1 2017-11-07 Saam Barati <sbarati@apple.com>
3 Only cage double butterfly accesses
4 https://bugs.webkit.org/show_bug.cgi?id=179202
8 This patch removes caging from all butterfly accesses except double loads/stores.
9 This is a performance vs security tradeoff. Double loads/stores are the only butterfly
10 loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
11 by caging. The other load/stores we are no longer caging to get back performance on
14 * bytecode/AccessCase.cpp:
15 (JSC::AccessCase::generateImpl):
16 * bytecode/InlineAccess.cpp:
17 (JSC::InlineAccess::dumpCacheSizesAndCrash):
18 (JSC::InlineAccess::generateSelfPropertyAccess):
19 (JSC::InlineAccess::generateSelfPropertyReplace):
20 (JSC::InlineAccess::generateArrayLength):
21 * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
22 * dfg/DFGSpeculativeJIT.cpp:
23 (JSC::DFG::SpeculativeJIT::compileCreateRest):
24 (JSC::DFG::SpeculativeJIT::compileSpread):
25 (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
26 * dfg/DFGSpeculativeJIT64.cpp:
27 (JSC::DFG::SpeculativeJIT::compile):
28 * ftl/FTLLowerDFGToB3.cpp:
29 (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
30 * jit/JITPropertyAccess.cpp:
31 (JSC::JIT::emitContiguousLoad):
32 (JSC::JIT::emitArrayStorageLoad):
33 (JSC::JIT::emitGenericContiguousPutByVal):
34 (JSC::JIT::emitArrayStoragePutByVal):
35 (JSC::JIT::emit_op_get_from_scope):
36 (JSC::JIT::emit_op_put_to_scope):
37 * llint/LowLevelInterpreter64.asm:
38 * runtime/AuxiliaryBarrier.h:
39 (JSC::AuxiliaryBarrier::operator-> const):
40 * runtime/Butterfly.h:
41 (JSC::Butterfly::caged):
42 (JSC::Butterfly::contiguousDouble):
43 * runtime/JSArray.cpp:
44 (JSC::JSArray::setLength):
46 (JSC::JSArray::shiftCountWithAnyIndexingType):
47 (JSC::JSArray::unshiftCountWithAnyIndexingType):
48 (JSC::JSArray::fillArgList):
49 (JSC::JSArray::copyToArguments):
50 * runtime/JSArrayInlines.h:
51 (JSC::JSArray::pushInline):
52 * runtime/JSObject.cpp:
53 (JSC::JSObject::heapSnapshot):
54 (JSC::JSObject::createInitialIndexedStorage):
55 (JSC::JSObject::createArrayStorage):
56 (JSC::JSObject::convertUndecidedToInt32):
57 (JSC::JSObject::ensureLengthSlow):
58 (JSC::JSObject::reallocateAndShrinkButterfly):
59 (JSC::JSObject::allocateMoreOutOfLineStorage):
61 (JSC::JSObject::canGetIndexQuickly):
62 (JSC::JSObject::getIndexQuickly):
63 (JSC::JSObject::tryGetIndexQuickly const):
64 (JSC::JSObject::canSetIndexQuickly):
65 (JSC::JSObject::butterfly const):
66 (JSC::JSObject::butterfly):
68 2017-11-07 Mark Lam <mark.lam@apple.com>
70 Introduce a default RegisterSet constructor so that we can use { } notation.
71 https://bugs.webkit.org/show_bug.cgi?id=179389
73 Reviewed by Saam Barati.
75 I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
76 does not add any code documentation value.
78 * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
80 (JSC::B3::Air::Code::setRegsInPriorityOrder):
81 * b3/air/AirPrintSpecial.cpp:
82 (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
83 (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
85 * bytecode/PolymorphicAccess.h:
86 (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
87 (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
89 (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
91 (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
93 (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
94 * jit/RegisterSet.cpp:
95 (JSC::RegisterSet::reservedHardwareRegisters):
96 (JSC::RegisterSet::runtimeRegisters):
97 (JSC::RegisterSet::macroScratchRegisters):
99 (JSC::RegisterSet::RegisterSet):
100 * wasm/WasmB3IRGenerator.cpp:
101 (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
103 2017-11-07 Mark Lam <mark.lam@apple.com>
105 AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
106 https://bugs.webkit.org/show_bug.cgi?id=179355
107 <rdar://problem/35263053>
109 Reviewed by Saam Barati.
111 In the Transition case in AccessCase::generateImpl(), we were restoring registers
112 using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
113 where we previously stashed the reallocated butterfly. If the generated code is
114 under heavy register pressure, scratchGPR could have been from the set of preserved
115 registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
116 As a result, the restoration would trash the butterfly result we stored there.
117 This patch fixes the issue by excluding the scratchGPR in the restoration.
119 * bytecode/AccessCase.cpp:
120 (JSC::AccessCase::generateImpl):
122 2017-11-06 Robin Morisset <rmorisset@apple.com>
124 CodeBlock::usesOpcode() is dead code
125 https://bugs.webkit.org/show_bug.cgi?id=179316
127 Reviewed by Yusuke Suzuki.
129 Remove CodeBlock::usesOpcode which is dead code
131 * bytecode/CodeBlock.cpp:
132 * bytecode/CodeBlock.h:
134 2017-11-05 Yusuke Suzuki <utatane.tea@gmail.com>
136 JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
137 https://bugs.webkit.org/show_bug.cgi?id=144458
139 Reviewed by Saam Barati.
141 Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
142 InternalFunction calls are not cached and they always go to the slow path. This is not good because
144 1. We need to query getCallData/getConstructData every time in the slow path.
145 2. CallLinkInfo tells nothing in the higher tier JITs.
147 This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
148 to hold pointers to the functions for call and construct. We have new stubs that can call/construct
149 InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism.
151 This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
152 for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
153 case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
154 nodes for these InternalFunctions since CallLinkInfo tells us nothing.
156 Attached microbenchmarks show performance improvement.
160 dfg-internal-function-construct 1.6439+-0.0826 ^ 1.2829+-0.0727 ^ definitely 1.2813x faster
161 dfg-internal-function-not-handled-construct 2.1862+-0.1361 2.0696+-0.1201 might be 1.0564x faster
162 dfg-internal-function-not-handled-call 20.7592+-0.9085 19.7369+-0.7921 might be 1.0518x faster
163 dfg-internal-function-call 1.6856+-0.0967 ^ 1.2771+-0.0744 ^ definitely 1.3198x faster
165 [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
167 * API/JSCallbackFunction.cpp:
168 (JSC::JSCallbackFunction::JSCallbackFunction):
169 (JSC::JSCallbackFunction::getCallData): Deleted.
170 * API/JSCallbackFunction.h:
171 (JSC::JSCallbackFunction::createStructure):
172 * API/ObjCCallbackFunction.h:
173 (JSC::ObjCCallbackFunction::createStructure):
174 * API/ObjCCallbackFunction.mm:
175 (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
176 (JSC::ObjCCallbackFunction::getCallData): Deleted.
177 (JSC::ObjCCallbackFunction::getConstructData): Deleted.
178 * bytecode/BytecodeDumper.cpp:
179 (JSC::BytecodeDumper<Block>::printCallOp):
180 * bytecode/BytecodeList.json:
181 * bytecode/CallLinkInfo.cpp:
182 (JSC::CallLinkInfo::setCallee):
183 (JSC::CallLinkInfo::callee):
184 (JSC::CallLinkInfo::setLastSeenCallee):
185 (JSC::CallLinkInfo::lastSeenCallee):
186 (JSC::CallLinkInfo::visitWeak):
187 * bytecode/CallLinkInfo.h:
188 * bytecode/CallLinkStatus.cpp:
189 (JSC::CallLinkStatus::computeFromCallLinkInfo):
190 * bytecode/LLIntCallLinkInfo.h:
191 * jit/JITOperations.cpp:
193 (JSC::JITThunks::ctiInternalFunctionCall):
194 (JSC::JITThunks::ctiInternalFunctionConstruct):
198 (JSC::linkPolymorphicCall):
200 * jit/ThunkGenerators.cpp:
201 (JSC::virtualThunkFor):
202 (JSC::nativeForGenerator):
203 (JSC::nativeCallGenerator):
204 (JSC::nativeTailCallGenerator):
205 (JSC::nativeTailCallWithoutSavedTagsGenerator):
206 (JSC::nativeConstructGenerator):
207 (JSC::internalFunctionCallGenerator):
208 (JSC::internalFunctionConstructGenerator):
209 * jit/ThunkGenerators.h:
210 * llint/LLIntSlowPaths.cpp:
211 (JSC::LLInt::setUpCall):
212 * llint/LowLevelInterpreter.asm:
213 * llint/LowLevelInterpreter32_64.asm:
214 * llint/LowLevelInterpreter64.asm:
215 * runtime/ArrayConstructor.cpp:
216 (JSC::ArrayConstructor::ArrayConstructor):
217 (JSC::ArrayConstructor::getConstructData): Deleted.
218 (JSC::ArrayConstructor::getCallData): Deleted.
219 * runtime/ArrayConstructor.h:
220 (JSC::ArrayConstructor::createStructure):
221 * runtime/AsyncFunctionConstructor.cpp:
222 (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
223 (JSC::AsyncFunctionConstructor::finishCreation):
224 (JSC::AsyncFunctionConstructor::getCallData): Deleted.
225 (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
226 * runtime/AsyncFunctionConstructor.h:
227 (JSC::AsyncFunctionConstructor::createStructure):
228 * runtime/AsyncGeneratorFunctionConstructor.cpp:
229 (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
230 (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
231 (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
232 (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
233 * runtime/AsyncGeneratorFunctionConstructor.h:
234 (JSC::AsyncGeneratorFunctionConstructor::createStructure):
235 * runtime/BooleanConstructor.cpp:
236 (JSC::callBooleanConstructor):
237 (JSC::BooleanConstructor::BooleanConstructor):
238 (JSC::BooleanConstructor::finishCreation):
239 (JSC::BooleanConstructor::getConstructData): Deleted.
240 (JSC::BooleanConstructor::getCallData): Deleted.
241 * runtime/BooleanConstructor.h:
242 (JSC::BooleanConstructor::createStructure):
243 * runtime/DateConstructor.cpp:
244 (JSC::DateConstructor::DateConstructor):
245 (JSC::DateConstructor::getConstructData): Deleted.
246 (JSC::DateConstructor::getCallData): Deleted.
247 * runtime/DateConstructor.h:
248 (JSC::DateConstructor::createStructure):
250 (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
251 (JSC::StrictModeTypeErrorFunction::createStructure):
252 (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
253 (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
254 * runtime/ErrorConstructor.cpp:
255 (JSC::ErrorConstructor::ErrorConstructor):
256 (JSC::ErrorConstructor::getConstructData): Deleted.
257 (JSC::ErrorConstructor::getCallData): Deleted.
258 * runtime/ErrorConstructor.h:
259 (JSC::ErrorConstructor::createStructure):
260 * runtime/FunctionConstructor.cpp:
261 (JSC::FunctionConstructor::FunctionConstructor):
262 (JSC::FunctionConstructor::finishCreation):
263 (JSC::FunctionConstructor::getConstructData): Deleted.
264 (JSC::FunctionConstructor::getCallData): Deleted.
265 * runtime/FunctionConstructor.h:
266 (JSC::FunctionConstructor::createStructure):
267 * runtime/FunctionPrototype.cpp:
268 (JSC::callFunctionPrototype):
269 (JSC::FunctionPrototype::FunctionPrototype):
270 (JSC::FunctionPrototype::getCallData): Deleted.
271 * runtime/FunctionPrototype.h:
272 (JSC::FunctionPrototype::createStructure):
273 * runtime/GeneratorFunctionConstructor.cpp:
274 (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
275 (JSC::GeneratorFunctionConstructor::finishCreation):
276 (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
277 (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
278 * runtime/GeneratorFunctionConstructor.h:
279 (JSC::GeneratorFunctionConstructor::createStructure):
280 * runtime/InternalFunction.cpp:
281 (JSC::InternalFunction::InternalFunction):
282 (JSC::InternalFunction::finishCreation):
283 (JSC::InternalFunction::getCallData):
284 (JSC::InternalFunction::getConstructData):
285 * runtime/InternalFunction.h:
286 (JSC::InternalFunction::createStructure):
287 (JSC::InternalFunction::nativeFunctionFor):
288 (JSC::InternalFunction::offsetOfNativeFunctionFor):
289 * runtime/IntlCollatorConstructor.cpp:
290 (JSC::IntlCollatorConstructor::createStructure):
291 (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
292 (JSC::IntlCollatorConstructor::getConstructData): Deleted.
293 (JSC::IntlCollatorConstructor::getCallData): Deleted.
294 * runtime/IntlCollatorConstructor.h:
295 * runtime/IntlDateTimeFormatConstructor.cpp:
296 (JSC::IntlDateTimeFormatConstructor::createStructure):
297 (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
298 (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
299 (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
300 * runtime/IntlDateTimeFormatConstructor.h:
301 * runtime/IntlNumberFormatConstructor.cpp:
302 (JSC::IntlNumberFormatConstructor::createStructure):
303 (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
304 (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
305 (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
306 * runtime/IntlNumberFormatConstructor.h:
307 * runtime/JSArrayBufferConstructor.cpp:
308 (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
309 (JSC::JSArrayBufferConstructor::createStructure):
310 (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
311 (JSC::JSArrayBufferConstructor::getCallData): Deleted.
312 * runtime/JSArrayBufferConstructor.h:
313 * runtime/JSGenericTypedArrayViewConstructor.h:
314 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
315 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
316 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
317 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
318 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
319 * runtime/JSInternalPromiseConstructor.cpp:
320 (JSC::JSInternalPromiseConstructor::createStructure):
321 (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
322 (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
323 (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
324 * runtime/JSInternalPromiseConstructor.h:
325 * runtime/JSPromiseConstructor.cpp:
326 (JSC::JSPromiseConstructor::createStructure):
327 (JSC::JSPromiseConstructor::JSPromiseConstructor):
328 (JSC::JSPromiseConstructor::getConstructData): Deleted.
329 (JSC::JSPromiseConstructor::getCallData): Deleted.
330 * runtime/JSPromiseConstructor.h:
332 * runtime/JSTypedArrayViewConstructor.cpp:
333 (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
334 (JSC::JSTypedArrayViewConstructor::createStructure):
335 (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
336 (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
337 * runtime/JSTypedArrayViewConstructor.h:
338 * runtime/MapConstructor.cpp:
339 (JSC::MapConstructor::MapConstructor):
340 (JSC::MapConstructor::getConstructData): Deleted.
341 (JSC::MapConstructor::getCallData): Deleted.
342 * runtime/MapConstructor.h:
343 (JSC::MapConstructor::createStructure):
344 (JSC::MapConstructor::MapConstructor): Deleted.
345 * runtime/NativeErrorConstructor.cpp:
346 (JSC::NativeErrorConstructor::NativeErrorConstructor):
347 (JSC::NativeErrorConstructor::getConstructData): Deleted.
348 (JSC::NativeErrorConstructor::getCallData): Deleted.
349 * runtime/NativeErrorConstructor.h:
350 (JSC::NativeErrorConstructor::createStructure):
351 * runtime/NullGetterFunction.cpp:
352 (JSC::NullGetterFunction::NullGetterFunction):
353 (JSC::NullGetterFunction::getCallData): Deleted.
354 (JSC::NullGetterFunction::getConstructData): Deleted.
355 * runtime/NullGetterFunction.h:
356 (JSC::NullGetterFunction::createStructure):
357 (JSC::NullGetterFunction::NullGetterFunction): Deleted.
358 * runtime/NullSetterFunction.cpp:
359 (JSC::NullSetterFunction::NullSetterFunction):
360 (JSC::NullSetterFunction::getCallData): Deleted.
361 (JSC::NullSetterFunction::getConstructData): Deleted.
362 * runtime/NullSetterFunction.h:
363 (JSC::NullSetterFunction::createStructure):
364 (JSC::NullSetterFunction::NullSetterFunction): Deleted.
365 * runtime/NumberConstructor.cpp:
366 (JSC::NumberConstructor::NumberConstructor):
367 (JSC::constructNumberConstructor):
368 (JSC::constructWithNumberConstructor): Deleted.
369 (JSC::NumberConstructor::getConstructData): Deleted.
370 (JSC::NumberConstructor::getCallData): Deleted.
371 * runtime/NumberConstructor.h:
372 (JSC::NumberConstructor::createStructure):
373 * runtime/ObjectConstructor.cpp:
374 (JSC::ObjectConstructor::ObjectConstructor):
375 (JSC::ObjectConstructor::getConstructData): Deleted.
376 (JSC::ObjectConstructor::getCallData): Deleted.
377 * runtime/ObjectConstructor.h:
378 (JSC::ObjectConstructor::createStructure):
379 * runtime/ProxyConstructor.cpp:
380 (JSC::ProxyConstructor::ProxyConstructor):
381 (JSC::ProxyConstructor::getConstructData): Deleted.
382 (JSC::ProxyConstructor::getCallData): Deleted.
383 * runtime/ProxyConstructor.h:
384 (JSC::ProxyConstructor::createStructure):
385 * runtime/ProxyRevoke.cpp:
386 (JSC::ProxyRevoke::ProxyRevoke):
387 (JSC::ProxyRevoke::getCallData): Deleted.
388 * runtime/ProxyRevoke.h:
389 (JSC::ProxyRevoke::createStructure):
390 * runtime/RegExpConstructor.cpp:
391 (JSC::RegExpConstructor::RegExpConstructor):
392 (JSC::RegExpConstructor::getConstructData): Deleted.
393 (JSC::RegExpConstructor::getCallData): Deleted.
394 * runtime/RegExpConstructor.h:
395 (JSC::RegExpConstructor::createStructure):
396 * runtime/SetConstructor.cpp:
397 (JSC::SetConstructor::SetConstructor):
398 (JSC::SetConstructor::getConstructData): Deleted.
399 (JSC::SetConstructor::getCallData): Deleted.
400 * runtime/SetConstructor.h:
401 (JSC::SetConstructor::createStructure):
402 (JSC::SetConstructor::SetConstructor): Deleted.
403 * runtime/StringConstructor.cpp:
404 (JSC::StringConstructor::StringConstructor):
405 (JSC::StringConstructor::getConstructData): Deleted.
406 (JSC::StringConstructor::getCallData): Deleted.
407 * runtime/StringConstructor.h:
408 (JSC::StringConstructor::createStructure):
409 * runtime/SymbolConstructor.cpp:
410 (JSC::SymbolConstructor::SymbolConstructor):
411 (JSC::SymbolConstructor::getConstructData): Deleted.
412 (JSC::SymbolConstructor::getCallData): Deleted.
413 * runtime/SymbolConstructor.h:
414 (JSC::SymbolConstructor::createStructure):
417 (JSC::VM::getCTIInternalFunctionTrampolineFor):
419 * runtime/WeakMapConstructor.cpp:
420 (JSC::WeakMapConstructor::WeakMapConstructor):
421 (JSC::WeakMapConstructor::getConstructData): Deleted.
422 (JSC::WeakMapConstructor::getCallData): Deleted.
423 * runtime/WeakMapConstructor.h:
424 (JSC::WeakMapConstructor::createStructure):
425 (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
426 * runtime/WeakSetConstructor.cpp:
427 (JSC::WeakSetConstructor::WeakSetConstructor):
428 (JSC::WeakSetConstructor::getConstructData): Deleted.
429 (JSC::WeakSetConstructor::getCallData): Deleted.
