1 2015-07-19 Jordan Harband <ljharb@gmail.com>
3 new Date(NaN).toJSON() must return null instead of throwing a TypeError
4 https://bugs.webkit.org/show_bug.cgi?id=141115
6 Reviewed by Yusuke Suzuki.
8 * runtime/DatePrototype.cpp:
9 (JSC::dateProtoFuncToJSON):
11 2015-07-19 Saam barati <saambarati1@gmail.com>
13 Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions
14 https://bugs.webkit.org/show_bug.cgi?id=147090
16 Reviewed by Yusuke Suzuki.
18 ArrowFunction's have there ParserFunctionInfo "name" field to
19 be a non-null pointer. This is obviously allowed and valid except we
20 had a RELEASE_ASSERT that claimed otherwise. This is a mistake.
22 Note: ArrowFunction's will never actually have a function name;
23 there ParserFunctionInfo "name" field will be the empty string.
24 This is not be mistaken with the name field being a null pointer.
27 (JSC::Parser<LexerType>::parseFunctionInfo):
29 2015-07-18 Saam barati <saambarati1@gmail.com>
31 [ES6] Add support for block scope const
32 https://bugs.webkit.org/show_bug.cgi?id=31813
34 Reviewed by Filip Pizlo.
36 'const' is now implemented in an ES6 spec compliant manner.
37 'const' variables are always block scoped and always live
38 either on the stack or in a JSLexicalEnvironment. 'const'
39 variables never live on the global object.
41 Inside the BytecodeGenerator, when assigning to a stack
42 'const' variable or a LocalClosureVar 'const' variable,
43 we will emit code that just throws a type error.
44 When assigning to a ClosureVar const variable, CodeBlock linking
45 will ensure that we perform a dynamic lookup of that variable so
46 that put_to_scope's slow path throws a type error.
48 The old 'const' implementation has been removed in this patch.
50 * bytecode/BytecodeList.json:
51 * bytecode/BytecodeUseDef.h:
52 (JSC::computeUsesForBytecodeOffset):
53 (JSC::computeDefsForBytecodeOffset):
54 * bytecode/CodeBlock.cpp:
55 (JSC::CodeBlock::dumpBytecode):
56 (JSC::CodeBlock::CodeBlock):
57 * bytecompiler/BytecodeGenerator.cpp:
58 (JSC::BytecodeGenerator::BytecodeGenerator):
59 (JSC::BytecodeGenerator::pushLexicalScope):
60 (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
61 (JSC::BytecodeGenerator::variable):
62 (JSC::BytecodeGenerator::variableForLocalEntry):
63 (JSC::BytecodeGenerator::createVariable):
64 (JSC::BytecodeGenerator::emitResolveScope):
65 (JSC::BytecodeGenerator::emitInstanceOf):
66 (JSC::BytecodeGenerator::emitGetById):
67 (JSC::BytecodeGenerator::isArgumentNumber):
68 (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
69 (JSC::BytecodeGenerator::emitEnumeration):
70 (JSC::BytecodeGenerator::variablePerSymbolTable): Deleted.
71 (JSC::BytecodeGenerator::emitInitGlobalConst): Deleted.
72 * bytecompiler/BytecodeGenerator.h:
73 (JSC::Variable::Variable):
74 (JSC::Variable::isReadOnly):
75 (JSC::Variable::isSpecial):
76 (JSC::Variable::isConst):
77 (JSC::BytecodeGenerator::thisRegister):
78 (JSC::BytecodeGenerator::emitTypeOf):
79 (JSC::BytecodeGenerator::emitIn):
80 * bytecompiler/NodesCodegen.cpp:
81 (JSC::PostfixNode::emitResolve):
82 (JSC::PrefixNode::emitResolve):
83 (JSC::ReadModifyResolveNode::emitBytecode):
84 (JSC::AssignResolveNode::emitBytecode):
85 (JSC::CommaNode::emitBytecode):
86 (JSC::BindingNode::bindValue):
87 (JSC::ConstDeclNode::emitCodeSingle): Deleted.
88 (JSC::ConstDeclNode::emitBytecode): Deleted.
89 (JSC::ConstStatementNode::emitBytecode): Deleted.
90 * dfg/DFGByteCodeParser.cpp:
91 (JSC::DFG::ByteCodeParser::parseBlock):
92 * dfg/DFGCapabilities.cpp:
93 (JSC::DFG::capabilityLevel):
95 (JSC::JIT::privateCompileMainPass):
97 * jit/JITPropertyAccess.cpp:
98 (JSC::JIT::emit_op_put_to_arguments):
99 (JSC::JIT::emit_op_init_global_const): Deleted.
100 * jit/JITPropertyAccess32_64.cpp:
101 (JSC::JIT::emit_op_put_to_arguments):
102 (JSC::JIT::emit_op_init_global_const): Deleted.
103 * llint/LowLevelInterpreter.asm:
104 * llint/LowLevelInterpreter32_64.asm:
105 * llint/LowLevelInterpreter64.asm:
106 * parser/ASTBuilder.h:
107 (JSC::ASTBuilder::createDeclarationStatement):
108 (JSC::ASTBuilder::createEmptyVarExpression):
109 (JSC::ASTBuilder::createDebugger):
110 (JSC::ASTBuilder::appendStatement):
111 (JSC::ASTBuilder::createVarStatement): Deleted.
112 (JSC::ASTBuilder::createLetStatement): Deleted.
113 (JSC::ASTBuilder::createConstStatement): Deleted.
114 (JSC::ASTBuilder::appendConstDecl): Deleted.
115 * parser/NodeConstructors.h:
116 (JSC::CommaNode::CommaNode):
117 (JSC::SourceElements::SourceElements):
118 (JSC::SwitchNode::SwitchNode):
119 (JSC::BlockNode::BlockNode):
120 (JSC::ConstStatementNode::ConstStatementNode): Deleted.
121 (JSC::ConstDeclNode::ConstDeclNode): Deleted.
123 (JSC::ConstDeclNode::hasInitializer): Deleted.
124 (JSC::ConstDeclNode::ident): Deleted.
126 (JSC::Parser<LexerType>::parseStatementListItem):
127 (JSC::Parser<LexerType>::parseVariableDeclaration):
128 (JSC::Parser<LexerType>::parseWhileStatement):
129 (JSC::Parser<LexerType>::parseVariableDeclarationList):
130 (JSC::Parser<LexerType>::createBindingPattern):
131 (JSC::Parser<LexerType>::parseDestructuringPattern):
132 (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
133 (JSC::Parser<LexerType>::parseForStatement):
134 (JSC::Parser<LexerType>::parseTryStatement):
135 (JSC::Parser<LexerType>::parseFunctionInfo):
136 (JSC::Parser<LexerType>::parseFunctionDeclaration):
137 (JSC::Parser<LexerType>::parseClass):
138 (JSC::Parser<LexerType>::parseConstDeclaration): Deleted.
139 (JSC::Parser<LexerType>::parseConstDeclarationList): Deleted.
142 (JSC::isEvalNode<EvalNode>):
145 (JSC::isEvalOrArgumentsIdentifier):
147 (JSC::Scope::declareCallee):
148 (JSC::Scope::declareVariable):
149 (JSC::Scope::declareLexicalVariable):
150 (JSC::Scope::hasDeclaredVariable):
151 (JSC::Scope::allowsVarDeclarations):
152 (JSC::Scope::allowsLexicalDeclarations):
153 (JSC::Scope::declareParameter):
154 (JSC::Scope::declareBoundParameter):
155 (JSC::Parser::destructuringKindFromDeclarationType):
156 (JSC::Parser::assignmentContextFromDeclarationType):
157 (JSC::Parser::isEvalOrArguments):
158 (JSC::Parser::currentScope):
159 (JSC::Parser::popScope):
160 (JSC::Parser::declareVariable):
161 (JSC::Parser::hasDeclaredVariable):
162 (JSC::Parser::setStrictMode):
163 (JSC::Parser::strictMode):
164 (JSC::Parser::isValidStrictMode):
165 (JSC::Parser::declareParameter):
166 (JSC::Parser::declareBoundParameter):
167 (JSC::Parser::breakIsValid):
168 * parser/SyntaxChecker.h:
169 (JSC::SyntaxChecker::createForInLoop):
170 (JSC::SyntaxChecker::createForOfLoop):
171 (JSC::SyntaxChecker::createEmptyStatement):
172 (JSC::SyntaxChecker::createDeclarationStatement):
173 (JSC::SyntaxChecker::createReturnStatement):
174 (JSC::SyntaxChecker::createBreakStatement):
175 (JSC::SyntaxChecker::createVarStatement): Deleted.
176 (JSC::SyntaxChecker::createLetStatement): Deleted.
177 * parser/VariableEnvironment.h:
178 (JSC::VariableEnvironmentEntry::isCaptured):
179 (JSC::VariableEnvironmentEntry::isConst):
180 (JSC::VariableEnvironmentEntry::isVar):
181 (JSC::VariableEnvironmentEntry::isLet):
182 (JSC::VariableEnvironmentEntry::setIsCaptured):
183 (JSC::VariableEnvironmentEntry::setIsConst):
184 (JSC::VariableEnvironmentEntry::setIsVar):
185 (JSC::VariableEnvironmentEntry::setIsLet):
186 (JSC::VariableEnvironmentEntry::isConstant): Deleted.
187 (JSC::VariableEnvironmentEntry::setIsConstant): Deleted.
188 * runtime/Executable.cpp:
189 (JSC::ProgramExecutable::initializeGlobalProperties):
190 * runtime/JSGlobalObject.cpp:
191 (JSC::JSGlobalObject::defineOwnProperty):
192 (JSC::JSGlobalObject::addGlobalVar):
193 (JSC::JSGlobalObject::addFunction):
194 (JSC::lastInPrototypeChain):
195 * runtime/JSGlobalObject.h:
196 (JSC::JSGlobalObject::finishCreation):
197 (JSC::JSGlobalObject::addVar):
198 (JSC::JSGlobalObject::addConst): Deleted.
199 * runtime/JSLexicalEnvironment.cpp:
200 (JSC::JSLexicalEnvironment::symbolTablePut):
201 * tests/stress/const-and-with-statement.js: Added.
204 (shouldThrowInvalidConstAssignment):
206 * tests/stress/const-exception-handling.js: Added.
210 * tests/stress/const-loop-semantics.js: Added.
213 (shouldThrowInvalidConstAssignment):
215 * tests/stress/const-not-strict-mode.js: Added.
220 * tests/stress/const-semantics.js: Added.
223 (shouldThrowInvalidConstAssignment):
225 * tests/stress/const-tdz.js: Added.
231 2015-07-18 Saam barati <saambarati1@gmail.com>
233 lexical scoping is broken with respect to "break" and "continue"
234 https://bugs.webkit.org/show_bug.cgi?id=147063
236 Reviewed by Filip Pizlo.
238 Bug #142944 which introduced "let" and lexical scoping
239 didn't properly hook into the bytecode generator's machinery
240 for calculating scope depth deltas for "break" and "continue". This
241 resulted in the bytecode generator popping an incorrect number
242 of scopes when lexical scopes were involved.
244 This patch fixes this problem and generalizes this machinery a bit.
245 This patch also renames old functions in a sensible way that is more
246 coherent in a world with lexical scoping.
248 * bytecompiler/BytecodeGenerator.cpp:
249 (JSC::BytecodeGenerator::BytecodeGenerator):
250 (JSC::BytecodeGenerator::newLabelScope):
251 (JSC::BytecodeGenerator::emitProfileType):
252 (JSC::BytecodeGenerator::pushLexicalScope):
253 (JSC::BytecodeGenerator::popLexicalScope):
254 (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
255 (JSC::BytecodeGenerator::resolveType):
256 (JSC::BytecodeGenerator::emitResolveScope):
257 (JSC::BytecodeGenerator::emitGetFromScope):
258 (JSC::BytecodeGenerator::emitPutToScope):
259 (JSC::BytecodeGenerator::emitPushWithScope):
260 (JSC::BytecodeGenerator::emitGetParentScope):
261 (JSC::BytecodeGenerator::emitPopScope):
262 (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
263 (JSC::BytecodeGenerator::emitPopScopes):
264 (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
265 (JSC::BytecodeGenerator::localScopeDepth):
266 (JSC::BytecodeGenerator::labelScopeDepth):
267 (JSC::BytecodeGenerator::emitThrowReferenceError):
268 (JSC::BytecodeGenerator::emitPushFunctionNameScope):
269 (JSC::BytecodeGenerator::pushScopedControlFlowContext):
270 (JSC::BytecodeGenerator::popScopedControlFlowContext):
271 (JSC::BytecodeGenerator::emitPushCatchScope):
272 (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
273 * bytecompiler/BytecodeGenerator.h:
274 (JSC::BytecodeGenerator::hasFinaliser):
275 (JSC::BytecodeGenerator::scopeDepth): Deleted.
276 * bytecompiler/NodesCodegen.cpp:
277 (JSC::ContinueNode::trivialTarget):
278 (JSC::BreakNode::trivialTarget):
279 (JSC::ReturnNode::emitBytecode):
280 (JSC::WithNode::emitBytecode):
281 (JSC::TryNode::emitBytecode):
282 * tests/stress/lexical-scoping-break-continue.js: Added.
286 2015-07-18 Commit Queue <commit-queue@webkit.org>
288 Unreviewed, rolling out r186996.
289 https://bugs.webkit.org/show_bug.cgi?id=147070
291 Broke JSC tests (Requested by smfr on #webkit).
295 "lexical scoping is broken with respect to "break" and
297 https://bugs.webkit.org/show_bug.cgi?id=147063
298 http://trac.webkit.org/changeset/186996
300 2015-07-18 Saam barati <saambarati1@gmail.com>
302 lexical scoping is broken with respect to "break" and "continue"
303 https://bugs.webkit.org/show_bug.cgi?id=147063
305 Reviewed by Filip Pizlo.
307 Bug #142944 which introduced "let" and lexical scoping
308 didn't properly hook into the bytecode generator's machinery
309 for calculating scope depth deltas for "break" and "continue". This
310 resulted in the bytecode generator popping an incorrect number
311 of scopes when lexical scopes were involved.
313 This patch fixes this problem and generalizes this machinery a bit.
314 This patch also renames old functions in a sensible way that is more
315 coherent in a world with lexical scoping.
317 * bytecompiler/BytecodeGenerator.cpp:
318 (JSC::BytecodeGenerator::BytecodeGenerator):
319 (JSC::BytecodeGenerator::newLabelScope):
320 (JSC::BytecodeGenerator::emitProfileType):
321 (JSC::BytecodeGenerator::pushLexicalScope):
322 (JSC::BytecodeGenerator::popLexicalScope):
323 (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
324 (JSC::BytecodeGenerator::resolveType):
325 (JSC::BytecodeGenerator::emitResolveScope):
326 (JSC::BytecodeGenerator::emitGetFromScope):
327 (JSC::BytecodeGenerator::emitPutToScope):
328 (JSC::BytecodeGenerator::emitPushWithScope):
329 (JSC::BytecodeGenerator::emitGetParentScope):
330 (JSC::BytecodeGenerator::emitPopScope):
331 (JSC::BytecodeGenerator::emitPopWithOrCatchScope):
332 (JSC::BytecodeGenerator::emitPopScopes):
333 (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
334 (JSC::BytecodeGenerator::localScopeDepth):
335 (JSC::BytecodeGenerator::labelScopeDepth):
336 (JSC::BytecodeGenerator::emitThrowReferenceError):
337 (JSC::BytecodeGenerator::emitPushFunctionNameScope):
338 (JSC::BytecodeGenerator::pushScopedControlFlowContext):
339 (JSC::BytecodeGenerator::popScopedControlFlowContext):
340 (JSC::BytecodeGenerator::emitPushCatchScope):
341 (JSC::BytecodeGenerator::currentScopeDepth): Deleted.
342 * bytecompiler/BytecodeGenerator.h:
343 (JSC::BytecodeGenerator::hasFinaliser):
344 (JSC::BytecodeGenerator::scopeDepth): Deleted.
345 * bytecompiler/NodesCodegen.cpp:
346 (JSC::ContinueNode::trivialTarget):
347 (JSC::BreakNode::trivialTarget):
348 (JSC::ReturnNode::emitBytecode):
349 (JSC::WithNode::emitBytecode):
350 (JSC::TryNode::emitBytecode):
351 * tests/stress/lexical-scoping-break-continue.js: Added.
355 2015-07-17 Filip Pizlo <fpizlo@apple.com>
357 DFG should have some obvious mitigations against watching structures that are unprofitable to watch
358 https://bugs.webkit.org/show_bug.cgi?id=147034
360 Reviewed by Mark Lam and Michael Saboff.
362 This implements two guards against the DFG watching structures that are likely to fire
365 - Don't watch dictionaries or any structure that had a dictionary in its past. Dictionaries
366 can be flattened, and then they can transform back to dictionaries.
368 - Don't watch structures whose past structures were transitioned-away from while their
369 transition watchpoints were being watched. This property gives us monotonicity: if we
370 recompile because we watched structure S1 of object O, then we won't make the same mistake
371 again when object O has structure S2, S3, and so on.
373 This is a 1.5% speed-up on Kraken. It does penalize some Octane tests, but it also seems to
374 help some of them, so on Octane it's basically neutral.
376 * bytecode/Watchpoint.h:
377 (JSC::WatchpointSet::invalidate):
378 (JSC::WatchpointSet::isBeingWatched):
379 (JSC::WatchpointSet::addressOfState):
380 (JSC::WatchpointSet::addressOfSetIsNotEmpty):
381 (JSC::InlineWatchpointSet::touch):
382 (JSC::InlineWatchpointSet::isBeingWatched):
383 * runtime/JSGlobalObject.h:
384 (JSC::JSGlobalObject::createStructure):
385 (JSC::JSGlobalObject::registerWeakMap):
386 * runtime/Structure.cpp:
387 (JSC::Structure::Structure):
388 (JSC::Structure::toDictionaryTransition):
389 (JSC::Structure::didTransitionFromThisStructure):
390 * runtime/Structure.h:
392 2015-07-16 Filip Pizlo <fpizlo@apple.com>
394 Remove DFG::DesiredWriteBarriers because it's just a very difficult way of saying "please barrier the machine code block owner"
395 https://bugs.webkit.org/show_bug.cgi?id=147030
397 Reviewed by Andreas Kling.
399 All of the users of DesiredWriteBarriers were just using it to request that Plan
400 finalization executes a barrier on codeBlock->ownerExecutable. Indeed, that's the only
401 owning cell in the heap that compilation affects. So, we might as well just have Plan
402 unconditionally execute that barrier and then we don't need DesiredWriteBarriers at
406 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
407 * JavaScriptCore.xcodeproj/project.pbxproj:
408 * dfg/DFGByteCodeParser.cpp:
409 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
410 * dfg/DFGDesiredWriteBarriers.cpp: Removed.
411 * dfg/DFGDesiredWriteBarriers.h: Removed.
413 (JSC::DFG::Graph::registerFrozenValues):
415 (JSC::DFG::Plan::reallyAdd):
416 (JSC::DFG::Plan::notifyCompiling):
417 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
418 (JSC::DFG::Plan::checkLivenessAndVisitChildren):
419 (JSC::DFG::Plan::cancel):
422 2015-07-17 Yusuke Suzuki <utatane.tea@gmail.com>
424 Integrate automatic microtask draining into JSC framework and re-enable Promise
425 https://bugs.webkit.org/show_bug.cgi?id=146828
427 Reviewed by Sam Weinig.
429 Add automatic microtask draining system into JSC framework.
430 When the depth of VM lock becomes 0, before this, we drain the queued microtasks.
431 Enqueuing behavior can be injected by the JSGlobalObject's method table.
432 It is utilized in WebCore to post the microtask to WebCore's event loop.
434 In the case of JSC interactive shell, VM depth is always greater than 0.
435 So we manually drains the queued microtasks after evaluating the written line.
437 Since now JSC framework has the microtask queue, we can drain the queued microtasks.
438 So re-enable the Promise in the JSC framework context.
440 * API/JSContextRef.cpp:
441 (javaScriptRuntimeFlags): Deleted.
442 * API/tests/testapi.c:
444 * API/tests/testapi.mm:
445 (testObjectiveCAPIMain):
448 * runtime/JSGlobalObject.cpp:
449 (JSC::JSGlobalObject::queueMicrotask):
450 * runtime/JSLock.cpp:
451 (JSC::JSLock::willReleaseLock):
453 (JSC::VM::queueMicrotask):
454 (JSC::VM::drainMicrotasks):
455 (JSC::QueuedTask::run):
457 (JSC::QueuedTask::QueuedTask):
459 2015-07-17 Saam barati <saambarati1@gmail.com>
461 Function parameters should be parsed in the same parser arena as the function body
462 https://bugs.webkit.org/show_bug.cgi?id=145995
464 Reviewed by Yusuke Suzuki.
466 This patch changes how functions are parsed in JSC. A function's
467 parameters are now parsed in the same arena as the function itself.
468 This allows us to arena allocate all destructuring AST nodes and
469 the FunctionParameters node. This will help make implementing ES6
470 default parameter values sane.
472 A source code that represents a function now includes the text of the function's
473 parameters. The starting offset is at the opening parenthesis of the parameter
474 list or at the starting character of the identifier for arrow functions that
475 have single arguments and don't start with parenthesis.
479 "function (param1, param2) { ... }"
481 | This offset used to be the starting offset of a function's SourceCode
483 | This is the new starting offset for a function's SourceCode.
485 This requires us to change how some offsets are calculated
486 and also requires us to report some different line numbers for internal
487 metrics that use a SourceCode's starting line and column numbers.
489 This patch also does a bit of cleanup with regards to how
490 functions are parsed in general (especially arrow functions).
491 It removes some unnecessary #ifdefs and the likes for arrow
492 to make things clearer and more deliberate.
494 * API/JSScriptRef.cpp:
496 * builtins/BuiltinExecutables.cpp:
497 (JSC::BuiltinExecutables::createExecutableInternal):
498 * bytecode/UnlinkedCodeBlock.cpp:
499 (JSC::generateFunctionCodeBlock):
500 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
501 (JSC::UnlinkedFunctionExecutable::visitChildren):
502 (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
503 * bytecode/UnlinkedCodeBlock.h:
504 * bytecompiler/NodesCodegen.cpp:
505 (JSC::DestructuringAssignmentNode::emitBytecode):
506 (JSC::assignDefaultValueIfUndefined):
507 (JSC::ArrayPatternNode::collectBoundIdentifiers):
508 (JSC::DestructuringPatternNode::~DestructuringPatternNode): Deleted.
509 * parser/ASTBuilder.h:
510 (JSC::ASTBuilder::createClassExpr):
511 (JSC::ASTBuilder::createFunctionExpr):
512 (JSC::ASTBuilder::createFunctionBody):
513 (JSC::ASTBuilder::createArrowFunctionExpr):
514 (JSC::ASTBuilder::createGetterOrSetterProperty):
515 (JSC::ASTBuilder::createElementList):
516 (JSC::ASTBuilder::createFormalParameterList):
517 (JSC::ASTBuilder::appendParameter):
518 (JSC::ASTBuilder::createClause):
519 (JSC::ASTBuilder::createClauseList):
520 (JSC::ASTBuilder::createFuncDeclStatement):
521 (JSC::ASTBuilder::createForInLoop):
522 (JSC::ASTBuilder::createForOfLoop):
523 (JSC::ASTBuilder::isResolve):
524 (JSC::ASTBuilder::createDestructuringAssignment):
525 (JSC::ASTBuilder::createArrayPattern):
526 (JSC::ASTBuilder::appendArrayPatternSkipEntry):
527 (JSC::ASTBuilder::appendArrayPatternEntry):
528 (JSC::ASTBuilder::appendArrayPatternRestEntry):
529 (JSC::ASTBuilder::finishArrayPattern):
530 (JSC::ASTBuilder::createObjectPattern):
531 (JSC::ASTBuilder::appendObjectPatternEntry):
532 (JSC::ASTBuilder::createBindingLocation):
533 (JSC::ASTBuilder::setEndOffset):
535 (JSC::Lexer<T>::Lexer):
536 (JSC::Lexer<T>::nextTokenIsColon):
537 (JSC::Lexer<T>::setTokenPosition):
538 (JSC::Lexer<T>::lex):
539 (JSC::Lexer<T>::clear):
541 (JSC::Lexer::setIsReparsingFunction):
542 (JSC::Lexer::isReparsingFunction):
543 (JSC::Lexer::lineNumber):
544 (JSC::Lexer::setIsReparsing): Deleted.
545 (JSC::Lexer::isReparsing): Deleted.
546 * parser/NodeConstructors.h:
547 (JSC::TryNode::TryNode):
548 (JSC::FunctionParameters::FunctionParameters):
549 (JSC::FuncExprNode::FuncExprNode):
550 (JSC::FuncDeclNode::FuncDeclNode):
551 (JSC::ArrayPatternNode::ArrayPatternNode):
552 (JSC::ObjectPatternNode::ObjectPatternNode):
553 (JSC::BindingNode::BindingNode):
554 (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
555 (JSC::ParameterNode::ParameterNode): Deleted.
556 (JSC::ArrayPatternNode::create): Deleted.
557 (JSC::ObjectPatternNode::create): Deleted.
558 (JSC::BindingNode::create): Deleted.
560 (JSC::ProgramNode::ProgramNode):
561 (JSC::EvalNode::EvalNode):
562 (JSC::FunctionBodyNode::FunctionBodyNode):
563 (JSC::FunctionBodyNode::finishParsing):
564 (JSC::FunctionNode::FunctionNode):
565 (JSC::FunctionNode::finishParsing):
566 (JSC::FunctionParameters::create): Deleted.
567 (JSC::FunctionParameters::FunctionParameters): Deleted.
568 (JSC::FunctionParameters::~FunctionParameters): Deleted.
570 (JSC::ProgramNode::startColumn):
571 (JSC::ProgramNode::endColumn):
572 (JSC::EvalNode::startColumn):
573 (JSC::EvalNode::endColumn):
574 (JSC::FunctionParameters::size):
575 (JSC::FunctionParameters::at):
576 (JSC::FunctionParameters::append):
577 (JSC::FuncExprNode::body):
578 (JSC::DestructuringPatternNode::~DestructuringPatternNode):
579 (JSC::DestructuringPatternNode::isBindingNode):
580 (JSC::DestructuringPatternNode::emitDirectBinding):
581 (JSC::ArrayPatternNode::appendIndex):
582 (JSC::ObjectPatternNode::appendEntry):
583 (JSC::BindingNode::boundProperty):
584 (JSC::BindingNode::divotStart):
585 (JSC::BindingNode::divotEnd):
586 (JSC::DestructuringAssignmentNode::bindings):
587 (JSC::FuncDeclNode::body):
588 (JSC::ParameterNode::pattern): Deleted.
589 (JSC::ParameterNode::nextParam): Deleted.
590 (JSC::FunctionParameters::patterns): Deleted.
592 (JSC::Parser<LexerType>::Parser):
593 (JSC::Parser<LexerType>::~Parser):
594 (JSC::Parser<LexerType>::parseInner):
595 (JSC::Parser<LexerType>::allowAutomaticSemicolon):
596 (JSC::Parser<LexerType>::parseSourceElements):
597 (JSC::Parser<LexerType>::createBindingPattern):
598 (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
599 (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
600 (JSC::Parser<LexerType>::parseSwitchClauses):
601 (JSC::Parser<LexerType>::parseSwitchDefaultClause):
602 (JSC::Parser<LexerType>::parseBlockStatement):
603 (JSC::Parser<LexerType>::parseStatement):
604 (JSC::Parser<LexerType>::parseFormalParameters):
605 (JSC::Parser<LexerType>::parseFunctionBody):
606 (JSC::stringForFunctionMode):
607 (JSC::Parser<LexerType>::parseFunctionParameters):
608 (JSC::Parser<LexerType>::parseFunctionInfo):
609 (JSC::Parser<LexerType>::parseFunctionDeclaration):
610 (JSC::Parser<LexerType>::parseClass):
611 (JSC::Parser<LexerType>::parsePrimaryExpression):
612 (JSC::Parser<LexerType>::parseMemberExpression):
613 (JSC::Parser<LexerType>::parseArrowFunctionExpression):
614 (JSC::operatorString):
615 (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): Deleted.
617 (JSC::Parser::positionBeforeLastNewline):
618 (JSC::Parser::locationBeforeLastToken):
619 (JSC::Parser::findCachedFunctionInfo):
620 (JSC::Parser::isofToken):
621 (JSC::Parser::isEndOfArrowFunction):
622 (JSC::Parser::isArrowFunctionParamters):
623 (JSC::Parser::tokenStart):
624 (JSC::Parser::isLETMaskedAsIDENT):
625 (JSC::Parser::autoSemiColon):
626 (JSC::Parser::setEndOfStatement):
627 (JSC::Parser::canRecurse):
628 (JSC::Parser<LexerType>::parse):
630 * parser/ParserFunctionInfo.h:
631 * parser/ParserModes.h:
632 (JSC::functionNameIsInScope):
633 * parser/SourceCode.h:
635 (JSC::SourceCode::subExpression):
636 (JSC::SourceCode::subArrowExpression): Deleted.
637 * parser/SourceProviderCache.h:
638 (JSC::SourceProviderCache::get):
639 * parser/SourceProviderCacheItem.h:
640 (JSC::SourceProviderCacheItem::endFunctionToken):
641 (JSC::SourceProviderCacheItem::usedVariables):
642 (JSC::SourceProviderCacheItem::writtenVariables):
643 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
644 * parser/SyntaxChecker.h:
645 (JSC::SyntaxChecker::SyntaxChecker):
646 (JSC::SyntaxChecker::createClassExpr):
647 (JSC::SyntaxChecker::createFunctionExpr):
648 (JSC::SyntaxChecker::createFunctionBody):
649 (JSC::SyntaxChecker::createArrowFunctionExpr):
650 (JSC::SyntaxChecker::setFunctionNameStart):
651 (JSC::SyntaxChecker::createArguments):
652 (JSC::SyntaxChecker::createPropertyList):
653 (JSC::SyntaxChecker::createElementList):
654 (JSC::SyntaxChecker::createFormalParameterList):
655 (JSC::SyntaxChecker::appendParameter):
656 (JSC::SyntaxChecker::createClause):
657 (JSC::SyntaxChecker::createClauseList):
658 * runtime/CodeCache.cpp:
659 (JSC::CodeCache::getGlobalCodeBlock):
660 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
661 * runtime/Completion.cpp:
663 * runtime/Executable.cpp:
664 (JSC::ProgramExecutable::checkSyntax):
665 * tests/controlFlowProfiler/conditional-expression.js:
666 (testConditionalFunctionCall):
668 2015-07-16 Filip Pizlo <fpizlo@apple.com>
670 Unreviewed, fix build for newer LLVMs.
672 * llvm/LLVMHeaders.h:
673 * llvm/library/LLVMExports.cpp:
675 2015-07-16 Mark Lam <mark.lam@apple.com>
677 RegExp::match() should set m_state to ByteCode if compilation fails.
678 https://bugs.webkit.org/show_bug.cgi?id=147023
680 Reviewed by Michael Saboff.
682 A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
683 If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
684 Subsequently, if RegExp tries to compile another one of these but fails, m_state
685 will be left untouched i.e. it still says JITCode. As a result, when
686 RegExp::match() later tries to execute the non-existant compiled code, it will
689 The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
690 This failure should be rare. We'll do the minimal work here to fix the issue and
691 keep an eye on the perf bots. If perf regresses, we can do some optimization work then.
693 This issue is difficult to test for since it either requires a low memory condition
694 to trigger a failed RegExp compilation at the right moment, or for the RegExp to
695 succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
696 Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
697 10 compilation attempts.
699 * runtime/RegExp.cpp:
700 (JSC::RegExp::compile):
701 (JSC::RegExp::compileMatchOnly):
703 2015-07-15 Brent Fulgham <bfulgham@apple.com>
705 [Win] Fix armv7 build.
707 * jit/CCallHelpers.h:
708 (JSC::CCallHelpers::setupArgumentsWithExecState): The 64-bit argument
709 version of poke is not available on armv7 builds.
711 2015-07-15 Brent Fulgham <bfulgham@apple.com>
713 [Win] 64-bit Build Failure
714 https://bugs.webkit.org/show_bug.cgi?id=146989
716 Reviewed by Mark Lam.
718 * jit/CCallHelpers.h:
719 (JSC::CCallHelpers::setupArgumentsWithExecState): Add missing
720 declaration for 64-bit type on 4-argument register machines (like
723 2015-07-15 Saam barati <saambarati1@gmail.com>
725 [ES6] implement block scoping to enable 'let'
726 https://bugs.webkit.org/show_bug.cgi?id=142944
728 Reviewed by Filip Pizlo.
731 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
732 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
733 * JavaScriptCore.xcodeproj/project.pbxproj:
734 * builtins/BuiltinExecutables.cpp:
735 (JSC::BuiltinExecutables::createExecutableInternal):
736 * bytecode/BytecodeList.json:
737 This patch adds a new opcode and removes op_pop_scope:
738 1) op_get_parent_scope returns the parent scope but doesn't
739 implicitly write that scope into the scope register. op_pop_scope
740 is now reduced to op_get_parent_scope followed by op_mov.
742 * bytecode/BytecodeUseDef.h:
743 (JSC::computeUsesForBytecodeOffset):
744 (JSC::computeDefsForBytecodeOffset):
745 * bytecode/CodeBlock.cpp:
746 (JSC::CodeBlock::dumpBytecode):
747 (JSC::CodeBlock::CodeBlock):
748 (JSC::CodeBlock::stronglyVisitStrongReferences):
749 * bytecode/CodeBlock.h:
750 (JSC::CodeBlock::addStringSwitchJumpTable):
751 (JSC::CodeBlock::stringSwitchJumpTable):
752 (JSC::CodeBlock::symbolTable):
753 (JSC::CodeBlock::evalCodeCache):
754 (JSC::CodeBlock::setConstantRegisters):
755 (JSC::CodeBlock::replaceConstant):
756 op_put_to_scope for LocalClosureVar now takes as an argument
757 the constant index for the Symbol Table it will be putting into.
758 This argument is only used to communicate from the BytecodeGenerator
759 to CodeBlock linking time and it is not present in the linked bytecode.
761 op_put_to_scope for non LocalClosureVar takes, at the same index, an
762 argument that represents the local scope depth which it uses for
763 JSScope::abstractResolve to know how many scopes it needs to skip.
764 Again, this is not in the linked code.
765 op_get_from_scope and op_resolve_scope also take as an argument
766 the local scope depth to use in JSScope::abstractResolve. Again,
767 this is not used in the linked code.
769 * bytecode/EvalCodeCache.h:
770 (JSC::EvalCodeCache::tryGet):
771 (JSC::EvalCodeCache::getSlow):
772 (JSC::EvalCodeCache::clear):
773 (JSC::EvalCodeCache::isCacheable):
774 When direct eval is called and passed a scope that
775 corresponds to a lexical scope, we can't safely cache
776 that code because we won't be able to guarantee
777 that the cached code is always executed in the same scope.
