2017-11-07  Maciej Stachowiak  <mjs@apple.com>

        Get rid of unsightly hex numbers from unified build object files
        https://bugs.webkit.org/show_bug.cgi?id=179410

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.

2017-11-07  Saam Barati  <sbarati@apple.com>

        Only cage double butterfly accesses
        https://bugs.webkit.org/show_bug.cgi?id=179202

        This patch removes caging from all butterfly accesses except double loads/stores.
        This is a performance vs security tradeoff. Double loads/stores are the only butterfly
        loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
        by caging. The other load/stores we are no longer caging to get back performance on

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * llint/LowLevelInterpreter64.asm:
        * runtime/AuxiliaryBarrier.h:
        (JSC::AuxiliaryBarrier::operator-> const):
        * runtime/Butterfly.h:
        (JSC::Butterfly::caged):
        (JSC::Butterfly::contiguousDouble):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):

2017-11-07  Mark Lam  <mark.lam@apple.com>

        Introduce a default RegisterSet constructor so that we can use { } notation.
        https://bugs.webkit.org/show_bug.cgi?id=179389

        Reviewed by Saam Barati.

        I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
        does not add any code documentation value.

        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        (JSC::B3::Air::Code::setRegsInPriorityOrder):
        * b3/air/AirPrintSpecial.cpp:
        (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
        (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
        (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
        (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::macroScratchRegisters):
        (JSC::RegisterSet::RegisterSet):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):

2017-11-07  Mark Lam  <mark.lam@apple.com>

        AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
        https://bugs.webkit.org/show_bug.cgi?id=179355
        <rdar://problem/35263053>

        Reviewed by Saam Barati.

        In the Transition case in AccessCase::generateImpl(), we were restoring registers
        using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
        where we previously stashed the reallocated butterfly. If the generated code is
        under heavy register pressure, scratchGPR could have been from the set of preserved
        registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
        As a result, the restoration would trash the butterfly result we stored there.
        This patch fixes the issue by excluding the scratchGPR in the restoration.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2017-11-06  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::usesOpcode() is dead code
        https://bugs.webkit.org/show_bug.cgi?id=179316

        Reviewed by Yusuke Suzuki.

        Remove CodeBlock::usesOpcode which is dead code.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:

2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
        https://bugs.webkit.org/show_bug.cgi?id=144458

        Reviewed by Saam Barati.

        Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
        InternalFunction calls are not cached and they always go to the slow path. This is not good because

        1. We need to query getCallData/getConstructData every time in the slow path.
        2. CallLinkInfo tells nothing in the higher tier JITs.

        This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
        to hold pointers to the functions for call and construct. We have new stubs that can call/construct
        InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism.

        This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
        for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
        case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
        nodes for these InternalFunctions since CallLinkInfo tells us nothing.

        Attached microbenchmarks show performance improvement.

        dfg-internal-function-construct                 1.6439+-0.0826    ^     1.2829+-0.0727    ^ definitely 1.2813x faster
        dfg-internal-function-not-handled-construct     2.1862+-0.1361          2.0696+-0.1201      might be 1.0564x faster
        dfg-internal-function-not-handled-call         20.7592+-0.9085         19.7369+-0.7921      might be 1.0518x faster
        dfg-internal-function-call                      1.6856+-0.0967    ^     1.2771+-0.0744    ^ definitely 1.3198x faster

        [1]: https://bugs.webkit.org/show_bug.cgi?id=178064

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::getCallData): Deleted.
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::getCallData): Deleted.
        (JSC::ObjCCallbackFunction::getConstructData): Deleted.
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):
        * bytecode/BytecodeList.json:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::setCallee):
        (JSC::CallLinkInfo::callee):
        (JSC::CallLinkInfo::setLastSeenCallee):
        (JSC::CallLinkInfo::lastSeenCallee):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        * bytecode/LLIntCallLinkInfo.h:
        * jit/JITOperations.cpp:
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::internalFunctionCallGenerator):
        (JSC::internalFunctionConstructGenerator):
        * jit/ThunkGenerators.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::getConstructData): Deleted.
        (JSC::ArrayConstructor::getCallData): Deleted.
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
        (JSC::AsyncFunctionConstructor::finishCreation):
        (JSC::AsyncFunctionConstructor::getCallData): Deleted.
        (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
        * runtime/AsyncFunctionConstructor.h:
        (JSC::AsyncFunctionConstructor::createStructure):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
        (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
        (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
        (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
        * runtime/AsyncGeneratorFunctionConstructor.h:
        (JSC::AsyncGeneratorFunctionConstructor::createStructure):
        * runtime/BooleanConstructor.cpp:
        (JSC::callBooleanConstructor):
        (JSC::BooleanConstructor::BooleanConstructor):
        (JSC::BooleanConstructor::finishCreation):
        (JSC::BooleanConstructor::getConstructData): Deleted.
        (JSC::BooleanConstructor::getCallData): Deleted.
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::getConstructData): Deleted.
        (JSC::DateConstructor::getCallData): Deleted.
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
        (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::getConstructData): Deleted.
        (JSC::ErrorConstructor::getCallData): Deleted.
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        (JSC::FunctionConstructor::finishCreation):
        (JSC::FunctionConstructor::getConstructData): Deleted.
        (JSC::FunctionConstructor::getCallData): Deleted.
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::callFunctionPrototype):
        (JSC::FunctionPrototype::FunctionPrototype):
        (JSC::FunctionPrototype::getCallData): Deleted.
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
        (JSC::GeneratorFunctionConstructor::finishCreation):
        (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
        (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
        * runtime/GeneratorFunctionConstructor.h:
        (JSC::GeneratorFunctionConstructor::createStructure):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::getCallData):
        (JSC::InternalFunction::getConstructData):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (JSC::InternalFunction::nativeFunctionFor):
        (JSC::InternalFunction::offsetOfNativeFunctionFor):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::createStructure):
        (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
        (JSC::IntlCollatorConstructor::getConstructData): Deleted.
        (JSC::IntlCollatorConstructor::getCallData): Deleted.
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::createStructure):
        (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
        (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
        (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::createStructure):
        (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
        (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
        (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
        (JSC::JSArrayBufferConstructor::createStructure):
        (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
        (JSC::JSArrayBufferConstructor::getCallData): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSGenericTypedArrayViewConstructor.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::createStructure):
        (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
        (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
        (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::createStructure):
        (JSC::JSPromiseConstructor::JSPromiseConstructor):
        (JSC::JSPromiseConstructor::getConstructData): Deleted.
        (JSC::JSPromiseConstructor::getCallData): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
        (JSC::JSTypedArrayViewConstructor::createStructure):
        (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
        (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
        * runtime/JSTypedArrayViewConstructor.h:
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::MapConstructor):
        (JSC::MapConstructor::getConstructData): Deleted.
        (JSC::MapConstructor::getCallData): Deleted.
        * runtime/MapConstructor.h:
        (JSC::MapConstructor::createStructure):
        (JSC::MapConstructor::MapConstructor): Deleted.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        (JSC::NativeErrorConstructor::getConstructData): Deleted.
        (JSC::NativeErrorConstructor::getCallData): Deleted.
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        * runtime/NullGetterFunction.cpp:
        (JSC::NullGetterFunction::NullGetterFunction):
        (JSC::NullGetterFunction::getCallData): Deleted.
        (JSC::NullGetterFunction::getConstructData): Deleted.
        * runtime/NullGetterFunction.h:
        (JSC::NullGetterFunction::createStructure):
        (JSC::NullGetterFunction::NullGetterFunction): Deleted.
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunction::NullSetterFunction):
        (JSC::NullSetterFunction::getCallData): Deleted.
        (JSC::NullSetterFunction::getConstructData): Deleted.
        * runtime/NullSetterFunction.h:
        (JSC::NullSetterFunction::createStructure):
        (JSC::NullSetterFunction::NullSetterFunction): Deleted.
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        (JSC::constructNumberConstructor):
        (JSC::constructWithNumberConstructor): Deleted.
        (JSC::NumberConstructor::getConstructData): Deleted.
        (JSC::NumberConstructor::getCallData): Deleted.
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::getConstructData): Deleted.
        (JSC::ObjectConstructor::getCallData): Deleted.
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ProxyConstructor.cpp:
        (JSC::ProxyConstructor::ProxyConstructor):
        (JSC::ProxyConstructor::getConstructData): Deleted.
        (JSC::ProxyConstructor::getCallData): Deleted.
        * runtime/ProxyConstructor.h:
        (JSC::ProxyConstructor::createStructure):
        * runtime/ProxyRevoke.cpp:
        (JSC::ProxyRevoke::ProxyRevoke):
        (JSC::ProxyRevoke::getCallData): Deleted.
        * runtime/ProxyRevoke.h:
        (JSC::ProxyRevoke::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::getConstructData): Deleted.
        (JSC::RegExpConstructor::getCallData): Deleted.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::SetConstructor):
        (JSC::SetConstructor::getConstructData): Deleted.
        (JSC::SetConstructor::getCallData): Deleted.
        * runtime/SetConstructor.h:
        (JSC::SetConstructor::createStructure):
        (JSC::SetConstructor::SetConstructor): Deleted.
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::getConstructData): Deleted.
        (JSC::StringConstructor::getCallData): Deleted.
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::SymbolConstructor):
        (JSC::SymbolConstructor::getConstructData): Deleted.
        (JSC::SymbolConstructor::getCallData): Deleted.
        * runtime/SymbolConstructor.h:
        (JSC::SymbolConstructor::createStructure):
        (JSC::VM::getCTIInternalFunctionTrampolineFor):
        * runtime/WeakMapConstructor.cpp:
        (JSC::WeakMapConstructor::WeakMapConstructor):
        (JSC::WeakMapConstructor::getConstructData): Deleted.
        (JSC::WeakMapConstructor::getCallData): Deleted.
        * runtime/WeakMapConstructor.h:
        (JSC::WeakMapConstructor::createStructure):
        (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
        * runtime/WeakSetConstructor.cpp:
        (JSC::WeakSetConstructor::WeakSetConstructor):
        (JSC::WeakSetConstructor::getConstructData): Deleted.
        (JSC::WeakSetConstructor::getCallData): Deleted.
        * runtime/WeakSetConstructor.h:
        (JSC::WeakSetConstructor::createStructure):
        (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::createStructure):
        (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
        (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyCompileErrorConstructor.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::createStructure):
        (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
        (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyInstanceConstructor.h:
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::createStructure):
        (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
        (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyLinkErrorConstructor.h:
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::WebAssemblyMemoryConstructor::createStructure):
        (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
        (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyMemoryConstructor.h:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createStructure):
        (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
        (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
        (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
        (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::WebAssemblyTableConstructor::createStructure):
        (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
        (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyTableConstructor.h:

2017-11-03  Michael Saboff  <msaboff@apple.com>

        The Abstract Interpreter needs to change similar to clobberize() in r224366
        https://bugs.webkit.org/show_bug.cgi?id=179267

        Reviewed by Saam Barati.

        Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
        cases in the abstract interpreter to match what was done for r224366.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2017-11-03  Keith Miller  <keith_miller@apple.com>

        PutPropertySlot should inform the IC about the property before effects.
        https://bugs.webkit.org/show_bug.cgi?id=179262

        Reviewed by Mark Lam.

        This patch fixes an issue where we choose to cache setters based on
        incorrect information. If we did so we might end up OSR exiting
        more than we would otherwise need to. The new model is that the
        PutPropertySlot should inform the IC of what the property looked
        like before any potential side effects might have occurred.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):

2017-11-03  Mark Lam  <mark.lam@apple.com>

        CachedCall (and its clients) needs overflow checks.
        https://bugs.webkit.org/show_bug.cgi?id=179185

        Reviewed by JF Bastien.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        (JSC::CachedCall::hasOverflowedArguments):
        (JSC::MarkedArgumentBuffer::clear):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2017-11-03  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
        https://bugs.webkit.org/show_bug.cgi?id=178302
        <rdar://problem/33158849>

        Reviewed by Brian Burg.

        * inspector/protocol/Recording.json:
        Add `duration` to each Frame that represents the total time of all the recorded actions.

2017-11-02  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
        https://bugs.webkit.org/show_bug.cgi?id=179070
        <rdar://problem/35278276>

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add `extensionEnabled` event that is fired each time `getExtension` is called with a
        different string on a WebGL context.

2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>

        Make ServiceWorker a Remote Inspector debuggable target
        https://bugs.webkit.org/show_bug.cgi?id=179043
        <rdar://problem/34126008>

        Reviewed by Brian Burg.

        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspectionTarget.h:
        * inspector/remote/RemoteInspectorConstants.h:
        Include a new ServiceWorker remote inspector target type.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        Implement listing for a ServiceWorker to include a URL like a page.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        Bail for ServiceWorker support in glib. They will need to implement their support.

2017-11-02  Michael Saboff  <msaboff@apple.com>

        DFG needs to handle code motion of code in for..in loop bodies
        https://bugs.webkit.org/show_bug.cgi?id=179212

        Reviewed by Keith Miller.

        The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
        makes calls with side effects. Updated clobberize() for those nodes to take that into account.
585 * dfg/DFGClobberize.h:
586 (JSC::DFG::clobberize):
588 2017-11-02 Joseph Pecoraro <pecoraro@apple.com>
590 Inspector should display service worker served responses properly
591 https://bugs.webkit.org/show_bug.cgi?id=178597
592 <rdar://problem/35186111>
594 Reviewed by Brian Burg.
596 * inspector/protocol/Network.json:
597 Expose a new "service-worker" response source.
599 2017-11-02 Filip Pizlo <fpizlo@apple.com>
601 AI does not correctly model the clobber case of ArithClz32
602 https://bugs.webkit.org/show_bug.cgi?id=179188
604 Reviewed by Michael Saboff.
606 The non-Int32 case clobbers the world because it may call valueOf.
608 * dfg/DFGAbstractInterpreterInlines.h:
609 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
611 2017-11-02 Yusuke Suzuki <utatane.tea@gmail.com>
613 Unreviewed, release throw scope
614 https://bugs.webkit.org/show_bug.cgi?id=178726
616 * dfg/DFGOperations.cpp:
618 2017-11-02 Frederic Wang <fwang@igalia.com>
620 Add references to bug 179167 in FIXME comments
621 https://bugs.webkit.org/show_bug.cgi?id=179168
623 Reviewed by Daniel Bates.
625 * Configurations/FeatureDefines.xcconfig:
627 2017-11-01 Jeremy Jones <jeremyj@apple.com>
629 Implement WKFullscreenWindowController for iOS.
630 https://bugs.webkit.org/show_bug.cgi?id=178924
631 rdar://problem/34697120
633 Reviewed by Simon Fraser.
635 Enable ENABLE_FULLSCREEN_API for iOS.
637 * Configurations/FeatureDefines.xcconfig:
639 2017-11-01 Mark Lam <mark.lam@apple.com>
641 Add support to throw OOM if MarkedArgumentBuffer may overflow.
642 https://bugs.webkit.org/show_bug.cgi?id=179092
643 <rdar://problem/35116160>
645 Reviewed by Saam Barati.
647 The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
648 time, which renders it unsuitable for automated tests. Instead, I've run a
649 test manually to verify that an OutOfMemoryError will be thrown when an overflow
652 The MarkedArgumentBuffer's destructor will now assert that the client has indeed
653 checked for an overflow after invoking methods that may result in an overflow i.e.
654 the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
655 This is only done on debug builds.
657 * API/JSObjectRef.cpp:
658 (JSObjectMakeFunction):
661 (JSObjectMakeRegExp):
662 (JSObjectCallAsFunction):
663 (JSObjectCallAsConstructor):
664 * dfg/DFGOperations.cpp:
665 * inspector/InjectedScriptManager.cpp:
666 (Inspector::InjectedScriptManager::createInjectedScript):
667 * inspector/JSJavaScriptCallFrame.cpp:
668 (Inspector::JSJavaScriptCallFrame::scopeChain const):
669 * interpreter/Interpreter.cpp:
670 (JSC::Interpreter::executeProgram):
672 (functionDollarAgentReceiveBroadcast):
673 * runtime/ArgList.cpp:
674 (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
675 (JSC::MarkedArgumentBuffer::expandCapacity):
676 (JSC::MarkedArgumentBuffer::slowAppend):
678 (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
679 (JSC::MarkedArgumentBuffer::appendWithAction):
680 (JSC::MarkedArgumentBuffer::append):
681 (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
682 (JSC::MarkedArgumentBuffer::hasOverflowed):
683 (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
684 (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
685 * runtime/ArrayPrototype.cpp:
686 * runtime/CommonSlowPaths.cpp:
687 (JSC::SLOW_PATH_DECL):
688 * runtime/GetterSetter.cpp:
690 * runtime/IteratorOperations.cpp:
692 (JSC::iteratorClose):
693 * runtime/JSBoundFunction.cpp:
694 (JSC::boundThisNoArgsFunctionCall):
695 (JSC::boundFunctionCall):
696 (JSC::boundThisNoArgsFunctionConstruct):
697 (JSC::boundFunctionConstruct):
698 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
699 (JSC::constructGenericTypedArrayViewFromIterator):
700 * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
701 (JSC::genericTypedArrayViewProtoFuncSlice):
702 (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
703 * runtime/JSGlobalObject.cpp:
704 (JSC::JSGlobalObject::haveABadTime):
705 * runtime/JSInternalPromise.cpp:
706 (JSC::JSInternalPromise::then):
708 (JSC::JSJobMicrotask::run):
709 * runtime/JSMapIterator.cpp:
710 (JSC::JSMapIterator::createPair):
711 * runtime/JSModuleLoader.cpp:
712 (JSC::JSModuleLoader::provideFetch):
713 (JSC::JSModuleLoader::loadAndEvaluateModule):
714 (JSC::JSModuleLoader::loadModule):
715 (JSC::JSModuleLoader::linkAndEvaluateModule):
716 (JSC::JSModuleLoader::requestImportModule):
717 * runtime/JSONObject.cpp:
718 (JSC::Stringifier::toJSONImpl):
719 (JSC::Stringifier::appendStringifiedValue):
720 (JSC::Walker::callReviver):
721 * runtime/JSObject.cpp:
722 (JSC::ordinarySetSlow):
723 (JSC::callToPrimitiveFunction):
724 (JSC::JSObject::hasInstance):
725 * runtime/JSPromise.cpp:
726 (JSC::JSPromise::initialize):
727 (JSC::JSPromise::resolve):
728 * runtime/JSPromiseDeferred.cpp:
729 (JSC::newPromiseCapability):
731 * runtime/JSSetIterator.cpp:
732 (JSC::JSSetIterator::createPair):
733 * runtime/LiteralParser.cpp:
734 (JSC::LiteralParser<CharType>::parse):
735 * runtime/MapConstructor.cpp:
737 * runtime/ObjectConstructor.cpp:
738 (JSC::defineProperties):
739 * runtime/ProxyObject.cpp:
740 (JSC::performProxyGet):
741 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
742 (JSC::ProxyObject::performHasProperty):
743 (JSC::ProxyObject::performPut):
744 (JSC::performProxyCall):
745 (JSC::performProxyConstruct):
746 (JSC::ProxyObject::performDelete):
747 (JSC::ProxyObject::performPreventExtensions):
748 (JSC::ProxyObject::performIsExtensible):
749 (JSC::ProxyObject::performDefineOwnProperty):
750 (JSC::ProxyObject::performGetOwnPropertyNames):
751 (JSC::ProxyObject::performSetPrototype):
752 (JSC::ProxyObject::performGetPrototype):
753 * runtime/ReflectObject.cpp:
754 (JSC::reflectObjectConstruct):
755 * runtime/SetConstructor.cpp:
757 * runtime/StringPrototype.cpp:
758 (JSC::replaceUsingRegExpSearch):
759 (JSC::replaceUsingStringSearch):
760 * runtime/WeakMapConstructor.cpp:
761 (JSC::constructWeakMap):
762 * runtime/WeakSetConstructor.cpp:
763 (JSC::constructWeakSet):
764 * wasm/js/WasmToJS.cpp:
765 (JSC::Wasm::wasmToJS):
767 2017-11-01 Michael Saboff <msaboff@apple.com>
769 Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
770 https://bugs.webkit.org/show_bug.cgi?id=179140
772 Reviewed by Saam Barati.
774 Added overflow checks to computation of arg count plus this.
776 * dfg/DFGSpeculativeJIT32_64.cpp:
777 (JSC::DFG::SpeculativeJIT::compile):
778 * dfg/DFGSpeculativeJIT64.cpp:
779 (JSC::DFG::SpeculativeJIT::compile):
780 * ftl/FTLLowerDFGToB3.cpp:
781 (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
783 2017-11-01 Yusuke Suzuki <utatane.tea@gmail.com>
785 Unreviewed, use weakPointer instead of FTLOutput::weakPointer
786 https://bugs.webkit.org/show_bug.cgi?id=178934
788 * ftl/FTLLowerDFGToB3.cpp:
789 (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
791 2017-11-01 Yusuke Suzuki <utatane.tea@gmail.com>
793 [JSC] Introduce @toObject
794 https://bugs.webkit.org/show_bug.cgi?id=178726
796 Reviewed by Saam Barati.
798 This patch introduces the @toObject intrinsic, along with an op_to_object bytecode and a DFG ToObject node.
799 Previously we emulated @toObject behavior in builtin JS. But that consumes a lot of bytecode, while @toObject
800 is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
801 ObjectConstructor in LLInt and Baseline.
803 We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
804 offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
806     if (this === @undefined || this === null)
807         @throwTypeError("error message");
808     var object = @Object(this);
812     var object = @toObject(this, "error message");
814 And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
815 ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
816 In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
818 It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.
820 * builtins/ArrayConstructor.js:
822 * builtins/ArrayPrototype.js:
838 (globalPrivate.concatSlowPath):
840 * builtins/DatePrototype.js:
841 (toLocaleString.toDateTimeOptionsAnyAll):
843 (toLocaleDateString.toDateTimeOptionsDateDate):
844 (toLocaleDateString):
845 (toLocaleTimeString.toDateTimeOptionsTimeTime):
846 (toLocaleTimeString):
847 * builtins/GlobalOperations.js:
848 (globalPrivate.copyDataProperties):
849 (globalPrivate.copyDataPropertiesNoExclusions):
850 * builtins/ObjectConstructor.js:
852 * builtins/StringConstructor.js:
854 * builtins/TypedArrayConstructor.js:
856 * builtins/TypedArrayPrototype.js:
859 * bytecode/BytecodeDumper.cpp:
860 (JSC::BytecodeDumper<Block>::dumpBytecode):
861 * bytecode/BytecodeIntrinsicRegistry.h:
862 * bytecode/BytecodeList.json:
863 * bytecode/BytecodeUseDef.h:
864 (JSC::computeUsesForBytecodeOffset):
865 (JSC::computeDefsForBytecodeOffset):
866 * bytecode/CodeBlock.cpp:
867 (JSC::CodeBlock::finishCreation):
868 * bytecompiler/BytecodeGenerator.cpp:
869 (JSC::BytecodeGenerator::emitToObject):
870 * bytecompiler/BytecodeGenerator.h:
871 * bytecompiler/NodesCodegen.cpp:
872 (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
873 * dfg/DFGAbstractInterpreterInlines.h:
874 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
875 * dfg/DFGByteCodeParser.cpp:
876 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
877 (JSC::DFG::ByteCodeParser::parseBlock):
878 * dfg/DFGCapabilities.cpp:
879 (JSC::DFG::capabilityLevel):
880 * dfg/DFGClobberize.h:
881 (JSC::DFG::clobberize):
884 * dfg/DFGFixupPhase.cpp:
885 (JSC::DFG::FixupPhase::fixupNode):
886 (JSC::DFG::FixupPhase::fixupToObject):
887 (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
889 (JSC::DFG::Node::convertToCallObjectConstructor):
890 (JSC::DFG::Node::convertToNewStringObject):
891 (JSC::DFG::Node::convertToNewObject):
892 (JSC::DFG::Node::hasIdentifier):
893 (JSC::DFG::Node::hasHeapPrediction):
894 (JSC::DFG::Node::hasCellOperand):
896 * dfg/DFGOperations.cpp:
897 * dfg/DFGOperations.h:
898 * dfg/DFGPredictionPropagationPhase.cpp:
899 * dfg/DFGSafeToExecute.h:
900 (JSC::DFG::safeToExecute):
901 * dfg/DFGSpeculativeJIT.cpp:
902 (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
903 (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
904 * dfg/DFGSpeculativeJIT.h:
905 (JSC::DFG::SpeculativeJIT::callOperation):
906 * dfg/DFGSpeculativeJIT32_64.cpp:
907 (JSC::DFG::SpeculativeJIT::compile):
908 * dfg/DFGSpeculativeJIT64.cpp:
909 (JSC::DFG::SpeculativeJIT::compile):
910 * ftl/FTLCapabilities.cpp:
911 (JSC::FTL::canCompile):
912 * ftl/FTLLowerDFGToB3.cpp:
913 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
914 (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
915 (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
917 (JSC::JIT::privateCompileMainPass):
918 (JSC::JIT::privateCompileSlowCases):
920 * jit/JITOpcodes.cpp:
921 (JSC::JIT::emit_op_to_object):
922 (JSC::JIT::emitSlow_op_to_object):
923 * jit/JITOpcodes32_64.cpp:
924 (JSC::JIT::emit_op_to_object):
925 (JSC::JIT::emitSlow_op_to_object):
926 * jit/JITOperations.cpp:
927 * jit/JITOperations.h:
928 * llint/LowLevelInterpreter32_64.asm:
929 * llint/LowLevelInterpreter64.asm:
930 * runtime/CommonSlowPaths.cpp:
931 (JSC::SLOW_PATH_DECL):
932 * runtime/CommonSlowPaths.h:
934 2017-11-01 Fujii Hironori <Hironori.Fujii@sony.com>
936 Use LazyNeverDestroyed instead of DEFINE_GLOBAL
937 https://bugs.webkit.org/show_bug.cgi?id=174979
939 Reviewed by Yusuke Suzuki.
941 * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
943 2017-10-27 Yusuke Suzuki <utatane.tea@gmail.com>
945 [DFG][FTL] Introduce StringSlice
946 https://bugs.webkit.org/show_bug.cgi?id=178934
948 Reviewed by Saam Barati.
950 String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
951 This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
953 This patch's StringSlice node optimizes the following things.
955 1. Empty string generation is accelerated. It is fully executed inline.
956 2. One char string generation is accelerated. `< 0x100` character is supported right now.
957 It is the same as the charAt acceleration.
958 3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
961 We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
962 And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
963 in subsequent changes.
965 This patch improves ARES-6/Babylon performance by 3% in steady state.
968 Running... Babylon ( 1 to go)
969 firstIteration: 50.05 +- 13.68 ms
970 averageWorstCase: 16.80 +- 1.27 ms
971 steadyState: 7.53 +- 0.22 ms
974 Running... Babylon ( 1 to go)
975 firstIteration: 50.91 +- 13.41 ms
976 averageWorstCase: 16.12 +- 0.99 ms
977 steadyState: 7.30 +- 0.29 ms
979 * dfg/DFGAbstractInterpreterInlines.h:
980 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
981 * dfg/DFGBackwardsPropagationPhase.cpp:
982 (JSC::DFG::BackwardsPropagationPhase::propagate):
983 * dfg/DFGByteCodeParser.cpp:
984 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
985 * dfg/DFGClobberize.h:
986 (JSC::DFG::clobberize):
989 * dfg/DFGFixupPhase.cpp:
990 (JSC::DFG::FixupPhase::fixupNode):
992 * dfg/DFGOperations.cpp:
993 * dfg/DFGOperations.h:
994 * dfg/DFGPredictionPropagationPhase.cpp:
995 * dfg/DFGSafeToExecute.h:
996 (JSC::DFG::safeToExecute):
997 * dfg/DFGSpeculativeJIT.cpp:
998 (JSC::DFG::SpeculativeJIT::compileStringSlice):
999 (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
1000 (JSC::DFG::SpeculativeJIT::compileArraySlice):
1001 (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1002 * dfg/DFGSpeculativeJIT.h:
1003 (JSC::DFG::SpeculativeJIT::callOperation):
1004 * dfg/DFGSpeculativeJIT32_64.cpp:
1005 (JSC::DFG::SpeculativeJIT::compile):
1006 * dfg/DFGSpeculativeJIT64.cpp:
1007 (JSC::DFG::SpeculativeJIT::compile):
1008 * ftl/FTLCapabilities.cpp:
1009 (JSC::FTL::canCompile):
1010 * ftl/FTLLowerDFGToB3.cpp:
1011 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1012 (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
1013 (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1014 (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1015 * jit/JITOperations.h:
1016 * runtime/Intrinsic.cpp:
1017 (JSC::intrinsicName):
1018 * runtime/Intrinsic.h:
1019 * runtime/StringPrototype.cpp:
1020 (JSC::StringPrototype::finishCreation):
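The index normalisation that String.prototype.slice performs, with the three cases the StringSlice node treats separately, as an added JavaScript example that is not JSC's code; the helper names and the returned `path` tag are my own, added so the fast path taken is visible.

```javascript
// Added example, not JavaScriptCore code. Spec-style slice index handling with the three
// cases the ChangeLog entry lists: empty result, single character below 0x100, general.

// ToIntegerOrInfinity-style conversion used by slice: NaN -> 0, truncate toward zero.
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// Resolve a possibly negative relative index into the range [0, length].
function relativeIndex(v, length) {
  const n = toInteger(v);
  if (n < 0) return Math.max(length + n, 0);
  return Math.min(n, length);
}

// Returns the sliced string plus which of the three paths produced it
// ('empty', 'singleChar' or 'general'); the tag is for illustration only.
function stringSlice(str, start, end) {
  const length = str.length;
  const from = relativeIndex(start, length);
  const to = end === undefined ? length : relativeIndex(end, length);
  const span = Math.max(to - from, 0);

  if (span === 0) {
    // Case 1: empty result, nothing to allocate; fully inline in the JIT.
    return { result: '', path: 'empty' };
  }
  const code = str.charCodeAt(from);
  if (span === 1 && code < 0x100) {
    // Case 2: a single character below 0x100 is served from the engine's
    // preallocated single-character strings, the same trick charAt uses.
    return { result: String.fromCharCode(code), path: 'singleChar' };
  }
  // Case 3: general substring; in JSC this is the out-of-line allocation call.
  return { result: str.substring(from, to), path: 'general' };
}

// Cross-check the model against the built-in on one input (edge cases included).
function matchesBuiltin(str, start, end) {
  const expected = end === undefined ? str.slice(start) : str.slice(start, end);
  return stringSlice(str, start, end).result === expected;
}
```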
1022 2017-10-31 JF Bastien <jfbastien@apple.com>
1024 WebAssembly: Wasm::IndexOrName has a raw pointer to Name
1025 https://bugs.webkit.org/show_bug.cgi?id=176644
1027 Reviewed by Michael Saboff.
1029 IndexOrName now keeps a RefPtr to its original NameSection, which
1030 holds the Name (or references nullptr if Index). Holding onto the
1031 entire section seems like the better thing to do, since backtraces
1032 probably contain multiple names from the same Module.
1034 * JavaScriptCore.xcodeproj/project.pbxproj:
1035 * interpreter/Interpreter.cpp:
1036 (JSC::GetStackTraceFunctor::operator() const):
1037 * interpreter/StackVisitor.h: Frame is no longer POD because of the
1039 * runtime/StackFrame.cpp:
1040 (JSC::StackFrame::StackFrame):
1041 * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
1042 (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
1043 (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
1044 * wasm/WasmBBQPlanInlines.h:
1045 (JSC::Wasm::BBQPlan::initializeCallees):
1046 * wasm/WasmCallee.cpp:
1047 (JSC::Wasm::Callee::Callee):
1048 * wasm/WasmCallee.h:
1049 (JSC::Wasm::Callee::create):
1050 * wasm/WasmFormat.h: Move NameSection to its own header.
1051 (JSC::Wasm::isValidNameType):
1052 (JSC::Wasm::NameSection::get): Deleted.
1053 * wasm/WasmIndexOrName.cpp:
1054 (JSC::Wasm::IndexOrName::IndexOrName):
1055 (JSC::Wasm::makeString):
1056 * wasm/WasmIndexOrName.h:
1057 (JSC::Wasm::IndexOrName::IndexOrName):
1058 (JSC::Wasm::IndexOrName::isEmpty const):
1059 (JSC::Wasm::IndexOrName::isIndex const):
1060 * wasm/WasmModuleInformation.cpp:
1061 (JSC::Wasm::ModuleInformation::ModuleInformation):
1062 * wasm/WasmModuleInformation.h:
1063 (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
1064 * wasm/WasmNameSection.h:
1065 (JSC::Wasm::NameSection::get):
1066 (JSC::Wasm::NameSection::create): Deleted.
1067 * wasm/WasmNameSectionParser.cpp:
1068 (JSC::Wasm::NameSectionParser::parse):
1069 * wasm/WasmNameSectionParser.h:
1070 * wasm/WasmOMGPlan.cpp:
1071 (JSC::Wasm::OMGPlan::work):
1073 2017-10-31 Tim Horton <timothy_horton@apple.com>
1075 Clean up some drag and drop feature flags
1076 https://bugs.webkit.org/show_bug.cgi?id=179082
1078 Reviewed by Simon Fraser.
1080 * Configurations/FeatureDefines.xcconfig:
1082 2017-10-31 Commit Queue <commit-queue@webkit.org>
1084 Unreviewed, rolling out r224243, r224246, and r224248.
1085 https://bugs.webkit.org/show_bug.cgi?id=179083
1087 The patch and fix broke the Windows build. (Requested by
1088 mlewis13 on #webkit).
1090 Reverted changesets:
1092 "StructureStubInfo should have GPRReg members not int8_ts"
1093 https://bugs.webkit.org/show_bug.cgi?id=179071
1094 https://trac.webkit.org/changeset/224243
1096 "Make all register enums be backed by uint8_t."
1097 https://bugs.webkit.org/show_bug.cgi?id=179074
1098 https://trac.webkit.org/changeset/224246
1100 "Unreviewed, windows build fix."
1101 https://trac.webkit.org/changeset/224248
1103 2017-10-31 Tim Horton <timothy_horton@apple.com>
1105 Fix up some content filtering feature flags
1106 https://bugs.webkit.org/show_bug.cgi?id=179079
1108 Reviewed by Simon Fraser.
1110 * Configurations/FeatureDefines.xcconfig:
1112 2017-10-31 Keith Miller <keith_miller@apple.com>
1114 Unreviewed, windows build fix.
1116 * assembler/X86Assembler.h:
1117 (JSC::X86Assembler::numberOfRegisters):
1118 (JSC::X86Assembler::numberOfSPRegisters):
1119 (JSC::X86Assembler::numberOfFPRegisters):
1121 2017-10-31 Keith Miller <keith_miller@apple.com>
1123 Make all register enums be backed by uint8_t.
1124 https://bugs.webkit.org/show_bug.cgi?id=179074
1126 Reviewed by Mark Lam.
1128 * assembler/ARM64Assembler.h:
1129 * assembler/ARMAssembler.h:
1130 * assembler/ARMv7Assembler.h:
1131 * assembler/MIPSAssembler.h:
1132 * assembler/MacroAssembler.h:
1133 * assembler/X86Assembler.h:
1135 2017-10-31 Keith Miller <keith_miller@apple.com>
1137 StructureStubInfo should have GPRReg members not int8_ts
1138 https://bugs.webkit.org/show_bug.cgi?id=179071
1140 Reviewed by Michael Saboff.
1142 This patch makes the various RegisterID enums be backed by
1143 uint8_t. This means that we can remove the old int8_t members in
1144 StructureStubInfo and replace them with the correct enum types.
1146 Also, this fixes an indentation issue in ARMv7Assembler.h.
1148 * assembler/ARM64Assembler.h:
1149 * assembler/ARMAssembler.h:
1150 * assembler/ARMv7Assembler.h:
1151 (JSC::ARMRegisters::asSingle):
1152 (JSC::ARMRegisters::asDouble):
1153 * assembler/MIPSAssembler.h:
1154 * assembler/X86Assembler.h:
1155 * bytecode/InlineAccess.cpp:
1156 (JSC::InlineAccess::generateSelfPropertyAccess):
1157 (JSC::getScratchRegister):
1158 * bytecode/PolymorphicAccess.cpp:
1159 (JSC::PolymorphicAccess::regenerate):
1160 * bytecode/StructureStubInfo.h:
1161 (JSC::StructureStubInfo::valueRegs const):
1162 * dfg/DFGSpeculativeJIT.cpp:
1163 (JSC::DFG::SpeculativeJIT::compileIn):
1164 * ftl/FTLLowerDFGToB3.cpp:
1165 (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1166 * jit/JITInlineCacheGenerator.cpp:
1167 (JSC::JITByIdGenerator::JITByIdGenerator):
1168 (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
1170 2017-10-31 Devin Rousso <webkit@devinrousso.com>
1172 Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
1173 https://bugs.webkit.org/show_bug.cgi?id=179048
1175 Reviewed by Mark Lam.
1177 * inspector/ScriptCallStackFactory.h:
1178 * inspector/ScriptCallStackFactory.cpp:
1179 (createScriptCallStack):
1180 (createScriptCallStackForConsole):
1181 (createScriptCallStackFromException):
1183 * inspector/ConsoleMessage.cpp:
1184 (Inspector::ConsoleMessage::autogenerateMetadata):
1185 * inspector/JSGlobalObjectInspectorController.cpp:
1186 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1187 * inspector/agents/InspectorConsoleAgent.cpp:
1188 (Inspector::InspectorConsoleAgent::count):
1189 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1190 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1192 2017-10-31 Carlos Garcia Campos <cgarcia@igalia.com>
1194 Unreviewed. Fix GTK+ make distcheck.
1196 Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
1200 2017-10-30 Saam Barati <sbarati@apple.com>
1202 We need a storeStoreFence before storing to the instruction stream's live variable catch data
1203 https://bugs.webkit.org/show_bug.cgi?id=178649
1205 Reviewed by Keith Miller.
1207 * bytecode/CodeBlock.cpp:
1208 (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1210 2017-10-30 Michael Catanzaro <mcatanzaro@igalia.com>
1212 [WPE] Fix build warnings
1213 https://bugs.webkit.org/show_bug.cgi?id=178899
1215 Reviewed by Carlos Alberto Lopez Perez.
1217 * PlatformWPE.cmake:
1219 2017-10-30 Zan Dobersek <zdobersek@igalia.com>
1221 [ARMv7] Fix initial start register support in YarrJIT
1222 https://bugs.webkit.org/show_bug.cgi?id=178641
1224 Reviewed by Saam Barati.
1226 * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
1227 YarrGenerator class. r6 should be avoided since it's already used inside
1228 MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
1229 can be used as the frame pointer register when targeting ARM Thumb2.
1231 2017-10-30 Zan Dobersek <zdobersek@igalia.com>
1233 [ARM64][Linux] Re-enable Gigacage
1234 https://bugs.webkit.org/show_bug.cgi?id=178130
1236 Reviewed by Michael Catanzaro.
1238 Guard the current globaladdr opcode implementation for ARM64 with
1239 OS(DARWIN) as it's only usable for Mach-O.
1241 For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
1242 have to be used. The .loh directive can't be used as it's not supported
1243 in GCC or the ld linker.
1245 On every other OS target, a compilation error is thrown.
1247 * offlineasm/arm64.rb:
1249 2017-10-27 Devin Rousso <webkit@devinrousso.com>
1251 Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
1252 https://bugs.webkit.org/show_bug.cgi?id=178799
1253 <rdar://problem/35175805>
1255 Reviewed by Brian Burg.
1257 * inspector/protocol/Canvas.json:
1258 Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
1260 2017-10-27 Yusuke Suzuki <utatane.tea@gmail.com>
1262 [JSC] Tweak ES6 generator function to allow inlining
1263 https://bugs.webkit.org/show_bug.cgi?id=178935
1265 Reviewed by Saam Barati.
1267 We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
1268 This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
1269 them to be inlined in DFG.
1273 spread-generator.es6 301.2637+-11.1011 ^ 260.5905+-14.2258 ^ definitely 1.1561x faster
1274 generator.es6 269.6030+-13.2435 ^ 148.8840+-6.7614 ^ definitely 1.8108x faster
1276 * builtins/GeneratorPrototype.js:
1277 (globalPrivate.generatorResume):
1282 2017-10-27 Saam Barati <sbarati@apple.com>
1284 Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
1285 https://bugs.webkit.org/show_bug.cgi?id=178949
1287 Reviewed by Keith Miller.
1289 This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
1290 so that we don't need to recompute liveness for the same UnlinkedCodeBlock
1291 more than once. To do this, this patch solidifies the invariant that CodeBlock
1292 linking can't do anything that would change the result of liveness. For example,
1293 it can't introduce new locals. This invariant was met by JSC before, because we
1294 didn't do anything in bytecode linking that would change liveness. However, it is
1295 now a correctness requirement that we don't do anything that would change the
1296 result of running liveness. To support this change, I've refactored BytecodeGraph
1297 to not be tied to a CodeBlockType*. Things that perform liveness will pass in
1298 CodeBlockType* and the instruction stream as needed. This means that we may
1299 compute liveness with one CodeBlock*'s instruction stream, and then perform
1300 queries on that analysis with a different CodeBlock*'s instruction stream.
1302 This seems to be a 2% JSBench progression.
1304 * bytecode/BytecodeGeneratorification.cpp:
1305 (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1306 (JSC::BytecodeGeneratorification::graph):
1307 (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1308 (JSC::GeneratorLivenessAnalysis::run):
1309 (JSC::BytecodeGeneratorification::run):
1310 * bytecode/BytecodeGraph.h:
1311 (JSC::BytecodeGraph::BytecodeGraph):
1312 (JSC::BytecodeGraph::codeBlock const): Deleted.
1313 (JSC::BytecodeGraph::instructions): Deleted.
1314 (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
1315 * bytecode/BytecodeLivenessAnalysis.cpp:
1316 (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
1317 (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1318 (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1319 (JSC::BytecodeLivenessAnalysis::computeKills):
1320 (JSC::BytecodeLivenessAnalysis::dumpResults):
1321 (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
1322 (JSC::BytecodeLivenessAnalysis::compute): Deleted.
1323 * bytecode/BytecodeLivenessAnalysis.h:
1324 * bytecode/BytecodeLivenessAnalysisInlines.h:
1325 (JSC::BytecodeLivenessPropagation::stepOverInstruction):
1326 (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
1327 (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
1328 (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
1329 (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
1330 * bytecode/BytecodeRewriter.cpp:
1331 (JSC::BytecodeRewriter::applyModification):
1332 (JSC::BytecodeRewriter::execute):
1333 (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1334 * bytecode/BytecodeRewriter.h:
1335 (JSC::BytecodeRewriter::BytecodeRewriter):
1336 (JSC::BytecodeRewriter::removeBytecode):
1337 (JSC::BytecodeRewriter::graph):
1338 * bytecode/CodeBlock.cpp:
1339 (JSC::CodeBlock::finishCreation):
1340 (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1341 (JSC::CodeBlock::validate):
1342 (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
1343 * bytecode/CodeBlock.h:
1344 (JSC::CodeBlock::livenessAnalysis):
1345 * bytecode/UnlinkedCodeBlock.cpp:
1346 (JSC::UnlinkedCodeBlock::applyModification):
1347 (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
1348 * bytecode/UnlinkedCodeBlock.h:
1349 (JSC::UnlinkedCodeBlock::livenessAnalysis):
1351 (JSC::DFG::Graph::livenessFor):
1352 (JSC::DFG::Graph::killsFor):
1354 (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
1356 (JSC::JIT::privateCompileMainPass):
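A backward liveness fixpoint over a toy bytecode, as an added JavaScript example that is not JSC's BytecodeLivenessAnalysis: it shows what the analysis consumes (each instruction's uses, defs and successors) and answers the two queries the entry names, live-in sets and kills. The instruction layout, opcode names and helper names are my own.

```javascript
// Added example, not JavaScriptCore code. Liveness over a constructed toy bytecode.
// Each instruction lists the locals it reads (uses), writes (defs) and an optional
// jump target by instruction index. 'jump' is unconditional, 'jfalse' may fall through.
const toyProgram = [
  /* 0 */ { op: 'mov',    uses: [],         defs: ['a'] },
  /* 1 */ { op: 'mov',    uses: [],         defs: ['b'] },
  /* 2 */ { op: 'jfalse', uses: ['a'],      defs: [],    target: 5 },
  /* 3 */ { op: 'add',    uses: ['a', 'b'], defs: ['c'] },
  /* 4 */ { op: 'jump',   uses: [],         defs: [],    target: 6 },
  /* 5 */ { op: 'mov',    uses: ['b'],      defs: ['c'] },
  /* 6 */ { op: 'ret',    uses: ['c'],      defs: [] },
];

// Successor instruction indices of instruction i, derived from the stream alone.
function successors(program, i) {
  const insn = program[i];
  if (insn.op === 'ret') return [];
  if (insn.op === 'jump') return [insn.target];
  const succ = [i + 1];
  if (insn.target !== undefined) succ.push(insn.target);
  return succ;
}

function sameSet(a, b) {
  return a.size === b.size && [...a].every(v => b.has(v));
}

// liveOut(i) = union of liveIn(s) over successors s;
// liveIn(i)  = uses(i) ∪ (liveOut(i) \ defs(i)).
// Iterated backwards until no live-in set changes (the fixpoint).
function analyzeLiveness(program) {
  const liveIn = program.map(() => new Set());
  const liveOut = program.map(() => new Set());
  let changed = true;
  while (changed) {
    changed = false;
    for (let i = program.length - 1; i >= 0; i--) {
      const out = new Set();
      for (const s of successors(program, i)) for (const v of liveIn[s]) out.add(v);
      const inn = new Set(out);
      for (const d of program[i].defs) inn.delete(d);
      for (const u of program[i].uses) inn.add(u);
      liveOut[i] = out;
      if (!sameSet(inn, liveIn[i])) { liveIn[i] = inn; changed = true; }
    }
  }
  return { liveIn, liveOut };
}

const sorted = s => [...s].sort();

// Live-in locals per instruction, as sorted arrays (the "liveness info at bytecode offset").
function liveInAt(program) {
  return analyzeLiveness(program).liveIn.map(sorted);
}

// Kills per instruction: locals live before the instruction but dead after it.
function killsAt(program) {
  const { liveIn, liveOut } = analyzeLiveness(program);
  return liveIn.map((s, i) => sorted([...s].filter(v => !liveOut[i].has(v))));
}

// Point query, the shape of "is operand live at bytecode offset".
function isLiveAt(program, local, index) {
  return analyzeLiveness(program).liveIn[index].has(local);
}
```

Because the analysis reads only uses, defs and jump targets, any two CodeBlocks linked from the same instruction stream get identical answers, which is the invariant the entry relies on.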
1358 2017-10-27 Keith Miller <keith_miller@apple.com>
1360 Add unified source list files and build scripts to Xcode project navigator
1361 https://bugs.webkit.org/show_bug.cgi?id=178959
1363 Reviewed by Andy Estes.
1365 Also, add some extra source files so that new .cpp/.mm files don't cause the build
1366 to fail right away. We already do this in WebCore.
1368 * JavaScriptCore.xcodeproj/project.pbxproj:
1369 * PlatformMac.cmake:
1370 * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
1372 2017-10-27 JF Bastien <jfbastien@apple.com>
1374 WebAssembly: update arbitrary limits to what browsers use
1375 https://bugs.webkit.org/show_bug.cgi?id=178946
1376 <rdar://problem/34257412>
1377 <rdar://problem/34501154>
1379 Reviewed by Saam Barati.
1381 https://github.com/WebAssembly/design/issues/1138 discusses the
1382 arbitrary function size limit, which it turns out Chrome and
1383 Firefox didn't enforce. We didn't use it because it was
1384 ridiculously low and actual programs ran into that limit (bummer
1385 for Edge which just shipped it...). Now that we agree on a high
1386 arbitrary program limit, let's update it! While I'm doing this
1387 there are a few other spots that I polished to use Checked or
1388 better check limits overall.
1390 * wasm/WasmB3IRGenerator.cpp:
1391 (JSC::Wasm::B3IRGenerator::addLocal):
1392 * wasm/WasmFormat.cpp:
1393 (JSC::Wasm::Segment::create):
1394 * wasm/WasmFunctionParser.h:
1395 (JSC::Wasm::FunctionParser<Context>::parse):
1396 * wasm/WasmInstance.cpp:
1397 * wasm/WasmLimits.h:
1398 * wasm/WasmModuleParser.cpp:
1399 (JSC::Wasm::ModuleParser::parseGlobal):
1400 (JSC::Wasm::ModuleParser::parseCode):
1401 (JSC::Wasm::ModuleParser::parseData):
1402 * wasm/WasmSignature.h:
1403 (JSC::Wasm::Signature::allocatedSize):
1404 * wasm/WasmTable.cpp:
1405 (JSC::Wasm::Table::Table):
1406 * wasm/js/JSWebAssemblyTable.cpp:
1407 (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1408 (JSC::JSWebAssemblyTable::grow):
1410 2017-10-26 Michael Saboff <msaboff@apple.com>
1412 REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1413 https://bugs.webkit.org/show_bug.cgi?id=178890
1415 Reviewed by Keith Miller.
1417 We need to let a contained subpattern backtrack before declaring that the containing
1418 parenthesis doesn't match. If the subpattern fails to match backtracking, then we
1419 can check to see if we are trying to backtrack below the minimum match count.
1421 * yarr/YarrInterpreter.cpp:
1422 (JSC::Yarr::Interpreter::backtrackParentheses):
1424 2017-10-26 Mark Lam <mark.lam@apple.com>
1426 JSRopeString::RopeBuilder::append() should check for overflows.
1427 https://bugs.webkit.org/show_bug.cgi?id=178385
1428 <rdar://problem/35027468>
1430 Reviewed by Saam Barati.
1432 1. Made RopeString check for overflow like the Checked class does.
1433 2. Added a missing overflow check in objectProtoFuncToString().
1435 * runtime/JSString.cpp:
1436 (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
1437 (JSC::JSRopeString::RopeBuilder::expand): Deleted.
1438 * runtime/JSString.h:
1439 * runtime/ObjectPrototype.cpp:
1440 (JSC::objectProtoFuncToString):
1441 * runtime/Operations.h:
1442 (JSC::jsStringFromRegisterArray):
1443 (JSC::jsStringFromArguments):
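The overflow-checking pattern this entry and the earlier LoadVarargs entry ("arg count plus this") add, modelled with 32-bit unsigned arithmetic as an added JavaScript example that is not JSC's Checked or RopeBuilder code. The class and function names are my own, and the string length limit is an assumed constant.

```javascript
// Added example, not JavaScriptCore code. Unchecked 32-bit addition wraps silently;
// a Checked-style accumulator records the overflow so callers can bail out instead.
const UINT32_MAX = 0xFFFFFFFF;
// Assumed limit for illustration, not necessarily JSC's actual maximum string length.
const MAX_STRING_LENGTH = 0x7FFFFFFF;

// Mirrors the RecordOverflow idea: the value still wraps, but the flag is sticky.
class CheckedUint32 {
  constructor(value = 0) {
    this.value = value >>> 0;
    this.overflowed = false;
  }
  add(n) {
    const sum = this.value + (n >>> 0);
    if (sum > UINT32_MAX) this.overflowed = true;
    this.value = sum >>> 0;
    return this;
  }
}

// Unchecked "argument count plus this": a count of 0xFFFFFFFF wraps to 0, so a frame
// would be sized for zero arguments even though the arguments still get copied in.
function argCountPlusThisUnchecked(argCount) {
  return (argCount + 1) >>> 0;
}

// Checked version: null signals overflow so the caller can take a slow path instead.
function argCountPlusThis(argCount) {
  const c = new CheckedUint32(argCount).add(1);
  return c.overflowed ? null : c.value;
}

// Rope building: fiber lengths are summed as they are appended. Returns the total
// length, or null as soon as the sum overflows or exceeds the string length limit.
function ropeLength(fiberLengths) {
  const total = new CheckedUint32(0);
  for (const len of fiberLengths) {
    total.add(len);
    if (total.overflowed || total.value > MAX_STRING_LENGTH) return null;
  }
  return total.value;
}
```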
1445 2017-10-26 JF Bastien <jfbastien@apple.com>
1447 WebAssembly: no VM / JS version of our implementation
1448 https://bugs.webkit.org/show_bug.cgi?id=177472
1450 Reviewed by Michael Saboff.
1452 This patch removes all appearances of "JS" and "VM" in the wasm
1453 directory. These now only appear in the wasm/js directory, which
1454 is only used in a JS embedding of wasm. It should therefore now be
1455 possible to create non-JS embeddings of wasm through JSC, though
1456 it'll still require:
1458 - Mild codegen for wasm<->embedder calls;
1459 - A strategy for trap handling (no need for full unwind! Could kill).
1460 - Creation of the Wasm::* objects.
1461 - Calling convention handling to call the embedder.
1462 - Handling of multiple embedders (see #177475, this is optional).
1464 Most of the patch consists in renaming JSWebAssemblyInstance to
1465 Instance, and removing temporary copies which I'd added to make
1466 this specific patch very simple.
1468 * interpreter/CallFrame.cpp:
1469 (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place
1470 which needs to know about who "owns" the Wasm::Instance. In a JS
1471 embedding it's the JSWebAssemblyInstance.
1472 * wasm/WasmB3IRGenerator.cpp:
1473 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1474 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1475 (JSC::Wasm::B3IRGenerator::addGrowMemory):
1476 (JSC::Wasm::B3IRGenerator::addCurrentMemory):
1477 (JSC::Wasm::B3IRGenerator::getGlobal):
1478 (JSC::Wasm::B3IRGenerator::setGlobal):
1479 (JSC::Wasm::B3IRGenerator::addCall):
1480 (JSC::Wasm::B3IRGenerator::addCallIndirect):
1481 * wasm/WasmBinding.cpp:
1482 (JSC::Wasm::wasmToWasm):
1483 * wasm/WasmContext.cpp:
1484 (JSC::Wasm::Context::load const):
1485 (JSC::Wasm::Context::store):
1486 * wasm/WasmContext.h:
1487 * wasm/WasmEmbedder.h:
1488 * wasm/WasmInstance.cpp:
1489 (JSC::Wasm::Instance::Instance):
1490 (JSC::Wasm::Instance::create):
1491 (JSC::Wasm::Instance::extraMemoryAllocated const):
1492 * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
1493 "tail" import information from JSWebAssemblyInstance over to here.
1494 (JSC::Wasm::Instance::finalizeCreation):
1495 (JSC::Wasm::Instance::owner const):
1496 (JSC::Wasm::Instance::offsetOfOwner):
1497 (JSC::Wasm::Instance::context const):
1498 (JSC::Wasm::Instance::setMemory):
1499 (JSC::Wasm::Instance::setTable):
1500 (JSC::Wasm::Instance::offsetOfMemory):
1501 (JSC::Wasm::Instance::offsetOfGlobals):
1502 (JSC::Wasm::Instance::offsetOfTable):
1503 (JSC::Wasm::Instance::offsetOfTail):
1504 (JSC::Wasm::Instance::numImportFunctions const):
1505 (JSC::Wasm::Instance::importFunctionInfo):
1506 (JSC::Wasm::Instance::offsetOfTargetInstance):
1507 (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
1508 (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
1509 (JSC::Wasm::Instance::offsetOfImportFunction):
1510 (JSC::Wasm::Instance::importFunction):
1511 (JSC::Wasm::Instance::allocationSize):
1512 (JSC::Wasm::Instance::create): Deleted.
1513 * wasm/WasmOMGPlan.cpp:
1514 (JSC::Wasm::OMGPlan::runForIndex):
1515 * wasm/WasmOMGPlan.h:
1516 * wasm/WasmTable.cpp:
1517 (JSC::Wasm::Table::Table):
1518 (JSC::Wasm::Table::setFunction):
1520 * wasm/WasmThunks.cpp:
1521 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1522 (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1523 * wasm/js/JSToWasm.cpp:
1524 (JSC::Wasm::createJSToWasmWrapper):
1525 * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
1526 (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
1527 decides what the import function is. Here we must properly
1528 placement-new it to what we've elected (and initialize it later).
1529 (JSC::JSWebAssemblyInstance::visitChildren):
1530 (JSC::JSWebAssemblyInstance::finalizeCreation):
1531 (JSC::JSWebAssemblyInstance::create):
1532 * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
1533 (JSC::JSWebAssemblyInstance::instance):
1534 (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
1535 (JSC::JSWebAssemblyInstance::setMemory):
1536 (JSC::JSWebAssemblyInstance::table):
1537 (JSC::JSWebAssemblyInstance::setTable):
1538 (JSC::JSWebAssemblyInstance::offsetOfInstance):
1539 (JSC::JSWebAssemblyInstance::offsetOfCallee):
1540 (JSC::JSWebAssemblyInstance::context const): Deleted.
1541 (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
1543 (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
1544 (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
1545 (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
1546 (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
1547 (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
1548 (JSC::JSWebAssemblyInstance::importFunction): Deleted.
1549 (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
1550 (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
1551 (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
1552 (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
1553 (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
1554 (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
1555 (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
1556 (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
1557 (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
1558 (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
1559 (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
1560 (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
1561 (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
1562 (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
1563 * wasm/js/JSWebAssemblyTable.cpp:
1564 (JSC::JSWebAssemblyTable::setFunction):
1565 * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
1566 (JSC::Wasm::materializeImportJSCell):
1567 (JSC::Wasm::handleBadI64Use):
1568 (JSC::Wasm::wasmToJS):
1569 (JSC::Wasm::wasmToJSException):
1570 * wasm/js/WasmToJS.h:
1571 * wasm/js/WebAssemblyFunction.cpp:
1572 (JSC::callWebAssemblyFunction):
1573 * wasm/js/WebAssemblyInstanceConstructor.cpp:
1574 (JSC::constructJSWebAssemblyInstance):
1575 * wasm/js/WebAssemblyModuleRecord.cpp:
1576 (JSC::WebAssemblyModuleRecord::link):
1577 (JSC::WebAssemblyModuleRecord::evaluate):
1578 * wasm/js/WebAssemblyPrototype.cpp:
1580 * wasm/js/WebAssemblyWrapperFunction.cpp:
1581 (JSC::WebAssemblyWrapperFunction::create):
1583 2017-10-25 Devin Rousso <webkit@devinrousso.com>
1585 Web Inspector: provide a way to enable/disable event listeners
1586 https://bugs.webkit.org/show_bug.cgi?id=177451
1587 <rdar://problem/34994925>
1589 Reviewed by Joseph Pecoraro.
1591 * inspector/protocol/DOM.json:
1592 Add `setEventListenerDisabled` command that enables/disables a specific event listener
1593 during event dispatch. When a disabled event listener is fired, the listener's callback will
1596 2017-10-25 Commit Queue <commit-queue@webkit.org>
1598 Unreviewed, rolling out r223691 and r223729.
1599 https://bugs.webkit.org/show_bug.cgi?id=178834
1601 Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1602 by rniwa on #webkit).
1604 Reverted changesets:
1606 "Turn recursive tail calls into loops"
1607 https://bugs.webkit.org/show_bug.cgi?id=176601
1608 https://trac.webkit.org/changeset/223691
1610 "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1611 comparison is always false due to limited range of data type
1613 https://bugs.webkit.org/show_bug.cgi?id=178543
1614 https://trac.webkit.org/changeset/223729
1616 2017-10-25 Michael Saboff <msaboff@apple.com>
1618 REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
1619 https://bugs.webkit.org/show_bug.cgi?id=178825
1621 Reviewed by Mark Lam.
1623 Enable ARC for ARM64_32. This eliminates the need for setting CLANG_ENABLE_OBJC_WEAK.
1625 * Configurations/ToolExecutable.xcconfig:
1627 2017-10-25 Keith Miller <keith_miller@apple.com>
1629 Fix implicit cast of enum, which seems to break the windows build of unified sources.
1630 https://bugs.webkit.org/show_bug.cgi?id=178822
1632 Reviewed by Saam Barati.
1634 * bytecode/DFGExitProfile.h:
1635 (JSC::DFG::FrequentExitSite::hash const):
1637 2017-10-24 Michael Saboff <msaboff@apple.com>
1639 Allow ObjC Weak References when building TestAPI
1640 https://bugs.webkit.org/show_bug.cgi?id=178748
1642 Reviewed by Dan Bernstein.
1644 Set TestAPI build flag Weak References in Manual Retain Release to true.
1646 * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
1647 * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
1649 2017-10-24 Eric Carlson <eric.carlson@apple.com>
1651 Web Inspector: Enable WebKit logging configuration and display
1652 https://bugs.webkit.org/show_bug.cgi?id=177027
1653 <rdar://problem/33964767>
1655 Reviewed by Joseph Pecoraro.
1657 * inspector/ConsoleMessage.cpp:
1658 (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage ->
1659 Inspector::Protocol::Console::ChannelSource.
1660 * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1661 (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
1662 specific to a JSContext yet, so return an empty channel array.
1663 (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
1664 * inspector/agents/JSGlobalObjectConsoleAgent.h:
1666 * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
1667 and setLoggingChannelLevel.
1669 * inspector/scripts/codegen/generator.py: Special case "webrtc"-> "WebRTC".
1670 * inspector/scripts/tests/generic/expected/enum-values.json-result:
1671 * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1672 * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1673 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1674 * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1676 * runtime/ConsoleTypes.h: Add Media and WebRTC.
1678 2017-10-24 Michael Saboff <msaboff@apple.com>
1680 Allow ObjC Weak References when building TestAPI
1681 https://bugs.webkit.org/show_bug.cgi?id=178748
1683 Reviewed by Saam Barati.
1685 Set TestAPI build flag Weak References in Manual Retain Release to true.
1687 * JavaScriptCore.xcodeproj/project.pbxproj:
1689 2017-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
1691 [FTL] Support NewStringObject
1692 https://bugs.webkit.org/show_bug.cgi?id=178737
1694 Reviewed by Saam Barati.
1696 FTL should support NewStringObject and encourage use of NewStringObject in the DFG pipeline.
1697 After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
1699 * ftl/FTLAbstractHeapRepository.h:
1700 * ftl/FTLCapabilities.cpp:
1701 (JSC::FTL::canCompile):
1702 * ftl/FTLLowerDFGToB3.cpp:
1703 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1704 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1706 2017-10-24 Guillaume Emont <guijemont@igalia.com>
1708 [mips] fix offsets of branches that have to go over a jump
1709 https://bugs.webkit.org/show_bug.cgi?id=153464
1711 The jump() function creates 8 instructions, but the offsets of branches
1712 meant to go over them only account for 6. In most cases, this is not an
1713 issue as the last two instructions of jump() would be nops, but in the
1714 rarer case where the jump destination is in a different 256 MB segment,
1715 MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
1716 the last 4 instructions would be a 2 instruction load (lui/ori) into
1717 $t9, a "j $t9" and then a nop. The wrong offset will mean that the
1718 previous branches meant to go over the whole jump will branch to the
1719 "j $t9" instruction, which would jump to whatever is currently in $t9
1720 (since lui/ori would not be executed).
1722 Reviewed by Michael Catanzaro.
1724 * assembler/MacroAssemblerMIPS.h:
1725 (JSC::MacroAssemblerMIPS::branchAdd32):
1726 (JSC::MacroAssemblerMIPS::branchMul32):
1727 (JSC::MacroAssemblerMIPS::branchSub32):
1728 Fix the offsets of branches meant to go over code generated by jump().
1730 2017-10-24 JF Bastien <jfbastien@apple.com>
1732 WebAssembly: NFC renames of things that aren't JS-specific
1733 https://bugs.webkit.org/show_bug.cgi?id=178738
1735 Reviewed by Saam Barati.
1737 * wasm/WasmB3IRGenerator.cpp:
1738 (JSC::Wasm::parseAndCompile):
1739 * wasm/WasmB3IRGenerator.h:
1740 * wasm/WasmBBQPlan.cpp:
1741 (JSC::Wasm::BBQPlan::complete):
1742 * wasm/WasmCodeBlock.cpp:
1743 (JSC::Wasm::CodeBlock::CodeBlock):
1744 * wasm/WasmCodeBlock.h:
1745 (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
1746 (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
1747 * wasm/WasmFormat.h:
1748 * wasm/js/JSToWasm.cpp:
1749 (JSC::Wasm::createJSToWasmWrapper):
1750 * wasm/js/WebAssemblyModuleRecord.cpp:
1751 (JSC::WebAssemblyModuleRecord::link):
1752 (JSC::WebAssemblyModuleRecord::evaluate):
1754 2017-10-24 Stephan Szabo <stephan.szabo@sony.com>
1756 [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
1757 https://bugs.webkit.org/show_bug.cgi?id=177279
1759 Reviewed by Yusuke Suzuki.
1761 * shell/PlatformJSCOnly.cmake: Added.
1763 2017-10-15 Yusuke Suzuki <utatane.tea@gmail.com>
1765 [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
1766 https://bugs.webkit.org/show_bug.cgi?id=178308
1768 Reviewed by Mark Lam.
1770 With the change of the spec[1], we now do not need to remember star resolution modules.
1771 We reflect this change to our implementation. Since this change is covered by test262,
1772 this patch improves the score of test262.
1774 We also add logging to ResolveExport to debug it easily.
1776 [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
1778 * runtime/AbstractModuleRecord.cpp:
1779 (JSC::AbstractModuleRecord::ResolveQuery::dump const):
1780 (JSC::AbstractModuleRecord::resolveExportImpl):
1782 2017-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
1784 [JSC] Use emitDumbVirtualCall in 32bit JIT
1785 https://bugs.webkit.org/show_bug.cgi?id=178644
1787 Reviewed by Mark Lam.
1789 This patch aligns the 32bit JIT op_call_eval slow case with the 64bit version by using emitDumbVirtualCall.
1791 * jit/JITCall32_64.cpp:
1792 (JSC::JIT::compileCallEvalSlowCase):
1794 2017-10-22 Yusuke Suzuki <utatane.tea@gmail.com>
1796 [JSC] Drop ArityCheckData
1797 https://bugs.webkit.org/show_bug.cgi?id=178648
1799 Reviewed by Mark Lam.
1801 ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
1802 However, use of `thunkToCall` is removed in 64bit environment at r189575.
1804 We remove `thunkToCall` and align 32bit implementation to 64bit implementation.
1805 Since we no longer need to have the above pair, we can remove ArityCheckData too.
1807 * llint/LowLevelInterpreter32_64.asm:
1808 * llint/LowLevelInterpreter64.asm:
1809 * runtime/CommonSlowPaths.cpp:
1810 (JSC::SLOW_PATH_DECL):
1811 (JSC::setupArityCheckData): Deleted.
1812 * runtime/CommonSlowPaths.h:
1817 2017-10-23 Keith Miller <keith_miller@apple.com>
1819 Unreviewed, reland r223866
1821 Didn't break the windows build...
1825 "WebAssembly: topEntryFrame on Wasm::Instance"
1826 https://bugs.webkit.org/show_bug.cgi?id=178690
1827 https://trac.webkit.org/changeset/223866
1830 2017-10-23 Commit Queue <commit-queue@webkit.org>
1832 Unreviewed, rolling out r223866.
1833 https://bugs.webkit.org/show_bug.cgi?id=178699
1835 Probably broke the windows build (Requested by keith_miller on
1840 "WebAssembly: topEntryFrame on Wasm::Instance"
1841 https://bugs.webkit.org/show_bug.cgi?id=178690
1842 https://trac.webkit.org/changeset/223866
1844 2017-10-23 Joseph Pecoraro <pecoraro@apple.com>
1846 Web Inspector: Remove unused Console.setMonitoringXHREnabled
1847 https://bugs.webkit.org/show_bug.cgi?id=178617
1849 Reviewed by Sam Weinig.
1851 * JavaScriptCore.xcodeproj/project.pbxproj:
1853 * inspector/agents/InspectorConsoleAgent.h:
1854 * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
1855 * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
1856 * inspector/protocol/Console.json:
1857 Removed files and method.
1859 * inspector/JSGlobalObjectInspectorController.cpp:
1860 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1861 This can use the base ConsoleAgent now.
1863 2017-10-23 JF Bastien <jfbastien@apple.com>
1865 WebAssembly: topEntryFrame on Wasm::Instance
1866 https://bugs.webkit.org/show_bug.cgi?id=178690
1868 Reviewed by Saam Barati.
1870 topEntryFrame is usually on VM, but for a no-VM WebAssembly we
1871 need to hold topEntryFrame elsewhere, and generated code cannot
1872 hard-code where topEntryFrame lives. Do this at creation time of
1873 Wasm::Instance, and then generated code will just load from
1874 wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
1875 embedding this is still from VM, so all of the unwinding machinery
1878 * dfg/DFGOSREntry.cpp:
1879 (JSC::DFG::prepareOSREntry):
1880 * dfg/DFGOSRExit.cpp:
1881 (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1882 (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1883 * ftl/FTLOSRExitCompiler.cpp:
1884 (JSC::FTL::compileStub):
1885 * interpreter/Interpreter.cpp:
1886 (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1887 * jit/AssemblyHelpers.cpp:
1888 (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
1889 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
1890 * jit/AssemblyHelpers.h:
1891 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
1892 The default parameter was never non-defaulted from any of the
1893 callers. The new version calls the impl directly because it
1894 doesn't have VM and doesn't hard-code the address of
1896 * jit/RegisterSet.cpp:
1897 (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
1898 VM because it's not really VM-specific.
1899 * jit/RegisterSet.h:
1901 (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
1903 (JSC::VM::getCTIStub):
1904 * wasm/WasmB3IRGenerator.cpp:
1905 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1906 (JSC::Wasm::B3IRGenerator::addCall):
1907 (JSC::Wasm::B3IRGenerator::addCallIndirect):
1908 * wasm/WasmInstance.cpp:
1909 (JSC::Wasm::Instance::Instance):
1910 * wasm/WasmInstance.h: topEntryFramePointer will eventually live
1911 here for real. Right now it's mirrored in JSWebAssemblyInstance
1912 because that's the acting Context.
1913 (JSC::Wasm::Instance::create):
1914 (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
1915 * wasm/WasmThunks.cpp:
1916 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1917 * wasm/js/JSWebAssemblyInstance.cpp:
1918 (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
1919 * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
1920 (JSC::JSWebAssemblyInstance::offsetOfCallee):
1921 (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
1922 (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
1923 * wasm/js/WebAssemblyInstanceConstructor.cpp:
1924 (JSC::constructJSWebAssemblyInstance):
1925 * wasm/js/WebAssemblyPrototype.cpp:
1928 2017-10-23 Joseph Pecoraro <pecoraro@apple.com>
1930 Web Inspector: Please support HAR Export for network traffic
1931 https://bugs.webkit.org/show_bug.cgi?id=146692
1932 <rdar://problem/7463672>
1934 Reviewed by Brian Burg.
1936 * inspector/protocol/Network.json:
1937 Add a walltime to each send request.
1939 2017-10-23 Matt Lewis <jlewis3@apple.com>
1941 Unreviewed, rolling out r223820.
1943 This caused a build break on Windows.
1947 "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
1948 https://bugs.webkit.org/show_bug.cgi?id=178617
1949 https://trac.webkit.org/changeset/223820
1951 2017-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
1953 [JSC] Use fastJoin in Array#toString
1954 https://bugs.webkit.org/show_bug.cgi?id=178062
1956 Reviewed by Darin Adler.
1958 Array#toString()'s fast path uses the original join operation.
1959 But this should use fastJoin if possible.
1960 This patch adds a fast path using fastJoin in Array#toString.
1961 And we also extend fastJoin to perform fast joining for int32
1966 double-array-to-string 126.6157+-5.8625 ^ 103.7343+-4.4968 ^ definitely 1.2206x faster
1967 int32-array-to-string 64.7792+-2.6524 61.2390+-2.1749 might be 1.0578x faster
1968 contiguous-array-to-string 62.6224+-2.6388 ^ 56.9899+-2.0852 ^ definitely 1.0988x faster
1971 * runtime/ArrayPrototype.cpp:
1973 (JSC::arrayProtoFuncToString):
1974 (JSC::arrayProtoFuncToLocaleString):
1975 * runtime/JSStringJoiner.h:
1976 (JSC::JSStringJoiner::appendWithoutSideEffects):
1977 (JSC::JSStringJoiner::appendInt32):
1978 (JSC::JSStringJoiner::appendDouble):
1980 2017-10-22 Zan Dobersek <zdobersek@igalia.com>
1982 [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
1983 https://bugs.webkit.org/show_bug.cgi?id=178452
1985 Reviewed by Yusuke Suzuki.
1987 * heap/RegisterState.h: Re-enable the custom RegisterState and
1988 ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
1989 cause any crashes nowadays.
1991 2017-10-22 Yusuke Suzuki <utatane.tea@gmail.com>
1993 [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
1994 https://bugs.webkit.org/show_bug.cgi?id=178647
1996 Reviewed by Saam Barati.
1998 There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone
1999 since the number of slow cases depends on values of instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
2000 which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function,
2001 this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.
2004 (JSC::JIT::linkAllSlowCases):
2005 * jit/JITArithmetic.cpp:
2006 (JSC::JIT::emitSlow_op_unsigned):
2007 (JSC::JIT::emit_compareAndJump):
2008 (JSC::JIT::emit_compareAndJumpSlow):
2009 (JSC::JIT::emitSlow_op_inc):
2010 (JSC::JIT::emitSlow_op_dec):
2011 (JSC::JIT::emitSlow_op_mod):
2012 (JSC::JIT::emitSlow_op_negate):
2013 (JSC::JIT::emitSlow_op_bitand):
2014 (JSC::JIT::emitSlow_op_bitor):
2015 (JSC::JIT::emitSlow_op_bitxor):
2016 (JSC::JIT::emitSlow_op_lshift):
2017 (JSC::JIT::emitSlow_op_rshift):
2018 (JSC::JIT::emitSlow_op_urshift):
2019 (JSC::JIT::emitSlow_op_add):
2020 (JSC::JIT::emitSlow_op_div):
2021 (JSC::JIT::emitSlow_op_mul):
2022 (JSC::JIT::emitSlow_op_sub):
2023 * jit/JITArithmetic32_64.cpp:
2024 (JSC::JIT::emit_compareAndJumpSlow):
2025 (JSC::JIT::emitSlow_op_unsigned):
2026 (JSC::JIT::emitSlow_op_inc):
2027 (JSC::JIT::emitSlow_op_dec):
2028 (JSC::JIT::emitSlow_op_mod):
2030 (JSC::JIT::compileCallEvalSlowCase):
2031 (JSC::JIT::compileOpCallSlowCase):
2032 * jit/JITCall32_64.cpp:
2033 (JSC::JIT::compileCallEvalSlowCase):
2034 (JSC::JIT::compileOpCallSlowCase):
2036 (JSC::JIT::linkAllSlowCasesForBytecodeOffset):
2037 * jit/JITOpcodes.cpp:
2038 (JSC::JIT::emitSlow_op_new_object):
2039 (JSC::JIT::emitSlow_op_create_this):
2040 (JSC::JIT::emitSlow_op_check_tdz):
2041 (JSC::JIT::emitSlow_op_to_this):
2042 (JSC::JIT::emitSlow_op_to_primitive):
2043 (JSC::JIT::emitSlow_op_not):
2044 (JSC::JIT::emitSlow_op_eq):
2045 (JSC::JIT::emitSlow_op_neq):
2046 (JSC::JIT::emitSlow_op_stricteq):
2047 (JSC::JIT::emitSlow_op_nstricteq):
2048 (JSC::JIT::emitSlow_op_instanceof):
2049 (JSC::JIT::emitSlow_op_instanceof_custom):
2050 (JSC::JIT::emitSlow_op_to_number):
2051 (JSC::JIT::emitSlow_op_to_string):
2052 (JSC::JIT::emitSlow_op_loop_hint):
2053 (JSC::JIT::emitSlow_op_check_traps):
2054 (JSC::JIT::emitSlow_op_has_indexed_property):
2055 (JSC::JIT::emitSlow_op_get_direct_pname):
2056 (JSC::JIT::emitSlow_op_has_structure_property):
2057 * jit/JITOpcodes32_64.cpp:
2058 (JSC::JIT::emitSlow_op_new_object):
2059 (JSC::JIT::emitSlow_op_instanceof):
2060 (JSC::JIT::emitSlow_op_instanceof_custom):
2061 (JSC::JIT::emitSlow_op_to_primitive):
2062 (JSC::JIT::emitSlow_op_not):
2063 (JSC::JIT::emitSlow_op_stricteq):
2064 (JSC::JIT::emitSlow_op_nstricteq):
2065 (JSC::JIT::emitSlow_op_to_number):
2066 (JSC::JIT::emitSlow_op_to_string):
2067 (JSC::JIT::emitSlow_op_create_this):
2068 (JSC::JIT::emitSlow_op_to_this):
2069 (JSC::JIT::emitSlow_op_check_tdz):
2070 (JSC::JIT::emitSlow_op_has_indexed_property):
2071 (JSC::JIT::emitSlow_op_get_direct_pname):
2072 * jit/JITPropertyAccess.cpp:
2073 (JSC::JIT::emitSlow_op_try_get_by_id):
2074 (JSC::JIT::emitSlow_op_get_by_id):
2075 (JSC::JIT::emitSlow_op_get_by_id_with_this):
2076 (JSC::JIT::emitSlow_op_put_by_id):
2077 (JSC::JIT::emitSlow_op_resolve_scope):
2078 (JSC::JIT::emitSlow_op_get_from_scope):
2079 (JSC::JIT::emitSlow_op_put_to_scope):
2080 * jit/JITPropertyAccess32_64.cpp:
2081 (JSC::JIT::emitSlow_op_try_get_by_id):
2082 (JSC::JIT::emitSlow_op_get_by_id):
2083 (JSC::JIT::emitSlow_op_get_by_id_with_this):
2084 (JSC::JIT::emitSlow_op_put_by_id):
2085 (JSC::JIT::emitSlow_op_resolve_scope):
2086 (JSC::JIT::emitSlow_op_get_from_scope):
2087 (JSC::JIT::emitSlow_op_put_to_scope):
2089 2017-10-22 Yusuke Suzuki <utatane.tea@gmail.com>
2091 [JSC] Clean up baseline slow path
2092 https://bugs.webkit.org/show_bug.cgi?id=178646
2094 Reviewed by Saam Barati.
2096 If the given op is just calling a slow path function, we should use DEFINE_SLOW_OP instead.
2097 It is good since (1) we can reduce the manually emitted code and (2) it can clarify which
2098 function is implemented as a slow path call. This patch is an attempt to reduce 32bit specific
2099 code in baseline JIT.
2102 (JSC::JIT::privateCompileMainPass):
2104 * jit/JITArithmetic.cpp:
2105 (JSC::JIT::emit_op_pow): Deleted.
2106 * jit/JITArithmetic32_64.cpp:
2107 (JSC::JIT::emitSlow_op_mod):
2108 * jit/JITOpcodes.cpp:
2109 (JSC::JIT::emit_op_strcat): Deleted.
2110 (JSC::JIT::emit_op_push_with_scope): Deleted.
2111 (JSC::JIT::emit_op_assert): Deleted.
2112 (JSC::JIT::emit_op_create_lexical_environment): Deleted.
2113 (JSC::JIT::emit_op_throw_static_error): Deleted.
2114 (JSC::JIT::emit_op_new_array_with_spread): Deleted.
2115 (JSC::JIT::emit_op_spread): Deleted.
2116 (JSC::JIT::emit_op_get_enumerable_length): Deleted.
2117 (JSC::JIT::emit_op_has_generic_property): Deleted.
2118 (JSC::JIT::emit_op_get_property_enumerator): Deleted.
2119 (JSC::JIT::emit_op_to_index_string): Deleted.
2120 (JSC::JIT::emit_op_create_direct_arguments): Deleted.
2121 (JSC::JIT::emit_op_create_scoped_arguments): Deleted.
2122 (JSC::JIT::emit_op_create_cloned_arguments): Deleted.
2123 (JSC::JIT::emit_op_create_rest): Deleted.
2124 (JSC::JIT::emit_op_unreachable): Deleted.
2125 * jit/JITOpcodes32_64.cpp:
2126 (JSC::JIT::emit_op_strcat): Deleted.
2127 (JSC::JIT::emit_op_push_with_scope): Deleted.
2128 (JSC::JIT::emit_op_assert): Deleted.
2129 (JSC::JIT::emit_op_create_lexical_environment): Deleted.
2130 * jit/JITPropertyAccess.cpp:
2131 (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
2132 (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
2133 (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
2134 (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
2135 (JSC::JIT::emit_op_define_data_property): Deleted.
2136 (JSC::JIT::emit_op_define_accessor_property): Deleted.
2137 * jit/JITPropertyAccess32_64.cpp:
2138 (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
2139 (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
2140 (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
2141 (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
2143 2017-10-21 Joseph Pecoraro <pecoraro@apple.com>
2145 Web Inspector: Remove unused Console.setMonitoringXHREnabled
2146 https://bugs.webkit.org/show_bug.cgi?id=178617
2148 Reviewed by Sam Weinig.
2150 * JavaScriptCore.xcodeproj/project.pbxproj:
2152 * inspector/agents/InspectorConsoleAgent.h:
2153 * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
2154 * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
2155 * inspector/protocol/Console.json:
2156 Removed files and method.
2158 * inspector/JSGlobalObjectInspectorController.cpp:
2159 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2160 This can use the base ConsoleAgent now.
2162 2017-10-21 Yusuke Suzuki <utatane.tea@gmail.com>
2164 [JSC] Remove per-host-function CTI stub in 32bit environment
2165 https://bugs.webkit.org/show_bug.cgi?id=178581
2167 Reviewed by Saam Barati.
2169 JIT::privateCompileCTINativeCall only exists in the 32bit environment and it is almost the same as the native call CTI stub.
2170 The only difference is that it embeds the address of the host function directly in the generated stub. This means
2171 that we have a per-host-function CTI stub only in the 32bit environment.
2173 This patch just removes it and uses one CTI stub instead. This design is the same as the current 64bit implementation.
2176 (JSC::JIT::compileCTINativeCall): Deleted.
2178 * jit/JITOpcodes.cpp:
2179 (JSC::JIT::privateCompileCTINativeCall): Deleted.
2180 * jit/JITOpcodes32_64.cpp:
2181 (JSC::JIT::privateCompileCTINativeCall): Deleted.
2182 * jit/JITThunks.cpp:
2183 (JSC::JITThunks::hostFunctionStub):
2185 2017-10-20 Antoine Quint <graouts@apple.com>
2187 [Web Animations] Provide basic timeline and animation interfaces
2188 https://bugs.webkit.org/show_bug.cgi?id=178526
2190 Reviewed by Dean Jackson.
2192 Remove the WEB_ANIMATIONS compile-time flag.
2194 * Configurations/FeatureDefines.xcconfig:
2196 2017-10-20 Commit Queue <commit-queue@webkit.org>
2198 Unreviewed, rolling out r223744, r223750, and r223751.
2199 https://bugs.webkit.org/show_bug.cgi?id=178594
2201 These caused consistent failures in test that existed and were
2202 added in the patches. (Requested by mlewis13 on #webkit).
2204 Reverted changesets:
2206 "[JSC] ScriptFetcher should be notified directly from module
2208 https://bugs.webkit.org/show_bug.cgi?id=178340
2209 https://trac.webkit.org/changeset/223744
2211 "Unreviewed, fix changed line number in test expect files"
2212 https://bugs.webkit.org/show_bug.cgi?id=178340
2213 https://trac.webkit.org/changeset/223750
2215 "Unreviewed, follow up to reflect comments"
2216 https://bugs.webkit.org/show_bug.cgi?id=178340
2217 https://trac.webkit.org/changeset/223751
2219 2017-10-20 Yusuke Suzuki <utatane.tea@gmail.com>
2221 Unreviewed, follow up to reflect comments
2222 https://bugs.webkit.org/show_bug.cgi?id=178340
2224 * runtime/JSModuleLoader.cpp:
2225 (JSC::JSModuleLoader::notifyCompleted):
2227 2017-10-20 Saam Barati <sbarati@apple.com>
2229 Optimize accesses to how we get the direct prototype
2230 https://bugs.webkit.org/show_bug.cgi?id=178548
2232 Reviewed by Yusuke Suzuki.
2234 This patch makes JSObject::getPrototypeDirect take VM& as a parameter
2235 so it can use the faster version of the structure accessor function.
2236 The reason for making this change is that JSObject::getPrototypeDirect
2237 is called on the hot path in property lookup.
2239 * API/JSObjectRef.cpp:
2240 (JSObjectGetPrototype):
2242 (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2243 (WTF::DOMJITGetterBaseJSObject::customGetter):
2244 (functionCreateProxy):
2245 * runtime/ArrayPrototype.cpp:
2246 (JSC::speciesWatchpointIsValid):
2247 * runtime/ErrorInstance.cpp:
2248 (JSC::ErrorInstance::sanitizedToString):
2249 * runtime/JSArray.cpp:
2250 (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2251 * runtime/JSGlobalObject.cpp:
2252 (JSC::JSGlobalObject::init):
2253 (JSC::lastInPrototypeChain):
2254 (JSC::JSGlobalObject::resetPrototype):
2255 (JSC::JSGlobalObject::finishCreation):
2256 * runtime/JSGlobalObjectInlines.h:
2257 (JSC::JSGlobalObject::objectPrototypeIsSane):
2258 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2259 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2260 * runtime/JSLexicalEnvironment.cpp:
2261 (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2262 * runtime/JSMap.cpp:
2263 (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2264 * runtime/JSObject.cpp:
2265 (JSC::JSObject::calculatedClassName):
2266 (JSC::JSObject::setPrototypeWithCycleCheck):
2267 (JSC::JSObject::getPrototype):
2268 (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2269 (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
2270 (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
2271 (JSC::JSObject::prototypeChainMayInterceptStoreTo):
2272 * runtime/JSObject.h:
2273 (JSC::JSObject::finishCreation):
2274 (JSC::JSObject::getPrototypeDirect const):
2275 (JSC::JSObject::getPrototype):
2276 * runtime/JSObjectInlines.h:
2277 (JSC::JSObject::canPerformFastPutInline):
2278 (JSC::JSObject::getPropertySlot):
2279 (JSC::JSObject::getNonIndexPropertySlot):
2280 * runtime/JSProxy.cpp:
2281 (JSC::JSProxy::setTarget):
2282 * runtime/JSSet.cpp:
2283 (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2284 * runtime/ProgramExecutable.cpp:
2285 (JSC::ProgramExecutable::initializeGlobalProperties):
2286 * runtime/StructureInlines.h:
2287 (JSC::Structure::isValid const):
2289 2017-10-20 Yusuke Suzuki <utatane.tea@gmail.com>
2291 [ARM64] static_cast<int32_t>() in BinaryOpNode::emitBytecode() prevents op_unsigned emission
2292 https://bugs.webkit.org/show_bug.cgi?id=178379
2294 Reviewed by Saam Barati.
2296 We reuse jsNumber's checking mechanism here to precisely check that the generated number is within uint32_t
2297 in the bytecode compiler. This is reasonable since the NumberNode will generate exactly this JSValue.
2299 * bytecompiler/NodesCodegen.cpp:
2300 (JSC::BinaryOpNode::emitBytecode):
2302 2017-10-20 Yusuke Suzuki <utatane.tea@gmail.com>
2304 [JSC] ScriptFetcher should be notified directly from module pipeline
2305 https://bugs.webkit.org/show_bug.cgi?id=178340
2307 Reviewed by Sam Weinig.
2309 Previously, we used JSStdFunction to let WebCore know the module pipeline results.
2310 We set up JSStdFunction on the resulting promise of the module pipeline. It is super
2311 ad-hoc since JSStdFunction's lambda needs extra care to make it non-cyclic-referenced.
2312 JSStdFunction's lambda can capture variables, but they are not able to be marked by GC.
2314 But now, we have ScriptFetcher. It was introduced after we implemented the module pipeline
2315 notification mechanism by using JSStdFunction. But it is the appropriate one to receive notifications
2316 from the module pipeline in observer style.
2318 This patch removes the above ad-hoc JSStdFunction use. And now ScriptFetcher receives
2319 completion/failure notifications from the module pipeline.
2321 * builtins/ModuleLoaderPrototype.js:
2323 (loadAndEvaluateModule):
2324 * runtime/Completion.cpp:
2326 * runtime/Completion.h:
2327 * runtime/JSModuleLoader.cpp:
2328 (JSC::jsValueToModuleKey):
2329 (JSC::JSModuleLoader::notifyCompleted):
2330 (JSC::JSModuleLoader::notifyFailed):
2331 * runtime/JSModuleLoader.h:
2332 * runtime/ModuleLoaderPrototype.cpp:
2333 (JSC::moduleLoaderPrototypeNotifyCompleted):
2334 (JSC::moduleLoaderPrototypeNotifyFailed):
2335 * runtime/ScriptFetcher.h:
2336 (JSC::ScriptFetcher::notifyLoadCompleted):
2337 (JSC::ScriptFetcher::notifyLoadFailed):
2339 2017-10-19 JF Bastien <jfbastien@apple.com>
2341 WebAssembly: no VM / JS version of everything but Instance
2342 https://bugs.webkit.org/show_bug.cgi?id=177473
2344 Reviewed by Filip Pizlo, Saam Barati.
2346 This change entails cleaning up and splitting a bunch of code which we had
2347 intertwined between C++ classes which represent JS objects, and pure C++
2348 implementation objects. This specific change goes most of the way towards
2349 allowing JSC's WebAssembly to work without VM / JS, up to but excluding
2350 JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
2351 yet). Because of this we still have a few FIXME identifying places that need to
2352 change. A follow-up change will go the rest of the way.
2354 I went about this change in the simplest way possible: grep the
2355 JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
2356 sub-directory (which contains the JS implementation of WebAssembly).
2358 None of this change removes the need for a JIT entitlement to be able to use
2359 WebAssembly. We don't have an interpreter, the process therefore still needs to
2360 be allowed to JIT to use these pure-C++ APIs.
2362 Interesting things to note:
2364 - Remove VM from Plan and associated places. It can just live as a capture in
2365 the callback lambda if it's needed.
2366 - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
2367 collect. We now instead pass two lambdas at construction time for this
2368 purpose: one to notify of memory pressure, and the other to ask for
2369 synchronous memory reclamation. This allows whoever creates the memory to
2370 dictate how to react to both these cases, and for a JS embedding that's to
2371 call the GC (async or sync, respectively).
2372 - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
2373 there, with an enum class for failure types.
2374 - Exceeding max on memory growth now returns a range error as per spec. This
2375 is a (very minor) breaking change: it used to throw OOM error. Update the
2377 - When generating the grow_memory opcode, no need to get the VM. Instead,
2378 reach directly for Wasm::Memory and grow it.
2379 - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
2380 ever called from JS (not from grow_memory as before).
2381 - Wasm::Memory now takes a callback for successful growth. This allows JS
2382 wrappers to register themselves when growth succeeds without Wasm::Memory
2383 knowing anything about JS. It'll also allow creating a list of callbacks
2384 for when we add thread support (we'll want to notify many wrappers, all
2386 - Wasm::Memory is now back to being the source of truth about address / size,
2387 used directly by generated code instead of JSWebAssemblyMemory.
2388 - Move wasmToJS from the general WasmBinding header to its own header under
2389 wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
2390 and therefore isn't general WebAssembly.
2391 - Make Wasm::Context an actual type (just a struct holding a
2392 JSWebAssemblyInstance for now) instead of an alias for that. Notably this
2393 doesn't add anything to the Context and doesn't change what actually gets
2394 passed around in JIT code (fast TLS or registers) because these changes
2395 potentially impact performance. The entire purpose of this change is to
2396 allow passing Wasm::Context around without having to know about VM. Since VM
2397 contains a Wasm::Context the JS embedding is effectively the same, but with
2398 this setup a non-JS embedding is much better off.
2399 - Move JSWebAssembly into the JS folder.
2400 - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
2401 - wasm->JS stubs are now on the instance's tail as raw pointers, instead of
2402 being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
2403 stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
2404 called wasm->JS stub. This move means that the embedder must, after creating
2405 a Wasm::CodeBlock, somehow create the stubs to call back into the
2406 embedder. This removes an indirection in the generated code because
2407 the B3 IR generator now reaches into the instance instead of
2408 JSWebAssemblyCodeBlock.
2409 - Move more CodeBlock things. Compilation completion is now marked by its own
2410 atomic<bool> flag instead of a nullptr plan: that required using a lock, and
2411 was causing a deadlock in stack-trace.js because before my changes
2412 JSWebAssemblyCodeBlock did its own completion checking separately from
2413 Wasm::CodeBlock, without getting the lock. Now that everything points to
2414 Wasm::CodeBlock and there's no cached completion marker, the lock was being
2415 acquired in a sanity-check assertion.
2416 - Embedder -> Wasm wrappers are now generated through a function that's passed
2417 in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
2418 - WasmMemory doesn't need to know about fault handling thunks. Only the IR
2419 generator should know, and should make sure that the exception throwing
2420 thunk is generated if any memory is present (note: with signal handling not
2421 all of them generate an exception check).
2422 - Make exception throwing pluggable: instead of having a hard-coded
2423 JS-specific lambda we now have a regular C++ function being called from JIT
2424 code when a WebAssembly exception is thrown. This allows any embedder to get
2425 called as they wish. For now a process can only have a single one of these
2426 functions (i.e. only one embedder per process) because the trap handler is a
2427 singleton. That can be fixed in #177475.
2428 - Create WasmEmbedder.h where all embedder plugging will live.
2429 - Split up JSWebAssemblyTable into Wasm::Table which is
2430 refcounted. JSWebAssemblyTable now only contains the JS functions in the
2431 table, and Wasm::Table is what's used by the JIT code to lookup where to
2432 call and do the instance check (for context switch). Note that this creates
2433 an extra allocation for all the instances in Wasm::Table, and in exchange
2434 removes an indirection in JIT code because the instance used to be obtained
2435 off of the JS function. Also note that it's the embedder that keeps the
2436 instances alive, not Wasm::Table (which holds a dumb pointer to the
2437 instance), because doing otherwise would cause reference cycles.
2438 - Add WasmInstance. It doesn't do much for now, owns globals.
2439 - JSWebAssembly instance now doesn't just contain the imported functions as
2440 JSObjects, it also has the corresponding import's instance and wasm
2441 entrypoint. This triples the space allocated per instance's imported
2442 function, but there shouldn't be that many imports. This has two upsides: it
2443 creates smaller and faster code, and makes it easier to disassociate
2444 embedder-specific things from embedder-neutral things. The small / faster
2445 win is in two places: B3 IR generator only needs offsetOfImportFunction for
2446 the call opcode (when the called index is an import) to know whether the
2447 import is wasm->wasm or wasm->embedder (this isn't known at compile-time
2448 because it's dependent on the import object), this is now done by seeing if
2449 that import function has an associated target instance (only wasm->wasm
2450 does); the other place is wasmBinding which uses offsetOfImportFunction to
2451 figure out the wasm->wasm target instance, and then gets
2452 WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
2453 call. The disassociation comes because the target instance can be
2454 Wasm::Instance once we change what the Context is, and
2455 WasmEntrypointLoadLocation is already embedder-independent. As a next step I
2456 can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
2457 and leave importFunction in as an opaque pointer which is embedder-specific,
2458 and in JS will remain WriteBarrier<JSObject>.
2459 - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
2460 around instead of VM. This is a first step in allowing entry frames which
2461 aren't stored on VM, but which are instead stored in an embedder-specific
2462 location. That change won't really affect JS except through code churn, but
2463 will allow WebAssembly to use some machinery in a generic manner without
2466 * JavaScriptCore.xcodeproj/project.pbxproj:
2468 * bytecode/PolymorphicAccess.cpp:
2469 (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2470 * debugger/Debugger.cpp:
2471 (JSC::Debugger::stepOutOfFunction):
2472 (JSC::Debugger::returnEvent):
2473 (JSC::Debugger::unwindEvent):
2474 (JSC::Debugger::didExecuteProgram):
2475 * dfg/DFGJITCompiler.cpp:
2476 (JSC::DFG::JITCompiler::compileExceptionHandlers):
2477 * dfg/DFGOSREntry.cpp:
2478 (JSC::DFG::prepareOSREntry):
2479 * dfg/DFGOSRExit.cpp:
2480 (JSC::DFG::OSRExit::compileOSRExit):
2481 (JSC::DFG::OSRExit::compileExit):
2482 * dfg/DFGThunks.cpp:
2483 (JSC::DFG::osrEntryThunkGenerator):
2484 * ftl/FTLCompile.cpp:
2485 (JSC::FTL::compile):
2488 * ftl/FTLLowerDFGToB3.cpp:
2489 (JSC::FTL::DFG::LowerDFGToB3::lower):
2490 * ftl/FTLOSRExitCompiler.cpp:
2491 (JSC::FTL::compileStub):
2492 * interpreter/CallFrame.cpp:
2493 (JSC::CallFrame::wasmAwareLexicalGlobalObject):
2494 (JSC::CallFrame::callerFrame):
2495 (JSC::CallFrame::unsafeCallerFrame):
2496 * interpreter/CallFrame.h:
2497 (JSC::ExecState::callerFrame const):
2498 (JSC::ExecState::callerFrameOrEntryFrame const):
2499 (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
2500 * interpreter/FrameTracers.h:
2501 (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2502 (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
2503 (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
2504 * interpreter/Interpreter.cpp:
2505 (JSC::UnwindFunctor::operator() const):
2506 (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2507 (JSC::Interpreter::unwind):
2508 * interpreter/StackVisitor.cpp:
2509 (JSC::StackVisitor::StackVisitor):
2510 (JSC::StackVisitor::gotoNextFrame):
2511 (JSC::StackVisitor::readNonInlinedFrame):
2512 (JSC::StackVisitor::Frame::dump const):
2513 * interpreter/StackVisitor.h:
2514 (JSC::StackVisitor::Frame::callerIsEntryFrame const):
2515 * interpreter/VMEntryRecord.h:
2516 (JSC::VMEntryRecord::prevTopEntryFrame):
2517 (JSC::VMEntryRecord::unsafePrevTopEntryFrame):
2518 (JSC::EntryFrame::vmEntryRecordOffset):
2519 * jit/AssemblyHelpers.cpp:
2520 (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
2521 (JSC::AssemblyHelpers::loadWasmContextInstance):
2522 (JSC::AssemblyHelpers::storeWasmContextInstance):
2523 (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
2524 (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
2525 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
2526 * jit/AssemblyHelpers.h:
2527 (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2528 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
2529 (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
2531 (JSC::JIT::emitEnterOptimizationCheck):
2532 (JSC::JIT::privateCompileExceptionHandlers):
2533 * jit/JITExceptions.cpp:
2534 (JSC::genericUnwind):
2535 * jit/JITOpcodes.cpp:
2536 (JSC::JIT::emit_op_throw):
2537 (JSC::JIT::emit_op_catch):
2538 (JSC::JIT::emitSlow_op_loop_hint):
2539 * jit/JITOpcodes32_64.cpp:
2540 (JSC::JIT::emit_op_throw):
2541 (JSC::JIT::emit_op_catch):
2542 * jit/JITOperations.cpp:
2543 * jit/ThunkGenerators.cpp:
2544 (JSC::throwExceptionFromCallSlowPathGenerator):
2545 (JSC::nativeForGenerator):
2547 (functionDumpCallFrame):
2548 * llint/LLIntSlowPaths.cpp:
2549 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2550 * llint/LLIntThunks.cpp:
2551 (JSC::vmEntryRecord):
2552 * llint/LowLevelInterpreter.asm:
2553 * llint/LowLevelInterpreter32_64.asm:
2554 * llint/LowLevelInterpreter64.asm:
2555 * runtime/Options.cpp:
2556 (JSC::recomputeDependentOptions):
2557 * runtime/Options.h:
2558 * runtime/SamplingProfiler.cpp:
2559 (JSC::FrameWalker::FrameWalker):
2560 (JSC::FrameWalker::advanceToParentFrame):
2561 (JSC::SamplingProfiler::processUnverifiedStackTraces):
2562 * runtime/ThrowScope.cpp:
2563 (JSC::ThrowScope::~ThrowScope):
2568 (JSC::VM::topEntryFrameOffset):
2569 * runtime/VMTraps.cpp:
2571 (JSC::VMTraps::tryInstallTrapBreakpoints):
2572 (JSC::VMTraps::invalidateCodeBlocksOnStack):
2573 * wasm/WasmB3IRGenerator.cpp:
2574 (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
2575 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2576 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2577 (JSC::Wasm::B3IRGenerator::addGrowMemory):
2578 (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2579 (JSC::Wasm::B3IRGenerator::addCall):
2580 (JSC::Wasm::B3IRGenerator::addCallIndirect):
2581 (JSC::Wasm::parseAndCompile):
2582 * wasm/WasmB3IRGenerator.h:
2583 * wasm/WasmBBQPlan.cpp:
2584 (JSC::Wasm::BBQPlan::BBQPlan):
2585 (JSC::Wasm::BBQPlan::compileFunctions):
2586 (JSC::Wasm::BBQPlan::complete):
2587 * wasm/WasmBBQPlan.h:
2588 * wasm/WasmBBQPlanInlines.h:
2589 (JSC::Wasm::BBQPlan::initializeCallees):
2590 * wasm/WasmBinding.cpp:
2591 (JSC::Wasm::wasmToWasm):
2592 * wasm/WasmBinding.h:
2593 * wasm/WasmCodeBlock.cpp:
2594 (JSC::Wasm::CodeBlock::create):
2595 (JSC::Wasm::CodeBlock::CodeBlock):
2596 (JSC::Wasm::CodeBlock::compileAsync):
2597 (JSC::Wasm::CodeBlock::setCompilationFinished):
2598 * wasm/WasmCodeBlock.h:
2599 (JSC::Wasm::CodeBlock::offsetOfImportStubs):
2600 (JSC::Wasm::CodeBlock::allocationSize):
2601 (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
2602 (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
2603 (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
2604 (JSC::Wasm::CodeBlock::compilationFinished):
2605 (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2606 (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
2607 * wasm/WasmContext.cpp:
2608 (JSC::Wasm::Context::useFastTLS):
2609 (JSC::Wasm::Context::load const):
2610 (JSC::Wasm::Context::store):
2611 * wasm/WasmContext.h:
2612 * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
2613 * wasm/WasmFaultSignalHandler.cpp:
2614 * wasm/WasmFaultSignalHandler.h:
2615 * wasm/WasmFormat.h:
2616 * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2617 (JSC::Wasm::Instance::Instance):
2618 (JSC::Wasm::Instance::~Instance):
2619 (JSC::Wasm::Instance::extraMemoryAllocated const):
2620 * wasm/WasmInstance.h: Added.
2621 (JSC::Wasm::Instance::create):
2622 (JSC::Wasm::Instance::finalizeCreation):
2623 (JSC::Wasm::Instance::module):
2624 (JSC::Wasm::Instance::codeBlock):
2625 (JSC::Wasm::Instance::memory):
2626 (JSC::Wasm::Instance::table):
2627 (JSC::Wasm::Instance::loadI32Global const):
2628 (JSC::Wasm::Instance::loadI64Global const):
2629 (JSC::Wasm::Instance::loadF32Global const):
2630 (JSC::Wasm::Instance::loadF64Global const):
2631 (JSC::Wasm::Instance::setGlobal):
2632 (JSC::Wasm::Instance::offsetOfCachedStackLimit):
2633 (JSC::Wasm::Instance::cachedStackLimit const):
2634 (JSC::Wasm::Instance::setCachedStackLimit):
2635 * wasm/WasmMemory.cpp:
2636 (JSC::Wasm::Memory::Memory):
2637 (JSC::Wasm::Memory::create):
2638 (JSC::Wasm::Memory::~Memory):
2639 (JSC::Wasm::Memory::grow):
2640 * wasm/WasmMemory.h:
2641 (JSC::Wasm::Memory::offsetOfMemory):
2642 (JSC::Wasm::Memory::offsetOfSize):
2643 * wasm/WasmMemoryInformation.cpp:
2644 (JSC::Wasm::PinnedRegisterInfo::get):
2645 (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2646 * wasm/WasmMemoryInformation.h:
2647 (JSC::Wasm::PinnedRegisterInfo::toSave const):
2648 * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2649 (JSC::Wasm::makeString):
2650 * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2651 * wasm/WasmModule.cpp:
2652 (JSC::Wasm::makeValidationCallback):
2653 (JSC::Wasm::Module::validateSync):
2654 (JSC::Wasm::Module::validateAsync):
2655 (JSC::Wasm::Module::getOrCreateCodeBlock):
2656 (JSC::Wasm::Module::compileSync):
2657 (JSC::Wasm::Module::compileAsync):
2658 * wasm/WasmModule.h:
2659 * wasm/WasmModuleParser.cpp:
2660 (JSC::Wasm::ModuleParser::parseTableHelper):
2661 * wasm/WasmOMGPlan.cpp:
2662 (JSC::Wasm::OMGPlan::OMGPlan):
2663 (JSC::Wasm::OMGPlan::runForIndex):
2664 * wasm/WasmOMGPlan.h:
2665 * wasm/WasmPageCount.h:
2666 (JSC::Wasm::PageCount::isValid const):
2667 * wasm/WasmPlan.cpp:
2668 (JSC::Wasm::Plan::Plan):
2669 (JSC::Wasm::Plan::runCompletionTasks):
2670 (JSC::Wasm::Plan::addCompletionTask):
2671 (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
2673 (JSC::Wasm::Plan::dontFinalize):
2674 * wasm/WasmSignature.cpp:
2675 * wasm/WasmSignature.h:
2676 * wasm/WasmTable.cpp: Added.
2677 (JSC::Wasm::Table::create):
2678 (JSC::Wasm::Table::~Table):
2679 (JSC::Wasm::Table::Table):
2680 (JSC::Wasm::Table::grow):
2681 (JSC::Wasm::Table::clearFunction):
2682 (JSC::Wasm::Table::setFunction):
2683 * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
2684 (JSC::Wasm::Table::maximum const):
2685 (JSC::Wasm::Table::size const):
2686 (JSC::Wasm::Table::offsetOfSize):
2687 (JSC::Wasm::Table::offsetOfFunctions):
2688 (JSC::Wasm::Table::offsetOfInstances):
2689 (JSC::Wasm::Table::isValidSize):
2690 * wasm/WasmThunks.cpp:
2691 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2692 (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2693 (JSC::Wasm::Thunks::setThrowWasmException):
2694 (JSC::Wasm::Thunks::throwWasmException):
2695 * wasm/WasmThunks.h:
2696 * wasm/WasmWorklist.cpp:
2697 (JSC::Wasm::Worklist::stopAllPlansForContext):
2698 * wasm/WasmWorklist.h:
2699 * wasm/js/JSToWasm.cpp: Added.
2700 (JSC::Wasm::createJSToWasmWrapper):
2701 * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
2702 * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
2703 * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
2704 * wasm/js/JSWebAssemblyCodeBlock.cpp:
2705 (JSC::JSWebAssemblyCodeBlock::create):
2706 (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2707 * wasm/js/JSWebAssemblyCodeBlock.h:
2708 * wasm/js/JSWebAssemblyInstance.cpp:
2709 (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
2710 (JSC::JSWebAssemblyInstance::finishCreation):
2711 (JSC::JSWebAssemblyInstance::visitChildren):
2712 (JSC::JSWebAssemblyInstance::finalizeCreation):
2713 (JSC::JSWebAssemblyInstance::create):
2714 * wasm/js/JSWebAssemblyInstance.h:
2715 (JSC::JSWebAssemblyInstance::instance):
2716 (JSC::JSWebAssemblyInstance::context const):
2717 (JSC::JSWebAssemblyInstance::table):
2718 (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
2719 (JSC::JSWebAssemblyInstance::setMemory):
2720 (JSC::JSWebAssemblyInstance::offsetOfTail):
2721 (JSC::JSWebAssemblyInstance::importFunctionInfo):
2722 (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
2723 (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
2724 (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
2725 (JSC::JSWebAssemblyInstance::importFunction):
2726 (JSC::JSWebAssemblyInstance::internalMemory):
2727 (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
2728 (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
2729 (JSC::JSWebAssemblyInstance::offsetOfCallee):
2730 (JSC::JSWebAssemblyInstance::offsetOfGlobals):
2731 (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
2732 (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
2733 (JSC::JSWebAssemblyInstance::cachedStackLimit const):
2734 (JSC::JSWebAssemblyInstance::setCachedStackLimit):
2735 (JSC::JSWebAssemblyInstance::wasmMemory):
2736 (JSC::JSWebAssemblyInstance::wasmModule):
2737 (JSC::JSWebAssemblyInstance::allocationSize):
2738 (JSC::JSWebAssemblyInstance::module const):
2739 * wasm/js/JSWebAssemblyMemory.cpp:
2740 (JSC::JSWebAssemblyMemory::create):
2741 (JSC::JSWebAssemblyMemory::adopt):
2742 (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
2743 (JSC::JSWebAssemblyMemory::grow):
2744 (JSC::JSWebAssemblyMemory::growSuccessCallback):
2745 * wasm/js/JSWebAssemblyMemory.h:
2746 * wasm/js/JSWebAssemblyModule.cpp:
2747 (JSC::JSWebAssemblyModule::moduleInformation const):
2748 (JSC::JSWebAssemblyModule::exportSymbolTable const):
2749 (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
2750 (JSC::JSWebAssemblyModule::callee const):
2751 (JSC::JSWebAssemblyModule::codeBlock):
2752 (JSC::JSWebAssemblyModule::module):
2753 * wasm/js/JSWebAssemblyModule.h:
2754 * wasm/js/JSWebAssemblyTable.cpp:
2755 (JSC::JSWebAssemblyTable::create):
2756 (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2757 (JSC::JSWebAssemblyTable::visitChildren):
2758 (JSC::JSWebAssemblyTable::grow):
2759 (JSC::JSWebAssemblyTable::getFunction):
2760 (JSC::JSWebAssemblyTable::clearFunction):
2761 (JSC::JSWebAssemblyTable::setFunction):
2762 * wasm/js/JSWebAssemblyTable.h:
2763 (JSC::JSWebAssemblyTable::isValidSize):
2764 (JSC::JSWebAssemblyTable::maximum const):
2765 (JSC::JSWebAssemblyTable::size const):
2766 (JSC::JSWebAssemblyTable::table):
2767 * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
2768 (JSC::Wasm::materializeImportJSCell):
2769 (JSC::Wasm::wasmToJS):
2770 (JSC::Wasm::wasmToJSException):
2771 * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
2772 * wasm/js/WebAssemblyFunction.cpp:
2773 (JSC::callWebAssemblyFunction):
2774 * wasm/js/WebAssemblyInstanceConstructor.cpp:
2775 (JSC::constructJSWebAssemblyInstance):
2776 * wasm/js/WebAssemblyMemoryConstructor.cpp:
2777 (JSC::constructJSWebAssemblyMemory):
2778 * wasm/js/WebAssemblyMemoryPrototype.cpp:
2779 (JSC::webAssemblyMemoryProtoFuncGrow):
2780 * wasm/js/WebAssemblyModuleConstructor.cpp:
2781 (JSC::constructJSWebAssemblyModule):
2782 (JSC::WebAssemblyModuleConstructor::createModule):
2783 * wasm/js/WebAssemblyModuleConstructor.h:
2784 * wasm/js/WebAssemblyModuleRecord.cpp:
2785 (JSC::WebAssemblyModuleRecord::link):
2786 (JSC::WebAssemblyModuleRecord::evaluate):
2787 * wasm/js/WebAssemblyPrototype.cpp:
2788 (JSC::webAssemblyCompileFunc):
2790 (JSC::compileAndInstantiate):
2791 (JSC::webAssemblyValidateFunc):
2792 * wasm/js/WebAssemblyTableConstructor.cpp:
2793 (JSC::constructJSWebAssemblyTable):
2794 * wasm/js/WebAssemblyWrapperFunction.cpp:
2795 (JSC::WebAssemblyWrapperFunction::create):
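The entry above describes moving address/size ownership into an embedder-neutral Wasm::Memory, notifying wrappers through a success-only growth callback, and letting only the JS-facing grow throw. The following is an added example illustrating that shape; it is not JavaScriptCore's code, and the names (demo::Memory, EmbedderMemoryWrapper, addGrowCallback, growOrThrow, loadU8) and the callback signature are assumptions. It also shows the two checks a practitioner would want in grow: a subtraction-based limit check so the page arithmetic cannot wrap, and a guarantee that callbacks fire only after the allocation succeeded, so a cached base/size view can never go stale on the failure path.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <new>
#include <optional>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for an embedder-neutral Wasm::Memory (added example,
// not JavaScriptCore's code). Names and the callback shape are assumptions.
namespace demo {

constexpr size_t kPageSize = 64 * 1024; // WebAssembly page size
constexpr size_t kMaxPages = 65536;     // 4 GiB / 64 KiB: 32-bit address space limit

class Memory {
public:
    // Invoked only after growth succeeded, with the old and new page counts.
    using GrowCallback = std::function<void(Memory&, size_t oldPages, size_t newPages)>;

    Memory(size_t initialPages, std::optional<size_t> maximumPages)
        : m_bytes(initialPages * kPageSize, 0), m_maximumPages(maximumPages) {}

    // A wrapper registers itself here; Memory never learns what the wrapper is.
    void addGrowCallback(GrowCallback callback) { m_callbacks.push_back(std::move(callback)); }

    // Returns the old page count on success, nullopt on failure. A failed grow
    // leaves size, contents and callbacks untouched; the caller decides how to
    // report it (a JS wrapper throws, generated code would return -1).
    std::optional<size_t> grow(size_t deltaPages)
    {
        size_t oldPages = pageCount();
        size_t limit = std::min(m_maximumPages.value_or(kMaxPages), kMaxPages);
        // Subtract rather than add so oldPages + deltaPages cannot wrap around.
        if (oldPages > limit || deltaPages > limit - oldPages)
            return std::nullopt;
        size_t newPages = oldPages + deltaPages;
        try {
            m_bytes.resize(newPages * kPageSize, 0);
        } catch (const std::bad_alloc&) {
            return std::nullopt;
        }
        for (auto& callback : m_callbacks)
            callback(*this, oldPages, newPages);
        return oldPages;
    }

    size_t pageCount() const { return m_bytes.size() / kPageSize; }
    size_t sizeInBytes() const { return m_bytes.size(); }
    uint8_t* base() { return m_bytes.data(); }

private:
    std::vector<uint8_t> m_bytes;
    std::optional<size_t> m_maximumPages;
    std::vector<GrowCallback> m_callbacks;
};

// Hypothetical JS-side wrapper. It caches base/size the way generated code
// does, so it must refresh after every successful grow: the callback exists
// for exactly that. (The wrapper must outlive the Memory it registered with.)
struct EmbedderMemoryWrapper {
    uint8_t* cachedBase = nullptr;
    size_t cachedSize = 0;
    int refreshCount = 0;

    explicit EmbedderMemoryWrapper(Memory& memory)
    {
        refresh(memory);
        memory.addGrowCallback([this](Memory& m, size_t, size_t) { refresh(m); });
    }

    void refresh(Memory& memory)
    {
        cachedBase = memory.base();
        cachedSize = memory.sizeInBytes();
        ++refreshCount;
    }

    // Embedder entry point: throws on failure, as only JS ever reaches it.
    size_t growOrThrow(Memory& memory, size_t deltaPages)
    {
        std::optional<size_t> oldPages = memory.grow(deltaPages);
        if (!oldPages)
            throw std::runtime_error("WebAssembly.Memory.grow(): out of memory");
        return *oldPages;
    }
};

// Bounds-checked byte load against the wrapper's cached view. It is safe only
// because the callback keeps cachedBase/cachedSize in sync with Memory.
bool loadU8(const EmbedderMemoryWrapper& wrapper, uint64_t offset, uint8_t& out)
{
    if (offset >= wrapper.cachedSize)
        return false; // generated code would trap here
    out = wrapper.cachedBase[offset];
    return true;
}

} // namespace demo
```

The vector reallocation inside grow is what makes the callback necessary: after a successful grow the old base pointer may be dead, so any cached (base, size) pair that is not refreshed is an out-of-bounds read waiting to happen. Rejecting the grow before touching the allocation keeps the failure path trivially consistent.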
2797 2017-10-19 Mark Lam <mark.lam@apple.com>
2799 Stringifier::appendStringifiedValue() is missing an exception check.
2800 https://bugs.webkit.org/show_bug.cgi?id=178386
2801 <rdar://problem/35027610>
2803 Reviewed by Saam Barati.
2805 * runtime/JSONObject.cpp:
2806 (JSC::Stringifier::appendStringifiedValue):
2808 2017-10-19 Saam Barati <sbarati@apple.com>
2810 REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning: comparison is always false due to limited range of data type [-Wtype-limits]
2811 https://bugs.webkit.org/show_bug.cgi?id=178543
2813 Reviewed by Filip Pizlo.
2815 * dfg/DFGByteCodeParser.cpp:
2816 (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2818 2017-10-19 Saam Barati <sbarati@apple.com>
2820 re-inline ObjectAllocationProfile::initializeProfile
2821 https://bugs.webkit.org/show_bug.cgi?id=178532
2823 Rubber stamped by Michael Saboff.
2825 I un-inlined this function when implementing poly proto.
2826 This patch re-inlines it. In my testing, it looks like it
2827 might be a 0.5% speedometer progression to inline it.
2829 * JavaScriptCore.xcodeproj/project.pbxproj:
2831 * bytecode/CodeBlock.cpp:
2832 * bytecode/ObjectAllocationProfile.cpp: Removed.
2833 * bytecode/ObjectAllocationProfileInlines.h: Copied from Source/JavaScriptCore/bytecode/ObjectAllocationProfile.cpp.
2834 (JSC::ObjectAllocationProfile::initializeProfile):
2835 (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2836 * runtime/FunctionRareData.cpp:
2838 2017-10-19 Michael Saboff <msaboff@apple.com>
2840 Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2841 https://bugs.webkit.org/show_bug.cgi?id=178521
2843 Reviewed by JF Bastien.
2845 * ucd/emoji-data.txt: Replaced with the Unicode Emoji 5.0 version of the file as that is the most recent
2846 standard version. The prior version was the draft 6.0 version.
2848 2017-10-19 Saam Barati <sbarati@apple.com>
2850 We should hard code the poly proto offset
2851 https://bugs.webkit.org/show_bug.cgi?id=178531
2853 Reviewed by Filip Pizlo.
2855 This patch embraces that the poly proto offset is always zero. It's already
2856 the case that we would always get the inline offset zero for poly proto just
2857 by construction. This just hardcodes this assumption throughout the codebase.
2858 This appears to be a 1% speedometer progression in my testing.
2860 The downside of this patch is that it may require changing how we do
2861 things when we implement poly proto when inheriting from builtin
2862 types. I think we can face this problem when we decide to implement
2865 * bytecode/AccessCase.cpp:
2866 (JSC::AccessCase::generateWithGuard):
2867 * dfg/DFGOperations.cpp:
2868 * dfg/DFGSpeculativeJIT.cpp:
2869 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2870 (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2871 * ftl/FTLLowerDFGToB3.cpp:
2872 (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
2873 (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2874 * jit/JITOpcodes.cpp:
2875 (JSC::JIT::emit_op_instanceof):
2876 * jit/JITOpcodes32_64.cpp:
2877 (JSC::JIT::emit_op_instanceof):
2878 * runtime/CommonSlowPaths.cpp:
2879 (JSC::SLOW_PATH_DECL):
2880 * runtime/JSObject.cpp:
2881 (JSC::JSObject::setPrototypeDirect):
2882 * runtime/JSObject.h:
2883 (JSC::JSObject::locationForOffset const):
2884 (JSC::JSObject::locationForOffset):
2885 (JSC::JSObject::getDirect const):
2886 * runtime/PropertyOffset.h:
2887 * runtime/Structure.cpp:
2888 (JSC::Structure::create):
2889 (JSC::Structure::dump const):
2890 * runtime/Structure.h:
2891 * runtime/StructureInlines.h:
2892 (JSC::Structure::storedPrototype const):
2893 (JSC::Structure::storedPrototypeObject const):
2895 2017-10-19 Saam Barati <sbarati@apple.com>
2897 Turn various poly proto RELEASE_ASSERTs into ASSERTs because they're on the hot path in speedometer
2898 https://bugs.webkit.org/show_bug.cgi?id=178529
2900 Reviewed by Mark Lam.
2902 * runtime/Structure.h:
2903 * runtime/StructureInlines.h:
2904 (JSC::Structure::storedPrototypeObject const):
2905 (JSC::Structure::storedPrototypeStructure const):
2906 (JSC::Structure::storedPrototype const):
2907 (JSC::Structure::prototypeForLookup const):
2908 (JSC::Structure::prototypeChain const):
2910 2017-10-19 Saam Barati <sbarati@apple.com>
2912 Turn poly proto back on by default and remove the option
2913 https://bugs.webkit.org/show_bug.cgi?id=178525
2915 Reviewed by Mark Lam.
2917 I added this option because I thought it'd speed speedometer up because the
2918 original poly proto patch slowed speedometer down. It turns out that
2919 allocating poly proto objects is not what slows speedometer down. It's
2920 other code I added in the runtime that needs to be poly proto aware. I'll
2921 be addressing these in follow up patches.
2923 * runtime/Options.h:
2924 * runtime/StructureInlines.h:
2925 (JSC::Structure::shouldConvertToPolyProto):
2927 2017-10-19 Robin Morisset <rmorisset@apple.com>
2929 Turn recursive tail calls into loops
2930 https://bugs.webkit.org/show_bug.cgi?id=176601
2932 Reviewed by Saam Barati.
2934 We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
2935 One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
2936 Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
2937 We do this part through modifying the computation of the jump targets.
2938 Importantly, we only do this splitting for functions that have tail calls.
2939 It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
2941 We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
2942 The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
2944 * bytecode/CodeBlock.h:
2945 (JSC::CodeBlock::hasTailCalls const):
2946 * bytecode/PreciseJumpTargets.cpp:
2947 (JSC::getJumpTargetsForBytecodeOffset):
2948 (JSC::computePreciseJumpTargetsInternal):
2949 * bytecode/UnlinkedCodeBlock.cpp:
2950 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2951 * bytecode/UnlinkedCodeBlock.h:
2952 (JSC::UnlinkedCodeBlock::hasTailCalls const):
2953 (JSC::UnlinkedCodeBlock::setHasTailCalls):
2954 * bytecompiler/BytecodeGenerator.cpp:
2955 (JSC::BytecodeGenerator::emitEnter):
2956 (JSC::BytecodeGenerator::emitCallInTailPosition):
2957 * dfg/DFGByteCodeParser.cpp:
2958 (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2959 (JSC::DFG::ByteCodeParser::makeBlockTargetable):
2960 (JSC::DFG::ByteCodeParser::handleCall):
2961 (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2962 (JSC::DFG::ByteCodeParser::parseBlock):
2963 (JSC::DFG::ByteCodeParser::parse):
2965 2017-10-18 Mark Lam <mark.lam@apple.com>
2967 RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2968 https://bugs.webkit.org/show_bug.cgi?id=177600
2969 <rdar://problem/34710985>
2971 Reviewed by Saam Barati.
2973 According to http://www.ecma-international.org/ecma-262/8.0/#sec-validateandapplypropertydescriptor,
2974 section 9.1.6.3-7.a.ii, we should only check if the value is the same if the
2975 descriptor value is present.
2977 * runtime/RegExpObject.cpp:
2978 (JSC::RegExpObject::defineOwnProperty):
2980 2017-10-18 Keith Miller <keith_miller@apple.com>
2982 Setup WebCore build to start using unified sources.
2983 https://bugs.webkit.org/show_bug.cgi?id=178362
2985 Reviewed by Tim Horton.
2987 Change comments in source list files. Also, pass explicit names for build files.
2990 * PlatformGTK.cmake:
2991 * PlatformMac.cmake:
2996 2017-10-18 Commit Queue <commit-queue@webkit.org>
2998 Unreviewed, rolling out r223321.
2999 https://bugs.webkit.org/show_bug.cgi?id=178476
3001 This protocol change broke some internal builds (Requested by
3002 brrian__ on #webkit).
3006 "Web Inspector: provide a way to enable/disable event
3008 https://bugs.webkit.org/show_bug.cgi?id=177451
3009 https://trac.webkit.org/changeset/223321
3011 2017-10-18 Mark Lam <mark.lam@apple.com>
3013 The compiler should always register a structure when it adds its transitionWatchPointSet.
3014 https://bugs.webkit.org/show_bug.cgi?id=178420
3015 <rdar://problem/34814024>
3017 Reviewed by Saam Barati and Filip Pizlo.
3019 Instead of invoking addLazily() to add a structure's transitionWatchpointSet, we
3020 now invoke Graph::registerAndWatchStructureTransition() on the structure.
3021 registerAndWatchStructureTransition() both registers the structure and adds its
3022 transitionWatchpointSet to the plan desired watchpoints.
3024 Graph::registerAndWatchStructureTransition() is based on Graph::registerStructure()
3025 except registerAndWatchStructureTransition() adds the structure's
3026 transitionWatchpointSet unconditionally.
3028 * dfg/DFGArgumentsEliminationPhase.cpp:
3029 * dfg/DFGArrayMode.cpp:
3030 (JSC::DFG::ArrayMode::refine const):
3031 * dfg/DFGByteCodeParser.cpp:
3032 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3033 * dfg/DFGFixupPhase.cpp:
3034 (JSC::DFG::FixupPhase::fixupNode):
3037 (JSC::DFG::Graph::registerAndWatchStructureTransition):
3040 * dfg/DFGSpeculativeJIT.cpp:
3041 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3042 - The second set of addLazily()s is redundant. This set is executed only when
3043 prototypeChainIsSane is true, and prototypeChainIsSane can only be true if and
3044 only if we've executed the if statement above it. That preceding if statement
3045 already calls registerAndWatchStructureTransition() on the same 2 structures. Hence,
3046 this second set can be deleted.
3048 * dfg/DFGWatchpointCollectionPhase.cpp:
3049 (JSC::DFG::WatchpointCollectionPhase::addLazily):
3050 - Deleted an unused function.
3052 * ftl/FTLLowerDFGToB3.cpp:
3053 (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3055 2017-10-18 Yusuke Suzuki <utatane.tea@gmail.com>
3057 [JSC] Remove unused private name structure
3058 https://bugs.webkit.org/show_bug.cgi?id=178436
3060 Reviewed by Sam Weinig.
3062 It is no longer used. This patch just removes it.
3064 * runtime/JSGlobalObject.h:
3065 (JSC::JSGlobalObject::numberObjectStructure const):
3066 (JSC::JSGlobalObject::privateNameStructure const): Deleted.
3068 2017-10-18 Ryosuke Niwa <rniwa@webkit.org>
3070 Fix macOS and iOS builds after r223594.
3072 * JavaScriptCore.xcodeproj/project.pbxproj:
3074 2017-10-18 Yusuke Suzuki <utatane.tea@gmail.com>
3076 [JSC] __proto__ getter should be fast
3077 https://bugs.webkit.org/show_bug.cgi?id=178067
3079 Reviewed by Saam Barati.
3081 In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
3082 Currently, it is handled as a usual getter call to a generic function. And DFG just emits
3083 Call node for this. It is inefficient since typically we know the `prototype` of the given
3084 object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
3085 If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
3086 we can still change this to efficient access to poly proto slot.
3088 This patch implements the GetPrototypeOf DFG node. This node efficiently accesses the prototype of
3089 the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
3090 ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
3091 constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
3092 This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
3095 And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.
3097 Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
3098 poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
3099 Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.
3101 This patch improves SixSpeed super.es6 by 3.42x.
3105 super.es6 123.6666+-3.9917 ^ 36.1684+-1.0351 ^ definitely 3.4192x faster
3107 [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
(JSC::DFG::ByteCodeParser::handleGetById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupGetPrototypeOf):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::shouldSpeculateFunction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateFunction):
(JSC::DFG::SpeculativeJIT::speculateFinalObject):
(JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
(JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITOperations.h:
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::booleanPrototype const):
(JSC::JSGlobalObject::numberPrototype const):
(JSC::JSGlobalObject::booleanObjectStructure const):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoGetter):
* runtime/JSGlobalObjectFunctions.h:
* runtime/ObjectConstructor.cpp:
* runtime/ReflectObject.cpp:
2017-10-17 Ryan Haddad <ryanhaddad@apple.com>

Unreviewed, rolling out r223523.

A test for this change is failing on debug JSC bots.

"[JSC] __proto__ getter should be fast"
https://bugs.webkit.org/show_bug.cgi?id=178067
https://trac.webkit.org/changeset/223523
2017-10-17 Youenn Fablet <youenn@apple.com>

Add preliminary support for fetch event
https://bugs.webkit.org/show_bug.cgi?id=178171

Reviewed by Chris Dumez.

* runtime/JSPromise.h:
2017-10-10 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] __proto__ getter should be fast
https://bugs.webkit.org/show_bug.cgi?id=178067

Reviewed by Saam Barati.

In our ES6 class implementation, we access the __proto__ field to retrieve the super constructor.
Currently, it is handled as a usual getter call to a generic function. And DFG just emits a
Call node for this. It is inefficient since typically we know the `prototype` of the given
object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
If the Structure has a mono proto, we can immediately fold it to a constant value. If it is poly proto,
we can still change this to an efficient access to the poly proto slot.

This patch implements the GetPrototypeOf DFG node. This node efficiently accesses the prototype of
the given object. And in the AI and ByteCodeParser phases, we attempt to fold it to a constant.
ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get the super
constructor. If we can change this to a constant, we can reify CallLinkInfo with this constant.
This paves the way to optimizing ArrayConstructor super calls [1], which is particularly important

And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.

Currently, __proto__ access for a poly proto object is not handled well in IC. But we add code handling
poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
Once IC starts handling poly proto & intrinsic getters well, this code will be used for that too.

This patch improves SixSpeed super.es6 by 3.42x.

super.es6 123.6666+-3.9917 ^ 36.1684+-1.0351 ^ definitely 3.4192x faster

[1]: https://bugs.webkit.org/show_bug.cgi?id=178064
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
(JSC::DFG::ByteCodeParser::handleGetById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupGetPrototypeOf):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::shouldSpeculateFunction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateFunction):
(JSC::DFG::SpeculativeJIT::speculateFinalObject):
(JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
(JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoGetter):
* runtime/JSGlobalObjectFunctions.h:
* runtime/ObjectConstructor.cpp:
* runtime/ReflectObject.cpp:
2017-10-17 Keith Miller <keith_miller@apple.com>

Change WebCore sources to work with unified source builds
https://bugs.webkit.org/show_bug.cgi?id=178229

Rubber stamped by Tim Horton.

* Configurations/FeatureDefines.xcconfig:

2017-10-15 Filip Pizlo <fpizlo@apple.com>

Make some asserts into release asserts
https://bugs.webkit.org/show_bug.cgi?id=178324

Reviewed by Saam Barati.

These asserts are not on perf critical paths, so they might as well be release asserts.

* runtime/DataView.h:
(JSC::DataView::get):
(JSC::DataView::set):
2017-10-16 JF Bastien <jfbastien@apple.com>

JSRunLoopTimer: reduce likely race when used improperly
https://bugs.webkit.org/show_bug.cgi?id=178298
<rdar://problem/32899816>

Reviewed by Saam Barati.

If an API user sets a timer on JSRunLoopTimer, and then racily
destroys the JSRunLoopTimer while the timer is firing, then it's
possible for timerDidFire to cause a use-after-free and / or crash
because e.g. m_apiLock becomes a nullptr while timerDidFire is
executing. That results from an invalid use of JSRunLoopTimer, but
we should try to be more resilient to that type of misuse because
it's not necessarily easy to catch by inspection.

With this change the only remaining race is if the timer fires,
and then only timerDidFire's prologue executes, but not the load
of the m_apiLock pointer from `this`. It's a much smaller race.

Separately, I'll reach out to API users who are seemingly misusing

* runtime/JSRunLoopTimer.cpp:
(JSC::JSRunLoopTimer::timerDidFire): puts m_apiLock on the stack
and checks for nullptr. This prevents loading it twice off of
`this` and turns a nullptr deref into "just" a use-after-free.
(JSC::JSRunLoopTimer::~JSRunLoopTimer): acquires m_apiLock before
calling m_vm->unregisterRunLoopTimer(this), which in turn does
CFRunLoopRemoveTimer / CFRunLoopTimerInvalidate. This prevents
timerDidFire from doing much while the timers are un-registered.
~JSRunLoopTimer also needs to set m_apiLock to nullptr before
releasing the lock, so it needs its own local copy.
2017-10-15 Yusuke Suzuki <utatane.tea@gmail.com>

[JSC] Perform module specifier validation at parsing time
https://bugs.webkit.org/show_bug.cgi?id=178256

Reviewed by Darin Adler.