430 * runtime/WeakSetConstructor.h:
431 (JSC::WeakSetConstructor::createStructure):
432 (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
433 * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
434 (JSC::WebAssemblyCompileErrorConstructor::createStructure):
435 (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
436 (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
437 (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
438 * wasm/js/WebAssemblyCompileErrorConstructor.h:
439 * wasm/js/WebAssemblyInstanceConstructor.cpp:
440 (JSC::WebAssemblyInstanceConstructor::createStructure):
441 (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
442 (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
443 (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
444 * wasm/js/WebAssemblyInstanceConstructor.h:
445 * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
446 (JSC::WebAssemblyLinkErrorConstructor::createStructure):
447 (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
448 (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
449 (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
450 * wasm/js/WebAssemblyLinkErrorConstructor.h:
451 * wasm/js/WebAssemblyMemoryConstructor.cpp:
452 (JSC::WebAssemblyMemoryConstructor::createStructure):
453 (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
454 (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
455 (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
456 * wasm/js/WebAssemblyMemoryConstructor.h:
457 * wasm/js/WebAssemblyModuleConstructor.cpp:
458 (JSC::WebAssemblyModuleConstructor::createStructure):
459 (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
460 (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
461 (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
462 * wasm/js/WebAssemblyModuleConstructor.h:
463 * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
464 (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
465 (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
466 (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
467 (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
468 * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
469 * wasm/js/WebAssemblyTableConstructor.cpp:
470 (JSC::WebAssemblyTableConstructor::createStructure):
471 (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
472 (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
473 (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
474 * wasm/js/WebAssemblyTableConstructor.h:
476 2017-11-03 Michael Saboff <msaboff@apple.com>
478 The Abstract Interpreter needs to change similar to clobberize() in r224366
479 https://bugs.webkit.org/show_bug.cgi?id=179267
481 Reviewed by Saam Barati.
483 Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
484 cases in the abstract interpreter to match what was done for r224366.
486 * dfg/DFGAbstractInterpreterInlines.h:
487 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
489 2017-11-03 Keith Miller <keith_miller@apple.com>
491 PutProperytSlot should inform the IC about the property before effects.
492 https://bugs.webkit.org/show_bug.cgi?id=179262
494 Reviewed by Mark Lam.
496 This patch fixes an issue where we choose to cache setters based on
497 incorrect information. If we did so we might end up OSR exiting
498 more than we would otherwise need to. The new model is that the
499 PutPropertySlot should inform the IC of what the property looked
500 like before any potential side effects might have occurred.
502 * runtime/JSObject.cpp:
503 (JSC::JSObject::putInlineSlow):
507 2017-11-03 Mark Lam <mark.lam@apple.com>
509 CachedCall (and its clients) needs overflow checks.
510 https://bugs.webkit.org/show_bug.cgi?id=179185
512 Reviewed by JF Bastien.
514 * interpreter/CachedCall.h:
515 (JSC::CachedCall::CachedCall):
516 (JSC::CachedCall::hasOverflowedArguments):
518 (JSC::MarkedArgumentBuffer::clear):
519 * runtime/StringPrototype.cpp:
520 (JSC::replaceUsingRegExpSearch):
522 2017-11-03 Devin Rousso <webkit@devinrousso.com>
524 Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
525 https://bugs.webkit.org/show_bug.cgi?id=178302
526 <rdar://problem/33158849>
528 Reviewed by Brian Burg.
530 * inspector/protocol/Recording.json:
531 Add `duration` to each Frame that represents the total time of all the recorded actions.
533 2017-11-02 Devin Rousso <webkit@devinrousso.com>
535 Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
536 https://bugs.webkit.org/show_bug.cgi?id=179070
537 <rdar://problem/35278276>
539 Reviewed by Brian Burg.
541 * inspector/protocol/Canvas.json:
542 Add `extensionEnabled` event that is fired each time `getExtension` is called with a
543 different string on a WebGL context.
545 2017-11-02 Joseph Pecoraro <pecoraro@apple.com>
547 Make ServiceWorker a Remote Inspector debuggable target
548 https://bugs.webkit.org/show_bug.cgi?id=179043
549 <rdar://problem/34126008>
551 Reviewed by Brian Burg.
553 * inspector/remote/RemoteControllableTarget.h:
554 * inspector/remote/RemoteInspectionTarget.h:
555 * inspector/remote/RemoteInspectorConstants.h:
556 Include a new ServiceWorker remote inspector target type.
558 * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
559 (Inspector::RemoteInspector::listingForInspectionTarget const):
560 Implement listing for a ServiceWorker to include a URL like a page.
562 * inspector/remote/glib/RemoteInspectorGlib.cpp:
563 (Inspector::RemoteInspector::listingForInspectionTarget const):
564 Bail for ServiceWorker support in glib. They will need to implement their support.
566 2017-11-02 Michael Saboff <msaboff@apple.com>
568 DFG needs to handle code motion of code in for..in loop bodies
569 https://bugs.webkit.org/show_bug.cgi?id=179212
571 Reviewed by Keith Miller.
573 The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
574 make calls with side effects. Updated clobberize() for those nodes to take that into account.
576 * dfg/DFGClobberize.h:
577 (JSC::DFG::clobberize):
579 2017-11-02 Joseph Pecoraro <pecoraro@apple.com>
581 Inspector should display service worker served responses properly
582 https://bugs.webkit.org/show_bug.cgi?id=178597
583 <rdar://problem/35186111>
585 Reviewed by Brian Burg.
587 * inspector/protocol/Network.json:
588 Expose a new "service-worker" response source.
590 2017-11-02 Filip Pizlo <fpizlo@apple.com>
592 AI does not correctly model the clobber case of ArithClz32
593 https://bugs.webkit.org/show_bug.cgi?id=179188
595 Reviewed by Michael Saboff.
597 The non-Int32 case clobbers the world because it may call valueOf.
599 * dfg/DFGAbstractInterpreterInlines.h:
600 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
602 2017-11-02 Yusuke Suzuki <utatane.tea@gmail.com>
604 Unreviewed, release throw scope
605 https://bugs.webkit.org/show_bug.cgi?id=178726
607 * dfg/DFGOperations.cpp:
609 2017-11-02 Frederic Wang <fwang@igalia.com>
611 Add references to bug 179167 in FIXME comments
612 https://bugs.webkit.org/show_bug.cgi?id=179168
614 Reviewed by Daniel Bates.
616 * Configurations/FeatureDefines.xcconfig:
618 2017-11-01 Jeremy Jones <jeremyj@apple.com>
620 Implement WKFullscreenWindowController for iOS.
621 https://bugs.webkit.org/show_bug.cgi?id=178924
622 rdar://problem/34697120
624 Reviewed by Simon Fraser.
626 Enable ENABLE_FULLSCREEN_API for iOS.
628 * Configurations/FeatureDefines.xcconfig:
630 2017-11-01 Mark Lam <mark.lam@apple.com>
632 Add support to throw OOM if MarkedArgumentBuffer may overflow.
633 https://bugs.webkit.org/show_bug.cgi?id=179092
634 <rdar://problem/35116160>
636 Reviewed by Saam Barati.
638 The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
639 time, which renders it unsuitable for automated tests. Instead, I've run a
640 test manually to verify that an OutOfMemoryError will be thrown when an overflow
643 The MarkedArgumentBuffer's destructor will now assert that the client has indeed
644 checked for an overflow after invoking methods that may result in an overflow i.e.
645 the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
646 This is only done on debug builds.
648 * API/JSObjectRef.cpp:
649 (JSObjectMakeFunction):
652 (JSObjectMakeRegExp):
653 (JSObjectCallAsFunction):
654 (JSObjectCallAsConstructor):
655 * dfg/DFGOperations.cpp:
656 * inspector/InjectedScriptManager.cpp:
657 (Inspector::InjectedScriptManager::createInjectedScript):
658 * inspector/JSJavaScriptCallFrame.cpp:
659 (Inspector::JSJavaScriptCallFrame::scopeChain const):
660 * interpreter/Interpreter.cpp:
661 (JSC::Interpreter::executeProgram):
663 (functionDollarAgentReceiveBroadcast):
664 * runtime/ArgList.cpp:
665 (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
666 (JSC::MarkedArgumentBuffer::expandCapacity):
667 (JSC::MarkedArgumentBuffer::slowAppend):
669 (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
670 (JSC::MarkedArgumentBuffer::appendWithAction):
671 (JSC::MarkedArgumentBuffer::append):
672 (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
673 (JSC::MarkedArgumentBuffer::hasOverflowed):
674 (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
675 (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
676 * runtime/ArrayPrototype.cpp:
677 * runtime/CommonSlowPaths.cpp:
678 (JSC::SLOW_PATH_DECL):
679 * runtime/GetterSetter.cpp:
681 * runtime/IteratorOperations.cpp:
683 (JSC::iteratorClose):
684 * runtime/JSBoundFunction.cpp:
685 (JSC::boundThisNoArgsFunctionCall):
686 (JSC::boundFunctionCall):
687 (JSC::boundThisNoArgsFunctionConstruct):
688 (JSC::boundFunctionConstruct):
689 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
690 (JSC::constructGenericTypedArrayViewFromIterator):
691 * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
692 (JSC::genericTypedArrayViewProtoFuncSlice):
693 (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
694 * runtime/JSGlobalObject.cpp:
695 (JSC::JSGlobalObject::haveABadTime):
696 * runtime/JSInternalPromise.cpp:
697 (JSC::JSInternalPromise::then):
699 (JSC::JSJobMicrotask::run):
700 * runtime/JSMapIterator.cpp:
701 (JSC::JSMapIterator::createPair):
702 * runtime/JSModuleLoader.cpp:
703 (JSC::JSModuleLoader::provideFetch):
704 (JSC::JSModuleLoader::loadAndEvaluateModule):
705 (JSC::JSModuleLoader::loadModule):
706 (JSC::JSModuleLoader::linkAndEvaluateModule):
707 (JSC::JSModuleLoader::requestImportModule):
708 * runtime/JSONObject.cpp:
709 (JSC::Stringifier::toJSONImpl):
710 (JSC::Stringifier::appendStringifiedValue):
711 (JSC::Walker::callReviver):
712 * runtime/JSObject.cpp:
713 (JSC::ordinarySetSlow):
714 (JSC::callToPrimitiveFunction):
715 (JSC::JSObject::hasInstance):
716 * runtime/JSPromise.cpp:
717 (JSC::JSPromise::initialize):
718 (JSC::JSPromise::resolve):
719 * runtime/JSPromiseDeferred.cpp:
720 (JSC::newPromiseCapability):
722 * runtime/JSSetIterator.cpp:
723 (JSC::JSSetIterator::createPair):
724 * runtime/LiteralParser.cpp:
725 (JSC::LiteralParser<CharType>::parse):
726 * runtime/MapConstructor.cpp:
728 * runtime/ObjectConstructor.cpp:
729 (JSC::defineProperties):
730 * runtime/ProxyObject.cpp:
731 (JSC::performProxyGet):
732 (JSC::ProxyObject::performInternalMethodGetOwnProperty):
733 (JSC::ProxyObject::performHasProperty):
734 (JSC::ProxyObject::performPut):
735 (JSC::performProxyCall):
736 (JSC::performProxyConstruct):
737 (JSC::ProxyObject::performDelete):
738 (JSC::ProxyObject::performPreventExtensions):
739 (JSC::ProxyObject::performIsExtensible):
740 (JSC::ProxyObject::performDefineOwnProperty):
741 (JSC::ProxyObject::performGetOwnPropertyNames):
742 (JSC::ProxyObject::performSetPrototype):
743 (JSC::ProxyObject::performGetPrototype):
744 * runtime/ReflectObject.cpp:
745 (JSC::reflectObjectConstruct):
746 * runtime/SetConstructor.cpp:
748 * runtime/StringPrototype.cpp:
749 (JSC::replaceUsingRegExpSearch):
750 (JSC::replaceUsingStringSearch):
751 * runtime/WeakMapConstructor.cpp:
752 (JSC::constructWeakMap):
753 * runtime/WeakSetConstructor.cpp:
754 (JSC::constructWeakSet):
755 * wasm/js/WasmToJS.cpp:
756 (JSC::Wasm::wasmToJS):
758 2017-11-01 Michael Saboff <msaboff@apple.com>
760 Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
761 https://bugs.webkit.org/show_bug.cgi?id=179140
763 Reviewed by Saam Barati.
765 Added overflow checks to computation of arg count plus this.
767 * dfg/DFGSpeculativeJIT32_64.cpp:
768 (JSC::DFG::SpeculativeJIT::compile):
769 * dfg/DFGSpeculativeJIT64.cpp:
770 (JSC::DFG::SpeculativeJIT::compile):
771 * ftl/FTLLowerDFGToB3.cpp:
772 (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
774 2017-11-01 Yusuke Suzuki <utatane.tea@gmail.com>
776 Unreviewed, use weakPointer instead of FTLOutput::weakPointer
777 https://bugs.webkit.org/show_bug.cgi?id=178934
779 * ftl/FTLLowerDFGToB3.cpp:
780 (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
782 2017-11-01 Yusuke Suzuki <utatane.tea@gmail.com>
784 [JSC] Introduce @toObject
785 https://bugs.webkit.org/show_bug.cgi?id=178726
787 Reviewed by Saam Barati.
789 This patch introduces @toObject intrinsic. And we introduce op_to_object bytecode and DFG ToObject node.
790 Previously we emulated @toObject behavior in builtin JS. But it consumes much bytecode size while @toObject
791 is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
792 ObjectConstructor in LLInt and Baseline.
794 We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
795 offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
797 if (this === @undefined || this === null)
798 @throwTypeError("error message");
799 var object = @Object(this);
803 var object = @toObject(this, "error message");
805 And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
806 ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
807 In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
809 It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.
811 * builtins/ArrayConstructor.js:
813 * builtins/ArrayPrototype.js:
829 (globalPrivate.concatSlowPath):
831 * builtins/DatePrototype.js:
832 (toLocaleString.toDateTimeOptionsAnyAll):
834 (toLocaleDateString.toDateTimeOptionsDateDate):
835 (toLocaleDateString):
836 (toLocaleTimeString.toDateTimeOptionsTimeTime):
837 (toLocaleTimeString):
838 * builtins/GlobalOperations.js:
839 (globalPrivate.copyDataProperties):
840 (globalPrivate.copyDataPropertiesNoExclusions):
841 * builtins/ObjectConstructor.js:
843 * builtins/StringConstructor.js:
845 * builtins/TypedArrayConstructor.js:
847 * builtins/TypedArrayPrototype.js:
850 * bytecode/BytecodeDumper.cpp:
851 (JSC::BytecodeDumper<Block>::dumpBytecode):
852 * bytecode/BytecodeIntrinsicRegistry.h:
853 * bytecode/BytecodeList.json:
854 * bytecode/BytecodeUseDef.h:
855 (JSC::computeUsesForBytecodeOffset):
856 (JSC::computeDefsForBytecodeOffset):
857 * bytecode/CodeBlock.cpp:
858 (JSC::CodeBlock::finishCreation):
859 * bytecompiler/BytecodeGenerator.cpp:
860 (JSC::BytecodeGenerator::emitToObject):
861 * bytecompiler/BytecodeGenerator.h:
862 * bytecompiler/NodesCodegen.cpp:
863 (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
864 * dfg/DFGAbstractInterpreterInlines.h:
865 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
866 * dfg/DFGByteCodeParser.cpp:
867 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
868 (JSC::DFG::ByteCodeParser::parseBlock):
869 * dfg/DFGCapabilities.cpp:
870 (JSC::DFG::capabilityLevel):
871 * dfg/DFGClobberize.h:
872 (JSC::DFG::clobberize):
875 * dfg/DFGFixupPhase.cpp:
876 (JSC::DFG::FixupPhase::fixupNode):
877 (JSC::DFG::FixupPhase::fixupToObject):
878 (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
880 (JSC::DFG::Node::convertToCallObjectConstructor):
881 (JSC::DFG::Node::convertToNewStringObject):
882 (JSC::DFG::Node::convertToNewObject):
883 (JSC::DFG::Node::hasIdentifier):
884 (JSC::DFG::Node::hasHeapPrediction):
885 (JSC::DFG::Node::hasCellOperand):
887 * dfg/DFGOperations.cpp:
888 * dfg/DFGOperations.h:
889 * dfg/DFGPredictionPropagationPhase.cpp:
890 * dfg/DFGSafeToExecute.h:
891 (JSC::DFG::safeToExecute):
892 * dfg/DFGSpeculativeJIT.cpp:
893 (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
894 (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
895 * dfg/DFGSpeculativeJIT.h:
896 (JSC::DFG::SpeculativeJIT::callOperation):
897 * dfg/DFGSpeculativeJIT32_64.cpp:
898 (JSC::DFG::SpeculativeJIT::compile):
899 * dfg/DFGSpeculativeJIT64.cpp:
900 (JSC::DFG::SpeculativeJIT::compile):
901 * ftl/FTLCapabilities.cpp:
902 (JSC::FTL::canCompile):
903 * ftl/FTLLowerDFGToB3.cpp:
904 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
905 (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
906 (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
908 (JSC::JIT::privateCompileMainPass):
909 (JSC::JIT::privateCompileSlowCases):
911 * jit/JITOpcodes.cpp:
912 (JSC::JIT::emit_op_to_object):
913 (JSC::JIT::emitSlow_op_to_object):
914 * jit/JITOpcodes32_64.cpp:
915 (JSC::JIT::emit_op_to_object):
916 (JSC::JIT::emitSlow_op_to_object):
917 * jit/JITOperations.cpp:
918 * jit/JITOperations.h:
919 * llint/LowLevelInterpreter32_64.asm:
920 * llint/LowLevelInterpreter64.asm:
921 * runtime/CommonSlowPaths.cpp:
922 (JSC::SLOW_PATH_DECL):
923 * runtime/CommonSlowPaths.h:
925 2017-11-01 Fujii Hironori <Hironori.Fujii@sony.com>
927 Use LazyNeverDestroyed instead of DEFINE_GLOBAL
928 https://bugs.webkit.org/show_bug.cgi?id=174979
930 Reviewed by Yusuke Suzuki.
932 * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
934 2017-10-27 Yusuke Suzuki <utatane.tea@gmail.com>
936 [DFG][FTL] Introduce StringSlice
937 https://bugs.webkit.org/show_bug.cgi?id=178934
939 Reviewed by Saam Barati.
941 String.prototype.slice is one of the most frequently called function in ARES-6/Babylon.
942 This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
944 This patch's StringSlice node optimizes the following things.
946 1. Empty string generation is accelerated. It is fully executed inline.
947 2. One char string generation is accelerated. `< 0x100` character is supported right now.
948 It is the same to charAt acceleration.
949 3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
952 We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
953 And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
954 in subsequent changes.
956 This patch improves ARES-6/Babylon performance by 3% in steady state.
959 Running... Babylon ( 1 to go)
960 firstIteration: 50.05 +- 13.68 ms
961 averageWorstCase: 16.80 +- 1.27 ms
962 steadyState: 7.53 +- 0.22 ms
965 Running... Babylon ( 1 to go)
966 firstIteration: 50.91 +- 13.41 ms
967 averageWorstCase: 16.12 +- 0.99 ms
968 steadyState: 7.30 +- 0.29 ms
970 * dfg/DFGAbstractInterpreterInlines.h:
971 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
972 * dfg/DFGBackwardsPropagationPhase.cpp:
973 (JSC::DFG::BackwardsPropagationPhase::propagate):
974 * dfg/DFGByteCodeParser.cpp:
975 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
976 * dfg/DFGClobberize.h:
977 (JSC::DFG::clobberize):
980 * dfg/DFGFixupPhase.cpp:
981 (JSC::DFG::FixupPhase::fixupNode):
983 * dfg/DFGOperations.cpp:
984 * dfg/DFGOperations.h:
985 * dfg/DFGPredictionPropagationPhase.cpp:
986 * dfg/DFGSafeToExecute.h:
987 (JSC::DFG::safeToExecute):
988 * dfg/DFGSpeculativeJIT.cpp:
989 (JSC::DFG::SpeculativeJIT::compileStringSlice):
990 (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
991 (JSC::DFG::SpeculativeJIT::compileArraySlice):
992 (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
993 * dfg/DFGSpeculativeJIT.h:
994 (JSC::DFG::SpeculativeJIT::callOperation):
995 * dfg/DFGSpeculativeJIT32_64.cpp:
996 (JSC::DFG::SpeculativeJIT::compile):
997 * dfg/DFGSpeculativeJIT64.cpp:
998 (JSC::DFG::SpeculativeJIT::compile):
999 * ftl/FTLCapabilities.cpp:
1000 (JSC::FTL::canCompile):
1001 * ftl/FTLLowerDFGToB3.cpp:
1002 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1003 (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
1004 (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1005 (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1006 * jit/JITOperations.h:
1007 * runtime/Intrinsic.cpp:
1008 (JSC::intrinsicName):
1009 * runtime/Intrinsic.h:
1010 * runtime/StringPrototype.cpp:
1011 (JSC::StringPrototype::finishCreation):
1013 2017-10-31 JF Bastien <jfbastien@apple.com>
1015 WebAssembly: Wasm::IndexOrName has a raw pointer to Name
1016 https://bugs.webkit.org/show_bug.cgi?id=176644
1018 Reviewed by Michael Saboff.
1020 IndexOrName now keeps a RefPtr to its original NameSection, which
1021 holds the Name (or references nullptr if Index). Holding onto the
1022 entire section seems like the better thing to do, since backtraces
1023 probably contain multiple names from the same Module.
1025 * JavaScriptCore.xcodeproj/project.pbxproj:
1026 * interpreter/Interpreter.cpp:
1027 (JSC::GetStackTraceFunctor::operator() const):
1028 * interpreter/StackVisitor.h: Frame is no longer POD because of the
1030 * runtime/StackFrame.cpp:
1031 (JSC::StackFrame::StackFrame):
1032 * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
1033 (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
1034 (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
1035 * wasm/WasmBBQPlanInlines.h:
1036 (JSC::Wasm::BBQPlan::initializeCallees):
1037 * wasm/WasmCallee.cpp:
1038 (JSC::Wasm::Callee::Callee):
1039 * wasm/WasmCallee.h:
1040 (JSC::Wasm::Callee::create):
1041 * wasm/WasmFormat.h: Move NameSection to its own header.
1042 (JSC::Wasm::isValidNameType):
1043 (JSC::Wasm::NameSection::get): Deleted.
1044 * wasm/WasmIndexOrName.cpp:
1045 (JSC::Wasm::IndexOrName::IndexOrName):
1046 (JSC::Wasm::makeString):
1047 * wasm/WasmIndexOrName.h:
1048 (JSC::Wasm::IndexOrName::IndexOrName):
1049 (JSC::Wasm::IndexOrName::isEmpty const):
1050 (JSC::Wasm::IndexOrName::isIndex const):
1051 * wasm/WasmModuleInformation.cpp:
1052 (JSC::Wasm::ModuleInformation::ModuleInformation):
1053 * wasm/WasmModuleInformation.h:
1054 (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
1055 * wasm/WasmNameSection.h:
1056 (JSC::Wasm::NameSection::get):
1057 (JSC::Wasm::NameSection::create): Deleted.
1058 * wasm/WasmNameSectionParser.cpp:
1059 (JSC::Wasm::NameSectionParser::parse):
1060 * wasm/WasmNameSectionParser.h:
1061 * wasm/WasmOMGPlan.cpp:
1062 (JSC::Wasm::OMGPlan::work):
1064 2017-10-31 Tim Horton <timothy_horton@apple.com>
1066 Clean up some drag and drop feature flags
1067 https://bugs.webkit.org/show_bug.cgi?id=179082
1069 Reviewed by Simon Fraser.
1071 * Configurations/FeatureDefines.xcconfig:
1073 2017-10-31 Commit Queue <commit-queue@webkit.org>
1075 Unreviewed, rolling out r224243, r224246, and r224248.
1076 https://bugs.webkit.org/show_bug.cgi?id=179083
1078 The patch and fix broke the Windows build. (Requested by
1079 mlewis13 on #webkit).
1081 Reverted changesets:
1083 "StructureStubInfo should have GPRReg members not int8_ts"
1084 https://bugs.webkit.org/show_bug.cgi?id=179071
1085 https://trac.webkit.org/changeset/224243
1087 "Make all register enums be backed by uint8_t."
1088 https://bugs.webkit.org/show_bug.cgi?id=179074
1089 https://trac.webkit.org/changeset/224246
1091 "Unreviewed, windows build fix."
1092 https://trac.webkit.org/changeset/224248
1094 2017-10-31 Tim Horton <timothy_horton@apple.com>
1096 Fix up some content filtering feature flags
1097 https://bugs.webkit.org/show_bug.cgi?id=179079
1099 Reviewed by Simon Fraser.
1101 * Configurations/FeatureDefines.xcconfig:
1103 2017-10-31 Keith Miller <keith_miller@apple.com>
1105 Unreviewed, windows build fix.
1107 * assembler/X86Assembler.h:
1108 (JSC::X86Assembler::numberOfRegisters):
1109 (JSC::X86Assembler::numberOfSPRegisters):
1110 (JSC::X86Assembler::numberOfFPRegisters):
1112 2017-10-31 Keith Miller <keith_miller@apple.com>
1114 Make all register enums be backed by uint8_t.
1115 https://bugs.webkit.org/show_bug.cgi?id=179074
1117 Reviewed by Mark Lam.
1119 * assembler/ARM64Assembler.h:
1120 * assembler/ARMAssembler.h:
1121 * assembler/ARMv7Assembler.h:
1122 * assembler/MIPSAssembler.h:
1123 * assembler/MacroAssembler.h:
1124 * assembler/X86Assembler.h:
1126 2017-10-31 Keith Miller <keith_miller@apple.com>
1128 StructureStubInfo should have GPRReg members not int8_ts
1129 https://bugs.webkit.org/show_bug.cgi?id=179071
1131 Reviewed by Michael Saboff.
1133 This patch makes the various RegisterID enums be backed by
1134 uint8_t. This means that we can remove the old int8_t members in
1135 StructureStubInfo and replace them with the correct enum types.
1137 Also, this fixes an indentation issue in ARMv7Assembler.h.
1139 * assembler/ARM64Assembler.h:
1140 * assembler/ARMAssembler.h:
1141 * assembler/ARMv7Assembler.h:
1142 (JSC::ARMRegisters::asSingle):
1143 (JSC::ARMRegisters::asDouble):
1144 * assembler/MIPSAssembler.h:
1145 * assembler/X86Assembler.h:
1146 * bytecode/InlineAccess.cpp:
1147 (JSC::InlineAccess::generateSelfPropertyAccess):
1148 (JSC::getScratchRegister):
1149 * bytecode/PolymorphicAccess.cpp:
1150 (JSC::PolymorphicAccess::regenerate):
1151 * bytecode/StructureStubInfo.h:
1152 (JSC::StructureStubInfo::valueRegs const):
1153 * dfg/DFGSpeculativeJIT.cpp:
1154 (JSC::DFG::SpeculativeJIT::compileIn):
1155 * ftl/FTLLowerDFGToB3.cpp:
1156 (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1157 * jit/JITInlineCacheGenerator.cpp:
1158 (JSC::JITByIdGenerator::JITByIdGenerator):
1159 (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
1161 2017-10-31 Devin Rousso <webkit@devinrousso.com>
1163 Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
1164 https://bugs.webkit.org/show_bug.cgi?id=179048
1166 Reviewed by Mark Lam.
1168 * inspector/ScriptCallStackFactory.h:
1169 * inspector/ScriptCallStackFactory.cpp:
1170 (createScriptCallStack):
1171 (createScriptCallStackForConsole):
1172 (createScriptCallStackFromException):
1174 * inspector/ConsoleMessage.cpp:
1175 (Inspector::ConsoleMessage::autogenerateMetadata):
1176 * inspector/JSGlobalObjectInspectorController.cpp:
1177 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1178 * inspector/agents/InspectorConsoleAgent.cpp:
1179 (Inspector::InspectorConsoleAgent::count):
1180 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1181 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1183 2017-10-31 Carlos Garcia Campos <cgarcia@igalia.com>
1185 Unreviewed. Fix GTK+ make distcheck.
1187 Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
1191 2017-10-30 Saam Barati <sbarati@apple.com>
1193 We need a storeStoreFence before storing to the instruction stream's live variable catch data
1194 https://bugs.webkit.org/show_bug.cgi?id=178649
1196 Reviewed by Keith Miller.
1198 * bytecode/CodeBlock.cpp:
1199 (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1201 2017-10-30 Michael Catanzaro <mcatanzaro@igalia.com>
1203 [WPE] Fix build warnings
1204 https://bugs.webkit.org/show_bug.cgi?id=178899
1206 Reviewed by Carlos Alberto Lopez Perez.
1208 * PlatformWPE.cmake:
1210 2017-10-30 Zan Dobersek <zdobersek@igalia.com>
1212 [ARMv7] Fix initial start register support in YarrJIT
1213 https://bugs.webkit.org/show_bug.cgi?id=178641
1215 Reviewed by Saam Barati.
1217 * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
1218 YarrGenerator class. r6 should be avoided since it's already used inside
1219 MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
1220 can be used as the frame pointer register when targetting ARM Thumb2.
1222 2017-10-30 Zan Dobersek <zdobersek@igalia.com>
1224 [ARM64][Linux] Re-enable Gigacage
1225 https://bugs.webkit.org/show_bug.cgi?id=178130
1227 Reviewed by Michael Catanzaro.
1229 Guard the current globaladdr opcode implementation for ARM64 with
1230 OS(DARWIN) as it's only usable for Mach-O.
1232 For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
1233 have to be used. The .loh directive can't be used as it's not supported
1234 in GCC or the ld linker.
1236 On every other OS target, a compilation error is thrown.
1238 * offlineasm/arm64.rb:
1240 2017-10-27 Devin Rousso <webkit@devinrousso.com>
1242 Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
1243 https://bugs.webkit.org/show_bug.cgi?id=178799
1244 <rdar://problem/35175805>
1246 Reviewed by Brian Burg.
1248 * inspector/protocol/Canvas.json:
1249 Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
1251 2017-10-27 Yusuke Suzuki <utatane.tea@gmail.com>
1253 [JSC] Tweak ES6 generator function to allow inlining
1254 https://bugs.webkit.org/show_bug.cgi?id=178935
1256 Reviewed by Saam Barati.
1258 We optimize builtins' generator helper functions to allow them inlined in the caller side.
1259 This patch adjust the layer between @generatorResume, next(), throw(), and return() to allow
1260 them inlined in DFG.
1264 spread-generator.es6 301.2637+-11.1011 ^ 260.5905+-14.2258 ^ definitely 1.1561x faster
1265 generator.es6 269.6030+-13.2435 ^ 148.8840+-6.7614 ^ definitely 1.8108x faster
1267 * builtins/GeneratorPrototype.js:
1268 (globalPrivate.generatorResume):
1273 2017-10-27 Saam Barati <sbarati@apple.com>
1275 Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
1276 https://bugs.webkit.org/show_bug.cgi?id=178949
1278 Reviewed by Keith Miller.
1280 This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
1281 so that we don't need to recompute liveness for the same UnlinkedCodeBlock
1282 more than once. To do this, this patch solidifies the invariant that CodeBlock
1283 linking can't do anything that would change the result of liveness. For example,
1284 it can't introduce new locals. This invariant was met my JSC before, because we
1285 didn't do anything in bytecode linking that would change liveness. However, it is
1286 now a correctness requirement that we don't do anything that would change the
1287 result of running liveness. To support this change, I've refactored BytecodeGraph
1288 to not be tied to a CodeBlockType*. Things that perform liveness will pass in
1289 CodeBlockType* and the instruction stream as needed. This means that we may
1290 compute liveness with one CodeBlock*'s instruction stream, and then perform
1291 queries on that analysis with a different CodeBlock*'s instruction stream.
1293 This seems to be a 2% JSBench progression.
1295 * bytecode/BytecodeGeneratorification.cpp:
1296 (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1297 (JSC::BytecodeGeneratorification::graph):
1298 (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1299 (JSC::GeneratorLivenessAnalysis::run):
1300 (JSC::BytecodeGeneratorification::run):
1301 * bytecode/BytecodeGraph.h:
1302 (JSC::BytecodeGraph::BytecodeGraph):
1303 (JSC::BytecodeGraph::codeBlock const): Deleted.
1304 (JSC::BytecodeGraph::instructions): Deleted.
1305 (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
1306 * bytecode/BytecodeLivenessAnalysis.cpp:
1307 (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
1308 (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1309 (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1310 (JSC::BytecodeLivenessAnalysis::computeKills):
1311 (JSC::BytecodeLivenessAnalysis::dumpResults):
1312 (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
1313 (JSC::BytecodeLivenessAnalysis::compute): Deleted.
1314 * bytecode/BytecodeLivenessAnalysis.h:
1315 * bytecode/BytecodeLivenessAnalysisInlines.h:
1316 (JSC::BytecodeLivenessPropagation::stepOverInstruction):
1317 (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
1318 (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
1319 (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
1320 (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
1321 * bytecode/BytecodeRewriter.cpp:
1322 (JSC::BytecodeRewriter::applyModification):
1323 (JSC::BytecodeRewriter::execute):
1324 (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1325 * bytecode/BytecodeRewriter.h:
1326 (JSC::BytecodeRewriter::BytecodeRewriter):
1327 (JSC::BytecodeRewriter::removeBytecode):
1328 (JSC::BytecodeRewriter::graph):
1329 * bytecode/CodeBlock.cpp:
1330 (JSC::CodeBlock::finishCreation):
1331 (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1332 (JSC::CodeBlock::validate):
1333 (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
1334 * bytecode/CodeBlock.h:
1335 (JSC::CodeBlock::livenessAnalysis):
1336 * bytecode/UnlinkedCodeBlock.cpp:
1337 (JSC::UnlinkedCodeBlock::applyModification):
1338 (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
1339 * bytecode/UnlinkedCodeBlock.h:
1340 (JSC::UnlinkedCodeBlock::livenessAnalysis):
1342 (JSC::DFG::Graph::livenessFor):
1343 (JSC::DFG::Graph::killsFor):
1345 (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
1347 (JSC::JIT::privateCompileMainPass):
1349 2017-10-27 Keith Miller <keith_miller@apple.com>
1351 Add unified source list files and build scripts to Xcode project navigator
1352 https://bugs.webkit.org/show_bug.cgi?id=178959
1354 Reviewed by Andy Estes.
1356 Also, Add some extra source files for so new .cpp/.mm files don't cause the build
1357 to fail right away. We already do this in WebCore.
1359 * JavaScriptCore.xcodeproj/project.pbxproj:
1360 * PlatformMac.cmake:
1361 * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
1363 2017-10-27 JF Bastien <jfbastien@apple.com>
1365 WebAssembly: update arbitrary limits to what browsers use
1366 https://bugs.webkit.org/show_bug.cgi?id=178946
1367 <rdar://problem/34257412>
1368 <rdar://problem/34501154>
1370 Reviewed by Saam Barati.
1372 https://github.com/WebAssembly/design/issues/1138 discusses the
1373 arbitrary function size limit, which it turns out Chrome and
1374 Firefox didn't enforce. We didn't use it because it was
1375 ridiculously low and actual programs ran into that limit (bummer
1376 for Edge which just shipped it...). Now that we agree on a high
1377 arbitrary program limit, let's update it! While I'm doing this
1378 there are a few other spots that I polished to use Checked or
1379 better check limits overall.
1381 * wasm/WasmB3IRGenerator.cpp:
1382 (JSC::Wasm::B3IRGenerator::addLocal):
1383 * wasm/WasmFormat.cpp:
1384 (JSC::Wasm::Segment::create):
1385 * wasm/WasmFunctionParser.h:
1386 (JSC::Wasm::FunctionParser<Context>::parse):
1387 * wasm/WasmInstance.cpp:
1388 * wasm/WasmLimits.h:
1389 * wasm/WasmModuleParser.cpp:
1390 (JSC::Wasm::ModuleParser::parseGlobal):
1391 (JSC::Wasm::ModuleParser::parseCode):
1392 (JSC::Wasm::ModuleParser::parseData):
1393 * wasm/WasmSignature.h:
1394 (JSC::Wasm::Signature::allocatedSize):
1395 * wasm/WasmTable.cpp:
1396 (JSC::Wasm::Table::Table):
1397 * wasm/js/JSWebAssemblyTable.cpp:
1398 (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1399 (JSC::JSWebAssemblyTable::grow):
1401 2017-10-26 Michael Saboff <msaboff@apple.com>
1403 REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1404 https://bugs.webkit.org/show_bug.cgi?id=178890
1406 Reviewed by Keith Miller.
1408 We need to let a contained subpattern backtrack before declaring that the containing
1409 parenthesis doesn't match. If the subpattern fails to match backtracking, then we
1410 can check to see if we trying to backtrack below the minimum match count.
1412 * yarr/YarrInterpreter.cpp:
1413 (JSC::Yarr::Interpreter::backtrackParentheses):
1415 2017-10-26 Mark Lam <mark.lam@apple.com>
1417 JSRopeString::RopeBuilder::append() should check for overflows.
1418 https://bugs.webkit.org/show_bug.cgi?id=178385
1419 <rdar://problem/35027468>
1421 Reviewed by Saam Barati.
1423 1. Made RopeString check for overflow like the Checked class does.
1424 2. Added a missing overflow check in objectProtoFuncToString().
1426 * runtime/JSString.cpp:
1427 (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
1428 (JSC::JSRopeString::RopeBuilder::expand): Deleted.
1429 * runtime/JSString.h:
1430 * runtime/ObjectPrototype.cpp:
1431 (JSC::objectProtoFuncToString):
1432 * runtime/Operations.h:
1433 (JSC::jsStringFromRegisterArray):
1434 (JSC::jsStringFromArguments):
1436 2017-10-26 JF Bastien <jfbastien@apple.com>
1438 WebAssembly: no VM / JS version of our implementation
1439 https://bugs.webkit.org/show_bug.cgi?id=177472
1441 Reviewed by Michael Saboff.
1443 This patch removes all appearances of "JS" and "VM" in the wasm
1444 directory. These now only appear in the wasm/js directory, which
1445 is only used in a JS embedding of wasm. It should therefore now be
1446 possible to create non-JS embeddings of wasm through JSC, though
1447 it'll still require:
1449 - Mild codegen for wasm<->embedder calls;
1450 - A strategy for trap handling (no need for full unwind! Could kill).
1451 - Creation of the Wasm::* objects.
1452 - Calling convention handling to call the embedder.
1453 - Handling of multiple embedders (see #177475, this is optional).
1455 Most of the patch consists in renaming JSWebAssemblyInstance to
1456 Instance, and removing temporary copies which I'd added to make
1457 this specific patch very simple.
1459 * interpreter/CallFrame.cpp:
1460 (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place
1461 which needs to know about who "owns" the Wasm::Instance. In a JS
1462 embedding it's the JSWebAssemblyInstance.
1463 * wasm/WasmB3IRGenerator.cpp:
1464 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1465 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1466 (JSC::Wasm::B3IRGenerator::addGrowMemory):
1467 (JSC::Wasm::B3IRGenerator::addCurrentMemory):
1468 (JSC::Wasm::B3IRGenerator::getGlobal):
1469 (JSC::Wasm::B3IRGenerator::setGlobal):
1470 (JSC::Wasm::B3IRGenerator::addCall):
1471 (JSC::Wasm::B3IRGenerator::addCallIndirect):
1472 * wasm/WasmBinding.cpp:
1473 (JSC::Wasm::wasmToWasm):
1474 * wasm/WasmContext.cpp:
1475 (JSC::Wasm::Context::load const):
1476 (JSC::Wasm::Context::store):
1477 * wasm/WasmContext.h:
1478 * wasm/WasmEmbedder.h:
1479 * wasm/WasmInstance.cpp:
1480 (JSC::Wasm::Instance::Instance):
1481 (JSC::Wasm::Instance::create):
1482 (JSC::Wasm::Instance::extraMemoryAllocated const):
1483 * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
1484 "tail" import information from JSWebAssemblyInstance over to here.
1485 (JSC::Wasm::Instance::finalizeCreation):
1486 (JSC::Wasm::Instance::owner const):
1487 (JSC::Wasm::Instance::offsetOfOwner):
1488 (JSC::Wasm::Instance::context const):
1489 (JSC::Wasm::Instance::setMemory):
1490 (JSC::Wasm::Instance::setTable):
1491 (JSC::Wasm::Instance::offsetOfMemory):
1492 (JSC::Wasm::Instance::offsetOfGlobals):
1493 (JSC::Wasm::Instance::offsetOfTable):
1494 (JSC::Wasm::Instance::offsetOfTail):
1495 (JSC::Wasm::Instance::numImportFunctions const):
1496 (JSC::Wasm::Instance::importFunctionInfo):
1497 (JSC::Wasm::Instance::offsetOfTargetInstance):
1498 (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
1499 (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
1500 (JSC::Wasm::Instance::offsetOfImportFunction):
1501 (JSC::Wasm::Instance::importFunction):
1502 (JSC::Wasm::Instance::allocationSize):
1503 (JSC::Wasm::Instance::create): Deleted.
1504 * wasm/WasmOMGPlan.cpp:
1505 (JSC::Wasm::OMGPlan::runForIndex):
1506 * wasm/WasmOMGPlan.h:
1507 * wasm/WasmTable.cpp:
1508 (JSC::Wasm::Table::Table):
1509 (JSC::Wasm::Table::setFunction):
1511 * wasm/WasmThunks.cpp:
1512 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1513 (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1514 * wasm/js/JSToWasm.cpp:
1515 (JSC::Wasm::createJSToWasmWrapper):
1516 * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
1517 (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
1518 decides what the import function is. Here we must properly
1519 placement-new it to what we've elected (and initialize it later).
1520 (JSC::JSWebAssemblyInstance::visitChildren):
1521 (JSC::JSWebAssemblyInstance::finalizeCreation):
1522 (JSC::JSWebAssemblyInstance::create):
1523 * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
1524 (JSC::JSWebAssemblyInstance::instance):
1525 (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
1526 (JSC::JSWebAssemblyInstance::setMemory):
1527 (JSC::JSWebAssemblyInstance::table):
1528 (JSC::JSWebAssemblyInstance::setTable):
1529 (JSC::JSWebAssemblyInstance::offsetOfInstance):
1530 (JSC::JSWebAssemblyInstance::offsetOfCallee):
1531 (JSC::JSWebAssemblyInstance::context const): Deleted.
1532 (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
1534 (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
1535 (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
1536 (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
1537 (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
1538 (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
1539 (JSC::JSWebAssemblyInstance::importFunction): Deleted.
1540 (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
1541 (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
1542 (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
1543 (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
1544 (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
1545 (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
1546 (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
1547 (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
1548 (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
1549 (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
1550 (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
1551 (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
1552 (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
1553 (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
1554 * wasm/js/JSWebAssemblyTable.cpp:
1555 (JSC::JSWebAssemblyTable::setFunction):
1556 * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
1557 (JSC::Wasm::materializeImportJSCell):
1558 (JSC::Wasm::handleBadI64Use):
1559 (JSC::Wasm::wasmToJS):
1560 (JSC::Wasm::wasmToJSException):
1561 * wasm/js/WasmToJS.h:
1562 * wasm/js/WebAssemblyFunction.cpp:
1563 (JSC::callWebAssemblyFunction):
1564 * wasm/js/WebAssemblyInstanceConstructor.cpp:
1565 (JSC::constructJSWebAssemblyInstance):
1566 * wasm/js/WebAssemblyModuleRecord.cpp:
1567 (JSC::WebAssemblyModuleRecord::link):
1568 (JSC::WebAssemblyModuleRecord::evaluate):
1569 * wasm/js/WebAssemblyPrototype.cpp:
1571 * wasm/js/WebAssemblyWrapperFunction.cpp:
1572 (JSC::WebAssemblyWrapperFunction::create):
1574 2017-10-25 Devin Rousso <webkit@devinrousso.com>
1576 Web Inspector: provide a way to enable/disable event listeners
1577 https://bugs.webkit.org/show_bug.cgi?id=177451
1578 <rdar://problem/34994925>
1580 Reviewed by Joseph Pecoraro.
1582 * inspector/protocol/DOM.json:
1583 Add `setEventListenerDisabled` command that enables/disables a specific event listener
1584 during event dispatch. When a disabled event listener is fired, the listener's callback will
1587 2017-10-25 Commit Queue <commit-queue@webkit.org>
1589 Unreviewed, rolling out r223691 and r223729.
1590 https://bugs.webkit.org/show_bug.cgi?id=178834
1592 Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1593 by rniwa on #webkit).
1595 Reverted changesets:
1597 "Turn recursive tail calls into loops"
1598 https://bugs.webkit.org/show_bug.cgi?id=176601
1599 https://trac.webkit.org/changeset/223691
1601 "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1602 comparison is always false due to limited range of data type
1604 https://bugs.webkit.org/show_bug.cgi?id=178543
1605 https://trac.webkit.org/changeset/223729
1607 2017-10-25 Michael Saboff <msaboff@apple.com>
1609 REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
1610 https://bugs.webkit.org/show_bug.cgi?id=178825
1612 Reviewed by Mark Lam.
1614 Enable ARC for ARM64_32. This eliminate the need for setting CLANG_ENABLE_OBJC_WEAK.
1616 * Configurations/ToolExecutable.xcconfig:
1618 2017-10-25 Keith Miller <keith_miller@apple.com>
1620 Fix implicit cast of enum, which seems to break the windows build of unified sources.
1621 https://bugs.webkit.org/show_bug.cgi?id=178822
1623 Reviewed by Saam Barati.
1625 * bytecode/DFGExitProfile.h:
1626 (JSC::DFG::FrequentExitSite::hash const):
1628 2017-10-24 Michael Saboff <msaboff@apple.com>
1630 Allow OjbC Weak References when building TestAPI
1631 https://bugs.webkit.org/show_bug.cgi?id=178748
1633 Reviewed by Dan Bernstein.
1635 Set TestAPI build flag Weak References in Manual Retain Release to true.
1637 * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
1638 * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
1640 2017-10-24 Eric Carlson <eric.carlson@apple.com>
1642 Web Inspector: Enable WebKit logging configuration and display
1643 https://bugs.webkit.org/show_bug.cgi?id=177027
1644 <rdar://problem/33964767>
1646 Reviewed by Joseph Pecoraro.
1648 * inspector/ConsoleMessage.cpp:
1649 (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage ->
1650 Inspector::Protocol::Console::ChannelSource.
1651 * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1652 (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
1653 specific to a JSContext yet, so return an empty channel array.
1654 (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
1655 * inspector/agents/JSGlobalObjectConsoleAgent.h:
1657 * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
1658 and setLoggingChannelLevel.
1660 * inspector/scripts/codegen/generator.py: Special case "webrtc"-> "WebRTC".
1661 * inspector/scripts/tests/generic/expected/enum-values.json-result:
1662 * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1663 * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1664 * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1665 * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1667 * runtime/ConsoleTypes.h: Add Media and WebRTC.
1669 2017-10-24 Michael Saboff <msaboff@apple.com>
1671 Allow OjbC Weak References when building TestAPI
1672 https://bugs.webkit.org/show_bug.cgi?id=178748
1674 Reviewed by Saam Barati.
1676 Set TestAPI build flag Weak References in Manual Retain Release to true.
1678 * JavaScriptCore.xcodeproj/project.pbxproj:
1680 2017-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
1682 [FTL] Support NewStringObject
1683 https://bugs.webkit.org/show_bug.cgi?id=178737
1685 Reviewed by Saam Barati.
1687 FTL should support NewStringObject and encourage use of NewStringObject in DFG pipeline.
1688 After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
1690 * ftl/FTLAbstractHeapRepository.h:
1691 * ftl/FTLCapabilities.cpp:
1692 (JSC::FTL::canCompile):
1693 * ftl/FTLLowerDFGToB3.cpp:
1694 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1695 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1697 2017-10-24 Guillaume Emont <guijemont@igalia.com>
1699 [mips] fix offsets of branches that have to go over a jump
1700 https://bugs.webkit.org/show_bug.cgi?id=153464
1702 The jump() function creates 8 instructions, but the offsets of branches
1703 meant to go over them only account for 6. In most cases, this is not an
1704 issue as the last two instructions of jump() would be nops, but in the
1705 rarer case where the jump destination is in a different 256 MB segment,
1706 MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
1707 the last 4 instructions would be a 2 instruction load (lui/ori) into
1708 $t9, a "j $t9" and then a nop. The wrong offset will mean that the
1709 previous branches meant to go over the whole jump will branch to the
1710 "j $t9" instruction, which would jump to whatever is currently in $t9
1711 (since lui/ori would not be executed).
1713 Reviewed by Michael Catanzaro.
1715 * assembler/MacroAssemblerMIPS.h:
1716 (JSC::MacroAssemblerMIPS::branchAdd32):
1717 (JSC::MacroAssemblerMIPS::branchMul32):
1718 (JSC::MacroAssemblerMIPS::branchSub32):
1719 Fix the offsets of branches meant to go over code generated by jump().
1721 2017-10-24 JF Bastien <jfbastien@apple.com>
1723 WebAssembly: NFC renames of things that aren't JS-specific
1724 https://bugs.webkit.org/show_bug.cgi?id=178738
1726 Reviewed by Saam Barati.
1728 * wasm/WasmB3IRGenerator.cpp:
1729 (JSC::Wasm::parseAndCompile):
1730 * wasm/WasmB3IRGenerator.h:
1731 * wasm/WasmBBQPlan.cpp:
1732 (JSC::Wasm::BBQPlan::complete):
1733 * wasm/WasmCodeBlock.cpp:
1734 (JSC::Wasm::CodeBlock::CodeBlock):
1735 * wasm/WasmCodeBlock.h:
1736 (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
1737 (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
1738 * wasm/WasmFormat.h:
1739 * wasm/js/JSToWasm.cpp:
1740 (JSC::Wasm::createJSToWasmWrapper):
1741 * wasm/js/WebAssemblyModuleRecord.cpp:
1742 (JSC::WebAssemblyModuleRecord::link):
1743 (JSC::WebAssemblyModuleRecord::evaluate):
1745 2017-10-24 Stephan Szabo <stephan.szabo@sony.com>
1747 [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
1748 https://bugs.webkit.org/show_bug.cgi?id=177279
1750 Reviewed by Yusuke Suzuki.
1752 * shell/PlatformJSCOnly.cmake: Added.
1754 2017-10-15 Yusuke Suzuki <utatane.tea@gmail.com>
1756 [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
1757 https://bugs.webkit.org/show_bug.cgi?id=178308
1759 Reviewed by Mark Lam.
1761 With the change of the spec[1], we now do not need to remember star resolution modules.
1762 We reflect this change to our implementation. Since this change is covered by test262,
1763 this patch improves the score of test262.
1765 We also add logging to ResolveExport to debug it easily.
1767 [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
1769 * runtime/AbstractModuleRecord.cpp:
1770 (JSC::AbstractModuleRecord::ResolveQuery::dump const):
1771 (JSC::AbstractModuleRecord::resolveExportImpl):
1773 2017-10-24 Yusuke Suzuki <utatane.tea@gmail.com>
1775 [JSC] Use emitDumbVirtualCall in 32bit JIT
1776 https://bugs.webkit.org/show_bug.cgi?id=178644
1778 Reviewed by Mark Lam.
1780 This patch aligns 32bit JIT op_call_eval slow case to 64bit version by using emitDumbVirtualCall.
1782 * jit/JITCall32_64.cpp:
1783 (JSC::JIT::compileCallEvalSlowCase):
1785 2017-10-22 Yusuke Suzuki <utatane.tea@gmail.com>
1787 [JSC] Drop ArityCheckData
1788 https://bugs.webkit.org/show_bug.cgi?id=178648
1790 Reviewed by Mark Lam.
1792 ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
1793 However, use of `thunkToCall` is removed in 64bit environment at r189575.
1795 We remove `thunkToCall` and align 32bit implementation to 64bit implementation.
1796 Since we no longer need to have the above pair, we can remove ArityCheckData too.
1798 * llint/LowLevelInterpreter32_64.asm:
1799 * llint/LowLevelInterpreter64.asm:
1800 * runtime/CommonSlowPaths.cpp:
1801 (JSC::SLOW_PATH_DECL):
1802 (JSC::setupArityCheckData): Deleted.
1803 * runtime/CommonSlowPaths.h:
1808 2017-10-23 Keith Miller <keith_miller@apple.com>
1810 Unreviewed, reland r223866
1812 Didn't break the windows build...
1816 "WebAssembly: topEntryFrame on Wasm::Instance"
1817 https://bugs.webkit.org/show_bug.cgi?id=178690
1818 https://trac.webkit.org/changeset/223866
1821 2017-10-23 Commit Queue <commit-queue@webkit.org>
1823 Unreviewed, rolling out r223866.
1824 https://bugs.webkit.org/show_bug.cgi?id=178699
1826 Probably broke the windows build (Requested by keith_miller on
1831 "WebAssembly: topEntryFrame on Wasm::Instance"
1832 https://bugs.webkit.org/show_bug.cgi?id=178690
1833 https://trac.webkit.org/changeset/223866
1835 2017-10-23 Joseph Pecoraro <pecoraro@apple.com>
1837 Web Inspector: Remove unused Console.setMonitoringXHREnabled
1838 https://bugs.webkit.org/show_bug.cgi?id=178617
1840 Reviewed by Sam Weinig.
1842 * JavaScriptCore.xcodeproj/project.pbxproj:
1844 * inspector/agents/InspectorConsoleAgent.h:
1845 * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
1846 * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
1847 * inspector/protocol/Console.json:
1848 Removed files and method.
1850 * inspector/JSGlobalObjectInspectorController.cpp:
1851 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1852 This can use the base ConsoleAgent now.
1854 2017-10-23 JF Bastien <jfbastien@apple.com>
1856 WebAssembly: topEntryFrame on Wasm::Instance
1857 https://bugs.webkit.org/show_bug.cgi?id=178690
1859 Reviewed by Saam Barati.
1861 topEntryFrame is usually on VM, but for a no-VM WebAssembly we
1862 need to hold topEntryFrame elsewhere, and generated code cannot
1863 hard-code where topEntryFrame live. Do this at creation time of
1864 Wasm::Instance, and then generated code will just load from
1865 wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
1866 embedding this is still from VM, so all of the unwinding machinery
1869 * dfg/DFGOSREntry.cpp:
1870 (JSC::DFG::prepareOSREntry):
1871 * dfg/DFGOSRExit.cpp:
1872 (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1873 (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1874 * ftl/FTLOSRExitCompiler.cpp:
1875 (JSC::FTL::compileStub):
1876 * interpreter/Interpreter.cpp:
1877 (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1878 * jit/AssemblyHelpers.cpp:
1879 (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
1880 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
1881 * jit/AssemblyHelpers.h:
1882 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
1883 The default parameter was never non-defaulted from any of the
1884 callers. The new version calls the impl directly because it
1885 doesn't have VM and doesn't hard-code the address of
1887 * jit/RegisterSet.cpp:
1888 (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
1889 VM because it's not really VM-specific.
1890 * jit/RegisterSet.h:
1892 (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
1894 (JSC::VM::getCTIStub):
1895 * wasm/WasmB3IRGenerator.cpp:
1896 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1897 (JSC::Wasm::B3IRGenerator::addCall):
1898 (JSC::Wasm::B3IRGenerator::addCallIndirect):
1899 * wasm/WasmInstance.cpp:
1900 (JSC::Wasm::Instance::Instance):
1901 * wasm/WasmInstance.h: topEntryFramePointer will eventually live
1902 here for real. Right now it's mirrored in JSWebAssemblyInstance
1903 because that's the acting Context.
1904 (JSC::Wasm::Instance::create):
1905 (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
1906 * wasm/WasmThunks.cpp:
1907 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1908 * wasm/js/JSWebAssemblyInstance.cpp:
1909 (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
1910 * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
1911 (JSC::JSWebAssemblyInstance::offsetOfCallee):
1912 (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
1913 (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
1914 * wasm/js/WebAssemblyInstanceConstructor.cpp:
1915 (JSC::constructJSWebAssemblyInstance):
1916 * wasm/js/WebAssemblyPrototype.cpp:
1919 2017-10-23 Joseph Pecoraro <pecoraro@apple.com>
1921 Web Inspector: Please support HAR Export for network traffic
1922 https://bugs.webkit.org/show_bug.cgi?id=146692
1923 <rdar://problem/7463672>
1925 Reviewed by Brian Burg.
1927 * inspector/protocol/Network.json:
1928 Add a walltime to each send request.
1930 2017-10-23 Matt Lewis <jlewis3@apple.com>
1932 Unreviewed, rolling out r223820.
1934 This caused a build break on Windows.
1938 "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
1939 https://bugs.webkit.org/show_bug.cgi?id=178617
1940 https://trac.webkit.org/changeset/223820
1942 2017-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
1944 [JSC] Use fastJoin in Array#toString
1945 https://bugs.webkit.org/show_bug.cgi?id=178062
1947 Reviewed by Darin Adler.
1949 Array#toString()'s fast path uses original join operation.
1950 But this should use fastJoin if possible.
1951 This patch adds a fast path using fastJoin in Array#toString.
1952 And we also extend fastJoin to perform fast joining for int32
1957 double-array-to-string 126.6157+-5.8625 ^ 103.7343+-4.4968 ^ definitely 1.2206x faster
1958 int32-array-to-string 64.7792+-2.6524 61.2390+-2.1749 might be 1.0578x faster
1959 contiguous-array-to-string 62.6224+-2.6388 ^ 56.9899+-2.0852 ^ definitely 1.0988x faster
1962 * runtime/ArrayPrototype.cpp:
1964 (JSC::arrayProtoFuncToString):
1965 (JSC::arrayProtoFuncToLocaleString):
1966 * runtime/JSStringJoiner.h:
1967 (JSC::JSStringJoiner::appendWithoutSideEffects):
1968 (JSC::JSStringJoiner::appendInt32):
1969 (JSC::JSStringJoiner::appendDouble):
1971 2017-10-22 Zan Dobersek <zdobersek@igalia.com>
1973 [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
1974 https://bugs.webkit.org/show_bug.cgi?id=178452
1976 Reviewed by Yusuke Suzuki.
1978 * heap/RegisterState.h: Re-enable the custom RegisterState and
1979 ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
1980 cause any crashes nowadays.
1982 2017-10-22 Yusuke Suzuki <utatane.tea@gmail.com>
1984 [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
1985 https://bugs.webkit.org/show_bug.cgi?id=178647
1987 Reviewed by Saam Barati.
1989 There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone
1990 since the number of slow cases depends on values of instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
1991 which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function,
1992 this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.
1995 (JSC::JIT::linkAllSlowCases):
1996 * jit/JITArithmetic.cpp:
1997 (JSC::JIT::emitSlow_op_unsigned):
1998 (JSC::JIT::emit_compareAndJump):
1999 (JSC::JIT::emit_compareAndJumpSlow):
2000 (JSC::JIT::emitSlow_op_inc):
2001 (JSC::JIT::emitSlow_op_dec):
2002 (JSC::JIT::emitSlow_op_mod):
2003 (JSC::JIT::emitSlow_op_negate):
2004 (JSC::JIT::emitSlow_op_bitand):
2005 (JSC::JIT::emitSlow_op_bitor):
2006 (JSC::JIT::emitSlow_op_bitxor):
2007 (JSC::JIT::emitSlow_op_lshift):
2008 (JSC::JIT::emitSlow_op_rshift):
2009 (JSC::JIT::emitSlow_op_urshift):
2010 (JSC::JIT::emitSlow_op_add):
2011 (JSC::JIT::emitSlow_op_div):
2012 (JSC::JIT::emitSlow_op_mul):
2013 (JSC::JIT::emitSlow_op_sub):
2014 * jit/JITArithmetic32_64.cpp:
2015 (JSC::JIT::emit_compareAndJumpSlow):
2016 (JSC::JIT::emitSlow_op_unsigned):
2017 (JSC::JIT::emitSlow_op_inc):
2018 (JSC::JIT::emitSlow_op_dec):
2019 (JSC::JIT::emitSlow_op_mod):
2021 (JSC::JIT::compileCallEvalSlowCase):
2022 (JSC::JIT::compileOpCallSlowCase):
2023 * jit/JITCall32_64.cpp:
2024 (JSC::JIT::compileCallEvalSlowCase):
2025 (JSC::JIT::compileOpCallSlowCase):
2027 (JSC::JIT::linkAllSlowCasesForBytecodeOffset):
2028 * jit/JITOpcodes.cpp:
2029 (JSC::JIT::emitSlow_op_new_object):
2030 (JSC::JIT::emitSlow_op_create_this):
2031 (JSC::JIT::emitSlow_op_check_tdz):
2032 (JSC::JIT::emitSlow_op_to_this):
2033 (JSC::JIT::emitSlow_op_to_primitive):
2034 (JSC::JIT::emitSlow_op_not):
2035 (JSC::JIT::emitSlow_op_eq):
2036 (JSC::JIT::emitSlow_op_neq):
2037 (JSC::JIT::emitSlow_op_stricteq):
2038 (JSC::JIT::emitSlow_op_nstricteq):
2039 (JSC::JIT::emitSlow_op_instanceof):
2040 (JSC::JIT::emitSlow_op_instanceof_custom):
2041 (JSC::JIT::emitSlow_op_to_number):
2042 (JSC::JIT::emitSlow_op_to_string):
2043 (JSC::JIT::emitSlow_op_loop_hint):
2044 (JSC::JIT::emitSlow_op_check_traps):
2045 (JSC::JIT::emitSlow_op_has_indexed_property):
2046 (JSC::JIT::emitSlow_op_get_direct_pname):
2047 (JSC::JIT::emitSlow_op_has_structure_property):
2048 * jit/JITOpcodes32_64.cpp:
2049 (JSC::JIT::emitSlow_op_new_object):
2050 (JSC::JIT::emitSlow_op_instanceof):
2051 (JSC::JIT::emitSlow_op_instanceof_custom):
2052 (JSC::JIT::emitSlow_op_to_primitive):
2053 (JSC::JIT::emitSlow_op_not):
2054 (JSC::JIT::emitSlow_op_stricteq):
2055 (JSC::JIT::emitSlow_op_nstricteq):
2056 (JSC::JIT::emitSlow_op_to_number):
2057 (JSC::JIT::emitSlow_op_to_string):
2058 (JSC::JIT::emitSlow_op_create_this):
2059 (JSC::JIT::emitSlow_op_to_this):
2060 (JSC::JIT::emitSlow_op_check_tdz):
2061 (JSC::JIT::emitSlow_op_has_indexed_property):
2062 (JSC::JIT::emitSlow_op_get_direct_pname):
2063 * jit/JITPropertyAccess.cpp:
2064 (JSC::JIT::emitSlow_op_try_get_by_id):
2065 (JSC::JIT::emitSlow_op_get_by_id):
2066 (JSC::JIT::emitSlow_op_get_by_id_with_this):
2067 (JSC::JIT::emitSlow_op_put_by_id):
2068 (JSC::JIT::emitSlow_op_resolve_scope):
2069 (JSC::JIT::emitSlow_op_get_from_scope):
2070 (JSC::JIT::emitSlow_op_put_to_scope):
2071 * jit/JITPropertyAccess32_64.cpp:
2072 (JSC::JIT::emitSlow_op_try_get_by_id):
2073 (JSC::JIT::emitSlow_op_get_by_id):
2074 (JSC::JIT::emitSlow_op_get_by_id_with_this):
2075 (JSC::JIT::emitSlow_op_put_by_id):
2076 (JSC::JIT::emitSlow_op_resolve_scope):
2077 (JSC::JIT::emitSlow_op_get_from_scope):
2078 (JSC::JIT::emitSlow_op_put_to_scope):
2080 2017-10-22 Yusuke Suzuki <utatane.tea@gmail.com>
2082 [JSC] Clean up baseline slow path
2083 https://bugs.webkit.org/show_bug.cgi?id=178646
2085 Reviewed by Saam Barati.
2087 If the given op is just calling a slow path function, we should use DEFINE_SLOW_OP instead.
2088 It is good since (1) we can reduce the manual emitting code and (2) it can clarify which
2089 function is implemented as a slow path call. This patch is an attempt to reduce 32bit specific
2090 code in baseline JIT.
2093 (JSC::JIT::privateCompileMainPass):
2095 * jit/JITArithmetic.cpp:
2096 (JSC::JIT::emit_op_pow): Deleted.
2097 * jit/JITArithmetic32_64.cpp:
2098 (JSC::JIT::emitSlow_op_mod):
2099 * jit/JITOpcodes.cpp:
2100 (JSC::JIT::emit_op_strcat): Deleted.
2101 (JSC::JIT::emit_op_push_with_scope): Deleted.
2102 (JSC::JIT::emit_op_assert): Deleted.
2103 (JSC::JIT::emit_op_create_lexical_environment): Deleted.
2104 (JSC::JIT::emit_op_throw_static_error): Deleted.
2105 (JSC::JIT::emit_op_new_array_with_spread): Deleted.
2106 (JSC::JIT::emit_op_spread): Deleted.
2107 (JSC::JIT::emit_op_get_enumerable_length): Deleted.
2108 (JSC::JIT::emit_op_has_generic_property): Deleted.
2109 (JSC::JIT::emit_op_get_property_enumerator): Deleted.
2110 (JSC::JIT::emit_op_to_index_string): Deleted.
2111 (JSC::JIT::emit_op_create_direct_arguments): Deleted.
2112 (JSC::JIT::emit_op_create_scoped_arguments): Deleted.
2113 (JSC::JIT::emit_op_create_cloned_arguments): Deleted.
2114 (JSC::JIT::emit_op_create_rest): Deleted.
2115 (JSC::JIT::emit_op_unreachable): Deleted.
2116 * jit/JITOpcodes32_64.cpp:
2117 (JSC::JIT::emit_op_strcat): Deleted.
2118 (JSC::JIT::emit_op_push_with_scope): Deleted.
2119 (JSC::JIT::emit_op_assert): Deleted.
2120 (JSC::JIT::emit_op_create_lexical_environment): Deleted.
2121 * jit/JITPropertyAccess.cpp:
2122 (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
2123 (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
2124 (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
2125 (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
2126 (JSC::JIT::emit_op_define_data_property): Deleted.
2127 (JSC::JIT::emit_op_define_accessor_property): Deleted.
2128 * jit/JITPropertyAccess32_64.cpp:
2129 (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
2130 (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
2131 (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
2132 (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
2134 2017-10-21 Joseph Pecoraro <pecoraro@apple.com>
2136 Web Inspector: Remove unused Console.setMonitoringXHREnabled
2137 https://bugs.webkit.org/show_bug.cgi?id=178617
2139 Reviewed by Sam Weinig.
2141 * JavaScriptCore.xcodeproj/project.pbxproj:
2143 * inspector/agents/InspectorConsoleAgent.h:
2144 * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
2145 * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
2146 * inspector/protocol/Console.json:
2147 Removed files and method.
2149 * inspector/JSGlobalObjectInspectorController.cpp:
2150 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2151 This can use the base ConsoleAgent now.
2153 2017-10-21 Yusuke Suzuki <utatane.tea@gmail.com>
2155 [JSC] Remove per-host-function CTI stub in 32bit environment
2156 https://bugs.webkit.org/show_bug.cgi?id=178581
2158 Reviewed by Saam Barati.
2160 JIT::privateCompileCTINativeCall only exists in 32bit environment and it is almost the same to native call CTI stub.
2161 The only difference is that it embed the address of the host function directly in the generated stub. This means
2162 that we have per-host-function CTI stub only in 32bit environment.
2164 This patch just removes it and use one CTI stub instead. This design is the same to the current 64bit implementation.
2167 (JSC::JIT::compileCTINativeCall): Deleted.
2169 * jit/JITOpcodes.cpp:
2170 (JSC::JIT::privateCompileCTINativeCall): Deleted.
2171 * jit/JITOpcodes32_64.cpp:
2172 (JSC::JIT::privateCompileCTINativeCall): Deleted.
2173 * jit/JITThunks.cpp:
2174 (JSC::JITThunks::hostFunctionStub):
2176 2017-10-20 Antoine Quint <graouts@apple.com>
2178 [Web Animations] Provide basic timeline and animation interfaces
2179 https://bugs.webkit.org/show_bug.cgi?id=178526
2181 Reviewed by Dean Jackson.
2183 Remove the WEB_ANIMATIONS compile-time flag.
2185 * Configurations/FeatureDefines.xcconfig:
2187 2017-10-20 Commit Queue <commit-queue@webkit.org>
2189 Unreviewed, rolling out r223744, r223750, and r223751.
2190 https://bugs.webkit.org/show_bug.cgi?id=178594
2192 These caused consistent failures in test that existed and were
2193 added in the patches. (Requested by mlewis13 on #webkit).
2195 Reverted changesets:
2197 "[JSC] ScriptFetcher should be notified directly from module
2199 https://bugs.webkit.org/show_bug.cgi?id=178340
2200 https://trac.webkit.org/changeset/223744
2202 "Unreviewed, fix changed line number in test expect files"
2203 https://bugs.webkit.org/show_bug.cgi?id=178340
2204 https://trac.webkit.org/changeset/223750
2206 "Unreviewed, follow up to reflect comments"
2207 https://bugs.webkit.org/show_bug.cgi?id=178340
2208 https://trac.webkit.org/changeset/223751
2210 2017-10-20 Yusuke Suzuki <utatane.tea@gmail.com>
2212 Unreviewed, follow up to reflect comments
2213 https://bugs.webkit.org/show_bug.cgi?id=178340
2215 * runtime/JSModuleLoader.cpp:
2216 (JSC::JSModuleLoader::notifyCompleted):
2218 2017-10-20 Saam Barati <sbarati@apple.com>
2220 Optimize accesses to how we get the direct prototype
2221 https://bugs.webkit.org/show_bug.cgi?id=178548
2223 Reviewed by Yusuke Suzuki.
2225 This patch makes JSObject::getPrototypeDirect take VM& as a parameter
2226 so it can use the faster version of the structure accessor function.
2227 The reason for making this change is that JSObjet::getPrototypeDirect
2228 is called on the hot path in property lookup.
2230 * API/JSObjectRef.cpp:
2231 (JSObjectGetPrototype):
2233 (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2234 (WTF::DOMJITGetterBaseJSObject::customGetter):
2235 (functionCreateProxy):
2236 * runtime/ArrayPrototype.cpp:
2237 (JSC::speciesWatchpointIsValid):
2238 * runtime/ErrorInstance.cpp:
2239 (JSC::ErrorInstance::sanitizedToString):
2240 * runtime/JSArray.cpp:
2241 (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2242 * runtime/JSGlobalObject.cpp:
2243 (JSC::JSGlobalObject::init):
2244 (JSC::lastInPrototypeChain):
2245 (JSC::JSGlobalObject::resetPrototype):
2246 (JSC::JSGlobalObject::finishCreation):
2247 * runtime/JSGlobalObjectInlines.h:
2248 (JSC::JSGlobalObject::objectPrototypeIsSane):
2249 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2250 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2251 * runtime/JSLexicalEnvironment.cpp:
2252 (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2253 * runtime/JSMap.cpp:
2254 (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2255 * runtime/JSObject.cpp:
2256 (JSC::JSObject::calculatedClassName):
2257 (JSC::JSObject::setPrototypeWithCycleCheck):
2258 (JSC::JSObject::getPrototype):
2259 (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2260 (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
2261 (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
2262 (JSC::JSObject::prototypeChainMayInterceptStoreTo):
2263 * runtime/JSObject.h:
2264 (JSC::JSObject::finishCreation):
2265 (JSC::JSObject::getPrototypeDirect const):
2266 (JSC::JSObject::getPrototype):
2267 * runtime/JSObjectInlines.h:
2268 (JSC::JSObject::canPerformFastPutInline):
2269 (JSC::JSObject::getPropertySlot):
2270 (JSC::JSObject::getNonIndexPropertySlot):
2271 * runtime/JSProxy.cpp:
2272 (JSC::JSProxy::setTarget):
2273 * runtime/JSSet.cpp:
2274 (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2275 * runtime/ProgramExecutable.cpp:
2276 (JSC::ProgramExecutable::initializeGlobalProperties):
2277 * runtime/StructureInlines.h:
2278 (JSC::Structure::isValid const):
2280 2017-10-20 Yusuke Suzuki <utatane.tea@gmail.com>
2282 [ARM64] static_cast<int32_t>() in BinaryOpNode::emitBytecode() prevents op_unsigned emission
2283 https://bugs.webkit.org/show_bug.cgi?id=178379
2285 Reviewed by Saam Barati.
2287 We reuse jsNumber's checking mechanism here to precisely check the generated number is within uint32_t
2288 in bytecode compiler. This is reasonable since the NumberNode will generate the exact this JSValue.
2290 * bytecompiler/NodesCodegen.cpp:
2291 (JSC::BinaryOpNode::emitBytecode):
2293 2017-10-20 Yusuke Suzuki <utatane.tea@gmail.com>
2295 [JSC] ScriptFetcher should be notified directly from module pipeline
2296 https://bugs.webkit.org/show_bug.cgi?id=178340
2298 Reviewed by Sam Weinig.
2300 Previously, we use JSStdFunction to let WebCore inform the module pipeline results.
2301 We setup JSStdFunction to the resulted promise of the module pipeline. It is super
2302 ad-hoc since JSStdFunction's lambda need extra-careful to make it non-cyclic-referenced.
2303 JSStdFunction's lambda can capture variables, but they are not able to be marked by GC.
2305 But now, we have ScriptFetcher. It is introduced after we implemented the module pipeline
2306 notification mechanism by using JSStdFunction. But it is appropriate one to receive notification
2307 from the module pipeline by observer style.
2309 This patch removes the above ad-hoc JSStdFunction use. And now ScriptFetcher receives
2310 completion/failure notifications from the module pipeline.
2312 * builtins/ModuleLoaderPrototype.js:
2314 (loadAndEvaluateModule):
2315 * runtime/Completion.cpp:
2317 * runtime/Completion.h:
2318 * runtime/JSModuleLoader.cpp:
2319 (JSC::jsValueToModuleKey):
2320 (JSC::JSModuleLoader::notifyCompleted):
2321 (JSC::JSModuleLoader::notifyFailed):
2322 * runtime/JSModuleLoader.h:
2323 * runtime/ModuleLoaderPrototype.cpp:
2324 (JSC::moduleLoaderPrototypeNotifyCompleted):
2325 (JSC::moduleLoaderPrototypeNotifyFailed):
2326 * runtime/ScriptFetcher.h:
2327 (JSC::ScriptFetcher::notifyLoadCompleted):
2328 (JSC::ScriptFetcher::notifyLoadFailed):
2330 2017-10-19 JF Bastien <jfbastien@apple.com>
2332 WebAssembly: no VM / JS version of everything but Instance
2333 https://bugs.webkit.org/show_bug.cgi?id=177473
2335 Reviewed by Filip Pizlo, Saam Barati.
2337 This change entails cleaning up and splitting a bunch of code which we had
2338 intertwined between C++ classes which represent JS objects, and pure C++
2339 implementation objects. This specific change goes most of the way towards
2340 allowing JSC's WebAssembly to work without VM / JS, up to but excluding
2341 JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
2342 yet). Because of this we still have a few FIXME identifying places that need to
2343 change. A follow-up change will go the rest of the way.
2345 I went about this change in the simplest way possible: grep the
2346 JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
2347 sub-directory (which contains the JS implementation of WebAssembly).
2349 None of this change removes the need for a JIT entitlement to be able to use
2350 WebAssembly. We don't have an interpreter, the process therefore still needs to
2351 be allowed to JIT to use these pure-C++ APIs.
2353 Interesting things to note:
2355 - Remove VM from Plan and associated places. It can just live as a capture in
2356 the callback lambda if it's needed.
2357 - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
2358 collect. We now instead pass two lambdas at construction time for this
2359 purpose: one to notify of memory pressure, and the other to ask for
2360 syncrhonous memory reclamation. This allows whoever creates the memory to
2361 dictate how to react to both these cases, and for a JS embedding that's to
2362 call the GC (async or sync, respectively).
2363 - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
2364 there, with an enum class for failure types.
2365 - Exceeding max on memory growth now returns a range error as per spec. This
2366 is a (very minor) breaking change: it used to throw OOM error. Update the
2368 - When generating the grow_memory opcode, no need to get the VM. Instead,
2369 reach directly for Wasm::Memory and grow it.
2370 - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
2371 ever called from JS (not from grow_memory as before).
2372 - Wasm::Memory now takes a callback for successful growth. This allows JS
2373 wrappers to register themselves when growth succeeds without Wasm::Memory
2374 knowning anything about JS. It'll also allow creating a list of callbacks
2375 for when we add thread support (we'll want to notify many wrappers, all
2377 - Wasm::Memory is now back to being the source of truth about address / size,
2378 used directly by generated code instead of JSWebAssemblyMemory.
2379 - Move wasmToJS from the general WasmBinding header to its own header under
2380 wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
2381 and therefore isn't general WebAssembly.
2382 - Make Wasm::Context an actual type (just a struct holding a
2383 JSWebAssemlyInstance for now) instead of an alias for that. Notably this
2384 doesn't add anything to the Context and doesn't change what actually gets
2385 passed around in JIT code (fast TLS or registers) because these changes
2386 potentially impact performance. The entire purpose of this change is to
2387 allow passing Wasm::Context around without having to know about VM. Since VM
2388 contains a Wasm::Context the JS embedding is effectively the same, but with
2389 this setup a non-JS embedding is much better off.
2390 - Move JSWebAssembly into the JS folder.
2391 - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
2392 - wasm->JS stubs are now on the instance's tail as raw pointers, instead of
2393 being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
2394 stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
2395 called wasm->JS stub. This move means that the embedder must, after creating
2396 a Wasm::CodeBlock, somehow create the stubs to call back into the
2397 embedder. This removes an indirection in the generated code because
2398 the B3 IR generator now reaches into the instance instead of
2399 JSWebAssemblyCodeBlock.
2400 - Move more CodeBlock things. Compilation completion is now marked by its own
2401 atomic<bool> flag instead of a nullptr plan: that required using a lock, and
2402 was causing a deadlock in stack-trace.js because before my changes
2403 JSWebAssemblyCodeBlock did its own completion checking separately from
2404 Wasm::CodeBlock, without getting the lock. Now that everything points to
2405 Wasm::CodeBlock and there's no cached completion marker, the lock was being
2406 acquired in a sanity-check assertion.
2407 - Embedder -> Wasm wrappers are now generated through a function that's passed
2408 in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
2409 - WasmMemory doens't need to know about fault handling thunks. Only the IR
2410 generator should know, and should make sure that the exception throwing
2411 thunk is generated if any memory is present (note: with signal handling not
2412 all of them generate an exception check).
2413 - Make exception throwing pluggable: instead of having a hard-coded
2414 JS-specific lambda we now have a regular C++ function being called from JIT
2415 code when a WebAssembly exception is thrown. This allows any embedder to get
2416 called as they wish. For now a process can only have a single of these
2417 functions (i.e. only one embedder per process) because the trap handler is a
2418 singleton. That can be fixed in in #177475.
2419 - Create WasmEmbedder.h where all embedder plugging will live.
2420 - Split up JSWebAssemblyTable into Wasm::Table which is
2421 refcounted. JSWebAssemblyTable now only contains the JS functions in the
2422 table, and Wasm::Table is what's used by the JIT code to lookup where to
2423 call and do the instance check (for context switch). Note that this creates
2424 an extra allocation for all the instances in Wasm::Table, and in exchange
2425 removes an indirection in JIT code because the instance used to be obtained
2426 off of the JS function. Also note that it's the embedder than keeps the
2427 instances alive, not Wasm::Table (which holds a dumb pointer to the
2428 instance), because doing otherwise would cause reference cycles.
2429 - Add WasmInstance. It doesn't do much for now, owns globals.
2430 - JSWebAssembly instance now doesn't just contain the imported functions as
2431 JSObjects, it also has the corresponding import's instance and wasm
2432 entrypoint. This triples the space allocated per instance's imported
2433 function, but there shouldn't be that many imports. This has two upsides: it
2434 creates smaller and faster code, and makes is easier to disassociate
2435 embedder-specific things from embedder-neutral things. The small / faster
2436 win is in two places: B3 IR generator only needs offsetOfImportFunction for
2437 the call opcode (when the called index is an import) to know whether the
2438 import is wasm->wasm or wasm->embedder (this isn't known at compile-time
2439 because it's dependent on the import object), this is now done by seeing if
2440 that import function has an associated target instance (only wasm->wasm
2441 does); the other place is wasmBinding which uses offsetOfImportFunction to
2442 figure out the wasm->wasm target instance, and then gets
2443 WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
2444 call. The disassociation comes because the target instance can be
2445 Wasm::Instance once we change what the Context is, and
2446 WasmEntrypointLoadLocation is already embedder-independent. As a next step I
2447 can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
2448 and leave importFunction in as an opaque pointer which is embedder-specific,
2449 and in JS will remain WriteBarrier<JSObject>.
2450 - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
2451 around instead of VM. This is a first step in allowing entry frames which
2452 aren't stored on VM, but which are instead stored in an embedder-specific
2453 location. That change won't really affect JS except through code churn, but
2454 will allow WebAssembly to use some machinery in a generic manner without
2457 * JavaScriptCore.xcodeproj/project.pbxproj:
2459 * bytecode/PolymorphicAccess.cpp:
2460 (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2461 * debugger/Debugger.cpp:
2462 (JSC::Debugger::stepOutOfFunction):
2463 (JSC::Debugger::returnEvent):
2464 (JSC::Debugger::unwindEvent):
2465 (JSC::Debugger::didExecuteProgram):
2466 * dfg/DFGJITCompiler.cpp:
2467 (JSC::DFG::JITCompiler::compileExceptionHandlers):
2468 * dfg/DFGOSREntry.cpp:
2469 (JSC::DFG::prepareOSREntry):
2470 * dfg/DFGOSRExit.cpp:
2471 (JSC::DFG::OSRExit::compileOSRExit):
2472 (JSC::DFG::OSRExit::compileExit):
2473 * dfg/DFGThunks.cpp:
2474 (JSC::DFG::osrEntryThunkGenerator):
2475 * ftl/FTLCompile.cpp:
2476 (JSC::FTL::compile):
2479 * ftl/FTLLowerDFGToB3.cpp:
2480 (JSC::FTL::DFG::LowerDFGToB3::lower):
2481 * ftl/FTLOSRExitCompiler.cpp:
2482 (JSC::FTL::compileStub):
2483 * interpreter/CallFrame.cpp:
2484 (JSC::CallFrame::wasmAwareLexicalGlobalObject):
2485 (JSC::CallFrame::callerFrame):
2486 (JSC::CallFrame::unsafeCallerFrame):
2487 * interpreter/CallFrame.h:
2488 (JSC::ExecState::callerFrame const):
2489 (JSC::ExecState::callerFrameOrEntryFrame const):
2490 (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
2491 * interpreter/FrameTracers.h:
2492 (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2493 (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
2494 (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
2495 * interpreter/Interpreter.cpp:
2496 (JSC::UnwindFunctor::operator() const):
2497 (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2498 (JSC::Interpreter::unwind):
2499 * interpreter/StackVisitor.cpp:
2500 (JSC::StackVisitor::StackVisitor):
2501 (JSC::StackVisitor::gotoNextFrame):
2502 (JSC::StackVisitor::readNonInlinedFrame):
2503 (JSC::StackVisitor::Frame::dump const):
2504 * interpreter/StackVisitor.h:
2505 (JSC::StackVisitor::Frame::callerIsEntryFrame const):
2506 * interpreter/VMEntryRecord.h:
2507 (JSC::VMEntryRecord::prevTopEntryFrame):
2508 (JSC::VMEntryRecord::unsafePrevTopEntryFrame):
2509 (JSC::EntryFrame::vmEntryRecordOffset):
2510 * jit/AssemblyHelpers.cpp:
2511 (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
2512 (JSC::AssemblyHelpers::loadWasmContextInstance):
2513 (JSC::AssemblyHelpers::storeWasmContextInstance):
2514 (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
2515 (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
2516 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
2517 * jit/AssemblyHelpers.h:
2518 (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2519 (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
2520 (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
2522 (JSC::JIT::emitEnterOptimizationCheck):
2523 (JSC::JIT::privateCompileExceptionHandlers):
2524 * jit/JITExceptions.cpp:
2525 (JSC::genericUnwind):
2526 * jit/JITOpcodes.cpp:
2527 (JSC::JIT::emit_op_throw):
2528 (JSC::JIT::emit_op_catch):
2529 (JSC::JIT::emitSlow_op_loop_hint):
2530 * jit/JITOpcodes32_64.cpp:
2531 (JSC::JIT::emit_op_throw):
2532 (JSC::JIT::emit_op_catch):
2533 * jit/JITOperations.cpp:
2534 * jit/ThunkGenerators.cpp:
2535 (JSC::throwExceptionFromCallSlowPathGenerator):
2536 (JSC::nativeForGenerator):
2538 (functionDumpCallFrame):
2539 * llint/LLIntSlowPaths.cpp:
2540 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2541 * llint/LLIntThunks.cpp:
2542 (JSC::vmEntryRecord):
2543 * llint/LowLevelInterpreter.asm:
2544 * llint/LowLevelInterpreter32_64.asm:
2545 * llint/LowLevelInterpreter64.asm:
2546 * runtime/Options.cpp:
2547 (JSC::recomputeDependentOptions):
2548 * runtime/Options.h:
2549 * runtime/SamplingProfiler.cpp:
2550 (JSC::FrameWalker::FrameWalker):
2551 (JSC::FrameWalker::advanceToParentFrame):
2552 (JSC::SamplingProfiler::processUnverifiedStackTraces):
2553 * runtime/ThrowScope.cpp:
2554 (JSC::ThrowScope::~ThrowScope):
2559 (JSC::VM::topEntryFrameOffset):
2560 * runtime/VMTraps.cpp:
2562 (JSC::VMTraps::tryInstallTrapBreakpoints):
2563 (JSC::VMTraps::invalidateCodeBlocksOnStack):
2564 * wasm/WasmB3IRGenerator.cpp:
2565 (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
2566 (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2567 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2568 (JSC::Wasm::B3IRGenerator::addGrowMemory):
2569 (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2570 (JSC::Wasm::B3IRGenerator::addCall):
2571 (JSC::Wasm::B3IRGenerator::addCallIndirect):
2572 (JSC::Wasm::parseAndCompile):
2573 * wasm/WasmB3IRGenerator.h:
2574 * wasm/WasmBBQPlan.cpp:
2575 (JSC::Wasm::BBQPlan::BBQPlan):
2576 (JSC::Wasm::BBQPlan::compileFunctions):
2577 (JSC::Wasm::BBQPlan::complete):
2578 * wasm/WasmBBQPlan.h:
2579 * wasm/WasmBBQPlanInlines.h:
2580 (JSC::Wasm::BBQPlan::initializeCallees):
2581 * wasm/WasmBinding.cpp:
2582 (JSC::Wasm::wasmToWasm):
2583 * wasm/WasmBinding.h:
2584 * wasm/WasmCodeBlock.cpp:
2585 (JSC::Wasm::CodeBlock::create):
2586 (JSC::Wasm::CodeBlock::CodeBlock):
2587 (JSC::Wasm::CodeBlock::compileAsync):
2588 (JSC::Wasm::CodeBlock::setCompilationFinished):
2589 * wasm/WasmCodeBlock.h:
2590 (JSC::Wasm::CodeBlock::offsetOfImportStubs):
2591 (JSC::Wasm::CodeBlock::allocationSize):
2592 (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
2593 (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
2594 (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
2595 (JSC::Wasm::CodeBlock::compilationFinished):
2596 (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2597 (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
2598 * wasm/WasmContext.cpp:
2599 (JSC::Wasm::Context::useFastTLS):
2600 (JSC::Wasm::Context::load const):
2601 (JSC::Wasm::Context::store):
2602 * wasm/WasmContext.h:
2603 * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
2604 * wasm/WasmFaultSignalHandler.cpp:
2605 * wasm/WasmFaultSignalHandler.h:
2606 * wasm/WasmFormat.h:
2607 * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2608 (JSC::Wasm::Instance::Instance):
2609 (JSC::Wasm::Instance::~Instance):
2610 (JSC::Wasm::Instance::extraMemoryAllocated const):
2611 * wasm/WasmInstance.h: Added.
2612 (JSC::Wasm::Instance::create):
2613 (JSC::Wasm::Instance::finalizeCreation):
2614 (JSC::Wasm::Instance::module):
2615 (JSC::Wasm::Instance::codeBlock):
2616 (JSC::Wasm::Instance::memory):
2617 (JSC::Wasm::Instance::table):
2618 (JSC::Wasm::Instance::loadI32Global const):
2619 (JSC::Wasm::Instance::loadI64Global const):
2620 (JSC::Wasm::Instance::loadF32Global const):
2621 (JSC::Wasm::Instance::loadF64Global const):
2622 (JSC::Wasm::Instance::setGlobal):
2623 (JSC::Wasm::Instance::offsetOfCachedStackLimit):
2624 (JSC::Wasm::Instance::cachedStackLimit const):
2625 (JSC::Wasm::Instance::setCachedStackLimit):
2626 * wasm/WasmMemory.cpp:
2627 (JSC::Wasm::Memory::Memory):
2628 (JSC::Wasm::Memory::create):
2629 (JSC::Wasm::Memory::~Memory):
2630 (JSC::Wasm::Memory::grow):
2631 * wasm/WasmMemory.h:
2632 (JSC::Wasm::Memory::offsetOfMemory):
2633 (JSC::Wasm::Memory::offsetOfSize):
2634 * wasm/WasmMemoryInformation.cpp:
2635 (JSC::Wasm::PinnedRegisterInfo::get):
2636 (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2637 * wasm/WasmMemoryInformation.h:
2638 (JSC::Wasm::PinnedRegisterInfo::toSave const):
2639 * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2640 (JSC::Wasm::makeString):
2641 * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2642 * wasm/WasmModule.cpp:
2643 (JSC::Wasm::makeValidationCallback):
2644 (JSC::Wasm::Module::validateSync):
2645 (JSC::Wasm::Module::validateAsync):
2646 (JSC::Wasm::Module::getOrCreateCodeBlock):
2647 (JSC::Wasm::Module::compileSync):
2648 (JSC::Wasm::Module::compileAsync):
2649 * wasm/WasmModule.h:
2650 * wasm/WasmModuleParser.cpp:
2651 (JSC::Wasm::ModuleParser::parseTableHelper):
2652 * wasm/WasmOMGPlan.cpp:
2653 (JSC::Wasm::OMGPlan::OMGPlan):
2654 (JSC::Wasm::OMGPlan::runForIndex):
2655 * wasm/WasmOMGPlan.h:
2656 * wasm/WasmPageCount.h:
2657 (JSC::Wasm::PageCount::isValid const):
2658 * wasm/WasmPlan.cpp:
2659 (JSC::Wasm::Plan::Plan):
2660 (JSC::Wasm::Plan::runCompletionTasks):
2661 (JSC::Wasm::Plan::addCompletionTask):
2662 (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
2664 (JSC::Wasm::Plan::dontFinalize):
2665 * wasm/WasmSignature.cpp:
2666 * wasm/WasmSignature.h:
2667 * wasm/WasmTable.cpp: Added.
2668 (JSC::Wasm::Table::create):
2669 (JSC::Wasm::Table::~Table):
2670 (JSC::Wasm::Table::Table):
2671 (JSC::Wasm::Table::grow):
2672 (JSC::Wasm::Table::clearFunction):
2673 (JSC::Wasm::Table::setFunction):
2674 * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
2675 (JSC::Wasm::Table::maximum const):
2676 (JSC::Wasm::Table::size const):
2677 (JSC::Wasm::Table::offsetOfSize):
2678 (JSC::Wasm::Table::offsetOfFunctions):
2679 (JSC::Wasm::Table::offsetOfInstances):
2680 (JSC::Wasm::Table::isValidSize):
2681 * wasm/WasmThunks.cpp:
2682 (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2683 (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2684 (JSC::Wasm::Thunks::setThrowWasmException):
2685 (JSC::Wasm::Thunks::throwWasmException):
2686 * wasm/WasmThunks.h:
2687 * wasm/WasmWorklist.cpp:
2688 (JSC::Wasm::Worklist::stopAllPlansForContext):
2689 * wasm/WasmWorklist.h:
2690 * wasm/js/JSToWasm.cpp: Added.
2691 (JSC::Wasm::createJSToWasmWrapper):
2692 * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
2693 * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
2694 * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
2695 * wasm/js/JSWebAssemblyCodeBlock.cpp:
2696 (JSC::JSWebAssemblyCodeBlock::create):
2697 (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2698 * wasm/js/JSWebAssemblyCodeBlock.h:
2699 * wasm/js/JSWebAssemblyInstance.cpp:
2700 (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
2701 (JSC::JSWebAssemblyInstance::finishCreation):
2702 (JSC::JSWebAssemblyInstance::visitChildren):
2703 (JSC::JSWebAssemblyInstance::finalizeCreation):
2704 (JSC::JSWebAssemblyInstance::create):
2705 * wasm/js/JSWebAssemblyInstance.h:
2706 (JSC::JSWebAssemblyInstance::instance):
2707 (JSC::JSWebAssemblyInstance::context const):
2708 (JSC::JSWebAssemblyInstance::table):
2709 (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
2710 (JSC::JSWebAssemblyInstance::setMemory):
2711 (JSC::JSWebAssemblyInstance::offsetOfTail):
2712 (JSC::JSWebAssemblyInstance::importFunctionInfo):
2713 (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
2714 (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
2715 (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
2716 (JSC::JSWebAssemblyInstance::importFunction):
2717 (JSC::JSWebAssemblyInstance::internalMemory):
2718 (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
2719 (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
2720 (JSC::JSWebAssemblyInstance::offsetOfCallee):
2721 (JSC::JSWebAssemblyInstance::offsetOfGlobals):
2722 (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
2723 (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
2724 (JSC::JSWebAssemblyInstance::cachedStackLimit const):
2725 (JSC::JSWebAssemblyInstance::setCachedStackLimit):
2726 (JSC::JSWebAssemblyInstance::wasmMemory):
2727 (JSC::JSWebAssemblyInstance::wasmModule):
2728 (JSC::JSWebAssemblyInstance::allocationSize):
2729 (JSC::JSWebAssemblyInstance::module const):
2730 * wasm/js/JSWebAssemblyMemory.cpp:
2731 (JSC::JSWebAssemblyMemory::create):
2732 (JSC::JSWebAssemblyMemory::adopt):
2733 (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
2734 (JSC::JSWebAssemblyMemory::grow):
2735 (JSC::JSWebAssemblyMemory::growSuccessCallback):
2736 * wasm/js/JSWebAssemblyMemory.h:
2737 * wasm/js/JSWebAssemblyModule.cpp:
2738 (JSC::JSWebAssemblyModule::moduleInformation const):
2739 (JSC::JSWebAssemblyModule::exportSymbolTable const):
2740 (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
2741 (JSC::JSWebAssemblyModule::callee const):
2742 (JSC::JSWebAssemblyModule::codeBlock):
2743 (JSC::JSWebAssemblyModule::module):
2744 * wasm/js/JSWebAssemblyModule.h:
2745 * wasm/js/JSWebAssemblyTable.cpp:
2746 (JSC::JSWebAssemblyTable::create):
2747 (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2748 (JSC::JSWebAssemblyTable::visitChildren):
2749 (JSC::JSWebAssemblyTable::grow):
2750 (JSC::JSWebAssemblyTable::getFunction):
2751 (JSC::JSWebAssemblyTable::clearFunction):
2752 (JSC::JSWebAssemblyTable::setFunction):
2753 * wasm/js/JSWebAssemblyTable.h:
2754 (JSC::JSWebAssemblyTable::isValidSize):
2755 (JSC::JSWebAssemblyTable::maximum const):
2756 (JSC::JSWebAssemblyTable::size const):
2757 (JSC::JSWebAssemblyTable::table):
2758 * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
2759 (JSC::Wasm::materializeImportJSCell):
2760 (JSC::Wasm::wasmToJS):
2761 (JSC::Wasm::wasmToJSException):
2762 * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
2763 * wasm/js/WebAssemblyFunction.cpp:
2764 (JSC::callWebAssemblyFunction):
2765 * wasm/js/WebAssemblyInstanceConstructor.cpp:
2766 (JSC::constructJSWebAssemblyInstance):
2767 * wasm/js/WebAssemblyMemoryConstructor.cpp:
2768 (JSC::constructJSWebAssemblyMemory):
2769 * wasm/js/WebAssemblyMemoryPrototype.cpp:
2770 (JSC::webAssemblyMemoryProtoFuncGrow):
2771 * wasm/js/WebAssemblyModuleConstructor.cpp:
2772 (JSC::constructJSWebAssemblyModule):
2773 (JSC::WebAssemblyModuleConstructor::createModule):
2774 * wasm/js/WebAssemblyModuleConstructor.h:
2775 * wasm/js/WebAssemblyModuleRecord.cpp:
2776 (JSC::WebAssemblyModuleRecord::link):
2777 (JSC::WebAssemblyModuleRecord::evaluate):
2778 * wasm/js/WebAssemblyPrototype.cpp:
2779 (JSC::webAssemblyCompileFunc):
2781 (JSC::compileAndInstantiate):
2782 (JSC::webAssemblyValidateFunc):
2783 * wasm/js/WebAssemblyTableConstructor.cpp:
2784 (JSC::constructJSWebAssemblyTable):
2785 * wasm/js/WebAssemblyWrapperFunction.cpp:
2786 (JSC::WebAssemblyWrapperFunction::create):
2788 2017-10-19 Mark Lam <mark.lam@apple.com>
2790 Stringifier::appendStringifiedValue() is missing an exception check.
2791 https://bugs.webkit.org/show_bug.cgi?id=178386
2792 <rdar://problem/35027610>
2794 Reviewed by Saam Barati.
2796 * runtime/JSONObject.cpp:
2797 (JSC::Stringifier::appendStringifiedValue):
2799 2017-10-19 Saam Barati <sbarati@apple.com>
2801 REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning: comparison is always false due to limited range of data type [-Wtype-limits]
2802 https://bugs.webkit.org/show_bug.cgi?id=178543
2804 Reviewed by Filip Pizlo.
2806 * dfg/DFGByteCodeParser.cpp:
2807 (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2809 2017-10-19 Saam Barati <sbarati@apple.com>
2811 re-inline ObjectAllocationProfile::initializeProfile
2812 https://bugs.webkit.org/show_bug.cgi?id=178532
2814 Rubber stamped by Michael Saboff.
2816 I un-inlined this function when implementing poly proto.
2817 This patch re-inlines it. In my testing, it looks like it
2818 might be a 0.5% speedometer progression to inline it.
2820 * JavaScriptCore.xcodeproj/project.pbxproj:
2822 * bytecode/CodeBlock.cpp:
2823 * bytecode/ObjectAllocationProfile.cpp: Removed.
2824 * bytecode/ObjectAllocationProfileInlines.h: Copied from Source/JavaScriptCore/bytecode/ObjectAllocationProfile.cpp.
2825 (JSC::ObjectAllocationProfile::initializeProfile):
2826 (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2827 * runtime/FunctionRareData.cpp:
2829 2017-10-19 Michael Saboff <msaboff@apple.com>
2831 Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2832 https://bugs.webkit.org/show_bug.cgi?id=178521
2834 Reviewed by JF Bastien.
2836 * ucd/emoji-data.txt: Replaced with the Unicode Emoji 5.0 version of the file as that is the most recent
2837 standard version. The prior version was the draft 6.0 version.
2839 2017-10-19 Saam Barati <sbarati@apple.com>
2841 We should hard code the poly proto offset
2842 https://bugs.webkit.org/show_bug.cgi?id=178531
2844 Reviewed by Filip Pizlo.
2846 This patch embraces that the poly proto offset is always zero. It's already
2847 the case that we would always get the inline offset zero for poly proto just
2848 by construction. This just hardcodes this assumption throughout the codebase.
2849 This appears to be a 1% speedometer progression in my testing.
2851 The downside of this patch is that it may require changing how we do
2852 things when we implement poly proto when inheriting from builtin
2853 types. I think we can face this problem when we decide to implement
2856 * bytecode/AccessCase.cpp:
2857 (JSC::AccessCase::generateWithGuard):
2858 * dfg/DFGOperations.cpp:
2859 * dfg/DFGSpeculativeJIT.cpp:
2860 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2861 (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2862 * ftl/FTLLowerDFGToB3.cpp:
2863 (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
2864 (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2865 * jit/JITOpcodes.cpp:
2866 (JSC::JIT::emit_op_instanceof):
2867 * jit/JITOpcodes32_64.cpp:
2868 (JSC::JIT::emit_op_instanceof):
2869 * runtime/CommonSlowPaths.cpp:
2870 (JSC::SLOW_PATH_DECL):
2871 * runtime/JSObject.cpp:
2872 (JSC::JSObject::setPrototypeDirect):
2873 * runtime/JSObject.h:
2874 (JSC::JSObject::locationForOffset const):
2875 (JSC::JSObject::locationForOffset):
2876 (JSC::JSObject::getDirect const):
2877 * runtime/PropertyOffset.h:
2878 * runtime/Structure.cpp:
2879 (JSC::Structure::create):
2880 (JSC::Structure::dump const):
2881 * runtime/Structure.h:
2882 * runtime/StructureInlines.h:
2883 (JSC::Structure::storedPrototype const):
2884 (JSC::Structure::storedPrototypeObject const):
2886 2017-10-19 Saam Barati <sbarati@apple.com>
2888 Turn various poly proto RELEASE_ASSERTs into ASSERTs because they're on the hot path in speedometer
2889 https://bugs.webkit.org/show_bug.cgi?id=178529
2891 Reviewed by Mark Lam.
2893 * runtime/Structure.h:
2894 * runtime/StructureInlines.h:
2895 (JSC::Structure::storedPrototypeObject const):
2896 (JSC::Structure::storedPrototypeStructure const):
2897 (JSC::Structure::storedPrototype const):
2898 (JSC::Structure::prototypeForLookup const):
2899 (JSC::Structure::prototypeChain const):
2901 2017-10-19 Saam Barati <sbarati@apple.com>
2903 Turn poly proto back on by default and remove the option
2904 https://bugs.webkit.org/show_bug.cgi?id=178525
2906 Reviewed by Mark Lam.
2908 I added this option because I thought it'd speed speedometer up because the
2909 original poly proto patch slowed speedometer down. It turns out that
2910 allocating poly proto objects is not what slows speedometer down. It's
2911 other code I added in the runtime that needs to be poly proto aware. I'll
2912 be addressing these in follow up patches.
2914 * runtime/Options.h:
2915 * runtime/StructureInlines.h:
2916 (JSC::Structure::shouldConvertToPolyProto):
2918 2017-10-19 Robin Morisset <rmorisset@apple.com>
2920 Turn recursive tail calls into loops
2921 https://bugs.webkit.org/show_bug.cgi?id=176601
2923 Reviewed by Saam Barati.
2925 We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
2926 One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
2927 Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
2928 We do this part through modifying the computation of the jump targets.
2929 Importantly, we only do this splitting for functions that have tail calls.
2930 It is the only case where the optimisation is sound, and doing the splitting unconditionnaly destroys performance on Octane/raytrace.
2932 We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
2933 The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
2935 * bytecode/CodeBlock.h:
2936 (JSC::CodeBlock::hasTailCalls const):
2937 * bytecode/PreciseJumpTargets.cpp:
2938 (JSC::getJumpTargetsForBytecodeOffset):
2939 (JSC::computePreciseJumpTargetsInternal):
2940 * bytecode/UnlinkedCodeBlock.cpp:
2941 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2942 * bytecode/UnlinkedCodeBlock.h:
2943 (JSC::UnlinkedCodeBlock::hasTailCalls const):
2944 (JSC::UnlinkedCodeBlock::setHasTailCalls):
2945 * bytecompiler/BytecodeGenerator.cpp:
2946 (JSC::BytecodeGenerator::emitEnter):
2947 (JSC::BytecodeGenerator::emitCallInTailPosition):
2948 * dfg/DFGByteCodeParser.cpp:
2949 (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2950 (JSC::DFG::ByteCodeParser::makeBlockTargetable):
2951 (JSC::DFG::ByteCodeParser::handleCall):
2952 (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2953 (JSC::DFG::ByteCodeParser::parseBlock):
2954 (JSC::DFG::ByteCodeParser::parse):
2956 2017-10-18 Mark Lam <mark.lam@apple.com>
2958 RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2959 https://bugs.webkit.org/show_bug.cgi?id=177600
2960 <rdar://problem/34710985>
2962 Reviewed by Saam Barati.
2964 According to http://www.ecma-international.org/ecma-262/8.0/#sec-validateandapplypropertydescriptor,
2965 section 9.1.6.3-7.a.ii, we should only check if the value is the same if the
2966 descriptor value is present.
2968 * runtime/RegExpObject.cpp:
2969 (JSC::RegExpObject::defineOwnProperty):
2971 2017-10-18 Keith Miller <keith_miller@apple.com>
2973 Setup WebCore build to start using unified sources.
2974 https://bugs.webkit.org/show_bug.cgi?id=178362
2976 Reviewed by Tim Horton.
2978 Change comments in source list files. Also, pass explicit names for build files.
2981 * PlatformGTK.cmake:
2982 * PlatformMac.cmake:
2987 2017-10-18 Commit Queue <commit-queue@webkit.org>
2989 Unreviewed, rolling out r223321.
2990 https://bugs.webkit.org/show_bug.cgi?id=178476
2992 This protocol change broke some internal builds (Requested by
2993 brrian__ on #webkit).
2997 "Web Inspector: provide a way to enable/disable event
2999 https://bugs.webkit.org/show_bug.cgi?id=177451
3000 https://trac.webkit.org/changeset/223321
3002 2017-10-18 Mark Lam <mark.lam@apple.com>
3004 The compiler should always register a structure when it adds its transitionWatchPointSet.
3005 https://bugs.webkit.org/show_bug.cgi?id=178420
3006 <rdar://problem/34814024>
3008 Reviewed by Saam Barati and Filip Pizlo.
3010 Instead of invoking addLazily() to add a structure's transitionWatchpointSet, we
3011 now invoke Graph::registerAndWatchStructureTransition() on the structure.
3012 registerAndWatchStructureTransition() both registers the structure and add its
3013 transitionWatchpointSet to the plan desired watchpoints.
3015 Graph::registerAndWatchStructureTransition() is based on Graph::registerStructure()
3016 except registerAndWatchStructureTransition() adds the structure's
3017 transitionWatchpointSet unconditionally.
3019 * dfg/DFGArgumentsEliminationPhase.cpp:
3020 * dfg/DFGArrayMode.cpp:
3021 (JSC::DFG::ArrayMode::refine const):
3022 * dfg/DFGByteCodeParser.cpp:
3023 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3024 * dfg/DFGFixupPhase.cpp:
3025 (JSC::DFG::FixupPhase::fixupNode):
3028 (JSC::DFG::Graph::registerAndWatchStructureTransition):
3031 * dfg/DFGSpeculativeJIT.cpp:
3032 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3033 - The second set of addLazily()s is redundant. This set is executed only when
3034 prototypeChainIsSane is true, and prototypeChainIsSane can only be true if and
3035 only if we've executed the if statement above it. That preceding if statement
3036 already registerAndWatchStructureTransition() the same 2 structures. Hence,
3037 this second set can be deleted.
3039 * dfg/DFGWatchpointCollectionPhase.cpp:
3040 (JSC::DFG::WatchpointCollectionPhase::addLazily):
3041 - Deleted an unused function.
3043 * ftl/FTLLowerDFGToB3.cpp:
3044 (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3046 2017-10-18 Yusuke Suzuki <utatane.tea@gmail.com>
3048 [JSC] Remove unused private name structure
3049 https://bugs.webkit.org/show_bug.cgi?id=178436
3051 Reviewed by Sam Weinig.
3053 It is no longer used. This patch just removes it.
3055 * runtime/JSGlobalObject.h:
3056 (JSC::JSGlobalObject::numberObjectStructure const):
3057 (JSC::JSGlobalObject::privateNameStructure const): Deleted.
3059 2017-10-18 Ryosuke Niwa <rniwa@webkit.org>
3061 Fix macOS and iOS builds after r223594.
3063 * JavaScriptCore.xcodeproj/project.pbxproj:
3065 2017-10-18 Yusuke Suzuki <utatane.tea@gmail.com>
3067 [JSC] __proto__ getter should be fast
3068 https://bugs.webkit.org/show_bug.cgi?id=178067
3070 Reviewed by Saam Barati.
3072 In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
3073 Currently, it is handled as an usual getter call to a generic function. And DFG just emits
3074 Call node for this. It is inefficient since typically we know the `prototype` of the given
3075 object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
3076 If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
3077 we can still change this to efficient access to poly proto slot.
3079 This patch implements GetPrototypeOf DFG node. This node efficiently accesses to prototype of
3080 the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
3081 ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
3082 constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
3083 This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
3086 And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.
3088 Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
3089 poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
3090 Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.
3092 This patch improves SixSpeed super.es6 by 3.42x.
3096 super.es6 123.6666+-3.9917 ^ 36.1684+-1.0351 ^ definitely 3.4192x faster
3098 [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3100 * dfg/DFGAbstractInterpreterInlines.h:
3101 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3102 * dfg/DFGByteCodeParser.cpp:
3103 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3104 (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3105 (JSC::DFG::ByteCodeParser::handleGetById):
3106 * dfg/DFGClobberize.h:
3107 (JSC::DFG::clobberize):
3108 * dfg/DFGDoesGC.cpp:
3110 * dfg/DFGFixupPhase.cpp:
3111 (JSC::DFG::FixupPhase::fixupNode):
3112 (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
3113 * dfg/DFGHeapLocation.cpp:
3114 (WTF::printInternal):
3115 * dfg/DFGHeapLocation.h:
3117 (JSC::DFG::Node::hasHeapPrediction):
3118 (JSC::DFG::Node::shouldSpeculateFunction):
3119 * dfg/DFGNodeType.h:
3120 * dfg/DFGOperations.cpp:
3121 * dfg/DFGOperations.h:
3122 * dfg/DFGPredictionPropagationPhase.cpp:
3123 * dfg/DFGSafeToExecute.h:
3124 (JSC::DFG::safeToExecute):
3125 * dfg/DFGSpeculativeJIT.cpp:
3126 (JSC::DFG::SpeculativeJIT::speculateFunction):
3127 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3128 (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
3129 * dfg/DFGSpeculativeJIT.h:
3130 (JSC::DFG::SpeculativeJIT::callOperation):
3131 * dfg/DFGSpeculativeJIT32_64.cpp:
3132 (JSC::DFG::SpeculativeJIT::compile):
3133 * dfg/DFGSpeculativeJIT64.cpp:
3134 (JSC::DFG::SpeculativeJIT::compile):
3135 * ftl/FTLCapabilities.cpp:
3136 (JSC::FTL::canCompile):
3137 * ftl/FTLLowerDFGToB3.cpp:
3138 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3139 (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
3140 (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3141 * jit/IntrinsicEmitter.cpp:
3142 (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
3143 (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3144 * jit/JITOperations.h:
3145 * runtime/Intrinsic.cpp:
3146 (JSC::intrinsicName):
3147 * runtime/Intrinsic.h:
3148 * runtime/JSGlobalObject.cpp:
3149 (JSC::JSGlobalObject::init):
3150 * runtime/JSGlobalObject.h:
3151 (JSC::JSGlobalObject::booleanPrototype const):
3152 (JSC::JSGlobalObject::numberPrototype const):
3153 (JSC::JSGlobalObject::booleanObjectStructure const):
3154 * runtime/JSGlobalObjectFunctions.cpp:
3155 (JSC::globalFuncProtoGetter):
3156 * runtime/JSGlobalObjectFunctions.h:
3157 * runtime/ObjectConstructor.cpp:
3158 * runtime/ReflectObject.cpp:
3160 2017-10-17 Ryan Haddad <ryanhaddad@apple.com>
3162 Unreviewed, rolling out r223523.
3164 A test for this change is failing on debug JSC bots.
3168 "[JSC] __proto__ getter should be fast"
3169 https://bugs.webkit.org/show_bug.cgi?id=178067
3170 https://trac.webkit.org/changeset/223523
3172 2017-10-17 Youenn Fablet <youenn@apple.com>
3174 Add preliminary support for fetch event
3175 https://bugs.webkit.org/show_bug.cgi?id=178171
3177 Reviewed by Chris Dumez.
3181 * runtime/JSPromise.h:
3183 2017-10-10 Yusuke Suzuki <utatane.tea@gmail.com>
3185 [JSC] __proto__ getter should be fast
3186 https://bugs.webkit.org/show_bug.cgi?id=178067
3188 Reviewed by Saam Barati.
3190 In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
3191 Currently, it is handled as an usual getter call to a generic function. And DFG just emits
3192 Call node for this. It is inefficient since typically we know the `prototype` of the given
3193 object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
3194 If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
3195 we can still change this to efficient access to poly proto slot.
3197 This patch implements GetPrototypeOf DFG node. This node efficiently accesses to prototype of
3198 the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
3199 ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
3200 constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
3201 This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
3204 And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.
3206 Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
3207 poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
3208 Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.
3210 This patch improves SixSpeed super.es6 by 3.42x.
3214 super.es6 123.6666+-3.9917 ^ 36.1684+-1.0351 ^ definitely 3.4192x faster
3216 [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3218 * dfg/DFGAbstractInterpreterInlines.h:
3219 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3220 * dfg/DFGByteCodeParser.cpp:
3221 (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3222 (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3223 (JSC::DFG::ByteCodeParser::handleGetById):
3224 * dfg/DFGClobberize.h:
3225 (JSC::DFG::clobberize):
3226 * dfg/DFGDoesGC.cpp:
3228 * dfg/DFGFixupPhase.cpp:
3229 (JSC::DFG::FixupPhase::fixupNode):
3230 (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
3231 * dfg/DFGHeapLocation.cpp:
3232 (WTF::printInternal):
3233 * dfg/DFGHeapLocation.h:
3235 (JSC::DFG::Node::hasHeapPrediction):
3236 (JSC::DFG::Node::shouldSpeculateFunction):
3237 * dfg/DFGNodeType.h:
3238 * dfg/DFGOperations.cpp:
3239 * dfg/DFGOperations.h:
3240 * dfg/DFGPredictionPropagationPhase.cpp:
3241 * dfg/DFGSafeToExecute.h:
3242 (JSC::DFG::safeToExecute):
3243 * dfg/DFGSpeculativeJIT.cpp:
3244 (JSC::DFG::SpeculativeJIT::speculateFunction):
3245 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3246 (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
3247 * dfg/DFGSpeculativeJIT.h:
3248 * dfg/DFGSpeculativeJIT32_64.cpp:
3249 (JSC::DFG::SpeculativeJIT::compile):
3250 * dfg/DFGSpeculativeJIT64.cpp:
3251 (JSC::DFG::SpeculativeJIT::compile):
3252 * ftl/FTLCapabilities.cpp:
3253 (JSC::FTL::canCompile):
3254 * ftl/FTLLowerDFGToB3.cpp:
3255 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3256 (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
3257 (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3258 * jit/IntrinsicEmitter.cpp:
3259 (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
3260 (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3261 * runtime/Intrinsic.cpp:
3262 (JSC::intrinsicName):
3263 * runtime/Intrinsic.h:
3264 * runtime/JSGlobalObject.cpp:
3265 (JSC::JSGlobalObject::init):
3266 * runtime/JSGlobalObjectFunctions.cpp:
3267 (JSC::globalFuncProtoGetter):
3268 * runtime/JSGlobalObjectFunctions.h:
3269 * runtime/ObjectConstructor.cpp:
3270 * runtime/ReflectObject.cpp:
3272 2017-10-17 Keith Miller <keith_miller@apple.com>
3274 Change WebCore sources to work with unified source builds
3275 https://bugs.webkit.org/show_bug.cgi?id=178229
3277 Rubber stamped by Tim Horton.
3279 * Configurations/FeatureDefines.xcconfig:
3281 2017-10-15 Filip Pizlo <fpizlo@apple.com>
3283 Make some asserts into release asserts
3284 https://bugs.webkit.org/show_bug.cgi?id=178324
3286 Reviewed by Saam Barati.
3288 These asserts are not on perf critical paths, so they might as well be release asserts.
3290 * runtime/DataView.h:
3291 (JSC::DataView::get):
3292 (JSC::DataView::set):
3294 2017-10-16 JF Bastien <jfbastien@apple.com>
3296 JSRunLoopTimer: reduce likely race when used improperly
3297 https://bugs.webkit.org/show_bug.cgi?id=178298
3298 <rdar://problem/32899816>
3300 Reviewed by Saam Barati.
3302 If an API user sets a timer on JSRunLoopTimer, and then racily
3303 destroys the JSRunLoopTimer while the timer is firing then it's
3304 possible for timerDidFire to cause a use-after-free and / or crash
3305 because e.g. m_apiLock becomes a nullptr while timerDidFire is
3306 executing. That results from an invalid use of JSRunLoopTimer, but
3307 we should try to be more resilient for that type of misuse because
3308 it's not necessarily easy to catch by inspection.
3310 With this change the only remaining race is if the timer fires,
3311 and then only timerDidFire's prologue executes, but not the load
3312 of the m_apiLock pointer from `this`. It's a much smaller race.
3314 Separately, I'll reach out to API users who are seemingly misusing
3317 * runtime/JSRunLoopTimer.cpp:
3318 (JSC::JSRunLoopTimer::timerDidFire): put m_apiLock on the stack,
3319 and checks for nullptr. This prevents loading it twice off of
3320 `this` and turns a nullptr deref into "just" a use-after-free.
3321 (JSC::JSRunLoopTimer::~JSRunLoopTimer): acquire m_apiLock before
3322 calling m_vm->unregisterRunLoopTimer(this), which in turn does
3323 CFRunLoopRemoveTimer / CFRunLoopTimerInvalidate. This prevents
3324 timerDidFire from doing much while the timers are un-registered.
3325 ~JSRunLoopTimer also needs to set m_apiLock to nullptr before
3326 releasing the lock, so it needs its own local copy.
3328 2017-10-15 Yusuke Suzuki <utatane.tea@gmail.com>
3330 [JSC] Perform module specifier validation at parsing time
3331 https://bugs.webkit.org/show_bug.cgi?id=178256
3333 Reviewed by Darin Adler.
3335 This patch make module loader's `resolve` operation synchronous. And we validate
3336 module's requested module names when instantiating the module instead of satisfying
3337 module's dependencies. This change is not observable to users. But this is precise
3338 to the spec and this optimizes & simplifies the current module loader a bit by
3339 reducing object allocations.
3341 Previously, we have an object called pair in the module loader. This is pair of
3342 module's name and module's record. And we use it to link one module to dependent
3343 modules. Now, it is replaced with module's registry entry.
3345 We also change our loader functions to take a registry entry instead of a module key.
3346 Previous design is due to the consideration that these APIs may be exposed to users
3347 in whatwg/loader spec. However, this won't happen. This change removes unnecessary
3348 repeatedly hash map lookups.
3350 * builtins/ModuleLoaderPrototype.js:
3351 (globalPrivate.newRegistryEntry):
3353 (requestInstantiate):
3359 (GlobalObject::moduleLoaderResolve):
3360 * runtime/AbstractModuleRecord.cpp:
3361 (JSC::AbstractModuleRecord::finishCreation):
3362 (JSC::AbstractModuleRecord::hostResolveImportedModule):
3363 * runtime/JSGlobalObject.h:
3364 * runtime/JSModuleLoader.cpp:
3365 (JSC::JSModuleLoader::resolveSync):
3366 (JSC::JSModuleLoader::resolve):
3367 * runtime/JSModuleLoader.h:
3368 * runtime/ModuleLoaderPrototype.cpp:
3369 (JSC::moduleLoaderPrototypeResolveSync):
3371 2017-10-14 Devin Rousso <webkit@devinrousso.com>
3373 Web Inspector: provide a way to enable/disable event listeners
3374 https://bugs.webkit.org/show_bug.cgi?id=177451
3376 Reviewed by Joseph Pecoraro.
3378 * inspector/protocol/DOM.json:
3379 Add `setEventListenerDisabled` command that enables/disables a specific event listener
3380 during event dispatch. When a disabled event listener is fired, the listener's callback will
3383 2017-10-14 Yusuke Suzuki <utatane.tea@gmail.com>
3385 Reland "Add Above/Below comparisons for UInt32 patterns"
3386 https://bugs.webkit.org/show_bug.cgi?id=177281
3388 Reviewed by Saam Barati.
3390 We reland this patch without DFGStrengthReduction change to see what causes
3391 regression in the iOS bot.
3393 Sometimes, we would like to have UInt32 operations in JS. While VM does
3394 not support UInt32 nicely, VM supports efficient Int32 operations. As long
3395 as signedness does not matter, we can just perform Int32 operations instead
3396 and recognize its bit pattern as UInt32.
3398 But of course, some operations respect signedness. The most frequently
3399 used one is comparison. Octane/zlib performs UInt32 comparison by performing
3400 `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
3401 UInt32 in Int32 form. And op_unsigned will generate Double value if
3402 the generated Int32 is < 0 (which should be UInt32).
3404 There is a chance for optimization. The given code pattern is the following.
3406 op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))
3408 This can be converted to the following.
3410 op_urshift(@1) below:< op_urshift(@2)
3412 The above conversion is nice since
3414 1. We can avoid op_unsigned. This could be unsignedness check in DFG. Since
3415 this check depends on the value of Int32, dropping this check is not as easy as
3416 removing Int32 edge filters.
3418 2. We can perform unsigned comparison in Int32 form. We do not need to convert
3421 Since the above comparison exists in Octane/zlib's *super* hot path, dropping
3422 op_unsigned offers huge win.
3424 At first, my patch attempts to convert the above thing in DFG pipeline.
3425 However it poses several problems.
3427 1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
3428 2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,
3430 2: UInt32ToNumber(@0)
3432 4: UInt32ToNumber(@1)
3435 we could drop @5's MovHint. But @3 is difficult since @4 can exit.