778 Consider this example:
791 We can't reuse resolution depth when linking get_from_scope in evals.
793 * bytecode/UnlinkedCodeBlock.cpp:
794 (JSC::generateFunctionCodeBlock):
795 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
796 (JSC::UnlinkedFunctionExecutable::parameterCount):
797 * bytecode/UnlinkedCodeBlock.h:
798 Unlinked functions now know the variables that were under TDZ in their parent
801 (JSC::UnlinkedCodeBlock::symbolTable):
802 (JSC::UnlinkedCodeBlock::setSymbolTable):
803 (JSC::UnlinkedCodeBlock::setSymbolTableConstantIndex):
804 (JSC::UnlinkedCodeBlock::symbolTableConstantIndex):
805 (JSC::UnlinkedCodeBlock::vm):
806 * bytecompiler/BytecodeGenerator.cpp:
807 (JSC::BytecodeGenerator::generate):
808 (JSC::BytecodeGenerator::BytecodeGenerator):
809 (JSC::BytecodeGenerator::~BytecodeGenerator):
810 (JSC::BytecodeGenerator::newRegister):
811 (JSC::BytecodeGenerator::reclaimFreeRegisters):
812 (JSC::BytecodeGenerator::newBlockScopeVariable):
813 (JSC::BytecodeGenerator::newTemporary):
814 (JSC::BytecodeGenerator::emitProfileType):
815 (JSC::BytecodeGenerator::emitLoadGlobalObject):
816 (JSC::BytecodeGenerator::pushLexicalScope):
817 (JSC::BytecodeGenerator::popLexicalScope):
818 (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
819 (JSC::BytecodeGenerator::variable):
820 (JSC::BytecodeGenerator::variablePerSymbolTable):
821 (JSC::BytecodeGenerator::variableForLocalEntry):
822 (JSC::BytecodeGenerator::createVariable):
823 (JSC::BytecodeGenerator::emitResolveScope):
824 (JSC::BytecodeGenerator::emitGetFromScope):
825 (JSC::BytecodeGenerator::emitPutToScope):
826 (JSC::BytecodeGenerator::initializeVariable):
827 (JSC::BytecodeGenerator::emitTDZCheck):
828 (JSC::BytecodeGenerator::needsTDZCheck):
829 (JSC::BytecodeGenerator::emitTDZCheckIfNecessary):
830 (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
831 (JSC::BytecodeGenerator::getVariablesUnderTDZ):
832 (JSC::BytecodeGenerator::emitNewObject):
833 (JSC::BytecodeGenerator::emitPushWithScope):
834 (JSC::BytecodeGenerator::emitGetParentScope):
835 (JSC::BytecodeGenerator::emitPopScope):
836 (JSC::BytecodeGenerator::emitDebugHook):
837 (JSC::BytecodeGenerator::pushFinallyContext):
838 (JSC::BytecodeGenerator::pushIteratorCloseContext):
839 (JSC::BytecodeGenerator::emitComplexPopScopes):
840 (JSC::BytecodeGenerator::emitPopScopes):
841 (JSC::BytecodeGenerator::popTryAndEmitCatch):
842 (JSC::BytecodeGenerator::calculateTargetScopeDepthForExceptionHandler):
843 (JSC::BytecodeGenerator::currentScopeDepth):
844 (JSC::BytecodeGenerator::emitThrowReferenceError):
845 (JSC::BytecodeGenerator::emitPushCatchScope):
846 (JSC::BytecodeGenerator::beginSwitch):
847 (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
848 (JSC::BytecodeGenerator::emitEnumeration):
849 * bytecompiler/BytecodeGenerator.h:
850 (JSC::Variable::Variable):
851 (JSC::Variable::isResolved):
852 (JSC::Variable::symbolTableConstantIndex):
853 (JSC::Variable::ident):
854 (JSC::BytecodeGenerator::ignoredResult):
855 (JSC::BytecodeGenerator::tempDestination):
856 (JSC::BytecodeGenerator::lastOpcodeID):
857 (JSC::BytecodeGenerator::makeFunction):
858 (JSC::BytecodeGenerator::symbolTable):
859 (JSC::BytecodeGenerator::shouldOptimizeLocals): Deleted.
860 (JSC::BytecodeGenerator::canOptimizeNonLocals): Deleted.
861 The heart of the changes in this patch are in the bytecode generator.
862 The bytecode generator now keeps a stack of tuples of
863 {symbol table, scope register, flag indicating catch or with scope, symbol table index in constant pool}
864 that models the runtime scope stack. This symbol table stack is used
865 in resolving local variables.
867 Also, the bytecode generator handles pushing and popping of lexical scopes.
868 This is relatively straight forward:
869 Captured 'let' variables end up in the JSLexicalEnvironment scope and non-captured
870 variables end up on the stack. Some trickiness is involved in generating
871 code for 'for' loops that have captured variables (I'm talking about variables in the loop
872 header, not the loop body). Each iteration of the for loop ends up with
873 its own JSLexicalEnvironment. Static code must be generated in such a way
874 to create this runtime behavior. This is done by emitting instructions to
875 push and pop a lexical scope at the end of each loop and copying values
876 from the previous loop's scope into the new scope. This code must also
877 ensure that each loop iteration's scope refers to the same underlying
878 SymbolTable so that no scope is accidentally mistaken as being a singleton scope.
880 When the debugger is enabled, all lexically defined variables will end up in the
881 JSLexicalEnvironment.
883 * bytecompiler/NodesCodegen.cpp:
884 (JSC::ResolveNode::emitBytecode):
885 (JSC::FunctionCallResolveNode::emitBytecode):
886 (JSC::PostfixNode::emitResolve):
887 (JSC::DeleteResolveNode::emitBytecode):
888 (JSC::TypeOfResolveNode::emitBytecode):
889 (JSC::PrefixNode::emitResolve):
890 (JSC::ReadModifyResolveNode::emitBytecode):
891 (JSC::AssignResolveNode::emitBytecode):
892 (JSC::BlockNode::emitBytecode):
893 (JSC::ExprStatementNode::emitBytecode):
894 (JSC::DeclarationStatement::emitBytecode):
895 (JSC::EmptyVarExpression::emitBytecode):
896 (JSC::EmptyLetExpression::emitBytecode):
897 (JSC::ForNode::emitBytecode):
898 (JSC::ForInNode::emitMultiLoopBytecode):
899 (JSC::ForOfNode::emitBytecode):
900 (JSC::SwitchNode::emitBytecode):
901 (JSC::BindingNode::bindValue):
902 (JSC::VarStatementNode::emitBytecode): Deleted.
903 * debugger/DebuggerCallFrame.cpp:
904 (JSC::DebuggerCallFrame::evaluate):
905 * debugger/DebuggerScope.cpp:
906 (JSC::DebuggerScope::getOwnPropertySlot):
907 (JSC::DebuggerScope::put):
908 * dfg/DFGByteCodeParser.cpp:
909 (JSC::DFG::ByteCodeParser::parseBlock):
910 * dfg/DFGCapabilities.cpp:
911 (JSC::DFG::capabilityLevel):
913 (JSC::DFG::Node::castConstant):
914 (JSC::DFG::Node::initializationValueForActivation):
915 (JSC::DFG::Node::containsMovHint):
916 * dfg/DFGObjectAllocationSinkingPhase.cpp:
917 CreateActivation nodes now have a second OpInfo that tracks the
918 initial value that needs to be placed in the activation. This initial value
919 is also used in allocation sinking to create proper bottom values for all
922 * dfg/DFGOperations.cpp:
923 * dfg/DFGOperations.h:
924 * dfg/DFGSpeculativeJIT.cpp:
925 (JSC::DFG::SpeculativeJIT::compileCreateActivation):
926 * dfg/DFGSpeculativeJIT.h:
927 (JSC::DFG::SpeculativeJIT::callOperation):
928 * ftl/FTLIntrinsicRepository.h:
929 * ftl/FTLLowerDFGToLLVM.cpp:
930 (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
931 (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
932 * ftl/FTLOperations.cpp:
933 (JSC::FTL::operationMaterializeObjectInOSR):
934 * interpreter/Interpreter.cpp:
935 (JSC::Interpreter::execute):
936 * jit/CCallHelpers.h:
937 (JSC::CCallHelpers::setupArgumentsWithExecState):
939 (JSC::JIT::privateCompileMainPass):
942 (JSC::JIT::callOperation):
943 * jit/JITOpcodes.cpp:
944 (JSC::JIT::emit_op_push_with_scope):
945 (JSC::JIT::compileOpStrictEq):
946 (JSC::JIT::emit_op_catch):
947 (JSC::JIT::emit_op_create_lexical_environment):
948 (JSC::JIT::emit_op_get_parent_scope):
949 (JSC::JIT::emit_op_switch_imm):
950 (JSC::JIT::emit_op_enter):
951 (JSC::JIT::emit_op_get_scope):
952 (JSC::JIT::emit_op_pop_scope): Deleted.
953 * jit/JITOpcodes32_64.cpp:
954 (JSC::JIT::emit_op_push_with_scope):
955 (JSC::JIT::emit_op_to_number):
956 (JSC::JIT::emit_op_catch):
957 (JSC::JIT::emit_op_create_lexical_environment):
958 (JSC::JIT::emit_op_get_parent_scope):
959 (JSC::JIT::emit_op_switch_imm):
960 (JSC::JIT::emit_op_enter):
961 (JSC::JIT::emit_op_get_scope):
962 (JSC::JIT::emit_op_pop_scope): Deleted.
963 * jit/JITOperations.cpp:
964 (JSC::canAccessArgumentIndexQuickly):
965 * jit/JITOperations.h:
966 * llint/LLIntSlowPaths.cpp:
967 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
968 * llint/LLIntSlowPaths.h:
969 * llint/LowLevelInterpreter.asm:
970 * llint/LowLevelInterpreter32_64.asm:
971 * llint/LowLevelInterpreter64.asm:
972 * parser/ASTBuilder.h:
973 (JSC::ASTBuilder::createSourceElements):
974 (JSC::ASTBuilder::funcDeclarations):
975 (JSC::ASTBuilder::features):
976 (JSC::ASTBuilder::numConstants):
977 (JSC::ASTBuilder::createConditionalExpr):
978 (JSC::ASTBuilder::createAssignResolve):
979 (JSC::ASTBuilder::createClassDeclStatement):
980 (JSC::ASTBuilder::createBlockStatement):
981 (JSC::ASTBuilder::createIfStatement):
982 (JSC::ASTBuilder::createForLoop):
983 (JSC::ASTBuilder::createForInLoop):
984 (JSC::ASTBuilder::createForOfLoop):
985 (JSC::ASTBuilder::isBindingNode):
986 (JSC::ASTBuilder::createEmptyStatement):
987 (JSC::ASTBuilder::createDeclarationStatement):
988 (JSC::ASTBuilder::createVarStatement):
989 (JSC::ASTBuilder::createLetStatement):
990 (JSC::ASTBuilder::createEmptyVarExpression):
991 (JSC::ASTBuilder::createEmptyLetExpression):
992 (JSC::ASTBuilder::createReturnStatement):
993 (JSC::ASTBuilder::createTryStatement):
994 (JSC::ASTBuilder::createSwitchStatement):
995 (JSC::ASTBuilder::appendStatement):
996 (JSC::ASTBuilder::createCommaExpr):
997 (JSC::ASTBuilder::appendObjectPatternEntry):
998 (JSC::ASTBuilder::createBindingLocation):
999 (JSC::ASTBuilder::setEndOffset):
1000 (JSC::ASTBuilder::Scope::Scope):
1001 (JSC::ASTBuilder::makeAssignNode):
1002 (JSC::ASTBuilder::varDeclarations): Deleted.
1003 (JSC::ASTBuilder::addVar): Deleted.
1004 * parser/Keywords.table:
1005 * parser/NodeConstructors.h:
1006 (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
1007 (JSC::AssignResolveNode::AssignResolveNode):
1008 (JSC::ExprStatementNode::ExprStatementNode):
1009 (JSC::DeclarationStatement::DeclarationStatement):
1010 (JSC::EmptyVarExpression::EmptyVarExpression):
1011 (JSC::EmptyLetExpression::EmptyLetExpression):
1012 (JSC::IfElseNode::IfElseNode):
1013 (JSC::WhileNode::WhileNode):
1014 (JSC::ForNode::ForNode):
1015 (JSC::CaseBlockNode::CaseBlockNode):
1016 (JSC::SwitchNode::SwitchNode):
1017 (JSC::ConstDeclNode::ConstDeclNode):
1018 (JSC::BlockNode::BlockNode):
1019 (JSC::EnumerationNode::EnumerationNode):
1020 (JSC::ForInNode::ForInNode):
1021 (JSC::ForOfNode::ForOfNode):
1022 (JSC::ObjectPatternNode::create):
1023 (JSC::BindingNode::create):
1024 (JSC::BindingNode::BindingNode):
1025 (JSC::VarStatementNode::VarStatementNode): Deleted.
1027 (JSC::ScopeNode::ScopeNode):
1028 (JSC::ScopeNode::singleStatement):
1029 (JSC::ProgramNode::ProgramNode):
1030 (JSC::EvalNode::EvalNode):
1031 (JSC::FunctionNode::FunctionNode):
1032 (JSC::FunctionNode::finishParsing):
1033 (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1035 (JSC::VariableEnvironmentNode::VariableEnvironmentNode):
1036 (JSC::VariableEnvironmentNode::lexicalVariables):
1037 (JSC::ScopeNode::usesThis):
1038 (JSC::ScopeNode::needsActivationForMoreThanVariables):
1039 (JSC::ScopeNode::needsActivation):
1040 (JSC::ScopeNode::hasCapturedVariables):
1041 (JSC::ScopeNode::captures):
1042 (JSC::ScopeNode::varDeclarations):
1043 (JSC::ScopeNode::functionStack):
1044 (JSC::ScopeNode::neededConstants):
1045 (JSC::ProgramNode::startColumn):
1046 (JSC::ProgramNode::endColumn):
1047 (JSC::EvalNode::startColumn):
1048 (JSC::EvalNode::endColumn):
1049 (JSC::BindingNode::boundProperty):
1050 (JSC::BindingNode::divotStart):
1051 (JSC::BindingNode::divotEnd):
1052 (JSC::ScopeNode::capturedVariableCount): Deleted.
1053 (JSC::ScopeNode::capturedVariables): Deleted.
1054 (JSC::ScopeNode::varStack): Deleted.
1055 There is a new class called 'VariableEnvironmentNode' that has the
1056 necessary fields to model a lexical scope. Multiple AST nodes now
1057 also inherit from VariableEnvironmentNode.
1059 * parser/Parser.cpp:
1060 (JSC::Parser<LexerType>::parseInner):
1061 (JSC::Parser<LexerType>::didFinishParsing):
1062 (JSC::Parser<LexerType>::parseStatementListItem):
1063 (JSC::Parser<LexerType>::parseVariableDeclaration):
1064 (JSC::Parser<LexerType>::parseWhileStatement):
1065 (JSC::Parser<LexerType>::parseVariableDeclarationList):
1066 (JSC::Parser<LexerType>::createBindingPattern):
1067 (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
1068 (JSC::Parser<LexerType>::parseDestructuringPattern):
1069 (JSC::Parser<LexerType>::parseConstDeclarationList):
1070 (JSC::Parser<LexerType>::parseForStatement):
1071 (JSC::Parser<LexerType>::parseBreakStatement):
1072 (JSC::Parser<LexerType>::parseContinueStatement):
1073 (JSC::Parser<LexerType>::parseSwitchStatement):
1074 (JSC::Parser<LexerType>::parseTryStatement):
1075 (JSC::Parser<LexerType>::parseBlockStatement):
1076 (JSC::Parser<LexerType>::parseStatement):
1077 (JSC::Parser<LexerType>::parseFunctionInfo):
1078 (JSC::Parser<LexerType>::parseClassDeclaration):
1079 (JSC::Parser<LexerType>::parseClass):
1080 (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1081 (JSC::Parser<LexerType>::parseAssignmentExpression):
1082 (JSC::Parser<LexerType>::parseGetterSetter):
1083 (JSC::Parser<LexerType>::parsePrimaryExpression):
1084 (JSC::Parser<LexerType>::parseVarDeclaration): Deleted.
1085 (JSC::Parser<LexerType>::parseVarDeclarationList): Deleted.
1087 (JSC::Scope::Scope):
1088 (JSC::Scope::setIsFunction):
1089 (JSC::Scope::isFunction):
1090 (JSC::Scope::isFunctionBoundary):
1091 (JSC::Scope::setIsLexicalScope):
1092 (JSC::Scope::isLexicalScope):
1093 (JSC::Scope::declaredVariables):
1094 (JSC::Scope::finalizeLexicalEnvironment):
1095 (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
1096 (JSC::Scope::declareCallee):
1097 (JSC::Scope::declareVariable):
1098 (JSC::Scope::declareLexicalVariable):
1099 (JSC::Scope::hasDeclaredVariable):
1100 (JSC::Scope::hasLexicallyDeclaredVariable):
1101 (JSC::Scope::hasDeclaredParameter):
1102 (JSC::Scope::declareWrite):
1103 (JSC::Scope::preventAllVariableDeclarations):
1104 (JSC::Scope::preventVarDeclarations):
1105 (JSC::Scope::allowsVarDeclarations):
1106 (JSC::Scope::allowsLexicalDeclarations):
1107 (JSC::Scope::declareParameter):
1108 (JSC::Scope::declareBoundParameter):
1109 (JSC::Scope::useVariable):
1110 (JSC::Scope::setNeedsFullActivation):
1111 (JSC::Scope::needsFullActivation):
1112 (JSC::Scope::hasDirectSuper):
1113 (JSC::Scope::setNeedsSuperBinding):
1114 (JSC::Scope::collectFreeVariables):
1115 (JSC::Scope::getCapturedVars):
1116 (JSC::Scope::copyCapturedVariablesToVector):
1117 (JSC::Parser::AutoCleanupLexicalScope::AutoCleanupLexicalScope):
1118 (JSC::Parser::AutoCleanupLexicalScope::~AutoCleanupLexicalScope):
1119 (JSC::Parser::AutoCleanupLexicalScope::setIsValid):
1120 (JSC::Parser::AutoCleanupLexicalScope::isValid):
1121 (JSC::Parser::AutoCleanupLexicalScope::setPopped):
1122 (JSC::Parser::AutoCleanupLexicalScope::scope):
1123 (JSC::Parser::currentScope):
1124 (JSC::Parser::pushScope):
1125 (JSC::Parser::popScopeInternal):
1126 (JSC::Parser::popScope):
1127 (JSC::Parser::declareVariable):
1128 (JSC::Parser::hasDeclaredVariable):
1129 (JSC::Parser::hasDeclaredParameter):
1130 (JSC::Parser::declareWrite):
1131 (JSC::Parser::findCachedFunctionInfo):
1132 (JSC::Parser::isFunctionBodyNode):
1133 (JSC::Parser::continueIsValid):
1134 (JSC::Parser::pushLabel):
1135 (JSC::Parser::popLabel):
1136 (JSC::Parser::getLabel):
1137 (JSC::Parser::isLETMaskedAsIDENT):
1138 (JSC::Parser<LexerType>::parse):
1139 (JSC::Scope::preventNewDecls): Deleted.
1140 (JSC::Scope::allowsNewDecls): Deleted.
1141 (JSC::Scope::getCapturedVariables): Deleted.
1142 There are basic parser changes that now allow for the 'let'
1143 keyword. The trickiest change is how we will still treat 'let'
1144 as an identifier for sloppy-mode code sometimes. For example,
1145 "var let = ..." is allowed but "let let" or "const let" is not.
1147 The most significant change to the parser made for this patch
1148 is appropriating the Scope struct to also also model a lexical
1149 scope. Changes were made in how we track captured variables to
1150 account for this. In general, I think some of this code could
1151 benefit from a slight refactoring to make things cleaner.
1153 * parser/ParserTokens.h:
1154 * parser/SyntaxChecker.h:
1155 (JSC::SyntaxChecker::createNewExpr):
1156 (JSC::SyntaxChecker::createConditionalExpr):
1157 (JSC::SyntaxChecker::createAssignResolve):
1158 (JSC::SyntaxChecker::createEmptyVarExpression):
1159 (JSC::SyntaxChecker::createEmptyLetExpression):
1160 (JSC::SyntaxChecker::createClassExpr):
1161 (JSC::SyntaxChecker::createClassDeclStatement):
1162 (JSC::SyntaxChecker::createBlockStatement):
1163 (JSC::SyntaxChecker::createExprStatement):
1164 (JSC::SyntaxChecker::createIfStatement):
1165 (JSC::SyntaxChecker::createForLoop):
1166 (JSC::SyntaxChecker::createForInLoop):
1167 (JSC::SyntaxChecker::createForOfLoop):
1168 (JSC::SyntaxChecker::createEmptyStatement):
1169 (JSC::SyntaxChecker::createVarStatement):
1170 (JSC::SyntaxChecker::createLetStatement):
1171 (JSC::SyntaxChecker::createReturnStatement):
1172 (JSC::SyntaxChecker::createBreakStatement):
1173 (JSC::SyntaxChecker::createContinueStatement):
1174 (JSC::SyntaxChecker::createTryStatement):
1175 (JSC::SyntaxChecker::createSwitchStatement):
1176 (JSC::SyntaxChecker::createWhileStatement):
1177 (JSC::SyntaxChecker::createWithStatement):
1178 (JSC::SyntaxChecker::createDoWhileStatement):
1179 (JSC::SyntaxChecker::createGetterOrSetterProperty):
1180 (JSC::SyntaxChecker::appendStatement):
1181 (JSC::SyntaxChecker::combineCommaNodes):
1182 (JSC::SyntaxChecker::evalCount):
1183 (JSC::SyntaxChecker::appendBinaryExpressionInfo):
1184 (JSC::SyntaxChecker::operatorStackPop):
1185 (JSC::SyntaxChecker::addVar): Deleted.
1186 * parser/VariableEnvironment.cpp: Added.
1187 (JSC::VariableEnvironment::markVariableAsCapturedIfDefined):
1188 (JSC::VariableEnvironment::markVariableAsCaptured):
1189 (JSC::VariableEnvironment::markAllVariablesAsCaptured):
1190 (JSC::VariableEnvironment::hasCapturedVariables):
1191 (JSC::VariableEnvironment::captures):
1192 (JSC::VariableEnvironment::swap):
1193 * parser/VariableEnvironment.h: Added.
1194 (JSC::VariableEnvironmentEntry::isCaptured):
1195 (JSC::VariableEnvironmentEntry::isConstant):
1196 (JSC::VariableEnvironmentEntry::isVar):
1197 (JSC::VariableEnvironmentEntry::isLet):
1198 (JSC::VariableEnvironmentEntry::setIsCaptured):
1199 (JSC::VariableEnvironmentEntry::setIsConstant):
1200 (JSC::VariableEnvironmentEntry::setIsVar):
1201 (JSC::VariableEnvironmentEntry::setIsLet):
1202 (JSC::VariableEnvironmentEntry::clearIsVar):
1203 (JSC::VariableEnvironment::begin):
1204 (JSC::VariableEnvironment::end):
1205 (JSC::VariableEnvironment::add):
1206 (JSC::VariableEnvironment::size):
1207 (JSC::VariableEnvironment::contains):
1208 (JSC::VariableEnvironment::remove):
1209 VariableEnvironment is a new class that keeps track
1210 of the static environment in the parser and the bytecode generator.
1211 VariableEnvironment behaves like SymbolTable but for the bytecode generator.
1212 It keeps track of variable types, i.e, if a variable is a "var", "let", "const"
1213 and whether or not its captured.
1215 * runtime/CodeCache.cpp:
1216 (JSC::CodeCache::getGlobalCodeBlock):
1217 (JSC::CodeCache::getProgramCodeBlock):
1218 (JSC::CodeCache::getEvalCodeBlock):
1219 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1220 * runtime/CodeCache.h:
1221 (JSC::CodeCache::clear):
1222 * runtime/CommonSlowPaths.cpp:
1223 (JSC::SLOW_PATH_DECL):
1224 * runtime/CommonSlowPaths.h:
1225 * runtime/ExceptionHelpers.cpp:
1226 (JSC::createErrorForInvalidGlobalAssignment):
1227 (JSC::createTDZError):
1228 (JSC::throwOutOfMemoryError):
1229 * runtime/ExceptionHelpers.h:
1230 * runtime/Executable.cpp:
1231 (JSC::EvalExecutable::create):
1232 (JSC::ProgramExecutable::initializeGlobalProperties):
1233 * runtime/Executable.h:
1234 * runtime/JSCJSValue.h:
1238 * runtime/JSEnvironmentRecord.h:
1239 (JSC::JSEnvironmentRecord::finishCreationUninitialized):
1240 (JSC::JSEnvironmentRecord::finishCreation):
1241 * runtime/JSGlobalObject.cpp:
1242 (JSC::JSGlobalObject::createProgramCodeBlock):
1243 (JSC::JSGlobalObject::createEvalCodeBlock):
1244 * runtime/JSGlobalObject.h:
1245 (JSC::JSGlobalObject::weakRandomInteger):
1246 * runtime/JSGlobalObjectFunctions.cpp:
1247 (JSC::globalFuncEval):
1248 * runtime/JSLexicalEnvironment.cpp:
1249 (JSC::JSLexicalEnvironment::symbolTableGet):
1250 * runtime/JSLexicalEnvironment.h:
1251 (JSC::JSLexicalEnvironment::create):
1252 * runtime/JSScope.cpp:
1253 (JSC::JSScope::resolve):
1254 (JSC::JSScope::abstractResolve):
1255 (JSC::JSScope::collectVariablesUnderTDZ):
1256 (JSC::JSScope::isLexicalScope):
1257 (JSC::resolveModeName):
1258 * runtime/JSScope.h:
1259 * runtime/PropertySlot.h:
1260 (JSC::PropertySlot::setValue):
1261 * runtime/SymbolTable.cpp:
1262 (JSC::SymbolTable::SymbolTable):
1263 (JSC::SymbolTable::cloneScopePart):
1264 * runtime/SymbolTable.h:
1265 SymbolTable now uses an extra bit to know if it corresponds
1266 to a "let"-like environment or not.
1268 * runtime/WriteBarrier.h:
1269 (JSC::WriteBarrierBase<Unknown>::get):
1270 (JSC::WriteBarrierBase<Unknown>::clear):
1271 (JSC::WriteBarrierBase<Unknown>::setUndefined):
1272 (JSC::WriteBarrierBase<Unknown>::setStartingValue):
1273 (JSC::WriteBarrierBase<Unknown>::isNumber):
1274 (JSC::WriteBarrierBase<Unknown>::isObject):
1275 (JSC::WriteBarrierBase<Unknown>::isNull):
1276 * tests/stress/activation-sink-default-value-tdz-error.js: Added.
1280 * tests/stress/activation-sink-osrexit-default-value-tdz-error.js: Added.
1283 * tests/stress/lexical-let-and-with-statement.js: Added.
1287 * tests/stress/lexical-let-exception-handling.js: Added.
1291 * tests/stress/lexical-let-global-not-captured-variables.js: Added.
1296 * tests/stress/lexical-let-loop-semantics.js: Added.
1301 * tests/stress/lexical-let-not-strict-mode.js: Added.
1306 * tests/stress/lexical-let-semantics.js: Added.
1309 (let.globalFunction):
1310 (let.retGlobalNumberCaptured):
1311 (let.setGlobalNumberCaptured):
1313 * tests/stress/lexical-let-tdz.js: Added.
1319 2015-07-15 Anders Carlsson <andersca@apple.com>
1321 Make JavaScriptCore SPI headers used by WebCore SPI headers self-contained
1322 https://bugs.webkit.org/show_bug.cgi?id=146978
1324 Reviewed by Dan Bernstein.
1326 * debugger/DebuggerPrimitives.h:
1327 * disassembler/Disassembler.h:
1329 * inspector/InspectorValues.h:
1330 * runtime/JSCJSValue.h:
1332 2015-07-14 Anders Carlsson <andersca@apple.com>
1334 Assertions.h should include ExportMacros.h
1335 https://bugs.webkit.org/show_bug.cgi?id=146948
1337 Reviewed by Tim Horton.
1339 Remove now unneeded WTF_EXPORT_PRIVATE define.
1343 2015-07-14 Matthew Mirman <mmirman@apple.com>
1345 Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
1346 https://bugs.webkit.org/show_bug.cgi?id=146910
1347 rdar://problem/21729083
1349 Reviewed by Filip Pizlo.
1351 Also fixes the debug build problem where all edges are assumed to
1352 have UntypedUse before the fixup phase.
1354 * dfg/DFGSpeculativeJIT.cpp:
1355 (JSC::DFG::SpeculativeJIT::compileArithSub):
1356 * dfg/DFGValidate.cpp:
1357 (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
1358 * tests/stress/arith-add-with-constants.js: Added some tests for this case.
1359 (arithAdd42WrittenAsInteger):
1360 (testArithAdd42WrittenAsInteger):
1361 (arithSub42WrittenAsDouble):
1362 (testArithSub42WrittenAsDouble):
1364 (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
1365 (arithAdd42WrittenAsDouble): Deleted.
1366 (testArithAdd42WrittenAsDouble): Deleted.
1368 2015-07-14 Matthew Mirman <mmirman@apple.com>
1370 Unreviewed, rolling out r186805.
1372 Made raytracer on octane 80% slower
1376 "Makes compileArithSub in the DFG ensure that the constant is
1378 https://bugs.webkit.org/show_bug.cgi?id=146910
1379 http://trac.webkit.org/changeset/186805
1381 2015-07-13 Matthew Mirman <mmirman@apple.com>
1383 Makes compileArithSub in the DFG ensure that the constant is an int32.
1384 https://bugs.webkit.org/show_bug.cgi?id=146910
1385 rdar://problem/21729083
1387 Reviewed by Filip Pizlo.
1389 Also fixes the debug build problem where all edges are assumed to
1390 have UntypedUse before the fixup phase.
1392 * dfg/DFGSpeculativeJIT.cpp:
1393 (JSC::DFG::SpeculativeJIT::compileArithSub):
1394 * dfg/DFGValidate.cpp:
1395 (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
1396 * tests/stress/arith-add-with-constants.js: Added some tests for this case.
1397 (arithAdd42WrittenAsInteger):
1398 (testArithAdd42WrittenAsInteger):
1399 (arithSub42WrittenAsDouble):
1400 (testArithSub42WrittenAsDouble):
1402 (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
1403 (arithAdd42WrittenAsDouble): Deleted.
1404 (testArithAdd42WrittenAsDouble): Deleted.
1406 2015-07-13 Basile Clement <basile_clement@apple.com>
1408 Object cycles should not prevent allocation elimination/sinking
1409 https://bugs.webkit.org/show_bug.cgi?id=143073
1411 Reviewed by Filip Pizlo.
1413 This patch introduces a new allocation sinking phase that is able to
1414 sink cycles, in DFGAllocationCycleSinkingPhase.cpp. This phase
1415 supersedes the old allocation sinking phase in
1416 DFGObjectAllocationSinkingPhase.cpp, as that previous phase was never
1417 able to sink allocation cycles while the new phase sometimes can; see
1418 DFGAllocationCycleSinkingPhase.cpp for details.
1420 For now, the new sinking phase is kept behind a
1421 JSC_enableAllocationCycleSinking flag that reverts to the old sinking
1422 phase when false (i.e., by default). This also removes the old
1423 JSC_enableObjectAllocationSinking flag. run-javascriptcore-tests
1424 defaults to using the new sinking phase.
1427 (JSC::DFG::Graph::addStructureSet): Allow empty structure sets
1428 * dfg/DFGLazyNode.cpp:
1429 (JSC::DFG::LazyNode::dump): Prettier dump
1431 (JSC::DFG::Node::cellOperand): Move to opInfo for MaterializeCreateActivation
1432 (JSC::DFG::Node::hasStructureSet): Add MaterializeNewObject
1433 (JSC::DFG::Node::objectMaterializationData): Move to opInfo2
1434 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Remove unused header
1435 * dfg/DFGObjectAllocationSinkingPhase.cpp:
1436 (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase): Deleted.
1437 (JSC::DFG::ObjectAllocationSinkingPhase::run): Deleted.
1438 (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): Deleted.
1439 (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): Deleted.
1440 (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): Deleted.
1441 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): Deleted.
1442 (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): Deleted.
1443 (JSC::DFG::ObjectAllocationSinkingPhase::resolve): Deleted.
1444 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): Deleted.
1445 (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): Deleted.
1446 (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): Deleted.
1447 * dfg/DFGObjectAllocationSinkingPhase.h:
1448 * dfg/DFGPromotedHeapLocation.h: Add a hash and a helper function to PromotedLocationDescriptor
1449 (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
1450 (JSC::DFG::PromotedLocationDescriptor::operator bool):
1451 (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization):
1452 (JSC::DFG::PromotedLocationDescriptorHash::hash):
1453 (JSC::DFG::PromotedLocationDescriptorHash::equal):
1454 * dfg/DFGValidate.cpp:
1455 (JSC::DFG::Validate::validateSSA): Assert that most nodes never see a phantom allocation
1456 * ftl/FTLLowerDFGToLLVM.cpp:
1457 (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject): Use the new structureSet() operand
1458 (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation): Node has a new child
1459 * ftl/FTLOSRExitCompiler.cpp: Handle materialization cycles
1460 (JSC::FTL::compileStub):
1461 * ftl/FTLOperations.cpp: Handle materialization cycles
1462 (JSC::FTL::operationPopulateObjectInOSR):
1463 (JSC::FTL::operationMaterializeObjectInOSR):
1464 * ftl/FTLOperations.h: Handle materialization cycles
1465 * tests/stress/correctly-sink-object-even-though-it-dies.js: Added.
1468 * tests/stress/eliminate-object-read-over-call.js: Added.
1471 * tests/stress/materialize-object-on-edge.js: Added.
1474 * tests/stress/object-sinking-stress.js: Added.
1476 * tests/stress/sink-object-cycle.js: Added.
1479 * tests/stress/sink-object-past-put.js: Added.
1482 * tests/stress/sinkable-new-object-in-loop.js: Added.
1485 2015-07-13 Daniel Bates <dabates@apple.com>
1487 Cleanup: Avoid extraneous increment and decrement of reference count of ScriptArguments in ConsoleClient
1488 https://bugs.webkit.org/show_bug.cgi?id=146920
1490 Reviewed by Brian Burg.
1492 Remove local variable RefPtr<ScriptArguments> and copy constructor call with an argument that
1493 was initialized with an rvalue reference. The argument itself is an lvalue reference.
1495 * runtime/ConsoleClient.cpp:
1496 (JSC::ConsoleClient::printConsoleMessageWithArguments):
1497 (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1499 2015-07-13 Anders Carlsson <andersca@apple.com>
1501 Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
1502 https://bugs.webkit.org/show_bug.cgi?id=146913
1503 rdar://problem/21789252
1505 Reviewed by Dan Bernstein.
1507 Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
1508 /System/Library/Frameworks/JavaScriptCore.framework.
1510 * JavaScriptCore.xcodeproj/project.pbxproj:
1512 2015-07-12 Filip Pizlo <fpizlo@apple.com>
1514 If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated, and maybe it should see the object of interest in the transitioned-to state
1515 https://bugs.webkit.org/show_bug.cgi?id=146897
1517 Reviewed by Mark Lam.
1519 The idea is to eventually support adaptive watchpoints. An adaptive watchpoint will be
1520 able to watch for a condition that is more fine-grained than any one watchpoint set. For
1521 example, we might watch a singleton object to see if it ever acquires a property called
1522 "foo". So long as it doesn't have such a property, we don't want to invalidate any code.
1523 But if it gets that property, then we should deoptimize. Current watchpoints will
1524 invalidate code as soon as any property is added (or deleted), because they will use the
1525 transition watchpoint set of the singleton object's structure, and that fires anytime
1526 there is any transition.
1528 An adaptive watchpoint would remember the singleton object, and when it got fired, it
1529 would check if the object's new structure has the property "foo". If not, it would check
1530 if the object's new structure is watchable (i.e. has a valid transition watchpoint set).
1531 If the property is missing and the structure is watchable, it would add itself to the
1532 watchpoint set of the new structure. Otherwise, it would deoptimize.
1534 There are two problems with this idea, and this patch fixes these problems. First, we
1535 usually fire the transition watchpoint before we do the structure transition. This means
1536 that if the fire() method looked at the singleton object's structure, it would see the old
1537 structure, not the new one. It would have no way of knowing what the new structure is.
1538 Second, inside the fire() method, the watchpoint set being invalidated still appears
1539 valid, since we change the state after we fire all watchpoints.
1541 This patch addresses both issues. Now, in the most important case (addPropertyTransition),
1542 we fire the watchpoint set after we have modified the object. This is accomplished using
1543 a deferral scope called DeferredStructureTransitionWatchpointFire. In cases where there is
1544 no deferral, the adaptive watchpoint will conservatively resort to deoptimization because
1545 it would find that the singleton object's structure is no longer watchable. This is
1546 because in the absence of deferral, the singleton object would still have the original
1547 structure, but that structure's watchpoint set would now report itself as having been
1550 * bytecode/Watchpoint.cpp:
1551 (JSC::WatchpointSet::fireAllSlow): Change the state of the set before firing all watchpoints.
