2017-09-15  Saam Barati  <sbarati@apple.com>

        Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
        https://bugs.webkit.org/show_bug.cgi?id=176981

        Reviewed by Yusuke Suzuki.

        This patch makes inline arity fixup happen in two phases:
        1. We get all the values we need and MovHint them to the expected locals.
        2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
           frame is already set up. If any SetLocal exits, we have a valid exit state.
        This is required because if we didn't do this in two phases, we may exit in
        the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
        we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
        of the frame right before exiting. For example, consider if we need to pad two args:
        [arg3][arg2][arg1][arg0]
        [fix ][fix ][arg3][arg2][arg1][arg0]
        We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
        for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
        [arg3][arg2][arg1][arg2][arg1][arg0]
        And the caller would then just end up thinking its arguments are:
        [arg3][arg2][arg1][arg2]
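        A small C++ model of the hazard described above, added here and not part of this patch or of JSC: a frame is a vector of int slots, the caller's arguments occupy slots [0, argc), and the inlined callee's argument i is placed at slot i + pad, so the two regions overlap just as the memcpy does. onePhaseFixup stores under the caller's exit state; twoPhaseFixup records every value first and commits under the callee's; both run the same per-argument check, and the function and type names are the model's own.

```cpp
#include <cassert>
#include <cstddef>
#include <functional>
#include <iostream>
#include <vector>

// Hypothetical model, not JSC code. UNDEFINED stands for the padding an
// inlined callee expects for arguments the caller did not pass.
constexpr int UNDEFINED = -1;
using Frame = std::vector<int>;

// Speculation check run before each SetLocal; returning false means "OSR exit".
using Check = std::function<bool(std::size_t argIndex, int value)>;

struct Outcome {
    bool exited;
    Frame args; // argument view seen by whoever runs next: the caller after an exit, else the callee
};

// One-phase fixup: move each argument into its callee slot while the exit state
// still describes the caller. Stores run from the highest argument down so a
// completed move is correct, but an exit after more than `pad` stores has
// already overwritten part of the caller's [0, argc) region, and that
// corrupted region is what the exit handler hands back to the caller.
Outcome onePhaseFixup(Frame slots, std::size_t argc, std::size_t pad, const Check& check)
{
    slots.resize(argc + 2 * pad, UNDEFINED); // room for the callee's padded arguments
    for (std::size_t i = argc; i-- > 0;) {
        int value = slots[i];
        if (!check(i, value))
            return { true, Frame(slots.begin(), slots.begin() + argc) }; // caller's arguments
        slots[i + pad] = value;
    }
    return { false, Frame(slots.begin() + pad, slots.end()) }; // callee's arguments
}

// Two-phase fixup: phase 1 reads every argument before any slot is written and
// records it (the MovHint); phase 2 commits the stores under the callee's exit
// state. If a check fails, the exit handler rebuilds the callee frame from the
// recorded values, not from the half-written slots, so it is always complete.
Outcome twoPhaseFixup(Frame slots, std::size_t argc, std::size_t pad, const Check& check)
{
    Frame hinted(slots.begin(), slots.begin() + argc); // phase 1: MovHint every value
    slots.resize(argc + 2 * pad, UNDEFINED);
    for (std::size_t i = argc; i-- > 0;) { // phase 2: SetLocal under the callee's origin
        if (!check(i, hinted[i])) {
            Frame callee = hinted;
            callee.resize(argc + pad, UNDEFINED);
            return { true, callee }; // exit handler rebuilds the callee frame from the hints
        }
        slots[i + pad] = hinted[i];
    }
    return { false, Frame(slots.begin() + pad, slots.end()) };
}

int main()
{
    // Constructed sample: four caller arguments, two padding slots, exit at arg0's check.
    Frame caller { 10, 20, 30, 40 };
    Check exitAtArg0 = [](std::size_t i, int) { return i != 0; };
    Outcome one = onePhaseFixup(caller, 4, 2, exitAtArg0);
    Outcome two = twoPhaseFixup(caller, 4, 2, exitAtArg0);
    std::cout << "one-phase caller view after exit:";
    for (int v : one.args) std::cout << ' ' << v; // 10 20 30 20: arg3 has been clobbered
    std::cout << "\ntwo-phase callee frame after exit:";
    for (int v : two.args) std::cout << ' ' << v; // 10 20 30 40 -1 -1: complete
    std::cout << '\n';
    return 0;
}
```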

        This patch also fixes a couple of bugs in IdentityWithProfile:
        1. The bytecode generator for this bytecode intrinsic was written incorrectly.
           It needed to store the result of evaluating its argument in a temporary that
           it creates. Otherwise, it might try to simply overwrite a constant
           or a register that it didn't own.
        2. We weren't eliminating this node in CSE inside the DFG.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGCSEPhase.cpp:

2017-09-15  JF Bastien  <jfbastien@apple.com>

        WTF: use Forward.h when appropriate instead of Vector.h
        https://bugs.webkit.org/show_bug.cgi?id=176984

        Reviewed by Saam Barati.

        There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.

        * bytecode/HandlerInfo.h:
        * heap/GCIncomingRefCounted.h:
        * heap/GCSegmentedArray.h:
        * wasm/js/JSWebAssemblyModule.h:

2017-09-14  Saam Barati  <sbarati@apple.com>

        We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
        https://bugs.webkit.org/show_bug.cgi?id=176863

        Reviewed by Keith Miller.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):

2017-09-14  Saam Barati  <sbarati@apple.com>

        Make dumping the graph print both when exitOK and when !exitOK
        https://bugs.webkit.org/show_bug.cgi?id=176954

        Reviewed by Keith Miller.

        (JSC::DFG::Graph::dump):

2017-09-14  Saam Barati  <sbarati@apple.com>

        It should be valid to exit before each set when doing arity fixup when inlining
        https://bugs.webkit.org/show_bug.cgi?id=176948

        Reviewed by Keith Miller.

        This patch makes it so that we can exit before each SetLocal when doing arity
        fixup during inlining. This is OK because if we exit at any of these SetLocals,
        we will simply exit to the beginning of the call instruction.

        Not doing this led to a bug where FixupPhase would insert a ValueRep of
        a node before the actual node. This is obviously invalid IR. I've added
        a new validation rule to catch this malformed IR.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        * dfg/DFGValidate.cpp:

2017-09-14  Mark Lam  <mark.lam@apple.com>

        AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
        https://bugs.webkit.org/show_bug.cgi?id=176874
        <rdar://problem/34436415>

        Reviewed by Saam Barati.

        1. Make Probe::Stack play nice with ASan by:

           a. using a local memcpy implementation that suppresses ASan on ASan builds.
              We don't want to use std::memcpy() which validates stack memory because
              we are intentionally copying stack memory beyond the current frame.

           b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
              This ensures that Page::flushWrites() only writes stack memory that was
              modified by a probe. The probes should only modify stack memory that
              belongs to JSC stack data structures. We don't want to inadvertently
              modify adjacent words that may belong to ASan (which may happen if
              s_chunkSize is larger than sizeof(uintptr_t)).

           c. fixing a bug in Page dirtyBits management for when the size of the value to
              write is greater than s_chunkSize. The fix is generic, but in practice,
              this currently only manifests on 32-bit ASan builds because
              sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit

           d. making Page::m_dirtyBits 64 bits always. This maximizes the number of
              s_chunksPerPage we can have even on ASan builds.

        2. Fixed the bottommost Probe::Context and Probe::Stack get/set methods to use
           std::memcpy to avoid strict aliasing issues.

        3. Optimized the implementation of Page::physicalAddressFor().

        4. Optimized the implementation of Stack::set() in the recording of the low
           watermark. We just record the lowest raw pointer now, and only compute the
           alignment to its chunk boundary later when the low watermark is requested.

        5. Changed a value in testmasm to make the test less vulnerable to rounding issues.

        No new test needed because this is already covered by testmasm with ASan enabled.
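        An added C++ model of the dirty-bit bookkeeping in items 1.b through 1.d and the memcpy of item 2; it is not JSC's Probe::Page, and pageSize, the method names and the sample values are the model's own. It shows why marking only the first chunk of a write wider than the chunk size loses the tail of the value when flushWrites() copies dirty chunks back to the real stack.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Hypothetical model, not JSC's Probe::Page. A page caches a copy of a stack
// region, records which chunks a probe wrote in a 64-bit mask (item 1.d: at
// most 64 chunks per page), and flushWrites() copies only those chunks back
// (item 1.b: never touch words the probe did not modify).
struct ModelPage {
    static constexpr std::size_t pageSize = 64;
    std::size_t chunkSize;        // e.g. sizeof(uintptr_t) == 4 on a 32-bit ASan build
    std::vector<uint8_t> copy;    // cached page contents
    uint64_t dirtyBits = 0;

    ModelPage(const uint8_t* stack, std::size_t chunk)
        : chunkSize(chunk), copy(stack, stack + pageSize)
    {
        assert(chunk > 0 && pageSize / chunk <= 64);
    }

    // Before the fix (item 1.c): only the chunk holding the first byte is marked,
    // so a value wider than chunkSize leaves its tail chunk(s) clean and unflushed.
    void setBeforeFix(std::size_t offset, const void* value, std::size_t size)
    {
        assert(size > 0 && offset + size <= pageSize);
        std::memcpy(copy.data() + offset, value, size);
        dirtyBits |= uint64_t(1) << (offset / chunkSize);
    }

    // After the fix: mark every chunk that [offset, offset + size) touches,
    // including a partially covered last chunk when the write is unaligned.
    void setAfterFix(std::size_t offset, const void* value, std::size_t size)
    {
        assert(size > 0 && offset + size <= pageSize);
        std::memcpy(copy.data() + offset, value, size);
        std::size_t first = offset / chunkSize;
        std::size_t last = (offset + size - 1) / chunkSize;
        for (std::size_t chunk = first; chunk <= last; ++chunk)
            dirtyBits |= uint64_t(1) << chunk;
    }

    // Write back only the dirty chunks.
    void flushWrites(uint8_t* stack) const
    {
        for (std::size_t chunk = 0; chunk < pageSize / chunkSize; ++chunk) {
            if (dirtyBits & (uint64_t(1) << chunk))
                std::memcpy(stack + chunk * chunkSize, copy.data() + chunk * chunkSize, chunkSize);
        }
    }
};

// Dirty mask left by a single write of `size` bytes at `offset`, using the
// pre-fix or post-fix marking rule.
uint64_t dirtyBitsAfterWrite(bool fixed, std::size_t offset, std::size_t size, std::size_t chunk)
{
    uint8_t stack[ModelPage::pageSize] = {};
    ModelPage page(stack, chunk);
    std::vector<uint8_t> value(size, 0xAB); // constructed payload
    if (fixed)
        page.setAfterFix(offset, value.data(), size);
    else
        page.setBeforeFix(offset, value.data(), size);
    return page.dirtyBits;
}

// Writes a 64-bit value through a page with a 4-byte chunk (the 32-bit ASan
// case from item 1.c) and reports whether the whole value reached the stack.
bool wholeValueReachesStack(bool fixed)
{
    uint8_t stack[ModelPage::pageSize] = {};
    ModelPage page(stack, 4);
    const uint64_t value = 0x1122334455667788ull; // constructed sample value
    if (fixed)
        page.setAfterFix(4, &value, sizeof value);
    else
        page.setBeforeFix(4, &value, sizeof value);
    page.flushWrites(stack);
    uint64_t readBack = 0;
    std::memcpy(&readBack, stack + 4, sizeof readBack); // memcpy, not a type-punned load (item 2)
    return readBack == value;
}

int main()
{
    std::cout << "before fix, 64-bit value fully flushed: " << wholeValueReachesStack(false) << '\n'; // 0
    std::cout << "after fix,  64-bit value fully flushed: " << wholeValueReachesStack(true) << '\n';  // 1
    return 0;
}
```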

        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr const):
        (JSC::Probe::CPUState::spr const):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::gpr const):
        (JSC::Probe::Context::spr const):
        (JSC::Probe::Context::fpr const):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe:: const): Deleted.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::copyStackPage):
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesStackValues):

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
        https://bugs.webkit.org/show_bug.cgi?id=176917

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):

2017-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
        https://bugs.webkit.org/show_bug.cgi?id=176867

        Reviewed by Sam Weinig.

        We rarely require private symbols when enumerating property names.
        This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
        is specified, PropertyNameArray does not include private symbols.
        This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.

        One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
        It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.

        object-get-own-property-symbols 48.6275+-1.0021 ^ 38.1846+-1.7934 ^ definitely 1.2735x faster

        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * runtime/EnumerationMode.h:
        * runtime/IntlObject.cpp:
        (JSC::supportedLocales):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::Holder::appendNextProperty):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::propertyNameMode const):
        (JSC::PropertyNameArray::privateSymbolMode const):
        (JSC::PropertyNameArray::addUncheckedInternal):
        (JSC::PropertyNameArray::addUnchecked):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::isUidMatchedToTypeMode):
        (JSC::PropertyNameArray::includeSymbolProperties const):
        (JSC::PropertyNameArray::includeStringProperties const):
        (JSC::PropertyNameArray::mode const): Deleted.
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):

2017-09-13  Mark Lam  <mark.lam@apple.com>

        Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%.
        https://bugs.webkit.org/show_bug.cgi?id=176888
        <rdar://problem/34381832>

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/ProbeContext.h:
        (JSC::Probe:: const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::CPUState::gpr const): Deleted.
        (JSC::Probe::CPUState::spr const): Deleted.
        (JSC::Probe::Context::arg): Deleted.
        (JSC::Probe::Context::gpr const): Deleted.
        (JSC::Probe::Context::spr const): Deleted.
        (JSC::Probe::Context::fpr const): Deleted.
        * assembler/ProbeFrame.h: Removed.
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Page::Page):
        * assembler/ProbeStack.h:
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        * bytecode/ArithProfile.cpp:
        * bytecode/ArithProfile.h:
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::observeArrayMode): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfOSRExitCounter):
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted.
        (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted.
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        (JSC::DFG::compileImpl):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const):
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExit::correctJump):
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        (JSC::DFG::jsValueFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFor): Deleted.
        (JSC::DFG::saveCalleeSavesFor): Deleted.
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
        (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
        (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
        (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
        (JSC::DFG::emitRestoreArguments): Deleted.
        (JSC::DFG::OSRExit::executeOSRExit): Deleted.
        (JSC::DFG::reifyInlinedCallFrames): Deleted.
        (JSC::DFG::adjustAndJumpToTarget): Deleted.
        (JSC::DFG::printOSRExit): Deleted.
        (JSC::DFG::OSRExitState::OSRExitState): Deleted.
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrExitThunkGenerator): Deleted.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * profiler/ProfilerOSRExit.h:
        (JSC::Profiler::OSRExit::incCount): Deleted.
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move class/struct used in other class' member out of anonymous namespace
        https://bugs.webkit.org/show_bug.cgi?id=176876

        Reviewed by Saam Barati.

        GCC warns if a class has a base or field whose type uses the anonymous namespace
        and it is defined in an included file. This is because this possibly violates
        the one definition rule (ODR): if an included file has the anonymous namespace, each
        translation unit creates its private anonymous namespace. Thus, each type
        inside the anonymous namespace becomes different in each translation unit if
        the file is included in multiple translation units.

        While the current use in JSC is not violating ODR since these cpp files are included
        only once for unified sources, specifying `-Wno-subobject-linkage` could miss
        the actual bugs. So, in this patch, we just move related classes/structs out of
        the anonymous namespace.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const):
        (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const):
        (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const):
        * dfg/DFGLICMPhase.cpp:

2017-09-13  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Event Listeners section does not update when listeners are added/removed
        https://bugs.webkit.org/show_bug.cgi?id=170570
        <rdar://problem/31501645>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not
        contain any information about the event listeners that were added/removed. They serve more
        as indications that something has changed, and to refetch the data again via `getEventListenersForNode`.

2017-09-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix Array allocation in Object.keys
        https://bugs.webkit.org/show_bug.cgi?id=176826

        Reviewed by Saam Barati.

        When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous.
        We check isHavingABadTime() in ownPropertyKeys fast path.
        And we also ensure that ownPropertyKeys uses putDirect operation instead of put by a test.

        * runtime/ObjectConstructor.cpp:
        (JSC::ownPropertyKeys):

2017-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Optimize WeakMap::get by adding intrinsic and fixup
        https://bugs.webkit.org/show_bug.cgi?id=176010

        Reviewed by Filip Pizlo.

        It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
        It is used for meta property for objects (see peekMeta function in Ember.js).

        This patch optimizes WeakMap#get.

        1. We use inlineGet to inline WeakMap#get operation in the native function.
           Since this native function itself is very small, we should inline HashMap#get
           entirely in this function.

        2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
           very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
           to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
           ObjectUse, and Int32Use.

        3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
           calculate hash value for the key's Object and use this hash value to look up value from
           JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
           It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
           But anyway, the current one already optimizes the performance, so we leave this for the subsequent

        We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are
        not used in Ember.js right now.

        This patch optimizes WeakMap#get by 50%.

        weak-map-key 88.6456+-3.9564 ^ 59.1502+-2.2406 ^ definitely 1.4987x faster

        * bytecode/DirectEvalCodeCache.h:
        (JSC::DirectEvalCodeCache::tryGet):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
        (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::WeakMapHash::hash):
        (JSC::WeakMapHash::equal):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSWeakMap.h:
        * runtime/JSWeakSet.h:
        * runtime/WeakMapBase.cpp:
        (JSC::WeakMapBase::get):
        * runtime/WeakMapBase.h:
        (JSC::WeakMapBase::HashTranslator::hash):
        (JSC::WeakMapBase::HashTranslator::equal):
        (JSC::WeakMapBase::inlineGet):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::protoFuncWeakMapGet):
        * runtime/WeakSetPrototype.cpp:

2017-09-12  Keith Miller  <keith_miller@apple.com>

        Rename JavaScriptCore CMake unifiable sources list
        https://bugs.webkit.org/show_bug.cgi?id=176823

        Reviewed by Joseph Pecoraro.

        This patch also changes the error message when the unified source
        bundler fails to be more accurate.

2017-09-12  Keith Miller  <keith_miller@apple.com>

        Do unified source builds for JSC
        https://bugs.webkit.org/show_bug.cgi?id=176076

        Reviewed by Geoffrey Garen.

        This patch switches the CMake JavaScriptCore build to use unified sources.
        The Xcode build will be upgraded in a follow up patch.

        Most of the source changes in this patch are fixing static
        variable/functions name collisions. The most common collisions
        were from our use of "static const bool verbose" and "using
        namespace ...". I fixed all the verbose cases and fixed the "using
        namespace" issues that occurred under the current bundling
        strategy. It's likely that more of the "using namespace" issues
        will need to be resolved in the future, particularly in the FTL.

        I don't expect either of these problems will apply to other parts
        of the project nearly as much as in JSC. Using a verbose variable
        is a JSC idiom and JSC tends to use the same, canonical, class name
        in multiple parts of the engine.

        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::generate):
        (JSC::B3::Air::numB3Args): Deleted.
        * b3/B3DuplicateTails.cpp:
        * b3/B3EliminateCommonSubexpressions.cpp:
        (JSC::B3::demoteValues):
        * b3/B3FoldPathConstants.cpp:
        * b3/B3InferSwitches.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::LowerToAir): Deleted.
        (JSC::B3::Air::LowerToAir::run): Deleted.
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted.
        (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted.
        (JSC::B3::Air::LowerToAir::tmp): Deleted.
        (JSC::B3::Air::LowerToAir::tmpPromise): Deleted.
        (JSC::B3::Air::LowerToAir::canBeInternal): Deleted.
        (JSC::B3::Air::LowerToAir::commitInternal): Deleted.
        (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
        (JSC::B3::Air::LowerToAir::scaleForShl): Deleted.
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        (JSC::B3::Air::LowerToAir::addr): Deleted.
        (JSC::B3::Air::LowerToAir::trappingInst): Deleted.
        (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::loadPromise): Deleted.
        (JSC::B3::Air::LowerToAir::imm): Deleted.
        (JSC::B3::Air::LowerToAir::bitImm): Deleted.
        (JSC::B3::Air::LowerToAir::bitImm64): Deleted.
        (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
        (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted.
        (JSC::B3::Air::LowerToAir::opcodeForType): Deleted.
        (JSC::B3::Air::LowerToAir::appendUnOp): Deleted.
        (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted.
        (JSC::B3::Air::LowerToAir::appendBinOp): Deleted.
        (JSC::B3::Air::LowerToAir::appendShift): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted.
        (JSC::B3::Air::LowerToAir::createStore): Deleted.
        (JSC::B3::Air::LowerToAir::storeOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::appendStore): Deleted.
        (JSC::B3::Air::LowerToAir::moveForType): Deleted.
        (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted.
        (JSC::B3::Air::LowerToAir::print): Deleted.
        (JSC::B3::Air::LowerToAir::append): Deleted.
        (JSC::B3::Air::LowerToAir::appendTrapping): Deleted.
        (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted.
        (JSC::B3::Air::LowerToAir::newBlock): Deleted.
        (JSC::B3::Air::LowerToAir::splitBlock): Deleted.
        (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted.
        (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted.
        (JSC::B3::Air::LowerToAir::fillStackmap): Deleted.
        (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted.
        (JSC::B3::Air::LowerToAir::createBranch): Deleted.
        (JSC::B3::Air::LowerToAir::createCompare): Deleted.
        (JSC::B3::Air::LowerToAir::createSelect): Deleted.
        (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted.
        (JSC::B3::Air::LowerToAir::appendX86Div): Deleted.
        (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted.
        (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted.
        (JSC::B3::Air::LowerToAir::appendCAS): Deleted.
        (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted.
        (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted.
        (JSC::B3::Air::LowerToAir::lower): Deleted.
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::generate):
        * b3/B3ReduceDoubleToFloat.cpp:
        (JSC::B3::reduceDoubleToFloat):
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapGenerationParams.cpp:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repsImpl):
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStackByGraphColoring.cpp:
        (JSC::B3::Air::allocateStackByGraphColoring):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirStackAllocation.cpp:
        (JSC::B3::Air::attemptAssignment):
        (JSC::B3::Air::assign):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::store):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::merge):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::compute):
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::decorateMemory):
        (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
        (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
        (JSC::FTL::AbstractHeapRepository::decorateFenceRead):
        (JSC::FTL::AbstractHeapRepository::decorateFenceWrite):
        (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::add):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):
        (JSC::BinarySwitch::build):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::loadStats):
        (JSC::LLInt::Data::saveStats):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        * runtime/ErrorInstance.cpp:
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::doWork):
        (JSC::PromiseDeferredTimer::addPendingPromise):
        (JSC::PromiseDeferredTimer::cancelPendingPromise):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::insertNewLocation):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapDelete):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        (JSC::protoFuncWeakMapSet):
        (JSC::getWeakMapData): Deleted.
        * runtime/WeakSetPrototype.cpp:
        (JSC::protoFuncWeakSetDelete):
        (JSC::protoFuncWeakSetHas):
        (JSC::protoFuncWeakSetAdd):
        (JSC::getWeakMapData): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::moveToState):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::OMGPlan):
        (JSC::Wasm::OMGPlan::work):
        (JSC::Wasm::Plan::fail):
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::SignatureInformation::adopt):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::enqueue):
779 2017-09-12 Michael Saboff <msaboff@apple.com>
781 String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp
782 https://bugs.webkit.org/show_bug.cgi?id=176814
784 Reviewed by Mark Lam.
786 The copy and advance indices were off by one and needed a little fine tuning.
788 * runtime/StringPrototype.cpp:
789 (JSC::substituteBackreferencesSlow):
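The substitution rules the fix above has to honour, as an added JavaScript reference implementation of the ECMAScript GetSubstitution steps (this is illustration code, not WebKit's substituteBackreferencesSlow; the function names are my own): with no named groups in the RegExp, "$<name>" is copied literally and only the two characters "$<" are consumed, so no extra "<" can appear.

```javascript
// Added illustration, not WebKit code: a reference implementation of the
// ECMAScript GetSubstitution rules that String.prototype.replace applies to a
// replacement template. When the RegExp has no named groups, a "$<name>"
// reference is copied literally and exactly two characters ("$<") are consumed.

function isDigit(ch) {
  return ch >= "0" && ch <= "9";
}

// matched: the matched substring; str: the whole input; position: match offset;
// captures: numbered captures (undefined for unmatched groups);
// namedCaptures: the match's groups object, or undefined when the RegExp has none.
function expandReplacement(matched, str, position, captures, namedCaptures, template) {
  let result = "";
  let i = 0;
  while (i < template.length) {
    const ch = template[i];
    if (ch !== "$" || i + 1 >= template.length) {
      result += ch;
      i += 1;
      continue;
    }
    const next = template[i + 1];
    if (next === "$") {
      result += "$";
      i += 2;
    } else if (next === "&") {
      result += matched;
      i += 2;
    } else if (next === "`") {
      result += str.slice(0, position);
      i += 2;
    } else if (next === "'") {
      result += str.slice(position + matched.length);
      i += 2;
    } else if (isDigit(next)) {
      // "$n" or "$nn"; a two-digit index above the capture count is read as
      // a one-digit reference followed by a literal digit.
      let digits = next;
      if (i + 2 < template.length && isDigit(template[i + 2])) digits += template[i + 2];
      let index = Number(digits);
      if (index > captures.length && digits.length === 2) {
        digits = digits[0];
        index = Number(digits);
      }
      if (index >= 1 && index <= captures.length) {
        const capture = captures[index - 1];
        result += capture === undefined ? "" : capture;
      } else {
        result += "$" + digits; // out of range: the reference stays literal
      }
      i += 1 + digits.length;
    } else if (next === "<") {
      const close = template.indexOf(">", i + 2);
      if (close === -1 || namedCaptures === undefined) {
        // No named groups (or no closing ">"): only "$<" is consumed; the
        // group name and ">" are then copied as ordinary characters.
        result += "$<";
        i += 2;
      } else {
        const capture = namedCaptures[template.slice(i + 2, close)];
        result += capture === undefined ? "" : String(capture);
        i = close + 1;
      }
    } else {
      result += "$"; // a lone "$" is literal
      i += 1;
    }
  }
  return result;
}

// Replace the first match of `re` in `str` using the rules above; for a
// non-global RegExp the result must equal str.replace(re, template).
function replaceFirst(str, re, template) {
  const m = re.exec(str);
  if (m === null) return str;
  const expanded = expandReplacement(m[0], str, m.index, m.slice(1), m.groups, template);
  return str.slice(0, m.index) + expanded + str.slice(m.index + m[0].length);
}

// The case from the bug report: a named reference with no named captures.
console.log(replaceFirst("abc", /b/, "$<x>")); // a$<x>c
```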
791 2017-09-11 Mark Lam <mark.lam@apple.com>
793 More exception check book-keeping needed found by 32-bit JSC test failures.
794 https://bugs.webkit.org/show_bug.cgi?id=176742
796 Reviewed by Michael Saboff and Keith Miller.
798 * dfg/DFGOperations.cpp:
800 2017-09-11 Mark Lam <mark.lam@apple.com>
802 Make jsc dump the command line if the JSC_dumpOption environment variable is set to a non-zero value.
803 https://bugs.webkit.org/show_bug.cgi?id=176722
805 Reviewed by Saam Barati.
807 For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are
808 in effect when jsc is invoked.
811 (CommandLine::parseArguments):
813 2017-09-11 Ryan Haddad <ryanhaddad@apple.com>
815 Unreviewed, rolling out r221854.
817 The test added with this change fails on 32-bit JSC bots.
821 "[DFG] Optimize WeakMap::get by adding intrinsic and fixup"
822 https://bugs.webkit.org/show_bug.cgi?id=176010
823 http://trac.webkit.org/changeset/221854
825 2017-09-03 Yusuke Suzuki <utatane.tea@gmail.com>
827 [DFG] Optimize WeakMap::get by adding intrinsic and fixup
828 https://bugs.webkit.org/show_bug.cgi?id=176010
830 Reviewed by Filip Pizlo.
832 It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get.
833 It is used for meta property for objects (see peekMeta function in Ember.js).
835 This patch optimizes WeakMap#get.
837 1. We use inlineGet to inline WeakMap#get operation in the native function.
838 Since this native function itself is very small, we should inline HashMap#get
839 entirely in this function.
841 2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()`
842 very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse
843 to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse,
844 ObjectUse, and Int32Use.
846 3. We add an intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to
847 calculate the hash value for the key's Object and use this hash value to look up the value in
848 JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL.
849 It is worth considering implementing this operation entirely in the JIT, like GetMapBucket.
850 But anyway, the current one already optimizes the performance, so we leave this for the subsequent
853 We currently do not implement any other intrinsics (like WeakMap#has or WeakSet) because they are
854 not used in Ember.js right now.
856 This patch optimizes WeakMap#get by 50%.
860 weak-map-key 88.6456+-3.9564 ^ 59.1502+-2.2406 ^ definitely 1.4987x faster
862 * bytecode/DirectEvalCodeCache.h:
863 (JSC::DirectEvalCodeCache::tryGet):
864 * bytecode/SpeculatedType.cpp:
865 (JSC::dumpSpeculation):
866 (JSC::speculationFromClassInfo):
867 (JSC::speculationFromJSType):
868 (JSC::speculationFromString):
869 * bytecode/SpeculatedType.h:
870 * dfg/DFGAbstractInterpreterInlines.h:
871 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
872 * dfg/DFGByteCodeParser.cpp:
873 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
874 * dfg/DFGClobberize.h:
875 (JSC::DFG::clobberize):
878 * dfg/DFGFixupPhase.cpp:
879 (JSC::DFG::FixupPhase::fixupNode):
880 * dfg/DFGHeapLocation.cpp:
881 (WTF::printInternal):
882 * dfg/DFGHeapLocation.h:
884 (JSC::DFG::Node::hasHeapPrediction):
886 * dfg/DFGOperations.cpp:
887 * dfg/DFGOperations.h:
888 * dfg/DFGPredictionPropagationPhase.cpp:
889 * dfg/DFGSafeToExecute.h:
890 (JSC::DFG::SafeToExecuteEdge::operator()):
891 (JSC::DFG::safeToExecute):
892 * dfg/DFGSpeculativeJIT.cpp:
893 (JSC::DFG::SpeculativeJIT::speculateWeakMapObject):
894 (JSC::DFG::SpeculativeJIT::speculateWeakSetObject):
895 (JSC::DFG::SpeculativeJIT::speculate):
896 (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
897 * dfg/DFGSpeculativeJIT.h:
898 (JSC::DFG::SpeculativeJIT::callOperation):
899 * dfg/DFGSpeculativeJIT32_64.cpp:
900 (JSC::DFG::SpeculativeJIT::compile):
901 * dfg/DFGSpeculativeJIT64.cpp:
902 (JSC::DFG::SpeculativeJIT::compile):
903 * dfg/DFGUseKind.cpp:
904 (WTF::printInternal):
906 (JSC::DFG::typeFilterFor):
908 * ftl/FTLCapabilities.cpp:
909 (JSC::FTL::canCompile):
910 * ftl/FTLLowerDFGToB3.cpp:
911 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
912 (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
913 (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject):
914 (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject):
915 (JSC::FTL::DFG::LowerDFGToB3::speculate):
916 (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject):
917 (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject):
918 * jit/JITOperations.h:
919 * runtime/Intrinsic.cpp:
920 (JSC::intrinsicName):
921 * runtime/Intrinsic.h:
923 * runtime/JSWeakMap.h:
925 * runtime/JSWeakSet.h:
927 * runtime/WeakMapBase.cpp:
928 (JSC::WeakMapBase::get):
929 * runtime/WeakMapBase.h:
930 (JSC::WeakMapBase::HashTranslator::hash):
931 (JSC::WeakMapBase::HashTranslator::equal):
932 (JSC::WeakMapBase::inlineGet):
933 * runtime/WeakMapPrototype.cpp:
934 (JSC::WeakMapPrototype::finishCreation):
936 (JSC::protoFuncWeakMapGet):
937 * runtime/WeakSetPrototype.cpp:
940 2017-09-09 Yusuke Suzuki <utatane.tea@gmail.com>
942 [JSC] Optimize Object.keys by using careful array allocation
943 https://bugs.webkit.org/show_bug.cgi?id=176654
945 Reviewed by Darin Adler.
947 SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of the frequently used
948 functions in JS apps. Luckily, Object.keys has several good features.
950 1. Once PropertyNameArray is allocated, we know the length of the result array since
951 we do not need to filter out keys listed in PropertyNameArray. The exception is ProxyObject,
952 but it rarely appears. The ProxyObject case goes to the generic path.
954 2. Object.keys does not need to access the object after listing PropertyNameArray. This means
955 that we do not need to worry about enumeration attribute changes caused by touching the object.
957 This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray
958 with the size and ArrayContiguous indexing shape.
960 This further improves SixSpeed object-assign.es5 by 13%.
964 object-keys-map-values 73.4324+-2.5397 ^ 62.5933+-2.6677 ^ definitely 1.1732x faster
965 object-keys 40.8828+-1.5851 ^ 29.2066+-1.8944 ^ definitely 1.3998x faster
969 object-assign.es5 384.8719+-10.7204 ^ 340.2734+-12.0947 ^ definitely 1.1311x faster
971 BTW, a further optimization of Object.keys can be considered: introducing an own property keys
972 cache similar to the current enumeration cache. But this patch is orthogonal to
975 * runtime/ObjectConstructor.cpp:
976 (JSC::objectConstructorValues):
977 (JSC::ownPropertyKeys):
978 * runtime/ObjectConstructor.h:
980 2017-09-10 Mark Lam <mark.lam@apple.com>
982 Fix all ExceptionScope verification failures in JavaScriptCore.
983 https://bugs.webkit.org/show_bug.cgi?id=176662
984 <rdar://problem/34352085>
986 Reviewed by Filip Pizlo.
988 1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope
989 verification for release builds too (though this requires manually setting
990 ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h).
992 This is useful because it allows us to run the tests more quickly to check
993 if any regressions have occurred. Debug builds run so much slower and are not
994 good for a quick turnaround. Debug builds are necessary though to get
995 trace information without inlining by the C++ compiler. This is necessary to
996 diagnose where the missing exception check is.
998 2. Repurposed the JSC_dumpSimulatedThrows=true option to capture and dump the last
999 simulated throw when an exception scope verification fails.
1001 Previously, this option dumped the stack trace on all simulated throws. That
1002 turned out to not be very useful, and slowed down the debugging process.
1003 Instead, the new implementation captures the stack trace and only dumps it
1004 if we have a verification failure.
1006 3. Fixed missing exception checks and book-keeping needed to allow the JSC tests
1007 to pass with JSC_validateExceptionChecks=true.
1009 * bytecode/CodeBlock.cpp:
1010 (JSC::CodeBlock::finishCreation):
1011 * dfg/DFGOSRExit.cpp:
1012 (JSC::DFG::OSRExit::executeOSRExit):
1013 * dfg/DFGOperations.cpp:
1014 * interpreter/Interpreter.cpp:
1017 (JSC::Interpreter::unwind):
1018 (JSC::Interpreter::executeProgram):
1019 (JSC::Interpreter::executeCall):
1020 (JSC::Interpreter::executeConstruct):
1021 (JSC::Interpreter::prepareForRepeatCall):
1022 (JSC::Interpreter::execute):
1023 (JSC::Interpreter::executeModuleProgram):
1024 * jit/JITOperations.cpp:
1027 (WTF::CustomGetter::customGetterAcessor):
1028 (GlobalObject::moduleLoaderImportModule):
1029 (GlobalObject::moduleLoaderResolve):
1030 * llint/LLIntSlowPaths.cpp:
1031 (JSC::LLInt::getByVal):
1032 (JSC::LLInt::setUpCall):
1034 (JSC::Parser::popScopeInternal):
1035 * runtime/AbstractModuleRecord.cpp:
1036 (JSC::AbstractModuleRecord::hostResolveImportedModule):
1037 (JSC::AbstractModuleRecord::resolveImport):
1038 (JSC::AbstractModuleRecord::resolveExportImpl):
1039 (JSC::getExportedNames):
1040 (JSC::AbstractModuleRecord::getModuleNamespace):
1041 * runtime/ArrayPrototype.cpp:
1044 (JSC::arrayProtoFuncToString):
1045 (JSC::arrayProtoFuncToLocaleString):
1046 (JSC::arrayProtoFuncJoin):
1047 (JSC::arrayProtoFuncPop):
1048 (JSC::arrayProtoFuncPush):
1049 (JSC::arrayProtoFuncReverse):
1050 (JSC::arrayProtoFuncShift):
1051 (JSC::arrayProtoFuncSlice):
1052 (JSC::arrayProtoFuncSplice):
1053 (JSC::arrayProtoFuncUnShift):
1054 (JSC::arrayProtoFuncIndexOf):
1055 (JSC::arrayProtoFuncLastIndexOf):
1056 (JSC::concatAppendOne):
1057 (JSC::arrayProtoPrivateFuncConcatMemcpy):
1058 (JSC::arrayProtoPrivateFuncAppendMemcpy):
1059 * runtime/CatchScope.h:
1060 * runtime/CommonSlowPaths.cpp:
1061 (JSC::SLOW_PATH_DECL):
1062 * runtime/DatePrototype.cpp:
1063 (JSC::dateProtoFuncSetTime):
1064 (JSC::setNewValueFromTimeArgs):
1065 * runtime/DirectArguments.h:
1066 (JSC::DirectArguments::length const):
1067 * runtime/ErrorPrototype.cpp:
1068 (JSC::errorProtoFuncToString):
1069 * runtime/ExceptionFuzz.cpp:
1070 (JSC::doExceptionFuzzing):
1071 * runtime/ExceptionScope.h:
1072 (JSC::ExceptionScope::needExceptionCheck):
1073 (JSC::ExceptionScope::assertNoException):
1074 * runtime/GenericArgumentsInlines.h:
1075 (JSC::GenericArguments<Type>::defineOwnProperty):
1076 * runtime/HashMapImpl.h:
1077 (JSC::HashMapImpl::rehash):
1078 * runtime/IntlDateTimeFormat.cpp:
1079 (JSC::IntlDateTimeFormat::formatToParts):
1080 * runtime/JSArray.cpp:
1081 (JSC::JSArray::defineOwnProperty):
1082 (JSC::JSArray::put):
1083 * runtime/JSCJSValue.cpp:
1084 (JSC::JSValue::putToPrimitive):
1085 (JSC::JSValue::putToPrimitiveByIndex):
1086 * runtime/JSCJSValueInlines.h:
1087 (JSC::JSValue::toIndex const):
1088 (JSC::JSValue::get const):
1089 (JSC::JSValue::getPropertySlot const):
1090 (JSC::JSValue::equalSlowCaseInline):
1091 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1092 (JSC::constructGenericTypedArrayViewFromIterator):
1093 (JSC::constructGenericTypedArrayViewWithArguments):
1094 * runtime/JSGenericTypedArrayViewInlines.h:
1095 (JSC::JSGenericTypedArrayView<Adaptor>::set):
1096 * runtime/JSGlobalObject.cpp:
1097 (JSC::JSGlobalObject::put):
1098 * runtime/JSGlobalObjectFunctions.cpp:
1100 (JSC::globalFuncEval):
1101 (JSC::globalFuncProtoGetter):
1102 (JSC::globalFuncProtoSetter):
1103 (JSC::globalFuncImportModule):
1104 * runtime/JSInternalPromise.cpp:
1105 (JSC::JSInternalPromise::then):
1106 * runtime/JSInternalPromiseDeferred.cpp:
1107 (JSC::JSInternalPromiseDeferred::create):
1108 * runtime/JSJob.cpp:
1109 (JSC::JSJobMicrotask::run):
1110 * runtime/JSModuleEnvironment.cpp:
1111 (JSC::JSModuleEnvironment::getOwnPropertySlot):
1112 (JSC::JSModuleEnvironment::put):
1113 (JSC::JSModuleEnvironment::deleteProperty):
1114 * runtime/JSModuleLoader.cpp:
1115 (JSC::JSModuleLoader::provide):
1116 (JSC::JSModuleLoader::loadAndEvaluateModule):
1117 (JSC::JSModuleLoader::loadModule):
1118 (JSC::JSModuleLoader::linkAndEvaluateModule):
1119 (JSC::JSModuleLoader::requestImportModule):
1120 * runtime/JSModuleRecord.cpp:
1121 (JSC::JSModuleRecord::link):
1122 (JSC::JSModuleRecord::instantiateDeclarations):
1123 * runtime/JSONObject.cpp:
1124 (JSC::Stringifier::stringify):
1125 (JSC::Stringifier::toJSON):
1126 (JSC::JSONProtoFuncParse):
1127 * runtime/JSObject.cpp:
1128 (JSC::JSObject::calculatedClassName):
1129 (JSC::ordinarySetSlow):
1130 (JSC::JSObject::putInlineSlow):
1131 (JSC::JSObject::ordinaryToPrimitive const):
1132 (JSC::JSObject::toPrimitive const):
1133 (JSC::JSObject::hasInstance):
1134 (JSC::JSObject::getPropertyNames):
1135 (JSC::JSObject::toNumber const):
1136 (JSC::JSObject::defineOwnIndexedProperty):
1137 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1138 (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1139 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1140 (JSC::validateAndApplyPropertyDescriptor):
1141 (JSC::JSObject::defineOwnNonIndexProperty):
1142 (JSC::JSObject::getGenericPropertyNames):
1143 * runtime/JSObject.h:
1144 (JSC::JSObject::get const):
1145 * runtime/JSObjectInlines.h:
1146 (JSC::JSObject::getPropertySlot const):
1147 (JSC::JSObject::getPropertySlot):
1148 (JSC::JSObject::getNonIndexPropertySlot):
1149 (JSC::JSObject::putInlineForJSObject):
1150 * runtime/JSPromiseConstructor.cpp:
1151 (JSC::constructPromise):
1152 * runtime/JSPromiseDeferred.cpp:
1153 (JSC::JSPromiseDeferred::create):
1154 * runtime/JSScope.cpp:
1155 (JSC::abstractAccess):
1156 (JSC::JSScope::resolve):
1157 (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
1158 (JSC::JSScope::abstractResolve):
1159 * runtime/LiteralParser.cpp:
1160 (JSC::LiteralParser<CharType>::tryJSONPParse):
1161 (JSC::LiteralParser<CharType>::parse):
1164 * runtime/MapConstructor.cpp:
1165 (JSC::constructMap):
1166 * runtime/NumberPrototype.cpp:
1167 (JSC::numberProtoFuncToString):
1168 * runtime/ObjectConstructor.cpp:
1169 (JSC::objectConstructorSetPrototypeOf):
1170 (JSC::objectConstructorGetOwnPropertyDescriptor):
1171 (JSC::objectConstructorGetOwnPropertyDescriptors):
1172 (JSC::objectConstructorAssign):
1173 (JSC::objectConstructorValues):
1174 (JSC::toPropertyDescriptor):
1175 (JSC::objectConstructorDefineProperty):
1176 (JSC::defineProperties):
1177 (JSC::objectConstructorDefineProperties):
1178 (JSC::ownPropertyKeys):
1179 * runtime/ObjectPrototype.cpp:
1180 (JSC::objectProtoFuncHasOwnProperty):
1181 (JSC::objectProtoFuncIsPrototypeOf):
1182 (JSC::objectProtoFuncLookupGetter):
1183 (JSC::objectProtoFuncLookupSetter):
1184 (JSC::objectProtoFuncToLocaleString):
1185 (JSC::objectProtoFuncToString):
1186 * runtime/Options.h:
1187 * runtime/ParseInt.h:
1188 (JSC::toStringView):
1189 * runtime/ProxyObject.cpp:
1190 (JSC::performProxyGet):
1191 (JSC::ProxyObject::performPut):
1192 * runtime/ReflectObject.cpp:
1193 (JSC::reflectObjectDefineProperty):
1194 * runtime/RegExpConstructor.cpp:
1196 (JSC::regExpCreate):
1197 (JSC::constructRegExp):
1198 * runtime/RegExpObject.cpp:
1199 (JSC::collectMatches):
1200 * runtime/RegExpObjectInlines.h:
1201 (JSC::RegExpObject::execInline):
1202 (JSC::RegExpObject::matchInline):
1203 * runtime/RegExpPrototype.cpp:
1204 (JSC::regExpProtoFuncTestFast):
1205 (JSC::regExpProtoFuncExec):
1206 (JSC::regExpProtoFuncMatchFast):
1207 (JSC::regExpProtoFuncToString):
1208 (JSC::regExpProtoFuncSplitFast):
1209 * runtime/ScriptExecutable.cpp:
1210 (JSC::ScriptExecutable::newCodeBlockFor):
1211 (JSC::ScriptExecutable::prepareForExecutionImpl):
1212 * runtime/SetConstructor.cpp:
1213 (JSC::constructSet):
1214 * runtime/ThrowScope.cpp:
1215 (JSC::ThrowScope::simulateThrow):
1217 (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1219 * runtime/WeakMapPrototype.cpp:
1220 (JSC::protoFuncWeakMapSet):
1221 * runtime/WeakSetPrototype.cpp:
1222 (JSC::protoFuncWeakSetAdd):
1223 * wasm/js/WebAssemblyModuleConstructor.cpp:
1224 (JSC::WebAssemblyModuleConstructor::createModule):
1225 * wasm/js/WebAssemblyModuleRecord.cpp:
1226 (JSC::WebAssemblyModuleRecord::link):
1227 * wasm/js/WebAssemblyPrototype.cpp:
1229 (JSC::webAssemblyCompileFunc):
1231 (JSC::webAssemblyInstantiateFunc):
1233 2017-09-08 Filip Pizlo <fpizlo@apple.com>
1235 Error should compute .stack and friends lazily
1236 https://bugs.webkit.org/show_bug.cgi?id=176645
1238 Reviewed by Saam Barati.
1240 Building the string portion of the stack trace after we walk the stack accounts for most of
1241 the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the
1242 Vector<StackFrame> so that it can build the string only once it's really needed.
1244 This is an enormous speed-up for programs that allocate and throw exceptions.
1246 It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep.
1248 It's a 2.2x speed-up for throwing and catching an Error.
1250 It's a 1.17x speed-up for the WSL test suite (which throws a lot).
1252 It's a significant speed-up on many of our existing try-catch microbenchmarks. For example,
1253 delta-blue-try-catch is 1.16x faster.
1255 * interpreter/Interpreter.cpp:
1256 (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
1257 (JSC::GetStackTraceFunctor::operator() const):
1258 (JSC::Interpreter::getStackTrace):
1259 * interpreter/Interpreter.h:
1260 * runtime/Error.cpp:
1261 (JSC::getStackTrace):
1262 (JSC::getBytecodeOffset):
1263 (JSC::addErrorInfo):
1264 (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1266 * runtime/ErrorInstance.cpp:
1267 (JSC::ErrorInstance::ErrorInstance):
1268 (JSC::ErrorInstance::finishCreation):
1269 (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1270 (JSC::ErrorInstance::visitChildren):
1271 (JSC::ErrorInstance::getOwnPropertySlot):
1272 (JSC::ErrorInstance::getOwnNonIndexPropertyNames):
1273 (JSC::ErrorInstance::defineOwnProperty):
1274 (JSC::ErrorInstance::put):
1275 (JSC::ErrorInstance::deleteProperty):
1276 * runtime/ErrorInstance.h:
1277 * runtime/Exception.cpp:
1278 (JSC::Exception::visitChildren):
1279 (JSC::Exception::finishCreation):
1280 * runtime/Exception.h:
1281 * runtime/StackFrame.cpp:
1282 (JSC::StackFrame::visitChildren):
1283 * runtime/StackFrame.h:
1284 (JSC::StackFrame::StackFrame):
1286 2017-09-09 Mark Lam <mark.lam@apple.com>
1288 [Re-landing] Use JIT probes for DFG OSR exit.
1289 https://bugs.webkit.org/show_bug.cgi?id=175144
1290 <rdar://problem/33437050>
1292 Not reviewed. Original patch reviewed by Saam Barati.
1296 * JavaScriptCore.xcodeproj/project.pbxproj:
1297 * assembler/MacroAssembler.cpp:
1298 (JSC::stdFunctionCallback):
1299 * assembler/MacroAssemblerPrinter.cpp:
1300 (JSC::Printer::printCallback):
1301 * assembler/ProbeContext.h:
1302 (JSC::Probe::CPUState::gpr const):
1303 (JSC::Probe::CPUState::spr const):
1304 (JSC::Probe::Context::Context):
1305 (JSC::Probe::Context::arg):
1306 (JSC::Probe::Context::gpr):
1307 (JSC::Probe::Context::spr):
1308 (JSC::Probe::Context::fpr):
1309 (JSC::Probe::Context::gprName):
1310 (JSC::Probe::Context::sprName):
1311 (JSC::Probe::Context::fprName):
1312 (JSC::Probe::Context::gpr const):
1313 (JSC::Probe::Context::spr const):
1314 (JSC::Probe::Context::fpr const):
1315 (JSC::Probe::Context::pc):
1316 (JSC::Probe::Context::fp):
1317 (JSC::Probe::Context::sp):
1318 (JSC::Probe:: const): Deleted.
1319 * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h.
1320 * assembler/ProbeStack.cpp:
1321 (JSC::Probe::Page::Page):
1322 * assembler/ProbeStack.h:
1323 (JSC::Probe::Page::get):
1324 (JSC::Probe::Page::set):
1325 (JSC::Probe::Page::physicalAddressFor):
1326 (JSC::Probe::Stack::lowWatermark):
1327 (JSC::Probe::Stack::get):
1328 (JSC::Probe::Stack::set):
1329 * bytecode/ArithProfile.cpp:
1330 * bytecode/ArithProfile.h:
1331 * bytecode/ArrayProfile.h:
1332 (JSC::ArrayProfile::observeArrayMode):
1333 * bytecode/CodeBlock.cpp:
1334 (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1335 * bytecode/CodeBlock.h:
1336 (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
1337 * bytecode/ExecutionCounter.h:
1338 (JSC::ExecutionCounter::hasCrossedThreshold const):
1339 (JSC::ExecutionCounter::setNewThresholdForOSRExit):
1340 * bytecode/MethodOfGettingAValueProfile.cpp:
1341 (JSC::MethodOfGettingAValueProfile::reportValue):
1342 * bytecode/MethodOfGettingAValueProfile.h:
1343 * dfg/DFGDriver.cpp:
1344 (JSC::DFG::compileImpl):
1345 * dfg/DFGJITCode.cpp:
1346 (JSC::DFG::JITCode::findPC): Deleted.
1348 * dfg/DFGJITCompiler.cpp:
1349 (JSC::DFG::JITCompiler::linkOSRExits):
1350 (JSC::DFG::JITCompiler::link):
1351 * dfg/DFGOSRExit.cpp:
1352 (JSC::DFG::jsValueFor):
1353 (JSC::DFG::restoreCalleeSavesFor):
1354 (JSC::DFG::saveCalleeSavesFor):
1355 (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1356 (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1357 (JSC::DFG::saveOrCopyCalleeSavesFor):
1358 (JSC::DFG::createDirectArgumentsDuringExit):
1359 (JSC::DFG::createClonedArgumentsDuringExit):
1360 (JSC::DFG::OSRExit::OSRExit):
1361 (JSC::DFG::emitRestoreArguments):
1362 (JSC::DFG::OSRExit::executeOSRExit):
1363 (JSC::DFG::reifyInlinedCallFrames):
1364 (JSC::DFG::adjustAndJumpToTarget):
1365 (JSC::DFG::printOSRExit):
1366 (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
1367 (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
1368 (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
1369 (JSC::DFG::OSRExit::correctJump): Deleted.
1370 (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
1371 (JSC::DFG::OSRExit::compileOSRExit): Deleted.
1372 (JSC::DFG::OSRExit::compileExit): Deleted.
1373 (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
1375 (JSC::DFG::OSRExitState::OSRExitState):
1376 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
1377 * dfg/DFGOSRExitCompilerCommon.cpp:
1378 * dfg/DFGOSRExitCompilerCommon.h:
1379 * dfg/DFGOperations.cpp:
1380 * dfg/DFGOperations.h:
1381 * dfg/DFGThunks.cpp:
1382 (JSC::DFG::osrExitThunkGenerator):
1383 (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
1385 * jit/AssemblyHelpers.cpp:
1386 (JSC::AssemblyHelpers::debugCall): Deleted.
1387 * jit/AssemblyHelpers.h:
1388 * jit/JITOperations.cpp:
1389 * jit/JITOperations.h:
1390 * profiler/ProfilerOSRExit.h:
1391 (JSC::Profiler::OSRExit::incCount):
1392 * runtime/JSCJSValue.h:
1393 * runtime/JSCJSValueInlines.h:
1396 2017-09-09 Ryan Haddad <ryanhaddad@apple.com>
1398 Unreviewed, rolling out r221774.
1400 This change introduced three debug JSC test timeouts.
1404 "Use JIT probes for DFG OSR exit."
1405 https://bugs.webkit.org/show_bug.cgi?id=175144
1406 http://trac.webkit.org/changeset/221774
1408 2017-09-09 Mark Lam <mark.lam@apple.com>
1410 Avoid duplicate computations of ExecState::vm().
1411 https://bugs.webkit.org/show_bug.cgi?id=176647
1413 Reviewed by Saam Barati.
1415 Because while computing ExecState::vm() is cheap, it is not free.
1418 1. gets rid of some convenience methods in CallFrame that implicitly do an
1419 ExecState::vm() computation. This minimizes the chance of us accidentally
1420 computing ExecState::vm() more than necessary.
1421 2. passes vm (when available) to methodTable().
1422 3. passes vm (when available) to JSLockHolder.
1425 (JSCheckScriptSyntax):
1427 (JSReportExtraMemoryCost):
1428 (JSSynchronousGarbageCollectForDebugging):
1429 (JSSynchronousEdenCollectForDebugging):
1430 * API/JSCallbackConstructor.h:
1431 (JSC::JSCallbackConstructor::create):
1432 * API/JSCallbackObject.h:
1433 (JSC::JSCallbackObject::create):
1435 (-[JSContext setException:]):
1436 * API/JSContextRef.cpp:
1437 (JSContextGetGlobalObject):
1438 (JSContextCreateBacktrace):
1439 * API/JSManagedValue.mm:
1440 (-[JSManagedValue value]):
1441 * API/JSObjectRef.cpp:
1443 (JSObjectMakeFunctionWithCallback):
1444 (JSObjectMakeConstructor):
1445 (JSObjectMakeFunction):
1446 (JSObjectSetPrototype):
1447 (JSObjectHasProperty):
1448 (JSObjectGetProperty):
1449 (JSObjectSetProperty):
1450 (JSObjectSetPropertyAtIndex):
1451 (JSObjectDeleteProperty):
1452 (JSObjectGetPrivateProperty):
1453 (JSObjectSetPrivateProperty):
1454 (JSObjectDeletePrivateProperty):
1455 (JSObjectIsFunction):
1456 (JSObjectCallAsFunction):
1457 (JSObjectCallAsConstructor):
1458 (JSObjectCopyPropertyNames):
1459 (JSPropertyNameAccumulatorAddName):
1460 * API/JSScriptRef.cpp:
1461 * API/JSTypedArray.cpp:
1462 (JSValueGetTypedArrayType):
1463 (JSObjectMakeTypedArrayWithArrayBuffer):
1464 (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
1465 (JSObjectGetTypedArrayBytesPtr):
1466 (JSObjectGetTypedArrayBuffer):
1467 (JSObjectMakeArrayBufferWithBytesNoCopy):
1468 (JSObjectGetArrayBufferBytesPtr):
1469 * API/JSWeakObjectMapRefPrivate.cpp:
1470 * API/JSWrapperMap.mm:
1471 (constructorHasInstance):
1473 * API/ObjCCallbackFunction.mm:
1474 (objCCallbackFunctionForInvocation):
1475 * bytecode/CodeBlock.cpp:
1476 (JSC::CodeBlock::CodeBlock):
1477 (JSC::CodeBlock::jettison):
1478 * bytecode/CodeBlock.h:
1479 (JSC::CodeBlock::addConstant):
1480 (JSC::CodeBlock::replaceConstant):
1481 * bytecode/PutByIdStatus.cpp:
1482 (JSC::PutByIdStatus::computeFromLLInt):
1483 (JSC::PutByIdStatus::computeFor):
1484 * dfg/DFGDesiredWatchpoints.cpp:
1485 (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1487 (JSC::DFG::Graph::globalThisObjectFor):
1488 * dfg/DFGOperations.cpp:
1489 * ftl/FTLOSRExitCompiler.cpp:
1490 (JSC::FTL::compileFTLOSRExit):
1491 * ftl/FTLOperations.cpp:
1492 (JSC::FTL::operationPopulateObjectInOSR):
1493 (JSC::FTL::operationMaterializeObjectInOSR):
1494 * heap/GCAssertions.h:
1495 * inspector/InjectedScriptHost.cpp:
1496 (Inspector::InjectedScriptHost::wrapper):
1497 * inspector/JSInjectedScriptHost.cpp:
1498 (Inspector::JSInjectedScriptHost::subtype):
1499 (Inspector::constructInternalProperty):
1500 (Inspector::JSInjectedScriptHost::getInternalProperties):
1501 (Inspector::JSInjectedScriptHost::weakMapEntries):
1502 (Inspector::JSInjectedScriptHost::weakSetEntries):
1503 (Inspector::JSInjectedScriptHost::iteratorEntries):
1504 * inspector/JSJavaScriptCallFrame.cpp:
1505 (Inspector::valueForScopeLocation):
1506 (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
1508 * inspector/ScriptCallStackFactory.cpp:
1509 (Inspector::extractSourceInformationFromException):
1510 (Inspector::createScriptArguments):
1511 * interpreter/CachedCall.h:
1512 (JSC::CachedCall::CachedCall):
1513 * interpreter/CallFrame.h:
1514 (JSC::ExecState::atomicStringTable const): Deleted.
1515 (JSC::ExecState::propertyNames const): Deleted.
1516 (JSC::ExecState::emptyList const): Deleted.
1517 (JSC::ExecState::interpreter): Deleted.
1518 (JSC::ExecState::heap): Deleted.
1519 * interpreter/Interpreter.cpp:
1520 (JSC::Interpreter::executeProgram):
1521 (JSC::Interpreter::execute):
1522 (JSC::Interpreter::executeModuleProgram):
1524 (JSC::JIT::privateCompileMainPass):
1525 * jit/JITOperations.cpp:
1526 * jit/JITWorklist.cpp:
1527 (JSC::JITWorklist::compileNow):
1529 (WTF::RuntimeArray::create):
1530 (WTF::RuntimeArray::getOwnPropertySlot):
1531 (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1532 (WTF::DOMJITFunctionObject::unsafeFunction):
1533 (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1534 (GlobalObject::moduleLoaderFetch):
1535 (functionDumpCallFrame):
1536 (functionCreateRoot):
1537 (functionGetElement):
1538 (functionSetElementRoot):
1539 (functionCreateSimpleObject):
1540 (functionSetHiddenValue):
1541 (functionCreateProxy):
1542 (functionCreateImpureGetter):
1543 (functionCreateCustomGetterObject):
1544 (functionCreateDOMJITNodeObject):
1545 (functionCreateDOMJITGetterObject):
1546 (functionCreateDOMJITGetterComplexObject):
1547 (functionCreateDOMJITFunctionObject):
1548 (functionCreateDOMJITCheckSubClassObject):
1549 (functionGCAndSweep):
1553 (functionShadowChickenFunctionsOnStack):
1554 (functionSetGlobalConstRedeclarationShouldNotThrow):
1555 (functionJSCOptions):
1556 (functionFailNextNewCodeBlock):
1557 (functionMakeMasquerader):
1558 (functionDumpTypesForAllVariables):
1559 (functionFindTypeForExpression):
1560 (functionReturnTypeFor):
1561 (functionDumpBasicBlockExecutionRanges):
1562 (functionBasicBlockExecutionCount):
1563 (functionDrainMicrotasks):
1564 (functionGenerateHeapSnapshot):
1565 (functionEnsureArrayStorage):
1566 (functionStartSamplingProfiler):
1568 * llint/LLIntSlowPaths.cpp:
1569 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1570 * parser/ModuleAnalyzer.cpp:
1571 (JSC::ModuleAnalyzer::ModuleAnalyzer):
1572 * profiler/ProfilerBytecode.cpp:
1573 (JSC::Profiler::Bytecode::toJS const):
1574 * profiler/ProfilerBytecodeSequence.cpp:
1575 (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
1576 * profiler/ProfilerBytecodes.cpp:
1577 (JSC::Profiler::Bytecodes::toJS const):
1578 * profiler/ProfilerCompilation.cpp:
1579 (JSC::Profiler::Compilation::toJS const):
1580 * profiler/ProfilerCompiledBytecode.cpp:
1581 (JSC::Profiler::CompiledBytecode::toJS const):
1582 * profiler/ProfilerDatabase.cpp:
1583 (JSC::Profiler::Database::toJS const):
1584 * profiler/ProfilerEvent.cpp:
1585 (JSC::Profiler::Event::toJS const):
1586 * profiler/ProfilerOSRExit.cpp:
1587 (JSC::Profiler::OSRExit::toJS const):
1588 * profiler/ProfilerOrigin.cpp:
1589 (JSC::Profiler::Origin::toJS const):
1590 * profiler/ProfilerProfiledBytecodes.cpp:
1591 (JSC::Profiler::ProfiledBytecodes::toJS const):
1592 * runtime/AbstractModuleRecord.cpp:
1593 (JSC::identifierToJSValue):
1594 (JSC::AbstractModuleRecord::resolveExportImpl):
1595 (JSC::getExportedNames):
1596 * runtime/ArrayPrototype.cpp:
1597 (JSC::arrayProtoFuncToString):
1598 (JSC::arrayProtoFuncToLocaleString):
1599 * runtime/BooleanConstructor.cpp:
1600 (JSC::constructBooleanFromImmediateBoolean):
1601 * runtime/CallData.cpp:
1603 * runtime/CommonSlowPaths.cpp:
1604 (JSC::SLOW_PATH_DECL):
1605 * runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
(JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
* runtime/Completion.cpp:
(JSC::loadAndEvaluateModule):
(JSC::linkAndEvaluateModule):
(JSC::importModule):
* runtime/ConstructData.cpp:
* runtime/DatePrototype.cpp:
(JSC::dateProtoFuncToJSON):
* runtime/DirectArguments.h:
(JSC::DirectArguments::length const):
* runtime/DirectEvalExecutable.cpp:
(JSC::DirectEvalExecutable::create):
* runtime/ErrorPrototype.cpp:
(JSC::errorProtoFuncToString):
* runtime/ExceptionHelpers.cpp:
(JSC::createUndefinedVariableError):
(JSC::errorDescriptionForValue):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunction):
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::getOwnPropertyNames):
* runtime/IdentifierInlines.h:
(JSC::Identifier::add):
* runtime/IndirectEvalExecutable.cpp:
(JSC::IndirectEvalExecutable::create):
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::finishCreation):
(JSC::InternalFunction::createSubclassStructureSlow):
* runtime/JSArray.cpp:
(JSC::JSArray::getOwnPropertySlot):
(JSC::JSArray::put):
(JSC::JSArray::deleteProperty):
(JSC::JSArray::getOwnNonIndexPropertyNames):
(JSC::JSArray::isIteratorProtocolFastAndNonObservable):
* runtime/JSArray.h:
(JSC::JSArray::shiftCountForShift):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpForBacktrace const):
* runtime/JSDataView.cpp:
(JSC::JSDataView::getOwnPropertySlot):
(JSC::JSDataView::deleteProperty):
(JSC::JSDataView::getOwnNonIndexPropertyNames):
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::reifyName):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncEval):
* runtime/JSInternalPromise.cpp:
(JSC::JSInternalPromise::then):
* runtime/JSLexicalEnvironment.cpp:
(JSC::JSLexicalEnvironment::deleteProperty):
* runtime/JSMap.cpp:
(JSC::JSMap::isIteratorProtocolFastAndNonObservable):
* runtime/JSMapIterator.h:
(JSC::JSMapIterator::advanceIter):
* runtime/JSModuleEnvironment.cpp:
(JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames):
* runtime/JSModuleLoader.cpp:
(JSC::printableModuleKey):
(JSC::JSModuleLoader::provide):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):
* runtime/JSModuleNamespaceObject.h:
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::evaluate):
* runtime/JSONObject.cpp:
(JSC::Stringifier::Stringifier):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Stringifier::Holder::appendNextProperty):
* runtime/JSObject.cpp:
(JSC::JSObject::calculatedClassName):
(JSC::JSObject::putByIndex):
(JSC::JSObject::ordinaryToPrimitive const):
(JSC::JSObject::toPrimitive const):
(JSC::JSObject::hasInstance):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
(JSC::getCustomGetterSetterFunctionForGetterSetter):
(JSC::JSObject::getOwnPropertyDescriptor):
(JSC::JSObject::getMethod):
* runtime/JSObject.h:
(JSC::JSObject::createRawObject):
(JSC::JSFinalObject::create):
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInline):
(JSC::JSObject::putInlineForJSObject):
(JSC::JSObject::hasOwnProperty const):
* runtime/JSScope.cpp:
(JSC::isUnscopable):
(JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
* runtime/JSSet.cpp:
(JSC::JSSet::isIteratorProtocolFastAndNonObservable):
* runtime/JSSetIterator.h:
(JSC::JSSetIterator::advanceIter):
* runtime/JSString.cpp:
(JSC::JSString::getStringPropertyDescriptor):
* runtime/JSString.h:
(JSC::JSString::getStringPropertySlot):
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::create):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToLocaleString):
* runtime/ProgramExecutable.h:
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::getOwnPropertySlot):
(JSC::RegExpObject::deleteProperty):
(JSC::RegExpObject::getOwnNonIndexPropertyNames):
(JSC::RegExpObject::getPropertyNames):
(JSC::RegExpObject::getGenericPropertyNames):
(JSC::RegExpObject::put):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::length const):
* runtime/StrictEvalActivation.h:
(JSC::StrictEvalActivation::create):
* runtime/StringObject.cpp:
(JSC::isStringOwnProperty):
(JSC::StringObject::deleteProperty):
(JSC::StringObject::getOwnNonIndexPropertyNames):
* tools/JSDollarVMPrototype.cpp:
(JSC::JSDollarVMPrototype::gc):
(JSC::JSDollarVMPrototype::edenGC):
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::evaluate):

2017-09-08 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] NewArrayWithSize(size)'s size does not care negative zero
https://bugs.webkit.org/show_bug.cgi?id=176300

Reviewed by Saam Barati.

NewArrayWithSize(size)'s size does not care about negative zero,
the same as NewTypedArray. We propagate this information
in DFGBackwardsPropagationPhase. This removes the negative zero
check in kraken fft's deinterleave function.

* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):

2017-09-08 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] PutByVal with Array::Generic is too generic
https://bugs.webkit.org/show_bug.cgi?id=176345

Reviewed by Filip Pizlo.

Our DFG/FTL's PutByVal with Array::Generic is too generic an implementation.
We could have a case like

dst[key] = src[key];

with string or symbol keys. But they are handled in the slow path.
This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go
to an optimized path that does not have generic checks like (isInt32() / isDouble() etc.).

This improves SixSpeed object-assign.es5 by 9.1%.

object-assign.es5 424.3159+-11.0471 ^ 388.8771+-10.9239 ^ definitely 1.0911x faster

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOperations.cpp:
(JSC::DFG::putByVal):
(JSC::DFG::putByValInternal):
(JSC::DFG::putByValCellInternal):
(JSC::DFG::putByValCellStringInternal):
(JSC::DFG::operationPutByValInternal): Deleted.
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString):
(JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
* jit/JITOperations.h:

2017-09-08 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported
https://bugs.webkit.org/show_bug.cgi?id=176590

Reviewed by Saam Barati.

We add fixup edges for GetByVal(Array::Generic) to call faster operation instead of generic operationGetByVal.

object-iterate 5.8531+-0.3029 5.7903+-0.2795 might be 1.0108x faster
object-iterate-symbols 7.4099+-0.3993 ^ 5.8254+-0.2276 ^ definitely 1.2720x faster

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOperations.cpp:
(JSC::DFG::getByValObject):
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

2017-09-07 Mark Lam <mark.lam@apple.com>

Use JIT probes for DFG OSR exit.
https://bugs.webkit.org/show_bug.cgi?id=175144
<rdar://problem/33437050>

Reviewed by Saam Barati.

This patch does the following:

1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator().
While osrExitGenerationThunkGenerator() generates a thunk that compiles a
unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator()
generates a thunk that just executes the OSR exit.

The osrExitThunkGenerator() generated thunk works by using a single JIT probe
to call OSRExit::executeOSRExit(). The JIT probe takes care of preserving
CPU registers, and providing the Probe::Stack mechanism for modifying the

OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and
OSRExit::compileExit(). It is basically a re-write of those functions to
execute the OSR exit work instead of compiling code to execute the work.

As a result, we get the following savings:
a. no more OSR exit ramp compilation time.
b. no use of JIT executable memory for storing each unique OSR exit ramp.

On the negative side, we incur these costs:

c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled
version of the ramp. However, OSR exits are rare. Hence, this small
difference should not matter much. It is also offset by the savings from

d. the Probe::Stack allocates 1K pages for memory for buffering stack
modifications. The number of these pages depends on the span of stack memory
that the OSR exit ramp reads from and writes to. Since the OSR exit ramp
tends to only modify values in the current DFG frame and the current
VMEntryRecord, the number of pages tends to only be 1 or 2.

Using the jsc tests as a workload, the vast majority of tests that do OSR
exit use 3 or fewer 1K pages (with the overwhelming majority using just 1 page).
A few tests that are pathological use up to 14 pages, and one particularly
bad test (function-apply-many-args.js) uses 513 pages.

Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
only executed once to compute some values for the exit site that are used by
all exit operations from that site, and a 2nd part to execute the exit. The
1st part is protected by checking if exit.exitState has already been
initialized. The computed values are cached in exit.exitState.

Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
longer need the facility to patch the site that jumps to the OSR exit ramp.
The DFG::JITCompiler has been modified to remove this patching code.

2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
std::memcpy to avoid strict aliasing issues.

Also optimized the implementation of Probe::Stack::physicalAddressFor().

3. Miscellaneous convenience methods added to make the Probe::Context easier of

4. Added a Probe::Frame class that makes it easier to get/set operands and
arguments in a given frame using the deferred write properties of the
Probe::Stack. Probe::Frame makes it easier to do some of the recovery work in

5. Cloned or converted some functions needed by the OSR exit ramp. The original
JIT versions of these functions are still left in place because they are still
needed for FTL OSR exit. A FIXME comment has been added to remove them later.
These functions include:

DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
DFGOSRExit.cpp's reifyInlinedCallFrames()
DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
DFGOSRExit.cpp's adjustAndJumpToTarget()

MethodOfGettingAValueProfile::emitReportValue() ==>
MethodOfGettingAValueProfile::reportValue()

DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
DFGOSRExit.cpp's createDirectArgumentsDuringExit()
DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
DFGOSRExit.cpp's createClonedArgumentsDuringExit()

* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssembler.cpp:
(JSC::stdFunctionCallback):
* assembler/MacroAssemblerPrinter.cpp:
(JSC::Printer::printCallback):
* assembler/ProbeContext.h:
(JSC::Probe::CPUState::gpr const):
(JSC::Probe::CPUState::spr const):
(JSC::Probe::Context::Context):
(JSC::Probe::Context::arg):
(JSC::Probe::Context::gpr):
(JSC::Probe::Context::spr):
(JSC::Probe::Context::fpr):
(JSC::Probe::Context::gprName):
(JSC::Probe::Context::sprName):
(JSC::Probe::Context::fprName):
(JSC::Probe::Context::gpr const):
(JSC::Probe::Context::spr const):
(JSC::Probe::Context::fpr const):
(JSC::Probe::Context::pc):
(JSC::Probe::Context::fp):
(JSC::Probe::Context::sp):
(JSC::Probe:: const): Deleted.
* assembler/ProbeFrame.h: Added.
(JSC::Probe::Frame::Frame):
(JSC::Probe::Frame::getArgument):
(JSC::Probe::Frame::getOperand):
(JSC::Probe::Frame::get):
(JSC::Probe::Frame::setArgument):
(JSC::Probe::Frame::setOperand):
(JSC::Probe::Frame::set):
* assembler/ProbeStack.cpp:
(JSC::Probe::Page::Page):
* assembler/ProbeStack.h:
(JSC::Probe::Page::get):
(JSC::Probe::Page::set):
(JSC::Probe::Page::physicalAddressFor):
(JSC::Probe::Stack::lowWatermark):
(JSC::Probe::Stack::get):
(JSC::Probe::Stack::set):
* bytecode/ArithProfile.cpp:
* bytecode/ArithProfile.h:
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::observeArrayMode):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
* bytecode/ExecutionCounter.h:
(JSC::ExecutionCounter::hasCrossedThreshold const):
(JSC::ExecutionCounter::setNewThresholdForOSRExit):
* bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::reportValue):
* bytecode/MethodOfGettingAValueProfile.h:
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::findPC): Deleted.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::jsValueFor):
(JSC::DFG::restoreCalleeSavesFor):
(JSC::DFG::saveCalleeSavesFor):
(JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
(JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
(JSC::DFG::saveOrCopyCalleeSavesFor):
(JSC::DFG::createDirectArgumentsDuringExit):
(JSC::DFG::createClonedArgumentsDuringExit):
(JSC::DFG::OSRExit::OSRExit):
(JSC::DFG::emitRestoreArguments):
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
(JSC::DFG::printOSRExit):
(JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
(JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
(JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
(JSC::DFG::OSRExit::correctJump): Deleted.
(JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
(JSC::DFG::OSRExit::compileOSRExit): Deleted.
(JSC::DFG::OSRExit::compileExit): Deleted.
(JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
(JSC::DFG::OSRExitState::OSRExitState):
(JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
* dfg/DFGOSRExitCompilerCommon.cpp:
* dfg/DFGOSRExitCompilerCommon.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitThunkGenerator):
(JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::debugCall): Deleted.
* jit/AssemblyHelpers.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* profiler/ProfilerOSRExit.h:
(JSC::Profiler::OSRExit::incCount):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:

2017-09-07 Michael Saboff <msaboff@apple.com>

Add support for RegExp named capture groups
https://bugs.webkit.org/show_bug.cgi?id=176435

Reviewed by Filip Pizlo.

Added parsing for both naming a captured parenthesis as well as using a named group in
a back reference. Also added support for using named groups with String.prototype.replace().

This patch does not throw Syntax Errors as described in the current spec text for the two
cases of malformed back references in String.prototype.replace() as I believe that it
is inconsistent with the current semantics for handling of other malformed replacement
tokens. I filed an issue for the requested change to the proposed spec and also filed
a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.

This patch does not implement strength reduction in the optimizing JITs for named capture
groups. Filed https://bugs.webkit.org/show_bug.cgi?id=176464.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* runtime/CommonIdentifiers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::haveABadTime):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
* runtime/RegExp.cpp:
(JSC::RegExp::finishCreation):
* runtime/RegExpMatchesArray.cpp:
(JSC::createStructureImpl):
(JSC::createRegExpMatchesArrayWithGroupsStructure):
(JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* runtime/StringPrototype.cpp:
(JSC::substituteBackreferencesSlow):
(JSC::replaceUsingRegExpSearch):
* yarr/YarrParser.h:
(JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
(JSC::Yarr::Parser::parseEscape):
(JSC::Yarr::Parser::parseParenthesesBegin):
(JSC::Yarr::Parser::tryConsumeUnicodeEscape):
(JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
(JSC::Yarr::Parser::isIdentifierStart):
(JSC::Yarr::Parser::isIdentifierPart):
(JSC::Yarr::Parser::tryConsumeGroupName):
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
(JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
(JSC::Yarr::YarrPattern::errorMessage):
* yarr/YarrPattern.h:
(JSC::Yarr::YarrPattern::reset):
* yarr/YarrSyntaxChecker.cpp:
(JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
(JSC::Yarr::SyntaxChecker::atomNamedBackReference):
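The three features this entry adds to the RegExp parser and to String.prototype.replace(), exercised from the JavaScript side as an added example (this is not code from the patch or from WebKit's test suite): a named group `(?<name>...)`, a named back reference `\k<name>`, and the `$<name>` replacement token. The two malformed-template cases the author mentions are checked against the final ES2018 semantics (no SyntaxError; an unknown name substitutes the empty string and an unterminated `$<` is copied literally), which the engine running the example is assumed to implement. The sample strings are constructed.

```javascript
'use strict';

// Constructed sample text (not from the WebKit patch or its tests).
const SAMPLE = 'Shipped on 2017-09-07, revised 2017-09-08';

// (?<name>...) declares a named capture group. The name is exposed on the
// match object's `groups` property; numbered captures still work as before.
const DATE_PATTERN = String.raw`(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})`;

// Collect every ISO date in `text` as { year, month, day } objects.
function extractDates(text) {
  const re = new RegExp(DATE_PATTERN, 'g');
  const dates = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    dates.push({ year: m.groups.year, month: m.groups.month, day: m.groups.day });
  }
  return dates;
}

// \k<name> is a named back reference: it matches exactly what the named
// group captured earlier in the same match. Here it finds a doubled word.
const REPEATED_WORD = /\b(?<word>[a-z]+)\s+\k<word>\b/i;

function firstRepeatedWord(text) {
  const m = REPEATED_WORD.exec(text);
  return m ? m.groups.word : null;
}

// $<name> in a String.prototype.replace template substitutes the named
// group; this rewrites ISO dates as MM/DD/YYYY.
function isoToUs(text) {
  return text.replace(new RegExp(DATE_PATTERN, 'g'), '$<month>/$<day>/$<year>');
}

// Malformed $< templates, per the final ES2018 text (assumed for the engine
// running this): a name that matches no group substitutes the empty string,
// and "$<" with no closing ">" is copied through literally. Neither throws.
function replaceUnknownGroup(text) {
  return text.replace(/(?<y>\d{4})/, '[$<nope>]');
}
function replaceUnterminatedGroup(text) {
  return text.replace(/(?<y>\d{4})/, '[$<y]');
}

console.log(extractDates(SAMPLE));
console.log(firstRepeatedWord('the the quick brown fox'));
console.log(isoToUs(SAMPLE));
console.log(replaceUnknownGroup('in 2017'), replaceUnterminatedGroup('in 2017'));
```

A fresh `RegExp` is built inside `extractDates` and `isoToUs` so that the `g` flag's `lastIndex` state never leaks between calls.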

2017-09-07 Myles C. Maxfield <mmaxfield@apple.com>

[PAL] Unify PlatformUserPreferredLanguages.h with Language.h
https://bugs.webkit.org/show_bug.cgi?id=176561

Reviewed by Brent Fulgham.

* runtime/IntlObject.cpp:
(JSC::defaultLocale):

2017-09-07 Joseph Pecoraro <pecoraro@apple.com>

Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
https://bugs.webkit.org/show_bug.cgi?id=176563
<rdar://problem/19639583>

Reviewed by Matt Baker.

* inspector/protocol/DOM.json:
Add an event that is useful for augmented inspectors to inspect
a node. Web pages will still prefer Inspector.inspect.

2017-09-06 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] Remove "malloc" and "free" from JSC/API
https://bugs.webkit.org/show_bug.cgi?id=176331

Reviewed by Keith Miller.

Remove "malloc" and "free" manual calls in JSC/API.

(createStructHandlerMap):
* API/JSWrapperMap.mm:
(parsePropertyAttributes):
(copyPrototypeProperties):
Use RetainPtr<NSString> to keep NSString. We avoid repeated "char*" to "NSString" conversion.
* API/ObjcRuntimeExtras.h:
Add adoptSystem to automate calling system free().
(protocolImplementsProtocol):
(forEachProtocolImplementingProtocol):
(forEachMethodInClass):
(forEachMethodInProtocol):
(forEachPropertyInProtocol):
(StringRange::StringRange):
(StringRange::operator const char* const):
(StringRange::get const):
Use CString for backend.
(StructBuffer::StructBuffer):
(StructBuffer::~StructBuffer):
(StringRange::~StringRange): Deleted.
Use fastAlignedMalloc/fastAlignedFree to get aligned memory.

2017-09-06 Mark Lam <mark.lam@apple.com>

constructGenericTypedArrayViewWithArguments() is missing an exception check.
https://bugs.webkit.org/show_bug.cgi?id=176485
<rdar://problem/33898874>

Reviewed by Keith Miller.

* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):

2017-09-06 Saam Barati <sbarati@apple.com>

Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
https://bugs.webkit.org/show_bug.cgi?id=176346

Reviewed by Mark Lam.

* b3/B3Procedure.cpp:
(JSC::B3::Procedure::Procedure):
(JSC::B3::Procedure::setNumEntrypoints):
(JSC::B3::Procedure::setNumEntrypoints): Deleted.
* b3/air/AirCode.cpp:
(JSC::B3::Air::defaultPrologueGenerator):
(JSC::B3::Air::Code::Code):
(JSC::B3::Air::Code::setNumEntrypoints):
(JSC::B3::Air::Code::setPrologueForEntrypoint):
(JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
(JSC::B3::Air::Code::setEntrypoints):
(JSC::B3::Air::Code::setEntrypointLabels):
* b3/air/AirGenerate.cpp:
(JSC::B3::Air::generate):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):

2017-09-06 Saam Barati <sbarati@apple.com>

ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
https://bugs.webkit.org/show_bug.cgi?id=176470

Reviewed by Mark Lam.

Update Node::convertToCheckStructureImmediate's assertion to allow
the node to either be a CheckStructure or CheckStructureOrEmpty.

(JSC::DFG::Node::convertToCheckStructureImmediate):

2017-09-05 Saam Barati <sbarati@apple.com>

isNotCellSpeculation is wrong with respect to SpecEmpty
https://bugs.webkit.org/show_bug.cgi?id=176429

Reviewed by Michael Saboff.

The isNotCellSpeculation(SpeculatedType t) function was not taking into account
SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
the empty value will fail a NotCell check. This bug would cause us to erroneously
generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.

* bytecode/SpeculatedType.h:
(JSC::isNotCellSpeculation):

2017-09-05 Saam Barati <sbarati@apple.com>

Make the distinction between entrypoints and CFG roots more clear by naming things better
https://bugs.webkit.org/show_bug.cgi?id=176336

Reviewed by Mark Lam and Keith Miller and Michael Saboff.

This patch does renaming to make the distinction between Graph::m_entrypoints
and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
field to m_rootToArguments.

Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
when compiling with EntrySwitch. It represents the logical number of entrypoints
the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
(JSC::DFG::CFG::roots):
(JSC::DFG::CPSCFG::CPSCFG):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::determineReachability):
(JSC::DFG::Graph::blocksInPreOrder):
(JSC::DFG::Graph::blocksInPostOrder):
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
(JSC::DFG::Graph::isRoot):
(JSC::DFG::Graph::isEntrypoint): Deleted.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
(JSC::DFG::createPreHeader):
* dfg/DFGMaximalFlushInsertionPhase.cpp:
(JSC::DFG::MaximalFlushInsertionPhase::run):
(JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
(JSC::DFG::SpeculativeJIT::linkOSREntries):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):
* dfg/DFGValidate.cpp:

2017-09-05 Joseph Pecoraro <pecoraro@apple.com>

test262: Completion values for control flow do not match the spec
https://bugs.webkit.org/show_bug.cgi?id=171265

Reviewed by Saam Barati.

* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
When we care about having proper completion values (global code
in programs, modules, and eval) insert undefined results for
control flow statements.

* bytecompiler/NodesCodegen.cpp:
(JSC::SourceElements::emitBytecode):
Reduce writing a default `undefined` value to the completion result to
only once before the last statement we know will produce a value.

(JSC::IfElseNode::emitBytecode):
(JSC::WithNode::emitBytecode):
(JSC::WhileNode::emitBytecode):
(JSC::ForNode::emitBytecode):
(JSC::ForInNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::SwitchNode::emitBytecode):
Insert an undefined to handle cases where code may break out of an
if/else or with statement (break/continue).

(JSC::TryNode::emitBytecode):
Same handling for break cases. Also, finally block statement completion
values are always ignored for the try statement result.

(JSC::ClassDeclNode::emitBytecode):
Class declarations, like function declarations, produce an empty result.

(JSC::SourceElements::lastStatement):
(JSC::SourceElements::hasCompletionValue):
(JSC::SourceElements::hasEarlyBreakOrContinue):
(JSC::BlockNode::lastStatement):
(JSC::BlockNode::singleStatement):
(JSC::BlockNode::hasCompletionValue):
(JSC::BlockNode::hasEarlyBreakOrContinue):
(JSC::ScopeNode::singleStatement):
(JSC::ScopeNode::hasCompletionValue):
(JSC::ScopeNode::hasEarlyBreakOrContinue):
The only non-trivial cases need to loop through their list of statements
to determine if this has a completion value or not. Likewise for
determining if there is an early break / continue, meaning a break or
continue statement with no preceding statement that has a completion value.

(JSC::StatementNode::next):
(JSC::StatementNode::hasCompletionValue):
Helper to check if a statement node produces a completion value or not.
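The completion-value rules this entry makes the bytecode generator follow, seen from the JavaScript side as an added example (not part of the patch or of WebKit): each program is run as global code through an indirect eval, whose return value is the program's completion value, and compared with what ECMA-262 prescribes. The expected values come from the spec's UpdateEmpty rules for control-flow statements, not from this ChangeLog, and the engine running the example is assumed to conform; the programs are constructed.

```javascript
'use strict';

// Indirect eval runs its argument as global code, so the value it returns
// is the program's completion value (the thing this entry fixes in JSC).
const globalEval = eval;

function completionValue(src) {
  return globalEval(src);
}

// Constructed cases: each program is paired with the completion value
// ECMA-262 requires. Control-flow statements go through UpdateEmpty, so a
// statement that produced no value yields undefined instead of leaking the
// previous statement's value. Class declarations follow the same rule as
// function declarations (empty completion) but are not exercised here.
const CASES = [
  // if: an empty or untaken branch yields undefined, not 1.
  { src: '1; if (true) {}', expected: undefined },
  { src: '1; if (true) { 2; }', expected: 2 },
  { src: '1; if (false) { 2; }', expected: undefined },
  // loops: a loop that never runs yields undefined; an early break keeps
  // whatever value the body already produced.
  { src: '1; while (false) {}', expected: undefined },
  { src: '1; for (;;) { break; }', expected: undefined },
  { src: '1; while (true) { 2; break; }', expected: 2 },
  // switch and with follow the same rule.
  { src: '1; switch (0) {}', expected: undefined },
  { src: '1; with ({}) {}', expected: undefined },
  // try/finally: the finally block's completion value is always ignored.
  { src: '1; try { 2; } finally { 3; }', expected: 2 },
  { src: '1; try {} finally { 3; }', expected: undefined },
  // a declaration produces an empty completion, so 1 survives.
  { src: '1; function f() {}', expected: 1 },
];

// Run every case and report which ones the running engine gets right.
function checkCompletionValues() {
  return CASES.map(({ src, expected }) => {
    const actual = completionValue(src);
    return { src, expected, actual, ok: Object.is(actual, expected) };
  });
}

function allSpecConformant() {
  return checkCompletionValues().every((r) => r.ok);
}

for (const r of checkCompletionValues()) {
  console.log(`${r.ok ? 'ok  ' : 'FAIL'} ${r.src}  ->  ${String(r.actual)}`);
}
```

The `with` and sloppy-mode cases work even though the file itself is strict, because an indirect eval always evaluates its argument as non-strict global code.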

2017-09-04 Saam Barati <sbarati@apple.com>

typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
https://bugs.webkit.org/show_bug.cgi?id=176317

Reviewed by Keith Miller.

It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to
the SetLocal of a particular value where the value is the empty JSValue.
On 64-bit platforms, the empty value is zero. This means that the empty value
passes a cell check. This will lead to a crash when we dereference null to load
the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
in the structure checks it hoists. On 64-bit platforms, instead of emitting a
CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
the empty value to flow through. If the value isn't empty, it'll perform the normal
structure check that CheckStructure performs. For now, we only emit CheckStructureOrEmpty
on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
value to flow through.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
(JSC::DFG::Node::hasStructureSet):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitStructureCheck):
(JSC::DFG::SpeculativeJIT::compileCheckStructure):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):

2017-09-04 Saam Barati <sbarati@apple.com>

Support compiling catch in the FTL
https://bugs.webkit.org/show_bug.cgi?id=175396

Reviewed by Filip Pizlo.

This patch implements op_catch in the FTL. It extends the DFG implementation
by supporting multiple entrypoints in DFG-SSA. This patch implements this
by introducing an EntrySwitch node. When converting to SSA, we introduce a new
root block with an EntrySwitch that has the previous DFG entrypoints as its
successors. By convention, we pick the zeroth entry point index to be the
op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
SSAConversion creates cannot exit because we would not know where to exit
to in the program: we would not have valid OSR exit state. This design also
mandates that anything we hoist above EntrySwitch in the new root block
cannot exit since they also do not have valid OSR exit state.

This patch also adds a new metadata node named InitializeEntrypointArguments.
InitializeEntrypointArguments is a metadata node that initializes the flush format for
the arguments at a given entrypoint. For a given entrypoint index, this node
tells AI and OSRAvailabilityAnalysis what the flush format for each argument
is. This allows each individual entrypoint to have an independent set of
argument types. Currently, this won't happen in practice because ArgumentPosition
unifies flush formats, but this is an implementation detail we probably want
to modify in the future. SSAConversion will add InitializeEntrypointArguments
to the beginning of each of the original DFG entrypoint blocks.

This patch also adds the ability to specify custom prologue code generators in Air.
This allows the FTL to specify a custom prologue for catch entrypoints that
matches the op_catch OSR entry calling convention that the DFG uses. This way,
the baseline JIT code OSR enters into op_catch the same way both in the DFG
and the FTL. In the future, we can use this same mechanism to perform stack
overflow checks instead of using a patchpoint.

* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::isEntrypoint):
(JSC::B3::Air::Code::entrypointIndex):
(JSC::B3::Air::Code::setPrologueForEntrypoint):
(JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
* b3/air/AirGenerate.cpp:
(JSC::B3::Air::generate):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGBasicBlock.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::parse):
(JSC::DFG::selectCFG):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::shrinkToFit):
(JSC::DFG::CommonData::finalizeCatchEntrypoints):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
(JSC::DFG::CommonData::appendCatchEntrypoint):
* dfg/DFGDoesGC.cpp:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::invalidateCFG):
(JSC::DFG::Graph::ensureCPSCFG):
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
(JSC::DFG::Graph::isEntrypoint):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
(JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::shrinkToFit):
(JSC::DFG::JITCode::finalizeOSREntrypoints):
(JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
(JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::noticeCatchEntrypoint):
(JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
* dfg/DFGMayExit.cpp:
(JSC::DFG::Node::isEntrySwitch):
(JSC::DFG::Node::isTerminal):
(JSC::DFG::Node::entrySwitchData):
(JSC::DFG::Node::numSuccessors):
(JSC::DFG::Node::successor):
(JSC::DFG::Node::entrypointIndex):
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareCatchOSREntry):
* dfg/DFGOSREntry.h:
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::SSAConversionPhase):
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
2487 * dfg/DFGSpeculativeJIT.cpp:
2488 (JSC::DFG::SpeculativeJIT::linkOSREntries):
2489 * dfg/DFGSpeculativeJIT32_64.cpp:
2490 (JSC::DFG::SpeculativeJIT::compile):
2491 * dfg/DFGSpeculativeJIT64.cpp:
2492 (JSC::DFG::SpeculativeJIT::compile):
2493 * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
2494 (JSC::DFG::StaticExecutionCountEstimationPhase::run):
2495 * dfg/DFGValidate.cpp:
2496 * ftl/FTLCapabilities.cpp:
2497 (JSC::FTL::canCompile):
2498 * ftl/FTLCompile.cpp:
2499 (JSC::FTL::compile):
2500 * ftl/FTLLowerDFGToB3.cpp:
2501 (JSC::FTL::DFG::LowerDFGToB3::lower):
2502 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2503 (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
2504 (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
2505 (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
2506 (JSC::FTL::DFG::LowerDFGToB3::speculate):
2507 (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
2508 (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
2509 (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
2510 * ftl/FTLOutput.cpp:
2511 (JSC::FTL::Output::entrySwitch):
2513 * jit/JITOperations.cpp:
2515 2017-09-03 Yusuke Suzuki <utatane.tea@gmail.com>
2517 [DFG][FTL] Efficiently execute number#toString()
2518 https://bugs.webkit.org/show_bug.cgi?id=170007
2520 Reviewed by Keith Miller.
2522 In JS, the natural way to convert a number to a string with a radix is `number.toString(radix)`.
2523 However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
2525 While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
2526 So, in this patch, we first add a fast path for this in DFG by using a watchpoint. We set up a watchpoint for
2527 Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
2528 speculated as Number, we emit Number related Checks and convert GetById to a Number.prototype.toString constant.
2529 It removes the costly GetById slow path, and makes it a non-clobbering node (JSConstant).
2531 In addition, we add the NumberToStringWithValidRadixConstant node. We have the NumberToStringWithRadix node, but it may
2532 throw an error if the valid value is incorrect (for example, number.toString(2000)). So its clobbering rule
2533 conservatively uses read(World)/write(Heap). But in reality, `number.toString` is mostly called with a constant
2534 radix, and we can easily figure out that this radix is valid (2 <= radix && radix < 32).
2535 We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
2536 It ensures that it has a valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.
2538 Added microbenchmarks show performance improvement.
2542 number-to-string-with-radix-cse 43.8312+-1.3017 ^ 7.4930+-0.5105 ^ definitely 5.8496x faster
2543 number-to-string-with-radix-10 7.2775+-0.5225 ^ 2.1906+-0.1864 ^ definitely 3.3222x faster
2544 number-to-string-with-radix 39.7378+-1.4921 ^ 16.6137+-0.7776 ^ definitely 2.3919x faster
2545 number-to-string-strength-reduction 94.9667+-2.7157 ^ 9.3060+-0.7202 ^ definitely 10.2049x faster
2547 * dfg/DFGAbstractInterpreterInlines.h:
2548 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2549 * dfg/DFGClobberize.h:
2550 (JSC::DFG::clobberize):
2551 * dfg/DFGConstantFoldingPhase.cpp:
2552 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2553 * dfg/DFGDoesGC.cpp:
2555 * dfg/DFGFixupPhase.cpp:
2556 (JSC::DFG::FixupPhase::fixupNode):
2558 (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
2559 (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
2560 (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
2562 (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
2563 (JSC::DFG::Node::hasValidRadixConstant):
2564 (JSC::DFG::Node::validRadixConstant):
2565 * dfg/DFGNodeType.h:
2566 * dfg/DFGPredictionPropagationPhase.cpp:
2567 * dfg/DFGSafeToExecute.h:
2568 (JSC::DFG::safeToExecute):
2569 * dfg/DFGSpeculativeJIT.cpp:
2570 (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
2571 (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
2572 (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
2573 * dfg/DFGSpeculativeJIT.h:
2574 * dfg/DFGSpeculativeJIT32_64.cpp:
2575 (JSC::DFG::SpeculativeJIT::compile):
2576 * dfg/DFGSpeculativeJIT64.cpp:
2577 (JSC::DFG::SpeculativeJIT::compile):
2578 * dfg/DFGStrengthReductionPhase.cpp:
2579 (JSC::DFG::StrengthReductionPhase::handleNode):
2580 * ftl/FTLCapabilities.cpp:
2581 (JSC::FTL::canCompile):
2582 * ftl/FTLLowerDFGToB3.cpp:
2583 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2584 (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
2585 * runtime/JSGlobalObject.cpp:
2586 (JSC::JSGlobalObject::JSGlobalObject):
2587 (JSC::JSGlobalObject::init):
2588 (JSC::JSGlobalObject::visitChildren):
2589 * runtime/JSGlobalObject.h:
2590 (JSC::JSGlobalObject::numberToStringWatchpoint):
2591 (JSC::JSGlobalObject::numberProtoToStringFunction const):
2592 * runtime/NumberPrototype.cpp:
2593 (JSC::NumberPrototype::finishCreation):
2594 (JSC::toStringWithRadixInternal):
2595 (JSC::toStringWithRadix):
2596 (JSC::int32ToStringInternal):
2597 (JSC::numberToStringInternal):
2598 * runtime/NumberPrototype.h:
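Added example (JavaScript, not code from the WebKit tree): a reference implementation of the integer path of number.toString(radix), using the radix check ECMAScript requires (an integer from 2 to 36 inclusive), beside checks of the two conditions the fast path above depends on: an out-of-range radix is a RangeError, and replacing Number.prototype.toString must be observed by later calls, which is what the watchpoint guards. Names such as int32ToStringWithRadix and isValidRadix are this example's own, not JSC's.

```javascript
// Added example, not WebKit code: a reference implementation of the integer
// path of Number.prototype.toString(radix) next to the observable conditions
// the DFG fast path relies on.
const DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz";

// ECMAScript accepts an integer radix from 2 to 36 inclusive; anything else
// makes Number.prototype.toString throw a RangeError. A constant radix in
// this range is what lets a compiler drop the throwing path.
function isValidRadix(radix) {
  return Number.isInteger(radix) && radix >= 2 && radix <= 36;
}

// Integer conversion: peel digits from the least significant end, then
// prepend the sign. Exact for the whole int32 range because every
// intermediate value fits in a double without rounding.
function int32ToStringWithRadix(value, radix) {
  if (!isValidRadix(radix))
    throw new RangeError("toString() radix must be between 2 and 36");
  if (!Number.isInteger(value) || value < -2147483648 || value > 2147483647)
    throw new TypeError("int32 expected");
  if (value === 0) return "0";
  const negative = value < 0;
  let n = Math.abs(value);
  let digits = "";
  while (n > 0) {
    digits = DIGITS[n % radix] + digits;
    n = Math.floor(n / radix);
  }
  return negative ? "-" + digits : digits;
}

// Cross-check against the engine's own conversion for one value.
function matchesNative(value, radix) {
  return int32ToStringWithRadix(value, radix) === value.toString(radix);
}

// The "may throw" behaviour a generic NumberToStringWithRadix has to keep:
// an out-of-range radix such as 2000 is a RangeError, not a result.
function nativeThrowsRangeError(radix) {
  try {
    (255).toString(radix);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// The watchpoint condition: folding GetById(base, "toString") to the
// built-in is only sound while Number.prototype.toString is unmodified.
// Replacing it must be visible to every later number.toString(radix) call.
function overrideIsObserved() {
  const original = Number.prototype.toString;
  try {
    Number.prototype.toString = function () { return "patched"; };
    return (255).toString(16) === "patched";
  } finally {
    Number.prototype.toString = original;
  }
}
```

The override check is the property a JIT must preserve when it constant-folds the method lookup: the moment the prototype method changes, the folded code has to be thrown away, which is exactly what firing the watchpoint achieves.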
2600 2017-09-04 Yusuke Suzuki <utatane.tea@gmail.com>
2602 [DFG] Consider increasing the number of DFG worklist threads
2603 https://bugs.webkit.org/show_bug.cgi?id=176222
2605 Reviewed by Saam Barati.
2607 Attempt to add one more thread to the DFG worklist. The DFG compiler sometimes takes a
2608 very long time if the target function is very large. However, the DFG worklist
2609 had only one thread before this patch. Therefore, one function that takes
2610 too much time to be compiled can prevent the other functions from being
2611 compiled in DFG or upper tiers.
2613 One example is Octane/zlib. In zlib, compiling the "a1" function in DFG takes a
2614 super long time (447 ms) because of the super large size of the function.
2615 While this function never gets compiled in FTL due to its large size,
2616 it can be compiled in DFG and takes a super long time. The subsequent "a8" function
2617 compilation in DFG is blocked by this "a1". As a consequence, the benchmark
2618 takes a very long time in a1/Baseline code, which is slower than DFG of course.
2620 While FTL has a bit more threads, the DFG worklist has only one thread. This patch
2621 adds one more thread to the DFG worklist to alleviate the above situation. This
2622 change significantly improves Octane/zlib performance.
2626 zlib x2 482.32825+-6.07640 ^ 408.66072+-14.03856 ^ definitely 1.1803x faster
2628 * runtime/Options.h:
2630 2017-09-04 Sam Weinig <sam@webkit.org>
2632 [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
2633 https://bugs.webkit.org/show_bug.cgi?id=176312
2635 Reviewed by Darin Adler.
2637 * runtime/CommonIdentifiers.h:
2639 Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
2640 to WebCoreBuiltinNames in WebCore.
2642 2017-09-03 Yusuke Suzuki <utatane.tea@gmail.com>
2644 Remove "malloc" and "free" use
2645 https://bugs.webkit.org/show_bug.cgi?id=176310
2647 Reviewed by Darin Adler.
2651 * API/JSWrapperMap.mm:
2652 (selectorToPropertyName):
2654 2017-09-03 Darin Adler <darin@apple.com>
2656 Try to fix Windows build.
2658 * runtime/JSGlobalObjectFunctions.cpp: #include <unicode/utf8.h>.
2660 2017-09-03 Yusuke Suzuki <utatane.tea@gmail.com>
2662 [WTF] Add C++03 allocator interface for GCC < 6
2663 https://bugs.webkit.org/show_bug.cgi?id=176301
2665 Reviewed by Darin Adler.
2667 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2669 2017-09-03 Chris Dumez <cdumez@apple.com>
2671 Unreviewed, rolling out r221555.
2673 Did not fix Windows build
2677 "Unreviewed attempt to fix Windows build."
2678 http://trac.webkit.org/changeset/221555
2680 2017-09-03 Chris Dumez <cdumez@apple.com>
2682 Unreviewed attempt to fix Windows build.
2684 * runtime/JSGlobalObjectFunctions.cpp:
2686 2017-09-03 Chris Dumez <cdumez@apple.com>
2688 Unreviewed, rolling out r221552.
2694 "[WTF] Add C++03 allocator interface for GCC < 6"
2695 https://bugs.webkit.org/show_bug.cgi?id=176301
2696 http://trac.webkit.org/changeset/221552
2698 2017-09-03 Yusuke Suzuki <utatane.tea@gmail.com>
2700 [WTF] Add C++03 allocator interface for GCC < 6
2701 https://bugs.webkit.org/show_bug.cgi?id=176301
2703 Reviewed by Darin Adler.
2705 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2707 2017-09-03 Yusuke Suzuki <utatane.tea@gmail.com>
2709 [JSC] Clean up BytecodeLivenessAnalysis
2710 https://bugs.webkit.org/show_bug.cgi?id=176295
2712 Reviewed by Saam Barati.
2714 Previously, computeDefsForBytecodeOffset was a bit customizable.
2715 This was used for the try-catch handler's liveness analysis. But after
2716 the careful generatorification implementation, it is no longer necessary.
2717 This patch drops this customizability.
2719 * bytecode/BytecodeGeneratorification.cpp:
2720 (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
2721 (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
2722 * bytecode/BytecodeLivenessAnalysis.cpp:
2723 (JSC::BytecodeLivenessAnalysis::computeKills):
2724 (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
2725 (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
2726 * bytecode/BytecodeLivenessAnalysis.h:
2727 * bytecode/BytecodeLivenessAnalysisInlines.h:
2728 (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2729 (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
2730 (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
2731 (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
2732 (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
2733 (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
2734 (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
2735 (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
2736 (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
2737 (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.
2739 2017-09-03 Sam Weinig <sam@webkit.org>
2742 https://bugs.webkit.org/show_bug.cgi?id=176288
2744 Reviewed by Yusuke Suzuki.
2746 CanvasProxy does not appear to be in any current HTML spec
2747 and was disabled and unimplemented in our tree. Time to
2750 * Configurations/FeatureDefines.xcconfig:
2752 2017-09-02 Oliver Hunt <oliver@apple.com>
2754 Need an API to get the global context from JSObjectRef
2755 https://bugs.webkit.org/show_bug.cgi?id=176291
2757 Reviewed by Saam Barati.
2759 Very simple additional API, starting off as SPI on principle.
2761 * API/JSObjectRef.cpp:
2762 (JSObjectGetGlobalContext):
2763 * API/JSObjectRefPrivate.h:
2764 * API/tests/testapi.c:
2767 2017-09-02 Yusuke Suzuki <utatane.tea@gmail.com>
2769 [DFG] Relax arity requirement
2770 https://bugs.webkit.org/show_bug.cgi?id=175523
2772 Reviewed by Saam Barati.
2774 Our DFG pipeline gives up inlining when the arity of the target function is more than the number of arguments.
2775 It effectively prevents us from inlining and optimizing functions which take some optional arguments in the form
2778 This patch removes the above restriction by performing the arity fixup in DFG.
2780 SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).
2784 defaults.es5 1232.1226+-20.6775 ^ 442.3326+-26.1883 ^ definitely 2.7855x faster
2785 rest.es6 5.3406+-0.8588 ^ 3.5812+-0.5388 ^ definitely 1.4913x faster
2786 spread-generator.es6 320.9107+-12.4808 310.4295+-12.0047 might be 1.0338x faster
2787 generator.es6 318.3514+-9.6023 ^ 286.4974+-12.6203 ^ definitely 1.1112x faster
2789 * bytecode/InlineCallFrame.cpp:
2790 (JSC::InlineCallFrame::dumpInContext const):
2791 * bytecode/InlineCallFrame.h:
2792 (JSC::InlineCallFrame::InlineCallFrame):
2793 * dfg/DFGAbstractInterpreterInlines.h:
2794 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2795 * dfg/DFGArgumentsEliminationPhase.cpp:
2796 * dfg/DFGArgumentsUtilities.cpp:
2797 (JSC::DFG::argumentsInvolveStackSlot):
2798 (JSC::DFG::emitCodeToGetArgumentsArrayLength):
2799 * dfg/DFGByteCodeParser.cpp:
2800 (JSC::DFG::ByteCodeParser::setLocal):
2801 (JSC::DFG::ByteCodeParser::setArgument):
2802 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
2803 (JSC::DFG::ByteCodeParser::flush):
2804 (JSC::DFG::ByteCodeParser::getArgumentCount):
2805 (JSC::DFG::ByteCodeParser::inliningCost):
2806 (JSC::DFG::ByteCodeParser::inlineCall):
2807 (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2808 (JSC::DFG::ByteCodeParser::parseBlock):
2809 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2810 * dfg/DFGCommonData.cpp:
2811 (JSC::DFG::CommonData::validateReferences):
2812 * dfg/DFGConstantFoldingPhase.cpp:
2813 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2815 (JSC::DFG::Graph::isLiveInBytecode):
2817 (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2818 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2819 (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2820 * dfg/DFGOSRExit.cpp:
2821 (JSC::DFG::OSRExit::emitRestoreArguments):
2822 * dfg/DFGOSRExitCompilerCommon.cpp:
2823 (JSC::DFG::reifyInlinedCallFrames):
2824 * dfg/DFGPreciseLocalClobberize.h:
2825 (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2826 * dfg/DFGSpeculativeJIT.cpp:
2827 (JSC::DFG::SpeculativeJIT::emitGetLength):
2828 (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
2829 * dfg/DFGStackLayoutPhase.cpp:
2830 (JSC::DFG::StackLayoutPhase::run):
2831 * ftl/FTLCompile.cpp:
2832 (JSC::FTL::compile):
2833 * ftl/FTLLowerDFGToB3.cpp:
2834 (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2835 (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
2836 * ftl/FTLOperations.cpp:
2837 (JSC::FTL::operationMaterializeObjectInOSR):
2838 * interpreter/StackVisitor.cpp:
2839 (JSC::StackVisitor::readInlinedFrame):
2840 * jit/AssemblyHelpers.h:
2841 (JSC::AssemblyHelpers::argumentsStart):
2842 * jit/SetupVarargsFrame.cpp:
2843 (JSC::emitSetupVarargsFrameFastCase):
2844 * runtime/ClonedArguments.cpp:
2845 (JSC::ClonedArguments::createWithInlineFrame):
2846 * runtime/CommonSlowPaths.h:
2847 (JSC::CommonSlowPaths::numberOfExtraSlots):
2848 (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
2849 (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
2850 (JSC::CommonSlowPaths::arityCheckFor):
2851 * runtime/StackAlignment.h:
2852 (JSC::stackAlignmentBytes):
2853 (JSC::stackAlignmentRegisters):
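Added example (not part of the patch or of the WebKit test suite): a stress-style test in the shape of a JSTests/stress file for the case the patch enables, a call site that always passes fewer arguments than the callee declares. It checks the interpreter-visible invariants across a hot loop: missing parameters read as undefined, arguments.length is the passed count, and default and rest parameters see the same. Function names are the example's own.

```javascript
// Added example, not from the WebKit tree: a stress-style check of the
// behaviour an arity-mismatched inlined call must preserve. `callee`
// declares four parameters but is always called with two, so once the
// loop is hot the call site is the case the patch lets the DFG inline
// instead of giving up on.
function callee(a, b, c, d) {
  // Parameters the caller did not pass read as undefined, while
  // arguments.length still reports how many were actually passed.
  return { a, b, c, d, argc: arguments.length, passed: Array.from(arguments) };
}

function caller(x, y) {
  return callee(x, y);
}

// Runs the mismatched call many times and fails on the first iteration
// where the callee observes anything other than the interpreter semantics.
function runHot(iterations) {
  let last;
  for (let i = 0; i < iterations; i++) {
    last = caller(i, i + 1);
    if (last.a !== i || last.b !== i + 1 || last.c !== undefined || last.d !== undefined
        || last.argc !== 2 || last.passed.length !== 2)
      throw new Error("arity fixup changed observable state at iteration " + i);
  }
  return last;
}

// Default and rest parameters are the usual source of such mismatches
// (the defaults/rest SixSpeed tests listed above). Returns
// [a, b, rest.length, arguments.length] so one call checks all four.
function withDefaults(a, b = a * 2, ...rest) {
  return [a, b, rest.length, arguments.length];
}

function runHotDefaults(iterations) {
  let last;
  for (let i = 0; i < iterations; i++) {
    last = withDefaults(i);
    if (last[0] !== i || last[1] !== i * 2 || last[2] !== 0 || last[3] !== 1)
      throw new Error("default parameter fixup changed observable state at " + i);
  }
  return last;
}
```

Both loops deliberately run long enough to tier up in an optimizing engine; if the padded frame were ever laid out wrong, the first thing to diverge is arguments.length or the padded slots, which is why the checks are on those rather than on the return value alone.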
2855 2017-09-01 Yusuke Suzuki <utatane.tea@gmail.com>
2857 [FTL] FTL allocation for async Function is incorrect
2858 https://bugs.webkit.org/show_bug.cgi?id=176214
2860 Reviewed by Saam Barati.
2862 In FTL, allocating async function / async generator function was incorrectly using
2863 JSFunction logic. While it is not observable right now since sizeof(JSFunction) == sizeof(JSAsyncFunction),
2866 * ftl/FTLLowerDFGToB3.cpp:
2867 (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2869 2017-08-31 Yusuke Suzuki <utatane.tea@gmail.com>
2871 [JSC] Fix "name" and "length" of Proxy revoke function
2872 https://bugs.webkit.org/show_bug.cgi?id=176155
2874 Reviewed by Mark Lam.
2876 ProxyRevoke's length should be configurable. And it does not have
2877 its own name. We add NameVisibility enum to InternalFunction to
2878 control visibility of the name.
2880 * runtime/InternalFunction.cpp:
2881 (JSC::InternalFunction::finishCreation):
2882 * runtime/InternalFunction.h:
2883 * runtime/ProxyRevoke.cpp:
2884 (JSC::ProxyRevoke::finishCreation):
2886 2017-08-31 Saam Barati <sbarati@apple.com>
2888 Throwing an exception in the DFG/FTL should not cause a jettison
2889 https://bugs.webkit.org/show_bug.cgi?id=176060
2890 <rdar://problem/34143348>
2892 Reviewed by Keith Miller.
2894 Throwing an exception is not something that should be a jettison-able
2895 OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit
2896 counts which could cause a CodeBlock to jettison and recompile. This
2897 was dumb. Throwing an exception is not a reason to jettison and
2898 recompile in the way that a speculation failure is. This patch
2899 treats Throw/ThrowStaticError as true terminals in DFG IR.
2901 * bytecode/BytecodeUseDef.h:
2902 (JSC::computeUsesForBytecodeOffset):
2903 * dfg/DFGAbstractInterpreterInlines.h:
2904 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2905 * dfg/DFGByteCodeParser.cpp:
2906 (JSC::DFG::ByteCodeParser::parseBlock):
2907 * dfg/DFGClobberize.h:
2908 (JSC::DFG::clobberize):
2909 * dfg/DFGFixupPhase.cpp:
2910 (JSC::DFG::FixupPhase::fixupNode):
2911 * dfg/DFGInPlaceAbstractState.cpp:
2912 (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
2914 (JSC::DFG::Node::isTerminal):
2915 (JSC::DFG::Node::isPseudoTerminal):
2916 (JSC::DFG::Node::errorType):
2917 * dfg/DFGNodeType.h:
2918 * dfg/DFGOperations.cpp:
2919 * dfg/DFGOperations.h:
2920 * dfg/DFGPredictionPropagationPhase.cpp:
2921 * dfg/DFGSpeculativeJIT.cpp:
2922 (JSC::DFG::SpeculativeJIT::compileThrow):
2923 (JSC::DFG::SpeculativeJIT::compileThrowStaticError):
2924 * dfg/DFGSpeculativeJIT.h:
2925 (JSC::DFG::SpeculativeJIT::callOperation):
2926 * dfg/DFGSpeculativeJIT32_64.cpp:
2927 (JSC::DFG::SpeculativeJIT::compile):
2928 * dfg/DFGSpeculativeJIT64.cpp:
2929 (JSC::DFG::SpeculativeJIT::compile):
2930 * ftl/FTLLowerDFGToB3.cpp:
2931 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2932 (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
2933 (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
2934 * jit/JITOperations.h:
2936 2017-08-31 Saam Barati <sbarati@apple.com>
2938 Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
2939 https://bugs.webkit.org/show_bug.cgi?id=176206
2941 Reviewed by Keith Miller.
2943 Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560
2944 when he fixed it from overwriting invalid parts of the ArithProfile when the
2945 currentNode and the operandNode are from the same bytecode. However, the
2946 mechanism used to determine same bytecode was comparing NodeOrigin. That's
2947 slightly wrong. We need to compare semantic origin, since two NodeOrigins can
2948 have the same semantic origin, but differ only in exitOK. For example,
2949 in the below IR, the DoubleRep and the Phi have the same semantic
2950 origin, but different NodeOrigins.
2952 43 Phi(JS|PureInt, NonBoolInt32|NonIntAsdouble, W:SideState, bc#63, ExitInvalid)
2953 58 ExitOK(MustGen, W:SideState, bc#63)
2954 51 DoubleRep(Check:Number:Kill:@43, Double|PureInt, BytecodeDouble, Exits, bc#63)
2955 54 ArithNegate(DoubleRep:Kill:@51<Double>, Double|UseAsOther|MayHaveDoubleResult, AnyIntAsDouble|NonIntAsdouble, NotSet, Exits, bc#63)
2958 (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2960 2017-08-31 Don Olmstead <don.olmstead@sony.com>
2962 [CMake] Make USE_CF conditional within Windows
2963 https://bugs.webkit.org/show_bug.cgi?id=176173
2965 Reviewed by Alex Christensen.
2967 * PlatformWin.cmake:
2969 2017-08-31 Saam Barati <sbarati@apple.com>
2971 useSeparatedWXHeap should never be true when not on iOS
2972 https://bugs.webkit.org/show_bug.cgi?id=176190
2974 Reviewed by JF Bastien.
2976 If you set useSeparatedWXHeap to true on X86_64, and launch the jsc shell,
2977 the process insta-crashes. Let's silently ignore that option and set it
2978 to false when not on iOS.
2980 * runtime/Options.cpp:
2981 (JSC::recomputeDependentOptions):
2983 2017-08-31 Filip Pizlo <fpizlo@apple.com>
2987 Rubber stamped by Mark Lam.
2989 * runtime/JSArrayBufferView.cpp:
2990 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2992 2017-08-31 Filip Pizlo <fpizlo@apple.com>
2994 All of the different ArrayBuffer::data's should be CagedPtr<>
2995 https://bugs.webkit.org/show_bug.cgi?id=175515
2997 Reviewed by Michael Saboff.
2999 This straightforwardly implements what the title says.
3001 * runtime/ArrayBuffer.cpp:
3002 (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
3003 (JSC::ArrayBufferContents::destroy):
3004 (JSC::ArrayBufferContents::tryAllocate):
3005 (JSC::ArrayBufferContents::makeShared):
3006 (JSC::ArrayBufferContents::copyTo):
3007 (JSC::ArrayBuffer::createFromBytes):
3008 (JSC::ArrayBuffer::transferTo):
3009 * runtime/ArrayBuffer.h:
3010 (JSC::SharedArrayBufferContents::data const):
3011 (JSC::ArrayBufferContents::data const):
3012 (JSC::ArrayBuffer::data):
3013 (JSC::ArrayBuffer::data const):
3014 * runtime/ArrayBufferView.h:
3015 (JSC::ArrayBufferView::baseAddress const):
3016 * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
3017 * runtime/DataView.h:
3018 (JSC::DataView::get):
3019 (JSC::DataView::set):
3020 * runtime/JSArrayBufferView.cpp:
3021 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3022 * runtime/JSArrayBufferView.h:
3023 (JSC::JSArrayBufferView::ConstructionContext::vector const):
3024 (JSC::JSArrayBufferView::vector const):
3025 * runtime/JSGenericTypedArrayViewInlines.h:
3026 (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
3028 2017-08-22 Filip Pizlo <fpizlo@apple.com>
3030 Strings need to be in some kind of gigacage
3031 https://bugs.webkit.org/show_bug.cgi?id=174924
3033 Reviewed by Oliver Hunt.
3035 * runtime/JSString.cpp:
3036 (JSC::JSRopeString::resolveRopeToAtomicString const):
3037 (JSC::JSRopeString::resolveRope const):
3038 * runtime/JSString.h:
3039 (JSC::JSString::create):
3040 (JSC::JSString::createHasOtherOwner):
3041 * runtime/JSStringBuilder.h:
3043 (JSC::VM::gigacageAuxiliarySpace):
3045 2017-08-31 Yusuke Suzuki <utatane.tea@gmail.com>
3047 [JSC] Use reifying system for "name" property of builtin JSFunction
3048 https://bugs.webkit.org/show_bug.cgi?id=175260
3050 Reviewed by Saam Barati.
3052 Currently, builtin JSFunction uses a direct property for "name", which is different
3053 from the usual JSFunction. The usual JSFunction uses a reifying system for "name". We would like
3054 to apply this reifying mechanism to builtin JSFunction to simplify the code and drop
3055 JSFunction::createBuiltinFunction.
3057 We would like to store the "correct" name in FunctionExecutable. For example,
3058 we would like to store a name like "get [Symbol.species]" in FunctionExecutable
3059 instead of specifying the name when creating the JSFunction. To do so, we add new
3060 annotations, @getter and @overriddenName. When @getter is specified, the name of
3061 the function becomes "get xxx". And when @overriddenName="xxx" is specified,
3062 the name of the function becomes "xxx".
3064 We also treat @xxx as anonymous builtin functions that cannot be achieved in
3065 the current JS without privilege.
3067 * Scripts/builtins/builtins_generate_combined_header.py:
3068 (generate_section_for_code_table_macro):
3069 * Scripts/builtins/builtins_generate_combined_implementation.py:
3070 (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3071 * Scripts/builtins/builtins_generate_separate_header.py:
3072 (generate_section_for_code_table_macro):
3073 * Scripts/builtins/builtins_generate_separate_implementation.py:
3074 (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3075 * Scripts/builtins/builtins_model.py:
3076 (BuiltinFunction.__init__):
3077 (BuiltinFunction.fromString):
3078 * Scripts/builtins/builtins_templates.py:
3079 * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
3080 (overriddenName.string_appeared_here.match):
3081 (intrinsic.RegExpTestIntrinsic.test):
3082 * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
3083 (overriddenName.string_appeared_here.match):
3084 (intrinsic.RegExpTestIntrinsic.test):
3085 * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
3086 * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
3087 * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
3088 * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
3089 * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
3090 * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
3091 * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
3092 * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3093 * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3094 * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3095 * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3096 * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3097 * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3098 * builtins/AsyncIteratorPrototype.js:
3099 (symbolAsyncIteratorGetter): Deleted.
3100 * builtins/BuiltinExecutables.cpp:
3101 (JSC::BuiltinExecutables::BuiltinExecutables):
3102 * builtins/BuiltinExecutables.h:
3103 * builtins/BuiltinNames.h:
3104 * builtins/FunctionPrototype.js:
3105 (symbolHasInstance): Deleted.
3106 * builtins/GlobalOperations.js:
3107 (globalPrivate.speciesGetter): Deleted.
3108 * builtins/IteratorPrototype.js:
3109 (symbolIteratorGetter): Deleted.
3110 * builtins/PromiseConstructor.js:
3111 (all.newResolveElement.return.resolve):
3112 (all.newResolveElement):
3114 * builtins/PromiseOperations.js:
3115 (globalPrivate.newPromiseCapability.executor):
3116 (globalPrivate.newPromiseCapability):
3117 (globalPrivate.createResolvingFunctions.resolve):
3118 (globalPrivate.createResolvingFunctions.reject):
3119 (globalPrivate.createResolvingFunctions):
3120 * builtins/RegExpPrototype.js:
3126 (functionCreateBuiltin):
3127 * runtime/AsyncIteratorPrototype.cpp:
3128 (JSC::AsyncIteratorPrototype::finishCreation):
3129 * runtime/FunctionPrototype.cpp:
3130 (JSC::FunctionPrototype::addFunctionProperties):
3131 * runtime/IteratorPrototype.cpp:
3132 (JSC::IteratorPrototype::finishCreation):
3133 * runtime/JSFunction.cpp:
3134 (JSC::JSFunction::finishCreation):
3135 (JSC::JSFunction::getOwnNonIndexPropertyNames):
3136 (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3137 (JSC::JSFunction::createBuiltinFunction): Deleted.
3138 * runtime/JSFunction.h:
3139 * runtime/JSGlobalObject.cpp:
3140 (JSC::JSGlobalObject::init):
3141 * runtime/JSObject.cpp:
3142 (JSC::JSObject::putDirectBuiltinFunction):
3143 (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
3144 * runtime/JSTypedArrayViewPrototype.cpp:
3145 (JSC::JSTypedArrayViewPrototype::finishCreation):
3146 * runtime/Lookup.cpp:
3147 (JSC::reifyStaticAccessor):
3148 * runtime/MapPrototype.cpp:
3149 (JSC::MapPrototype::finishCreation):
3150 * runtime/RegExpPrototype.cpp:
3151 (JSC::RegExpPrototype::finishCreation):
3152 * runtime/SetPrototype.cpp:
3153 (JSC::SetPrototype::finishCreation):
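Added example (not WebKit code): a test262-style check of the names the reifying scheme has to produce for builtins keyed by well-known symbols, the accessor form "get [Symbol.species]" included, together with the property attributes ECMAScript assigns to a built-in function's "name". The cases mirror the builtins the entry touches (species getters, Symbol.match, Symbol.hasInstance, Symbol.iterator, Symbol.asyncIterator). Names like symbolKeyName and checkBuiltinNames are the example's own; it runs against any engine.

```javascript
// Added example, not WebKit code: a test262-style check of the "name" values
// that the @getter / @overriddenName scheme has to reify for built-ins keyed
// by well-known symbols.
function symbolKeyName(symbol, kind) {
  // String(Symbol.species) is "Symbol(Symbol.species)"; the spec name of a
  // function keyed by it is "[Symbol.species]", and "get [Symbol.species]"
  // for an accessor.
  const base = "[" + String(symbol).slice(7, -1) + "]";
  return kind === "get" ? "get " + base : base;
}

// Pairs of (built-in function, expected name) for the builtins the patch
// touches. %IteratorPrototype% and %AsyncIteratorPrototype% are reached
// through the prototype chain because they are not directly exposed.
function builtinNameCases() {
  const iteratorPrototype =
    Object.getPrototypeOf(Object.getPrototypeOf([][Symbol.iterator]()));
  const asyncIteratorPrototype =
    Object.getPrototypeOf(Object.getPrototypeOf(async function* () {}).prototype);
  return [
    [Object.getOwnPropertyDescriptor(Array, Symbol.species).get, symbolKeyName(Symbol.species, "get")],
    [Object.getOwnPropertyDescriptor(Promise, Symbol.species).get, symbolKeyName(Symbol.species, "get")],
    [RegExp.prototype[Symbol.match], symbolKeyName(Symbol.match, "method")],
    [Function.prototype[Symbol.hasInstance], symbolKeyName(Symbol.hasInstance, "method")],
    [iteratorPrototype[Symbol.iterator], symbolKeyName(Symbol.iterator, "method")],
    [asyncIteratorPrototype[Symbol.asyncIterator], symbolKeyName(Symbol.asyncIterator, "method")],
  ];
}

// Returns the expected names whose function does not carry exactly that
// name as a non-writable, non-enumerable, configurable own property (the
// attributes ECMAScript gives the "name" of a built-in function). An
// empty list means every case conforms.
function checkBuiltinNames() {
  const failures = [];
  for (const [fn, expected] of builtinNameCases()) {
    const desc = typeof fn === "function" ? Object.getOwnPropertyDescriptor(fn, "name") : undefined;
    if (!desc || desc.value !== expected || desc.writable || desc.enumerable || !desc.configurable)
      failures.push(expected);
  }
  return failures;
}
```

The attribute check matters as much as the string: a "name" that is writable or enumerable is a conformance failure of the kind test262 reports, which is what the earlier rollout of this change tripped over.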
3155 2017-08-30 Ryan Haddad <ryanhaddad@apple.com>
3157 Unreviewed, rolling out r221327.
3159 This change caused test262 failures.
3163 "[JSC] Use reifying system for "name" property of builtin
3165 https://bugs.webkit.org/show_bug.cgi?id=175260
3166 http://trac.webkit.org/changeset/221327
3168 2017-08-30 Matt Lewis <jlewis3@apple.com>
3170 Unreviewed, rolling out r221384.
3172 This patch caused multiple 32-bit JSC test failures.
3176 "Strings need to be in some kind of gigacage"
3177 https://bugs.webkit.org/show_bug.cgi?id=174924
3178 http://trac.webkit.org/changeset/221384
3180 2017-08-30 Saam Barati <sbarati@apple.com>
3182 semicolon is being interpreted as an = in the LiteralParser
3183 https://bugs.webkit.org/show_bug.cgi?id=176114
3185 Reviewed by Oliver Hunt.
3187 When lexing a semicolon in the LiteralParser, we were properly
3188 setting the TokenType on the current token, however, we were
3189 *returning* the wrong TokenType. The lex function both returns
3190 the TokenType and sets it on the current token. Semicolon was
3191 setting the TokenType to semicolon, but returning the TokenType
3192 for '='. This caused programs like `x;123` to be interpreted as
3195 * runtime/LiteralParser.cpp:
3196 (JSC::LiteralParser<CharType>::Lexer::lex):
3197 (JSC::LiteralParser<CharType>::Lexer::next):
3199 2017-08-22 Filip Pizlo <fpizlo@apple.com>
3201 Strings need to be in some kind of gigacage
3202 https://bugs.webkit.org/show_bug.cgi?id=174924
3204 Reviewed by Oliver Hunt.
3206 * runtime/JSString.cpp:
3207 (JSC::JSRopeString::resolveRopeToAtomicString const):
3208 (JSC::JSRopeString::resolveRope const):
3209 * runtime/JSString.h:
3210 (JSC::JSString::create):
3211 (JSC::JSString::createHasOtherOwner):
3212 * runtime/JSStringBuilder.h:
3214 (JSC::VM::gigacageAuxiliarySpace):
3216 2017-08-30 Oleksandr Skachkov <gskachkov@gmail.com>
3218 [ESNext] Async iteration - Implement async iteration statement: for-await-of
3219 https://bugs.webkit.org/show_bug.cgi?id=166698
3221 Reviewed by Yusuke Suzuki.
3223 Implementation of the for-await-of statement.
3225 * bytecompiler/BytecodeGenerator.cpp:
3226 (JSC::BytecodeGenerator::emitEnumeration):
3227 (JSC::BytecodeGenerator::emitIteratorNext):
3228 * bytecompiler/BytecodeGenerator.h:
3229 * parser/ASTBuilder.h:
3230 (JSC::ASTBuilder::createForOfLoop):
3231 * parser/NodeConstructors.h:
3232 (JSC::ForOfNode::ForOfNode):
3234 (JSC::ForOfNode::isForAwait const):
3235 * parser/Parser.cpp:
3236 (JSC::Parser<LexerType>::parseForStatement):
3238 (JSC::Scope::setSourceParseMode):
3239 (JSC::Scope::setIsFunction):
3240 (JSC::Scope::setIsAsyncGeneratorFunction):
3241 (JSC::Scope::setIsAsyncGeneratorFunctionBody):
3242 * parser/SyntaxChecker.h:
3243 (JSC::SyntaxChecker::createForOfLoop):
2017-08-29 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r221317.
https://bugs.webkit.org/show_bug.cgi?id=176090

"It broke a testing mode because we will never FTL compile a
function that repeatedly throws" (Requested by saamyjoon on

"Throwing an exception in the DFG/FTL should not be a
jettison-able OSR exit"
https://bugs.webkit.org/show_bug.cgi?id=176060
http://trac.webkit.org/changeset/221317
2017-08-29 Yusuke Suzuki <utatane.tea@gmail.com>

[DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
https://bugs.webkit.org/show_bug.cgi?id=175895

Reviewed by Saam Barati.

We have `bucket === @sentinelMapBucket` code in builtins. Since @sentinelMapBucket and bucket
are MapBucket cells (SpecCellOther), we do not have any good fixup for CompareStrictEq.
But rather than introducing a special fixup edge (like NonStringCellUse), converting
CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
In the constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
if one side of the children is a constant non-String cell.

This slightly optimizes map/set iteration.

set-for-each          4.5064+-0.3072   ^   3.2862+-0.2098   ^ definitely 1.3713x faster
large-map-iteration  56.2583+-1.6640      53.6798+-2.0097     might be 1.0480x faster
set-for-of            8.8058+-0.5953   ^   7.5832+-0.3805   ^ definitely 1.1612x faster
map-for-each          4.2633+-0.2694   ^   3.3967+-0.3013   ^ definitely 1.2551x faster
map-for-of           13.1556+-0.5707      12.4911+-0.6004     might be 1.0532x faster

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::Node::convertToCompareEqPtr):
2017-08-29 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] Use reifying system for "name" property of builtin JSFunction
https://bugs.webkit.org/show_bug.cgi?id=175260

Reviewed by Saam Barati.

Currently builtin JSFunction uses a direct property for "name", which is different
from the usual JSFunction. The usual JSFunction uses the reifying system for "name". We would like
to apply this reifying mechanism to builtin JSFunction to simplify code and drop
JSFunction::createBuiltinFunction.

We would like to store the "correct" name in FunctionExecutable. For example,
we would like to store the name like "get [Symbol.species]" in FunctionExecutable
instead of specifying the name when creating the JSFunction. To do so, we add new
annotations, @getter and @overriddenName. When @getter is specified, the name of
the function becomes "get xxx". And when @overriddenName="xxx" is specified,
the name of the function becomes "xxx".

* Scripts/builtins/builtins_generate_combined_header.py:
(generate_section_for_code_table_macro):
* Scripts/builtins/builtins_generate_combined_implementation.py:
(BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
* Scripts/builtins/builtins_generate_separate_header.py:
(generate_section_for_code_table_macro):
* Scripts/builtins/builtins_generate_separate_implementation.py:
(BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
* Scripts/builtins/builtins_model.py:
(BuiltinFunction.__init__):
(BuiltinFunction.fromString):
* Scripts/builtins/builtins_templates.py:
* Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
(overriddenName.string_appeared_here.match):
(intrinsic.RegExpTestIntrinsic.test):
* Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
(overriddenName.string_appeared_here.match):
(intrinsic.RegExpTestIntrinsic.test):
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
* Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
* Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
* Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: