2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        LICM shouldn't hoist nodes if hoisted nodes exited in that code block
        https://bugs.webkit.org/show_bug.cgi?id=185126

        Reviewed by Saam Barati.

        This change is just restoring functionality that we've already had for a while. It had been
        accidentally broken due to an unrelated CodeBlock refactoring.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):

2018-04-30  Mark Lam  <mark.lam@apple.com>

        Apply PtrTags to the MetaAllocator and friends.
        https://bugs.webkit.org/show_bug.cgi?id=185110
        <rdar://problem/39533895>

        Reviewed by Saam Barati.

        1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer.
        2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool,
           and add a sanity check to verify that allocated code buffers are within those

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::debugAddress):
        (JSC::LinkBuffer::code):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        * bytecode/InlineAccess.cpp:
        (JSC::linkCodeInline):
        (JSC::InlineAccess::rewireStubAsJump):
        (JSC::DFG::JITCode::findPC):
        (JSC::FTL::JITCode::findPC):
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        (JSC::isProfileEmpty):
        * runtime/JSCPtrTag.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move the MayBePrototype JSCell header bit to InlineTypeFlags
        https://bugs.webkit.org/show_bug.cgi?id=185143

        * runtime/IndexingType.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::mayBePrototype const):
        (JSC::JSCell::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::mayBePrototype):
        (JSC::TypeInfo::mergeInlineTypeFlags):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Remove unneeded exception check from String.fromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=185083

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2018-04-30  Keith Miller  <keith_miller@apple.com>

        Move StructureIsImmortal to out of line flags.
        https://bugs.webkit.org/show_bug.cgi?id=185101

        Reviewed by Saam Barati.

        This will free up a bit in the inline flags where we can move the
        isPrototype bit to. This will, in turn, free a bit for use in
        implementing copy on write butterflies.

        Also, this patch removes an assertion from Structure::typeInfo()
        that inadvertently makes the function invalid to call while

        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::structureIsImmortal const):
        * runtime/Structure.h:
2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove arity fixup check if the number of parameters is 1
        https://bugs.webkit.org/show_bug.cgi?id=183984

        Reviewed by Mark Lam.

        If the number of parameters is one (|this|), we never hit the arity fixup check.
        We do not need to emit arity fixup check code.

        (JSC::DFG::compileImpl):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::JIT::compileWithoutLinking):
2018-04-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use WordLock instead of std::mutex for Threading
        https://bugs.webkit.org/show_bug.cgi?id=185121

        Reviewed by Geoffrey Garen.

        ThreadGroup starts using WordLock.

        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::getLock):

2018-04-29  Filip Pizlo  <fpizlo@apple.com>

        B3 should run tail duplication at the bitter end
        https://bugs.webkit.org/show_bug.cgi?id=185123

        Reviewed by Geoffrey Garen.

        Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral

        The goal of this change is to allow us to run path specialization after switch lowering but
        before tail duplication.

        (JSC::B3::generateToAir):

2018-04-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231137.
        https://bugs.webkit.org/show_bug.cgi?id=185118

        It is breaking Test262 language/expressions/multiplication
        /order-of-evaluation.js (Requested by caiolima on #webkit).

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231137

2018-04-28  Saam Barati  <sbarati@apple.com>

        We don't model regexp effects properly
        https://bugs.webkit.org/show_bug.cgi?id=185059
        <rdar://problem/39736150>

        Reviewed by Filip Pizlo.

        RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if
        the regexp is global.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2018-04-28  Rick Waldron  <waldron.rick@gmail.com>

        Token misspelled "tocken" in error message string
        https://bugs.webkit.org/show_bug.cgi?id=185030

        Reviewed by Saam Barati.

        * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclaration):
        (JSC::Parser<LexerType>::parseWhileStatement):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseObjectRestElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseThrowStatement):
        (JSC::Parser<LexerType>::parseWithStatement):
        (JSC::Parser<LexerType>::parseSwitchStatement):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseTryStatement):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseBinaryExpression):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseArrayLiteral):
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::operatorString):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
2018-04-28  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
2018-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r231131.
        https://bugs.webkit.org/show_bug.cgi?id=185112

        It is breaking Debug build due to unchecked exception
        (Requested by caiolima on #webkit).

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231131
2018-04-27  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
2018-04-27  JF Bastien  <jfbastien@apple.com>

        Make the first 64 bits of JSString look like a double JSValue
        https://bugs.webkit.org/show_bug.cgi?id=185081

        Reviewed by Filip Pizlo.

        We can be clever about how we lay out JSString so that, were it
        reinterpreted as a JSValue, it would look like a double.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andw_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        * runtime/JSString.h:
        (JSC::JSString::JSString):
2018-04-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector
        https://bugs.webkit.org/show_bug.cgi?id=185055

        Reviewed by JF Bastien.

        This patch is paving the way to emitting the jscvt instruction if possible.
        To do that, we need to determine whether the jscvt instruction is supported in the

        We add a function collectCPUFeatures, which is responsible for collecting
        CPU features if necessary. On Linux, we can use the auxiliary vector to get
        the information without parsing /proc/cpuinfo.

        Currently, nobody calls this function. It is later called when we emit the
        jscvt instruction. To make it possible, we also need to add disassembler

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerX86Common.h:
2018-04-26  Filip Pizlo  <fpizlo@apple.com>

        Also run foldPathConstants before mussing up SSA
        https://bugs.webkit.org/show_bug.cgi?id=185069

        Reviewed by Saam Barati.

        This isn't needed now, but will be once I implement the phase in bug 185060.

        This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral.
        Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to
        be landed separately and measured separately from that phase.

        It's probably nice for sanity to have this and reduceStrength run before tail duplication and
        another round of reduceStrength, since that makes for something that is closer to a fixpoint. But
        it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or
        neutral. It all depends on what programs typically look like.

        (JSC::B3::generateToAir):
2018-04-27  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r231086.

        Caused JSC test failures due to an unchecked exception.

        "[ESNext][BigInt] Implement support for "*" operation"
        https://bugs.webkit.org/show_bug.cgi?id=183721
        https://trac.webkit.org/changeset/231086
2018-04-26  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "*" operation
        https://bugs.webkit.org/show_bug.cgi?id=183721

        Reviewed by Saam Barati.

        Added BigInt support to the times binary operator in LLInt and in
        JITOperations profiledMul and unprofiledMul. We are also replacing all
        uses of int with unsigned when there are no negative values for

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::multiply):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::multiplyAccumulate):
        (JSC::JSBigInt::equals):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        * runtime/JSBigInt.h:
        * runtime/Operations.h:
2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Speculative build fix for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        * runtime/JSCPtrTag.h:

2018-04-26  Mark Lam  <mark.lam@apple.com>

        Gardening: Windows build fix.

        * runtime/Options.cpp:

2018-04-26  Jer Noble  <jer.noble@apple.com>

        WK_COCOA_TOUCH all the things.
        https://bugs.webkit.org/show_bug.cgi?id=185006
        <rdar://problem/39736025>

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:

2018-04-26  Per Arne Vollan  <pvollan@apple.com>

        Disable content filtering in minimal simulator mode
        https://bugs.webkit.org/show_bug.cgi?id=185027
        <rdar://problem/39736091>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2018-04-26  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.PluralRules
        https://bugs.webkit.org/show_bug.cgi?id=184312

        Reviewed by JF Bastien.

        Use UNumberFormat to enforce formatting, and then UPluralRules to find
        the correct plural rule for the given number. Relies on ICU v59+ for
        resolvedOptions().pluralCategories and trailing 0 detection.
        Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag.

        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h:
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition.
        * runtime/BigIntObject.h:
        * runtime/CommonIdentifiers.h:
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp: Added.
        (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const):
        (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const):
        (JSC::UEnumerationDeleter::operator() const):
        (JSC::IntlPluralRules::create):
        (JSC::IntlPluralRules::createStructure):
        (JSC::IntlPluralRules::IntlPluralRules):
        (JSC::IntlPluralRules::finishCreation):
        (JSC::IntlPluralRules::destroy):
        (JSC::IntlPluralRules::visitChildren):
        (JSC::IntlPRInternal::localeData):
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h: Added.
        * runtime/IntlPluralRulesConstructor.cpp: Added.
        (JSC::IntlPluralRulesConstructor::create):
        (JSC::IntlPluralRulesConstructor::createStructure):
        (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor):
        (JSC::IntlPluralRulesConstructor::finishCreation):
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        (JSC::IntlPluralRulesConstructor::visitChildren):
        * runtime/IntlPluralRulesConstructor.h: Added.
        * runtime/IntlPluralRulesPrototype.cpp: Added.
        (JSC::IntlPluralRulesPrototype::create):
        (JSC::IntlPluralRulesPrototype::createStructure):
        (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype):
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/IntlPluralRulesPrototype.h: Added.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * runtime/JSGlobalObject.h:
        * runtime/RegExpPrototype.cpp: Added inlines header.

2018-04-26  Dominik Infuehr  <dinfuehr@igalia.com>

        [MIPS] Fix branch offsets in branchNeg32
        https://bugs.webkit.org/show_bug.cgi?id=185025

        Reviewed by Yusuke Suzuki.

        Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchNeg32):

2018-04-25  Robin Morisset  <rmorisset@apple.com>

        In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=184773
        <rdar://problem/37773612>

        Reviewed by Filip Pizlo.

        We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous).
        arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'.
        This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32).
        We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time.
        This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):

2018-04-25  Mark Lam  <mark.lam@apple.com>

        Push the definition of PtrTag down to the WTF layer.
        https://bugs.webkit.org/show_bug.cgi?id=184976
        <rdar://problem/39723901>

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.cpp:
        * assembler/MacroAssemblerCodeRef.h:
        * b3/B3MathExtras.cpp:
        * bytecode/LLIntCallLinkInfo.h:
        * disassembler/Disassembler.h:
        * ftl/FTLJITCode.cpp:
        * interpreter/InterpreterInlines.h:
        * jit/ExecutableAllocator.h:
        * jit/JITOperations.cpp:
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntPCRanges.h:
        * runtime/JSCPtrTag.h: Added.
        * runtime/NativeFunction.h:
        * runtime/PtrTag.h: Removed.
        * runtime/VMTraps.cpp:

2018-04-25  Keith Miller  <keith_miller@apple.com>

        getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set
        https://bugs.webkit.org/show_bug.cgi?id=184998

        Reviewed by Saam Barati.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2018-04-25  Keith Miller  <keith_miller@apple.com>

        Add missing scope release to functionProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=184995

        Reviewed by Saam Barati.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-04-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)'
        https://bugs.webkit.org/show_bug.cgi?id=184730

        Reviewed by Mark Lam.

        Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM).
        And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0.

        We also change swap(RegisterID, RegisterID) implementation to use moves and temporaries simply. This is aligned to
        ARMv7 implementation.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::abortWithReason):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branchPtr):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::patchableBranch32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::compare8):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::add64):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::branch32WithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::branchDouble):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::call32):
        (JSC::MacroAssemblerARM::internalCompare32):

2018-04-25  Ross Kirsling  <ross.kirsling@sony.com>

        [WinCairo] Fix js/regexp-unicode.html crash.
        https://bugs.webkit.org/show_bug.cgi?id=184891

        Reviewed by Yusuke Suzuki.

        On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]".
        RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS.

        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        Unconditionally save and restore RDI on 64-bit Windows.

2018-04-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK] Miscellaneous build cleanups
        https://bugs.webkit.org/show_bug.cgi?id=184399

        Reviewed by Žan Doberšek.

2018-04-24  Keith Miller  <keith_miller@apple.com>

        fromCharCode is missing some exception checks
        https://bugs.webkit.org/show_bug.cgi?id=184952

        Reviewed by Saam Barati.

        I also removed the pointless slow path function and moved it into the

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCharCodeSlowCase): Deleted.

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        MultiByOffset should emit one fewer branches in the case that the set of structures is proved already
        https://bugs.webkit.org/show_bug.cgi?id=184923

        Reviewed by Saam Barati.

        If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved
        (i.e. we know that the object has one of those structures), then previously we would still emit a
        switch with a case per structure along with a default case. That would mean one extra redundant
        branch to check that whatever structure we wound up with belongs to the set. In that case, we
        were already making the default case be an Oops.

        One possible solution would be to say that the default case being Oops means that B3 doesn't need
        to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to
        be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html)
        seem to allow this, I don't particularly like that style of optimization. I like Oops to mean

        So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the

        This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make
        it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset):

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know how to decay a MultiGetByOffset
        https://bugs.webkit.org/show_bug.cgi?id=159859

        Reviewed by Keith Miller.

        This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that
        clobberize() can report a def() for MultiGetByOffset.

        This is a slight improvement to codegen in splay because splay is a heavy user of
        MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called
        "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to
        removing MultiXByOffset-related redundancies, which by my estimates account for 16% of

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::Node::remove):
        (JSC::DFG::Node::removeWithoutChecks):
        (JSC::DFG::Node::replaceWith):
        (JSC::DFG::Node::replaceWithWithoutChecks):
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::replaceWith): Deleted.
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-04-24  Keith Miller  <keith_miller@apple.com>

        Update API docs with information on which run loop the VM will use
        https://bugs.webkit.org/show_bug.cgi?id=184900
        <rdar://problem/39166054>

        Reviewed by Mark Lam.

        * API/JSContextRef.h:
        * API/JSVirtualMachine.h:

2018-04-24  Filip Pizlo  <fpizlo@apple.com>

        $vm.totalGCTime() should be a thing
        https://bugs.webkit.org/show_bug.cgi?id=184916

        Reviewed by Sam Weinig.

        When debugging regressions in tests that are GC heavy, it's nice to be able to query the total
        time spent in GC to determine if the regression is because the GC got slower.

        This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds.

        (JSC::Heap::runEndPhase):
        (JSC::Heap::totalGCTime const):
        * tools/JSDollarVM.cpp:
        (JSC::functionTotalGCTime):
        (JSC::JSDollarVM::finishCreation):

2018-04-23  Zalan Bujtas  <zalan@apple.com>

        [LayoutFormattingContext] Initial commit.
        https://bugs.webkit.org/show_bug.cgi?id=184896

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert accidental change to verbose flag.

        * dfg/DFGByteCodeParser.cpp:
2018-04-23  Filip Pizlo  <fpizlo@apple.com>

        Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled.

        Rubber-stamped by Saam Barati.

        This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider
        anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot.
        Seems sensible to just roll it out.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):
2018-04-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove ModuleLoaderPrototype
        https://bugs.webkit.org/show_bug.cgi?id=184784

        Reviewed by Mark Lam.

        When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users.
        However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader.
        This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader.

        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::proxyRevokeStructure const):
        (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted.
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        (JSC::moduleLoaderRequestedModules):
        (JSC::moduleLoaderModuleDeclarationInstantiation):
        (JSC::moduleLoaderResolve):
        (JSC::moduleLoaderResolveSync):
        (JSC::moduleLoaderFetch):
        (JSC::moduleLoaderGetModuleNamespaceObject):
        (JSC::moduleLoaderEvaluate):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp: Removed.
        * runtime/ModuleLoaderPrototype.h: Removed.

2018-04-20  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] All API tests fail in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=184813

        Reviewed by Mark Lam.

        This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in
        JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler.

        * API/glib/JSCContext.cpp:
        (JSCContextExceptionHandler::JSCContextExceptionHandler):
        (JSCContextExceptionHandler::~JSCContextExceptionHandler):
        (jscContextConstructed):
        (ExceptionHandler::ExceptionHandler): Deleted.
        (ExceptionHandler::~ExceptionHandler): Deleted.

2018-04-20  Tim Horton  <timothy_horton@apple.com>

        Adjust geolocation feature flag
        https://bugs.webkit.org/show_bug.cgi?id=184856

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-04-20  Brian Burg  <bburg@apple.com>

        Web Inspector: remove some dead code in IdentifiersFactory
        https://bugs.webkit.org/show_bug.cgi?id=184839

        Reviewed by Timothy Hatcher.

        This was never used on non-Chrome ports, so the identifier always has a
        prefix of '0.'. We may change this in the future, but for now remove this.
        Using a PID for this purpose is problematic anyway.

        * inspector/IdentifiersFactory.cpp:
        (Inspector::addPrefixToIdentifier):
        (Inspector::IdentifiersFactory::createIdentifier):
        (Inspector::IdentifiersFactory::requestId):
        (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted.
        * inspector/IdentifiersFactory.h:

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Add the ability to use a hash for setting PtrTag enum values.
        https://bugs.webkit.org/show_bug.cgi?id=184852
        <rdar://problem/39613891>

        Reviewed by Saam Barati.

2018-04-20  Mark Lam  <mark.lam@apple.com>

        Some JSEntryPtrTags should actually be JSInternalPtrTags.
        https://bugs.webkit.org/show_bug.cgi?id=184712
        <rdar://problem/39507381>

        Reviewed by Michael Saboff.

        1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags.
        2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ByValInfo.h:
        (JSC::ByValInfo::ByValInfo):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallLocations):
977 (JSC::CallLinkInfo::hotPathOther):
978 * bytecode/PolymorphicAccess.cpp:
979 (JSC::PolymorphicAccess::regenerate):
980 * bytecode/StructureStubInfo.h:
981 (JSC::StructureStubInfo::doneLocation):
982 * dfg/DFGJITCompiler.cpp:
983 (JSC::DFG::JITCompiler::link):
984 * dfg/DFGOSRExit.cpp:
985 (JSC::DFG::reifyInlinedCallFrames):
986 * ftl/FTLLazySlowPath.cpp:
987 (JSC::FTL::LazySlowPath::initialize):
988 * ftl/FTLLazySlowPath.h:
989 (JSC::FTL::LazySlowPath::done const):
990 * ftl/FTLLowerDFGToB3.cpp:
991 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
992 (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
993 (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
994 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
995 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
996 (JSC::FTL::DFG::LowerDFGToB3::compileIn):
997 (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1000 * jit/JITExceptions.cpp:
1001 (JSC::genericUnwind):
1003 (JSC::isProfileEmpty):
1004 * llint/LLIntData.cpp:
1005 (JSC::LLInt::initialize):
1006 * llint/LLIntData.h:
1007 (JSC::LLInt::getCodePtr):
1008 (JSC::LLInt::getExecutableAddress): Deleted.
1009 * llint/LLIntExceptions.cpp:
1010 (JSC::LLInt::callToThrow):
1011 * llint/LLIntSlowPaths.cpp:
1012 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1013 * wasm/js/WasmToJS.cpp:
1014 (JSC::Wasm::wasmToJS):
1016 2018-04-18 Jer Noble <jer.noble@apple.com>
1018 Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds
1019 https://bugs.webkit.org/show_bug.cgi?id=184762
1021 Reviewed by Dan Bernstein.
1023 * Configurations/Base.xcconfig:
1024 * JavaScriptCore.xcodeproj/project.pbxproj:
1026 2018-04-20 Daniel Bates <dabates@apple.com>
1028 Remove code for compilers that did not support NSDMI for aggregates
1029 https://bugs.webkit.org/show_bug.cgi?id=184599
1031 Reviewed by Per Arne Vollan.
1033 Remove workaround for earlier Visual Studio versions that did not support non-static data
1034 member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org
1035 and EWS bots to a newer version that supports this feature.
1037 * domjit/DOMJITEffect.h:
1038 (JSC::DOMJIT::Effect::Effect): Deleted.
1039 * runtime/HasOwnPropertyCache.h:
1040 (JSC::HasOwnPropertyCache::Entry::Entry): Deleted.
1041 * wasm/WasmFormat.h:
1042 (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted.
1044 2018-04-20 Mark Lam <mark.lam@apple.com>
1046 Build fix for internal builds after r230826.
1047 https://bugs.webkit.org/show_bug.cgi?id=184790
1048 <rdar://problem/39301369>
1052 * runtime/Options.cpp:
1053 (JSC::overrideDefaults):
1054 * tools/SigillCrashAnalyzer.cpp:
1055 (JSC::SignalContext::dump):
1057 2018-04-19 Tadeu Zagallo <tzagallo@apple.com>
1059 REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts
1060 https://bugs.webkit.org/show_bug.cgi?id=184254
1061 <rdar://problem/39140200>
1063 Reviewed by Daniel Bates.
1065 Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues.
1067 * runtime/ArrayBuffer.h:
1068 (JSC::ArrayBufferContents::ArrayBufferContents):
1070 2018-04-19 Mark Lam <mark.lam@apple.com>
1072 Apply pointer profiling to Signal pointers.
1073 https://bugs.webkit.org/show_bug.cgi?id=184790
1074 <rdar://problem/39301369>
1076 Reviewed by Michael Saboff.
1078 1. Change stackPointer, framePointer, and instructionPointer accessors to
1079 be a pair of getter/setter functions.
1080 2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of
1081 pointer profiling variants of these accessors.
1082 3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN).
1084 * JavaScriptCorePrefix.h:
1085 * runtime/MachineContext.h:
1086 (JSC::MachineContext::stackPointerImpl):
1087 (JSC::MachineContext::stackPointer):
1088 (JSC::MachineContext::setStackPointer):
1089 (JSC::MachineContext::framePointerImpl):
1090 (JSC::MachineContext::framePointer):
1091 (JSC::MachineContext::setFramePointer):
1092 (JSC::MachineContext::instructionPointerImpl):
1093 (JSC::MachineContext::instructionPointer):
1094 (JSC::MachineContext::setInstructionPointer):
1095 (JSC::MachineContext::linkRegisterImpl):
1096 (JSC::MachineContext::linkRegister):
1097 (JSC::MachineContext::setLinkRegister):
1098 * runtime/SamplingProfiler.cpp:
1099 (JSC::SamplingProfiler::takeSample):
1100 * runtime/VMTraps.cpp:
1101 (JSC::SignalContext::SignalContext):
1102 (JSC::VMTraps::tryInstallTrapBreakpoints):
1103 * tools/CodeProfiling.cpp:
1104 (JSC::profilingTimer):
1105 * tools/SigillCrashAnalyzer.cpp:
1106 (JSC::SignalContext::dump):
1107 (JSC::installCrashHandler):
1108 (JSC::SigillCrashAnalyzer::analyze):
1109 * wasm/WasmFaultSignalHandler.cpp:
1110 (JSC::Wasm::trapHandler):
1112 2018-04-19 David Kilzer <ddkilzer@apple.com>
1114 Enable Objective-C weak references
1115 <https://webkit.org/b/184789>
1116 <rdar://problem/39571716>
1118 Reviewed by Dan Bernstein.
1120 * Configurations/Base.xcconfig:
1121 (CLANG_ENABLE_OBJC_WEAK): Enable.
1122 * Configurations/ToolExecutable.xcconfig:
1123 (CLANG_ENABLE_OBJC_ARC): Simplify.
1125 2018-04-17 Filip Pizlo <fpizlo@apple.com>
1127 The InternalFunction hierarchy should be in IsoSubspaces
1128 https://bugs.webkit.org/show_bug.cgi?id=184721
1130 Reviewed by Saam Barati.
1132 This moves InternalFunction into an IsoSubspace. It also moves all subclasses into IsoSubspaces,
1133 but subclasses that are the same size as InternalFunction share its subspace. I did this
1134 because the subclasses appear to just override methods, which are called dynamically via the
1135 structure or class of the object. So, I don't see a type confusion risk if UAF is used to
1136 allocate one kind of InternalFunction over another.
1139 * API/JSCallbackFunction.h:
1140 * API/ObjCCallbackFunction.h:
1141 (JSC::ObjCCallbackFunction::subspaceFor):
1143 * JavaScriptCore.xcodeproj/project.pbxproj:
1145 * heap/IsoSubspacePerVM.cpp: Added.
1146 (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
1147 (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
1148 (JSC::IsoSubspacePerVM::IsoSubspacePerVM):
1149 (JSC::IsoSubspacePerVM::~IsoSubspacePerVM):
1150 (JSC::IsoSubspacePerVM::forVM):
1151 * heap/IsoSubspacePerVM.h: Added.
1152 (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters):
1154 * runtime/ErrorConstructor.h:
1155 * runtime/InternalFunction.h:
1156 (JSC::InternalFunction::subspaceFor):
1157 * runtime/IntlCollatorConstructor.h:
1158 * runtime/IntlDateTimeFormatConstructor.h:
1159 * runtime/IntlNumberFormatConstructor.h:
1160 * runtime/JSArrayBufferConstructor.h:
1161 * runtime/NativeErrorConstructor.h:
1162 * runtime/ProxyRevoke.h:
1163 * runtime/RegExpConstructor.h:
1168 2018-04-19 Yusuke Suzuki <utatane.tea@gmail.com>
1170 Unreviewed, fix jsc shell
1171 https://bugs.webkit.org/show_bug.cgi?id=184600
1173 WebAssembly module loading does not finish with drainMicrotasks(),
1174 so JSNativeStdFunction's captured variables become invalid.
1175 This patch fixes this issue.
1178 (functionDollarAgentStart):
1183 2018-04-18 Ross Kirsling <ross.kirsling@sony.com>
1185 REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments
1186 https://bugs.webkit.org/show_bug.cgi?id=184725
1188 Reviewed by Mark Lam.
1192 2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
1194 [WebAssembly][Modules] Import tables in wasm modules
1195 https://bugs.webkit.org/show_bug.cgi?id=184738
1197 Reviewed by JF Bastien.
1199 This patch simply allows wasm modules to import tables from wasm modules / JS re-exporting.
1200 Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link
1203 * wasm/js/JSWebAssemblyInstance.cpp:
1204 (JSC::JSWebAssemblyInstance::create):
1205 * wasm/js/WebAssemblyModuleRecord.cpp:
1206 (JSC::WebAssemblyModuleRecord::link):
1208 2018-04-18 Dominik Infuehr <dinfuehr@igalia.com>
1210 [ARM] Fix build error and crash after PtrTag change
1211 https://bugs.webkit.org/show_bug.cgi?id=184732
1213 Reviewed by Mark Lam.
1215 Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use
1216 MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer
1217 twice with ARM-Thumb2.
1219 * assembler/MacroAssemblerCodeRef.h:
1220 (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1221 * jit/JITPropertyAccess32_64.cpp:
1222 (JSC::JIT::emitSlow_op_put_by_val):
1224 (JSC::linkPolymorphicCall):
1226 2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
1228 [WebAssembly][Modules] Import globals from wasm modules
1229 https://bugs.webkit.org/show_bug.cgi?id=184736
1231 Reviewed by JF Bastien.
1233 This patch implements a feature importing globals to/from wasm modules.
1234 Since we are not supporting mutable globals now, we can just copy the
1235 global data when importing. Currently we do not support importing/exporting
1236 i64 globals. This will be supported once (1) mutable global bindings are
1237 specified and (2) BigInt based i64 importing/exporting is specified.
1239 * wasm/js/JSWebAssemblyInstance.cpp:
1240 (JSC::JSWebAssemblyInstance::create):
1241 * wasm/js/WebAssemblyModuleRecord.cpp:
1242 (JSC::WebAssemblyModuleRecord::link):
1244 2018-04-18 Tomas Popela <tpopela@redhat.com>
1246 Unreviewed, fix build on ARM
1248 * assembler/MacroAssemblerARM.h:
1249 (JSC::MacroAssemblerARM::readCallTarget):
1251 2018-04-18 Tomas Popela <tpopela@redhat.com>
1253 Unreviewed, fix build with GCC
1255 * assembler/LinkBuffer.h:
1256 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1258 2018-04-18 Yusuke Suzuki <utatane.tea@gmail.com>
1260 Unreviewed, reland r230697, r230720, and r230724.
1261 https://bugs.webkit.org/show_bug.cgi?id=184600
1263 With CatchScope check.
1265 * JavaScriptCore.xcodeproj/project.pbxproj:
1266 * builtins/ModuleLoaderPrototype.js:
1267 (globalPrivate.newRegistryEntry):
1268 (requestInstantiate):
1271 (convertShebangToJSComment):
1272 (fillBufferWithContentsOfFile):
1273 (fetchModuleFromLocalFileSystem):
1274 (GlobalObject::moduleLoaderFetch):
1275 (functionDollarAgentStart):
1278 * parser/NodesAnalyzeModule.cpp:
1279 (JSC::ImportDeclarationNode::analyzeModule):
1280 * parser/SourceProvider.h:
1281 (JSC::WebAssemblySourceProvider::create):
1282 (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
1283 * runtime/AbstractModuleRecord.cpp:
1284 (JSC::AbstractModuleRecord::hostResolveImportedModule):
1285 (JSC::AbstractModuleRecord::resolveImport):
1286 (JSC::AbstractModuleRecord::link):
1287 (JSC::AbstractModuleRecord::evaluate):
1288 (JSC::identifierToJSValue): Deleted.
1289 * runtime/AbstractModuleRecord.h:
1290 (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
1291 (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
1292 * runtime/JSModuleEnvironment.cpp:
1293 (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
1294 * runtime/JSModuleLoader.cpp:
1295 (JSC::JSModuleLoader::evaluate):
1296 * runtime/JSModuleRecord.cpp:
1297 (JSC::JSModuleRecord::link):
1298 (JSC::JSModuleRecord::instantiateDeclarations):
1299 * runtime/JSModuleRecord.h:
1300 * runtime/ModuleLoaderPrototype.cpp:
1301 (JSC::moduleLoaderPrototypeParseModule):
1302 (JSC::moduleLoaderPrototypeRequestedModules):
1303 (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1304 * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h.
1305 * wasm/js/JSWebAssemblyHelpers.h:
1306 (JSC::getWasmBufferFromValue):
1307 (JSC::createSourceBufferFromValue):
1308 * wasm/js/JSWebAssemblyInstance.cpp:
1309 (JSC::JSWebAssemblyInstance::finalizeCreation):
1310 (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
1311 (JSC::JSWebAssemblyInstance::create):
1312 * wasm/js/JSWebAssemblyInstance.h:
1313 * wasm/js/WebAssemblyInstanceConstructor.cpp:
1314 (JSC::constructJSWebAssemblyInstance):
1315 * wasm/js/WebAssemblyModuleRecord.cpp:
1316 (JSC::WebAssemblyModuleRecord::prepareLink):
1317 (JSC::WebAssemblyModuleRecord::link):
1318 * wasm/js/WebAssemblyModuleRecord.h:
1319 * wasm/js/WebAssemblyPrototype.cpp:
1322 (JSC::compileAndInstantiate):
1323 (JSC::WebAssemblyPrototype::instantiate):
1324 (JSC::webAssemblyInstantiateFunc):
1325 (JSC::webAssemblyValidateFunc):
1326 * wasm/js/WebAssemblyPrototype.h:
1328 2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
1330 [GLIB] Make it possible to handle JSCClass external properties not added to the prototype
1331 https://bugs.webkit.org/show_bug.cgi?id=184687
1333 Reviewed by Michael Catanzaro.
1335 Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implementations for
1336 JSClassDefinition. This is required to implement dynamic properties that can't be added with
1337 jsc_class_add_property(), for example to implement something like the imports object in seed/gjs.
1339 * API/glib/JSCClass.cpp:
1340 (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that
1341 can throw exceptions.
1342 (VTableExceptionHandler::~VTableExceptionHandler):
1343 (getProperty): Iterate the class chain to call get_property function.
1344 (setProperty): Iterate the class chain to call set_property function.
1345 (hasProperty): Iterate the class chain to call has_property function.
1346 (deleteProperty): Iterate the class chain to call delete_property function.
1347 (getPropertyNames): Iterate the class chain to call enumerate_properties function.
1348 (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in
1350 (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition.
1351 * API/glib/JSCClass.h:
1352 * API/glib/JSCClassPrivate.h:
1353 * API/glib/JSCContext.cpp:
1354 (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef.
1355 (jsc_context_register_class): Add JSCClassVTable parameter.
1356 * API/glib/JSCContext.h:
1357 * API/glib/JSCContextPrivate.h:
1358 * API/glib/JSCWrapperMap.cpp:
1359 (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef.
1360 * API/glib/JSCWrapperMap.h:
1361 * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols.
1363 2018-04-17 Mark Lam <mark.lam@apple.com>
1365 Templatize CodePtr/Refs/FunctionPtrs with PtrTags.
1366 https://bugs.webkit.org/show_bug.cgi?id=184702
1367 <rdar://problem/35391681>
1369 Reviewed by Filip Pizlo and Saam Barati.
1371 1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants
1372 to take a PtrTag template argument.
1373 2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr.
1375 * assembler/AbstractMacroAssembler.h:
1376 (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
1377 (JSC::AbstractMacroAssembler::linkJump):
1378 (JSC::AbstractMacroAssembler::linkPointer):
1379 (JSC::AbstractMacroAssembler::getLinkerAddress):
1380 (JSC::AbstractMacroAssembler::repatchJump):
1381 (JSC::AbstractMacroAssembler::repatchJumpToNop):
1382 (JSC::AbstractMacroAssembler::repatchNearCall):
1383 (JSC::AbstractMacroAssembler::repatchCompact):
1384 (JSC::AbstractMacroAssembler::repatchInt32):
1385 (JSC::AbstractMacroAssembler::repatchPointer):
1386 (JSC::AbstractMacroAssembler::readPointer):
1387 (JSC::AbstractMacroAssembler::replaceWithLoad):
1388 (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
1389 * assembler/CodeLocation.h:
1390 (JSC::CodeLocationCommon:: const):
1391 (JSC::CodeLocationCommon::CodeLocationCommon):
1392 (JSC::CodeLocationInstruction::CodeLocationInstruction):
1393 (JSC::CodeLocationLabel::CodeLocationLabel):
1394 (JSC::CodeLocationLabel::retagged):
1395 (JSC::CodeLocationLabel:: const):
1396 (JSC::CodeLocationJump::CodeLocationJump):
1397 (JSC::CodeLocationJump::retagged):
1398 (JSC::CodeLocationCall::CodeLocationCall):
1399 (JSC::CodeLocationCall::retagged):
1400 (JSC::CodeLocationNearCall::CodeLocationNearCall):
1401 (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32):
1402 (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
1403 (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr):
1404 (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
1405 (JSC::CodeLocationCommon<tag>::instructionAtOffset):
1406 (JSC::CodeLocationCommon<tag>::labelAtOffset):
1407 (JSC::CodeLocationCommon<tag>::jumpAtOffset):
1408 (JSC::CodeLocationCommon<tag>::callAtOffset):
1409 (JSC::CodeLocationCommon<tag>::nearCallAtOffset):
1410 (JSC::CodeLocationCommon<tag>::dataLabelPtrAtOffset):
1411 (JSC::CodeLocationCommon<tag>::dataLabel32AtOffset):
1412 (JSC::CodeLocationCommon<tag>::dataLabelCompactAtOffset):
1413 (JSC::CodeLocationCommon<tag>::convertibleLoadAtOffset):
1414 (JSC::CodeLocationCommon::instructionAtOffset): Deleted.
1415 (JSC::CodeLocationCommon::labelAtOffset): Deleted.
1416 (JSC::CodeLocationCommon::jumpAtOffset): Deleted.
1417 (JSC::CodeLocationCommon::callAtOffset): Deleted.
1418 (JSC::CodeLocationCommon::nearCallAtOffset): Deleted.
1419 (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted.
1420 (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted.
1421 (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted.
1422 (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted.
1423 * assembler/LinkBuffer.cpp:
1424 (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl):
1425 (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1426 (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted.
1427 (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted.
1428 * assembler/LinkBuffer.h:
1429 (JSC::LinkBuffer::link):
1430 (JSC::LinkBuffer::patch):
1431 (JSC::LinkBuffer::entrypoint):
1432 (JSC::LinkBuffer::locationOf):
1433 (JSC::LinkBuffer::locationOfNearCall):
1434 (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1435 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1436 (JSC::LinkBuffer::trampolineAt):
1437 * assembler/MacroAssemblerARM.h:
1438 (JSC::MacroAssemblerARM::readCallTarget):
1439 (JSC::MacroAssemblerARM::replaceWithJump):
1440 (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress):
1441 (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1442 (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1443 (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1444 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch):
1445 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
1446 (JSC::MacroAssemblerARM::repatchCall):
1447 (JSC::MacroAssemblerARM::linkCall):
1448 * assembler/MacroAssemblerARM64.h:
1449 (JSC::MacroAssemblerARM64::readCallTarget):
1450 (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1451 (JSC::MacroAssemblerARM64::replaceWithJump):
1452 (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):
1453 (JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress):
1454 (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
1455 (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):
1456 (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1457 (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
1458 (JSC::MacroAssemblerARM64::repatchCall):
1459 (JSC::MacroAssemblerARM64::linkCall):
1460 * assembler/MacroAssemblerARMv7.h:
1461 (JSC::MacroAssemblerARMv7::replaceWithJump):
1462 (JSC::MacroAssemblerARMv7::readCallTarget):
1463 (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1464 (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1465 (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1466 (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
1467 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
1468 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
1469 (JSC::MacroAssemblerARMv7::repatchCall):
1470 (JSC::MacroAssemblerARMv7::linkCall):
1471 * assembler/MacroAssemblerCodeRef.cpp:
1472 (JSC::MacroAssemblerCodePtrBase::dumpWithName):
1473 (JSC::MacroAssemblerCodeRefBase::tryToDisassemble):
1474 (JSC::MacroAssemblerCodeRefBase::disassembly):
1475 (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
1476 (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted.
1477 (JSC::MacroAssemblerCodePtr::dump const): Deleted.
1478 (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
1479 (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted.
1480 (JSC::MacroAssemblerCodeRef::disassembly const): Deleted.
1481 (JSC::MacroAssemblerCodeRef::dump const): Deleted.
1482 * assembler/MacroAssemblerCodeRef.h:
1483 (JSC::FunctionPtr::FunctionPtr):
1484 (JSC::FunctionPtr::retagged const):
1485 (JSC::FunctionPtr::retaggedExecutableAddress const):
1486 (JSC::FunctionPtr::operator== const):
1487 (JSC::FunctionPtr::operator!= const):
1488 (JSC::ReturnAddressPtr::ReturnAddressPtr):
1489 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1490 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1491 (JSC::MacroAssemblerCodePtr::retagged const):
1492 (JSC::MacroAssemblerCodePtr:: const):
1493 (JSC::MacroAssemblerCodePtr::dumpWithName const):
1494 (JSC::MacroAssemblerCodePtr::dump const):
1495 (JSC::MacroAssemblerCodePtrHash::hash):
1496 (JSC::MacroAssemblerCodePtrHash::equal):
1497 (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1498 (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
1499 (JSC::MacroAssemblerCodeRef::code const):
1500 (JSC::MacroAssemblerCodeRef::retaggedCode const):
1501 (JSC::MacroAssemblerCodeRef::retagged const):
1502 (JSC::MacroAssemblerCodeRef::tryToDisassemble const):
1503 (JSC::MacroAssemblerCodeRef::disassembly const):
1504 (JSC::MacroAssemblerCodeRef::dump const):
1505 (JSC::FunctionPtr<tag>::FunctionPtr):
1506 * assembler/MacroAssemblerMIPS.h:
1507 (JSC::MacroAssemblerMIPS::readCallTarget):
1508 (JSC::MacroAssemblerMIPS::replaceWithJump):
1509 (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1510 (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1511 (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1512 (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1513 (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1514 (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
1515 (JSC::MacroAssemblerMIPS::repatchCall):
1516 (JSC::MacroAssemblerMIPS::linkCall):
1517 * assembler/MacroAssemblerX86.h:
1518 (JSC::MacroAssemblerX86::readCallTarget):
1519 (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1520 (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1521 (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
1522 (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1523 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
1524 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
1525 (JSC::MacroAssemblerX86::repatchCall):
1526 (JSC::MacroAssemblerX86::linkCall):
1527 * assembler/MacroAssemblerX86Common.h:
1528 (JSC::MacroAssemblerX86Common::repatchCompact):
1529 (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1530 (JSC::MacroAssemblerX86Common::replaceWithJump):
1531 * assembler/MacroAssemblerX86_64.h:
1532 (JSC::MacroAssemblerX86_64::readCallTarget):
1533 (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1534 (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
1535 (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1536 (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
1537 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
1538 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
1539 (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1540 (JSC::MacroAssemblerX86_64::repatchCall):
1541 (JSC::MacroAssemblerX86_64::linkCall):
1542 * assembler/testmasm.cpp:
1545 (JSC::testProbeModifiesProgramCounter):
1546 * b3/B3Compilation.cpp:
1547 (JSC::B3::Compilation::Compilation):
1548 * b3/B3Compilation.h:
1549 (JSC::B3::Compilation::code const):
1550 (JSC::B3::Compilation::codeRef const):
1553 * b3/B3LowerMacros.cpp:
1554 * b3/air/AirDisassembler.cpp:
1555 (JSC::B3::Air::Disassembler::dump):
1556 * b3/air/testair.cpp:
1559 (JSC::B3::testInterpreter):
1560 (JSC::B3::testEntrySwitchSimple):
1561 (JSC::B3::testEntrySwitchNoEntrySwitch):
1562 (JSC::B3::testEntrySwitchWithCommonPaths):
1563 (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
1564 (JSC::B3::testEntrySwitchLoop):
1565 * bytecode/AccessCase.cpp:
1566 (JSC::AccessCase::generateImpl):
1567 * bytecode/AccessCaseSnippetParams.cpp:
1568 (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
1569 * bytecode/ByValInfo.h:
1570 (JSC::ByValInfo::ByValInfo):
1571 * bytecode/CallLinkInfo.cpp:
1572 (JSC::CallLinkInfo::callReturnLocation):
1573 (JSC::CallLinkInfo::patchableJump):
1574 (JSC::CallLinkInfo::hotPathBegin):
1575 (JSC::CallLinkInfo::slowPathStart):
1576 * bytecode/CallLinkInfo.h:
1577 (JSC::CallLinkInfo::setCallLocations):
1578 (JSC::CallLinkInfo::hotPathOther):
1579 * bytecode/CodeBlock.cpp:
1580 (JSC::CodeBlock::finishCreation):
1581 * bytecode/GetByIdStatus.cpp:
1582 (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1583 * bytecode/GetByIdVariant.cpp:
1584 (JSC::GetByIdVariant::GetByIdVariant):
1585 (JSC::GetByIdVariant::dumpInContext const):
1586 * bytecode/GetByIdVariant.h:
1587 (JSC::GetByIdVariant::customAccessorGetter const):
1588 * bytecode/GetterSetterAccessCase.cpp:
1589 (JSC::GetterSetterAccessCase::create):
1590 (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1591 (JSC::GetterSetterAccessCase::dumpImpl const):
1592 * bytecode/GetterSetterAccessCase.h:
1593 (JSC::GetterSetterAccessCase::customAccessor const):
1595 * bytecode/HandlerInfo.h:
1596 (JSC::HandlerInfo::initialize):
1597 * bytecode/InlineAccess.cpp:
1598 (JSC::linkCodeInline):
1599 (JSC::InlineAccess::rewireStubAsJump):
1600 * bytecode/InlineAccess.h:
1601 * bytecode/JumpTable.h:
1602 (JSC::StringJumpTable::ctiForValue):
1603 (JSC::SimpleJumpTable::ctiForValue):
1604 * bytecode/LLIntCallLinkInfo.h:
1605 (JSC::LLIntCallLinkInfo::unlink):
1606 * bytecode/PolymorphicAccess.cpp:
1607 (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1608 (JSC::PolymorphicAccess::regenerate):
1609 * bytecode/PolymorphicAccess.h:
1610 (JSC::AccessGenerationResult::AccessGenerationResult):
1611 (JSC::AccessGenerationResult::code const):
1612 * bytecode/StructureStubInfo.h:
1613 (JSC::StructureStubInfo::slowPathCallLocation):
1614 (JSC::StructureStubInfo::doneLocation):
1615 (JSC::StructureStubInfo::slowPathStartLocation):
1616 (JSC::StructureStubInfo::patchableJumpForIn):
1617 * dfg/DFGCommonData.h:
1618 (JSC::DFG::CommonData::appendCatchEntrypoint):
1619 * dfg/DFGDisassembler.cpp:
1620 (JSC::DFG::Disassembler::dumpDisassembly):
1622 * dfg/DFGJITCompiler.cpp:
1623 (JSC::DFG::JITCompiler::linkOSRExits):
1624 (JSC::DFG::JITCompiler::compileExceptionHandlers):
1625 (JSC::DFG::JITCompiler::link):
1626 (JSC::DFG::JITCompiler::compileFunction):
1627 (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1628 * dfg/DFGJITCompiler.h:
1629 (JSC::DFG::CallLinkRecord::CallLinkRecord):
1630 (JSC::DFG::JITCompiler::appendCall):
1631 (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1632 (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
1633 (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
1634 * dfg/DFGJITFinalizer.cpp:
1635 (JSC::DFG::JITFinalizer::JITFinalizer):
1636 (JSC::DFG::JITFinalizer::finalize):
1637 (JSC::DFG::JITFinalizer::finalizeFunction):
1638 * dfg/DFGJITFinalizer.h:
1639 * dfg/DFGJumpReplacement.h:
1640 (JSC::DFG::JumpReplacement::JumpReplacement):
1642 * dfg/DFGOSREntry.cpp:
1643 (JSC::DFG::prepareOSREntry):
1644 (JSC::DFG::prepareCatchOSREntry):
1645 * dfg/DFGOSREntry.h:
1646 (JSC::DFG::prepareOSREntry):
1647 * dfg/DFGOSRExit.cpp:
1648 (JSC::DFG::OSRExit::executeOSRExit):
1649 (JSC::DFG::reifyInlinedCallFrames):
1650 (JSC::DFG::adjustAndJumpToTarget):
1651 (JSC::DFG::OSRExit::codeLocationForRepatch const):
1652 (JSC::DFG::OSRExit::emitRestoreArguments):
1653 (JSC::DFG::OSRExit::compileOSRExit):
1655 * dfg/DFGOSRExitCompilerCommon.cpp:
1656 (JSC::DFG::handleExitCounts):
1657 (JSC::DFG::reifyInlinedCallFrames):
1658 (JSC::DFG::osrWriteBarrier):
1659 (JSC::DFG::adjustAndJumpToTarget):
1660 * dfg/DFGOperations.cpp:
1661 * dfg/DFGSlowPathGenerator.h:
1662 (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
1663 (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
1664 (JSC::DFG::slowPathCall):
1665 * dfg/DFGSpeculativeJIT.cpp:
1666 (JSC::DFG::SpeculativeJIT::compileMathIC):
1667 (JSC::DFG::SpeculativeJIT::compileCallDOM):
1668 (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1669 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1670 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
1671 (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
1672 (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1673 (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
1674 (JSC::DFG::SpeculativeJIT::cachedPutById):
1675 * dfg/DFGSpeculativeJIT.h:
1676 (JSC::DFG::SpeculativeJIT::callOperation):
1677 (JSC::DFG::SpeculativeJIT::appendCall):
1678 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1679 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1680 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
1681 * dfg/DFGSpeculativeJIT64.cpp:
1682 (JSC::DFG::SpeculativeJIT::cachedGetById):
1683 (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
1684 (JSC::DFG::SpeculativeJIT::compile):
1685 * dfg/DFGThunks.cpp:
1686 (JSC::DFG::osrExitThunkGenerator):
1687 (JSC::DFG::osrExitGenerationThunkGenerator):
1688 (JSC::DFG::osrEntryThunkGenerator):
1690 * disassembler/ARM64Disassembler.cpp:
1691 (JSC::tryToDisassemble):
1692 * disassembler/ARMv7Disassembler.cpp:
1693 (JSC::tryToDisassemble):
1694 * disassembler/Disassembler.cpp:
1696 (JSC::disassembleAsynchronously):
1697 * disassembler/Disassembler.h:
1698 (JSC::tryToDisassemble):
1699 * disassembler/UDis86Disassembler.cpp:
1700 (JSC::tryToDisassembleWithUDis86):
1701 * disassembler/UDis86Disassembler.h:
1702 (JSC::tryToDisassembleWithUDis86):
1703 * disassembler/X86Disassembler.cpp:
1704 (JSC::tryToDisassemble):
1705 * ftl/FTLCompile.cpp:
1706 (JSC::FTL::compile):
1707 * ftl/FTLExceptionTarget.cpp:
1708 (JSC::FTL::ExceptionTarget::label):
1709 (JSC::FTL::ExceptionTarget::jumps):
1710 * ftl/FTLExceptionTarget.h:
1711 * ftl/FTLGeneratedFunction.h:
1712 * ftl/FTLJITCode.cpp:
1713 (JSC::FTL::JITCode::initializeB3Code):
1714 (JSC::FTL::JITCode::initializeAddressForCall):
1715 (JSC::FTL::JITCode::initializeArityCheckEntrypoint):
1716 (JSC::FTL::JITCode::addressForCall):
1717 (JSC::FTL::JITCode::executableAddressAtOffset):
1719 (JSC::FTL::JITCode::b3Code const):
1720 * ftl/FTLJITFinalizer.cpp:
1721 (JSC::FTL::JITFinalizer::finalizeCommon):
1722 * ftl/FTLLazySlowPath.cpp:
1723 (JSC::FTL::LazySlowPath::initialize):
1724 (JSC::FTL::LazySlowPath::generate):
1725 * ftl/FTLLazySlowPath.h:
1726 (JSC::FTL::LazySlowPath::patchableJump const):
1727 (JSC::FTL::LazySlowPath::done const):
1728 (JSC::FTL::LazySlowPath::stub const):
1729 * ftl/FTLLazySlowPathCall.h:
1730 (JSC::FTL::createLazyCallGenerator):
1733 * ftl/FTLLowerDFGToB3.cpp:
1734 (JSC::FTL::DFG::LowerDFGToB3::lower):
1735 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1736 (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
1737 (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1738 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1739 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1740 (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1741 (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint):
1742 (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1743 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1744 (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
1745 (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1746 (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
1747 * ftl/FTLOSRExit.cpp:
1748 (JSC::FTL::OSRExit::codeLocationForRepatch const):
1750 * ftl/FTLOSRExitCompiler.cpp:
1751 (JSC::FTL::compileStub):
1752 (JSC::FTL::compileFTLOSRExit):
1753 * ftl/FTLOSRExitHandle.cpp:
1754 (JSC::FTL::OSRExitHandle::emitExitThunk):
1755 * ftl/FTLOperations.cpp:
1756 (JSC::FTL::compileFTLLazySlowPath):
1757 * ftl/FTLPatchpointExceptionHandle.cpp:
1758 (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1759 * ftl/FTLSlowPathCall.cpp:
1760 (JSC::FTL::SlowPathCallContext::keyWithTarget const):
1761 (JSC::FTL::SlowPathCallContext::makeCall):
1762 * ftl/FTLSlowPathCall.h:
1763 (JSC::FTL::callOperation):
1764 * ftl/FTLSlowPathCallKey.cpp:
1765 (JSC::FTL::SlowPathCallKey::dump const):
1766 * ftl/FTLSlowPathCallKey.h:
1767 (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
1768 (JSC::FTL::SlowPathCallKey::callTarget const):
1769 (JSC::FTL::SlowPathCallKey::withCallTarget):
1770 (JSC::FTL::SlowPathCallKey::hash const):
1771 (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted.
1773 (JSC::FTL::State::State):
1774 * ftl/FTLThunks.cpp:
1775 (JSC::FTL::genericGenerationThunkGenerator):
1776 (JSC::FTL::osrExitGenerationThunkGenerator):
1777 (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1778 (JSC::FTL::slowPathCallThunkGenerator):
1780 (JSC::FTL::generateIfNecessary):
1781 (JSC::FTL::keyForThunk):
1782 (JSC::FTL::Thunks::getSlowPathCallThunk):
1783 (JSC::FTL::Thunks::keyForSlowPathCallThunk):
1784 * interpreter/InterpreterInlines.h:
1785 (JSC::Interpreter::getOpcodeID):
1786 * jit/AssemblyHelpers.cpp:
1787 (JSC::AssemblyHelpers::callExceptionFuzz):
1788 (JSC::AssemblyHelpers::emitDumbVirtualCall):
1789 (JSC::AssemblyHelpers::debugCall):
1790 * jit/CCallHelpers.cpp:
1791 (JSC::CCallHelpers::ensureShadowChickenPacket):
1792 * jit/ExecutableAllocator.cpp:
1793 (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1794 (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1795 * jit/ExecutableAllocator.h:
1796 (JSC::performJITMemcpy):
1797 * jit/GCAwareJITStubRoutine.cpp:
1798 (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1799 (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
1800 (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
1801 (JSC::createJITStubRoutine):
1802 * jit/GCAwareJITStubRoutine.h:
1803 (JSC::createJITStubRoutine):
1805 (JSC::ctiPatchCallByReturnAddress):
1806 (JSC::JIT::compileWithoutLinking):
1808 (JSC::JIT::privateCompileExceptionHandlers):
1810 (JSC::CallRecord::CallRecord):
1811 * jit/JITArithmetic.cpp:
1812 (JSC::JIT::emitMathICFast):
1813 (JSC::JIT::emitMathICSlow):
1815 (JSC::JIT::compileOpCallSlowCase):
1816 * jit/JITCall32_64.cpp:
1817 (JSC::JIT::compileOpCallSlowCase):
1819 (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef):
1820 (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
1821 (JSC::DirectJITCode::DirectJITCode):
1822 (JSC::DirectJITCode::initializeCodeRef):
1823 (JSC::DirectJITCode::addressForCall):
1824 (JSC::NativeJITCode::NativeJITCode):
1825 (JSC::NativeJITCode::initializeCodeRef):
1826 (JSC::NativeJITCode::addressForCall):
1829 (JSC::JITCodeMap::Entry::Entry):
1830 (JSC::JITCodeMap::Entry::codeLocation):
1831 (JSC::JITCodeMap::append):
1832 (JSC::JITCodeMap::find const):
1833 * jit/JITDisassembler.cpp:
1834 (JSC::JITDisassembler::dumpDisassembly):
1835 * jit/JITExceptions.cpp:
1836 (JSC::genericUnwind):
1837 * jit/JITInlineCacheGenerator.cpp:
1838 (JSC::JITByIdGenerator::finalize):
1840 (JSC::JIT::emitNakedCall):
1841 (JSC::JIT::emitNakedTailCall):
1842 (JSC::JIT::appendCallWithExceptionCheck):
1843 (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType):
1844 (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1845 (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1846 (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
1848 (JSC::isProfileEmpty):
1849 * jit/JITOpcodes.cpp:
1850 (JSC::JIT::emit_op_catch):
1851 (JSC::JIT::emit_op_switch_imm):
1852 (JSC::JIT::emit_op_switch_char):
1853 (JSC::JIT::emit_op_switch_string):
1854 (JSC::JIT::privateCompileHasIndexedProperty):
1855 (JSC::JIT::emitSlow_op_has_indexed_property):
1856 * jit/JITOpcodes32_64.cpp:
1857 (JSC::JIT::privateCompileHasIndexedProperty):
1858 * jit/JITOperations.cpp:
1860 * jit/JITPropertyAccess.cpp:
1861 (JSC::JIT::stringGetByValStubGenerator):
1862 (JSC::JIT::emitGetByValWithCachedId):
1863 (JSC::JIT::emitSlow_op_get_by_val):
1864 (JSC::JIT::emitPutByValWithCachedId):
1865 (JSC::JIT::emitSlow_op_put_by_val):
1866 (JSC::JIT::emitSlow_op_try_get_by_id):
1867 (JSC::JIT::emitSlow_op_get_by_id_direct):
1868 (JSC::JIT::emitSlow_op_get_by_id):
1869 (JSC::JIT::emitSlow_op_get_by_id_with_this):
1870 (JSC::JIT::emitSlow_op_put_by_id):
1871 (JSC::JIT::privateCompileGetByVal):
1872 (JSC::JIT::privateCompileGetByValWithCachedId):
1873 (JSC::JIT::privateCompilePutByVal):
1874 (JSC::JIT::privateCompilePutByValWithCachedId):
1875 * jit/JITPropertyAccess32_64.cpp:
1876 (JSC::JIT::stringGetByValStubGenerator):
1877 (JSC::JIT::emitSlow_op_get_by_val):
1878 (JSC::JIT::emitSlow_op_put_by_val):
1879 * jit/JITStubRoutine.h:
1880 (JSC::JITStubRoutine::JITStubRoutine):
1881 (JSC::JITStubRoutine::createSelfManagedRoutine):
1882 (JSC::JITStubRoutine::code const):
1883 (JSC::JITStubRoutine::asCodePtr):
1884 * jit/JITThunks.cpp:
1885 (JSC::JITThunks::ctiNativeCall):
1886 (JSC::JITThunks::ctiNativeConstruct):
1887 (JSC::JITThunks::ctiNativeTailCall):
1888 (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
1889 (JSC::JITThunks::ctiInternalFunctionCall):
1890 (JSC::JITThunks::ctiInternalFunctionConstruct):
1891 (JSC::JITThunks::ctiStub):
1892 (JSC::JITThunks::existingCTIStub):
1893 (JSC::JITThunks::hostFunctionStub):
1895 * jit/PCToCodeOriginMap.cpp:
1896 (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
1897 * jit/PCToCodeOriginMap.h:
1898 * jit/PolymorphicCallStubRoutine.cpp:
1899 (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1900 * jit/PolymorphicCallStubRoutine.h:
1902 (JSC::readPutICCallTarget):
1903 (JSC::ftlThunkAwareRepatchCall):
1904 (JSC::appropriateOptimizingGetByIdFunction):
1905 (JSC::appropriateGetByIdFunction):
1906 (JSC::tryCacheGetByID):
1907 (JSC::repatchGetByID):
1908 (JSC::tryCachePutByID):
1909 (JSC::repatchPutByID):
1914 (JSC::linkDirectFor):
1917 (JSC::linkVirtualFor):
1918 (JSC::linkPolymorphicCall):
1919 (JSC::resetGetByID):
1920 (JSC::resetPutByID):
1922 * jit/SlowPathCall.h:
1923 (JSC::JITSlowPathCall::call):
1924 * jit/SpecializedThunkJIT.h:
1925 (JSC::SpecializedThunkJIT::finalize):
1926 (JSC::SpecializedThunkJIT::callDoubleToDouble):
1927 (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
1928 * jit/ThunkGenerator.h:
1929 * jit/ThunkGenerators.cpp:
1930 (JSC::throwExceptionFromCallSlowPathGenerator):
1932 (JSC::linkCallThunkGenerator):
1933 (JSC::linkPolymorphicCallThunkGenerator):
1934 (JSC::virtualThunkFor):
1935 (JSC::nativeForGenerator):
1936 (JSC::nativeCallGenerator):
1937 (JSC::nativeTailCallGenerator):
1938 (JSC::nativeTailCallWithoutSavedTagsGenerator):
1939 (JSC::nativeConstructGenerator):
1940 (JSC::internalFunctionCallGenerator):
1941 (JSC::internalFunctionConstructGenerator):
1942 (JSC::arityFixupGenerator):
1943 (JSC::unreachableGenerator):
1944 (JSC::charCodeAtThunkGenerator):
1945 (JSC::charAtThunkGenerator):
1946 (JSC::fromCharCodeThunkGenerator):
1947 (JSC::clz32ThunkGenerator):
1948 (JSC::sqrtThunkGenerator):
1949 (JSC::floorThunkGenerator):
1950 (JSC::ceilThunkGenerator):
1951 (JSC::truncThunkGenerator):
1952 (JSC::roundThunkGenerator):
1953 (JSC::expThunkGenerator):
1954 (JSC::logThunkGenerator):
1955 (JSC::absThunkGenerator):
1956 (JSC::imulThunkGenerator):
1957 (JSC::randomThunkGenerator):
1958 (JSC::boundThisNoArgsFunctionCallGenerator):
1959 * jit/ThunkGenerators.h:
1960 * llint/LLIntData.cpp:
1961 (JSC::LLInt::initialize):
1962 * llint/LLIntData.h:
1963 (JSC::LLInt::getExecutableAddress):
1964 (JSC::LLInt::getCodePtr):
1965 (JSC::LLInt::getCodeRef):
1966 (JSC::LLInt::getCodeFunctionPtr):
1967 * llint/LLIntEntrypoint.cpp:
1968 (JSC::LLInt::setFunctionEntrypoint):
1969 (JSC::LLInt::setEvalEntrypoint):
1970 (JSC::LLInt::setProgramEntrypoint):
1971 (JSC::LLInt::setModuleProgramEntrypoint):
1972 * llint/LLIntExceptions.cpp:
1973 (JSC::LLInt::callToThrow):
1974 * llint/LLIntSlowPaths.cpp:
1975 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1976 (JSC::LLInt::setUpCall):
1977 * llint/LLIntThunks.cpp:
1978 (JSC::vmEntryToWasm):
1979 (JSC::LLInt::generateThunkWithJumpTo):
1980 (JSC::LLInt::functionForCallEntryThunkGenerator):
1981 (JSC::LLInt::functionForConstructEntryThunkGenerator):
1982 (JSC::LLInt::functionForCallArityCheckThunkGenerator):
1983 (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
1984 (JSC::LLInt::evalEntryThunkGenerator):
1985 (JSC::LLInt::programEntryThunkGenerator):
1986 (JSC::LLInt::moduleProgramEntryThunkGenerator):
1987 * llint/LLIntThunks.h:
1988 * llint/LowLevelInterpreter.asm:
1989 * llint/LowLevelInterpreter32_64.asm:
1990 * llint/LowLevelInterpreter64.asm:
1991 * profiler/ProfilerCompilation.cpp:
1992 (JSC::Profiler::Compilation::addOSRExitSite):
1993 * profiler/ProfilerCompilation.h:
1994 * profiler/ProfilerOSRExitSite.cpp:
1995 (JSC::Profiler::OSRExitSite::toJS const):
1996 * profiler/ProfilerOSRExitSite.h:
1997 (JSC::Profiler::OSRExitSite::OSRExitSite):
1998 (JSC::Profiler::OSRExitSite::codeAddress const):
1999 (JSC::Profiler::OSRExitSite:: const): Deleted.
2000 * runtime/ExecutableBase.cpp:
2001 (JSC::ExecutableBase::clearCode):
2002 * runtime/ExecutableBase.h:
2003 (JSC::ExecutableBase::entrypointFor):
2004 * runtime/NativeExecutable.cpp:
2005 (JSC::NativeExecutable::finishCreation):
2006 * runtime/NativeFunction.h:
2007 (JSC::TaggedNativeFunction::TaggedNativeFunction):
2008 (JSC::TaggedNativeFunction::operator NativeFunction):
2011 (JSC::untagCodePtr):
2012 (JSC::retagCodePtr):
2013 (JSC::tagCFunctionPtr):
2014 (JSC::untagCFunctionPtr):
2015 (JSC::nextPtrTagID): Deleted.
2016 * runtime/PutPropertySlot.h:
2017 (JSC::PutPropertySlot::PutPropertySlot):
2018 (JSC::PutPropertySlot::setCustomValue):
2019 (JSC::PutPropertySlot::setCustomAccessor):
2020 (JSC::PutPropertySlot::customSetter const):
2021 * runtime/ScriptExecutable.cpp:
2022 (JSC::ScriptExecutable::installCode):
2024 (JSC::VM::getHostFunction):
2025 (JSC::VM::getCTIInternalFunctionTrampolineFor):
2027 (JSC::VM::getCTIStub):
2028 * wasm/WasmB3IRGenerator.cpp:
2029 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2030 (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
2031 (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2032 (JSC::Wasm::B3IRGenerator::addCall):
2033 (JSC::Wasm::B3IRGenerator::addCallIndirect):
2034 * wasm/WasmBBQPlan.cpp:
2035 (JSC::Wasm::BBQPlan::prepare):
2036 (JSC::Wasm::BBQPlan::complete):
2037 * wasm/WasmBBQPlan.h:
2038 * wasm/WasmBinding.cpp:
2039 (JSC::Wasm::wasmToWasm):
2040 * wasm/WasmBinding.h:
2041 * wasm/WasmCallee.h:
2042 (JSC::Wasm::Callee::entrypoint const):
2043 * wasm/WasmCallingConvention.h:
2044 (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
2045 * wasm/WasmCodeBlock.h:
2046 (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
2047 * wasm/WasmFaultSignalHandler.cpp:
2048 (JSC::Wasm::trapHandler):
2049 * wasm/WasmFormat.h:
2050 * wasm/WasmInstance.h:
2051 * wasm/WasmOMGPlan.cpp:
2052 (JSC::Wasm::OMGPlan::work):
2053 * wasm/WasmThunks.cpp:
2054 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2055 (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
2056 (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2057 (JSC::Wasm::Thunks::stub):
2058 (JSC::Wasm::Thunks::existingStub):
2059 * wasm/WasmThunks.h:
2060 * wasm/js/JSToWasm.cpp:
2061 (JSC::Wasm::createJSToWasmWrapper):
2062 * wasm/js/JSWebAssemblyCodeBlock.h:
2063 * wasm/js/WasmToJS.cpp:
2064 (JSC::Wasm::handleBadI64Use):
2065 (JSC::Wasm::wasmToJS):
2066 * wasm/js/WasmToJS.h:
2067 * wasm/js/WebAssemblyFunction.h:
2069 (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):
2070 (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
2071 (JSC::Yarr::YarrGenerator::compile):
2073 (JSC::Yarr::YarrCodeBlock::set8BitCode):
2074 (JSC::Yarr::YarrCodeBlock::set16BitCode):
2075 (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
2076 (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
2077 (JSC::Yarr::YarrCodeBlock::execute):
2078 (JSC::Yarr::YarrCodeBlock::clear):
2080 2018-04-17 Commit Queue <commit-queue@webkit.org>
2082 Unreviewed, rolling out r230697, r230720, and r230724.
2083 https://bugs.webkit.org/show_bug.cgi?id=184717
2085 These caused multiple failures on the Test262 testers.
2086 (Requested by mlewis13 on #webkit).
2088 Reverted changesets:
2090 "[WebAssembly][Modules] Prototype wasm import"
2091 https://bugs.webkit.org/show_bug.cgi?id=184600
2092 https://trac.webkit.org/changeset/230697
2094 "[WebAssembly][Modules] Implement function import from wasm
2096 https://bugs.webkit.org/show_bug.cgi?id=184689
2097 https://trac.webkit.org/changeset/230720
2099 "[JSC] Rename runWebAssembly to runWebAssemblySuite"
2100 https://bugs.webkit.org/show_bug.cgi?id=184703
2101 https://trac.webkit.org/changeset/230724
2103 2018-04-17 JF Bastien <jfbastien@apple.com>
2105 A put is not an ExistingProperty put when we transition a structure because of an attributes change
2106 https://bugs.webkit.org/show_bug.cgi?id=184706
2107 <rdar://problem/38871451>
2109 Reviewed by Saam Barati.
2111 When putting a property on a structure and the slot is a different
2112 type, the slot can't be said to have already been existing.
2114 * runtime/JSObjectInlines.h:
2115 (JSC::JSObject::putDirectInternal):
2117 2018-04-17 Filip Pizlo <fpizlo@apple.com>
2119 JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector
2120 https://bugs.webkit.org/show_bug.cgi?id=184705
2122 Reviewed by Michael Saboff.
2124 My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today
2125 while testing an unrelated patch, a concurrent GC thread crashed inside
2126 JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's
2127 because a typed array became wasteful concurrently to the GC. So, visitChildren() read one
2128 mode and another vector.
2130 The fix is to lock inside visitChildren and anyone who changes those fields.
2132 I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught
2135 * runtime/JSArrayBufferView.cpp:
2136 (JSC::JSArrayBufferView::neuter):
2137 * runtime/JSGenericTypedArrayViewInlines.h:
2138 (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2139 (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2141 2018-04-16 Filip Pizlo <fpizlo@apple.com>
2143 PutStackSinkingPhase should know that KillStack means ConflictingFlush
2144 https://bugs.webkit.org/show_bug.cgi?id=184672
2146 Reviewed by Michael Saboff.
2148 We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of
2149 KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some
2150 archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's
2151 intentional - I don't know.
2153 Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of
2154 doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use
2155 the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So,
2156 KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailability uses ConflictingFlush. I think
2157 that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a
2158 specific flush format, then we would think that we could sink the flush from that path. That's not right, since that
2159 could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the
2160 KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment
2161 inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we
2162 have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous
2163 values are not valid. The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any
2164 value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition.
2166 This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated
2167 them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to
2168 its stack slot for the purpose of clobberize.
2170 * dfg/DFGClobberize.h: KillStack "writes" to its stack slot.
2171 * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug.
2172 * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure.
2173 (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2175 2018-04-17 Filip Pizlo <fpizlo@apple.com>
2177 JSWebAssemblyCodeBlock should be in an IsoSubspace
2178 https://bugs.webkit.org/show_bug.cgi?id=184704
2180 Reviewed by Mark Lam.
2182 Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
2183 CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
2184 shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
2190 * wasm/js/JSWebAssemblyCodeBlock.h:
2192 2018-04-17 Jer Noble <jer.noble@apple.com>
2194 Only enable useSeparatedWXHeap on ARM64.
2195 https://bugs.webkit.org/show_bug.cgi?id=184697
2197 Reviewed by Saam Barati.
2199 * runtime/Options.cpp:
2200 (JSC::recomputeDependentOptions):
2202 2018-04-17 Yusuke Suzuki <utatane.tea@gmail.com>
2204 [WebAssembly][Modules] Implement function import from wasm modules
2205 https://bugs.webkit.org/show_bug.cgi?id=184689
2207 Reviewed by JF Bastien.
2209 This patch implements function import from wasm modules. We move function importing part
2210 from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This
2211 is because linking these functions requires that all the dependent modules are created.
2212 While we want to move all the linking functionality from JSWebAssemblyInstance to
2213 WebAssemblyModuleRecord::link, we do not do that in this patch. In this patch, we move only the
2214 function importing part because efficient compilation of WebAssembly needs to know
2215 the type of WebAssemblyMemory (signaling or bounds checking). This needs to know the imported
2216 or attached WebAssembly memory object, so we cannot defer this linking to
2217 WebAssemblyModuleRecord::link now.
2219 The largest difference from JS module linking is that WebAssembly module linking links
2220 functions from the module by snapshotting. When you have a cyclic module graph like this,
2222 -> JS1 (export "fun") -> Wasm1 (import "fun" from JS1) -+
2224 +--------------------------------------------------+
2226 we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior
2227 is described in [1], and tested in this patch.
2229 [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph
2231 * JavaScriptCore.xcodeproj/project.pbxproj:
2233 (functionDollarAgentStart):
2236 Small fixes for wasm module loading.
2238 * parser/NodesAnalyzeModule.cpp:
2239 (JSC::ImportDeclarationNode::analyzeModule):
2240 * runtime/AbstractModuleRecord.cpp:
2241 (JSC::AbstractModuleRecord::resolveImport):
2242 (JSC::AbstractModuleRecord::link):
2243 * runtime/AbstractModuleRecord.h:
2244 (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull):
2245 (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted.
2246 Now, wasm modules can have an import which is named "*". So this function does not work.
2247 Since wasm modules never have namespace importing, we check this in JS's module analyzer.
2249 * runtime/JSModuleEnvironment.cpp:
2250 (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
2251 * runtime/JSModuleRecord.cpp:
2252 (JSC::JSModuleRecord::instantiateDeclarations):
2253 * wasm/WasmCreationMode.h: Added.
2254 * wasm/js/JSWebAssemblyInstance.cpp:
2255 (JSC::JSWebAssemblyInstance::finalizeCreation):
2256 (JSC::JSWebAssemblyInstance::create):
2257 * wasm/js/JSWebAssemblyInstance.h:
2258 * wasm/js/WebAssemblyInstanceConstructor.cpp:
2259 (JSC::constructJSWebAssemblyInstance):
2260 * wasm/js/WebAssemblyModuleRecord.cpp:
2261 (JSC::WebAssemblyModuleRecord::link):
2262 * wasm/js/WebAssemblyModuleRecord.h:
2263 * wasm/js/WebAssemblyPrototype.cpp:
2266 (JSC::compileAndInstantiate):
2267 (JSC::WebAssemblyPrototype::instantiate):
2268 (JSC::webAssemblyInstantiateFunc):
2270 2018-04-17 Dominik Infuehr <dinfuehr@igalia.com>
2272 Implement setupArgumentsImpl for ARM and MIPS
2273 https://bugs.webkit.org/show_bug.cgi?id=183786
2275 Reviewed by Yusuke Suzuki.
2277 Implement setupArgumentsImpl for the ARM (hardfp and softfp) and MIPS calling conventions. Added
2278 numCrossSources and extraGPRArgs to ArgCollection to keep track of extra
2279 registers used for 64-bit values on 32-bit architectures. numCrossSources
2280 keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS.
2282 * assembler/MacroAssemblerARMv7.h:
2283 (JSC::MacroAssemblerARMv7::moveDouble):
2284 * assembler/MacroAssemblerMIPS.h:
2285 (JSC::MacroAssemblerMIPS::moveDouble):
2286 * jit/CCallHelpers.h:
2287 (JSC::CCallHelpers::setupStubCrossArgs):
2288 (JSC::CCallHelpers::ArgCollection::ArgCollection):
2289 (JSC::CCallHelpers::ArgCollection::pushRegArg):
2290 (JSC::CCallHelpers::ArgCollection::pushExtraRegArg):
2291 (JSC::CCallHelpers::ArgCollection::addGPRArg):
2292 (JSC::CCallHelpers::ArgCollection::addGPRExtraArg):
2293 (JSC::CCallHelpers::ArgCollection::addStackArg):
2294 (JSC::CCallHelpers::ArgCollection::addPoke):
2295 (JSC::CCallHelpers::ArgCollection::argCount):
2296 (JSC::CCallHelpers::calculatePokeOffset):
2297 (JSC::CCallHelpers::pokeForArgument):
2298 (JSC::CCallHelpers::stackAligned):
2299 (JSC::CCallHelpers::marshallArgumentRegister):
2300 (JSC::CCallHelpers::setupArgumentsImpl):
2301 (JSC::CCallHelpers::pokeArgumentsAligned):
2302 (JSC::CCallHelpers::std::is_integral<CURRENT_ARGUMENT_TYPE>::value):
2303 (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value):
2304 (JSC::CCallHelpers::setupArguments):
2306 (JSC::FPRInfo::toArgumentRegister):
2308 2018-04-17 Saam Barati <sbarati@apple.com>
2310 Add system trace points for process launch and for initializeWebProcess
2311 https://bugs.webkit.org/show_bug.cgi?id=184669
2313 Reviewed by Simon Fraser.
2315 * runtime/VMEntryScope.cpp:
2316 (JSC::VMEntryScope::VMEntryScope):
2317 (JSC::VMEntryScope::~VMEntryScope):
2319 2018-04-17 Jer Noble <jer.noble@apple.com>
2321 Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH
2322 https://bugs.webkit.org/show_bug.cgi?id=184602
2324 Reviewed by Beth Dakin.
2326 * JavaScriptCore.xcodeproj/project.pbxproj:
2328 2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
2330 [GLIB] Add API to clear JSCContext uncaught exception
2331 https://bugs.webkit.org/show_bug.cgi?id=184685
2333 Reviewed by Žan Doberšek.
2335 Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext.
2337 * API/glib/JSCContext.cpp:
2338 (jsc_context_clear_exception):
2339 * API/glib/JSCContext.h:
2340 * API/glib/docs/jsc-glib-4.0-sections.txt:
2342 2018-04-17 Carlos Garcia Campos <cgarcia@igalia.com>
2344 [GLIB] Add API to query, delete and enumerate properties
2345 https://bugs.webkit.org/show_bug.cgi?id=184647
2347 Reviewed by Michael Catanzaro.
2349 Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties().
2351 * API/glib/JSCValue.cpp:
2352 (jsc_value_object_has_property):
2353 (jsc_value_object_delete_property):
2354 (jsc_value_object_enumerate_properties):
2355 * API/glib/JSCValue.h:
2356 * API/glib/docs/jsc-glib-4.0-sections.txt:
2358 2018-04-16 Yusuke Suzuki <utatane.tea@gmail.com>
2360 [WebAssembly][Modules] Prototype wasm import
2361 https://bugs.webkit.org/show_bug.cgi?id=184600
2363 Reviewed by JF Bastien.
2365 This patch is an initial attempt to implement Wasm loading in the module pipeline.
2368 1. We only support Wasm loading in the JSC shell. Once the loading mechanism is specified
2369 in whatwg HTML, we should integrate this into WebCore.
2371 2. We only support exporting values from Wasm. A Wasm module cannot import anything from
2372 other modules now.
2374 When loading a file, the JSC shell checks the wasm magic. If the wasm magic is found, the JSC shell
2375 loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and the
2376 module loader pipeline just handles it the same as JS. When parsing a module, we
2377 check the type of the JSSourceCode. If the source code is Wasm source code, we create a
2378 WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles
2379 AbstractModuleRecord, and the Wasm module is instantiated, linked, and evaluated.
2381 * builtins/ModuleLoaderPrototype.js:
2382 (globalPrivate.newRegistryEntry):
2383 (requestInstantiate):
2386 (convertShebangToJSComment):
2387 (fillBufferWithContentsOfFile):
2388 (fetchModuleFromLocalFileSystem):
2389 (GlobalObject::moduleLoaderFetch):
2390 * parser/SourceProvider.h:
2391 (JSC::WebAssemblySourceProvider::create):
2392 (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider):
2393 * runtime/AbstractModuleRecord.cpp:
2394 (JSC::AbstractModuleRecord::hostResolveImportedModule):
2395 (JSC::AbstractModuleRecord::link):
2396 (JSC::AbstractModuleRecord::evaluate):
2397 (JSC::identifierToJSValue): Deleted.
2398 * runtime/AbstractModuleRecord.h:
2399 * runtime/JSModuleLoader.cpp:
2400 (JSC::JSModuleLoader::evaluate):
2401 * runtime/JSModuleRecord.cpp:
2402 (JSC::JSModuleRecord::link):
2403 (JSC::JSModuleRecord::instantiateDeclarations):
2404 * runtime/JSModuleRecord.h:
2405 * runtime/ModuleLoaderPrototype.cpp:
2406 (JSC::moduleLoaderPrototypeParseModule):
2407 (JSC::moduleLoaderPrototypeRequestedModules):
2408 (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
2409 * wasm/js/JSWebAssemblyHelpers.h:
2410 (JSC::getWasmBufferFromValue):
2411 (JSC::createSourceBufferFromValue):
2412 * wasm/js/JSWebAssemblyInstance.cpp:
2413 (JSC::JSWebAssemblyInstance::finalizeCreation):
2414 (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
2415 (JSC::JSWebAssemblyInstance::create):
2416 * wasm/js/JSWebAssemblyInstance.h:
2417 * wasm/js/WebAssemblyInstanceConstructor.cpp:
2418 (JSC::constructJSWebAssemblyInstance):
2419 * wasm/js/WebAssemblyModuleRecord.cpp:
2420 (JSC::WebAssemblyModuleRecord::prepareLink):
2421 (JSC::WebAssemblyModuleRecord::link):
2422 * wasm/js/WebAssemblyModuleRecord.h:
2423 * wasm/js/WebAssemblyPrototype.cpp:
2426 (JSC::compileAndInstantiate):
2427 (JSC::WebAssemblyPrototype::instantiate):
2428 (JSC::webAssemblyInstantiateFunc):
2429 (JSC::webAssemblyValidateFunc):
2430 * wasm/js/WebAssemblyPrototype.h:
2432 2018-04-14 Filip Pizlo <fpizlo@apple.com>
2434 Function.prototype.caller shouldn't return generator bodies
https://bugs.webkit.org/show_bug.cgi?id=184630

Reviewed by Yusuke Suzuki.

Function.prototype.caller no longer returns generator bodies. Those are meant to be

Also added some builtin debugging tools so that it's easier to do the investigation that I

* builtins/BuiltinNames.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::callerGetter):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncBuiltinDescribe):
* runtime/JSGlobalObjectFunctions.h:

2018-04-13 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] Remove duplicate 32bit ProfileType implementation
https://bugs.webkit.org/show_bug.cgi?id=184536

Reviewed by Saam Barati.

This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileProfileType):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfUndefined):
(JSC::AssemblyHelpers::branchIfNull):

2018-04-12 Mark Lam <mark.lam@apple.com>

Consolidate some PtrTags.
https://bugs.webkit.org/show_bug.cgi?id=184552
<rdar://problem/39389404>

Reviewed by Filip Pizlo.

Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag.
Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag.

* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::repatchNearCall):
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::readCallTarget):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::readCallTarget):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::readCallTarget):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::readCallTarget):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::readCallTarget):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::rewireStubAsJump):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalize):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::executableAddressAtOffset):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLazySlowPath.cpp:
(JSC::FTL::LazySlowPath::generate):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLOSRExitHandle.cpp:
(JSC::FTL::OSRExitHandle::emitExitThunk):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDumbVirtualCall):
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::compileOpCallSlowCase):
(JSC::JITCodeWithCodeRef::executableAddressAtOffset):
(JSC::NativeJITCode::addressForCall):
(JSC::JIT::emitNakedCall):
(JSC::JIT::emitNakedTailCall):
(JSC::isProfileEmpty):
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompileGetByValWithCachedId):
(JSC::JIT::privateCompilePutByVal):
(JSC::JIT::privateCompilePutByValWithCachedId):
* jit/JITThunks.cpp:
(JSC::JITThunks::hostFunctionStub):
(JSC::linkPolymorphicCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntEntrypoint.cpp:
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setUpCall):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
(JSC::LLInt::moduleProgramEntryThunkGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::finishCreation):
* runtime/NativeFunction.h:
(JSC::TaggedNativeFunction::TaggedNativeFunction):
(JSC::TaggedNativeFunction::operator NativeFunction):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::complete):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmThunks.cpp:
(JSC::Wasm::throwExceptionFromWasmThunkGenerator):
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
(JSC::Wasm::triggerOMGTierUpThunkGenerator):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.h:
(JSC::Yarr::YarrGenerator::compile):

2018-04-12 Michael Catanzaro <mcatanzaro@igalia.com>

[WPE] Move libWPEWebInspectorResources.so to pkglibdir
https://bugs.webkit.org/show_bug.cgi?id=184379

Reviewed by Žan Doberšek.

Load the module from the new location.

* PlatformWPE.cmake:
* inspector/remote/glib/RemoteInspectorUtils.cpp:
(Inspector::backendCommands):

2018-04-12 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] Remove compileBigIntEquality in DFG 32bit
https://bugs.webkit.org/show_bug.cgi?id=184535

Reviewed by Saam Barati.

We can have the unified implementation for compileBigIntEquality.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted.

2018-04-12 Michael Catanzaro <mcatanzaro@igalia.com>

[WPE] Improve include hierarchy
https://bugs.webkit.org/show_bug.cgi?id=184376

Reviewed by Žan Doberšek.

Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of
/usr/include/wpe-0.1/WPE/jsc.

* PlatformWPE.cmake:

2018-04-11 Carlos Garcia Campos <cgarcia@igalia.com>

[GLIB] Handle strings containing null characters
https://bugs.webkit.org/show_bug.cgi?id=184450

Reviewed by Michael Catanzaro.

We should be able to evaluate scripts containing null characters and to handle strings that contain them
too. In JavaScript, strings are not null-terminated; they can contain null characters. This patch adds a length
parameter to jsc_context_evaluate() to pass the script length (or -1 if it's null terminated), and new functions
jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might
contain null characters.

* API/OpaqueJSString.cpp:
(OpaqueJSString::create): Add a create constructor that takes the String.
* API/OpaqueJSString.h:
(OpaqueJSString::OpaqueJSString): Add a constructor that takes the String.
* API/glib/JSCContext.cpp:
(jsc_context_evaluate): Add length parameter.
(jsc_context_evaluate_with_source_uri): Ditto.
* API/glib/JSCContext.h:
* API/glib/JSCValue.cpp:
(jsc_value_new_string_from_bytes):
(jsc_value_to_string):
(jsc_value_to_string_as_bytes):
(jsc_value_object_is_instance_of): Pass length to evaluate.
* API/glib/JSCValue.h:
* API/glib/docs/jsc-glib-4.0-sections.txt:

2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue
https://bugs.webkit.org/show_bug.cgi?id=184500

Reviewed by Mark Lam.

Instead of passing JSValue::JSCellTag to the callOperation meta-program to convert
a JSCell GPR to EncodedJSValue in 32bit code, we add CCallHelpers::CellValue.
It is a wrapper for GPRReg, like TrustedImmPtr for a pointer value. When poking
a CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just
poke the held GPR. The benefit of this CellValue is that we can use the same code
for 32bit and 64bit. This patch removes several ifdefs.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::CellValue::CellValue):
(JSC::CCallHelpers::CellValue::gpr const):
(JSC::CCallHelpers::setupArgumentsImpl):

2018-04-11 Mark Lam <mark.lam@apple.com>

[Build fix] Replace CompactJITCodeMap with JITCodeMap.
https://bugs.webkit.org/show_bug.cgi?id=184512
<rdar://problem/35391728>

* bytecode/CodeBlock.h:

2018-04-11 Mark Lam <mark.lam@apple.com>

Replace CompactJITCodeMap with JITCodeMap.
https://bugs.webkit.org/show_bug.cgi?id=184512
<rdar://problem/35391728>

Reviewed by Filip Pizlo.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::setJITCodeMap):
(JSC::CodeBlock::jitCodeMap const):
(JSC::CodeBlock::jitCodeMap): Deleted.
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::decodedCodeMapFor): Deleted.
* jit/AssemblyHelpers.h:
* jit/CompactJITCodeMap.h: Removed.
* jit/JITCodeMap.h: Added.
(JSC::JITCodeMap::Entry::Entry):
(JSC::JITCodeMap::Entry::bytecodeIndex const):
(JSC::JITCodeMap::Entry::codeLocation):
(JSC::JITCodeMap::append):
(JSC::JITCodeMap::finish):
(JSC::JITCodeMap::find const):
(JSC::JITCodeMap::operator bool const):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] Remove CompareSlowPathGenerator
https://bugs.webkit.org/show_bug.cgi?id=184492

Reviewed by Mark Lam.

Now CompareSlowPathGenerator is just calling a specified function.
This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator.

We also remove some unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by
introducing a new constructor for GPRTemporary.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCompareSlowPathGenerator.h: Removed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::GPRTemporary::GPRTemporary):
(JSC::DFG::SpeculativeJIT::compileIsCellWithType):
(JSC::DFG::SpeculativeJIT::compileIsTypedArrayView):
(JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
(JSC::DFG::SpeculativeJIT::compileIsObject):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::GPRTemporary::GPRTemporary):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):

2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>

Unreviewed, build fix for 32bit
https://bugs.webkit.org/show_bug.cgi?id=184236

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):

2018-04-11 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] Remove duplicate 32bit code more
https://bugs.webkit.org/show_bug.cgi?id=184236

Reviewed by Mark Lam.

Remove duplicate 32bit code more aggressively, part 2.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCompareSlowPathGenerator.h: Added.
(JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator):
Drop the boxing part. Use unblessedBooleanResult on the DFGSpeculativeJIT side instead.

* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileOverridesHasInstance):
(JSC::DFG::SpeculativeJIT::compileLoadVarargs):
(JSC::DFG::SpeculativeJIT::compileIsObject):
(JSC::DFG::SpeculativeJIT::compileCheckNotEmpty):
(JSC::DFG::SpeculativeJIT::compilePutByIdFlush):
(JSC::DFG::SpeculativeJIT::compilePutById):
(JSC::DFG::SpeculativeJIT::compilePutByIdDirect):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
(JSC::DFG::SpeculativeJIT::compileGetDirectPname):
(JSC::DFG::SpeculativeJIT::compileExtractCatchLocal):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
(JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted.
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
operationHasIndexedPropertyByInt starts returning an unblessed boolean as size_t.

* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::loadValue):
(JSC::AssemblyHelpers::selectScratchGPR):
(JSC::AssemblyHelpers::constructRegisterSet):
* jit/RegisterSet.h:
(JSC::RegisterSet::setAny):
Clean up selectScratchGPR code to pass JSValueRegs.

2018-04-10 Caio Lima <ticaiolima@gmail.com>

[ESNext][BigInt] Add support for BigInt in SpeculatedType
https://bugs.webkit.org/show_bug.cgi?id=182470

Reviewed by Saam Barati.

This patch introduces the SpecBigInt type to DFG to enable BigInt
speculation into DFG and FTL.

With SpecBigInt introduction, we can then specialize "===" operations
to BigInts. As we are doing for some cells, we first check if operands
are pointing to the same JSCell, and if it is false, we
fall back to "operationCompareStrictEqCell". The idea in further
patches is to implement BigInt equality check directly in

We are also adding support for BigInt constant folding into

* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationFromClassInfo):
(JSC::speculationFromStructure):
(JSC::speculationFromJSType):
(JSC::speculationFromString):
* bytecode/SpeculatedType.h:
(JSC::isBigIntSpeculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToThis):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
* dfg/DFGInferredTypeCheck.cpp:
(JSC::DFG::insertInferredTypeCheck):
(JSC::DFG::Node::shouldSpeculateBigInt):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateBigInt):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileBigIntEquality):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
(JSC::DFG::typeFilterFor):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::isNotBigInt):
(JSC::FTL::DFG::LowerDFGToB3::speculateBigInt):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::branchIfNotType):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfBigInt):
(JSC::AssemblyHelpers::branchIfNotBigInt):
* runtime/InferredType.cpp:
(JSC::InferredType::Descriptor::forValue):
(JSC::InferredType::Descriptor::putByIdFlags const):
(JSC::InferredType::Descriptor::merge):
(WTF::printInternal):
* runtime/InferredType.h:
* runtime/JSBigInt.h:

2018-04-10 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix cloop build.

* dfg/DFGAbstractInterpreterClobberState.cpp:

2018-04-10 Mark Lam <mark.lam@apple.com>

Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT.
https://bugs.webkit.org/show_bug.cgi?id=184464
<rdar://problem/39323947>

Reviewed by Saam Barati.

* heap/MarkedSpace.h:
(JSC::MarkedSpace::sizeClassToIndex):

2018-04-09 Filip Pizlo <fpizlo@apple.com>

DFG AI and clobberize should agree with each other
https://bugs.webkit.org/show_bug.cgi?id=184440

Reviewed by Saam Barati.

One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
agree with each other. That's what this patch does: it adds an assertion that AI's structure
state tracking must be equivalent to JSCell_structureID being clobbered.

One subtlety is that AI sometimes folds away structure clobbering using information that
clobberize doesn't have. So, we track this with special kinds of AI states (FoldedClobber and
ObservedTransitions).

This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
clobberize missing a write(Heap).

This also makes some cases more precise in order to appease the assertion. Making things more
precise might make things faster, but I didn't measure it because that wasn't the goal.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractInterpreterClobberState.cpp: Added.
(WTF::printInternal):
* dfg/DFGAbstractInterpreterClobberState.h: Added.
(JSC::DFG::mergeClobberStates):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
* dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::setClobberState):
(JSC::DFG::AtTailAbstractState::mergeClobberState):
(JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGClobberSet.cpp:
(JSC::DFG::writeSet):
* dfg/DFGClobberSet.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::clobberState const):
(JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
(JSC::DFG::InPlaceAbstractState::didClobber const):
(JSC::DFG::InPlaceAbstractState::setClobberState):
(JSC::DFG::InPlaceAbstractState::mergeClobberState):
(JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.

2018-04-10 Filip Pizlo <fpizlo@apple.com>

ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
https://bugs.webkit.org/show_bug.cgi?id=184460
<rdar://problem/37610966>

Reviewed by Mark Lam.

* bytecode/ExecutableToCodeBlockEdge.cpp:
(JSC::ExecutableToCodeBlockEdge::visitChildren):

2018-04-10 Filip Pizlo <fpizlo@apple.com>

REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq
https://bugs.webkit.org/show_bug.cgi?id=184455

Reviewed by Michael Saboff.

LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize
says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack
(AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that
the thing being hoisted does have effects, then we get a crash.

In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only
CompareEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM
would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't

Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking
clobberize to also think that CompareEq(Untyped:, _) is effectful.

This fixes the whole situation by teaching both clobberize and AI that the only effectful form
of CompareEq is CompareEq(Untyped:, Untyped:).

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

2018-04-09 Filip Pizlo <fpizlo@apple.com>

Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
https://bugs.webkit.org/show_bug.cgi?id=184372

Reviewed by Saam Barati.

We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
have already proved, using techniques that are more precise than AI, that the edge has type
Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
other than a check - so we think we can call those just because we should have already
bailed. It's better to think of them as the result of folding a check. Therefore, we should
only do it if there had been a check to begin with.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):

3089 2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
3091 [JSC] Introduce @putByIdDirectPrivate
3092 https://bugs.webkit.org/show_bug.cgi?id=184400
3094 Reviewed by Saam Barati.
3096 This patch adds @putByIdDirectPrivate() to use it for builtin JS.
3097 @getByIdDirectPrivate and @putByIdDirectPrivate are pair of intrinsics
3098 accessing to ECMAScript internal fields.
3100 This change removes accidental [[Put]] operation to an object whose [[Prototype]]
3101 has internal fields (not direct properties). By using @getByIdDirectPrivate() and
3102 @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal
3103 fields that accessing to the internal fields does not traverse prototype chains.
3105 * builtins/ArrayIteratorPrototype.js:
3106 (globalPrivate.arrayIteratorValueNext):
3107 (globalPrivate.arrayIteratorKeyNext):
3108 (globalPrivate.arrayIteratorKeyValueNext):
3109 * builtins/ArrayPrototype.js:
3110 (globalPrivate.createArrayIterator):
3111 * builtins/AsyncFromSyncIteratorPrototype.js:
3112 (globalPrivate.AsyncFromSyncIteratorConstructor):
3113 * builtins/AsyncFunctionPrototype.js:
3114 (globalPrivate.asyncFunctionResume):
3115 * builtins/AsyncGeneratorPrototype.js:
3116 (globalPrivate.asyncGeneratorQueueEnqueue):
3117 (globalPrivate.asyncGeneratorQueueDequeue):
3118 (asyncGeneratorYieldAwaited):
3119 (globalPrivate.asyncGeneratorYield):
3120 (globalPrivate.doAsyncGeneratorBodyCall):
3121 (globalPrivate.asyncGeneratorResumeNext):
3122 * builtins/GeneratorPrototype.js:
3123 (globalPrivate.generatorResume):
3124 * builtins/MapIteratorPrototype.js:
3125 (globalPrivate.mapIteratorNext):
3126 * builtins/MapPrototype.js:
3127 (globalPrivate.createMapIterator):
3128 * builtins/ModuleLoaderPrototype.js:
3129 (forceFulfillPromise):
3130 * builtins/PromiseOperations.js:
3131 (globalPrivate.newHandledRejectedPromise):
3132 (globalPrivate.rejectPromise):
3133 (globalPrivate.fulfillPromise):
3134 (globalPrivate.initializePromise):
3135 * builtins/PromisePrototype.js:
3137 * builtins/SetIteratorPrototype.js:
3138 (globalPrivate.setIteratorNext):
3139 * builtins/SetPrototype.js:
3140 (globalPrivate.createSetIterator):
3141 * builtins/StringIteratorPrototype.js:
3143 * bytecode/BytecodeIntrinsicRegistry.h:
3144 * bytecompiler/NodesCodegen.cpp:
3145 (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3146 (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3148 2018-04-09 Mark Lam <mark.lam@apple.com>
3150 Decorate method table entries to support pointer profiling.
3151 https://bugs.webkit.org/show_bug.cgi?id=184430
3152 <rdar://problem/39296190>
3154 Reviewed by Saam Barati.
3156 * runtime/ClassInfo.h:
3158 2018-04-09 Michael Catanzaro <mcatanzaro@igalia.com>
3160 [WPE] Don't install JSC C API headers
3161 https://bugs.webkit.org/show_bug.cgi?id=184375
3163 Reviewed by Žan Doberšek.
3165 None of the functions declared in these headers are exported in WPE. Use the new jsc API
3168 * PlatformWPE.cmake:
3170 2018-04-08 Mark Lam <mark.lam@apple.com>
3172 Add pointer profiling to the FTL and supporting code.
3173 https://bugs.webkit.org/show_bug.cgi?id=184395
3174 <rdar://problem/39264019>
3176 Reviewed by Michael Saboff and Filip Pizlo.
3178 * assembler/CodeLocation.h:
3179 (JSC::CodeLocationLabel::retagged):
3180 (JSC::CodeLocationJump::retagged):
3181 * assembler/LinkBuffer.h:
3182 (JSC::LinkBuffer::locationOf):
3183 * dfg/DFGJITCompiler.cpp:
3184 (JSC::DFG::JITCompiler::linkOSRExits):
3185 (JSC::DFG::JITCompiler::link):
3186 * ftl/FTLCompile.cpp:
3187 (JSC::FTL::compile):
3188 * ftl/FTLExceptionTarget.cpp:
3189 (JSC::FTL::ExceptionTarget::label):
3190 (JSC::FTL::ExceptionTarget::jumps):
3191 * ftl/FTLExceptionTarget.h:
3192 * ftl/FTLJITCode.cpp:
3193 (JSC::FTL::JITCode::executableAddressAtOffset):
3194 * ftl/FTLLazySlowPath.cpp:
3195 (JSC::FTL::LazySlowPath::~LazySlowPath):
3196 (JSC::FTL::LazySlowPath::initialize):
3197 (JSC::FTL::LazySlowPath::generate):
3198 (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
3199 * ftl/FTLLazySlowPath.h:
3202 * ftl/FTLLowerDFGToB3.cpp:
3203 (JSC::FTL::DFG::LowerDFGToB3::lower):
3204 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3205 (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
3206 (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3207 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
3208 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3209 (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
3210 (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
3211 * ftl/FTLOSRExitCompiler.cpp:
3212 (JSC::FTL::compileStub):
3213 (JSC::FTL::compileFTLOSRExit):
3214 * ftl/FTLOSRExitHandle.cpp:
3215 (JSC::FTL::OSRExitHandle::emitExitThunk):
3216 * ftl/FTLOperations.cpp:
3217 (JSC::FTL::compileFTLLazySlowPath):
3219 (JSC::FTL::Output::callWithoutSideEffects):
3220 (JSC::FTL::Output::operation):
3221 * ftl/FTLPatchpointExceptionHandle.cpp:
3222 (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3223 * ftl/FTLSlowPathCall.cpp:
3224 (JSC::FTL::SlowPathCallContext::makeCall):
3225 * ftl/FTLSlowPathCallKey.h:
3226 (JSC::FTL::SlowPathCallKey::withCallTarget):
3227 (JSC::FTL::SlowPathCallKey::callPtrTag const):
3228 * ftl/FTLThunks.cpp:
3229 (JSC::FTL::genericGenerationThunkGenerator):
3230 (JSC::FTL::osrExitGenerationThunkGenerator):
3231 (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3232 (JSC::FTL::slowPathCallThunkGenerator):
3234 (JSC::isProfileEmpty):
3236 (JSC::readPutICCallTarget):
3237 (JSC::ftlThunkAwareRepatchCall):
3238 (JSC::tryCacheGetByID):
3239 (JSC::repatchGetByID):
3240 (JSC::tryCachePutByID):
3241 (JSC::repatchPutByID):
3243 (JSC::resetGetByID):
3244 (JSC::resetPutByID):
3245 (JSC::readCallTarget): Deleted.
3249 2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
3251 Unreviewed, attempt to fix Windows build
3252 https://bugs.webkit.org/show_bug.cgi?id=183508
3256 2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
3258 Unreviewed, build fix for Windows by suppressing padding warning for JIT
3259 https://bugs.webkit.org/show_bug.cgi?id=183508
3263 2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
3265 Use alignas instead of compiler-specific attributes
3266 https://bugs.webkit.org/show_bug.cgi?id=183508
3268 Reviewed by Mark Lam.
3270 Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
3272 * heap/RegisterState.h:
3274 (JSC::JIT::compile): Deleted.
3275 (JSC::JIT::compileGetByVal): Deleted.
3276 (JSC::JIT::compileGetByValWithCachedId): Deleted.
3277 (JSC::JIT::compilePutByVal): Deleted.
3278 (JSC::JIT::compileDirectPutByVal): Deleted.
3279 (JSC::JIT::compilePutByValWithCachedId): Deleted.
3280 (JSC::JIT::compileHasIndexedProperty): Deleted.
3281 (JSC::JIT::appendCall): Deleted.
3282 (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
3283 (JSC::JIT::exceptionCheck): Deleted.
3284 (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
3285 (JSC::JIT::emitInt32Load): Deleted.
3286 (JSC::JIT::emitInt32GetByVal): Deleted.
3287 (JSC::JIT::emitInt32PutByVal): Deleted.
3288 (JSC::JIT::emitDoublePutByVal): Deleted.
3289 (JSC::JIT::emitContiguousPutByVal): Deleted.
3290 (JSC::JIT::emitStoreCell): Deleted.
3291 (JSC::JIT::getSlowCase): Deleted.
3292 (JSC::JIT::linkSlowCase): Deleted.
3293 (JSC::JIT::linkDummySlowCase): Deleted.
3294 (JSC::JIT::linkAllSlowCases): Deleted.
3295 (JSC::JIT::callOperation): Deleted.
3296 (JSC::JIT::callOperationWithProfile): Deleted.
3297 (JSC::JIT::callOperationWithResult): Deleted.
3298 (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3299 (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
3300 (JSC::JIT::emitEnterOptimizationCheck): Deleted.
3301 (JSC::JIT::sampleCodeBlock): Deleted.
3302 (JSC::JIT::canBeOptimized): Deleted.
3303 (JSC::JIT::canBeOptimizedOrInlined): Deleted.
3304 (JSC::JIT::shouldEmitProfiling): Deleted.
3307 2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
3309 Unreviewed, follow-up patch for DFG 32bit
3310 https://bugs.webkit.org/show_bug.cgi?id=183970
3312 * dfg/DFGSpeculativeJIT32_64.cpp:
3313 (JSC::DFG::SpeculativeJIT::cachedGetById):
3315 2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
3317 [JSC] Fix incorrect assertion for VM's regexp buffer lock
3318 https://bugs.webkit.org/show_bug.cgi?id=184398
3320 Reviewed by Mark Lam.
3322 The isLocked check before taking a lock is incorrect.
3325 (JSC::VM::acquireRegExpPatternContexBuffer):
3327 2018-04-08 Yusuke Suzuki <utatane.tea@gmail.com>
3329 [JSC] Introduce op_get_by_id_direct
3330 https://bugs.webkit.org/show_bug.cgi?id=183970
3332 Reviewed by Filip Pizlo.
3334 This patch introduces op_get_by_id_direct bytecode. This is super similar to op_get_by_id.
3335 But it just performs [[GetOwnProperty]] operation instead of [[Get]]. We support this
3336 in all the tiers, so using this opcode does not lead to inefficiency.
3338 The main purpose of op_get_by_id_direct is to use it for private properties. We are using
3339 properties indexed with private symbols to implement ECMAScript internal fields. Before this
3340 patch, we just used get and put operations. However, that is not the correct semantics: accessing
3341 the internal fields should not traverse the prototype chain, as specified in the spec.
3342 We use op_get_by_id_direct to access properties which are used as internal fields, so that
3343 prototype chains are not traversed.
3345 To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
3346 When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
3347 bytecode `op_get_by_id_direct, object, @name`.
3349 * builtins/ArrayIteratorPrototype.js:
3351 (globalPrivate.arrayIteratorValueNext):
3352 (globalPrivate.arrayIteratorKeyNext):
3353 (globalPrivate.arrayIteratorKeyValueNext):
3354 * builtins/AsyncFromSyncIteratorPrototype.js:
3355 * builtins/AsyncFunctionPrototype.js:
3356 (globalPrivate.asyncFunctionResume):
3357 * builtins/AsyncGeneratorPrototype.js:
3358 (globalPrivate.asyncGeneratorQueueIsEmpty):
3359 (globalPrivate.asyncGeneratorQueueEnqueue):
3360 (globalPrivate.asyncGeneratorQueueDequeue):
3361 (globalPrivate.asyncGeneratorDequeue):
3362 (globalPrivate.isExecutionState):
3363 (globalPrivate.isSuspendYieldState):
3364 (globalPrivate.asyncGeneratorReject):
3365 (globalPrivate.asyncGeneratorResolve):
3366 (globalPrivate.doAsyncGeneratorBodyCall):
3367 (globalPrivate.asyncGeneratorEnqueue):
3368 * builtins/GeneratorPrototype.js:
3369 (globalPrivate.generatorResume):
3373 * builtins/MapIteratorPrototype.js:
3375 * builtins/PromiseOperations.js:
3376 (globalPrivate.isPromise):
3377 (globalPrivate.rejectPromise):
3378 (globalPrivate.fulfillPromise):
3379 * builtins/PromisePrototype.js:
3381 * builtins/SetIteratorPrototype.js:
3383 * builtins/StringIteratorPrototype.js:
3385 * builtins/TypedArrayConstructor.js:
3388 * bytecode/BytecodeDumper.cpp:
3389 (JSC::BytecodeDumper<Block>::dumpBytecode):
3390 * bytecode/BytecodeIntrinsicRegistry.h:
3391 * bytecode/BytecodeList.json:
3392 * bytecode/BytecodeUseDef.h:
3393 (JSC::computeUsesForBytecodeOffset):
3394 (JSC::computeDefsForBytecodeOffset):
3395 * bytecode/CodeBlock.cpp:
3396 (JSC::CodeBlock::finishCreation):
3397 (JSC::CodeBlock::finalizeLLIntInlineCaches):
3398 * bytecode/GetByIdStatus.cpp:
3399 (JSC::GetByIdStatus::computeFromLLInt):
3400 (JSC::GetByIdStatus::computeFor):
3401 * bytecode/StructureStubInfo.cpp:
3402 (JSC::StructureStubInfo::reset):
3403 * bytecode/StructureStubInfo.h:
3404 (JSC::appropriateOptimizingGetByIdFunction):
3405 (JSC::appropriateGenericGetByIdFunction):
3406 * bytecompiler/BytecodeGenerator.cpp:
3407 (JSC::BytecodeGenerator::emitDirectGetById):
3408 * bytecompiler/BytecodeGenerator.h:
3409 * bytecompiler/NodesCodegen.cpp:
3410 (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
3411 (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3412 * dfg/DFGAbstractInterpreterInlines.h:
3413 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3414 * dfg/DFGByteCodeParser.cpp:
3415 (JSC::DFG::ByteCodeParser::handleGetById):
3416 (JSC::DFG::ByteCodeParser::parseBlock):
3417 * dfg/DFGCapabilities.cpp:
3418 (JSC::DFG::capabilityLevel):
3419 * dfg/DFGClobberize.h:
3420 (JSC::DFG::clobberize):
3421 * dfg/DFGConstantFoldingPhase.cpp:
3422 (JSC::DFG::ConstantFoldingPhase::foldConstants):
3423 * dfg/DFGDoesGC.cpp:
3425 * dfg/DFGFixupPhase.cpp:
3426 (JSC::DFG::FixupPhase::fixupNode):
3428 (JSC::DFG::Node::convertToGetByOffset):
3429 (JSC::DFG::Node::convertToMultiGetByOffset):
3430 (JSC::DFG::Node::hasIdentifier):
3431 (JSC::DFG::Node::hasHeapPrediction):
3432 * dfg/DFGNodeType.h:
3433 * dfg/DFGOperations.cpp:
3434 * dfg/DFGOperations.h:
3435 * dfg/DFGPredictionPropagationPhase.cpp:
3436 * dfg/DFGSafeToExecute.h:
3437 (JSC::DFG::safeToExecute):
3438 * dfg/DFGSpeculativeJIT.cpp:
3439 (JSC::DFG::SpeculativeJIT::compileGetById):
3440 (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
3441 (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
3442 * dfg/DFGSpeculativeJIT.h:
3443 * dfg/DFGSpeculativeJIT32_64.cpp:
3444 (JSC::DFG::SpeculativeJIT::cachedGetById):
3445 (JSC::DFG::SpeculativeJIT::compile):
3446 * dfg/DFGSpeculativeJIT64.cpp:
3447 (JSC::DFG::SpeculativeJIT::cachedGetById):
3448 (JSC::DFG::SpeculativeJIT::compile):
3449 * ftl/FTLCapabilities.cpp:
3450 (JSC::FTL::canCompile):
3451 * ftl/FTLLowerDFGToB3.cpp:
3452 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3453 (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3454 (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
3455 (JSC::FTL::DFG::LowerDFGToB3::getById):
3457 (JSC::JIT::privateCompileMainPass):
3458 (JSC::JIT::privateCompileSlowCases):
3460 * jit/JITOperations.cpp:
3461 * jit/JITOperations.h:
3462 * jit/JITPropertyAccess.cpp:
3463 (JSC::JIT::emit_op_get_by_id_direct):
3464 (JSC::JIT::emitSlow_op_get_by_id_direct):
3465 * jit/JITPropertyAccess32_64.cpp:
3466 (JSC::JIT::emit_op_get_by_id_direct):
3467 (JSC::JIT::emitSlow_op_get_by_id_direct):
3469 (JSC::appropriateOptimizingGetByIdFunction):
3470 (JSC::appropriateGetByIdFunction):
3471 (JSC::tryCacheGetByID):
3472 (JSC::repatchGetByID):
3473 (JSC::appropriateGenericGetByIdFunction): Deleted.
3475 * llint/LLIntSlowPaths.cpp:
3476 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3477 * llint/LLIntSlowPaths.h:
3478 * llint/LowLevelInterpreter32_64.asm:
3479 * llint/LowLevelInterpreter64.asm:
3480 * runtime/JSCJSValue.h:
3481 * runtime/JSCJSValueInlines.h:
3482 (JSC::JSValue::getOwnPropertySlot const):
3483 * runtime/JSObject.h:
3484 * runtime/JSObjectInlines.h:
3485 (JSC::JSObject::getOwnPropertySlotInline):
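The op_get_by_id_direct entry above turns on one distinction: [[GetOwnProperty]] stops at the object itself, while [[Get]] keeps walking the prototype chain, so an inherited value can masquerade as an engine-internal field. The following is an added example, not JavaScriptCore code, that models that distinction from script. JSC keys its internal fields with private symbols that script cannot reach; an ordinary Symbol stands in for one here, and the `Generator` class, the `@generatorState` field name and the `isGenerator` brand check are constructed for the illustration.

```javascript
// Added example (not JavaScriptCore code). An ordinary Symbol stands in for
// one of JSC's private symbols; the field name is made up for the example.
const kGeneratorState = Symbol("@generatorState");

// Builtin-style constructor: the internal field is an own property.
class Generator {
  constructor() {
    this[kGeneratorState] = "suspendedStart";
  }
}

// Pre-patch semantics: a plain property read is [[Get]], which walks the
// prototype chain, so an inherited value looks exactly like an own field.
function readFieldViaGet(object) {
  return object[kGeneratorState];
}

// Patched semantics: [[GetOwnProperty]] only, which is what
// @getByIdDirectPrivate(object, "generatorState") compiles down to.
function readFieldDirect(object) {
  const desc = Object.getOwnPropertyDescriptor(object, kGeneratorState);
  return desc === undefined ? undefined : desc.value;
}

// Brand check in the style the builtins use: "does this object carry the
// internal field?" The read strategy is passed in so both can be compared.
function isGenerator(object, read) {
  return read(object) !== undefined;
}

// Constructed scenario: the field value sits on a prototype rather than on
// the object. An object that merely inherits it must not pass the brand
// check; only the own-property lookup gets this right.
function demo() {
  const proto = { [kGeneratorState]: "executing" };
  const impostor = Object.create(proto); // inherits the field, owns nothing
  const real = new Generator();           // owns the field
  return {
    realViaGet: isGenerator(real, readFieldViaGet),         // true
    realDirect: isGenerator(real, readFieldDirect),         // true
    impostorViaGet: isGenerator(impostor, readFieldViaGet), // true (wrong)
    impostorDirect: isGenerator(impostor, readFieldDirect), // false (correct)
  };
}

module.exports = { kGeneratorState, Generator, readFieldViaGet, readFieldDirect, isGenerator, demo };
```

Running `demo()` shows why the engine needs a dedicated opcode rather than a convention: with [[Get]] the prototype-chain walk makes the brand check accept an object that was never constructed as a generator, while the own-property read rejects it and still returns the real object's field.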
3487 2018-04-07 Yusuke Suzuki <utatane.tea@gmail.com>
3489 [JSC] Remove several asXXX functions
3490 https://bugs.webkit.org/show_bug.cgi?id=184355
3492 Reviewed by JF Bastien.
3494 Remove asActivation, asInternalFunction, and asGetterSetter.
3495 Use jsCast<> / jsDynamicCast<> consistently.
3497 * runtime/ArrayConstructor.cpp:
3498 (JSC::constructArrayWithSizeQuirk):
3499 * runtime/AsyncFunctionConstructor.cpp:
3500 (JSC::callAsyncFunctionConstructor):
3501 (JSC::constructAsyncFunctionConstructor):
3502 * runtime/AsyncGeneratorFunctionConstructor.cpp:
3503 (JSC::callAsyncGeneratorFunctionConstructor):
3504 (JSC::constructAsyncGeneratorFunctionConstructor):
3505 * runtime/BooleanConstructor.cpp:
3506 (JSC::constructWithBooleanConstructor):
3507 * runtime/DateConstructor.cpp:
3508 (JSC::constructWithDateConstructor):
3509 * runtime/ErrorConstructor.cpp:
3510 (JSC::Interpreter::constructWithErrorConstructor):
3511 (JSC::Interpreter::callErrorConstructor):
3512 * runtime/FunctionConstructor.cpp:
3513 (JSC::constructWithFunctionConstructor):
3514 (JSC::callFunctionConstructor):
3515 * runtime/FunctionPrototype.cpp:
3516 (JSC::functionProtoFuncToString):
3517 * runtime/GeneratorFunctionConstructor.cpp:
3518 (JSC::callGeneratorFunctionConstructor):
3519 (JSC::constructGeneratorFunctionConstructor):
3520 * runtime/GetterSetter.h:
3521 (JSC::asGetterSetter): Deleted.
3522 * runtime/InternalFunction.h:
3523 (JSC::asInternalFunction): Deleted.
3524 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3525 (JSC::constructGenericTypedArrayView):
3526 * runtime/JSLexicalEnvironment.h:
3527 (JSC::asActivation): Deleted.
3528 * runtime/JSObject.cpp:
3529 (JSC::validateAndApplyPropertyDescriptor):
3530 * runtime/MapConstructor.cpp:
3531 (JSC::constructMap):
3532 * runtime/PropertyDescriptor.cpp:
3533 (JSC::PropertyDescriptor::setDescriptor):
3534 * runtime/RegExpConstructor.cpp:
3535 (JSC::constructWithRegExpConstructor):
3536 (JSC::callRegExpConstructor):
3537 * runtime/SetConstructor.cpp:
3538 (JSC::constructSet):
3539 * runtime/StringConstructor.cpp:
3540 (JSC::constructWithStringConstructor):
3541 * runtime/WeakMapConstructor.cpp:
3542 (JSC::constructWeakMap):
3543 * runtime/WeakSetConstructor.cpp:
3544 (JSC::constructWeakSet):
3545 * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3546 (JSC::constructJSWebAssemblyCompileError):
3547 (JSC::callJSWebAssemblyCompileError):
3548 * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3549 (JSC::constructJSWebAssemblyLinkError):
3550 (JSC::callJSWebAssemblyLinkError):
3551 * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3552 (JSC::constructJSWebAssemblyRuntimeError):
3553 (JSC::callJSWebAssemblyRuntimeError):
3555 2018-04-05 Mark Lam <mark.lam@apple.com>
3557 MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
3558 https://bugs.webkit.org/show_bug.cgi?id=184347
3559 <rdar://problem/39183165>
3561 Reviewed by Michael Saboff.
3563 * assembler/MacroAssemblerCodeRef.h:
3564 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
3565 (JSC::MacroAssemblerCodePtr::retagged const):
3567 2018-04-05 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
3569 [MIPS] Optimize generated JIT code for branches
3570 https://bugs.webkit.org/show_bug.cgi?id=183130
3572 Reviewed by Yusuke Suzuki.
3574 The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
3575 branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
3576 to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
3577 However, this adds a significant overhead for all other types of branches. Since these nops
3578 protect the code that is generated by branchPtrWithPatch, this function seems like a better
3581 * assembler/MIPSAssembler.h:
3582 (JSC::MIPSAssembler::repatchInt32):
3583 (JSC::MIPSAssembler::revertJumpToMove):
3584 * assembler/MacroAssemblerMIPS.h:
3585 (JSC::MacroAssemblerMIPS::branchAdd32):
3586 (JSC::MacroAssemblerMIPS::branchMul32):
3587 (JSC::MacroAssemblerMIPS::branchSub32):
3588 (JSC::MacroAssemblerMIPS::branchNeg32):
3589 (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
3590 (JSC::MacroAssemblerMIPS::branchEqual):
3591 (JSC::MacroAssemblerMIPS::branchNotEqual):
3593 2018-04-05 Yusuke Suzuki <utatane.tea@gmail.com>
3595 [WTF] Remove StaticLock
3596 https://bugs.webkit.org/show_bug.cgi?id=184332
3598 Reviewed by Mark Lam.
3601 (handerForStructTag):
3602 * API/JSVirtualMachine.mm:
3603 (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3604 (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3605 * API/glib/JSCVirtualMachine.cpp:
3608 * assembler/testmasm.cpp:
3609 * b3/air/testair.cpp:
3611 * bytecode/SuperSampler.cpp:
3612 * dfg/DFGCommon.cpp:
3613 * dfg/DFGCommonData.cpp:
3615 * heap/MachineStackMarker.cpp:
3616 (JSC::MachineThreads::tryCopyOtherThreadStacks):
3617 * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
3618 (Inspector::RemoteTargetHandleRunSourceGlobal):
3619 (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
3620 * interpreter/CLoopStack.cpp:
3621 * parser/SourceProvider.cpp:
3622 * profiler/ProfilerDatabase.cpp:
3623 * profiler/ProfilerUID.cpp:
3624 (JSC::Profiler::UID::create):
3625 * runtime/IntlObject.cpp:
3626 (JSC::numberingSystemsForLocale):
3627 * runtime/JSLock.cpp:
3629 * runtime/SamplingProfiler.cpp:
3630 (JSC::SamplingProfiler::registerForReportAtExit):
3632 * wasm/WasmFaultSignalHandler.cpp:
3634 2018-04-04 Mark Lam <mark.lam@apple.com>
3636 Add pointer profiling support to the DFG and supporting files.
3637 https://bugs.webkit.org/show_bug.cgi?id=184316
3638 <rdar://problem/39188524>
3640 Reviewed by Filip Pizlo.
3642 1. Profile lots of pointers with PtrTags.
3644 2. Remove PtrTag.cpp and make ptrTagName() into an inline function. It's only
3645 used for debugging anyway, and not normally called in the code. Making it
3646 an inline function prevents it from taking up code space in builds when not in
3649 3. Change the call to the arityFixupThunk in DFG code to be a near call.
3650 It doesn't need to be a far call.
3653 * JavaScriptCore.xcodeproj/project.pbxproj:
3655 * assembler/testmasm.cpp:
3656 (JSC::testProbeModifiesProgramCounter):
3657 * b3/B3LowerMacros.cpp:
3658 * b3/air/AirCCallSpecial.cpp:
3659 (JSC::B3::Air::CCallSpecial::generate):
3660 * b3/air/AirCCallSpecial.h:
3662 (JSC::B3::testInterpreter):
3663 * bytecode/AccessCase.cpp:
3664 (JSC::AccessCase::generateImpl):
3665 * bytecode/HandlerInfo.h:
3666 (JSC::HandlerInfo::initialize):
3667 * bytecode/PolymorphicAccess.cpp:
3668 (JSC::PolymorphicAccess::regenerate):
3669 * dfg/DFGJITCompiler.cpp:
3670 (JSC::DFG::JITCompiler::compileExceptionHandlers):
3671 (JSC::DFG::JITCompiler::link):
3672 (JSC::DFG::JITCompiler::compileFunction):
3673 (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
3674 * dfg/DFGJITCompiler.h:
3675 (JSC::DFG::JITCompiler::appendCall):
3676 * dfg/DFGOSREntry.cpp:
3677 (JSC::DFG::prepareOSREntry):
3678 * dfg/DFGOSRExit.cpp:
3679 (JSC::DFG::reifyInlinedCallFrames):
3680 (JSC::DFG::adjustAndJumpToTarget):
3681 (JSC::DFG::OSRExit::emitRestoreArguments):
3682 (JSC::DFG::OSRExit::compileOSRExit):
3683 * dfg/DFGOSRExitCompilerCommon.cpp:
3684 (JSC::DFG::handleExitCounts):
3685 (JSC::DFG::reifyInlinedCallFrames):
3686 (JSC::DFG::osrWriteBarrier):
3687 (JSC::DFG::adjustAndJumpToTarget):
3688 * dfg/DFGOperations.cpp:
3689 * dfg/DFGSlowPathGenerator.h:
3690 (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
3691 (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
3692 (JSC::DFG::slowPathCall):
3693 * dfg/DFGSpeculativeJIT.cpp:
3694 (JSC::DFG::SpeculativeJIT::compileMathIC):
3695 * dfg/DFGSpeculativeJIT.h:
3696 (JSC::DFG::SpeculativeJIT::callOperation):
3697 (JSC::DFG::SpeculativeJIT::appendCall):
3698 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3699 * dfg/DFGSpeculativeJIT64.cpp:
3700 (JSC::DFG::SpeculativeJIT::cachedGetById):
3701 (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
3702 (JSC::DFG::SpeculativeJIT::cachedPutById):
3703 (JSC::DFG::SpeculativeJIT::compile):
3704 * dfg/DFGThunks.cpp:
3705 (JSC::DFG::osrExitThunkGenerator):
3706 (JSC::DFG::osrExitGenerationThunkGenerator):
3707 (JSC::DFG::osrEntryThunkGenerator):
3708 * jit/AssemblyHelpers.cpp:
3709 (JSC::AssemblyHelpers::emitDumbVirtualCall):
3711 (JSC::JIT::emitEnterOptimizationCheck):
3712 (JSC::JIT::compileWithoutLinking):
3714 (JSC::JIT::compileOpCallSlowCase):
3716 (JSC::isProfileEmpty):
3717 * jit/JITOpcodes.cpp:
3718 (JSC::JIT::emit_op_catch):
3719 (JSC::JIT::emitSlow_op_loop_hint):
3720 * jit/JITOperations.cpp:
3726 (JSC::linkVirtualFor):
3727 (JSC::linkPolymorphicCall):
3728 * jit/ThunkGenerators.cpp:
3729 (JSC::throwExceptionFromCallSlowPathGenerator):
3730 (JSC::linkCallThunkGenerator):
3731 (JSC::linkPolymorphicCallThunkGenerator):
3732 (JSC::virtualThunkFor):
3733 (JSC::arityFixupGenerator):
3734 (JSC::unreachableGenerator):
3735 * runtime/PtrTag.cpp: Removed.
3738 * runtime/VMEntryScope.cpp:
3739 * wasm/js/WasmToJS.cpp:
3740 (JSC::Wasm::wasmToJS):
3742 2018-04-04 Filip Pizlo <fpizlo@apple.com>
3744 REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
3745 https://bugs.webkit.org/show_bug.cgi?id=184319
3747 Reviewed by Saam Barati.
3749 In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
3750 assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
3753 But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with an InBounds
3754 GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
3755 eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
3756 with a GetByVal(SaneChain), then we will hit the assertion.
3758 This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
3759 tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
3760 than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
3762 * dfg/DFGCSEPhase.cpp:
3763 * dfg/DFGClobberize.h:
3764 (JSC::DFG::clobberize):
3765 * dfg/DFGHeapLocation.cpp:
3766 (WTF::printInternal):
3767 * dfg/DFGHeapLocation.h:
3768 * dfg/DFGSpeculativeJIT.cpp:
3769 (JSC::DFG::SpeculativeJIT::compileArrayPush):
3771 2018-04-04 Filip Pizlo <fpizlo@apple.com>
3773 Remove poisoning of typed array vector
3774 https://bugs.webkit.org/show_bug.cgi?id=184313
3776 Reviewed by Saam Barati.
3778 * dfg/DFGFixupPhase.cpp:
3779 (JSC::DFG::FixupPhase::checkArray):
3780 * dfg/DFGSpeculativeJIT.cpp:
3781 (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
3782 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3783 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3784 (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3785 * ftl/FTLAbstractHeapRepository.h:
3786 * ftl/FTLLowerDFGToB3.cpp:
3787 (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3788 (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
3789 (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3790 (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
3791 * jit/IntrinsicEmitter.cpp:
3792 (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3793 * jit/JITPropertyAccess.cpp:
3794 (JSC::JIT::emitIntTypedArrayGetByVal):
3795 (JSC::JIT::emitFloatTypedArrayGetByVal):
3796 (JSC::JIT::emitIntTypedArrayPutByVal):
3797 (JSC::JIT::emitFloatTypedArrayPutByVal):
3798 * llint/LowLevelInterpreter.asm:
3799 * llint/LowLevelInterpreter64.asm:
3800 * offlineasm/arm64.rb:
3801 * offlineasm/x86.rb:
3802 * runtime/CagedBarrierPtr.h:
3803 * runtime/JSArrayBufferView.cpp:
3804 (JSC::JSArrayBufferView::JSArrayBufferView):
3805 (JSC::JSArrayBufferView::finalize):
3806 (JSC::JSArrayBufferView::neuter):
3807 * runtime/JSArrayBufferView.h:
3808 (JSC::JSArrayBufferView::vector const):
3809 (JSC::JSArrayBufferView::offsetOfVector):
3810 (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
3811 (JSC::JSArrayBufferView::poisonFor): Deleted.
3812 (JSC::JSArrayBufferView::Poison::key): Deleted.
3813 * runtime/JSCPoison.cpp:
3814 (JSC::initializePoison):
3815 * runtime/JSCPoison.h:
3816 * runtime/JSGenericTypedArrayViewInlines.h:
3817 (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
3818 (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3819 (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3820 * runtime/JSObject.h:
3822 2018-04-03 Filip Pizlo <fpizlo@apple.com>
3824 Don't do index masking or poisoning for DirectArguments
3825 https://bugs.webkit.org/show_bug.cgi?id=184280
3827 Reviewed by Saam Barati.
3829 * JavaScriptCore.xcodeproj/project.pbxproj:
3830 * bytecode/AccessCase.cpp:
3831 (JSC::AccessCase::generateWithGuard):
3832 * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3833 (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
3834 * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
3835 * dfg/DFGSpeculativeJIT.cpp:
3836 (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3837 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3838 (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3839 (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
3840 (JSC::DFG::SpeculativeJIT::compilePutToArguments):
3841 * ftl/FTLAbstractHeapRepository.h:
3842 * ftl/FTLLowerDFGToB3.cpp:
3843 (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
3844 (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3845 (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3846 (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
3847 (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
3848 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3849 (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
3850 (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
3851 (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
3852 (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
3853 * heap/SecurityKind.h:
3854 * jit/JITPropertyAccess.cpp:
3855 (JSC::JIT::emit_op_get_from_arguments):
3856 (JSC::JIT::emit_op_put_to_arguments):
3857 (JSC::JIT::emitDirectArgumentsGetByVal):
3858 * jit/JITPropertyAccess32_64.cpp:
3859 (JSC::JIT::emit_op_get_from_arguments):
3860 (JSC::JIT::emit_op_put_to_arguments):
3861 * llint/LowLevelInterpreter.asm:
3862 * llint/LowLevelInterpreter32_64.asm:
3863 * llint/LowLevelInterpreter64.asm:
3864 * runtime/DirectArguments.cpp:
3865 (JSC::DirectArguments::DirectArguments):
3866 (JSC::DirectArguments::createUninitialized):
3867 (JSC::DirectArguments::create):
3868 (JSC::DirectArguments::createByCopying):
3869 (JSC::DirectArguments::estimatedSize):
3870 (JSC::DirectArguments::visitChildren):
3871 (JSC::DirectArguments::overrideThings):
3872 (JSC::DirectArguments::copyToArguments):
3873 (JSC::DirectArguments::mappedArgumentsSize):
3874 * runtime/DirectArguments.h:
3875 * runtime/JSCPoison.h:
3876 * runtime/JSLexicalEnvironment.h:
3877 * runtime/JSSymbolTableObject.h:
3879 2018-04-03 Filip Pizlo <fpizlo@apple.com>
3881 JSArray::appendMemcpy seems to be missing a barrier
3882 https://bugs.webkit.org/show_bug.cgi?id=184290
3884 Reviewed by Mark Lam.
3886 If you write to an array that may contain pointers and you didn't just allocate it, then you need to
3887 barrier right after.
3889 I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
3890 obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
3892 * runtime/JSArray.cpp:
3893 (JSC::JSArray::appendMemcpy):
3895 2018-04-03 Filip Pizlo <fpizlo@apple.com>
3897 GC shouldn't do object distancing
3898 https://bugs.webkit.org/show_bug.cgi?id=184195
3900 Reviewed by Saam Barati.
3902 This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
3903 to be a small speed-up.
3906 * JavaScriptCore.xcodeproj/project.pbxproj:
3908 * heap/BlockDirectory.cpp:
3909 (JSC::BlockDirectory::findBlockForAllocation):
3910 (JSC::BlockDirectory::addBlock):
3911 * heap/BlockDirectory.h:
3912 * heap/CellAttributes.cpp:
3913 (JSC::CellAttributes::dump const):
3914 * heap/CellAttributes.h:
3915 (JSC::CellAttributes::CellAttributes):
3916 * heap/LocalAllocator.cpp:
3917 (JSC::LocalAllocator::allocateSlowCase):
3918 (JSC::LocalAllocator::tryAllocateWithoutCollecting):
3919 * heap/MarkedBlock.cpp:
3920 (JSC::MarkedBlock::Handle::didAddToDirectory):
3921 * heap/MarkedBlock.h:
3922 (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
3923 * heap/SecurityKind.cpp: Removed.
3924 * heap/SecurityKind.h: Removed.
3925 * heap/SecurityOriginToken.cpp: Removed.
3926 * heap/SecurityOriginToken.h: Removed.
3927 * heap/ThreadLocalCache.cpp:
3928 (JSC::ThreadLocalCache::create):
3929 (JSC::ThreadLocalCache::ThreadLocalCache):
3930 * heap/ThreadLocalCache.h:
3931 (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
3932 * runtime/JSDestructibleObjectHeapCellType.cpp:
3933 (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3934 * runtime/JSGlobalObject.cpp:
3935 (JSC::JSGlobalObject::JSGlobalObject):
3936 * runtime/JSGlobalObject.h:
3937 (JSC::JSGlobalObject::threadLocalCache const): Deleted.
3938 * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3939 (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3940 * runtime/JSStringHeapCellType.cpp:
3941 (JSC::JSStringHeapCellType::JSStringHeapCellType):
3945 * runtime/VMEntryScope.cpp:
3946 (JSC::VMEntryScope::VMEntryScope):
3947 * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3948 (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3950 2018-04-02 Saam Barati <sbarati@apple.com>
3952 bmalloc should compute its own estimate of its footprint
3953 https://bugs.webkit.org/show_bug.cgi?id=184121
3955 Reviewed by Filip Pizlo.
3957 * heap/IsoAlignedMemoryAllocator.cpp:
3958 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3959 (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3960 (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3962 2018-04-02 Mark Lam <mark.lam@apple.com>
3964 We should not trash the stack pointer on OSR entry.
3965 https://bugs.webkit.org/show_bug.cgi?id=184243
3966 <rdar://problem/39114319>
3968 Reviewed by Filip Pizlo.
3970 In the DFG OSR entry path, we momentarily over-write the stack pointer with
3971 returnValueGPR2. returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
3972 Hence, this assignment is wrong, and it turns out to be unnecessary as well.