1552 (JSC::WatchpointSet::fireAllWatchpoints):
1553 * runtime/JSObject.h:
1554 (JSC::JSObject::putDirectInternal): Use the deferral scope.
1555 * runtime/Structure.cpp:
1556 (JSC::Structure::Structure): Pass the deferral scope to didTransitionFromThisStructure.
1557 (JSC::Structure::addPropertyTransition): Pass the deferral scope to create().
1558 (JSC::StructureFireDetail::dump): This is no longer anonymous.
1559 (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire): Start with a null structure.
1560 (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire): Fire the watchpoint if there is a structure.
1561 (JSC::DeferredStructureTransitionWatchpointFire::add): Add a structure. Logically this is a list of deferred things, but we assert that there only will be one (happens to be true now).
1562 (JSC::Structure::didTransitionFromThisStructure): Defer the watchpoint firing if there is a deferral scope.
1563 * runtime/Structure.h:
1564 (JSC::StructureFireDetail::StructureFireDetail): Move this to the header.
1565 * runtime/StructureInlines.h:
1566 (JSC::Structure::create): Pass the deferral scope to the constructor.
1568 2015-07-12 Filip Pizlo <fpizlo@apple.com>
1570 Watchpoints should be removed from their owning WatchpointSet before they are fired
1571 https://bugs.webkit.org/show_bug.cgi?id=146895
1573 Reviewed by Sam Weinig.
1575 This simplifies the WatchpointSet API by making it so that when Watchpoint::fire() is
1576 called, the Watchpoint is no longer in the set. This means that you don't have to remember
1577 to remove it from the set's list (currently we do that implicitly as part of whatever
1578 any particular Watchpoint::fireInternal() does), and you can now write adaptive
1579 watchpoints that re-add themselves to a different set if they determine that the thing
1580 they are actually watching is still intact but now needs to be watched in a different way
1581 (like watching for whether some singleton object has a property of some name).
1583 * bytecode/Watchpoint.cpp:
1584 (JSC::Watchpoint::~Watchpoint): Add a comment about why this is necessary.
1585 (JSC::Watchpoint::fire): Make this out-of-line, private, and make it assert that we're no longer on the list.
1586 (JSC::WatchpointSet::fireAllWatchpoints): Make this remove the watchpoint from the list before firing it.
1587 * bytecode/Watchpoint.h:
1588 (JSC::Watchpoint::fire): Deleted. I moved this to Watchpoint.cpp.
1590 2015-07-10 Filip Pizlo <fpizlo@apple.com>
1592 DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers
1593 https://bugs.webkit.org/show_bug.cgi?id=146875
1595 Reviewed by Dan Bernstein.
1597 In the future we'll want to add a desired watchpoint set that's something like "please
1598 watch property 'Foo' for 'deletion' on structure 'S1'", so that the "set type" is struct
1599 like "struct MySet { StringImpl* property; Mode mode; Structure* structure };".
1601 This is a very mechanical change for now - all of the current users happen to use sets
1602 that are pointer typed, so it's just a matter of moving some "*"'s around.
1604 * dfg/DFGDesiredWatchpoints.h:
1605 (JSC::DFG::GenericSetAdaptor::add):
1606 (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
1607 (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
1608 (JSC::DFG::GenericDesiredWatchpoints::addLazily):
1609 (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
1610 (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
1611 (JSC::DFG::GenericDesiredWatchpoints::isWatched):
1612 (JSC::DFG::DesiredWatchpoints::isWatched):
1614 2015-07-10 Filip Pizlo <fpizlo@apple.com>
1616 Watchpoints should be allocated with FastMalloc
1617 https://bugs.webkit.org/show_bug.cgi?id=146874
1619 Reviewed by Dan Bernstein.
1621 This is in preparation for adding new subclasses of Watchpoint. While starting to do this
1622 I realized that the way Watchpoints allocated themselves was unusual.
1624 * bytecode/CodeBlockJettisoningWatchpoint.h:
1625 (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): No need for the default constructor.
1626 * bytecode/Watchpoint.h:
1627 (JSC::Watchpoint::Watchpoint): This should be noncopyable and fast-allocated.
1628 * dfg/DFGCommonData.h: Use a Bag<> instead of SegmentedVector<>. Bag means "malloc things but allow me to free them all at once", which is what we are doing here.
1629 * dfg/DFGDesiredWatchpoints.h:
1630 (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): Use the Bag<> API rather than the very awkward SegmentedVector<> API.
1632 2015-07-10 Filip Pizlo <fpizlo@apple.com>
1634 AI folding of IsObjectOrNull is broken for non-object types that may be null
1635 https://bugs.webkit.org/show_bug.cgi?id=146867
1637 Reviewed by Ryosuke Niwa.
1639 * dfg/DFGAbstractInterpreterInlines.h:
1640 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on.
1641 * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
1643 * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
1646 2015-07-10 Filip Pizlo <fpizlo@apple.com>
1648 It should be easy to measure total compile times.
1649 https://bugs.webkit.org/show_bug.cgi?id=146857
1651 Reviewed by Sam Weinig.
1653 This gives DFG::Plan the ability to track total compile times, and return them in a map
1654 of stats that jsc.cpp can display.
1656 I want to do some work to bring down DFG compile times. This will help me measure whether
1657 I'm making a difference or not.
1660 (JSC::DFG::Plan::Plan):
1661 (JSC::DFG::Plan::~Plan):
1662 (JSC::DFG::Plan::computeCompileTimes):
1663 (JSC::DFG::Plan::reportCompileTimes):
1664 (JSC::DFG::Plan::compileInThread):
1665 (JSC::DFG::Plan::compileInThreadImpl):
1666 (JSC::DFG::Plan::cancel):
1667 (JSC::DFG::Plan::compileTimeStats):
1668 (JSC::DFG::dumpAndVerifyGraph): Deleted.
1669 (JSC::DFG::profilerCompilationKindForMode): Deleted.
1671 (JSC::DFG::Plan::compileTimeStats):
1674 * runtime/Options.h:
1676 2015-07-04 Filip Pizlo <fpizlo@apple.com>
1678 DFG fragile frozen values are fundamentally broken
1679 https://bugs.webkit.org/show_bug.cgi?id=146602
1681 Reviewed by Mark Lam.
1683 This change gets rid of the FragileValue value strength, because it was fundamentally
1686 FragileValue was a value known to the compiler but not tracked by the GC in any way -
1687 it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
1688 must-handle values. The philosophy was that if the compiler did use the value for
1689 optimization, it would have been strengthened to a weak value (or maybe even a strong
1690 value, though we probably won't do that). But this was too much of a pipe dream. I've
1691 found at least one case where the compiler did use the value, but never strengthened
1692 it: it would happen if the value ended up in an OSR entry data expected value. Then if
1693 we GCed, we might have killed the value, but OSR entry would still try to use it for
1694 validation. That might have sort of just worked, but it's clearly shady.
1696 The reason why we made must-handle values fragile and not weak is that most of the time
1697 the values disappear from the abstract state: they are LUBed to a non-constant. If we
1698 kept them around as weak, we'd have too many cases of the GC killing the code because
1699 it thought that the value was somehow meaningful to the code when it was only used as a
1700 temporary artifact of optimization.
1702 So, it's true that it's very important for must-handle values not to automatically be
1703 weak or strong. It's also true that the values are necessary for AI bootstrap because
1704 we need to know what values OSR entry will require. But we shouldn't accomplish these
1705 goals by having the compiler hold onto what are essentially dangling pointers.
1707 This implements a better solution: instead of having InPlaceAbstractState bootstrap the
1708 AI with must-handle values at the beginning, we now widen the valuesAtHead of the
1709 must-handle block after AI converges. This widening is done in CFAPhase. This allows us
1710 to see if the must-handle values are necessary at all. In most cases, the widening
1711 takes a non-constant abstract value and simply amends something to its type based on
1712 the type of the must-handle value, and so the must-handle value never actually shows up
1713 in either the IR or any abstract value. In the unlikely event that the value at head is
1714 bottom, we freeze the must-handle value. This change removes FragileValue, and this
1715 freezing uses WeakValue as the strength. That makes sense: since the abstract value was
1716 bottom, the must-handle value becomes integral to the IR and so it makes no sense for
1717 the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
1718 sometimes happen for example if you have a very long-running loop whose pre-header
1719 allocates some object, but that pre-header appears to always exit to the optimizing JIT
1720 because it was only profiled once in the LLInt and that profiling appears insufficient
1721 to the DFG. In that case, we'll effectively constant-fold the references to the object
1722 inside the loop, which is both efficient (yay constant folding!) and necessary
1723 (otherwise we wouldn't know what the type of the variable should have been).
1725 Testing and debugging this is complicated. So, this adds some new capabilities:
1727 - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
1728 their strengths, so that it's easy to see what GC objects the DFG feels are necessary
1729 for the compilation.
1731 - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
1732 to see what GC pointers (and other things) are used for OSR entry validation. The
1733 printouts are quite detailed, and should also help other kinds of OSR entry
1736 - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
1737 data structures are also properly registered as either weak or strong pointers in the
1738 CodeBlock. This validation check previously failed due to fragile values ending up in
1739 the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
1740 and in some pre-existing tests (like earley-boyer and 3d-raytrace).
1743 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1744 * JavaScriptCore.xcodeproj/project.pbxproj:
1745 * bytecode/CodeBlock.cpp:
1746 (JSC::CodeBlock::stronglyVisitStrongReferences):
1747 * bytecode/CodeOrigin.cpp:
1748 (JSC::InlineCallFrame::visitAggregate):
1749 * bytecode/Operands.h:
1750 (JSC::Operands::operand):
1751 (JSC::Operands::hasOperand):
1752 * bytecode/StructureSet.cpp:
1753 (JSC::StructureSet::dump):
1754 (JSC::StructureSet::validateReferences):
1755 * bytecode/StructureSet.h:
1756 * bytecode/TrackedReferences.cpp: Added.
1757 (JSC::TrackedReferences::TrackedReferences):
1758 (JSC::TrackedReferences::~TrackedReferences):
1759 (JSC::TrackedReferences::add):
1760 (JSC::TrackedReferences::check):
1761 (JSC::TrackedReferences::dump):
1762 * bytecode/TrackedReferences.h: Added.
1763 * dfg/DFGAbstractValue.cpp:
1764 (JSC::DFG::AbstractValue::observeTransitions):
1765 (JSC::DFG::AbstractValue::set):
1766 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
1767 (JSC::DFG::AbstractValue::mergeOSREntryValue):
1768 (JSC::DFG::AbstractValue::filter):
1769 (JSC::DFG::AbstractValue::dumpInContext):
1770 (JSC::DFG::AbstractValue::validateReferences):
1771 (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
1772 * dfg/DFGAbstractValue.h:
1773 (JSC::DFG::AbstractValue::fullTop):
1774 (JSC::DFG::AbstractValue::merge):
1775 * dfg/DFGByteCodeParser.cpp:
1776 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1777 * dfg/DFGCFAPhase.cpp:
1778 (JSC::DFG::CFAPhase::run):
1779 * dfg/DFGCommonData.cpp:
1780 (JSC::DFG::CommonData::invalidate):
1781 (JSC::DFG::CommonData::validateReferences):
1782 * dfg/DFGCommonData.h:
1783 (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
1784 * dfg/DFGFrozenValue.h:
1785 (JSC::DFG::FrozenValue::FrozenValue):
1786 (JSC::DFG::FrozenValue::strengthenTo):
1787 (JSC::DFG::FrozenValue::pointsToHeap):
1788 (JSC::DFG::FrozenValue::strength):
1789 (JSC::DFG::FrozenValue::freeze):
1791 (JSC::DFG::Graph::Graph):
1792 (JSC::DFG::Graph::dump):
1793 (JSC::DFG::Graph::registerFrozenValues):
1794 (JSC::DFG::Graph::visitChildren):
1795 (JSC::DFG::Graph::freeze):
1796 (JSC::DFG::Graph::freezeStrong):
1797 (JSC::DFG::Graph::freezeFragile): Deleted.
1799 * dfg/DFGInPlaceAbstractState.cpp:
1800 (JSC::DFG::InPlaceAbstractState::initialize):
1801 * dfg/DFGJITCode.cpp:
1802 (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
1803 (JSC::DFG::JITCode::validateReferences):
1805 * dfg/DFGJITCompiler.cpp:
1806 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
1807 (JSC::DFG::JITCompiler::noticeOSREntry):
1808 * dfg/DFGJITCompiler.h:
1809 (JSC::DFG::JITCompiler::branchStructurePtr):
1810 (JSC::DFG::JITCompiler::jitCode):
1811 (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
1812 * dfg/DFGMinifiedGraph.cpp: Added.
1813 (JSC::DFG::MinifiedGraph::prepareAndShrink):
1814 (JSC::DFG::MinifiedGraph::validateReferences):
1815 * dfg/DFGMinifiedGraph.h:
1816 (JSC::DFG::MinifiedGraph::append):
1817 (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
1818 * dfg/DFGOSREntry.cpp:
1819 (JSC::DFG::OSREntryData::dumpInContext):
1820 (JSC::DFG::OSREntryData::dump):
1821 (JSC::DFG::prepareOSREntry):
1822 * dfg/DFGOSREntry.h:
1823 (JSC::DFG::getOSREntryDataBytecodeIndex):
1825 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1826 * dfg/DFGSpeculativeJIT.cpp:
1827 (JSC::DFG::SpeculativeJIT::linkOSREntries):
1828 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1829 * dfg/DFGStructureAbstractValue.cpp:
1830 (JSC::DFG::StructureAbstractValue::dump):
1831 (JSC::DFG::StructureAbstractValue::validateReferences):
1832 * dfg/DFGStructureAbstractValue.h:
1833 * dfg/DFGValidate.cpp:
1834 (JSC::DFG::Validate::validate):
1835 * dfg/DFGValueStrength.cpp:
1836 (WTF::printInternal):
1837 * dfg/DFGValueStrength.h:
1839 * ftl/FTLExitPropertyValue.cpp:
1840 (JSC::FTL::ExitPropertyValue::dump):
1841 (JSC::FTL::ExitPropertyValue::validateReferences):
1842 * ftl/FTLExitPropertyValue.h:
1843 * ftl/FTLExitTimeObjectMaterialization.cpp:
1844 (JSC::FTL::ExitTimeObjectMaterialization::dump):
1845 (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
1846 * ftl/FTLExitTimeObjectMaterialization.h:
1847 * ftl/FTLExitValue.cpp:
1848 (JSC::FTL::ExitValue::dump):
1849 (JSC::FTL::ExitValue::validateReferences):
1850 * ftl/FTLExitValue.h:
1851 * ftl/FTLJITCode.cpp:
1852 (JSC::FTL::JITCode::dfgCommon):
1853 (JSC::FTL::JITCode::validateReferences):
1855 (JSC::FTL::JITCode::handles):
1856 (JSC::FTL::JITCode::dataSections):
1857 * ftl/FTLOSRExit.cpp:
1858 (JSC::FTL::OSRExit::codeLocationForRepatch):
1859 (JSC::FTL::OSRExit::validateReferences):
1861 (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
1863 (JSC::JITCode::typeName):
1864 (JSC::JITCode::validateReferences):
1865 (JSC::JITCode::execute):
1867 (JSC::JITCode::start):
1868 * tests/stress/dead-osr-entry-value.js: Added.
1871 2015-07-09 Filip Pizlo <fpizlo@apple.com>
1873 It should be possible to run the OSR exit fuzzer
1874 https://bugs.webkit.org/show_bug.cgi?id=146814
1876 Reviewed by Mark Lam.
1878 Fix a silly bug: the option matching was accidentally allowing a prefix match, which
1879 always did the wrong thing for --fireOSRExitFuzzAt and --fireOSRExitFuzzAtStatic. Make
1880 this an exact match instead.
1882 * runtime/Options.cpp:
1883 (JSC::Options::setOption):
1885 2015-07-09 Mark Lam <mark.lam@apple.com>
1887 SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
1888 https://bugs.webkit.org/show_bug.cgi?id=146807
1890 Reviewed by Filip Pizlo.
1892 When we capture an argument by name and we use "arguments", we put all of the
1893 arguments into the scope. But destructured arguments are put into the scope
1894 anonymously i.e. the SymbolTable knows that the scope offset is in use via
1895 SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
1898 The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
1899 have a size which is based on the largest ScopeOffset in the m_map. If we have a
1900 scenario where the anonymous argument is at a higher ScopeOffset than all the
1901 named arguments, then the m_localsToEntry vector will not have an entry for it
1902 i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
1903 the anonymous argument.
1905 Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
1906 within the bounds of the m_localToEntry vector before indexing into it.
1908 * runtime/SymbolTable.cpp:
1909 (JSC::SymbolTable::entryFor):
1911 2015-07-09 Michael Saboff <msaboff@apple.com>
1913 REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
1914 https://bugs.webkit.org/show_bug.cgi?id=146767
1916 Reviewed by Geoffrey Garen.
1918 If the stack check fails at the top most frame, we must use that frame to
1919 generate the exception. Reverted the code to always use the current frame to
1920 throw an out of stack exception.
1922 * llint/LLIntSlowPaths.cpp:
1923 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1925 2015-07-03 Filip Pizlo <fpizlo@apple.com>
1927 OSR exit fuzzing should allow us to select a static exit site
1928 https://bugs.webkit.org/show_bug.cgi?id=146601
1930 Reviewed by Geoffrey Garen.
1932 The original implementation of the fuzzer allows us to trigger an exit based on its index
1933 in the dynamic sequence of exit sites encountered. But there are usually millions of
1934 dynamically encountered exit sites, even if the program only has thousands of static exit
1935 sites. That means that we would at best be able to do a random sampling of exits, and
1936 those would be biased to the hottest exit sites.
1938 This change allows us to also select exit sites based on their index in the static
1939 sequence of exit sites that the compiler compiled. Then, once that static exit site is
1940 selected, we can select which dynamic exit at that exit site we should trigger. Since the
1941 number of static exit sites is usually smallish (it's bounded by program size), we can do
1942 an exhaustive search over all exit sites in most programs.
