2016-05-17 Filip Pizlo <fpizlo@apple.com>

JSC should detect the right default locale even when it's not embedded in WebCore
https://bugs.webkit.org/show_bug.cgi?id=157755
rdar://problem/24665424

Reviewed by Keith Miller.

This makes JSC try to use WTF's platform user preferred language detection if the DOM did
not register a defaultLanguage callback. The result is that when JSC runs standalone it
will detect the platform user preferred language almost the same way as when it's embedded
in WebCore. The only difference is that WebCore may have its own additional overrides via
the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls

We first found this bug because on iOS, the intl tests would fail because ICU would report
a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
OS X, just less so. For example, setting things to Poland did not result in the jsc shell
printing dates Polish-style. Now it will print them Polish-style if your system preferences
say so. Also, the tests don't fail on iOS anymore.

* runtime/IntlObject.cpp:

2016-05-17 Dean Jackson <dino@apple.com>

Remove ES6_GENERATORS flag
https://bugs.webkit.org/show_bug.cgi?id=157815
<rdar://problem/26332894>

Reviewed by Geoffrey Garen.

This flag isn't needed. Generators are enabled everywhere and
part of a stable specification.

* Configurations/FeatureDefines.xcconfig:
(JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
(JSC::Parser<LexerType>::parseClass): Deleted.
(JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
(JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
(JSC::Parser<LexerType>::parseProperty): Deleted.
(JSC::Parser<LexerType>::parseFunctionExpression): Deleted.

2016-05-17 Keith Miller <keith_miller@apple.com>

Rollout r200426 since it causes PLT regressions.
https://bugs.webkit.org/show_bug.cgi?id=157812

Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.

2016-05-17 Keith Miller <keith_miller@apple.com>

Add test262 harness support code
https://bugs.webkit.org/show_bug.cgi?id=157797

Reviewed by Filip Pizlo.

This patch adds some new tooling needed to run Test262 with the jsc
CLI. There were three options that needed to be added for Test262:

1) "--test262-async" This option overrides the print function in the test runner to look for
'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
and that string is not passed then the test is marked as failing.

2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
passed file before passing the source code to the VM. This option can, in theory, be passed

3) "--exception=<name>" This option asserts that at the end of the last script file passed
the VM has an uncaught exception with its name property equal to the passed name.

(fillBufferWithContentsOfFile):
(checkUncaughtException):
(printUsageStatement):
(CommandLine::parseArguments):

2016-05-17 Filip Pizlo <fpizlo@apple.com>

WTF should know about Language
https://bugs.webkit.org/show_bug.cgi?id=157756

Reviewed by Geoffrey Garen.

Teach our scripts that an ObjC class beginning with WTF is totally cool.

* JavaScriptCore.xcodeproj/project.pbxproj:

2016-05-17 Joseph Pecoraro <pecoraro@apple.com>

console namespace breaks putting properties on console.__proto__
https://bugs.webkit.org/show_bug.cgi?id=157782
<rdar://problem/26250526>

Reviewed by Geoffrey Garen.

Some websites currently depend on console.__proto__ existing and being
a separate object from Object.prototype. This patch adds back a basic
console.__proto__ object, but all the console functions are left on
the ConsoleObject itself.

* runtime/JSGlobalObject.cpp:
(JSC::createConsoleProperty):

2016-05-17 Yusuke Suzuki <utatane.tea@gmail.com>

Unreviewed, dump more information when math-pow-stable-results.js failed
https://bugs.webkit.org/show_bug.cgi?id=157168

* tests/stress/math-pow-stable-results.js:

2016-05-16 Saam barati <sbarati@apple.com>

ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
https://bugs.webkit.org/show_bug.cgi?id=157770

Reviewed by Filip Pizlo.

ShadowChicken was reading the scope from a half-formed
frame as it threw a stack overflow exception. The frame had
a valid CodeBlock pointer, but it did not have a valid scope.
The code in ShadowChicken's throw packet logging mechanism didn't
account for this. The fix is to respect whether genericUnwind wants
to unwind from the current frame or the caller's frame. For stack
overflow errors, we always unwind the caller's frame.

* jit/JITExceptions.cpp:
(JSC::genericUnwind):

2016-05-16 Yusuke Suzuki <utatane.tea@gmail.com>

REGRESSION(r200208): It made 2 JSC stress tests fail on x86
https://bugs.webkit.org/show_bug.cgi?id=157168

Reviewed by Benjamin Poulain.

The fast path in operationMathPow produces different results between x87 and the other environments.
This is because x87 calculates the double value in 80-bit precision.
The situation is the following: in the x86 32-bit environment, floating point operations are compiled to
x87 operations by default even if we can use SSE2. But in the DFG environment, we aggressively use SSE2
if the cpuid reports SSE2 is available. As a result, the implementations differ between the C runtime
and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
problem since x87 has 80-bit precision while SSE2 has 64-bit precision.

In this patch, in the x86 32-bit environment, we use `volatile double` if `-mfpmath=sse` and `-msse2` (or later)
are not specified. This will round the x87 value to 64 bits per multiplication. Note that this problem does not
occur in the OS X clang 32-bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32-bit.

* b3/B3MathExtras.cpp:
(JSC::B3::powDoubleInt32):
* runtime/MathCommon.cpp:
(JSC::operationMathPow):

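As an added illustration of the rounding problem described in the entry above (example code written for this page; it is not JSC's operationMathPow or B3::powDoubleInt32), the integer-exponent fast path is modelled as exponentiation by squaring with the intermediate type left as a template parameter. `long double` stands in for the 80-bit x87 register file (that is what it is on x86 hosts, x86-64 included, so the divergence can be reproduced without a 32-bit build), and `volatile double` is the fix from the entry: a forced store, and therefore a 64-bit rounding, after every multiply, which is what the SSE2 JIT code does anyway. The function names and the scanning helper are this example's own.

```cpp
#include <cstdint>
#include <cstdio>

// Exponentiation by squaring for an int32 exponent, the shape of the fast
// path the entry talks about. Added example, not JSC's operationMathPow.
// 'Intermediate' is the type every partial product is stored in; that is
// what decides whether narrowing to 64 bits happens once or per multiply.
template<typename Intermediate>
double powByRepeatedMultiply(double base, int32_t exponent)
{
    // Negate through 64 bits so INT32_MIN cannot overflow.
    uint32_t n = exponent < 0
        ? static_cast<uint32_t>(-static_cast<int64_t>(exponent))
        : static_cast<uint32_t>(exponent);
    Intermediate result = 1.0;
    Intermediate x = base;
    while (n) {
        if (n & 1)
            result = result * x;
        n >>= 1;
        if (n)
            x = x * x;
    }
    double rounded = static_cast<double>(result);
    return exponent < 0 ? 1.0 / rounded : rounded;
}

// What a 32-bit x86 C runtime does without -mfpmath=sse: partial products
// stay in 80-bit x87 registers and are narrowed once at the end. On x86
// hosts 'long double' is that 80-bit type, so this reproduces the
// behaviour on an x86-64 machine as well.
double powExtendedIntermediates(double base, int32_t exponent)
{
    return powByRepeatedMultiply<long double>(base, exponent);
}

// What the SSE2 JIT does, and what the fix forces the C runtime to do:
// 'volatile' makes the compiler store after each multiply, so the value is
// rounded to 64 bits at every step. Where SSE math is already the default
// (x86-64, OS X 32-bit clang, any non-x86 target) it changes nothing.
double powDoubleIntermediates(double base, int32_t exponent)
{
    return powByRepeatedMultiply<volatile double>(base, exponent);
}

// Scans exponents 1..maxExponent and returns the first one where the two
// strategies disagree bit-for-bit, or -1 if they always agree. Inputs whose
// partial products are all exactly representable (powers of 2, small powers
// of 3) can never diverge; a base like 1.1 is where to look for one.
int32_t firstDivergingExponent(double base, int32_t maxExponent)
{
    for (int32_t e = 1; e <= maxExponent; ++e) {
        if (powExtendedIntermediates(base, e) != powDoubleIntermediates(base, e))
            return e;
    }
    return -1;
}

int main()
{
    std::printf("2^10 = %.17g\n", powDoubleIntermediates(2.0, 10));
    std::printf("first exponent where 1.1^n differs: %d\n",
                firstDivergingExponent(1.1, 64));
    return 0;
}
```

The checked cases are ones where every partial product is exactly representable, so both strategies must agree; calling `firstDivergingExponent(1.1, 64)` on an x87-capable host is the quick way to look for a mismatch. A test such as math-pow-stable-results.js is the engine-level equivalent of that check: the same expression has to produce the same bits in the C runtime and in every JIT tier.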
2016-05-16 Benjamin Poulain <bpoulain@apple.com>

[JSC] "return this" in a constructor does not need a branch on isObject(this)
https://bugs.webkit.org/show_bug.cgi?id=157775

Reviewed by Saam Barati and Ryosuke Niwa.

When returning "this" in a constructor, the bytecode generator was generating:

jtrue locX, 5(->second ret)

That code is eliminated in DFG but it is pretty costly in lower tiers.

This patch changes bytecode generation to avoid the is_object test
when possible and not generate two ret if they encode the same thing.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitReturn):

2016-05-16 Benjamin Poulain <bpoulain@apple.com>

[JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
https://bugs.webkit.org/show_bug.cgi?id=157766

Reviewed by Geoffrey Garen.

If the index is an integer constant, do not generate the index check.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):

2016-05-16 Benjamin Poulain <bpoulain@apple.com>

[JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
https://bugs.webkit.org/show_bug.cgi?id=157700

Reviewed by Michael Saboff.

In general, fillSpeculateInt32() originates from SpeculateInt32
and the user does not care about the tag.

This is particularly obvious on SunSpider's math-spectral-norm.js.
In that test, registers are frequently spilled because of x86's DIV.

When they are re-filled, they were always tagged.
Since the loops are small, all the tagging adds up.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):

2016-05-16 Saam barati <sbarati@apple.com>

Unreviewed CLoop build fix.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):

2016-05-16 Saam barati <sbarati@apple.com>

Hook up ShadowChicken to the debugger to show tail deleted frames
https://bugs.webkit.org/show_bug.cgi?id=156685
<rdar://problem/25770521>

Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.

The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
allow the Web Inspector to display the ShadowChicken's shadow stack.
This means the Web Inspector can now display tail deleted frames.
To make this work, I made the necessary changes to ShadowChicken and
DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
when representing both machine frames and tail deleted frames.

- ShadowChicken prologue packets now log the current scope. Tail packets
log the current scope, the 'this' value, the CodeBlock, and the
CallSiteIndex. This allows the inspector to not only show the
tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
with which scope it executed, and with which 'this' value. This
patch also allows DebuggerCallFrame to execute console statements
in a tail deleted frame.

- I changed ShadowChicken's stack resizing algorithm. ShadowChicken
now only keeps a maximum number of tail deleted frames in its shadow stack.
It will happily represent all machine frames without limit. Right now, the
maximum number of tail deleted frames I chose to keep alive is 128.
We will keep frames alive starting from the top of the stack. This
allows us to have a strong defense against runaway memory usage. We will only
keep around at most 128 "shadow" frames that wouldn't have naturally been kept
alive by the executing program. We can play around with this number
if we find that 128 is either too many or too few frames.

- DebuggerCallFrame is no longer a cheap class to create. When it is created,
we will eagerly create the entire virtual debugger stack. So I modified the
existing code to lazily create DebuggerCallFrames only when necessary. We
used to eagerly create them at each op_debug statement even though we would
just throw them away if we didn't hit a breakpoint.

- A valid DebuggerCallFrame will always have a valid CallFrame* pointer
into the stack. This pointer won't always refer to the logical frame
that the DebuggerCallFrame represents because a DebuggerCallFrame can
now represent a tail deleted frame. To do this, DebuggerCallFrame now
has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
to know when it represents a tail deleted frame and gives DebuggerCallFrame
a mechanism to ask the tail deleted frame for interesting information
(like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
machine frame pointer will be the machine caller of the tail deleted frame
(or the machine caller of the first of a series of consecutive tail calls).

- I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
with debugging opcodes. I did this because ShadowChicken may read a JSScope
from the machine stack. This is only safe if the machine CodeBlock was
compiled with debugging opcodes. This is safer than asking if the
CodeBlock's global object has an interactive debugger enabled because
it's theoretically possible for the debugger to be enabled while code
compiled without a debugger is still live on the stack. This field is
also now used to indicate to the DFGGraph that the interactive debugger

- Finally, this patch adds a new field to the Inspector's CallFrame protocol
object called 'isTailDeleted' to allow the Inspector to know when a
CallFrame represents a tail deleted frame.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::findPC):
(JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::clearDebuggerRequests):
(JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
(JSC::UnlinkedCodeBlock::finishCreation):
(JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitEnter):
(JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
(JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
(JSC::BytecodeGenerator::emitCallDefineProperty):
* debugger/Debugger.cpp:
(JSC::DebuggerPausedScope::DebuggerPausedScope):
(JSC::DebuggerPausedScope::~DebuggerPausedScope):
(JSC::Debugger::didReachBreakpoint):
(JSC::Debugger::currentDebuggerCallFrame):
* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::LineAndColumnFunctor::operator()):
(JSC::DebuggerCallFrame::create):
(JSC::DebuggerCallFrame::DebuggerCallFrame):
(JSC::DebuggerCallFrame::callerFrame):
(JSC::DebuggerCallFrame::globalExec):
(JSC::DebuggerCallFrame::vmEntryGlobalObject):
(JSC::DebuggerCallFrame::sourceID):
(JSC::DebuggerCallFrame::functionName):
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::type):
(JSC::DebuggerCallFrame::thisValue):
(JSC::DebuggerCallFrame::evaluateWithScopeExtension):
(JSC::DebuggerCallFrame::invalidate):
(JSC::DebuggerCallFrame::currentPosition):
(JSC::DebuggerCallFrame::positionForCallFrame):
(JSC::DebuggerCallFrame::sourceIDForCallFrame):
(JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
(JSC::FindCallerMidStackFunctor::operator()): Deleted.
(JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
(JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
* debugger/DebuggerCallFrame.h:
(JSC::DebuggerCallFrame::isValid):
(JSC::DebuggerCallFrame::isTailDeleted):
(JSC::DebuggerCallFrame::create): Deleted.
(JSC::DebuggerCallFrame::exec): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::~Graph):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addCallSite):
(JSC::DFG::JITCompiler::emitStoreCodeOrigin):
(JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
(JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
(JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
(JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
(JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
(JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
* inspector/InjectedScriptSource.js:
(InjectedScript.CallFrameProxy):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::thisObject):
(Inspector::JSJavaScriptCallFrame::isTailDeleted):
(Inspector::JSJavaScriptCallFrame::type):
* inspector/JSJavaScriptCallFrame.h:
* inspector/JSJavaScriptCallFramePrototype.cpp:
(Inspector::JSJavaScriptCallFramePrototype::finishCreation):
(Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
(Inspector::jsJavaScriptCallFrameAttributeType):
(Inspector::jsJavaScriptCallFrameIsTailDeleted):
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::type):
(Inspector::JavaScriptCallFrame::scopeChain):
(Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
(Inspector::JavaScriptCallFrame::isTailDeleted):
(Inspector::JavaScriptCallFrame::thisValue):
(Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::evaluateBreakpointAction):
* inspector/protocol/Debugger.json:
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):
(JSC::ShadowChicken::visitChildren):
(JSC::ShadowChicken::reset):
* interpreter/ShadowChicken.h:
(JSC::ShadowChicken::Packet::throwMarker):
(JSC::ShadowChicken::Packet::prologue):
(JSC::ShadowChicken::Packet::tail):
(JSC::ShadowChicken::Frame::Frame):
(JSC::ShadowChicken::Frame::operator==):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::logShadowChickenProloguePacket):
(JSC::CCallHelpers::logShadowChickenTailPacket):
(JSC::CCallHelpers::ensureShadowChickenPacket):
(JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
* jit/CCallHelpers.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_profile_type):
(JSC::JIT::emit_op_log_shadow_chicken_prologue):
(JSC::JIT::emit_op_log_shadow_chicken_tail):
(JSC::JIT::emit_op_get_enumerable_length):
(JSC::JIT::emit_op_resume):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_profile_type):
(JSC::JIT::emit_op_log_shadow_chicken_prologue):
(JSC::JIT::emit_op_log_shadow_chicken_tail):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
(JSC::RegisterSet::argumentGPRS):
(JSC::RegisterSet::registersToNotSaveForJSCall):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
* tests/stress/shadow-chicken-enabled.js:

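An added model of the shadow-stack rules the entry above spells out (written for this page; it is not JSC's ShadowChicken or DebuggerCallFrame, and `ShadowStack`, `ShadowFrame` and the scenario helpers are names chosen here). The real ShadowChicken reconstructs frames from a packet log plus the live machine stack; this model only keeps the observable behaviour: a tail call turns the running frame into a tail-deleted shadow frame whose reported machine frame is its machine caller, machine frames are never dropped, and at most a fixed number of tail-deleted frames (128, as in the entry) survive, counted from the top of the stack, so a runaway chain of tail calls cannot grow the shadow stack without bound.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// One entry of the debugger's view of the stack. Added example, not JSC code.
struct ShadowFrame {
    std::string callee;
    bool isTailDeleted;
    std::size_t machineFrame; // 1-based machine depth; 0 means "no machine caller"
};

class ShadowStack {
public:
    // 128 is the cap chosen in the entry above.
    explicit ShadowStack(std::size_t maxTailDeletedFrames = 128)
        : m_maxTailDeleted(maxTailDeletedFrames) { }

    // Prologue packet: a normal call created a fresh machine frame.
    void logPrologue(const std::string& callee)
    {
        m_frames.push_back({ callee, false, ++m_machineDepth });
    }

    // Tail packet: the running function is about to tail-call 'callee'. The
    // callee reuses its machine frame, so the caller survives only as a
    // tail-deleted shadow frame whose machineFrame is its machine caller
    // (the frame below it, also the caller of the whole tail-call chain).
    void logTail(const std::string& callee)
    {
        if (m_frames.empty())
            return;
        std::size_t reusedSlot = m_frames.back().machineFrame;
        m_frames.back().isTailDeleted = true;
        m_frames.back().machineFrame = reusedSlot - 1;
        ++m_tailDeletedCount;
        m_frames.push_back({ callee, false, reusedSlot });
        if (m_tailDeletedCount > m_maxTailDeleted)
            dropOldestTailDeletedFrame();
    }

    // Return: the top machine frame pops, and with it the tail-deleted
    // frames beneath it that shared its machine slot.
    void logReturn()
    {
        if (m_frames.empty())
            return;
        m_frames.pop_back();
        --m_machineDepth;
        while (!m_frames.empty() && m_frames.back().isTailDeleted) {
            m_frames.pop_back();
            --m_tailDeletedCount;
        }
    }

    // Debugger view, youngest frame first. 'isTailDeleted' is the field the
    // Inspector protocol gained in this change.
    std::vector<ShadowFrame> frames() const
    {
        return std::vector<ShadowFrame>(m_frames.rbegin(), m_frames.rend());
    }

    std::size_t tailDeletedFrameCount() const { return m_tailDeletedCount; }
    std::size_t machineFrameCount() const { return m_machineDepth; }

private:
    // The memory bound: the real stack already pays for machine frames, so
    // they are never dropped; once the cap on tail-deleted frames is
    // exceeded, the one furthest from the top of the stack goes first.
    void dropOldestTailDeletedFrame()
    {
        for (auto it = m_frames.begin(); it != m_frames.end(); ++it) {
            if (it->isTailDeleted) {
                m_frames.erase(it);
                --m_tailDeletedCount;
                return;
            }
        }
    }

    std::vector<ShadowFrame> m_frames;
    std::size_t m_machineDepth = 0;
    std::size_t m_tailDeletedCount = 0;
    std::size_t m_maxTailDeleted;
};

// Constructed scenario: main calls a; a tail-calls b; b tail-calls c.
std::vector<ShadowFrame> tailChainScenario()
{
    ShadowStack stack;
    stack.logPrologue("main");
    stack.logPrologue("a");
    stack.logTail("b");
    stack.logTail("c");
    return stack.frames();
}

// Constructed scenario: main calls f0, which makes 'tailCalls' consecutive
// tail calls f1, f2, ... without ever returning.
ShadowStack runawayTailCallScenario(int tailCalls)
{
    ShadowStack stack;
    stack.logPrologue("main");
    stack.logPrologue("f0");
    for (int i = 1; i <= tailCalls; ++i)
        stack.logTail("f" + std::to_string(i));
    return stack;
}
```

In the first scenario the debugger sees four frames: c on the machine stack at depth 2, then b and a flagged tail-deleted and both reporting machine frame 1 (their shared machine caller, main), then main. In the second, 300 tail calls leave exactly 128 tail-deleted frames behind the live f300, and the single return that eventually happens discards all of them at once.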
2016-05-16 Saam barati <sbarati@apple.com>

TypeSet/StructureShape have a flawed sense of JS prototype chains
https://bugs.webkit.org/show_bug.cgi?id=157760

Reviewed by Joseph Pecoraro.

There was an assumption that we would bottom out in "Object". This is
not true for many reasons. JS objects may not end in Object.prototype.
Also, our mechanism of grabbing an Object's class name may also not
bottom out in "Object". We were seeing this in the JS objects we use
in the InjectedScriptSource.js inspector script.

* runtime/TypeSet.cpp:
(JSC::StructureShape::leastCommonAncestor):
* tests/typeProfiler/weird-prototype-chain.js: Added.

2016-05-16 Joseph Pecoraro <pecoraro@apple.com>

Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.

* API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
* API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
* bytecode/UnlinkedFunctionExecutable.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitCallVarargs):
(JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
(JSC::BytecodeGenerator::emitConstructVarargs):
(JSC::BytecodeGenerator::emitConstruct):
* bytecompiler/BytecodeGenerator.h:
(JSC::CallArguments::profileHookRegister):
(JSC::BytecodeGenerator::shouldEmitProfileHooks):
* bytecompiler/NodesCodegen.cpp:
(JSC::CallArguments::CallArguments):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* inspector/InjectedScriptBase.cpp:
(Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
* inspector/protocol/Timeline.json:
* interpreter/Interpreter.cpp:
(JSC::UnwindFunctor::operator()):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::JIT::privateCompileMainPass):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_profile_will_call):
(JSC::JIT::emit_op_profile_did_call):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_profile_will_call):
(JSC::JIT::emit_op_profile_did_call):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* parser/ParserModes.h:
* profiler/CallIdentifier.h: Added.
(JSC::CallIdentifier::CallIdentifier):
(JSC::CallIdentifier::functionName):
(JSC::CallIdentifier::url):
(JSC::CallIdentifier::lineNumber):
(JSC::CallIdentifier::columnNumber):
(JSC::CallIdentifier::operator==):
(JSC::CallIdentifier::operator!=):
(JSC::CallIdentifier::Hash::hash):
(JSC::CallIdentifier::Hash::equal):
(JSC::CallIdentifier::hash):
(JSC::CallIdentifier::operator const char*):
(JSC::CallIdentifier::c_str):
(WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
(WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
* profiler/LegacyProfiler.cpp: Added.
(JSC::LegacyProfiler::profiler):
(JSC::LegacyProfiler::startProfiling):
(JSC::LegacyProfiler::stopProfiling):
(JSC::callFunctionForProfilesWithGroup):
(JSC::LegacyProfiler::suspendProfiling):
(JSC::LegacyProfiler::unsuspendProfiling):
(JSC::LegacyProfiler::willExecute):
(JSC::LegacyProfiler::didExecute):
(JSC::LegacyProfiler::exceptionUnwind):
(JSC::LegacyProfiler::createCallIdentifier):
(JSC::createCallIdentifierFromFunctionImp):
* profiler/LegacyProfiler.h: Added.
(JSC::LegacyProfiler::currentProfiles):
* profiler/Profile.cpp: Added.
(JSC::Profile::create):
(JSC::Profile::Profile):
(JSC::Profile::~Profile):
(JSC::Profile::debugPrint):
(JSC::functionNameCountPairComparator):
(JSC::Profile::debugPrintSampleStyle):
* profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
* profiler/ProfileGenerator.cpp: Added.
(JSC::ProfileGenerator::create):
(JSC::ProfileGenerator::ProfileGenerator):
(JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
(JSC::AddParentForConsoleStartFunctor::foundParent):
(JSC::AddParentForConsoleStartFunctor::operator()):
(JSC::ProfileGenerator::addParentForConsoleStart):
(JSC::ProfileGenerator::title):
(JSC::ProfileGenerator::beginCallEntry):
(JSC::ProfileGenerator::endCallEntry):
(JSC::ProfileGenerator::willExecute):
(JSC::ProfileGenerator::didExecute):
(JSC::ProfileGenerator::exceptionUnwind):
(JSC::ProfileGenerator::stopProfiling):
(JSC::ProfileGenerator::removeProfileStart):
(JSC::ProfileGenerator::removeProfileEnd):
* profiler/ProfileGenerator.h: Added.
(JSC::ProfileGenerator::profile):
(JSC::ProfileGenerator::origin):
(JSC::ProfileGenerator::profileGroup):
(JSC::ProfileGenerator::setIsSuspended):
* profiler/ProfileNode.cpp: Added.
(JSC::ProfileNode::ProfileNode):
(JSC::ProfileNode::addChild):
(JSC::ProfileNode::removeChild):
(JSC::ProfileNode::spliceNode):
(JSC::ProfileNode::traverseNextNodePostOrder):
(JSC::ProfileNode::debugPrint):
(JSC::ProfileNode::debugPrintSampleStyle):
(JSC::ProfileNode::debugPrintRecursively):
(JSC::ProfileNode::debugPrintSampleStyleRecursively):
* profiler/ProfileNode.h: Added.
(JSC::ProfileNode::create):
(JSC::ProfileNode::Call::Call):
(JSC::ProfileNode::Call::startTime):
(JSC::ProfileNode::Call::setStartTime):
(JSC::ProfileNode::Call::elapsedTime):
(JSC::ProfileNode::Call::setElapsedTime):
(JSC::ProfileNode::operator==):
(JSC::ProfileNode::callerCallFrame):
(JSC::ProfileNode::callIdentifier):
(JSC::ProfileNode::id):
(JSC::ProfileNode::functionName):
(JSC::ProfileNode::url):
(JSC::ProfileNode::lineNumber):
(JSC::ProfileNode::columnNumber):
(JSC::ProfileNode::parent):
(JSC::ProfileNode::setParent):
(JSC::ProfileNode::calls):
(JSC::ProfileNode::lastCall):
(JSC::ProfileNode::appendCall):
(JSC::ProfileNode::children):
(JSC::ProfileNode::firstChild):
(JSC::ProfileNode::lastChild):
(JSC::ProfileNode::nextSibling):
(JSC::ProfileNode::setNextSibling):
(JSC::ProfileNode::forEachNodePostorder):
(JSC::CalculateProfileSubtreeDataFunctor::operator()):
(JSC::CalculateProfileSubtreeDataFunctor::returnValue):
* profiler/ProfilerJettisonReason.cpp:
(WTF::printInternal):
* profiler/ProfilerJettisonReason.h:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
(JSC::CodeCache::getProgramCodeBlock):
(JSC::CodeCache::getEvalCodeBlock):
(JSC::CodeCache::getModuleProgramCodeBlock):
* runtime/CodeCache.h:
* runtime/Executable.cpp:
(JSC::ScriptExecutable::newCodeBlockFor):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::~JSGlobalObject):
(JSC::JSGlobalObject::hasLegacyProfiler):
(JSC::JSGlobalObject::createProgramCodeBlock):
(JSC::JSGlobalObject::createEvalCodeBlock):
(JSC::JSGlobalObject::createModuleProgramCodeBlock):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::supportsLegacyProfiling):
(JSC::SetEnabledProfilerFunctor::operator()):
(JSC::VM::setEnabledProfiler):
(JSC::VM::enabledProfiler):
(JSC::VM::enabledProfilerAddress):

2016-05-16 Konstantin Tokarev <annulen@yandex.ru>

Unreviewed, fixed typo in a comment.

* assembler/MacroAssembler.h: Replaced "onvenience" with

2016-05-16 Filip Pizlo <fpizlo@apple.com>

FixupPhase should be more eager to demote bit math to untyped
https://bugs.webkit.org/show_bug.cgi?id=157746

Reviewed by Mark Lam.

This just makes the logic for how we fixup bit math match the way we do it in other places.
This doesn't affect performance on any major benchmark but it's a big win on new
microbenchmarks added in this change.

object-and      11.1610+-0.7602    ^    4.8105+-0.1690    ^ definitely 2.3201x faster
object-or       11.0845+-0.2487    ^    4.7146+-0.0374    ^ definitely 2.3511x faster
object-xor      10.2946+-0.9946    ^    4.7278+-0.0814    ^ definitely 2.1775x faster
object-lshift   10.4896+-1.0867    ^    4.7699+-0.0721    ^ definitely 2.1991x faster
object-rshift   11.1239+-0.5010    ^    4.7194+-0.0445    ^ definitely 2.3570x faster
object-urshift  10.9745+-0.1315    ^    4.7848+-0.0479    ^ definitely 2.2936x faster

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

2016-05-15 Michael Saboff <msaboff@apple.com>

RegExp /y flag incorrect handling of mixed-length alternation
https://bugs.webkit.org/show_bug.cgi?id=157723

Reviewed by Filip Pizlo.

Previously for sticky patterns, we were bailing out and exiting when backtracking
alternatives with dissimilar match lengths. Deleted that code. Instead, for
sticky patterns we need to process the backtracking except for advancing to the

(JSC::Yarr::YarrGenerator::backtrack):

2016-05-15 Filip Pizlo <fpizlo@apple.com>

DFG::Plan shouldn't read from its VM once it's been cancelled
https://bugs.webkit.org/show_bug.cgi?id=157726

Reviewed by Saam Barati.

Plan::vm was a reference, not a pointer, and so wasn't nulled by Plan::cancel(). So, a
cancelled plan may have a dangling pointer to a VM: we could delete the VM after cancelling

Prior to http://trac.webkit.org/changeset/200705, this was probably fine because nobody
would read Plan::vm if the plan was cancelled. But r200705 changed that. It was a hard
regression to spot because usually a cancelled plan will still refer to a valid VM.

This change fixes the regression and makes it a lot easier to spot the regression in the
future. Plan::vm is now a pointer and we null it in Plan::cancel(). Now if you make this
mistake, you will get a crash anytime the Plan is cancelled, not just anytime the plan is
cancelled and the VM gets deleted. Also, it's now very clear what to do when you want to
use Plan::vm on the cancel path: you can null-check vm; if it's null, assume the worst.

Because we null the VM of a cancelled plan, we cannot have Safepoint::vm() return the
plan's VM anymore. That's because when we cancel a plan that is at a safepoint, we use the
safepoint's VM to determine whether this is one of our safepoints *after* the plan is
already cancelled. So, Safepoint now has its own copy of m_vm, and that copy gets nulled
when the Safepoint is cancelled. The Safepoint's m_vm will be nulled moments after Plan's
vm gets nulled (see Worklist::removeDeadPlans(), which has a cancel path for Plans in one
loop and a cancel path for Safepoints in the loop after it).

* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalizeCommon):
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::computeCompileTimes):
(JSC::DFG::Plan::reportCompileTimes):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::reallyAdd):
(JSC::DFG::Plan::notifyCompiling):
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::canTierUpAndOSREnter):
* dfg/DFGSafepoint.cpp:
(JSC::DFG::Safepoint::cancel):
(JSC::DFG::Safepoint::vm):
* dfg/DFGSafepoint.h:
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::isActiveForVM):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::rememberCodeBlocks):
(JSC::DFG::Worklist::visitWeakReferences):
(JSC::DFG::Worklist::removeDeadPlans):
(JSC::DFG::Worklist::runThread):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):

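An added example of the ownership change the entry above describes (written for this page; it is not JSC's DFG::Plan, DFG::Safepoint or DFG::Worklist, and the class and function names below are this example's own, kept close to the ChangeLog's). The "before" class holds the VM by reference and so cannot forget it when cancelled; the "after" class holds a pointer that cancel() nulls, so a reader that ignores the cancel path fails on every cancelled plan rather than only on the rare one whose VM was freed; and the safepoint keeps its own copy of the VM pointer so the second loop of removeDeadPlans() can still match it after the plan's pointer is gone.

```cpp
#include <vector>

// Stand-in for the VM a plan compiles for. Added example, not JSC code.
struct VM {
    explicit VM(int id) : id(id) { }
    int id;
};

// Before the fix: the VM is held by reference. A reference cannot be
// reset, so after cancel() the plan still points at a VM its owner may
// delete next; reading it then is a use-after-free that only surfaces if
// the VM really was destroyed, which is why the regression was hard to spot.
class PlanHoldingReference {
public:
    explicit PlanHoldingReference(VM& vm) : m_vm(vm) { }
    void cancel() { m_cancelled = true; /* nothing can be done about m_vm */ }
    bool isCancelled() const { return m_cancelled; }
    int vmId() const { return m_vm.id; } // dangling once the VM is gone
private:
    VM& m_vm;
    bool m_cancelled = false;
};

// After the fix: a pointer that cancel() nulls. A reader on the cancel
// path has an explicit "null means assume the worst" branch.
class Plan {
public:
    explicit Plan(VM& vm) : m_vm(&vm) { }
    void cancel() { m_vm = nullptr; }
    bool isCancelled() const { return !m_vm; }
    VM* vm() const { return m_vm; }
    // Finalizer-style reader: with no VM there is nothing safe to install.
    bool canFinalize() const { return m_vm != nullptr; }
private:
    VM* m_vm;
};

// Safepoint keeps its own copy of the VM pointer instead of asking the
// plan, because the worklist cancels plans first and only afterwards walks
// the safepoints, matching them by VM; by then plan->vm() is already null.
class Safepoint {
public:
    explicit Safepoint(Plan& plan) : m_plan(&plan), m_vm(plan.vm()) { }
    void cancel() { m_vm = nullptr; }
    VM* vm() const { return m_vm; }
    Plan& plan() const { return *m_plan; }
private:
    Plan* m_plan;
    VM* m_vm;
};

// Models Worklist::removeDeadPlans(): one loop cancels every plan for the
// dying VM, a second loop cancels the safepoints that belong to it. The
// second loop works only because each safepoint remembered the VM itself.
void removeDeadPlans(VM& dyingVM, std::vector<Plan*>& plans,
                     std::vector<Safepoint*>& safepoints)
{
    for (Plan* plan : plans) {
        if (plan->vm() == &dyingVM)
            plan->cancel();
    }
    for (Safepoint* safepoint : safepoints) {
        if (safepoint->vm() == &dyingVM)
            safepoint->cancel();
    }
}

// Constructed scenario: two VMs, one plan each, both parked at a
// safepoint; the first VM dies. Returns true if only its plan and
// safepoint were cancelled and the cancelled plan reads as unusable.
bool deadPlansAreCancelledAndOthersSurvive()
{
    VM dying(1), alive(2);
    Plan dyingPlan(dying), alivePlan(alive);
    Safepoint dyingSafepoint(dyingPlan), aliveSafepoint(alivePlan);
    std::vector<Plan*> plans { &dyingPlan, &alivePlan };
    std::vector<Safepoint*> safepoints { &dyingSafepoint, &aliveSafepoint };

    removeDeadPlans(dying, plans, safepoints);

    bool dyingCancelled = dyingPlan.isCancelled() && !dyingPlan.canFinalize()
        && dyingSafepoint.vm() == nullptr;
    bool aliveUntouched = !alivePlan.isCancelled() && alivePlan.canFinalize()
        && aliveSafepoint.vm() == &alive;
    return dyingCancelled && aliveUntouched;
}
```

The point of the pointer-plus-null convention is the failure mode it buys: a stale `m_vm->` dereference after cancel() now faults on the first cancelled plan a test produces, instead of corrupting memory only in the run where the VM happened to be freed first.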
763 2016-05-15 Yusuke Suzuki <utatane.tea@gmail.com>
765 Modernize Intl constructors; using InternalFunction::createSubclassStructure
766 https://bugs.webkit.org/show_bug.cgi?id=157082
768 Reviewed by Darin Adler.
770 Previously, Intl constructors retrieve "prototype" to inherit the "new.target".
771 At that time, this mis-assumed that getDirect() always returns a meaningful JS value.
772 Actually, it returns an empty value if a property does not exist.
774 Instead of fixing this assertion, we now use InternalFunction::createSubclassStructure
775 in Intl constructors. It is a modern and preferable way since it can cache the derived
776 structures in InternalFunction.
778 This patch also cleans up the workaround in Intl.NumberFormat and Intl.DateTimeFormat.
779 That code was largely duplicated. It is now extracted into
780 constructIntlInstanceWithWorkaroundForLegacyIntlConstructor. This cleanup does not
781 have any behavior changes. They are already tested in LayoutTests/js/intl-datetimeformat
782 and LayoutTests/js/intl-numberformat.
784 * JavaScriptCore.xcodeproj/project.pbxproj:
785 * runtime/IntlCollator.cpp:
786 (JSC::IntlCollator::create):
787 * runtime/IntlCollator.h:
788 * runtime/IntlCollatorConstructor.cpp:
789 (JSC::constructIntlCollator):
790 (JSC::callIntlCollator):
791 * runtime/IntlDateTimeFormat.cpp:
792 (JSC::IntlDateTimeFormat::create):
793 * runtime/IntlDateTimeFormat.h:
794 * runtime/IntlDateTimeFormatConstructor.cpp:
795 (JSC::constructIntlDateTimeFormat):
796 (JSC::callIntlDateTimeFormat):
797 * runtime/IntlDateTimeFormatPrototype.cpp:
798 (JSC::IntlDateTimeFormatPrototypeGetterFormat):
799 (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
800 * runtime/IntlNumberFormat.cpp:
801 (JSC::IntlNumberFormat::create):
802 * runtime/IntlNumberFormat.h:
803 * runtime/IntlNumberFormatConstructor.cpp:
804 (JSC::constructIntlNumberFormat):
805 (JSC::callIntlNumberFormat):
806 * runtime/IntlNumberFormatPrototype.cpp:
807 (JSC::IntlNumberFormatPrototypeGetterFormat):
808 (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
809 * runtime/IntlObjectInlines.h: Added.
810 (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
811 * tests/stress/intl-constructors-with-proxy.js: Added.
813 (throw.new.Error.Empty):
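The new.target behaviour the entry above relies on, as an added example (it is not JSC code and not the project's intl-constructors-with-proxy.js test): an Intl constructor takes the new object's prototype from new.target.prototype, and falls back to the intrinsic Intl prototype when that lookup yields nothing or a non-object. The Proxy new.targets, MyCollator and the helper names are constructed for this illustration.

```javascript
// Added example, not part of JSC or its test suite. It exercises the
// new.target handling that Intl constructors are expected to follow:
// the prototype of the new object comes from new.target.prototype, and if
// that is missing or not an object, the intrinsic Intl prototype is used.

// Construct `Ctor` with the given new.target and return the new object's
// prototype.
function prototypeOfConstructed(newTarget, Ctor = Intl.Collator) {
  return Object.getPrototypeOf(Reflect.construct(Ctor, [], newTarget));
}

// Ordinary subclass: new.target.prototype is a real object.
class MyCollator extends Intl.Collator {}

// new.target whose "prototype" lookup yields undefined (the case where a
// getDirect()-style lookup would see an empty value). The target is a plain
// function, whose "prototype" is writable, so the Proxy get trap is allowed
// to hide it without violating the Proxy invariants.
const hidingProxy = new Proxy(function () {}, { get: () => undefined });

// new.target whose "prototype" is a primitive, which is also "not an object".
const primitiveProtoProxy = new Proxy(function () {}, {
  get: (target, key) => (key === 'prototype' ? 42 : Reflect.get(target, key)),
});

// Reports which of the expected prototype choices hold. All four are true on
// a spec-conforming engine.
function checkIntlNewTarget() {
  return {
    subclass: prototypeOfConstructed(MyCollator) === MyCollator.prototype,
    hiddenPrototype: prototypeOfConstructed(hidingProxy) === Intl.Collator.prototype,
    primitivePrototype: prototypeOfConstructed(primitiveProtoProxy) === Intl.Collator.prototype,
    numberFormat:
      prototypeOfConstructed(hidingProxy, Intl.NumberFormat) === Intl.NumberFormat.prototype,
  };
}
```

Run it in any engine with Intl support; a constructor that read `prototype` without checking for an empty result would trip on the two Proxy cases, which is exactly the situation the entry describes.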
817 2016-05-14 Joseph Pecoraro <pecoraro@apple.com>
819 Remove LegacyProfiler
820 https://bugs.webkit.org/show_bug.cgi?id=153565
822 Reviewed by Mark Lam.
824 JavaScriptCore now provides a sampling profiler and it is enabled
825 by all ports. Web Inspector switched months ago to using the
826 sampling profiler and displaying its data. Remove the legacy
827 profiler, as it is no longer being used by anything other than
828 console.profile and tests. We will update console.profile's
829 behavior soon to have new behavior and use the sampling data.
831 * API/JSProfilerPrivate.cpp: Removed.
832 * API/JSProfilerPrivate.h: Removed.
834 * JavaScriptCore.xcodeproj/project.pbxproj:
835 * bytecode/BytecodeList.json:
836 * bytecode/BytecodeUseDef.h:
837 (JSC::computeUsesForBytecodeOffset): Deleted.
838 (JSC::computeDefsForBytecodeOffset): Deleted.
839 * bytecode/CodeBlock.cpp:
840 (JSC::CodeBlock::dumpBytecode): Deleted.
841 * bytecode/UnlinkedFunctionExecutable.cpp:
842 (JSC::generateUnlinkedFunctionCodeBlock):
843 (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
844 * bytecode/UnlinkedFunctionExecutable.h:
845 * bytecompiler/BytecodeGenerator.cpp:
846 (JSC::BytecodeGenerator::BytecodeGenerator):
847 (JSC::BytecodeGenerator::emitCall):
848 (JSC::BytecodeGenerator::emitCallVarargs):
849 (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
850 (JSC::BytecodeGenerator::emitConstructVarargs):
851 (JSC::BytecodeGenerator::emitConstruct):
852 * bytecompiler/BytecodeGenerator.h:
853 (JSC::CallArguments::profileHookRegister): Deleted.
854 (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
855 * bytecompiler/NodesCodegen.cpp:
856 (JSC::CallFunctionCallDotNode::emitBytecode):
857 (JSC::ApplyFunctionCallDotNode::emitBytecode):
858 (JSC::CallArguments::CallArguments): Deleted.
859 * dfg/DFGAbstractInterpreterInlines.h:
860 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
861 * dfg/DFGByteCodeParser.cpp:
862 (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
863 * dfg/DFGCapabilities.cpp:
864 (JSC::DFG::capabilityLevel): Deleted.
865 * dfg/DFGClobberize.h:
866 (JSC::DFG::clobberize): Deleted.
868 (JSC::DFG::doesGC): Deleted.
869 * dfg/DFGFixupPhase.cpp:
870 (JSC::DFG::FixupPhase::fixupNode): Deleted.
872 * dfg/DFGPredictionPropagationPhase.cpp:
873 * dfg/DFGSafeToExecute.h:
874 (JSC::DFG::safeToExecute): Deleted.
875 * dfg/DFGSpeculativeJIT32_64.cpp:
876 (JSC::DFG::SpeculativeJIT::compile): Deleted.
877 * dfg/DFGSpeculativeJIT64.cpp:
878 (JSC::DFG::SpeculativeJIT::compile): Deleted.
879 * inspector/InjectedScriptBase.cpp:
880 (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
881 * inspector/protocol/Timeline.json:
882 * interpreter/Interpreter.cpp:
883 (JSC::UnwindFunctor::operator()): Deleted.
884 (JSC::Interpreter::execute): Deleted.
885 (JSC::Interpreter::executeCall): Deleted.
886 (JSC::Interpreter::executeConstruct): Deleted.
888 (JSC::JIT::privateCompileMainPass): Deleted.
890 * jit/JITOpcodes.cpp:
891 (JSC::JIT::emit_op_profile_will_call): Deleted.
892 (JSC::JIT::emit_op_profile_did_call): Deleted.
893 * jit/JITOpcodes32_64.cpp:
894 (JSC::JIT::emit_op_profile_will_call): Deleted.
895 (JSC::JIT::emit_op_profile_did_call): Deleted.
896 * jit/JITOperations.cpp:
897 * jit/JITOperations.h:
899 * llint/LLIntSlowPaths.cpp:
900 (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
901 * llint/LLIntSlowPaths.h:
902 * llint/LowLevelInterpreter.asm:
903 * parser/ParserModes.h:
904 * profiler/CallIdentifier.h: Removed.
905 * profiler/LegacyProfiler.cpp: Removed.
906 * profiler/LegacyProfiler.h: Removed.
907 * profiler/Profile.cpp: Removed.
908 * profiler/Profile.h: Removed.
909 * profiler/ProfileGenerator.cpp: Removed.
910 * profiler/ProfileGenerator.h: Removed.
911 * profiler/ProfileNode.cpp: Removed.
912 * profiler/ProfileNode.h: Removed.
913 * profiler/ProfilerJettisonReason.cpp:
914 (WTF::printInternal): Deleted.
915 * profiler/ProfilerJettisonReason.h:
916 * runtime/CodeCache.cpp:
917 (JSC::CodeCache::getGlobalCodeBlock):
918 (JSC::CodeCache::getProgramCodeBlock):
919 (JSC::CodeCache::getEvalCodeBlock):
920 (JSC::CodeCache::getModuleProgramCodeBlock):
921 * runtime/CodeCache.h:
922 * runtime/Executable.cpp:
923 (JSC::ScriptExecutable::newCodeBlockFor):
924 * runtime/JSGlobalObject.cpp:
925 (JSC::JSGlobalObject::createProgramCodeBlock):
926 (JSC::JSGlobalObject::createEvalCodeBlock):
927 (JSC::JSGlobalObject::createModuleProgramCodeBlock):
928 (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
929 (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
930 * runtime/JSGlobalObject.h:
931 (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
934 (JSC::VM::VM): Deleted.
935 (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
936 (JSC::VM::setEnabledProfiler): Deleted.
938 (JSC::VM::enabledProfiler): Deleted.
939 (JSC::VM::enabledProfilerAddress): Deleted.
941 2016-05-13 Joseph Pecoraro <pecoraro@apple.com>
943 jsc: samplingProfilerStackTraces() without starting sampling should not cause jsc to crash
944 https://bugs.webkit.org/show_bug.cgi?id=157704
946 Reviewed by Saam Barati.
949 (functionStartSamplingProfiler):
950 (functionSamplingProfilerStackTraces):
951 Throw an exception instead of crashing if we haven't started sampling.
953 * inspector/agents/InspectorScriptProfilerAgent.cpp:
954 (Inspector::InspectorScriptProfilerAgent::startTracking):
957 (JSC::VM::ensureSamplingProfiler):
958 Switch ensure to returning a reference, like most other ensures.
960 2016-05-13 Saam barati <sbarati@apple.com>
962 DFG/FTL have a few bugs in their reasoning about the scope
963 https://bugs.webkit.org/show_bug.cgi?id=157696
965 Reviewed by Benjamin Poulain.
967 1. When the debugger is enabled, it is easier for the DFG to reason
968 about the scope register by simply claiming all nodes read the scope
969 register. This prevents us from ever entering the runtime where we
970 may take a stack trace but there isn't a scope on the stack.
972 2. This patch fixes a bug where the FTL compilation wasn't properly
973 setting the CodeBlock register. It was only doing this when there
974 was inline data, but when the debugger is enabled, we never inline.
975 So this code just needed to be removed from that loop. It was never
976 right for it to be inside the loop.
978 * dfg/DFGClobberize.h:
979 (JSC::DFG::clobberize):
980 * ftl/FTLCompile.cpp:
983 2016-05-13 Benjamin Poulain <bpoulain@apple.com>
985 [JSC] SetLocal without exit do not need phantoms
986 https://bugs.webkit.org/show_bug.cgi?id=157653
988 Reviewed by Filip Pizlo.
990 I made a mistake in r200498.
992 If a SetLocal cannot possibly exit, we were not clearing
993 the source of the operand. As a result, we sometimes kept
994 a value alive up to the end of the block.
996 That's uncommon because SetLocal typically appears
997 toward the end of blocks. That's probably why there was
998 no perf impact with that fix.
1000 * dfg/DFGPhantomInsertionPhase.cpp:
1002 2016-05-13 Benjamin Poulain <bpoulain@apple.com>
1004 [JSC] Move the CheckTierUp function calls out of the main path
1005 https://bugs.webkit.org/show_bug.cgi?id=157668
1007 Reviewed by Mark Lam.
1009 If you have a tiny tiny loop (for example, Sunspider's bits-in-byte),
1010 the size of CheckTierUp is a problem.
1012 On multi-issue CPUs, the node is so big that we do not
1013 get to run anything from the loop in the instruction fetch.
1015 On x86, having a bigger loop also pushes us out of the LSD.
1017 This is a 6% improvement on bits-in-byte. Other Sunspider tests
1018 only improve marginally.
1020 * dfg/DFGSpeculativeJIT.cpp:
1021 (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
1022 (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1023 * dfg/DFGSpeculativeJIT.h:
1024 (JSC::DFG::SpeculativeJIT::silentSpill):
1025 (JSC::DFG::SpeculativeJIT::silentFill):
1026 * dfg/DFGSpeculativeJIT64.cpp:
1027 (JSC::DFG::SpeculativeJIT::compile):
1029 2016-05-13 Benjamin Poulain <bpoulain@apple.com>
1031 [JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used
1032 https://bugs.webkit.org/show_bug.cgi?id=157671
1034 Reviewed by Mark Lam.
1036 This improves the chances of having a value
1037 when issuing the TEST.
1039 * jit/JITPropertyAccess.cpp:
1040 (JSC::JIT::emitLoadWithStructureCheck):
1042 2016-05-13 Joseph Pecoraro <pecoraro@apple.com>
1044 Web Inspector: Inform augmenting client when inspector controller is destroyed
1045 https://bugs.webkit.org/show_bug.cgi?id=157688
1046 <rdar://problem/25832724>
1048 Reviewed by Timothy Hatcher.
1050 * inspector/JSGlobalObjectInspectorController.cpp:
1051 (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
1052 * inspector/augmentable/AugmentableInspectorControllerClient.h:
1053 There is a weak relationship between the InspectorController and the
1054 AugmentingClient. Let the augmenting client know when the controller
1055 is destroyed so it doesn't try to use us anymore.
1057 2016-05-13 Geoffrey Garen <ggaren@apple.com>
1059 Runaway malloc memory usage in this simple JSC program
1060 https://bugs.webkit.org/show_bug.cgi?id=157682
1062 Reviewed by Mark Lam.
1065 (JSC::WeakSet::sweep): Whenever we might add a block to
1066 m_logicallyEmptyWeakBlocks, be sure also to sweep a block in
1067 m_logicallyEmptyWeakBlocks. Otherwise, additions might outpace removals
1068 even when all memory is freed.
1070 We do this whenever we *might* add a block and not just whenever we *do*
1071 add a block because we'd like to sweep the entries in
1072 m_logicallyEmptyWeakBlocks promptly even when it's not growing, and this
1073 is a reasonably rate-limited opportunity to do so.
1075 2016-05-13 Mark Lam <mark.lam@apple.com>
1077 We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
1078 https://bugs.webkit.org/show_bug.cgi?id=157537
1079 <rdar://problem/24794845>
1081 Reviewed by Michael Saboff.
1083 The pre-existing code behaves this way:
1085 1. When JS code throws an exception, it saves callee save registers in
1086 the VM calleeSaveRegistersBuffer. These values are meant to be restored
1087 to the callee save registers later either at the catch handler or at the
1088 uncaught exception handler.
1090 2. If the Inspector is enabled, the VM will invoke inspector C++ code to inspect
1091 the exception. That C++ code can change the values of the callee save
1094 The inspector code in turn re-enters the VM to execute JS inspector code.
1096 The JS inspector code can run hot enough that we do an enterOptimizationCheck
1097 on it. The enterOptimizationCheck first saves all callee save registers
1098 into the VM calleeSaveRegistersBuffer.
1100 This effectively overwrites the values in the VM calleeSaveRegistersBuffer
1103 3. Eventually, execution returns to the catch handler or the uncaught exception
1104 handler which restores the overwritten values in the VM
1105 calleeSaveRegistersBuffer to the callee save registers.
1107 When execution returns to the C++ code that entered the VM before (1), the
1108 values in the callee registers are not what that code expects, and badness
1109 and/or crashes ensue.
1111 This patch applies the following fix:
1113 1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
1114 This ensures that each VM entry session has its own buffer to use, and will
1115 not corrupt the one from the previous VM entry session.
1117 Delete the VM calleeSaveRegistersBuffer.
1119 2. Change all locations that use the VM calleeSaveRegistersBuffer to use the
1120 calleeSaveRegistersBuffer in the current VMEntryFrame.
1122 3. Rename all uses of the term "VMCalleeSavesBuffer" to
1123 "VMEntryFrameCalleeSavesBuffer".
1125 This fix has been tested on the following configurations:
1126 1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
1127 2. JSC tests on a release ASan build for 32-bit x86.
1128 3. JSC tests on a release normal (non-ASan) build for ARM64.
1129 4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
1130 5. JSC tests on a release ASan CLOOP build for x86_64.
1132 These test runs did not produce any new crashes. The ASan CLOOP has some
1133 pre-existing crashes which are not due to this patch.
1135 This bug can be tested by running the inspector/debugger/regress-133182.html test
1138 * bytecode/PolymorphicAccess.cpp:
1139 (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1140 * dfg/DFGJITCompiler.cpp:
1141 (JSC::DFG::JITCompiler::compileExceptionHandlers):
1142 * dfg/DFGOSREntry.cpp:
1143 (JSC::DFG::prepareOSREntry):
1144 * dfg/DFGOSRExitCompiler.cpp:
1145 * dfg/DFGOSRExitCompiler32_64.cpp:
1146 (JSC::DFG::OSRExitCompiler::compileExit):
1147 * dfg/DFGOSRExitCompiler64.cpp:
1148 (JSC::DFG::OSRExitCompiler::compileExit):
1149 * dfg/DFGThunks.cpp:
1150 (JSC::DFG::osrEntryThunkGenerator):
1151 * ftl/FTLCompile.cpp:
1152 (JSC::FTL::compile):
1153 * ftl/FTLLowerDFGToB3.cpp:
1154 (JSC::FTL::DFG::LowerDFGToB3::lower):
1155 * ftl/FTLOSRExitCompiler.cpp:
1156 (JSC::FTL::compileStub):
1157 * interpreter/Interpreter.cpp:
1158 (JSC::UnwindFunctor::operator()):
1159 (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1160 (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
1161 * interpreter/Interpreter.h:
1162 (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1163 * interpreter/VMEntryRecord.h:
1164 (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
1165 (JSC::VMEntryRecord::prevTopCallFrame):
1166 (JSC::VMEntryRecord::unsafePrevTopCallFrame):
1167 (JSC::VMEntryFrame::vmEntryRecordOffset):
1168 (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
1169 * jit/AssemblyHelpers.cpp:
1170 (JSC::AssemblyHelpers::emitRandomThunk):
1171 (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1172 (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
1173 * jit/AssemblyHelpers.h:
1174 (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
1175 (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1176 (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
1177 (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
1178 (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
1180 (JSC::JIT::emitEnterOptimizationCheck):
1181 (JSC::JIT::privateCompileExceptionHandlers):
1182 * jit/JITOpcodes.cpp:
1183 (JSC::JIT::emit_op_throw):
1184 (JSC::JIT::emit_op_catch):
1185 (JSC::JIT::emitSlow_op_loop_hint):
1186 * jit/JITOpcodes32_64.cpp:
1187 (JSC::JIT::emit_op_throw):
1188 (JSC::JIT::emit_op_catch):
1189 * jit/ThunkGenerators.cpp:
1190 (JSC::throwExceptionFromCallSlowPathGenerator):
1191 (JSC::nativeForGenerator):
1192 * llint/LLIntThunks.cpp:
1193 (JSC::vmEntryRecord):
1194 * llint/LowLevelInterpreter.asm:
1195 * llint/LowLevelInterpreter32_64.asm:
1196 * llint/LowLevelInterpreter64.asm:
1198 (JSC::VM::getCTIStub):
1199 (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
1200 * wasm/WASMFunctionCompiler.h:
1201 (JSC::WASMFunctionCompiler::endFunction):
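The three-step corruption sequence described in the entry above, replayed in a toy model as an added example (this is not JSC code; ModelVM, the single register r12 and the step functions are constructed for the illustration). One model keeps a single VM-wide buffer, the pre-fix layout; the other gives each entry frame its own buffer, as the fix does.

```javascript
// Added example, not JSC code: a toy model of the callee-save buffer bug.
// "Registers" are a plain object; one VM keeps a single VM-wide buffer (the
// pre-fix layout), the other gives each VMEntryFrame its own buffer.
class ModelVM {
  constructor({ bufferPerEntryFrame }) {
    this.bufferPerEntryFrame = bufferPerEntryFrame;
    this.buffer = null;        // the single VM-wide buffer (pre-fix)
    this.entryFrames = [];     // stack of VMEntryFrames, innermost last
    this.regs = { r12: 0 };    // a callee-save register
  }

  // Where callee saves go: the current VMEntryFrame, or the VM itself.
  bufferOwner() {
    return this.bufferPerEntryFrame
      ? this.entryFrames[this.entryFrames.length - 1]
      : this;
  }

  saveCalleeSaves() { this.bufferOwner().buffer = { ...this.regs }; }
  restoreCalleeSaves() { Object.assign(this.regs, this.bufferOwner().buffer); }

  // C++ enters the VM: push an entry frame, run JS, pop it on the way out.
  enter(body) {
    this.entryFrames.push({ buffer: null });
    try { return body(); } finally { this.entryFrames.pop(); }
  }
}

// Replays the three steps from the entry and returns the r12 value that the
// catch handler restores. The C++ code that entered the VM expects the value
// saved at the throw (1) to come back.
function replayScenario(bufferPerEntryFrame) {
  const vm = new ModelVM({ bufferPerEntryFrame });
  return vm.enter(() => {
    vm.regs.r12 = 1;
    vm.saveCalleeSaves();           // step 1: the throw saves callee saves
    vm.regs.r12 = 2;                // step 2: inspector C++ code uses r12 ...
    vm.enter(() => {                // ... and re-enters the VM to run JS
      vm.regs.r12 = 3;
      vm.saveCalleeSaves();         // enterOptimizationCheck saves again
      vm.restoreCalleeSaves();
    });
    vm.restoreCalleeSaves();        // step 3: the catch handler restores
    return vm.regs.r12;
  });
}
```

With the shared buffer, replayScenario(false) hands back 3, the value the inner entry session saved, instead of 1; with a buffer per entry frame, replayScenario(true) returns 1 because the inner session's save lands in its own frame.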
1203 2016-05-13 Beth Dakin <bdakin@apple.com>
1205 Add dyldSPI.h for linked on or after checks, and add one for link preview
1206 https://bugs.webkit.org/show_bug.cgi?id=157401
1208 rdar://problem/26253396
1210 Reviewed by Darin Adler.
1212 Import #import <wtf/spi/darwin/dyldSPI.h> which now declares all of the
1214 * API/JSWrapperMap.mm:
1216 2016-05-13 Yusuke Suzuki <utatane.tea@gmail.com>
1218 Assertion failure for direct eval in non-class method
1219 https://bugs.webkit.org/show_bug.cgi?id=157138
1221 Reviewed by Saam Barati.
1223 This assertion was incorrect. In method definitions in object literals,
1224 it can be sloppy mode, but its DerivedContextType may not be DerivedContextType::None.
1226 * bytecode/EvalCodeCache.h:
1227 (JSC::EvalCodeCache::CacheKey::CacheKey):
1228 (JSC::EvalCodeCache::CacheKey::operator==):
1229 (JSC::EvalCodeCache::CacheKey::Hash::equal):
1230 (JSC::EvalCodeCache::tryGet):
1231 (JSC::EvalCodeCache::getSlow):
1232 * interpreter/Interpreter.cpp:
1234 * tests/stress/direct-eval-in-object-literal-methods.js: Added.
1237 (shouldBe.Parent.prototype.l):
1239 (shouldBe.Derived.prototype.m):
1242 2016-05-13 Skachkov Oleksandr <gskachkov@gmail.com>
1244 Assertion failure for super() call in arrow function default parameters
1245 https://bugs.webkit.org/show_bug.cgi?id=157079
1247 Reviewed by Saam Barati.
1249 The root of the issue is that in arrow functions we load the bound variables this/super/new.target just after
1250 the input parameters were initialized, and did not cover the case of default values for
1251 function parameters.
1252 The current patch tries to fix the issue by allowing the bound variables to be loaded earlier, before the input
1253 parameters are assigned their default values.
1255 * bytecompiler/BytecodeGenerator.cpp:
1256 (JSC::BytecodeGenerator::BytecodeGenerator):
1257 * tests/stress/arrowfunction-lexical-bind-this-2.js:
1259 2016-05-12 Mark Lam <mark.lam@apple.com>
1261 Baseline and DFG's JSC_report...CompileTimes needs CodeBlock hashes.
1262 https://bugs.webkit.org/show_bug.cgi?id=157643
1264 Reviewed by Keith Miller.
1266 * runtime/Options.cpp:
1267 (JSC::recomputeDependentOptions):
1269 2016-05-12 Csaba Osztrogonác <ossy@webkit.org>
1271 Remove ENABLE(ES6_ARROWFUNCTION_SYNTAX) guards
1272 https://bugs.webkit.org/show_bug.cgi?id=157564
1274 Reviewed by Darin Adler.
1276 * Configurations/FeatureDefines.xcconfig:
1277 * parser/Parser.cpp:
1279 2016-05-12 Joseph Pecoraro <pecoraro@apple.com>
1281 Web Inspector: CRASH getting internal properties of function with no bound arguments causes
1282 https://bugs.webkit.org/show_bug.cgi?id=157613
1283 <rdar://problem/26238754>
1285 Reviewed by Timothy Hatcher.
1287 * inspector/JSInjectedScriptHost.cpp:
1288 (Inspector::JSInjectedScriptHost::getInternalProperties):
1289 Gracefully handle a JSBoundFunction with no bound arguments.
1290 In this case boundArgs is JSValue() which we don't want to
1291 expose as the value of the internal property.
1293 2016-05-11 Benjamin Poulain <bpoulain@apple.com>
1295 [JSC] Make sure StringRange is passed to Vector by register
1296 https://bugs.webkit.org/show_bug.cgi?id=157603
1298 Reviewed by Darin Adler.
1300 This is bizarre, but on my SDK, Vector::append(StringRange)
1301 is passing the values on the stack.
1302 The two integers are written to the stack, the address given
1303 to append(), then append() reads it back and stores it.
1305 This patch changes the code to use constructAndAppend(), ensuring
1306 the values are used directly.
1308 On my machine, this helps Sunspider and Octane.
1309 This might be something wrong with my SDK but the fix is so easy
1310 that we might as well do this.
1312 * runtime/StringPrototype.cpp:
1313 (JSC::removeUsingRegExpSearch):
1314 (JSC::replaceUsingRegExpSearch):
1316 2016-05-11 Zan Dobersek <zdobersek@igalia.com>
1318 ARMv7Assembler: suppress a -Wnarrowing warning when compiling with GCC
1319 https://bugs.webkit.org/show_bug.cgi?id=157576
1321 Reviewed by Csaba Osztrogonác.
1323 * assembler/ARMv7Assembler.h:
1324 (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2): Explicitly cast the
1325 `OP_CMP_reg_T2 | left` value to uint16_t, avoiding a narrowing conversion
1326 warning that's being reported when compiling with GCC. The warning is sprung
1327 due to RegisterID (which is the type of `left`) being an enum based on int,
1328 even when the enum itself only declares 23 values.
1330 2016-05-11 Joseph Pecoraro <pecoraro@apple.com>
1332 Web Inspector: `this` in Scope Chain Sidebar does not have preview, looks poor
1333 https://bugs.webkit.org/show_bug.cgi?id=157602
1335 Reviewed by Timothy Hatcher.
1337 * inspector/InjectedScriptSource.js:
1338 (InjectedScript.CallFrameProxy):
1339 Include a preview when creating the RemoteObject for `this`.
1341 2016-05-11 Keith Miller <keith_miller@apple.com>
1343 Unreviewed, correct the title of the ChangeLog for r200667.
1345 2016-05-11 Joseph Pecoraro <pecoraro@apple.com>
1347 JSC test stress/reflect-set.js failing after 200694
1348 https://bugs.webkit.org/show_bug.cgi?id=157586
1350 Unreviewed test rebaseline.
1352 * tests/stress/reflect-set.js:
1353 Update the expected error message. We are in strict mode, so the
1354 improved error message makes sense.
1356 2016-05-11 Filip Pizlo <fpizlo@apple.com>
1358 Beef up JSC profiler event log
1359 https://bugs.webkit.org/show_bug.cgi?id=157584
1361 Reviewed by Saam Barati.
1363 Also log more about compilation.
1365 * bytecode/ExecutionCounter.cpp: Changed the meaning of codeBlock to be the codeBlock that is doing the profiling. This will now get the baseline version if it needs it. This is needed for logging the threshold checking event.
1366 (JSC::applyMemoryUsageHeuristics):
1367 (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
1368 * dfg/DFGJITCode.cpp: Pass the right codeBlock.
1369 (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
1370 (JSC::DFG::JITCode::optimizeNextInvocation):
1371 (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
1372 (JSC::DFG::JITCode::optimizeSoon):
1373 (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
1374 * dfg/DFGPlan.cpp: Log things about compile times and whether the compiler succeeded or failed.
1375 (JSC::DFG::Plan::computeCompileTimes):
1376 (JSC::DFG::Plan::reportCompileTimes):
1377 (JSC::DFG::Plan::compileInThread):
1378 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1379 * jit/ExecutableAllocatorFixedVMPool.cpp: Make it possible to look at memory usage, though separately from the log, for now.
1380 (JSC::ExecutableAllocator::allocate):
1381 * runtime/Options.h:
1383 2016-05-11 Saam barati <sbarati@apple.com>
1385 Air may decide to put the result register of an arithmetic snippet in the tag register
1386 https://bugs.webkit.org/show_bug.cgi?id=157548
1388 Reviewed by Filip Pizlo.
1390 This patch adds a new ValueRep to B3 called LateRegister. The semantics
1391 are similar to Register in that it can be used to pin an argument to
1392 a particular register. It differs from ValueRep::Register in that the semantics of
1393 LateRegister are that it is used after the result of the node it's an argument to
1394 is computed. This means that a LateRegister argument will interfere with the result
1395 of a node. LateRegister is not a valid result ValueRep.
1397 This was needed because there was a bug where B3/Air would assign the
1398 result of a patchpoint to the TagTypeNumber register. This broke our
1399 code when we would box a double into a JSValue in a snippet when the
1400 result is the same as the TagTypeNumber register. To fix the issue,
1401 we pass TagMaskRegister and TagTypeNumberRegister as ValueRep::LateRegister
1402 arguments to various patchpoints.
1404 * b3/B3LowerToAir.cpp:
1405 (JSC::B3::Air::LowerToAir::fillStackmap):
1406 * b3/B3PatchpointSpecial.cpp:
1407 (JSC::B3::PatchpointSpecial::admitsStack):
1408 * b3/B3StackmapSpecial.cpp:
1409 (JSC::B3::StackmapSpecial::forEachArgImpl):
1410 (JSC::B3::StackmapSpecial::isArgValidForRep):
1411 * b3/B3Validate.cpp:
1412 * b3/B3ValueRep.cpp:
1413 (JSC::B3::ValueRep::addUsedRegistersTo):
1414 (JSC::B3::ValueRep::dump):
1415 (JSC::B3::ValueRep::emitRestore):
1416 (JSC::B3::ValueRep::recoveryForJSValue):
1417 (WTF::printInternal):
1419 (JSC::B3::ValueRep::reg):
1420 (JSC::B3::ValueRep::lateReg):
1421 (JSC::B3::ValueRep::stack):
1422 (JSC::B3::ValueRep::operator==):
1423 (JSC::B3::ValueRep::isSomeRegister):
1424 (JSC::B3::ValueRep::isReg):
1426 (JSC::B3::testSpillUseLargerThanDef):
1427 (JSC::B3::testLateRegister):
1430 * ftl/FTLLowerDFGToB3.cpp:
1431 (JSC::FTL::DFG::LowerDFGToB3::lower):
1432 (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1433 (JSC::FTL::DFG::LowerDFGToB3::getById):
1434 (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
1435 (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
1436 (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
1438 2016-05-11 Joseph Pecoraro <pecoraro@apple.com>
1440 Improve error messages for accessing arguments.callee and similar getters in strict mode
1441 https://bugs.webkit.org/show_bug.cgi?id=157545
1443 Reviewed by Mark Lam.
1445 * runtime/ClonedArguments.cpp:
1446 (JSC::ClonedArguments::getOwnPropertySlot):
1447 (JSC::ClonedArguments::materializeSpecials):
1448 Provide better error GetterSetter in strict mode.
1450 * runtime/JSFunction.cpp:
1451 (JSC::getThrowTypeErrorGetterSetter):
1452 (JSC::JSFunction::defineOwnProperty):
1453 Provide better error GetterSetter in strict mode.
1455 * runtime/JSGlobalObject.cpp:
1456 (JSC::JSGlobalObject::init):
1457 (JSC::JSGlobalObject::visitChildren):
1458 * runtime/JSGlobalObject.h:
1459 (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
1460 (JSC::JSGlobalObject::throwTypeErrorCalleeAndCallerGetterSetter):
1461 (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter):
1462 (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInClassContextGetterSetter):
1463 (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter): Deleted.
1464 * runtime/JSGlobalObjectFunctions.cpp:
1465 (JSC::globalFuncThrowTypeErrorCalleeAndCaller):
1466 (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInStrictMode):
1467 (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInClassContext):
1468 (JSC::globalFuncThrowTypeErrorArgumentsAndCaller): Deleted.
1469 * runtime/JSGlobalObjectFunctions.h:
1470 Rename and expose new handles for new error getter setter native functions.
1472 2016-05-11 Commit Queue <commit-queue@webkit.org>
1474 Unreviewed, rolling out r200481.
1475 https://bugs.webkit.org/show_bug.cgi?id=157573
1477 it's bad news for asm.js (Requested by pizlo on #webkit).
1481 "Reduce maximum JIT pool size on X86_64."
1482 http://trac.webkit.org/changeset/200481
1484 2016-05-10 Keith Miller <keith_miller@apple.com>
1486 TypedArray.prototype.slice should not use the byteLength of the passed array for memmove
1487 https://bugs.webkit.org/show_bug.cgi?id=157551
1488 <rdar://problem/26179914>
1490 Reviewed by Michael Saboff.
1492 The TypedArray.prototype.slice function would use the byteLength of the passed array
1493 to determine the amount of data to copy. It should have been using the passed length
1494 times the size of each element. This fixes a crash on JavaPoly.com
1496 * runtime/JSGenericTypedArrayViewInlines.h:
1497 (JSC::JSGenericTypedArrayView<Adaptor>::set):
1498 * tests/stress/typedarray-slice.js:
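A reference slice that sizes its copy the way the entry above says it should be sized, as an added example (not JSC's implementation): the number of bytes moved is the element count times BYTES_PER_ELEMENT, never the byteLength of the view being copied from. The helper names and the bounds guard are constructed for this illustration.

```javascript
// Added example, not JSC code: a reference slice for typed arrays that sizes
// its copy from the element count (count * BYTES_PER_ELEMENT) rather than
// from the byteLength of the array being copied.
function relativeIndex(i, len) {
  return i < 0 ? Math.max(len + i, 0) : Math.min(i, len);
}

// Bytes a copy of `count` elements of `view` must move, next to the
// byteLength that the buggy code used instead.
function copyByteCounts(view, count) {
  return { correct: count * view.BYTES_PER_ELEMENT, buggy: view.byteLength };
}

function sliceTypedArray(view, start = 0, end = view.length) {
  const from = relativeIndex(start, view.length);
  const to = relativeIndex(end, view.length);
  const count = Math.max(to - from, 0);
  const result = new view.constructor(count);
  const { correct: byteCount } = copyByteCounts(view, count);
  // Guard that would have caught the original bug: never move more bytes
  // than the destination owns.
  if (byteCount > result.byteLength) {
    throw new RangeError('copy would overrun destination');
  }
  // memmove-style copy of exactly byteCount bytes, honouring the source
  // view's byteOffset so views into larger buffers are handled too.
  const src = new Uint8Array(
    view.buffer,
    view.byteOffset + from * view.BYTES_PER_ELEMENT,
    byteCount,
  );
  new Uint8Array(result.buffer).set(src);
  return result;
}
```

For an eight-element Int32Array, copyByteCounts(a, 3) reports 12 correct bytes against a byteLength of 32; the buggy size would write 20 bytes past a three-element destination.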
1500 2016-05-10 Michael Saboff <msaboff@apple.com>
1502 REGRESSION(r200447): Unable to build C_LOOP with clang version 800.0.12 or higher
1503 https://bugs.webkit.org/show_bug.cgi?id=157549
1505 Reviewed by Keith Miller.
1507 Disable debug annotations for C_LOOP builds. They are inline assembly directives,
1508 which are unnecessary and cause syntax errors.
1510 * offlineasm/asm.rb:
1512 2016-05-10 Filip Pizlo <fpizlo@apple.com>
1514 Internal JSC profiler should have a timestamped log of events for each code block
1515 https://bugs.webkit.org/show_bug.cgi?id=157538
1517 Reviewed by Benjamin Poulain.
1519 For example, in 3d-cube, I can query the events for MMulti and I get:
1521 1462917476.17083 MMulti#DTZ7qc installCode
1522 1462917476.179663 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode
1523 1462917476.179664 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline osrEntry at bc#49
1524 1462917476.185651 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1011.214233/1717.000000, -707
1525 1462917476.187913 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG installCode
1526 1462917476.187917 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG osrEntry at bc#49
1527 1462917476.205365 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG jettison due to OSRExit, counting = true, detail = (null)
1528 1462917476.205368 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit bc#65: BadCache/FromDFG
1529 1462917476.205369 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode
1530 1462917476.205482 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/3434.000000, -1000
1531 1462917476.211547 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/3434.000000, -1000
1532 1462917476.213721 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG installCode
1533 1462917476.213726 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG osrEntry at bc#49
1534 1462917476.223976 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG jettison due to OSRExit, counting = true, detail = (null)
        1462917476.223981 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit bc#77: BadCache/FromDFG
        1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit bc#94: BadCache/FromDFG
        1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode
        1462917476.224064 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/6868.000000, -1000
        1462917476.224151 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/6868.000000, -1000
        1462917476.224258 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 3013.000000/6868.000000, -1000
        1462917476.224337 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 4023.000000/6868.000000, -1000
        1462917476.224425 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 5023.000000/6868.000000, -1000
        1462917476.224785 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 6023.396484/6868.000000, -862
        1462917476.227669 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG installCode
        1462917476.227675 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG osrEntry at bc#0

        The output is ugly but useful. We can make it less ugly later.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::ScriptExecutable::forEachCodeBlock):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::add):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOperations.cpp:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        (JSC::JIT::privateCompile):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::setJettisonReason):
        (JSC::Profiler::Compilation::dump):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::uid):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        (JSC::Profiler::Database::notifyDestruction):
        (JSC::Profiler::Database::addCompilation):
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::registerToSaveAtExit):
        (JSC::Profiler::Database::logEvent):
        (JSC::Profiler::Database::addDatabaseToAtExit):
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerEvent.cpp: Added.
        (JSC::Profiler::Event::dump):
        (JSC::Profiler::Event::toJS):
        * profiler/ProfilerEvent.h: Added.
        (JSC::Profiler::Event::Event):
        (JSC::Profiler::Event::operator bool):
        (JSC::Profiler::Event::time):
        (JSC::Profiler::Event::bytecodes):
        (JSC::Profiler::Event::compilation):
        (JSC::Profiler::Event::summary):
        (JSC::Profiler::Event::detail):
        * profiler/ProfilerUID.cpp: Added.
        (JSC::Profiler::UID::create):
        (JSC::Profiler::UID::dump):
        (JSC::Profiler::UID::toJS):
        * profiler/ProfilerUID.h: Added.
        (JSC::Profiler::UID::UID):
        (JSC::Profiler::UID::fromInt):
        (JSC::Profiler::UID::toInt):
        (JSC::Profiler::UID::operator==):
        (JSC::Profiler::UID::operator!=):
        (JSC::Profiler::UID::operator bool):
        (JSC::Profiler::UID::isHashTableDeletedValue):
        (JSC::Profiler::UID::hash):
        (JSC::Profiler::UIDHash::hash):
        (JSC::Profiler::UIDHash::equal):
        * runtime/CommonIdentifiers.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::VM::bytecodeIntrinsicRegistry):
        (JSC::VM::shadowChicken):
        * runtime/VMInlines.h:
        (JSC::VM::shouldTriggerTermination):
        (JSC::VM::logEvent):

2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Backend should initiate timeline recordings on page navigations to ensure nothing is missed
        https://bugs.webkit.org/show_bug.cgi?id=157504
        <rdar://problem/26188642>

        Reviewed by Brian Burg.

        * inspector/protocol/Timeline.json:
        Add protocol commands to enable/disable auto capture and list the
        instruments that should be enabled when auto capture starts.
        Add protocol event for when the backend starts an auto capture.

2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>

        Make the different evaluateWithScopeExtension implementations more consistent
        https://bugs.webkit.org/show_bug.cgi?id=157536

        Reviewed by Timothy Hatcher.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        Throw the exception consistent with JSJavaScriptCallFrame.

        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        Better error message consistent with InjectedScriptHost.

        * runtime/Completion.h:
        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        Give this an Exception out parameter like other evaluations
        so the caller can decide what to do with it.

2016-05-10  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] FTL can produce GetByVal nodes without proper bounds checking
        https://bugs.webkit.org/show_bug.cgi?id=157502
        rdar://problem/26027027

        Reviewed by Filip Pizlo.

        It was possible for FTL to generate GetByVal on arbitrary offsets
        without any bounds checking.

        The bug is caused by the order of optimization phases:
        -First, the Integer Range Optimization proves that a CheckInBounds
         test can never fail.
         This proof is based on control flow or preceding instructions.

        -The Loop Invariant Code Motion phase finds that the GetByVal does not
         depend on anything in the loop and hoists it out of the loop.
        -> As a result, the conditions that were necessary to eliminate
           the CheckInBounds are no longer met before the GetByVal.

        This patch just moves the Integer Range Optimization phase after
        Loop Invariant Code Motion to make sure no code is moved after
        its integer range bounds proofs have been used.

        (JSC::DFG::Plan::compileInThreadImpl):
        * tests/stress/bounds-check-not-eliminated-by-licm.js: Added.

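The code shape this entry describes, a loop-invariant array read whose CheckInBounds can be proven away from a guard inside the loop, written as an added illustration in the form of a tiering regression test. This is constructed example code, not the stress test the patch adds; the function names, the sample array and the warm-up count are assumptions.

```javascript
// Constructed example (not WebKit's bounds-check-not-eliminated-by-licm.js).
// The read `array[k]` does not depend on the loop variable, so it is a
// loop-invariant-code-motion candidate; the guard `k < array.length` is the
// control-flow fact a range optimizer may use to drop the bounds check.
// Hoisting the read above the loop would evaluate it where the guard has
// not been checked, which is the phase-ordering bug described above.
function guardedInvariantRead(array, k, iterations) {
  let acc = 0;
  for (let i = 0; i < iterations; i++) {
    if (k < array.length)
      acc += array[k];   // loop-invariant load, guarded only by the branch above
    else
      acc += 1;          // out-of-range k must take this path and never read memory
  }
  return acc;
}

// Harness in the style of a JIT regression test: warm the function with
// in-bounds indices so an engine tiers it up, then exercise the indices that
// a hoisted, unchecked load would have read out of bounds. The checks below
// are on language semantics; an out-of-bounds read is silent unless the
// engine crashes or runs under a sanitizer, which is why such tests are run
// on debug/ASan builds of the engine rather than judged by output alone.
function runRegression(warmups = 10000) {
  const arr = [3, 5, 7];               // constructed sample input
  let warm = 0;
  for (let n = 0; n < warmups; n++)
    warm += guardedInvariantRead(arr, n % arr.length, 8);
  return {
    warm,                                             // 399984 for 10000 warm-ups
    inBounds: guardedInvariantRead(arr, 1, 10),       // 5 * 10 = 50
    outOfBounds: guardedInvariantRead(arr, 42, 10),   // else path only: 10
    // The source-level guard alone does not rule out negative indices:
    // -1 < length holds, so the engine must still bounds-check, and the
    // language answer is undefined (the sum becomes NaN), never a read
    // below the array's storage.
    negative: guardedInvariantRead(arr, -1, 10),
  };
}
```

The negative-index case is the reason a range proof must establish both ends of the interval before a check can go: a guard that only bounds the index from above is not a bounds check.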
2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Eliminate the crazy code for evaluateOnCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=157510
        <rdar://problem/26191332>

        Reviewed by Timothy Hatcher.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        Set and clear an optional scope extension object.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.evaluate):
        (InjectedScript.prototype._evaluateOn):
        (InjectedScript.prototype.evaluateOnCallFrame):
        Unify the code to use the passed in evaluate function and object.
        When evaluating on a call frame the evaluate function ends up being
        DebuggerCallFrame::evaluateWithScopeExtension. When evaluating globally
        this ends up being JSInjectedScriptHost::evaluateWithScopeExtension.
        In both cases "object" is the preferred this object to use.

        * debugger/DebuggerCallFrame.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JSJavaScriptCallFrame::evaluate): Deleted.
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JavaScriptCallFrame::evaluate): Deleted.
        Pass through to DebuggerCallFrame with the proper arguments.

        * debugger/Debugger.cpp:
        (JSC::Debugger::hasBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        Use the new evaluate on call frame method name and no scope extension object.

2016-05-10  Saam barati  <sbarati@apple.com>

        Make super-property-access.js test run for less time because it was timing out in debug builds.

        Rubber stamped by Filip Pizlo.

        * tests/stress/super-property-access.js:
        (test.B.prototype.bar):

2016-05-10  Csaba Osztrogonác  <ossy@webkit.org>

        [JSC] Fix the !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=157512

        Reviewed by Mark Lam.

2016-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint
        https://bugs.webkit.org/show_bug.cgi?id=157442
        <rdar://problem/24172015>

        Reviewed by Saam Barati.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::thisValueForCallFrame):
        When the thisValue is JSValue() return undefined and avoid calling
        toThisValue which would lead to a crash. Having `this` be an empty
        JSValue could happen inside an ES6 class constructor, before

2016-05-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop.

        * bytecode/ValueProfile.cpp:
        (JSC::ResultProfile::emitDetectNumericness):
        (JSC::ResultProfile::emitSetNonNumber):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::addressOfFlags):
        (JSC::ResultProfile::addressOfSpecialFastPathCount):
        (JSC::ResultProfile::detectNumericness):
        (JSC::ResultProfile::hasBits):

2016-05-09  Michael Saboff  <msaboff@apple.com>

        Crash beneath ObjCCallbackFunctionImpl::call
        https://bugs.webkit.org/show_bug.cgi?id=157491

        Reviewed by Saam Barati.

        Clear any exceptions after the micro task runs.

        Tried creating a test case, but I don't have source for the app.
        I can't seem to find the right combination of Promises and ObjC code.

        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):

2016-05-09  Filip Pizlo  <fpizlo@apple.com>

        Polymorphic operands in operators coerce downstream values to double.
        https://bugs.webkit.org/show_bug.cgi?id=151793

        Reviewed by Mark Lam.

        Previously if an object flowed into arithmetic, the prediction propagation phase would either
        assume that the output of the arithmetic had to be double or sometimes it would assume that it
        couldn't be double. We want it to only assume that the output is double if it actually had been.

        The first part of this patch is to roll out http://trac.webkit.org/changeset/200502. That removed
        some of the machinery that we had in place to detect whether the output of an operation is int or
        double. That changeset claimed that the machinery was "fundamentally broken". It actually wasn't.
        The reason why it didn't work was that ByteCodeParser was ignoring it if likelyToTakeSlowCase was
        false. I think this was a complete goof-up: the code in ByteCodeParser::makeSafe was structured
        in a way that made it non-obvious that the method is a no-op if !likelyToTakeSlowCase. So, this
        change rolls out r200502 and makes ResultProfile do its job by reshaping how makeSafe processes

        This also makes two other changes to shore up ResultProfile:
        - OSR exit can now refine a ResultProfile the same way that it refines ValueProfile.
        - Baseline JIT slow paths now set bits in ResultProfile.

        Based on this stuff, the DFG now predicts int/double/string in op_add/op_sub/op_mul based on
        ResultProfiles. To be conservative, we still only use the ResultProfiles if the incoming
        prediction is not number-or-boolean. This ensures that we exactly retain our old behavior in
        those cases for which it was tuned. But I hope to remove this soon. I believe that ResultProfile
        is already strictly better than what prediction propagation was doing before.

        This can be an enormous win. This patch adds some simple microbenchmarks that demonstrate the
        problem of assuming that arithmetic on objects returns double. The most extreme of these speeds
        up 8x with this change (object-int-add-array).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::hasExitSite):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::FrequentExitSite::dump):
        (JSC::DFG::ExitProfile::ExitProfile):
        (JSC::DFG::ExitProfile::~ExitProfile):
        (JSC::DFG::ExitProfile::add):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
        (JSC::MethodOfGettingAValueProfile::emitReportValue):
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
        (JSC::MethodOfGettingAValueProfile::operator bool):
        (JSC::MethodOfGettingAValueProfile::operator!): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ValueProfile.cpp:
        (JSC::ResultProfile::emitDetectBitsLight):
        (JSC::ResultProfile::emitSetDouble):
        (JSC::ResultProfile::emitSetNonNumber):
        (WTF::printInternal):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::ResultProfile):
        (JSC::ResultProfile::bytecodeOffset):
        (JSC::ResultProfile::specialFastPathCount):
        (JSC::ResultProfile::didObserveNonInt32):
        (JSC::ResultProfile::didObserveDouble):
        (JSC::ResultProfile::didObserveNonNegZeroDouble):
        (JSC::ResultProfile::didObserveNegZeroDouble):
        (JSC::ResultProfile::didObserveNonNumber):
        (JSC::ResultProfile::didObserveInt32Overflow):
        (JSC::ResultProfile::didObserveInt52Overflow):
        (JSC::ResultProfile::setObservedNonNegZeroDouble):
        (JSC::ResultProfile::setObservedNegZeroDouble):
        (JSC::ResultProfile::setObservedNonNumber):
        (JSC::ResultProfile::setObservedInt32Overflow):
        (JSC::ResultProfile::addressOfFlags):
        (JSC::ResultProfile::addressOfSpecialFastPathCount):
        (JSC::ResultProfile::detectBitsLight):
        (JSC::ResultProfile::hasBits):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::Graph::ensureNaturalLoops):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (JSC::DFG::Graph::valueProfileFor): Deleted.
        (JSC::DFG::Graph::hasExitSite):
        (JSC::DFG::Graph::numBlocks):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::mayHaveNonIntResult):
        (JSC::DFG::Node::mayHaveDoubleResult):
        (JSC::DFG::Node::mayHaveNonNumberResult):
        (JSC::DFG::Node::hasConstantBuffer):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfEqual):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfEmpty):
        (JSC::AssemblyHelpers::branchStructure):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::CCallHelpers):
        (JSC::CCallHelpers::setupArguments):
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/IntrinsicEmitter.cpp:
        (JSC::AccessCase::emitIntrinsicGetter):
        * jit/JITAddGenerator.cpp:
        (JSC::JITAddGenerator::generateFastPath):
        * jit/JITAddGenerator.h:
        (JSC::JITAddGenerator::JITAddGenerator):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_sub):
        (JSC::JIT::emitSlow_op_sub):
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateFastPath):
        * jit/JITSubGenerator.h:
        (JSC::JITSubGenerator::JITSubGenerator):
        * jit/TagRegistersMode.cpp: Added.
        (WTF::printInternal):
        * jit/TagRegistersMode.h: Added.
        * runtime/CommonSlowPaths.cpp:
        (JSC::updateResultProfileForBinaryArithOp):

2016-05-09  Keith Miller  <keith_miller@apple.com>

        CallObjectConstructor should not call operationToThis in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=157492
        <rdar://problem/26149904>

        Reviewed by Mark Lam.

        At some point when I was working on intrinsifying the Object
        constructor, I realized that the Object constructor was different
        from the ToObject operation. I fixed the DFG but I guess I didn't

        This patch fixes an issue with www.wunderground.com not loading
        the 10-day forecast and local map.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
        * tests/stress/call-object-constructor.js: Added.

2016-05-09  Saam barati  <sbarati@apple.com>

        Getter and setter on super are called with wrong "this" object
        https://bugs.webkit.org/show_bug.cgi?id=147064
        <rdar://problem/21885916>

        Reviewed by Filip Pizlo.

        This patch implements calls to 'super' getters and setters.
        The problem before was that we were passing the 'super' (i.e., the prototype
        object) as the this value to these getters/setters, which is wrong.
        We should be passing the caller's this value.

        To implement this behavior, I've introduced four new opcodes and their corresponding DFG nodes:
        - op_get_by_id_with_this | GetByIdWithThis
        - op_put_by_id_with_this | PutByIdWithThis
        - op_get_by_val_with_this | GetByValWithThis
        - op_put_by_val_with_this | PutByValWithThis

        These are implemented with no optimizations. The future plan is
        to unite them with the *by_id and *by_val opcodes and nodes:
        https://bugs.webkit.org/show_bug.cgi?id=157215

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::emitPutByVal):
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::ensureThis):
        (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::emitHomeObjectForCallee):
        (JSC::emitSuperBaseForCallee):
        (JSC::emitGetSuperFunctionForConstruct):
        (JSC::SuperNode::emitBytecode):
        (JSC::NewTargetNode::emitBytecode):
        (JSC::TaggedTemplateNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::AssignmentElementNode::bindValue):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::putWithThis):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::setupShadowChickenPacket):
        (JSC::CCallHelpers::setupFourStubArgsGPR):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::setupThreeStubArgsGPR):
        (JSC::CCallHelpers::setupTwoStubArgsFPR):
        (JSC::CCallHelpers::setupStubArguments134):
        (JSC::argumentRegisterFor): Deleted.
        (JSC::JIT::privateCompileMainPass):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_val_with_this):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emit_op_get_by_val_with_this):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_by_id_with_this):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emit_op_get_by_val_with_this):
        (JSC::JIT::emit_op_put_by_id_with_this):
        (JSC::JIT::emit_op_put_by_val_with_this):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * tests/stress/super-property-access-exceptions.js: Added.
        (test.A.prototype.get foo):
        (test.A.prototype.get x):
        (test.B.prototype.bar):
        (test.B.prototype.baz):
        (test.A.prototype.set foo):
        * tests/stress/super-property-access-tdz.js: Added.
        (test.A.prototype.get foo):
        (test.A.prototype.set foo):
        * tests/stress/super-property-access.js: Added.
        (test.A.prototype.set value):
        (test.A.prototype.get value):
        (test.B.prototype.set value):
        (test.B.prototype.get value):
        (test.A.prototype.get func):
        (test.B.prototype.inc):
        (test.B.prototype.dec):
        (test.B.prototype.preInc):
        (test.B.prototype.preDec):
        (test.B.prototype.plusEq):
        (test.B.prototype.minusEq):
        (test.B.prototype.timesEq):
        (test.B.prototype.divEq):
        (test.B.prototype.funcDot):
        (test.B.prototype.funcBracket):
        (test.B.prototype.baz):
        (test.B.prototype.jaz):
        (test.B.prototype.bar):
        (test.B.prototype.index):
        (test.prototype.bar):
        (test.A.prototype.set foo):
        (test.A.prototype.get array):
        (test.A.prototype.get foo):
        (test.A.prototype.get call):
        (test.A.prototype.get apply):
        (test.B.prototype.foo):
        (test.A.prototype.get i):

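The receiver rule this patch implements, as an added example in plain JavaScript. This is illustration code, not one of the stress tests listed above; the class names, accessor names and helper functions are invented. Every `super.x` read or write is a property access with an explicit receiver, which is what the new *WithThis opcodes carry, and at the language level `Reflect.get(proto, key, receiver)` and `Reflect.set(proto, key, value, receiver)` express the same operation, so the block also shows the correct and the wrong receiver through them.

```javascript
// Added example, not WebKit's tests. `super.x` inside a method looks the
// property up on the home object's prototype but must run any getter or
// setter with the caller's `this`, i.e. the instance, not the prototype.
class Base {
  constructor() {
    this.store = 0;
  }
  get self() { return this; }                 // exposes the receiver the getter saw
  get value() { return this.store; }
  set value(v) { this.store = v * 2; }        // writes through the receiver
}

class Derived extends Base {
  selfViaSuper() { return super.self; }       // super getter: `this` must be the Derived instance
  readViaSuper() { return super.value; }
  writeViaSuper(v) { super.value = v; }       // super setter: receiver is `this`
  incViaSuper() { return super.value += 1; }  // read-modify-write through super
  bracketViaSuper(name) { return super[name]; } // super[expr] follows the same rule
}

// The same accesses spelled with an explicit receiver (hypothetical helpers).
// Base.prototype is the prototype of Derived's home object, Derived.prototype.
function superGet(instance, key) {
  return Reflect.get(Base.prototype, key, instance);
}
function superSet(instance, key, value) {
  return Reflect.set(Base.prototype, key, value, instance);
}

function demo() {
  const d = new Derived();
  const out = {};

  out.getterSeesInstance = d.selfViaSuper() === d;
  out.getterDoesNotSeePrototype = d.selfViaSuper() !== Base.prototype;

  d.writeViaSuper(5);                           // setter runs with this === d
  out.setterWroteToInstance =
    Object.prototype.hasOwnProperty.call(d, "store") && d.store === 10;
  out.prototypeUntouched = !Object.prototype.hasOwnProperty.call(Base.prototype, "store");
  out.readBack = d.readViaSuper();              // 10
  out.compoundResult = d.incViaSuper();         // get 10, assign 11; the expression yields 11
  out.storeAfterCompound = d.store;             // the setter doubled it: 22
  out.bracketRead = d.bracketViaSuper("value"); // 22

  // Explicit-receiver view of the same accesses.
  out.reflectMatches = superGet(d, "self") === d;
  superSet(d, "value", 7);
  out.reflectWrote = d.store === 14;
  // Passing the prototype as the receiver is what the bug amounted to:
  // the getter then reports the prototype, and a setter would write there.
  out.wrongReceiver =
    Reflect.get(Base.prototype, "self", Base.prototype) === Base.prototype;
  return out;
}
```

A setter invoked with the prototype as receiver writes shared state onto the prototype, so before this fix a `super.value = v` from any instance was visible to every other instance; the `prototypeUntouched` check above is the observable difference.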
2016-05-08  Chris Dumez  <cdumez@apple.com>

        [COCOA] Disable HAVE_DTRACE at build time
        https://bugs.webkit.org/show_bug.cgi?id=157433
        <rdar://problem/26148841>

        Reviewed by Mark Lam.

        Drop DTRACE-related code from JSC since it is very old and seems

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * PlatformMac.cmake:
        (JSC::Heap::collectImpl): Deleted.
        (JSC::Heap::didFinishCollection): Deleted.
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::willExecute): Deleted.
        (JSC::ProfileGenerator::didExecute): Deleted.
        * runtime/Tracing.d: Removed.
        * runtime/Tracing.h: Removed.

2016-05-07  Mark Lam  <mark.lam@apple.com>

        Add JSC options bytecodeRangeToJITCompile and jitWhitelist.
        https://bugs.webkit.org/show_bug.cgi?id=157428

        Reviewed by Michael Saboff.

        1. Added Options::bytecodeRangeToJITCompile and Options::jitWhitelist options.

        2. Moved DFGFunctionWhitelist* to FunctionWhitelist* and made it generic so that
           it can be used for more than one whitelist instance. In this case, we now have
           two: the dfgWhitelist and the jitWhitelist.

        3. Added "can compile" checks in LLInt::shouldJIT() to check
           Options::bytecodeRangeToJITCompile and Options::jitWhitelist.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::getNumCompilations):
        (JSC::DFG::ensureGlobalDFGWhitelist):
        (JSC::DFG::compileImpl):
        * dfg/DFGFunctionWhitelist.cpp: Removed.
        * dfg/DFGFunctionWhitelist.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::ensureGlobalJITWhitelist):
        (JSC::LLInt::shouldJIT):
        * runtime/Options.h:
        * tools/FunctionWhitelist.cpp: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.cpp.
        (JSC::FunctionWhitelist::FunctionWhitelist):
        (JSC::FunctionWhitelist::contains):
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): Deleted.
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist): Deleted.
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): Deleted.
        (JSC::DFG::FunctionWhitelist::contains): Deleted.
        * tools/FunctionWhitelist.h: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.h.

2016-05-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][32bit] stress/tagged-templates-template-object.js fails in debug
        https://bugs.webkit.org/show_bug.cgi?id=157436

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        The node OverridesHasInstance had a speculation after a jump.

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Misc CommandLineAPI cleanup
        https://bugs.webkit.org/show_bug.cgi?id=157450

        Reviewed by Ryosuke Niwa.

        * inspector/InjectedScriptSource.js:
        (BasicCommandLineAPI):
        Fix mistake in r200533, and modernize related code.

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve console.count()
        https://bugs.webkit.org/show_bug.cgi?id=157439
        <rdar://problem/26152654>

        Reviewed by Timothy Hatcher.

        - make console.count() increment an unnamed global counter.
        - make console.count(label) increment a counter with that label name.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::count):

2016-05-06  Simon Fraser  <simon.fraser@apple.com>

        Enable IOS_TEXT_AUTOSIZING on Mac and make it testable
        https://bugs.webkit.org/show_bug.cgi?id=157432
        rdar://problem/16406720

        Reviewed by Dean Jackson.

        Enable IOS_TEXT_AUTOSIZING on Mac so it can be tested.

        * Configurations/FeatureDefines.xcconfig:

2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Console: Variables defined with let/const aren't accessible outside of console's scope
        https://bugs.webkit.org/show_bug.cgi?id=150752
        <rdar://problem/23343385>

        Reviewed by Mark Lam.

        This approach allows Web Inspector to hang a "Scope Extension", a
        WithObjectScope, off the GlobalObject. When resolving identifiers
        fails to find anything in the normal scope chain, consult
        the scope extension.

        This allows us to eliminate the `with (commandLineAPI) { ... }`
        block in global console evaluations, and instead makes it a full
        program evaluation, with the commandLineAPI available and safely
        shadowed by actual variables as expected.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._evaluateOn):
        Use the new evaluateWithScopeExtension and provide the CommandLineAPI
        object as the scope extension object.

        (BasicCommandLineAPI):
        (BasicCommandLineAPI.inScopeVariables): Deleted.
        Simplify now that we don't need to check for variable shadowing ourselves.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        Provide a new InjectedScriptHost method to evaluate a program
        with a scope extension.

        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/Completion.h:
        General JSC::evaluate function to evaluate a program with a scope extension.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setGlobalScopeExtension):
        (JSC::JSGlobalObject::clearGlobalScopeExtension):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::globalScopeExtension):
        Hang a scope extension off the global object.

        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):
        Consult the scope extension when resolve fails to find anything normally.

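The two name-resolution models this entry contrasts, as an added illustration in plain JavaScript. This is not Web Inspector's code: the CommandLineAPI stand-in, the page's `$`, and the helper names are constructed. A `with` statement resolves a name by asking its object whether it has that property, so a Proxy whose `has` trap defers to the global object first reproduces the new rule (consult the extension only when the normal scope chain fails) without touching the engine. The bodies are built with the Function constructor so they are sloppy-mode and may use `with` even if this file is loaded as a strict-mode module. What the block cannot show is persistence of top-level `let`/`const` across evaluations, because that needs the engine to run each input as a whole program rather than a block; it shows why the block form lost them.

```javascript
// Added illustration, not Web Inspector's implementation.

// Constructed stand-in for the console's CommandLineAPI object.
const commandLineAPI = {
  $: (selector) => `api:$(${selector})`,
  $$: (selector) => `api:$$(${selector})`,
};

// Old model: console input spliced into `with (commandLineAPI) { ... }`.
// Every API name shadows page variables, and the input runs in block scope.
function evaluateInWithBlock(api, source) {
  return new Function("api", `with (api) { ${source} }`)(api);
}

// New model, emulated: an extension consulted only when nothing in the
// normal chain matched. `with` calls [[HasProperty]] on its object for each
// identifier, so the trap answers "no" whenever the global object already
// has the name, letting resolution continue to the real global binding.
function makeScopeExtension(api, globalObject) {
  return new Proxy(api, {
    has(target, name) {
      return !(name in globalObject) && name in target;
    },
  });
}
function evaluateWithScopeExtension(api, globalObject, source) {
  const extension = makeScopeExtension(api, globalObject);
  return new Function("__ext", `with (__ext) { ${source} }`)(extension);
}

function demo() {
  const g = globalThis;
  g.$ = (selector) => `page:$(${selector})`;   // the page defines its own `$`, as jQuery does
  try {
    return {
      // Shadowing: the with-block model hides the page's `$` behind the API's.
      withBlockShadowsPage: evaluateInWithBlock(commandLineAPI, "return $('a');"),
      // The extension model keeps the page's `$` ...
      extensionKeepsPage: evaluateWithScopeExtension(commandLineAPI, g, "return $('a');"),
      // ... and still supplies API names the page did not define.
      extensionSuppliesMissing: evaluateWithScopeExtension(commandLineAPI, g, "return $$('a');"),
      // Block scope: a `let` inside the with-block is gone once the block ends,
      // which is why let/const typed into the console did not persist.
      letInsideBlock: new Function("api",
        "with (api) { let answer = 42; } return typeof answer;")(commandLineAPI),
    };
  } finally {
    delete g.$;   // leave the global object as we found it
  }
}
```

The `inScopeVariables` check this patch deletes was doing by hand what the `has` trap does here: omitting API names that the page had already defined so that `with` would not shadow them.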
2016-05-06  Mark Lam  <mark.lam@apple.com>

        Add JSC options reportBaselineCompileTimes and reportDFGCompileTimes.
        https://bugs.webkit.org/show_bug.cgi?id=157427

        Reviewed by Filip Pizlo and Keith Miller.

        The compile times reporting options are now:
            reportCompileTimes -> report compile times in all tiers.
            reportBaselineCompileTimes -> report compile times in baseline JIT.
            reportDFGCompileTimes -> report compile times in DFG and FTL.
            reportFTLCompileTimes -> report compile times in FTL.

        Also updated reportTotalCompileTimes() to collect stats that include the baseline
        JIT. compileTimeStats() is now moved into JIT.cpp (from DFGPlan.cpp).

        (JSC::DFG::Plan::reportCompileTimes):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::compileTimeStats): Deleted.
        (JSC::DFG::Plan::compileTimeStats): Deleted.
        (JSC::ctiPatchCallByReturnAddress):
        (JSC::JIT::privateCompile):
        (JSC::JIT::stackPointerOffsetFor):
        (JSC::JIT::reportCompileTimes):
        (JSC::JIT::computeCompileTimes):
        (JSC::JIT::compileTimeStats):
        (JSC::JIT::shouldEmitProfiling):
        * runtime/Options.h:

2016-05-05  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Get rid of NonNegZeroDouble, it is broken
        https://bugs.webkit.org/show_bug.cgi?id=157399
        rdar://problem/25339647

        Reviewed by Mark Lam.

        The profile "NonNegZeroDouble" is fundamentally broken.

        It is used by DFG to predict the result of ArithMul as being a Double

        The problem is you are likely to mispredict, and when you do, you are
        guaranteed to end up in a recompile loop.

        The compile loops usually happen like this:
        -We speculate you have Int32 despite producing doubles.
        -We OSR exit on another node (ValueToInt32 for example) from the result of this ArithMul.
        -When we compile this block again, ArithMul will do the same misprediction
         because it unconditionally predicts Int32.

        The flag NonNegZeroDouble was very unlikely to be set correctly

        In LLINT, the flag is only set on the slow path.
        Since double*double is on the fast path, those cases are ignored.

        In Baseline, the flag is set for any case that falls back on double
        multiplication. BUT, the DFG flag was only set for nodes that spend
        many iterations in the slow path, which obviously does not apply to double*double.

        Given the perf drawbacks and the recompile loops, I removed
        the whole flag for now.

        * bytecode/ValueProfile.cpp:
        (WTF::printInternal):
        * bytecode/ValueProfile.h:
        (JSC::ResultProfile::didObserveNonInt32): Deleted.
        (JSC::ResultProfile::didObserveDouble): Deleted.
        (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
        (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe): Deleted.
        (JSC::DFG::Node::mayHaveNonIntResult): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags): Deleted.
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath): Deleted.
        * runtime/CommonSlowPaths.cpp:
        (JSC::updateResultProfileForBinaryArithOp): Deleted.

2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION(r200422): Web Inspector: Make new Array Iterator objects play nice with Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=157361
        <rdar://problem/26099793>

        Reviewed by Timothy Hatcher.

        * builtins/ArrayPrototype.js:
        (createArrayIterator):
        * builtins/TypedArrayPrototype.js:
        * runtime/CommonIdentifiers.h:
        Set the kind on the iterator object, that can be shown
        to the inspector if the object is shown in the console.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._describe):
        Get a better name for the new Array Iterator which is just an Object.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        Detect and handle ArrayIterator object instances. Porting the code
        from the JSArrayIterator code path.

2456 2016-05-05 Benjamin Poulain <bpoulain@apple.com>
2458 [JSC] In DFG, an OSR Exit on SetLocal can trash its child node
2459 https://bugs.webkit.org/show_bug.cgi?id=157358
2460 rdar://problem/25339647
2462 Reviewed by Filip Pizlo.
2464 When we OSR Exit on SetLocal, the child is never restored if its representation
2465 was changed since the MovHint.
2467 For example, say we have:
2468 @1 = SomethingProducingDouble()
2471 @4 = SetLocal(@3, FlushedInt32)
2473 When we lower SetLocal(), we start by speculating that @3 is an Int32.
2474 Now this can fail if @1 was really a double.
2475 When that happens, we go over the VariableEventStream to find where values
2476 are, and @1 died at @3. Since the speculation failure happens before
2477 the SetLocal event, we don't do anything with @3.
2479 In this patch, I extend the PhantomInsertion phase to keep the MovHint
2480 alive past the SetLocal.
2482 * dfg/DFGPhantomInsertionPhase.cpp:
2483 * tests/stress/multiply-typed-double-and-object.js: Added.
2484 (otherObject.valueOf):
2485 (targetDFG.multiply):
2486 (targetFTL.multiply):
2488 2016-05-05 Oliver Hunt <oliver@apple.com>
2490 Enable separated heap by default on iOS
2491 https://bugs.webkit.org/show_bug.cgi?id=156720
2493 Reviewed by Geoffrey Garen.
2495 We've fixed the xnu side of things, so we can reland this.
2497 * runtime/Options.cpp:
2498 (JSC::recomputeDependentOptions):
2500 2016-05-05 Joseph Pecoraro <pecoraro@apple.com>
2502 JSContext Inspector: Better CommandLineAPI in JSContext inspection
2503 https://bugs.webkit.org/show_bug.cgi?id=157387
2504 <rdar://problem/22630583>
2506 Reviewed by Timothy Hatcher.
2508 * inspector/InjectedScriptSource.js:
2509 (InjectedScript.prototype._evaluateOn):
2510 (BasicCommandLineAPI.inScopeVariables):
2511 (BasicCommandLineAPI):
2512 When creating a BasicCommandLineAPI, pass the call frame so
2513 that we don't shadow variables in the callstack.
2515 (BasicCommandLineAPI.methods):
2522 Some just pass through to console, others are tiny methods.
2523 Implement them, and give them the expected toString string.
2525 2016-05-05 Filip Pizlo <fpizlo@apple.com>
2527 Reduce maximum JIT pool size on X86_64.
2529 Rubber stamped by Geoffrey Garen.
2531 This changes our maximum pool size to 100MB. The problem with letting a page allocate much
2532 more than this is that we will sometimes call deleteAllCode() or one of its friends. Deleting
2533 a huge amount of memory is expensive in our allocator.
2535 So long as we allow for such large-scale code death to happen, and so long as it's expensive,
2536 we should bound the amount of code we end up with in the first place.
2538 In the long run, we should fix our executable allocator so that it's not so expensive to kill
2541 * jit/ExecutableAllocator.h:
2543 2016-05-05 Filip Pizlo <fpizlo@apple.com>
2545 Reduce thresholds that control the maximum IC stub size.
2547 Rubber stamped by Chris Dumez and Benjamin Poulain.
2549 This reduces the thresholds to before the megamorphic load optimizations to see if that
2550 recovers a PLT regression.
2552 * runtime/Options.h:
2554 2016-05-05 Filip Pizlo <fpizlo@apple.com>
2556 We shouldn't crash if DFG AI proved that something was unreachable on one run but then decided not to prove it on another run
2557 https://bugs.webkit.org/show_bug.cgi?id=157379
2559 Reviewed by Mark Lam.
2561 Any run of DFG AI is a fixpoint that loosens the proof until it can't find any more
2562 counterexamples to the proof. It errs on the side of loosening proofs, i.e., on the side of
2563 proving fewer things.
2565 We run this fixpoint multiple times since there are multiple points in the DFG optimization
2566 pipeline when we run DFG AI. Each of those runs completes a fixpoint and produces the
2567 tightest proof it can that did not result in counterexamples being found.
2569 It's possible that on run K of DFG AI, we prove some property, but on run K+1, we don't prove
2570 that property. The code could have changed between the two runs due to other phases. Other
2571 phases may modify the code in such a way that it's less amenable to AI's analysis. Our design
2572 allows this because DFG AI is not 100% precise. It defends itself from making unsound choices
2573 or running forever by sometimes punting on proving some property. It must be able to do this,
2574 and so therefore, it might sometimes prove fewer things on a later run.
2576 Currently in trunk if the property that AI proves on run K but fails to prove on run K+1 is
2577 the reachability of a piece of code, then run K+1 will crash on an assertion at the
2578 Unreachable node. It will complain that it reached an Unreachable. But it might be reaching
2579 that Unreachable because it failed to prove that something earlier was always exiting. That's
2582 So, we should remove the assertion that AI doesn't see Unreachable.
2584 No new tests because I don't know how to make this happen. I believe that this happens in the
2585 wild based on crash logs.
2587 * dfg/DFGAbstractInterpreterInlines.h:
2588 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2590 2016-05-05 Joseph Pecoraro <pecoraro@apple.com>
2592 Crash if you type "debugger" in the console and continue
2593 https://bugs.webkit.org/show_bug.cgi?id=156924
2594 <rdar://problem/25884189>
2596 Reviewed by Mark Lam.
2598 * inspector/agents/InspectorDebuggerAgent.cpp:
2599 (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2600 Bail with an error when we are not paused.
2602 * inspector/agents/InspectorRuntimeAgent.cpp:
2603 (Inspector::InspectorRuntimeAgent::callFunctionOn):
2604 (Inspector::InspectorRuntimeAgent::getProperties):
2605 (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2606 (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2607 (Inspector::InspectorRuntimeAgent::saveResult):
2608 Update poor error message.
2610 2016-05-05 Keith Miller <keith_miller@apple.com>
2612 Add support for delete by value to the DFG
2613 https://bugs.webkit.org/show_bug.cgi?id=157372
2615 Reviewed by Filip Pizlo.
2617 This patch adds basic support for delete by value to the DFG. delete by value
2618 just calls out to a C++ operation on each execution. Additionally, this patch
2619 fixes an issue with delete by id where we would crash if the base was null
2622 * dfg/DFGAbstractInterpreterInlines.h:
2623 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2624 * dfg/DFGByteCodeParser.cpp:
2625 (JSC::DFG::ByteCodeParser::parseBlock):
2626 * dfg/DFGCapabilities.cpp:
2627 (JSC::DFG::capabilityLevel):
2628 * dfg/DFGClobberize.h:
2629 (JSC::DFG::clobberize):
2630 * dfg/DFGDoesGC.cpp:
2632 * dfg/DFGFixupPhase.cpp:
2633 (JSC::DFG::FixupPhase::fixupNode):
2634 * dfg/DFGNodeType.h:
2635 * dfg/DFGPredictionPropagationPhase.cpp:
2636 * dfg/DFGSafeToExecute.h:
2637 (JSC::DFG::safeToExecute):
2638 * dfg/DFGSpeculativeJIT.cpp:
2639 (JSC::DFG::SpeculativeJIT::compileDeleteById):
2640 (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
2641 * dfg/DFGSpeculativeJIT.h:
2642 (JSC::DFG::SpeculativeJIT::callOperation):
2643 * dfg/DFGSpeculativeJIT32_64.cpp:
2644 (JSC::DFG::SpeculativeJIT::compile):
2645 * dfg/DFGSpeculativeJIT64.cpp:
2646 (JSC::DFG::SpeculativeJIT::compile):
2648 (JSC::JIT::privateCompileMainPass):
2650 * jit/JITOperations.cpp:
2651 * jit/JITOperations.h:
2652 * jit/JITPropertyAccess.cpp:
2653 (JSC::JIT::emit_op_del_by_val):
2654 * jit/JITPropertyAccess32_64.cpp:
2655 (JSC::JIT::emit_op_del_by_val):
2656 * tests/stress/delete-by-val.js: Added.
2659 * tests/stress/delete-to-object-exception.js: Added.
2663 2016-05-05 Michael Saboff <msaboff@apple.com>
2665 Unreviewed build fix after change set r200447.
2667 Made the detection of clang version Xcode build specific.
2668 Now shouldEnableDebugAnnotations() should return false for all other build types.
2670 * offlineasm/config.rb:
2672 2016-05-05 Joseph Pecoraro <pecoraro@apple.com>
2674 Create console object lazily
2675 https://bugs.webkit.org/show_bug.cgi?id=157328
2677 Reviewed by Geoffrey Garen.
2679 * runtime/CommonIdentifiers.h:
2680 * runtime/JSGlobalObject.cpp:
2681 (JSC::createConsoleProperty):
2682 (JSC::JSGlobalObject::init): Deleted.
2684 2016-05-04 Michael Saboff <msaboff@apple.com>
2686 Enable Dwarf2 debug information in offline assembler for clang compiler
2687 https://bugs.webkit.org/show_bug.cgi?id=157364
2689 Reviewed by Mark Lam.
2691 Added a new function shouldEnableDebugAnnotations() that determines if
2692 we are using clang and a new enough version to support the debug annotations.
2694 * offlineasm/config.rb:
2695 (shouldEnableDebugAnnotations): Added.
2697 2016-05-04 Keith Miller <keith_miller@apple.com>
2699 Unreviewed, fix test for new ArrayIteratorPrototype.next() error message.
2701 * tests/stress/array-iterators-next-with-call.js:
2703 2016-05-04 Filip Pizlo <fpizlo@apple.com>
2705 Speed up JSGlobalObject initialization by making some properties lazy
2706 https://bugs.webkit.org/show_bug.cgi?id=157045
2708 Reviewed by Keith Miller.
2710 This makes about half of JSGlobalObject's state lazy. There are three categories of
2711 state in JSGlobalObject:
2713 1) C++ fields in JSGlobalObject.
2714 2) JS object properties in JSGlobalObject's JSObject superclass.
2715 3) JS variables in JSGlobalObject's JSSegmentedVariableObject superclass.
2717 State held in JS variables cannot yet be made lazy. That's why this patch only goes
2720 State in JS object properties can be made lazy if we move it to the static property
2721 hashtable. JSGlobalObject already had one of those. This patch makes static property
2722 hashtables a lot more powerful, by adding three new kinds of static properties. These
2723 new kinds allow us to make almost all of JSGlobalObject's object properties lazy.
2725 State in C++ fields can now be made lazy thanks in part to WTF's support for stateless
2726 lambdas. You can of course make anything lazy by hand, but there are many C++ fields in
2727 JSGlobalObject and we are adding more all the time. We don't want to require that each
2728 of these has a getter with an initialization check and a corresponding out-of-line slow
2729 path that does the initialization. We want this kind of boilerplate to be handled by
2732 The primary abstraction introduced in this patch is LazyProperty<Type>. Currently, this
2733 only works where Type is a subclass of JSCell. Such a property holds a pointer to Type.
2734 You can use it like you would a WriteBarrier<Type>. It even has set() and get() methods,
2735 so it's almost a drop-in replacement.
2737 The key to LazyProperty<Type>'s power is that you can do this:
2741 LazyProperty<Foo> m_foo;
2745 [] (const LazyProperty<Foo>::Initializer<Bar>& init) {
2746 init.set(Foo::create(init.vm, init.owner));
2749 This initLater() call requires that you pass a stateless lambda (see WTF changelog for
2750 the definition). Miraculously, this initLater() call is guaranteed to compile to a store
2751 of a pointer constant to m_foo, as in:
2753 movabsq 0xBLAH, %rax
2756 This magical pointer constant points to a callback that was generated by the template
2757 instantiation of initLater(). That callback knows to call your stateless lambda, but
2758 also does some other bookkeeping: it makes sure that you indeed initialized the property
2759 inside the callback and it manages recursive initializations. It's totally legal to call
2760 m_foo.get() inside the initLater() callback. If you do that before you call init.set(),
2761 m_foo.get() will return null. This is an excellent escape hatch if we ever find
2762 ourselves in a dependency cycle. I added this feature because I already had to create a
2765 Note that using LazyProperties from DFG threads is super awkward. It's going to be hard
2766 to get this right. The DFG thread cannot initialize those fields, so it has to make sure
2767 that it does conservative things. But for some nodes this could mean adding a lot of new
2768 logic, like NewTypedArray, which currently is written in such a way that it assumes that
2769 we always have the typed array structure. Currently we take a two-fold approach: for
2770 typed arrays we don't handle the NewTypedArray intrinsic if the structure isn't
2771 initialized, and for everything else we don't make the properties lazy if the DFG needs
2772 them. As we optimize this further we might need to teach the DFG to handle more lazy
2773 properties. I tried to do this for RegExp but found it to be very confusing. With typed
2776 There is also a somewhat more powerful construct called LazyClassStructure. We often
2777 need to keep around the structure of some standard JS class, like Date. We also need to
2778 make sure that the constructor ends up in the global object's property table. And we
2779 often need to keep the original value of the constructor for ourselves. In this case, we
2780 want to make sure that the creation of the structure-prototype-constructor constellation
2781 is atomic. We don't want code to start looking at the structure if it points to a
2782 prototype that doesn't have its "constructor" property set yet, for example.
2783 LazyClassStructure solves this by abstracting that whole initialization. You provide the
2784 callback that allocates everything, since we are super inconsistent about the way we
2785 initialize things, but LazyClassStructure establishes the workflow and helps you not
2788 Finally, the new static hashtable attributes allow for all of this to work with the JS
2791 PropertyCallback: if you use this attribute, the second column in the table should be
2792 the name of a function to call to initialize this property. This is useful for things
2793 like the Math property. The Math object turns out to be very expensive to allocate.
2794 Delaying its allocation is super easy with the PropertyCallback attribute.
2796 CellProperty: with this attribute the second column should be a C++ field name like
2797 JSGlobalObject::m_evalErrorConstructor. The static hashtable will grab the offset of
2798 this property, and when it needs to be initialized, Lookup will assume you have a
2799 LazyProperty<JSCell> and call its get() method. It will initialize the property to
2800 whatever get() returned. Note that it's legal to cast a LazyProperty<Anything> to
2801 LazyProperty<JSCell> for the purpose of calling get() because the get() method will just
2802 call whatever callback function pointer is encoded in the property and it does not need
2803 to know anything about what type that callback will instantiate.
2805 ClassStructure: with this attribute the second column should be a C++ field name. The
2806 static hashtable will initialize the property by treating the field as a
2807 LazyClassStructure and it will call get(). LazyClassStructure completely owns the whole
2808 initialization workflow, so Lookup assumes that when LazyClassStructure::get() returns,
2809 the property in question will already be set. By convention, we have LazyClassStructure
2810 initialize the property with a pointer to the constructor, since that's how all of our
2811 classes work: "globalObject.Date" points to the DateConstructor.
2813 This is a 2x speed-up in JSGlobalObject initialization time in a microbenchmark that
2814 calls our C API. This is a 1% speed-up on SunSpider and JSRegress.
2816 Rolling this back in after fixing the function pointer alignment issue. The last version
2817 relied on function pointers being aligned to a 4-byte boundary. We cannot rely on this,
2818 especially since ARMv7 uses the low bit of function pointers as a tag to indicate the
2819 instruction set. This version adds an extra indirection, so that
2820 LazyProperty<>::m_pointer points to a pointer that points to the function. A pointer to
2821 a pointer is guaranteed to be at least 4-byte aligned.
2823 * API/JSCallbackFunction.cpp:
2824 (JSC::JSCallbackFunction::create):
2825 * API/ObjCCallbackFunction.h:
2826 (JSC::ObjCCallbackFunction::impl):
2827 * API/ObjCCallbackFunction.mm:
2828 (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
2829 (JSC::ObjCCallbackFunction::create):
2831 * JavaScriptCore.xcodeproj/project.pbxproj:
2832 * create_hash_table:
2833 * debugger/DebuggerScope.cpp:
2834 (JSC::DebuggerScope::create):
2835 (JSC::DebuggerScope::DebuggerScope):
2836 * debugger/DebuggerScope.h:
2837 (JSC::DebuggerScope::jsScope):
2838 (JSC::DebuggerScope::create): Deleted.
2839 * dfg/DFGAbstractInterpreterInlines.h:
2840 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2841 * dfg/DFGAbstractValue.cpp:
2842 (JSC::DFG::AbstractValue::set):
2843 * dfg/DFGArrayMode.cpp:
2844 (JSC::DFG::ArrayMode::originalArrayStructure):
2845 * dfg/DFGByteCodeParser.cpp:
2846 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
2847 * dfg/DFGSpeculativeJIT.cpp:
2848 (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2849 * dfg/DFGSpeculativeJIT32_64.cpp:
2850 (JSC::DFG::SpeculativeJIT::compile):
2851 * dfg/DFGSpeculativeJIT64.cpp:
2852 (JSC::DFG::SpeculativeJIT::compile):
2853 * dfg/DFGStructureRegistrationPhase.cpp:
2854 (JSC::DFG::StructureRegistrationPhase::run):
2855 * ftl/FTLLowerDFGToB3.cpp:
2856 (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2857 * runtime/ClonedArguments.cpp:
2858 (JSC::ClonedArguments::getOwnPropertySlot):
2859 (JSC::ClonedArguments::materializeSpecials):
2860 * runtime/CommonSlowPaths.cpp:
2861 (JSC::SLOW_PATH_DECL):
2862 * runtime/FunctionPrototype.cpp:
2863 (JSC::functionProtoFuncToString):
2864 * runtime/InternalFunction.cpp:
2865 (JSC::InternalFunction::visitChildren):
2866 (JSC::InternalFunction::name):
2867 (JSC::InternalFunction::calculatedDisplayName):
2868 (JSC::InternalFunction::createSubclassStructure):
2869 * runtime/InternalFunction.h:
2870 * runtime/JSBoundFunction.cpp:
2871 (JSC::JSBoundFunction::finishCreation):
2872 (JSC::JSBoundFunction::visitChildren):
2873 * runtime/JSBoundSlotBaseFunction.cpp:
2874 (JSC::JSBoundSlotBaseFunction::create):
2875 * runtime/JSFunction.cpp:
2876 (JSC::retrieveCallerFunction):
2877 (JSC::getThrowTypeErrorGetterSetter):
2878 (JSC::JSFunction::callerGetter):
2879 (JSC::JSFunction::getOwnPropertySlot):
2880 (JSC::JSFunction::defineOwnProperty):
2881 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2882 (JSC::constructGenericTypedArrayView):
2883 * runtime/JSGlobalObject.cpp:
2884 (JSC::createProxyProperty):
2885 (JSC::createJSONProperty):
2886 (JSC::createMathProperty):
2887 (JSC::JSGlobalObject::init):
2888 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2889 (JSC::JSGlobalObject::resetPrototype):
2890 (JSC::JSGlobalObject::visitChildren):
2891 (JSC::JSGlobalObject::toThis):
2892 (JSC::JSGlobalObject::getOwnPropertySlot):
2893 (JSC::JSGlobalObject::createThrowTypeError): Deleted.
2894 (JSC::JSGlobalObject::createThrowTypeErrorArgumentsAndCaller): Deleted.
2895 * runtime/JSGlobalObject.h:
2896 (JSC::JSGlobalObject::objectConstructor):
2897 (JSC::JSGlobalObject::promiseConstructor):
2898 (JSC::JSGlobalObject::internalPromiseConstructor):
2899 (JSC::JSGlobalObject::evalErrorConstructor):
2900 (JSC::JSGlobalObject::rangeErrorConstructor):
2901 (JSC::JSGlobalObject::referenceErrorConstructor):
2902 (JSC::JSGlobalObject::syntaxErrorConstructor):
2903 (JSC::JSGlobalObject::typeErrorConstructor):
2904 (JSC::JSGlobalObject::URIErrorConstructor):
2905 (JSC::JSGlobalObject::nullGetterFunction):
2906 (JSC::JSGlobalObject::nullSetterFunction):
2907 (JSC::JSGlobalObject::callFunction):
2908 (JSC::JSGlobalObject::applyFunction):
2909 (JSC::JSGlobalObject::definePropertyFunction):
2910 (JSC::JSGlobalObject::arrayProtoValuesFunction):
2911 (JSC::JSGlobalObject::initializePromiseFunction):
2912 (JSC::JSGlobalObject::newPromiseCapabilityFunction):
2913 (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
2914 (JSC::JSGlobalObject::regExpProtoExecFunction):
2915 (JSC::JSGlobalObject::regExpProtoSymbolReplaceFunction):
2916 (JSC::JSGlobalObject::regExpProtoGlobalGetter):
2917 (JSC::JSGlobalObject::regExpProtoUnicodeGetter):
2918 (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
2919 (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter):
2920 (JSC::JSGlobalObject::moduleLoader):
2921 (JSC::JSGlobalObject::objectPrototype):
2922 (JSC::JSGlobalObject::functionPrototype):
2923 (JSC::JSGlobalObject::arrayPrototype):
2924 (JSC::JSGlobalObject::booleanPrototype):
2925 (JSC::JSGlobalObject::stringPrototype):
2926 (JSC::JSGlobalObject::symbolPrototype):
2927 (JSC::JSGlobalObject::numberPrototype):
2928 (JSC::JSGlobalObject::datePrototype):
2929 (JSC::JSGlobalObject::regExpPrototype):
2930 (JSC::JSGlobalObject::errorPrototype):
2931 (JSC::JSGlobalObject::iteratorPrototype):
2932 (JSC::JSGlobalObject::generatorFunctionPrototype):
2933 (JSC::JSGlobalObject::generatorPrototype):
2934 (JSC::JSGlobalObject::debuggerScopeStructure):
2935 (JSC::JSGlobalObject::withScopeStructure):
2936 (JSC::JSGlobalObject::strictEvalActivationStructure):
2937 (JSC::JSGlobalObject::activationStructure):
2938 (JSC::JSGlobalObject::moduleEnvironmentStructure):
2939 (JSC::JSGlobalObject::directArgumentsStructure):
2940 (JSC::JSGlobalObject::scopedArgumentsStructure):
2941 (JSC::JSGlobalObject::clonedArgumentsStructure):
2942 (JSC::JSGlobalObject::isOriginalArrayStructure):
2943 (JSC::JSGlobalObject::booleanObjectStructure):
2944 (JSC::JSGlobalObject::callbackConstructorStructure):
2945 (JSC::JSGlobalObject::callbackFunctionStructure):
2946 (JSC::JSGlobalObject::callbackObjectStructure):
2947 (JSC::JSGlobalObject::propertyNameIteratorStructure):
2948 (JSC::JSGlobalObject::objcCallbackFunctionStructure):
2949 (JSC::JSGlobalObject::objcWrapperObjectStructure):
2950 (JSC::JSGlobalObject::dateStructure):
2951 (JSC::JSGlobalObject::nullPrototypeObjectStructure):
2952 (JSC::JSGlobalObject::errorStructure):
2953 (JSC::JSGlobalObject::calleeStructure):
2954 (JSC::JSGlobalObject::functionStructure):
2955 (JSC::JSGlobalObject::boundFunctionStructure):
2956 (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
2957 (JSC::JSGlobalObject::getterSetterStructure):
2958 (JSC::JSGlobalObject::nativeStdFunctionStructure):
2959 (JSC::JSGlobalObject::namedFunctionStructure):
2960 (JSC::JSGlobalObject::functionNameOffset):
2961 (JSC::JSGlobalObject::numberObjectStructure):
2962 (JSC::JSGlobalObject::privateNameStructure):
2963 (JSC::JSGlobalObject::mapStructure):
2964 (JSC::JSGlobalObject::regExpStructure):
2965 (JSC::JSGlobalObject::generatorFunctionStructure):
2966 (JSC::JSGlobalObject::setStructure):
2967 (JSC::JSGlobalObject::stringObjectStructure):
2968 (JSC::JSGlobalObject::symbolObjectStructure):
2969 (JSC::JSGlobalObject::iteratorResultObjectStructure):
2970 (JSC::JSGlobalObject::lazyTypedArrayStructure):
2971 (JSC::JSGlobalObject::typedArrayStructure):
2972 (JSC::JSGlobalObject::typedArrayStructureConcurrently):
2973 (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
2974 (JSC::JSGlobalObject::typedArrayConstructor):
2975 (JSC::JSGlobalObject::actualPointerFor):
2976 (JSC::JSGlobalObject::internalFunctionStructure): Deleted.
2977 * runtime/JSNativeStdFunction.cpp:
2978 (JSC::JSNativeStdFunction::create):
2979 * runtime/JSWithScope.cpp:
2980 (JSC::JSWithScope::create):
2981 (JSC::JSWithScope::visitChildren):
2982 (JSC::JSWithScope::createStructure):
2983 (JSC::JSWithScope::JSWithScope):
2984 * runtime/JSWithScope.h:
2985 (JSC::JSWithScope::object):
2986 (JSC::JSWithScope::create): Deleted.
2987 (JSC::JSWithScope::createStructure): Deleted.
2988 (JSC::JSWithScope::JSWithScope): Deleted.
2989 * runtime/LazyClassStructure.cpp: Added.
2990 (JSC::LazyClassStructure::Initializer::Initializer):
2991 (JSC::LazyClassStructure::Initializer::setPrototype):
2992 (JSC::LazyClassStructure::Initializer::setStructure):
2993 (JSC::LazyClassStructure::Initializer::setConstructor):
2994 (JSC::LazyClassStructure::visit):
2995 (JSC::LazyClassStructure::dump):
2996 * runtime/LazyClassStructure.h: Added.
2997 (JSC::LazyClassStructure::LazyClassStructure):
2998 (JSC::LazyClassStructure::get):
2999 (JSC::LazyClassStructure::prototype):
3000 (JSC::LazyClassStructure::constructor):
3001 (JSC::LazyClassStructure::getConcurrently):
3002 (JSC::LazyClassStructure::prototypeConcurrently):
3003 (JSC::LazyClassStructure::constructorConcurrently):
3004 * runtime/LazyClassStructureInlines.h: Added.
3005 (JSC::LazyClassStructure::initLater):
3006 * runtime/LazyProperty.h: Added.
3007 (JSC::LazyProperty::Initializer::Initializer):
3008 (JSC::LazyProperty::LazyProperty):
3009 (JSC::LazyProperty::get):
3010 (JSC::LazyProperty::getConcurrently):
3011 * runtime/LazyPropertyInlines.h: Added.
3012 (JSC::ElementType>::Initializer::set):
3013 (JSC::ElementType>::initLater):
3014 (JSC::ElementType>::setMayBeNull):
3015 (JSC::ElementType>::set):
3016 (JSC::ElementType>::visit):
3017 (JSC::ElementType>::dump):
3018 (JSC::ElementType>::callFunc):
3019 * runtime/Lookup.cpp:
3020 (JSC::setUpStaticFunctionSlot):
3022 (JSC::HashTableValue::function):
3023 (JSC::HashTableValue::functionLength):
3024 (JSC::HashTableValue::propertyGetter):
3025 (JSC::HashTableValue::propertyPutter):
3026 (JSC::HashTableValue::accessorGetter):
3027 (JSC::HashTableValue::accessorSetter):
3028 (JSC::HashTableValue::constantInteger):
3029 (JSC::HashTableValue::lexerValue):
3030 (JSC::HashTableValue::lazyCellPropertyOffset):
3031 (JSC::HashTableValue::lazyClassStructureOffset):
3032 (JSC::HashTableValue::lazyPropertyCallback):
3033 (JSC::getStaticPropertySlot):
3034 (JSC::getStaticValueSlot):
3036 (JSC::reifyStaticProperty):
3037 * runtime/PropertySlot.h:
3038 * runtime/TypedArrayType.h:
3040 2016-05-04 Joseph Pecoraro <pecoraro@apple.com>
3042 Improve the grammar of some error messages 'a argument list' => 'an argument list'
3043 https://bugs.webkit.org/show_bug.cgi?id=157350
3044 <rdar://problem/26082108>
3046 Reviewed by Mark Lam.
3048 * parser/Parser.cpp:
3049 (JSC::Parser<LexerType>::parseIfStatement):
3050 (JSC::Parser<LexerType>::parseImportDeclaration):
3051 (JSC::Parser<LexerType>::parseExportDeclaration):
3052 (JSC::Parser<LexerType>::parseObjectLiteral):
3053 (JSC::Parser<LexerType>::parseStrictObjectLiteral):
3054 (JSC::Parser<LexerType>::parseArguments):
3055 Use the alternate error message formatter macro which outputs 'an'
3056 instead of 'a' preceding the last argument.
3058 2016-05-04 Keith Miller <keith_miller@apple.com>
3060 Corrections to r200422
3061 https://bugs.webkit.org/show_bug.cgi?id=157351
3063 Reviewed by Joseph Pecoraro.
3065 Fix some typos in various files. Also, make separate error messages
3066 for the this value being undefined vs null in the ArrayIteratorPrototype
3067 next function and add test.
3069 * Scripts/builtins/builtins_model.py:
3070 * builtins/ArrayIteratorPrototype.js:
3072 (arrayIteratorValueNext):
3073 (arrayIteratorKeyNext):
3074 (arrayIteratorKeyValueNext):
3075 * builtins/ArrayPrototype.js:
3078 * builtins/TypedArrayPrototype.js:
3079 * runtime/JSGlobalObject.cpp:
3080 (JSC::JSGlobalObject::init): Deleted.
3081 * tests/stress/array-iterators-next-error-messages.js: Added.
3085 2016-05-04 Keith Miller <keith_miller@apple.com>
3087 Unreviewed, reland r200149 since the rollout had inconclusive PLT AB testing results.
3089 2016-05-04 Mark Lam <mark.lam@apple.com>
3091 ES6 Function.name inferred from property names of literal objects can break some websites.
3092 https://bugs.webkit.org/show_bug.cgi?id=157246
3094 Reviewed by Geoffrey Garen.
3096 Specifically, the library mathjs (see http://mathjs.org and https://github.com/josdejong/mathjs)
3097 uses an idiom where it creates literal objects with property names that look like
3098 this: 'number | BigNumber | Unit'. Later, this name is used in a string to create
3099 function source code that gets eval'ed. Since 'number | BigNumber | Unit' is not
3100 a valid function name, we get a syntax error.
3102 Here are the details:
3104 1. mathjs uses object literals with the funky property names for its function members.
3107 // helper function to type check the middle value of the array
3108 var middle = typed({
3109 'number | BigNumber | Unit': function (value) {
3114 2. mathjs' getName() uses Function.name to get the name of functions (hence, picks
3115 up the property name as inferred value of Function.name as specified by ES6):
3118 * Retrieve the function name from a set of functions, and check
3119 * whether the name of all functions match (if given)
3122 function getName (fns) {
3125 for (var i = 0; i < fns.length; i++) {
3133 3. mathjs uses that name to assemble new function source code that gets eval'ed:
3136 * Compose a function from sub-functions each handling a single type signature.
3139 function _typed(name, signatures) {
3141 // generate code for the typed function
3143 var _name = name || '';
3145 code.push('function ' + _name + '(' + _args.join(', ') + ') {');
3146 code.push(' "use strict";');
3147 code.push(' var name = \'' + _name + '\';');
3148 code.push(node.toCode(refs, ' '));
3151 // generate body for the factory function
3154 'return ' + code.join('\n')
3157 // evaluate the JavaScript code and attach function references
3158 var factory = (new Function(refs.name, 'createError', body)); // <== Syntax Error here!
3159 var fn = factory(refs, createError);
3164 Until mathjs (and any other frameworks that do similar things) and sites that
3165 use mathjs have been updated to work with ES6, we'll need a compatibility hack to
3168 Here's what we'll do:
3169 1. Introduce a needsSiteSpecificQuirks flag in JSGlobalObject.
3170 2. Have WebCore's JSDOMWindowBase set that flag if the browser's
3171 needsSiteSpecificQuirks is enabled in its settings.
3172 3. If needsSiteSpecificQuirks is enabled, have JSFunction::reifyName() check for
3173 ' ' or '|' in the name string it will use to reify the Function.name property.
3174 If those characters exist in the name, we'll replace the name string with a
3177 * runtime/JSFunction.cpp:
3178 (JSC::JSFunction::reifyName):
3179 * runtime/JSGlobalObject.h:
3180 (JSC::JSGlobalObject::needsSiteSpecificQuirks):
3181 (JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
3182 (JSC::JSGlobalObject::setNeedsSiteSpecificQuirks):
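The mathjs idiom described in the entry above, reconstructed as an added example (this is not code from the WebKit ChangeLog or from mathjs): it shows the ES6 name inference, the SyntaxError that results from splicing the inferred name into generated source, and a guard a code generator can apply itself. The getName(), buildFactorySource() and safeFunctionName() helpers and the identifier check are constructed for this example; the sanitizer is an assumption about how a generator would defend itself, not the quirk JSC implements.

```javascript
// Added example, not part of the WebKit ChangeLog or of mathjs.

// 1. ES6 infers Function.name from the property key of an object literal,
//    so the function below is named 'number | BigNumber | Unit'.
const signatures = {
  'number | BigNumber | Unit': function (value) { return value; },
};

// Modelled on the idea of mathjs' getName(): take the first function's name
// and require every other named function to agree with it.
function getName(fns) {
  let name = '';
  for (let i = 0; i < fns.length; i++) {
    const fnName = fns[i].name;
    if (name === '') {
      name = fnName;
    } else if (fnName !== '' && fnName !== name) {
      throw new Error('Function names do not match (expected: ' + name +
                      ', actual: ' + fnName + ')');
    }
  }
  return name;
}

// 2. Splicing the inferred name verbatim into generated source, as the
//    _typed() step does, produces `function number | BigNumber | Unit(x)`,
//    which is not valid JavaScript.
function buildFactorySource(name) {
  return 'return function ' + name + '(x) { "use strict"; return x; };';
}

// Compiles the generated text with new Function(); an invalid identifier
// in the name throws a SyntaxError here.
function compileFactory(name) {
  return new Function(buildFactorySource(name))();
}

// 3. Defensive alternative (constructed for this example): validate the
//    name before it reaches the code generator, and fall back to an
//    anonymous function when it is not a plain identifier. This keeps
//    generated code parseable without depending on engine-side quirks.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function safeFunctionName(name) {
  return IDENTIFIER.test(name) ? name : '';
}

function compileFactorySafely(name) {
  return compileFactory(safeFunctionName(name));
}
```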
3184 2016-05-04 Keith Miller <keith_miller@apple.com>
3186 Speedup array iterators
3187 https://bugs.webkit.org/show_bug.cgi?id=157315
3189 Reviewed by Michael Saboff.
3191 This patch improves the performance of Array iterators in ES6. There are two main changes
3192 that make things faster. The first is that the value, keys and entries functions have been
3193 moved to JS. This enables us to inline the construction of the iterator. Thus, when we get
3194 to the FTL we are able to sink the allocation of the iterator object. This significantly
3195 improves the performance of any for-of loop since we are now able to have both the iteration
3196 counter and the iterated object in local variables rather than in the heap.
3198 Secondly, instead of using a number to store the iteration kind we now use a virtual
3199 method on the iteration object to indicate which next function to use. This ends up being
3200 helpful because it means we can eliminate the branches in the old next function that decide
3201 what value to return. With those branches gone the various next functions are now small
3202 enough to inline. Once the next functions are inlined then the FTL is able to sink the
3203 allocation of next() result object. There is still room for optimization in the loop since
3204 we currently don't recognize that the array access in the next function is in bounds or that
3205 the increment to the loop counter cannot overflow.
3207 The overall performance changes appear to be a ~4-6x speedup in a simple microbenchmark that
3208 computes the sum of an array with some extra arithmetic. The variance depends on the exact
3209 body of the loop. Additionally, on a new regress test that changes all the loops in
3210 deltablue into for-of loops this patch is a 1.8x progression. Overall, it still looks like
3211 for-of loops are significantly slower than an indexed for loop. In the first test it's ~2-4x
3212 slower with the difference depending on the body of the loop. If the loop is just the sum
3213 then we see a much larger regression than if the loop does even simple arithmetic. It looks
3214 like the indexed for loop without extra arithmetic is small enough to fit into the x86
3215 replay buffer on my machine, which would explain why there is such a big difference between
3216 the for of loop in that case. On the deltablue benchmark it's 1.4x slower. It's clear from
3217 these numbers that there is still a lot of work we can do to make for of loops faster.
3219 This patch also makes some changes to the way that we decorate our builtin js
3220 functions. Instead of the old syntax (putting the decorated values in [] before the function
3221 declaration i.e. [intrinsic=foo]) this patch changes the syntax to be closer to the way that
3222 decorators are proposed in a future ECMAScript proposal (using @ followed by the entry on a
3223 new line before the function declaration i.e. @intrinsic=foo).
3225 Finally, in the builtin scripts regular expressions re.S has been changed to re.DOTALL since
3226 DOTALL is easier to understand without going to the reference page for python regular
3229 * Scripts/builtins/builtins_model.py:
3230 * builtins/ArrayIteratorPrototype.js:
3232 (arrayIteratorValueNext):
3233 (arrayIteratorKeyNext):
3234 (arrayIteratorKeyValueNext):
3235 * builtins/ArrayPrototype.js:
3236 (createArrayIterator):
3240 * builtins/RegExpPrototype.js:
3241 (intrinsic.RegExpTestIntrinsic.test):
3242 * builtins/StringPrototype.js:
3243 (intrinsic.StringPrototypeReplaceIntrinsic.replace):
3244 * builtins/TypedArrayPrototype.js:
3248 * inspector/JSInjectedScriptHost.cpp:
3249 (Inspector::cloneArrayIteratorObject):
3250 (Inspector::JSInjectedScriptHost::iteratorEntries):
3251 * jit/ThunkGenerators.cpp:
3252 * runtime/ArrayPrototype.cpp:
3253 (JSC::ArrayPrototype::finishCreation):
3254 (JSC::arrayProtoFuncValues): Deleted.
3255 (JSC::arrayProtoFuncEntries): Deleted.
3256 (JSC::arrayProtoFuncKeys): Deleted.
3257 * runtime/CommonIdentifiers.h:
3258 * runtime/JSArrayIterator.cpp:
3259 (JSC::JSArrayIterator::clone): Deleted.
3260 * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3261 (JSC::genericTypedArrayViewProtoFuncEntries): Deleted.
3262 (JSC::genericTypedArrayViewProtoFuncKeys): Deleted.
3263 (JSC::typedArrayViewProtoFuncValues): Deleted.
3264 * runtime/JSGlobalObject.cpp:
3265 (JSC::JSGlobalObject::init):
3266 * runtime/JSGlobalObject.h:
3267 * runtime/JSTypedArrayViewPrototype.cpp:
3268 (JSC::JSTypedArrayViewPrototype::finishCreation):
3269 (JSC::typedArrayViewProtoFuncEntries): Deleted.
3270 (JSC::typedArrayViewProtoFuncKeys): Deleted.
3271 (JSC::typedArrayViewProtoFuncValues): Deleted.
3272 * runtime/MapPrototype.cpp:
3273 (JSC::MapPrototype::finishCreation):
3274 * runtime/SetPrototype.cpp:
3275 (JSC::SetPrototype::finishCreation):
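The entry above describes two structural choices: building the iterator in JS so its allocation can be inlined and sunk, and selecting a per-kind next function at construction time instead of branching on a stored kind number in every next() call. The following is an added user-land reconstruction of that shape, written for this page and not WebKit's builtin code; all names (createArrayIterator, valueNext, keyNext, keyValueNext, arrayValues, arrayKeys, arrayEntries, sumWithIterator, collectEntries) are mine, and the sample arrays are constructed inline.

```javascript
// Added example, not WebKit's builtins: a user-land sketch of the iterator
// design described in the ChangeLog entry above. Names are my own.

// Shared "done" result; real engines allocate a fresh one, which is exactly
// the allocation the FTL can sink once next() is inlined.
const DONE = Object.freeze({ value: undefined, done: true });

// One next function per iteration kind. Each one only bounds-checks; there is
// no "which kind am I" branch on every step, so each stays small.
function valueNext(it) {
  const array = it.iteratedObject;
  const index = it.nextIndex;
  if (array === undefined || index >= array.length) { it.iteratedObject = undefined; return DONE; }
  it.nextIndex = index + 1;
  return { value: array[index], done: false };
}

function keyNext(it) {
  const array = it.iteratedObject;
  const index = it.nextIndex;
  if (array === undefined || index >= array.length) { it.iteratedObject = undefined; return DONE; }
  it.nextIndex = index + 1;
  return { value: index, done: false };
}

function keyValueNext(it) {
  const array = it.iteratedObject;
  const index = it.nextIndex;
  if (array === undefined || index >= array.length) { it.iteratedObject = undefined; return DONE; }
  it.nextIndex = index + 1;
  return { value: [index, array[index]], done: false };
}

// The prototype's next() dispatches through a per-iterator slot (the
// "virtual method" of the entry) instead of switching on a kind number.
const ArrayIteratorPrototype = {
  next() { return this.nextImpl(this); },
  [Symbol.iterator]() { return this; },
};

// Construction is plain JS, so a JIT that inlines it can keep the iterated
// object and the counter in locals rather than on the heap.
function createArrayIterator(array, nextImpl) {
  const it = Object.create(ArrayIteratorPrototype);
  it.iteratedObject = array;
  it.nextIndex = 0;
  it.nextImpl = nextImpl;
  return it;
}

function arrayValues(array) { return createArrayIterator(array, valueNext); }
function arrayKeys(array) { return createArrayIterator(array, keyNext); }
function arrayEntries(array) { return createArrayIterator(array, keyValueNext); }

// A for-of loop of the kind the entry's microbenchmark uses: sum the array
// with a little extra arithmetic in the loop body.
function sumWithIterator(array) {
  let sum = 0;
  for (const v of arrayValues(array)) sum += v * 2 + 1;
  return sum;
}

function collectEntries(array) {
  const out = [];
  for (const [i, v] of arrayEntries(array)) out.push(i + ":" + v);
  return out;
}

// An exhausted iterator must keep reporting done, even if the array grows.
function staysDoneAfterExhaustion(array) {
  const it = arrayValues(array);
  while (!it.next().done) {}
  array.push(99);
  return it.next().done === true;
}
```

The bounds check and the counter increment remain in each next function; the entry notes that the JIT does not yet prove the access in bounds or the increment overflow-free, which is the remaining gap against an indexed for loop.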
2016-05-04 Yusuke Suzuki <utatane.tea@gmail.com>

        [JSC] Object constructor needs to be aware of new.target
        https://bugs.webkit.org/show_bug.cgi?id=157196

        Reviewed by Darin Adler.

        Object constructor should be aware of new.target.
        When the new.target is specified, we should store it.prototype to the newly created
        object's [[Prototype]].

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        Take the design that caches the structure used for empty object.
        This structure is also used in constructEmptyObject frequently.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectStructureForObjectConstructor):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::constructWithObjectConstructor):
        (JSC::callObjectConstructor):
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):
        Construct the object by using the plain structure that is also used in the ObjectConstructor.

        * tests/stress/object-constructor-should-be-new-target-aware.js: Added.
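What "aware of new.target" means observably, as an added example written for this page (it is not the stress test added by the patch, whose contents are not shown here): when Object is invoked via super() from a subclass or via Reflect.construct with an explicit new.target, the result's [[Prototype]] must be new.target.prototype, while ordinary Object() and new Object() keep producing plain objects. The class and function names (Point, Box, Tag) are mine.

```javascript
// Added example, not the WebKit patch's own test. Names are my own.

// super() forwards new.target (Point) to the Object constructor, so the
// created object must use Point.prototype, not Object.prototype.
class Point extends Object {
  constructor(x, y) {
    super();
    this.x = x;
    this.y = y;
  }
}

function subclassInstanceUsesOwnPrototype() {
  const p = new Point(1, 2);
  return Object.getPrototypeOf(p) === Point.prototype && p.x === 1 && p.y === 2;
}

// Per the spec, the new.target check comes before the value argument is
// inspected: super(value) from a subclass still yields a fresh Box, not the
// object that was passed in.
class Box extends Object {
  constructor(v) { super(v); }
}

function subclassIgnoresValueArgument() {
  const passed = { a: 1 };
  const b = new Box(passed);
  return b !== passed && Object.getPrototypeOf(b) === Box.prototype;
}

// Reflect.construct lets a caller supply any constructor as new.target.
function reflectConstructHonorsNewTarget() {
  function Tag() {}
  const obj = Reflect.construct(Object, [], Tag);
  return Object.getPrototypeOf(obj) === Tag.prototype;
}

// Without a distinct new.target the constructor behaves as before.
function plainInvocationsMakeOrdinaryObjects() {
  const called = Object();
  const constructed = new Object();
  const wrapped = Object(5);
  return Object.getPrototypeOf(called) === Object.prototype
    && Object.getPrototypeOf(constructed) === Object.prototype
    && Object.getPrototypeOf(wrapped) === Number.prototype;
}
```

An engine that ignored new.target here would make every Object subclass instance a bare object, so instanceof checks and overridden methods on the subclass would silently fail.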