2018-08-31  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in arrayProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=189184
        <rdar://problem/39785959>

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-08-31  Saam barati  <sbarati@apple.com>

        convertToRegExpMatchFastGlobal must use KnownString as the child use kind
        https://bugs.webkit.org/show_bug.cgi?id=189173
        <rdar://problem/43501645>

        Reviewed by Michael Saboff.

        We were crashing during validation because mayExit returned true
        at a point in the program when we weren't allowed to exit.

        The issue is in StrengthReduction: we end up emitting code that
        had a StringUse on an edge after a node that did side effects and before
        an ExitOK/bytecode number transition. However, StrengthReduction did the
        right thing here and also emitted the type checks before the node with
        side effects. It just did bad bookkeeping. The node we convert to needs
        to use KnownStringUse instead of StringUse for the child edge.

        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
        (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-08-30  Saam barati  <sbarati@apple.com>

        Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
        https://bugs.webkit.org/show_bug.cgi?id=189166

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/InlineAccess.cpp:
        (JSC::getScratchRegister):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::valueRegs const):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):

2018-08-30  Saam barati  <sbarati@apple.com>

        InlineAccess should do StringLength
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Reviewed by Yusuke Suzuki.

        This patch extends InlineAccess to support StringLength. This patch also
        fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
        I forgot to implement this for ArrayLength in the initial InlineAccess
        implementation. Supporting StringLength is a natural extension of the
        InlineAccess machinery.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranch8):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::getScratchRegister):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::generateSelfInAccess):
        (JSC::InlineAccess::generateStringLength):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initStringLength):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::baseGPR const):
        (JSC::tryCacheGetByID):

2018-08-30  Saam barati  <sbarati@apple.com>

        CSE DataViewGet* DFG nodes
        https://bugs.webkit.org/show_bug.cgi?id=188768

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we CSE DataViewGet* accesses. To do this,
        I needed to add a third descriptor to HeapLocation to represent the
        isLittleEndian child. This patch is neutral on compile time benchmarks,
        and is a 50% speedup on a trivial CSE microbenchmark that I added.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::hash const):
        (JSC::DFG::HeapLocation::operator== const):
        (JSC::DFG::indexedPropertyLocForResultType):

2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        output of toString() of Generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=188952

        Reviewed by Saam Barati.

        Function#toString does not respect generator and async generator.
        This patch fixes them and supports all the function types.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-08-29  Mark Lam  <mark.lam@apple.com>

        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
        https://bugs.webkit.org/show_bug.cgi?id=189132
        <rdar://problem/42513068>

        Reviewed by Saam Barati.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):

2018-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r235432 and r235436.
        https://bugs.webkit.org/show_bug.cgi?id=189086

        Is a Swift source breaking change. (Requested by keith_miller

        "Add nullability attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235432

        "Add nullability attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235436

2018-08-28  Mark Lam  <mark.lam@apple.com>

        Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
        https://bugs.webkit.org/show_bug.cgi?id=189059
        <rdar://problem/40335354>

        Reviewed by Saam Barati.

        1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
        2. Added $vm.dumpRegisters().

           Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
           Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.

           Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
           It will treat inlined frames' content as registers in the bounding physical frame.

           Here's an example of such a dump on a DFG frame:

           -----------------------------------------------------------------------------
           use | address | value
           -----------------------------------------------------------------------------
           [r 12 arguments[ 7]] | 0x7ffeefbfd330 | 0xa Undefined
           [r 11 arguments[ 6]] | 0x7ffeefbfd328 | 0x10bbb3e80 Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
           [r 10 arguments[ 5]] | 0x7ffeefbfd320 | 0xa Undefined
           [r 9 arguments[ 4]] | 0x7ffeefbfd318 | 0xa Undefined
           [r 8 arguments[ 3]] | 0x7ffeefbfd310 | 0xa Undefined
           [r 7 arguments[ 2]] | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
           [r 6 arguments[ 1]] | 0x7ffeefbfd300 | 0x10bbd00f0 Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
           [r 5 this] | 0x7ffeefbfd2f8 | 0x10bbe0000 Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
           -----------------------------------------------------------------------------
           [ArgumentCount] | 0x7ffeefbfd2f0 | 7
           [ReturnVPC] | 0x7ffeefbfd2f0 | 164 (line 57)
           [Callee] | 0x7ffeefbfd2e8 | 0x10bb68db0 Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
           [CodeBlock] | 0x7ffeefbfd2e0 | 0x10bb2f8e0 __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
           [ReturnPC] | 0x7ffeefbfd2d8 | 0x10064d14c
           [CallerFrame] | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
           -----------------------------------------------------------------------------
           [r -1 CalleeSaveReg] | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
           [r -2 CalleeSaveReg] | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
           [r -3 CalleeSaveReg] | 0x7ffeefbfd2b8 | 0x10baf1608
           [r -4 ] | 0x7ffeefbfd2b0 | 0x10bbcc000 Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
           [r -5 ] | 0x7ffeefbfd2a8 | 0x10bbcc000 Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
           [r -6 ] | 0x7ffeefbfd2a0 | 0xa Undefined
           -----------------------------------------------------------------------------
           [r -7] | 0x7ffeefbfd298 | 0x10bb6fdc0 String (atomic) (identifier): length, StructureID: 4
           [r -8] | 0x7ffeefbfd290 | 0x10bbb7ec0 Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
           [r -9] | 0x7ffeefbfd288 | 0x10bbc33f0 Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
           [r-10] | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
           [r-11] | 0x7ffeefbfd278 | 0x10bbb4290 Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
           [r-12] | 0x7ffeefbfd270 | 0x100000001
           [r-13] | 0x7ffeefbfd268 | 0x10bbc33f0 Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
           [r-14] | 0x7ffeefbfd260 | 0x0
           [r-15] | 0x7ffeefbfd258 | 0x10064d14c
           [r-16] | 0x7ffeefbfd250 | 0x7ffeefbfd2d0
           [r-17] | 0x7ffeefbfd248 | 0x67ec87ee177 INVALID
           [r-18] | 0x7ffeefbfd240 | 0x7ffeefbfd250
           -----------------------------------------------------------------------------

        3. Removed dumpCallFrame() from the jsc shell. We have the following tools that
           we can use in its place:

           $vm.dumpBytecodeFor()
           $vm.dumpRegisters() // Just added in this patch.

        4. Also fixed a bug in BytecodeDumper: it should access
           CallLinkInfo::haveLastSeenCallee() only if CallLinkInfo::isDirect() is false.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame): Deleted.
        (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
        (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
        (JSC::Interpreter::dumpRegisters): Deleted.
        * interpreter/Interpreter.h:
        (GlobalObject::finishCreation):
        (functionDumpCallFrame): Deleted.
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpRegisters):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpRegisters):
        * tools/VMInspector.h:

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullability attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Dan Bernstein.

        Switch to using NS_ASSUME_NONNULL_BEGIN/END.

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullability attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Geoffrey Garen.

2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Parse wasm modules in a streaming fashion
        https://bugs.webkit.org/show_bug.cgi?id=188943

        Reviewed by Mark Lam.

        This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion.
        Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
        we start integrating it into BBQPlan and dropping the old ModuleParser.

        * JavaScriptCore.xcodeproj/project.pbxproj:

        * tools/JSDollarVM.cpp:
        (WTF::WasmStreamingParser::WasmStreamingParser):
        (WTF::WasmStreamingParser::create):
        (WTF::WasmStreamingParser::createStructure):
        (WTF::WasmStreamingParser::streamingParser):
        (WTF::WasmStreamingParser::finishCreation):
        (WTF::functionWasmStreamingParserAddBytes):
        (WTF::functionWasmStreamingParserFinalize):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::JSDollarVM::finishCreation):
        The $vm Wasm::StreamingParser object is introduced for testing purposes. Added a new stress test
        that uses this interface to test the streaming parser in the JSC shell.

        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        (JSC::Wasm::BBQPlan::work):
        * wasm/WasmBBQPlan.h:
        BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
        In subsequent patches, we will remove this, and stream the data into the BBQPlan.

        * wasm/WasmModuleInformation.cpp:
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleInformation.h:
        One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
        since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
        in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
        Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
        a function with this data can be done concurrently with StreamingParser.

        (JSC::Wasm::ModuleInformation::create):
        (JSC::Wasm::ModuleInformation::memoryCount const):
        (JSC::Wasm::ModuleInformation::tableCount const):
        memoryCount and tableCount should be recorded in ModuleInformation.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::makeI32InitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseType): Deleted.
        (JSC::Wasm::ModuleParser::parseImport): Deleted.
        (JSC::Wasm::ModuleParser::parseFunction): Deleted.
        (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
        (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseTable): Deleted.
        (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseMemory): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
        (JSC::Wasm::ModuleParser::parseExport): Deleted.
        (JSC::Wasm::ModuleParser::parseStart): Deleted.
        (JSC::Wasm::ModuleParser::parseElement): Deleted.
        (JSC::Wasm::ModuleParser::parseCode): Deleted.
        (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
        (JSC::Wasm::ModuleParser::parseData): Deleted.
        (JSC::Wasm::ModuleParser::parseCustom): Deleted.
        Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
        SectionParser is also used by StreamingParser.

        * wasm/WasmModuleParser.h:

        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::create):
        (JSC::Wasm::NameSection::setHash):
        Hash calculation is deferred since not all the source is available in streaming parsing.

        * wasm/WasmNameSectionParser.cpp:
        (JSC::Wasm::NameSectionParser::parse):
        * wasm/WasmNameSectionParser.h:
        Use Ref<NameSection>.

        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        Wasm::Plan no longer has m_source since data will be eventually filled in a streaming fashion.
        OMGPlan can get data of the function by using ModuleInformation::functions.

        (JSC::Wasm::Parser::source const):
        (JSC::Wasm::Parser::length const):
        (JSC::Wasm::Parser::offset const):
        (JSC::Wasm::Parser::fail const):
        (JSC::Wasm::makeI32InitExpr):

        (JSC::Wasm::Plan::Plan):
        Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.

        * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
        SectionParser is extracted from ModuleParser. And it is used by both the old (currently working)
        ModuleParser and the new StreamingParser.

        (JSC::Wasm::SectionParser::parseType):
        (JSC::Wasm::SectionParser::parseImport):
        (JSC::Wasm::SectionParser::parseFunction):
        (JSC::Wasm::SectionParser::parseResizableLimits):
        (JSC::Wasm::SectionParser::parseTableHelper):
        (JSC::Wasm::SectionParser::parseTable):
        (JSC::Wasm::SectionParser::parseMemoryHelper):
        (JSC::Wasm::SectionParser::parseMemory):
        (JSC::Wasm::SectionParser::parseGlobal):
        (JSC::Wasm::SectionParser::parseExport):
        (JSC::Wasm::SectionParser::parseStart):
        (JSC::Wasm::SectionParser::parseElement):
        (JSC::Wasm::SectionParser::parseCode):
        (JSC::Wasm::SectionParser::parseInitExpr):
        (JSC::Wasm::SectionParser::parseGlobalType):
        (JSC::Wasm::SectionParser::parseData):
        (JSC::Wasm::SectionParser::parseCustom):
        * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
        * wasm/WasmStreamingParser.cpp: Added.
        (JSC::Wasm::parseUInt7):
        (JSC::Wasm::StreamingParser::fail):
        (JSC::Wasm::StreamingParser::StreamingParser):
        (JSC::Wasm::StreamingParser::parseModuleHeader):
        (JSC::Wasm::StreamingParser::parseSectionID):
        (JSC::Wasm::StreamingParser::parseSectionSize):
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):
        The code section in a Wasm binary is specially handled compared with the other sections since it includes
        a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
        streaming validation / compilation of Wasm functions.

        (JSC::Wasm::StreamingParser::parseFunctionSize):
        (JSC::Wasm::StreamingParser::parseFunctionPayload):
        (JSC::Wasm::StreamingParser::parseSectionPayload):
        (JSC::Wasm::StreamingParser::consume):
        (JSC::Wasm::StreamingParser::consumeVarUInt32):
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::failOnState):
        (JSC::Wasm::StreamingParser::finalize):
        * wasm/WasmStreamingParser.h: Added.
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::errorMessage const):
        This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
        StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
        StreamingParser::addBytes() to pump the byte stream into the parser. And once all the data is pumped,
        the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
        incoming byte stream.

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::source const): Deleted.
        All the source should not be held.

        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyValidateFunc):

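The entry above describes the shape of the streaming parser (consume functions that buffer bytes, parse functions that act on them, addBytes() to pump the stream, finalize() to close it, and special handling of the code section so each function body becomes available on its own) without showing it. The following is an added example written for this page, not JavaScriptCore's Wasm::StreamingParser or any code from the project: a small JavaScript state machine over the WebAssembly binary format that accepts arbitrary chunk boundaries, measures and skips every section except the code section, and splits code-section function bodies out as soon as their bytes have arrived, which is what makes per-function validation and compilation possible while the rest of the module is still in flight. The section/function bounds checks and the bounded varuint32 decoder are the points a reviewer would look for in any parser fed by an untrusted stream. The sample module bytes are constructed for the example.

```javascript
// Added example (not JSC's own code): a minimal streaming parser for the WebAssembly
// binary format in the addBytes()/finalize() state-machine shape the entry describes.
// Non-code sections are measured and skipped; code-section function bodies are split
// out one by one as soon as their bytes have arrived.
const WASM_HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1
const CODE_SECTION_ID = 10;
class WasmStreamingParser {
  constructor() {
    this.buf = []; this.offset = 0; this.state = 'header'; this.error = null;
    this.sections = []; this.functions = []; // { id, size } per section; Uint8Array per function body
    this.sectionId = 0; this.sectionEnd = 0; this.functionsLeft = 0; this.functionSize = 0;
  }
  fail(message) {
    this.error = `${message} at offset ${this.offset}`; this.state = 'failed';
    throw new Error(this.error);
  }
  // Remove and return n bytes, or null if they have not all arrived yet.
  take(n) { if (this.buf.length < n) return null; this.offset += n; return this.buf.splice(0, n); }
  // Decode an unsigned LEB128 varuint32 from the buffer front; null if incomplete.
  takeVarUInt32() {
    for (let i = 0, value = 0; i < 5; i++) {
      if (i >= this.buf.length) return null;
      value += (this.buf[i] & 0x7f) * 2 ** (7 * i);
      if (this.buf[i] & 0x80) continue;
      if (value > 0xffffffff) this.fail('varuint32 out of range');
      this.take(i + 1); return value;
    }
    this.fail('varuint32 too long');
  }
  // Advance until more bytes are needed. Each step consumes all it needs or nothing,
  // so a chunk boundary may fall anywhere in the module.
  pump() {
    for (let v; ;) switch (this.state) {
    case 'header':
      if ((v = this.take(8)) === null) return;
      if (!v.every((b, i) => b === WASM_HEADER[i])) this.fail('bad magic or version');
      this.state = 'sectionId'; break;
    case 'sectionId':
      if ((v = this.take(1)) === null) return;
      this.sectionId = v[0]; this.state = 'sectionSize'; break;
    case 'sectionSize':
      if ((v = this.takeVarUInt32()) === null) return;
      this.sections.push({ id: this.sectionId, size: v }); this.sectionEnd = this.offset + v;
      this.state = this.sectionId === CODE_SECTION_ID ? 'functionCount' : 'sectionPayload'; break;
    case 'sectionPayload': // skipped, not interpreted, in this example
      if (this.take(this.sectionEnd - this.offset) === null) return;
      this.state = 'sectionId'; break;
    case 'functionCount':
      if ((v = this.takeVarUInt32()) === null) return;
      this.functionsLeft = v; this.state = v > 0 ? 'functionSize' : 'codeSectionEnd'; break;
    case 'functionSize':
      if ((v = this.takeVarUInt32()) === null) return;
      if (this.offset + v > this.sectionEnd) this.fail('function body overruns code section');
      this.functionSize = v; this.state = 'functionPayload'; break;
    case 'functionPayload':
      if ((v = this.take(this.functionSize)) === null) return;
      this.functions.push(Uint8Array.from(v)); // could be validated/compiled right now
      this.state = --this.functionsLeft > 0 ? 'functionSize' : 'codeSectionEnd'; break;
    case 'codeSectionEnd':
      if (this.offset !== this.sectionEnd) this.fail('code section size does not match its contents');
      this.state = 'sectionId'; break;
    default: return; // 'finished' or 'failed'
    }
  }
  // Feed the next chunk; returns false once the stream is in error.
  addBytes(bytes) {
    if (this.state === 'failed') return false;
    try {
      if (this.state === 'finished') this.fail('bytes after finalize()');
      for (const b of bytes) this.buf.push(b);
      this.pump(); return true;
    } catch (e) { return false; }
  }
  // Signal end of stream; valid only on a section boundary with nothing buffered.
  finalize() {
    if (this.state === 'failed') return false;
    try {
      if (this.state !== 'sectionId' || this.buf.length) this.fail('unexpected end of module');
      this.state = 'finished'; return true;
    } catch (e) { return false; }
  }
}
// Constructed sample: a valid module whose code section holds two bodies (i32.const 42, i32.const 7).
const SAMPLE_MODULE = Uint8Array.from([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,       // type section: one functype () -> i32
  0x03, 0x03, 0x02, 0x00, 0x00,                   // function section: two functions of type 0
  0x0a, 0x0b, 0x02,                               // code section, 11 bytes, two bodies:
  0x04, 0x00, 0x41, 0x2a, 0x0b,                   //   size 4: no locals, i32.const 42, end
  0x04, 0x00, 0x41, 0x07, 0x0b,                   //   size 4: no locals, i32.const 7, end
]);
// Deliver a module in chunks of chunkSize bytes and return the finished parser.
function parseInChunks(bytes, chunkSize) {
  const parser = new WasmStreamingParser();
  for (let i = 0; i < bytes.length && parser.addBytes(bytes.subarray(i, i + chunkSize)); i += chunkSize);
  parser.finalize();
  return parser;
}
```

Feeding SAMPLE_MODULE one byte at a time and all at once must yield the same three sections and the same two function bodies; a module cut off inside a function body is rejected by finalize() rather than silently accepted, and a body whose declared size runs past the end of its section is rejected before any of it is consumed.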
2018-08-27  Mark Lam  <mark.lam@apple.com>

        Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
        https://bugs.webkit.org/show_bug.cgi?id=188577
        <rdar://problem/42985684>

        Reviewed by Saam Barati.

        1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
           (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.

           The StackOverflowFrame is a sentinel frame that the low level code (exception
           throwing code, stack visitor, and stack unwinding code) will know to skip
           over. The StackOverflowFrame will also have a valid JSCallee so that client
           code can compute the globalObject or VM from this frame.

           As a result, client code that throws StackOverflowErrors no longer needs to
           compute the caller frame to throw from: it just converts the top frame into
           a StackOverflowFrame and everything should *Just Work*.

        2. NativeCallFrameTracerWithRestore is now obsolete.

           Instead, client code should always call convertToStackOverflowFrame() on the
           frame before instantiating a NativeCallFrameTracer with it.

           This means that topCallFrame will always point to the top CallFrame (which
           may be a StackOverflowFrame), and topEntryFrame will always point to the top
           EntryFrame. We'll never temporarily point them to the previous EntryFrame
           (which we used to do with NativeCallFrameTracerWithRestore).

        3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
           CallFrame, and will know how to handle a StackOverflowFrame if they see one.

           This obsoletes the UnwindStart flag.

        * JavaScriptCore.xcodeproj/project.pbxproj:

        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callerFrame const):
        (JSC::CallFrame::unsafeCallerFrame const):
        (JSC::CallFrame::convertToStackOverflowFrame):
        (JSC::CallFrame::callerFrame): Deleted.
        (JSC::CallFrame::unsafeCallerFrame): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/CallFrameInlines.h: Added.
        (JSC::CallFrame::isStackOverflowFrame const):
        (JSC::CallFrame::isWasmFrame const):
        * interpreter/EntryFrame.h: Added.
        (JSC::EntryFrame::vmEntryRecordOffset):
        (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
        * interpreter/FrameTracers.h:
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::visit):
        (JSC::StackVisitor::topEntryFrameIsEmpty const):
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::callee const):
        (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
        (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITOperations.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CallData.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::throwArityCheckStackOverflowError):
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp: Removed.
        * runtime/CommonSlowPathsExceptions.h: Removed.
        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/JSGeneratorFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stackOverflowFrameCallee const):
        (JSC::VM::throwException):

        * runtime/VMInlines.h:
        (JSC::VM::topJSCallFrame const):

2018-08-27  Keith Rollin  <krollin@apple.com>

        Unreviewed build fix -- disable LTO for production builds

        * Configurations/Base.xcconfig:

2018-08-27  Aditya Keerthi  <akeerthi@apple.com>

        Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
        https://bugs.webkit.org/show_bug.cgi?id=188931

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.

2018-08-27  Devin Rousso  <drousso@apple.com>

        Web Inspector: provide autocompletion for event breakpoints
        https://bugs.webkit.org/show_bug.cgi?id=188717

        Reviewed by Brian Burg.

        * inspector/protocol/DOM.json:
        Add `getSupportedEventNames` command.

2018-08-27  Keith Rollin  <krollin@apple.com>

        Build system support for LTO
        https://bugs.webkit.org/show_bug.cgi?id=187785
        <rdar://problem/42353132>

        Reviewed by Dan Bernstein.

        Update Base.xcconfig and DebugRelease.xcconfig to optionally enable

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:

2018-08-27  Patrick Griffis  <pgriffis@igalia.com>

        [GTK][JSC] Add warn_unused_result attribute to some APIs
        https://bugs.webkit.org/show_bug.cgi?id=188983

        Reviewed by Michael Catanzaro.

        * API/glib/JSCValue.h:

2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Array.prototype.reverse modifies JSImmutableButterfly
        https://bugs.webkit.org/show_bug.cgi?id=188794

        Reviewed by Saam Barati.

        While Array.prototype.reverse modifies the butterfly of the given Array,
        it does not account for the JSImmutableButterfly case. So it accidentally modifies
        the content of JSImmutableButterfly.
        This patch converts CoW arrays to writable arrays before reversing.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncReverse):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureWritable):

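The observable effect of the bug above is that an array literal evaluated a second time would come back already reversed, because the engine backed both evaluations with one shared copy-on-write store that reverse() wrote into without first making it writable. The following is an added example, written for this page and not a JSC regression test: a check that evaluates a literal, mutates a throwaway result in place many times, and confirms that a fresh evaluation is unaffected. It goes beyond the entry in two assumed ways, labelled in the comments: it covers sort() and fill() as well as reverse(), on the assumption that every in-place mutator must copy a CoW store before writing, and it includes a deliberately shared "literal" to show that the check actually catches the failure it is meant to catch.

```javascript
// Added example (not a JSC test): a regression check for the bug described in the
// entry above. Repeated evaluations of one array literal may share a copy-on-write
// store, so an in-place mutator must copy before writing, or the next evaluation
// of the literal would observe the mutation.

// Literal-returning functions whose results an engine may back with a shared store.
const literals = {
  int32: () => [1, 2, 3, 4],
  double: () => [1.5, 2.5, 3.5],
  contiguous: () => [1, 'two', null],
};
// The entry covers reverse(); sort() and fill() are included on the assumption
// (not stated in the entry) that every in-place mutator needs the same treatment.
const inPlaceMutators = {
  reverse: a => a.reverse(),
  sort: a => a.sort((x, y) => (x > y ? -1 : 1)), // descending, so elements always move
  fill: a => a.fill(0),
};

// Evaluate the literal, mutate throwaway copies in place (an odd number of times,
// so a shared store would end up reversed rather than restored), then compare a
// fresh evaluation against the first one.
function literalSurvivesMutation(makeLiteral, mutate, iterations = 1001) {
  const expected = JSON.stringify(makeLiteral());
  for (let i = 0; i < iterations; i++) mutate(makeLiteral());
  return JSON.stringify(makeLiteral()) === expected;
}

// Run every mutator against every literal kind; returns e.g. { reverse: true, sort: true, fill: true }.
function checkAllLiterals() {
  const results = {};
  for (const [name, mutate] of Object.entries(inPlaceMutators)) {
    results[name] = Object.values(literals).every(make => literalSurvivesMutation(make, mutate));
  }
  return results;
}

// Stand-in for the broken behaviour: the "literal" hands out one shared array, which is
// what skipping the copy-on-write conversion amounts to. The check must report false.
const sharedStore = [1, 2, 3, 4];
const sharedLiteral = () => sharedStore;
```

On a correct engine checkAllLiterals() returns true for every mutator, and literalSurvivesMutation(sharedLiteral, ...) returns false, which is the signature the original bug would have produced for genuine literals.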
2018-08-24  Michael Saboff  <msaboff@apple.com>

        YARR: Update UCS canonicalization tables for Unicode 11
        https://bugs.webkit.org/show_bug.cgi?id=188928

        Reviewed by Mark Lam.

        Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.

        This passes JavaScriptCore and test262 tests.

        * yarr/YarrCanonicalizeUCS2.cpp:
        * yarr/YarrCanonicalizeUCS2.js:

2018-08-24  Michael Saboff  <msaboff@apple.com>

        YARR: JIT RegExps with non-greedy parenthesized sub patterns
        https://bugs.webkit.org/show_bug.cgi?id=180876

        Reviewed by Filip Pizlo.

        Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
        For the matching code, the greedy path was correct except that we don't try matching for the
        non-greedy case. Added a jump out to the term after the parenthesis and a label to perform the
        first / next match when we backtrack. The backtracking code needs to check to see if we have
        tried the first match or if we can do another match.

        Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
        count. Did other minor cleanup as well.

        Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".

        Updated the text in some comments, both for this change as well as accuracy for existing code.

        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::dumpCompileFailure):
        (JSC::Yarr::jitCompile):
        (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
        (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.

2018-08-23  Simon Fraser  <simon.fraser@apple.com>

        Add support for dumping GC heap snapshots, and a viewer
        https://bugs.webkit.org/show_bug.cgi?id=186416

        Reviewed by Joseph Pecoraro.

        Make a way to dump information about the GC heap that is useful for looking for leaked
        or abandoned objects. This dump is obtained (on Apple platforms) via:
            notifyutil -p com.apple.WebKit.dumpGCHeap
        which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.

        This leverages the heap snapshot used by Web Inspector, adding an alternate format for
        the snapshot JSON that adds additional data about objects and why they are GC roots.

        SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
        the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
        objects visited via opaque roots, we record the reason why via a new out param to
        isReachableFromOpaqueRoots().

        HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
        additional information including the address of the JSCell* and the wrapped object (for
        JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can

        GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).

        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
        * API/JSManagedValue.mm:
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
        * API/glib/JSAPIWrapperObjectGLib.cpp:
        (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):

        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::size const):
        (JSC::ConservativeRoots::size): Deleted.

        (JSC::Heap::addCoreConstraints):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
        (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::buildSnapshot):
        (JSC::HeapSnapshotBuilder::appendNode):
        (JSC::HeapSnapshotBuilder::appendEdge):
        (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
        (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
        (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
        (JSC::snapshotTypeToString):
        (JSC::rootTypeToString):
        (JSC::HeapSnapshotBuilder::setLabelForCell):
        (JSC::HeapSnapshotBuilder::descriptionForCell const):
        (JSC::HeapSnapshotBuilder::json):
        (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
        * heap/HeapSnapshotBuilder.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendSlow):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::heapSnapshotBuilder const):
        (JSC::SlotVisitor::rootMarkReason const):
        (JSC::SlotVisitor::setRootMarkReason):
        (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
        (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::specializedVisit):
        * heap/WeakHandleOwner.cpp:
        (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
        * heap/WeakHandleOwner.h:
723 * runtime/SimpleTypedArrayController.cpp:
724 (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
725 * runtime/SimpleTypedArrayController.h:
726 * tools/JSDollarVM.cpp:
728 2018-08-23 Saam barati <sbarati@apple.com>
730 JSRunLoopTimer may run part of a member function after it's destroyed
731 https://bugs.webkit.org/show_bug.cgi?id=188426
733 Reviewed by Mark Lam.
735 When I was reading the JSRunLoopTimer code, I noticed that it is possible
736 to end up running timer code after the class had been destroyed.
738 The issue I spotted was in this function:
740 void JSRunLoopTimer::timerDidFire()
742 JSLock* apiLock = m_apiLock.get();
744 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
748 std::lock_guard<JSLock> lock(*apiLock);
749 RefPtr<VM> vm = apiLock->vm();
751 // The VM has been destroyed, so we should just give up.
759 Look at the comment 'HERE'. Let's say that the timer callback thread gets context
760 switched before grabbing the API lock. Then, some other thread destroys the VM.
761 And let's say that the VM owns (perhaps transitively) this timer. Then, the
762 timer would run code and access member variables after it was destroyed.
764 This patch fixes this issue by introducing a new timer manager class.
765 This class manages timers on a per VM basis. When a timer is scheduled,
766 this class refs the timer. It also calls the timer callback while actively
767 maintaining a +1 ref to it. So, it's no longer possible to call the timer
768 callback after the timer has been destroyed. However, calling a timer callback
769 can still race with the VM being destroyed. We continue to detect this case and
770 bail out of the callback early.
772 This patch also removes a lot of duplicate code between GCActivityCallback
775 * heap/EdenGCActivityCallback.cpp:
776 (JSC::EdenGCActivityCallback::doCollection):
777 (JSC::EdenGCActivityCallback::lastGCLength):
778 (JSC::EdenGCActivityCallback::deathRate):
779 * heap/EdenGCActivityCallback.h:
780 * heap/FullGCActivityCallback.cpp:
781 (JSC::FullGCActivityCallback::doCollection):
782 (JSC::FullGCActivityCallback::lastGCLength):
783 (JSC::FullGCActivityCallback::deathRate):
784 * heap/FullGCActivityCallback.h:
785 * heap/GCActivityCallback.cpp:
786 (JSC::GCActivityCallback::doWork):
787 (JSC::GCActivityCallback::scheduleTimer):
788 (JSC::GCActivityCallback::didAllocate):
789 (JSC::GCActivityCallback::willCollect):
790 (JSC::GCActivityCallback::cancel):
791 (JSC::GCActivityCallback::cancelTimer): Deleted.
792 (JSC::GCActivityCallback::nextFireTime): Deleted.
793 * heap/GCActivityCallback.h:
795 (JSC::Heap::reportAbandonedObjectGraph):
796 (JSC::Heap::notifyIncrementalSweeper):
797 (JSC::Heap::updateAllocationLimits):
798 (JSC::Heap::didAllocate):
799 * heap/IncrementalSweeper.cpp:
800 (JSC::IncrementalSweeper::scheduleTimer):
801 (JSC::IncrementalSweeper::doWork):
802 (JSC::IncrementalSweeper::doSweep):
803 (JSC::IncrementalSweeper::sweepNextBlock):
804 (JSC::IncrementalSweeper::startSweeping):
805 (JSC::IncrementalSweeper::stopSweeping):
806 * heap/IncrementalSweeper.h:
807 * heap/StopIfNecessaryTimer.cpp:
808 (JSC::StopIfNecessaryTimer::doWork):
809 (JSC::StopIfNecessaryTimer::scheduleSoon):
810 * heap/StopIfNecessaryTimer.h:
811 * runtime/JSRunLoopTimer.cpp:
813 (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
814 (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
815 (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
816 (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
817 (JSC::JSRunLoopTimer::Manager::timerDidFire):
818 (JSC::JSRunLoopTimer::Manager::shared):
819 (JSC::JSRunLoopTimer::Manager::registerVM):
820 (JSC::JSRunLoopTimer::Manager::unregisterVM):
821 (JSC::JSRunLoopTimer::Manager::scheduleTimer):
822 (JSC::JSRunLoopTimer::Manager::cancelTimer):
823 (JSC::JSRunLoopTimer::Manager::timeUntilFire):
824 (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
825 (JSC::JSRunLoopTimer::timerDidFire):
826 (JSC::JSRunLoopTimer::JSRunLoopTimer):
827 (JSC::JSRunLoopTimer::timeUntilFire):
828 (JSC::JSRunLoopTimer::setTimeUntilFire):
829 (JSC::JSRunLoopTimer::cancelTimer):
830 (JSC::JSRunLoopTimer::setRunLoop): Deleted.
831 (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
832 (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
833 * runtime/JSRunLoopTimer.h:
834 (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
835 * runtime/PromiseDeferredTimer.cpp:
836 (JSC::PromiseDeferredTimer::doWork):
837 (JSC::PromiseDeferredTimer::runRunLoop):
838 (JSC::PromiseDeferredTimer::addPendingPromise):
839 (JSC::PromiseDeferredTimer::hasPendingPromise):
840 (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
841 (JSC::PromiseDeferredTimer::cancelPendingPromise):
842 (JSC::PromiseDeferredTimer::scheduleWorkSoon):
843 * runtime/PromiseDeferredTimer.h:
847 (JSC::VM::setRunLoop):
848 (JSC::VM::registerRunLoopTimer): Deleted.
849 (JSC::VM::unregisterRunLoopTimer): Deleted.
851 (JSC::VM::runLoop const):
852 * wasm/js/WebAssemblyPrototype.cpp:
853 (JSC::webAssemblyModuleValidateAsyncInternal):
855 (JSC::compileAndInstantiate):
856 (JSC::webAssemblyModuleInstantinateAsyncInternal):
857 (JSC::webAssemblyCompileStreamingInternal):
858 (JSC::webAssemblyInstantiateStreamingInternal):
860 2018-08-23 Mark Lam <mark.lam@apple.com>
862 Move vmEntryGlobalObject() to VM from CallFrame.
863 https://bugs.webkit.org/show_bug.cgi?id=188900
864 <rdar://problem/43655753>
866 Reviewed by Michael Saboff.
868 Also introduced CallFrame::isGlobalExec() which makes use of one property of
869 GlobalExecs to identify them, i.e. GlobalExecs have null callerFrame and returnPCs.
870 CallFrame::initGlobalExec() ensures this.
872 In contrast, normal CallFrames always have a callerFrame (because they must at
873 least be preceded by a VM EntryFrame) and a returnPC (at least return to the
877 (handleExceptionIfNeeded):
881 (JSCheckScriptSyntax):
882 * API/JSContextRef.cpp:
883 (JSGlobalContextRetain):
884 (JSGlobalContextRelease):
885 (JSGlobalContextCopyName):
886 (JSGlobalContextSetName):
887 (JSGlobalContextGetRemoteInspectionEnabled):
888 (JSGlobalContextSetRemoteInspectionEnabled):
889 (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
890 (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
891 (JSGlobalContextGetDebuggerRunLoop):
892 (JSGlobalContextSetDebuggerRunLoop):
893 (JSGlobalContextGetAugmentableInspectorController):
895 (reportExceptionToInspector):
896 * API/glib/JSCClass.cpp:
897 (jscContextForObject):
898 * API/glib/JSCContext.cpp:
899 (jsc_context_evaluate_in_object):
900 * debugger/Debugger.cpp:
901 (JSC::Debugger::pauseIfNeeded):
902 * debugger/DebuggerCallFrame.cpp:
903 (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
904 (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
905 * interpreter/CallFrame.cpp:
906 (JSC::CallFrame::vmEntryGlobalObject): Deleted.
907 * interpreter/CallFrame.h:
908 (JSC::ExecState::scope const):
909 (JSC::ExecState::noCaller):
910 (JSC::ExecState::isGlobalExec const):
911 * interpreter/Interpreter.cpp:
912 (JSC::notifyDebuggerOfUnwinding):
913 (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
914 (JSC::Interpreter::debug):
915 * runtime/CallData.cpp:
917 * runtime/Completion.cpp:
919 (JSC::profiledEvaluate):
920 (JSC::evaluateWithScopeExtension):
921 (JSC::loadAndEvaluateModule):
923 (JSC::linkAndEvaluateModule):
925 * runtime/ConstructData.cpp:
926 (JSC::profiledConstruct):
928 (JSC::getStackTrace):
930 (JSC::VM::throwException):
931 (JSC::VM::vmEntryGlobalObject const):
934 2018-08-23 Andy Estes <aestes@apple.com>
936 [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
937 https://bugs.webkit.org/show_bug.cgi?id=188829
939 Reviewed by Tim Horton.
941 * Configurations/FeatureDefines.xcconfig:
943 2018-08-23 Devin Rousso <drousso@apple.com>
945 Web Inspector: support breakpoints for timers and animation-frame events
946 https://bugs.webkit.org/show_bug.cgi?id=188778
948 Reviewed by Brian Burg.
950 * inspector/protocol/Debugger.json:
951 Add `AnimationFrame` and `Timer` types to the list of pause reasons.
953 * inspector/protocol/DOMDebugger.json:
954 Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
955 - `setEventListenerBreakpoint`
956 - `removeEventListenerBreakpoint`
957 - `setInstrumentationBreakpoint`
958 - `removeInstrumentationBreakpoint`
959 Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
961 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
962 (CppProtocolTypesHeaderGenerator.generate_output):
963 (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
964 (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
965 (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
966 Generate `DefaultHash` for all `enum class` used by inspector protocols.
968 * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
969 * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
970 * inspector/scripts/tests/generic/expected/enum-values.json-result:
971 * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
972 * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
973 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
974 * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
976 2018-08-23 Michael Saboff <msaboff@apple.com>
978 YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
979 https://bugs.webkit.org/show_bug.cgi?id=188895
981 Reviewed by Mark Lam.
983 Found while working on another change. This will allow processing of nested
984 parentheses that require saved ParenContext structures.
987 (JSC::Yarr::YarrGenerator::compile):
989 2018-08-22 Michael Saboff <msaboff@apple.com>
991 https://bugs.webkit.org/show_bug.cgi?id=188859
992 Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
994 Rubber-stamped by Saam Barati.
996 Deleted these two functions.
998 * jit/JITOperations.cpp:
999 * jit/JITOperations.h:
1001 2018-08-22 Mark Lam <mark.lam@apple.com>
1003 The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1004 https://bugs.webkit.org/show_bug.cgi?id=188298
1005 <rdar://problem/42888427>
1007 Reviewed by Saam Barati.
1009 In the event that both targets of a Branch are the same block, then even if we'll
1010 always take one path of the branch, the other target is not unreachable because
1011 it is the same target as the one in the taken path. Hence, it should not be
1014 * JavaScriptCore.xcodeproj/project.pbxproj:
1015 - Added DFGCFG.h which is in use and should have been added to the project.
1016 * dfg/DFGCFGSimplificationPhase.cpp:
1017 (JSC::DFG::CFGSimplificationPhase::run):
1019 2018-08-20 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1021 [JSC] HeapUtil should care about pointer overflow
1022 https://bugs.webkit.org/show_bug.cgi?id=188740
1024 Reviewed by Saam Barati.
1026 `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if the pointer overflows.
1027 For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1028 with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
1031 (JSC::HeapUtil::findGCObjectPointersForMarking):
1033 2018-08-19 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1035 [JSC] Should not rotate constant with 64
1036 https://bugs.webkit.org/show_bug.cgi?id=188556
1038 Reviewed by Saam Barati.
1040 To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1041 But if the seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1042 where value's type is uint64_t, and these cause undefined behaviors (UBs). This patch limits
1043 the seed to the range [1, 63] so as not to generate code causing UBs. This was found by UBSan.
1045 * assembler/MacroAssembler.h:
1046 (JSC::MacroAssembler::generateRotationSeed):
1047 (JSC::MacroAssembler::rotationBlindConstant):
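Added illustration, not JSC's assembler code, of the seed-range rule in this entry: a seed generator confined to [1, 63], rotate helpers whose shift amounts therefore never reach 64, and a blind/unblind round trip for a constant. generateRotationSeed, rotationBlindConstant and unblind are constructed names, and the RNG is std::mt19937_64 rather than JSC's.

```cpp
#include <cstdint>
#include <random>

// Rotating a 64-bit value by 0 or 64 with the naive formula
//   (v << n) | (v >> (64 - n))
// evaluates a shift by 64, which is undefined behaviour in C++ (UBSan reports
// "shift exponent 64 is too large"). Confining the seed to [1, 63] keeps both
// shift amounts inside [1, 63].

// Constructed seed source; JSC draws from its own RNG.
inline uint8_t generateRotationSeed(std::mt19937_64& rng) {
    // 1 + (r % 63) lies in [1, 63]: neither 0 nor 64 can be produced.
    return static_cast<uint8_t>(1 + (rng() % 63));
}

inline bool seedIsSafe(unsigned seed) { return seed >= 1 && seed <= 63; }

// Precondition for both rotates: 1 <= n <= 63 (guaranteed by the seed generator).
inline uint64_t rotateLeft(uint64_t v, unsigned n) {
    return (v << n) | (v >> (64 - n));
}
inline uint64_t rotateRight(uint64_t v, unsigned n) {
    return (v >> n) | (v << (64 - n));
}

// Constant blinding: the value embedded in the instruction stream is the
// rotated constant, and the emitted code rotates it back at runtime, so the
// original bytes never appear verbatim in executable memory.
struct BlindedConstant {
    uint64_t value;   // what the JIT embeds
    uint8_t rotation; // the seed, needed to recover the constant
};

inline BlindedConstant rotationBlindConstant(uint64_t constant, uint8_t seed) {
    return { rotateRight(constant, seed), seed };
}

inline uint64_t unblind(const BlindedConstant& c) {
    return rotateLeft(c.value, c.rotation);
}

// Every legal seed must round-trip the constant exactly.
inline bool roundTripsForAllSeeds(uint64_t constant) {
    for (unsigned seed = 1; seed <= 63; ++seed) {
        if (unblind(rotationBlindConstant(constant, static_cast<uint8_t>(seed))) != constant)
            return false;
    }
    return true;
}

// Sample the generator many times; true if no seed ever left [1, 63].
inline bool generatorStaysInRange(unsigned samples) {
    std::mt19937_64 rng(0x5eed); // fixed seed: constructed, deterministic sample
    for (unsigned i = 0; i < samples; ++i) {
        if (!seedIsSafe(generateRotationSeed(rng)))
            return false;
    }
    return true;
}
```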
1049 2018-08-21 Commit Queue <commit-queue@webkit.org>
1051 Unreviewed, rolling out r235107.
1052 https://bugs.webkit.org/show_bug.cgi?id=188832
1054 "It revealed bugs in Blob code as well as regressed JS
1055 performance tests" (Requested by saamyjoon on #webkit).
1059 "JSRunLoopTimer may run part of a member function after it's
1061 https://bugs.webkit.org/show_bug.cgi?id=188426
1062 https://trac.webkit.org/changeset/235107
1064 2018-08-21 Saam barati <sbarati@apple.com>
1066 JSRunLoopTimer may run part of a member function after it's destroyed
1067 https://bugs.webkit.org/show_bug.cgi?id=188426
1069 Reviewed by Mark Lam.
1071 When I was reading the JSRunLoopTimer code, I noticed that it is possible
1072 to end up running timer code after the class had been destroyed.
1074 The issue I spotted was in this function:
1076 void JSRunLoopTimer::timerDidFire()
1078 JSLock* apiLock = m_apiLock.get();
1080 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1084 std::lock_guard<JSLock> lock(*apiLock);
1085 RefPtr<VM> vm = apiLock->vm();
1087 // The VM has been destroyed, so we should just give up.
1095 Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1096 switched before grabbing the API lock. Then, some other thread destroys the VM.
1097 And let's say that the VM owns (perhaps transitively) this timer. Then, the
1098 timer would run code and access member variables after it was destroyed.
1100 This patch fixes this issue by introducing a new timer manager class.
1101 This class manages timers on a per VM basis. When a timer is scheduled,
1102 this class refs the timer. It also calls the timer callback while actively
1103 maintaining a +1 ref to it. So, it's no longer possible to call the timer
1104 callback after the timer has been destroyed. However, calling a timer callback
1105 can still race with the VM being destroyed. We continue to detect this case and
1106 bail out of the callback early.
1108 This patch also removes a lot of duplicate code between GCActivityCallback
1111 * heap/EdenGCActivityCallback.cpp:
1112 (JSC::EdenGCActivityCallback::doCollection):
1113 (JSC::EdenGCActivityCallback::lastGCLength):
1114 (JSC::EdenGCActivityCallback::deathRate):
1115 * heap/EdenGCActivityCallback.h:
1116 * heap/FullGCActivityCallback.cpp:
1117 (JSC::FullGCActivityCallback::doCollection):
1118 (JSC::FullGCActivityCallback::lastGCLength):
1119 (JSC::FullGCActivityCallback::deathRate):
1120 * heap/FullGCActivityCallback.h:
1121 * heap/GCActivityCallback.cpp:
1122 (JSC::GCActivityCallback::doWork):
1123 (JSC::GCActivityCallback::scheduleTimer):
1124 (JSC::GCActivityCallback::didAllocate):
1125 (JSC::GCActivityCallback::willCollect):
1126 (JSC::GCActivityCallback::cancel):
1127 (JSC::GCActivityCallback::cancelTimer): Deleted.
1128 (JSC::GCActivityCallback::nextFireTime): Deleted.
1129 * heap/GCActivityCallback.h:
1131 (JSC::Heap::reportAbandonedObjectGraph):
1132 (JSC::Heap::notifyIncrementalSweeper):
1133 (JSC::Heap::updateAllocationLimits):
1134 (JSC::Heap::didAllocate):
1135 * heap/IncrementalSweeper.cpp:
1136 (JSC::IncrementalSweeper::scheduleTimer):
1137 (JSC::IncrementalSweeper::doWork):
1138 (JSC::IncrementalSweeper::doSweep):
1139 (JSC::IncrementalSweeper::sweepNextBlock):
1140 (JSC::IncrementalSweeper::startSweeping):
1141 (JSC::IncrementalSweeper::stopSweeping):
1142 * heap/IncrementalSweeper.h:
1143 * heap/StopIfNecessaryTimer.cpp:
1144 (JSC::StopIfNecessaryTimer::doWork):
1145 (JSC::StopIfNecessaryTimer::scheduleSoon):
1146 * heap/StopIfNecessaryTimer.h:
1147 * runtime/JSRunLoopTimer.cpp:
1149 (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1150 (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1151 (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1152 (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1153 (JSC::JSRunLoopTimer::Manager::timerDidFire):
1154 (JSC::JSRunLoopTimer::Manager::shared):
1155 (JSC::JSRunLoopTimer::Manager::registerVM):
1156 (JSC::JSRunLoopTimer::Manager::unregisterVM):
1157 (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1158 (JSC::JSRunLoopTimer::Manager::cancelTimer):
1159 (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1160 (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1161 (JSC::JSRunLoopTimer::timerDidFire):
1162 (JSC::JSRunLoopTimer::JSRunLoopTimer):
1163 (JSC::JSRunLoopTimer::timeUntilFire):
1164 (JSC::JSRunLoopTimer::setTimeUntilFire):
1165 (JSC::JSRunLoopTimer::cancelTimer):
1166 (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1167 (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1168 (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1169 * runtime/JSRunLoopTimer.h:
1170 (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1171 * runtime/PromiseDeferredTimer.cpp:
1172 (JSC::PromiseDeferredTimer::doWork):
1173 (JSC::PromiseDeferredTimer::runRunLoop):
1174 (JSC::PromiseDeferredTimer::addPendingPromise):
1175 (JSC::PromiseDeferredTimer::hasPendingPromise):
1176 (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1177 (JSC::PromiseDeferredTimer::cancelPendingPromise):
1178 (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1179 * runtime/PromiseDeferredTimer.h:
1183 (JSC::VM::setRunLoop):
1184 (JSC::VM::registerRunLoopTimer): Deleted.
1185 (JSC::VM::unregisterRunLoopTimer): Deleted.
1187 (JSC::VM::runLoop const):
1188 * wasm/js/WebAssemblyPrototype.cpp:
1189 (JSC::webAssemblyModuleValidateAsyncInternal):
1191 (JSC::compileAndInstantiate):
1192 (JSC::webAssemblyModuleInstantinateAsyncInternal):
1193 (JSC::webAssemblyCompileStreamingInternal):
1194 (JSC::webAssemblyInstantiateStreamingInternal):
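Added illustration (not WebKit code) of the fix described in this entry and in its 2018-08-23 re-landing above: a per-VM manager that holds a +1 ref on the timer while its callback runs, so the callback can still touch members after the VM that owns the timer is torn down, and a fire for an already unregistered VM bails out. Timer, VM, TimerManager and simulateDestroyDuringCallback are constructed stand-ins; the race is expressed single-threaded as an ordering inside the callback.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <vector>

// Constructed models of a timer whose callback touches its own members and of
// a VM that (transitively) owns its timers.
struct Timer {
    std::function<void()> work;
    int firedCount = 0;
};

struct VM {
    int id = 0;
    std::vector<std::shared_ptr<Timer>> ownedTimers;
};

// Per-VM manager in the shape the ChangeLog describes: scheduling copies the
// shared_ptr (the +1 ref) and the callback runs while that ref is still held,
// so the timer's storage outlives the callback even if the VM dies meanwhile.
// (The pre-fix code reached the timer through a raw pointer, so a VM dropping
// its timers between the fire and the callback body left a dangling `this`.)
class TimerManager {
public:
    void registerVM(const VM& vm) { m_perVM[vm.id].clear(); }
    void unregisterVM(const VM& vm) { m_perVM.erase(vm.id); }

    void scheduleTimer(int vmId, const std::shared_ptr<Timer>& timer) {
        m_perVM.at(vmId).push_back(timer); // +1 ref, held until the callback has finished
    }

    // Run-loop side. Returns the sum of firedCount over the timers that ran,
    // or 0 when the VM is already gone: the "bail out early" case.
    int timerDidFire(int vmId) {
        auto it = m_perVM.find(vmId);
        if (it == m_perVM.end())
            return 0;
        std::vector<std::shared_ptr<Timer>> firing;
        firing.swap(it->second); // local copy owns the refs; a callback may erase `it`
        int total = 0;
        for (const auto& timer : firing) {
            timer->work();        // may tear down the VM and its ownedTimers
            timer->firedCount++;  // member access after the callback: safe, `firing` owns a ref
            total += timer->firedCount;
        }
        return total;
    }

private:
    std::map<int, std::vector<std::shared_ptr<Timer>>> m_perVM;
};

struct RaceOutcome {
    int firedTotal;          // callbacks that ran and touched members afterwards
    long refsDuringCallback; // strong refs alive while the VM was being destroyed
    int firedAfterVMGone;    // a later fire for the dead VM must do nothing
};

// The ordering from the ChangeLog: the timer fires, and inside its callback the
// VM that owns the timer is destroyed.
RaceOutcome simulateDestroyDuringCallback() {
    TimerManager manager;
    auto vm = std::make_unique<VM>();
    vm->id = 1;
    auto timer = std::make_shared<Timer>();
    vm->ownedTimers.push_back(timer);
    manager.registerVM(*vm);
    manager.scheduleTimer(vm->id, timer);

    std::weak_ptr<Timer> observer = timer;
    long refsSeen = -1;
    timer->work = [&]() {
        manager.unregisterVM(*vm);
        vm.reset();                      // VM destroyed; its ref to the timer is gone
        refsSeen = observer.use_count(); // only the manager's +1 remains, so the timer lives
    };
    timer.reset();                       // this function keeps no strong ref of its own

    int fired = manager.timerDidFire(1);
    int firedAfter = manager.timerDidFire(1); // VM unregistered: must return 0
    return { fired, refsSeen, firedAfter };
}
```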
1196 2018-08-20 Saam barati <sbarati@apple.com>
1198 Inline DataView accesses into DFG/FTL
1199 https://bugs.webkit.org/show_bug.cgi?id=188573
1200 <rdar://problem/43286746>
1202 Reviewed by Michael Saboff.
1204 This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1205 straightforward. We inline the various get*/set* operations as intrinsics.
1207 This patch takes the most obvious approach for now. We OSR exit when:
1208 - An isLittleEndian argument is provided, and is not a boolean.
1209 - The index isn't an integer.
1210 - The |this| isn't a DataView.
1211 - We do an OOB access (or see a neutered array)
1213 To implement this change in a performant way, this patch teaches the macro
1214 assembler how to emit byte swap operations. The semantics of the added functions
1215 are byteSwap + zero extend. This means for the 16bit byte swaps, we need
1216 to actually emit zero extend instructions. For the 32/64bit byte swaps,
1217 the instructions already have these semantics.
1219 This patch is just a lightweight initial implementation. There are some easy
1220 extensions we can do in future changes:
1221 - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1222 - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1224 * assembler/MacroAssemblerARM64.h:
1225 (JSC::MacroAssemblerARM64::byteSwap16):
1226 (JSC::MacroAssemblerARM64::byteSwap32):
1227 (JSC::MacroAssemblerARM64::byteSwap64):
1228 * assembler/MacroAssemblerX86Common.h:
1229 (JSC::MacroAssemblerX86Common::byteSwap32):
1230 (JSC::MacroAssemblerX86Common::byteSwap16):
1231 (JSC::MacroAssemblerX86Common::byteSwap64):
1232 * assembler/X86Assembler.h:
1233 (JSC::X86Assembler::bswapl_r):
1234 (JSC::X86Assembler::bswapq_r):
1235 (JSC::X86Assembler::shiftInstruction16):
1236 (JSC::X86Assembler::rolw_i8r):
1237 (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1238 * assembler/testmasm.cpp:
1239 (JSC::testByteSwap):
1241 * bytecode/DataFormat.h:
1242 * bytecode/SpeculatedType.cpp:
1243 (JSC::dumpSpeculation):
1244 (JSC::speculationFromClassInfo):
1245 (JSC::speculationFromJSType):
1246 (JSC::speculationFromString):
1247 * bytecode/SpeculatedType.h:
1248 * dfg/DFGAbstractInterpreterInlines.h:
1249 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1250 * dfg/DFGByteCodeParser.cpp:
1251 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1252 * dfg/DFGClobberize.h:
1253 (JSC::DFG::clobberize):
1254 * dfg/DFGDoesGC.cpp:
1256 * dfg/DFGFixupPhase.cpp:
1257 (JSC::DFG::FixupPhase::fixupNode):
1259 (JSC::DFG::Node::hasHeapPrediction):
1260 (JSC::DFG::Node::dataViewData):
1261 * dfg/DFGNodeType.h:
1262 * dfg/DFGPredictionPropagationPhase.cpp:
1263 * dfg/DFGSafeToExecute.h:
1264 (JSC::DFG::SafeToExecuteEdge::operator()):
1265 (JSC::DFG::safeToExecute):
1266 * dfg/DFGSpeculativeJIT.cpp:
1267 (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1268 (JSC::DFG::SpeculativeJIT::speculate):
1269 * dfg/DFGSpeculativeJIT.h:
1270 * dfg/DFGSpeculativeJIT32_64.cpp:
1271 (JSC::DFG::SpeculativeJIT::compile):
1272 * dfg/DFGSpeculativeJIT64.cpp:
1273 (JSC::DFG::SpeculativeJIT::compile):
1274 * dfg/DFGUseKind.cpp:
1275 (WTF::printInternal):
1277 (JSC::DFG::typeFilterFor):
1279 * ftl/FTLCapabilities.cpp:
1280 (JSC::FTL::canCompile):
1281 * ftl/FTLLowerDFGToB3.cpp:
1282 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1283 (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1284 (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1285 (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1286 (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1287 (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1288 (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1289 (JSC::FTL::DFG::LowerDFGToB3::speculate):
1290 (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1291 * runtime/Intrinsic.cpp:
1292 (JSC::intrinsicName):
1293 * runtime/Intrinsic.h:
1294 * runtime/JSDataViewPrototype.cpp:
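Added illustration (not JSC's macro-assembler or DFG code) of the "byteSwap + zero extend" semantics and the out-of-bounds exit in this entry: byteSwap16/32/64 on a 64-bit value, and a DataView-style getter over a constructed buffer that refuses an OOB read instead of performing it. All names and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Each swap takes a 64-bit "register", swaps its low N bytes and returns them
// zero-extended. For 16 bits the upper bits must be cleared explicitly (a
// 16-bit rotate leaves them untouched); a 32-bit bswap that writes the 32-bit
// register already zero-extends to 64 bits, and the 64-bit swap needs nothing.
inline uint64_t byteSwap16(uint64_t v) {
    uint16_t low = static_cast<uint16_t>(v);
    return static_cast<uint16_t>((low << 8) | (low >> 8)); // widening from uint16_t zero-extends
}
inline uint64_t byteSwap32(uint64_t v) {
    uint32_t low = static_cast<uint32_t>(v);
    return ((low & 0x000000FFu) << 24) | ((low & 0x0000FF00u) << 8)
         | ((low & 0x00FF0000u) >> 8)  | ((low & 0xFF000000u) >> 24);
}
inline uint64_t byteSwap64(uint64_t v) {
    uint64_t r = 0;
    for (int i = 0; i < 8; ++i)
        r = (r << 8) | ((v >> (8 * i)) & 0xFFu);
    return r;
}

inline bool hostIsLittleEndian() {
    uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

template <size_t N> struct UnsignedOfSize;
template <> struct UnsignedOfSize<2> { using type = uint16_t; };
template <> struct UnsignedOfSize<4> { using type = uint32_t; };
template <> struct UnsignedOfSize<8> { using type = uint64_t; };

// DataView.prototype.get*-style read over a byte buffer. Returns false when the
// access is out of bounds (index past the end, or fewer than sizeof(T) bytes
// left, which also covers a neutered zero-length buffer): the case where the
// inlined DFG/FTL code OSR-exits rather than reading.
template <typename T>
bool dataViewGet(const std::vector<uint8_t>& buffer, size_t index, bool littleEndian, T& out) {
    using U = typename UnsignedOfSize<sizeof(T)>::type;
    if (index > buffer.size() || buffer.size() - index < sizeof(T))
        return false;
    U raw;
    std::memcpy(&raw, buffer.data() + index, sizeof(U)); // host-order load; may be unaligned
    uint64_t reg = raw;                                    // zero-extend into the 64-bit register
    if (littleEndian != hostIsLittleEndian()) {            // the endianness branch the FTL emits
        if (sizeof(U) == 2) reg = byteSwap16(reg);
        else if (sizeof(U) == 4) reg = byteSwap32(reg);
        else reg = byteSwap64(reg);
    }
    U narrowed = static_cast<U>(reg);
    std::memcpy(&out, &narrowed, sizeof(T));               // reinterpret the bits as T
    return true;
}

// Helper for checks: the value widened to int64_t, or kOutOfBounds on failure.
const int64_t kOutOfBounds = INT64_MIN;
template <typename T>
int64_t getOrOutOfBounds(const std::vector<uint8_t>& buffer, size_t index, bool littleEndian) {
    T value;
    return dataViewGet<T>(buffer, index, littleEndian, value) ? static_cast<int64_t>(value) : kOutOfBounds;
}

// Constructed sample: six bytes, so any 2-byte read at index 5 or later is OOB.
inline std::vector<uint8_t> sampleBuffer() {
    return { 0x01, 0x02, 0x03, 0x04, 0x80, 0xFF };
}
```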
1296 2018-08-20 Yusuke Suzuki <utatane.tea@gmail.com>
1298 [YARR] Extend size of fixed characters bulk matching in 64bit platform
1299 https://bugs.webkit.org/show_bug.cgi?id=181989
1301 Reviewed by Michael Saboff.
1303 This patch extends bulk matching style for fixed-sized characters.
1304 In 64bit environment, the GPR can hold up to 8 characters. This change
1305 reduces the code size since we can fuse multiple `mov` operations into one.
1307 * assembler/LinkBuffer.h:
1308 * runtime/Options.h:
1310 (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1311 (JSC::Yarr::YarrGenerator::compile):
1313 2018-08-20 Devin Rousso <drousso@apple.com>
1315 Web Inspector: allow breakpoints to be set for specific event listeners
1316 https://bugs.webkit.org/show_bug.cgi?id=183138
1318 Reviewed by Joseph Pecoraro.
1320 * inspector/protocol/DOM.json:
1321 Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1322 takes an `eventListenerId` and toggles whether that specific usage of that event listener
1323 should have a breakpoint and pause before running.
1325 2018-08-20 Mark Lam <mark.lam@apple.com>
1327 Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1328 https://bugs.webkit.org/show_bug.cgi?id=188769
1330 Reviewed by Michael Saboff.
1332 * llint/LowLevelInterpreter.asm:
1333 - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1334 so that libunwind doesn't get confused by the 2 labels pointing to the same
1337 2018-08-19 Carlos Garcia Campos <cgarcia@igalia.com>
1339 [GLIB] Add API to throw exceptions using printf formatted strings
1340 https://bugs.webkit.org/show_bug.cgi?id=188698
1342 Reviewed by Michael Catanzaro.
1344 Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1345 JSCException using printf formatted string.
1347 * API/glib/JSCContext.cpp:
1348 (jsc_context_throw_printf):
1349 (jsc_context_throw_with_name_printf):
1350 * API/glib/JSCContext.h:
1351 * API/glib/JSCException.cpp:
1352 (jsc_exception_new_printf):
1353 (jsc_exception_new_vprintf):
1354 (jsc_exception_new_with_name_printf):
1355 (jsc_exception_new_with_name_vprintf):
1356 * API/glib/JSCException.h:
1357 * API/glib/docs/jsc-glib-4.0-sections.txt:
1359 2018-08-19 Carlos Garcia Campos <cgarcia@igalia.com>
1361 [GLIB] Complete the JSCException API
1362 https://bugs.webkit.org/show_bug.cgi?id=188695
1364 Reviewed by Michael Catanzaro.
1366 Add more API to JSCException:
1367 - New function to get the column number
1368 - New function to get the exception as a string (toString())
1369 - Add the possibility to create exceptions with a custom error name.
1370 - New function to get the exception error name
1371 - New function to get the exception backtrace.
1372 - New convenience function to report an exception by returning a formatted string with all the exception
1373 details, to be shown as a user error message.
1375 * API/glib/JSCContext.cpp:
1376 (jsc_context_throw_with_name):
1377 * API/glib/JSCContext.h:
1378 * API/glib/JSCException.cpp:
1379 (jscExceptionEnsureProperties):
1380 (jsc_exception_new):
1381 (jsc_exception_new_with_name):
1382 (jsc_exception_get_name):
1383 (jsc_exception_get_column_number):
1384 (jsc_exception_get_back_trace_string):
1385 (jsc_exception_to_string):
1386 (jsc_exception_report):
1387 * API/glib/JSCException.h:
1388 * API/glib/docs/jsc-glib-4.0-sections.txt:
1390 2018-08-19 Commit Queue <commit-queue@webkit.org>
1392 Unreviewed, rolling out r234852.
1393 https://bugs.webkit.org/show_bug.cgi?id=188736
1395 Workaround is not correct (Requested by yusukesuzuki on
1400 "[JSC] Should not rotate constant with 64"
1401 https://bugs.webkit.org/show_bug.cgi?id=188556
1402 https://trac.webkit.org/changeset/234852
1404 2018-08-19 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1406 [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1407 https://bugs.webkit.org/show_bug.cgi?id=188716
1409 Reviewed by Darin Adler.
1411 Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1412 The compiler can emit appropriate mov operations in x86 even if we use these
1415 * assembler/AssemblerBuffer.h:
1416 (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1417 (JSC::AssemblerBuffer::putIntegral):
1418 (JSC::AssemblerBuffer::putIntegralUnchecked):
1419 * assembler/MacroAssemblerX86.h:
1420 (JSC::MacroAssemblerX86::readCallTarget):
1421 * assembler/X86Assembler.h:
1422 (JSC::X86Assembler::linkJump):
1423 (JSC::X86Assembler::readPointer):
1424 (JSC::X86Assembler::replaceWithHlt):
1425 (JSC::X86Assembler::replaceWithJump):
1426 (JSC::X86Assembler::setPointer):
1427 (JSC::X86Assembler::setInt32):
1428 (JSC::X86Assembler::setInt8):
1429 * interpreter/InterpreterInlines.h:
1430 (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
1432 2018-08-17 Saam barati <sbarati@apple.com>
1434 intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1435 https://bugs.webkit.org/show_bug.cgi?id=188707
1436 <rdar://problem/43015442>
1438 Reviewed by Mark Lam.
1440 We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1441 OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1442 that each incoming value is compatible with its corresponding AbstractValue.
1444 The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1445 with abstract values that were clobbered. This meant that the value we're
1446 verifying with at OSR entry effectively has an infinite structure set because
1447 it's clobbered. So, imagine we have code like this:
1449 ---> We OSR enter here, and we're clobbered here
1454 The abstract value for @base inside intersectionOfPastValuesAtHead has a
1455 clobbered structure set, so we'd allow an incoming object with any
1456 structure. However, this is wrong because the invalidation point is no
1457 longer fulfilling its promise that it filters the structure that @base has.
1459 We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1460 as if the incoming value may be live past an InvalidationPoint.
1461 This places a stricter requirement that to safely OSR enter at any basic
1462 block, all incoming values must be compatible as if they lived past
1463 the execution of an invalidation point.
1465 * dfg/DFGCFAPhase.cpp:
1466 (JSC::DFG::CFAPhase::run):
1468 2018-08-17 Yusuke Suzuki <yusukesuzuki@slowstart.org> and Fujii Hironori <Hironori.Fujii@sony.com>
1470 [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1471 https://bugs.webkit.org/show_bug.cgi?id=188589
1473 Reviewed by Mark Lam.
1474 And reviewed by Yusuke Suzuki for Hironori's change.
1476 Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1477 UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1479 - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1480 - We make GPRReg and FPRReg int8_t enums.
1481 - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1482 - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1483 if `enum : int8_t` is used instead of `enum`.
1485 * assembler/ARM64Assembler.h:
1486 * assembler/ARMAssembler.h:
1487 * assembler/ARMv7Assembler.h:
1488 * assembler/MIPSAssembler.h:
1489 * assembler/MacroAssembler.h:
1490 * assembler/X86Assembler.h:
1491 * jit/CCallHelpers.h:
1492 (JSC::CCallHelpers::clampArrayToSize):
1495 (JSC::JSValueRegs::JSValueRegs):
1496 (JSC::JSValueRegs::tagGPR const):
1497 (JSC::JSValueRegs::payloadGPR const):
1498 (JSC::JSValueSource::JSValueSource):
1499 (JSC::JSValueSource::unboxedCell):
1500 (JSC::JSValueSource::operator bool const):
1501 (JSC::JSValueSource::base const):
1502 (JSC::JSValueSource::tagGPR const):
1503 (JSC::JSValueSource::payloadGPR const):
1504 (JSC::JSValueSource::hasKnownTag const):
1506 2018-08-16 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1508 [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1509 https://bugs.webkit.org/show_bug.cgi?id=188686
1511 Reviewed by Saam Barati.
1513 RegisterState would have a larger alignment than `alignof(void*)`. We use the larger alignment value
1514 for `alignof` for RegisterState.
1516 * heap/RegisterState.h:
1518 2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1520 [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1521 https://bugs.webkit.org/show_bug.cgi?id=188571
1523 Reviewed by Saam Barati.
1525 UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1526 allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1527 without considering their alignment. This patch adds DisjunctionContext::allocationSize
1528 and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1529 The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1530 with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1531 than or equal to `sizeof(void*)` by `static_assert`.
1533 * yarr/YarrInterpreter.cpp:
1534 (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1535 (JSC::Yarr::Interpreter::allocDisjunctionContext):
1536 (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1537 (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1538 (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1539 (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1540 (JSC::Yarr::Interpreter::Interpreter):
1541 (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
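Added example, not WebKit's YarrInterpreter code: a constructed stand-in for DisjunctionContext with the rounded allocationSize the entry describes, the static_assert on alignment, and a check of where a bump allocator would place the next pointer-holding context with and without the rounding. All type and field names are hypothetical, and the 12-byte header size assumes a 64-bit target.

```cpp
#include <cstddef>
#include <cstdint>

// Round an allocation size up to a multiple of sizeof(void*). A bump allocator
// hands out addresses by advancing a cursor, so every request must be a multiple
// of the strictest alignment that any allocated type needs.
static constexpr size_t roundUpToPointerSize(size_t size)
{
    return (size + sizeof(void*) - 1) & ~(sizeof(void*) - 1);
}

// Constructed stand-in for the interpreter's DisjunctionContext: a small header
// followed by a variable number of 32-bit frame slots (frameSize >= 1).
struct DisjunctionContext {
    unsigned term;
    unsigned matchBegin;
    uint32_t frame[1];  // really `frameSize` slots long

    // Unrounded size, the way the pre-fix code sized the allocation.
    static constexpr size_t rawSize(unsigned frameSize)
    {
        return sizeof(DisjunctionContext) + (frameSize - 1) * sizeof(uint32_t);
    }

    // Rounded size, the way the fix sizes it.
    static constexpr size_t allocationSize(unsigned frameSize)
    {
        return roundUpToPointerSize(rawSize(frameSize));
    }
};

// Constructed stand-in for ParenthesesDisjunctionContext: it holds a pointer, so
// it needs pointer alignment wherever the bump allocator places it.
struct ParenthesesDisjunctionContext {
    DisjunctionContext* inner;
    unsigned subpatternId;
};

// The guarantee the entry adds: rounding to sizeof(void*) only keeps objects
// aligned if no context requires more than pointer alignment.
static_assert(alignof(DisjunctionContext) <= sizeof(void*), "DisjunctionContext is over-aligned");
static_assert(alignof(ParenthesesDisjunctionContext) <= sizeof(void*), "ParenthesesDisjunctionContext is over-aligned");

// Simulate two back-to-back bump allocations from an aligned base: first a
// DisjunctionContext occupying `firstSize` bytes, then a ParenthesesDisjunctionContext.
// Returns whether the second object would sit at a correctly aligned address.
static bool secondAllocationIsAligned(size_t firstSize)
{
    alignas(alignof(ParenthesesDisjunctionContext)) static unsigned char arena[256];
    uintptr_t cursor = reinterpret_cast<uintptr_t>(arena);
    cursor += firstSize;  // bump past the first allocation
    return cursor % alignof(ParenthesesDisjunctionContext) == 0;
}
```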
1543 2018-08-15 Keith Miller <keith_miller@apple.com>
1545 Remove Evernote hacks
1546 https://bugs.webkit.org/show_bug.cgi?id=188591
1548 Reviewed by Joseph Pecoraro.
1550 The hack was added in 2012 and the Evernote app seems to work now.
1551 It's probably not needed anymore.
1553 * API/JSValueRef.cpp:
1555 (evernoteHackNeeded): Deleted.
1557 2018-08-14 Fujii Hironori <Hironori.Fujii@sony.com>
1559 Unreviewed, rolling out r234874 and r234876.
1561 WinCairo port can't compile
1563 Reverted changesets:
1565 "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
1566 https://bugs.webkit.org/show_bug.cgi?id=188589
1567 https://trac.webkit.org/changeset/234874
1569 "Unreviewed, attempt to fix CLoop build"
1570 https://bugs.webkit.org/show_bug.cgi?id=188589
1571 https://trac.webkit.org/changeset/234876
1573 2018-08-14 Saam barati <sbarati@apple.com>
1575 HashMap<Ref<P>, V> asserts when V is not zero for its empty value
1576 https://bugs.webkit.org/show_bug.cgi?id=188582
1578 Reviewed by Sam Weinig.
1580 * runtime/SparseArrayValueMap.h:
1582 2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1584 Unreviewed, attempt to fix CLoop build
1585 https://bugs.webkit.org/show_bug.cgi?id=188589
1587 * assembler/MacroAssembler.h:
1589 2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1591 [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1592 https://bugs.webkit.org/show_bug.cgi?id=188589
1594 Reviewed by Mark Lam.
1596 Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1597 UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1599 1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1600 2. We make GPRReg and FPRReg int8_t enums.
1601 3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1603 * assembler/ARM64Assembler.h:
1604 * assembler/ARMAssembler.h:
1605 * assembler/ARMv7Assembler.h:
1606 * assembler/MIPSAssembler.h:
1607 * assembler/X86Assembler.h:
1610 (JSC::JSValueRegs::JSValueRegs):
1611 (JSC::JSValueRegs::tagGPR const):
1612 (JSC::JSValueRegs::payloadGPR const):
1613 (JSC::JSValueSource::JSValueSource):
1614 (JSC::JSValueSource::unboxedCell):
1615 (JSC::JSValueSource::operator bool const):
1616 (JSC::JSValueSource::base const):
1617 (JSC::JSValueSource::tagGPR const):
1618 (JSC::JSValueSource::payloadGPR const):
1619 (JSC::JSValueSource::hasKnownTag const):
1621 2018-08-14 Keith Miller <keith_miller@apple.com>
1623 Add missing availability macro.
1624 https://bugs.webkit.org/show_bug.cgi?id=188563
1626 Reviewed by Mark Lam.
1630 2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1632 [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
1633 https://bugs.webkit.org/show_bug.cgi?id=188560
1635 Reviewed by Keith Miller.
1637 While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
1638 it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
1639 uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
1640 `m_wasSeenInJIT { false }`.
1642 * bytecode/GetByIdStatus.h:
1644 2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1646 [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
1647 https://bugs.webkit.org/show_bug.cgi?id=188557
1649 Reviewed by Mark Lam.
1651 DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
1652 processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
1655 * dfg/DFGPredictionPropagationPhase.cpp:
1657 2018-08-14 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1659 [JSC] Should not rotate constant with 64
1660 https://bugs.webkit.org/show_bug.cgi?id=188556
1662 Reviewed by Mark Lam.
1664 To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1665 But if a seed becomes 64, the following code performs `value << 64` where value's type
1666 is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed to the
1667 range [0, 64) so as not to generate code causing UBs. This is found by UBSan.
1669 * assembler/MacroAssembler.h:
1670 (JSC::MacroAssembler::generateRotationSeed):
1671 (JSC::MacroAssembler::rotationBlindConstant):
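Added example, not JSC's MacroAssembler code: a rotation-based constant blinder whose seed stays in [0, 64), with a rotate that is defined at both edges of that range instead of shifting by 64. The seed generator, the BlindedConstant type and the function names are hypothetical stand-ins.

```cpp
#include <cstdint>
#include <random>

// Rotate-left on 64 bits that is well defined for every seed in [0, 64).
// The naive form `(value << seed) | (value >> (64 - seed))` shifts by 64 when
// seed == 0; masking the complementary shift with 63 removes that case.
static inline uint64_t rotateLeft64(uint64_t value, unsigned seed)
{
    seed &= 63;
    return (value << seed) | (value >> ((64 - seed) & 63));
}

static inline uint64_t rotateRight64(uint64_t value, unsigned seed)
{
    seed &= 63;
    return (value >> seed) | (value << ((64 - seed) & 63));
}

// Hypothetical seed generator: `% 64` keeps the seed in [0, 64), the range the
// entry's fix enforces. Seed 0 is a no-op rotation, so a blinder that must alter
// every constant would draw from [1, 64) instead.
static inline unsigned generateRotationSeed(std::mt19937_64& rng)
{
    return static_cast<unsigned>(rng() % 64);
}

// The JIT would emit `blinded` as the immediate followed by a rotate-right by
// `seed`, so the caller-chosen `value` never appears verbatim in executable memory.
struct BlindedConstant {
    uint64_t blinded;
    unsigned seed;
};

static inline BlindedConstant blindConstant(uint64_t value, unsigned seed)
{
    return { rotateLeft64(value, seed), seed };
}

static inline uint64_t unblindConstant(const BlindedConstant& constant)
{
    return rotateRight64(constant.blinded, constant.seed);
}

// Exhaustive round trip over the whole legal seed range, including both edges.
static bool roundTripsForAllSeeds(uint64_t value)
{
    for (unsigned seed = 0; seed < 64; ++seed) {
        if (unblindConstant(blindConstant(value, seed)) != value)
            return false;
    }
    return true;
}

// Draw `draws` seeds and confirm none of them reaches 64.
static bool seedsStayInRange(unsigned draws)
{
    std::mt19937_64 rng(0x5eed);  // fixed seed so the check is reproducible
    for (unsigned i = 0; i < draws; ++i) {
        if (generateRotationSeed(rng) >= 64)
            return false;
    }
    return true;
}
```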
1673 2018-08-12 Karo Gyoker <karogyoker2+webkit@gmail.com>
1675 Disable JIT on IA-32 without SSE2
1676 https://bugs.webkit.org/show_bug.cgi?id=188476
1678 Reviewed by Michael Catanzaro.
1680 Including the missing header (MacroAssembler.h) for operating
1681 systems other than Windows too.
1683 * runtime/Options.cpp:
1685 2018-08-11 Karo Gyoker <karogyoker2+webkit@gmail.com>
1687 Disable JIT on IA-32 without SSE2
1688 https://bugs.webkit.org/show_bug.cgi?id=188476
1690 Reviewed by Yusuke Suzuki.
1692 On IA-32 CPUs without SSE2 most of the webpages cannot load
1693 if the JIT is turned on.
1695 * runtime/Options.cpp:
1696 (JSC::recomputeDependentOptions):
1698 2018-08-10 Joseph Pecoraro <pecoraro@apple.com>
1700 Web Inspector: console.log fires getters for deep properties
1701 https://bugs.webkit.org/show_bug.cgi?id=187542
1702 <rdar://problem/42873158>
1704 Reviewed by Saam Barati.
1706 * inspector/InjectedScriptSource.js:
1707 (RemoteObject.prototype._isPreviewableObject):
1708 Avoid getters/setters when checking for simple properties to preview.
1709 Here we avoid invoking `object[property]` if it could be a user getter.
1711 2018-08-10 Keith Miller <keith_miller@apple.com>
1713 Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
1714 https://bugs.webkit.org/show_bug.cgi?id=185127
1716 Reviewed by Saam Barati.
1718 Previously, we would truncate the indices passed to slice to an
1719 int. This meant that the value was not getting properly clamped
1722 This patch also removes a non-spec compliant check that slice was
1723 passed at least one argument.
1725 * runtime/ArrayBuffer.cpp:
1726 (JSC::ArrayBuffer::clampValue):
1727 (JSC::ArrayBuffer::clampIndex const):
1728 (JSC::ArrayBuffer::slice const):
1729 * runtime/ArrayBuffer.h:
1730 (JSC::ArrayBuffer::clampValue): Deleted.
1731 (JSC::ArrayBuffer::clampIndex const): Deleted.
1732 * runtime/JSArrayBufferPrototype.cpp:
1733 (JSC::arrayBufferProtoFuncSlice):
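Added example, not JSC's ArrayBuffer code: the spec-shaped index clamping for ArrayBuffer.prototype.slice done on the double, next to the pre-fix behaviour that reduced the argument to a 32-bit int first, which is how a large end index collapsed to a zero-length result. Function and struct names are hypothetical; `hasEnd == false` models an undefined `end` argument.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdint>

// JS ToInt32: modular reduction into the 32-bit range. This is the truncation
// the entry describes, and it is why 2^40 collapses to 0.
static int32_t jsToInt32(double number)
{
    if (!std::isfinite(number))
        return 0;
    double modulo = std::fmod(std::trunc(number), 4294967296.0);
    if (modulo < 0)
        modulo += 4294967296.0;
    return static_cast<int32_t>(static_cast<uint32_t>(modulo));
}

// Clamp an integer-valued double into [0, length], counting negative values from
// the end, as the slice spec steps do. Working on the double means a huge index
// saturates at `length` instead of wrapping.
static size_t clampIndex(double index, size_t length)
{
    const double len = static_cast<double>(length);
    if (std::isnan(index))
        index = 0;  // ToInteger(NaN) and ToInteger(undefined) are both +0
    if (index < 0)
        return static_cast<size_t>(std::max(len + index, 0.0));
    return static_cast<size_t>(std::min(index, len));
}

struct SliceRange {
    size_t begin;
    size_t length;
};

// Fixed behaviour: clamp the doubles directly. An undefined `start` arrives as
// NaN (or 0) and needs no argument-count check; an undefined `end` means
// "through the end of the buffer".
static SliceRange sliceRange(size_t byteLength, double start, bool hasEnd, double end)
{
    size_t first = clampIndex(start, byteLength);
    size_t last = hasEnd ? clampIndex(end, byteLength) : byteLength;
    return { first, last > first ? last - first : 0 };
}

// Pre-fix behaviour for contrast: reduce to int32 first, then clamp.
static SliceRange sliceRangeTruncating(size_t byteLength, double start, bool hasEnd, double end)
{
    size_t first = clampIndex(jsToInt32(start), byteLength);
    size_t last = hasEnd ? clampIndex(jsToInt32(end), byteLength) : byteLength;
    return { first, last > first ? last - first : 0 };
}
```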
1735 2018-08-10 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1737 Date.UTC should not return NaN with only Year param
1738 https://bugs.webkit.org/show_bug.cgi?id=188378
1740 Reviewed by Keith Miller.
1742 Date.UTC requires one argument for |year|. But the other ones are optional.
1743 This patch fixes this handling.
1745 * runtime/DateConstructor.cpp:
1746 (JSC::millisecondsFromComponents):
1748 2018-08-08 Keith Miller <keith_miller@apple.com>
1750 Array.prototype.sort should call @toLength instead of ">>> 0"
1751 https://bugs.webkit.org/show_bug.cgi?id=188430
1753 Reviewed by Saam Barati.
1755 Also add a new function to $vm that will fetch a private
1756 property. This can be useful for running builtin helper functions.
1758 * builtins/ArrayPrototype.js:
1760 * tools/JSDollarVM.cpp:
1761 (JSC::functionGetPrivateProperty):
1762 (JSC::JSDollarVM::finishCreation):
1764 2018-08-08 Keith Miller <keith_miller@apple.com>
1766 Array.prototype.sort should throw TypeError if param is a not callable object
1767 https://bugs.webkit.org/show_bug.cgi?id=188382
1769 Reviewed by Saam Barati.
1771 Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
1772 before doing anything else.
1774 Also, refactor the various helper functions to use let instead of var.
1776 * builtins/ArrayPrototype.js:
1777 (sort.stringComparator):
1778 (sort.compactSparse):
1784 (sort.comparatorSort):
1788 2018-08-08 Michael Saboff <msaboff@apple.com>
1790 Yarr JIT should include annotations with dumpDisassembly=true
1791 https://bugs.webkit.org/show_bug.cgi?id=188415
1793 Reviewed by Yusuke Suzuki.
1795 Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
1796 Given that the Yarr creates matching code by going through the YarrPattern ops forward and
1797 then the backtracking code through the YarrPattern ops in reverse order, the disassembler
1798 needs to do the same thing.
1800 Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
1801 out simple methods for what was needed by the YarrDisassembler.
1803 Here is an abbreviated sample output after this change.
1805 Generated JIT code for 8-bit regular expression /ab*c/:
1806 Code at [0x469561c03720, 0x469561c03840):
1807 0x469561c03720: push %rbp
1808 0x469561c03721: mov %rsp, %rbp
1810 0x469561c03762: sub $0x40, %rsp
1812 0:OpBodyAlternativeBegin minimum size 2
1813 0x469561c03766: add $0x2, %esi
1814 0x469561c03769: cmp %edx, %esi
1815 0x469561c0376b: ja 0x469561c037fa
1816 1:OpTerm TypePatternCharacter 'a'
1817 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
1818 0x469561c03776: cmp $0x61, %eax
1819 0x469561c03779: jnz 0x469561c037e9
1820 2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1821 0x469561c0377f: xor %r9d, %r9d
1822 0x469561c03782: cmp %edx, %esi
1823 0x469561c03784: jz 0x469561c037a2
1825 0x469561c0379d: jmp 0x469561c03782
1826 0x469561c037a2: mov %r9, 0x8(%rsp)
1827 3:OpTerm TypePatternCharacter 'c'
1828 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
1829 0x469561c037ac: cmp $0x63, %eax
1830 0x469561c037af: jnz 0x469561c037d1
1831 4:OpBodyAlternativeEnd
1832 0x469561c037b5: add $0x40, %rsp
1834 0x469561c037cf: pop %rbp
1837 4:OpBodyAlternativeEnd
1838 3:OpTerm TypePatternCharacter 'c'
1839 2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1840 0x469561c037d1: mov 0x8(%rsp), %r9
1842 0x469561c037e4: jmp 0x469561c037a2
1843 1:OpTerm TypePatternCharacter 'a'
1844 0:OpBodyAlternativeBegin minimum size 2
1845 0x469561c037e9: mov %rsi, %rax
1847 0x469561c0382f: pop %rbp
1850 * JavaScriptCore.xcodeproj/project.pbxproj:
1852 * runtime/RegExp.cpp:
1853 (JSC::RegExp::compile):
1854 (JSC::RegExp::compileMatchOnly):
1855 * yarr/YarrDisassembler.cpp: Added.
1856 (JSC::Yarr::YarrDisassembler::indentString):
1857 (JSC::Yarr::YarrDisassembler::YarrDisassembler):
1858 (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
1859 (JSC::Yarr::YarrDisassembler::dump):
1860 (JSC::Yarr::YarrDisassembler::dumpHeader):
1861 (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
1862 (JSC::Yarr::YarrDisassembler::dumpForInstructions):
1863 (JSC::Yarr::YarrDisassembler::dumpDisassembly):
1864 * yarr/YarrDisassembler.h: Added.
1865 (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
1866 (JSC::Yarr::YarrDisassembler::setStartOfCode):
1867 (JSC::Yarr::YarrDisassembler::setForGenerate):
1868 (JSC::Yarr::YarrDisassembler::setForBacktrack):
1869 (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
1870 (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
1871 (JSC::Yarr::YarrDisassembler::setEndOfCode):
1872 (JSC::Yarr::YarrDisassembler::indentString):
1874 (JSC::Yarr::YarrGenerator::generate):
1875 (JSC::Yarr::YarrGenerator::backtrack):
1876 (JSC::Yarr::YarrGenerator::YarrGenerator):
1877 (JSC::Yarr::YarrGenerator::compile):
1878 (JSC::Yarr::jitCompile):
1880 * yarr/YarrPattern.cpp:
1881 (JSC::Yarr::dumpCharacterClass):
1882 (JSC::Yarr::PatternTerm::dump):
1883 (JSC::Yarr::YarrPattern::dumpPatternString):
1884 (JSC::Yarr::YarrPattern::dumpPattern):
1885 * yarr/YarrPattern.h:
1887 2018-08-05 Darin Adler <darin@apple.com>
1889 [Cocoa] More tweaks and refactoring to prepare for ARC
1890 https://bugs.webkit.org/show_bug.cgi?id=188245
1892 Reviewed by Dan Bernstein.
1894 * API/JSValue.mm: Use __unsafe_unretained.
1895 (JSContainerConvertor::convert): Use auto for compatibility with the above.
1896 * API/JSWrapperMap.mm:
1897 (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
1898 (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
1900 * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
1902 2018-08-07 Yusuke Suzuki <yusukesuzuki@slowstart.org>
1904 Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
1905 https://bugs.webkit.org/show_bug.cgi?id=188328
1907 Reviewed by Saam Barati.
1909 Shrinking the size of PropertyCondition can improve memory consumption by a lot.
1910 For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
1911 and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
1914 This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
1915 PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
1916 are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
1917 To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
1918 folds a pointer and a 1-byte type into 64-bit data.
1920 This change shrinks PropertyCondition from 24 bytes to 16 bytes.
1922 * bytecode/PropertyCondition.cpp:
1923 (JSC::PropertyCondition::dumpInContext const):
1924 (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1925 (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1926 (JSC::PropertyCondition::isStillValid const):
1927 (JSC::PropertyCondition::isWatchableWhenValid const):
1928 * bytecode/PropertyCondition.h:
1929 (JSC::PropertyCondition::PropertyCondition):
1930 (JSC::PropertyCondition::presenceWithoutBarrier):
1931 (JSC::PropertyCondition::absenceWithoutBarrier):
1932 (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1933 (JSC::PropertyCondition::equivalenceWithoutBarrier):
1934 (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1935 (JSC::PropertyCondition::operator bool const):
1936 (JSC::PropertyCondition::kind const):
1937 (JSC::PropertyCondition::uid const):
1938 (JSC::PropertyCondition::hasOffset const):
1939 (JSC::PropertyCondition::hasAttributes const):
1940 (JSC::PropertyCondition::hasPrototype const):
1941 (JSC::PropertyCondition::hasRequiredValue const):
1942 (JSC::PropertyCondition::hash const):
1943 (JSC::PropertyCondition::operator== const):
1944 (JSC::PropertyCondition::isHashTableDeletedValue const):
1945 (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
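Added example, not WTF's CompactPointerTuple or JSC's PropertyCondition: a pointer and a one-byte tag folded into a single 64-bit word, with a representability check for addresses outside the 48-bit range the entry relies on, and two constructed condition layouts that reproduce the 24-to-16-byte shrink. Type names, the Kind values and the payload field are hypothetical, and the layout sizes assume a 64-bit target.

```cpp
#include <cstdint>
#include <type_traits>

// Pointer plus one-byte tag in a single 64-bit word. Assumes the entry's premise:
// user-space addresses fit in 48 bits, so bits 48..63 are free; the tag lives in
// bits 56..63.
template<typename PointerType, typename Type>
class CompactPointerTuple {
    static_assert(std::is_pointer<PointerType>::value, "PointerType must be a pointer type");
    static_assert(sizeof(Type) == 1, "Type must be exactly one byte");
    static_assert(sizeof(void*) == 8, "packing assumes a 64-bit address space");

    static constexpr uint64_t pointerMask = (uint64_t(1) << 48) - 1;
    static constexpr unsigned typeShift = 56;
    static constexpr uint64_t typeMask = uint64_t(0xff) << typeShift;

public:
    constexpr CompactPointerTuple() = default;
    CompactPointerTuple(PointerType pointer, Type type) { setPointer(pointer); setType(type); }

    // Addresses above the 48-bit range cannot be stored; check before trusting a tuple.
    static bool isRepresentable(PointerType pointer)
    {
        return (reinterpret_cast<uintptr_t>(pointer) & ~pointerMask) == 0;
    }

    PointerType pointer() const
    {
        return reinterpret_cast<PointerType>(static_cast<uintptr_t>(m_data & pointerMask));
    }

    Type type() const
    {
        return static_cast<Type>(static_cast<uint8_t>(m_data >> typeShift));
    }

    void setPointer(PointerType pointer)
    {
        m_data = (m_data & typeMask) | (reinterpret_cast<uintptr_t>(pointer) & pointerMask);
    }

    void setType(Type type)
    {
        m_data = (m_data & pointerMask) | (uint64_t(static_cast<uint8_t>(type)) << typeShift);
    }

private:
    uint64_t m_data { 0 };
};

// Constructed stand-ins for the entry's types.
struct UniquedStringImpl { const char* characters; };
enum class Kind : uint8_t { Presence, Absence, AbsenceOfSetEffect, Equivalence, HasPrototype };
using ConditionHeader = CompactPointerTuple<UniquedStringImpl*, Kind>;

// Layout before: pointer, 1-byte kind, then an 8-byte payload (offset and
// attributes, required value, or prototype in the real class). Padding after
// `kind` pushes this to 24 bytes.
struct UnpackedCondition {
    UniquedStringImpl* uid;
    Kind kind;
    uint64_t payload;
};

// Layout after: uid and kind share one word, so the whole thing is 16 bytes.
struct PackedCondition {
    ConditionHeader header;
    uint64_t payload;
};

// Store, read back, retag, and confirm the pointer bits survive untouched.
static bool roundTrips()
{
    static UniquedStringImpl name { "length" };
    ConditionHeader tuple(&name, Kind::Equivalence);
    if (tuple.pointer() != &name || tuple.type() != Kind::Equivalence)
        return false;
    tuple.setType(Kind::Absence);
    return tuple.pointer() == &name && tuple.type() == Kind::Absence;
}
```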
1947 2018-08-07 Mark Lam <mark.lam@apple.com>
1949 Use a more specific PtrTag for PlatformRegisters PC and LR.
1950 https://bugs.webkit.org/show_bug.cgi?id=188366
1951 <rdar://problem/42984123>
1953 Reviewed by Keith Miller.
1955 Also fixed a bug in linkRegister(), which was previously returning the PC instead
1956 of LR. It now returns LR.
1958 * runtime/JSCPtrTag.h:
1959 * runtime/MachineContext.h:
1960 (JSC::MachineContext::instructionPointer):
1961 (JSC::MachineContext::linkRegister):
1962 * runtime/VMTraps.cpp:
1963 (JSC::SignalContext::SignalContext):
1964 * tools/SigillCrashAnalyzer.cpp:
1965 (JSC::SignalContext::SignalContext):
1967 2018-08-07 Karo Gyoker <karogyoker2+webkit@gmail.com>
1969 Hardcoded LFENCE instruction
1970 https://bugs.webkit.org/show_bug.cgi?id=188145
1972 Reviewed by Filip Pizlo.
1974 Remove the lfence instruction because it crashes systems without SSE2 and
1975 this is not how WebKit mitigates Spectre.
1977 * runtime/JSLock.cpp:
1978 (JSC::JSLock::didAcquireLock):
1979 (JSC::JSLock::willReleaseLock):
1981 2018-08-04 David Kilzer <ddkilzer@apple.com>
1983 REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
1984 <https://webkit.org/b/188331>
1986 Reviewed by Yusuke Suzuki.
1988 * runtime/TemplateObjectDescriptor.h:
1989 (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
1990 Use `m_rawstrings` instead of `rawStrings` to calculate hash.
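Added example, not JSC's TemplateObjectDescriptor: a constructed descriptor whose constructor hashes the moved-from parameter, next to the fixed form that hashes the member, and a check showing that the regressed version assigns every descriptor the same hash. The hasher, type and field names are hypothetical.

```cpp
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Order-sensitive hash over the raw strings (constructed; not JSC's hasher).
static unsigned hashStrings(const std::vector<std::string>& strings)
{
    unsigned hash = 0;
    for (const auto& string : strings)
        hash = hash * 31u + static_cast<unsigned>(std::hash<std::string>{}(string));
    return hash;
}

// Constructed stand-in for the regressed constructor. Members are initialized in
// declaration order, so `rawStrings` has already been moved into m_rawStrings by
// the time m_hash reads the parameter: it hashes a moved-from (empty) vector.
struct DescriptorBeforeFix {
    std::vector<std::string> m_rawStrings;
    unsigned m_hash;

    explicit DescriptorBeforeFix(std::vector<std::string> rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashStrings(rawStrings))  // use after move
    { }
};

// The fix: hash the member that now owns the data.
struct DescriptorAfterFix {
    std::vector<std::string> m_rawStrings;
    unsigned m_hash;

    explicit DescriptorAfterFix(std::vector<std::string> rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashStrings(m_rawStrings))
    { }
};

// Does a descriptor's stored hash match a fresh hash of its own strings?
template<typename Descriptor>
static bool storedHashMatchesContents(const std::vector<std::string>& rawStrings)
{
    Descriptor descriptor(rawStrings);
    return descriptor.m_hash == hashStrings(descriptor.m_rawStrings);
}

// Every pre-fix descriptor hashes the empty vector, so distinct template literals
// all land in one bucket: lookups still work, but the table degrades to a list.
static bool allDescriptorsCollideBeforeFix()
{
    DescriptorBeforeFix a({ "hello ", "" });
    DescriptorBeforeFix b({ "a", "b", "c" });
    return a.m_hash == b.m_hash && a.m_hash == hashStrings({});
}
```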
1992 2018-08-03 Saam Barati <sbarati@apple.com>
1994 Give the `jsc` shell the JIT entitlement
1995 https://bugs.webkit.org/show_bug.cgi?id=188324
1996 <rdar://problem/42885806>
1998 Reviewed by Dan Bernstein.
2000 This should help us in ensuring the system jsc is able to JIT.
2002 * Configurations/JSC.xcconfig:
2003 * JavaScriptCore.xcodeproj/project.pbxproj:
2004 * allow-jit-macOS.entitlements: Added.
2006 2018-08-03 Alex Christensen <achristensen@webkit.org>
2008 Fix spelling of "overridden"
2009 https://bugs.webkit.org/show_bug.cgi?id=188315
2011 Reviewed by Darin Adler.
2014 * inspector/InjectedScriptSource.js:
2016 2018-08-02 Saam Barati <sbarati@apple.com>
2018 Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2019 https://bugs.webkit.org/show_bug.cgi?id=188271
2020 <rdar://problem/42850884>
2022 Reviewed by Michael Saboff.
2024 This patch defends against the instructionPointer containing garbage bits.
2025 See radar for details.
2027 * runtime/MachineContext.h:
2028 (JSC::MachineContext::instructionPointer):
2029 * runtime/SamplingProfiler.cpp:
2030 (JSC::SamplingProfiler::takeSample):
2031 * runtime/VMTraps.cpp:
2032 (JSC::SignalContext::SignalContext):
2033 (JSC::SignalContext::tryCreate):
2034 * tools/CodeProfiling.cpp:
2035 (JSC::profilingTimer):
2036 * tools/SigillCrashAnalyzer.cpp:
2037 (JSC::SignalContext::SignalContext):
2038 (JSC::SignalContext::tryCreate):
2039 (JSC::SignalContext::dump):
2040 (JSC::installCrashHandler):
2041 * wasm/WasmFaultSignalHandler.cpp:
2042 (JSC::Wasm::trapHandler):
2044 2018-08-02 David Fenton <david_fenton@apple.com>
2046 Unreviewed, rolling out r234489.
2048 Caused 50+ crashes and 60+ API failures on iOS
2052 "[WTF] Rename String::format to String::deprecatedFormat"
2053 https://bugs.webkit.org/show_bug.cgi?id=188191
2054 https://trac.webkit.org/changeset/234489
2056 2018-08-01 Yusuke Suzuki <utatane.tea@gmail.com>
2058 Add self.queueMicrotask(f) on DOMWindow
2059 https://bugs.webkit.org/show_bug.cgi?id=188212
2061 Reviewed by Ryosuke Niwa.
2064 * JavaScriptCore.xcodeproj/project.pbxproj:
2066 * runtime/JSGlobalObject.cpp:
2068 * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2069 (JSC::createJSMicrotask):
2070 Export them to WebCore.
2072 (JSC::JSMicrotask::run):
2073 * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2074 Add another version of JSMicrotask which does not have arguments.
2076 2018-08-01 Tomas Popela <tpopela@redhat.com>
2078 [WTF] Rename String::format to String::deprecatedFormat
2079 https://bugs.webkit.org/show_bug.cgi?id=188191
2081 Reviewed by Darin Adler.
2083 It should be replaced with string concatenation.
2085 * bytecode/CodeBlock.cpp:
2086 (JSC::CodeBlock::nameForRegister):
2087 * inspector/InjectedScriptBase.cpp:
2088 (Inspector::InjectedScriptBase::makeCall):
2089 * inspector/InspectorBackendDispatcher.cpp:
2090 (Inspector::BackendDispatcher::getPropertyValue):
2091 * inspector/agents/InspectorConsoleAgent.cpp:
2092 (Inspector::InspectorConsoleAgent::enable):
2093 (Inspector::InspectorConsoleAgent::stopTiming):
2095 (FunctionJSCStackFunctor::operator() const):
2097 (JSC::Lexer<T>::invalidCharacterMessage const):
2098 * runtime/IntlDateTimeFormat.cpp:
2099 (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2100 * runtime/IntlObject.cpp:
2101 (JSC::canonicalizeLocaleList):
2102 * runtime/LiteralParser.cpp:
2103 (JSC::LiteralParser<CharType>::Lexer::lex):
2104 (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2105 (JSC::LiteralParser<CharType>::parse):
2106 * runtime/LiteralParser.h:
2107 (JSC::LiteralParser::getErrorMessage):
2109 2018-08-01 Andy VanWagoner <andy@vanwagoner.family>
2111 [INTL] Allow "unknown" formatToParts types
2112 https://bugs.webkit.org/show_bug.cgi?id=188176
2114 Reviewed by Darin Adler.
2116 Originally extra unexpected field types were marked as "literal", since
2117 the spec did not account for these. The ECMA 402 spec has since been updated
2118 to specify "unknown" should be used in these cases.
2120 Currently there is no known way to reach these cases, so no tests can
2121 account for them. Theoretically they shouldn't exist, but they are specified,
2122 just to be safe. Marking them as "unknown" instead of "literal" hopefully
2123 will make such cases easy to identify if they ever happen.
2125 * runtime/IntlDateTimeFormat.cpp:
2126 (JSC::IntlDateTimeFormat::partTypeString):
2127 * runtime/IntlNumberFormat.cpp:
2128 (JSC::IntlNumberFormat::partTypeString):
2130 2018-08-01 Andy VanWagoner <andy@vanwagoner.family>
2132 [INTL] Implement hourCycle in DateTimeFormat
2133 https://bugs.webkit.org/show_bug.cgi?id=188006
2135 Reviewed by Darin Adler.
2137 Implemented hourCycle, updating both the skeleton and the final pattern.
2138 Changed resolveLocale to assume undefined options are not given and null
2139 strings actually mean null, which removes the tag extension.
2141 * runtime/CommonIdentifiers.h:
2142 * runtime/IntlCollator.cpp:
2143 (JSC::IntlCollator::initializeCollator):
2144 * runtime/IntlDateTimeFormat.cpp:
2145 (JSC::IntlDTFInternal::localeData):
2146 (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2147 (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2148 (JSC::IntlDateTimeFormat::resolvedOptions):
2149 * runtime/IntlDateTimeFormat.h:
2150 * runtime/IntlObject.cpp:
2151 (JSC::resolveLocale):
2153 2018-08-01 Keith Miller <keith_miller@apple.com>
2155 JSArrayBuffer should have its own JSType
2156 https://bugs.webkit.org/show_bug.cgi?id=188231
2158 Reviewed by Saam Barati.
2160 * runtime/JSArrayBuffer.cpp:
2161 (JSC::JSArrayBuffer::createStructure):
2165 2018-07-31 Keith Miller <keith_miller@apple.com>
2167 Unreviewed 32-bit build fix...
2169 * dfg/DFGSpeculativeJIT32_64.cpp:
2171 2018-07-31 Keith Miller <keith_miller@apple.com>
2173 Long compiling JSC files should not be unified
2174 https://bugs.webkit.org/show_bug.cgi?id=188205
2176 Reviewed by Saam Barati.
2178 The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2179 to compile. Unifying them means touching anything in the same
2180 bundle as those files takes a long time to incrementally build.
2181 This patch separates those files so they build standalone.
2183 * JavaScriptCore.xcodeproj/project.pbxproj:
2185 * dfg/DFGSpeculativeJIT64.cpp:
2187 2018-07-31 Yusuke Suzuki <utatane.tea@gmail.com>
2189 [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2190 https://bugs.webkit.org/show_bug.cgi?id=188201
2192 Reviewed by Keith Miller.
2194 We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
2195 When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2196 new one. So this cellLock() is unnecessary for contiguous shape since contiguous shaped butterfly
2197 never becomes broken state. This patch removes unnecessary locking.
2199 * runtime/JSObject.cpp:
2200 (JSC::JSObject::visitButterflyImpl):
2202 2018-07-31 Guillaume Emont <guijemont@igalia.com>
2204 [JSC] Remove gcc warnings for 32-bit platforms
2205 https://bugs.webkit.org/show_bug.cgi?id=187803
2207 Reviewed by Yusuke Suzuki.
2209 * assembler/MacroAssemblerPrinter.cpp:
2210 (JSC::Printer::printPCRegister):
2211 (JSC::Printer::printRegisterID):
2212 (JSC::Printer::printAddress):
2213 * dfg/DFGSpeculativeJIT.cpp:
2214 (JSC::DFG::SpeculativeJIT::speculateNumber):
2215 (JSC::DFG::SpeculativeJIT::speculateMisc):
2216 * jit/CCallHelpers.h:
2217 (JSC::CCallHelpers::calculatePokeOffset):
2218 * runtime/Options.cpp:
2221 2018-07-30 Wenson Hsieh <wenson_hsieh@apple.com>
2223 watchOS engineering build is broken after r234227
2224 https://bugs.webkit.org/show_bug.cgi?id=188180
2226 Reviewed by Keith Miller.
2228 In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2229 postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2230 `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2231 `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2233 To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2234 entirely, since there's no relevant version to replace them with.
2236 * postprocess-headers.sh:
2238 2018-07-30 Keith Miller <keith_miller@apple.com>
2240 Clarify conversion rules for JSValue property access API
2241 https://bugs.webkit.org/show_bug.cgi?id=188179
2243 Reviewed by Geoffrey Garen.
2247 2018-07-30 Keith Miller <keith_miller@apple.com>
2249 Rename some JSC API functions/types.
2250 https://bugs.webkit.org/show_bug.cgi?id=188173
2252 Reviewed by Saam Barati.
2254 * API/JSObjectRef.cpp:
2255 (JSObjectHasPropertyForKey):
2256 (JSObjectGetPropertyForKey):
2257 (JSObjectSetPropertyForKey):
2258 (JSObjectDeletePropertyForKey):
2259 (JSObjectHasPropertyKey): Deleted.
2260 (JSObjectGetPropertyKey): Deleted.
2261 (JSObjectSetPropertyKey): Deleted.
2262 (JSObjectDeletePropertyKey): Deleted.
2263 * API/JSObjectRef.h:
2266 (-[JSValue valueForProperty:]):
2267 (-[JSValue setValue:forProperty:]):
2268 (-[JSValue deleteProperty:]):
2269 (-[JSValue hasProperty:]):
2270 (-[JSValue defineProperty:descriptor:]):
2271 * API/tests/testapi.cpp:
2274 2018-07-30 Mark Lam <mark.lam@apple.com>
2276 Add a debugging utility to dump the memory layout of a JSCell.
2277 https://bugs.webkit.org/show_bug.cgi?id=188157
2279 Reviewed by Yusuke Suzuki.
2281 This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2282 dump the memory contents of a cell and if present, its butterfly for debugging
2285 Example usage for JS code when JSC_useDollarVM=true:
2289 Example usage from C++ code or from lldb:
2291 (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2293 Some examples of dumps:
2295 <0x104bc8260, Object>
2296 [0] 0x104bc8260 : 0x010016000000016c header
2297 structureID 364 0x16c structure 0x104b721b0
2298 indexingTypeAndMisc 0 0x0 NonArray
2302 [1] 0x104bc8268 : 0x0000000000000000 butterfly
2303 [2] 0x104bc8270 : 0xffff000000000007
2304 [3] 0x104bc8278 : 0xffff000000000008
2306 <0x104bb4360, Array>
2307 [0] 0x104bb4360 : 0x0108210b00000171 header
2308 structureID 369 0x171 structure 0x104b723e0
2309 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2313 [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2315 hasIndexingHeader YES hasAnyArrayStorage YES
2316 publicLength 4 vectorLength 7 indexBias 2
2317 preCapacity 2 propertyCapacity 4
2319 [0] 0x8000f46e0 : 0x0000000000000000
2320 [1] 0x8000f46e8 : 0x0000000000000000
2321 <--- propertyCapacity
2322 [2] 0x8000f46f0 : 0x0000000000000000
2323 [3] 0x8000f46f8 : 0x0000000000000000
2324 [4] 0x8000f4700 : 0xffff00000000000d
2325 [5] 0x8000f4708 : 0xffff00000000000c
2327 [6] 0x8000f4710 : 0x0000000700000004
2330 [7] 0x8000f4718 : 0x0000000000000000
2331 [8] 0x8000f4720 : 0x0000000400000002
2332 <--- indexedProperties
2333 [9] 0x8000f4728 : 0xffff000000000008
2334 [10] 0x8000f4730 : 0xffff000000000009
2335 [11] 0x8000f4738 : 0xffff000000000005
2336 [12] 0x8000f4740 : 0xffff000000000006
2337 [13] 0x8000f4748 : 0x0000000000000000
2338 [14] 0x8000f4750 : 0x0000000000000000
2339 [15] 0x8000f4758 : 0x0000000000000000
2340 <--- unallocated capacity
2341 [16] 0x8000f4760 : 0x0000000000000000
2342 [17] 0x8000f4768 : 0x0000000000000000
2343 [18] 0x8000f4770 : 0x0000000000000000
2344 [19] 0x8000f4778 : 0x0000000000000000
2346 * runtime/JSObject.h:
2347 * tools/JSDollarVM.cpp:
2348 (JSC::functionDumpCell):
2349 (JSC::JSDollarVM::finishCreation):
2350 * tools/VMInspector.cpp:
2351 (JSC::VMInspector::dumpCellMemory):
2352 (JSC::IndentationScope::IndentationScope):
2353 (JSC::IndentationScope::~IndentationScope):
2354 (JSC::VMInspector::dumpCellMemoryToStream):
2355 * tools/VMInspector.h:
2357 2018-07-27 Mark Lam <mark.lam@apple.com>
2359 Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2360 https://bugs.webkit.org/show_bug.cgi?id=188123
2361 <rdar://problem/42672268>
2363 Reviewed by Keith Miller.
2365 1. Add VM::m_id and Heap::m_lastPhase fields. Both of these fit within existing
2366 padding space in VM and Heap, and should not cost any measurable perf to
2367 initialize and update.
2369 2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2371 worldState tells us the value we failed the assertion on.
2373 m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2376 VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.
2378 VM::isEntered() tells us if the current VM is currently executing JS code.
2380 Some of this data may be redundant, but the redundancy is intentional so that
2381 we can double check what is really happening at the time of crash.
2385 (JSC::Heap::checkConn):
2386 (JSC::Heap::changePhase):
2392 (JSC::VM::numberOfIDs):
2393 (JSC::VM::id const):
2394 (JSC::VM::isEntered const):
2396 2018-07-25 Yusuke Suzuki <utatane.tea@gmail.com>
2398 [JSC] Record CoW status in ArrayProfile correctly
2399 https://bugs.webkit.org/show_bug.cgi?id=187949
2401 Reviewed by Saam Barati.
2403 In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2404 This is important since our OSR exit compiler records m_observedArrayModes by calculating
2405 ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2406 our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2407 Array::Generic DFG nodes.
2409 * bytecode/ArrayProfile.h:
2410 (JSC::asArrayModes):
2411 (JSC::ArrayProfile::ArrayProfile):
2412 * dfg/DFGOSRExit.cpp:
2413 (JSC::DFG::OSRExit::compileExit):
2414 * ftl/FTLOSRExitCompiler.cpp:
2415 (JSC::FTL::compileStub):
2416 * runtime/IndexingType.h:
2418 2018-07-26 Andy VanWagoner <andy@vanwagoner.family>
2420 [INTL] Remove INTL sub-feature compile flags
2421 https://bugs.webkit.org/show_bug.cgi?id=188081
2423 Reviewed by Michael Catanzaro.
2425 Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2426 The runtime flags are still present, and should be relied on instead.
2427 The defines for ICU features have also been updated to match HAVE() style.
2429 * Configurations/FeatureDefines.xcconfig:
2430 * runtime/IntlPluralRules.cpp:
2431 (JSC::IntlPluralRules::resolvedOptions):
2432 (JSC::IntlPluralRules::select):
2433 * runtime/IntlPluralRules.h:
2434 * runtime/Options.h:
2436 2018-07-26 Yusuke Suzuki <utatane.tea@gmail.com>
2438 [JSC] Dump IndexingMode in Structure
2439 https://bugs.webkit.org/show_bug.cgi?id=188085
2441 Reviewed by Keith Miller.
2443 Dump IndexingMode instead of IndexingType.
2445 * runtime/Structure.cpp:
2446 (JSC::Structure::dump const):
2448 2018-07-26 Ross Kirsling <ross.kirsling@sony.com>
2450 String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2451 https://bugs.webkit.org/show_bug.cgi?id=187963
2453 Reviewed by Alex Christensen.
2455 * inspector/InspectorBackendDispatcher.cpp:
2456 (Inspector::BackendDispatcher::dispatch):
2458 (ModuleName::ModuleName):
2460 * runtime/IntlObject.cpp:
2461 (JSC::canonicalizeLanguageTag):
2462 (JSC::removeUnicodeLocaleExtension):
2463 Update split/splitAllowingEmptyEntries usage.
2465 2018-07-26 Commit Queue <commit-queue@webkit.org>
2467 Unreviewed, rolling out r234181 and r234189.
2468 https://bugs.webkit.org/show_bug.cgi?id=188075
2470 These are not needed right now (Requested by thorton on
2473 Reverted changesets:
2475 "Enable Web Content Filtering on watchOS"
2476 https://bugs.webkit.org/show_bug.cgi?id=187979
2477 https://trac.webkit.org/changeset/234181
2479 "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2480 https://bugs.webkit.org/show_bug.cgi?id=187985
2481 https://trac.webkit.org/changeset/234189
2483 2018-07-26 Mark Lam <mark.lam@apple.com>
2485 arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2486 https://bugs.webkit.org/show_bug.cgi?id=188065
2487 <rdar://problem/42515726>
2489 Reviewed by Saam Barati.
2491 * runtime/ArrayPrototype.cpp:
2492 (JSC::clearElement):
2493 (JSC::copyElements):
2494 (JSC::arrayProtoPrivateFuncConcatMemcpy):
2496 2018-07-26 Andy VanWagoner <andy@vanwagoner.family>
2498 JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2499 https://bugs.webkit.org/show_bug.cgi?id=167991
2501 Reviewed by Michael Catanzaro.
2503 Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2504 Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2505 no more cases where you might have an invalid locale come back from resolveLocale.
2507 * runtime/IntlObject.cpp:
2508 (JSC::convertICULocaleToBCP47LanguageTag):
2509 (JSC::defaultLocale):
2510 (JSC::lookupMatcher):
2511 * runtime/IntlObject.h:
2512 * runtime/JSGlobalObject.cpp:
2513 (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2514 (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2515 (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2516 (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2518 2018-07-26 Fujii Hironori <Hironori.Fujii@sony.com>
2520 REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2521 https://bugs.webkit.org/show_bug.cgi?id=188040
2523 Unreviewed build fix for AppleWin port.
2525 * API/tests/testapi.c: Disabled warning C4204.
2526 (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2528 2018-07-26 Fujii Hironori <Hironori.Fujii@sony.com>
2530 [JSC API] We should support the symbol type in our C/Obj-C API
2531 https://bugs.webkit.org/show_bug.cgi?id=175836
2533 Unreviewed build fix for Windows port.
2535 r234227 introduced a compilation error unresolved external symbol
2536 "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.
2538 Windows ports are compiling testapi.c as C++ by using the /TP switch.
2540 * API/tests/testapi.c:
2541 (main): Removed `::` prefix of ::SetErrorMode Windows API.
2542 (dllLauncherEntryPoint): Converted into C style.
2543 * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2545 2018-07-25 Keith Miller <keith_miller@apple.com>
2547 [JSC API] We should support the symbol type in our C/Obj-C API
2548 https://bugs.webkit.org/show_bug.cgi?id=175836
2550 Reviewed by Filip Pizlo.
2552 This patch makes the following API additions:
2553 1) Test if a JSValue/JSValueRef is a symbol via any of the methods the API uses to test for the types of other JSValues.
2554 2) Create a symbol on both APIs.
2555 3) Get/Set/Delete/Define property now take ids in the Obj-C API.
2556 4) Add Get/Set/Delete in the C API.
2558 We can do 3 because it is both binary and source compatible with
2559 the existing API. I added (4) because the current property access
2560 APIs only have the ability to get Strings. It was possible to
2561 merge symbols into JSStringRef but that felt confusing and exposes
2562 implementation details of our engine. The new functions match the
2563 same meaning that they have in JS, thus should be forward
2564 compatible with any future language extensions.
2566 Lastly, this patch adds the same availability preprocessing phase
2567 in WebCore to JavaScriptCore, which enables TBA features for
2568 testing on previous releases.
2571 * API/JSBasePrivate.h:
2573 * API/JSContextPrivate.h:
2574 * API/JSContextRef.h:
2575 * API/JSContextRefInternal.h:
2576 * API/JSContextRefPrivate.h:
2577 * API/JSManagedValue.h:
2578 * API/JSObjectRef.cpp:
2579 (JSObjectHasPropertyKey):
2580 (JSObjectGetPropertyKey):
2581 (JSObjectSetPropertyKey):
2582 (JSObjectDeletePropertyKey):
2583 * API/JSObjectRef.h:
2584 * API/JSRemoteInspector.h:
2585 * API/JSTypedArray.h:
2588 (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
2589 (performPropertyOperation):
2590 (-[JSValue valueForProperty:valueForProperty:]):
2591 (-[JSValue setValue:forProperty:setValue:forProperty:]):
2592 (-[JSValue deleteProperty:deleteProperty:]):
2593 (-[JSValue hasProperty:hasProperty:]):
2594 (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
2595 (-[JSValue isSymbol]):
2596 (-[JSValue objectForKeyedSubscript:]):
2597 (-[JSValue setObject:forKeyedSubscript:]):
2598 (-[JSValue valueForProperty:]): Deleted.
2599 (-[JSValue setValue:forProperty:]): Deleted.
2600 (-[JSValue deleteProperty:]): Deleted.
2601 (-[JSValue hasProperty:]): Deleted.
2602 (-[JSValue defineProperty:descriptor:]): Deleted.
2603 * API/JSValueRef.cpp:
2606 (JSValueMakeSymbol):
2608 * API/WebKitAvailability.h:
2609 * API/tests/CurrentThisInsideBlockGetterTest.mm:
2610 * API/tests/CustomGlobalObjectClassTest.c:
2611 * API/tests/DateTests.mm:
2612 * API/tests/JSExportTests.mm:
2613 * API/tests/JSNode.c:
2614 * API/tests/JSNodeList.c:
2616 * API/tests/NodeList.c:
2617 * API/tests/minidom.c:
2618 * API/tests/testapi.c:
2620 * API/tests/testapi.cpp: Added.
2621 (APIString::APIString):
2622 (APIString::~APIString):
2623 (APIString::operator JSStringRef):
2624 (APIContext::APIContext):
2625 (APIContext::~APIContext):
2626 (APIContext::operator JSGlobalContextRef):
2627 (APIVector::APIVector):
2628 (APIVector::~APIVector):
2629 (APIVector::append):
2631 (TestAPI::evaluateScript):
2632 (TestAPI::callFunction):
2633 (TestAPI::functionReturnsTrue):
2635 (TestAPI::checkJSAndAPIMatch):
2636 (TestAPI::interestingObjects):
2637 (TestAPI::interestingKeys):
2639 * API/tests/testapi.mm:
2640 (testObjectiveCAPIMain):
2641 * JavaScriptCore.xcodeproj/project.pbxproj:
2643 * postprocess-headers.sh:
2644 * shell/CMakeLists.txt:
2645 * testmem/testmem.mm:
2647 2018-07-25 Andy VanWagoner <andy@vanwagoner.family>
2649 [INTL] Call Typed Array elements toLocaleString with locale and options
2650 https://bugs.webkit.org/show_bug.cgi?id=185796
2652 Reviewed by Keith Miller.
2654 Improve ECMA 402 compliance of typed array toLocaleString, passing along
2655 the locale and options to element toLocaleString calls.
2657 * builtins/TypedArrayPrototype.js:
2660 2018-07-25 Andy VanWagoner <andy@vanwagoner.family>
2662 [INTL] Intl constructor lengths should be configurable
2663 https://bugs.webkit.org/show_bug.cgi?id=187960
2665 Reviewed by Saam Barati.
2667 Removed DontDelete from Intl constructor lengths.
2668 Fixed DateTimeFormat formatToParts length.
2670 * runtime/IntlCollatorConstructor.cpp:
2671 (JSC::IntlCollatorConstructor::finishCreation):
2672 * runtime/IntlDateTimeFormatConstructor.cpp:
2673 (JSC::IntlDateTimeFormatConstructor::finishCreation):
2674 * runtime/IntlDateTimeFormatPrototype.cpp:
2675 (JSC::IntlDateTimeFormatPrototype::finishCreation):
2676 * runtime/IntlNumberFormatConstructor.cpp:
2677 (JSC::IntlNumberFormatConstructor::finishCreation):
2678 * runtime/IntlPluralRulesConstructor.cpp:
2679 (JSC::IntlPluralRulesConstructor::finishCreation):
2681 2018-07-24 Fujii Hironori <Hironori.Fujii@sony.com>
2683 runJITThreadLimitTests is failing
2684 https://bugs.webkit.org/show_bug.cgi?id=187886
2685 <rdar://problem/42561966>
2687 Unreviewed build fix for MSVC.
2689 MSVC doesn't support the ternary operator without a second operand.
2691 * dfg/DFGWorklist.cpp:
2692 (JSC::DFG::getNumberOfDFGCompilerThreads):
2693 (JSC::DFG::getNumberOfFTLCompilerThreads):
2695 2018-07-24 Commit Queue <commit-queue@webkit.org>
2697 Unreviewed, rolling out r234183.
2698 https://bugs.webkit.org/show_bug.cgi?id=187983
2700 cause regression in Kraken gaussian blur and desaturate
2701 (Requested by yusukesuzuki on #webkit).
2705 "[JSC] Record CoW status in ArrayProfile"
2706 https://bugs.webkit.org/show_bug.cgi?id=187949
2707 https://trac.webkit.org/changeset/234183
2709 2018-07-24 Yusuke Suzuki <utatane.tea@gmail.com>
2711 [JSC] Record CoW status in ArrayProfile
2712 https://bugs.webkit.org/show_bug.cgi?id=187949
2714 Reviewed by Saam Barati.
2716 Once CoW array is converted to non-CoW array, subsequent operations are done for this non-CoW array.
2717 Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
2718 in this code typically record only non-CoW arrays since array profiles hold only one StructureID recently
2719 seen. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
2722 In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
2723 speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile.
2725 This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.
2729 stanford-crypto-aes 60.893+-1.346 ^ 57.412+-1.298 ^ definitely 1.0606x faster
2730 stanford-crypto-ccm 62.124+-1.992 58.921+-1.844 might be 1.0544x faster
2732 * bytecode/ArrayProfile.cpp:
2733 (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2734 * bytecode/ArrayProfile.h:
2735 (JSC::asArrayModes):
2736 We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.
2738 (JSC::ArrayProfile::ArrayProfile):
2739 (JSC::ArrayProfile::addressOfObservedIndexingModes):
2740 (JSC::ArrayProfile::observedIndexingModes const):
2741 Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
2742 So we store the union of seen IndexingModes in an `unsigned` instead.
2744 * dfg/DFGArrayMode.cpp:
2745 (JSC::DFG::ArrayMode::fromObserved):
2746 * dfg/DFGArrayMode.h:
2747 (JSC::DFG::ArrayMode::withProfile const):
2749 (JSC::JIT::compileOpCall):
2750 * jit/JITCall32_64.cpp:
2751 (JSC::JIT::compileOpCall):
2753 (JSC::JIT::emitArrayProfilingSiteWithCell):
2754 * llint/LowLevelInterpreter.asm:
2755 * llint/LowLevelInterpreter32_64.asm:
2756 * llint/LowLevelInterpreter64.asm:
2758 2018-07-24 Tim Horton <timothy_horton@apple.com>
2760 Enable Web Content Filtering on watchOS
2761 https://bugs.webkit.org/show_bug.cgi?id=187979
2762 <rdar://problem/42559346>
2764 Reviewed by Wenson Hsieh.
2766 * Configurations/FeatureDefines.xcconfig:
2768 2018-07-24 Tadeu Zagallo <tzagallo@apple.com>
2770 Don't modify Options when setting JIT thread limits
2771 https://bugs.webkit.org/show_bug.cgi?id=187886
2773 Reviewed by Filip Pizlo.
2775 Previously, when setting the JIT thread limit prior to the worklist
2776 initialization, it'd be set via Options, which didn't work if Options
2777 hadn't been initialized yet. Change it to use a static variable in the
2780 * API/JSVirtualMachine.mm:
2781 (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2782 (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2783 * API/tests/testapi.mm:
2784 (testObjectiveCAPIMain):
2785 * dfg/DFGWorklist.cpp:
2786 (JSC::DFG::getNumberOfDFGCompilerThreads):
2787 (JSC::DFG::getNumberOfFTLCompilerThreads):
2788 (JSC::DFG::setNumberOfDFGCompilerThreads):
2789 (JSC::DFG::setNumberOfFTLCompilerThreads):
2790 (JSC::DFG::ensureGlobalDFGWorklist):
2791 (JSC::DFG::ensureGlobalFTLWorklist):
2792 * dfg/DFGWorklist.h:
2794 2018-07-24 Mark Lam <mark.lam@apple.com>
2796 Refactoring: make DFG::Plan a class.
2797 https://bugs.webkit.org/show_bug.cgi?id=187968
2799 Reviewed by Saam Barati.
2801 This patch makes all the DFG::Plan fields private, and provide accessor methods
2802 for them. This makes it easier to reason about how these fields are used and
2805 * dfg/DFGAbstractInterpreterInlines.h:
2806 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2807 * dfg/DFGByteCodeParser.cpp:
2808 (JSC::DFG::ByteCodeParser::handleCall):
2809 (JSC::DFG::ByteCodeParser::handleVarargsCall):
2810 (JSC::DFG::ByteCodeParser::handleInlining):
2811 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2812 (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2813 (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2814 (JSC::DFG::ByteCodeParser::handleGetById):
2815 (JSC::DFG::ByteCodeParser::handlePutById):
2816 (JSC::DFG::ByteCodeParser::parseBlock):
2817 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2818 (JSC::DFG::ByteCodeParser::parseCodeBlock):
2819 (JSC::DFG::ByteCodeParser::parse):
2820 * dfg/DFGCFAPhase.cpp:
2821 (JSC::DFG::CFAPhase::run):
2822 (JSC::DFG::CFAPhase::injectOSR):
2823 * dfg/DFGClobberize.h:
2824 (JSC::DFG::clobberize):
2825 * dfg/DFGCommonData.cpp:
2826 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2827 * dfg/DFGCommonData.h:
2828 * dfg/DFGConstantFoldingPhase.cpp:
2829 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2830 * dfg/DFGDriver.cpp:
2831 (JSC::DFG::compileImpl):
2832 * dfg/DFGFinalizer.h:
2833 * dfg/DFGFixupPhase.cpp:
2834 (JSC::DFG::FixupPhase::fixupNode):
2835 (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2837 (JSC::DFG::Graph::Graph):
2838 (JSC::DFG::Graph::watchCondition):
2839 (JSC::DFG::Graph::inferredTypeFor):
2840 (JSC::DFG::Graph::requiredRegisterCountForExit):
2841 (JSC::DFG::Graph::registerFrozenValues):
2842 (JSC::DFG::Graph::registerStructure):
2843 (JSC::DFG::Graph::registerAndWatchStructureTransition):
2844 (JSC::DFG::Graph::assertIsRegistered):
2846 (JSC::DFG::Graph::compilation):
2847 (JSC::DFG::Graph::identifiers):
2848 (JSC::DFG::Graph::watchpoints):
2849 * dfg/DFGJITCompiler.cpp:
2850 (JSC::DFG::JITCompiler::JITCompiler):
2851 (JSC::DFG::JITCompiler::link):
2852 (JSC::DFG::JITCompiler::compile):
2853 (JSC::DFG::JITCompiler::compileFunction):
2854 (JSC::DFG::JITCompiler::disassemble):
2855 * dfg/DFGJITCompiler.h:
2856 (JSC::DFG::JITCompiler::addWeakReference):
2857 * dfg/DFGJITFinalizer.cpp:
2858 (JSC::DFG::JITFinalizer::finalize):
2859 (JSC::DFG::JITFinalizer::finalizeFunction):
2860 (JSC::DFG::JITFinalizer::finalizeCommon):
2861 * dfg/DFGOSREntrypointCreationPhase.cpp:
2862 (JSC::DFG::OSREntrypointCreationPhase::run):
2864 (JSC::DFG::Phase::beginPhase):
2866 (JSC::DFG::runAndLog):
2868 (JSC::DFG::Plan::Plan):
2869 (JSC::DFG::Plan::computeCompileTimes const):
2870 (JSC::DFG::Plan::reportCompileTimes const):
2871 (JSC::DFG::Plan::compileInThread):
2872 (JSC::DFG::Plan::compileInThreadImpl):
2873 (JSC::DFG::Plan::isStillValid):
2874 (JSC::DFG::Plan::reallyAdd):
2875 (JSC::DFG::Plan::notifyCompiling):
2876 (JSC::DFG::Plan::notifyReady):
2877 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2878 (JSC::DFG::Plan::finalizeAndNotifyCallback):
2879 (JSC::DFG::Plan::key):
2880 (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2881 (JSC::DFG::Plan::finalizeInGC):
2882 (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2883 (JSC::DFG::Plan::cancel):
2884 (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2886 (JSC::DFG::Plan::canTierUpAndOSREnter const):
2887 (JSC::DFG::Plan::vm const):
2888 (JSC::DFG::Plan::codeBlock):
2889 (JSC::DFG::Plan::mode const):
2890 (JSC::DFG::Plan::osrEntryBytecodeIndex const):
2891 (JSC::DFG::Plan::mustHandleValues const):
2892 (JSC::DFG::Plan::threadData const):
2893 (JSC::DFG::Plan::compilation const):
2894 (JSC::DFG::Plan::finalizer const):
2895 (JSC::DFG::Plan::setFinalizer):
2896 (JSC::DFG::Plan::inlineCallFrames const):
2897 (JSC::DFG::Plan::watchpoints):
2898 (JSC::DFG::Plan::identifiers):
2899 (JSC::DFG::Plan::weakReferences):
2900 (JSC::DFG::Plan::transitions):
2901 (JSC::DFG::Plan::recordedStatuses):
2902 (JSC::DFG::Plan::willTryToTierUp const):
2903 (JSC::DFG::Plan::setWillTryToTierUp):
2904 (JSC::DFG::Plan::tierUpInLoopHierarchy):
2905 (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
2906 (JSC::DFG::Plan::stage const):
2907 (JSC::DFG::Plan::callback const):
2908 (JSC::DFG::Plan::setCallback):
2909 * dfg/DFGPlanInlines.h:
2910 (JSC::DFG::Plan::iterateCodeBlocksForGC):
2911 * dfg/DFGPreciseLocalClobberize.h:
2912 (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2913 * dfg/DFGPredictionInjectionPhase.cpp:
2914 (JSC::DFG::PredictionInjectionPhase::run):
2915 * dfg/DFGSafepoint.cpp:
2916 (JSC::DFG::Safepoint::Safepoint):
2917 (JSC::DFG::Safepoint::~Safepoint):
2918 (JSC::DFG::Safepoint::begin):
2919 * dfg/DFGSafepoint.h:
2920 * dfg/DFGSpeculativeJIT.h:
2921 (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
2922 (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
2923 * dfg/DFGStackLayoutPhase.cpp:
2924 (JSC::DFG::StackLayoutPhase::run):
2925 * dfg/DFGStrengthReductionPhase.cpp:
2926 (JSC::DFG::StrengthReductionPhase::handleNode):
2927 * dfg/DFGTierUpCheckInjectionPhase.cpp:
2928 (JSC::DFG::TierUpCheckInjectionPhase::run):
2929 * dfg/DFGTypeCheckHoistingPhase.cpp:
2930 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
2931 * dfg/DFGWorklist.cpp:
2932 (JSC::DFG::Worklist::isActiveForVM const):
2933 (JSC::DFG::Worklist::compilationState):
2934 (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2935 (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2936 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2937 (JSC::DFG::Worklist::visitWeakReferences):
2938 (JSC::DFG::Worklist::removeDeadPlans):
2939 (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2940 * dfg/DFGWorklistInlines.h:
2941 (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2942 * ftl/FTLCompile.cpp:
2943 (JSC::FTL::compile):
2946 * ftl/FTLJITFinalizer.cpp:
2947 (JSC::FTL::JITFinalizer::finalizeCommon):
2950 * ftl/FTLLowerDFGToB3.cpp:
2951 (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2952 (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2953 (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
2955 (JSC::FTL::State::State):
2957 2018-07-24 Saam Barati <sbarati@apple.com>
2959 Make VM::canUseJIT an inlined function
2960 https://bugs.webkit.org/show_bug.cgi?id=187583
2962 Reviewed by Mark Lam.
2964 We know the answer to this query in initializeThreading after initializing
2965 the executable allocator. This patch makes it so that we just hold this value
2966 in a static variable and have an inlined function that just returns the value
2967 of that static variable.
2969 * runtime/InitializeThreading.cpp:
2970 (JSC::initializeThreading):
2972 (JSC::VM::computeCanUseJIT):
2973 (JSC::VM::canUseJIT): Deleted.
2975 (JSC::VM::canUseJIT):
2977 2018-07-24 Mark Lam <mark.lam@apple.com>
2979 Placate exception check verification after recent changes.
2980 https://bugs.webkit.org/show_bug.cgi?id=187961
2981 <rdar://problem/42545394>
2983 Reviewed by Saam Barati.
2985 * runtime/IntlObject.cpp:
2986 (JSC::intlNumberOption):
2988 2018-07-23 Saam Barati <sbarati@apple.com>
2990 need to didFoldClobberWorld when we constant fold GetByVal
2991 https://bugs.webkit.org/show_bug.cgi?id=187917
2992 <rdar://problem/42505095>
2994 Reviewed by Yusuke Suzuki.
2996 * dfg/DFGAbstractInterpreterInlines.h:
2997 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2999 2018-07-23 Andy VanWagoner <andy@vanwagoner.family>
3001 [INTL] Language tags are not canonicalized
3002 https://bugs.webkit.org/show_bug.cgi?id=185836
3004 Reviewed by Keith Miller.
3006 Canonicalize language tags, replacing deprecated tag parts with the
3007 preferred values. Remove broken support for algorithmic numbering systems,
3008 that can cause an error in ICU, and are not supported in other engines.
3010 Generate the lookup functions from the language-subtag-registry.
3012 Also initialize the UNumberFormat in initializeNumberFormat so any
3013 failures are thrown immediately instead of failing to format later.
3016 * DerivedSources.make:
3017 * JavaScriptCore.xcodeproj/project.pbxproj:
3018 * Scripts/generateIntlCanonicalizeLanguage.py: Added.
3019 * runtime/IntlDateTimeFormat.cpp:
3020 (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3021 * runtime/IntlNumberFormat.cpp:
3022 (JSC::IntlNumberFormat::initializeNumberFormat):
3023 (JSC::IntlNumberFormat::formatNumber):
3024 (JSC::IntlNumberFormat::formatToParts):
3025 (JSC::IntlNumberFormat::createNumberFormat): Deleted.
3026 * runtime/IntlNumberFormat.h:
3027 * runtime/IntlObject.cpp:
3028 (JSC::intlNumberOption):
3029 (JSC::intlDefaultNumberOption):
3030 (JSC::preferredLanguage):
3031 (JSC::preferredRegion):
3032 (JSC::canonicalLangTag):
3033 (JSC::canonicalizeLanguageTag):
3034 (JSC::defaultLocale):
3035 (JSC::removeUnicodeLocaleExtension):
3036 (JSC::numberingSystemsForLocale):
3037 (JSC::grandfatheredLangTag): Deleted.
3038 * runtime/IntlObject.h:
3039 * runtime/IntlPluralRules.cpp:
3040 (JSC::IntlPluralRules::initializePluralRules):
3041 * runtime/JSGlobalObject.cpp:
3042 (JSC::addMissingScriptLocales):
3043 (JSC::JSGlobalObject::intlCollatorAvailableLocales):
3044 (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
3045 (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
3046 (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3047 * ucd/language-subtag-registry.txt: Added.
3049 2018-07-23 Mark Lam <mark.lam@apple.com>
3051 Add some asserts to help diagnose a crash.
3052 https://bugs.webkit.org/show_bug.cgi?id=187915
3053 <rdar://problem/42508166>
3055 Reviewed by Michael Saboff.
3057 Add some asserts to verify that a CodeBlock alternative should always have a
3058 non-null jitCode. Also change a RELEASE_ASSERT_NOT_REACHED() in
3059 CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
3060 so that we'll retain the state of the variables that failed the assertion (again
3061 to help with diagnosis).
3063 * bytecode/CodeBlock.cpp:
3064 (JSC::CodeBlock::setAlternative):
3065 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
3067 (JSC::DFG::Plan::Plan):
3069 2018-07-23 Filip Pizlo <fpizlo@apple.com>
3071 Unreviewed, fix no-JIT build.
3073 * bytecode/CallLinkStatus.cpp:
3074 (JSC::CallLinkStatus::computeFor):
3075 * bytecode/CodeBlock.cpp:
3076 (JSC::CodeBlock::finalizeUnconditionally):
3077 * bytecode/GetByIdStatus.cpp:
3078 (JSC::GetByIdStatus::computeFor):
3079 (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3080 * bytecode/InByIdStatus.cpp:
3081 * bytecode/PutByIdStatus.cpp:
3082 (JSC::PutByIdStatus::computeForStubInfo):
3084 2018-07-22 Yusuke Suzuki <utatane.tea@gmail.com>
3086 [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
3087 https://bugs.webkit.org/show_bug.cgi?id=187891
3089 Reviewed by Saam Barati.
3091 When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
3092 two variants are mergeable but they have "Miss" status. We make merging fail if
3093 the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
3094 if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
3095 which patch has more chances to merge variants.
3097 This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
3098 is not related since it does not use this check in Transition case.
3100 * bytecode/GetByIdVariant.cpp:
3101 (JSC::GetByIdVariant::attemptToMerge):
3102 * bytecode/InByIdVariant.cpp:
3103 (JSC::InByIdVariant::attemptToMerge):
3105 2018-07-22 Yusuke Suzuki <utatane.tea@gmail.com>
3107 [DFG] Fold GetByVal if the indexed value is non configurable and non writable
3108 https://bugs.webkit.org/show_bug.cgi?id=186462
3110 Reviewed by Saam Barati.
3112 Non-special DontDelete | ReadOnly properties mean that they won't be changed. If DFG AI can retrieve this
3113 property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
3114 Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
3116 This patch attempts to fold such properties into constants in DFG AI. The challenge is that DFG AI runs
3117 concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
3118 and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
3119 attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
3120 changed and we can safely use it. We arrange our existing code to use this protocol.
3122 Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
3123 since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.
3125 This patch improves SixSpeed/template_string_tag.es6.
3129 template_string_tag.es6 237.0301+-4.8374 ^ 9.8779+-0.3628 ^ definitely 23.9960x faster
3131 * dfg/DFGAbstractInterpreterInlines.h:
3132 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3133 * runtime/JSArray.cpp:
3134 (JSC::JSArray::setLengthWithArrayStorage):
3135 * runtime/JSObject.cpp:
3136 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3137 (JSC::JSObject::deletePropertyByIndex):
3138 (JSC::JSObject::getOwnPropertyNames):
3139 (JSC::putIndexedDescriptor):
3140 (JSC::JSObject::defineOwnIndexedProperty):
3141 (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3142 (JSC::JSObject::putIndexedDescriptor): Deleted.
3143 * runtime/JSObject.h:
3144 * runtime/SparseArrayValueMap.cpp:
3145 (JSC::SparseArrayValueMap::SparseArrayValueMap):
3146 (JSC::SparseArrayValueMap::add):
3147 (JSC::SparseArrayValueMap::putDirect):
3148 (JSC::SparseArrayValueMap::getConcurrently):
3149 (JSC::SparseArrayEntry::get const):
3150 (JSC::SparseArrayEntry::getConcurrently const):
3151 (JSC::SparseArrayEntry::put):
3152 (JSC::SparseArrayEntry::getNonSparseMode const):
3153 (JSC::SparseArrayValueMap::visitChildren):
3154 (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
3155 * runtime/SparseArrayValueMap.h:
3156 (JSC::SparseArrayEntry::SparseArrayEntry):
3157 (JSC::SparseArrayEntry::attributes const):
3158 (JSC::SparseArrayEntry::forceSet):
3159 (JSC::SparseArrayEntry::asValue):
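Added example (not WebKit code, and not the SparseArrayValueMap implementation itself): the publish-then-read protocol the entry above describes, written in portable C11. A release fence stands in for WTF::storeStoreFence on the mutator side and an acquire fence for WTF::loadLoadFence on the concurrent reader side; the reader only trusts a value whose attribute word already carries DontDelete | ReadOnly. The attribute bit values, the SparseEntry type and every function name here are assumptions of this example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* Attribute bits named after the JSC attributes the entry mentions.
 * The numeric values are assumptions for this example, not JSC's. */
enum { ATTR_DONT_DELETE = 1u << 0, ATTR_READ_ONLY = 1u << 1 };

/* One sparse-array entry: a value plus its attribute word. The reader runs
 * concurrently with the writer, so both fields are accessed with atomics. */
typedef struct {
    _Atomic int64_t value;
    _Atomic uint32_t attributes;
} SparseEntry;

void sparse_entry_init(SparseEntry *e)
{
    atomic_init(&e->value, 0);
    atomic_init(&e->attributes, 0);
}

/* Writer (mutator thread): store the value first, then the attributes.
 * The release fence is the storeStoreFence: the attribute store cannot
 * become visible before the value store it follows. */
void sparse_entry_put(SparseEntry *e, int64_t value, uint32_t attributes)
{
    atomic_store_explicit(&e->value, value, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);
    atomic_store_explicit(&e->attributes, attributes, memory_order_relaxed);
}

/* Reader (compiler thread): load attributes, fence (loadLoadFence), then
 * the value. Only an entry whose attributes already say DontDelete|ReadOnly
 * may be folded, because nothing can change that value any more.
 * Returns true and sets *out when folding is safe. */
bool sparse_entry_get_concurrently(const SparseEntry *e, int64_t *out)
{
    const uint32_t frozen = ATTR_DONT_DELETE | ATTR_READ_ONLY;
    uint32_t attrs = atomic_load_explicit(&e->attributes, memory_order_relaxed);
    atomic_thread_fence(memory_order_acquire);
    if ((attrs & frozen) != frozen)
        return false; /* still writable or deletable: do not fold */
    *out = atomic_load_explicit(&e->value, memory_order_relaxed);
    return true;
}

/* Scenario 1: a DontDelete-only entry must not be folded (returns false). */
bool demo_no_fold_when_writable(void)
{
    SparseEntry e;
    int64_t v = 0;
    sparse_entry_init(&e);
    sparse_entry_put(&e, 42, ATTR_DONT_DELETE);
    return sparse_entry_get_concurrently(&e, &v);
}

/* Scenario 2: once the entry is DontDelete|ReadOnly, the reader sees the
 * value that was published before the attributes. Returns that value,
 * or -1 if the reader refused to fold. */
int64_t demo_fold_after_freeze(void)
{
    SparseEntry e;
    int64_t v = 0;
    sparse_entry_init(&e);
    sparse_entry_put(&e, 42, ATTR_DONT_DELETE | ATTR_READ_ONLY);
    return sparse_entry_get_concurrently(&e, &v) ? v : -1;
}
```

The example uses C11 fences on every platform; the WebKit entry gates both the folding and the storeStoreFence to x86, where TSO makes the store ordering free, so this code is deliberately more conservative than what the entry describes.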
3161 2018-06-02 Filip Pizlo <fpizlo@apple.com>
3163 We should support CreateThis in the FTL
3164 https://bugs.webkit.org/show_bug.cgi?id=164904
3166 Reviewed by Yusuke Suzuki.
3168 This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
3169 inference adventure.
3171 CreateThis in the FTL was a massive regression in raytrace because it disturbed that
3172 benchmark's extremely perverse way of winning at type inference:
3174 - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
3175 the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
3176 benchmark was falling back to other mechanisms...
3178 - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
3179 see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
3180 GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
3181 that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
3182 The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
3183 is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
3185 Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
3186 into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
3187 baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
3188 helper because it had a CreateThis.
3190 - Compilations that inlined the construction helper would have gotten super lucky with
3191 parse-time constant folding, so they knew what structure the input to the get_by_id would
3192 have at parse time. This is only profitable if the get_by_id parsing computed a
3193 GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
3194 the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
3195 cases, we would indeed get a finite number of cases. The parser would then prune those
3196 cases to just one - based on its knowledge of the structure - and that would result in that
3197 get_by_id being folded at parse time to a constant.
3199 - The subsequent op_call would inline based on parse-time knowledge of that constant.
3201 This patch comprehensively fixes these issues, as well as other issues that come up along the
3202 way. The short version is that raytrace was revealing sloppiness in our use of profiling for
3203 type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
3204 i.e. the profiling that considers call context. I was encouraged to do this by the fact that
3205 even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
3206 Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
3207 attack raytrace's problem as a shortcoming of polyvariant profiling.
3209 - Polyvariant profiling now consults every DFG or FTL code block that participated in any
3210 subset of the inline stack that includes the IC we're profiling. For example, if we have
3211 an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
3212 compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
3213 up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
3214 a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
3215 polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
3216 from polyvariant profiling. Previously, the polyvariant profiler would only look at the
3217 previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
3218 had inlined bar and then baz. It may not have done that, because those calls could have
3219 required polyvariant profiling that was only available in the FTL.
3221 - A particularly interesting case is when some IC in foo-baseline is also available in
3222 foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
3223 In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
3224 the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
3225 find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
3226 merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
3227 because it warns us of historical polymorphism. Historical polymorphism usually means
3228 future polymorphism. IC status code already had some merging functionality, but I needed to
3229 beef it up a lot to make this work right.
3231 - Inlining an inline cache now preserves as much information as profiling. One challenge of
3232 polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
3233 inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
3234 (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
3235 say "I don't have such an IC". At this point the DFG compilation that included that IC that
3236 gave us the information that we used to inline the IC is no longer alive. To keep us from
3237 losing the information we learned about the IC, there is now a RecordedStatuses data
3238 structure that preserves the statuses we use for inlining ICs. We also filter those
3239 statuses according to things we learn from AI. This further reduces the risk of information
3240 about an IC being forgotten.
3242 - Exit profiling now considers whether or not an exit happened from inline code. This
3243 protects us in the case where the not-inlined version of an IC exited a lot because of
3244 polymorphism that doesn't exist in the inlined version. So, when using polyvariant
3245 profiling data, we consider only inlined exits.
3247 - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
3248 would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
3249 surprising that we've had this bug.
3251 Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
3252 microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
3253 Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
3254 prototype access folding in the bytecode parser and constant folder. That would require some
3255 significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
3256 have a test that captures raytrace's behavior in the case that the parser cannot fold the
3259 This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
3260 recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
3261 compile time regression anytime we fill in FTL coverage.
3263 This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
3264 speeds up and that raytrace slows down, but these changes balance out and don't affect the
3265 overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
3266 or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
3267 0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
3268 see a significant difference. In all three cases the difference is <0.5% with a high p value,
3269 with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
3270 an insignificant infinitesimal slow-down.
3272 Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
3273 eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
3274 flow in a polymorphic constructor while having a bad time, and we'll still compile it.
3277 * JavaScriptCore.xcodeproj/project.pbxproj:
3279 * bytecode/ByValInfo.h:
3280 * bytecode/BytecodeDumper.cpp:
3281 (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
3282 (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
3283 (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
3284 (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
3285 (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
3286 (JSC::BytecodeDumper<Block>::printCallOp):
3287 (JSC::BytecodeDumper<Block>::dumpBytecode):
3288 (JSC::BytecodeDumper<Block>::dumpBlock):
3289 * bytecode/BytecodeDumper.h:
3290 * bytecode/CallLinkInfo.h:
3291 * bytecode/CallLinkStatus.cpp:
3292 (JSC::CallLinkStatus::computeFor):
3293 (JSC::CallLinkStatus::computeExitSiteData):
3294 (JSC::CallLinkStatus::computeFromCallLinkInfo):
3295 (JSC::CallLinkStatus::accountForExits):
3296 (JSC::CallLinkStatus::finalize):
3297 (JSC::CallLinkStatus::filter):
3298 (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
3299 * bytecode/CallLinkStatus.h:
3300 (JSC::CallLinkStatus::operator bool const):
3301 (JSC::CallLinkStatus::operator! const): Deleted.
3302 * bytecode/CallVariant.cpp:
3303 (JSC::CallVariant::finalize):
3304 (JSC::CallVariant::filter):
3305 * bytecode/CallVariant.h:
3306 (JSC::CallVariant::operator bool const):
3307 (JSC::CallVariant::operator! const): Deleted.
3308 * bytecode/CodeBlock.cpp:
3309 (JSC::CodeBlock::dumpBytecode):
3310 (JSC::CodeBlock::propagateTransitions):
3311 (JSC::CodeBlock::finalizeUnconditionally):
3312 (JSC::CodeBlock::getICStatusMap):
3313 (JSC::CodeBlock::resetJITData):
3314 (JSC::CodeBlock::getStubInfoMap): Deleted.
3315 (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
3316 (JSC::CodeBlock::getByValInfoMap): Deleted.
3317 * bytecode/CodeBlock.h:
3318 * bytecode/CodeOrigin.cpp:
3319 (JSC::CodeOrigin::isApproximatelyEqualTo const):
3320 (JSC::CodeOrigin::approximateHash const):
3321 * bytecode/CodeOrigin.h:
3322 (JSC::CodeOrigin::exitingInlineKind const):
3323 * bytecode/DFGExitProfile.cpp:
3324 (JSC::DFG::FrequentExitSite::dump const):
3325 (JSC::DFG::ExitProfile::add):
3326 * bytecode/DFGExitProfile.h:
3327 (JSC::DFG::FrequentExitSite::FrequentExitSite):
3328 (JSC::DFG::FrequentExitSite::operator== const):
3329 (JSC::DFG::FrequentExitSite::subsumes const):
3330 (JSC::DFG::FrequentExitSite::hash const):
3331 (JSC::DFG::FrequentExitSite::inlineKind const):
3332 (JSC::DFG::FrequentExitSite::withInlineKind const):
3333 (JSC::DFG::QueryableExitProfile::hasExitSite const):
3334 (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
3335 (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
3336 * bytecode/ExitFlag.cpp: Added.
3337 (JSC::ExitFlag::dump const):
3338 * bytecode/ExitFlag.h: Added.
3339 (JSC::ExitFlag::ExitFlag):
3340 (JSC::ExitFlag::operator| const):
3341 (JSC::ExitFlag::operator|=):
3342 (JSC::ExitFlag::operator& const):
3343 (JSC::ExitFlag::operator&=):
3344 (JSC::ExitFlag::operator bool const):
3345 (JSC::ExitFlag::isSet const):
3346 * bytecode/ExitingInlineKind.cpp: Added.
3347 (WTF::printInternal):
3348 * bytecode/ExitingInlineKind.h: Added.
3349 * bytecode/GetByIdStatus.cpp:
3350 (JSC::GetByIdStatus::computeFor):
3351 (JSC::GetByIdStatus::computeForStubInfo):
3352 (JSC::GetByIdStatus::slowVersion const):
3353 (JSC::GetByIdStatus::markIfCheap):
3354 (JSC::GetByIdStatus::finalize):
3355 (JSC::GetByIdStatus::hasExitSite): Deleted.
3356 * bytecode/GetByIdStatus.h:
3357 * bytecode/GetByIdVariant.cpp:
3358 (JSC::GetByIdVariant::markIfCheap):
3359 (JSC::GetByIdVariant::finalize):
3360 * bytecode/GetByIdVariant.h:
3361 * bytecode/ICStatusMap.cpp: Added.
3362 (JSC::ICStatusContext::get const):
3363 (JSC::ICStatusContext::isInlined const):
3364 (JSC::ICStatusContext::inlineKind const):
3365 * bytecode/ICStatusMap.h: Added.
3366 * bytecode/ICStatusUtils.cpp: Added.
3367 (JSC::hasBadCacheExitSite):
3368 * bytecode/ICStatusUtils.h:
3369 * bytecode/InstanceOfStatus.cpp:
3370 (JSC::InstanceOfStatus::computeFor):
3371 * bytecode/InstanceOfStatus.h:
3372 * bytecode/PolyProtoAccessChain.h:
3373 * bytecode/PutByIdStatus.cpp:
3374 (JSC::PutByIdStatus::hasExitSite):
3375 (JSC::PutByIdStatus::computeFor):
3376 (JSC::PutByIdStatus::slowVersion const):
3377 (JSC::PutByIdStatus::markIfCheap):
3378 (JSC::PutByIdStatus::finalize):
3379 (JSC::PutByIdStatus::filter):
3380 * bytecode/PutByIdStatus.h:
3381 * bytecode/PutByIdVariant.cpp:
3382 (JSC::PutByIdVariant::markIfCheap):
3383 (JSC::PutByIdVariant::finalize):
3384 * bytecode/PutByIdVariant.h:
3385 (JSC::PutByIdVariant::structureSet const):
3386 * bytecode/RecordedStatuses.cpp: Added.
3387 (JSC::RecordedStatuses::operator=):
3388 (JSC::RecordedStatuses::RecordedStatuses):
3389 (JSC::RecordedStatuses::addCallLinkStatus):
3390 (JSC::RecordedStatuses::addGetByIdStatus):
3391 (JSC::RecordedStatuses::addPutByIdStatus):
3392 (JSC::RecordedStatuses::markIfCheap):
3393 (JSC::RecordedStatuses::finalizeWithoutDeleting):
3394 (JSC::RecordedStatuses::finalize):
3395 (JSC::RecordedStatuses::shrinkToFit):
3396 * bytecode/RecordedStatuses.h: Added.
3397 (JSC::RecordedStatuses::RecordedStatuses):
3398 (JSC::RecordedStatuses::forEachVector):
3399 * bytecode/StructureSet.cpp:
3400 (JSC::StructureSet::markIfCheap const):
3401 (JSC::StructureSet::isStillAlive const):
3402 * bytecode/StructureSet.h:
3403 * bytecode/TerminatedCodeOrigin.h: Added.
3404 (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
3405 (JSC::TerminatedCodeOriginHashTranslator::hash):
3406 (JSC::TerminatedCodeOriginHashTranslator::equal):
3407 * bytecode/Watchpoint.cpp:
3408 (WTF::printInternal):
3409 * bytecode/Watchpoint.h:
3410 * dfg/DFGAbstractInterpreter.h:
3411 * dfg/DFGAbstractInterpreterInlines.h:
3412 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3413 (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
3414 * dfg/DFGByteCodeParser.cpp:
3415 (JSC::DFG::ByteCodeParser::handleCall):
3416 (JSC::DFG::ByteCodeParser::handleVarargsCall):
3417 (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3418 (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
3419 (JSC::DFG::ByteCodeParser::handleGetById):
3420 (JSC::DFG::ByteCodeParser::handlePutById):
3421 (JSC::DFG::ByteCodeParser::parseBlock):
3422 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3423 (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
3424 (JSC::DFG::ByteCodeParser::parse):
3425 * dfg/DFGClobberize.h:
3426 (JSC::DFG::clobberize):
3427 * dfg/DFGClobbersExitState.cpp:
3428 (JSC::DFG::clobbersExitState):
3429 * dfg/DFGCommonData.h:
3430 * dfg/DFGConstantFoldingPhase.cpp:
3431 (JSC::DFG::ConstantFoldingPhase::foldConstants):
3432 * dfg/DFGDesiredWatchpoints.h:
3433 (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
3434 * dfg/DFGDoesGC.cpp:
3436 * dfg/DFGFixupPhase.cpp:
3437 (JSC::DFG::FixupPhase::fixupNode):
3439 (JSC::DFG::Graph::dump):
3440 * dfg/DFGMayExit.cpp:
3442 (JSC::DFG::Node::hasCallLinkStatus):
3443 (JSC::DFG::Node::callLinkStatus):
3444 (JSC::DFG::Node::hasGetByIdStatus):
3445 (JSC::DFG::Node::getByIdStatus):
3446 (JSC::DFG::Node::hasPutByIdStatus):
3447 (JSC::DFG::Node::putByIdStatus):
3448 * dfg/DFGNodeType.h:
3449 * dfg/DFGOSRExitBase.cpp:
3450 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
3451 * dfg/DFGObjectAllocationSinkingPhase.cpp:
3453 (JSC::DFG::Plan::reallyAdd):
3454 (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3455 (JSC::DFG::Plan::finalizeInGC):
3457 * dfg/DFGPredictionPropagationPhase.cpp:
3458 * dfg/DFGSafeToExecute.h:
3459 (JSC::DFG::safeToExecute):
3460 * dfg/DFGSpeculativeJIT32_64.cpp:
3461 (JSC::DFG::SpeculativeJIT::compile):
3462 * dfg/DFGSpeculativeJIT64.cpp:
3463 (JSC::DFG::SpeculativeJIT::compile):
3464 * dfg/DFGStrengthReductionPhase.cpp:
3465 (JSC::DFG::StrengthReductionPhase::handleNode):
3466 * dfg/DFGWorklist.cpp:
3467 (JSC::DFG::Worklist::removeDeadPlans):
3468 * ftl/FTLAbstractHeapRepository.h:
3469 * ftl/FTLCapabilities.cpp:
3470 (JSC::FTL::canCompile):
3471 * ftl/FTLLowerDFGToB3.cpp:
3472 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3473 (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
3474 (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
3475 * jit/PolymorphicCallStubRoutine.cpp:
3476 (JSC::PolymorphicCallStubRoutine::hasEdges const):
3477 (JSC::PolymorphicCallStubRoutine::edges const):
3478 * jit/PolymorphicCallStubRoutine.h:
3479 * profiler/ProfilerBytecodeSequence.cpp:
3480 (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3481 * runtime/FunctionRareData.cpp:
3482 (JSC::FunctionRareData::initializeObjectAllocationProfile):
3483 * runtime/Options.h:
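As an added illustration of the lookup this entry describes (this is a model, not JavaScriptCore's implementation; CodeBlock, ICStatus, computePolyvariantStatus and the structure ids are constructed for the example), a small C++ program that consults every compiled block for each suffix of the inline stack foo->bar->baz, merges what each one observed, and carries only inlined exits, including the baseline/DFG pair for the same function that the second bullet talks about:

```cpp
// Added model of polyvariant IC profiling; not JavaScriptCore's implementation.
// CodeBlock, ICStatus and computePolyvariantStatus are hypothetical names here.
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

using StructureId = int;                       // stand-in for a JSC Structure
using InlineStack = std::vector<std::string>;  // {"foo","bar","baz"}: baz on top

// What one inline cache has observed at one bytecode site.
struct ICStatus {
    std::set<StructureId> structures;  // structures the IC has handled
    bool exitedInline = false;         // an OSR exit happened in inlined code
    bool exitedOutOfLine = false;      // an exit happened in the non-inlined IC

    // Merging keeps historical polymorphism: once two structures were seen
    // anywhere, a later compile sees both instead of speculating monomorphic
    // and recompiling. Only inlined exits are carried over; the out-of-line
    // site may have exited for polymorphism the inlined one never sees.
    void merge(const ICStatus& other) {
        structures.insert(other.structures.begin(), other.structures.end());
        exitedInline = exitedInline || other.exitedInline;
    }
    bool isPolymorphic() const { return structures.size() > 1; }
};

// One compiled block (baseline, DFG or FTL) of one function. Its ICs are keyed
// by the inline stack as seen from that block: bar-DFG keys the IC it inlined
// from baz as {"bar","baz"}, while baz-baseline keys the same site as {"baz"}.
struct CodeBlock {
    std::string function;
    std::string tier;
    std::map<InlineStack, ICStatus> ics;
};

// Suffixes of foo->bar->baz: foo->bar->baz, bar->baz, baz.
static std::vector<InlineStack> suffixes(const InlineStack& stack) {
    std::vector<InlineStack> out;
    for (size_t i = 0; i < stack.size(); ++i)
        out.emplace_back(stack.begin() + i, stack.end());
    return out;
}

// For each suffix, consult every block of the function at its bottom and merge
// the status that block holds for the suffix. The bare {"baz"} suffix matches
// both baz-baseline and baz-DFG, so their ICs are merged as well.
ICStatus computePolyvariantStatus(const std::vector<CodeBlock>& blocks,
                                  const InlineStack& stack) {
    ICStatus merged;
    for (const InlineStack& suffix : suffixes(stack)) {
        for (const CodeBlock& block : blocks) {
            if (block.function != suffix.front())
                continue;
            auto it = block.ics.find(suffix);
            if (it != block.ics.end())
                merged.merge(it->second);
        }
    }
    return merged;
}

// Constructed scenario: baz-baseline saw structure 1 and exited out of line,
// baz-DFG saw 3, bar-DFG inlined baz and saw 1 and 2 with an inlined exit,
// foo-FTL never inlined bar (so on its own it knows nothing about the site).
std::vector<CodeBlock> constructedBlocks() {
    std::vector<CodeBlock> blocks;
    blocks.push_back({"baz", "baseline", {{{"baz"}, {{1}, false, true}}}});
    blocks.push_back({"baz", "dfg", {{{"baz"}, {{3}, false, false}}}});
    blocks.push_back({"bar", "dfg", {{{"bar", "baz"}, {{1, 2}, true, false}}}});
    blocks.push_back({"foo", "ftl", {}});
    return blocks;
}

// Status for the site at the bottom of foo->bar->baz: structures {1,2,3}.
ICStatus demoFullStackStatus() {
    return computePolyvariantStatus(constructedBlocks(), {"foo", "bar", "baz"});
}

// Status for the same site when baz is not inlined anywhere: structures {1,3}.
ICStatus demoBareBazStatus() {
    return computePolyvariantStatus(constructedBlocks(), {"baz"});
}

int main() {
    ICStatus s = demoFullStackStatus();
    std::printf("foo->bar->baz: %zu structures, polymorphic=%d, inlinedExit=%d\n",
                s.structures.size(), s.isPolymorphic(), s.exitedInline);
    return 0;
}
```

The point of the model is the shape of the query: a compile of foo that wants to inline bar->baz cannot rely on a previous foo compile having inlined the same chain, so it asks bar's and baz's own compiles as well, and merging rather than replacing is what keeps historical polymorphism visible.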
3485 2018-07-21 Yusuke Suzuki <utatane.tea@gmail.com>
3487 [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
3488 https://bugs.webkit.org/show_bug.cgi?id=187472
3490 Reviewed by Mark Lam.
3492 std::function allocates memory from standard malloc instead of bmalloc. Instead of
3493 using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
3495 This patch attempts to replace std::function with the above WTF function types.
3496 If the function's lifetime can be the same to the stack, we can use ScopedLambda, which
3497 is really efficient. Otherwise, we should use WTF::Function.
3498 For recurring use cases, we can use RecursableLambda.
3500 * assembler/MacroAssembler.cpp:
3501 (JSC::stdFunctionCallback):
3502 (JSC::MacroAssembler::probe):
3503 * assembler/MacroAssembler.h:
3504 * b3/air/AirDisassembler.cpp:
3505 (JSC::B3::Air::Disassembler::dump):
3506 * b3/air/AirDisassembler.h:
3507 * bytecompiler/BytecodeGenerator.cpp:
3508 (JSC::BytecodeGenerator::BytecodeGenerator):
3509 (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
3510 (JSC::BytecodeGenerator::emitEnumeration):
3511 * bytecompiler/BytecodeGenerator.h:
3512 * bytecompiler/NodesCodegen.cpp:
3513 (JSC::ArrayNode::emitBytecode):
3514 (JSC::ApplyFunctionCallDotNode::emitBytecode):
3515 (JSC::ForOfNode::emitBytecode):
3516 * dfg/DFGSpeculativeJIT.cpp:
3517 (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
3518 (JSC::DFG::SpeculativeJIT::compileMathIC):
3519 * dfg/DFGSpeculativeJIT.h:
3520 * dfg/DFGSpeculativeJIT64.cpp:
3521 (JSC::DFG::SpeculativeJIT::compile):
3522 * dfg/DFGValidate.cpp:
3523 * ftl/FTLCompile.cpp:
3524 (JSC::FTL::compile):
3525 * heap/HeapSnapshotBuilder.cpp:
3526 (JSC::HeapSnapshotBuilder::json):
3527 * heap/HeapSnapshotBuilder.h:
3528 * interpreter/StackVisitor.cpp:
3529 (JSC::StackVisitor::Frame::dump const):
3530 * interpreter/StackVisitor.h:
3531 * runtime/PromiseDeferredTimer.h:
3533 (JSC::VM::whenIdle):
3534 (JSC::enableProfilerWithRespectToCount):
3535 (JSC::disableProfilerWithRespectToCount):
3537 * runtime/VMEntryScope.cpp:
3538 (JSC::VMEntryScope::addDidPopListener):
3539 * runtime/VMEntryScope.h:
3540 * tools/HeapVerifier.cpp:
3541 (JSC::HeapVerifier::verifyCellList):
3542 (JSC::HeapVerifier::validateCell):
3543 (JSC::HeapVerifier::validateJSCell):
3544 * tools/HeapVerifier.h:
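To show the distinction this entry draws, here is an added illustration of a non-owning, allocation-free callable reference in the spirit of WTF::ScopedLambda. It is not WTF's code; FunctionRef, sumTransformed and the sample weights are constructed for the example.

```cpp
// Added illustration of a non-owning, allocation-free callable reference in the
// spirit of WTF::ScopedLambda; this is not WTF's code and FunctionRef is a
// hypothetical name.
#include <cstdio>
#include <utility>

template<typename Signature> class FunctionRef;

// FunctionRef<R(Args...)> holds a pointer to the caller's callable plus a
// trampoline that knows the callable's real type. It owns nothing, so it never
// touches the heap, and it is valid only while the referenced callable lives,
// which is exactly the "lifetime is the same as the stack" case.
template<typename R, typename... Args>
class FunctionRef<R(Args...)> {
public:
    template<typename Callable>
    FunctionRef(Callable& callable)  // by reference: temporaries are rejected
        : m_callable(static_cast<void*>(&callable))
        , m_invoke([](void* c, Args... args) -> R {
            return (*static_cast<Callable*>(c))(std::forward<Args>(args)...);
        })
    { }

    R operator()(Args... args) const {
        return m_invoke(m_callable, std::forward<Args>(args)...);
    }

private:
    void* m_callable;
    R (*m_invoke)(void*, Args...);
};

// A consumer that only needs the callback for the duration of the call, so a
// reference is enough; an owning std::function/WTF::Function would be overkill.
int sumTransformed(FunctionRef<int(int)> transform, const int* values, int count) {
    int total = 0;
    for (int i = 0; i < count; ++i)
        total += transform(values[i]);
    return total;
}

// The lambda captures a large table by reference; the capture stays in this
// frame and only two pointers are passed along. Result: 5 + 9 + 13 = 27.
int demoScaledSum() {
    int weights[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
    int scale = 3;
    auto scaler = [&](int v) { return v * scale + weights[v % 16]; };
    const int input[3] = {1, 2, 3};
    return sumTransformed(scaler, input, 3);
}

// Size of the reference itself: one data pointer plus one function pointer.
constexpr size_t functionRefSize() {
    return sizeof(FunctionRef<int(int)>);
}

int main() {
    std::printf("sum=%d, sizeof(FunctionRef)=%zu\n", demoScaledSum(), functionRefSize());
    return 0;
}
```

Because the constructor takes the callable by non-const reference, a temporary lambda will not compile, which is the compile-time reminder that this type must not outlive its stack frame; anything that escapes (stored in a member, handed to another thread) needs an owning type such as WTF::Function instead.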
3546 2018-07-20 Michael Saboff <msaboff@apple.com>
3548 DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
3549 https://bugs.webkit.org/show_bug.cgi?id=187827
3550 rdar://problem/42146858
3552 Reviewed by Saam Barati.
3554 When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
3555 that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
3556 We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
3557 InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
3558 putByIndex() path that doesn't change the shape.
3560 * dfg/DFGArrayMode.h:
3561 (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
3563 2018-07-20 Yusuke Suzuki <utatane.tea@gmail.com>
3565 [DFG] Fold GetByVal if Array is CoW
3566 https://bugs.webkit.org/show_bug.cgi?id=186459
3568 Reviewed by Saam Barati.
3570 CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
3571 fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
3572 is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
3574 This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
3575 to these constant arrays can be folded into an actual constant by this patch.
3579 template_string.es6 4993.9853+-147.5308 ^ 824.1685+-44.1839 ^ definitely 6.0594x faster
3580 template_string_tag.es5 67.0822+-2.0100 ^ 9.3540+-0.5376 ^ definitely 7.1715x faster
3582 * dfg/DFGAbstractInterpreterInlines.h:
3583 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3585 2018-07-20 Yusuke Suzuki <utatane.tea@gmail.com>
3587 [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
3588 https://bugs.webkit.org/show_bug.cgi?id=186602
3590 Reviewed by Saam Barati.
3592 JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
3593 change the part of the butterfly, length etc. We prove that our procedure is safe, and
3594 drop the cellLock() here.
3596 * runtime/JSObject.cpp:
3597 (JSC::JSObject::convertContiguousToArrayStorage):
3599 2018-07-20 Saam Barati <sbarati@apple.com>
3601 CompareEq should be using KnownOtherUse instead of OtherUse
3602 https://bugs.webkit.org/show_bug.cgi?id=186814
3603 <rdar://problem/39720030>
3605 Reviewed by Filip Pizlo.
3607 CompareEq in fixup phase was doing this:
3608 insertCheck(child, OtherUse)
3609 setUseKind(child, OtherUse)
3610 And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
3611 lead to edge verification crashing because a phase may optimize the check out
3612 by removing the node. However, AI may not be privy to that optimization, and
3613 AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
3614 backend to actually emit a check here, but it does not.
3616 This exact pattern is why we have KnownXYZ use kinds. This patch introduces
3617 KnownOtherUse and changes the above pattern to be:
3618 insertCheck(child, OtherUse)
3619 setUseKind(child, KnownOtherUse)
3621 * dfg/DFGFixupPhase.cpp:
3622 (JSC::DFG::FixupPhase::fixupNode):
3623 * dfg/DFGSafeToExecute.h:
3624 (JSC::DFG::SafeToExecuteEdge::operator()):
3625 * dfg/DFGSpeculativeJIT.cpp:
3626 (JSC::DFG::SpeculativeJIT::speculate):
3627 * dfg/DFGUseKind.cpp:
3628 (WTF::printInternal):
3630 (JSC::DFG::typeFilterFor):
3631 (JSC::DFG::shouldNotHaveTypeCheck):
3632 (JSC::DFG::checkMayCrashIfInputIsEmpty):
3633 * dfg/DFGWatchpointCollectionPhase.cpp:
3634 (JSC::DFG::WatchpointCollectionPhase::handle):
3635 * ftl/FTLCapabilities.cpp:
3636 (JSC::FTL::canCompile):
3637 * ftl/FTLLowerDFGToB3.cpp:
3638 (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
3639 (JSC::FTL::DFG::LowerDFGToB3::speculate):
3641 2018-07-20 Yusuke Suzuki <utatane.tea@gmail.com>
3643 [JSC] A bit performance improvement for Object.assign by cleaning up code
3644 https://bugs.webkit.org/show_bug.cgi?id=187852
3646 Reviewed by Saam Barati.
3648 We clean up Object.assign code a bit.
3650 1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
3651 2. canDoFastPath is not necessary. Restructuring the code to clean up things.
3653 It improves the performance a bit.
3657 object-assign.es6 237.7719+-5.5175 231.2856+-4.6907 might be 1.0280x faster
3659 * runtime/ObjectConstructor.cpp:
3660 (JSC::objectConstructorAssign):
3662 2018-07-19 Carlos Garcia Campos <cgarcia@igalia.com>
3664 [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
3665 https://bugs.webkit.org/show_bug.cgi?id=187798
3667 Reviewed by Michael Catanzaro.
3669 Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
3670 jsc_value_new_object() because indeed we are creating a new object. This makes destroy function and vtable
3671 functions to work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
3672 patch adds JSAPIWrapperGlobalObject for that.
3674 * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
3675 (jsAPIWrapperGlobalObjectHandleOwner):
3676 (JSAPIWrapperGlobalObjectHandleOwner::finalize):
3677 (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
3678 (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
3679 (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
3680 (JSC::JSAPIWrapperGlobalObject::finishCreation):
3681 (JSC::JSAPIWrapperGlobalObject::visitChildren):
3682 * API/glib/JSAPIWrapperGlobalObject.h: Added.
3683 (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
3684 (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
3685 * API/glib/JSCClass.cpp:
3686 (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
3687 (wrappedObjectClass): Return the class of a wrapped object.
3688 (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
3689 scope extension global object is used instead.
3690 (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
3691 (setProperty): Ditto.
3692 (hasProperty): Ditto.
3693 (deleteProperty): Ditto.
3694 (getPropertyNames): Ditto.
3695 (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
3696 * API/glib/JSCClassPrivate.h:
3697 * API/glib/JSCContext.cpp:
3698 (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
3699 (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
3700 * API/glib/JSCContext.h:
3701 * API/glib/JSCContextPrivate.h:
3702 * API/glib/JSCWrapperMap.cpp:
3703 (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
3704 when a JSCClass is used to create the JSAPIWrapperGlobalObject.
3705 (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
3706 * API/glib/JSCWrapperMap.h:
3709 2018-07-19 Saam Barati <sbarati@apple.com>
3711 Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
3712 https://bugs.webkit.org/show_bug.cgi?id=187836
3713 <rdar://problem/42409527>
3715 Reviewed by Mark Lam.
3717 We have crash reports that we're crashing on source->getDirect in Object.assign's
3718 fast path. Mark investigated this and determined we end up with a nullptr for
3719 butterfly. This is curious, because source's Structure indicated that it has
3720 out of line properties. My leading hypothesis for this at the moment is a bit
3721 handwavy, but it's essentially:
3722 - We end up firing a watchpoint when assigning to the target (this can happen
3723 if a watchpoint was set up for storing to that particular field)
3724 - When we fire that watchpoint, we end up doing some kind work on the source,
3725 perhaps causing it to flattenDictionaryStructure. Therefore, we end up
3728 I'm not super convinced this is what we're running into, but just by reading
3729 the code, I think it needs to be something similar to this. Seeing if this change
3730 fixes the crasher will give us good data to determine if something like this is
3731 happening or if the bug is something else entirely.
3733 * runtime/ObjectConstructor.cpp:
3734 (JSC::objectConstructorAssign):
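An added C++ model of the hazard this entry hypothesizes and the protocol it adopts (this is not JSC's objectConstructorAssign; ToyObject, Watchpoint, onePassAssign, twoPhaseAssign and the property values are constructed for the example). A store into the target fires a watchpoint-style callback that reshapes the source mid-copy; the one-pass loop, which keeps reading the source between stores, notices that the layout it depends on has changed, while the two-phase version reads every property first and never touches the source again once stores begin.

```cpp
// Added model of a one-pass vs two-phase property copy; not JavaScriptCore's
// objectConstructorAssign. ToyObject, Watchpoint and the *Assign names are hypothetical.
#include <cstdio>
#include <functional>
#include <string>
#include <utility>
#include <vector>

using Property = std::pair<std::string, int>;

// A toy object: named properties plus a layout version that changes whenever
// the property storage is rebuilt (standing in for a butterfly being replaced).
struct ToyObject {
    std::vector<Property> properties;
    unsigned layoutVersion = 0;

    // Rebuild the storage (stand-in for flattenDictionaryStructure): the same
    // properties end up in a new layout, so any index or pointer taken before
    // this call no longer refers to what the caller thinks it does.
    void reshape() {
        std::vector<Property> rebuilt(properties.rbegin(), properties.rend());
        properties.swap(rebuilt);
        ++layoutVersion;
    }

    void put(const std::string& name, int value) {
        for (Property& p : properties)
            if (p.first == name) { p.second = value; return; }
        properties.emplace_back(name, value);
    }
};

// Storing into the target may fire a watchpoint; its handler is arbitrary code.
using Watchpoint = std::function<void()>;

// One pass: read property i, store it, repeat. If the watchpoint reshapes the
// source between two iterations, the loop keeps reading a layout that no longer
// exists. The model detects that and returns false where the engine would have
// dereferenced stale storage.
bool onePassAssign(ToyObject& target, ToyObject& source, const Watchpoint& onStore) {
    const unsigned expected = source.layoutVersion;
    for (size_t i = 0; i < source.properties.size(); ++i) {
        Property value = source.properties[i];      // load from source
        target.put(value.first, value.second);      // store into target...
        onStore();                                  // ...which may fire a watchpoint
        if (source.layoutVersion != expected)
            return false;                           // source changed under us
    }
    return true;
}

// Two phases: load everything, then store everything. The source is never read
// after the first store, so whatever the watchpoint does to it cannot matter.
bool twoPhaseAssign(ToyObject& target, ToyObject& source, const Watchpoint& onStore) {
    std::vector<Property> loaded(source.properties.begin(), source.properties.end());
    for (const Property& p : loaded) {
        target.put(p.first, p.second);
        onStore();
    }
    return true;
}

// Constructed scenario: the first store into the target reshapes the source.
struct Outcome { bool completed; size_t copied; };

Outcome runScenario(bool useTwoPhase) {
    ToyObject source;
    source.properties = {{"a", 1}, {"b", 2}, {"c", 3}};
    ToyObject target;
    bool fired = false;
    Watchpoint onStore = [&] { if (!fired) { fired = true; source.reshape(); } };
    bool completed = useTwoPhase ? twoPhaseAssign(target, source, onStore)
                                 : onePassAssign(target, source, onStore);
    return {completed, target.properties.size()};
}

int main() {
    Outcome one = runScenario(false), two = runScenario(true);
    std::printf("one pass: completed=%d copied=%zu\n", one.completed, one.copied);
    std::printf("two phase: completed=%d copied=%zu\n", two.completed, two.copied);
    return 0;
}
```

The general lesson is the same one the entry applies: when a store can run arbitrary code (watchpoints, setters, finalizers), any pointer or index into another object that was taken before the store has to be treated as invalid afterwards, and snapshotting the reads up front is the simplest way to keep a fast path from depending on it.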
3736 2018-07-19 Commit Queue <commit-queue@webkit.org>
3738 Unreviewed, rolling out r233998.
3739 https://bugs.webkit.org/show_bug.cgi?id=187815
3741 Not needed. (Requested by mlam|a on #webkit).
3745 "Temporarily mitigate a bug where a source provider is null
3746 when it shouldn't be."
3747 https://bugs.webkit.org/show_bug.cgi?id=187812
3748 https://trac.webkit.org/changeset/233998
3750 2018-07-19 Mark Lam <mark.lam@apple.com>
3752 Temporarily mitigate a bug where a source provider is null when it shouldn't be.
3753 https://bugs.webkit.org/show_bug.cgi?id=187812
3754 <rdar://problem/41192691>
3756 Reviewed by Michael Saboff.
3758 Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
3760 * runtime/Error.cpp:
3761 (JSC::addErrorInfo):
3763 2018-07-19 Keith Rollin <krollin@apple.com>
3765 Adjust WEBCORE_EXPORT annotations for LTO
3766 https://bugs.webkit.org/show_bug.cgi?id=187781
3767 <rdar://problem/42351124>
3769 Reviewed by Alex Christensen.
3771 Continuation of Bug 186944. This bug addresses issues not caught
3772 during the first pass of adjustments. The initial work focussed on
3773 macOS; this one addresses issues found when building for iOS. From
3776 Adjust a number of places that result in WebKit's
3777 'check-for-weak-vtables-and-externals' script reporting weak external
3780 ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
3781 ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
3782 ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
3785 These cases are caused by inline methods being marked with WTF_EXPORT
3786 (or related macro) or with an inline function being in a class marked
3787 as such, and when enabling LTO builds.
3789 For the most part, address these by removing the WEBCORE_EXPORT
3790 annotation from inline methods. In some cases, move the implementation
3791 out-of-line because it's the class that has the WEBCORE_EXPORT on it
3792 and removing the annotation from the class would be too disruptive.
3793 Finally, in other cases, move the implementation out-of-line because
3794 check-for-weak-vtables-and-externals still complains when keeping the
3795 implementation inline and removing the annotation; this seems to
3796 typically (but not always) happen with destructors.
3798 * inspector/remote/RemoteAutomationTarget.cpp:
3799 (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
3800 * inspector/remote/RemoteAutomationTarget.h:
3801 * inspector/remote/RemoteInspector.cpp:
3802 (Inspector::RemoteInspector::Client::~Client):
3803 * inspector/remote/RemoteInspector.h:
3805 2018-07-19 Yusuke Suzuki <utatane.tea@gmail.com>
3807 Unreviewed, check scope after performing getPropertySlot in JSON.stringify
3808 https://bugs.webkit.org/show_bug.cgi?id=187807
3810 Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
3811 that we know that exception occurrence and handle it well.
3813 * runtime/JSONObject.cpp:
3814 (JSC::Stringifier::Holder::appendNextProperty):
3816 2018-07-18 Yusuke Suzuki <utatane.tea@gmail.com>
3818 [JSC] Reduce size of AST nodes
3819 https://bugs.webkit.org/show_bug.cgi?id=187689
3821 Reviewed by Mark Lam.
3823 We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
3824 of ParserArena at peak state.
3826 1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
3827 devirtualize a call to a function which is implemented in a final class.
3829 2. Use default member initializers more.
3831 3. And use `nullptr` instead of `0`.
3833 4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
3834 of classes in multiple inheritance. In particular, StatementNode is decreased from 48
3835 to 40. This decreases the sizes of all the derived Statement nodes.
3837 * parser/NodeConstructors.h:
3839 (JSC::StatementNode::StatementNode):
3840 (JSC::ElementNode::ElementNode):
3841 (JSC::ArrayNode::ArrayNode):
3842 (JSC::PropertyListNode::PropertyListNode):
3843 (JSC::ObjectLiteralNode::ObjectLiteralNode):
3844 (JSC::ArgumentListNode::ArgumentListNode):
3845 (JSC::ArgumentsNode::ArgumentsNode):
3846 (JSC::NewExprNode::NewExprNode):
3847 (JSC::BytecodeIntrinsicNode::Bytec