1944 * dfg/DFGOSRExitFuzz.cpp:
1945 (JSC::numberOfStaticOSRExitFuzzChecks):
1946 (JSC::numberOfOSRExitFuzzChecks):
1947 * dfg/DFGOSRExitFuzz.h:
1948 (JSC::DFG::doOSRExitFuzzing):
1949 * dfg/DFGSpeculativeJIT.cpp:
1950 (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
1951 * ftl/FTLLowerDFGToLLVM.cpp:
1952 (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
1955 * runtime/Options.h:
1956 * runtime/TestRunnerUtils.h:
1958 2015-07-08 Joseph Pecoraro <pecoraro@apple.com>
1960 Fix grammar issue in TypeError attempting to change an unconfigurable property
1961 https://bugs.webkit.org/show_bug.cgi?id=146774
1963 Reviewed by Brent Fulgham.
1965 * runtime/JSFunction.cpp:
1966 (JSC::JSFunction::defineOwnProperty):
1967 * runtime/JSObject.cpp:
1968 (JSC::JSObject::defineOwnNonIndexProperty):
1969 * runtime/StringObject.cpp:
1970 (JSC::StringObject::defineOwnProperty):
1972 2015-07-06 Csaba Osztrogonác <ossy@webkit.org>
1974 Remove the unused HeapBlock.h
1975 https://bugs.webkit.org/show_bug.cgi?id=146580
1977 Reviewed by Andreas Kling.
1979 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1980 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1981 * JavaScriptCore.xcodeproj/project.pbxproj:
1982 * heap/CopiedBlock.h:
1983 * heap/CopiedSpace.h:
1984 * heap/CopiedSpaceInlines.h:
1985 * heap/HandleBlock.h:
1986 * heap/HeapBlock.h: Removed.
1987 * heap/MarkedBlock.h:
1989 2015-07-06 Saam barati <saambarati1@gmail.com>
1991 JSC's parser should follow the ES6 spec with respect to parsing Declarations
1992 https://bugs.webkit.org/show_bug.cgi?id=146621
1994 Reviewed by Mark Lam.
1996 There were a few locations where JSC would allow declaration statements
1997 in incorrect ways. JSC didn't distinguish between 'Statement' and
1998 'StatementListItem' grammar productions. The relevant grammar is here:
1999 http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
2001 From the ECMA Script 6.0 spec:
2002 1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement)
2003 says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems.
2004 (Same with 'while/for/do-while' loop bodies).
2005 2. Section 13 ECMAScript Language: Statements and Declarations
2006 (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
2007 defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations
2008 (const, let, see 13.3.1 Let and Const Declarations).
2009 Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).
2011 Hence, the following style of declarations are no longer allowed:
2012 'if/for/while (condition) const x = 40;'
2013 'if/for/while (condition) class C { }'
2015 Instead, we mandate such declaration constructs are within a StatementList
2016 (which is the production that JSC's Parser::parseSourceElements function parses):
2017 'if/for/while (condition) { const x = 40; }'
2018 'if/for/while (condition) { class C { } }'
2020 * parser/Parser.cpp:
2021 (JSC::Parser<LexerType>::parseSourceElements):
2022 (JSC::Parser<LexerType>::parseStatementListItem):
2023 (JSC::Parser<LexerType>::parseVarDeclaration):
2024 (JSC::Parser<LexerType>::parseStatement):
2025 (JSC::Parser<LexerType>::parseExpressionStatement):
2027 (JSC::Parser::getLabel):
2029 2015-07-06 Alex Christensen <achristensen@webkit.org>
2031 Unreviewed debug build fix after r186358.
2033 * runtime/JSArray.cpp:
2034 (JSC::JSArray::fastConcatWith):
2035 Pass vm parameter to fastConcatType.
2037 2015-07-06 Ryosuke Niwa <rniwa@webkit.org>
2039 Array.concat should be fast for integer or double arrays
2040 https://bugs.webkit.org/show_bug.cgi?id=146260
2042 Reviewed by Darin Adler.
2044 Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
2045 arrays, simply memcopy the arrays into a new uninitialized buffer.
2047 This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.
2049 * runtime/ArrayPrototype.cpp:
2050 (JSC::arrayProtoFuncConcat):
2051 * runtime/JSArray.cpp:
2052 (JSC::JSArray::fastConcatWith): Added.
2053 * runtime/JSArray.h:
2054 (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
2055 the fact path. Returns NonArray otherwise.
2057 2015-07-06 Youenn Fablet <youenn.fablet@crf.canon.fr>
2059 [Streams API] Remove ReadableStream custom constructor
2060 https://bugs.webkit.org/show_bug.cgi?id=146547
2062 Reviewed by Darin Adler.
2064 Adding helper function to throw range errors.
2067 (JSC::throwRangeError):
2068 (JSC::throwVMRangeError):
2070 2015-07-05 Yusuke Suzuki <utatane.tea@gmail.com>
2072 [ES6] Implement the latest Promise spec in JS
2073 https://bugs.webkit.org/show_bug.cgi?id=146229
2075 Reviewed by Sam Weinig.
2077 Updated the Promise implementation to meet to the ES6 spec.
2079 1. Implement ES6 Promise and related abstract operations in builtins JS
2080 2. Expose @enqueueJob private function to JS world to post the microtask
2082 Updated implementation has one-on-one correspondence to the ES6 spec description.
2083 And keep the JSPromiseDeferred because it is the interface used from the WebCore.
2086 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2087 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2088 * JavaScriptCore.xcodeproj/project.pbxproj:
2089 * builtins/Array.prototype.js:
2102 ToInteger / ToLength are renamed to toInteger and toLength.
2103 * builtins/ArrayConstructor.js:
2105 ToInteger / ToLength are renamed to toInteger and toLength.
2106 * builtins/GlobalObject.js:
2110 (ToInteger): Deleted.
2111 (ToLength): Deleted.
2112 ToInteger / ToLength are renamed to toInteger and toLength.
2113 Add new abstract operation, isObject.
2114 * builtins/Operations.Promise.js: Added.
2116 (newPromiseReaction):
2117 (newPromiseDeferred):
2118 (newPromiseCapability.executor):
2119 (newPromiseCapability):
2120 (triggerPromiseReactions):
2123 (createResolvingFunctions.resolve):
2124 (createResolvingFunctions.reject):
2125 (createResolvingFunctions):
2126 (promiseReactionJob):
2127 (promiseResolveThenableJob):
2128 (initializePromise):
2129 Added Promise related abstract operations.
2130 * builtins/Promise.prototype.js:
2135 Promise#then implementation in JS.
2136 * builtins/PromiseConstructor.js: Added.
2137 (all.newResolveElement):
2142 Promise static functions implementations in JS.
2143 * builtins/StringConstructor.js:
2145 ToInteger / ToLength are renamed to toInteger and toLength.
2146 * inspector/JSInjectedScriptHost.cpp:
2147 (Inspector::JSInjectedScriptHost::getInternalProperties):
2148 * runtime/CommonIdentifiers.h:
2149 * runtime/JSGlobalObject.cpp:
2151 (JSC::JSGlobalObject::init):
2152 (JSC::JSGlobalObject::visitChildren):
2153 * runtime/JSGlobalObject.h:
2154 (JSC::JSGlobalObject::initializePromiseFunction):
2155 (JSC::JSGlobalObject::newPromiseDeferredFunction):
2156 * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
2158 (JSC::JSJobMicrotask::run):
2159 * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
2160 * runtime/JSPromise.cpp:
2161 (JSC::JSPromise::create):
2162 (JSC::JSPromise::JSPromise):
2163 (JSC::JSPromise::finishCreation):
2164 (JSC::JSPromise::result):
2165 (JSC::JSPromise::destroy): Deleted.
2166 (JSC::JSPromise::visitChildren): Deleted.
2167 (JSC::JSPromise::reject): Deleted.
2168 (JSC::JSPromise::resolve): Deleted.
2169 (JSC::JSPromise::appendResolveReaction): Deleted.
2170 (JSC::JSPromise::appendRejectReaction): Deleted.
2171 (JSC::triggerPromiseReactions): Deleted.
2172 * runtime/JSPromise.h:
2173 (JSC::JSPromise::status): Deleted.
2174 (JSC::JSPromise::result): Deleted.
2175 (JSC::JSPromise::constructor): Deleted.
2176 * runtime/JSPromiseConstructor.cpp:
2177 (JSC::constructPromise):
2178 (JSC::JSPromiseConstructorFuncResolve): Deleted.
2179 (JSC::JSPromiseConstructorFuncReject): Deleted.
2180 (JSC::performPromiseRaceLoop): Deleted.
2181 (JSC::JSPromiseConstructorFuncRace): Deleted.
2182 (JSC::performPromiseAll): Deleted.
2183 (JSC::JSPromiseConstructorFuncAll): Deleted.
2184 * runtime/JSPromiseDeferred.cpp:
2185 (JSC::JSPromiseDeferred::create):
2186 (JSC::createJSPromiseDeferredFromConstructor): Deleted.
2187 (JSC::updateDeferredFromPotentialThenable): Deleted.
2188 (JSC::performDeferredResolve): Deleted.
2189 (JSC::performDeferredReject): Deleted.
2190 (JSC::abruptRejection): Deleted.
2191 * runtime/JSPromiseDeferred.h:
2192 * runtime/JSPromiseFunctions.cpp: Removed.
2193 (JSC::deferredConstructionFunction): Deleted.
2194 (JSC::createDeferredConstructionFunction): Deleted.
2195 (JSC::identifyFunction): Deleted.
2196 (JSC::createIdentifyFunction): Deleted.
2197 (JSC::promiseAllCountdownFunction): Deleted.
2198 (JSC::createPromiseAllCountdownFunction): Deleted.
2199 (JSC::promiseResolutionHandlerFunction): Deleted.
2200 (JSC::createPromiseResolutionHandlerFunction): Deleted.
2201 (JSC::rejectPromiseFunction): Deleted.
2202 (JSC::createRejectPromiseFunction): Deleted.
2203 (JSC::resolvePromiseFunction): Deleted.
2204 (JSC::createResolvePromiseFunction): Deleted.
2205 (JSC::throwerFunction): Deleted.
2206 (JSC::createThrowerFunction): Deleted.
2207 * runtime/JSPromisePrototype.cpp:
2208 (JSC::JSPromisePrototypeFuncThen): Deleted.
2209 * runtime/JSPromiseReaction.cpp: Removed.
2210 (JSC::createExecutePromiseReactionMicrotask): Deleted.
2211 (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
2212 (JSC::JSPromiseReaction::create): Deleted.
2213 (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
2214 (JSC::JSPromiseReaction::finishCreation): Deleted.
2215 (JSC::JSPromiseReaction::visitChildren): Deleted.
2217 (JSC::VM::VM): Deleted.
2220 2015-07-04 Chris Dumez <cdumez@apple.com>
2222 Drop RefPtr::clear() method
2223 https://bugs.webkit.org/show_bug.cgi?id=146556
2225 Reviewed by Brady Eidson.
2227 Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
2229 2015-07-03 Dan Bernstein <mitz@apple.com>
2231 Just give up on -Wunreachable-code in JavaScriptCore.
2233 * Configurations/Base.xcconfig:
2234 * llint/LowLevelInterpreter.cpp:
2235 (JSC::CLoop::execute):
2237 2015-07-03 Dan Bernstein <mitz@apple.com>
2239 Fixed the LLINT CLoop build.
2241 * llint/LowLevelInterpreter.cpp:
2242 (JSC::CLoop::execute):
2244 2015-07-03 Dan Bernstein <mitz@apple.com>
2246 [Xcode] Update some build settings as recommended by Xcode 7
2247 https://bugs.webkit.org/show_bug.cgi?id=146597
2249 Reviewed by Sam Weinig.
2251 * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
2252 GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.
2254 * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
2256 * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.
2258 2015-07-03 Yusuke Suzuki <utatane.tea@gmail.com>
2260 Relax builtin JS restriction about try-catch
2261 https://bugs.webkit.org/show_bug.cgi?id=146555
2263 Reviewed by Sam Weinig.
2265 When retrieving the captured variables from the full activated scope,
2266 it swapped the given vector with the stored declared variables vector.
2267 This is because retrieving the captured variables are executed in the
2268 last sequence of the parser, so declared variables are no longer used.
2269 However, in builtins functions case, after retrieving the captured
2270 variables, we check the variables by using declared variables vector.
2271 So at that time, the declared variables vector becomes empty and it
2272 raises assertion failures when the builtins function contains the full
2273 activated scope. try-catch's catch scope requires the upper scope full
2274 activated, so JS code in the builtins cannot use the try-catch.
2276 This patch relaxes this restriction. When retrieving the captured
2277 variables from the scope, just copy to the given vector.
2280 (JSC::Scope::getCapturedVariables):
2282 2015-07-02 Filip Pizlo <fpizlo@apple.com>
2284 DFG and FTL should have an OSR exit fuzzer
2285 https://bugs.webkit.org/show_bug.cgi?id=146562
2287 Reviewed by Benjamin Poulain.
2289 Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
2290 spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
2291 to harness this after I land it.
2293 Since it's turned off by default, it should have no effect on behavior.
2296 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2297 * JavaScriptCore.xcodeproj/project.pbxproj:
2298 * dfg/DFGOSRExitFuzz.cpp: Added.
2299 (JSC::numberOfOSRExitFuzzChecks):
2300 * dfg/DFGOSRExitFuzz.h: Added.
2301 * dfg/DFGSpeculativeJIT.cpp:
2302 (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
2303 (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
2304 (JSC::DFG::SpeculativeJIT::speculationCheck):
2305 * dfg/DFGSpeculativeJIT.h:
2306 * ftl/FTLLowerDFGToLLVM.cpp:
2307 (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2310 * runtime/Options.h:
2311 * runtime/TestRunnerUtils.h:
2313 2015-07-02 Saam barati <saambarati1@gmail.com>
2315 Rename "Deconstruction" to "Destructuring" throughout JSC
2316 https://bugs.webkit.org/show_bug.cgi?id=146100
2318 Reviewed by Mark Lam.
2320 It is good to use the same naming conventions as the ES6
2321 spec because it is the de facto way of speaking about these
2322 language features. This also has the benefit of improving JSC's
2323 hackability because it improves code readability for newcomers
2324 to JSC or newcomers to this part of the code base.
2326 * bytecompiler/BytecodeGenerator.cpp:
2327 (JSC::BytecodeGenerator::generate):
2328 (JSC::BytecodeGenerator::BytecodeGenerator):
2329 (JSC::BytecodeGenerator::initializeNextParameter):
2330 (JSC::BytecodeGenerator::visibleNameForParameter):
2331 * bytecompiler/BytecodeGenerator.h:
2332 (JSC::BytecodeGenerator::registerFor):
2333 * bytecompiler/NodesCodegen.cpp:
2334 (JSC::ForInNode::tryGetBoundLocal):
2335 (JSC::ForInNode::emitLoopHeader):
2336 (JSC::ForOfNode::emitBytecode):
2337 (JSC::ClassExprNode::emitBytecode):
2338 (JSC::DestructuringAssignmentNode::emitBytecode):
2339 (JSC::DestructuringPatternNode::~DestructuringPatternNode):
2340 (JSC::ArrayPatternNode::collectBoundIdentifiers):
2341 (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
2342 (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
2343 * parser/ASTBuilder.h:
2344 (JSC::ASTBuilder::createElementList):
2345 (JSC::ASTBuilder::createFormalParameterList):
2346 (JSC::ASTBuilder::createClause):
2347 (JSC::ASTBuilder::createClauseList):
2348 (JSC::ASTBuilder::createForInLoop):
2349 (JSC::ASTBuilder::createForOfLoop):
2350 (JSC::ASTBuilder::isBindingNode):
2351 (JSC::ASTBuilder::isResolve):
2352 (JSC::ASTBuilder::createDestructuringAssignment):
2353 (JSC::ASTBuilder::createArrayPattern):
2354 (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2355 (JSC::ASTBuilder::appendArrayPatternEntry):
2356 (JSC::ASTBuilder::appendArrayPatternRestEntry):
2357 (JSC::ASTBuilder::createObjectPattern):
2358 (JSC::ASTBuilder::appendObjectPatternEntry):
2359 (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
2360 * parser/NodeConstructors.h:
2361 (JSC::TryNode::TryNode):
2362 (JSC::ParameterNode::ParameterNode):
2363 (JSC::ForOfNode::ForOfNode):
2364 (JSC::DestructuringPatternNode::DestructuringPatternNode):
2365 (JSC::ArrayPatternNode::ArrayPatternNode):
2366 (JSC::ArrayPatternNode::create):
2367 (JSC::ObjectPatternNode::ObjectPatternNode):
2368 (JSC::BindingNode::create):
2369 (JSC::BindingNode::BindingNode):
2370 (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2371 (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
2372 (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
2374 (JSC::FunctionParameters::create):
2376 (JSC::ExpressionNode::isResolveNode):
2377 (JSC::ExpressionNode::isBracketAccessorNode):
2378 (JSC::ExpressionNode::isDotAccessorNode):
2379 (JSC::ExpressionNode::isDestructuringNode):
2380 (JSC::ExpressionNode::isFuncExprNode):
2381 (JSC::ExpressionNode::isCommaNode):
2382 (JSC::ExpressionNode::isSimpleArray):
2383 (JSC::ParameterNode::pattern):
2384 (JSC::ParameterNode::nextParam):
2385 (JSC::FunctionParameters::size):
2386 (JSC::FunctionParameters::at):
2387 (JSC::FunctionParameters::patterns):
2388 (JSC::DestructuringPatternNode::isBindingNode):
2389 (JSC::DestructuringPatternNode::emitDirectBinding):
2390 (JSC::ArrayPatternNode::appendIndex):
2391 (JSC::ObjectPatternNode::appendEntry):
2392 (JSC::BindingNode::boundProperty):
2393 (JSC::DestructuringAssignmentNode::bindings):
2394 (JSC::ExpressionNode::isDeconstructionNode): Deleted.
2395 (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
2396 (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
2397 (JSC::DeconstructingAssignmentNode::bindings): Deleted.