3437 So, instead, we start introducing a simple optimization in the bytecode compiler.
3438 It performs pattern matching for op_urshift and comparison to drop op_unsigned.
3439 We adds op_below and op_above families to bytecodes. They only accept Int32 and
3440 perform unsigned comparison.
3442 This offers 4% performance improvement in Octane/zlib.
3446 zlib x2 431.07483+-16.28434 414.33407+-9.38375 might be 1.0404x faster
3448 * bytecode/BytecodeDumper.cpp:
3449 (JSC::BytecodeDumper<Block>::printCompareJump):
3450 (JSC::BytecodeDumper<Block>::dumpBytecode):
3451 * bytecode/BytecodeDumper.h:
3452 * bytecode/BytecodeList.json:
3453 * bytecode/BytecodeUseDef.h:
3454 (JSC::computeUsesForBytecodeOffset):
3455 (JSC::computeDefsForBytecodeOffset):
3456 * bytecode/Opcode.h:
3458 * bytecode/PreciseJumpTargetsInlines.h:
3459 (JSC::extractStoredJumpTargetsForBytecodeOffset):
3460 * bytecompiler/BytecodeGenerator.cpp:
3461 (JSC::BytecodeGenerator::emitJumpIfTrue):
3462 (JSC::BytecodeGenerator::emitJumpIfFalse):
3463 * bytecompiler/NodesCodegen.cpp:
3464 (JSC::BinaryOpNode::emitBytecode):
3465 * dfg/DFGAbstractInterpreterInlines.h:
3466 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3467 * dfg/DFGByteCodeParser.cpp:
3468 (JSC::DFG::ByteCodeParser::parseBlock):
3469 * dfg/DFGCapabilities.cpp:
3470 (JSC::DFG::capabilityLevel):
3471 * dfg/DFGClobberize.h:
3472 (JSC::DFG::clobberize):
3473 * dfg/DFGDoesGC.cpp:
3475 * dfg/DFGFixupPhase.cpp:
3476 (JSC::DFG::FixupPhase::fixupNode):
3477 * dfg/DFGIntegerRangeOptimizationPhase.cpp:
3478 * dfg/DFGNodeType.h:
3479 * dfg/DFGPredictionPropagationPhase.cpp:
3480 * dfg/DFGSafeToExecute.h:
3481 (JSC::DFG::safeToExecute):
3482 * dfg/DFGSpeculativeJIT.cpp:
3483 (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
3484 * dfg/DFGSpeculativeJIT.h:
3485 * dfg/DFGSpeculativeJIT32_64.cpp:
3486 (JSC::DFG::SpeculativeJIT::compile):
3487 * dfg/DFGSpeculativeJIT64.cpp:
3488 (JSC::DFG::SpeculativeJIT::compile):
3489 * dfg/DFGValidate.cpp:
3490 * ftl/FTLCapabilities.cpp:
3491 (JSC::FTL::canCompile):
3492 * ftl/FTLLowerDFGToB3.cpp:
3493 (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3494 (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
3495 (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
3497 (JSC::JIT::privateCompileMainPass):
3499 * jit/JITArithmetic.cpp:
3500 (JSC::JIT::emit_op_below):
3501 (JSC::JIT::emit_op_beloweq):
3502 (JSC::JIT::emit_op_jbelow):
3503 (JSC::JIT::emit_op_jbeloweq):
3504 (JSC::JIT::emit_compareUnsignedAndJump):
3505 (JSC::JIT::emit_compareUnsigned):
3506 * jit/JITArithmetic32_64.cpp:
3507 (JSC::JIT::emit_compareUnsignedAndJump):
3508 (JSC::JIT::emit_compareUnsigned):
3509 * llint/LowLevelInterpreter.asm:
3510 * llint/LowLevelInterpreter32_64.asm:
3511 * llint/LowLevelInterpreter64.asm:
3513 (JSC::ExpressionNode::isBinaryOpNode const):
3515 2017-10-12 Yusuke Suzuki <utatane.tea@gmail.com>
3517 WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
3518 https://bugs.webkit.org/show_bug.cgi?id=178210
3520 Reviewed by Saam Barati.
3522 In Wasm, we have two JS functions exposed to users: WebAssemblyFunction and WebAssemblyWrapperFunction.
3523 The former is an exported wasm function and the latter is an imported & exported function. Since they
3524 have [[Call]], they should be categorized into "function" in typeof operation.
3526 However, these functions do not implement our function protocol correctly. They inherit JSFunction.
3527 But JSType of WebAssemblyFunction is WebAssemblyFunctionType, and one of WebAssemblyWrapperFunction is
3528 ObjectType. Since both do not have TypeOfShouldCallGetCallData, they return "object" when performing
3531 In this patch, we address the above issue by the following 2 fixes.
3533 1. We add TypeOfShouldCallGetCallData to WebAssemblyFunction. This is the same way how we implement
3534 InternalFunction. Since WebAssemblyFunction requires WebAssemblyFunctionType for fast checking in Wasm
3535 implementation, we cannot make this JSFunctionType.
3537 2. On the other hand, WebAssemblyWrapperFunction does not require a specific JSType. So this patch
3538 changes JSType of WebAssemblyWrapperFunction to JSFunctionType. JSFunctionType can be usable for derived
3539 classes of JSFunction (e.g. JSCustomGetterSetterFunction).
3541 * wasm/js/WebAssemblyFunction.h:
3542 (JSC::WebAssemblyFunction::signatureIndex const): Deleted.
3543 (JSC::WebAssemblyFunction::wasmEntrypointLoadLocation const): Deleted.
3544 (JSC::WebAssemblyFunction::callableFunction const): Deleted.
3545 (JSC::WebAssemblyFunction::jsEntrypoint): Deleted.
3546 (JSC::WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
3547 * wasm/js/WebAssemblyWrapperFunction.cpp:
3548 (JSC::WebAssemblyWrapperFunction::createStructure):
3549 * wasm/js/WebAssemblyWrapperFunction.h:
3550 (JSC::WebAssemblyWrapperFunction::signatureIndex const): Deleted.
3551 (JSC::WebAssemblyWrapperFunction::wasmEntrypointLoadLocation const): Deleted.
3552 (JSC::WebAssemblyWrapperFunction::callableFunction const): Deleted.
3553 (JSC::WebAssemblyWrapperFunction::function): Deleted.
3555 2017-10-12 Per Arne Vollan <pvollan@apple.com>
3557 [Win64] JSC compile error.
3558 https://bugs.webkit.org/show_bug.cgi?id=178213
3560 Reviewed by Alex Christensen.
3562 Add static cast from int64 to uintptr_t.
3564 * dfg/DFGOSRExit.cpp:
3565 (JSC::DFG::OSRExit::executeOSRExit):
3567 2017-09-29 Filip Pizlo <fpizlo@apple.com>
3569 Enable gigacage on iOS
3570 https://bugs.webkit.org/show_bug.cgi?id=177586
3572 Reviewed by JF Bastien.
3574 The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
3575 executing JS, so the LLInt needs to know how to load from global variables on all platforms that
3576 have Gigacage. So, this teaches ARM64 how to load from global variables.
3578 Also, this makes the code handle disabling the gigacage a bit better.
3580 * ftl/FTLLowerDFGToB3.cpp:
3581 (JSC::FTL::DFG::LowerDFGToB3::caged):
3582 * jit/AssemblyHelpers.h:
3583 (JSC::AssemblyHelpers::cage):
3584 (JSC::AssemblyHelpers::cageConditionally):
3585 * offlineasm/arm64.rb:
3586 * offlineasm/asm.rb:
3587 * offlineasm/instructions.rb:
3589 2017-10-11 Sam Weinig <sam@webkit.org>
3591 Remove out-parameter variants of copyToVector
3592 https://bugs.webkit.org/show_bug.cgi?id=178155
3594 Reviewed by Tim Horton.
3596 * inspector/ScriptDebugServer.cpp:
3597 (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
3598 (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
3599 (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
3600 (Inspector::ScriptDebugServer::dispatchDidParseSource):
3601 (Inspector::ScriptDebugServer::dispatchFailedToParseSource):
3602 (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
3604 Replace out-parameter based copyToVector, with one that returns a Vector.
3606 2017-10-12 Yusuke Suzuki <utatane.tea@gmail.com>
3608 Support integrity="" on module scripts
3609 https://bugs.webkit.org/show_bug.cgi?id=177959
3611 Reviewed by Sam Weinig.
3613 This patch adds Subresource Integrity check for module scripts. Currently,
3614 only top-level module can be verified with integrity parameter since there
3615 is no way to perform integrity check onto the imported modules.
3617 In JSC side, we add `parameters` to the entry point of the module loader
3618 pipeline. This is fetching parameters and used when fetching modules.
3620 We separately pass this parameters to the pipeline along with the script fetcher.
3621 The script fetcher is only one for module graph since this is the initiator of
3622 this module graph loading. On the other hand, this parameters is for each
3623 module fetching. While setting "integrity" parameters to this script fetcher is
3624 sufficient to pass parameters to top-level-module's fetching, it is not enough
3625 for the future extension.
3627 In the future, we will investigate a way to pass parameters to each non-top-level
3628 module. At that time, this `parameters` should be per-module. This is because
3629 "integrity" value should be different for each module. For example, we will accept
3630 some form of syntax to add parameters to `import`. Some proposed syntax is like
3631 https://discourse.wicg.io/t/specifying-nonce-or-integrity-when-importing-modules/1861
3633 import "./xxx.js" integrity "xxxxxxx"
3635 In this case, this `parameters` will be passed to "./xxx.js" module fetching. This
3636 `parameters` should be different from the one of top-level-module's one. That's why
3637 we need per-module `parameters` and why this patch adds `parameters` to the module pipeline.
3639 On the other hand, we also want to keep script fetcher. This `per-module-graph` thing
3640 is important to offer module-graph-wide information. For example, import.meta would
3641 have `import.meta.scriptElement`, which is the script element fetching the module graph
3642 including this. So, we keep the both, script fetcher and parameters.
3643 https://github.com/tc39/proposal-import-meta
3645 This parameters will be finally used by pipeline's fetch hook, and WebCore side
3646 can use this parameters to fetch modules.
3648 We also further clean up the module pipeline by dropping unnecessary features.
3650 * JavaScriptCore.xcodeproj/project.pbxproj:
3652 * builtins/ModuleLoaderPrototype.js:
3654 (requestInstantiate):
3657 (loadAndEvaluateModule):
3658 This loadAndEvaluateModule should be implemented by just calling loadModule and
3659 linkAndEvaluateModule. We can drop requestReady and requestLink.
3661 (requestLink): Deleted.
3662 (requestImportModule): Deleted.
3664 (GlobalObject::moduleLoaderImportModule):
3665 (GlobalObject::moduleLoaderFetch):
3666 import and fetch hook takes parameters. Currently, we always pass `undefined` for
3667 import hook. When dynamic `import()` is extended to accept additional parameters
3668 like integrity, this parameters will be replaced with the actual value.
3670 (functionLoadModule):
3672 * runtime/Completion.cpp:
3673 (JSC::loadAndEvaluateModule):
3675 (JSC::importModule):
3676 * runtime/Completion.h:
3677 * runtime/JSGlobalObject.h:
3678 * runtime/JSGlobalObjectFunctions.cpp:
3679 (JSC::globalFuncImportModule):
3680 * runtime/JSModuleLoader.cpp:
3681 (JSC::JSModuleLoader::loadAndEvaluateModule):
3682 (JSC::JSModuleLoader::loadModule):
3683 (JSC::JSModuleLoader::requestImportModule):
3684 (JSC::JSModuleLoader::importModule):
3685 (JSC::JSModuleLoader::fetch):
3686 * runtime/JSModuleLoader.h:
3687 * runtime/JSScriptFetchParameters.cpp: Added.
3688 (JSC::JSScriptFetchParameters::destroy):
3689 * runtime/JSScriptFetchParameters.h: Added.
3690 (JSC::JSScriptFetchParameters::createStructure):
3691 (JSC::JSScriptFetchParameters::create):
3692 (JSC::JSScriptFetchParameters::parameters const):
3693 (JSC::JSScriptFetchParameters::JSScriptFetchParameters):
3694 Add ScriptFetchParameters' JSCell wrapper, JSScriptFetchParameters.
3695 It is used in the module pipeline.
3698 * runtime/ModuleLoaderPrototype.cpp:
3699 (JSC::moduleLoaderPrototypeFetch):
3700 * runtime/ScriptFetchParameters.h: Added.
3701 (JSC::ScriptFetchParameters::~ScriptFetchParameters):
3702 Add ScriptFetchParameters. We can define our own custom ScriptFetchParameters
3703 by inheriting this class. WebCore creates ModuleFetchParameters by inheriting
3710 2017-10-11 Yusuke Suzuki <utatane.tea@gmail.com>
3712 import.meta should not be assignable
3713 https://bugs.webkit.org/show_bug.cgi?id=178202
3715 Reviewed by Saam Barati.
3717 `import.meta` cannot be used for LHS. This patch adds MetaPropertyNode
3718 and make NewTargetNode and ImportMetaNode as derived classes of MetaPropertyNode.
3719 We change the parser not to allow assignments for MetaPropertyNode.
3721 * bytecompiler/NodesCodegen.cpp:
3722 (JSC::ImportMetaNode::emitBytecode):
3723 * parser/ASTBuilder.h:
3724 (JSC::ASTBuilder::createImportMetaExpr):
3725 (JSC::ASTBuilder::isMetaProperty):
3726 (JSC::ASTBuilder::isImportMeta):
3727 * parser/NodeConstructors.h:
3728 (JSC::MetaPropertyNode::MetaPropertyNode):
3729 (JSC::NewTargetNode::NewTargetNode):
3730 (JSC::ImportMetaNode::ImportMetaNode):
3732 (JSC::ExpressionNode::isMetaProperty const):
3733 (JSC::ExpressionNode::isImportMeta const):
3734 * parser/Parser.cpp:
3735 (JSC::Parser<LexerType>::metaPropertyName):
3736 (JSC::Parser<LexerType>::parseAssignmentExpression):
3737 (JSC::Parser<LexerType>::parseMemberExpression):
3738 (JSC::Parser<LexerType>::parseUnaryExpression):
3740 * parser/SyntaxChecker.h:
3741 (JSC::SyntaxChecker::createImportMetaExpr):
3742 (JSC::SyntaxChecker::isMetaProperty):
3743 (JSC::SyntaxChecker::isImportMeta):
3745 2017-10-11 Saam Barati <sbarati@apple.com>
3747 Runtime disable poly proto because it may be a 3-4% Speedometer regression
3748 https://bugs.webkit.org/show_bug.cgi?id=178192
3750 Reviewed by JF Bastien.
3752 * runtime/Options.h:
3753 * runtime/StructureInlines.h:
3754 (JSC::Structure::shouldConvertToPolyProto):
3756 2017-10-11 Commit Queue <commit-queue@webkit.org>
3758 Unreviewed, rolling out r223113 and r223121.
3759 https://bugs.webkit.org/show_bug.cgi?id=178182
3761 Reintroduced 20% regression on Kraken (Requested by rniwa on
3764 Reverted changesets:
3766 "Enable gigacage on iOS"
3767 https://bugs.webkit.org/show_bug.cgi?id=177586
3768 https://trac.webkit.org/changeset/223113
3770 "Use one virtual allocation for all gigacages and their
3772 https://bugs.webkit.org/show_bug.cgi?id=178050
3773 https://trac.webkit.org/changeset/223121
3775 2017-10-11 Michael Saboff <msaboff@apple.com>
3777 Update JavaScriptCore/ucd/CaseFolding.txt to Unicode database 10.0
3778 https://bugs.webkit.org/show_bug.cgi?id=178106
3780 Reviewed by Keith Miller.
3782 * ucd/CaseFolding.txt:
3784 2017-10-11 Caio Lima <ticaiolima@gmail.com>
3786 Object properties are undefined in super.call() but not in this.call()
3787 https://bugs.webkit.org/show_bug.cgi?id=177230
3789 Reviewed by Saam Barati.
3791 Bytecode generation for "super.call(...)" or "super.apply(...)"
3792 shouldn't be considered as CallFunctionCallDotNode or
3793 ApplyFunctionCallDotNode because they should be considered as common
3794 super property access as any other function. According to spec[1],
3795 "super" is not refering to parent constructor.
3797 [1] - https://tc39.github.io/ecma262/#sec-super-keyword-runtime-semantics-evaluation
3799 * parser/ASTBuilder.h:
3800 (JSC::ASTBuilder::makeFunctionCallNode):
3801 * parser/Parser.cpp:
3802 (JSC::Parser<LexerType>::parseMemberExpression):
3803 * parser/SyntaxChecker.h:
3804 (JSC::SyntaxChecker::makeFunctionCallNode):
3806 2017-10-11 Yusuke Suzuki <utatane.tea@gmail.com>
3808 [JSC] Drop Instantiate hook in ES6 module loader
3809 https://bugs.webkit.org/show_bug.cgi?id=178162
3811 Reviewed by Sam Weinig.
3813 This patch is a part of patch series for module loader refactoring to adopt
3814 integrity="" parameters and introduce new whatwg module import mechanism.
3816 In this patch, we drop instantiate hook in module loader. This hook is originally
3817 introduced because it is defined in whatwg/loader spec. But this hook is not
3818 used in our implementation, and this hook won't be used since (1) whatwg/loader
3819 spec is abandoned, and (2) this type of hooks should be done in Service Workers.
3821 In addition, this patch applies some cleaning up of our module loader JS code
3822 to simplify things. This change paves the way to more efficient loader implementation
3823 with great flexibility to adopt integrity="" parameters.
3825 * builtins/ModuleLoaderPrototype.js:
3826 (requestInstantiate):
3828 provide is changed to provideFetch since we only used this function with Fetch stage parameter.
3830 (fulfillInstantiate): Deleted.
3831 (commitInstantiated): Deleted.
3832 (instantiation): Deleted.
3833 They are merged into requestInstantiate code. This is simpler.
3837 * runtime/Completion.cpp:
3838 (JSC::loadAndEvaluateModule):
3840 * runtime/JSGlobalObject.cpp:
3841 * runtime/JSGlobalObject.h:
3842 * runtime/JSModuleLoader.cpp:
3843 (JSC::JSModuleLoader::provideFetch):
3844 (JSC::JSModuleLoader::provide): Deleted.
3845 Changed to provideFetch.
3847 (JSC::JSModuleLoader::instantiate): Deleted.
3850 * runtime/JSModuleLoader.h:
3851 * runtime/ModuleLoaderPrototype.cpp:
3852 (JSC::moduleLoaderPrototypeInstantiate): Deleted.
3855 2017-10-10 Saam Barati <sbarati@apple.com>
3857 Prototype structure transition should be a deferred transition
3858 https://bugs.webkit.org/show_bug.cgi?id=177734
3860 Reviewed by Keith Miller.
3862 Absence ObjectPropertyConditions work by verifying both that the Structure
3863 does not have a particular property and that its prototype has
3864 remained constant. However, the prototype transition was firing
3865 the transition watchpoint before setting the object's structure.
3866 This meant that isValid for Absence would never return false because
3867 the prototype changed. Clearly this is wrong. The reason this didn't
3868 break OPCs in general is that we'd also check if we could still watch
3869 the OPC. In this case, we can't still watch it because we're inspecting
3870 a structure with an invalidated transition watchpoint. To fix
3871 this weird quirk of the code, I'm making it so that doing a prototype
3872 transition uses the DeferredStructureTransitionWatchpointFire machinery.
3874 This patch also fixes some dead code that I left in regarding
3877 * bytecode/PropertyCondition.cpp:
3878 (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3879 * runtime/JSObject.cpp:
3880 (JSC::JSObject::setPrototypeDirect):
3881 * runtime/Structure.cpp:
3882 (JSC::Structure::changePrototypeTransition):
3883 * runtime/Structure.h:
3885 2017-10-10 Robin Morisset <rmorisset@apple.com>
3887 Avoid allocating useless landingBlocks in DFGByteCodeParser::handleInlining()
3888 https://bugs.webkit.org/show_bug.cgi?id=177926
3890 Reviewed by Saam Barati.
3892 When doing polyvariant inlining, there used to be a landing block for each callee, each of which was then linked to a continuation block.
git://git.webkit.org / WebKit-https.git / blob