Graph::killsFor):
2699 (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2701 (JSC::JIT::privateCompileMainPass):
2703 2017-10-27 Keith Miller <keith_miller@apple.com>
2705 Add unified source list files and build scripts to Xcode project navigator
2706 https://bugs.webkit.org/show_bug.cgi?id=178959
2708 Reviewed by Andy Estes.
2710 Also, add some extra source files so that new .cpp/.mm files don't cause the build
2711 to fail right away. We already do this in WebCore.
2713 * JavaScriptCore.xcodeproj/project.pbxproj:
2714 * PlatformMac.cmake:
2715 * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
2717 2017-10-27 JF Bastien <jfbastien@apple.com>
2719 WebAssembly: update arbitrary limits to what browsers use
2720 https://bugs.webkit.org/show_bug.cgi?id=178946
2721 <rdar://problem/34257412>
2722 <rdar://problem/34501154>
2724 Reviewed by Saam Barati.
2726 https://github.com/WebAssembly/design/issues/1138 discusses the
2727 arbitrary function size limit, which it turns out Chrome and
2728 Firefox didn't enforce. We didn't use it because it was
2729 ridiculously low and actual programs ran into that limit (bummer
2730 for Edge which just shipped it...). Now that we agree on a high
2731 arbitrary program limit, let's update it! While I'm doing this
2732 there are a few other spots that I polished to use Checked or
2733 better check limits overall.
2735 * wasm/WasmB3IRGenerator.cpp:
2736 (JSC::Wasm::B3IRGenerator::addLocal):
2737 * wasm/WasmFormat.cpp:
2738 (JSC::Wasm::Segment::create):
2739 * wasm/WasmFunctionParser.h:
2740 (JSC::Wasm::FunctionParser<Context>::parse):
2741 * wasm/WasmInstance.cpp:
2742 * wasm/WasmLimits.h:
2743 * wasm/WasmModuleParser.cpp:
2744 (JSC::Wasm::ModuleParser::parseGlobal):
2745 (JSC::Wasm::ModuleParser::parseCode):
2746 (JSC::Wasm::ModuleParser::parseData):
2747 * wasm/WasmSignature.h:
2748 (JSC::Wasm::Signature::allocatedSize):
2749 * wasm/WasmTable.cpp:
2750 (JSC::Wasm::Table::Table):
2751 * wasm/js/JSWebAssemblyTable.cpp:
2752 (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2753 (JSC::JSWebAssemblyTable::grow):
2755 2017-10-26 Michael Saboff <msaboff@apple.com>
2757 REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2758 https://bugs.webkit.org/show_bug.cgi?id=178890
2760 Reviewed by Keith Miller.
2762 We need to let a contained subpattern backtrack before declaring that the containing
2763 parenthesis doesn't match. If the subpattern fails to match backtracking, then we
2764 can check to see if we are trying to backtrack below the minimum match count.
2766 * yarr/YarrInterpreter.cpp:
2767 (JSC::Yarr::Interpreter::backtrackParentheses):
2769 2017-10-26 Mark Lam <mark.lam@apple.com>
2771 JSRopeString::RopeBuilder::append() should check for overflows.
2772 https://bugs.webkit.org/show_bug.cgi?id=178385
2773 <rdar://problem/35027468>
2775 Reviewed by Saam Barati.
2777 1. Made RopeString check for overflow like the Checked class does.
2778 2. Added a missing overflow check in objectProtoFuncToString().
2780 * runtime/JSString.cpp:
2781 (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
2782 (JSC::JSRopeString::RopeBuilder::expand): Deleted.
2783 * runtime/JSString.h:
2784 * runtime/ObjectPrototype.cpp:
2785 (JSC::objectProtoFuncToString):
2786 * runtime/Operations.h:
2787 (JSC::jsStringFromRegisterArray):
2788 (JSC::jsStringFromArguments):
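The overflow-recording length accumulation this entry describes, shown as an added C++ illustration rather than WebKit's own RopeBuilder or Checked code; `kMaxStringLength`, `Fiber`, `CheckedLength`, `RopeBuilder` and `objectToStringLength` are assumed names, and the limit value is a constructed stand-in for JSString's real maximum.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Assumed stand-in for the engine's maximum string length (not WebKit's constant).
constexpr uint32_t kMaxStringLength = std::numeric_limits<int32_t>::max();

// A rope fiber only matters by its length here; contents are irrelevant.
struct Fiber {
    uint32_t length;
};

// Sticky overflow accumulator in the spirit of Checked<T, RecordOverflow>:
// once an addition would exceed the limit, every later query reports
// overflow, so a forgotten check at one call site cannot hide the condition.
class CheckedLength {
public:
    void add(uint32_t n)
    {
        if (m_overflowed)
            return;
        // m_value <= kMaxStringLength always holds, so the subtraction cannot
        // underflow and the comparison catches both a plain uint32_t wrap and
        // a sum that is representable but larger than the limit.
        if (n > kMaxStringLength - m_value) {
            m_overflowed = true;
            return;
        }
        m_value += n;
    }
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t unsafeGet() const { return m_value; } // only meaningful when !hasOverflowed()

private:
    uint32_t m_value = 0;
    bool m_overflowed = false;
};

// Minimal rope builder: records fibers and their running total length, and
// refuses further appends once the total can no longer be represented.
class RopeBuilder {
public:
    bool append(const Fiber& fiber)
    {
        if (m_length.hasOverflowed())
            return false;
        m_length.add(fiber.length);
        if (m_length.hasOverflowed())
            return false;
        m_fibers.push_back(fiber);
        return true;
    }
    bool hasOverflowed() const { return m_length.hasOverflowed(); }
    uint32_t length() const { return m_length.unsafeGet(); }
    std::size_t fiberCount() const { return m_fibers.size(); }

private:
    CheckedLength m_length;
    std::vector<Fiber> m_fibers;
};

// Models the "[object " + className + "]" concatenation the entry says was
// missing a check. Returns the resulting length, or 0 with ok=false when the
// class name would push the result past the limit.
uint32_t objectToStringLength(uint32_t classNameLength, bool& ok)
{
    RopeBuilder builder;
    ok = builder.append(Fiber { 8 })               // "[object "
        && builder.append(Fiber { classNameLength })
        && builder.append(Fiber { 1 });            // "]"
    return ok ? builder.length() : 0;
}
```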
2790 2017-10-26 JF Bastien <jfbastien@apple.com>
2792 WebAssembly: no VM / JS version of our implementation
2793 https://bugs.webkit.org/show_bug.cgi?id=177472
2795 Reviewed by Michael Saboff.
2797 This patch removes all appearances of "JS" and "VM" in the wasm
2798 directory. These now only appear in the wasm/js directory, which
2799 is only used in a JS embedding of wasm. It should therefore now be
2800 possible to create non-JS embeddings of wasm through JSC, though
2801 it'll still require:
2803 - Mild codegen for wasm<->embedder calls;
2804 - A strategy for trap handling (no need for full unwind! Could kill).
2805 - Creation of the Wasm::* objects.
2806 - Calling convention handling to call the embedder.
2807 - Handling of multiple embedders (see #177475, this is optional).
2809 Most of the patch consists of renaming JSWebAssemblyInstance to
2810 Instance, and removing temporary copies which I'd added to make
2811 this specific patch very simple.
2813 * interpreter/CallFrame.cpp:
2814 (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place
2815 which needs to know about who "owns" the Wasm::Instance. In a JS
2816 embedding it's the JSWebAssemblyInstance.
2817 * wasm/WasmB3IRGenerator.cpp:
2818 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2819 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2820 (JSC::Wasm::B3IRGenerator::addGrowMemory):
2821 (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2822 (JSC::Wasm::B3IRGenerator::getGlobal):
2823 (JSC::Wasm::B3IRGenerator::setGlobal):
2824 (JSC::Wasm::B3IRGenerator::addCall):
2825 (JSC::Wasm::B3IRGenerator::addCallIndirect):
2826 * wasm/WasmBinding.cpp:
2827 (JSC::Wasm::wasmToWasm):
2828 * wasm/WasmContext.cpp:
2829 (JSC::Wasm::Context::load const):
2830 (JSC::Wasm::Context::store):
2831 * wasm/WasmContext.h:
2832 * wasm/WasmEmbedder.h:
2833 * wasm/WasmInstance.cpp:
2834 (JSC::Wasm::Instance::Instance):
2835 (JSC::Wasm::Instance::create):
2836 (JSC::Wasm::Instance::extraMemoryAllocated const):
2837 * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
2838 "tail" import information from JSWebAssemblyInstance over to here.
2839 (JSC::Wasm::Instance::finalizeCreation):
2840 (JSC::Wasm::Instance::owner const):
2841 (JSC::Wasm::Instance::offsetOfOwner):
2842 (JSC::Wasm::Instance::context const):
2843 (JSC::Wasm::Instance::setMemory):
2844 (JSC::Wasm::Instance::setTable):
2845 (JSC::Wasm::Instance::offsetOfMemory):
2846 (JSC::Wasm::Instance::offsetOfGlobals):
2847 (JSC::Wasm::Instance::offsetOfTable):
2848 (JSC::Wasm::Instance::offsetOfTail):
2849 (JSC::Wasm::Instance::numImportFunctions const):
2850 (JSC::Wasm::Instance::importFunctionInfo):
2851 (JSC::Wasm::Instance::offsetOfTargetInstance):
2852 (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
2853 (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
2854 (JSC::Wasm::Instance::offsetOfImportFunction):
2855 (JSC::Wasm::Instance::importFunction):
2856 (JSC::Wasm::Instance::allocationSize):
2857 (JSC::Wasm::Instance::create): Deleted.
2858 * wasm/WasmOMGPlan.cpp:
2859 (JSC::Wasm::OMGPlan::runForIndex):
2860 * wasm/WasmOMGPlan.h:
2861 * wasm/WasmTable.cpp:
2862 (JSC::Wasm::Table::Table):
2863 (JSC::Wasm::Table::setFunction):
2865 * wasm/WasmThunks.cpp:
2866 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2867 (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2868 * wasm/js/JSToWasm.cpp:
2869 (JSC::Wasm::createJSToWasmWrapper):
2870 * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
2871 (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
2872 decides what the import function is. Here we must properly
2873 placement-new it to what we've elected (and initialize it later).
2874 (JSC::JSWebAssemblyInstance::visitChildren):
2875 (JSC::JSWebAssemblyInstance::finalizeCreation):
2876 (JSC::JSWebAssemblyInstance::create):
2877 * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
2878 (JSC::JSWebAssemblyInstance::instance):
2879 (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
2880 (JSC::JSWebAssemblyInstance::setMemory):
2881 (JSC::JSWebAssemblyInstance::table):
2882 (JSC::JSWebAssemblyInstance::setTable):
2883 (JSC::JSWebAssemblyInstance::offsetOfInstance):
2884 (JSC::JSWebAssemblyInstance::offsetOfCallee):
2885 (JSC::JSWebAssemblyInstance::context const): Deleted.
2886 (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
2888 (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
2889 (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
2890 (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
2891 (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
2892 (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
2893 (JSC::JSWebAssemblyInstance::importFunction): Deleted.
2894 (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
2895 (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
2896 (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
2897 (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
2898 (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
2899 (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
2900 (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
2901 (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
2902 (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
2903 (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
2904 (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
2905 (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
2906 (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
2907 (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
2908 * wasm/js/JSWebAssemblyTable.cpp:
2909 (JSC::JSWebAssemblyTable::setFunction):
2910 * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
2911 (JSC::Wasm::materializeImportJSCell):
2912 (JSC::Wasm::handleBadI64Use):
2913 (JSC::Wasm::wasmToJS):
2914 (JSC::Wasm::wasmToJSException):
2915 * wasm/js/WasmToJS.h:
2916 * wasm/js/WebAssemblyFunction.cpp:
2917 (JSC::callWebAssemblyFunction):
2918 * wasm/js/WebAssemblyInstanceConstructor.cpp:
2919 (JSC::constructJSWebAssemblyInstance):
2920 * wasm/js/WebAssemblyModuleRecord.cpp:
2921 (JSC::WebAssemblyModuleRecord::link):
2922 (JSC::WebAssemblyModuleRecord::evaluate):
2923 * wasm/js/WebAssemblyPrototype.cpp:
2925 * wasm/js/WebAssemblyWrapperFunction.cpp:
2926 (JSC::WebAssemblyWrapperFunction::create):
2928 2017-10-25 Devin Rousso <webkit@devinrousso.com>
2930 Web Inspector: provide a way to enable/disable event listeners
2931 https://bugs.webkit.org/show_bug.cgi?id=177451
2932 <rdar://problem/34994925>
2934 Reviewed by Joseph Pecoraro.
2936 * inspector/protocol/DOM.json:
2937 Add `setEventListenerDisabled` command that enables/disables a specific event listener
2938 during event dispatch. When a disabled event listener is fired, the listener's callback will
2941 2017-10-25 Commit Queue <commit-queue@webkit.org>
2943 Unreviewed, rolling out r223691 and r223729.
2944 https://bugs.webkit.org/show_bug.cgi?id=178834
2946 Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2947 by rniwa on #webkit).
2949 Reverted changesets:
2951 "Turn recursive tail calls into loops"
2952 https://bugs.webkit.org/show_bug.cgi?id=176601
2953 https://trac.webkit.org/changeset/223691
2955 "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2956 comparison is always false due to limited range of data type
2958 https://bugs.webkit.org/show_bug.cgi?id=178543
2959 https://trac.webkit.org/changeset/223729
2961 2017-10-25 Michael Saboff <msaboff@apple.com>
2963 REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
2964 https://bugs.webkit.org/show_bug.cgi?id=178825
2966 Reviewed by Mark Lam.
2968 Enable ARC for ARM64_32. This eliminates the need for setting CLANG_ENABLE_OBJC_WEAK.
2970 * Configurations/ToolExecutable.xcconfig:
2972 2017-10-25 Keith Miller <keith_miller@apple.com>
2974 Fix implicit cast of enum, which seems to break the windows build of unified sources.
2975 https://bugs.webkit.org/show_bug.cgi?id=178822
2977 Reviewed by Saam Barati.
2979 * bytecode/DFGExitProfile.h:
2980 (JSC::DFG::FrequentExitSite::hash const):
2982 2017-10-24 Michael Saboff <msaboff@apple.com>
2984 Allow ObjC Weak References when building TestAPI
2985 https://bugs.webkit.org/show_bug.cgi?id=178748
2987 Reviewed by Dan Bernstein.
2989 Set TestAPI build flag Weak References in Manual Retain Release to true.
2991 * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
2992 * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
2994 2017-10-24 Eric Carlson <eric.carlson@apple.com>
2996 Web Inspector: Enable WebKit logging configuration and display
2997 https://bugs.webkit.org/show_bug.cgi?id=177027
2998 <rdar://problem/33964767>
3000 Reviewed by Joseph Pecoraro.
3002 * inspector/ConsoleMessage.cpp:
3003 (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage ->
3004 Inspector::Protocol::Console::ChannelSource.
3005 * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
3006 (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
3007 specific to a JSContext yet, so return an empty channel array.
3008 (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
3009 * inspector/agents/JSGlobalObjectConsoleAgent.h:
3011 * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
3012 and setLoggingChannelLevel.
3014 * inspector/scripts/codegen/generator.py: Special case "webrtc"-> "WebRTC".
3015 * inspector/scripts/tests/generic/expected/enum-values.json-result:
3016 * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3017 * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3018 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3019 * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3021 * runtime/ConsoleTypes.h: Add Media and WebRTC.
3023 2017-10-24 Michael Saboff <msaboff@apple.com>
3025 Allow ObjC Weak References when building TestAPI
3026 https://bugs.webkit.org/show_bug.cgi?id=178748
3028 Reviewed by Saam Barati.
3030 Set TestAPI build flag Weak References in Manual Retain Release to true.
3032 * JavaScriptCore.xcodeproj/project.pbxproj:
3034 2017-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
3036 [FTL] Support NewStringObject
3037 https://bugs.webkit.org/show_bug.cgi?id=178737
3039 Reviewed by Saam Barati.
3041 FTL should support NewStringObject and encourage use of NewStringObject in DFG pipeline.
3042 After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
3044 * ftl/FTLAbstractHeapRepository.h:
3045 * ftl/FTLCapabilities.cpp:
3046 (JSC::FTL::canCompile):
3047 * ftl/FTLLowerDFGToB3.cpp:
3048 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3049 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
3051 2017-10-24 Guillaume Emont <guijemont@igalia.com>
3053 [mips] fix offsets of branches that have to go over a jump
3054 https://bugs.webkit.org/show_bug.cgi?id=153464
3056 The jump() function creates 8 instructions, but the offsets of branches
3057 meant to go over them only account for 6. In most cases, this is not an
3058 issue as the last two instructions of jump() would be nops, but in the
3059 rarer case where the jump destination is in a different 256 MB segment,
3060 MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
3061 the last 4 instructions would be a 2 instruction load (lui/ori) into
3062 $t9, a "j $t9" and then a nop. The wrong offset will mean that the
3063 previous branches meant to go over the whole jump will branch to the
3064 "j $t9" instruction, which would jump to whatever is currently in $t9
3065 (since lui/ori would not be executed).
3067 Reviewed by Michael Catanzaro.
3069 * assembler/MacroAssemblerMIPS.h:
3070 (JSC::MacroAssemblerMIPS::branchAdd32):
3071 (JSC::MacroAssemblerMIPS::branchMul32):
3072 (JSC::MacroAssemblerMIPS::branchSub32):
3073 Fix the offsets of branches meant to go over code generated by jump().
3075 2017-10-24 JF Bastien <jfbastien@apple.com>
3077 WebAssembly: NFC renames of things that aren't JS-specific
3078 https://bugs.webkit.org/show_bug.cgi?id=178738
3080 Reviewed by Saam Barati.
3082 * wasm/WasmB3IRGenerator.cpp:
3083 (JSC::Wasm::parseAndCompile):
3084 * wasm/WasmB3IRGenerator.h:
3085 * wasm/WasmBBQPlan.cpp:
3086 (JSC::Wasm::BBQPlan::complete):
3087 * wasm/WasmCodeBlock.cpp:
3088 (JSC::Wasm::CodeBlock::CodeBlock):
3089 * wasm/WasmCodeBlock.h:
3090 (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
3091 (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
3092 * wasm/WasmFormat.h:
3093 * wasm/js/JSToWasm.cpp:
3094 (JSC::Wasm::createJSToWasmWrapper):
3095 * wasm/js/WebAssemblyModuleRecord.cpp:
3096 (JSC::WebAssemblyModuleRecord::link):
3097 (JSC::WebAssemblyModuleRecord::evaluate):
3099 2017-10-24 Stephan Szabo <stephan.szabo@sony.com>
3101 [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
3102 https://bugs.webkit.org/show_bug.cgi?id=177279
3104 Reviewed by Yusuke Suzuki.
3106 * shell/PlatformJSCOnly.cmake: Added.
3108 2017-10-15 Yusuke Suzuki <utatane.tea@gmail.com>
3110 [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3111 https://bugs.webkit.org/show_bug.cgi?id=178308
3113 Reviewed by Mark Lam.
3115 With the change of the spec[1], we now do not need to remember star resolution modules.
3116 We reflect this change to our implementation. Since this change is covered by test262,
3117 this patch improves the score of test262.
3119 We also add logging to ResolveExport to debug it easily.
3121 [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
3123 * runtime/AbstractModuleRecord.cpp:
3124 (JSC::AbstractModuleRecord::ResolveQuery::dump const):
3125 (JSC::AbstractModuleRecord::resolveExportImpl):
3127 2017-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
3129 [JSC] Use emitDumbVirtualCall in 32bit JIT
3130 https://bugs.webkit.org/show_bug.cgi?id=178644
3132 Reviewed by Mark Lam.
3134 This patch aligns 32bit JIT op_call_eval slow case to 64bit version by using emitDumbVirtualCall.
3136 * jit/JITCall32_64.cpp:
3137 (JSC::JIT::compileCallEvalSlowCase):
3139 2017-10-22 Yusuke Suzuki <utatane.tea@gmail.com>
3141 [JSC] Drop ArityCheckData
3142 https://bugs.webkit.org/show_bug.cgi?id=178648
3144 Reviewed by Mark Lam.
3146 ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
3147 However, use of `thunkToCall` is removed in 64bit environment at r189575.
3149 We remove `thunkToCall` and align 32bit implementation to 64bit implementation.
3150 Since we no longer need to have the above pair, we can remove ArityCheckData too.
3152 * llint/LowLevelInterpreter32_64.asm:
3153 * llint/LowLevelInterpreter64.asm:
3154 * runtime/CommonSlowPaths.cpp:
3155 (JSC::SLOW_PATH_DECL):
3156 (JSC::setupArityCheckData): Deleted.
3157 * runtime/CommonSlowPaths.h:
3162 2017-10-23 Keith Miller <keith_miller@apple.com>
3164 Unreviewed, reland r223866
3166 Didn't break the windows build...
3170 "WebAssembly: topEntryFrame on Wasm::Instance"
3171 https://bugs.webkit.org/show_bug.cgi?id=178690
3172 https://trac.webkit.org/changeset/223866
3175 2017-10-23 Commit Queue <commit-queue@webkit.org>
3177 Unreviewed, rolling out r223866.
3178 https://bugs.webkit.org/show_bug.cgi?id=178699
3180 Probably broke the windows build (Requested by keith_miller on
3185 "WebAssembly: topEntryFrame on Wasm::Instance"
3186 https://bugs.webkit.org/show_bug.cgi?id=178690
3187 https://trac.webkit.org/changeset/223866
3189 2017-10-23 Joseph Pecoraro <pecoraro@apple.com>
3191 Web Inspector: Remove unused Console.setMonitoringXHREnabled
3192 https://bugs.webkit.org/show_bug.cgi?id=178617
3194 Reviewed by Sam Weinig.
3196 * JavaScriptCore.xcodeproj/project.pbxproj:
3198 * inspector/agents/InspectorConsoleAgent.h:
3199 * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
3200 * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
3201 * inspector/protocol/Console.json:
3202 Removed files and method.
3204 * inspector/JSGlobalObjectInspectorController.cpp:
3205 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3206 This can use the base ConsoleAgent now.
3208 2017-10-23 JF Bastien <jfbastien@apple.com>
3210 WebAssembly: topEntryFrame on Wasm::Instance
3211 https://bugs.webkit.org/show_bug.cgi?id=178690
3213 Reviewed by Saam Barati.
3215 topEntryFrame is usually on VM, but for a no-VM WebAssembly we
3216 need to hold topEntryFrame elsewhere, and generated code cannot
3217 hard-code where topEntryFrame lives. Do this at creation time of
3218 Wasm::Instance, and then generated code will just load from
3219 wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
3220 embedding this is still from VM, so all of the unwinding machinery
3223 * dfg/DFGOSREntry.cpp:
3224 (JSC::DFG::prepareOSREntry):
3225 * dfg/DFGOSRExit.cpp:
3226 (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3227 (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3228 * ftl/FTLOSRExitCompiler.cpp:
3229 (JSC::FTL::compileStub):
3230 * interpreter/Interpreter.cpp:
3231 (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3232 * jit/AssemblyHelpers.cpp:
3233 (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
3234 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
3235 * jit/AssemblyHelpers.h:
3236 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
3237 The default parameter was never non-defaulted from any of the
3238 callers. The new version calls the impl directly because it
3239 doesn't have VM and doesn't hard-code the address of
3241 * jit/RegisterSet.cpp:
3242 (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
3243 VM because it's not really VM-specific.
3244 * jit/RegisterSet.h:
3246 (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
3248 (JSC::VM::getCTIStub):
3249 * wasm/WasmB3IRGenerator.cpp:
3250 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3251 (JSC::Wasm::B3IRGenerator::addCall):
3252 (JSC::Wasm::B3IRGenerator::addCallIndirect):
3253 * wasm/WasmInstance.cpp:
3254 (JSC::Wasm::Instance::Instance):
3255 * wasm/WasmInstance.h: topEntryFramePointer will eventually live
3256 here for real. Right now it's mirrored in JSWebAssemblyInstance
3257 because that's the acting Context.
3258 (JSC::Wasm::Instance::create):
3259 (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
3260 * wasm/WasmThunks.cpp:
3261 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3262 * wasm/js/JSWebAssemblyInstance.cpp:
3263 (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
3264 * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
3265 (JSC::JSWebAssemblyInstance::offsetOfCallee):
3266 (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
3267 (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
3268 * wasm/js/WebAssemblyInstanceConstructor.cpp:
3269 (JSC::constructJSWebAssemblyInstance):
3270 * wasm/js/WebAssemblyPrototype.cpp:
3273 2017-10-23 Joseph Pecoraro <pecoraro@apple.com>
3275 Web Inspector: Please support HAR Export for network traffic
3276 https://bugs.webkit.org/show_bug.cgi?id=146692
3277 <rdar://problem/7463672>
3279 Reviewed by Brian Burg.
3281 * inspector/protocol/Network.json:
3282 Add a walltime to each send request.
3284 2017-10-23 Matt Lewis <jlewis3@apple.com>
3286 Unreviewed, rolling out r223820.
3288 This caused a build break on Windows.
3292 "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
3293 https://bugs.webkit.org/show_bug.cgi?id=178617
3294 https://trac.webkit.org/changeset/223820
3296 2017-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
3298 [JSC] Use fastJoin in Array#toString
3299 https://bugs.webkit.org/show_bug.cgi?id=178062
3301 Reviewed by Darin Adler.
3303 Array#toString()'s fast path uses the original join operation.
3304 But this should use fastJoin if possible.
3305 This patch adds a fast path using fastJoin in Array#toString.
3306 And we also extend fastJoin to perform fast joining for int32
3311 double-array-to-string 126.6157+-5.8625 ^ 103.7343+-4.4968 ^ definitely 1.2206x faster
3312 int32-array-to-string 64.7792+-2.6524 61.2390+-2.1749 might be 1.0578x faster
3313 contiguous-array-to-string 62.6224+-2.6388 ^ 56.9899+-2.0852 ^ definitely 1.0988x faster
3316 * runtime/ArrayPrototype.cpp:
3318 (JSC::arrayProtoFuncToString):
3319 (JSC::arrayProtoFuncToLocaleString):
3320 * runtime/JSStringJoiner.h:
3321 (JSC::JSStringJoiner::appendWithoutSideEffects):
3322 (JSC::JSStringJoiner::appendInt32):
3323 (JSC::JSStringJoiner::appendDouble):
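Added example, not code from WebKit/JSC. The entry above only says that Array#toString now takes a fastJoin path; what it leaves implicit is the contract such a path has to honour: produce exactly what the spec's Array.prototype.toString -> Get(array, "join") -> Call sequence produces, and fall back to that generic sequence whenever joining directly could skip user code or an observable read. The JavaScript model below (names specArrayToString, tryFastJoin and arrayToString are this example's own; the eligibility rules are an assumption about what a side-effect-free join needs, not JSC's actual checks) makes that contract concrete and can be run against a real engine to confirm the fast and generic paths agree on the edge cases.

```javascript
"use strict";
// Added example; this is not WebKit/JSC code. A reference model of the
// contract an Array#toString fast path has to honour, with a conservative
// eligibility check standing in for what a JIT decides with type checks and
// watchpoints. All names here are this example's own.

// Captured before any script can replace them; a JIT protects the same
// assumption with watchpoints on Array.prototype.
const originalJoin = Array.prototype.join;
const objectToString = Object.prototype.toString;

// Spec-faithful generic path (ECMA-262 Array.prototype.toString).
function specArrayToString(thisValue) {
  if (thisValue === null || thisValue === undefined)
    throw new TypeError("Array.prototype.toString called on null or undefined");
  const array = Object(thisValue);            // ToObject
  const func = array.join;                    // Get(array, "join"): observable
  if (typeof func !== "function") return objectToString.call(array);
  return func.call(array);                    // may run arbitrary user code
}

// Side-effect-free join, or null when the input is not eligible.
// Assumption (this model's own rules, mirroring the intent of a JIT fast
// path): a real Array with the unmodified Array.prototype and original join,
// no holes, no accessor elements, and only primitives whose ToString cannot
// run user code (string, number, boolean, null, undefined).
// Limitation: a Proxy around an array passes Array.isArray; an engine checks
// the object's internal type instead, which plain JS cannot do.
function tryFastJoin(arr) {
  if (!Array.isArray(arr)) return null;
  if (Object.getPrototypeOf(arr) !== Array.prototype) return null;
  if (arr.join !== originalJoin) return null;
  let out = "";
  for (let i = 0; i < arr.length; i++) {
    // A hole makes the generic path read the prototype chain and an accessor
    // makes it call a getter, so both disqualify the fast path.
    const desc = Object.getOwnPropertyDescriptor(arr, i);
    if (desc === undefined || !("value" in desc)) return null;
    const v = desc.value;
    let piece;
    if (v === null || v === undefined) piece = "";   // join maps these to ""
    else if (typeof v === "string") piece = v;
    else if (typeof v === "number" || typeof v === "boolean")
      piece = String(v);                             // pure ToString: -0 -> "0", 1e21 -> "1e+21"
    else return null;                                // object/symbol: may call user code or throw
    if (i > 0) out += ",";
    out += piece;
  }
  return out;
}

// Fast path first, generic path otherwise; reports which one ran so the
// decision itself can be checked, not just the string.
function arrayToString(value) {
  const fast = tryFastJoin(value);
  if (fast !== null) return { result: fast, usedFastPath: true };
  return { result: specArrayToString(value), usedFastPath: false };
}
```

The cases worth checking are the ones where the two paths could diverge: holes, nested arrays, elements with a user-defined toString, an overridden join, and accessor elements all have to take the generic path and still yield the same string the engine's own Array.prototype.toString returns.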
3325 2017-10-22 Zan Dobersek <zdobersek@igalia.com>
3327 [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
3328 https://bugs.webkit.org/show_bug.cgi?id=178452
3330 Reviewed by Yusuke Suzuki.
3332 * heap/RegisterState.h: Re-enable the custom RegisterState and
3333 ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
3334 cause any crashes nowadays.
3336 2017-10-22 Yusuke Suzuki <utatane.tea@gmail.com>
3338 [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
3339 https://bugs.webkit.org/show_bug.cgi?id=178647
3341 Reviewed by Saam Barati.
3343 There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone
3344 since the number of slow cases depends on the values of the instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
3345 which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function,
3346 this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.
3349 (JSC::JIT::linkAllSlowCases):
3350 * jit/JITArithmetic.cpp:
3351 (JSC::JIT::emitSlow_op_unsigned):
3352 (JSC::JIT::emit_compareAndJump):
3353 (JSC::JIT::emit_compareAndJumpSlow):
3354 (JSC::JIT::emitSlow_op_inc):
3355 (JSC::JIT::emitSlow_op_dec):
3356 (JSC::JIT::emitSlow_op_mod):
3357 (JSC::JIT::emitSlow_op_negate):
3358 (JSC::JIT::emitSlow_op_bitand):
3359 (JSC::JIT::emitSlow_op_bitor):
3360 (JSC::JIT::emitSlow_op_bitxor):
3361 (JSC::JIT::emitSlow_op_lshift):
3362 (JSC::JIT::emitSlow_op_rshift):
3363 (JSC::JIT::emitSlow_op_urshift):
3364 (JSC::JIT::emitSlow_op_add):
3365 (JSC::JIT::emitSlow_op_div):
3366 (JSC::JIT::emitSlow_op_mul):
3367 (JSC::JIT::emitSlow_op_sub):
3368 * jit/JITArithmetic32_64.cpp:
3369 (JSC::JIT::emit_compareAndJumpSlow):
3370 (JSC::JIT::emitSlow_op_unsigned):
3371 (JSC::JIT::emitSlow_op_inc):
3372 (JSC::JIT::emitSlow_op_dec):
3373 (JSC::JIT::emitSlow_op_mod):