2398 * parser/Parser.cpp:
2399 (JSC::Parser<LexerType>::parseVarDeclaration):
2400 (JSC::Parser<LexerType>::parseWhileStatement):
2401 (JSC::Parser<LexerType>::parseVarDeclarationList):
2402 (JSC::Parser<LexerType>::createBindingPattern):
2403 (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
2404 (JSC::Parser<LexerType>::parseDestructuringPattern):
2405 (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
2406 (JSC::Parser<LexerType>::parseForStatement):
2407 (JSC::Parser<LexerType>::parseFormalParameters):
2408 (JSC::Parser<LexerType>::parseFunctionParameters):
2409 (JSC::Parser<LexerType>::parseAssignmentExpression):
2410 (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
2411 (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
2412 (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
2415 * parser/SyntaxChecker.h:
2416 (JSC::SyntaxChecker::createPropertyList):
2417 (JSC::SyntaxChecker::createElementList):
2418 (JSC::SyntaxChecker::createFormalParameterList):
2419 (JSC::SyntaxChecker::createClause):
2420 (JSC::SyntaxChecker::createClauseList):
2421 (JSC::SyntaxChecker::operatorStackPop):
2422 * tests/stress/reserved-word-with-escape.js:
2423 * tests/stress/rest-elements.js:
2425 2015-07-02 Mark Lam <mark.lam@apple.com>
2427 Build fix for Win EWS bot.
2428 https://bugs.webkit.org/show_bug.cgi?id=146551
2432 * tools/JSDollarVMPrototype.cpp:
2433 (JSC::functionCrash):
2435 2015-07-02 Dan Bernstein <mitz@apple.com>
2437 <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
2438 https://bugs.webkit.org/show_bug.cgi?id=146542
2440 Reviewed by Sam Weinig.
2442 * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.
2444 2015-07-01 Joseph Pecoraro <pecoraro@apple.com>
2446 Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
2447 https://bugs.webkit.org/show_bug.cgi?id=146536
2449 Reviewed by Timothy Hatcher.
2451 * inspector/protocol/Timeline.json:
2452 Change a CPUProfile from sending a required "calls" param to sending a required
2453 "callInfo" param which includes aggregated information about the calls.
2455 2015-06-30 Filip Pizlo <fpizlo@apple.com>
2457 DFG::freezeFragile should register the frozen value's structure
2458 https://bugs.webkit.org/show_bug.cgi?id=136055
2459 rdar://problem/21042120
2461 Reviewed by Mark Lam and Geoffrey Garen.
2463 This fixes weird concurrency bugs where the constant folding phase tries to convert
2464 something to a constant but then crashes because the constant's structure wasn't
2465 registered. The AI was registering the structure of any value it saw, but constant folding
2466 wasn't - and that's fine so long as there ain't no concurrency.
2468 The best fix is to just make it impossible to introduce a constant into the IR without
2469 registering its structure. That's what this change does. This is not only a great
2470 concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
2471 less case of structure registering that you have to remember about.
2473 * dfg/DFGAbstractValue.cpp:
2474 (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
2475 (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
2477 (JSC::DFG::Graph::freezeFragile): Register the structure.
2478 * dfg/DFGStructureRegistrationPhase.cpp:
2479 (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.
2481 2015-07-01 Matthew Mirman <mmirman@apple.com>
2483 Unreviewed, rolling out r185889
2484 https://bugs.webkit.org/show_bug.cgi?id=146528
2485 rdar://problem/21573959
2487 Patch breaks chromeexperiments.com
2492 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2493 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2494 * JavaScriptCore.xcodeproj/project.pbxproj:
2495 * inspector/InjectedScriptSource.js:
2497 * runtime/JSBoundSlotBaseFunction.cpp: Removed.
2498 * runtime/JSBoundSlotBaseFunction.h: Removed.
2499 * runtime/JSGlobalObject.cpp:
2500 (JSC::JSGlobalObject::init): Deleted.
2501 (JSC::JSGlobalObject::visitChildren): Deleted.
2502 * runtime/JSGlobalObject.h:
2503 (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
2504 * runtime/JSObject.cpp:
2505 (JSC::JSObject::getOwnPropertyDescriptor):
2506 (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
2508 (JSC::VM::VM): Deleted.
2511 2015-07-01 Dean Jackson <dino@apple.com>
2513 Disable the experimental WebGL2 implementation
2514 https://bugs.webkit.org/show_bug.cgi?id=146526
2515 <rdar://problem/21641235>
2517 Reviewed by Myles Maxfield.
2519 Add (and disable) an ENABLE_WEBGL2 flag.
2521 * Configurations/FeatureDefines.xcconfig:
2523 2015-07-01 Matthew Daiter <mdaiter@apple.com>
2525 Enable MEDIA_STREAM flag
2526 https://bugs.webkit.org/show_bug.cgi?id=145947
2527 <rdar://problem/21365829>
2529 Reviewed by Eric Carlson.
2531 * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag
2533 2015-06-30 Andy VanWagoner <thetalecrafter@gmail.com>
2535 Implement ECMAScript Internationalization API
2536 https://bugs.webkit.org/show_bug.cgi?id=90906
2538 Reviewed by Benjamin Poulain.
2540 * CMakeLists.txt: add IntlObject.cpp
2541 * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
2542 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
2543 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
2544 * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
2545 * runtime/CommonIdentifiers.h: add "Intl" name
2546 * runtime/IntlObject.cpp: Added.
2547 (JSC::IntlObject::IntlObject):
2548 (JSC::IntlObject::create):
2549 (JSC::IntlObject::finishCreation):
2550 (JSC::IntlObject::createStructure):
2551 * runtime/IntlObject.h: Added.
2552 * runtime/JSGlobalObject.cpp: Add global Intl
2553 (JSC::JSGlobalObject::init):
2555 2015-06-30 Basile Clement <basile_clement@apple.com>
2557 Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
2558 https://bugs.webkit.org/show_bug.cgi?id=146431
2560 Reviewed by Filip Pizlo.
2563 (JSC::DFG::Node::isFunctionAllocation):
2564 (JSC::DFG::Node::isPhantomFunctionAllocation):
2565 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2566 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2567 * dfg/DFGPromoteHeapAccess.h:
2568 (JSC::DFG::promoteHeapAccess):
2570 2015-06-30 Matt Baker <mattbaker@apple.com>
2572 Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
2573 https://bugs.webkit.org/show_bug.cgi?id=146168
2575 Reviewed by Brian Burg.
2577 * inspector/protocol/Timeline.json:
2578 New timeline record type for compositing events.
2580 2015-06-29 Dean Jackson <dino@apple.com>
2582 Temporarily disable PICTURE_SIZES
2583 https://bugs.webkit.org/show_bug.cgi?id=146435
2584 <rdar://problem/21087013>
2586 Reviewed by Tim Horton.
2588 Temporarily disable PICTURE_SIZES because it causes problems with out
2589 of date <picture> polyfills.
2591 * Configurations/FeatureDefines.xcconfig:
2593 2015-06-29 Youenn Fablet <youenn.fablet@crf.canon.fr>
2595 Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
2596 https://bugs.webkit.org/show_bug.cgi?id=146403
2598 Reviewed by Darin Adler.
2600 * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.
2602 2015-06-28 Aleksandr Skachkov <gskachkov@gmail.com>
2604 [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
2605 https://bugs.webkit.org/show_bug.cgi?id=146394
2607 Reviewed by Yusuke Suzuki.
2609 * parser/Parser.cpp:
2610 (JSC::Parser<LexerType>::parseFunctionInfo):
2612 2015-06-27 Darin Adler <darin@apple.com>
2614 Make converting JSString to StringView idiomatically safe
2615 https://bugs.webkit.org/show_bug.cgi?id=146387
2617 Reviewed by Anders Carlsson.
2620 (functionPrint): Add explicit call to SafeView::get, needed since there
2621 is no StringView temporary.
2622 (functionDebug): Ditto.
2624 * runtime/ArrayPrototype.cpp:
2625 (JSC::holesMustForwardToPrototype): Refactored into helper function.
2626 (JSC::join): Refactored so that StringView is a function argument, making
2627 the lifetime simpler.
2628 (JSC::arrayProtoFuncJoin): Ditto.
2629 (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.
2631 * runtime/JSGlobalObjectFunctions.cpp:
2632 (JSC::encode): Add explicit call to SafeView::get.
2634 * runtime/JSString.h: Moved declarations of functions to the top of the
2635 file instead of mixing them in with the function definitions. Changed
2636 return type of the view function to return a JSString::SafeView so that
2637 the JSString's lifetime will last as long as the StringView does in
2638 typical coding idioms.
2639 (JSC::JSString::getIndex): Use unsafeView so we can index into the
2640 view; could also have used view.get but here in this class this seems fine.
2641 (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
2642 (JSC::JSString::unsafeView): Ditto.
2643 (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
2644 and a JSString. The ExecState is needed to create the StringView, and the
2645 JSString needs to be kept alive as long as the StringView is.
2646 (JSC::JSString::SafeView::operator StringView): Call unsafeView.
2647 (JSC::JSString::SafeView::get): Convenience for when we want to call
2648 StringView member functions.
2649 (JSC::JSString::view): Added. Returns a SafeView.
2651 * runtime/StringPrototype.cpp:
2652 (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.
2654 2015-06-26 Csaba Osztrogonác <ossy@webkit.org>
2656 Remove ARMv7Assembler.cpp
2657 https://bugs.webkit.org/show_bug.cgi?id=146340
2659 Reviewed by Filip Pizlo.
2662 * JavaScriptCore.xcodeproj/project.pbxproj:
2663 * assembler/ARMv7Assembler.cpp: Removed.
2665 2015-06-26 Csaba Osztrogonác <ossy@webkit.org>
2667 Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
2668 https://bugs.webkit.org/show_bug.cgi?id=146344
2670 Reviewed by Yusuke Suzuki.
2672 * parser/Parser.cpp:
2673 (JSC::Parser<LexerType>::parseSourceElements):
2675 2015-06-26 Aleksandr Skachkov <gskachkov@gmail.com>
2677 [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function.
2678 https://bugs.webkit.org/show_bug.cgi?id=144955
2680 Reviewed by Yusuke Suzuki.
2682 Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc.
2683 This patch implements the simplest cases of arrow function declaration:
2684 parameters () => 10 + 20
2685 parameter x => x + 20
2686 parameters (x, y) => x + y
2687 function with block x => { return x*10; }
2690 bind of the this, arguments, super and etc.
2691 exception in case of trying to use 'new' with arrow function
2693 * parser/ASTBuilder.h:
2694 (JSC::ASTBuilder::createFunctionExpr):
2695 (JSC::ASTBuilder::createArrowFunctionExpr):
2696 (JSC::ASTBuilder::createGetterOrSetterProperty):
2697 (JSC::ASTBuilder::createFuncDeclStatement):
2699 (JSC::Lexer<T>::setTokenPosition):
2700 (JSC::Lexer<T>::lex):
2702 (JSC::Lexer::lastTokenLocation):
2703 (JSC::Lexer::setTerminator):
2704 * parser/Parser.cpp:
2705 (JSC::Parser<LexerType>::parseInner):
2706 (JSC::Parser<LexerType>::parseSourceElements):
2707 (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
2708 (JSC::Parser<LexerType>::parseSwitchClauses):
2709 (JSC::Parser<LexerType>::parseSwitchDefaultClause):
2710 (JSC::Parser<LexerType>::parseBlockStatement):
2711 (JSC::Parser<LexerType>::parseFunctionBody):
2712 (JSC::stringForFunctionMode):
2713 (JSC::Parser<LexerType>::parseFunctionParameters):
2714 (JSC::Parser<LexerType>::parseFunctionInfo):
2715 (JSC::Parser<LexerType>::parseFunctionDeclaration):
2716 (JSC::Parser<LexerType>::parseClass):
2717 (JSC::Parser<LexerType>::parseAssignmentExpression):
2718 (JSC::Parser<LexerType>::parsePropertyMethod):
2719 (JSC::Parser<LexerType>::parseGetterSetter):
2720 (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2722 (JSC::Parser::locationBeforeLastToken):
2723 (JSC::Parser::isEndOfArrowFunction):
2724 (JSC::Parser::isArrowFunctionParamters):
2725 (JSC::Parser::setEndOfStatement):
2726 * parser/ParserFunctionInfo.h:
2727 * parser/ParserTokens.h:
2728 * parser/SourceCode.h:
2729 (JSC::SourceCode::subArrowExpression):
2730 * parser/SourceProviderCacheItem.h:
2731 (JSC::SourceProviderCacheItem::endFunctionToken):
2732 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2733 * parser/SyntaxChecker.h:
2734 (JSC::SyntaxChecker::createArrowFunctionExpr):
2735 (JSC::SyntaxChecker::setFunctionNameStart):
2737 2015-06-25 Yusuke Suzuki <utatane.tea@gmail.com>
2739 [ES6] Support rest element in destructuring assignments
2740 https://bugs.webkit.org/show_bug.cgi?id=146206
2742 Reviewed by Oliver Hunt.
2744 This patch enables rest element (...rest) in array binding patterns.
2745 It generates array from the iterables.
2746 In variable declarations and parameters, `[...identifier]` form is only allowed,
2747 while expressions can take `[...[...rest]]` pattern.
2749 * bytecompiler/BytecodeGenerator.cpp:
2750 (JSC::BytecodeGenerator::emitEnumeration):
2751 (JSC::BytecodeGenerator::emitIteratorNext):
2752 * bytecompiler/BytecodeGenerator.h:
2753 * bytecompiler/NodesCodegen.cpp:
2754 (JSC::ArrayPatternNode::bindValue):
2755 (JSC::ArrayPatternNode::toString):
2756 * parser/ASTBuilder.h:
2757 (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2758 (JSC::ASTBuilder::appendArrayPatternEntry):
2759 (JSC::ASTBuilder::appendArrayPatternRestEntry):
2761 (JSC::ArrayPatternNode::appendIndex):
2762 * parser/Parser.cpp:
2763 (JSC::Parser<LexerType>::parseDeconstructionPattern):
2764 * parser/SyntaxChecker.h:
2765 (JSC::SyntaxChecker::operatorStackPop):
2766 * tests/stress/rest-elements.js: Added.
2770 2015-06-25 Commit Queue <commit-queue@webkit.org>
2772 Unreviewed, rolling out r185956.
2773 https://bugs.webkit.org/show_bug.cgi?id=146321
2775 Causes massive crashes on test bots (Requested by bfulgham on
2780 "Enabling MEDIA_STREAM"
2781 https://bugs.webkit.org/show_bug.cgi?id=145947
2782 http://trac.webkit.org/changeset/185956
2784 2015-06-25 Michael Saboff <msaboff@apple.com>
2786 Minor fix to idx bounds check after 185954
2788 Rubber Stamped by Ryosuke Niwa.
2790 Changed "idx > 1" to "idx > 0" in two places.
2792 * runtime/ExceptionHelpers.cpp:
2793 (JSC::functionCallBase):
2795 2015-06-25 Keith Miller <keith_miller@apple.com>
2797 Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
2798 https://bugs.webkit.org/show_bug.cgi?id=146297
2800 Reviewed by Filip Pizlo.
2802 Since we cannot blacklist the system memcpy we must use our own naive implementation,
2803 copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
2804 only called as part of an O(heapsize) operation. As the heap is generally much larger
2805 than the stack the performance hit is minimal.
2807 * heap/MachineStackMarker.cpp:
2809 (JSC::MachineThreads::tryCopyOtherThreadStack):
2810 (JSC::asanUnsafeMemcpy): Deleted.
2812 2015-06-25 Matthew Daiter <mdaiter@apple.com>
2814 Enabling MEDIA_STREAM
2815 https://bugs.webkit.org/show_bug.cgi?id=145947
2816 <rdar://problem/21365829>
2818 Reviewed by Brent Fulgham.
2820 * Configurations/FeatureDefines.xcconfig:
2822 2015-06-25 Michael Saboff <msaboff@apple.com>
2824 REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689)
2825 https://bugs.webkit.org/show_bug.cgi?id=146298
2827 Reviewed by Mark Lam.
2829 We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left
2830 string index. Added checks that idx stays within the string. Also added a termination
2831 condition when idx is 0.
2833 * runtime/ExceptionHelpers.cpp:
2834 (JSC::functionCallBase):
2836 2015-06-24 Chris Dumez <cdumez@apple.com>
2838 Unreviewed, speculative build fix after r185942.
2840 Add missing include for StrongInlines.h.
2842 * runtime/ArrayPrototype.cpp:
2844 2015-06-24 Darin Adler <darin@apple.com>
2846 Optimize Array.join and Array.reverse for high speed array types
2847 https://bugs.webkit.org/show_bug.cgi?id=146275
2849 Reviewed by Mark Lam.
2851 This seems to yield another 17% speed improvement in the array
2852 test from the Peacekeeper benchmark.
2854 * runtime/ArrayPrototype.cpp:
2855 (JSC::isHole): Added. Helper to check for holes.
2856 (JSC::containsHole): Ditto.
2857 (JSC::arrayProtoFuncJoin): Added special cases for the various types
2858 of arrays that could be in a butterfly.
2859 (JSC::arrayProtoFuncReverse): Ditto.
2861 * runtime/JSStringJoiner.h: Made appendEmptyString public so we can
2862 call it from the new parts of Array.join.
2864 2015-06-24 Filip Pizlo <fpizlo@apple.com>
2866 DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear
2867 https://bugs.webkit.org/show_bug.cgi?id=146291
2868 rdar://problem/21435366
2870 Reviewed by Michael Saboff.
2872 The filter() method returns Contradiction only when a value *becomes* clear. This is
2873 necessary for supporting the convention that non-JSValue nodes have a bottom proved
2874 type. (We should fix that convention eventually, but for now let's just be consistent
2877 * dfg/DFGFiltrationResult.h: Document the issue.
2878 * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
2879 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2880 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2881 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2882 * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
2883 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2884 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2885 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2886 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2888 2015-06-24 Michael Saboff <msaboff@apple.com>
2890 Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
2891 https://bugs.webkit.org/show_bug.cgi?id=146285
2893 Reviewed by Filip Pizlo.
2895 CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains
2896 a collection of PolymorphicCallNode. Those PolymorphicCallNodes have a reference back to the
2897 CallLinkInfo. When a CallLinkInfo replaces or clears "stub", the ref count of the
2898 PolymorphicCallStubRoutine is decremented as expected, but since it inherits from
2899 GCAwareJITStubRoutine, it isn't actually deleted until GC. In the mean time, the original
2900 CallLinkInfo can go away. If PolymorphicCallNode::unlink() is called at that point,
2901 it will try to unlink a now deleted CallLinkInfo and crash as a result.
