2017-12-14  Keith Miller  <keith_miller@apple.com>

        Fix assertion in JSObject's structure setting methods
        https://bugs.webkit.org/show_bug.cgi?id=180840

        I forgot that when Typed Arrays have non-indexed properties
        added to them, they call the generic code. The generic code
        in turn calls the regular structure setting methods. Thus,
        these assertions were invalid and we should just avoid setting
        the indexing mask if we have a Typed Array.

        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r225695): Repro crash on yahoo login page
        https://bugs.webkit.org/show_bug.cgi?id=180761

        Reviewed by JF Bastien.

        Relanding r225695 with a fix.

        The fix is that we need to save the return address for parentheses in
        the ParenContext because it is actually used by any immediately contained

        Also did a little refactoring, changing occurrences of PatternContext to
        ParenContext since that is the name of the structure.

        (JSC::byteCodeCompilePattern):
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
        (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
        (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
        (JSC::Yarr::YarrGenerator::initParenContextFreeList):
        (JSC::Yarr::YarrGenerator::allocateParenContext):
        (JSC::Yarr::YarrGenerator::freeParenContext):
        (JSC::Yarr::YarrGenerator::saveParenContext):
        (JSC::Yarr::YarrGenerator::restoreParenContext):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::storeToFrame):
        (JSC::Yarr::YarrGenerator::generateJITFailReturn):
        (JSC::Yarr::YarrGenerator::clearMatches):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::dumpCharacterClass):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        (JSC::Yarr::PatternTerm::containsAnyCaptures):
        (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
        (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
        (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
        (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.

2017-12-13  Keith Miller  <keith_miller@apple.com>

        JSObjects should have a mask for loading indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=180768

        This patch adds a new member to JSObject that holds an indexing
        mask. The indexing mask is bitwise anded with the index used to
        load a property. If for whatever reason an attacker is able to
        clobber the vectorLength of our butterfly they still won't be able
        to read substantially past the end of the butterfly. For
        performance reasons we don't use the indexing masking for
        TypedArrays. Since TypedArrays are already gigacaged the risk of
        wild reads is still restricted.

        This patch is a <1% regression on Speedometer and ~3% regression
        on JetStream in my testing.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::urshiftPtr):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        (JSC::FTL::Output::baseIndex):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
        (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        (JSC::AssemblyHelpers::storeButterfly): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::availableVectorLength):
        * runtime/Butterfly.h:
        (JSC::ContiguousData::ContiguousData):
        (JSC::ContiguousData::at const):
        (JSC::ContiguousData::at):
        (JSC::Butterfly::publicLength const):
        (JSC::Butterfly::vectorLength const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength):
        (JSC::Butterfly::computeIndexingMask):
        (JSC::Butterfly::contiguousInt32):
        (JSC::ContiguousData::operator[] const): Deleted.
        (JSC::ContiguousData::operator[]): Deleted.
        (JSC::Butterfly::publicLength): Deleted.
        (JSC::Butterfly::vectorLength): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::ContiguousData<T>::at const):
        (JSC::ContiguousData<T>::at):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::createFromArray):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::getEnumerableLength):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterflyIndexingMaskOffset):
        (JSC::JSObject::butterflyIndexingMask const):
        (JSC::JSObject::setButterflyWithIndexingMask):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        (JSC::JSObject::JSObject):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
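To make the mitigation described in this entry concrete, here is an added C example (not WebKit's code; the struct layouts, the mask formula and the helper names are assumptions of the example) that derives a mask from vectorLength, applies it on the indexed-load path, and measures how far a load can still reach once vectorLength has been overwritten:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a JSC butterfly: the vectorLength that the fast-path
 * bounds check trusts, plus the slot storage. Not WebKit's real layout. */
typedef struct {
    uint32_t vectorLength;   /* the field the ChangeLog assumes an attacker may clobber */
    int32_t *slots;
} Butterfly;

/* Constructed stand-in for the JSObject fields the patch adds: the mask lives
 * on the object, so corrupting the butterfly alone does not change it. */
typedef struct {
    uint32_t butterflyIndexingMask;
    Butterfly *butterfly;
} JSObjectLike;

/* Smear the top set bit of vectorLength downward: 5 -> 0x7, 8 -> 0xF, 0 -> 0.
 * The formula is this example's assumption; the property that matters is that
 * (index & mask) always stays below the next power of two above vectorLength. */
uint32_t computeIndexingMaskForVectorLength(uint32_t vectorLength)
{
    uint32_t mask = vectorLength;
    mask |= mask >> 1;
    mask |= mask >> 2;
    mask |= mask >> 4;
    mask |= mask >> 8;
    mask |= mask >> 16;
    return mask;
}

/* Analogue of setButterflyWithIndexingMask: the mask is derived once, when the
 * butterfly is installed, from the vectorLength trusted at that moment. */
void setButterflyWithIndexingMask(JSObjectLike *obj, Butterfly *bf)
{
    obj->butterfly = bf;
    obj->butterflyIndexingMask = computeIndexingMaskForVectorLength(bf->vectorLength);
}

/* Slot a masked fast load actually touches for a given index. */
uint32_t maskedIndex(const JSObjectLike *obj, uint32_t index)
{
    return index & obj->butterflyIndexingMask;
}

/* Load without the mask, for contrast: fine while vectorLength is intact, but
 * once it is clobbered the bounds check passes for any index and the read
 * lands wherever index points. */
bool getIndexUnmasked(const JSObjectLike *obj, uint32_t index, int32_t *out)
{
    if (index >= obj->butterfly->vectorLength)
        return false;
    *out = obj->butterfly->slots[index];
    return true;
}

/* Load as the patch describes: the same bounds check, but the slot offset is
 * ANDed with the object's mask, so the furthest reachable slot is the mask
 * itself no matter what vectorLength now claims. */
bool getIndexQuickly(const JSObjectLike *obj, uint32_t index, int32_t *out)
{
    if (index >= obj->butterfly->vectorLength)
        return false;
    *out = obj->butterfly->slots[maskedIndex(obj, index)];
    return true;
}

/* Install a butterfly of the given vectorLength, simulate a clobbered
 * vectorLength, then probe large indices through getIndexQuickly. Returns the
 * furthest slot any probe reached: the mask, i.e. below the next power of two
 * above the original length. Limited to vectorLength <= 8 so the demo's own
 * 16-slot backing store (mask + 1 <= 16) is never overrun. */
uint32_t furthestSlotAfterClobber(uint32_t originalVectorLength)
{
    int32_t storage[16] = {0};
    if (originalVectorLength > 8)
        return UINT32_MAX;
    Butterfly bf = { originalVectorLength, storage };
    JSObjectLike obj;
    setButterflyWithIndexingMask(&obj, &bf);

    bf.vectorLength = UINT32_MAX;   /* simulated corruption of the butterfly */

    static const uint32_t probes[] = { 0, 1, 1000, 0x7FFFFFFFu, 0xFFFFFFFEu };
    uint32_t furthest = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int32_t value;
        if (!getIndexQuickly(&obj, probes[i], &value))
            continue;   /* cannot happen once vectorLength reads as UINT32_MAX */
        uint32_t slot = maskedIndex(&obj, probes[i]);
        if (slot > furthest)
            furthest = slot;
    }
    return furthest;
}

int main(void)
{
    for (uint32_t len = 1; len <= 8; len++)
        printf("vectorLength %u: mask 0x%x, furthest slot after clobber %u\n",
               (unsigned)len, (unsigned)computeIndexingMaskForVectorLength(len),
               (unsigned)furthestSlotAfterClobber(len));
    return 0;
}
```

The unmasked variant is kept only to show what the bounds check alone buys once vectorLength is untrusted; TypedArrays skip the mask, as the entry says, because they are bounded by the Gigacage instead.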
2017-12-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project

        Fixes the following warning during builds:

        Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h

        * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
        entries for JSCPoisonedPtr.h.

2017-12-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
        <https://bugs.webkit.org/show_bug.cgi?id=180738>

        * runtime/InferredValue.h: Attempt to fix build by adding
        missing #include statements.

2017-12-13  Filip Pizlo  <fpizlo@apple.com>

        Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
        https://bugs.webkit.org/show_bug.cgi?id=180783

        Reviewed by Saam Barati.

        This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:

        Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
        with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like

        memoryAtTail: {@x=>@a, @a=>@c}

        memoryAtTail: {@b=>@d}

        memoryAtTail: {@b=>@e} [sic]

        Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
        But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
        map, we don't find it and leave the redundancy.

        I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
        this. It fixes the richards regression, since richards is super dependent on B3 CSE.

        * b3/B3EliminateCommonSubexpressions.cpp: Logging.
        (JSC::B3::generateToAir): Fix the bug.
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters): Logging.
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).

2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
        https://bugs.webkit.org/show_bug.cgi?id=180787
        <rdar://problem/35934838>

        Reviewed by Brian Burg.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        For empty / null strings just return. There is no use
        trying to search them for a long common syntax.

2017-12-13  Saam Barati  <sbarati@apple.com>

        Arrow functions need their own structure because they have different properties than sloppy functions
        https://bugs.webkit.org/show_bug.cgi?id=180779
        <rdar://problem/35814591>

        Reviewed by Mark Lam.

        We were using the same structure for sloppy functions and
        arrow functions. This broke our IC caching machinery because
        these two types of functions actually have different properties.
        This patch gives them different structures.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::selectStructureForNewFuncExp):
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrowFunctionStructure const):

2017-12-12  Filip Pizlo  <fpizlo@apple.com>

        InferredValue should use IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=180738

        Reviewed by Keith Miller.

        This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
        its UnconditionalFinalizer.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * runtime/InferredValue.cpp:
        (JSC::InferredValue::visitChildren):
        (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
        (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
        (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
        * runtime/InferredValue.h:
        (JSC::InferredValue::subspaceFor):
        * runtime/InferredValueInlines.h: Added.
        (JSC::InferredValue::finalizeUnconditionally):

2017-12-13  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: add instrumentation for ImageBitmapRenderingContext
        https://bugs.webkit.org/show_bug.cgi?id=180736

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        * inspector/scripts/codegen/generator.py:

2017-12-13  Saam Barati  <sbarati@apple.com>

        Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
        https://bugs.webkit.org/show_bug.cgi?id=180771

        Reviewed by JF Bastien.

        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-13  Saam Barati  <sbarati@apple.com>

        REGRESSION(r225844): Around 850 new JSC failures on 32-bit
        https://bugs.webkit.org/show_bug.cgi?id=180764

        Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.

        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-13  Michael Saboff  <msaboff@apple.com>

        Unreviewed rollout of r225695. Caused a crash on yahoo login page.

        That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.

        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        (JSC::byteCodeCompilePattern): Deleted.
        (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
        (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
        (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
        (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
        (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
        (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
        (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
        (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        (JSC::Yarr::dumpCharacterClass): Deleted.
        * yarr/YarrPattern.h:
        (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
        (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
        (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
        (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
        (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
        (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
        (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
        (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.

2017-12-13  Mark Lam  <mark.lam@apple.com>

        Fill out some Poisoned APIs, fix some bugs, and add some tests.
        https://bugs.webkit.org/show_bug.cgi?id=180724
        <rdar://problem/36006884>

        Reviewed by JF Bastien.

        * runtime/StructureTransitionTable.h:

2017-12-13  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Breaking tests on Debug build and 32-bits due to missing Exception check
        https://bugs.webkit.org/show_bug.cgi?id=180746

        Reviewed by Saam Barati.

        We have some uncaught exceptions that could happen due to OOM in
        JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch
        catches such exceptions properly.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toStringSlowCase const):

2017-12-13  Saam Barati  <sbarati@apple.com>

        Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
        https://bugs.webkit.org/show_bug.cgi?id=163579
        <rdar://problem/35455798>

        Reviewed by Mark Lam.

        Some functions in JavaScript do not have the "caller" and "arguments" properties.
        For example, strict functions do not. When reading our code that dealt with these
        types of functions, it was simply all wrong. We were doing weird things depending
        on the method table hook. This patch fixes this by doing what we should've been
        doing all along: when the JSFunction does not own the "caller"/"arguments" property,
        it should defer to its base class implementation for the various method table hooks.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):

2017-12-13  Saam Barati  <sbarati@apple.com>

        TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
        https://bugs.webkit.org/show_bug.cgi?id=180734
        <rdar://problem/35640547>

        Reviewed by Yusuke Suzuki.

        The |this| value may be TDZ. If type check hoisting phase
        hoists a CheckStructure to it, it will crash. This patch
        makes it so we emit CheckStructureOrEmpty for |this|.

        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize Object.assign by single transition acceleration
        https://bugs.webkit.org/show_bug.cgi?id=180644

        Reviewed by Saam Barati.

        Handling single transition is critical. Since this get() function is only used
        in Structure.cpp's 2 functions and it is quite small, we can annotate `inline`

        This improves SixSpeed/object-assign.es6 by 2.8%.

        object-assign.es6 382.3548+-8.0461 371.6496+-5.7439 might be 1.0288x faster

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::get const):

2017-12-12  Filip Pizlo  <fpizlo@apple.com>

        Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=180732

        Rubber stamped by Mark Lam.

        We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
        scalable enough to support that, so we should do it carefully.

        * heap/MarkedSpace.cpp:
        * runtime/PropertyMapHashTable.h:
        * runtime/Structure.h:
        * runtime/StructureRareData.h:

2017-12-12  Saam Barati  <sbarati@apple.com>

        We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
        https://bugs.webkit.org/show_bug.cgi?id=180725
        <rdar://problem/35970511>

        Reviewed by Michael Saboff.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement optimized WeakMap and WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=179929

        Reviewed by Saam Barati.

        This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
        This is similar to HashMapImpl. But,

        1. WeakMapImpl's bucket is not allocated in the GC heap since WeakMaps
        do not need to have iterators.

        2. WeakMapImpl's buffer is allocated in the JSValue Gigacage instead
        of the auxiliary buffer. This is because we would like to allocate the buffer
        when finalizing GC. At that time, WeakMapImpl prunes dead entries and
        shrinks it if necessary. However, allocating from the GC heap during
        finalization is not allowed.

        In particular, (2) is important since it ensures any WeakMap operations
        do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
        and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
        do not cause GC makes our implementation simple. To ensure this, we place
        DisallowGC for each WeakMap's interface.

        In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
        WeakMapGet looks up the entry in WeakMapImpl and returns the value. If it is
        a WeakMap, it returns the value, and it returns the key if it is a WeakSet. If it
        does not find a corresponding entry, it returns JSEmpty.
        ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.

        This patch improves WeakMap and WeakSet operations.

        weak-set-key 240.6932+-10.4923 ^ 148.7606+-6.1784 ^ definitely 1.6180x faster
        weak-map-key 174.3176+-8.2680 ^ 151.7053+-6.8723 ^ definitely 1.1491x faster

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        The existing code is incorrect. It can run GC and break WeakMap's iterator.
        We introduce a takeSnapshot function to WeakMapImpl, which retrieves live
        entries without causing any GC.
        * runtime/HashMapImpl.h:
        (JSC::shouldRehashAfterAdd):
        (JSC::HashMapImpl::shouldRehashAfterAdd const):
        (JSC::HashMapImpl::shouldShrink const):
        (JSC::HashMapImpl::rehash):
        (JSC::WeakMapHash::hash): Deleted.
        (JSC::WeakMapHash::equal): Deleted.
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWeakMap.h:
        * runtime/JSWeakSet.cpp:
        * runtime/JSWeakSet.h:
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::forEach): Deleted.
        * runtime/WeakMapBase.cpp: Removed.
        * runtime/WeakMapBase.h: Removed.
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakMapImpl.cpp: Added.
        (JSC::WeakMapImpl<WeakMapBucket>::destroy):
        (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
        (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
        (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
        (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
        * runtime/WeakMapImpl.h: Added.
        (JSC::jsWeakMapHash):
        (JSC::nextCapacityAfterRemoveBatching):
        (JSC::WeakMapBucket::setKey):
        (JSC::WeakMapBucket::setValue):
        (JSC::WeakMapBucket::key const):
        (JSC::WeakMapBucket::value const):
        (JSC::WeakMapBucket::copyFrom):
        (JSC::WeakMapBucket::offsetOfKey):
        (JSC::WeakMapBucket::offsetOfValue):
        (JSC::WeakMapBucket::extractValue):
        (JSC::WeakMapBucket::isEmpty):
        (JSC::WeakMapBucket::deletedKey):
        (JSC::WeakMapBucket::isDeleted):
        (JSC::WeakMapBucket::makeDeleted):
        (JSC::WeakMapBucket::visitAggregate):
        (JSC::WeakMapBucket::clearValue):
        (JSC::WeakMapBuffer::allocationSize):
        (JSC::WeakMapBuffer::buffer const):
        (JSC::WeakMapBuffer::create):
        (JSC::WeakMapBuffer::reset):
        (JSC::WeakMapImpl::WeakMapImpl):
        (JSC::WeakMapImpl::finishCreation):
        (JSC::WeakMapImpl::get):
        (JSC::WeakMapImpl::has):
        (JSC::WeakMapImpl::add):
        (JSC::WeakMapImpl::remove):
        (JSC::WeakMapImpl::size const):
        (JSC::WeakMapImpl::offsetOfBuffer):
        (JSC::WeakMapImpl::offsetOfCapacity):
        (JSC::WeakMapImpl::findBucket):
        (JSC::WeakMapImpl::buffer const):
        (JSC::WeakMapImpl::forEach):
        (JSC::WeakMapImpl::shouldRehashAfterAdd const):
        (JSC::WeakMapImpl::shouldShrink const):
        (JSC::WeakMapImpl::canUseBucket):
        (JSC::WeakMapImpl::addInternal):
        (JSC::WeakMapImpl::findBucketAlreadyHashed):
        (JSC::WeakMapImpl::rehash):
        (JSC::WeakMapImpl::checkConsistency const):
        (JSC::WeakMapImpl::makeAndSetNewBuffer):
        (JSC::WeakMapImpl::assertBufferIsEmpty const):
        (JSC::WeakMapImpl::DeadKeyCleaner::target):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):
        (JSC::protoFuncWeakSetHas):
        (JSC::protoFuncWeakSetAdd):

2017-12-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to flag a cell for unconditional finalization
        https://bugs.webkit.org/show_bug.cgi?id=180636

        Reviewed by Saam Barati.

        UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
        global linked list - but they had some nice properties:

        - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
        survived and needed it.
        -> Just needing it wasn't enough.
        -> Just surviving wasn't enough.

        The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
        finalizer logic to be invoked. I think that's not great. InferredType got around this by
        making InferredStructure a cell, but this was a gross hack. For one, it meant that
        InferredStructure would survive during the GC in which its finalizer obviated the need for its
        existence. It's not really an idiom I want us to repeat because it sounds like the sort of
        thing that turns out to be subtly broken.

        We really need to have a way of indicating when you have entered into the state that requires
        your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
        objects that need unconditional finalizers. Only the subset of that set that overlaps with the
        set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
        bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
        another level to say which atoms within a MarkedBlock have unconditional finalizers.

        This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
        IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
        auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
        add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
        you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
        about 0.8% increase in size to every object in the subspace that the set is attached to. So,
        it makes sense to have a handful per subspace max. This change only needs one per subspace,
        but you could imagine more if we do this for WeakReferenceHarvester.

        To absolutely minimize the possibility that this incurs costs, the add/remove/contains
        functions can be used from any thread so long as forEachMarkedCell isn't running. This means
        that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
        both survive and need it for the hardest work to take place. The work of adding does involve
        a gnarly load chain that ends in a CAS: load block handle from block, load index, load
        segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
        However, it's perfect for running in parallel since the only write operations are to widely
        dispersed cache lines that contain the bits underlying the set.

        The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
        that need unconditional finalizers, and only touches the memory of marked objects that have
        the unconditional finalizer bit set. It will walk those objects in roughly address order. I
        previously found that this speeds up walking over a lot of objects when I made similar changes
        for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a

        This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.

        My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
        forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
        IsoSubspace in more places.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/AtomIndices.h: Added.
        (JSC::AtomIndices::AtomIndices):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * heap/IsoCellSet.cpp: Added.
        (JSC::IsoCellSet::IsoCellSet):
        (JSC::IsoCellSet::~IsoCellSet):
        (JSC::IsoCellSet::addSlow):
        (JSC::IsoCellSet::didResizeBits):
        (JSC::IsoCellSet::didRemoveBlock):
        (JSC::IsoCellSet::sweepToFreeList):
851 * heap/IsoCellSet.h: Added.
852 * heap/IsoCellSetInlines.h: Added.
853 (JSC::IsoCellSet::add):
854 (JSC::IsoCellSet::remove):
855 (JSC::IsoCellSet::contains const):
856 (JSC::IsoCellSet::forEachMarkedCell):
857 * heap/IsoSubspace.cpp:
858 (JSC::IsoSubspace::didResizeBits):
859 (JSC::IsoSubspace::didRemoveBlock):
860 (JSC::IsoSubspace::didBeginSweepingToFreeList):
861 * heap/IsoSubspace.h:
862 * heap/MarkedAllocator.cpp:
863 (JSC::MarkedAllocator::addBlock):
864 (JSC::MarkedAllocator::removeBlock):
865 * heap/MarkedAllocator.h:
866 * heap/MarkedAllocatorInlines.h:
867 * heap/MarkedBlock.cpp:
868 (JSC::MarkedBlock::Handle::sweep):
869 (JSC::MarkedBlock::Handle::isEmpty): Deleted.
870 * heap/MarkedBlock.h:
871 (JSC::MarkedBlock::marks const):
872 (JSC::MarkedBlock::Handle::newlyAllocated const):
873 * heap/MarkedBlockInlines.h:
874 (JSC::MarkedBlock::Handle::isAllocated):
875 (JSC::MarkedBlock::Handle::isEmpty):
876 (JSC::MarkedBlock::Handle::emptyMode):
877 (JSC::MarkedBlock::Handle::forEachMarkedCell):
879 (JSC::Subspace::didResizeBits):
880 (JSC::Subspace::didRemoveBlock):
881 (JSC::Subspace::didBeginSweepingToFreeList):
883 * heap/SubspaceInlines.h:
884 (JSC::Subspace::forEachMarkedCell):
885 * runtime/InferredStructure.cpp:
886 (JSC::InferredStructure::InferredStructure):
887 (JSC::InferredStructure::create): Deleted.
888 (JSC::InferredStructure::destroy): Deleted.
889 (JSC::InferredStructure::createStructure): Deleted.
890 (JSC::InferredStructure::visitChildren): Deleted.
891 (JSC::InferredStructure::finalizeUnconditionally): Deleted.
892 (JSC::InferredStructure::finishCreation): Deleted.
893 * runtime/InferredStructure.h:
894 * runtime/InferredStructureWatchpoint.cpp:
895 (JSC::InferredStructureWatchpoint::fireInternal):
896 * runtime/InferredType.cpp:
897 (JSC::InferredType::visitChildren):
898 (JSC::InferredType::willStoreValueSlow):
899 (JSC::InferredType::makeTopSlow):
900 (JSC::InferredType::set):
901 (JSC::InferredType::removeStructure):
902 (JSC::InferredType::finalizeUnconditionally):
903 * runtime/InferredType.h:
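The two-level bitvector set that the entry above describes, written out as an added example; this is not JavaScriptCore's IsoCellSet, and the names (Block, Cell, CellSet, demoMarkedMembers) and the 64-atoms-per-block layout are assumptions made here for illustration. The first level is one bit per block, the second one bit per atom; add() writes only when the bit is still clear, forEachMarkedCell() skips blocks whose first-level bit is clear and visits marked members in address order, and sweep() drops dead atoms from the set.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Constructed illustration, not JavaScriptCore code: a two-level membership
// set over a heap of fixed-size blocks. The first level is one bit per block
// ("some atom in this block is a member"); the second level is one bit per
// atom inside the block. Names (Block, Cell, CellSet) are hypothetical.

constexpr size_t kAtomsPerBlock = 64;

struct Block {
    std::atomic<uint64_t> marks { 0 };   // set by the collector: atom survived marking
    std::atomic<uint64_t> members { 0 }; // second level: atom belongs to the set
};

struct Cell {
    size_t block;
    size_t atom;
};

class CellSet {
public:
    explicit CellSet(size_t blockCount)
        : m_blocks(blockCount)
        , m_blocksWithMembers(blockCount)
    {
        for (auto& b : m_blocks)
            b = std::make_unique<Block>();
    }

    Block& block(size_t i) { return *m_blocks[i]; }

    // Safe from any thread while no iteration runs: a chain of loads, and an
    // atomic write only when the bit is still clear, so repeated adds do not
    // touch the shared cache line at all.
    void add(Cell c)
    {
        uint64_t bit = uint64_t(1) << c.atom;
        std::atomic<uint64_t>& bits = m_blocks[c.block]->members;
        if (bits.load(std::memory_order_relaxed) & bit)
            return;
        bits.fetch_or(bit, std::memory_order_relaxed);
        m_blocksWithMembers[c.block].store(1, std::memory_order_relaxed);
    }

    void remove(Cell c)
    {
        m_blocks[c.block]->members.fetch_and(~(uint64_t(1) << c.atom), std::memory_order_relaxed);
    }

    bool contains(Cell c) const
    {
        return (m_blocks[c.block]->members.load(std::memory_order_relaxed) >> c.atom) & 1;
    }

    bool blockHasMembers(size_t b) const { return m_blocksWithMembers[b].load() != 0; }

    // Visits cells that are both marked and members, in ascending (block, atom)
    // order, skipping whole blocks whose first-level bit is clear.
    template<typename Func> void forEachMarkedCell(Func&& func)
    {
        for (size_t b = 0; b < m_blocks.size(); ++b) {
            if (!blockHasMembers(b))
                continue;
            uint64_t live = m_blocks[b]->marks.load() & m_blocks[b]->members.load();
            for (size_t atom = 0; live && atom < kAtomsPerBlock; ++atom) {
                if ((live >> atom) & 1) {
                    func(Cell { b, atom });
                    live &= ~(uint64_t(1) << atom);
                }
            }
        }
    }

    // Sweep: atoms that did not survive marking leave the set; a block whose
    // membership word is now empty drops its first-level bit.
    void sweep()
    {
        for (size_t b = 0; b < m_blocks.size(); ++b) {
            uint64_t survivors = m_blocks[b]->marks.load() & m_blocks[b]->members.load();
            m_blocks[b]->members.store(survivors);
            if (!survivors)
                m_blocksWithMembers[b].store(0);
        }
    }

private:
    std::vector<std::unique_ptr<Block>> m_blocks;
    std::vector<std::atomic<uint8_t>> m_blocksWithMembers; // first level
};

// Scenario: members in blocks 0 and 2, block 1 untouched; marking keeps
// (0,3) and (2,5) alive but not (0,9). Returns the cells the walk visited.
std::vector<Cell> demoMarkedMembers(CellSet& set)
{
    set.add({ 0, 3 });
    set.add({ 0, 9 });
    set.add({ 2, 5 });
    set.add({ 2, 5 }); // second add: bit already set, no write
    set.block(0).marks.store((uint64_t(1) << 3) | (uint64_t(1) << 40)); // atom 40 marked but not a member
    set.block(2).marks.store(uint64_t(1) << 5);
    std::vector<Cell> visited;
    set.forEachMarkedCell([&](Cell c) { visited.push_back(c); });
    return visited;
}
```

The point of keeping the first-level bit conservative (set on add, cleared only by sweep) is that the walk may skip a block but never miss a marked member; a stale set bit costs one extra block visit, a missing one would drop a finalizer.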
908 2017-12-12 Saam Barati <sbarati@apple.com>
910 ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
911 https://bugs.webkit.org/show_bug.cgi?id=180723
912 <rdar://problem/35859726>
914 Reviewed by JF Bastien.
916 * dfg/DFGConstantFoldingPhase.cpp:
917 (JSC::DFG::ConstantFoldingPhase::foldConstants):
919 2017-12-04 Brian Burg <bburg@apple.com>
921 Web Inspector: modernize InjectedScript a bit
922 https://bugs.webkit.org/show_bug.cgi?id=180367
924 Reviewed by Timothy Hatcher.
926 Stop using out parameters passed by pointer, use references instead.
927 Stop using OptOutput<T> in favor of std::optional where possible.
928 If there is only one out-parameter and a void return type, then return the value.
930 * inspector/InjectedScript.h:
931 * inspector/InjectedScript.cpp:
932 (Inspector::InjectedScript::evaluate):
933 (Inspector::InjectedScript::callFunctionOn):
934 (Inspector::InjectedScript::evaluateOnCallFrame):
935 (Inspector::InjectedScript::getFunctionDetails):
936 (Inspector::InjectedScript::functionDetails):
937 (Inspector::InjectedScript::getPreview):
938 (Inspector::InjectedScript::getProperties):
939 (Inspector::InjectedScript::getDisplayableProperties):
940 (Inspector::InjectedScript::getInternalProperties):
941 (Inspector::InjectedScript::getCollectionEntries):
942 (Inspector::InjectedScript::saveResult):
943 (Inspector::InjectedScript::setExceptionValue):
944 (Inspector::InjectedScript::clearExceptionValue):
945 (Inspector::InjectedScript::inspectObject):
946 (Inspector::InjectedScript::releaseObject):
948 * inspector/InjectedScriptBase.h:
949 * inspector/InjectedScriptBase.cpp:
950 (Inspector::InjectedScriptBase::InjectedScriptBase):
951 Declare m_environment with a default initializer.
953 (Inspector::InjectedScriptBase::makeCall):
954 (Inspector::InjectedScriptBase::makeEvalCall):
955 Just return the result, no need for an out-parameter.
956 Rearrange some code paths now that we can just return a result.
957 Return a Ref<JSON::Value> since it is either a result value or error value.
958 Use out_ prefixes in a few places to improve readability.
960 * inspector/agents/InspectorDebuggerAgent.cpp:
961 (Inspector::InspectorDebuggerAgent::getFunctionDetails):
962 (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
963 * inspector/agents/InspectorHeapAgent.cpp:
964 (Inspector::InspectorHeapAgent::getPreview):
965 * inspector/agents/InspectorRuntimeAgent.cpp:
966 (Inspector::InspectorRuntimeAgent::evaluate):
967 (Inspector::InspectorRuntimeAgent::callFunctionOn):
968 (Inspector::InspectorRuntimeAgent::getPreview):
969 (Inspector::InspectorRuntimeAgent::getProperties):
970 (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
971 (Inspector::InspectorRuntimeAgent::getCollectionEntries):
972 (Inspector::InspectorRuntimeAgent::saveResult):
973 Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
974 and std::optional until the former is removed from generated method signatures.
976 2017-12-12 Caio Lima <ticaiolima@gmail.com>
978 [ESNext][BigInt] Implement BigInt literals and JSBigInt
979 https://bugs.webkit.org/show_bug.cgi?id=179000
981 Reviewed by Darin Adler and Yusuke Suzuki.
983 This patch starts the implementation of BigInt primitive on
984 JavaScriptCore. We are introducing BigInt primitive and
985 implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]]
986 field implemented contiguously in memory as inline storage of JSBigInt to
987 take advantage of performance due to cache locality. The
988 implementation allows 64- or 32-bit arithmetic operations.
989 JSBigInt also has m_sign to store the sign of [[BigIntData]] and
990 m_length that keeps track of BigInt length.
991 The implementation is following the V8 one. [[BigIntData]] is manipulated
992 by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
993 We also have some operations to support arithmetics over digits.
995 It is important to notice that on our representation,
996 JSBigInt::dataStorage()[0] represents the least significant digit and
997 JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
999 We are also introducing in this patch the BigInt literals lexer and
1000 syntax parsing support. The operation Strict Equals on BigInts is also being
1001 implemented to enable tests.
1002 These features are being implemented behind a runtime flag "--useBigInt" and
1003 are disabled by default.
1005 * JavaScriptCore.xcodeproj/project.pbxproj:
1007 * bytecode/CodeBlock.cpp:
1008 * bytecompiler/BytecodeGenerator.cpp:
1009 (JSC::BytecodeGenerator::emitEqualityOp):
1010 (JSC::BytecodeGenerator::addBigIntConstant):
1011 * bytecompiler/BytecodeGenerator.h:
1012 (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1013 (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1014 * bytecompiler/NodesCodegen.cpp:
1015 (JSC::BigIntNode::jsValue const):
1016 * dfg/DFGAbstractInterpreterInlines.h:
1017 (JSC::DFG::isToThisAnIdentity):
1018 * interpreter/Interpreter.cpp:
1019 (JSC::sizeOfVarargs):
1020 * llint/LLIntData.cpp:
1021 (JSC::LLInt::Data::performAssertions):
1022 * llint/LowLevelInterpreter.asm:
1023 * parser/ASTBuilder.h:
1024 (JSC::ASTBuilder::createBigInt):
1026 (JSC::Lexer<T>::parseBinary):
1027 (JSC::Lexer<T>::parseOctal):
1028 (JSC::Lexer<T>::parseDecimal):
1029 (JSC::Lexer<T>::lex):
1030 (JSC::Lexer<T>::parseHex): Deleted.
1032 * parser/NodeConstructors.h:
1033 (JSC::BigIntNode::BigIntNode):
1035 (JSC::ExpressionNode::isBigInt const):
1036 (JSC::BigIntNode::value):
1037 * parser/Parser.cpp:
1038 (JSC::Parser<LexerType>::parsePrimaryExpression):
1039 * parser/ParserTokens.h:
1040 * parser/ResultType.h:
1041 (JSC::ResultType::definitelyIsBigInt const):
1042 (JSC::ResultType::mightBeBigInt const):
1043 (JSC::ResultType::isNotBigInt const):
1044 (JSC::ResultType::addResultType):
1045 (JSC::ResultType::bigIntType):
1046 (JSC::ResultType::forAdd):
1047 (JSC::ResultType::forLogicalOp):
1048 * parser/SyntaxChecker.h:
1049 (JSC::SyntaxChecker::createBigInt):
1050 * runtime/CommonIdentifiers.h:
1051 * runtime/JSBigInt.cpp: Added.
1052 (JSC::JSBigInt::visitChildren):
1053 (JSC::JSBigInt::JSBigInt):
1054 (JSC::JSBigInt::initialize):
1055 (JSC::JSBigInt::createStructure):
1056 (JSC::JSBigInt::createZero):
1057 (JSC::JSBigInt::allocationSize):
1058 (JSC::JSBigInt::createWithLength):
1059 (JSC::JSBigInt::finishCreation):
1060 (JSC::JSBigInt::toPrimitive const):
1061 (JSC::JSBigInt::singleDigitValueForString):
1062 (JSC::JSBigInt::parseInt):
1063 (JSC::JSBigInt::toString):
1064 (JSC::JSBigInt::isZero):
1065 (JSC::JSBigInt::inplaceMultiplyAdd):
1066 (JSC::JSBigInt::digitAdd):
1067 (JSC::JSBigInt::digitSub):
1068 (JSC::JSBigInt::digitMul):
1069 (JSC::JSBigInt::digitPow):
1070 (JSC::JSBigInt::digitDiv):
1071 (JSC::JSBigInt::internalMultiplyAdd):
1072 (JSC::JSBigInt::equalToBigInt):
1073 (JSC::JSBigInt::absoluteDivSmall):
1074 (JSC::JSBigInt::calculateMaximumCharactersRequired):
1075 (JSC::JSBigInt::toStringGeneric):
1076 (JSC::JSBigInt::rightTrim):
1077 (JSC::JSBigInt::allocateFor):
1078 (JSC::JSBigInt::estimatedSize):
1079 (JSC::JSBigInt::toNumber const):
1080 (JSC::JSBigInt::getPrimitiveNumber const):
1081 * runtime/JSBigInt.h: Added.
1082 (JSC::JSBigInt::setSign):
1083 (JSC::JSBigInt::sign const):
1084 (JSC::JSBigInt::setLength):
1085 (JSC::JSBigInt::length const):
1086 (JSC::JSBigInt::parseInt):
1087 (JSC::JSBigInt::offsetOfData):
1088 (JSC::JSBigInt::dataStorage):
1089 (JSC::JSBigInt::digit):
1090 (JSC::JSBigInt::setDigit):
1092 * runtime/JSCJSValue.cpp:
1093 (JSC::JSValue::synthesizePrototype const):
1094 (JSC::JSValue::toStringSlowCase const):
1095 * runtime/JSCJSValue.h:
1096 * runtime/JSCJSValueInlines.h:
1097 (JSC::JSValue::isBigInt const):
1098 (JSC::JSValue::strictEqualSlowCaseInline):
1099 * runtime/JSCell.cpp:
1101 (JSC::JSCell::putByIndex):
1102 (JSC::JSCell::toPrimitive const):
1103 (JSC::JSCell::getPrimitiveNumber const):
1104 (JSC::JSCell::toNumber const):
1105 (JSC::JSCell::toObjectSlow const):
1107 * runtime/JSCellInlines.h:
1108 (JSC::JSCell::isBigInt const):
1110 * runtime/MathCommon.h:
1112 * runtime/NumberPrototype.cpp:
1113 * runtime/Operations.cpp:
1114 (JSC::jsTypeStringForValue):
1115 (JSC::jsIsObjectTypeOrNull):
1116 * runtime/Options.h:
1117 * runtime/ParseInt.h:
1118 * runtime/SmallStrings.h:
1119 (JSC::SmallStrings::typeString const):
1120 * runtime/StructureInlines.h:
1121 (JSC::prototypeForLookupPrimitiveImpl):
1122 * runtime/TypeofType.cpp:
1123 (WTF::printInternal):
1124 * runtime/TypeofType.h:
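The digit layout the entry above describes (sign, length, and a little-endian digit array where index 0 is the least significant digit), as an added example that is not JSBigInt itself: a small BigInt class with 32-bit digits and 64-bit intermediates, whose decimal parser is built on an in-place multiply-add, whose printer is built on division by a small divisor, and whose equality compares sign and every digit. The class and method names (BigInt, fromDecimal, toDecimal, rightTrim) are assumptions made here.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Constructed illustration, not JavaScriptCore's JSBigInt: a sign, a length,
// and digits stored little-endian so digit(0) is the least significant one.
// Digits are 32 bits here with 64-bit intermediates; names are hypothetical.
class BigInt {
public:
    using Digit = uint32_t;

    // Parses an optional '-' followed by decimal digits.
    static BigInt fromDecimal(const std::string& text)
    {
        BigInt result;
        size_t i = 0;
        if (!text.empty() && text[0] == '-') {
            result.m_sign = true;
            i = 1;
        }
        for (; i < text.size(); ++i)
            result.inplaceMultiplyAdd(10, Digit(text[i] - '0'));
        result.rightTrim();
        return result;
    }

    bool sign() const { return m_sign; }
    size_t length() const { return m_digits.size(); }
    Digit digit(size_t i) const { return m_digits[i]; }
    bool isZero() const { return m_digits.empty(); }

    // Strict equality: same sign, same length, same digits.
    bool equals(const BigInt& other) const
    {
        return m_sign == other.m_sign && m_digits == other.m_digits;
    }

    std::string toDecimal() const
    {
        if (isZero())
            return "0";
        BigInt scratch = *this;
        std::string out;
        while (!scratch.isZero())
            out.push_back(char('0' + scratch.absoluteDivSmall(10)));
        if (m_sign)
            out.push_back('-');
        std::reverse(out.begin(), out.end());
        return out;
    }

private:
    // this = this * factor + summand, carrying from the least significant digit up.
    void inplaceMultiplyAdd(Digit factor, Digit summand)
    {
        uint64_t carry = summand;
        for (Digit& d : m_digits) {
            uint64_t product = uint64_t(d) * factor + carry;
            d = Digit(product);
            carry = product >> 32;
        }
        if (carry)
            m_digits.push_back(Digit(carry));
    }

    // Divides |this| by a single-digit divisor in place, most significant
    // digit first, and returns the remainder.
    Digit absoluteDivSmall(Digit divisor)
    {
        uint64_t remainder = 0;
        for (size_t i = m_digits.size(); i-- > 0;) {
            uint64_t current = (remainder << 32) | m_digits[i];
            m_digits[i] = Digit(current / divisor);
            remainder = current % divisor;
        }
        rightTrim();
        return Digit(remainder);
    }

    // Drops most-significant zero digits so length reflects the value;
    // zero is represented with length 0 and no sign, so -0 equals 0.
    void rightTrim()
    {
        while (!m_digits.empty() && m_digits.back() == 0)
            m_digits.pop_back();
        if (m_digits.empty())
            m_sign = false;
    }

    bool m_sign = false;
    std::vector<Digit> m_digits; // m_digits[0] is the least significant digit
};
```

Normalizing the length after every operation matters for the equality check: two values with the same magnitude must have the same digit count, or a leading zero digit would make equal numbers compare unequal.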
1129 2017-12-12 Guillaume Emont <guijemont@igalia.com>
1131 LLInt: reserve 16 bytes of stack on MIPS for native calls
1132 https://bugs.webkit.org/show_bug.cgi?id=180653
1134 Reviewed by Carlos Alberto Lopez Perez.
1136 * llint/LowLevelInterpreter32_64.asm:
1137 On MIPS, subtract 24 from the stack pointer (16 for calling
1138 convention + 8 to be 16-aligned) instead of the 8 on other platforms
1141 2017-12-12 Yusuke Suzuki <utatane.tea@gmail.com>
1143 [WTF] Thread::create should have Thread::tryCreate
1144 https://bugs.webkit.org/show_bug.cgi?id=180333
1146 Reviewed by Darin Adler.
1148 * assembler/testmasm.cpp:
1150 * b3/air/testair.cpp:
1154 (functionDollarAgentStart):
1156 2017-12-11 Michael Saboff <msaboff@apple.com>
1158 REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1159 https://bugs.webkit.org/show_bug.cgi?id=180685
1161 Reviewed by Saam Barati.
1163 The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1164 the character class check to return true without reading the character. Given that
1165 the character could be a surrogate pair, we need to read the character even if we
1166 don't have to check it.
1168 * yarr/YarrInterpreter.cpp:
1169 (JSC::Yarr::Interpreter::testCharacterClass):
1170 (JSC::Yarr::Interpreter::checkCharacterClass):
1172 2017-12-11 Saam Barati <sbarati@apple.com>
1174 We need to disableCaching() in ErrorInstance when we materialize properties
1175 https://bugs.webkit.org/show_bug.cgi?id=180343
1176 <rdar://problem/35833002>
1178 Reviewed by Mark Lam.
1180 This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1181 on puts() to a property that we lazily materialized. Forgetting to do this goes against the
1182 PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1183 from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1184 existing property only found on Structure B. This is obviously wrong as it would lead to an
1185 OOB store if we didn't already crash when generating the IC.
1188 (JSC::tryCachePutByID):
1189 * runtime/ErrorInstance.cpp:
1190 (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1191 (JSC::ErrorInstance::put):
1192 * runtime/ErrorInstance.h:
1193 * runtime/Structure.cpp:
1194 (JSC::Structure::didCachePropertyReplacement):
1196 2017-12-11 Fujii Hironori <Hironori.Fujii@sony.com>
1198 [WinCairo] DLLLauncherMain should use SetDllDirectory
1199 https://bugs.webkit.org/show_bug.cgi?id=180642
1201 Reviewed by Alex Christensen.
1203 Windows has icuuc.dll in the system directory. WebKit should find
1204 one in WebKitLibraries directory, not one in the system directory.
1206 * shell/DLLLauncherMain.cpp:
1207 (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1209 2017-12-11 Eric Carlson <eric.carlson@apple.com>
1211 Web Inspector: Optionally log WebKit log parameters as JSON
1212 https://bugs.webkit.org/show_bug.cgi?id=180529
1213 <rdar://problem/35909462>
1215 Reviewed by Joseph Pecoraro.
1217 * inspector/ConsoleMessage.cpp:
1218 (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1219 values. Concatenate all adjacent strings to make logging cleaner.
1220 (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1221 (Inspector::ConsoleMessage::scriptState const):
1222 * inspector/ConsoleMessage.h:
1224 * inspector/InjectedScript.cpp:
1225 (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1226 * inspector/InjectedScript.h:
1227 * inspector/InjectedScriptSource.js:
1228 (let.InjectedScript.prototype.wrapJSONString):
1230 2017-12-11 Joseph Pecoraro <pecoraro@apple.com>
1232 Remove unused builtin names
1233 https://bugs.webkit.org/show_bug.cgi?id=180673
1235 Reviewed by Keith Miller.
1237 * builtins/BuiltinNames.h:
1239 2017-12-11 David Quesada <david_quesada@apple.com>
1241 Turn on ENABLE_APPLICATION_MANIFEST
1242 https://bugs.webkit.org/show_bug.cgi?id=180562
1243 rdar://problem/35924737
1245 Reviewed by Geoffrey Garen.
1247 * Configurations/FeatureDefines.xcconfig:
1249 2017-12-10 Filip Pizlo <fpizlo@apple.com>
1251 Harden a few assertions in GC sweep
1252 https://bugs.webkit.org/show_bug.cgi?id=180634
1254 Reviewed by Saam Barati.
1256 This turns one dynamic check into a release assertion and upgrades another assertion to a release
1259 * heap/MarkedBlock.cpp:
1260 (JSC::MarkedBlock::Handle::sweep):
1262 2017-12-10 Konstantin Tokarev <annulen@yandex.ru>
1264 [python] Modernize "except" usage for python3 compatibility
1265 https://bugs.webkit.org/show_bug.cgi?id=180612
1267 Reviewed by Michael Catanzaro.
1269 * inspector/scripts/generate-inspector-protocol-bindings.py:
1271 2017-12-05 Filip Pizlo <fpizlo@apple.com>
1273 InferredType should not use UnconditionalFinalizer
1274 https://bugs.webkit.org/show_bug.cgi?id=180456
1276 Reviewed by Saam Barati.
1278 This turns InferredStructure into a cell so that we can unconditionally finalize them without
1279 having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1280 UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1281 them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1282 structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1284 * JavaScriptCore.xcodeproj/project.pbxproj:
1287 (JSC::Heap::finalizeUnconditionalFinalizers):
1289 * runtime/InferredStructure.cpp: Added.
1290 (JSC::InferredStructure::create):
1291 (JSC::InferredStructure::destroy):
1292 (JSC::InferredStructure::createStructure):
1293 (JSC::InferredStructure::visitChildren):
1294 (JSC::InferredStructure::finalizeUnconditionally):
1295 (JSC::InferredStructure::InferredStructure):
1296 (JSC::InferredStructure::finishCreation):
1297 * runtime/InferredStructure.h: Added.
1298 * runtime/InferredStructureWatchpoint.cpp: Added.
1299 (JSC::InferredStructureWatchpoint::fireInternal):
1300 * runtime/InferredStructureWatchpoint.h: Added.
1301 * runtime/InferredType.cpp:
1302 (JSC::InferredType::visitChildren):
1303 (JSC::InferredType::willStoreValueSlow):
1304 (JSC::InferredType::makeTopSlow):
1305 (JSC::InferredType::set):
1306 (JSC::InferredType::removeStructure):
1307 (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1308 (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1309 (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1310 * runtime/InferredType.h:
1315 2017-12-09 Konstantin Tokarev <annulen@yandex.ru>
1317 [python] Replace print >> operator with print() function for python3 compatibility
1318 https://bugs.webkit.org/show_bug.cgi?id=180611
1320 Reviewed by Michael Catanzaro.
1322 * Scripts/make-js-file-arrays.py:
1325 2017-12-08 Joseph Pecoraro <pecoraro@apple.com>
1327 ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1328 https://bugs.webkit.org/show_bug.cgi?id=180520
1329 <rdar://problem/35900764>
1331 Reviewed by Brian Burg.
1333 * inspector/protocol/ServiceWorker.json:
1334 Include content script content in the initialization info.
1336 2017-12-08 Konstantin Tokarev <annulen@yandex.ru>
1338 [python] Replace print operator with print() function for python3 compatibility
1339 https://bugs.webkit.org/show_bug.cgi?id=180592
1341 Reviewed by Michael Catanzaro.
1343 * Scripts/generateYarrUnicodePropertyTables.py:
1345 (verifyUCDFilesExist):
1346 (Aliases.parsePropertyAliasesFile):
1347 (Aliases.parsePropertyValueAliasesFile):
1348 * Scripts/make-js-file-arrays.py:
1350 * generate-bytecode-files:
1352 2017-12-08 Mark Lam <mark.lam@apple.com>
1354 Need to unpoison native function pointers for CLoop.
1355 https://bugs.webkit.org/show_bug.cgi?id=180601
1356 <rdar://problem/35942028>
1358 Reviewed by JF Bastien.
1360 * llint/LowLevelInterpreter64.asm:
1362 2017-12-08 Michael Saboff <msaboff@apple.com>
1364 YARR: JIT RegExps with greedy parenthesized sub patterns
1365 https://bugs.webkit.org/show_bug.cgi?id=180538
1367 Reviewed by JF Bastien.
1369 This patch adds JIT support for regular expressions containing greedy counted
1370 parentheses. An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1372 Just like in the interpreter, expressions with nested parenthetical subpatterns
1373 require saving the results of previous matches of the parentheses contents along
1374 with any associated state. This saved state is needed in the case that we need
1375 to backtrack. This state is called ParenContext within the code. Space allocated
1376 for this ParenContext is managed using a simple block allocator within the JIT'ed
1377 code. The raw space managed by this allocator is passed into the JIT'ed function.
1379 Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
1380 If the JIT'ed code exhausts all its ParenContext space, it returns a new error
1381 JSRegExpJITCodeFailure. The caller will then bytecompile and interpret the
1384 Due to increased register usage by the parenthesis handling code, the use of
1385 registers by the JIT engine was restructured, with registers used for Unicode
1386 pattern matching replaced with constants.
1388 Reworked some of the context structures that are used across the interpreter
1389 and JIT implementations to make them a little more uniform and to handle the
1390 needs of JIT'ing the new parentheses forms.
1392 To help with development and debugging of this code, compiled patterns dumping
1393 code was enhanced. Also added the ability to dump interpreter ByteCodes.
1395 * runtime/RegExp.cpp:
1396 (JSC::byteCodeCompilePattern):
1397 (JSC::RegExp::byteCodeCompileIfNecessary):
1398 (JSC::RegExp::compile):
1399 (JSC::RegExp::compileMatchOnly):
1401 * runtime/RegExpInlines.h:
1402 (JSC::RegExp::matchInline):
1407 * yarr/YarrInterpreter.cpp:
1408 (JSC::Yarr::ByteCompiler::compile):
1409 (JSC::Yarr::ByteCompiler::dumpDisjunction):
1411 (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1412 (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1413 (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1414 (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1415 (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1416 (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1417 (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1418 (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1419 (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1420 (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1421 (JSC::Yarr::YarrGenerator::allocatePatternContext):
1422 (JSC::Yarr::YarrGenerator::freePatternContext):
1423 (JSC::Yarr::YarrGenerator::savePatternContext):
1424 (JSC::Yarr::YarrGenerator::restorePatternContext):
1425 (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1426 (JSC::Yarr::YarrGenerator::storeToFrame):
1427 (JSC::Yarr::YarrGenerator::generateJITFailReturn):
1428 (JSC::Yarr::YarrGenerator::clearMatches):
1429 (JSC::Yarr::YarrGenerator::generate):
1430 (JSC::Yarr::YarrGenerator::backtrack):
1431 (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1432 (JSC::Yarr::YarrGenerator::generateEnter):
1433 (JSC::Yarr::YarrGenerator::generateReturn):
1434 (JSC::Yarr::YarrGenerator::YarrGenerator):
1435 (JSC::Yarr::YarrGenerator::compile):
1437 (JSC::Yarr::YarrCodeBlock::execute):
1438 * yarr/YarrPattern.cpp:
1439 (JSC::Yarr::indentForNestingLevel):
1440 (JSC::Yarr::dumpUChar32):
1441 (JSC::Yarr::dumpCharacterClass):
1442 (JSC::Yarr::PatternTerm::dump):
1443 (JSC::Yarr::YarrPattern::dumpPattern):
1444 * yarr/YarrPattern.h:
1445 (JSC::Yarr::PatternTerm::containsAnyCaptures):
1446 (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1447 (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1448 (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1449 (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1450 (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
1451 (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
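The fixed-size ParenContext space and its failure path, as an added example that is not Yarr's JIT code: the caller passes a block of context slots into the matcher, the matcher carves them with a free list, and when the slots run out it reports a distinct result code instead of writing past the block, which the caller turns into a fallback to the interpreter. The names here (ParenContextAllocator, jitMatch, matchWithFallback, the MatchResult enumerators) and the stand-in matcher that consumes one context per group iteration are assumptions made for illustration.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed illustration, not Yarr's JIT code: the caller hands the matcher
// a fixed block of ParenContext slots; the matcher carves them with a free
// list, and when the slots run out it reports a distinct failure code rather
// than writing past the block, so the caller can fall back to a slower
// matcher. Names are hypothetical.

enum class MatchResult { NoMatch, Match, JITCodeFailure };

struct ParenContext {
    ParenContext* next; // free-list link while free, saved-context chain while in use
    size_t begin;       // where this iteration of the group started
    size_t matchAmount; // how many iterations had matched when this was saved
};

class ParenContextAllocator {
public:
    ParenContextAllocator(ParenContext* storage, size_t count)
    {
        for (size_t i = 0; i < count; ++i)
            storage[i].next = (i + 1 < count) ? &storage[i + 1] : nullptr;
        m_freeList = count ? storage : nullptr;
    }

    // nullptr signals that the fixed space is exhausted; nothing is written outside it.
    ParenContext* allocate()
    {
        ParenContext* ctx = m_freeList;
        if (ctx)
            m_freeList = ctx->next;
        return ctx;
    }

    void release(ParenContext* ctx)
    {
        ctx->next = m_freeList;
        m_freeList = ctx;
    }

private:
    ParenContext* m_freeList = nullptr;
};

// Stand-in for the JIT'ed matcher of a greedy group such as /q(a|b)*q/: every
// iteration of the group saves one context so that backtracking can unwind it.
MatchResult jitMatch(ParenContextAllocator& allocator, size_t iterations)
{
    ParenContext* head = nullptr;
    auto unwindAll = [&] {
        while (head) {
            ParenContext* next = head->next;
            allocator.release(head);
            head = next;
        }
    };
    for (size_t i = 0; i < iterations; ++i) {
        ParenContext* ctx = allocator.allocate();
        if (!ctx) {
            unwindAll();
            return MatchResult::JITCodeFailure; // out of context space: not the same as "no match"
        }
        ctx->next = head;
        ctx->begin = i;
        ctx->matchAmount = i + 1;
        head = ctx;
    }
    unwindAll();
    return MatchResult::Match;
}

// The caller: a JIT failure is neither a match nor a mismatch, so the subject
// is re-run on the interpreter (stand-in: always matches). Returns which path answered.
std::string matchWithFallback(size_t contextSlots, size_t iterations)
{
    std::vector<ParenContext> storage(contextSlots);
    ParenContextAllocator allocator(storage.data(), storage.size());
    switch (jitMatch(allocator, iterations)) {
    case MatchResult::JITCodeFailure:
        return "interpreter";
    case MatchResult::Match:
        return "jit:match";
    case MatchResult::NoMatch:
        return "jit:nomatch";
    }
    return "unreachable";
}
```

The three-way result is the important part: if exhaustion were reported as NoMatch, a pattern that needs more contexts than the block holds would silently produce a wrong answer instead of being retried on the interpreter.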
1453 2017-12-08 Joseph Pecoraro <pecoraro@apple.com>
1455 Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
1456 https://bugs.webkit.org/show_bug.cgi?id=180590
1457 <rdar://problem/35882767>
1459 Reviewed by Mark Lam.
1461 * inspector/agents/InspectorConsoleAgent.cpp:
1462 (Inspector::InspectorConsoleAgent::enable):
1463 Swap the messages to a Vector that won't change during iteration.
1465 2017-12-08 Michael Saboff <msaboff@apple.com>
1467 YARR: Coalesce constructed character classes
1468 https://bugs.webkit.org/show_bug.cgi?id=180537
1470 Reviewed by JF Bastien.
1472 When adding characters or character ranges to a character class being constructed,
1473 we now coalesce adjacent characters and character ranges. When we create a
1474 character class after construction is complete, we do a final coalescing pass
1475 across the character list and ranges to catch any remaining coalescing
1478 Added an optimization for character classes that will match any character.
1479 This is somewhat common in code created before the /s (dotAll) flag was added
1482 * yarr/YarrInterpreter.cpp:
1483 (JSC::Yarr::Interpreter::checkCharacterClass):
1485 (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1486 (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1487 (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1488 (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1489 * yarr/YarrPattern.cpp:
1490 (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1491 (JSC::Yarr::CharacterClassConstructor::reset):
1492 (JSC::Yarr::CharacterClassConstructor::charClass):
1493 (JSC::Yarr::CharacterClassConstructor::addSorted):
1494 (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1495 (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
1496 (JSC::Yarr::CharacterClassConstructor::coalesceTables):
1497 (JSC::Yarr::CharacterClassConstructor::anyCharacter):
1498 (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
1499 (JSC::Yarr::PatternTerm::dump):
1500 (JSC::Yarr::anycharCreate):
1501 * yarr/YarrPattern.h:
1502 (JSC::Yarr::CharacterClass::CharacterClass):
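The coalescing the entry above describes, as an added example rather than Yarr's CharacterClassConstructor: single characters are kept sorted and de-duplicated, ranges are merged on insertion with any stored range they overlap or touch, a final pass folds the characters into the range list, and a class whose single range spans every code point is flagged as matching any character so no per-character test is needed. The names (Range, CharacterClass, CharacterClassBuilder, mergeRange) are assumptions made here.

```cpp
#include <algorithm>
#include <cstdint>
#include <iterator>
#include <utility>
#include <vector>

// Constructed illustration, not Yarr's code: characters and ranges are kept
// sorted and coalesced as they are added, a final pass folds the single
// characters into the range list, and a class whose single range covers
// every code point is flagged as "any character". Names are hypothetical.

struct Range {
    uint32_t lo;
    uint32_t hi;
    bool operator==(const Range& other) const { return lo == other.lo && hi == other.hi; }
};

struct CharacterClass {
    std::vector<Range> ranges; // sorted, non-overlapping, non-adjacent
    bool anyCharacter;         // matches every code point: no per-character test needed

    bool matches(uint32_t ch) const
    {
        if (anyCharacter)
            return true;
        auto it = std::upper_bound(ranges.begin(), ranges.end(), ch,
            [](uint32_t c, const Range& r) { return c < r.lo; });
        return it != ranges.begin() && std::prev(it)->hi >= ch;
    }
};

class CharacterClassBuilder {
public:
    static constexpr uint32_t kMaxCodePoint = 0x10FFFF;

    // Single characters go into a sorted, de-duplicated list.
    void addCharacter(uint32_t ch)
    {
        auto it = std::lower_bound(m_characters.begin(), m_characters.end(), ch);
        if (it == m_characters.end() || *it != ch)
            m_characters.insert(it, ch);
    }

    // Ranges are merged on insertion with every stored range they overlap or touch.
    void addRange(uint32_t lo, uint32_t hi) { mergeRange(m_ranges, lo, hi); }

    // Final coalescing pass: fold the characters into the ranges, then check
    // whether what remains is the whole code point space.
    CharacterClass build() const
    {
        std::vector<Range> ranges = m_ranges;
        for (uint32_t ch : m_characters)
            mergeRange(ranges, ch, ch);
        bool any = ranges.size() == 1 && ranges[0].lo == 0 && ranges[0].hi == kMaxCodePoint;
        return CharacterClass { ranges, any };
    }

private:
    // Keeps `ranges` sorted by lo with no overlapping or adjacent entries.
    // Code points are at most 0x10FFFF, so hi + 1 cannot overflow.
    static void mergeRange(std::vector<Range>& ranges, uint32_t lo, uint32_t hi)
    {
        if (lo > hi)
            std::swap(lo, hi);
        size_t first = 0; // first stored range not entirely below, and not adjacent to, [lo, hi]
        while (first < ranges.size() && ranges[first].hi + 1 < lo)
            ++first;
        size_t last = first; // absorb every stored range that overlaps or touches [lo, hi]
        while (last < ranges.size() && ranges[last].lo <= hi + 1) {
            lo = std::min(lo, ranges[last].lo);
            hi = std::max(hi, ranges[last].hi);
            ++last;
        }
        ranges.erase(ranges.begin() + first, ranges.begin() + last);
        ranges.insert(ranges.begin() + first, Range { lo, hi });
    }

    std::vector<uint32_t> m_characters;
    std::vector<Range> m_ranges;
};
```

The adjacency test (`hi + 1`) is what turns [e-g] followed by [h-k] into one range; an overlap-only merge would leave two entries and a slower match.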
1504 2017-12-07 Saam Barati <sbarati@apple.com>
1506 Modify our dollar VM clflush intrinsic to aid in some perf testing
1507 https://bugs.webkit.org/show_bug.cgi?id=180559
1509 Reviewed by Mark Lam.
1511 * tools/JSDollarVM.cpp:
1512 (JSC::functionCpuClflush):
1513 (JSC::functionDeltaBetweenButterflies):
1514 (JSC::JSDollarVM::finishCreation):
1516 2017-12-07 Eric Carlson <eric.carlson@apple.com>
1518 Simplify log channel configuration UI
1519 https://bugs.webkit.org/show_bug.cgi?id=180527
1520 <rdar://problem/35908382>
1522 Reviewed by Joseph Pecoraro.
1524 * inspector/protocol/Console.json:
1526 2017-12-07 Mark Lam <mark.lam@apple.com>
1528 Apply poisoning to some native code pointers.
1529 https://bugs.webkit.org/show_bug.cgi?id=180541
1530 <rdar://problem/35916875>
1532 Reviewed by Filip Pizlo.
1534 Renamed g_classInfoPoison to g_globalDataPoison.
1535 Renamed g_masmPoison to g_jitCodePoison.
1536 Introduced g_nativeCodePoison.
1537 Applied g_nativeCodePoison to poisoning some native code pointers.
1539 Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
1540 to malloc allocated data structures (where needed).
1542 * API/JSCallbackFunction.h:
1543 (JSC::JSCallbackFunction::functionCallback):
1544 * JavaScriptCore.xcodeproj/project.pbxproj:
1545 * jit/ThunkGenerators.cpp:
1546 (JSC::nativeForGenerator):
1547 * llint/LowLevelInterpreter64.asm:
1548 * runtime/CustomGetterSetter.h:
1549 (JSC::CustomGetterSetter::getter const):
1550 (JSC::CustomGetterSetter::setter const):
1551 * runtime/InternalFunction.cpp:
1552 (JSC::InternalFunction::getCallData):
1553 (JSC::InternalFunction::getConstructData):
1554 * runtime/InternalFunction.h:
1555 (JSC::InternalFunction::nativeFunctionFor):
1556 * runtime/JSCPoison.h: Added.
1557 * runtime/JSCPoisonedPtr.cpp:
1558 (JSC::initializePoison):
1559 * runtime/JSCPoisonedPtr.h:
1561 * runtime/NativeExecutable.cpp:
1562 (JSC::NativeExecutable::hashFor const):
1563 * runtime/NativeExecutable.h:
1564 * runtime/Structure.cpp:
1565 (JSC::StructureTransitionTable::setSingleTransition):
1566 * runtime/StructureTransitionTable.h:
1567 (JSC::StructureTransitionTable::StructureTransitionTable):
1568 (JSC::StructureTransitionTable::isUsingSingleSlot const):
1569 (JSC::StructureTransitionTable::map const):
1570 (JSC::StructureTransitionTable::weakImpl const):
1571 (JSC::StructureTransitionTable::setMap):
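The pointer poisoning the entry above applies, as an added example rather than JavaScriptCore's Poisoned<> template or its key initialization: the word stored in memory is the address XORed with a category-specific key, so a leaked or corrupted word is not directly a usable pointer and only code that names the right key recovers the address. The key values, the category names (kGlobalDataPoison, kNativeCodePoison), and the helper functions are assumptions made here; the entry describes keys initialized at startup, while these are fixed constants so the example is reproducible.

```cpp
#include <cstdint>

// Constructed illustration, not JavaScriptCore's Poisoned<>: the stored word is
// the address XORed with a category-specific key. Key values are arbitrary
// constants chosen for reproducibility; names are hypothetical.

template<uintptr_t Key, typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr)
        : m_bits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ Key : 0) // null stays 0 so it remains recognizable
    {
    }

    T* unpoisoned() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ Key) : nullptr; }

    // The raw word as it sits in memory: what a memory disclosure would reveal.
    uintptr_t bits() const { return m_bits; }

private:
    uintptr_t m_bits = 0;
};

// One key per pointer category, mirroring the entry's separation of global
// data, JIT code and native code pointers (values are hypothetical).
constexpr uintptr_t kGlobalDataPoison = uintptr_t(0x0f0f0f0f0f0f0f0full);
constexpr uintptr_t kNativeCodePoison = uintptr_t(0x123456789abcdef0ull);

struct Object {
    int value;
};

int doubleIt(int x) { return x * 2; }

// Data pointer: the poison round-trips and the stored word is not the address.
bool dataPointerRoundTrips(Object* obj)
{
    Poisoned<kGlobalDataPoison, Object> p(obj);
    return p.unpoisoned() == obj
        && p.bits() != reinterpret_cast<uintptr_t>(obj)
        && p.unpoisoned()->value == obj->value;
}

// Native function pointer: unpoisoned only at the call site, with the native-code key.
int callThroughPoisoned(int arg)
{
    Poisoned<kNativeCodePoison, int(int)> fn(&doubleIt);
    return fn.unpoisoned()(arg);
}

// Reading the word back with another category's key does not yield the address.
bool wrongKeyDoesNotRecover(Object* obj)
{
    Poisoned<kNativeCodePoison, Object> p(obj);
    return (p.bits() ^ kGlobalDataPoison) != reinterpret_cast<uintptr_t>(obj);
}

bool nullStaysNull()
{
    Poisoned<kGlobalDataPoison, Object> p(nullptr);
    return p.unpoisoned() == nullptr && p.bits() == 0;
}
```

Separate keys per category are what give the scheme its value: a word copied from a global-data slot into a native-code slot decodes to garbage rather than to a valid target, so confusing one kind of pointer for another fails closed. The null special case is a deliberate trade: it keeps null checks working on the stored word at the cost of revealing which slots are empty.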
1573 2017-12-07 Joseph Pecoraro <pecoraro@apple.com>
1575 Web Inspector: Fix style in remote inspector classes
1576 https://bugs.webkit.org/show_bug.cgi?id=180545
1578 Reviewed by Youenn Fablet.
1580 * inspector/remote/RemoteControllableTarget.h:
1581 * inspector/remote/RemoteInspectionTarget.h:
1582 * runtime/JSGlobalObjectDebuggable.h:
1584 2017-12-07 Per Arne Vollan <pvollan@apple.com>
1586 Use fastAlignedFree to free aligned memory.
1587 https://bugs.webkit.org/show_bug.cgi?id=180540
1589 Reviewed by Saam Barati.
1591 * heap/IsoAlignedMemoryAllocator.cpp:
1592 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1594 2017-12-07 Matt Lewis <jlewis3@apple.com>
1596 Unreviewed, rolling out r225634.
1598 This caused layout tests to time out.
1602 "Simplify log channel configuration UI"
1603 https://bugs.webkit.org/show_bug.cgi?id=180527
1604 https://trac.webkit.org/changeset/225634
1606 2017-12-07 Eric Carlson <eric.carlson@apple.com>
1608 Simplify log channel configuration UI
1609 https://bugs.webkit.org/show_bug.cgi?id=180527
1610 <rdar://problem/35908382>
1612 Reviewed by Joseph Pecoraro.
1614 * inspector/protocol/Console.json:
1616 2017-12-07 Mark Lam <mark.lam@apple.com>
1618 [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
1619 https://bugs.webkit.org/show_bug.cgi?id=180514
1621 Reviewed by Saam Barati and JF Bastien.
1623 Re-landing r225620 with speculative build fix for GCC 7.
1625 * API/JSCallbackObject.h:
1626 * API/JSObjectRef.cpp:
1628 * JavaScriptCore.xcodeproj/project.pbxproj:
1630 * assembler/MacroAssemblerCodeRef.h:
1631 (JSC::FunctionPtr::FunctionPtr):
1632 (JSC::FunctionPtr::value const):
1633 (JSC::FunctionPtr::executableAddress const):
1634 (JSC::ReturnAddressPtr::ReturnAddressPtr):
1635 (JSC::ReturnAddressPtr::value const):
1636 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1637 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1638 (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1639 (JSC::MacroAssemblerCodePtr:: const):
1640 (JSC::MacroAssemblerCodePtr::operator! const):
1641 (JSC::MacroAssemblerCodePtr::operator== const):
1642 (JSC::MacroAssemblerCodePtr::emptyValue):
1643 (JSC::MacroAssemblerCodePtr::deletedValue):
1644 (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1645 * b3/B3LowerMacros.cpp:
1647 (JSC::B3::testInterpreter):
1648 * dfg/DFGSpeculativeJIT.cpp:
1649 (JSC::DFG::SpeculativeJIT::checkArray):
1650 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1651 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1652 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1653 * ftl/FTLLowerDFGToB3.cpp:
1654 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1655 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1656 * jit/AssemblyHelpers.h:
1657 (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1658 * jit/SpecializedThunkJIT.h:
1659 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1660 * jit/ThunkGenerators.cpp:
1661 (JSC::virtualThunkFor):
1662 (JSC::boundThisNoArgsFunctionCallGenerator):
1663 * llint/LLIntSlowPaths.cpp:
1664 (JSC::LLInt::handleHostCall):
1665 (JSC::LLInt::setUpCall):
1666 * llint/LowLevelInterpreter64.asm:
1667 * runtime/InitializeThreading.cpp:
1668 (JSC::initializeThreading):
1669 * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1670 (JSC::initializePoison):
1671 (JSC::initializeScrambledPtrKeys): Deleted.
1672 * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1673 * runtime/JSCScrambledPtr.cpp: Removed.
1674 * runtime/JSCScrambledPtr.h: Removed.
1675 * runtime/JSDestructibleObject.h:
1676 (JSC::JSDestructibleObject::classInfo const):
1677 * runtime/JSSegmentedVariableObject.h:
1678 (JSC::JSSegmentedVariableObject::classInfo const):
1679 * runtime/Structure.h:
1682 2017-12-07 Michael Catanzaro <mcatanzaro@igalia.com>
1684 Unreviewed, rolling out r225620
1685 https://bugs.webkit.org/show_bug.cgi?id=180514
1686 <rdar://problem/35901694>
1688 It broke the build with GCC 7, and I don't know how to fix it.
1690 * API/JSCallbackObject.h:
1691 * API/JSObjectRef.cpp:
1693 * JavaScriptCore.xcodeproj/project.pbxproj:
1695 * assembler/MacroAssemblerCodeRef.h:
1696 (JSC::FunctionPtr::FunctionPtr):
1697 (JSC::FunctionPtr::value const):
1698 (JSC::FunctionPtr::executableAddress const):
1699 (JSC::ReturnAddressPtr::ReturnAddressPtr):
1700 (JSC::ReturnAddressPtr::value const):
1701 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1702 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1703 (JSC::MacroAssemblerCodePtr::scrambledPtr const):
1704 (JSC::MacroAssemblerCodePtr:: const):
1705 (JSC::MacroAssemblerCodePtr::operator! const):
1706 (JSC::MacroAssemblerCodePtr::operator== const):
1707 (JSC::MacroAssemblerCodePtr::emptyValue):
1708 (JSC::MacroAssemblerCodePtr::deletedValue):
1709 (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
1710 * b3/B3LowerMacros.cpp:
1712 (JSC::B3::testInterpreter):
1713 * dfg/DFGSpeculativeJIT.cpp:
1714 (JSC::DFG::SpeculativeJIT::checkArray):
1715 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1716 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1717 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1718 * ftl/FTLLowerDFGToB3.cpp:
1719 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1720 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1721 * jit/AssemblyHelpers.h:
1722 (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1723 * jit/SpecializedThunkJIT.h:
1724 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1725 * jit/ThunkGenerators.cpp:
1726 (JSC::virtualThunkFor):
1727 (JSC::boundThisNoArgsFunctionCallGenerator):
1728 * llint/LLIntSlowPaths.cpp:
1729 (JSC::LLInt::handleHostCall):
1730 (JSC::LLInt::setUpCall):
1731 * llint/LowLevelInterpreter64.asm:
1732 * runtime/InitializeThreading.cpp:
1733 (JSC::initializeThreading):
1734 * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
1735 (JSC::initializeScrambledPtrKeys):
1736 * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
1737 * runtime/JSDestructibleObject.h:
1738 (JSC::JSDestructibleObject::classInfo const):
1739 * runtime/JSSegmentedVariableObject.h:
1740 (JSC::JSSegmentedVariableObject::classInfo const):
1741 * runtime/Structure.h:
1744 2017-12-06 Mark Lam <mark.lam@apple.com>
1746 Refactoring: Rename ScrambledPtr to Poisoned.
1747 https://bugs.webkit.org/show_bug.cgi?id=180514
1749 Reviewed by Saam Barati.
1751 * API/JSCallbackObject.h:
1752 * API/JSObjectRef.cpp:
1754 * JavaScriptCore.xcodeproj/project.pbxproj:
1756 * assembler/MacroAssemblerCodeRef.h:
1757 (JSC::FunctionPtr::FunctionPtr):
1758 (JSC::FunctionPtr::value const):
1759 (JSC::FunctionPtr::executableAddress const):
1760 (JSC::ReturnAddressPtr::ReturnAddressPtr):
1761 (JSC::ReturnAddressPtr::value const):
1762 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1763 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1764 (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1765 (JSC::MacroAssemblerCodePtr:: const):
1766 (JSC::MacroAssemblerCodePtr::operator! const):
1767 (JSC::MacroAssemblerCodePtr::operator== const):
1768 (JSC::MacroAssemblerCodePtr::emptyValue):
1769 (JSC::MacroAssemblerCodePtr::deletedValue):
1770 (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1771 * b3/B3LowerMacros.cpp:
1773 (JSC::B3::testInterpreter):
1774 * dfg/DFGSpeculativeJIT.cpp:
1775 (JSC::DFG::SpeculativeJIT::checkArray):
1776 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1777 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1778 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1779 * ftl/FTLLowerDFGToB3.cpp:
1780 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1781 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1782 * jit/AssemblyHelpers.h:
1783 (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1784 * jit/SpecializedThunkJIT.h:
1785 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1786 * jit/ThunkGenerators.cpp:
1787 (JSC::virtualThunkFor):
1788 (JSC::boundThisNoArgsFunctionCallGenerator):
1789 * llint/LLIntSlowPaths.cpp:
1790 (JSC::LLInt::handleHostCall):
1791 (JSC::LLInt::setUpCall):
1792 * llint/LowLevelInterpreter64.asm:
1793 * runtime/InitializeThreading.cpp:
1794 (JSC::initializeThreading):
1795 * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1796 (JSC::initializePoison):
1797 (JSC::initializeScrambledPtrKeys): Deleted.
1798 * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1799 * runtime/JSCScrambledPtr.cpp: Removed.
1800 * runtime/JSCScrambledPtr.h: Removed.
1801 * runtime/JSDestructibleObject.h:
1802 (JSC::JSDestructibleObject::classInfo const):
1803 * runtime/JSSegmentedVariableObject.h:
1804 (JSC::JSSegmentedVariableObject::classInfo const):
1805 * runtime/Structure.h:
1808 2017-12-02 Darin Adler <darin@apple.com>
1810 Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
1811 https://bugs.webkit.org/show_bug.cgi?id=180009
1813 Reviewed by Alex Christensen.
1815 * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
1816 * bytecode/CodeBlock.cpp: Ditto.
1817 * bytecode/ExecutionCounter.cpp: Ditto.
1818 * runtime/ConfigFile.cpp: Ditto.
1819 * runtime/DatePrototype.cpp: Ditto.
1820 * runtime/IndexingType.cpp: Ditto.
1821 * runtime/JSCJSValue.cpp: Ditto.
1822 * runtime/JSDateMath.cpp: Ditto.
1823 * runtime/JSGlobalObjectFunctions.cpp: Ditto.
1824 * runtime/Options.cpp: Ditto.
1825 (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
1827 2017-12-06 Saam Barati <sbarati@apple.com>
1829 ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
1830 https://bugs.webkit.org/show_bug.cgi?id=180438
1831 <rdar://problem/35862342>
1833 Reviewed by Yusuke Suzuki.
1835 A couple inspector methods that take stacktraces need
1838 * inspector/ScriptCallStackFactory.cpp:
1839 (Inspector::createScriptCallStack):
1840 (Inspector::createScriptCallStackForConsole):
1842 2017-12-05 Stephan Szabo <stephan.szabo@sony.com>
1844 Switch windows build to Visual Studio 2017
1845 https://bugs.webkit.org/show_bug.cgi?id=172412
1847 Reviewed by Per Arne Vollan.
1849 * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1851 2017-12-05 JF Bastien <jfbastien@apple.com>
1853 WebAssembly: don't eagerly checksum
1854 https://bugs.webkit.org/show_bug.cgi?id=180441
1855 <rdar://problem/35156628>
1857 Reviewed by Saam Barati.
1859 Make checksumming of module optional for now. The bots think the
1860 checksum hurt compile-time. I'd measured it and couldn't see a
1861 difference, and still can't at this point in time, but we'll see
1862 if disabling it fixes the bots. If so then I can make it lazy upon
1863 first backtrace construction, or I can try out MD5 instead of
1866 * runtime/Options.h:
1867 * wasm/WasmModuleInformation.cpp:
1868 (JSC::Wasm::ModuleInformation::ModuleInformation):
1869 * wasm/WasmModuleInformation.h:
1870 * wasm/WasmNameSection.h:
1871 (JSC::Wasm::NameSection::NameSection):
1873 2017-12-05 Filip Pizlo <fpizlo@apple.com>
1875 IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
1876 https://bugs.webkit.org/show_bug.cgi?id=180425
1878 Reviewed by Saam Barati.
1880 Failure to do so causes leaks after starting workers.
1882 * heap/IsoAlignedMemoryAllocator.cpp:
1883 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1884 (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1886 2017-12-05 Per Arne Vollan <pvollan@apple.com>
1888 [Win64] Compile error in testmasm.cpp.
1889 https://bugs.webkit.org/show_bug.cgi?id=180436
1891 Reviewed by Mark Lam.
1893 Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
1895 * assembler/testmasm.cpp:
1896 (JSC::testGetEffectiveAddress):
1898 2017-12-01 Filip Pizlo <fpizlo@apple.com>
1900 GC constraint solving should be parallel
1901 https://bugs.webkit.org/show_bug.cgi?id=179934
1903 Reviewed by JF Bastien.
1905 This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
1906 speed-up. It's more than 1% on trunk-Speedometer.
1908 The constraint solver supports running constraints in parallel in two different ways:
1910 - Run multiple constraints in parallel to each other. This only works for constraints that can
1911 tolerate other constraints running concurrently to them (constraint.concurrency() ==
1912 ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
1913 constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
1914 could probably make them concurrent, but I'm playing it safe for now.
1916 - A constraint can create parallel work for itself, which the constraint solver will interleave
1917 with other stuff. A constraint can report that it has parallel work by returning
1918 ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
1919 constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
1920 for as long as that function wants to run.
1922 It's not possible to have a non-concurrent constraint that creates parallel work.
1924 The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
1925 most natural for two reasons:
1927 - No need to start any other threads.
1929 - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
1930 access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
1931 create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
1932 thread, that thread will have work it can start doing immediately. Before this change, we had to
1933 contribute the work found by the constraint solver to the global worklist so that it could be
1934 distributed to the marker threads by load balancing. This change probably helps to avoid that
1935 load balancing step.
1937 A lot of this change is about making it easy to iterate GC data structures in parallel. This
1938 change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
1939 the parallel work API. That constraint iterates the marked cells in two subspaces. This change
1940 makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
1941 The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
1942 iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
1943 RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
1944 when it returns a falsish version of ... (in the current code, that's always a pointer type, so
1945 done is indicated by null).
1947 * API/JSMarkingConstraintPrivate.cpp:
1948 (JSContextGroupAddMarkingConstraint):
1949 * API/JSVirtualMachine.mm:
1950 (scanExternalObjectGraph):
1951 (scanExternalRememberedSet):
1952 * JavaScriptCore.xcodeproj/project.pbxproj:
1954 * bytecode/AccessCase.cpp:
1955 (JSC::AccessCase::propagateTransitions const):
1956 * bytecode/CodeBlock.cpp:
1957 (JSC::CodeBlock::visitWeakly):
1958 (JSC::CodeBlock::shouldJettisonDueToOldAge):
1959 (JSC::shouldMarkTransition):
1960 (JSC::CodeBlock::propagateTransitions):
1961 (JSC::CodeBlock::determineLiveness):
1962 * dfg/DFGWorklist.cpp:
1963 * ftl/FTLCompile.cpp:
1964 (JSC::FTL::compile):
1965 * heap/ConstraintParallelism.h: Added.
1966 (WTF::printInternal):
1969 (JSC::Heap::addToRememberedSet):
1970 (JSC::Heap::runFixpointPhase):
1971 (JSC::Heap::stopThePeriphery):
1972 (JSC::Heap::resumeThePeriphery):
1973 (JSC::Heap::addCoreConstraints):
1974 (JSC::Heap::setBonusVisitorTask):
1975 (JSC::Heap::runTaskInParallel):
1976 (JSC::Heap::forEachSlotVisitor): Deleted.
1978 (JSC::Heap::worldIsRunning const):
1979 (JSC::Heap::runFunctionInParallel):
1980 * heap/HeapInlines.h:
1981 (JSC::Heap::worldIsStopped const):
1982 (JSC::Heap::isMarked):
1983 (JSC::Heap::incrementDeferralDepth):
1984 (JSC::Heap::decrementDeferralDepth):
1985 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1986 (JSC::Heap::forEachSlotVisitor):
1987 (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
1988 (JSC::Heap::isMarkedConcurrently): Deleted.
1989 * heap/HeapSnapshotBuilder.cpp:
1990 (JSC::HeapSnapshotBuilder::appendNode):
1991 * heap/LargeAllocation.h:
1992 (JSC::LargeAllocation::isMarked):
1993 (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
1994 * heap/LockDuringMarking.h:
1995 (JSC::lockDuringMarking):
1996 * heap/MarkedAllocator.cpp:
1997 (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
1998 * heap/MarkedAllocator.h:
1999 * heap/MarkedBlock.h:
2000 (JSC::MarkedBlock::aboutToMark):
2001 (JSC::MarkedBlock::isMarked):
2002 (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2003 (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2004 * heap/MarkedSpace.h:
2005 (JSC::MarkedSpace::activeWeakSetsBegin):
2006 (JSC::MarkedSpace::activeWeakSetsEnd):
2007 (JSC::MarkedSpace::newActiveWeakSetsBegin):
2008 (JSC::MarkedSpace::newActiveWeakSetsEnd):
2009 * heap/MarkingConstraint.cpp:
2010 (JSC::MarkingConstraint::MarkingConstraint):
2011 (JSC::MarkingConstraint::execute):
2012 (JSC::MarkingConstraint::quickWorkEstimate):
2013 (JSC::MarkingConstraint::workEstimate):
2014 (JSC::MarkingConstraint::doParallelWork):
2015 (JSC::MarkingConstraint::finishParallelWork):
2016 (JSC::MarkingConstraint::doParallelWorkImpl):
2017 (JSC::MarkingConstraint::finishParallelWorkImpl):
2018 * heap/MarkingConstraint.h:
2019 (JSC::MarkingConstraint::lastExecuteParallelism const):
2020 (JSC::MarkingConstraint::parallelism const):
2021 (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2022 (JSC::MarkingConstraint::workEstimate): Deleted.
2023 * heap/MarkingConstraintSet.cpp:
2024 (JSC::MarkingConstraintSet::MarkingConstraintSet):
2025 (JSC::MarkingConstraintSet::add):
2026 (JSC::MarkingConstraintSet::executeConvergence):
2027 (JSC::MarkingConstraintSet::executeConvergenceImpl):
2028 (JSC::MarkingConstraintSet::executeAll):
2029 (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2030 (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2031 (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2032 (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2033 (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2034 (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2036 * heap/MarkingConstraintSet.h:
2037 * heap/MarkingConstraintSolver.cpp: Added.
2038 (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2039 (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2040 (JSC::MarkingConstraintSolver::didVisitSomething const):
2041 (JSC::MarkingConstraintSolver::execute):
2042 (JSC::MarkingConstraintSolver::drain):
2043 (JSC::MarkingConstraintSolver::converge):
2044 (JSC::MarkingConstraintSolver::runExecutionThread):
2045 (JSC::MarkingConstraintSolver::didExecute):
2046 * heap/MarkingConstraintSolver.h: Added.
2047 * heap/OpaqueRootSet.h: Removed.
2048 * heap/ParallelSourceAdapter.h: Added.
2049 (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2050 (JSC::createParallelSourceAdapter):
2051 * heap/SimpleMarkingConstraint.cpp: Added.
2052 (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2053 (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2054 (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2055 (JSC::SimpleMarkingConstraint::executeImpl):
2056 * heap/SimpleMarkingConstraint.h: Added.
2057 * heap/SlotVisitor.cpp:
2058 (JSC::SlotVisitor::didStartMarking):
2059 (JSC::SlotVisitor::reset):
2060 (JSC::SlotVisitor::appendToMarkStack):
2061 (JSC::SlotVisitor::visitChildren):
2062 (JSC::SlotVisitor::updateMutatorIsStopped):
2063 (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2064 (JSC::SlotVisitor::drain):
2065 (JSC::SlotVisitor::performIncrementOfDraining):
2066 (JSC::SlotVisitor::didReachTermination):
2067 (JSC::SlotVisitor::hasWork):
2068 (JSC::SlotVisitor::drainFromShared):
2069 (JSC::SlotVisitor::drainInParallelPassively):
2070 (JSC::SlotVisitor::waitForTermination):
2071 (JSC::SlotVisitor::addOpaqueRoot): Deleted.
2072 (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
2073 (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
2074 (JSC::SlotVisitor::mergeIfNecessary): Deleted.
2075 (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
2076 (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
2077 * heap/SlotVisitor.h:
2078 * heap/SlotVisitorInlines.h:
2079 (JSC::SlotVisitor::addOpaqueRoot):
2080 (JSC::SlotVisitor::containsOpaqueRoot const):
2081 (JSC::SlotVisitor::vm):
2082 (JSC::SlotVisitor::vm const):
2083 * heap/Subspace.cpp:
2084 (JSC::Subspace::parallelAllocatorSource):
2085 (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2087 * heap/SubspaceInlines.h:
2088 (JSC::Subspace::forEachMarkedCellInParallel):
2089 * heap/VisitCounter.h: Added.
2090 (JSC::VisitCounter::VisitCounter):
2091 (JSC::VisitCounter::visitCount const):
2092 * heap/VisitingTimeout.h: Removed.
2093 * heap/WeakBlock.cpp:
2094 (JSC::WeakBlock::specializedVisit):
2095 * runtime/Structure.cpp:
2096 (JSC::Structure::isCheapDuringGC):
2097 (JSC::Structure::markIfCheap):
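The parallel-iterator abstraction the entry above describes, written out as an added example that is not JSC's code: a source whose next() is atomic and returns null when exhausted, an adapter that composes a cell source out of a block source (standing in for JSC's ParallelSourceAdapter and forEachMarkedCellInParallel), and several threads draining the composed source at once. ParallelSource, makeVectorSource, adaptSource and the sample heap are assumed names, not the project's.

```cpp
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// A parallel source: an iterator whose next() is atomic and returns nullptr
// once exhausted. Stands in for JSC's RefPtr<SharedTask<T*()>> (assumed name).
template<typename T>
using ParallelSource = std::function<T*()>;

struct Cell { unsigned id; bool marked; };
struct Block { std::vector<Cell> cells; };

// Hypothetical helper: hands out a vector's elements one at a time under a lock.
template<typename T>
ParallelSource<T> makeVectorSource(std::vector<T>& items)
{
    struct State { std::mutex lock; size_t index = 0; };
    auto state = std::make_shared<State>();
    return [state, &items]() -> T* {
        std::lock_guard<std::mutex> guard(state->lock);
        if (state->index >= items.size())
            return nullptr;
        return &items[state->index++];
    };
}

// Hypothetical analogue of composing sources: a source of Inner items built from
// a source of Outer items by opening one inner source per outer item. The lock is
// held across the inner call, coarser than a collector wants but easy to reason about.
template<typename Outer, typename Inner>
ParallelSource<Inner> adaptSource(ParallelSource<Outer> outer,
                                  std::function<ParallelSource<Inner>(Outer*)> makeInner)
{
    struct State { std::mutex lock; ParallelSource<Inner> current; };
    auto state = std::make_shared<State>();
    return [state, outer, makeInner]() -> Inner* {
        std::lock_guard<std::mutex> guard(state->lock);
        for (;;) {
            if (state->current) {
                if (Inner* item = state->current())
                    return item;
                state->current = nullptr;  // inner exhausted: advance the outer
            }
            Outer* nextOuter = outer();
            if (!nextOuter)
                return nullptr;            // outer exhausted: whole source is done
            state->current = makeInner(nextOuter);
        }
    };
}

// Drains the composed cell source from threadCount threads, counting visits to
// marked cells per cell id. A correct source yields each marked cell exactly once.
std::vector<unsigned> visitMarkedCellsInParallel(std::vector<Block>& blocks,
                                                 unsigned threadCount, unsigned cellCount)
{
    ParallelSource<Cell> cellSource = adaptSource<Block, Cell>(
        makeVectorSource(blocks), [](Block* block) { return makeVectorSource(block->cells); });
    std::vector<unsigned> visits(cellCount, 0);
    std::mutex visitsLock;
    std::vector<std::thread> workers;
    for (unsigned i = 0; i < threadCount; ++i) {
        workers.emplace_back([&] {
            while (Cell* cell = cellSource()) {
                if (!cell->marked)
                    continue;              // the marked-cell iterator skips the rest
                std::lock_guard<std::mutex> guard(visitsLock);
                visits[cell->id]++;
            }
        });
    }
    for (auto& worker : workers)
        worker.join();
    return visits;
}

// Constructed sample heap: 4 blocks of 8 cells, every third cell marked.
std::vector<Block> makeSampleBlocks()
{
    std::vector<Block> blocks(4);
    unsigned id = 0;
    for (auto& block : blocks)
        for (unsigned i = 0; i < 8; ++i, ++id)
            block.cells.push_back(Cell{id, id % 3 == 0});
    return blocks;
}

// True if every marked sample cell was visited exactly once and no unmarked cell at all.
bool sampleMarkedCellsVisitedOnce(unsigned threadCount)
{
    std::vector<Block> blocks = makeSampleBlocks();
    std::vector<unsigned> visits = visitMarkedCellsInParallel(blocks, threadCount, 32);
    for (unsigned id = 0; id < 32; ++id)
        if (visits[id] != (id % 3 == 0 ? 1u : 0u))
            return false;
    return true;
}
```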
2099 2017-12-04 JF Bastien <jfbastien@apple.com>
2101 Math: don't redundantly check for exceptions, just release scope
2102 https://bugs.webkit.org/show_bug.cgi?id=180395
2104 Rubber stamped by Mark Lam.
2106 Two of the exceptions checks could just have been exception scope
2107 releases before the return, which is ever-so-slightly more
2108 efficient. The same technically applies where we have loops over
2109 parameters, but doing the scope release there isn't really more
2110 efficient and is way harder to read.
2112 * runtime/MathObject.cpp:
2113 (JSC::mathProtoFuncATan2):
2114 (JSC::mathProtoFuncPow):
2116 2017-12-04 David Quesada <david_quesada@apple.com>
2118 Add a class for parsing application manifests
2119 https://bugs.webkit.org/show_bug.cgi?id=177973
2120 rdar://problem/34747949
2122 Reviewed by Geoffrey Garen.
2124 * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
2126 2017-12-04 JF Bastien <jfbastien@apple.com>
2128 Update std::expected to match libc++ coding style
2129 https://bugs.webkit.org/show_bug.cgi?id=180264
2131 Reviewed by Alex Christensen.
2133 Update various uses of Expected.
2135 * wasm/WasmModule.h:
2136 * wasm/WasmModuleParser.cpp:
2137 (JSC::Wasm::ModuleParser::parseImport):
2138 (JSC::Wasm::ModuleParser::parseTableHelper):
2139 (JSC::Wasm::ModuleParser::parseTable):
2140 (JSC::Wasm::ModuleParser::parseMemoryHelper):
2141 * wasm/WasmParser.h:
2142 * wasm/generateWasmValidateInlinesHeader.py:
2145 * wasm/js/JSWebAssemblyModule.cpp:
2146 (JSC::JSWebAssemblyModule::createStub):
2147 * wasm/js/JSWebAssemblyModule.h:
2149 2017-12-04 Saam Barati <sbarati@apple.com>
2151 We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2152 https://bugs.webkit.org/show_bug.cgi?id=180366
2153 <rdar://problem/35685877>
2155 Reviewed by Michael Saboff.
2157 On the TailCall slow path, the CallFrameShuffler will build the frame with
2158 respect to SP instead of FP. However, this may overwrite slots on the stack
2159 that are needed if the slow path C call does a stack walk. The slow path
2160 C call does a stack walk when it throws an exception. This patch fixes
2161 this bug by ensuring that the top of the stack in the FTL always has enough
2162 space to allow CallFrameShuffler to build a frame without overwriting any
2163 items on the stack that are needed when doing a stack walk.
2165 * ftl/FTLLowerDFGToB3.cpp:
2166 (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2168 2017-12-04 Devin Rousso <webkit@devinrousso.com>
2170 Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
2171 https://bugs.webkit.org/show_bug.cgi?id=175166
2172 <rdar://problem/34040740>
2174 Reviewed by Joseph Pecoraro.
2176 * inspector/protocol/Recording.json:
2177 Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
2179 * inspector/JSGlobalObjectConsoleClient.h:
2180 * inspector/JSGlobalObjectConsoleClient.cpp:
2181 (Inspector::JSGlobalObjectConsoleClient::record):
2182 (Inspector::JSGlobalObjectConsoleClient::recordEnd):
2184 * runtime/ConsoleClient.h:
2185 * runtime/ConsoleObject.cpp:
2186 (JSC::ConsoleObject::finishCreation):
2187 (JSC::consoleProtoFuncRecord):
2188 (JSC::consoleProtoFuncRecordEnd):
2190 2017-12-03 Yusuke Suzuki <utatane.tea@gmail.com>
2192 WTF shouldn't have both Thread and ThreadIdentifier
2193 https://bugs.webkit.org/show_bug.cgi?id=180308
2195 Reviewed by Darin Adler.
2197 * heap/MachineStackMarker.cpp:
2198 (JSC::MachineThreads::tryCopyOtherThreadStacks):
2199 * llint/LLIntSlowPaths.cpp:
2200 (JSC::LLInt::llint_trace_operand):
2201 (JSC::LLInt::llint_trace_value):
2202 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2203 (JSC::LLInt::traceFunctionPrologue):
2204 * runtime/ExceptionScope.cpp:
2205 (JSC::ExceptionScope::unexpectedExceptionMessage):
2207 (JSC::JSLock::currentThreadIsHoldingLock):
2209 (JSC::VM::throwException):
2211 (JSC::VM::throwingThread const):
2212 (JSC::VM::clearException):
2213 * tools/HeapVerifier.cpp:
2214 (JSC::HeapVerifier::printVerificationHeader):
2216 2017-12-03 Caio Lima <ticaiolima@gmail.com>
2218 Rename DestroyFunc to avoid redefinition on unified build
2219 https://bugs.webkit.org/show_bug.cgi?id=180335
2221 Reviewed by Filip Pizlo.
2223 Changing DestroyFunc structures to more specific names to avoid
2224 conflicts on unified builds.
2226 * heap/HeapCellType.cpp:
2227 (JSC::HeapCellType::finishSweep):
2228 (JSC::HeapCellType::destroy):
2229 * runtime/JSDestructibleObjectHeapCellType.cpp:
2230 (JSC::JSDestructibleObjectHeapCellType::finishSweep):
2231 (JSC::JSDestructibleObjectHeapCellType::destroy):
2232 * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2233 (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
2234 (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
2235 * runtime/JSStringHeapCellType.cpp:
2236 (JSC::JSStringHeapCellType::finishSweep):
2237 (JSC::JSStringHeapCellType::destroy):
2238 * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2239 (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
2240 (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
2242 2017-12-01 JF Bastien <jfbastien@apple.com>
2244 JavaScriptCore: missing exception checks in Math functions that take more than one argument
2245 https://bugs.webkit.org/show_bug.cgi?id=180297
2246 <rdar://problem/35745556>
2248 Reviewed by Mark Lam.
2250 * runtime/MathObject.cpp:
2251 (JSC::mathProtoFuncATan2):
2252 (JSC::mathProtoFuncMax):
2253 (JSC::mathProtoFuncMin):
2254 (JSC::mathProtoFuncPow):
2256 2017-12-01 Mark Lam <mark.lam@apple.com>
2258 Let's scramble ClassInfo pointers in cells.
2259 https://bugs.webkit.org/show_bug.cgi?id=180291
2260 <rdar://problem/35807620>
2262 Reviewed by JF Bastien.
2264 * API/JSCallbackObject.h:
2265 * API/JSObjectRef.cpp:
2267 * JavaScriptCore.xcodeproj/project.pbxproj:
2269 * assembler/MacroAssemblerCodeRef.cpp:
2270 (JSC::MacroAssemblerCodePtr::initialize): Deleted.
2271 * assembler/MacroAssemblerCodeRef.h:
2272 (JSC::MacroAssemblerCodePtr:: const):
2273 (JSC::MacroAssemblerCodePtr::hash const):
2274 * dfg/DFGSpeculativeJIT.cpp:
2275 (JSC::DFG::SpeculativeJIT::checkArray):
2276 (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2277 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2278 * ftl/FTLLowerDFGToB3.cpp:
2279 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2280 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2281 * jit/AssemblyHelpers.h:
2282 (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2283 * jit/SpecializedThunkJIT.h:
2284 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2285 * runtime/InitializeThreading.cpp:
2286 (JSC::initializeThreading):
2287 * runtime/JSCScrambledPtr.cpp: Added.
2288 (JSC::initializeScrambledPtrKeys):
2289 * runtime/JSCScrambledPtr.h: Added.
2290 * runtime/JSDestructibleObject.h:
2291 (JSC::JSDestructibleObject::classInfo const):
2292 * runtime/JSSegmentedVariableObject.h:
2293 (JSC::JSSegmentedVariableObject::classInfo const):
2294 * runtime/Structure.h:
2297 2017-12-01 Brian Burg <bburg@apple.com>
2299 Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
2300 https://bugs.webkit.org/show_bug.cgi?id=173662
2302 Reviewed by Joseph Pecoraro.
2304 Adopt new type names. Fix protocol generator to use correct type names.
2306 * inspector/ConsoleMessage.cpp:
2307 (Inspector::ConsoleMessage::addToFrontend):
2308 Improve naming and use 'auto' when the type is obvious and repeated.
2310 * inspector/ContentSearchUtilities.cpp:
2311 (Inspector::ContentSearchUtilities::searchInTextByLines):
2312 * inspector/ContentSearchUtilities.h:
2313 * inspector/InjectedScript.cpp:
2314 (Inspector::InjectedScript::getProperties):
2315 (Inspector::InjectedScript::getDisplayableProperties):
2316 (Inspector::InjectedScript::getInternalProperties):
2317 (Inspector::InjectedScript::getCollectionEntries):
2318 (Inspector::InjectedScript::wrapCallFrames const):
2319 * inspector/InjectedScript.h:
2320 * inspector/InspectorProtocolTypes.h:
2321 (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
2322 (Inspector::Protocol::Array::Array): Deleted.
2323 (Inspector::Protocol::Array::openAccessors): Deleted.
2324 (Inspector::Protocol::Array::addItem): Deleted.
2325 (Inspector::Protocol::Array::create): Deleted.
2326 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
2327 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
2328 Move the implementation out of this file.
2330 * inspector/ScriptCallStack.cpp:
2331 (Inspector::ScriptCallStack::buildInspectorArray const):
2332 * inspector/ScriptCallStack.h:
2333 * inspector/agents/InspectorAgent.cpp:
2334 (Inspector::InspectorAgent::activateExtraDomain):
2335 (Inspector::InspectorAgent::activateExtraDomains):
2336 * inspector/agents/InspectorAgent.h:
2337 * inspector/agents/InspectorConsoleAgent.cpp:
2338 (Inspector::InspectorConsoleAgent::getLoggingChannels):
2339 * inspector/agents/InspectorConsoleAgent.h:
2340 * inspector/agents/InspectorDebuggerAgent.cpp:
2341 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2342 (Inspector::InspectorDebuggerAgent::searchInContent):
2343 (Inspector::InspectorDebuggerAgent::currentCallFrames):
2344 * inspector/agents/InspectorDebuggerAgent.h:
2345 * inspector/agents/InspectorRuntimeAgent.cpp:
2346 (Inspector::InspectorRuntimeAgent::getProperties):
2347 (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2348 (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2349 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2350 (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2351 * inspector/agents/InspectorRuntimeAgent.h:
2352 * inspector/agents/InspectorScriptProfilerAgent.cpp:
2353 (Inspector::buildSamples):
2354 Use more 'auto' and rename a variable.
2356 * inspector/scripts/codegen/cpp_generator.py:
2357 (CppGenerator.cpp_protocol_type_for_type):
2358 Adopt new type names. This exposed a latent bug where we should have been
2359 unwrapping an AliasedType prior to generating a C++ type for it. The aliased
2360 type may be an array, in which case we would have generated the wrong type.
2362 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2363 (_generate_typedefs_for_domain.JSON):
2364 (_generate_typedefs_for_domain.Inspector): Deleted.
2365 * inspector/scripts/codegen/objc_generator.py:
2366 (ObjCGenerator.protocol_type_for_type):
2367 (ObjCGenerator.objc_protocol_export_expression_for_variable):
2368 * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2369 * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2370 * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2371 * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2372 * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2373 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2376 * runtime/TypeSet.cpp:
2377 (JSC::TypeSet::allStructureRepresentations const):
2378 (JSC::StructureShape::inspectorRepresentation):
2379 * runtime/TypeSet.h:
2381 2017-12-01 Saam Barati <sbarati@apple.com>
2383 Having a bad time needs to handle ArrayClass indexing type as well
2384 https://bugs.webkit.org/show_bug.cgi?id=180274
2385 <rdar://problem/35667869>
2387 Reviewed by Keith Miller and Mark Lam.
2389 We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
2390 Otherwise, we'll end up with the wrong Structure, which will lead us to not
2391 adhere to the spec. The bug was that we were not considering ArrayClass inside
2392 hasBrokenIndexing. This patch rewrites that function to automatically opt
2393 in non-empty indexing types as broken, instead of having to opt out all
2394 non-empty indexing types besides SlowPutArrayStorage.
2396 * runtime/IndexingType.h:
2397 (JSC::hasSlowPutArrayStorage):
2398 (JSC::shouldUseSlowPut):
2399 * runtime/JSGlobalObject.cpp:
2400 * runtime/JSObject.cpp:
2401 (JSC::JSObject::switchToSlowPutArrayStorage):
2403 2017-12-01 JF Bastien <jfbastien@apple.com>
2405 WebAssembly: stack trace improvement follow-ups
2406 https://bugs.webkit.org/show_bug.cgi?id=180273
2408 Reviewed by Saam Barati.
2410 * wasm/WasmIndexOrName.cpp:
2411 (JSC::Wasm::makeString):
2412 * wasm/WasmIndexOrName.h:
2413 (JSC::Wasm::IndexOrName::nameSection const):
2414 * wasm/WasmNameSection.h:
2415 (JSC::Wasm::NameSection::NameSection):
2416 (JSC::Wasm::NameSection::get):
2418 2017-12-01 JF Bastien <jfbastien@apple.com>
2420 WebAssembly: restore cached stack limit after out-call
2421 https://bugs.webkit.org/show_bug.cgi?id=179106
2422 <rdar://problem/35337525>
2424 Reviewed by Saam Barati.
2426 We cache the stack limit on the Instance so that we can do fast
2427 stack checks where required. In regular usage the stack limit
2428 never changes because we always run on the same thread, but in
2429 rare cases an API user can totally migrate which thread (and
2430 therefore stack) is used for execution between WebAssembly
2431 traces. For that reason we set the cached stack limit to
2432 UINTPTR_MAX on the outgoing Instance when transitioning back into
2433 a different Instance. We usually restore the cached stack limit in
2434 Context::store, but this wasn't called on all code paths. We had a
2435 bug where an Instance calling into itself indirectly would
2436 therefore fail to restore its cached stack limit properly.
2438 This patch therefore restores the cached stack limit after direct
2439 calls which could be to imports (both wasm->wasm and
2440 wasm->embedder). We have to do all of them because we have no way
2441 of knowing what imports will do (they're known at instantiation
2442 time, not compilation time, and different instances can have
2443 different imports). To make this efficient we also add a pointer
2444 to the canonical location of the stack limit (i.e. the extra
2445 indirection we're trying to save by caching the stack limit on the
2446 Instance in the first place). This is potentially a small perf hit
2447 on imported direct calls.
2449 It's hard to say what the performance cost will be because we
2450 haven't seen much code in the wild which does this. We're adding
2451 two dependent loads and a store of the loaded value, which is
2452 unlikely to get used soon after. It's more code, but on an
2453 out-of-order processor it doesn't contribute to the critical path.
2455 * wasm/WasmB3IRGenerator.cpp:
2456 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2457 (JSC::Wasm::B3IRGenerator::addGrowMemory):
2458 (JSC::Wasm::B3IRGenerator::addCall):
2459 (JSC::Wasm::B3IRGenerator::addCallIndirect):
2460 * wasm/WasmInstance.cpp:
2461 (JSC::Wasm::Instance::Instance):
2462 (JSC::Wasm::Instance::create):
2463 * wasm/WasmInstance.h:
2464 (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
2465 (JSC::Wasm::Instance::cachedStackLimit const):
2466 (JSC::Wasm::Instance::setCachedStackLimit):
2467 * wasm/js/JSWebAssemblyInstance.cpp:
2468 (JSC::JSWebAssemblyInstance::create):
2469 * wasm/js/WebAssemblyFunction.cpp:
2470 (JSC::callWebAssemblyFunction):
2472 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2474 [JSC] Use JSFixedArray for op_new_array_buffer
2475 https://bugs.webkit.org/show_bug.cgi?id=180084
2477 Reviewed by Saam Barati.
2479 For op_new_array_buffer, we have a special constant buffer in CodeBlock.
2480 But using JSFixedArray is better because,
2482 1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
2483 If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as JS constant.
2485 2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
2486 has JSFixedArray, we can just emit a held JSFixedArray.
2488 3. We can reduce length of op_new_array_buffer since JSFixedArray holds this.
2490 4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
2492 5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
2493 DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
2494 will be introduced in [1].
2496 [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
2498 * bytecode/BytecodeDumper.cpp:
2499 (JSC::BytecodeDumper<Block>::dumpBytecode):
2500 * bytecode/BytecodeList.json:
2501 * bytecode/BytecodeUseDef.h:
2502 (JSC::computeUsesForBytecodeOffset):
2503 * bytecode/CodeBlock.cpp:
2504 (JSC::CodeBlock::finishCreation):
2505 * bytecode/CodeBlock.h:
2506 (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
2507 (JSC::CodeBlock::addConstantBuffer): Deleted.
2508 (JSC::CodeBlock::constantBufferAsVector): Deleted.
2509 (JSC::CodeBlock::constantBuffer): Deleted.
2510 * bytecode/UnlinkedCodeBlock.cpp:
2511 (JSC::UnlinkedCodeBlock::shrinkToFit):
2512 * bytecode/UnlinkedCodeBlock.h:
2513 (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2514 (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2515 (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
2516 (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2517 * bytecompiler/BytecodeGenerator.cpp:
2518 (JSC::BytecodeGenerator::emitNewArray):
2519 (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
2520 * bytecompiler/BytecodeGenerator.h:
2521 * dfg/DFGByteCodeParser.cpp:
2522 (JSC::DFG::ByteCodeParser::parseBlock):
2523 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2524 (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
2525 (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
2526 (JSC::DFG::ConstantBufferKey::hash const): Deleted.
2527 (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
2528 (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
2529 (JSC::DFG::ConstantBufferKey::index const): Deleted.
2530 (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
2531 (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
2532 * dfg/DFGClobberize.h:
2533 (JSC::DFG::clobberize):
2535 (JSC::DFG::Graph::dump):
2538 (JSC::DFG::Node::hasNewArrayBufferData):
2539 (JSC::DFG::Node::newArrayBufferData):
2540 (JSC::DFG::Node::hasVectorLengthHint):
2541 (JSC::DFG::Node::vectorLengthHint):
2542 (JSC::DFG::Node::indexingType):
2543 (JSC::DFG::Node::hasCellOperand):
2544 (JSC::DFG::Node::OpInfoWrapper::operator=):
2545 (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
2546 (JSC::DFG::Node::hasConstantBuffer): Deleted.
2547 (JSC::DFG::Node::startConstant): Deleted.
2548 (JSC::DFG::Node::numConstants): Deleted.
2549 * dfg/DFGOperations.cpp:
2550 * dfg/DFGOperations.h:
2551 * dfg/DFGSpeculativeJIT.h:
2552 (JSC::DFG::SpeculativeJIT::callOperation):
2553 * dfg/DFGSpeculativeJIT32_64.cpp:
2554 (JSC::DFG::SpeculativeJIT::compile):
2555 * dfg/DFGSpeculativeJIT64.cpp:
2556 (JSC::DFG::SpeculativeJIT::compile):
2557 * ftl/FTLLowerDFGToB3.cpp:
2558 (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2560 (JSC::JIT::privateCompileMainPass):
2562 * jit/JITOpcodes.cpp:
2563 (JSC::JIT::emit_op_new_array_buffer): Deleted.
2564 * jit/JITOperations.cpp:
2565 * jit/JITOperations.h:
2566 * llint/LLIntSlowPaths.cpp:
2567 * llint/LLIntSlowPaths.h:
2568 * llint/LowLevelInterpreter.asm:
2569 * runtime/CommonSlowPaths.cpp:
2570 (JSC::SLOW_PATH_DECL):
2571 * runtime/CommonSlowPaths.h:
2572 * runtime/JSFixedArray.cpp:
2573 (JSC::JSFixedArray::dumpToStream):
2574 * runtime/JSFixedArray.h:
2575 (JSC::JSFixedArray::create):
2576 (JSC::JSFixedArray::get const):
2577 (JSC::JSFixedArray::set):
2578 (JSC::JSFixedArray::buffer const):
2579 (JSC::JSFixedArray::values const):
2580 (JSC::JSFixedArray::length const):
2581 (JSC::JSFixedArray::get): Deleted.
2583 2017-11-30 JF Bastien <jfbastien@apple.com>
2585 WebAssembly: improve stack trace
2586 https://bugs.webkit.org/show_bug.cgi?id=179343
2588 Reviewed by Saam Barati.
2590 Stack traces now include:
2592 - Module name, if provided by the name section.
2593 - Module SHA1 hash if no name was provided
2594 - Stub identification, to differentiate from user code
2595 - Slightly different naming to match design from:
2596 https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
2598 * interpreter/StackVisitor.cpp:
2599 (JSC::StackVisitor::Frame::functionName const):
2600 * runtime/StackFrame.cpp:
2601 (JSC::StackFrame::functionName const):
2602 (JSC::StackFrame::visitChildren):
2603 * wasm/WasmIndexOrName.cpp:
2604 (JSC::Wasm::IndexOrName::IndexOrName):
2605 (JSC::Wasm::makeString):
2606 * wasm/WasmIndexOrName.h:
2607 (JSC::Wasm::IndexOrName::nameSection const):
2608 * wasm/WasmModuleInformation.cpp:
2609 (JSC::Wasm::ModuleInformation::ModuleInformation):
2610 * wasm/WasmModuleInformation.h:
2611 * wasm/WasmNameSection.h:
2612 (JSC::Wasm::NameSection::NameSection):
2613 (JSC::Wasm::NameSection::get):
2614 * wasm/WasmNameSectionParser.cpp:
2615 (JSC::Wasm::NameSectionParser::parse):
2617 2017-11-30 Stephan Szabo <stephan.szabo@sony.com>
2619 Make LegacyCustomProtocolManager optional for network process
2620 https://bugs.webkit.org/show_bug.cgi?id=176230
2622 Reviewed by Alex Christensen.
2624 * Configurations/FeatureDefines.xcconfig:
2626 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2628 [JSC] Remove easy toRemove & map.remove() use in OAS phase
2629 https://bugs.webkit.org/show_bug.cgi?id=180208
2631 Reviewed by Mark Lam.
2633 In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
2634 to optimize this common pattern. This patch only modifies apparent ones.
2635 But we can apply this refactoring further to OAS phase in the future.
2637 One thing we should take care of is that the predicate of removeIf should not touch the
2638 set being removed from itself. In this patch, we apply this change to (1) apparently
2639 correct ones and (2) things in the DFG OAS phase since it is very slow.
2641 * b3/B3MoveConstants.cpp:
2642 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2644 2017-11-30 Commit Queue <commit-queue@webkit.org>
2646 Unreviewed, rolling out r225362.
2647 https://bugs.webkit.org/show_bug.cgi?id=180225
2649 removeIf predicate function can touch remove target set
2650 (Requested by yusukesuzuki on #webkit).
2654 "[JSC] Remove easy toRemove & map.remove() use"
2655 https://bugs.webkit.org/show_bug.cgi?id=180208
2656 https://trac.webkit.org/changeset/225362
2658 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2660 [JSC] Use AllocatorIfExists for MaterializeNewObject
2661 https://bugs.webkit.org/show_bug.cgi?id=180189
2663 Reviewed by Filip Pizlo.
2665 I don't think anyone guarantees this allocator exists at this phase.
2666 And a nullptr allocator just works here. We change AllocatorForMode
2667 to AllocatorIfExists to accept nullptr for the allocator.
2669 * ftl/FTLLowerDFGToB3.cpp:
2670 (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2672 2017-11-30 Mark Lam <mark.lam@apple.com>
2674 Let's scramble MacroAssemblerCodePtr values.
2675 https://bugs.webkit.org/show_bug.cgi?id=180169
2676 <rdar://problem/35758340>
2678 Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
2680 1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
2682 2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
2683 template argument type that will be used to cast the result. This makes the
2684 client code that uses these functions a little less verbose.
2686 3. Change the code base in general to minimize passing void* code pointers around.
2687 We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
2688 at the last moment when we need the underlying code pointer.
2690 4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
2691 default. I'm leaving them in because they are instrumental in finding bugs
2692 where not all MacroAssemblerCodePtr values were scrambled as expected.
2693 I expect them to be useful in the near future as we add more scrambling.
2695 5. Also disable the casting operator on MacroAssemblerCodePtr (except for
2696 explicit casts to a boolean). This ensures that clients will always explicitly
2697 use scrambledBits() or executableAddress() to get a value based on which value
2700 6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
2701 This was helpful when debugging tests that ran multiple VMs concurrently on
2704 MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
2705 CLoop). It is not yet supported in 32-bit and Windows because we don't
2706 currently have a way to read a global variable from their LLInt code.
2708 * assembler/AbstractMacroAssembler.h:
2709 (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2710 (JSC::AbstractMacroAssembler::linkPointer):
2711 * assembler/CodeLocation.h:
2712 (JSC::CodeLocationCommon::instructionAtOffset):
2713 (JSC::CodeLocationCommon::labelAtOffset):
2714 (JSC::CodeLocationCommon::jumpAtOffset):
2715 (JSC::CodeLocationCommon::callAtOffset):
2716 (JSC::CodeLocationCommon::nearCallAtOffset):
2717 (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
2718 (JSC::CodeLocationCommon::dataLabel32AtOffset):
2719 (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
2720 (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2721 * assembler/LinkBuffer.cpp:
2722 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2723 * assembler/LinkBuffer.h:
2724 (JSC::LinkBuffer::link):
2725 (JSC::LinkBuffer::patch):
2726 * assembler/MacroAssemblerCodeRef.cpp:
2727 (JSC::MacroAssemblerCodePtr::initialize):
2728 * assembler/MacroAssemblerCodeRef.h:
2729 (JSC::FunctionPtr::FunctionPtr):
2730 (JSC::FunctionPtr::value const):
2731 (JSC::FunctionPtr::executableAddress const):
2732 (JSC::ReturnAddressPtr::ReturnAddressPtr):
2733 (JSC::ReturnAddressPtr::value const):
2734 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2735 (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2736 (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2737 (JSC::MacroAssemblerCodePtr:: const):
2738 (JSC::MacroAssemblerCodePtr::operator! const):
2739 (JSC::MacroAssemblerCodePtr::operator bool const):
2740 (JSC::MacroAssemblerCodePtr::operator== const):
2741 (JSC::MacroAssemblerCodePtr::hash const):
2742 (JSC::MacroAssemblerCodePtr::emptyValue):
2743 (JSC::MacroAssemblerCodePtr::deletedValue):
2744 (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
2745 (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
2746 * b3/B3LowerMacros.cpp:
2748 (JSC::B3::testInterpreter):
2749 * dfg/DFGDisassembler.cpp:
2750 (JSC::DFG::Disassembler::dumpDisassembly):
2751 * dfg/DFGJITCompiler.cpp:
2752 (JSC::DFG::JITCompiler::link):
2753 (JSC::DFG::JITCompiler::compileFunction):
2754 * dfg/DFGOperations.cpp:
2755 * dfg/DFGSpeculativeJIT.cpp:
2756 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2757 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2758 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2759 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2760 * dfg/DFGSpeculativeJIT.h:
2761 * disassembler/Disassembler.cpp:
2763 * disassembler/UDis86Disassembler.cpp:
2764 (JSC::tryToDisassembleWithUDis86):
2765 * ftl/FTLCompile.cpp:
2766 (JSC::FTL::compile):
2767 * ftl/FTLJITCode.cpp:
2768 (JSC::FTL::JITCode::executableAddressAtOffset):
2771 * ftl/FTLLowerDFGToB3.cpp:
2772 (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
2773 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2774 (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2775 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2776 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2777 * interpreter/InterpreterInlines.h:
2778 (JSC::Interpreter::getOpcodeID):
2779 * jit/JITArithmetic.cpp:
2780 (JSC::JIT::emitMathICFast):
2781 (JSC::JIT::emitMathICSlow):
2783 (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2784 (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
2785 (JSC::JITCodeWithCodeRef::offsetOf):
2786 * jit/JITDisassembler.cpp:
2787 (JSC::JITDisassembler::dumpDisassembly):
2788 * jit/PCToCodeOriginMap.cpp:
2789 (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2791 (JSC::ftlThunkAwareRepatchCall):
2792 * jit/ThunkGenerators.cpp:
2793 (JSC::virtualThunkFor):
2794 (JSC::boundThisNoArgsFunctionCallGenerator):
2795 * llint/LLIntSlowPaths.cpp:
2796 (JSC::LLInt::llint_trace_operand):
2797 (JSC::LLInt::llint_trace_value):
2798 (JSC::LLInt::handleHostCall):
2799 (JSC::LLInt::setUpCall):
2800 * llint/LowLevelInterpreter64.asm:
2801 * offlineasm/cloop.rb:
2802 * runtime/InitializeThreading.cpp:
2803 (JSC::initializeThreading):
2804 * wasm/WasmBBQPlan.cpp:
2805 (JSC::Wasm::BBQPlan::complete):
2806 * wasm/WasmCallee.h:
2807 (JSC::Wasm::Callee::entrypoint const):
2808 * wasm/WasmCodeBlock.cpp:
2809 (JSC::Wasm::CodeBlock::CodeBlock):
2810 * wasm/WasmOMGPlan.cpp:
2811 (JSC::Wasm::OMGPlan::work):
2812 * wasm/js/WasmToJS.cpp:
2813 (JSC::Wasm::wasmToJS):
2814 * wasm/js/WebAssemblyFunction.cpp:
2815 (JSC::callWebAssemblyFunction):
2816 * wasm/js/WebAssemblyFunction.h:
2817 * wasm/js/WebAssemblyWrapperFunction.cpp:
2818 (JSC::WebAssemblyWrapperFunction::create):
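Items 1, 2 and 5 above, as an added C++ model (not JSC's ScrambledPtr or MacroAssemblerCodePtr; the class, the fixed key value and the helper functions are constructed for this example): the stored form is XOR-ed with a per-process secret, descrambled only at the point of use, and cannot silently decay to a raw pointer.

```cpp
#include <cstdint>
#include <cstddef>

// Per-process secret for scrambling code pointers. The real design would draw
// this from a CSPRNG at startup; it is a fixed constructed value here so the
// example is deterministic (assumption, not JSC's key derivation).
static const uintptr_t g_codePtrScrambleKey = static_cast<uintptr_t>(0x5A17C3E9D2B40F6Bull);

// Model of a code pointer whose in-memory form is XOR-ed with the secret.
// Disclosing the slot yields bits that are useless without the key, and bits
// written into the slot without the key descramble to an unintended address.
class ScrambledCodePtr {
public:
    ScrambledCodePtr() : m_scrambledBits(0) { }

    template<typename PointerType>
    static ScrambledCodePtr createFromExecutableAddress(PointerType address)
    {
        ScrambledCodePtr result;
        uintptr_t raw = reinterpret_cast<uintptr_t>(address);
        result.m_scrambledBits = raw ? (raw ^ g_codePtrScrambleKey) : 0; // null stays null
        return result;
    }

    // Rehydrate from bits already in memory (what a load from the slot yields).
    static ScrambledCodePtr fromScrambledBits(uintptr_t bits)
    {
        ScrambledCodePtr result;
        result.m_scrambledBits = bits;
        return result;
    }

    // Descramble only at the point of use; the template argument picks the
    // result type so call sites need no extra casts.
    template<typename T = void*>
    T executableAddress() const
    {
        uintptr_t raw = m_scrambledBits ? (m_scrambledBits ^ g_codePtrScrambleKey) : 0;
        return reinterpret_cast<T>(raw);
    }

    // The bits actually stored in memory; for hashing and debugging only.
    uintptr_t scrambledBits() const { return m_scrambledBits; }

    // Only an explicit boolean conversion exists: there is no silent decay to a
    // raw pointer, so every use must name executableAddress() on purpose.
    explicit operator bool() const { return m_scrambledBits != 0; }
    bool operator==(const ScrambledCodePtr& other) const { return m_scrambledBits == other.m_scrambledBits; }

private:
    uintptr_t m_scrambledBits;
};

// A function whose address stands in for JIT-generated code.
int square(int x) { return x * x; }

// Round trip: scramble the address of square(), then call through the
// descrambled pointer. Returns square(argument).
int callThroughScrambledPointer(int argument)
{
    ScrambledCodePtr codePtr = ScrambledCodePtr::createFromExecutableAddress(&square);
    int (*entry)(int) = codePtr.executableAddress<int (*)(int)>();
    return entry(argument);
}

// Whether a read of the slot reveals the real code address.
bool slotRevealsRawAddress()
{
    ScrambledCodePtr codePtr = ScrambledCodePtr::createFromExecutableAddress(&square);
    return codePtr.scrambledBits() == reinterpret_cast<uintptr_t>(&square);
}

// Whether a raw address stored into the slot without the key still resolves to
// that address when descrambled. It does not, which is the point of scrambling.
bool bitsWrittenWithoutKeyDescramble()
{
    uintptr_t raw = reinterpret_cast<uintptr_t>(&square);
    ScrambledCodePtr stored = ScrambledCodePtr::fromScrambledBits(raw);
    return stored.executableAddress<void*>() == reinterpret_cast<void*>(raw);
}
```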
2820 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2822 [JSC] Remove easy toRemove & map.remove() use
2823 https://bugs.webkit.org/show_bug.cgi?id=180208
2825 Reviewed by Mark Lam.
2827 In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
2828 to optimize this common pattern. This patch only modifies apparent ones.
2829 But we can apply this refactoring further to OAS phase in the future.
2831 * b3/B3MoveConstants.cpp:
2832 * dfg/DFGArgumentsEliminationPhase.cpp:
2833 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2834 * wasm/WasmSignature.cpp:
2835 (JSC::Wasm::SignatureInformation::tryCleanup):
2837 2017-11-29 Yusuke Suzuki <utatane.tea@gmail.com>
2839 [JSC] Use getEffectiveAddress more in JSC
2840 https://bugs.webkit.org/show_bug.cgi?id=180154
2842 Reviewed by Mark Lam.
2844 We can use MacroAssembler::getEffectiveAddress for stack height calculation.
2845 And we also add MacroAssembler::negPtr(src, dest) variation.
2847 * assembler/MacroAssembler.h:
2848 (JSC::MacroAssembler::negPtr):
2849 * assembler/MacroAssemblerARM.h:
2850 (JSC::MacroAssemblerARM::neg32):
2851 * assembler/MacroAssemblerARM64.h:
2852 (JSC::MacroAssemblerARM64::neg32):
2853 (JSC::MacroAssemblerARM64::neg64):
2854 * assembler/MacroAssemblerARMv7.h:
2855 (JSC::MacroAssemblerARMv7::neg32):
2856 * assembler/MacroAssemblerMIPS.h:
2857 (JSC::MacroAssemblerMIPS::neg32):
2858 * assembler/MacroAssemblerX86Common.h:
2859 (JSC::MacroAssemblerX86Common::neg32):
2860 * assembler/MacroAssemblerX86_64.h:
2861 (JSC::MacroAssemblerX86_64::neg64):
2862 * dfg/DFGThunks.cpp:
2863 (JSC::DFG::osrEntryThunkGenerator):
2864 * ftl/FTLLowerDFGToB3.cpp:
2865 (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2866 * jit/SetupVarargsFrame.cpp:
2867 (JSC::emitSetVarargsFrame):
2869 2017-11-30 Mark Lam <mark.lam@apple.com>
2871 jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2872 https://bugs.webkit.org/show_bug.cgi?id=180219
2873 <rdar://problem/35696536>
2875 Reviewed by Filip Pizlo.
2878 (functionFlashHeapAccess):
2880 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2882 [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2883 https://bugs.webkit.org/show_bug.cgi?id=180190
2885 Reviewed by Mark Lam.
2887 If DFG HasIndexedProperty node observes negative index, it goes to a slow
2888 path by calling operationHasIndexedProperty. The problem is that
2889 operationHasIndexedProperty does not account for a negative index. The negative index
2890 was used as a uint32 array index.
2892 In this patch we add a path for negative index in operationHasIndexedProperty.
2893 And rename it to operationHasIndexedPropertyByInt to make the intention clear.
2894 We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
2895 since it is only used in DFG and FTL.
2897 While fixing this bug, we found that our op_in does not record OutOfBound feedback.
2898 This causes repeated OSR exit and significantly regresses the performance. We opened
2899 a bug to track this issue[1].
2901 [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
2903 * dfg/DFGOperations.cpp:
2904 * dfg/DFGOperations.h:
2905 * dfg/DFGSpeculativeJIT32_64.cpp:
2906 (JSC::DFG::SpeculativeJIT::compile):
2907 * dfg/DFGSpeculativeJIT64.cpp:
2908 (JSC::DFG::SpeculativeJIT::compile):
2909 * ftl/FTLLowerDFGToB3.cpp:
2910 (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2911 * jit/JITOperations.cpp:
2912 * jit/JITOperations.h:
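The signed-to-unsigned confusion this entry describes, as an added C++ model (constructed for this example, not JSC's operationHasIndexedProperty; the Object struct and its storage are assumptions): the negative int32 index is reinterpreted as a uint32 array index, so a property named "-1" is never found, while the ByInt variant routes negative indices to the named-property lookup.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Minimal model of an object with indexed storage plus named properties.
// Constructed for this example; not JSC's JSObject.
struct Object {
    std::vector<bool> indexedStorage;            // true where an element exists; false marks a hole
    std::map<std::string, bool> namedProperties; // e.g. "-1", set by obj["-1"] = value

    bool hasIndexedProperty(uint32_t index) const
    {
        return index < indexedStorage.size() && indexedStorage[index];
    }

    bool hasNamedProperty(const std::string& key) const
    {
        return namedProperties.count(key) != 0;
    }
};

// Shape of the bug described in the entry: the int32 index is handed straight
// to the uint32 indexed path, so -1 turns into 4294967295 and the property
// named "-1" is never consulted.
bool operationHasIndexedPropertyBuggy(const Object& object, int32_t index)
{
    return object.hasIndexedProperty(static_cast<uint32_t>(index));
}

// Shape of the fix (modeled on the entry, not JSC's code): a negative int32 is
// not an array index at all, so it is resolved as a named property key.
bool operationHasIndexedPropertyByInt(const Object& object, int32_t index)
{
    if (index < 0)
        return object.hasNamedProperty(std::to_string(index));
    return object.hasIndexedProperty(static_cast<uint32_t>(index));
}

// Constructed sample: elements at 0, 1 and 3 (index 2 is a hole) and a named
// property "-1", as JavaScript `obj["-1"] = 1` would create.
Object sampleObject()
{
    Object object;
    object.indexedStorage = { true, true, false, true };
    object.namedProperties["-1"] = true;
    return object;
}
```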
2914 2017-11-30 Michael Saboff <msaboff@apple.com>
2916 Allow JSC command line tool to accept UTF8
2917 https://bugs.webkit.org/show_bug.cgi?id=180205
2919 Reviewed by Keith Miller.
2921 This unifies the UTF8 handling of interactive mode with that of source files.
2926 2017-11-30 Yusuke Suzuki <utatane.tea@gmail.com>
2928 REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
2929 https://bugs.webkit.org/show_bug.cgi?id=180185
2931 Reviewed by Carlos Garcia Campos.
2933 After r225314, we start using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
2934 But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
2935 can accept nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
2936 And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
2937 DFG node can be emitted if we see that an untaken path includes String + String code.
2939 This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
2940 As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
2941 I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
2942 original code used before r225314.
2944 * dfg/DFGSpeculativeJIT.cpp:
2945 (JSC::DFG::SpeculativeJIT::compileMakeRope):
2946 * ftl/FTLLowerDFGToB3.cpp:
2947 (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2949 2017-11-28 Filip Pizlo <fpizlo@apple.com>
2951 CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
2952 https://bugs.webkit.org/show_bug.cgi?id=180108
2954 Reviewed by Saam Barati.
2956 This was creating a vector of things to remove and then removing them. I think I remember writing
2957 this code, and I did that because at the time we did not have removeAllMatching, which is
2958 definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
2959 obvious improvement before I did more fundamental things to this code.
2961 * heap/CodeBlockSet.cpp:
2962 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2964 2017-11-29 Filip Pizlo <fpizlo@apple.com>
2966 GC should support isoheaps
2967 https://bugs.webkit.org/show_bug.cgi?id=179288
2969 Reviewed by Saam Barati.
2971 This expands the power of the Subspace API in JSC:
2973 - Everything associated with describing the types of objects is now part of the HeapCellType class.
2974 We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
2975 HeapCellType; these are orthogonal things.
2977 - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
2978 any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
2979 special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
2980 pages but releases the physical pages as part of the respective allocator's scavenging policy
2981 (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
2984 So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
2987 This does not have any effect on JetStream (0.18% faster with p = 0.69).
2989 * JavaScriptCore.xcodeproj/project.pbxproj:
2991 * bytecode/AccessCase.cpp:
2992 (JSC::AccessCase::generateImpl):
2993 * bytecode/ObjectAllocationProfileInlines.h:
2994 (JSC::ObjectAllocationProfile::initializeProfile):
2995 * dfg/DFGSpeculativeJIT.cpp:
2996 (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2997 (JSC::DFG::SpeculativeJIT::compileMakeRope):
2998 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2999 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3000 * dfg/DFGSpeculativeJIT64.cpp:
3001 (JSC::DFG::SpeculativeJIT::compile):
3002 * ftl/FTLAbstractHeapRepository.h:
3003 * ftl/FTLLowerDFGToB3.cpp:
3004 (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3005 (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3006 (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3007 (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3008 (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3009 * heap/AlignedMemoryAllocator.cpp:
3010 (JSC::AlignedMemoryAllocator::registerAllocator):
3011 (JSC::AlignedMemoryAllocator::registerSubspace):
3012 * heap/AlignedMemoryAllocator.h:
3013 (JSC::AlignedMemoryAllocator::firstAllocator const):
3014 * heap/AllocationFailureMode.h: Added.
3015 * heap/CompleteSubspace.cpp: Added.
3016 (JSC::CompleteSubspace::CompleteSubspace):
3017 (JSC::CompleteSubspace::~CompleteSubspace):
3018 (JSC::CompleteSubspace::allocatorFor):
3019 (JSC::CompleteSubspace::allocate):
3020 (JSC::CompleteSubspace::allocateNonVirtual):
3021 (JSC::CompleteSubspace::allocatorForSlow):
3022 (JSC::CompleteSubspace::allocateSlow):
3023 (JSC::CompleteSubspace::tryAllocateSlow):
3024 * heap/CompleteSubspace.h: Added.
3025 (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
3026 (JSC::CompleteSubspace::allocatorForSizeStep):
3027 (JSC::CompleteSubspace::allocatorForNonVirtual):
3028 * heap/HeapCellType.cpp: Added.
3029 (JSC::HeapCellType::HeapCellType):
3030 (JSC::HeapCellType::~HeapCellType):
3031 (JSC::HeapCellType::finishSweep):
3032 (JSC::HeapCellType::destroy):
3033 * heap/HeapCellType.h: Added.
3034 (JSC::HeapCellType::attributes const):
3035 * heap/IsoAlignedMemoryAllocator.cpp: Added.
3036 (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
3037 (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3038 (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3039 (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3040 (JSC::IsoAlignedMemoryAllocator::dump const):
3041 * heap/IsoAlignedMemoryAllocator.h: Added.
3042 * heap/IsoSubspace.cpp: Added.
3043 (JSC::IsoSubspace::IsoSubspace):
3044 (JSC::IsoSubspace::~IsoSubspace):
3045 (JSC::IsoSubspace::allocatorFor):
3046 (JSC::IsoSubspace::allocatorForNonVirtual):
3047 (JSC::IsoSubspace::allocate):
3048 (JSC::IsoSubspace::allocateNonVirtual):
3049 * heap/IsoSubspace.h: Added.
3050 (JSC::IsoSubspace::size const):
3051 * heap/MarkedAllocator.cpp:
3052 (JSC::MarkedAllocator::MarkedAllocator):
3053 (JSC::MarkedAllocator::setSubspace):
3054 (JSC::MarkedAllocator::allocateSlowCase):
3055 (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3056 (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3057 * heap/MarkedAllocator.h:
3058 (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
3059 (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
3060 * heap/MarkedAllocatorInlines.h:
3061 (JSC::MarkedAllocator::allocate):
3062 (JSC::MarkedAllocator::tryAllocate): Deleted.
3063 * heap/MarkedBlock.h:
3064 * heap/MarkedBlockInlines.h:
3065 (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
3066 (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
3067 * heap/MarkedSpace.cpp:
3068 (JSC::MarkedSpace::addMarkedAllocator):
3069 * heap/MarkedSpace.h:
3070 * heap/Subspace.cpp:
3071 (JSC::Subspace::Subspace):
3072 (JSC::Subspace::initialize):
3073 (JSC::Subspace::finishSweep):
3074 (JSC::Subspace::destroy):
3075 (JSC::Subspace::prepareForAllocation):
3076 (JSC::Subspace::findEmptyBlockToSteal):
3078 (JSC::Subspace::allocate): Deleted.
3079 (JSC::Subspace::tryAllocate): Deleted.
3080 (JSC::Subspace::allocatorForSlow): Deleted.
3081 (JSC::Subspace::allocateSlow): Deleted.
3082 (JSC::Subspace::tryAllocateSlow): Deleted.
3083 (JSC::Subspace::didAllocate): Deleted.
3085 (JSC::Subspace::heapCellType const):
3086 (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
3087 (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
3088 (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
3089 (JSC::Subspace::allocatorForSizeStep): Deleted.
3090 (JSC::Subspace::tryAllocatorFor): Deleted.
3091 (JSC::Subspace::allocatorFor): Deleted.
3092 * jit/AssemblyHelpers.h:
3093 (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3094 (JSC::AssemblyHelpers::emitAllocateVariableSized):
3095 (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3096 * jit/JITOpcodes.cpp:
3097 (JSC::JIT::emit_op_new_object):
3098 * runtime/ButterflyInlines.h:
3099 (JSC::Butterfly::createUninitialized):
3100 (JSC::Butterfly::tryCreate):
3101 (JSC::Butterfly::growArrayRight):
3102 * runtime/DirectArguments.cpp:
3103 (JSC::DirectArguments::overrideThings):
3104 * runtime/DirectArguments.h:
3105 (JSC::DirectArguments::subspaceFor):
3106 * runtime/DirectEvalExecutable.h:
3107 * runtime/EvalExecutable.h:
3108 * runtime/ExecutableBase.h:
3109 (JSC::ExecutableBase::subspaceFor):
3110 * runtime/FunctionExecutable.h:
3111 * runtime/GenericArgumentsInlines.h:
3112 (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3113 * runtime/HashMapImpl.h:
3114 (JSC::HashMapBuffer::create):
3115 * runtime/IndirectEvalExecutable.h:
3116 * runtime/JSArray.cpp:
3117 (JSC::JSArray::tryCreateUninitializedRestricted):
3118 (JSC::JSArray::unshiftCountSlowCase):
3119 * runtime/JSArray.h:
3120 (JSC::JSArray::tryCreate):
3121 * runtime/JSArrayBufferView.cpp:
3122 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3125 * runtime/JSCellInlines.h:
3126 (JSC::JSCell::subspaceFor):
3127 (JSC::tryAllocateCellHelper):
3128 (JSC::allocateCell):
3129 (JSC::tryAllocateCell):
3130 * runtime/JSDestructibleObject.h:
3131 (JSC::JSDestructibleObject::subspaceFor):
3132 * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
3133 (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3134 (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
3135 (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3136 (JSC::JSDestructibleObjectHeapCellType::destroy):
3137 (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
3138 (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
3139 (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
3140 (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
3141 * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
3142 * runtime/JSDestructibleObjectSubspace.cpp: Removed.
3143 * runtime/JSDestructibleObjectSubspace.h: Removed.
3144 * runtime/JSLexicalEnvironment.h:
3145 (JSC::JSLexicalEnvironment::subspaceFor):
3146 * runtime/JSSegmentedVariableObject.h:
3147 (JSC::JSSegmentedVariableObject::subspaceFor):
3148 * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
3149 (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3150 (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
3151 (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3152 (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3153 (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
3154 (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
3155 (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
3156 (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
3157 * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
3158 * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
3159 * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
3160 * runtime/JSString.h:
3161 (JSC::JSString::subspaceFor):
3162 * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
3163 (JSC::JSStringHeapCellType::JSStringHeapCellType):
3164 (JSC::JSStringHeapCellType::~JSStringHeapCellType):
3165 (JSC::JSStringHeapCellType::finishSweep):
3166 (JSC::JSStringHeapCellType::destroy):
3167 (JSC::JSStringSubspace::JSStringSubspace): Deleted.
3168 (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
3169 (JSC::JSStringSubspace::finishSweep): Deleted.
3170 (JSC::JSStringSubspace::destroy): Deleted.
3171 * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
3172 * runtime/JSStringSubspace.cpp: Removed.
3173 * runtime/JSStringSubspace.h: Removed.
3174 * runtime/ModuleProgramExecutable.h:
3175 * runtime/NativeExecutable.h:
3176 * runtime/ProgramExecutable.h:
3177 * runtime/RegExpMatchesArray.h:
3178 (JSC::tryCreateUninitializedRegExpMatchesArray):
3179 * runtime/ScopedArguments.h:
3180 (JSC::ScopedArguments::subspaceFor):
3184 (JSC::VM::gigacageAuxiliarySpace):
3185 * wasm/js/JSWebAssemblyCodeBlock.h:
3186 * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
3187 (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3188 (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
3189 (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3190 (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3191 (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
3192 (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
3193 (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
3194 (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
3195 * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
3196 * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
3197 * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
3198 * wasm/js/JSWebAssemblyMemory.h:
3199 (JSC::JSWebAssemblyMemory::subspaceFor):
3201 2017-11-29 Saam Barati <sbarati@apple.com>
3203 Remove pointer caging for double arrays
3204 https://bugs.webkit.org/show_bug.cgi?id=180163
3206 Reviewed by Mark Lam.
3208 This patch removes pointer caging from double arrays. Like
3209 my previous removals of pointer caging, this is a security vs
3210 performance tradeoff. We believe that butterflies being allocated
3211 in the cage and with a 32GB runway gives us enough security that
3212 pointer caging the butterfly just for double arrays does not add
3213 enough security benefit for the performance hit it incurs.
3215 This patch also removes the GetButterflyWithoutCaging node and
3216 the FixedButterflyAccessUncaging phase. The node is no longer needed
3217 because now all GetButterfly nodes are not caged. The phase is removed
3218 since we no longer have two nodes.
3220 * dfg/DFGAbstractInterpreterInlines.h:
3221 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3222 * dfg/DFGArgumentsEliminationPhase.cpp:
3223 * dfg/DFGClobberize.h:
3224 (JSC::DFG::clobberize):
3225 * dfg/DFGDoesGC.cpp:
3227 * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
3228 * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
3229 * dfg/DFGFixupPhase.cpp:
3230 (JSC::DFG::FixupPhase::fixupNode):
3231 * dfg/DFGHeapLocation.cpp:
3232 (WTF::printInternal):
3233 * dfg/DFGHeapLocation.h:
3234 * dfg/DFGNodeType.h:
3236 (JSC::DFG::Plan::compileInThreadImpl):
3237 * dfg/DFGPredictionPropagationPhase.cpp:
3238 * dfg/DFGSafeToExecute.h:
3239 (JSC::DFG::safeToExecute):
3240 * dfg/DFGSpeculativeJIT.cpp:
3241 (JSC::DFG::SpeculativeJIT::compileSpread):
3242 (JSC::DFG::SpeculativeJIT::compileArraySlice):
3243 (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3244 * dfg/DFGSpeculativeJIT32_64.cpp:
3245 (JSC::DFG::SpeculativeJIT::compile):
3246 * dfg/DFGSpeculativeJIT64.cpp:
3247 (JSC::DFG::SpeculativeJIT::compile):
3248 * dfg/DFGTypeCheckHoistingPhase.cpp:
3249 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3250 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3251 * ftl/FTLCapabilities.cpp:
3252 (JSC::FTL::canCompile):
3253 * ftl/FTLLowerDFGToB3.cpp:
3254 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3255 (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
3256 * jit/JITPropertyAccess.cpp:
3257 (JSC::JIT::emitDoubleLoad):
3258 (JSC::JIT::emitGenericContiguousPutByVal):
3259 * runtime/Butterfly.h:
3260 (JSC::Butterfly::pointer):
3261 (JSC::Butterfly::contiguousDouble):
3262 (JSC::Butterfly::caged): Deleted.
3263 * runtime/ButterflyInlines.h:
3264 (JSC::Butterfly::createOrGrowPropertyStorage):
3265 * runtime/JSObject.cpp:
3266 (JSC::JSObject::ensureLengthSlow):
3267 (JSC::JSObject::reallocateAndShrinkButterfly):
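The following C++ is an added example, not JavaScriptCore's own code, that sketches the pointer-caging operation this entry stops applying to double arrays. On a power-of-two cage whose base is aligned to its size, `base + (ptr & mask)` leaves an honest in-cage pointer unchanged and clamps a forged butterfly pointer back inside the cage, so a write through it cannot land on memory elsewhere in the process. The `Cage` type, the 1 MiB cage size, the function names and the constructed 8-byte out-of-cage target are assumptions for illustration; the real Gigacage is multiple gigabytes and, as the entry notes, sits in front of a 32 GB runway, which is what lets an in-bounds-looking 32-bit index into an uncaged butterfly still stay within reserved address space.

```cpp
// Added example (not JavaScriptCore code): a miniature re-implementation of
// the pointer-caging idea this entry trades away for double arrays.
// Cage, cagedPointer, storeDouble and the 1 MiB size are illustrative
// assumptions; the real Gigacage is multi-gigabyte and backed by a runway.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// A power-of-two-sized region whose base is aligned to its size. For any
// pointer already inside it, base + (ptr & mask) == ptr, so caging is a
// no-op on honest pointers and a clamp on corrupted ones.
constexpr size_t kCageSize = size_t(1) << 20;
constexpr uintptr_t kCageMask = kCageSize - 1;

struct Cage {
    unsigned char* base = nullptr;
};

// Reserve the cage; abort on failure since nothing below can proceed.
Cage allocateCage() {
    void* p = nullptr;
    if (posix_memalign(&p, kCageSize, kCageSize) != 0 || !p)
        std::abort();
    std::memset(p, 0, kCageSize);
    return Cage{static_cast<unsigned char*>(p)};
}

void releaseCage(Cage& cage) {
    std::free(cage.base);
    cage.base = nullptr;
}

bool isInCage(const Cage& cage, const void* ptr) {
    uintptr_t b = reinterpret_cast<uintptr_t>(cage.base);
    uintptr_t p = reinterpret_cast<uintptr_t>(ptr);
    return p >= b && p < b + kCageSize;
}

// The caging operation: keep only the low bits of ptr and rebase them onto
// the cage. A pointer forged to point anywhere else is forced back inside.
void* cagedPointer(const Cage& cage, void* ptr) {
    uintptr_t b = reinterpret_cast<uintptr_t>(cage.base);
    uintptr_t p = reinterpret_cast<uintptr_t>(ptr);
    return reinterpret_cast<void*>(b + (p & kCageMask));
}

// Store one element of a "double array" through its butterfly pointer.
// useCage = true  : masked access (what double arrays had before this change)
// useCage = false : raw access (what every GetButterfly does after it)
void storeDouble(const Cage& cage, double* butterfly, size_t index,
                 double value, bool useCage) {
    double* base = useCage
        ? static_cast<double*>(cagedPointer(cage, butterfly))
        : butterfly;
    base[index] = value;
}

// Simulated attack: the butterfly pointer of a double array has been
// corrupted to point at an out-of-cage allocation holding 8 bytes the
// attacker wants to overwrite. Returns true if the target survived.
bool storeThroughForgedButterfly(bool useCage) {
    Cage cage = allocateCage();
    // Constructed sample bytes standing in for whatever the attacker targets.
    const unsigned char original[sizeof(double)] =
        {0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22};
    unsigned char* target =
        static_cast<unsigned char*>(std::malloc(sizeof(double)));
    if (!target)
        std::abort();
    std::memcpy(target, original, sizeof(double));
    // A separate small malloc never overlaps the size-aligned cage; the
    // demonstration would be meaningless otherwise, so refuse to continue.
    if (isInCage(cage, target))
        std::abort();

    double* forged = reinterpret_cast<double*>(target);
    storeDouble(cage, forged, 0, 1.0, useCage);

    bool survived = std::memcmp(target, original, sizeof(double)) == 0;
    std::free(target);
    releaseCage(cage);
    return survived;
}

int main() {
    std::printf("caged store:   target %s\n",
                storeThroughForgedButterfly(true) ? "intact" : "overwritten");
    std::printf("uncaged store: target %s\n",
                storeThroughForgedButterfly(false) ? "intact" : "overwritten");
    return 0;
}
```

Built with g++ and run, the caged store leaves the target intact while the raw store overwrites it with the bit pattern of 1.0. The cost the entry weighs against that is the extra mask-and-add on every butterfly access, which is why removing the `GetButterflyWithoutCaging` distinction also removes the phase that existed only to tell the two access kinds apart.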
3269 2017-11-29 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
3271 [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3272 https://bugs.webkit.org/show_bug.cgi?id=175447
3274 Reviewed by Carlos Alberto Lopez Perez.
3276 This patch allows DFG JIT to be enabled on MIPS platforms.
3279 * assembler/MIPSAssembler.h:
3280 (JSC::MIPSAssembler::lastSPRegister):
3281 (JSC::MIPSAssembler::numberOfSPRegisters):
3282 (JSC::MIPSAssembler::sprName):
3283 * assembler/MacroAssemblerMIPS.cpp: Added.
3284 (JSC::MacroAssembler::probe):
3285 * assembler/ProbeContext.cpp:
3286 (JSC::Probe::executeProbe):
3287 * assembler/ProbeContext.h:
3288 (JSC::Probe::CPUState::pc):
3289 * assembler/testmasm.cpp:
3290 (JSC::isSpecialGPR):
3291 (JSC::testProbePreservesGPRS):
3292 (JSC::testProbeModifiesStackPointer):
3293 (JSC::testProbeModifiesStackValues):
3295 2017-11-29 Matt Lewis <jlewis3@apple.com>
3297 Unreviewed, rolling out r225286.
3299 The source files within this patch have been marked as
3304 "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
3305 https://bugs.webkit.org/show_bug.cgi?id=175447
3306 https://trac.webkit.org/changeset/225286
3308 2017-11-29 Alex Christensen <achristensen@webkit.org>
3310 Fix Mac CMake build.
3312 * PlatformMac.cmake:
3314 2017-11-29 Stanislav Ocovaj <stanislav.ocovaj@rt-rk.com>
3316 [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3317 https://bugs.webkit.org/show_bug.cgi?id=175447
3319 Reviewed by Carlos Alberto Lopez Perez.
3321 This patch allows DFG JIT to be enabled on MIPS platforms.
3324 * assembler/MIPSAssembler.h:
3325 (JSC::MIPSAssembler::lastSPRegister):
3326 (JSC::MIPSAssembler::numberOfSPRegisters):
3327 (JSC::MIPSAssembler::sprName):
3328 * assembler/MacroAssemblerMIPS.cpp: Added.
3329 (JSC::MacroAssembler::probe):
3330 * assembler/ProbeContext.cpp:
3331 (JSC::Probe::executeProbe):
3332 * assembler/ProbeContext.h:
3333 (JSC::Probe::CPUState::pc):
3334 * assembler/testmasm.cpp:
3335 (JSC::isSpecialGPR):
3336 (JSC::testProbePreservesGPRS):
3337 (JSC::testProbeModifiesStackPointer):
3338 (JSC::testProbeModifiesStackValues):
3340 2017-11-28 JF Bastien <jfbastien@apple.com>
3342 Strict and sloppy functions shouldn't share structure
3343 https://bugs.webkit.org/show_bug.cgi?id=180103
3344 <rdar://problem/35667847>
3346 Reviewed by Saam Barati.
3348 Sloppy and strict functions don't act the same when it comes to
3349 arguments, caller, and callee. Sharing a structure means that
3350 anything that is cached gets shared, and that's incorrect.
3352 * dfg/DFGAbstractInterpreterInlines.h:
3353 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3354 * dfg/DFGSpeculativeJIT.cpp:
3355 (JSC::DFG::SpeculativeJIT::compileNewFunction):