[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-01-04  Saam Barati  <sbarati@apple.com>

        Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction)
        https://bugs.webkit.org/show_bug.cgi?id=181296

        Reviewed by Filip Pizlo.

        Inside Speedometer's Ember test, there is a recompile loop like:
        a: GetByVal(..., semanticOriginX)
        b: SetLocal(Cell:@a, semanticOriginX)

        where the cell check always fails. For reasons I didn't investigate, the
        baseline JIT's value profiling doesn't accurately capture the GetByVal's
        result.

        However, when compiling this cell speculation check in the DFG, we get a null
        MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for
        this IR pattern because both @a and @b have the same semantic origin. We
        should not follow the same semantic origin heuristic when dealing with
        SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern.
        For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction).
        For this IR pattern, we will update the value profile for the semantic origin
        for @nodeWithHeapPrediction. So, for the Speedometer example above, we
        will correctly update the GetByVal's value profile, which will prevent
        an OSR exit loop.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2018-01-04  Keith Miller  <keith_miller@apple.com>

        Array Storage operations sometimes did not update the indexing mask correctly.
        https://bugs.webkit.org/show_bug.cgi?id=181301

        Reviewed by Mark Lam.

        I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::increaseVectorLength):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Define defs for MapSet/SetAdd to participate in CSE
        https://bugs.webkit.org/show_bug.cgi?id=179911

        Reviewed by Saam Barati.

        With this patch, our MapSet and SetAdd DFG nodes participate in CSE.
        To handle the somewhat tricky DFG Map operation nodes, MapSet and SetAdd
        produce the added bucket as their result. Subsequent GetMapBucket will
        be removed by CSE.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove LocalScope
        https://bugs.webkit.org/show_bug.cgi?id=181206

        Reviewed by Geoffrey Garen.

        The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use.
        This patch changes JSON parsing and stringifying to use MarkedArgumentBuffer, and removes HandleStack
        and LocalScope.

        We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack, so they can hold
        JSObject* directly in their fields.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/HandleStack.cpp: Removed.
        * heap/HandleStack.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack): Deleted.
        * heap/Local.h: Removed.
        * heap/LocalScope.h: Removed.
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::object const):
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::callReviver):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONParse):
        (JSC::JSONStringify):

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf
        https://bugs.webkit.org/show_bug.cgi?id=180238

        Reviewed by Saam Barati.

        We can optimize ObjectAllocationSinking a bit by using removeIf.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2018-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Create parallel SlotVisitors a priori
        https://bugs.webkit.org/show_bug.cgi?id=180907

        Reviewed by Saam Barati.

        The number of SlotVisitors is capped at the number of HeapHelperPool's threads + 2.
        If we create these SlotVisitors a priori, we do not need to create SlotVisitors dynamically.
        Then we do not need to grab locks while iterating over all the SlotVisitors.

        In addition, we do not need to consider the case that the number of SlotVisitors increases
        after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors
        does not increase any more.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::runBeginPhase):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::numberOfSlotVisitors): Deleted.
        * heap/MarkingConstraintSolver.cpp:
        (JSC::MarkingConstraintSolver::didVisitSomething const):

2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>

        Replace hard-coded paths in shebangs with #!/usr/bin/env
        https://bugs.webkit.org/show_bug.cgi?id=181040

        Reviewed by Alex Christensen.

        * Scripts/UpdateContents.py:
        * Scripts/cssmin.py:
        * Scripts/generate-combined-inspector-json.py:
        * Scripts/xxd.pl:
        * create_hash_table:
        * generate-bytecode-files:
        * wasm/generateWasm.py:
        * wasm/generateWasmOpsHeader.py:
        * yarr/generateYarrCanonicalizeUnicode:

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Disable SharedArrayBuffers from Web API
        https://bugs.webkit.org/show_bug.cgi?id=181266

        Reviewed by Saam Barati.

        Removed SharedArrayBuffer prototype and structure from GlobalObject creation
        to disable it.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype const):
        (JSC::JSGlobalObject::arrayBufferStructure const):
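
Added example (not part of the ChangeLog or of WebKit's code): once an engine stops exposing SharedArrayBuffer on its global object, as the entry above does, any page script that reaches for the constructor unconditionally fails with a ReferenceError. The pattern below feature-detects the constructor on a `scope` object that stands in for the global object (window, self or globalThis; the parameter is an assumption made so the fallback path can be exercised even where the constructor is present) and degrades to a private ArrayBuffer that is copied rather than shared.

```javascript
// Whether `scope` (a stand-in for the global object) exposes SharedArrayBuffer.
function sharedMemoryAvailable(scope) {
  return typeof scope.SharedArrayBuffer === "function";
}

// Allocate memory intended for a worker: a SharedArrayBuffer when the platform
// permits sharing, otherwise a plain ArrayBuffer that stays private to this
// thread and must be copied for every exchange.
function allocateBuffer(scope, byteLength) {
  if (sharedMemoryAvailable(scope)) {
    return { shared: true, buffer: new scope.SharedArrayBuffer(byteLength) };
  }
  return { shared: false, buffer: new ArrayBuffer(byteLength) };
}

// Producer step: fill the buffer, then hand back what a postMessage() call
// would carry. Shared memory is passed as-is (the consumer sees the same
// bytes); private memory is cloned so the producer keeps its own copy.
function fillAndPublish(allocation, byteValue) {
  const view = new Uint8Array(allocation.buffer);
  view.fill(byteValue);
  return allocation.shared ? allocation.buffer : allocation.buffer.slice(0);
}

// Human-readable summary of which path a given scope takes.
function describeScope(scope) {
  return sharedMemoryAvailable(scope)
    ? "SharedArrayBuffer available: workers can share memory in place"
    : "SharedArrayBuffer absent: falling back to copied ArrayBuffers";
}

// Constructed stand-in for a global object on which the constructor was removed.
const restrictedScope = {};
console.log(describeScope(restrictedScope));
```

The same code runs unchanged on a platform where SharedArrayBuffer is present (pass the real global object as `scope`), so a script written this way does not depend on whether a given engine build exposes the constructor.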

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Add "noInline" to $vm
        https://bugs.webkit.org/show_bug.cgi?id=181265

        Reviewed by Mark Lam.

        This would be useful for web based tests.

        * tools/JSDollarVM.cpp:
        (JSC::getExecutableForFunction):
        (JSC::functionNoInline):
        (JSC::JSDollarVM::finishCreation):

2018-01-03  Michael Saboff  <msaboff@apple.com>

        Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
        https://bugs.webkit.org/show_bug.cgi?id=181263

        Reviewed by Mark Lam.

        Flushing the butterfly pointer provides no benefit and slows this function.

        * tools/JSDollarVM.cpp:
        (JSC::functionCpuClflush):

2018-01-03  Saam Barati  <sbarati@apple.com>

        Fix BytecodeParser op_catch assert to work with useProfiler=1
        https://bugs.webkit.org/show_bug.cgi?id=181260

        Reviewed by Keith Miller.

        op_catch was asserting that the current block was empty. This is only true
        if the profiler isn't enabled. When the profiler is enabled, we will
        insert a CountExecution node before each bytecode. This patch fixes the
        assert to work with the profiler.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2018-01-03  Per Arne Vollan  <pvollan@apple.com>

        [Win][Debug] testapi link error.
        https://bugs.webkit.org/show_bug.cgi?id=181247
        <rdar://problem/36166729>

        Reviewed by Brent Fulgham.

        Do not set the runtime library compile flag for C files; it is already set to the correct value.

        * shell/PlatformWin.cmake:

2018-01-03  Robin Morisset  <rmorisset@apple.com>

        Inlining of a function that ends in op_unreachable crashes
        https://bugs.webkit.org/show_bug.cgi?id=181027

        Reviewed by Filip Pizlo.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::inlineCall):

2018-01-02  Saam Barati  <sbarati@apple.com>

        Incorrect assertion inside AccessCase
        https://bugs.webkit.org/show_bug.cgi?id=181200
        <rdar://problem/35494754>

        Reviewed by Yusuke Suzuki.

        Consider a PutById compiled to a setter in a function like so:

        ```
        function foo(o) { o.f = o; }
        ```

        The DFG will often assign the same registers to the baseGPR (o in o.f) and the
        valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
        to the same register. However, we're asserting that they're not the same register.
        This patch just removes this invalid assertion.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2018-01-02  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
        https://bugs.webkit.org/show_bug.cgi?id=175359

        Reviewed by Yusuke Suzuki.

        This patch is implementing BigIntConstructor and BigIntPrototype
        following the spec [1, 2]. In addition, we are also implementing a BigIntObject
        wrapper to handle the ToObject(v) abstract operation when "v" is a BigInt
        primitive. With these classes, it is now possible to synthesize
        BigInt.prototype and then call "toString", "valueOf" and
        "toLocaleString" when the primitive is a BigInt.
        BigIntConstructor exposes an API to parse other primitives such as
        Number, Boolean and String to BigInt.
        We decided to skip the parseInt implementation, since it was removed from
        the spec.

        [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
        [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jsc.cpp:
        * runtime/BigIntConstructor.cpp: Added.
        (JSC::BigIntConstructor::BigIntConstructor):
        (JSC::BigIntConstructor::finishCreation):
        (JSC::isSafeInteger):
        (JSC::toBigInt):
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntConstructor.h: Added.
        (JSC::BigIntConstructor::create):
        (JSC::BigIntConstructor::createStructure):
        * runtime/BigIntObject.cpp: Added.
        (JSC::BigIntObject::BigIntObject):
        (JSC::BigIntObject::finishCreation):
        (JSC::BigIntObject::toStringName):
        (JSC::BigIntObject::defaultValue):
        * runtime/BigIntObject.h: Added.
        (JSC::BigIntObject::create):
        (JSC::BigIntObject::internalValue const):
        (JSC::BigIntObject::createStructure):
        * runtime/BigIntPrototype.cpp: Added.
        (JSC::BigIntPrototype::BigIntPrototype):
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BigIntPrototype.h: Added.
        (JSC::BigIntPrototype::create):
        (JSC::BigIntPrototype::createStructure):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::createFrom):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toObject const):
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        * runtime/JSCPoisonedPtr.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::bigIntPrototype const):
        (JSC::JSGlobalObject::bigIntObjectStructure const):
        * runtime/StructureCache.h:
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):
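
Added example (not part of the ChangeLog or of JavaScriptCore): the script-visible behaviour that the entry above implements, namely what the BigInt constructor accepts and rejects, how ToObject(v) wraps a BigInt primitive so BigInt.prototype methods can be called on it, the receiver check those methods perform, and the asUintN/asIntN helpers the file list mentions. The function names below are this example's own.

```javascript
// The constructor converts Number, Boolean and String inputs to BigInt.
function convertToBigInt(value) {
  return BigInt(value);
}

// Inputs the constructor rejects, reported by error class: a non-integral
// Number (RangeError), an unparsable String (SyntaxError), and null,
// undefined or a Symbol (TypeError). Returns null when no error is thrown.
function constructorErrorName(value) {
  try {
    BigInt(value);
    return null;
  } catch (e) {
    return e.name;
  }
}

// ToObject(v) on a BigInt primitive yields a wrapper object whose prototype
// is BigInt.prototype; valueOf() unwraps it and toString(radix) formats it.
function describeWrapper(primitive) {
  const wrapped = Object(primitive);
  return {
    typeofWrapped: typeof wrapped,
    hasBigIntPrototype: Object.getPrototypeOf(wrapped) === BigInt.prototype,
    unwrapped: wrapped.valueOf(),
    hex: wrapped.toString(16),
  };
}

// BigInt.prototype methods check that `this` is a BigInt or a BigInt wrapper;
// any other receiver (here a Number) is rejected with a TypeError.
function toStringOnWrongReceiver() {
  try {
    BigInt.prototype.toString.call(5);
    return null;
  } catch (e) {
    return e.name;
  }
}

// asUintN / asIntN reduce a value modulo 2^bits, read back as unsigned or
// two's-complement signed respectively.
function wrapToWidth(bits, value) {
  return {
    unsigned: BigInt.asUintN(bits, value),
    signed: BigInt.asIntN(bits, value),
  };
}

// Constructed sample run.
console.log(convertToBigInt("0x1f"), describeWrapper(255n), wrapToWidth(8, 255n));
```

The wrapper object is what lets `(255n).toString(16)` work: property lookup on the primitive synthesizes BigInt.prototype, and the receiver check is why borrowing those methods for other types fails instead of silently producing a value.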

2018-01-02  Tim Horton  <timothy_horton@apple.com>

        Fix the MathCommon build with a recent compiler
        https://bugs.webkit.org/show_bug.cgi?id=181216

        Reviewed by Sam Weinig.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):
        This cast drops the 'const' qualifier from the pointer to 'one',
        but it doesn't have to, and it makes the compiler sad.

== Rolled over to ChangeLog-2018-01-01 ==