2903 The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects when
2904 when we set a new stub or clear an existing stub for a CallLinkInfo. This is done by
2905 calling PolymorphicCallNode::clearCallNodesFor() on the old stub.
2907 The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor.
2908 This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo.
2909 Any prior PolymorphicCallStubRoutine would still have a, now bad, reference to the CallLinkInfo.
2911 In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
2912 made all the data elements private.
2914 * bytecode/CallLinkInfo.cpp:
2915 (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor()
2916 to clear the back references to this CallLinkInfo.
2917 * bytecode/CallLinkInfo.h:
2918 (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub().
2919 (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub.
2921 2015-06-24 Michael Saboff <msaboff@apple.com>
2923 Refactor CallLinkInfo from a struct to a class
2924 https://bugs.webkit.org/show_bug.cgi?id=146292
2926 Rubber stamped by Filip Pizlo.
2928 Refactored CallLinkInfo from a struct to a class with proper accessors and made all the
2929 data elements private.
2931 Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285.
2933 * bytecode/CallLinkInfo.cpp:
2934 (JSC::CallLinkInfo::clearStub):
2935 (JSC::CallLinkInfo::unlink):
2936 (JSC::CallLinkInfo::visitWeak):
2937 * bytecode/CallLinkInfo.h:
2938 (JSC::CallLinkInfo::callTypeFor):
2939 (JSC::CallLinkInfo::CallLinkInfo):
2940 (JSC::CallLinkInfo::~CallLinkInfo):
2941 (JSC::CallLinkInfo::specializationKindFor):
2942 (JSC::CallLinkInfo::specializationKind):
2943 (JSC::CallLinkInfo::isLinked):
2944 (JSC::CallLinkInfo::setUpCall):
2945 (JSC::CallLinkInfo::setCallLocations):
2946 (JSC::CallLinkInfo::setUpCallFromFTL):
2947 (JSC::CallLinkInfo::callReturnLocation):
2948 (JSC::CallLinkInfo::hotPathBegin):
2949 (JSC::CallLinkInfo::hotPathOther):
2950 (JSC::CallLinkInfo::setCallee):
2951 (JSC::CallLinkInfo::clearCallee):
2952 (JSC::CallLinkInfo::callee):
2953 (JSC::CallLinkInfo::setLastSeenCallee):
2954 (JSC::CallLinkInfo::clearLastSeenCallee):
2955 (JSC::CallLinkInfo::lastSeenCallee):
2956 (JSC::CallLinkInfo::haveLastSeenCallee):
2957 (JSC::CallLinkInfo::setStub):
2958 (JSC::CallLinkInfo::stub):
2959 (JSC::CallLinkInfo::seenOnce):
2960 (JSC::CallLinkInfo::clearSeen):
2961 (JSC::CallLinkInfo::setSeen):
2962 (JSC::CallLinkInfo::hasSeenClosure):
2963 (JSC::CallLinkInfo::setHasSeenClosure):
2964 (JSC::CallLinkInfo::clearedByGC):
2965 (JSC::CallLinkInfo::setCallType):
2966 (JSC::CallLinkInfo::callType):
2967 (JSC::CallLinkInfo::addressOfMaxNumArguments):
2968 (JSC::CallLinkInfo::maxNumArguments):
2969 (JSC::CallLinkInfo::offsetOfSlowPathCount):
2970 (JSC::CallLinkInfo::setCalleeGPR):
2971 (JSC::CallLinkInfo::calleeGPR):
2972 (JSC::CallLinkInfo::slowPathCount):
2973 (JSC::CallLinkInfo::setCodeOrigin):
2974 (JSC::CallLinkInfo::codeOrigin):
2975 (JSC::getCallLinkInfoCodeOrigin):
2976 * bytecode/CallLinkStatus.cpp:
2977 (JSC::CallLinkStatus::computeFor):
2978 (JSC::CallLinkStatus::computeFromCallLinkInfo):
2979 (JSC::CallLinkStatus::computeDFGStatuses):
2980 * bytecode/CallLinkStatus.h:
2981 * bytecode/CodeBlock.cpp:
2982 (JSC::CodeBlock::printCallOp):
2983 (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2984 * dfg/DFGJITCompiler.cpp:
2985 (JSC::DFG::JITCompiler::link):
2986 * dfg/DFGOSRExitCompilerCommon.cpp:
2987 (JSC::DFG::reifyInlinedCallFrames):
2988 * dfg/DFGSpeculativeJIT32_64.cpp:
2989 (JSC::DFG::SpeculativeJIT::emitCall):
2990 * dfg/DFGSpeculativeJIT64.cpp:
2991 (JSC::DFG::SpeculativeJIT::emitCall):
2992 * ftl/FTLJSCallBase.cpp:
2993 (JSC::FTL::JSCallBase::link):
2994 * jit/AccessorCallJITStubRoutine.h:
2996 (JSC::JIT::privateCompile):
2999 (JSC::JIT::compileSetupVarargsFrame):
3000 (JSC::JIT::compileOpCall):
3001 * jit/JITCall32_64.cpp:
3002 (JSC::JIT::compileSetupVarargsFrame):
3003 (JSC::JIT::compileOpCall):
3004 * jit/JITOperations.cpp:
3005 * jit/PolymorphicCallStubRoutine.cpp:
3006 (JSC::PolymorphicCallNode::unlink):
3007 (JSC::PolymorphicCallNode::clearCallLinkInfo):
3008 * jit/PolymorphicCallStubRoutine.h:
3010 (JSC::generateByIdStub):
3015 (JSC::linkPolymorphicCall):
3016 * jit/ThunkGenerators.cpp:
3017 (JSC::virtualForThunkGenerator):
3019 2015-06-24 Doug Russell <d_russell@apple.com>
3021 Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject
3022 when posting a selection notification when on the border between two accessibilityObjects
3023 https://bugs.webkit.org/show_bug.cgi?id=146177
3025 Add an adopt() function to simplify JSRetainPtr<JSStringRef> { Adopt, string } to adopt(string).
3027 Reviewed by Darin Adler.
3029 * API/JSRetainPtr.h:
3032 2015-06-24 Keith Miller <keith_miller@apple.com>
3034 Strict Equality on objects should only check that one of the two sides is an object.
3035 https://bugs.webkit.org/show_bug.cgi?id=145992
3037 This patch adds a new optimization for checking strict equality on objects.
3038 If we speculate that a strict equality comparison has an object on one side
3039 we only need to type check that side. Equality is then determined by a pointer
3040 comparison between the two values (although in the 32-bit case we must also check
3041 that the other side is a cell). Once LICM hoists type checks out of a loop we
3042 can be cleverer about how we choose the operand we type check if both are
3043 speculated to be objects.
3045 For testing I added the addressOf function, which returns the address
3046 of a Cell to the runtime.
3048 Reviewed by Mark Lam.
3050 * dfg/DFGFixupPhase.cpp:
3051 (JSC::DFG::FixupPhase::fixupNode):
3052 * dfg/DFGSpeculativeJIT.cpp:
3053 (JSC::DFG::SpeculativeJIT::compileStrictEq):
3054 * dfg/DFGSpeculativeJIT.h:
3055 * dfg/DFGSpeculativeJIT32_64.cpp:
3056 (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
3057 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
3058 * dfg/DFGSpeculativeJIT64.cpp:
3059 (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
3060 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
3061 * ftl/FTLCapabilities.cpp:
3062 (JSC::FTL::canCompile):
3063 * ftl/FTLLowerDFGToLLVM.cpp:
3064 (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3066 (GlobalObject::finishCreation):
3067 (functionAddressOf):
3068 * tests/stress/equality-type-checking.js: Added.
3071 (checkStrictEqOther):
3073 2015-06-24 Mark Lam <mark.lam@apple.com>
3075 Fixed assertion in JSStringJoiner::join() (regression from r185899).
3079 JSStringJoiner did not account for the case where the array being joined can
3080 have null or undefined elements. As a result, its size may be less than
3081 its initially reserved capacity (which was estimated based on the array length).
3083 * runtime/JSStringJoiner.cpp:
3084 (JSC::JSStringJoiner::join):
3086 2015-06-24 Darin Adler <darin@apple.com>
3088 Fix Array.concat with RuntimeArray (regression from my last patch)
3090 * runtime/ArrayPrototype.cpp:
3091 (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.
3093 * runtime/JSArray.cpp:
3094 (JSC::JSArray::defineOwnProperty): Added comment about use of
3095 JSArray::length here that is incorrect (in a really non-obvious way).
3096 (JSC::JSArray::fillArgList): Ditto.
3097 (JSC::JSArray::copyToArguments): Ditto.
3099 * runtime/JSArray.h: Added a comment explaining that it is not always
3100 safe to use JSArray::length.
3102 2015-06-23 Mark Lam <mark.lam@apple.com>
3104 Gardening: Fixing 2 bad asserts from r185889.
3105 https://bugs.webkit.org/show_bug.cgi?id=140575
3109 * runtime/JSBoundSlotBaseFunction.cpp:
3110 (JSC::JSBoundSlotBaseFunction::finishCreation):
3112 2015-06-23 Dan Bernstein <mitz@apple.com>
3114 Fixed iOS production builds.
3116 * JavaScriptCore.xcodeproj/project.pbxproj:
3118 2015-06-22 Darin Adler <darin@apple.com>
3120 Make Array.join work directly on substrings without reifying them
3121 https://bugs.webkit.org/show_bug.cgi?id=146191
3123 Reviewed by Andreas Kling.
3125 Besides the Array.join change, this has other optimizations based on
3126 profiling the Peacekeeper array benchmark.
3128 I measured a 14% speed improvement in the Peacekeeper array benchmark.
3130 Still a lot of low hanging fruit in that test because so many of functions
3131 on the array prototype are not optimizing for simple cases. For example,
3132 the reverse function does individual get and put calls even when the array
3133 is entirely made up of integers in contiguous storage.
3135 * runtime/ArrayPrototype.cpp:
3136 (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot.
3137 (JSC::argumentClampedIndexFromStartOrEnd): Marked inline.
3138 (JSC::shift): Use the getProperty helper in this file instead of using
3139 getPropertySlot. Use putByIndexInline instead of calling putByIndex directly.
3140 In both cases this can yield a faster code path.
3141 (JSC::unshift): Ditto.
3142 (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner
3143 interface. Changed local variable name to thisArray since it's not a
3144 JSObject*. Changed loop index to i instead of k.
3145 (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner
3146 interface. Renamed thisObj to thisObject. Added a missing exception check
3147 after the toLocaleString function is called, but before toString is called
3148 the result of that function.
3149 (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJointer interface.
3150 Added a missing exception check after calling toString on the separator
3151 but before calling get to get the first element in the array-like object
3152 being joined. Changed loop index to i instead of k. Added missing exception
3153 check after calling toString on each string from the array before calling
3154 get for the next element.
3155 (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the
3157 (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline.
3158 (JSC::arrayProtoFuncShift): Ditto.
3159 (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some
3160 additional optimizations.
3161 (JSC::getOrHole): Deleted. Unused function.
3162 (JSC::arrayProtoFuncUnShift): Use putByIndexInline.
3164 * runtime/ExceptionHelpers.cpp:
3165 (JSC::errorDescriptionForValue): Removed the duplicate copy of the the logic
3166 from JSValue::toString.
3168 * runtime/JSCJSValue.cpp:
3169 (JSC::JSValue::toStringSlowCase): Improved the performance when converting a
3170 small integer to a single character string.
3171 (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the
3172 inlineJSValueNotStringtoString function here.
3173 * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed
3174 a comment with a typo.
3176 * runtime/JSObject.h:
3177 (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not
3178 getting inlined at some call sites.
3179 (JSC::JSObject::indexingData): Deleted. Unused function.
3180 (JSC::JSObject::currentIndexingData): Deleted. Unused function.
3181 (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function.
3182 (JSC::JSObject::relevantLength): Deleted. Unused function.
3183 (JSC::JSObject::currentRelevantLength): Deleted. Unused function.
3185 * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and
3186 the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString
3187 and toWTFStringInline functions.
3189 * runtime/JSStringJoiner.cpp:
3190 (JSC::appendStringToData): Changed this to be a template instead of writing
3191 it out, since StringView::getCharactersWithUpconvert does almsot exactly what
3192 this function was trying to do.
3193 (JSC::joinStrings): Rewrote this to use StringView.
3194 (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function.
3195 (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion
3196 that we entirely filled capacity, since we are now reserving capacity and using
3197 uncheckedAppend. Use String instead of RefPtr<StringImpl> because there was no
3198 particular value to using the impl directly.
3200 * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView.
3201 Also changed this class so it now has the responsibility to convert each JSValue
3202 into a string. This let us share more code between toString and join, and also
3203 lets us use the new viewWithUnderlyingString function, which could be confusing at
3204 all the call sites, but is easier to understand here.
3206 2015-06-23 Matthew Mirman <mmirman@apple.com>
3208 Completes native binding descriptors with native getters and potentially setters.
3209 https://bugs.webkit.org/show_bug.cgi?id=140575
3210 rdar://problem/19506502
3212 Reviewed by Mark Lam.
3214 * CMakeLists.txt: Added JSBoundSlotBaseFunction.cpp
3215 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3216 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3217 * JavaScriptCore.xcodeproj/project.pbxproj:
3218 * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter.
3219 * runtime/JSBoundSlotBaseFunction.cpp: Added.
3220 (JSC::boundSlotBaseFunctionCall):
3221 (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):
3222 Necessary wrapper for custom getters and setters as objects.
3223 (JSC::JSBoundSlotBaseFunction::create):
3224 (JSC::JSBoundSlotBaseFunction::visitChildren):
3225 (JSC::JSBoundSlotBaseFunction::finishCreation):
3226 * runtime/JSBoundSlotBaseFunction.h: Added.
3227 (JSC::JSBoundSlotBaseFunction::createStructure):
3228 (JSC::JSBoundSlotBaseFunction::boundSlotBase):
3229 (JSC::JSBoundSlotBaseFunction::customGetterSetter):
3230 (JSC::JSBoundSlotBaseFunction::isGetter):
3231 * runtime/JSGlobalObject.cpp:
3232 (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction
3233 (JSC::JSGlobalObject::visitChildren): visits that structure
3234 * runtime/JSGlobalObject.h:
3235 (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): added a getter for that structure
3236 * runtime/JSObject.cpp:
3237 (JSC::JSObject::getOwnPropertyDescriptor): extends the case for CustomGetterSetter to
3238 actually include GetterSetter as a JSBoundSlotBaseFunction
3239 * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap
3240 * runtime/VM.h: Added cache for JSBoundSlotBaseFunction
3242 2015-06-22 Yusuke Suzuki <utatane.tea@gmail.com>
3244 [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern
3245 https://bugs.webkit.org/show_bug.cgi?id=146192
3247 Reviewed by Darin Adler.
3249 According to the ES6 spec, trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed.
3250 And empty ArrayBindingPattern and ObjectBindingPattern is also allowed.
3252 This patch allows trailing comma and empty binding patterns.
3254 * bytecompiler/NodesCodegen.cpp:
3255 (JSC::ArrayPatternNode::bindValue):
3256 * parser/Parser.cpp:
3257 (JSC::Parser<LexerType>::parseDeconstructionPattern):
3258 * tests/stress/trailing-comma-in-patterns.js: Added.
3262 2015-06-20 Yusuke Suzuki <utatane.tea@gmail.com>
3264 [ES6] Destructuring assignment need to accept iterables
3265 https://bugs.webkit.org/show_bug.cgi?id=144111
3267 Reviewed by Darin Adler.
3269 This patch makes that destructuring assignments to array binding patterns accept iterables.
3270 Previously, it just access the indexed properties.
3271 After this patch, it iterates the given value by using ES6 iterator protocol.
3273 The iteration becomes different from the for-of case.
3274 1. Since there's no break/continue case, finally scope is not necessary.
3275 2. When the error is raised, the close status of the iterator becomes true. So IteratorClose is not called for that.
3276 3. Since the array binding patterns requires a limited count of iterations (if there is no rest(...rest) case), IteratorClose is called when the iteration does not consume the all values of the iterator.
3277 4. Since the array binding patterns requires a specified count of iterations, iterator's next call is skipped when iterator becomes closed.
3279 * bytecompiler/BytecodeGenerator.cpp:
3280 (JSC::BytecodeGenerator::emitIteratorClose):
3281 * bytecompiler/BytecodeGenerator.h:
3282 * bytecompiler/NodesCodegen.cpp:
3283 (JSC::ArrayPatternNode::bindValue):
3284 * parser/ASTBuilder.h:
3285 (JSC::ASTBuilder::finishArrayPattern):
3287 * parser/Parser.cpp:
3288 (JSC::Parser<LexerType>::parseDeconstructionPattern):
3289 * parser/SyntaxChecker.h:
3290 (JSC::SyntaxChecker::operatorStackPop):
3291 * tests/stress/destructuring-assignment-accepts-iterables.js: Added.
3296 2015-06-19 Devin Rousso <drousso@apple.com>
3298 Web Inspector: Highlight currently edited CSS selector
3299 https://bugs.webkit.org/show_bug.cgi?id=145658
3301 Reviewed by Joseph Pecoraro.
3303 * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes.
3305 2015-06-19 Mark Lam <mark.lam@apple.com>
3307 Gardening: fix build for EWS bots.
3311 * runtime/JSArray.cpp:
3312 (JSC::JSArray::setLengthWithArrayStorage):
3314 2015-06-19 Michael Saboff <msaboff@apple.com>
3316 Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225
3317 https://bugs.webkit.org/show_bug.cgi?id=146133
3319 Reviewed by Geoffrey Garen.
3321 When generating code to put in inline caching areas, if there isn't enough space,
3322 then create and link to an out of line area. We connect the inline code to this
3323 out of line code area by planting a jump from the inline area to the out of line
3324 code and appending a jump at the end of the out of line code bck to the instruction
3325 following the inline area. We fill the unused inline area with nops, primarily to
3326 ensure the disassembler doesn't get confused.
3328 * ftl/FTLCompile.cpp:
git://git.webkit.org / WebKit-https.git / blob