diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index a067ba6..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-LLIntOffsets
diff --git a/API/APICallbackFunction.h b/API/APICallbackFunction.h
index e5283b5..d2d37b1 100644
--- a/API/APICallbackFunction.h
+++ b/API/APICallbackFunction.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -35,77 +35,96 @@ namespace JSC { struct APICallbackFunction { - -template static EncodedJSValue JSC_HOST_CALL call(ExecState*); -template static EncodedJSValue JSC_HOST_CALL construct(ExecState*); - + template static EncodedJSValue callImpl(JSGlobalObject*, CallFrame*); + template static EncodedJSValue constructImpl(JSGlobalObject*, CallFrame*); }; template -EncodedJSValue JSC_HOST_CALL APICallbackFunction::call(ExecState* exec) +EncodedJSValue APICallbackFunction::callImpl(JSGlobalObject* globalObject, CallFrame* callFrame) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); - JSContextRef execRef = toRef(exec); - JSObjectRef functionRef = toRef(exec->jsCallee()); - JSObjectRef thisObjRef = toRef(jsCast(exec->thisValue().toThis(exec, NotStrictMode))); + JSContextRef execRef = toRef(globalObject); + JSObjectRef functionRef = toRef(callFrame->jsCallee()); + JSObjectRef thisObjRef = toRef(jsCast(callFrame->thisValue().toThis(globalObject, ECMAMode::sloppy()))); - int argumentCount = static_cast(exec->argumentCount()); + int argumentCount = static_cast(callFrame->argumentCount()); Vector arguments; arguments.reserveInitialCapacity(argumentCount); for (int i = 0; i < argumentCount; i++) - arguments.uncheckedAppend(toRef(exec, exec->uncheckedArgument(i))); + arguments.uncheckedAppend(toRef(globalObject, callFrame->uncheckedArgument(i))); - JSValueRef exception = 0; + JSValueRef exception = nullptr; JSValueRef result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = jsCast(toJS(functionRef))->functionCallback()(execRef, functionRef, thisObjRef, argumentCount, arguments.data(), &exception); } - if (exception) - throwException(exec, scope, toJS(exec, exception)); + if (exception) { + throwException(globalObject, scope, toJS(globalObject, exception)); + return JSValue::encode(jsUndefined()); + } // result must be a valid JSValue. 
if (!result) return JSValue::encode(jsUndefined()); - return JSValue::encode(toJS(exec, result)); + return JSValue::encode(toJS(globalObject, result)); } template -EncodedJSValue JSC_HOST_CALL APICallbackFunction::construct(ExecState* exec) +EncodedJSValue APICallbackFunction::constructImpl(JSGlobalObject* globalObject, CallFrame* callFrame) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); - JSObject* constructor = exec->jsCallee(); - JSContextRef ctx = toRef(exec); + JSValue callee = callFrame->jsCallee(); + T* constructor = jsCast(callFrame->jsCallee()); + JSContextRef ctx = toRef(globalObject); JSObjectRef constructorRef = toRef(constructor); - JSObjectCallAsConstructorCallback callback = jsCast(constructor)->constructCallback(); + JSObjectCallAsConstructorCallback callback = constructor->constructCallback(); if (callback) { - size_t argumentCount = exec->argumentCount(); + JSValue prototype; + JSValue newTarget = callFrame->newTarget(); + // If we are doing a derived class construction get the .prototype property off the new target first so we behave closer to normal JS. 
+ if (newTarget != constructor) { + prototype = newTarget.get(globalObject, vm.propertyNames->prototype); + RETURN_IF_EXCEPTION(scope, { }); + } + + size_t argumentCount = callFrame->argumentCount(); Vector arguments; arguments.reserveInitialCapacity(argumentCount); for (size_t i = 0; i < argumentCount; ++i) - arguments.uncheckedAppend(toRef(exec, exec->uncheckedArgument(i))); + arguments.uncheckedAppend(toRef(globalObject, callFrame->uncheckedArgument(i))); - JSValueRef exception = 0; + JSValueRef exception = nullptr; JSObjectRef result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = callback(ctx, constructorRef, argumentCount, arguments.data(), &exception); } + if (exception) { - throwException(exec, scope, toJS(exec, exception)); - return JSValue::encode(toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); + return JSValue::encode(jsUndefined()); } // result must be a valid JSValue. if (!result) - return throwVMTypeError(exec, scope); - return JSValue::encode(toJS(result)); + return throwVMTypeError(globalObject, scope); + + JSObject* newObject = toJS(result); + // This won't trigger proxy traps on newObject's prototype handler but that's probably desirable here anyway. + if (newTarget != constructor && newObject->getPrototypeDirect(vm) == constructor->get(globalObject, vm.propertyNames->prototype)) { + RETURN_IF_EXCEPTION(scope, { }); + newObject->setPrototype(vm, globalObject, prototype); + RETURN_IF_EXCEPTION(scope, { }); + } + + return JSValue::encode(newObject); } - return JSValue::encode(toJS(JSObjectMake(ctx, jsCast(constructor)->classRef(), 0))); + return JSValue::encode(toJS(JSObjectMake(ctx, jsCast(callee)->classRef(), nullptr))); } } // namespace JSC diff --git a/API/APICast.h b/API/APICast.h index ae9bc07..0ebe2d7 100644 --- a/API/APICast.h +++ b/API/APICast.h 
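Review bot: In constructImpl, `constructor->get(globalObject, vm.propertyNames->prototype)` is evaluated inside the `if` condition before any exception check, and the `RETURN_IF_EXCEPTION` that follows only runs when the comparison is true; a throwing getter or proxy trap on the constructor's `prototype` whose result compares unequal leaves the exception pending on the throw scope while the function still returns `newObject`. The lookup should be hoisted into a local guarded by `RETURN_IF_EXCEPTION` before it is compared, as below. Separately, the `prototype` value fetched from `newTarget` is installed without confirming it is an object; ordinary [[Construct]] falls back to the realm's default prototype when `newTarget.prototype` is a primitive, so callers may expect the same fallback here, and I can't tell from this hunk whether `setPrototype` tolerates a primitive.
```cpp
    // … unchanged: newTarget.prototype lookup, callback invocation and exception handling …
    JSObject* newObject = toJS(result);
    // This won't trigger proxy traps on newObject's prototype handler but that's probably desirable here anyway.
    if (newTarget != constructor) {
        // Look up constructor.prototype once and bail out before a value produced alongside a pending exception is used.
        JSValue constructorPrototype = constructor->get(globalObject, vm.propertyNames->prototype);
        RETURN_IF_EXCEPTION(scope, { });
        if (newObject->getPrototypeDirect(vm) == constructorPrototype) {
            newObject->setPrototype(vm, globalObject, prototype);
            RETURN_IF_EXCEPTION(scope, { });
        }
    }

    return JSValue::encode(newObject);
```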
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2006 Apple Inc. All rights reserved. + * Copyright (C) 2006-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -33,7 +33,7 @@ #include "HeapCellInlines.h" namespace JSC { - class ExecState; + class CallFrame; class PropertyNameArray; class VM; class JSObject; @@ -49,26 +49,26 @@ typedef struct OpaqueJSValue* JSObjectRef; /* Opaque typing convenience methods */ -inline JSC::ExecState* toJS(JSContextRef c) +inline JSC::JSGlobalObject* toJS(JSContextRef context) { - ASSERT(c); - return reinterpret_cast(const_cast(c)); + ASSERT(context); + return reinterpret_cast(const_cast(context)); } -inline JSC::ExecState* toJS(JSGlobalContextRef c) +inline JSC::JSGlobalObject* toJS(JSGlobalContextRef context) { - ASSERT(c); - return reinterpret_cast(c); + ASSERT(context); + return reinterpret_cast(context); } inline JSC::JSGlobalObject* toJSGlobalObject(JSGlobalContextRef context) { - return toJS(context)->lexicalGlobalObject(); + return toJS(context); } -inline JSC::JSValue toJS(JSC::ExecState* exec, JSValueRef v) +inline JSC::JSValue toJS(JSC::JSGlobalObject* globalObject, JSValueRef v) { - ASSERT_UNUSED(exec, exec); + ASSERT_UNUSED(globalObject, globalObject); #if !CPU(ADDRESS64) JSC::JSCell* jsCell = reinterpret_cast(const_cast(v)); if (!jsCell) 
@@ -84,13 +84,20 @@ inline JSC::JSValue toJS(JSC::ExecState* exec, JSValueRef v) if (!result) return JSC::jsNull(); if (result.isCell()) - RELEASE_ASSERT(result.asCell()->methodTable(exec->vm())); + RELEASE_ASSERT(result.asCell()->methodTable(getVM(globalObject))); return result; } -inline JSC::JSValue toJSForGC(JSC::ExecState* exec, JSValueRef v) +#if CPU(ADDRESS64) +inline JSC::JSValue toJS(JSValueRef value) { - ASSERT_UNUSED(exec, exec); + return bitwise_cast(value); +} +#endif + +inline JSC::JSValue toJSForGC(JSC::JSGlobalObject* globalObject, JSValueRef v) +{ + ASSERT_UNUSED(globalObject, globalObject); #if !CPU(ADDRESS64) JSC::JSCell* jsCell = reinterpret_cast(const_cast(v)); if (!jsCell) @@ -100,7 +107,7 @@ inline JSC::JSValue toJSForGC(JSC::ExecState* exec, JSValueRef v) JSC::JSValue result = bitwise_cast(v); #endif if (result && result.isCell()) - RELEASE_ASSERT(result.asCell()->methodTable(exec->vm())); + RELEASE_ASSERT(result.asCell()->methodTable(getVM(globalObject))); return result; } @@ -114,7 +121,7 @@ inline JSC::JSObject* toJS(JSObjectRef o) { JSC::JSObject* object = uncheckedToJS(o); if (object) - RELEASE_ASSERT(object->methodTable(*object->vm())); + RELEASE_ASSERT(object->methodTable(object->vm())); return object; } @@ -143,11 +150,18 @@ inline JSValueRef toRef(JSC::VM& vm, JSC::JSValue v) #endif } -inline JSValueRef toRef(JSC::ExecState* exec, JSC::JSValue v) +inline JSValueRef toRef(JSC::JSGlobalObject* globalObject, JSC::JSValue v) { - return toRef(exec->vm(), v); + return toRef(getVM(globalObject), v); } +#if CPU(ADDRESS64) +inline JSValueRef toRef(JSC::JSValue v) +{ + return bitwise_cast(v); +} +#endif + inline JSObjectRef toRef(JSC::JSObject* o) { return reinterpret_cast(o); 
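Review bot: The new `toJS(JSValueRef)` overload under `CPU(ADDRESS64)` is a bare `bitwise_cast` with none of the `RELEASE_ASSERT(result.asCell()->methodTable(...))` validation that the `toJS(JSGlobalObject*, JSValueRef)` overload in the same hunk keeps, and the `toRef(JSC::JSValue)` added in the `@@ -143,11` hunk has the same shape; an API entry point that reaches for the shorter overload silently loses the check on caller-supplied refs. A comment stating the intended use would guide future call sites, e.g. `// Unchecked conversion: no cell validation is performed. Use only for values that originate inside the VM; API-supplied refs should go through toJS(JSGlobalObject*, JSValueRef).`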
@@ -158,15 +172,14 @@ inline JSObjectRef toRef(const JSC::JSObject* o) return reinterpret_cast(const_cast(o)); } -inline JSContextRef toRef(JSC::ExecState* e) +inline JSContextRef toRef(JSC::JSGlobalObject* globalObject) { - return reinterpret_cast(e); + return reinterpret_cast(globalObject); } -inline JSGlobalContextRef toGlobalRef(JSC::ExecState* e) +inline JSGlobalContextRef toGlobalRef(JSC::JSGlobalObject* globalObject) { - ASSERT(e == e->lexicalGlobalObject()->globalExec()); - return reinterpret_cast(e); + return reinterpret_cast(globalObject); } inline JSPropertyNameAccumulatorRef toRef(JSC::PropertyNameArray* l) diff --git a/API/APIUtils.h b/API/APIUtils.h index 7a5e8ba..905642a 100644 --- a/API/APIUtils.h +++ b/API/APIUtils.h 
@@ -37,28 +37,30 @@ enum class ExceptionStatus { DidNotThrow }; -inline ExceptionStatus handleExceptionIfNeeded(JSC::CatchScope& scope, JSC::ExecState* exec, JSValueRef* returnedExceptionRef) +inline ExceptionStatus handleExceptionIfNeeded(JSC::CatchScope& scope, JSContextRef ctx, JSValueRef* returnedExceptionRef) { + JSC::JSGlobalObject* globalObject = toJS(ctx); if (UNLIKELY(scope.exception())) { JSC::Exception* exception = scope.exception(); if (returnedExceptionRef) - *returnedExceptionRef = toRef(exec, exception->value()); + *returnedExceptionRef = toRef(globalObject, exception->value()); scope.clearException(); #if ENABLE(REMOTE_INSPECTOR) - scope.vm().vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, exception); + globalObject->inspectorController().reportAPIException(globalObject, exception); #endif return ExceptionStatus::DidThrow; } return ExceptionStatus::DidNotThrow; } -inline void setException(JSC::ExecState* exec, JSValueRef* returnedExceptionRef, JSC::JSValue exception) +inline void setException(JSContextRef ctx, JSValueRef* returnedExceptionRef, JSC::JSValue exception) { + JSC::JSGlobalObject* globalObject = toJS(ctx); if (returnedExceptionRef) - *returnedExceptionRef = toRef(exec, exception); + *returnedExceptionRef = toRef(globalObject, exception); #if ENABLE(REMOTE_INSPECTOR) - JSC::VM& vm = exec->vm(); - vm.vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, JSC::Exception::create(vm, exception)); + JSC::VM& vm = getVM(globalObject); + globalObject->inspectorController().reportAPIException(globalObject, JSC::Exception::create(vm, exception)); #endif } diff --git a/API/JSAPIGlobalObject.cpp b/API/JSAPIGlobalObject.cpp index d75c58d..9f5e0ad 100644 --- a/API/JSAPIGlobalObject.cpp +++ b/API/JSAPIGlobalObject.cpp 
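Review bot: `handleExceptionIfNeeded` and `setException` now report API exceptions to `toJS(ctx)->inspectorController()` instead of `vmEntryGlobalObject(exec)`, which is a behavioral change whenever the context the API caller passes is not the global object the VM was entered through. If that is intended, a one-line comment above the `#if ENABLE(REMOTE_INSPECTOR)` block, e.g. `// Attribute the exception to the caller's context rather than the VM-entry global object.`, would spare the next reader the archaeology; if it is not, the old attribution should be restored. Both functions are fully within the hunk.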
@@ -44,11 +44,19 @@ const GlobalObjectMethodTable JSAPIGlobalObject::s_globalObjectMethodTable = { nullptr, // moduleLoaderCreateImportMetaProperties nullptr, // moduleLoaderEvaluate nullptr, // promiseRejectionTracker + &reportUncaughtExceptionAtEventLoop, + ¤tScriptExecutionOwner, + &scriptExecutionStatus, nullptr, // defaultLanguage nullptr, // compileStreaming nullptr, // instantiateStreaming }; +void JSAPIGlobalObject::reportUncaughtExceptionAtEventLoop(JSGlobalObject* globalObject, Exception* exception) +{ + Base::reportUncaughtExceptionAtEventLoop(globalObject, exception); +} + } #endif diff --git a/API/JSAPIGlobalObject.h b/API/JSAPIGlobalObject.h index 339e5e2..8167c5c 100644 --- a/API/JSAPIGlobalObject.h +++ b/API/JSAPIGlobalObject.h @@ -31,13 +31,20 @@ OBJC_CLASS JSScript; namespace JSC { -class JSAPIGlobalObject : public JSGlobalObject { +class JSAPIGlobalObject final : public JSGlobalObject { public: using Base = JSGlobalObject; DECLARE_EXPORT_INFO; static const GlobalObjectMethodTable s_globalObjectMethodTable; + static constexpr bool needsDestruction = true; + template + static IsoSubspace* subspaceFor(VM& vm) + { + return vm.apiGlobalObjectSpace(); + } + static JSAPIGlobalObject* create(VM& vm, Structure* structure) { auto* object = new (NotNull, allocateCell(vm.heap)) JSAPIGlobalObject(vm, structure); 
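Review bot: The three entries added to `s_globalObjectMethodTable` are positional in an aggregate initializer whose neighbours all carry a `// slotName` trailing comment, but the new ones don't; a misordered entry here compiles cleanly and only fails at runtime, so keep the convention: `&reportUncaughtExceptionAtEventLoop, // reportUncaughtExceptionAtEventLoop`, and likewise for the owner and status entries (the second new entry appears garbled in this rendering, presumably `&currentScriptExecutionOwner`). The same applies to the `@@ -67,13` hunk of JSAPIGlobalObject.mm. The .cpp override just forwards to `Base::reportUncaughtExceptionAtEventLoop`; a short comment saying why a forwarding override exists in this build (presumably because there is no JSContext to notify without the ObjC API) would explain it.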
@@ -47,16 +54,18 @@ public: static Structure* createStructure(VM& vm, JSValue prototype) { - auto* result = Structure::create(vm, 0, prototype, TypeInfo(GlobalObjectType, StructureFlags), info()); + auto* result = Structure::create(vm, nullptr, prototype, TypeInfo(GlobalObjectType, StructureFlags), info()); result->setTransitionWatchpointIsLikelyToBeFired(true); return result; } - static JSInternalPromise* moduleLoaderImportModule(JSGlobalObject*, ExecState*, JSModuleLoader*, JSString* moduleNameValue, JSValue parameters, const SourceOrigin&); - static Identifier moduleLoaderResolve(JSGlobalObject*, ExecState*, JSModuleLoader*, JSValue keyValue, JSValue referrerValue, JSValue); - static JSInternalPromise* moduleLoaderFetch(JSGlobalObject*, ExecState*, JSModuleLoader*, JSValue, JSValue, JSValue); - static JSObject* moduleLoaderCreateImportMetaProperties(JSGlobalObject*, ExecState*, JSModuleLoader*, JSValue, JSModuleRecord*, JSValue); - static JSValue moduleLoaderEvaluate(JSGlobalObject*, ExecState*, JSModuleLoader*, JSValue, JSValue, JSValue); + static void reportUncaughtExceptionAtEventLoop(JSGlobalObject*, Exception*); + + static JSInternalPromise* moduleLoaderImportModule(JSGlobalObject*, JSModuleLoader*, JSString* moduleNameValue, JSValue parameters, const SourceOrigin&); + static Identifier moduleLoaderResolve(JSGlobalObject*, JSModuleLoader*, JSValue keyValue, JSValue referrerValue, JSValue); + static JSInternalPromise* moduleLoaderFetch(JSGlobalObject*, JSModuleLoader*, JSValue, JSValue, JSValue); + static JSObject* moduleLoaderCreateImportMetaProperties(JSGlobalObject*, JSModuleLoader*, JSValue, JSModuleRecord*, JSValue); + static JSValue moduleLoaderEvaluate(JSGlobalObject*, JSModuleLoader*, JSValue, JSValue, JSValue); JSValue loadAndEvaluateJSScriptModule(const JSLockHolder&, JSScript *); diff --git a/API/JSAPIGlobalObject.mm b/API/JSAPIGlobalObject.mm index 3b30ca2..7a8a8b3 100644 --- a/API/JSAPIGlobalObject.mm +++ b/API/JSAPIGlobalObject.mm 
@@ -29,16 +29,16 @@ #if JSC_OBJC_API_ENABLED #import "APICast.h" +#import "CallFrameInlines.h" #import "CatchScope.h" #import "Completion.h" #import "Error.h" #import "Exception.h" #import "JSContextInternal.h" #import "JSInternalPromise.h" -#import "JSInternalPromiseDeferred.h" #import "JSModuleLoader.h" #import "JSNativeStdFunction.h" -#import "JSPromiseDeferred.h" +#import "JSPromise.h" #import "JSScriptInternal.h" #import "JSSourceCode.h" #import "JSValueInternal.h" @@ -47,11 +47,6 @@ #import "ObjectConstructor.h" #import "SourceOrigin.h" #import -#ifdef DARLING_NONUNIFIED_BUILD -#include "IdentifierInlines.h" -#include "AuxiliaryBarrierInlines.h" -#include "StrongInlines.h" -#endif namespace JSC { @@ -67,13 +62,22 @@ const GlobalObjectMethodTable JSAPIGlobalObject::s_globalObjectMethodTable = { &moduleLoaderResolve, // moduleLoaderResolve &moduleLoaderFetch, // moduleLoaderFetch &moduleLoaderCreateImportMetaProperties, // moduleLoaderCreateImportMetaProperties - moduleLoaderEvaluate, // moduleLoaderEvaluate + &moduleLoaderEvaluate, // moduleLoaderEvaluate nullptr, // promiseRejectionTracker + &reportUncaughtExceptionAtEventLoop, + ¤tScriptExecutionOwner, + &scriptExecutionStatus, nullptr, // defaultLanguage nullptr, // compileStreaming nullptr, // instantiateStreaming }; +void JSAPIGlobalObject::reportUncaughtExceptionAtEventLoop(JSGlobalObject* globalObject, Exception* exception) +{ + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject)]; + [context notifyException:toRef(globalObject->vm(), exception->value())]; +} + static Expected computeValidImportSpecifier(const URL& base, const String& specifier) { URL absoluteURL(URL(), specifier); 
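Review bot: The `@@ -47,11` hunk deletes the `DARLING_NONUNIFIED_BUILD` block that pulled in `IdentifierInlines.h`, `AuxiliaryBarrierInlines.h` and `StrongInlines.h`, while this file still uses `Identifier::fromString` and `Strong` further down; if non-unified builds remain a supported configuration, those declarations now have to arrive through `CallFrameInlines.h` or another header, which I can't confirm from the diff. If the block was dropped deliberately because unified builds are now the only target, the commit message should say so. In the new `reportUncaughtExceptionAtEventLoop`, whether `contextWithJSGlobalContextRef:` can return nil for a global object that never had a JSContext is not visible here; if it can, `notifyException:` is sent to nil and the exception is silently lost, which deserves a comment either way.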
@@ -81,7 +85,7 @@ static Expected computeValidImportSpecifier(const URL& base, const return absoluteURL; if (!specifier.startsWith('/') && !specifier.startsWith("./") && !specifier.startsWith("../")) - return makeUnexpected(makeString("Module specifier: "_s, specifier, " does not start with \"/\", \"./\", or \"../\"."_s)); + return makeUnexpected(makeString("Module specifier: "_s, specifier, " does not start with \"/\", \"./\", or \"../\". Referenced from: "_s, base.string())); if (specifier.startsWith('/')) { absoluteURL = URL(URL({ }, "file://"), specifier); @@ -101,18 +105,18 @@ static Expected computeValidImportSpecifier(const URL& base, const return makeUnexpected(makeString("Could not form valid URL from identifier and base. Tried:"_s, absoluteURL.string())); } -Identifier JSAPIGlobalObject::moduleLoaderResolve(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader*, JSValue key, JSValue referrer, JSValue) +Identifier JSAPIGlobalObject::moduleLoaderResolve(JSGlobalObject* globalObject, JSModuleLoader*, JSValue key, JSValue referrer, JSValue) { - VM& vm = exec->vm(); + VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); - ASSERT_UNUSED(globalObject, globalObject == exec->lexicalGlobalObject()); + ASSERT_UNUSED(globalObject, globalObject == globalObject); ASSERT(key.isString() || key.isSymbol()); - String name = key.toWTFString(exec); + String name = key.toWTFString(globalObject); RETURN_IF_EXCEPTION(scope, { }); URL base; if (JSString* referrerString = jsDynamicCast(vm, referrer)) { - String value = referrerString->value(exec); + String value = referrerString->value(globalObject); RETURN_IF_EXCEPTION(scope, { }); URL referrerURL({ }, value); RELEASE_ASSERT(referrerURL.isValid()); 
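Review bot: `ASSERT_UNUSED(globalObject, globalObject == globalObject)` in `moduleLoaderResolve` is a tautology left over from the mechanical `exec->lexicalGlobalObject()` replacement: it can never fire, and `ASSERT_UNUSED` is no longer needed because `globalObject` is used on the following lines. Drop the line, or replace it with an invariant that can actually fail, e.g. `ASSERT(globalObject);`. The same tautology appears as `ASSERT(globalObject == globalObject)` in `moduleLoaderFetch` in the `@@ -121,78` hunk.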
@@ -121,78 +125,85 @@ Identifier JSAPIGlobalObject::moduleLoaderResolve(JSGlobalObject* globalObject, auto result = computeValidImportSpecifier(base, name); if (result) - return Identifier::fromString(&vm, result.value()); + return Identifier::fromString(vm, result.value().string()); - throwVMError(exec, scope, createError(exec, result.error())); + throwVMError(globalObject, scope, createError(globalObject, result.error())); return { }; } -JSInternalPromise* JSAPIGlobalObject::moduleLoaderImportModule(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader*, JSString* specifierValue, JSValue, const SourceOrigin& sourceOrigin) +JSInternalPromise* JSAPIGlobalObject::moduleLoaderImportModule(JSGlobalObject* globalObject, JSModuleLoader*, JSString* specifierValue, JSValue, const SourceOrigin& sourceOrigin) { VM& vm = globalObject->vm(); auto scope = DECLARE_CATCH_SCOPE(vm); - auto reject = [&] (JSValue exception) -> JSInternalPromise* { + auto reject = [&] (Exception* exception) -> JSInternalPromise* { + auto* promise = JSInternalPromise::create(vm, globalObject->internalPromiseStructure()); + if (UNLIKELY(isTerminatedExecutionException(vm, exception))) + return promise; + JSValue error = exception->value(); scope.clearException(); - auto* promise = JSInternalPromiseDeferred::tryCreate(exec, globalObject); - scope.clearException(); - return promise->reject(exec, exception); + // FIXME: We could have error since any JS call can throw stack-overflow errors. 
+ // https://bugs.webkit.org/show_bug.cgi?id=203402 + promise->reject(globalObject, error); + return promise; }; auto import = [&] (URL& url) { - auto result = importModule(exec, Identifier::fromString(&vm, url), jsUndefined(), jsUndefined()); + auto result = importModule(globalObject, Identifier::fromString(vm, url.string()), jsUndefined(), jsUndefined()); if (UNLIKELY(scope.exception())) return reject(scope.exception()); return result; }; - auto specifier = specifierValue->value(exec); - if (UNLIKELY(scope.exception())) { - JSValue exception = scope.exception(); - scope.clearException(); - return reject(exception); - } + auto specifier = specifierValue->value(globalObject); + if (UNLIKELY(scope.exception())) + return reject(scope.exception()); - String referrer = !sourceOrigin.isNull() ? sourceOrigin.string() : String(); - URL baseURL(URL(), referrer); - auto result = computeValidImportSpecifier(baseURL, specifier); + auto result = computeValidImportSpecifier(sourceOrigin.url(), specifier); if (result) return import(result.value()); - return reject(createError(exec, result.error())); + auto* promise = JSInternalPromise::create(vm, globalObject->internalPromiseStructure()); + // FIXME: We could have error since any JS call can throw stack-overflow errors. 
+ // https://bugs.webkit.org/show_bug.cgi?id=203402 + promise->reject(globalObject, createError(globalObject, result.error())); + return promise; } -JSInternalPromise* JSAPIGlobalObject::moduleLoaderFetch(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader*, JSValue key, JSValue, JSValue) +JSInternalPromise* JSAPIGlobalObject::moduleLoaderFetch(JSGlobalObject* globalObject, JSModuleLoader*, JSValue key, JSValue, JSValue) { VM& vm = globalObject->vm(); auto scope = DECLARE_CATCH_SCOPE(vm); - ASSERT(globalObject == exec->lexicalGlobalObject()); - JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject->globalExec())]; + ASSERT(globalObject == globalObject); + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject)]; - JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::tryCreate(exec, globalObject); - RETURN_IF_EXCEPTION(scope, nullptr); + JSInternalPromise* promise = JSInternalPromise::create(vm, globalObject->internalPromiseStructure()); - Identifier moduleKey = key.toPropertyKey(exec); + Identifier moduleKey = key.toPropertyKey(globalObject); if (UNLIKELY(scope.exception())) { - JSValue exception = scope.exception(); + Exception* exception = scope.exception(); + if (UNLIKELY(isTerminatedExecutionException(vm, exception))) + return promise; scope.clearException(); - return deferred->reject(exec, exception); + promise->reject(globalObject, exception->value()); + return promise; } - if (UNLIKELY(![context moduleLoaderDelegate])) - return deferred->reject(exec, createError(exec, "No module loader provided.")); + if (UNLIKELY(![context moduleLoaderDelegate])) { + promise->reject(globalObject, createError(globalObject, "No module loader provided.")); + return promise; + } - auto deferredPromise = Strong(vm, deferred); - auto* resolve = JSNativeStdFunction::create(vm, globalObject, 1, "resolve", [=] (ExecState* exec) { + auto strongPromise = Strong(vm, promise); + auto* resolve = 
JSNativeStdFunction::create(vm, globalObject, 1, "resolve", [=] (JSGlobalObject* globalObject, CallFrame* callFrame) { // This captures the globalObject but that's ok because our structure keeps it alive anyway. - VM& vm = exec->vm(); - JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject->globalExec())]; - id script = valueToObject(context, toRef(exec, exec->argument(0))); + VM& vm = globalObject->vm(); + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject)]; + id script = valueToObject(context, toRef(globalObject, callFrame->argument(0))); MarkedArgumentBuffer args; auto rejectPromise = [&] (String message) { - args.append(createTypeError(exec, message)); - call(exec, deferredPromise->JSPromiseDeferred::reject(), args, "This should never be seen..."); + strongPromise.get()->reject(globalObject, createTypeError(globalObject, message)); return encodedJSUndefined(); }; 
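Review bot: `MarkedArgumentBuffer args;` in the `resolve` lambda looks dead after this change: the `args.append(...)`/`call(...)` pairs that used it in `rejectPromise` and on the resolve path are removed, and nothing visible in the new lines touches it; the lambda body continues past the end of the hunk, so if the elided lines don't use it either, delete the declaration. In `moduleLoaderImportModule`, the terminated-execution early return in `reject` hands back a promise that is never settled while leaving the exception on the catch scope, which is presumably what callers expect for termination; a one-line comment such as `// Leave the termination exception pending; the promise is intentionally never settled.` would make that explicit.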
@@ -207,55 +218,51 @@ JSInternalPromise* JSAPIGlobalObject::moduleLoaderFetch(JSGlobalObject* globalOb NSURL *sourceURL = [jsScript sourceURL]; String oldModuleKey { [sourceURL absoluteString] }; - if (UNLIKELY(Identifier::fromString(&vm, oldModuleKey) != moduleKey)) + if (UNLIKELY(Identifier::fromString(vm, oldModuleKey) != moduleKey)) return rejectPromise(makeString("The same JSScript was provided for two different identifiers, previously: ", oldModuleKey, " and now: ", moduleKey.string())); - args.append(source); - call(exec, deferredPromise->JSPromiseDeferred::resolve(), args, "This should never be seen..."); + strongPromise.get()->resolve(globalObject, source); return encodedJSUndefined(); }); - auto* reject = JSNativeStdFunction::create(vm, globalObject, 1, "reject", [=] (ExecState* exec) { - MarkedArgumentBuffer args; - args.append(exec->argument(0)); - - call(exec, deferredPromise->JSPromiseDeferred::reject(), args, "This should never be seen..."); + auto* reject = JSNativeStdFunction::create(vm, globalObject, 1, "reject", [=] (JSGlobalObject*, CallFrame* callFrame) { + strongPromise.get()->reject(globalObject, callFrame->argument(0)); return encodedJSUndefined(); }); - [[context moduleLoaderDelegate] context:context fetchModuleForIdentifier:[::JSValue valueWithJSValueRef:toRef(exec, key) inContext:context] withResolveHandler:[::JSValue valueWithJSValueRef:toRef(exec, resolve) inContext:context] andRejectHandler:[::JSValue valueWithJSValueRef:toRef(exec, reject) inContext:context]]; + [[context moduleLoaderDelegate] context:context fetchModuleForIdentifier:[::JSValue valueWithJSValueRef:toRef(globalObject, key) inContext:context] withResolveHandler:[::JSValue valueWithJSValueRef:toRef(globalObject, resolve) inContext:context] andRejectHandler:[::JSValue valueWithJSValueRef:toRef(globalObject, reject) inContext:context]]; if (context.exception) { - deferred->reject(exec, toJS(exec, [context.exception JSValueRef])); + promise->reject(globalObject, 
toJS(globalObject, [context.exception JSValueRef])); context.exception = nil; } - return deferred->promise(); + return promise; } -JSObject* JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader*, JSValue key, JSModuleRecord*, JSValue) +JSObject* JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties(JSGlobalObject* globalObject, JSModuleLoader*, JSValue key, JSModuleRecord*, JSValue) { - VM& vm = exec->vm(); + VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); - JSObject* metaProperties = constructEmptyObject(exec, globalObject->nullPrototypeObjectStructure()); + JSObject* metaProperties = constructEmptyObject(vm, globalObject->nullPrototypeObjectStructure()); RETURN_IF_EXCEPTION(scope, nullptr); - metaProperties->putDirect(vm, Identifier::fromString(&vm, "filename"), key); + metaProperties->putDirect(vm, Identifier::fromString(vm, "filename"), key); RETURN_IF_EXCEPTION(scope, nullptr); return metaProperties; } -JSValue JSAPIGlobalObject::moduleLoaderEvaluate(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader* moduleLoader, JSValue key, JSValue moduleRecordValue, JSValue scriptFetcher) +JSValue JSAPIGlobalObject::moduleLoaderEvaluate(JSGlobalObject* globalObject, JSModuleLoader* moduleLoader, JSValue key, JSValue moduleRecordValue, JSValue scriptFetcher) { - VM& vm = exec->vm(); + VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); - JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject->globalExec())]; + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject)]; id moduleLoaderDelegate = [context moduleLoaderDelegate]; NSURL *url = nil; if ([moduleLoaderDelegate respondsToSelector:@selector(willEvaluateModule:)] || [moduleLoaderDelegate respondsToSelector:@selector(didEvaluateModule:)]) { - String moduleKey = key.toWTFString(exec); + String moduleKey = key.toWTFString(globalObject); 
RETURN_IF_EXCEPTION(scope, { }); url = [NSURL URLWithString:static_cast(moduleKey)]; } @@ -264,7 +271,7 @@ JSValue JSAPIGlobalObject::moduleLoaderEvaluate(JSGlobalObject* globalObject, Ex [moduleLoaderDelegate willEvaluateModule:url]; scope.release(); - JSValue result = moduleLoader->evaluateNonVirtual(exec, key, moduleRecordValue, scriptFetcher); + JSValue result = moduleLoader->evaluateNonVirtual(globalObject, key, moduleRecordValue, scriptFetcher); if ([moduleLoaderDelegate respondsToSelector:@selector(didEvaluateModule:)]) [moduleLoaderDelegate didEvaluateModule:url]; @@ -276,16 +283,15 @@ JSValue JSAPIGlobalObject::loadAndEvaluateJSScriptModule(const JSLockHolder&, JS { ASSERT(script.type == kJSScriptTypeModule); VM& vm = this->vm(); - ExecState* exec = globalExec(); auto scope = DECLARE_THROW_SCOPE(vm); - Identifier key = Identifier::fromString(exec, String { [[script sourceURL] absoluteString] }); - JSInternalPromise* promise = importModule(exec, key, jsUndefined(), jsUndefined()); + Identifier key = Identifier::fromString(vm, String { [[script sourceURL] absoluteString] }); + JSInternalPromise* promise = importModule(this, key, jsUndefined(), jsUndefined()); RETURN_IF_EXCEPTION(scope, { }); - auto result = JSPromiseDeferred::tryCreate(exec, this); + auto* result = JSPromise::create(vm, this->promiseStructure()); + result->resolve(this, promise); RETURN_IF_EXCEPTION(scope, { }); - result->resolve(exec, promise); - return result->promise(); + return result; } } diff --git a/API/JSAPIValueWrapper.cpp b/API/JSAPIValueWrapper.cpp index 454f196..f3d31c0 100644 --- a/API/JSAPIValueWrapper.cpp +++ b/API/JSAPIValueWrapper.cpp @@ -23,8 +23,6 @@ #include "config.h" #include "JSAPIValueWrapper.h" -#include "NumberObject.h" - namespace JSC { STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSAPIValueWrapper); diff --git a/API/JSAPIValueWrapper.h b/API/JSAPIValueWrapper.h index aa26082..60f46ca 100644 --- a/API/JSAPIValueWrapper.h +++ b/API/JSAPIValueWrapper.h 
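Review bot: The `reject` native function at the top of this hunk ignores its `JSGlobalObject*` parameter and settles the promise on the captured outer `globalObject`, while the `resolve` function in the preceding hunk names its parameter `globalObject`, shadowing the same capture; both presumably refer to the same object, but the two sibling callbacks should follow one convention (either both use the parameter or both the capture) so a reader doesn't wonder whether the difference is deliberate. In `moduleLoaderCreateImportMetaProperties`, `RETURN_IF_EXCEPTION(scope, nullptr)` follows `constructEmptyObject(vm, ...)` and `putDirect(...)`, neither of which takes a global object; if neither can throw, both checks are dead and could go, which I can't confirm from here. `moduleLoaderEvaluate` continues past the end of the hunk.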
@@ -1,7 +1,7 @@ /* * Copyright (C) 1999-2001 Harri Porten (porten@kde.org) * Copyright (C) 2001 Peter Kelly (pmk@post.com) - * Copyright (C) 2003-2019 Apple Inc. All rights reserved. + * Copyright (C) 2003-2020 Apple Inc. All rights reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Library General Public @@ -30,16 +30,22 @@ namespace JSC { class JSAPIValueWrapper final : public JSCell { - friend JSValue jsAPIValueWrapper(ExecState*, JSValue); + friend JSValue jsAPIValueWrapper(JSGlobalObject*, JSValue); public: - typedef JSCell Base; - static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal; + using Base = JSCell; + static constexpr unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal; + + template + static IsoSubspace* subspaceFor(VM& vm) + { + return vm.apiValueWrapperSpace(); + } JSValue value() const { return m_value.get(); } static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype) { - return Structure::create(vm, globalObject, prototype, TypeInfo(APIValueWrapperType, OverridesGetPropertyNames), info()); + return Structure::create(vm, globalObject, prototype, TypeInfo(APIValueWrapperType, StructureFlags), info()); } DECLARE_EXPORT_INFO; @@ -51,7 +57,7 @@ public: return wrapper; } -protected: +private: void finishCreation(VM& vm, JSValue value) { Base::finishCreation(vm); @@ -59,7 +65,6 @@ protected: ASSERT(!value.isCell()); } -private: JSAPIValueWrapper(VM& vm) : JSCell(vm, vm.apiWrapperStructure.get()) { diff --git a/API/JSAPIWrapperObject.h b/API/JSAPIWrapperObject.h index dd874dc..f3b98dc 100644 --- a/API/JSAPIWrapperObject.h +++ b/API/JSAPIWrapperObject.h 
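Review bot: In `createStructure`, `TypeInfo(APIValueWrapperType, OverridesGetPropertyNames)` becomes `TypeInfo(APIValueWrapperType, StructureFlags)`, and the same hunk defines `StructureFlags` as `Base::StructureFlags | StructureIsImmortal`, so `OverridesGetPropertyNames` is dropped unless `JSCell::StructureFlags` already carries it. Passing the class's own `StructureFlags` is the right pattern, but nothing in the diff says the old flag was wrong; a sentence in the commit description, or a comment such as `// A primitive wrapper has no own properties to enumerate, so OverridesGetPropertyNames is not needed.` if that is the reasoning, would document the intent.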
@@ -33,9 +33,12 @@ namespace JSC { -class JSAPIWrapperObject : public JSDestructibleObject { +class JSAPIWrapperObject : public JSNonFinalObject { public: - typedef JSDestructibleObject Base; + using Base = JSNonFinalObject; + + template + static void subspaceFor(VM&) { RELEASE_ASSERT_NOT_REACHED(); } void finishCreation(VM&); static void visitChildren(JSCell*, JSC::SlotVisitor&); diff --git a/API/JSAPIWrapperObject.mm b/API/JSAPIWrapperObject.mm index 58b74e7..fde81ec 100644 --- a/API/JSAPIWrapperObject.mm +++ b/API/JSAPIWrapperObject.mm @@ -23,21 +23,21 @@ * THE POSSIBILITY OF SUCH DAMAGE. */ -#include "config.h" -#include "JSAPIWrapperObject.h" +#import "config.h" +#import "JSAPIWrapperObject.h" -#include "JSCInlines.h" -#include "JSCallbackObject.h" -#include "JSVirtualMachineInternal.h" -#include "Structure.h" -#include +#import "JSCInlines.h" +#import "JSCallbackObject.h" +#import "JSVirtualMachineInternal.h" +#import "Structure.h" +#import #if JSC_OBJC_API_ENABLED -class JSAPIWrapperObjectHandleOwner : public JSC::WeakHandleOwner { +class JSAPIWrapperObjectHandleOwner final : public JSC::WeakHandleOwner { public: - void finalize(JSC::Handle, void*) override; - bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) override; + void finalize(JSC::Handle, void*) final; + bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) final; }; static JSAPIWrapperObjectHandleOwner* jsAPIWrapperObjectHandleOwner() 
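Review bot: The new `subspaceFor` on `JSAPIWrapperObject` returns `void` and unconditionally hits `RELEASE_ASSERT_NOT_REACHED()`, unlike the `IsoSubspace*`-returning `subspaceFor` the other classes in this diff define, so a reader will take it for a mistake. A comment explaining that allocation is routed through the `JSCallbackObject` specialisation instead (as the `subspaceForImpl` specialisation added in JSAPIWrapperObject.mm suggests) would help, e.g. `// Never called: instances are only allocated as JSCallbackObject<JSAPIWrapperObject>, whose subspaceForImpl specialisation selects the subspace.` The base class also changes from `JSDestructibleObject` to `JSNonFinalObject`, so the destructor now runs only because the `JSCallbackObject` specialisation keeps `needsDestruction = true`; that dependency deserves a line in the commit description.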
@@ -67,10 +67,38 @@ bool JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots(JSC::Handle const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; -template<> const bool JSCallbackObject::needsDestruction = true; +static JSC_DECLARE_HOST_FUNCTION(callJSAPIWrapperObjectCallbackObject); +static JSC_DECLARE_HOST_FUNCTION(constructJSAPIWrapperObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(callbackGetterJSAPIWrapperObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(staticFunctionGetterJSAPIWrapperObjectCallbackObject); + +template <> const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; +template <> const bool JSCallbackObject::needsDestruction = true; + +template <> +RawNativeFunction JSCallbackObject::getCallFunction() +{ + return callJSAPIWrapperObjectCallbackObject; +} + +template <> +RawNativeFunction JSCallbackObject::getConstructFunction() +{ + return constructJSAPIWrapperObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getCallbackGetter() +{ + return callbackGetterJSAPIWrapperObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getStaticFunctionGetter() +{ + return staticFunctionGetterJSAPIWrapperObjectCallbackObject; +} template <> Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) 
@@ -105,6 +133,39 @@ void JSAPIWrapperObject::visitChildren(JSCell* cell, JSC::SlotVisitor& visitor) scanExternalObjectGraph(visitor.vm(), visitor, wrappedObject); } +template <> +IsoSubspace* JSCallbackObject::subspaceForImpl(VM& vm, SubspaceAccess mode) +{ + switch (mode) { + case SubspaceAccess::OnMainThread: + return vm.apiWrapperObjectSpace(); + case SubspaceAccess::Concurrently: + return vm.apiWrapperObjectSpace(); + } + RELEASE_ASSERT_NOT_REACHED(); + return nullptr; +} + +JSC_DEFINE_HOST_FUNCTION(callJSAPIWrapperObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return JSCallbackObject::callImpl(globalObject, callFrame); +} + +JSC_DEFINE_HOST_FUNCTION(constructJSAPIWrapperObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return JSCallbackObject::constructImpl(globalObject, callFrame); +} + +JSC_DEFINE_CUSTOM_GETTER(callbackGetterJSAPIWrapperObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::callbackGetterImpl(globalObject, thisValue, propertyName); +} + +JSC_DEFINE_CUSTOM_GETTER(staticFunctionGetterJSAPIWrapperObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::staticFunctionGetterImpl(globalObject, thisValue, propertyName); +} + } // namespace JSC #endif // JSC_OBJC_API_ENABLED diff --git a/API/JSBase.cpp b/API/JSBase.cpp index 44ed498..0961c67 100644 --- a/API/JSBase.cpp +++ b/API/JSBase.cpp 
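Review bot: In the `subspaceForImpl` specialization for the JSAPIWrapperObject flavour, both `switch` arms read identically here, `return vm.apiWrapperObjectSpace();`, so as rendered the switch on `mode` is a no-op; if the real source carries a template argument that this view stripped, disregard, otherwise the function collapses to a single return. The same shape appears twice more in JSCallbackObject.cpp (the `callbackObjectSpace()` and `callbackGlobalObjectSpace()` specializations). The trampolines below (`callJSAPIWrapperObjectCallbackObject` and friends) forward unchecked to the `*Impl` statics, so any receiver validation has to live in those Impl functions, whose bodies are not in this diff.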
@@ -29,18 +29,13 @@ #include "JSBasePrivate.h" #include "APICast.h" -#include "CallFrame.h" #include "Completion.h" -#include "Exception.h" #include "GCActivityCallback.h" -#include "InitializeThreading.h" -#include "JSGlobalObject.h" -#include "JSLock.h" -#include "JSObject.h" -#include "OpaqueJSString.h" #include "JSCInlines.h" +#include "JSLock.h" +#include "ObjectConstructor.h" +#include "OpaqueJSString.h" #include "SourceCode.h" -#include #if ENABLE(REMOTE_INSPECTOR) #include "JSGlobalObjectInspectorController.h" 
@@ -48,81 +43,78 @@ using namespace JSC; -JSValueRef JSEvaluateScriptInternal(const JSLockHolder&, ExecState* exec, JSContextRef ctx, JSObjectRef thisObject, const SourceCode& source, JSValueRef* exception) +JSValueRef JSEvaluateScriptInternal(const JSLockHolder&, JSContextRef ctx, JSObjectRef thisObject, const SourceCode& source, JSValueRef* exception) { - UNUSED_PARAM(ctx); - JSObject* jsThisObject = toJS(thisObject); // evaluate sets "this" to the global object if it is NULL - VM& vm = exec->vm(); - JSGlobalObject* globalObject = vm.vmEntryGlobalObject(exec); + JSGlobalObject* globalObject = toJS(ctx); NakedPtr evaluationException; - JSValue returnValue = profiledEvaluate(globalObject->globalExec(), ProfilingReason::API, source, jsThisObject, evaluationException); + JSValue returnValue = profiledEvaluate(globalObject, ProfilingReason::API, source, jsThisObject, evaluationException); if (evaluationException) { if (exception) - *exception = toRef(exec, evaluationException->value()); + *exception = toRef(globalObject, evaluationException->value()); #if ENABLE(REMOTE_INSPECTOR) // FIXME: If we have a debugger attached we could learn about ParseError exceptions through // ScriptDebugServer::sourceParsed and this path could produce a duplicate warning. The // Debugger path is currently ignored by inspector. // NOTE: If we don't have a debugger, this SourceCode will be forever lost to the inspector. // We could stash it in the inspector in case an inspector is ever opened. 
- globalObject->inspectorController().reportAPIException(exec, evaluationException); + globalObject->inspectorController().reportAPIException(globalObject, evaluationException); #endif return nullptr; } if (returnValue) - return toRef(exec, returnValue); + return toRef(globalObject, returnValue); // happens, for example, when the only statement is an empty (';') statement - return toRef(exec, jsUndefined()); + return toRef(globalObject, jsUndefined()); } -JSValueRef JSEvaluateScript(JSContextRef ctx, JSStringRef script, JSObjectRef thisObject, JSStringRef sourceURL, int startingLineNumber, JSValueRef* exception) +JSValueRef JSEvaluateScript(JSContextRef ctx, JSStringRef script, JSObjectRef thisObject, JSStringRef sourceURLString, int startingLineNumber, JSValueRef* exception) { if (!ctx) { ASSERT_NOT_REACHED(); return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); startingLineNumber = std::max(1, startingLineNumber); - auto sourceURLString = sourceURL ? sourceURL->string() : String(); - SourceCode source = makeSource(script->string(), SourceOrigin { sourceURLString }, URL({ }, sourceURLString), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); + auto sourceURL = sourceURLString ? 
URL({ }, sourceURLString->string()) : URL(); + SourceCode source = makeSource(script->string(), SourceOrigin { sourceURL }, sourceURL.string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); - return JSEvaluateScriptInternal(locker, exec, ctx, thisObject, source, exception); + return JSEvaluateScriptInternal(locker, ctx, thisObject, source, exception); } -bool JSCheckScriptSyntax(JSContextRef ctx, JSStringRef script, JSStringRef sourceURL, int startingLineNumber, JSValueRef* exception) +bool JSCheckScriptSyntax(JSContextRef ctx, JSStringRef script, JSStringRef sourceURLString, int startingLineNumber, JSValueRef* exception) { if (!ctx) { ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); startingLineNumber = std::max(1, startingLineNumber); - auto sourceURLString = sourceURL ? sourceURL->string() : String(); - SourceCode source = makeSource(script->string(), SourceOrigin { sourceURLString }, URL({ }, sourceURLString), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); + auto sourceURL = sourceURLString ? 
URL({ }, sourceURLString->string()) : URL(); + SourceCode source = makeSource(script->string(), SourceOrigin { sourceURL }, sourceURL.string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); JSValue syntaxException; - bool isValidSyntax = checkSyntax(vm.vmEntryGlobalObject(exec)->globalExec(), source, &syntaxException); + bool isValidSyntax = checkSyntax(globalObject, source, &syntaxException); if (!isValidSyntax) { if (exception) - *exception = toRef(exec, syntaxException); + *exception = toRef(globalObject, syntaxException); #if ENABLE(REMOTE_INSPECTOR) Exception* exception = Exception::create(vm, syntaxException); - vm.vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, exception); + globalObject->inspectorController().reportAPIException(globalObject, exception); #endif return false; } @@ -140,8 +132,8 @@ void JSGarbageCollect(JSContextRef ctx) if (!ctx) return; - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); vm.heap.reportAbandonedObjectGraph(); @@ -153,8 +145,8 @@ void JSReportExtraMemoryCost(JSContextRef ctx, size_t size) ASSERT_NOT_REACHED(); return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); vm.heap.deprecatedReportExtraMemory(size); @@ -168,8 +160,8 @@ void JSSynchronousGarbageCollectForDebugging(JSContextRef ctx) if (!ctx) return; - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); vm.heap.collectNow(Sync, CollectionScope::Full); } 
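Review bot: In `JSCheckScriptSyntax`, the rewritten line `globalObject->inspectorController().reportAPIException(globalObject, exception);` passes a local `Exception* exception` that shadows the out-parameter `JSValueRef* exception` from the signature; since the commit already touches both lines of that `#if ENABLE(REMOTE_INSPECTOR)` block, it is the moment to rename the local, e.g. `Exception* syntaxError = Exception::create(vm, syntaxException);` and `reportAPIException(globalObject, syntaxError);`. `JSEvaluateScriptInternal` now derives its global object with `toJS(ctx)` and no null check, as the old `exec` path also did; that is acceptable for an entry point reached after `JSEvaluateScript` has validated `ctx`, but it is exported with C linkage, so a one-line precondition comment (`// ctx must be non-null; validated by the public entry points.`) would be worthwhile. `script->string()` is likewise dereferenced without a null check in both public functions, unchanged from before.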
@@ -179,8 +171,8 @@ void JSSynchronousEdenCollectForDebugging(JSContextRef ctx) if (!ctx) return; - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); vm.heap.collectSync(CollectionScope::Eden); } @@ -190,6 +182,29 @@ void JSDisableGCTimer(void) GCActivityCallback::s_shouldCreateGCTimer = false; } +JSObjectRef JSGetMemoryUsageStatistics(JSContextRef ctx) +{ + if (!ctx) { + ASSERT_NOT_REACHED(); + return nullptr; + } + + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); + JSLockHolder locker(vm); + + JSObject* object = constructEmptyObject(globalObject); + object->putDirect(vm, Identifier::fromString(vm, "heapSize"), jsNumber(vm.heap.size())); + object->putDirect(vm, Identifier::fromString(vm, "heapCapacity"), jsNumber(vm.heap.capacity())); + object->putDirect(vm, Identifier::fromString(vm, "extraMemorySize"), jsNumber(vm.heap.extraMemorySize())); + object->putDirect(vm, Identifier::fromString(vm, "objectCount"), jsNumber(vm.heap.objectCount())); + object->putDirect(vm, Identifier::fromString(vm, "protectedObjectCount"), jsNumber(vm.heap.protectedObjectCount())); + object->putDirect(vm, Identifier::fromString(vm, "globalObjectCount"), jsNumber(vm.heap.globalObjectCount())); + object->putDirect(vm, Identifier::fromString(vm, "protectedGlobalObjectCount"), jsNumber(vm.heap.protectedGlobalObjectCount())); + + return toRef(object); +} + #if PLATFORM(IOS_FAMILY) && TARGET_OS_IOS // FIXME: Expose symbols to tell dyld where to find JavaScriptCore on older versions of // iOS (< 7.0). We should remove these symbols once we no longer need to support such diff --git a/API/JSBase.h b/API/JSBase.h index 01c1b28..dbe11e4 100644 --- a/API/JSBase.h +++ b/API/JSBase.h 
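Review bot: `JSGetMemoryUsageStatistics` fills the result with seven separate heap queries under one `JSLockHolder`; each is a snapshot taken at a different instant, and `objectCount()`, `protectedObjectCount()` and `globalObjectCount()` may walk the heap (I believe they iterate marked space), so the call can cost far more than the `heapSize`/`heapCapacity` reads suggest. Neither the function nor its JSBasePrivate.h documentation says this is a diagnostic call; a comment above the `putDirect` block such as `// Diagnostic only: the count queries may walk the whole heap, and the fields are not a mutually consistent snapshot.` would set expectations. The returned object is unprotected like any other C API return, so callers that keep it across a collection must protect it themselves.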
@@ -145,7 +145,7 @@ JS_EXPORT void JSGarbageCollect(JSContextRef ctx); /* Enable the Objective-C API for platforms with a modern runtime. NOTE: This is duplicated in VM.h. */ #if !defined(JSC_OBJC_API_ENABLED) -#if (defined(__clang__) && defined(__APPLE__) && ((defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && !defined(__i386__)) || (defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE))) +#if (defined(__clang__) && defined(__APPLE__) && (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) || (defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE))) #define JSC_OBJC_API_ENABLED 1 #else #define JSC_OBJC_API_ENABLED 0 diff --git a/API/JSBaseInternal.h b/API/JSBaseInternal.h index a274af9..c4dae66 100644 --- a/API/JSBaseInternal.h +++ b/API/JSBaseInternal.h @@ -29,9 +29,9 @@ #include namespace JSC { +class CallFrame; class JSLockHolder; -class ExecState; class SourceCode; } -extern "C" JSValueRef JSEvaluateScriptInternal(const JSC::JSLockHolder&, JSC::ExecState*, JSContextRef, JSObjectRef thisObject, const JSC::SourceCode&, JSValueRef* exception); +extern "C" JSValueRef JSEvaluateScriptInternal(const JSC::JSLockHolder&, JSContextRef, JSObjectRef thisObject, const JSC::SourceCode&, JSValueRef* exception); diff --git a/API/JSBasePrivate.h b/API/JSBasePrivate.h index 2fc916b..150f45e 100644 --- a/API/JSBasePrivate.h +++ b/API/JSBasePrivate.h 
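Review bot: The forward declaration `class CallFrame;` added to JSBaseInternal.h is unused: the only declaration in the hunk, `JSEvaluateScriptInternal`, now takes `JSContextRef` and no longer mentions a frame type (the removed `ExecState*` parameter is what it replaced). Drop the line, or if a later part of the header needs it, move it there. `class JSLockHolder;` and `class SourceCode;` are still referenced by the signature and should stay.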
@@ -47,6 +47,22 @@ JS_EXPORT void JSReportExtraMemoryCost(JSContextRef ctx, size_t size) JSC_API_AV JS_EXPORT void JSDisableGCTimer(void); +/*! +@function +@abstract Produces an object with various statistics about current memory usage. +@param ctx The execution context to use. +@result An object containing GC heap status data. +@discussion Specifically, the result object has the following integer-valued fields: + heapSize: current size of heap + heapCapacity: current capacity of heap + extraMemorySize: amount of non-GC memory referenced by GC objects (included in heap size / capacity) + objectCount: current count of GC objects + protectedObjectCount: current count of protected GC objects + globalObjectCount: current count of global GC objects + protectedGlobalObjectCount: current count of protected global GC objects +*/ +JS_EXPORT JSObjectRef JSGetMemoryUsageStatistics(JSContextRef ctx); + #ifdef __cplusplus } #endif diff --git a/API/JSCTestRunnerUtils.cpp b/API/JSCTestRunnerUtils.cpp index d314c5d..14abd09 100644 --- a/API/JSCTestRunnerUtils.cpp +++ b/API/JSCTestRunnerUtils.cpp @@ -27,7 +27,7 @@ #include "JSCTestRunnerUtils.h" #include "APICast.h" -#include "JSCInlines.h" +#include "JSGlobalObjectInlines.h" #include "TestRunnerUtils.h" namespace JSC { 
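Review bot: The new `JS_EXPORT JSObjectRef JSGetMemoryUsageStatistics(JSContextRef ctx);` carries no availability annotation, while the neighbouring `JSReportExtraMemoryCost` context line ends in `JSC_API_AV…` (truncated here, presumably `JSC_API_AVAILABLE`); if this header is consumed as SDK, the new symbol should be annotated the same way. The `@discussion` block lists the fields but does not say that `ctx` must be non-null (the implementation asserts and returns NULL) or that the object is returned unprotected; `@result` could read `An object containing GC heap status data, or NULL if ctx is NULL.`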
@@ -35,30 +35,30 @@ namespace JSC { JSValueRef failNextNewCodeBlock(JSContextRef context) { - ExecState* exec= toJS(context); - JSLockHolder holder(exec); - return toRef(exec, failNextNewCodeBlock(exec)); + JSGlobalObject* globalObject= toJS(context); + JSLockHolder holder(globalObject); + return toRef(globalObject, failNextNewCodeBlock(globalObject)); } JSValueRef numberOfDFGCompiles(JSContextRef context, JSValueRef theFunctionValueRef) { - ExecState* exec= toJS(context); - JSLockHolder holder(exec); - return toRef(exec, numberOfDFGCompiles(toJS(exec, theFunctionValueRef))); + JSGlobalObject* globalObject= toJS(context); + JSLockHolder holder(globalObject); + return toRef(globalObject, numberOfDFGCompiles(toJS(globalObject, theFunctionValueRef))); } JSValueRef setNeverInline(JSContextRef context, JSValueRef theFunctionValueRef) { - ExecState* exec= toJS(context); - JSLockHolder holder(exec); - return toRef(exec, setNeverInline(toJS(exec, theFunctionValueRef))); + JSGlobalObject* globalObject= toJS(context); + JSLockHolder holder(globalObject); + return toRef(globalObject, setNeverInline(toJS(globalObject, theFunctionValueRef))); } JSValueRef setNeverOptimize(JSContextRef context, JSValueRef theFunctionValueRef) { - ExecState* exec= toJS(context); - JSLockHolder holder(exec); - return toRef(exec, setNeverOptimize(toJS(exec, theFunctionValueRef))); + JSGlobalObject* globalObject= toJS(context); + JSLockHolder holder(globalObject); + return toRef(globalObject, setNeverOptimize(toJS(globalObject, theFunctionValueRef))); } } // namespace JSC diff --git a/API/JSCallbackConstructor.cpp b/API/JSCallbackConstructor.cpp index 57e80a8..4877788 100644 --- a/API/JSCallbackConstructor.cpp +++ b/API/JSCallbackConstructor.cpp 
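Review bot: All four functions in JSCTestRunnerUtils.cpp keep the missing space in `JSGlobalObject* globalObject= toJS(context);`, carried over from the old `exec= toJS(context)`; since every one of these lines is rewritten by the commit, it is the place to fix the spacing to `JSGlobalObject* globalObject = toJS(context);`. Unlike the JSBase.cpp entry points, none of them checks `context` for null before `toJS`; that is unchanged behaviour and acceptable for test-runner utilities, but a file-level comment stating the assumption would avoid the question next time.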
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved. + * Copyright (C) 2006-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -28,18 +28,15 @@ #include "APICallbackFunction.h" #include "APICast.h" -#include "Error.h" -#include "JSGlobalObject.h" -#include "JSLock.h" -#include "ObjectPrototype.h" #include "JSCInlines.h" +#include "JSLock.h" namespace JSC { const ClassInfo JSCallbackConstructor::s_info = { "CallbackConstructor", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackConstructor) }; JSCallbackConstructor::JSCallbackConstructor(JSGlobalObject* globalObject, Structure* structure, JSClassRef jsClass, JSObjectCallAsConstructorCallback callback) - : JSDestructibleObject(globalObject->vm(), structure) + : Base(globalObject->vm(), structure) , m_class(jsClass) , m_callback(callback) { @@ -48,7 +45,7 @@ JSCallbackConstructor::JSCallbackConstructor(JSGlobalObject* globalObject, Struc void JSCallbackConstructor::finishCreation(JSGlobalObject* globalObject, JSClassRef jsClass) { Base::finishCreation(globalObject->vm()); - ASSERT(inherits(*vm(), info())); + ASSERT(inherits(vm(), info())); if (m_class) JSClassRetain(jsClass); } 
@@ -64,10 +61,19 @@ void JSCallbackConstructor::destroy(JSCell* cell) static_cast(cell)->JSCallbackConstructor::~JSCallbackConstructor(); } -ConstructType JSCallbackConstructor::getConstructData(JSCell*, ConstructData& constructData) +static JSC_DECLARE_HOST_FUNCTION(constructJSCallbackConstructor); + +JSC_DEFINE_HOST_FUNCTION(constructJSCallbackConstructor, (JSGlobalObject* globalObject, CallFrame* callFrame)) { - constructData.native.function = APICallbackFunction::construct; - return ConstructType::Host; + return APICallbackFunction::constructImpl(globalObject, callFrame); +} + +CallData JSCallbackConstructor::getConstructData(JSCell*) +{ + CallData constructData; + constructData.type = CallData::Type::Native; + constructData.native.function = constructJSCallbackConstructor; + return constructData; } } // namespace JSC diff --git a/API/JSCallbackConstructor.h b/API/JSCallbackConstructor.h index 3c31e07..d39850d 100644 --- a/API/JSCallbackConstructor.h +++ b/API/JSCallbackConstructor.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2008 Apple Inc. All rights reserved. + * Copyright (C) 2006-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -26,19 +26,26 @@ #ifndef JSCallbackConstructor_h #define JSCallbackConstructor_h -#include "JSDestructibleObject.h" +#include "JSObject.h" #include "JSObjectRef.h" namespace JSC { -class JSCallbackConstructor final : public JSDestructibleObject { +class JSCallbackConstructor final : public JSNonFinalObject { public: - typedef JSDestructibleObject Base; - static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | ImplementsDefaultHasInstance; + using Base = JSNonFinalObject; + static constexpr unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | ImplementsDefaultHasInstance; + static constexpr bool needsDestruction = true; - static JSCallbackConstructor* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, JSObjectCallAsConstructorCallback callback) + template + static IsoSubspace* subspaceFor(VM& vm) { - VM& vm = exec->vm(); + return vm.callbackConstructorSpace(); + } + + static JSCallbackConstructor* create(JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, JSObjectCallAsConstructorCallback callback) + { + VM& vm = getVM(globalObject); JSCallbackConstructor* constructor = new (NotNull, allocateCell(vm.heap)) JSCallbackConstructor(globalObject, structure, classRef, callback); constructor->finishCreation(globalObject, classRef); return constructor; @@ -55,14 +62,13 @@ public: return Structure::create(vm, globalObject, proto, TypeInfo(ObjectType, StructureFlags), info()); } -protected: +private: JSCallbackConstructor(JSGlobalObject*, Structure*, JSClassRef, JSObjectCallAsConstructorCallback); void finishCreation(JSGlobalObject*, JSClassRef); -private: friend struct APICallbackFunction; - static ConstructType getConstructData(JSCell*, ConstructData&); + static CallData getConstructData(JSCell*); JSObjectCallAsConstructorCallback constructCallback() { return m_callback; } 
diff --git a/API/JSCallbackFunction.cpp b/API/JSCallbackFunction.cpp index 78ca55b..21dcb2e 100644 --- a/API/JSCallbackFunction.cpp +++ b/API/JSCallbackFunction.cpp @@ -27,14 +27,6 @@ #include "JSCallbackFunction.h" #include "APICallbackFunction.h" -#include "APICast.h" -#include "CodeBlock.h" -#include "Error.h" -#include "ExceptionHelpers.h" -#include "FunctionPrototype.h" -#include "JSFunction.h" -#include "JSGlobalObject.h" -#include "JSLock.h" #include "JSCInlines.h" namespace JSC { @@ -43,15 +35,22 @@ STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSCallbackFunction); const ClassInfo JSCallbackFunction::s_info = { "CallbackFunction", &InternalFunction::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackFunction) }; +static JSC_DECLARE_HOST_FUNCTION(callJSCallbackFunction); + +JSC_DEFINE_HOST_FUNCTION(callJSCallbackFunction, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return APICallbackFunction::callImpl(globalObject, callFrame); +} + JSCallbackFunction::JSCallbackFunction(VM& vm, Structure* structure, JSObjectCallAsFunctionCallback callback) - : InternalFunction(vm, structure, APICallbackFunction::call, nullptr) + : InternalFunction(vm, structure, callJSCallbackFunction, nullptr) , m_callback(callback) { } void JSCallbackFunction::finishCreation(VM& vm, const String& name) { - Base::finishCreation(vm, name); + Base::finishCreation(vm, 0, name); ASSERT(inherits(vm, info())); } diff --git a/API/JSCallbackObject.cpp b/API/JSCallbackObject.cpp index cb63f49..2665d11 100644 --- a/API/JSCallbackObject.cpp +++ b/API/JSCallbackObject.cpp 
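Review bot: `Base::finishCreation(vm, 0, name);` introduces a bare `0` as the new middle argument with nothing saying what it is; if it is the function's `length` (the `InternalFunction::finishCreation` overload that takes a length, I assume), name it at the call site: `Base::finishCreation(vm, 0 /* length */, name);`. The new `callJSCallbackFunction` trampoline and the constructor change are otherwise mechanical. Both function bodies start and end inside the hunk.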
@@ -27,18 +27,74 @@ #include "config.h" #include "JSCallbackObject.h" -#include "Heap.h" #include "JSCInlines.h" -#include namespace JSC { -// Define the two types of JSCallbackObjects we support. -template <> const ClassInfo JSCallbackObject::s_info = { "CallbackObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; -template <> const ClassInfo JSCallbackObject::s_info = { "CallbackGlobalObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; +static JSC_DECLARE_HOST_FUNCTION(callJSNonFinalObjectCallbackObject); +static JSC_DECLARE_HOST_FUNCTION(constructJSNonFinalObjectCallbackObject); +static JSC_DECLARE_HOST_FUNCTION(callJSGlobalObjectCallbackObject); +static JSC_DECLARE_HOST_FUNCTION(constructJSGlobalObjectCallbackObject); -template<> const bool JSCallbackObject::needsDestruction = true; -template<> const bool JSCallbackObject::needsDestruction = false; +static JSC_DECLARE_CUSTOM_GETTER(callbackGetterJSNonFinalObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(staticFunctionGetterJSNonFinalObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(callbackGetterJSGlobalObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(staticFunctionGetterJSGlobalObjectCallbackObject); + +// Define the two types of JSCallbackObjects we support. 
+template <> const ClassInfo JSCallbackObject::s_info = { "CallbackObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; +template <> const ClassInfo JSCallbackObject::s_info = { "CallbackGlobalObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; +template<> const bool JSCallbackObject::needsDestruction = true; +template<> const bool JSCallbackObject::needsDestruction = true; + +template<> +RawNativeFunction JSCallbackObject::getCallFunction() +{ + return callJSNonFinalObjectCallbackObject; +} + +template<> +RawNativeFunction JSCallbackObject::getConstructFunction() +{ + return constructJSNonFinalObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getCallbackGetter() +{ + return callbackGetterJSNonFinalObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getStaticFunctionGetter() +{ + return staticFunctionGetterJSNonFinalObjectCallbackObject; +} + + +template<> +RawNativeFunction JSCallbackObject::getCallFunction() +{ + return callJSGlobalObjectCallbackObject; +} + +template<> +RawNativeFunction JSCallbackObject::getConstructFunction() +{ + return constructJSGlobalObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getCallbackGetter() +{ + return callbackGetterJSGlobalObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getStaticFunctionGetter() +{ + return staticFunctionGetterJSGlobalObjectCallbackObject; +} template<> JSCallbackObject* JSCallbackObject::create(VM& vm, JSClassRef classRef, Structure* structure) 
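Review bot: The second `needsDestruction` specialization in JSCallbackObject.cpp (the global-object flavour) flips from `false` to `true` with no comment, while the rest of the hunk is mechanical trampoline plumbing; the reason — presumably that this flavour now lives in an IsoSubspace and must run its destructor to release `m_callbackObjectData`, though I cannot confirm that from here — should be stated on that line. Minor style: the hunk mixes `template<>` and `template <>` and leaves a double blank line between the two groups of specializations; pick one spelling. The comment `// Define the two types of JSCallbackObjects we support.` now heads only the two `s_info` lines and could be extended to cover the specializations beneath it.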
@@ -49,7 +105,7 @@ JSCallbackObject* JSCallbackObject::create(VM& v } template <> -Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) +Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) { return Structure::create(vm, globalObject, proto, TypeInfo(ObjectType, StructureFlags), info()); } 
@@ -60,4 +116,70 @@ Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObj return Structure::create(vm, globalObject, proto, TypeInfo(GlobalObjectType, StructureFlags), info()); } +template <> +IsoSubspace* JSCallbackObject::subspaceForImpl(VM& vm, SubspaceAccess mode) +{ + switch (mode) { + case SubspaceAccess::OnMainThread: + return vm.callbackObjectSpace(); + case SubspaceAccess::Concurrently: + return vm.callbackObjectSpace(); + } + RELEASE_ASSERT_NOT_REACHED(); + return nullptr; +} + +template <> +IsoSubspace* JSCallbackObject::subspaceForImpl(VM& vm, SubspaceAccess mode) +{ + switch (mode) { + case SubspaceAccess::OnMainThread: + return vm.callbackGlobalObjectSpace(); + case SubspaceAccess::Concurrently: + return vm.callbackGlobalObjectSpace(); + } + RELEASE_ASSERT_NOT_REACHED(); + return nullptr; +} + +JSC_DEFINE_HOST_FUNCTION(callJSNonFinalObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return JSCallbackObject::callImpl(globalObject, callFrame); +} + +JSC_DEFINE_HOST_FUNCTION(constructJSNonFinalObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return JSCallbackObject::constructImpl(globalObject, callFrame); +} + +JSC_DEFINE_HOST_FUNCTION(callJSGlobalObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return JSCallbackObject::callImpl(globalObject, callFrame); +} + +JSC_DEFINE_HOST_FUNCTION(constructJSGlobalObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return JSCallbackObject::constructImpl(globalObject, callFrame); +} + +JSC_DEFINE_CUSTOM_GETTER(callbackGetterJSNonFinalObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::callbackGetterImpl(globalObject, thisValue, propertyName); +} + +JSC_DEFINE_CUSTOM_GETTER(staticFunctionGetterJSNonFinalObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName 
propertyName)) +{ + return JSCallbackObject::staticFunctionGetterImpl(globalObject, thisValue, propertyName); +} + +JSC_DEFINE_CUSTOM_GETTER(callbackGetterJSGlobalObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::callbackGetterImpl(globalObject, thisValue, propertyName); +} + +JSC_DEFINE_CUSTOM_GETTER(staticFunctionGetterJSGlobalObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::staticFunctionGetterImpl(globalObject, thisValue, propertyName); +} + } // namespace JSC diff --git a/API/JSCallbackObject.h b/API/JSCallbackObject.h index 07d709b..ad3d494 100644 --- a/API/JSCallbackObject.h +++ b/API/JSCallbackObject.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2019 Apple Inc. All rights reserved. + * Copyright (C) 2006-2020 Apple Inc. All rights reserved. * Copyright (C) 2007 Eric Seidel * * Redistribution and use in source and binary forms, with or without @@ -58,7 +58,7 @@ public: void setPrivateProperty(VM& vm, JSCell* owner, const Identifier& propertyName, JSValue value) { if (!m_privateProperties) - m_privateProperties = std::make_unique(); + m_privateProperties = makeUnique(); m_privateProperties->setPrivateProperty(vm, owner, propertyName, value); } 
@@ -123,26 +123,19 @@ public: template class JSCallbackObject final : public Parent { -protected: - JSCallbackObject(ExecState*, Structure*, JSClassRef, void* data); - JSCallbackObject(VM&, JSClassRef, Structure*); - - void finishCreation(ExecState*); - void finishCreation(VM&); - public: - typedef Parent Base; - static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesGetPropertyNames | OverridesGetCallData; + using Base = Parent; + static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | ProhibitsPropertyCaching | GetOwnPropertySlotMayBeWrongAboutDontEnum; static_assert(!(StructureFlags & ImplementsDefaultHasInstance), "using customHasInstance"); ~JSCallbackObject(); - static JSCallbackObject* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, void* data) + static JSCallbackObject* create(JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, void* data) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); ASSERT_UNUSED(globalObject, !structure->globalObject() || structure->globalObject() == globalObject); - JSCallbackObject* callbackObject = new (NotNull, allocateCell(vm.heap)) JSCallbackObject(exec, structure, classRef, data); - callbackObject->finishCreation(exec); + JSCallbackObject* callbackObject = new (NotNull, allocateCell(vm.heap)) JSCallbackObject(globalObject, structure, classRef, data); + callbackObject->finishCreation(globalObject); return callbackObject; } static JSCallbackObject* create(VM&, JSClassRef, Structure*); 
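Review bot: In `create`, `ASSERT_UNUSED(globalObject, …)` is now the wrong macro: `globalObject` is used two lines later in `getVM(globalObject)` and in the `JSCallbackObject(globalObject, structure, classRef, data)` constructor call, so the `_UNUSED` form only suppresses a warning that can no longer occur; write `ASSERT(!structure->globalObject() || structure->globalObject() == globalObject);`. The new `StructureFlags` adds `GetOwnPropertySlotMayBeWrongAboutDontEnum` and `OverridesGetOwnSpecialPropertyNames` without a comment; as the property hooks are presumably routed to the JSClassRef callbacks, a one-line note on why the DontEnum answer cannot be trusted would help the next reader. The class continues past the hunk.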
@@ -153,6 +146,12 @@ public: static_cast(cell)->JSCallbackObject::~JSCallbackObject(); } + template + static IsoSubspace* subspaceFor(VM& vm) + { + return subspaceForImpl(vm, mode); + } + void setPrivate(void* data); void* getPrivate(); 
@@ -183,27 +182,39 @@ public: using Parent::methodTable; + static EncodedJSValue callImpl(JSGlobalObject*, CallFrame*); + static EncodedJSValue constructImpl(JSGlobalObject*, CallFrame*); + static EncodedJSValue staticFunctionGetterImpl(JSGlobalObject*, EncodedJSValue, PropertyName); + static EncodedJSValue callbackGetterImpl(JSGlobalObject*, EncodedJSValue, PropertyName); + private: + JSCallbackObject(JSGlobalObject*, Structure*, JSClassRef, void* data); + JSCallbackObject(VM&, JSClassRef, Structure*); + + void finishCreation(JSGlobalObject*); + void finishCreation(VM&); + + static IsoSubspace* subspaceForImpl(VM&, SubspaceAccess); static String className(const JSObject*, VM&); - static String toStringName(const JSObject*, ExecState*); + static String toStringName(const JSObject*, JSGlobalObject*); - static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType); + static JSValue defaultValue(const JSObject*, JSGlobalObject*, PreferredPrimitiveType); - static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&); - static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&); + static bool getOwnPropertySlot(JSObject*, JSGlobalObject*, PropertyName, PropertySlot&); + static bool getOwnPropertySlotByIndex(JSObject*, JSGlobalObject*, unsigned propertyName, PropertySlot&); - static bool put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&); - static bool putByIndex(JSCell*, ExecState*, unsigned, JSValue, bool shouldThrow); + static bool put(JSCell*, JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&); + static bool putByIndex(JSCell*, JSGlobalObject*, unsigned, JSValue, bool shouldThrow); - static bool deleteProperty(JSCell*, ExecState*, PropertyName); - static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned); + static bool deleteProperty(JSCell*, JSGlobalObject*, PropertyName, DeletePropertySlot&); + static bool deletePropertyByIndex(JSCell*, JSGlobalObject*, 
unsigned); - static bool customHasInstance(JSObject*, ExecState*, JSValue); + static bool customHasInstance(JSObject*, JSGlobalObject*, JSValue); - static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode); + static void getOwnSpecialPropertyNames(JSObject*, JSGlobalObject*, PropertyNameArray&, DontEnumPropertiesMode); - static ConstructType getConstructData(JSCell*, ConstructData&); - static CallType getCallData(JSCell*, CallData&); + static CallData getConstructData(JSCell*); + static CallData getCallData(JSCell*); static void visitChildren(JSCell* cell, SlotVisitor& visitor) { @@ -213,17 +224,22 @@ private: thisObject->m_callbackObjectData->visitChildren(visitor); } - void init(ExecState*); + void init(JSGlobalObject*); static JSCallbackObject* asCallbackObject(JSValue); static JSCallbackObject* asCallbackObject(EncodedJSValue); + + using RawNativeFunction = EncodedJSValue(JSC_HOST_CALL_ATTRIBUTES*)(JSGlobalObject*, CallFrame*); + + static RawNativeFunction getCallFunction(); + static RawNativeFunction getConstructFunction(); + + using GetValueFunc = EncodedJSValue(JIT_OPERATION_ATTRIBUTES*)(JSGlobalObject*, EncodedJSValue, PropertyName); + + static GetValueFunc getStaticFunctionGetter(); + static GetValueFunc getCallbackGetter(); - static EncodedJSValue JSC_HOST_CALL call(ExecState*); - static EncodedJSValue JSC_HOST_CALL construct(ExecState*); - - JSValue getStaticValue(ExecState*, PropertyName); - static EncodedJSValue staticFunctionGetter(ExecState*, EncodedJSValue, PropertyName); - static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName); + JSValue getStaticValue(JSGlobalObject*, PropertyName); std::unique_ptr m_callbackObjectData; const ClassInfo* m_classInfo { nullptr }; diff --git a/API/JSCallbackObjectFunctions.h b/API/JSCallbackObjectFunctions.h index ae3a6fe..68f9741 100644 --- a/API/JSCallbackObjectFunctions.h +++ b/API/JSCallbackObjectFunctions.h 
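Review bot: The new `RawNativeFunction` and `GetValueFunc` aliases and the four `get*Function()`/`get*Getter()` accessors replace direct references to the old `call`/`construct`/`staticFunctionGetter`/`callbackGetter`, but nothing in the hunk says why the indirection exists or where the accessors are defined. A one-line comment above `using RawNativeFunction`, e.g. `// Native entry points are handed out through these accessors so callers receive a pointer of the attributed type (JSC_HOST_CALL_ATTRIBUTES / JIT_OPERATION_ATTRIBUTES); they wrap the *Impl functions above.`, would make the pairing with `callImpl`/`constructImpl`/`staticFunctionGetterImpl`/`callbackGetterImpl` obvious. I can't tell from here whether the attributed pointer types exist for pointer signing or for something else, so the comment should state the actual reason rather than my guess. The class body continues past the end of this hunk.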
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2008, 2016 Apple Inc. All rights reserved. + * Copyright (C) 2006-2020 Apple Inc. All rights reserved. * Copyright (C) 2007 Eric Seidel * * Redistribution and use in source and binary forms, with or without @@ -24,6 +24,8 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#pragma once + #include "APICast.h" #include "Error.h" #include "ExceptionHelpers.h" @@ -43,7 +45,7 @@ namespace JSC { template inline JSCallbackObject* JSCallbackObject::asCallbackObject(JSValue value) { - ASSERT(asObject(value)->inherits(*value.getObject()->vm(), info())); + ASSERT(asObject(value)->inherits(value.getObject()->vm(), info())); return jsCast(asObject(value)); } @@ -51,14 +53,14 @@ template inline JSCallbackObject* JSCallbackObject::asCallbackObject(EncodedJSValue encodedValue) { JSValue value = JSValue::decode(encodedValue); - ASSERT(asObject(value)->inherits(*value.getObject()->vm(), info())); + ASSERT(asObject(value)->inherits(value.getObject()->vm(), info())); return jsCast(asObject(value)); } template -JSCallbackObject::JSCallbackObject(ExecState* exec, Structure* structure, JSClassRef jsClass, void* data) - : Parent(exec->vm(), structure) - , m_callbackObjectData(std::make_unique(data, jsClass)) +JSCallbackObject::JSCallbackObject(JSGlobalObject* globalObject, Structure* structure, JSClassRef jsClass, void* data) + : Parent(getVM(globalObject), structure) + , m_callbackObjectData(makeUnique(data, jsClass)) { } 
@@ -67,33 +69,33 @@ JSCallbackObject::JSCallbackObject(ExecState* exec, Structure* structure template JSCallbackObject::JSCallbackObject(VM& vm, JSClassRef jsClass, Structure* structure) : Parent(vm, structure) - , m_callbackObjectData(std::make_unique(nullptr, jsClass)) + , m_callbackObjectData(makeUnique(nullptr, jsClass)) { } template JSCallbackObject::~JSCallbackObject() { - VM* vm = this->HeapCell::vm(); - vm->currentlyDestructingCallbackObject = this; + VM& vm = this->HeapCell::vm(); + vm.currentlyDestructingCallbackObject = this; ASSERT(m_classInfo); - vm->currentlyDestructingCallbackObjectClassInfo = m_classInfo; + vm.currentlyDestructingCallbackObjectClassInfo = m_classInfo; JSObjectRef thisRef = toRef(static_cast(this)); for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectFinalizeCallback finalize = jsClass->finalize) finalize(thisRef); } - vm->currentlyDestructingCallbackObject = nullptr; - vm->currentlyDestructingCallbackObjectClassInfo = nullptr; + vm.currentlyDestructingCallbackObject = nullptr; + vm.currentlyDestructingCallbackObjectClassInfo = nullptr; } template -void JSCallbackObject::finishCreation(ExecState* exec) +void JSCallbackObject::finishCreation(JSGlobalObject* globalObject) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); Base::finishCreation(vm); ASSERT(Parent::inherits(vm, info())); - init(exec); + init(globalObject); } // This is just for Global object, so we can assume that Base::finishCreation is JSGlobalObject::finishCreation. @@ -103,13 +105,13 @@ void JSCallbackObject::finishCreation(VM& vm) ASSERT(Parent::inherits(vm, info())); ASSERT(Parent::isGlobalObject()); Base::finishCreation(vm); - init(jsCast(this)->globalExec()); + init(jsCast(this)); } template -void JSCallbackObject::init(ExecState* exec) +void JSCallbackObject::init(JSGlobalObject* globalObject) { - ASSERT(exec); + ASSERT(globalObject); Vector initRoutines; JSClassRef jsClass = classRef(); 
@@ -120,12 +122,12 @@ void JSCallbackObject::init(ExecState* exec) // initialize from base to derived for (int i = static_cast(initRoutines.size()) - 1; i >= 0; i--) { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); JSObjectInitializeCallback initialize = initRoutines[i]; - initialize(toRef(exec), toRef(this)); + initialize(toRef(globalObject), toRef(jsCast(this))); } - m_classInfo = this->classInfo(); + m_classInfo = this->classInfo(getVM(globalObject)); } template 
@@ -140,164 +142,170 @@ String JSCallbackObject::className(const JSObject* object, VM& vm) } template -String JSCallbackObject::toStringName(const JSObject* object, ExecState* exec) +String JSCallbackObject::toStringName(const JSObject* object, JSGlobalObject* globalObject) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); const ClassInfo* info = object->classInfo(vm); ASSERT(info); return info->methodTable.className(object, vm); } template -bool JSCallbackObject::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot) +bool JSCallbackObject::getOwnPropertySlot(JSObject* object, JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot& slot) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); JSCallbackObject* thisObject = jsCast(object); - JSContextRef ctx = toRef(exec); - JSObjectRef thisRef = toRef(thisObject); + JSContextRef ctx = toRef(globalObject); + JSObjectRef thisRef = toRef(jsCast(thisObject)); RefPtr propertyNameRef; if (StringImpl* name = propertyName.uid()) { + unsigned attributes = PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum; for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { // optional optimization to bypass getProperty in cases when we only need to know if the property exists if (JSObjectHasPropertyCallback hasProperty = jsClass->hasProperty) { if (!propertyNameRef) propertyNameRef = OpaqueJSString::tryCreate(name); - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); if (hasProperty(ctx, thisRef, propertyNameRef.get())) { - slot.setCustom(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, callbackGetter); + slot.setCustom(thisObject, attributes, getCallbackGetter()); return true; } } else if (JSObjectGetPropertyCallback getProperty = jsClass->getProperty) { if (!propertyNameRef) propertyNameRef = 
OpaqueJSString::tryCreate(name); - JSValueRef exception = 0; + JSValueRef exception = nullptr; JSValueRef value; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); value = getProperty(ctx, thisRef, propertyNameRef.get(), &exception); } if (exception) { - throwException(exec, scope, toJS(exec, exception)); - slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, jsUndefined()); + throwException(globalObject, scope, toJS(globalObject, exception)); + slot.setValue(thisObject, attributes, jsUndefined()); return true; } if (value) { - slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, toJS(exec, value)); + slot.setValue(thisObject, attributes, toJS(globalObject, value)); return true; } } - if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(exec)) { + if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(globalObject)) { if (staticValues->contains(name)) { - JSValue value = thisObject->getStaticValue(exec, propertyName); + JSValue value = thisObject->getStaticValue(globalObject, propertyName); + RETURN_IF_EXCEPTION(scope, false); if (value) { - slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, value); + slot.setValue(thisObject, attributes, value); return true; } } } - if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { + if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(globalObject)) { if (staticFunctions->contains(name)) { - slot.setCustom(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, staticFunctionGetter); + slot.setCustom(thisObject, attributes, getStaticFunctionGetter()); return true; } } } } - return Parent::getOwnPropertySlot(thisObject, exec, propertyName, slot); + RELEASE_AND_RETURN(scope, Parent::getOwnPropertySlot(thisObject, globalObject, propertyName, slot)); } template -bool 
JSCallbackObject::getOwnPropertySlotByIndex(JSObject* object, ExecState* exec, unsigned propertyName, PropertySlot& slot) +bool JSCallbackObject::getOwnPropertySlotByIndex(JSObject* object, JSGlobalObject* globalObject, unsigned propertyName, PropertySlot& slot) { - return object->methodTable(exec->vm())->getOwnPropertySlot(object, exec, Identifier::from(exec, propertyName), slot); + VM& vm = getVM(globalObject); + return object->methodTable(vm)->getOwnPropertySlot(object, globalObject, Identifier::from(vm, propertyName), slot); } template -JSValue JSCallbackObject::defaultValue(const JSObject* object, ExecState* exec, PreferredPrimitiveType hint) +JSValue JSCallbackObject::defaultValue(const JSObject* object, JSGlobalObject* globalObject, PreferredPrimitiveType hint) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); const JSCallbackObject* thisObject = jsCast(object); - JSContextRef ctx = toRef(exec); - JSObjectRef thisRef = toRef(thisObject); + JSContextRef ctx = toRef(globalObject); + JSObjectRef thisRef = toRef(jsCast(thisObject)); ::JSType jsHint = hint == PreferString ? 
kJSTypeString : kJSTypeNumber; for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectConvertToTypeCallback convertToType = jsClass->convertToType) { - JSValueRef exception = 0; + JSValueRef exception = nullptr; JSValueRef result = convertToType(ctx, thisRef, jsHint, &exception); if (exception) { - throwException(exec, scope, toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); return jsUndefined(); } if (result) - return toJS(exec, result); + return toJS(globalObject, result); } } - return Parent::defaultValue(object, exec, hint); + RELEASE_AND_RETURN(scope, Parent::defaultValue(object, globalObject, hint)); } template -bool JSCallbackObject::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot) +bool JSCallbackObject::put(JSCell* cell, JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); JSCallbackObject* thisObject = jsCast(cell); - JSContextRef ctx = toRef(exec); - JSObjectRef thisRef = toRef(thisObject); + JSContextRef ctx = toRef(globalObject); + JSObjectRef thisRef = toRef(jsCast(thisObject)); RefPtr propertyNameRef; - JSValueRef valueRef = toRef(exec, value); + JSValueRef valueRef = toRef(globalObject, value); if (StringImpl* name = propertyName.uid()) { for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectSetPropertyCallback setProperty = jsClass->setProperty) { if (!propertyNameRef) propertyNameRef = OpaqueJSString::tryCreate(name); - JSValueRef exception = 0; + JSValueRef exception = nullptr; bool result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = setProperty(ctx, thisRef, propertyNameRef.get(), valueRef, &exception); } if (exception) - throwException(exec, scope, 
toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); if (result || exception) return result; } - if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(exec)) { + if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(globalObject)) { if (StaticValueEntry* entry = staticValues->get(name)) { if (entry->attributes & kJSPropertyAttributeReadOnly) return false; if (JSObjectSetPropertyCallback setProperty = entry->setProperty) { - JSValueRef exception = 0; + JSValueRef exception = nullptr; bool result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = setProperty(ctx, thisRef, entry->propertyNameRef.get(), valueRef, &exception); } if (exception) - throwException(exec, scope, toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); if (result || exception) return result; } } } - if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { + if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(globalObject)) { if (StaticFunctionEntry* entry = staticFunctions->get(name)) { - PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry); - if (Parent::getOwnPropertySlot(thisObject, exec, propertyName, getSlot)) - return Parent::put(thisObject, exec, propertyName, value, slot); + PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm); + bool found = Parent::getOwnPropertySlot(thisObject, globalObject, propertyName, getSlot); + RETURN_IF_EXCEPTION(scope, false); + getSlot.disallowVMEntry.reset(); + if (found) + RELEASE_AND_RETURN(scope, Parent::put(thisObject, globalObject, propertyName, value, slot)); if (entry->attributes & kJSPropertyAttributeReadOnly) return false; return thisObject->JSCallbackObject::putDirect(vm, propertyName, value); // put as override property 
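Review bot: In `getOwnPropertySlot`, the `hasProperty` branch declares `JSLock::DropAllLocks dropAllLocks(globalObject);` at the scope of the surrounding `if`, so `slot.setCustom(thisObject, attributes, getCallbackGetter())` and the `return true` execute with all locks dropped, while the `getProperty` branch immediately below confines the drop to a nested block around the callback call only. I can't tell from here whether `setCustom` touches anything that needs the lock, but giving both branches the same shape removes the question and makes the lock-free region exactly the external callback. The added `RETURN_IF_EXCEPTION(scope, false)` after `getStaticValue` is needed because `getStaticValue` returns `jsUndefined()` after throwing and would otherwise pass the `if (value)` test; a short comment there would keep it from being removed as redundant. `put`'s body continues outside this hunk.
```cpp
if (JSObjectHasPropertyCallback hasProperty = jsClass->hasProperty) {
    if (!propertyNameRef)
        propertyNameRef = OpaqueJSString::tryCreate(name);
    bool hasIt;
    {
        JSLock::DropAllLocks dropAllLocks(globalObject);
        hasIt = hasProperty(ctx, thisRef, propertyNameRef.get());
    }
    if (hasIt) {
        slot.setCustom(thisObject, attributes, getCallbackGetter());
        return true;
    }
} else if (JSObjectGetPropertyCallback getProperty = jsClass->getProperty) {
    // … unchanged: getProperty branch, static value / static function lookup …
```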
@@ -306,58 +314,58 @@ bool JSCallbackObject::put(JSCell* cell, ExecState* exec, PropertyName p } } - return Parent::put(thisObject, exec, propertyName, value, slot); + RELEASE_AND_RETURN(scope, Parent::put(thisObject, globalObject, propertyName, value, slot)); } template -bool JSCallbackObject::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyIndex, JSValue value, bool shouldThrow) +bool JSCallbackObject::putByIndex(JSCell* cell, JSGlobalObject* globalObject, unsigned propertyIndex, JSValue value, bool shouldThrow) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); JSCallbackObject* thisObject = jsCast(cell); - JSContextRef ctx = toRef(exec); - JSObjectRef thisRef = toRef(thisObject); + JSContextRef ctx = toRef(globalObject); + JSObjectRef thisRef = toRef(jsCast(thisObject)); RefPtr propertyNameRef; - JSValueRef valueRef = toRef(exec, value); - Identifier propertyName = Identifier::from(exec, propertyIndex); + JSValueRef valueRef = toRef(globalObject, value); + Identifier propertyName = Identifier::from(vm, propertyIndex); for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectSetPropertyCallback setProperty = jsClass->setProperty) { if (!propertyNameRef) propertyNameRef = OpaqueJSString::tryCreate(propertyName.impl()); - JSValueRef exception = 0; + JSValueRef exception = nullptr; bool result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = setProperty(ctx, thisRef, propertyNameRef.get(), valueRef, &exception); } if (exception) - throwException(exec, scope, toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); if (result || exception) return result; } - if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(exec)) { + if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(globalObject)) { if (StaticValueEntry* entry = 
staticValues->get(propertyName.impl())) { if (entry->attributes & kJSPropertyAttributeReadOnly) return false; if (JSObjectSetPropertyCallback setProperty = entry->setProperty) { - JSValueRef exception = 0; + JSValueRef exception = nullptr; bool result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = setProperty(ctx, thisRef, entry->propertyNameRef.get(), valueRef, &exception); } if (exception) - throwException(exec, scope, toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); if (result || exception) return result; } } } - if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { + if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(globalObject)) { if (StaticFunctionEntry* entry = staticFunctions->get(propertyName.impl())) { if (entry->attributes & kJSPropertyAttributeReadOnly) return false; @@ -366,18 +374,18 @@ bool JSCallbackObject::putByIndex(JSCell* cell, ExecState* exec, unsigne } } - return Parent::putByIndex(thisObject, exec, propertyIndex, value, shouldThrow); + RELEASE_AND_RETURN(scope, Parent::putByIndex(thisObject, globalObject, propertyIndex, value, shouldThrow)); } template -bool JSCallbackObject::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName) +bool JSCallbackObject::deleteProperty(JSCell* cell, JSGlobalObject* globalObject, PropertyName propertyName, DeletePropertySlot& slot) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); JSCallbackObject* thisObject = jsCast(cell); - JSContextRef ctx = toRef(exec); - JSObjectRef thisRef = toRef(thisObject); + JSContextRef ctx = toRef(globalObject); + JSObjectRef thisRef = toRef(jsCast(thisObject)); RefPtr propertyNameRef; if (StringImpl* name = propertyName.uid()) { 
@@ -385,19 +393,19 @@ bool JSCallbackObject::deleteProperty(JSCell* cell, ExecState* exec, Pro if (JSObjectDeletePropertyCallback deleteProperty = jsClass->deleteProperty) { if (!propertyNameRef) propertyNameRef = OpaqueJSString::tryCreate(name); - JSValueRef exception = 0; + JSValueRef exception = nullptr; bool result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = deleteProperty(ctx, thisRef, propertyNameRef.get(), &exception); } if (exception) - throwException(exec, scope, toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); if (result || exception) return true; } - if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(exec)) { + if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(globalObject)) { if (StaticValueEntry* entry = staticValues->get(name)) { if (entry->attributes & kJSPropertyAttributeDontDelete) return false; @@ -405,7 +413,7 @@ bool JSCallbackObject::deleteProperty(JSCell* cell, ExecState* exec, Pro } } - if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { + if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(globalObject)) { if (StaticFunctionEntry* entry = staticFunctions->get(name)) { if (entry->attributes & kJSPropertyAttributeDontDelete) return false; 
@@ -415,54 +423,62 @@ bool JSCallbackObject::deleteProperty(JSCell* cell, ExecState* exec, Pro } } - return Parent::deleteProperty(thisObject, exec, propertyName); + static_assert(std::is_final_v>, "Ensure no derived classes have custom deletePropertyByIndex implementation"); + if (Optional index = parseIndex(propertyName)) + RELEASE_AND_RETURN(scope, Parent::deletePropertyByIndex(thisObject, globalObject, index.value())); + RELEASE_AND_RETURN(scope, Parent::deleteProperty(thisObject, globalObject, propertyName, slot)); } template -bool JSCallbackObject::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName) +bool JSCallbackObject::deletePropertyByIndex(JSCell* cell, JSGlobalObject* globalObject, unsigned propertyName) { + VM& vm = getVM(globalObject); JSCallbackObject* thisObject = jsCast(cell); - return thisObject->methodTable(exec->vm())->deleteProperty(thisObject, exec, Identifier::from(exec, propertyName)); + return JSCell::deleteProperty(thisObject, globalObject, Identifier::from(vm, propertyName)); } template -ConstructType JSCallbackObject::getConstructData(JSCell* cell, ConstructData& constructData) +CallData JSCallbackObject::getConstructData(JSCell* cell) { + CallData constructData; JSCallbackObject* thisObject = jsCast(cell); for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (jsClass->callAsConstructor) { - constructData.native.function = construct; - return ConstructType::Host; + constructData.type = CallData::Type::Native; + constructData.native.function = getConstructFunction(); + break; } } - return ConstructType::None; + return constructData; } template -EncodedJSValue JSCallbackObject::construct(ExecState* exec) +EncodedJSValue JSCallbackObject::constructImpl(JSGlobalObject* globalObject, CallFrame* callFrame) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); - JSObject* constructor = exec->jsCallee(); - JSContextRef execRef = 
toRef(exec); + JSObject* constructor = callFrame->jsCallee(); + JSContextRef execRef = toRef(globalObject); JSObjectRef constructorRef = toRef(constructor); for (JSClassRef jsClass = jsCast*>(constructor)->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectCallAsConstructorCallback callAsConstructor = jsClass->callAsConstructor) { - size_t argumentCount = exec->argumentCount(); + size_t argumentCount = callFrame->argumentCount(); Vector arguments; arguments.reserveInitialCapacity(argumentCount); for (size_t i = 0; i < argumentCount; ++i) - arguments.uncheckedAppend(toRef(exec, exec->uncheckedArgument(i))); - JSValueRef exception = 0; + arguments.uncheckedAppend(toRef(globalObject, callFrame->uncheckedArgument(i))); + JSValueRef exception = nullptr; JSObject* result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = toJS(callAsConstructor(execRef, constructorRef, argumentCount, arguments.data(), &exception)); } - if (exception) - throwException(exec, scope, toJS(exec, exception)); + if (exception) { + throwException(globalObject, scope, toJS(globalObject, exception)); + return JSValue::encode(jsUndefined()); + } return JSValue::encode(result); } } 
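Review bot: `deleteProperty` now forwards index-like names to `Parent::deletePropertyByIndex`, and `deletePropertyByIndex` now goes through `JSCell::deleteProperty(thisObject, globalObject, Identifier::from(vm, propertyName))` instead of `thisObject->methodTable(vm)->deleteProperty(...)`, and neither direction of that round-trip is explained in the hunk. A comment above the `parseIndex` branch, e.g. `// Class callbacks and static tables were consulted above; an index-like name must end in the parent's indexed storage, and the static_assert keeps a subclass from intercepting that path.`, plus one above the `JSCell::deleteProperty` call saying whether it is expected to dispatch back through this class's `deleteProperty` (I can't confirm that from here), would make the intent checkable. In `constructImpl`, returning `jsUndefined()` after `throwException` is the right fix for the old code, which encoded whatever `toJS(callAsConstructor(...))` yielded even after an exception; the hunk still does not guard a null `result` returned without an exception, which the API contract may or may not permit. `constructImpl`'s loop tail is outside the hunk.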
@@ -472,26 +488,26 @@ EncodedJSValue JSCallbackObject::construct(ExecState* exec) } template -bool JSCallbackObject::customHasInstance(JSObject* object, ExecState* exec, JSValue value) +bool JSCallbackObject::customHasInstance(JSObject* object, JSGlobalObject* globalObject, JSValue value) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); JSCallbackObject* thisObject = jsCast(object); - JSContextRef execRef = toRef(exec); - JSObjectRef thisRef = toRef(thisObject); + JSContextRef execRef = toRef(globalObject); + JSObjectRef thisRef = toRef(jsCast(thisObject)); for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectHasInstanceCallback hasInstance = jsClass->hasInstance) { - JSValueRef valueRef = toRef(exec, value); - JSValueRef exception = 0; + JSValueRef valueRef = toRef(globalObject, value); + JSValueRef exception = nullptr; bool result; { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); result = hasInstance(execRef, thisRef, valueRef, &exception); } if (exception) - throwException(exec, scope, toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); return result; } } 
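Review bot: `customHasInstance` still returns the callback's `result` after `throwException(globalObject, scope, toJS(globalObject, exception))`, whereas `callImpl` and `constructImpl` in this same change now return a fixed value once an exception has been thrown; `if (exception) { throwException(globalObject, scope, toJS(globalObject, exception)); return false; }` would make the exceptional path independent of what the callback wrote into `result`. The loop over `jsClass->parentClass` returns on the first class that has a `hasInstance`, so parent classes are never consulted when a child supplies one; that is presumably intended, but a one-line comment would confirm it. The function's tail after the loop is outside the hunk.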
@@ -499,43 +515,47 @@ bool JSCallbackObject::customHasInstance(JSObject* object, ExecState* ex } template -CallType JSCallbackObject::getCallData(JSCell* cell, CallData& callData) +CallData JSCallbackObject::getCallData(JSCell* cell) { + CallData callData; JSCallbackObject* thisObject = jsCast(cell); for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (jsClass->callAsFunction) { - callData.native.function = call; - return CallType::Host; + callData.type = CallData::Type::Native; + callData.native.function = getCallFunction(); + break; } } - return CallType::None; + return callData; } template -EncodedJSValue JSCallbackObject::call(ExecState* exec) +EncodedJSValue JSCallbackObject::callImpl(JSGlobalObject* globalObject, CallFrame* callFrame) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); - JSContextRef execRef = toRef(exec); - JSObjectRef functionRef = toRef(exec->jsCallee()); - JSObjectRef thisObjRef = toRef(jsCast(exec->thisValue().toThis(exec, NotStrictMode))); + JSContextRef execRef = toRef(globalObject); + JSObjectRef functionRef = toRef(callFrame->jsCallee()); + JSObjectRef thisObjRef = toRef(jsCast(callFrame->thisValue().toThis(globalObject, ECMAMode::sloppy()))); for (JSClassRef jsClass = jsCast*>(toJS(functionRef))->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectCallAsFunctionCallback callAsFunction = jsClass->callAsFunction) { - size_t argumentCount = exec->argumentCount(); + size_t argumentCount = callFrame->argumentCount(); Vector arguments; arguments.reserveInitialCapacity(argumentCount); for (size_t i = 0; i < argumentCount; ++i) - arguments.uncheckedAppend(toRef(exec, exec->uncheckedArgument(i))); - JSValueRef exception = 0; + arguments.uncheckedAppend(toRef(globalObject, callFrame->uncheckedArgument(i))); + JSValueRef exception = nullptr; JSValue result; { - JSLock::DropAllLocks dropAllLocks(exec); - result = toJS(exec, 
callAsFunction(execRef, functionRef, thisObjRef, argumentCount, arguments.data(), &exception)); + JSLock::DropAllLocks dropAllLocks(globalObject); + result = toJS(globalObject, callAsFunction(execRef, functionRef, thisObjRef, argumentCount, arguments.data(), &exception)); + } + if (exception) { + throwException(globalObject, scope, toJS(globalObject, exception)); + return JSValue::encode(jsUndefined()); } - if (exception) - throwException(exec, scope, toJS(exec, exception)); return JSValue::encode(result); } } 
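Review bot: The argument marshalling in `callImpl` (`argumentCount`, `Vector arguments`, `reserveInitialCapacity`, the `uncheckedAppend(toRef(globalObject, callFrame->uncheckedArgument(i)))` loop) is the same five lines that `constructImpl` in the earlier hunk now contains, differing only in the receiver; a small static helper that builds the `Vector` from `(globalObject, callFrame)` would keep the two in step. `callFrame->thisValue().toThis(globalObject, ECMAMode::sloppy())` replaces `NotStrictMode` and deserves a comment, e.g. `// Sloppy-mode |this| coercion, as the API has always applied for callAsFunction.`, since a reader may otherwise wonder why strict-mode semantics are not used. The early `return JSValue::encode(jsUndefined())` after throwing matches `constructImpl` and is an improvement over encoding whatever `toJS` produced from the callback's return value. `callImpl`'s tail after the loop is outside the hunk.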
@@ -545,46 +565,45 @@ EncodedJSValue JSCallbackObject::call(ExecState* exec) } template -void JSCallbackObject::getOwnNonIndexPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode) +void JSCallbackObject::getOwnSpecialPropertyNames(JSObject* object, JSGlobalObject* globalObject, PropertyNameArray& propertyNames, DontEnumPropertiesMode mode) { + VM& vm = getVM(globalObject); JSCallbackObject* thisObject = jsCast(object); - JSContextRef execRef = toRef(exec); - JSObjectRef thisRef = toRef(thisObject); + JSContextRef execRef = toRef(globalObject); + JSObjectRef thisRef = toRef(jsCast(thisObject)); for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectGetPropertyNamesCallback getPropertyNames = jsClass->getPropertyNames) { - JSLock::DropAllLocks dropAllLocks(exec); + JSLock::DropAllLocks dropAllLocks(globalObject); getPropertyNames(execRef, thisRef, toRef(&propertyNames)); } - if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(exec)) { + if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(globalObject)) { typedef OpaqueJSClassStaticValuesTable::const_iterator iterator; iterator end = staticValues->end(); for (iterator it = staticValues->begin(); it != end; ++it) { StringImpl* name = it->key.get(); StaticValueEntry* entry = it->value.get(); - if (entry->getProperty && (!(entry->attributes & kJSPropertyAttributeDontEnum) || mode.includeDontEnumProperties())) { + if (entry->getProperty && (mode == DontEnumPropertiesMode::Include || !(entry->attributes & kJSPropertyAttributeDontEnum))) { ASSERT(!name->isSymbol()); - propertyNames.add(Identifier::fromString(exec, String(name))); + propertyNames.add(Identifier::fromString(vm, String(name))); } } } - if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { + if (OpaqueJSClassStaticFunctionsTable* staticFunctions = 
jsClass->staticFunctions(globalObject)) { typedef OpaqueJSClassStaticFunctionsTable::const_iterator iterator; iterator end = staticFunctions->end(); for (iterator it = staticFunctions->begin(); it != end; ++it) { StringImpl* name = it->key.get(); StaticFunctionEntry* entry = it->value.get(); - if (!(entry->attributes & kJSPropertyAttributeDontEnum) || mode.includeDontEnumProperties()) { + if (mode == DontEnumPropertiesMode::Include || !(entry->attributes & kJSPropertyAttributeDontEnum)) { ASSERT(!name->isSymbol()); - propertyNames.add(Identifier::fromString(exec, String(name))); + propertyNames.add(Identifier::fromString(vm, String(name))); } } } } - - Parent::getOwnNonIndexPropertyNames(thisObject, exec, propertyNames, mode); } template 
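Review bot: The removal of the trailing `Parent::getOwnNonIndexPropertyNames(thisObject, exec, propertyNames, mode);` is the one behavioural change in `getOwnSpecialPropertyNames` and nothing in the hunk says why it is safe; presumably the engine now collects structure-backed and indexed names itself under the `OverridesGetOwnSpecialPropertyNames` flag added in the header, so a comment such as `// Only class-supplied names are added here; the engine enumerates structure and indexed properties separately.` above the loop would record that. The two `typedef ... iterator` loops are the old style; a range-for over `*staticValues` / `*staticFunctions` reading `.key` and `.value` would shorten them, if the table type supports it. The new `vm` local is used only by `Identifier::fromString(vm, ...)`, which is fine.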
@@ -610,30 +629,30 @@ bool JSCallbackObject::inherits(JSClassRef c) const } template -JSValue JSCallbackObject::getStaticValue(ExecState* exec, PropertyName propertyName) +JSValue JSCallbackObject::getStaticValue(JSGlobalObject* globalObject, PropertyName propertyName) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); - JSObjectRef thisRef = toRef(this); + JSObjectRef thisRef = toRef(jsCast(this)); if (StringImpl* name = propertyName.uid()) { for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) { - if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(exec)) { + if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(globalObject)) { if (StaticValueEntry* entry = staticValues->get(name)) { if (JSObjectGetPropertyCallback getProperty = entry->getProperty) { - JSValueRef exception = 0; + JSValueRef exception = nullptr; JSValueRef value; { - JSLock::DropAllLocks dropAllLocks(exec); - value = getProperty(toRef(exec), thisRef, entry->propertyNameRef.get(), &exception); + JSLock::DropAllLocks dropAllLocks(globalObject); + value = getProperty(toRef(globalObject), thisRef, entry->propertyNameRef.get(), &exception); } if (exception) { - throwException(exec, scope, toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); return jsUndefined(); } if (value) - return toJS(exec, value); + return toJS(globalObject, value); } } } 
@@ -644,21 +663,24 @@ JSValue JSCallbackObject::getStaticValue(ExecState* exec, PropertyName p } template -EncodedJSValue JSCallbackObject::staticFunctionGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName) +EncodedJSValue JSCallbackObject::staticFunctionGetterImpl(JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); JSCallbackObject* thisObj = asCallbackObject(thisValue); // Check for cached or override property. - PropertySlot slot2(thisObj, PropertySlot::InternalMethodType::VMInquiry); - if (Parent::getOwnPropertySlot(thisObj, exec, propertyName, slot2)) - return JSValue::encode(slot2.getValue(exec, propertyName)); + PropertySlot slot2(thisObj, PropertySlot::InternalMethodType::VMInquiry, &vm); + bool found = Parent::getOwnPropertySlot(thisObj, globalObject, propertyName, slot2); + RETURN_IF_EXCEPTION(scope, { }); + slot2.disallowVMEntry.reset(); + if (found) + return JSValue::encode(slot2.getValue(globalObject, propertyName)); if (StringImpl* name = propertyName.uid()) { for (JSClassRef jsClass = thisObj->classRef(); jsClass; jsClass = jsClass->parentClass) { - if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { + if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(globalObject)) { if (StaticFunctionEntry* entry = staticFunctions->get(name)) { if (JSObjectCallAsFunctionCallback callAsFunction = entry->callAsFunction) { JSObject* o = JSCallbackFunction::create(vm, thisObj->globalObject(vm), callAsFunction, name); 
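Review bot: The new `slot2.disallowVMEntry.reset();` line in staticFunctionGetterImpl needs a comment, because its position between `RETURN_IF_EXCEPTION(scope, { })` and `slot2.getValue(globalObject, propertyName)` is load-bearing and not self-explanatory. Presumably `getValue` can run a getter that re-enters the VM, so the VMInquiry guard installed by the `PropertySlot(..., &vm)` constructor has to be lifted first, while on the exception early-return the guard is left to the slot's own cleanup; both halves are worth confirming and recording. Suggested comment above the reset: `// getValue() may invoke a getter and re-enter the VM; lift the VMInquiry guard first.`. The enclosing function continues past the end of this hunk.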
@@ -670,18 +692,18 @@ EncodedJSValue JSCallbackObject::staticFunctionGetter(ExecState* exec, E } } - return JSValue::encode(throwException(exec, scope, createReferenceError(exec, "Static function property defined with NULL callAsFunction callback."_s))); + return JSValue::encode(throwException(globalObject, scope, createReferenceError(globalObject, "Static function property defined with NULL callAsFunction callback."_s))); } template -EncodedJSValue JSCallbackObject::callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName) +EncodedJSValue JSCallbackObject::callbackGetterImpl(JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName) { - VM& vm = exec->vm(); + VM& vm = getVM(globalObject); auto scope = DECLARE_THROW_SCOPE(vm); JSCallbackObject* thisObj = asCallbackObject(thisValue); - JSObjectRef thisRef = toRef(thisObj); + JSObjectRef thisRef = toRef(jsCast(thisObj)); RefPtr propertyNameRef; if (StringImpl* name = propertyName.uid()) { 
@@ -689,23 +711,23 @@ EncodedJSValue JSCallbackObject::callbackGetter(ExecState* exec, Encoded if (JSObjectGetPropertyCallback getProperty = jsClass->getProperty) { if (!propertyNameRef) propertyNameRef = OpaqueJSString::tryCreate(name); - JSValueRef exception = 0; + JSValueRef exception = nullptr; JSValueRef value; { - JSLock::DropAllLocks dropAllLocks(exec); - value = getProperty(toRef(exec), thisRef, propertyNameRef.get(), &exception); + JSLock::DropAllLocks dropAllLocks(globalObject); + value = getProperty(toRef(globalObject), thisRef, propertyNameRef.get(), &exception); } if (exception) { - throwException(exec, scope, toJS(exec, exception)); + throwException(globalObject, scope, toJS(globalObject, exception)); return JSValue::encode(jsUndefined()); } if (value) - return JSValue::encode(toJS(exec, value)); + return JSValue::encode(toJS(globalObject, value)); } } } - return JSValue::encode(throwException(exec, scope, createReferenceError(exec, "hasProperty callback returned true for a property that doesn't exist."_s))); + return JSValue::encode(throwException(globalObject, scope, createReferenceError(globalObject, "hasProperty callback returned true for a property that doesn't exist."_s))); } } // namespace JSC diff --git a/API/JSClassRef.cpp b/API/JSClassRef.cpp index f1c9d57..374251c 100644 --- a/API/JSClassRef.cpp +++ b/API/JSClassRef.cpp 
@@ -27,22 +27,17 @@ #include "JSClassRef.h" #include "APICast.h" -#include "Identifier.h" #include "InitializeThreading.h" -#include "JSCallbackObject.h" -#include "JSGlobalObject.h" -#include "JSObjectRef.h" -#include "ObjectPrototype.h" #include "JSCInlines.h" -#include +#include "JSCallbackObject.h" using namespace JSC; -const JSClassDefinition kJSClassDefinitionEmpty = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; +const JSClassDefinition kJSClassDefinitionEmpty = { 0, 0, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr }; OpaqueJSClass::OpaqueJSClass(const JSClassDefinition* definition, OpaqueJSClass* protoClass) : parentClass(definition->parentClass) - , prototypeClass(0) + , prototypeClass(nullptr) , initialize(definition->initialize) , finalize(definition->finalize) , hasProperty(definition->hasProperty) 
@@ -56,24 +51,24 @@ OpaqueJSClass::OpaqueJSClass(const JSClassDefinition* definition, OpaqueJSClass* , convertToType(definition->convertToType) , m_className(String::fromUTF8(definition->className)) { - initializeThreading(); + JSC::initialize(); if (const JSStaticValue* staticValue = definition->staticValues) { - m_staticValues = std::make_unique(); + m_staticValues = makeUnique(); while (staticValue->name) { String valueName = String::fromUTF8(staticValue->name); if (!valueName.isNull()) - m_staticValues->set(valueName.impl(), std::make_unique(staticValue->getProperty, staticValue->setProperty, staticValue->attributes, valueName)); + m_staticValues->set(valueName.impl(), makeUnique(staticValue->getProperty, staticValue->setProperty, staticValue->attributes, valueName)); ++staticValue; } } if (const JSStaticFunction* staticFunction = definition->staticFunctions) { - m_staticFunctions = std::make_unique(); + m_staticFunctions = makeUnique(); while (staticFunction->name) { String functionName = String::fromUTF8(staticFunction->name); if (!functionName.isNull()) - m_staticFunctions->set(functionName.impl(), std::make_unique(staticFunction->callAsFunction, staticFunction->attributes)); + m_staticFunctions->set(functionName.impl(), makeUnique(staticFunction->callAsFunction, staticFunction->attributes)); ++staticFunction; } } @@ -107,7 +102,7 @@ OpaqueJSClass::~OpaqueJSClass() Ref OpaqueJSClass::createNoAutomaticPrototype(const JSClassDefinition* definition) { - return adoptRef(*new OpaqueJSClass(definition, 0)); + return adoptRef(*new OpaqueJSClass(definition, nullptr)); } Ref OpaqueJSClass::create(const JSClassDefinition* clientDefinition) 
@@ -115,12 +110,12 @@ Ref OpaqueJSClass::create(const JSClassDefinition* clientDefiniti JSClassDefinition definition = *clientDefinition; // Avoid modifying client copy. JSClassDefinition protoDefinition = kJSClassDefinitionEmpty; - protoDefinition.finalize = 0; + protoDefinition.finalize = nullptr; std::swap(definition.staticFunctions, protoDefinition.staticFunctions); // Move static functions to the prototype. // We are supposed to use JSClassRetain/Release but since we know that we currently have // the only reference to this class object we cheat and use a RefPtr instead. - RefPtr protoClass = adoptRef(new OpaqueJSClass(&protoDefinition, 0)); + RefPtr protoClass = adoptRef(new OpaqueJSClass(&protoDefinition, nullptr)); return adoptRef(*new OpaqueJSClass(&definition, protoClass.get())); } 
@@ -128,30 +123,30 @@ OpaqueJSClassContextData::OpaqueJSClassContextData(JSC::VM&, OpaqueJSClass* jsCl : m_class(jsClass) { if (jsClass->m_staticValues) { - staticValues = std::make_unique(); + staticValues = makeUnique(); OpaqueJSClassStaticValuesTable::const_iterator end = jsClass->m_staticValues->end(); for (OpaqueJSClassStaticValuesTable::const_iterator it = jsClass->m_staticValues->begin(); it != end; ++it) { ASSERT(!it->key->isAtom()); String valueName = it->key->isolatedCopy(); - staticValues->add(valueName.impl(), std::make_unique(it->value->getProperty, it->value->setProperty, it->value->attributes, valueName)); + staticValues->add(valueName.impl(), makeUnique(it->value->getProperty, it->value->setProperty, it->value->attributes, valueName)); } } if (jsClass->m_staticFunctions) { - staticFunctions = std::make_unique(); + staticFunctions = makeUnique(); OpaqueJSClassStaticFunctionsTable::const_iterator end = jsClass->m_staticFunctions->end(); for (OpaqueJSClassStaticFunctionsTable::const_iterator it = jsClass->m_staticFunctions->begin(); it != end; ++it) { ASSERT(!it->key->isAtom()); - staticFunctions->add(it->key->isolatedCopy(), std::make_unique(it->value->callAsFunction, it->value->attributes)); + staticFunctions->add(it->key->isolatedCopy(), makeUnique(it->value->callAsFunction, it->value->attributes)); } } } -OpaqueJSClassContextData& OpaqueJSClass::contextData(ExecState* exec) +OpaqueJSClassContextData& OpaqueJSClass::contextData(JSGlobalObject* globalObject) { - std::unique_ptr& contextData = exec->lexicalGlobalObject()->opaqueJSClassData().add(this, nullptr).iterator->value; + std::unique_ptr& contextData = globalObject->opaqueJSClassData().add(this, nullptr).iterator->value; if (!contextData) - contextData = std::make_unique(exec->vm(), this); + contextData = makeUnique(globalObject->vm(), this); return *contextData; } 
@@ -161,17 +156,17 @@ String OpaqueJSClass::className() return m_className.isolatedCopy(); } -OpaqueJSClassStaticValuesTable* OpaqueJSClass::staticValues(JSC::ExecState* exec) +OpaqueJSClassStaticValuesTable* OpaqueJSClass::staticValues(JSC::JSGlobalObject* globalObject) { - return contextData(exec).staticValues.get(); + return contextData(globalObject).staticValues.get(); } -OpaqueJSClassStaticFunctionsTable* OpaqueJSClass::staticFunctions(JSC::ExecState* exec) +OpaqueJSClassStaticFunctionsTable* OpaqueJSClass::staticFunctions(JSC::JSGlobalObject* globalObject) { - return contextData(exec).staticFunctions.get(); + return contextData(globalObject).staticFunctions.get(); } -JSObject* OpaqueJSClass::prototype(ExecState* exec) +JSObject* OpaqueJSClass::prototype(JSGlobalObject* globalObject) { /* Class (C++) and prototype (JS) inheritance are parallel, so: * (C++) | (JS) 
@@ -182,18 +177,18 @@ JSObject* OpaqueJSClass::prototype(ExecState* exec) */ if (!prototypeClass) - return 0; + return nullptr; - OpaqueJSClassContextData& jsClassData = contextData(exec); + OpaqueJSClassContextData& jsClassData = contextData(globalObject); if (JSObject* prototype = jsClassData.cachedPrototype.get()) return prototype; // Recursive, but should be good enough for our purposes - JSObject* prototype = JSCallbackObject::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData); // set jsClassData as the object's private data, so it can clear our reference on destruction + JSObject* prototype = JSCallbackObject::create(globalObject, globalObject->callbackObjectStructure(), prototypeClass, &jsClassData); // set jsClassData as the object's private data, so it can clear our reference on destruction if (parentClass) { - if (JSObject* parentPrototype = parentClass->prototype(exec)) - prototype->setPrototypeDirect(exec->vm(), parentPrototype); + if (JSObject* parentPrototype = parentClass->prototype(globalObject)) + prototype->setPrototypeDirect(globalObject->vm(), parentPrototype); } jsClassData.cachedPrototype = Weak(prototype); diff --git a/API/JSClassRef.h b/API/JSClassRef.h index 0dd0dca..aa9b5df 100644 --- a/API/JSClassRef.h +++ b/API/JSClassRef.h @@ -93,9 +93,9 @@ struct OpaqueJSClass : public ThreadSafeRefCounted { JS_EXPORT_PRIVATE ~OpaqueJSClass(); String className(); - OpaqueJSClassStaticValuesTable* staticValues(JSC::ExecState*); - OpaqueJSClassStaticFunctionsTable* staticFunctions(JSC::ExecState*); - JSC::JSObject* prototype(JSC::ExecState*); + OpaqueJSClassStaticValuesTable* staticValues(JSC::JSGlobalObject*); + OpaqueJSClassStaticFunctionsTable* staticFunctions(JSC::JSGlobalObject*); + JSC::JSObject* prototype(JSC::JSGlobalObject*); OpaqueJSClass* parentClass; OpaqueJSClass* prototypeClass; 
@@ -119,7 +119,7 @@ private: OpaqueJSClass(const OpaqueJSClass&); OpaqueJSClass(const JSClassDefinition*, OpaqueJSClass* protoClass); - OpaqueJSClassContextData& contextData(JSC::ExecState*); + OpaqueJSClassContextData& contextData(JSC::JSGlobalObject*); // Strings in these data members should not be put into any AtomStringTable. String m_className; diff --git a/API/JSContext.h b/API/JSContext.h index 6b9c5d4..d4e71ca 100644 --- a/API/JSContext.h +++ b/API/JSContext.h @@ -23,11 +23,8 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifndef JSContext_h -#define JSContext_h - -#include -#include +#import +#import #if JSC_OBJC_API_ENABLED @@ -234,5 +231,3 @@ JSC_CLASS_AVAILABLE(macos(10.9), ios(7.0)) @end #endif - -#endif // JSContext_h diff --git a/API/JSContext.mm b/API/JSContext.mm index f1efd09..fd25c08 100644 --- a/API/JSContext.mm +++ b/API/JSContext.mm @@ -23,7 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "config.h" +#import "config.h" #import "APICast.h" #import "Completion.h" @@ -39,16 +39,8 @@ #import "JSVirtualMachineInternal.h" #import "JSWrapperMap.h" #import "JavaScriptCore.h" -#ifdef DARLING -#import "ObjCRuntimeExtras.h" -#else #import "ObjcRuntimeExtras.h" -#endif #import "StrongInlines.h" -#ifdef DARLING_NONUNIFIED_BUILD -#include "JSScriptInternal.h" -#include "JSAPIGlobalObject.h" -#endif #import @@ -68,7 +60,7 @@ - (void)ensureWrapperMap { - if (!toJS([self JSGlobalContextRef])->lexicalGlobalObject()->wrapperMap()) { + if (!toJS([self JSGlobalContextRef])->wrapperMap()) { // The map will be retained by the GlobalObject in initialization. [[[JSWrapperMap alloc] initWithGlobalContextRef:[self JSGlobalContextRef]] release]; } 
@@ -126,29 +118,31 @@ - (JSValue *)evaluateJSScript:(JSScript *)script { - JSC::ExecState* exec = toJS(m_context); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(m_context); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); if (script.type == kJSScriptTypeProgram) { JSValueRef exceptionValue = nullptr; JSC::SourceCode sourceCode = [script sourceCode]; - JSValueRef result = JSEvaluateScriptInternal(locker, exec, m_context, nullptr, sourceCode, &exceptionValue); + JSValueRef result = JSEvaluateScriptInternal(locker, m_context, nullptr, sourceCode, &exceptionValue); if (exceptionValue) return [self valueFromNotifyException:exceptionValue]; return [JSValue valueWithJSValueRef:result inContext:self]; } - auto* globalObject = JSC::jsDynamicCast(vm, exec->lexicalGlobalObject()); - if (!globalObject) + auto* apiGlobalObject = JSC::jsDynamicCast(vm, globalObject); + if (!apiGlobalObject) return [JSValue valueWithNewPromiseRejectedWithReason:[JSValue valueWithNewErrorFromMessage:@"Context does not support module loading" inContext:self] inContext:self]; auto scope = DECLARE_CATCH_SCOPE(vm); - JSC::JSValue result = globalObject->loadAndEvaluateJSScriptModule(locker, script); + JSC::JSValue result = apiGlobalObject->loadAndEvaluateJSScriptModule(locker, script); if (scope.exception()) { - JSValueRef exceptionValue = toRef(exec, scope.exception()->value()); + JSValueRef exceptionValue = toRef(apiGlobalObject, scope.exception()->value()); scope.clearException(); + // FIXME: We should not clearException if it is TerminatedExecutionError. + // https://bugs.webkit.org/show_bug.cgi?id=220821 return [JSValue valueWithNewPromiseRejectedWithReason:[JSValue valueWithJSValueRef:exceptionValue inContext:self] inContext:self]; } return [JSValue valueWithJSValueRef:toRef(vm, result) inContext:self]; 
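Review bot: The new FIXME about not clearing a TerminatedExecutionError applies equally to the identical `scope.clearException();` in dependencyIdentifiersForModuleJSScript (next hunk, `@@ -166,9 +160,9 @@`), which this commit leaves without the same marker. Unconditionally clearing a termination exception means a watchdog stop is swallowed and the context keeps running, so the two sites should at least carry the same note until the linked bug is fixed. Suggested addition at the second site, mirroring this one: `// FIXME: We should not clearException if it is TerminatedExecutionError.` followed by the same bug URL.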
@@ -156,8 +150,8 @@ - (JSValue *)dependencyIdentifiersForModuleJSScript:(JSScript *)script { - JSC::ExecState* exec = toJS(m_context); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(m_context); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); if (script.type != kJSScriptTypeModule) { @@ -166,9 +160,9 @@ } auto scope = DECLARE_CATCH_SCOPE(vm); - JSC::JSArray* result = exec->lexicalGlobalObject()->moduleLoader()->dependencyKeysIfEvaluated(exec, JSC::jsString(&vm, [[script sourceURL] absoluteString])); + JSC::JSArray* result = globalObject->moduleLoader()->dependencyKeysIfEvaluated(globalObject, JSC::jsString(vm, [[script sourceURL] absoluteString])); if (scope.exception()) { - JSValueRef exceptionValue = toRef(exec, scope.exception()->value()); + JSValueRef exceptionValue = toRef(globalObject, scope.exception()->value()); scope.clearException(); return [self valueFromNotifyException:exceptionValue]; } @@ -180,10 +174,19 @@ return [JSValue valueWithJSValueRef:toRef(vm, result) inContext:self]; } +- (void)_setITMLDebuggableType +{ + JSC::JSGlobalObject* globalObject = toJS(m_context); + JSC::VM& vm = globalObject->vm(); + JSC::JSLockHolder locker(vm); + + globalObject->setIsITML(); +} + - (void)setException:(JSValue *)value { - JSC::ExecState* exec = toJS(m_context); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(m_context); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); if (value) m_exception.set(vm, toJS(JSValueToObject(m_context, valueInternalValue(value), 0))); 
@@ -240,10 +243,10 @@ if (!entry->currentArguments) { JSContext *context = [JSContext currentContext]; size_t count = entry->argumentCount; - JSValue * argumentArray[count]; - for (size_t i =0; i < count; ++i) - argumentArray[i] = [JSValue valueWithJSValueRef:entry->arguments[i] inContext:context]; - entry->currentArguments = [[NSArray alloc] initWithObjects:argumentArray count:count]; + NSMutableArray *arguments = [[NSMutableArray alloc] initWithCapacity:count]; + for (size_t i = 0; i < count; ++i) + [arguments setObject:[JSValue valueWithJSValueRef:entry->arguments[i] inContext:context] atIndexedSubscript:i]; + entry->currentArguments = arguments; } return entry->currentArguments; @@ -332,7 +335,7 @@ if (!self) return nil; - JSC::JSGlobalObject* globalObject = toJS(context)->lexicalGlobalObject(); + JSC::JSGlobalObject* globalObject = toJS(context); m_virtualMachine = [[JSVirtualMachine virtualMachineWithContextGroupRef:toRef(&globalObject->vm())] retain]; ASSERT(m_virtualMachine); m_context = JSGlobalContextRetain(context); @@ -392,7 +395,7 @@ - (JSWrapperMap *)wrapperMap { - return toJS(m_context)->lexicalGlobalObject()->wrapperMap(); + return toJS(m_context)->wrapperMap(); } - (JSValue *)wrapperForJSObject:(JSValueRef)value diff --git a/API/JSContextPrivate.h b/API/JSContextPrivate.h index 75f526b..838a9de 100644 --- a/API/JSContextPrivate.h +++ b/API/JSContextPrivate.h @@ -106,6 +106,12 @@ */ - (JSValue *)dependencyIdentifiersForModuleJSScript:(JSScript *)script JSC_API_AVAILABLE(macos(10.15), ios(13.0)); +/*! + @method + @abstract Mark this JSContext as an ITMLKit context for the purposes of remote inspection capabilities. + */ +- (void)_setITMLDebuggableType JSC_API_AVAILABLE(macos(11.0), ios(14.0)); + @end #endif diff --git a/API/JSContextRef.cpp b/API/JSContextRef.cpp index 9f5fdaf..37540ae 100644 --- a/API/JSContextRef.cpp +++ b/API/JSContextRef.cpp 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2007, 2013, 2016 Apple Inc. All rights reserved. + * Copyright (C) 2006-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -31,15 +31,15 @@ #include "CallFrame.h" #include "InitializeThreading.h" #include "JSAPIGlobalObject.h" +#include "JSAPIWrapperObject.h" #include "JSCallbackObject.h" #include "JSClassRef.h" -#include "JSObject.h" -#include "JSCInlines.h" -#include "SourceProvider.h" +#include "JSObjectInlines.h" #include "StackVisitor.h" +#include "StrongInlines.h" +#include "StructureInlines.h" #include "Watchdog.h" #include -#include #if ENABLE(REMOTE_INSPECTOR) #include "JSGlobalObjectDebuggable.h" @@ -54,7 +54,7 @@ #if OS(DARWIN) #include -static const int32_t webkitFirstVersionWithConcurrentGlobalContexts = 0x2100500; // 528.5.0 +static constexpr int32_t webkitFirstVersionWithConcurrentGlobalContexts = 0x2100500; // 528.5.0 #endif using namespace JSC; @@ -66,7 +66,7 @@ using namespace JSC; JSContextGroupRef JSContextGroupCreate() { - initializeThreading(); + JSC::initialize(); return toRef(&VM::createContextGroup().leakRef()); } @@ -84,10 +84,10 @@ void JSContextGroupRelease(JSContextGroupRef group) vm.deref(); } -static bool internalScriptTimeoutCallback(ExecState* exec, void* callbackPtr, void* callbackData) +static bool internalScriptTimeoutCallback(JSGlobalObject* globalObject, void* callbackPtr, void* callbackData) { JSShouldTerminateCallback callback = reinterpret_cast(callbackPtr); - JSContextRef contextRef = toRef(exec); + JSContextRef contextRef = toRef(globalObject); ASSERT(callback); return callback(contextRef, callbackData); } 
@@ -116,7 +116,7 @@ void JSContextGroupClearExecutionTimeLimit(JSContextGroupRef group) JSGlobalContextRef JSGlobalContextCreate(JSClassRef globalObjectClass) { - initializeThreading(); + JSC::initialize(); #if OS(DARWIN) // If the application was linked before JSGlobalContextCreate was changed to use a unique VM, @@ -126,12 +126,12 @@ JSGlobalContextRef JSGlobalContextCreate(JSClassRef globalObjectClass) } #endif // OS(DARWIN) - return JSGlobalContextCreateInGroup(0, globalObjectClass); + return JSGlobalContextCreateInGroup(nullptr, globalObjectClass); } JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClassRef globalObjectClass) { - initializeThreading(); + JSC::initialize(); Ref vm = group ? Ref(*toJS(group)) : VM::createContextGroup(); @@ -143,12 +143,11 @@ JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClass if (JSRemoteInspectorGetInspectionEnabledByDefault()) globalObject->setRemoteDebuggingEnabled(true); #endif - return JSGlobalContextRetain(toGlobalRef(globalObject->globalExec())); + return JSGlobalContextRetain(toGlobalRef(globalObject)); } - JSGlobalObject* globalObject = JSCallbackObject::create(vm.get(), globalObjectClass, JSCallbackObject::createStructure(vm.get(), 0, jsNull())); - ExecState* exec = globalObject->globalExec(); - JSValue prototype = globalObjectClass->prototype(exec); + JSGlobalObject* globalObject = JSCallbackObject::create(vm.get(), globalObjectClass, JSCallbackObject::createStructure(vm.get(), nullptr, jsNull())); + JSValue prototype = globalObjectClass->prototype(globalObject); if (!prototype) prototype = jsNull(); globalObject->resetPrototype(vm.get(), prototype); 
@@ -156,27 +155,27 @@ JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClass if (JSRemoteInspectorGetInspectionEnabledByDefault()) globalObject->setRemoteDebuggingEnabled(true); #endif - return JSGlobalContextRetain(toGlobalRef(exec)); + return JSGlobalContextRetain(toGlobalRef(globalObject)); } JSGlobalContextRef JSGlobalContextRetain(JSGlobalContextRef ctx) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - gcProtect(vm.vmEntryGlobalObject(exec)); + gcProtect(globalObject); vm.ref(); return ctx; } void JSGlobalContextRelease(JSGlobalContextRef ctx) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - bool protectCountIsZero = vm.heap.unprotect(vm.vmEntryGlobalObject(exec)); + bool protectCountIsZero = vm.heap.unprotect(globalObject); if (protectCountIsZero) vm.heap.reportAbandonedObjectGraph(); vm.deref(); 
@@ -186,51 +185,51 @@ JSObjectRef JSContextGetGlobalObject(JSContextRef ctx) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - return toRef(jsCast(exec->lexicalGlobalObject()->methodTable(vm)->toThis(exec->lexicalGlobalObject(), exec, NotStrictMode))); + return toRef(jsCast(globalObject->methodTable(vm)->toThis(globalObject, globalObject, ECMAMode::sloppy()))); } JSContextGroupRef JSContextGetGroup(JSContextRef ctx) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - return toRef(&exec->vm()); + JSGlobalObject* globalObject = toJS(ctx); + return toRef(&globalObject->vm()); } JSGlobalContextRef JSContextGetGlobalContext(JSContextRef ctx) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); - return toGlobalRef(exec->lexicalGlobalObject()->globalExec()); + return toGlobalRef(globalObject); } JSStringRef JSGlobalContextCopyName(JSGlobalContextRef ctx) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - String name = vm.vmEntryGlobalObject(exec)->name(); + String name = globalObject->name(); if (name.isNull()) - return 0; + return nullptr; return OpaqueJSString::tryCreate(name).leakRef(); } 
@@ -242,13 +241,32 @@ void JSGlobalContextSetName(JSGlobalContextRef ctx, JSStringRef name) return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - vm.vmEntryGlobalObject(exec)->setName(name ? name->string() : String()); + globalObject->setName(name ? name->string() : String()); } +void JSGlobalContextSetUnhandledRejectionCallback(JSGlobalContextRef ctx, JSObjectRef function, JSValueRef* exception) +{ + if (!ctx) { + ASSERT_NOT_REACHED(); + return; + } + + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); + JSLockHolder locker(vm); + + JSObject* object = toJS(function); + if (!object->isCallable(vm)) { + *exception = toRef(createTypeError(globalObject)); + return; + } + + globalObject->setUnhandledRejectionCallback(vm, object); +} class BacktraceFunctor { public: @@ -304,17 +322,17 @@ JSStringRef JSContextCreateBacktrace(JSContextRef ctx, unsigned maxStackSize) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder lock(vm); StringBuilder builder; CallFrame* frame = vm.topCallFrame; ASSERT(maxStackSize); BacktraceFunctor functor(builder, maxStackSize); - frame->iterate(functor); + frame->iterate(vm, functor); return OpaqueJSString::tryCreate(builder.toString()).leakRef(); } @@ -326,11 +344,11 @@ bool JSGlobalContextGetRemoteInspectionEnabled(JSGlobalContextRef ctx) return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder lock(vm); - return vm.vmEntryGlobalObject(exec)->remoteDebuggingEnabled(); + return globalObject->remoteDebuggingEnabled(); } void JSGlobalContextSetRemoteInspectionEnabled(JSGlobalContextRef ctx, bool enabled) 
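Review bot: In the new JSGlobalContextSetUnhandledRejectionCallback, `*exception = toRef(createTypeError(globalObject));` dereferences `exception` unconditionally, while the header documentation added in this same commit (JSContextRefPrivate.h hunk) tells callers "Pass NULL if you do not care to store an exception"; a non-callable `function` with a NULL `exception` is therefore a null-pointer write. The other C API entry points guard this, so the assignment should read `if (exception) *exception = toRef(createTypeError(globalObject));`. `toJS(function)` is also dereferenced via `object->isCallable(vm)` with no null check on `function`, so a NULL object argument crashes rather than reporting an error; it is worth either rejecting NULL the same way or documenting that `function` must be non-NULL.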
@@ -340,11 +358,11 @@ void JSGlobalContextSetRemoteInspectionEnabled(JSGlobalContextRef ctx, bool enab return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder lock(vm); - vm.vmEntryGlobalObject(exec)->setRemoteDebuggingEnabled(enabled); + globalObject->setRemoteDebuggingEnabled(enabled); } bool JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions(JSGlobalContextRef ctx) @@ -355,11 +373,10 @@ bool JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions(JSGlobalCo return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder lock(vm); - JSGlobalObject* globalObject = vm.vmEntryGlobalObject(exec); return globalObject->inspectorController().includesNativeCallStackWhenReportingExceptions(); #else UNUSED_PARAM(ctx); @@ -375,11 +392,10 @@ void JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions(JSGlobalCo return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder lock(vm); - JSGlobalObject* globalObject = vm.vmEntryGlobalObject(exec); globalObject->inspectorController().setIncludesNativeCallStackWhenReportingExceptions(includesNativeCallStack); #else UNUSED_PARAM(ctx); @@ -396,11 +412,11 @@ CFRunLoopRef JSGlobalContextGetDebuggerRunLoop(JSGlobalContextRef ctx) return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder lock(vm); - return vm.vmEntryGlobalObject(exec)->inspectorDebuggable().targetRunLoop(); + return globalObject->inspectorDebuggable().targetRunLoop(); #else UNUSED_PARAM(ctx); return nullptr; 
@@ -415,11 +431,11 @@ void JSGlobalContextSetDebuggerRunLoop(JSGlobalContextRef ctx, CFRunLoopRef runL return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder lock(vm); - vm.vmEntryGlobalObject(exec)->inspectorDebuggable().setTargetRunLoop(runLoop); + globalObject->inspectorDebuggable().setTargetRunLoop(runLoop); #else UNUSED_PARAM(ctx); UNUSED_PARAM(runLoop); @@ -435,10 +451,10 @@ Inspector::AugmentableInspectorController* JSGlobalContextGetAugmentableInspecto return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder lock(vm); - return &vm.vmEntryGlobalObject(exec)->inspectorController(); + return &globalObject->inspectorController(); } #endif diff --git a/API/JSContextRefPrivate.h b/API/JSContextRefPrivate.h index 5218ad7..1a370fe 100644 --- a/API/JSContextRefPrivate.h +++ b/API/JSContextRefPrivate.h 
@@ -128,6 +128,16 @@ JS_EXPORT bool JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions( */ JS_EXPORT void JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions(JSGlobalContextRef ctx, bool includesNativeCallStack) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); +/*! +@function +@abstract Sets the unhandled promise rejection callback for a context. +@discussion Similar to window.addEventListener('unhandledrejection'), but for contexts not associated with a web view. +@param ctx The JSGlobalContext to set the callback on. +@param function The callback function to set, which receives the promise and rejection reason as arguments. +@param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception. +*/ +JS_EXPORT void JSGlobalContextSetUnhandledRejectionCallback(JSGlobalContextRef ctx, JSObjectRef function, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.15.4), ios(13.4)); + #ifdef __cplusplus } #endif diff --git a/API/JSHeapFinalizerPrivate.cpp b/API/JSHeapFinalizerPrivate.cpp index 012dc4f..d35a3fe 100644 --- a/API/JSHeapFinalizerPrivate.cpp +++ b/API/JSHeapFinalizerPrivate.cpp 
@@ -27,20 +27,17 @@ #include "JSHeapFinalizerPrivate.h" #include "APICast.h" -#include "JSCInlines.h" - -using namespace JSC; void JSContextGroupAddHeapFinalizer(JSContextGroupRef group, JSHeapFinalizer finalizer, void *userData) { - VM* vm = toJS(group); - JSLockHolder locker(vm); - vm->heap.addHeapFinalizerCallback(HeapFinalizerCallback(finalizer, userData)); + JSC::VM* vm = toJS(group); + JSC::JSLockHolder locker(vm); + vm->heap.addHeapFinalizerCallback(JSC::HeapFinalizerCallback(finalizer, userData)); } void JSContextGroupRemoveHeapFinalizer(JSContextGroupRef group, JSHeapFinalizer finalizer, void *userData) { - VM* vm = toJS(group); - JSLockHolder locker(vm); - vm->heap.removeHeapFinalizerCallback(HeapFinalizerCallback(finalizer, userData)); + JSC::VM* vm = toJS(group); + JSC::JSLockHolder locker(vm); + vm->heap.removeHeapFinalizerCallback(JSC::HeapFinalizerCallback(finalizer, userData)); } diff --git a/API/JSHeapFinalizerPrivate.h b/API/JSHeapFinalizerPrivate.h index 8c9b152..45e1ad1 100644 --- a/API/JSHeapFinalizerPrivate.h +++ b/API/JSHeapFinalizerPrivate.h @@ -26,7 +26,7 @@ #ifndef JSHeapFinalizerPrivate_h #define JSHeapFinalizerPrivate_h -#include +#include #include #ifdef __cplusplus diff --git a/inspector/EventLoop.h b/API/JSLockRef.cpp similarity index 71% rename from inspector/EventLoop.h rename to API/JSLockRef.cpp index 1625a6b..733bf15 100644 --- a/inspector/EventLoop.h +++ b/API/JSLockRef.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Apple Inc. All Rights Reserved. + * Copyright (C) 2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -23,33 +23,29 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#pragma once
+#include "config.h"
+#include "JSLockRefPrivate.h"
-#include
+#include "JSLock.h"
-#if USE(CF) && !OS(WINDOWS)
-#include
-#endif
+using namespace JSC;
-namespace Inspector {
-
-class EventLoop {
- WTF_MAKE_NONCOPYABLE(EventLoop);
-public:
- EventLoop()
- : m_ended(false)
- {
+void JSLock(JSContextRef ctx)
+{
+ if (!ctx) {
+ ASSERT_NOT_REACHED();
+ return;
 }
+ JSGlobalObject* globalObject = toJS(ctx);
+ globalObject->vm().apiLock().lock();
+}
- void cycle();
- bool ended() const { return m_ended; }
-
-#if USE(CF) && !OS(WINDOWS)
- static CFStringRef remoteInspectorRunLoopMode();
-#endif
-
-private:
- bool m_ended;
-};
-
-} // namespace Inspector
+void JSUnlock(JSContextRef ctx)
+{
+ if (!ctx) {
+ ASSERT_NOT_REACHED();
+ return;
+ }
+ JSGlobalObject* globalObject = toJS(ctx);
+ globalObject->vm().apiLock().unlock();
+}
diff --git a/API/JSLockRefPrivate.h b/API/JSLockRefPrivate.h
new file mode 100644
index 0000000..141a37e
--- /dev/null
+++ b/API/JSLockRefPrivate.h
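Review bot: JSUnlock calls `globalObject->vm().apiLock().unlock()` without checking that the calling thread currently holds the API lock, so an unbalanced JSUnlock (or one issued from a different thread than the matching JSLock) falls through to whatever the underlying lock does on a spurious release instead of failing loudly at the API boundary. If JSC::JSLock exposes its ownership query (I believe it does as `currentThreadIsHoldingLock()`, please verify), `ASSERT(globalObject->vm().apiLock().currentThreadIsHoldingLock());` immediately before the unlock would catch this misuse in debug builds. Separately, git's 71% similarity heuristic has paired this new file with the deleted inspector/EventLoop.h as a rename, which is unrelated content; splitting the deletion and the addition so they are not detected as a rename would keep the history of JSLockRef.cpp readable.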
@@ -0,0 +1,52 @@ +/* + * Copyright (C) 2020 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#pragma once + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/*! + @function + @abstract Acquire the API lock for the given JSContextRef. + @param ctx The execution context to be locked. + @discussion The lock has to be held to perform any interactions with the JSContextRef. This function allows holding the lock across multiple interactions to amortize the cost. This lock is a recursive lock. + */ +JS_EXPORT void JSLock(JSContextRef ctx); + +/*! + @function + @abstract Release the API lock for the given JSContextRef. + @param ctx The execution context to be unlocked. 
+ @discussion Releases the lock that was previously acquired using JSLock. + */ +JS_EXPORT void JSUnlock(JSContextRef ctx); + +#ifdef __cplusplus +} +#endif diff --git a/API/JSManagedValue.mm b/API/JSManagedValue.mm index be90515..c18737b 100644 --- a/API/JSManagedValue.mm +++ b/API/JSManagedValue.mm @@ -35,18 +35,14 @@ #import "JSValueInternal.h" #import "JSWeakValue.h" #import "WeakHandleOwner.h" -#ifdef DARLING -#import "ObjCRuntimeExtras.h" -#else #import "ObjcRuntimeExtras.h" -#endif #import "JSCInlines.h" #import -class JSManagedValueHandleOwner : public JSC::WeakHandleOwner { +class JSManagedValueHandleOwner final : public JSC::WeakHandleOwner { public: - void finalize(JSC::Handle, void* context) override; - bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) override; + void finalize(JSC::Handle, void* context) final; + bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) final; }; static JSManagedValueHandleOwner& managedValueHandleOwner() 
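Review bot: The JSLock discussion states that the lock is recursive, but neither comment says that every JSLock must be balanced by exactly one JSUnlock on the same thread, which is the invariant a C caller most needs and the one the API itself cannot enforce. Assuming the underlying lock is a conventional recursive lock, the JSUnlock @discussion could read: `Releases the lock that was previously acquired using JSLock. Each call to JSLock must be balanced by one call to JSUnlock on the same thread; nested JSLock calls require the same number of JSUnlock calls before the lock is released.` The JSLock comment could likewise say whether blocking on a lock held by another thread is the intended behaviour, since that determines how embedders may use it from secondary threads.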
@@ -88,19 +84,18 @@ static JSManagedValueHandleOwner& managedValueHandleOwner() if (!value) return self; - JSC::ExecState* exec = toJS([value.context JSGlobalContextRef]); - JSC::JSGlobalObject* globalObject = exec->lexicalGlobalObject(); + JSC::JSGlobalObject* globalObject = toJS([value.context JSGlobalContextRef]); auto& owner = managedValueHandleOwner(); JSC::Weak weak(globalObject, &owner, (__bridge void*)self); m_globalObject.swap(weak); - m_lock = &exec->vm().apiLock(); + m_lock = &globalObject->vm().apiLock(); NSPointerFunctionsOptions weakIDOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality; NSPointerFunctionsOptions integerOptions = NSPointerFunctionsOpaqueMemory | NSPointerFunctionsIntegerPersonality; m_owners = [[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1]; - JSC::JSValue jsValue = toJS(exec, [value JSValueRef]); + JSC::JSValue jsValue = toJS(globalObject, [value JSValueRef]); if (jsValue.isObject()) m_weakValue.setObject(JSC::jsCast(jsValue.asCell()), owner, (__bridge void*)self); else if (jsValue.isString()) @@ -161,8 +156,8 @@ static JSManagedValueHandleOwner& managedValueHandleOwner() return nil; if (m_weakValue.isClear()) return nil; - JSC::ExecState* exec = m_globalObject->globalExec(); - JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(exec)]; + JSC::JSGlobalObject* globalObject = m_globalObject.get(); + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject)]; JSC::JSValue value; if (m_weakValue.isPrimitive()) value = m_weakValue.primitive(); @@ -170,7 +165,7 @@ static JSManagedValueHandleOwner& managedValueHandleOwner() value = m_weakValue.string(); else value = m_weakValue.object(); - return [JSValue valueWithJSValueRef:toRef(exec, value) inContext:context]; + return [JSValue valueWithJSValueRef:toRef(globalObject, value) inContext:context]; } - (void)disconnectValue 
diff --git a/API/JSMarkingConstraintPrivate.cpp b/API/JSMarkingConstraintPrivate.cpp index d9ee674..f30c57a 100644 --- a/API/JSMarkingConstraintPrivate.cpp +++ b/API/JSMarkingConstraintPrivate.cpp @@ -27,7 +27,6 @@ #include "JSMarkingConstraintPrivate.h" #include "APICast.h" -#include "JSCInlines.h" #include "SimpleMarkingConstraint.h" using namespace JSC; @@ -71,7 +70,7 @@ void JSContextGroupAddMarkingConstraint(JSContextGroupRef group, JSMarkingConstr // else gets marked. ConstraintVolatility volatility = ConstraintVolatility::GreyedByMarking; - auto constraint = std::make_unique( + auto constraint = makeUnique( toCString("Amc", constraintIndex, "(", RawPointer(bitwise_cast(constraintCallback)), ")"), toCString("API Marking Constraint #", constraintIndex, " (", RawPointer(bitwise_cast(constraintCallback)), ", ", RawPointer(userData), ")"), [constraintCallback, userData] diff --git a/API/JSObjectRef.cpp b/API/JSObjectRef.cpp index 554d5f1..9584f76 100644 --- a/API/JSObjectRef.cpp +++ b/API/JSObjectRef.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2019 Apple Inc. All rights reserved. + * Copyright (C) 2006-2020 Apple Inc. All rights reserved. * Copyright (C) 2008 Kelvin W Sherlock (ksherlock@gmail.com) * * Redistribution and use in source and binary forms, with or without 
@@ -31,26 +31,17 @@ #include "APICast.h" #include "APIUtils.h" #include "DateConstructor.h" -#include "ErrorConstructor.h" -#include "Exception.h" #include "FunctionConstructor.h" #include "Identifier.h" #include "InitializeThreading.h" -#include "JSAPIWrapperObject.h" #include "JSArray.h" #include "JSCInlines.h" #include "JSCallbackConstructor.h" #include "JSCallbackFunction.h" #include "JSCallbackObject.h" #include "JSClassRef.h" -#include "JSFunction.h" -#include "JSGlobalObject.h" -#include "JSObject.h" #include "JSPromise.h" -#include "JSPromiseDeferred.h" -#include "JSRetainPtr.h" #include "JSString.h" -#include "JSValueRef.h" #include "ObjectConstructor.h" #include "ObjectPrototype.h" #include "PropertyNameArray.h" @@ -65,7 +56,7 @@ using namespace JSC; JSClassRef JSClassCreate(const JSClassDefinition* definition) { - initializeThreading(); + JSC::initialize(); auto jsClass = (definition->attributes & kJSClassAttributeNoAutomaticPrototype) ? OpaqueJSClass::createNoAutomaticPrototype(definition) : OpaqueJSClass::create(definition); @@ -88,17 +79,17 @@ JSObjectRef JSObjectMake(JSContextRef ctx, JSClassRef jsClass, void* data) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); if (!jsClass) - return toRef(constructEmptyObject(exec)); + return toRef(constructEmptyObject(globalObject)); - JSCallbackObject* object = JSCallbackObject::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), jsClass, data); - if (JSObject* prototype = jsClass->prototype(exec)) + JSCallbackObject* object = JSCallbackObject::create(globalObject, globalObject->callbackObjectStructure(), jsClass, data); + if (JSObject* prototype = jsClass->prototype(globalObject)) object->setPrototypeDirect(vm, prototype); return toRef(object); 
@@ -108,62 +99,62 @@ JSObjectRef JSObjectMakeFunctionWithCallback(JSContextRef ctx, JSStringRef name, { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - return toRef(JSCallbackFunction::create(vm, exec->lexicalGlobalObject(), callAsFunction, name ? name->string() : "anonymous"_s)); + return toRef(JSCallbackFunction::create(vm, globalObject, callAsFunction, name ? name->string() : "anonymous"_s)); } JSObjectRef JSObjectMakeConstructor(JSContextRef ctx, JSClassRef jsClass, JSObjectCallAsConstructorCallback callAsConstructor) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - JSValue jsPrototype = jsClass ? jsClass->prototype(exec) : 0; + JSValue jsPrototype = jsClass ? 
jsClass->prototype(globalObject) : nullptr; if (!jsPrototype) - jsPrototype = exec->lexicalGlobalObject()->objectPrototype(); + jsPrototype = globalObject->objectPrototype(); - JSCallbackConstructor* constructor = JSCallbackConstructor::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackConstructorStructure(), jsClass, callAsConstructor); + JSCallbackConstructor* constructor = JSCallbackConstructor::create(globalObject, globalObject->callbackConstructorStructure(), jsClass, callAsConstructor); constructor->putDirect(vm, vm.propertyNames->prototype, jsPrototype, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly); return toRef(constructor); } -JSObjectRef JSObjectMakeFunction(JSContextRef ctx, JSStringRef name, unsigned parameterCount, const JSStringRef parameterNames[], JSStringRef body, JSStringRef sourceURL, int startingLineNumber, JSValueRef* exception) +JSObjectRef JSObjectMakeFunction(JSContextRef ctx, JSStringRef name, unsigned parameterCount, const JSStringRef parameterNames[], JSStringRef body, JSStringRef sourceURLString, int startingLineNumber, JSValueRef* exception) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); startingLineNumber = std::max(1, startingLineNumber); - Identifier nameID = name ? name->identifier(&vm) : Identifier::fromString(exec, "anonymous"); + Identifier nameID = name ? 
name->identifier(&vm) : Identifier::fromString(vm, "anonymous"); MarkedArgumentBuffer args; for (unsigned i = 0; i < parameterCount; i++) - args.append(jsString(exec, parameterNames[i]->string())); - args.append(jsString(exec, body->string())); + args.append(jsString(vm, parameterNames[i]->string())); + args.append(jsString(vm, body->string())); if (UNLIKELY(args.hasOverflowed())) { auto throwScope = DECLARE_THROW_SCOPE(vm); - throwOutOfMemoryError(exec, throwScope); - handleExceptionIfNeeded(scope, exec, exception); - return 0; + throwOutOfMemoryError(globalObject, throwScope); + handleExceptionIfNeeded(scope, ctx, exception); + return nullptr; } - auto sourceURLString = sourceURL ? sourceURL->string() : String(); - JSObject* result = constructFunction(exec, exec->lexicalGlobalObject(), args, nameID, SourceOrigin { sourceURLString }, sourceURLString, TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - result = 0; + auto sourceURL = sourceURLString ? URL({ }, sourceURLString->string()) : URL(); + JSObject* result = constructFunction(globalObject, args, nameID, SourceOrigin { sourceURL }, sourceURL.string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + result = nullptr; return toRef(result); } @@ -171,10 +162,10 @@ JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount, const JSVa { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); 
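Review bot: In JSObjectMakeFunction the caller's string is now parsed with `URL({ }, sourceURLString->string())` and only `sourceURL.string()` reaches constructFunction, so a caller that passes a non-URL string (a bare file name, for example) may see a different, possibly empty, value in SourceOrigin and in stack traces than before, when the raw string was forwarded unchanged; whether URL() normalises or rejects such input is not visible here. If that is intended, the header comment for this parameter should say the string is parsed as a URL; otherwise falling back to the original string when the parsed URL is empty would preserve the old behaviour for those callers. The parameter in the public signature is also renamed from `sourceURL` to `sourceURLString` without a matching header change in this diff, which is worth checking for consistency.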
@@ -182,20 +173,20 @@ JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount, const JSVa if (argumentCount) { MarkedArgumentBuffer argList; for (size_t i = 0; i < argumentCount; ++i) - argList.append(toJS(exec, arguments[i])); + argList.append(toJS(globalObject, arguments[i])); if (UNLIKELY(argList.hasOverflowed())) { auto throwScope = DECLARE_THROW_SCOPE(vm); - throwOutOfMemoryError(exec, throwScope); - handleExceptionIfNeeded(scope, exec, exception); - return 0; + throwOutOfMemoryError(globalObject, throwScope); + handleExceptionIfNeeded(scope, ctx, exception); + return nullptr; } - result = constructArray(exec, static_cast(0), argList); + result = constructArray(globalObject, static_cast(nullptr), argList); } else - result = constructEmptyArray(exec, 0); + result = constructEmptyArray(globalObject, nullptr); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - result = 0; + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + result = nullptr; return toRef(result); } 
@@ -204,26 +195,26 @@ JSObjectRef JSObjectMakeDate(JSContextRef ctx, size_t argumentCount, const JSVal { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); MarkedArgumentBuffer argList; for (size_t i = 0; i < argumentCount; ++i) - argList.append(toJS(exec, arguments[i])); + argList.append(toJS(globalObject, arguments[i])); if (UNLIKELY(argList.hasOverflowed())) { auto throwScope = DECLARE_THROW_SCOPE(vm); - throwOutOfMemoryError(exec, throwScope); - handleExceptionIfNeeded(scope, exec, exception); - return 0; + throwOutOfMemoryError(globalObject, throwScope); + handleExceptionIfNeeded(scope, ctx, exception); + return nullptr; } - JSObject* result = constructDate(exec, exec->lexicalGlobalObject(), JSValue(), argList); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - result = 0; + JSObject* result = constructDate(globalObject, JSValue(), argList); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + result = nullptr; return toRef(result); } 
@@ -232,19 +223,19 @@ JSObjectRef JSObjectMakeError(JSContextRef ctx, size_t argumentCount, const JSVa { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSValue message = argumentCount ? toJS(exec, arguments[0]) : jsUndefined(); - Structure* errorStructure = exec->lexicalGlobalObject()->errorStructure(); - JSObject* result = ErrorInstance::create(exec, errorStructure, message); + JSValue message = argumentCount ? toJS(globalObject, arguments[0]) : jsUndefined(); + Structure* errorStructure = globalObject->errorStructure(); + JSObject* result = ErrorInstance::create(globalObject, errorStructure, message); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - result = 0; + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + result = nullptr; return toRef(result); } 
@@ -253,26 +244,26 @@ JSObjectRef JSObjectMakeRegExp(JSContextRef ctx, size_t argumentCount, const JSV { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); MarkedArgumentBuffer argList; for (size_t i = 0; i < argumentCount; ++i) - argList.append(toJS(exec, arguments[i])); + argList.append(toJS(globalObject, arguments[i])); if (UNLIKELY(argList.hasOverflowed())) { auto throwScope = DECLARE_THROW_SCOPE(vm); - throwOutOfMemoryError(exec, throwScope); - handleExceptionIfNeeded(scope, exec, exception); - return 0; + throwOutOfMemoryError(globalObject, throwScope); + handleExceptionIfNeeded(scope, ctx, exception); + return nullptr; } - JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(), argList); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - result = 0; + JSObject* result = constructRegExp(globalObject, argList); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + result = nullptr; return toRef(result); } 
@@ -284,14 +275,13 @@ JSObjectRef JSObjectMakeDeferredPromise(JSContextRef ctx, JSObjectRef* resolve, return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); + JSLockHolder locker(globalObject); auto scope = DECLARE_CATCH_SCOPE(vm); - auto* globalObject = exec->lexicalGlobalObject(); - JSPromiseDeferred::DeferredData data = JSPromiseDeferred::createDeferredData(exec, globalObject, globalObject->promiseConstructor()); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + JSPromise::DeferredData data = JSPromise::createDeferredData(globalObject, globalObject->promiseConstructor()); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return nullptr; if (resolve) @@ -305,13 +295,13 @@ JSValueRef JSObjectGetPrototype(JSContextRef ctx, JSObjectRef object) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); JSObject* jsObject = toJS(object); - return toRef(exec, jsObject->getPrototypeDirect(exec->vm())); + return toRef(globalObject, jsObject->getPrototypeDirect(globalObject->vm())); } void JSObjectSetPrototype(JSContextRef ctx, JSObjectRef object, JSValueRef value) 
@@ -320,15 +310,15 @@ void JSObjectSetPrototype(JSContextRef ctx, JSObjectRef object, JSValueRef value ASSERT_NOT_REACHED(); return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - JSValue jsValue = toJS(exec, value); - jsObject->setPrototype(vm, exec, jsValue.isObject() ? jsValue : jsNull()); - handleExceptionIfNeeded(scope, exec, nullptr); + JSValue jsValue = toJS(globalObject, value); + jsObject->setPrototype(vm, globalObject, jsValue.isObject() ? jsValue : jsNull()); + handleExceptionIfNeeded(scope, ctx, nullptr); } bool JSObjectHasProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName) 
@@ -337,31 +327,32 @@ bool JSObjectHasProperty(JSContextRef ctx, JSObjectRef object, JSStringRef prope ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); JSObject* jsObject = toJS(object); - return jsObject->hasProperty(exec, propertyName->identifier(&vm)); + return jsObject->hasProperty(globalObject, propertyName->identifier(&vm)); } JSValueRef JSObjectGetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception) { - if (!ctx) { + if (!ctx || !object) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - JSValue jsValue = jsObject->get(exec, propertyName->identifier(&vm)); - handleExceptionIfNeeded(scope, exec, exception); - return toRef(exec, jsValue); + JSValue jsValue = jsObject->get(globalObject, propertyName->identifier(&vm)); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return nullptr; + return toRef(globalObject, jsValue); } void JSObjectSetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef value, JSPropertyAttributes attributes, JSValueRef* exception) 
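Review bot: The `!object` guard added to JSObjectGetProperty is the only one in this file; JSObjectGetPrototype in the preceding hunk, JSObjectHasProperty just above, and JSObjectSetProperty plus the ForKey and AtIndex variants in the following hunks all still go straight to `toJS(object)` and dereference the result, so a NULL object crashes there exactly as it did here before this change. Either the guard is extended to the siblings (`if (!ctx || !object) { ASSERT_NOT_REACHED(); return nullptr; }`, with `return false;` or a plain `return;` for the bool and void entry points) or the asymmetry deserves a comment explaining why only this function checks. JSObjectGetProperty also now returns NULL when handleExceptionIfNeeded reports a throw rather than converting the partially computed value, which is a visible behaviour change for callers that ignore `exception`; the same applies to JSObjectGetPropertyForKey and JSObjectGetPropertyAtIndex, and the header documentation for these return values should state it.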
@@ -370,26 +361,26 @@ void JSObjectSetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef prope ASSERT_NOT_REACHED(); return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); Identifier name(propertyName->identifier(&vm)); - JSValue jsValue = toJS(exec, value); + JSValue jsValue = toJS(globalObject, value); - bool doesNotHaveProperty = attributes && !jsObject->hasProperty(exec, name); + bool doesNotHaveProperty = attributes && !jsObject->hasProperty(globalObject, name); if (LIKELY(!scope.exception())) { if (doesNotHaveProperty) { PropertyDescriptor desc(jsValue, attributes); - jsObject->methodTable(vm)->defineOwnProperty(jsObject, exec, name, desc, false); + jsObject->methodTable(vm)->defineOwnProperty(jsObject, globalObject, name, desc, false); } else { PutPropertySlot slot(jsObject); - jsObject->methodTable(vm)->put(jsObject, exec, name, jsValue, slot); + jsObject->methodTable(vm)->put(jsObject, globalObject, name, jsValue, slot); } } - handleExceptionIfNeeded(scope, exec, exception); + handleExceptionIfNeeded(scope, ctx, exception); } bool JSObjectHasPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef key, JSValueRef* exception) 
@@ -398,18 +389,19 @@ bool JSObjectHasPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - Identifier ident = toJS(exec, key).toPropertyKey(exec); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + Identifier ident = toJS(globalObject, key).toPropertyKey(globalObject); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return false; - bool result = jsObject->hasProperty(exec, ident); - handleExceptionIfNeeded(scope, exec, exception); + bool result = jsObject->hasProperty(globalObject, ident); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return false; return result; } 
@@ -419,19 +411,20 @@ JSValueRef JSObjectGetPropertyForKey(JSContextRef ctx, JSObjectRef object, JSVal ASSERT_NOT_REACHED(); return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - Identifier ident = toJS(exec, key).toPropertyKey(exec); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + Identifier ident = toJS(globalObject, key).toPropertyKey(globalObject); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return nullptr; - JSValue jsValue = jsObject->get(exec, ident); - handleExceptionIfNeeded(scope, exec, exception); - return toRef(exec, jsValue); + JSValue jsValue = jsObject->get(globalObject, ident); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return nullptr; + return toRef(globalObject, jsValue); } void JSObjectSetPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef key, JSValueRef value, JSPropertyAttributes attributes, JSValueRef* exception) 
@@ -440,29 +433,29 @@ void JSObjectSetPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef ASSERT_NOT_REACHED(); return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - JSValue jsValue = toJS(exec, value); + JSValue jsValue = toJS(globalObject, value); - Identifier ident = toJS(exec, key).toPropertyKey(exec); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + Identifier ident = toJS(globalObject, key).toPropertyKey(globalObject); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return; - bool doesNotHaveProperty = attributes && !jsObject->hasProperty(exec, ident); + bool doesNotHaveProperty = attributes && !jsObject->hasProperty(globalObject, ident); if (LIKELY(!scope.exception())) { if (doesNotHaveProperty) { PropertyDescriptor desc(jsValue, attributes); - jsObject->methodTable(vm)->defineOwnProperty(jsObject, exec, ident, desc, false); + jsObject->methodTable(vm)->defineOwnProperty(jsObject, globalObject, ident, desc, false); } else { PutPropertySlot slot(jsObject); - jsObject->methodTable(vm)->put(jsObject, exec, ident, jsValue, slot); + jsObject->methodTable(vm)->put(jsObject, globalObject, ident, jsValue, slot); } } - handleExceptionIfNeeded(scope, exec, exception); + handleExceptionIfNeeded(scope, ctx, exception); } bool JSObjectDeletePropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef key, JSValueRef* exception) 
@@ -471,18 +464,19 @@ bool JSObjectDeletePropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueR ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - Identifier ident = toJS(exec, key).toPropertyKey(exec); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + Identifier ident = toJS(globalObject, key).toPropertyKey(globalObject); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return false; - bool result = jsObject->methodTable(vm)->deleteProperty(jsObject, exec, ident); - handleExceptionIfNeeded(scope, exec, exception); + bool result = JSCell::deleteProperty(jsObject, globalObject, ident); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return false; return result; } @@ -490,18 +484,19 @@ JSValueRef JSObjectGetPropertyAtIndex(JSContextRef ctx, JSObjectRef object, unsi { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - JSValue jsValue = jsObject->get(exec, propertyIndex); - handleExceptionIfNeeded(scope, exec, exception); - return toRef(exec, jsValue); + JSValue jsValue = jsObject->get(globalObject, propertyIndex); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return nullptr; + return toRef(globalObject, jsValue); } 
@@ -511,16 +506,16 @@ void JSObjectSetPropertyAtIndex(JSContextRef ctx, JSObjectRef object, unsigned p ASSERT_NOT_REACHED(); return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - JSValue jsValue = toJS(exec, value); + JSValue jsValue = toJS(globalObject, value); - jsObject->methodTable(vm)->putByIndex(jsObject, exec, propertyIndex, jsValue, false); - handleExceptionIfNeeded(scope, exec, exception); + jsObject->methodTable(vm)->putByIndex(jsObject, globalObject, propertyIndex, jsValue, false); + handleExceptionIfNeeded(scope, ctx, exception); } bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception) @@ -529,15 +524,16 @@ bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef pr ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); JSObject* jsObject = toJS(object); - bool result = jsObject->methodTable(vm)->deleteProperty(jsObject, exec, propertyName->identifier(&vm)); - handleExceptionIfNeeded(scope, exec, exception); + bool result = JSCell::deleteProperty(jsObject, globalObject, propertyName->identifier(&vm)); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return false; return result; } @@ -546,7 +542,7 @@ bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef pr // during destruction. static const ClassInfo* classInfoPrivate(JSObject* jsObject) { - VM& vm = *jsObject->vm(); + VM& vm = jsObject->vm(); if (vm.currentlyDestructingCallbackObject != jsObject) return jsObject->classInfo(vm); 
@@ -557,7 +553,7 @@ static const ClassInfo* classInfoPrivate(JSObject* jsObject) void* JSObjectGetPrivate(JSObjectRef object) { JSObject* jsObject = uncheckedToJS(object); - VM& vm = *jsObject->vm(); + VM& vm = jsObject->vm(); const ClassInfo* classInfo = classInfoPrivate(jsObject); @@ -569,20 +565,20 @@ void* JSObjectGetPrivate(JSObjectRef object) if (classInfo->isSubClassOf(JSCallbackObject::info())) return static_cast*>(jsObject)->getPrivate(); - if (classInfo->isSubClassOf(JSCallbackObject::info())) - return static_cast*>(jsObject)->getPrivate(); + if (classInfo->isSubClassOf(JSCallbackObject::info())) + return static_cast*>(jsObject)->getPrivate(); #if JSC_OBJC_API_ENABLED if (classInfo->isSubClassOf(JSCallbackObject::info())) return static_cast*>(jsObject)->getPrivate(); #endif - return 0; + return nullptr; } bool JSObjectSetPrivate(JSObjectRef object, void* data) { JSObject* jsObject = uncheckedToJS(object); - VM& vm = *jsObject->vm(); + VM& vm = jsObject->vm(); const ClassInfo* classInfo = classInfoPrivate(jsObject); @@ -596,8 +592,8 @@ bool JSObjectSetPrivate(JSObjectRef object, void* data) static_cast*>(jsObject)->setPrivate(data); return true; } - if (classInfo->isSubClassOf(JSCallbackObject::info())) { - static_cast*>(jsObject)->setPrivate(data); + if (classInfo->isSubClassOf(JSCallbackObject::info())) { + static_cast*>(jsObject)->setPrivate(data); return true; } #if JSC_OBJC_API_ENABLED @@ -612,8 +608,8 @@ bool JSObjectSetPrivate(JSObjectRef object, void* data) JSValueRef JSObjectGetPrivateProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); JSObject* jsObject = toJS(object); JSValue result; 
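Review bot: JSObjectGetPrivateProperty dereferences `toJS(ctx)` on the very next line via `globalObject->vm()` with no `if (!ctx)` guard, unlike every public entry point rewritten earlier in this file; JSObjectSetPrivateProperty and JSObjectDeletePrivateProperty in the next hunk have the same shape. The rewrite replaces exactly these two lines, so adding `if (!ctx) { ASSERT_NOT_REACHED(); return nullptr; }` here (and `return false;` in the two bool functions) would be a cheap consistency fix. The body of JSObjectGetPrivateProperty continues past the last line of this hunk.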
@@ -626,22 +622,22 @@ JSValueRef JSObjectGetPrivateProperty(JSContextRef ctx, JSObjectRef object, JSSt if (jsObject->inherits>(vm)) result = jsCast*>(jsObject)->getPrivateProperty(name); - else if (jsObject->inherits>(vm)) - result = jsCast*>(jsObject)->getPrivateProperty(name); + else if (jsObject->inherits>(vm)) + result = jsCast*>(jsObject)->getPrivateProperty(name); #if JSC_OBJC_API_ENABLED else if (jsObject->inherits>(vm)) result = jsCast*>(jsObject)->getPrivateProperty(name); #endif - return toRef(exec, result); + return toRef(globalObject, result); } bool JSObjectSetPrivateProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef value) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); JSObject* jsObject = toJS(object); - JSValue jsValue = value ? toJS(exec, value) : JSValue(); + JSValue jsValue = value ? toJS(globalObject, value) : JSValue(); Identifier name(propertyName->identifier(&vm)); // Get wrapped object if proxied @@ -652,8 +648,8 @@ bool JSObjectSetPrivateProperty(JSContextRef ctx, JSObjectRef object, JSStringRe jsCast*>(jsObject)->setPrivateProperty(vm, name, jsValue); return true; } - if (jsObject->inherits>(vm)) { - jsCast*>(jsObject)->setPrivateProperty(vm, name, jsValue); + if (jsObject->inherits>(vm)) { + jsCast*>(jsObject)->setPrivateProperty(vm, name, jsValue); return true; } #if JSC_OBJC_API_ENABLED @@ -667,8 +663,8 @@ bool JSObjectSetPrivateProperty(JSContextRef ctx, JSObjectRef object, JSStringRe bool JSObjectDeletePrivateProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); JSObject* jsObject = toJS(object); Identifier name(propertyName->identifier(&vm)); 
@@ -681,8 +677,8 @@ bool JSObjectDeletePrivateProperty(JSContextRef ctx, JSObjectRef object, JSStrin jsCast*>(jsObject)->deletePrivateProperty(name); return true; } - if (jsObject->inherits>(vm)) { - jsCast*>(jsObject)->deletePrivateProperty(name); + if (jsObject->inherits>(vm)) { + jsCast*>(jsObject)->deletePrivateProperty(name); return true; } #if JSC_OBJC_API_ENABLED 
@@ -698,55 +694,53 @@ bool JSObjectIsFunction(JSContextRef ctx, JSObjectRef object) { if (!object) return false; - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - CallData callData; JSCell* cell = toJS(object); - return cell->methodTable(vm)->getCallData(cell, callData) != CallType::None; + return cell->isCallable(vm); } JSValueRef JSObjectCallAsFunction(JSContextRef ctx, JSObjectRef object, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); if (!object) - return 0; + return nullptr; JSObject* jsObject = toJS(object); JSObject* jsThisObject = toJS(thisObject); if (!jsThisObject) - jsThisObject = exec->globalThisValue(); + jsThisObject = globalObject->globalThis(); MarkedArgumentBuffer argList; for (size_t i = 0; i < argumentCount; i++) - argList.append(toJS(exec, arguments[i])); + argList.append(toJS(globalObject, arguments[i])); if (UNLIKELY(argList.hasOverflowed())) { auto throwScope = DECLARE_THROW_SCOPE(vm); - throwOutOfMemoryError(exec, throwScope); - handleExceptionIfNeeded(scope, exec, exception); - return 0; + throwOutOfMemoryError(globalObject, throwScope); + handleExceptionIfNeeded(scope, ctx, exception); + return nullptr; } - CallData callData; - CallType callType = jsObject->methodTable(vm)->getCallData(jsObject, callData); - if (callType == CallType::None) - return 0; + auto callData = getCallData(vm, jsObject); + if (callData.type == CallData::Type::None) + return nullptr; - JSValueRef result = toRef(exec, profiledCall(exec, ProfilingReason::API, jsObject, callType, callData, jsThisObject, argList)); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - result = 0; + JSValueRef 
result = toRef(globalObject, profiledCall(globalObject, ProfilingReason::API, jsObject, callData, jsThisObject, argList)); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + result = nullptr; return result; } bool JSObjectIsConstructor(JSContextRef ctx, JSObjectRef object) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); if (!object) return false; 
@@ -755,34 +749,33 @@ bool JSObjectIsConstructor(JSContextRef ctx, JSObjectRef object) JSObjectRef JSObjectCallAsConstructor(JSContextRef ctx, JSObjectRef object, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); if (!object) - return 0; + return nullptr; JSObject* jsObject = toJS(object); - ConstructData constructData; - ConstructType constructType = jsObject->methodTable(vm)->getConstructData(jsObject, constructData); - if (constructType == ConstructType::None) - return 0; + auto constructData = getConstructData(vm, jsObject); + if (constructData.type == CallData::Type::None) + return nullptr; MarkedArgumentBuffer argList; for (size_t i = 0; i < argumentCount; i++) - argList.append(toJS(exec, arguments[i])); + argList.append(toJS(globalObject, arguments[i])); if (UNLIKELY(argList.hasOverflowed())) { auto throwScope = DECLARE_THROW_SCOPE(vm); - throwOutOfMemoryError(exec, throwScope); - handleExceptionIfNeeded(scope, exec, exception); - return 0; + throwOutOfMemoryError(globalObject, throwScope); + handleExceptionIfNeeded(scope, ctx, exception); + return nullptr; } - JSObjectRef result = toRef(profiledConstruct(exec, ProfilingReason::API, jsObject, constructType, constructData, argList)); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - result = 0; + JSObjectRef result = toRef(profiledConstruct(globalObject, ProfilingReason::API, jsObject, constructData, argList)); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + result = nullptr; return result; } 
@@ -805,17 +798,17 @@ JSPropertyNameArrayRef JSObjectCopyPropertyNames(JSContextRef ctx, JSObjectRef o { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); - VM* vm = &exec->vm(); + VM& vm = globalObject->vm(); JSObject* jsObject = toJS(object); - JSPropertyNameArrayRef propertyNames = new OpaqueJSPropertyNameArray(vm); + JSPropertyNameArrayRef propertyNames = new OpaqueJSPropertyNameArray(&vm); PropertyNameArray array(vm, PropertyNameMode::Strings, PrivateSymbolMode::Exclude); - jsObject->methodTable(*vm)->getPropertyNames(jsObject, exec, array, EnumerationMode()); + jsObject->getPropertyNames(globalObject, array, DontEnumPropertiesMode::Exclude); size_t size = array.size(); propertyNames->array.reserveInitialCapacity(size); @@ -852,9 +845,9 @@ JSStringRef JSPropertyNameArrayGetNameAtIndex(JSPropertyNameArrayRef array, size void JSPropertyNameAccumulatorAddName(JSPropertyNameAccumulatorRef array, JSStringRef propertyName) { PropertyNameArray* propertyNames = toJS(array); - VM* vm = propertyNames->vm(); + VM& vm = propertyNames->vm(); JSLockHolder locker(vm); - propertyNames->add(propertyName->identifier(vm)); + propertyNames->add(propertyName->identifier(&vm)); } JSObjectRef JSObjectGetProxyTarget(JSObjectRef objectRef) @@ -862,7 +855,7 @@ JSObjectRef JSObjectGetProxyTarget(JSObjectRef objectRef) JSObject* object = toJS(objectRef); if (!object) return nullptr; - VM& vm = *object->vm(); + VM& vm = object->vm(); JSLockHolder locker(vm); JSObject* result = nullptr; if (JSProxy* proxy = jsDynamicCast(vm, object)) @@ -877,6 +870,6 @@ JSGlobalContextRef JSObjectGetGlobalContext(JSObjectRef objectRef) JSObject* object = toJS(objectRef); if (!object) return nullptr; - return reinterpret_cast(object->globalObject()->globalExec()); + return reinterpret_cast(object->globalObject()); } 
diff --git a/API/JSObjectRef.h b/API/JSObjectRef.h index b0dbd78..6f1a7ba 100644 --- a/API/JSObjectRef.h +++ b/API/JSObjectRef.h @@ -339,6 +339,8 @@ JSStaticValue StaticValueArray[] = { Standard JavaScript practice calls for storing function objects in prototypes, so they can be shared. The default JSClass created by JSClassCreate follows this idiom, instantiating objects with a shared, automatically generating prototype containing the class's function objects. The kJSClassAttributeNoAutomaticPrototype attribute specifies that a JSClass should not automatically generate such a prototype. The resulting JSClass instantiates objects with the default object prototype, and gives each instance object its own copy of the class's function objects. A NULL callback specifies that the default object callback should substitute, except in the case of hasProperty, where it specifies that getProperty should substitute. + +It is not possible to use JS subclassing with objects created from a class definition that sets callAsConstructor by default. Subclassing is supported via the JSObjectMakeConstructor function, however. */ typedef struct { int version; /* current (and only) version is 0 */ 
@@ -426,7 +428,7 @@ JS_EXPORT JSObjectRef JSObjectMakeFunctionWithCallback(JSContextRef ctx, JSStrin @param jsClass A JSClass that is the class your constructor will assign to the objects its constructs. jsClass will be used to set the constructor's .prototype property, and to evaluate 'instanceof' expressions. Pass NULL to use the default object class. @param callAsConstructor A JSObjectCallAsConstructorCallback to invoke when your constructor is used in a 'new' expression. Pass NULL to use the default object constructor. @result A JSObject that is a constructor. The object's prototype will be the default object prototype. -@discussion The default object constructor takes no arguments and constructs an object of class jsClass with no private data. +@discussion The default object constructor takes no arguments and constructs an object of class jsClass with no private data. If the constructor is inherited via JS subclassing and the value returned from callAsConstructor was created with jsClass, then the returned object will have it's prototype overridden to the derived class's prototype. */ JS_EXPORT JSObjectRef JSObjectMakeConstructor(JSContextRef ctx, JSClassRef jsClass, JSObjectCallAsConstructorCallback callAsConstructor); @@ -461,7 +463,7 @@ JS_EXPORT JSObjectRef JSObjectMakeDate(JSContextRef ctx, size_t argumentCount, c @param argumentCount An integer count of the number of arguments in arguments. @param arguments A JSValue array of arguments to pass to the Error Constructor. Pass NULL if argumentCount is 0. @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception. - @result A JSObject that is a Error. + @result A JSObject that is an Error. */ JS_EXPORT JSObjectRef JSObjectMakeError(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); 
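Review bot: The sentence added to the JSObjectMakeConstructor discussion uses "it's" where the possessive is meant and is hard to parse on first read; `If the constructor is inherited via JS subclassing and the value returned from callAsConstructor was created with jsClass, then the returned object will have its prototype overridden to the derived class's prototype.` keeps the meaning and fixes the typo. This is the only public description of that subclassing behavior, so it is worth getting the wording right.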
diff --git a/API/JSRemoteInspectorServer.cpp b/API/JSRemoteInspectorServer.cpp new file mode 100644 index 0000000..05a1fed --- /dev/null +++ b/API/JSRemoteInspectorServer.cpp @@ -0,0 +1,40 @@ +/* + * Copyright (C) 2020 Sony Interactive Entertainment Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#include "JSRemoteInspectorServer.h" + +#if ENABLE(REMOTE_INSPECTOR) +#include "RemoteInspectorServer.h" + +uint16_t JSRemoteInspectorServerStart(const char* address, uint16_t port) +{ + auto& server = Inspector::RemoteInspectorServer::singleton(); + if (!server.start(address, port)) + return 0; + + return server.getPort().valueOr(0); +} +#endif // ENABLE(REMOTE_INSPECTOR) 
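Review bot: `JSRemoteInspectorServerStart` is defined only inside `#if ENABLE(REMOTE_INSPECTOR)`, while the companion header declares it unconditionally with `JS_EXPORT`, so an embedder built against the header gets an unresolved symbol rather than a clean failure when the feature is compiled out; an `#else` branch with `uint16_t JSRemoteInspectorServerStart(const char*, uint16_t) { return 0; }` keeps the exported surface stable and reuses the existing "0 means not started" result. The `address` argument is forwarded to `server.start` without a null check; whether `start` tolerates a null address is not visible here, so either document the precondition in the header or guard it with `if (!address) return 0;`.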
diff --git a/API/JSRemoteInspectorServer.h b/API/JSRemoteInspectorServer.h new file mode 100644 index 0000000..503f370 --- /dev/null +++ b/API/JSRemoteInspectorServer.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2020 Sony Interactive Entertainment Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef JSRemoteInspectorServer_h +#define JSRemoteInspectorServer_h + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +JS_EXPORT uint16_t JSRemoteInspectorServerStart(const char* address, uint16_t port); + +#ifdef __cplusplus +} +#endif + +#endif /* JSRemoteInspectorServer_h */ diff --git a/API/JSRetainPtr.h b/API/JSRetainPtr.h index fd8412f..076d139 100644 --- a/API/JSRetainPtr.h +++ b/API/JSRetainPtr.h 
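Review bot: The new exported entry point carries no documentation, and for this one the security consequence matters more than the signature: it starts an inspector server that lets whoever connects inspect and drive script execution in the process, and nothing in this API layer restricts who may connect, so binding to anything other than a loopback address exposes that to the network. A doc comment should state what `address` and `port` mean (port 0 presumably requests an ephemeral port, given that the function returns the bound port — confirm against RemoteInspectorServer), that the result is the bound port or 0 on failure, and that callers should bind to loopback unless they put their own access control in front of the server.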
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2005-2018 Apple Inc. All rights reserved. + * Copyright (C) 2005-2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -29,13 +29,16 @@ #pragma once #include +#include #include #include -inline void JSRetain(JSStringRef string) { JSStringRetain(string); } -inline void JSRelease(JSStringRef string) { JSStringRelease(string); } +inline void JSRetain(JSClassRef context) { JSClassRetain(context); } +inline void JSRelease(JSClassRef context) { JSClassRelease(context); } inline void JSRetain(JSGlobalContextRef context) { JSGlobalContextRetain(context); } inline void JSRelease(JSGlobalContextRef context) { JSGlobalContextRelease(context); } +inline void JSRetain(JSStringRef string) { JSStringRetain(string); } +inline void JSRelease(JSStringRef string) { JSStringRelease(string); } enum AdoptTag { Adopt }; @@ -74,6 +77,7 @@ private: T m_ptr { nullptr }; }; +JSRetainPtr adopt(JSClassRef); JSRetainPtr adopt(JSStringRef); JSRetainPtr adopt(JSGlobalContextRef); @@ -82,6 +86,11 @@ template inline JSRetainPtr::JSRetainPtr(AdoptTag, T ptr) { } +inline JSRetainPtr adopt(JSClassRef o) +{ + return JSRetainPtr(Adopt, o); +} + inline JSRetainPtr adopt(JSStringRef o) { return JSRetainPtr(Adopt, o); diff --git a/API/JSScript.h b/API/JSScript.h index 4c2bd10..12ccb05 100644 --- a/API/JSScript.h +++ b/API/JSScript.h @@ -23,11 +23,6 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifdef DARLING_NONUNIFIED_BUILD -#include -#include -#endif - #import #if JSC_OBJC_API_ENABLED diff --git a/API/JSScript.mm b/API/JSScript.mm index 7ced49a..9e41457 100644 --- a/API/JSScript.mm +++ b/API/JSScript.mm 
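Review bot: The two new overloads name their parameter `context` although it is a `JSClassRef`, which reads as a copy-paste from the JSGlobalContextRef pair beneath them; `inline void JSRetain(JSClassRef jsClass) { JSClassRetain(jsClass); }` and `inline void JSRelease(JSClassRef jsClass) { JSClassRelease(jsClass); }` say what the parameter actually is. Nothing functional changes; the overload set simply becomes easier to scan.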
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2019 Apple Inc. All rights reserved. + * Copyright (C) 2019-2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -40,12 +40,10 @@ #import #import #import +#import #import #import #import -#ifdef DARLING_NONUNIFIED_BUILD -#include "runtime/Completion.h" -#endif #if JSC_OBJC_API_ENABLED @@ -73,7 +71,7 @@ static bool validateBytecodeCachePath(NSURL* cachePath, NSError** error) URL cachePathURL([cachePath absoluteURL]); if (!cachePathURL.isLocalFile()) { - createError([NSString stringWithFormat:@"Cache path `%@` is not a local file", static_cast(cachePathURL)], error); + createError([NSString stringWithFormat:@"Cache path `%@` is not a local file", static_cast(cachePathURL)], error); return false; } @@ -129,11 +127,11 @@ static bool validateBytecodeCachePath(NSURL* cachePath, NSError** error) URL filePathURL([filePath absoluteURL]); if (!filePathURL.isLocalFile()) - return createError([NSString stringWithFormat:@"File path %@ is not a local file", static_cast(filePathURL)], error); + return createError([NSString stringWithFormat:@"File path %@ is not a local file", static_cast(filePathURL)], error); bool success = false; String systemPath = filePathURL.fileSystemPath(); - FileSystem::MappedFileData fileData(systemPath, success); + FileSystem::MappedFileData fileData(systemPath, FileSystem::MappedFileMode::Shared, success); if (!success) return createError([NSString stringWithFormat:@"File at path %@ could not be mapped.", static_cast(systemPath)], error); 
@@ -156,30 +154,54 @@ static bool validateBytecodeCachePath(NSURL* cachePath, NSError** error) if (!m_cachePath) return; - int fd = open([m_cachePath path].UTF8String, O_RDONLY | O_EXLOCK | O_NONBLOCK, 0666); - if (fd == -1) + NSString *cachePathString = [m_cachePath path]; + const char* cacheFilename = cachePathString.UTF8String; + + auto fd = FileSystem::openAndLockFile(cacheFilename, FileSystem::FileOpenMode::Read, {FileSystem::FileLockMode::Exclusive, FileSystem::FileLockMode::Nonblocking}); + if (!FileSystem::isHandleValid(fd)) return; auto closeFD = makeScopeExit([&] { - close(fd); + FileSystem::unlockAndCloseFile(fd); }); - struct stat sb; - int res = fstat(fd, &sb); - size_t size = static_cast(sb.st_size); - if (res || !size) + bool success; + FileSystem::MappedFileData mappedFile(fd, FileSystem::MappedFileMode::Private, success); + if (!success) return; - void* buffer = mmap(nullptr, size, PROT_READ, MAP_PRIVATE, fd, 0); + const uint8_t* fileData = reinterpret_cast(mappedFile.data()); + unsigned fileTotalSize = mappedFile.size(); - Ref cachedBytecode = JSC::CachedBytecode::create(buffer, size); + // Ensure we at least have a SHA1::Digest to read. + if (fileTotalSize < sizeof(SHA1::Digest)) { + FileSystem::deleteFile(cacheFilename); + return; + } - JSC::VM& vm = [m_virtualMachine vm]; + unsigned fileDataSize = fileTotalSize - sizeof(SHA1::Digest); + + SHA1::Digest computedHash; + SHA1 sha1; + sha1.addBytes(fileData, fileDataSize); + sha1.computeHash(computedHash); + + SHA1::Digest fileHash; + memcpy(&fileHash, fileData + fileDataSize, sizeof(SHA1::Digest)); + + if (computedHash != fileHash) { + FileSystem::deleteFile(cacheFilename); + return; + } + + Ref cachedBytecode = JSC::CachedBytecode::create(WTFMove(mappedFile)); + + JSC::VM& vm = *toJS([m_virtualMachine JSContextGroupRef]); JSC::SourceCode sourceCode = [self sourceCode]; JSC::SourceCodeKey key = m_type == kJSScriptTypeProgram ? 
sourceCodeKeyForSerializedProgram(vm, sourceCode) : sourceCodeKeyForSerializedModule(vm, sourceCode); if (isCachedBytecodeStillValid(vm, cachedBytecode.copyRef(), key, m_type == kJSScriptTypeProgram ? JSC::SourceCodeType::ProgramType : JSC::SourceCodeType::ModuleType)) m_cachedBytecode = WTFMove(cachedBytecode); else - ftruncate(fd, 0); + FileSystem::truncateFile(fd, 0); } - (BOOL)cacheBytecodeWithError:(NSError **)error @@ -241,20 +263,22 @@ static bool validateBytecodeCachePath(NSURL* cachePath, NSError** error) - (JSC::SourceCode)sourceCode { - JSC::VM& vm = [m_virtualMachine vm]; + JSC::VM& vm = *toJS([m_virtualMachine JSContextGroupRef]); JSC::JSLockHolder locker(vm); TextPosition startPosition { }; - String url = String { [[self sourceURL] absoluteString] }; + String filename = String { [[self sourceURL] absoluteString] }; + URL url = URL({ }, filename); auto type = m_type == kJSScriptTypeModule ? JSC::SourceProviderSourceType::Module : JSC::SourceProviderSourceType::Program; - Ref sourceProvider = JSScriptSourceProvider::create(self, JSC::SourceOrigin(url), URL({ }, url), startPosition, type); + JSC::SourceOrigin origin(url); + Ref sourceProvider = JSScriptSourceProvider::create(self, origin, WTFMove(filename), startPosition, type); JSC::SourceCode sourceCode(WTFMove(sourceProvider), startPosition.m_line.oneBasedInt(), startPosition.m_column.oneBasedInt()); return sourceCode; } - (JSC::JSSourceCode*)jsSourceCode { - JSC::VM& vm = [m_virtualMachine vm]; + JSC::VM& vm = *toJS([m_virtualMachine JSContextGroupRef]); JSC::JSLockHolder locker(vm); JSC::JSSourceCode* jsSourceCode = JSC::JSSourceCode::create(vm, [self sourceCode]); return jsSourceCode; 
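Review bot: The trailing SHA1 added in this hunk is a corruption check, not an authenticity check, and the code should say so: anyone able to write the cache file can recompute and rewrite the digest, so a matching hash still leaves the bytecode as untrusted input and the `isCachedBytecodeStillValid` check that follows remains the real gate. I would put that above the comparison: `// The digest only catches truncated or partially written caches; a writer with access to this file can forge it, so the payload still has to pass isCachedBytecodeStillValid.` Separately, `unsigned fileTotalSize = mappedFile.size();` narrows the mapping size; `size_t fileTotalSize = mappedFile.size();` avoids a silent wrap on very large files (whether CachedBytecode accepts such sizes is not visible here). The enclosing method's signature lies before the start of the hunk.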
@@ -272,33 +296,60 @@ static bool validateBytecodeCachePath(NSURL* cachePath, NSError** error) return NO; } - int fd = open([m_cachePath path].UTF8String, O_CREAT | O_RDWR | O_EXLOCK | O_NONBLOCK, 0666); + // We want to do the write as a transaction (i.e. we guarantee that it's all + // or nothing). So, we'll write to a temp file first, and rename the temp + // file to the cache file only after we've finished writing the whole thing. + + NSString *cachePathString = [m_cachePath path]; + const char* cacheFileName = cachePathString.UTF8String; + const char* tempFileName = [cachePathString stringByAppendingString:@".tmp"].UTF8String; + int fd = open(cacheFileName, O_CREAT | O_WRONLY | O_EXLOCK | O_NONBLOCK, 0600); if (fd == -1) { error = makeString("Could not open or lock the bytecode cache file. It's likely another VM or process is already using it. Error: ", strerror(errno)); return NO; } + auto closeFD = makeScopeExit([&] { close(fd); }); + int tempFD = open(tempFileName, O_CREAT | O_RDWR | O_EXLOCK | O_NONBLOCK, 0600); + if (tempFD == -1) { + error = makeString("Could not open or lock the bytecode cache temp file. 
Error: ", strerror(errno)); + return NO; + } + + auto closeTempFD = makeScopeExit([&] { + close(tempFD); + }); + JSC::BytecodeCacheError cacheError; JSC::SourceCode sourceCode = [self sourceCode]; + JSC::VM& vm = *toJS([m_virtualMachine JSContextGroupRef]); switch (m_type) { case kJSScriptTypeModule: - m_cachedBytecode = JSC::generateModuleBytecode([m_virtualMachine vm], sourceCode, fd, cacheError); + m_cachedBytecode = JSC::generateModuleBytecode(vm, sourceCode, tempFD, cacheError); break; case kJSScriptTypeProgram: - m_cachedBytecode = JSC::generateProgramBytecode([m_virtualMachine vm], sourceCode, fd, cacheError); + m_cachedBytecode = JSC::generateProgramBytecode(vm, sourceCode, tempFD, cacheError); break; } if (cacheError.isValid()) { m_cachedBytecode = JSC::CachedBytecode::create(); - ftruncate(fd, 0); + FileSystem::truncateFile(fd, 0); error = makeString("Unable to generate bytecode for this JSScript because: ", cacheError.message()); return NO; } + SHA1::Digest computedHash; + SHA1 sha1; + sha1.addBytes(m_cachedBytecode->data(), m_cachedBytecode->size()); + sha1.computeHash(computedHash); + FileSystem::writeToFile(tempFD, reinterpret_cast(&computedHash), sizeof(computedHash)); + + fsync(tempFD); + rename(tempFileName, cacheFileName); return YES; } diff --git a/API/JSScriptInternal.h b/API/JSScriptInternal.h index 4a9427d..951438d 100644 --- a/API/JSScriptInternal.h +++ b/API/JSScriptInternal.h @@ -23,14 +23,12 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#pragma once +#if JSC_OBJC_API_ENABLED #import "JSScript.h" #import "SourceCode.h" #import -#if JSC_OBJC_API_ENABLED - NS_ASSUME_NONNULL_BEGIN namespace JSC { diff --git a/API/JSScriptRef.cpp b/API/JSScriptRef.cpp index 253caa8..762cec0 100644 --- a/API/JSScriptRef.cpp +++ b/API/JSScriptRef.cpp 
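Review bot: The temp file at the predictable `<cache>.tmp` path is opened with `O_CREAT | O_RDWR` but neither `O_TRUNC` nor `O_NOFOLLOW`, so a stale temp file left by a crashed earlier run is reused with whatever tail it already had, and a symlink planted at that path would be followed and its target overwritten with bytecode; if validateBytecodeCachePath (outside this hunk) already restricts the directory the second risk is smaller, but the open flags should not depend on it. The `cacheError.isValid()` path truncates the cache file yet leaves the temp file on disk, and the results of `fsync` and `rename` are discarded, so the method can return YES without the cache having been committed. The rewrite below adds the flags, removes the temp file on every failure path, and reports a failed commit as an error instead of success.

```objc
    // Create the temp file fresh: never reuse stale bytes from an earlier crashed run,
    // and refuse to write through a symlink planted at the predictable ".tmp" path.
    int tempFD = open(tempFileName, O_CREAT | O_RDWR | O_TRUNC | O_NOFOLLOW | O_EXLOCK | O_NONBLOCK, 0600);
    if (tempFD == -1) {
        error = makeString("Could not open or lock the bytecode cache temp file. Error: ", strerror(errno));
        return NO;
    }
    auto closeTempFD = makeScopeExit([&] {
        close(tempFD);
    });
    // … unchanged: bytecode generation into tempFD …
    if (cacheError.isValid()) {
        m_cachedBytecode = JSC::CachedBytecode::create();
        FileSystem::truncateFile(fd, 0);
        unlink(tempFileName);
        error = makeString("Unable to generate bytecode for this JSScript because: ", cacheError.message());
        return NO;
    }
    // … unchanged: SHA1 trailer appended to tempFD …
    if (fsync(tempFD) == -1 || rename(tempFileName, cacheFileName) == -1) {
        error = makeString("Could not commit the bytecode cache file. Error: ", strerror(errno));
        unlink(tempFileName);
        return NO;
    }
    return YES;
```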
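Review bot: Dropping `#pragma once` leaves JSScriptInternal.h without any include guard; the `#if JSC_OBJC_API_ENABLED` wrapper that took its place only gates the content on the API being enabled and does not stop the header from being included twice in one translation unit. If the intent was to keep the pragma inside the conditional, the two lines `#if JSC_OBJC_API_ENABLED` followed by `#pragma once` do that; if the header is known to be included exactly once (not visible here), a one-line comment saying so would save the next reader the question.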
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Apple Inc. All rights reserved. + * Copyright (C) 2012-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -28,30 +28,28 @@ #include "APICast.h" #include "Completion.h" #include "Exception.h" -#include "JSBasePrivate.h" -#include "VM.h" +#include "JSGlobalObjectInlines.h" #include "JSScriptRefPrivate.h" #include "OpaqueJSString.h" -#include "JSCInlines.h" #include "Parser.h" #include "SourceCode.h" #include "SourceProvider.h" using namespace JSC; -struct OpaqueJSScript : public SourceProvider { +struct OpaqueJSScript final : public SourceProvider { public: - static WTF::Ref create(VM& vm, const SourceOrigin& sourceOrigin, URL&& url, int startingLineNumber, const String& source) + static WTF::Ref create(VM& vm, const SourceOrigin& sourceOrigin, String filename, int startingLineNumber, const String& source) { - return WTF::adoptRef(*new OpaqueJSScript(vm, sourceOrigin, WTFMove(url), startingLineNumber, source)); + return WTF::adoptRef(*new OpaqueJSScript(vm, sourceOrigin, WTFMove(filename), startingLineNumber, source)); } - unsigned hash() const override + unsigned hash() const final { return m_source.get().hash(); } - StringView source() const override + StringView source() const final { return m_source.get(); } 
@@ -59,14 +57,14 @@ public: VM& vm() const { return m_vm; } private: - OpaqueJSScript(VM& vm, const SourceOrigin& sourceOrigin, URL&& url, int startingLineNumber, const String& source) - : SourceProvider(sourceOrigin, WTFMove(url), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()), SourceProviderSourceType::Program) + OpaqueJSScript(VM& vm, const SourceOrigin& sourceOrigin, String&& filename, int startingLineNumber, const String& source) + : SourceProvider(sourceOrigin, WTFMove(filename), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()), SourceProviderSourceType::Program) , m_vm(vm) , m_source(source.isNull() ? *StringImpl::empty() : *source.impl()) { } - virtual ~OpaqueJSScript() { } + ~OpaqueJSScript() final { } VM& m_vm; Ref m_source; 
@@ -75,26 +73,26 @@ private: static bool parseScript(VM& vm, const SourceCode& source, ParserError& error) { return !!JSC::parse( - &vm, source, Identifier(), JSParserBuiltinMode::NotBuiltin, + vm, source, Identifier(), JSParserBuiltinMode::NotBuiltin, JSParserStrictMode::NotStrict, JSParserScriptMode::Classic, SourceParseMode::ProgramMode, SuperBinding::NotNeeded, error); } extern "C" { -JSScriptRef JSScriptCreateReferencingImmortalASCIIText(JSContextGroupRef contextGroup, JSStringRef url, int startingLineNumber, const char* source, size_t length, JSStringRef* errorMessage, int* errorLine) +JSScriptRef JSScriptCreateReferencingImmortalASCIIText(JSContextGroupRef contextGroup, JSStringRef urlString, int startingLineNumber, const char* source, size_t length, JSStringRef* errorMessage, int* errorLine) { auto& vm = *toJS(contextGroup); JSLockHolder locker(&vm); for (size_t i = 0; i < length; i++) { if (!isASCII(source[i])) - return 0; + return nullptr; } startingLineNumber = std::max(1, startingLineNumber); - auto sourceURLString = url ? url->string() : String(); - auto result = OpaqueJSScript::create(vm, SourceOrigin { sourceURLString }, URL({ }, sourceURLString), startingLineNumber, String(StringImpl::createFromLiteral(source, length))); + auto sourceURL = urlString ? URL({ }, urlString->string()) : URL(); + auto result = OpaqueJSScript::create(vm, SourceOrigin { sourceURL }, sourceURL.string(), startingLineNumber, String(StringImpl::createFromLiteral(source, length))); ParserError error; if (!parseScript(vm, SourceCode(result.copyRef()), error)) { 
@@ -108,15 +106,15 @@ JSScriptRef JSScriptCreateReferencingImmortalASCIIText(JSContextGroupRef context return &result.leakRef(); } -JSScriptRef JSScriptCreateFromString(JSContextGroupRef contextGroup, JSStringRef url, int startingLineNumber, JSStringRef source, JSStringRef* errorMessage, int* errorLine) +JSScriptRef JSScriptCreateFromString(JSContextGroupRef contextGroup, JSStringRef urlString, int startingLineNumber, JSStringRef source, JSStringRef* errorMessage, int* errorLine) { auto& vm = *toJS(contextGroup); JSLockHolder locker(&vm); startingLineNumber = std::max(1, startingLineNumber); - auto sourceURLString = url ? url->string() : String(); - auto result = OpaqueJSScript::create(vm, SourceOrigin { sourceURLString }, URL({ }, sourceURLString), startingLineNumber, source->string()); + auto sourceURL = urlString ? URL({ }, urlString->string()) : URL(); + auto result = OpaqueJSScript::create(vm, SourceOrigin { sourceURL }, sourceURL.string(), startingLineNumber, source->string()); ParserError error; if (!parseScript(vm, SourceCode(result.copyRef()), error)) { 
@@ -144,23 +142,23 @@ void JSScriptRelease(JSScriptRef script) JSValueRef JSScriptEvaluate(JSContextRef context, JSScriptRef script, JSValueRef thisValueRef, JSValueRef* exception) { - ExecState* exec = toJS(context); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(context); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); if (&script->vm() != &vm) { RELEASE_ASSERT_NOT_REACHED(); - return 0; + return nullptr; } NakedPtr internalException; - JSValue thisValue = thisValueRef ? toJS(exec, thisValueRef) : jsUndefined(); - JSValue result = evaluate(exec, SourceCode(*script), thisValue, internalException); + JSValue thisValue = thisValueRef ? toJS(globalObject, thisValueRef) : jsUndefined(); + JSValue result = evaluate(globalObject, SourceCode(*script), thisValue, internalException); if (internalException) { if (exception) - *exception = toRef(exec, internalException->value()); - return 0; + *exception = toRef(globalObject, internalException->value()); + return nullptr; } ASSERT(result); - return toRef(exec, result); + return toRef(globalObject, result); } } diff --git a/API/JSScriptSourceProvider.h b/API/JSScriptSourceProvider.h index 23b2986..677b7a0 100644 --- a/API/JSScriptSourceProvider.h +++ b/API/JSScriptSourceProvider.h @@ -23,18 +23,13 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifdef DARLING_NONUNIFIED_BUILD -#include -#include -#endif - #if JSC_OBJC_API_ENABLED #import "SourceProvider.h" @class JSScript; -class JSScriptSourceProvider : public JSC::SourceProvider { +class JSScriptSourceProvider final : public JSC::SourceProvider { public: template static Ref create(JSScript *script, Args&&... args) 
@@ -42,9 +37,9 @@ public: return adoptRef(*new JSScriptSourceProvider(script, std::forward(args)...)); } - unsigned hash() const override; - StringView source() const override; - RefPtr cachedBytecode() const override; + unsigned hash() const final; + StringView source() const final; + RefPtr cachedBytecode() const final; private: template diff --git a/API/JSStringRef.cpp b/API/JSStringRef.cpp index f5cb875..4d64004 100644 --- a/API/JSStringRef.cpp +++ b/API/JSStringRef.cpp @@ -36,13 +36,13 @@ using namespace WTF::Unicode; JSStringRef JSStringCreateWithCharacters(const JSChar* chars, size_t numChars) { - initializeThreading(); + JSC::initialize(); return &OpaqueJSString::create(reinterpret_cast(chars), numChars).leakRef(); } JSStringRef JSStringCreateWithUTF8CString(const char* string) { - initializeThreading(); + JSC::initialize(); if (string) { size_t length = strlen(string); Vector buffer(length); @@ -61,7 +61,7 @@ JSStringRef JSStringCreateWithUTF8CString(const char* string) JSStringRef JSStringCreateWithCharactersNoCopy(const JSChar* chars, size_t numChars) { - initializeThreading(); + JSC::initialize(); return OpaqueJSString::tryCreate(StringImpl::createWithoutCopying(reinterpret_cast(chars), numChars)).leakRef(); } diff --git a/API/JSStringRefCF.cpp b/API/JSStringRefCF.cpp index 1367715..55effd0 100644 --- a/API/JSStringRefCF.cpp +++ b/API/JSStringRefCF.cpp @@ -35,7 +35,7 @@ JSStringRef JSStringCreateWithCFString(CFStringRef string) { - JSC::initializeThreading(); + JSC::initialize(); // We cannot use CFIndex here since CFStringGetLength can return values larger than // it can hold. () diff --git a/API/JSStringRefCF.h b/API/JSStringRefCF.h index 1e210c7..f00c7c2 100644 --- a/API/JSStringRefCF.h +++ b/API/JSStringRefCF.h @@ -26,8 +26,8 @@ #ifndef JSStringRefCF_h #define JSStringRefCF_h -#include "JSBase.h" #include +#include #ifdef __cplusplus extern "C" { diff --git a/API/JSTypedArray.cpp b/API/JSTypedArray.cpp index 993bf2c..689fe9e 100644 
--- a/API/JSTypedArray.cpp +++ b/API/JSTypedArray.cpp @@ -30,10 +30,7 @@ #include "APICast.h" #include "APIUtils.h" #include "ClassInfo.h" -#include "Error.h" -#include "JSArrayBufferViewInlines.h" #include "JSCInlines.h" -#include "JSDataView.h" #include "JSGenericTypedArrayViewInlines.h" #include "JSTypedArrays.h" #include "TypedArrayController.h" 
@@ -99,34 +96,33 @@ inline TypedArrayType toTypedArrayType(JSTypedArrayType type) RELEASE_ASSERT_NOT_REACHED(); } -static JSObject* createTypedArray(ExecState* exec, JSTypedArrayType type, RefPtr&& buffer, size_t offset, size_t length) +static JSObject* createTypedArray(JSGlobalObject* globalObject, JSTypedArrayType type, RefPtr&& buffer, size_t offset, size_t length) { - VM& vm = exec->vm(); + VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); - JSGlobalObject* globalObject = exec->lexicalGlobalObject(); if (!buffer) { - throwOutOfMemoryError(exec, scope); + throwOutOfMemoryError(globalObject, scope); return nullptr; } switch (type) { case kJSTypedArrayTypeInt8Array: - return JSInt8Array::create(exec, globalObject->typedArrayStructure(TypeInt8), WTFMove(buffer), offset, length); + return JSInt8Array::create(globalObject, globalObject->typedArrayStructure(TypeInt8), WTFMove(buffer), offset, length); case kJSTypedArrayTypeInt16Array: - return JSInt16Array::create(exec, globalObject->typedArrayStructure(TypeInt16), WTFMove(buffer), offset, length); + return JSInt16Array::create(globalObject, globalObject->typedArrayStructure(TypeInt16), WTFMove(buffer), offset, length); case kJSTypedArrayTypeInt32Array: - return JSInt32Array::create(exec, globalObject->typedArrayStructure(TypeInt32), WTFMove(buffer), offset, length); + return JSInt32Array::create(globalObject, globalObject->typedArrayStructure(TypeInt32), WTFMove(buffer), offset, length); case kJSTypedArrayTypeUint8Array: - return JSUint8Array::create(exec, globalObject->typedArrayStructure(TypeUint8), WTFMove(buffer), offset, length); + return JSUint8Array::create(globalObject, globalObject->typedArrayStructure(TypeUint8), WTFMove(buffer), offset, length); case kJSTypedArrayTypeUint8ClampedArray: - return JSUint8ClampedArray::create(exec, globalObject->typedArrayStructure(TypeUint8Clamped), WTFMove(buffer), offset, length); + return JSUint8ClampedArray::create(globalObject, 
globalObject->typedArrayStructure(TypeUint8Clamped), WTFMove(buffer), offset, length); case kJSTypedArrayTypeUint16Array: - return JSUint16Array::create(exec, globalObject->typedArrayStructure(TypeUint16), WTFMove(buffer), offset, length); + return JSUint16Array::create(globalObject, globalObject->typedArrayStructure(TypeUint16), WTFMove(buffer), offset, length); case kJSTypedArrayTypeUint32Array: - return JSUint32Array::create(exec, globalObject->typedArrayStructure(TypeUint32), WTFMove(buffer), offset, length); + return JSUint32Array::create(globalObject, globalObject->typedArrayStructure(TypeUint32), WTFMove(buffer), offset, length); case kJSTypedArrayTypeFloat32Array: - return JSFloat32Array::create(exec, globalObject->typedArrayStructure(TypeFloat32), WTFMove(buffer), offset, length); + return JSFloat32Array::create(globalObject, globalObject->typedArrayStructure(TypeFloat32), WTFMove(buffer), offset, length); case kJSTypedArrayTypeFloat64Array: - return JSFloat64Array::create(exec, globalObject->typedArrayStructure(TypeFloat64), WTFMove(buffer), offset, length); + return JSFloat64Array::create(globalObject, globalObject->typedArrayStructure(TypeFloat64), WTFMove(buffer), offset, length); case kJSTypedArrayTypeArrayBuffer: case kJSTypedArrayTypeNone: RELEASE_ASSERT_NOT_REACHED(); @@ -139,11 +135,11 @@ static JSObject* createTypedArray(ExecState* exec, JSTypedArrayType type, RefPtr JSTypedArrayType JSValueGetTypedArrayType(JSContextRef ctx, JSValueRef valueRef, JSValueRef*) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - JSValue value = toJS(exec, valueRef); + JSValue value = toJS(globalObject, valueRef); if (!value.isObject()) return kJSTypedArrayTypeNone; JSObject* object = value.getObject(); 
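Review bot: createTypedArray accepts `size_t offset` and `size_t length` and forwards them unchanged to every `JS*Array::create` call in the switch; if those overloads take 32-bit offset/length (they historically did, but the template arguments are stripped from this listing so I cannot confirm), a value above UINT32_MAX supplied through JSObjectMakeTypedArrayWithArrayBufferAndOffset, which passes its public `size_t offset, size_t length` straight through, is truncated before any sub-range check runs and can silently produce a view at the wrong offset instead of an error. A guard such as `if (offset > UINT32_MAX || length > UINT32_MAX)` that throws a RangeError through the existing `scope` before the switch would close that, or a comment stating that the create overloads take size_t and validate the range themselves. The function's tail after the switch lies outside the hunk.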
@@ -156,8 +152,8 @@ JSTypedArrayType JSValueGetTypedArrayType(JSContextRef ctx, JSValueRef valueRef, JSObjectRef JSObjectMakeTypedArray(JSContextRef ctx, JSTypedArrayType arrayType, size_t length, JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); @@ -167,16 +163,16 @@ JSObjectRef JSObjectMakeTypedArray(JSContextRef ctx, JSTypedArrayType arrayType, unsigned elementByteSize = elementSize(toTypedArrayType(arrayType)); auto buffer = ArrayBuffer::tryCreate(length, elementByteSize); - JSObject* result = createTypedArray(exec, arrayType, WTFMove(buffer), 0, length); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + JSObject* result = createTypedArray(globalObject, arrayType, WTFMove(buffer), 0, length); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return nullptr; return toRef(result); } JSObjectRef JSObjectMakeTypedArrayWithBytesNoCopy(JSContextRef ctx, JSTypedArrayType arrayType, void* bytes, size_t length, JSTypedArrayBytesDeallocator destructor, void* destructorContext, JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); 
@@ -185,20 +181,20 @@ JSObjectRef JSObjectMakeTypedArrayWithBytesNoCopy(JSContextRef ctx, JSTypedArray unsigned elementByteSize = elementSize(toTypedArrayType(arrayType)); - auto buffer = ArrayBuffer::createFromBytes(bytes, length, [=](void* p) { + auto buffer = ArrayBuffer::createFromBytes(bytes, length, createSharedTask([=](void* p) { if (destructor) destructor(p, destructorContext); - }); - JSObject* result = createTypedArray(exec, arrayType, WTFMove(buffer), 0, length / elementByteSize); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + })); + JSObject* result = createTypedArray(globalObject, arrayType, WTFMove(buffer), 0, length / elementByteSize); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return nullptr; return toRef(result); } JSObjectRef JSObjectMakeTypedArrayWithArrayBuffer(JSContextRef ctx, JSTypedArrayType arrayType, JSObjectRef jsBufferRef, JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); 
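Review bot: In JSObjectMakeTypedArrayWithBytesNoCopy the view length is computed as `length / elementByteSize`, so a caller-supplied byte length that is not a multiple of the element size silently drops the trailing bytes while the buffer created by `createFromBytes` still spans all of them; nothing reports the mismatch through `exception`. A check before the buffer is created would make the API fail loudly; it must still hand the bytes back through `destructor`, since that callback is presumably the caller's only release path on failure. The function's opening (lock and catch scope) is in the previous hunk, and the TypeError is the closest visible error kind, though a RangeError would fit equally well.

```cpp
    unsigned elementByteSize = elementSize(toTypedArrayType(arrayType));
    if (length % elementByteSize) {
        // Release the caller's bytes before failing: the deallocator is its only release path.
        if (destructor)
            destructor(bytes, destructorContext);
        setException(ctx, exception, createTypeError(globalObject, "JSObjectMakeTypedArrayWithBytesNoCopy expects byteLength to be a multiple of the element size"));
        return nullptr;
    }
    // … unchanged: createFromBytes, createTypedArray, handleExceptionIfNeeded …
```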
@@ -207,23 +203,23 @@ JSObjectRef JSObjectMakeTypedArrayWithArrayBuffer(JSContextRef ctx, JSTypedArray JSArrayBuffer* jsBuffer = jsDynamicCast(vm, toJS(jsBufferRef)); if (!jsBuffer) { - setException(exec, exception, createTypeError(exec, "JSObjectMakeTypedArrayWithArrayBuffer expects buffer to be an Array Buffer object")); + setException(ctx, exception, createTypeError(globalObject, "JSObjectMakeTypedArrayWithArrayBuffer expects buffer to be an Array Buffer object")); return nullptr; } RefPtr buffer = jsBuffer->impl(); unsigned elementByteSize = elementSize(toTypedArrayType(arrayType)); - JSObject* result = createTypedArray(exec, arrayType, WTFMove(buffer), 0, buffer->byteLength() / elementByteSize); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + JSObject* result = createTypedArray(globalObject, arrayType, WTFMove(buffer), 0, buffer->byteLength() / elementByteSize); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return nullptr; return toRef(result); } JSObjectRef JSObjectMakeTypedArrayWithArrayBufferAndOffset(JSContextRef ctx, JSTypedArrayType arrayType, JSObjectRef jsBufferRef, size_t offset, size_t length, JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); 
@@ -232,35 +228,38 @@ JSObjectRef JSObjectMakeTypedArrayWithArrayBufferAndOffset(JSContextRef ctx, JST JSArrayBuffer* jsBuffer = jsDynamicCast(vm, toJS(jsBufferRef)); if (!jsBuffer) { - setException(exec, exception, createTypeError(exec, "JSObjectMakeTypedArrayWithArrayBuffer expects buffer to be an Array Buffer object")); + setException(ctx, exception, createTypeError(globalObject, "JSObjectMakeTypedArrayWithArrayBuffer expects buffer to be an Array Buffer object")); return nullptr; } - JSObject* result = createTypedArray(exec, arrayType, jsBuffer->impl(), offset, length); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + JSObject* result = createTypedArray(globalObject, arrayType, jsBuffer->impl(), offset, length); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return nullptr; return toRef(result); } -void* JSObjectGetTypedArrayBytesPtr(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*) +void* JSObjectGetTypedArrayBytesPtr(JSContextRef ctx, JSObjectRef objectRef, JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); JSObject* object = toJS(objectRef); if (JSArrayBufferView* typedArray = jsDynamicCast(vm, object)) { - ArrayBuffer* buffer = typedArray->possiblySharedBuffer(); - buffer->pinAndLock(); - return buffer->data(); + if (ArrayBuffer* buffer = typedArray->possiblySharedBuffer()) { + buffer->pinAndLock(); + return buffer->data(); + } + + setException(ctx, exception, createOutOfMemoryError(globalObject)); } return nullptr; } size_t JSObjectGetTypedArrayLength(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSObject* object = toJS(objectRef); if (JSArrayBufferView* typedArray = jsDynamicCast(vm, object)) 
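Review bot: The rewritten setException line in JSObjectMakeTypedArrayWithArrayBufferAndOffset still reports the wrong entry point: its message says "JSObjectMakeTypedArrayWithArrayBuffer expects buffer to be an Array Buffer object", copied from the sibling function in the previous hunk, which will misdirect anyone debugging a TypeError from this call. Since the line is being touched anyway, it should read `setException(ctx, exception, createTypeError(globalObject, "JSObjectMakeTypedArrayWithArrayBufferAndOffset expects buffer to be an Array Buffer object"));`. The function's signature sits at the end of the previous hunk.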
@@ -271,8 +270,8 @@ size_t JSObjectGetTypedArrayLength(JSContextRef ctx, JSObjectRef objectRef, JSVa size_t JSObjectGetTypedArrayByteLength(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSObject* object = toJS(objectRef); if (JSArrayBufferView* typedArray = jsDynamicCast(vm, object)) @@ -283,8 +282,8 @@ size_t JSObjectGetTypedArrayByteLength(JSContextRef ctx, JSObjectRef objectRef, size_t JSObjectGetTypedArrayByteOffset(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSObject* object = toJS(objectRef); if (JSArrayBufferView* typedArray = jsDynamicCast(vm, object)) 
@@ -293,33 +292,38 @@ size_t JSObjectGetTypedArrayByteOffset(JSContextRef ctx, JSObjectRef objectRef, return 0; } -JSObjectRef JSObjectGetTypedArrayBuffer(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*) +JSObjectRef JSObjectGetTypedArrayBuffer(JSContextRef ctx, JSObjectRef objectRef, JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); JSObject* object = toJS(objectRef); - if (JSArrayBufferView* typedArray = jsDynamicCast(vm, object)) - return toRef(vm.m_typedArrayController->toJS(exec, typedArray->globalObject(vm), typedArray->possiblySharedBuffer())); + + if (JSArrayBufferView* typedArray = jsDynamicCast(vm, object)) { + if (ArrayBuffer* buffer = typedArray->possiblySharedBuffer()) + return toRef(vm.m_typedArrayController->toJS(globalObject, typedArray->globalObject(vm), buffer)); + + setException(ctx, exception, createOutOfMemoryError(globalObject)); + } return nullptr; } JSObjectRef JSObjectMakeArrayBufferWithBytesNoCopy(JSContextRef ctx, void* bytes, size_t byteLength, JSTypedArrayBytesDeallocator bytesDeallocator, void* deallocatorContext, JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - auto buffer = ArrayBuffer::createFromBytes(bytes, byteLength, [=](void* p) { + auto buffer = ArrayBuffer::createFromBytes(bytes, byteLength, createSharedTask([=](void* p) { if (bytesDeallocator) bytesDeallocator(p, deallocatorContext); - }); + })); - JSArrayBuffer* jsBuffer = JSArrayBuffer::create(vm, exec->lexicalGlobalObject()->arrayBufferStructure(ArrayBufferSharingMode::Default), WTFMove(buffer)); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + JSArrayBuffer* jsBuffer = JSArrayBuffer::create(vm, 
globalObject->arrayBufferStructure(ArrayBufferSharingMode::Default), WTFMove(buffer)); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) return nullptr; return toRef(jsBuffer); @@ -327,15 +331,15 @@ JSObjectRef JSObjectMakeArrayBufferWithBytesNoCopy(JSContextRef ctx, void* bytes void* JSObjectGetArrayBufferBytesPtr(JSContextRef ctx, JSObjectRef objectRef, JSValueRef* exception) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); JSObject* object = toJS(objectRef); if (JSArrayBuffer* jsBuffer = jsDynamicCast(vm, object)) { ArrayBuffer* buffer = jsBuffer->impl(); if (buffer->isWasmMemory()) { - setException(exec, exception, createTypeError(exec, "Cannot get the backing buffer for a WebAssembly.Memory"_s)); + setException(ctx, exception, createTypeError(globalObject, "Cannot get the backing buffer for a WebAssembly.Memory"_s)); return nullptr; } @@ -347,8 +351,8 @@ void* JSObjectGetArrayBufferBytesPtr(JSContextRef ctx, JSObjectRef objectRef, JS size_t JSObjectGetArrayBufferByteLength(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*) { - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSObject* object = toJS(objectRef); if (JSArrayBuffer* jsBuffer = jsDynamicCast(vm, object)) diff --git a/API/JSValue.h b/API/JSValue.h index c3e0017..1b5845e 100644 --- a/API/JSValue.h +++ b/API/JSValue.h @@ -26,11 +26,6 @@ #ifndef JSValue_h #define JSValue_h -#ifdef DARLING_NONUNIFIED_BUILD -#include -#include -#endif - #if JSC_OBJC_API_ENABLED #import diff --git a/API/JSValue.mm b/API/JSValue.mm index 12b8ea4..1844b06 100644 --- a/API/JSValue.mm +++ b/API/JSValue.mm @@ -23,7 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "config.h" +#import "config.h" #import "APICast.h" #import "DateInstance.h" 
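Review bot: JSObjectGetArrayBufferBytesPtr keeps its `buffer->isWasmMemory()` refusal, but the rewritten JSObjectGetTypedArrayBytesPtr earlier in this file pins whatever `possiblySharedBuffer()` returns and hands out `buffer->data()` with no equivalent check. If a typed-array view can be created over a WebAssembly.Memory buffer (I cannot tell from these hunks), the view path exposes exactly the pointer this guard exists to withhold, and the two entry points should agree, e.g. by adding `if (buffer->isWasmMemory()) { setException(ctx, exception, createTypeError(globalObject, "Cannot get the backing buffer for a WebAssembly.Memory"_s)); return nullptr; }` before `pinAndLock()`. If views over wasm memory are impossible, a one-line comment at the typed-array site saying so would stop the next reviewer asking. The function body continues outside the hunk.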
@@ -36,11 +36,8 @@ #import "JSValueInternal.h" #import "JSValuePrivate.h" #import "JSWrapperMap.h" -#ifdef DARLING -#import "ObjCRuntimeExtras.h" -#else +#import "MarkedJSValueRefArray.h" #import "ObjcRuntimeExtras.h" -#endif #import "JSCInlines.h" #import "JSCJSValue.h" #import "Strong.h" @@ -49,7 +46,6 @@ #import #import #import -#import #import #import #import @@ -402,37 +398,65 @@ inline Expected performPropertyOperation(NSStringFunction st - (BOOL)isUndefined { +#if !CPU(ADDRESS64) return JSValueIsUndefined([_context JSGlobalContextRef], m_value); +#else + return toJS(m_value).isUndefined(); +#endif } - (BOOL)isNull { +#if !CPU(ADDRESS64) return JSValueIsNull([_context JSGlobalContextRef], m_value); +#else + return toJS(m_value).isNull(); +#endif } - (BOOL)isBoolean { +#if !CPU(ADDRESS64) return JSValueIsBoolean([_context JSGlobalContextRef], m_value); +#else + return toJS(m_value).isBoolean(); +#endif } - (BOOL)isNumber { +#if !CPU(ADDRESS64) return JSValueIsNumber([_context JSGlobalContextRef], m_value); +#else + return toJS(m_value).isNumber(); +#endif } - (BOOL)isString { +#if !CPU(ADDRESS64) return JSValueIsString([_context JSGlobalContextRef], m_value); +#else + return toJS(m_value).isString(); +#endif } - (BOOL)isObject { +#if !CPU(ADDRESS64) return JSValueIsObject([_context JSGlobalContextRef], m_value); +#else + return toJS(m_value).isObject(); +#endif } - (BOOL)isSymbol { +#if !CPU(ADDRESS64) return JSValueIsSymbol([_context JSGlobalContextRef], m_value); +#else + return toJS(m_value).isSymbol(); +#endif } - (BOOL)isArray 
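Review bot: The new `CPU(ADDRESS64)` branches in isUndefined through isSymbol call `toJS(m_value)` directly and drop the null handling that the C API they replace still has (in JSValueRef.cpp the 64-bit paths return true from JSValueIsNull and false from JSValueIsString/IsObject/IsSymbol for a null ref). A null JSValueRef presumably decodes to the empty value, which looks like a cell, so `isString`, `isObject` and `isSymbol` on a null `m_value` would now read through a null cell where the 32-bit branch returns false. If every live JSValue guarantees a non-null `m_value`, state it once: `// m_value is never null for a live JSValue, so the bit tests need neither a null check nor the lock.`; otherwise mirror the C API with `return m_value && toJS(m_value).isString();` and `return !m_value || toJS(m_value).isNull();`. The @implementation continues outside the hunk.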
@@ -476,8 +500,12 @@ inline Expected performPropertyOperation(NSStringFunction st - (JSValue *)callWithArguments:(NSArray *)argumentArray { + JSC::JSGlobalObject* globalObject = toJS([_context JSGlobalContextRef]); + JSC::VM& vm = globalObject->vm(); + JSC::JSLockHolder locker(vm); + NSUInteger argumentCount = [argumentArray count]; - JSValueRef arguments[argumentCount]; + JSC::MarkedJSValueRefArray arguments([_context JSGlobalContextRef], argumentCount); for (unsigned i = 0; i < argumentCount; ++i) arguments[i] = objectToValue(_context, [argumentArray objectAtIndex:i]); @@ -486,7 +514,7 @@ inline Expected performPropertyOperation(NSStringFunction st if (exception) return [_context valueFromNotifyException:exception]; - JSValueRef result = JSObjectCallAsFunction([_context JSGlobalContextRef], object, 0, argumentCount, arguments, &exception); + JSValueRef result = JSObjectCallAsFunction([_context JSGlobalContextRef], object, 0, argumentCount, arguments.data(), &exception); if (exception) return [_context valueFromNotifyException:exception]; @@ -495,8 +523,12 @@ inline Expected performPropertyOperation(NSStringFunction st - (JSValue *)constructWithArguments:(NSArray *)argumentArray { + JSC::JSGlobalObject* globalObject = toJS([_context JSGlobalContextRef]); + JSC::VM& vm = globalObject->vm(); + JSC::JSLockHolder locker(vm); + NSUInteger argumentCount = [argumentArray count]; - JSValueRef arguments[argumentCount]; + JSC::MarkedJSValueRefArray arguments([_context JSGlobalContextRef], argumentCount); for (unsigned i = 0; i < argumentCount; ++i) arguments[i] = objectToValue(_context, [argumentArray objectAtIndex:i]); 
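Review bot: The switch from the stack VLA `JSValueRef arguments[argumentCount]` to `MarkedJSValueRefArray` in callWithArguments and constructWithArguments is the substantive part of these hunks and carries no comment; the name suggests the array keeps the converted values visible to the collector until the call returns, which a raw VLA did not, but a reader cannot confirm that from here. A one-liner above the declaration would capture the intent: `// GC-visible holder: keeps the converted arguments alive until the call below returns.` Note that the JSLockHolder taken at the top now also covers the `objectToValue` loop, so ObjC-to-JS conversion runs under the VM lock; presumably intended, but worth a word if conversion can call back into user code. Both methods continue outside the hunk.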
@@ -505,7 +537,7 @@ inline Expected performPropertyOperation(NSStringFunction st if (exception) return [_context valueFromNotifyException:exception]; - JSObjectRef result = JSObjectCallAsConstructor([_context JSGlobalContextRef], object, argumentCount, arguments, &exception); + JSObjectRef result = JSObjectCallAsConstructor([_context JSGlobalContextRef], object, argumentCount, arguments.data(), &exception); if (exception) return [_context valueFromNotifyException:exception]; @@ -514,8 +546,12 @@ inline Expected performPropertyOperation(NSStringFunction st - (JSValue *)invokeMethod:(NSString *)method withArguments:(NSArray *)arguments { + JSC::JSGlobalObject* globalObject = toJS([_context JSGlobalContextRef]); + JSC::VM& vm = globalObject->vm(); + JSC::JSLockHolder locker(vm); + NSUInteger argumentCount = [arguments count]; - JSValueRef argumentArray[argumentCount]; + JSC::MarkedJSValueRefArray argumentArray([_context JSGlobalContextRef], argumentCount); for (unsigned i = 0; i < argumentCount; ++i) argumentArray[i] = objectToValue(_context, [arguments objectAtIndex:i]); @@ -533,7 +569,7 @@ inline Expected performPropertyOperation(NSStringFunction st if (exception) return [_context valueFromNotifyException:exception]; - JSValueRef result = JSObjectCallAsFunction([_context JSGlobalContextRef], object, thisObject, argumentCount, argumentArray, &exception); + JSValueRef result = JSObjectCallAsFunction([_context JSGlobalContextRef], object, thisObject, argumentCount, argumentArray.data(), &exception); if (exception) return [_context valueFromNotifyException:exception]; 
@@ -695,8 +731,8 @@ inline id JSContainerConvertor::convert(JSValueRef value) void JSContainerConvertor::add(Task task) { - JSC::ExecState* exec = toJS(m_context); - m_jsValues.append(JSC::Strong(exec->vm(), toJSForGC(exec, task.js))); + JSC::JSGlobalObject* globalObject = toJS(m_context); + m_jsValues.append(JSC::Strong(globalObject->vm(), toJSForGC(globalObject, task.js))); m_objectMap.add(task.js, task.objc); if (task.type != ContainerNone) m_worklist.append(task); @@ -713,17 +749,17 @@ JSContainerConvertor::Task JSContainerConvertor::take() #if ENABLE(REMOTE_INSPECTOR) static void reportExceptionToInspector(JSGlobalContextRef context, JSC::JSValue exceptionValue) { - JSC::ExecState* exec = toJS(context); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(context); + JSC::VM& vm = globalObject->vm(); JSC::Exception* exception = JSC::Exception::create(vm, exceptionValue); - vm.vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, exception); + globalObject->inspectorController().reportAPIException(globalObject, exception); } #endif static JSContainerConvertor::Task valueToObjectWithoutCopy(JSGlobalContextRef context, JSValueRef value) { - JSC::ExecState* exec = toJS(context); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(context); + JSC::VM& vm = globalObject->vm(); if (!JSValueIsObject(context, value)) { id primitive; @@ -733,7 +769,7 @@ static JSContainerConvertor::Task valueToObjectWithoutCopy(JSGlobalContextRef co // Normalize the number, so it will unique correctly in the hash map - // it's nicer not to leak this internal implementation detail! value = JSValueMakeNumber(context, JSValueToNumber(context, value, 0)); - primitive = [NSNumber numberWithDouble:JSValueToNumber(context, value, 0)]; + primitive = @(JSValueToNumber(context, value, 0)); } else if (JSValueIsString(context, value)) { // Would be nice to unique strings, too. auto jsstring = adoptRef(JSValueToStringCopy(context, value, 0)); 
@@ -828,7 +864,7 @@ id valueToNumber(JSGlobalContextRef context, JSValueRef value, JSValueRef* excep return JSValueToBoolean(context, value) ? @YES : @NO; double result = JSValueToNumber(context, value, exception); - return [NSNumber numberWithDouble:*exception ? std::numeric_limits::quiet_NaN() : result]; + return @(*exception ? std::numeric_limits::quiet_NaN() : result); } id valueToString(JSGlobalContextRef context, JSValueRef value, JSValueRef* exception) @@ -944,8 +980,8 @@ JSValueRef ObjcContainerConvertor::convert(id object) void ObjcContainerConvertor::add(ObjcContainerConvertor::Task task) { - JSC::ExecState* exec = toJS(m_context.JSGlobalContextRef); - m_jsValues.append(JSC::Strong(exec->vm(), toJSForGC(exec, task.js))); + JSC::JSGlobalObject* globalObject = toJS(m_context.JSGlobalContextRef); + m_jsValues.append(JSC::Strong(globalObject->vm(), toJSForGC(globalObject, task.js))); m_objectMap.add(task.objc, task.js); if (task.type != ContainerNone) m_worklist.append(task); diff --git a/API/JSValueRef.cpp b/API/JSValueRef.cpp index 2b39fbe..bb6b8e4 100644 --- a/API/JSValueRef.cpp +++ b/API/JSValueRef.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2007, 2016 Apple Inc. All rights reserved. + * Copyright (C) 2006-2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -29,20 +29,13 @@ #include "APICast.h" #include "APIUtils.h" #include "DateInstance.h" -#include "Exception.h" #include "JSAPIWrapperObject.h" #include "JSCInlines.h" -#include "JSCJSValue.h" #include "JSCallbackObject.h" -#include "JSGlobalObject.h" #include "JSONObject.h" -#include "JSObjectRefPrivate.h" -#include "JSString.h" #include "LiteralParser.h" #include "Protect.h" -#include #include -#include #include #if PLATFORM(MAC) 
@@ -61,14 +54,17 @@ using namespace JSC; ASSERT_NOT_REACHED(); return kJSTypeUndefined; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - JSValue jsValue = toJS(exec, value); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + JSValue jsValue = toJS(globalObject, value); +#else + JSValue jsValue = toJS(value); +#endif if (jsValue.isUndefined()) return kJSTypeUndefined; - if (jsValue.isNull()) + if (!jsValue || jsValue.isNull()) return kJSTypeNull; if (jsValue.isBoolean()) return kJSTypeBoolean; @@ -88,10 +84,13 @@ bool JSValueIsUndefined(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toJS(exec, value).isUndefined(); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toJS(globalObject, value).isUndefined(); +#else + return toJS(value).isUndefined(); +#endif } bool JSValueIsNull(JSContextRef ctx, JSValueRef value) @@ -100,10 +99,14 @@ bool JSValueIsNull(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - return toJS(exec, value).isNull(); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toJS(globalObject, value).isNull(); +#else + return !value || toJS(value).isNull(); +#endif } bool JSValueIsBoolean(JSContextRef ctx, JSValueRef value) 
@@ -112,10 +115,13 @@ bool JSValueIsBoolean(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toJS(exec, value).isBoolean(); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toJS(globalObject, value).isBoolean(); +#else + return toJS(value).isBoolean(); +#endif } bool JSValueIsNumber(JSContextRef ctx, JSValueRef value) @@ -124,10 +130,13 @@ bool JSValueIsNumber(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toJS(exec, value).isNumber(); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toJS(globalObject, value).isNumber(); +#else + return toJS(value).isNumber(); +#endif } bool JSValueIsString(JSContextRef ctx, JSValueRef value) @@ -136,10 +145,13 @@ bool JSValueIsString(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toJS(exec, value).isString(); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toJS(globalObject, value).isString(); +#else + return value && toJS(value).isString(); +#endif } bool JSValueIsObject(JSContextRef ctx, JSValueRef value) @@ -148,10 +160,13 @@ bool JSValueIsObject(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toJS(exec, value).isObject(); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toJS(globalObject, value).isObject(); +#else + return value && toJS(value).isObject(); +#endif } bool JSValueIsSymbol(JSContextRef ctx, JSValueRef value) 
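Review bot: Within these four predicates the 64-bit branches guard the ref in JSValueIsString and JSValueIsObject (`value && toJS(value).isString()`) but not in JSValueIsBoolean or JSValueIsNumber, and nothing explains the difference, which the next maintainer will read as an oversight and "fix" in one direction or the other. The likely reason is that the boolean and number tests are bit comparisons on the decoded value while the string and object tests read the cell header, and a null ref decodes to a value that presumably looks like a cell. A comment above the first guarded predicate would pin that down: `// A null JSValueRef decodes to the empty value, which is tagged as a cell: guard before any test that reads the cell header.`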
@@ -160,10 +175,13 @@ bool JSValueIsSymbol(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toJS(exec, value).isSymbol(); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toJS(globalObject, value).isSymbol(); +#else + return value && toJS(value).isSymbol(); +#endif } bool JSValueIsArray(JSContextRef ctx, JSValueRef value) @@ -172,11 +190,11 @@ bool JSValueIsArray(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); + JSLockHolder locker(globalObject); - return toJS(exec, value).inherits(vm); + return toJS(globalObject, value).inherits(vm); } bool JSValueIsDate(JSContextRef ctx, JSValueRef value) @@ -185,11 +203,11 @@ bool JSValueIsDate(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); + JSLockHolder locker(globalObject); - return toJS(exec, value).inherits(vm); + return toJS(globalObject, value).inherits(vm); } bool JSValueIsObjectOfClass(JSContextRef ctx, JSValueRef value, JSClassRef jsClass) @@ -198,11 +216,11 @@ bool JSValueIsObjectOfClass(JSContextRef ctx, JSValueRef value, JSClassRef jsCla ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); + JSLockHolder locker(globalObject); - JSValue jsValue = toJS(exec, value); + JSValue jsValue = toJS(globalObject, value); if (JSObject* o = jsValue.getObject()) { if (o->inherits(vm)) 
@@ -210,8 +228,8 @@ bool JSValueIsObjectOfClass(JSContextRef ctx, JSValueRef value, JSClassRef jsCla if (o->inherits>(vm)) return jsCast*>(o)->inherits(jsClass); - if (o->inherits>(vm)) - return jsCast*>(o)->inherits(jsClass); + if (o->inherits>(vm)) + return jsCast*>(o)->inherits(jsClass); #if JSC_OBJC_API_ENABLED if (o->inherits>(vm)) return jsCast*>(o)->inherits(jsClass); @@ -226,16 +244,17 @@ bool JSValueIsEqual(JSContextRef ctx, JSValueRef a, JSValueRef b, JSValueRef* ex ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSValue jsA = toJS(exec, a); - JSValue jsB = toJS(exec, b); + JSValue jsA = toJS(globalObject, a); + JSValue jsB = toJS(globalObject, b); - bool result = JSValue::equal(exec, jsA, jsB); // false if an exception is thrown - handleExceptionIfNeeded(scope, exec, exception); + bool result = JSValue::equal(globalObject, jsA, jsB); // false if an exception is thrown + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return false; return result; } @@ -246,13 +265,13 @@ bool JSValueIsStrictEqual(JSContextRef ctx, JSValueRef a, JSValueRef b) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); - JSValue jsA = toJS(exec, a); - JSValue jsB = toJS(exec, b); + JSValue jsA = toJS(globalObject, a); + JSValue jsB = toJS(globalObject, b); - return JSValue::strictEqual(exec, jsA, jsB); + return JSValue::strictEqual(globalObject, jsA, jsB); } bool JSValueIsInstanceOfConstructor(JSContextRef ctx, JSValueRef value, JSObjectRef constructor, JSValueRef* exception) 
@@ -261,18 +280,19 @@ bool JSValueIsInstanceOfConstructor(JSContextRef ctx, JSValueRef value, JSObject ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSValue jsValue = toJS(exec, value); + JSValue jsValue = toJS(globalObject, value); JSObject* jsConstructor = toJS(constructor); if (!jsConstructor->structure(vm)->typeInfo().implementsHasInstance()) return false; - bool result = jsConstructor->hasInstance(exec, jsValue); // false if an exception is thrown - handleExceptionIfNeeded(scope, exec, exception); + bool result = jsConstructor->hasInstance(globalObject, jsValue); // false if an exception is thrown + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return false; return result; } 
@@ -280,48 +300,60 @@ JSValueRef JSValueMakeUndefined(JSContextRef ctx) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toRef(exec, jsUndefined()); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toRef(globalObject, jsUndefined()); +#else + return toRef(jsUndefined()); +#endif } JSValueRef JSValueMakeNull(JSContextRef ctx) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toRef(exec, jsNull()); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toRef(globalObject, jsNull()); +#else + return toRef(jsNull()); +#endif } JSValueRef JSValueMakeBoolean(JSContextRef ctx, bool value) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toRef(exec, jsBoolean(value)); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toRef(globalObject, jsBoolean(value)); +#else + return toRef(jsBoolean(value)); +#endif } JSValueRef JSValueMakeNumber(JSContextRef ctx, double value) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - - return toRef(exec, jsNumber(purifyNaN(value))); +#if !CPU(ADDRESS64) + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); + return toRef(globalObject, jsNumber(purifyNaN(value))); +#else + return toRef(jsNumber(purifyNaN(value))); +#endif } JSValueRef JSValueMakeSymbol(JSContextRef ctx, JSStringRef description) 
@@ -330,62 +362,63 @@ JSValueRef JSValueMakeSymbol(JSContextRef ctx, JSStringRef description) ASSERT_NOT_REACHED(); return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); + JSLockHolder locker(globalObject); if (!description) - return toRef(exec, Symbol::create(vm)); - return toRef(exec, Symbol::createWithDescription(vm, description->string())); + return toRef(globalObject, Symbol::create(vm)); + return toRef(globalObject, Symbol::createWithDescription(vm, description->string())); } JSValueRef JSValueMakeString(JSContextRef ctx, JSStringRef string) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); + JSLockHolder locker(vm); - return toRef(exec, jsString(exec, string ? string->string() : String())); + return toRef(globalObject, jsString(vm, string ? 
string->string() : String())); } JSValueRef JSValueMakeFromJSONString(JSContextRef ctx, JSStringRef string) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); String str = string->string(); unsigned length = str.length(); if (!length || str.is8Bit()) { - LiteralParser parser(exec, str.characters8(), length, StrictJSON); - return toRef(exec, parser.tryLiteralParse()); + LiteralParser parser(globalObject, str.characters8(), length, StrictJSON); + return toRef(globalObject, parser.tryLiteralParse()); } - LiteralParser parser(exec, str.characters16(), length, StrictJSON); - return toRef(exec, parser.tryLiteralParse()); + LiteralParser parser(globalObject, str.characters16(), length, StrictJSON); + return toRef(globalObject, parser.tryLiteralParse()); } JSStringRef JSValueCreateJSONString(JSContextRef ctx, JSValueRef apiValue, unsigned indent, JSValueRef* exception) { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSValue value = toJS(exec, apiValue); - String result = JSONStringify(exec, value, indent); + JSValue value = toJS(globalObject, apiValue); + String result = JSONStringify(globalObject, value, indent); if (exception) - *exception = 0; - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - return 0; + *exception = nullptr; + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + return nullptr; return OpaqueJSString::tryCreate(result).leakRef(); } 
@@ -395,11 +428,11 @@ bool JSValueToBoolean(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return false; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); - JSValue jsValue = toJS(exec, value); - return jsValue.toBoolean(exec); + JSValue jsValue = toJS(globalObject, value); + return jsValue.toBoolean(globalObject); } double JSValueToNumber(JSContextRef ctx, JSValueRef value, JSValueRef* exception) @@ -408,15 +441,15 @@ double JSValueToNumber(JSContextRef ctx, JSValueRef value, JSValueRef* exception ASSERT_NOT_REACHED(); return PNaN; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSValue jsValue = toJS(exec, value); + JSValue jsValue = toJS(globalObject, value); - double number = jsValue.toNumber(exec); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + double number = jsValue.toNumber(globalObject); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) number = PNaN; return number; } 
@@ -425,17 +458,17 @@ JSStringRef JSValueToStringCopy(JSContextRef ctx, JSValueRef value, JSValueRef* { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSValue jsValue = toJS(exec, value); + JSValue jsValue = toJS(globalObject, value); - auto stringRef(OpaqueJSString::tryCreate(jsValue.toWTFString(exec))); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) + auto stringRef(OpaqueJSString::tryCreate(jsValue.toWTFString(globalObject))); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) stringRef = nullptr; return stringRef.leakRef(); } @@ -444,18 +477,18 @@ JSObjectRef JSValueToObject(JSContextRef ctx, JSValueRef value, JSValueRef* exce { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSValue jsValue = toJS(exec, value); + JSValue jsValue = toJS(globalObject, value); - JSObjectRef objectRef = toRef(jsValue.toObject(exec)); - if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow) - objectRef = 0; + JSObjectRef objectRef = toRef(jsValue.toObject(globalObject)); + if (handleExceptionIfNeeded(scope, ctx, exception) == ExceptionStatus::DidThrow) + objectRef = nullptr; return objectRef; } 
@@ -465,18 +498,18 @@ void JSValueProtect(JSContextRef ctx, JSValueRef value) ASSERT_NOT_REACHED(); return; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); - JSValue jsValue = toJSForGC(exec, value); + JSValue jsValue = toJSForGC(globalObject, value); gcProtect(jsValue); } void JSValueUnprotect(JSContextRef ctx, JSValueRef value) { - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); - JSValue jsValue = toJSForGC(exec, value); + JSValue jsValue = toJSForGC(globalObject, value); gcUnprotect(jsValue); } diff --git a/API/JSVirtualMachine.mm b/API/JSVirtualMachine.mm index d1b6b94..79b081d 100644 --- a/API/JSVirtualMachine.mm +++ b/API/JSVirtualMachine.mm @@ -23,7 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "config.h" +#import "config.h" #import "JavaScriptCore.h" @@ -40,6 +40,7 @@ #import #import #import +#import static NSMapTable *globalWrapperCache = 0; @@ -69,13 +70,13 @@ static NSMapTable *wrapperCache() + (void)addWrapper:(JSVirtualMachine *)wrapper forJSContextGroupRef:(JSContextGroupRef)group { - std::lock_guard lock(wrapperCacheMutex); + auto locker = holdLock(wrapperCacheMutex); NSMapInsert(wrapperCache(), group, (__bridge void*)wrapper); } + (JSVirtualMachine *)wrapperForJSContextGroupRef:(JSContextGroupRef)group { - std::lock_guard lock(wrapperCacheMutex); + auto locker = holdLock(wrapperCacheMutex); return (__bridge JSVirtualMachine *)NSMapGet(wrapperCache(), group); } 
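Review bot: JSValueUnprotect is rewritten without the `if (!ctx) { ASSERT_NOT_REACHED(); return; }` guard that JSValueProtect, directly above it in this hunk, carries, so as far as the hunk shows a null context flows straight into `toJS(ctx)` and `JSLockHolder locker(globalObject)`. Adding the same three-line guard keeps the protect/unprotect pair symmetric with the rest of the C API entry points in this file. JSWeakObjectMapCreate in the JSWeakObjectMapRefPrivate.cpp hunk has the same gap while JSWeakObjectMapSet/Get/Remove beside it are guarded.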
@@ -180,17 +181,17 @@ static id getInternalObjcObject(id object) [self addExternalRememberedObject:owner]; auto externalDataMutexLocker = holdLock(m_externalDataMutex); - NSMapTable *ownedObjects = [m_externalObjectGraph objectForKey:owner]; + RetainPtr ownedObjects = [m_externalObjectGraph objectForKey:owner]; if (!ownedObjects) { NSPointerFunctionsOptions weakIDOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality; NSPointerFunctionsOptions integerOptions = NSPointerFunctionsOpaqueMemory | NSPointerFunctionsIntegerPersonality; - ownedObjects = [[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1]; + ownedObjects = adoptNS([[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1]); - [m_externalObjectGraph setObject:ownedObjects forKey:owner]; + [m_externalObjectGraph setObject:ownedObjects.get() forKey:owner]; } - size_t count = reinterpret_cast(NSMapGet(ownedObjects, (__bridge void*)object)); - NSMapInsert(ownedObjects, (__bridge void*)object, reinterpret_cast(count + 1)); + size_t count = reinterpret_cast(NSMapGet(ownedObjects.get(), (__bridge void*)object)); + NSMapInsert(ownedObjects.get(), (__bridge void*)object, reinterpret_cast(count + 1)); } - (void)removeManagedReference:(id)object withOwner:(id)owner @@ -297,14 +298,15 @@ JSContextGroupRef getGroupFromVirtualMachine(JSVirtualMachine *virtualMachine) #endif // ENABLE(DFG_JIT) -- (JSC::VM&)vm +- (JSContextGroupRef)JSContextGroupRef { - return *toJS(m_group); + return m_group; } - (BOOL)isWebThreadAware { - return [self vm].apiLock().isWebThreadAware(); + JSC::VM* vm = toJS(m_group); + return vm->apiLock().isWebThreadAware(); } + (void)setCrashOnVMCreation:(BOOL)shouldCrash diff --git a/API/JSVirtualMachineInternal.h b/API/JSVirtualMachineInternal.h index b533482..adb0a37 100644 --- a/API/JSVirtualMachineInternal.h +++ b/API/JSVirtualMachineInternal.h 
@@ -46,10 +46,10 @@ JSContextGroupRef getGroupFromVirtualMachine(JSVirtualMachine *); - (JSContext *)contextForGlobalContextRef:(JSGlobalContextRef)globalContext; - (void)addContext:(JSContext *)wrapper forGlobalContextRef:(JSGlobalContextRef)globalContext; -- (JSC::VM&)vm; - - (BOOL)isWebThreadAware; +@property (readonly) JSContextGroupRef JSContextGroupRef; + @end #endif // defined(__OBJC__) diff --git a/API/JSVirtualMachinePrivate.h b/API/JSVirtualMachinePrivate.h index 950afc7..2113ec9 100644 --- a/API/JSVirtualMachinePrivate.h +++ b/API/JSVirtualMachinePrivate.h @@ -23,8 +23,8 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "JSExportMacros.h" -#include +#import "JSExportMacros.h" +#import #if JSC_OBJC_API_ENABLED diff --git a/API/JSWeakObjectMapRefPrivate.cpp b/API/JSWeakObjectMapRefPrivate.cpp index c6b396d..686a0b9 100644 --- a/API/JSWeakObjectMapRefPrivate.cpp +++ b/API/JSWeakObjectMapRefPrivate.cpp @@ -27,11 +27,8 @@ #include "JSWeakObjectMapRefPrivate.h" #include "APICast.h" -#include "JSCJSValue.h" #include "JSCallbackObject.h" #include "JSWeakObjectMapRefInternal.h" -#include "JSCInlines.h" -#include "Weak.h" #include "WeakGCMapInlines.h" using namespace JSC; @@ -42,11 +39,11 @@ extern "C" { JSWeakObjectMapRef JSWeakObjectMapCreate(JSContextRef context, void* privateData, JSWeakMapDestroyedCallback callback) { - ExecState* exec = toJS(context); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(context); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); auto map = OpaqueJSWeakObjectMap::create(vm, privateData, callback); - exec->lexicalGlobalObject()->registerWeakMap(map.ptr()); + globalObject->registerWeakMap(map.ptr()); return map.ptr(); } 
@@ -56,15 +53,15 @@ void JSWeakObjectMapSet(JSContextRef ctx, JSWeakObjectMapRef map, void* key, JSO ASSERT_NOT_REACHED(); return; } - ExecState* exec = toJS(ctx); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(ctx); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); JSObject* obj = toJS(object); if (!obj) return; ASSERT(obj->inherits(vm) || obj->inherits>(vm) - || obj->inherits>(vm)); + || obj->inherits>(vm)); map->map().set(key, obj); } @@ -72,10 +69,10 @@ JSObjectRef JSWeakObjectMapGet(JSContextRef ctx, JSWeakObjectMapRef map, void* k { if (!ctx) { ASSERT_NOT_REACHED(); - return 0; + return nullptr; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); return toRef(jsCast(map->map().get(key))); } @@ -85,8 +82,8 @@ void JSWeakObjectMapRemove(JSContextRef ctx, JSWeakObjectMapRef map, void* key) ASSERT_NOT_REACHED(); return; } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + JSGlobalObject* globalObject = toJS(ctx); + JSLockHolder locker(globalObject); map->map().remove(key); } diff --git a/API/JSWeakPrivate.cpp b/API/JSWeakPrivate.cpp index 246649f..cd76bc3 100644 --- a/API/JSWeakPrivate.cpp +++ b/API/JSWeakPrivate.cpp @@ -27,7 +27,6 @@ #include "JSWeakPrivate.h" #include "APICast.h" -#include "JSCInlines.h" #include "Weak.h" #include diff --git a/API/JSWeakValue.cpp b/API/JSWeakValue.cpp index 77fcac6..4de056b 100644 --- a/API/JSWeakValue.cpp +++ b/API/JSWeakValue.cpp @@ -28,7 +28,6 @@ #include "JSWeakValue.h" #include "JSCInlines.h" -#include "WeakHandleOwner.h" namespace JSC { diff --git a/API/JSWrapperMap.mm b/API/JSWrapperMap.mm index 053ee65..1a6dc35 100644 --- a/API/JSWrapperMap.mm +++ b/API/JSWrapperMap.mm 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2015, 2017 Apple Inc. All rights reserved. + * Copyright (C) 2013-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,7 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "config.h" +#import "config.h" #import "JavaScriptCore.h" #if JSC_OBJC_API_ENABLED @@ -35,26 +35,25 @@ #import "JSContextInternal.h" #import "JSWrapperMap.h" #import "ObjCCallbackFunction.h" -#ifdef DARLING -#import "ObjCRuntimeExtras.h" -#else #import "ObjcRuntimeExtras.h" -#endif #import "ObjectConstructor.h" #import "WeakGCMap.h" #import "WeakGCMapInlines.h" #import -#import -#include +#if PLATFORM(COCOA) +#import +#endif + +#import #if PLATFORM(APPLETV) #else -static const int32_t firstJavaScriptCoreVersionWithInitConstructorSupport = 0x21A0400; // 538.4.0 +static constexpr int32_t firstJavaScriptCoreVersionWithInitConstructorSupport = 0x21A0400; // 538.4.0 #if PLATFORM(IOS_FAMILY) -static const uint32_t firstSDKVersionWithInitConstructorSupport = DYLD_IOS_VERSION_10_0; +static constexpr uint32_t firstSDKVersionWithInitConstructorSupport = DYLD_IOS_VERSION_10_0; #elif PLATFORM(MAC) -static const uint32_t firstSDKVersionWithInitConstructorSupport = 0xA0A00; // OSX 10.10.0 +static constexpr uint32_t firstSDKVersionWithInitConstructorSupport = 0xA0A00; // OSX 10.10.0 #endif #endif @@ -66,7 +65,7 @@ static const uint32_t firstSDKVersionWithInitConstructorSupport = 0xA0A00; // OS @end -static const constexpr unsigned InitialBufferSize { 256 }; +static constexpr unsigned InitialBufferSize { 256 }; // Default conversion of selectors to property names. // All semicolons are removed, lowercase letters following a semicolon are capitalized. 
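Review bot: The removed `#ifdef DARLING` branch around `#import "ObjcRuntimeExtras.h"` existed to select a differently-cased header name (the comment deleted in the matching ObjCCallbackFunction.mm hunk says as much), so the now-unconditional import only builds on a case-sensitive filesystem if the header in this tree is spelled exactly `ObjcRuntimeExtras.h`. Worth confirming the on-disk file name before dropping the workaround, or renaming the header to match the include. The same removal appears in the ObjCCallbackFunction.mm hunk.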
@@ -112,25 +111,25 @@ done: static bool constructorHasInstance(JSContextRef ctx, JSObjectRef constructorRef, JSValueRef possibleInstance, JSValueRef*) { - JSC::ExecState* exec = toJS(ctx); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(ctx); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); JSC::JSObject* constructor = toJS(constructorRef); - JSC::JSValue instance = toJS(exec, possibleInstance); - return JSC::JSObject::defaultHasInstance(exec, instance, constructor->get(exec, vm.propertyNames->prototype)); + JSC::JSValue instance = toJS(globalObject, possibleInstance); + return JSC::JSObject::defaultHasInstance(globalObject, instance, constructor->get(globalObject, vm.propertyNames->prototype)); } static JSC::JSObject* makeWrapper(JSContextRef ctx, JSClassRef jsClass, id wrappedObject) { - JSC::ExecState* exec = toJS(ctx); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(ctx); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); ASSERT(jsClass); - JSC::JSCallbackObject* object = JSC::JSCallbackObject::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->objcWrapperObjectStructure(), jsClass, 0); + JSC::JSCallbackObject* object = JSC::JSCallbackObject::create(globalObject, globalObject->objcWrapperObjectStructure(), jsClass, 0); object->setWrappedObject((__bridge void*)wrappedObject); - if (JSC::JSObject* prototype = jsClass->prototype(exec)) + if (JSC::JSObject* prototype = jsClass->prototype(globalObject)) object->setPrototypeDirect(vm, prototype); return object; 
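Review bot: In makeWrapper the private-data argument of `JSC::JSCallbackObject::create(globalObject, globalObject->objcWrapperObjectStructure(), jsClass, 0)` is still a literal `0`, while this commit otherwise converts pointer zeroes to `nullptr` (e.g. the `return nullptr;` rewrites in the JSValueMake* hunks). Writing `nullptr` there makes the pointer intent explicit and matches the rest of the change. The same literal survives in `JSValueRef exception = 0;` in the putNonEnumerable hunk and in the `JSCallbackObject::create(globalObject, structure, m_classRef, 0)` call in the JSObjCClassInfo wrapper hunk.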
@@ -187,26 +186,26 @@ inline void putNonEnumerable(JSContext *context, JSValue *base, NSString *proper { if (![base isObject]) return; - JSC::ExecState* exec = toJS([context JSGlobalContextRef]); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS([context JSGlobalContextRef]); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSC::JSObject* baseObject = JSC::asObject(toJS(exec, [base JSValueRef])); + JSC::JSObject* baseObject = JSC::asObject(toJS(globalObject, [base JSValueRef])); auto name = OpaqueJSString::tryCreate(propertyName); if (!name) return; JSC::PropertyDescriptor descriptor; - descriptor.setValue(toJS(exec, [value JSValueRef])); + descriptor.setValue(toJS(globalObject, [value JSValueRef])); descriptor.setEnumerable(false); descriptor.setConfigurable(true); descriptor.setWritable(true); bool shouldThrow = false; - baseObject->methodTable(vm)->defineOwnProperty(baseObject, exec, name->identifier(&vm), descriptor, shouldThrow); + baseObject->methodTable(vm)->defineOwnProperty(baseObject, globalObject, name->identifier(&vm), descriptor, shouldThrow); JSValueRef exception = 0; - if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) + if (handleExceptionIfNeeded(scope, [context JSGlobalContextRef], &exception) == ExceptionStatus::DidThrow) [context valueFromNotifyException:exception]; } @@ -272,7 +271,7 @@ static void copyMethodsToObject(JSContext *context, Class objcClass, Protocol *p name = renameMap[name]; if (!name) name = selectorToPropertyName(nameCStr); - auto exec = toJS([context JSGlobalContextRef]); + JSC::JSGlobalObject* globalObject = toJS([context JSGlobalContextRef]); JSValue *existingMethod = object[name]; // ObjCCallbackFunction does a dynamic lookup for the // selector before calling the method. In order to save 
@@ -281,7 +280,7 @@ static void copyMethodsToObject(JSContext *context, Class objcClass, Protocol *p // to override normal builtins e.g. "toString" we check if // the existing value on the prototype chain is an ObjC // callback already. - if ([existingMethod isObject] && JSC::jsDynamicCast(exec->vm(), toJS(exec, [existingMethod JSValueRef]))) + if ([existingMethod isObject] && JSC::jsDynamicCast(globalObject->vm(), toJS(globalObject, [existingMethod JSValueRef]))) return; JSObjectRef method = objCCallbackFunctionForMethod(context, objcClass, protocol, isInstanceMethod, sel, types); if (method) @@ -394,7 +393,7 @@ static void copyPrototypeProperties(JSContext *context, Class objcClass, Protoco @interface JSObjCClassInfo : NSObject { Class m_class; bool m_block; - JSClassRef m_classRef; + NakedPtr m_classRef; JSC::Weak m_prototype; JSC::Weak m_constructor; JSC::Weak m_structure; @@ -428,7 +427,7 @@ static void copyPrototypeProperties(JSContext *context, Class objcClass, Protoco - (void)dealloc { - JSClassRelease(m_classRef); + JSClassRelease(m_classRef.get()); [super dealloc]; } @@ -551,11 +550,11 @@ typedef std::pair ConstructorPrototypePair; JSC::Structure* structure = [self structureInContext:context]; - JSC::ExecState* exec = toJS([context JSGlobalContextRef]); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS([context JSGlobalContextRef]); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); - auto wrapper = JSC::JSCallbackObject::create(exec, exec->lexicalGlobalObject(), structure, m_classRef, 0); + auto wrapper = JSC::JSCallbackObject::create(globalObject, structure, m_classRef, 0); wrapper->setWrappedObject((__bridge void*)object); return wrapper; } 
@@ -584,10 +583,9 @@ typedef std::pair ConstructorPrototypePair; if (structure) return structure; - JSC::ExecState* exec = toJS([context JSGlobalContextRef]); JSC::JSGlobalObject* globalObject = toJSGlobalObject([context JSGlobalContextRef]); JSC::JSObject* prototype = [self prototypeInContext:context]; - m_structure = JSC::JSCallbackObject::createStructure(exec->vm(), globalObject, prototype); + m_structure = JSC::JSCallbackObject::createStructure(globalObject->vm(), globalObject, prototype); return m_structure.get(); } @@ -610,7 +608,7 @@ typedef std::pair ConstructorPrototypePair; NSPointerFunctionsOptions valueOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality; m_cachedObjCWrappers = [[NSMapTable alloc] initWithKeyOptions:keyOptions valueOptions:valueOptions capacity:0]; - m_cachedJSWrappers = std::make_unique>(toJS(context)->vm()); + m_cachedJSWrappers = makeUnique>(toJS(context)->vm()); ASSERT(!toJSGlobalObject(context)->wrapperMap()); toJSGlobalObject(context)->setWrapperMap(self); @@ -725,7 +723,7 @@ bool supportsInitMethodConstructors() // base our check on what SDK was used to build the application. static uint32_t programSDKVersion = 0; if (!programSDKVersion) - programSDKVersion = dyld_get_program_sdk_version(); + programSDKVersion = applicationSDKVersion(); return programSDKVersion >= firstSDKVersionWithInitConstructorSupport; #endif diff --git a/API/JavaScriptCore.h b/API/JavaScriptCore.h index b2fde1d..3d82867 100644 --- a/API/JavaScriptCore.h +++ b/API/JavaScriptCore.h @@ -31,11 +31,11 @@ #if defined(__OBJC__) && JSC_OBJC_API_ENABLED -#import "JSContext.h" -#import "JSValue.h" -#import "JSManagedValue.h" -#import "JSVirtualMachine.h" -#import "JSExport.h" +#import +#import +#import +#import +#import #endif diff --git a/jit/HostCallReturnValue.h b/API/MarkedJSValueRefArray.cpp similarity index 56% rename from jit/HostCallReturnValue.h rename to API/MarkedJSValueRefArray.cpp index 51987ea..bb6b3d0 100644 
--- a/jit/HostCallReturnValue.h +++ b/API/MarkedJSValueRefArray.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Apple Inc. All rights reserved. + * Copyright (C) 2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -20,41 +20,46 @@ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#pragma once +#include "config.h" +#include "MarkedJSValueRefArray.h" #include "JSCJSValue.h" -#if !ENABLE(C_LOOP) - -#if CALLING_CONVENTION_IS_STDCALL -#define HOST_CALL_RETURN_VALUE_OPTION CDECL -#else -#define HOST_CALL_RETURN_VALUE_OPTION -#endif - namespace JSC { -extern "C" EncodedJSValue HOST_CALL_RETURN_VALUE_OPTION getHostCallReturnValue() REFERENCED_FROM_ASM WTF_INTERNAL; - -#if COMPILER(GCC_COMPATIBLE) - -// This is a public declaration only to convince CLANG not to elide it. -extern "C" EncodedJSValue HOST_CALL_RETURN_VALUE_OPTION getHostCallReturnValueWithExecState(ExecState*) REFERENCED_FROM_ASM WTF_INTERNAL; - -inline void initializeHostCallReturnValue() +MarkedJSValueRefArray::MarkedJSValueRefArray(JSGlobalContextRef context, unsigned size) + : m_size(size) { - getHostCallReturnValueWithExecState(0); + if (m_size > MarkedArgumentBuffer::inlineCapacity) { + m_buffer = BufferUniquePtr::create(m_size); + toJS(context)->vm().heap.addMarkedJSValueRefArray(this); + ASSERT(isOnList()); + } } -#else // COMPILER(GCC_COMPATIBLE) +MarkedJSValueRefArray::~MarkedJSValueRefArray() +{ + if (isOnList()) + remove(); +} -inline void initializeHostCallReturnValue() { } - -#endif // COMPILER(GCC_COMPATIBLE) +void MarkedJSValueRefArray::visitAggregate(SlotVisitor& visitor) +{ + JSValueRef* buffer = data(); + for (unsigned index = 0; index < m_size; ++index) { + JSValueRef value = buffer[index]; +#if !CPU(ADDRESS64) + JSCell* jsCell = reinterpret_cast(const_cast(value)); + if (!jsCell) + continue; + visitor.appendUnbarriered(jsCell); // We should mark the wrapper itself to keep JSValueRef live. 
+#else + visitor.appendUnbarriered(bitwise_cast(value)); +#endif + } +} } // namespace JSC - -#endif // !ENABLE(C_LOOP) diff --git a/API/MarkedJSValueRefArray.h b/API/MarkedJSValueRefArray.h new file mode 100644 index 0000000..8158795 --- /dev/null +++ b/API/MarkedJSValueRefArray.h 
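Review bot: The MarkedJSValueRefArray constructor registers the array with the heap via `addMarkedJSValueRefArray(this)` only when `m_size` exceeds `MarkedArgumentBuffer::inlineCapacity`, so for small arrays nothing in this file causes the inline slots to be visited; presumably the class is stack-only (the header forbids heap allocation) and the inline buffer is reached by conservative stack scanning, but the hunk does not say so. If that is the design, a comment on the `if` would stop a future caller from assuming registration is unconditional: `// Only the out-of-line caged buffer needs explicit marking; inline slots live in the stack-resident object.` Also `toJS(context)->vm()` has no null-context guard, unlike the C API entry points elsewhere in this commit, and the ADDRESS64 branch of visitAggregate passes `value` to appendUnbarriered without the `if (!jsCell) continue;` check the 32-bit branch performs — fine only if appendUnbarriered tolerates empty and non-cell values, which is worth stating in a comment.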
@@ -0,0 +1,73 @@ +/* + * Copyright (C) 2020 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#pragma once + +#include "APICast.h" +#include "ArgList.h" +#include +#include +#include +#include + +namespace JSC { + +class MarkedJSValueRefArray final : public BasicRawSentinelNode { + WTF_MAKE_NONCOPYABLE(MarkedJSValueRefArray); + WTF_MAKE_NONMOVABLE(MarkedJSValueRefArray); + WTF_FORBID_HEAP_ALLOCATION; +public: + using BufferUniquePtr = CagedUniquePtr; + static constexpr size_t inlineCapacity = MarkedArgumentBuffer::inlineCapacity; + + JS_EXPORT_PRIVATE MarkedJSValueRefArray(JSGlobalContextRef, unsigned); + JS_EXPORT_PRIVATE ~MarkedJSValueRefArray(); + + size_t size() const { return m_size; } + bool isEmpty() const { return !m_size; } + + JSValueRef& operator[](unsigned index) { return data()[index]; } + + const JSValueRef* data() const + { + return const_cast(this)->data(); + } + + JSValueRef* data() + { + if (m_buffer) + return m_buffer.get(m_size); + return m_inlineBuffer; + } + + void visitAggregate(SlotVisitor&); + +private: + unsigned m_size; + JSValueRef m_inlineBuffer[inlineCapacity] { }; + BufferUniquePtr m_buffer; +}; + +} // namespace JSC diff --git a/API/ObjCCallbackFunction.h b/API/ObjCCallbackFunction.h index c30c156..57f03de 100644 --- a/API/ObjCCallbackFunction.h +++ b/API/ObjCCallbackFunction.h @@ -55,6 +55,7 @@ public: } static ObjCCallbackFunction* create(VM&, JSGlobalObject*, const String& name, std::unique_ptr); + static constexpr bool needsDestruction = true; static void destroy(JSCell*); static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype) diff --git a/API/ObjCCallbackFunction.mm b/API/ObjCCallbackFunction.mm index 11a3306..4bcd8f4 100644 --- a/API/ObjCCallbackFunction.mm +++ b/API/ObjCCallbackFunction.mm @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013, 2016 Apple Inc. All rights reserved. + * Copyright (C) 2013-2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
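Review bot: `JSValueRef& operator[](unsigned index) { return data()[index]; }` in MarkedJSValueRefArray is unchecked, and on the inline path an out-of-range index writes past `m_inlineBuffer` into the rest of the object. Since `m_size` is right there, `ASSERT(index < m_size);` before the return documents and debug-checks the precondition at no release cost, and `size()` is already public for callers to respect it. The `m_buffer.get(m_size)` in `data()` suggests the caged pointer validates the size, but that covers only the out-of-line path.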
@@ -23,7 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "config.h" +#import "config.h" #import "JavaScriptCore.h" #if JSC_OBJC_API_ENABLED @@ -37,12 +37,7 @@ #import "JSWrapperMap.h" #import "JSValueInternal.h" #import "ObjCCallbackFunction.h" -#ifdef DARLING -// ugh, Apple with their stupid case-insensitivity -#import "ObjCRuntimeExtras.h" -#else #import "ObjcRuntimeExtras.h" -#endif #import "StructureInlines.h" #import #import @@ -60,8 +55,8 @@ CallbackArgument::~CallbackArgument() { } -class CallbackArgumentBoolean : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef*) override +class CallbackArgumentBoolean final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef*) final { bool value = JSValueToBoolean([context JSGlobalContextRef], argument); [invocation setArgument:&value atIndex:argumentNumber]; 
@@ -69,40 +64,46 @@ class CallbackArgumentBoolean : public CallbackArgument { }; template -class CallbackArgumentInteger : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override +class CallbackArgumentInteger final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) final { + ASSERT(exception && !*exception); T value = (T)JSC::toInt32(JSValueToNumber([context JSGlobalContextRef], argument, exception)); + if (*exception) + return; [invocation setArgument:&value atIndex:argumentNumber]; } }; template -class CallbackArgumentDouble : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override +class CallbackArgumentDouble final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) final { + ASSERT(exception && !*exception); T value = (T)JSValueToNumber([context JSGlobalContextRef], argument, exception); + if (*exception) + return; [invocation setArgument:&value atIndex:argumentNumber]; } }; -class CallbackArgumentJSValue : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef*) override +class CallbackArgumentJSValue final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef*) final { JSValue *value = [JSValue valueWithJSValueRef:argument inContext:context]; [invocation setArgument:&value atIndex:argumentNumber]; } }; -class CallbackArgumentId : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef*) 
override +class CallbackArgumentId final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef*) final { id value = valueToObject(context, argument); [invocation setArgument:&value atIndex:argumentNumber]; } }; -class CallbackArgumentOfClass : public CallbackArgument { +class CallbackArgumentOfClass final : public CallbackArgument { public: CallbackArgumentOfClass(Class cls) : m_class(cls) @@ -110,8 +111,9 @@ public: } private: - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) final { + ASSERT(exception && !*exception); JSGlobalContextRef contextRef = [context JSGlobalContextRef]; id object = tryUnwrapObjcObject(contextRef, argument); 
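Review bot: In `CallbackArgumentInteger::set` and `CallbackArgumentDouble::set` the new `if (*exception) return;` dereferences `exception` with only a debug `ASSERT(exception && !*exception)` in front of it, so a release build now crashes on a null pointer where the old code merely forwarded it to `JSValueToNumber`, which accepts null. The only visible caller, `ObjCCallbackFunctionImpl::call`, does pass a non-null pointer, so this is a contract tightening rather than a bug, but it is recorded nowhere; I would state it once on the pure-virtual `CallbackArgument::set` declaration (outside this hunk): `// exception must be non-null and *exception must be nullptr on entry; set() leaves the invocation untouched when it reports an exception.` The same applies to the NSNumber, NSString, NSDate, NSArray and NSDictionary overrides in the following hunk.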
@@ -132,47 +134,62 @@ private: RetainPtr m_class; }; -class CallbackArgumentNSNumber : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override +class CallbackArgumentNSNumber final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) final { + ASSERT(exception && !*exception); id value = valueToNumber([context JSGlobalContextRef], argument, exception); + if (*exception) + return; [invocation setArgument:&value atIndex:argumentNumber]; } }; -class CallbackArgumentNSString : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override +class CallbackArgumentNSString final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) final { + ASSERT(exception && !*exception); id value = valueToString([context JSGlobalContextRef], argument, exception); + if (*exception) + return; [invocation setArgument:&value atIndex:argumentNumber]; } }; -class CallbackArgumentNSDate : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override +class CallbackArgumentNSDate final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) final { + ASSERT(exception && !*exception); id value = valueToDate([context JSGlobalContextRef], argument, exception); + if (*exception) + return; [invocation setArgument:&value atIndex:argumentNumber]; } }; -class CallbackArgumentNSArray : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef 
argument, JSValueRef* exception) override +class CallbackArgumentNSArray final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) final { + ASSERT(exception && !*exception); id value = valueToArray([context JSGlobalContextRef], argument, exception); + if (*exception) + return; [invocation setArgument:&value atIndex:argumentNumber]; } }; -class CallbackArgumentNSDictionary : public CallbackArgument { - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override +class CallbackArgumentNSDictionary final : public CallbackArgument { + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) final { + ASSERT(exception && !*exception); id value = valueToDictionary([context JSGlobalContextRef], argument, exception); + if (*exception) + return; [invocation setArgument:&value atIndex:argumentNumber]; } }; -class CallbackArgumentStruct : public CallbackArgument { +class CallbackArgumentStruct final : public CallbackArgument { public: CallbackArgumentStruct(NSInvocation *conversionInvocation, const char* encodedType) : m_conversionInvocation(conversionInvocation) @@ -181,7 +198,7 @@ public: } private: - void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef*) override + void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef*) final { JSValue *value = [JSValue valueWithJSValueRef:argument inContext:context]; [m_conversionInvocation invokeWithTarget:value]; 
@@ -193,25 +210,25 @@ private: StructBuffer m_buffer; }; -class ArgumentTypeDelegate { +class ArgumentTypeDelegate final { public: typedef std::unique_ptr ResultType; template static ResultType typeInteger() { - return std::make_unique>(); + return makeUnique>(); } template static ResultType typeDouble() { - return std::make_unique>(); + return makeUnique>(); } static ResultType typeBool() { - return std::make_unique(); + return makeUnique(); } static ResultType typeVoid() @@ -222,7 +239,7 @@ public: static ResultType typeId() { - return std::make_unique(); + return makeUnique(); } static ResultType typeOfClass(const char* begin, const char* end) @@ -233,19 +250,19 @@ public: return nullptr; if (cls == [JSValue class]) - return std::make_unique(); + return makeUnique(); if (cls == [NSString class]) - return std::make_unique(); + return makeUnique(); if (cls == [NSNumber class]) - return std::make_unique(); + return makeUnique(); if (cls == [NSDate class]) - return std::make_unique(); + return makeUnique(); if (cls == [NSArray class]) - return std::make_unique(); + return makeUnique(); if (cls == [NSDictionary class]) - return std::make_unique(); + return makeUnique(); - return std::make_unique(cls); + return makeUnique(cls); } static ResultType typeBlock(const char*, const char*) @@ -257,7 +274,7 @@ public: { StringRange copy(begin, end); if (NSInvocation *invocation = valueToTypeInvocationFor(copy)) - return std::make_unique(invocation, copy); + return makeUnique(invocation, copy); return nullptr; } }; 
@@ -272,15 +289,15 @@ public: virtual JSValueRef get(NSInvocation *, JSContext *, JSValueRef*) = 0; }; -class CallbackResultVoid : public CallbackResult { - JSValueRef get(NSInvocation *, JSContext *context, JSValueRef*) override +class CallbackResultVoid final : public CallbackResult { + JSValueRef get(NSInvocation *, JSContext *context, JSValueRef*) final { return JSValueMakeUndefined([context JSGlobalContextRef]); } }; -class CallbackResultId : public CallbackResult { - JSValueRef get(NSInvocation *invocation, JSContext *context, JSValueRef*) override +class CallbackResultId final : public CallbackResult { + JSValueRef get(NSInvocation *invocation, JSContext *context, JSValueRef*) final { id value; [invocation getReturnValue:&value]; @@ -289,8 +306,8 @@ class CallbackResultId : public CallbackResult { }; template -class CallbackResultNumeric : public CallbackResult { - JSValueRef get(NSInvocation *invocation, JSContext *context, JSValueRef*) override +class CallbackResultNumeric final : public CallbackResult { + JSValueRef get(NSInvocation *invocation, JSContext *context, JSValueRef*) final { T value; [invocation getReturnValue:&value]; @@ -298,8 +315,8 @@ class CallbackResultNumeric : public CallbackResult { } }; -class CallbackResultBoolean : public CallbackResult { - JSValueRef get(NSInvocation *invocation, JSContext *context, JSValueRef*) override +class CallbackResultBoolean final : public CallbackResult { + JSValueRef get(NSInvocation *invocation, JSContext *context, JSValueRef*) final { bool value; [invocation getReturnValue:&value]; @@ -307,7 +324,7 @@ class CallbackResultBoolean : public CallbackResult { } }; -class CallbackResultStruct : public CallbackResult { +class CallbackResultStruct final : public CallbackResult { public: CallbackResultStruct(NSInvocation *conversionInvocation, const char* encodedType) : m_conversionInvocation(conversionInvocation) 
@@ -316,7 +333,7 @@ public: } private: - JSValueRef get(NSInvocation *invocation, JSContext *context, JSValueRef*) override + JSValueRef get(NSInvocation *invocation, JSContext *context, JSValueRef*) final { [invocation getReturnValue:m_buffer]; @@ -333,52 +350,52 @@ private: StructBuffer m_buffer; }; -class ResultTypeDelegate { +class ResultTypeDelegate final { public: typedef std::unique_ptr ResultType; template static ResultType typeInteger() { - return std::make_unique>(); + return makeUnique>(); } template static ResultType typeDouble() { - return std::make_unique>(); + return makeUnique>(); } static ResultType typeBool() { - return std::make_unique(); + return makeUnique(); } static ResultType typeVoid() { - return std::make_unique(); + return makeUnique(); } static ResultType typeId() { - return std::make_unique(); + return makeUnique(); } static ResultType typeOfClass(const char*, const char*) { - return std::make_unique(); + return makeUnique(); } static ResultType typeBlock(const char*, const char*) { - return std::make_unique(); + return makeUnique(); } static ResultType typeStruct(const char* begin, const char* end) { StringRange copy(begin, end); if (NSInvocation *invocation = typeToValueInvocationFor(copy)) - return std::make_unique(invocation, copy); + return makeUnique(invocation, copy); return nullptr; } }; @@ -392,7 +409,8 @@ enum CallbackType { namespace JSC { -class ObjCCallbackFunctionImpl { +class ObjCCallbackFunctionImpl final { + WTF_MAKE_FAST_ALLOCATED; public: ObjCCallbackFunctionImpl(NSInvocation *invocation, CallbackType type, Class instanceClass, std::unique_ptr arguments, std::unique_ptr result) : m_type(type) 
@@ -451,6 +469,8 @@ private: static JSValueRef objCCallbackFunctionCallAsFunction(JSContextRef callerContext, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { + ASSERT(exception && !*exception); + // Retake the API lock - we need this for a few reasons: // (1) We don't want to support the C-API's confusing drops-locks-once policy - should only drop locks if we can do so recursively. // (2) We're calling some JSC internals that require us to be on the 'inside' - e.g. createTypeError. @@ -459,11 +479,13 @@ static JSValueRef objCCallbackFunctionCallAsFunction(JSContextRef callerContext, ObjCCallbackFunction* callback = static_cast(toJS(function)); ObjCCallbackFunctionImpl* impl = callback->impl(); - JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(callback->globalObject()->globalExec())]; + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(callback->globalObject())]; if (impl->type() == CallbackInitMethod) { JSGlobalContextRef contextRef = [context JSGlobalContextRef]; *exception = toRef(JSC::createTypeError(toJS(contextRef), "Cannot call a class constructor without |new|"_s)); + if (*exception) + return nullptr; return JSValueMakeUndefined(contextRef); } 
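Review bot: The added `if (*exception) return nullptr;` after `*exception = toRef(JSC::createTypeError(...))` in `objCCallbackFunctionCallAsFunction` leaves the following `return JSValueMakeUndefined(contextRef);` reachable only when `createTypeError` yields a null object, which as far as I can tell it never does, so the undefined path is dead code that suggests a branch which does not exist. Stating the intent unconditionally reads better: `*exception = toRef(JSC::createTypeError(toJS(contextRef), "Cannot call a class constructor without |new|"_s)); ASSERT(*exception); return nullptr;`. The same shape is introduced twice in `ObjCCallbackFunctionImpl::call` (the two "self type check failed" hunks further down). The body of `objCCallbackFunctionCallAsFunction` continues outside this hunk.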
@@ -476,16 +498,19 @@ static JSValueRef objCCallbackFunctionCallAsFunction(JSContextRef callerContext, *exception = valueInternalValue(context.exception); [context endCallbackWithData:&callbackData]; } + if (*exception) + return nullptr; return result; } static JSObjectRef objCCallbackFunctionCallAsConstructor(JSContextRef callerContext, JSObjectRef constructor, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { + ASSERT(exception && !*exception); JSC::JSLockHolder locker(toJS(callerContext)); ObjCCallbackFunction* callback = static_cast(toJS(constructor)); ObjCCallbackFunctionImpl* impl = callback->impl(); - JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(toJS(callerContext)->lexicalGlobalObject()->globalExec())]; + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(toJS(callerContext))]; CallbackData callbackData; JSValueRef result; 
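Review bot: `objCCallbackFunctionCallAsConstructor` now resolves its `JSContext` from `toJS(callerContext)`, while `objCCallbackFunctionCallAsFunction` in the preceding hunk resolves it from `callback->globalObject()`; if a constructor is invoked from a global object other than the one it was created in, the two paths would pick different contexts. The asymmetry predates this change, but both lines are rewritten here, so either align the constructor path, `JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(callback->globalObject())];`, or add a comment explaining why the caller's context is the intended one. Both function bodies extend outside this hunk.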
@@ -496,22 +521,35 @@ static JSObjectRef objCCallbackFunctionCallAsConstructor(JSContextRef callerCont *exception = valueInternalValue(context.exception); [context endCallbackWithData:&callbackData]; } - - JSGlobalContextRef contextRef = [context JSGlobalContextRef]; if (*exception) return nullptr; + JSGlobalContextRef contextRef = [context JSGlobalContextRef]; if (!JSValueIsObject(contextRef, result)) { *exception = toRef(JSC::createTypeError(toJS(contextRef), "Objective-C blocks called as constructors must return an object."_s)); return nullptr; } + ASSERT(!*exception); return const_cast(result); } const JSC::ClassInfo ObjCCallbackFunction::s_info = { "CallbackFunction", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(ObjCCallbackFunction) }; +static JSC_DECLARE_HOST_FUNCTION(callObjCCallbackFunction); +static JSC_DECLARE_HOST_FUNCTION(constructObjCCallbackFunction); + +JSC_DEFINE_HOST_FUNCTION(callObjCCallbackFunction, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return APICallbackFunction::callImpl(globalObject, callFrame); +} + +JSC_DEFINE_HOST_FUNCTION(constructObjCCallbackFunction, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return APICallbackFunction::constructImpl(globalObject, callFrame); +} + ObjCCallbackFunction::ObjCCallbackFunction(JSC::VM& vm, JSC::Structure* structure, JSObjectCallAsFunctionCallback functionCallback, JSObjectCallAsConstructorCallback constructCallback, std::unique_ptr impl) - : Base(vm, structure, APICallbackFunction::call, impl->isConstructible() ? APICallbackFunction::construct : nullptr) + : Base(vm, structure, callObjCCallbackFunction, impl->isConstructible() ? constructObjCCallbackFunction : nullptr) , m_functionCallback(functionCallback) , m_constructCallback(constructCallback) , m_impl(WTFMove(impl)) 
@@ -522,7 +560,7 @@ ObjCCallbackFunction* ObjCCallbackFunction::create(JSC::VM& vm, JSC::JSGlobalObj { Structure* structure = globalObject->objcCallbackFunctionStructure(); ObjCCallbackFunction* function = new (NotNull, allocateCell(vm.heap)) ObjCCallbackFunction(vm, structure, objCCallbackFunctionCallAsFunction, objCCallbackFunctionCallAsConstructor, WTFMove(impl)); - function->finishCreation(vm, name); + function->finishCreation(vm, 0, name); return function; } @@ -544,6 +582,7 @@ String ObjCCallbackFunctionImpl::name() JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { + ASSERT(exception && !*exception); JSGlobalContextRef contextRef = [context JSGlobalContextRef]; id target; @@ -554,6 +593,8 @@ JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisOb target = [m_instanceClass alloc]; if (!target || ![target isKindOfClass:m_instanceClass.get()]) { *exception = toRef(JSC::createTypeError(toJS(contextRef), "self type check failed for Objective-C instance method"_s)); + if (*exception) + return nullptr; return JSValueMakeUndefined(contextRef); } [m_invocation setTarget:target]; @@ -564,6 +605,8 @@ JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisOb target = tryUnwrapObjcObject(contextRef, thisObject); if (!target || ![target isKindOfClass:m_instanceClass.get()]) { *exception = toRef(JSC::createTypeError(toJS(contextRef), "self type check failed for Objective-C instance method"_s)); + if (*exception) + return nullptr; return JSValueMakeUndefined(contextRef); } [m_invocation setTarget:target]; 
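Review bot: The new second argument in `function->finishCreation(vm, 0, name);` is an unexplained literal; presumably it is the reported function `length`, but a reader of `ObjCCallbackFunction::create` cannot tell that from the call site. A short comment would settle it, e.g. `function->finishCreation(vm, 0, name); // length 0: the callback is variadic and declares no formal parameters` (wording to be confirmed against the `InternalFunction::finishCreation` signature, which is outside this diff). The same literal appears in `JSCCallbackFunction::create` further down.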
@@ -582,13 +625,15 @@ JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisOb JSValueRef value = argumentNumber < argumentCount ? arguments[argumentNumber] : JSValueMakeUndefined(contextRef); argument->set(m_invocation.get(), argumentNumber + firstArgument, context, value, exception); if (*exception) - return JSValueMakeUndefined(contextRef); + return nullptr; ++argumentNumber; } [m_invocation invoke]; JSValueRef result = m_result->get(m_invocation.get(), context, exception); + if (*exception) + return nullptr; // Balance our call to -alloc with a call to -autorelease. We have to do this after calling -init // because init family methods are allowed to release the allocated object and return something @@ -663,12 +708,12 @@ static JSObjectRef objCCallbackFunctionForInvocation(JSContext *context, NSInvoc ++argumentCount; } - JSC::ExecState* exec = toJS([context JSGlobalContextRef]); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS([context JSGlobalContextRef]); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); - auto impl = std::make_unique(invocation, type, instanceClass, WTFMove(arguments), WTFMove(result)); + auto impl = makeUnique(invocation, type, instanceClass, WTFMove(arguments), WTFMove(result)); const String& name = impl->name(); - return toRef(JSC::ObjCCallbackFunction::create(vm, exec->lexicalGlobalObject(), name, WTFMove(impl))); + return toRef(JSC::ObjCCallbackFunction::create(vm, globalObject, name, WTFMove(impl))); } JSObjectRef objCCallbackFunctionForInit(JSContext *context, Class cls, Protocol *protocol, SEL sel, const char* types) diff --git a/API/ObjCRuntimeExtras.h b/API/ObjcRuntimeExtras.h similarity index 100% rename from API/ObjCRuntimeExtras.h rename to API/ObjcRuntimeExtras.h diff --git a/API/OpaqueJSString.cpp b/API/OpaqueJSString.cpp index 77a2e1c..252f14d 100644 --- a/API/OpaqueJSString.cpp +++ b/API/OpaqueJSString.cpp 
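Review bot: The new `if (*exception) return nullptr;` after `m_result->get(...)` in `ObjCCallbackFunctionImpl::call` is placed before the `-alloc`/`-autorelease` balancing described by the comment that follows it, so on the `CallbackInitMethod` path an exception reported by the result converter would return after `-init` has run but before the allocated target is autoreleased, leaking it. The `CallbackResult::get` overrides visible in this diff ignore their `JSValueRef*` parameter, so the branch may currently be unreachable, but the guard makes the reachable case look handled. Either move the check after the balancing block or note why it cannot fire, e.g. `// m_result->get() reports no exception today; if it ever does, the -autorelease below must still run.` The function body continues outside this hunk.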
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Apple Inc. All rights reserved. + * Copyright (C) 2008-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -26,10 +26,8 @@ #include "config.h" #include "OpaqueJSString.h" -#include "CallFrame.h" #include "Identifier.h" #include "IdentifierInlines.h" -#include "JSGlobalObject.h" #include using namespace JSC; @@ -78,9 +76,9 @@ Identifier OpaqueJSString::identifier(VM* vm) const return Identifier(Identifier::EmptyIdentifier); if (m_string.is8Bit()) - return Identifier::fromString(vm, m_string.characters8(), m_string.length()); + return Identifier::fromString(*vm, m_string.characters8(), m_string.length()); - return Identifier::fromString(vm, m_string.characters16(), m_string.length()); + return Identifier::fromString(*vm, m_string.characters16(), m_string.length()); } const UChar* OpaqueJSString::characters() diff --git a/API/WebKitAvailability.h b/API/WebKitAvailability.h index 0f6afb6..2a1ce7c 100644 --- a/API/WebKitAvailability.h +++ b/API/WebKitAvailability.h 
@@ -31,43 +31,6 @@ #include #include -#if !TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED < 101100 -/* To support availability macros that mention newer OS X versions when building on older OS X versions, - we provide our own definitions of the underlying macros that the availability macros expand to. We're - free to expand the macros as no-ops since frameworks built on older OS X versions only ship bundled with - an application rather than as part of the system. -*/ - -#ifndef __NSi_10_10 // Building from trunk rather than SDK. -#define __NSi_10_10 introduced=10.0 // Use 10.0 to indicate that everything is available. -#endif - -#ifndef __NSi_10_11 // Building from trunk rather than SDK. -#define __NSi_10_11 introduced=10.0 // Use 10.0 to indicate that everything is available. -#endif - -#ifndef __NSi_10_12 // Building from trunk rather than SDK. -#define __NSi_10_12 introduced=10.0 // Use 10.0 to indicate that everything is available. -#endif - -#ifndef __AVAILABILITY_INTERNAL__MAC_10_9 -#define __AVAILABILITY_INTERNAL__MAC_10_9 -#endif - -#ifndef __AVAILABILITY_INTERNAL__MAC_10_10 -#define __AVAILABILITY_INTERNAL__MAC_10_10 -#endif - -#ifndef AVAILABLE_MAC_OS_X_VERSION_10_9_AND_LATER -#define AVAILABLE_MAC_OS_X_VERSION_10_9_AND_LATER -#endif - -#ifndef AVAILABLE_MAC_OS_X_VERSION_10_10_AND_LATER -#define AVAILABLE_MAC_OS_X_VERSION_10_10_AND_LATER -#endif - -#endif /* !TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED < 101100 */ - #if defined(BUILDING_GTK__) #undef JSC_API_AVAILABLE #define JSC_API_AVAILABLE(...) diff --git a/API/glib/JSAPIWrapperGlobalObject.cpp b/API/glib/JSAPIWrapperGlobalObject.cpp index 6ae1945..e7f4e45 100644 --- a/API/glib/JSAPIWrapperGlobalObject.cpp +++ b/API/glib/JSAPIWrapperGlobalObject.cpp 
@@ -31,9 +31,9 @@ #include "Structure.h" #include -class JSAPIWrapperGlobalObjectHandleOwner : public JSC::WeakHandleOwner { +class JSAPIWrapperGlobalObjectHandleOwner final : public JSC::WeakHandleOwner { public: - void finalize(JSC::Handle, void*) override; + void finalize(JSC::Handle, void*) final; }; static JSAPIWrapperGlobalObjectHandleOwner* jsAPIWrapperGlobalObjectHandleOwner() 
@@ -54,9 +54,50 @@ void JSAPIWrapperGlobalObjectHandleOwner::finalize(JSC::Handle han namespace JSC { -template <> const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperGlobalObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; +static JSC_DECLARE_HOST_FUNCTION(callJSAPIWrapperGlobalObjectCallbackObject); +static JSC_DECLARE_HOST_FUNCTION(constructJSAPIWrapperGlobalObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(callbackGetterJSAPIWrapperGlobalObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(staticFunctionGetterJSAPIWrapperGlobalObjectCallbackObject); -template<> const bool JSCallbackObject::needsDestruction = false; +template <> const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperGlobalObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; +template<> const bool JSCallbackObject::needsDestruction = true; + +template <> +RawNativeFunction JSCallbackObject::getCallFunction() +{ + return callJSAPIWrapperGlobalObjectCallbackObject; +} + +template <> +RawNativeFunction JSCallbackObject::getConstructFunction() +{ + return constructJSAPIWrapperGlobalObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getCallbackGetter() +{ + return callbackGetterJSAPIWrapperGlobalObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getStaticFunctionGetter() +{ + return staticFunctionGetterJSAPIWrapperGlobalObjectCallbackObject; +} + +template <> +IsoSubspace* JSCallbackObject::subspaceForImpl(VM& vm, SubspaceAccess mode) +{ + switch (mode) { + case SubspaceAccess::OnMainThread: + return vm.callbackAPIWrapperGlobalObjectSpace(); + case SubspaceAccess::Concurrently: + return vm.callbackAPIWrapperGlobalObjectSpace(); + } + RELEASE_ASSERT_NOT_REACHED(); + return nullptr; +} template <> Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObject*, JSValue proto) 
@@ -72,6 +113,26 @@ JSCallbackObject* JSCallbackObject::callImpl(globalObject, callFrame); +} + +JSC_DEFINE_HOST_FUNCTION(constructJSAPIWrapperGlobalObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return JSCallbackObject::constructImpl(globalObject, callFrame); +} + +JSC_DEFINE_CUSTOM_GETTER(callbackGetterJSAPIWrapperGlobalObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::callbackGetterImpl(globalObject, thisValue, propertyName); +} + +JSC_DEFINE_CUSTOM_GETTER(staticFunctionGetterJSAPIWrapperGlobalObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::staticFunctionGetterImpl(globalObject, thisValue, propertyName); +} + JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject(VM& vm, Structure* structure) : Base(vm, structure) { diff --git a/API/glib/JSAPIWrapperGlobalObject.h b/API/glib/JSAPIWrapperGlobalObject.h index d54a9ec..6a34899 100644 --- a/API/glib/JSAPIWrapperGlobalObject.h +++ b/API/glib/JSAPIWrapperGlobalObject.h @@ -33,7 +33,10 @@ namespace JSC { class JSAPIWrapperGlobalObject : public JSGlobalObject { public: - typedef JSGlobalObject Base; + using Base = JSGlobalObject; + + template + static void subspaceFor(VM&) { RELEASE_ASSERT_NOT_REACHED(); } void finishCreation(VM&); static void visitChildren(JSCell*, JSC::SlotVisitor&); diff --git a/API/glib/JSAPIWrapperObjectGLib.cpp b/API/glib/JSAPIWrapperObjectGLib.cpp index 867fd42..6c466d5 100644 --- a/API/glib/JSAPIWrapperObjectGLib.cpp +++ b/API/glib/JSAPIWrapperObjectGLib.cpp 
@@ -33,10 +33,10 @@ #include "Structure.h" #include -class JSAPIWrapperObjectHandleOwner : public JSC::WeakHandleOwner { +class JSAPIWrapperObjectHandleOwner final : public JSC::WeakHandleOwner { public: - void finalize(JSC::Handle, void*) override; - bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) override; + void finalize(JSC::Handle, void*) final; + bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) final; }; static JSAPIWrapperObjectHandleOwner* jsAPIWrapperObjectHandleOwner() 
@@ -67,16 +67,77 @@ bool JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots(JSC::Handle const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; +static JSC_DECLARE_HOST_FUNCTION(callJSAPIWrapperObjectCallbackObject); +static JSC_DECLARE_HOST_FUNCTION(constructJSAPIWrapperObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(callbackGetterJSAPIWrapperObjectCallbackObject); +static JSC_DECLARE_CUSTOM_GETTER(staticFunctionGetterJSAPIWrapperObjectCallbackObject); +template <> const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) }; template<> const bool JSCallbackObject::needsDestruction = true; +template <> +RawNativeFunction JSCallbackObject::getCallFunction() +{ + return callJSAPIWrapperObjectCallbackObject; +} + +template <> +RawNativeFunction JSCallbackObject::getConstructFunction() +{ + return constructJSAPIWrapperObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getCallbackGetter() +{ + return callbackGetterJSAPIWrapperObjectCallbackObject; +} + +template <> +PropertySlot::GetValueFunc JSCallbackObject::getStaticFunctionGetter() +{ + return staticFunctionGetterJSAPIWrapperObjectCallbackObject; +} + +template <> +IsoSubspace* JSCallbackObject::subspaceForImpl(VM& vm, SubspaceAccess mode) +{ + switch (mode) { + case SubspaceAccess::OnMainThread: + return vm.apiWrapperObjectSpace(); + case SubspaceAccess::Concurrently: + return vm.apiWrapperObjectSpace(); + } + RELEASE_ASSERT_NOT_REACHED(); + return nullptr; +} + template <> Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) { return Structure::create(vm, globalObject, proto, TypeInfo(ObjectType, StructureFlags), &s_info); } +JSC_DEFINE_HOST_FUNCTION(callJSAPIWrapperObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return 
JSCallbackObject::callImpl(globalObject, callFrame); +} + +JSC_DEFINE_HOST_FUNCTION(constructJSAPIWrapperObjectCallbackObject, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return JSCallbackObject::constructImpl(globalObject, callFrame); +} + +JSC_DEFINE_CUSTOM_GETTER(callbackGetterJSAPIWrapperObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::callbackGetterImpl(globalObject, thisValue, propertyName); +} + +JSC_DEFINE_CUSTOM_GETTER(staticFunctionGetterJSAPIWrapperObjectCallbackObject, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName propertyName)) +{ + return JSCallbackObject::staticFunctionGetterImpl(globalObject, thisValue, propertyName); +} + JSAPIWrapperObject::JSAPIWrapperObject(VM& vm, Structure* structure) : Base(vm, structure) { diff --git a/API/glib/JSCCallbackFunction.cpp b/API/glib/JSCCallbackFunction.cpp index e222a40..20f1722 100644 --- a/API/glib/JSCCallbackFunction.cpp +++ b/API/glib/JSCCallbackFunction.cpp @@ -29,7 +29,6 @@ #include "APICallbackFunction.h" #include "APICast.h" -#include "IsoSubspacePerVM.h" #include "JSCClassPrivate.h" #include "JSCContextPrivate.h" #include "JSDestructibleObjectHeapCellType.h" 
@@ -53,16 +52,29 @@ static JSObjectRef callAsConstructor(JSContextRef callerContext, JSObjectRef con const ClassInfo JSCCallbackFunction::s_info = { "CallbackFunction", &InternalFunction::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCCallbackFunction) }; +static JSC_DECLARE_HOST_FUNCTION(callJSCCallbackFunction); +static JSC_DECLARE_HOST_FUNCTION(constructJSCCallbackFunction); + +JSC_DEFINE_HOST_FUNCTION(callJSCCallbackFunction, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return APICallbackFunction::callImpl(globalObject, callFrame); +} + +JSC_DEFINE_HOST_FUNCTION(constructJSCCallbackFunction, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ + return APICallbackFunction::constructImpl(globalObject, callFrame); +} + JSCCallbackFunction* JSCCallbackFunction::create(VM& vm, JSGlobalObject* globalObject, const String& name, Type type, JSCClass* jscClass, GRefPtr&& closure, GType returnType, Optional>&& parameters) { Structure* structure = globalObject->glibCallbackFunctionStructure(); JSCCallbackFunction* function = new (NotNull, allocateCell(vm.heap)) JSCCallbackFunction(vm, structure, type, jscClass, WTFMove(closure), returnType, WTFMove(parameters)); - function->finishCreation(vm, name); + function->finishCreation(vm, 0, name); return function; } JSCCallbackFunction::JSCCallbackFunction(VM& vm, Structure* structure, Type type, JSCClass* jscClass, GRefPtr&& closure, GType returnType, Optional>&& parameters) - : InternalFunction(vm, structure, APICallbackFunction::call, type == Type::Constructor ? APICallbackFunction::construct : nullptr) + : InternalFunction(vm, structure, callJSCCallbackFunction, type == Type::Constructor ? constructJSCCallbackFunction : nullptr) , m_functionCallback(callAsFunction) , m_constructCallback(callAsConstructor) , m_type(type) 
@@ -79,7 +91,7 @@ JSCCallbackFunction::JSCCallbackFunction(VM& vm, Structure* structure, Type type JSValueRef JSCCallbackFunction::call(JSContextRef callerContext, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { JSLockHolder locker(toJS(callerContext)); - auto context = jscContextGetOrCreate(toGlobalRef(globalObject()->globalExec())); + auto context = jscContextGetOrCreate(toGlobalRef(globalObject())); auto* jsContext = jscContextGetJSContext(context.get()); if (m_type == Type::Constructor) { @@ -150,7 +162,7 @@ JSValueRef JSCCallbackFunction::call(JSContextRef callerContext, JSObjectRef thi JSObjectRef JSCCallbackFunction::construct(JSContextRef callerContext, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { JSLockHolder locker(toJS(callerContext)); - auto context = jscContextGetOrCreate(toGlobalRef(globalObject()->globalExec())); + auto context = jscContextGetOrCreate(toGlobalRef(globalObject())); auto* jsContext = jscContextGetJSContext(context.get()); if (m_returnType == G_TYPE_NONE) { @@ -223,10 +235,4 @@ void JSCCallbackFunction::destroy(JSCell* cell) static_cast(cell)->JSCCallbackFunction::~JSCCallbackFunction(); } -IsoSubspace* JSCCallbackFunction::subspaceForImpl(VM& vm) -{ - NeverDestroyed perVM([] (VM& vm) -> IsoSubspacePerVM::SubspaceParameters { return ISO_SUBSPACE_PARAMETERS(vm.destructibleObjectHeapCellType.get(), JSCCallbackFunction); }); - return &perVM.get().forVM(vm); -} - } // namespace JSC diff --git a/API/glib/JSCCallbackFunction.h b/API/glib/JSCCallbackFunction.h index 2c59b9b..e5a5ee5 100644 --- a/API/glib/JSCCallbackFunction.h +++ b/API/glib/JSCCallbackFunction.h 
@@ -35,15 +35,15 @@ typedef struct _JSCClass JSCClass; namespace JSC { -class JSCCallbackFunction : public InternalFunction { +class JSCCallbackFunction final : public InternalFunction { friend struct APICallbackFunction; public: typedef InternalFunction Base; - template + template static IsoSubspace* subspaceFor(VM& vm) { - return subspaceForImpl(vm); + return vm.jscCallbackFunctionSpace(); } enum class Type { @@ -53,6 +53,7 @@ public: }; static JSCCallbackFunction* create(VM&, JSGlobalObject*, const String& name, Type, JSCClass*, GRefPtr&&, GType, Optional>&&); + static constexpr bool needsDestruction = true; static void destroy(JSCell*); static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype) @@ -67,8 +68,6 @@ public: JSObjectRef construct(JSContextRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception); private: - static IsoSubspace* subspaceForImpl(VM&); - JSCCallbackFunction(VM&, Structure*, Type, JSCClass*, GRefPtr&&, GType, Optional>&&); JSObjectCallAsFunctionCallback functionCallback() { return m_functionCallback; } diff --git a/API/glib/JSCClass.cpp b/API/glib/JSCClass.cpp index 4c054be..be57a2e 100644 --- a/API/glib/JSCClass.cpp +++ b/API/glib/JSCClass.cpp @@ -110,10 +110,10 @@ private: static bool isWrappedObject(JSC::JSObject* jsObject) { - JSC::ExecState* exec = jsObject->globalObject()->globalExec(); + JSC::JSGlobalObject* globalObject = jsObject->globalObject(); if (jsObject->isGlobalObject()) - return jsObject->inherits>(exec->vm()); - return jsObject->inherits>(exec->vm()); + return jsObject->inherits>(globalObject->vm()); + return jsObject->inherits>(globalObject->vm()); } static JSClassRef wrappedObjectClass(JSC::JSObject* jsObject) 
@@ -128,13 +128,11 @@ static GRefPtr jscContextForObject(JSC::JSObject* jsObject) { ASSERT(isWrappedObject(jsObject)); JSC::JSGlobalObject* globalObject = jsObject->globalObject(); - JSC::ExecState* exec = globalObject->globalExec(); if (jsObject->isGlobalObject()) { - JSC::VM& vm = globalObject->vm(); - if (auto* globalScopeExtension = vm.vmEntryGlobalObject(exec)->globalScopeExtension()) - exec = JSC::JSScope::objectAtScope(globalScopeExtension)->globalObject()->globalExec(); + if (auto* globalScopeExtension = globalObject->globalScopeExtension()) + globalObject = JSC::JSScope::objectAtScope(globalScopeExtension)->globalObject(); } - return jscContextGetOrCreate(toGlobalRef(exec)); + return jscContextGetOrCreate(toGlobalRef(globalObject)); } static JSValueRef getProperty(JSContextRef callerContext, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception) @@ -558,10 +556,10 @@ static GRefPtr jscClassCreateConstructor(JSCClass* jscClass, const cha else closure = adoptGRef(g_cclosure_new(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify)))); JSCClassPrivate* priv = jscClass->priv; - JSC::ExecState* exec = toJS(priv->context); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(priv->context); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); - auto* functionObject = JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), String::fromUTF8(name), + auto* functionObject = JSC::JSCCallbackFunction::create(vm, globalObject, String::fromUTF8(name), JSC::JSCCallbackFunction::Type::Constructor, jscClass, WTFMove(closure), returnType, WTFMove(parameters)); auto context = jscContextGetOrCreate(priv->context); auto constructor = jscContextGetOrCreateValue(context.get(), toRef(functionObject)); 
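Review bot: The new `if (auto* globalScopeExtension = globalObject->globalScopeExtension())` branch in jscContextForObject silently redirects a global object's JSCContext to the global of its scope extension, and nothing in the hunk says why. A comment would help: `// A global created by jsc_context_evaluate_in_object carries a with-scope extension over the caller's global object; map it back to that caller's JSCContext.` — this matches how jsc_context_evaluate_in_object installs the extension elsewhere in this diff, but confirm no other producer of scope extensions exists. The jscClassCreateConstructor hunk is the mechanical ExecState removal only and looks right.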
@@ -707,10 +705,10 @@ static void jscClassAddMethod(JSCClass* jscClass, const char* name, GCallback ca { JSCClassPrivate* priv = jscClass->priv; GRefPtr closure = adoptGRef(g_cclosure_new(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify)))); - JSC::ExecState* exec = toJS(priv->context); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(priv->context); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); - auto* functionObject = toRef(JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), String::fromUTF8(name), + auto* functionObject = toRef(JSC::JSCCallbackFunction::create(vm, globalObject, String::fromUTF8(name), JSC::JSCCallbackFunction::Type::Method, jscClass, WTFMove(closure), returnType, WTFMove(parameters))); auto context = jscContextGetOrCreate(priv->context); auto method = jscContextGetOrCreateValue(context.get(), functionObject); diff --git a/API/glib/JSCContext.cpp b/API/glib/JSCContext.cpp index e01e970..22b31ac 100644 --- a/API/glib/JSCContext.cpp +++ b/API/glib/JSCContext.cpp @@ -107,7 +107,7 @@ static void jscContextSetVirtualMachine(JSCContext* context, GRefPtrjsContext = JSRetainPtr(Adopt, JSGlobalContextCreateInGroup(jscVirtualMachineGetContextGroup(priv->vm.get()), nullptr)); auto* globalObject = toJSGlobalObject(priv->jsContext.get()); if (!globalObject->wrapperMap()) - globalObject->setWrapperMap(std::make_unique(priv->jsContext.get())); + globalObject->setWrapperMap(makeUnique(priv->jsContext.get())); jscVirtualMachineAddContext(priv->vm.get(), context); } else if (priv->vm) { ASSERT(priv->jsContext); 
@@ -271,6 +271,9 @@ void jscContextPopCallback(JSCContext* context, CallbackData&& data) JSValueRef jscContextGArrayToJSArray(JSCContext* context, GPtrArray* gArray, JSValueRef* exception) { JSCContextPrivate* priv = context->priv; + JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get()); + JSC::JSLockHolder locker(globalObject); + auto* jsArray = JSObjectMakeArray(priv->jsContext.get(), 0, nullptr, exception); if (*exception) return JSValueMakeUndefined(priv->jsContext.get()); @@ -289,7 +292,7 @@ JSValueRef jscContextGArrayToJSArray(JSCContext* context, GPtrArray* gArray, JSV else if (JSC_IS_VALUE(item)) JSObjectSetPropertyAtIndex(priv->jsContext.get(), jsArrayObject, i, jscValueGetJSValue(JSC_VALUE(item)), exception); else - *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid item type in GPtrArray"))); + *exception = toRef(JSC::createTypeError(globalObject, makeString("invalid item type in GPtrArray"))); if (*exception) return JSValueMakeUndefined(priv->jsContext.get()); @@ -301,11 +304,14 @@ JSValueRef jscContextGArrayToJSArray(JSCContext* context, GPtrArray* gArray, JSV static GRefPtr jscContextJSArrayToGArray(JSCContext* context, JSValueRef jsArray, JSValueRef* exception) { JSCContextPrivate* priv = context->priv; + JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get()); + JSC::JSLockHolder locker(globalObject); + if (JSValueIsNull(priv->jsContext.get(), jsArray)) return nullptr; if (!JSValueIsArray(priv->jsContext.get(), jsArray)) { - *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GPtrArray"))); + *exception = toRef(JSC::createTypeError(globalObject, makeString("invalid js type for GPtrArray"))); return nullptr; } 
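Review bot: The `JSC::JSLockHolder locker(globalObject);` added at the top of jscContextGArrayToJSArray (and likewise in jscContextJSArrayToGArray) has no explanation, and it is easy to mistake for redundant given the C API calls that follow; presumably it exists because the `JSC::createTypeError(globalObject, …)` calls below allocate on the VM heap without going through the API layer that takes the lock itself. A one-line comment would preserve that: `// Hold the API lock: createTypeError() below allocates directly on the heap.` As far as I recall JSLockHolder nests, so the JSObjectMakeArray/JSObjectSetPropertyAtIndex calls re-entering it are fine — worth confirming.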
@@ -337,11 +343,14 @@ static GRefPtr jscContextJSArrayToGArray(JSCContext* context, JSValue GUniquePtr jscContextJSArrayToGStrv(JSCContext* context, JSValueRef jsArray, JSValueRef* exception) { JSCContextPrivate* priv = context->priv; + JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get()); + JSC::JSLockHolder locker(globalObject); + if (JSValueIsNull(priv->jsContext.get(), jsArray)) return nullptr; if (!JSValueIsArray(priv->jsContext.get(), jsArray)) { - *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GStrv"))); + *exception = toRef(JSC::createTypeError(globalObject, makeString("invalid js type for GStrv"))); return nullptr; } @@ -366,7 +375,7 @@ GUniquePtr jscContextJSArrayToGStrv(JSCContext* context, JSValueRef jsArr auto jsValueItem = jscContextGetOrCreateValue(context, jsItem); if (!jsc_value_is_string(jsValueItem.get())) { - *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GStrv: item ", String::number(i), " is not a string"))); + *exception = toRef(JSC::createTypeError(globalObject, makeString("invalid js type for GStrv: item ", String::number(i), " is not a string"))); return nullptr; } @@ -379,6 +388,8 @@ GUniquePtr jscContextJSArrayToGStrv(JSCContext* context, JSValueRef jsArr JSValueRef jscContextGValueToJSValue(JSCContext* context, const GValue* value, JSValueRef* exception) { JSCContextPrivate* priv = context->priv; + JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get()); + JSC::JSLockHolder locker(globalObject); switch (g_type_fundamental(G_VALUE_TYPE(value))) { case G_TYPE_BOOLEAN: 
@@ -446,15 +457,17 @@ JSValueRef jscContextGValueToJSValue(JSCContext* context, const GValue* value, J break; } - *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value))))); + *exception = toRef(JSC::createTypeError(globalObject, makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value))))); return JSValueMakeUndefined(priv->jsContext.get()); } void jscContextJSValueToGValue(JSCContext* context, JSValueRef jsValue, GType type, GValue* value, JSValueRef* exception) { JSCContextPrivate* priv = context->priv; - g_value_init(value, type); + JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get()); + JSC::JSLockHolder locker(globalObject); + g_value_init(value, type); auto fundamentalType = g_type_fundamental(G_VALUE_TYPE(value)); switch (fundamentalType) { case G_TYPE_INT: @@ -528,7 +541,7 @@ void jscContextJSValueToGValue(JSCContext* context, JSValueRef jsValue, GType ty return; } - *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), "invalid pointer type"_s)); + *exception = toRef(JSC::createTypeError(globalObject, "invalid pointer type"_s)); return; } } @@ -539,7 +552,7 @@ void jscContextJSValueToGValue(JSCContext* context, JSValueRef jsValue, GType ty else if (G_IS_OBJECT(wrappedObject)) g_value_set_object(value, wrappedObject); else - *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), "wrapped object is not a GObject"_s)); + *exception = toRef(JSC::createTypeError(globalObject, "wrapped object is not a GObject"_s)); break; } case G_TYPE_LONG: 
@@ -564,7 +577,7 @@ void jscContextJSValueToGValue(JSCContext* context, JSValueRef jsValue, GType ty case G_TYPE_INTERFACE: case G_TYPE_VARIANT: default: - *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value))))); + *exception = toRef(JSC::createTypeError(globalObject, makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value))))); break; } } @@ -879,10 +892,10 @@ JSCValue* jsc_context_evaluate_in_object(JSCContext* context, const char* code, JSRetainPtr objectContext(Adopt, instance ? jscClassCreateContextWithJSWrapper(objectClass, context, instance) : JSGlobalContextCreateInGroup(jscVirtualMachineGetContextGroup(context->priv->vm.get()), nullptr)); - JSC::ExecState* exec = toJS(objectContext.get()); - JSC::VM& vm = exec->vm(); - auto* jsObject = vm.vmEntryGlobalObject(exec); - jsObject->setGlobalScopeExtension(JSC::JSWithScope::create(vm, jsObject, jsObject->globalScope(), toJS(JSContextGetGlobalObject(context->priv->jsContext.get())))); + JSC::JSGlobalObject* globalObject = toJS(objectContext.get()); + JSC::VM& vm = globalObject->vm(); + JSC::JSLockHolder locker(globalObject); + globalObject->setGlobalScopeExtension(JSC::JSWithScope::create(vm, globalObject, globalObject->globalScope(), toJS(JSContextGetGlobalObject(context->priv->jsContext.get())))); JSValueRef exception = nullptr; JSValueRef result = evaluateScriptInContext(objectContext.get(), String::fromUTF8(code, length < 0 ? strlen(code) : length), uri, lineNumber, &exception); if (jscContextHandleExceptionIfNeeded(context, exception)) 
@@ -939,22 +952,22 @@ JSCCheckSyntaxResult jsc_context_check_syntax(JSCContext* context, const char* c lineNumber = std::max(1, lineNumber); auto* jsContext = context->priv->jsContext.get(); - JSC::ExecState* exec = toJS(jsContext); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(jsContext); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); - String sourceURLString = uri ? String::fromUTF8(uri) : String(); - JSC::SourceCode source = JSC::makeSource(String::fromUTF8(code, length < 0 ? strlen(code) : length), JSC::SourceOrigin { sourceURLString }, - URL({ }, sourceURLString), TextPosition(OrdinalNumber::fromOneBasedInt(lineNumber), OrdinalNumber())); + URL sourceURL = uri ? URL({ }, uri) : URL(); + JSC::SourceCode source = JSC::makeSource(String::fromUTF8(code, length < 0 ? strlen(code) : length), JSC::SourceOrigin { sourceURL }, + sourceURL.string() , TextPosition(OrdinalNumber::fromOneBasedInt(lineNumber), OrdinalNumber())); bool success = false; JSC::ParserError error; switch (mode) { case JSC_CHECK_SYNTAX_MODE_SCRIPT: - success = !!JSC::parse(&vm, source, JSC::Identifier(), JSC::JSParserBuiltinMode::NotBuiltin, + success = !!JSC::parse(vm, source, JSC::Identifier(), JSC::JSParserBuiltinMode::NotBuiltin, JSC::JSParserStrictMode::NotStrict, JSC::JSParserScriptMode::Classic, JSC::SourceParseMode::ProgramMode, JSC::SuperBinding::NotNeeded, error); break; case JSC_CHECK_SYNTAX_MODE_MODULE: - success = !!JSC::parse(&vm, source, JSC::Identifier(), JSC::JSParserBuiltinMode::NotBuiltin, + success = !!JSC::parse(vm, source, JSC::Identifier(), JSC::JSParserBuiltinMode::NotBuiltin, JSC::JSParserStrictMode::Strict, JSC::JSParserScriptMode::Module, JSC::SourceParseMode::ModuleAnalyzeMode, JSC::SuperBinding::NotNeeded, error); break; } 
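Review bot: `URL sourceURL = uri ? URL({ }, uri) : URL();` now hands the raw `const char*` to URL, which, if I read WTF::String's `const char*` constructor correctly, decodes it as Latin-1 rather than UTF-8, so a non-ASCII URI would be mis-decoded in the resulting SourceOrigin and in the error object built later from `error.toErrorObject(globalObject, source)`; the removed line decoded it with `String::fromUTF8(uri)`. Suggest `URL sourceURL = uri ? URL({ }, String::fromUTF8(uri)) : URL();`. The stray space in `sourceURL.string() ,` should also go. The `length < 0 ? strlen(code) : length` handling of `code` is unchanged and fine.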
@@ -994,8 +1007,8 @@ JSCCheckSyntaxResult jsc_context_check_syntax(JSCContext* context, const char* c } if (exception) { - auto* jsError = error.toErrorObject(exec->lexicalGlobalObject(), source); - *exception = jscExceptionCreate(context, toRef(exec, jsError)).leakRef(); + auto* jsError = error.toErrorObject(globalObject, source); + *exception = jscExceptionCreate(context, toRef(globalObject, jsError)).leakRef(); } return result; diff --git a/API/glib/JSCContextPrivate.h b/API/glib/JSCContextPrivate.h index fc7270e..b6594b1 100644 --- a/API/glib/JSCContextPrivate.h +++ b/API/glib/JSCContextPrivate.h @@ -25,9 +25,9 @@ #include "JSContextRef.h" #include -GRefPtr jscContextGetOrCreate(JSGlobalContextRef); -JSGlobalContextRef jscContextGetJSContext(JSCContext*); -GRefPtr jscContextGetOrCreateValue(JSCContext*, JSValueRef); +JS_EXPORT_PRIVATE GRefPtr jscContextGetOrCreate(JSGlobalContextRef); +JS_EXPORT_PRIVATE JSGlobalContextRef jscContextGetJSContext(JSCContext*); +JS_EXPORT_PRIVATE GRefPtr jscContextGetOrCreateValue(JSCContext*, JSValueRef); void jscContextValueDestroyed(JSCContext*, JSValueRef); JSC::JSObject* jscContextGetJSWrapper(JSCContext*, gpointer); JSC::JSObject* jscContextGetOrCreateJSWrapper(JSCContext*, JSClassRef, JSValueRef prototype = nullptr, gpointer = nullptr, GDestroyNotify = nullptr); diff --git a/API/glib/JSCException.cpp b/API/glib/JSCException.cpp index 27198d9..ccda8e9 100644 --- a/API/glib/JSCException.cpp +++ b/API/glib/JSCException.cpp 
@@ -74,8 +74,8 @@ GRefPtr jscExceptionCreate(JSCContext* context, JSValueRef jsExcep { GRefPtr exception = adoptGRef(JSC_EXCEPTION(g_object_new(JSC_TYPE_EXCEPTION, nullptr))); auto* jsContext = jscContextGetJSContext(context); - JSC::ExecState* exec = toJS(jsContext); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(jsContext); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); exception->priv->jsException.set(vm, toJS(JSValueToObject(jsContext, jsException, nullptr))); // The context has a strong reference to the exception, so we can't ref the context. We use a weak diff --git a/API/glib/JSCOptions.cpp b/API/glib/JSCOptions.cpp index af7b345..e730b85 100644 --- a/API/glib/JSCOptions.cpp +++ b/API/glib/JSCOptions.cpp @@ -31,7 +31,7 @@ * @title: JSCOptions * * JavaScript options allow changing the behavior of the JavaScript engine. - * They affect the way the engine works, so it's encouraged to set the options + * They affect the way the engine works, so the options must be set * at the very beginning of the program execution, before any other JavaScript * API call. Most of the options are only useful for testing and debugging. * Only a few of them are documented; you can use the undocumented options at @@ -166,9 +166,9 @@ static void valueToGValue(GCLogging::Level value, GValue* gValue) static gboolean jscOptionsSetValue(const char* option, const GValue* value) { -#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \ +#define SET_OPTION_VALUE(type_, name_, defaultValue_, availability_, description_) \ if (!g_strcmp0(#name_, option)) { \ - type_ valueToSet; \ + OptionsStorage::type_ valueToSet; \ if (!valueFromGValue(value, valueToSet)) \ return FALSE; \ Options::name_() = valueToSet; \ 
@@ -176,24 +176,24 @@ static gboolean jscOptionsSetValue(const char* option, const GValue* value) } Options::initialize(); - JSC_OPTIONS(FOR_EACH_OPTION) -#undef FOR_EACH_OPTION + FOR_EACH_JSC_OPTION(SET_OPTION_VALUE) +#undef SET_OPTION_VALUE return FALSE; } static gboolean jscOptionsGetValue(const char* option, GValue* value) { -#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \ +#define GET_OPTION_VALUE(type_, name_, defaultValue_, availability_, description_) \ if (!g_strcmp0(#name_, option)) { \ - type_ valueToGet = Options::name_(); \ + OptionsStorage::type_ valueToGet = Options::name_(); \ valueToGValue(valueToGet, value); \ return TRUE; \ } Options::initialize(); - JSC_OPTIONS(FOR_EACH_OPTION) -#undef FOR_EACH_OPTION + FOR_EACH_JSC_OPTION(GET_OPTION_VALUE) +#undef GET_OPTION_VALUE return FALSE; } @@ -614,18 +614,18 @@ void jsc_options_foreach(JSCOptionsFunc function, gpointer userData) { g_return_if_fail(function); -#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \ +#define VISIT_OPTION(type_, name_, defaultValue_, availability_, description_) \ if (Options::Availability::availability_ == Options::Availability::Normal \ || Options::isAvailable(Options::name_##ID, Options::Availability::availability_)) { \ - type_ defaultValue { }; \ + OptionsStorage::type_ defaultValue { }; \ auto optionType = jscOptionsType(defaultValue); \ if (function (#name_, optionType, description_, userData)) \ return; \ } Options::initialize(); - JSC_OPTIONS(FOR_EACH_OPTION) -#undef FOR_EACH_OPTION + FOR_EACH_JSC_OPTION(VISIT_OPTION) +#undef VISIT_OPTION } static gboolean setOptionEntry(const char* optionNameFull, const char* value, gpointer, GError** error) 
@@ -664,7 +664,7 @@ GOptionGroup* jsc_options_get_option_group(void) g_option_group_set_translation_domain(group, GETTEXT_PACKAGE); GArray* entries = g_array_new(TRUE, TRUE, sizeof(GOptionEntry)); -#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \ +#define REGISTER_OPTION(type_, name_, defaultValue_, availability_, description_) \ if (Options::Availability::availability_ == Options::Availability::Normal \ || Options::isAvailable(Options::name_##ID, Options::Availability::availability_)) { \ GUniquePtr name(g_strdup_printf("jsc-%s", #name_)); \ @@ -678,8 +678,8 @@ GOptionGroup* jsc_options_get_option_group(void) } Options::initialize(); - JSC_OPTIONS(FOR_EACH_OPTION) -#undef FOR_EACH_OPTION + FOR_EACH_JSC_OPTION(REGISTER_OPTION) +#undef REGISTER_OPTION g_option_group_add_entries(group, reinterpret_cast(entries->data)); return group; diff --git a/API/glib/JSCValue.cpp b/API/glib/JSCValue.cpp index 5e17749..190cb88 100644 --- a/API/glib/JSCValue.cpp +++ b/API/glib/JSCValue.cpp @@ -28,6 +28,7 @@ #include "JSCInlines.h" #include "JSCValuePrivate.h" #include "JSRetainPtr.h" +#include "LiteralParser.h" #include "OpaqueJSString.h" #include #include @@ -472,8 +473,11 @@ JSCValue* jsc_value_new_array(JSCContext* context, GType firstItemType, ...) { g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr); - JSValueRef exception = nullptr; auto* jsContext = jscContextGetJSContext(context); + JSC::JSGlobalObject* globalObject = toJS(jsContext); + JSC::JSLockHolder locker(globalObject); + + JSValueRef exception = nullptr; auto* jsArray = JSObjectMakeArray(jsContext, 0, nullptr, &exception); if (jscContextHandleExceptionIfNeeded(context, exception)) return nullptr; 
@@ -491,7 +495,7 @@ JSCValue* jsc_value_new_array(JSCContext* context, GType firstItemType, ...) GUniqueOutPtr error; G_VALUE_COLLECT_INIT(&item, itemType, args, G_VALUE_NOCOPY_CONTENTS, &error.outPtr()); if (error) { - exception = toRef(JSC::createTypeError(toJS(jsContext), makeString("failed to collect array item: ", error.get()))); + exception = toRef(JSC::createTypeError(globalObject, makeString("failed to collect array item: ", error.get()))); jscContextHandleExceptionIfNeeded(context, exception); jsArray = nullptr; break; @@ -878,6 +882,8 @@ static GRefPtr jscValueCallFunction(JSCValue* value, JSObjectRef funct { JSCValuePrivate* priv = value->priv; auto* jsContext = jscContextGetJSContext(priv->context.get()); + JSC::JSGlobalObject* globalObject = toJS(jsContext); + JSC::JSLockHolder locker(globalObject); JSValueRef exception = nullptr; Vector arguments; @@ -887,7 +893,7 @@ static GRefPtr jscValueCallFunction(JSCValue* value, JSObjectRef funct GUniqueOutPtr error; G_VALUE_COLLECT_INIT(¶meter, parameterType, args, G_VALUE_NOCOPY_CONTENTS, &error.outPtr()); if (error) { - exception = toRef(JSC::createTypeError(toJS(jsContext), makeString("failed to collect function paramater: ", error.get()))); + exception = toRef(JSC::createTypeError(globalObject, makeString("failed to collect function paramater: ", error.get()))); jscContextHandleExceptionIfNeeded(priv->context.get(), exception); return adoptGRef(jsc_value_new_undefined(priv->context.get())); } @@ -1004,7 +1010,7 @@ JSCValue* jsc_value_object_invoke_methodv(JSCValue* value, const char* name, uns auto result = jsObjectCall(jsContext, function, JSC::JSCCallbackFunction::Type::Method, object, arguments, &exception); if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception)) - jsc_value_new_undefined(priv->context.get()); + return jsc_value_new_undefined(priv->context.get()); return jscContextGetOrCreateValue(priv->context.get(), result).leakRef(); } 
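Review bot: The TypeError text in jscValueCallFunction still reads `"failed to collect function paramater: "`; since the hunk already rewrites that line (swapping in `globalObject`), it is the right moment to correct it to `parameter` — only the user-visible wording changes. The added `return` in jsc_value_object_invoke_methodv is a genuine fix: without it the freshly created undefined value appears to have leaked and execution fell through to wrap a `result` that was produced while an exception was pending.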
@@ -1039,15 +1045,15 @@ void jsc_value_object_define_property_data(JSCValue* value, const char* property JSCValuePrivate* priv = value->priv; auto* jsContext = jscContextGetJSContext(priv->context.get()); - JSC::ExecState* exec = toJS(jsContext); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(jsContext); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSC::JSValue jsValue = toJS(exec, priv->jsValue); - JSC::JSObject* object = jsValue.toObject(exec); + JSC::JSValue jsValue = toJS(globalObject, priv->jsValue); + JSC::JSObject* object = jsValue.toObject(globalObject); JSValueRef exception = nullptr; - if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) { + if (handleExceptionIfNeeded(scope, jsContext, &exception) == ExceptionStatus::DidThrow) { jscContextHandleExceptionIfNeeded(priv->context.get(), exception); return; } @@ -1057,12 +1063,12 @@ void jsc_value_object_define_property_data(JSCValue* value, const char* property return; JSC::PropertyDescriptor descriptor; - descriptor.setValue(toJS(exec, propertyValue->priv->jsValue)); + descriptor.setValue(toJS(globalObject, propertyValue->priv->jsValue)); descriptor.setEnumerable(flags & JSC_VALUE_PROPERTY_ENUMERABLE); descriptor.setConfigurable(flags & JSC_VALUE_PROPERTY_CONFIGURABLE); descriptor.setWritable(flags & JSC_VALUE_PROPERTY_WRITABLE); - object->methodTable(vm)->defineOwnProperty(object, exec, name->identifier(&vm), descriptor, true); - if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) { + object->methodTable(vm)->defineOwnProperty(object, globalObject, name->identifier(&vm), descriptor, true); + if (handleExceptionIfNeeded(scope, jsContext, &exception) == ExceptionStatus::DidThrow) { jscContextHandleExceptionIfNeeded(priv->context.get(), exception); return; } 
@@ -1099,15 +1105,15 @@ void jsc_value_object_define_property_accessor(JSCValue* value, const char* prop JSCValuePrivate* priv = value->priv; auto* jsContext = jscContextGetJSContext(priv->context.get()); - JSC::ExecState* exec = toJS(jsContext); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(jsContext); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); auto scope = DECLARE_CATCH_SCOPE(vm); - JSC::JSValue jsValue = toJS(exec, priv->jsValue); - JSC::JSObject* object = jsValue.toObject(exec); + JSC::JSValue jsValue = toJS(globalObject, priv->jsValue); + JSC::JSObject* object = jsValue.toObject(globalObject); JSValueRef exception = nullptr; - if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) { + if (handleExceptionIfNeeded(scope, jsContext, &exception) == ExceptionStatus::DidThrow) { jscContextHandleExceptionIfNeeded(priv->context.get(), exception); return; } 
@@ -1121,18 +1127,18 @@ void jsc_value_object_define_property_accessor(JSCValue* value, const char* prop descriptor.setConfigurable(flags & JSC_VALUE_PROPERTY_CONFIGURABLE); if (getter) { GRefPtr closure = adoptGRef(g_cclosure_new(getter, userData, reinterpret_cast(reinterpret_cast(destroyNotify)))); - auto function = JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), "get"_s, + auto function = JSC::JSCCallbackFunction::create(vm, globalObject, "get"_s, JSC::JSCCallbackFunction::Type::Method, nullptr, WTFMove(closure), propertyType, Vector { }); descriptor.setGetter(function); } if (setter) { GRefPtr closure = adoptGRef(g_cclosure_new(setter, userData, getter ? nullptr : reinterpret_cast(reinterpret_cast(destroyNotify)))); - auto function = JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), "set"_s, + auto function = JSC::JSCCallbackFunction::create(vm, globalObject, "set"_s, JSC::JSCCallbackFunction::Type::Method, nullptr, WTFMove(closure), G_TYPE_NONE, Vector { propertyType }); descriptor.setSetter(function); } - object->methodTable(vm)->defineOwnProperty(object, exec, name->identifier(&vm), descriptor, true); - if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) { + object->methodTable(vm)->defineOwnProperty(object, globalObject, name->identifier(&vm), descriptor, true); + if (handleExceptionIfNeeded(scope, jsContext, &exception) == ExceptionStatus::DidThrow) { jscContextHandleExceptionIfNeeded(priv->context.get(), exception); return; } 
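Review bot: The asymmetry in the setter's `g_cclosure_new(setter, userData, getter ? nullptr : … destroyNotify)` is load-bearing — `userData` is shared by the getter and setter closures, so only one of them may own the destroy notify — but nothing in the hunk says so, and a reader could "fix" the setter to pass it too and introduce a double free. Suggest a comment above the setter block: `// userData is shared by the getter and setter closures; attach destroyNotify to only one of them so it runs exactly once.` The rest of the hunk is the mechanical ExecState→JSGlobalObject substitution and looks right.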
@@ -1147,10 +1153,10 @@ static GRefPtr jscValueFunctionCreate(JSCContext* context, const char* closure = adoptGRef(g_cclosure_new_swap(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify)))); else closure = adoptGRef(g_cclosure_new(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify)))); - JSC::ExecState* exec = toJS(jscContextGetJSContext(context)); - JSC::VM& vm = exec->vm(); + JSC::JSGlobalObject* globalObject = toJS(jscContextGetJSContext(context)); + JSC::VM& vm = globalObject->vm(); JSC::JSLockHolder locker(vm); - auto* functionObject = toRef(JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), name ? String::fromUTF8(name) : "anonymous"_s, + auto* functionObject = toRef(JSC::JSCCallbackFunction::create(vm, globalObject, name ? String::fromUTF8(name) : "anonymous"_s, JSC::JSCCallbackFunction::Type::Function, nullptr, WTFMove(closure), returnType, WTFMove(parameters))); return jscContextGetOrCreateValue(context, functionObject); } 
@@ -1441,3 +1447,83 @@ JSCValue* jsc_value_constructor_callv(JSCValue* value, unsigned parametersCount, return jscContextGetOrCreateValue(priv->context.get(), result).leakRef(); } + +/** + * jsc_value_new_from_json: + * @context: a #JSCContext + * @json: the JSON string to be parsed + * + * Create a new #JSCValue referencing a new value created by parsing @json. + * + * Returns: (transfer full): a #JSCValue. + * + * Since: 2.28 + */ +JSCValue* jsc_value_new_from_json(JSCContext* context, const char* json) +{ + g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr); + + if (!json) + return jsc_value_new_null(context); + + auto* jsContext = jscContextGetJSContext(context); + JSC::JSGlobalObject* globalObject = toJS(jsContext); + JSC::JSLockHolder locker(globalObject); + + JSValueRef exception = nullptr; + JSC::JSValue jsValue; + String jsonString = String::fromUTF8(json); + if (jsonString.is8Bit()) { + JSC::LiteralParser jsonParser(globalObject, jsonString.characters8(), jsonString.length(), JSC::StrictJSON); + jsValue = jsonParser.tryLiteralParse(); + if (!jsValue) + exception = toRef(JSC::createSyntaxError(globalObject, jsonParser.getErrorMessage())); + } else { + JSC::LiteralParser jsonParser(globalObject, jsonString.characters16(), jsonString.length(), JSC::StrictJSON); + jsValue = jsonParser.tryLiteralParse(); + if (!jsValue) + exception = toRef(JSC::createSyntaxError(globalObject, jsonParser.getErrorMessage())); + } + + if (exception) { + jscContextHandleExceptionIfNeeded(context, exception); + return nullptr; + } + + return jsValue ? jscContextGetOrCreateValue(context, toRef(globalObject, jsValue)).leakRef() : nullptr; +} + +/** + * jsc_value_to_json: + * @value: a #JSCValue + * @indent: The number of spaces to indent when nesting. + * + * Create a JSON string of @value serialization. If @indent is 0, the resulting JSON will + * not contain newlines. The size of the indent is clamped to 10 spaces. 
+ * + * Returns: (transfer full): a null-terminated JSON string with serialization of @value + * + * Since: 2.28 + */ +char* jsc_value_to_json(JSCValue* value, unsigned indent) +{ + g_return_val_if_fail(JSC_IS_VALUE(value), nullptr); + + JSCValuePrivate* priv = value->priv; + JSValueRef exception = nullptr; + JSRetainPtr jsJSON(Adopt, JSValueCreateJSONString(jscContextGetJSContext(priv->context.get()), priv->jsValue, indent, &exception)); + if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception)) + return nullptr; + + if (!jsJSON) + return nullptr; + + size_t maxSize = JSStringGetMaximumUTF8CStringSize(jsJSON.get()); + auto* json = static_cast(g_malloc(maxSize)); + if (!JSStringGetUTF8CString(jsJSON.get(), json, maxSize)) { + g_free(json); + return nullptr; + } + + return json; +} diff --git a/API/glib/JSCValue.h b/API/glib/JSCValue.h index fae6267..5f65497 100644 --- a/API/glib/JSCValue.h +++ b/API/glib/JSCValue.h @@ -260,6 +260,14 @@ jsc_value_constructor_callv (JSCValue *value, guint n_parameters, JSCValue **parameters); +JSC_API JSCValue * +jsc_value_new_from_json (JSCContext *context, + const char *json); + +JSC_API char * +jsc_value_to_json (JSCValue *value, + guint indent); + G_END_DECLS #endif /* JSCValue_h */ diff --git a/API/glib/JSCValuePrivate.h b/API/glib/JSCValuePrivate.h index 6214435..98ae5fe 100644 --- a/API/glib/JSCValuePrivate.h +++ b/API/glib/JSCValuePrivate.h @@ -21,5 +21,5 @@ #include "JSCValue.h" -JSValueRef jscValueGetJSValue(JSCValue*); +JS_EXPORT_PRIVATE JSValueRef jscValueGetJSValue(JSCValue*); JSCValue* jscValueCreate(JSCContext*, JSValueRef); diff --git a/API/glib/JSCVirtualMachine.cpp b/API/glib/JSCVirtualMachine.cpp index c061afe..1713248 100644 --- a/API/glib/JSCVirtualMachine.cpp +++ b/API/glib/JSCVirtualMachine.cpp 
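Review bot: Both new functions can return NULL without the docs saying so: jsc_value_new_from_json returns nullptr after raising the syntax error, and jsc_value_to_json returns nullptr when `JSValueCreateJSONString` yields no string (as JSON.stringify does for undefined, functions or symbols — no exception is set in that case, so the caller gets NULL with no error to inspect) or when `JSStringGetUTF8CString` fails. Mark both `Returns:` lines `(transfer full) (nullable)` and state the conditions, e.g. `Returns: (transfer full) (nullable): a #JSCValue, or %NULL if @json is not valid JSON (an exception is raised on @context)` and `Returns: (transfer full) (nullable): a null-terminated JSON string, or %NULL if @value cannot be serialized`. The closing `return jsValue ? … : nullptr;` is redundant, since every path that leaves `jsValue` empty already sets `exception` and returns. The 8-bit and 16-bit branches duplicate the parse-and-report logic and could share one small lambda templated on the character type.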
@@ -33,7 +33,7 @@ * @see_also: JSCContext * * JSCVirtualMachine represents a group of JSCContexts. It allows - * concurrent JavaScript exeution by creating a different instance of + * concurrent JavaScript execution by creating a different instance of * JSCVirtualMachine in each thread. * * To create a group of JSCContexts pass the same JSCVirtualMachine @@ -51,20 +51,24 @@ static Lock wrapperCacheMutex; static HashMap& wrapperMap() { - static NeverDestroyed> map; - return map; + static LazyNeverDestroyed> shared; + static std::once_flag onceKey; + std::call_once(onceKey, [&] { + shared.construct(); + }); + return shared; } static void addWrapper(JSContextGroupRef group, JSCVirtualMachine* vm) { - std::lock_guard lock(wrapperCacheMutex); + auto locker = holdLock(wrapperCacheMutex); ASSERT(!wrapperMap().contains(group)); wrapperMap().set(group, vm); } static void removeWrapper(JSContextGroupRef group) { - std::lock_guard lock(wrapperCacheMutex); + auto locker = holdLock(wrapperCacheMutex); ASSERT(wrapperMap().contains(group)); wrapperMap().remove(group); } diff --git a/API/glib/JSCWeakValue.cpp b/API/glib/JSCWeakValue.cpp index 9897ee3..df9799b 100644 --- a/API/glib/JSCWeakValue.cpp +++ b/API/glib/JSCWeakValue.cpp @@ -70,9 +70,9 @@ static void jscWeakValueClear(JSCWeakValue* weakValue) priv->weakValueRef.clear(); } -class JSCWeakValueHandleOwner : public JSC::WeakHandleOwner { +class JSCWeakValueHandleOwner final : public JSC::WeakHandleOwner { public: - void finalize(JSC::Handle, void* context) override + void finalize(JSC::Handle, void* context) final { auto* weakValue = JSC_WEAK_VALUE(context); jscWeakValueClear(weakValue); 
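Review bot: The `LazyNeverDestroyed` + `std::call_once` rewrite of wrapperMap() replaces a function-local `static NeverDestroyed` without stating the reason; presumably it is that this tree does not rely on thread-safe function-local statics (the usual WebKit motivation), which is worth recording: `// Built via call_once rather than a function-local static so construction is thread-safe regardless of -fno-threadsafe-statics.` — confirm that is the motivation. The `[&]` capture in the lambda is unnecessary for a static and could be `[]`. Both callers in this hunk take wrapperCacheMutex first, so the map's contents are still protected by that lock rather than by call_once, which only covers construction.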
@@ -90,14 +90,13 @@ static void jscWeakValueInitialize(JSCWeakValue* weakValue, JSCValue* value) { JSCWeakValuePrivate* priv = weakValue->priv; auto* jsContext = jscContextGetJSContext(jsc_value_get_context(value)); - JSC::ExecState* exec = toJS(jsContext); - JSC::JSGlobalObject* globalObject = exec->lexicalGlobalObject(); + JSC::JSGlobalObject* globalObject = toJS(jsContext); auto& owner = weakValueHandleOwner(); JSC::Weak weak(globalObject, &owner, weakValue); priv->globalObject.swap(weak); - priv->lock = &exec->vm().apiLock(); + priv->lock = &globalObject->vm().apiLock(); - JSC::JSValue jsValue = toJS(exec, jscValueGetJSValue(value)); + JSC::JSValue jsValue = toJS(globalObject, jscValueGetJSValue(value)); if (jsValue.isObject()) priv->weakValueRef.setObject(JSC::jsCast(jsValue.asCell()), owner, weakValue); else if (jsValue.isString()) @@ -206,7 +205,7 @@ JSCValue* jsc_weak_value_get_value(JSCWeakValue* weakValue) else value = priv->weakValueRef.object(); - JSC::ExecState* exec = priv->globalObject->globalExec(); - GRefPtr context = jscContextGetOrCreate(toGlobalRef(exec)); - return jscContextGetOrCreateValue(context.get(), toRef(exec, value)).leakRef(); + JSC::JSGlobalObject* globalObject = priv->globalObject.get(); + GRefPtr context = jscContextGetOrCreate(toGlobalRef(globalObject)); + return jscContextGetOrCreateValue(context.get(), toRef(globalObject, value)).leakRef(); } diff --git a/API/glib/JSCWrapperMap.cpp b/API/glib/JSCWrapperMap.cpp index 11bb7c0..c6211dc 100644 --- a/API/glib/JSCWrapperMap.cpp +++ b/API/glib/JSCWrapperMap.cpp @@ -33,7 +33,7 @@ namespace JSC { WrapperMap::WrapperMap(JSGlobalContextRef jsContext) - : m_cachedJSWrappers(std::make_unique>(toJS(jsContext)->vm())) + : m_cachedJSWrappers(makeUnique>(toJS(jsContext)->vm())) { } 
@@ -77,17 +77,17 @@ JSCClass* WrapperMap::registeredClass(JSClassRef jsClass) const JSObject* WrapperMap::createJSWrappper(JSGlobalContextRef jsContext, JSClassRef jsClass, JSValueRef prototype, gpointer wrappedObject, GDestroyNotify destroyFunction) { ASSERT(toJSGlobalObject(jsContext)->wrapperMap() == this); - ExecState* exec = toJS(jsContext); - VM& vm = exec->vm(); + JSGlobalObject* globalObject = toJS(jsContext); + VM& vm = globalObject->vm(); JSLockHolder locker(vm); - auto* object = JSC::JSCallbackObject::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->glibWrapperObjectStructure(), jsClass, nullptr); + auto* object = JSC::JSCallbackObject::create(globalObject, globalObject->glibWrapperObjectStructure(), jsClass, nullptr); if (wrappedObject) { object->setWrappedObject(new JSC::JSCGLibWrapperObject(wrappedObject, destroyFunction)); m_cachedJSWrappers->set(wrappedObject, object); } if (prototype) JSObjectSetPrototype(jsContext, toRef(object), prototype); - else if (auto* jsPrototype = jsClass->prototype(exec)) + else if (auto* jsPrototype = jsClass->prototype(globalObject)) object->setPrototypeDirect(vm, jsPrototype); return object; } 
@@ -101,15 +101,14 @@ JSGlobalContextRef WrapperMap::createContextWithJSWrappper(JSContextGroupRef jsG globalObject->setWrappedObject(new JSC::JSCGLibWrapperObject(wrappedObject, destroyFunction)); m_cachedJSWrappers->set(wrappedObject, globalObject); } - ExecState* exec = globalObject->globalExec(); if (prototype) - globalObject->resetPrototype(vm.get(), toJS(exec, prototype)); - else if (auto jsPrototype = jsClass->prototype(exec)) + globalObject->resetPrototype(vm.get(), toJS(globalObject, prototype)); + else if (auto jsPrototype = jsClass->prototype(globalObject)) globalObject->resetPrototype(vm.get(), jsPrototype); else globalObject->resetPrototype(vm.get(), jsNull()); - return JSGlobalContextRetain(toGlobalRef(exec)); + return JSGlobalContextRetain(toGlobalRef(globalObject)); } JSObject* WrapperMap::jsWrapper(gpointer wrappedObject) const diff --git a/API/glib/docs/jsc-glib-4.0-sections.txt b/API/glib/docs/jsc-glib-4.0-sections.txt index 3ae2225..36a0c8d 100644 --- a/API/glib/docs/jsc-glib-4.0-sections.txt +++ b/API/glib/docs/jsc-glib-4.0-sections.txt @@ -113,6 +113,8 @@ jsc_value_function_callv jsc_value_is_constructor jsc_value_constructor_call jsc_value_constructor_callv +jsc_value_new_from_json +jsc_value_to_json JSCValueClass diff --git a/API/glib/docs/jsc-glib-docs.sgml b/API/glib/docs/jsc-glib-docs.sgml index 1c2db5c..ca3eb5d 100644 --- a/API/glib/docs/jsc-glib-docs.sgml +++ b/API/glib/docs/jsc-glib-docs.sgml @@ -30,5 +30,10 @@ + + Index of new symbols in 2.28 + + + diff --git a/API/tests/CompareAndSwapTest.cpp b/API/tests/CompareAndSwapTest.cpp index 7c5b128..71d1c33 100644 --- a/API/tests/CompareAndSwapTest.cpp +++ b/API/tests/CompareAndSwapTest.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015 Apple Inc. All rights reserved. + * Copyright (C) 2015-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -40,11 +40,11 @@ public: inline size_t numBits() const { return words * wordSize; } private: - static const size_t Size = 4096*10; + static constexpr size_t Size = 4096*10; - static const unsigned wordSize = sizeof(uint8_t) * 8; - static const unsigned words = (Size + wordSize - 1) / wordSize; - static const uint8_t one = 1; + static constexpr unsigned wordSize = sizeof(uint8_t) * 8; + static constexpr unsigned words = (Size + wordSize - 1) / wordSize; + static constexpr uint8_t one = 1; uint8_t bits[words]; }; @@ -100,7 +100,7 @@ void testCompareAndSwap() RefPtr threads[numThreads]; Data data[numThreads]; - WTF::initializeThreading(); + WTF::initialize(); printf("Starting %d threads for CompareAndSwap test. Test should complete without hanging.\n", numThreads); for (int i = 0; i < numThreads; i++) { diff --git a/API/tests/CurrentThisInsideBlockGetterTest.mm b/API/tests/CurrentThisInsideBlockGetterTest.mm index bd7e8a6..0d91747 100644 --- a/API/tests/CurrentThisInsideBlockGetterTest.mm +++ b/API/tests/CurrentThisInsideBlockGetterTest.mm @@ -23,8 +23,8 @@ * THE POSSIBILITY OF SUCH DAMAGE. */ -#include "config.h" -#include "CurrentThisInsideBlockGetterTest.h" +#import "config.h" +#import "CurrentThisInsideBlockGetterTest.h" #if JSC_OBJC_API_ENABLED diff --git a/API/tests/ExecutionTimeLimitTest.cpp b/API/tests/ExecutionTimeLimitTest.cpp index 9c86700..b197dd5 100644 --- a/API/tests/ExecutionTimeLimitTest.cpp +++ b/API/tests/ExecutionTimeLimitTest.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015 Apple Inc. All rights reserved. + * Copyright (C) 2015-2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -30,8 +30,6 @@ #include "JSContextRefPrivate.h" #include "JavaScript.h" #include "Options.h" - -#include #include #include #include 
@@ -78,7 +76,7 @@ static bool extendTerminateCallback(JSContextRef ctx, void*) extendTerminateCallbackCalled++; if (extendTerminateCallbackCalled == 1) { JSContextGroupRef contextGroup = JSContextGetGroup(ctx); - JSContextGroupSetExecutionTimeLimit(contextGroup, .200f, extendTerminateCallback, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, .200f, extendTerminateCallback, nullptr); return false; } return true; @@ -122,13 +120,14 @@ int testExecutionTimeLimit() { "LLINT", 0_ms, "--useConcurrentJIT=false --useLLInt=true --useJIT=false" }, { "Baseline", 0_ms, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=false" }, { "DFG", 200_ms, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=true --useFTLJIT=false" }, +#if ENABLE(FTL_JIT) { "FTL", 500_ms, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=true --useFTLJIT=true" }, +#endif }; bool failed = false; - JSC::initializeThreading(); - Options::initialize(); // Ensure options is initialized first. + JSC::initialize(); for (auto tierOptions : tierOptionsList) { StringBuilder savedOptionsBuilder; @@ -154,9 +153,13 @@ int testExecutionTimeLimit() /* Test script on another thread: */ timeLimit = 100_ms + tierAdjustment; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, nullptr); { +#if OS(LINUX) && (CPU(MIPS) || CPU(ARM_THUMB2)) + Seconds timeAfterWatchdogShouldHaveFired = 500_ms + tierAdjustment; +#else Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; +#endif JSStringRef script = JSStringCreateWithUTF8CString("function foo() { while (true) { } } foo();"); exception = nullptr; 
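Review bot: The new `#if OS(LINUX) && (CPU(MIPS) || CPU(ARM_THUMB2))` branch raises `timeAfterWatchdogShouldHaveFired` to 500_ms without saying why those targets get a longer window, so whoever next tunes these timeouts cannot tell whether this covers slow hardware, a slow bot, or a known watchdog latency on those ports. Put the reason in a one-line comment above the `#if`, e.g. `// TODO(review): record why these targets need 500ms before the watchdog is expected to have fired (presumably slower CI hardware)`, replacing the placeholder once the reason is known. The enclosing testExecutionTimeLimit() starts and ends outside this hunk.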
@@ -188,16 +191,22 @@ int testExecutionTimeLimit() /* Test script timeout: */ timeLimit = 100_ms + tierAdjustment; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, nullptr); { Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; - StringBuilder scriptBuilder; - scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); - scriptBuilder.appendLiteral(") break; } } foo();"); + CString scriptText = makeString( + "function foo() {" + "var startTime = currentCPUTime();" + "while (true) {" + "for (var i = 0; i < 1000; i++);" + "if (currentCPUTime() - startTime > ", timeAfterWatchdogShouldHaveFired.seconds(), ") break;" + "}" + "}" + "foo();" + ).utf8(); - JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); + JSStringRef script = JSStringCreateWithUTF8CString(scriptText.data()); exception = nullptr; shouldTerminateCallbackWasCalled = false; auto startTime = CPUTime::forCurrentThread(); 
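Review bot: The busy-loop script assembled with `makeString(...)` in this hunk is repeated almost verbatim in the hunks at L221 (wrapped in try/catch), L222, L223, L224 and L225, differing only in the name of the `Seconds` variable spliced into the JS source, so any future change to the loop body has to be made in six places. A small static helper taking the limit and a try/catch flag would remove the duplication and give one place to comment that a `double` is being formatted into JS source by WTF's default number-to-string conversion (the old `appendFixedPrecisionNumber` made that explicit). The enclosing testExecutionTimeLimit() starts and ends outside this hunk.
```cpp
// Builds the CPU-bounded busy loop used by the timeout tests; `limit` is spliced into JS source as seconds.
static CString busyLoopScript(Seconds limit, bool wrapInTryCatch = false)
{
    return makeString(
        "function foo() {"
        "var startTime = currentCPUTime();",
        wrapInTryCatch ? "try {" : "",
        "while (true) {"
        "for (var i = 0; i < 1000; i++);"
        "if (currentCPUTime() - startTime > ", limit.seconds(), ") break;"
        "}",
        wrapInTryCatch ? "} catch(e) { }" : "",
        "}"
        "foo();"
    ).utf8();
}

// … unchanged: each test site then reads …
CString scriptText = busyLoopScript(timeAfterWatchdogShouldHaveFired);
```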
@@ -225,23 +234,22 @@ int testExecutionTimeLimit() /* Test script timeout with tail calls: */ timeLimit = 100_ms + tierAdjustment; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, nullptr); { Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; - StringBuilder scriptBuilder; - scriptBuilder.appendLiteral("var startTime = currentCPUTime();" - "function recurse(i) {" - "'use strict';" - "if (i % 1000 === 0) {" - "if (currentCPUTime() - startTime >"); - scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); - scriptBuilder.appendLiteral(" ) { return; }"); - scriptBuilder.appendLiteral(" }"); - scriptBuilder.appendLiteral(" return recurse(i + 1); }"); - scriptBuilder.appendLiteral("recurse(0);"); + CString scriptText = makeString( + "var startTime = currentCPUTime();" + "function recurse(i) {" + "'use strict';" + "if (i % 1000 === 0) {" + "if (currentCPUTime() - startTime >", timeAfterWatchdogShouldHaveFired.seconds(), ") { return; }" + "}" + "return recurse(i + 1); }" + "recurse(0);" + ).utf8(); - JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); + JSStringRef script = JSStringCreateWithUTF8CString(scriptText.data()); exception = nullptr; shouldTerminateCallbackWasCalled = false; auto startTime = CPUTime::forCurrentThread(); 
@@ -269,16 +277,24 @@ int testExecutionTimeLimit() /* Test the script timeout's TerminatedExecutionException should NOT be catchable: */ timeLimit = 100_ms + tierAdjustment; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, nullptr); { Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; - StringBuilder scriptBuilder; - scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); try { while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); - scriptBuilder.appendLiteral(") break; } } catch(e) { } } foo();"); + CString scriptText = makeString( + "function foo() {" + "var startTime = currentCPUTime();" + "try {" + "while (true) {" + "for (var i = 0; i < 1000; i++);" + "if (currentCPUTime() - startTime > ", timeAfterWatchdogShouldHaveFired.seconds(), ") break;" + "}" + "} catch(e) { }" + "}" + "foo();" + ).utf8(); - JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); + JSStringRef script = JSStringCreateWithUTF8CString(scriptText.data()); exception = nullptr; shouldTerminateCallbackWasCalled = false; 
@@ -308,16 +324,22 @@ int testExecutionTimeLimit() /* Test script timeout with no callback: */ timeLimit = 100_ms + tierAdjustment; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), 0, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), nullptr, nullptr); { Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; - StringBuilder scriptBuilder; - scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); - scriptBuilder.appendLiteral(") break; } } foo();"); + CString scriptText = makeString( + "function foo() {" + "var startTime = currentCPUTime();" + "while (true) {" + "for (var i = 0; i < 1000; i++);" + "if (currentCPUTime() - startTime > ", timeAfterWatchdogShouldHaveFired.seconds(), ") break;" + "}" + "}" + "foo();" + ).utf8(); - JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); + JSStringRef script = JSStringCreateWithUTF8CString(scriptText.data()); exception = nullptr; shouldTerminateCallbackWasCalled = false; 
@@ -347,16 +369,22 @@ int testExecutionTimeLimit() /* Test script timeout cancellation: */ timeLimit = 100_ms + tierAdjustment; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), cancelTerminateCallback, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), cancelTerminateCallback, nullptr); { Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; - StringBuilder scriptBuilder; - scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); - scriptBuilder.appendLiteral(") break; } } foo();"); + CString scriptText = makeString( + "function foo() {" + "var startTime = currentCPUTime();" + "while (true) {" + "for (var i = 0; i < 1000; i++);" + "if (currentCPUTime() - startTime > ", timeAfterWatchdogShouldHaveFired.seconds(), ") break;" + "}" + "}" + "foo();" + ).utf8(); - JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); + JSStringRef script = JSStringCreateWithUTF8CString(scriptText.data()); exception = nullptr; cancelTerminateCallbackWasCalled = false; 
@@ -384,18 +412,24 @@ int testExecutionTimeLimit() /* Test script timeout extension: */ timeLimit = 100_ms + tierAdjustment; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), extendTerminateCallback, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), extendTerminateCallback, nullptr); { Seconds timeBeforeExtendedDeadline = 250_ms + tierAdjustment; Seconds timeAfterExtendedDeadline = 600_ms + tierAdjustment; Seconds maxBusyLoopTime = 750_ms + tierAdjustment; - StringBuilder scriptBuilder; - scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendFixedPrecisionNumber(maxBusyLoopTime.seconds()); // in seconds. - scriptBuilder.appendLiteral(") break; } } foo();"); + CString scriptText = makeString( + "function foo() {" + "var startTime = currentCPUTime();" + "while (true) {" + "for (var i = 0; i < 1000; i++);" + "if (currentCPUTime() - startTime > ", maxBusyLoopTime.seconds(), ") break;" + "}" + "}" + "foo();" + ).utf8(); - JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); + JSStringRef script = JSStringCreateWithUTF8CString(scriptText.data()); exception = nullptr; extendTerminateCallbackCalled = 0; 
@@ -429,16 +463,22 @@ int testExecutionTimeLimit() #if HAVE(MACH_EXCEPTIONS) /* Test script timeout from dispatch queue: */ timeLimit = 100_ms + tierAdjustment; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), dispatchTermitateCallback, 0); + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), dispatchTermitateCallback, nullptr); { Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; - StringBuilder scriptBuilder; - scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); - scriptBuilder.appendLiteral(") break; } } foo();"); + CString scriptText = makeString( + "function foo() {" + "var startTime = currentCPUTime();" + "while (true) {" + "for (var i = 0; i < 1000; i++);" + "if (currentCPUTime() - startTime > ", timeAfterWatchdogShouldHaveFired.seconds(), ") break;" + "}" + "}" + "foo();" + ).utf8(); - JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); + JSStringRef script = JSStringCreateWithUTF8CString(scriptText.data()); exception = nullptr; dispatchTerminateCallbackCalled = false; diff --git a/API/tests/FunctionOverridesTest.cpp b/API/tests/FunctionOverridesTest.cpp index 4629342..297faf1 100644 --- a/API/tests/FunctionOverridesTest.cpp +++ b/API/tests/FunctionOverridesTest.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2016 Apple Inc. All rights reserved. + * Copyright (C) 2016-2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -28,10 +28,8 @@ #include "FunctionOverrides.h" #include "InitializeThreading.h" -#include "JSContextRefPrivate.h" #include "JavaScript.h" #include "Options.h" -#include using JSC::Options; 
@@ -39,8 +37,7 @@ int testFunctionOverrides() { bool failed = false; - JSC::initializeThreading(); - Options::initialize(); // Ensure options is initialized first. + JSC::initialize(); const char* oldFunctionOverrides = Options::functionOverrides(); diff --git a/API/tests/GlobalContextWithFinalizerTest.h b/API/tests/GlobalContextWithFinalizerTest.h index 5f725e7..5672d22 100644 --- a/API/tests/GlobalContextWithFinalizerTest.h +++ b/API/tests/GlobalContextWithFinalizerTest.h @@ -25,8 +25,6 @@ #pragma once -#include "JSContextRefPrivate.h" - #ifdef __cplusplus extern "C" { #endif diff --git a/API/tests/JSONParseTest.cpp b/API/tests/JSONParseTest.cpp index d7e2bca..a062aab 100644 --- a/API/tests/JSONParseTest.cpp +++ b/API/tests/JSONParseTest.cpp @@ -43,14 +43,13 @@ int testJSONParse() JSLockHolder locker(vm.get()); JSGlobalObject* globalObject = JSGlobalObject::create(*vm, JSGlobalObject::createStructure(*vm, jsNull())); - ExecState* exec = globalObject->globalExec(); - JSValue v0 = JSONParse(exec, ""); - JSValue v1 = JSONParse(exec, "#$%^"); - JSValue v2 = JSONParse(exec, String()); + JSValue v0 = JSONParse(globalObject, ""); + JSValue v1 = JSONParse(globalObject, "#$%^"); + JSValue v2 = JSONParse(globalObject, String()); UChar emptyUCharArray[1] = { '\0' }; - JSValue v3 = JSONParse(exec, String(emptyUCharArray, 0)); + JSValue v3 = JSONParse(globalObject, String(emptyUCharArray, 0)); JSValue v4; - JSValue v5 = JSONParse(exec, "123"); + JSValue v5 = JSONParse(globalObject, "123"); failed = failed || (v0 != v1); failed = failed || (v1 != v2); diff --git a/API/tests/JSObjectGetProxyTargetTest.cpp b/API/tests/JSObjectGetProxyTargetTest.cpp index 71821ea..e924590 100644 --- a/API/tests/JSObjectGetProxyTargetTest.cpp +++ b/API/tests/JSObjectGetProxyTargetTest.cpp 
@@ -27,12 +27,10 @@ #include "JSObjectGetProxyTargetTest.h" #include "APICast.h" -#include "InitializeThreading.h" #include "JSCInlines.h" #include "JSObjectRefPrivate.h" #include "JSProxy.h" #include "JavaScript.h" -#include "Options.h" #include "ProxyObject.h" using namespace JSC; @@ -51,12 +49,11 @@ int testJSObjectGetProxyTarget() JSContextGroupRef group = JSContextGroupCreate(); JSGlobalContextRef context = JSGlobalContextCreateInGroup(group, nullptr); - ExecState* exec = toJS(context); VM& vm = *toJS(group); JSObjectRef globalObjectProxy = JSContextGetGlobalObject(context); JSGlobalObject* globalObjectObject; - JSObjectRef globalObject; + JSObjectRef globalObjectRef; JSProxy* jsProxyObject; { @@ -64,7 +61,7 @@ int testJSObjectGetProxyTarget() JSProxy* globalObjectProxyObject = jsCast(toJS(globalObjectProxy)); globalObjectObject = jsCast(globalObjectProxyObject->target()); Structure* proxyStructure = JSProxy::createStructure(vm, globalObjectObject, globalObjectObject->objectPrototype(), PureForwardingProxyType); - globalObject = toRef(globalObjectObject); + globalObjectRef = toRef(jsCast(globalObjectObject)); jsProxyObject = JSProxy::create(vm, proxyStructure); } @@ -76,7 +73,7 @@ int testJSObjectGetProxyTarget() JSLockHolder locker(vm); Structure* emptyObjectStructure = JSFinalObject::createStructure(vm, globalObjectObject, globalObjectObject->objectPrototype(), 0); JSObject* handler = JSFinalObject::create(vm, emptyObjectStructure); - proxyObjectObject = ProxyObject::create(exec, globalObjectObject, toJS(array), handler); + proxyObjectObject = ProxyObject::create(globalObjectObject, toJS(array), handler); } JSObjectRef jsProxy = toRef(jsProxyObject); 
@@ -91,11 +88,11 @@ int testJSObjectGetProxyTarget() jsProxyObject->setTarget(vm, globalObjectObject); } - test("proxy target of initialized JSProxy works", JSObjectGetProxyTarget(jsProxy) == globalObject); + test("proxy target of initialized JSProxy works", JSObjectGetProxyTarget(jsProxy) == globalObjectRef); test("proxy target of ProxyObject works", JSObjectGetProxyTarget(proxyObject) == array); - test("proxy target of GlobalObject is the globalObject", JSObjectGetProxyTarget(globalObjectProxy) == globalObject); + test("proxy target of GlobalObject is the globalObject", JSObjectGetProxyTarget(globalObjectProxy) == globalObjectRef); JSGlobalContextRelease(context); JSContextGroupRelease(group); diff --git a/API/tests/JSWrapperMapTests.mm b/API/tests/JSWrapperMapTests.mm index 931a945..ae484e9 100644 --- a/API/tests/JSWrapperMapTests.mm +++ b/API/tests/JSWrapperMapTests.mm @@ -28,6 +28,7 @@ #import "APICast.h" #import "HeapCellInlines.h" +#import "JSGlobalObjectInlines.h" #import "JSValue.h" #if JSC_OBJC_API_ENABLED 
@@ -55,15 +56,16 @@ extern "C" void checkResult(NSString *description, bool passed); { JSContext* context = [[JSContext alloc] init]; JSGlobalContextRef contextRef = JSGlobalContextRetain(context.JSGlobalContextRef); - JSC::ExecState* exec = toJS(contextRef); + JSC::JSGlobalObject* globalObject = toJS(contextRef); + JSC::VM& vm = globalObject->vm(); context[@"TestClass"] = [TestClass class]; JSValue* aWrapper = [context evaluateScript:@"new TestClass()"]; JSValue* bWrapper = [context evaluateScript:@"new TestClass()"]; - JSC::JSValue aValue = toJS(exec, aWrapper.JSValueRef); - JSC::JSValue bValue = toJS(exec, bWrapper.JSValueRef); - JSC::Structure* aStructure = aValue.structureOrNull(); - JSC::Structure* bStructure = bValue.structureOrNull(); + JSC::JSValue aValue = toJS(globalObject, aWrapper.JSValueRef); + JSC::JSValue bValue = toJS(globalObject, bWrapper.JSValueRef); + JSC::Structure* aStructure = aValue.structureOrNull(vm); + JSC::Structure* bStructure = bValue.structureOrNull(vm); checkResult(@"structure should not be null", !!aStructure); checkResult(@"both wrappers should share the same structure", aStructure == bStructure); } diff --git a/API/tests/MultithreadedMultiVMExecutionTest.cpp b/API/tests/MultithreadedMultiVMExecutionTest.cpp index b793258..5862337 100644 --- a/API/tests/MultithreadedMultiVMExecutionTest.cpp +++ b/API/tests/MultithreadedMultiVMExecutionTest.cpp @@ -27,9 +27,7 @@ #include "MultithreadedMultiVMExecutionTest.h" #include "InitializeThreading.h" -#include "JSContextRefPrivate.h" #include "JavaScript.h" -#include "Options.h" #include #include #include @@ -51,7 +49,7 @@ static std::vector& threadsList() void startMultithreadedMultiVMExecutionTest() { WTF::initializeMainThread(); - JSC::initializeThreading(); + JSC::initialize(); #define CHECK(condition, message) do { \ if (!condition) { \ diff --git a/API/tests/PingPongStackOverflowTest.cpp b/API/tests/PingPongStackOverflowTest.cpp index fbe4687..1312fb4 100644 
--- a/API/tests/PingPongStackOverflowTest.cpp +++ b/API/tests/PingPongStackOverflowTest.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015 Apple Inc. All rights reserved. + * Copyright (C) 2015-2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -27,7 +27,6 @@ #include "PingPongStackOverflowTest.h" #include "InitializeThreading.h" -#include "JSContextRefPrivate.h" #include "JavaScript.h" #include "Options.h" #include @@ -50,7 +49,7 @@ static bool PingPongStackOverflowObject_hasInstance(JSContextRef context, JSObje int countAtEntry = nativeRecursionCount++; - JSValueRef result = 0; + JSValueRef result = nullptr; if (nativeRecursionCount < 100) { JSObjectRef function = JSValueToObject(context, hasInstance, exception); result = JSObjectCallAsFunction(context, function, constructor, 1, &possibleValue, exception); @@ -65,7 +64,7 @@ static bool PingPongStackOverflowObject_hasInstance(JSContextRef context, JSObje builder.appendLiteral(");"); JSStringRef script = JSStringCreateWithUTF8CString(builder.toString().utf8().data()); - result = JSEvaluateScript(context, script, NULL, NULL, 1, exception); + result = JSEvaluateScript(context, script, nullptr, nullptr, 1, exception); JSStringRelease(script); } @@ -81,22 +80,22 @@ JSClassDefinition PingPongStackOverflowObject_definition = { kJSClassAttributeNone, "PingPongStackOverflowObject", - NULL, + nullptr, - NULL, - NULL, + nullptr, + nullptr, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, + nullptr, + nullptr, + nullptr, + nullptr, + nullptr, + nullptr, + nullptr, + nullptr, + nullptr, PingPongStackOverflowObject_hasInstance, - NULL, + nullptr, }; static JSClassRef PingPongStackOverflowObject_class(JSContextRef context) 
@@ -117,8 +116,7 @@ int testPingPongStackOverflow() { bool failed = false; - JSC::initializeThreading(); - Options::initialize(); // Ensure options is initialized first. + JSC::initialize(); auto origSoftReservedZoneSize = Options::softReservedZoneSize(); auto origReservedZoneSize = Options::reservedZoneSize(); @@ -151,9 +149,9 @@ int testPingPongStackOverflow() JSObjectRef globalObject = JSContextGetGlobalObject(context); ASSERT(JSValueIsObject(context, globalObject)); - JSObjectRef PingPongStackOverflowObject = JSObjectMake(context, PingPongStackOverflowObject_class(context), NULL); + JSObjectRef PingPongStackOverflowObject = JSObjectMake(context, PingPongStackOverflowObject_class(context), nullptr); JSStringRef PingPongStackOverflowObjectString = JSStringCreateWithUTF8CString("PingPongStackOverflowObject"); - JSObjectSetProperty(context, globalObject, PingPongStackOverflowObjectString, PingPongStackOverflowObject, kJSPropertyAttributeNone, NULL); + JSObjectSetProperty(context, globalObject, PingPongStackOverflowObjectString, PingPongStackOverflowObject, kJSPropertyAttributeNone, nullptr); JSStringRelease(PingPongStackOverflowObjectString); unsigned stackSize = 32 * KB; diff --git a/API/tests/TypedArrayCTest.cpp b/API/tests/TypedArrayCTest.cpp index b81b269..237bd46 100644 --- a/API/tests/TypedArrayCTest.cpp +++ b/API/tests/TypedArrayCTest.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2016 Apple Inc. All rights reserved. + * Copyright (C) 2016-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -40,7 +40,7 @@ static void freePtr(void* ptr, void*) free(ptr); } -static const unsigned numLengths = 3; +static constexpr unsigned numLengths = 3; static const unsigned lengths[numLengths] = { diff --git a/API/tests/minidom.c b/API/tests/minidom.c index 6ebb399..f4a074c 100644 --- a/API/tests/minidom.c +++ b/API/tests/minidom.c 
@@ -88,10 +88,11 @@ static JSValueRef print(JSContextRef context, JSObjectRef object, JSObjectRef th if (argumentCount > 0) { JSStringRef string = JSValueToStringCopy(context, arguments[0], exception); size_t numChars = JSStringGetMaximumUTF8CStringSize(string); - char stringUTF8[numChars]; + char* stringUTF8 = (char*)malloc(numChars); JSStringGetUTF8CString(string, stringUTF8, numChars); printf("%s\n", stringUTF8); JSStringRelease(string); + free(stringUTF8); } return JSValueMakeUndefined(context); diff --git a/API/tests/testapi.c b/API/tests/testapi.c index fa24534..b77f811 100644 --- a/API/tests/testapi.c +++ b/API/tests/testapi.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2017 Apple Inc. All rights reserved. + * Copyright (C) 2006-2020 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,7 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#define ASSERT_DISABLED 0 +#define ASSERT_ENABLED 1 #include "config.h" #if USE(CF) @@ -33,7 +33,6 @@ #endif #include "JSBasePrivate.h" -#include "JSContextRefPrivate.h" #include "JSHeapFinalizerPrivate.h" #include "JSMarkingConstraintPrivate.h" #include "JSObjectRefPrivate.h" @@ -77,6 +76,7 @@ void testObjectiveCAPI(const char*); #endif +void configureJSCForTesting(void); int testCAPIViaCpp(const char* filter); bool assertTrue(bool value, const char* message); 
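Review bot: The result of `malloc(numChars)` on the new line is never checked, so on allocation failure `JSStringGetUTF8CString` writes through a null pointer; moving the buffer off the stack is the right direction, since `numChars` is derived from the length of a script-supplied string, but the guard is missing. Wrap the conversion and the `printf` in `if (stringUTF8) { ... }` and leave `JSStringRelease(string); free(stringUTF8);` unconditional (`free(NULL)` is a no-op). Separately and pre-existing: the context line `JSStringRef string = JSValueToStringCopy(...)` can presumably yield NULL when the conversion throws, in which case `JSStringGetMaximumUTF8CStringSize(string)` is reached with a null string; worth a `if (!string) return JSValueMakeUndefined(context);` while this block is being touched. The enclosing print() starts outside the hunk.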
@@ -1017,12 +1017,14 @@ static JSValueRef functionGC(JSContextRef context, JSObjectRef function, JSObjec static JSStaticValue globalObject_staticValues[] = { { "globalStaticValue", globalObject_get, globalObject_set, kJSPropertyAttributeNone }, + { "globalStaticValue2", globalObject_get, 0, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontEnum }, { 0, 0, 0, 0 } }; static JSStaticFunction globalObject_staticFunctions[] = { { "globalStaticFunction", globalObject_call, kJSPropertyAttributeNone }, { "globalStaticFunction2", globalObject_call, kJSPropertyAttributeNone }, + { "globalStaticFunction3", globalObject_call, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontEnum }, { "gc", functionGC, kJSPropertyAttributeNone }, { 0, 0, 0 } }; @@ -1387,9 +1389,12 @@ int main(int argc, char* argv[]) SetErrorMode(0); #endif + configureJSCForTesting(); + #if !OS(WINDOWS) char resolvedPath[PATH_MAX]; - realpath(argv[0], resolvedPath); + if (!realpath(argv[0], resolvedPath)) + fprintf(stdout, "Could not get the absolute pathname for: %s\n", argv[0]); char* newCWD = dirname(resolvedPath); if (chdir(newCWD)) fprintf(stdout, "Could not chdir to: %s\n", newCWD); @@ -2098,7 +2103,6 @@ int main(int argc, char* argv[]) JSGlobalContextRelease(context); } failed |= testTypedArrayCAPI(); - failed |= testExecutionTimeLimit(); failed |= testFunctionOverrides(); failed |= testGlobalContextWithFinalizer(); failed |= testPingPongStackOverflow(); 
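Review bot: In the `@@ -1387,9 +1389,12 @@` hunk, when `realpath(argv[0], resolvedPath)` fails the new code only logs and then still hands the uninitialized `resolvedPath` to `dirname` and `chdir`, so the added check does not stop the garbage path from being used. Make the two lines `char* newCWD = dirname(resolvedPath); if (chdir(newCWD)) fprintf(...)` the `else` branch of the new `if`, so a failed `realpath` simply leaves the working directory alone. main() starts and ends outside this hunk.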
@@ -2154,6 +2158,14 @@ int main(int argc, char* argv[]) failed = finalizeMultithreadedMultiVMExecutionTest() || failed; + // Don't run this till after the MultithreadedMultiVMExecutionTest has finished. + // This is because testExecutionTimeLimit() modifies JIT options at runtime + // as part of its testing. This can wreak havoc on the rest of the system that + // expects the options to be frozen. Ideally, we'll find a way for testExecutionTimeLimit() + // to do its work without changing JIT options, but that is not easy to do. + // For now, we'll just run it here at the end as a workaround. + failed |= testExecutionTimeLimit(); + if (failed) { printf("FAIL: Some tests failed.\n"); return 1; diff --git a/API/tests/testapi.cpp b/API/tests/testapi.cpp index 1cfd4c0..8c19f53 100644 --- a/API/tests/testapi.cpp +++ b/API/tests/testapi.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017 Apple Inc. All rights reserved. + * Copyright (C) 2017-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -26,9 +26,9 @@ #include "config.h" #include "APICast.h" -#include "JSCJSValueInlines.h" -#include "JSObject.h" - +#include "JSGlobalObjectInlines.h" +#include "MarkedJSValueRefArray.h" +#include #include #include #include @@ -38,7 +38,9 @@ #include #include +extern "C" void configureJSCForTesting(); extern "C" int testCAPIViaCpp(const char* filter); +extern "C" void JSSynchronousGarbageCollectForDebugging(JSContextRef); class APIString { WTF_MAKE_NONCOPYABLE(APIString); @@ -49,6 +51,11 @@ public: { } + APIString(const String& string) + : APIString(string.utf8().data()) + { + } + ~APIString() { JSStringRelease(m_string); 
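Review bot: In the testapi.cpp `@@ -38,7 +38,9 @@` hunk, `extern "C" void JSSynchronousGarbageCollectForDebugging(JSContextRef);` re-declares a private JSC entry point by hand, so a later change to its real signature would not be caught by the compiler in this test. If the private header that declares it (JSContextRefPrivate.h, which other hunks in this commit drop from the tests) still provides the declaration, include that header instead and remove the local `extern` line; if the manual declaration is deliberate, say so in a comment such as `// Declared here rather than via JSContextRefPrivate.h to keep testapi.cpp off the private headers`.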
@@ -70,9 +77,9 @@ public: APIString print("print"); JSObjectRef printFunction = JSObjectMakeFunctionWithCallback(m_context, print, [] (JSContextRef ctx, JSObjectRef, JSObjectRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef*) { - JSC::ExecState* exec = toJS(ctx); + JSC::JSGlobalObject* globalObject = toJS(ctx); for (unsigned i = 0; i < argumentCount; i++) - dataLog(toJS(exec, arguments[i])); + dataLog(toJS(globalObject, arguments[i])); dataLogLn(); return JSValueMakeUndefined(ctx); }); @@ -86,7 +93,7 @@ public: } operator JSGlobalContextRef() { return m_context; } - operator JSC::ExecState*() { return toJS(m_context); } + operator JSC::JSGlobalObject*() { return toJS(m_context); } private: JSGlobalContextRef m_context; @@ -137,6 +144,13 @@ public: void symbolsDeletePropertyForKey(); void promiseResolveTrue(); void promiseRejectTrue(); + void promiseUnhandledRejection(); + void promiseUnhandledRejectionFromUnhandledRejectionCallback(); + void promiseEarlyHandledRejections(); + void topCallFrameAccess(); + void markedJSValueArrayAndGC(); + void classDefinitionWithJSSubclass(); + void proxyReturnedWithJSSubclassing(); int failed() const { return m_failed; } @@ -156,6 +170,8 @@ private: template bool functionReturnsTrue(const char* functionSource, ArgumentTypes... arguments); + bool scriptResultIs(ScriptResult, JSValueRef); + // Ways to make sets of interesting things. APIVector interestingObjects(); APIVector interestingKeys(); 
@@ -198,6 +214,30 @@ TestAPI::ScriptResult TestAPI::callFunction(const char* functionSource, Argument
 return Unexpected(exception);
 }
+#if COMPILER(MSVC)
+template<>
+TestAPI::ScriptResult TestAPI::callFunction(const char* functionSource)
+{
+ JSValueRef function;
+ {
+ ScriptResult functionResult = evaluateScript(functionSource);
+ if (!functionResult)
+ return functionResult;
+ function = functionResult.value();
+ }
+
+ JSValueRef exception = nullptr;
+ if (JSObjectRef functionObject = JSValueToObject(context, function, &exception)) {
+ JSValueRef result = JSObjectCallAsFunction(context, functionObject, functionObject, 0, nullptr, &exception);
+ if (!exception)
+ return ScriptResult(result);
+ }
+
+ RELEASE_ASSERT(exception);
+ return Unexpected(exception);
+}
+#endif
+
 template
 bool TestAPI::functionReturnsTrue(const char* functionSource, ArgumentTypes... arguments)
 {
@@ -208,6 +248,13 @@ bool TestAPI::functionReturnsTrue(const char* functionSource, ArgumentTypes... a
 return JSValueIsStrictEqual(context, trueValue, result.value());
 }
+bool TestAPI::scriptResultIs(ScriptResult result, JSValueRef value)
+{
+ if (!result)
+ return false;
+ return JSValueIsStrictEqual(context, result.value(), value);
+}
+
 template
 bool TestAPI::check(bool condition, Strings... messages)
 {
@@ -454,7 +501,7 @@ void TestAPI::promiseResolveTrue()
 auto trueValue = JSValueMakeBoolean(context, true);
 JSObjectCallAsFunction(context, resolve, resolve, 1, &trueValue, &exception);
- check(!exception, "No exception should be thrown resolve promise");
+ check(!exception, "No exception should be thrown resolving promise");
 check(passedTrueCalled, "then response function should have been called.");
 }
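Review bot: The `#if COMPILER(MSVC)` explicit specialization of `callFunction` duplicates the primary template's body (whose tail is visible at the top of the hunk) with no comment saying why MSVC needs it or that the two must stay in sync, so a future fix to one is likely to miss the other. Please add a comment above `template<>`, e.g. `// MSVC presumably cannot instantiate the variadic primary template with an empty pack (confirm); keep this body identical to the primary template above.`. If the duplication is meant to stay, a private non-template helper that both the primary template and this specialization call would remove it, but the comment is the minimum.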
@@ -479,7 +526,7 @@ void TestAPI::promiseRejectTrue()
 APIString catchString("catch");
 JSValueRef catchFunction = JSObjectGetProperty(context, promise, catchString, &exception);
- check(!exception && catchFunction && JSValueIsObject(context, catchFunction), "Promise should have a then object property");
+ check(!exception && catchFunction && JSValueIsObject(context, catchFunction), "Promise should have a catch object property");
 JSValueRef passedTrueFunction = JSObjectMakeFunctionWithCallback(context, trueString, passedTrue);
 JSObjectCallAsFunction(context, const_cast(catchFunction), promise, 1, &passedTrueFunction, &exception);
@@ -487,8 +534,180 @@ void TestAPI::promiseRejectTrue()
 auto trueValue = JSValueMakeBoolean(context, true);
 JSObjectCallAsFunction(context, reject, reject, 1, &trueValue, &exception);
- check(!exception, "No exception should be thrown resolve promise");
- check(passedTrueCalled, "then response function should have been called.");
+ check(!exception, "No exception should be thrown rejecting promise");
+ check(passedTrueCalled, "catch response function should have been called.");
+}
+
+void TestAPI::promiseUnhandledRejection()
+{
+ JSObjectRef reject = nullptr;
+ JSValueRef exception = nullptr;
+ static auto promise = JSObjectMakeDeferredPromise(context, nullptr, &reject, &exception);
+ check(!exception, "creating a (reject-only) deferred promise should not throw");
+ static auto reason = JSValueMakeString(context, APIString("reason"));
+
+ static TestAPI* tester = this;
+ static bool callbackCalled = false;
+ auto callback = [](JSContextRef ctx, JSObjectRef, JSObjectRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef*) -> JSValueRef {
+ tester->check(argumentCount && JSValueIsStrictEqual(ctx, arguments[0], promise), "callback should receive rejected promise as first argument");
+ tester->check(argumentCount > 1 && JSValueIsStrictEqual(ctx, arguments[1], reason), "callback should receive rejection reason as second argument");
+ tester->check(argumentCount == 2, "callback should not receive a third argument");
+ callbackCalled = true;
+ return JSValueMakeUndefined(ctx);
+ };
+ auto callbackFunction = JSObjectMakeFunctionWithCallback(context, APIString("callback"), callback);
+
+ JSGlobalContextSetUnhandledRejectionCallback(context, callbackFunction, &exception);
+ check(!exception, "setting unhandled rejection callback should not throw");
+
+ JSObjectCallAsFunction(context, reject, reject, 1, &reason, &exception);
+ check(!exception && callbackCalled, "unhandled rejection callback should be called upon unhandled rejection");
+}
+
+void 
TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback() +{ + static JSObjectRef reject; + static JSValueRef exception = nullptr; + JSObjectMakeDeferredPromise(context, nullptr, &reject, &exception); + check(!exception, "creating a (reject-only) deferred promise should not throw"); + + static auto callbackCallCount = 0; + auto callback = [](JSContextRef ctx, JSObjectRef, JSObjectRef, size_t, const JSValueRef[], JSValueRef*) -> JSValueRef { + if (!callbackCallCount) + JSObjectCallAsFunction(ctx, reject, reject, 0, nullptr, &exception); + callbackCallCount++; + return JSValueMakeUndefined(ctx); + }; + auto callbackFunction = JSObjectMakeFunctionWithCallback(context, APIString("callback"), callback); + + JSGlobalContextSetUnhandledRejectionCallback(context, callbackFunction, &exception); + check(!exception, "setting unhandled rejection callback should not throw"); + + callFunction("(function () { Promise.reject(); })"); + check(!exception && callbackCallCount == 2, "unhandled rejection from unhandled rejection callback should also trigger the callback"); +} + +void TestAPI::promiseEarlyHandledRejections() +{ + JSValueRef exception = nullptr; + + static bool callbackCalled = false; + auto callback = [](JSContextRef ctx, JSObjectRef, JSObjectRef, size_t, const JSValueRef[], JSValueRef*) -> JSValueRef { + callbackCalled = true; + return JSValueMakeUndefined(ctx); + }; + auto callbackFunction = JSObjectMakeFunctionWithCallback(context, APIString("callback"), callback); + + JSGlobalContextSetUnhandledRejectionCallback(context, callbackFunction, &exception); + check(!exception, "setting unhandled rejection callback should not throw"); + + callFunction("(function () { const p = Promise.reject(); p.catch(() => {}); })"); + check(!callbackCalled, "unhandled rejection callback should not be called for synchronous early-handled rejection"); + + callFunction("(function () { const p = Promise.reject(); Promise.resolve().then(() => { p.catch(() => {}); }); })"); + 
check(!callbackCalled, "unhandled rejection callback should not be called for asynchronous early-handled rejection"); +} + +void TestAPI::topCallFrameAccess() +{ + { + JSObjectRef function = JSValueToObject(context, evaluateScript("(function () { })").value(), nullptr); + APIString argumentsString("arguments"); + auto arguments = JSObjectGetProperty(context, function, argumentsString, nullptr); + check(JSValueIsNull(context, arguments), "vm.topCallFrame access from C++ world should use nullptr internally for arguments"); + } + { + JSObjectRef arguments = JSValueToObject(context, evaluateScript("(function ok(v) { return ok.arguments; })(42)").value(), nullptr); + check(!JSValueIsNull(context, arguments), "vm.topCallFrame is materialized and we found the caller function's arguments"); + } + { + JSObjectRef function = JSValueToObject(context, evaluateScript("(function () { })").value(), nullptr); + APIString callerString("caller"); + auto caller = JSObjectGetProperty(context, function, callerString, nullptr); + check(JSValueIsNull(context, caller), "vm.topCallFrame access from C++ world should use nullptr internally for caller"); + } + { + JSObjectRef caller = JSValueToObject(context, evaluateScript("(function () { return (function ok(v) { return ok.caller; })(42); })()").value(), nullptr); + check(!JSValueIsNull(context, caller), "vm.topCallFrame is materialized and we found the caller function's caller"); + } + { + JSObjectRef caller = JSValueToObject(context, evaluateScript("(function ok(v) { return ok.caller; })(42)").value(), nullptr); + check(JSValueIsNull(context, caller), "vm.topCallFrame is materialized and we found the caller function's caller, but the caller is global code"); + } +} + +void TestAPI::markedJSValueArrayAndGC() +{ + auto testMarkedJSValueArray = [&] (unsigned count) { + auto* globalObject = toJS(context); + JSC::JSLockHolder locker(globalObject->vm()); + JSC::MarkedJSValueRefArray values(context, count); + for (unsigned index = 0; index < 
count; ++index) { + JSValueRef string = JSValueMakeString(context, APIString(makeString("Prefix", index))); + values[index] = string; + } + JSSynchronousGarbageCollectForDebugging(context); + bool ok = true; + for (unsigned index = 0; index < count; ++index) { + JSValueRef string = JSValueMakeString(context, APIString(makeString("Prefix", index))); + if (!JSValueIsStrictEqual(context, values[index], string)) + ok = false; + } + check(ok, "Held JSString should be alive and correct."); + }; + testMarkedJSValueArray(4); + testMarkedJSValueArray(1000); +} + +void TestAPI::classDefinitionWithJSSubclass() +{ + const static JSClassDefinition definition = kJSClassDefinitionEmpty; + static JSClassRef jsClass = JSClassCreate(&definition); + + auto constructor = [] (JSContextRef ctx, JSObjectRef, size_t, const JSValueRef*, JSValueRef*) -> JSObjectRef { + return JSObjectMake(ctx, jsClass, nullptr); + }; + + JSObjectRef Superclass = JSObjectMakeConstructor(context, jsClass, constructor); + + ScriptResult result = callFunction("(function (Superclass) { class Subclass extends Superclass { method() { return 'value'; } }; return new Subclass(); })", Superclass); + check(!!result, "creating a subclass should not throw."); + check(JSValueIsObject(context, result.value()), "result of construction should have been an object."); + JSObjectRef subclass = const_cast(result.value()); + + check(JSObjectHasProperty(context, subclass, APIString("method")), "subclass should have derived classes functions."); + check(functionReturnsTrue("(function (subclass, Superclass) { return subclass instanceof Superclass; })", subclass, Superclass), "JS subclass should instanceof the Superclass"); + + JSClassRelease(jsClass); +} + +void TestAPI::proxyReturnedWithJSSubclassing() +{ + const static JSClassDefinition definition = kJSClassDefinitionEmpty; + static JSClassRef jsClass = JSClassCreate(&definition); + static TestAPI& test = *this; + + auto constructor = [] (JSContextRef ctx, JSObjectRef, size_t, 
const JSValueRef*, JSValueRef*) -> JSObjectRef { + ScriptResult result = test.callFunction("(function (object) { return new Proxy(object, { getPrototypeOf: () => { globalThis.triggeredProxy = true; return object.__proto__; }}); })", JSObjectMake(ctx, jsClass, nullptr)); + test.check(!!result, "creating a proxy should not throw"); + test.check(JSValueIsObject(ctx, result.value()), "result of proxy creation should have been an object."); + return const_cast(result.value()); + }; + + JSObjectRef Superclass = JSObjectMakeConstructor(context, jsClass, constructor); + + ScriptResult result = callFunction("(function (Superclass) { class Subclass extends Superclass { method() { return 'value'; } }; return new Subclass(); })", Superclass); + check(!!result, "creating a subclass should not throw."); + check(JSValueIsObject(context, result.value()), "result of construction should have been an object."); + JSObjectRef subclass = const_cast(result.value()); + + check(scriptResultIs(evaluateScript("globalThis.triggeredProxy"), JSValueMakeUndefined(context)), "creating a subclass should not have triggered the proxy"); + check(functionReturnsTrue("(function (subclass, Superclass) { return subclass.__proto__ == Superclass.prototype; })", subclass, Superclass), "proxy's prototype should match Superclass.prototype"); +} + +void configureJSCForTesting() +{ + JSC::Config::configureForTesting(); } #define RUN(test) do { \ @@ -512,6 +731,7 @@ int testCAPIViaCpp(const char* filter) return !filter || WTF::findIgnoringASCIICaseWithoutLength(testName, filter) != WTF::notFound; }; + RUN(topCallFrameAccess()); RUN(basicSymbol()); RUN(symbolsTypeof()); RUN(symbolsDescription()); 
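Review bot: `JSClassRelease(jsClass)` at the end of `classDefinitionWithJSSubclass` drops the reference while the function-local `static JSClassRef jsClass` keeps the pointer, and since the static initializer runs only once, any second call of the test in the same process would pass a released class to `JSObjectMakeConstructor`; `proxyReturnedWithJSSubclassing` uses the same static pattern but never releases, so the two are also inconsistent. Re-create the class on every call and clear it after release — `static JSClassRef jsClass; jsClass = JSClassCreate(&definition);` and `JSClassRelease(jsClass); jsClass = nullptr;` — or drop the release and accept the one-time leak as the proxy test does. The same write-once statics appear in `promiseUnhandledRejection` (`promise`, `reason`, `callbackCalled`) and `promiseUnhandledRejectionFromUnhandledRejectionCallback` (`reject`, `exception`, `callbackCallCount`): on a repeat run the callback would compare against the first run's promise and the flags would already be set, so resetting them at function entry keeps the checks meaningful.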
@@ -521,6 +741,12 @@ int testCAPIViaCpp(const char* filter) RUN(symbolsDeletePropertyForKey()); RUN(promiseResolveTrue()); RUN(promiseRejectTrue()); + RUN(promiseUnhandledRejection()); + RUN(promiseUnhandledRejectionFromUnhandledRejectionCallback()); + RUN(promiseEarlyHandledRejections()); + RUN(markedJSValueArrayAndGC()); + RUN(classDefinitionWithJSSubclass()); + RUN(proxyReturnedWithJSSubclassing()); if (tasks.isEmpty()) { dataLogLn("Filtered all tests: ERROR"); diff --git a/API/tests/testapi.mm b/API/tests/testapi.mm index 3ca4cc9..b79ab2b 100644 --- a/API/tests/testapi.mm +++ b/API/tests/testapi.mm @@ -128,7 +128,7 @@ JSExportAs(testArgumentTypes, } - (void)callback:(JSValue *)function { - [function callWithArguments:[NSArray arrayWithObject:[NSNumber numberWithInt:42]]]; + [function callWithArguments:@[@(42)]]; } - (void)bogusCallback:(void(^)(int))function { @@ -199,7 +199,7 @@ bool testXYZTested = false; return; JSValue *function = [m_onclickHandler value]; - [function callWithArguments:[NSArray array]]; + [function callWithArguments:@[]]; } @end @@ -1014,7 +1014,7 @@ static void testObjectiveCAPIMain() @autoreleasepool { JSContext *context = [[JSContext alloc] init]; JSValue *result = [context evaluateScript:@"String(console)"]; - checkResult(@"String(console)", [result isEqualToObject:@"[object Console]"]); + checkResult(@"String(console)", [result isEqualToObject:@"[object console]"]); result = [context evaluateScript:@"typeof console.log"]; checkResult(@"typeof console.log", [result isEqualToObject:@"function"]); } @@ -1171,10 +1171,8 @@ static void testObjectiveCAPIMain() JSContext *context = [[JSContext alloc] init]; context[@"handleTheDictionary"] = ^(NSDictionary *dict) { NSDictionary *expectedDict = @{ - @"foo" : [NSNumber numberWithInt:1], - @"bar" : @{ - @"baz": [NSNumber numberWithInt:2] - } + @"foo": @(1), + @"bar": @{ @"baz": @(2) } }; checkResult(@"recursively convert nested dictionaries", [dict isEqualToDictionary:expectedDict]); }; 
@@ -1340,7 +1338,7 @@ static void testObjectiveCAPIMain() } @autoreleasepool { - static const unsigned count = 100; + static constexpr unsigned count = 100; NSMutableArray *array = [NSMutableArray arrayWithCapacity:count]; JSContext *context = [[JSContext alloc] init]; @autoreleasepool { @@ -2405,7 +2403,9 @@ static void testBytecodeCacheValidation() testInvalidCacheURL([NSURL URLWithString:@""], @"Cache path `` is not a local file"); testInvalidCacheURL([NSURL URLWithString:@"file:///"], @"Cache path `/` already exists and is not a file"); testInvalidCacheURL([NSURL URLWithString:@"file:///a/b/c/d/e"], @"Cache directory `/a/b/c/d` is not a directory or does not exist"); +#if USE(APPLE_INTERNAL_SDK) testInvalidCacheURL([NSURL URLWithString:@"file:///private/tmp/file.cache"], @"Cache directory `/private/tmp` is not a data vault"); +#endif } #if USE(APPLE_INTERNAL_SDK) @@ -2859,7 +2859,8 @@ void testObjectiveCAPI(const char* filter) RUN(promiseCreateRejected()); RUN(parallelPromiseResolveTest()); - testObjectiveCAPIMain(); + if (!filter) + testObjectiveCAPIMain(); } #else diff --git a/API/tests/testapiScripts/testapi.js b/API/tests/testapiScripts/testapi.js index 88d3701..dbce155 100644 --- a/API/tests/testapiScripts/testapi.js +++ b/API/tests/testapiScripts/testapi.js 
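Review bot: `if (!filter) testObjectiveCAPIMain();` silently skips the bulk of the Objective-C tests whenever any filter is supplied, presumably because `testObjectiveCAPIMain()` does not go through `RUN()` and so cannot honor the filter, but nothing in the hunk says so. A short comment, e.g. `// testObjectiveCAPIMain() does not participate in RUN()'s filtering, so only run it on unfiltered runs.`, would document the intent. `testObjectiveCAPI` continues outside the hunk.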
@@ -84,6 +84,16 @@ this.globalStaticFunction2 = function() { return 20; } shouldBe("globalStaticFunction2();", 20); shouldBe("this.globalStaticFunction2();", 20); +var globalStaticValue2Descriptor = Object.getOwnPropertyDescriptor(this, "globalStaticValue2"); +shouldBe('typeof globalStaticValue2Descriptor', "object"); +shouldBe('globalStaticValue2Descriptor.writable', false); +shouldBe('globalStaticValue2Descriptor.enumerable', false); + +var globalStaticFunction3Descriptor = Object.getOwnPropertyDescriptor(this, "globalStaticFunction3"); +shouldBe('typeof globalStaticFunction3Descriptor', "object"); +shouldBe('globalStaticFunction3Descriptor.writable', false); +shouldBe('globalStaticFunction3Descriptor.enumerable', false); + function iAmNotAStaticFunction() { return 10; } shouldBe("iAmNotAStaticFunction();", 10); this.iAmNotAStaticFunction = function() { return 20; } @@ -267,7 +277,7 @@ shouldThrow("EvilExceptionObject*5"); EvilExceptionObject.toStringExplicit = function f() { return f(); } shouldThrow("String(EvilExceptionObject)"); -shouldBe("console", "[object Console]"); +shouldBe("console", "[object console]"); shouldBe("typeof console.log", "function"); shouldBe("EmptyObject", "[object CallbackObject]"); diff --git a/CMakeLists.txt.apple b/CMakeLists.txt.apple index c199aa8..58a5706 100644 --- a/CMakeLists.txt.apple +++ b/CMakeLists.txt.apple @@ -1,5 +1,6 @@ cmake_minimum_required(VERSION 3.10) include(WebKitCommon) +include(target/TargetWTF) set_property(DIRECTORY . PROPERTY FOLDER "JavaScriptCore") list(APPEND JavaScriptCore_UNIFIED_SOURCE_LIST_FILES @@ -7,7 +8,6 @@ list(APPEND JavaScriptCore_UNIFIED_SOURCE_LIST_FILES ) set(JavaScriptCore_INCLUDE_DIRECTORIES - "${WTF_FRAMEWORK_HEADERS_DIR}" "${JavaScriptCore_FRAMEWORK_HEADERS_DIR}" ) 
@@ -54,10 +54,6 @@ if (USE_CAPSTONE) list(APPEND JavaScriptCore_PRIVATE_INCLUDE_DIRECTORIES "${THIRDPARTY_DIR}/capstone/Source/include") endif () -set(JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES - "${ICU_INCLUDE_DIRS}" -) - set(JavaScriptCore_OBJECT_LUT_SOURCES runtime/ArrayConstructor.cpp runtime/AsyncFromSyncIteratorPrototype.cpp @@ -74,11 +70,22 @@ set(JavaScriptCore_OBJECT_LUT_SOURCES runtime/IntlCollatorPrototype.cpp runtime/IntlDateTimeFormatConstructor.cpp runtime/IntlDateTimeFormatPrototype.cpp + runtime/IntlDisplayNamesConstructor.cpp + runtime/IntlDisplayNamesPrototype.cpp + runtime/IntlListFormatConstructor.cpp + runtime/IntlListFormatPrototype.cpp + runtime/IntlLocalePrototype.cpp runtime/IntlNumberFormatConstructor.cpp runtime/IntlNumberFormatPrototype.cpp runtime/IntlObject.cpp runtime/IntlPluralRulesConstructor.cpp runtime/IntlPluralRulesPrototype.cpp + runtime/IntlRelativeTimeFormatConstructor.cpp + runtime/IntlRelativeTimeFormatPrototype.cpp + runtime/IntlSegmentIteratorPrototype.cpp + runtime/IntlSegmenterConstructor.cpp + runtime/IntlSegmenterPrototype.cpp + runtime/IntlSegmentsPrototype.cpp runtime/JSDataViewPrototype.cpp runtime/JSGlobalObject.cpp runtime/JSInternalPromiseConstructor.cpp @@ -104,7 +111,8 @@ set(JavaScriptCore_OBJECT_LUT_SOURCES wasm/js/JSToWasmICCallee.cpp wasm/js/WebAssemblyCompileErrorConstructor.cpp wasm/js/WebAssemblyCompileErrorPrototype.cpp - wasm/js/WebAssemblyFunctionHeapCellType.cpp + wasm/js/WebAssemblyGlobalConstructor.cpp + wasm/js/WebAssemblyGlobalPrototype.cpp wasm/js/WebAssemblyInstanceConstructor.cpp wasm/js/WebAssemblyInstancePrototype.cpp wasm/js/WebAssemblyLinkErrorConstructor.cpp 
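Review bot: Dropping `JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES` (`${ICU_INCLUDE_DIRS}`) here, together with `${ICU_I18N_LIBRARIES}` in the `@@ -113,17 +121,18 @@` hunk, leaves no visible ICU dependency for this target even though the same change adds several `runtime/Intl*.cpp` LUT sources that need it; presumably `include(target/TargetWTF)` at the top of the file now propagates ICU transitively through the `WTF` framework, but that is not stated anywhere. A one-line comment on `set(JavaScriptCore_FRAMEWORKS WTF)`, e.g. `# ICU include dirs and libraries come transitively from the WTF framework target (target/TargetWTF).`, would make the dependency chain reviewable. Note also that `JavaScriptCore_LIBRARIES` is now only ever appended to under `USE_CAPSTONE`, which `list(APPEND)` tolerates but which reads as if the variable were initialised elsewhere.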
@@ -113,17 +121,18 @@ set(JavaScriptCore_OBJECT_LUT_SOURCES wasm/js/WebAssemblyMemoryPrototype.cpp wasm/js/WebAssemblyModuleConstructor.cpp wasm/js/WebAssemblyModulePrototype.cpp - wasm/js/WebAssemblyPrototype.cpp wasm/js/WebAssemblyRuntimeErrorConstructor.cpp wasm/js/WebAssemblyRuntimeErrorPrototype.cpp wasm/js/WebAssemblyTableConstructor.cpp wasm/js/WebAssemblyTablePrototype.cpp ) -set(JavaScriptCore_LIBRARIES - WTF${DEBUG_SUFFIX} - ${ICU_I18N_LIBRARIES} +set(JavaScriptCore_FRAMEWORKS + WTF ) +if (NOT USE_SYSTEM_MALLOC) + list(APPEND JavaScriptCore_FRAMEWORKS bmalloc) +endif () if (USE_CAPSTONE) list(APPEND JavaScriptCore_LIBRARIES capstone) @@ -177,15 +186,23 @@ list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/udis86_itab.h ) +# This is the default build variant for Xcode builds. +set(BUILD_VARIANTS + "normal" +) + set(LLINT_ASM llint/LowLevelInterpreter.asm llint/LowLevelInterpreter32_64.asm llint/LowLevelInterpreter64.asm + llint/WebAssembly.asm ) set(OFFLINE_ASM offlineasm/arm.rb offlineasm/arm64.rb + offlineasm/arm64e.rb + offlineasm/asm.rb offlineasm/ast.rb offlineasm/backends.rb offlineasm/cloop.rb @@ -206,6 +223,7 @@ set(OFFLINE_ASM set(GENERATOR generator/Argument.rb generator/Assertion.rb + generator/Checkpoints.rb generator/DSL.rb generator/Fits.rb generator/GeneratedFile.rb 
@@ -216,27 +234,26 @@ set(GENERATOR generator/Section.rb generator/Template.rb generator/Type.rb + generator/Wasm.rb generator/main.rb ) add_custom_command( - OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeIndices.h + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeIndices.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmLLIntGeneratorInlines.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitWasm.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeDumperGenerated.cpp MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/generator/main.rb - DEPENDS ${GENERATOR} bytecode/BytecodeList.rb - COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/generator/main.rb --bytecodes_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h --init_bytecodes_asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm --bytecode_structs_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h --bytecode_indices_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeIndices.h ${JAVASCRIPTCORE_DIR}/bytecode/BytecodeList.rb + DEPENDS ${GENERATOR} bytecode/BytecodeList.rb ${JAVASCRIPTCORE_DIR}/wasm/wasm.json + COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/generator/main.rb --bytecodes_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h --init_bytecodes_asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm --bytecode_structs_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h --bytecode_indices_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeIndices.h ${JAVASCRIPTCORE_DIR}/bytecode/BytecodeList.rb --wasm_json ${JAVASCRIPTCORE_DIR}/wasm/wasm.json --wasm_llint_generator_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmLLIntGeneratorInlines.h --init_wasm_llint 
${JavaScriptCore_DERIVED_SOURCES_DIR}/InitWasm.asm --bytecode_dumper ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeDumperGenerated.cpp VERBATIM) +add_custom_target(Bytecodes DEPENDS "${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h") if (WTF_OS_MAC_OS_X) execute_process(COMMAND bash -c "date +'%s'" OUTPUT_VARIABLE BUILD_TIME OUTPUT_STRIP_TRAILING_WHITESPACE) else () - set(BUILD_TIME 0) + string(TIMESTAMP BUILD_TIME "%s") endif () -file(WRITE ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeCacheVersion.h "#define JSC_BYTECODE_CACHE_VERSION ${BUILD_TIME}\n") - list(APPEND JavaScriptCore_HEADERS - ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeCacheVersion.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ) 
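Review bot: `BUILD_TIME` is still computed on both branches (`execute_process(... date +'%s' ...)` on macOS, `string(TIMESTAMP BUILD_TIME "%s")` elsewhere) but its only consumer in this hunk, the `file(WRITE ... BytecodeCacheVersion.h ...)`, is removed along with the header from `JavaScriptCore_HEADERS`; if nothing further down the file still reads it, the whole `if (WTF_OS_MAC_OS_X)` block is dead and should go. If it is still used, `string(TIMESTAMP BUILD_TIME "%s")` works on every platform under this file's `cmake_minimum_required(VERSION 3.10)`, so the shell-out to `bash -c "date +'%s'"` can be dropped and the branch collapsed to that one line.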
@@ -263,18 +280,31 @@ else () endif () endif () +add_custom_command( + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcode.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcodeGenerated.h + MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/b3/air/AirOpcode.opcodes + DEPENDS ${JAVASCRIPTCORE_DIR}/b3/air/opcode_generator.rb + COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/b3/air/opcode_generator.rb ${JAVASCRIPTCORE_DIR}/b3/air/AirOpcode.opcodes VERBATIM + WORKING_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR} +) + +list(APPEND JavaScriptCore_HEADERS + ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcode.h + ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcodeGenerated.h +) + add_custom_command( OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredSettings.h MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/offlineasm/generate_settings_extractor.rb - DEPENDS ${LLINT_ASM} ${OFFLINE_ASM} ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm + DEPENDS ${LLINT_ASM} ${OFFLINE_ASM} ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitWasm.asm COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/generate_settings_extractor.rb -I${JavaScriptCore_DERIVED_SOURCES_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredSettings.h ${OFFLINE_ASM_BACKEND} VERBATIM) add_custom_command( OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredOffsets.h MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/offlineasm/generate_offset_extractor.rb - DEPENDS LLIntSettingsExtractor ${LLINT_ASM} ${OFFLINE_ASM} ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm - COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/generate_offset_extractor.rb -I${JavaScriptCore_DERIVED_SOURCES_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm $ ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredOffsets.h ${OFFLINE_ASM_BACKEND} + DEPENDS LLIntSettingsExtractor ${LLINT_ASM} ${OFFLINE_ASM} 
${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitWasm.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcode.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmOps.h + COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/generate_offset_extractor.rb -I${JavaScriptCore_DERIVED_SOURCES_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm $ ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredOffsets.h ${OFFLINE_ASM_BACKEND} ${BUILD_VARIANTS} VERBATIM) # We add the header files directly to the ADD_EXECUTABLE call instead of setting the 
@@ -286,20 +316,32 @@ add_custom_command( # Additionally, setting the OBJECT_DEPENDS property will make the .h files a Makefile # dependency of both LLIntOffsetsExtractor and LLIntOffsetsExtractor.cpp, so the command will # actually be run multiple times! -add_executable(LLIntSettingsExtractor + +WEBKIT_EXECUTABLE_DECLARE(LLIntSettingsExtractor) +set(LLIntSettingsExtractor_SOURCES ${JAVASCRIPTCORE_DIR}/llint/LLIntSettingsExtractor.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredSettings.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h ) -add_executable(LLIntOffsetsExtractor +set(LLIntSettingsExtractor_PRIVATE_INCLUDE_DIRECTORIES + $ +) +set(LLIntSettingsExtractor_FRAMEWORKS ${JavaScriptCore_FRAMEWORKS}) +set(LLIntSettingsExtractor_DEPENDENCIES JavaScriptCore_CopyHeaders) +WEBKIT_EXECUTABLE(LLIntSettingsExtractor) + +WEBKIT_EXECUTABLE_DECLARE(LLIntOffsetsExtractor) +set(LLIntOffsetsExtractor_SOURCES ${JAVASCRIPTCORE_DIR}/llint/LLIntOffsetsExtractor.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredOffsets.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h ) -target_link_libraries(LLIntSettingsExtractor WTF) -add_dependencies(LLIntSettingsExtractor JavaScriptCoreFrameworkHeaders) -target_link_libraries(LLIntOffsetsExtractor WTF) -add_dependencies(LLIntOffsetsExtractor JavaScriptCoreFrameworkHeaders) +set(LLIntOffsetsExtractor_PRIVATE_INCLUDE_DIRECTORIES + $ +) +set(LLIntOffsetsExtractor_FRAMEWORKS ${JavaScriptCore_FRAMEWORKS}) +set(LLIntOffsetsExtractor_DEPENDENCIES JavaScriptCore_CopyHeaders) +WEBKIT_EXECUTABLE(LLIntOffsetsExtractor) # The build system will execute asm.rb every time LLIntOffsetsExtractor's mtime is newer than # LLIntAssembly.h's mtime. The problem we have here is: asm.rb has some built-in optimization 
@@ -317,8 +359,8 @@ endif () add_custom_command( OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/${LLIntOutput} MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/offlineasm/asm.rb - DEPENDS LLIntOffsetsExtractor ${LLINT_ASM} ${OFFLINE_ASM} ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm - COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/asm.rb -I${JavaScriptCore_DERIVED_SOURCES_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm $ ${JavaScriptCore_DERIVED_SOURCES_DIR}/${LLIntOutput} ${OFFLINE_ASM_ARGS} + DEPENDS LLIntOffsetsExtractor ${LLINT_ASM} ${OFFLINE_ASM} ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitWasm.asm + COMMAND ${CMAKE_COMMAND} -E env CMAKE_CXX_COMPILER_ID=${CMAKE_CXX_COMPILER_ID} GCC_OFFLINEASM_SOURCE_MAP=${GCC_OFFLINEASM_SOURCE_MAP} ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/asm.rb -I${JavaScriptCore_DERIVED_SOURCES_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm $ ${JavaScriptCore_DERIVED_SOURCES_DIR}/${LLIntOutput} ${BUILD_VARIANTS} ${OFFLINE_ASM_ARGS} COMMAND ${CMAKE_COMMAND} -E touch_nocreate ${JavaScriptCore_DERIVED_SOURCES_DIR}/${LLIntOutput} WORKING_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR} VERBATIM) 
@@ -343,10 +385,17 @@ if (MSVC AND NOT ENABLE_C_LOOP) COMMAND ${MASM_EXECUTABLE} ${LLINT_MASM_FLAGS} ${JavaScriptCore_DERIVED_SOURCES_DIR}/LowLevelInterpreterWin.obj ${JavaScriptCore_DERIVED_SOURCES_DIR}/LowLevelInterpreterWin.asm VERBATIM) list(APPEND JavaScriptCore_SOURCES ${JavaScriptCore_DERIVED_SOURCES_DIR}/LowLevelInterpreterWin.obj) + add_library(LowLevelInterpreterLib OBJECT llint/LowLevelInterpreter.cpp) else () - list(APPEND JavaScriptCore_HEADERS - ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntAssembly.h - ) + # As there's poor toolchain support for using `.file` directives in + # inline asm (i.e. there's no way to avoid clashes with the `.file` + # directives generated by the C code in the compilation unit), we + # introduce a postprocessing pass for the asm that gets assembled into + # an object file. We only need to do this for LowLevelInterpreter.cpp + # and cmake doesn't allow us to introduce a compiler wrapper for a + # single source file, so we need to create a separate target for it. + add_library(LowLevelInterpreterLib OBJECT llint/LowLevelInterpreter.cpp + ${JavaScriptCore_DERIVED_SOURCES_DIR}/${LLIntOutput}) endif () # WebAssembly generator 
@@ -362,7 +411,6 @@ macro(GENERATE_PYTHON _generator _additional_deps _input _output) WEBKIT_ADD_SOURCE_DEPENDENCIES(${_input} ${_output}) endmacro() GENERATE_PYTHON(${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasmOpsHeader.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasm.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/wasm.json ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmOps.h) -GENERATE_PYTHON(${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasmValidateInlinesHeader.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasm.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/wasm.json ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmValidateInlines.h) GENERATE_PYTHON(${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasmB3IRGeneratorInlinesHeader.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasm.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/wasm.json ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmB3IRGeneratorInlines.h) # LUT generator @@ -400,6 +448,7 @@ set(JavaScriptCore_PUBLIC_FRAMEWORK_HEADERS set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/JSCBuiltins.h + ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmOps.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendDispatchers.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorFrontendDispatchers.h @@ -448,10 +497,11 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS assembler/AbortReason.h assembler/AbstractMacroAssembler.h assembler/AssemblerBuffer.h - assembler/AssemblerBufferWithConstantPool.h assembler/AssemblerCommon.h assembler/CPU.h assembler/CodeLocation.h + assembler/FastJITPermissions.h + assembler/JITOperationList.h assembler/LinkBuffer.h assembler/MIPSAssembler.h assembler/MIPSRegisters.h @@ -470,6 +520,10 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS assembler/X86Registers.h assembler/X86_64Registers.h + b3/B3Common.h + b3/B3Compilation.h + b3/B3Type.h + bindings/ScriptFunctionCall.h bindings/ScriptObject.h bindings/ScriptValue.h 
@@ -479,8 +533,8 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS bytecode/ArrayAllocationProfile.h bytecode/ArrayProfile.h - bytecode/ByValInfo.h bytecode/BytecodeConventions.h + bytecode/BytecodeIndex.h bytecode/BytecodeIntrinsicRegistry.h bytecode/CallEdge.h bytecode/CallLinkInfo.h @@ -492,6 +546,8 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS bytecode/CodeType.h bytecode/DFGExitProfile.h bytecode/DataFormat.h + bytecode/DeleteByIdVariant.h + bytecode/DeleteByStatus.h bytecode/DirectEvalCodeCache.h bytecode/ExecutableInfo.h bytecode/ExecutableToCodeBlockEdge.h @@ -510,14 +566,15 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS bytecode/LLIntCallLinkInfo.h bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h bytecode/LazyOperandValueProfile.h + bytecode/LinkTimeConstant.h bytecode/MetadataTable.h bytecode/ObjectAllocationProfile.h bytecode/ObjectPropertyCondition.h bytecode/Opcode.h bytecode/OpcodeSize.h + bytecode/Operands.h bytecode/PropertyCondition.h bytecode/PutByIdFlags.h - bytecode/SpecialPointer.h bytecode/SpeculatedType.h bytecode/StructureSet.h bytecode/SuperSampler.h @@ -540,8 +597,10 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS debugger/DebuggerParseData.h debugger/DebuggerPrimitives.h + dfg/DFGCodeOriginPool.h dfg/DFGCommon.h dfg/DFGCompilationMode.h + dfg/DFGDoesGCCheck.h dfg/DFGMinifiedID.h domjit/DOMJITAbstractHeap.h @@ -557,6 +616,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS heap/AllocatorInlines.h heap/AllocatorForMode.h heap/BlockDirectory.h + heap/BlockDirectoryBits.h heap/BlockDirectoryInlines.h heap/CellAttributes.h heap/CellContainer.h @@ -583,6 +643,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS heap/GCIncomingRefCountedInlines.h heap/GCIncomingRefCountedSet.h heap/GCLogging.h + heap/GCMemoryOperations.h heap/GCRequest.h heap/GCSegmentedArray.h heap/Handle.h 
@@ -590,6 +651,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS heap/HandleSet.h heap/HandleTypes.h heap/Heap.h + heap/HeapAnalyzer.h heap/HeapCell.h heap/HeapCellInlines.h heap/HeapCellType.h @@ -599,10 +661,10 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS heap/HeapSnapshotBuilder.h heap/IncrementalSweeper.h heap/IsoCellSet.h + heap/IsoHeapCellType.h heap/IsoSubspace.h heap/IsoSubspaceInlines.h heap/IsoSubspacePerVM.h - heap/LargeAllocation.h heap/LocalAllocator.h heap/LocalAllocatorInlines.h heap/LockDuringMarking.h @@ -615,6 +677,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS heap/MarkingConstraint.h heap/MutatorState.h heap/PackedCellPtr.h + heap/PreciseAllocation.h heap/RegisterState.h heap/RunningScope.h heap/SimpleMarkingConstraint.h @@ -653,12 +716,9 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS inspector/InspectorTarget.h inspector/PerGlobalObjectWrapperWorld.h inspector/ScriptArguments.h - inspector/ScriptBreakpoint.h inspector/ScriptCallFrame.h inspector/ScriptCallStack.h inspector/ScriptCallStackFactory.h - inspector/ScriptDebugListener.h - inspector/ScriptDebugServer.h inspector/agents/InspectorAgent.h inspector/agents/InspectorAuditAgent.h @@ -683,6 +743,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS interpreter/EntryFrame.h interpreter/FrameTracers.h interpreter/Register.h + interpreter/RegisterInlines.h interpreter/ShadowChicken.h interpreter/StackVisitor.h interpreter/VMEntryRecord.h 
@@ -750,16 +811,19 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/AbstractModuleRecord.h runtime/ArgList.h runtime/ArityCheckMode.h + runtime/ArrayConstructor.h runtime/ArrayBuffer.h runtime/ArrayBufferSharingMode.h runtime/ArrayBufferView.h runtime/ArrayConventions.h runtime/ArrayPrototype.h runtime/ArrayStorage.h + runtime/ArrayStorageInlines.h runtime/AuxiliaryBarrier.h runtime/AuxiliaryBarrierInlines.h runtime/BasicBlockLocation.h runtime/BatchedTransitionOptimizer.h + runtime/BigIntObject.h runtime/BigIntPrototype.h runtime/BooleanObject.h runtime/BooleanPrototype.h @@ -768,16 +832,20 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/BytecodeCacheError.h runtime/CachePayload.h runtime/CacheUpdate.h + runtime/CacheableIdentifier.h + runtime/CacheableIdentifierInlines.h runtime/CachedBytecode.h runtime/CachedTypes.h runtime/CagedBarrierPtr.h runtime/CallData.h runtime/CatchScope.h + runtime/CellSize.h runtime/ClassInfo.h runtime/CodeSpecializationKind.h runtime/CommonIdentifiers.h runtime/CompilationResult.h runtime/Completion.h + runtime/Concurrency.h runtime/ConcurrentJSLock.h runtime/ConfigFile.h runtime/ConsoleClient.h @@ -785,6 +853,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/ConstantMode.h runtime/ConstructAbility.h runtime/ConstructData.h + runtime/ConstructorKind.h runtime/ControlFlowProfiler.h runtime/CustomGetterSetter.h runtime/DOMAnnotation.h @@ -792,12 +861,16 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/DataView.h runtime/DateInstance.h runtime/DateInstanceCache.h + runtime/DeferredWorkTimer.h runtime/DefinePropertyAttributes.h + runtime/DeletePropertySlot.h runtime/DirectArgumentsOffset.h runtime/DirectEvalExecutable.h runtime/DisallowScope.h - runtime/DisallowVMReentry.h + runtime/DisallowVMEntry.h runtime/DumpContext.h + runtime/ECMAMode.h + runtime/EnsureStillAliveHere.h runtime/EnumerationMode.h runtime/Error.h runtime/ErrorHandlingScope.h 
@@ -819,10 +892,12 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/FunctionPrototype.h runtime/FunctionRareData.h runtime/FuzzerAgent.h + runtime/Gate.h runtime/GenericOffset.h runtime/GenericTypedArrayView.h runtime/GenericTypedArrayViewInlines.h runtime/GetPutInfo.h + runtime/GetVM.h runtime/GlobalExecutable.h runtime/HashMapImpl.h runtime/Identifier.h @@ -847,6 +922,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/JSArrayBufferView.h runtime/JSArrayBufferViewInlines.h runtime/JSBigInt.h + runtime/JSCConfig.h runtime/JSCInlines.h runtime/JSCJSValue.h runtime/JSCJSValueInlines.h @@ -856,6 +932,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/JSCell.h runtime/JSCellInlines.h runtime/JSDataView.h + runtime/JSDateMath.h runtime/JSDestructibleObject.h runtime/JSDestructibleObjectHeapCellType.h runtime/JSExportMacros.h @@ -870,8 +947,8 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/JSGlobalObjectFunctions.h runtime/JSGlobalObjectInlines.h runtime/JSImmutableButterfly.h + runtime/JSInternalFieldObjectImpl.h runtime/JSInternalPromise.h - runtime/JSInternalPromiseDeferred.h runtime/JSMicrotask.h runtime/JSLock.h runtime/JSMap.h @@ -879,13 +956,11 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/JSModuleLoader.h runtime/JSModuleRecord.h runtime/JSNativeStdFunction.h - runtime/JSNonDestructibleProxy.h runtime/JSONObject.h runtime/JSObject.h runtime/JSObjectInlines.h runtime/JSPromise.h runtime/JSPromiseConstructor.h - runtime/JSPromiseDeferred.h runtime/JSPropertyNameEnumerator.h runtime/JSProxy.h runtime/JSRunLoopTimer.h @@ -923,10 +998,11 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/ObjectPrototype.h runtime/Operations.h runtime/Options.h + runtime/OptionsList.h runtime/ParseInt.h + runtime/PrivateFieldPutKind.h runtime/PrivateName.h runtime/ProgramExecutable.h - runtime/PromiseDeferredTimer.h runtime/PropertyDescriptor.h runtime/PropertyMapHashTable.h runtime/PropertyName.h 
@@ -936,6 +1012,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/PropertyStorage.h runtime/Protect.h runtime/PrototypeKey.h + runtime/ProxyObject.h runtime/PureNaN.h runtime/PutDirectIndexMode.h runtime/PutPropertySlot.h @@ -950,6 +1027,7 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/SamplingProfiler.h runtime/ScopeOffset.h runtime/ScopedArgumentsTable.h + runtime/Scribble.h runtime/ScriptExecutable.h runtime/ScriptFetchParameters.h runtime/ScriptFetcher.h @@ -1002,23 +1080,36 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS runtime/WriteBarrier.h runtime/WriteBarrierInlines.h + tools/Integrity.h + tools/IntegrityInlines.h + tools/VMInspector.h + tools/VMInspectorInlines.h + + wasm/WasmCallee.h wasm/WasmCapabilities.h wasm/WasmCodeBlock.h + wasm/WasmCompilationMode.h wasm/WasmContext.h wasm/WasmEmbedder.h wasm/WasmExceptionType.h wasm/WasmFaultSignalHandler.h + wasm/WasmFormat.h + wasm/WasmFunctionCodeBlock.h wasm/WasmIndexOrName.h + wasm/WasmLLIntTierUpCounter.h wasm/WasmMemory.h + wasm/WasmMemoryInformation.h wasm/WasmMemoryMode.h wasm/WasmModule.h wasm/WasmName.h wasm/WasmNameSection.h wasm/WasmPageCount.h + wasm/WasmSignature.h wasm/WasmTierUpCount.h + wasm/js/JSWebAssembly.h + wasm/js/JSWebAssemblyMemory.h wasm/js/JSWebAssemblyModule.h - wasm/js/WebAssemblyPrototype.h yarr/RegularExpression.h @@ -1032,6 +1123,12 @@ set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS yarr/YarrUnicodeProperties.h ) +if (USE_INSPECTOR_SOCKET_SERVER) + list(APPEND JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS + API/JSRemoteInspectorServer.h + ) +endif () + # GENERATOR 1-B: particular LUT creator (for 1 file only) GENERATE_HASH_LUT(${CMAKE_CURRENT_SOURCE_DIR}/parser/Keywords.table ${JavaScriptCore_DERIVED_SOURCES_DIR}/Lexer.lut.h) 
@@ -1062,16 +1159,6 @@ add_custom_command( COMMAND ${PYTHON_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/yarr/generateYarrCanonicalizeUnicode ${JAVASCRIPTCORE_DIR}/ucd/CaseFolding.txt ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/YarrCanonicalizeUnicode.cpp VERBATIM) -#GENERATOR: "IntlCanonicalizeLanguage.h": tables used by Intl -add_custom_command( - OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/IntlCanonicalizeLanguage.h - MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/Scripts/generateIntlCanonicalizeLanguage.py - DEPENDS ${JAVASCRIPTCORE_DIR}/ucd/language-subtag-registry.txt - COMMAND ${PYTHON_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/Scripts/generateIntlCanonicalizeLanguage.py ${JAVASCRIPTCORE_DIR}/ucd/language-subtag-registry.txt ${JavaScriptCore_DERIVED_SOURCES_DIR}/IntlCanonicalizeLanguage.h - VERBATIM) -list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/IntlCanonicalizeLanguage.h) -WEBKIT_ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/runtime/IntlObject.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/IntlCanonicalizeLanguage.h) - #GENERATOR: "KeywordLookup.h": keyword decision tree used by the lexer add_custom_command( OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/KeywordLookup.h 
@@ -1102,11 +1189,15 @@ set(JavaScriptCore_INSPECTOR_PROTOCOL_SCRIPTS ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generator_templates.py ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/__init__.py ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/models.py + ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/preprocess.pl ) set(JavaScriptCore_INSPECTOR_DOMAINS + ${JAVASCRIPTCORE_DIR}/inspector/protocol/Animation.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/ApplicationCache.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Audit.json + ${JAVASCRIPTCORE_DIR}/inspector/protocol/Browser.json + ${JAVASCRIPTCORE_DIR}/inspector/protocol/CPUProfiler.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/CSS.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Canvas.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Console.json 
@@ -1117,38 +1208,22 @@ set(JavaScriptCore_INSPECTOR_DOMAINS ${JAVASCRIPTCORE_DIR}/inspector/protocol/Debugger.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/GenericTypes.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Heap.json + ${JAVASCRIPTCORE_DIR}/inspector/protocol/IndexedDB.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Inspector.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/LayerTree.json + ${JAVASCRIPTCORE_DIR}/inspector/protocol/Memory.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Network.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Page.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Recording.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Runtime.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/ScriptProfiler.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Security.json + ${JAVASCRIPTCORE_DIR}/inspector/protocol/ServiceWorker.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Target.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Timeline.json ${JAVASCRIPTCORE_DIR}/inspector/protocol/Worker.json ) -if (ENABLE_INDEXED_DATABASE) - list(APPEND JavaScriptCore_INSPECTOR_DOMAINS - ${JAVASCRIPTCORE_DIR}/inspector/protocol/IndexedDB.json - ) -endif () - -if (ENABLE_RESOURCE_USAGE) - list(APPEND JavaScriptCore_INSPECTOR_DOMAINS - ${JAVASCRIPTCORE_DIR}/inspector/protocol/CPUProfiler.json - ${JAVASCRIPTCORE_DIR}/inspector/protocol/Memory.json - ) -endif () - -if (ENABLE_SERVICE_WORKER) - list(APPEND JavaScriptCore_INSPECTOR_DOMAINS - ${JAVASCRIPTCORE_DIR}/inspector/protocol/ServiceWorker.json - ) -endif () - add_custom_command( OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json MAIN_DEPENDENCY ${JavaScriptCore_SCRIPTS_DIR}/generate-combined-inspector-json.py 
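Review bot: Dropping the `ENABLE_INDEXED_DATABASE`, `ENABLE_RESOURCE_USAGE` and `ENABLE_SERVICE_WORKER` guards makes IndexedDB.json, CPUProfiler.json, Memory.json and ServiceWorker.json unconditional members of `JavaScriptCore_INSPECTOR_DOMAINS`, so their backend dispatchers are now generated from CombinedDomains.json in every configuration, including ones that disable the feature. If that is intentional, the place where per-feature availability is now decided (presumably the domain JSON files or the generator, given the `preprocess.pl --defines` step the later InspectorBackendCommands hunk adds) should be named here so nobody re-adds the guards. A comment above the list such as `# Feature-conditional domains are always listed; per-domain availability is applied by the generator, not by CMake.` would document that.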
@@ -1166,11 +1241,19 @@ add_custom_command( ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorFrontendDispatchers.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorProtocolObjects.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorProtocolObjects.h - ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendCommands.js MAIN_DEPENDENCY ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json DEPENDS ${JavaScriptCore_INSPECTOR_PROTOCOL_SCRIPTS} COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-inspector-protocol-bindings.py --outputDir "${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector" --framework JavaScriptCore ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json VERBATIM) +add_custom_command( + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendCommands.js + ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendCommands.js.in + MAIN_DEPENDENCY ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json + DEPENDS ${JavaScriptCore_INSPECTOR_PROTOCOL_SCRIPTS} + COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-inspector-protocol-bindings.py --outputDir ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector --framework WebInspectorUI ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json + COMMAND ${PERL_EXECUTABLE} ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/preprocess.pl --input ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendCommands.js.in --defines "${FEATURE_DEFINES_WITH_SPACE_SEPARATOR}" --preprocessor "${CODE_GENERATOR_PREPROCESSOR}" --output ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendCommands.js + VERBATIM) +add_custom_target(InspectorBackendCommands DEPENDS "${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendCommands.js") # JSCBuiltins 
@@ -1226,7 +1309,7 @@ set(JavaScriptCore_BUILTINS_SOURCES ${JAVASCRIPTCORE_DIR}/builtins/StringPrototype.js ${JAVASCRIPTCORE_DIR}/builtins/TypedArrayConstructor.js ${JAVASCRIPTCORE_DIR}/builtins/TypedArrayPrototype.js - ${JAVASCRIPTCORE_DIR}/builtins/WebAssemblyPrototype.js + ${JAVASCRIPTCORE_DIR}/builtins/WebAssembly.js ) add_custom_command( @@ -1235,6 +1318,7 @@ add_custom_command( DEPENDS ${JavaScriptCore_BUILTINS_SOURCES} ${BUILTINS_GENERATOR_SCRIPTS} COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_SCRIPTS_DIR}/generate-js-builtins.py --framework JavaScriptCore --output-directory ${JavaScriptCore_DERIVED_SOURCES_DIR} --combined ${JavaScriptCore_BUILTINS_SOURCES} VERBATIM) +add_custom_target(JSCBuiltins DEPENDS "${JavaScriptCore_DERIVED_SOURCES_DIR}/JSCBuiltins.h") list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendDispatchers.h @@ -1243,19 +1327,6 @@ list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/JSCBuiltins.h ) -add_custom_command( - OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcode.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcodeGenerated.h - MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/b3/air/AirOpcode.opcodes - DEPENDS ${JAVASCRIPTCORE_DIR}/b3/air/opcode_generator.rb - COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/b3/air/opcode_generator.rb ${JAVASCRIPTCORE_DIR}/b3/air/AirOpcode.opcodes VERBATIM - WORKING_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR} -) - -list(APPEND JavaScriptCore_HEADERS - ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcode.h - ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcodeGenerated.h -) - add_custom_command( OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.min.js MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/inspector/InjectedScriptSource.js 
@@ -1279,46 +1350,75 @@ if (WTF_CPU_X86_64) endif () endif () +set(JavaScriptCore_INTERFACE_LIBRARIES JavaScriptCore) +set(JavaScriptCore_INTERFACE_INCLUDE_DIRECTORIES + ${JavaScriptCore_FRAMEWORK_HEADERS_DIR} + ${JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS_DIR} +) +set(JavaScriptCore_INTERFACE_DEPENDENCIES + JavaScriptCore_CopyHeaders + JavaScriptCore_CopyPrivateHeaders +) + WEBKIT_FRAMEWORK_DECLARE(JavaScriptCore) WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS() if (COMPILER_IS_GCC_OR_CLANG) # Avoid using fused multiply-add instructions since this could give different results # for e.g. parseInt depending on the platform and compilation flags. - WEBKIT_ADD_TARGET_CXX_FLAGS(JavaScriptCore -ffp-contract=off) + WEBKIT_ADD_TARGET_CXX_FLAGS(JavaScriptCore -ffp-contract=off -fno-slp-vectorize) endif () -WEBKIT_MAKE_FORWARDING_HEADERS(JavaScriptCore - TARGET_NAME JavaScriptCoreFrameworkHeaders +WEBKIT_COPY_FILES(JavaScriptCore_CopyHeaders DESTINATION ${JavaScriptCore_FRAMEWORK_HEADERS_DIR}/JavaScriptCore FILES ${JavaScriptCore_PUBLIC_FRAMEWORK_HEADERS} FLATTENED ) -WEBKIT_MAKE_FORWARDING_HEADERS(JavaScriptCore - TARGET_NAME JavaScriptCorePrivateFrameworkHeaders +WEBKIT_COPY_FILES(JavaScriptCore_CopyPrivateHeaders DESTINATION ${JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS_DIR}/JavaScriptCore FILES ${JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS} FLATTENED ) +add_dependencies(JavaScriptCore_CopyPrivateHeaders Bytecodes JSCBuiltins) +# JavaScriptCore_CopyPrivateHeaders needs to have a direct or indirect +# dependency of JavaScriptCore for CMake Visual Studio generator to +# eliminate duplicated custom commands. Otherwise, +# CombinedDomains.json will be generated in both projects. 
+if (NOT INTERNAL_BUILD) + add_dependencies(JavaScriptCore_CopyPrivateHeaders JavaScriptCore) +endif () -target_include_directories(LLIntSettingsExtractor PRIVATE - ${JavaScriptCore_INCLUDE_DIRECTORIES} - ${JavaScriptCore_PRIVATE_INCLUDE_DIRECTORIES} -) -target_include_directories(LLIntSettingsExtractor SYSTEM PRIVATE ${JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES}) +target_include_directories(LowLevelInterpreterLib + PRIVATE "$") +add_dependencies(LowLevelInterpreterLib Bytecodes JSCBuiltins) +if (TARGET WTF_CopyHeaders) + add_dependencies(LowLevelInterpreterLib WTF_CopyHeaders) +endif () -target_include_directories(LLIntOffsetsExtractor PRIVATE - ${JavaScriptCore_INCLUDE_DIRECTORIES} - ${JavaScriptCore_PRIVATE_INCLUDE_DIRECTORIES} -) -target_include_directories(LLIntOffsetsExtractor SYSTEM PRIVATE ${JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES}) +if (CMAKE_COMPILER_IS_GNUCXX AND GCC_OFFLINEASM_SOURCE_MAP) + message(STATUS "Enabling asm postprocessing") -add_subdirectory(shell) + set(LowLevelInterpreter_LAUNCHER "${JavaScriptCore_SCRIPTS_SOURCES_DIR}/postprocess-asm") + get_target_property(PROP_RULE_LAUNCH_COMPILE LowLevelInterpreterLib RULE_LAUNCH_COMPILE) + if (PROP_RULE_LAUNCH_COMPILE) + set(LowLevelInterpreter_LAUNCHER "${LowLevelInterpreter_LAUNCHER} ${PROP_RULE_LAUNCH_COMPILE}") + endif () + set_property(TARGET LowLevelInterpreterLib + PROPERTY RULE_LAUNCH_COMPILE "${LowLevelInterpreter_LAUNCHER}") + + # Pass in the filename as a magic preprocessor directive, so that + # the wrapper can accurately identify the source file. + set_source_files_properties("llint/LowLevelInterpreter.cpp" + PROPERTIES + COMPILE_DEFINITIONS "POSTPROCESS_ASM=llint/LowLevelInterpreter.cpp") +endif () + +list(APPEND JavaScriptCore_SOURCES $) WEBKIT_COMPUTE_SOURCES(JavaScriptCore) -WEBKIT_WRAP_SOURCELIST(${JavaScriptCore_SOURCES}) WEBKIT_FRAMEWORK(JavaScriptCore) +WEBKIT_FRAMEWORK_TARGET(JavaScriptCore) if (NOT "${PORT}" STREQUAL "Mac") if (${JavaScriptCore_LIBRARY_TYPE} STREQUAL "SHARED") 
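Review bot: The `if (NOT INTERNAL_BUILD)` guard around `add_dependencies(JavaScriptCore_CopyPrivateHeaders JavaScriptCore)` is not covered by the comment above it, which only gives the Visual Studio de-duplication rationale, so a reader cannot tell why internal builds are exempt or what breaks if the edge is added there; a one-line comment such as `# INTERNAL_BUILD: <reason the CopyPrivateHeaders -> JavaScriptCore dependency must be omitted>` would make the exception self-documenting. Separately, the `RULE_LAUNCH_COMPILE` handling reads the existing launcher only from the target property; if a port configures its compiler launcher (a ccache wrapper, for example) at GLOBAL or directory scope, `get_target_property` will presumably not return it, and the target-level `set_property` then replaces it for LowLevelInterpreterLib with postprocess-asm alone, which is worth checking against how the ports set launchers. When both are present the resulting command is `postprocess-asm <existing launcher> <compiler> ...`, so postprocess-asm must tolerate an arbitrary launcher in front of the compiler; a comment stating that assumption would help. The bare `$` in `target_include_directories(LowLevelInterpreterLib PRIVATE "$")` and `list(APPEND JavaScriptCore_SOURCES $)` look like generator expressions lost in rendering rather than what the commit contains.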
@@ -1330,8 +1430,14 @@ endif () # Force staging of shared scripts, even if they aren't directly used to build JavaScriptCore.
-add_custom_target(stageSharedScripts DEPENDS ${JavaScriptCore_SCRIPTS})
-add_dependencies(JavaScriptCore stageSharedScripts ${JavaScriptCore_EXTRA_DEPENDENCIES})
+add_custom_target(JavaScriptCoreSharedScripts DEPENDS ${JavaScriptCore_SCRIPTS})
+add_dependencies(JavaScriptCore JavaScriptCoreSharedScripts ${JavaScriptCore_EXTRA_DEPENDENCIES})
+
+# JavaScriptCore target needs to have a direct or indirect dependency
+# of InspectorBackendCommands for CMake Visual Studio generator to
+# eliminate duplicated custom commands. Otherwise,
+# CombinedDomains.json will be generated in both projects.
+add_dependencies(JavaScriptCore InspectorBackendCommands) if (USE_VERSION_STAMPER) add_custom_command(
@@ -1346,3 +1452,5 @@ if (USE_VERSION_STAMPER) COMMAND ${PERL_EXECUTABLE} ${WEBKIT_LIBRARIES_DIR}/tools/scripts/version-stamp.pl ${JavaScriptCore_DERIVED_SOURCES_DIR} $ VERBATIM) endif ()
+
+add_subdirectory(shell)
diff --git a/ChangeLog b/ChangeLog
index e6637b2..8d1e12a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3492 +1,26256 @@ -2019-11-04 Kocsen Chung +2021-06-15 Alan Coon - Cherry-pick r248552. rdar://problem/56868427 + Cherry-pick r278819. rdar://problem/79355258 - Replace multiparameter overloads of append() in StringBuilder as a first step toward standardizinging on the flexibleAppend() implementation - https://bugs.webkit.org/show_bug.cgi?id=200614 + https://bugs.webkit.org/show_bug.cgi?id=226576 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/short-circuit-read-modify-write-cant-write-dst-before-tdz-check.js: Added. + (let.result.eval.try.captureV): + (catch): + + Source/JavaScriptCore: + + ShortCircuitReadModifyResolveNode can't emit a value into + its result until after it emits a TDZ check. We were temporarily + storing the result of the get_from_scope into the dst. Then + we'd emit the TDZ check. The TDZ check can throw, and it could + lead to us returning TDZ from the eval itself. Instead, we need + to use a temporary to emit a TDZ check on. Only after the TDZ check + passes can we move the temporary into the result. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ShortCircuitReadModifyResolveNode::emitBytecode): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@278819 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-06-13 Saam Barati + + https://bugs.webkit.org/show_bug.cgi?id=226576 + + + Reviewed by Yusuke Suzuki. + + ShortCircuitReadModifyResolveNode can't emit a value into + its result until after it emits a TDZ check. We were temporarily + storing the result of the get_from_scope into the dst. Then + we'd emit the TDZ check. The TDZ check can throw, and it could + lead to us returning TDZ from the eval itself. Instead, we need + to use a temporary to emit a TDZ check on. Only after the TDZ check + passes can we move the temporary into the result. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ShortCircuitReadModifyResolveNode::emitBytecode): + +2021-06-15 Alan Coon + + Cherry-pick r278578. 
rdar://problem/79355258 + + Short circuit read modify write nodes emit byte code that uses the wrong locals + https://bugs.webkit.org/show_bug.cgi?id=226576 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/short-circuit-read-modify-should-use-the-write-virtual-registers.js: Added. + (eval): + + Source/JavaScriptCore: + + It's never a good idea to use the wrong local :-) + + This patch also adds support for dumping predecessors of basic blocks + in the bytecode dump. + + * bytecode/BytecodeDumper.cpp: + (JSC::CodeBlockBytecodeDumper::dumpGraph): + * bytecompiler/NodesCodegen.cpp: + (JSC::ShortCircuitReadModifyResolveNode::emitBytecode): + (JSC::ShortCircuitReadModifyDotNode::emitBytecode): + (JSC::ShortCircuitReadModifyBracketNode::emitBytecode): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@278578 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-06-07 Saam Barati + + Short circuit read modify write nodes emit byte code that uses the wrong locals + https://bugs.webkit.org/show_bug.cgi?id=226576 + + + Reviewed by Yusuke Suzuki. + + It's never a good idea to use the wrong local :-) + + This patch also adds support for dumping predecessors of basic blocks + in the bytecode dump. + + * bytecode/BytecodeDumper.cpp: + (JSC::CodeBlockBytecodeDumper::dumpGraph): + * bytecompiler/NodesCodegen.cpp: + (JSC::ShortCircuitReadModifyResolveNode::emitBytecode): + (JSC::ShortCircuitReadModifyDotNode::emitBytecode): + (JSC::ShortCircuitReadModifyBracketNode::emitBytecode): + +2021-05-20 Alan Coon + + Cherry-pick r277613. rdar://problem/78264256 + + REGRESSION (r271119): Object methods defined with shorthand notation cannot access "caller" in non-strict mode + https://bugs.webkit.org/show_bug.cgi?id=225277 Reviewed by Darin Adler. - Renames StringBuilder::append(const LChar*, unsigned), StringBuilder::append(const UChar*, unsigned) and - StringBuilder::append(const char*, unsigned) to StringBuilder::appendCharacters(...). 
- - Renames StringBuilder::append(const String& string, unsigned offset, unsigned length) to - StringBuilder::appendSubstring(...). + JSTests: + + * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Now covers #157461 and #157863. + * stress/function-caller-cross-realm-via-call-apply.js: Added, coverage for #34553. + * stress/function-hidden-as-caller.js: Also adds test case for #102276. Source/JavaScriptCore: - * dfg/DFGStrengthReductionPhase.cpp: - (JSC::DFG::StrengthReductionPhase::handleNode): - * runtime/ConfigFile.cpp: - (JSC::ConfigFile::parse): - * runtime/LiteralParser.cpp: - (JSC::LiteralParser::Lexer::lexStringSlow): - * tools/FunctionOverrides.cpp: - (JSC::parseClause): - Update for renames. + This patch loosens `function.caller` to allow non-strict getters, setters, arrow functions, + and ES6 methods to be returned as callers, fixing web compatibility. - Source/WebCore: + The intent of r230662 is preserved: generator / async functions are never exposed. There is + no good way to acquire wrapper function from the internal body one, nor from its arguments. + Also, this behavior is on standards track [1] (seems to be considered desirable). 
- * dom/Range.cpp: - (WebCore::Range::toString const): - * editing/Editing.cpp: - (WebCore::stringWithRebalancedWhitespace): - * editing/MarkupAccumulator.cpp: - (WebCore::appendCharactersReplacingEntitiesInternal): - * editing/TextIterator.cpp: - (WebCore::TextIteratorCopyableText::appendToStringBuilder const): - * html/HTMLTextFormControlElement.cpp: - (WebCore::HTMLTextFormControlElement::valueWithHardLineBreaks const): - * html/parser/HTMLTokenizer.cpp: - (WebCore::HTMLTokenizer::bufferedCharacters const): - * platform/graphics/avfoundation/InbandTextTrackPrivateAVF.cpp: - (WebCore::InbandTextTrackPrivateAVF::processNativeSamples): - * platform/text/SegmentedString.cpp: - (WebCore::SegmentedString::Substring::appendTo const): - * platform/text/TextCodecICU.cpp: - (WebCore::TextCodecICU::decode): - * xml/XSLTProcessorLibxslt.cpp: - (WebCore::writeToStringBuilder): - Update for renames. + [1]: https://github.com/claudepache/es-legacy-function-reflection/blob/master/spec.md#get-functionprototypecaller (step 14) - Source/WebKit: - - * Shared/mac/AuxiliaryProcessMac.mm: - (WebKit::setAndSerializeSandboxParameters): - * UIProcess/WebProcessPool.cpp: - (WebKit::WebProcessPool::didReceiveInvalidMessage): - Update for renames. - - Source/WTF: - - * wtf/HexNumber.h: - (WTF::appendUnsignedAsHexFixedSize): - Add overload that explicitly takes a StringBuilder to work around rename from append to appendCharacters. - - * wtf/text/StringBuilder.cpp: - (WTF::StringBuilder::appendCharacters): - (WTF::StringBuilder::append): - * wtf/text/StringBuilder.h: - (WTF::StringBuilder::appendCharacters): - (WTF::StringBuilder::append): - (WTF::StringBuilder::appendSubstring): - (WTF::StringBuilder::appendLiteral): - (WTF::IntegerToStringConversionTrait::flush): - Update for renames. - - Tools: - - * TestWebKitAPI/Tests/WTF/StringBuilder.cpp: - (TestWebKitAPI::TEST): - Update for renames. 
+ * runtime/JSFunction.cpp: + (JSC::JSC_DEFINE_CUSTOM_GETTER): - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248552 268f45cc-cd09-0410-ab3c-d52691b4dbfc + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277613 268f45cc-cd09-0410-ab3c-d52691b4dbfc - 2019-08-12 Sam Weinig + 2021-05-17 Alexey Shvayka - Replace multiparameter overloads of append() in StringBuilder as a first step toward standardizinging on the flexibleAppend() implementation - https://bugs.webkit.org/show_bug.cgi?id=200614 + REGRESSION (r271119): Object methods defined with shorthand notation cannot access "caller" in non-strict mode + https://bugs.webkit.org/show_bug.cgi?id=225277 Reviewed by Darin Adler. - Renames StringBuilder::append(const LChar*, unsigned), StringBuilder::append(const UChar*, unsigned) and - StringBuilder::append(const char*, unsigned) to StringBuilder::appendCharacters(...). + This patch loosens `function.caller` to allow non-strict getters, setters, arrow functions, + and ES6 methods to be returned as callers, fixing web compatibility. - Renames StringBuilder::append(const String& string, unsigned offset, unsigned length) to - StringBuilder::appendSubstring(...). + The intent of r230662 is preserved: generator / async functions are never exposed. There is + no good way to acquire wrapper function from the internal body one, nor from its arguments. + Also, this behavior is on standards track [1] (seems to be considered desirable). - * dfg/DFGStrengthReductionPhase.cpp: - (JSC::DFG::StrengthReductionPhase::handleNode): - * runtime/ConfigFile.cpp: - (JSC::ConfigFile::parse): - * runtime/LiteralParser.cpp: - (JSC::LiteralParser::Lexer::lexStringSlow): - * tools/FunctionOverrides.cpp: - (JSC::parseClause): - Update for renames. 
+ [1]: https://github.com/claudepache/es-legacy-function-reflection/blob/master/spec.md#get-functionprototypecaller (step 14) -2019-10-20 Babak Shafiei + * runtime/JSFunction.cpp: + (JSC::JSC_DEFINE_CUSTOM_GETTER): - Cherry-pick r249538. rdar://problem/56426429 +2021-05-20 Alan Coon - LazyClassStructure::setConstructor should not store the constructor to the global object - https://bugs.webkit.org/show_bug.cgi?id=201484 - - - Reviewed by Yusuke Suzuki. - - JSTests: - - * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added. - - Source/JavaScriptCore: - - LazyClassStructure::setConstructor sets the constructor as a property of the global object. - This became a problem when it started being used for WebAssembly constructors, such as Module - and Instance, since they are properties of the WebAssembly object, not the global object. That - resulted in properties of the global object replaced whenever a lazy WebAssembly constructor - was first accessed. e.g. - - globalThis.Module = x; - WebAssembly.Module; - globalThis.Module === WebAssembly.Module; - - * runtime/LazyClassStructure.cpp: - (JSC::LazyClassStructure::Initializer::setConstructor): - * runtime/LazyClassStructure.h: - * runtime/Lookup.h: - (JSC::reifyStaticProperty): - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249538 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-09-05 Tadeu Zagallo - - LazyClassStructure::setConstructor should not store the constructor to the global object - https://bugs.webkit.org/show_bug.cgi?id=201484 - - - Reviewed by Yusuke Suzuki. - - LazyClassStructure::setConstructor sets the constructor as a property of the global object. - This became a problem when it started being used for WebAssembly constructors, such as Module - and Instance, since they are properties of the WebAssembly object, not the global object. That - resulted in properties of the global object replaced whenever a lazy WebAssembly constructor - was first accessed. e.g. 
- - globalThis.Module = x; - WebAssembly.Module; - globalThis.Module === WebAssembly.Module; - - * runtime/LazyClassStructure.cpp: - (JSC::LazyClassStructure::Initializer::setConstructor): - * runtime/LazyClassStructure.h: - * runtime/Lookup.h: - (JSC::reifyStaticProperty): - -2019-10-15 Kocsen Chung - - Cherry-pick r250629. rdar://problem/56280996 - - FTL OSR exit shouldn't bother updating get_by_id array profiles that have changed modes - https://bugs.webkit.org/show_bug.cgi?id=202493 - - Reviewed by Saam Barati. - - I added this optimization for DFG but forgot to do it for the FTL - at the same time. This patch rectifies that. - - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250629 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-10-02 Keith Miller - - FTL OSR exit shouldn't bother updating get_by_id array profiles that have changed modes - https://bugs.webkit.org/show_bug.cgi?id=202493 - - Reviewed by Saam Barati. - - I added this optimization for DFG but forgot to do it for the FTL - at the same time. This patch rectifies that. - - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - -2019-10-15 Kocsen Chung - - Cherry-pick r250585. rdar://problem/56280995 - - ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid - https://bugs.webkit.org/show_bug.cgi?id=199361 - - - Reviewed by Yusuke Suzuki. - - JSTests: - - * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added. - (main.fn): - (main.executor): - (main): - * stress/allocation-sinking-hints-are-valid-ssa.js: Added. - (main.fn): - (main.executor): - (main): - - Source/JavaScriptCore: - - In a prior fix to the object allocation sinking phase, I added code where we - made sure to insert PutHints over Phis for fields of an object at control flow - merge points. However, that code didn't consider that the base of the PutHint - may no longer be a valid heap location. 
This could cause us to emit invalid - SSA code by referring to a node which does not dominate the PutHint location. - This patch fixes the bug to only emit the PutHints when valid. - - This patch also makes it so that DFGValidate actually validates that the graph - is in valid SSA form. E.g, any use of a node N must be dominated by N. - - * dfg/DFGObjectAllocationSinkingPhase.cpp: - * dfg/DFGValidate.cpp: - - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250585 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-10-01 Saam Barati - - ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid - https://bugs.webkit.org/show_bug.cgi?id=199361 - - - Reviewed by Yusuke Suzuki. - - In a prior fix to the object allocation sinking phase, I added code where we - made sure to insert PutHints over Phis for fields of an object at control flow - merge points. However, that code didn't consider that the base of the PutHint - may no longer be a valid heap location. This could cause us to emit invalid - SSA code by referring to a node which does not dominate the PutHint location. - This patch fixes the bug to only emit the PutHints when valid. - - This patch also makes it so that DFGValidate actually validates that the graph - is in valid SSA form. E.g, any use of a node N must be dominated by N. - - * dfg/DFGObjectAllocationSinkingPhase.cpp: - * dfg/DFGValidate.cpp: - -2019-10-15 Kocsen Chung - - Cherry-pick r249959. rdar://problem/56280989 + Cherry-pick r277477. rdar://problem/78264390 - CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage - https://bugs.webkit.org/show_bug.cgi?id=201853 - - - Reviewed by Yusuke Suzuki. - - JSTests: - - * stress/direct-arguments-check-array-filter-type.js: Added. - (foo): - - Source/JavaScriptCore: - - We were claiming CheckArray for ScopedArguments/DirectArguments was filtering - out SlowPutArrayStorage. It does no such thing. 
We just check that the object - is either ScopedArguments/DirectArguments. - - * dfg/DFGArrayMode.h: - (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): - (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const): - (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted. - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249959 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-09-17 Saam Barati - - CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage - https://bugs.webkit.org/show_bug.cgi?id=201853 - - - Reviewed by Yusuke Suzuki. - - We were claiming CheckArray for ScopedArguments/DirectArguments was filtering - out SlowPutArrayStorage. It does no such thing. We just check that the object - is either ScopedArguments/DirectArguments. - - * dfg/DFGArrayMode.h: - (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): - (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const): - (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted. - -2019-09-30 Babak Shafiei - - Cherry-pick r250058. rdar://problem/55826329 - - Phantom insertion phase may disagree with arguments forwarding about live ranges - https://bugs.webkit.org/show_bug.cgi?id=200715 - - - Reviewed by Yusuke Suzuki. - - JSTests: - - * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added. - (main.v23): - (main.try.v43): - (main.): - (main): - - Source/JavaScriptCore: - - The issue is that Phantom insertion phase was disagreeing about live ranges - from the arguments forwarding phase. The effect is that Phantom insertion - would insert a Phantom creating a longer live range than what arguments - forwarding was analyzing. Arguments forwarding will look for the last DFG - use or the last bytecode use of a variable it wants to eliminate. It then - does an interference analysis to ensure that nothing clobbers other variables - it needs to recover the sunken allocation during OSR exit. 
- - Phantom insertion works by ordering the program into OSR exit epochs. If a value was used - in the current epoch, there is no need to insert a phantom for it. We - determine where we might need a Phantom by looking at bytecode kills. In this - analysis, we have a mapping from bytecode local to DFG node. However, we - sometimes forgot to remove the entry when a local is killed. So, if the first - kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design. - However, if the variable gets killed again, we might errantly insert a Phantom - for the prior variable which should've already been killed. The solution is to - clear the entry in our mapping when a variable is killed. - - The program in question was like this: - - 1: DirectArguments - ... - 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 - ... - clobber things needed for recovery - ... - - Arguments elimination would transform the program since between @1 and - @2, nothing clobbers values needed for exit and nothing escapes @1. The - program becomes: - - 1: PhantomDirectArguments - ... - 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 - ... - clobber things needed for recovery of @1 - ... - - - Phantom insertion would then transform the program into: - - 1: PhantomDirectArguments - ... - 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 - ... - clobber things needed for recovery of @1 - ... - 3: Phantom(@1) - ... - - This is wrong because Phantom insertion and arguments forwarding must agree on live - ranges, otherwise the interference analysis performed by arguments forwarding will - not correctly analyze up until where the value might be recovered. 
- - * dfg/DFGPhantomInsertionPhase.cpp: - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250058 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-09-18 Saam Barati - - Phantom insertion phase may disagree with arguments forwarding about live ranges - https://bugs.webkit.org/show_bug.cgi?id=200715 - - - Reviewed by Yusuke Suzuki. - - The issue is that Phantom insertion phase was disagreeing about live ranges - from the arguments forwarding phase. The effect is that Phantom insertion - would insert a Phantom creating a longer live range than what arguments - forwarding was analyzing. Arguments forwarding will look for the last DFG - use or the last bytecode use of a variable it wants to eliminate. It then - does an interference analysis to ensure that nothing clobbers other variables - it needs to recover the sunken allocation during OSR exit. - - Phantom insertion works by ordering the program into OSR exit epochs. If a value was used - in the current epoch, there is no need to insert a phantom for it. We - determine where we might need a Phantom by looking at bytecode kills. In this - analysis, we have a mapping from bytecode local to DFG node. However, we - sometimes forgot to remove the entry when a local is killed. So, if the first - kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design. - However, if the variable gets killed again, we might errantly insert a Phantom - for the prior variable which should've already been killed. The solution is to - clear the entry in our mapping when a variable is killed. - - The program in question was like this: - - 1: DirectArguments - ... - 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 - ... - clobber things needed for recovery - ... - - Arguments elimination would transform the program since between @1 and - @2, nothing clobbers values needed for exit and nothing escapes @1. The - program becomes: - - 1: PhantomDirectArguments - ... 
- 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 - ... - clobber things needed for recovery of @1 - ... - - - Phantom insertion would then transform the program into: - - 1: PhantomDirectArguments - ... - 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 - ... - clobber things needed for recovery of @1 - ... - 3: Phantom(@1) - ... - - This is wrong because Phantom insertion and arguments forwarding must agree on live - ranges, otherwise the interference analysis performed by arguments forwarding will - not correctly analyze up until where the value might be recovered. - - * dfg/DFGPhantomInsertionPhase.cpp: - -2019-09-30 Babak Shafiei - - Cherry-pick r249926. rdar://problem/55826870 - - [JSC] Perform check again when we found non-BMP characters - https://bugs.webkit.org/show_bug.cgi?id=201647 - - Reviewed by Yusuke Suzuki. - - JSTests: - - * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added. - * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print(). - (testRegExpInbounds): - - Source/JavaScriptCore: - - We need to check for end of input for non-BMP characters when matching a character class that contains - both BMP and non-BMP characters. In advanceIndexAfterCharacterClassTermMatch() we were checking for - end of input for both BMP and non-BMP characters. For BMP characters, this check is redundant. - After moving the check to after the "is BMP check", we need to decrement index after reaching the failure - label to back out the index++ for the first surrogate of the non-BMP character. + [REGRESSION: r271876] Web Inspector: [Cocoa] Remote inspection crashes when using WEB_THREAD + https://bugs.webkit.org/show_bug.cgi?id=225794 - Added the same kind of check in generateCharacterClassOnce(). 
In that case, we have pre-checked the - first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before - we increment for the second surrogate. + Reviewed by Devin Rousso. - While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the - loop to check the count at loop top instead of loop bottom. + For WEB_THREAD, move `callback` in `dispatchAsyncOnTarget` to `block` scope to ensure it is available for the + lifetime of the block. - * yarr/YarrJIT.cpp: - (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch): - (JSC::Yarr::YarrGenerator::generateCharacterClassOnce): - (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy): - (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy): - (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy): + * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: + (Inspector::RemoteConnectionToTarget::dispatchAsyncOnTarget): - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249926 268f45cc-cd09-0410-ab3c-d52691b4dbfc + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277477 268f45cc-cd09-0410-ab3c-d52691b4dbfc - 2019-09-16 Michael Saboff + 2021-05-13 Patrick Angle - [JSC] Perform check again when we found non-BMP characters - https://bugs.webkit.org/show_bug.cgi?id=201647 + [REGRESSION: r271876] Web Inspector: [Cocoa] Remote inspection crashes when using WEB_THREAD + https://bugs.webkit.org/show_bug.cgi?id=225794 - Reviewed by Yusuke Suzuki. + Reviewed by Devin Rousso. - We need to check for end of input for non-BMP characters when matching a character class that contains - both BMP and non-BMP characters. In advanceIndexAfterCharacterClassTermMatch() we were checking for - end of input for both BMP and non-BMP characters. For BMP characters, this check is redundant. 
- After moving the check to after the "is BMP check", we need to decrement index after reaching the failure - label to back out the index++ for the first surrogate of the non-BMP character. + For WEB_THREAD, move `callback` in `dispatchAsyncOnTarget` to `block` scope to ensure it is available for the + lifetime of the block. - Added the same kind of check in generateCharacterClassOnce(). In that case, we have pre-checked the - first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before - we increment for the second surrogate. + * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: + (Inspector::RemoteConnectionToTarget::dispatchAsyncOnTarget): - While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the - loop to check the count at loop top instead of loop bottom. +2021-04-27 Russell Epstein - * yarr/YarrJIT.cpp: - (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch): - (JSC::Yarr::YarrGenerator::generateCharacterClassOnce): - (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy): - (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy): - (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy): + Cherry-pick r276609. rdar://problem/77211512 -2019-09-30 Babak Shafiei - - Cherry-pick r249777. rdar://problem/55826876 - - JSC crashes due to stack overflow while building RegExp - https://bugs.webkit.org/show_bug.cgi?id=201649 - - Reviewed by Yusuke Suzuki. - - JSTests: - - New regression test. - - * stress/regexp-bol-optimize-out-of-stack.js: Added. - (test): - (catch): - - Source/JavaScriptCore: - - Check for running out of stack when we are optimizing RegExp containing BOL terms or - other deep copying of disjunctions. 
- - * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPatternConstructor::copyDisjunction): - (JSC::Yarr::YarrPatternConstructor::copyTerm): - (JSC::Yarr::YarrPatternConstructor::error): - (JSC::Yarr::YarrPattern::compile): - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249777 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-09-11 Michael Saboff - - JSC crashes due to stack overflow while building RegExp - https://bugs.webkit.org/show_bug.cgi?id=201649 - - Reviewed by Yusuke Suzuki. - - Check for running out of stack when we are optimizing RegExp containing BOL terms or - other deep copying of disjunctions. - - * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPatternConstructor::copyDisjunction): - (JSC::Yarr::YarrPatternConstructor::copyTerm): - (JSC::Yarr::YarrPatternConstructor::error): - (JSC::Yarr::YarrPattern::compile): - -2019-09-30 Babak Shafiei - - Cherry-pick r248951. rdar://problem/55826863 - - [JSC] incorrent JIT lead to StackOverflow - https://bugs.webkit.org/show_bug.cgi?id=197823 - - Reviewed by Tadeu Zagallo. - - JSTests: - - New test. - - * stress/bound-function-stack-overflow.js: Added. - (foo): - (catch): - - Source/JavaScriptCore: - - Added stack overflow check to the bound function thunk generator. Added a new C++ operation - throwStackOverflowErrorFromThunk() to throw the error. - - * jit/JITOperations.cpp: - * jit/JITOperations.h: - * jit/ThunkGenerators.cpp: - (JSC::boundThisNoArgsFunctionCallGenerator): - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248951 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-08-21 Michael Saboff - - [JSC] incorrent JIT lead to StackOverflow - https://bugs.webkit.org/show_bug.cgi?id=197823 - - Reviewed by Tadeu Zagallo. - - Added stack overflow check to the bound function thunk generator. Added a new C++ operation - throwStackOverflowErrorFromThunk() to throw the error. 
- - * jit/JITOperations.cpp: - * jit/JITOperations.h: - * jit/ThunkGenerators.cpp: - (JSC::boundThisNoArgsFunctionCallGenerator): - -2019-09-30 Babak Shafiei - - Cherry-pick r248796. rdar://problem/55826874 - - [Re-land] ProxyObject should not be allow to access its target's private properties. - https://bugs.webkit.org/show_bug.cgi?id=200739 - - - Reviewed by Yusuke Suzuki. - - JSTests: - - * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js. - * stress/proxy-with-private-symbols.js: - - Source/JavaScriptCore: - - Re-landing this after r200829 which resolves the test262 failure uncovered by this patch. - - * runtime/ProxyObject.cpp: - (JSC::performProxyGet): - (JSC::ProxyObject::performInternalMethodGetOwnProperty): - (JSC::ProxyObject::performHasProperty): - (JSC::ProxyObject::performPut): - (JSC::ProxyObject::performDelete): - (JSC::ProxyObject::performDefineOwnProperty): - - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248796 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-08-16 Mark Lam - - [Re-land] ProxyObject should not be allow to access its target's private properties. - https://bugs.webkit.org/show_bug.cgi?id=200739 - - - Reviewed by Yusuke Suzuki. - - Re-landing this after r200829 which resolves the test262 failure uncovered by this patch. - - * runtime/ProxyObject.cpp: - (JSC::performProxyGet): - (JSC::ProxyObject::performInternalMethodGetOwnProperty): - (JSC::ProxyObject::performHasProperty): - (JSC::ProxyObject::performPut): - (JSC::ProxyObject::performDelete): - (JSC::ProxyObject::performDefineOwnProperty): - -2019-09-30 Babak Shafiei - - Cherry-pick r247799. rdar://problem/55826880 - - performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer. - https://bugs.webkit.org/show_bug.cgi?id=200100 - - - Reviewed by Yusuke Suzuki. 
- - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::CopyFunction::CopyFunction): - (JSC::ARM64Assembler::CopyFunction::operator()): - - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because - retagCodePtr() would auth, assert, and re-pac the pointer. This is needed in - general because retagCodePtr() doesn't know that you will consume the pointer - immediately (and therefore crash imminently if a failed auth is encountered). - Since we know here that we will call with the auth'ed pointer immediately, we - can skip the assert. - - This also has the benefit of letting Clang do a peephole optimization to emit - a blrab instruction with the intended diversifier, instead of emitting multiple - instructions to auth the pointer into a C function, and then using a blraaz to - do a C function call. - - (JSC::ARM64Assembler::linkJumpOrCall): - (JSC::ARM64Assembler::linkCompareAndBranch): - (JSC::ARM64Assembler::linkConditionalBranch): - (JSC::ARM64Assembler::linkTestAndBranch): - * assembler/LinkBuffer.cpp: - (JSC::LinkBuffer::copyCompactAndLinkCode): - * runtime/JSCPtrTag.h: - - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247799 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-07-24 Mark Lam - - performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer. - https://bugs.webkit.org/show_bug.cgi?id=200100 - - - Reviewed by Yusuke Suzuki. - - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::CopyFunction::CopyFunction): - (JSC::ARM64Assembler::CopyFunction::operator()): - - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because - retagCodePtr() would auth, assert, and re-pac the pointer. This is needed in - general because retagCodePtr() doesn't know that you will consume the pointer - immediately (and therefore crash imminently if a failed auth is encountered). - Since we know here that we will call with the auth'ed pointer immediately, we - can skip the assert. 
- - This also has the benefit of letting Clang do a peephole optimization to emit - a blrab instruction with the intended diversifier, instead of emitting multiple - instructions to auth the pointer into a C function, and then using a blraaz to - do a C function call. - - (JSC::ARM64Assembler::linkJumpOrCall): - (JSC::ARM64Assembler::linkCompareAndBranch): - (JSC::ARM64Assembler::linkConditionalBranch): - (JSC::ARM64Assembler::linkTestAndBranch): - * assembler/LinkBuffer.cpp: - (JSC::LinkBuffer::copyCompactAndLinkCode): - * runtime/JSCPtrTag.h: - -2019-09-27 Alan Coon - - Cherry-pick r250440. rdar://problem/55800893 - - OSR exit shouldn't bother updating get_by_id array profiles that have changed modes - https://bugs.webkit.org/show_bug.cgi?id=202324 - - - Reviewed by Yusuke Suzuki. - - This is an optimization that avoids polluting the array profile. - - * dfg/DFGOSRExit.cpp: - (JSC::DFG::OSRExit::executeOSRExit): - (JSC::DFG::OSRExit::compileExit): - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250440 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-09-27 Keith Miller - - OSR exit shouldn't bother updating get_by_id array profiles that have changed modes - https://bugs.webkit.org/show_bug.cgi?id=202324 - - - Reviewed by Yusuke Suzuki. - - This is an optimization that avoids polluting the array profile. - - * dfg/DFGOSRExit.cpp: - (JSC::DFG::OSRExit::executeOSRExit): - (JSC::DFG::OSRExit::compileExit): - -2019-09-23 Alan Coon - - Cherry-pick r250116. rdar://problem/55608003 - - [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable - https://bugs.webkit.org/show_bug.cgi?id=202014 - - Reviewed by Saam Barati. - - JSTests: - - * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added. - (__v0): - - Source/JavaScriptCore: - - Let's look into the bytecode generated by the test. 
- - [ 0] enter - [ 1] get_scope loc4 - [ 3] mov loc5, loc4 - [ 6] check_traps - [ 7] mov loc6, callee - [ 10] create_direct_arguments loc7 - [ 12] to_this this - [ 15] mov loc8, loc7 - [ 18] mov loc9, loc6 - [ 21] mov loc12, Undefined(const0) - [ 24] get_by_id loc11, loc6, 0 - [ 29] jneq_ptr loc11, ApplyFunction, 18(->47) - [ 34] mov loc11, loc6 - [ 37] call_varargs loc11, loc11, this, loc8, loc13, 0 - [ 45] jmp 17(->62) - [ 47] mov loc16, loc6 - [ 50] mov loc15, this - [ 53] mov loc14, loc8 - [ 56] call loc11, loc11, 3, 22 - ... - - call_varargs uses loc13 as firstFreeReg (first usable bottom register in the current stack-frame to spread variadic arguments after this). - This is correct. And call_varargs uses |this| as this argument for the call_varargs. This |this| argument is not in a region starting from loc13. - And it is not in the previous place to loc13 (|this| is not loc12). - - On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the previous to firstFreeReg is usable and part of arguments. - But this is wrong. loc12 in the above bytecode is used for `[ 56] call loc11, loc11, 3, 22`'s argument later, and this call assumes - that loc12 is not clobbered by call_varargs. But DFG and FTL clobbers it. - - The test is recursively calling the same function, and we inline the same function one-level. And stack-overflow error happens when inlined - CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, outer function's loc12 is recovered to garbage since - LoadVarargs clobbers it. And we eventually use it and crash. - - 60: LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid) - - This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used. 
+ numCalleeLocals, numParameters, and numVars should be unsigned + https://bugs.webkit.org/show_bug.cgi?id=224995 - In all the tiers, op_call_varargs first allocates enough region to hold varargs including |this|. And we store |this| value to a correct place. - DFG should not assume that the previous register to firstFreeReg is used for |this|. + Reviewed by Mark Lam. - This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to - represent that `maxArgumentCountIncludingThis` includes |this| count. + All of the various CodeBlock classes currently have the + numCalleeLocals and numVars marked as ints. I believe this is just + a historical artifact or because VirtualRegister's offset is an + int to make handling constants easier. Regardless, it's a bit + strange to not handle the sign conversion at the point of + comparison between a VirtualRegister offset and the local/var + count. This doesn't completely fix every place we use ints for + these values but starts on the right track. Lastly, I also added + some Checks to the wasm parser for sanity checking. - * bytecode/CallLinkInfo.cpp: - (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis): - (JSC::CallLinkInfo::setMaxNumArguments): Deleted. - * bytecode/CallLinkInfo.h: - (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis): - (JSC::CallLinkInfo::maxArgumentCountIncludingThis): - (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted. - (JSC::CallLinkInfo::maxNumArguments): Deleted. - * bytecode/CallLinkStatus.cpp: - (JSC::CallLinkStatus::computeFor): - (JSC::CallLinkStatus::dump const): - * bytecode/CallLinkStatus.h: - (JSC::CallLinkStatus::maxArgumentCountIncludingThis const): - (JSC::CallLinkStatus::maxNumArguments const): Deleted. 
+ * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::setNumParameters): + (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::numParameters const): + (JSC::CodeBlock::numberOfArgumentsToSkip const): + (JSC::CodeBlock::numCalleeLocals const): + (JSC::CodeBlock::numVars const): + (JSC::CodeBlock::numTmps const): + (JSC::CodeBlock::addressOfNumParameters): + (JSC::CodeBlock::isTemporaryRegister): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::numCalleeLocals const): + (JSC::UnlinkedCodeBlock::numVars const): + * bytecode/UnlinkedCodeBlockGenerator.h: + (JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const): + (JSC::UnlinkedCodeBlockGenerator::numVars const): + (JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals): + (JSC::UnlinkedCodeBlockGenerator::setNumVars): + (JSC::UnlinkedCodeBlockGenerator::setNumParameters): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::emitPushFunctionNameScope): + * bytecompiler/BytecodeGeneratorBaseInlines.h: + (JSC::BytecodeGeneratorBase::newRegister): * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleVarargsInlining): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): - * jit/JITCall.cpp: - (JSC::JIT::compileSetupFrame): - * jit/JITCall32_64.cpp: - (JSC::JIT::compileSetupFrame): - * jit/JITOperations.cpp: - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250116 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-09-19 Yusuke Suzuki - - [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable - https://bugs.webkit.org/show_bug.cgi?id=202014 - - Reviewed by Saam Barati. - - Let's look into the bytecode generated by the test. 
- - [ 0] enter - [ 1] get_scope loc4 - [ 3] mov loc5, loc4 - [ 6] check_traps - [ 7] mov loc6, callee - [ 10] create_direct_arguments loc7 - [ 12] to_this this - [ 15] mov loc8, loc7 - [ 18] mov loc9, loc6 - [ 21] mov loc12, Undefined(const0) - [ 24] get_by_id loc11, loc6, 0 - [ 29] jneq_ptr loc11, ApplyFunction, 18(->47) - [ 34] mov loc11, loc6 - [ 37] call_varargs loc11, loc11, this, loc8, loc13, 0 - [ 45] jmp 17(->62) - [ 47] mov loc16, loc6 - [ 50] mov loc15, this - [ 53] mov loc14, loc8 - [ 56] call loc11, loc11, 3, 22 - ... - - call_varargs uses loc13 as firstFreeReg (first usable bottom register in the current stack-frame to spread variadic arguments after this). - This is correct. And call_varargs uses |this| as this argument for the call_varargs. This |this| argument is not in a region starting from loc13. - And it is not in the previous place to loc13 (|this| is not loc12). - - On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the previous to firstFreeReg is usable and part of arguments. - But this is wrong. loc12 in the above bytecode is used for `[ 56] call loc11, loc11, 3, 22`'s argument later, and this call assumes - that loc12 is not clobbered by call_varargs. But DFG and FTL clobbers it. - - The test is recursively calling the same function, and we inline the same function one-level. And stack-overflow error happens when inlined - CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, outer function's loc12 is recovered to garbage since - LoadVarargs clobbers it. And we eventually use it and crash. - - 60: LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid) - - This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used. 
- - In all the tiers, op_call_varargs first allocates enough region to hold varargs including |this|. And we store |this| value to a correct place. - DFG should not assume that the previous register to firstFreeReg is used for |this|. - - This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to - represent that `maxArgumentCountIncludingThis` includes |this| count. - - * bytecode/CallLinkInfo.cpp: - (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis): - (JSC::CallLinkInfo::setMaxNumArguments): Deleted. - * bytecode/CallLinkInfo.h: - (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis): - (JSC::CallLinkInfo::maxArgumentCountIncludingThis): - (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted. - (JSC::CallLinkInfo::maxNumArguments): Deleted. - * bytecode/CallLinkStatus.cpp: - (JSC::CallLinkStatus::computeFor): - (JSC::CallLinkStatus::dump const): - * bytecode/CallLinkStatus.h: - (JSC::CallLinkStatus::maxArgumentCountIncludingThis const): - (JSC::CallLinkStatus::maxNumArguments const): Deleted. - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleVarargsInlining): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): - * jit/JITCall.cpp: - (JSC::JIT::compileSetupFrame): - * jit/JITCall32_64.cpp: - (JSC::JIT::compileSetupFrame): - * jit/JITOperations.cpp: - -2019-09-17 Alan Coon - - Cherry-pick r249911. rdar://problem/55461405 - - JSObject::putInlineSlow should not ignore "__proto__" for Proxy - https://bugs.webkit.org/show_bug.cgi?id=200386 - - - Reviewed by Yusuke Suzuki. - - JSTests: - - * stress/proxy-__proto__-in-prototype-chain.js: Added. - * stress/proxy-property-replace-structure-transition.js: Added. 
- - Source/JavaScriptCore: - - We used to ignore '__proto__' in putInlineSlow when the object in question - was Proxy. There is no reason for this, and it goes against the spec. So - I've removed that condition. This also has the effect that it fixes an - assertion firing inside our inline caching code which dictates that for a - property replace that the base value's structure must be equal to the - structure when we grabbed the structure prior to the put operation. - The old code caused a weird edge case where we broke this invariant. - - * runtime/JSObject.cpp: - (JSC::JSObject::putInlineSlow): - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249911 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-09-16 Saam Barati - - JSObject::putInlineSlow should not ignore "__proto__" for Proxy - https://bugs.webkit.org/show_bug.cgi?id=200386 - - - Reviewed by Yusuke Suzuki. - - We used to ignore '__proto__' in putInlineSlow when the object in question - was Proxy. There is no reason for this, and it goes against the spec. So - I've removed that condition. This also has the effect that it fixes an - assertion firing inside our inline caching code which dictates that for a - property replace that the base value's structure must be equal to the - structure when we grabbed the structure prior to the put operation. - The old code caused a weird edge case where we broke this invariant. - - * runtime/JSObject.cpp: - (JSC::JSObject::putInlineSlow): - -2019-09-04 Mark Lam - - Cherry-pick 249345. rdar://problem/55000994 - - 2019-08-30 Mark Lam - - Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information. - https://bugs.webkit.org/show_bug.cgi?id=201345 - - Reviewed by Yusuke Suzuki. - - This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using - the wrong pointer for capture the cell headerWord and zapReason. As a result, - we get junk for those 2 values. 
- - Previously, we were only capturing the upper 32-bits of the cell header slot, - and the lower 32-bit of the next slot in the zapped cell. We now capture the - full 64-bits of both slots. If the second slot did not contain a zapReason as we - expect, the upper 32-bits might give us a clue as to what type of value the slot - contains. - - This patch also adds capturing of the found MarkedBlock address for the zapped - cell, as well as some state bit values. - - * heap/SlotVisitor.cpp: - (JSC::SlotVisitor::reportZappedCellAndCrash): - -2019-09-04 Mark Lam - - Cherry-pick 248143, 248162. rdar://problem/55000992 - - Also deleted an unused function. This is needed to resolve a merge conflict for - this patch. - - * heap/MarkedBlock.cpp: - (JSC::MarkedBlock::Handle::zap): Deleted. - * heap/MarkedBlock.h: - (JSC::MarkedBlock::Handle::zap): Deleted. - - 2019-08-02 Mark Lam - - Gardening: build fix. - https://bugs.webkit.org/show_bug.cgi?id=200149 - - - Not reviewed. - - * assembler/CPU.cpp: - (JSC::hwPhysicalCPUMax): - - 2019-08-01 Mark Lam - - Add crash diagnostics for debugging unexpected zapped cells. - https://bugs.webkit.org/show_bug.cgi?id=200149 - - - Reviewed by Yusuke Suzuki. - - Add a check for zapped cells in SlotVisitor::appendToMarkStack() and - SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with - some diagnostic info. - - To facilitate this, we've made the following changes: - 1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all - cells are at least 16 bytes long. - 2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the - cell header info intact (including the cell JSType). - 3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash - the reason immediately after the first 8 bytes. This is the same location as - FreeCell::scrambledNext. However, since a cell is not expected to be zapped - and on the free list at the same time, it is also fine to do this. - 4. 
Added a few utility functions to MarkedBlock for checking if a cell points - into the block. - 5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes. - 6. Added some comments to document the hashes of known subspaces. - 7. Added Options::dumpZappedCellCrashData() to make this check conditional. - We use this option to disable this check for slower machines so that their - PLT5 performance is not impacted. - - * assembler/CPU.cpp: - (JSC::hwL3CacheSize): - (JSC::hwPhysicalCPUMax): - * assembler/CPU.h: - (JSC::hwL3CacheSize): - (JSC::hwPhysicalCPUMax): - * heap/FreeList.h: - (JSC::FreeCell::offsetOfScrambledNext): - * heap/HeapCell.h: - (JSC::HeapCell::zap): - (JSC::HeapCell::isZapped const): - * heap/MarkedBlock.cpp: - (JSC::MarkedBlock::Handle::stopAllocating): - * heap/MarkedBlock.h: - (JSC::MarkedBlock::Handle::start const): - (JSC::MarkedBlock::Handle::end const): - (JSC::MarkedBlock::Handle::contains const): - * heap/MarkedBlockInlines.h: - (JSC::MarkedBlock::Handle::specializedSweep): - * heap/MarkedSpace.h: - (JSC::MarkedSpace::forEachSubspace): - * heap/SlotVisitor.cpp: - (JSC::SlotVisitor::appendToMarkStack): - (JSC::SlotVisitor::visitChildren): - (JSC::SlotVisitor::reportZappedCellAndCrash): - * heap/SlotVisitor.h: - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): - * runtime/Options.cpp: - (JSC::Options::initialize): - * runtime/Options.h: - * runtime/VM.cpp: - (JSC::VM::VM): - * tools/JSDollarVM.cpp: - (JSC::functionDumpSubspaceHashes): - (JSC::JSDollarVM::finishCreation): - * tools/VMInspector.cpp: - (JSC::VMInspector::dumpSubspaceHashes): - * tools/VMInspector.h: - -2019-09-03 Kocsen Chung - - Cherry-pick r248824. rdar://problem/55001142 - - [JSC] WebAssembly BBQ should switch compile mode for size of modules - https://bugs.webkit.org/show_bug.cgi?id=200807 - - Reviewed by Mark Lam. 
- - Some webpages use very large Wasm module, and it exhausts all executable memory in ARM64 devices since the size of executable memory region is 128MB. - The long term solution should be introducing Wasm interpreter. But as a short term solution, we introduce heuristics switching back to BBQ B3 at - the sacrifice of start-up time, since BBQ Air bloats such lengthy code, and thereby consumes a large amount of executable memory. - - Currently, I picked 10MB since the reported website is using 11MB wasm module. - - * runtime/Options.h: - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::parseAndCompileAir): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::compileFunctions): - * wasm/WasmModuleInformation.h: - * wasm/WasmSectionParser.cpp: - (JSC::Wasm::SectionParser::parseCode): - * wasm/WasmStreamingParser.cpp: - (JSC::Wasm::StreamingParser::parseCodeSectionSize): - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248824 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-08-17 Yusuke Suzuki - - [JSC] WebAssembly BBQ should switch compile mode for size of modules - https://bugs.webkit.org/show_bug.cgi?id=200807 - - Reviewed by Mark Lam. - - Some webpages use very large Wasm module, and it exhausts all executable memory in ARM64 devices since the size of executable memory region is 128MB. - The long term solution should be introducing Wasm interpreter. But as a short term solution, we introduce heuristics switching back to BBQ B3 at - the sacrifice of start-up time, since BBQ Air bloats such lengthy code, and thereby consumes a large amount of executable memory. - - Currently, I picked 10MB since the reported website is using 11MB wasm module. 
- - * runtime/Options.h: - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::parseAndCompileAir): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::compileFunctions): - * wasm/WasmModuleInformation.h: - * wasm/WasmSectionParser.cpp: - (JSC::Wasm::SectionParser::parseCode): - * wasm/WasmStreamingParser.cpp: - (JSC::Wasm::StreamingParser::parseCodeSectionSize): - -2019-09-03 Kocsen Chung - - Cherry-pick r248793. rdar://problem/55001191 - - [JSC] Promise.prototype.finally should accept non-promise objects - https://bugs.webkit.org/show_bug.cgi?id=200829 - - Reviewed by Mark Lam. - - JSTests: - - * stress/promise-finally-should-accept-non-promise-objects.js: Added. - (shouldBe): - (Thenable): - (Thenable.prototype.then): - - Source/JavaScriptCore: - - According to the Promise.prototype.finally spec step 2[1], we should check @isObject instead of @isPromise, - since Promise.prototype.finally should accept thenable objects that are defined by user libraries (like, bluebird for example). - This patch changes this check to the specified one. - - [1]: https://tc39.es/proposal-promise-finally/ - - * builtins/PromisePrototype.js: - (finally): - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248793 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-08-16 Yusuke Suzuki - - [JSC] Promise.prototype.finally should accept non-promise objects - https://bugs.webkit.org/show_bug.cgi?id=200829 - - Reviewed by Mark Lam. - - According to the Promise.prototype.finally spec step 2[1], we should check @isObject instead of @isPromise, - since Promise.prototype.finally should accept thenable objects that are defined by user libraries (like, bluebird for example). - This patch changes this check to the specified one. - - [1]: https://tc39.es/proposal-promise-finally/ - - * builtins/PromisePrototype.js: - (finally): - -2019-08-18 Babak Shafiei - - Cherry-pick r248800. 
rdar://problem/54454996 - - CodeBlock destructor should clear all of its watchpoints. - https://bugs.webkit.org/show_bug.cgi?id=200792 - - - Reviewed by Yusuke Suzuki. - - JSTests: - - * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added. - - Source/JavaScriptCore: - - We need to clear the watchpoints explicitly (just like we do in CodeBlock::jettison()) - because the JITCode may outlive the CodeBlock for a while. For example, the JITCode - is ref'd in Interpreter::execute(JSC::CallFrameClosure&) like so: - - JSValue result = closure.functionExecutable->generatedJITCodeForCall()->execute(&vm, closure.protoCallFrame); - - The call to generatedJITCodeForCall() returns a Ref with the underlying - JITCode ref'd. Hence, while the interpreter frame is still on the stack, the - executing JITCode instance will have a non-zero refCount, and be kept alive even - though its CodeBlock may have already been destructed. - - Note: the Interpreter execute() methods aren't the only ones who would ref the JITCode: - ExecutableBase also holds a RefPtr m_jitCodeForCall and RefPtr - m_jitCodeForConstruct. But a CodeBlock will be uninstalled before it gets destructed. - Hence, the uninstallation will deref the JITCode before we get to the CodeBlock - destructor. That said, we should be aware that a JITCode's refCount is not always - 1 after the JIT installs it into the CodeBlock, and it should not be assumed to be so. - - For this patch, I also audited all Watchpoint subclasses to ensure that we are - clearing all the relevant watchpoints in the CodeBlock destructor. Here is the - list of audited Watchpoints: - - CodeBlockJettisoningWatchpoint - AdaptiveStructureWatchpoint - AdaptiveInferredPropertyValueWatchpoint - - these are held in the DFG::CommonData, and is tied to JITCode's life cycle. - - they need to be cleared eagerly in CodeBlock's destructor. - - LLIntPrototypeLoadAdaptiveStructureWatchpoint - - stored in m_llintGetByIdWatchpointMap in the CodeBlock. 
- - this will be automatically cleared on CodeBlock destruction. - - The following does not reference CodeBlock: - - FunctionRareData::AllocationProfileClearingWatchpoint - - stored in FunctionRareData and will be cleared automatically on - FunctionRareData destruction. - - only references the owner FunctionRareData. - - ObjectToStringAdaptiveStructureWatchpoint - ObjectToStringAdaptiveInferredPropertyValueWatchpoint - - stored in StructureRareData and will be cleared automatically on - StructureRareData destruction. - - ObjectPropertyChangeAdaptiveWatchpoint - - stored in JSGlobalObject, and will be cleared automatically on - JSGlobalObject destruction. - - only references the owner JSGlobalObject. - - StructureStubClearingWatchpoint - - stored in WatchpointsOnStructureStubInfo and will be cleared automatically - on WatchpointsOnStructureStubInfo destruction. - - PropertyWatchpoint - StructureWatchpoint - - embedded in AdaptiveInferredPropertyValueWatchpointBase, which is extended - as AdaptiveInferredPropertyValueWatchpoint, ObjectPropertyChangeAdaptiveWatchpoint, - and ObjectToStringAdaptiveInferredPropertyValueWatchpoint. - - life cycle is handled by those 3 subclasses. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::~CodeBlock): - - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248800 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-08-16 Mark Lam - - CodeBlock destructor should clear all of its watchpoints. - https://bugs.webkit.org/show_bug.cgi?id=200792 - - - Reviewed by Yusuke Suzuki. - - We need to clear the watchpoints explicitly (just like we do in CodeBlock::jettison()) - because the JITCode may outlive the CodeBlock for a while. For example, the JITCode - is ref'd in Interpreter::execute(JSC::CallFrameClosure&) like so: - - JSValue result = closure.functionExecutable->generatedJITCodeForCall()->execute(&vm, closure.protoCallFrame); - - The call to generatedJITCodeForCall() returns a Ref with the underlying - JITCode ref'd. 
Hence, while the interpreter frame is still on the stack, the - executing JITCode instance will have a non-zero refCount, and be kept alive even - though its CodeBlock may have already been destructed. - - Note: the Interpreter execute() methods aren't the only ones who would ref the JITCode: - ExecutableBase also holds a RefPtr m_jitCodeForCall and RefPtr - m_jitCodeForConstruct. But a CodeBlock will be uninstalled before it gets destructed. - Hence, the uninstallation will deref the JITCode before we get to the CodeBlock - destructor. That said, we should be aware that a JITCode's refCount is not always - 1 after the JIT installs it into the CodeBlock, and it should not be assumed to be so. - - For this patch, I also audited all Watchpoint subclasses to ensure that we are - clearing all the relevant watchpoints in the CodeBlock destructor. Here is the - list of audited Watchpoints: - - CodeBlockJettisoningWatchpoint - AdaptiveStructureWatchpoint - AdaptiveInferredPropertyValueWatchpoint - - these are held in the DFG::CommonData, and is tied to JITCode's life cycle. - - they need to be cleared eagerly in CodeBlock's destructor. - - LLIntPrototypeLoadAdaptiveStructureWatchpoint - - stored in m_llintGetByIdWatchpointMap in the CodeBlock. - - this will be automatically cleared on CodeBlock destruction. - - The following does not reference CodeBlock: - - FunctionRareData::AllocationProfileClearingWatchpoint - - stored in FunctionRareData and will be cleared automatically on - FunctionRareData destruction. - - only references the owner FunctionRareData. - - ObjectToStringAdaptiveStructureWatchpoint - ObjectToStringAdaptiveInferredPropertyValueWatchpoint - - stored in StructureRareData and will be cleared automatically on - StructureRareData destruction. - - ObjectPropertyChangeAdaptiveWatchpoint - - stored in JSGlobalObject, and will be cleared automatically on - JSGlobalObject destruction. - - only references the owner JSGlobalObject. 
- - StructureStubClearingWatchpoint - - stored in WatchpointsOnStructureStubInfo and will be cleared automatically - on WatchpointsOnStructureStubInfo destruction. - - PropertyWatchpoint - StructureWatchpoint - - embedded in AdaptiveInferredPropertyValueWatchpointBase, which is extended - as AdaptiveInferredPropertyValueWatchpoint, ObjectPropertyChangeAdaptiveWatchpoint, - and ObjectToStringAdaptiveInferredPropertyValueWatchpoint. - - life cycle is handled by those 3 subclasses. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::~CodeBlock): - -2019-08-13 Alan Coon - - Cherry-pick r248271. rdar://problem/54237771 - - JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray - https://bugs.webkit.org/show_bug.cgi?id=199997 - - Reviewed by Saam Barati. - - JSTests: - - New test. - - * stress/typedarray-no-alreadyChecked-assert.js: Added. - (checkIntArray): - (checkFloatArray): - - Source/JavaScriptCore: - - No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray() - and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a - CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array - and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where - it won't be set. 
- + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + (JSC::DFG::ByteCodeParser::inliningCost): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGOSREntrypointCreationPhase.cpp: + (JSC::DFG::OSREntrypointCreationPhase::run): * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): - (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248271 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-08-05 Michael Saboff - - JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray - https://bugs.webkit.org/show_bug.cgi?id=199997 - - Reviewed by Saam Barati. - - No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray() - and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a - CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array - and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where - it won't be set. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): - (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): - -2019-08-13 Alan Coon - - Cherry-pick r248149. rdar://problem/54237692 - - GetterSetter type confusion during DFG compilation - https://bugs.webkit.org/show_bug.cgi?id=199903 - - Reviewed by Mark Lam. - - JSTests: - - * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added. - - Source/JavaScriptCore: - - In AI, we are strongly assuming that GetGetter's child constant value should be GetterSetter if it exists. - However, this can be wrong since nobody ensures that. AI assumed so because the control-flow and preceding - CheckStructure ensures that. But this preceding check can be eliminated if the node becomes (at runtime) unreachable. - - Let's consider the following graph. 
- - 129: PutByOffset(KnownCell:@115, KnownCell:@115, Check:Untyped:@124, MustGen, id5{length}, 0, W:NamedProperties(5), ClobbersExit, bc#154, ExitValid) - 130: PutStructure(KnownCell:@115, MustGen, %C8:Object -> %C3:Object, ID:7726, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#154, ExitInvalid) - ... - 158: GetLocal(Check:Untyped:@197, JS|MustGen|UseAsOther, Final, loc7(R/FlushedCell), R:Stack(-8), bc#187, ExitValid) predicting Final - 210:< 1:-> DoubleRep(Check:NotCell:@158, Double|PureInt, BytecodeDouble, Exits, bc#187, ExitValid) - ... - 162: CheckStructure(Cell:@158, MustGen, [%Ad:Object], R:JSCell_structureID, Exits, bc#192, ExitValid) - 163:< 1:-> GetGetterSetterByOffset(KnownCell:@158, KnownCell:@158, JS|UseAsOther, OtherCell, id5{length}, 0, R:NamedProperties(5), Exits, bc#192, ExitValid) - 164:< 1:-> GetGetter(KnownCell:@163, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid) - - At @163 and @164, AI proves that @158's AbstractValue is None because @210's edge filters out Cells @158 is a cell. But we do not invalidate graph status as "Invalid" even if edge filters out all possible value. - This is because the result of edge can be None in a valid program. For example, we can put a dependency edge between a consuming node and a producing node, where the producing node is just like a check and it - does not produce a value actually. So, @163 and @164 are not invalidated. This is totally fine in our compiler pipeline right now. - - But after that, global CSE phase found that @115 and @158 are same and @129 dominates @158. As a result, we can replace GetGetter child's @163 with @124. Since CheckStructure is already removed (and now, at runtime, - @163 and @164 are never executed), we do not have any structure guarantee on @158 and the result of @163. This means that @163's CSE result can be non-GetterSetter value. 
- - 124:< 2:-> JSConstant(JS|UseAsOther, Final, Weak:Object: 0x1199e82a0 with butterfly 0x0 (Structure %B4:Object), StructureID: 49116, bc#0, ExitValid) - ... - 126:< 2:-> GetGetter(KnownCell:Kill:@124, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid) - - AI filters out @124's non-cell values. But @126 can get non-GetterSetter cell at AI phase. But our AI code is like the following. - - JSValue base = forNode(node->child1()).m_value; - if (base) { - GetterSetter* getterSetter = jsCast(base); - ... - - Then, jsCast casts the above object with GetterSetter accidentally. - - In general, DFG AI can get a proven constant value, which could not be shown at runtime. This happens if the processing node is unreachable at runtime while the graph is not invalid yet, because preceding edge - filters already filter out all the possible execution. DFG AI already considered about this possibility, and it attempts to fold a node into a constant only when the constant input matches against the expected one. - But several DFG nodes are not handling this correctly: GetGetter, GetSetter, and SkipScope. - - In this patch, we use `jsDynamicCast` to ensure that the constant input matches against the expected (foldable) one, and fold it only when the expectation is met. - We also remove DFG::Node::castConstant and its use. We should not rely on the constant folded value based on graph's control-flow. - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGNode.h: - (JSC::DFG::Node::castConstant): Deleted. 
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes): * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation): + (JSC::FTL::DFG::LowerDFGToB3::lower): + * ftl/FTLOSREntry.cpp: + (JSC::FTL::prepareOSREntry): + * interpreter/CallFrameClosure.h: + * interpreter/ProtoCallFrameInlines.h: + (JSC::ProtoCallFrame::init): + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + * runtime/CommonSlowPaths.h: + (JSC::CommonSlowPaths::numberOfStackPaddingSlots): + (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots): + * wasm/WasmFunctionCodeBlock.h: + (JSC::Wasm::FunctionCodeBlock::numVars const): + (JSC::Wasm::FunctionCodeBlock::numCalleeLocals const): + (JSC::Wasm::FunctionCodeBlock::setNumVars): + (JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals): + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::push): + (JSC::Wasm::LLIntGenerator::getDropKeepCount): + (JSC::Wasm::LLIntGenerator::walkExpressionStack): + (JSC::Wasm::LLIntGenerator::checkConsistency): + (JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals): + (JSC::Wasm::LLIntGenerator::splitStack): + (JSC::Wasm::LLIntGenerator::finalize): + (JSC::Wasm::LLIntGenerator::callInformationForCaller): + (JSC::Wasm::LLIntGenerator::addLoop): + (JSC::Wasm::LLIntGenerator::addTopLevel): + (JSC::Wasm::LLIntGenerator::addBlock): + (JSC::Wasm::LLIntGenerator::addIf): + (JSC::Wasm::LLIntGenerator::addElseToUnreachable): - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248149 268f45cc-cd09-0410-ab3c-d52691b4dbfc + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276609 268f45cc-cd09-0410-ab3c-d52691b4dbfc - 2019-08-01 Yusuke Suzuki + 2021-04-26 Keith Miller - GetterSetter type confusion during DFG compilation - https://bugs.webkit.org/show_bug.cgi?id=199903 + numCalleeLocals, numParameters, and numVars should be unsigned + https://bugs.webkit.org/show_bug.cgi?id=224995 Reviewed by Mark Lam. 
- In AI, we are strongly assuming that GetGetter's child constant value should be GetterSetter if it exists. - However, this can be wrong since nobody ensures that. AI assumed so because the control-flow and preceding - CheckStructure ensures that. But this preceding check can be eliminated if the node becomes (at runtime) unreachable. + All of the various CodeBlock classes currently have the + numCalleeLocals and numVars marked as ints. I believe this is just + a historical artifact or because VirtualRegister's offset is an + int to make handling constants easier. Regardless, it's a bit + strange to not handle the sign conversion at the point of + comparison between a VirtualRegister offset and the local/var + count. This doesn't completely fix every place we use ints for + these values but starts on the right track. Lastly, I also added + some Checks to the wasm parser for sanity checking. - Let's consider the following graph. - - 129: PutByOffset(KnownCell:@115, KnownCell:@115, Check:Untyped:@124, MustGen, id5{length}, 0, W:NamedProperties(5), ClobbersExit, bc#154, ExitValid) - 130: PutStructure(KnownCell:@115, MustGen, %C8:Object -> %C3:Object, ID:7726, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#154, ExitInvalid) - ... - 158: GetLocal(Check:Untyped:@197, JS|MustGen|UseAsOther, Final, loc7(R/FlushedCell), R:Stack(-8), bc#187, ExitValid) predicting Final - 210:< 1:-> DoubleRep(Check:NotCell:@158, Double|PureInt, BytecodeDouble, Exits, bc#187, ExitValid) - ... 
- 162: CheckStructure(Cell:@158, MustGen, [%Ad:Object], R:JSCell_structureID, Exits, bc#192, ExitValid) - 163:< 1:-> GetGetterSetterByOffset(KnownCell:@158, KnownCell:@158, JS|UseAsOther, OtherCell, id5{length}, 0, R:NamedProperties(5), Exits, bc#192, ExitValid) - 164:< 1:-> GetGetter(KnownCell:@163, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid) - - At @163 and @164, AI proves that @158's AbstractValue is None because @210's edge filters out Cells @158 is a cell. But we do not invalidate graph status as "Invalid" even if edge filters out all possible value. - This is because the result of edge can be None in a valid program. For example, we can put a dependency edge between a consuming node and a producing node, where the producing node is just like a check and it - does not produce a value actually. So, @163 and @164 are not invalidated. This is totally fine in our compiler pipeline right now. - - But after that, global CSE phase found that @115 and @158 are same and @129 dominates @158. As a result, we can replace GetGetter child's @163 with @124. Since CheckStructure is already removed (and now, at runtime, - @163 and @164 are never executed), we do not have any structure guarantee on @158 and the result of @163. This means that @163's CSE result can be non-GetterSetter value. - - 124:< 2:-> JSConstant(JS|UseAsOther, Final, Weak:Object: 0x1199e82a0 with butterfly 0x0 (Structure %B4:Object), StructureID: 49116, bc#0, ExitValid) - ... - 126:< 2:-> GetGetter(KnownCell:Kill:@124, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid) - - AI filters out @124's non-cell values. But @126 can get non-GetterSetter cell at AI phase. But our AI code is like the following. - - - JSValue base = forNode(node->child1()).m_value; - if (base) { - GetterSetter* getterSetter = jsCast(base); - ... - - Then, jsCast casts the above object with GetterSetter accidentally. 
- - In general, DFG AI can get a proven constant value, which could not be shown at runtime. This happens if the processing node is unreachable at runtime while the graph is not invalid yet, because preceding edge - filters already filter out all the possible execution. DFG AI already considered about this possibility, and it attempts to fold a node into a constant only when the constant input matches against the expected one. - But several DFG nodes are not handling this correctly: GetGetter, GetSetter, and SkipScope. - - In this patch, we use `jsDynamicCast` to ensure that the constant input matches against the expected (foldable) one, and fold it only when the expectation is met. - We also remove DFG::Node::castConstant and its use. We should not rely on the constant folded value based on graph's control-flow. - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGNode.h: - (JSC::DFG::Node::castConstant): Deleted. - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation): - -2019-08-12 Alan Coon - - Apply patch. rdar://problem/54171876 - - 2019-08-12 Maciej Stachowiak - - Branch build fix for r248494 - - * runtime/ClassInfo.h: METHOD_TABLE_ENTRY was called WTF_METHOD_TABLE_ENTRY on the branch. - -2019-08-12 Alan Coon - - Cherry-pick r248494. rdar://problem/54171876 - - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive - https://bugs.webkit.org/show_bug.cgi?id=199864 - - Reviewed by Saam Barati. - - Source/JavaScriptCore: - - Our JSObject::put implementation is not correct in term of the spec. Our [[Put]] implementation is something like this. 
- - JSObject::put(object): - if (can-do-fast-path(object)) - return fast-path(object); - // slow-path - do { - object-put-check-and-setter-calls(object); // (1) - object = object->prototype; - } while (is-object(object)); - return do-put(object); - - Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding - extra checks to this put. - - Derived::put(object): - if (do-extra-check(object)) - fail - return JSObject::put(object) - - The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in - JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is Derived one. This means that - we skip the check. - - Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to - perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot - does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and - Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves - large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot. - - To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects - that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject. - When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks. - - Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1]. 
- - [1]: https://bugs.webkit.org/show_bug.cgi?id=200562 - - * runtime/ClassInfo.h: - * runtime/JSCJSValue.cpp: - (JSC::JSValue::putToPrimitive): - * runtime/JSCell.cpp: - (JSC::JSCell::doPutPropertySecurityCheck): - * runtime/JSCell.h: - * runtime/JSObject.cpp: - (JSC::JSObject::putInlineSlow): - (JSC::JSObject::getOwnPropertyDescriptor): - * runtime/JSObject.h: - (JSC::JSObject::doPutPropertySecurityCheck): - * runtime/JSTypeInfo.h: - (JSC::TypeInfo::hasPutPropertySecurityCheck const): - - Source/WebCore: - - Test: http/tests/security/cross-frame-access-object-put-optimization.html - - * bindings/js/JSDOMWindowCustom.cpp: - (WebCore::JSDOMWindow::doPutPropertySecurityCheck): - * bindings/js/JSLocationCustom.cpp: - (WebCore::JSLocation::doPutPropertySecurityCheck): - * bindings/scripts/CodeGeneratorJS.pm: - (GenerateHeader): - * bindings/scripts/test/JS/JSTestActiveDOMObject.h: - - LayoutTests: - - * http/tests/security/cross-frame-access-object-put-optimization-expected.txt: Added. - * http/tests/security/cross-frame-access-object-put-optimization.html: Added. - * http/tests/security/resources/cross-frame-iframe-for-object-put-optimization-test.html: Added. - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248494 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-08-09 Yusuke Suzuki - - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive - https://bugs.webkit.org/show_bug.cgi?id=199864 - - Reviewed by Saam Barati. - - Our JSObject::put implementation is not correct in term of the spec. Our [[Put]] implementation is something like this. - - JSObject::put(object): - if (can-do-fast-path(object)) - return fast-path(object); - // slow-path - do { - object-put-check-and-setter-calls(object); // (1) - object = object->prototype; - } while (is-object(object)); - return do-put(object); - - Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding - extra checks to this put. 
- - Derived::put(object): - if (do-extra-check(object)) - fail - return JSObject::put(object) - - The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in - JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is Derived one. This means that - we skip the check. - - Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to - perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot - does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and - Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves - large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot. - - To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects - that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject. - When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks. - - Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1]. 
- - [1]: https://bugs.webkit.org/show_bug.cgi?id=200562 - - * runtime/ClassInfo.h: - * runtime/JSCJSValue.cpp: - (JSC::JSValue::putToPrimitive): - * runtime/JSCell.cpp: - (JSC::JSCell::doPutPropertySecurityCheck): - * runtime/JSCell.h: - * runtime/JSObject.cpp: - (JSC::JSObject::putInlineSlow): - (JSC::JSObject::getOwnPropertyDescriptor): - * runtime/JSObject.h: - (JSC::JSObject::doPutPropertySecurityCheck): - * runtime/JSTypeInfo.h: - (JSC::TypeInfo::hasPutPropertySecurityCheck const): - -2019-08-12 Alan Coon - - Cherry-pick r248027. rdar://problem/53836556 - - [JSC] Emit write barrier after storing instead of before storing - https://bugs.webkit.org/show_bug.cgi?id=200193 - - Reviewed by Saam Barati. - - I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers. - - 1. Some write-barriers are emitted before stores happen - - Some code like LazyProperty emits write-barrier before we store the value. This is wrong since JSC has concurrent collector. Let's consider the situation like this. - - 1. Cell "A" is not marked yet - 2. Write-barrier is emitted onto "A" - 3. Concurrent collector scans "A" - 4. Store to "A"'s field happens - 5. (4)'s field is not rescaned - - We should emit write-barrier after stores. This patch places write-barriers after stores happen. - - 2. Should emit write-barrier after the stored fields are reachable from the owner. - - We have code that is logically the same to the following. - - ``` - auto data = std::make_unique(); - data->m_field.set(vm, owner, value); - - storeStoreBarrier(); - owner->m_data = WTFMove(data); - ``` - - This is not correct. When write-barrier is emitted, the owner cannot reach to the field that is stored. - The actual example is AccessCase. We are emitting write-barriers with owner when creating AccessCase, but this is not - effective until this AccessCase is chained to StructureStubInfo, which is reachable from CodeBlock. 
- - I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock. - But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called. - - Speculative GC fix, it was hard to reproduce the crash since we need to control concurrent collector and main thread's scheduling in an instruction-level. - - * bytecode/BytecodeList.rb: - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finishCreation): - * bytecode/StructureStubInfo.cpp: - (JSC::StructureStubInfo::addAccessCase): - * bytecode/StructureStubInfo.h: - (JSC::StructureStubInfo::considerCaching): - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): - * jit/JITOperations.cpp: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - (JSC::LLInt::setupGetByIdPrototypeCache): - * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - * runtime/LazyPropertyInlines.h: - (JSC::ElementType>::setMayBeNull): - * runtime/RegExpCachedResult.h: - (JSC::RegExpCachedResult::record): - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248027 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-07-30 Yusuke Suzuki - - [JSC] Emit write barrier after storing instead of before storing - https://bugs.webkit.org/show_bug.cgi?id=200193 - - Reviewed by Saam Barati. - - I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers. - - 1. Some write-barriers are emitted before stores happen - - Some code like LazyProperty emits write-barrier before we store the value. This is wrong since JSC has concurrent collector. Let's consider the situation like this. - - 1. Cell "A" is not marked yet - 2. Write-barrier is emitted onto "A" - 3. Concurrent collector scans "A" - 4. Store to "A"'s field happens - 5. 
(4)'s field is not rescaned - - We should emit write-barrier after stores. This patch places write-barriers after stores happen. - - 2. Should emit write-barrier after the stored fields are reachable from the owner. - - We have code that is logically the same to the following. - - ``` - auto data = std::make_unique(); - data->m_field.set(vm, owner, value); - - storeStoreBarrier(); - owner->m_data = WTFMove(data); - ``` - - This is not correct. When write-barrier is emitted, the owner cannot reach to the field that is stored. - The actual example is AccessCase. We are emitting write-barriers with owner when creating AccessCase, but this is not - effective until this AccessCase is chained to StructureStubInfo, which is reachable from CodeBlock. - - I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock. - But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called. - - Speculative GC fix, it was hard to reproduce the crash since we need to control concurrent collector and main thread's scheduling in an instruction-level. 
- - * bytecode/BytecodeList.rb: * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finishCreation): - * bytecode/StructureStubInfo.cpp: - (JSC::StructureStubInfo::addAccessCase): - * bytecode/StructureStubInfo.h: - (JSC::StructureStubInfo::considerCaching): - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): - * jit/JITOperations.cpp: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - (JSC::LLInt::setupGetByIdPrototypeCache): - * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - * runtime/LazyPropertyInlines.h: - (JSC::ElementType>::setMayBeNull): - * runtime/RegExpCachedResult.h: - (JSC::RegExpCachedResult::record): + (JSC::CodeBlock::setNumParameters): + (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::numParameters const): + (JSC::CodeBlock::numberOfArgumentsToSkip const): + (JSC::CodeBlock::numCalleeLocals const): + (JSC::CodeBlock::numVars const): + (JSC::CodeBlock::numTmps const): + (JSC::CodeBlock::addressOfNumParameters): + (JSC::CodeBlock::isTemporaryRegister): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::numCalleeLocals const): + (JSC::UnlinkedCodeBlock::numVars const): + * bytecode/UnlinkedCodeBlockGenerator.h: + (JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const): + (JSC::UnlinkedCodeBlockGenerator::numVars const): + (JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals): + (JSC::UnlinkedCodeBlockGenerator::setNumVars): + (JSC::UnlinkedCodeBlockGenerator::setNumParameters): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::emitPushFunctionNameScope): + * bytecompiler/BytecodeGeneratorBaseInlines.h: + (JSC::BytecodeGeneratorBase::newRegister): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + (JSC::DFG::ByteCodeParser::inliningCost): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGOSREntrypointCreationPhase.cpp: + 
(JSC::DFG::OSREntrypointCreationPhase::run):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ * ftl/FTLOSREntry.cpp:
+ (JSC::FTL::prepareOSREntry):
+ * interpreter/CallFrameClosure.h:
+ * interpreter/ProtoCallFrameInlines.h:
+ (JSC::ProtoCallFrame::init):
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
+ (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
+ * wasm/WasmFunctionCodeBlock.h:
+ (JSC::Wasm::FunctionCodeBlock::numVars const):
+ (JSC::Wasm::FunctionCodeBlock::numCalleeLocals const):
+ (JSC::Wasm::FunctionCodeBlock::setNumVars):
+ (JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals):
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::push):
+ (JSC::Wasm::LLIntGenerator::getDropKeepCount):
+ (JSC::Wasm::LLIntGenerator::walkExpressionStack):
+ (JSC::Wasm::LLIntGenerator::checkConsistency):
+ (JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals):
+ (JSC::Wasm::LLIntGenerator::splitStack):
+ (JSC::Wasm::LLIntGenerator::finalize):
+ (JSC::Wasm::LLIntGenerator::callInformationForCaller):
+ (JSC::Wasm::LLIntGenerator::addLoop):
+ (JSC::Wasm::LLIntGenerator::addTopLevel):
+ (JSC::Wasm::LLIntGenerator::addBlock):
+ (JSC::Wasm::LLIntGenerator::addIf):
+ (JSC::Wasm::LLIntGenerator::addElseToUnreachable):
-2019-08-09 Alan Coon
+2021-04-23 Ruben Turcios
- Cherry-pick r248462. rdar://problem/54144119
+ Cherry-pick r276527. rdar://problem/77091667
- [Win] Fix internal build
- https://bugs.webkit.org/show_bug.cgi?id=200519
+ [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers
+ https://bugs.webkit.org/show_bug.cgi?id=224983
- Reviewed by Alex Christensen.
+ Reviewed by Mark Lam.
- Source/JavaScriptCore: + When we backtrack a parentheses with a greedy non zero based quantifier, + we don't properly restore for the case where we hadn't reached the minimum count. + We now save the input position on entry and restore it when we backtrack for + this case. We also properly release the allocated ParenthesesDisjunctionContext's. - The script 'generate-js-builtins.py' cannot be found when building WebCore. Copy the JavaScriptCore Scripts - folder after building JSC. - - * JavaScriptCore.vcxproj/JavaScriptCore.proj: - - Source/WebKitLegacy/win: - - Switch to the String::wideCharacers method, since its return type is compatible with the Win32 api. - - * WebDownloadCFNet.cpp: - (WebDownload::didFinish): + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::matchParentheses): + (JSC::Yarr::Interpreter::backtrackParentheses): - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248462 268f45cc-cd09-0410-ab3c-d52691b4dbfc + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276527 268f45cc-cd09-0410-ab3c-d52691b4dbfc - 2019-08-08 Per Arne Vollan + 2021-04-23 Michael Saboff - [Win] Fix internal build - https://bugs.webkit.org/show_bug.cgi?id=200519 + [YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers + https://bugs.webkit.org/show_bug.cgi?id=224983 - Reviewed by Alex Christensen. + Reviewed by Mark Lam. - The script 'generate-js-builtins.py' cannot be found when building WebCore. Copy the JavaScriptCore Scripts - folder after building JSC. + When we backtrack a parentheses with a greedy non zero based quantifier, + we don't properly restore for the case where we hadn't reached the minimum count. + We now save the input position on entry and restore it when we backtrack for + this case. We also properly release the allocated ParenthesesDisjunctionContext's. 
- * JavaScriptCore.vcxproj/JavaScriptCore.proj: + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::matchParentheses): + (JSC::Yarr::Interpreter::backtrackParentheses): -2019-08-06 Alan Coon +2021-04-23 Ruben Turcios - Apply patch. rdar://problem/53992160 + Cherry-pick r276524. rdar://problem/77089783 - 2019-08-06 Per Arne Vollan - - [Win] Fix AppleWin build - https://bugs.webkit.org/show_bug.cgi?id=200414 - - Reviewed by Brent Fulgham. - - * CMakeLists.txt: - * PlatformWin.cmake: - * shell/CMakeLists.txt: - -2019-07-29 Alan Coon - - Cherry-pick r247714. rdar://problem/53647616 - - [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up - https://bugs.webkit.org/show_bug.cgi?id=200024 + Fix B3 strength reduction for shl. + https://bugs.webkit.org/show_bug.cgi?id=224913 + rdar://76978874 - Reviewed by Saam Barati. + Reviewed by Michael Saboff. - Source/bmalloc: + If the operation can potentially either underflow or overflow, then the result + can be any value. - When we allocate IsoHeap's page, we reused VMHeap::tryAllocateLargeChunk. However, this function is originally designed - to be used for Large allocation in bmalloc (e.g. allocating Chunk in bmalloc). As a result, this function rounds up the - requested size with 1MB (bmalloc::chunkSize). As a result, all IsoHeap's 16KB page gets 1MB VA while it just uses 16KB of - the allocated region. This leads to VA exhaustion since IsoHeap now uses 64x VA than we expected! - - This patch fixes the above VA exhaustion issue by allocating a page by using tryVMAllocate. When allocating a page, we start - using a VM tag for IsoHeap. We discussed at e-mail and we decided reusing a VM tag previously assigned to CLoop Stack since - this is less profitable. Since this tag is not Malloc-related tag, Leaks tool can scan memory region conservatively without - registering allocated region into Zone, which was previously done in VMHeap and that's why we reused VMHeap for IsoHeap. 
- - * bmalloc/BVMTags.h: - * bmalloc/IsoPage.cpp: - (bmalloc::IsoPageBase::allocatePageMemory): - * bmalloc/IsoTLS.cpp: - (bmalloc::IsoTLS::ensureEntries): - * bmalloc/VMAllocate.h: - (bmalloc::vmAllocate): - - Source/JavaScriptCore: - - Discussed and we decided to use this VM tag for IsoHeap instead of CLoop stack. - - * interpreter/CLoopStack.cpp: - (JSC::CLoopStack::CLoopStack): - - Source/WebCore: - - Changed how we interpret VM tags. Add IsoHeap VM tag support, and rename WebAssembly tag - to Gigacage tag. - - * page/ResourceUsageData.h: - * page/ResourceUsageOverlay.h: - * page/cocoa/ResourceUsageOverlayCocoa.mm: - (WebCore::HistoricResourceUsageData::HistoricResourceUsageData): - * page/cocoa/ResourceUsageThreadCocoa.mm: - (WebCore::displayNameForVMTag): - (WebCore::categoryForVMTag): - - Source/WTF: - - Start using a VM tag for IsoHeap instead of CLoop Stack. - - * wtf/OSAllocator.h: - * wtf/VMTags.h: - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247714 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-07-22 Yusuke Suzuki - - [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up - https://bugs.webkit.org/show_bug.cgi?id=200024 - - Reviewed by Saam Barati. - - Discussed and we decided to use this VM tag for IsoHeap instead of CLoop stack. - - * interpreter/CLoopStack.cpp: - (JSC::CLoopStack::CLoopStack): - -2019-07-29 Alan Coon - - Cherry-pick r247713. rdar://problem/53648241 - - Turn off Wasm fast memory on iOS - https://bugs.webkit.org/show_bug.cgi?id=200016 - - - Reviewed by Yusuke Suzuki. - - We turned them on when we disabled Gigacage on iOS. However, we re-enabled - Gigacage on iOS, but forgot to turn wasm fast memories back off. 
- - * runtime/Options.h: + * b3/B3ReduceStrength.cpp: - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247713 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276524 268f45cc-cd09-0410-ab3c-d52691b4dbfc - 2019-07-22 Saam Barati + 2021-04-23 Mark Lam - Turn off Wasm fast memory on iOS - https://bugs.webkit.org/show_bug.cgi?id=200016 - + Fix B3 strength reduction for shl. + https://bugs.webkit.org/show_bug.cgi?id=224913 + rdar://76978874 - Reviewed by Yusuke Suzuki. + Reviewed by Michael Saboff. - We turned them on when we disabled Gigacage on iOS. However, we re-enabled - Gigacage on iOS, but forgot to turn wasm fast memories back off. + If the operation can potentially either underflow or overflow, then the result + can be any value. - * runtime/Options.h: + * b3/B3ReduceStrength.cpp: -2019-07-29 Alan Coon +2021-04-23 Russell Epstein - Cherry-pick r247703. rdar://problem/53647465 + Cherry-pick r276324. rdar://problem/77086404 - [JSC] Make DFG Local CSE and AI conservative for huge basic block - https://bugs.webkit.org/show_bug.cgi?id=199929 - + FullGCActivityCallback should use the percentage of pages uncompressed in RAM to determine deferral. + https://bugs.webkit.org/show_bug.cgi?id=224817 Reviewed by Filip Pizlo. - In CNN page, the main thread hangs several seconds. On less-powerful devices (like iPhone7), it hangs for ~11 seconds. This is not an acceptable behavior. - The reason of this is that the DFG compiler takes too long time in the compilation for a particular function. It takes 8765 ms even in powerful x64 machine! - DFG compiler is concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler's stop. - DFG compiler stops at GC safepoints, and they are inserted between DFG phases. So, if some of DFG phases take very long time, the main thread is blocked during that. 
- As a result, the main thread is blocked due to this pathological compilation. - - By measuring the time taken in each DFG phase, we found that our AI and CSE phase have a problem having quadratic complexity for # of DFG nodes in a basic block. - In this patch, we add a threshold for # of DFG nodes in a basic block. If a basic block exceeds this threshold, we use conservative but O(1) algorithm for AI and Local CSE phase. - We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling the large functions. But on the other hand, - DFG should compile them because DFG is intended to be a fast compiler even for a bit larger CodeBlock. - - We first attempted to reduce the threshold for DFG compilation. We are using 100000 bytecode cost for DFG compilation and it is very large. However, we found that bytecode cost - is not the problem in CNN page. The problematic function has 67904 cost, and it takes 8765 ms in x64 machine. However, JetStream2/octane-zlib has 61949 function and it only takes - ~400 ms. This difference comes from the # of DFG nodes in a basic block. The problematic function has 43297 DFG nodes in one basic block and it makes AI and Local CSE super time-consuming. - Rather than relying on the bytecode cost which a bit indirectly related to this pathological compile-time, we should look into # of DFG nodes in a basic block which is more directly - related to this problem. And we also found that 61949's Octane-zlib function is very critical for performance. This fact makes a bit hard to pick a right threshold: 67904 causes the problem, - and 61949 must be compiled. This is why this patch is introducing conservative analysis instead of adjusting the threshold for DFG. - - This patch has two changes. - - 1. 
DFG AI has structure transition tracking which has quadratic complexity - - Structure transition tracking takes very long time since its complexity is O(N^2) where N is # of DFG nodes in a basic block. - CNN has very pathological script and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm. - For now, we just say "structures are clobbered" if # of DFG nodes in a basic block exceeds the threshold (20000). - We could improve the current algorithm from O(N^2) to O(2N) without being conservative, and I'm tracking this in [1]. - - 2. DFG Local CSE has quadratic complexity - - Local CSE's clobbering iterates all the impure heap values to remove the clobbered one. Since # of impure heap values tend to be proportional to # of DFG nodes we visited, - each CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface to LargeMap and SmallMap in CSE, but its clobbering - implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. For now, we do not see such a huge basic block in - JetStream2 and Speedometer2 so I'll track it in a separate bug[2]. - - This patch reduces the compilation time from ~11 seconds to ~200 ms. - - [1]: https://bugs.webkit.org/show_bug.cgi?id=199959 - [2]: https://bugs.webkit.org/show_bug.cgi?id=200014 - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::observeTransition): - (JSC::DFG::AbstractInterpreter::observeTransitions): - * dfg/DFGCSEPhase.cpp: - * runtime/Options.h: - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247703 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-07-20 Yusuke Suzuki - - [JSC] Make DFG Local CSE and AI conservative for huge basic block - https://bugs.webkit.org/show_bug.cgi?id=199929 - - - Reviewed by Filip Pizlo. - - In CNN page, the main thread hangs several seconds. On less-powerful devices (like iPhone7), it hangs for ~11 seconds. 
This is not an acceptable behavior. - The reason of this is that the DFG compiler takes too long time in the compilation for a particular function. It takes 8765 ms even in powerful x64 machine! - DFG compiler is concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler's stop. - DFG compiler stops at GC safepoints, and they are inserted between DFG phases. So, if some of DFG phases take very long time, the main thread is blocked during that. - As a result, the main thread is blocked due to this pathological compilation. - - By measuring the time taken in each DFG phase, we found that our AI and CSE phase have a problem having quadratic complexity for # of DFG nodes in a basic block. - In this patch, we add a threshold for # of DFG nodes in a basic block. If a basic block exceeds this threshold, we use conservative but O(1) algorithm for AI and Local CSE phase. - We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling the large functions. But on the other hand, - DFG should compile them because DFG is intended to be a fast compiler even for a bit larger CodeBlock. - - We first attempted to reduce the threshold for DFG compilation. We are using 100000 bytecode cost for DFG compilation and it is very large. However, we found that bytecode cost - is not the problem in CNN page. The problematic function has 67904 cost, and it takes 8765 ms in x64 machine. However, JetStream2/octane-zlib has 61949 function and it only takes - ~400 ms. This difference comes from the # of DFG nodes in a basic block. The problematic function has 43297 DFG nodes in one basic block and it makes AI and Local CSE super time-consuming. - Rather than relying on the bytecode cost which a bit indirectly related to this pathological compile-time, we should look into # of DFG nodes in a basic block which is more directly - related to this problem. 
And we also found that 61949's Octane-zlib function is very critical for performance. This fact makes a bit hard to pick a right threshold: 67904 causes the problem, - and 61949 must be compiled. This is why this patch is introducing conservative analysis instead of adjusting the threshold for DFG. - - This patch has two changes. - - 1. DFG AI has structure transition tracking which has quadratic complexity - - Structure transition tracking takes very long time since its complexity is O(N^2) where N is # of DFG nodes in a basic block. - CNN has very pathological script and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm. - For now, we just say "structures are clobbered" if # of DFG nodes in a basic block exceeds the threshold (20000). - We could improve the current algorithm from O(N^2) to O(2N) without being conservative, and I'm tracking this in [1]. - - 2. DFG Local CSE has quadratic complexity - - Local CSE's clobbering iterates all the impure heap values to remove the clobbered one. Since # of impure heap values tend to be proportional to # of DFG nodes we visited, - each CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface to LargeMap and SmallMap in CSE, but its clobbering - implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. For now, we do not see such a huge basic block in - JetStream2 and Speedometer2 so I'll track it in a separate bug[2]. - - This patch reduces the compilation time from ~11 seconds to ~200 ms. - - [1]: https://bugs.webkit.org/show_bug.cgi?id=199959 - [2]: https://bugs.webkit.org/show_bug.cgi?id=200014 - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::observeTransition): - (JSC::DFG::AbstractInterpreter::observeTransitions): - * dfg/DFGCSEPhase.cpp: - * runtime/Options.h: - -2019-07-24 Alan Coon - - Apply patch. 
rdar://problem/53483188 - - Disable ENABLE_LAYOUT_FORMATTING_CONTEXT https://bugs.webkit.org/show_bug.cgi?id=200038 - - Reviewed by Zalan Bujtas. - - This feature is not complete. It is enabled for the trunk, but needs - to be disabled in branches for shipping products. - Source/JavaScriptCore: - * Configurations/FeatureDefines.xcconfig: + Right now we try to determine if too many pages are paged out by + dereferencing them and bailing out of the GC if we go over a + deadline. While this works if the only goal is to avoid causing + extensive thrashing on spinny disks (HDD), it doesn't prevent + thrashing when access to disk is fast (e.g. SSD). This is because + on fast disks the proportional time to load the memory from disk + is much lower. Additionally, on SSDs in particular we don't want + to load the pages into RAM then bail as that will force a + different page onto disk, increasing wear. - Source/WebCore: + This patch switches to asking the OS if each MarkedBlock is paged + out. Then if we are over a threshold we wait until we would have + GC'd anyway. This patch uses the (maxVMGrowthFactor - 1) as the + percentage of "slow" pages (paged out or compressed) needed to + defer the GC. The idea behind that threshold is that if we add + that many pages then the same number of pages would be forced + out of RAM for us to do a GC anyway (in the limit). - No new tests -- this change does not add any new functionality. - - * Configurations/FeatureDefines.xcconfig: - - Source/WebCore/PAL: - - * Configurations/FeatureDefines.xcconfig: + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::updatePercentageOfPagedOutPages): + (JSC::BlockDirectory::isPagedOut): Deleted. 
+ * heap/BlockDirectory.h: + * heap/FullGCActivityCallback.cpp: + (JSC::FullGCActivityCallback::doCollection): + * heap/Heap.cpp: + (JSC::Heap::isPagedOut): + * heap/Heap.h: + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::isPagedOut): + * heap/MarkedSpace.h: + * runtime/OptionsList.h: Source/WebKit: - * Configurations/FeatureDefines.xcconfig: + Add mincore to the acceptable syscall list. - Source/WebKitLegacy/mac: + * WebProcess/com.apple.WebProcess.sb.in: - * Configurations/FeatureDefines.xcconfig: + Source/WTF: - Tools: + Add a noexcept flavor of FunctionTraits. On Linux mincore (and probably other syscalls) are marked noexcept so the existing overloads don't work. - * TestWebKitAPI/Configurations/FeatureDefines.xcconfig: + * wtf/FunctionTraits.h: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276324 268f45cc-cd09-0410-ab3c-d52691b4dbfc - 2019-07-23 Keith Rollin + 2021-04-20 Keith Miller - Disable ENABLE_LAYOUT_FORMATTING_CONTEXT - https://bugs.webkit.org/show_bug.cgi?id=200038 - - - Reviewed by Zalan Bujtas. - - This feature is not complete. It is enabled for the trunk, but needs - to be disabled in branches for shipping products. - - * Configurations/FeatureDefines.xcconfig: - -2019-07-17 Kocsen Chung - - Cherry-pick r247532. rdar://problem/53228435 - - ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds. - https://bugs.webkit.org/show_bug.cgi?id=199821 - - - Reviewed by Filip Pizlo. - - JSTests: - - * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added. - - Source/JavaScriptCore: - - Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal - nodes in the SSAConversionPhase. SetLocal nodes are always preceded by MovHint nodes, - and the SSAConversionPhase always inserts a KillStack node before a MovHint node. - Hence, a PutStack node is always preceded by a KillStack node. 
- - However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series - of one or more PutStacks nodes, and it prepends MovHint nodes before the PutStack - nodes. However, it neglects to prepend KillStack nodes as well. Since the - ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes - added during ArgumentsElimination will not be preceded by KillStack nodes. - - This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase - before it inserts a MovHint and a PutStack node. - - Consider this test case which can manifest the above issue as a crash: - - function inlinee(value) { - ... - let tmp = value + 1; - } - - function reflect() { - return inlinee.apply(undefined, arguments); - } - - function test(arr) { - let object = inlinee.apply(undefined, arr); // Uses a lot of SetArgumentMaybe nodes. - reflect(); // Calls with a LoadVararg, which gets converted into a PutStack of a constant. - } - - In this test case, we have a scenario where a SetArgumentMaybe's stack - slot is reused as the stack slot for a PutStack later. Here, the PutStack will - put a constant undefined value. Coincidentally, the SetArgumentMaybe may also - initialize that stack slot to a constant undefined value. Note that by the time - the PutStack executes, the SetArgumentMaybe's stack slot is dead. The liveness of - these 2 values are distinct. - - However, because we were missing a KillStack before the PutStack, OSR availability - analysis gets misled into thinking that the PutStack constant value is still in the - stack slot because the value left there by the SetArgumentMaybe hasn't been killed - off yet. As a result, OSR exit code will attempt to recover the PutStack's undefined - constant by loading from the stack slot instead of materializing it. 
Since - SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR - exit when we try to recover the PutStack constant value from the stack slot, and - end up using what ever junk value we read from there. - - Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack - removes this conflation of the PutStack's constant value with the SetArgumentMaybe's - constant value in the same stack slot. And, OSR availability analysis will no - longer be misled to load the PutStack's constant value from the stack, but will - materialize the constant instead. - - * dfg/DFGArgumentsEliminationPhase.cpp: - - - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247532 268f45cc-cd09-0410-ab3c-d52691b4dbfc - - 2019-07-17 Mark Lam - - ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds. - https://bugs.webkit.org/show_bug.cgi?id=199821 - + FullGCActivityCallback should use the percentage of pages uncompressed in RAM to determine deferral. + https://bugs.webkit.org/show_bug.cgi?id=224817 Reviewed by Filip Pizlo. - Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal - nodes in the SSAConversionPhase. SetLocal nodes are always preceded by MovHint nodes, - and the SSAConversionPhase always inserts a KillStack node before a MovHint node. - Hence, a PutStack node is always preceded by a KillStack node. + Right now we try to determine if too many pages are paged out by + dereferencing them and bailing out of the GC if we go over a + deadline. While this works if the only goal is to avoid causing + extensive thrashing on spinny disks (HDD), it doesn't prevent + thrashing when access to disk is fast (e.g. SSD). This is because + on fast disks the proportional time to load the memory from disk + is much lower. Additionally, on SSDs in particular we don't want + to load the pages into RAM then bail as that will force a + different page onto disk, increasing wear. 
- However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series - of one or more PutStacks nodes, and it prepends MovHint nodes before the PutStack - nodes. However, it neglects to prepend KillStack nodes as well. Since the - ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes - added during ArgumentsElimination will not be preceded by KillStack nodes. + This patch switches to asking the OS if each MarkedBlock is paged + out. Then if we are over a threshold we wait until we would have + GC'd anyway. This patch uses the (maxVMGrowthFactor - 1) as the + percentage of "slow" pages (paged out or compressed) needed to + defer the GC. The idea behind that threshold is that if we add + that many pages then the same number of pages would be forced + out of RAM for us to do a GC anyway (in the limit). - This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase - before it inserts a MovHint and a PutStack node. + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::updatePercentageOfPagedOutPages): + (JSC::BlockDirectory::isPagedOut): Deleted. + * heap/BlockDirectory.h: + * heap/FullGCActivityCallback.cpp: + (JSC::FullGCActivityCallback::doCollection): + * heap/Heap.cpp: + (JSC::Heap::isPagedOut): + * heap/Heap.h: + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::isPagedOut): + * heap/MarkedSpace.h: + * runtime/OptionsList.h: - Consider this test case which can manifest the above issue as a crash: +2021-04-16 Alan Coon - function inlinee(value) { - ... - let tmp = value + 1; - } + Cherry-pick r276155. rdar://problem/76781047 - function reflect() { - return inlinee.apply(undefined, arguments); - } - - function test(arr) { - let object = inlinee.apply(undefined, arr); // Uses a lot of SetArgumentMaybe nodes. - reflect(); // Calls with a LoadVararg, which gets converted into a PutStack of a constant. 
- } - - In this test case, we have a scenario where a SetArgumentMaybe's stack - slot is reused as the stack slot for a PutStack later. Here, the PutStack will - put a constant undefined value. Coincidentally, the SetArgumentMaybe may also - initialize that stack slot to a constant undefined value. Note that by the time - the PutStack executes, the SetArgumentMaybe's stack slot is dead. The liveness of - these 2 values are distinct. - - However, because we were missing a KillStack before the PutStack, OSR availability - analysis gets misled into thinking that the PutStack constant value is still in the - stack slot because the value left there by the SetArgumentMaybe hasn't been killed - off yet. As a result, OSR exit code will attempt to recover the PutStack's undefined - constant by loading from the stack slot instead of materializing it. Since - SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR - exit when we try to recover the PutStack constant value from the stack slot, and - end up using what ever junk value we read from there. - - Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack - removes this conflation of the PutStack's constant value with the SetArgumentMaybe's - constant value in the same stack slot. And, OSR availability analysis will no - longer be misled to load the PutStack's constant value from the stack, but will - materialize the constant instead. - - * dfg/DFGArgumentsEliminationPhase.cpp: - -2019-07-17 Kocsen Chung - - Cherry-pick r247474. rdar://problem/53229615 - - JSGlobalObject type macros should support feature flags and WeakRef should have one - https://bugs.webkit.org/show_bug.cgi?id=199601 + Before deleting a MarkedBlock we do not need to clear its m_directory pointer. + https://bugs.webkit.org/show_bug.cgi?id=224677 - Reviewed by Mark Lam. + Reviewed by Yusuke Suzuki. 
+ + Right now when we are about to free a MarkedBlock we clear the + m_directory pointer in the MarkedBlock's Handle. This has the + downside, however, of potentially paging in the footer from disk / + the compressor, which some data we have seen shows is happening. + This patch prevents this uncessary store to hopefully reduce the + number of pageins/decompressions caused by Safari web content. + + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::removeBlock): + (JSC::BlockDirectory::removeBlockForDeletion): + * heap/BlockDirectory.h: + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::~Handle): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::freeBlock): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276155 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-04-16 Keith Miller + + Before deleting a MarkedBlock we do not need to clear its m_directory pointer. + https://bugs.webkit.org/show_bug.cgi?id=224677 + + Reviewed by Yusuke Suzuki. + + Right now when we are about to free a MarkedBlock we clear the + m_directory pointer in the MarkedBlock's Handle. This has the + downside, however, of potentially paging in the footer from disk / + the compressor, which some data we have seen shows is happening. + This patch prevents this uncessary store to hopefully reduce the + number of pageins/decompressions caused by Safari web content. + + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::removeBlock): + (JSC::BlockDirectory::removeBlockForDeletion): + * heap/BlockDirectory.h: + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::~Handle): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::freeBlock): + +2021-04-15 Russell Epstein + + Cherry-pick r275233. rdar://problem/76727522 + + Ensure that GlobalPropertyInfo is allocated on the stack. + https://bugs.webkit.org/show_bug.cgi?id=223911 + + Unreviewed test gardening. + + Rebaseline builtins generator tests after r275212. 
+ + * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@275233 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-03-30 Ryan Haddad + + Ensure that GlobalPropertyInfo is allocated on the stack. + https://bugs.webkit.org/show_bug.cgi?id=223911 + + Unreviewed test gardening. + + Rebaseline builtins generator tests after r275212. + + * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: + +2021-04-15 Russell Epstein + + Cherry-pick r275845. rdar://problem/76727387 + + Modernize uses of ConsoleClient + https://bugs.webkit.org/show_bug.cgi?id=224398 + + Reviewed by David Kilzer. + + ConsoleClient acts like a delegate, so its callers + should be using weak references to it. Source/JavaScriptCore: - This patch refactors the various builtin type macros to have a - parameter, which is the feature flag enabling it. Since most - builtin types are enabled by default this patch adds a new global - bool typeExposedByDefault for clarity. Note, because static hash - tables have no concept of feature flags we can't use feature flags - with lazy properties. This is probably not a big deal as features - that are off by default won't be allocated anywhere we care about - memory usage anyway. - - * runtime/CommonIdentifiers.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::consoleClient const): + * inspector/JSGlobalObjectInspectorController.h: + * runtime/ConsoleClient.h: + * runtime/ConsoleObject.cpp: + (JSC::consoleLogWithLevel): + (JSC::JSC_DEFINE_HOST_FUNCTION): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): - (JSC::JSGlobalObject::visitChildren): + (JSC::JSGlobalObject::setConsoleClient): * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::stringObjectStructure const): - (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted. 
- * runtime/Options.h: - * wasm/js/JSWebAssembly.cpp: + (JSC::JSGlobalObject::consoleClient const): + (JSC::JSGlobalObject::setConsoleClient): Deleted. - Tools: + Source/WebCore: - JSC options need to be set before the window is created for the test. + * bindings/js/ScriptCachedFrameData.cpp: + (WebCore::ScriptCachedFrameData::restore): + * bindings/js/ScriptController.cpp: + (WebCore::ScriptController::initScriptForWindowProxy): + * bindings/js/WindowProxy.cpp: + (WebCore::WindowProxy::setDOMWindow): + * workers/WorkerOrWorkletScriptController.cpp: + (WebCore::WorkerOrWorkletScriptController::initScriptWithSubclass): - * DumpRenderTree/mac/DumpRenderTree.mm: - (resetWebViewToConsistentStateBeforeTesting): - * DumpRenderTree/win/DumpRenderTree.cpp: - (setJSCOptions): - (resetWebViewToConsistentStateBeforeTesting): - - LayoutTests: - - Add JSC option requirements for WeakRef tests. - - * js/script-tests/weakref-async-is-collected.js: - * js/script-tests/weakref-eventually-collects-values.js: - * js/script-tests/weakref-microtasks-dont-collect.js: - * js/script-tests/weakref-weakset-consistency.js: - * js/weakref-async-is-collected.html: - * js/weakref-eventually-collects-values.html: - * js/weakref-microtasks-dont-collect.html: - * js/weakref-weakset-consistency.html: - - git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247474 268f45cc-cd09-0410-ab3c-d52691b4dbfc + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@275845 268f45cc-cd09-0410-ab3c-d52691b4dbfc - 2019-07-15 Keith Miller + 2021-04-12 BJ Burg - JSGlobalObject type macros should support feature flags and WeakRef should have one - https://bugs.webkit.org/show_bug.cgi?id=199601 + Modernize uses of ConsoleClient + https://bugs.webkit.org/show_bug.cgi?id=224398 + + Reviewed by David Kilzer. + + ConsoleClient acts like a delegate, so its callers + should be using weak references to it. 
+ + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::consoleClient const): + * inspector/JSGlobalObjectInspectorController.h: + * runtime/ConsoleClient.h: + * runtime/ConsoleObject.cpp: + (JSC::consoleLogWithLevel): + (JSC::JSC_DEFINE_HOST_FUNCTION): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::setConsoleClient): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::consoleClient const): + (JSC::JSGlobalObject::setConsoleClient): Deleted. + +2021-04-15 Russell Epstein + + Cherry-pick r275212. rdar://problem/76727522 + + Ensure that GlobalPropertyInfo is allocated on the stack. + https://bugs.webkit.org/show_bug.cgi?id=223911 + rdar://75865742 + + Reviewed by Yusuke Suzuki. + + Source/JavaScriptCore: + + We rely on GlobalPropertyInfo being allocated on the stack to allow its JSValue + value to be scanned by the GC. Unfortunately, an ASAN compilation would choose + to allocate the GlobalPropertyInfo on a side buffer instead of directly on the + stack. This prevents the GC from doing the needed scan. + + We'll fix this by suppressing ASAN on the functions that allocated GlobalPropertyInfo + arrays. Also added an ASSERT in the GlobalPropertyInfo constructor to assert that + it is allocated on the stack. 
+ + * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: + (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::initStaticGlobals): + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::exposeDollarVM): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo): + + Source/WebCore: + + * bindings/js/JSDOMGlobalObject.cpp: + (WebCore::JSDOMGlobalObject::addBuiltinGlobals): + * bindings/js/JSDOMWindowBase.cpp: + (WebCore::JSDOMWindowBase::finishCreation): + (WebCore::JSDOMWindowBase::initStaticGlobals): + * bindings/js/JSDOMWindowBase.h: + + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@275212 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-03-30 Mark Lam + + Ensure that GlobalPropertyInfo is allocated on the stack. + https://bugs.webkit.org/show_bug.cgi?id=223911 + rdar://75865742 + + Reviewed by Yusuke Suzuki. + + We rely on GlobalPropertyInfo being allocated on the stack to allow its JSValue + value to be scanned by the GC. Unfortunately, an ASAN compilation would choose + to allocate the GlobalPropertyInfo on a side buffer instead of directly on the + stack. This prevents the GC from doing the needed scan. + + We'll fix this by suppressing ASAN on the functions that allocated GlobalPropertyInfo + arrays. Also added an ASSERT in the GlobalPropertyInfo constructor to assert that + it is allocated on the stack. + + * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: + (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::initStaticGlobals): + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::exposeDollarVM): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo): + +2021-04-08 Russell Epstein + + Cherry-pick r274325. 
rdar://problem/76416354 + + Adopt VM_FLAGS_PERMANENT for the config vm mapping + https://bugs.webkit.org/show_bug.cgi?id=222086 + + + Reviewed by Yusuke Suzuki and Mark Lam. + + Source/JavaScriptCore: + + * runtime/JSCConfig.h: + (JSC::Config::configureForTesting): + + Source/WebKit: + + * Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm: + (WebKit::XPCServiceMain): + + Source/WTF: + + * wtf/PlatformHave.h: + * wtf/Threading.cpp: + (WTF::initialize): + * wtf/WTFConfig.cpp: + (WTF::setPermissionsOfConfigPage): + * wtf/WTFConfig.h: + (WTF::setPermissionsOfConfigPage): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274325 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-03-11 Saam Barati + + Adopt VM_FLAGS_PERMANENT for the config vm mapping + https://bugs.webkit.org/show_bug.cgi?id=222086 + + + Reviewed by Yusuke Suzuki and Mark Lam. + + * runtime/JSCConfig.h: + (JSC::Config::configureForTesting): + +2021-04-08 Russell Epstein + + Cherry-pick r274699. rdar://problem/76373830 + + JS->Wasm IC must save the tag registers if it uses them + https://bugs.webkit.org/show_bug.cgi?id=223491 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * wasm/stress/save-tag-callee-saves-in-js-entrypoint-ic.js: Added. + (0x0b.WebAssembly.instantiate.wasm.then.e.const.mod.e.instance.exports.Test.prototype.get breakIt): + (0x0b.WebAssembly.instantiate.wasm.then.e.const.mod.e.instance.exports.Test): + (0x0b.WebAssembly.instantiate.wasm.then.e.const.obj.new.Test): + + Source/JavaScriptCore: + + It turns out, that when you use a callee save register, you should save it. + + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::usesTagRegisters const): + (JSC::WebAssemblyFunction::calleeSaves const): + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + (JSC::WebAssemblyFunction::useTagRegisters const): Deleted. 
+ * wasm/js/WebAssemblyFunction.h: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274699 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-03-18 Saam Barati + + JS->Wasm IC must save the tag registers if it uses them + https://bugs.webkit.org/show_bug.cgi?id=223491 + + + Reviewed by Yusuke Suzuki. + + It turns out, that when you use a callee save register, you should save it. + + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::usesTagRegisters const): + (JSC::WebAssemblyFunction::calleeSaves const): + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + (JSC::WebAssemblyFunction::useTagRegisters const): Deleted. + * wasm/js/WebAssemblyFunction.h: + +2021-04-08 Russell Epstein + + Cherry-pick r274539. rdar://problem/76374197 + + Object allocation sinking phase should prioritize materializations with no dependencies before materializations with no reverse dependencies + https://bugs.webkit.org/show_bug.cgi?id=221069 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/allocation-sinking-scope-materialization-order.js: Added. + (var3.var2.x): + (var3): + + Source/JavaScriptCore: + + Suppose we have two scope objects, A and B. Let's say A points to B, so B is + A's parent scope. A then depends on B. B has no dependencies here. When deciding + an order to materialize scope objects, we should always do it in reverse dependency + order. So above, we should materialize B, then A. + + Inside object allocation sinking phase, when at an object materialization + site, we do track both dependencies and reverse dependencies. In the above + object graph, we'd attempt to materialize the objects in the right order, + always picking things with no dependencies first (and updating the list of + dependencies as we materialzed objects). + + The code was using an std::list to track things to materialize, and it had + notions for materializing something first, and materializing something last. 
+ However, there was a bug in how the code managed to insert things when + it first inserted last followed by inserting first. This patch simplifies + the code and makes it do the right thing. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274539 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-03-16 Saam Barati + + Object allocation sinking phase should prioritize materializations with no dependencies before materializations with no reverse dependencies + https://bugs.webkit.org/show_bug.cgi?id=221069 + + + Reviewed by Yusuke Suzuki. + + Suppose we have two scope objects, A and B. Let's say A points to B, so B is + A's parent scope. A then depends on B. B has no dependencies here. When deciding + an order to materialize scope objects, we should always do it in reverse dependency + order. So above, we should materialize B, then A. + + Inside object allocation sinking phase, when at an object materialization + site, we do track both dependencies and reverse dependencies. In the above + object graph, we'd attempt to materialize the objects in the right order, + always picking things with no dependencies first (and updating the list of + dependencies as we materialzed objects). + + The code was using an std::list to track things to materialize, and it had + notions for materializing something first, and materializing something last. + However, there was a bug in how the code managed to insert things when + it first inserted last followed by inserting first. This patch simplifies + the code and makes it do the right thing. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2021-04-08 Russell Epstein + + Cherry-pick r274288. rdar://problem/76415622 + + Web Inspector: Occasional crash under RemoteConnectionToTargetCocoa::close() + https://bugs.webkit.org/show_bug.cgi?id=223038 + + + Reviewed by Alex Christensen. 
+ + * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: + (Inspector::RemoteConnectionToTarget::setup): + (Inspector::RemoteConnectionToTarget::close): + Don't use a capture default, and copy the targetIdentifier. + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274288 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-03-11 BJ Burg + + Web Inspector: Occasional crash under RemoteConnectionToTargetCocoa::close() + https://bugs.webkit.org/show_bug.cgi?id=223038 + + + Reviewed by Alex Christensen. + + * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: + (Inspector::RemoteConnectionToTarget::setup): + (Inspector::RemoteConnectionToTarget::close): + Don't use a capture default, and copy the targetIdentifier. + +2021-04-08 Russell Epstein + + Cherry-pick r273972. rdar://problem/76375074 + + OpGetPrivateName needs to be listed in FOR_EACH_OPCODE_WITH_VALUE_PROFILE + https://bugs.webkit.org/show_bug.cgi?id=222775 + + + Reviewed by Michael Saboff. + + JSTests: + + * stress/private-name-assignment-in-constructor.js: Added. + (Foo): + + Source/JavaScriptCore: + + Right now valueProfileForBytecodeIndex incorrectly returns null for op_get_private_name. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::valueProfileForBytecodeIndex): + * bytecode/Opcode.h: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@273972 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-03-05 Tadeu Zagallo + + OpGetPrivateName needs to be listed in FOR_EACH_OPCODE_WITH_VALUE_PROFILE + https://bugs.webkit.org/show_bug.cgi?id=222775 + + + Reviewed by Michael Saboff. + + Right now valueProfileForBytecodeIndex incorrectly returns null for op_get_private_name. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::valueProfileForBytecodeIndex): + * bytecode/Opcode.h: + +2021-02-17 Ruben Turcios + + Cherry-pick r271767. 
rdar://problem/74409412 + + Obj-C API should do correct type checks when using a 32-bit address space + https://bugs.webkit.org/show_bug.cgi?id=220880 + + + Reviewed by Tadeu Zagallo. + + * API/JSValue.mm: + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271767 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-22 Keith Miller + + Obj-C API should do correct type checks when using a 32-bit address space + https://bugs.webkit.org/show_bug.cgi?id=220880 + + + Reviewed by Tadeu Zagallo. + + * API/JSValue.mm: + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + +2021-02-17 Ruben Turcios + + Cherry-pick r270719. rdar://problem/74409412 + + REGRESSION (r270665): testapi failing on JSC bots + https://bugs.webkit.org/show_bug.cgi?id=219787 + + Reviewed by Saam Barati. + + * API/JSValueRef.cpp: + (JSValueIsString): + (JSValueIsObject): + (JSValueIsSymbol): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@270719 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2020-12-11 Tadeu Zagallo + + REGRESSION (r270665): testapi failing on JSC bots + https://bugs.webkit.org/show_bug.cgi?id=219787 + + Reviewed by Saam Barati. + + * API/JSValueRef.cpp: + (JSValueIsString): + (JSValueIsObject): + (JSValueIsSymbol): + +2021-02-17 Ruben Turcios + + Cherry-pick r270700. rdar://problem/74409412 + + REGRESSION (r270665): testapi failing on CLoop bot + https://bugs.webkit.org/show_bug.cgi?id=219787 + + Reviewed by Mark Lam. + + The API has to special case the empty JSValue as null. + + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsNull): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@270700 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2020-12-11 Tadeu Zagallo + + REGRESSION (r270665): testapi failing on CLoop bot + https://bugs.webkit.org/show_bug.cgi?id=219787 Reviewed by Mark Lam. 
- This patch refactors the various builtin type macros to have a - parameter, which is the feature flag enabling it. Since most - builtin types are enabled by default this patch adds a new global - bool typeExposedByDefault for clarity. Note, because static hash - tables have no concept of feature flags we can't use feature flags - with lazy properties. This is probably not a big deal as features - that are off by default won't be allocated anywhere we care about - memory usage anyway. + The API has to special case the empty JSValue as null. - * runtime/CommonIdentifiers.h: - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - (JSC::JSGlobalObject::visitChildren): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::stringObjectStructure const): - (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted. - * runtime/Options.h: + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsNull): + +2021-02-17 Ruben Turcios + + Cherry-pick r270665. rdar://problem/74409412 + + Removing unnecessary locking from JSValue API functions + https://bugs.webkit.org/show_bug.cgi?id=219723 + + Reviewed by Filip Pizlo. + + PerformanceTests: + + Print an error message when benchmarks fail to run and add option to change + the configuration used to build the benchmarks. + + * APIBench/api-bench: + + Source/JavaScriptCore: + + Remove the unnecessary locking from the JSValueIs* and JSValueMake* API functions + that only work on primitives. Also remove the unnecessary method dispatching and + call from the -[JSValue is*] methods. + + This improves the APIBench score by another ~8% since these are such common operations. 
+ Here are the results: (Baseline includes https://bugs.webkit.org/show_bug.cgi?id=219663) + + CURRENT_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 74ms 60ms + RichardsMostlyObjC: 304ms 300ms + RichardsMostlySwift: 305ms 293ms + RichardsSomeC: 97ms 77ms + RichardsSomeObjC: 158ms 159ms + RichardsSomeSwift: 202ms 198ms + + UPCOMING_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 23ms 19ms + RichardsMostlyObjC: 282ms 282ms + RichardsMostlySwift: 280ms 282ms + RichardsSomeC: 95ms 76ms + RichardsSomeObjC: 157ms 156ms + RichardsSomeSwift: 202ms 197ms + ---------------------------------------- + Score: 33.6404 36.4006 + + * API/APICast.h: + (toRef): + * API/JSValue.mm: + (-[JSValue isUndefined]): + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + (-[JSValue isObject]): + (-[JSValue isSymbol]): + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsUndefined): + (JSValueIsNull): + (JSValueIsBoolean): + (JSValueIsNumber): + (JSValueIsString): + (JSValueIsObject): + (JSValueIsSymbol): + (JSValueMakeUndefined): + (JSValueMakeNull): + (JSValueMakeBoolean): + (JSValueMakeNumber): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@270665 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2020-12-10 Tadeu Zagallo + + Removing unnecessary locking from JSValue API functions + https://bugs.webkit.org/show_bug.cgi?id=219723 + + Reviewed by Filip Pizlo. + + Remove the unnecessary locking from the JSValueIs* and JSValueMake* API functions + that only work on primitives. Also remove the unnecessary method dispatching and + call from the -[JSValue is*] methods. + + This improves the APIBench score by another ~8% since these are such common operations. 
+ Here are the results: (Baseline includes https://bugs.webkit.org/show_bug.cgi?id=219663) + + CURRENT_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 74ms 60ms + RichardsMostlyObjC: 304ms 300ms + RichardsMostlySwift: 305ms 293ms + RichardsSomeC: 97ms 77ms + RichardsSomeObjC: 158ms 159ms + RichardsSomeSwift: 202ms 198ms + + UPCOMING_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 23ms 19ms + RichardsMostlyObjC: 282ms 282ms + RichardsMostlySwift: 280ms 282ms + RichardsSomeC: 95ms 76ms + RichardsSomeObjC: 157ms 156ms + RichardsSomeSwift: 202ms 197ms + ---------------------------------------- + Score: 33.6404 36.4006 + + * API/APICast.h: + (toRef): + * API/JSValue.mm: + (-[JSValue isUndefined]): + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + (-[JSValue isObject]): + (-[JSValue isSymbol]): + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsUndefined): + (JSValueIsNull): + (JSValueIsBoolean): + (JSValueIsNumber): + (JSValueIsString): + (JSValueIsObject): + (JSValueIsSymbol): + (JSValueMakeUndefined): + (JSValueMakeNull): + (JSValueMakeBoolean): + (JSValueMakeNumber): + +2021-02-19 Alan Coon + + Cherry-pick r272938. rdar://problem/74500752 + + operationNewArrayWithSize should call tryCreate instead of create + https://bugs.webkit.org/show_bug.cgi?id=221983 + + + Reviewed by Mark Lam. + + I disassembled crashlogs inside operationNewArrayWithSize. They are crashing + inside array allocation. They are crashing on OOM. By code inspection, + operationNewArrayWithSizeAndHint has the same problem. + + Callsites to both functions already handle exceptions being thrown, so + converting both operationNewArrayWithSize and operationNewArrayWithSizeAndHint + to throw instead of crash on OOM is trivial. + + I wasn't able to come up with a test case for this. 
+ + * dfg/DFGOperations.cpp: + (JSC::DFG::JSC_DEFINE_JIT_OPERATION): + * runtime/ObjectConstructor.cpp: + (JSC::ownPropertyKeys): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272938 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-02-16 Saam Barati + + operationNewArrayWithSize should call tryCreate instead of create + https://bugs.webkit.org/show_bug.cgi?id=221983 + + + Reviewed by Mark Lam. + + I disassembled crashlogs inside operationNewArrayWithSize. They are crashing + inside array allocation. They are crashing on OOM. By code inspection, + operationNewArrayWithSizeAndHint has the same problem. + + Callsites to both functions already handle exceptions being thrown, so + converting both operationNewArrayWithSize and operationNewArrayWithSizeAndHint + to throw instead of crash on OOM is trivial. + + I wasn't able to come up with a test case for this. + + * dfg/DFGOperations.cpp: + (JSC::DFG::JSC_DEFINE_JIT_OPERATION): + * runtime/ObjectConstructor.cpp: + (JSC::ownPropertyKeys): + +2021-02-16 Ruben Turcios + + Cherry-pick r272685. rdar://problem/74410538 + + We should not static_assert on an ENABLE() macro. + https://bugs.webkit.org/show_bug.cgi?id=221714 + rdar://74197896 + + Reviewed by Yusuke Suzuki. + + This is because the ENABLE() macro reduces to a macro expression + `(defined ENABLE_##WTF_FEATURE && ENABLE_##WTF_FEATURE)` which is not a C++ + expression that a static_assert can evaluate. + + * llint/LLIntData.cpp: + * llint/LLIntData.h: + (JSC::LLInt::getCodePtr): + (JSC::LLInt::getWide16CodePtr): + (JSC::LLInt::getWide32CodePtr): + + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272685 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-02-10 Mark Lam + + We should not static_assert on an ENABLE() macro. + https://bugs.webkit.org/show_bug.cgi?id=221714 + rdar://74197896 + + Reviewed by Yusuke Suzuki. 
+ + This is because the ENABLE() macro reduces to a macro expression + `(defined ENABLE_##WTF_FEATURE && ENABLE_##WTF_FEATURE)` which is not a C++ + expression that a static_assert can evaluate. + + * llint/LLIntData.cpp: + * llint/LLIntData.h: + (JSC::LLInt::getCodePtr): + (JSC::LLInt::getWide16CodePtr): + (JSC::LLInt::getWide32CodePtr): + +2021-02-16 Ruben Turcios + + Cherry-pick r272663. rdar://problem/74409155 + + Don't crash when reparsing an arrow function and the parsing invariant is broken + https://bugs.webkit.org/show_bug.cgi?id=221632 + + + Reviewed by Tadeu Zagallo and Mark Lam. + + We have code where we assert that when reparsing an arrow function, + we see the '=>' token after parsing the parameters. Since we already + parsed the arrow function before, this assertion makes sense. But somehow, + this is leading to crashes on real websites. We don't know why this invariant + is being broken. I'm changing this to a debug assert, and we're tracking + the full fix in: + https://bugs.webkit.org/show_bug.cgi?id=221633 + + * parser/Parser.cpp: + (JSC::Parser::parseInner): + + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272663 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-02-10 Saam Barati + + Don't crash when reparsing an arrow function and the parsing invariant is broken + https://bugs.webkit.org/show_bug.cgi?id=221632 + + + Reviewed by Tadeu Zagallo and Mark Lam. + + We have code where we assert that when reparsing an arrow function, + we see the '=>' token after parsing the parameters. Since we already + parsed the arrow function before, this assertion makes sense. But somehow, + this is leading to crashes on real websites. We don't know why this invariant + is being broken. I'm changing this to a debug assert, and we're tracking + the full fix in: + https://bugs.webkit.org/show_bug.cgi?id=221633 + + * parser/Parser.cpp: + (JSC::Parser::parseInner): + +2021-02-16 Ruben Turcios + + Cherry-pick r272430. 
rdar://problem/74409193 + + Unreviewed, follow-up change after r272428 + https://bugs.webkit.org/show_bug.cgi?id=221454 + + isPropertyNameExcluded can invoke GC etc. Structure::forEachProperty can miss PropertyTable and Structure + reference when it is highly optimized, so that it can crash if GC happens in the middle of Structure::forEachProperty. + + 1. Insert ensureStillAliveHere in Structure::forEachProperty to ensure liveness of PropertyTable + 2. We should not perform side-effectful operation including GC in Structure::forEachProperty. So we moved isPropertyNameExcluded. + + * runtime/StructureInlines.h: + (JSC::Structure::forEachProperty): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272430 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-02-05 Yusuke Suzuki + + Unreviewed, follow-up change after r272428 + https://bugs.webkit.org/show_bug.cgi?id=221454 + + isPropertyNameExcluded can invoke GC etc. Structure::forEachProperty can miss PropertyTable and Structure + reference when it is highly optimized, so that it can crash if GC happens in the middle of Structure::forEachProperty. + + 1. Insert ensureStillAliveHere in Structure::forEachProperty to ensure liveness of PropertyTable + 2. We should not perform side-effectful operation including GC in Structure::forEachProperty. So we moved isPropertyNameExcluded. + + * runtime/StructureInlines.h: + (JSC::Structure::forEachProperty): + +2021-02-16 Ruben Turcios + + Cherry-pick r272428. rdar://problem/74409193 + + [JSC] globalFuncCopyDataProperties should not perform GC-sensitive operation in the middle of Structure::forEachProperty + https://bugs.webkit.org/show_bug.cgi?id=221454 + + Reviewed by Mark Lam. + + JSTests: + + * stress/copy-data-properties-fast-path.js: Added. + (foo): + + Source/JavaScriptCore: + + isPropertyNameExcluded can invoke GC etc. And running Structure::forEachProperty + is fragile state against any side-effect including GC. 
+ We should not perform GC-sensitive operation during Structure::forEachProperty. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272428 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-02-05 Yusuke Suzuki + + [JSC] globalFuncCopyDataProperties should not perform GC-sensitive operation in the middle of Structure::forEachProperty + https://bugs.webkit.org/show_bug.cgi?id=221454 + + Reviewed by Mark Lam. + + isPropertyNameExcluded can invoke GC etc. And running Structure::forEachProperty + is fragile state against any side-effect including GC. + We should not perform GC-sensitive operation during Structure::forEachProperty. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + +2021-02-16 Ruben Turcios + + Cherry-pick r272406. rdar://problem/74410311 + + [JSC] JSImmutableButterfly's toString cache should not happen for generic join + https://bugs.webkit.org/show_bug.cgi?id=221444 + + + Reviewed by Mark Lam. + + JSTests: + + * stress/immutable-butterfly-to-string-cache-should-not-happen-for-generic-join.js: Added. + (foo): + + Source/JavaScriptCore: + + We should not cache Array#toString results with JSImmutableButterfly if + its join operation becomes generic join: including objects in array, since + this can invoke object.toString(), and it isn't side-effect free. + + * runtime/ArrayPrototype.cpp: + (JSC::fastJoin): + (JSC::JSC_DEFINE_HOST_FUNCTION): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272406 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-02-05 Yusuke Suzuki + + [JSC] JSImmutableButterfly's toString cache should not happen for generic join + https://bugs.webkit.org/show_bug.cgi?id=221444 + + + Reviewed by Mark Lam. 
+ + We should not cache Array#toString results with JSImmutableButterfly if + its join operation becomes generic join: including objects in array, since + this can invoke object.toString(), and it isn't side-effect free. + + * runtime/ArrayPrototype.cpp: + (JSC::fastJoin): + (JSC::JSC_DEFINE_HOST_FUNCTION): + +2021-02-16 Ruben Turcios + + Cherry-pick r271746. rdar://problem/74410558 + + Disable Options:useAtMethod because of compatibility issue. + https://bugs.webkit.org/show_bug.cgi?id=220788 + rdar://72933608 + + Reviewed by Saam Barati and Yusuke Suzuki. + + Source/JavaScriptCore: + + See https://github.com/tc39/proposal-relative-indexing-method/issues/41. + + * jsc.cpp: + (CommandLine::parseArguments): + - enable Options::useAtMethod by default for the jsc shell for testing. + * runtime/OptionsList.h: + + LayoutTests: + + Enable Options::useAtMethod for these tests. + + * inspector/model/remote-object-get-properties.html: + * js/Object-getOwnPropertyNames.html: + * js/array-unscopables-properties.html: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271746 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-22 Mark Lam + + Disable Options:useAtMethod because of compatibility issue. + https://bugs.webkit.org/show_bug.cgi?id=220788 + rdar://72933608 + + Reviewed by Saam Barati and Yusuke Suzuki. + + See https://github.com/tc39/proposal-relative-indexing-method/issues/41. + + * jsc.cpp: + (CommandLine::parseArguments): + - enable Options::useAtMethod by default for the jsc shell for testing. + * runtime/OptionsList.h: + +2021-02-10 Alan Coon + + Revert r272538. rdar://problem/74183111 + +2021-02-10 Alan Coon + + Revert r272539. rdar://problem/74183111 + +2021-02-08 Russell Epstein + + Cherry-pick r271570. rdar://problem/74105714 + + [JSC] GenericArguments::defineOwnProperty's assumption about error is not correct + https://bugs.webkit.org/show_bug.cgi?id=220693 + + + Reviewed by Mark Lam. 
+ + JSTests: + + * stress/freeze-invokes-out-of-memory.js: Added. + (shouldThrow): + + Source/JavaScriptCore: + + Any function taking JSGlobalObject* can cause out-of-memory error potentially. And we have a way to invoke it. + But GenericArguments::defineOwnProperty didn't assume OutOfMemory error. This patch fixes it. + + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::defineOwnProperty): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271570 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-17 Yusuke Suzuki + + [JSC] GenericArguments::defineOwnProperty's assumption about error is not correct + https://bugs.webkit.org/show_bug.cgi?id=220693 + + + Reviewed by Mark Lam. + + Any function taking JSGlobalObject* can cause out-of-memory error potentially. And we have a way to invoke it. + But GenericArguments::defineOwnProperty didn't assume OutOfMemory error. This patch fixes it. + + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::defineOwnProperty): + +2021-02-08 Russell Epstein + + Cherry-pick r270664. rdar://problem/74105714 + + Align [[DefineOwnProperty]] method of mapped arguments object with the spec + https://bugs.webkit.org/show_bug.cgi?id=219750 + + Reviewed by Yusuke Suzuki. + + JSTests: + + * test262/expectations.yaml: Mark 5 test cases as passing. + + Source/JavaScriptCore: + + This patch reimplements [[DefineOwnProperty]] method to resemble the spec [1] as + closely as possible, aligning JSC with V8 and SpiderMonkey on remaining test262 cases. + + Unlike the spec [2], JSC doesn't materialize mapped indices with initial values, + so putDirectIndex() is performed on the first call to handle incomplete descriptors. + + Even though there is a possibility to avoid JSObject storage puts for a handful of + super rare descriptors, it's not worth the increased complexity. 
+ + [1]: https://tc39.es/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc + [2]: https://tc39.es/ecma262/#sec-createmappedargumentsobject (step 15.b) + + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::defineOwnProperty): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@270664 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2020-12-10 Alexey Shvayka + + Align [[DefineOwnProperty]] method of mapped arguments object with the spec + https://bugs.webkit.org/show_bug.cgi?id=219750 + + Reviewed by Yusuke Suzuki. + + This patch reimplements [[DefineOwnProperty]] method to resemble the spec [1] as + closely as possible, aligning JSC with V8 and SpiderMonkey on remaining test262 cases. + + Unlike the spec [2], JSC doesn't materialize mapped indices with initial values, + so putDirectIndex() is performed on the first call to handle incomplete descriptors. + + Even though there is a possibility to avoid JSObject storage puts for a handful of + super rare descriptors, it's not worth the increased complexity. + + [1]: https://tc39.es/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc + [2]: https://tc39.es/ecma262/#sec-createmappedargumentsobject (step 15.b) + + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::defineOwnProperty): + +2021-02-08 Russell Epstein + + Cherry-pick r271767. rdar://problem/74105427 + + Obj-C API should do correct type checks when using a 32-bit address space + https://bugs.webkit.org/show_bug.cgi?id=220880 + + + Reviewed by Tadeu Zagallo. + + * API/JSValue.mm: + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271767 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-22 Keith Miller + + Obj-C API should do correct type checks when using a 32-bit address space + https://bugs.webkit.org/show_bug.cgi?id=220880 + + + Reviewed by Tadeu Zagallo. 
+ + * API/JSValue.mm: + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + +2021-02-08 Russell Epstein + + Cherry-pick r270665. rdar://problem/74105427 + + Removing unnecessary locking from JSValue API functions + https://bugs.webkit.org/show_bug.cgi?id=219723 + + Reviewed by Filip Pizlo. + + PerformanceTests: + + Print an error message when benchmarks fail to run and add option to change + the configuration used to build the benchmarks. + + * APIBench/api-bench: + + Source/JavaScriptCore: + + Remove the unnecessary locking from the JSValueIs* and JSValueMake* API functions + that only work on primitives. Also remove the unnecessary method dispatching and + call from the -[JSValue is*] methods. + + This improves the APIBench score by another ~8% since these are such common operations. + Here are the results: (Baseline includes https://bugs.webkit.org/show_bug.cgi?id=219663) + + CURRENT_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 74ms 60ms + RichardsMostlyObjC: 304ms 300ms + RichardsMostlySwift: 305ms 293ms + RichardsSomeC: 97ms 77ms + RichardsSomeObjC: 158ms 159ms + RichardsSomeSwift: 202ms 198ms + + UPCOMING_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 23ms 19ms + RichardsMostlyObjC: 282ms 282ms + RichardsMostlySwift: 280ms 282ms + RichardsSomeC: 95ms 76ms + RichardsSomeObjC: 157ms 156ms + RichardsSomeSwift: 202ms 197ms + ---------------------------------------- + Score: 33.6404 36.4006 + + * API/APICast.h: + (toRef): + * API/JSValue.mm: + (-[JSValue isUndefined]): + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + (-[JSValue isObject]): + (-[JSValue isSymbol]): + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsUndefined): + (JSValueIsNull): + (JSValueIsBoolean): + (JSValueIsNumber): + (JSValueIsString): + (JSValueIsObject): + (JSValueIsSymbol): + (JSValueMakeUndefined): + 
(JSValueMakeNull): + (JSValueMakeBoolean): + (JSValueMakeNumber): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@270665 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2020-12-10 Tadeu Zagallo + + Removing unnecessary locking from JSValue API functions + https://bugs.webkit.org/show_bug.cgi?id=219723 + + Reviewed by Filip Pizlo. + + Remove the unnecessary locking from the JSValueIs* and JSValueMake* API functions + that only work on primitives. Also remove the unnecessary method dispatching and + call from the -[JSValue is*] methods. + + This improves the APIBench score by another ~8% since these are such common operations. + Here are the results: (Baseline includes https://bugs.webkit.org/show_bug.cgi?id=219663) + + CURRENT_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 74ms 60ms + RichardsMostlyObjC: 304ms 300ms + RichardsMostlySwift: 305ms 293ms + RichardsSomeC: 97ms 77ms + RichardsSomeObjC: 158ms 159ms + RichardsSomeSwift: 202ms 198ms + + UPCOMING_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 23ms 19ms + RichardsMostlyObjC: 282ms 282ms + RichardsMostlySwift: 280ms 282ms + RichardsSomeC: 95ms 76ms + RichardsSomeObjC: 157ms 156ms + RichardsSomeSwift: 202ms 197ms + ---------------------------------------- + Score: 33.6404 36.4006 + + * API/APICast.h: + (toRef): + * API/JSValue.mm: + (-[JSValue isUndefined]): + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + (-[JSValue isObject]): + (-[JSValue isSymbol]): + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsUndefined): + (JSValueIsNull): + (JSValueIsBoolean): + (JSValueIsNumber): + (JSValueIsString): + (JSValueIsObject): + (JSValueIsSymbol): + (JSValueMakeUndefined): + (JSValueMakeNull): + (JSValueMakeBoolean): + (JSValueMakeNumber): + +2021-02-08 Russell Epstein + + Cherry-pick r272349. 
rdar://problem/74104450 + + [JSC] Insert PhantomLocal just before SetLocal for |this| to ensure liveness + https://bugs.webkit.org/show_bug.cgi?id=221353 + + + Reviewed by Saam Barati. + + Let's consider the following case before SSA conversion. + + BB#0: + SetArgumentDefinitely(this) + ... + @a: SomethingFun() + MoveHint(@a, this) + SetLocal(@a, this) + Jump #1 + + BB#1: + ... + ExitOK (this point) + ... + @b: SomethingFun() + MoveHint(@b, this) + SetLocal(@b, this) + ... + + BB#2: (Catch entry point) + ... + @c: SetArgumentDefinitely(this) + ... + Jump #1 + + We have two entry points. And BB#0 sets @a to |this| while BB#2 does not update |this|, so it is using @c. + We have several patterns we can store |this|: arrow functions' |this| loading, derived constructors' |this| update. So we can see + SetLocal(@x, this) at arbitrary code points in CodeBlocks having them. + + The problem is that DFG strongly assumed that |this| is initialized in the root basic block only once. So usually, we do not insert Flush/PhantomLocal for |this|. + But this is problematic when we can store |this| at arbitrary basic blocks since we do not properly insert Flush/PhantomLocal(this) in BB#1's just before Store. + + Not inserting that in the above case makes |this| dead in BB#1's head liveness. Then we do not properly insert Phi(BB#0, BB#2) for |this|. + This is OK for non |this| locals since literally that local is not used at all in BB#1. But |this| is special since it is always live in bytecode. + So, OSR availability will be broken in the above graph: at ExitOK place, |this| must be live in bytecode. But |this| is pointing ConflictingFlush since + BB#0 says @a and BB#2 says @c while we do not have Phi. + + The problem is that we do not keep liveness of |this| properly in BB#1. 
When setting a new |this|, we insert PhantomLocal to keep liveness so that appropriate Phi + will be inserted when two predecessors have different DFG nodes for |this|, and this graph can appear in arrow functions, derived constructors, and code with catch. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::setArgument): + * dfg/DFGVariableAccessDataDump.cpp: + (JSC::DFG::VariableAccessDataDump::dump const): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272349 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-02-03 Yusuke Suzuki + + [JSC] Insert PhantomLocal just before SetLocal for |this| to ensure liveness + https://bugs.webkit.org/show_bug.cgi?id=221353 + + + Reviewed by Saam Barati. + + Let's consider the following case before SSA conversion. + + BB#0: + SetArgumentDefinitely(this) + ... + @a: SomethingFun() + MoveHint(@a, this) + SetLocal(@a, this) + Jump #1 + + BB#1: + ... + ExitOK (this point) + ... + @b: SomethingFun() + MoveHint(@b, this) + SetLocal(@b, this) + ... + + BB#2: (Catch entry point) + ... + @c: SetArgumentDefinitely(this) + ... + Jump #1 + + We have two entry points. And BB#0 sets @a to |this| while BB#2 does not update |this|, so it is using @c. + We have several patterns we can store |this|: arrow functions' |this| loading, derived constructors' |this| update. So we can see + SetLocal(@x, this) at arbitrary code points in CodeBlocks having them. + + The problem is that DFG strongly assumed that |this| is initialized in the root basic block only once. So usually, we do not insert Flush/PhantomLocal for |this|. + But this is problematic when we can store |this| at arbitrary basic blocks since we do not properly insert Flush/PhantomLocal(this) in BB#1's just before Store. + + Not inserting that in the above case makes |this| dead in BB#1's head liveness. Then we do not properly insert Phi(BB#0, BB#2) for |this|. + This is OK for non |this| locals since literally that local is not used at all in BB#1. 
But |this| is special since it is always live in bytecode. + So, OSR availability will be broken in the above graph: at ExitOK place, |this| must be live in bytecode. But |this| is pointing ConflictingFlush since + BB#0 says @a and BB#2 says @c while we do not have Phi. + + The problem is that we do not keep liveness of |this| properly in BB#1. When setting a new |this|, we insert PhantomLocal to keep liveness so that appropriate Phi + will be inserted when two predecessors have different DFG nodes for |this|, and this graph can appear in arrow functions, derived constructors, and code with catch. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::setArgument): + * dfg/DFGVariableAccessDataDump.cpp: + (JSC::DFG::VariableAccessDataDump::dump const): + +2021-02-08 Russell Epstein + + Cherry-pick r272330. rdar://problem/74032526 + + [AppleWin 32bit][LLInt] LLIntData.h(104) : warning C4172: returning address of local variable or temporary: id + https://bugs.webkit.org/show_bug.cgi?id=220714 + + Reviewed by Mark Lam. + + This patch fixes LLInt build when ENABLE(COMPUTED_GOTO_OPCODES) is false. + + * llint/LLIntData.h: + (JSC::LLInt::getOpcode): + (JSC::LLInt::getOpcodeWide16): + (JSC::LLInt::getOpcodeWide32): + (JSC::LLInt::getOpcodeAddress): + (JSC::LLInt::getOpcodeWide16Address): + (JSC::LLInt::getOpcodeWide32Address): + (JSC::LLInt::getCodePtr): + (JSC::LLInt::getWide16CodePtr): + (JSC::LLInt::getWide32CodePtr): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272330 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-02-03 Yusuke Suzuki + + [AppleWin 32bit][LLInt] LLIntData.h(104) : warning C4172: returning address of local variable or temporary: id + https://bugs.webkit.org/show_bug.cgi?id=220714 + + Reviewed by Mark Lam. + + This patch fixes LLInt build when ENABLE(COMPUTED_GOTO_OPCODES) is false. 
+
+ * llint/LLIntData.h:
+ (JSC::LLInt::getOpcode):
+ (JSC::LLInt::getOpcodeWide16):
+ (JSC::LLInt::getOpcodeWide32):
+ (JSC::LLInt::getOpcodeAddress):
+ (JSC::LLInt::getOpcodeWide16Address):
+ (JSC::LLInt::getOpcodeWide32Address):
+ (JSC::LLInt::getCodePtr):
+ (JSC::LLInt::getWide16CodePtr):
+ (JSC::LLInt::getWide32CodePtr):
+
+2021-02-08 Russell Epstein
+
+ Cherry-pick r272191. rdar://problem/74032517
+
+ Sign m_offset in AssemblerLabel
+ https://bugs.webkit.org/show_bug.cgi?id=221237
+
+ Reviewed by Mark Lam.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::labelForWatchpoint):
+ (JSC::ARM64Assembler::label):
+ (JSC::ARM64Assembler::getRelocatedAddress):
+ (JSC::ARM64Assembler::getDifferenceBetweenLabels):
+ (JSC::ARM64Assembler::getCallReturnOffset):
+ (JSC::ARM64Assembler::linkJump):
+ (JSC::ARM64Assembler::addressOf):
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::labelForWatchpoint):
+ (JSC::ARMv7Assembler::label):
+ (JSC::ARMv7Assembler::getRelocatedAddress):
+ (JSC::ARMv7Assembler::getDifferenceBetweenLabels):
+ (JSC::ARMv7Assembler::getCallReturnOffset):
+ (JSC::ARMv7Assembler::linkJump):
+ (JSC::ARMv7Assembler::linkCall):
+ (JSC::ARMv7Assembler::linkPointer):
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::Jump::link const):
+ (JSC::AbstractMacroAssembler::Jump::linkTo const):
+ * assembler/AssemblerBuffer.h:
+ (JSC::AssemblerLabel::AssemblerLabel):
+ (JSC::AssemblerLabel::operator=):
+ (JSC::AssemblerLabel::isSet const):
+ (JSC::AssemblerLabel::labelAtOffset const):
+ (JSC::AssemblerLabel::operator== const):
+ (JSC::AssemblerLabel::offset const):
+ (JSC::AssemblerLabel::setOffset):
+ * assembler/LinkBuffer.h:
+ (JSC::LinkBuffer::offsetOf):
+ (JSC::LinkBuffer::applyOffset):
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::labelForWatchpoint):
+ (JSC::MIPSAssembler::label):
+ (JSC::MIPSAssembler::getRelocatedAddress):
+ (JSC::MIPSAssembler::getDifferenceBetweenLabels):
+ (JSC::MIPSAssembler::getCallReturnOffset):
+ (JSC::MIPSAssembler::linkJump):
+ (JSC::MIPSAssembler::linkCall):
+ (JSC::MIPSAssembler::linkPointer):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::labelForWatchpoint):
+ (JSC::X86Assembler::label):
+ (JSC::X86Assembler::linkJump):
+ (JSC::X86Assembler::linkCall):
+ (JSC::X86Assembler::linkPointer):
+ (JSC::X86Assembler::getCallReturnOffset):
+ (JSC::X86Assembler::getRelocatedAddress):
+ (JSC::X86Assembler::getDifferenceBetweenLabels):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272191 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-02-01 Saam Barati
+
+ Sign m_offset in AssemblerLabel
+ https://bugs.webkit.org/show_bug.cgi?id=221237
+
+ Reviewed by Mark Lam.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::labelForWatchpoint):
+ (JSC::ARM64Assembler::label):
+ (JSC::ARM64Assembler::getRelocatedAddress):
+ (JSC::ARM64Assembler::getDifferenceBetweenLabels):
+ (JSC::ARM64Assembler::getCallReturnOffset):
+ (JSC::ARM64Assembler::linkJump):
+ (JSC::ARM64Assembler::addressOf):
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::labelForWatchpoint):
+ (JSC::ARMv7Assembler::label):
+ (JSC::ARMv7Assembler::getRelocatedAddress):
+ (JSC::ARMv7Assembler::getDifferenceBetweenLabels):
+ (JSC::ARMv7Assembler::getCallReturnOffset):
+ (JSC::ARMv7Assembler::linkJump):
+ (JSC::ARMv7Assembler::linkCall):
+ (JSC::ARMv7Assembler::linkPointer):
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::Jump::link const):
+ (JSC::AbstractMacroAssembler::Jump::linkTo const):
+ * assembler/AssemblerBuffer.h:
+ (JSC::AssemblerLabel::AssemblerLabel):
+ (JSC::AssemblerLabel::operator=):
+ (JSC::AssemblerLabel::isSet const):
+ (JSC::AssemblerLabel::labelAtOffset const):
+ (JSC::AssemblerLabel::operator== const):
+ (JSC::AssemblerLabel::offset const):
+ (JSC::AssemblerLabel::setOffset):
+ * assembler/LinkBuffer.h:
+ (JSC::LinkBuffer::offsetOf):
+ (JSC::LinkBuffer::applyOffset):
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::labelForWatchpoint):
+ (JSC::MIPSAssembler::label):
+ (JSC::MIPSAssembler::getRelocatedAddress):
+ (JSC::MIPSAssembler::getDifferenceBetweenLabels):
+ (JSC::MIPSAssembler::getCallReturnOffset):
+ (JSC::MIPSAssembler::linkJump):
+ (JSC::MIPSAssembler::linkCall):
+ (JSC::MIPSAssembler::linkPointer):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::labelForWatchpoint):
+ (JSC::X86Assembler::label):
+ (JSC::X86Assembler::linkJump):
+ (JSC::X86Assembler::linkCall):
+ (JSC::X86Assembler::linkPointer):
+ (JSC::X86Assembler::getCallReturnOffset):
+ (JSC::X86Assembler::getRelocatedAddress):
+ (JSC::X86Assembler::getDifferenceBetweenLabels):
+
+2021-02-08 Russell Epstein
+
+ Cherry-pick r271731. rdar://problem/74105559
+
+ [JSC] JSPromise should not propagate TerminatedExecutionError
+ https://bugs.webkit.org/show_bug.cgi?id=220820
+
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/terminated-execution-error-in-promise.js: Added.
+ (let.x.get toString):
+ (import.x.then):
+
+ Source/JavaScriptCore:
+
+ TerminatedExecutionError is uncatcheable exception to finish JS execution as soon as possible.
+ We should not propagate TerminatedExecutionError in JSPromise's rejection.
+ In this patch, we do not reject promise if exception is TerminatedExecutionError.
+
+ * API/JSAPIGlobalObject.mm:
+ (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
+ (JSC::JSAPIGlobalObject::moduleLoaderFetch):
+ * API/JSContext.mm:
+ (-[JSContext evaluateJSScript:]):
+ * jsc.cpp:
+ (GlobalObject::moduleLoaderImportModule):
+ (GlobalObject::moduleLoaderFetch):
+ (runWithOptions):
+ * runtime/Completion.cpp:
+ (JSC::rejectPromise):
+ (JSC::loadAndEvaluateModule):
+ (JSC::loadModule):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * runtime/JSModuleLoader.cpp:
+ (JSC::reject):
+ (JSC::JSModuleLoader::importModule):
+ (JSC::JSModuleLoader::resolve):
+ (JSC::JSModuleLoader::fetch):
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * wasm/js/JSWebAssembly.cpp:
+ (JSC::reject):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271731 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-01-21 Yusuke Suzuki
+
+ [JSC] JSPromise should not propagate TerminatedExecutionError
+ https://bugs.webkit.org/show_bug.cgi?id=220820
+
+
+ Reviewed by Mark Lam.
+
+ TerminatedExecutionError is uncatcheable exception to finish JS execution as soon as possible.
+ We should not propagate TerminatedExecutionError in JSPromise's rejection.
+ In this patch, we do not reject promise if exception is TerminatedExecutionError.
+ + * API/JSAPIGlobalObject.mm: + (JSC::JSAPIGlobalObject::moduleLoaderImportModule): + (JSC::JSAPIGlobalObject::moduleLoaderFetch): + * API/JSContext.mm: + (-[JSContext evaluateJSScript:]): + * jsc.cpp: + (GlobalObject::moduleLoaderImportModule): + (GlobalObject::moduleLoaderFetch): + (runWithOptions): + * runtime/Completion.cpp: + (JSC::rejectPromise): + (JSC::loadAndEvaluateModule): + (JSC::loadModule): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + * runtime/JSModuleLoader.cpp: + (JSC::reject): + (JSC::JSModuleLoader::importModule): + (JSC::JSModuleLoader::resolve): + (JSC::JSModuleLoader::fetch): + (JSC::JSC_DEFINE_HOST_FUNCTION): * wasm/js/JSWebAssembly.cpp: + (JSC::reject): -2019-07-15 Ryan Haddad +2021-02-08 Russell Epstein - Unreviewed, attempt to fix production builds after r247403. + Cherry-pick r271624. rdar://problem/74105183 - * JavaScriptCore.xcodeproj/project.pbxproj: + Unreviewed, fix GCC warnings + https://bugs.webkit.org/show_bug.cgi?id=220718 + + * dfg/DFGOperations.cpp: + (JSC::DFG::tierUpCommon): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271624 268f45cc-cd09-0410-ab3c-d52691b4dbfc -2019-07-15 Tadeu Zagallo + 2021-01-19 Yusuke Suzuki - Concurrent GC should not rely on current phase to determine if it's safe to steal conn - https://bugs.webkit.org/show_bug.cgi?id=199786 - + Unreviewed, fix GCC warnings + https://bugs.webkit.org/show_bug.cgi?id=220718 - Reviewed by Saam Barati. + * dfg/DFGOperations.cpp: + (JSC::DFG::tierUpCommon): - In r246507, we fixed a race condition in the concurrent GC where the mutator might steal - the conn from the collector thread while it transitions from the End phase to NotRunning. - However, that fix was not sufficient. 
In the case that the mutator steals the conn, and the - execution interleaves long enough for the mutator to progress to a different collection phase, - the collector will resume in a phase other than NotRunning, and hence the check added to - NotRunning will not suffice. To fix that, we add a new variable to track whether the collector - thread is running (m_collectorThreadIsRunning) and use it to determine whether it's safe to - steal the conn, rather than relying on m_currentPhase. +2021-02-08 Russell Epstein - * heap/Heap.cpp: - (JSC::Heap::runNotRunningPhase): - (JSC::Heap::requestCollection): - * heap/Heap.h: + Cherry-pick r271596. rdar://problem/74105183 -2019-07-12 Keith Miller + [JSC] FTL::prepareOSREntry can clear OSR entry CodeBlock if it is already invalidated + https://bugs.webkit.org/show_bug.cgi?id=220718 + + + Reviewed by Mark Lam. + + JSTests: + + * stress/ftl-osr-failure-clear-twice.js: Added. + (foo): + + Source/JavaScriptCore: + + FTL::prepareOSREntry can clear OSR entry CodeBlock if it is already invalidated. However, the caller is not assuming that, + and it calls clearOSREntryBlockAndResetThresholds again. And clearOSREntryBlockAndResetThresholds's assertion hit. + This patch correctly handles the invalidated case. + + * dfg/DFGOperations.cpp: + (JSC::DFG::tierUpCommon): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271596 268f45cc-cd09-0410-ab3c-d52691b4dbfc - Add API to get all the dependencies of a given JSScript - https://bugs.webkit.org/show_bug.cgi?id=199746 + 2021-01-18 Yusuke Suzuki - Reviewed by Saam Barati. + [JSC] FTL::prepareOSREntry can clear OSR entry CodeBlock if it is already invalidated + https://bugs.webkit.org/show_bug.cgi?id=220718 + - The method only returns the dependencies if the module was - actually evaluated. Technically, we know what the dependencies are - at the satisfy phase but for API simplicity we only provide that - information if the module graph was complete enough to at least - run. 
+ Reviewed by Mark Lam. - This patch also fixes an issue where we would allow import - specifiers that didn't start "./" or "/". For reference, We have - this restriction to be consistent with the web/node. The - restriction exists in order to preserve namespace for - builtin-modules. + FTL::prepareOSREntry can clear OSR entry CodeBlock if it is already invalidated. However, the caller is not assuming that, + and it calls clearOSREntryBlockAndResetThresholds again. And clearOSREntryBlockAndResetThresholds's assertion hit. + This patch correctly handles the invalidated case. - Lastly, this patch makes it so that we copy all scripts in the - API/tests/testapiScripts directory so they don't have to be - individually added to the xcode project. + * dfg/DFGOperations.cpp: + (JSC::DFG::tierUpCommon): - * API/JSAPIGlobalObject.mm: - (JSC::computeValidImportSpecifier): - (JSC::JSAPIGlobalObject::moduleLoaderResolve): - (JSC::JSAPIGlobalObject::moduleLoaderImportModule): - * API/JSContext.mm: - (-[JSContext dependencyIdentifiersForModuleJSScript:]): - * API/JSContextPrivate.h: - * API/JSScript.h: - * API/tests/testapi.mm: - (testFetchWithTwoCycle): - (testFetchWithThreeCycle): - (testModuleBytecodeCache): - (+[JSContextFileLoaderDelegate newContext]): - (-[JSContextFileLoaderDelegate fetchModuleScript:]): - (-[JSContextFileLoaderDelegate findScriptForKey:]): - (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]): - (testDependenciesArray): - (testDependenciesEvaluationError): - (testDependenciesSyntaxError): - (testDependenciesBadImportId): - (testDependenciesMissingImport): - (testObjectiveCAPI): - * API/tests/testapiScripts/dependencyListTests/badModuleImportId.js: Added. - * API/tests/testapiScripts/dependencyListTests/bar.js: Added. - * API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js: Added. - * API/tests/testapiScripts/dependencyListTests/foo.js: Added. 
- * API/tests/testapiScripts/dependencyListTests/missingImport.js: Added. - * API/tests/testapiScripts/dependencyListTests/referenceError.js: Added. - * API/tests/testapiScripts/dependencyListTests/syntaxError.js: Added. - * API/tests/testapiScripts/testapi-function-overrides.js: Renamed from Source/JavaScriptCore/API/tests/testapi-function-overrides.js. - * API/tests/testapiScripts/testapi.js: Renamed from Source/JavaScriptCore/API/tests/testapi.js. - * JavaScriptCore.xcodeproj/project.pbxproj: - * builtins/ModuleLoader.js: - (dependencyKeysIfEvaluated): - * runtime/JSModuleLoader.cpp: - (JSC::JSModuleLoader::dependencyKeysIfEvaluated): - * runtime/JSModuleLoader.h: - * shell/CMakeLists.txt: +2021-02-08 Russell Epstein -2019-07-12 Justin Michaud + Cherry-pick r271571. rdar://problem/74105245 - B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y)) - https://bugs.webkit.org/show_bug.cgi?id=196371 + [JSC] FTL OSR entry FlushFormat array is reversed + https://bugs.webkit.org/show_bug.cgi?id=220695 + + + Reviewed by Mark Lam. + + JSTests: + + * stress/ftl-osr-entry-order-reverse.js: Added. + (shouldThrow): + (foo): + + Source/JavaScriptCore: + + After r268783, FlushFormat array is erroneously sorted in reversed order. + This patch fixes that. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271571 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-17 Yusuke Suzuki + + [JSC] FTL OSR entry FlushFormat array is reversed + https://bugs.webkit.org/show_bug.cgi?id=220695 + + + Reviewed by Mark Lam. + + After r268783, FlushFormat array is erroneously sorted in reversed order. + This patch fixes that. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + +2021-02-02 Alan Coon + + Cherry-pick r271813. 
rdar://problem/73888012 + + Update availability annotations to match the macOS 11.0 and iOS 14.0 GM SDKs + https://bugs.webkit.org/show_bug.cgi?id=220874 + + + Reviewed by Darin Adler. + + Source/JavaScriptCore: + * API/JSContextPrivate.h: + * API/JSContextRefPrivate.h: + + Source/WebKit: + * UIProcess/API/Cocoa/WKContentWorld.h: + * UIProcess/API/Cocoa/WKError.h: + * UIProcess/API/Cocoa/WKFindConfiguration.h: + * UIProcess/API/Cocoa/WKFindResult.h: + * UIProcess/API/Cocoa/WKFrameInfoPrivate.h: + * UIProcess/API/Cocoa/WKHTTPCookieStorePrivate.h: + * UIProcess/API/Cocoa/WKNavigationDelegate.h: + * UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h: + * UIProcess/API/Cocoa/WKOpenPanelParametersPrivate.h: + * UIProcess/API/Cocoa/WKPDFConfiguration.h: + * UIProcess/API/Cocoa/WKPreferences.h: + * UIProcess/API/Cocoa/WKPreferencesPrivate.h: + * UIProcess/API/Cocoa/WKProcessPoolPrivate.h: + * UIProcess/API/Cocoa/WKScriptMessage.h: + * UIProcess/API/Cocoa/WKScriptMessageHandlerWithReply.h: + * UIProcess/API/Cocoa/WKUIDelegatePrivate.h: + * UIProcess/API/Cocoa/WKURLSchemeTaskPrivate.h: + * UIProcess/API/Cocoa/WKUserContentController.h: + * UIProcess/API/Cocoa/WKUserContentControllerPrivate.h: + * UIProcess/API/Cocoa/WKUserScript.h: + * UIProcess/API/Cocoa/WKUserScriptPrivate.h: + * UIProcess/API/Cocoa/WKWebView.h: + * UIProcess/API/Cocoa/WKWebViewConfiguration.h: + * UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h: + * UIProcess/API/Cocoa/WKWebViewPrivate.h: + * UIProcess/API/Cocoa/WKWebpagePreferences.h: + * UIProcess/API/Cocoa/WKWebpagePreferencesPrivate.h: + * UIProcess/API/Cocoa/WKWebsiteDataRecordPrivate.h: + * UIProcess/API/Cocoa/WKWebsiteDataStorePrivate.h: + * UIProcess/API/Cocoa/_WKDownload.h: + * UIProcess/API/Cocoa/_WKFrameTreeNode.h: + * UIProcess/API/Cocoa/_WKInputDelegate.h: + * UIProcess/API/Cocoa/_WKInspectorDebuggableInfo.h: + * UIProcess/API/Cocoa/_WKProcessPoolConfiguration.h: + * UIProcess/API/Cocoa/_WKResourceLoadDelegate.h: + * 
UIProcess/API/Cocoa/_WKResourceLoadInfo.h: + * UIProcess/API/Cocoa/_WKResourceLoadStatisticsFirstParty.h: + * UIProcess/API/Cocoa/_WKResourceLoadStatisticsThirdParty.h: + * UIProcess/API/Cocoa/_WKTextManipulationConfiguration.h: + * UIProcess/API/Cocoa/_WKTextManipulationExclusionRule.h: + * UIProcess/API/Cocoa/_WKTextManipulationItem.h: + * UIProcess/API/Cocoa/_WKTextManipulationToken.h: + * UIProcess/API/Cocoa/_WKUserContentWorld.h: + * UIProcess/API/Cocoa/_WKUserStyleSheet.h: + * UIProcess/API/Cocoa/_WKWebAuthenticationAssertionResponse.h: + * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.h: + * UIProcess/API/Cocoa/_WKWebsiteDataStoreConfiguration.h: + * UIProcess/API/Cocoa/_WKWebsitePolicies.h: + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271813 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-25 Chris Dumez + + Update availability annotations to match the macOS 11.0 and iOS 14.0 GM SDKs + https://bugs.webkit.org/show_bug.cgi?id=220874 + + + Reviewed by Darin Adler. + + * API/JSContextPrivate.h: + * API/JSContextRefPrivate.h: + +2021-02-02 Alan Coon + + Cherry-pick r271876. rdar://problem/73887844 + + Crash when remote inspecting in debug builds + https://bugs.webkit.org/show_bug.cgi?id=220956 + + + Reviewed by Devin Rousso. + + Convert RemoteConnectionToTarget from using BlockPtr<> to Function<> because BlockPtr<> + was triggering crashes which seem to be related to mixing ARC and non-ARC code. 
+ + * inspector/remote/RemoteConnectionToTarget.h: + * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: + (Inspector::RemoteTargetHandleRunSourceGlobal): + (Inspector::RemoteTargetQueueTaskOnGlobalQueue): + (Inspector::RemoteTargetHandleRunSourceWithInfo): + (Inspector::RemoteConnectionToTarget::dispatchAsyncOnTarget): + (Inspector::RemoteConnectionToTarget::setup): + (Inspector::RemoteConnectionToTarget::close): + (Inspector::RemoteConnectionToTarget::sendMessageToTarget): + (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop): + (Inspector::RemoteConnectionToTarget::takeQueue): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271876 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-25 Simon Fraser + + Crash when remote inspecting in debug builds + https://bugs.webkit.org/show_bug.cgi?id=220956 + + + Reviewed by Devin Rousso. + + Convert RemoteConnectionToTarget from using BlockPtr<> to Function<> because BlockPtr<> + was triggering crashes which seem to be related to mixing ARC and non-ARC code. + + * inspector/remote/RemoteConnectionToTarget.h: + * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: + (Inspector::RemoteTargetHandleRunSourceGlobal): + (Inspector::RemoteTargetQueueTaskOnGlobalQueue): + (Inspector::RemoteTargetHandleRunSourceWithInfo): + (Inspector::RemoteConnectionToTarget::dispatchAsyncOnTarget): + (Inspector::RemoteConnectionToTarget::setup): + (Inspector::RemoteConnectionToTarget::close): + (Inspector::RemoteConnectionToTarget::sendMessageToTarget): + (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop): + (Inspector::RemoteConnectionToTarget::takeQueue): + +2021-01-27 Yusuke Suzuki + + [JSC] Avoid using DirectCall when executable is wasm function + https://bugs.webkit.org/show_bug.cgi?id=221055 Reviewed by Keith Miller. - Adding these strength reductions gives 2x a (x86) and 3x (arm64) performance improvement - on the microbenchmark. 
+ This is a partial patch from https://bugs.webkit.org/show_bug.cgi?id=220339, which is reverted because of Facebook crash. + For now, we just avoid using DirectCall to wasm functions so that normal Call will be used, and it is efficient. This + patch avoids JetStream2 regression. - * b3/B3ReduceStrength.cpp: - * b3/testb3.cpp: - (JSC::B3::testSubSub): - (JSC::B3::testSubSub2): - (JSC::B3::testSubAdd): - (JSC::B3::testSubFirstNeg): - (JSC::B3::run): + * dfg/DFGOperations.cpp: + (JSC::DFG::JSC_DEFINE_JIT_OPERATION): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * jit/JITOperations.cpp: + (JSC::virtualForWithFunction): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::create): -2019-07-12 Caio Lima +2021-01-28 Alan Coon - [BigInt] Add ValueBitLShift into DFG - https://bugs.webkit.org/show_bug.cgi?id=192664 + Cherry-pick r271873. rdar://problem/73722521 - Reviewed by Saam Barati. + REGRESSION (r270874): Some React Native apps are reported broken on iOS + https://bugs.webkit.org/show_bug.cgi?id=220809 + + Reviewed by Saam Barati. + + Source/JavaScriptCore: + + r270874 fixed for/in shadowing issue by introducing an invariant: a property + returned by getOwn*PropertyNames() in DontEnumPropertiesMode::Exclude should be + reported as [[Enumerable]] by getOwnPropertySlot(). Otherwise, for/in skips the + property, which causes RN apps to break. + + Since there is no way to enforce this invariant for opaque API objects like + JSCallbackObject, this change skips [[Enumerable]] check for them by introducing + GetOwnPropertySlotMayBeWrongAboutDontEnum out of line type info flag. + + Also, this patch reverts JSCallbackObject::getOwnPropertySlot() changes of r270874 + that are no longer necessary and observable (via Object.getOwnPropertyDescriptor). 
+ + * API/JSCallbackObject.h: + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::getOwnPropertySlot): + * API/tests/testapiScripts/testapi.js: + * runtime/JSObject.cpp: + (JSC::JSObject::hasEnumerableProperty const): + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::getOwnPropertySlotMayBeWrongAboutDontEnum const): + + Source/WebCore: + + * bridge/runtime_object.h: + + Source/WebKit: + + * WebProcess/Plugins/Netscape/JSNPObject.h: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271873 268f45cc-cd09-0410-ab3c-d52691b4dbfc - This patch is splitting the `BitLShift` into `ArithBitLShift` and - `ValueBitLShift` to handle BigInt speculation more efficiently during - DFG and FTL layers. Following the same approach of other `ValueBitOps`, - `ValueBitLShift` handles Untyped and BigInt speculations, while - `ArithBitLShift` handles number and boolean operands and always results into - Int32. + 2021-01-25 Alexey Shvayka + + REGRESSION (r270874): Some React Native apps are reported broken on iOS + https://bugs.webkit.org/show_bug.cgi?id=220809 + + Reviewed by Saam Barati. + + r270874 fixed for/in shadowing issue by introducing an invariant: a property + returned by getOwn*PropertyNames() in DontEnumPropertiesMode::Exclude should be + reported as [[Enumerable]] by getOwnPropertySlot(). Otherwise, for/in skips the + property, which causes RN apps to break. + + Since there is no way to enforce this invariant for opaque API objects like + JSCallbackObject, this change skips [[Enumerable]] check for them by introducing + GetOwnPropertySlotMayBeWrongAboutDontEnum out of line type info flag. + + Also, this patch reverts JSCallbackObject::getOwnPropertySlot() changes of r270874 + that are no longer necessary and observable (via Object.getOwnPropertyDescriptor). 
+ + * API/JSCallbackObject.h: + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::getOwnPropertySlot): + * API/tests/testapiScripts/testapi.js: + * runtime/JSObject.cpp: + (JSC::JSObject::hasEnumerableProperty const): + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::getOwnPropertySlotMayBeWrongAboutDontEnum const): + +2021-01-25 Alan Coon + + Cherry-pick r271586. rdar://problem/73477459 + + [AppleWin 32bit] LLInt C Loop: LowLevelInterpreter.cpp(90,7): error C2653: 'WebConfig': is not a class or namespace name + https://bugs.webkit.org/show_bug.cgi?id=220405 + + Reviewed by Fujii Hironori. + + Add a missing #if ENABLE(UNIFIED_AND_FREEZABLE_CONFIG_RECORD). + + * llint/LowLevelInterpreter.cpp: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271586 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-18 Mark Lam + + [AppleWin 32bit] LLInt C Loop: LowLevelInterpreter.cpp(90,7): error C2653: 'WebConfig': is not a class or namespace name + https://bugs.webkit.org/show_bug.cgi?id=220405 + + Reviewed by Fujii Hironori. + + Add a missing #if ENABLE(UNIFIED_AND_FREEZABLE_CONFIG_RECORD). + + * llint/LowLevelInterpreter.cpp: + +2021-01-25 Alan Coon + + Cherry-pick r271422. rdar://problem/73477541 + + [JSC] Bypass OperationPtrTagging for JITCage verification for CallDOMGetter + https://bugs.webkit.org/show_bug.cgi?id=220564 + + Reviewed by Saam Barati. + + JSTests: + + * stress/domjit-getter2.js: Added. + (shouldBe): + (access): + + Source/JavaScriptCore: + + CustomAccessorPtrTag functions are not registered ones for JITCage since we are using C++ trampoline to invoke them. + However, we do not want to use this trampoline in x64 due to performance issue. So we would like to call these + functions directly from JIT while they are not registered (And this is OK in JITCage since they are called from trampoline). + In this patch we bypass OperationPtrTagging by using WTF::tagNativeCodePtrImpl directly for non JITCage case. 
+ + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::appendOperationCall): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::appendOperationCall): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): + (JSC::FTL::DFG::LowerDFGToB3::vmCall): + * ftl/FTLOutput.h: + (JSC::FTL::Output::operation): + * tools/JSDollarVM.cpp: + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271422 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-12 Yusuke Suzuki + + [JSC] Bypass OperationPtrTagging for JITCage verification for CallDOMGetter + https://bugs.webkit.org/show_bug.cgi?id=220564 + + Reviewed by Saam Barati. + + CustomAccessorPtrTag functions are not registered ones for JITCage since we are using C++ trampoline to invoke them. + However, we do not want to use this trampoline in x64 due to performance issue. So we would like to call these + functions directly from JIT while they are not registered (And this is OK in JITCage since they are called from trampoline). + In this patch we bypass OperationPtrTagging by using WTF::tagNativeCodePtrImpl directly for non JITCage case. + + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::appendOperationCall): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::appendOperationCall): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): + (JSC::FTL::DFG::LowerDFGToB3::vmCall): + * ftl/FTLOutput.h: + (JSC::FTL::Output::operation): + * tools/JSDollarVM.cpp: + +2021-01-25 Alan Coon + + Cherry-pick r271544. rdar://problem/73471591 + + [JSC] Clean up DFGPreciseLocalClobberize to avoid duplicate code + https://bugs.webkit.org/show_bug.cgi?id=220670 + + Reviewed by Filip Pizlo. + + This patch cleans up DFGPreciseLocalClobberize by extracting code to lambda to remove duplicate code. 
+ + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271544 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2021-01-15 Yusuke Suzuki + + [JSC] Clean up DFGPreciseLocalClobberize to avoid duplicate code + https://bugs.webkit.org/show_bug.cgi?id=220670 + + Reviewed by Filip Pizlo. + + This patch cleans up DFGPreciseLocalClobberize by extracting code to lambda to remove duplicate code. + + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + +2021-01-13 Russell Epstein + + Revert r270664. rdar://problem/73165685 + +2021-01-13 Russell Epstein + + Revert r270665. rdar://problem/73165685 + +2021-01-13 Russell Epstein + + Revert r270700. rdar://problem/73165685 + +2021-01-13 Russell Epstein + + Revert r270719. rdar://problem/73165685 + +2021-01-10 Yusuke Suzuki + + [JSC] JITCage's Gate mechanism is used in ARM64E even if JITCage is disable + https://bugs.webkit.org/show_bug.cgi?id=220500 + + Reviewed by Mark Lam. + + We should ensure that Gate mechanism just works even if ENABLE(JIT_CAGE) is OFF in ARM64E since + in LLInt we are always using Gate even if ENABLE(JIT_CAGE) is OFF. It makes LLInt code + significantly simpler: we do not want to have multiple implementations for ARM64E for ENABLE(JIT_CAGE) ON/OFF + in LLInt if it is not necessary in terms of performance. And it didn't cause performance regression. + So for simplicity, we are always using Gate in LLInt. + + However, when disabling ENABLE(JIT_CAGE), we accidentally disabled Gate mechanism too in LLInt. + It makes ARM64E broken if ENABLE(JIT_CAGE) is OFF. This patch makes Gate work even if ENABLE(JIT_CAGE) is OFF, + and this is the expected design. 
+ + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::setFunctionEntrypoint): + (JSC::LLInt::setEvalEntrypoint): + (JSC::LLInt::setProgramEntrypoint): + (JSC::LLInt::setModuleProgramEntrypoint): + * llint/LLIntThunks.cpp: + * llint/LLIntThunks.h: + +2021-01-08 Alexey Shvayka + + Implement @copyDataProperties in C++ to optimize object rest / spread + https://bugs.webkit.org/show_bug.cgi?id=193618 + + Reviewed by Yusuke Suzuki. + + Since @copyDataProperties is inherently polymorphic, implementing it in JS is not beneficial. + This patch: + + 1. Merges almost identical @copyDataProperties variants and moves them to C++, avoiding + allocations of JSArray instances and Identifier wrappers. + 2. Skips non-observable [[Get]] calls, leveraging `slot.isTaintedByOpaqueObject()`. + 3. Performs [[DefineOwnProperty]] via putDirectMayBeIndex(), since the spec guarantees + property creation to be successful [1]: `target` is an newly created object that is + not yet accessible to userland code. It's impossible for `target` to be non-extensible + nor have a non-configurable property. + 4. Introduces a fast path similar to Object.assign, but: + a) with no checks on `target`, because it's guaranteed to be an extensible JSFinalObject; + b) with less checks on `source`, since we are performing putDirect() and don't care about + read-only properties nor __proto__. + + Altogether, these changes result in 3.1x speed-up for object rest / spread. + Also, this patch removes unnecessary `target` return and @isObject check. + + [1]: https://tc39.es/ecma262/#sec-copydataproperties (step 6.c.ii.2, note the "!" prefix) + + * builtins/BuiltinNames.h: + * builtins/GlobalOperations.js: + (globalPrivate.speciesConstructor): + (globalPrivate.copyDataProperties): Deleted. + (globalPrivate.copyDataPropertiesNoExclusions): Deleted. 
+ * bytecode/BytecodeIntrinsicRegistry.h: + * bytecode/LinkTimeConstant.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ObjectPatternNode::bindValue const): + (JSC::ObjectSpreadExpressionNode::emitBytecode): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_defineEnumerableWritableConfigurableDataProperty): Deleted. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::canPerformFastPropertyEnumerationForCopyDataProperties): + (JSC::JSC_DEFINE_HOST_FUNCTION): + * runtime/JSGlobalObjectFunctions.h: + +2021-01-08 Yusuke Suzuki + + [JSC] Disable JITCage compile time in old iOS + https://bugs.webkit.org/show_bug.cgi?id=220477 + + Reviewed by Darin Adler. + + * runtime/Gate.h: This is required in LLInt ARM64E. + * runtime/Options.cpp: + +2021-01-08 Alexey Proskuryakov + + JavaScriptCore API headers contain project style includes + https://bugs.webkit.org/show_bug.cgi?id=220449 + rdar://problem/71493605 + + Reviewed by Yusuke Suzuki. + + * API/JSStringRefCF.h: + * API/JavaScriptCore.h: + +2021-01-08 Alexey Shvayka + + for/in over a Proxy should not call [[GetOwnProperty]] trap twice per property + https://bugs.webkit.org/show_bug.cgi?id=189034 + + Reviewed by Yusuke Suzuki. + + Although the spec [1] doesn't normatively require calling [[GetOwnProperty]] + only once per property, this is what V8 and SpiderMonkey do. + + Since [[Enumerable]] property attribute is checked by has_enumerable_property + bytecode op, this patch avoids another observable [[GetOwnProperty]] call + by using DontEnumPropertiesMode::Include exclusively for Proxy objects. + + A side effect of this change: if a property becomes [[Enumerable]] after + [[OwnPropertyKeys]] trap was called, it will be enumerated, which matches + the spec [2] and developer expectations. + + This patch advances provided microbenchmark by 100%. 
+ + [1]: https://tc39.es/ecma262/#sec-enumerate-object-properties + [2]: https://tc39.es/ecma262/#sec-%foriniteratorprototype%.next (step 7.b.iii) + + * runtime/JSPropertyNameEnumerator.cpp: + (JSC::getEnumerablePropertyNames): + +2021-01-08 Yusuke Suzuki + + Unreviewed, add missing scope.release() in JSModuleNamespaceObject + https://bugs.webkit.org/show_bug.cgi?id=220465 + + * runtime/JSModuleNamespaceObject.cpp: + (JSC::JSModuleNamespaceObject::getOwnPropertyNames): + +2021-01-08 Dmitry Bezhetskov + + [WASM-References] Add optional default value parameter for Table.constructor, Table.grow and Table.set + https://bugs.webkit.org/show_bug.cgi?id=220323 + + Reviewed by Yusuke Suzuki. + + Introduce the new optional parameter "defaultValue" for Table.grow(numOfElementsToAdd, [defaultValue]). + It is used to initialize newly added table elements. + Introduce the new optional parameter "defaultValue" for Table({initial: N, element:type}, [defaultValue]). + After Table is created we append initial times defaultValue to table if it is present. + Also add type check for funcref's table for Table.grow, Table ctor and Table.set. + Spec: https://webassembly.github.io/reference-types/js-api/index.html#tables. + + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::grow): + * wasm/WasmTable.h: + (JSC::Wasm::Table::isFuncrefTable const): + * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::grow): + * wasm/js/JSWebAssemblyTable.h: + * wasm/js/WebAssemblyTableConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + * wasm/js/WebAssemblyTablePrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + +2021-01-08 Yusuke Suzuki + + [JSC] AtomicsIsLockFree's AI result is wrong + https://bugs.webkit.org/show_bug.cgi?id=220452 + + + Reviewed by Mark Lam. + + The result type should be SpecBoolean. This leads to FTL unreachable in the test code. 
- * bytecode/BytecodeList.rb: - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finishCreation): - * bytecode/Opcode.h: - * dfg/DFGAbstractInterpreter.h: * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::handleConstantBinaryBitwiseOp): (JSC::DFG::AbstractInterpreter::executeEffects): - We moved `BitLShift` constant fold rules to a new method - `handleConstantBinaryBitwiseOp` to be reused by `ArithBitLShift` and - `ValueBitLShift`. This also enables support of constant folding on other - bitwise operations like `ValueBitAnd`, `ValueBitOr` and `ValueBitXor`, when - their binary use kind is UntypedUse. Such cases can happen on those - nodes because fixup phase is conservative. +2021-01-07 Yusuke Suzuki - * dfg/DFGBackwardsPropagationPhase.cpp: - (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo): - (JSC::DFG::BackwardsPropagationPhase::propagate): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): - (JSC::DFG::ByteCodeParser::parseBlock): + [JSC] DFG/FTL Atomics should assume non-typed-array input with storage-edge + https://bugs.webkit.org/show_bug.cgi?id=220451 + - We parse `op_lshift` as `ArithBitLShift` when its operands are numbers. - Otherwise, we fallback to `ValueBitLShift` and rely on fixup phase to - convert `ValueBitLShift` into `ArithBitLShift` when possible. + Reviewed by Mark Lam. - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - - `ArithBitLShift` has the same clobberize rules as former `BitLShift`. - `ValueBitLShift` only clobberize world when it is UntypedUse. - - * dfg/DFGDoesGC.cpp: - (JSC::DFG::doesGC): - - `ValueBitLShift` can GC when `BigIntUse` because it allocates new - JSBigInts to perform this operation. It also can GC on UntypedUse - because of observable user code. + Atomics implementation assumed that it only gets TypedArray via checkArray filter if storage-edge exists. But this is wrong. + String and the other cases can put storage-edge while it is not TypedArray. 
We should check whether this is one of TypedArray, + and if it is not, we should make it generic one instead of using fast TypedArray path. + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::isOneOfTypedArrayView const): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): - `ValueBitLShift` and `ArithBitLShift` has the same fixup rules of - other binary bitwise operations. In the case of `ValueBitLShift` - We check if we should speculate on BigInt or Untyped and fallback to - `ArithBitLShift` when both cheks fail. +2021-01-07 Mark Lam + Work around Clang bug in __builtin_return_address(). + https://bugs.webkit.org/show_bug.cgi?id=220432 + rdar://71648468 + + Reviewed by Yusuke Suzuki. + + Clang's __builtin_return_address() currently sometimes returns a PAC signed pointer + and sometimes not. This patch works around that by always ensuring that the pointer + is not signed. + + Also changed the ReturnAddressPtr to store a signed pointer. + + * assembler/MacroAssemblerCodeRef.h: + (JSC::ReturnAddressPtr::ReturnAddressPtr): + (JSC::ReturnAddressPtr::untaggedValue const): + (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): + * interpreter/AbstractPC.h: + (JSC::AbstractPC::AbstractPC): + * interpreter/CallFrame.h: + * jit/JIT.cpp: + (JSC::ctiPatchCallByReturnAddress): + * jit/JITOpcodes.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITOperations.cpp: + (JSC::JSC_DEFINE_JIT_OPERATION): + (JSC::unprofiledMul): Deleted. + (JSC::profiledMul): Deleted. + (JSC::unprofiledSub): Deleted. + (JSC::profiledSub): Deleted. 
+ * jit/JITPropertyAccess.cpp: + (JSC::JIT::privateCompilePutByVal): + (JSC::JIT::privateCompilePutPrivateNameWithCachedId): + (JSC::JIT::privateCompilePutByValWithCachedId): + * runtime/JSCPtrTag.h: + +2021-01-07 Alexey Shvayka + + [JSC] Simplify get*PropertyNames() methods and EnumerationMode + https://bugs.webkit.org/show_bug.cgi?id=212954 + + Reviewed by Yusuke Suzuki. + + Before this change, [[OwnPropertyKeys]] overrides were sometimes implemented + inconsistently, via different get*PropertyNames() methods that duplicated logic + (e.g. ErrorInstance, RegExpObject, and StringObject). + + This patch: + + 1. Introduces a clear convention to implement [[OwnPropertyKeys]] overrides: + if it's defined by the spec, getOwnPropertyNames() method is used; otherwise, + non-materialized properties are enumerated / reified in getOwnSpecialPropertyNames(). + While no class should define both methods, we don't assert this to support inheritance. + + Removes getOwnNonIndexPropertyNames() from the method table and converts it to instance + method; its overrides were renamed to getOwnSpecialPropertyNames() and exempted from + calling the no-op base method. + + This approach was chosen, instead of getOwnNonIndexPropertyNames() override, because + for/in enumeration must be sure there are no enumerable properties between + getEnumerableLength() and the first structure property. + + Also, removes getStructurePropertyNames() from the method table as it's unreasonable + to override it. + + 2. Extracts JSObject::getOwnIndexPropertyNames() instance method to enforce + correct enumeration order in getOwnPropertyNames() overrides: special indices => + butterfly storage => special properties => non-reified static => structure properties. + + Loose mode `arguments` were fixed to enumerate indices from butterfly storage before + special properties [1], aligning JSC with V8 and SpiderMonkey. + + 3. 
Reworks for/in enumeration so the special properties always come before structure ones, + aligning enumeration order of String objects [2] and typed arrays [3] that have expando + properties with the spec, V8, and SpiderMonkey. + + Removes getPropertyNames() and getGenericPropertyNames() from the method table, along + with their overrides, because ES7 disabled customization of for/in enumeration [4]. + Instead, JSObject::getPropertyNames() instance method and getEnumerablePropertyNames() + are introduced, featuring a loop instead of recursion. + + Also, this enabled dropping hard-to-follow JSObjectPropertiesMode bit and simplifying + EnumerationMode to an enum. + + for/in and Object.keys microbenchmarks are neutral. This change does not affect + JSPropertyNameEnumerator caching, nor fast paths of its bytecodes. + + [1]: https://tc39.es/ecma262/#sec-createmappedargumentsobject (steps 15-16 and 20-21) + [2]: https://tc39.es/ecma262/#sec-string-exotic-objects-ownpropertykeys + [3]: https://tc39.es/ecma262/#sec-integer-indexed-exotic-objects-ownpropertykeys + [4]: https://github.com/tc39/ecma262/pull/367 + + * API/JSAPIValueWrapper.h: + Remove OverridesAnyFormOfGetPropertyNames structure flag as it should never be queried + from JSCell instances. + + * API/JSCallbackObject.h: + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::getOwnSpecialPropertyNames): + (JSC::JSCallbackObject::getOwnNonIndexPropertyNames): Deleted. + * API/JSObjectRef.cpp: + (JSObjectCopyPropertyNames): + * bindings/ScriptValue.cpp: + (Inspector::jsToInspectorValue): + * bytecode/ObjectAllocationProfileInlines.h: + (JSC::ObjectAllocationProfileBase::possibleDefaultPropertyCount): + Use DontEnumPropertyMode::Include as the intent is to count all properties, even + private symbols. EnumerationMode() defaults did exclude non-enumerable properties. 
+ + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::getOwnPropertyNames): + * debugger/DebuggerScope.h: + * runtime/ClassInfo.h: + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::getOwnSpecialPropertyNames): + Don't materialize DontEnum properties unless it's DontEnumPropertiesMode::Include, + advancing provided microbenchmark by ~23%. + + (JSC::ClonedArguments::getOwnPropertyNames): Deleted. + * runtime/ClonedArguments.h: + * runtime/EnumerationMode.h: + Explicitly specify enum type to reduce its size. + + (JSC::EnumerationMode::EnumerationMode): Deleted. + (JSC::EnumerationMode::includeDontEnumProperties): Deleted. + (JSC::EnumerationMode::includeJSObjectProperties): Deleted. + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::getOwnSpecialPropertyNames): + Don't materialize DontEnum properties unless it's DontEnumPropertiesMode::Include, + advancing provided microbenchmark by a factor of 5. + + (JSC::ErrorInstance::getOwnNonIndexPropertyNames): Deleted. + (JSC::ErrorInstance::getStructurePropertyNames): Deleted. + * runtime/ErrorInstance.h: + * runtime/GenericArguments.h: + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::getOwnPropertyNames): + * runtime/JSArray.cpp: + (JSC::JSArray::getOwnSpecialPropertyNames): + (JSC::JSArray::getOwnNonIndexPropertyNames): Deleted. + * runtime/JSArray.h: + * runtime/JSCell.cpp: + (JSC::JSCell::getOwnPropertyNames): + (JSC::JSCell::getOwnSpecialPropertyNames): + (JSC::JSCell::getOwnNonIndexPropertyNames): Deleted. + (JSC::JSCell::getPropertyNames): Deleted. + (JSC::JSCell::getStructurePropertyNames): Deleted. + (JSC::JSCell::getGenericPropertyNames): Deleted. + * runtime/JSCell.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::getOwnSpecialPropertyNames): + (JSC::JSFunction::getOwnNonIndexPropertyNames): Deleted. 
+ * runtime/JSFunction.h: + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::getOwnPropertyNames): + * runtime/JSGlobalObject.h: + Remove OverridesAnyFormOfGetPropertyNames structure flag as it's inherited from + JSSymbolTableObject, and JSGlobalObject itself doesn't override getOwn*PropertyNames(). + + * runtime/JSLexicalEnvironment.cpp: + (JSC::JSLexicalEnvironment::getOwnSpecialPropertyNames): + (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): Deleted. + * runtime/JSLexicalEnvironment.h: + * runtime/JSModuleEnvironment.cpp: + (JSC::JSModuleEnvironment::getOwnSpecialPropertyNames): + (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames): Deleted. + * runtime/JSModuleEnvironment.h: + * runtime/JSModuleNamespaceObject.cpp: + (JSC::JSModuleNamespaceObject::getOwnPropertyNames): + Call getOwnNonIndexPropertyNames() directly, guarded by includeSymbolProperties() check, + since module namespace objects can't have string properties besides m_names. + (See https://tc39.es/ecma262/#sec-module-namespace-exotic-objects-defineownproperty-p-desc) + + * runtime/JSModuleNamespaceObject.h: + * runtime/JSONObject.cpp: + (JSC::Stringifier::Holder::appendNextProperty): + (JSC::Walker::walk): + * runtime/JSObject.cpp: + (JSC::JSObject::getNonReifiedStaticPropertyNames): + (JSC::JSObject::getPropertyNames): + (JSC::JSObject::getOwnPropertyNames): + (JSC::JSObject::getOwnSpecialPropertyNames): + (JSC::JSObject::getOwnIndexedPropertyNames): + (JSC::JSObject::getOwnNonIndexPropertyNames): + (JSC::getClassPropertyNames): Deleted. + (JSC::JSObject::getStructurePropertyNames): Deleted. + (JSC::JSObject::getGenericPropertyNames): Deleted. 
+ * runtime/JSObject.h: + (JSC::JSObject::getOwnSpecialPropertyNames): + * runtime/JSPropertyNameEnumerator.cpp: + (JSC::getEnumerablePropertyNames): + * runtime/JSPropertyNameEnumerator.h: + (JSC::propertyNameEnumerator): + * runtime/JSProxy.cpp: + (JSC::JSProxy::getOwnPropertyNames): + (JSC::JSProxy::getPropertyNames): Deleted. + (JSC::JSProxy::getStructurePropertyNames): Deleted. + (JSC::JSProxy::getGenericPropertyNames): Deleted. + * runtime/JSProxy.h: + * runtime/JSSymbolTableObject.cpp: + (JSC::JSSymbolTableObject::getOwnSpecialPropertyNames): + (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): Deleted. + * runtime/JSSymbolTableObject.h: + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::overridesGetOwnPropertyNames const): + (JSC::TypeInfo::overridesGetOwnSpecialPropertyNames const): + (JSC::TypeInfo::overridesAnyFormOfGetOwnPropertyNames const): + (JSC::TypeInfo::overridesGetPropertyNames const): Deleted. + (JSC::TypeInfo::overridesAnyFormOfGetPropertyNames const): Deleted. + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorGetOwnPropertyDescriptors): + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::defineProperties): + (JSC::setIntegrityLevel): + (JSC::testIntegrityLevel): + (JSC::ownPropertyKeys): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performGetOwnPropertyNames): + (JSC::ProxyObject::getOwnPropertyNames): + (JSC::ProxyObject::getPropertyNames): Deleted. + (JSC::ProxyObject::getOwnNonIndexPropertyNames): Deleted. + (JSC::ProxyObject::getStructurePropertyNames): Deleted. + (JSC::ProxyObject::getGenericPropertyNames): Deleted. + * runtime/ProxyObject.h: + Remove IsQuickPropertyAccessAllowedForEnumeration flag from ProxyObject's structure + since canAccessPropertiesQuicklyForEnumeration() now checks for method overrides. + + * runtime/RegExpObject.cpp: + (JSC::RegExpObject::getOwnSpecialPropertyNames): + (JSC::RegExpObject::getOwnNonIndexPropertyNames): Deleted. + (JSC::RegExpObject::getPropertyNames): Deleted. 
+ (JSC::RegExpObject::getGenericPropertyNames): Deleted. + * runtime/RegExpObject.h: + * runtime/StringObject.cpp: + (JSC::StringObject::getOwnPropertyNames): + (JSC::StringObject::getOwnNonIndexPropertyNames): Deleted. + * runtime/StringObject.h: + * runtime/Structure.cpp: + (JSC::Structure::validateFlags): + Strengthen overridesGetOwn*PropertyNames and overridesGetPrototype asserts into + equivalence tests. + + (JSC::Structure::getPropertyNamesFromStructure): + (JSC::Structure::canAccessPropertiesQuicklyForEnumeration const): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::canCacheOwnPropertyNames const): + * tools/JSDollarVM.cpp: + Remove OverridesAnyFormOfGetPropertyNames structure flag as it's inherited from + JSArray, and RuntimeArray itself doesn't override getOwn*PropertyNames(). + +2021-01-07 Yusuke Suzuki + + [JSC] New expression and value function call should reserve function register if arguments include assignments + https://bugs.webkit.org/show_bug.cgi?id=220429 + + + Reviewed by Alexey Shvayka. + + If the following code is executed, we need to reserve |x| before evaluating arguments since arguments can override + local |x| variable before calling it. + + new x(x = 1) + + We found there are two places we are not doing this. + + 1. new expression + 2. function value call (it is checking `isLocation()`, but we can still use local variables for function if we use comma expression) + + We introduced hasAssignment flag to ArgumentsNode, and reserve a function in a new temporary register if arguments include assignments. + We also need to increment assignmentCount in destructuring assignment. 
+ + * bytecompiler/NodesCodegen.cpp: + (JSC::NewExprNode::emitBytecode): + (JSC::FunctionCallValueNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createArguments): + * parser/NodeConstructors.h: + (JSC::ArgumentsNode::ArgumentsNode): + * parser/Nodes.h: + * parser/Parser.cpp: + (JSC::Parser::parseDestructuringPattern): + (JSC::Parser::parseArguments): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createArguments): + +2021-01-07 Mark Lam + + The scratch register should be different from the target register when calling validateUntaggedPtr. + https://bugs.webkit.org/show_bug.cgi?id=220397 + rdar://72771069 + + Reviewed by Yusuke Suzuki. + + * assembler/MacroAssemblerARM64E.h: + (JSC::MacroAssemblerARM64E::validateUntaggedPtr): + - Added an ASSERT to enforce this invariant. + * jit/ThunkGenerators.cpp: + (JSC::emitPointerValidation): + - emitPointerValidation() was reusing the target register as the scratch register. + This is a hold over from the previous way of doing the validation (which had a + bug). With the validation bug fixed, this register reuse is no longer allowed. + +2021-01-07 Mark Lam + + Remove some aliases of obsolete JSC options. + https://bugs.webkit.org/show_bug.cgi?id=220402 + + Reviewed by Yusuke Suzuki. + + * runtime/OptionsList.h: + +2021-01-06 Mark Lam + + Fix a dataMemoryTempRegister use violation in FTLLowerDFGToB3's compileLoopHint(). + https://bugs.webkit.org/show_bug.cgi?id=220399 + + Reviewed by Yusuke Suzuki. + + This was tripping an assertion failure on the invalid use of the dataMemoryTempRegister + during a Debug build JSC stress test run with DoesGC validation enabled. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint): + +2021-01-06 Yusuke Suzuki + + [JSC] DateTimeFormat#formatRange should generate the same output to DateTimeFormat#format if startDate and endDate are "practically-equal" + https://bugs.webkit.org/show_bug.cgi?id=220395 + + Reviewed by Ross Kirsling. 
+ + Intl.DateTimeFormat.formatRange(startDate, endDate) also needs to generate the same formatted string to the Intl.DateTimeFormat.format + if startDate and endDate are *practically-equal* (spec term). However, due to CLDR, just using udtitvfmt_format generates different + formatted string to udat_format's result even though startDate and endDate are the same. + + new Intl.DateTimeFormat("en", { dateStyle: "long", timeStyle: "short" }).format(new Date()) + // "December 12, 2019 at 11:48 AM" + new Intl.DateTimeFormat("en", { dateStyle: "long", timeStyle: "short" }).formatRange(new Date(), new Date()) + // "December 12, 2019, 11:48 AM" + + In Intl.DateTimeFormat#formatRangeToParts, we deploys *practically-equal* checking to avoid this issue. The same thing should be done in + Intl.DateTimeFormat#formatRange too. + + In this patch, we stop using udtitvfmt_format if ICU version is 64 or later to perform *practically-equal* checking. + + [1]: https://github.com/tc39/proposal-intl-DateTimeFormat-formatRange/issues/19 + + * runtime/IntlDateTimeFormat.cpp: + (JSC::formattedValueFromDateRange): + (JSC::dateFieldsPracticallyEqual): + (JSC::IntlDateTimeFormat::formatRange): + (JSC::IntlDateTimeFormat::formatRangeToParts): + (JSC::definitelyAfterGregorianCalendarChangeDate): Deleted. + +2021-01-06 Yusuke Suzuki + + [JSC] Replace JSBigInt::toUint64 with JSBigInt::toBigUInt64 + https://bugs.webkit.org/show_bug.cgi?id=220378 + + Reviewed by Darin Adler. + + This patch replaces JSBigInt::toUint64 with JSBigInt::toBigUInt64. + Rough purposes of these functions are the same, and JSBigInt::toBigUInt64 + has the semantics defined in the ECMA262 spec. While the behavior is + slightly different[1], this difference does not matter for the clients of + JSBigInt::toUint64. + + [1]: JSBigInt::toUint64 fails conversion if JSBigInt is out of range of uint64_t, + while JSBigInt::toBigUInt64 always generates uint64_t by computing mod UINT64_MAX. 
+ + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::toUint64Heap): Deleted. + * runtime/JSBigInt.h: + +2021-01-05 Yusuke Suzuki + + [WASM] [BigInt] Add I64 to BigInt conversion + https://bugs.webkit.org/show_bug.cgi?id=213528 + + Reviewed by Michael Saboff. + + This patch implements i64 to BigInt / BigInt to i64 support in WebAssembly to expose i64 features to JS. + + 1. Arguments of exposed wasm functions can have i64. + 2. Returned values of exposed wasm functions can have i64. + 3. WebAssembly.Global can expose i64 value to JS. + + Currently, we do not support fast JS->Wasm IC for wasm functions including i64 arguments. But this should be supported later + in https://bugs.webkit.org/show_bug.cgi?id=220053. + + * jsc.cpp: + (JSC_DEFINE_HOST_FUNCTION): + * runtime/BigIntConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::toBigInt): Deleted. + * runtime/BigIntConstructor.h: + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::toBigUInt64Heap): + * runtime/JSBigInt.h: + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toBigInt const): + (JSC::JSValue::toBigInt64 const): + (JSC::JSValue::toBigUInt64 const): + * runtime/JSCJSValue.h: + * wasm/WasmExceptionType.h: + * wasm/WasmGlobal.cpp: + (JSC::Wasm::Global::get const): + (JSC::Wasm::Global::set): + * wasm/WasmGlobal.h: + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmOperations.h: + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::marshallJSResult): + (JSC::Wasm::createJSToWasmWrapper): + (JSC::Wasm::boxWasmResult): Deleted. + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + (JSC::Wasm::handleBadI64Use): Deleted. 
+ * wasm/js/WebAssemblyFunction.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + * wasm/js/WebAssemblyGlobalConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + * wasm/js/WebAssemblyGlobalPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + +2021-01-05 Alexey Shvayka + + We should have a DFG intrinsic for the construct case of the Object constructor + https://bugs.webkit.org/show_bug.cgi?id=155591 + + Reviewed by Yusuke Suzuki. + + Given that a) ObjectConstructor behaves identically for [[Call]] and [[Construct]] with itself + as NewTarget [1] and b) handleConstantInternalFunction() returns early if NewTarget is altered, + this patch simply removes CodeForCall guard. + + While `new Object()` is already optimized via BytecodeGenerator::emitExpectedFunctionSnippet(), + this change is a 4x speedup for rather rare usages like `new window.Object()`. + + [1]: https://tc39.es/ecma262/#sec-object-value (step 1) + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + +2021-01-05 Dmitry Bezhetskov + + [WASM-References] Added few unreached-invalid tests + https://bugs.webkit.org/show_bug.cgi?id=220311 + + Reviewed by Yusuke Suzuki. + + Add semantic checks for parsing unreachable for the following intructions: + local.get/set.tee, global.get/set, br/br_if and call. + + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseIndexForLocal): + (JSC::Wasm::FunctionParser::parseIndexForGlobal): + (JSC::Wasm::FunctionParser::parseFunctionIndex): + (JSC::Wasm::FunctionParser::parseBranchTarget): + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + +2020-12-16 Tadeu Zagallo + + propertyNameEnumerator must check it can still take the fast path after getGenericPropertyNames + https://bugs.webkit.org/show_bug.cgi?id=219957 + + + Reviewed by Yusuke Suzuki. 
+ + We need to check if we still `canAccessPropertiesQuicklyForEnumeration` on + `structureAfterGettingPropertyNames`, since we might call out out to a proxy's + `getPrototypeOf` callback through `getGenericPropertyNames`. + + * runtime/JSPropertyNameEnumerator.h: + (JSC::propertyNameEnumerator): + +2020-11-17 Tadeu Zagallo + + Validate every instruction in AssemblerBuffer + https://bugs.webkit.org/show_bug.cgi?id=218104 + + + Reviewed by Saam Barati. + + * assembler/AssemblerBuffer.cpp: + (JSC::threadSpecificAssemblerHashes): + * assembler/AssemblerBuffer.h: + (JSC::AssemblerBuffer::AssemblerBuffer): + (JSC::AssemblerBuffer::~AssemblerBuffer): + (JSC::AssemblerBuffer::releaseAssemblerData): + (JSC::AssemblerBuffer::releaseAssemblerHashes): + (JSC::AssemblerBuffer::putIntegralUnchecked): + (JSC::AssemblerBuffer::grow): + (JSC::AssemblerBuffer::outOfLineGrow): + (JSC::ARM64EHash::update): Deleted. + (JSC::ARM64EHash::finalHash const): Deleted. + (): Deleted. + (JSC::AssemblerBuffer::hash const): Deleted. + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + * assembler/LinkBuffer.h: + +2021-01-04 Dmitry Bezhetskov + + [WASM-References] Fix data section parsing and add more tests from ref-types + https://bugs.webkit.org/show_bug.cgi?id=220235 + + Reviewed by Yusuke Suzuki. + + We should read leb128 unsigned integer instead of just one byte for + Data entry flag. + + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseData): + +2021-01-04 Jeff Miller + + Update user-visible copyright strings to include 2021 + https://bugs.webkit.org/show_bug.cgi?id=219901 + + Reviewed by Anders Carlsson. + + * Info.plist: + +2021-01-01 Yusuke Suzuki + + [JSC] Remove unnecessary mov bytecodes when performing simple object pattern destructuring to variables + https://bugs.webkit.org/show_bug.cgi?id=220219 + + Reviewed by Alexey Shvayka. 
+ + Currently, we are first puts object pattern's expression into temporary variable, and then, we store it into local variable register. + + The following code + + ({ data } = object); + + emits this kind of bytecode. + + get_by_id dst:loc10, base:loc9, property:0 + mov dst:loc6, src:loc10 + + However, this should be + + get_by_id dst:loc6, base:loc9, property:0 + + We are emitting many unnecessary movs since this destructuring pattern is common. Increasing amount of mov (1) discourages inlining unnecessarily and (2) simply makes + bytecode memory large. Since this is very common pattern, we should carefully optimize it to remove such unnecessary movs. + + This patch looks into pattern when performing object pattern destructuring. And avoid emitting mov when it is possible. There are some cases we cannot remove movs, so + this patch's writableDirectBindingIfPossible looks into whether this is possible (& profitable). + + * bytecompiler/NodesCodegen.cpp: + (JSC::ObjectPatternNode::bindValue const): + (JSC::BindingNode::writableDirectBindingIfPossible const): + (JSC::BindingNode::finishDirectBindingAssignment const): + (JSC::AssignmentElementNode::writableDirectBindingIfPossible const): + (JSC::AssignmentElementNode::finishDirectBindingAssignment const): + * parser/Nodes.h: + (JSC::DestructuringPatternNode::writableDirectBindingIfPossible const): + (JSC::DestructuringPatternNode::finishDirectBindingAssignment const): + +2021-01-02 Alexey Shvayka + + Improve error message for uninitialized |this| in derived constructor + https://bugs.webkit.org/show_bug.cgi?id=220221 + + Reviewed by Yusuke Suzuki. 
+ + Since class constructors perform `return this;` by default, and derived + constructors require `super()` to be called before |this| access, regular + TDZ error message is quite confusing, given the following code: + + `new (class extends Object { constructor() { } });` + + Considering that currently op_check_tdz is called on thisRegister() only + in derived constructors, this patch modifies its slow path to throw a + helpful error message that covers |this| access and non-object returns. + + V8 and SpiderMonkey have similar error messages, mentioning `super()`. + + slow_path_throw_tdz_error is merged into slow_path_check_tdz, which is + invoked from baseline JIT, so we can reliably acquire the bytecode and + avoid code duplication. + + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::JSC_DEFINE_COMMON_SLOW_PATH): + * runtime/CommonSlowPaths.h: + +2021-01-02 Alexey Shvayka + + Don't throw if `function.caller` is a non-strict / generator / async function + https://bugs.webkit.org/show_bug.cgi?id=220216 + + Reviewed by Yusuke Suzuki. + + The spec forbids [1] ES6+ and strict mode functions from having their own "caller" + property. r230662 went even further, throwing TypeError if `function.caller` attempts + to return non-strict / generator / async function, which doesn't contradict ECMA-262, + but diverges from V8 and SpiderMonkey (they just return the caller). + + Since throwing TypeError causes quite a lot test262 failures and is a bit dangerous + (legacy library which uses `function.caller` is called from ES6 code), this patch + replaces it with `null` return. + + Given that r230662 appears to be web-compatible, this change preserves its intent + to limit `function.caller` API as much as possible by returning `null` for all ES6+ + functions, including methods, accessors, and arrow functions. 
+ + [1]: https://tc39.es/ecma262/#sec-forbidden-extensions (paragraphs 1-2) + + * runtime/JSFunction.cpp: + (JSC::JSC_DEFINE_CUSTOM_GETTER): + +2020-12-31 Alexey Shvayka + + JSFunction::deleteProperty() fails to delete a non-existent "prototype" property + https://bugs.webkit.org/show_bug.cgi?id=220211 + + Reviewed by Yusuke Suzuki. + + This patch replaces arrow function check with hasPrototypeProperty() since there + are more functions without a "prototype" (accessors, methods, async functions), + aligning JSC with the spec, V8, and SpiderMonkey. + + hasPrototypeProperty() is already used by JSFunction::getOwnPropertySlot(). + + * runtime/JSFunction.cpp: + (JSC::JSFunction::deleteProperty): + +2020-12-30 Yusuke Suzuki + + [JSC] WebAssembly Table/Memory/Global should allow inheritance + https://bugs.webkit.org/show_bug.cgi?id=220207 + + Reviewed by Alexey Shvayka. + + WebAssembly.{Table,Memory,Global} should accept inheritance by JS class syntax. + We need to create structure from new.target value. + + * wasm/js/WebAssemblyGlobalConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + * wasm/js/WebAssemblyMemoryConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + * wasm/js/WebAssemblyTableConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + +2020-12-30 Yusuke Suzuki + + Unreviewed, fix iteration count check + https://bugs.webkit.org/show_bug.cgi?id=220206 + + We should have iterationCount variable to track iteration count since it can be larger than MarkedArgumentBuffer's size. + + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + +2020-12-30 Yusuke Suzuki + + [JSC] Wasm multivalue should iterate iterable result from JS function first before converting values + https://bugs.webkit.org/show_bug.cgi?id=220206 + + Reviewed by Alexey Shvayka. + + When converting JS results to Wasm multivalue (result from JS when executing Wasm->JS calls), we should first iterate all results from iterable. + And then, we should convert each element into Wasm value. 
Currently, we are converting while iterating, this is not aligned to the spec. + + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + +2020-12-29 Yusuke Suzuki + + [JSC] Update WebAssembly instance's exports object + https://bugs.webkit.org/show_bug.cgi?id=220189 + + Reviewed by Alexey Shvayka. + + This patch aligns the WebAssembly Instance's exports object to the updated spec. + + 1. exports object is a plain object which [[Prototype]] is null[1]. We were using module namespace object. Also, the object should be frozen. + 2. exported functions' name should be index, according to the spec[2]. + + [1]: https://webassembly.github.io/spec/js-api/index.html#create-an-exports-object + [2]: https://webassembly.github.io/spec/js-api/index.html#exported-function-exotic-objects + + * wasm/js/JSWebAssembly.cpp: + (JSC::resolve): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finishCreation): + (JSC::JSWebAssemblyInstance::visitChildren): + (JSC::JSWebAssemblyInstance::finalizeCreation): + (JSC::JSWebAssemblyInstance::tryCreate): + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/WebAssemblyInstancePrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::visitChildren): + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyModuleRecord.h: + +2020-12-27 Dmitry Bezhetskov + + [WASM-References] Fix table.init and table.grow to satisfy the spec + https://bugs.webkit.org/show_bug.cgi?id=220181 + + Reviewed by Yusuke Suzuki. + + Fix and refactor a little bit table.init and + table.grow. + + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmOperations.h: + * wasm/WasmSlowPaths.cpp: + (JSC::LLInt::WASM_SLOW_PATH_DECL): + +2020-12-27 Dmitry Bezhetskov + + [WASM-References] Adjust table.fill to satisfy the spec + https://bugs.webkit.org/show_bug.cgi?id=220161 + + Reviewed by Yusuke Suzuki. 
+ + Fixed table.fill for the case when count is 0 and offset is equal to + table size. + + * wasm/WasmOperations.cpp: + (JSC::Wasm::setWasmTableElement): + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmOperations.h: + * wasm/WasmSlowPaths.cpp: + (JSC::LLInt::WASM_SLOW_PATH_DECL): + +2020-12-27 Dmitry Bezhetskov + + [WASM-References] Add declared function indexes set to check from what functions we can create refs + https://bugs.webkit.org/show_bug.cgi?id=220009 + + Reviewed by Yusuke Suzuki. + + By ref-types spec we can create references only from declared functions. + Declared function is a function that was mentioned: + as export, + as part of ref.func init expression for a global, + in the element section. + In this patch declared function indexes set introduced to check this + requirement. + https://webassembly.github.io/reference-types/core/valid/instructions.html#reference-instructions. + + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseExpression): + * wasm/WasmModuleInformation.h: + (JSC::Wasm::ModuleInformation::isDeclaredFunction const): + (JSC::Wasm::ModuleInformation::addDeclaredFunction): + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseGlobal): + (JSC::Wasm::SectionParser::parseExport): + (JSC::Wasm::SectionParser::parseElementSegmentVectorOfExpressions): + (JSC::Wasm::SectionParser::parseElementSegmentVectorOfIndexes): + +2020-12-25 Mark Lam + + VMInspector::dumpRegisters() should not dump beyond the start of the next frame. + https://bugs.webkit.org/show_bug.cgi?id=220136 + rdar://64404201 + + Reviewed by Yusuke Suzuki. + + VMInspector::dumpRegisters() was dumping stack slots up for up to + codeBlock->numCalleeLocals() slots for any given CallFrame. This is incorrect. + codeBlock->numCalleeLocals() indicates the maximum number of stack slots that the + codeBlock may use. However, the executing codeBlock may not necessary use up that + number of slots before calling another function. 
+ + In the attached test case, the global program has 98 callee locals. However, it + was only using a very small number of stack slots to call $vm.dumpRegisters(). + On an ASAN build, iterating thru 98 stack slots of the global program (to dump + their contents) ended up reading beyond the top of the stack, and this made ASAN + very unhappy. The fix is simply to ensure that VMInspector::dumpRegisters() never + dumps past the start of the next CallFrame. + + * tools/VMInspector.cpp: + (JSC::VMInspector::dumpRegisters): + +2020-12-21 Jessica Tallon + + [JSC] Add minimum parameter to the WASM JS-API for Memory & Table. + https://bugs.webkit.org/show_bug.cgi?id=219600 + + Reviewed by Yusuke Suzuki. + + This patch adds a "minimum" perameter to the constructor of both WebAssembly.Memory and + WebAssembly.Table. This represents the same value as the "initial" perameter. The new + perameter name is outlined here [1]. It is part of the JS type reflection proposal. + + [1]: https://github.com/WebAssembly/js-types/blob/master/proposals/js-types/Overview.md#naming-of-size-limits + + * JSTests/wasm/js-api/table.js: + * JSTests/wasm/js-api/test_memory_constructor.js: + * Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp: + * Source/JavaScriptCore/wasm/js/WebAssemblyTableConstructor.cpp: + +2020-12-21 Keith Miller + + DFG should make sure replacement watchpoint is fired before folding to PutByOffset + https://bugs.webkit.org/show_bug.cgi?id=220031 + + + Reviewed by Saam Barati. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::presenceConditionIfConsistent): + (JSC::DFG::ByteCodeParser::checkPresence): + (JSC::DFG::ByteCodeParser::checkPresenceForReplace): + (JSC::DFG::ByteCodeParser::load): + (JSC::DFG::ByteCodeParser::store): + (JSC::DFG::ByteCodeParser::presenceLike): Deleted. + (JSC::DFG::ByteCodeParser::checkPresenceLike): Deleted. 
+ * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset): + * runtime/Structure.cpp: + (JSC::Structure::dump const): + +2020-12-18 Mark Lam + + Build fix after r270988. + https://bugs.webkit.org/show_bug.cgi?id=220021 + + + Not reviewed. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-12-18 Saam Barati + + CachedRefPtr should adoptRef before calling ref to appease RefCounted's debug assertions + https://bugs.webkit.org/show_bug.cgi?id=219953 + + + Reviewed by Tadeu Zagallo. + + * runtime/CachedTypes.cpp: + (JSC::CachedRefPtr::decode const): + +2020-12-18 Mark Lam + + Fix MacroAssemblerARM64E::validateUntaggedPtr() to account for TBI. + https://bugs.webkit.org/show_bug.cgi?id=220021 + + + Reviewed by Saam Barati. + + * assembler/AbstractMacroAssembler.h: + * assembler/DisallowMacroScratchRegisterUsage.h: + - templatized the DisallowMacroScratchRegisterUsage class so that we can #include + it in MacroAssembler implementations. + * assembler/MacroAssemblerARM64E.h: + (JSC::MacroAssemblerARM64E::validateUntaggedPtr): + +2020-12-17 Mark Lam + + Add tagging to JIT probe's return address. + https://bugs.webkit.org/show_bug.cgi?id=220008 + rdar://71279530 + + Reviewed by Keith Miller and Robin Morisset. + + * assembler/MacroAssemblerARM64.cpp: + * assembler/testmasm.cpp: + (JSC::testProbeModifiesProgramCounter): + * runtime/JSCPtrTag.h: + +2020-12-18 Yusuke Suzuki + + [CSSJIT] Do not use trampoline if JITCage is disabled + https://bugs.webkit.org/show_bug.cgi?id=220004 + + Reviewed by Tadeu Zagallo. + + * llint/LLIntData.cpp: + * llint/LowLevelInterpreter.asm: + +2020-12-18 Dmitry Bezhetskov + + [WASM-References] Reuse instance initElementSegment to reduce duplication + https://bugs.webkit.org/show_bug.cgi?id=220007 + + Reviewed by Yusuke Suzuki. + + Simple refactroing. We need only one place to initialize elements + segments. 
+ + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + +2020-12-17 Dmitry Bezhetskov + + [WASM-References] Add support for memory.copy, memory.init and data.drop + https://bugs.webkit.org/show_bug.cgi?id=219943 + + Reviewed by Yusuke Suzuki. + + Add support for memory.copy [dstAddress, srcAddress, length] -> [] + that copies one memory segment to another memory segment. + The memory.copy calls C memcpy function to utilize all possible optimization for copy. + This instruction speedup copying data segments in wasm because without it we need to use a lot + load/store instructions with loops in wasm. + + Add support for memory.init data_segment_index [dstAddress, srcAddress, length] -> [] + that copies data from a passive data segment into a memory segment. + This instruction is the same as memory.copy but for read-only data segments. + It also utilize C memcpy under the hood. + + Add support for data.drop data_segment_index [] -> [] + that resize given data segment to zero. + Data.drop makes redundant data segment and prevents usage of it in the next. + BTW, it is just a hint for the host runtime so we don't have to change data segment. + + Add support for Data count section. + This section just stores the number of data segments. + We need this to validate memory.init instruction's data index because + Code section comes before Data section. + + These instructions are needed to support reference types proposal and bulk proposal. 
+ + * bytecode/BytecodeList.rb: + * llint/WebAssembly.asm: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::addMemoryCopy): + (JSC::Wasm::AirIRGenerator::addMemoryInit): + (JSC::Wasm::AirIRGenerator::addDataDrop): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addMemoryInit): + (JSC::Wasm::B3IRGenerator::addMemoryCopy): + (JSC::Wasm::B3IRGenerator::addDataDrop): + * wasm/WasmFormat.cpp: + (JSC::Wasm::Segment::create): + * wasm/WasmFormat.h: + (JSC::Wasm::Segment::isActive const): + (JSC::Wasm::Segment::isPassive const): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseDataSegmentIndex): + (JSC::Wasm::FunctionParser::parseMemoryCopyImmediates): + (JSC::Wasm::FunctionParser::parseMemoryInitImmediates): + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + (JSC::Wasm::Instance::memoryInit): + (JSC::Wasm::Instance::dataDrop): + * wasm/WasmInstance.h: + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::addMemoryInit): + (JSC::Wasm::LLIntGenerator::addDataDrop): + (JSC::Wasm::LLIntGenerator::addMemoryCopy): + * wasm/WasmMemory.cpp: + (JSC::Wasm::Memory::copy): + (JSC::Wasm::Memory::init): + * wasm/WasmMemory.h: + * wasm/WasmModuleInformation.h: + (JSC::Wasm::ModuleInformation::dataSegmentsCount const): + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmOperations.h: + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseElement): + (JSC::Wasm::SectionParser::parseI32InitExpr): + (JSC::Wasm::SectionParser::parseI32InitExprForElementSection): + (JSC::Wasm::SectionParser::parseI32InitExprForDataSection): + (JSC::Wasm::SectionParser::parseDataSegmentCoreSpec): + (JSC::Wasm::SectionParser::parseDataSegmentReferenceTypesSpec): + (JSC::Wasm::SectionParser::parseGlobalType): + (JSC::Wasm::SectionParser::parseData): + (JSC::Wasm::SectionParser::parseDataCount): + * 
wasm/WasmSectionParser.h: + * wasm/WasmSections.h: + (JSC::Wasm::validateOrder): + * wasm/WasmSlowPaths.cpp: + (JSC::LLInt::WASM_SLOW_PATH_DECL): + * wasm/WasmSlowPaths.h: + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/wasm.json: + +2020-12-16 Yusuke Suzuki + + [JSC] Not using JITCage trampoline for non JITCage JSC + https://bugs.webkit.org/show_bug.cgi?id=219974 + + Reviewed by Tadeu Zagallo. + + We avoid using JITCage trampoline in YarrJIT if JSC is not using JITCage. + + * llint/LowLevelInterpreter.asm: + * yarr/YarrJIT.cpp: + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::execute): + +2020-12-15 Yusuke Suzuki + + [JSC] Accept arbitrary module namespace identifier names + https://bugs.webkit.org/show_bug.cgi?id=217576 + + + Reviewed by Darin Adler. + + This patch implements arbitrary module namespace identifier names[1]. + After this, we can export and import arbitrary module export names which are not valid as a variable identifier. + For example, + + import { "delete" as deletedValue } from "./ok.js"; + + ... + + export { + deletedValue as "delete" + }; + + [1]: https://github.com/tc39/ecma262/pull/2154 + + * parser/Parser.cpp: + (JSC::Parser::parseImportClauseItem): + (JSC::Parser::parseImportDeclaration): + (JSC::Parser::parseExportSpecifier): + (JSC::Parser::parseExportDeclaration): + * parser/Parser.h: + +2020-12-16 Yusuke Suzuki + + Unreviewed, fix stale assertions + https://bugs.webkit.org/show_bug.cgi?id=219847 + + After r270764, HostFunctionPtrTag and CustomAccessorPtrTag are categorized as Native ones. + However, in non-JIT-caged environment, still they are used as JIT ones. Then, we are getting + stale assertions. Several other tags are showing similar things for non JIT environments etc. + Add `Options::useJITCage()` check since this caller/callee type is only valid in JIT Cage environment. 
+ + * assembler/MacroAssemblerARM64E.h: + (JSC::MacroAssemblerARM64E::call): + (JSC::MacroAssemblerARM64E::farJump): + +2020-12-15 Saam Barati + + destinationFor should check for FTLJIT, not DFGJIT twice + https://bugs.webkit.org/show_bug.cgi?id=219929 + + Reviewed by Mark Lam. + + The code was checking for DFGJIT twice instead of checking for FTLJIT. + This doesn't fix any actual bugs, since nobody passes in FTLJIT to this + function. But if we ever do in the future, it would have revealed this bug. + + * bytecode/BytecodeOperandsForCheckpoint.h: + (JSC::destinationFor): + +2020-12-15 Alexey Shvayka + + Non-enumerable property fails to shadow inherited enumerable property from for-in + https://bugs.webkit.org/show_bug.cgi?id=38970 + + Reviewed by Keith Miller. + + While for/in was initially specified with notion of "shadowing", it wasn't clarified + until ES5 that [[Enumerable]] attributes are ignored when determining if a property + has already been processed. Recently, for/in spec was expanded [1] to pin down common + case enumeration as it's currently implemented by V8 and SpiderMonkey. + + Since keeping track of DontEnum properties is a massive slowdown for uncached runs + (with any data structure used), this patch simply adds [[Enumerable]] check to + has_{indexed,structure,generic}_property bytecode ops and does renaming chores. + + Common code is now shared between HasIndexedProperty (emitted for `0 in arr`) and + HasEnumerableIndexedProperty DFG nodes via passing different slow path ops rather + than having OpInfo with PropertySlot::InternalMethodType, which is a nice refactor. 
+ + While this change aligns common case for/in enumeration with the spec and other + engines, it also introduces a few observable discrepancies from V8 and SpiderMonkey, + which are permitted by the spec [2]: + a) properties that have been redefined as DontEnum within loop body are skipped, + which matches the spec [3] and seems like expected behavior; + b) "shadowing" is broken if a DontEnum property of already visited object is + added / deleted / redefined within loop body, which (pretty much) never happens. + + This patch introduces a new invariant: all properties getOwn*PropertyNames() returns + in DontEnumPropertiesMode::Exclude should be reported as [[Enumerable]] by + getOwnPropertySlot(). JSCallbackObject and RuntimeArray are fixed to follow it. + + for/in and Object.keys microbenchmarks are neutral. This change does not affect + JSPropertyNameEnumerator caching, nor fast paths of its bytecodes. + + [1]: https://github.com/tc39/ecma262/pull/1791 + [2]: https://tc39.es/ecma262/#sec-enumerate-object-properties (last paragraph) + [3]: https://tc39.es/ecma262/#sec-%foriniteratorprototype%.next (step 7.b.iii) + + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::getOwnPropertySlot): + * API/tests/testapi.c: + * API/tests/testapiScripts/testapi.js: + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/Opcode.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitHasEnumerableIndexedProperty): + (JSC::BytecodeGenerator::emitHasEnumerableStructureProperty): + (JSC::BytecodeGenerator::emitHasEnumerableProperty): + (JSC::BytecodeGenerator::emitHasGenericProperty): Deleted. + (JSC::BytecodeGenerator::emitHasIndexedProperty): Deleted. + (JSC::BytecodeGenerator::emitHasStructureProperty): Deleted. 
+ * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ForInNode::emitBytecode): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::convertToHasIndexedProperty): * dfg/DFGNode.h: - (JSC::DFG::Node::hasHeapPrediction): + (JSC::DFG::Node::hasArrayMode): + (JSC::DFG::Node::hasInternalMethodType const): Deleted. + (JSC::DFG::Node::internalMethodType const): Deleted. + (JSC::DFG::Node::setInternalMethodType): Deleted. * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: - - We updated `operationValueBitLShift` to handle BigInt cases. Also, we - added `operationBitLShiftBigInt` that is used when we compile - `ValueBitLValueBitLShift(BigIntUse)`. - + (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: - - `ValueBitLShift`'s prediction propagation rules differs from other - bitwise operations, because using only heap prediction for this node causes - significant performance regression on Octane's zlib and mandreel. - The reason is because of cases where a function is compiled but the - instruction `op_lshift` was never executed before. If we use - `getPrediction()` we will emit a `ForceOSRExit`, resulting in more OSR - than desired. To solve such issue, we are then using - `getPredictionWithoutOSR()` and falling back to `getHeapPrediction()` - only on cases where we can't rely on node's input types. 
- + * dfg/DFGSSALoweringPhase.cpp: + (JSC::DFG::SSALoweringPhase::handleNode): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): - (JSC::DFG::SpeculativeJIT::compileShiftOp): + (JSC::DFG::SpeculativeJIT::compileHasEnumerableProperty): + (JSC::DFG::SpeculativeJIT::compileHasEnumerableStructureProperty): + (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): + (JSC::DFG::SpeculativeJIT::compileHasGenericProperty): Deleted. + (JSC::DFG::SpeculativeJIT::compileHasStructureProperty): Deleted. * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::shiftOp): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGStrengthReductionPhase.cpp: - (JSC::DFG::StrengthReductionPhase::handleNode): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift): - (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): - (JSC::FTL::DFG::LowerDFGToB3::compileBitLShift): Deleted. - * llint/LowLevelInterpreter32_64.asm: + (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): + (JSC::FTL::DFG::LowerDFGToB3::compileHasEnumerableProperty): + (JSC::FTL::DFG::LowerDFGToB3::compileHasEnumerableStructureProperty): + (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): Deleted. + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_has_enumerable_structure_property): + (JSC::JIT::emit_op_has_enumerable_indexed_property): + (JSC::JIT::emitSlow_op_has_enumerable_indexed_property): + (JSC::JIT::emit_op_has_structure_property): Deleted. + (JSC::JIT::emit_op_has_indexed_property): Deleted. 
+ (JSC::JIT::emitSlow_op_has_indexed_property): Deleted. + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_has_enumerable_structure_property): + (JSC::JIT::emit_op_has_enumerable_indexed_property): + (JSC::JIT::emitSlow_op_has_enumerable_indexed_property): + (JSC::JIT::emit_op_has_structure_property): Deleted. + (JSC::JIT::emit_op_has_indexed_property): Deleted. + (JSC::JIT::emitSlow_op_has_indexed_property): Deleted. + * jit/JITOperations.cpp: + (JSC::JSC_DEFINE_JIT_OPERATION): + * jit/JITOperations.h: + * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - -2019-07-12 Keith Miller - - getIndexQuickly should be const - https://bugs.webkit.org/show_bug.cgi?id=199747 - - Reviewed by Yusuke Suzuki. - - * runtime/Butterfly.h: - (JSC::Butterfly::indexingPayload const): - (JSC::Butterfly::arrayStorage const): - (JSC::Butterfly::contiguousInt32 const): - (JSC::Butterfly::contiguousDouble const): - (JSC::Butterfly::contiguous const): + (JSC::JSC_DEFINE_COMMON_SLOW_PATH): + * runtime/CommonSlowPaths.h: + * runtime/JSObject.cpp: + (JSC::JSObject::hasProperty const): + (JSC::JSObject::hasEnumerableProperty const): + (JSC::JSObject::hasPropertyGeneric const): Deleted. * runtime/JSObject.h: - (JSC::JSObject::canGetIndexQuickly const): - (JSC::JSObject::getIndexQuickly const): - (JSC::JSObject::tryGetIndexQuickly const): - (JSC::JSObject::canGetIndexQuickly): Deleted. - (JSC::JSObject::getIndexQuickly): Deleted. -2019-07-11 Justin Michaud +2020-12-15 Saam Barati - Add b3 macro lowering for CheckMul on arm64 - https://bugs.webkit.org/show_bug.cgi?id=199251 + Switch to using a linked list for the TDZ environment instead of a Vector + https://bugs.webkit.org/show_bug.cgi?id=219909 + - Reviewed by Robin Morisset. + Reviewed by Tadeu Zagallo. - - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check. - - Add a new opcode to air on arm64 for smull (multiplySignExtend32). 
- - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). - - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, - and no change on the no-constant benchmark. - Also, skip some of the b3 tests that were failing before this patch so that the new tests can run - to completion. + Before, we'd represent the TDZ stack in terms of a Vector. While the entries + in the Vector were reference counted, the spine of the Vector itself would + match the length of the TDZ scope stack. It turns out this spine itself can + use non-trivial amounts of memory. We are seeing about a 0.5% regression from + this inside RAMification. This change makes it so that we now use a tree-like + data structure for scope stack entries. The data structure is a tree with only + parent pointers. Any field that used to be a vector of entries is now a + pointer to a node in this tree. So any pointer into this tree will have a + linked-list window into the tree, where the linked-list represents the same + data as the previous vector-as-stack data structure. + + Initial testing shows this might be up to a 0.5% progression on RAMification. 
- * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::multiplySignExtend32): - * assembler/testmasm.cpp: - (JSC::testMul32SignExtend): - (JSC::run): - * b3/B3LowerMacros.cpp: - * b3/B3LowerToAir.cpp: - * b3/air/AirOpcode.opcodes: - * b3/testb3.cpp: - (JSC::B3::testMulArgs32SignExtend): - (JSC::B3::testMulImm32SignExtend): - (JSC::B3::testMemoryFence): - (JSC::B3::testStoreFence): - (JSC::B3::testLoadFence): - (JSC::B3::testPinRegisters): - (JSC::B3::run): + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createExecutable): + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + * bytecode/UnlinkedFunctionExecutable.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::popLexicalScopeInternal): + (JSC::BytecodeGenerator::needsTDZCheck): + (JSC::BytecodeGenerator::liftTDZCheckIfPossible): + (JSC::BytecodeGenerator::pushTDZVariables): + (JSC::BytecodeGenerator::getVariablesUnderTDZ): + (JSC::BytecodeGenerator::preserveTDZStack): + (JSC::BytecodeGenerator::restoreTDZStack): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::generate): + * parser/VariableEnvironment.h: + (JSC::TDZEnvironmentLink::TDZEnvironmentLink): + (JSC::TDZEnvironmentLink::create): + (JSC::TDZEnvironmentLink::contains const): + (JSC::TDZEnvironmentLink::parent): + * runtime/CachedTypes.cpp: + (JSC::CachedTDZEnvironmentLink::encode): + (JSC::CachedTDZEnvironmentLink::decode const): + * runtime/CodeCache.cpp: + (JSC::generateUnlinkedCodeBlockImpl): + (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): -2019-07-11 Yusuke Suzuki +2020-12-15 Commit Queue - Unreviewed, revert r243617. - https://bugs.webkit.org/show_bug.cgi?id=196341 + Unreviewed, reverting r270860. + https://bugs.webkit.org/show_bug.cgi?id=219918 - Mark pointed out that JSVirtualMachine can be gone in the other thread while we are executing GC constraint-solving. 
- This patch does not account that JavaScriptCore.framework is multi-thread safe: JSVirtualMachine wrapper can be destroyed, - and [JSVirtualMachine dealloc] can be executed in any threads while the VM is retained and used in the other thread (e.g. - destroyed from AutoReleasePool in some thread). - - * API/JSContext.mm: - (-[JSContext initWithVirtualMachine:]): - (-[JSContext dealloc]): - (-[JSContext initWithGlobalContextRef:]): - (-[JSContext wrapperMap]): - (+[JSContext contextWithJSGlobalContextRef:]): - * API/JSVirtualMachine.mm: - (initWrapperCache): - (wrapperCache): - (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): - (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): - (-[JSVirtualMachine initWithContextGroupRef:]): - (-[JSVirtualMachine dealloc]): - (+[JSVirtualMachine virtualMachineWithContextGroupRef:]): - (-[JSVirtualMachine contextForGlobalContextRef:]): - (-[JSVirtualMachine addContext:forGlobalContextRef:]): - (scanExternalObjectGraph): - (scanExternalRememberedSet): - * API/JSVirtualMachineInternal.h: - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::setWrapperMap): - (JSC::JSGlobalObject::setAPIWrapper): Deleted. - (JSC::JSGlobalObject::apiWrapper const): Deleted. - * runtime/VM.h: - -2019-07-10 Tadeu Zagallo - - Optimize join of large empty arrays - https://bugs.webkit.org/show_bug.cgi?id=199636 - - Reviewed by Mark Lam. - - Replicate the behavior of `str.repeat(count)` when performing `new Array(count + 1).join(str)`. - I added two new microbenchmarks: - - large-empty-array-join, which does not use the result of the join and runs ~44x faster and uses ~18x less memory. - - large-empty-array-join-resolve-rope, which uses the result of the join and runs 2x faster. 
- - baseline diff - large-empty-array-join 2713.9698+-72.7621 ^ 61.2335+-10.4836 ^ definitely 44.3217x faster - large-empty-array-join-resolve-string 26.5517+-0.3995 ^ 12.9309+-0.5516 ^ definitely 2.0533x faster - - large-empty-array-join memory usage with baseline (dirty): - 733012 kB current_mem - 756824 kB lifetime_peak - - large-empty-array-join memory usage with diff (dirty): - 41904 kB current_mem - 41972 kB lifetime_peak - - Additionally, I ran JetStream2, sunspider and v8-spider and all were neutral. - - * runtime/ArrayPrototype.cpp: - (JSC::fastJoin): - -2019-07-08 Keith Miller - - Enable Intl.PluralRules and Intl.NumberFormatToParts by default - https://bugs.webkit.org/show_bug.cgi?id=199288 - - Reviewed by Yusuke Suzuki. - - These features have been around for a while. We should turn them on by default. - - * runtime/IntlNumberFormatPrototype.cpp: - (JSC::IntlNumberFormatPrototype::finishCreation): - * runtime/IntlObject.cpp: - (JSC::IntlObject::finishCreation): Deleted. - * runtime/IntlObject.h: - * runtime/Options.h: - -2019-07-08 Antoine Quint - - [Pointer Events] Enable only on the most recent version of the supported iOS family - https://bugs.webkit.org/show_bug.cgi?id=199562 - - - Reviewed by Dean Jackson. - - * Configurations/FeatureDefines.xcconfig: - -2019-07-06 Michael Saboff - - switch(String) needs to check for exceptions when resolving the string - https://bugs.webkit.org/show_bug.cgi?id=199541 - - Reviewed by Mark Lam. - - Added exception checks for resolved Strings in switch processing for all tiers. - - * dfg/DFGOperations.cpp: - * jit/JITOperations.cpp: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - -2019-07-05 Mark Lam - - ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero. - https://bugs.webkit.org/show_bug.cgi?id=199533 - - - Reviewed by Filip Pizlo. 
- - * dfg/DFGArgumentsEliminationPhase.cpp: - -2019-07-05 Yusuke Suzuki - - Unreviewed, fix build failure on ARM64_32 - https://bugs.webkit.org/show_bug.cgi?id=182434 - - Implicit narrowing from uint64_t to uint32_t happens. We should explicitly narrow it because we already checked - the `length` is <= UINT32_MAX. - - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoFuncSpeciesCreate): - -2019-07-05 Alexey Shvayka - - [JSC] Clean up ArraySpeciesCreate - https://bugs.webkit.org/show_bug.cgi?id=182434 - - Reviewed by Yusuke Suzuki. - - We have duplicate code in arraySpeciesCreate, filter, map, concatSlowPath of ArrayPrototype.js - and speciesConstructArray of ArrayPrototype.cpp. This patch fixes cross-realm Array constructor - detection in native speciesConstructArray, upgrades `length` type to correctly handle large integers, - and exposes it as @arraySpeciesCreate. Also removes now unused @isArrayConstructor private function. - Native speciesConstructArray is preferred because it has fast path via speciesWatchpointIsValid. - - Thoroughly benchmarked: this change progresses ARES-6 by 0-1%. - - * builtins/ArrayPrototype.js: - (filter): - (map): - (globalPrivate.concatSlowPath): - (globalPrivate.arraySpeciesCreate): Deleted. - * builtins/BuiltinNames.h: - * runtime/ArrayConstructor.cpp: - (JSC::arrayConstructorPrivateFuncIsArrayConstructor): Deleted. - * runtime/ArrayConstructor.h: - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoFuncSpeciesCreate): - * runtime/ArrayPrototype.h: - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - -2019-07-05 Tadeu Zagallo - - Unreviewed, change the value used to scribble Heap::m_worldState - https://bugs.webkit.org/show_bug.cgi?id=199498 - - Follow-up after r247160. The value used to scribble should have the - conn bit set. - - * heap/Heap.cpp: - (JSC::Heap::~Heap): - -2019-07-05 Ryan Haddad - - Unreviewed, rolling out r247115. 
- - Breaks lldbWebKitTester (and by extension, test-webkitpy) + We workaround it differently, so this revert is not necessary Reverted changeset: - "[WHLSL] Standard library is too big to directly include in - WebCore" - https://bugs.webkit.org/show_bug.cgi?id=198186 - https://trac.webkit.org/changeset/247115 + "Unreviewed, reverting r269320, r269341, r269502, and + r269576." + https://bugs.webkit.org/show_bug.cgi?id=219915 + https://trac.webkit.org/changeset/270860 -2019-07-05 Tadeu Zagallo +2020-12-15 Commit Queue - Scribble Heap::m_worldState on destructor - https://bugs.webkit.org/show_bug.cgi?id=199498 + Unreviewed, reverting r269320, r269341, r269502, and r269576. + https://bugs.webkit.org/show_bug.cgi?id=219915 + + ICU C++ internal API causes trouble + + Reverted changesets: + + "REGRESSION (r254038): Simple.com money transfer UI is very + laggy (multiple seconds per keypress)" + https://bugs.webkit.org/show_bug.cgi?id=218348 + https://trac.webkit.org/changeset/269320 + + "[JSC] Obtain default timezone ID from cached icu::TimeZone" + https://bugs.webkit.org/show_bug.cgi?id=218531 + https://trac.webkit.org/changeset/269341 + + "toLocaleDateString() resolves incorrect date for some old + dates" + https://bugs.webkit.org/show_bug.cgi?id=161623 + https://trac.webkit.org/changeset/269502 + + "[JSC] Add TimeZone range cache over ICU TimeZone API" + https://bugs.webkit.org/show_bug.cgi?id=218681 + https://trac.webkit.org/changeset/269576 + +2020-12-15 Dmitry Bezhetskov + + [WASM-References] Add support for memory.fill + https://bugs.webkit.org/show_bug.cgi?id=219848 + + Reviewed by Yusuke Suzuki. + + Add support for memory.fill from ref-types spec. + memory.fill sets all bytes in a memory region to a given byte: + https://webassembly.github.io/reference-types/core/syntax/instructions.html#memory-instructions. 
+ + * bytecode/BytecodeList.rb: + * llint/WebAssembly.asm: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::addMemoryFill): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addMemoryFill): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseMemoryFillImmediate): + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::addMemoryFill): + * wasm/WasmMemory.cpp: + (JSC::Wasm::Memory::fill): + (JSC::Wasm::Memory::doMemoryFill): + * wasm/WasmMemory.h: + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmOperations.h: + * wasm/WasmSlowPaths.cpp: + (JSC::LLInt::WASM_SLOW_PATH_DECL): + * wasm/WasmSlowPaths.h: + * wasm/wasm.json: + +2020-12-15 Dmitry Bezhetskov + + [WASM-References] Add support for type annotated select + https://bugs.webkit.org/show_bug.cgi?id=219595 + + Reviewed by Yusuke Suzuki. + + Add support for typed select instruction from ref-types proposal: + select t : [t t i32] -> [t]. + The annotated select instruction takes a value type immediate to deduce result type of select expression. + This version of select will help us with subtyping in the future where we want to avoid computing lubs. + For more information see: + https://github.com/WebAssembly/reference-types/issues/125, + https://webassembly.github.io/reference-types/core/binary/instructions.html#parametric-instructions. + + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseAnnotatedSelectImmediates): + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/wasm.json: + +2020-12-14 Tadeu Zagallo + + Move some of the work from JSLock to VMEntryScope + https://bugs.webkit.org/show_bug.cgi?id=219830 + + Reviewed by Mark Lam. 
+ + We move several things from JSLock to VMEntryScope that could only be observed after we entered the VM: + - WasmThreads: only used when tiering up wasm, so VMEntryScope would have executed + - registerThreadForMachExceptionHandling: The mach exception handlers are used for: + - sigill crash analyzer: only relevant after we enter the vm + - wasm fault signal handler: same, we must be executing wasm and therefore VMEntryScope will have executed. + - VMTraps: only handles faults in JIT code + - firePrimitiveGigacageEnabledIfNecessary: Only watched by the JITs + + This gives is a ~10% improvement on APIBench (score change from ~36.3 to ~39.9), but as it turns out the most expensive + call is adding the current thread to the heap as this requires acquiring two locks. We can't move this to VMEntryScope + since it's possible to use the API and GC without ever entering the VM, which would result in the current thread's stack + not being scanned. Instead, we just remember the last thread that acquired the lock and skip the call if we're seeing the + same thread again. 
This greatly amortizes the cost and gives us another ~10%: + + CURRENT_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 62ms 32ms + RichardsMostlyObjC: 303ms 264ms + RichardsMostlySwift: 296ms 261ms + RichardsSomeC: 76ms 49ms + RichardsSomeObjC: 156ms 150ms + RichardsSomeSwift: 200ms 197ms + + UPCOMING_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 19ms 19ms + RichardsMostlyObjC: 282ms 260ms + RichardsMostlySwift: 282ms 264ms + RichardsSomeC: 79ms 46ms + RichardsSomeObjC: 156ms 149ms + RichardsSomeSwift: 195ms 195ms + ---------------------------------------- + Score: 36.2211 43.3368 + + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + (JSC::JSLock::willReleaseLock): + * runtime/JSLock.h: + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + (JSC::VMEntryScope::~VMEntryScope): + +2020-12-14 Robin Morisset + + Minor cleanup of BigInts + https://bugs.webkit.org/show_bug.cgi?id=219253 + + Reviewed by Yusuke Suzuki. + + * runtime/JSBigInt.cpp: + (JSC::rightShiftByAbsolute): + +2020-12-13 Yusuke Suzuki + + [JSC] Introduce vmEntryCustomAccessor and vmEntryHostFunction for JITCage + https://bugs.webkit.org/show_bug.cgi?id=219847 + + Reviewed by Mark Lam. + + Instead of registering all host-functions and custom accessors with OperationPtrTag or HostFunctionPtrTag, + this patch introduces a trampoline which invokes them with special ptr-tag to reduce memory usage of JITOperationList. + + When invoking custom accessor, we pass that pointer as a forth argument, and call vmEntryCustomAccessor. + And vmEntryCustomAccessor jumps to the passed argument with special ptr tag. And we register vmEntryCustomAccessor as an operation. + For host-functions, we pass that pointer as a third argument. 
+ + * assembler/JITOperationList.cpp: + (JSC::addPointers): + (JSC::JITOperationList::populatePointersInJavaScriptCore): + (JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt): + (JSC::JITOperationList::populatePointersInEmbedder): + * assembler/JITOperationList.h: + (JSC::JITOperationList::assertIsHostFunction): Deleted. + * b3/testb3_1.cpp: + (main): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::GetByIdVariant): + * bytecode/GetByIdVariant.h: + (JSC::GetByIdVariant::customAccessorGetter const): + * bytecode/GetByStatus.cpp: + (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): + * bytecode/GetterSetterAccessCase.cpp: + (JSC::GetterSetterAccessCase::create): + * bytecode/GetterSetterAccessCase.h: + * dfg/DFGNode.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): + * jit/JITOperations.h: + * jit/Repatch.cpp: + (JSC::tryCacheGetBy): + (JSC::tryCachePutByID): + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): + * jsc.cpp: + (jscmain): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntThunks.cpp: + * llint/LLIntThunks.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/Gate.h: + * runtime/JSCPtrTag.h: + (JSC::tagJSCCodePtrImpl): + (JSC::untagJSCCodePtrImpl): + * runtime/NativeFunction.h: + * runtime/PropertySlot.h: + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::customSetter const): + * runtime/VM.cpp: + (JSC::VM::getHostFunction): + +2020-12-14 Youenn Fablet + + Pass an isolated copy of Settings to workers and worklets. + https://bugs.webkit.org/show_bug.cgi?id=219688 Reviewed by Sam Weinig. - The worldState is dumped when we crash due to a failed checkConn, and - this will make it clear if the heap has already been destroyed. 
+ * runtime/RuntimeFlags.h: + (JSC::RuntimeFlags::isolatedCopy const): - * heap/Heap.cpp: - (JSC::Heap::~Heap): +2020-12-13 Samuel Thibault -2019-07-03 Sam Weinig + [JSC] Set s_maxPathLength fallback when OS does not have a PATH_MAX limitation + https://bugs.webkit.org/show_bug.cgi?id=219571 - Adopt simple structured bindings in more places - https://bugs.webkit.org/show_bug.cgi?id=199247 + Reviewed by Yusuke Suzuki. - Reviewed by Alex Christensen. + * runtime/ConfigFile.h: + (ConfigFile::s_maxPathLength): Fallback to 4095 when PATH_MAX is not defined. - Replaces simple uses of std::tie() with structured bindings. Does not touch - uses of std::tie() that are not initial declarations, use std::ignore or in - case where the binding is captured by a lambda, as structured bindings don't - work for those cases yet. +2020-12-11 Tadeu Zagallo - * runtime/PromiseDeferredTimer.cpp: - (JSC::PromiseDeferredTimer::doWork): - * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::trapHandler): - * wasm/js/JSWebAssemblyHelpers.h: - (JSC::createSourceBufferFromValue): - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::webAssemblyValidateFunc): - -2019-07-03 Keith Miller - - PACCage should first cage leaving PAC bits intact then authenticate - https://bugs.webkit.org/show_bug.cgi?id=199372 + REGRESSION (r270665): testapi failing on JSC bots + https://bugs.webkit.org/show_bug.cgi?id=219787 Reviewed by Saam Barati. - This ordering prevents someone from taking a signed pointer from - outside the gigacage and using it in a struct that expects a caged - pointer. Previously, the PACCaging just double checked that the PAC - bits were valid for the original pointer. 
+ * API/JSValueRef.cpp: + (JSValueIsString): + (JSValueIsObject): + (JSValueIsSymbol): +2020-12-11 Caio Lima - +---------------------------+ - | | | | - | "PAC" | "base" | "offset" +----+ - | | | | | - +---------------------------+ | Caging - | | - | | - | v - | +---------------------------+ - | | | | | - | Bit Merge | 00000 | base | "offset" | - | | | | | - | +---------------------------+ - | | - | | - v | Bit Merge - +---------------------------+ | - | | | | | - | "PAC" | base | "offset" +<--------+ - | | | | - +---------------------------+ - | - | - | Authenticate - | - v - +---------------------------+ - | | | | - | Auth | base | "offset" | - | | | | - +---------------------------+ + [JIT] Require value registers explicitly on emitValueProfilingSite + https://bugs.webkit.org/show_bug.cgi?id=219550 - The above ascii art graph shows how the PACCage system works. The - key take away is that even if someone passes in a valid, signed - pointer outside the cage it will still fail to authenticate as the - "base" bits will change before authentication. + Reviewed by Yusuke Suzuki. + This patch is removing the default value for `emitValueProfilingSite` + to avoid bugs like r270423 and r270431. 
- * assembler/MacroAssemblerARM64E.h: - * assembler/testmasm.cpp: - (JSC::testCagePreservesPACFailureBit): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::caged): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::cageConditionally): - * llint/LowLevelInterpreter64.asm: + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + * jit/JIT.h: + * jit/JITCall.cpp: + (JSC::JIT::emitPutCallResult): + (JSC::JIT::emit_op_iterator_open): + * jit/JITCall32_64.cpp: + (JSC::JIT::emitPutCallResult): + (JSC::JIT::emit_op_iterator_open): + * jit/JITInlines.h: + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile): + (JSC::JIT::emitValueProfilingSiteIfProfiledOpcode): + (JSC::JIT::emitValueProfilingSite): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_to_number): + (JSC::JIT::emit_op_to_numeric): + (JSC::JIT::emit_op_to_object): + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_get_direct_pname): + (JSC::JIT::emit_op_get_argument): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_to_number): + (JSC::JIT::emit_op_to_numeric): + (JSC::JIT::emit_op_to_object): + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_get_direct_pname): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emit_op_get_private_name): + (JSC::JIT::emit_op_try_get_by_id): + (JSC::JIT::emit_op_get_by_id_direct): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_get_by_id_with_this): + (JSC::JIT::emit_op_get_from_scope): + (JSC::JIT::emit_op_get_from_arguments): + (JSC::JIT::emit_op_get_internal_field): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emit_op_get_private_name): + (JSC::JIT::emit_op_try_get_by_id): + (JSC::JIT::emit_op_get_by_id_direct): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_get_by_id_with_this): + (JSC::JIT::emit_op_get_from_scope): + (JSC::JIT::emit_op_get_from_arguments): + (JSC::JIT::emit_op_get_internal_field): -2019-07-03 Paulo Matos +2020-12-11 Tadeu Zagallo - Refactoring of architectural 
Register Information - https://bugs.webkit.org/show_bug.cgi?id=198604 + REGRESSION (r270665): testapi failing on CLoop bot + https://bugs.webkit.org/show_bug.cgi?id=219787 - Reviewed by Keith Miller. + Reviewed by Mark Lam. - The goal of this patch is to centralize the register information per platform - but access it in a platform independent way. The patch as been implemented for all - known platforms: ARM64, ARMv7, MIPS, X86 and X86_64. Register information has - been centralized in an architecture per-file: each file is called assembler/Registers.h. + The API has to special case the empty JSValue as null. - RegisterInfo.h is used as a forwarding header to choose which register information to load. - assembler/Assembler.h and jit/RegisterSet.cpp use this information in a platform - independent way. + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsNull): + +2020-12-11 Don Olmstead + + [CMake] Determine correct visibility for linked frameworks + https://bugs.webkit.org/show_bug.cgi?id=210366 + + Reviewed by Michael Catanzaro. + + Set JavaScriptCore_FRAMEWORKS to determine correct linkage for the library. Remove + explicit setting of STATICALLY_LINKED_WITH_${framework} and $ + by ports. + + Move the add_subdirectory of shell to the end of the CMakeLists.txt so its after the + WEBKIT_FRAMEWORK call. This ensures that the frameworks linked into JavaScriptCore are + known when creating the executables in that directory. * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::gprName): Use register names from register info file. - (JSC::ARM64Assembler::sprName): likewise. - (JSC::ARM64Assembler::fprName): likewise. - * assembler/ARM64Registers.h: Added. - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::gprName): Use register names from register info file. - (JSC::ARMv7Assembler::sprName): likewise. - (JSC::ARMv7Assembler::fprName): likewise. - * assembler/ARMv7Registers.h: Added. 
- * assembler/MIPSAssembler.h: - (JSC::MIPSAssembler::gprName): Use register names from register info file. - (JSC::MIPSAssembler::sprName): likewise. - (JSC::MIPSAssembler::fprName): likewise. - * assembler/MIPSRegisters.h: Added. - * assembler/RegisterInfo.h: Added. - * assembler/X86Assembler.h: - (JSC::X86Assembler::gprName): Use register names from register info file. - (JSC::X86Assembler::sprName): likewise. - (JSC::X86Assembler::fprName): likewise. - * assembler/X86Registers.h: Added. - * assembler/X86_64Registers.h: Added. - * jit/GPRInfo.h: Fix typo in comment (s/basline/baseline). - * jit/RegisterSet.cpp: - (JSC::RegisterSet::reservedHardwareRegisters): Use register properties from register info file. - (JSC::RegisterSet::calleeSaveRegisters): likewise. + * PlatformGTK.cmake: + * PlatformJSCOnly.cmake: + * PlatformMac.cmake: + * PlatformPlayStation.cmake: + * shell/CMakeLists.txt: -2019-07-02 Michael Saboff +2020-12-11 Dmitry Bezhetskov - Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code - https://bugs.webkit.org/show_bug.cgi?id=199395 + [WASM-References] Add table.init + https://bugs.webkit.org/show_bug.cgi?id=219297 + + Reviewed by Yusuke Suzuki. + + Add support for table.init, elem.drop and new element section + from reference-type proposal: + https://webassembly.github.io/reference-types/core/syntax/instructions.html#table-instructions, + https://webassembly.github.io/reference-types/core/syntax/modules.html#element-segments. + All in one patch because all this stuff are very coupled and ref-types + spec tests require each other to run the its tests, so not to write + hand-crafted tests this is in one PR. 
+ + * bytecode/BytecodeList.rb: + * llint/WebAssembly.asm: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::addTableInit): + (JSC::Wasm::AirIRGenerator::addElemDrop): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addTableInit): + (JSC::Wasm::B3IRGenerator::addElemDrop): + * wasm/WasmFormat.h: + (JSC::Wasm::Element::Element): + (JSC::Wasm::Element::length const): + (JSC::Wasm::Element::isPassive const): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseExpression): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + (JSC::Wasm::Instance::elemDrop): + (JSC::Wasm::Instance::elem const): + (JSC::Wasm::Instance::initElementSegment): + (JSC::Wasm::Instance::tableInit): + * wasm/WasmInstance.h: + (JSC::Wasm::Instance::isImportFunction const): + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::addTableInit): + (JSC::Wasm::LLIntGenerator::addElemDrop): + * wasm/WasmModuleInformation.h: + (JSC::Wasm::ModuleInformation::elementCount const): + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmOperations.h: + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseElement): + (JSC::Wasm::SectionParser::parseElementSegmentVectorOfExpressions): + (JSC::Wasm::SectionParser::parseElementSegmentVectorOfIndexes): + (JSC::Wasm::SectionParser::parseFuncIndexFromRefExpForElementSection): Deleted. + (JSC::Wasm::SectionParser::parseFuncIndexForElementSection): Deleted. + * wasm/WasmSectionParser.h: + * wasm/WasmSlowPaths.cpp: + (JSC::LLInt::WASM_SLOW_PATH_DECL): + * wasm/WasmSlowPaths.h: + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/wasm.json: + +2020-12-11 Mark Lam + + Add extra validation after untagging code pointers. + https://bugs.webkit.org/show_bug.cgi?id=219765 + rdar://72069920 + + Reviewed by Robin Morisset. 
+ + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::untagReturnAddress): + (JSC::AbstractMacroAssembler::validateUntaggedPtr): + * assembler/MacroAssemblerARM64E.h: + (JSC::MacroAssemblerARM64E::untagReturnAddress): + (JSC::MacroAssemblerARM64E::validateUntaggedPtr): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::prepareForTailCallSlow): + * jit/CallFrameShuffler.cpp: + (JSC::CallFrameShuffler::prepareForTailCall): + * jit/ThunkGenerators.cpp: + (JSC::emitPointerValidation): + (JSC::arityFixupGenerator): + * llint/LLIntThunks.cpp: + (JSC::LLInt::createTailCallGate): + (JSC::LLInt::untagGateThunk): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2020-12-10 Tadeu Zagallo + + Removing unnecessary locking from JSValue API functions + https://bugs.webkit.org/show_bug.cgi?id=219723 Reviewed by Filip Pizlo. - For destructuring assignmests, the assignment might throw a reference error if - the RHS cannot be coerced. The current bytecode generated for such assignments - optimizes out the TDZ check after the coercible check. + Remove the unnecessary locking from the JSValueIs* and JSValueMake* API functions + that only work on primitives. Also remove the unnecessary method dispatching and + call from the -[JSValue is*] methods. - By saving the current state of the TDZ stack before processing the setting of - target destructured values and then restoring afterwards, we won't optimize out - later TDZ check(s). + This improves the APIBench score by another ~8% since these are such common operations. + Here are the results: (Baseline includes https://bugs.webkit.org/show_bug.cgi?id=219663) - A similar change of saving / restoring the TDZ stack where exceptions might - happen was done for for..in loops in change set r232219. 
+ CURRENT_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 74ms 60ms + RichardsMostlyObjC: 304ms 300ms + RichardsMostlySwift: 305ms 293ms + RichardsSomeC: 97ms 77ms + RichardsSomeObjC: 158ms 159ms + RichardsSomeSwift: 202ms 198ms + + UPCOMING_API: Baseline Change + ---------------------------------------- + RichardsMostlyC: 23ms 19ms + RichardsMostlyObjC: 282ms 282ms + RichardsMostlySwift: 280ms 282ms + RichardsSomeC: 95ms 76ms + RichardsSomeObjC: 157ms 156ms + RichardsSomeSwift: 202ms 197ms + ---------------------------------------- + Score: 33.6404 36.4006 + + * API/APICast.h: + (toRef): + * API/JSValue.mm: + (-[JSValue isUndefined]): + (-[JSValue isNull]): + (-[JSValue isBoolean]): + (-[JSValue isNumber]): + (-[JSValue isString]): + (-[JSValue isObject]): + (-[JSValue isSymbol]): + * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsUndefined): + (JSValueIsNull): + (JSValueIsBoolean): + (JSValueIsNumber): + (JSValueIsString): + (JSValueIsObject): + (JSValueIsSymbol): + (JSValueMakeUndefined): + (JSValueMakeNull): + (JSValueMakeBoolean): + (JSValueMakeNumber): + +2020-12-10 Alexey Shvayka + + Align [[DefineOwnProperty]] method of mapped arguments object with the spec + https://bugs.webkit.org/show_bug.cgi?id=219750 + + Reviewed by Yusuke Suzuki. + + This patch reimplements [[DefineOwnProperty]] method to resemble the spec [1] as + closely as possible, aligning JSC with V8 and SpiderMonkey on remaining test262 cases. + + Unlike the spec [2], JSC doesn't materialize mapped indices with initial values, + so putDirectIndex() is performed on the first call to handle incomplete descriptors. + + Even though there is a possibility to avoid JSObject storage puts for a handful of + super rare descriptors, it's not worth the increased complexity. 
+ + [1]: https://tc39.es/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc + [2]: https://tc39.es/ecma262/#sec-createmappedargumentsobject (step 15.b) + + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::defineOwnProperty): + +2020-12-10 Tadeu Zagallo + + Add a JSC API to allow acquiring the JSLock + https://bugs.webkit.org/show_bug.cgi?id=219663 + + Reviewed by Filip Pizlo. + + Introduce two new functions to the C API: JSLock and JSUnlock. These + functions allow users to take control of the JSContext's lock, which + can greatly reduce the overhead of bridging between JS and native. + + * API/JSLockRef.cpp: Added. + (JSLock): + (JSUnlock): + * API/JSLockRefPrivate.h: Added. + * API/JSValueRef.cpp: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + +2020-12-10 Don Olmstead + + [CMake] Determine when to use $ for executables + https://bugs.webkit.org/show_bug.cgi?id=219648 + + Reviewed by Michael Catanzaro. + + Use ${taget_name}_FRAMEWORKS to specify WebKit frameworks when linking executables. + + * CMakeLists.txt: + * shell/CMakeLists.txt: + +2020-12-10 Don Olmstead + + [CMake] Use WEBKIT_EXECUTABLE macro for LLInt executables + https://bugs.webkit.org/show_bug.cgi?id=219746 + + Reviewed by Michael Catanzaro. + + The LLInt executables were the only ones within Source that were being created + without the WEBKIT_EXECUTABLE macros. + + * CMakeLists.txt: + +2020-12-10 Patrick Angle + + Web Inspector: Show current properties for font in new Elements sidebar Font panel + https://bugs.webkit.org/show_bug.cgi?id=218964 + + Reviewed by Devin Rousso. + + Adds objects and method for getting font data for a node to the `CSS` domain. A `CSS.Font` is meant to represent + a `WebCore::Font` and contain information about the underlying font as the system sees it. The source for this + information can be a system font or a web font. 
Each `CSS.Font` in turn can have some number of + `CSS.FontVariationAxis` for its available open-type variation axes. Fonts that don't support these features will + have an empty set of axes. + + * inspector/protocol/CSS.json: + - Added objects and method for getting font data for a node. + +2020-12-10 Don Olmstead + + [CMake] Use TARGET_PROPERTY to set includes for executables + https://bugs.webkit.org/show_bug.cgi?id=219743 + + Reviewed by Michael Catanzaro. + + Use $ for all executables being + built alongside JavaScriptCore. This simplifies the includes for those targets. + + Additionally relocate the setting of include directories for LLInt executables + so they're next to the rest of their definitions. + + * CMakeLists.txt: + * shell/CMakeLists.txt: + +2020-12-09 Dmitry Bezhetskov + + Fix redundant assert + https://bugs.webkit.org/show_bug.cgi?id=219725 + + Reviewed by Ross Kirsling. + + * runtime/JSArrayBufferPrototype.cpp: + (JSC::arrayBufferSlice): + +2020-12-08 Ross Kirsling + + Unreviewed debug test fix following r270552. + + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructCustomArrayBufferIfNeeded): + (JSC::constructGenericTypedArrayViewWithArguments): + Add missing exception check (and rearrange slightly). + +2020-12-08 Ross Kirsling + + Unreviewed non-unified build fix following r270552. + + * runtime/JSArrayBufferPrototypeInlines.h: + +2020-12-08 Ross Kirsling + + Align %TypedArray% constructor behavior with spec + https://bugs.webkit.org/show_bug.cgi?id=219527 + + Reviewed by Yusuke Suzuki. + + These should be the last JSC-side corrections for typed array behavior: + namely, fixes for the constructor itself. + + Broadly speaking, there are three fixes here: + 1. ArrayBuffer argument (https://tc39.es/ecma262/#sec-initializetypedarrayfromarraybuffer): + We need to throw if the input buffer gets detached. + + 2. 
Array-like argument (https://tc39.es/ecma262/#sec-initializetypedarrayfromarraylike): + length needs toLength, not toUInt32. + + 3. Typed array argument (https://tc39.es/ecma262/#sec-initializetypedarrayfromtypedarray): + We need to support the case where the input typed array uses a custom ArrayBuffer. + This case is *extremely* strange -- we still create the same type of typed array with a normal ArrayBuffer, + but we override the prototype of that ArrayBuffer to inputTypedArray.buffer.constructor[@@species].prototype. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * runtime/JSArrayBufferConstructor.cpp: + * runtime/JSArrayBufferPrototype.cpp: + (JSC::arrayBufferSpeciesConstructorSlow): Added. + (JSC::speciesWatchpointIsValid): Moved. + * runtime/JSArrayBufferPrototype.h: + * runtime/JSArrayBufferPrototypeInlines.h: Added. + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructCustomArrayBufferIfNeeded): Added. + (JSC::constructGenericTypedArrayViewWithArguments): + * runtime/JSGlobalObject.h: + +2020-12-08 Yusuke Suzuki + + [JSC] Enable "at" methods + https://bugs.webkit.org/show_bug.cgi?id=219631 + + Reviewed by Ross Kirsling. + + This patch enables "at" methods in Array, String, and %TypedArray% by flipping runtime flag. + + * runtime/OptionsList.h: + +2020-12-08 Caio Lima + + [ESNext] op_put_private_name is wrong + https://bugs.webkit.org/show_bug.cgi?id=219616 + + Reviewed by Tadeu Zagallo. + + Since `m_property` is a JSCell pointer, we need to use both `loadp` + and `bpneq` on `op_put_private_name`. + + * llint/LowLevelInterpreter64.asm: + +2020-12-07 Dmitry Bezhetskov + + [WASM-References] Add support for table.copy + https://bugs.webkit.org/show_bug.cgi?id=219427 + + Reviewed by Yusuke Suzuki. + + Add support for table.copy from reference types proposal: + https://webassembly.github.io/reference-types/core/syntax/instructions.html#table-instructions. 
+ The table.copy instruction accepts three stack arguments (destination + offset, source offset, length) and two immediates for table indexes + and copies items from one wasm table to another. + + + * bytecode/BytecodeList.rb: + * llint/WebAssembly.asm: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::addTableFill): + (JSC::Wasm::AirIRGenerator::addTableCopy): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addTableFill): + (JSC::Wasm::B3IRGenerator::addTableCopy): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseExpression): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::tableCopy): + * wasm/WasmInstance.h: + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::addTableCopy): + * wasm/WasmOperations.cpp: + (JSC::Wasm::isSumOverflow): + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmOperations.h: + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseElement): + * wasm/WasmSlowPaths.cpp: + (JSC::LLInt::WASM_SLOW_PATH_DECL): + * wasm/WasmSlowPaths.h: + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::copy): + (JSC::Wasm::FuncRefTable::copyFunction): + * wasm/WasmTable.h: + * wasm/wasm.json: + +2020-12-07 Don Olmstead + + [CMake] Remove WEBKIT_WRAP_SOURCELIST + https://bugs.webkit.org/show_bug.cgi?id=196916 + + Reviewed by Michael Catanzaro. + + * CMakeLists.txt: + +2020-12-06 Yusuke Suzuki + + [JSC] get / set for object literal and class should not be escaped + https://bugs.webkit.org/show_bug.cgi?id=219576 + + Reviewed by Alexey Shvayka. + + "get" and "set" for getter and setter should not be escaped one. + Terminal symbols of the lexical grammars are shown in fixed width font [1], + and are to appear in a script exactly as written. 
+ + [1]: https://tc39.es/ecma262/#sec-method-definitions + + * parser/Parser.cpp: + (JSC::Parser::parseClass): + (JSC::Parser::parseProperty): + +2020-12-05 Yusuke Suzuki + + [JSC] Accept escaped keywords for class and object property names + https://bugs.webkit.org/show_bug.cgi?id=219575 + + Reviewed by Alexey Shvayka. + + In this patch, we accept escaped keywords for class, object, and object pattern property names. + + var object = { + bre\u0061k: 42 + }; + + When escaped keyword appears, we produce ESCAPED_KEYWORD with CanBeErrorTokenFlag. Now CanBeErrorTokenFlag + represents "when this token appears in an error condition, possibly this is error token and special message will appear", + instead of saying this token is definitely an error. So we can just use ESCAPED_KEYWORD token to handle this case. + + * parser/Lexer.cpp: + (JSC::Lexer::parseIdentifierSlowCase): + (JSC::Lexer::lexWithoutClearingLineTerminator): + * parser/Parser.cpp: + (JSC::Parser::parseDestructuringPattern): + (JSC::Parser::parseClass): + (JSC::Parser::parseProperty): + (JSC::Parser::printUnexpectedTokenText): + * parser/Parser.h: + (JSC::Parser::parse): + * parser/ParserTokens.h: + +2020-12-04 Adam Roben + + More FALLBACK_PLATFORM adoption + https://bugs.webkit.org/show_bug.cgi?id=219545 + + Reviewed by Tim Horton. + + * Configurations/SDKVariant.xcconfig: + WK_EMPTY_$(THIS_IS_NOT_EMPTY) evaluates to the empty string, not to + NO. + +2020-12-04 Caio Lima + + [JIT] Value profile stores wrong value in BaselineJIT for some operations + https://bugs.webkit.org/show_bug.cgi?id=219535 + + Reviewed by Mark Lam. + + This patch is a follow up from r270423 to fix 32-bits baseline JIT + code from `op_iterator_next`. It's also fixing wrong profile value for + `op_get_prototype_of`. 
+ + * jit/JITCall32_64.cpp: + (JSC::JIT::emit_op_iterator_next): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_get_prototype_of): + +2020-12-03 Saam Barati + + "done" checkpoint of iterator_next stores the wrong register in the value profile in baseline JIT + https://bugs.webkit.org/show_bug.cgi?id=219501 + + Reviewed by Keith Miller. + + * jit/JIT.h: + * jit/JITCall.cpp: + (JSC::JIT::emit_op_iterator_next): + * jit/JITInlines.h: + (JSC::JIT::emitValueProfilingSite): + (JSC::JIT::emitValueProfilingSiteIfProfiledOpcode): + +2020-12-03 Adam Roben + + Adopt FALLBACK_PLATFORM + https://bugs.webkit.org/show_bug.cgi?id=219504 + + Reviewed by Tim Horton. + + * Configurations/SDKVariant.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Scripts/check-xcfilelists.sh: + Use FALLBACK_PLATFORM it if it's defined, otherwise use PLATFORM_NAME + as before. + +2020-12-03 Yusuke Suzuki + + [JSC] not using std::make_pair for workaround of (possibly) ASan bug + https://bugs.webkit.org/show_bug.cgi?id=219502 + + + Reviewed by Robin Morisset. + + We are getting ASan crash in LayoutTests/fast/canvas/webgl/array-unit-tests.html after r269574. + However, this is inside std::make_pair, and it looks like a bug in ASan. + To workaround this for now, we avoid using std::make_pair and instead just using C++ uniform initialization. + + * runtime/JSArrayBufferPrototype.cpp: + +2020-12-03 Saam Barati + + JIT::emit_op_iterator_next fast path passes in the wrong identifier to the "done" JITGetByIdGenerator + https://bugs.webkit.org/show_bug.cgi?id=219499 + + Reviewed by Keith Miller. + + The reason nothing was failing here is that the slow path which calls into C + code to do repatching of the IC was using the right "done" identifier. The + fast path only checks if the identifier is "length", so the code sidestepped + itself being wrong in any way. However, it's good form to use the correct + identifier. 
+ + * jit/JITCall.cpp: + (JSC::JIT::emit_op_iterator_next): + +2020-12-03 Lauro Moura + + [WTF] Avoid JSONValue::create with raw string falling to bool overload + https://bugs.webkit.org/show_bug.cgi?id=219483 + + Reviewed by Adrian Perez de Castro. + + * inspector/InjectedScriptBase.cpp: + (Inspector::InjectedScriptBase::makeAsyncCall): Convert to WTF::String when creating the value. + +2020-12-02 Michael Catanzaro + + aarch64 llint does not build with JIT disabled + https://bugs.webkit.org/show_bug.cgi?id=219288 + + + Reviewed by Darin Adler. + + * assembler/ARM64Assembler.h: Rename USE(JUMP_ISLANDS) to ENABLE(JUMP_ISLANDS). + (JSC::ARM64Assembler::replaceWithJump): + (JSC::ARM64Assembler::linkJumpOrCall): + * assembler/AbstractMacroAssembler.h: Rename USE(JUMP_ISLANDS) to ENABLE(JUMP_ISLANDS). + (JSC::AbstractMacroAssembler::prepareForAtomicRepatchNearCallConcurrently): + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): Guard JIT-specific code with ENABLE(JIT). + * jit/ExecutableAllocator.cpp: Rename USE(JUMP_ISLANDS) to ENABLE(JUMP_ISLANDS). + (JSC::initializeJITPageReservation): + * jit/ExecutableAllocator.h: Rename USE(JUMP_ISLANDS) to ENABLE(JUMP_ISLANDS). + +2020-12-02 Ross Kirsling + + %TypedArray%#slice shouldn't care about source buffer detachment if there's nothing to copy + https://bugs.webkit.org/show_bug.cgi?id=219451 + + Reviewed by Yusuke Suzuki. + + From https://tc39.es/ecma262/#sec-%typedarray%.prototype.slice: + 13. Let A be ? TypedArraySpeciesCreate(O, « 𝔽(count) »). + 14. If count > 0, then + a. If IsDetachedBuffer(O.[[ViewedArrayBuffer]]) is true, throw a TypeError exception. + ... + 15. Return A. + + We had step 14.a raised above 14; this patch fixes the ordering. 
+ + * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: + (JSC::genericTypedArrayViewProtoFuncSlice): + +2020-12-02 Dmitry Bezhetskov + + [WASM-References] Add support for active mods in element section + https://bugs.webkit.org/show_bug.cgi?id=219192 + + Reviewed by Yusuke Suzuki. + + Adjust wasm parser to parse new form of element section. + https://webassembly.github.io/reference-types/core/binary/modules.html#element-section. + + * wasm/WasmEntryPlan.cpp: + (JSC::Wasm::EntryPlan::prepare): + * wasm/WasmFormat.h: + (JSC::Wasm::Element::Element): + (JSC::Wasm::Element::active const): + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseElement): + (JSC::Wasm::SectionParser::validateElementTableIdx): + (JSC::Wasm::SectionParser::parseI32InitExpr): + (JSC::Wasm::SectionParser::parseElemKind): + (JSC::Wasm::SectionParser::parseIndexCountForElemSection): + (JSC::Wasm::SectionParser::parseFuncIdxFromRefExpForElemSection): + (JSC::Wasm::SectionParser::parseFuncIdxForElemSection): + * wasm/WasmSectionParser.h: + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + +2020-12-01 Sergey Rubanov + + Fix Aarch64 build failure + https://bugs.webkit.org/show_bug.cgi?id=219395 + + Reviewed by Yusuke Suzuki. + + * offlineasm/arm64.rb: + +2020-12-01 Keith Rollin + + Consolidate header postprocessing scripts + https://bugs.webkit.org/show_bug.cgi?id=219388 + + + Reviewed by David Kilzer. + + Our build system contains the following scripts to perform some + postprocessing of headers that we export to the SDK: + + JavaScriptCore/postprocess-headers.sh + WebKit/mac/postprocess-framework-headers.sh + WebKitLegacy/mac/postprocess-headers.sh + + The preceding scripts are used when using the non-XCBuild -- or + "legacy" -- Xcode build system. They are invoked in a custom Run + Script build phase after the headers have been exported with the + standard Xcode facility for creating frameworks. 
+ + Alternatively, we also have the following postprocessing scripts: + + WebKit/Scripts/postprocess-header-rule + JavaScriptCore/Scripts/postprocess-header-rule + WebKitLegacy/scripts/postprocess-header-rule + + These scripts are used when using the XCBuild build system. They are + invoked *during* the header export process to copy and postprocess the + headers in one blow. They are part of a Custom Build Rule for + exporting files ending in ".h". + + The reason why we have two sets of scripts is because of the different + capabilities of the two Xcode build systems. The legacy system does + not support a custom "export header" step that would allow us to copy + and postprocess each header in a single step. Therefore, when using + the legacy build system, we export in one build step and postprocess + in a subsequent build step. And XCBuild doesn't like the approach + taken by the old build system where files are exported first and then + munged in a separate step, since that confuses its notion of the state + of the build ("Hey! That file I exported in the previous build? I see + now that it's been changed, so I'm going to export it again. And + change its modification date. And then rebuild everything downstream + that uses it."). Therefore, XCBuild added a facility for copying and + postprocessing in one step. + + The scripts supporting each of these approaches are very similar to + each other, such that there is a lot of code duplication between them. + At the same time, by having two sets of scripts that are very similar + to each other, we run the risk of "drift", where files in one set may + get updated while their counterparts in the other set are not. + + Address this duplication by making the scripts in the "legacy" set be + mere stubs that invoke the scripts in the new "XCBuild" set. 
In doing + this, we also fix a case of drift: the legacy-based scripts made use + of a timestamp file to determine if headers needed to be reprocessed + and exported, while the XCBuild-based scripts used a "process the + files and export them if any actual changes now exist between this new + version and any previously-exported version" approach. + + Along the way, fix a bug in WebKitLegacy's postprocess-header-rule + that resulted in WebKitAvailability.h not being processed. The + practical effect of this bug is that the file ended up with both macOS + and iOS code, along with the #if that controlled which chunk of code + was compiled, instead of just the chunk of code specific to the + targeted SDK. Normally, the unused chunk of code would get removed + through the invocation of `unifdef`. But, because of the bug, the + results of running `unifdef` were being discarded. + + * postprocess-headers.sh: + +2020-12-01 Alexey Shvayka + + Remove unused getPrimitiveNumber() methods + https://bugs.webkit.org/show_bug.cgi?id=219370 + + Reviewed by Mark Lam. + + These methods were originated in KJS, have weird signature / return value, + are currently unused, and were displaced by toNumber() / toPrimitive(). + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::getPrimitiveNumber const): Deleted. + * runtime/JSBigInt.h: + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::getPrimitiveNumber): Deleted. + * runtime/JSCell.cpp: + (JSC::JSCell::getPrimitiveNumber const): Deleted. + * runtime/JSCell.h: + * runtime/JSObject.cpp: + (JSC::JSObject::getPrimitiveNumber const): Deleted. + * runtime/JSObject.h: + * runtime/JSString.cpp: + (JSC::JSString::getPrimitiveNumber const): Deleted. + * runtime/JSString.h: + (JSC::JSString::toBoolean const): + * runtime/Symbol.cpp: + (JSC::Symbol::getPrimitiveNumber const): Deleted. 
+ * runtime/Symbol.h: + +2020-12-01 Lauro Moura + + [JSC] Make Bytecodes generator command also depend on wasm.json + https://bugs.webkit.org/show_bug.cgi?id=219383 + + Reviewed by Adrian Perez de Castro. + + r270265 added some new operations to wasm.json but its change did not + trigger the bytecodes generator command, causing the build to fail in + some platforms (in fact, it was caught by GTK and WPE EWS bots). + + * CMakeLists.txt: Add wasm.json as dependency to the bytecodes.h generator + command. + +2020-11-30 Yusuke Suzuki + + Making module entry promise-like by setting "then" + https://bugs.webkit.org/show_bug.cgi?id=216695 + + Reviewed by Saam Barati. + + Setting then: @undefined to make entry promise-like. + We also optimize @InternalPromise.internalAll a bit. + + * builtins/InternalPromiseConstructor.js: + (internalAll.newResolveElement): + (internalAll): + * builtins/ModuleLoader.js: + (globalPrivate.newRegistryEntry): + (requestImportModule): + (async requestImportModule): Deleted. + * builtins/PromiseOperations.js: + (globalPrivate.fulfillPromiseWithFirstResolvingFunctionCallCheck): + +2020-11-30 Sergey Rubanov + + Add support for the Wasm i64 sign-extension-ops proposal + https://bugs.webkit.org/show_bug.cgi?id=218990 + + Reviewed by Yusuke Suzuki. + + * llint/WebAssembly.asm: + * offlineasm/arm64.rb: + * offlineasm/cloop.rb: + * offlineasm/instructions.rb: + * offlineasm/x86.rb: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + * wasm/wasm.json: + +2020-11-28 Yusuke Suzuki + + Unreviewed, follow-up after r270214 + https://bugs.webkit.org/show_bug.cgi?id=219281 + + ARM64 does not support unary Not32 / Not64. + + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::emitAtomicBinaryRMWOp): + +2020-11-27 Yusuke Suzuki + + [JSC] Use ARM atomic ops in wasm + https://bugs.webkit.org/show_bug.cgi?id=219281 + + Reviewed by Filip Pizlo. 
+ + This patch uses ARM LSE Atomic instructions in wasm atomic operations. This includes support in MacroAssembler, offlineasm, Air and B3, + so that FTL atomic operations automatically leverage ARM LSE atomic instructions too. Later we can extend DFG JIT to use it too. + + One interesting thing is that this includes a fix for cmpxchg wasm operation implementations. Unfortunately, current wasm cmpxchg ops + are not the same to ARM cas / X86 cmpxchg. For example, i64.atomic.rmw8.cmpxchg_u takes i64 expected value. And the spec requires that + we should perform `i64-expected-value loaded-zero-extended-1byte-value`. For example, if the expected value is `0xffffffff_ffffff00`, + and the value stored in the memory is `0x00`, then the wasm op needs to fail since `0x00` is not `0xffffffff_ffffff00`. But x86 and ARM + cmpxchg / cas ops behave differently since it truncates expected value to 1byte when performing 1byte cmpxchg. So we need to have a check + which performs the value is within 1byte range in this operation. 
+ + * assembler/ARM64EAssembler.h: + (JSC::ARM64EAssembler::exoticAtomicLoadStore): + (JSC::ARM64EAssembler::exoticAtomicCAS): + (JSC::ARM64EAssembler::ldaddal): + (JSC::ARM64EAssembler::ldeoral): + (JSC::ARM64EAssembler::ldclral): + (JSC::ARM64EAssembler::ldsetal): + (JSC::ARM64EAssembler::swpal): + (JSC::ARM64EAssembler::casal): + * assembler/MacroAssemblerARM64E.h: + (JSC::MacroAssemblerARM64E::atomicXchgAdd8): + (JSC::MacroAssemblerARM64E::atomicXchgAdd16): + (JSC::MacroAssemblerARM64E::atomicXchgAdd32): + (JSC::MacroAssemblerARM64E::atomicXchgAdd64): + (JSC::MacroAssemblerARM64E::atomicXchgXor8): + (JSC::MacroAssemblerARM64E::atomicXchgXor16): + (JSC::MacroAssemblerARM64E::atomicXchgXor32): + (JSC::MacroAssemblerARM64E::atomicXchgXor64): + (JSC::MacroAssemblerARM64E::atomicXchgOr8): + (JSC::MacroAssemblerARM64E::atomicXchgOr16): + (JSC::MacroAssemblerARM64E::atomicXchgOr32): + (JSC::MacroAssemblerARM64E::atomicXchgOr64): + (JSC::MacroAssemblerARM64E::atomicXchgClear8): + (JSC::MacroAssemblerARM64E::atomicXchgClear16): + (JSC::MacroAssemblerARM64E::atomicXchgClear32): + (JSC::MacroAssemblerARM64E::atomicXchgClear64): + (JSC::MacroAssemblerARM64E::atomicXchg8): + (JSC::MacroAssemblerARM64E::atomicXchg16): + (JSC::MacroAssemblerARM64E::atomicXchg32): + (JSC::MacroAssemblerARM64E::atomicXchg64): + (JSC::MacroAssemblerARM64E::atomicStrongCAS8): + (JSC::MacroAssemblerARM64E::atomicStrongCAS16): + (JSC::MacroAssemblerARM64E::atomicStrongCAS32): + (JSC::MacroAssemblerARM64E::atomicStrongCAS64): + * b3/B3LowerMacros.cpp: + * b3/B3LowerToAir.cpp: + * b3/air/AirOpcode.opcodes: + * b3/air/opcode_generator.rb: + * disassembler/ARM64/A64DOpcode.cpp: + (JSC::ARM64Disassembler::A64DOpcodeLoadAtomic::format): + (JSC::ARM64Disassembler::A64DOpcodeSwapAtomic::format): + (JSC::ARM64Disassembler::A64DOpcodeCAS::format): + * disassembler/ARM64/A64DOpcode.h: + (JSC::ARM64Disassembler::A64DOpcode::appendInstructionName): + (JSC::ARM64Disassembler::A64DOpcodeLoadAtomic::opName): + 
(JSC::ARM64Disassembler::A64DOpcodeLoadAtomic::rs): + (JSC::ARM64Disassembler::A64DOpcodeLoadAtomic::opc): + (JSC::ARM64Disassembler::A64DOpcodeLoadAtomic::ar): + (JSC::ARM64Disassembler::A64DOpcodeLoadAtomic::opNumber): + (JSC::ARM64Disassembler::A64DOpcodeSwapAtomic::opName): + (JSC::ARM64Disassembler::A64DOpcodeSwapAtomic::rs): + (JSC::ARM64Disassembler::A64DOpcodeSwapAtomic::ar): + (JSC::ARM64Disassembler::A64DOpcodeSwapAtomic::opNumber): + (JSC::ARM64Disassembler::A64DOpcodeCAS::opName): + (JSC::ARM64Disassembler::A64DOpcodeCAS::rs): + (JSC::ARM64Disassembler::A64DOpcodeCAS::o1): + (JSC::ARM64Disassembler::A64DOpcodeCAS::l): + (JSC::ARM64Disassembler::A64DOpcodeCAS::opNumber): + * llint/WebAssembly.asm: + * offlineasm/arm64.rb: + * offlineasm/instructions.rb: + * offlineasm/x86.rb: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::sanitizeAtomicResult): + (JSC::Wasm::AirIRGenerator::appendGeneralAtomic): + (JSC::Wasm::AirIRGenerator::appendStrongCAS): + (JSC::Wasm::AirIRGenerator::emitAtomicLoadOp): + (JSC::Wasm::AirIRGenerator::emitAtomicStoreOp): + (JSC::Wasm::AirIRGenerator::emitAtomicBinaryRMWOp): + (JSC::Wasm::AirIRGenerator::emitAtomicCompareExchange): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::emitAtomicCompareExchange): + +2020-11-26 Yusuke Suzuki + + [JSC] Add wasm atomics instructions + https://bugs.webkit.org/show_bug.cgi?id=218954 + + Reviewed by Filip Pizlo. + + This patch implements wasm threading's atomic operations[1] in X86_64 and ARM64. Currently, all ARM64 atomic operations are implemented by using LL/SC. + Later, we will use ARM64 CAS operations if possible, at least in ARM64E. + + To test it easily, we also extend jsc shell's worker to support transferring shared WebAssembly.Memory so that we can use wasm atomic operations in several + workers in jsc shell. 
+ + [1]: https://github.com/WebAssembly/threads + + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::atomicXchg8): + (JSC::MacroAssemblerX86Common::atomicXchg16): + (JSC::MacroAssemblerX86Common::atomicXchg32): + * b3/B3Kind.h: + (JSC::B3::Kind::hasTraps const): + * b3/B3LowerToAir.cpp: + * b3/B3Width.h: + (JSC::B3::bytesForWidth): + * b3/testb3_8.cpp: + (testAtomicXchg): + * bytecode/BytecodeList.rb: + * interpreter/Register.h: + (JSC::Register::unboxedInt64 const): + (JSC::Register::asanUnsafeUnboxedInt64 const): + * jsc.cpp: + (Message::releaseContents): + (Message::Message): + (JSC_DEFINE_HOST_FUNCTION): + * llint/WebAssembly.asm: + * offlineasm/arm64.rb: + * offlineasm/instructions.rb: + * offlineasm/x86.rb: + * runtime/OptionsList.h: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::appendEffectful): + (JSC::Wasm::accessWidth): + (JSC::Wasm::sizeOfAtomicOpMemoryAccess): + (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffsetForAtomicOps): + (JSC::Wasm::AirIRGenerator::sanitizeAtomicResult): + (JSC::Wasm::AirIRGenerator::appendGeneralAtomic): + (JSC::Wasm::AirIRGenerator::appendStrongCAS): + (JSC::Wasm::AirIRGenerator::emitAtomicLoadOp): + (JSC::Wasm::AirIRGenerator::atomicLoad): + (JSC::Wasm::AirIRGenerator::emitAtomicStoreOp): + (JSC::Wasm::AirIRGenerator::atomicStore): + (JSC::Wasm::AirIRGenerator::emitAtomicBinaryRMWOp): + (JSC::Wasm::AirIRGenerator::atomicBinaryRMW): + (JSC::Wasm::AirIRGenerator::emitAtomicCompareExchange): + (JSC::Wasm::AirIRGenerator::atomicCompareExchange): + (JSC::Wasm::AirIRGenerator::atomicWait): + (JSC::Wasm::AirIRGenerator::atomicNotify): + (JSC::Wasm::AirIRGenerator::atomicFence): + (JSC::Wasm::AirIRGenerator::addCall): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): + (JSC::Wasm::B3IRGenerator::memoryKind): + (JSC::Wasm::accessWidth): + (JSC::Wasm::sizeOfAtomicOpMemoryAccess): + (JSC::Wasm::B3IRGenerator::sanitizeAtomicResult): + 
(JSC::Wasm::B3IRGenerator::fixupPointerPlusOffsetForAtomicOps): + (JSC::Wasm::B3IRGenerator::emitAtomicLoadOp): + (JSC::Wasm::B3IRGenerator::atomicLoad): + (JSC::Wasm::B3IRGenerator::emitAtomicStoreOp): + (JSC::Wasm::B3IRGenerator::atomicStore): + (JSC::Wasm::B3IRGenerator::emitAtomicBinaryRMWOp): + (JSC::Wasm::B3IRGenerator::atomicBinaryRMW): + (JSC::Wasm::B3IRGenerator::emitAtomicCompareExchange): + (JSC::Wasm::B3IRGenerator::atomicCompareExchange): + (JSC::Wasm::B3IRGenerator::atomicWait): + (JSC::Wasm::B3IRGenerator::atomicNotify): + (JSC::Wasm::B3IRGenerator::atomicFence): + (JSC::Wasm::B3IRGenerator::addCall): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::atomicLoad): + (JSC::Wasm::FunctionParser::atomicStore): + (JSC::Wasm::FunctionParser::atomicBinaryRMW): + (JSC::Wasm::FunctionParser::atomicCompareExchange): + (JSC::Wasm::FunctionParser::atomicWait): + (JSC::Wasm::FunctionParser::atomicNotify): + (JSC::Wasm::FunctionParser::atomicFence): + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::atomicLoad): + (JSC::Wasm::LLIntGenerator::atomicStore): + (JSC::Wasm::LLIntGenerator::atomicBinaryRMW): + (JSC::Wasm::LLIntGenerator::atomicCompareExchange): + (JSC::Wasm::LLIntGenerator::atomicWait): + (JSC::Wasm::LLIntGenerator::atomicNotify): + (JSC::Wasm::LLIntGenerator::atomicFence): + * wasm/WasmMemory.h: + * wasm/WasmMemoryInformation.cpp: + (JSC::Wasm::MemoryInformation::MemoryInformation): + * wasm/WasmMemoryInformation.h: + (JSC::Wasm::MemoryInformation::isShared const): + * wasm/WasmOperations.cpp: + (JSC::Wasm::wait): + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + * wasm/WasmOperations.h: + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseResizableLimits): + (JSC::Wasm::SectionParser::parseTableHelper): + (JSC::Wasm::SectionParser::parseMemoryHelper): + * wasm/WasmSectionParser.h: + * wasm/WasmSlowPaths.cpp: + 
(JSC::LLInt::WASM_SLOW_PATH_DECL):
+ * wasm/WasmSlowPaths.h:
+ * wasm/generateWasm.py:
+ (isAtomic):
+ (isAtomicLoad):
+ (isAtomicStore):
+ (isAtomicBinaryRMW):
+ (memoryLog2Alignment):
+ * wasm/generateWasmOpsHeader.py:
+ (atomicMemoryLoadMacroizer):
+ (atomicMemoryLoadMacroizer.modifier):
+ (atomicMemoryStoreMacroizer):
+ (atomicMemoryStoreMacroizer.modifier):
+ (atomicBinaryRMWMacroizer):
+ (atomicBinaryRMWMacroizer.modifier):
+ (memoryLog2AlignmentGenerator):
+ (atomicMemoryLog2AlignmentGenerator):
+ (ExtAtomicOpType):
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::tryCreate):
+ * wasm/wasm.json:
+
+2020-11-19 Yusuke Suzuki
+
+ [JSC] Enable private instance and static fields
+ https://bugs.webkit.org/show_bug.cgi?id=219179
+
+ Reviewed by Mark Lam.
+
+ Enable private instance and static fields. We are not supporting private methods and static private methods yet.
+
+ * runtime/OptionsList.h:
+
+2020-11-19 Saam Barati
+
+ Use os_thread_self_restrict_rwx_is_supported instead of pthread_jit_write_protect_supported_np on Apple Internal SDK builds
+ https://bugs.webkit.org/show_bug.cgi?id=219099
+
+
+ Reviewed by Mark Lam.
+
+ * assembler/FastJITPermissions.h:
+ (useFastJITPermissions):
+ (threadSelfRestrictRWXToRW):
+ (threadSelfRestrictRWXToRX):
+
+2020-11-19 Xan López
+
+ [JSC] Add support for static private class fields
+ https://bugs.webkit.org/show_bug.cgi?id=214297
+
+ Reviewed by Yusuke Suzuki.
+
+ Static private fields come trivially now that both private and
+ static (public) fields are implemented.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseClass): accept static private fields if the runtime option allows it.
+ * runtime/Options.cpp:
+ (JSC::Options::recomputeDependentOptions): usePrivateStaticClassFields depends on usePrivateClassFields.
+ * runtime/OptionsList.h: add runtime option to enable static private fields.
+ * tools/JSDollarVM.cpp: add a method to check for private symbols in the stress tests.
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::JSDollarVM::finishCreation):
+
+2020-11-19 Adrian Perez de Castro
+
+ [JSC] Build failed due to unknown values in LLIntDesiredOffsets.h
+ https://bugs.webkit.org/show_bug.cgi?id=219158
+
+ Reviewed by Don Olmstead.
+
+ CMake uses the contents of the variables OFFLINE_ASM and GENERATOR as part of the
+ dependencies that cause LLIntDesiredOffsets.h to be regenerated, so add to them
+ those files missing from the lists.
+
+ * CMakeLists.txt: Update OFFLINE_ASM and GENERATOR lists.
+
+2020-11-18 Dmitry Bezhetskov
+
+ [WASM-References] Remove subtyping rule for externref and funcref
+ https://bugs.webkit.org/show_bug.cgi?id=218885
+
+ Reviewed by Yusuke Suzuki.
+
+ Make funcref is not a subtype of externref.
+ The spec: https://webassembly.github.io/reference-types/core/
+ The PR for removing subtype from the spec:
+ https://github.com/WebAssembly/reference-types/pull/87.
+
+ * wasm/WasmFormat.h:
+ (JSC::Wasm::isSubtype):
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::parseExpression):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+
+2020-11-18 Ross Kirsling
+
+ [JSC] Reinstate String#at
+ https://bugs.webkit.org/show_bug.cgi?id=219124
+
+ Reviewed by Yusuke Suzuki.
+
+ At this week's TC39 meeting, consensus was achieved on renaming item() *and* keeping it for strings too.
+ Accordingly, this patch reinstates String.prototype.at behind the existing useAtMethod runtime option.
+
+ * builtins/StringPrototype.js:
+ (at):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+
+2020-11-17 Yusuke Suzuki
+
+ [JSC] Improve Wasm binary test coverage
+ https://bugs.webkit.org/show_bug.cgi?id=204843
+
+ Reviewed by Darin Adler.
+
+ This patch fixes some of bugs in wasm parser so that we validate malformed wasm modules more strictly.
+
+ 1. current_memory / grow_memory should have uint8 flag, not varuint32 flag.
+ 2.
global section should have uint8 mutability information, not varuint32.
+ 3. memory section should have varuint32 memory count.
+
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::parseExpression):
+ (JSC::Wasm::FunctionParser::parseUnreachableExpression):
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseResizableLimits):
+ (JSC::Wasm::SectionParser::parseMemory):
+ (JSC::Wasm::SectionParser::parseGlobalType):
+ * wasm/wasm.json:
+
+2020-11-18 Yusuke Suzuki
+
+ Unreviewed, relanding r269940
+ https://bugs.webkit.org/show_bug.cgi?id=219076
+
+ ARM64E clang optimizer is broken and optimizing forever if Wasm::MemoryHandle::memory() is inlined.
+ Putting NEVER_INLINE onto this function for now (unfortunate).
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * llint/LLIntPCRanges.h:
+ (JSC::LLInt::isWasmLLIntPC):
+ * llint/LowLevelInterpreter.asm:
+ * llint/WebAssembly.asm:
+ * runtime/JSArrayBuffer.h:
+ (JSC::JSArrayBuffer::toWrappedAllowShared):
+ * runtime/JSArrayBufferView.h:
+ * runtime/JSArrayBufferViewInlines.h:
+ (JSC::JSArrayBufferView::toWrappedAllowShared):
+ * runtime/JSGenericTypedArrayView.h:
+ (JSC::JSGenericTypedArrayView::toWrappedAllowShared):
+ * runtime/Options.cpp:
+ (JSC::overrideDefaults):
+ (JSC::Options::initialize):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::AirIRGenerator):
+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::AirIRGenerator::addCurrentMemory):
+ (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
+ (JSC::Wasm::AirIRGenerator::addCall):
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addCurrentMemory):
+ (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+ (JSC::Wasm::B3IRGenerator::addCall):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+ (JSC::Wasm::enableFastMemory):
+ (JSC::Wasm::prepareFastMemory):
+ * wasm/WasmInstance.h:
+ (JSC::Wasm::Instance::cachedMemory const):
+ (JSC::Wasm::Instance::cachedBoundsCheckingSize const):
+ (JSC::Wasm::Instance::updateCachedMemory):
+ (JSC::Wasm::Instance::offsetOfCachedBoundsCheckingSize):
+ (JSC::Wasm::Instance::cachedMemorySize const): Deleted.
+ (JSC::Wasm::Instance::offsetOfCachedMemorySize): Deleted.
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::MemoryHandle::MemoryHandle):
+ (JSC::Wasm::MemoryHandle::~MemoryHandle):
+ (JSC::Wasm::MemoryHandle::memory const):
+ (JSC::Wasm::Memory::Memory):
+ (JSC::Wasm::Memory::create):
+ (JSC::Wasm::Memory::tryCreate):
+ (JSC::Wasm::Memory::addressIsInGrowableOrFastMemory):
+ (JSC::Wasm::Memory::growShared):
+ (JSC::Wasm::Memory::grow):
+ (JSC::Wasm::Memory::dump const):
+ (JSC::Wasm::Memory::~Memory): Deleted.
+ (JSC::Wasm::Memory::addressIsInActiveFastMemory): Deleted.
+ * wasm/WasmMemory.h:
+ (JSC::Wasm::Memory::addressIsInGrowableOrFastMemory):
+ (JSC::Wasm::Memory::operator bool const): Deleted.
+ (JSC::Wasm::Memory::memory const): Deleted.
+ (JSC::Wasm::Memory::size const): Deleted.
+ (JSC::Wasm::Memory::sizeInPages const): Deleted.
+ (JSC::Wasm::Memory::initial const): Deleted.
+ (JSC::Wasm::Memory::maximum const): Deleted.
+ (JSC::Wasm::Memory::mode const): Deleted.
+ (JSC::Wasm::Memory::check): Deleted.
+ (JSC::Wasm::Memory::offsetOfMemory): Deleted.
+ (JSC::Wasm::Memory::offsetOfSize): Deleted.
+ (JSC::Wasm::Memory::addressIsInActiveFastMemory): Deleted.
+ * wasm/WasmMemoryInformation.cpp:
+ (JSC::Wasm::PinnedRegisterInfo::get):
+ (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
+ * wasm/WasmMemoryInformation.h:
+ (JSC::Wasm::PinnedRegisterInfo::toSave const):
+ * wasm/WasmMemoryMode.cpp:
+ (JSC::Wasm::makeString):
+ * wasm/WasmMemoryMode.h:
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::tryCreate):
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::buffer):
+ (JSC::JSWebAssemblyMemory::growSuccessCallback):
+ * wasm/js/JSWebAssemblyMemory.h:
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+ * wasm/js/WebAssemblyMemoryConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::evaluate):
+
+2020-11-18 Commit Queue
+
+ Unreviewed, reverting r269940.
+ https://bugs.webkit.org/show_bug.cgi?id=219076
+
+ caused seemingly-infinite build time regression
+
+ Reverted changeset:
+
+ "[JSC] Implement WebAssembly.Memory with shared"
+ https://bugs.webkit.org/show_bug.cgi?id=218693
+ https://trac.webkit.org/changeset/269940
+
+2020-11-16 Yusuke Suzuki
+
+ [JSC] Implement WebAssembly.Memory with shared
+ https://bugs.webkit.org/show_bug.cgi?id=218693
+
+ Reviewed by Saam Barati.
+
+ This patch implements shared WebAssembly.Memory. This can be shared between workers like SharedArrayBuffer.
+ The most interesting thing of shared WebAssembly.Memory is that it is growable. The memory can be grown in
+ one thread, and immediately, it should be accessible in the other threads.
+
+ To achieve that, shared WebAssembly.Memory leverages signaling even if bounds-checking is mainly used.
+ If the fast memory is enabled, we just use it so that mprotect can make memory grown easily.
But if fast memory + is disabled, we allocates requested VA region and perform bounds-checking with this VA. Since WebAssembly.Memory + always requires "maximum" size of memory, we can first allocate VA and map active part of memory first. And + when growing, we perform mprotect to the rest of the memory. Since this VA is not 4GB, we still need to perform + bounds-checking, but we perform bounds-checking with VA size instead of active memory size. As a result, even if + shared WebAssembly.Memory is grown, we do not need to update (1) pointer and (2) bounds-checking size. + The shared bounds-checking WebAssembly.Memory is something like below. + + <================================================ maximum ============================><------------ other memory, protected by bounds-checking --... + <======= active ==========><===================== not active yet =====================> + ^ [ if we access this, fault handler will detect it] ^ + pointer bounds checking size + + These "growable bound-checking memory" is now managed by wasm memory-manager. And fault handler is used even if fast memory is disabled. + And fault handler also accepts signals from Wasm LLInt code since both bounds-checkings + signalings are required to confine memory access even in + Wasm LLInt. This patch also renamed memory-size and size-register to bounds-checking-size and bounds-checking-size-register since this is no longer + a size of memory. 
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * llint/LLIntPCRanges.h:
+ (JSC::LLInt::isWasmLLIntPC):
+ * llint/LowLevelInterpreter.asm:
+ * llint/WebAssembly.asm:
+ * runtime/JSArrayBuffer.h:
+ (JSC::JSArrayBuffer::toWrappedAllowShared):
+ * runtime/JSArrayBufferView.h:
+ * runtime/JSArrayBufferViewInlines.h:
+ (JSC::JSArrayBufferView::toWrappedAllowShared):
+ * runtime/JSGenericTypedArrayView.h:
+ (JSC::JSGenericTypedArrayView::toWrappedAllowShared):
+ * runtime/Options.cpp:
+ (JSC::overrideDefaults):
+ (JSC::Options::initialize):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::AirIRGenerator):
+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::AirIRGenerator::addCurrentMemory):
+ (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
+ (JSC::Wasm::AirIRGenerator::addCall):
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addCurrentMemory):
+ (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+ (JSC::Wasm::B3IRGenerator::addCall):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+ (JSC::Wasm::enableFastMemory):
+ (JSC::Wasm::prepareFastMemory):
+ * wasm/WasmInstance.h:
+ (JSC::Wasm::Instance::cachedMemory const):
+ (JSC::Wasm::Instance::cachedBoundsCheckingSize const):
+ (JSC::Wasm::Instance::updateCachedMemory):
+ (JSC::Wasm::Instance::offsetOfCachedBoundsCheckingSize):
+ (JSC::Wasm::Instance::cachedMemorySize const): Deleted.
+ (JSC::Wasm::Instance::offsetOfCachedMemorySize): Deleted.
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::MemoryHandle::MemoryHandle):
+ (JSC::Wasm::MemoryHandle::~MemoryHandle):
+ (JSC::Wasm::Memory::Memory):
+ (JSC::Wasm::Memory::create):
+ (JSC::Wasm::Memory::tryCreate):
+ (JSC::Wasm::Memory::addressIsInGrowableOrFastMemory):
+ (JSC::Wasm::Memory::growShared):
+ (JSC::Wasm::Memory::grow):
+ (JSC::Wasm::Memory::dump const):
+ (JSC::Wasm::Memory::~Memory): Deleted.
+ (JSC::Wasm::Memory::addressIsInActiveFastMemory): Deleted.
+ * wasm/WasmMemory.h:
+ (JSC::Wasm::Memory::addressIsInGrowableOrFastMemory):
+ (JSC::Wasm::Memory::operator bool const): Deleted.
+ (JSC::Wasm::Memory::memory const): Deleted.
+ (JSC::Wasm::Memory::size const): Deleted.
+ (JSC::Wasm::Memory::sizeInPages const): Deleted.
+ (JSC::Wasm::Memory::initial const): Deleted.
+ (JSC::Wasm::Memory::maximum const): Deleted.
+ (JSC::Wasm::Memory::mode const): Deleted.
+ (JSC::Wasm::Memory::check): Deleted.
+ (JSC::Wasm::Memory::offsetOfMemory): Deleted.
+ (JSC::Wasm::Memory::offsetOfSize): Deleted.
+ (JSC::Wasm::Memory::addressIsInActiveFastMemory): Deleted.
+ * wasm/WasmMemoryInformation.cpp:
+ (JSC::Wasm::PinnedRegisterInfo::get):
+ (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
+ * wasm/WasmMemoryInformation.h:
+ (JSC::Wasm::PinnedRegisterInfo::toSave const):
+ * wasm/WasmMemoryMode.cpp:
+ (JSC::Wasm::makeString):
+ * wasm/WasmMemoryMode.h:
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::tryCreate):
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::buffer):
+ (JSC::JSWebAssemblyMemory::growSuccessCallback):
+ * wasm/js/JSWebAssemblyMemory.h:
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+ * wasm/js/WebAssemblyMemoryConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::evaluate):
+
+2020-11-17 Yusuke Suzuki
+
+ [JSC] Enable static public class fields
+ https://bugs.webkit.org/show_bug.cgi?id=219058
+
+ Reviewed by Saam Barati.
+
+ Let's flip the runtime flag (usePublicStaticClassFields). And we drop usePublicClassFields flag since it is already shipped.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::FunctionCallValueNode::emitBytecode):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseClass):
+ * runtime/OptionsList.h:
+
+2020-11-17 Michael Catanzaro
+
+ [CMake] generate_offset_extractor.rb missing build dependency for llint/WebAssembly.asm
+ https://bugs.webkit.org/show_bug.cgi?id=219043
+
+ Reviewed by Don Olmstead.
+
+ generate_offset_extractor.rb is missing a build dependency for llint/WebAssembly.asm. If
+ WebAssembly.asm is modified, generate_offset_extracter.rb needs to be run again.
+
+ * CMakeLists.txt:
+
+2020-11-17 Saam Barati
+
+ Add more info to the RELEASE_ASSERT inside Parser::parseInner
+ https://bugs.webkit.org/show_bug.cgi?id=219054
+
+
+ Reviewed by Mark Lam.
+
+ We have some crashes here, and it'll be helpful for the crashlogs to have
+ more info in the register state.
+
+ * parser/Lexer.h:
+ (JSC::Lexer::codeLength):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+
+2020-11-17 Sergey Rubanov
+
+ Add support for the Wasm i32 sign-extension-ops proposal
+ https://bugs.webkit.org/show_bug.cgi?id=210302
+
+ Reviewed by Yusuke Suzuki.
+
+ * llint/LowLevelInterpreter.asm:
+ * llint/WebAssembly.asm:
+ * offlineasm/arm64.rb:
+ * offlineasm/cloop.rb:
+ * offlineasm/instructions.rb:
+ * offlineasm/x86.rb:
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::addOp):
+ (JSC::Wasm::AirIRGenerator::addOp):
+ * wasm/wasm.json:
+
+2020-11-17 Xan López
+
+ [JSC] Add support for static public class fields
+ https://bugs.webkit.org/show_bug.cgi?id=194095
+
+ Reviewed by Yusuke Suzuki.
+
+ Add support for static public class fields. We can reuse most of
+ the existing machinery available for instance fields. Like
+ instance fields, static fields are initialized with a synthetic
+ function. This is done to allow us to trivially follow the scoping
+ rules in the spec. As it happens with instance fields this could
+ be inlined in a future patch.
+
+ A lot of small changes in many files are just a matter of doing
+ s/instance/class/ for variables related to class fields, which
+ before were assuming there are only instance fields implemented.
+
+ * bytecode/UnlinkedFunctionExecutable.cpp:
+ (JSC::generateUnlinkedFunctionCodeBlock): do s/instanceField/classField/.
+ * bytecode/UnlinkedFunctionExecutable.h: ditto.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitNewClassFieldInitializerFunction): ditto.
+ * bytecompiler/BytecodeGenerator.h: ditto, plus add a parameter
+ for static field locations in emitDefineClassElements.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitBytecode): save static fields
+ locations when going through the property list.
+ (JSC::PropertyListNode::emitSaveComputedFieldName): consider
+ static fields here too.
+ (JSC::ClassExprNode::emitBytecode): call the initializer for
+ static fields as the very last action of the class creation.
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createDefineField): field nodes can be static
+ too now.
+ * parser/NodeConstructors.h:
+ (JSC::DefineFieldNode::DefineFieldNode): ditto.
+ * parser/Nodes.h: ditto.
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner): s/instanceField/classField/
+ (JSC::Parser::parseClass): consider static fields.
+ (JSC::Parser::parseInstanceFieldInitializerSourceElements):
+ s/instanceField/classField/, and consider static fields.
+ * parser/Parser.h:
+ (JSC::Parser::parse): s/instanceField/classField/
+ (JSC::parse): ditto.
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::setFunctionName): s/instanceField/classField/
+ * runtime/OptionsList.h: add option to enable/disable static public fields.
+
+2020-11-15 Yusuke Suzuki
+
+ [JSC] Wasm should get byte length from source typed array
+ https://bugs.webkit.org/show_bug.cgi?id=218955
+
+ Reviewed by Sam Weinig.
+
+ WebAssembly's module source should be read with byteLength instead of length of typed-array.
+
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::byteLength const):
+ (JSC::JSArrayBufferView::slowDownAndWasteMemory):
+ * runtime/JSArrayBufferView.h:
+ * wasm/js/JSWebAssemblyHelpers.h:
+ (JSC::getWasmBufferFromValue):
+
+2020-11-14 Don Olmstead
+
+ [clang-tidy] Run modernize-use-override through JSC
+ https://bugs.webkit.org/show_bug.cgi?id=218916
+
+ Reviewed by Yusuke Suzuki.
+
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorScriptProfilerAgent.h:
+ * inspector/agents/InspectorTargetAgent.h:
+ * inspector/agents/JSGlobalObjectAuditAgent.h:
+ * inspector/agents/JSGlobalObjectDebuggerAgent.h:
+ * inspector/agents/JSGlobalObjectRuntimeAgent.h:
+ * inspector/remote/socket/RemoteInspectorConnectionClient.h:
+ * inspector/remote/socket/RemoteInspectorServer.h:
+ * runtime/JSGlobalObjectDebuggable.h:
+
+2020-11-13 Xan López
+
+ [JSC] Use symbols as identifiers for class fields computed names storage
+ https://bugs.webkit.org/show_bug.cgi?id=216172
+
+ Reviewed by Yusuke Suzuki.
+
+ Use private symbols for the property keys of the class fields with
+ computed names. This is cleaner than using raw numeric identifiers and
+ will be less cumbersome when we add static fields. It also prevents
+ potential collisions if other features want to store data in the class
+ scope.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitSaveComputedFieldName): adapt a comment.
+ * parser/Parser.cpp:
+ (JSC::Parser::parseClass): use private identifiers for computed fields property keys.
+ (JSC::Parser::parseInstanceFieldInitializerSourceElements): ditto.
+ * parser/ParserArena.cpp:
+ (JSC::IdentifierArena::makePrivateIdentifier): method to create a private identifier.
+ * parser/ParserArena.h:
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedUniquedStringImplBase::encode): consider registered symbols, they are used by the parser now.
+ (JSC::CachedUniquedStringImplBase::decode const): ditto.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ (JSC::VM::privateSymbolRegistry): create a private symbol registry too.
+
+2020-11-13 Sergey Rubanov
+
+ WebAssembly: opcodes for table.grow and table.size are mixed up
+ https://bugs.webkit.org/show_bug.cgi?id=218644
+
+ Reviewed by Yusuke Suzuki.
+
+ * wasm/wasm.json:
+
+2020-11-12 Devin Rousso
+
+ Web Inspector: ensure that `JSON::ArrayOf` doesn't allow `addItem` to be called with a type other than `T`
+ https://bugs.webkit.org/show_bug.cgi?id=218686
+
+ Reviewed by Brian Burg.
+
+ * inspector/scripts/codegen/cpp_generator_templates.py:
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
+ (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
+ (CppProtocolTypesImplementationGenerator._generate_enum_mapping):
+ (CppProtocolTypesImplementationGenerator._generate_open_field_names):
+ Use `ASCIILiteral`, `makeString`, and `_s` instead of inlined `char*` to ensure that the
+ `String` function overload is used.
+
+ * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
+ * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/domain-targetTypes.json-result:
+ * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/expected/enum-values.json-result:
+ * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
+ * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
+ * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
+ * inspector/scripts/tests/expected/type-with-open-parameters.json-result:
+
+2020-11-12 Dmitry Bezhetskov
+
+ [WASM-References] Support imm for ref.null
+ https://bugs.webkit.org/show_bug.cgi?id=218744
+
+ Reviewed by Yusuke Suzuki.
+
+ Updated ref.null according to the ref-types spec:
+ https://github.com/WebAssembly/reference-types/.
+
+ * wasm/WasmFormat.h:
+ (JSC::Wasm::isRefType):
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::parseExpression):
+ * wasm/WasmParser.h:
+ (JSC::Wasm::Parser::parseRefType):
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseInitExpr):
+ * wasm/wasm.json:
+
+2020-11-11 John Wilander
+
+ PCM: Change from ad-click-attribution to private-click-measurement (in all forms, including .well-known URL)
+ https://bugs.webkit.org/show_bug.cgi?id=218730
+
+
+ Reviewed by Alex Christensen.
+
+ Change to the official name of the proposed standard Private Click Measurement
+ https://github.com/privacycg/private-click-measurement.
+
+ This includes a change of the reporting URL from
+ "/.well-known/ad-click-attribution/" to
+ "/.well-known/private-click-measurement/".
+
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::messageSourceValue):
+ * inspector/protocol/Console.json:
+ * inspector/protocol/Page.json:
+ * runtime/ConsoleClient.cpp:
+ (JSC::appendMessagePrefix):
+ * runtime/ConsoleTypes.h:
+
+2020-11-11 Yusuke Suzuki
+
+ [JSC] Implement Intl.DateTimeFormat.formatRangeToParts
+ https://bugs.webkit.org/show_bug.cgi?id=213822
+
+
+ Reviewed by Ross Kirsling.
+
+ This patch implements Intl.DateTimeFormat.formatRangeToParts. It is already stage-4 (included in the spec).
+ The inputs are date interval, and this function generates array of parts of formatted string of date interval.
+ Currently, required ICU APIs are draft status. So, for now, we track ABI changes, and use APIs with careful version checks.
+
+ However, currently, OpenSource macOS WebKit is built with specific ICU header (ICU 62 headers). So for now, we disable it
+ in OpenSource macOS WebKit build. But we enable it for Apple Internal SDK WebKit build. We can enable it if we include
+ multiple ICU header sets and select appropriate one against the linked ICU version. In the other platforms, they are using
+ corresponding ICU headers so that we can just enable it.
+
+ There are two interesting implementation topics.
+
+ 1. From ICU 67, the signature of udtitvfmt_formatToResult is changed. We need to switch the implementation with fine grained ICU version checks.
+ 2. udtitvfmt_formatToResult does not have an ability to configure gregorian calendar change date: before that date, the calendar is julian.
+ In ECMAScript spec, we need to ignore this gregorian calendar change date, and we should handle all gregorian calendar dates as is even if
+ the dates are older than gregorian calendar change date. However, since udtitvfmt_formatToResult does not offer the above ability,
+ ICU automatically switches the calendar between gregorian and julian. To fix this issue, ICU 67 introduced udtitvfmt_formatCalendarToResult,
+ which can take an explicit calendar for each input date so that we configure gregorian calendar change date. But this only exists after ICU 67.
+ In the implementations using ICU 64-66, we just use udtitvfmt_formatToResult.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::UDateIntervalFormatDeleter::operator()):
+ (JSC::IntlDateTimeFormat::formatToParts const):
+ (JSC::definitelyAfterGregorianCalendarChangeDate):
+ (JSC::formattedValueFromDateRange):
+ (JSC::IntlDateTimeFormat::formatRange):
+ (JSC::IntlDateTimeFormat::formatRangeToParts):
+ * runtime/IntlDateTimeFormat.h:
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototype::create):
+ (JSC::IntlDateTimeFormatPrototype::finishCreation):
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * runtime/IntlDateTimeFormatPrototype.h:
+ * runtime/OptionsList.h:
+
+2020-11-11 Yusuke Suzuki
+
+ [JSC] wasm fault trampoline should be C code since it is tagged as CFunctionPtr
+ https://bugs.webkit.org/show_bug.cgi?id=218781
+
+ Reviewed by Keith Miller and Mark Lam.
+
+ When returning from signal handler, handler requires that instruction pointer is CFunctionPtrTag-ed.
+ So we should set C trampoline instead of JIT trampoline here.
+ This patch implements trampoline in LLInt Wasm code so that we can use CFunctionPtrTag.
+
+ * bytecode/BytecodeList.rb:
+ * llint/WebAssembly.asm:
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+
+2020-11-10 Commit Queue
+
+ Unreviewed, reverting r269660.
+ https://bugs.webkit.org/show_bug.cgi?id=218786
+
+ Crashing in EWS iOS simulator bots
+
+ Reverted changeset:
+
+ "PCM: Change from ad-click-attribution to private-click-
+ measurement (in all forms, including .well-known URL)"
+ https://bugs.webkit.org/show_bug.cgi?id=218730
+ https://trac.webkit.org/changeset/269660
+
+2020-11-10 Ross Kirsling
+
+ Align %TypedArray% behavior with recent spec adjustments
+ https://bugs.webkit.org/show_bug.cgi?id=218776
+
+ Reviewed by Yusuke Suzuki.
+
+ The recent spec changes for typed arrays with detached buffers had certain ripple effects,
+ namely the following two PRs which will be presented in next week's TC39 meeting.
+ Since no controversy is expected, this patch addresses them now, though test262 adjustments are forthcoming.
+
+ 1. https://github.com/tc39/ecma262/pull/2210
+ It is correct that `ta[i] = n` doesn't throw when `ta` has a detached buffer or `i` is otherwise OOB,
+ but by not throwing, Reflect.set(ta, i, n) is obliged to return true.
+
+ 2. https://github.com/tc39/ecma262/pull/2221
+ Until now, %TypedArray%.prototype.{includes, indexOf, join, lastIndexOf} lacked a rigorous specification;
+ in particular, each has a parameter that may detach the buffer upon valueOf or toString, and the expected
+ behavior was not made clear. It seems most sensible to do what the corresponding Array methods do upon
+ `array.length = 0`: make use of the cached length but don't access indices, such that indexOf/lastIndexOf
+ return -1 while includes/join act as if the elements were all `undefined`.
+
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::put):
+ (JSC::JSGenericTypedArrayView::defineOwnProperty):
+ (JSC::JSGenericTypedArrayView::putByIndex):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncIncludes):
+ (JSC::genericTypedArrayViewProtoFuncIndexOf):
+ (JSC::genericTypedArrayViewProtoFuncJoin):
+ (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
+
+2020-11-10 John Wilander
+
+ PCM: Change from ad-click-attribution to private-click-measurement (in all forms, including .well-known URL)
+ https://bugs.webkit.org/show_bug.cgi?id=218730
+
+
+ Reviewed by Devin Rousso.
+
+ Change to the official name of the proposed standard Private Click Measurement
+ https://github.com/privacycg/private-click-measurement.
+
+ This includes a change of the reporting URL from
+ "/.well-known/ad-click-attribution/" to
+ "/.well-known/private-click-measurement/".
+
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::messageSourceValue):
+ * inspector/protocol/Console.json:
+ * inspector/protocol/Page.json:
+ * runtime/ConsoleClient.cpp:
+ (JSC::appendMessagePrefix):
+ * runtime/ConsoleTypes.h:
+
+2020-11-09 Keith Miller
+
+ Add total counts to sampling profiler dump
+ https://bugs.webkit.org/show_bug.cgi?id=218666
+
+ Reviewed by Yusuke Suzuki.
+
+ This is nice for computing the approximate percentage of total time in a function.
+
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::reportTopFunctions):
+ (JSC::SamplingProfiler::reportTopBytecodes):
+
+2020-11-08 Yusuke Suzuki
+
+ [JSC] Add TimeZone range cache over ICU TimeZone API
+ https://bugs.webkit.org/show_bug.cgi?id=218681
+
+ Reviewed by Ross Kirsling.
+
+ icu::TimeZone is more accurate and faster than localtime_r. But still, it is slower than returning cached data!
+ We saw 10% regression in JetStream2/date-format-xparb-SP with icu::TimeZone switching.
+ In this patch, we put one-depth timezone cache back over icu::TimeZone API, and recover the performance.
+ In addition, new version of timezone cache includes "start" side extension (while old one only extends "end" of the range).
+ The test covers all cases in the added cache.
+
+ * runtime/JSDateMath.cpp:
+ (JSC::DateCache::calculateLocalTimeOffset):
+ (JSC::DateCache::localTimeOffset):
+ (JSC::DateCache::gregorianDateTimeToMS):
+ (JSC::DateCache::msToGregorianDateTime):
+ (JSC::DateCache::parseDate):
+ (JSC::DateCache::reset):
+ (JSC::localTimeOffset): Deleted.
+ * runtime/JSDateMath.h:
+ (JSC::DateCache::timeZoneCache):
+ * runtime/VM.h:
+ (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache): Deleted.
+ (JSC::LocalTimeOffsetCache::reset): Deleted.
+
+2020-11-08 Yusuke Suzuki
+
+ [JSC] Support @@species in ArrayBuffer / SharedArrayBuffer slice
+ https://bugs.webkit.org/show_bug.cgi?id=218697
+
+ Reviewed by Ross Kirsling.
+
+ This patch adds support for @@species in ArrayBuffer/SharedArrayBuffer.prototype.slice.
+ We leverage the mechanism similar to Array's @@species handling: adding fast path with watchpoint.
+ When we found that some of critical properties (e.g. %Prototype%.constructor, %Constructor%[@@species])
+ are modified, watchpoint is fired and we go to the slow path. Until that, we use fast path that is
+ basically the same to the code before this patch.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBuffer::slice const):
+ (JSC::ArrayBuffer::sliceWithClampedIndex const):
+ (JSC::ArrayBuffer::sliceImpl const): Deleted.
+ * runtime/ArrayBuffer.h:
+ * runtime/ArrayBufferSharingMode.h:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::speciesWatchpointIsValid):
+ * runtime/JSArrayBufferPrototype.cpp:
+ (JSC::speciesWatchpointIsValid):
+ (JSC::arrayBufferSlice):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ (JSC::JSGlobalObject::tryInstallSpeciesWatchpoint):
+ (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
+ (JSC::JSGlobalObject::tryInstallArrayBufferSpeciesWatchpoint):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::arrayBufferSpeciesWatchpointSet):
+ (JSC::JSGlobalObject::arrayBufferPrototype const):
+ (JSC::JSGlobalObject::arrayBufferStructure const):
+ (JSC::JSGlobalObject::arrayBufferConstructor const):
+
+2020-11-06 Dmitry Bezhetskov
+
+ [WASM-References] Rename anyref to externref
+ https://bugs.webkit.org/show_bug.cgi?id=218331
+
+ Reviewed by Keith Miller.
+
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::Wasm::BytecodeDumper::formatConstant const):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::gExternref):
+ (JSC::Wasm::AirIRGenerator::tmpForType):
+ (JSC::Wasm::AirIRGenerator::emitCCall):
+ (JSC::Wasm::AirIRGenerator::moveOpForValueType):
+ (JSC::Wasm::AirIRGenerator::AirIRGenerator):
+ (JSC::Wasm::AirIRGenerator::addLocal):
+ (JSC::Wasm::AirIRGenerator::addConstant):
+ (JSC::Wasm::AirIRGenerator::setGlobal):
+ (JSC::Wasm::AirIRGenerator::gAnyref): Deleted.
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::addLocal):
+ (JSC::Wasm::B3IRGenerator::addTableGet):
+ (JSC::Wasm::B3IRGenerator::setGlobal):
+ * wasm/WasmCallingConvention.h:
+ (JSC::Wasm::WasmCallingConvention::marshallLocation const):
+ (JSC::Wasm::JSCallingConvention::marshallLocation const):
+ * wasm/WasmFormat.h:
+ (JSC::Wasm::isValueType):
+ (JSC::Wasm::isSubtype):
+ (JSC::Wasm::TableInformation::wasmType const):
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::parseExpression):
+ * wasm/WasmGlobal.cpp:
+ (JSC::Wasm::Global::get const):
+ (JSC::Wasm::Global::set):
+ (JSC::Wasm::Global::visitAggregate):
+ * wasm/WasmGlobal.h:
+ * wasm/WasmInstance.cpp:
+ (JSC::Wasm::Instance::Instance):
+ (JSC::Wasm::Instance::setGlobal):
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::jsNullConstant):
+ (JSC::Wasm::LLIntGenerator::callInformationForCaller):
+ (JSC::Wasm::LLIntGenerator::callInformationForCallee):
+ (JSC::Wasm::LLIntGenerator::addArguments):
+ (JSC::Wasm::LLIntGenerator::addLocal):
+ (JSC::Wasm::LLIntGenerator::setGlobal):
+ * wasm/WasmOperations.cpp:
+ (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
+ (JSC::Wasm::setWasmTableElement):
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseTableHelper):
+ * wasm/WasmTable.cpp:
+ (JSC::Wasm::Table::tryCreate):
+ (JSC::Wasm::Table::set):
+ * wasm/WasmTable.h:
+ (JSC::Wasm::Table::isExternrefTable const):
+ (JSC::Wasm::Table::isAnyrefTable const): Deleted.
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::boxWasmResult):
+ * wasm/js/JSWebAssemblyTable.cpp:
+ (JSC::JSWebAssemblyTable::set):
+ * wasm/js/WasmToJS.cpp:
+ (JSC::Wasm::wasmToJS):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ * wasm/js/WebAssemblyTableConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * wasm/wasm.json:
+
+2020-11-06 Yusuke Suzuki
+
+ Re-enable SharedArrayBuffer for JSC shell and Testers
+ https://bugs.webkit.org/show_bug.cgi?id=212069
+
+ Reviewed by Keith Miller.
+
+ This patch revives SharedArrayBuffer and Atomics and aligning them to the latest spec.
+
+ 1. SharedArrayBuffer's sort should be done in JS side. C++ sort is not safe for SharedArrayBuffer since the buffer
+ can be modified by different threads while sorting.
+ 2. Atomics.wait should be renamed to Atomics.notify.
+ 3. Atomics operation should be VarArgs in DFG because DFGSSALoweringPhase assumes that they are VarArgs and they can
+ have another arg for CheckInBounds dependency.
+ 4. For test262, JSC shell should support "--can-block-is-false" flag. If it is true, the main thread's [[CanBlock]] becomes false.
+ This means that `Atomics.wait` cannot be used.
+
+ * builtins/BuiltinNames.h:
+ * builtins/TypedArrayPrototype.js:
+ (sort):
+ * bytecode/LinkTimeConstant.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::mustGenerate const):
+ (JSC::DFG::Node::hasVarArgs const):
+ (JSC::DFG::Node::mustGenerate): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
+ * jsc.cpp:
+ (printUsageStatement):
+ (CommandLine::parseArguments):
+ (runJSC):
+ * runtime/AtomicsObject.cpp:
+ (JSC::AtomicsObject::finishCreation):
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::JSC_DEFINE_JIT_OPERATION):
+ * runtime/CommonIdentifiers.h:
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/JSArrayBufferPrototype.cpp:
+ (JSC::arrayBufferSlice):
+ (JSC::arrayBufferByteLength):
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::JSArrayBufferPrototype::finishCreation):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::toIntegerOrInfinity const):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncReverse):
+ (JSC::genericTypedArrayViewPrivateFuncSort):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * runtime/JSTypedArrayViewPrototype.h:
+ * runtime/OptionsList.h:
+ * runtime/SimpleTypedArrayController.cpp:
+ (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
+ (JSC::SimpleTypedArrayController::isAtomicsWaitAllowedOnCurrentThread):
+ * runtime/SimpleTypedArrayController.h:
+ * runtime/SmallStrings.cpp:
+ (JSC::SmallStrings::initializeCommonStrings):
+ (JSC::SmallStrings::visitStrongReferences):
+ * runtime/SmallStrings.h:
+ (JSC::SmallStrings::notEqualString const):
+ (JSC::SmallStrings::timedOutString const):
+ (JSC::SmallStrings::okString const):
+
+2020-11-06 Mark Lam
+
+ Use address diversified PAC to ensure the integrity of opcode maps.
+ https://bugs.webkit.org/show_bug.cgi?id=218646
+
+ Reviewed by Yusuke Suzuki.
+ + One reason for doing this is because space in the JSCConfig is limited, and may + hurt RAMification scores if we need to expand it when adding new opcodes. + By putting the opcode maps in dirty global memory, we still use less memory + because dirty global memory does not incur internal fragmentation like the + JSCConfig does. + + In this patch, we move g_jscConfig.llint.opcodeMap, g_jscConfig.llint.opcodeMapWide16, + and g_jscConfig.llint.opcodeMapWide32 back to global arrays g_opcodeMap, g_opcodeMapWide16, + and g_opcodeMapWide32. + + * interpreter/InterpreterInlines.h: + (JSC::Interpreter::getOpcodeID): + - Since this function is only used debugging purposes during development, and is + currently unused, we can just strip the PAC bits from the opcode when computing + the opcodeID. The alternative to doing this requires that we know how the + Opcode is signed by the client. Since this function is currently unused, we + have no clients to study / fix up for now. + + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + - Changed an ASSERT for llint_throw_from_slow_path_trampoline to static_assert, + and add a second one as well for wasm_throw_from_slow_path_trampoline. + - Moved the signing of the Opcode pointers into llint_entry() and wasm_entry() + instead. Now, non-ARM64E ports don't need to execute this no-op assignment loop + (assuming it wasn't already elided by the compiler). + + * llint/LLIntData.h: + (JSC::LLInt::opcodeMap): + (JSC::LLInt::opcodeMapWide16): + (JSC::LLInt::opcodeMapWide32): + (JSC::LLInt::getOpcode): + (JSC::LLInt::getOpcodeWide16): + (JSC::LLInt::getOpcodeWide32): + - Change getOpcode(), getOpcodeWide16(), and getOpcodeWide32() to return a reference + to the entry in the corresponding opcode map. This is needed because we need to + be able to compute the address of the Opcode entry in order to retag the Opcode. 
+ + (JSC::LLInt::getCodePtrImpl): + (JSC::LLInt::getCodePtr): + (JSC::LLInt::getWide16CodePtr): + (JSC::LLInt::getWide32CodePtr): + + * llint/LowLevelInterpreter.asm: + * llint/WebAssembly.asm: + - Changed the bytecode dispatch `jmp`s to use address diversification when + authenticating the Opcode pointer. + - Changed llint_entry and wasm_entry to also tag the Opcode pointers for ARM64E. + - Changed llint_entry and wasm_entry to validate that they are only called during + system initialization. + + * offlineasm/arm64.rb: + - Optimize `leap` code generation to elide an add instruction if it's only adding + 0 to a global address. + + * offlineasm/arm64e.rb: + * offlineasm/ast.rb: + * offlineasm/instructions.rb: + - Added support for jmp or call using address diversified pointers. + - Added a tagCodePtr instruction that also supports signing address diversified pointers. + + * runtime/JSCConfig.h: + * runtime/JSCPtrTag.h: + (JSC::untagAddressDiversifiedCodePtr): + - Added untagAddressDiversifiedCodePtr() so that we can retag the Opcode pointers. + +2020-11-05 Don Olmstead + + Non-unified build fixes, early November 2020 edition + https://bugs.webkit.org/show_bug.cgi?id=218628 + + Unreviewed non-unified build fix. + + * llint/LLIntSlowPaths.cpp: + +2020-11-05 Yusuke Suzuki + + Unreviewed, build fix for ARM64E + https://bugs.webkit.org/show_bug.cgi?id=218587 + + * llint/LLIntData.cpp: + +2020-11-04 Yusuke Suzuki + + Apply JITCage to CSSJIT + https://bugs.webkit.org/show_bug.cgi?id=218587 + + Reviewed by Mark Lam. + + * llint/LLIntData.cpp: + * llint/LowLevelInterpreter.asm: + * runtime/JSCPtrTag.h: + * yarr/YarrJIT.cpp: + +2020-11-04 David Kilzer + + WebKit should remove unused debug variant support + + + + Reviewed by Darin Adler. + + Remove support for building the debug variant since it is + currently unused. We now set default values for the + DEAD_CODE_STRIPPING, DEBUG_DEFINES, GCC_OPTIMIZATION_LEVEL and + STRIP_INSTALLED_PRODUCT variables. 
+ + Also move these values out of the Xcode project into + Base.xcconfig files using the [config=Debug] specifier so that + these overrides are next to the definitions. + + * Configurations/Base.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-11-04 Yusuke Suzuki + + Unreviewed, fix ARM64 only crash (ARM64E works) after JIT Cage + https://bugs.webkit.org/show_bug.cgi?id=218143 + + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::execute): + +2020-11-03 Yusuke Suzuki + + Unreviewed, build fix for ARM64E debug build + https://bugs.webkit.org/show_bug.cgi?id=218143 + + * runtime/JSCPtrTag.cpp: + (JSC::tagForPtr): + +2020-11-03 Saam Barati + + Add back the removed assertion from r269338 and add a test + https://bugs.webkit.org/show_bug.cgi?id=218543 + + Reviewed by Filip Pizlo. + + The assertion from r269338 was wrong in JSLock::willReleaseLock because + of our use of DropAllLocks. However, it is correct inside the topmost ~VMEntryScope. + + * jsc.cpp: + (JSC_DEFINE_HOST_FUNCTION): + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::~VMEntryScope): + +2020-11-03 Yusuke Suzuki + + [JSC] Add JITCage support + https://bugs.webkit.org/show_bug.cgi?id=218143 + + Reviewed by Saam Barati. + + Towards software verified JIT, this patch adds partial JIT-Caging support which cages JIT call / jumps in a certain format. + This is currently only enabled when internal SDK is enabled. And it is only enabled in ARM64E for now. + Currently, this patch does not have CSS JIT support. Subsequent patch will add it. + We ensured that JS2 and RAMification are neutral. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/JITOperationList.cpp: + (JSC::addPointers): + (JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt): + * assembler/JITOperationList.h: + (JSC::JITOperationList::map const): + (JSC::JITOperationList::assertIsHostFunction): + (JSC::JITOperationList::assertIsJITOperation): + (JSC::JITOperationList::contains const): Deleted. 
+ * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::farJump): + * assembler/MacroAssemblerARM64E.h: + (JSC::MacroAssemblerARM64E::callTrustedPtr): + (JSC::MacroAssemblerARM64E::call): + (JSC::MacroAssemblerARM64E::callRegister): + (JSC::MacroAssemblerARM64E::farJumpRegister): + (JSC::MacroAssemblerARM64E::farJump): + (JSC::MacroAssemblerARM64E::ret): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::farJump): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::farJump): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::farJump): + * bytecode/BytecodeList.rb: + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::callerReturnPC): + (JSC::DFG::adjustAndJumpToTarget): + * dfg/DFGOSRExitCompilerCommon.h: + * jit/ExecutableAllocator.cpp: + (JSC::ExecutableAllocator::setJITEnabled): + (JSC::initializeJITPageReservation): + * jit/GPRInfo.h: + * jit/PolymorphicCallStubRoutine.cpp: + (JSC::PolymorphicCallNode::unlink): + * jit/ThunkGenerators.cpp: + (JSC::emitPointerValidation): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + (JSC::LLInt::getOpcode): + (JSC::LLInt::getOpcodeWide16): + (JSC::LLInt::getOpcodeWide32): + (JSC::LLInt::getCodePtr): + (JSC::LLInt::getWide16CodePtr): + (JSC::LLInt::getWide32CodePtr): + (JSC::LLInt::getCodeFunctionPtr): + (JSC::LLInt::getWide16CodeFunctionPtr): + (JSC::LLInt::getWide32CodeFunctionPtr): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::entrypointTrampoline): + (JSC::LLInt::setFunctionEntrypoint): + (JSC::LLInt::setEvalEntrypoint): + (JSC::LLInt::setProgramEntrypoint): + (JSC::LLInt::setModuleProgramEntrypoint): + (JSC::LLInt::getHostCallReturnValueEntrypoint): + (JSC::LLInt::fuzzerReturnEarlyFromLoopHintEntrypoint): + (JSC::LLInt::genericReturnPointEntrypoint): + * llint/LLIntEntrypoint.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::commonCallEval): 
+ (JSC::LLInt::dispatchToNextInstruction): + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + (JSC::LLInt::generateThunkWithJumpToPrologue): + (JSC::LLInt::generateThunkWithJumpToLLIntReturnPoint): + (JSC::LLInt::functionForCallEntryThunk): + (JSC::LLInt::functionForConstructEntryThunk): + (JSC::LLInt::functionForCallArityCheckThunk): + (JSC::LLInt::functionForConstructArityCheckThunk): + (JSC::LLInt::evalEntryThunk): + (JSC::LLInt::programEntryThunk): + (JSC::LLInt::moduleProgramEntryThunk): + (JSC::LLInt::wasmFunctionEntryThunk): + (JSC::LLInt::handleCatchThunk): + (JSC::LLInt::genericReturnPointThunk): + (JSC::LLInt::fuzzerReturnEarlyFromLoopHintThunk): + (JSC::LLInt::createJSGateThunk): + (JSC::LLInt::createWasmGateThunk): + (JSC::LLInt::createTailCallGate): + (JSC::LLInt::loopOSREntryGateThunk): + (JSC::LLInt::entryOSREntryGateThunk): + (JSC::LLInt::wasmOSREntryGateThunk): + (JSC::LLInt::exceptionHandlerGateThunk): + (JSC::LLInt::returnFromLLIntGateThunk): + (JSC::LLInt::tagGateThunk): + (JSC::LLInt::untagGateThunk): + (JSC::LLInt::jitCagePtrThunk): + (JSC::LLInt::normalOSRExitTrampolineThunk): + (JSC::LLInt::checkpointOSRExitTrampolineThunk): + (JSC::LLInt::checkpointOSRExitFromInlinedCallTrampolineThunk): + (JSC::LLInt::returnLocationThunk): + * llint/LLIntThunks.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * llint/WebAssembly.asm: + * offlineasm/arm64.rb: + * offlineasm/mips.rb: + * runtime/Gate.h: Added. 
+ * runtime/JSCConfig.h: + * runtime/JSCPtrTag.cpp: + (JSC::tagForPtr): + (JSC::callerType): + (JSC::calleeType): + * runtime/JSCPtrTag.h: + (JSC::tagJSCCodePtrImpl): + (JSC::untagJSCCodePtrImpl): + (JSC::tagCodePtrWithStackPointerForJITCall): + (JSC::untagCodePtrWithStackPointerForJITCall): + * runtime/MatchResult.h: + (JSC::MatchResult::MatchResult): + * runtime/Options.cpp: + (JSC::disableAllJITOptions): + (JSC::canUseJITCage): + * runtime/OptionsList.h: + * wasm/WasmSlowPaths.cpp: + * yarr/YarrJIT.cpp: + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::execute): + +2020-11-03 Geoffrey Garen + + Drop most uses of the phrase 'neuter' from the tree + https://bugs.webkit.org/show_bug.cgi?id=218536 + + Reviewed by Tim Horton. + + In ArrayBuffer use cases, the spec has gone with "detached". + + In other cases, I picked something. + + * JavaScriptCore.order: + * builtins/ArrayIteratorPrototype.js: + (next): + * builtins/BuiltinNames.h: + * builtins/TypedArrayPrototype.js: + (fill): + (globalPrivate.typedArrayElementCompare): + * bytecode/LinkTimeConstant.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDesiredWatchpoints.cpp: + (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCheckDetached): + (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsDetachedIfOutOfBounds): + (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): + (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray): + (JSC::DFG::SpeculativeJIT::compileCheckNeutered): Deleted. 
+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckDetached): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): + (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotDetached): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckNeutered): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): Deleted. + * runtime/ArrayBuffer.cpp: + (JSC::ArrayBufferContents::tryAllocate): + (JSC::ArrayBuffer::transferTo): + (JSC::ArrayBuffer::detach): + (JSC::ArrayBuffer::notifyDetaching): + (JSC::ArrayBuffer::neuter): Deleted. + (JSC::ArrayBuffer::notifyNeutering): Deleted. + * runtime/ArrayBuffer.h: + (JSC::ArrayBuffer::isDetached): + (JSC::ArrayBuffer::detachingWatchpointSet): + (JSC::ArrayBuffer::isNeutered): Deleted. + (JSC::ArrayBuffer::neuteringWatchpointSet): Deleted. + * runtime/ArrayBufferView.cpp: + (JSC::ArrayBufferView::ArrayBufferView): + (JSC::ArrayBufferView::~ArrayBufferView): + (JSC::ArrayBufferView::setDetachable): + (JSC::ArrayBufferView::setNeuterable): Deleted. + * runtime/ArrayBufferView.h: + (JSC::ArrayBufferView::isDetached const): + (JSC::ArrayBufferView::possiblySharedBuffer const): + (JSC::ArrayBufferView::isShared const): + (JSC::ArrayBufferView::baseAddress const): + (JSC::ArrayBufferView::byteOffset const): + (JSC::ArrayBufferView::isDetachable const): + (JSC::ArrayBufferView::isNeutered const): Deleted. + (JSC::ArrayBufferView::isNeuterable const): Deleted. 
+ * runtime/GenericTypedArrayView.h: + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::detach): + (JSC::JSArrayBufferView::neuter): Deleted. + * runtime/JSArrayBufferView.h: + (JSC::JSArrayBufferView::isDetached): + (JSC::JSArrayBufferView::isNeutered): Deleted. + * runtime/JSDataView.cpp: + (JSC::JSDataView::create): + * runtime/JSDataViewPrototype.cpp: + (JSC::getData): + (JSC::setData): + (JSC::JSC_DEFINE_HOST_FUNCTION): + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::setWithSpecificType): + (JSC::JSGenericTypedArrayView::set): + (JSC::JSGenericTypedArrayView::getOwnPropertySlotByIndex): + (JSC::JSGenericTypedArrayView::deletePropertyByIndex): + * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: + (JSC::speciesConstruct): + (JSC::genericTypedArrayViewProtoFuncSet): + (JSC::genericTypedArrayViewProtoFuncCopyWithin): + (JSC::genericTypedArrayViewProtoFuncIncludes): + (JSC::genericTypedArrayViewProtoFuncIndexOf): + (JSC::genericTypedArrayViewProtoFuncJoin): + (JSC::genericTypedArrayViewProtoFuncLastIndexOf): + (JSC::genericTypedArrayViewProtoFuncReverse): + (JSC::genericTypedArrayViewPrivateFuncSort): + (JSC::genericTypedArrayViewProtoFuncSlice): + (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::createTypedArrayIteratorObject): + * runtime/JSTypedArrayViewPrototype.h: + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::getWasmBufferFromValue): + * wasm/js/JSWebAssemblyMemory.cpp: + (JSC::JSWebAssemblyMemory::growSuccessCallback): + +2020-11-03 Yusuke Suzuki + + [JSC] Obtain default timezone ID from cached icu::TimeZone + https://bugs.webkit.org/show_bug.cgi?id=218531 + + + Reviewed by Ross Kirsling. + + ICU internally caches icu::TimeZone (icu::TimeZone::createDefault), and it is not updated even if system timezone is changed. 
+ As a result, we will see wrong timezone in Intl.DateTimeFormat when system timezone is changed. + We have a mechanism that clears TimeZone cache for JS Date. However, this mechanism is not used for Intl.DateTimeFormat. + + This patch retrieves timezone ID from cached icu::TimeZone in VM::dateCache. So system's timezone change can be effective for + Intl.DateTimeFormat, and timezone becomes consistent between JS Date and Intl.DateTimeFormat. + + Unfortunately, we need to use C++ APIs since we do not have a way to get timezone ID from icu::TimeZone. + Once https://unicode-org.atlassian.net/browse/ICU-21372 is fixed, we can switch to C APIs. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + (JSC::isUTCEquivalent): Deleted. + (JSC::defaultTimeZone): Deleted. + * runtime/JSDateMath.cpp: + (JSC::DateCache::defaultTimeZone): + * runtime/JSDateMath.h: + (JSC::isUTCEquivalent): + +2020-11-03 Saam Barati + + Don't assert there is no checkpoint side state when dropping the JSLock + https://bugs.webkit.org/show_bug.cgi?id=218537 + + Reviewed by Filip Pizlo. + + You may have multiple OSR exit sidestate data on the stack, and then call into + API code, which might DropAllLocks. Hence, this assert is wrong. + + Working on a test. Will land in a followup. + + * runtime/JSLock.cpp: + (JSC::JSLock::willReleaseLock): + +2020-11-03 Yusuke Suzuki + + REGRESSION (r254038): Simple.com money transfer UI is very laggy (multiple seconds per keypress) + https://bugs.webkit.org/show_bug.cgi?id=218348 + + Reviewed by Darin Adler. + + We have depth-1 LocalTimeOffset cache to avoid repeatedly calling `localtime_r`. But this depth-1 cache can be easily missed if + we parse Dates of multiple years. Instead of increasing depth as a work-around, this patch starts using ICU TimeZone cache. + This is used in SpiderMonkey and V8 too, and it is the right direction since ICU knows tzdata and can do more sophisticated caching. 
+ + Microbenchmark shows 24x improvement. + + ToT Patched + + local-date-constructor 2026.8715+-11.2909 ^ 85.0022+-1.0548 ^ definitely 23.8449x faster + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * runtime/DateConstructor.cpp: + (JSC::millisecondsFromComponents): + (JSC::constructDate): + (JSC::JSC_DEFINE_HOST_FUNCTION): + * runtime/DateInstance.cpp: + (JSC::DateInstance::calculateGregorianDateTime const): + (JSC::DateInstance::calculateGregorianDateTimeUTC const): + * runtime/DateInstance.h: + * runtime/DatePrototype.cpp: + (JSC::setNewValueFromTimeArgs): + (JSC::setNewValueFromDateArgs): + (JSC::JSC_DEFINE_HOST_FUNCTION): + * runtime/JSDateMath.cpp: + (JSC::OpaqueICUTimeZoneDeleter::operator()): + (JSC::localTimeOffset): + (JSC::DateCache::gregorianDateTimeToMS): + (JSC::DateCache::msToGregorianDateTime): + (JSC::DateCache::parseDate): + (JSC::DateCache::cachedDateInstanceData): + (JSC::DateCache::timeZoneCacheSlow): + (JSC::DateCache::reset): + (JSC::gregorianDateTimeToMS): Deleted. + (JSC::msToGregorianDateTime): Deleted. + (JSC::parseDate): Deleted. + * runtime/JSDateMath.h: + (JSC::DateCache::timeZoneCache): + * runtime/VM.cpp: + (JSC::VM::resetDateCache): Deleted. + * runtime/VM.h: + (JSC::VM::resetDateCache): + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + +2020-11-03 Keith Rollin + + Extend check-for-inappropriate-files-in-framework to WebKitLegacy and JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=218272 + + + Reviewed by Simon Fraser. + + Bug 218268 reports that some *.txt files got included in WebKitLegacy. + To help protect against this happening in the future, extend + check-for-inappropriate-files-in-framework to check for *.txt files, + and apply the script to WebKitLegacy and JavaScriptCore in addition to + WebCore and WebKit. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-11-03 Don Olmstead + + [CMake] Add remote inspector platforms + https://bugs.webkit.org/show_bug.cgi?id=218451 + + Reviewed by Michael Catanzaro. + + Add a CMake definition for each of the three remote inspector server backends to + remove duplication between the ports. Modify the port's CMake files to use the + shared definitions. + + * PlatformFTW.cmake: + * PlatformGTK.cmake: + * PlatformJSCOnly.cmake: + * PlatformPlayStation.cmake: + * PlatformWPE.cmake: + * PlatformWin.cmake: + * inspector/remote/Cocoa.cmake: Added. + * inspector/remote/GLib.cmake: Added. + * inspector/remote/Socket.cmake: Added. + * inspector/remote/SourcesCocoa.txt: Copied from Source/JavaScriptCore/SourcesWPE.txt. + * inspector/remote/SourcesGLib.txt: Renamed from Source/JavaScriptCore/SourcesGTK.txt. + * inspector/remote/SourcesSocket.txt: Renamed from Source/JavaScriptCore/SourcesWPE.txt. + +2020-11-02 Xan Lopez + + [JSC] Remove compiler warning in LLIntData.cpp + https://bugs.webkit.org/show_bug.cgi?id=218443 + + Reviewed by Mark Lam. + + Fix compiler warning by casting a scoped enum to its underlying + type. Not allowing implicit type conversions is the whole point of + scoped enums. + + * interpreter/CallFrame.h: remove underlying type specifier, since + we are using the default anyway ('int'). + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): cast the scoped enum to its + underlying type. + +2020-10-29 Jérôme Decoodt + + JavaScriptCore should support multiple build variants + + + + Reviewed by Keith Miller. + + Update JavaScriptCore to handle BUILD_VARIANTS properly by + passing the value to build phase scripts and handling all + variants set during the build. For engineering builds, + BUILD_VARIANTS=normal. + + * CMakeLists.txt: + - Update to pass equivalent ${BUILD_VARIANTS} for non-Apple + platforms to asm.rb and generate_offset_extractor.rb. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + (LLInt Offsets | Generate Derived Sources): + (Offline Assembler | Offline Assemble): + - Update build phase script to pass "${BUILD_VARIANTS}" as an + argument to scripts. + + * offlineasm/asm.rb: + - Parse BUILD_VARIANTS argument to pass to + offsetsAndConfigurationIndexForVariants(). + * offlineasm/generate_offset_extractor.rb: + - Parse BUILD_VARIANTS argument to pass to + configurationIndicesForVariants(). + + * offlineasm/offsets.rb: + (offsetsAndConfigurationIndex): + - Update argument list in comment block. + (offsetsAndConfigurationIndexForVariants): Add. + - Invoke offsetsAndConfigurationIndex() for each build variant. + (configurationIndices): + - Update argument list in comment block. + (configurationIndicesForVariants): Add. + - Invoke configurationIndices() for each build variant. + +2020-10-28 Basuke Suzuki + + [WinCairo][PlayStation] Add handling for accept failure case + https://bugs.webkit.org/show_bug.cgi?id=217353 + + Reviewed by Alex Christensen. + + It is rare to happen, but listening socket can be invalid state (i.e. cable disconnection, interface error), + and accept() will be called because of the poll's false report. In that situation, it is required to rebuild + the listening socket from the scratch. The failure of accept is the good place to capture this situation. + + This patch moves listening duty into Listener internal calss and it is possible to make the invalid state + while maintained by SocketEndpoint. Also in case of failure continues, the retry will be gradually increasing + the intervals. 
+ + * inspector/remote/socket/RemoteInspectorServer.h: + * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: + (Inspector::RemoteInspectorSocketEndpoint::listenInet): + (Inspector::RemoteInspectorSocketEndpoint::pollingTimeout): + (Inspector::RemoteInspectorSocketEndpoint::workerThread): + (Inspector::RemoteInspectorSocketEndpoint::createClient): + (Inspector::RemoteInspectorSocketEndpoint::disconnect): + (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled): + * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: + +2020-10-28 Saam Barati + + Better cache our serialization of the outer TDZ environment when creating FunctionExecutables during bytecode generation + https://bugs.webkit.org/show_bug.cgi?id=199866 + + + Reviewed by Tadeu Zagallo. + + This patch removes performance pathologies regarding programs with + many variables under TDZ (let/const). We had an algorithm for caching + the results of gathering all variables under TDZ, but that algorithm + wasn't nearly aggressive enough in its caching. This lead us to worst + case quadratic runtime, which could happens in practice for large functions. + + There are a few fixes here: + - Instead of flattening the entire TDZ stack, and caching that result, + we now cache each stack entry individually. So as you push/pop to the + TDZ environment stack, we no longer invalidate everything. Instead, we + will just need to cache the newly pushed entry. We also no longer invalidate + the cache for lifting a TDZ check. The compromise here is we may emit + more runtime TDZ checks for closure variables. This is better than N^2 + bytecode compile time perf, since a well predicted branch for a TDZ + check is essentially free. + - We no longer transform the CompactTDZEnvironment (formerly CompactVariableEnvironment) + from a Vector into a HashSet each time we generate code for an inner function. Instead, + CompactTDZEnvironment can be in two modes: compact and inflated. 
It starts life off in + compact mode (a vector), and will turn into an inflated mode if it's ever needed. Once + inflated, it'll stay this way until it's destructed. This improves our algorithm from being + O(EnvSize * NumFunctions) to O(EnvSize) at the cost of using more space in a HashTable versus a + Vector. In the future, we could consider just binary searching through this Vector, and never using + a hash table. + + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::generateUnlinkedFunctionCodeBlock): + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + * bytecode/UnlinkedFunctionExecutable.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::popLexicalScopeInternal): + (JSC::BytecodeGenerator::needsTDZCheck): + (JSC::BytecodeGenerator::liftTDZCheckIfPossible): + (JSC::BytecodeGenerator::pushTDZVariables): + (JSC::BytecodeGenerator::getVariablesUnderTDZ): + (JSC::BytecodeGenerator::preserveTDZStack): + (JSC::BytecodeGenerator::restoreTDZStack): + (JSC::BytecodeGenerator::emitNewInstanceFieldInitializerFunction): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::makeFunction): + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::evaluateWithScopeExtension): + * interpreter/Interpreter.cpp: + (JSC::eval): + * parser/Parser.h: + (JSC::Parser::parse): + (JSC::parse): + * parser/VariableEnvironment.cpp: + (JSC::CompactTDZEnvironment::sortCompact): + (JSC::CompactTDZEnvironment::CompactTDZEnvironment): + (JSC::CompactTDZEnvironment::operator== const): + (JSC::CompactTDZEnvironment::toTDZEnvironmentSlow const): + (JSC::CompactTDZEnvironmentMap::get): + (JSC::CompactTDZEnvironmentMap::Handle::~Handle): + (JSC::CompactTDZEnvironmentMap::Handle::Handle): + (JSC::CompactVariableEnvironment::CompactVariableEnvironment): Deleted. + (JSC::CompactVariableEnvironment::operator== const): Deleted. 
+ (JSC::CompactVariableEnvironment::toVariableEnvironment const): Deleted. + (JSC::CompactVariableMap::get): Deleted. + (JSC::CompactVariableMap::Handle::~Handle): Deleted. + (JSC::CompactVariableMap::Handle::Handle): Deleted. + * parser/VariableEnvironment.h: + (JSC::CompactTDZEnvironment::toTDZEnvironment const): + (JSC::CompactTDZEnvironmentKey::CompactTDZEnvironmentKey): + (JSC::CompactTDZEnvironmentKey::hash): + (JSC::CompactTDZEnvironmentKey::equal): + (JSC::CompactTDZEnvironmentKey::makeDeletedValue): + (JSC::CompactTDZEnvironmentKey::isHashTableDeletedValue const): + (JSC::CompactTDZEnvironmentKey::environment): + (WTF::HashTraits::emptyValue): + (WTF::HashTraits::isEmptyValue): + (WTF::HashTraits::constructDeletedValue): + (WTF::HashTraits::isDeletedValue): + (JSC::CompactTDZEnvironmentMap::Handle::environment const): + (JSC::CompactVariableEnvironment::hash const): Deleted. + (JSC::CompactVariableMapKey::CompactVariableMapKey): Deleted. + (JSC::CompactVariableMapKey::hash): Deleted. + (JSC::CompactVariableMapKey::equal): Deleted. + (JSC::CompactVariableMapKey::makeDeletedValue): Deleted. + (JSC::CompactVariableMapKey::isHashTableDeletedValue const): Deleted. + (JSC::CompactVariableMapKey::isHashTableEmptyValue const): Deleted. + (JSC::CompactVariableMapKey::environment): Deleted. + (WTF::HashTraits::emptyValue): Deleted. + (WTF::HashTraits::isEmptyValue): Deleted. + (WTF::HashTraits::constructDeletedValue): Deleted. + (WTF::HashTraits::isDeletedValue): Deleted. + (JSC::CompactVariableMap::Handle::Handle): Deleted. + (JSC::CompactVariableMap::Handle::operator=): Deleted. + (JSC::CompactVariableMap::Handle::operator bool const): Deleted. + (JSC::CompactVariableMap::Handle::environment const): Deleted. + (JSC::CompactVariableMap::Handle::swap): Deleted. 
+ * runtime/CachedTypes.cpp:
+ (JSC::Decoder::handleForTDZEnvironment const):
+ (JSC::Decoder::setHandleForTDZEnvironment):
+ (JSC::CachedCompactTDZEnvironment::encode):
+ (JSC::CachedCompactTDZEnvironment::decode const):
+ (JSC::CachedCompactTDZEnvironmentMapHandle::encode):
+ (JSC::CachedCompactTDZEnvironmentMapHandle::decode const):
+ (JSC::CachedFunctionExecutableRareData::decode const):
+ (JSC::Decoder::handleForEnvironment const): Deleted.
+ (JSC::Decoder::setHandleForEnvironment): Deleted.
+ (JSC::CachedCompactVariableEnvironment::encode): Deleted.
+ (JSC::CachedCompactVariableEnvironment::decode const): Deleted.
+ (JSC::CachedCompactVariableMapHandle::encode): Deleted.
+ (JSC::CachedCompactVariableMapHandle::decode const): Deleted.
+ * runtime/CachedTypes.h:
+ * runtime/CodeCache.cpp:
+ (JSC::generateUnlinkedCodeBlockImpl):
+ (JSC::generateUnlinkedCodeBlock):
+ (JSC::generateUnlinkedCodeBlockForDirectEval):
+ (JSC::recursivelyGenerateUnlinkedCodeBlockForProgram):
+ (JSC::recursivelyGenerateUnlinkedCodeBlockForModuleProgram):
+ (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
+ * runtime/CodeCache.h:
+ * runtime/Completion.cpp:
+ (JSC::generateProgramBytecode):
+ (JSC::generateModuleBytecode):
+ * runtime/DirectEvalExecutable.cpp:
+ (JSC::DirectEvalExecutable::create):
+ * runtime/DirectEvalExecutable.h:
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::collectClosureVariablesUnderTDZ):
+ * runtime/JSScope.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2020-10-28 Robin Morisset
+
+ DFGIntegerRangeOptimization is wrong for Upsilon (as 'shadow' nodes are not in SSA form)
+ https://bugs.webkit.org/show_bug.cgi?id=218073
+
+ Reviewed by Saam Barati.
+
+ In DFGIntegerRangeOptimization, when visiting an Upsilon node, we call setEquivalence, that calls setRelationship.
+ But despite its name, this function does not overwrite a pre-existing relationship, it simply replaces it by an over-approximation of the intersection of the old and new relationship (see the filter method).
+ Since the old relationship is always (by definition) an over-approximation of this intersection, it will often do nothing at all if it cannot find a closer approximation.
+ This is a problem specifically for Upsilon nodes, because several of them can store to the same "shadow node" corresponding to a given Phi, so they are the only case where there can already be a completely different relationship for the same nodes (coming from a different Upsilon).
+
+ The fix is very simple thanks to a suggestion by Phil: we just remove all relationships referring to the shadow node just before executing an Upsilon.
+ This is correct since the upsilon effectively kills that shadow node, before making it live again with a different value, and we already aggressively prune the relationshipMaps by liveness.
+
+ * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+
+2020-10-27 Michael Catanzaro
+
+ -Wparentheses warning in OptionsList.h
+ https://bugs.webkit.org/show_bug.cgi?id=218242
+
+ Unreviewed, fix warning by adding extra parentheses.
+
+ * runtime/OptionsList.h:
+
+2020-10-26 Devin Rousso
+
+ Web Inspector: console command line API should be exposed to breakpoint conditions/actions
+ https://bugs.webkit.org/show_bug.cgi?id=218141
+
+
+ Reviewed by Brian Burg.
+
+ * debugger/Debugger.h:
+ (JSC::Debugger::Client::scopeExtensionObject): Added.
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::setClient): Added.
+ (JSC::Debugger::evaluateBreakpointCondition):
+ (JSC::Debugger::evaluateBreakpointActions):
+ Introduce an optional `Debugger::Client` virtual class that can be used to adjust behavior
+ in various situations. Right now it is used when evaluating breakpoint conditions/actions
+ to get a scope extension object.
+
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::internalEnable):
+ (Inspector::InspectorDebuggerAgent::internalDisable):
+ (Inspector::InspectorDebuggerAgent::scopeExtensionObject): Added.
+ Implement `Debugger::Client` and provide a newly created `CommandLineAPI` instance.
+
+ * inspector/InjectedScript.h:
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::createCommandLineAPIObject const): Added.
+ * inspector/InjectedScriptSource.js:
+ (let.InjectedScript.prototype.createCommandLineAPIObject): Added.
+ (let.InjectedScript.prototype._evaluateOn):
+ Expose a way for the C++ to create `CommandLineAPI` instances.
+
+2020-10-15 Tadeu Zagallo
+
+ Sign MacroAssembler::jumpsToLink
+ https://bugs.webkit.org/show_bug.cgi?id=217774
+
+
+ Reviewed by Saam Barati.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::LinkRecord::LinkRecord):
+ (JSC::ARM64Assembler::LinkRecord::setFrom):
+ (JSC::ARM64Assembler::LinkRecord::to const):
+ (JSC::ARM64Assembler::linkJump):
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::copyCompactAndLinkCode):
+
+2020-10-15 Tadeu Zagallo
+
+ Validate addresses returned by LinkBuffer::locationOf
+ https://bugs.webkit.org/show_bug.cgi?id=217786
+
+
+ Reviewed by Saam Barati.
+
+ * assembler/LinkBuffer.h:
+ (JSC::LinkBuffer::locationOf):
+ (JSC::LinkBuffer::locationOfNearCall):
+ (JSC::LinkBuffer::getLinkerAddress):
+
+2020-10-26 Alex Christensen
+
+ Inclusive software: Remove instances of "dumb" from the code
+ https://bugs.webkit.org/show_bug.cgi?id=217778
+
+ Reviewed by Simon Fraser.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
+ (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
+ * heap/SlotVisitor.h:
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitVirtualCall):
+ (JSC::AssemblyHelpers::emitDumbVirtualCall): Deleted.
+ * jit/AssemblyHelpers.h:
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileCallEvalSlowCase):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileCallEvalSlowCase):
+ * runtime/CachedTypes.cpp:
+ * runtime/JSCJSValue.h:
+ * runtime/WriteBarrier.h:
+ * runtime/WriteBarrierInlines.h:
+ (JSC::RawValueTraits>::set):
+ (JSC::DumbValueTraits>::set): Deleted.
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/generateWasm.py:
+ (opcodeIterator):
+
+2020-10-26 Sam Weinig
+
+ JSC special function forward declarations (e.g. JSC_DECLARE_HOST_FUNCTION) that are internal to a cpp file should be declared with static to avoid external linkage
+ https://bugs.webkit.org/show_bug.cgi?id=218159
+
+ Reviewed by Darin Adler.
+
+ Add static prefix when declarations are constrained to the cpp file. This should help out the linker
+ by using the correct linkage type.
+
+ * runtime/ArrayPrototype.cpp:
+ * runtime/AsyncGeneratorFunctionConstructor.cpp:
+ * runtime/AtomicsObject.cpp:
+ * runtime/DateConstructor.cpp:
+ * runtime/DatePrototype.cpp:
+ * runtime/InspectorInstrumentationObject.cpp:
+ * runtime/JSDataViewPrototype.cpp:
+ * runtime/JSONObject.cpp:
+ * runtime/MathObject.cpp:
+ * runtime/ObjectConstructor.cpp:
+ * runtime/RegExpObject.cpp:
+ * runtime/StringPrototype.cpp:
+
+2020-10-24 Yusuke Suzuki
+
+ [ECMA-402] Implement Intl.ListFormat
+ https://bugs.webkit.org/show_bug.cgi?id=209775
+
+ Reviewed by Ross Kirsling.
+
+ This patch implements Intl.ListFormat. Intl.ListFormat requires ulistfmt_openForType.
+ But it is available after ICU 67, and it is draft (unstable) API in ICU 67.
+ But now, this function is stable in ICU 68 without signature change and no major
+ change happened to this API. Thus, we can assume that this API signature won't be changed.
+ We specially undef U_HIDE_DRAFT_API for unicode/ulistformatter.h to use this draft (but stable) APIs.
+
+ While macOS / iOS shipping ICU (AppleICU) is ICU 66, AppleICU has ulistfmt_openForType and related APIs
+ even in ICU 66. We use these APIs in AppleICU 66 to implement Intl.ListFormat.
+
+ * CMakeLists.txt:
+ * DerivedSources-input.xcfilelist:
+ * DerivedSources-output.xcfilelist:
+ * DerivedSources.make:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * runtime/CommonIdentifiers.h:
+ * runtime/IntlDisplayNames.cpp:
+ (JSC::IntlDisplayNames::initializeDisplayNames):
+ * runtime/IntlListFormat.cpp: Added.
+ (JSC::UListFormatterDeleter::operator()):
+ (JSC::IntlListFormat::create):
+ (JSC::IntlListFormat::createStructure):
+ (JSC::IntlListFormat::IntlListFormat):
+ (JSC::IntlListFormat::finishCreation):
+ (JSC::IntlListFormat::initializeListFormat):
+ (JSC::stringListFromIterable):
+ (JSC::ListFormatInput::ListFormatInput):
+ (JSC::ListFormatInput::size const):
+ (JSC::ListFormatInput::stringPointers const):
+ (JSC::ListFormatInput::stringLengths const):
+ (JSC::IntlListFormat::format const):
+ (JSC::IntlListFormat::formatToParts const):
+ (JSC::IntlListFormat::resolvedOptions const):
+ (JSC::IntlListFormat::styleString):
+ (JSC::IntlListFormat::typeString):
+ * runtime/IntlListFormat.h: Added.
+ * runtime/IntlListFormatConstructor.cpp: Added.
+ (JSC::IntlListFormatConstructor::create):
+ (JSC::IntlListFormatConstructor::createStructure):
+ (JSC::IntlListFormatConstructor::IntlListFormatConstructor):
+ (JSC::IntlListFormatConstructor::finishCreation):
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * runtime/IntlListFormatConstructor.h: Added.
+ * runtime/IntlListFormatPrototype.cpp: Added.
+ (JSC::IntlListFormatPrototype::create):
+ (JSC::IntlListFormatPrototype::createStructure):
+ (JSC::IntlListFormatPrototype::IntlListFormatPrototype):
+ (JSC::IntlListFormatPrototype::finishCreation):
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * runtime/IntlListFormatPrototype.h: Added.
+ * runtime/IntlObject.cpp:
+ (JSC::createListFormatConstructor):
+ (JSC::IntlObject::finishCreation):
+ * runtime/IntlObject.h:
+ (JSC::intlListFormatAvailableLocales):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::listFormatStructure):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2020-10-23 Keith Miller
+
+ Using WASM function size as the cap for choosing a register allocator causes performance regressions.
+ https://bugs.webkit.org/show_bug.cgi?id=217290
+
+ Reviewed by Michael Saboff.
+
+ Previously in https://bugs.webkit.org/show_bug.cgi?id=212105 we
+ limited the size of WASM functions we compile with OMG because
+ sufficiently large functions caused us to OOM while register
+ allocating. The memory growth we saw is because the memory usage
+ of graph coloring is O((number of tmps)^2). However, some large
+ WASM functions may not have that many tmps by the time we get to
+ register allocation. This patch changes our heuristic to instead
+ use the total number of tmps right before register allocation
+ instead of the WASM function size. The number of tmps is more
+ likely to represent the worst case memory usage of register
+ allocation.
This fixes a performance regression in Safari 14 when running
+ https://dos.zone/en/play/https%3A%2F%2Fdoszone-uploads.s3.dualstack.eu-central-1.amazonaws.com%2Foriginal%2F2X%2Fb%2Fb4b5275904d86a4ab8a20917b2b7e34f0df47bf7.jsdos
+
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::prepareForGeneration):
+ * runtime/OptionsList.h:
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::AirIRGenerator):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmCompilationMode.cpp:
+ (JSC::Wasm::wasmFunctionSizeCanBeOMGCompiled): Deleted.
+ * wasm/WasmCompilationMode.h:
+ * wasm/WasmOperations.cpp:
+ (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
+
+2020-10-23 Angelos Oikonomopoulos
+
+ [JSC] Fix argument order for double and/or ops on ARMv7
+ https://bugs.webkit.org/show_bug.cgi?id=218118
+
+ Reviewed by Adrian Perez de Castro.
+
+ The andDouble and orDouble macro assembler methods for ARMv7
+ incorrectly pass the destination register as the last argument,
+ whereas the assembler expects the destination to be the first
+ argument.
+
+ This fixes a failing testmasm test.
+
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::andDouble):
+ (JSC::MacroAssemblerARMv7::orDouble):
+
+2020-10-22 Robin Morisset
+
+ Use operand names when dumping Bytecode
+ https://bugs.webkit.org/show_bug.cgi?id=218084
+
+ Reviewed by Saam Barati.
+
+ For example this would output the following:
+ [ 258] put_to_scope scope:loc7, var:3, value:loc8, getPutInfo:1048576, symbolTableOrScopeDepth:0, offset:0
+ instead of
+ [ 258] put_to_scope loc7, 3, loc8, 1048576, 0, 0
+
+ * bytecode/BytecodeDumper.h:
+ (JSC::BytecodeDumperBase::dumpOperand):
+ * generator/Opcode.rb:
+
+2020-10-21 Caitlin Potter
+
+ [JSC] support op_get_private_name in DFG and FTL
+ https://bugs.webkit.org/show_bug.cgi?id=214861
+
+ Reviewed by Filip Pizlo.
+
+ Adds DFG/FTL support for op_get_private_name.
+
+ During DFG bytecode parsing, we will attempt, if deemed possible by
+ the information available, to output a GetByOffset operation. If a
+ single private field identifier is used in all cases (the common case),
+ but there are too many structure variants, a GetPrivateNameById
+ operation is emitted instead. Failing that, the GetPrivateName
+ operation is produced, which produces a GetByVal IC like in the
+ baseline JIT.
+
+ In FTL, GetPrivateNameByID can be reduced to [Multi]GetByOffset in the
+ DFGConstantFoldingPhase, or a GetByID IC when lowering to B3.
+
+ * bytecode/GetByStatus.cpp:
+ (JSC::GetByStatus::computeFromLLInt):
+ * bytecode/StructureStubInfo.h:
+ (JSC::appropriateOptimizingGetByIdFunction):
+ (JSC::appropriateGenericGetByIdFunction):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::simplifyGetByStatus):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handleGetPrivateNameById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToGetByOffset):
+ (JSC::DFG::Node::convertToMultiGetByOffset):
+ (JSC::DFG::Node::hasCacheableIdentifier):
+ (JSC::DFG::Node::hasHeapPrediction):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetPrivateName):
+ (JSC::DFG::SpeculativeJIT::compileGetPrivateNameByVal):
+ (JSC::DFG::SpeculativeJIT::compileGetPrivateNameById):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+
(JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::getPrivateName):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetPrivateName):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetPrivateNameById):
+ * jit/ICStats.h:
+ * jit/JITOperations.cpp:
+ (JSC::getPrivateName):
+ (JSC::JSC_DEFINE_JIT_OPERATION):
+ * jit/JITOperations.h:
+ * jit/Repatch.cpp:
+ (JSC::appropriateOptimizingGetByFunction):
+ (JSC::appropriateGetByFunction):
+ (JSC::tryCacheGetBy):
+ * jit/Repatch.h:
+ * runtime/OptionsList.h:
+
+2020-10-20 Saam Barati
+
+ Don't OSR exit to bc#0 for FTL argument type checks during loop OSR entry
+ https://bugs.webkit.org/show_bug.cgi?id=217925
+
+
+ Reviewed by Michael Saboff and Tadeu Zagallo.
+
+ When the FTL was emitting type checks for the named arguments of a function,
+ it was always emitting these type checks with an exit origin of bc#0. It was
+ doing this even if we were an OSR entry compilation! This meant that type
+ checks for arguments that failed during loop OSR entry would incorrectly exit
+ back to bc#0.
+
+ This patch fixes this by having the OSR entry runtime code validate the
+ argument types before OSR entering. The current OSR entry compiled code in
+ the FTL is designed to only allow exiting after all ExtractOSREntryLocal and
+ MovHints have executed, so it is simpler to put the type checks in the runtime
+ instead of the compiled code.
+
+ This patch also makes it so we do exponential backoff when failing to OSR
+ enter. This is needed due to insufficient profiling where we never properly
+ profile the type of arguments. Before this, we'd OSR exit in the FTL code
+ itself, which does exponential backoff when recompiling. This patch builds
+ this same exponential backoff in for when we fail to OSR enter enough times
+ to give up on the OSR entry compilation.
+
+ * ftl/FTLForOSREntryJITCode.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ * ftl/FTLOSREntry.cpp:
+ (JSC::FTL::prepareOSREntry):
+
+2020-10-20 Michael Saboff
+
+ [JSC] Update RegExp UCD to version 13.0
+ https://bugs.webkit.org/show_bug.cgi?id=217975
+
+ Reviewed by Yusuke Suzuki.
+
+ UCD 13.0 data files and an update to the generated file's copyright.
+
+ * ucd/CaseFolding.txt:
+ * ucd/DerivedBinaryProperties.txt:
+ * ucd/DerivedCoreProperties.txt:
+ * ucd/DerivedNormalizationProps.txt:
+ * ucd/PropList.txt:
+ * ucd/PropertyAliases.txt:
+ * ucd/PropertyValueAliases.txt:
+ * ucd/ScriptExtensions.txt:
+ * ucd/Scripts.txt:
+ * ucd/UnicodeData.txt:
+ * ucd/emoji-data.txt:
+ * yarr/generateYarrUnicodePropertyTables.py:
+
+2020-10-20 Ross Kirsling
+
+ [JSC] Rename item() to at() and move it behind a flag
+ https://bugs.webkit.org/show_bug.cgi?id=217942
+
+ Reviewed by Yusuke Suzuki.
+
+ {Array, %TypedArray%}.prototype.item is official web-incompatible,
+ but it is expected to be renamed to `at` instead of being scrapped entirely:
+ https://github.com/tc39/proposal-item-method/issues/34
+
+ This patch performs the renaming, but does so behind a runtime flag since this has yet to achieve consensus.
+
+ * builtins/ArrayPrototype.js:
+ (at):
+ (item): Deleted.
+ * builtins/TypedArrayPrototype.js:
+ (at):
+ (item): Deleted.
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::JSTypedArrayViewPrototype::finishCreation):
+ * runtime/OptionsList.h:
+
+2020-10-20 Philippe Normand and Pavel Feldman
+
+ Web Inspector: Add setScreenSizeOverride API to the Page agent
+ https://bugs.webkit.org/show_bug.cgi?id=213242
+
+ Reviewed by Devin Rousso.
+
+ * inspector/protocol/Page.json: Add a new setScreenSizeOverride API in the Page agent.
+
+2020-10-19 Ross Kirsling
+
+ %TypedArray%#sort helper functions should be globalPrivate
+ https://bugs.webkit.org/show_bug.cgi?id=217928
+
+ Reviewed by Yusuke Suzuki and Alexey Shvayka.
+
+ Following r267827, this patch ensures that %TypedArray%.prototype.sort's helper functions:
+ 1. use parameters instead of capturing variables
+ 2. are converted from local functions to globalPrivate ones
+
+ To this end, also expose Math.min as a link-time constant.
+
+ * builtins/ArrayPrototype.js:
+ (globalPrivate.sortMerge):
+ (globalPrivate.sortMin): Deleted.
+ * builtins/BuiltinNames.h:
+ * builtins/TypedArrayPrototype.js:
+ (globalPrivate.typedArrayElementCompare): Added.
+ (globalPrivate.typedArrayMerge): Added.
+ (globalPrivate.typedArrayMergeSort): Added.
+ (sort):
+ (sort.min): Deleted.
+ (sort.merge): Deleted.
+ (sort.mergeSort): Deleted.
+ * bytecode/LinkTimeConstant.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/MathObject.cpp:
+ * runtime/MathObject.h:
+
+2020-10-19 Alexey Shvayka
+
+ [WebIDL] %Interface%.prototype.constructor should be defined on [[Set]] receiver
+ https://bugs.webkit.org/show_bug.cgi?id=216533
+
+ Reviewed by Darin Adler.
+
+ Before this change, a [[Set]] performed on an %Interface% instance used to overwrite
+ %Interface%.prototype.constructor instead of defining own "constructor" property.
+
+ Since using CustomValue is essential for lazy initialization of WebIDL constructors,
+ and forwarding [[Set]] with correct receiver would require further diverging
+ CustomValue setter signature from CustomAccessor counterpart, this patch makes a
+ CustomValue property without a setter to be treated as a data descriptor [1].
+
+ This avoids generating a "constructor" setter for every exposed WebIDL interface and
+ making an extra put() dispatch in putInlineSlow(). Changing the semantics is safe
+ because there were no setter-less CustomValue properties before this patch.
+
+ [1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 3.e.ii)
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * runtime/CustomGetterSetter.cpp:
+ (JSC::callCustomSetter):
+ * runtime/CustomGetterSetter.h:
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::putToPrimitive): Add missing exception check.
+ * runtime/JSCustomGetterSetterFunction.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putInlineSlow):
+ * runtime/Lookup.h:
+ (JSC::putEntry):
+ * runtime/PropertySlot.cpp:
+ (JSC::PropertySlot::customGetter const):
+ * runtime/PropertySlot.h:
+ * tools/JSDollarVM.cpp:
+
+2020-10-19 Mark Cohen
+
+ test262: test/language/expressions/conditional/in-branch-1.js
+ https://bugs.webkit.org/show_bug.cgi?id=217879
+
+ Reviewed by Darin Adler.
+
+ The test262 test in question checks that the parser respects the +In
+ parameter on the left-hand AssignmentExpression (between `?` and `:`)
+ in the ternary operator grammar. The relevant piece of the spec can be
+ found here (https://tc39.es/ecma262/#sec-conditional-operator). The
+ test checks this by embedding a ternary with left-hand
+ AssignmentExpression that contains the `in` keyword in the
+ initializing statement of a `for` loop, where `in` would normally be
+ disallowed. All this patch does is unconditionally allow the `in`
+ keyword inside the left-hand AssignmentExpression of a ternary.
+
+ This also fixes a variable typo in parseForStatement.
+
+ * parser/Parser.cpp:
+
+2020-10-18 David Kilzer
+
+ Fix -Wdeprecated-copy warnings in WTF and JavaScriptCore
+
+
+
+ Reviewed by Darin Adler.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::LinkRecord::LinkRecord): Add.
+ - Implement the copy constructor since the compiler may not
+ have implemented it the same way as the copy assignment
+ operator.
+ (JSC::ARM64Assembler::LinkRecord::operator=):
+ - Fix return type of copy assignment operator and simplify it.
+
+2020-10-18 Caio Lima
+
+ [ESNext][JIT] Add support for UntypedUse on PutPrivateName's base operand
+ https://bugs.webkit.org/show_bug.cgi?id=217373
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is adding UntypedUse for `PutPrivateName`'s base operand to
+ avoid a OSR when we have a non-cell base.
+ Also, it is fixing a bug on private field operations `get_private_name` and
+ `put_private_name` to call `ToObject` on base to properly support
+ class fields spec text[1][2].
+
+ [1] - https://tc39.es/proposal-class-fields/#sec-getvalue
+ [2] - https://tc39.es/proposal-class-fields/#sec-putvalue
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePutPrivateName):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
+ * jit/JITOperations.cpp:
+ (JSC::setPrivateField):
+ (JSC::definePrivateField):
+ (JSC::JSC_DEFINE_JIT_OPERATION):
+ (JSC::getPrivateName):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_put_private_name):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_put_private_name):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.cpp:
+
+ Previous implementation was wrongly considering that base was always
+ an object, causing segmentation fault when base was not an object.
+ We changed this to handle cases when base is not and object, following
+ what spec text specifies.
+
+2020-10-17 Ross Kirsling
+
+ Unreviewed fix for r268640
+ https://bugs.webkit.org/show_bug.cgi?id=217883
+
+ It seems I made a late adjustment that test262 was unhappy with; this reverts just that line.
+
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::defineOwnProperty):
+
+2020-10-17 Ross Kirsling
+
+ Ensure %TypedArray% essential internal methods adhere to spec
+ https://bugs.webkit.org/show_bug.cgi?id=217854
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch addresses https://github.com/tc39/ecma262/pull/2164,
+ which aligns detached buffer semantics in typed arrays with web reality.
+
+ In particular:
+ - [[HasProperty]] must not throw
+ - IntegerIndexedElementGet (i.e. [[GetOwnProperty]] and [[Get]]) must not throw
+ - IntegerIndexedElementSet (i.e. [[DefineOwnProperty]] and [[Set]]) must not throw
+ - Integer-indexed elements must be [[Configurable]] (to avoid breaking a [[HasProperty]] invariant)
+ - [[Delete]] must be overridden to return false for integer-indexed elements (which are *not* deletable)
+
+ This patch furthermore ensures that all of these essential internal methods have a spec-perfect implementation.
+
+ Note that there are a couple of interesting ripple effects here:
+ - The fill(), sort(), and set() methods should throw explicitly, but we'd been letting [[Get]] throw instead.
+ - Other callback-taking methods should *not* throw anymore; they only did so implicitly via [[Get]] and [[Set]].
+
+ * builtins/TypedArrayPrototype.js:
+ (fill):
+ (sort):
+ * runtime/JSGenericTypedArrayView.h:
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::set):
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlot):
+ (JSC::JSGenericTypedArrayView::put):
+ (JSC::JSGenericTypedArrayView::defineOwnProperty):
+ (JSC::JSGenericTypedArrayView::deleteProperty):
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlotByIndex):
+ (JSC::JSGenericTypedArrayView::deletePropertyByIndex):
+ * runtime/JSGlobalObjectFunctions.h:
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::getPropertySlot):
+ (JSC::JSObject::getNonIndexPropertySlot):
+ * runtime/JSTypedArrays.cpp:
+
+2020-10-16 Devin Rousso
+
+ Web Inspector: REGRESSION(r266074): line-based JavaScript breakpoints don't hit after reload
+ https://bugs.webkit.org/show_bug.cgi?id=217862
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
+ Don't clear the list of protocol breakpoints when the global object changes. Protocol
+ breakpoints should only be cleared when individually removed or by `Debugger.disable`.
+
+2020-10-16 Saam Barati
+
+ Don't emit OpSpread with a constant as the destination
+ https://bugs.webkit.org/show_bug.cgi?id=217800
+
+
+ Reviewed by Yusuke Suzuki.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitCall):
+ (JSC::BytecodeGenerator::emitConstruct):
+
+2020-10-16 Michael Catanzaro
+
+ REGRESSION(r267727): Warning spam from JSC_DECLARE_CUSTOM_GETTER
+ https://bugs.webkit.org/show_bug.cgi?id=217585
+
+ Reviewed by Yusuke Suzuki.
+
+ A small number of source files now need to use JSC_DECLARE_CUSTOM_GETTER_WITHOUT_WTF_INTERNAL.
+
+ * b3/testb3_5.cpp:
+ * b3/testb3_7.cpp:
+ * tools/JSDollarVM.cpp:
+
+2020-10-15 Saam Barati
+
+ Don't assign a bogus register to Load/ForwardVarargs in AvailabilityAnalysis before stack layout
+ https://bugs.webkit.org/show_bug.cgi?id=217789
+
+
+ Reviewed by Keith Miller.
+
+ There is code inside AvailabilityAnalysis phase that was assuming the
+ Load/ForwardVarargs data was already stack allocated. However, this isn't
+ guaranteed to be the case. However, we were doing virtual register math on
+ invalid virtual registers, leading to wonky results. The fix here is to
+ model it like we do GetStack/PutStack, where we say, before we do stack
+ allocation, we just tell availability analysis the flush format, but not
+ where it's flushed.
+
+ This was causing validation errors when merging these invalid FlushedAts with
+ the FlushedAts from GetStack/PutStack.
+
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+
+2020-10-15 Alexey Shvayka
+
+ REGRESSION (r268489): test/built-ins/Object/entries/order-after-define-property.js failing on test262 bots
+ https://bugs.webkit.org/show_bug.cgi?id=217738
+
+ Reviewed by Yusuke Suzuki.
+
+ This change fixes an oversight of r268489 that caused Object.entries to
+ return a sparse array if its argument contained non-enumerable properties.
+
+ * builtins/ObjectConstructor.js:
+ (entries):
+
+2020-10-14 Alexey Shvayka
+
+ Use @putByValDirect instead of Array.prototype.@push in built-ins
+ https://bugs.webkit.org/show_bug.cgi?id=175432
+
+ Reviewed by Yusuke Suzuki.
+
+ Before this patch, Array.prototype.@push was used to implement List spec type,
+ stacks / queues, and in place of CreateDataProperty [1].
+ It's undesirably observable since elements are pushed using [[Set]],
+ affecting indexed properties on prototypes [2].
+
+ This change introduces @arrayPush() intrinsic to use with lists / stacks / queues.
+ @arrayPush() should only be used with JSArray receivers because "length" isn't
+ incremented. Unlike Array.prototype.@push, it doesn't grow arrays beyond UINT_MAX,
+ which is OK for current use cases. Object.entries microbenchmark is neutral.
+
+ Despite Array.prototype.@shift also performing [[Set]], it's safe to use with
+ non-sparse receivers.
+
+ [1]: https://tc39.es/ecma262/#sec-createarrayfromlist (step 4.a)
+ [2]: https://tc39.es/ecma262/#sec-array.prototype.push (step 5.a)
+
+ * builtins/ArrayPrototype.js:
+ (globalPrivate.sortBucketSort):
+ * builtins/ObjectConstructor.js:
+ (entries):
+ * builtins/RegExpPrototype.js:
+ (globalPrivate.matchSlow):
+ (Symbol.replace):
+ (Symbol.split):
+ * builtins/TypedArrayPrototype.js:
+ (filter):
+ * bytecode/BytecodeIntrinsicRegistry.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_arrayPush):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+
+2020-10-14 Don Olmstead
+
+ Non-unified build fixes, mid October 2020
+ https://bugs.webkit.org/show_bug.cgi?id=217721
+
+ Reviewed by Yusuke Suzuki.
+
+ * API/JSContextRef.cpp:
+ * dfg/DFGDoesGCCheck.cpp:
+ * llint/LLIntExceptions.cpp:
+ * llint/LLIntExceptions.h:
+ * llint/LLIntThunks.h:
+
+2020-10-13 Saam Barati
+
+ JSObject::getPropertyNames should have a stack overflow check
+ https://bugs.webkit.org/show_bug.cgi?id=217677
+
+
+ Reviewed by Tadeu Zagallo.
+
+ A prototype chain can be long enough where the recursion causes a stack
+ overflow. The attached test case uses $vm to mimic such a prototype chain
+ by using JSProxy to make a cyclic prototype chain. But the same works by
+ making a prototype chain very long, but the test case takes too long to
+ run to justify landing. For posterity, the alternate test case is:
+
+ ```
+ function makeLongProtoChain(length) {
+ let object = /foo/;
+ for (let i = 0; i < length; ++i) {
+ next = /foo/;
+ next.__proto__ = object;
+ object = next;
+ }
+ return object;
+ }
+
+ let o = makeLongProtoChain(30000);
+ for (let q in o) {}
+ ```
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getPropertyNames):
+
+2020-10-13 Keith Rollin
+
+ Remove leftover MACOSX_DEPLOYMENT_TARGET_macosx support
+ https://bugs.webkit.org/show_bug.cgi?id=217649
+
+
+ Reviewed by Darin Adler.
+
+ Bug 42796 introduced MACOSX_DEPLOYMENT_TARGET_ as "support
+ for compiling WebKit against iOS SDKs". Support for the iOS part of
+ this feature was later removed in several changes, including Bug
+ 139212, Bug 139463 and Bug 144762. However, vestiges have remained for
+ five or six years in the form of MACOSX_DEPLOYMENT_TARGET_macosx. The
+ inclusion of the platform in MACOSX_DEPLOYMENT_TARGET is no longer
+ needed and can be removed.
+
+ This changes brings most projects in conformance with other projects
+ that don't support including the platform in MACOSX_DEPLOYMENT_TARGET,
+ including WebEditingTester, gtest, WebKitTestRunner, MiniBrowser, and
+ TestWebKitAPI.
+
+ Along the way, remove a couple of left-over references to macOS 10.16,
+ and a couple of places where [sdk=macosx*] was still being used.
+
+ With this change, initialization of MACOSX_DEPLOYMENT_TARGET should be
+ consistent across all projects, with two exceptions: WebKitLauncher
+ (which hardcodes it to 10.12) and libwebrtc's copy of googletest
+ (which hardcodes it to 10.4). The reasons for these hard-coded values
+ is not apparent, so leave them be.
+
+ * Configurations/DebugRelease.xcconfig:
+
+2020-10-12 Yusuke Suzuki
+
+ JIT operations do not need extern "C"
+ https://bugs.webkit.org/show_bug.cgi?id=217636
+
+ Reviewed by Saam Barati.
+
+ Since they are directly embedded by JIT code generator (not linked via linker), they do not need to be C linkage.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * ftl/FTLOSRExitCompiler.cpp:
+ * ftl/FTLOSRExitCompiler.h:
+ * ftl/FTLOperations.cpp:
+ * ftl/FTLOperations.h:
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+
+2020-10-12 Saam Barati
+
+ Array.prototype.sort's sortBucketSort accesses an array in an invalid way that can lead to incorrect results with indexed properties on the prototype chain
+ https://bugs.webkit.org/show_bug.cgi?id=217634
+
+
+ Reviewed by Yusuke Suzuki.
+ + Inside one of Array.prototype.sort's builtin helper methods, we are using an + array as an internal data structure to do some bookkeeping. However, we were + accessing it in such a way that it was reading properties from the prototype + chain. The code is written in a way such that it is only correct if it is + reading self properties (as the prototype chain can be user controlled). The + fix is to set this bookkeeping array's __proto__ to null, so we don't read + from the prototype chain. + + * builtins/ArrayPrototype.js: + (globalPrivate.sortBucketSort): + +2020-10-11 Yusuke Suzuki + + OpToPropertyKey only accepts temporary for destination + https://bugs.webkit.org/show_bug.cgi?id=217471 + + Reviewed by Saam Barati. + + propertyName register can be constant. We should create temporary register if it is necessary for the destination. * bytecompiler/NodesCodegen.cpp: (JSC::ObjectPatternNode::bindValue const): -2019-07-02 Commit Queue +2020-10-12 Luming Yin - Unreviewed, rolling out r247041. - https://bugs.webkit.org/show_bug.cgi?id=199425 + [macOS] Workaround for MAC_OS_X_VERSION_MAJOR incorrectly including minor version when building + with Xcode 12 on macOS Big Sur SUs + https://bugs.webkit.org/show_bug.cgi?id=217602 + rdar://70194453 - broke some iOS arm64e tests (Requested by keith_miller on - #webkit). + Reviewed by Darin Adler. - Reverted changeset: + The previous workaround turns out to be ineffective because we can't set the value of + TARGET_MAC_OS_X_VERSION_MAJOR based on a previous value of itself. Introduce a new + variable TARGET_MAC_OS_X_VERSION_MAJOR to determine whether we need to explicitly + adjust MAC_OS_X_VERSION_MAJOR to 110000. 
- "PACCage should first cage leaving PAC bits intact then - authenticate" - https://bugs.webkit.org/show_bug.cgi?id=199372 - https://trac.webkit.org/changeset/247041 + * Configurations/DebugRelease.xcconfig: -2019-07-02 Keith Miller +2020-10-12 Luming Yin - Frozen Arrays length assignment should throw in strict mode - https://bugs.webkit.org/show_bug.cgi?id=199365 + [macOS] Workaround for MAC_OS_X_VERSION_MAJOR incorrectly including minor version when building + with Xcode 12 on macOS Big Sur SUs + https://bugs.webkit.org/show_bug.cgi?id=217602 + rdar://70194453 + + Reviewed by Darin Adler. + + Due to a bug in Xcode (rdar://70185899), Xcode 12.0 and Xcode 12.1 Beta incorrectly includes the + minor release number in MAC_OS_X_VERSION_MAJOR, which causes Debug and Release builds of WebKit + to be misconfigured when building on macOS Big Sur SUs, leading to webpages failing to load. + + To work around the Xcode bug, when the MAC_OS_X_VERSION_MAJOR includes the minor version number, + drop the minor version number by explicitly setting TARGET_MAC_OS_X_VERSION_MAJOR to 110000. + + Note: This change should be reverted after is resolved. + + * Configurations/DebugRelease.xcconfig: + +2020-10-11 Luming Yin + + Strip patch version from TARGET_MAC_OS_X_VERSION_MAJOR when building for macOS Big Sur + or later + https://bugs.webkit.org/show_bug.cgi?id=217594 + rdar://70188497 + + Reviewed by Darin Adler. + + To ensure successful Mac Catalyst WebKit builds, strip the patch version from + TARGET_MAC_OS_X_VERSION_MAJOR by using two `base:`s on MACOSX_DEPLOYMENT_TARGET. + + * Configurations/Base.xcconfig: + +2020-10-11 Luming Yin + + Ignore deployment suffix and identifier when computing major OS version for macOS + Big Sur and newer + https://bugs.webkit.org/show_bug.cgi?id=217584 + rdar://70168426 + + Reviewed by Darin Adler. + + Stop using MACOSX_DEPLOYMENT_TARGET:suffix:identifier to compute major OS versions. + Only use the deployment target base for macOS Big Sur and newer. 
Keep the manual + definitions for legacy versions of macOS. + + * Configurations/Base.xcconfig: + +2020-10-11 Yusuke Suzuki + + Unreviewed, mark missing custom getter and setters + https://bugs.webkit.org/show_bug.cgi?id=217500 + + * tools/JSDollarVM.cpp: + +2020-10-11 Yusuke Suzuki + + [JSC] arguments.callee should become ThrowTypeError if function has non simple parameter list + https://bugs.webkit.org/show_bug.cgi?id=217574 + + Reviewed by Darin Adler. + + We should set ThrowTypeError in ClonedArguments when the callee is strict mode or callee has non simple parameter list[1]. + We propagate NonSimpleParameterList information from parser and use it when materializing "callee" property of ClonedArguments. + + [1]: https://tc39.es/ecma262/#sec-functiondeclarationinstantiation + + * parser/Nodes.h: + (JSC::ScopeNode::isStrictMode const): + (JSC::ScopeNode::usesNonSimpleParameterList const): + (JSC::ScopeNode::setFeatures): Deleted. + (JSC::ScopeNode::setUsesArguments): Deleted. + * parser/Parser.cpp: + (JSC::Parser::parseInner): + * parser/ParserModes.h: + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::getOwnPropertySlot): + (JSC::ClonedArguments::materializeSpecials): + * runtime/ScriptExecutable.h: + (JSC::ScriptExecutable::usesNonSimpleParameterList const): + +2020-10-11 Yusuke Suzuki + + [JSC] BigInt constructor should be constructible while it always throws an error + https://bugs.webkit.org/show_bug.cgi?id=217575 + + Reviewed by Darin Adler. + + In terms of the spec, BigInt constructor should be a constructor. So we should put constructBigIntConstructor function instead of nullptr. + But it should always throw a TypeError. Error message looks a bit awkward ("TypeError: function is not a constructor..."), but this looks + most intuitive to users. Note that V8 and SpiderMonkey throw similar messages ("is not a constructor"). 
+ + * runtime/BigIntConstructor.cpp: + (JSC::BigIntConstructor::BigIntConstructor): + (JSC::JSC_DEFINE_HOST_FUNCTION): + +2020-10-11 Yusuke Suzuki + + [JSC] LowerCase when LanguageTag checks duplicate variants + https://bugs.webkit.org/show_bug.cgi?id=217571 + + Reviewed by Ross Kirsling. + + Since Unicode LanguageTag is case insensitive, we need to recognize "VARIANT0" and "variant0" are the same language tag variants. + To achieve that, we perform toASCIILower when computing VariantCode. + + * runtime/IntlObject.cpp: + (JSC::parseVariantCode): + +2020-10-09 Yusuke Suzuki + + [JSC] Assert Operation and HostFunction are in JITOperationsList + https://bugs.webkit.org/show_bug.cgi?id=217500 + + Reviewed by Saam Barati. + + We make JSC PtrTag more restricted. We add the following information for each PtrTag. + + 1. What code target is tagged with this PtrTag? Native or JIT. + 2. What uses this PtrTag when invoking code? Native, JIT, or None. + + And we will verify via JIT-caging. + + This patch adds HostFunctionPtrTag and sign host functions with it. Previously, it was signed with JSEntryPtrTag, + and this is wrong since it is used for JS entry thunks. And we introduce assertion that function is registered in + JITOperationList when signing function with OperationPtrTag or HostFunctionPtrTag. + + We also annotate all operations in testb3 so that testb3 can work with OperationPtrTag / HostFunctionPtrTag assertions. + + * assembler/JITOperationList.cpp: + (JSC::addPointers): + * assembler/JITOperationList.h: + * b3/testb3_1.cpp: + (main): + * b3/testb3_5.cpp: + (JSC_DEFINE_JIT_OPERATION): + (simpleFunction): Deleted. + (functionWithHellaArguments): Deleted. + (functionWithHellaArguments2): Deleted. + (functionWithHellaArguments3): Deleted. + (simpleFunctionDouble): Deleted. + (simpleFunctionFloat): Deleted. + (functionWithHellaDoubleArguments): Deleted. + (functionWithHellaFloatArguments): Deleted. 
+ * b3/testb3_6.cpp: + (JSC_DEFINE_JIT_OPERATION): + (interpreterPrint): Deleted. + * b3/testb3_7.cpp: + (JSC_DEFINE_JIT_OPERATION): + (oneFunction): Deleted. + (noOpFunction): Deleted. + (functionNineArgs): Deleted. + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + * dfg/DFGOperations.cpp: + * jit/JITOperations.cpp: + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/JSCPtrTag.cpp: + (JSC::tagForPtr): + (JSC::ptrTagName): + * runtime/JSCPtrTag.h: + (JSC::tagJSCCodePtrImpl): + (JSC::untagJSCCodePtrImpl): + * runtime/NativeFunction.h: + (JSC::TaggedNativeFunction::TaggedNativeFunction): + (JSC::TaggedNativeFunction::operator NativeFunction): + * wasm/WasmOperations.cpp: + (JSC::Wasm::doOSREntry): + +2020-10-09 Keith Miller + + Enable WeakRefs/FinalizationRegistries by default. + https://bugs.webkit.org/show_bug.cgi?id=215789 Reviewed by Yusuke Suzuki. - * runtime/JSArray.cpp: - (JSC::JSArray::put): + * runtime/OptionsList.h: -2019-07-02 Paulo Matos +2020-10-09 Keith Miller - Fix typo in if/else block and remove dead assignment - https://bugs.webkit.org/show_bug.cgi?id=199352 + Finalizers shouldn't run if events can't fire + https://bugs.webkit.org/show_bug.cgi?id=214508 - Reviewed by Alexey Proskuryakov. + Reviewed by Ryosuke Niwa. - * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPattern::dumpPattern): Fix typo in if/else block and remove dead assignment + This patch makes it so the DeferredWorkTimer won't run scheduled + tasks if those would not have run if they were scheduled in + WebCore. To do this there is now a concept of a + ScriptExecutionOwner. The ScriptExecutionOwner is almost always + the same as the global object of the pending task (referred to as + the ticket). The only exception to this is if the global object + is a JSDOMWindowBase, then the ScriptExecutionOwner is the + Document's JS wrapper. 
To tell the status of a + ScriptExecutionOwner, the DeferredWorkTimer calls a virtual + function on the global object of the ticket, for JSC-only this + just always returns Running. For WebCore, we ask the + ScriptExecutionContext associated with the ScriptExecutionOwner. -2019-07-02 Keith Miller + * API/JSAPIGlobalObject.cpp: + * API/JSAPIGlobalObject.mm: + * jsc.cpp: + * runtime/DeferredWorkTimer.cpp: + (JSC::DeferredWorkTimer::doWork): + (JSC::DeferredWorkTimer::addPendingWork): + (JSC::DeferredWorkTimer::hasDependancyInPendingWork): + (JSC::DeferredWorkTimer::didResumeScriptExecutionOwner): + * runtime/DeferredWorkTimer.h: + * runtime/JSFinalizationRegistry.cpp: + (JSC::JSFinalizationRegistry::create): + (JSC::JSFinalizationRegistry::finishCreation): + * runtime/JSFinalizationRegistry.h: + * runtime/JSGlobalObject.cpp: + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::currentScriptExecutionOwner): + (JSC::JSGlobalObject::scriptExecutionStatus): - PACCage should first cage leaving PAC bits intact then authenticate - https://bugs.webkit.org/show_bug.cgi?id=199372 +2020-10-08 Yusuke Suzuki - Reviewed by Saam Barati. + Unreviewed, reland r268170 + https://bugs.webkit.org/show_bug.cgi?id=217460 - This ordering prevents someone from taking a signed pointer from - outside the gigacage and using it in a struct that expects a caged - pointer. Previously, the PACCaging just double checked that the PAC - bits were valid for the original pointer. + Fixed missing wrong OperationPtrTag use in Repatch.cpp. 
- - +---------------------------+ - | | | | - | "PAC" | "base" | "offset" +----+ - | | | | | - +---------------------------+ | Caging - | | - | | - | v - | +---------------------------+ - | | | | | - | Bit Merge | 00000 | base | "offset" | - | | | | | - | +---------------------------+ - | | - | | - v | Bit Merge - +---------------------------+ | - | | | | | - | "PAC" | base | "offset" +<--------+ - | | | | - +---------------------------+ - | - | - | Authenticate - | - v - +---------------------------+ - | | | | - | Auth | base | "offset" | - | | | | - +---------------------------+ - - The above ascii art graph shows how the PACCage system works. The - key take away is that even if someone passes in a valid, signed - pointer outside the cage it will still fail to authenticate as the - "base" bits will change before authentication. - - - * assembler/MacroAssemblerARM64E.h: + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::getLinkerAddress): + * assembler/AssemblerBuffer.h: + (JSC::ARM64EHash::update): + (JSC::ARM64EHash::finalHash const): + * assembler/JITOperationList.cpp: + (JSC::addPointers): + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): + (JSC::MacroAssemblerCodePtr::createFromExecutableAddress): * assembler/testmasm.cpp: - (JSC::testCagePreservesPACFailureBit): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::caged): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::cageConditionally): - * llint/LowLevelInterpreter64.asm: + (JSC::testProbeModifiesProgramCounter): + * b3/air/testair.cpp: + * ftl/FTLOutput.h: + (JSC::FTL::Output::callWithoutSideEffects): + (JSC::FTL::Output::operation): + * ftl/FTLSlowPathCall.cpp: + (JSC::FTL::SlowPathCallContext::makeCall): + * jit/JITCode.cpp: + (JSC::JITCodeWithCodeRef::executableAddressAtOffset): + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * jit/JITOperations.cpp: 
+ * jit/Repatch.cpp: + (JSC::readPutICCallTarget): + (JSC::ftlThunkAwareRepatchCall): + (JSC::tryCacheGetBy): + (JSC::tryCachePutByID): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntPCRanges.h: + (JSC::LLInt::isLLIntPC): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + * runtime/JSCPtrTag.h: + * runtime/MachineContext.h: + (JSC::MachineContext::instructionPointer): + * runtime/NativeExecutable.cpp: + (JSC::NativeExecutable::finishCreation): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setCustomValue): + (JSC::PutPropertySlot::setCustomAccessor): + (JSC::PutPropertySlot::customSetter const): + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::emitCCall): + * wasm/WasmSlowPaths.cpp: -2019-07-01 Justin Michaud +2020-10-08 Commit Queue - [Wasm-References] Disable references by default - https://bugs.webkit.org/show_bug.cgi?id=199390 + Unreviewed, reverting r268170 and r268190. + https://bugs.webkit.org/show_bug.cgi?id=217502 + + Crash on ARM64E exclusively + + Reverted changesets: + + "[JSC] Restrict more ptr-tagging and avoid using + OperationPtrTag for JIT code" + https://bugs.webkit.org/show_bug.cgi?id=217460 + https://trac.webkit.org/changeset/268170 + + "Unreviewed, build fix for ARM64E" + https://bugs.webkit.org/show_bug.cgi?id=217460 + https://trac.webkit.org/changeset/268190 + +2020-10-08 Ryosuke Niwa + + Make it possible to send an arbitrary IPC message from JavaScript + https://bugs.webkit.org/show_bug.cgi?id=217423 + + + Reviewed by Geoffrey Garen. + + Added a helper function to get uint64_t out of BigInt. + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::toUint64Heap): Added. + * runtime/JSBigInt.h: + (JSC::JSBigInt::toUint64): Added. + +2020-10-07 Yusuke Suzuki + + [JSC] Restrict more ptr-tagging and avoid using OperationPtrTag for JIT code + https://bugs.webkit.org/show_bug.cgi?id=217460 Reviewed by Saam Barati. 
- * runtime/Options.h: + This patch makes tagging / untagging pointer functions solid by using PtrTag in template parameter. + Later, we will introduce compile time behavior change for different kind of PtrTag so that we can insert OperationPtrTag validation + when tagging a function with OperationPtrTag. -2019-07-01 Ryan Haddad + We also found that FTL is tagging JIT code with OperationPtrTag wrongly. We should tag it with JITThunkPtrTag. - Unreviewed, rolling out r246946. + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::getLinkerAddress): + * assembler/AssemblerBuffer.h: + (JSC::ARM64EHash::update): + (JSC::ARM64EHash::finalHash const): + * assembler/JITOperationList.cpp: + (JSC::addPointers): + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): + (JSC::MacroAssemblerCodePtr::createFromExecutableAddress): + * assembler/testmasm.cpp: + (JSC::testProbeModifiesProgramCounter): + * b3/air/testair.cpp: + * ftl/FTLOutput.h: + (JSC::FTL::Output::callWithoutSideEffects): + (JSC::FTL::Output::operation): + * ftl/FTLSlowPathCall.cpp: + (JSC::FTL::SlowPathCallContext::makeCall): + * jit/JITCode.cpp: + (JSC::JITCodeWithCodeRef::executableAddressAtOffset): + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * jit/JITOperations.cpp: + * jit/Repatch.cpp: + (JSC::readPutICCallTarget): + (JSC::ftlThunkAwareRepatchCall): + (JSC::tryCacheGetBy): + (JSC::tryCachePutByID): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntPCRanges.h: + (JSC::LLInt::isLLIntPC): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + * runtime/MachineContext.h: + (JSC::MachineContext::instructionPointer): + * runtime/NativeExecutable.cpp: + (JSC::NativeExecutable::finishCreation): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setCustomValue): + 
(JSC::PutPropertySlot::setCustomAccessor): + (JSC::PutPropertySlot::customSetter const): + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::emitCCall): + * wasm/WasmSlowPaths.cpp: - Caused JSC test crashes on arm64 +2020-10-07 Ross Kirsling + + [JSC] Revert String.prototype.item + https://bugs.webkit.org/show_bug.cgi?id=217449 + + Reviewed by Yusuke Suzuki. + + This patch reverts the String part of r267814, as it has been shown to be web-incompatible: + https://github.com/tc39/proposal-item-method/issues/31 + + Thankfully, this was the inessential part of the proposal; the core parts (Array and %TypedArray%) remain for now. + + * builtins/StringPrototype.js: + (item): Deleted. + * runtime/StringPrototype.cpp: + +2020-10-07 Keith Rollin + + Update post-processing rules for headers to not unnecessarily change timestamps + https://bugs.webkit.org/show_bug.cgi?id=217371 + + + Reviewed by Darin Adler. + + Under XCBuild, the scripts employed in custom build rules can be + invoked in innocuous situations. A common example is when the user is + building from the command-line and they change the `make` output from + stdout to a file, or vice-versa. Changing the output changes the + setting of the COLOR_DIAGNOSTICS environment variable, which is enough + to cause XCBuild to think something is different and that the custom + build rule needs to be invoked. For the script's part, nothing + significant has changed, yet it post-processes the header files, + causing their modification dates to change, causing downstream + rebuilds to occur. + + Fix this problem by adopting an approach that doesn't modify the + post-processed header files unless their contents actually change. + + * Scripts/postprocess-header-rule: + +2020-10-05 Yusuke Suzuki + + [JSC] More consistent PtrTagging for code types + https://bugs.webkit.org/show_bug.cgi?id=217362 + + Reviewed by Mark Lam. + + 1. Avoid tagging JIT code with OperationPtrTag. 
OperationPtrTag should be used only for operations (C++ code). + 2. Avoid mixing JIT and C++ code for the same tagged pointers. For exception trampoline, in JIT mode, we should have + JIT trampoline thunk which goes to LLInt bytecode handler code. + + * bytecode/BytecodeList.rb: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::finalizeUnconditionally): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compileExceptionHandlers): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileMathIC): + * jit/ICStats.h: + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + (JSC::JIT::link): + (JSC::JIT::privateCompileExceptionHandlers): + * jit/JIT.h: + (JSC::CallRecord::CallRecord): + * jit/JITCall.cpp: + (JSC::JIT::compileTailCall): + (JSC::JIT::compileOpCall): + (JSC::JIT::compileOpCallSlowCase): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + (JSC::JIT::compileOpCallSlowCase): + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * jit/JITInlines.h: + (JSC::JIT::emitNakedNearCall): + (JSC::JIT::emitNakedNearTailCall): + (JSC::JIT::emitNakedCall): Deleted. + (JSC::JIT::emitNakedTailCall): Deleted. 
+ * jit/JITPropertyAccess.cpp: + (JSC::JIT::privateCompilePutByVal): + (JSC::JIT::privateCompilePutPrivateNameWithCachedId): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/SlowPathCall.h: + (JSC::JITSlowPathCall::call): + * llint/LLIntData.h: + (JSC::LLInt::getWide16CodeRef): + (JSC::LLInt::getWide32CodeRef): + (JSC::LLInt::getCodeFunctionPtr): + (JSC::LLInt::getWide16CodeFunctionPtr): + (JSC::LLInt::getWide32CodeFunctionPtr): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::setFunctionEntrypoint): + (JSC::LLInt::setEvalEntrypoint): + (JSC::LLInt::setProgramEntrypoint): + (JSC::LLInt::setModuleProgramEntrypoint): + * llint/LLIntExceptions.cpp: + (JSC::LLInt::callToThrow): + (JSC::LLInt::handleUncaughtException): + (JSC::LLInt::catcher): + * llint/LLIntExceptions.h: + * llint/LLIntSlowPaths.cpp: + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + (JSC::LLInt::functionForCallEntryThunk): + (JSC::LLInt::functionForConstructEntryThunk): + (JSC::LLInt::functionForCallArityCheckThunk): + (JSC::LLInt::functionForConstructArityCheckThunk): + (JSC::LLInt::evalEntryThunk): + (JSC::LLInt::programEntryThunk): + (JSC::LLInt::moduleProgramEntryThunk): + (JSC::LLInt::wasmFunctionEntryThunk): + (JSC::LLInt::callToThrowThunk): + (JSC::LLInt::handleUncaughtExceptionThunk): + (JSC::LLInt::catcherThunk): + * llint/LLIntThunks.h: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::processUnverifiedStackTraces): + * wasm/WasmOperations.cpp: + (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): + +2020-10-05 Ross Kirsling + + %TypedArray%.from must do mapping and putting in lockstep + https://bugs.webkit.org/show_bug.cgi?id=217349 + + Reviewed by Yusuke Suzuki. + + %TypedArray%.from first turns the input iterator into a list to find the size for the resulting typed array, + then it fills the typed array with the list elements. 
+ + If a map function is provided, however, it must be called during the *second* phase, not the first, + because if an element throws upon valueOf, that should prevent all further calls of the map function. + + * builtins/TypedArrayConstructor.js: + (from): + +2020-10-05 Yusuke Suzuki + + Unrevewed, fix crash for ASan debug builds + https://bugs.webkit.org/show_bug.cgi?id=217261 + + Reviewed by Saam Barati. + + This function touches memory region which ASan cannot understand whether this is safe. + And ASan makes pointer fat so that it will see some null pointers. + + * assembler/JITOperationList.cpp: + (JSC::addPointers): + +2020-10-05 Keith Miller + + Add JSC option to trigger a hardware breakpoint when debugger expressions are reached. + https://bugs.webkit.org/show_bug.cgi?id=217334 + + Reviewed by Yusuke Suzuki. + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::debug): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::defaultCodeGenerationMode const): + * runtime/OptionsList.h: + +2020-10-05 David Kilzer + + Build fix: Use JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES() with SUPPRESS_ASAN + + + * tools/JSDollarVM.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES): + - Change `SUPPRESS_ASAN JSC_DEFINE_HOST_FUNCTION()` to + `JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES(..., SUPPRESS_ASAN, ...)` + to fix the build. + +2020-10-03 Yusuke Suzuki + + [JSC] Introduce JITOperationList to validate JIT-caged pointers + https://bugs.webkit.org/show_bug.cgi?id=217261 + + Reviewed by Saam Barati. + + This patch adds JITOperationList, which manages all the host-function & jit-operation pointers. + And we can now query whether the given pointer is registered in this table. + Currently, as a test, we are verifying that host-function is registered in this table when creating NativeExecutable in debug build. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * assembler/JITOperationList.cpp: Added. 
+ (JSC::JITOperationList::initialize): + (JSC::addPointers): + (JSC::JITOperationList::populatePointersInJavaScriptCore): + (JSC::JITOperationList::populatePointersInEmbedder): + * assembler/JITOperationList.h: Added. + (JSC::JITOperationList::contains const): + (JSC::JITOperationList::assertIsHostFunction): + (JSC::JITOperationList::assertIsJITOperation): + (JSC::JITOperationList::instance): + * assembler/MacroAssemblerARM64.cpp: + * assembler/MacroAssemblerARMv7.cpp: + * assembler/MacroAssemblerMIPS.cpp: + * assembler/MacroAssemblerX86Common.cpp: + * jsc.cpp: + (jscmain): + * runtime/InitializeThreading.cpp: + (JSC::initialize): + * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: + (JSC::genericTypedArrayViewProtoFuncSet): + (JSC::genericTypedArrayViewProtoFuncCopyWithin): + (JSC::genericTypedArrayViewProtoFuncIncludes): + (JSC::genericTypedArrayViewProtoFuncIndexOf): + (JSC::genericTypedArrayViewProtoFuncJoin): + (JSC::genericTypedArrayViewProtoFuncLastIndexOf): + (JSC::genericTypedArrayViewProtoGetterFuncBuffer): + (JSC::genericTypedArrayViewProtoGetterFuncLength): + (JSC::genericTypedArrayViewProtoGetterFuncByteLength): + (JSC::genericTypedArrayViewProtoGetterFuncByteOffset): + (JSC::genericTypedArrayViewProtoFuncReverse): + (JSC::genericTypedArrayViewPrivateFuncSort): + (JSC::genericTypedArrayViewProtoFuncSlice): + (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): + (JSC::JSC_DEFINE_HOST_FUNCTION): Deleted. + * runtime/VM.cpp: + (JSC::VM::getHostFunction): + +2020-10-02 Ross Kirsling + + [JSC] Add Array#item to @@unscopables + https://bugs.webkit.org/show_bug.cgi?id=217243 + + Reviewed by Yusuke Suzuki. 
+ + ES2015+ Array methods must be listed in Array.prototype[@@unscopables] per the note here: + https://tc39.es/ecma262/#sec-array.prototype-@@unscopables + + The Array#item spec doesn't currently make this explicit, but I created an issue to ensure it isn't overlooked: + https://github.com/tc39/proposal-item-method/issues/30 + + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::finishCreation): + +2020-10-02 Adrian Perez de Castro + + Unreviewed. [GTK] Add missing locale.h header needed for setlocale() + + * jsc.cpp: Add missing locale.h header for the GTK port, which is needed to get the + definition for setlocale() in scope. + +2020-10-01 Yusuke Suzuki + + [JSC] Masm probe should invoke JIT operation function + https://bugs.webkit.org/show_bug.cgi?id=217199 + + Reviewed by Mark Lam. + + Masm probe function should be invoked via OperationPtrTag since it is invoked from JIT code, and it is native code. + And we should register probe trampoline as JIT operation. + + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerARMv7.cpp: + * assembler/MacroAssemblerMIPS.cpp: + * assembler/MacroAssemblerX86Common.cpp: + * runtime/JSCPtrTag.h: + +2020-10-01 Adrian Perez de Castro and Don Olmstead + + Non-unified build fixes, early October 2020 edition + https://bugs.webkit.org/show_bug.cgi?id=217165 + + Reviewed by Yusuke Suzuki. + + * llint/LLIntEntrypoint.h: + * llint/LLIntSlowPaths.cpp: + +2020-10-01 Yusuke Suzuki + + stress/put-private-name-invalid-define.js.ftl-eager is getting flaky failure + https://bugs.webkit.org/show_bug.cgi?id=217164 + + Reviewed by Mark Lam. + + JIT operations need to use JITOperationPrologueCallFrameTracer to configure top call frame correctly. + But putById private field JIT operations miss them or use wrong frame tracer. 
Since we are not setting top frame correctly, + exception object creation from this JIT operations can be broken, and leading to stress/put-private-name-invalid-define.js.ftl-eager crash. + This patch configures top call frame via JITOperationPrologueCallFrameTracer appropriately. + + * jit/JITOperations.cpp: + +2020-10-01 Yusuke Suzuki + + [JSC] Define Array#sort's implementation functions as globalPrivate + https://bugs.webkit.org/show_bug.cgi?id=217168 + + Reviewed by Ross Kirsling. + + Now, these Array#sort's implementation functions are not capturing any heap variables. So we can make them @globalPrivate, + this avoids function allocations in LLInt / Baseline / DFG in Array#sort. + + * builtins/ArrayPrototype.js: + (globalPrivate.sortMin): + (globalPrivate.sortStringComparator): + (globalPrivate.sortCompact): + (globalPrivate.sortCommit): + (globalPrivate.sortMerge): + (globalPrivate.sortMergeSort): + (globalPrivate.sortBucketSort): + (sort): + (sort.min): Deleted. + (sort.stringComparator): Deleted. + (sort.compact): Deleted. + (sort.commit): Deleted. + (sort.merge): Deleted. + (sort.mergeSort): Deleted. + (sort.bucketSort): Deleted. + +2020-10-01 Yusuke Suzuki + + [JSC] Do not use std::function in setPrivateField and definePrivateField + https://bugs.webkit.org/show_bug.cgi?id=217167 + + Reviewed by Ross Kirsling. + + std::function can potentially allocate an object in heap. We should should just pass lambda with a templatized parameter instead. + + * jit/JITOperations.cpp: + (JSC::setPrivateField): + (JSC::definePrivateField): + +2020-09-30 Yusuke Suzuki + + [JSC] We should not tag C function with JIT code related ptr tag + https://bugs.webkit.org/show_bug.cgi?id=217150 + + Reviewed by Mark Lam. + + We are tagging getHostCallReturnValue function with JIT related PtrTag. As a part of JIT-caging effort, we are restricting our + PtrTag usage more for code types (e.g. JIT code should be tagged with JIT related PtrTag). 
So, we should not tag getHostCallReturnValue + with that. This patch implements getHostCallReturnValue in JIT code if JIT is enabled. If not, it is implemented by LLInt. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/BytecodeList.rb: + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::Footer::offsetOfVM): + * heap/PreciseAllocation.h: + (JSC::PreciseAllocation::offsetOfWeakSet): + * heap/WeakSet.h: + (JSC::WeakSet::offsetOfVM): + * jit/HostCallReturnValue.cpp: Removed. + * jit/HostCallReturnValue.h: Removed. + * jit/JITOperations.cpp: + * jit/JITOperationsMSVC64.cpp: Removed. + * jit/JITStubsMSVC64.asm: + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::getHostCallReturnValueEntrypoint): + * llint/LLIntEntrypoint.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::handleHostCall): + (JSC::LLInt::commonCallEval): + * llint/LLIntThunks.cpp: + (JSC::LLInt::getHostCallReturnValueThunk): + * llint/LLIntThunks.h: + * llint/LowLevelInterpreter.cpp: + (JSC::CLoop::execute): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/JSCellInlines.h: + (JSC::tryAllocateCellHelper): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::offsetOfVM): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::offsetOfEncodedHostCallReturnValue): + +2020-09-30 Ross Kirsling + + [JSC] Implement item method proposal + https://bugs.webkit.org/show_bug.cgi?id=217115 + + Reviewed by Yusuke Suzuki. 
+ + This patch implements {Array, %TypedArray%, String}.prototype.item, which reached Stage 3 at TC39 last week: + https://github.com/tc39/proposal-item-method/ + + This method behaves like the [] operator except: + - it recognizes negative indices (-1 through -length, without wrapping) + - it returns undefined *without* calling getters for out-of-bounds indices + + The primary motivation for this is as a layering improvement for Web APIs (see, e.g., NodeList.prototype.item), + but the primary visible benefit for JavaScript users is negative indexation. + + * builtins/ArrayPrototype.js: + (item): + * builtins/StringPrototype.js: + (item): + * builtins/TypedArrayPrototype.js: + (item): + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::finishCreation): + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/StringPrototype.cpp: + +2020-09-30 Yusuke Suzuki + + [JSC] Common slow paths should be JIT operations + https://bugs.webkit.org/show_bug.cgi?id=217141 + + Reviewed by Saam Barati. + + Unlike LLInt slow paths, common (common means common between LLInt and Baseline) slow paths can be called from baseline JIT code. Thus, they should be JIT operations. + + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::llint_slow_path_checkpoint_osr_exit_from_inlined_call): + (JSC::LLInt::llint_slow_path_checkpoint_osr_exit): + (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call): Deleted. + (JSC::LLInt::slow_path_checkpoint_osr_exit): Deleted. + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::JSC_DEFINE_COMMON_SLOW_PATH): + (JSC::iteratorOpenTryFastImpl): + (JSC::iteratorNextTryFastImpl): + (JSC::SLOW_PATH_DECL): Deleted. + (JSC::iterator_open_try_fast): Deleted. + (JSC::iterator_next_try_fast): Deleted. 
+ * runtime/CommonSlowPaths.h: + +2020-09-30 Basuke Suzuki + + [PlayStation][WinCairo] Enable WebDriver target on PlayStation and client for WinCairo + https://bugs.webkit.org/show_bug.cgi?id=216908 + + Reviewed by Don Olmstead. + + Implement automation session correctly for PlayStation and WinCairo. + + * inspector/remote/RemoteInspector.h: + * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: + (Inspector::RemoteInspectorConnectionClient::parseTargetListJSON): + * inspector/remote/socket/RemoteInspectorConnectionClient.h: + * inspector/remote/socket/RemoteInspectorSocket.cpp: + (Inspector::RemoteInspector::stopInternal): + (Inspector::RemoteInspector::requestAutomationSession): + (Inspector::RemoteInspector::startAutomationSession): + +2020-09-30 Commit Queue + + Unreviewed, reverting r267795. + https://bugs.webkit.org/show_bug.cgi?id=217135 + + Incorrect fix. Reverted changeset: - "Add b3 macro lowering for CheckMul on arm64" - https://bugs.webkit.org/show_bug.cgi?id=199251 - https://trac.webkit.org/changeset/246946 + "REGRESSION(r259582): Build fails on aarch64 Linux with WebKit + 2.30.1 on LLIntOffsetsExtractor.cpp.o" + https://bugs.webkit.org/show_bug.cgi?id=217079 + https://trac.webkit.org/changeset/267795 -2019-06-28 Justin Michaud +2020-09-30 Mike Gorse - Add b3 macro lowering for CheckMul on arm64 - https://bugs.webkit.org/show_bug.cgi?id=199251 + REGRESSION(r259582): Build fails on aarch64 Linux with WebKit 2.30.1 on LLIntOffsetsExtractor.cpp.o + https://bugs.webkit.org/show_bug.cgi?id=217079 + + Reviewed by Michael Catanzaro. + + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): DOn't compile in a call to + dumpJITMemory if JIT is disabled; leads to a build failure. + +2020-09-29 Yusuke Suzuki + + Always use OperationPtrTag for all operations and annotate operations in CSS JIT + https://bugs.webkit.org/show_bug.cgi?id=217117 + + Reviewed by Mark Lam. 
+ + For JIT-caging, we would like to annotate all operations consistently with OperationPtrTag. + This patch replaces B3CCallPtrTag and CSSOperationPtrTag with OperationPtrTag and handle these + operations as Operation in JIT-caging. + + We also collect and annotate all the operations called in CSS JIT and define them with JSC_DEFINE_JIT_OPERATION. + + * b3/B3LowerMacros.cpp: + * b3/B3LowerMacrosAfterOptimizations.cpp: + * b3/B3MathExtras.cpp: + * b3/B3ReduceLoopStrength.cpp: + (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy): + * b3/B3ReduceStrength.cpp: + * b3/air/AirCCallSpecial.cpp: + (JSC::B3::Air::CCallSpecial::generate): + * b3/testb3_5.cpp: + (testCallSimple): + (testCallRare): + (testCallRareLive): + (testCallSimplePure): + (testCallFunctionWithHellaArguments): + (testCallFunctionWithHellaArguments2): + (testCallFunctionWithHellaArguments3): + (testCallSimpleDouble): + (testCallSimpleFloat): + (testCallFunctionWithHellaDoubleArguments): + (testCallFunctionWithHellaFloatArguments): + (testLinearScanWithCalleeOnStack): + * b3/testb3_6.cpp: + (testInterpreter): + * b3/testb3_7.cpp: + (testLICMPure): + (testLICMPureSideExits): + (testLICMPureWritesPinned): + (testLICMPureWrites): + (testLICMReadsLocalState): + (testLICMReadsPinned): + (testLICMReads): + (testLICMPureNotBackwardsDominant): + (testLICMPureFoiledByChild): + (testLICMPureNotBackwardsDominantFoiledByChild): + (testLICMExitsSideways): + (testLICMWritesLocalState): + (testLICMWrites): + (testLICMFence): + (testLICMWritesPinned): + (testLICMControlDependent): + (testLICMControlDependentNotBackwardsDominant): + (testLICMControlDependentSideExits): + (testLICMReadsPinnedWritesPinned): + (testLICMReadsWritesDifferentHeaps): + (testLICMReadsWritesOverlappingHeaps): + (testLICMDefaultCall): + (testShuffleDoesntTrashCalleeSaves): + * ftl/FTLOutput.h: + (JSC::FTL::Output::callWithoutSideEffects): + (JSC::FTL::Output::operation): + * runtime/JSCPtrTag.h: + * wasm/WasmAirIRGenerator.cpp: + 
(JSC::Wasm::AirIRGenerator::emitCCall): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addTableGet): + (JSC::Wasm::B3IRGenerator::addTableSet): + (JSC::Wasm::B3IRGenerator::addRefFunc): + (JSC::Wasm::B3IRGenerator::addTableSize): + (JSC::Wasm::B3IRGenerator::addTableGrow): + (JSC::Wasm::B3IRGenerator::addTableFill): + (JSC::Wasm::B3IRGenerator::addGrowMemory): + (JSC::Wasm::B3IRGenerator::setGlobal): + (JSC::Wasm::B3IRGenerator::emitWriteBarrierForJSWrapper): + (JSC::Wasm::B3IRGenerator::addOp): + (JSC::Wasm::B3IRGenerator::addOp): + +2020-09-26 Darin Adler + + Refactor test runner code to cut down on copy/paste code and long-winded repetitive idioms + https://bugs.webkit.org/show_bug.cgi?id=217028 + + Reviewed by Sam Weinig. + + * API/JSRetainPtr.h: Added support for JSClassRef. + +2020-09-29 Yusuke Suzuki + + [JSC] Annotate JIT operation functions called from B3 etc. + https://bugs.webkit.org/show_bug.cgi?id=217082 + + Reviewed by Saam Barati. + + There are many math functions that are called from B3 etc. We should make them JIT operations to complete JIT-caging. + + * b3/B3LowerMacros.cpp: + * b3/B3LowerMacrosAfterOptimizations.cpp: + * b3/B3MathExtras.cpp: + * b3/B3ReduceLoopStrength.cpp: + (JSC::B3::JSC_DEFINE_JIT_OPERATION): + (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy): + (JSC::B3::fastForwardCopy32): Deleted. 
+ * b3/B3ReduceLoopStrength.h: + (JSC::B3::fastForwardCopy32): + * b3/B3ReduceStrength.cpp: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArithMode.cpp: + (JSC::DFG::arithUnaryFunction): + (JSC::DFG::arithUnaryOperation): + (WTF::printInternal): + * dfg/DFGArithMode.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArithMod): + (JSC::DFG::SpeculativeJIT::compileArithRounding): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArithPow): + * ftl/FTLOutput.cpp: + (JSC::FTL::Output::doubleTrunc): + (JSC::FTL::Output::doubleUnary): + (JSC::FTL::Output::doubleStdPow): + (JSC::FTL::Output::doublePow): Deleted. + * ftl/FTLOutput.h: + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::callDoubleToDouble): + * jit/ThunkGenerators.cpp: + * runtime/MathCommon.cpp: + (JSC::Math::log1pDoubleImpl): + (JSC::Math::log1pFloatImpl): + (JSC::Math::log1p): + (JSC::Math::JSC_DEFINE_JIT_OPERATION): + (JSC::Math::roundDoubleImpl): + * runtime/MathCommon.h: + * runtime/MathObject.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + * runtime/Operations.h: + (JSC::jsRemainder): + +2020-09-29 Yusuke Suzuki + + Unreviewed, attempt to fix WinCairo build failure part 2 + https://bugs.webkit.org/show_bug.cgi?id=217071 + + * ftl/FTLOperations.h: + +2020-09-29 Yusuke Suzuki + + Unreviewed, attempt to fix WinCairo build failure + https://bugs.webkit.org/show_bug.cgi?id=217071 + + * ftl/FTLOperations.h: + * tools/JSDollarVM.cpp: + +2020-09-28 Yusuke Suzuki + + Use JSC_DECLARE_JIT_OPERATION / JSC_DECLARE_CUSTOM_GETTER / JSC_DECLARE_CUSTOM_SETTER + https://bugs.webkit.org/show_bug.cgi?id=217071 + + Reviewed by Keith Miller. + + This patch changes how to define JIT_OPERATIONs including custom getters and setters. + We introduce JSC_DECLARE_JIT_OPERATION etc. 
to declare and define them. This is useful + to perform some additional things (like, JIT-caging registering) for each function. + +2020-09-28 Mark Lam + + Add Bounds Check Elimination validation for debugging. + https://bugs.webkit.org/show_bug.cgi?id=217055 + rdar://69122891 + + Reviewed by Keith Miller. + + Added a JSC_validateBoundsCheckElimination option (with alias + JSC_validateBCE) that adds an AssertInBounds whenever a CheckInBounds + node is elided. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGIntegerCheckCombiningPhase.cpp: + (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): + * dfg/DFGIntegerRangeOptimizationPhase.cpp: + * dfg/DFGNodeType.h: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::validateAIState): + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty): + (JSC::FTL::DFG::LowerDFGToB3::compileAssertInBounds): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationReportBoundsCheckEliminationErrorAndCrash): + * ftl/FTLOperations.h: + * runtime/OptionsList.h: + +2020-09-26 Yusuke Suzuki + + Unreviewed, follow-up after r267373 to resolve post-commit review comments + https://bugs.webkit.org/show_bug.cgi?id=216667 + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGOperations.cpp: + * 
dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): + (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey): + * runtime/HashMapImpl.h: + (JSC::jsMapHash): + +2020-09-25 Ross Kirsling + + %TypedArray%.{from, of} no longer perform AllocateTypedArray + https://bugs.webkit.org/show_bug.cgi?id=216991 + + Reviewed by Yusuke Suzuki. + + Back in ES2015, %TypedArray%.of and %TypedArray%.from appear to have been based on the abstract operation + AllocateTypedArray, which involved crawling the prototype chain to find the appropriate constructor and + only permitted `this` to be a (derived) typed array. + + This appears to have gone away as of ES2016 -- we simply expect `this` to be a constructor and verify that it + produced a typed array (of sufficient length). + + * builtins/BuiltinNames.h: + * builtins/TypedArrayConstructor.js: + (of): + (from): + (allocateInt8Array): Deleted. + (allocateInt16Array): Deleted. + (allocateInt32Array): Deleted. + (allocateUint32Array): Deleted. + (allocateUint16Array): Deleted. + (allocateUint8Array): Deleted. + (allocateUint8ClampedArray): Deleted. + (allocateFloat32Array): Deleted. + (allocateFloat64Array): Deleted. + * runtime/JSGenericTypedArrayViewConstructor.h: + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::JSGenericTypedArrayViewConstructor::finishCreation): + (JSC::JSGenericTypedArrayViewConstructor::create): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + +2020-09-25 Yusuke Suzuki + + [JSC] Introduce JSC_DECLARE_HOST_FUNCTION / JSC_DEFINE_HOST_FUNCTION to make host function definition easy-to-scanned for JIT-caging + https://bugs.webkit.org/show_bug.cgi?id=216966 + + Reviewed by Saam Barati. 
+ + This patch introduces JSC_DECLARE_HOST_FUNCTION / JSC_DEFINE_HOST_FUNCTION and changes how to define host functions. + In the new way, we declare a function like, + + JSC_DECLARE_HOST_FUNCTION(functionHelloWorld); + + And define the function like, + + JSC_DEFINE_HOST_FUNCTION(functionHelloWorld, (JSGlobalObject* globalObject, CallFrame* callFrame)) + { + // function body. + } + + This makes adding some meta information to each function easy, which helps JIT-caging to collect allowed function pointers. + + * API/JSAPIWrapperObject.mm: + (JSC::JSCallbackObject::getCallFunction): + (JSC::JSCallbackObject::getConstructFunction): + (JSC::JSC_DEFINE_HOST_FUNCTION): + * API/JSCallbackConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructJSCallbackConstructor): Deleted. + * API/JSCallbackFunction.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callJSCallbackFunction): Deleted. + * API/JSCallbackObject.cpp: + (JSC::JSCallbackObject::getCallFunction): + (JSC::JSCallbackObject::getConstructFunction): + (JSC::JSCallbackObject::getCallFunction): + (JSC::JSCallbackObject::getConstructFunction): + (JSC::JSC_DEFINE_HOST_FUNCTION): + * API/JSCallbackObject.h: + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::getConstructData): + (JSC::JSCallbackObject::constructImpl): + (JSC::JSCallbackObject::getCallData): + (JSC::JSCallbackObject::callImpl): + (JSC::JSCallbackObject::construct): Deleted. + (JSC::JSCallbackObject::call): Deleted. + * API/ObjCCallbackFunction.mm: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callObjCCallbackFunction): Deleted. + (JSC::constructObjCCallbackFunction): Deleted. 
+ * API/glib/JSAPIWrapperGlobalObject.cpp: + (JSC::JSCallbackObject::getCallFunction): + (JSC::JSCallbackObject::getConstructFunction): + * API/glib/JSAPIWrapperObjectGLib.cpp: + (JSC::JSCallbackObject::getCallFunction): + (JSC::JSCallbackObject::getConstructFunction): + (JSC::JSC_DEFINE_HOST_FUNCTION): + * API/glib/JSCCallbackFunction.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callJSCCallbackFunction): Deleted. + (JSC::constructJSCCallbackFunction): Deleted. + * inspector/JSInjectedScriptHostPrototype.cpp: + (Inspector::JSC_DEFINE_HOST_FUNCTION): + (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate): Deleted. + (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails): Deleted. + (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties): Deleted. 
+ * inspector/JSJavaScriptCallFramePrototype.cpp: + (Inspector::JSC_DEFINE_HOST_FUNCTION): + (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension): Deleted. + (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions): Deleted. + (Inspector::jsJavaScriptCallFrameAttributeCaller): Deleted. + (Inspector::jsJavaScriptCallFrameAttributeSourceID): Deleted. + (Inspector::jsJavaScriptCallFrameAttributeLine): Deleted. + (Inspector::jsJavaScriptCallFrameAttributeColumn): Deleted. + (Inspector::jsJavaScriptCallFrameAttributeFunctionName): Deleted. + (Inspector::jsJavaScriptCallFrameAttributeScopeChain): Deleted. + (Inspector::jsJavaScriptCallFrameAttributeThisObject): Deleted. + (Inspector::jsJavaScriptCallFrameAttributeType): Deleted. + (Inspector::jsJavaScriptCallFrameIsTailDeleted): Deleted. + * jsc.cpp: + (JSC_DEFINE_HOST_FUNCTION): + (functionPrintStdOut): Deleted. + (functionPrintStdErr): Deleted. + (functionDebug): Deleted. + (functionDescribe): Deleted. + (functionDescribeArray): Deleted. + (functionSleepSeconds): Deleted. + (functionJSCStack): Deleted. + (functionGCAndSweep): Deleted. + (functionFullGC): Deleted. + (functionEdenGC): Deleted. + (functionHeapSize): Deleted. + (functionResetMemoryPeak): Deleted. + (functionAddressOf): Deleted. + (functionVersion): Deleted. + (functionRun): Deleted. + (functionRunString): Deleted. + (functionLoad): Deleted. + (functionLoadString): Deleted. + (functionReadFile): Deleted. + (functionCheckSyntax): Deleted. + (functionSetSamplingFlags): Deleted. + (functionClearSamplingFlags): Deleted. + (functionGetRandomSeed): Deleted. + (functionSetRandomSeed): Deleted. + (functionIsRope): Deleted. + (functionCallerSourceOrigin): Deleted. + (functionReadline): Deleted. + (functionPreciseTime): Deleted. + (functionNeverInlineFunction): Deleted. + (functionNoDFG): Deleted. + (functionNoFTL): Deleted. + (functionNoOSRExitFuzzing): Deleted. + (functionOptimizeNextInvocation): Deleted. 
+ (functionNumberOfDFGCompiles): Deleted. + (functionCallerIsOMGCompiled): Deleted. + (functionDollarCreateRealm): Deleted. + (functionDollarEvalScript): Deleted. + (functionDollarAgentStart): Deleted. + (functionDollarAgentReceiveBroadcast): Deleted. + (functionDollarAgentReport): Deleted. + (functionDollarAgentSleep): Deleted. + (functionDollarAgentBroadcast): Deleted. + (functionDollarAgentGetReport): Deleted. + (functionDollarAgentLeaving): Deleted. + (functionDollarAgentMonotonicNow): Deleted. + (functionWaitForReport): Deleted. + (functionHeapCapacity): Deleted. + (functionFlashHeapAccess): Deleted. + (functionDisableRichSourceInfo): Deleted. + (functionMallocInALoop): Deleted. + (functionTotalCompileTime): Deleted. + (functionJSCOptions): Deleted. + (functionReoptimizationRetryCount): Deleted. + (functionTransferArrayBuffer): Deleted. + (functionFailNextNewCodeBlock): Deleted. + (functionQuit): Deleted. + (functionFalse): Deleted. + (functionUndefined1): Deleted. + (functionUndefined2): Deleted. + (functionIsInt32): Deleted. + (functionIsPureNaN): Deleted. + (functionIdentity): Deleted. + (functionEffectful42): Deleted. + (functionMakeMasquerader): Deleted. + (functionCallMasquerader): Deleted. + (functionHasCustomProperties): Deleted. + (functionDumpTypesForAllVariables): Deleted. + (functionDrainMicrotasks): Deleted. + (functionSetTimeout): Deleted. + (functionReleaseWeakRefs): Deleted. + (functionFinalizationRegistryLiveCount): Deleted. + (functionFinalizationRegistryDeadCount): Deleted. + (functionIs32BitPlatform): Deleted. + (functionCreateGlobalObject): Deleted. + (functionCreateHeapBigInt): Deleted. + (functionCreateBigInt32): Deleted. + (functionUseBigInt32): Deleted. + (functionIsBigInt32): Deleted. + (functionIsHeapBigInt): Deleted. + (functionCheckModuleSyntax): Deleted. + (functionPlatformSupportsSamplingProfiler): Deleted. + (functionGenerateHeapSnapshot): Deleted. + (functionGenerateHeapSnapshotForGCDebugging): Deleted. 
+ (functionResetSuperSamplerState): Deleted. + (functionEnsureArrayStorage): Deleted. + (functionStartSamplingProfiler): Deleted. + (functionSamplingProfilerStackTraces): Deleted. + (functionMaxArguments): Deleted. + (functionAsyncTestStart): Deleted. + (functionAsyncTestPassed): Deleted. + (functionWebAssemblyMemoryMode): Deleted. + (functionSetUnhandledRejectionCallback): Deleted. + (functionAsDoubleNumber): Deleted. + * runtime/AggregateErrorConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callAggregateErrorConstructor): Deleted. + (JSC::constructAggregateErrorConstructor): Deleted. + * runtime/ArrayConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructWithArrayConstructor): Deleted. + (JSC::callArrayConstructor): Deleted. + (JSC::arrayConstructorPrivateFuncIsArraySlow): Deleted. + * runtime/ArrayConstructor.h: + * runtime/ArrayPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::arrayProtoFuncSpeciesCreate): Deleted. + (JSC::arrayProtoFuncToString): Deleted. + (JSC::arrayProtoFuncToLocaleString): Deleted. + (JSC::arrayProtoFuncJoin): Deleted. + (JSC::arrayProtoFuncValues): Deleted. + (JSC::arrayProtoFuncEntries): Deleted. + (JSC::arrayProtoFuncKeys): Deleted. + (JSC::arrayProtoFuncPop): Deleted. + (JSC::arrayProtoFuncPush): Deleted. + (JSC::arrayProtoFuncReverse): Deleted. + (JSC::arrayProtoFuncShift): Deleted. + (JSC::arrayProtoFuncSlice): Deleted. + (JSC::arrayProtoFuncSplice): Deleted. + (JSC::arrayProtoFuncUnShift): Deleted. + (JSC::arrayProtoFuncIndexOf): Deleted. + (JSC::arrayProtoFuncLastIndexOf): Deleted. + (JSC::arrayProtoPrivateFuncConcatMemcpy): Deleted. + (JSC::arrayProtoPrivateFuncAppendMemcpy): Deleted. + * runtime/ArrayPrototype.h: + * runtime/AsyncFunctionConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callAsyncFunctionConstructor): Deleted. + (JSC::constructAsyncFunctionConstructor): Deleted. 
+ * runtime/AsyncGeneratorFunctionConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callAsyncGeneratorFunctionConstructor): Deleted. + (JSC::constructAsyncGeneratorFunctionConstructor): Deleted. + * runtime/AtomicsObject.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::atomicsFuncAdd): Deleted. + (JSC::atomicsFuncAnd): Deleted. + (JSC::atomicsFuncCompareExchange): Deleted. + (JSC::atomicsFuncExchange): Deleted. + (JSC::atomicsFuncIsLockFree): Deleted. + (JSC::atomicsFuncLoad): Deleted. + (JSC::atomicsFuncOr): Deleted. + (JSC::atomicsFuncStore): Deleted. + (JSC::atomicsFuncSub): Deleted. + (JSC::atomicsFuncWait): Deleted. + (JSC::atomicsFuncWake): Deleted. + (JSC::atomicsFuncXor): Deleted. + * runtime/BigIntConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callBigIntConstructor): Deleted. + (JSC::bigIntConstructorFuncAsUintN): Deleted. + (JSC::bigIntConstructorFuncAsIntN): Deleted. + * runtime/BigIntPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::bigIntProtoFuncToString): Deleted. + (JSC::bigIntProtoFuncToLocaleString): Deleted. + (JSC::bigIntProtoFuncValueOf): Deleted. + * runtime/BooleanConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callBooleanConstructor): Deleted. + (JSC::constructWithBooleanConstructor): Deleted. + * runtime/BooleanPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::booleanProtoFuncToString): Deleted. + (JSC::booleanProtoFuncValueOf): Deleted. + * runtime/ConsoleObject.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::consoleProtoFuncDebug): Deleted. + (JSC::consoleProtoFuncError): Deleted. + (JSC::consoleProtoFuncLog): Deleted. + (JSC::consoleProtoFuncInfo): Deleted. + (JSC::consoleProtoFuncWarn): Deleted. + (JSC::consoleProtoFuncClear): Deleted. + (JSC::consoleProtoFuncDir): Deleted. + (JSC::consoleProtoFuncDirXML): Deleted. + (JSC::consoleProtoFuncTable): Deleted. + (JSC::consoleProtoFuncTrace): Deleted. + (JSC::consoleProtoFuncAssert): Deleted. + (JSC::consoleProtoFuncCount): Deleted. 
+ (JSC::consoleProtoFuncCountReset): Deleted. + (JSC::consoleProtoFuncProfile): Deleted. + (JSC::consoleProtoFuncProfileEnd): Deleted. + (JSC::consoleProtoFuncTakeHeapSnapshot): Deleted. + (JSC::consoleProtoFuncTime): Deleted. + (JSC::consoleProtoFuncTimeLog): Deleted. + (JSC::consoleProtoFuncTimeEnd): Deleted. + (JSC::consoleProtoFuncTimeStamp): Deleted. + (JSC::consoleProtoFuncGroup): Deleted. + (JSC::consoleProtoFuncGroupCollapsed): Deleted. + (JSC::consoleProtoFuncGroupEnd): Deleted. + (JSC::consoleProtoFuncRecord): Deleted. + (JSC::consoleProtoFuncRecordEnd): Deleted. + (JSC::consoleProtoFuncScreenshot): Deleted. + * runtime/DateConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructWithDateConstructor): Deleted. + (JSC::callDate): Deleted. + (JSC::dateParse): Deleted. + (JSC::dateNow): Deleted. + (JSC::dateUTC): Deleted. + * runtime/DatePrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::dateProtoFuncToString): Deleted. + (JSC::dateProtoFuncToUTCString): Deleted. + (JSC::dateProtoFuncToISOString): Deleted. + (JSC::dateProtoFuncToDateString): Deleted. + (JSC::dateProtoFuncToTimeString): Deleted. + (JSC::dateProtoFuncToPrimitiveSymbol): Deleted. + (JSC::dateProtoFuncGetTime): Deleted. + (JSC::dateProtoFuncGetFullYear): Deleted. + (JSC::dateProtoFuncGetUTCFullYear): Deleted. + (JSC::dateProtoFuncGetMonth): Deleted. + (JSC::dateProtoFuncGetUTCMonth): Deleted. + (JSC::dateProtoFuncGetDate): Deleted. + (JSC::dateProtoFuncGetUTCDate): Deleted. + (JSC::dateProtoFuncGetDay): Deleted. + (JSC::dateProtoFuncGetUTCDay): Deleted. + (JSC::dateProtoFuncGetHours): Deleted. + (JSC::dateProtoFuncGetUTCHours): Deleted. + (JSC::dateProtoFuncGetMinutes): Deleted. + (JSC::dateProtoFuncGetUTCMinutes): Deleted. + (JSC::dateProtoFuncGetSeconds): Deleted. + (JSC::dateProtoFuncGetUTCSeconds): Deleted. + (JSC::dateProtoFuncGetMilliSeconds): Deleted. + (JSC::dateProtoFuncGetUTCMilliseconds): Deleted. + (JSC::dateProtoFuncGetTimezoneOffset): Deleted. 
+ (JSC::dateProtoFuncSetTime): Deleted. + (JSC::dateProtoFuncSetMilliSeconds): Deleted. + (JSC::dateProtoFuncSetUTCMilliseconds): Deleted. + (JSC::dateProtoFuncSetSeconds): Deleted. + (JSC::dateProtoFuncSetUTCSeconds): Deleted. + (JSC::dateProtoFuncSetMinutes): Deleted. + (JSC::dateProtoFuncSetUTCMinutes): Deleted. + (JSC::dateProtoFuncSetHours): Deleted. + (JSC::dateProtoFuncSetUTCHours): Deleted. + (JSC::dateProtoFuncSetDate): Deleted. + (JSC::dateProtoFuncSetUTCDate): Deleted. + (JSC::dateProtoFuncSetMonth): Deleted. + (JSC::dateProtoFuncSetUTCMonth): Deleted. + (JSC::dateProtoFuncSetFullYear): Deleted. + (JSC::dateProtoFuncSetUTCFullYear): Deleted. + (JSC::dateProtoFuncSetYear): Deleted. + (JSC::dateProtoFuncGetYear): Deleted. + (JSC::dateProtoFuncToJSON): Deleted. + * runtime/DatePrototype.h: + * runtime/ErrorConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructErrorConstructor): Deleted. + (JSC::callErrorConstructor): Deleted. + * runtime/ErrorPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::errorProtoFuncToString): Deleted. + * runtime/FinalizationRegistryConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callFinalizationRegistry): Deleted. + (JSC::constructFinalizationRegistry): Deleted. + * runtime/FinalizationRegistryPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::protoFuncFinalizationRegistryRegister): Deleted. + (JSC::protoFuncFinalizationRegistryUnregister): Deleted. + * runtime/FunctionConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructWithFunctionConstructor): Deleted. + (JSC::callFunctionConstructor): Deleted. + * runtime/FunctionPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callFunctionPrototype): Deleted. + (JSC::functionProtoFuncToString): Deleted. + * runtime/GeneratorFunctionConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callGeneratorFunctionConstructor): Deleted. + (JSC::constructGeneratorFunctionConstructor): Deleted. 
+ * runtime/InspectorInstrumentationObject.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::inspectorInstrumentationObjectLog): Deleted. + * runtime/IntlCollatorConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructIntlCollator): Deleted. + (JSC::callIntlCollator): Deleted. + (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Deleted. + * runtime/IntlCollatorPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlCollatorFuncCompare): Deleted. + (JSC::IntlCollatorPrototypeGetterCompare): Deleted. + (JSC::IntlCollatorPrototypeFuncResolvedOptions): Deleted. + * runtime/IntlDateTimeFormatConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructIntlDateTimeFormat): Deleted. + (JSC::callIntlDateTimeFormat): Deleted. + (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Deleted. + * runtime/IntlDateTimeFormatPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlDateTimeFormatFuncFormatDateTime): Deleted. + (JSC::IntlDateTimeFormatPrototypeGetterFormat): Deleted. + (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): Deleted. + (JSC::IntlDateTimeFormatPrototypeFuncFormatRange): Deleted. + (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions): Deleted. + * runtime/IntlDisplayNamesConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructIntlDisplayNames): Deleted. + (JSC::callIntlDisplayNames): Deleted. + (JSC::IntlDisplayNamesConstructorSupportedLocalesOf): Deleted. + * runtime/IntlDisplayNamesPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlDisplayNamesPrototypeFuncOf): Deleted. + (JSC::IntlDisplayNamesPrototypeFuncResolvedOptions): Deleted. + * runtime/IntlLocaleConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructIntlLocale): Deleted. + (JSC::callIntlLocale): Deleted. + * runtime/IntlLocalePrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlLocalePrototypeFuncMaximize): Deleted. + (JSC::IntlLocalePrototypeFuncMinimize): Deleted. 
+ (JSC::IntlLocalePrototypeFuncToString): Deleted. + (JSC::IntlLocalePrototypeGetterBaseName): Deleted. + (JSC::IntlLocalePrototypeGetterCalendar): Deleted. + (JSC::IntlLocalePrototypeGetterCaseFirst): Deleted. + (JSC::IntlLocalePrototypeGetterCollation): Deleted. + (JSC::IntlLocalePrototypeGetterHourCycle): Deleted. + (JSC::IntlLocalePrototypeGetterNumeric): Deleted. + (JSC::IntlLocalePrototypeGetterNumberingSystem): Deleted. + (JSC::IntlLocalePrototypeGetterLanguage): Deleted. + (JSC::IntlLocalePrototypeGetterScript): Deleted. + (JSC::IntlLocalePrototypeGetterRegion): Deleted. + * runtime/IntlNumberFormatConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructIntlNumberFormat): Deleted. + (JSC::callIntlNumberFormat): Deleted. + (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Deleted. + * runtime/IntlNumberFormatPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlNumberFormatFuncFormat): Deleted. + (JSC::IntlNumberFormatPrototypeGetterFormat): Deleted. + (JSC::IntlNumberFormatPrototypeFuncFormatToParts): Deleted. + (JSC::IntlNumberFormatPrototypeFuncResolvedOptions): Deleted. + * runtime/IntlObject.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::intlObjectFuncGetCanonicalLocales): Deleted. + * runtime/IntlPluralRulesConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructIntlPluralRules): Deleted. + (JSC::callIntlPluralRules): Deleted. + (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf): Deleted. + * runtime/IntlPluralRulesPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlPluralRulesPrototypeFuncSelect): Deleted. + (JSC::IntlPluralRulesPrototypeFuncResolvedOptions): Deleted. + * runtime/IntlRelativeTimeFormatConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructIntlRelativeTimeFormat): Deleted. + (JSC::callIntlRelativeTimeFormat): Deleted. + (JSC::IntlRelativeTimeFormatConstructorFuncSupportedLocalesOf): Deleted. 
+ * runtime/IntlRelativeTimeFormatPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlRelativeTimeFormatPrototypeFuncFormat): Deleted. + (JSC::IntlRelativeTimeFormatPrototypeFuncFormatToParts): Deleted. + (JSC::IntlRelativeTimeFormatPrototypeFuncResolvedOptions): Deleted. + * runtime/IntlSegmentIteratorPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlSegmentIteratorPrototypeFuncNext): Deleted. + * runtime/IntlSegmenterConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::constructIntlSegmenter): Deleted. + (JSC::callIntlSegmenter): Deleted. + (JSC::IntlSegmenterConstructorSupportedLocalesOf): Deleted. + * runtime/IntlSegmenterPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlSegmenterPrototypeFuncSegment): Deleted. + (JSC::IntlSegmenterPrototypeFuncResolvedOptions): Deleted. + * runtime/IntlSegmentsPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::IntlSegmentsPrototypeFuncContaining): Deleted. + (JSC::IntlSegmentsPrototypeFuncIterator): Deleted. + * runtime/JSArrayBufferConstructor.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::callArrayBuffer): Deleted. + (JSC::constructArrayBuffer): Deleted. + (JSC::constructSharedArrayBuffer): Deleted. + (JSC::arrayBufferFuncIsView): Deleted. + * runtime/JSArrayBufferPrototype.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::arrayBufferProtoFuncSlice): Deleted. + (JSC::arrayBufferProtoGetterFuncByteLength): Deleted. + (JSC::sharedArrayBufferProtoGetterFuncByteLength): Deleted. + * runtime/JSBoundFunction.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::boundThisNoArgsFunctionCall): Deleted. + (JSC::boundFunctionCall): Deleted. + (JSC::boundThisNoArgsFunctionConstruct): Deleted. + (JSC::boundFunctionConstruct): Deleted. + (JSC::isBoundFunction): Deleted. + (JSC::hasInstanceBoundFunction): Deleted. + * runtime/JSBoundFunction.h: + * runtime/JSCustomGetterSetterFunction.cpp: + (JSC::JSC_DEFINE_HOST_FUNCTION): + (JSC::customGetterSetterFunctionCall): Deleted. 
+ * runtime/JSDataViewPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::dataViewProtoGetterBuffer): Deleted.
+ (JSC::dataViewProtoGetterByteLength): Deleted.
+ (JSC::dataViewProtoGetterByteOffset): Deleted.
+ (JSC::dataViewProtoFuncGetInt8): Deleted.
+ (JSC::dataViewProtoFuncGetInt16): Deleted.
+ (JSC::dataViewProtoFuncGetInt32): Deleted.
+ (JSC::dataViewProtoFuncGetUint8): Deleted.
+ (JSC::dataViewProtoFuncGetUint16): Deleted.
+ (JSC::dataViewProtoFuncGetUint32): Deleted.
+ (JSC::dataViewProtoFuncGetFloat32): Deleted.
+ (JSC::dataViewProtoFuncGetFloat64): Deleted.
+ (JSC::dataViewProtoFuncSetInt8): Deleted.
+ (JSC::dataViewProtoFuncSetInt16): Deleted.
+ (JSC::dataViewProtoFuncSetInt32): Deleted.
+ (JSC::dataViewProtoFuncSetUint8): Deleted.
+ (JSC::dataViewProtoFuncSetUint16): Deleted.
+ (JSC::dataViewProtoFuncSetUint32): Deleted.
+ (JSC::dataViewProtoFuncSetFloat32): Deleted.
+ (JSC::dataViewProtoFuncSetFloat64): Deleted.
+ * runtime/JSFunction.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::argumentsGetter):
+ (JSC::callerGetter):
+ (JSC::callHostFunctionAsConstructor): Deleted.
+ (JSC::JSFunction::argumentsGetter): Deleted.
+ (JSC::JSFunction::callerGetter): Deleted.
+ * runtime/JSFunction.h:
+ * runtime/JSGenericTypedArrayViewConstructor.h:
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::JSGenericTypedArrayViewConstructor::JSGenericTypedArrayViewConstructor):
+ (JSC::constructGenericTypedArrayViewImpl):
+ (JSC::callGenericTypedArrayViewImpl):
+ (JSC::constructGenericTypedArrayView): Deleted.
+ (JSC::callGenericTypedArrayView): Deleted.
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::genericTypedArrayViewProtoFuncSet): Deleted.
+ (JSC::genericTypedArrayViewProtoFuncCopyWithin): Deleted.
+ (JSC::genericTypedArrayViewProtoFuncIncludes): Deleted.
+ (JSC::genericTypedArrayViewProtoFuncIndexOf): Deleted.
+ (JSC::genericTypedArrayViewProtoFuncJoin): Deleted.
+ (JSC::genericTypedArrayViewProtoFuncLastIndexOf): Deleted.
+ (JSC::genericTypedArrayViewProtoGetterFuncBuffer): Deleted.
+ (JSC::genericTypedArrayViewProtoGetterFuncLength): Deleted.
+ (JSC::genericTypedArrayViewProtoGetterFuncByteLength): Deleted.
+ (JSC::genericTypedArrayViewProtoGetterFuncByteOffset): Deleted.
+ (JSC::genericTypedArrayViewProtoFuncReverse): Deleted.
+ (JSC::genericTypedArrayViewPrivateFuncSort): Deleted.
+ (JSC::genericTypedArrayViewProtoFuncSlice): Deleted.
+ (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): Deleted.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::makeBoundFunction): Deleted.
+ (JSC::hasOwnLengthProperty): Deleted.
+ (JSC::createPrivateSymbol): Deleted.
+ (JSC::assertCall): Deleted.
+ (JSC::enableSamplingProfiler): Deleted.
+ (JSC::disableSamplingProfiler): Deleted.
+ (JSC::enableSuperSampler): Deleted.
+ (JSC::disableSuperSampler): Deleted.
+ (JSC::enqueueJob): Deleted.
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::globalFuncEval): Deleted.
+ (JSC::globalFuncParseInt): Deleted.
+ (JSC::globalFuncParseFloat): Deleted.
+ (JSC::globalFuncDecodeURI): Deleted.
+ (JSC::globalFuncDecodeURIComponent): Deleted.
+ (JSC::globalFuncEncodeURI): Deleted.
+ (JSC::globalFuncEncodeURIComponent): Deleted.
+ (JSC::globalFuncEscape): Deleted.
+ (JSC::globalFuncUnescape): Deleted.
+ (JSC::globalFuncThrowTypeError): Deleted.
+ (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller): Deleted.
+ (JSC::globalFuncMakeTypeError): Deleted.
+ (JSC::globalFuncProtoGetter): Deleted.
+ (JSC::globalFuncProtoSetter): Deleted.
+ (JSC::globalFuncSetPrototypeDirect): Deleted.
+ (JSC::globalFuncHostPromiseRejectionTracker): Deleted.
+ (JSC::globalFuncBuiltinLog): Deleted.
+ (JSC::globalFuncBuiltinDescribe): Deleted.
+ (JSC::globalFuncImportModule): Deleted.
+ (JSC::globalFuncPropertyIsEnumerable): Deleted.
+ (JSC::globalFuncOwnKeys): Deleted.
+ (JSC::globalFuncDateTimeFormat): Deleted.
+ * runtime/JSGlobalObjectFunctions.h:
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::moduleLoaderParseModule): Deleted.
+ (JSC::moduleLoaderRequestedModules): Deleted.
+ (JSC::moduleLoaderModuleDeclarationInstantiation): Deleted.
+ (JSC::moduleLoaderResolve): Deleted.
+ (JSC::moduleLoaderResolveSync): Deleted.
+ (JSC::moduleLoaderFetch): Deleted.
+ (JSC::moduleLoaderGetModuleNamespaceObject): Deleted.
+ (JSC::moduleLoaderEvaluate): Deleted.
+ * runtime/JSNativeStdFunction.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::runStdFunction): Deleted.
+ * runtime/JSONObject.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::JSONProtoFuncParse): Deleted.
+ (JSC::JSONProtoFuncStringify): Deleted.
+ * runtime/JSObject.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::objectPrivateFuncInstanceOf): Deleted.
+ * runtime/JSObject.h:
+ * runtime/JSTypedArrayViewConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructTypedArrayView): Deleted.
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::typedArrayViewPrivateFuncIsTypedArrayView): Deleted.
+ (JSC::typedArrayViewPrivateFuncIsNeutered): Deleted.
+ (JSC::typedArrayViewPrivateFuncLength): Deleted.
+ (JSC::typedArrayViewPrivateFuncGetOriginalConstructor): Deleted.
+ (JSC::typedArrayViewProtoFuncValues): Deleted.
+ (JSC::typedArrayProtoViewFuncEntries): Deleted.
+ (JSC::typedArrayViewProtoFuncKeys): Deleted.
+ (JSC::typedArrayViewPrivateFuncSort): Deleted.
+ (JSC::typedArrayViewProtoFuncSet): Deleted.
+ (JSC::typedArrayViewProtoFuncCopyWithin): Deleted.
+ (JSC::typedArrayViewProtoFuncIncludes): Deleted.
+ (JSC::typedArrayViewProtoFuncLastIndexOf): Deleted.
+ (JSC::typedArrayViewProtoFuncIndexOf): Deleted.
+ (JSC::typedArrayViewProtoFuncJoin): Deleted.
+ (JSC::typedArrayViewProtoGetterFuncBuffer): Deleted.
+ (JSC::typedArrayViewProtoGetterFuncLength): Deleted.
+ (JSC::typedArrayViewProtoGetterFuncByteLength): Deleted.
+ (JSC::typedArrayViewProtoGetterFuncByteOffset): Deleted.
+ (JSC::typedArrayViewProtoFuncReverse): Deleted.
+ (JSC::typedArrayViewPrivateFuncSubarrayCreate): Deleted.
+ (JSC::typedArrayViewProtoFuncSlice): Deleted.
+ (JSC::typedArrayViewProtoGetterFuncToStringTag): Deleted.
+ * runtime/JSTypedArrayViewPrototype.h:
+ * runtime/JSTypedArrays.cpp:
+ (JSC::createUint8TypedArray): Deleted.
+ * runtime/MapConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callMap): Deleted.
+ (JSC::constructMap): Deleted.
+ (JSC::mapPrivateFuncMapBucketHead): Deleted.
+ (JSC::mapPrivateFuncMapBucketNext): Deleted.
+ (JSC::mapPrivateFuncMapBucketKey): Deleted.
+ (JSC::mapPrivateFuncMapBucketValue): Deleted.
+ * runtime/MapConstructor.h:
+ * runtime/MapPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::mapProtoFuncClear): Deleted.
+ (JSC::mapProtoFuncDelete): Deleted.
+ (JSC::mapProtoFuncGet): Deleted.
+ (JSC::mapProtoFuncHas): Deleted.
+ (JSC::mapProtoFuncSet): Deleted.
+ (JSC::mapProtoFuncValues): Deleted.
+ (JSC::mapProtoFuncKeys): Deleted.
+ (JSC::mapProtoFuncEntries): Deleted.
+ (JSC::mapProtoFuncSize): Deleted.
+ * runtime/MathObject.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::mathProtoFuncAbs): Deleted.
+ (JSC::mathProtoFuncACos): Deleted.
+ (JSC::mathProtoFuncASin): Deleted.
+ (JSC::mathProtoFuncATan): Deleted.
+ (JSC::mathProtoFuncATan2): Deleted.
+ (JSC::mathProtoFuncCeil): Deleted.
+ (JSC::mathProtoFuncClz32): Deleted.
+ (JSC::mathProtoFuncCos): Deleted.
+ (JSC::mathProtoFuncExp): Deleted.
+ (JSC::mathProtoFuncFloor): Deleted.
+ (JSC::mathProtoFuncHypot): Deleted.
+ (JSC::mathProtoFuncLog): Deleted.
+ (JSC::mathProtoFuncMax): Deleted.
+ (JSC::mathProtoFuncMin): Deleted.
+ (JSC::mathProtoFuncPow): Deleted.
+ (JSC::mathProtoFuncRandom): Deleted.
+ (JSC::mathProtoFuncRound): Deleted.
+ (JSC::mathProtoFuncSign): Deleted.
+ (JSC::mathProtoFuncSin): Deleted.
+ (JSC::mathProtoFuncSqrt): Deleted.
+ (JSC::mathProtoFuncTan): Deleted.
+ (JSC::mathProtoFuncIMul): Deleted.
+ (JSC::mathProtoFuncACosh): Deleted.
+ (JSC::mathProtoFuncASinh): Deleted.
+ (JSC::mathProtoFuncATanh): Deleted.
+ (JSC::mathProtoFuncCbrt): Deleted.
+ (JSC::mathProtoFuncCosh): Deleted.
+ (JSC::mathProtoFuncExpm1): Deleted.
+ (JSC::mathProtoFuncFround): Deleted.
+ (JSC::mathProtoFuncLog1p): Deleted.
+ (JSC::mathProtoFuncLog10): Deleted.
+ (JSC::mathProtoFuncLog2): Deleted.
+ (JSC::mathProtoFuncSinh): Deleted.
+ (JSC::mathProtoFuncTanh): Deleted.
+ (JSC::mathProtoFuncTrunc): Deleted.
+ * runtime/MathObject.h:
+ * runtime/NativeErrorConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callEvalError): Deleted.
+ (JSC::constructEvalError): Deleted.
+ (JSC::callRangeError): Deleted.
+ (JSC::constructRangeError): Deleted.
+ (JSC::callReferenceError): Deleted.
+ (JSC::constructReferenceError): Deleted.
+ (JSC::callSyntaxError): Deleted.
+ (JSC::constructSyntaxError): Deleted.
+ (JSC::callTypeError): Deleted.
+ (JSC::constructTypeError): Deleted.
+ (JSC::callURIError): Deleted.
+ (JSC::constructURIError): Deleted.
+ * runtime/NativeFunction.h:
+ * runtime/NullGetterFunction.cpp:
+ (JSC::NullGetterFunctionInternal::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::NullGetterFunctionInternal::callReturnUndefined): Deleted.
+ * runtime/NullSetterFunction.cpp:
+ (JSC::NullSetterFunctionInternal::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::NullSetterFunctionInternal::callReturnUndefined): Deleted.
+ (JSC::NullSetterFunctionInternal::callThrowError): Deleted.
+ * runtime/NumberConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructNumberConstructor): Deleted.
+ (JSC::callNumberConstructor): Deleted.
+ (JSC::numberConstructorFuncIsInteger): Deleted.
+ (JSC::numberConstructorFuncIsSafeInteger): Deleted.
+ * runtime/NumberPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::numberProtoFuncToExponential): Deleted.
+ (JSC::numberProtoFuncToFixed): Deleted.
+ (JSC::numberProtoFuncToPrecision): Deleted.
+ (JSC::numberProtoFuncToString): Deleted.
+ (JSC::numberProtoFuncToLocaleString): Deleted.
+ (JSC::numberProtoFuncValueOf): Deleted.
+ * runtime/NumberPrototype.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructWithObjectConstructor): Deleted.
+ (JSC::callObjectConstructor): Deleted.
+ (JSC::objectConstructorGetPrototypeOf): Deleted.
+ (JSC::objectConstructorSetPrototypeOf): Deleted.
+ (JSC::objectConstructorGetOwnPropertyNames): Deleted.
+ (JSC::objectConstructorGetOwnPropertySymbols): Deleted.
+ (JSC::objectConstructorKeys): Deleted.
+ (JSC::objectConstructorAssign): Deleted.
+ (JSC::objectConstructorValues): Deleted.
+ (JSC::objectConstructorDefineProperty): Deleted.
+ (JSC::objectConstructorDefineProperties): Deleted.
+ (JSC::objectConstructorCreate): Deleted.
+ (JSC::objectConstructorPreventExtensions): Deleted.
+ (JSC::objectConstructorIsSealed): Deleted.
+ (JSC::objectConstructorIsFrozen): Deleted.
+ (JSC::objectConstructorIsExtensible): Deleted.
+ (JSC::objectConstructorIs): Deleted.
+ * runtime/ObjectConstructor.h:
+ * runtime/ObjectPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::objectProtoFuncValueOf): Deleted.
+ (JSC::objectProtoFuncHasOwnProperty): Deleted.
+ (JSC::objectProtoFuncIsPrototypeOf): Deleted.
+ (JSC::objectProtoFuncDefineGetter): Deleted.
+ (JSC::objectProtoFuncDefineSetter): Deleted.
+ (JSC::objectProtoFuncLookupGetter): Deleted.
+ (JSC::objectProtoFuncLookupSetter): Deleted.
+ (JSC::objectProtoFuncPropertyIsEnumerable): Deleted.
+ (JSC::objectProtoFuncToLocaleString): Deleted.
+ (JSC::objectProtoFuncToString): Deleted.
+ * runtime/ObjectPrototype.h:
+ * runtime/ProxyConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::makeRevocableProxy): Deleted.
+ (JSC::constructProxyObject): Deleted.
+ (JSC::callProxy): Deleted.
+ * runtime/ProxyObject.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::performProxyCall): Deleted.
+ (JSC::performProxyConstruct): Deleted.
+ * runtime/ProxyRevoke.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::performProxyRevoke): Deleted.
+ * runtime/ReflectObject.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::reflectObjectConstruct): Deleted.
+ (JSC::reflectObjectDefineProperty): Deleted.
+ (JSC::reflectObjectGet): Deleted.
+ (JSC::reflectObjectGetOwnPropertyDescriptor): Deleted.
+ (JSC::reflectObjectGetPrototypeOf): Deleted.
+ (JSC::reflectObjectIsExtensible): Deleted.
+ (JSC::reflectObjectOwnKeys): Deleted.
+ (JSC::reflectObjectPreventExtensions): Deleted.
+ (JSC::reflectObjectSet): Deleted.
+ (JSC::reflectObjectSetPrototypeOf): Deleted.
+ * runtime/RegExpConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::esSpecRegExpCreate): Deleted.
+ (JSC::esSpecIsRegExp): Deleted.
+ (JSC::constructWithRegExpConstructor): Deleted.
+ (JSC::callRegExpConstructor): Deleted.
+ * runtime/RegExpConstructor.h:
+ * runtime/RegExpPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::regExpProtoFuncTestFast): Deleted.
+ (JSC::regExpProtoFuncExec): Deleted.
+ (JSC::regExpProtoFuncMatchFast): Deleted.
+ (JSC::regExpProtoFuncCompile): Deleted.
+ (JSC::regExpProtoFuncToString): Deleted.
+ (JSC::regExpProtoGetterGlobal): Deleted.
+ (JSC::regExpProtoGetterIgnoreCase): Deleted.
+ (JSC::regExpProtoGetterMultiline): Deleted.
+ (JSC::regExpProtoGetterDotAll): Deleted.
+ (JSC::regExpProtoGetterSticky): Deleted.
+ (JSC::regExpProtoGetterUnicode): Deleted.
+ (JSC::regExpProtoGetterFlags): Deleted.
+ (JSC::regExpProtoGetterSource): Deleted.
+ (JSC::regExpProtoFuncSearchFast): Deleted.
+ (JSC::regExpProtoFuncSplitFast): Deleted.
+ * runtime/RegExpPrototype.h:
+ * runtime/SetConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callSet): Deleted.
+ (JSC::constructSet): Deleted.
+ (JSC::setPrivateFuncSetBucketHead): Deleted.
+ (JSC::setPrivateFuncSetBucketNext): Deleted.
+ (JSC::setPrivateFuncSetBucketKey): Deleted.
+ * runtime/SetConstructor.h:
+ * runtime/SetPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::setProtoFuncAdd): Deleted.
+ (JSC::setProtoFuncClear): Deleted.
+ (JSC::setProtoFuncDelete): Deleted.
+ (JSC::setProtoFuncHas): Deleted.
+ (JSC::setProtoFuncSize): Deleted.
+ (JSC::setProtoFuncValues): Deleted.
+ (JSC::setProtoFuncEntries): Deleted.
+ * runtime/StringConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::stringFromCharCode):
+ (JSC::stringFromCodePoint): Deleted.
+ (JSC::constructWithStringConstructor): Deleted.
+ (JSC::callStringConstructor): Deleted.
+ * runtime/StringConstructor.h:
+ * runtime/StringPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::stringProtoFuncRepeatCharacter): Deleted.
+ (JSC::stringProtoFuncReplaceUsingRegExp): Deleted.
+ (JSC::stringProtoFuncReplaceUsingStringSearch): Deleted.
+ (JSC::stringProtoFuncReplaceAllUsingStringSearch): Deleted.
+ (JSC::stringProtoFuncToString): Deleted.
+ (JSC::stringProtoFuncCharAt): Deleted.
+ (JSC::stringProtoFuncCharCodeAt): Deleted.
+ (JSC::stringProtoFuncCodePointAt): Deleted.
+ (JSC::stringProtoFuncIndexOf): Deleted.
+ (JSC::builtinStringIndexOfInternal): Deleted.
+ (JSC::stringProtoFuncLastIndexOf): Deleted.
+ (JSC::stringProtoFuncSlice): Deleted.
+ (JSC::stringProtoFuncSplitFast): Deleted.
+ (JSC::stringProtoFuncSubstr): Deleted.
+ (JSC::stringProtoFuncSubstring): Deleted.
+ (JSC::builtinStringSubstringInternal): Deleted.
+ (JSC::stringProtoFuncToLowerCase): Deleted.
+ (JSC::stringProtoFuncToUpperCase): Deleted.
+ (JSC::stringProtoFuncLocaleCompare): Deleted.
+ (JSC::stringProtoFuncToLocaleLowerCase): Deleted.
+ (JSC::stringProtoFuncToLocaleUpperCase): Deleted.
+ (JSC::stringProtoFuncTrim): Deleted.
+ (JSC::stringProtoFuncTrimStart): Deleted.
+ (JSC::stringProtoFuncTrimEnd): Deleted.
+ (JSC::stringProtoFuncStartsWith): Deleted.
+ (JSC::stringProtoFuncEndsWith): Deleted.
+ (JSC::stringProtoFuncIncludes): Deleted.
+ (JSC::builtinStringIncludesInternal): Deleted.
+ (JSC::stringProtoFuncIterator): Deleted.
+ (JSC::stringProtoFuncNormalize): Deleted.
+ * runtime/StringPrototype.h:
+ * runtime/Structure.h:
+ * runtime/SymbolConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callSymbol): Deleted.
+ (JSC::constructSymbol): Deleted.
+ (JSC::symbolConstructorFor): Deleted.
+ (JSC::symbolConstructorKeyFor): Deleted.
+ * runtime/SymbolPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::symbolProtoGetterDescription): Deleted.
+ (JSC::symbolProtoFuncToString): Deleted.
+ (JSC::symbolProtoFuncValueOf): Deleted.
+ * runtime/WeakMapConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callWeakMap): Deleted.
+ (JSC::constructWeakMap): Deleted.
+ * runtime/WeakMapPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::protoFuncWeakMapDelete): Deleted.
+ (JSC::protoFuncWeakMapGet): Deleted.
+ (JSC::protoFuncWeakMapHas): Deleted.
+ (JSC::protoFuncWeakMapSet): Deleted.
+ * runtime/WeakObjectRefConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callWeakRef): Deleted.
+ (JSC::constructWeakRef): Deleted.
+ * runtime/WeakObjectRefPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::protoFuncWeakRefDeref): Deleted.
+ * runtime/WeakSetConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callWeakSet): Deleted.
+ (JSC::constructWeakSet): Deleted.
+ * runtime/WeakSetPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::protoFuncWeakSetDelete): Deleted.
+ (JSC::protoFuncWeakSetHas): Deleted.
+ (JSC::protoFuncWeakSetAdd): Deleted.
+ * tools/JSDollarVM.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::JSDollarVM::finishCreation):
+ (JSC::functionCrash): Deleted.
+ (JSC::functionBreakpoint): Deleted.
+ (JSC::functionDFGTrue): Deleted.
+ (JSC::functionFTLTrue): Deleted.
+ (JSC::functionCpuMfence): Deleted.
+ (JSC::functionCpuRdtsc): Deleted.
+ (JSC::functionCpuCpuid): Deleted.
+ (JSC::functionCpuPause): Deleted.
+ (JSC::functionCpuClflush): Deleted.
+ (JSC::functionLLintTrue): Deleted.
+ (JSC::functionBaselineJITTrue): Deleted.
+ (JSC::functionNoInline): Deleted.
+ (JSC::functionGC): Deleted.
+ (JSC::functionEdenGC): Deleted.
+ (JSC::functionGCSweepAsynchronously): Deleted.
+ (JSC::functionDumpSubspaceHashes): Deleted.
+ (JSC::functionCallFrame): Deleted.
+ (JSC::functionCodeBlockForFrame): Deleted.
+ (JSC::functionCodeBlockFor): Deleted.
+ (JSC::functionDumpSourceFor): Deleted.
+ (JSC::functionDumpBytecodeFor): Deleted.
+ (JSC::functionDataLog): Deleted.
+ (JSC::functionPrint): Deleted.
+ (JSC::functionDumpCallFrame): Deleted.
+ (JSC::functionDumpStack): Deleted.
+ (JSC::functionDumpRegisters): Deleted.
+ (JSC::functionDumpCell): Deleted.
+ (JSC::functionIndexingMode): Deleted.
+ (JSC::functionInlineCapacity): Deleted.
+ (JSC::functionValue): Deleted.
+ (JSC::functionGetPID): Deleted.
+ (JSC::functionHaveABadTime): Deleted.
+ (JSC::functionIsHavingABadTime): Deleted.
+ (JSC::functionCallWithStackSize): Deleted.
+ (JSC::functionCreateGlobalObject): Deleted.
+ (JSC::functionCreateProxy): Deleted.
+ (JSC::functionCreateRuntimeArray): Deleted.
+ (JSC::functionCreateNullRopeString): Deleted.
+ (JSC::functionCreateImpureGetter): Deleted.
+ (JSC::functionCreateCustomGetterObject): Deleted.
+ (JSC::functionCreateDOMJITNodeObject): Deleted.
+ (JSC::functionCreateDOMJITGetterObject): Deleted.
+ (JSC::functionCreateDOMJITGetterNoEffectsObject): Deleted.
+ (JSC::functionCreateDOMJITGetterComplexObject): Deleted.
+ (JSC::functionCreateDOMJITFunctionObject): Deleted.
+ (JSC::functionCreateDOMJITCheckJSCastObject): Deleted.
+ (JSC::functionCreateDOMJITGetterBaseJSObject): Deleted.
+ (JSC::functionCreateWasmStreamingParser): Deleted.
+ (JSC::functionCreateStaticCustomAccessor): Deleted.
+ (JSC::functionCreateStaticCustomValue): Deleted.
+ (JSC::functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus): Deleted.
+ (JSC::functionCreateEmptyFunctionWithName): Deleted.
+ (JSC::functionSetImpureGetterDelegate): Deleted.
+ (JSC::functionCreateBuiltin): Deleted.
+ (JSC::functionGetPrivateProperty): Deleted.
+ (JSC::functionCreateRoot): Deleted.
+ (JSC::functionCreateElement): Deleted.
+ (JSC::functionGetElement): Deleted.
+ (JSC::functionCreateSimpleObject): Deleted.
+ (JSC::functionGetHiddenValue): Deleted.
+ (JSC::functionSetHiddenValue): Deleted.
+ (JSC::functionShadowChickenFunctionsOnStack): Deleted.
+ (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
+ (JSC::functionFindTypeForExpression): Deleted.
+ (JSC::functionReturnTypeFor): Deleted.
+ (JSC::functionFlattenDictionaryObject): Deleted.
+ (JSC::functionDumpBasicBlockExecutionRanges): Deleted.
+ (JSC::functionHasBasicBlockExecuted): Deleted.
+ (JSC::functionBasicBlockExecutionCount): Deleted.
+ (JSC::functionEnableDebuggerModeWhenIdle): Deleted.
+ (JSC::functionDisableDebuggerModeWhenIdle): Deleted.
+ (JSC::functionDeleteAllCodeWhenIdle): Deleted.
+ (JSC::functionGlobalObjectCount): Deleted.
+ (JSC::functionGlobalObjectForObject): Deleted.
+ (JSC::functionGetGetterSetter): Deleted.
+ (JSC::functionLoadGetterFromGetterSetter): Deleted.
+ (JSC::functionCreateCustomTestGetterSetter): Deleted.
+ (JSC::functionDeltaBetweenButterflies): Deleted.
+ (JSC::functionCurrentCPUTime): Deleted.
+ (JSC::functionTotalGCTime): Deleted.
+ (JSC::functionParseCount): Deleted.
+ (JSC::functionIsWasmSupported): Deleted.
+ (JSC::functionMake16BitStringIfPossible): Deleted.
+ (JSC::JSDollarVMHelper::functionGetStructureTransitionList): Deleted.
+ (JSC::functionGetConcurrently): Deleted.
+ (JSC::functionHasOwnLengthProperty): Deleted.
+ (JSC::functionRejectPromiseAsHandled): Deleted.
+ (JSC::functionSetUserPreferredLanguages): Deleted.
+ (JSC::functionICUVersion): Deleted.
+ (JSC::functionICUHeaderVersion): Deleted.
+ (JSC::functionAssertEnabled): Deleted.
+ (JSC::functionIsMemoryLimited): Deleted.
+ (JSC::functionUseJIT): Deleted.
+ (JSC::functionIsGigacageEnabled): Deleted.
+ (JSC::functionToUncacheableDictionary): Deleted.
+ * wasm/js/JSWebAssembly.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::webAssemblyCompileFunc): Deleted.
+ (JSC::webAssemblyInstantiateFunc): Deleted.
+ (JSC::webAssemblyValidateFunc): Deleted.
+ (JSC::webAssemblyCompileStreamingInternal): Deleted.
+ (JSC::webAssemblyInstantiateStreamingInternal): Deleted.
+ * wasm/js/JSWebAssembly.h:
+ * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructJSWebAssemblyCompileError): Deleted.
+ (JSC::callJSWebAssemblyCompileError): Deleted.
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callWebAssemblyFunction): Deleted.
+ * wasm/js/WebAssemblyGlobalConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructJSWebAssemblyGlobal): Deleted.
+ (JSC::callJSWebAssemblyGlobal): Deleted.
+ * wasm/js/WebAssemblyGlobalPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::webAssemblyGlobalProtoFuncValueOf): Deleted.
+ (JSC::webAssemblyGlobalProtoGetterFuncValue): Deleted.
+ (JSC::webAssemblyGlobalProtoSetterFuncValue): Deleted.
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructJSWebAssemblyInstance): Deleted.
+ (JSC::callJSWebAssemblyInstance): Deleted.
+ * wasm/js/WebAssemblyInstancePrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::webAssemblyInstanceProtoFuncExports): Deleted.
+ * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructJSWebAssemblyLinkError): Deleted.
+ (JSC::callJSWebAssemblyLinkError): Deleted.
+ * wasm/js/WebAssemblyMemoryConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructJSWebAssemblyMemory): Deleted.
+ (JSC::callJSWebAssemblyMemory): Deleted.
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::webAssemblyMemoryProtoFuncGrow): Deleted.
+ (JSC::webAssemblyMemoryProtoFuncBuffer): Deleted.
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::webAssemblyModuleCustomSections): Deleted.
+ (JSC::webAssemblyModuleImports): Deleted.
+ (JSC::webAssemblyModuleExports): Deleted.
+ (JSC::constructJSWebAssemblyModule): Deleted.
+ (JSC::callJSWebAssemblyModule): Deleted.
+ * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructJSWebAssemblyRuntimeError): Deleted.
+ (JSC::callJSWebAssemblyRuntimeError): Deleted.
+ * wasm/js/WebAssemblyTableConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::constructJSWebAssemblyTable): Deleted.
+ (JSC::callJSWebAssemblyTable): Deleted.
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::webAssemblyTableProtoFuncLength): Deleted.
+ (JSC::webAssemblyTableProtoFuncGrow): Deleted.
+ (JSC::webAssemblyTableProtoFuncGet): Deleted.
+ (JSC::webAssemblyTableProtoFuncSet): Deleted.
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+ (JSC::callWebAssemblyWrapperFunction): Deleted.
+
+2020-09-25 Chris Dumez
+
+ Get rid of AudioNode::RefType
+ https://bugs.webkit.org/show_bug.cgi?id=216945
+
+ Reviewed by Darin Adler.
+
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedRefPtr::decode const):
+
+2020-09-25 Alexey Shvayka
+
+ DataView instances should not have own "byteLength" and "byteOffset" properties
+ https://bugs.webkit.org/show_bug.cgi?id=149906
+
+ Reviewed by Ross Kirsling.
+
+ Following JSDataView::getOwnPropertySlot() deletion in r266529, this patch
+ removes related method overrides that incorrectly reported "byteLength" and
+ "byteOffset" as own properties of DataView instances [1].
+
+ This change brings DataView objects in compliance with invariants of internal
+ methods [2] and aligns JSC with V8 and SpiderMonkey.
+ DataView microbenchmarks are neutral.
+
+ [1]: https://tc39.es/ecma262/#sec-properties-of-dataview-instances
+ [2]: https://tc39.es/ecma262/#sec-invariants-of-the-essential-internal-methods
+
+ * runtime/JSDataView.cpp:
+ (JSC::JSDataView::put): Deleted.
+ (JSC::JSDataView::defineOwnProperty): Deleted.
+ (JSC::JSDataView::deleteProperty): Deleted.
+ (JSC::JSDataView::getOwnNonIndexPropertyNames): Deleted.
+ * runtime/JSDataView.h:
+
+2020-09-25 Adrian Perez de Castro
+
+ Non-unified build fixes, late September 2020 edition
+ https://bugs.webkit.org/show_bug.cgi?id=216950
+
+ Unreviewed build fix.
+
+ * inspector/agents/InspectorConsoleAgent.cpp: Add missing ScriptArguments.h include.
+
+2020-09-24 Ross Kirsling
+
+ %TypedArray%.prototype.toLocaleString must make conscious use of @toString
+ https://bugs.webkit.org/show_bug.cgi?id=216956
+
+ Reviewed by Yusuke Suzuki.
+
+ A fascinating bug: if we override Number.prototype.toLocaleString to return { valueOf() { ... } },
+ then we can observe our %TypedArray%.prototype.toLocaleString resolving its element values in the wrong order.
+
+ * builtins/TypedArrayPrototype.js:
+ (toLocaleString):
+ Wrap the toLocaleString call for each element in @toString(), as the spec indicates.
+
+2020-09-24 Ross Kirsling
+
+ %TypedArray%.prototype.sort must throw if comparator is defined and uncallable
+ https://bugs.webkit.org/show_bug.cgi?id=216952
+
+ Reviewed by Yusuke Suzuki.
+
+ * builtins/TypedArrayPrototype.js:
+ (sort):
+
+2020-09-24 Ross Kirsling
+
+ %TypedArray% methods should perform TypedArraySpeciesCreate correctly
+ https://bugs.webkit.org/show_bug.cgi?id=216938
+
+ Reviewed by Yusuke Suzuki.
+
+ map, filter, and slice are obliged to throw when:
+ 1. this.constructor is defined but not an object
+ 2.
the species constructor produces a valid typed array which is shorter than the expected length
+
+ * builtins/TypedArrayPrototype.js:
+ (map):
+ (filter):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncSlice):
+
+2020-09-24 Basuke Suzuki
+
+ [PlayStation] Stop raising SIGPIPE when client side of RemoteInspector dies
+ https://bugs.webkit.org/show_bug.cgi?id=216805
+
+ Reviewed by Don Olmstead.
+
+ When communication is stopped caused by peer crash or non-polite close, SIGPIPE will be
+ raised on BSD (and maybe on Linux). We prefer to handle those events by returning error.
+
+ On Windows, there's no such fancy feature from the beginning.
+
+ * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
+ (Inspector::Socket::read):
+ (Inspector::Socket::write):
+
+2020-09-24 Angelos Oikonomopoulos
+
+ [MIPS] Broken build after r267371
+ https://bugs.webkit.org/show_bug.cgi?id=216893
+
+ Reviewed by Adrian Perez de Castro.
+
+ This addresses two issues.
+
+ First, the fix in https://bugs.webkit.org/show_bug.cgi?id=216772 was not
+ getting exercised, because the LabelReference offset was always zero.
+
+ The reason the offset was zero is that LabelReference.mapChildren would discard
+ the offset when generating a new LabelReference to wrap the Label returned by
+ the code block it yielded to.
+
+ The reason this was only an issue on MIPS is because only MIPS was using the
+ result of calls to LabelReference.mapChildren (in its lowering phase,
+ assignRegistersToTemporaries -> replaceTemporariesWithRegisters ->
+ mapChildren). Other archs, e.g. X86_64 only call mapChildren in earlier phases
+ (specifically, subsequent to a call to isASTErroneous), in which the new
+ LabelReferences returned by mapChildren are later discarded.
Even though ARM
+ 32/64 contains indirect calls to mapChildren, those are made after the
+ arm{,64}LowerLabelReferences transformation which doesn't leave any
+ LabelReference nodes around for .mapChildren to be called on.
+
+ So this is not an issue for architectures other than MIPS because
+ (a) AddImmediates.fold correctly constructs a LabelReference with an offset by
+ calling LabelReference.plusOffset and
+ (b) they don't call (and therefore don't use the result of)
+ LabelReference.mapChildren in their lowering code.
+
+ Second, the code we generate needs to look up the /label/ in the GOT, not the
+ computed address. After the lookup, we simply need to add the offset.
+
+ * offlineasm/ast.rb:
+ * offlineasm/mips.rb:
+
+2020-09-24 Ross Kirsling
+
+ %TypedArray%.prototype.fill must only evaluate its argument once
+ https://bugs.webkit.org/show_bug.cgi?id=216912
+
+ Reviewed by Yusuke Suzuki.
+
+ Currently, we evaluate the argument in `typedArray.fill({ valueOf() { ... } })` once per filled element,
+ but it should only be evaluated once in total.
+
+ * builtins/TypedArrayPrototype.js:
+ (fill):
+
+2020-09-23 Ross Kirsling
+
+ %ArrayIteratorPrototype%.next must check for detached buffers
+ https://bugs.webkit.org/show_bug.cgi?id=216904
+
+ Reviewed by Yusuke Suzuki.
+
+ Per https://tc39.es/ecma262/#sec-%arrayiteratorprototype%.next:
+ 8. If a has a [[TypedArrayName]] internal slot, then
+ a. If IsDetachedBuffer(a.[[ViewedArrayBuffer]]) is true, throw a TypeError exception.
+
+ * builtins/ArrayIteratorPrototype.js:
+ (next):
+ * builtins/BuiltinNames.h:
+ * bytecode/LinkTimeConstant.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::typedArrayViewPrivateFuncIsNeutered):
+ * runtime/JSTypedArrayViewPrototype.h:
+
+2020-09-23 Yusuke Suzuki
+
+ [JSC] Simply some of template-specialized host functions by defining each function
+ https://bugs.webkit.org/show_bug.cgi?id=216907
+
+ Reviewed by Saam Barati.
+
+ This makes automatically-registering these functions in JIT-caging easy.
+
+ * API/APICallbackFunction.h:
+ (JSC::APICallbackFunction::callImpl):
+ (JSC::APICallbackFunction::constructImpl):
+ (JSC::APICallbackFunction::call): Deleted.
+ (JSC::APICallbackFunction::construct): Deleted.
+ * API/JSCallbackConstructor.cpp:
+ (JSC::constructJSCallbackConstructor):
+ (JSC::JSCallbackConstructor::getConstructData):
+ * API/JSCallbackFunction.cpp:
+ (JSC::callJSCallbackFunction):
+ (JSC::JSCallbackFunction::JSCallbackFunction):
+ * API/ObjCCallbackFunction.mm:
+ (JSC::callObjCCallbackFunction):
+ (JSC::constructObjCCallbackFunction):
+ (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
+ * API/glib/JSCCallbackFunction.cpp:
+ (JSC::callJSCCallbackFunction):
+ (JSC::constructJSCCallbackFunction):
+ (JSC::JSCCallbackFunction::JSCCallbackFunction):
+ * dfg/DFGOperations.h:
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * jsc.cpp:
+ (accessorMakeMasquerader):
+ * runtime/JSArrayBufferConstructor.cpp:
+ (JSC::JSGenericArrayBufferConstructor::JSGenericArrayBufferConstructor):
+ (JSC::JSGenericArrayBufferConstructor::constructImpl):
+ (JSC::constructArrayBuffer):
+ (JSC::constructSharedArrayBuffer):
+ (JSC::JSGenericArrayBufferConstructor::constructArrayBuffer): Deleted.
+ * runtime/JSArrayBufferConstructor.h:
+ * runtime/JSCustomGetterSetterFunction.cpp:
+ (JSC::customGetterSetterFunctionCall):
+ (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall): Deleted.
+ * runtime/JSCustomGetterSetterFunction.h: + * runtime/NativeErrorConstructor.cpp: + (JSC::NativeErrorConstructor::constructImpl): + (JSC::NativeErrorConstructor::callImpl): + (JSC::callEvalError): + (JSC::constructEvalError): + (JSC::callRangeError): + (JSC::constructRangeError): + (JSC::callReferenceError): + (JSC::constructReferenceError): + (JSC::callSyntaxError): + (JSC::constructSyntaxError): + (JSC::callTypeError): + (JSC::constructTypeError): + (JSC::callURIError): + (JSC::constructURIError): + (JSC::callFunction): + (JSC::constructFunction): + (JSC::NativeErrorConstructor::NativeErrorConstructor): + (JSC::NativeErrorConstructorBase::finishCreation): + (JSC::NativeErrorConstructor::constructNativeErrorConstructor): Deleted. + (JSC::NativeErrorConstructor::callNativeErrorConstructor): Deleted. + * runtime/NativeErrorConstructor.h: + * runtime/RegExpConstructor.cpp: + (JSC::regExpConstructorDollarImpl): + (JSC::regExpConstructorDollar1): + (JSC::regExpConstructorDollar2): + (JSC::regExpConstructorDollar3): + (JSC::regExpConstructorDollar4): + (JSC::regExpConstructorDollar5): + (JSC::regExpConstructorDollar6): + (JSC::regExpConstructorDollar7): + (JSC::regExpConstructorDollar8): + (JSC::regExpConstructorDollar9): + (JSC::regExpConstructorInput): + (JSC::regExpConstructorMultiline): + (JSC::regExpConstructorLastMatch): + (JSC::regExpConstructorLastParen): + (JSC::regExpConstructorLeftContext): + (JSC::regExpConstructorRightContext): + (JSC::setRegExpConstructorInput): + (JSC::setRegExpConstructorMultiline): + (JSC::regExpConstructorDollar): Deleted. + * tools/JSDollarVM.cpp: + +2020-09-23 Alexey Shvayka + + Update Array.prototype.sort to be consistent with tightened spec + https://bugs.webkit.org/show_bug.cgi?id=202582 + + Reviewed by Yusuke Suzuki and Keith Miller. + + This patch implements the spec change [1] that reduces amount of cases resulting + in an implementation-defined sort order, aligning JSC with V8 and SpiderMonkey. 
+ + To achieve this, we collect all existing non-undefined receiver elements to a + temporary array, sort it, and write back sorted items, followed by `undefined` + values and holes. + + This change is proven to be web-compatible (shipping since Chrome 76) and neutral + on peak memory consumption in the wild. + + Although we can unobservably detect sparse receivers, we can't avoid creating a + temporary array for common case since userland comparators may throw; string + sorting won't measurably benefit from this, only increasing code complexity. + + This change uses @putByValDirect unless the spec requires [[Set]], avoids using + closure variables, and adds a few drive-by optimizations, resulting in ~22% + faster string sorting and 13% speed-up for userland comparators. + Dromaeo/jslib is neutral. + + [1]: https://github.com/tc39/ecma262/pull/1585 + + * builtins/ArrayPrototype.js: + (sort.stringComparator): + Optimization #1: replace char-by-char comparison loop with > operator, aligning + JSC with V8 and SpiderMonkey. This semantically equivalent change alone is a ~15% + progression for string sort. + + (sort.compact): + (sort.commit): + Optimization #2: copy large non-numeric arrays in a loop rather than @appendMemcpy. + Using the latter unconditionally regresses provided microbenchmarks. + + (sort.merge): + Optimization #3: replace `typeof` check and negation with strict equality. + + (sort.mergeSort): + Optimization #4: always return sorted array instead of copying, even if it's the buffer. + Tweak: create the buffer with correct length. + + (sort.bucketSort): + Optimization #5: avoid emitting 2 extra get_by_val ops by saving bucket lookup to a variable. + Tweak: create new bucket via array literal. + + (sort): Fix typo in error message. + (sort.compactSparse): Deleted. + (sort.compactSlow): Deleted. + (sort.comparatorSort): Deleted. + (sort.stringSort): Deleted. 
+ * runtime/ObjectConstructor.cpp: + (JSC::ObjectConstructor::finishCreation): + Remove @Object.@getPrototypeOf as it's now unused and we have @getPrototypeOf intrinsic anyway. + +2020-09-23 Yusuke Suzuki + + [JSC] Intl spec update: handle awkward rounding behavior + https://bugs.webkit.org/show_bug.cgi?id=216760 + + Reviewed by Ross Kirsling. + + This patch supports new spec change of "handle awkward rounding behavior"[1]. + This changes minimumFractionDigits / maximumFractionDigits calculation when the specified ones are less than currency-digits. + + [1]: https://github.com/tc39/ecma402/pull/471 + + * runtime/CommonIdentifiers.h: + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::resolvedOptions const): + * runtime/IntlNumberFormatInlines.h: + (JSC::setNumberFormatDigitOptions): + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::resolvedOptions const): + +2020-09-23 Caio Lima + + [JSC][ESNext] Create a new opcode to handle private fields store/define + https://bugs.webkit.org/show_bug.cgi?id=213372 + + Reviewed by Yusuke Suzuki. + + This patch is adding a new opcode to handle private field storage. + Before this change, we were using `put_by_val_direct` and including + the information of `PutKind` into `PutByValFlags`. We initially decided + to use `put_by_val_direct` to take advantage of all IC mechanism already + implemented for this instruction, however the semantics of private field + is different enough to complicate the understanding of + `put_by_val_direct`. + + The new instruction is called `put_private_name` and has as its operands + `baseObject` where the put is going to be placed, the `property` + that's going to be installed (it is always a private symbol of a + private field), the `value` we are going to store and the + `PrivateFieldPutKind` that can be `Define` or `Set`. + The difference of each `PrivateFieldPutKind` is the following: + + - Define: It defines a new private field. 
If this field is already + present, it throws a `TypeError`. + - Set: It sets the value of a private field. If the field is not + present at the moment of set, it throws a `TypeError`. + + This patch includes support of IC for all tiers. For DFG and FTL, we + are only emmiting IC when we are able to emit `CheckConstant` + for subscript identifier during Bytecode parsing. We are adding a new + DFG node called `PutPrivateNameById` that handles such cases when we + have constant identifiers. + We are also adding a new DFG node `PutPrivateName` that handles generic + case of `put_private_name`. The strategy used to compile + `put_private_name` is very similar with what we are using with + `put_by_val[_direct]`. We first try to compile it as `[Multi]PutByOffset` + using profiled information from LLInt and Baseline execution. If it + is not possible, we then emit `PutPrivateName[ById]` node. We get another + chance to transform `PutPrivateNameById` into `PutByOffset` if we can prove + its structure set at constant folding phase. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::finalizeLLIntInlineCaches): + * bytecode/Fits.h: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + (JSC::PutByIdStatus::computeFor): + * bytecode/PutByIdStatus.h: + * bytecode/PutByValFlags.cpp: Removed. + * bytecode/PutByValFlags.h: Removed. + * bytecode/PutKind.h: + (): Deleted. 
+ * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitDirectPutByVal): + (JSC::BytecodeGenerator::emitDefinePrivateField): + (JSC::BytecodeGenerator::emitPrivateFieldPut): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handlePutPrivateNameById): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::handlePutByVal): + (JSC::DFG::ecmaMode): Deleted. + (JSC::DFG::ecmaMode): Deleted. + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToPutByOffset): + (JSC::DFG::Node::convertToMultiPutByOffset): + (JSC::DFG::Node::hasCacheableIdentifier): + (JSC::DFG::Node::hasPrivateFieldPutKind): + (JSC::DFG::Node::privateFieldPutKind): + * dfg/DFGNodeType.h: + * dfg/DFGOpInfo.h: + (JSC::DFG::OpInfo::OpInfo): + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePutPrivateName): + (JSC::DFG::SpeculativeJIT::compilePutPrivateNameById): + (JSC::DFG::SpeculativeJIT::compilePutByIdFlush): + (JSC::DFG::SpeculativeJIT::compilePutById): + (JSC::DFG::SpeculativeJIT::compilePutByIdDirect): + (JSC::DFG::SpeculativeJIT::cachedPutById): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStoreBarrierInsertionPhase.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + 
(JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateNameById): + (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName): + (JSC::FTL::DFG::LowerDFGToB3::cachedPutById): + (JSC::FTL::DFG::LowerDFGToB3::compilePutById): + * generator/DSL.rb: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + (JSC::JIT::link): + * jit/JIT.h: + (JSC::ByValCompilationInfo::ByValCompilationInfo): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + (JSC::JITPutByIdGenerator::slowPathFunction): + * jit/JITInlineCacheGenerator.h: + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + * jit/JITInlines.h: + (JSC::JIT::ecmaMode): + (JSC::JIT::ecmaMode): Deleted. + (JSC::JIT::privateFieldAccessKind): Deleted. + (JSC::JIT::privateFieldAccessKind): Deleted. + * jit/JITOperations.cpp: + (JSC::setPrivateField): + (JSC::putPrivateField): Deleted. + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::emit_op_put_private_name): + (JSC::JIT::emitSlow_op_put_private_name): + (JSC::JIT::emit_op_put_by_id): + (JSC::JIT::emitPutPrivateNameWithCachedId): + (JSC::JIT::privateCompilePutPrivateNameWithCachedId): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_private_name): + (JSC::JIT::emitSlow_op_put_private_name): + (JSC::JIT::emit_op_put_by_id): + * jit/Repatch.cpp: + (JSC::appropriateGenericPutByIdFunction): + (JSC::appropriateOptimizingPutByIdFunction): + (JSC::tryCachePutByID): + (JSC::resetPutByID): + * llint/LLIntOffsetsExtractor.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/JSObject.h: + * runtime/JSObjectInlines.h: + (JSC::JSObject::setPrivateField): + (JSC::JSObject::putPrivateField): Deleted. 
+ * runtime/PrivateFieldPutKind.cpp: Added. + (JSC::PrivateFieldPutKind::dump const): + * runtime/PrivateFieldPutKind.h: Added. + (JSC::PrivateFieldPutKind::fromByte): + (JSC::PrivateFieldPutKind::none): + (JSC::PrivateFieldPutKind::set): + (JSC::PrivateFieldPutKind::define): + (JSC::PrivateFieldPutKind::isNone const): + (JSC::PrivateFieldPutKind::isSet const): + (JSC::PrivateFieldPutKind::isDefine const): + (JSC::PrivateFieldPutKind::value const): + (JSC::PrivateFieldPutKind::PrivateFieldPutKind): + +2020-09-22 Yusuke Suzuki + + [JSC] Enable Intl.DateTimeFormat dayPeriod + https://bugs.webkit.org/show_bug.cgi?id=216845 + + Reviewed by Mark Lam. + + Since we already have consensus, let's enable it. + For now, we keep this flag since it is possible that something + happens before the change is integrated into the spec. + + * runtime/OptionsList.h: + +2020-09-22 HyeockJin Kim + + Coerce computed property before adding to |excludedList| + https://bugs.webkit.org/show_bug.cgi?id=216437 + + Reviewed by Yusuke Suzuki. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ObjectPatternNode::bindValue const): + +2020-09-21 Paulo Matos + + Fix MIPS leai,leap when offset is nonzero + https://bugs.webkit.org/show_bug.cgi?id=216772 + + Reviewed by Mark Lam. + + Fix required by change from webkit#216685 + * offlineasm/mips.rb: + +2020-09-21 Yusuke Suzuki + + [JSC] BigInt should work with Map / Set + https://bugs.webkit.org/show_bug.cgi?id=216667 Reviewed by Robin Morisset. - - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check. - - Add a new opcode to air on arm64 for smull (multiplySignExtend32). - - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). - - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, - and no change on the no-constant benchmark. - Also, skip some of the b3 tests that were failing before this patch so that the new tests can run - to completion. 
+ This patch makes BigInt supported in Map / Set. - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::multiplySignExtend32): - * assembler/testmasm.cpp: - (JSC::testMul32SignExtend): - (JSC::run): - * b3/B3LowerMacros.cpp: - * b3/B3LowerToAir.cpp: - * b3/air/AirOpcode.opcodes: - * b3/testb3.cpp: - (JSC::B3::testMulArgs32SignExtend): - (JSC::B3::testMulImm32SignExtend): - (JSC::B3::testMemoryFence): - (JSC::B3::testStoreFence): - (JSC::B3::testLoadFence): - (JSC::B3::testPinRegisters): - (JSC::B3::run): - -2019-06-28 Konstantin Tokarev - - Remove traces of ENABLE_ICONDATABASE remaining after its removal in 219733 - https://bugs.webkit.org/show_bug.cgi?id=199317 - - Reviewed by Michael Catanzaro. - - While IconDatabase and all code using it was removed, - ENABLE_ICONDATABASE still exists as build option and C++ macro. - - * Configurations/FeatureDefines.xcconfig: - -2019-06-27 Mark Lam - - FTL keepAlive()'s patchpoint should also declare that it reads HeapRange::top(). - https://bugs.webkit.org/show_bug.cgi?id=199291 - - Reviewed by Yusuke Suzuki and Filip Pizlo. - - The sole purpose of keepAlive() is to communicate to B3 that an LValue - needs to be kept alive past the last opportunity for a GC. The only way - we can get a GC is via a function call. Hence, what keepAlive() really - needs to communicate is that the LValue needs to be kept alive past the - last function call. Function calls read and write HeapRange::top(). - Currently, B3 does not shuffle writes. Hence, simply inserting the - keepAlive() after the calls that can GC is sufficient. - - But to be strictly correct, keepAlive() should also declare that it reads - HeapRange::top(). This will guarantee that the keepAlive patchpoint won't - ever be moved before the function call should B3 gain the ability to shuffle - writes in the future. + 1. In NormalizeMapKey, we always attempt to convert HeapBigInt to BigInt32 (if supported). 
So we ensure that, + normalized BigInt has one unique form for BigInt32 range. This allows us to use hashing for BigInt32 bit pattern directly. + 2. In MapHash, for BigInt32, we directly has the JSValue bits. For HeapBigInt, we calculate hash via Hasher. + 3. In GetMapBucket, we consider HeapBigInt case correctly. + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupNormalizeMapKey): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::keepAlive): + (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): + (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey): + (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): + * runtime/HashMapImpl.h: + (JSC::normalizeMapKey): + (JSC::jsMapHash): + (JSC::concurrentJSMapHash): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::concurrentHash): + * runtime/JSBigInt.h: + (JSC::tryConvertToBigInt32): -2019-06-27 Beth Dakin +2020-09-21 Mark Lam - Upstream use of MACCATALYST - https://bugs.webkit.org/show_bug.cgi?id=199245 - rdar://problem/51687723 + Move some LLInt globals into JSC::Config. + https://bugs.webkit.org/show_bug.cgi?id=216685 + rdar://68964544 - Reviewed by Tim Horton. + Reviewed by Keith Miller. - * Configurations/Base.xcconfig: - * Configurations/FeatureDefines.xcconfig: - * Configurations/JavaScriptCore.xcconfig: - * Configurations/SDKVariant.xcconfig: + 1. 
Moved the following into g_jscConfig: -2019-06-27 Saam Barati + Data::s_exceptionInstructions ==> g_jscConfig.llint.exceptionInstructions + Data::s_wasmExceptionInstructions ==> g_jscConfig.llint.wasmExceptionInstructions + g_opcodeMap ==> g_jscConfig.llint.opcodeMap + g_opcodeMapWide16 ==> g_jscConfig.llint.opcodeMapWide16 + g_opcodeMapWide32 ==> g_jscConfig.llint.opcodeMapWide32 - Make WEBGPU enabled only on Mojave and later. + 2. Fixed cloop.rb so that it can take an offset for the leap offlineasm instruction. + 3. Fixed x86.rb so that it can take an offset for the leap offlineasm instruction. + 4. Fixed arm.rb so that it can take an offset for the leap offlineasm instruction. - Rubber-stamped by Myles C. Maxfield. + Note: arm64.rb already does this right. - * Configurations/FeatureDefines.xcconfig: + 5. Added JSC::Config::singleton() to return a reference to g_jscConfig. + This is useful when debugging with lldb since g_jscConfig is not an actual + label, but is a macro that computes the address of the Config record. -2019-06-27 Don Olmstead + This patch has been smoke tested on arm64e, x86_64, and cloop (on x86_64 and armv7k). 
- [FTW] Build JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=199254 + * llint/LLIntData.cpp: + (JSC::LLInt::LLIntInitializeAssertScope::LLIntInitializeAssertScope): + (JSC::LLInt::LLIntInitializeAssertScope::~LLIntInitializeAssertScope): + (JSC::LLInt::LLIntInitializeAssertScope::assertInitializationIsAllowed): + (JSC::LLInt::initialize): + * llint/LLIntData.h: + (JSC::LLInt::exceptionInstructions): + (JSC::LLInt::wasmExceptionInstructions): + (JSC::LLInt::opcodeMap): + (JSC::LLInt::opcodeMapWide16): + (JSC::LLInt::opcodeMapWide32): + (JSC::LLInt::getOpcode): + (JSC::LLInt::getOpcodeWide16): + (JSC::LLInt::getOpcodeWide32): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter.cpp: + * llint/LowLevelInterpreter64.asm: + * llint/WebAssembly.asm: + * offlineasm/arm.rb: + * offlineasm/cloop.rb: + * offlineasm/x86.rb: + * runtime/JSCConfig.cpp: + (JSC::Config::singleton): + * runtime/JSCConfig.h: - Reviewed by Brent Fulgham. +2020-09-21 Basuke Suzuki - * PlatformFTW.cmake: Added. + [WinCairo][PlayStation] Support different instances of listener client. + https://bugs.webkit.org/show_bug.cgi?id=216733 -2019-06-27 Konstantin Tokarev + Reviewed by Don Olmstead. - Use JSC_GLIB_API_ENABLED instead of USE(GLIB) as a compile-time check for GLib JSC API - https://bugs.webkit.org/show_bug.cgi?id=199270 + Currently RemoteInspectorSocketEndpoint support one client instance for all + listeners. This patch allows listeners to create its own listener client on + accept timing. - Reviewed by Michael Catanzaro. 
+ * inspector/remote/RemoteControllableTarget.h: + * inspector/remote/RemoteInspector.h: + * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: + (Inspector::RemoteInspectorConnectionClient::didReceive): + * inspector/remote/socket/RemoteInspectorConnectionClient.h: + * inspector/remote/socket/RemoteInspectorServer.cpp: + (Inspector::RemoteInspectorServer::start): + (Inspector::RemoteInspectorServer::doAccept): + * inspector/remote/socket/RemoteInspectorServer.h: + * inspector/remote/socket/RemoteInspectorSocket.cpp: + (Inspector::RemoteInspector::didClose): + * inspector/remote/socket/RemoteInspectorSocket.h: + * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: + (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint): + (Inspector::RemoteInspectorSocketEndpoint::~RemoteInspectorSocketEndpoint): + (Inspector::RemoteInspectorSocketEndpoint::listenInet): + (Inspector::RemoteInspectorSocketEndpoint::workerThread): + (Inspector::RemoteInspectorSocketEndpoint::generateConnectionID): + (Inspector::RemoteInspectorSocketEndpoint::createClient): + (Inspector::RemoteInspectorSocketEndpoint::disconnect): + (Inspector::RemoteInspectorSocketEndpoint::createListener): + (Inspector::RemoteInspectorSocketEndpoint::invalidateClient): + (Inspector::RemoteInspectorSocketEndpoint::invalidateListener): + (Inspector::RemoteInspectorSocketEndpoint::getPort const): + (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled): + (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled): + (Inspector::RemoteInspectorSocketEndpoint::send): + (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled): + * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: - This change allows building code with enabled USE(GLIB) but without - GLib JSC API. 
+2020-09-21 Keith Miller - * heap/Heap.cpp: - (JSC::Heap::releaseDelayedReleasedObjects): - * heap/Heap.h: - * heap/HeapInlines.h: + Functions should consistently enumerate length before name + https://bugs.webkit.org/show_bug.cgi?id=216789 -2019-06-27 Devin Rousso + Reviewed by Yusuke Suzuki. - Web Inspector: throw an error if console.count/console.countReset is called with an object that throws an error from toString - https://bugs.webkit.org/show_bug.cgi?id=199252 + In https://github.com/tc39/ecma262/pull/2116, which has been + approved to be merged into the main JS spec, it's expected that + all functions should have their length property enumerated before + the name property. To ensure this invariant, this patch moves the + length set into InternalFunction::finishCreation. - Reviewed by Joseph Pecoraro. + There are no new tests since tests will be added to test262 when + the spec PR is merged. Adding tests to stress just means we will + have the same test twice, which seems like a waste. - Parse the arguments passed to `console.count` and `console.countReset` before sending it to - the `ConsoleClient` so that an error can be thrown if the first argument doesn't `toString` - nicely (e.g. without throwing an error). 
+ * API/JSCallbackFunction.cpp: + (JSC::JSCallbackFunction::finishCreation): + * API/ObjCCallbackFunction.mm: + (JSC::ObjCCallbackFunction::create): + * API/glib/JSCCallbackFunction.cpp: + (JSC::JSCCallbackFunction::create): + * runtime/AggregateErrorConstructor.cpp: + (JSC::AggregateErrorConstructor::finishCreation): + * runtime/ArrayConstructor.cpp: + (JSC::ArrayConstructor::finishCreation): + * runtime/AsyncFunctionConstructor.cpp: + (JSC::AsyncFunctionConstructor::finishCreation): + * runtime/AsyncGeneratorFunctionConstructor.cpp: + (JSC::AsyncGeneratorFunctionConstructor::finishCreation): + * runtime/BigIntConstructor.cpp: + (JSC::BigIntConstructor::finishCreation): + * runtime/BooleanConstructor.cpp: + (JSC::BooleanConstructor::finishCreation): + * runtime/DateConstructor.cpp: + (JSC::DateConstructor::finishCreation): + * runtime/ErrorConstructor.cpp: + (JSC::ErrorConstructor::finishCreation): + * runtime/FinalizationRegistryConstructor.cpp: + (JSC::FinalizationRegistryConstructor::finishCreation): + * runtime/FunctionConstructor.cpp: + (JSC::FunctionConstructor::finishCreation): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::finishCreation): + * runtime/GeneratorFunctionConstructor.cpp: + (JSC::GeneratorFunctionConstructor::finishCreation): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::finishCreation): + (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined): + * runtime/InternalFunction.h: + * runtime/IntlCollatorConstructor.cpp: + (JSC::IntlCollatorConstructor::finishCreation): + * runtime/IntlDateTimeFormatConstructor.cpp: + (JSC::IntlDateTimeFormatConstructor::finishCreation): + * runtime/IntlDisplayNamesConstructor.cpp: + (JSC::IntlDisplayNamesConstructor::finishCreation): + * runtime/IntlLocaleConstructor.cpp: + (JSC::IntlLocaleConstructor::finishCreation): + * runtime/IntlNumberFormatConstructor.cpp: + (JSC::IntlNumberFormatConstructor::finishCreation): + * runtime/IntlPluralRulesConstructor.cpp: + 
(JSC::IntlPluralRulesConstructor::finishCreation): + * runtime/IntlRelativeTimeFormatConstructor.cpp: + (JSC::IntlRelativeTimeFormatConstructor::finishCreation): + * runtime/IntlSegmenterConstructor.cpp: + (JSC::IntlSegmenterConstructor::finishCreation): + * runtime/JSArrayBufferConstructor.cpp: + (JSC::JSGenericArrayBufferConstructor::finishCreation): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::JSGenericTypedArrayViewConstructor::finishCreation): + * runtime/JSTypedArrayViewConstructor.cpp: + (JSC::JSTypedArrayViewConstructor::finishCreation): + * runtime/MapConstructor.cpp: + (JSC::MapConstructor::finishCreation): + * runtime/NativeErrorConstructor.cpp: + (JSC::NativeErrorConstructorBase::finishCreation): + * runtime/NullGetterFunction.h: + * runtime/NullSetterFunction.h: + * runtime/NumberConstructor.cpp: + (JSC::NumberConstructor::finishCreation): + * runtime/ObjectConstructor.cpp: + (JSC::ObjectConstructor::finishCreation): + * runtime/ProxyConstructor.cpp: + (JSC::ProxyConstructor::finishCreation): + * runtime/ProxyRevoke.cpp: + (JSC::ProxyRevoke::finishCreation): + * runtime/RegExpConstructor.cpp: + (JSC::RegExpConstructor::finishCreation): + * runtime/SetConstructor.cpp: + (JSC::SetConstructor::finishCreation): + * runtime/StringConstructor.cpp: + (JSC::StringConstructor::finishCreation): + * runtime/SymbolConstructor.cpp: + (JSC::SymbolConstructor::finishCreation): + * runtime/WeakMapConstructor.cpp: + (JSC::WeakMapConstructor::finishCreation): + * runtime/WeakObjectRefConstructor.cpp: + (JSC::WeakObjectRefConstructor::finishCreation): + * runtime/WeakSetConstructor.cpp: + (JSC::WeakSetConstructor::finishCreation): + * wasm/js/WebAssemblyCompileErrorConstructor.cpp: + (JSC::WebAssemblyCompileErrorConstructor::finishCreation): + * wasm/js/WebAssemblyGlobalConstructor.cpp: + (JSC::WebAssemblyGlobalConstructor::finishCreation): + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::WebAssemblyInstanceConstructor::finishCreation): + * 
wasm/js/WebAssemblyLinkErrorConstructor.cpp: + (JSC::WebAssemblyLinkErrorConstructor::finishCreation): + * wasm/js/WebAssemblyMemoryConstructor.cpp: + (JSC::WebAssemblyMemoryConstructor::finishCreation): + * wasm/js/WebAssemblyModuleConstructor.cpp: + (JSC::WebAssemblyModuleConstructor::finishCreation): + * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: + (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation): + * wasm/js/WebAssemblyTableConstructor.cpp: + (JSC::WebAssemblyTableConstructor::finishCreation): - Generate call stacks for `console.countReset` to match other `console` methods. Also do this - for `console.time`, `console.timeLog`, and `console.timeEnd`. Limit the call stack to only - have the top frame, so no unnecessary/extra data is sent to the frontend (right now, only - the call location is displayed). +2020-09-21 Yusuke Suzuki - Rename `title` to `label` for `console.time`, `console.timeLog`, and `console.timeEnd` to - better match the spec. + [JSC] Proxy should be trapped if base value is primitive + https://bugs.webkit.org/show_bug.cgi?id=216764 - * runtime/ConsoleClient.h: - * runtime/ConsoleObject.cpp: - (JSC::valueOrDefaultLabelString): - (JSC::consoleProtoFuncCount): - (JSC::consoleProtoFuncCountReset): - (JSC::consoleProtoFuncTime): - (JSC::consoleProtoFuncTimeLog): - (JSC::consoleProtoFuncTimeEnd): + Reviewed by Darin Adler. + + While we have special care in JSObject::putInline etc., we missed it in JSValue::putToPrimitive. + So, if proxy exists in the prototype chain for the primitive values (e.g. StringPrototype -> Proxy chain), + we miss the Proxy trap. We should have ProxyObject special check in JSValue::putToPrimitive too. + + * runtime/JSCJSValue.cpp: + (JSC::JSValue::putToPrimitive): + +2020-09-20 Yusuke Suzuki + + [JSC] Drop Options::useBigInt + https://bugs.webkit.org/show_bug.cgi?id=216743 + + Reviewed by Darin Adler. + + Now BigInt is shipped. Let's just remove Options::useBigInt. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitEqualityOpImpl): + * parser/Lexer.cpp: + (JSC::Lexer::parseHex): + (JSC::Lexer::parseBinary): + (JSC::Lexer::parseOctal): + (JSC::Lexer::parseDecimal): + * runtime/JSGlobalObject.h: + * runtime/OptionsList.h: + +2020-09-20 Yusuke Suzuki + + Unreviewed, use RELEASE_AND_RETURN to suppress exception verification failure + https://bugs.webkit.org/show_bug.cgi?id=216686 + + + * runtime/JSModuleNamespaceObject.cpp: + (JSC::JSModuleNamespaceObject::defineOwnProperty): + +2020-09-18 Yusuke Suzuki + + [JSC] Generator declaration should not be allowed in single statement context + https://bugs.webkit.org/show_bug.cgi?id=216720 + + Reviewed by Ross Kirsling. + + Generator declaration in single statement context (like the following code) should be syntax error. + We already made async function / async generator function syntax error. We should apply the same rule + to generator declaration too. + + if (false) + function * gen() { } + + * parser/Parser.cpp: + (JSC::Parser::parseSingleFunction): + (JSC::Parser::parseStatement): + (JSC::Parser::parseFunctionDeclarationStatement): + (JSC::Parser::parseFunctionDeclaration): + (JSC::Parser::parseExportDeclaration): + * parser/Parser.h: + +2020-09-18 Yusuke Suzuki + + [JSC] PreciseAllocation's isNewlyAllocated flag should be propagated from isMarked at GC begin phase to make isLive correct + https://bugs.webkit.org/show_bug.cgi?id=216717 + + Reviewed by Mark Lam. + + When starting full GC, at beginMarking, PreciseAllocation's mark bit is cleared to be usable for upcoming marking. + However, this means that HeapCell::isLive will see this object as dead until it is marked. + Let's consider that this object is not newly allocated one. Then, its isNewlyAllocated is false. And now mark bit + is also cleared. Since PreciseAllocation::isLive is isNewlyAllocated || isMarked, then it looks dead, while it is live. 
+ This confuses HeapCell:isLive function and makes some of watchpoints perform wrong decisions (e.g. this condition is + no longer valid, let's just discard it). + At the beginning of full collection, we should propagate the old mark bit to isNewlyAllocated so that it looks live + during marking. This is similar trick to MarkedBlock::aboutToMark. + + * heap/PreciseAllocation.cpp: + (JSC::PreciseAllocation::flip): + +2020-09-18 Saam Barati + + console APIs shouldn't crash making a string that's too long for a console warning when using user provided labels + https://bugs.webkit.org/show_bug.cgi?id=216709 + + + Reviewed by Mark Lam and Devin Rousso. + + Various console APIs send warnings when a label can't be found. These warnings + include the label itself. If this label has a long enough length, when we make + these warning strings, we can crash, because we exceed max string length. + This patch fixes this by truncating the label everywhere it's used if it + exceeds a length of 10000. - * inspector/JSGlobalObjectConsoleClient.h: * inspector/JSGlobalObjectConsoleClient.cpp: - (Inspector::JSGlobalObjectConsoleClient::count): - (Inspector::JSGlobalObjectConsoleClient::countReset): - (Inspector::JSGlobalObjectConsoleClient::time): - (Inspector::JSGlobalObjectConsoleClient::timeLog): - (Inspector::JSGlobalObjectConsoleClient::timeEnd): - - * inspector/agents/InspectorConsoleAgent.h: + (Inspector::JSGlobalObjectConsoleClient::profile): + * inspector/ScriptArguments.h: * inspector/agents/InspectorConsoleAgent.cpp: (Inspector::InspectorConsoleAgent::startTiming): (Inspector::InspectorConsoleAgent::logTiming): (Inspector::InspectorConsoleAgent::stopTiming): (Inspector::InspectorConsoleAgent::count): (Inspector::InspectorConsoleAgent::countReset): - (Inspector::InspectorConsoleAgent::getCounterLabel): Deleted. 
- * inspector/ConsoleMessage.h: - * inspector/ConsoleMessage.cpp: - (Inspector::ConsoleMessage::ConsoleMessage): - Allow `ConsoleMessage`s to be created with both `ScriptArguments` and a `ScriptCallStack`. +2020-09-18 Keith Miller -2019-06-27 Fujii Hironori - - [CMake] Bump cmake_minimum_required version to 3.10 - https://bugs.webkit.org/show_bug.cgi?id=199181 - - Reviewed by Don Olmstead. - - * CMakeLists.txt: - -2019-06-26 Basuke Suzuki - - [RemoteInspector] Add address argument to listen for RemoteInspectorServer Socket implementation. - https://bugs.webkit.org/show_bug.cgi?id=199035 - - Reviewed by Ross Kirsling. - - Added new argument `address` to start listening. - - * inspector/remote/socket/RemoteInspectorServer.cpp: - (Inspector::RemoteInspectorServer::start): - * inspector/remote/socket/RemoteInspectorServer.h: - * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: - (Inspector::Socket::listen): - * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: - (Inspector::Socket::listen): - -2019-06-26 Keith Miller - - speciesConstruct needs to throw if the result is a DataView - https://bugs.webkit.org/show_bug.cgi?id=199231 - - Reviewed by Mark Lam. - - Previously, we only checked that the result was a - JSArrayBufferView, which can include DataViews. This is incorrect - as the result should be only be a TypedArray. - - * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: - (JSC::speciesConstruct): - -2019-06-26 Joseph Pecoraro - - Web Inspector: Implement console.countReset - https://bugs.webkit.org/show_bug.cgi?id=199200 - - Reviewed by Devin Rousso. 
- - * inspector/JSGlobalObjectConsoleClient.cpp: - (Inspector::JSGlobalObjectConsoleClient::countReset): - * inspector/JSGlobalObjectConsoleClient.h: - * inspector/agents/InspectorConsoleAgent.cpp: - (Inspector::InspectorConsoleAgent::getCounterLabel): - (Inspector::InspectorConsoleAgent::count): - (Inspector::InspectorConsoleAgent::countReset): - * inspector/agents/InspectorConsoleAgent.h: - * runtime/ConsoleClient.h: - * runtime/ConsoleObject.cpp: - (JSC::ConsoleObject::finishCreation): - (JSC::consoleProtoFuncCountReset): - -2019-06-26 Keith Miller - - remove unneeded didBecomePrototype() calls - https://bugs.webkit.org/show_bug.cgi?id=199221 + DFG should ensure there are PhantomLocals for the taken block of op_jneq_ptr + https://bugs.webkit.org/show_bug.cgi?id=216669 Reviewed by Saam Barati. - Since we now set didBecomePrototype in Structure::create we don't - need to set it expliticly in most of our finishCreation - methods. The only exception to this is object prototype, which we - set as the prototype of function prototype late (via - setPrototypeWithoutTransition). + Right now, if there is a local that is live on the taken branch but dead on + not-taken branch then nothing will preserve it for OSR exit. This patch simply + adds a PhantomLocal for each live operand for the first bytecode of the taken block. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + +2020-09-18 Paulo Matos + + Unified build fixes from ARMv7 build failures + https://bugs.webkit.org/show_bug.cgi?id=216698 + + Reviewed by Adrian Perez de Castro. + + * llint/LLIntThunks.cpp: + * runtime/FileBasedFuzzerAgent.cpp: + * runtime/FunctionExecutableDump.cpp: + * runtime/NativeExecutable.cpp: + * runtime/WeakMapImpl.cpp: + +2020-09-17 Mark Lam + + Use OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) in speculationFromCell()'s isSanePointer(). + https://bugs.webkit.org/show_bug.cgi?id=216638 + + Reviewed by Saam Barati. 
+
+ We should be using OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) instead of assuming the
+ width of the pointer address bits.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::isSanePointer):
+
+2020-09-17 Devin Rousso
+
+ Web Inspector: REGRESSION(r266885): fix open source build
+ https://bugs.webkit.org/show_bug.cgi?id=216675
+
+ Reviewed by Timothy Hatcher.
+
+ Add back methods used by `WebInspector.framework`.
+
+ * inspector/InspectorBackendDispatcher.cpp:
+ (Inspector::BackendDispatcher::getInteger): Added.
+ (Inspector::BackendDispatcher::getDouble): Added.
+ (Inspector::BackendDispatcher::getString): Added.
+
+2020-09-17 Tadeu Zagallo
+
+ Inconsistent loop exit assertion in B3ReduceLoopStrength
+ https://bugs.webkit.org/show_bug.cgi?id=216274
+
+
+ Reviewed by Keith Miller.
+
+ On B3ReduceLoopStrength, we first calculate where the loop exits to, and ensure there's only
+ one exit target. Later on, we compute how many places within the loop exit to that single exit
+ target. Currently, we assume that having a single target implies that we'll only ever have one
+ exit point, which is incorrect. To fix it, instead of asserting there should only be one exit
+ point, we just bail if we find more than one.
+
+ * b3/B3ReduceLoopStrength.cpp:
+ (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):
+
+2020-09-17 Yusuke Suzuki
+
+ [JSC] Async generator default-export is not handled
+ https://bugs.webkit.org/show_bug.cgi?id=216643
+
+ Reviewed by Ross Kirsling.
+
+ `export default async function * test() { }` syntax should be correctly handled.
+ This patch adds the code retrieving "test" name from the above declaration correctly.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseExportDeclaration):
+
+2020-09-17 Yusuke Suzuki
+
+ [JSC] Update JSModuleNamespaceObject::defineOwnProperty
+ https://bugs.webkit.org/show_bug.cgi?id=216640
+
+ Reviewed by Ross Kirsling.
+
+ This patch implements spec update of JSModuleNamespaceObject::defineOwnProperty.
+ We implement https://tc39.es/ecma262/#sec-module-namespace-exotic-objects-defineownproperty-p-desc precisely.
+
+ * runtime/JSModuleNamespaceObject.cpp:
+ (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
+ (JSC::JSModuleNamespaceObject::deleteProperty):
+ (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
+ (JSC::JSModuleNamespaceObject::defineOwnProperty):
+
+2020-09-17 Mark Lam
+
+ Add some pointer sanity checks to speculationFromCell().
+ https://bugs.webkit.org/show_bug.cgi?id=216638
+ rdar://23226333
+
+ Reviewed by Yusuke Suzuki.
+
+ Add some sanity checks to mitigate against some potential pointer corruptions
+ from profiling data. The goal here is not to exhaustively filter out all possible
+ bad pointers, but simply to filter out as many as possible to reduce crashes from
+ such bad pointers, and to do so with the least possible performance impact.
+
+ It is OK to do such filtering here because we're only trying to compute a
+ SpeculatedType from the pointer. If the pointer is bad, we can just return
+ SpecNone indicating that we don't have any info to speculate on.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::isSanePointer):
+ (JSC::speculationFromCell):
+ * runtime/StructureIDTable.h:
+ (JSC::StructureIDTable::tryGet):
+ * runtime/VM.h:
+ (JSC::VM::tryGetStructure):
+
+2020-09-17 Yusuke Suzuki
+
+ Support export namespace `export * as ns`
+ https://bugs.webkit.org/show_bug.cgi?id=214379
+
+ Reviewed by Ross Kirsling.
+
+ This patch supports `export * as ns from "module"` syntax. If it is used, we expose "module"'s namespace object as "ns".
+ For each module environment, we create *namespace* (starNamespace) private symbol scope variable. And we fill it later
+ with module namespace object. This way allows us to use module namespace object IC and super fast imported module binding
+ lookup though environment variable lookup mechanism.
+
+ * builtins/BuiltinNames.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * parser/NodesAnalyzeModule.cpp:
+ (JSC::ExportNamedDeclarationNode::analyzeModule):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseExportDeclaration):
+ * runtime/AbstractModuleRecord.cpp:
+ (JSC::AbstractModuleRecord::ExportEntry::createNamespace):
+ (JSC::AbstractModuleRecord::resolveExportImpl):
+ (JSC::AbstractModuleRecord::getModuleNamespace):
+ (JSC::AbstractModuleRecord::setModuleEnvironment):
+ (JSC::AbstractModuleRecord::dump):
+ * runtime/AbstractModuleRecord.h:
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::name):
+ (JSC::JSFunction::reifyName):
+ * runtime/JSModuleNamespaceObject.cpp:
+ (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
+ * runtime/JSModuleRecord.cpp:
+ (JSC::JSModuleRecord::instantiateDeclarations):
+ (JSC::JSModuleRecord::evaluate):
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::finishCreation):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+
+2020-09-17 Yusuke Suzuki
+
+ [JSC] Optimize Promise#finally by avoiding creating multiple environments
+ https://bugs.webkit.org/show_bug.cgi?id=216637
+
+ Reviewed by Ross Kirsling.
+
+ Let's just create functions inside Promise#finally. This avoids creating
+ multiple lexical environments that are captured by each function.
+
+ * builtins/PromisePrototype.js:
+ (finally):
+ (globalPrivate.getThenFinally): Deleted.
+ (globalPrivate.getCatchFinally): Deleted.
+
+2020-09-16 Saam Barati
+
+ Don't IC a null custom accessor/value setter
+ https://bugs.webkit.org/show_bug.cgi?id=216620
+
+
+ Reviewed by Mark Lam.
+
+ Our runtime allows CustomGetterSetter objects setter field to not contain an
+ actual C function to call. In such a scenario, the runtime just does nothing
+ except return false to the ::put code (which may result in throwing an
+ exception in strict mode code).
+
+ However, our IC code never considered whether this function could be nullptr.
+ The fix here is simple: don't IC such custom accessor/value setters.
+
+ * runtime/PutPropertySlot.h:
+ (JSC::PutPropertySlot::isCacheableCustom const):
+
+2020-09-16 Philippe Normand
+
+ [Flatpak SDK][WPE] Launching the remote inspector kills MB
+ https://bugs.webkit.org/show_bug.cgi?id=213899
+
+ Reviewed by Adrian Perez de Castro.
+
+ Load inspector resources from developer build artefacts, when the inspector server is
+ running in this configuration. Fall back to system libraries loading mechanism otherwise.
+
+ * inspector/remote/glib/RemoteInspectorUtils.cpp:
+ (Inspector::backendCommands):
+
+2020-09-16 Adrian Perez de Castro
+
+ Non-unified build fixes, early September 2020 edition
+ https://bugs.webkit.org/show_bug.cgi?id=216599
+
+ Unreviewed build fix.
+
+ Largely based on a patch by Lauro Moura
+
+ * runtime/IntlCache.cpp: Add missing wtf/Vector.h include.
+ * runtime/IntlCache.h: Add missing wtf/text/CString.h include.
+ * runtime/IntlNumberFormatPrototype.cpp: Replace IntlNumberFormat.h
+ include with IntlNumberFormatInlines.h to fix linking.
+
+2020-09-15 Saam Barati
+
+ JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays
+ https://bugs.webkit.org/show_bug.cgi?id=216589
+
+
+ Reviewed by Yusuke Suzuki.
+
+ We are using JSImmutableButterfly::get in AI to constant fold GetByVal,
+ but we were failing to always return a boxed double value for double loads.
+ We were calling jsNumber instead of jsDooubleNumber. This is in contrast to
+ the runtime, which always returns a double boxed value. This would lead AI
+ to disagree with the runtime, and miscompile code.
+
+ * runtime/JSImmutableButterfly.h:
+ (JSC::JSImmutableButterfly::get const):
+
+2020-09-15 Yusuke Suzuki
+
+ [JSC] Cache UDateTimePatternGenerator
+ https://bugs.webkit.org/show_bug.cgi?id=213454
+
+ Reviewed by Ross Kirsling.
+
+ ICU udatpg_open function is particularly slow.
As a result, 80~% of time is used by this function when calling Date#toLocaleString.
+ We should have last-used cache in VM, which covers major cases like, "One locale (possibly default locale) is used and continuously
+ use toLocaleString with that locale".
+
+ This significantly improves toLocaleString / toLocaleDateString / toLocaleTimeString performance.
+
+ ToT Patched
+
+ date-to-locale-string 392.0092+-0.6811 ^ 87.3196+-3.1598 ^ definitely 4.4894x faster
+ date-to-locale-date-string 377.9117+-7.8701 ^ 70.4155+-3.6661 ^ definitely 5.3669x faster
+ date-to-locale-time-string 373.1970+-3.0142 ^ 67.3790+-2.8952 ^ definitely 5.5388x faster
+
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * runtime/IntlCache.cpp: Added.
+ (JSC::IntlCache::cacheSharedPatternGenerator):
+ (JSC::IntlCache::getBestDateTimePattern):
+ * runtime/IntlCache.h: Added.
+ (JSC::IntlCache::getSharedPatternGenerator):
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ (JSC::VM::intlCache):
+
+2020-09-15 HyeockJin Kim
+
+ Check whether the iterator is callable in spread
+ https://bugs.webkit.org/show_bug.cgi?id=215974
+
+ Reviewed by Darin Adler.
+
+ * builtins/IteratorHelpers.js:
+ (performIteration):
+
+2020-09-15 Tadeu Zagallo
+
+ Object allocation sinking forgets escaped nodes when structure changes
+ https://bugs.webkit.org/show_bug.cgi?id=216214
+
+
+ Reviewed by Saam Barati.
+
+ Consider the following program:
+ bb0:
+ a: NewObject
+ b: CreateActivation()
+ _: Branch(bb2, bb1)
+ bb1:
+ _: PutByOffset(a, 'x', 42)
+ _: PutStrucute(a, {x: 0})
+ _: Branch(bb2, bb1)
+ bb2:
+ _: CheckStructure(a, {x: 0})
+ _: PutClosureVar(b, 0, Kill:a)
+ _: Branch(bb3, bb2)
+ bb3:
+ c: GetClosureVar(b, 0)
+ _: PutByOffset(global, 'y', c)
+ _: Return
+
+ Due to the order we visit the program, we'll visit bb2 before bb1.
The first time we visit bb2, heapAtHead will be:
+ #@a: ObjectAllocation({})
+ #@b: ActivationAllocation()
+ @a => #@a
+ @b => #@b
+
+ Now CheckStructure would always fail, so it will escape @a and heapAtTail will be:
+ #@a: EscapedAllocation()
+ #@b: ActivationAllocation()
+ @a => #@a
+ @b => #@b
+
+ And after pruning:
+ #@b: ActivationAllocation()
+ @b => #@b
+
+ Now, we'll visit bb3 and then bb1. When we visit bb1 we'll set the structure {x: 0} for the #@a and eventually visit bb2 again. This time around CheckStructure will no longer escape @a, since the allocation has the right structure, and heapAtTail will be:
+ #@a: ObjectAllocation({x: 0})
+ #@b: ActivationAllocation(0: #@a)
+ @b => #@b
+
+ However, we now have to merge into bb3, which has heapAtHead:
+ #@b: ActivationAllocation()
+ @b => #@b
+
+ Since we can't add the extra field to the activation, we'll end up escaping @a at the edge and therefore pruning #@b, which will leave the heap for bb3 unchanged.
+ That's a problem, since PutClosureVar didn't see the escaped object, but GetClosureVar thinks it's escaped. The materialization for @a will be placed after the
+ PutClosureVar, at end of bb2, when the node is already dead. When computing the SSA defs, the PutByOffset at bb3 will then see @a (which at this point will be a
+ PhantomNewObject) instead of its materialization.
+
+ The issue happens because we don't allow allocations to add extra fields while merging, but we do allow adding new structures. This results in different decisions
+ being made about what escapes in CheckStructure and MultiGetByOffset. To avoid this problem, we track two sets of structures: structures and structuresForMaterialization.
+ The first is used for checks and should never grow while the second is used for materialization and is allowed to grow.
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+
+2020-09-15 Saam Barati
+
+ CustomFunctionEquivalence PropertyCondition needs to check if the structure has the property
+ https://bugs.webkit.org/show_bug.cgi?id=216575
+
+
+ Reviewed by Yusuke Suzuki.
+
+ The CustomFunctionEquivalence PropertyCondition would only return false to
+ isStillValidAssumingImpurePropertyWatchpoint if the Structure's static
+ property table was reified or if the static property table did not contain the
+ property. However, this missed the obvious case of where we store to this
+ property in normal object storage without reifying the static property table.
+ The fix here is simple: we first check if the Structure's property table
+ has this property, and if so, return false.
+
+ This patch also renames CustomFunctionEquivalence to HasStaticProperty to
+ better capture what we're doing.
+
+ * bytecode/ObjectPropertyCondition.h:
+ (JSC::ObjectPropertyCondition::hasStaticProperty):
+ (JSC::ObjectPropertyCondition::customFunctionEquivalence): Deleted.
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const):
+ (JSC::ObjectPropertyConditionSet::slotBaseCondition const):
+ (JSC::generateConditionsForPrototypePropertyHitCustom):
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::dumpInContext const):
+ (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
+ (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
+ (JSC::PropertyCondition::isStillValid const):
+ (JSC::PropertyCondition::isWatchableWhenValid const):
+ (WTF::printInternal):
+ * bytecode/PropertyCondition.h:
+ (JSC::PropertyCondition::hasStaticProperty):
+ (JSC::PropertyCondition::hash const):
+ (JSC::PropertyCondition::operator== const):
+ (JSC::PropertyCondition::customFunctionEquivalence): Deleted.
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCreateStaticCustomValue):
+ (JSC::JSDollarVM::finishCreation):
+
+2020-09-15 Yusuke Suzuki
+
+ [JSC] Apply Intl.DateTimeFormat hour-cycle correctly when timeStyle is used
+ https://bugs.webkit.org/show_bug.cgi?id=216521
+
+ Reviewed by Ross Kirsling.
+
+ When specifying timeStyle in Intl.DateTimeFormat, we need to check that the generated format also follows to the hourCycle / hour12 options
+ specified in the constructor. Because dayPeriod can be included automatically, just replacing symbols after generating a pattern can dump strange result.
+ For example, the generated one is something like "02:12:47 PM Coordinated Universal Time". And we adjust the pattern to make it "14:12:47 PM Coordinated Universal Time"
+ when hourCycle H23 / H24 is specified. But this looks strange since dayPeriod "PM" should not exist when using H23 / H24.
+
+ In this patch, we revise our hour-cycle handling in Intl.DateTimeFormat. We align our behavior to SpiderMonkey's one[1] rather than the spec's one: when hour12 is specified,
+ we will just use 'H' or 'h' skeleton and do not enforce hour-cycle after generating pattern in hour12 case. If hour12 is not specified, then we use 'h' or 'H' skeleton
+ symbols based on hour-cycle, and later we modify the pattern based on hour-cycle. If both are not offered, we use 'j' which allows ICU to pick preferable one.
+ This is slightly different behavior to the spec (hcDefault etc.) but the spec's behavior can cause a bit surprising result[2,3], and SpiderMonkey like behavior will be
+ integrated into the spec eventually[4].
+
+ [1]: https://github.com/tc39/ecma402/issues/402#issuecomment-623628320
+ [2]: https://github.com/tc39/ecma402/issues/402
+ [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=1045791
+ [4]: https://github.com/tc39/ecma402/pull/436
+
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::setFormatsFromPattern):
+ (JSC::IntlDateTimeFormat::parseHourCycle):
+ (JSC::IntlDateTimeFormat::hourCycleFromPattern):
+ (JSC::IntlDateTimeFormat::replaceHourCycleInSkeleton):
+ (JSC::IntlDateTimeFormat::replaceHourCycleInPattern):
+ (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+ (JSC::IntlDateTimeFormat::hourCycleString):
+ (JSC::IntlDateTimeFormat::resolvedOptions const):
+ (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
+ * runtime/IntlDateTimeFormat.h:
+
+2020-09-14 Yusuke Suzuki
+
+ [JSC] Intl.Collator should take collation option
+ https://bugs.webkit.org/show_bug.cgi?id=216529
+
+ Reviewed by Ross Kirsling.
+
+ This patch adds "collation" option to Intl.Collator. We are already getting consensus[1], and will be integrated into the spec.
+ Previously, passing "collation" is only available through "-u-co-" unicode extension in the passed locale. The proposal exposes
+ collation option as an option to Intl.Collator so that we can set it easily.
+ "collation" is used only when "usage" is "sort". "search" usage will filter out collation options since "search" itself is one of
+ the "collation" option.
+
+ [1]: https://github.com/tc39/ecma402/pull/459
+
+ * runtime/IntlCollator.cpp:
+ (JSC::IntlCollator::sortLocaleData):
+ (JSC::IntlCollator::initializeCollator):
+
+2020-09-15 Joonghun Park
+
+ Unreviewed. Remove the build warning below since r228533.
+ warning: ‘%40s’ directive argument is null [-Wformat-overflow=]
+
+ Since gcc which has version >= 9 is stricter about passing null string
+ pointers to printf-like functions, add null string pointer check
+ to fix the warning proactively.
+
+ * jsc.cpp:
+ (runJSC):
+
+2020-09-14 Keith Miller
+
+ BytecodeParser should GetLocal op_ret's value even if it's unused by the caller
+ https://bugs.webkit.org/show_bug.cgi?id=216506
+
+ Reviewed by Mark Lam.
+
+ We have to unconditionally GetLocal operands each bytecode claims to use
+ regardless of true liveness. This is important to keep OSRAvailability simple.
+ However, op_ret would only GetLocal the return value if we knew the value
+ was going to be used by an inline caller.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
+2020-09-14 Alexey Shvayka
+
+ Proxy's "ownKeys" trap result should not be sorted
+ https://bugs.webkit.org/show_bug.cgi?id=216227
+
+ Reviewed by Yusuke Suzuki.
+
+ Given that we can't know whether ownPropertyKeys() received property names from
+ userland Proxy's "ownKeys" trap, this patch moves symbols after strings sorting [1]
+ to Structure::getPropertyNamesFromStructure(), aligning observed property order
+ (via Proxy's "getOwnPropertyDescriptor" trap) with V8 and SpiderMonkey.
+
+ Also, removes sorting logic duplication in objectConstructorAssign().
+
+ This change is neutral on provided Reflect.ownKeys microbenchmark. Although property
+ name collection besides PropertyNameMode::StringsAndSymbols cases is unaffected,
+ Object.{keys,getOwnPropertySymbols} microbenchmarks regress by 6-12% due to
+ increased Structure::getPropertyNamesFromStructure() code size.
+
+ [1]: https://tc39.es/ecma262/#sec-ordinaryownpropertykeys (steps 3-4)
+
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorAssign):
+ (JSC::ownPropertyKeys):
+ * runtime/Structure.cpp:
+ (JSC::Structure::getPropertyNamesFromStructure):
+
+2020-09-14 Alexey Shvayka
+
+ ArraySetLength should coerce [[Value]] before descriptor validation
+ https://bugs.webkit.org/show_bug.cgi?id=158791
+
+ Reviewed by Darin Adler.
+
+ This patch:
+
+ 1.
Moves [[Value]] coercion before descriptor validation as per spec [1],
+ which fixes ASSERT() failure and aligns JSC with V8 & SpiderMonkey.
+
+ 2. Prevents JSArray::setLengthWithArrayStorage() from throwing if the length
+ is unchanged, even if it's read-only [2].
+
+ 3. Refactors JSArray::defineOwnProperty() leveraging #2 to always perform
+ setLength(), which greatly reduces the number of checks, branches,
+ and setLengthWritable() calls.
+
+ Following the ArraySetLength spec steps precisely [1] would result in
+ more difficult-to-follow code because descriptor validation [2] is inlined
+ and [[Delete]] failures are handled in setLength().
+
+ This change is performance-neutral as it doesn't affect JSArray::put(),
+ which was vetted to be spec-correct and is covered by test262 suite.
+
+ [1]: https://tc39.es/ecma262/#sec-arraysetlength (steps 3-4)
+ [2]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 7.a.ii)
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::defineOwnProperty):
+ (JSC::JSArray::setLengthWithArrayStorage):
+
+2020-09-14 Saam Barati
+
+ Remove bogus asserts in FTLLower that assume programs are compiled with sensible speculations
+ https://bugs.webkit.org/show_bug.cgi?id=216485
+
+
+ Reviewed by Keith Miller.
+
+ We had an assert inside lowCell that if a value was not part of the JSValue
+ hashmap of values, then the type must not conform to being a cell. However,
+ consider a program like this:
+
+ ```
+ x = ArithAdd(i32, i32) <-- x is an i32 here
+ if (b) {
+ Check(Cell:@x)
+ ArrayifyToStructure(@x, thingy)
+ }
+ <-- HERE
+ ```
+
+ @x will live in FTLLower's i32 hashmap, but because of the AI rule for
+ ArrayifyToStructure, it will also have SpecCell in its type. This is totally
+ valid, and asserting that this isn't possible is wrong. (Obviously the above
+ speculation is stupid, as we will always exit at the Check, but it's valid IR.)
+
+ This patch removes this assertion from lowCell, and removes similar assertions
+ from other low* functions.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
+ (JSC::FTL::DFG::LowerDFGToB3::lowCell):
+ (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
+ (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
+
+2020-09-14 Alexey Shvayka
+
+ Make a few built-in methods throw if called as top-level functions
+ https://bugs.webkit.org/show_bug.cgi?id=216467
+
+ Reviewed by Darin Adler.
+
+ Non-strict userland functions substitute undefined & null `this` values
+ with the global object [1], while built-in functions do not [2].
+
+ This patch adds 5 missing toThis(globalObject, ECMAMode::strict()) calls,
+ preventing built-in methods from being called as top-level functions:
+
+ ```
+ let {toString} = Error.prototype;
+ toString(); // now throws TypeError
+ ```
+
+ Aligns JSC with V8 and SpiderMonkey.
+ This change is performance-neutral due to DFG inlining of OpToThis.
+ All other callFrame->thisValue() usages were vetted to be spec-correct.
+
+ [1]: https://tc39.es/ecma262/#sec-ordinarycallbindthis (step 6.a.iii)
+ [2]: https://tc39.es/ecma262/#sec-built-in-function-objects-call-thisargument-argumentslist (step 10)
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::createArrayIteratorObject):
+ * runtime/DatePrototype.cpp:
+ (JSC::dateProtoFuncToPrimitiveSymbol):
+ (JSC::dateProtoFuncToJSON):
+ * runtime/ErrorPrototype.cpp:
+ (JSC::errorProtoFuncToString):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncToString):
+
+2020-09-14 Devin Rousso
+
+ Web Inspector: REGRESSION(r266885): dyld: Symbol not found: __ZN9Inspector17BackendDispatcher12sendResponseElON3WTF6RefPtrINS1_8JSONImpl6ObjectENS1_13DumbPtrTraitsIS4_EEEEb
+ https://bugs.webkit.org/show_bug.cgi?id=216486
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/InspectorBackendDispatcher.h:
+ * inspector/InspectorBackendDispatcher.cpp:
+ (Inspector::BackendDispatcher::sendResponse):
+ Add back overloads removed in r266885 so that the symbols exist.
+
+2020-09-14 Saam Barati
+
+ Don't assume byte code operands are uint32 JSValues
+ https://bugs.webkit.org/show_bug.cgi?id=216386
+
+ Reviewed by Yusuke Suzuki.
+
+ The slow path for enumerator_generic_pname was assuming that its input index operand
+ would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
+ because that value can have double format in the DFG, and remain in that format when
+ we exit from the DFG to baseline/LLInt code.
+
+ This was found via the widening number fuzzing agent.
+
+ I also audited two more places that seem like they suffer from the same issue,
+ and also switched them to using the asUInt32AsAnyInt function:
+ - enumerator_structure_pname
+ - create_rest
+
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+2020-09-11 Yusuke Suzuki
+
+ [JSC] Canonicalize "true" unicode extension type value to ""
+ https://bugs.webkit.org/show_bug.cgi?id=216224
+
+ Reviewed by Ross Kirsling.
+
+ Unicode Technical Standard #35 defines that unicode extension type's "true" should be converged to "".
+ This patch implements it by extracting unicode extension subtags and replacing "true" to "".
+
+ * runtime/IntlLocale.cpp:
+ (JSC::LocaleIDBuilder::toCanonical):
+ (JSC::IntlLocale::keywordValue const):
+ (JSC::IntlLocale::calendar):
+ (JSC::IntlLocale::caseFirst):
+ (JSC::IntlLocale::collation):
+ (JSC::IntlLocale::hourCycle):
+ (JSC::IntlLocale::numberingSystem):
+ (JSC::IntlLocale::numeric):
+ * runtime/IntlLocale.h:
+ * runtime/IntlLocalePrototype.cpp:
+ (JSC::IntlLocalePrototypeGetterCalendar):
+ (JSC::IntlLocalePrototypeGetterCaseFirst):
+ (JSC::IntlLocalePrototypeGetterCollation):
+ (JSC::IntlLocalePrototypeGetterHourCycle):
+ (JSC::IntlLocalePrototypeGetterNumberingSystem):
+ * runtime/IntlObject.cpp:
+ (JSC::unicodeExtensionSubTags):
+ (JSC::canonicalizeUnicodeExtensionsAfterICULocaleCanonicalization):
+ (JSC::languageTagForLocaleID):
+ (JSC::resolveLocale):
+ * runtime/IntlObject.h:
+ * runtime/IntlObjectInlines.h:
+ (JSC::computeTwoCharacters16Code):
+ * runtime/StringPrototype.cpp:
+ (JSC::computeTwoCharacters16Code): Deleted.
+
+2020-09-11 Yusuke Suzuki
+
+ [JSC] attribute-change transition should not pin Structure
+ https://bugs.webkit.org/show_bug.cgi?id=215528
+
+ Reviewed by Saam Barati.
+
+ This patch avoids using pin in attribute-change transition. To achieve this, attribute-change transition is now fully supported
+ transition chain in forEachPropertyConcurrently etc.: we can retrieve properties with changed attributes correctly via traversing
+ transition chain. And we also support attribute-change transition in materializePropertyTable, so we do not need to pin structure.
+
+ The design largely mimics existing removePropertyTransition and addPropertyTransition. This patch also adds `hasBeenDictionary()`
+ check before adding structure to the transition so that we can avoid adding unnecessary structure entry to the transition table.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheDeleteBy):
+ * runtime/Structure.cpp:
+ (JSC::Structure::materializePropertyTable):
+ (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::addNewPropertyTransition):
+ (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
+ (JSC::Structure::removeNewPropertyTransition):
+ (JSC::Structure::attributeChangeTransitionToExistingStructure):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::nonPropertyTransitionSlow):
+ (JSC::Structure::attributeChange):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::forEachPropertyConcurrently):
+ (JSC::Structure::attributeChange):
+ (JSC::Structure::attributeChangeWithoutTransition):
+ * tools/JSDollarVM.cpp:
+ (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
+
+2020-09-10 Yusuke Suzuki
+
+ [JSC] customGetterSetterFunctionCall should have proper exception checking
+ https://bugs.webkit.org/show_bug.cgi?id=216391
+
+
+ Reviewed by Mark Lam.
+
+ Add appropriate exception checking to customGetterSetterFunctionCall.
+
+ * runtime/JSCustomGetterSetterFunction.cpp:
+ (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
+
+2020-09-10 Yusuke Suzuki
+
+ [JSC] Add exception checks to JSCallbackObject
+ https://bugs.webkit.org/show_bug.cgi?id=216384
+
+
+ Reviewed by Saam Barati.
+
+ This patch adds necessary exception checks to JSCallbackObject to suppress exception verifier crash in Debug build.
+
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject::getOwnPropertySlot):
+ (JSC::JSCallbackObject::defaultValue):
+ (JSC::JSCallbackObject::put):
+ (JSC::JSCallbackObject::putByIndex):
+ (JSC::JSCallbackObject::deleteProperty):
+ (JSC::JSCallbackObject::staticFunctionGetter):
+
+2020-09-10 Yusuke Suzuki
+
+ [JSC] agent start function should move isolated copy of source
+ https://bugs.webkit.org/show_bug.cgi?id=216383
+
+
+ Reviewed by Saam Barati.
+
+ We are calling `isolatedCopy()` and setting it to variable in caller thread. And we are copying it to the thread.
+ This means that ref-count will happen in caller thread and callee thread, this is wrong.
+ We should pass isolatedCopy string directly to the callee thread.
+
+ * jsc.cpp:
+ (functionDollarAgentStart):
+
+2020-09-10 Yusuke Suzuki
+
+ [JSC] unshift / shift should take structure lock
+ https://bugs.webkit.org/show_bug.cgi?id=216378
+
+
+ Reviewed by Mark Lam.
+
+ When unshifting / shifting butterfly, we need to move property storage values too.
+ If property storage values are moved while concurrent JIT compiler is accessing it, it could include garbage value.
+
+ For example, concurrent JIT compiler is accessing [2] property storage.
+
+ 1 2 3
+ [ JSValue ][ JSValue ][ Header ]
+
+ But unshift moved it like this.
+
+ 1 2 3
+ [ JSValue ][ JSValue ][ Header ]
+
+ Since butterfly pointer held by JSObject is not updated yet, concurrent JIT compiler will read [ Header ] as JSValue and crash.
+ In this patch, we take structure lock when shifting existing butterfly since this affect on property storage. Since JSObject::getDirectConcurrently
+ takes a structure lock, this locking prevents concurrent compilers from getting an invalid value.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::unshiftCountSlowCase):
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::unshiftCountWithArrayStorage):
+
+2020-09-10 Joonghun Park
+
+ Unreviewed. Remove the build warning below since r266885.
+ warning: redundant move in return statement [-Wredundant-move]
+
+ Because return statement already returns rvalue reference,
+ we don't need WTFMove at return.
+
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ (Inspector::InspectorRuntimeAgent::getBasicBlocks):
+
+2020-09-10 Alexey Shvayka
+
+ Promise.prototype.finally should perform PromiseResolve
+ https://bugs.webkit.org/show_bug.cgi?id=176006
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch extracts @promiseResolve global private function and utilizes it in
+ Promise.prototype.finally then/catch functions [1] to avoid creating an extra
+ Promise Capability. Aligns JSC with V8 and SpiderMonkey.
+
+ [1]: https://tc39.es/ecma262/#sec-thenfinallyfunctions (step 7)
+
+ * builtins/PromiseConstructor.js:
+ (resolve):
+ * builtins/PromiseOperations.js:
+ (globalPrivate.promiseResolve):
+ * builtins/PromisePrototype.js:
+ (globalPrivate.getThenFinally):
+ (globalPrivate.getCatchFinally):
+
+2020-09-10 Devin Rousso
+
+ Web Inspector: modernize generated backend protocol code
+ https://bugs.webkit.org/show_bug.cgi?id=216302
+
+
+ Reviewed by Brian Burg.
+
+ Previously, the inspector protocol was expressed in code in a somewhat confusing way:
+ - the error string was the first argument
+ - required parameters were `T` or `const T&`
+ - optional parameters were `const T*`
+ - enum parameters were the underlying type requiring the backend dispatcher handler to
+ process it instead of it being preprocessed
+ - required returns were `T&`
+ - optional returns were `T*`
+ This doesn't really make for easy/obvious reading of code since the order of arguments is
+ not weird (e.g. error string first), and that there are references/pointers to primitive
+ types.
+
+ This patch cleans up the generated inspector protocol code to be:
+ - required parameters are `T` or `Ref&&`
+ - optional parameters are `Optional&&` or `RefPtr&&`
+ - enum parameters are preprocessed and passed to the backend dispatcher handler if valid
+ - synchronous commands return `Expected` using the same types/rules above
+ where `X` is either a single return or a `std::tuple` of multiple returns
+
+ The one exception to the above is `String`, which is already a tri-state of `nullString()`,
+ `emptyString()`, and something set, so there's no need to use `Optional`.
+
+ Also use `Protocol` objects/`typedefs` wherever possible to further relate the protocol
+ JSON and the actual backend dispatcher handler implementation.
+
+ * inspector/scripts/codegen/generator.py:
+ (Generator.generate_includes_from_entries):
+ * inspector/scripts/codegen/cpp_generator_templates.py:
+ * inspector/scripts/codegen/cpp_generator.py:
+ (CppGenerator.helpers_namespace):
+ (CppGenerator.cpp_getter_method_for_type):
+ (CppGenerator.cpp_setter_method_for_type):
+ (CppGenerator.cpp_protocol_type_for_type):
+ (CppGenerator.cpp_type_for_type_member_argument): Added.
+ (CppGenerator.cpp_type_for_command_parameter): Added.
+ (CppGenerator.cpp_type_for_command_return_declaration): Added.
+ (CppGenerator.cpp_type_for_command_return_argument): Added.
+ (CppGenerator.cpp_type_for_event_parameter): Added.
+ (CppGenerator.cpp_type_for_enum): Added.
+ (CppGenerator.should_move_argument): Added.
+ (CppGenerator.should_release_argument): Added.
+ (CppGenerator.should_dereference_argument): Added.
+ (CppGenerator.cpp_protocol_type_for_type_member): Deleted.
+ (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Deleted.
+ (CppGenerator.cpp_type_for_checked_formal_event_parameter): Deleted.
+ (CppGenerator.cpp_type_for_type_member): Deleted.
+ (CppGenerator.cpp_type_for_type_with_name): Deleted.
+ (CppGenerator.cpp_type_for_formal_out_parameter): Deleted.
+ (CppGenerator.cpp_type_for_formal_async_parameter): Deleted.
+ (CppGenerator.cpp_type_for_stack_in_parameter): Deleted.
+ (CppGenerator.cpp_type_for_stack_out_parameter): Deleted.
+ (CppGenerator.cpp_assertion_method_for_type_member): Deleted.
+ (CppGenerator.cpp_assertion_method_for_type_member.assertion_method_for_type): Deleted.
+ (CppGenerator.should_use_wrapper_for_return_type): Deleted.
+ (CppGenerator.should_use_references_for_type): Deleted.
+ (CppGenerator.should_pass_by_copy_for_return_type): Deleted.
+ * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
+ (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
+ (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
+ (CppBackendDispatcherHeaderGenerator.generate_output):
+ (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
+ (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
+ (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
+ (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
+ (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
+ (CppBackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter): Deleted.
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
+ (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
+ (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
+ * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
+ (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
+ (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
+ * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
+ (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
+ (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
+ (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
+ (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
+ (CppProtocolTypesImplementationGenerator._generate_open_field_names):
+ (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
+ (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
+ (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_command):
+ (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
+
(ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command.and):
+ (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command.in_param_expression):
+ (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
+ (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
+ * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
+ (ObjCFrontendDispatcherImplementationGenerator._generate_event):
+ (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
+ * inspector/scripts/codegen/objc_generator_templates.py:
+ * inspector/scripts/codegen/objc_generator.py:
+ (ObjCGenerator.protocol_type_for_type):
+ (ObjCGenerator.objc_type_for_param_internal):
+ (ObjCGenerator.objc_protocol_import_expression_for_parameter):
+
+ * inspector/protocol/Page.json:
+ Now that enums are processed before being passed to backend dispacher handlers, the
+ `appearance` parameter of `Page.setForcedAppearance` must be marked `optional` as
+ there's no way for it to accept an empty string, as that's not possible for an enum.
+
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorAgent.cpp:
+ * inspector/agents/InspectorAuditAgent.h:
+ * inspector/agents/InspectorAuditAgent.cpp:
+ * inspector/agents/InspectorConsoleAgent.h:
+ * inspector/agents/InspectorConsoleAgent.cpp:
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ * inspector/agents/InspectorHeapAgent.h:
+ * inspector/agents/InspectorHeapAgent.cpp:
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ * inspector/agents/InspectorScriptProfilerAgent.h:
+ * inspector/agents/InspectorScriptProfilerAgent.cpp:
+ * inspector/agents/InspectorTargetAgent.h:
+ * inspector/agents/InspectorTargetAgent.cpp:
+ * inspector/agents/JSGlobalObjectAuditAgent.h:
+ * inspector/agents/JSGlobalObjectAuditAgent.cpp:
+ * inspector/agents/JSGlobalObjectDebuggerAgent.h:
+ * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
+ * inspector/agents/JSGlobalObjectRuntimeAgent.h:
+ * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
+ * inspector/JSGlobalObjectConsoleClient.cpp:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ Elided backend dispatcher handler changes describe above.
+
+ * bindings/ScriptValue.cpp:
+ (Inspector::jsToInspectorValue):
+ * inspector/AsyncStackTrace.h:
+ * inspector/AsyncStackTrace.cpp:
+ (Inspector::AsyncStackTrace::buildInspectorObject const):
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::ConsoleMessage::addToFrontend):
+ * inspector/InjectedScriptBase.h:
+ * inspector/InjectedScriptBase.cpp:
+ (Inspector::InjectedScriptBase::makeEvalCall):
+ (Inspector::InjectedScriptBase::checkCallResult):
+ (Inspector::InjectedScriptBase::checkAsyncCallResult):
+ * inspector/InjectedScript.h:
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::execute):
+ (Inspector::InjectedScript::evaluate):
+ (Inspector::InjectedScript::callFunctionOn):
+ (Inspector::InjectedScript::evaluateOnCallFrame):
+ (Inspector::InjectedScript::getFunctionDetails):
+ (Inspector::InjectedScript::functionDetails):
+ (Inspector::InjectedScript::getPreview):
+ (Inspector::InjectedScript::getProperties):
+ (Inspector::InjectedScript::getDisplayableProperties):
+ (Inspector::InjectedScript::getInternalProperties):
+ (Inspector::InjectedScript::getCollectionEntries):
+ (Inspector::InjectedScript::saveResult):
+ (Inspector::InjectedScript::wrapCallFrames const):
+ (Inspector::InjectedScript::wrapObject const):
+ (Inspector::InjectedScript::wrapJSONString const):
+ (Inspector::InjectedScript::wrapTable const):
+ (Inspector::InjectedScript::previewValue const):
+ * inspector/InjectedScriptManager.cpp:
+ (Inspector::InjectedScriptManager::injectedScriptForObjectId):
+ * inspector/InspectorBackendDispatcher.h:
+ * inspector/InspectorBackendDispatcher.cpp:
+ (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
+ (Inspector::BackendDispatcher::dispatch):
+ (Inspector::BackendDispatcher::sendResponse):
+ (Inspector::BackendDispatcher::getPropertyValue):
+ (Inspector::BackendDispatcher::getBoolean):
+ (Inspector::BackendDispatcher::getInteger):
+ (Inspector::BackendDispatcher::getDouble):
+ (Inspector::BackendDispatcher::getString):
+
(Inspector::BackendDispatcher::getValue):
+ (Inspector::BackendDispatcher::getObject):
+ (Inspector::BackendDispatcher::getArray):
+ (Inspector::castToInteger): Deleted.
+ (Inspector::castToNumber): Deleted.
+ * inspector/InspectorProtocolTypes.h:
+ (Inspector::Protocol::BindingTraits>::runtimeCast):
+ (Inspector::Protocol::BindingTraits>::assertValueHasExpectedType):
+ * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
+ (Inspector::RemoteInspectorConnectionClient::extractEvent):
+ * inspector/remote/socket/RemoteInspectorSocket.cpp:
+ (Inspector::RemoteInspector::pushListingsNow):
+ * runtime/TypeSet.cpp:
+ (JSC::StructureShape::inspectorRepresentation):
+ `JSON` classes now use `Ref&&` wherever possible and `Optional` instead of an out parameter
+ for `get*`/`as*` so that values can be more easily manipulated and can be confidently known
+ to exist.
+
+ * inspector/scripts/tests/enum-values.json:
+ * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
+ * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/domain-targetTypes.json-result:
+ * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/expected/enum-values.json-result:
+ * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
+ *
inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
+ * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
+ * inspector/scripts/tests/expected/should-strip-comments.json-result:
+ * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
+ * inspector/scripts/tests/expected/type-with-open-parameters.json-result:
+ * inspector/scripts/tests/expected/version.json-result:
+
+2020-09-09 Saam Barati
+
+ OutOfBoundsSaneChain operations should use their own heap locations
+ https://bugs.webkit.org/show_bug.cgi?id=216328
+
+
+ Reviewed by Keith Miller.
+
+ There is code in local CSE that does some basic bounds check elimination
+ for PutByVal. It does this analysis by seeing if a particular heap location
+ is already defined, and if so, it eliminates the bounds check for the
+ PutByVal. This doesn't work for OutOfBoundsSaneChain for the obvious reason
+ that these GetByVals are not proven to be in bounds. So GetByVal's in the
+ OutOfBoundsSaneChain mode reusing non OutOfBoundsSaneChain heap locations
+ can lead to a bug where we mistakenly remove a bounds check. The fix is to
+ have all OutOfBoundsSaneChain operations use distinct heaps, and for CSE to
+ not query those heaps.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::isAnySaneChain const): Deleted.
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+
+2020-09-09 Keith Miller
+
+ BigInt should PACCage its data pointer
+ https://bugs.webkit.org/show_bug.cgi?id=216319
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/JSBigInt.h:
+
+2020-09-09 Alexey Shvayka
+
+ Don't emitDirectBinding() if there is a [...rest] element binding
+ https://bugs.webkit.org/show_bug.cgi?id=216228
+
+ Reviewed by Darin Adler.
+
+ emitDirectBinding() is up for removal due to not respecting overriden or removed
+ Array.prototype[Symbol.iterator]. However, dropping it slows down popular swap pattern
+ `[a, b] = [b, a]` by 40% with DFG/FTL, and by a factor of 6 with baseline JIT only.
+
+ Until we figure out the best way to preserve common case performance, this patch
+ prevents `let [...rest] = [1]` from ending up as a number instead of an array,
+ aligning JSC with V8 and SpiderMonkey.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ArrayPatternNode::emitDirectBinding):
+
+2020-09-08 Yusuke Suzuki
+
+ [JSC] returnEarlyFromInfiniteLoopsForFuzzing should return object
+ https://bugs.webkit.org/show_bug.cgi?id=216289
+
+
+ Reviewed by Saam Barati.
+
+ When returning early with returnEarlyFromInfiniteLoopsForFuzzing, we are returning with undefined.
+ But this is wrong when the callee is constructor since constructor is strongly assumed that it returns an object.
+ We should return some object from returnEarlyFromInfiniteLoopsForFuzzing. In this patch, we return global object
+ associated to this callee instead of undefined
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::~CodeBlock):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_loop_hint):
+ * llint/LowLevelInterpreter64.asm:
+
+2020-09-08 Saam Barati
+
+ re-enable TCSM on all OSs
+ https://bugs.webkit.org/show_bug.cgi?id=216281
+
+ Reviewed by Tadeu Zagallo.
+
+ * runtime/Options.cpp:
+ (JSC::defaultTCSMValue):
+
+2020-09-08 Yusuke Suzuki
+
+ [JSC] Special property caching should check Structure's cacheability
+ https://bugs.webkit.org/show_bug.cgi?id=216222
+
+ Reviewed by Saam Barati.
+
+ While StructureRareData::cacheSpecialPropertySlow caches properties, the way it takes is incomplete.
+ It is not checking Structure's cacheability. We were caching miss condition even if structure is !propertyAccessesAreCacheableForAbsence.
+ We should perform the same check done in IC case. Strictly speaking, we can cache value for uncacheable-dictionary because we are setting
+ property change watchpoint (which will fire). But it sounds not so profitable if this structure is uncacheable.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::convertToUncacheableDictionary):
+ * runtime/JSObject.h:
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::cacheSpecialPropertySlow):
+ * tools/JSDollarVM.cpp:
+ (JSC::functionToUncacheableDictionary):
+ (JSC::JSDollarVM::finishCreation):
+
+2020-09-07 Joonghun Park
+
+ Unreviewed. Remove the build warning below since r266567.
+ warning: parameter ‘hint’ set but not used [-Wunused-but-set-parameter]
+
+ * runtime/JSObject.cpp:
+ (JSC::callToPrimitiveFunction):
+
+2020-09-06 Darin Adler
+
+ TextCodec refinements
+ https://bugs.webkit.org/show_bug.cgi?id=216219
+
+ Reviewed by Sam Weinig.
+
+ * parser/Lexer.h:
+ (JSC::Lexer::isWhiteSpace): Use byteOrderMark constant.
+
+2020-09-05 Yusuke Suzuki
+
+ Unreviewed, suppress exception checking after unwrapForOldFunctions
+ https://bugs.webkit.org/show_bug.cgi?id=216193
+
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototypeGetterFormat):
+ (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
+
+2020-09-05 Devin Rousso
+
+ Web Inspector: allow DOM breakpoints to be configured
+ https://bugs.webkit.org/show_bug.cgi?id=215795
+
+ Reviewed by Brian Burg.
+
+ * inspector/protocol/DOMDebugger.json:
+ Add an `options` parameter to `DOMDebugger.setDOMBreakpoint` to allow configuration.
+
+2020-09-04 Yusuke Suzuki
+
+ [JSC] Align legacy Intl constructor behavior to spec
+ https://bugs.webkit.org/show_bug.cgi?id=216193
+
+ Reviewed by Darin Adler.
+
+ Legacy Intl constructors (Intl.DateTimeFormat and Intl.NumberFormat) have special handling when it is called via `Intl.DateTimeFormat()` form.
+ This allowed legacy Intl constructors to be used with prototype-based inheritance without using class syntax. This legacy behavior is later specified
+ explicitly in the spec. So we should align our implementation to the spec's one.
+
+ 1. When defining fallback formats, we need to put them into the property which is visible via Symbol("IntlLegacyConstructedSymbol").
+ 2. Even if the provided thisValue is IntlDateTimeFormat* / IntlNumberFormat*, we should create another instance and put it to Symbol("IntlLegacyConstructedSymbol") field.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * builtins/BuiltinNames.cpp:
+ (JSC::BuiltinNames::BuiltinNames):
+ * builtins/BuiltinNames.h:
+ (JSC::BuiltinNames::intlLegacyConstructedSymbol const):
+ * runtime/CommonIdentifiers.h:
+ * runtime/IntlDateTimeFormat.h:
+ * runtime/IntlDateTimeFormatConstructor.cpp:
+ (JSC::IntlDateTimeFormatConstructor::finishCreation):
+ (JSC::callIntlDateTimeFormat):
+ * runtime/IntlDateTimeFormatInlines.h: Added.
+ (JSC::IntlDateTimeFormat::unwrapForOldFunctions):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototypeGetterFormat):
+ (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
+ (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):
+ (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
+ * runtime/IntlNumberFormat.h:
+ * runtime/IntlNumberFormatConstructor.cpp:
+ (JSC::IntlNumberFormatConstructor::finishCreation):
+ (JSC::callIntlNumberFormat):
+ * runtime/IntlNumberFormatInlines.h:
+ (JSC::IntlNumberFormat::unwrapForOldFunctions):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototypeGetterFormat):
+ (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
+ (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
+ * runtime/IntlObject.cpp:
+ (JSC::createDateTimeFormatConstructor):
+ (JSC::createNumberFormatConstructor):
+ * runtime/IntlObjectInlines.h:
+ (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
+ (JSC::unwrapForLegacyIntlConstructor):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::dateTimeFormatConstructor):
+ (JSC::JSGlobalObject::dateTimeFormatPrototype):
+ (JSC::JSGlobalObject::numberFormatConstructor):
+ (JSC::JSGlobalObject::numberFormatPrototype):
+
+2020-09-04 Alexey Shvayka
+
+ Array.prototype.push should always perform [[Set]] in strict mode
+ https://bugs.webkit.org/show_bug.cgi?id=216121
+
+ Unreviewed, address Darin's feedback on r266581.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncPush): Remove unnecessary static_cast.
+
+2020-09-04 Alexey Shvayka
+
+ Array.prototype.push should always perform [[Set]] in strict mode
+ https://bugs.webkit.org/show_bug.cgi?id=216121
+
+ Reviewed by Darin Adler.
+
+ This patch fixes arrayProtoFuncPush() to throw a TypeError if putting an
+ index beyond UINT32_MAX has failed, aligning JSC with the spec [1], V8,
+ and SpiderMonkey.
Also, refactors the method leveraging putByIndexInline().
+
+ Array.prototype.push microbenchmarks, including varargs tests, are neutral.
+
+ [1]: https://tc39.es/ecma262/#sec-array.prototype.push (step 5.b)
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncPush):
+
+2020-09-03 Carlos Garcia Campos
+
+ Unreviewed. [GLIB] Add missing return
+
+ There's no change in behavior because jsObjectCall() returns undefined in case of failure, but fixes a memory leak.
+
+ * API/glib/JSCValue.cpp:
+ (jsc_value_object_invoke_methodv):
+
+2020-09-02 Yusuke Suzuki
+
+ [JSC] Cache toString / valueOf / @@toPrimitive for major cases
+ https://bugs.webkit.org/show_bug.cgi?id=216061
+
+ Reviewed by Saam Barati.
+
+ When toPrimitive is called, we need to look-up three properties at most to perform operation. And these special properties do not have caching mechanism at all.
+ We found that Speedometer2/EmberJS-Debug-TodoMVC is using very much time for this property look-up. We should have caching mechanism in StructureRareData, which
+ should be similar to @@toStringTag & Object#toString caching mechanism.
+
+ This patch generalizes @@toStringTag & Object#toString caching mechanism as SpecialPropertyCache. And we accelerate toString / valueOf / @@toPrimitive look-ups in
+ toPrimitive with this caching mechanism.
+
+ This patch improved Speedometer2/EmberJS-Debug-TodoMVC by 10%.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/Watchpoint.cpp:
+ * bytecode/Watchpoint.h:
+ * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp.
+ (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::CachedSpecialPropertyAdaptiveStructureWatchpoint):
+ (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install):
+ (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::fireInternal):
+ * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ObjectToStringAdaptiveStructureWatchpoint.h.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::objectProtoToStringFunction const):
+ * runtime/JSObject.cpp:
+ (JSC::callToPrimitiveFunction):
+ (JSC::JSObject::ordinaryToPrimitive const):
+ (JSC::JSObject::toPrimitive const):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::ObjectPrototype::finishCreation):
+ (JSC::objectProtoFuncToString):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::cacheSpecialProperty):
+ (JSC::Structure::setObjectToStringValue): Deleted.
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::visitChildren):
+ (JSC::StructureRareData::ensureSpecialPropertyCacheSlow):
+ (JSC::StructureRareData::giveUpOnSpecialPropertyCache):
+ (JSC::StructureRareData::cacheSpecialPropertySlow):
+ (JSC::StructureRareData::clearCachedSpecialProperty):
+ (JSC::StructureRareData::finalizeUnconditionally):
+ (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint):
+ (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::isValid const):
+ (JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::handleFire):
+ (JSC::StructureRareData::setObjectToStringValue): Deleted.
+ (JSC::StructureRareData::clearObjectToStringValue): Deleted.
+ (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::ObjectToStringAdaptiveInferredPropertyValueWatchpoint): Deleted.
+ (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid const): Deleted.
+ (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): Deleted.
+ * runtime/StructureRareData.h:
+ * runtime/StructureRareDataInlines.h:
+ (JSC::StructureRareData::cachedSpecialProperty const):
+ (JSC::StructureRareData::canCacheSpecialProperty):
+ (JSC::StructureRareData::ensureSpecialPropertyCache):
+ (JSC::StructureRareData::cacheSpecialProperty):
+ (JSC::StructureRareData::objectToStringValue const): Deleted.
+
+2020-09-03 Saam Barati
+
+ Sampling profiler should dump hash as part of the top function key to prevent incorrectly grouping nameless functions together
+ https://bugs.webkit.org/show_bug.cgi?id=216087
+
+ Reviewed by Tadeu Zagallo.
+
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::reportTopFunctions):
+
+2020-09-03 Devin Rousso
+
+ Web Inspector: allow url breakpoints to be configured
+ https://bugs.webkit.org/show_bug.cgi?id=215793
+
+ Reviewed by Brian Burg.
+
+ * inspector/protocol/DOMDebugger.json:
+ Add an `options` parameter to `DOMDebugger.setURLBreakpoint` to allow configuration.
+ Add an `isRegex` parameter to `DOMDebugger.removeURLBreakpoint` so that we know what
+ type of URL breakpoint is being removed.
+
+2020-09-03 Devin Rousso
+
+ Web Inspector: allow special JavaScript breakpoints to be configured
+ https://bugs.webkit.org/show_bug.cgi?id=215794
+
+ Reviewed by Brian Burg.
+
+ * inspector/protocol/Debugger.json:
+ Add an `options` parameter to the following commands for configuring the related breakpoint:
+ - `Debugger.setPauseOnDebuggerStatements`
+ - `Debugger.setPauseOnExceptions`
+ - `Debugger.setPauseOnAssertions`
+ - `Debugger.setPauseOnMicrotasks`
+
+ * debugger/Debugger.h:
+ (JSC::Debugger::needsExceptionCallbacks const):
+ (JSC::Debugger::pauseOnAllExceptionsBreakpoint const): Added.
+ (JSC::Debugger::setPauseOnAllExceptionsBreakpoint): Added.
+ (JSC::Debugger::pauseOnUncaughtExceptionsBreakpoint const): Added.
+ (JSC::Debugger::setPauseOnUncaughtExceptionsBreakpoint): Added.
+ (JSC::Debugger::setPauseOnDebuggerStatementsBreakpoint): Added.
+ (JSC::Debugger::pauseOnExceptionsState const): Deleted.
+ (JSC::Debugger::setPauseOnDebuggerStatements): Deleted.
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::TemporarilyDisableExceptionBreakpoints): Added.
+ (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::~TemporarilyDisableExceptionBreakpoints): Added.
+ (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::replace): Added.
+ (JSC::Debugger::TemporarilyDisableExceptionBreakpoints::restore): Added.
+ (JSC::Debugger::Debugger):
+ (JSC::Debugger::breakProgram):
+ (JSC::Debugger::exception):
+ (JSC::Debugger::didReachDebuggerStatement):
+ (JSC::Debugger::setPauseOnExceptionsState): Deleted.
+ Add `JSC::Breakpoint` member variables for the Debugger Statements and Exceptions
+ breakpoints. Split the Exceptions breakpoint into two `JSC::Breakpoint` now that
+ All Exceptions and Uncaught Exceptions can be independently configured (the All
+ Exceptions breakpoint still takes precedence).
+
+ * debugger/DebuggerCallFrame.h:
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
+ If there is no `CallFrame`, climb the backtrace until the first valid `CallFrame` is reached.
+ This is needed when pausing in native code, such as for assertions/exceptions.
+
+ * debugger/Breakpoint.h:
+ Export `JSC::Breakpoint::create` so that other parts of WebKit can create breakpoints.
+
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::disable):
+ (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
+ (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements):
+ (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
+ (Inspector::InspectorDebuggerAgent::setPauseOnAssertions):
+ (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks):
+ (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
+ (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
+ (Inspector::InspectorDebuggerAgent::willRunMicrotask):
+ (Inspector::InspectorDebuggerAgent::didRunMicrotask):
+ (Inspector::InspectorDebuggerAgent::breakProgram):
+ Add `JSC::Breakpoint` member variables for the Assertion Failures and All Microtasks
+ breakpoints. Pass them to the `JSC::Debugger` when they are hit.
+
+ * inspector/agents/InspectorAuditAgent.cpp:
+ (Inspector::InspectorAuditAgent::run):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::evaluate):
+ (Inspector::InspectorRuntimeAgent::callFunctionOn):
+ (Inspector::InspectorRuntimeAgent::getPreview):
+ (Inspector::InspectorRuntimeAgent::getProperties):
+ (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
+ (Inspector::setPauseOnExceptionsState): Deleted.
+ Use `TemporarilyDisableExceptionBreakpoints` to save, override, and restore the exceptions
+ breakpoints now that they've been separated into two `JSC::Breakpoint` instead of an `enum`.
+
+2020-09-03 Keith Miller
+
+ Finish comment describing the various *Stack SSA nodes in DFG
+ https://bugs.webkit.org/show_bug.cgi?id=216110
+
+ Reviewed by Sam Weinig.
+
+ * dfg/DFGNodeType.h:
+
+2020-09-03 David Kilzer
+
+ AbstractMacroAssembler::Jump class has uninitialized instance variables
+
+
+ Reviewed by Michael Saboff.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::Jump):
+ - Switch to default constructor syntax.
+ - Provide defaults for instance variables.
+
+2020-09-03 Ross Kirsling
+
+ [JSC] Add missing detached buffer errors for DataView
+ https://bugs.webkit.org/show_bug.cgi?id=216062
+
+ Reviewed by Yusuke Suzuki.
+
+ DataView methods are often expected to throw a TypeError if the underlying ArrayBuffer is detached
+ (or neutered, in older terminology) -- this patch adds a slew of missing cases from the following spec section:
+ - https://tc39.es/ecma262/#sec-properties-of-the-dataview-prototype-object
+
+ At the same time:
+ - get rid of JSDataView::getOwnPropertySlot, which was turning dataViewProtoGetterByte{Length,Offset}
+ into mostly unreachable code and erroneously causing byte{Length,Offset} to have property descriptors
+ - perform some simple cleanup of neighboring error calls / messages
+ - fix value of DataView.length (our only other DataView spec bug)
+
+ * runtime/JSDataView.cpp:
+ (JSC::JSDataView::create):
+ (JSC::JSDataView::getOwnPropertySlot): Deleted.
+ * runtime/JSDataView.h:
+ * runtime/JSDataViewPrototype.cpp:
+ (JSC::getData):
+ (JSC::setData):
+ (JSC::dataViewProtoGetterByteLength):
+ (JSC::dataViewProtoGetterByteOffset):
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::JSGenericTypedArrayViewConstructor::finishCreation):
+
+2020-09-02 Michael Saboff
+
+ ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=216103
+
+ Reviewed by Saam Barati.
+
+ Changed the ASSERT to an if statement. This checks to see if, the likely newly changed,
+ property is still a custom getter setter before caching its access as such.
+
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ (JSC::generateConditionsForPrototypePropertyHitCustom):
+ * tools/JSDollarVM.cpp: Added test helper function.
+ +2020-09-01 Yusuke Suzuki + + Skip fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html if Gigacage is not enabled + https://bugs.webkit.org/show_bug.cgi?id=216043 + + + Reviewed by Mark Lam. + + * tools/JSDollarVM.cpp: + (JSC::functionIsGigacageEnabled): + (JSC::JSDollarVM::finishCreation): + +2020-08-31 Mark Lam + + Remove some PtrTag debugging code from release builds. + https://bugs.webkit.org/show_bug.cgi?id=216025 + + + Reviewed by Saam Barati. + + Removed PtrTag name lookup debugging utility from release builds. + + * runtime/JSCPtrTag.cpp: + * runtime/JSCPtrTag.h: + +2020-09-01 Carlos Garcia Campos + + [Linux] Web Inspector: show per thread cpu usage + https://bugs.webkit.org/show_bug.cgi?id=215883 + + Reviewed by Adrian Perez de Castro. + + Remove platform specific getter machThread() and add thread() to return the Thread instead. The caller knows how + to get the machThread or id from a Thread. + + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::reportTopBytecodes): + (JSC::SamplingProfiler::machThread): Deleted. + * runtime/SamplingProfiler.h: + (JSC::SamplingProfiler::thread): + +2020-08-31 Yusuke Suzuki + + [JSC] StructureStubInfo / CallLinkInfo / ByValInfo should set CodeOrigin or BytecodeIndex at construction + https://bugs.webkit.org/show_bug.cgi?id=215987 + + + Reviewed by Mark Lam. + + We had race condition during construction of StructureStubInfo and CodeOrigin field setting. + + 1. The thread creates StructureStubInfo by calling CodeBlock::addStubInfo. This is guarded by the lock. But at this point we are not setting StructureStubInfo::codeOrigin. + 2. Then (1)'s thread attempts to set StructureStubInfo::codeOrigin. But at this point, it is not guarded by the lock. + 3. Before (2) is executed, DFG ByteCodeParser calls CodeBlock::getICStatusMap. It creates HashMap. + 4. Since StructureStubInfo*'s codeOrigin is not configured yet, (3) sees invalid CodeOrigin. 
And storing invalid CodeOrigin as a HashMap key is not correct. + + We should configure CodeOrigin at construction of StructureStubInfo, which is guarded by the lock. We have the same problem for CallLinkInfo and ByValInfo. This patch fixes them. + To reproduce this, we need to execute a script 2~ days repeatedly. So it is difficult to add a test. + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/ByValInfo.h: + (JSC::ByValInfo::ByValInfo): + (JSC::ByValInfo::setUp): + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::CallLinkInfo): + * bytecode/CallLinkInfo.h: + (JSC::CallLinkInfo::setUpCall): + (JSC::CallLinkInfo::setCodeOrigin): Deleted. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::addStubInfo): + (JSC::CodeBlock::addByValInfo): + (JSC::CodeBlock::addCallLinkInfo): + * bytecode/CodeBlock.h: + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::StructureStubInfo): + * bytecode/StructureStubInfo.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + * jit/JIT.cpp: + (JSC::JIT::link): + * jit/JITCall.cpp: + (JSC::JIT::compileCallEvalSlowCase): + (JSC::JIT::compileOpCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileCallEvalSlowCase): + (JSC::JIT::compileOpCall): + * jit/JITInlineCacheGenerator.cpp: + (JSC::garbageStubInfo): + (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_has_indexed_property): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_has_indexed_property): + * jit/JITPropertyAccess.cpp: 
+ (JSC::JIT::emit_op_put_by_val): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_by_val): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + +2020-08-30 Yusuke Suzuki + + [JSC] @defaultPromiseThen fast path should check species constructor + https://bugs.webkit.org/show_bug.cgi?id=215996 + + Reviewed by Ross Kirsling. + + When executing @defaultPromiseThen fast path, we assumed that this execution is not observable. + This is wrong only for species constructor part: this @@species access & derived constructor calls + can be observable. In this patch, + + 1. We extract part of Promise#then as @performPromiseThen, which corresponds to the spec's PerformPromiseThen. + 2. In promise fast path, we check @speciesConstructor is @Promise or @InternalPromise. If it is not, then we go to the slow path. + + This fixes Promise#finally failures in test262. + + * builtins/PromiseOperations.js: + (globalPrivate.promiseResolveThenableJobFast): + (globalPrivate.promiseResolveThenableJobWithoutPromiseFast): + (globalPrivate.promiseResolveThenableJobWithDerivedPromise): + (onFulfilled): + (onRejected): + (globalPrivate.performPromiseThen): + * builtins/PromisePrototype.js: + (then): + (onFulfilled): Deleted. + (onRejected): Deleted. + +2020-08-30 Yusuke Suzuki + + [JSC] Use -2 for grouping options in IntlRelativeTimeFormat + https://bugs.webkit.org/show_bug.cgi?id=215984 + + Reviewed by Ross Kirsling. + + Several test262 tests are failing after ICU 67. This is because Intl.RelativeTimeFormat is not using locale-sensitive grouping option. + There are hidden option -2 for UNumberFormat. It is supported so long, but it is not explicitly documented. After ICU 68, it is exposed as a constant, + we should pass -2 to UNumberFormat's grouping options to use locale-sensitive grouping option here. 
+ + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): + +2020-08-30 Yusuke Suzuki + + [JSC] async function cannot appear in single-statement context + https://bugs.webkit.org/show_bug.cgi?id=215993 + + Reviewed by Darin Adler. + + The following code is syntax error[1] because ExpressionStatement has `async [no LineTerminator here] function` lookahead. + + if (false) + async function t() { } + + [1]: https://tc39.es/ecma262/#sec-expression-statement + + * parser/Parser.cpp: + (JSC::Parser::parseStatement): + (JSC::Parser::maybeParseAsyncFunctionDeclarationStatement): Deleted. + * parser/Parser.h: + +2020-08-29 Yusuke Suzuki + + [JSC] `let [` sequence cannot appear in ExpressionStatement context + https://bugs.webkit.org/show_bug.cgi?id=215977 + + Reviewed by Ross Kirsling. + + Because of ambiguity between destructuring assignment and member access (let IDENTIFIER), ECMA262 does not allow `let [` sequence in ExpressionStatement context[1]. + We should throw SyntaxError when we see something like this. + + if (false) + let [ok] = [42]; + + [1]: https://tc39.es/ecma262/#sec-expression-statement + + * parser/Parser.cpp: + (JSC::Parser::parseStatement): + +2020-08-29 Yusuke Suzuki + + [JSC] for-of uses AssignmentExpression while for-in uses Expression + https://bugs.webkit.org/show_bug.cgi?id=215975 + + Reviewed by Ross Kirsling. + + While for-in uses Expression, for-of and for-await-of use AssignmentExpression which does not accept comma-expression. + We should align our implementation to that. 
+ + for (LeftHandSideExpression in Expression) Statement + for (LeftHandSideExpression of AssignmentExpression) Statement + for await(LeftHandSideExpression of AssignmentExpression) Statement + + * parser/Parser.cpp: + (JSC::Parser::parseForStatement): + +2020-08-28 Yusuke Suzuki + + [JSC] for-of / for-in left-hand-side target should be simple-assignment-target + https://bugs.webkit.org/show_bug.cgi?id=215969 + + Reviewed by Ross Kirsling. + + Left-hand-side of `for-in`, `for-of`, and `for-await-of` should be simple assignment target[1] + if the target is not declaration and not destructuring pattern. + + [1]: https://tc39.es/ecma262/#sec-for-in-and-for-of-statements-static-semantics-early-errors + + * parser/Parser.cpp: + (JSC::Parser::parseForStatement): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createCommaExpr): Should return CommaExpr to align it to ASTBuilder. + (JSC::SyntaxChecker::appendToCommaExpr): + (JSC::SyntaxChecker::appendStatement): + (JSC::SyntaxChecker::combineCommaNodes): Deleted since it is not used. + +2020-08-28 Yusuke Suzuki + + [JSC] Implement Intl.DateTimeFormat dayPeriod + https://bugs.webkit.org/show_bug.cgi?id=215839 + + Reviewed by Ross Kirsling. + + This patch implements Intl.DateTimeFormat dayPeriod option[1]. We can use "narrow", "short", or "long" for dayPeriod, + and it determines how "AM" etc. is represented. 
+ + [1]: https://github.com/tc39/ecma402/pull/346 + + * builtins/DatePrototype.js: + (toLocaleString.toDateTimeOptionsAnyAll): + (toLocaleString): + (toLocaleTimeString.toDateTimeOptionsTimeTime): + (toLocaleTimeString): + * bytecode/BytecodeIntrinsicRegistry.cpp: + (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): + * bytecode/BytecodeIntrinsicRegistry.h: + * runtime/CommonIdentifiers.h: + * runtime/IntlDateTimeFormat.cpp: + (JSC::toDateTimeOptionsAnyDate): + (JSC::IntlDateTimeFormat::setFormatsFromPattern): + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + (JSC::IntlDateTimeFormat::dayPeriodString): + (JSC::IntlDateTimeFormat::resolvedOptions const): + * runtime/IntlDateTimeFormat.h: + * runtime/OptionsList.h: + +2020-08-28 Yusuke Suzuki + + [JSC] super property with new should be accepted + https://bugs.webkit.org/show_bug.cgi?id=215966 + + Reviewed by Ross Kirsling. + + While we should reject `new super` / `new super()`, we should accept `new super.property`. + https://tc39.es/ecma262/#prod-SuperProperty is a child production of https://tc39.es/ecma262/#prod-MemberExpression, + unlike https://tc39.es/ecma262/#prod-SuperCall. So `new` should accept SuperProperty (e.g. `super.xxx`). + + * parser/Parser.cpp: + (JSC::Parser::parseMemberExpression): + +2020-08-28 Yusuke Suzuki + + [JSC] `new import.meta()` is acceptable + https://bugs.webkit.org/show_bug.cgi?id=215915 + + Reviewed by Ross Kirsling. + + `new import.meta()` is valid in terms of syntax while it throws runtime error. + We should accept this code, while `new import()` is not correct syntax. + + * parser/Parser.cpp: + (JSC::Parser::parseMemberExpression): + +2020-08-27 Alexey Shvayka + + __proto__ in object literal should perform [[SetPrototypeOf]] directly + https://bugs.webkit.org/show_bug.cgi?id=215769 + + Reviewed by Ross Kirsling. 
+ + To fix __proto__ usage in object literals if Object.prototype.__proto__ is overridden + or removed, this patch sets the [[Prototype]] directly, aligning JSC with V8 and + SpiderMonkey. We are safe to skip method table lookups and cycle checks, as the + spec [1] calls [[SetPrototypeOf]] on newly created (unreferenced) ordinary objects. + + This change removes PropertyNode::PutType because its only purpose was to accomodate + __proto__ in object literals. Since emitPutConstantProperty() handles static public + class fields, which don't need `super` binding, PropertyNode::isUnderscoreProtoSetter() + is extended to reject class properties. + + This patch speeds up creating object literals with __proto__ by 25%. + + [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers (step 7.a) + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitDirectPutById): + (JSC::BytecodeGenerator::emitDirectSetPrototypeOf): + 1. Remove unused `dst` parameter to align with other `put` methods. + 2. Remove `divot*` parameters as it's cumbersome to pass them through, + and globalFuncSetPrototypeDirect() never throws anyway. + + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitPutConstantProperty): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate): + (JSC::ClassExprNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createGetterOrSetterProperty): + (JSC::ASTBuilder::createProperty): + (JSC::ASTBuilder::isUnderscoreProtoSetter const): + * parser/NodeConstructors.h: + (JSC::PropertyNode::PropertyNode): + * parser/Nodes.h: + * parser/Parser.cpp: + (JSC::Parser::parseClass): + (JSC::Parser::parseProperty): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createProperty): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncSetPrototypeDirect): + 1. 
Ignore a prototype value of incorrect type as per spec [1], + which is unobservable for call sites in ClassExprNode::emitBytecode(). + 2. Assert that JSObject::setPrototypeDirect() doesn't throw. + +2020-08-27 Yusuke Suzuki + + [JSC] setLength in Array#push could get very large length + https://bugs.webkit.org/show_bug.cgi?id=215897 + + + Reviewed by Keith Miller. + + Array#push can get length larger than UINT32_MAX. And in this case, we should throw a RangeError. + Before r266215, it was using putLength which throws an error. But it was replaced with setLength, + and JSC::setLength assumes that it never gets a length greater than UINT32_MAX by asserting. We + should fix it so that Array#push should thrown an error correctly. + + * runtime/ArrayPrototype.cpp: + (JSC::setLength): + +2020-08-27 Saam Barati + + GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined + https://bugs.webkit.org/show_bug.cgi?id=215894 + + + Reviewed by Michael Saboff and Keith Miller. + + GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no + BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined(). + The constant folding for this though was folding to jsUndefined(). I forgot + to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain + implementation. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2020-08-27 Keith Miller + + structureOrNull should take VM instead of getting it from the marked block + https://bugs.webkit.org/show_bug.cgi?id=215899 + + Reviewed by Yusuke Suzuki. + + It's slightly faster use an existing VM over recomputing the address. It probably doesn't + happen to matter here for performance but it's good hygiene. 
+ + * API/tests/JSWrapperMapTests.mm: + (+[JSWrapperMapTests testStructureIdentity]): + * jit/JITOperations.cpp: + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::structureOrNull const): + (JSC::JSValue::structureOrUndefined const): Deleted. + +2020-08-27 Yusuke Suzuki + + [JSC] Use auxiliary memory for JSBigInt storage + https://bugs.webkit.org/show_bug.cgi?id=215876 + + Reviewed by Mark Lam. + + This makes JSBigInt non-destructible cell. And it makes allocating JSBigInt from JIT easy. + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::JSBigInt): + (JSC::JSBigInt::visitChildren): + (JSC::JSBigInt::createWithLength): + (JSC::JSBigInt::destroy): Deleted. + * runtime/JSBigInt.h: + * runtime/VM.cpp: + (JSC::VM::VM): + +2020-08-27 Keith Miller + + OSR availability validation should run for any node with exitOK + https://bugs.webkit.org/show_bug.cgi?id=215672 + + Reviewed by Saam Barati. + + Currently we only validate OSR exit availability if a node would + say `mayExit(graph, node) != DoesNotExit` and the node is marked + as exitOK. However, it would be perfectly valid to insert a node + that exits anywhere we have a node marked exitOK. So with this + patch we now validate all places where it would ever be possible + to OSR exit. + + Relaxing our criteria revealed a number of bugs however. Which I + will describe below in, IMO, increasing complexity/subtly. + + First, we currently don't mark arity fixup during inlining as not + exitOK. However, since our arity code says its code origin is + OpEnter, we assume arity fixup has already happened. + + Second, OpGetScope, should not mark its first argument as used + since it's not actually used. This is problematic because we could + have a loop where OpGetScope is the first bytecode, namely when + doing tail recursive inlining. If we were in that position, there + could be a local that was used at a merge point at the loop + backedge that had two MovHint defs from both predecessors. 
In DFG + IR this would look like: + + BB#1: + @1: MovHint(Undefined, loc1) + ... + Jump(#2) + + BB#2: + ... // loc1 is live here in bytecode + @2: MovHint(@scopeObject, loc1) + @3: SetLocal(@scopeObject, loc1) + Branch(#3, #4) // #4 is the successor of the tail call loop + + BB#3: + @4 MovHint(Undefined, loc1) + ... + Jump(#2) + + When we do CPS conversion the MovHints at @1 and @4 will be seen + as different variables (there's no GetLocal). Then, after, during + SSA conversion we won't insert a phi connecting them, making the + argument to OpGetScope, in this case loc1, unrecoverable there are + conflicting nodes and the value isn't saved on the stack. + + There were also issues with MovHintRemoval Phase but rather than + fix them we opted to just remove the phase as it didn't show any + performance impact. I'll describe the issues I found below for + completeness, however. + + Third, MovHint removal phase had a bug where it would not mark + sections where a zombied MovHint has yet to be killed as not + exitOK. So in theory another phase could come along and insert an + exiting node there. + + Fourth, MovHint removal phase had a second bug where a MovHint + that was not killed in the current block would be zombied, which + is wrong for SSA. It's wrong because the MovHinted value could + still be live for OSR exit in a successor block. + + Lastly, this patch adds some new verbose options as well as the ability to + dump a DFG::BasicBlock without dereferencing it. 
+ + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + * dfg/DFGBasicBlock.cpp: + (WTF::printInternal): + * dfg/DFGBasicBlock.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::inlineCall): + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::propagatePhis): + * dfg/DFGEpoch.h: + (JSC::DFG::Epoch::operator bool const): + * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: + (JSC::DFG::OSRAvailabilityAnalysisPhase::run): + * dfg/DFGSSACalculator.cpp: + (JSC::DFG::SSACalculator::dump const): + +2020-08-27 Keith Miller + + JSClassRef should work with JS class syntax. + https://bugs.webkit.org/show_bug.cgi?id=215047 + + Reviewed by Darin Adler. + + This is done by checking if value returned by the + callAsConstructor parameter to JSObjectMakeConstructor returns an + object allocated as the jsClass parameter. When that happens we + replace the prototype of the returned object with the prototype of + the new.target. Ideally we would have passed the derived classes + constructor from the beginning of our support for JS subclassing + but at this point that's probably not compatible with too many + applications. + + * API/APICallbackFunction.h: + (JSC::APICallbackFunction::construct): + * API/JSObjectRef.h: + * API/tests/testapi.cpp: + (APIString::APIString): + (TestAPI::markedJSValueArrayAndGC): + (TestAPI::classDefinitionWithJSSubclass): + (testCAPIViaCpp): + * API/tests/testapi.mm: + (testObjectiveCAPI): + +2020-08-26 Alexey Shvayka + + Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject() + https://bugs.webkit.org/show_bug.cgi?id=144457 + + Reviewed by Saam Barati. + + This patch refactors jsTypeofIsObject(), leveraging fast path of isCallable(), + moves it to the header, and utilizes it in operationTypeOfIsObject() & DFG AI + (minding concurrency) to eliminate code duplication. + + Also, removes orphaned slow_path_is_object declaration. + + No behavior change, `typeof` microbenchmarks are neutral. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGOperations.cpp: + * runtime/CommonSlowPaths.h: + * runtime/Operations.cpp: + (JSC::jsTypeofIsObject): Deleted. + * runtime/Operations.h: + (JSC::jsTypeofIsObjectWithConcurrency): + (JSC::jsTypeofIsObject): + +2020-08-26 Alexey Shvayka + + Merge putLength() into setLength() + https://bugs.webkit.org/show_bug.cgi?id=211279 + + Reviewed by Darin Adler and Saam Barati. + + This patch: + + 1. Replaces all putLength() call sites with setLength(), saving two JSValue + instantiations in arrayProtoFuncPop() and two in arrayProtoFuncShift(). + + 2. Merges putLength() into setLength(), removing superfluous put() call for + JSArray. Also, performs put() in strict mode to preserve the original + error messages, like ones in ProxyObject::performPut(). + + 3. Inlines performPop(), which avoided an extra index check and Identifier + creation, as it was on the slow path anyway (note JSArray::pop() call). + + This change advances provided setLength()-heavy microbenchmark by ~40%, + while existing Array tests are neutral. + + * runtime/ArrayPrototype.cpp: + (JSC::setLength): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncUnShift): + (JSC::putLength): Deleted. + +2020-08-26 Saam Barati + + Make isIndex use MAX_ARRAY_INDEX + https://bugs.webkit.org/show_bug.cgi?id=215872 + + Reviewed by Darin Adler. + + It's already written in such a way where it relies on what MAX_ARRAY_INDEX + is defined as. But instead of MAX_ARRAY_INDEX, the function was hardcoding + MAX_ARRAY_INDEX + 1. + + * runtime/Identifier.h: + (JSC::isIndex): + +2020-08-26 Alexey Shvayka + + Use unsigned type for `length` of JSFunction + https://bugs.webkit.org/show_bug.cgi?id=215870 + + Reviewed by Darin Adler. + + Since the `length` value of a built-in function is its arity, + we can communicate it's always non-negative via method signatures. 
+ + No behavior change: `length` values redefined by user code are unaffected. + + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined): + * runtime/InternalFunction.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::create): + (JSC::JSFunction::finishCreation): + * runtime/JSFunction.h: + * runtime/JSNativeStdFunction.cpp: + (JSC::JSNativeStdFunction::finishCreation): + (JSC::JSNativeStdFunction::create): + * runtime/JSNativeStdFunction.h: + +2020-08-26 Yusuke Suzuki + + [JSC] Enable Intl.Segmenter + https://bugs.webkit.org/show_bug.cgi?id=215854 + + Reviewed by Ross Kirsling. + + This is already stage-3 and all the features are implemented. Let's just enable it. + + * runtime/IntlObject.cpp: + (JSC::IntlObject::finishCreation): + * runtime/OptionsList.h: + +2020-08-26 Yusuke Suzuki + + [JSC] Add ASCII comparison fast path for IntlCollator + https://bugs.webkit.org/show_bug.cgi?id=215798 + + Reviewed by Darin Adler, Ross Kirsling, and Saam Barati. + + The idea behind this change is the following: ICU Collator's comparison is too slow. We should have fast path for ASCII strings when we know this equals to ICU Collator's result. + The problem is that even for ASCII strings, collation is super complicated! + + 1. Unicode defines Unicode Collation Algorithm (UCA). To perform collation, it uses collation element tables which defines weights on various levels per code point. UCA also offers + the Default Unicode Collation Element Table (DUCET). This UCA with DUCET is used when using ICU Root Collator. + 2. UCA collation consists of rules, which defines how collation works. And ICU locales define customized collations by adding special rules to that. + 3. UCA behaves differently by using different options. + + Based on that, our observation is that some of major locales are not defining additional rules in (2). This means that they behaves the same to UCA with DUCET. 
+ This patch implements a simplified version of comparison which generates the same results for ASCII strings (excluding control characters) to UCA with DUCET. This fast path can be usable only when the following conditions are met. + + 1. The collator does not have additional rules to ICU Root Colator. + 2. The collator is using default options. + + These checks are very important since there are a lot of edge-case locales. For example, + + 1. th (Thai language) ignores punctuations (even including ASCII punctuations) by default. This is defined as ignore-punctuations option is enabled by default, so without (2)'s check, th comparison becomes wrong. + 2. There are contraction concept (multiple letters behave as a single letter). "ch" letters are ordered interestingly in Czech language. So even in ASCII, Czech shows very interesting collation behavior. + + So we cannot safely take this fast path without carefully querying the information to ICU. + + This shows 37% improvement in JetStream2/cdjs in en-US environment. + + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::initializeCollator): + (JSC::IntlCollator::compareStrings const): + (JSC::canDoASCIIUCADUCETComparisonWithUCollator): + (JSC::IntlCollator::updateCanDoASCIIUCADUCETComparison const): + (JSC::IntlCollator::checkICULocaleInvariants): + * runtime/IntlCollator.h: + * runtime/IntlObject.cpp: + (JSC::intlCollatorAvailableLocales): + * runtime/IntlObject.h: + * runtime/IntlObjectInlines.h: + (JSC::canUseASCIIUCADUCETComparison): + (JSC::compareASCIIWithUCADUCET): + +2020-08-26 Yusuke Suzuki + + [JSC] Implement Intl.DateTimeFormat fractionalSecondDigits + https://bugs.webkit.org/show_bug.cgi?id=215840 + + Reviewed by Ross Kirsling. + + This patch implements fractionalSecondDigits option for Intl.DateTimeFormat. If it is + specified, milliseconds in N digits are represented in the formatted output. + This extension is about to be merged into the spec[1]. 
SpiderMonkey and V8 support it, + and V8 shipped it without flags. + + [1]: https://github.com/tc39/ecma402/pull/347 + + * builtins/DatePrototype.js: + (toLocaleString.toDateTimeOptionsAnyAll): + (toLocaleString): + (toLocaleTimeString.toDateTimeOptionsTimeTime): + (toLocaleTimeString): + * runtime/CommonIdentifiers.h: + * runtime/IntlDateTimeFormat.cpp: + (JSC::toDateTimeOptionsAnyDate): + (JSC::IntlDateTimeFormat::setFormatsFromPattern): + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + (JSC::IntlDateTimeFormat::resolvedOptions const): + (JSC::partTypeString): + * runtime/IntlDateTimeFormat.h: + +2020-08-25 Yusuke Suzuki + + [JSC] FTL should use m_origin instead of m_node->origin since m_node can be nullptr + https://bugs.webkit.org/show_bug.cgi?id=215833 + + Reviewed by Mark Lam. + + While we are using m_node->origin, m_node can be nullptr (at the entry of the FTL function). + m_origin is always pointing appropriate origin. We should use it instead. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): + (JSC::FTL::DFG::LowerDFGToB3::compileToThis): + (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): + (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): + (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): + (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): + (JSC::FTL::DFG::LowerDFGToB3::compileStrCat): + (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): + (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): + (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): + (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): + (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs): + (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): + (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): + (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom): + (JSC::FTL::DFG::LowerDFGToB3::compileArithRound): + (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor): + (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil): + (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc): + 
(JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt): + (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound): + (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec): + (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): + (JSC::FTL::DFG::LowerDFGToB3::compileGetById): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): + (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree): + (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty): + (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty): + (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): + (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): + (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById): + (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById): + (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): + (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): + (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): + (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): + (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): + (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): + (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): + (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments): + 
(JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
+ (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames):
+ (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
+ (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
+ (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
+ (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
+ (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
+ (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor):
+ (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
+ (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
+ (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
+ (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
+ (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
+ (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
+ (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
+ (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
+ (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
+ (JSC::FTL::DFG::LowerDFGToB3::compare):
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
+ (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
+ (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
+ (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare):
+ (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+ (JSC::FTL::DFG::LowerDFGToB3::boolify):
+ (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
+ (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
+ (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
+ (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
+ (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
+ (JSC::FTL::DFG::LowerDFGToB3::masqueradesAsUndefinedWatchpointIsStillValid):
+ (JSC::FTL::DFG::LowerDFGToB3::codeOriginDescriptionOfCallSite const):
+ (JSC::FTL::DFG::LowerDFGToB3::callCheck):
+ (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
+ * jsc.cpp:
+ (runJSC):
+ * runtime/OptionsList.h:
+
+2020-08-25 Devin Rousso
+
+ Web Inspector: breakpoint condition should be evaluated before the ignore count
+ https://bugs.webkit.org/show_bug.cgi?id=215364
+
+
+ Reviewed by Joseph Pecoraro.
+
+ Previously, when pausing, `JSC::Breakpoint` would check that it's `ignoreCount` before it
+ would even attempt to evaluate it's `condition`. This meant that a `JSC::Breakpoint` with
+ a `condition` of `foo === 42` and an `ignoreCount` of `3` would ignore the first three
+ pauses and then only pause if `foo === 42`. This is likely contrary to the expectation of
+ most users (especially since the `condition` input is before the `ignoreCount` input in
+ the Web Inspector frontend UI) in that they would probably expect to ignore the first
+ three pauses if `foo === 42`.
+
+ * debugger/Breakpoint.cpp:
+ (JSC::Breakpoint::shouldPause):
+
+2020-08-25 Alexey Shvayka
+
+ Invalid early error for object literal method named "__proto__"
+ https://bugs.webkit.org/show_bug.cgi?id=215760
+
+ Reviewed by Ross Kirsling.
+
+ According to Annex B [1], `{ __proto__: null, __proto__() {} }` is a valid object literal as the second
+ `__proto__` wasn't obtained from `PropertyDefinition : PropertyName : AssignmentExpression` production.
+ Currently, JSC throws an early SyntaxError, unlike V8 and SpiderMonkey.
+
+ Since a method needs `super` binding, the most straightforward fix would be adding SuperBinding field
+ to SyntaxChecker::Property and exposing it via an accessor. However, given that Property is a very
+ common structure, this approach would noticeably increase memory pressure during parsing.
+
+ Instead, this patch reworks SyntaxChecker::Property to accept `isUnderscoreProtoSetter` parameter,
+ removing optional `name` field, its accessor, and shouldCheckPropertyForUnderscoreProtoDuplicate(),
+ which reduces sizeof(SyntaxChecker::Property) by a factor of 8: from 16 to 2 bytes.
+ Also, this change avoids two extra makeNumericIdentifier() calls, speeding up numeric keys parsing.
+
+ This approach is feasible because "__proto__" is the only identifier-based early error for object
+ literals [2], with no such errors being added in upcoming stage 2-4 proposals.
+
+ Additionally, this patch removes `strict` / `complete` bool parameter from {parse,create}Property()
+ signatures as a) it was always `true`, b) is now unused, and c) strict mode can be checked via scope.
+
+ [1]: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers
+ [2]: https://tc39.es/ecma262/#sec-object-initializer-static-semantics-early-errors
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createGetterOrSetterProperty):
+ (JSC::ASTBuilder::createProperty):
+ (JSC::ASTBuilder::isUnderscoreProtoSetter const):
+ (JSC::ASTBuilder::getName const): Deleted.
+ * parser/Nodes.h:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseClass):
+ (JSC::Parser::parseProperty):
+ (JSC::Parser::parseGetterSetter):
+ (JSC::Parser::parseObjectLiteral):
+ (JSC::Parser::shouldCheckPropertyForUnderscoreProtoDuplicate): Deleted.
+ * parser/Parser.h:
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::SyntaxChecker):
+ (JSC::SyntaxChecker::Property::Property):
+ (JSC::SyntaxChecker::Property::operator!):
+ (JSC::SyntaxChecker::createProperty):
+ (JSC::SyntaxChecker::createGetterOrSetterProperty):
+ (JSC::SyntaxChecker::operatorStackPop):
+
+2020-08-25 Yusuke Suzuki
+
+ [JSC] Add concurrency-aware version of isCallable / isConstructor to make it usable in DFG compiler
+ https://bugs.webkit.org/show_bug.cgi?id=215746
+
+ Reviewed by Saam Barati.
+
+ This patch adds isCallableWithConcurrency and isConstructorWithConcurrency to JSCell, JSValue etc.
+ This can work even if it is called from concurrent compiler threads. We also add jsTypeStringForValueWithConcurrency
+ and jsTypeofIsFunctionWithConcurrency which are using the above WithConcurrency functionalities.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * runtime/Concurrency.h: Added.
+ (WTF::printInternal):
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::finishCreation):
+ (JSC::InternalFunction::getCallData):
+ (JSC::InternalFunction::getConstructData):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::isCallableWithConcurrency const):
+ (JSC::JSValue::isConstructorWithConcurrency const):
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::isCallableWithConcurrency):
+ (JSC::JSCell::isConstructorWithConcurrency):
+ (JSC::JSCell::isCallable):
+ (JSC::JSCell::isConstructor):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::finishCreation):
+ (JSC::JSFunction::getCallData):
+ (JSC::JSFunction::getConstructData):
+ * runtime/NumberPrototype.cpp:
+ (JSC::throwVMToThisNumberError):
+ * runtime/Operations.cpp:
+ (JSC::jsTypeStringForValueWithConcurrency):
+ (JSC::jsTypeStringForValue): Deleted.
+ * runtime/Operations.h:
+ (JSC::jsTypeofIsFunctionWithConcurrency):
+ (JSC::jsTypeStringForValue):
+ (JSC::jsTypeofIsFunction):
+
+2020-08-25 Alexey Shvayka
+
+ Implementation of the class "extends" clause incorrectly uses __proto__ for setting prototypes
+ https://bugs.webkit.org/show_bug.cgi?id=205848
+
+ Reviewed by Keith Miller.
+
+ To prevent `class extends` from breaking if Object.prototype.__proto__ is overridden
+ or removed, this patch replaces OpPutById bytecodes in ClassExprNode::emitBytecode()
+ with JSObject::setPrototypeDirect() invocations via OpCall.
+
+ Since the spec sets [[Prototype]] values directly [1], we are safe to skip method
+ table lookups and cycle checks.
+
+ Although this approach adds 4 `mov` ops to emitted bytecode for `class extends` creation,
+ increasing instruction count to 35, I prefer it over introducing a slow path only op.
+ To avoid emitting 2 extra `mov` ops, globalFuncSetPrototypeDirect() uses thisRegister().
+
+ Aligns JSC with V8 and SpiderMonkey. Derived class creation microbenchmark is neutral.
+
+ [1]: https://tc39.es/ecma262/#sec-createbuiltinfunction (step 7)
+
+ * builtins/BuiltinNames.h:
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::CodeBlockBytecodeDumper::dumpConstants): Fix typo.
+ * bytecode/LinkTimeConstant.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitSetPrototypeOf):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ClassExprNode::emitBytecode):
+ * parser/Nodes.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+
+2020-08-24 Keith Miller
+
+ DFG should always run CFG Simplification after Constant Folding.
+ https://bugs.webkit.org/show_bug.cgi?id=215286
+
+ Reviewed by Robin Morisset.
+
+ We didn't do this originally because LICM, many years ago, was
+ unsound if the CFG didn't have exactly the right shape around
+ loops. This is no longer true so we don't have to worry about
+ changing the CFG anymore. While, this doesn't appear to be a
+ speedup on JetStream 2 CFG, probably because we'd eventually
+ simplify the graph in B3, CFG Simplification is very cheap and
+ make other DFG optimizations easier in the future.
+
+ Also, remove unecessary validation rule that no exitOKs can come
+ before any Phi nodes in DFG. This isn't required and fails after
+ merging two basic blocks where the latter block has a Phi.
+
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGValidate.cpp:
+
+2020-08-24 Keith Miller
+
+ Remove MovHintRemoval phase
+ https://bugs.webkit.org/show_bug.cgi?id=215785
+
+ Reviewed by Saam Barati.
+
+ The MovHintRemoval phase doesn't play nicely with our OSR
+ Availability. Specifically, it needs to do a tricky dance where it
+ marks all the live ranges of the ZombieHints as not
+ exitOK. There's also an issue because we treated unused locals as
+ kill in this block, which is wrong for SSA when a MovHint is
+ used in another block. Since removing MovHintRemoval isn't a
+ performance regression, we are removing it rather than fixing bugs
+ related to it. Relatedly, since the only place we produce
+ ZombieHints is MovHintRemoval this patch also removes that node
+ type.
+
+ * Sources.txt:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGClobbersExitState.cpp:
+ (JSC::DFG::clobbersExitState):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGMovHintRemovalPhase.cpp: Removed.
+ * dfg/DFGMovHintRemovalPhase.h: Removed.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::containsMovHint):
+ (JSC::DFG::Node::hasUnlinkedOperand):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+ * dfg/DFGPhantomInsertionPhase.cpp:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMovHint):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGVarargsForwardingPhase.cpp:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ * runtime/OptionsList.h:
+
+2020-08-24 Devin Rousso
+
+ Web Inspector: rename `ScriptDebugServer` subclasses/methods
+ https://bugs.webkit.org/show_bug.cgi?id=215363
+
+
+ Reviewed by Brian Burg.
+
+ r266074 merged `Inspector::ScriptDebugServer` into `JSC::Debugger`. All subclasses and
+ functions should be renamed to match this change.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * inspector/InspectorEnvironment.h:
+ * inspector/JSGlobalObjectDebugger.h: Renamed from Source/JavaScriptCore/inspector/JSGlobalObjectScriptDebugServer.h.
+ * inspector/JSGlobalObjectDebugger.cpp: Renamed from Source/JavaScriptCore/inspector/JSGlobalObjectScriptDebugServer.cpp.
+ * inspector/JSGlobalObjectInspectorController.h:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ * inspector/agents/InspectorAuditAgent.h:
+ * inspector/agents/InspectorAuditAgent.cpp:
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ * inspector/agents/InspectorScriptProfilerAgent.cpp:
+ * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
+ * inspector/remote/RemoteInspectionTarget.cpp:
+ * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
+
+2020-08-24 Devin Rousso
+
+ Web Inspector: allow event breakpoints to be configured
+ https://bugs.webkit.org/show_bug.cgi?id=215362
+
+
+ Reviewed by Brian Burg.
+
+ This allows developers to do things like:
+ - only pause when `window.event.type` is a certain value
+ - ignore the first N pauses
+ - evaluate JavaScript whenever an event listener is invoked without pausing
+
+ * inspector/protocol/DOM.json:
+ Add an `options` paramater to `DOM.setBreakpointForEventListener` to allow configuration.
+
+ * inspector/protocol/DOMDebugger.json:
+ Add an `options` paramater to `DOMDebugger.setEventBreakpoint` to allow configuration.
+
+ * debugger/Breakpoint.h:
+ (JSC::Breakpoint::id const): Added.
+ (JSC::Breakpoint::sourceID const): Added.
+ (JSC::Breakpoint::lineNumber const): Added.
+ (JSC::Breakpoint::columnNumber const): Added.
+ (JSC::Breakpoint::condition const): Added.
+ (JSC::Breakpoint::actions const): Added.
+ (JSC::Breakpoint::isAutoContinue const): Added.
+ (JSC::Breakpoint::resetHitCount): Added.
+ (JSC::Breakpoint::isLinked const): Added.
+ (JSC::Breakpoint::isResolved const): Added.
+ (JSC::BreakpointsList::~BreakpointsList): Deleted.
+ * debugger/Breakpoint.cpp: Added.
+ (JSC::Breakpoint::Action::Action): Added.
+ (JSC::Breakpoint::create): Added.
+ (JSC::Breakpoint::Breakpoint): Added.
+ (JSC::Breakpoint::link): Added.
+ (JSC::Breakpoint::resolve): Added.
+ (JSC::Breakpoint::shouldPause): Added.
+ Unify `JSC::Breakpoint` and `Inspector::ScriptBreakpoint`.
+
+ * debugger/DebuggerPrimitives.h:
+ * debugger/Debugger.h:
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::Debugger):
+ (JSC::Debugger::addObserver): Added.
+ (JSC::Debugger::removeObserver): Added.
+ (JSC::Debugger::canDispatchFunctionToObservers const): Added.
+ (JSC::Debugger::dispatchFunctionToObservers): Added.
+ (JSC::Debugger::sourceParsed): Added.
+ (JSC::Debugger::toggleBreakpoint):
+ (JSC::Debugger::applyBreakpoints):
+ (JSC::Debugger::resolveBreakpoint):
+ (JSC::Debugger::setBreakpoint):
+ (JSC::Debugger::removeBreakpoint):
+ (JSC::Debugger::didHitBreakpoint): Added.
+ (JSC::Debugger::clearBreakpoints):
+ (JSC::Debugger::evaluateBreakpointCondition): Added.
+ (JSC::Debugger::evaluateBreakpointActions): Added.
+ (JSC::Debugger::schedulePauseAtNextOpportunity): Added.
+ (JSC::Debugger::cancelPauseAtNextOpportunity): Added.
+ (JSC::Debugger::schedulePauseForSpecialBreakpoint): Added.
+ (JSC::Debugger::cancelPauseForSpecialBreakpoint): Added.
+ (JSC::Debugger::continueProgram):
+ (JSC::Debugger::stepNextExpression):
+ (JSC::Debugger::stepIntoStatement):
+ (JSC::Debugger::stepOverStatement):
+ (JSC::Debugger::stepOutOfFunction):
+ (JSC::Debugger::pauseIfNeeded):
+ (JSC::Debugger::handlePause): Added.
+ (JSC::Debugger::exceptionOrCaughtValue): Added.
+ (JSC::Debugger::atExpression):
+ (JSC::Debugger::clearNextPauseState):
+ (JSC::Debugger::willRunMicrotask): Added.
+ (JSC::Debugger::didRunMicrotask): Added.
+ (JSC::Debugger::hasBreakpoint): Deleted.
+ (JSC::Debugger::setPauseOnNextStatement): Deleted.
+ Unify `JSC::Debugger` and `Inspector::ScriptDebugServer` to simplify breakpoint logic.
+ Introduce the concept of a "special breakpoint", which is essentially a `JSC::Breakpoint`
+ that is expected to pause at the next opportunity but isn't tied to a particular location.
+ As an example, whenever an event breakpoint is hit, instead of just pausing at the next
+ opportunity, the newly managed `JSC::Breakpoint` is used as a "special breakpoint", allowing
+ for it's configuration (ie.g. condition, ignore count, actions, auto-continue) to be used.
+
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::objectGroupForBreakpointAction):
+ (Inspector::breakpointActionTypeForString): Added.
+ (Inspector::parseBreakpointOptions): Added.
+ (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::fromPayload): Added.
+ (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::ProtocolBreakpoint): Added.
+ (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::createDebuggerBreakpoint const): Added.
+ (Inspector::InspectorDebuggerAgent::ProtocolBreakpoint::matchesScriptURL const): Added.
+ (Inspector::InspectorDebuggerAgent::debuggerBreakpointFromPayload): Added.
+ (Inspector::InspectorDebuggerAgent::enable):
+ (Inspector::InspectorDebuggerAgent::disable):
+ (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
+ (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
+ (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
+ (Inspector::buildDebuggerLocation):
+ (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
+ (Inspector::InspectorDebuggerAgent::setBreakpoint):
+ (Inspector::InspectorDebuggerAgent::didSetBreakpoint):
+ (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
+ (Inspector::InspectorDebuggerAgent::removeBreakpoint):
+ (Inspector::InspectorDebuggerAgent::continueToLocation):
+ (Inspector::InspectorDebuggerAgent::schedulePauseAtNextOpportunity): Added.
+ (Inspector::InspectorDebuggerAgent::cancelPauseAtNextOpportunity): Added.
+ (Inspector::InspectorDebuggerAgent::schedulePauseForSpecialBreakpoint): Added.
+ (Inspector::InspectorDebuggerAgent::cancelPauseForSpecialBreakpoint): Added.
+ (Inspector::InspectorDebuggerAgent::pause):
+ (Inspector::InspectorDebuggerAgent::resume):
+ (Inspector::InspectorDebuggerAgent::didBecomeIdle):
+ (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
+ (Inspector::InspectorDebuggerAgent::didParseSource):
+ (Inspector::InspectorDebuggerAgent::willRunMicrotask):
+ (Inspector::InspectorDebuggerAgent::didRunMicrotask):
+ (Inspector::InspectorDebuggerAgent::didPause):
+ (Inspector::InspectorDebuggerAgent::breakpointActionSound):
+ (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
+ (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
+ (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
+ (Inspector::matches): Deleted.
+ (Inspector::buildObjectForBreakpointCookie): Deleted.
+ (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): Deleted.
+ (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): Deleted.
+ (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement): Deleted.
+ Create a private `ProtocolBreakpoint` class that holds the data sent by the frontend. This
+ is necessary because breakpoints in the frontend have a potentially one-to-many relationship
+ with breakpoints in the backend, as the same script can be loaded many times on a page. Each
+ of those scripts is independent, however, and can execute differently, meaning that the same
+ breakpoint for each script also needs a different state (e.g. ignore count). As such, the
+ `ProtocolBreakpoint` is effectively a template that is actualized whenever a new script is
+ parsed that matches the URL of the `ProtocolBreakpoint` to create a `JSC::Breakpoint` that
+ is used by the `JSC::Debugger`. `ProtocolBreakpoint` also parses breakpoint configurations.
+
+ * inspector/InspectorEnvironment.h:
+ * inspector/JSGlobalObjectScriptDebugServer.h:
+ * inspector/JSGlobalObjectScriptDebugServer.cpp:
+ (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
+ (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
+ (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
+ (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
+ * inspector/agents/InspectorAuditAgent.h:
+ * inspector/agents/InspectorAuditAgent.cpp:
+ (Inspector::InspectorAuditAgent::run):
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::setPauseOnExceptionsState):
+ (Inspector::InspectorRuntimeAgent::evaluate):
+ (Inspector::InspectorRuntimeAgent::callFunctionOn):
+ (Inspector::InspectorRuntimeAgent::getPreview):
+ (Inspector::InspectorRuntimeAgent::getProperties):
+ (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
+ * inspector/agents/InspectorScriptProfilerAgent.cpp:
+ * inspector/agents/JSGlobalObjectDebuggerAgent.h:
+ Replace `Inspector::ScriptDebugServer` with `JSC::Debugger`.
+
+ * runtime/JSMicrotask.cpp:
+ (JSC::JSMicrotask::run):
+ Drive-by: r248894 mistakenly omitted the call to notify the debugger that the microtask ran.
+
+ * inspector/ScriptBreakpoint.h: Removed.
+ * inspector/ScriptDebugListener.h: Removed.
+ * inspector/ScriptDebugServer.h: Removed.
+ * inspector/ScriptDebugServer.cpp: Removed.
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+
+2020-08-24 Devin Rousso
+
+ Web Inspector: remove "extra domains" concept now that domains can be added based on the debuggable type
+ https://bugs.webkit.org/show_bug.cgi?id=201150
+
+
+ Reviewed by Brian Burg.
+
+ * inspector/scripts/codegen/objc_generator_templates.py:
+ * inspector/augmentable/AugmentableInspectorController.h:
+
+ * inspector/JSGlobalObjectInspectorController.h:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::connectFrontend):
+ (Inspector::JSGlobalObjectInspectorController::registerAlternateAgent): Added.
+ (Inspector::JSGlobalObjectInspectorController::appendExtraAgent): Deleted.
+
+ * inspector/InspectorAgentRegistry.h:
+ * inspector/InspectorAgentRegistry.cpp:
+ (Inspector::AgentRegistry::appendExtraAgent): Deleted.
+
+ * inspector/protocol/Inspector.json:
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorAgent.cpp:
+ (Inspector::InspectorAgent::activateExtraDomain): Deleted.
+ (Inspector::InspectorAgent::activateExtraDomains): Deleted.
+
+ * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/expected/domain-debuggableTypes.json-result:
+ * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/domain-targetTypes.json-result:
+ * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/expected/enum-values.json-result:
+ * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result:
+ * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
+ Rebase protocol tests.
+
+2020-08-23 Yusuke Suzuki
+
+ Unreviewed, wrong merge resolution between r266031 and r263837
+ https://bugs.webkit.org/show_bug.cgi?id=209774
+
+ r263837 is landed after r266031 is configured. OSS buildbots didn't catch this since they are using old ICU headers.
+
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::initializeNumberFormat):
+
+2020-08-22 Yusuke Suzuki
+
+ Unreviewed, assertion was opposite
+ https://bugs.webkit.org/show_bug.cgi?id=215058
+
+ We should ensure that this is *not* zero.
+
+ * runtime/IntlObject.cpp:
+ (JSC::parseVariantCode):
+
+2020-08-22 Yusuke Suzuki
+
+ [JSC] Implement Intl Language Tag Parser
+ https://bugs.webkit.org/show_bug.cgi?id=215058
+
+ Reviewed by Ross Kirsling and Darin Adler.
+
+ This patch adds LanguageTagParser which performs isStructurallyValidLanguageTag[1] validation precisely.
+ The spec strictly defines acceptable format as language-tag and this is not the same to ICU's one and this
+ is even tested in test262. We should have LanguageTagParser to validate the input.
+
+ [1]: https://tc39.es/ecma402/#sec-isstructurallyvalidlanguagetag
+
+ * runtime/IntlLocale.cpp:
+ (JSC::LocaleIDBuilder::initialize):
+ (JSC::IntlLocale::initializeLocale):
+ * runtime/IntlObject.cpp:
+ (JSC::canonicalizeLocaleList):
+ (JSC::parseVariantCode):
+ (JSC::convertToUnicodeSingletonIndex):
+ (JSC::isUnicodeExtensionAttribute):
+ (JSC::isUnicodeExtensionKey):
+ (JSC::isUnicodeExtensionTypeComponent):
+ (JSC::isUnicodePUExtensionValue):
+ (JSC::isUnicodeOtherExtensionValue):
+ (JSC::isUnicodeTKey):
+ (JSC::isUnicodeTValueComponent):
+ (JSC::LanguageTagParser::LanguageTagParser):
+ (JSC::LanguageTagParser::isEOS):
+ (JSC::LanguageTagParser::next):
+ (JSC::LanguageTagParser::parseUnicodeLocaleId):
+ (JSC::LanguageTagParser::parseUnicodeLanguageId):
+ (JSC::LanguageTagParser::parseUnicodeExtensionAfterPrefix):
+ (JSC::LanguageTagParser::parseTransformedExtensionAfterPrefix):
+ (JSC::LanguageTagParser::parseOtherExtensionAfterPrefix):
+ (JSC::LanguageTagParser::parsePUExtensionAfterPrefix):
+ (JSC::LanguageTagParser::parseExtensionsAndPUExtensions):
+ (JSC::isStructurallyValidLanguageTag):
+ (JSC::isUnicodeLanguageId):
+ * runtime/IntlObject.h:
+
+2020-08-22 Yusuke Suzuki
+
+ Unreviewed, workaround for old ICU headers in macOS Catalina bots
+ https://bugs.webkit.org/show_bug.cgi?id=209774
+
+ EWS and Catalina bots are inconsistent in terms of ICU header versions.
+ This patch adds a workaround which checks ICU header version too at runtime.
+
+ * tools/JSDollarVM.cpp:
+ (JSC::functionICUHeaderVersion):
+ (JSC::JSDollarVM::finishCreation):
+
+2020-08-22 Alexey Shvayka
+
+ The [[ThrowTypeError]] function object must not be extensible
+ https://bugs.webkit.org/show_bug.cgi?id=108873
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch:
+
+ 1. Sets the value of %ThrowTypeError% "name" property to the empty string,
+ as required [1] for anonymous built-in functions.
+
+ 2. Calls JSObject::freeze() on %ThrowTypeError%, making it non-extensible and
+ its "name" and "length" properties non-configurable to match the spec [2].
+
+ Both changes align JSC with V8 and SpiderMonkey.
+
+ [1]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects
+ [2]: https://tc39.es/ecma262/#sec-%throwtypeerror%
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+
+2020-08-22 Yusuke Suzuki
+
+ [ECMA-402] Intl.DateTimeFormat dateStyle/timeStyle missing in WebKit
+ https://bugs.webkit.org/show_bug.cgi?id=209776
+
+ Reviewed by Darin Adler and Ross Kirsling.
+
+ This patch implements Intl.DateTimeFormat dateStyle and timeStyle options. When it is specified,
+ we query the best date-time format with these options to ICU instead of configuring each date-time
+ formats.
+
+ Since ECMA402 requires enforcement of hourCycle specified from the option, even if ICU ignores that.
+ So, after getting the appropriate pattern from ICU, we modify this pattern and re-create UDateFormat
+ from the modified pattern.
+
+ * builtins/DatePrototype.js:
+ (toLocaleString.toDateTimeOptionsAnyAll):
+ (toLocaleString):
+ (toLocaleDateString.toDateTimeOptionsDateDate):
+ (toLocaleDateString):
+ (toLocaleTimeString.toDateTimeOptionsTimeTime):
+ (toLocaleTimeString):
+ * runtime/CommonIdentifiers.h:
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::toDateTimeOptionsAnyDate):
+ (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+ (JSC::IntlDateTimeFormat::formatStyleString):
+ (JSC::IntlDateTimeFormat::resolvedOptions const):
+ * runtime/IntlDateTimeFormat.h:
+
+2020-08-22 Yusuke Suzuki
+
+ [ECMA-402] Implement Intl.DateTimeFormat.prototype.formatRange
+ https://bugs.webkit.org/show_bug.cgi?id=209778
+
+ Reviewed by Ross Kirsling.
+
+ This patch adds Intl.DateTimeFormat#formatRange. It takes two dates, and
+ generates formatted text which represents interval between these two dates.
+ We skip the implementation of Intl.DateTimeFormat#formatRangeToParts since
+ ICU udtitvfmt_formatToResult API is not getting stable state yet. We retrieve
+ pattern from UDateFormat, get skeleton from that pattern, and construct
+ UDateIntervalFormat from this skeleton.
+
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+ (JSC::IntlDateTimeFormat::createDateIntervalFormatIfNecessary):
+ (JSC::IntlDateTimeFormat::formatRange):
+ (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator() const): Deleted.
+ * runtime/IntlDateTimeFormat.h:
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototypeFuncFormatRange):
+
+2020-08-22 Yusuke Suzuki
+
+ [JSC] Add Intl.Segmenter
+ https://bugs.webkit.org/show_bug.cgi?id=213638
+
+ Reviewed by Ross Kirsling.
+
+ This patch implements Intl.Segmenter[1]. Intl.Segmenter offers access to ICU break iterator feature, which can break strings into grapheme cluster / words / sentences.
+
+ [1]: https://github.com/tc39/proposal-intl-segmenter
+
+ * CMakeLists.txt:
+ * DerivedSources-input.xcfilelist:
+ * DerivedSources-output.xcfilelist:
+ * DerivedSources.make:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * runtime/CommonIdentifiers.h:
+ * runtime/IntlObject.cpp:
+ (JSC::createSegmenterConstructor):
+ (JSC::IntlObject::finishCreation):
+ (JSC::intlSegmenterAvailableLocales):
+ * runtime/IntlObject.h:
+ * runtime/IntlSegmentIterator.cpp: Added.
+ (JSC::IntlSegmentIterator::create):
+ (JSC::IntlSegmentIterator::createStructure):
+ (JSC::IntlSegmentIterator::IntlSegmentIterator):
+ (JSC::IntlSegmentIterator::finishCreation):
+ (JSC::IntlSegmentIterator::visitChildren):
+ (JSC::IntlSegmentIterator::next):
+ * runtime/IntlSegmentIterator.h: Added.
+ * runtime/IntlSegmentIteratorPrototype.cpp: Added.
+ (JSC::IntlSegmentIteratorPrototype::create):
+ (JSC::IntlSegmentIteratorPrototype::createStructure):
+ (JSC::IntlSegmentIteratorPrototype::IntlSegmentIteratorPrototype):
+ (JSC::IntlSegmentIteratorPrototype::finishCreation):
+ (JSC::IntlSegmentIteratorPrototypeFuncNext):
+ * runtime/IntlSegmentIteratorPrototype.h: Added.
+ * runtime/IntlSegmenter.cpp: Added.
+ (JSC::IntlSegmenter::create):
+ (JSC::IntlSegmenter::createStructure):
+ (JSC::IntlSegmenter::IntlSegmenter):
+ (JSC::IntlSegmenter::finishCreation):
+ (JSC::IntlSegmenter::initializeSegmenter):
+ (JSC::IntlSegmenter::segment const):
+ (JSC::IntlSegmenter::resolvedOptions const):
+ (JSC::IntlSegmenter::granularityString):
+ (JSC::IntlSegmenter::createSegmentDataObject):
+ * runtime/IntlSegmenter.h: Added.
+ * runtime/IntlSegmenterConstructor.cpp: Added.
+ (JSC::IntlSegmenterConstructor::create):
+ (JSC::IntlSegmenterConstructor::createStructure):
+ (JSC::IntlSegmenterConstructor::IntlSegmenterConstructor):
+ (JSC::IntlSegmenterConstructor::finishCreation):
+ (JSC::constructIntlSegmenter):
+ (JSC::callIntlSegmenter):
+ (JSC::IntlSegmenterConstructorSupportedLocalesOf):
+ * runtime/IntlSegmenterConstructor.h: Added.
+ * runtime/IntlSegmenterPrototype.cpp: Added.
+ (JSC::IntlSegmenterPrototype::create):
+ (JSC::IntlSegmenterPrototype::createStructure):
+ (JSC::IntlSegmenterPrototype::IntlSegmenterPrototype):
+ (JSC::IntlSegmenterPrototype::finishCreation):
+ (JSC::IntlSegmenterPrototypeFuncSegment):
+ (JSC::IntlSegmenterPrototypeFuncResolvedOptions):
+ * runtime/IntlSegmenterPrototype.h: Added.
+ * runtime/IntlSegments.cpp: Added.
+ (JSC::IntlSegments::create):
+ (JSC::IntlSegments::createStructure):
+ (JSC::IntlSegments::IntlSegments):
+ (JSC::IntlSegments::finishCreation):
+ (JSC::IntlSegments::containing):
+ (JSC::IntlSegments::createSegmentIterator):
+ (JSC::IntlSegments::visitChildren):
+ * runtime/IntlSegments.h: Added.
+ * runtime/IntlSegmentsPrototype.cpp: Added.
+ (JSC::IntlSegmentsPrototype::create):
+ (JSC::IntlSegmentsPrototype::createStructure):
+ (JSC::IntlSegmentsPrototype::IntlSegmentsPrototype):
+ (JSC::IntlSegmentsPrototype::finishCreation):
+ (JSC::IntlSegmentsPrototypeFuncContaining):
+ (JSC::IntlSegmentsPrototypeFuncIterator):
+ * runtime/IntlSegmentsPrototype.h: Added.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::segmentIteratorStructure):
+ (JSC::JSGlobalObject::segmenterStructure):
+ (JSC::JSGlobalObject::segmentsStructure):
+ * runtime/OptionsList.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2020-08-22 Yusuke Suzuki
+
+ [ECMA-402] Implement unified Intl.NumberFormat
+ https://bugs.webkit.org/show_bug.cgi?id=209774
+
+ Reviewed by Ross Kirsling and Darin Adler.
+
+ This patch implements updated Intl.NumberFormat. This update was proposed in [1], and integrated into ECMA-402 spec.
+ This patch adds support for missing features in the previous Intl.NumberFormat implementation. Adding "unit", "unitDisplay",
+ "signDisplay", "notation", and "currencySign". Then Intl.NumberFormat can now handle "unit" etc.
+
+ To support new features, we need to use UNumberFormatter which is available after ICU 64 (while it is offered in ICU 62, some
+ critical part are added in 64 too). So, we keep the old UNumberFormat based implementation which is used for [60, 64) since WebKit
+ currently supports ICU 60. Old implementation does not support new things. If ICU is 64 or later, Intl.NumberFormat starts using
+ UNumberFormatter, and implements all the specified features.
+
+ [1]: https://github.com/tc39/proposal-unified-intl-numberformat
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/IntlCollator.cpp:
+ (JSC::IntlCollator::UCollatorDeleter::operator() const): Deleted.
+ * runtime/IntlCollator.h: + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator() const): Deleted. + * runtime/IntlDateTimeFormat.h: + * runtime/IntlNumberFormat.cpp: + (JSC::computeCurrencyDigits): + (JSC::sanctionedSimpleUnitIdentifier): + (JSC::WellFormedUnit::WellFormedUnit): + (JSC::wellFormedUnitIdentifier): + (JSC::IntlNumberFormat::initializeNumberFormat): + (JSC::IntlNumberFormat::format const): + (JSC::IntlNumberFormat::styleString): + (JSC::IntlNumberFormat::currencyDisplayString): + (JSC::IntlNumberFormat::notationString): + (JSC::IntlNumberFormat::currencySignString): + (JSC::IntlNumberFormat::unitDisplayString): + (JSC::IntlNumberFormat::compactDisplayString): + (JSC::IntlNumberFormat::signDisplayString): + (JSC::IntlNumberFormat::resolvedOptions const): + (JSC::partTypeString): + (JSC::IntlNumberFormat::formatToPartsInternal): + (JSC::IntlNumberFormat::formatToParts const): + (JSC::IntlNumberFormat::UNumberFormatDeleter::operator() const): Deleted. + * runtime/IntlNumberFormat.h: + * runtime/IntlNumberFormatInlines.h: Added. + (JSC::setNumberFormatDigitOptions): + (JSC::IntlFieldIterator::IntlFieldIterator): + (JSC::IntlFieldIterator::next): + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::initializePluralRules): + (JSC::IntlPluralRules::resolvedOptions const): + (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const): Deleted. + (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const): Deleted. + (JSC::UEnumerationDeleter::operator() const): Deleted. + * runtime/IntlPluralRules.h: + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::formatToParts const): + (JSC::IntlRelativeTimeFormat::URelativeDateTimeFormatterDeleter::operator() const): Deleted. + (JSC::IntlRelativeTimeFormat::UNumberFormatDeleter::operator() const): Deleted. 
+ * runtime/IntlRelativeTimeFormat.h: + * tools/JSDollarVM.cpp: + (JSC::functionICUVersion): + +2020-08-21 Yusuke Suzuki + + Console object's @@toStringTag should be "console" instead of "Console" + https://bugs.webkit.org/show_bug.cgi?id=215750 + + Reviewed by Ross Kirsling. + + Use "console" instead of "Console". Now, namespace object has @@toStringTag. + https://github.com/web-platform-tests/wpt/pull/24717 + + * runtime/ConsoleObject.cpp: + +2020-08-22 Yusuke Suzuki + + [JSC] Enable Intl.DisplayNames + https://bugs.webkit.org/show_bug.cgi?id=215749 + + Reviewed by Ross Kirsling. + + Enable Intl.DisplayNames by default. This is already stage 4 and integrated into the spec. + + * runtime/IntlObject.cpp: + (JSC::IntlObject::finishCreation): + * runtime/OptionsList.h: + +2020-08-21 Alexey Shvayka + + StrictEq should not care about masqueradesAsUndefinedWatchpoint + https://bugs.webkit.org/show_bug.cgi?id=215743 + + Reviewed by Yusuke Suzuki. + + This patch removes masqueradesAsUndefinedWatchpoint handling for StrictEq + from fixupCompareStrictEqAndSameValue(), aligning it with SameValue. + + According to the spec [1], only a few language constructs special-case + [[IsHTMLDDA]] objects: ToBoolean, abstract equality, and `typeof`. + + No behavior change. + + [1]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue): + +2020-08-21 Commit Queue + + Unreviewed, reverting r265965. + https://bugs.webkit.org/show_bug.cgi?id=215744 + + getCallData can be called from DFG concurrent compiler, but it + is not safe in DOM PluginObject + + Reverted changeset: + + "Use jsTypeofIsObject() in DFG AI and + operationTypeOfIsObject()" + https://bugs.webkit.org/show_bug.cgi?id=144457 + https://trac.webkit.org/changeset/265965 + +2020-08-21 Alexey Shvayka + + Align "length" properties of function prototypes with the spec + https://bugs.webkit.org/show_bug.cgi?id=215716 + + Reviewed by Ross Kirsling. 
+ + This change defines Function.prototype.length [1] as [[Configurable]] and + removes "length" properties from other (async/generator) function prototypes + that are ordinary non-callable objects [2], aligning JSC with V8 and SpiderMonkey. + + Also, adds inherits() ASSERT in FunctionPrototype::finishCreation() + to match (most of) the other built-ins. + + [1]: https://tc39.es/ecma262/#sec-properties-of-the-function-prototype-object + [2]: https://tc39.es/ecma262/#sec-async-function-prototype-properties + + * runtime/AsyncFunctionPrototype.cpp: + (JSC::AsyncFunctionPrototype::finishCreation): + * runtime/AsyncGeneratorFunctionPrototype.cpp: + (JSC::AsyncGeneratorFunctionPrototype::finishCreation): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::finishCreation): + * runtime/GeneratorFunctionPrototype.cpp: + (JSC::GeneratorFunctionPrototype::finishCreation): + +2020-08-21 Alexey Shvayka + + Define Intl[Symbol.toStringTag] + https://bugs.webkit.org/show_bug.cgi?id=215715 + + Reviewed by Ross Kirsling. + + This patch utilizes JSC_TO_STRING_TAG_WITHOUT_TRANSITION() to define Symbol.toStringTag + on Intl namespace object, implementing the recent spec change [1] and aligning JSC with V8. + Also, adds inherits() ASSERT to match (most of) the other built-ins. + + [1]: https://github.com/tc39/ecma402/pull/487 + + * runtime/IntlObject.cpp: + (JSC::IntlObject::finishCreation): + +2020-08-21 Alexey Shvayka + + Function.prototype.bind should not clamp "length" to int32 + https://bugs.webkit.org/show_bug.cgi?id=215733 + + Reviewed by Darin Adler. + + This patch fixes to integer conversion of target function's "length" values + beyond UINT_MAX, aligning JSC with the spec [1], V8 and SpiderMonkey. + + `double` is used instead of `uint64_t` to retain semantics of JS Number type [2] + and hold Infinity values. 
To avoid spreading `double length` over JSFunction::create() + and its subclasses, JSBoundFunction is modified to use JSFunction::finishCreation(VM&) + overload, removing 2 unused arguments and speeding up bound function creation by ~9%. + + [1]: https://tc39.es/ecma262/#sec-function.prototype.bind (step 6.c.i) + [2]: https://tc39.es/ecma262/#sec-ecmascript-language-types-number-type + + * builtins/FunctionPrototype.js: + (bind): + * runtime/JSBoundFunction.cpp: + (JSC::JSBoundFunction::create): + (JSC::JSBoundFunction::JSBoundFunction): + (JSC::JSBoundFunction::finishCreation): + * runtime/JSBoundFunction.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::finishCreation): + (JSC::JSFunction::reifyLength): + * runtime/JSGlobalObject.cpp: + (JSC::makeBoundFunction): + +2020-08-20 Saam Barati + + Replace IC on Proxy must write barrier Proxy's target + https://bugs.webkit.org/show_bug.cgi?id=215720 + + Reviewed by Yusuke Suzuki. + + The put_by_id opcode in the baseline and the DFG/FTl will emit a writeBarrier + after the operation is complete. But it does this to the base object. In the + case of an IC with the base as a Proxy, we're not actually storing to the Proxy, but + instead, the Proxy's target. This patch makes it so our IC code writeBarriers + the Proxy's target. This fixed a crash when running Speedometer2. + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::canReplace const): + (JSC::AccessCase::generateImpl): + * bytecode/PolymorphicAccess.cpp: + (JSC::AccessGenerationState::preserveLiveRegistersToStackForCallWithoutExceptions): + * bytecode/PolymorphicAccess.h: + +2020-08-20 Alexey Shvayka + + Invalid early errors for class methods named "constructor" and "prototype" + https://bugs.webkit.org/show_bug.cgi?id=215413 + + Reviewed by Darin Adler. 
+ + This change removes invalid early syntax errors, allowing static async/generator + methods named "constructor" and instance async/generator methods named "prototype", + which aligns JSC with the spec [1], V8, and SpiderMonkey. + + Also, removes a FIXME related to super() calls outside constructor that was + resolved in r181404 and is covered by test262 suite. + + [1]: https://tc39.es/ecma262/#sec-class-definitions-static-semantics-early-errors + + * parser/Parser.cpp: + (JSC::Parser::parseClass): + +2020-08-20 Alexey Shvayka + + Use jsTypeofIsObject() in DFG AI and operationTypeOfIsObject() + https://bugs.webkit.org/show_bug.cgi?id=144457 + + Reviewed by Saam Barati. + + This patch: + + 1. Refactors jsTypeofIsObject(), leveraging fast path of isCallable(), + moves it to the header, and utilizes it in DFG AI and + operationTypeOfIsObject() to eliminate code duplication. + + 2. Splits jsTypeofIsFunction() into 2 methods to accomodate + operationTypeOfIsFunction() calling it with JSObject* argument. + + 3. Removes orphaned slow_path_is_object declaration. + + No behavior change, `typeof` microbenchmarks are neutral. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGOperations.cpp: + * runtime/CommonSlowPaths.h: + * runtime/Operations.cpp: + (JSC::jsTypeofIsObject): Deleted. + * runtime/Operations.h: + (JSC::jsTypeofIsObject): + (JSC::jsTypeofIsFunction): + +2020-08-19 Yusuke Suzuki + + [JSC] Add Object.getOwnPropertyNames caching as it is done for Object.keys, and accelerate Object.getOwnPropertyDescriptor + https://bugs.webkit.org/show_bug.cgi?id=215666 + + Reviewed by Saam Barati. + + Object.getOwnPropertyNames is immutable for Structure if structure meets some conditions. And we have optimization for Object.keys. + This patch wires existing caching mechanism for Object.keys to Object.getOwnPropertyNames so that Object.getOwnPropertyNames has + full support of caching & inlined code in DFG / FTL. 
+ + We also pre-bake structure for the result of Object.getOwnPropertyDescriptor so that we do not need to perform hash table lookup every + time we create an object for Object.getOwnPropertyDescriptor. This makes Object.getOwnPropertyDescriptor 2x faster from the microbenchmark. + + The above two optimization makes Speedometer2/Inferno-TodoMVC 7% faster, and it also optimizes Speedometer2/EmberJS-Debug by 5%. + In total, we can get 0.7 - 1.0% progression in Speedometer2. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileObjectKeysOrObjectGetOwnPropertyNames): + (JSC::DFG::SpeculativeJIT::compileObjectKeys): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames): + (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): Deleted. 
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/IteratorOperations.cpp:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::dataPropertyDescriptorObjectStructure const):
+ (JSC::JSGlobalObject::accessorPropertyDescriptorObjectStructure const):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncOwnKeys):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetOwnPropertyNames):
+ (JSC::objectConstructorGetOwnPropertySymbols):
+ (JSC::objectConstructorKeys):
+ (JSC::ownPropertyKeys):
+ (JSC::constructObjectFromPropertyDescriptorSlow):
+ * runtime/ObjectConstructor.h:
+ (JSC::createDataPropertyDescriptorObjectStructure):
+ (JSC::createAccessorPropertyDescriptorObjectStructure):
+ (JSC::constructObjectFromPropertyDescriptor):
+ * runtime/ReflectObject.cpp:
+ (JSC::reflectObjectOwnKeys):
+ * runtime/Structure.cpp:
+ (JSC::Structure::canCachePropertyNameEnumerator const):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::setCachedPropertyNames):
+ (JSC::Structure::cachedPropertyNames const):
+ (JSC::Structure::cachedPropertyNamesIgnoringSentinel const):
+ (JSC::Structure::canCacheOwnPropertyNames const):
+ (JSC::Structure::setCachedOwnKeys): Deleted.
+ (JSC::Structure::cachedOwnKeys const): Deleted.
+ (JSC::Structure::cachedOwnKeysIgnoringSentinel const): Deleted.
+ (JSC::Structure::canCacheOwnKeys const): Deleted.
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::visitChildren):
+ * runtime/StructureRareData.h:
+ * runtime/StructureRareDataInlines.h:
+ (JSC::StructureRareData::cachedPropertyNames const):
+ (JSC::StructureRareData::cachedPropertyNamesIgnoringSentinel const):
+ (JSC::StructureRareData::cachedPropertyNamesConcurrently const):
+ (JSC::StructureRareData::setCachedPropertyNames):
+ (JSC::StructureRareData::cachedOwnKeys const): Deleted.
+ (JSC::StructureRareData::cachedOwnKeysIgnoringSentinel const): Deleted. + (JSC::StructureRareData::cachedOwnKeysConcurrently const): Deleted. + (JSC::StructureRareData::setCachedOwnKeys): Deleted. + +2020-08-19 Alexey Shvayka + + Introduce OpIsCallable bytecode and intrinsic + https://bugs.webkit.org/show_bug.cgi?id=215572 + + Reviewed by Ross Kirsling and Saam Barati. + + This patch: + + 1. Aligns slow_path_is_function with DFG/FTL implementations by introducing + jsTypeofIsFunction() helper. This fixes `typeof document.all === "function"` + to return `false` instead of `true`. + + 2. Renames is_function bytecode op to typeof_is_function, aligning it with + typeof_is_undefined and typeof_is_object. New name offers better semantics + and clearly communicates the op should be avoided when implementing new + features because of `typeof` behavior with [[IsHTMLDDA]] objects [1]. + + 3. Adds is_callable bytecode op and utilizes it in built-ins via intrinsic, + removing `typeof callback === "function"` checks. This prevents [[IsHTMLDDA]] + objects from being considered non-callable [2]. + + To preserve the fast path for JSFunctionType, + createFunctionThatMasqueradesAsUndefined() is relocated to InternalFunction. + + `typeof` microbenchmarks are neutral. 
+ + [1]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot-typeof + [2]: https://tc39.es/ecma262/#sec-array.prototype.map (step 3) + + * builtins/ArrayConstructor.js: + * builtins/ArrayPrototype.js: + (reduce): + (reduceRight): + (every): + (forEach): + (filter): + (map): + (some): + (find): + (findIndex): + (sort): + (flatMap): + * builtins/FunctionPrototype.js: + (overriddenName.string_appeared_here.symbolHasInstance): + (bind): + * builtins/MapPrototype.js: + (forEach): + * builtins/PromiseConstructor.js: + (all): + (allSettled): + (any): + (race): + (nakedConstructor.Promise): + (nakedConstructor.InternalPromise): + * builtins/PromiseOperations.js: + (globalPrivate.newPromiseCapabilitySlow): + (globalPrivate.resolvePromise): + (globalPrivate.resolveWithoutPromise): + * builtins/PromisePrototype.js: + (finally): + (globalPrivate.getThenFinally): + (globalPrivate.getCatchFinally): + * builtins/ReflectObject.js: + (apply): + * builtins/RegExpPrototype.js: + (globalPrivate.regExpExec): + (overriddenName.string_appeared_here.replace): + * builtins/SetPrototype.js: + (forEach): + * builtins/TypedArrayConstructor.js: + * builtins/TypedArrayPrototype.js: + (every): + (find): + (findIndex): + (forEach): + (some): + (sort): + (reduce): + (reduceRight): + (map): + (filter): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitEqualityOpImpl): + (JSC::BytecodeGenerator::emitIsCallable): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + 
(JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIsCallable): + (JSC::DFG::SpeculativeJIT::compileIsFunction): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileIsCallable): + (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction): Deleted. + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JITOperations.h: + * jsc.cpp: + (functionMakeMasquerader): + * llint/LowLevelInterpreter.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::createFunctionThatMasqueradesAsUndefined): + * runtime/InternalFunction.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined): Deleted. + * runtime/JSFunction.h: + * runtime/Operations.h: + (JSC::jsTypeofIsFunction): + +2020-08-19 Saam Barati + + REGRESSION (r265775): DFG ASSERTION FAILED: AI-clobberize disagreement; AI says FoldedClobber while clobberize says (Direct:[], Super:[]) + https://bugs.webkit.org/show_bug.cgi?id=215639 + + + Reviewed by Robin Morisset. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2020-08-19 Tadeu Zagallo + + B3 IntRange is incorrect for negative masks + https://bugs.webkit.org/show_bug.cgi?id=215536 + + + Reviewed by Michael Saboff and Robin Morisset. 
+ + In the B3 ReduceStrength phase, we compute rangeForMask as (0, mask). This is correct for + positive values, but incorrect when negative. To fix it, we use `(INT_MIN & mask, INT_MAX & mask)` + as the range for negative masks. + + * b3/B3ReduceStrength.cpp: + * b3/testb3.h: + * b3/testb3_1.cpp: + (run): + * b3/testb3_5.cpp: + (testCheckSubBitAnd): + +2020-08-18 Saam Barati + + Update byte offsets in JSString.h comment + https://bugs.webkit.org/show_bug.cgi?id=215621 + + Reviewed by Yusuke Suzuki. + + * runtime/JSString.h: + +2020-08-17 Saam Barati + + Have an OOB+SaneChain Array::Speculation + https://bugs.webkit.org/show_bug.cgi?id=215487 + + Reviewed by Yusuke Suzuki. + + This patch adds a new ArrayMode speculation in the DFG/FTL called OutOfBoundsSaneChain. + It allows us to do fast things when we go OOB, like simply return undefined. + This is because we install watchpoints on the prototype chain to ensure they + have no indexed properties. This patch implements OutOfBoundsSaneChain on + GetByVal over Int32/Double/Contiguous original JS arrays. We can extend it in + the future to non original JS arrays if we prove their prototype is Array.prototype. + To implement this properly, we also need to ensure that the index isn't negative, + as Array.prototype/Object.prototype may have negative indexed accessors. We + do this via speculation, and if we ever recompile, and see an exit because of + this, we will stop speculating OutOfBoundsSaneChain. + + This is about 20% faster on crypto-md5-SP. And ~3-4x faster on the + microbenchmarks I created. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine const): + (JSC::DFG::arraySpeculationToString): + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::isInBoundsSaneChain const): + (JSC::DFG::ArrayMode::isOutOfBoundsSaneChain const): + (JSC::DFG::ArrayMode::isOutOfBounds const): + (JSC::DFG::ArrayMode::isEffectfulOutOfBounds const): + (JSC::DFG::ArrayMode::isInBounds const): + (JSC::DFG::ArrayMode::isSaneChain const): Deleted. + * dfg/DFGCSEPhase.cpp: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::checkArray): + (JSC::DFG::FixupPhase::setSaneChainIfPossible): + (JSC::DFG::FixupPhase::convertToHasIndexedProperty): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetByValOnString): + (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): + (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): + +2020-08-16 Alexey Shvayka + + Remove OpIsObjectOrNull from ClassExprNode::emitBytecode() + https://bugs.webkit.org/show_bug.cgi?id=214525 + + Reviewed by Keith Miller. + + This patch: + + 1. Replaces OpIsObjectOrNull in ClassExprNode::emitBytecode() [1] with emitIsObject() + + emitIsNull(), preventing DFG/FTL from throwing a TypeError if `document.all` is the + value of superclass "prototype" property, which aligns JSC with V8 and SpiderMonkey. + Also, tweaks error message to reflect that `null` is allowed. + + 2. Renames is_object_or_null bytecode op to typeof_is_object, fixing the confusing + operationObjectIsObject() name, and aligns it with typeof_is_undefined. 
+ New name offers better semantics and clearly communicates the op should be avoided when + implementing new features because of `typeof` behavior with [[IsHTMLDDA]] objects [2]. + + [1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.g.ii) + [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot-typeof + + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitEqualityOpImpl): + * bytecompiler/NodesCodegen.cpp: + (JSC::ClassExprNode::emitBytecode): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileTypeOfIsObject): + (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsObject): + (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull): Deleted. 
+ * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * llint/LowLevelInterpreter.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/Operations.cpp: + (JSC::jsTypeofIsObject): + (JSC::jsIsObjectTypeOrNull): Deleted. + * runtime/Operations.h: + +2020-08-15 Adrian Perez de Castro + + Unreviewed non-unified source build fix + + * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Add missing OperandsInlines.h header. + +2020-08-14 Caio Lima + + [ARMv7][JSC] Conservative GC is not considering `r7` as a root + https://bugs.webkit.org/show_bug.cgi?id=215512 + + Reviewed by Yusuke Suzuki. + + Since `r7` is a callee-saved register on ARMv7 + we need to consider it as a conservative root. + + See the statement "A subroutine must preserve + the contents of the registers r4-r8, r10, r11 + and SP (and r9 in PCS variants that designate + r9 as v6) form page 15 of + https://developer.arm.com/documentation/ihi0042/f/. + + * heap/RegisterState.h: + +2020-08-12 Keith Miller + + OSRAvailabilityAnalysis shouldn't mark GetStack nodes directly as valid places for recovery + https://bugs.webkit.org/show_bug.cgi?id=215434 + + Reviewed by Saam Barati. + + It's somewhat subtle why we cannot use the node for the GetStack + itself in the Availability's node field. The reason is that if we + did we would need to make any phase that converts nodes to + GetStack availability aware. For instance, a place where this + could come up is in constant folding if you had a graph like the + following, which could arise from PutStack sinking: + + BB#1: + @1: NewObject() + @2: MovHint(@1, inline-arg1) + @3: Jump(#2, #3) + + BB#2: + @4: PutStack(@1, inline-arg1) + @5: GetMyArgumentByVal(inline-arg1) + @6: Jump(#3) + + BB#3: + @7: InvalidationPoint() + + If constant folding converts @5 to a GetStack then at @7 + inline-arg1 won't be available since at the end of BB#1 our + availability is (@1, DeadFlush) and (@5, + FlushedAt(inline-arg1)). 
When that gets merged at BB#3 then the + availability will be (nullptr, ConflictingFlush). + + This patch also makes validation check that availability is sane + at each pontential exit site if + Options::validateFTLOSRExitLiveness() is set. Since this is + actually a Phase we also need to make sure that we don't infinite + loop, so there is now a m_isValidating field on m_graph. The + validateOSRExitAvailability phase is also careful not to modify + the Graph, in order to avoid masking bugs when validating. + + In a followup patch I intend to look into why MovHint elimination + will convert: + + @2: MovHint(@0, loc1, bc#1, ExitInvalid) + @3: KillStack(loc1, bc#2, ExitValid) + @4: MovHint(@1 loc1, bc#2, ExitInvalid) + + into + + @2: ZombieHint(@0, loc1, bc#1, ExitInvalid) + @3: KillStack(loc1, bc#2, ExitValid) + @4: MovHint(@1 loc1, bc#2, ExitInvalid) + + when loc1 is live in the bytecode at bc#2. But for now, the + validation rule works around this by only checking when mayExit + and the nodes exitOK agree exiting is possible. + + * dfg/DFGGraph.h: + * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: + (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase): + (JSC::DFG::OSRAvailabilityAnalysisPhase::run): + (JSC::DFG::performOSRAvailabilityAnalysis): + (JSC::DFG::validateOSRExitAvailability): + (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): + * dfg/DFGOSRAvailabilityAnalysisPhase.h: + * dfg/DFGPhase.h: + (JSC::DFG::runPhase): + * dfg/DFGValidate.cpp: + +2020-08-13 Alexey Shvayka + + Cache Structure::attributeChangeTransition() + https://bugs.webkit.org/show_bug.cgi?id=214890 + + Reviewed by Yusuke Suzuki. + + With this change, a non-dictionary structure adds attribute-change transitions + to transition table, making redefinition to previous atttributes a fast path. + + After too many transitions, the structure becomes a dictionary, firing the + transition watchpoint. 
Attribute-change transitions pin their property tables, + preventing forEachPropertyConcurrently() traversal. + + This patch advances provided microbenchmark by ~90% and progresses + Speedometer2/EmberJS-Debug-TodoMVC by ~12% (~5% over r264573). + + No behavior change. + + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::getRegExpPrototypeProperty): + * runtime/JSObjectInlines.h: + (JSC::JSObject::putDirectInternal): + * runtime/Structure.cpp: + (JSC::Structure::materializePropertyTable): + (JSC::Structure::removeNewPropertyTransition): + (JSC::Structure::attributeChangeTransition): + * runtime/Structure.h: + +2020-08-13 Alexey Shvayka + + Rework StructureTransitionTable::Hash::Key encoding + https://bugs.webkit.org/show_bug.cgi?id=215483 + + Reviewed by Yusuke Suzuki. + + This patch implements new encoding of StructureTransitionTable::Hash::Key + to enable storing attribute change transitions in a transition table. + + Since PropertyMapEntry attributes are always uint8_t, the remaining 8 bits + are used for TransitionKind, which also accommodates non-property transitions, + removing a bit hacky toAttributes() and utilization of unused pointer bits. + + This change also introduces TransitionKind::Unknown we can validate against, + preventing addition transition from being a default, which could be unsafe. + + No behavior change. 
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+ (JSC::JSObject::createInitialUndecided):
+ (JSC::JSObject::createInitialInt32):
+ (JSC::JSObject::createInitialDouble):
+ (JSC::JSObject::createInitialContiguous):
+ (JSC::JSObject::convertUndecidedToInt32):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertUndecidedToContiguous):
+ (JSC::JSObject::convertUndecidedToArrayStorage):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::convertInt32ToContiguous):
+ (JSC::JSObject::convertInt32ToArrayStorage):
+ (JSC::JSObject::convertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::convertFromCopyOnWrite):
+ (JSC::JSObject::switchToSlowPutArrayStorage):
+ (JSC::JSObject::suggestedArrayStorageTransition const):
+ * runtime/JSObject.h:
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::contains const):
+ (JSC::StructureTransitionTable::get const):
+ (JSC::StructureTransitionTable::add):
+ (JSC::Structure::Structure):
+ (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
+ (JSC::Structure::addNewPropertyTransition):
+ (JSC::Structure::removePropertyTransitionFromExistingStructureImpl):
+ (JSC::Structure::removeNewPropertyTransition):
+ (JSC::Structure::sealTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransitionSlow):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::nonPropertyTransition):
+ * runtime/StructureTransitionTable.h:
+ (JSC::changesIndexingType):
+ (JSC::newIndexingType):
+ (JSC::preventsExtensions):
+ (JSC::setsDontDeleteOnAllProperties):
+ (JSC::setsReadOnlyOnNonAccessorProperties):
+ (JSC::StructureTransitionTable::Hash::Key::Key):
+ (JSC::StructureTransitionTable::Hash::Key::attributes const):
+ (JSC::StructureTransitionTable::Hash::Key::transitionKind const):
+ 
(JSC::StructureTransitionTable::Hash::hash): + (JSC::toAttributes): Deleted. + (JSC::StructureTransitionTable::Hash::Key::isAddition const): Deleted. + +2020-08-12 Keith Rollin + + Remove the need for defining USE_NEW_BUILD_SYSTEM + https://bugs.webkit.org/show_bug.cgi?id=215439 + + Reviewed by Darin Adler. + + When building WebKit for XCBuild, we currently require that the + external build system (such as the Makefile, build-webkit, etc.) + defines the USE_NEW_BUILD_SYSTEM=YES build setting. This build setting + controls parts of our build instructions that are sensitive to when + XCBuild or the Legacy build system are being used. Notably, we need to + know when to use our custom “copy and modify” scripts with copying + certain header files (used with the Legacy build system) vs. using the + enhanced Copy Headers build phase that’s enabled with + APPLY_RULES_IN_COPY_HEADERS=YES (introduced with and used by XCBuild). + The choice of which method to copy headers is used is controlled by + USE_NEW_BUILD_SYSTEM. + + There is no built-in build setting that we can probe to help us + determine which approach to take when copying and modifying headers, + which is why we need to define USE_NEW_BUILD_SYSTEM ourselves. But it + turns out that we can *detect* which build system is being used by + taking advantage of a subtle difference between the two systems. As + noted in: + + https://developer.apple.com/documentation/xcode-release-notes/build-system-release-notes-for-xcode-10 + + “When an .xcconfig file contains multiple assignments of the same + build setting, later assignments using $(inherited) or + $() will inherit from earlier assignments in the + .xcconfig. 
The legacy build system caused every use of
+ $(inherited) or $() skip any other values defined
+ within the .xcconfig.”
+
+ This difference can be exploited as follows:
+
+ WK_WHICH_BUILD_SYSTEM = not_
+ WK_WHICH_BUILD_SYSTEM = $(inherited)legacy
+ WK_USE_NEW_BUILD_SYSTEM = $(WK_USE_NEW_BUILD_SYSTEM_$(WK_WHICH_BUILD_SYSTEM))
+ WK_USE_NEW_BUILD_SYSTEM_legacy = NO
+ WK_USE_NEW_BUILD_SYSTEM_not_legacy = YES
+
+ We can then use WK_USE_NEW_BUILD_SYSTEM where we used to use the
+ externally-defined USE_NEW_BUILD_SYSTEM.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/JavaScriptCore.xcconfig:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2020-08-12 Saam Barati
+
+ Inline cache Replace and Setters on PureForwardingProxy
+ https://bugs.webkit.org/show_bug.cgi?id=215250
+
+ Reviewed by Yusuke Suzuki.
+
+ We didn't used to cache any Puts on PureForwardingProxy. This patch
+ implements Replace and JS/Custom Setters on PureForwardingProxy. We don't support
+ Transition puts because in our current implementation different global objects
+ will never share the same structure.
+
+ This patch also aligns how our runtime and the ICs invoke Customs when the
+ passed in |this| value is a JSProxy. For custom accessors, our runtime passes
+ in the JSProxy, where our ICs used to pass in the target of the JSProxy, for
+ the receiver value. For custom values, the IC behavior and the runtime were
+ already aligned in passing in the property owner, which is the JSProxy's
+ target. This patch aligns our IC behavior to match our runtime behavior.
+
+ This patch also renames some of the registers in the IC code to clear
+ up what they're used for.
+
+ This is a 2.5x speedup on the microbenchmark I've added, and a 15-20% speedup
+ on JetStream2's 3d-cube-SP. 
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ (JSC::AccessCase::generateImpl):
+ * bytecode/GetterSetterAccessCase.cpp:
+ (JSC::GetterSetterAccessCase::create):
+ * bytecode/GetterSetterAccessCase.h:
+ * jit/JITOperations.cpp:
+ * jit/Repatch.cpp:
+ (JSC::tryCachePutByID):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::originalStructureBeforePut):
+ (JSC::CommonSlowPaths::putDirectWithReify):
+
+2020-08-11 Mark Lam
+
+ ScriptExecutable::newCodeBlockFor() neglected to set the exception pointer result in one case.
+ https://bugs.webkit.org/show_bug.cgi?id=215357
+
+
+ Reviewed by Yusuke Suzuki.
+
+ At the bottom of ScriptExecutable::newCodeBlockFor(), it calls:
+ RELEASE_AND_RETURN(throwScope, FunctionCodeBlock::create(vm, executable, unlinkedCodeBlock, scope));
+
+ However, ScriptExecutable::newCodeBlockFor() has 2 return values: a CodeBlock*,
+ and a passed in Exception*& that needs to be set if there's an exception.
+ FunctionCodeBlock::create() is capable of returning a null CodeBlock* because
+ CodeBlock::finishCreation() can throw exceptions. As a result, we have a scenario
+ here where ScriptExecutable::newCodeBlockFor() can return a null CodeBlock* without
+ setting the Exception*& result.
+
+ Consequently, Interpreter::executeCall() is relying on this and can end up
+ crashing while dereferencing a null CodeBlock* because the exception result was
+ not set.
+
+ This patch fixes ScriptExecutable::newCodeBlockFor() to set the exception result.
+
+ * runtime/ScriptExecutable.cpp:
+ (JSC::ScriptExecutable::newCodeBlockFor):
+
+2020-08-10 Lauro Moura
+
+ [CMake][JSC] Fix testapiScripts copy location
+ https://bugs.webkit.org/show_bug.cgi?id=215338
+
+ file(COPY src/dir DESTINATION target/dir) copies the entire `dir`
+ inside target/dir instead of only the contents.
+
+ Reviewed by Alex Christensen. 
+
+ * shell/CMakeLists.txt:
+
+2020-08-10 Alex Christensen
+
+ REGRESSION(r261159) PokerBros only shows black screen
+ https://bugs.webkit.org/show_bug.cgi?id=215293
+
+
+ Reviewed by Keith Miller.
+
+ The PokerBros app has some logic that was broken by the change in behavior of r261159.
+ It caused the app do do nothing except show a black screen upon opening.
+ Revert to the old behavior for this app until they update to iOS14.
+
+ * runtime/JSObject.cpp:
+ (JSC::needsOldStringName):
+ (JSC::JSObject::toStringName):
+
+2020-08-10 Yusuke Suzuki
+
+ [JSC] JSFinalObject::finishCreation's ASSERT has stale condition
+ https://bugs.webkit.org/show_bug.cgi?id=215317
+
+ Reviewed by Mark Lam.
+
+ JSFinalObject::finishCreation assumes that there is no out-of-line property storage (inline storage capacity == total storage capacity).
+ But this is wrong when passing Butterfly* parameter to JSFinalObject. Previously, this feature is not used and we instead used JSObject::createRawObject,
+ which bypasses this assertion. But now, we start using this when creating an object for MaterializeNewObject in DFG and FTL, and then we hit the crash
+ because this assertion does not consider about non-nullptr butterfly.
+
+ This patch makes create function explicit by introducing `JSFinalObject::createWithButterfly`, which is similar to JSArray::createWithButterfly.
+ And we fix the assertion by checking butterfly existence. By renaming JSFinalObject::create to JSFinalObject::createWithButterfly when getting butterfly,
+ this patch also clarifies that only MaterializeNewObject related functions, which were using JSObject::createRawObject to bypass this assertion, is passing
+ butterfly.
+
+ * dfg/DFGOperations.cpp:
+ * runtime/JSObject.h:
+ (JSC::JSFinalObject::createWithButterfly):
+ (JSC::JSFinalObject::create):
+
+2020-08-09 Commit Queue
+
+ Unreviewed, reverting r265392. 
+ https://bugs.webkit.org/show_bug.cgi?id=215316
+
+ Crash ARM64 / ARM64E JSC tests
+
+ Reverted changeset:
+
+ "REGRESSION(r261159) PokerBros only shows black screen"
+ https://bugs.webkit.org/show_bug.cgi?id=215293
+ https://trac.webkit.org/changeset/265392
+
+2020-08-09 Yusuke Suzuki
+
+ [JSC] Make CommandLine on Worker agent (JSC shell feature for testing) work on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=215311
+
+
+ Reviewed by Mark Lam.
+
+ We should not reconfigure Options since this is once initialized. Since Options are frozen,
+ this results in crash.
+
+ * jsc.cpp:
+ (CommandLine::CommandLine):
+ (functionDollarAgentStart):
+
+2020-08-09 Commit Queue
+
+ Unreviewed, reverting r263195, r263252, and r265394.
+ https://bugs.webkit.org/show_bug.cgi?id=215312
+
+ Revert all related GC Bitmap changes because some of perf is
+ not fully recovered
+
+ Reverted changesets:
+
+ "Replace JSC::FreeList linked list with a Bitmap."
+ https://bugs.webkit.org/show_bug.cgi?id=213071
+ https://trac.webkit.org/changeset/263195
+
+ "Unify Bitmap math loops in
+ MarkedBlock::Handle::specializedSweep()."
+ https://bugs.webkit.org/show_bug.cgi?id=213345
+ https://trac.webkit.org/changeset/263252
+
+ "[JSC] Disable ENABLE_BITMAP_FREELIST"
+ https://bugs.webkit.org/show_bug.cgi?id=215285
+ https://trac.webkit.org/changeset/265394
+
+2020-08-08 Yusuke Suzuki
+
+ [JSC] Speculate children first in DFG NewArray
+ https://bugs.webkit.org/show_bug.cgi?id=215308
+
+
+ Reviewed by Mark Lam.
+
+ SpeculativeJIT::emitAllocateRawObject can create uninitialized butterfly since we later fill them.
+ However, DFG NewArray node has speculation after that. So if speculation failure happens, we release
+ half-baked butterfly.
+
+ Let's see the example.
+
+ 8459 emitAllocateRawObject(resultGPR, structure, storageGPR, numElements, vectorLengthHint);
+ ... 
+ 8482 case ALL_INT32_INDEXING_TYPES:
+ 8483 case ALL_CONTIGUOUS_INDEXING_TYPES: {
+ 8484 JSValueOperand operand(this, use, ManualOperandSpeculation);
+ 8485 JSValueRegs operandRegs = operand.jsValueRegs();
+ 8486 if (hasInt32(node->indexingType())) {
+ 8487 DFG_TYPE_CHECK(
+ 8488 operandRegs, use, SpecInt32Only,
+ 8489 m_jit.branchIfNotInt32(operandRegs));
+ 8490 }
+ 8491 m_jit.storeValue(operandRegs, MacroAssembler::Address(storageGPR, sizeof(JSValue) * operandIdx));
+ 8492 break;
+ 8493 }
+
+ L8487-L8489 is doing speculation check. If it failed, the rest of the butterfly can be filled with garbage. This looks OK since
+ it is Int32 butterfly so GC never scans it. However, if have-a-bad-time happens and the array is reachable from the conservative root,
+ this half-baked array is converted from Int32 array to ArrayStorage. At that time, since Int32 butterfly should hold JSInt32,
+ we store this garbage to ArrayStorage. Later, if conservative root still holds this array, and GC scans this garbage as as JSValue,
+ this value confuses GC.
+
+ In this patch, we first perform speculation before creating uninitialized JSArray so that we can ensure that we never exit after
+ creating this array until we fill it. This strategy is the same to FTL's NewArray implementation.
+
+ And we also found that emitAllocateRawObject is allocating an object from JSFinalObject space while we use it for JSArray too.
+ We should get per-type allocator to ensure JSArray is allocated in its IsoSubspace.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+ (JSC::DFG::SpeculativeJIT::compileNewArray):
+ (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+ * runtime/JSObject.h:
+ (JSC::JSObject::createRawObject): Deleted. 
+
+2020-08-07 Yusuke Suzuki
+
+ [JSC] Disable ENABLE_BITMAP_FREELIST
+ https://bugs.webkit.org/show_bug.cgi?id=215285
+
+ Reviewed by Mark Lam.
+
+ From performance bots, we observed that,
+
+ 1. MBP11,4 shows 1% regression in Speedometer2.
+ 2. The other MBP / iMac / MBA bots show neutral or slight regression in Speedometer2.
+
+ Based on the above result, for now, we disable this feature.
+
+ * heap/FreeList.h:
+
+2020-08-07 Alex Christensen
+
+ REGRESSION(r261159) PokerBros only shows black screen
+ https://bugs.webkit.org/show_bug.cgi?id=215293
+
+ Reviewed by Keith Miller.
+
+ The PokerBros app has some logic that was broken by the change in behavior of r261159.
+ It caused the app do do nothing except show a black screen upon opening.
+ Revert to the old behavior for this app until they update to iOS14.
+
+ * runtime/JSObject.cpp:
+ (JSC::needsOldStringName):
+ (JSC::JSObject::toStringName):
+
+2020-08-07 Michael Saboff
+
+ RegExp sticky not matching alternates correctly, ignoring lastIndex requirement
+ https://bugs.webkit.org/show_bug.cgi?id=214181
+
+ Reviewed by Yusuke Suzuki.
+
+ In the YARR JIT, we need to check for sticky patterns before checking for fixed character
+ terms when backtracking. The YARR interpreter doesn't have this issue.
+
+ * yarr/YarrJIT.cpp:
+
+2020-08-05 Tim Horton
+
+ Remove all references to non-existent 10.16
+ https://bugs.webkit.org/show_bug.cgi?id=215202
+
+ Reviewed by Wenson Hsieh.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/DebugRelease.xcconfig:
+ * Configurations/Version.xcconfig:
+ * Configurations/WebKitTargetConditionals.xcconfig:
+
+2020-08-05 Saam Barati
+
+ Fix returnEarlyFromInfiniteLoopsForFuzzing in DFG and validateDoesGC
+ https://bugs.webkit.org/show_bug.cgi?id=215194
+
+
+ Reviewed by Mark Lam.
+
+ I already fixed this same issue in the FTL in r264330, but I forgot
+ to do it in the DFG. 
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2020-08-05 Keith Miller
+
+ The various AllowList options should be able to take the function name inline
+ https://bugs.webkit.org/show_bug.cgi?id=215184
+
+ Reviewed by Saam Barati.
+
+ Right now when I use the various AllowList JSC options I almost
+ always only care about a single function. Right now you need to
+ create a file with that single name in it. That is inconvenient, so
+ this patch changes the behavior to treat the string as the
+ function name if no file at that path exists. I'm also
+ speculatively assuming fopen doesn't return ENOENT when it fails
+ due to sandboxing... I didn't feel like testing it because this is
+ a debug option.
+
+ * runtime/OptionsList.h:
+ * tools/FunctionAllowlist.cpp:
+ (JSC::FunctionAllowlist::FunctionAllowlist):
+
+2020-08-05 Keith Miller
+
+ Add assertions / inline capacity to checkpoint side state stacks
+ https://bugs.webkit.org/show_bug.cgi?id=215175
+
+ Reviewed by Saam Barati.
+
+ The inline capacity should hopefully avoid unneeded mallocs close to 100% of the time during our OSR exit ramp.
+
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileExit):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * runtime/VM.cpp:
+ (JSC::VM::pushCheckpointOSRSideState):
+ * runtime/VM.h:
+
+2020-08-04 Yusuke Suzuki
+
+ [JSC] Use LazyNeverDestroyed & std::call_once for complex singletons
+ https://bugs.webkit.org/show_bug.cgi?id=215153
+
+
+ Reviewed by Mark Lam.
+
+ We are getting some crashes in RemoteInspector and this speculatively fixes the crash.
+ My guess is that NeverDestroyed calls constructor twice in heavily contended situation:
+ WebKit's static does not have thread-safety. If two threads come here at the same time, it is possible that
+ constructor is invoked twice. In that case, later constructor will clear members, which involves clearing
+ Lock m_mutex field. This makes Lock's invariant broken. 
+ This patch uses LazyNeverDestroyed and std::call_once to ensure invoking constructor only once.
+
+ * API/glib/JSCVirtualMachine.cpp:
+ * dfg/DFGCommonData.cpp:
+ * disassembler/Disassembler.cpp:
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::singleton):
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::singleton):
+ * inspector/remote/socket/RemoteInspectorServer.cpp:
+ (Inspector::RemoteInspectorServer::singleton):
+ * inspector/remote/socket/RemoteInspectorServer.h:
+ * inspector/remote/socket/RemoteInspectorSocket.cpp:
+ (Inspector::RemoteInspector::singleton):
+ * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
+ (Inspector::RemoteInspectorSocketEndpoint::singleton):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::opcodeIDTable):
+ * runtime/IntlObject.cpp:
+ (JSC::intlAvailableLocales):
+ (JSC::intlCollatorAvailableLocales):
+ (JSC::defaultLocale):
+ (JSC::numberingSystemsForLocale):
+
+2020-08-04 Keith Miller
+
+ CheckpointSideState shoud play nicely with StackOverflowException unwinding.
+ https://bugs.webkit.org/show_bug.cgi?id=215114
+
+ Reviewed by Saam Barati.
+
+ This patch fixes an issue where we the StackVisitor would
+ automatically unwind into the first frame before calling into the
+ provided functor. As a note, we do this because the first frame is
+ not fully initialized at the time we check for stack
+ overflow. When this happened we would fail to clear the side state
+ causing a memory leak. To fix this the unwind function now clears
+ every checkpoint up to and including the call frame containing our
+ handler. Some care needs to be taken that we don't clear
+ checkpoint side state for other threads, which could happen if
+ there are no checkpoints on the current thread and an API
+ miggrated us from another thread below the current thread.
+
+ This patch also makes two refacorings. 
The first is to make the
+ checkpoint side state into a stack, which is how we used it
+ anyway. The second is that CallFrame::dump and everything associated
+ with it is now marked const so we can PointerDump a CallFrame*.
+
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileExit):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::bytecodeIndex const):
+ (JSC::CallFrame::codeOrigin const):
+ (JSC::CallFrame::dump const):
+ (JSC::CallFrame::bytecodeIndex): Deleted.
+ (JSC::CallFrame::codeOrigin): Deleted.
+ (JSC::CallFrame::dump): Deleted.
+ * interpreter/CallFrame.h:
+ (JSC::CallFrame::argument const):
+ (JSC::CallFrame::uncheckedArgument const):
+ (JSC::CallFrame::getArgumentUnsafe const):
+ (JSC::CallFrame::thisValue const):
+ (JSC::CallFrame::newTarget const):
+ (JSC::CallFrame::argument): Deleted.
+ (JSC::CallFrame::uncheckedArgument): Deleted.
+ (JSC::CallFrame::getArgumentUnsafe): Deleted.
+ (JSC::CallFrame::thisValue): Deleted.
+ (JSC::CallFrame::newTarget): Deleted.
+ * interpreter/CheckpointOSRExitSideState.h:
+ (JSC::CheckpointOSRExitSideState::CheckpointOSRExitSideState):
+ * interpreter/Interpreter.cpp:
+ (JSC::UnwindFunctor::operator() const):
+ (JSC::Interpreter::unwind):
+ (): Deleted.
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call):
+ (JSC::LLInt::slow_path_checkpoint_osr_exit):
+ * runtime/VM.cpp:
+ (JSC::VM::scanSideState const):
+ (JSC::VM::pushCheckpointOSRSideState):
+ (JSC::VM::popCheckpointOSRSideState):
+ (JSC::VM::popAllCheckpointOSRSideStateUntil):
+ (JSC::VM::addCheckpointOSRSideState): Deleted.
+ (JSC::VM::findCheckpointOSRSideState): Deleted.
+ * runtime/VM.h:
+
+2020-08-03 Alberto Garcia
+
+ [GTK] 2.29.4 fails to build in armhf
+ https://bugs.webkit.org/show_bug.cgi?id=214966
+
+ Reviewed by Michael Catanzaro.
+
+ SP register cannot be used as a destination register of SUB or ADD
+ on Thumb mode. 
+
+ * llint/LowLevelInterpreter32_64.asm:
+
+2020-08-03 Adrian Perez de Castro
+
+ Non-unified build fixes, early August 20202 edition
+ https://bugs.webkit.org/show_bug.cgi?id=215082
+
+ Unreviewed build fix.
+
+ * dfg/DFGOSREntry.h: Add missing inclusion of CodeLocation.h
+ * ftl/FTLGeneratedFunction.h: Ditto.
+ * jit/CallFrameShuffler.h: Forward-declare CCallHelpers.
+
+2020-08-02 Yusuke Suzuki
+
+ Unreviewed, fix CLoop build
+ https://bugs.webkit.org/show_bug.cgi?id=215010
+
+ * tools/SigillCrashAnalyzer.cpp:
+
+2020-08-02 Commit Queue
+
+ Unreviewed, reverting r265151.
+ https://bugs.webkit.org/show_bug.cgi?id=215074
+
+ Broke ARM64E JSC tests
+
+ Reverted changeset:
+
+ "validate untagArrayPtr"
+ https://bugs.webkit.org/show_bug.cgi?id=214953
+ https://trac.webkit.org/changeset/265151
+
+2020-08-01 Commit Queue
+
+ Unreviewed, reverting r265097, r265113, and r265122.
+ https://bugs.webkit.org/show_bug.cgi?id=215065
+
+ Broke AppleSilicon Big Sur
+
+ Reverted changesets:
+
+ "Strip pointers instead of authing for byteOffset to not allow
+ for a possible way to guess data pac"
+ https://bugs.webkit.org/show_bug.cgi?id=214952
+ https://trac.webkit.org/changeset/265097
+
+ "Compute number of PAC bits from what the OS says its address
+ space is"
+ https://bugs.webkit.org/show_bug.cgi?id=214986
+ https://trac.webkit.org/changeset/265113
+
+ "Remove UB from nonPACBitsMask computation"
+ https://bugs.webkit.org/show_bug.cgi?id=214996
+ https://trac.webkit.org/changeset/265122
+
+2020-07-31 Keith Miller
+
+ Move Options setter to where we allow access to the Options object
+ https://bugs.webkit.org/show_bug.cgi?id=215028
+
+ Reviewed by Saam Barati.
+
+ Right now jsc CLI crashes when assertions are enabled on iOS.
+
+ * jsc.cpp:
+ (main):
+ (CommandLine::parseArguments):
+
+2020-07-31 Saam Barati
+
+ Re-enable NO_SMT on Catalina
+ https://bugs.webkit.org/show_bug.cgi?id=215024
+
+ Reviewed by Alexey Proskuryakov. 
+
+ * runtime/Options.cpp:
+ (JSC::defaultTCSMValue):
+ * runtime/OptionsList.h:
+
+2020-07-31 Saam Barati
+
+ validate untagArrayPtr
+ https://bugs.webkit.org/show_bug.cgi?id=214953
+
+ Reviewed by Keith Miller.
+
+ This patch adds validation to untagArrayPtr along paths where we don't
+ immediately store/load from the result.
+
+ This patch also changes the removeArrayPtrTag macro assembler function to
+ use shifts instead of xpacd to strip the tag, because it's faster.
+
+ * assembler/MacroAssemblerARM64E.h:
+ (JSC::MacroAssemblerARM64E::untagArrayPtr):
+ (JSC::MacroAssemblerARM64E::removeArrayPtrTag):
+ * assembler/testmasm.cpp:
+ (JSC::testCagePreservesPACFailureBit):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::cageWithoutUntagging):
+ (JSC::AssemblyHelpers::cageConditionallyAndUntag):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cageWithoutUntagging): Deleted.
+ (JSC::AssemblyHelpers::cageConditionally): Deleted. 
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
+2020-07-31 Keith Miller
+
+ Reduce over include usage in JSC
+ https://bugs.webkit.org/show_bug.cgi?id=215010
+
+ Reviewed by Mark Lam.
+
+ My first attempt to fix
+ https://bugs.webkit.org/show_bug.cgi?id=215009 by making it so we
+ don't include FastJITPermissions.h in TestWebKitAPI, was
+ unsuccessful. Mostly because I gave up after several hours of
+ building... I figure it's still worth it to land the last working
+ version I was able to get building.
+
+ * assembler/MacroAssemblerCodeRef.h:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/PolymorphicAccess.h:
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ * interpreter/CallFrame.h:
+ * jit/ThunkGenerators.cpp:
+ * llint/LLIntOffsetsExtractor.cpp:
+ * runtime/TypeLocationCache.cpp:
+ * runtime/VM.cpp:
+ (JSC::VM::getCTIStub):
+ * runtime/VM.h:
+ (JSC::VM::getCTIStub): Deleted.
+ * tools/JSDollarVM.cpp:
+
+2020-07-31 Yusuke Suzuki
+
+ [JSC] Follow-up changes after r265036
+ https://bugs.webkit.org/show_bug.cgi?id=214982
+
+ Reviewed by Darin Adler.
+
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileExit): Remove dupe definitions in OSRExit.
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::emit_op_iterator_open): We should use emitJumpSlowCaseIfNotJSCell(regT1).
+
+2020-07-30 Keith Miller
+
+ Remove UB from nonPACBitsMask computation
+ https://bugs.webkit.org/show_bug.cgi?id=214996
+
+ Reviewed by Tadeu Zagallo. 
+
+ For non-ARM64E we now set numberOfPACBits to zero, which was causing UB in our computation of the nonPACBitsMask.
+
+ * assembler/MacroAssemblerARM64E.h:
+
+2020-07-30 Keith Miller
+
+ Compute number of PAC bits from what the OS says its address space is
+ https://bugs.webkit.org/show_bug.cgi?id=214986
+
+ Reviewed by Saam Barati.
+
+ * assembler/MacroAssemblerARM64E.h:
+
+2020-07-30 Caio Lima
+
+ [JSC][32-bits] interator_next should check for EmptyValue instead of undefined to execute LLInt fast path
+ https://bugs.webkit.org/show_bug.cgi?id=214963
+
+ Reviewed by Yusuke Suzuki.
+
+ There was a bug in previous implementation that allows execution of
+ `interator_next` fast path if we set ArrayIterator.prototype.next to
+ 0. This happened because we were not properly checking `ValueEmpty`
+ from `m_next`. This patch is fixing such issue and doing the proper
+ verification.
+
+ * llint/LowLevelInterpreter32_64.asm:
+
+2020-07-30 Saam Barati
+
+ Strip pointers instead of authing for byteOffset to not allow for a possible way to guess data pac
+ https://bugs.webkit.org/show_bug.cgi?id=214952
+
+ Reviewed by Keith Miller.
+
+ In the old way of doing things, we would auth the vector pointer before subtracting
+ the base from it. Since we never validated the auth, this allowed for a
+ potential data-PAC bypass by just repeatedly calling byteOffset in a loop
+ and observing the integer result of the operation.
+
+ Since byteOffset does no loads/stores, it suffices to just strip the PAC
+ bits before doing the subtraction. This eliminates any such attacks like
+ the above because the PAC bits are ignored.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+
+2020-07-29 Yusuke Suzuki
+
+ [JSC] Add B3::BottomTupleValue node
+ https://bugs.webkit.org/show_bug.cgi?id=214956
+
+
+ Reviewed by Keith Miller. 
+
+ In B3 strength reduction, we convert B3 values to bottom value based on type after Oops kind, and then they are *typically* removed later.
+ While we support bottom values for usual types, we do not have a bottom value for tuple type. So when replaceWithBottom is called, we
+ fail to replace Patchpoints producing tuples with bottom values.
+
+ This patch newly adds B3 BottomTupleValue, which is just a BottomValue for tuple. We can extend it to generate arbitrary constant
+ tuple values, but for now, we just support bottom tuple values. We add a new node instead of generating patchpoint which generates bottom
+ values since BottomTupleValues implementation is simpler: BottomTupleValue just emits bunch of zero clear for Air tmps and Air does everything
+ automatically. On the other hand, implementing a patchpoint needs to add code which clears things with zero while checking the ValueRep. And
+ since we have Const32, Const64, etc. values, having this kind of value for tuple too is natural. Plus, this design allows us to remove bunch
+ of unnecessary instructions after lowering this to Air since Air knows what instructions will be emitted by this BottomTupleValue, and Air
+ can remove a lot of zero clear instructions if they are not read later by Extract.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * b3/B3BottomTupleValue.cpp: Copied from Source/JavaScriptCore/b3/B3InsertionSet.cpp.
+ (JSC::B3::BottomTupleValue::dumpMeta const):
+ * b3/B3BottomTupleValue.h: Copied from Source/JavaScriptCore/b3/B3InsertionSet.cpp.
+ * b3/B3InsertionSet.cpp:
+ (JSC::B3::InsertionSet::insertBottom):
+ * b3/B3LowerToAir.cpp:
+ * b3/B3Opcode.cpp:
+ (WTF::printInternal):
+ * b3/B3Opcode.h:
+ * b3/B3Procedure.cpp:
+ (JSC::B3::Procedure::addBottom):
+ * b3/B3TypeMap.h:
+ (JSC::B3::TypeMap::TypeMap): Deleted. 
+ * b3/B3Validate.cpp:
+ * b3/B3Value.cpp:
+ (JSC::B3::Value::effects const):
+ (JSC::B3::Value::key const):
+ * b3/B3Value.h:
+ * b3/B3ValueInlines.h:
+ * b3/B3ValueKey.cpp:
+ (JSC::B3::ValueKey::materialize const):
+ * b3/testb3_7.cpp:
+ (testBottomTupleValue):
+ (addTupleTests):
+
+2020-07-29 Tadeu Zagallo
+
+ WebAssembly validation for call_indirect is incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=214901
+
+
+ Reviewed by Saam Barati.
+
+ There was an incorrect condition when validating call_indirect's arguments, which often resulted in skipping this validation.
+
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::parseExpression):
+
+2020-07-29 Mark Lam
+
+ Update some JSArrayBufferView comments and add some assertions.
+ https://bugs.webkit.org/show_bug.cgi?id=214914
+
+ Reviewed by Darin Adler.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBuffer::createAdopted):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+ (JSC::JSArrayBufferView::finalize):
+ * runtime/JSArrayBufferView.h:
+
+2020-07-29 Paulo Matos
+
+ for..of intrinsics implementation for 32bits
+ https://bugs.webkit.org/show_bug.cgi?id=214737
+
+ Reviewed by Yusuke Suzuki.
+
+ Joint work with Caio Lima .
+
+ Implements for..of intrinsics for 32bits.
+ Adds or8 instruction to ARMv7 and MIPS Macro Assembler.
+ Adds intrinsic operations to LLInt and Baseline for 32bits.
+ Fixes DFG OSR Exit bug, where checkpoint temporary value is
+ incorrectly recreated for Baseline.
+ Refactors code in DFG OSR Exit to be easier to modify and
+ maintain by separating the switch cases for 32 and 64bits. 
+
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::or8): Adds or8(TrustedImm, AbsoluteAddress)
+ (JSC::MacroAssemblerARMv7::or32):
+ (JSC::MacroAssemblerARMv7::store8):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::or8): Adds or8(TrustedImm, AbsoluteAddress)
+ (JSC::MacroAssemblerMIPS::store8):
+ * assembler/testmasm.cpp:
+ (JSC::testOrImmMem): Tests or8
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitEnumeration):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileExit): Fixes DFG OSR Exit bug, where checkpoint temporary value is
+ incorrectly recreated for Baseline. Refactors code in DFG OSR Exit to be easier to modify and
+ maintain by separating the switch cases for 32 and 64bits.
+ * jit/JIT.h:
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::emitPutCallResult):
+ (JSC::JIT::compileSetupFrame):
+ (JSC::JIT::compileOpCall):
+ (JSC::JIT::emit_op_iterator_open):
+ (JSC::JIT::emitSlow_op_iterator_open):
+ (JSC::JIT::emit_op_iterator_next):
+ (JSC::JIT::emitSlow_op_iterator_next):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
+ * llint/LowLevelInterpreter32_64.asm:
+
+2020-07-29 Yusuke Suzuki
+
+ [JSC] Reflect object should have toStringTag with "Reflect"
+ https://bugs.webkit.org/show_bug.cgi?id=214909
+
+ Reviewed by Mark Lam.
+
+ We call JSC_TO_STRING_TAG_WITHOUT_TRANSITION in ReflectObject to set "Reflect" @@toStringTag, which fixes one test262 failure.
+
+ * runtime/ReflectObject.cpp:
+ (JSC::ReflectObject::finishCreation):
+
+2020-07-28 Yusuke Suzuki
+
+ [JSC] Add hasCustomGetterSetterProperties to canAccessPropertiesQuicklyForEnumeration
+ https://bugs.webkit.org/show_bug.cgi?id=214908
+
+
+ Reviewed by Mark Lam.
+
+ canAccessPropertiesQuicklyForEnumeration should filter out hasCustomGetterSetterProperties too. 
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::canAccessPropertiesQuicklyForEnumeration const):
+
+2020-07-28 Caitlin Potter
+
+ [JSC] add IC support for op_get_private_name
+ https://bugs.webkit.org/show_bug.cgi?id=213545
+
+ Reviewed by Saam Barati.
+
+ The baseline JIT now supports a fast path for op_private_name,
+ using a variant of GetByVal IC.
+
+ The generated AccessCase has the following qualities:
+ - Always "direct", relying only on the current structure for cachebility
+ - Never impure (DOM properties are not supported at this time, ProxyObjects are treated as JSObjects)
+
+ Based on the microbenchmark reviewed on https://bugs.webkit.org/show_bug.cgi?id=213544, this sees
+ an improvement of roughly 50% on average.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::reset):
+ * bytecode/StructureStubInfo.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * jit/ICStats.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ * jit/JITInlineCacheGenerator.cpp:
+ (JSC::JITGetByValGenerator::JITGetByValGenerator):
+ * jit/JITInlineCacheGenerator.h:
+ * jit/JITOperations.cpp:
+ (JSC::getPrivateName):
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_get_private_name):
+ (JSC::JIT::emitSlow_op_get_private_name):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_get_private_name):
+ (JSC::JIT::emitSlow_op_get_private_name):
+ * jit/Repatch.cpp:
+ (JSC::appropriateOptimizingGetByFunction):
+ (JSC::appropriateGetByFunction):
+ (JSC::tryCacheGetBy):
+ * jit/Repatch.h:
+
+2020-07-27 Yusuke Suzuki
+
+ [JSC][wasm] Truncating slightly less than INT32_MIN is 
incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=214834
+
+ Reviewed by Darin Adler.
+
+ Wasm trunc_f64_s should handle (INT32_MIN - 1.0, INT32_MIN) range too.
+
+ * llint/WebAssembly.asm:
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::addOp):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::addOp):
+
+2020-07-28 Mark Lam
+
+ ASSERTION FAILED: isSymbol() in Source/JavaScriptCore/runtime/JSCell.cpp(188)
+ https://bugs.webkit.org/show_bug.cgi?id=214837
+
+ Reviewed by Darin Adler.
+
+ The issue found by this bug was that jsc shell test properties were enumerable.
+ These properties are only meant for test development use. They will never be
+ present in a productized JavaScript environment.
+
+ This patch helps reduce the change of users of the jsc shell tripping up on these
+ test properties when enumerating the global object.
+
+ * jsc.cpp:
+
+2020-07-28 Yusuke Suzuki
+
+ IndexedDB binding utilities miss exception checks
+ https://bugs.webkit.org/show_bug.cgi?id=214820
+
+
+ Reviewed by Mark Lam.
+
+ jsStringWithCache does not need to take JSGlobalObject*.
+
+ * runtime/JSString.h:
+ (JSC::jsStringWithCache):
+
+2020-07-27 Mark Lam
+
+ DisallowVMEntry needs a copy assignment operator, detected by gcc's -Wdeprecated-copy warning
+ https://bugs.webkit.org/show_bug.cgi?id=214809
+
+ Reviewed by Yusuke Suzuki.
+
+ According to https://en.cppreference.com/w/cpp/language/copy_assignment,
+ "The generation of the implicitly-defined copy assignment operator is deprecated
+ (since C++11) if T has a user-declared destructor or user-declared copy constructor."
+ DisallowVMEntry has both a user-declared destructor and a user-declared copy
+ constructor. Hence, it needs to define its own copy assignment operator to placate
+ the compiler.
+
+ This patch also adds back WTF_FORBID_HEAP_ALLOCATION to DisallowVMEntry.
+ DisallowVMEntry should always have forbid heap allocation. It was accidentally
+ removed in a prior patch. 
+ + * runtime/DisallowVMEntry.h: + (JSC::DisallowVMEntryImpl::operator=): + +2020-07-27 Caio Lima + + DoesGC failures in debug mode in 32bits + https://bugs.webkit.org/show_bug.cgi?id=214449 + + Reviewed by Mark Lam. + + Adding the DoesGC update code into OSRExit::compileExit for 32-bits. + + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + +2020-07-24 Mark Lam + + pluginElementCustomGetOwnPropertySlot() should support VMInquiry requests. + https://bugs.webkit.org/show_bug.cgi?id=214555 + + + Reviewed by Yusuke Suzuki. + + 1. Add handling for VMInquiry failure in JSObject::getPropertySlot() and + JSObject::getNonIndexPropertySlot(). Basically, if the query isTaintedByOpaqueObject, + then we should treat the false result as a failed VMInquiry. + + 2. Fix JSModuleNamespaceObject::getOwnPropertySlotCommon() and + ProxyObject::getOwnPropertySlotCommon() to initialize the PropertySlot to a + jsUndefined() value if we have a failed VMInquiry. The client shouldn't + be reading the value if the VMInquiry failed, but as a defensive action, we'll + initialize the slot to effectively return an undefined value. + + * runtime/JSModuleNamespaceObject.cpp: + (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon): + * runtime/JSObjectInlines.h: + (JSC::JSObject::getPropertySlot): + (JSC::JSObject::getNonIndexPropertySlot): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::getOwnPropertySlotCommon): + +2020-07-24 Dean Jackson + + JavaScriptCore Xcode project has some errors + https://bugs.webkit.org/show_bug.cgi?id=214775 + + Reviewed by Yusuke Suzuki. + + When looking at the build output for JavaScriptCore I noticed two + weird errors in the Xcode project file. Firstly, there was a broken + group called "runtime" that was causing some files to appear + duplicated. Secondly, there was a generated file + WebAssemblyCompileErrorConstructor.lut.h whose location was + incorrectly identified as being part of the project source. 
+ + Xcode moved a bunch of other things around, but it seems to compile + fine. Weirdly, the diff shows that the project file had unusual + whitespace. I wonder if it had been edited by hand. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-07-24 Yusuke Suzuki + + [JSC] DFG::AbstractValue::filterByValue should re-filter configured m_value via m_type + https://bugs.webkit.org/show_bug.cgi?id=214721 + + + Reviewed by Mark Lam. + + Let's consider the following case. + + 1. Input AbstractValue is saying SpecObjectOther. + 2. We have CheckIsConstant with StringPrototype (which is SpecObjectOther | SpecStringObject in the current SpeculatedType). + 3. We call filterByValue, which filters m_type by SpecObjectOther | SpecStringObject. But the filtered m_type is SpecObjectOther since (2)'s SpeculatedType is broader. + 4. We store the given constant (StringPrototype) to m_value. + 5. This AbstractValue's m_type is SpecObjectOther while its m_value's SpeculatedType is SpecObjectOther | SpecStringObject. Contradiction! + + When setting m_value by filterByValue, we should filter m_value with m_type to ensure that m_value is the expected one. + This patch also avoid using SpecObjectOther | SpecStringObject for StringPrototype since we can return narrower type for that. + + * bytecode/SpeculatedType.cpp: + (JSC::speculationFromStructure): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::filterByValue): + (JSC::DFG::AbstractValue::filter): + * dfg/DFGPredictionPropagationPhase.cpp: + * runtime/StringObject.cpp: + (JSC::StringObject::finishCreation): + +2020-07-24 Alexey Shvayka + + JSON.parse should not modify non-configurable properties. + https://bugs.webkit.org/show_bug.cgi?id=163446 + + Reviewed by Darin Adler. + + This change implements step 2.c.ii.3 of InternalizeJSONProperty [1], replacing + put() with defineOwnProperty(). 
Using the latter fixes JSON.parse() with + non-configurable (failures are silently ignored; see note in the spec), + non-writable, and accessor properties, aligning JSC with V8 and SpiderMonkey. + + Since it's extremely unlikely for userland `reviver` to remove or redefine the + next property, a fast path for PropertyAttribute::None attributes is introduced. + It advances microbenchmarks/json-parse-object-*.js by ~13%. + + [1]: https://tc39.es/ecma262/#sec-internalizejsonproperty + + * runtime/JSONObject.cpp: + (JSC::Walker::walk): + +2020-07-24 Yusuke Suzuki + + [JSC] Do not use hardened Array for Intl supportedLocalesOf + https://bugs.webkit.org/show_bug.cgi?id=214676 + + Reviewed by Mark Lam. + + We do not need to call getOwnPropertyNames & defineOwnProperty because hardening array of Intl.XXX.supportedLocalesOf is removed from the spec. + We should just return an array from bestFitSupportedLocales or lookupSupportedLocales, while this change is not observable to users (but it is better + for performance). This fully fixes https://github.com/tc39/ecma402/pull/278. + + * runtime/IntlObject.cpp: + (JSC::supportedLocales): + +2020-07-23 Yusuke Suzuki + + [JSC] Arrow function |this| resolution should not be trapped by with-scope + https://bugs.webkit.org/show_bug.cgi?id=214716 + + + Reviewed by Darin Adler. + + We were using usual "this" named variable in lexical-environment to load and store arrow-function's |this|. + But since this looks normal variable, it can be trapped by "with" scope's object while it should not be. + We use thisPrivateName instead to avoid this behavior since Proxy does not trap private names. 
+ + * builtins/BuiltinNames.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded): + (JSC::BytecodeGenerator::variable): + (JSC::BytecodeGenerator::createVariable): + (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment): + (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope): + * bytecompiler/NodesCodegen.cpp: + (JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode): + (JSC::ForInNode::emitBytecode): + * runtime/CommonIdentifiers.cpp: + (JSC::CommonIdentifiers::CommonIdentifiers): + * runtime/CommonIdentifiers.h: + +2020-07-23 Yusuke Suzuki + + [JSC] FTL OSR entry should store boxed |this| + https://bugs.webkit.org/show_bug.cgi?id=214675 + + + Reviewed by Michael Saboff and Mark Lam. + + In this patch, after ensuring that we will go to FTL OSR entry, we store boxed |this| instead of the unboxed value + to agree to the FTL assumption that all arguments should be boxed. + + * dfg/DFGOperations.cpp: + * ftl/FTLOSREntry.cpp: + (JSC::FTL::prepareOSREntry): + +2020-07-23 Yusuke Suzuki + + [JSC] BigInt can be `false` in boolean context in DFG AI + https://bugs.webkit.org/show_bug.cgi?id=214678 + + + Reviewed by Mark Lam. + + DFG::AbstractInterpreter::booleanResult returns wrong result if finite structure includes HeapBigInt structure + since HeapBigInt 0n can be evaluated `false` in boolean context while this function does not care it. This patch + fixes it and cleans up code by using WTF/TriState. + + * dfg/DFGAbstractInterpreter.h: + (): Deleted. + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::booleanResult): + (JSC::DFG::AbstractInterpreter::executeEffects): + +2020-07-23 Caio Lima + + [32-bits] Fixing the return of doVMEntry into LowLevelInterpreter32_64.asm + https://bugs.webkit.org/show_bug.cgi?id=214641 + + Reviewed by Mark Lam. 
+ + Adjusting the return of `doVMEntry` for 32-bits LLInt to proper set + `EncodedJSValue` return in little-endian architectures. It is expected + that tag is stored in `r1` and payload is stored in `r0`. + + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + +2020-07-23 Alexey Shvayka + + Remove ArrayNode::m_optional + https://bugs.webkit.org/show_bug.cgi?id=214294 + + Reviewed by Darin Adler. + + m_optional, which dates back to KJS era, means "is this an array with optional trailing comma, + with elision, or an empty array". It was used by ArrayNode::streamTo() to preserve a trailing + comma when converting array node to source string, as well as in few other places, + before ECMA-262 clarified trailing comma in array literals [1]. + + Currently, m_optional is used only by ArrayNode::isSimpleArray(), along with m_elision. + Checking m_elision is enough since trailing comma doesn't add extra `undefined` element. + + This patch completely removes m_optional, speeding up destructuring and function.apply() + with empty arrays and arrays with trailing commas by ~55% and a factor of 11 respectively. + Reflect.apply() optimization (https://webkit.org/b/190668) will also benefit from this change. + + Also, this change converts isSpreadExpression() check to an ASSERT (was enabled by r196323). + + [1]: https://tc39.es/ecma262/#sec-array-initializer + + * bytecompiler/NodesCodegen.cpp: + (JSC::ArrayNode::isSimpleArray const): + (JSC::ArrayNode::toArgumentList const): + (JSC::ArrayNode::emitDirectBinding): + * parser/NodeConstructors.h: + (JSC::ArrayNode::ArrayNode): + * parser/Nodes.h: + +2020-07-23 Alexey Shvayka + + Remove emitIsUndefined() from ClassExprNode::emitBytecode() + https://bugs.webkit.org/show_bug.cgi?id=214645 + + Reviewed by Darin Adler. + + This change removes `superclass === undefined` check because it's missing from + the spec [1] and isn't a common case. 
No behavior change: values except `null` are + passed to OpIsConstructor, resulting in the same error being thrown for `undefined`. + + Test: LayoutTests/js/class-syntax-extends.html + + [1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.e) + + * bytecompiler/NodesCodegen.cpp: + (JSC::ClassExprNode::emitBytecode): + +2020-07-22 Conrad Shultz + + Update macOS Version macros + https://bugs.webkit.org/show_bug.cgi?id=214653 + + Reviewed by Tim Horton. + + * Configurations/Base.xcconfig: + * Configurations/DebugRelease.xcconfig: + * Configurations/Version.xcconfig: + * Configurations/WebKitTargetConditionals.xcconfig: + +2020-07-22 Geoffrey Garen + + WTF::Function adoption should be explicit instead of implicit + https://bugs.webkit.org/show_bug.cgi?id=214654 + + Reviewed by Darin Adler. + + * heap/Heap.cpp: + (JSC::Heap::LambdaFinalizerOwner::finalize): Use new adopt function. + +2020-07-22 Mark Lam + + Disallow VM entry when doing a VMInquiry. + https://bugs.webkit.org/show_bug.cgi?id=214624 + + + Reviewed by Saam Barati. + + 1. In PropertySlot's constructor, automatically install a DisallowVMEntry scope + if the passed in internal method type is VMInquiry. This ensures that we won't + be able to enter the VM to call JS code while doing the inquiry. As a result, + the PropertySlot constructor will now take an optional VM pointer, which is + must be passed in in when the internal method type is VMInquiry. + + Note that the handling of attempts to enter the VM depends on + Options::crashOnDisallowedVMEntry(). + + On Debug build (due to ASSERT_ENABLED), Options::crashOnDisallowedVMEntry() + defaults to true and the VM will crash on disallowed entry. + On Release build, Options::crashOnDisallowedVMEntry() defaults to false and + disallow entry attempts into the VM will be treated like calling an empty + function that returns undefined. 
This is not new behavior in this patch, but + I just want to have a reminder here of how DisallowVMEntry will be enforcing + no entry into the VM while doing a VMInquiry. + + 2. After VMInquiry gets, sometimes the client code wants to do other work that + do entails entering the VM. In such cases, we need to reset the PropertySlot's + disallowVMEntry scope. Fixed up a few places in client code to do this reset. + + 3. Make the DisableVMEntry scope copyable. At least one place wants to copy + PropertySlot, and as a result, will need to copy its embedded DisableVMEntry + scope as well if installed. + + For DisableVMEntry, we'll handle copying semantics as follows: copying a + DisableVMEntry will ref the VM::disallowVMEntryCount. The count will be + decremented when both instances are destructed. As a result, VM entry will + be disallowed as long as one of the copies are still alive. + + 4. For the setObjectToStringValue() method of Structure and StructureRareData, we + were previously passing a PropertySlot by copy. We don't really need to do + this. Ultimately, only StructureRareData::setObjectToStringValue() needs to + access a few of the PropertySlot query methods. So, we changed these methods + to pass a `const PropertySlot&` instead to void the needless copying. 
+ + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::put): + (JSC::JSCallbackObject::staticFunctionGetter): + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::json): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::queryInstances): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::execute): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/DisallowVMEntry.h: + (JSC::DisallowVMEntryImpl::DisallowVMEntryImpl): + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::sanitizedToString): + * runtime/JSFunction.cpp: + (JSC::JSFunction::getOwnNonIndexPropertyNames): + (JSC::JSFunction::put): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructGenericTypedArrayViewWithArguments): + * runtime/JSGlobalObject.cpp: + (JSC::getGetterById): + (JSC::JSGlobalObject::defineOwnProperty): + (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint): + * runtime/JSObject.cpp: + (JSC::JSObject::calculatedClassName): + * runtime/JSObjectInlines.h: + (JSC::JSObject::getPrivateFieldSlot): + * runtime/JSScope.cpp: + (JSC::abstractAccess): + * runtime/PropertySlot.h: + (JSC::PropertySlot::PropertySlot): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::StackFrame::nameFromCallee): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::setObjectToStringValue): + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::setObjectToStringValue): + * runtime/StructureRareData.h: + * tools/JSDollarVM.cpp: + (JSC::functionGetGetterSetter): + +2020-07-22 Geoffrey Garen + + JSRunLoopTimer should use WTF::RunLoop rather than custom CF code + https://bugs.webkit.org/show_bug.cgi?id=214102 + + Unreviewed, re-landing r264242 with crash fixed. + + We needed to synchronize timer destruction with timer firing. 
+ + * runtime/DeferredWorkTimer.cpp: + (JSC::DeferredWorkTimer::doWork): + (JSC::DeferredWorkTimer::runRunLoop): + * runtime/JSRunLoopTimer.cpp: + (JSC::epochTime): + (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): + (JSC::JSRunLoopTimer::Manager::timerDidFireCallback): + (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData): + (JSC::JSRunLoopTimer::Manager::timerDidFire): + (JSC::JSRunLoopTimer::Manager::registerVM): + (JSC::JSRunLoopTimer::Manager::scheduleTimer): + (JSC::JSRunLoopTimer::Manager::cancelTimer): + (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): Deleted. + (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): Deleted. + * runtime/JSRunLoopTimer.h: + (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): Deleted. + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::create): + (JSC::VM::tryCreate): + (JSC::VM::setRunLoop): Deleted. + * runtime/VM.h: + (JSC::VM::runLoop const): + +2020-07-21 Mark Lam + + Simplify DisallowScope, DisallowGC, and DisallowVMReentry implementations. + https://bugs.webkit.org/show_bug.cgi?id=214539 + + + Reviewed by Keith Miller. + + Previously, DisallowScope needed to support enabling and disabling. This was + only needed to enable the implementation of ObjectInitializationScope. Now, we + can make the DisallowGC and DisallowVMReentry inside ObjectInitializationScope + optional with WTF::Optional. With that we can simplify these scopes and make + them true RAII scope objects. + + This patch also does the following: + + 1. Renamed DisallowVMReentry to DisallowVMEntry. + The scope can be used to disable VM entry completely. There's no need to + restrict it to only re-entries. + + 2. Enforcement of DisallowVMReentry is now done in the LLInt's doVMEntry() instead + of the VMEntryScope's constructor. This is a stronger guarantee. + + If Options::crashOnDisallowedVMEntry() is true, the VM will crash if it sees + an attempt to enter the VM while disallowed. 
+ + If Options::crashOnDisallowedVMEntry() is false, an attempt to call into the VM + while disallowed will return immediately with an undefined result without + invoking any script. + + By default, Options::crashOnDisallowedVMEntry() is true if ASSERT_ENABLED is + true. + + 3. Change DisallowScope and DisallowGC to be based on ASSERT_ENABLED instead of NEBUG. + + 4. Make DisallowVMEntry always enforceable, not just when ASSERT_ENABLED. + It's enforcement action depends on Options::crashOnDisallowedVMEntry() as + described above. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/DeferGC.cpp: + * heap/DeferGC.h: + (JSC::DisallowGC::DisallowGC): + (JSC::DisallowGC::initialize): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeProgram): + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + (JSC::Interpreter::execute): + (JSC::Interpreter::executeModuleProgram): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::llint_check_vm_entry_permission): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/DisallowScope.h: + (JSC::DisallowScope::DisallowScope): + (JSC::DisallowScope::~DisallowScope): + (JSC::DisallowScope::isInEffectOnCurrentThread): + (JSC::DisallowScope::enable): Deleted. + (JSC::DisallowScope::disable): Deleted. + (JSC::DisallowScope::enterScope): Deleted. + (JSC::DisallowScope::exitScope): Deleted. + * runtime/DisallowVMEntry.h: Copied from Source/JavaScriptCore/runtime/DisallowVMReentry.h. + (JSC::DisallowVMEntryImpl::DisallowVMEntryImpl): + (JSC::DisallowVMEntryImpl::~DisallowVMEntryImpl): + (JSC::DisallowVMEntryImpl::isEngaged const): + (JSC::DisallowVMEntryImpl::release): + (JSC::DisallowVMReentry::DisallowVMReentry): Deleted. + (JSC::DisallowVMReentry::initialize): Deleted. + (JSC::DisallowVMReentry::scopeReentryCount): Deleted. + (JSC::DisallowVMReentry::setScopeReentryCount): Deleted. 
+ * runtime/DisallowVMReentry.cpp: Removed. + * runtime/DisallowVMReentry.h: Removed. + * runtime/InitializeThreading.cpp: + (JSC::initialize): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + * runtime/ObjectInitializationScope.cpp: + (JSC::ObjectInitializationScope::ObjectInitializationScope): + (JSC::ObjectInitializationScope::notifyAllocated): + (JSC::ObjectInitializationScope::notifyInitialized): + * runtime/ObjectInitializationScope.h: + (JSC::ObjectInitializationScope::vm const): + (JSC::ObjectInitializationScope::ObjectInitializationScope): + (JSC::ObjectInitializationScope::~ObjectInitializationScope): + (JSC::ObjectInitializationScope::notifyAllocated): + (JSC::ObjectInitializationScope::notifyInitialized): + * runtime/OptionsList.h: + * runtime/RegExpMatchesArray.h: + (JSC::tryCreateUninitializedRegExpMatchesArray): + * runtime/VM.h: + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + +2020-07-21 Mark Lam + + llint_slow_path_get_private_name() should not be using PropertySlot::InternalMethodType::VMInquiry. + https://bugs.webkit.org/show_bug.cgi?id=214603 + + Reviewed by Yusuke Suzuki. + + VMInquiry means (1) the get operation should not call back into JS, (2) it should + not throw any exceptions (except for OutOfMemoryError or StackOverflowError which + can be thrown at any time), or have any side effects that is observable from JS + code. In this case, llint_slow_path_get_private_name() is just implementating + PrivateFieldGet (https://tc39.es/proposal-class-fields/#sec-privatefieldget) and + should actually be using PropertySlot::InternalMethodType::GetOwnProperty + (according to https://tc39.es/proposal-class-fields/#sec-privatefieldfind). + + This patch makes the above change, and also adds an assert in JSObject::getPrivateField + to ensure that no one calls it for a VMInquiry since it is not supported. + + Also added a PropertySlot::isVMInquiry() convenience query method. 
+ + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/JSObjectInlines.h: + (JSC::JSObject::getPrivateField): + * runtime/PropertySlot.h: + (JSC::PropertySlot::isVMInquiry const): + +2020-07-21 Keith Miller + + Fix FinalizationRegistry GC finalizer interation + https://bugs.webkit.org/show_bug.cgi?id=214586 + + + Reviewed by Mark Lam and Yusuke Suzuki. + + Turns out when you remove the ith element from a Vector and you + increment the index anyway you skip things... Use the helper + functions instead. This fixes an ASAN crash on our + FinalizationRegistry tests. + + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * runtime/DeferredWorkTimer.cpp: + (JSC::DeferredWorkTimer::addPendingWork): + (JSC::DeferredWorkTimer::hasPendingWork): + (JSC::DeferredWorkTimer::hasDependancyInPendingWork): + (JSC::DeferredWorkTimer::cancelPendingWork): + * runtime/JSFinalizationRegistry.cpp: + (JSC::JSFinalizationRegistry::finalizeUnconditionally): + (JSC::JSFinalizationRegistry::takeDeadHoldingsValue): + +2020-07-21 Saam Barati + + Disable NO_SMT by default + https://bugs.webkit.org/show_bug.cgi?id=214607 + + Reviewed by Filip Pizlo. + + * runtime/OptionsList.h: + +2020-07-21 Caio Lima + + Debug build is failing after r264537 on Linux + https://bugs.webkit.org/show_bug.cgi?id=214596 + + Reviewed by Yusuke Suzuki. + + Removing `ASSERT_UNDER_CONTEXPR_CONTEXT(0)` to avoid compilation + failure of Debug builds on Linux. + + * runtime/IntlObject.cpp: + (JSC::relevantExtensionKeyString): + +2020-07-21 Adrian Perez de Castro + + Unreview non-unified source build fix + + * runtime/IntlDisplayNames.cpp: Add missing header. + +2020-07-20 Mark Lam + + TryGetById clobberize rules are wrong. + https://bugs.webkit.org/show_bug.cgi?id=163834 + + + Reviewed by Keith Miller. + + Theoretically, TryGetById can do the same things GetById does i.e. reify lazy + properties, read the stack, etc. 
Hence, its clobberize rule should be clobberTop + just like GetById. However, in practice, we don't currently use @tryGetById to + access anything on the stack (and probably never will). But as a conservative + measure, we'll just treat TryGetById like it can. In clobberize terms, this + means we declare TryGetById as doing read(World) (just like GetById) instead of + read(Heap). + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + +2020-07-20 Yusuke Suzuki + + Unreviewed, fix duplicate forward declaration introduced by merge conflict + https://bugs.webkit.org/show_bug.cgi?id=209779 + + * runtime/IntlRelativeTimeFormat.h: + +2020-07-20 Yusuke Suzuki + + [ECMA-402] Implement Intl.DisplayNames + https://bugs.webkit.org/show_bug.cgi?id=209779 + + Reviewed by Ross Kirsling. + + This patch implements Intl.DisplayNames behind useIntlDisplayNames=1 flag. + Intl.DisplayNames can offer readable "display-name" for ICU language, script, region, currency codes. + For example, it can offer "United States" string for "US" region code. + We use ICU ULocaleDisplayNames to implement it, except for currency since ULocaleDisplayNames is not supporting + currency correctly: it ignores "long", "short", and "narrow" style configurations. We need to call ucurr_getName + directly. + + This patch appropriately adds unicode-language-id parsing in IntlLocale.cpp so that we can validate language id + when it is passed to `Intl.DisplayNames#of` as defined in the spec. + + * CMakeLists.txt: + * DerivedSources-input.xcfilelist: + * DerivedSources-output.xcfilelist: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * runtime/CommonIdentifiers.h: + * runtime/IntlDisplayNames.cpp: Added. 
+ (JSC::IntlDisplayNames::create): + (JSC::IntlDisplayNames::createStructure): + (JSC::IntlDisplayNames::IntlDisplayNames): + (JSC::IntlDisplayNames::finishCreation): + (JSC::IntlDisplayNames::initializeDisplayNames): + (JSC::IntlDisplayNames::of const): + (JSC::IntlDisplayNames::resolvedOptions const): + (JSC::IntlDisplayNames::styleString): + (JSC::IntlDisplayNames::typeString): + (JSC::IntlDisplayNames::fallbackString): + * runtime/IntlDisplayNames.h: Copied from Source/JavaScriptCore/runtime/IntlRelativeTimeFormat.h. + * runtime/IntlDisplayNamesConstructor.cpp: Added. + (JSC::IntlDisplayNamesConstructor::create): + (JSC::IntlDisplayNamesConstructor::createStructure): + (JSC::IntlDisplayNamesConstructor::IntlDisplayNamesConstructor): + (JSC::IntlDisplayNamesConstructor::finishCreation): + (JSC::constructIntlDisplayNames): + (JSC::callIntlDisplayNames): + (JSC::IntlDisplayNamesConstructorSupportedLocalesOf): + * runtime/IntlDisplayNamesConstructor.h: Added. + * runtime/IntlDisplayNamesPrototype.cpp: Added. + (JSC::IntlDisplayNamesPrototype::create): + (JSC::IntlDisplayNamesPrototype::createStructure): + (JSC::IntlDisplayNamesPrototype::IntlDisplayNamesPrototype): + (JSC::IntlDisplayNamesPrototype::finishCreation): + (JSC::IntlDisplayNamesPrototypeFuncOf): + (JSC::IntlDisplayNamesPrototypeFuncResolvedOptions): + * runtime/IntlDisplayNamesPrototype.h: Added. + * runtime/IntlLocale.cpp: + (JSC::isUnicodeLanguageSubtag): Deleted. + (JSC::isUnicodeScriptSubtag): Deleted. + (JSC::isUnicodeRegionSubtag): Deleted. 
+ * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::initializeNumberFormat): + * runtime/IntlObject.cpp: + (JSC::createDisplayNamesConstructor): + (JSC::IntlObject::finishCreation): + (JSC::isUnicodeLanguageSubtag): + (JSC::isUnicodeScriptSubtag): + (JSC::isUnicodeRegionSubtag): + (JSC::isUnicodeVariantSubtag): + (JSC::isUnicodeLanguageId): + (JSC::isWellFormedCurrencyCode): + * runtime/IntlObject.h: + (JSC::intlDisplayNamesAvailableLocales): + * runtime/IntlRelativeTimeFormat.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::displayNamesStructure): + * runtime/OptionsList.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2020-07-20 Geoffrey Garen + + REGRESSION (r264242): [ macOS ] imported/w3c/web-platform-tests/wasm/jsapi/constructor/instantiate.any.html is a flaky crash + https://bugs.webkit.org/show_bug.cgi?id=214572 + + Unreviewed, reverting r264242. + + * runtime/JSRunLoopTimer.cpp: + (JSC::epochTime): + (JSC::JSRunLoopTimer::Manager::timerDidFireCallback): + (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): + (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): + (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData): + (JSC::JSRunLoopTimer::Manager::timerDidFire): + (JSC::JSRunLoopTimer::Manager::registerVM): + (JSC::JSRunLoopTimer::Manager::scheduleTimer): + (JSC::JSRunLoopTimer::Manager::cancelTimer): + (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): + * runtime/JSRunLoopTimer.h: + (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): + * runtime/PromiseTimer.cpp: + (JSC::PromiseTimer::doWork): + (JSC::PromiseTimer::runRunLoop): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::create): + (JSC::VM::tryCreate): + (JSC::VM::setRunLoop): + * runtime/VM.h: + (JSC::VM::runLoop const): + +2020-07-20 Ross Kirsling + + [JSC] eval?.() should be indirect eval + https://bugs.webkit.org/show_bug.cgi?id=214568 + + Reviewed by Keith 
Miller. + + eval?.() is specified as indirect eval, but (virtually) all implementations assumed it should be direct eval. + I raised this topic in today's TC39 meeting and we've decided to keep the spec as it is. + + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeFunctionCallNode): + Don't use EvalFunctionCallNode for optional call of eval. + +2020-07-20 Adrian Perez de Castro + + Non unified build fixes, midsummer 2020 edition + https://bugs.webkit.org/show_bug.cgi?id=213616 + + Unreviewed build fix. + + * b3/air/AirTmpInlines.h: + (JSC::B3::Air::TmpWidth::widths): Moved from AirTmpWidth.h + * b3/air/AirTmpWidth.cpp: Included AirTmpInlines.h + * b3/air/AirTmpWidth.h: TmpWidth::widths() moved out from here. + * runtime/ExceptionFuzz.cpp: Add missing inclusion of JSCJSValueInlines.h + * runtime/StructureIDTable.cpp: Add missing inclusions of wtf/DataLog.h + and wtf/RawPointer.h + * runtime/VMTraps.cpp: Ditto. + +2020-07-20 Keith Miller + + Add support for FinalizationRegistries + https://bugs.webkit.org/show_bug.cgi?id=199888 + + Reviewed by Yusuke Suzuki. + + This patch adds support for FinalizationRegistries. There are two + main parts to this patch, the first is refactoring PromiseTimer a + more general into DeferredWorkTimer. This allows us to finally + have a "real" setTimeout on the jsc command line. The second part + is adding all the new classes needed for FinalizationRegistries. + + The refactoring is mostly a rename but does two main new + things. The first is that it now notifies the VM we have finished + a synchronuous JS execution, so that WeakRefs can be + collected. The second is that it now catches any exceptions and + forwards the to a new method on the global object method + table. For WebCore, this reports the exception to the console. For + API users, this calls their exceptionHandler block. For the CLI, + it exits with exit status 3 (our general exception exit + status). 
Unfortunately, there's not currently an ergonomic way to + pass the expected exception from the CLI arguments to this handler + so that's not supported here. + + In order to support FinalizationRegistry this patch adds a "new" + class JSDestructibleInternalFieldObjectImpl, which allows us to + have a destructible object with internal fields. Since the order + of collection doesn't matter we currently use C++ HashTables on + the FinalizationRegistry. Since users can unregister objects while + the callback is pending we have a hash table for the live entries + and a second hash table for the dead ones. Lastly, because users + are not requred to provide a token for unregistration we have two + extra Vectors containing the live/dead objects that are not + unregisterible. + + * API/JSAPIGlobalObject.cpp: + * API/JSAPIGlobalObject.mm: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * jsc.cpp: + (functionSetTimeout): + (functionFinalizationRegistryLiveCount): + (functionFinalizationRegistryDeadCount): + (main): + (checkUncaughtException): + (checkException): + (GlobalObject::reportUncaughtExceptionAtEventLoop): + (runJSC): + * runtime/ArrayIteratorPrototype.cpp: + * runtime/CommonIdentifiers.h: + * runtime/DeferredWorkTimer.cpp: Renamed from Source/JavaScriptCore/runtime/PromiseTimer.cpp. + (JSC::DeferredWorkTimer::DeferredWorkTimer): + (JSC::DeferredWorkTimer::doWork): + (JSC::DeferredWorkTimer::runRunLoop): + (JSC::DeferredWorkTimer::addPendingWork): + (JSC::DeferredWorkTimer::hasPendingWork): + (JSC::DeferredWorkTimer::hasDependancyInPendingWork): + (JSC::DeferredWorkTimer::cancelPendingWork): + (JSC::DeferredWorkTimer::scheduleWorkSoon): + * runtime/DeferredWorkTimer.h: Renamed from Source/JavaScriptCore/runtime/PromiseTimer.h. + * runtime/FinalizationRegistryConstructor.cpp: Added. 
+ (JSC::FinalizationRegistryConstructor::finishCreation): + (JSC::FinalizationRegistryConstructor::FinalizationRegistryConstructor): + (JSC::callFinalizationRegistry): + (JSC::constructFinalizationRegistry): + * runtime/FinalizationRegistryConstructor.h: Copied from Source/JavaScriptCore/API/JSAPIGlobalObject.cpp. + * runtime/FinalizationRegistryPrototype.cpp: Added. + (JSC::FinalizationRegistryPrototype::finishCreation): + (JSC::getFinalizationRegistry): + (JSC::protoFuncFinalizationRegistryRegister): + (JSC::protoFuncFinalizationRegistryUnregister): + * runtime/FinalizationRegistryPrototype.h: Copied from Source/JavaScriptCore/API/JSAPIGlobalObject.cpp. + * runtime/IdentifierInlines.h: + (JSC::Identifier::Identifier): + * runtime/JSFinalizationRegistry.cpp: Added. + (JSC::JSFinalizationRegistry::createStructure): + (JSC::JSFinalizationRegistry::create): + (JSC::JSFinalizationRegistry::finishCreation): + (JSC::JSFinalizationRegistry::visitChildren): + (JSC::JSFinalizationRegistry::destroy): + (JSC::JSFinalizationRegistry::finalizeUnconditionally): + (JSC::JSFinalizationRegistry::runFinalizationCleanup): + (JSC::JSFinalizationRegistry::takeDeadHoldingsValue): + (JSC::JSFinalizationRegistry::registerTarget): + (JSC::JSFinalizationRegistry::unregister): + (JSC::JSFinalizationRegistry::liveCount): + (JSC::JSFinalizationRegistry::deadCount): + (JSC::JSFinalizationRegistry::toStringName): + * runtime/JSFinalizationRegistry.h: Added. 
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reportUncaughtExceptionAtEventLoop):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::stackOverflowFrameCallee const):
+ (JSC::JSGlobalObject::arrayIteratorProtocolWatchpointSet):
+ (JSC::JSGlobalObject::mapIteratorProtocolWatchpointSet):
+ (JSC::JSGlobalObject::setIteratorProtocolWatchpointSet):
+ (JSC::JSGlobalObject::stringIteratorProtocolWatchpointSet):
+ (JSC::JSGlobalObject::mapSetWatchpointSet):
+ (JSC::JSGlobalObject::setAddWatchpointSet):
+ (JSC::JSGlobalObject::arraySpeciesWatchpointSet):
+ (JSC::JSGlobalObject::arrayJoinWatchpointSet):
+ (JSC::JSGlobalObject::numberToStringWatchpointSet):
+ * runtime/JSInternalFieldObjectImpl.h:
+ * runtime/JSInternalFieldObjectImplInlines.h:
+ (JSC::Base>::visitChildren):
+ (JSC::JSInternalFieldObjectImpl::visitChildren): Deleted.
+ * runtime/JSPromise.cpp:
+ (JSC::JSPromise::resolve):
+ (JSC::JSPromise::reject):
+ * runtime/StructureIDTable.cpp:
+ (JSC::StructureIDTable::allocateID):
+ (JSC::StructureIDTable::deallocateID):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::~VM):
+ * runtime/VM.h:
+ * wasm/js/JSWebAssembly.cpp:
+ (JSC::webAssemblyModuleValidateAsyncInternal):
+ (JSC::instantiate):
+ (JSC::compileAndInstantiate):
+ (JSC::webAssemblyModuleInstantinateAsyncInternal):
+ (JSC::webAssemblyCompileStreamingInternal):
+ (JSC::webAssemblyInstantiateStreamingInternal):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+
+2020-07-20 Michael Catanzaro
+
+ JSC build scripts should be quiet by default
+ https://bugs.webkit.org/show_bug.cgi?id=214535
+
+ Reviewed by Saam Barati.
+
+ There's no need for these scripts to print "Nothing changed" when they don't do anything.
+
+ * offlineasm/asm.rb:
+ * offlineasm/generate_offset_extractor.rb:
+ * offlineasm/generate_settings_extractor.rb:
+
+2020-07-19 Fujii Hironori
+
+ Unreviewed non-unified source build fix
+
+ * runtime/IntlDateTimeFormat.cpp:
+ * runtime/IntlRelativeTimeFormat.h:
+
+2020-07-19 Michael Catanzaro
+
+ -Warray-bounds warnings in testb3 and testair
+ https://bugs.webkit.org/show_bug.cgi?id=214533
+
+ Reviewed by Darin Adler.
+
+ Suppress these warnings when building testb3 and testair.
+
+ * shell/CMakeLists.txt:
+
+2020-07-19 Michael Catanzaro
+
+ cpp_generator.py:134: SyntaxWarning: "is" with a literal. Did you mean "=="?
+ https://bugs.webkit.org/show_bug.cgi?id=214530
+
+ Reviewed by Philippe Normand.
+
+ * inspector/scripts/codegen/cpp_generator.py:
+ (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
+
+2020-07-18 Mark Lam
+
+ Fixed regression due to r264507: Math.{min|max} inequality test should use DoubleNotEqualOrUnordered instead DoubleNotEqualAndOrdered.
+ https://bugs.webkit.org/show_bug.cgi?id=214526
+
+
+ Reviewed by Yusuke Suzuki.
+
+ This bug resulted in NaNs being handled by the "equal" case in some scenarios,
+ which resulted in an assertion failure in a ValueRep on an internal test.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArithMinMax):
+
+2020-07-18 Alexey Shvayka
+
+ Redefining a property should not change its insertion index (Object.keys order)
+ https://bugs.webkit.org/show_bug.cgi?id=142933
+
+ Reviewed by Saam Barati.
+
+ Before this change, JSC used to delete & put back a non-indexed property just to
+ update attributes, which was less efficient and corrupted observable property order.
+
+ This patch:
+ 1. Rewrites validateAndApplyPropertyDescriptor() to closely resemble the spec [1].
+ 2. Drops property deletion, inlines putDescriptor(), and sets necessary Structure
+ flags in attributeChangeTransition().
+ 3.
Simplifies validateAndApplyPropertyDescriptor() a bit by obtaining GetterSetter
+ instance from current descriptor rather then calling getDirect().
+
+ This change aligns property order with V8 and SpiderMonkey, advancing provided
+ microbenchmarks by 5-85% (especially for objects in dictionary mode).
+ SixSpeed, SunSpider, and ARES-6 are all neutral.
+
+ [1]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor
+
+ * runtime/JSObject.cpp:
+ (JSC::validateAndApplyPropertyDescriptor):
+ (JSC::JSObject::defineOwnNonIndexProperty):
+ (JSC::putDescriptor): Deleted.
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::putDirectInternal):
+ * runtime/PropertyDescriptor.cpp:
+ (JSC::PropertyDescriptor::slowGetterSetter const):
+ (JSC::PropertyDescriptor::slowGetterSetter): Deleted.
+ * runtime/PropertyDescriptor.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::attributeChangeTransition):
+
+2020-07-17 Yusuke Suzuki
+
+ [JSC] Clean up resolveLocale
+ https://bugs.webkit.org/show_bug.cgi?id=214446
+
+ Reviewed by Darin Adler.
+
+ Introduce RelevantExtensionKey and optimize resolveLocale implementation which avoids using HashMap for input and output.
+ We instead use std::array since # of RelevantExtensionKeys is only 6.
+
+ For input option, we use std::array, numberOfRelevantExtensionKeys> since this distinguish non-set-option and null String().
+ For output extension values, we simply use std::array.
+
+ * runtime/IntlCollator.cpp:
+ (JSC::IntlCollator::sortLocaleData):
+ (JSC::IntlCollator::searchLocaleData):
+ (JSC::IntlCollator::initializeCollator):
+ * runtime/IntlCollator.h:
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::localeData):
+ (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+ * runtime/IntlDateTimeFormat.h:
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::localeData):
+ (JSC::IntlNumberFormat::initializeNumberFormat):
+ * runtime/IntlNumberFormat.h:
+ * runtime/IntlObject.cpp:
+ (JSC::relevantExtensionKeyString):
+ (JSC::resolveLocale):
+ * runtime/IntlObject.h:
+ * runtime/IntlPluralRules.cpp:
+ (JSC::IntlPluralRules::localeData):
+ (JSC::IntlPluralRules::initializePluralRules):
+ * runtime/IntlPluralRules.h:
+ * runtime/IntlRelativeTimeFormat.cpp:
+ (JSC::IntlRelativeTimeFormat::localeData):
+ (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
+ * runtime/IntlRelativeTimeFormat.h:
+
+2020-07-17 Xan López
+
+ Math.max() can yield the wrong result for max(0, -0).
+ https://bugs.webkit.org/show_bug.cgi?id=204457
+
+ Reviewed by Mark Lam.
+
+ The implementations for Math.{max,min} in both DFG and FTL are not
+ considering the fact that according to the spec -0.0 < 0.0 (which
+ is not true for normal double arithmetic).
+ See: https://tc39.es/ecma262/#sec-math.max and https://tc39.es/ecma262/#sec-math.min
+
+ Beyond tweaking the algorithms used in DFG and FTL we must
+ implement the and/or operations on double in MIPS and ARMv7, since
+ these are used in the DFG JIT to distinguish between -0.0 and 0.0.
+
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::vand):
+ (JSC::ARMv7Assembler::vorr):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::andDouble):
+ (JSC::MacroAssemblerARMv7::orDouble):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::andDouble):
+ (JSC::MacroAssemblerMIPS::orDouble):
+ * assembler/testmasm.cpp:
+ (JSC::testAndOrDouble):
+ (JSC::run):
+ * dfg/DFGAbstractInterpreterInlines.h: consider that -0.0 < 0.0 per the ECMAScript spec.
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGSpeculativeJIT.cpp: ditto.
+ (JSC::DFG::SpeculativeJIT::compileArithMinMax):
+ * ftl/FTLLowerDFGToB3.cpp: ditto.
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
+
+2020-07-17 Alexey Shvayka
+
+ emitIsUndefined() should not special-case [[IsHTMLDDA]] objects
+ https://bugs.webkit.org/show_bug.cgi?id=214443
+
+ Reviewed by Yusuke Suzuki.
+
+ According to Annex B [1], there is only a handful of language constructs
+ that handle [[IsHTMLDDA]] objects: ToBoolean, abstract equality with `null`
+ or `undefined`, and `typeof`. Currently, op_is_undefined does special-case
+ masquarader objects, even though it is used beyond `typeof`.
+
+ With this change, emitIsUndefined() produces `=== undefined`, which meets
+ developer expectations and the spec for all its usages, while op_is_undefined
+ is renamed to op_typeof_is_undefined. New name offers better semantics and
+ clearly communicates the op should be avoided when implementing new features.
+
+ Apart from fixing default values with [[IsHTMLDDA]] objects [2], this change
+ brings significant speed-up: +50% for function parameters and +20% for
+ object destructuring (masqueradesAsUndefinedWatchpoint is not fired).
+
+ This patch also introduces similar emitIsNull() method to avoid breaking
+ masquarader object as superclass test262 case.
+
+ [1]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot
+ [2]: https://tc39.es/ecma262/#sec-runtime-semantics-keyedbindinginitialization (step 2)
+
+ * bytecode/BytecodeList.rb:
+ * bytecode/BytecodeUseDef.cpp:
+ (JSC::computeUsesForBytecodeIndexImpl):
+ (JSC::computeDefsForBytecodeIndexImpl):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitEqualityOpImpl):
+ (JSC::BytecodeGenerator::emitIsUndefined): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitIsNull):
+ (JSC::BytecodeGenerator::emitIsUndefined):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::emitBytecode):
+ (JSC::ClassExprNode::emitBytecode):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::handle):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileTypeOfIsUndefined):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIsUndefined): Deleted.
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_typeof_is_undefined):
+ (JSC::JIT::emit_op_is_undefined): Deleted.
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_typeof_is_undefined):
+ (JSC::JIT::emit_op_is_undefined): Deleted.
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2020-07-16 Yusuke Suzuki
+
+ [JSC] Clean up Intl option parsing code by introducing intlOption<>
+ https://bugs.webkit.org/show_bug.cgi?id=214437
+
+ Reviewed by Ross Kirsling.
+
+ This patch introduces intlOption<>(...) function and remove redundant string comparisons.
+ This makes option handling efficient, and it makes code clean.
+
+ * runtime/IntlCollator.cpp:
+ (JSC::IntlCollator::initializeCollator):
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::initializeNumberFormat):
+ * runtime/IntlObject.cpp:
+ (JSC::resolveLocale):
+ (JSC::supportedLocales):
+ * runtime/IntlObject.h:
+ * runtime/IntlObjectInlines.h:
+ (JSC::intlOption):
+ * runtime/IntlPluralRules.cpp:
+ (JSC::IntlPluralRules::initializePluralRules):
+ * runtime/IntlRelativeTimeFormat.cpp:
+ (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
+
+2020-07-16 Fujii Hironori
+
+ [WTF] Remove the unnecessary inner class DefaultHash::Hash
+ https://bugs.webkit.org/show_bug.cgi?id=214389
+
+ Reviewed by Darin Adler.
+
+ * assembler/MacroAssemblerCodeRef.h:
+ * b3/B3CheckSpecial.h:
+ * b3/B3Kind.h:
+ * b3/B3ValueKey.h:
+ * b3/air/AirAllocateRegistersByGraphColoring.cpp:
+ * b3/air/AirArg.h:
+ * b3/air/AirTmp.h:
+ * bytecode/BytecodeIndex.h:
+ * bytecode/CallVariant.h:
+ * bytecode/CodeOrigin.h:
+ * bytecode/DFGExitProfile.h:
+ * bytecode/LazyOperandValueProfile.h:
+ * bytecode/ObjectPropertyCondition.h:
+ * bytecode/PropertyCondition.h:
+ * dfg/DFGAbstractHeap.h:
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGByteCodeParser.cpp:
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGCompilationKey.h:
+ * dfg/DFGDesiredGlobalProperty.h:
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGLivenessAnalysisPhase.cpp:
+ * dfg/DFGMinifiedID.h:
+ * dfg/DFGNodeFlowProjection.h:
+ * dfg/DFGPromotedHeapLocation.h:
+ * dfg/DFGPropertyTypeKey.h:
+ * dfg/DFGPureValue.h:
+ * ftl/FTLLocation.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+ * ftl/FTLSlowPathCallKey.h:
+ * heap/MarkedBlock.h:
+ * heap/VisitRaceKey.h:
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/expected/enum-values.json-result:
+ * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
+ * jit/ICStats.h:
+ * jit/JITThunks.h:
+ * jit/Reg.h:
+ * jit/RegisterSet.h:
+ * parser/VariableEnvironment.h:
+ * profiler/ProfilerOrigin.h:
+ * profiler/ProfilerOriginStack.h:
+ * profiler/ProfilerUID.h:
+ *
runtime/CachedTypes.cpp:
+ * runtime/ControlFlowProfiler.h:
+ * runtime/NativeFunction.h:
+ * runtime/PrototypeKey.h:
+ * runtime/RegExpKey.h:
+ * runtime/TemplateObjectDescriptor.h:
+ * runtime/TypeProfiler.h:
+ * runtime/VarOffset.h:
+ * runtime/WeakGCMap.h:
+ * wasm/WasmBBQPlan.h:
+ * wasm/WasmCodeBlock.h:
+ * wasm/WasmEntryPlan.h:
+ * wasm/WasmLLIntPlan.h:
+ * wasm/WasmSignature.h:
+
+2020-07-16 Yusuke Suzuki
+
+ [JSC] Use unvalidatedGet instead of get to access UnlinkedCodeBlock from CodeBlock destructor
+ https://bugs.webkit.org/show_bug.cgi?id=214403
+
+
+ Reviewed by Mark Lam.
+
+ WriteBarrier<>::get has a check whether this is not executed when sweeping cells. This is good assertion since
+ destruction order of cells are not defined in general, so member cell access from a destructor is almost always wrong.
+ But in CodeBlock case, this is OK because (1) CodeBlock destructor accesses UnlinkedCodeBlock and (2) GC ensures that
+ CodeBlock gets destroyed before UnlinkedCodeBlock gets destroyed. So this assertion is hit incorrectly.
+ In this patch, we use WriteBarrier<>::unvalidatedGet in CodeBlock destructor to bypass the above assertion explicitly.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::~CodeBlock):
+ * heap/Heap.cpp:
+ (JSC::Heap::deleteUnmarkedCompiledCode):
+
+2020-07-15 Fujii Hironori
+
+ [CMake][WebDriver] Generating WebDriverAtoms.cpp is rarely failing as "ImportError: No module named jsmin"
+ https://bugs.webkit.org/show_bug.cgi?id=214339
+
+ Reviewed by Don Olmstead.
+
+ * CMakeLists.txt: Renamed stageSharedScripts to JavaScriptCoreSharedScripts.
+
+2020-07-15 Mark Lam
+
+ Add handling of out of memory handling while adding a worklet module.
+ https://bugs.webkit.org/show_bug.cgi?id=214354
+
+
+ Reviewed by Yusuke Suzuki and Keith Miller.
+
+ Add VM::tryCreate() that can fail if we encounter an out of memory issue.
+ As always, we're taking a best effort approach to handling out of memory errors.
+ Hence, we will not attempt to exhaustively handle every OOME scenario. This patch
+ only checks for failure to allocate a BigInt due to Gigacage exhaustion. While it
+ doesn't handle other allocation errors, it does enable us to add handling of other
+ cases in the future as needed.
+
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::tryCreate):
+ * runtime/VM.h:
+
+2020-07-15 Jim Mason
+
+ [WTF] Fix PackedAlignedPtr for X86_64 canonical addresses
+ https://bugs.webkit.org/show_bug.cgi?id=214142
+
+ Reviewed by Mark Lam
+
+ Fixed pointer test to use unsigned in place of signed.
+
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+
+2020-07-15 Alexey Shvayka
+
+ Emit HasOwnPropertyFunctionCallDotNode for "Reflect" identifiers
+ https://bugs.webkit.org/show_bug.cgi?id=214325
+
+ Reviewed by Darin Adler and Saam Barati.
+
+ Currently, HasOwnPropertyFunctionCallDotNode is emitted for all ResolveNodes
+ except ones with "Reflect" identifier. This exception doesn't seem necessary
+ as ReflectObject inherits ordinary `Object.prototype.hasOwnProperty` method.
+
+ This patch removes the exception, advancing provided "Reflect" microbenchmark
+ by 20%. No behavior change.
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::makeFunctionCallNode):
+
+2020-07-15 Yusuke Suzuki
+
+ [JSC] Introduce JSCTEST_hardTimeout
+ https://bugs.webkit.org/show_bug.cgi?id=214343
+
+ Reviewed by Mark Lam.
+
+ JSC Debug tests are failing consistently these days, https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests/.
+ My guess is that some tests get stuck inside JSC even if timeout occurs. Let's consider the following case.
+
+ 1. The test is having `JSC_useConcurrentJIT=0`.
+ 2. The test is building super heavy FTL code in the main thread.
+ 3. The timeout thread notifies the VM about the timeout.
+ 4. But VM does not stop since it is running super heavy FTL compilation.
+ 5. After 1200 seconds, buildbot terminates the entire test.
+
+ In the above case, JSC gets stuck, and eventually buildbot terminates.
+ In this patch, we introduce JSCTEST_hardTimeout. After soft-timeout (usual timeout) happens, we wait another JSCTEST_hardTimeout seconds.
+ And if the JSC shell is not finished, we forcefully terminates the JSC shell via exit(EXIT_FAILURE), to avoid entire JSC test termination
+ in buildbot.
+
+ We pick 300 seconds. This means, after soft-timeout occurs, we wait for 5 mins, and if the JSC shell is still active, kill it. 5 mins sounds
+ reasonable amount of time. And this should fit within buildbot's hard timeout (1200 seconds).
+
+ * jsc.cpp:
+ (startTimeoutTimer):
+
+2020-07-14 Saam Barati
+
+ We must hold the CodeBlock lock when calling StructureStubInfo::reset
+ https://bugs.webkit.org/show_bug.cgi?id=214332
+
+
+ Reviewed by Yusuke Suzuki.
+
+ There was a race between resetting the StructureStubInfo, and reading from
+ it from the compiler thread. There was one place inside Repatch where we
+ didn't hold the CodeBlock's lock when calling StructureStubInfo::reset.
+
+ To make it clear which functions require the CodeBlock's lock to be
+ held when called, I've changed all such functions to take the
+ LockHolder as a parameter.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
+ * bytecode/StructureStubClearingWatchpoint.cpp:
+ (JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal):
+ (JSC::AdaptiveValueStructureStubClearingWatchpoint::handleFire):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::initGetByIdSelf):
+ (JSC::StructureStubInfo::initArrayLength):
+ (JSC::StructureStubInfo::initStringLength):
+ (JSC::StructureStubInfo::initPutByIdReplace):
+ (JSC::StructureStubInfo::initInByIdSelf):
+ (JSC::StructureStubInfo::addAccessCase):
+ (JSC::StructureStubInfo::reset):
+ (JSC::StructureStubInfo::visitWeakReferences):
+ (JSC::StructureStubInfo::setCacheType):
+ * bytecode/StructureStubInfo.h:
+ * jit/Repatch.cpp:
+ (JSC::fireWatchpointsAndClearStubIfNeeded):
+ (JSC::tryCacheGetBy):
+ (JSC::tryCachePutByID):
+ (JSC::tryCacheInByID):
+
+2020-07-14 Mark Lam
+
+ Handle out of memory error while creating an error message in the literal parser.
+ https://bugs.webkit.org/show_bug.cgi?id=214313
+
+
+ Reviewed by Saam Barati.
+
+ * runtime/LiteralParser.cpp:
+ (JSC::LiteralParser::parse):
+
+2020-07-14 Caitlin Potter
+
+ [JSC] fixup LLInt fast path in op_get_private_name
+ https://bugs.webkit.org/show_bug.cgi?id=214311
+
+ Reviewed by Tadeu Zagallo.
+
+ The LLInt slow path would previously always be taken in op_get_private_name,
+ due to not comparing the operand field name's JSValue payload with the cached
+ field name, but the register index itself.
+
+ This fixup can't really be verified by tests, as it is primarily a
+ minor performance improvement.
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2020-07-14 Xan Lopez
+
+ [JSC] Remove compiler warning in JSBigInt
+ https://bugs.webkit.org/show_bug.cgi?id=214298
+
+ Reviewed by Sam Weinig.
+
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::parseInt): no need to ASSERT >= 0 with an unsigned int.
+
+2020-07-14 Fujii Hironori
+
+ Unreviewed non-unified build fixes
+
+ * runtime/IntlObject.cpp:
+
+2020-07-13 Fujii Hironori
+
+ Unreviewed non-unified build fixes
+
+ * dfg/DFGCodeOriginPool.h:
+
+2020-07-13 Saam Barati
+
+ returnEarlyFromInfiniteLoopsForFuzzing and validateDoesGC may fail when used together in the FTL
+ https://bugs.webkit.org/show_bug.cgi?id=214289
+
+
+ Reviewed by Keith Miller.
+
+ Because the patchpoint we use for returnEarlyFromInfiniteLoopsForFuzzing doesn't
+ read or write any heap ranges, B3 move memory ops around it. In particular, it
+ might move the validate DoesGC store above it. In the FTL, we should make returnEarlyFromInfiniteLoopsForFuzzing
+ mimic what Return does for validating DoesGC.
+
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
+
+2020-07-13 Yusuke Suzuki
+
+ [JSC] IntlLocale::initializeLocale should have scope.release
+ https://bugs.webkit.org/show_bug.cgi?id=214271
+
+
+ Reviewed by Darin Adler.
+
+ Add missing scope.release() to suppress validateExceptionChecks crash.
+
+ * runtime/IntlLocale.cpp:
+ (JSC::IntlLocale::initializeLocale):
+
+2020-07-13 Yusuke Suzuki
+
+ [JSC] FTL isCellOrMisc should be isCellOrMiscOrBigInt32
+ https://bugs.webkit.org/show_bug.cgi?id=214269
+
+
+ Reviewed by Mark Lam.
+
+ FTL isCellOrMisc's check can accept BigInt32 too. So it should be isCellOrMiscOrBigInt32.
+ Since our proven type filter does not include SpecBigInt32, isCellOrMisc can be folded into
+ false for BigInt32 AbstractValue. This patch fixes that filter. And we also reviewed places
+ using isCellOrMisc / isNotCellOrMisc.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
+ (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::isCellOrMiscOrBigInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMiscOrBigInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::isNumber):
+ (JSC::FTL::DFG::LowerDFGToB3::isNotNumber):
+ (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc): Deleted.
+
+2020-07-13 Geoffrey Garen
+
+ Unreviewed, re-landing r264242 with crash fixed.
+
+ Re-landed changeset:
+
+ "JSRunLoopTimer should use WTF::RunLoop rather than custom CF
+ code"
+ https://bugs.webkit.org/show_bug.cgi?id=214102
+ https://trac.webkit.org/changeset/264242
+
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::epochTime):
+ (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
+ (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
+ (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
+ (JSC::JSRunLoopTimer::Manager::timerDidFire):
+ (JSC::JSRunLoopTimer::Manager::registerVM):
+ (JSC::JSRunLoopTimer::Manager::scheduleTimer):
+ (JSC::JSRunLoopTimer::Manager::cancelTimer):
+ (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): Deleted.
+ (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): Deleted.
+ * runtime/JSRunLoopTimer.h:
+ (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): Deleted.
+ * runtime/PromiseTimer.cpp:
+ (JSC::PromiseTimer::doWork):
+ (JSC::PromiseTimer::runRunLoop):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::create):
+ (JSC::VM::setRunLoop): Deleted.
+ * runtime/VM.h:
+ (JSC::VM::runLoop const):
+
+2020-07-13 Keith Miller
+
+ Clean up SourceProvider and add caller relative load script to jsc.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=214205
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch originally was just to add an optional parameter to our
+ load function so that any relative path is computed with respect
+ to calling script.
Rather than computing the path relative to the
+ current working directory. The main advantage of this is now you
+ can run all the JSTests/stress scripts from anywhere rather than
+ only from the stress directory. This also matches jsc.cpp's module
+ loader implementation.
+
+ To make this possible a surprising number of changes were
+ needed. Specifically, it was much easier to get this to work if we
+ converted SourceOrigin's url to a WTF::URL rather than just a
+ WTF::String. At the same time it became clear that
+ SourceProvider's m_sourceURL is really not a URL but more of a
+ file name, which can sometimes be a URL. It's possible that we
+ don't need m_sourceURL at all but we should do that in a different
+ patch.
+
+ Additionally, jsc.cpp now uses WTF::URL for handling file
+ paths. This is cleaner than managing trying to do it ourselves and
+ should work across all the ports.
+
+ Lastly, the JSC CLI no longer accepts "bare-name"
+ specifiers. i.e. all specifiers must start with "/", "./", or
+ "../". This matches what we do in our Obj-C API and in
+ WebCore. While fixing tests I also noticed that the error message
+ was almost useless since it didn't tell you what the specifier or
+ referrer in question so that information is now part of the user
+ visible error.
+
+ * API/JSAPIGlobalObject.mm:
+ (JSC::computeValidImportSpecifier):
+ (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
+ * API/JSBase.cpp:
+ (JSEvaluateScript):
+ (JSCheckScriptSyntax):
+ * API/JSObjectRef.cpp:
+ (JSObjectMakeFunction):
+ * API/JSScript.mm:
+ (-[JSScript sourceCode]):
+ * API/JSScriptRef.cpp:
+ * API/glib/JSCContext.cpp:
+ (jsc_context_check_syntax):
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::BuiltinExecutables):
+ * debugger/DebuggerLocation.cpp:
+ (JSC::DebuggerLocation::DebuggerLocation):
+ * debugger/DebuggerLocation.h:
+ (JSC::DebuggerLocation::DebuggerLocation):
+ * inspector/ScriptDebugServer.cpp:
+ (Inspector::ScriptDebugServer::sourceParsed):
+ * jsc.cpp:
+ (currentWorkingDirectory):
+ (absolutePath):
+ (GlobalObject::moduleLoaderImportModule):
+ (GlobalObject::moduleLoaderResolve):
+ (jscSource):
+ (fetchModuleFromLocalFileSystem):
+ (GlobalObject::moduleLoaderFetch):
+ (functionLoad):
+ (functionCallerSourceOrigin):
+ (functionDollarAgentStart):
+ (functionCheckModuleSyntax):
+ (runWithOptions):
+ (runInteractive):
+ (ModuleName::startsWithRoot const): Deleted.
+ (ModuleName::ModuleName): Deleted.
+ (extractDirectoryName): Deleted.
+ (resolvePath): Deleted.
+ * parser/Nodes.h:
+ (JSC::ScopeNode::source const):
+ (JSC::ScopeNode::sourceURL const): Deleted.
+ * parser/SourceCode.h:
+ (JSC::makeSource):
+ * parser/SourceCodeKey.h:
+ (JSC::SourceCodeKey::host const):
+ * parser/SourceProvider.cpp:
+ (JSC::SourceProvider::SourceProvider):
+ * parser/SourceProvider.h:
+ (JSC::SourceProvider::sourceURL const):
+ (JSC::StringSourceProvider::create):
+ (JSC::StringSourceProvider::StringSourceProvider):
+ (JSC::SourceProvider::url const): Deleted.
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedSourceOrigin::encode):
+ (JSC::CachedSourceOrigin::decode const):
+ (JSC::CachedSourceProviderShape::encode):
+ (JSC::CachedStringSourceProvider::decode const):
+ (JSC::CachedWebAssemblySourceProvider::decode const):
+ * runtime/Error.cpp:
+ (JSC::addErrorInfo):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::constructFunctionSkippingEvalEnabledCheck):
+ * runtime/ScriptExecutable.h:
+ (JSC::ScriptExecutable::sourceURL const):
+ * runtime/SourceOrigin.h:
+ (JSC::SourceOrigin::SourceOrigin):
+ (JSC::SourceOrigin::url const):
+ (JSC::SourceOrigin::string const):
+ (JSC::SourceOrigin::isNull const):
+ * runtime/ThrowScope.cpp:
+ (JSC::ThrowScope::throwException):
+ * runtime/ThrowScope.h:
+ (JSC::ThrowScope::throwException):
+ (JSC::throwVMException):
+ * tools/FunctionOverrides.cpp:
+ (JSC::initializeOverrideInfo):
+ * tools/JSDollarVM.cpp:
+ (JSC::doPrint):
+ (JSC::functionCrash):
+
+2020-07-12 Yusuke Suzuki
+
+ [JSC] String.protoytpe.toLocaleLowerCase's availableLocales HashSet is inefficient
+ https://bugs.webkit.org/show_bug.cgi?id=213158
+
+ Reviewed by Darin Adler.
+
+ Currently, we are always creating the same HashSet every time String.protoytpe.toLocaleLowerCase is called.
+ We changed bestAvailableLocale to take predicate function. And we pass a predicate which returns true for
+ case-sensitive locales.
+
+ * runtime/IntlObject.cpp:
+ (JSC::bestAvailableLocale):
+ * runtime/IntlObject.h:
+ * runtime/IntlObjectInlines.h:
+ (JSC::bestAvailableLocale):
+ * runtime/StringPrototype.cpp:
+ (JSC::computeTwoCharacters16Code):
+ (JSC::toLocaleCase):
+
+2020-07-12 Yusuke Suzuki
+
+ [JSC] We should keep unaligned access feature in certain architectures in macro-assembler
+ https://bugs.webkit.org/show_bug.cgi?id=214243
+
+ Reviewed by Darin Adler.
+
+ We introduced the assertion in r263049, but this assertion crashes in testb3 Debug build.
+ testb3 actually tests unaligned access feature since ARM64 and x64 allow it.
And unaligned access is useful
+ for Yarr etc., so we want to keep unaligned access feature if architecture allows it. We should make this
+ assertion effective only if CPU(NEEDS_ALIGNED_ACCESS) is true.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::loadPtr):
+
+2020-07-12 Yusuke Suzuki
+
+ [JSC] Avoid JSString creation in Intl.Locale#{minimize,maximize}
+ https://bugs.webkit.org/show_bug.cgi?id=214231
+
+ Reviewed by Darin Adler.
+
+ Add initializeLocale function taking String to avoid unnecessary JSString creation
+ in Intl.Locale#{maximize,minimize}.
+
+ * runtime/IntlLocale.cpp:
+ (JSC::IntlLocale::initializeLocale):
+ * runtime/IntlLocale.h:
+ * runtime/IntlLocalePrototype.cpp:
+ (JSC::IntlLocalePrototypeFuncMaximize):
+ (JSC::IntlLocalePrototypeFuncMinimize):
+
+2020-07-11 Yusuke Suzuki
+
+ Intl.Locale maximize, minimize should return Intl.Locale instead of String
+ https://bugs.webkit.org/show_bug.cgi?id=214223
+
+
+ Reviewed by Ross Kirsling.
+
+ Intl.Locale#{maximize,minimize} should return Intl.Locale object instead of generated locale string.
+
+ We also add some protection and use jsString instead of jsNontrivialString because it would be still
+ possible that ICU's locale recognition and our locale interpretation do not agree each other and ICU
+ failed to produce locale, and then the string becomes empty. Since this is a boundary between third-party
+ library and JSC, and we are not ensuring our invariant inside third-party library, taking safer path makes
+ it better.
+
+ We also change IntlLocale#{maximize,minimize} C++ function names to maximal and minimal to align them
+ to the sepc's definitions.
+
+ * runtime/IntlLocale.cpp:
+ (JSC::IntlLocale::maximal):
+ (JSC::IntlLocale::minimal):
+ (JSC::IntlLocale::maximize): Deleted.
+ (JSC::IntlLocale::minimize): Deleted.
+ * runtime/IntlLocale.h:
+ * runtime/IntlLocalePrototype.cpp:
+ (JSC::IntlLocalePrototypeFuncMaximize):
+ (JSC::IntlLocalePrototypeFuncMinimize):
+ (JSC::IntlLocalePrototypeFuncToString):
+ (JSC::IntlLocalePrototypeGetterBaseName):
+ (JSC::IntlLocalePrototypeGetterCalendar):
+ (JSC::IntlLocalePrototypeGetterCaseFirst):
+ (JSC::IntlLocalePrototypeGetterCollation):
+ (JSC::IntlLocalePrototypeGetterHourCycle):
+ (JSC::IntlLocalePrototypeGetterNumberingSystem):
+ (JSC::IntlLocalePrototypeGetterLanguage):
+ (JSC::IntlLocalePrototypeGetterScript):
+ (JSC::IntlLocalePrototypeGetterRegion):
+
+2020-07-10 Chris Dumez
+
+ Unreviewed, reverting r264242.
+
+ Caused many crashes on iOS bots
+
+ Reverted changeset:
+
+ "JSRunLoopTimer should use WTF::RunLoop rather than custom CF
+ code"
+ https://bugs.webkit.org/show_bug.cgi?id=214102
+ https://trac.webkit.org/changeset/264242
+
+2020-07-10 Geoffrey Garen
+
+ JSRunLoopTimer should use WTF::RunLoop rather than custom CF code
+ https://bugs.webkit.org/show_bug.cgi?id=214102
+
+ Reviewed by Darin Adler.
+
+ The generic RunLoop codepath was already mostly right. Just needed to
+ clarify the API to demonstrate that VMs do not hop from one RunLoop
+ to another.
+
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::epochTime): Removed the CF path.
+
+ (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): Include a RunLoop
+ as a constructor argument so that the web thread can override it.
+
+ (JSC::JSRunLoopTimer::Manager::timerDidFireCallback): Removed the CF path.
+
+ (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData): No need to
+ explicitly clear our RunLoop -- the RunLoop::Timer destructor will do
+ the job.
+
+ (JSC::JSRunLoopTimer::Manager::timerDidFire):
+ (JSC::JSRunLoopTimer::Manager::registerVM):
+ (JSC::JSRunLoopTimer::Manager::scheduleTimer):
+ (JSC::JSRunLoopTimer::Manager::cancelTimer): Removed the CF path.
+
+ (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): Deleted.
+ (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): Deleted. Changing
+ RunLoops is not actually a feature we use.
+
+ * runtime/JSRunLoopTimer.h:
+ (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): Deleted.
+ * runtime/PromiseTimer.cpp:
+ (JSC::PromiseTimer::doWork):
+ (JSC::PromiseTimer::runRunLoop): Removed the CF path.
+
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::create):
+ (JSC::VM::setRunLoop): Deleted.
+ * runtime/VM.h:
+ (JSC::VM::runLoop const): Require a RunLoop in the VM constructor in
+ order to clarify that we always know our RunLoop and never change it.
+
+2020-07-09 Brian Burg
+
+ REGRESSION(r262302): ITMLKit debuggables in listings are missing a title, use UUID instead
+ https://bugs.webkit.org/show_bug.cgi?id=214153
+
+ Reviewed by Devin Rousso.
+
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::listingForInspectionTarget const):
+ Looks like this is due to copypasta.
+
+2020-07-09 Alexey Shvayka
+
+ ErrorInstance::finishCreation() puts "message" twice, with different attributes
+ https://bugs.webkit.org/show_bug.cgi?id=214089
+
+ Reviewed by Yusuke Suzuki.
+
+ This change refactors appendSourceToError() to return new message, making it almost pure
+ and eliminating extra JSString -> String -> JSString conversion and {get,put}Direct() calls
+ from ErrorInstance::finishCreation(). Also, moves null message check as early as possible.
+
+ Removed putDirect() call didn't pass PropertyAttribute::DontEnum. An implementation detail,
+ that is about to change in https://webkit.org/b/142933, prevented "message" property from
+ beind redefined with PropertyAttribute::None.
+
+ No behavior change. Advances provided microbenchmark by 5%.
+
+ * runtime/ErrorInstance.cpp:
+ (JSC::appendSourceToErrorMessage):
+ (JSC::ErrorInstance::finishCreation):
+ (JSC::appendSourceToError): Deleted.
+
+2020-07-08 Yusuke Suzuki
+
+ [JSC] B3 PureCSE should ignore values which are moved to new BasicBlock
+ https://bugs.webkit.org/show_bug.cgi?id=214115
+
+
+ Reviewed by Saam Barati.
+
+ We are performing "Select" specialization like this.
+
+ BB#target
+ ...
+ @a = Select(@p, @x, 42)
+ @b = Add(@a, 35)
+ Check(@b)
+ @c = ...
+
+ becomes this:
+
+ BB#predecessor
+ ...
+ Branch(@p, #truecase, #falsecase)
+
+ BB#truecase:
+ @b_truecase = Add(@x, 35)
+ Check(@b_truecase)
+ Upsilon(@x, ^a)
+ Upsilon(@b_truecase, ^b)
+ Jump(#continuation)
+
+ BB#falsecase:
+ @b_falsecase = Add(42, 35)
+ Check(@b_falsecase)
+ Upsilon(42, ^a)
+ Upsilon(@b_falsecase, ^b)
+ Jump(#continuation)
+
+ BB#continuation:
+ @a = Phi()
+ @b = Phi()
+ Jump(#target)
+
+ BB#target
+ @c = ...
+
+ In the above transformation, we create a new BasicBlock and move @a and @b to that one. This is good since we do not need to rewrite all the use of @a and @b.
+ However, this confuses PureCSE since @a and @b point to a BasicBlock (BB#continuation) which is not inserted into the graph yet.
+
+ This patch changes PureCSE so that it ignores values which owners are not inserted yet.
+
+ * b3/B3BasicBlock.h:
+ (JSC::B3::BasicBlock::isInserted const):
+ * b3/B3GenericBlockInsertionSet.h:
+ (JSC::B3::GenericBlockInsertionSet::insert):
+ * b3/B3PureCSE.cpp:
+ (JSC::B3::PureCSE::findMatch):
+ (JSC::B3::PureCSE::process):
+ * b3/air/AirBasicBlock.h:
+
+2020-07-08 Saam Barati
+
+ Add a fuzzing toggle for LICM
+ https://bugs.webkit.org/show_bug.cgi?id=214093
+
+ Reviewed by Yusuke Suzuki.
+
+ We have an AI based safety checker for LICM, to determine if it's safe to
+ hoist nodes. Historically, we've had bugs here, where we allow unsafe
+ hoisting. In practice, we've been saved by safety checks also being hoisted
+ at the same time as the operation they're protecting, so even if we
+ have bugs in AI-based safeToExecute, things usually just work.
Since
+ we've had security bugs here before, where the safety checks don't get hoisted,
+ leading to issues, it's helpful if we can fuzz this area. This patch implements
+ a way to says we won't hoist a node based on some probability, allowing us to play
+ with what does and doesn't get hoisted.
+
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::run):
+ * runtime/OptionsList.h:
+
+2020-07-08 Saam Barati
+
+ Add a way to return early from detected infinite loops to aid the fuzzer
+ https://bugs.webkit.org/show_bug.cgi?id=214067
+
+ Reviewed by Yusuke Suzuki.
+
+ It's useful for the fuzzer to not get stuck in infinite loops so its
+ test cases can make forward progress trying to find bugs. This patch
+ adds a new mechanism where we can early return if we've exceeded a total
+ execution count for a static loop in bytecode. Note: this is not on a
+ per-frame basis, but it's a way to implement this in a non-invasive way
+ which is also practical for the fuzzer to use.
+
+ * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
+ (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
+ * b3/air/AirCode.cpp:
+ (JSC::B3::Air::Code::emitEpilogue):
+ * b3/air/AirCode.h:
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
+ * bytecode/BytecodeList.rb:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::~CodeBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoopHint):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_loop_hint):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/mips.rb:
+ * runtime/OptionsList.h:
+ * runtime/VM.cpp:
+ (JSC::VM::addLoopHintExecutionCounter):
+
(JSC::VM::getLoopHintExecutionCounter):
+ (JSC::VM::removeLoopHintExecutionCounter):
+ * runtime/VM.h:
+
+2020-07-07 Yusuke Suzuki
+
+ [JSC] BytecodeGenerator should be robust against failed constant generation
+ https://bugs.webkit.org/show_bug.cgi?id=214062
+
+
+ Reviewed by Saam Barati.
+
+ Some code in NodesCodegen.cpp assumes `jsValue(generator)` call for constant nodes must succeed.
+ But this can fail when BigInt in source code is too large and becomes OOM. BytecodeGenerator should
+ be robust against BigInt OOM.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ConstantNode::emitBytecodeInConditionContext):
+ (JSC::ArrayNode::emitBytecode):
+ (JSC::BinaryOpNode::tryFoldToBranch):
+
+2020-07-07 Yusuke Suzuki
+
+ [JSC] Should not pass Exception to JSPromise::reject
+ https://bugs.webkit.org/show_bug.cgi?id=214061
+
+
+ Reviewed by Mark Lam.
+
+ In some places, we are passing Exception* as JSValue instead of Exception::value()'s JSValue.
+ Error and Exception are different, and Exception is not an object. We should pass Exception::value()'s
+ thrown value instead. I checked `reject(` call sites and ensure error is passed.
+
+ * API/JSAPIGlobalObject.mm:
+ (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
+ (JSC::JSAPIGlobalObject::moduleLoaderFetch):
+ * jsc.cpp:
+ (GlobalObject::moduleLoaderImportModule):
+ (GlobalObject::moduleLoaderFetch):
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSModuleLoader::importModule):
+ (JSC::JSModuleLoader::resolve):
+ (JSC::JSModuleLoader::fetch):
+ (JSC::moduleLoaderParseModule):
+ * runtime/JSPromise.cpp:
+ (JSC::JSPromise::resolve):
+ (JSC::JSPromise::reject):
+
+2020-07-07 Yusuke Suzuki
+
+ [JSC] Fix btjs by recovering CallFrame::describeFrame
+ https://bugs.webkit.org/show_bug.cgi?id=214055
+
+ Reviewed by Mark Lam.
+
+ While CallFrame::describeFrame is not used in WebKit tree, it is used in LLDB btjs which is invoked from python.
+ So we need to keep it.
We also use std::call_once based buffer allocation instead of `static char buffer[...]`
+ to avoid spreading debug-use-only buffer in BSS segment.
+
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::describeFrame):
+ * interpreter/CallFrame.h:
+
+2020-07-07 Keith Miller
+
+ Bytecode UseDef should be aware of checkpoints
+ https://bugs.webkit.org/show_bug.cgi?id=213566
+
+ Reviewed by Saam Barati.
+
+ Previously, we tried to solve teaching DFG about uses and defs of
+ locals across checkpoints by asking what locals were def'd at some
+ checkpoint. However, this was subtly wrong because we couldn't
+ report any uses at subsequent checkpoints so DFG thought the
+ local was dead immediately after its birth.
+
+ This patch reverts that change and instead teaches BytecodeUseDef
+ about checkpoints. Right now, BytecodeUseDef only knows about
+ locals at checkpoints but in the future we may teach it about tmps
+ at well.
+
+ Since the vectors containing our liveness bitmaps were already
+ sparse (they are indexed by the bytecode offset) we can reuse the
+ gaps to hold our checkpoint liveness information. To make sure we
+ don't overlap between the next bytecode and a checkpoint for the
+ current bytecode there is now a static assert that the length of
+ the bytecode is greater than the number of checkpoints. This
+ assumption is already true for existing bytecodes with checkpoints (and
+ likely to be true for future ones anyway).
+
+ Many of the BytecodeLivenessPropegation functions have been
+ renamed to reflect that they operate over the full instruction,
+ including checkpoints, rather than just the BytecodeIndex passed.
+
+ Lastly, this patch makes a speculative fix to forAllKilledOperands where we
+ wouldn't report that all tmps die at the end of each bytecode. I can't think
+ of a case where this would break things but it's probably good hygiene.
+
+ * bytecode/BytecodeGeneratorification.cpp:
+ (JSC::GeneratorLivenessAnalysis::run):
+ * bytecode/BytecodeIndex.h:
+ (JSC::BytecodeIndex::BytecodeIndex):
+ (JSC::BytecodeIndex::checkpoint const):
+ (JSC::BytecodeIndex::withCheckpoint const):
+ (JSC::BytecodeIndex::pack):
+ * bytecode/BytecodeLivenessAnalysis.cpp:
+ (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
+ (JSC::BytecodeLivenessAnalysis::dumpResults):
+ (JSC::tmpLivenessForCheckpoint):
+ (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeIndex): Deleted.
+ (JSC::livenessForCheckpoint): Deleted.
+ * bytecode/BytecodeLivenessAnalysis.h:
+ (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtInstruction):
+ * bytecode/BytecodeLivenessAnalysisInlines.h:
+ (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexDef):
+ (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexUse):
+ (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexUseInExceptionHandler):
+ (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndex):
+ (JSC::BytecodeLivenessPropagation::stepOverInstruction):
+ (JSC::BytecodeLivenessPropagation::computeLocalLivenessForInstruction):
+ (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
+ (JSC::BytecodeLivenessPropagation::getLivenessInfoAtInstruction):
+ (JSC::BytecodeLivenessPropagation::stepOverInstructionDef): Deleted.
+ (JSC::BytecodeLivenessPropagation::stepOverInstructionUse): Deleted.
+ (JSC::BytecodeLivenessPropagation::stepOverInstructionUseInExceptionHandler): Deleted.
+ (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeIndex): Deleted.
+ (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeIndex): Deleted.
+ * bytecode/BytecodeUseDef.cpp:
+ (JSC::computeUsesForBytecodeIndexImpl):
+ (JSC::computeDefsForBytecodeIndexImpl):
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeIndex):
+ (JSC::computeDefsForBytecodeIndex):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow):
+ (JSC::CodeBlock::validate):
+ * bytecode/FullBytecodeLiveness.h:
+ (JSC::FullBytecodeLiveness::getLiveness const):
+ (JSC::FullBytecodeLiveness::toIndex):
+ * bytecode/Instruction.h:
+ (JSC::BaseInstruction::numberOfCheckpoints const):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::ForInContext::finalize):
+ * dfg/DFGForAllKills.h:
+ (JSC::DFG::forAllKilledOperands):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::isLiveInBytecode):
+ * dfg/DFGGraph.h:
+ * dfg/DFGMovHintRemovalPhase.cpp:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
+ * generator/Opcode.rb:
+ * generator/Section.rb:
+
+2020-07-06 Geoffrey Garen
+
+ callOnMainThread should use the same queue as RunLoop::dispatch
+ https://bugs.webkit.org/show_bug.cgi?id=213830
+
+ Reviewed by Brady Eidson.
+
+ * JavaScriptCore.order:
+
+2020-07-05 Commit Queue
+
+ Unreviewed, reverting r263960.
+ https://bugs.webkit.org/show_bug.cgi?id=213980
+
+ Re-land, because r263959 somehow fixed the build issue caused
+ by r263953
+
+ Reverted changeset:
+
+ "Unreviewed, reverting r263953 and r263959."
+ https://bugs.webkit.org/show_bug.cgi?id=213979
+ https://trac.webkit.org/changeset/263960
+
+2020-07-05 Commit Queue
+
+ Unreviewed, reverting r263953 and r263959.
+ https://bugs.webkit.org/show_bug.cgi?id=213979
+
+ Broke internal build
+
+ Reverted changesets:
+
+ "[Cocoa] Move almost all features from FeatureDefines.xcconfig
+ to PlatformEnableCocoa.h"
+ https://bugs.webkit.org/show_bug.cgi?id=212542
+ https://trac.webkit.org/changeset/263953
+
+ "[Cocoa] Remove FEATURE_DEFINES from the Cocoa/Xcode build
+ system"
+ https://bugs.webkit.org/show_bug.cgi?id=213976
+ https://trac.webkit.org/changeset/263959
+
+2020-07-05 Darin Adler
+
+ [Cocoa] Remove FEATURE_DEFINES from the Cocoa/Xcode build system
+ https://bugs.webkit.org/show_bug.cgi?id=213976
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/Base.xcconfig: Removed FEATURE_DEFINES.
+ * Configurations/FeatureDefines.xcconfig: Removed.
+ * Configurations/JSC.xcconfig: Removed include of FeatureDefines.xcconfig.
+ * Configurations/JavaScriptCore.xcconfig: Ditto.
+ * Configurations/ToolExecutable.xcconfig: Ditto.
+ * DerivedSources-input.xcfilelist: Removed FeatureDefines.xcconfig.
+ * DerivedSources.make: Removed FEATURE_DEFINES and FEATURE_DEFINE_FLAGS.
+ * JavaScriptCore.xcodeproj/project.pbxproj: Removed FeatureDefines.xcconfig.
+
+2020-07-05 Darin Adler
+
+ [Cocoa] Move almost all features from FeatureDefines.xcconfig to PlatformEnableCocoa.h
+ https://bugs.webkit.org/show_bug.cgi?id=212542
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/FeatureDefines.xcconfig: Delete everything except
+ ENABLE_EXPERIMENTAL_FEATURES and ENABLE_WEBRTC.
+
+2020-07-05 Philippe Normand
+
+ Web Inspector: Fix python3 build warnings
+ https://bugs.webkit.org/show_bug.cgi?id=213971
+
+ Reviewed by Sam Weinig.
+
+ Fix Python3 syntax warnings. Using 'is' with string literals triggers those. Adopt the ==
+ operator instead, which is more idiomatic anyway.
+
+ * inspector/scripts/codegen/cpp_generator.py:
+ (CppGenerator.cpp_getter_method_for_type):
+ (CppGenerator.cpp_setter_method_for_type):
+ * inspector/scripts/codegen/objc_generator.py:
+ (ObjCTypeCategory.category_for_type):
+ (ObjCGenerator.objc_type_for_raw_name):
+ (ObjCGenerator.objc_class_for_raw_name):
+ (ObjCGenerator.protocol_type_for_raw_name):
+ (ObjCGenerator.objc_protocol_export_expression_for_variable):
+ (ObjCGenerator.objc_protocol_import_expression_for_variable):
+ (ObjCGenerator.objc_to_protocol_expression_for_member):
+ (ObjCGenerator.protocol_to_objc_expression_for_member):
+ (ObjCGenerator.payload_to_objc_expression_for_member):
+ (ObjCGenerator.objc_setter_method_for_member_internal):
+ (ObjCGenerator.objc_getter_method_for_member_internal):
+ (ObjCGenerator.objc_protocol_export_expression_for_variable.is): Deleted.
+ (ObjCGenerator.objc_protocol_import_expression_for_variable.is): Deleted.
+ (ObjCGenerator.objc_to_protocol_expression_for_member.is): Deleted.
+ (ObjCGenerator.protocol_to_objc_expression_for_member.is): Deleted.
+
+2020-07-04 Darin Adler
+
+ [Cocoa] Remove all features from FeatureDefines.xcconfig that are already mentioned in PlatformEnableCocoa.h
+ https://bugs.webkit.org/show_bug.cgi?id=213962
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/FeatureDefines.xcconfig: Removed all features that were mentioned
+ in PlatformEnableCocoa.h; the rules in that file now define whether they are enabled.
+
+2020-07-04 Alexey Shvayka
+
+ %TypedArray%.prototype.{indexOf,lastIndexOf} are not spec-perfect
+ https://bugs.webkit.org/show_bug.cgi?id=213715
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch:
+
+ 1. Implements step 3 of {Array,%TypedArray%}.prototype.indexOf [1] and
+ %TypedArray%.prototype.lastIndexOf [2] since it is observable when
+ second argument is an object with userland toString() or valueOf() method.
+ Advances provided microbenchmark by 100% for Array and by 25% for %TypedArray%.
+
+ 2.
Removes argument count check from %TypedArray%.prototype.{indexOf,lastIndexOf},
+ allowing these methods to be invoked w/o arguments. The spec treats missing
+ arguments as `undefined`, always returning -1 for typed arrays.
+
+ Both changes align JSC with V8 and SpiderMonkey.
+
+ [1]: https://tc39.es/ecma262/#sec-array.prototype.indexof
+ [2]: https://tc39.es/ecma262/#sec-%typedarray%.prototype.lastindexof
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncIndexOf):
+ (JSC::arrayProtoFuncLastIndexOf):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncIndexOf):
+ (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
+
+2020-07-04 Darin Adler
+
+ [Cocoa] Remove unconditional features from FeatureDefines.xcconfig, making sure they are covered in PlatformEnableCocoa.h
+ https://bugs.webkit.org/show_bug.cgi?id=212418
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/FeatureDefines.xcconfig: Removed features that are either unconditionally not enabled,
+ or unconditionally enabled. Double checked that all the enabled ones are either in PlatformEnable.h or
+ PlatformEnableCocoa.h.
+
+2020-07-03 Darin Adler
+
+ Make generate-unified-sources.sh not depend on features being listed in FEATURE_DEFINES environment variable
+ https://bugs.webkit.org/show_bug.cgi?id=212420
+
+ Reviewed by Don Olmstead.
+
+ * Scripts/generate-unified-sources.sh: Removed many unneeded quote marks from the
+ invocation of generate-unified-source-bundles.rb.
+
+2020-07-04 Darin Adler
+
+ Update comment in FeatureDefines.xcconfig since PlatformEnableCocoa.h should be used instead
+ https://bugs.webkit.org/show_bug.cgi?id=213952
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/FeatureDefines.xcconfig: Updated comment.
+
+2020-07-03 Yusuke Suzuki
+
+ [JSC] Promise should check whether a user-provided function is set by using `@isUndefinedOrNull`
+ https://bugs.webkit.org/show_bug.cgi?id=213951
+
+ Reviewed by Ross Kirsling.
+
+ If a user-provided function is masquerade-as-undefined value, `if (!xxx.@onRejected)` returns wrong
+ value since this function object is considered as undefined in this context. We should use `@isUndefinedOrNull`
+ here instead since this if-branch is checking whether this property is null/undefined actually.
+ And `if (@isUndefinedOrNull(...))` is efficient since we have `jundefined_or_null` / `jnundefined_or_null` bytecodes.
+
+ * builtins/PromiseOperations.js:
+ (globalPrivate.promiseReactionJob):
+
+2020-07-03 Sam Weinig
+
+ Remove support for ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE
+ https://bugs.webkit.org/show_bug.cgi?id=213932
+
+ Reviewed by Darin Adler.
+
+ Removes support for non-standard , currently being
+ guarded by the macro ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE. This macro, was
+ added back in 2013 as a temporary measure to support some engines who shipped
+ support for . It is currently not enabled for any
+ ports so now seems like as good a time as any to remove it.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2020-07-03 Sam Weinig
+
+ Add "-Wliteral-conversion" warning to Xcode based builds and fix the issues it finds
+ https://bugs.webkit.org/show_bug.cgi?id=213931
+
+ Reviewed by Darin Adler.
+
+ * Configurations/Base.xcconfig:
+ Add -Wliteral-conversion.
+
+2020-07-03 Yusuke Suzuki
+
+ [JSC] Add exception checks before and after viewWithUnderlyingString
+ https://bugs.webkit.org/show_bug.cgi?id=213923
+
+
+ Reviewed by Sam Weinig.
+
+ This patch inserts missing exception checks before and after viewWithUnderlyingString.
+
+ * jsc.cpp:
+ (printInternal):
+ (functionDebug):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::constructFunctionSkippingEvalEnabledCheck):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncParseFloat):
+ * runtime/JSONObject.cpp:
+ (JSC::JSONProtoFuncParse):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncCharAt):
+ (JSC::stringProtoFuncCharCodeAt):
+
+2020-07-03 Yusuke Suzuki
+
+ [JSC] Add exception checks in JSStringBuilder and Array#join
+ https://bugs.webkit.org/show_bug.cgi?id=213915
+
+
+ Reviewed by Saam Barati and Mark Lam.
+
+ This patch adds missing exception checks into Array#join's certain place and JSStringBuilder.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncToString):
+ * runtime/JSStringJoiner.h:
+ (JSC::JSStringJoiner::append):
+
+2020-07-03 Fujii Hironori
+
+ Builtin internal wrapper implementation files wrap static global initialization code with incorrect guards
+ https://bugs.webkit.org/show_bug.cgi?id=213792
+
+ Reviewed by Youenn Fablet.
+
+ Streams API hadn't worked since r263700 for AppleWin and WinCairo
+ ports. r263700 removed the unused ENABLE_STREAMS_API.
+
+ Before r263700, the static global initialization code was wrapped
+ by "ENABLE(WEB_RTC) || ENABLE(STREAMS_API)". After r263700, it was
+ wrapped by "ENABLE(WEB_RTC)". AppleWin and WinCairo doesn't turn
+ on ENABLE_WEB_RTC. So, builtins for Streams API weren't properly
+ initialized for them.
+
+ * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: Rebaselined.
+ * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
+ (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method):
+ Removed calling wrap_with_guard for the value of _generate_initialize_static_globals().
+
+2020-07-02 Alex Christensen
+
+ Update Mac CMake build
+
+ * PlatformMac.cmake:
+
+2020-07-02 Yusuke Suzuki
+
+ [JSC] Configure option-offered numberingSystem in Intl.NumberFormat through locale
+ https://bugs.webkit.org/show_bug.cgi?id=213872
+
+ Reviewed by Ross Kirsling.
+
+ We need to pass numberingSystem option to ICU through locale when constructing UNumberFormat.
+ We are passing it when we get "en-US-u-nu-hanidec" locale, but we are not passing it when
+ we are getting `new Intl.NumberFormat("en-US", { numberingSystem: "hanidec" })`.
+
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::initializeNumberFormat):
+
+2020-07-01 Yusuke Suzuki
+
+ [JSC] Intl.Collator should set usage:"search" option through ICU locale
+ https://bugs.webkit.org/show_bug.cgi?id=213869
+
+ Reviewed by Ross Kirsling.
+
+ Intl.Collator has usage:"search" option, and it affects on collation. However, UCollator does not have an interface to set this collation option,
+ and only way to configure UCollator is setting "-u-co-search" unicode extension to passed locale string. This patch adds "-u-co-search" unicode
+ extension if Usage::Search is specified.
+
+ * runtime/IntlCollator.cpp:
+ (JSC::IntlCollator::initializeCollator):
+
+2020-07-01 Keith Miller
+
+ Rename zeroExtend32ToPtr to zeroExtend32ToWord
+ https://bugs.webkit.org/show_bug.cgi?id=213866
+
+ Reviewed by Saam Barati.
+
+ The old name no longer makes sense now that we have configurations
+ where sizeof(void*) != sizeof(CPURegister).
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
+ (JSC::MacroAssemblerARM64::zeroExtend32ToWord):
+ (JSC::MacroAssemblerARM64::branchMul32):
+ (JSC::MacroAssemblerARM64::zeroExtend32ToPtr): Deleted.
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::zeroExtend32ToWord):
+ (JSC::MacroAssemblerARMv7::zeroExtend32ToPtr): Deleted.
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::zeroExtend32ToWord):
+ (JSC::MacroAssemblerMIPS::zeroExtend32ToPtr): Deleted.
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::add32):
+ (JSC::MacroAssemblerX86Common::and32):
+ (JSC::MacroAssemblerX86Common::mul32):
+ (JSC::MacroAssemblerX86Common::or32):
+ (JSC::MacroAssemblerX86Common::xor32):
+ (JSC::MacroAssemblerX86Common::zeroExtend32ToWord):
+ (JSC::MacroAssemblerX86Common::branchAdd32):
+ (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr): Deleted.
+ * b3/air/AirOpcode.opcodes:
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileExit):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStringSlice):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
+ (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
+ (JSC::DFG::SpeculativeJIT::compileArithDiv):
+ (JSC::DFG::SpeculativeJIT::compileCreateRest):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+ (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
+ (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
+ (JSC::DFG::SpeculativeJIT::emitInitializeButterfly):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::reboxAccordingToFormat):
+ * jit/CallFrameShuffler64.cpp:
+ (JSC::CallFrameShuffler::emitBox):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_put_by_val):
+ * jit/JSInterfaceJIT.h:
+ (JSC::JSInterfaceJIT::emitLoadInt32):
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::boxWasmResult):
+ * wasm/js/WasmToJS.cpp:
+
(JSC::Wasm::wasmToJS):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+ * yarr/YarrJIT.cpp:
+
+2020-07-01 Saam Barati
+
+ Script to copy over testapi.js is redundant in xcodebuild
+ https://bugs.webkit.org/show_bug.cgi?id=213824
+
+ Reviewed by Keith Miller.
+
+ We're already copying over the entire testapiScripts directory.
+ No need to manually copy just one file from it, too.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2020-07-01 Tetsuharu Ohzeki
+
+ Use properly flag names for tests of Tools/Scripts/run-builtins-generator-tests
+ https://bugs.webkit.org/show_bug.cgi?id=213733
+
+ Reviewed by Youenn Fablet.
+
+ Test cases under Source/JavaScriptCore/Scripts/tests/builtins/ uses exist compilation flags.
+ But they can take an arbitary flag name and don't have to use an exist flag.
+ I think it's better to rename them to more proper ones.
+
+ * Scripts/tests/builtins/WebCore-ArbitraryConditionalGuard-Separate.js:
+ * Scripts/tests/builtins/WebCore-DuplicateKeyValueAnnotation-Separate.js:
+ * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js:
+ * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
+ * Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js:
+ * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
+
+2020-06-30 Peng Liu
+
+ Enable the support of FULLSCREEN_API in WebKitTestRunner
+ https://bugs.webkit.org/show_bug.cgi?id=213774
+
+ Reviewed by Youenn Fablet.
+
+ Replace the definition of ENABLE_FULLSCREEN_API in FeatureDefines.xcconfig with
+ the one in PlatformEnableCocoa.h.
We have to do that because WebKitTestRunner
+ does not have a FeatureDefines.xcconfig but it uses "ENABLE(FULLSCREEN_API)"
+ to conditionally compile code to test the element fullscreen API.
+ WebKitTestRunner can use the macro defined in PlatformEnableCocoa.h.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2020-06-30 Andy Estes
+
+ [Xcode] Enable the "My Mac (Mac Catalyst)" destination in WebKit Xcode projects
+ https://bugs.webkit.org/show_bug.cgi?id=213740
+
+ Reviewed by Darin Adler.
+
+ * Configurations/Base.xcconfig: Set SUPPORTS_MACCATALYST to YES to tell Xcode that this
+ project supports building for Mac Catalyst.
+
+2020-06-29 Tetsuharu Ohzeki
+
+ Remove ENABLE_STREAMS_API compilation flag
+ https://bugs.webkit.org/show_bug.cgi?id=213728
+
+ Reviewed by Sam Weinig.
+
+ test cases under Scripts/tests/builtins/ does not uses
+ this removed compilation flag. So we don't have to touch them in this change.
+
+ But they are confusable so I plan to fix them in bug 213733.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2020-06-29 Keith Miller
+
+ ConservativeRoots should mark any cell it finds an interior pointer to
+ https://bugs.webkit.org/show_bug.cgi?id=213686
+
+ Reviewed by Yusuke Suzuki.
+
+ Currently, if ConserativeRoots finds an interior pointer to a cell
+ it will only mark that cell if it's a butterfly of some
+ kind. However, this can cause problems if the C++ or B3 compilers
+ pre-compute the offset of some cell member they want to load from
+ after a call. If this happens and that interior pointer is the
+ only reference to the cell it can get collected while it is still
+ "alive".
+
+ A naive patch that doesn't return from
+ findGCObjectPointersForMarking after finding a live non-interior,
+ non-butterfly cell was a 2% regression on Speedometer2 and
+ JetStream2. So, this patch immediately returns after
+ marking some non-butterfly cell, which appears to have fixed the
+ regression locally.
Given this was such a big regression (likely
+ from running MarkedBlock::isLive) more than once there's possibly
+ an optimization opportunity here. I filed
+ https://bugs.webkit.org/show_bug.cgi?id=213687 to investigate
+ further.
+
+ * heap/HeapCell.cpp:
+ (WTF::printInternal):
+ * heap/HeapCell.h:
+ (JSC::isJSCellKind):
+ (JSC::mayHaveIndexingHeader):
+ (JSC::hasInteriorPointers): Deleted.
+ * heap/HeapUtil.h:
+ (JSC::HeapUtil::findGCObjectPointersForMarking):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::appendJSCellOrAuxiliary):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+
+2020-06-28 Geoffrey Garen
+
+ Rename initializeThreading to initialize
+ https://bugs.webkit.org/show_bug.cgi?id=213674
+
+ Reviewed by Mark Lam.
+
+ * API/JSClassRef.cpp:
+ * API/JSContextRef.cpp:
+ (JSContextGroupCreate):
+ (JSGlobalContextCreate):
+ (JSGlobalContextCreateInGroup):
+ * API/JSObjectRef.cpp:
+ (JSClassCreate):
+ * API/JSStringRef.cpp:
+ (JSStringCreateWithCharacters):
+ (JSStringCreateWithUTF8CString):
+ (JSStringCreateWithCharactersNoCopy):
+ * API/JSStringRefCF.cpp:
+ (JSStringCreateWithCFString):
+ * API/tests/CompareAndSwapTest.cpp:
+ (testCompareAndSwap):
+ * API/tests/ExecutionTimeLimitTest.cpp:
+ (testExecutionTimeLimit):
+ * API/tests/FunctionOverridesTest.cpp:
+ (testFunctionOverrides):
+ * API/tests/MultithreadedMultiVMExecutionTest.cpp:
+ (startMultithreadedMultiVMExecutionTest):
+ * API/tests/PingPongStackOverflowTest.cpp:
+ (testPingPongStackOverflow):
+ * JavaScriptCore.order:
+ * assembler/testmasm.cpp:
+ (JSC::run):
+ * b3/air/testair.cpp:
+ (main):
+ * b3/testb3_1.cpp:
+ (main):
+ * dfg/testdfg.cpp:
+ (main):
+ * dynbench.cpp:
+ (main):
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::singleton):
+ * jsc.cpp:
+ (main):
+ (jscmain):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initialize):
+ (JSC::initializeThreading): Deleted.
+ * runtime/InitializeThreading.h:
+ * runtime/JSCConfig.h:
+ * shell/playstation/TestShell.cpp:
+ (setupTestRun):
+ * testRegExp.cpp:
+ (main):
+
+2020-06-27 Saam Barati
+
+ BytecodeBasicBlock::addSuccessor should check if the successor already exists
+ https://bugs.webkit.org/show_bug.cgi?id=213670
+
+ Reviewed by Yusuke Suzuki.
+
+ It makes it nicer for algorithms using BytecodeGraph to not have to consider
+ whether or not there are duplicates in the successor list. Also, because of
+ this, bytecode liveness was doing extra work since it walked the successor list,
+ including any duplicates in it.
+
+ * bytecode/BytecodeBasicBlock.h:
+ (JSC::BytecodeBasicBlock::addSuccessor):
+
+2020-06-27 Saam Barati
+
+ Change bytecode dumping to dump the bytecode control flow graph
+ https://bugs.webkit.org/show_bug.cgi?id=213669
+
+ Reviewed by Yusuke Suzuki.
+
+ This makes the bytecode control flow graphs much easier to understand, and
+ puts bytecode dumping in more in line with how we dump other IRs.
+ + The new dumps look like this: + ``` + foo#Ahf63N:[0x1035bc120->0x1035e5100, NoneFunctionCall, 36]: 13 instructions (0 16-bit instructions, 0 32-bit instructions, 1 instructions with metadata); 156 bytes (120 metadata bytes); 2 parameter(s); 8 callee register(s); 6 variable(s); scope at loc4 + + bb#1 + [ 0] enter + [ 1] get_scope loc4 + [ 3] mov loc5, loc4 + [ 6] check_traps + [ 7] mov loc6, (const0) + [ 10] mov loc6, Undefined(const1) + [ 13] mod loc7, arg1, Int32: 2(const2) + [ 17] jfalse loc7, 8(->25) + Successors: [ #3 #2 ] + + bb#2 + [ 20] mov loc6, Int32: 42(const3) + [ 23] jmp 5(->28) + Successors: [ #4 ] + + bb#3 + [ 25] mov loc6, Int32: 77(const4) + Successors: [ #4 ] + + bb#4 + [ 28] add loc7, arg1, loc6, OperandTypes(126, 126) + [ 34] ret loc7 + Successors: [ ] + ``` + + * bytecode/BytecodeDumper.cpp: + (JSC::dumpHeader): + (JSC::dumpFooter): + (JSC::CodeBlockBytecodeDumper::dumpBlock): + (JSC::CodeBlockBytecodeDumper::dumpGraph): + * bytecode/BytecodeDumper.h: + * bytecode/BytecodeGraph.h: + (JSC::BytecodeGraph::dump): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + +2020-06-27 Stephan Szabo + + [PlayStation] Update test runner for changes to Options and signing + https://bugs.webkit.org/show_bug.cgi?id=213650 + + Reviewed by Don Olmstead. + + * shell/playstation/Initializer.cpp: Load ICU library + * shell/playstation/TestShell.cpp: Update between test options reset + +2020-06-26 Geoffrey Garen + + Initializing the main thread should initialize the main run loop + https://bugs.webkit.org/show_bug.cgi?id=213637 + + Reviewed by Anders Carlsson. + + * JavaScriptCore.order: Removed some defunct stuff. + * shell/playstation/TestShell.cpp: + (setupTestRun): Merged initializeThreading call with + initializeMainThread call because initializeMainThread is a superset. + +2020-06-25 Yusuke Suzuki + + REGRESSION(r263035): stress/get-prototype-of.js broken on s390x + https://bugs.webkit.org/show_bug.cgi?id=213307 + + Reviewed by Ross Kirsling. 
+ + Structure::m_outOfLineTypeFlags is uint16_t. If we access this field as 32bit field, we have different value in big endian architectures. + Since we do not have half-size-load branch instructions, we should load this uint16_t value via `loadh` (which zero-extends the loaded value) + and perform branch onto that value. + + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitLoadPrototype): + * llint/LowLevelInterpreter64.asm: + +2020-06-25 Mark Lam + + JSCell constructor needs to ensure that the passed in structure is still alive. + https://bugs.webkit.org/show_bug.cgi?id=213593 + + + Reviewed by Yusuke Suzuki. + + Note that in the initializer list of the `JSCell(VM&, Structure*)` constructor, + we are only using values inside the passed in structure but not necessarily the + structure pointer itself. All these values are contained inside Structure::m_blob. + Note also that this constructor is an inline function. Hence, the compiler may + choose to pre-compute the address of structure->m_blob and discard the structure + pointer itself. + + Here's an example: + + 0x10317a21e <+1054>: movq 0x18(%rsp), %rdx // rdx:vm = &vm + 0x10317a223 <+1059>: addq $0x8, %r13 // r13 = &structure.m_blob <== pre-compute address of m_blob !!! + // r13 previously contained the structure pointer. + // Now, there's no more references to the structure base address. + + 0x10317a227 <+1063>: leaq 0x48(%rdx), %rdi // arg0:heap = &vm.heap + 0x10317a22b <+1067>: movl $0x10, %edx // arg2:size = 16. + 0x10317a230 <+1072>: movq %rdi, 0x28(%rsp) + 0x10317a235 <+1077>: xorl %esi, %esi // arg1:deferralContext = 0 + 0x10317a237 <+1079>: callq 0x10317ae60 // call JSC::allocateCell <== Can GC here !!! + + 0x10317a23c <+1084>: movq %rax, %rbx // rbx:cell = rax:allocation result. + ... + 0x10317a253 <+1107>: movl (%r13), %eax // eax = m_blob.structureID <== Use pre-computed m_blob address here. + + There's a chance that the GC may run while allocating this cell. 
In the event + that the structure is newly instantiated just before calling this constructor, + there may not be any other references to it. As a result, the structure may get + collected before the cell is even constructed. To avoid this possibility, we need + to ensure that the structure pointer is still alive by the time this constructor + is called. + + I am not committing any tests for this issue because the test cases relies on: + + 1. Manually forcing an O3 ASan Release build. + + 2. Not running jsc with --useDollarVM=1. Note: the JSC test harness automatically + adds --useDollarVM=1 for all test runs. + + 3. Memory being allocated in a specific order. The recent Bitmap FreeList change + enabled this issue to manifest. The old linked list FreeList implementation + would have hidden the issue. + + 4. Adding some logging code can also make the issue stop manifesting. + + In short, the test cases will not detect any regression even if we commit them + because the existing automatic regression test runs will not have the necessary + conditions for reproducing the issue. The tests are also somewhat fragile where + any changes in memory layout may stop the issue from manifesting in an observable + way. + + * runtime/JSCellInlines.h: + (JSC::JSCell::JSCell): + +2020-06-24 Ross Kirsling + + [Intl] Disprefer using ICU enums directly as instance variables + https://bugs.webkit.org/show_bug.cgi?id=213587 + + Reviewed by Yusuke Suzuki. + + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::initializePluralRules): + (JSC::IntlPluralRules::resolvedOptions const): + * runtime/IntlPluralRules.h: + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): + (JSC::IntlRelativeTimeFormat::styleString): Renamed from JSC::styleString. + (JSC::IntlRelativeTimeFormat::resolvedOptions const): + (JSC::numericString): Deleted. 
+ * runtime/IntlRelativeTimeFormat.h: + +2020-06-24 Caitlin Potter + + [JSC] handle Put/DefinePrivateField in resetPutByID + https://bugs.webkit.org/show_bug.cgi?id=213583 + + Reviewed by Yusuke Suzuki. + + r262613 extends and uses PutByValDirect to support updating and defining private fields, in order to reuse + the IC machinery. The necessary resetPutByID change was erroneously omitted, and is presented here. + + * jit/Repatch.cpp: + (JSC::resetPutByID): + +2020-06-24 Yusuke Suzuki + + [JSC] llintTrue / jitTrue can encounter native functions + https://bugs.webkit.org/show_bug.cgi?id=213442 + + + Reviewed by Mark Lam. + + If the CallFrame is for native function, associated CodeBlock is nullptr. + This patch fixes this case to handle it gracefully. + + * tools/JSDollarVM.cpp: + (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): + (JSC::CallerFrameJITTypeFunctor::operator() const): + (JSC::functionBaselineJITTrue): + (JSC::JSDollarVM::finishCreation): + (JSC::functionJITTrue): Deleted. + +2020-06-24 Umar Iqbal + + We should resurrect the older patch that collects some statistics of web API calls + https://bugs.webkit.org/show_bug.cgi?id=213319 + + Reviewed by Brent Fulgham. + + + Enabled ENABLE_WEB_API_STATISTICS flag + + * Configurations/FeatureDefines.xcconfig: + +2020-06-24 Alexey Shvayka + + Add DFG/FTL fast path for GetPrototypeOf based on OverridesGetPrototype flag + https://bugs.webkit.org/show_bug.cgi?id=213191 + + Reviewed by Yusuke Suzuki. + + This patch: + + 1. Introduces `loadInlineOffset` LLInt macro (64-bit only) and utilizes it in + `get_prototype_of` since we assert that `knownPolyProtoOffset` is an inline offset. + + 2. Brings baseline JIT fast path to 32-bit builds, progressing `super-getter.js` + microbenchmark by a factor of 10 (w/o DFG). + + 3. Adds GetPrototypeOf DFG/FTL fast paths that leverage OverridesGetPrototype type + info flag, advancing provided rare objects microbenchmark by ~46% (~37% w/o FTL). 
+ Also, cleans up existing DFG fast path by using AssemblyHelpers::loadValue(). + + 4. Extracts AssemblyHelpers::emitLoadPrototype() and uses it in baseline JIT, DFG, and + InstanceOfGeneric access case. With this change, `instanceof` access case handles all + [[GetPrototypeOf]] overrides (before: only Proxy objects), which is more correct, yet + not observable enough to provide a test case. `instanceof` microbenchmarks are neutral. + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateWithGuard): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitLoadPrototype): + * jit/AssemblyHelpers.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_get_prototype_of): + * llint/LowLevelInterpreter64.asm: + +2020-06-24 Yusuke Suzuki + + [JSC] Clobberize misses `write(Heap)` report in some nodes + https://bugs.webkit.org/show_bug.cgi?id=213525 + + + Reviewed by Mark Lam. + + In some DFG nodes, clobberize phase misses `clobberTopFunctor` call while it is `write(Heap)`, + which confuses clobberizing validation. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2020-06-23 Mark Lam + + Handle string overflow in DFG graph dump while validating AI. + https://bugs.webkit.org/show_bug.cgi?id=213524 + + + Not reviewed. + + Applying refinement suggested by Darin in https://bugs.webkit.org/show_bug.cgi?id=213524#c3. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::validateAIState): + +2020-06-23 Mark Lam + + Handle string overflow in DFG graph dump while validating AI. + https://bugs.webkit.org/show_bug.cgi?id=213524 + + + Reviewed by Saam Barati. 
+ + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::validateAIState): + +2020-06-23 Devin Rousso + + Keyframe animation doesn't 't show up in the Animations timeline + https://bugs.webkit.org/show_bug.cgi?id=213441 + + Reviewed by Brian Burg. + + * inspector/protocol/Animation.json: + An `interationCount` of `Infinity` is not JSON serializable, so represent it as `-1` instead. + +2020-06-22 Saam Barati + + Attempt to fix watchOS simulator build. + + * assembler/FastJITPermissions.h: + (threadSelfRestrictRWXToRW): + (threadSelfRestrictRWXToRX): + +2020-06-22 Saam Barati + + Allow building JavaScriptCore Mac+arm64 in public SDK build + https://bugs.webkit.org/show_bug.cgi?id=213472 + + Reviewed by Sam Weinig. + + We used to only builld code for fast permission switching when using the + Apple internal SDK. However, with arm64 on macOS, this is no longer a viable + implementation strategy. + + This patch makes it so we can build JSC on macOS+arm64 using the public Xcode + SDK. + + - ENABLE_FAST_JIT_PERMISSIONS is removed. We now use runtime checks instead. + - In the new suite of OS betas, pthreads has added API for fast permissions + switching. We now use this API instead of using the non-public SDK found in + the kernel headers. + - We fall back to the separated W/X heaps when fast permissions checking is + not supported. This all happens at runtime. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::fillNops): + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::fillNops): + * assembler/FastJITPermissions.h: Added. 
+ (useFastJITPermissions): + (threadSelfRestrictRWXToRW): + (threadSelfRestrictRWXToRX): + (fastJITPermissionsIsSupported): + * assembler/LinkBuffer.cpp: + (JSC::memcpyWrapper): + (JSC::LinkBuffer::copyCompactAndLinkCode): + * assembler/MIPSAssembler.h: + (JSC::MIPSAssembler::fillNops): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::link): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::link): + * jit/ExecutableAllocator.cpp: + (JSC::initializeJITPageReservation): + * jit/ExecutableAllocator.h: + (JSC::performJITMemcpy): + (JSC::useFastJITPermissions): Deleted. + * runtime/JSCConfig.h: + * runtime/Options.cpp: + (JSC::Options::recomputeDependentOptions): + * runtime/OptionsList.h: + +2020-06-22 Tim Horton + + Disable the JS JIT when running in a translated process + https://bugs.webkit.org/show_bug.cgi?id=213478 + + Reviewed by Saam Barati. + + * runtime/Options.cpp: + (JSC::Options::recomputeDependentOptions): + Based on our performance experiements, disable the JavaScript JIT + (but not the regular expression, DOM, or Wasm JIT) when running + in a translated process. + +2020-06-22 Tim Horton + + Update macOS version macros + https://bugs.webkit.org/show_bug.cgi?id=213484 + + Reviewed by Alexey Proskuryakov. + + * Configurations/Base.xcconfig: + * Configurations/DebugRelease.xcconfig: + * Configurations/Version.xcconfig: + * Configurations/WebKitTargetConditionals.xcconfig: + +2020-06-19 Yusuke Suzuki + + [JSC] Check Gigacage usage before launching VM + https://bugs.webkit.org/show_bug.cgi?id=213410 + + Reviewed by Mark Lam. + + Since VM allocates JSBigInt from Gigacage, it is possible that VM creation fails when Gigacage is exhausted. + As a work-around for internal testing, we insert ad-hoc Gigacage usage check before launching a new agent. + If 80% of Gigacage is used, we fail to launch a new VM gracefully. 
+ + * assembler/testmasm.cpp: + (JSC::testCagePreservesPACFailureBit): + * jsc.cpp: + (functionDollarAgentStart): + +2020-06-19 James Darpinian + + Typed array constructor behaves differently when length is not passed or when undefined is passed + https://bugs.webkit.org/show_bug.cgi?id=184232 + + Reviewed by Yusuke Suzuki. + + Passing undefined for length should have the same effect as omitting the argument. It was being + treated as 0 instead. + + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructGenericTypedArrayView): + +2020-06-19 Yusuke Suzuki + + [JSC] Attempt to reduce timeout failures on Apple Watch Series 3 + https://bugs.webkit.org/show_bug.cgi?id=213419 + + Reviewed by Mark Lam. + + * tools/JSDollarVM.cpp: + (JSC::functionUseJIT): + (JSC::JSDollarVM::finishCreation): + +2020-06-19 Mark Lam + + toString of String doesn't check integrity of structureID in one path. + https://bugs.webkit.org/show_bug.cgi?id=213338 + + Reviewed by Saam Barati. + + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncToString): + +2020-06-19 Saam Barati + + Have a memory monitor thread in jsc shell when running tests using --memory-limited + https://bugs.webkit.org/show_bug.cgi?id=213389 + + Reviewed by Mark Lam. + + When testing on iOS, there are times high memory usage from a JSC test + will jetsam our entire test runner. This makes it so we don't get any test + results from that test run, which can make it difficult to track testing + results. + + This patch introduces an optional memory monitoring thread to the JSC + shell. It's a best effort approach. If memory usage exceeds the passed + in threshold, we crash the process. Similar to how the timeout mechanism + works. On Cocoa platforms, we also perform this check in the low memory + warning handler. + + Currently, we use this feature when running JSC stress tests in + "--memory-limited" mode. 
+ + * jsc.cpp: + (crashIfExceedingMemoryLimit): + (startMemoryMonitoringThreadIfNeeded): + (jscmain): + +2020-06-19 Mark Lam + + Make $vm properties non-configurable, non-enumerable, and non-writable. + https://bugs.webkit.org/show_bug.cgi?id=213395 + + Reviewed by Saam Barati and Yusuke Suzuki. + + $vm provides functions for test development and VM debugging. There's no reason + for them to be configurable, enumerable, and writable. + + We particularly don't want them to be enumerable as this can trip up some fuzzers. + Fuzzers should not be fuzzing the $vm object which doesn't exist in real world + uses of JavaScriptCore. + + * tools/JSDollarVM.cpp: + (JSC::JSDollarVM::finishCreation): + (JSC::JSDollarVM::addFunction): + (JSC::JSDollarVM::addConstructibleFunction): + +2020-06-19 Tuomas Karkkainen + + functionCpuClflush checks that the second argument is Int32 but it actually expects it to be UInt32 + https://bugs.webkit.org/show_bug.cgi?id=213388 + + Reviewed by Saam Barati. + + This changes the check from isInt32() to isUInt32() so that the logic is consistent. + + * tools/JSDollarVM.cpp: + +2020-06-18 Mark Lam + + Unify Bitmap math loops in MarkedBlock::Handle::specializedSweep(). + https://bugs.webkit.org/show_bug.cgi?id=213345 + + Reviewed by Robin Morisset and Saam Barati. + + This change appears to be performance neutral. However, we'll take the change + because we know that it does less work, and the new way of expressing the Bitmap + math in MarkedBlock::Handle::specializedSweep() does appear to be easier to + understand than the old code. + + Also addressed feedback from Robin and Saam in https://bugs.webkit.org/show_bug.cgi?id=213071. + + Changes made: + + 1. Use the new Bitmap::words() API to get direct access to the underlying bits + storage. With this, we can do the merging of the marked and newlyAllocated + bits with a single pass looping thru the bitmap words. + + 2. 
In MarkedBlock::Handle::specializedSweep()'s Bitmap free list code, moved the + implementation of handleDeadCells lambda down to the call to freeAtoms.forEachSetBit() + because this is the only place it is used. + + 3. Fixed MarkedBlock::Handle::specializedSweep()'s Bitmap free list code to + handle the dead cells unconditionally. This condition check was wrongly + adapted from the linked list implementation where handleDeadCell() was called + in 2 places depending on the destruction mode. With the Bitmap free list, + there is only once place to handle the dead cells, and it should be executed + unconditionally. + + This fixes a bug where the FreeList::originalSize() never gets computed if the + cells in the block does not need destruction. + + 4. Renamed FreeList::bitmapRows() to FreeList::bitmapRowsMinusOne(). + Renamed FreeList::offsetOfBitmapRows() to FreeList::offsetOfBitmapRowsMinusOne(). + + 5. Also fixed some typos in comments. + + * heap/FreeList.h: + (JSC::FreeList::bitmapIsEmpty const): + (JSC::FreeList::offsetOfBitmapRowsMinusOne): + (JSC::FreeList::bitmapRowsMinusOne const): + (JSC::FreeList::offsetOfBitmapRows): Deleted. + (JSC::FreeList::bitmapRows const): Deleted. + * heap/FreeListInlines.h: + (JSC::FreeList::allocate): + (JSC::FreeList::forEach const): + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::Handle::specializedSweep): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + +2020-06-18 Yusuke Suzuki + + [JSC] Remove dead non-ICU locale Date code since we are always using ICU version + https://bugs.webkit.org/show_bug.cgi?id=213362 + + Reviewed by Ross Kirsling. + + There are old non-ICU version of Date locale code. But this is now dead code since we are always using ICU version, + which is invoked from builtin JS DatePrototype.js. We should remove these dead code. + + * runtime/DatePrototype.cpp: + (JSC::DatePrototype::finishCreation): + (): Deleted. + (JSC::styleFromArgString): Deleted. 
+ (JSC::formatLocaleDate): Deleted. + (JSC::dateProtoFuncToLocaleString): Deleted. + (JSC::dateProtoFuncToLocaleDateString): Deleted. + (JSC::dateProtoFuncToLocaleTimeString): Deleted. + +2020-06-18 Ross Kirsling + + Unreviewed, address Darin's feedback on r263227. + + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::UNumberFormatDeleter::operator() const): + (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): + (JSC::IntlRelativeTimeFormat::formatToParts const): + * runtime/IntlRelativeTimeFormat.h: + Keep ownership over our UNumberFormat instance after all, + to avoid relying on behavior ICU isn't explicitly guaranteeing. + +2020-06-18 Ross Kirsling + + [Intl] Enable RelativeTimeFormat and Locale by default + https://bugs.webkit.org/show_bug.cgi?id=213324 + + Reviewed by Yusuke Suzuki. + + * runtime/IntlObject.cpp: + (JSC::createDateTimeFormatConstructor): + (JSC::createLocaleConstructor): + (JSC::createNumberFormatConstructor): + (JSC::createRelativeTimeFormatConstructor): + (JSC::IntlObject::finishCreation): + Unconditionalize creation of RelativeTimeFormat and Locale constructors. + + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): + (JSC::IntlRelativeTimeFormat::formatToParts const): + (JSC::IntlRelativeTimeFormat::UNumberFormatDeleter::operator() const): Deleted. + * runtime/IntlRelativeTimeFormat.h: + Fix an actual bug -- URelativeDateTimeFormatter *adopts* the UNumberFormat it's instantiated with, + so we can't keep a unique_ptr to it. + + * runtime/OptionsList.h: + Remove feature flags. + +2020-06-18 Alexey Shvayka + + Promise built-in functions should be anonymous non-constructors + https://bugs.webkit.org/show_bug.cgi?id=213317 + + Reviewed by Darin Adler. + + This patch makes userland-exposed Promise built-in functions + non-constructors and sets their "name" properties to empty strings + as per spec [1], aligning JSC with V8 and SpiderMonkey. 
+ + @createResolvingFunctionsWithoutPromise change is covered by test262's + async-generator/yield-thenable-create-resolving-functions-*.js cases. + + Promise microbenchmarks are neutral. Promise constructors bytecode is + unchanged, while @createResolvingFunctions* bytecode is reduced by 2 + instructions. + + [1]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects + + * builtins/PromiseConstructor.js: + (nakedConstructor.Promise): + (nakedConstructor.InternalPromise): + * builtins/PromiseOperations.js: + (globalPrivate.newPromiseCapabilitySlow): + (globalPrivate.createResolvingFunctions): + (globalPrivate.createResolvingFunctionsWithoutPromise): + (globalPrivate.createResolvingFunctions.resolve): Deleted. + (globalPrivate.createResolvingFunctions.reject): Deleted. + (resolve): Deleted. + (reject): Deleted. + * builtins/PromisePrototype.js: + (globalPrivate.getThenFinally): + (globalPrivate.getCatchFinally): + (valueThunk): Deleted. + (thrower): Deleted. + +2020-06-18 Alexey Shvayka + + TypedArray.prototype.set is incorrect with primitives + https://bugs.webkit.org/show_bug.cgi?id=212730 + + Reviewed by Yusuke Suzuki. + + This change implements step 14 of %TypedArray%.prototype.set [1], + which coerces primitives to objects instead of throwing an error, + aligning JSC with V8 and SpiderMonkey. + + [1]: https://tc39.es/ecma262/#sec-%typedarray%.prototype.set-array-offset + + * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: + (JSC::genericTypedArrayViewProtoFuncSet): + +2020-06-17 Mark Lam + + Replace JSC::FreeList linked list with a Bitmap. + https://bugs.webkit.org/show_bug.cgi?id=213071 + + Reviewed by Filip Pizlo. + + Implement an alternative to the linked list FreeList. This alternative uses + a Bitmap to record which atom in the block is available for allocation. 
+ + The intuition here is that allocation using the Bitmap implementation will do: + 2 loads - m_currentRowBitmap, m_currentMarkedBlockRowAddress + 1 store - m_currentRowBitmap + + whereas the linked list implementation will do: + 3 loads - m_scrambledHead, m_secret, result->scrambledNext + 1 store - m_scrambledHead + + and result->scrambledNext is from a different region of code and therefore not + in the same cache line. + + The downside of the Bitmap implementation is that it uses more instructions. + + This change is currently only enabled for x86_64, which shows about a 0.8% + progression on Speedometer 2. + + It appears to be about a 1% regression on ARM64E. Hence, for now, we keep the + linked list implementation for ARM64 builds. + + This is how the Bitmap FreeList works: + + 1. The Bitmap implementation only replaces the linked list implementation. It + does not replace the bump allocator. + + 2. The Bitmap allocator keeps a m_bitmap that is initialized in + MarkedBlock::Handle::specializedSweep() to have a bit set for each atom + location that is available for allocation (i.e. is free). Note that a cell + is usually allocated using more than 1 atom. Only the bit corresponding to + the first atom (in that cell length range of free atoms) will be set. + + This is consistent with how bits in MarkedBlock::Footer::m_marks and + MarkedBlock::Footer::m_newlyAllocated are set i.e. only the bit for the first + atom in the cell can be set. + + 3. The allocation algorithm thinks of the MarkedBlock as consisting of rows + of atoms, where the number of atoms in a row equals the number of bits in + a AtomsBitmap::Word. On 64-bit CPUs, this would be 64. + + We will start allocating from the last (highest numbered) row down to the + first (row 0). As we allocate, we will only update m_currentRowIndex and + m_currentRowBitmap. m_bitmap will not be updated. This is so in order to + reduce the number of instructions executed during an allocation. 
+ + When m_currentRowIndex points to N, the AtomsBitmap::Word for row N in + m_bitmap will have been copied into m_currentRowBitmap. This is the row + that we will be allocating from until the row is exhausted. + + This is how we know whether an atom is available for allocation or not: + i. Atoms in any rows above m_currentRowIndex are guaranteed to be + allocated already (because we allocate downwards), and hence, are not + available. + ii. For row m_currentRowIndex, m_currentRowBitmap is the source of truth + on which atoms in the row are available for allocation. + iii. For rows below m_currentRowIndex, m_bitmap is the source of truth on + which atoms are available for allocation. + + When m_currentRowIndex reaches 0, the info in m_bitmap is completely + obsoleted, and m_currentRowBitmap holds the availability info for row 0. + When both m_currentRowIndex and m_currentRowBitmap are 0, then we have + completely exhausted the block and no more atoms are available for + allocation. + + 4. Allocation happens in 3 paths: fast, middle, slow. + + The fast path checks m_currentRowBitmap. If it's not 0, then we compute the + bit number of the lowest set bit in it. That bit number will be used together + with m_currentMarkedBlockRowAddress to compute the address of the atom + location available for allocation. m_currentRowBitmap will be updated to clear + the bit for the atom that has just ben allocated. + + If m_currentRowBitmap is 0, then we'll go to the middle path. + + The middle path checks m_currentRowIndex to see if we have more rows to allocate + from. For each m_currentRowIndex, we check its corresponding AtomsBitmap::Word + in m_bitmap. If the word is non-zero, we copy it to m_currentRowBitmap and + jump to the fast path to do the allocation. The middle path will update + m_currentRowIndex to point to the current row we're allocating from. 
+ + If we have decremented m_currentRowIndex down to 0 but still can't find a + non-zero AtomsBitmap::Word in m_bitmap, then the block has been exhausted, and + we'll go to the slow path. + + The slow path is analogous to the old slow path i.e. we try to refill the + LocalAllocator with a new MarkedBlock. + + 5. On the layout of fields in FreeList (see changes in FreeList.h), we try to + preserve the positions of the bump allocator fields. The only change we made + there is in the location of m_cellSize. It is now moved up next to m_remaining, + and m_originalSize is moved down. This is because m_originalSize is only + accessed in the slow path, and m_cellSize is accessed in the bump allocation + path. + + Next, we try to put Bitmap allocation fields where the linked list fields + would have been. The one bit of trickiness is that we'll put + m_currentMarkedBlockRowAddress in a union with m_payloadEnd. This is because + m_payloadEnd is only used in the bump allocation path. If m_remaining is 0, + then we can reuse this location for m_currentMarkedBlockRowAddress. + + With this, we would have 4 bytes of padding after m_currentRowIndex. For + compactness, we put m_originalSize there in that space. For builds that use + the linked list implementation, m_originalSize will be located below after + m_cellSize. 
+ + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): + * heap/FreeList.cpp: + (JSC::FreeList::clear): + (JSC::FreeList::initializeAtomsBitmap): + (JSC::FreeList::initializeBump): + (JSC::FreeList::contains const): + (JSC::FreeList::dump const): + * heap/FreeList.h: + (JSC::FreeList::bitmapIsEmpty const): + (JSC::FreeList::allocationWillFail const): + (JSC::FreeList::offsetOfCurrentRowBitmap): + (JSC::FreeList::offsetOfBitmapRows): + (JSC::FreeList::offsetOfCurrentRowIndex): + (JSC::FreeList::offsetOfCurrentMarkedBlockRowAddress): + (JSC::FreeList::offsetOfRemaining): + (JSC::FreeList::atomsBitmap): + (JSC::FreeList::bitmapRows const): + (JSC::FreeList::offsetOfOriginalSize): Deleted. + * heap/FreeListInlines.h: + (JSC::FreeList::allocate): + (JSC::FreeList::forEach const): + * heap/LocalAllocator.cpp: + (JSC::LocalAllocator::isFreeListedCell const): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::Handle::atomAt const): + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::Handle::specializedSweep): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + +2020-06-17 Mark Lam + + StructureIDTable::validate() doesn't work when compiled with GCC. + https://bugs.webkit.org/show_bug.cgi?id=213302 + + + Reviewed by Yusuke Suzuki. + + I was previously using ensureStillAliveHere() to force the validation load to + not be elided. However, this is not how ensureStillAliveHere() works. The proper + way to force the load is to use a volatile pointer instead, which is applied in + this patch. + + With Clang, the ensureStillAliveHere() happened to do what I expected, but with + GCC it did not. The compiler is at liberty to elide the load because there is + no memory clobbering operation between the load and the call to + ensureStillAliveHere(). Switching to using the volatile pointer solution. 
+ + * runtime/StructureIDTable.h: + (JSC::StructureIDTable::validate): + +2020-06-17 Yusuke Suzuki + + [JSC] Freeze JSBigInt when setting it as a constant in AI + https://bugs.webkit.org/show_bug.cgi?id=213310 + + + Reviewed by Mark Lam. + + JSCells should be explicitly frozen via DFG::Graph::freeze or DFG::Graph::freezeStrong. And heap JSBigInt is JSCell. + We should freeze it before setting it as a parameter of setConstant in AI. We use DFG::Graph::freeze since we know + that this is coming from somewhere in DFG graph: this ToNumeric node itself is not newly producing this JSBigInt. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2020-06-17 Keith Miller + + $vm.haveABadTime/isHavingABadTime should work with non-globalObject parameters + https://bugs.webkit.org/show_bug.cgi?id=213304 + + Reviewed by Mark Lam. + + Previously, $vm.haveABadTime would crash if passed a + non-globalObject object as the first parameter because it was + missing a `return` in front the error handling case. This patch + resolves that issue but also extends the semantics of + haveABadTime/isHavingABadTime to either use the global object of + the first parameter even if it's not a JSGlobalObject. If no + argument is passed, haveABadTime/isHavingABadTime instead use the + global object of the callee. + + * tools/JSDollarVM.cpp: + (JSC::functionHaveABadTime): + (JSC::functionIsHavingABadTime): + +2020-06-17 Mark Lam + + Gardening: move some unused data inside ENABLE(JIT) to unbreak the CLoop build. + https://bugs.webkit.org/show_bug.cgi?id=213255 + + Not reviewed. + + * assembler/testmasm.cpp: + +2020-06-17 Yusuke Suzuki + + Unreviewed, avoid node access in link-task + https://bugs.webkit.org/show_bug.cgi?id=213266 + + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast): + +2020-06-17 Mark Lam + + Add a shiftAndAdd() emitter in AssemblyHelpers. 
+ https://bugs.webkit.org/show_bug.cgi?id=213255 + + Reviewed by Michael Saboff. + + void shiftAndAdd(RegisterID base, RegisterID index, uint8_t shift, RegisterID dest, Optional = { }); + + Emits code to compute: dest = base + index << shift. + + * assembler/testmasm.cpp: + (doubleOperands): + (floatOperands): + (int32Operands): + (int64Operands): + (JSC::testShiftAndAdd): + (JSC::run): + (JSC::doubleOperands): Deleted. + (JSC::floatOperands): Deleted. + (JSC::int32Operands): Deleted. + (JSC::int64Operands): Deleted. + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::shiftAndAdd): + +2020-06-17 Michael Saboff + + [Wasm] Reduce the amount of memory used by the Air register coloring allocator + https://bugs.webkit.org/show_bug.cgi?id=212106 + + Reviewed by Yusuke Suzuki. + + Changed InterferenceEdge to be a templated class so we can instantiate an unsigned + short version to cut memory in half for code that has less than 2^16 temps. + Through instrumentation, my testing showed that almost all compilations use the + 16bit implementation. Although this change is for all B3/Air compilations at O2, + Wasm compilations are usally larger and therefore get the greatest benefit. + + This allowed increasing the default value for the option webAssemblyBBQFallbackSize, + with a small increase in memory usage. + + * b3/air/AirAllocateRegistersByGraphColoring.cpp: + * runtime/OptionsList.h: + +2020-06-16 Yusuke Suzuki + + [JSC] Check NullSetterFunction under strict-mode context since structure / PropertyCondition are unaware of this + https://bugs.webkit.org/show_bug.cgi?id=213266 + + Reviewed by Mark Lam. + + Our PropertyCondition is tracking the shape of Structure. This is enough for IC except for one case: throwing an error when invoking null setters in strict code. + + "use strict"; + var object = { get value() { return 42; } } + object.value = 42; + + In the above case, we need to throw an error. Let's consider the following scenario. + + 1. Object has valid setter. + 2. 
IC is buffering OPC which includes (1)'s object in [[Prototype]] hit.
+ 3. IC commits buffered AccessCase with OPC. And PropertyCondition says Object + setter-offset => Presence.
+ 4. Object deletes its setter.
+ 5. Just after (4), DFG concurrently reads buffered committed OPCs.
+ 6. DFG see that PropertyCondition is valid even after (4) since accessor property does exist.
+ 7. Set up DFG sequence `GetSetter, Call`.
+ 8. DFG calls null-setter under strict code, which is not assumed to be called.
+
+ In this patch, we insert NullSetterFunction check before setter invocation under strict mode. In IC, if we see NullSetterFunction,
+ we replace the calling target with special function which throws an error. In DFG / FTL, we emit `CheckNotJSCast` DFG node which
+ ensures that this setter is not null setter.
+
+ In IC code, we already have null-setter checking code before. So this change does not have any impact in terms of performance.
+ In DFG / FTL code, we only insert this check when we do not inline this setter. This is because inlining emits `CheckCell` anyway so
+ we can know that this is not NullSetterFunction. And this means that DFG Call opcode exists after CheckNotJSCast. Since Call opcode
+ loads the fields of call target anyway, this also does not affect on performance.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::regenerate):
+ * bytecode/PolymorphicAccess.h:
+ (JSC::AccessGenerationState::AccessGenerationState):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::addAccessCase):
+ * bytecode/StructureStubInfo.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasClassInfo const):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckJSCast):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::isNotSubClassOf const):
+ * dfg/DFGStructureAbstractValue.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetBy):
+ (JSC::tryCacheArrayGetByVal):
+ (JSC::tryCachePutByID):
+ (JSC::tryCacheDeleteBy):
+ (JSC::tryCacheInByID):
+ (JSC::tryCacheInstanceOf):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::finishCreation):
+ * runtime/JSCast.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ 
(JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::nullSetterStrictFunction const):
+ * runtime/JSType.cpp:
+ (WTF::printInternal):
+ * runtime/JSType.h:
+ * runtime/NullSetterFunction.cpp:
+ (JSC::NullSetterFunctionInternal::callThrowError):
+ (JSC::NullSetterFunction::NullSetterFunction):
+ * runtime/NullSetterFunction.h:
+
+2020-06-16 Mark Lam
+
+ Make Options::useJIT() be the canonical source of truth on whether we should use the JIT.
+ https://bugs.webkit.org/show_bug.cgi?id=212556
+
+
+ Reviewed by Saam Barati.
+
+ After r263055, Options::useJIT() always equals VM::canUseJIT() after canUseJIT()
+ has been computed. This patch removes VM::canUseJIT(), and replaces all calls to
+ it with calls to Options::useJIT().
+
+ In the old code, VM::canUseJIT() would assert s_canUseJITIsSet to ensure that
+ its clients will not access s_canUseJIT before it is initialized. We not have an
+ equivalent mechanism with Options. This is how it works:
+
+ 1. There are 2 new Options flags in the g_jscConfig:
+ g_jscConfig.options.isFinalized
+ g_jscConfig.options.allowUnfinalizedAccess
+
+ g_jscConfig.options.isFinalized means that all Options values are finalized
+ i.e. initialization is complete and ready to be frozen in the Config.
+
+ g_jscConfig.options.isFinalized is set by initializeThreading() by calling
+ Options::finalize() once options initialization is complete.
+
+ g_jscConfig.options.allowUnfinalizedAccess is an allowance for clients to
+ access Options values before they are finalized. This is only needed in
+ options initialization code where Options values are read and written to.
+
+ g_jscConfig.options.allowUnfinalizedAccess is set and cleared using the
+ Options::AllowUnfinalizedAccessScope RAII object. The few pieces of code that
+ do options initialization will instantiate this scope object.
+
+ 2. All Options accessors (e.g. 
Option::useJIT()) will now assert that either
+ g_jscConfig.options.allowUnfinalizedAccess or g_jscConfig.options.isFinalized
+ is set.
+
+ 3. Since r263055, Options::recomputeDependentOptions() ensures that if useJIT() is
+ false, all other JIT options (e.g. useBaselineJIT(), useDFTJIT(), useFTLJIT(),
+ etc.) are also false. This patch also adds useBBQJIT() and useOMGJIT() to that
+ list.
+
+ With this, checks for useJIT() are now redundant if there's also another JIT
+ option check, e.g. useRegExpJIT() or useDFGJIT(). When redundant, this patch
+ elides the useJIT() check (which used to be a VM::canUseJIT() check).
+
+ Ideally, we should also introduce a separate abstraction for requested option
+ values before finalization than the finalized option values that will be adopted
+ by the system. We'll do this as a separate exercise in a later patch.
+
+ * API/tests/ExecutionTimeLimitTest.cpp:
+ (testExecutionTimeLimit):
+ * API/tests/FunctionOverridesTest.cpp:
+ (testFunctionOverrides):
+ * API/tests/PingPongStackOverflowTest.cpp:
+ (testPingPongStackOverflow):
+ - Removed redundant calls to Options::initialize().
+
+ * API/tests/testapi.c:
+ (main):
+ - move the call to testExecutionTimeLimit() to after finalizeMultithreadedMultiVMExecutionTest()
+ returns. This is because testExecutionTimeLimit() modifies JIT options at runtime
+ as part of its testing. This can wreak havoc on the rest of the system that expects
+ the options to be frozen. Ideally, we'll find a way for testExecutionTimeLimit() to
+ do its work without changing JIT options, but that is not easy to do. For now,
+ we'll just run it at the end as a workaround.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::setNumParameters):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::numberOfArgumentValueProfiles):
+ (JSC::CodeBlock::valueProfileForArgument):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::isSupported):
+ * heap/Heap.cpp:
+ (JSC::Heap::completeAllJITPlans):
+ (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
+ (JSC::Heap::gatherScratchBufferRoots):
+ (JSC::Heap::removeDeadCompilerWorklistEntries):
+ (JSC::Heap::stopThePeriphery):
+ (JSC::Heap::suspendCompilerThreads):
+ (JSC::Heap::resumeCompilerThreads):
+ (JSC::Heap::addCoreConstraints):
+ * interpreter/AbstractPC.cpp:
+ (JSC::AbstractPC::AbstractPC):
+ * jit/JITThunks.cpp:
+ (JSC::JITThunks::ctiNativeCall):
+ (JSC::JITThunks::ctiNativeConstruct):
+ (JSC::JITThunks::ctiNativeTailCall):
+ (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
+ (JSC::JITThunks::ctiInternalFunctionCall):
+ (JSC::JITThunks::ctiInternalFunctionConstruct):
+ (JSC::JITThunks::hostFunctionStub):
+ * jsc.cpp:
+ (CommandLine::parseArguments):
+ (jscmain):
+ * llint/LLIntEntrypoint.cpp:
+ (JSC::LLInt::setFunctionEntrypoint):
+ (JSC::LLInt::setEvalEntrypoint):
+ (JSC::LLInt::setProgramEntrypoint):
+ (JSC::LLInt::setModuleProgramEntrypoint):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::shouldJIT):
+ (JSC::LLInt::jitCompileAndSetHeuristics):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/JSCConfig.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::numberToStringWatchpointSet):
+ * runtime/Options.cpp:
+ (JSC::jitEnabledByDefault):
+ (JSC::disableAllJITOptions):
+
+ (JSC::Options::initialize):
+ - Move the calls to dumpOptionsIfNeeded() and ensureOptionsAreCoherent() to the
+ end after all the options have been initialized because this where they belong.
+
+ (JSC::Options::finalize):
+ (JSC::Options::setOptions):
+ (JSC::Options::setOption):
+ (JSC::Options::dumpAllOptions):
+ (JSC::Options::ensureOptionsAreCoherent):
+ * runtime/Options.h:
+ (JSC::Options::AllowUnfinalizedAccessScope::AllowUnfinalizedAccessScope):
+ (JSC::Options::AllowUnfinalizedAccessScope::~AllowUnfinalizedAccessScope):
+ * runtime/OptionsList.h:
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileMatchOnly):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTableEntry::isWatchable const):
+ * runtime/VM.cpp:
+ (JSC::VM::computeCanUseJIT):
+ (JSC::VM::VM):
+ (JSC::VM::getHostFunction):
+ (JSC::VM::getCTIInternalFunctionTrampolineFor):
+ * runtime/VM.h:
+ (JSC::VM::isInMiniMode):
+ (JSC::VM::canUseJIT): Deleted.
+ * wasm/WasmCapabilities.h:
+ (JSC::Wasm::isSupported):
+ * wasm/WasmOperations.cpp:
+ (JSC::Wasm::shouldJIT):
+ * wasm/WasmSlowPaths.cpp:
+ (JSC::LLInt::shouldJIT):
+
+2020-06-16 Robin Morisset
+
+ Optimize Air::TmpWidth analysis in IRC
+ https://bugs.webkit.org/show_bug.cgi?id=152478
+
+ Reviewed by Filip Pizlo.
+
+ AirTmpWidth currently uses a HashMap to map tmps to their width.
+ Since tmps have consecutive indices, we can instead use vectors (one for GP and one for FP tmps).
+ As a bonus, we can just compute the width of the tmps of the bank the register allocator is currently looking at.
+ This cuts the time spent in the register allocator in JetStream2 by about 100ms out of 3.4s
+ (or sometimes 80ms out of 2.4, the bimodality of the time spent is due to a huge function in tagcloud-SP which usually but not always reach the FTL, I'll check later if it can be fixed by tweaking the inliner).
+
+ * b3/air/AirAllocateRegistersByGraphColoring.cpp:
+ (JSC::B3::Air::allocateRegistersByGraphColoring):
+ * b3/air/AirTmpWidth.cpp:
+ (JSC::B3::Air::TmpWidth::TmpWidth):
+ (JSC::B3::Air::TmpWidth::recompute):
+ * b3/air/AirTmpWidth.h:
+ (JSC::B3::Air::TmpWidth::width const):
+ (JSC::B3::Air::TmpWidth::requiredWidth):
+ (JSC::B3::Air::TmpWidth::defWidth const):
+ (JSC::B3::Air::TmpWidth::useWidth const):
+ (JSC::B3::Air::TmpWidth::Widths::Widths):
+ (JSC::B3::Air::TmpWidth::widths):
+ (JSC::B3::Air::TmpWidth::widths const):
+ (JSC::B3::Air::TmpWidth::addWidths):
+ (JSC::B3::Air::TmpWidth::widthsVector):
+
+2020-06-16 Fujii Hironori
+
+ [CMake][Visual Studio] CombinedDomains.json is generated twice in JavaScriptCore.vcxproj and InspectorBackendCommands.vcxproj
+ https://bugs.webkit.org/show_bug.cgi?id=213225
+
+ Reviewed by Don Olmstead.
+
+ Since r262203 (Bug 210014) added a new target
+ InspectorBackendCommands, CombinedDomains.json is generated twice
+ in JavaScriptCore.vcxproj and InspectorBackendCommands.vcxproj.
+ This caused unnecessary incremental builds.
+
+ The fundamental issue of this issue was fixed in CMake side.
+
+ However, JavaScriptCore target needs to have a direct or indirect
+ dependency of InspectorBackendCommands target for CMake Visual
+ Studio generator to eliminate duplicated custom commands.
+
+ * CMakeLists.txt: Added add_dependencies(JavaScriptCore InspectorBackendCommands).
+
+2020-06-16 Mark Lam
+
+ Add SIGABRT handler for non OS(DARWIN) builds to the jsc shell with the -s option.
+ https://bugs.webkit.org/show_bug.cgi?id=213200
+
+ Reviewed by Michael Catanzaro.
+
+ This is needed because non OS(DARWIN) builds uses abort as their "CRASH"ing
+ mechanism.
+
+ * jsc.cpp:
+ (CommandLine::parseArguments):
+
+2020-06-15 Michael Catanzaro
+
+ WTF signal machinery is guarded by #if USE(PTHREADS) && HAVE(MACHINE_CONTEXT) but does not use pthreads or machine context
+ https://bugs.webkit.org/show_bug.cgi?id=213223
+
+ Reviewed by Mark Lam.
+
+ Use #if OS(UNIX) here too. This should fix stress/ensure-crash.js when
+ HAVE(MACHINE_CONTEXT) is false.
+
+ * jsc.cpp:
+ (printUsageStatement):
+ (CommandLine::parseArguments):
+
+2020-06-15 Pavel Feldman
+
+ Web Inspector: introduce request interception
+ https://bugs.webkit.org/show_bug.cgi?id=207446
+
+ Reviewed by Devin Rousso.
+
+ This change introduces network request interception to the Network
+ protocol domain. It adds Network.interceptWithRequest notification that
+ can be continued, modified or fulfilled. NetworkStage enum can now have
+ 'request' and 'response' values.
+
+ * inspector/protocol/Network.json:
+
+2020-06-15 Tadeu Zagallo
+
+ op_iterator_open getNext checkpoint needs to declare it uses m_iterator
+ https://bugs.webkit.org/show_bug.cgi?id=213106
+
+
+ Reviewed by Keith Miller.
+
+ Currently, we have no way of specifying that a checkpoint uses an operand defined at an earlier
+ point in the same bytecode, which is the case for op_iterator_open: we assume that it will have
+ already allocated the iterator and stored it in m_iterator by the time we get to the getNext
+ checkpoint. In order to support that, we change tmpLivenessForCheckpoint to livenessForCheckpoint
+ and allow it to also declare the use of the operands defined within the bytecode.
+
+ * bytecode/BytecodeLivenessAnalysis.cpp:
+ (JSC::livenessForCheckpoint):
+ (JSC::tmpLivenessForCheckpoint): Deleted.
+ * bytecode/BytecodeLivenessAnalysis.h:
+ * bytecode/FullBytecodeLiveness.h:
+ * dfg/DFGForAllKills.h:
+ (JSC::DFG::forAllKilledOperands):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::isLiveInBytecode):
+ * dfg/DFGGraph.h:
+
+2020-06-15 Alexey Shvayka
+
+ Expand JSObject::defineOwnIndexedProperty() fast path for existing properties
+ https://bugs.webkit.org/show_bug.cgi?id=213133
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch expands fast path of JSObject::defineOwnIndexedProperty() to cover existing properties
+ if given data descriptor has no falsy attributes, preventing the object from entering SparseMode.
+ The optimization is possible due to this invariant: indexed properties of non-SparseMode objects
+ have attributes of PropertyAttribute::None (except for typed arrays; added assert covers it).
+
+ PropertyDescriptor::attributesOverridingCurrent() with PropertyAttribute::None descriptor
+ is used to support partial descriptors like {value: 1, writable: true}.
+
+ This change advances Object.defineProperty microbenchmark by 35%; array read/write benchmark
+ following property redefinition is progressed by a factor of 16 due to avoiding SparseMode.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::defineOwnIndexedProperty):
+
+2020-06-15 Robin Morisset
+
+ testB3::testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead() has a validation failure in debug mode
+ https://bugs.webkit.org/show_bug.cgi?id=196103
+
+
+ Reviewed by Keith Miller.
+
+ The problem was trivial: patchpoints were referring to constants that were defined after them.
+ Just exchanging the order of the definition was enough to make this test pass.
+
+ * b3/testb3_1.cpp:
+ (shouldRun):
+ * b3/testb3_7.cpp:
+ (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead):
+
+2020-06-15 Mark Lam
+
+ Do not install the VMTraps signal handler if Options::useJIT=false.
+ https://bugs.webkit.org/show_bug.cgi?id=212543
+
+
+ Reviewed by Keith Miller.
+
+ VMTraps is only needed for JITted code. Hence, if the JIT is disabled, we should
+ set Options::usePollingTraps() to true to indicate that we won't be using VMTraps.
+
+ With this change, we no longer install any signal handling machinery if
+ Options::useJIT() is false.
+
+ Because we may still disable the JIT even if useJIT() is true (due to failure to
+ allocate JIT memory or a number of other factors), we will also add a check of
+ VM::canUseJIT() in initializeThreading(), and disable useJIT() if needed. Of
+ course, this also means we need to call Options::recomputeDependentOptions() to
+ make other options consistent with useJIT() being false.
+
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/Options.cpp:
+ (JSC::disableAllJITOptions):
+ (JSC::Options::recomputeDependentOptions):
+ (JSC::recomputeDependentOptions): Deleted.
+ * runtime/Options.h:
+ * runtime/VMTraps.cpp:
+ (JSC::VMTraps::initializeSignals):
+ * tools/SigillCrashAnalyzer.cpp:
+ (JSC::SigillCrashAnalyzer::instance):
+
+2020-06-15 Keith Miller
+
+ CheckIsConstant should not use BadCache exit kind
+ https://bugs.webkit.org/show_bug.cgi?id=213141
+
+ Reviewed by Yusuke Suzuki.
+
+ The BadCache exit kind causes the OSR exit compilers to try to
+ update ArrayProfiles. This is just incorrect for CheckIsConstant
+ since the node's origin may not even have an
+ ArrayProfile... BadCache also strongly assumes the value it's
+ profiling is a cell, which is clearly not always the case for
+ CheckIsConstant.
+
+ CheckIsConstant now uses the BadConstantValue (BadValue conflicts
+ with macros exported by X11 on GTK) exit kind for all use kinds,
+ which is just a rename of BadCell. All existing places where we
+ can emit a CheckIsConstant already have a story for BadConstantValue.
+
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFromLLInt):
+ (JSC::CallLinkStatus::computeExitSiteData):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ * bytecode/ExitKind.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::handlePutByVal):
+ (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isPseudoTerminal):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckIsConstant):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckBadValue):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckBadCell): Deleted.
+
+2020-06-15 Yusuke Suzuki
+
+ Webkit Feature BigInt on webkit.org
+ https://bugs.webkit.org/show_bug.cgi?id=197546
+
+ Reviewed by Sam Weinig.
+
+ Add BigInt entry to JSC features.json.
+
+ * features.json:
+
+2020-06-15 Keith Miller
+
+ JIT thunks should work on arm64_32
+ https://bugs.webkit.org/show_bug.cgi?id=213103
+
+ Reviewed by Saam Barati.
+
+ This patch fixes various issues when running JSC on arm64_32 with
+ useJIT=1 and useBaselineJIT=0. 
In particular this patch makes the
+ following changes:
+
+ 1) ScalePtr is now just part of the Scale enum and is set based on
+ the size of the address space.
+
+ 2) MacroAssembler::*Ptr functions call 32/64 bit variants based on
+ Address space size rather than cpu architecture. Vetting of callsites
+ using Ptr as 64 will happen in future patches since it's hard to
+ comprehensively vet.
+
+ 3) Add some missing variants of functions for when pointers are 32-bit.
+
+ 4) Add a load/storeReg function that stores a full register regardless
+ of pointer size for storing/loading callee saves.
+
+ 5) numberOfDFGCompiles should report a big number for
+ useBaselineJIT=0 as some tests fail by default if useBaselineJIT=0
+ but useJIT=1.
+
+ 6) Assert BaseIndex has a scale of PtrSize or TimesOne (for pre-scaled
+ values) when passed to a load/storePtr function.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::timesPtr): Deleted.
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::rotateRightPtr):
+ (JSC::MacroAssembler::loadPtr):
+ (JSC::MacroAssembler::loadPtrWithCompactAddressOffsetPatch):
+ (JSC::MacroAssembler::branchPtr):
+ (JSC::MacroAssembler::storePtr):
+ (JSC::MacroAssembler::shouldBlindDouble):
+ (JSC::MacroAssembler::moveDouble):
+ (JSC::MacroAssembler::store64):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::add32):
+ (JSC::MacroAssemblerARM64::signExtend32ToPtr):
+ (JSC::MacroAssemblerARM64::loadPtr):
+ (JSC::MacroAssemblerARM64::call):
+ (JSC::MacroAssemblerARM64::farJump):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::rotateRight32):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::rotateRight32):
+ * assembler/MacroAssemblerX86.h:
+ * assembler/MacroAssemblerX86_64.h:
+ * b3/B3LowerMacros.cpp:
+ * b3/testb3_6.cpp:
+ (testInterpreter):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+ * jit/AssemblyHelpers.cpp:
+ 
(JSC::AssemblyHelpers::emitLoadStructure):
+ (JSC::AssemblyHelpers::emitAllocateVariableSized):
+ (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
+ (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::storeReg):
+ (JSC::AssemblyHelpers::loadReg):
+ (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
+ (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_enumerator_structure_pname):
+ (JSC::JIT::emit_op_enumerator_generic_pname):
+ * jit/ThunkGenerators.cpp:
+ (JSC::nativeForGenerator):
+ * runtime/TestRunnerUtils.cpp:
+ (JSC::numberOfDFGCompiles):
+
+2020-06-15 Caitlin Potter
+
+ [JSC] add machinery to disable JIT tiers when experimental features are enabled
+ https://bugs.webkit.org/show_bug.cgi?id=213193
+
+ Reviewed by Mark Lam.
+
+ A new macro FOR_EACH_JSC_EXPERIMENTAL_OPTION() supplies flags indicating the supported
+ JIT tiers (or, in the future, other options) of a particular feature,
+ in an easy to understand format. These flags are then used to
+ recompute dependent feature flags.
+
+ This should simplify the incremental development of language features.
+
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ * runtime/OptionsList.h:
+
+2020-06-15 Keith Miller
+
+ Signal handlers should have a two phase installation.
+ https://bugs.webkit.org/show_bug.cgi?id=213160
+
+ Reviewed by Mark Lam.
+
+ * jsc.cpp:
+ (CommandLine::parseArguments):
+ (jscmain):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/VMTraps.cpp:
+ * tools/SigillCrashAnalyzer.cpp:
+ (JSC::installCrashHandler):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::enableFastMemory):
+ (JSC::Wasm::prepareFastMemory):
+ * wasm/WasmFaultSignalHandler.h:
+
+2020-06-15 Yusuke Suzuki
+
+ Unreviewed, fix LLInt
+ https://bugs.webkit.org/show_bug.cgi?id=157972
+
+ loadi only takes address.
+
+ * llint/LowLevelInterpreter64.asm:
+
+2020-06-15 Alexey Shvayka
+
+ super should not depend on __proto__
+ https://bugs.webkit.org/show_bug.cgi?id=157972
+
+ Reviewed by Saam Barati.
+
+ Before this change, both super() call [1] and super.property [2] relied on
+ Object.prototype.__proto__ to acquire super base, which was observable and
+ incorrect if __proto__ gets removed.
+
+ This patch introduces get_prototype_of bytecode, ensuring returned values
+ are profiled so the op can be wired to existing DFG and FTL implementations.
+ In order to avoid performance regression w/o DFG (__proto__ is optimized via
+ IntrinsicGetterAccessCase), fast paths for LLInt and baseline JIT are added
+ (64-bit only), utilizing OverridesGetPrototypeOutOfLine type info flag.
+
+ This change aligns JSC with V8 and SpiderMonkey, progressing microbenchmarks/
+ super-get-by-{id,val}-with-this-monomorphic.js by 7-10%. SixSpeed is neutral.
+
+ Also, extracts JSValue::getPrototype() method to avoid code duplication and
+ utilizes it in objectConstructorGetPrototypeOf(), advancing provided
+ microbenchmark by 40%.
+
+ [1]: https://tc39.es/ecma262/#sec-getsuperconstructor (step 5)
+ [2]: https://tc39.es/ecma262/#sec-getsuperbase (step 5)
+
+ * builtins/BuiltinNames.h:
+ * bytecode/BytecodeIntrinsicRegistry.h:
+ * bytecode/BytecodeList.rb:
+ * bytecode/BytecodeUseDef.cpp:
+ (JSC::computeUsesForBytecodeIndexImpl):
+ (JSC::computeDefsForBytecodeIndexImpl):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/Opcode.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitGetPrototypeOf):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::emitSuperBaseForCallee):
+ (JSC::emitGetSuperFunctionForConstruct):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPrototypeOf):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGOperations.cpp:
+ * jit/IntrinsicEmitter.cpp:
+ (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_get_prototype_of):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::getPrototype const):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoGetter):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::calculatedClassName):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getPrototype):
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::canPerformFastPutInlineExcludingProto):
+ (JSC::JSObject::getPropertySlot):
+ (JSC::JSObject::getNonIndexPropertySlot):
+ * runtime/JSProxy.h:
+ * runtime/JSTypeInfo.h:
+ 
(JSC::TypeInfo::overridesGetPrototype const):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetPrototypeOf):
+ * runtime/ProxyObject.h:
+ * runtime/Structure.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::validateFlags):
+
+2020-06-13 Devin Rousso
+
+ Make `errors` an own property of `AggregateError` instead of a prototype accessor
+ https://bugs.webkit.org/show_bug.cgi?id=212677
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/AggregateError.h:
+ (JSC::AggregateError::destroy): Deleted.
+ (JSC::AggregateError::subspaceFor): Deleted.
+ (JSC::AggregateError::errors): Deleted.
+ * runtime/AggregateError.cpp:
+ (JSC::AggregateError::AggregateError):
+ (JSC::AggregateError::finishCreation): Added.
+ (JSC::AggregateError::visitChildren): Deleted.
+
+ * runtime/AggregateErrorPrototype.h:
+ * runtime/AggregateErrorPrototype.cpp:
+ (JSC::AggregateErrorPrototype::finishCreation):
+ (JSC::aggregateErrorPrototypeAccessorErrors): Deleted.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::initializeAggregateErrorConstructor):
+
+ * runtime/VM.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * heap/Heap.cpp:
+ (JSC::Heap::finalizeUnconditionalFinalizers):
+ Remove `aggregateErrorSpace` since `AggregateError` doesn't add any new member variables.
+ Ensure that it can share an `IsoSubspace` with `ErrorInstance`.
+
+ * runtime/CommonIdentifiers.h:
+ Add `errors`.
+
+2020-06-12 Robin Morisset
+
+ The ||= operator (and similar ones) should produce valid bytecode even if the right side is a static error
+ https://bugs.webkit.org/show_bug.cgi?id=213154
+
+ Reviewed by Devin Rousso.
+
+ There were two minor issues here that interacted:
+ - emitThrowReferenceError did not take an optional `dst` argument like everything else, and instead always returned a new temporary.
+
+ As a result, the various functions that sometimes did "return emitThrowReferenceError(..);" could return a different RegisterID than the one
+ provided to them through `dst`, breaking the invariant stated at the top of the file.
+ - ShortCircuitReadModifyResolveNode::emitBytecode used the result of such a function, unnecessarily, and (correctly) relied on the invariant being upheld.
+ The combination of these led to the bytecode trying to do a move of a temporary that was only defined in one of the predecessors of the basic block it was on,
+ which was caught by validateBytecode.
+
+ I fixed both issues, and verified that either fix is enough to stop the bug.
+ I fixed the first because other code may depend on that invariant in more subtle ways.
+ I fixed the second because it was just unnecessary complexity and made the code misleading.
+
+ I also reworded the comment at the top of NodesCodegen.cpp based on Keith's explanation and Mark's advice to make it less cryptic.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ThrowableExpressionData::emitThrowReferenceError):
+ (JSC::PostfixNode::emitBytecode):
+ (JSC::DeleteBracketNode::emitBytecode):
+ (JSC::DeleteDotNode::emitBytecode):
+ (JSC::PrefixNode::emitBytecode):
+ (JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
+ (JSC::AssignErrorNode::emitBytecode):
+ * parser/Nodes.h:
+
+2020-06-12 Yusuke Suzuki
+
+ [JSC] el(Greek) characters' upper-case conversion is locale-sensitive
+ https://bugs.webkit.org/show_bug.cgi?id=213155
+
+
+ Reviewed by Darin Adler.
+
+ CLDR defines 4 locales which has language-sensitive case conversions. "az", "el", "lt", and "tr", where,
+
+ az = Azerbaijani
+ el = Greek
+ lt = Lithuanian
+ tr = Turkish
+
+ We can ensure it easily like this.
+
+ 1. Download CLDR data
+ 2. 
`ls common/transforms/*Upper.xml`
+
+ common/transforms/az-Upper.xml
+ common/transforms/el-Upper.xml
+ common/transforms/lt-Upper.xml
+ common/transforms/tr-Upper.xml
+
+ And ECMA-402 String.prototype.{toLocaleLowerCase,toLocaleUpperCase} requires these locales are listed as `availableLocales`.
+
+ > 7. Let availableLocales be a List with language tags that includes the languages for which the Unicode Character
+ > Database contains language sensitive case mappings. Implementations may add additional language tags if they
+ > support case mapping for additional locales.
+
+ https://tc39.es/ecma402/#sup-string.prototype.tolocalelowercase
+
+ This patch adds "el" to our maintained availableLocales list. Previously we only had "az", "lt", and "tr".
+
+ * runtime/StringPrototype.cpp:
+ (JSC::toLocaleCase):
+ (JSC::stringProtoFuncToLocaleUpperCase):
+
+2020-06-12 Keith Miller
+
+ Tests expecting a crash should use a signal handler in the JSC CLI process
+ https://bugs.webkit.org/show_bug.cgi?id=212479
+
+ Reviewed by Yusuke Suzuki.
+
+ Have the -s option use WTF::Signals and make sure it adds breakpoint catching
+ as well.
+
+ * jsc.cpp:
+ (printUsageStatement):
+ (CommandLine::parseArguments):
+ * tools/SigillCrashAnalyzer.cpp:
+ (JSC::installCrashHandler):
+
+2020-06-12 Alexey Shvayka
+
+ AsyncGenerator should await "return" completions
+ https://bugs.webkit.org/show_bug.cgi?id=212774
+
+ Reviewed by Ross Kirsling.
+
+ This patch fixes 2 spec discrepancies, observable with async generators if the
+ value of "return" completion is a Promise, aligning JSC with V8 and SpiderMonkey.
+
+ * builtins/AsyncGeneratorPrototype.js:
+ (onFulfilled):
+ This change implements step 8 of AsyncGeneratorYield [1], that is executed after
+ step 15 of AsyncGeneratorResumeNext [2] (implemented as @doAsyncGeneratorBodyCall).
+ We are safe to rely on [[AsyncGeneratorState]] being "suspendedYield" (set in + step 6 of AsyncGeneratorYield [1]) instead of adding extra field to AsyncGenerator: + AsyncGeneratorResumeNext [2] does not overwrite "suspendedYield" state. + This change fixes most of test262 cases. + + [1]: https://tc39.es/ecma262/#sec-asyncgeneratoryield + [2]: https://tc39.es/ecma262/#sec-asyncgeneratorresumenext + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitDelegateYield): + This change implements step 7.c.iii.1 of yield* runtime semantics [3], that is + observable only if [[Value]] has userland "then" getter. Awaited result is discarded. + This change fixes async-generator/yield-star-return-then-getter-ticks.js test262 case. + + [3]: https://tc39.es/ecma262/#sec-generator-function-definitions-runtime-semantics-evaluation + +2020-06-12 Ross Kirsling + + Unreviewed, address Darin's feedback on r262890. + + * runtime/IntlObject.cpp: + (JSC::addScriptlessLocaleIfNeeded): + Use != instead of < for clarity. + +2020-06-12 Adrian Perez de Castro + + Build is broken with EVENT_LOOP_TYPE=GLib + https://bugs.webkit.org/show_bug.cgi?id=212987 + + Reviewed by Konstantin Tokarev. + + * PlatformJSCOnly.cmake: Add sources needed to support the remote inspector to + JavaScriptCore_SOURCES. + +2020-06-11 Saam Barati + + Linear Scan uses the wrong Interval for spills for tmps with roles of early def or late use + https://bugs.webkit.org/show_bug.cgi?id=213055 + + + Reviewed by Yusuke Suzuki. + + There was a bug in linear scan when computing the live range interval for + spill tmps that had early defs or late uses. When linear scan spills a + tmp, it creates a new tmp that it loads to and stores from, and replaces the old tmp + with the new tmp, and emits stores/loads around pertinent instructions. The live + interval for such tmps is small by nature, it's contained in the interval for the + instruction itself. 
However, we'd build this interval purely based off the + original tmp's arg timing. So, for example, let's consider a program like this: + + RandoInsn: LateUse:Tmp1, Use:Tmp2, [early = N, late = N+1] + Let's say that Tmp1's last use is RandoInsn, and it had a def before + RandoInsn, therefore, its live range will be something like: + [J where J < N, N+1] + + and now imagine we spilled Tmp1 for some reason, and rewrote the + program to be: + Move Addr(spill for Tmp1), TmpSpill + RandoInsn: LateUse:TmpSpill, Use:Tmp2, [early = N, late = N+1] + + We used to incorrectly mark the live range for TmpSpill to just be [N+1, N+2). + However, the bug here is that we neglected that TmpSpill actually had an earlier + def at [N, N+1). So, the live range for TmpSpill was wrong. This could incorrectly + lead us to allocate Tmp2 and TmpSpill to the same register, since their live + ranges may not intersect if Tmp2 dies at RandoInsn. + + We also had the symmetric bug for EarlyDefs: we wouldn't account for the + store-spill that'd happen after something like RandoInsn. + + The fix is to account for the loads/stores of spill tmps when assigning + them a live range. + + This patch contains a standalone test in testair. It also fixes crashes we had when + running B3O1 tests using typed arrays on arm64e since we had patchpoints that utilized + LateUse for signing and auth. + + * b3/B3Procedure.h: + * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: + * b3/air/testair.cpp: + +2020-06-11 Saam Barati + + Replace uses of black/white list with block/allow list + https://bugs.webkit.org/show_bug.cgi?id=213084 + + Reviewed by Keith Miller. + + We should be using racially neutral names in our code. From Chromium style guide: + + "Terms such as 'blacklist' and 'whitelist' reinforce the notion that + black==bad and white==good." 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * b3/air/AirLowerAfterRegAlloc.cpp: + (JSC::B3::Air::lowerAfterRegAlloc): + * dfg/DFGDriver.cpp: + (JSC::DFG::ensureGlobalDFGAllowlist): + (JSC::DFG::compileImpl): + (JSC::DFG::ensureGlobalDFGWhitelist): Deleted. + * dfg/DFGTierUpCheckInjectionPhase.cpp: + (JSC::DFG::ensureGlobalFTLAllowlist): + (JSC::DFG::TierUpCheckInjectionPhase::run): + (JSC::DFG::ensureGlobalFTLWhitelist): Deleted. + * heap/MachineStackMarker.cpp: + * inspector/scripts/codegen/objc_generator.py: + (ObjCGenerator.should_generate_types_for_domain): + (ObjCGenerator.should_generate_commands_for_domain): + (ObjCGenerator.should_generate_events_for_domain): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::ensureGlobalJITAllowlist): + (JSC::LLInt::shouldJIT): + (JSC::LLInt::ensureGlobalJITWhitelist): Deleted. + * runtime/OptionsList.h: + * tools/FunctionAllowlist.cpp: Copied from Source/JavaScriptCore/tools/FunctionWhitelist.cpp. + (JSC::FunctionAllowlist::FunctionAllowlist): + (JSC::FunctionAllowlist::contains const): + (JSC::FunctionWhitelist::FunctionWhitelist): Deleted. + (JSC::FunctionWhitelist::contains const): Deleted. + * tools/FunctionAllowlist.h: Copied from Source/JavaScriptCore/tools/FunctionWhitelist.h. + * tools/FunctionWhitelist.cpp: Removed. + * tools/FunctionWhitelist.h: Removed. + +2020-06-11 Yusuke Suzuki + + [JSC] Return DisposableCallSiteIndex when destroying GCAwareJITStubRoutineWithExceptionHandler + https://bugs.webkit.org/show_bug.cgi?id=213069 + + + Reviewed by Saam Barati. + + Inside GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount, we are returning DisposableCallSiteIndex to freelist. + However, GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount can be called even if the code of GCAwareJITStubRoutineWithExceptionHandler is + on the stack. Let's consider the following scenario. + + 1. Execute GCAwareJITStubRoutineWithExceptionHandler's code. Set CallSiteIndex to the stack. + 2. 
Execute more code. (1)'s GCAwareJITStubRoutineWithExceptionHandler's code is on the stack. + 3. (1)'s GCAwareJITStubRoutineWithExceptionHandler's refcount becomes zero. + 4. CallSiteIndex of GCAwareJITStubRoutineWithExceptionHandler is returned. + 5. Execute StackVisitor to construct frames. But we cannot find CodeOrigin corresponding to CallSiteIndex stored in (1) since it is already returned. + + DisposableCallSiteIndex should be returned after ensuring that GCAwareJITStubRoutineWithExceptionHandler's code is not on the stack. Detecting this is the functionality + what GCAwareJITStubRoutineWithExceptionHandler can offer. It is destroyed after ensuring that GCAwareJITStubRoutineWithExceptionHandler's code is not on the stack. + + This patch delays DisposableCallSiteIndex returning until we destroy owner GCAwareJITStubRoutineWithExceptionHandler. But it is possible that CodeBlock* corresponding to + GCAwareJITStubRoutineWithExceptionHandler is already destroyed. To avoid this condition, we extract CodeOrigins vector as Ref and keep it alive from + GCAwareJITStubRoutineWithExceptionHandler too. And since CodeOrigin addition / removal happens only from the main thread after finishing the compilation, and + GCAwareJITStubRoutineWithExceptionHandler's destructor is called from the Heap's finalizer, which must be executed from the main thread, we can just modify it without a lock. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::newExceptionHandlingCallSiteIndex): + (JSC::CodeBlock::codeOrigins): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::codeOrigin): + * dfg/DFGCodeOriginPool.cpp: Added. 
+ (JSC::DFG::CodeOriginPool::addCodeOrigin): + (JSC::DFG::CodeOriginPool::addUniqueCallSiteIndex): + (JSC::DFG::CodeOriginPool::lastCallSite const): + (JSC::DFG::CodeOriginPool::addDisposableCallSiteIndex): + (JSC::DFG::CodeOriginPool::removeDisposableCallSiteIndex): + (JSC::DFG::CodeOriginPool::shrinkToFit): + * dfg/DFGCodeOriginPool.h: Added. + (JSC::DFG::CodeOriginPool::create): + (JSC::DFG::CodeOriginPool::get): + (JSC::DFG::CodeOriginPool::size const): + * dfg/DFGCommonData.cpp: + (JSC::DFG::CommonData::shrinkToFit): + (JSC::DFG::CommonData::addCodeOrigin): Deleted. + (JSC::DFG::CommonData::addUniqueCallSiteIndex): Deleted. + (JSC::DFG::CommonData::lastCallSite const): Deleted. + (JSC::DFG::CommonData::addDisposableCallSiteIndex): Deleted. + (JSC::DFG::CommonData::removeDisposableCallSiteIndex): Deleted. + * dfg/DFGCommonData.h: + (JSC::DFG::CommonData::CommonData): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::exceptionCheck): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::addCallSite): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compilePutById): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + (JSC::FTL::DFG::LowerDFGToB3::compileInById): + (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf): + (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail): + (JSC::FTL::DFG::LowerDFGToB3::getById): + (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): + (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): + (JSC::FTL::DFG::LowerDFGToB3::callPreflight): + * ftl/FTLSlowPathCall.cpp: + (JSC::FTL::callSiteIndexForCodeOrigin): + * 
jit/GCAwareJITStubRoutine.cpp: + (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler): + (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): + (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie): + (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount): + * jit/GCAwareJITStubRoutine.h: + +2020-06-11 Alexey Shvayka + + RegExp.prototype getters should throw on cross-realm access + https://bugs.webkit.org/show_bug.cgi?id=213075 + + Reviewed by Saam Barati. + + This patch makes RegExp.prototype getters throw TypeError when called on + RegExp.prototype object from another realm, aligning JSC with V8 and SpiderMonkey. + + The spec [1] allows same-realm access to avoid breaking the web, while makes + RegExp.prototype an ordinary object (rather than RegExp instance) where possible. + + [1]: https://tc39.es/ecma262/#sec-get-regexp.prototype.global (step 3.a) + + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoGetterGlobal): + (JSC::regExpProtoGetterIgnoreCase): + (JSC::regExpProtoGetterMultiline): + (JSC::regExpProtoGetterDotAll): + (JSC::regExpProtoGetterSticky): + (JSC::regExpProtoGetterUnicode): + (JSC::regExpProtoGetterSource): + +2020-06-11 Paulo Matos + + Add missing include to JSONObject.cpp - non-unified build + https://bugs.webkit.org/show_bug.cgi?id=213073 + + Reviewed by Adrian Perez de Castro. + + * runtime/JSONObject.cpp: + +2020-06-10 Ross Kirsling + + REGRESSION(r260697): [Intl] "missing script" locales like zh-TW are no longer mapped + https://bugs.webkit.org/show_bug.cgi?id=213007 + + Reviewed by Darin Adler. + + addMissingScriptLocales was removed from IntlObject when changing our locale resolution to depend more directly + on ICU, but apparently even latest ICU won't perform this legacy "region implies script" mapping for us. 
+ + ICU 65+ does have uloc_openAvailableByType which will do the trick, so perhaps we should use this in the future, + but it still doesn't seem to help us with Collator, which has its own separate set of "available locales". + + The exact set of locales which should be mapped is currently under discussion here: + https://github.com/tc39/ecma402/issues/159 + But the crux seems to be that we should ensure we have an xx-ZZ alias for all available xx-Yyyy-ZZ locales. + + * runtime/IntlObject.cpp: + (JSC::addScriptlessLocaleIfNeeded): + (JSC::intlAvailableLocales): + (JSC::intlCollatorAvailableLocales): + +2020-06-10 Yusuke Suzuki + + [JSC] JSCallbackObject::deleteProperty should redirect to Parent::deletePropertyByIndex if propertyName is index + https://bugs.webkit.org/show_bug.cgi?id=213041 + + + Reviewed by Darin Adler. + + We have an infinite recursion here. + + -> JSCallbackObject::deletePropertyByIndex + -> JSCell::deleteProperty + -> JSCallbackObject::deleteProperty + -> JSObject::deleteProperty + -> JSCallbackObject::deletePropertyByIndex + + When propertyName in JSCallbackObject::deleteProperty is an index, we should go to JSObject::deletePropertyByIndex instead of JSObject::deleteProperty. + + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::deleteProperty): + +2020-06-09 Mark Lam + + Stringifier::appendStringifiedValue() should not assume it is always safe to recurse. + https://bugs.webkit.org/show_bug.cgi?id=213006 + + + Reviewed by Keith Miller. + + In r262727, I suggested that Alexey Shvayka add an assertion in + Stringifier::appendStringifiedValue() to assert that it is safe to recurse because + we don't expect it to recurse into itself. Turns out this is a bad idea because + a client may be doing the recursing before calling Stringifier::appendStringifiedValue(). + As a result, Stringifier::appendStringifiedValue() ends up being executed with + the stack pointer already in the reserved zone. 
This is legal, and is what the + reserved zone is intended for as long as we don't recurse from here. However, + this also means that asserting vm.isSafeToRecurseSoft() here will surely fail + because we are already in the reserved zone area. The fix is simply to remove + this faulty assertion. + + * runtime/JSONObject.cpp: + (JSC::Stringifier::appendStringifiedValue): + +2020-06-09 Mark Lam + + Disambiguate the OverridesGetPropertyNames structure flag + https://bugs.webkit.org/show_bug.cgi?id=212909 + + + Reviewed by Saam Barati. + + Previously, the OverridesGetPropertyNames structure flag could mean 2 different + things: + 1. the getPropertyNames() method is overridden, or + 2. any of the forms of getPropertyName() is overridden: + getPropertyName, getOwnPropertyNames, getOwnNonIndexPropertyNames + + Some parts of the code expects one definition while other parts expect the other. + This patch disambiguates between the 2 by introducing OverridesAnyFormOfGetPropertyNames + for definition (2). OverridesGetPropertyNames now only means definition (1). + + Note: we could have implemented overridesGetPropertyNames() by doing a comparison + of the getPropertyNames pointer in the MethodTable. This is a little slower than + checking a TypeInfo flag, but probably doesn't matter a lot in the code paths + where overridesGetPropertyNames() is called. However, we have bits in TypeInfo + left. So, we'll might as well use it. + + This ambiguity resulted in JSObject::getPropertyNames() recursing infinitely + when it didn't think it could recurse. This is demonstrated in + JSTests/stress/unexpected-stack-overflow-below-JSObject-getPropertyNames.js as + follows: + + 1. The test case invokes JSObject::getPropertyNames on a JSArray. + + 2. In the while loop at the bottom of JSObject::getPropertynames(), we check + `if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {`. + + 3. 
The test overrides proto as follows: + `arg0.__proto__ = arr1` where both arg0 and arr1 are JArrays. + + 4. In the old code, JSArray sets OverridesGetPropertyNames but does not override + getPropertyNames(). It actually meant to set OverridesAnyFormOfGetPropertyNames + (after we disambiguated it) because JSArray overrides getOwnNonIndexPropertyNames(). + + 5. When we get to the check at (2), we ask if the prototype overridesGetPropertyNames(). + Since JSArray sets OverridesGetPropertyNames, the answer is yes / true. + + JSObject::getPropertynames() then proceeds to invoke + `prototype->methodTable(vm)->getPropertyNames(prototype, globalObject, propertyNames, mode);` + + But because JSArray does not actually overrides getPropertyNames(), we're + actually invoking JSObject::getPropertyNames() here. Viola! Infinite loop. + + With this patch, JSArray is disambiguated to set OverridesAnyFormOfGetPropertyNames + instead of OverridesGetPropertyNames, and this infinite loop no longer exists. + + This patch also made the following changes: + + 1. Templatized TypeInfo::isSetOnFlags1() and TypeInfo::isSetOnFlags2() so that + we can used static_asserts instead of a debug ASSERT to verify the integrity of + the flag we're checking against. + + 2. Added a Structure::validateFlags() called from the Structure constructor. + validateFlags() will verify the following: + a. OverridesGetOwnPropertySlot must be set in the flags if getOwnPropertySlot + is overridden in the MethodTable. + b. InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero must be set in + the flags if getOwnPropertySlotByIndex is overridden in the MethodTable. + c. HasPutPropertySecurityCheck must be set in the flags if doPutPropertySecurityCheck + is overridden in the MethodTable. + d. OverridesGetPropertyNames must be set in the flags if getPropertyNames + is overridden in the MethodTable. + e. 
OverridesAnyFormOfGetPropertyNames must be set in the flags if any of + getPropertyNames, getOwnPropertyNames, or getOwnNonIndexPropertyNames are + overridden in the MethodTable. + + An alternate solution would be to automatically set these flags if we detect + their corresponding methods are overridden. However, this alternate solution + requires this laundry list to be checked every time a structure is constructed. + The current implementation of having the required flags already pre-determined + as a constant is more efficient in terms of performance and code space. + + Also, it only takes one instantiation of the structure to verify that the flags + are valid. Since we only write JSCell / JSObject classes when we need them + and we always write tests to exercise new code (especially such classes), we're + guaranteed the flags validation will be exercised. + + 3. Made JSObject::getOwnPropertySlot() and JSObject::doPutPropertySecurityCheck() + not inlined when ASSERT_ENABLED. This is needed in order for Structure::validateFlags() + to do its checks using function pointer comparisons. Otherwise, the inline + functions can result in multiple instantiations of these functions. For + example, WebCore can get its own copy of JSObject::getOwnPropertySlot() and + the comparisons will think the function is overridden even when it's not. + + 4. Structure::validateFlags() found the following problems which are now fixed: + + GetterSetter was not using its StructureFlags. As a result, it was missing the + OverridesGetOwnPropertySlot flag. + + JSDataView did not define its StructureFlags. It was missing the + OverridesGetOwnPropertySlot and OverridesAnyFormOfGetPropertyNames flags. + + 5. Changed a TypeInfo constructor to not have a default argument for the flags value. + Also grepped for all uses of this constructor to make sure that it is passed + the StructureFlags field. 
This exercise found the following issue: + + JSAPIValueWrapper was not using its StructureFlags when creating its structure. + Previously, it was just ignoring the StructureIsImmortal flag in StructureFlags. + + 6. Hardened the assertions for hasReadOnlyOrGetterSetterPropertiesExcludingProto() + and hasGetterSetterProperties() in the Structure constructor. + + Previously, if the flag is set, it verifies that the ClassInfo has the + appropriate data expected by the flag. However, it does not assert the reverse + i.e. that if the ClassInfo data exists, then the flag must also be set. + The new assertions now checks both. + + Moved the overridesGetCallData() assertion into Structure::validateFlags() + because it concerns the OverridesGetCallData flag. This assertion has also + ben hardened. + + * API/JSAPIValueWrapper.h: + * API/JSCallbackObject.h: + * debugger/DebuggerScope.h: + * inspector/JSInjectedScriptHostPrototype.h: + * inspector/JSJavaScriptCallFramePrototype.h: + * runtime/ClonedArguments.h: + * runtime/ErrorInstance.h: + * runtime/GenericArguments.h: + * runtime/GetterSetter.h: + * runtime/JSArray.h: + * runtime/JSDataView.h: + * runtime/JSFunction.h: + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGlobalObject.h: + * runtime/JSLexicalEnvironment.h: + * runtime/JSModuleEnvironment.h: + * runtime/JSModuleNamespaceObject.h: + * runtime/JSObject.cpp: + (JSC::JSObject::doPutPropertySecurityCheck): + (JSC::JSObject::getOwnPropertySlot): + * runtime/JSObject.h: + (JSC::JSObject::getOwnPropertySlotImpl): + (JSC::JSObject::getOwnPropertySlot): + * runtime/JSProxy.h: + * runtime/JSString.h: + * runtime/JSSymbolTableObject.h: + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::TypeInfo): + (JSC::TypeInfo::masqueradesAsUndefined const): + (JSC::TypeInfo::implementsHasInstance const): + (JSC::TypeInfo::implementsDefaultHasInstance const): + (JSC::TypeInfo::overridesGetCallData const): + (JSC::TypeInfo::overridesToThis const): + (JSC::TypeInfo::structureIsImmortal const): 
+ (JSC::TypeInfo::overridesGetPropertyNames const): + (JSC::TypeInfo::overridesAnyFormOfGetPropertyNames const): + (JSC::TypeInfo::prohibitsPropertyCaching const): + (JSC::TypeInfo::getOwnPropertySlotIsImpure const): + (JSC::TypeInfo::getOwnPropertySlotIsImpureForPropertyAbsence const): + (JSC::TypeInfo::hasPutPropertySecurityCheck const): + (JSC::TypeInfo::newImpurePropertyFiresWatchpoints const): + (JSC::TypeInfo::isImmutablePrototypeExoticObject const): + (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero const): + (JSC::TypeInfo::isSetOnFlags1 const): + (JSC::TypeInfo::isSetOnFlags2 const): + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorAssign): + * runtime/ProxyObject.h: + * runtime/RegExpObject.h: + * runtime/StringObject.h: + * runtime/Structure.cpp: + (JSC::Structure::validateFlags): + (JSC::Structure::Structure): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::canCacheOwnKeys const): + * tools/JSDollarVM.cpp: + +2020-06-09 Jonathan Bedard + + JavaScriptCore: Support tvOS and watchOS builds with the public SDK + https://bugs.webkit.org/show_bug.cgi?id=212788 + + + Reviewed by Tim Horton. + + * Configurations/Base.xcconfig: Link to tvOS and watchOS framework stubs. + * Configurations/JavaScriptCore.xcconfig: Use iOS flags for all embedded platforms. + +2020-06-09 Yusuke Suzuki + + [JSC] Shrink __DATA,(__data,__bss,__common) more + https://bugs.webkit.org/show_bug.cgi?id=212863 + + Reviewed by Sam Weinig. + + 1. Use `unsigned` instead of `size_t` in GC size-class array. We know that this number never exceeds largeCutoff, + which must be much maller than UINT32_MAX. + 2. Add missing const to various variables to put them DATA,__const instead of DATA,__data etc. 
+ + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::initializeSizeClassForStepSize): + * heap/MarkedSpace.h: + * heap/VisitRaceKey.cpp: + * heap/VisitRaceKey.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + * inspector/agents/InspectorDebuggerAgent.h: + * runtime/PropertyDescriptor.cpp: + * runtime/PropertyDescriptor.h: + +2020-06-08 Keith Miller + + Removed unneeded POINTER_WIDTH macro from b3 + https://bugs.webkit.org/show_bug.cgi?id=212927 + + Reviewed by Yusuke Suzuki. + + C++20 has real constexpr functions so we don't need the + POINTER_WIDTH macro anymore. + + * b3/B3Width.h: + (JSC::B3::pointerWidth): + * b3/air/opcode_generator.rb: + +2020-06-08 Alexey Shvayka + + JSON.stringify should throw stack overflow error + https://bugs.webkit.org/show_bug.cgi?id=143511 + + Reviewed by Ross Kirsling and Mark Lam. + + This change adds m_holderStack.size() check, reusing the limit of JSON.parse, + and throws StackOverflowError if exceeded, aligning JSC with V8 and SpiderMonkey. + Even with all the cyclic structure checks in place, excess is possible due to + very deeply nested object, user-provided "toJSON" method or functional replacer. + + While Stringifier::appendStringifiedValue() and Holder::appendNextProperty() + mutually call each other, recursion is avoided by !holderStackWasEmpty check and + do/while loop at the end of appendStringifiedValue(), as well as cyclic structure + check as per spec [1]. + + [1]: https://tc39.es/ecma262/#sec-serializejsonobject (step 1) + + * runtime/JSONObject.cpp: + (JSC::Stringifier::appendStringifiedValue): + (JSC::Walker::walk): + +2020-06-08 Jonathan Bedard + + JavaScriptCore: Fix PLATFORM(TVOS) macro + https://bugs.webkit.org/show_bug.cgi?id=212900 + + + Unreviewed build fix. + + * tools/JSDollarVM.cpp: + (JSC::functionIsMemoryLimited): PLATFORM(TVOS) should be PLATFORM(APPLETV). 
+ +2020-06-07 Philippe Normand + + Remove ENABLE_VIDEO_TRACK ifdef guards + https://bugs.webkit.org/show_bug.cgi?id=212568 + + Reviewed by Youenn Fablet. + + * Configurations/FeatureDefines.xcconfig: Remove ENABLE_VIDEO_TRACK, which is now enabled by + default under the ENABLE_VIDEO guard. + +2020-06-07 Yusuke Suzuki + + [JSC] Checksum for generated files should be emitted at the end of the files + https://bugs.webkit.org/show_bug.cgi?id=212875 + + Reviewed by Mark Lam. + + If the offlineasm file generation is interrupted in the middle of the generation, it already emitted checksum. + So next file generation can accept this broken file as a result of offlineasm and skip file generation. + We should emit checksum at the end of files. For now, this patch takes a quick way: just iterating lines, getting + a last line and use it for checksum comparison. + + * generator/GeneratedFile.rb: + * offlineasm/asm.rb: + +2020-06-06 Mark Lam + + Make CodeBlockHash robust against unreasonably long source code. + https://bugs.webkit.org/show_bug.cgi?id=212847 + + + Reviewed by Saam Barati. + + This patch adds a heuristic to avoid trying to compute the CodeBlockHash on + unreasonably long source code strings. This is done by first applying a length + check and, if needed, computing the hash with an alternate method. + + This is OK to do because: + 1. CodeBlockHash is not a critical hash. + 2. In practice, reasonable source code are not that long. + 3. And if they are that long, then we are still diversifying the hash on their + length. But if they do collide, it's OK. + + The only invariant here is that we should always produce the same hash for the + same source string. Since the algorithm is deterministic, this invariant is not + violated. 
+ + * bytecode/CodeBlockHash.cpp: + (JSC::CodeBlockHash::CodeBlockHash): + +2020-06-06 Devin Rousso + + Web Inspector: unify the naming scheme for agents used by instrumentation + https://bugs.webkit.org/show_bug.cgi?id=212859 + + Reviewed by Timothy Hatcher. + + Inspector agents fall into one of three categories: + - "persistent" when Web Inspector is connected + - "enabled" when that agent is `enable`d, such as if the corresponding tab is visible + - "tracking" when that agent is part of a timeline recording. + + The only exception to this is the Console agent, as that exists regardless of whether Web + Inspector is connected as it needs to preserve messages logged before Web Inspector connects. + + Also remove the "Inspector" prefix from getter/setter methods as it adds confusion if that + agent also has subclasses (e.g. `InspectorRuntimeAgent` and `PageRuntimeAgent`). + + * inspector/JSGlobalObjectConsoleClient.h: + * inspector/JSGlobalObjectInspectorController.cpp: + * inspector/agents/InspectorConsoleAgent.h: + +2020-06-05 Michael Saboff + + Make FAST_JIT_PERMISSIONS check in LinkBuffer::copyCompactAndLinkCode a runtime check + https://bugs.webkit.org/show_bug.cgi?id=212825 + + Reviewed by Saam Barati. + + Added useFastJITPermissions() for runtime checks of FAST_JIT_PERMISSIONS + including the cases where it is conditional on OS settings. This is now + used in a few places to declutter the code. + + When using the fast JIT permissions path, the JIT memory is the direct output + of the linking. Modified BranchCompactionLinkBuffer to hold a pointer to that + output "buffer" or a temporarily allocated buffer depending on if fast JIT + permissions are enabled. + + Broke out the "verify hash" conditionally compiled code with a file local + ENABLE_VERIFY_JIT_HASH macro for readability. 
+ + * assembler/LinkBuffer.cpp: + (JSC::BranchCompactionLinkBuffer::BranchCompactionLinkBuffer): + (JSC::BranchCompactionLinkBuffer::~BranchCompactionLinkBuffer): + Changed this to use a provided buffer or a malloc'ed buffer. When using + a malloc'ed buffer, we put it in a thread local cache. + + (JSC::LinkBuffer::copyCompactAndLinkCode): + * jit/ExecutableAllocator.h: + (JSC::useFastJITPermissions): + (JSC::performJITMemcpy): + +2020-06-05 Yusuke Suzuki + + [JSC] Put dfgOpNames in __DATA,__const section instead of __DATA,__data + https://bugs.webkit.org/show_bug.cgi?id=212840 + + Reviewed by Saam Barati. + + dfgOpNames array itself is not const annotated, and the compiler makes it __DATA,__data instead of __DATA,__const. + We should annotate it with const to ensure that this is compiled into __DATA,__const. We also remove unused CallFrame::describeFrame + since it allocates some bss memory, while we have more sophisticated mechanism (VMInspector) for this functionality and this function + is no longer used. + + * dfg/DFGDoesGCCheck.cpp: + (JSC::DFG::DoesGCCheck::verifyCanGC): + * dfg/DFGGraph.cpp: + * dfg/DFGGraph.h: + * interpreter/CallFrame.cpp: + (JSC::CallFrame::describeFrame): Deleted. + * interpreter/CallFrame.h: + +2020-06-05 Tadeu Zagallo + + REGRESSION(r262523): Fix testb3 + https://bugs.webkit.org/show_bug.cgi?id=212791 + + Reviewed by Mark Lam. + + * b3/testb3_1.cpp: + (run): + (main): + +2020-06-05 Paulo Matos + + Add missing ECMAMode header to fix NonUnified Build + https://bugs.webkit.org/show_bug.cgi?id=212838 + + Reviewed by Darin Adler. + + * bytecode/PutByValFlags.h: + +2020-06-05 Saam Barati + + Audit safe to execute + https://bugs.webkit.org/show_bug.cgi?id=207075 + + + Reviewed by Yusuke Suzuki. + + This audit found one interesting case for DOMJIT nodes. We emit safety checks + for CallDOM/CallDOMGetter inside fixup phase and the bytecode parser. 
When + determining if these nodes are safe to execute, we need to also ensure that + these checks hold. + + I've also added a helper to JSDollarVM to ensure that this patch doesn't break + LICM of DOMJIT. + + This patch also moves some nodes we will never hoist to return false. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleDOMJITGetter): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::attemptToMakeCallDOM): + * dfg/DFGNode.h: + (JSC::DFG::Node::classInfo): + (JSC::DFG::Node::requiredDOMJITClassInfo): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * tools/JSDollarVM.cpp: + (JSC::functionCreateDOMJITGetterNoEffectsObject): + (JSC::JSDollarVM::finishCreation): + +2020-06-05 Devin Rousso + + Logical Assignment: perform NamedEvaluation of anonymous functions + https://bugs.webkit.org/show_bug.cgi?id=212679 + + Reviewed by Ross Kirsling. + + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeAssignNode): + +2020-06-05 Yusuke Suzuki + + DOM constructor should only accept Ref<> / ExceptionOr> for creation to ensure toJSNewlyCreated is always returning object + https://bugs.webkit.org/show_bug.cgi?id=212767 + + Reviewed by Darin Adler. + + * runtime/JSObject.h: + (JSC::asObject): + +2020-06-05 Andy Estes + + [Apple Pay] Remove conditionals for ENABLE_APPLE_PAY_SESSION_V(3|4) + https://bugs.webkit.org/show_bug.cgi?id=212541 + + + Reviewed by Darin Adler. + + APPLE_PAY_SESSION_V(3|4) is now enabled whenever APPLE_PAY itself is enabled. + + * Configurations/FeatureDefines.xcconfig: + +2020-06-05 Caitlin Potter + + [JSC] Add support for private class fields + https://bugs.webkit.org/show_bug.cgi?id=206431 + + Reviewed by Saam Barati. + + Expanding upon the earlier public class fields patch, we implement the remaining (and + significant parts) of the instance fields (https://tc39.es/proposal-class-fields/). + + There are a variety of key changes here: + + - Parser now understands the concept of private names (Token PRIVATENAME). 
+ - 1 new opcode (op_get_private_name), one changed opcode (op_put_by_val_direct). + - A method for creating Symbol objects with a null PrivateSymbolImpl is exposed as a + LinkTimeConstant (@createPrivateSymbol). + - Null Private Symbols are stored by name (not a valid identifier) in a JSScope, and + are loaded from the outer scope whenever they are used by the modified opcodes. + + The changes to op_put_by_val_direct include a new bytecode operand (PutByValFlags) which are + used to distinguish between overwriting or defining a new private field. Specifically, when it + comes to private field accesses, it's necessary to throw an exception when accessing a field + which does not exist, or when attempting to define a private field which has already been + defined. + + During the evaluation of a class expression, before the class element list is evaluated (in case + any computed property names expressions refer to a new private field), a new PrivateSymbol is + created for each individual private field name, and stored in the class lexical scope. + + Private field names are loaded from scope before their use. This prevents multiple evaluations + of the same class source from accessing each other's private fields, because the values of the + symbols loaded from the class scope would be distinct. This is required by the proposal text, + and is the key reason why we use ByVal lookups rather than ById lookups. + + To illustrate, typical private field access will look like: + + + resolve_scope , , "#x", GlobalProperty, 0 + get_from_scope , , "#x", 1050624, 0, 0 + get_private_name , , + + + resolve_scope , , "#x", GlobalProperty, 0 + get_from_scope , , "#x", 1050624, 0, 0 + put_by_val_direct , , , + + + resolve_scope , , "#x", GlobalProperty, 0 + get_from_scope , , "#x", 1050624, 0, 0 + put_by_val_direct , , , + + The feature is currently hidden behind the feature flag JSC::Options::usePrivateClassFields. 
+ + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * builtins/BuiltinNames.h: + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeLLIntInlineCaches): + * bytecode/Fits.h: + * bytecode/LinkTimeConstant.h: + * bytecode/PutByValFlags.cpp: Copied from Source/JavaScriptCore/bytecode/PutKind.h. + (WTF::printInternal): + * bytecode/PutByValFlags.h: Added. + (JSC::PutByValFlags::create): + (JSC::PutByValFlags::createDirect): + (JSC::PutByValFlags::createDefinePrivateField): + (JSC::PutByValFlags::createPutPrivateField): + (JSC::PutByValFlags::isDirect const): + (JSC::PutByValFlags::ecmaMode const): + (JSC::PutByValFlags::privateFieldAccessKind const): + (JSC::PutByValFlags::isPrivateFieldAccess const): + (JSC::PutByValFlags::isPrivateFieldPut const): + (JSC::PutByValFlags::isPrivateFieldAdd const): + (JSC::PutByValFlags::PutByValFlags): + * bytecode/PutKind.h: + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::generateUnlinkedFunctionCodeBlock): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::instantiateLexicalVariables): + (JSC::BytecodeGenerator::emitDirectGetByVal): + (JSC::BytecodeGenerator::emitDirectPutByVal): + (JSC::BytecodeGenerator::emitDefinePrivateField): + (JSC::BytecodeGenerator::emitPrivateFieldPut): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitDeclarePrivateFieldNames): + (JSC::PropertyListNode::emitBytecode): + (JSC::PropertyListNode::emitPutConstantProperty): + (JSC::DotAccessorNode::emitBytecode): + (JSC::BaseDotNode::emitGetPropertyValue): + (JSC::BaseDotNode::emitPutProperty): + (JSC::FunctionCallDotNode::emitBytecode): + (JSC::PostfixNode::emitDot): + (JSC::PrefixNode::emitDot): + (JSC::AssignDotNode::emitBytecode): + (JSC::ReadModifyDotNode::emitBytecode): + 
(JSC::DefineFieldNode::emitBytecode): + (JSC::ClassExprNode::emitBytecode): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ecmaMode): + (JSC::DFG::ecmaMode): + (JSC::DFG::ByteCodeParser::handlePutByVal): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::cachedPutById): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compilePutById): + * generator/DSL.rb: + * jit/ICStats.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + (JSC::JITPutByIdGenerator::slowPathFunction): + * jit/JITInlineCacheGenerator.h: + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + * jit/JITInlines.h: + (JSC::JIT::ecmaMode): + (JSC::JIT::ecmaMode): + (JSC::JIT::ecmaMode): + (JSC::JIT::privateFieldAccessKind): + (JSC::JIT::privateFieldAccessKind): + * jit/JITOperations.cpp: + (JSC::putPrivateField): + (JSC::definePrivateField): + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::emit_op_put_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::emit_op_put_by_id): + * jit/Repatch.cpp: + (JSC::appropriateGenericPutByIdFunction): + (JSC::appropriateOptimizingPutByIdFunction): + (JSC::tryCachePutByID): + * llint/LLIntOffsetsExtractor.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createDotAccess): + (JSC::ASTBuilder::isPrivateLocation): + (JSC::ASTBuilder::makeFunctionCallNode): + (JSC::ASTBuilder::makeAssignNode): + * parser/Lexer.cpp: + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifierSlowCase): + (JSC::Lexer::lexWithoutClearingLineTerminator): + * 
parser/NodeConstructors.h: + (JSC::BaseDotNode::BaseDotNode): + (JSC::DotAccessorNode::DotAccessorNode): + (JSC::FunctionCallDotNode::FunctionCallDotNode): + (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode): + (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): + (JSC::HasOwnPropertyFunctionCallDotNode::HasOwnPropertyFunctionCallDotNode): + (JSC::AssignDotNode::AssignDotNode): + (JSC::ReadModifyDotNode::ReadModifyDotNode): + * parser/Nodes.cpp: + (JSC::PropertyListNode::shouldCreateLexicalScopeForClass): + * parser/Nodes.h: + (JSC::ExpressionNode::isPrivateLocation const): + (JSC::BaseDotNode::base const): + (JSC::BaseDotNode::identifier const): + (JSC::BaseDotNode::type const): + (JSC::BaseDotNode::isPrivateField const): + * parser/Parser.cpp: + (JSC::Parser::parseVariableDeclarationList): + (JSC::Parser::parseDestructuringPattern): + (JSC::Parser::parseClass): + (JSC::Parser::parseInstanceFieldInitializerSourceElements): + (JSC::Parser::usePrivateName): + (JSC::Parser::parseMemberExpression): + (JSC::Parser::parseUnaryExpression): + (JSC::Parser::printUnexpectedTokenText): + * parser/Parser.h: + (JSC::Scope::isPrivateNameScope const): + (JSC::Scope::setIsPrivateNameScope): + (JSC::Scope::hasPrivateName): + (JSC::Scope::copyUndeclaredPrivateNamesTo): + (JSC::Scope::hasUsedButUndeclaredPrivateNames const): + (JSC::Scope::usePrivateName): + (JSC::Scope::declarePrivateName): + (JSC::Parser::findPrivateNameScope): + (JSC::Parser::privateNameScope): + (JSC::Parser::copyUndeclaredPrivateNamesToOuterScope): + (JSC::Parser::matchAndUpdate): + (JSC::Parser::parse): + (JSC::parse): + * parser/ParserTokens.h: + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createDotAccess): + (JSC::SyntaxChecker::operatorStackPop): + * parser/VariableEnvironment.cpp: + (JSC::VariableEnvironment::operator=): + (JSC::VariableEnvironment::swap): + (JSC::CompactVariableEnvironment::CompactVariableEnvironment): + * parser/VariableEnvironment.h: + 
(JSC::VariableEnvironmentEntry::isPrivateName const): + (JSC::VariableEnvironmentEntry::setIsPrivateName): + (JSC::PrivateNameEntry::PrivateNameEntry): + (JSC::PrivateNameEntry::isUsed const): + (JSC::PrivateNameEntry::isDeclared const): + (JSC::PrivateNameEntry::setIsUsed): + (JSC::PrivateNameEntry::setIsDeclared): + (JSC::PrivateNameEntry::bits const): + (JSC::PrivateNameEntry::operator== const): + (JSC::VariableEnvironment::VariableEnvironment): + (JSC::VariableEnvironment::size const): + (JSC::VariableEnvironment::mapSize const): + (JSC::VariableEnvironment::declarePrivateName): + (JSC::VariableEnvironment::usePrivateName): + (JSC::VariableEnvironment::privateNames const): + (JSC::VariableEnvironment::privateNamesSize const): + (JSC::VariableEnvironment::hasPrivateName): + (JSC::VariableEnvironment::copyPrivateNamesTo const): + (JSC::VariableEnvironment::copyUndeclaredPrivateNamesTo const): + (JSC::VariableEnvironment::RareData::RareData): + (JSC::VariableEnvironment::getOrAddPrivateName): + * runtime/CachedTypes.cpp: + (JSC::CachedOptional::decodeAsPtr const): + (JSC::CachedVariableEnvironmentRareData::encode): + (JSC::CachedVariableEnvironmentRareData::decode const): + (JSC::CachedVariableEnvironment::encode): + (JSC::CachedVariableEnvironment::decode const): + (JSC::CachedSymbolTableRareData::encode): + (JSC::CachedSymbolTableRareData::decode const): + (JSC::CachedSymbolTable::encode): + (JSC::CachedSymbolTable::decode const): + * runtime/CodeCache.cpp: + (JSC::generateUnlinkedCodeBlockImpl): + * runtime/CommonIdentifiers.cpp: + (JSC::CommonIdentifiers::CommonIdentifiers): + * runtime/CommonIdentifiers.h: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/ExceptionHelpers.cpp: + (JSC::createInvalidPrivateNameError): + (JSC::createRedefinedPrivateNameError): + * runtime/ExceptionHelpers.h: + * runtime/JSGlobalObject.cpp: + (JSC::createPrivateSymbol): + (JSC::JSGlobalObject::init): + * runtime/JSObject.h: + * 
runtime/JSObjectInlines.h: + (JSC::JSObject::getPrivateFieldSlot): + (JSC::JSObject::getPrivateField): + (JSC::JSObject::putPrivateField): + (JSC::JSObject::definePrivateField): + * runtime/JSScope.cpp: + (JSC::JSScope::collectClosureVariablesUnderTDZ): + * runtime/OptionsList.h: + * runtime/SymbolTable.cpp: + (JSC::SymbolTable::cloneScopePart): + * runtime/SymbolTable.h: + +2020-06-05 Paulo Matos + + Fix includes to fix latest non-unified builds breakages + https://bugs.webkit.org/show_bug.cgi?id=212802 + + Reviewed by Adrian Perez de Castro. + + * dfg/DFGDoesGCCheck.cpp: + * runtime/JSDateMath.h: + +2020-06-04 Yusuke Suzuki + + [JSC] Report extra memory allocation from PropertyTable + https://bugs.webkit.org/show_bug.cgi?id=212793 + + Reviewed by Saam Barati. + + This patch adds extra memory reporting from PropertyTable to make GC + responsive to the increase of memory in PropertyTable. + + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::add): + (JSC::PropertyTable::remove): + (JSC::PropertyTable::rehash): + (JSC::PropertyTable::dataSize): + * runtime/PropertyTable.cpp: + (JSC::PropertyTable::finishCreation): + (JSC::PropertyTable::visitChildren): + * runtime/Structure.cpp: + (JSC::Structure::materializePropertyTable): + * runtime/StructureInlines.h: + (JSC::Structure::add): + (JSC::Structure::remove): + +2020-06-04 Commit Queue + + Unreviewed, reverting r262583. + https://bugs.webkit.org/show_bug.cgi?id=212799 + + Internal source code has the same bug, needs to be landed + after fixing internal source + + Reverted changeset: + + "DOM constructor should only accept Ref<> / ExceptionOr> + for creation to ensure toJSNewlyCreated is always returning + object" + https://bugs.webkit.org/show_bug.cgi?id=212767 + https://trac.webkit.org/changeset/262583 + +2020-06-04 Michael Saboff + + Add a Thread Specific Cache for LinkBuffer::CompactAndLinkCode() + https://bugs.webkit.org/show_bug.cgi?id=212765 + + Reviewed by Saam Barati. 
+ + Added a thread local buffer for CPU types that use a second buffer when compacting. + This is very similary to the work done in https://bugs.webkit.org/show_bug.cgi?id=212562. + + * assembler/LinkBuffer.cpp: + (JSC::threadSpecificBranchCompactionLinkBuffer): + (JSC::BranchCompactionLinkBuffer::BranchCompactionLinkBuffer): + (JSC::BranchCompactionLinkBuffer::~BranchCompactionLinkBuffer): + (JSC::BranchCompactionLinkBuffer::data): + (JSC::BranchCompactionLinkBuffer::takeBufferIfLarger): + (JSC::BranchCompactionLinkBuffer::size): + (JSC::LinkBuffer::copyCompactAndLinkCode): + +2020-06-04 Mark Lam + + Add Options::validateDoesGC() for turning DoesGC validation on/off. + https://bugs.webkit.org/show_bug.cgi?id=212773 + + Reviewed by Saam Barati. + + It will default to on if ASSERT_ENABLED because we want testing to be done with + the validation on. When needed, we can turn it off if we need to e.g. to + de-clutter disassembly dumps while debugging. + + If Options::validateDoesGC() is false, we turn off JIT code emission for this + check, as well as skip the validation checks. There are still places in C++ + code that store to DoesGC::m_value without checking Options::validateDoesGC(). + It doesn't hurt to just let these stores proceed, and performance-wise, it's + probably cheaper to just do the store unconditionally than to gate it on a load of + Options::validateDoesGC() first. + + Also made it explicit that the check on validateDFGDoesGC is a constexpr check. 
+ + * dfg/DFGDoesGCCheck.cpp: + (JSC::DFG::DoesGCCheck::verifyCanGC): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * runtime/OptionsList.h: + +2020-06-04 Ross Kirsling + + Intl classes should have meaningful @@toStringTag values + https://bugs.webkit.org/show_bug.cgi?id=212769 + + Reviewed by Yusuke Suzuki. + + Implementation of https://github.com/tc39/ecma402/pull/430, which achieved consensus this week. + This ensures we get "[object Intl.Collator]" (etc.) instead "[object Object]" for older Intl classes. + + * runtime/IntlCollatorPrototype.cpp: + * runtime/IntlDateTimeFormatPrototype.cpp: + * runtime/IntlNumberFormatPrototype.cpp: + * runtime/IntlPluralRulesPrototype.cpp: + +2020-06-04 Alexey Shvayka + + GetMethod isn't performed properly on iterators + https://bugs.webkit.org/show_bug.cgi?id=212771 + + Reviewed by Saam Barati. + + Before this change, iterator's "return" and "throw" methods with value of `null` were + considered incorrect rather than missing, causing TypeError to be thrown. + + This patch aligns method lookup of iterators with the spec [1], V8, and SpiderMonkey + by utilizing isUndefinedOrNull(), which doesn't special-case [[IsHTMLDDA]] objects [2], + fixing a few Annex B tests. + + for/of microbenchmarks are neutral. 
+ + [1]: https://tc39.es/ecma262/#sec-getmethod (step 3) + [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot + + * builtins/AsyncFromSyncIteratorPrototype.js: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitIteratorGenericClose): + (JSC::BytecodeGenerator::emitGetAsyncIterator): + (JSC::BytecodeGenerator::emitDelegateYield): + * runtime/IteratorOperations.cpp: + (JSC::iteratorClose): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructGenericTypedArrayViewWithArguments): + +2020-06-04 Mark Lam + + Reduce DFGDoesGCCheck to only storing a uint32_t. + https://bugs.webkit.org/show_bug.cgi?id=212734 + + Reviewed by Saam Barati and Caio Lima. + + This patch changes the encoding of DoesGCCheck so that it will fit better in a + uint32_t. This has the following benefits: + 1. speed improvement for debug builds because it now takes less instructions + (especially in JITted code) to store to DoesGCCheck::m_value. + 2. enables this check for 32-bit platforms as well. + + Fun fact: we currently have 373 DFG::NodeTypes. Hence, 9 bits for nodeOp. + + The new encoding provides 21 bis for the nodeIndex. This gives us up to 2097152 + node indexes. In my experience, I've never seen more than 3 decimal digits for + the nodeIndex so far. If we ever find that we need more than 21 bits of nodeIndex, + we have 2 options to deal with it: + + 1. We can just ignore the high bits. After all, it is the nodeOp that is the + most interesting piece of data we need to debug doesGC issues. + + 2. We can make DoesGCCheck use uint64_t for storage. This encoding automatically + scales to 64-bit, while still allowing the more efficient form of storing a + 32-bit immediate to be used for the common cases. + + This patch also makes ENABLE_DFG_DOES_GC_VALIDATION dependent on ENABLE(DFG_JIT). + DoesGC is only relevant for the DFG and FTL JITs. 
+ + * dfg/DFGDoesGCCheck.cpp: + (JSC::DFG::DoesGCCheck::verifyCanGC): + * dfg/DFGDoesGCCheck.h: + (JSC::DFG::DoesGCCheck::encode): + (JSC::DFG::DoesGCCheck::expectDoesGC const): + (JSC::DFG::DoesGCCheck::isSpecial const): + (JSC::DFG::DoesGCCheck::special): + (JSC::DFG::DoesGCCheck::nodeOp): + (JSC::DFG::DoesGCCheck::nodeIndex): + (JSC::DFG::DoesGCCheck::expectDoesGC): Deleted. + (JSC::DFG::DoesGCCheck::isSpecial): Deleted. + (JSC::DFG::DoesGCCheck::specialIndex): Deleted. + (JSC::DFG::DoesGCCheck::bits): Deleted. + * dfg/DFGNodeType.h: + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * heap/Heap.h: + +2020-06-04 Tim Horton + + Work around broken system version macro + https://bugs.webkit.org/show_bug.cgi?id=212726 + + Reviewed by Dan Bernstein. + + * Configurations/DebugRelease.xcconfig: + +2020-06-04 Andy Estes + + [watchOS] Re-enable content filtering in the simulator build + https://bugs.webkit.org/show_bug.cgi?id=212711 + + + Reviewed by Wenson Hsieh. + + * Configurations/FeatureDefines.xcconfig: + +2020-06-04 Mark Lam + + SpeculativeJIT::compileDateGet()'s slow path does not need an exception check. + https://bugs.webkit.org/show_bug.cgi?id=212645 + + Reviewed by Yusuke Suzuki. + + SpeculativeJIT::compileDateGet() implements a bunch of Date intrinsics which call + into a C++ operation function do their work. However, the call to these operation + functions were done using a slow path generator configured to automatically + emit exception checks after the call. These exception checks are unneeded because + those functions will not throw any exceptions. + + This issue was found with JSC stress test runs on a debug build. 
The doesGC + verifier was failing on the exceptionFuzz/date-format-xparb.js test. The reason + is because doesGC does not expect any these Date intrinsics to throw any exceptions, + but SpeculativeJIT was emitting the unneeded exception checks there. These + exception check sites get turned into throw sites by the exceptionFuzzer, and + they allocate an Error object there. This allocation made the doesGC verifier + not happy. + + This patch fixes this issue by changing SpeculativeJIT::compileDateGet() to + pass ExceptionCheckRequirement::CheckNotNeeded to the slow path generator. + + The patch also proves that all the operation functions cannot throw any exceptions. + Previously, the operations passes a VM& to the Date functions. The purpose for + doing this is so that the Date functions can work with a few date cache data + structures stored as VM fields. + + This patch refactors those VM fields into a VM::DateCache struct, and changed all + those Date functions to take a VM::DateCache& instead of a VM&. Since the Date + functions no longer take a VM&, this proves that they cannot throw because they + would need a VM& to make a ThrowScope in order to throw. + + Update: Yusuke pointed out that the lack of a JSGlobalObject* argument is sufficient + to guarantee that the Date functions cannot throw. However, we'll keep this + DateCache refactoring since it provides additional info that the Date functions + only operate on the DateCache fields and nothing else in VM. + + Also removed DFG::JITCompile's fastExceptionCheck() which is unused. + + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::fastExceptionCheck): Deleted. 
+ * dfg/DFGOperations.cpp: + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileDateGet): + * runtime/DateConstructor.cpp: + (JSC::millisecondsFromComponents): + (JSC::callDate): + * runtime/DateInstance.cpp: + (JSC::DateInstance::calculateGregorianDateTime const): + (JSC::DateInstance::calculateGregorianDateTimeUTC const): + * runtime/DateInstance.h: + * runtime/DatePrototype.cpp: + (JSC::formatLocaleDate): + (JSC::formateDateInstance): + (JSC::dateProtoFuncToISOString): + (JSC::dateProtoFuncGetFullYear): + (JSC::dateProtoFuncGetUTCFullYear): + (JSC::dateProtoFuncGetMonth): + (JSC::dateProtoFuncGetUTCMonth): + (JSC::dateProtoFuncGetDate): + (JSC::dateProtoFuncGetUTCDate): + (JSC::dateProtoFuncGetDay): + (JSC::dateProtoFuncGetUTCDay): + (JSC::dateProtoFuncGetHours): + (JSC::dateProtoFuncGetUTCHours): + (JSC::dateProtoFuncGetMinutes): + (JSC::dateProtoFuncGetUTCMinutes): + (JSC::dateProtoFuncGetSeconds): + (JSC::dateProtoFuncGetUTCSeconds): + (JSC::dateProtoFuncGetTimezoneOffset): + (JSC::setNewValueFromTimeArgs): + (JSC::setNewValueFromDateArgs): + (JSC::dateProtoFuncSetYear): + (JSC::dateProtoFuncGetYear): + * runtime/JSDateMath.cpp: + (JSC::localTimeOffset): + (JSC::gregorianDateTimeToMS): + (JSC::msToGregorianDateTime): + (JSC::parseDate): + * runtime/JSDateMath.h: + * runtime/VM.cpp: + (JSC::VM::resetDateCache): + * runtime/VM.h: + +2020-06-04 Paulo Matos + + Fix 32bit build broken at r262513 + https://bugs.webkit.org/show_bug.cgi?id=212735 + + Unreviewed Gardening. + + Proper fix is being worked out under https://bugs.webkit.org/show_bug.cgi?id=212734 + + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + +2020-06-03 Tadeu Zagallo + + Disable B3 hoistLoopInvariantValues by default + https://bugs.webkit.org/show_bug.cgi?id=212511 + + + Reviewed by Mark Lam. + + The hoistLoopInvariantValues optimization in B3 does not calculate the cost of hoisting the candidates. 
+ For example, in the test case provided with the bug, a switch inside a loop can lead to hoisting the body + of several switch cases which would never be executed. Other than leading to worse runtime, this also + increases the pressure in the register allocate, leading to worse compile times (~10x worse in this case). + I have added a FIXME to consider adding cost calculation and re-enabling this pass, but given that we + already have LICM in DFG, it should be ok to disable it for now. + + * b3/B3Generate.cpp: + (JSC::B3::generateToAir): + * runtime/OptionsList.h: + +2020-06-03 Mark Lam + + Gardening: fix broken Windows debug build. + https://bugs.webkit.org/show_bug.cgi?id=212680 + + Not reviewed. + + * dfg/DFGDoesGCCheck.cpp: + (JSC::DFG::DoesGCCheck::verifyCanGC): + * dfg/DFGDoesGCCheck.h: + +2020-06-03 Mark Lam + + [Re-landing] Enhance DoesGC verification to print more useful info when verification fails. + https://bugs.webkit.org/show_bug.cgi?id=212680 + + Reviewed by Yusuke Susuki. + + When DoesGC verification fails, the first step of debugging it would be to find + out what and which DFG node resulted in the failed verification. In pre-existing + code, all we get is an assertion failure. + + This patch makes it so that the verifier will dump useful info. 
Here's an example: + + Error: DoesGC failed @ D@34 DateGetInt32OrNaN in #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)] + [0] frame 0x7ffee8285660 { + name: + sourceURL: + isInlinedFrame: false + callee: 0x1135f6820 + returnPC: 0x50ce61248ae6 + callerFrame: 0x7ffee82856f0 + rawLocationBits: 5 0x5 + codeBlock: 0x1135bd1d0 #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)] + hasCodeOrigins: true + callSiteIndex: 5 of 13 + jitCode: 0x113020200 start 0x50ce61214c60 end 0x50ce61219b00 + line: 1 + column: 60 + EntryFrame: 0x7ffee8285860 + } + [1] frame 0x7ffee82856f0 { + name: + sourceURL: date-format-xparb.js + isInlinedFrame: false + callee: 0x1135f65a0 + returnPC: 0x50ce61227e99 + callerFrame: 0x7ffee8285770 + rawLocationBits: 4 0x4 + codeBlock: 0x1135bd0a0 #BU6Zcd:[0x1135bd0a0->0x1135bc260->0x1135e5180, DFGFunctionCall, 112 (DidTryToEnterInLoop)] + hasCodeOrigins: true + callSiteIndex: 4 of 12 + jitCode: 0x113004000 start 0x50ce61212c60 end 0x50ce61214960 + line: 26 + column: 22 + EntryFrame: 0x7ffee8285860 + } + [2] frame 0x7ffee8285770 { + name: + sourceURL: date-format-xparb.js + isInlinedFrame: false + callee: 0x1135f64e0 + returnPC: 0x108058eb1 + callerFrame: 0x7ffee82857e0 + rawLocationBits: 1001 0x3e9 + codeBlock: 0x1135bc130 #DAS9xe:[0x1135bc130->0x1135e5100, BaselineFunctionCall, 1149] + bc#1001 of 1149 + line: 417 + column: 38 + EntryFrame: 0x7ffee8285860 + } + [3] frame 0x7ffee82857e0 { + name: global code + sourceURL: date-format-xparb.js + isInlinedFrame: false + callee: 0x1130f97b8 + returnPC: 0x108039043 + callerFrame: 0x0 + rawLocationBits: 23 0x17 + codeBlock: 0x1135bc000 #CukXvt:[0x1135bc000->0x1130cd768, LLIntGlobal, 81] + bc#23 of 81 + line: 425 + column: 3 + EntryFrame: 0x7ffee8285860 + } + + ASSERTION FAILED: expectDoesGC() + + The error message now comes with the node index, NodeType, codeBlock which this + failure was found in, and the JS call stack that led 
to the failure. + + Changes made: + + 1. Introduced a DoesGCCheck value that is used to encode some of the above data. + + Previously, we only recorded whether doesGC() returns true or false for the + Node. Now, we record the nodeIndex and nodeOp as well. + + Note that we also set DoesGC expectations for OSR exits. So, DoesGCCheck + includes Special cases for those. + + 2. Added store64(TrustedImm64 imm, const void* address) emitters for X86_64 and ARM64. + Also added a test for this new emitter in testmasm. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::store64): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::store64): + * assembler/testmasm.cpp: + (JSC::testStore64Imm64AddressPointer): + (JSC::run): + * dfg/DFGDoesGCCheck.cpp: Copied from Source/JavaScriptCore/dfg/DFGDoesGCCheck.cpp. + * dfg/DFGDoesGCCheck.h: Copied from Source/JavaScriptCore/dfg/DFGDoesGCCheck.h. 
+ * dfg/DFGGraph.cpp: + * dfg/DFGOSRExit.cpp: + (JSC::DFG::operationCompileOSRExit): + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + (JSC::FTL::operationCompileFTLOSRExit): + * heap/CompleteSubspace.cpp: + (JSC::CompleteSubspace::tryAllocateSlow): + (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual): + * heap/CompleteSubspaceInlines.h: + (JSC::CompleteSubspace::allocateNonVirtual): + * heap/DeferGC.h: + (JSC::DeferGC::~DeferGC): + * heap/GCDeferralContextInlines.h: + (JSC::GCDeferralContext::~GCDeferralContext): + * heap/Heap.cpp: + (JSC::Heap::collectNow): + (JSC::Heap::collectAsync): + (JSC::Heap::collectSync): + (JSC::Heap::stopIfNecessarySlow): + (JSC::Heap::collectIfNecessaryOrDefer): + * heap/Heap.h: + (JSC::Heap::addressOfDoesGC): + (JSC::Heap::setDoesGCExpectation): + (JSC::Heap::verifyCanGC): + (JSC::Heap::expectDoesGC const): Deleted. + (JSC::Heap::setExpectDoesGC): Deleted. + (JSC::Heap::addressOfExpectDoesGC): Deleted. + * heap/HeapInlines.h: + (JSC::Heap::acquireAccess): + (JSC::Heap::stopIfNecessary): + * heap/LocalAllocatorInlines.h: + (JSC::LocalAllocator::allocate): + * heap/PreciseAllocation.cpp: + (JSC::PreciseAllocation::tryCreate): + (JSC::PreciseAllocation::createForLowerTier): + * runtime/JSString.h: + (JSC::jsSingleCharacterString): + (JSC::JSString::toAtomString const): + (JSC::JSString::toExistingAtomString const): + (JSC::JSString::value const): + (JSC::JSString::tryGetValue const): + (JSC::JSRopeString::unsafeView const): + (JSC::JSRopeString::viewWithUnderlyingString const): + (JSC::JSString::unsafeView const): + * runtime/RegExpMatchesArray.h: + (JSC::createRegExpMatchesArray): + +2020-06-03 Mark Lam + + DFGSSAConversionPhase.cpp needs to #include OperandsInlines.h. 
+ https://bugs.webkit.org/show_bug.cgi?id=212687 + + Reviewed by Keith Miller. + + Without this, strange build failures can happen with unified builds. + + For example, the Windows build started failing due a linkage error in this file + when the patch from https://bugs.webkit.org/show_bug.cgi?id=212680 landed. + 212680 introduced a new .cpp file, and that probably bumped DFGSSAConversionPhase.cpp + into another unified unit, thereby depriving it from seeing the OperandsInlines.h + #include'd by another .cpp. + + * dfg/DFGSSAConversionPhase.cpp: + +2020-06-03 Mark Lam + + Fix non-unified --jsc-only build. + https://bugs.webkit.org/show_bug.cgi?id=212707 + + Reviewed by Yusuke Suzuki. + + These files need JSGlobalObjectInlines.h. But rather than adding yet another + #include, we'll just remove many individual ones and just #include JSCInlines.h + instead. + + * wasm/js/JSToWasmICCallee.cpp: + * wasm/js/WebAssemblyCompileErrorConstructor.cpp: + * wasm/js/WebAssemblyCompileErrorPrototype.cpp: + * wasm/js/WebAssemblyGlobalPrototype.cpp: + * wasm/js/WebAssemblyInstanceConstructor.cpp: + * wasm/js/WebAssemblyInstancePrototype.cpp: + * wasm/js/WebAssemblyLinkErrorConstructor.cpp: + * wasm/js/WebAssemblyLinkErrorPrototype.cpp: + * wasm/js/WebAssemblyModulePrototype.cpp: + * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: + * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: + +2020-06-03 Rob Buis + + Make generated C++ code use modern C++ + https://bugs.webkit.org/show_bug.cgi?id=190714 + + Reviewed by Jonathan Bedard. + + Update inspector protocol generator and rebaseline the tests. 
+ + * inspector/scripts/codegen/cpp_generator_templates.py: + * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: + * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: + * inspector/scripts/tests/expected/enum-values.json-result: + * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: + * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: + * inspector/scripts/tests/expected/type-declaration-array-type.json-result: + * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: + * inspector/scripts/tests/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: + * yarr/generateYarrUnicodePropertyTables.py: + +2020-06-02 Mark Lam + + Rolling out r262475 to unbreak Windows bot. + https://bugs.webkit.org/show_bug.cgi?id=212680 + + Not reviewed. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * assembler/MacroAssemblerARM64.h: + * assembler/MacroAssemblerX86_64.h: + * assembler/testmasm.cpp: + (JSC::testCountTrailingZeros64WithoutNullCheck): + (JSC::run): + (JSC::testStore64Imm64AddressPointer): Deleted. + * dfg/DFGDoesGCCheck.cpp: Removed. + * dfg/DFGDoesGCCheck.h: Removed. 
+ * dfg/DFGGraph.cpp: + * dfg/DFGOSRExit.cpp: + (JSC::DFG::operationCompileOSRExit): + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + (JSC::FTL::operationCompileFTLOSRExit): + * heap/CompleteSubspace.cpp: + (JSC::CompleteSubspace::tryAllocateSlow): + (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual): + * heap/CompleteSubspaceInlines.h: + (JSC::CompleteSubspace::allocateNonVirtual): + * heap/DeferGC.h: + (JSC::DeferGC::~DeferGC): + * heap/GCDeferralContextInlines.h: + (JSC::GCDeferralContext::~GCDeferralContext): + * heap/Heap.cpp: + (JSC::Heap::collectNow): + (JSC::Heap::collectAsync): + (JSC::Heap::collectSync): + (JSC::Heap::stopIfNecessarySlow): + (JSC::Heap::collectIfNecessaryOrDefer): + * heap/Heap.h: + (JSC::Heap::expectDoesGC const): + (JSC::Heap::setExpectDoesGC): + (JSC::Heap::addressOfExpectDoesGC): + (JSC::Heap::addressOfDoesGC): Deleted. + (JSC::Heap::setDoesGCExpectation): Deleted. + (JSC::Heap::verifyCanGC): Deleted. + * heap/HeapInlines.h: + (JSC::Heap::acquireAccess): + (JSC::Heap::stopIfNecessary): + * heap/LocalAllocatorInlines.h: + (JSC::LocalAllocator::allocate): + * heap/PreciseAllocation.cpp: + (JSC::PreciseAllocation::tryCreate): + (JSC::PreciseAllocation::createForLowerTier): + * runtime/JSString.h: + (JSC::jsSingleCharacterString): + (JSC::JSString::toAtomString const): + (JSC::JSString::toExistingAtomString const): + (JSC::JSString::value const): + (JSC::JSString::tryGetValue const): + (JSC::JSRopeString::unsafeView const): + (JSC::JSRopeString::viewWithUnderlyingString const): + (JSC::JSString::unsafeView const): + * runtime/RegExpMatchesArray.h: + (JSC::createRegExpMatchesArray): + +2020-06-02 Mark Lam + + Enhance DoesGC verification to print more useful info when verification fails. 
+ https://bugs.webkit.org/show_bug.cgi?id=212680 + + Reviewed by Yusuke Suzuki. + + When DoesGC verification fails, the first step of debugging it would be to find + out what and which DFG node resulted in the failed verification. In pre-existing + code, all we get is an assertion failure. + + This patch makes it so that the verifier will dump useful info. Here's an example: + + Error: DoesGC failed @ D@34 DateGetInt32OrNaN in #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)] + [0] frame 0x7ffee8285660 { + name: + sourceURL: + isInlinedFrame: false + callee: 0x1135f6820 + returnPC: 0x50ce61248ae6 + callerFrame: 0x7ffee82856f0 + rawLocationBits: 5 0x5 + codeBlock: 0x1135bd1d0 #DtCHMz:[0x1135bd1d0->0x1135bcab0->0x1135e5c80, DFGFunctionCall, 150 (DidTryToEnterInLoop)] + hasCodeOrigins: true + callSiteIndex: 5 of 13 + jitCode: 0x113020200 start 0x50ce61214c60 end 0x50ce61219b00 + line: 1 + column: 60 + EntryFrame: 0x7ffee8285860 + } + [1] frame 0x7ffee82856f0 { + name: + sourceURL: date-format-xparb.js + isInlinedFrame: false + callee: 0x1135f65a0 + returnPC: 0x50ce61227e99 + callerFrame: 0x7ffee8285770 + rawLocationBits: 4 0x4 + codeBlock: 0x1135bd0a0 #BU6Zcd:[0x1135bd0a0->0x1135bc260->0x1135e5180, DFGFunctionCall, 112 (DidTryToEnterInLoop)] + hasCodeOrigins: true + callSiteIndex: 4 of 12 + jitCode: 0x113004000 start 0x50ce61212c60 end 0x50ce61214960 + line: 26 + column: 22 + EntryFrame: 0x7ffee8285860 + } + [2] frame 0x7ffee8285770 { + name: + sourceURL: date-format-xparb.js + isInlinedFrame: false + callee: 0x1135f64e0 + returnPC: 0x108058eb1 + callerFrame: 0x7ffee82857e0 + rawLocationBits: 1001 0x3e9 + codeBlock: 0x1135bc130 #DAS9xe:[0x1135bc130->0x1135e5100, BaselineFunctionCall, 1149] + bc#1001 of 1149 + line: 417 + column: 38 + EntryFrame: 0x7ffee8285860 + } + [3] frame 0x7ffee82857e0 { + name: global code + sourceURL: date-format-xparb.js + isInlinedFrame: false + callee: 0x1130f97b8 + returnPC: 0x108039043 + 
callerFrame: 0x0 + rawLocationBits: 23 0x17 + codeBlock: 0x1135bc000 #CukXvt:[0x1135bc000->0x1130cd768, LLIntGlobal, 81] + bc#23 of 81 + line: 425 + column: 3 + EntryFrame: 0x7ffee8285860 + } + + ASSERTION FAILED: expectDoesGC() + + The error message now comes with the node index, NodeType, codeBlock which this + failure was found in, and the JS call stack that led to the failure. + + Changes made: + + 1. Introduced a DoesGCCheck value that is used to encode some of the above data. + + Previously, we only recorded whether doesGC() returns true or false for the + Node. Now, we record the nodeIndex and nodeOp as well. + + Note that we also set DoesGC expectations for OSR exits. So, DoesGCCheck + includes Special cases for those. + + 2. Added store64(TrustedImm64 imm, const void* address) emitters for X86_64 and ARM64. + Also added a test for this new emitter in testmasm. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::store64): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::store64): + * assembler/testmasm.cpp: + (JSC::testStore64Imm64AddressPointer): + (JSC::run): + * dfg/DFGDoesGCCheck.cpp: Added. + (JSC::DFG::DoesGCCheck::verifyCanGC): + * dfg/DFGDoesGCCheck.h: Added. 
+ (JSC::DFG::DoesGCCheck::DoesGCCheck): + (JSC::DFG::DoesGCCheck::encode): + (JSC::DFG::DoesGCCheck::set): + (JSC::DFG::DoesGCCheck::expectDoesGC): + (JSC::DFG::DoesGCCheck::special): + (JSC::DFG::DoesGCCheck::nodeIndex): + (JSC::DFG::DoesGCCheck::nodeOp): + (JSC::DFG::DoesGCCheck::isSpecial): + (JSC::DFG::DoesGCCheck::specialIndex): + (JSC::DFG::DoesGCCheck::bits): + * dfg/DFGGraph.cpp: + * dfg/DFGOSRExit.cpp: + (JSC::DFG::operationCompileOSRExit): + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + (JSC::FTL::operationCompileFTLOSRExit): + * heap/CompleteSubspace.cpp: + (JSC::CompleteSubspace::tryAllocateSlow): + (JSC::CompleteSubspace::reallocatePreciseAllocationNonVirtual): + * heap/CompleteSubspaceInlines.h: + (JSC::CompleteSubspace::allocateNonVirtual): + * heap/DeferGC.h: + (JSC::DeferGC::~DeferGC): + * heap/GCDeferralContextInlines.h: + (JSC::GCDeferralContext::~GCDeferralContext): + * heap/Heap.cpp: + (JSC::Heap::collectNow): + (JSC::Heap::collectAsync): + (JSC::Heap::collectSync): + (JSC::Heap::stopIfNecessarySlow): + (JSC::Heap::collectIfNecessaryOrDefer): + * heap/Heap.h: + (JSC::Heap::addressOfDoesGC): + (JSC::Heap::setDoesGCExpectation): + (JSC::Heap::verifyCanGC): + (JSC::Heap::expectDoesGC const): Deleted. + (JSC::Heap::setExpectDoesGC): Deleted. + (JSC::Heap::addressOfExpectDoesGC): Deleted. 
+ * heap/HeapInlines.h: + (JSC::Heap::acquireAccess): + (JSC::Heap::stopIfNecessary): + * heap/LocalAllocatorInlines.h: + (JSC::LocalAllocator::allocate): + * heap/PreciseAllocation.cpp: + (JSC::PreciseAllocation::tryCreate): + (JSC::PreciseAllocation::createForLowerTier): + * runtime/JSString.h: + (JSC::jsSingleCharacterString): + (JSC::JSString::toAtomString const): + (JSC::JSString::toExistingAtomString const): + (JSC::JSString::value const): + (JSC::JSString::tryGetValue const): + (JSC::JSRopeString::unsafeView const): + (JSC::JSRopeString::viewWithUnderlyingString const): + (JSC::JSString::unsafeView const): + * runtime/RegExpMatchesArray.h: + (JSC::createRegExpMatchesArray): + +2020-06-02 Mark Lam + + VMInspector APIs should be taking a VM* instead of a JSGlobalObject*. + https://bugs.webkit.org/show_bug.cgi?id=212676 + + Reviewed by Saam Barati and Robin Morisset. + + This because: + 1. None of the functions currently taking a JSGlobalObject* actually need the + globalObject. All of them need the VM. + 2. The role of the VMInspector is to enable inspection of the VM. By requiring + that it be passed a JSGlobalObject*, we were actually preventing the VMInspector + from being used in code that have a VM to inspect but don't have a JSGlobalObject + to use. + + The reason I'm choosing to pass VM* instead of VM& is because it makes these + functions trivial to call using lldb interactively. The VMInspector functions + are also intentionally designed so that they can be used for this purpose. + On occasion, I may have to cast literal numbers (addresses) to VM*. Technically, + I could cast a number to VM* and dereference it to get a VM& too. However, at + present, lldb is often buggy and not always reliable with casts. I would like to + lessen the chance that lldb fails on me when I'm deep in the middle of a debugging + session, and have a need to call one of these functions. 
+ + * tools/JSDollarVM.cpp: + (JSC::functionGC): + (JSC::functionEdenGC): + (JSC::functionCodeBlockForFrame): + (JSC::codeBlockFromArg): + (JSC::functionDumpCallFrame): + (JSC::functionDumpStack): + * tools/VMInspector.cpp: + (JSC::VMInspector::currentThreadOwnsJSLock): + (JSC::ensureCurrentThreadOwnsJSLock): + (JSC::VMInspector::gc): + (JSC::VMInspector::edenGC): + (JSC::VMInspector::isValidCodeBlock): + (JSC::VMInspector::codeBlockForFrame): + (JSC::VMInspector::dumpCallFrame): + (JSC::VMInspector::dumpStack): + * tools/VMInspector.h: + +2020-06-02 Keith Rollin + + Revert FEATURES_DEFINES related changes + https://bugs.webkit.org/show_bug.cgi?id=212664 + + + Reviewed by Andy Estes. + + Bug 262310, Bug 262311, Bug 262318, and Bug 262331 involve changes to + FEATURE_DEFINES and how the values there relate to those found in the + Platform*.h files. Those changes break XCBuild (by removing the + .xcfilelist related to UnifiedSources and the process for generating + them), and so are being reverted. + + * Configurations/FeatureDefines.xcconfig: + +2020-06-02 Ryan Haddad + + Unreviewed, reverting r262424. + + Caused webkitpy test failure + + Reverted changeset: + + "Make generated C++ code use modern C++" + https://bugs.webkit.org/show_bug.cgi?id=190714 + https://trac.webkit.org/changeset/262424 + +2020-06-02 Mark Lam + + Change Gigacage::Config to use storage in WebConfig::g_config instead of its own. + https://bugs.webkit.org/show_bug.cgi?id=212585 + + + Reviewed by Yusuke Suzuki. 
+ + * assembler/testmasm.cpp: + (JSC::testCagePreservesPACFailureBit): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::caged): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cageConditionally): + * llint/LowLevelInterpreter64.asm: + * runtime/JSCConfig.h: + (JSC::Config::isPermanentlyFrozen): + +2020-06-02 Saam Barati + + MultiDeleteByOffset should not always def + https://bugs.webkit.org/show_bug.cgi?id=212621 + + + Reviewed by Yusuke Suzuki. + + Clobberize used to claim that MultiDeleteByOffset always defd a value. + That's an incorrect modeling of MultiDeleteByOffset though, since it might + have delete misses in its variant list. This would lead us to incorrectly + CSE when we shouldn't. This patch fixes this by saying MultiDeleteByOffset + only defs when all its cases write out a value (are hits). + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGNode.cpp: + (JSC::DFG::MultiDeleteByOffsetData::allVariantsStoreEmpty const): + * dfg/DFGNode.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMultiDeleteByOffset): + +2020-06-02 Rob Buis + + Make generated C++ code use modern C++ + https://bugs.webkit.org/show_bug.cgi?id=190714 + + Reviewed by Sam Weinig. + + Update inspector protocol generator and rebaseline the tests. 
+ + * inspector/scripts/codegen/cpp_generator_templates.py: + * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: + * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: + * inspector/scripts/tests/expected/enum-values.json-result: + * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: + * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: + * inspector/scripts/tests/expected/type-declaration-array-type.json-result: + * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: + * inspector/scripts/tests/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: + * yarr/generateYarrUnicodePropertyTables.py: + +2020-06-02 Paulo Matos + + Fix assert message formatting + https://bugs.webkit.org/show_bug.cgi?id=212591 + + Reviewed by Adrian Perez de Castro. + + Fixes warning by gcc - lineParts.size() is size_t, %zu should be used. + + * runtime/FuzzerPredictions.cpp: + (JSC::FuzzerPredictions::FuzzerPredictions): + +2020-06-01 Devin Rousso + + Web Inspector: Graphics: should use the `id` (name) of the animation if it exists + https://bugs.webkit.org/show_bug.cgi?id=212618 + + Reviewed by Timothy Hatcher. + + * inspector/protocol/Animation.json: + - added an optional `name` property to the `Animation.Animation` type + - created a new `Animation.nameChanged` event + +2020-06-01 Saam Barati + + Correct misunderstandings on how ThreadSpecific work + https://bugs.webkit.org/show_bug.cgi?id=212616 + + Reviewed by Michael Saboff. 
+ + There were two misunderstandings I had when writing code using ThreadSpecific + when doing LLInt bytecode buffer caching in Wasm. + + 1. For ThreadSpecific, I was calling Vector's constructor twice + unnecessarily, and incorrectly, since we ended up constructing over an + already constructed Vector for the second call. When doing operator* or + operator-> on a ThreadSpecific, T() is called if it has not been + initialized yet. So there is no need to do manually call the constructor + the second time. + + 2. There is no need to try to destroy entries for ThreadSpecific manually + since we already run destructors when the thread goes away. + + This patch removes code for (1) and (2) both from the Wasm bytecode + buffer and from AssemblerData. + + * assembler/AssemblerBuffer.cpp: + (JSC::clearAssembleDataThreadSpecificCache): Deleted. + * assembler/AssemblerBuffer.h: + (JSC::AssemblerBuffer::AssemblerBuffer): + (JSC::AssemblerBuffer::~AssemblerBuffer): + (JSC::AssemblerBuffer::getThreadSpecificAssemblerData): Deleted. + * dfg/DFGWorklist.cpp: + * jit/JITWorklist.cpp: + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::LLIntGenerator): + (JSC::Wasm::clearLLIntThreadSpecificCache): Deleted. + * wasm/WasmLLIntGenerator.h: + * wasm/WasmWorklist.cpp: + +2020-06-01 Yusuke Suzuki + + Unreviewed, fix build failure in ARMv7k + https://bugs.webkit.org/show_bug.cgi?id=212595 + + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toThisSlowCase const): + +2020-06-01 Yusuke Suzuki + + [JSC] JSBigInt::rightTrim can miss |this| pointer and leads to incorrect GC collection + https://bugs.webkit.org/show_bug.cgi?id=212601 + + Reviewed by Saam Barati. + + This is pretty rare case. But in some optimization level, JSBigInt::rightTrim could store |this| + offset pointer into the stack instead of |this| + and make conservative GC think that |this| JSBigInt is unreachable. We put ensureStillAliveHere(this) to ensure that this is alive. 
+ + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::rightTrim): + +2020-06-01 Mark Lam + + x86.rb's LabelReference.x86LoadOperand()'s address operand should be a pointer type. + https://bugs.webkit.org/show_bug.cgi?id=212603 + + Reviewed by Saam Barati. + + The current implementation mistakenly sets the address type to that of the value + being loaded. I encountered this issue when I was trying to do a loadb from a + global address. Because of this bug, the emitted code was trying do a load using + %al (8 byte register) as the pointer to load from. With this fix, it now loads + from %rax. + + * offlineasm/x86.rb: + +2020-06-01 Yusuke Suzuki + + [JSC] JSValue::toThis should not throw exception + https://bugs.webkit.org/show_bug.cgi?id=212595 + + Reviewed by Mark Lam. + + Including WebCore code, there are a lot of code which assume JSValue::toThis should not throw an exception. + This assumption was now broken after making JSBigInt allocation graceful for OOM. But for this particular JSValue::toThis case, + we can make it non-throwing code. + + This patch makes JSValue::toThis non-throwing code to fix exception-missing debug assertions. + We ensure that BigIntObject can hold BigInt32 (actually, it can already if toObjectSlowCase path is taken). + + * runtime/BigIntObject.cpp: + (JSC::BigIntObject::create): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toThisSlowCase const): + +2020-06-01 Yusuke Suzuki + + [JSC] BigInt operations should handle exception correctly + https://bugs.webkit.org/show_bug.cgi?id=212596 + + Reviewed by Mark Lam. + + Some places miss exception check / explicit scope-release while BigInt operations can now throw an exception. + This patch adds them. They are covered by existing stress tests with Debug build. 
+ + * runtime/Operations.h: + (JSC::compareBigIntToOtherPrimitive): + (JSC::compareBigInt32ToOtherPrimitive): + (JSC::jsInc): + (JSC::jsDec): + (JSC::jsBitwiseNot): + +2020-05-31 Michael Saboff + + Consider a Thread Specific Cache for AssemblerBuffers + https://bugs.webkit.org/show_bug.cgi?id=212562 + + Reviewed by Filip Pizlo. + + This patch creates a thread local cache of AssemblerData in the hopes that it will reduce + memory allocation churn. The cache is cleared when a thread is destroyed. + If an AssemblerData is destroyed in another thread, its storage is cached by the + destroying thread. + + Made a few changes described below to facilite the swap as well as returning a + clear()'ed AssemblerData back to its original state. + + Reviewed by Filip Pizlo. + + * assembler/AssemblerBuffer.cpp: + (JSC::threadSpecificAssemblerData): + (JSC::clearAssembleDataThreadSpecificCache): + * assembler/AssemblerBuffer.h: + + (JSC::AssemblerData::AssemblerData): + (JSC::AssemblerData::operator=): + The copy constructor and assignment operator now perform complete AssemblerBuffer swaps. + + (JSC::AssemblerData::takeBufferIfLarger): + A new method that will conditionally copy the enclosed buffer of the argument to "this" + if the argument's buffer is larger than the current buffer of "this". + + (JSC::AssemblerData::~AssemblerData): + (JSC::AssemblerData::clear): + The destructor now calls clear which has been changed to reset the buffer to one with + inline capacity. + + (JSC::AssemblerBuffer::AssemblerBuffer): + Take the cached out of line buffer if there is one. + + (JSC::AssemblerBuffer::~AssemblerBuffer): + Cache the enclosed out of line buffer if it is larger than the currently cached one. + + (JSC::AssemblerBuffer::getThreadSpecificAssemblerData): + * dfg/DFGWorklist.cpp: + * jit/JITWorklist.cpp: + * wasm/WasmWorklist.cpp: + +2020-05-31 Mark Lam + + Change JSC::Config to use storage in WTF::Config instead of its own. 
+ https://bugs.webkit.org/show_bug.cgi?id=212575 + + + Reviewed by Yusuke Suzuki. + + Since Configs must be rounded up to CeilingOnPageSize, this will save us some + memory since the contents of both Configs do not add up to CeilingOnPageSize. + + g_jscConfig is now located at g_wtfConfig.spaceForExtensions. + + * runtime/JSCConfig.cpp: + (JSC::Config::disableFreezingForTesting): + (JSC::Config::enableRestrictedOptions): + (JSC::Config::permanentlyFreeze): Deleted. + * runtime/JSCConfig.h: + (JSC::Config::permanentlyFreeze): + (JSC::Config::isPermanentlyFrozen): + (): Deleted. + * runtime/Options.cpp: + (JSC::Options::setOptions): + * tools/JSDollarVM.cpp: + (JSC::functionCallWithStackSize): + +2020-05-30 Mark Lam + + Rename Signal::BadAccess to Signal::AccessFault. + https://bugs.webkit.org/show_bug.cgi?id=212577 + + Reviewed by Yusuke Suzuki. + + * runtime/VMTraps.cpp: + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::enableFastMemory): + +2020-05-30 Yusuke Suzuki + + [JSC] for-in should allocate new temporary register for base + https://bugs.webkit.org/show_bug.cgi?id=212519 + + + Reviewed by Saam Barati. + + While r262233 keeps for-in's enumerated object in variable register if possible to use this register for heuristics driving an optimization, + for-in body can replace the content of this register during enumeration and confuse enumerator. + + Instead, we record Variable information in StructureForInContext. This allows us to detect patterns using heap-variables too. + Further, this patch extends pattern-matching code to support ThisNode too. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::pushStructureForInScope): + * bytecompiler/BytecodeGenerator.h: + (JSC::Variable::Variable): + (JSC::Variable::isResolved const): + (JSC::Variable::symbolTableConstantIndex const): + (JSC::Variable::ident const): + (JSC::Variable::offset const): + (JSC::Variable::isLocal const): + (JSC::Variable::local const): + (JSC::Variable::isReadOnly const): + (JSC::Variable::isSpecial const): + (JSC::Variable::isConst const): + (JSC::Variable::setIsReadOnly): + (JSC::Variable::operator== const): + (JSC::StructureForInContext::StructureForInContext): + (JSC::StructureForInContext::baseVariable const): + (JSC::StructureForInContext::base const): Deleted. + * bytecompiler/NodesCodegen.cpp: + (JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode): + (JSC::ForInNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeFunctionCallNode): + * parser/Nodes.h: + (JSC::ExpressionNode::isThisNode const): + +2020-05-30 Yusuke Suzuki + + Unreviewed, fix JSC debug tests' exception checking + https://bugs.webkit.org/show_bug.cgi?id=212512 + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::createWithLength): + (JSC::JSBigInt::allocateFor): + +2020-05-30 Mark Lam + + AssemblyHelpers::callExceptionFuzz() is passing a wrong argument to operationExceptionFuzz(). + https://bugs.webkit.org/show_bug.cgi?id=212561 + + Reviewed by Yusuke Suzuki. + + There's 2 possible solution to this issue: + 1. Thread the globalObject from all the way up the clients calling into + callExceptionFuzz(), or + 2. Introduce a operationExceptionFuzzWithCallFrame() wrapper take receives a VM* + and CallFrame*, and use these to get the lexicalGlobalObject. + + This patch applies solution 2. + + Solution 1 is too unwieldy because it will cause the threading of the globalObject + argument to fan out to many clients, and almost all of those clients currently + do not need the globalObject. 
Hence, implementing this solution may incur some + performance penalty in normal code, for the sole benefit of this one fuzzing tool. + + Secondly, the exception fuzzer doesn't really care which globalObject is used. + It only cares that an exception is thrown, and we need a globalObject in order to + throw that exception. Hence, there is no benefit to threading the globalObject + down from all the clients. + + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::callExceptionFuzz): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + +2020-05-29 Yusuke Suzuki + + [JSC] JSBigInt allocation should be graceful for OOM + https://bugs.webkit.org/show_bug.cgi?id=212512 + + Reviewed by Mark Lam. + + This patch allows JSBigInt's storage allocation to fail gracefully if OOM condition happens. + We thread JSGlobalObject* instead of VM& and throw OOM error if storage allocation failed. + We also rename `JSGlobalObject* globalObject` parameter to `JSGlobalObject* nullOrGlobalObjectForOOM` + if it can be nullptr. 
+ + * jit/JITOperations.cpp: + * jsc.cpp: + (functionCreateHeapBigInt): + * parser/ParserArena.cpp: + (JSC::IdentifierArena::makeBigIntDecimalIdentifier): + * runtime/BigIntConstructor.cpp: + (JSC::toBigInt): + (JSC::callBigIntConstructor): + * runtime/BigIntPrototype.cpp: + (JSC::toThisBigIntValue): + (JSC::bigIntProtoFuncToString): + (JSC::bigIntProtoFuncToLocaleString): + (JSC::bigIntProtoFuncValueOf): + * runtime/CachedTypes.cpp: + (JSC::CachedBigInt::decode const): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/IntlNumberFormatPrototype.cpp: + (JSC::IntlNumberFormatFuncFormat): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::createZero): + (JSC::JSBigInt::tryCreateZero): + (JSC::JSBigInt::createWithLength): + (JSC::JSBigInt::tryCreateWithLength): + (JSC::JSBigInt::createFrom): + (JSC::JSBigInt::tryCreateFrom): + (JSC::JSBigInt::createFromImpl): + (JSC::JSBigInt::parseInt): + (JSC::HeapBigIntImpl::toHeapBigInt): + (JSC::Int32BigIntImpl::toHeapBigInt): + (JSC::zeroImpl): + (JSC::JSBigInt::exponentiateImpl): + (JSC::JSBigInt::multiplyImpl): + (JSC::JSBigInt::divideImpl): + (JSC::JSBigInt::copy): + (JSC::JSBigInt::unaryMinusImpl): + (JSC::JSBigInt::unaryMinus): + (JSC::JSBigInt::remainderImpl): + (JSC::JSBigInt::incImpl): + (JSC::JSBigInt::decImpl): + (JSC::JSBigInt::addImpl): + (JSC::JSBigInt::subImpl): + (JSC::JSBigInt::bitwiseAndImpl): + (JSC::JSBigInt::bitwiseOrImpl): + (JSC::JSBigInt::bitwiseXorImpl): + (JSC::JSBigInt::absoluteAdd): + (JSC::JSBigInt::absoluteSub): + (JSC::JSBigInt::absoluteDivWithDigitDivisor): + (JSC::JSBigInt::absoluteDivWithBigIntDivisor): + (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy): + (JSC::JSBigInt::absoluteBitwiseOp): + (JSC::JSBigInt::absoluteAnd): + (JSC::JSBigInt::absoluteOr): + (JSC::JSBigInt::absoluteAndNot): + (JSC::JSBigInt::absoluteXor): + (JSC::JSBigInt::absoluteAddOne): + (JSC::JSBigInt::absoluteSubOne): + (JSC::JSBigInt::leftShiftByAbsolute): + (JSC::JSBigInt::rightShiftByAbsolute): + 
(JSC::JSBigInt::rightShiftByMaximum): + (JSC::JSBigInt::toStringBasePowerOfTwo): + (JSC::JSBigInt::toStringGeneric): + (JSC::JSBigInt::rightTrim): + (JSC::JSBigInt::tryRightTrim): + (JSC::JSBigInt::allocateFor): + (JSC::JSBigInt::asIntNImpl): + (JSC::JSBigInt::asUintNImpl): + (JSC::JSBigInt::truncateToNBits): + (JSC::JSBigInt::truncateAndSubFromPowerOfTwo): + (JSC::JSBigInt::createWithLengthUnchecked): Deleted. + * runtime/JSBigInt.h: + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toThisSlowCase const): + * runtime/VM.cpp: + (JSC::VM::VM): + +2020-05-29 Saam Barati + + We need to properly model heap ranges of Delete in DFG/B3 + https://bugs.webkit.org/show_bug.cgi?id=212538 + + + Reviewed by Filip Pizlo. + + We need to properly model the aliasing dependencies of an inlined delete + operation. + + We had a bug in the B3 IR we generated from code like this for a delete + followed by a property addition: + ``` + const o = { y: 0 }; + delete o.y; + o.z = 0; + ``` + + generated: + + ``` + note: bb#5 dominates bb#10, bb#10 dominates bb#15 + + bb#5 + Void b@125 = Store($-562949953421312(b@282), b@112, offset = 16, ControlDependent|Writes:129, D@30) + bb#10 + Void b@171 = Store($0(b@2), b@112, offset = 16, ControlDependent|Writes:129, D@37) + bb#15 + Void b@217 = Store($-562949953421312(b@282), b@112, offset = 16, ControlDependent|Writes:130, D@44) + ``` + + Notice that "y" and "z" ended up at the same property offset. + + In the above program, B3 proves the pointer we're storing to is the same value + in all three stores (b@112). However, because of how it does store forwarding, + it determined it could eliminate b@217 because b@125 already stored the same + value to the same pointer. It didn't know that b@171 was a write because its + heap range is different than @217. Generally, when using two heap ranges, it's + telling B3 that two pointers don't alias. 
+ ``` + @A, Heap_H + @B, Heap_H + ``` + In the above program, + - If @B reads H and @A writes H, then @B is dependent on @A. + - If @B writes H, then @B is dependent on @A if @A reads or writes H. + + So for delete, we need to model the deletion of a property as actually + writing to all named properties that may exist at that slot given a + series of structure transitions. We model this by saying the PutStructure + for an inlined delete, or MultiDeleteByOffset, writes to all named properties + (which is a superset of all named properties that may exist at that slot + through a series of transitions). + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * ftl/FTLAbstractHeap.cpp: + (JSC::FTL::IndexedAbstractHeap::dump): + (JSC::FTL::NumberedAbstractHeap::dump): + (JSC::FTL::AbsoluteAbstractHeap::dump): + (JSC::FTL::IndexedAbstractHeap::dump const): Deleted. + (JSC::FTL::NumberedAbstractHeap::dump const): Deleted. + (JSC::FTL::AbsoluteAbstractHeap::dump const): Deleted. + * ftl/FTLAbstractHeap.h: + (JSC::FTL::IndexedAbstractHeap::atAnyIndex): + (JSC::FTL::NumberedAbstractHeap::atAnyNumber): + (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress): + (JSC::FTL::IndexedAbstractHeap::atAnyIndex const): Deleted. + (JSC::FTL::NumberedAbstractHeap::atAnyNumber const): Deleted. + (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress const): Deleted. + * ftl/FTLAbstractHeapRepository.cpp: + (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure): + (JSC::FTL::DFG::LowerDFGToB3::compileMultiDeleteByOffset): + +2020-05-29 Andy Estes + + [Apple Pay] Remove conditionals for ENABLE_APPLE_PAY_SESSION_V(3|4) + https://bugs.webkit.org/show_bug.cgi?id=212541 + + Reviewed by Darin Adler. + + APPLE_PAY_SESSION_V(3|4) is now enabled whenever APPLE_PAY itself is enabled. 
+ + * Configurations/FeatureDefines.xcconfig: + +2020-05-29 Darin Adler + + Remove things from FeatureDefines.xcconfig that are covered by PlatformEnableCocoa.h + https://bugs.webkit.org/show_bug.cgi?id=212418 + + Rubber-stamped by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: Add back ENABLE_CSS_CONIC_GRADIENTS, removed + by accident. + +2020-05-27 Darin Adler + + Remove things from FeatureDefines.xcconfig that are covered by PlatformEnableCocoa.h + https://bugs.webkit.org/show_bug.cgi?id=212418 + + Reviewed by Andy Estes. + + * Configurations/FeatureDefines.xcconfig: Removed 83 of the 119 things defined in + this file. There are 36 more that are slightly more complex that we can remove + carefully later. + +2020-05-29 Darin Adler + + [Cocoa] Pass all defines from Platform.h to various scripts, not just the ones from .xcconfig + https://bugs.webkit.org/show_bug.cgi?id=212451 + + Reviewed by Sam Weinig. + + * DerivedSources.make: Run the preprocessor on Platform.h and parse the output into + FEATURE_AND_PLATFORM_DEFINES. Use that and FEATURE_AND_PLATFORM_DEFINE_DEPENDENCIES + whenever we need a list of defines. Also took out some Windows-specific stuff since + this is now only used on Mac platforms. Use ":=" when calling $(shell) to make sure + the same shell command is not invoked over and over again. + +2020-05-29 Keith Rollin + + Revert switch to XCBuild + https://bugs.webkit.org/show_bug.cgi?id=212530 + + + Unreviewed build fix. + + Bug 209890 enabled the use of XCBuild by default. Since then, some + build issues have shown up. While addressing them, temporarily turn + off the use of XCBuild by default. + + * Configurations/JavaScriptCore.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-05-29 Commit Queue + + Unreviewed, reverting r262245. 
+ https://bugs.webkit.org/show_bug.cgi?id=212531 + + "Caused WebCore's 'Check .xcfilelists' build phase to be ~100x + slower" + + Reverted changeset: + + "[Cocoa] Pass all defines from Platform.h to various scripts, + not just the ones from .xcconfig" + https://bugs.webkit.org/show_bug.cgi?id=212451 + https://trac.webkit.org/changeset/262245 + +2020-05-29 Devin Rousso + + Web Inspector: add ITML debuggable/target type + https://bugs.webkit.org/show_bug.cgi?id=203300 + + + Reviewed by Joseph Pecoraro and Brian Burg. + + * API/JSContextPrivate.h: + * API/JSContext.mm: + (-[JSContext _setITMLDebuggableType]): Added. + * runtime/JSGlobalObject.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::setIsITML): Added. + Create an SPI for marking a `JSContext` as an ITML context for Web Inspector. + + * runtime/JSGlobalObjectDebuggable.h: + (isType): + * inspector/remote/RemoteControllableTarget.h: + * inspector/remote/RemoteInspectionTarget.h: + * inspector/remote/RemoteInspectorConstants.h: + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::connectFrontend): + Don't dispatch `Inspector.activateExtraDomains` unless we're a basic `JavaScript` debuggable. 
+ + * inspector/remote/cocoa/RemoteInspectorCocoa.mm: + (Inspector::RemoteInspector::listingForInspectionTarget const): + + * inspector/scripts/codegen/models.py: + (validate_target_types): + * inspector/scripts/codegen/objc_generator.py: + (ObjCGenerator): + * inspector/scripts/tests/expected/fail-on-command-targetTypes-value.json-error: + * inspector/scripts/tests/expected/fail-on-domain-debuggableTypes-value.json-error: + * inspector/scripts/tests/expected/fail-on-domain-targetTypes-value.json-error: + * inspector/scripts/tests/expected/fail-on-event-targetTypes-value.json-error: + + * inspector/protocol/Audit.json: + * inspector/protocol/CSS.json: + * inspector/protocol/Console.json: + * inspector/protocol/DOM.json: + * inspector/protocol/DOMStorage.json: + * inspector/protocol/Database.json: + * inspector/protocol/Debugger.json: + * inspector/protocol/Heap.json: + * inspector/protocol/Inspector.json: + * inspector/protocol/Network.json: + * inspector/protocol/Page.json: + * inspector/protocol/Runtime.json: + * inspector/protocol/Security.json: + Add support for `itml` debuggables and targets, marking non-ITML commands/events with `page`. + +2020-05-29 Mark Lam + + Add a check for errors when computing a utf string in jsc shell's runInteractive(). + https://bugs.webkit.org/show_bug.cgi?id=212526 + + + Reviewed by Michael Saboff. + + * jsc.cpp: + (runInteractive): + +2020-05-28 Devin Rousso + + Web Inspector: add missing condition guards when generating objc protocol files + https://bugs.webkit.org/show_bug.cgi?id=212494 + + Reviewed by Timothy Hatcher. 
+
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
+ (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
+ * inspector/scripts/codegen/generate_objc_configuration_header.py:
+ (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
+ * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
+ (ObjCConfigurationImplementationGenerator._generate_configuration_implementation_for_domains):
+ (ObjCConfigurationImplementationGenerator._generate_ivars):
+ (ObjCConfigurationImplementationGenerator._generate_dealloc):
+ (ObjCConfigurationImplementationGenerator._generate_event_dispatcher_getter_for_domain):
+ (ObjCConfigurationImplementationGenerator._variable_name_prefix_for_domain): Deleted.
+ * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
+ (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
+ (ObjCFrontendDispatcherImplementationGenerator._generate_event):
+ * inspector/scripts/codegen/generate_objc_header.py:
+ (ObjCHeaderGenerator._generate_forward_declarations):
+ (ObjCHeaderGenerator._generate_enums):
+ (ObjCHeaderGenerator._generate_types):
+ (ObjCHeaderGenerator._generate_command_protocols):
+ (ObjCHeaderGenerator._generate_event_interfaces):
+ (ObjCHeaderGenerator._generate_single_event_interface):
+ * inspector/scripts/codegen/generate_objc_internal_header.py:
+ (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
+ * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
+ (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
+ * inspector/scripts/tests/definitions-with-mac-platform.json:
+ * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
+
+2020-05-27 Keith Miller
+
+ for-of should check the iterable is a JSArray for FastArray in DFG iterator_open
+ https://bugs.webkit.org/show_bug.cgi?id=212383
+
+ Reviewed by Saam Barati.
+
+ This patch fixes an issue where we didn't check that the iterable operand to
+ iterator_open was a JSArray when lowering the FastArray only variant of the bytecode to the DFG.
+ This meant we would OSR exit at the iterator_next's lowering then assertion failure in the
+ checkpoint OSR exit helper. To make this work, this patch extends (and renames from CheckSubClass)
+ CheckJSCast to use the same JSType information that we use for the jsCast function. In order to
+ get the JSType range from a ClassInfo* the macro that autogenerates MethodTable now also fills
+ a Optional into the ClassInfo as well.
+
+ Lastly, speculationFromClassInfo was misused by AI. This patch
+ renames it to speculationFromClassInfoInheritance to better
+ reflect how AI was using it. The only other user of
+ speculationFromClassInfo was speculationFromStructure. Any case
+ where speculationFromClassInfoInteritance would differ from what a
+ Structure would tell you has been hoisted to
+ speculationFromStructure.
+
+ * assembler/testmasm.cpp:
+ (JSC::testBranchIfType):
+ (JSC::testBranchIfNotType):
+ * bytecode/SpeculatedType.cpp:
+ (JSC::speculationFromClassInfoInheritance):
+ (JSC::speculationFromStructure):
+ (JSC::speculationFromClassInfo): Deleted.
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::filterClassInfo):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
+ (JSC::DFG::FixupPhase::fixupCheckJSCast):
+ (JSC::DFG::FixupPhase::fixupCheckSubClass): Deleted.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasClassInfo const):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::compileCheckJSCast):
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast):
+ (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
+ (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): Deleted.
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::branchIfType):
+ (JSC::AssemblyHelpers::branchIfNotType):
+ * runtime/ClassInfo.h:
+ * runtime/JSCast.h:
+ (JSC::JSTypeRange::contains const):
+ (JSC::JSCastingHelpers::inheritsJSTypeImpl):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::assertTypeInfoFlagInvariants):
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCreateDOMJITCheckJSCastObject):
+ (JSC::JSDollarVM::finishCreation):
+ (JSC::functionCreateDOMJITCheckSubClassObject): Deleted.
+
+2020-05-27 Darin Adler
+
+ [Cocoa] Pass all defines from Platform.h to various scripts, not just the ones from .xcconfig
+ https://bugs.webkit.org/show_bug.cgi?id=212451
+
+ Reviewed by Sam Weinig.
+
+ * DerivedSources.make: Run the preprocessor on Platform.h and parse the output into
+ FEATURE_AND_PLATFORM_DEFINES. Use that and FEATURE_AND_PLATFORM_DEFINE_DEPENDENCIES
+ whenever we need a list of defines. Also took out some Windows-specific stuff since
+ this is now only used on Mac platforms.
+
+2020-05-28 Michael Catanzaro
+
+ Web Inspector: generate_cpp_protocol_types_header.py:294: SyntaxWarning: "is" with a literal. Did you mean "=="?
+ https://bugs.webkit.org/show_bug.cgi?id=212468
+
+ Reviewed by Timothy Hatcher.
+
+ Use "==" instead of "is" to compare against 0.
+
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+
+2020-05-28 Mark Lam
+
+ Gardening: Add an assertNoException() to placate the exception checker and green the bots.
+ https://bugs.webkit.org/show_bug.cgi?id=212248
+
+ Not reviewed.
+
+ This solution was pointed out by Caio Lima in https://bugs.webkit.org/show_bug.cgi?id=212248#c10.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+
+2020-05-27 Saam Barati
+
+ hasOwnProperty inside structure property for-in loop should use an opcode like has_structure_property but for hasOwnProperty
+ https://bugs.webkit.org/show_bug.cgi?id=212248
+
+ Reviewed by Keith Miller.
+
+ This patch applies the same principles from r262083 but to hasOwnProperty.
+
+ In this patch, we have a fast path for this syntactic pattern when
+ iterating structure properties:
+
+ for (let

in ) + if (.hasOwnProperty(

)) + + We look for both

and as resolve nodes, and we look for them being the + same values both in the header and inside the body. + + Using a simple static analysis, when we detect this pattern, we compare the + result of `.hasOwnProperty` to the original hasOwnProperty function. If + it's the same, we execute the fast path new bytecode has_own_structure_property, + which on the fast path is two loads, a compare and branch, and a materialization of + the boolean constant true. + + On the slow path, has_own_structure_property just executes the runtime code + for hasOwnProperty. + + In my testing, this seems like it might be 3-5% faster on Speedometer 2's + react subtests. I was getting some noise when running the tests locally, + so I can't say for certain it's a definite speedup. But the data implies + it has a good chance at being a speedup. + + * builtins/BuiltinNames.h: + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecode/LinkTimeConstant.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitWideJumpIfNotFunctionHasOwnProperty): + (JSC::BytecodeGenerator::recordHasOwnStructurePropertyInForInLoop): + (JSC::BytecodeGenerator::emitHasOwnStructureProperty): + (JSC::BytecodeGenerator::pushStructureForInScope): + (JSC::StructureForInContext::finalize): + (JSC::BytecodeGenerator::findStructureForInContext): + * bytecompiler/BytecodeGenerator.h: + (JSC::StructureForInContext::StructureForInContext): + (JSC::StructureForInContext::base const): + (JSC::StructureForInContext::addHasOwnPropertyJump): + * bytecompiler/Label.h: + (JSC::GenericBoundLabel::GenericBoundLabel): + * bytecompiler/NodesCodegen.cpp: + (JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode): + (JSC::ForInNode::emitBytecode): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * 
dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileHasStructureProperty): + (JSC::DFG::SpeculativeJIT::compileHasOwnStructurePropertyImpl): + (JSC::DFG::SpeculativeJIT::compileHasOwnStructureProperty): + (JSC::DFG::SpeculativeJIT::compileInStructureProperty): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnStructureProperty): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_has_structure_propertyImpl): + (JSC::JIT::emit_op_has_structure_property): + (JSC::JIT::emit_op_has_own_structure_property): + (JSC::JIT::emit_op_in_structure_property): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_has_structure_propertyImpl): + (JSC::JIT::emit_op_has_structure_property): + (JSC::JIT::emit_op_has_own_structure_property): + (JSC::JIT::emit_op_in_structure_property): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeFunctionCallNode): + * parser/NodeConstructors.h: + (JSC::HasOwnPropertyFunctionCallDotNode::HasOwnPropertyFunctionCallDotNode): + * parser/Nodes.h: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/JSGlobalObject.cpp: + 
(JSC::JSGlobalObject::init): + * runtime/ObjectPrototype.cpp: + (JSC::objectPrototypeHasOwnProperty): + (JSC::objectProtoFuncHasOwnProperty): + * runtime/ObjectPrototype.h: + +2020-05-27 Yusuke Suzuki + + [ macOS iOS ] REGRESSION(r261600?): imported/w3c/web-platform-tests/html/dom/reflection-embedded.html & imported/w3c/web-platform-tests/html/dom/reflection-forms.html are flaky failures + https://bugs.webkit.org/show_bug.cgi?id=212430 + + Reviewed by Saam Barati. + + r261600 added IsConstructor rule to DFG AI. That rule is saying that if the object is not JSFunction and not ProxyObject, + then it must not be a constructor. But this is wrong since any objects can implement getConstructData and DOM constructors + are actually implementing it while it is not JSFunction and it is not ProxyObject. This patch removes that rule. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * tools/JSDollarVM.cpp: + +2020-05-27 Saam Barati + + Limit memory used by wasm/references/multitable.js on memory limited devices + https://bugs.webkit.org/show_bug.cgi?id=212437 + + Reviewed by Keith Miller. + + * tools/JSDollarVM.cpp: + (JSC::functionIsMemoryLimited): + (JSC::JSDollarVM::finishCreation): + +2020-05-27 David Kilzer + + REGRESSION: Build errors during JavaScriptCore "Generate Derived Sources" about missing Availability.h header and invalid SDKROOT [-Wmissing-sysroot] + + + Unreviewed build fix. + + * Scripts/generate-derived-sources.sh: Pass SDKROOT to `make` + command from the current environment. + +2020-05-27 Mark Lam + + Add missing #include for when LLINT_TRACING is enabled. + https://bugs.webkit.org/show_bug.cgi?id=212433 + + Reviewed by Tadeu Zagallo. + + * llint/LLIntExceptions.cpp: + +2020-05-27 Devin Rousso + + Web Inspector: replace `featureGuard` and `availability` with a combined `condition` that accepts any macro + https://bugs.webkit.org/show_bug.cgi?id=210014 + + Reviewed by Brian Burg. 
+
+ Previously, the generated InspectorBackendCommands.js would include code for things that the
+ backend doesn't actually support. By using actual macros and preprocessing that file, we can
+ ensure that the frontend doesn't incorrectly think that something is supported by the page
+ being inspected:
+ - the `Canvas` commands and events related to shader programs/pipelines should only exist
+ when the corresponding context type exists, namely `ENABLE(WEBGL)` and `ENABLE(WEBGPU)`.
+ - iOS doesn't support showing rulers, so create a variant of `DOM.setInspectModeEnabled`
+ that only exists for `PLATFORM(IOS_FAMILY)` that doesn't have the `showRulers` optional
+ parameter, as well as removing `Page.setShowRulers` entirely.
+ - setting the forced appearance should only be possible if dark mode is supported.
+ - web archives only exist if CF is used.
+
+ * inspector/protocol/CPUProfiler.json:
+ * inspector/protocol/Canvas.json:
+ * inspector/protocol/DOM.json:
+ * inspector/protocol/IndexedDB.json:
+ * inspector/protocol/Inspector.json:
+ * inspector/protocol/Memory.json:
+ * inspector/protocol/Page.json:
+ * inspector/protocol/ServiceWorker.json:
+
+ * Scripts/generate-derived-sources.sh:
+ Set `CC` if it hasn't already been set.
+
+ * DerivedSources.make:
+ * DerivedSources-input.xcfilelist:
+ Preprocess `InspectorBackendCommands.js.in` to get an accurate `InspectorBackendCommands.js`
+ that follows the logic/description above.
+
+ * CMakeLists.txt:
+ Create a new `InspectorBackendCommands` target now that `InspectorBackendCommands.js` is
+ generated seprately from the rest of the protocol files.
+
+ * Configurations/FeatureDefines.xcconfig:
+ Add `ENABLE_WEB_ARCHIVE` since it's always enabled in wtf/PlatformEnableCocoa.h.
+
+ * inspector/scripts/generate-inspector-protocol-bindings.py:
+ (generate_from_specification):
+ (generate_from_specification.load_specification):
+ * inspector/scripts/codegen/generator.py:
+ (Generator.__init__):
+ (Generator.model):
+ (Generator.set_generator_setting):
+ (Generator.type_declarations_for_domain):
+ (Generator.commands_for_domain):
+ (Generator.events_for_domain):
+ (Generator.wrap_with_guard_for_condition): Added.
+ (Generator.platform): Deleted.
+ (Generator.can_generate_platform): Deleted.
+ (Generator.wrap_with_guard_for_domain): Deleted.
+ (Generator.wrap_with_guard): Deleted.
+ * inspector/scripts/codegen/models.py:
+ (Frameworks):
+ (Protocol.parse_domain):
+ (Protocol.parse_type_declaration):
+ (Protocol.parse_command):
+ (Protocol.parse_event):
+ (Domain.__init__):
+ (TypeDeclaration.__init__):
+ (Command.__init__):
+ (Event.__init__):
+ (Platform): Deleted.
+ (Platform.__init__): Deleted.
+ (Platform.fromString): Deleted.
+ (Platforms): Deleted.
+ (Platforms.__metaclass__): Deleted.
+ (Platforms.__metaclass__.__iter__): Deleted.
+ * inspector/scripts/codegen/generator_templates.py:
+ Remove `platform` as it is handled by `condition`.
+
+ * inspector/scripts/codegen/preprocess.pl: Copied from Source/WebCore/bindings/scripts/preprocessor.pm.
+
+ * inspector/scripts/codegen/generate_js_backend_commands.py:
+ (JSBackendCommandsGenerator.output_filename):
+ (JSBackendCommandsGenerator.generate_domain):
+ Output to `InspectorBackendCommands.js.in` that includes `#if` for preprocessing.
+
+ * inspector/scripts/codegen/cpp_generator_templates.py:
+ * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
+ (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
+ (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
+ (CppAlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
+ (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
+ (CppBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
+ (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
+ (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
+ (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
+ (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
+ (CppBackendDispatcherImplementationGenerator.generate_output):
+ (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
+ * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
+ (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
+ (CppFrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
+ * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
+ (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
+ (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ (CppProtocolTypesHeaderGenerator._generate_versions):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
+ (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain.generate_conversion_method_body):
+ (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
+ (CppProtocolTypesImplementationGenerator._generate_open_field_names):
+ (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
+ * inspector/scripts/codegen/objc_generator_templates.py:
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
+ (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
+ (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
+ (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_domain):
+ (ObjCBackendDispatcherImplementationGenerator._generate_handler_implementation_for_command):
+ * inspector/scripts/codegen/generate_objc_header.py:
+ (add_newline):
+ (ObjCHeaderGenerator.generate_output):
+ (ObjCHeaderGenerator._generate_forward_declarations):
+ (ObjCHeaderGenerator._generate_enums):
+ (ObjCHeaderGenerator._generate_types):
+ (ObjCHeaderGenerator._generate_type_interface):
+ (ObjCHeaderGenerator._generate_command_protocols):
+ (ObjCHeaderGenerator._generate_single_command_protocol):
+ (ObjCHeaderGenerator._generate_event_interfaces):
+ (ObjCHeaderGenerator._generate_single_event_interface):
+ (ObjCHeaderGenerator._generate_enum_for_platforms): Deleted.
+ * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
+ (add_newline):
+ (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
+ (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_functions):
+ (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_for_platforms): Deleted.
+ * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
+ (add_newline):
+ (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
+ (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_declaration):
+ (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
+ (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_implementation):
+ * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
+ (add_newline):
+ (ObjCProtocolTypesImplementationGenerator.generate_type_implementations):
+ (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
+ Wrap each domain, type, command, and event with the associated `condition` (if it exists).
+
+ * inspector/scripts/tests/command-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/command-targetType-matching-domain-debuggableType.json.
+ * inspector/scripts/tests/commands-with-async-attribute.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/commands-with-async-attribute.json.
+ * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/commands-with-optional-call-return-parameters.json.
+ * inspector/scripts/tests/definitions-with-mac-platform.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/mac/definitions-with-mac-platform.json.
+ * inspector/scripts/tests/domain-debuggableTypes.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/domain-debuggableTypes.json.
+ * inspector/scripts/tests/domain-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/domain-targetType-matching-domain-debuggableType.json.
+ * inspector/scripts/tests/domain-targetTypes.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/domain-targetTypes.json.
+ * inspector/scripts/tests/domains-with-varying-command-sizes.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/domains-with-varying-command-sizes.json.
+ * inspector/scripts/tests/enum-values.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/enum-values.json.
+ * inspector/scripts/tests/event-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/event-targetType-matching-domain-debuggableType.json.
+ * inspector/scripts/tests/events-with-optional-parameters.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/events-with-optional-parameters.json.
+ * inspector/scripts/tests/expected/command-targetType-matching-domain-debuggableType.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/command-targetType-matching-domain-debuggableType.json-result.
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result.
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result.
+ * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result.
+ * inspector/scripts/tests/expected/domain-debuggableTypes.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/domain-debuggableTypes.json-result.
+ * inspector/scripts/tests/expected/domain-targetType-matching-domain-debuggableType.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/domain-targetType-matching-domain-debuggableType.json-result.
+ * inspector/scripts/tests/expected/domain-targetTypes.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/domain-targetTypes.json-result.
+ * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result.
+ * inspector/scripts/tests/expected/enum-values.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/enum-values.json-result.
+ * inspector/scripts/tests/expected/event-targetType-matching-domain-debuggableType.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/event-targetType-matching-domain-debuggableType.json-result.
+ * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result.
+ * inspector/scripts/tests/expected/fail-on-command-targetType-matching-domain-debuggableType.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-command-targetType-matching-domain-debuggableType.json-error.
+ * inspector/scripts/tests/expected/fail-on-command-targetTypes-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-command-targetTypes-type.json-error.
+ * inspector/scripts/tests/expected/fail-on-command-targetTypes-value.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-command-targetTypes-value.json-error.
+ * inspector/scripts/tests/expected/fail-on-domain-debuggableTypes-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-debuggableTypes-type.json-error.
+ * inspector/scripts/tests/expected/fail-on-domain-debuggableTypes-value.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-debuggableTypes-value.json-error.
+ * inspector/scripts/tests/expected/fail-on-domain-targetType-matching-domain-debuggableType.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-targetType-matching-domain-debuggableType.json-error.
+ * inspector/scripts/tests/expected/fail-on-domain-targetTypes-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-targetTypes-type.json-error.
+ * inspector/scripts/tests/expected/fail-on-domain-targetTypes-value.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-domain-targetTypes-value.json-error.
+ * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-command-call-parameter-names.json-error.
+ * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-command-return-parameter-names.json-error.
+ * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-event-parameter-names.json-error.
+ * inspector/scripts/tests/expected/fail-on-duplicate-type-declarations.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-type-declarations.json-error.
+ * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-duplicate-type-member-names.json-error.
+ * inspector/scripts/tests/expected/fail-on-enum-with-no-values.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-enum-with-no-values.json-error.
+ * inspector/scripts/tests/expected/fail-on-event-targetType-matching-domain-debuggableType.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-event-targetType-matching-domain-debuggableType.json-error.
+ * inspector/scripts/tests/expected/fail-on-event-targetTypes-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-event-targetTypes-type.json-error.
+ * inspector/scripts/tests/expected/fail-on-event-targetTypes-value.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-event-targetTypes-value.json-error.
+ * inspector/scripts/tests/expected/fail-on-number-typed-optional-parameter-flag.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-number-typed-optional-parameter-flag.json-error.
+ * inspector/scripts/tests/expected/fail-on-number-typed-optional-type-member.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-number-typed-optional-type-member.json-error.
+ * inspector/scripts/tests/expected/fail-on-string-typed-optional-parameter-flag.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-string-typed-optional-parameter-flag.json-error.
+ * inspector/scripts/tests/expected/fail-on-string-typed-optional-type-member.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-string-typed-optional-type-member.json-error.
+ * inspector/scripts/tests/expected/fail-on-type-declaration-using-type-reference.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-type-declaration-using-type-reference.json-error.
+ * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-type-reference-as-primitive-type.json-error.
+ * inspector/scripts/tests/expected/fail-on-type-with-lowercase-name.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-type-with-lowercase-name.json-error.
+ * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-unknown-type-reference-in-type-declaration.json-error.
+ * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-member.json-error: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/fail-on-unknown-type-reference-in-type-member.json-error.
+ * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result.
+ * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result.
+ * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result.
+ * inspector/scripts/tests/expected/should-strip-comments.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/should-strip-comments.json-result.
+ * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result.
+ * inspector/scripts/tests/expected/type-declaration-array-type.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result.
+ * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result.
+ * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result.
+ * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result.
+ * inspector/scripts/tests/expected/type-with-open-parameters.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result.
+ * inspector/scripts/tests/expected/version.json-result: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/expected/version.json-result.
+ * inspector/scripts/tests/fail-on-command-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-command-targetType-matching-domain-debuggableType.json.
+ * inspector/scripts/tests/fail-on-command-targetTypes-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-command-targetTypes-type.json. + * inspector/scripts/tests/fail-on-command-targetTypes-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-command-targetTypes-value.json. + * inspector/scripts/tests/fail-on-domain-debuggableTypes-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-debuggableTypes-type.json. + * inspector/scripts/tests/fail-on-domain-debuggableTypes-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-debuggableTypes-value.json. + * inspector/scripts/tests/fail-on-domain-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-targetType-matching-domain-debuggableType.json. + * inspector/scripts/tests/fail-on-domain-targetTypes-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-targetTypes-type.json. + * inspector/scripts/tests/fail-on-domain-targetTypes-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-targetTypes-value.json. + * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-command-call-parameter-names.json. + * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-command-return-parameter-names.json. + * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-event-parameter-names.json. 
+ * inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-type-declarations.json. + * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-duplicate-type-member-names.json. + * inspector/scripts/tests/fail-on-enum-with-no-values.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-enum-with-no-values.json. + * inspector/scripts/tests/fail-on-event-targetType-matching-domain-debuggableType.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-event-targetType-matching-domain-debuggableType.json. + * inspector/scripts/tests/fail-on-event-targetTypes-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-event-targetTypes-type.json. + * inspector/scripts/tests/fail-on-event-targetTypes-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-event-targetTypes-value.json. + * inspector/scripts/tests/fail-on-number-typed-optional-parameter-flag.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-number-typed-optional-parameter-flag.json. + * inspector/scripts/tests/fail-on-number-typed-optional-type-member.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-number-typed-optional-type-member.json. + * inspector/scripts/tests/fail-on-string-typed-optional-parameter-flag.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-string-typed-optional-parameter-flag.json. + * inspector/scripts/tests/fail-on-string-typed-optional-type-member.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-string-typed-optional-type-member.json. 
+ * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-type-declaration-using-type-reference.json. + * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-type-reference-as-primitive-type.json. + * inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-type-with-lowercase-name.json. + * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-unknown-type-reference-in-type-declaration.json. + * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-unknown-type-reference-in-type-member.json. + * inspector/scripts/tests/generate-domains-with-feature-guards.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/generate-domains-with-feature-guards.json. + * inspector/scripts/tests/same-type-id-different-domain.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/same-type-id-different-domain.json. + * inspector/scripts/tests/shadowed-optional-type-setters.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/shadowed-optional-type-setters.json. + * inspector/scripts/tests/should-strip-comments.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/should-strip-comments.json. + * inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-declaration-aliased-primitive-type.json. + * inspector/scripts/tests/type-declaration-array-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-declaration-array-type.json. 
+ * inspector/scripts/tests/type-declaration-enum-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-declaration-enum-type.json. + * inspector/scripts/tests/type-declaration-object-type.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-declaration-object-type.json. + * inspector/scripts/tests/type-requiring-runtime-casts.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-requiring-runtime-casts.json. + * inspector/scripts/tests/type-with-open-parameters.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/type-with-open-parameters.json. + * inspector/scripts/tests/version.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/version.json. + * inspector/scripts/tests/generic/definitions-with-mac-platform.json: Removed. + * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: Removed. + * inspector/scripts/tests/generic/fail-on-command-with-invalid-platform.json: Removed. + * inspector/scripts/tests/generic/expected/fail-on-command-with-invalid-platform.json-error: Removed. + * inspector/scripts/tests/generic/fail-on-type-with-invalid-platform.json: Removed. + * inspector/scripts/tests/generic/expected/fail-on-type-with-invalid-platform.json-error: Removed. + * inspector/scripts/tests/ios/definitions-with-mac-platform.json: Removed. + * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: Removed. + * inspector/scripts/tests/all/definitions-with-mac-platform.json: Removed. + * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: Removed. + Don't separate the inspector generator tests by platform. + +2020-05-27 Keith Miller + + in_structure_property needs to handle constants on the RHS of the "in" + https://bugs.webkit.org/show_bug.cgi?id=212399 + + Reviewed by Saam Barati. 
+ + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + +2020-05-27 Keith Rollin + + Enable the use of XCBuild by default in Apple builds + https://bugs.webkit.org/show_bug.cgi?id=209890 + + + Unreviewed build fix. Check the value of XCODE_VERSION_ACTUAL rather + than XCODE_VERSION_MAJOR when determining whether to use the XCBuild + or non-XCBuild method of running header post-processing scripts. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-05-26 Mark Lam + + Add some new emitters to the X86_64 and ARM64 MacroAssemblers. + https://bugs.webkit.org/show_bug.cgi?id=212385 + + Reviewed by Robin Morisset. + + This patch adds these MacroAssembler emitters: + clearBit64 + clearBits64WithMask + countTrailingZeros64WithoutNullCheck + + clearBit64 clears a bit. + + clearBits64WithMask does the equivalent of and64 with the 1's complement of the + provided mask. + + countTrailingZeros64WithoutNullCheck does the same thing as countTrailingZeros64, + except that it assumes that the word in the register it is processing will never + be null, and therefore skips the null check. This is useful in code generation + that already does a null check ahead of time. So, there's no need to do a + redundant null check. + + Also added testmasm tests for these emitters. 
+ + * assembler/AbortReason.h: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::clearBit64): + (JSC::MacroAssemblerARM64::clearBits64WithMask): + (JSC::MacroAssemblerARM64::countTrailingZeros64WithoutNullCheck): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::countTrailingZeros64WithoutNullCheck): + (JSC::MacroAssemblerX86_64::clearBit64): + (JSC::MacroAssemblerX86_64::clearBits64WithMask): + * assembler/X86Assembler.h: + (JSC::X86Assembler::btrq_rr): + * assembler/testmasm.cpp: + (JSC::testClearBit64): + (JSC::testClearBits64WithMask): + (JSC::testClearBits64WithMaskTernary): + (JSC::testCountTrailingZeros64Impl): + (JSC::testCountTrailingZeros64): + (JSC::testCountTrailingZeros64WithoutNullCheck): + (JSC::run): + +2020-05-26 Yoshiaki JITSUKAWA + + [PlayStation] Enable RemoteWebInspector + https://bugs.webkit.org/show_bug.cgi?id=212312 + + Reviewed by Don Olmstead. + + * API/JSRemoteInspectorServer.cpp: + Fix compile error. + * PlatformPlayStation.cmake: + Add JSRemoteInspectorServer.h to the public header list. + * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: + Set PlayStation specific socket option. + +2020-05-26 Alexey Shvayka + + IteratorClose should suppress GetMethod errors + https://bugs.webkit.org/show_bug.cgi?id=212378 + + Reviewed by Keith Miller. + + This patch implements recent spec change [1] that prevents "return" method lookup error + from overriding outer exception, aligning JSC with V8 and SpiderMonkey. + + It is accomplished by moving pushTry() before emitGetById() in BytecodeGenerator.cpp + (covered by test262 suite) and removal of RETURN_IF_EXCEPTION in IteratorOperations.cpp + (added a stress test). + + Before this patch, JSC partly implemented the spec change [1] by suppressing TypeError + if "return" method of iterator was not callable. + + BytecodeGenerator::emitDelegateYield() is intentionally left unchanged. 
+ Also, this patch utilizes emitIteratorGenericClose() to avoid code duplication. + for/of microbenchmarks are neutral. + + [1]: https://github.com/tc39/ecma262/pull/1408 + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitGenericEnumeration): + (JSC::BytecodeGenerator::emitEnumeration): + * runtime/IteratorOperations.cpp: + (JSC::iteratorClose): + +2020-05-26 Mark Lam + + SamplingProfiler::takeSample() should not assume that ENABLE(WEBASSEMBLY) means Wasm is enabled. + https://bugs.webkit.org/show_bug.cgi?id=212382 + + Reviewed by Saam Barati. + + Wasm can still be disabled at runtime with JSC options. Fixing this will allow + sampling profiler tests to run with JSC_useJIT=0 without crashing. + + * runtime/SamplingProfiler.cpp: + (JSC::FrameWalker::FrameWalker): + (JSC::FrameWalker::recordJITFrame): + (JSC::CFrameWalker::CFrameWalker): + (JSC::SamplingProfiler::takeSample): + +2020-05-26 Keith Rollin + + Enable the use of XCBuild by default in Apple builds + https://bugs.webkit.org/show_bug.cgi?id=209890 + + + Reviewed by Darin Adler. + + Switch from the "legacy" Xcode build system to the "new" build system + (also known as "XCBuild"). Switching to the new system speeds up + builds by a small percentage, better validates projects for + build-related issues (such as dependency cycles), lets WebKit benefit + from future improvements in XCBuild such as those coming from the + underlying llbuild open source project, and prepares us for any other + tools built for this new ecosystem. + + Specific changes: + + - Remove Xcode project and workspace settings that selected the Build + system, allowing the default to take hold (which is currently the + New build system). + - Updated webkitdirs.pm with a terser check for Xcode version. + - Update build-webkit and Makefile.shared to be explicit when using + the old build system (no longer treat it as a default or fall-back + configuration). 
+ - Update various xcconfig files similarly to treat the default as + using the new build system. + - Update various post-processing build steps to check for Xcode 11.4 + and to no longer treat the default as using the old build system. + + * Configurations/JavaScriptCore.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-05-23 Paulo Matos + + Fix non-unified builds for x86_64 + https://bugs.webkit.org/show_bug.cgi?id=212297 + + Reviewed by Adrian Perez de Castro. + + * b3/B3BasicBlock.cpp: + * b3/B3CaseCollection.cpp: + * b3/B3DuplicateTails.cpp: + * b3/B3EnsureLoopPreHeaders.cpp: + * b3/B3FenceValue.cpp: + * b3/B3HoistLoopInvariantValues.cpp: + * b3/B3LegalizeMemoryOffsets.cpp: + * b3/B3LowerMacrosAfterOptimizations.cpp: + * b3/B3LowerToAir.cpp: + * b3/B3MathExtras.cpp: + * b3/B3MemoryValue.cpp: + * b3/B3Procedure.cpp: + * b3/B3StackmapValue.cpp: + * b3/B3SwitchValue.cpp: + * b3/B3UseCounts.cpp: + * b3/B3Validate.cpp: + * b3/B3VariableValue.cpp: + * b3/B3WasmAddressValue.cpp: + * b3/B3WasmBoundsCheckValue.cpp: + * ftl/FTLCommonValues.cpp: + * ftl/FTLCompile.cpp: + * ftl/FTLOSREntry.cpp: + * ftl/FTLOSRExitCompiler.cpp: + * wasm/WasmInstance.cpp: + * wasm/WasmStreamingParser.cpp: + * wasm/js/JSToWasm.cpp: + * wasm/js/JSToWasmICCallee.cpp: + * wasm/js/JSWebAssembly.cpp: + * wasm/js/JSWebAssemblyCodeBlock.cpp: + * wasm/js/WebAssemblyCompileErrorConstructor.cpp: + * wasm/js/WebAssemblyCompileErrorPrototype.cpp: + * wasm/js/WebAssemblyFunction.cpp: + * wasm/js/WebAssemblyFunctionBase.cpp: + * wasm/js/WebAssemblyGlobalPrototype.cpp: + * wasm/js/WebAssemblyInstanceConstructor.cpp: + * wasm/js/WebAssemblyInstancePrototype.cpp: + * wasm/js/WebAssemblyLinkErrorConstructor.cpp: + * wasm/js/WebAssemblyLinkErrorPrototype.cpp: + * wasm/js/WebAssemblyMemoryConstructor.cpp: + * wasm/js/WebAssemblyMemoryPrototype.cpp: + * wasm/js/WebAssemblyModuleConstructor.cpp: + * wasm/js/WebAssemblyModulePrototype.cpp: + * wasm/js/WebAssemblyModuleRecord.cpp: + * 
wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: + * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: + * wasm/js/WebAssemblyTableConstructor.cpp: + * wasm/js/WebAssemblyTablePrototype.cpp: + +2020-05-22 Yoshiaki JITSUKAWA + + [PlayStation] Enable JSC shell to run + https://bugs.webkit.org/show_bug.cgi?id=212294 + + Reviewed by Ross Kirsling. + + * shell/PlatformPlayStation.cmake: + Set working directory for Visual Studio + * shell/playstation/Initializer.cpp: + Load libJavaScriptCore as we now build it as SHARED. + +2020-05-22 Alexey Shvayka + + Array.prototype.splice doesn't set "length" of returned object + https://bugs.webkit.org/show_bug.cgi?id=212285 + + Reviewed by Darin Adler. + + This change implements step 12 of Array.prototype.splice [1], which is observable + if result object is not JSArray, aligning JSC with V8 and SpiderMonkey. + + Only slow path of splice() is affected by this patch; zero-argument case already + performs setLength(). Microbenchmarks are neutral. + + [1]: https://tc39.es/ecma262/#sec-array.prototype.splice + + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncSplice): + +2020-05-22 Saam Barati + + in_by_val inside structure property for-in loop should use an opcode like has_structure_property but for "in" + https://bugs.webkit.org/show_bug.cgi?id=212239 + + Reviewed by Tadeu Zagallo. + + There is code inside Speedometer 2 that is like: + + ``` + for (let p in o) { + if (p in o2) + ... + } + ``` + + Where o and o2 frequently share the same structure. Elm does this when it's + diffing two objects. We already optimize o2[p] (get_by_val) in the above loop + for structure properties. This patch adds that same optimization for in_by_val. + Because we already emit a "structure" loop for for-in, where we iterate structure + properties, the fast path for the above, where o and o2 have the same + structure is simply a structure check followed by return true. + + This patch introduces the new opcode: op_in_structure_property. 
Its fast path is identical + to op_has_structure_property. Its slow path, however, behaves like "in", which + uses the HasProperty internal method, unlike op_has_structure_property, + which uses the GetOwnProperty internal method. This behavior difference is + observable using Proxy. + + This a 5% perf improvement in the Elm subtest in Speedometer 2. + + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitInByVal): + (JSC::rewriteOp): + (JSC::StructureForInContext::finalize): + * bytecompiler/BytecodeGenerator.h: + (JSC::StructureForInContext::addInInst): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileInStructureProperty): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileHasStructurePropertyImpl): + (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): + (JSC::FTL::DFG::LowerDFGToB3::compileInStructureProperty): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * 
jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_in_structure_property): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_in_structure_property): + * llint/LLIntOffsetsExtractor.cpp: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/JSObject.cpp: + (JSC::JSObject::hasPropertyGeneric const): + * runtime/JSPropertyNameEnumerator.h: + +2020-05-22 Keith Miller + + Checkpoint inlined call return handler needs an exception check when dispatching + https://bugs.webkit.org/show_bug.cgi?id=212104 + + Reviewed by Yusuke Suzuki. + + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::dispatchToNextInstruction): + (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call): + (JSC::LLInt::slow_path_checkpoint_osr_exit): + +2020-05-22 Paulo Matos + + Fix non-unified builds for i386 build + https://bugs.webkit.org/show_bug.cgi?id=212258 + + Reviewed by Adrian Perez de Castro. + + * API/JSContextRef.cpp: + * bytecode/IntrinsicGetterAccessCase.cpp: + * inspector/InjectedScriptHost.cpp: + * llint/LLIntData.cpp: + * llint/LLIntThunks.cpp: + * runtime/Exception.cpp: + * runtime/ExecutableBase.cpp: + * runtime/JSBigInt.cpp: + * runtime/JSInternalPromiseConstructor.cpp: + * runtime/JSString.cpp: + * runtime/ScopedArgumentsTable.cpp: + * runtime/ScriptExecutable.cpp: + * runtime/SparseArrayValueMap.cpp: + * runtime/StructureRareData.cpp: + +2020-05-22 Paulo Matos + + Fix typo in JSCVirtualMachine documentation + + Unreviewed Typo Fix. + + * API/glib/JSCVirtualMachine.cpp: + +2020-05-21 Robin Morisset + + Various compile-time boolean flags could/should be marked constexpr + https://bugs.webkit.org/show_bug.cgi?id=212244 + + Reviewed by Mark Lam. + + This trivial patch saves roughly 16kB from the JavaScriptCore binary in release mode. 
+ + * b3/B3OptimizeAssociativeExpressionTrees.cpp: + * b3/air/AirAllocateRegistersByGraphColoring.cpp: + * b3/air/AirSimplifyCFG.cpp: + (JSC::B3::Air::simplifyCFG): + * b3/air/AirTmpWidth.cpp: + (JSC::B3::Air::TmpWidth::recompute): + * dfg/DFGPredictionPropagationPhase.cpp: + * heap/GCIncomingRefCountedInlines.h: + (JSC::GCIncomingRefCounted::filterIncomingReferences): + * heap/Heap.cpp: + (JSC::Heap::updateAllocationLimits): + * wasm/WasmEntryPlan.cpp: + +2020-05-21 Robin Morisset + + Remove AssemblerBufferWithConstantPool.h (as it has been dead for years) + https://bugs.webkit.org/show_bug.cgi?id=212241 + + Reviewed by Yusuke Suzuki. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/AssemblerBufferWithConstantPool.h: Removed. + +2020-05-21 Alexey Shvayka + + Use @isUndefinedOrNull instead of abstract equality with null + https://bugs.webkit.org/show_bug.cgi?id=210954 + + Reviewed by Yusuke Suzuki. + + This patch: + + a) Replaces 2 `!== @undefined` comparisons in String.prototype.{replace,replaceAll} + with @isUndefinedOrNull() as per spec [1], aligning JSC with V8 and SpiderMonkey. + + b) Replaces 3 `!= @undefined` and 7 `!= null` comparisons with @isUndefinedOrNull() + as only the latter is correct with [[IsHTMLDDA]] aka MasqueradesAsUndefined objects [2]. + + c) Removes @isDictionary() since it is unused, easy to inline and its name is quite + misleading: one might expect it to perform Structure::isDictionary(). + + [1]: https://tc39.es/ecma262/#sec-getmethod (step 3) + [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot + + * builtins/ArrayConstructor.js: + * builtins/GlobalOperations.js: + (globalPrivate.isDictionary): Deleted. + * builtins/RegExpPrototype.js: + (Symbol.split): Unobservable as there is `=== null` check in @regExpExec. 
+ * builtins/StringPrototype.js: + (match): + (replace): + (replaceAll): + (search): + (split): + * builtins/TypedArrayConstructor.js: + +2020-05-21 Saam Barati + + Add an option that exposes functions on the global object to turn on and off the sampling profiler and the super sampler + https://bugs.webkit.org/show_bug.cgi?id=212178 + + Reviewed by Yusuke Suzuki. + + When profiling things like Speedometer inside the browser, it's important to + to only enable the super sampler and the sampling profiler around the code + that you want profiled. Otherwise, you will be profiling things that aren't + relevant to the benchmark score. This patch adds a new option, exposeProfilersOnGlobalObject, + which when true, will expose JS functions on the global object that allow + enabling/disabling the super sampler and the sampling profiler. This way, + we can change the Speedometer source code locally such that these profilers + are only sampling code accounted for in the benchmark score. + + * bytecode/SuperSampler.cpp: + (JSC::initializeSuperSampler): + (JSC::enableSuperSampler): + (JSC::disableSuperSampler): + * bytecode/SuperSampler.h: + * jsc.cpp: + (jscmain): + * runtime/JSGlobalObject.cpp: + (JSC::enableSamplingProfiler): + (JSC::disableSamplingProfiler): + (JSC::enableSuperSampler): + (JSC::disableSuperSampler): + (JSC::JSGlobalObject::init): + * runtime/OptionsList.h: + +2020-05-21 Yusuke Suzuki + + [JSC] Fix 32bit JSBigInt with INT32_MAX < x <= UINT32_MAX + https://bugs.webkit.org/show_bug.cgi?id=212193 + + Reviewed by Mark Lam. + + In 32bit architecture, we are creating one-length JSBigInt for INT32_MIN <= x <= INT32_MAX, and two-length JSBigInt otherwise. + This is wrong since one-length JSBigInt should cover from -UINT32_MAX <= x <= UINT32_MAX. + + This patch fixes the bug and cleans up createFrom(VM&, int64_t). 
And it also adds JSBigInt::createFrom(VM&, uint64_t) in preparation for [1] + Currently, this path is not used while it was used previously because BigIntConstructor starts using JSBigInt::createFrom(VM&, double). But this + will be used in [1], and simply the existing implementation is wrong. + + [1]: https://bugs.webkit.org/show_bug.cgi?id=190800 + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::createFromImpl): + (JSC::JSBigInt::createFrom): + * runtime/JSBigInt.h: + +2020-05-21 Paulo Matos + + Further non-unified build fixes + https://bugs.webkit.org/show_bug.cgi?id=212195 + + Reviewed by Adrian Perez de Castro. + + * bytecode/InstanceOfStatus.cpp: + * heap/MarkedSpace.cpp: + * runtime/ObjectInitializationScope.cpp: + * runtime/ThrowScope.cpp: + +2020-05-21 Alexey Shvayka + + Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1 + https://bugs.webkit.org/show_bug.cgi?id=212167 + + Reviewed by Saam Barati. + + This patch increases "length" limit of Array.prototype.concat result to @MAX_SAFE_INTEGER + and changes thrown error to TypeError, aligning JSC with the spec [1], V8, and SpiderMonkey. + + Also, adds missing @MAX_SAFE_INTEGER overflow check in Array.from [2] (we implement similar + checks in other methods). SunSpider and microbenchmarks/concat-append-one.js are both neutral. + + [1]: https://tc39.es/ecma262/#sec-array.prototype.concat (steps 5.c.iii, 5.d.ii) + [2]: https://tc39.es/ecma262/#sec-array.from (step 5.e.i) + + * builtins/ArrayConstructor.js: + (from): + * builtins/ArrayPrototype.js: + (globalPrivate.concatSlowPath): + +2020-05-20 Michael Saboff + + [Wasm] Limit the size of Wasm function we optimize in OMG mode + https://bugs.webkit.org/show_bug.cgi?id=212105 + + Reviewed by Filip Pizlo. + + Given that memory grows O(N^2) compiling Wasm code through the OMG path, + we can run out of memory when compiling large Wasm functions. 
This change adds + a limit option, webAssemblyBBQFallbackSize, When the Wasm function size is + equal to or greater than this limit we always compile using BBQ optimization + parameters. + + As part of this change, we still go through the OMG loop entry OSR code + generation path for functions that are at or above the threshold, but we + compile such functions with BBQ compilation optimization levels. + Also for Wasm functions at or above the threashold, we don't tier up to an + OMG compiled normal entry function. Instead we stay with the BBQ compiled version. + + * runtime/OptionsList.h: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::AirIRGenerator): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::parseAndCompile): + * wasm/WasmCompilationMode.cpp: + (JSC::Wasm::wasmFunctionSizeCanBeOMGCompiled): + * wasm/WasmCompilationMode.h: + * wasm/WasmOperations.cpp: + (JSC::Wasm::operationWasmTriggerOSREntryNow): + +2020-05-19 Ross Kirsling + + REGRESSION(r261755): Win/Linux non-unified builds have hundreds of link failures + https://bugs.webkit.org/show_bug.cgi?id=212111 + + Unreviewed build fix. + + * API/: + * bindings/: + * bytecode/: + * bytecompiler/NodesCodegen.cpp: + * debugger/: + * dfg/: + * heap/: + * inspector/: + * interpreter/: + * jit/: + * llint/LLIntEntrypoint.cpp: + * parser/: + * profiler/: + * runtime/: + Restore *Inlines.h includes for >300 files, + but try to preserve the spirit of the original patch by pruning redundancies along the way. + +2020-05-19 Mark Lam + + Put PtrTagLookup data structures in Configs for freezing. + https://bugs.webkit.org/show_bug.cgi?id=212089 + + + Reviewed by Robin Morisset. + + PtrTagLookup data structures were always meant to only be initialized once at + initialization time and never modified thereafter. This patch puts them in the + Configs for freezing to document and enforce this invariant. 
+ + * runtime/JSCConfig.h: + * runtime/JSCPtrTag.cpp: + (JSC::initializePtrTagLookup): + +2020-05-19 Youenn Fablet + + [ Mac wk1 Debug ] imported/w3c/web-platform-tests/fetch/api/basic/stream-safe-creation.any.html is flaky crashing with alerts - WTFCrashWithInfo - SC::JSObject::get(JSC::JSGlobalObject*, JSC::PropertyName) + https://bugs.webkit.org/show_bug.cgi?id=211923 + + + Reviewed by Mark Lam. + + * runtime/JSObject.h: + (JSC::JSObject::get const): + When calling get, a terminate exception might happen if running in workers. + Return early in that case. Add an ASSERT that only terminated exceptions can actually happen. + +2020-05-18 Andy Estes + + http/tests/ssl/applepay/ApplePayInstallmentConfiguration.https.html fails in public SDK builds + https://bugs.webkit.org/show_bug.cgi?id=212000 + + + Reviewed by Youenn Fablet. + + * Configurations/FeatureDefines.xcconfig: + +2020-05-18 Saam Barati + + Do more speculation that a GetByVal/PutByVal will have an int32 index based on data from ArrayProfile + https://bugs.webkit.org/show_bug.cgi?id=211877 + + Reviewed by Yusuke Suzuki. + + Before this patch, when a GetByVal or PutByVal had a non int32 prediction for + their incoming index, they'd fall completely off the fast path. However, there + are programs where an int32 is boxed inside a double, but our notion of + predicted types don't fully capture this fact. For example, if we have a double Add + to produce an array index, that double Add will predict a full double result, + not a SpecAnyIntAsDouble. However, for GetByVal and PutByVal, there is information + from ArrayProfile we can use to determine if the incoming value is expected to + be in int32 range. 
The heuristic this patch introduces is: + + isFullNumberSpeculation(indexSpeculation) + && node->arrayMode().isSpecific() + && node->arrayMode().isInBounds() + && !m_graph.hasExitSite(node->origin.semantic, Overflow) // DoubleAsInt32 will exit with Overflow on failure + + If these conditions are met, we'll now emit a DoubleAsInt32 conversion node + for the index. This puts along the fast path for GetByVal and PutByVal on + array accesses where the incoming index is an int32 boxed in a double. + + To make the above isFullNumberSpeculation check more robust, this patch also + makes it so non index double accesses result in marking the array profile as + out of bounds. So this means indices greater than max safe index, and also, + fractional doubles. + + + This is a 3.75x speedup on microbenchmarks/get-and-put-by-val-double-index-dont-fall-off-a-cliff.js + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * jit/JITOperations.cpp: + (JSC::getByVal): + +2020-05-18 Yusuke Suzuki + + [JSC] BigInt peephole compare should speculate appropriately + https://bugs.webkit.org/show_bug.cgi?id=212037 + + + Reviewed by Saam Barati. + + SpeculativeJIT::nonSpeculativePeepholeBranch missed BigInt speculation. This patch renames it + to SpeculativeJIT::genericJSValuePeepholeBranch and adds speculation checks appropriately. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): + (JSC::DFG::SpeculativeJIT::genericJSValuePeepholeBranch): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted. + * dfg/DFGSpeculativeJIT.h: + +2020-05-18 Keith Miller + + OSR loop entry to iterator_next generic needs to CheckNotEmpty on m_next + https://bugs.webkit.org/show_bug.cgi?id=212001 + + Reviewed by Saam Barati. 
+ + If we happen to OSR enter into iterator_next during a for-of loop + that has only profiled a generic iterator but is actually running + a fast iterator we will incorrectly perform the Call node This + could happen if we loop_hint OSR enter the first time have seen a + fast iterator. If this happens right now, we generate the following + code: + + D@113: GetLocal(Check:Untyped:D@198, JS|MustGen|UseAsOther, Function|Empty, loc13(W~/FlushedJSValue), machine:loc10, R:Stack(loc13),Stack(loc5), bc#46, ExitValid) predicting Function|Empty + 0x4913f1806151: mov -0x58(%rbp), %rsi + D@114: FilterCallLinkStatus(Check:Untyped:D@113, MustGen, (Function: Object: 0x1053f47e0 with butterfly 0x0 (Structure 0x1053f9260:[0x6dad, Function, {}, NonArray, Proto:0x1050fc248]), StructureID: 28077; Executable: next#Ddkruz:[0x1053c0480->0x1053e4a80, BaselineFunctionCall, 54 (StrictMode)]), R:Stack(loc5), W:SideState, bc#46, ExitValid) + D@115: Call(Check:Untyped:D@113, Check:Untyped:D@110, JS|MustGen|VarArgs|UseAsOther, Final, R:World,Stack(loc5), W:Heap, ExitsForExceptions, ClobbersExit, bc#46, ExitValid) predicting Final + 0x4913f1806155: mov $0x1, 0x10(%rsp) + 0x4913f180615d: mov %rax, 0x18(%rsp) + 0x4913f1806162: mov %rsi, 0x8(%rsp) + 0x4913f1806167: mov %rax, -0xa0(%rbp) + 0x4913f180616e: mov $0x0, 0x24(%rbp) + 0x4913f1806175: mov $0x0, %r11 + 0x4913f180617f: cmp %r11, %rsi + 0x4913f1806182: jnz 0x4913f1806192 + 0x4913f1806188: call 0x4913f180618d + 0x4913f180618d: jmp 0x4913f18061ae + 0x4913f1806192: mov %rsi, %rax + 0x4913f1806195: mov $0x1050cfcb0, %rdx + 0x4913f180619f: mov $0x1052fab68, %rcx + 0x4913f18061a9: call 0x4913f1801680 + 0x4913f18061ae: lea -0xd0(%rbp), %rsp + D@116: MovHint(Check:Untyped:D@115, MustGen, tmp0, R:Stack(loc5), W:SideState, ClobbersExit, bc#46, ExitInvalid) + D@332: InvalidationPoint(MustGen, R:Stack(loc5), W:SideState, Exits, bc#46, exit: bc#46cp#1, ExitValid) + D@335: CheckStructure(Check:Cell:D@115, MustGen, [%B2:Object], 
R:Stack(loc5),JSCell_structureID, Exits, bc#46, exit: bc#46cp#1, ExitValid) + 0x4913f18061b5: test %rax, %r15 + 0x4913f18061b8: jnz 0x4913f18068db + 0x4913f18061be: cmp $0xcaae, (%rax) + 0x4913f18061c4: jnz 0x4913f18068f1 + + Loc13 in this IR is the location of the next function. Since it's + nullptr, we will pass the initial fast-path value of 0 and make a + garbage call. This is because Call does not know how to handle + empty values. Subsequently, we will fail a structure check for the + Call's result and OSR exit to the getDone checkpoint. The fix for + this is to simply put a CheckNotEmpty at the top of the generic + case. 99.9% of the time this check will be eliminated so it + doesn't really cost anything. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + +2020-05-17 Yusuke Suzuki + + Unreviewed, link fix for our internal Debug build + + * heap/AlignedMemoryAllocator.cpp: + +2020-05-17 Lauro Moura + + [JSC] Silence unused-but-set-parameter warnings for older compilers + https://bugs.webkit.org/show_bug.cgi?id=212006 + + Reviewed by Mark Lam. + + GCC up to 9.x will emit unused-but-set-parameter for the sources + parameter when NumberOfRegisters is zero (the if block is eliminated) + and for destinations when also ASSERT_ENABLED is false. + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupStubArgs): + +2020-05-16 Yusuke Suzuki + + [JSC] Make OutOfMemory error as instance of RangeError + https://bugs.webkit.org/show_bug.cgi?id=211952 + + Reviewed by Mark Lam. + + The spec sometimes requires "check parameters and throw RangeError" before allocating an object. + But we are just allocating an object and throwing an out-of-memory error since wrong parameter will + cause out-of-memory. If out-of-memory error is RangeError, then we can keep our current behavior while + we can make us spec compliant. And note that out-of-memory error is RangeError in SpiderMonkey and V8. 
+ + This patch makes out-of-memory error as RangeError instead of Error. We also fix @throwOutOfMemoryError + in builtin code: the previous thrown errors are not marked as out-of-memory error. + + * bytecode/BytecodeList.rb: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitThrowStaticError): + (JSC::BytecodeGenerator::emitThrowReferenceError): + (JSC::BytecodeGenerator::emitThrowTypeError): + (JSC::BytecodeGenerator::emitThrowRangeError): + (JSC::BytecodeGenerator::emitThrowOutOfMemoryError): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::RegExpNode::emitBytecode): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwTypeError): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwRangeError): + * dfg/DFGOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/Error.cpp: + (JSC::createError): + (JSC::createOutOfMemoryError): + * runtime/Error.h: + * runtime/ErrorType.cpp: + (JSC::errorTypeName): + (WTF::printInternal): + * runtime/ErrorType.h: We introduced ErrorTypeWithExtension separately from ErrorType to keep ErrorType one-on-one to spec-specified error types. + +2020-05-15 Yusuke Suzuki + + [JSC] getFunctionRealm should not use recursion + https://bugs.webkit.org/show_bug.cgi?id=211965 + + + Reviewed by Saam Barati. + + This patch avoids using recursion in getFunctionRealm to avoid stack-overflow. + + * runtime/InternalFunction.cpp: + (JSC::getFunctionRealm): + +2020-05-15 Keith Miller + + Unreviewed, fix internal arm64e build. + + * dfg/DFGSpeculativeJIT.cpp: + +2020-05-15 Keith Miller + + Unreviewed, fix internal fast tls build. + + * jit/AssemblyHelpers.cpp: + +2020-05-15 Ross Kirsling + + [IWYU] Remove unnecessary includes from JSC implementation files + https://bugs.webkit.org/show_bug.cgi?id=211867 + + Reviewed by Keith Miller. 
+ + * API/: + * assembler/: + * b3/: + * bindings/: + * builtins/BuiltinExecutables.cpp: + * bytecode/: + * bytecompiler/: + * debugger/: + * dfg/: + * disassembler/: + * ftl/: + * heap/: + * inspector/: + * interpreter/: + * jit/: + * jsc.cpp: + * llint/: + * parser/: + * profiler/: + * runtime/: + * testRegExp.cpp: + * tools/: + * wasm/: + * yarr/: + +2020-05-15 Michael Catanzaro + + -Wtype-limits warning spam from CCallHelpers.h + https://bugs.webkit.org/show_bug.cgi?id=211701 + + Reviewed by Darin Adler. + + Skip the problematic loops when TargetSize or NumberOfRegisters is 0 using constexpr if. + Solution suggested by Mark Lam. + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupStubArgs): + (JSC::CCallHelpers::clampArrayToSize): + +2020-05-15 Mark Lam + + Remove debugging dataLogs in LinkBuffer::copyCompactAndLinkCode() for release builds. + https://bugs.webkit.org/show_bug.cgi?id=211961 + + + Reviewed by Keith Miller. + + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + +2020-05-15 Paulo Matos + + Fix ARM NEON only assert + https://bugs.webkit.org/show_bug.cgi?id=211889 + + Reviewed by Mark Lam. + + Fix assert that breaks if ARM does not contain NEON extensions - + the register d16 is only defined if NEON exists. + + * assembler/ARMv7Assembler.h: + (JSC::RegisterNames::asSingle): + (JSC::RegisterNames::asSingleUpper): + +2020-05-14 Saam Barati + + GetByVal and PutByVal runtime operations shouldn't fall off a performance cliff when the property is an integer boxed as a double + https://bugs.webkit.org/show_bug.cgi?id=211935 + + Reviewed by Yusuke Suzuki and Mark Lam. + + There were parts in the runtime for get_by_val that weren't properly handling + ints boxed as doubles along the fast path. This could lead to terrible + performance as we could go from double -> string -> int while converting the + subscript into a property to access. 
+ + This patch fixes that, and removes the duplicate code we had throughout the + codebase that does this conversion. I'm adding a new functions tryGetAsUint32Index + and tryGetAsInt32 which will handle the double to int conversion. + + This is a 10x speedup on the microbenchmark get-and-put-by-val-double-index-dont-fall-off-a-cliff.js + + * dfg/DFGOperations.cpp: + (JSC::DFG::putByValInternal): + * jit/JITOperations.cpp: + (JSC::getByVal): + * jsc.cpp: + (functionAsDoubleNumber): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::getByVal): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::tryGetAsUint32Index): + (JSC::JSValue::tryGetAsInt32): + +2020-05-14 Devin Rousso + + [ESNext] enable logical assignment operators by default + https://bugs.webkit.org/show_bug.cgi?id=211921 + + Reviewed by Yusuke Suzuki. + + * runtime/OptionsList.h: + * parser/Lexer.cpp: + (JSC::Lexer::lexWithoutClearingLineTerminator): + Remove `useLogicalAssignmentOperators` option. + +2020-05-14 Keith Miller + + Undecided Arrays shouldn't need to be OriginalArray to covert to GetArrayLength + https://bugs.webkit.org/show_bug.cgi?id=211914 + + Reviewed by Saam Barati. + + Also, fix a bug that arrayModesThatPassFiltering() can't handle + Undecided arrays. Because we can now emit a CheckArray on + Undecided AI will try to figure out what types flow out of the + check. Since Undecided was unhandled by filtering, AI will assume + bottom is the only possible value and the DFG/FTL will insert a + breakpoint, causing a crash. + + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine const): + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): + +2020-05-14 Keith Miller + + GetArrayLength should be "blessed" during Fixup phase in the DFG + https://bugs.webkit.org/show_bug.cgi?id=211540 + + Reviewed by Saam Barati. 
+ + If we got an ArrayMode during bytecode parsing for-of that expects + to be configured during Fixup, then right now we will crash on + GetArrayLength. This fixes GetArrayLength to properly call + blessArrayOperation and fixes clobberize to know that + GetArrayLength could have a ForceExit ArrayMode briefly before + being cleaned up. + + When blessing GetArrayLength we can now produce CheckArrays that + have an AnyTypedArray ArrayMode::Type. So this patch expands + CheckArray to properly handle that. To help with this we expand + branchIfType to have a starting JSType and an optional ending + JSType. Additionally, to prevent extra checks AI has been taught + to fold more ArrayModes so we should almost always avoid new + runtime checks. + + Lastly, make sure that Undecided Arrays don't fall back to generic + because GetArrayLength can't be converted to... + GetArrayLenth. Also, GetArrayLength would previously pass it's own + speculation for the speculation of the index, which logically + doesn't make sense. So this patch adds a new constant, which is + SpecInt32Only, that can be passed if a DFG node doesn't have an + index. 
+ + * assembler/testmasm.cpp: + (JSC::testBranchIfType): + (JSC::testBranchIfNotType): + (JSC::run): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::canBecomeGetArrayLength): + * dfg/DFGArrayMode.h: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::blessArrayOperation): + (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::checkArray): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfType): + (JSC::AssemblyHelpers::branchIfNotType): + * runtime/JSType.h: + +2020-05-13 Keith Miller + + iteration bytecodes need to handle osr exiting from inlined getter frames + https://bugs.webkit.org/show_bug.cgi?id=211873 + + Reviewed by Saam Barati. + + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call): + +2020-05-13 Devin Rousso + + Web Inspector: rename CSS.StyleSheetOrigin.Regular to CSS.StyleSheetOrigin.Author to match the spec + https://bugs.webkit.org/show_bug.cgi?id=211827 + + Reviewed by Timothy Hatcher. + + * inspector/protocol/CSS.json: + +2020-05-13 Yusuke Suzuki + + JSDOMWindowBase m_windowCloseWatchpoints must be Ref<> + https://bugs.webkit.org/show_bug.cgi?id=211844 + + Reviewed by Mark Lam. + + * bytecode/Watchpoint.cpp: + (JSC::InlineWatchpointSet::inflateSlow): + * bytecode/Watchpoint.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + * runtime/Structure.cpp: + (JSC::Structure::ensurePropertyReplacementWatchpointSet): + * runtime/SymbolTable.cpp: + (JSC::SymbolTableEntry::prepareToWatch): + * runtime/VM.cpp: + (JSC::VM::ensureWatchpointSetForImpureProperty): + +2020-05-13 Caio Lima + + Making 32-bits JIT build without Unified Build system + https://bugs.webkit.org/show_bug.cgi?id=211853 + + Reviewed by Adrian Perez de Castro. 
+ + This patch is moving some templates to allow non-unified builds on + 32-bits JIT configurations. + Those templates were from JITArithmetic32_64 and JITPropertyAccess32_64. + + * jit/JITArithmetic.cpp: + (JSC::JIT::emit_compareAndJump): + (JSC::JIT::emit_compareUnsignedAndJump): + (JSC::JIT::emit_compareUnsigned): + (JSC::JIT::emit_compareAndJumpSlow): + (JSC::JIT::emitBinaryDoubleOp): + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emit_compareAndJump): Deleted. + (JSC::JIT::emit_compareUnsignedAndJump): Deleted. + (JSC::JIT::emit_compareUnsigned): Deleted. + (JSC::JIT::emit_compareAndJumpSlow): Deleted. + (JSC::JIT::emitBinaryDoubleOp): Deleted. + * jit/JITOpcodes32_64.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitPutByValWithCachedId): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitPutByValWithCachedId): Deleted. + +2020-05-13 Caio Lima + + [JSC] Support delete by val/id IC on 32-bits + https://bugs.webkit.org/show_bug.cgi?id=208207 + + Reviewed by Saam Barati. + + This patch implements DeleteById and DeleteByVal IC on 32-bits JIT. It + includes both Baseline and DFG changes. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileDeleteById): + (JSC::DFG::SpeculativeJIT::compileDeleteByVal): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted. + (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted. + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted. + (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted. 
+ * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITDelByValGenerator::JITDelByValGenerator): + (JSC::JITDelByIdGenerator::JITDelByIdGenerator): + * jit/JITInlineCacheGenerator.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emit_op_del_by_val): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emit_op_del_by_val): + (JSC::JIT::emitSlow_op_del_by_val): + (JSC::JIT::emitSlow_op_del_by_id): + +2020-05-13 Saam Barati + + MovHint can see an arguments object be MovHinted to a Tmp + https://bugs.webkit.org/show_bug.cgi?id=211820 + + + Reviewed by Keith Miller. + + We had an assert that it wasn't possible to have a MovHint from an arguments + object to a Tmp. However, this is possible with for-of. There is nothing + about the current algorithm that is specific to only VirtualRegisters. The + algorithm also works over Tmps. So I've generalized the algorithm to just work + over Operand. + + * dfg/DFGVarargsForwardingPhase.cpp: + +2020-05-13 Alexey Shvayka + + Move @isConstructor checks from fast paths of Array.from and Array.of + https://bugs.webkit.org/show_bug.cgi?id=211805 + + Reviewed by Keith Miller. + + This semantically equivalent change advances provided Array.{from,of} microbenchmarks by ~60%. + + Also, this patch removes @isConstructor check from @newPromiseCapabilitySlow (that is heavily + used by Promise subclasses) since it comes right before [[Construct]], its message doesn't add + more clarity, and constructability of its argument was likely checked by @speciesConstructor. + + * builtins/ArrayConstructor.js: + (of): + (from): + * builtins/PromiseOperations.js: + (globalPrivate.newPromiseCapabilitySlow): + +2020-05-12 Alexey Shvayka + + Implement @isConstructor bytecode intrinsic and bytecode for that + https://bugs.webkit.org/show_bug.cgi?id=144093 + + Reviewed by Keith Miller. 
+ + This change replaces @isConstructor link-time-constant with bytecode intrinsic and utilizes it + in ClassExprNode::emitBytecode() according to the spec [1], aligning JSC with V8 and SpiderMonkey. + + Before this patch, we checked if "prototype" of superclass is an object, which is incorrect for + generators and bound non-constructor functions with own "prototype". + + OpIsConstructor's fast path can't be easily compiled, and it's not a hot code anyway, so instead + we reduce code bloat by just calling slow ops from DFG and FTL (if we bail out, we slow down all + @isConstructor call sites). This advances microbenchmarks/is-constructor.js by ~35%. + + [1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.f) + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * builtins/BuiltinNames.h: + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitIsConstructor): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ClassExprNode::emitBytecode): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIsConstructor): + * dfg/DFGSpeculativeJIT.h: + * 
dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileIsConstructor): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * llint/LowLevelInterpreter.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed. + * runtime/ECMAScriptSpecInternalFunctions.h: Removed. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + +2020-05-12 Robin Morisset + + Exception check for OOM is a bit too late in JSBigInt::exponentiate. + https://bugs.webkit.org/show_bug.cgi?id=211823 + + Reviewed by Mark Lam. + + We were doing multiplyImpl(...).payload.asHeapBigInt(), but multiplyImpl can return a null payload if it causes an exception. + So we must first check whether an exception was raised, and only if not can we do asHeapBigInt. + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::exponentiateImpl): + +2020-05-12 Saam Barati + + handling of Check in VarargsForwardingPhase is too pessimistic + https://bugs.webkit.org/show_bug.cgi?id=211810 + + Reviewed by Keith Miller and Filip Pizlo. + + We were treating a check, even if it wasn't on the sink candidate, + as if it could escape the candidate. That's wrong. Only checks on the + candidate have the escaping ability. + + * dfg/DFGVarargsForwardingPhase.cpp: + +2020-05-12 Keith Miller + + The bottom value set for m_value in iterator_next should be materialized after a done getter + https://bugs.webkit.org/show_bug.cgi?id=211811 + + Reviewed by Saam Barati. + + Right now, if the done getter contains control flow, then we will + have the bottom value in a different block from the + MovHint/SetLocal and we will fail to validate. 
+ + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + +2020-05-12 Ross Kirsling + + Fix existing usage of final/override/virtual in JSC and WTF + https://bugs.webkit.org/show_bug.cgi?id=211772 + + Reviewed by Darin Adler. + + * API/JSAPIWrapperObject.mm: + * API/JSManagedValue.mm: + * API/JSScriptSourceProvider.h: + * API/ObjCCallbackFunction.mm: + * API/glib/JSAPIWrapperGlobalObject.cpp: + * API/glib/JSAPIWrapperObjectGLib.cpp: + * API/glib/JSCWeakValue.cpp: + * bytecode/AccessCaseSnippetParams.cpp: + * bytecode/AccessCaseSnippetParams.h: + * bytecode/CodeBlock.cpp: + * bytecode/StructureStubClearingWatchpoint.h: + * bytecode/VariableWriteFireDetail.h: + * bytecode/Watchpoint.h: + * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h: + * dfg/DFGArrayifySlowPathGenerator.h: + * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: + * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: + * dfg/DFGSaneStringGetByValSlowPathGenerator.h: + * dfg/DFGSlowPathGenerator.h: + * dfg/DFGSnippetParams.h: + * dfg/DFGWorklist.cpp: + * ftl/FTLSnippetParams.h: + * heap/BlockDirectory.cpp: + * heap/EdenGCActivityCallback.h: + * heap/FullGCActivityCallback.h: + * heap/Heap.cpp: + * heap/Heap.h: + * heap/IncrementalSweeper.h: + * heap/IsoCellSet.cpp: + * heap/IsoCellSetInlines.h: + * heap/IsoHeapCellType.h: + * heap/IsoInlinedHeapCellType.h: + * heap/ParallelSourceAdapter.h: + * heap/StopIfNecessaryTimer.h: + * heap/Subspace.cpp: + * heap/SubspaceInlines.h: + * inspector/InjectedScript.h: + * inspector/JSGlobalObjectConsoleClient.h: + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectScriptDebugServer.h: + * inspector/JSInjectedScriptHost.cpp: + * inspector/agents/InspectorAgent.h: + * inspector/agents/InspectorScriptProfilerAgent.h: + * inspector/agents/InspectorTargetAgent.h: + * inspector/agents/JSGlobalObjectAuditAgent.h: + * inspector/agents/JSGlobalObjectDebuggerAgent.h: + * inspector/agents/JSGlobalObjectRuntimeAgent.h: + * 
inspector/augmentable/AlternateDispatchableAgent.h: + * inspector/remote/RemoteConnectionToTarget.h: + * inspector/remote/RemoteInspector.h: + * inspector/remote/socket/RemoteInspectorServer.h: + * inspector/scripts/codegen/cpp_generator_templates.py: + * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py: + * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/generic/expected/command-targetType-matching-domain-debuggableType.json-result: + * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/generic/expected/domain-debuggableTypes.json-result: + * inspector/scripts/tests/generic/expected/domain-targetType-matching-domain-debuggableType.json-result: + * inspector/scripts/tests/generic/expected/domain-targetTypes.json-result: + * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: + * inspector/scripts/tests/generic/expected/enum-values.json-result: + * inspector/scripts/tests/generic/expected/event-targetType-matching-domain-debuggableType.json-result: + * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: + * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: + * jit/JITWorklist.cpp: + * parser/Nodes.h: + * parser/SourceProvider.h: + * runtime/DataView.h: + * runtime/DoublePredictionFuzzerAgent.h: + * runtime/FileBasedFuzzerAgent.h: + * runtime/GenericTypedArrayView.h: + * runtime/JSMicrotask.cpp: + * runtime/NarrowingNumberPredictionFuzzerAgent.h: + * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: + * runtime/PredictionFileCreatingFuzzerAgent.h: + * runtime/PromiseTimer.h: + * runtime/RandomizingFuzzerAgent.h: + * runtime/RegExpCache.h: + * runtime/Structure.cpp: + * runtime/StructureRareData.cpp: + * 
runtime/VMTraps.cpp: + * runtime/WideningNumberPredictionFuzzerAgent.h: + * tools/JSDollarVM.cpp: + * wasm/WasmBBQPlan.h: + * wasm/WasmCallee.h: + * wasm/WasmLLIntPlan.h: + * wasm/WasmOMGForOSREntryPlan.h: + * wasm/WasmOMGPlan.h: + * wasm/WasmWorklist.cpp: + * yarr/YarrJIT.cpp: + +2020-05-12 Ross Kirsling + + [clang-tidy] Run modernize-use-override over JSC, then ensure as much as possible is final + https://bugs.webkit.org/show_bug.cgi?id=211743 + + Reviewed by Saam Barati. + + * API/JSScriptRef.cpp: + * b3/B3ArgumentRegValue.h: + * b3/B3AtomicValue.h: + * b3/B3CCallValue.h: + * b3/B3CheckSpecial.h: + * b3/B3CheckValue.h: + * b3/B3Const32Value.h: + * b3/B3Const64Value.h: + * b3/B3ConstDoubleValue.h: + * b3/B3ConstFloatValue.h: + * b3/B3DataSection.h: + * b3/B3ExtractValue.h: + * b3/B3FenceValue.h: + * b3/B3MemoryValue.h: + * b3/B3PatchpointSpecial.h: + * b3/B3PatchpointValue.h: + * b3/B3SlotBaseValue.h: + * b3/B3StackmapSpecial.h: + * b3/B3StackmapValue.h: + * b3/B3SwitchValue.h: + * b3/B3UpsilonValue.h: + * b3/B3VariableValue.h: + * b3/B3WasmAddressValue.h: + * b3/B3WasmBoundsCheckValue.h: + * b3/air/AirCCallSpecial.h: + * b3/air/AirPrintSpecial.h: + * bytecode/BytecodeDumper.h: + * bytecode/GetterSetterAccessCase.h: + * bytecode/InstanceOfAccessCase.h: + * bytecode/IntrinsicGetterAccessCase.h: + * bytecode/ModuleNamespaceAccessCase.h: + * bytecode/ProxyableAccessCase.h: + * bytecode/Watchpoint.h: + * dfg/DFGFailedFinalizer.h: + * dfg/DFGGraph.h: + * dfg/DFGJITCode.h: + * dfg/DFGJITFinalizer.h: + * dfg/DFGToFTLDeferredCompilationCallback.h: + * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: + * ftl/FTLForOSREntryJITCode.h: + * ftl/FTLJITCode.h: + * ftl/FTLJITFinalizer.h: + * heap/CompleteSubspace.h: + * heap/FastMallocAlignedMemoryAllocator.h: + * heap/GigacageAlignedMemoryAllocator.h: + * heap/HeapSnapshotBuilder.h: + * heap/IsoAlignedMemoryAllocator.h: + * heap/IsoSubspace.h: + * heap/IsoSubspacePerVM.cpp: + * heap/IsoSubspacePerVM.h: + * 
heap/MarkStackMergingConstraint.h: + * heap/SimpleMarkingConstraint.h: + * heap/SpaceTimeMutatorScheduler.h: + * heap/StochasticSpaceTimeMutatorScheduler.h: + * heap/SynchronousStopTheWorldMutatorScheduler.h: + * jit/GCAwareJITStubRoutine.h: + * jit/JITCode.h: + * jit/JITThunks.h: + * jit/JITToDFGDeferredCompilationCallback.h: + * jit/PolymorphicCallStubRoutine.h: + * jsc.cpp: + * parser/Lexer.cpp: Address warning. + * runtime/JSDestructibleObjectHeapCellType.h: + * runtime/SimpleTypedArrayController.h: + * runtime/Structure.h: + * runtime/WeakGCMap.h: + * wasm/WasmEntryPlan.h: + +2020-05-12 Michael Catanzaro + + -Wsign-compare warnings in FTLLowerDFGToB3.cpp and DFGSpeculativeJIT.cpp + https://bugs.webkit.org/show_bug.cgi?id=211783 + + Reviewed by Darin Adler. + + This fixes -Wsign-compare warnings introduced in r260331. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueBitNot): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): + +2020-05-12 Truitt Savell + + Unreviewed, reverting r261542. + + Broke internal builds + + Reverted changeset: + + "[clang-tidy] Run modernize-use-override over JSC, then ensure + as much as possible is final" + https://bugs.webkit.org/show_bug.cgi?id=211743 + https://trac.webkit.org/changeset/261542 + +2020-05-12 Mark Lam + + Wasm::enableFastMemory() was called too late. + https://bugs.webkit.org/show_bug.cgi?id=211773 + + Reviewed by Yusuke Suzuki. + + If Wasm fast memory is to be enabled, we should just do it in initializeThreading() + just like for all the other signal handlers that need to be initialized for JSC. + This simplifies its initialization and ensures that it is done in a timely manner + before Configs are frozen. 
+ + * jsc.cpp: + (jscmain): + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + +2020-05-11 Darin Adler + + Fix problems caught by replacing WTF::Optional with std::optional + https://bugs.webkit.org/show_bug.cgi?id=211703 + + Reviewed by Chris Dumez. + + * runtime/MachineContext.h: + (JSC::MachineContext::instructionPointer): Use explcit makeOptional here, + to work around the fact that MacroAssemblerCodePtr uses an unusual technique + to disable conversions to everything except bool. + +2020-05-11 Yoshiaki JITSUKAWA + + Fix build errors after r260992 + https://bugs.webkit.org/show_bug.cgi?id=211756 + + Reviewed by Darin Adler. + + Add JSC namespace specifier to NonIntrinsic and PropertyAttribute + in the macros in JSObject.h since those can be used outside of + or without introducing JSC namespace. + * runtime/JSObject.h: + +2020-05-11 Ross Kirsling + + [clang-tidy] Run modernize-use-override over JSC, then ensure as much as possible is final + https://bugs.webkit.org/show_bug.cgi?id=211743 + + Reviewed by Saam Barati. 
+ + * API/JSScriptRef.cpp: + * b3/B3ArgumentRegValue.h: + * b3/B3AtomicValue.h: + * b3/B3CCallValue.h: + * b3/B3CheckSpecial.h: + * b3/B3CheckValue.h: + * b3/B3Const32Value.h: + * b3/B3Const64Value.h: + * b3/B3ConstDoubleValue.h: + * b3/B3ConstFloatValue.h: + * b3/B3DataSection.h: + * b3/B3ExtractValue.h: + * b3/B3FenceValue.h: + * b3/B3MemoryValue.h: + * b3/B3PatchpointSpecial.h: + * b3/B3PatchpointValue.h: + * b3/B3SlotBaseValue.h: + * b3/B3StackmapSpecial.h: + * b3/B3StackmapValue.h: + * b3/B3SwitchValue.h: + * b3/B3UpsilonValue.h: + * b3/B3VariableValue.h: + * b3/B3WasmAddressValue.h: + * b3/B3WasmBoundsCheckValue.h: + * b3/air/AirCCallSpecial.h: + * b3/air/AirPrintSpecial.h: + * bytecode/BytecodeDumper.h: + * bytecode/GetterSetterAccessCase.h: + * bytecode/InstanceOfAccessCase.h: + * bytecode/IntrinsicGetterAccessCase.h: + * bytecode/ModuleNamespaceAccessCase.h: + * bytecode/ProxyableAccessCase.h: + * bytecode/Watchpoint.h: + * dfg/DFGFailedFinalizer.h: + * dfg/DFGGraph.h: + * dfg/DFGJITCode.h: + * dfg/DFGJITFinalizer.h: + * dfg/DFGToFTLDeferredCompilationCallback.h: + * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: + * ftl/FTLForOSREntryJITCode.h: + * ftl/FTLJITCode.h: + * ftl/FTLJITFinalizer.h: + * heap/CompleteSubspace.h: + * heap/FastMallocAlignedMemoryAllocator.h: + * heap/GigacageAlignedMemoryAllocator.h: + * heap/HeapSnapshotBuilder.h: + * heap/IsoAlignedMemoryAllocator.h: + * heap/IsoSubspace.h: + * heap/IsoSubspacePerVM.cpp: + * heap/IsoSubspacePerVM.h: + * heap/MarkStackMergingConstraint.h: + * heap/SimpleMarkingConstraint.h: + * heap/SpaceTimeMutatorScheduler.h: + * heap/StochasticSpaceTimeMutatorScheduler.h: + * heap/SynchronousStopTheWorldMutatorScheduler.h: + * jit/GCAwareJITStubRoutine.h: + * jit/JITCode.h: + * jit/JITThunks.h: + * jit/JITToDFGDeferredCompilationCallback.h: + * jit/PolymorphicCallStubRoutine.h: + * jsc.cpp: + * parser/Lexer.cpp: Address warning. 
+ * runtime/JSDestructibleObjectHeapCellType.h: + * runtime/SimpleTypedArrayController.h: + * runtime/Structure.h: + * runtime/WeakGCMap.h: + * wasm/WasmEntryPlan.h: + +2020-05-11 Mark Lam + + Introduce WTF::Config and put Signal.cpp's init-once globals in it. + https://bugs.webkit.org/show_bug.cgi?id=211729 + + + Reviewed by Keith Miller and Saam Barati. + + 1. Initialize VMTraps' signals early now that we'll be freezing signals at the end + of the first VM initialization. + + 2. Move the !initializeThreadingHasBeenCalled RELEASE_ASSERT in initializeThreading() + to the bottom of the function. This way, we'll also catch bugs which may cause + us to jump into the middle of the function. + + Added a compilerFence there to ensure that the RELEASE_ASSERT is only executed + after all initialization is done. This guarantees that it will only be executed + at the end. + + 3. Call WTF::Config::permanentlyFreeze() from JSC::Config::permanentlyFreeze() + for obvious reasons: freezing one should freeze the other. + + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/JSCConfig.cpp: + (JSC::Config::permanentlyFreeze): + * runtime/VMTraps.cpp: + (JSC::VMTraps::initializeSignals): + * runtime/VMTraps.h: + +2020-05-11 Keith Miller + + Remove unused BytecodeKills.h + https://bugs.webkit.org/show_bug.cgi?id=211753 + + Reviewed by Yusuke Suzuki. + + No one uses this class anymore, we should get rid of it. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/BytecodeKills.h: Removed. + * bytecode/BytecodeLivenessAnalysis.cpp: + (JSC::BytecodeLivenessAnalysis::computeKills): Deleted. + * bytecode/BytecodeLivenessAnalysis.h: + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::killsFor): Deleted. + * dfg/DFGGraph.h: + +2020-05-10 Ross Kirsling + + [clang-tidy] Run modernize-use-nullptr over JSC + https://bugs.webkit.org/show_bug.cgi?id=211706 + + Reviewed by Darin Adler. 
+ + * API/APICallbackFunction.h: + * API/JSAPIGlobalObject.h: + * API/JSBase.cpp: + * API/JSCallbackObjectFunctions.h: + * API/JSClassRef.cpp: + * API/JSContextRef.cpp: + * API/JSObjectRef.cpp: + * API/JSScriptRef.cpp: + * API/JSValueRef.cpp: + * API/JSWeakObjectMapRefPrivate.cpp: + * API/tests/ExecutionTimeLimitTest.cpp: + * API/tests/PingPongStackOverflowTest.cpp: + * assembler/AbstractMacroAssembler.h: + * assembler/CPU.cpp: + * bytecode/CodeBlock.cpp: + * bytecode/DeleteByIdVariant.cpp: + * bytecode/GetByIdVariant.cpp: + * bytecode/InByIdVariant.cpp: + * bytecode/InlineCallFrame.cpp: + * bytecode/LazyOperandValueProfile.cpp: + * bytecode/PutByIdVariant.cpp: + * bytecode/ValueProfile.h: + * bytecode/ValueRecovery.cpp: + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + * debugger/DebuggerScope.h: + * dfg/DFGAbstractValue.cpp: + * dfg/DFGAdjacencyList.h: + * dfg/DFGArgumentPosition.h: + * dfg/DFGArrayifySlowPathGenerator.h: + * dfg/DFGAvailability.h: + * dfg/DFGByteCodeParser.cpp: + * dfg/DFGCFGSimplificationPhase.cpp: + * dfg/DFGCPSRethreadingPhase.cpp: + * dfg/DFGCompilationKey.h: + * dfg/DFGConstantFoldingPhase.cpp: + * dfg/DFGDisassembler.cpp: + * dfg/DFGDoubleFormatState.h: + * dfg/DFGEdge.h: + * dfg/DFGFixupPhase.cpp: + * dfg/DFGFrozenValue.cpp: + * dfg/DFGGenerationInfo.h: + * dfg/DFGGraph.h: + * dfg/DFGInPlaceAbstractState.cpp: + * dfg/DFGIntegerCheckCombiningPhase.cpp: + * dfg/DFGLazyJSValue.cpp: + * dfg/DFGNode.h: + * dfg/DFGOSREntrypointCreationPhase.cpp: + * dfg/DFGOSRExit.cpp: + * dfg/DFGOperations.cpp: + * dfg/DFGSilentRegisterSavePlan.h: + * dfg/DFGSpeculativeJIT.cpp: + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT64.cpp: + * dfg/DFGStructureAbstractValue.cpp: + * dfg/DFGTransition.cpp: + * dfg/DFGTypeCheckHoistingPhase.cpp: + * dfg/DFGWorklist.cpp: + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLAvailableRecovery.h: + * ftl/FTLExitValue.cpp: + * ftl/FTLFormattedValue.h: + * ftl/FTLJITCode.cpp: + * ftl/FTLLink.cpp: + * 
ftl/FTLLowerDFGToB3.cpp: + * ftl/FTLLoweredNodeValue.h: + * ftl/FTLOSREntry.cpp: + * ftl/FTLOSRExitCompiler.cpp: + * ftl/FTLTypedPointer.h: + * ftl/FTLValueFromBlock.h: + * ftl/FTLValueRange.h: + * heap/GCSegmentedArray.h: + * heap/Handle.h: + * heap/HandleSet.h: + * heap/HandleTypes.h: + * heap/HeapSnapshotBuilder.cpp: + * heap/MarkedBlockInlines.h: + * heap/Strong.h: + * heap/WeakImpl.h: + * heap/WeakInlines.h: + * heap/WeakSet.cpp: + * heap/WeakSet.h: + * interpreter/CallFrame.cpp: + * interpreter/CallFrame.h: + * interpreter/Interpreter.cpp: + * interpreter/ProtoCallFrame.h: + * interpreter/StackVisitor.cpp: + * interpreter/StackVisitor.h: + * jit/AssemblyHelpers.h: + * jit/CCallHelpers.h: + * jit/JITCode.cpp: + * jit/JITOperations.cpp: + * jit/Repatch.cpp: + * jit/ThunkGenerators.cpp: + * jsc.cpp: + * llint/LLIntSlowPaths.cpp: + * parser/ASTBuilder.h: + * parser/Lexer.cpp: + * parser/Lexer.h: + * parser/Nodes.cpp: + * parser/Nodes.h: + * parser/Parser.cpp: + * parser/Parser.h: + * parser/ParserArena.cpp: + * parser/ParserArena.h: + * parser/ParserFunctionInfo.h: + * parser/SyntaxChecker.h: + * parser/UnlinkedSourceCode.h: + * profiler/ProfilerBytecodeSequence.cpp: + * profiler/ProfilerCompilation.cpp: + * profiler/ProfilerDatabase.cpp: + * profiler/ProfilerOSRExitSite.cpp: + * profiler/ProfilerOriginStack.cpp: + * runtime/ArgList.h: + * runtime/ArrayPrototype.cpp: + * runtime/ClonedArguments.cpp: + * runtime/CommonSlowPaths.cpp: + * runtime/Completion.h: + * runtime/DataView.h: + * runtime/DatePrototype.cpp: + * runtime/DirectEvalExecutable.cpp: + * runtime/DumpContext.cpp: + * runtime/FunctionExecutable.cpp: + * runtime/IndirectEvalExecutable.cpp: + * runtime/JSArray.cpp: + * runtime/JSArrayBufferView.cpp: + * runtime/JSCJSValue.cpp: + * runtime/JSCJSValueInlines.h: + * runtime/JSCell.cpp: + * runtime/JSDataView.cpp: + * runtime/JSDestructibleObject.h: + * runtime/JSFunction.cpp: + * runtime/JSGlobalObject.cpp: + * runtime/JSGlobalObject.h: + * 
runtime/JSONObject.cpp: + * runtime/JSObject.cpp: + * runtime/JSObject.h: + * runtime/JSScope.cpp: + * runtime/JSScope.h: + * runtime/LiteralParser.cpp: + * runtime/OptionsList.h: + * runtime/PropertyDescriptor.cpp: + * runtime/PropertyMapHashTable.h: + * runtime/PropertySlot.h: + * runtime/PutPropertySlot.h: + * runtime/RegExpMatchesArray.h: + * runtime/RegExpPrototype.cpp: + * runtime/StringPrototype.cpp: + * runtime/Structure.cpp: + * runtime/Structure.h: + * runtime/TestRunnerUtils.cpp: + * runtime/TypedArrayType.cpp: + * runtime/VM.cpp: + * runtime/Watchdog.cpp: + * runtime/Watchdog.h: + * runtime/WriteBarrier.h: + * testRegExp.cpp: + * tools/JSDollarVM.cpp: + * wasm/WasmSlowPaths.cpp: + * yarr/RegularExpression.h: + * yarr/YarrInterpreter.cpp: + * yarr/YarrJIT.cpp: + * yarr/YarrJIT.h: + * yarr/YarrPattern.cpp: + * yarr/YarrPattern.h: + +2020-05-09 Ross Kirsling + + Fix build errors and warnings for non-unified JSCOnly + https://bugs.webkit.org/show_bug.cgi?id=211655 + + Reviewed by Darin Adler and Yusuke Suzuki. + + * bytecode/BytecodeDumper.cpp: + (JSC::isConstantRegisterIndex): Deleted. + Remove unused function. + + * llint/LLIntEntrypoint.cpp: + * llint/LLIntThunks.cpp: + * llint/LLIntThunks.h: + * runtime/AggregateErrorConstructor.cpp: + * runtime/AggregateErrorPrototype.cpp: + * wasm/js/WebAssemblyFunction.cpp: + Fix includes. + + * tools/JSDollarVM.cpp: + Deal with "unused constant" warnings for needsDestruction. + + * wasm/WasmLLIntPlan.cpp: + * wasm/WasmSignature.cpp: + Remove unused constants. + +2020-05-08 Darin Adler + + Streamline MarkupAccumulator to improve efficiency a bit + https://bugs.webkit.org/show_bug.cgi?id=211656 + + Reviewed by Anders Carlsson. + + * b3/air/AirFixPartialRegisterStalls.h: Fix spelling of "explicitly". + +2020-05-08 Alexey Shvayka + + Array.prototype.concat fast path checks should not be observable + https://bugs.webkit.org/show_bug.cgi?id=211643 + + Reviewed by Ross Kirsling. 
+ + This change utilizes @tryGetByIdWithWellKnownSymbol intrinsic to make + off the spec Symbol.isConcatSpreadable lookups unobservable to userland code, + aligning JSC with V8 and SpiderMonkey. + + Since @tryGetById uses PropertySlot::getPureResult(), which returns `null` + for Proxy [[Get]] traps and JS getters (covered by stress/try-get-by-id.js), + we can safely compare its result `undefined`. Also, this allows us to remove + @isProxyObject check as Proxy argument is never a fast path anyway. + + This patch is neutral on microbenchmarks/concat-append-one.js. + + * builtins/ArrayPrototype.js: + (concat): + +2020-05-07 Michael Catanzaro + + Simplify preprocessor guards in GCMemoryOperations.h + https://bugs.webkit.org/show_bug.cgi?id=211588 + + Reviewed by Darin Adler. + + If we adjust the guards a bit, then we don't need to repeat the fallback path. + + * heap/GCMemoryOperations.h: + (JSC::gcSafeMemmove): + (JSC::gcSafeZeroMemory): + +2020-05-07 Mark Lam + + Give the DFG and FTL WorkList threads more stack space on ASAN builds. + https://bugs.webkit.org/show_bug.cgi?id=211535 + + + Reviewed by Geoffrey Garen. + + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::ThreadBody::ThreadBody): + - Mark the AutomaticThread as ThreadType::Compiler. + +2020-05-07 Daniel Kolesa + + REGRESSION(r251875): Crash in JSC::StructureIDTable::get on ppc64le: gcSafeMemcpy broken on JSVALUE64 platforms other than x86_64 and aarch64 + https://bugs.webkit.org/show_bug.cgi?id=210685 + + Reviewed by Michael Catanzaro. + + Fix gcSafeMemcpy on non-x86_64/aarch64 64-bit architectures. + + We were hitting an incorrect x86_64 assertion on values larger than + mediumCutoff on JSVALUE64 architectures other than x86_64 and aarch64, + as the control flow is wrong. + + * heap/GCMemoryOperations.h: + (JSC::gcSafeMemcpy): + +2020-05-07 Mark Lam + + Add stack checks to the DFG and FTL bytecode parser. + https://bugs.webkit.org/show_bug.cgi?id=211547 + + + Reviewed by Yusuke Suzuki. 
+ + Inlining can cause some level of recursion of the DFG bytecode parser. We should + do a stack check at each inlining check before recursing. If a stack overflow + appears to be imminent, then just refuse to inline, and therefore, don't recurse + deeper into the parser. + + This issue is more noticeable on ASan debug builds where stack frames can be + humongous. + + Removed the SUPPRESS_ASAN on cloberrize() and the associated comment from r260692. + It was a mis-diagnosis. The stack checks are what we need. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleVarargsInlining): + (JSC::DFG::ByteCodeParser::handleInlining): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGGraph.h: + +2020-05-07 Darin Adler + + REGRESSION (r261257): Lifetime problem with upconverted characters in toLocaleCase + https://bugs.webkit.org/show_bug.cgi?id=211580 + rdar://62980449 + + Reviewed by Yusuke Suzuki. + + The problem comes from the fact that callBufferProducingFunction is moving the same + arguments multiple times. At the moment, this works around the only practical + problem with that, but later it should be fixed in callBufferProducingFunction. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Work around mistakes in how + callBufferProducingFunction works with arguments by calling get() explicitly on the + result of upconvertedCharacters. Later we could fix callBufferProducingFunction to + be safer, but for now this solves the problem. + * runtime/StringPrototype.cpp: + (JSC::toLocaleCase): Ditto. + +2020-05-07 Keith Miller + + Fix ArrayMode nodes after r261260 + https://bugs.webkit.org/show_bug.cgi?id=211543 + + Reviewed by Yusuke Suzuki. + + I accidentally ran tests with a release build rather than + release+assert when uploading r261260. This patch skips the + CheckArray node in the ArrayMode clobbersTop() logic before + Fixup. And also marks a GetArrayLength in the TypedArray + intrsinics as ExitOK. 
+ + This patch also relands r261260. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2020-05-07 Ryan Haddad + + Unreviewed, reverting r261260. + + Caused 26 JSC test failures + + Reverted changeset: + + "DFG ByVal nodes with ArrayModes should clobberTop until Fixup + phase runs." + https://bugs.webkit.org/show_bug.cgi?id=211531 + https://trac.webkit.org/changeset/261260 + +2020-05-07 Mark Lam + + Fix broken exceptionFuzz tests. + https://bugs.webkit.org/show_bug.cgi?id=211550 + + Reviewed by Yusuke Suzuki. + + Remove the bad and now unused utility function to set Options::useExceptionFuzz(). + + * tools/JSDollarVM.cpp: + (JSC::JSDollarVM::finishCreation): + (JSC::functionEnableExceptionFuzz): Deleted. + +2020-05-06 Keith Miller + + DFG ByVal nodes with ArrayModes should clobberTop until Fixup phase runs. + https://bugs.webkit.org/show_bug.cgi?id=211531 + + Reviewed by Yusuke Suzuki. + + When parsing bytecode we may pick a relatively constrained + ArrayMode based on our profiling. Some of these modes may not + clobber exit state. However, Fixup sometimes wants to widen this + to a more generic mode based on other data. This causes us to + think it was valid to exit immediately after the + GetByVal/HasIndexedProperty, which would be wrong with the wider + ArrayMode. We may also incorrectly insert invalidition points + if clobberize gives us the wrong data. + + To fix this clobberize should say All ByVal nodes clobberTop() + until after fixup. Additionally, this patch adds an assertion that + nodes don't go from not clobbering exit state to clobbering exit + state during fixup. 
+ + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::performFixup): + * dfg/DFGGraph.h: + +2020-05-06 Darin Adler + + Make a helper for the pattern of ICU functions that may need to be called twice to populate a buffer + https://bugs.webkit.org/show_bug.cgi?id=211499 + + Reviewed by Ross Kirsling. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::defaultTimeZone): Use callBufferProducingFunction. + (JSC::canonicalizeTimeZoneName): Ditto. + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Ditto. + (JSC::IntlDateTimeFormat::format const): Ditto. + (JSC::IntlDateTimeFormat::formatToParts const): Ditto. + * runtime/IntlLocale.cpp: + (JSC::LocaleIDBuilder::toCanonical): Ditto. + (JSC::IntlLocale::language): Ditto. + (JSC::IntlLocale::script): Ditto. + (JSC::IntlLocale::region): Ditto. + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::format const): Ditto. + (JSC::IntlNumberFormat::formatToParts const): Ditto. + * runtime/IntlObject.cpp: + (JSC::languageTagForLocaleID): Ditto. + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::formatInternal const): Ditto. + (JSC::IntlRelativeTimeFormat::formatToParts const): Ditto. + * runtime/StringPrototype.cpp: + (JSC::toLocaleCase): Ditto. + +2020-05-06 Devin Rousso + + ASSERT_WITH_MESSAGE(m_isOwnedByMainThread == isMainThread()) when web inspecting + https://bugs.webkit.org/show_bug.cgi?id=203638 + + + Reviewed by Brian Burg. + + Mark the `InspectorEnvironment::executionStopwatch` abstract function as `const` and have it + return a `Stopwatch&` instead of a `RefPtr&` as callers assume that it exists. + By not using a `RefPtr`, an additional `copyRef` can be avoided. + + * inspector/InspectorEnvironment.h: + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::executionStopwatch const): Added. 
+ (Inspector::JSGlobalObjectInspectorController::executionStopwatch): Deleted. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::didPause): + (Inspector::InspectorDebuggerAgent::breakpointActionProbe): + (Inspector::InspectorDebuggerAgent::didContinue): + * inspector/agents/InspectorHeapAgent.cpp: + (Inspector::InspectorHeapAgent::snapshot): + (Inspector::InspectorHeapAgent::willGarbageCollect): + (Inspector::InspectorHeapAgent::didGarbageCollect): + * inspector/agents/InspectorScriptProfilerAgent.cpp: + (Inspector::InspectorScriptProfilerAgent::startTracking): + (Inspector::InspectorScriptProfilerAgent::willEvaluateScript): + (Inspector::InspectorScriptProfilerAgent::didEvaluateScript): + (Inspector::InspectorScriptProfilerAgent::trackingComplete): + * runtime/SamplingProfiler.h: + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::SamplingProfiler): + * runtime/VM.h: + * runtime/VM.cpp: + (JSC::VM::ensureSamplingProfiler): + +2020-05-05 Ross Kirsling + + [ECMA-402] Implement Intl.Locale + https://bugs.webkit.org/show_bug.cgi?id=209772 + + Reviewed by Darin Adler and Saam Barati. + + This patch implements the recent ECMA-402 feature Intl.Locale. + + This is effectively a wrapper class for all the pieces of uloc.h that ECMA-402 cares about. + (If we used the C++ API, there's a LocaleBuilder that would make this much easier, but in sticking to the C API, + it's basically an object that has an ICU localeID as data and uloc_* functions as methods / getters. + Furthermore, there's no way to modify said data, so every method / getter can be lazy and cache its result.) 
+ + Usage example: + >>> locale = new Intl.Locale('ja', { region: 'JP', calendar: 'japanese', numeric: false }) + "ja-JP-u-ca-japanese-kn-false" + >>> locale.baseName + "ja-JP" + + Intl.Locale can be used anywhere that Intl APIs accept locale strings as input parameters, + and is moreover hoped to be the class by which future Web APIs will handle the current locale. + + This feature is runtime-guarded by the `useIntlLocale` option. + + * CMakeLists.txt: + * DerivedSources-input.xcfilelist: + * DerivedSources-output.xcfilelist: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * runtime/CommonIdentifiers.h: + * runtime/IntlLocale.cpp: Added. + * runtime/IntlLocale.h: Added. + * runtime/IntlLocaleConstructor.cpp: Added. + * runtime/IntlLocaleConstructor.h: Added. + * runtime/IntlLocalePrototype.cpp: Added. + * runtime/IntlLocalePrototype.h: Added. + * runtime/IntlObject.cpp: + (JSC::IntlObject::finishCreation): + (JSC::localeIDBufferForLanguageTag): Added. + (JSC::languageTagForLocaleID): Renamed from JSC::convertICULocaleToBCP47LanguageTag. + (JSC::intlAvailableLocales): + (JSC::intlCollatorAvailableLocales): + (JSC::canonicalizeLanguageTag): + (JSC::canonicalizeLocaleList): + (JSC::defaultLocale): + * runtime/IntlObject.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::collatorStructure): + (JSC::JSGlobalObject::numberFormatStructure): + (JSC::JSGlobalObject::localeStructure): + * runtime/OptionsList.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2020-05-05 Keith Miller + + clobberize validator should use branchTest8 directly. + https://bugs.webkit.org/show_bug.cgi?id=211469 + + Reviewed by Yusuke Suzuki. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + +2020-05-05 Yusuke Suzuki + + [JSC] Implement BigInt.asIntN and BigInt.asUintN + https://bugs.webkit.org/show_bug.cgi?id=181144 + + Reviewed by Darin Adler. + + This patch implements BigInt.asIntN[1] and BigInt.asUintN[2] features. + As the same to the other BigInt runtime C++ code, we port V8 code to JSC to implement both. + + BigInt.asIntN is `static_cast(BigInt value)` and BigInt.asUintN is `static_cast(BigInt value)`. + They are getting slice of N bits from two's complement representation of the given BigInt. The difference between + asIntN and asUintN is asIntN renders MSB as a sign. + + This patch is once rolled out due to ARM64_32 build failure, which is caused by the existing bug[3]. Relanding it + since it is now fixed. + + [1]: https://tc39.es/ecma262/#sec-bigint.asintn + [2]: https://tc39.es/ecma262/#sec-bigint.asuintn + [3]: https://trac.webkit.org/changeset/261174/webkit + + * runtime/BigIntConstructor.cpp: + (JSC::toBigInt): + (JSC::bigIntConstructorFuncAsUintN): + (JSC::bigIntConstructorFuncAsIntN): + * runtime/JSBigInt.cpp: + (JSC::zeroImpl): + (JSC::JSBigInt::divideImpl): + (JSC::JSBigInt::unaryMinusImpl): + (JSC::JSBigInt::remainderImpl): + (JSC::JSBigInt::digitDiv): + (JSC::JSBigInt::absoluteSub): + (JSC::JSBigInt::asIntNImpl): + (JSC::JSBigInt::asUintNImpl): + (JSC::JSBigInt::truncateToNBits): + (JSC::JSBigInt::truncateAndSubFromPowerOfTwo): + (JSC::JSBigInt::asIntN): + (JSC::JSBigInt::asUintN): + * runtime/JSBigInt.h: + +2020-05-05 Ross Kirsling + + [Intl] Alphabetize extension keys and correctly mark const methods + https://bugs.webkit.org/show_bug.cgi?id=211359 + + Reviewed by Darin Adler. + + Two cleanup items for Intl classes: + + 1. Ensure `resolvedOptions().locale` returns relevant extension keys in alphabetical order. + ICU does this for us via Intl.getCanonicalLocales / Intl.*.supportedLocalesOf but not via ResolveLocale. 
+ However, we don't need to do any sorting in ResolveLocale; we can just pre-alphabetize relevantExtensionKeys. + (See also https://github.com/tc39/ecma402/pull/433.) + + 2. Ensure Intl classes are marking const methods correctly. + + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::sortLocaleData): + (JSC::IntlCollator::searchLocaleData): + (JSC::IntlCollator::compareStrings const): Add const specifier. + (JSC::IntlCollator::resolvedOptions const): Add const specifier. + * runtime/IntlCollator.h: + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::localeData): + (JSC::IntlDateTimeFormat::resolvedOptions const): Add const specifier. + (JSC::IntlDateTimeFormat::format const): Add const specifier. + (JSC::IntlDateTimeFormat::formatToParts const): Add const specifier. + * runtime/IntlDateTimeFormat.h: + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::format const): Add const specifier. + (JSC::IntlNumberFormat::resolvedOptions const): Add const specifier. + (JSC::IntlNumberFormat::formatToParts const): Add const specifier. + * runtime/IntlNumberFormat.h: + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::resolvedOptions const): Add const specifier. + (JSC::IntlPluralRules::select const): Add const specifier. + * runtime/IntlPluralRules.h: + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::resolvedOptions const): Add const specifier. + (JSC::IntlRelativeTimeFormat::formatInternal const): Add const specifier. + (JSC::IntlRelativeTimeFormat::format const): Add const specifier. + (JSC::IntlRelativeTimeFormat::formatToParts const): Add const specifier. + * runtime/IntlRelativeTimeFormat.h: + +2020-05-05 Keith Miller + + Add Clobberize validator for clobber top. + https://bugs.webkit.org/show_bug.cgi?id=209432 + + Reviewed by Yusuke Suzuki. 
+ + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::scratchRegister): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::scratchRegister): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + * dfg/DFGSpeculativeJIT64.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + (JSC::FTL::DFG::LowerDFGToB3::compileBlock): + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + * interpreter/Interpreter.cpp: + (JSC::eval): + (JSC::Interpreter::executeProgram): + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + (JSC::Interpreter::execute): + (JSC::Interpreter::executeModuleProgram): + * jit/JITCodeInlines.h: + (JSC::JITCode::execute): + * llint/LLIntThunks.h: + (JSC::vmEntryToWasm): + * runtime/OptionsList.h: + * runtime/VM.h: + +2020-05-05 Mark Lam + + Allow Bitmap to use up to a UCPURegister word size for internal bit storage. + https://bugs.webkit.org/show_bug.cgi?id=211328 + + + Reviewed by Yusuke Suzuki. + + * assembler/CPU.h: + +2020-05-05 Keith Miller + + iterator_open should remap the symbolIterator argument correctly when inlined. + https://bugs.webkit.org/show_bug.cgi?id=211308 + + + Reviewed by Mark Lam. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + +2020-05-05 Yusuke Suzuki + + [JSC] JSBigInt::maxLengthBits and JSBigInt::maxLength are wrong + https://bugs.webkit.org/show_bug.cgi?id=211445 + + Reviewed by Mark Lam. + + JSBigInt::maxLengthBits and JSBigInt::maxLength definitions are wrong. + + 1. We are defining maxLength and maxLengthBits as an unrelated value to each other. This is wrong. + maxLength should be defined as maxLengthBits / (sizeof(Digit) * bitsPerByte). + 2. We use `sizeof(void*)` and assume that `sizeof(Digit) == sizeof(void*)`. This is wrong in ARM64_32 environment + where Digit size is sizeof(uint64_t) while the pointer size is sizeof(uint32_t). 
This causes compile errors in ARM64_32 + when the code is using these values with static_assert. + + * runtime/JSBigInt.h: + +2020-05-05 Yusuke Suzuki + + Unreviewed, reverting r261156. + + Break ARM64_32 build due to existing bug + + Reverted changeset: + + "[JSC] Implement BigInt.asIntN and BigInt.asUintN" + https://bugs.webkit.org/show_bug.cgi?id=181144 + https://trac.webkit.org/changeset/261156 + +2020-05-05 Alexey Shvayka + + Object.prototype.toString is not spec-perfect + https://bugs.webkit.org/show_bug.cgi?id=199138 + + Reviewed by Darin Adler and Keith Miller. + + Before ES6, Object.prototype.toString relied only on internal [[Class]] slot. Starting with ES6, + Object.prototype.toString checks for a handful of internal slots, mimicing [[Class]], to ensure + backwards compatibility for pre-ES6 instances. Newly-added built-ins provide @@toStringTag for + the method to use. + + Before this change, Object.prototype.toString in JSC relied on className() a.k.a [[Class]] for + all instances. For (almost all) new built-ins, it was overriden by toStringName() returning + "Object", while @@toStringTag was set to correct value. This is quite an error-prone approach + and observable spec discrepancy if @@toStringTag is deleted or set to a non-string. + + This change eliminates the above-mentioned discrepancy and fixes Object.prototype.toString + to return "[object Function]" for callable Proxy objects, aligning JSC with the spec [1], V8, + and SpiderMonkey. + + For Object.prototype.toString to work through DebuggerScope and JSProxy, we perform all checks + in JSObject::toStringName(). Given that isArray() may throw a TypeError [2], we invoke + toStringName() before @@toStringTag lookup to accomodate revoked Proxy case. + + Also, this patch defines @@toStringTag for WebAssembly namespace object (to match Chrome), + JSC shell, and ConsoleObject. 
+ + [1]: https://tc39.es/ecma262/#sec-object.prototype.tostring + [2]: https://tc39.es/ecma262/#sec-isarray (step 3.a) + + * jsc.cpp: + * runtime/BigIntObject.cpp: + (JSC::BigIntObject::toStringName): Deleted. + * runtime/BigIntObject.h: + * runtime/BooleanObject.cpp: + (JSC::BooleanObject::toStringName): + * runtime/BooleanObject.h: + * runtime/ConsoleObject.cpp: + (JSC::ConsoleObject::finishCreation): + * runtime/DateInstance.cpp: + (JSC::DateInstance::toStringName): + * runtime/DateInstance.h: + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::toStringName): + * runtime/ErrorInstance.h: + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::toStringName): Deleted. + * runtime/JSArrayBufferView.h: + * runtime/JSMap.cpp: + (JSC::JSMap::toStringName): Deleted. + * runtime/JSMap.h: + * runtime/JSObject.cpp: + (JSC::JSObject::toStringName): + * runtime/JSSet.cpp: + (JSC::JSSet::toStringName): Deleted. + * runtime/JSSet.h: + * runtime/JSWeakMap.cpp: + (JSC::JSWeakMap::toStringName): Deleted. + * runtime/JSWeakMap.h: + * runtime/JSWeakObjectRef.cpp: + (JSC::JSWeakObjectRef::toStringName): Deleted. + * runtime/JSWeakObjectRef.h: + * runtime/JSWeakSet.cpp: + (JSC::JSWeakSet::toStringName): Deleted. + * runtime/JSWeakSet.h: + * runtime/NumberObject.cpp: + (JSC::NumberObject::toStringName): + * runtime/NumberObject.h: + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncToString): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::toStringName): Deleted. + * runtime/ProxyObject.h: + * runtime/RegExpObject.cpp: + (JSC::RegExpObject::toStringName): + * runtime/RegExpObject.h: + * runtime/StringObject.cpp: + (JSC::StringObject::toStringName): + * runtime/StringObject.h: + * runtime/SymbolObject.cpp: + (JSC::SymbolObject::toStringName): Deleted. 
+ * runtime/SymbolObject.h: + * wasm/js/JSWebAssembly.cpp: + (JSC::JSWebAssembly::finishCreation): + +2020-05-04 Yusuke Suzuki + + [JSC] Implement BigInt.asIntN and BigInt.asUintN + https://bugs.webkit.org/show_bug.cgi?id=181144 + + Reviewed by Darin Adler. + + This patch implements BigInt.asIntN[1] and BigInt.asUintN[2] features. + As the same to the other BigInt runtime C++ code, we port V8 code to JSC to implement both. + + BigInt.asIntN is `static_cast(BigInt value)` and BigInt.asUintN is `static_cast(BigInt value)`. + They are getting slice of N bits from two's complement representation of the given BigInt. The difference between + asIntN and asUintN is asIntN renders MSB as a sign. + + [1]: https://tc39.es/ecma262/#sec-bigint.asintn + [2]: https://tc39.es/ecma262/#sec-bigint.asuintn + + * runtime/BigIntConstructor.cpp: + (JSC::toBigInt): + (JSC::bigIntConstructorFuncAsUintN): + (JSC::bigIntConstructorFuncAsIntN): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::zeroImpl): + (JSC::JSBigInt::divideImpl): + (JSC::JSBigInt::unaryMinusImpl): + (JSC::JSBigInt::remainderImpl): + (JSC::JSBigInt::digitDiv): + (JSC::JSBigInt::asIntNImpl): + (JSC::JSBigInt::asUintNImpl): + (JSC::JSBigInt::truncateToNBits): + (JSC::JSBigInt::truncateAndSubFromPowerOfTwo): + (JSC::JSBigInt::asIntN): + (JSC::JSBigInt::asUintN): + * runtime/JSBigInt.h: + +2020-05-04 Yusuke Suzuki + + [JSC] DFG NotCellUse is used without considering about BigInt32 + https://bugs.webkit.org/show_bug.cgi?id=211395 + + Reviewed by Saam Barati. + + When we see CompareXXX(BigInt32, Double), we are emitting CompareXXX(DoubleRep(BigInt:NotCellUse), Double). But this has two problems. + + 1. We should emit CompareXXX(UntypedUse, UntypedUse) in this case. + 2. DoubleRep(NotCellUse) does not support converting BigInt32 to double. Since DoubleRep's semantics is for ToNumber, it should not + accept BigInt32 since it should throw an error. 
However, DoubleRep currently assumes that NotCellUse value can be converted to double + without any errors. + + To keep DoubleRep's semantics ToNumber, we replace NotCellUse with NotCellNorBigIntUse, which rejects BigInt32. This patch also uses NotCellNorBigIntUse + for ValueToInt32 because of the same reason. + + For CompareXXX and CompareEq nodes, we can optimize it if we introduce new DoubleRepAcceptingBigInt32 DFG node which can convert BigInt32 to Double, since + CompareXXX and CompareEq are not requiring toNumber semantics. This should be done in a separate bug https://bugs.webkit.org/show_bug.cgi?id=211407. + + * bytecode/SpeculatedType.h: + (JSC::isNotCellNorBigIntSpeculation): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixIntConvertingEdge): + (JSC::DFG::FixupPhase::fixupChecksInBlock): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateNotCellNorBigInt): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueToInt32): + (JSC::DFG::SpeculativeJIT::compileDoubleRep): + (JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt): + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::checkMayCrashIfInputIsEmpty): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep): + (JSC::FTL::DFG::LowerDFGToB3::compileValueToInt32): + (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32): + (JSC::FTL::DFG::LowerDFGToB3::speculate): + (JSC::FTL::DFG::LowerDFGToB3::speculateNotCellNorBigInt): + (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32): Deleted. 
+ +2020-05-04 Yusuke Suzuki + + [JSC] Add @@toStringTag to WebAssembly.Global + https://bugs.webkit.org/show_bug.cgi?id=211372 + + Reviewed by Sam Weinig. + + As r260992 did for the other wasm prototypes, we should put @@toStringTag to WebAssembly.Global's prototype too. + + * wasm/js/WebAssemblyGlobalPrototype.cpp: + (JSC::WebAssemblyGlobalPrototype::finishCreation): + +2020-05-04 Devin Rousso + + Web Inspector: Worker: should use the name of the worker if it exists + https://bugs.webkit.org/show_bug.cgi?id=211244 + + Reviewed by Brian Burg. + + * inspector/protocol/Worker.json: + Include the `name` in `Worker.workerCreated`. + +2020-05-04 Devin Rousso + + Web Inspector: provide a way for inspector to turn on/off ITP debug mode and AdClickAttribution debug mode + https://bugs.webkit.org/show_bug.cgi?id=209763 + + Reviewed by Brian Burg. + + * inspector/protocol/Page.json: + Add new enum values to `Page.Setting`: + - `AdClickAttributionDebugModeEnabled` + - `ITPDebugModeEnabled` + +2020-05-03 Maciej Stachowiak + + Remove no longer needed WebKitAdditions include for JavaScriptCorePrefix.h + https://bugs.webkit.org/show_bug.cgi?id=211357 + + Reviewed by Mark Lam. + + * JavaScriptCorePrefix.h: + +2020-05-02 Mark Lam + + Gardening: rolling out r261050 and r261051. + https://bugs.webkit.org/show_bug.cgi?id=211328 + + + Not reviewed. + + * assembler/CPU.h: + +2020-05-01 Mark Lam + + Allow Bitmap to use up to a UCPURegister word size for internal bit storage. + https://bugs.webkit.org/show_bug.cgi?id=211328 + + + Reviewed by Yusuke Suzuki. + + * assembler/CPU.h: + +2020-05-01 Saam Barati + + Have a thread local cache for the Wasm LLInt bytecode buffer + https://bugs.webkit.org/show_bug.cgi?id=211317 + + Reviewed by Filip Pizlo and Mark Lam. + + One of the main things slowing down Wasm compile times is the banging + on bmalloc's global heap lock. 
This patch makes it so for the bytecode + instruction buffer, we keep a thread local cache with latest capacity + the thread needed to compile. This makes it so that in the average case, + we only do one malloc at the end of a compile to memcpy the final result. + + We clear these thread local caches when the WasmWorklist's automatic threads + underlying machine thread is destroyed. + + This is a 15% speedup in zen garden compile times on a 16-core Mac Pro. + This is a 4-5% speedup in zen garden compile times on a 6-core MBP. + + * bytecode/InstructionStream.h: + (JSC::InstructionStreamWriter::setInstructionBuffer): + (JSC::InstructionStreamWriter::finalize): + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::threadSpecificBuffer): + (JSC::Wasm::clearLLIntThreadSpecificCache): + (JSC::Wasm::LLIntGenerator::LLIntGenerator): + (JSC::Wasm::LLIntGenerator::finalize): + * wasm/WasmLLIntGenerator.h: + * wasm/WasmWorklist.cpp: + +2020-05-01 Per Arne Vollan + + [Win] Fix AppleWin build + https://bugs.webkit.org/show_bug.cgi?id=211324 + + Reviewed by Don Olmstead. + + Check if target WTF_CopyHeaders exists before using it. + + * CMakeLists.txt: + +2020-05-01 Don Olmstead + + [GTK] Add additional exports to support hidden visibility + https://bugs.webkit.org/show_bug.cgi?id=211246 + + Reviewed by Michael Catanzaro. + + * API/glib/JSCContextPrivate.h: + * API/glib/JSCValuePrivate.h: + * inspector/remote/glib/RemoteInspectorServer.h: + * inspector/remote/glib/RemoteInspectorUtils.h: + +2020-05-01 Don Olmstead + + Use export macros on all platforms + https://bugs.webkit.org/show_bug.cgi?id=211293 + + Reviewed by Michael Catanzaro. + + Allow overriding of JS_EXPORT_PRIVATE if desired otherwise use the defaults. + + * runtime/JSExportMacros.h: + +2020-05-01 Saam Barati + + Unreviewed. Non-speculative build fix for watchOS build. 
+ + * runtime/ArrayPrototype.cpp: + (JSC::shift): + (JSC::unshift): + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSplice): + * runtime/JSONObject.cpp: + (JSC::Stringifier::Stringifier): + +2020-05-01 Saam Barati + + Unreviewed. Speculative build fix for watchOS build. + + * runtime/ArrayPrototype.cpp: + (JSC::shift): + +2020-05-01 Alexey Shvayka + + [WebIDL] Interface prototype objects should define @@toStringTag + https://bugs.webkit.org/show_bug.cgi?id=211020 + + Unreviewed follow-up to r260992. + + * runtime/JSArrayBufferPrototype.cpp: + (JSC::JSArrayBufferPrototype::finishCreation): Revert change in attempt to fix ARMv7 test. + +2020-05-01 David Kilzer + + JSC::PropertySlot::m_attributes is uninitialized in constructor + + + Reviewed by Mark Lam. + + * runtime/PropertySlot.h: + (JSC::PropertySlot::PropertySlot): + - Initialize m_attributes and m_additionalData, and make use of + default initializers. + +2020-05-01 Alexey Shvayka + + [WebIDL] Interface prototype objects should define @@toStringTag + https://bugs.webkit.org/show_bug.cgi?id=211020 + + Reviewed by Darin Adler. + + WebIDL spec was recently updated [1] to define @@toStringTag on interface prototype objects. + This change aligns WebIDL with ECMA-262 built-ins and Blink's behavior. Gecko have also + expressed implementation commitment. + + This patch implements the spec change, making `X.prototype.toString()` return "[object X]" + instead of "[object XPrototype]", where X is WebIDL interface. This behavior is proven to + be web compatible (shipping in Chrome since Q2 2016) and matches class strings of iterator + prototype objects [2] introduced in r253855. + + We define @@toStringTag for all WebAssembly interfaces but Error subclasses since they + are not defined using WebIDL [3]. 
+ + This change also introduces JSC_TO_STRING_TAG_WITHOUT_TRANSITION() macro that sets up + @@toStringTag using ClassInfo to avoid extra strings creation, ensuring `className` equality + between prototype and instance classes (fixing a few discrepancies), as well as correct + descriptors. It also ensures using faster jsNontrivialString() and relieves from putting + more code into CodeGeneratorJS.pm. + + [1]: https://github.com/heycam/webidl/pull/357 + [2]: https://heycam.github.io/webidl/#es-iterator-prototype-object + [3]: https://webassembly.github.io/spec/js-api/#error-objects + + Tests: imported/w3c/web-platform-tests/wasm/jsapi/instance/toString.any.js + imported/w3c/web-platform-tests/wasm/jsapi/memory/toString.any.js + imported/w3c/web-platform-tests/wasm/jsapi/module/toString.any.js + imported/w3c/web-platform-tests/wasm/jsapi/table/toString.any.js - * inspector/JSInjectedScriptHostPrototype.cpp: - (Inspector::JSInjectedScriptHostPrototype::finishCreation): - * inspector/JSJavaScriptCallFramePrototype.cpp: - (Inspector::JSJavaScriptCallFramePrototype::finishCreation): * runtime/ArrayIteratorPrototype.cpp: (JSC::ArrayIteratorPrototype::finishCreation): - * runtime/ArrayPrototype.cpp: - (JSC::ArrayPrototype::finishCreation): - * runtime/AsyncFromSyncIteratorPrototype.cpp: - (JSC::AsyncFromSyncIteratorPrototype::finishCreation): * runtime/AsyncFunctionPrototype.cpp: (JSC::AsyncFunctionPrototype::finishCreation): * runtime/AsyncGeneratorFunctionPrototype.cpp: (JSC::AsyncGeneratorFunctionPrototype::finishCreation): * runtime/AsyncGeneratorPrototype.cpp: (JSC::AsyncGeneratorPrototype::finishCreation): - * runtime/AsyncIteratorPrototype.cpp: - (JSC::AsyncIteratorPrototype::finishCreation): + * runtime/BigIntPrototype.cpp: + (JSC::BigIntPrototype::finishCreation): * runtime/GeneratorFunctionPrototype.cpp: (JSC::GeneratorFunctionPrototype::finishCreation): * runtime/GeneratorPrototype.cpp: (JSC::GeneratorPrototype::finishCreation): - * runtime/IteratorPrototype.cpp: 
- (JSC::IteratorPrototype::finishCreation): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - * runtime/MapIteratorPrototype.cpp: - (JSC::MapIteratorPrototype::finishCreation): - * runtime/MapPrototype.cpp: - (JSC::MapPrototype::finishCreation): - * runtime/ObjectPrototype.cpp: - (JSC::ObjectPrototype::finishCreation): - * runtime/RegExpStringIteratorPrototype.cpp: - (JSC::RegExpStringIteratorPrototype::finishCreation): - * runtime/SetIteratorPrototype.cpp: - (JSC::SetIteratorPrototype::finishCreation): - * runtime/SetPrototype.cpp: - (JSC::SetPrototype::finishCreation): - * runtime/StringIteratorPrototype.cpp: - (JSC::StringIteratorPrototype::finishCreation): - * runtime/WeakMapPrototype.cpp: - (JSC::WeakMapPrototype::finishCreation): - * runtime/WeakObjectRefPrototype.cpp: - (JSC::WeakObjectRefPrototype::finishCreation): - * runtime/WeakSetPrototype.cpp: - (JSC::WeakSetPrototype::finishCreation): - -2019-06-25 Keith Miller - - Structure::create should call didBecomePrototype() - https://bugs.webkit.org/show_bug.cgi?id=196315 - - Reviewed by Filip Pizlo. - - Structure::create should also assert that the indexing type makes sense - for the prototype being used. - - * runtime/JSObject.h: - * runtime/Structure.cpp: - (JSC::Structure::isValidPrototype): - (JSC::Structure::changePrototypeTransition): - * runtime/Structure.h: - (JSC::Structure::create): Deleted. - * runtime/StructureInlines.h: - (JSC::Structure::create): - (JSC::Structure::setPrototypeWithoutTransition): - -2019-06-25 Joseph Pecoraro - - Web Inspector: Implement console.timeLog - https://bugs.webkit.org/show_bug.cgi?id=199184 - - Reviewed by Devin Rousso. 
- - * inspector/JSGlobalObjectConsoleClient.cpp: - (Inspector::JSGlobalObjectConsoleClient::timeLog): - * inspector/JSGlobalObjectConsoleClient.h: - * inspector/agents/InspectorConsoleAgent.cpp: - (Inspector::InspectorConsoleAgent::logTiming): - (Inspector::InspectorConsoleAgent::stopTiming): - * inspector/agents/InspectorConsoleAgent.h: - * runtime/ConsoleClient.h: - * runtime/ConsoleObject.cpp: - (JSC::ConsoleObject::finishCreation): - (JSC::consoleProtoFuncTimeLog): - -2019-06-25 Michael Catanzaro - - REGRESSION(r245586): static assertion failed: Match result and EncodedMatchResult should be the same size - https://bugs.webkit.org/show_bug.cgi?id=198518 - - Reviewed by Keith Miller. - - r245586 made some bad assumptions about the size of size_t, which we can solve using the - CPU(ADDRESS32) guard that I didn't know about. - - This solution was developed by Mark Lam and Keith Miller. I'm just preparing the patch. - - * runtime/MatchResult.h: - -2019-06-24 Commit Queue - - Unreviewed, rolling out r246714. - https://bugs.webkit.org/show_bug.cgi?id=199179 - - revert to do patch in a different way. (Requested by keith_mi_ - on #webkit). - - Reverted changeset: - - "All prototypes should call didBecomePrototype()" - https://bugs.webkit.org/show_bug.cgi?id=196315 - https://trac.webkit.org/changeset/246714 - -2019-06-24 Alexey Shvayka - - Add Array.prototype.{flat,flatMap} to unscopables - https://bugs.webkit.org/show_bug.cgi?id=194322 - - Reviewed by Keith Miller. - - * runtime/ArrayPrototype.cpp: - (JSC::ArrayPrototype::finishCreation): - -2019-06-24 Mark Lam - - ArraySlice needs to keep the source array alive. - https://bugs.webkit.org/show_bug.cgi?id=197374 - - - Reviewed by Michael Saboff and Filip Pizlo. - - The implementation of the FTL ArraySlice intrinsics may GC while allocating the - result array and its butterfly. Previously, ArraySlice already keeps the source - butterfly alive in order to copy from it to the new butterfly after the allocation. 
- Unfortunately, this is not enough. We also need to keep the source array alive - so that GC will scan the values in the butterfly as well. Note: the butterfly - does not have a visitChildren() method to do this scan. It's the parent object's - responsibility to do the scanning. - - This patch fixes this by introducing a keepAlive() utility method, and we use it - to keep the source array alive while allocating the result array and butterfly. - - keepAlive() works by using a patchpoint to communicate to B3 that a value (the - source array in this case) is still in use. It also uses a fence to keep B3 from - relocating the patchpoint, which may defeat the fix. - - For the DFG's SpeculativeJIT::compileArraySlice(), we may have lucked out and the - source array cell is kept alive. This patch makes it explicit that we should - keep its cell alive till after the result array has been allocated. - - For the Baseline JIT and LLInt, we use the arrayProtoFuncSlice() runtime function - and there is no issue because the source array (in "thisObj") is in the element - copying loop that follows the allocation of the result array. However, for - documentation purposes, this patch adds a call to HeapCell::use() to indicate that - the source array need to kept alive at least until after the allocation of the - result array. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArraySlice): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): - (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): - (JSC::FTL::DFG::LowerDFGToB3::keepAlive): - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoFuncSlice): - -2019-06-22 Robin Morisset and Yusuke Suzuki - - All prototypes should call didBecomePrototype() - https://bugs.webkit.org/show_bug.cgi?id=196315 - - Reviewed by Saam Barati. - - Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor. 
- - I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't - create structures with invalid prototypes. - It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation(). - Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype. - - * runtime/BigIntPrototype.cpp: - (JSC::BigIntPrototype::finishCreation): - * runtime/BooleanPrototype.cpp: - (JSC::BooleanPrototype::finishCreation): - * runtime/DatePrototype.cpp: - (JSC::DatePrototype::finishCreation): - * runtime/ErrorConstructor.cpp: - (JSC::ErrorConstructor::finishCreation): - * runtime/ErrorPrototype.cpp: - (JSC::ErrorPrototype::finishCreation): - * runtime/FunctionConstructor.cpp: - (JSC::FunctionConstructor::finishCreation): - * runtime/FunctionPrototype.cpp: - (JSC::FunctionPrototype::finishCreation): * runtime/IntlCollatorPrototype.cpp: (JSC::IntlCollatorPrototype::finishCreation): * runtime/IntlDateTimeFormatPrototype.cpp: 
@@ -3495,1696 +26259,4327 @@ (JSC::IntlNumberFormatPrototype::finishCreation): * runtime/IntlPluralRulesPrototype.cpp: (JSC::IntlPluralRulesPrototype::finishCreation): + * runtime/IntlRelativeTimeFormatPrototype.cpp: + (JSC::IntlRelativeTimeFormatPrototype::finishCreation): * runtime/JSArrayBufferPrototype.cpp: (JSC::JSArrayBufferPrototype::finishCreation): * runtime/JSDataViewPrototype.cpp: (JSC::JSDataViewPrototype::finishCreation): - * runtime/JSGenericTypedArrayViewPrototypeInlines.h: - (JSC::JSGenericTypedArrayViewPrototype::finishCreation): - * runtime/JSGlobalObject.cpp: - (JSC::createConsoleProperty): + * runtime/JSONObject.cpp: + (JSC::JSONObject::finishCreation): + * runtime/JSObject.h: * runtime/JSPromisePrototype.cpp: (JSC::JSPromisePrototype::finishCreation): - * runtime/JSTypedArrayViewConstructor.cpp: - (JSC::JSTypedArrayViewConstructor::finishCreation): - * runtime/JSTypedArrayViewPrototype.cpp: - (JSC::JSTypedArrayViewPrototype::finishCreation): - * runtime/NumberPrototype.cpp: - (JSC::NumberPrototype::finishCreation): - * runtime/RegExpPrototype.cpp: - (JSC::RegExpPrototype::finishCreation): - * runtime/StringPrototype.cpp: - (JSC::StringPrototype::finishCreation): - * runtime/Structure.cpp: - (JSC::Structure::isValidPrototype): - (JSC::Structure::changePrototypeTransition): - * runtime/Structure.h: - * runtime/StructureInlines.h: - (JSC::Structure::setPrototypeWithoutTransition): + * runtime/MapIteratorPrototype.cpp: + (JSC::MapIteratorPrototype::finishCreation): + * runtime/MapPrototype.cpp: + (JSC::MapPrototype::finishCreation): + * runtime/MathObject.cpp: + (JSC::MathObject::finishCreation): + * runtime/RegExpStringIteratorPrototype.cpp: + (JSC::RegExpStringIteratorPrototype::finishCreation): + * runtime/SetIteratorPrototype.cpp: + (JSC::SetIteratorPrototype::finishCreation): + * runtime/SetPrototype.cpp: + (JSC::SetPrototype::finishCreation): + * runtime/StringIteratorPrototype.cpp: + (JSC::StringIteratorPrototype::finishCreation): * 
runtime/SymbolPrototype.cpp: (JSC::SymbolPrototype::finishCreation): - * wasm/js/WebAssemblyCompileErrorPrototype.cpp: - (JSC::WebAssemblyCompileErrorPrototype::finishCreation): + * runtime/WeakMapPrototype.cpp: + (JSC::WeakMapPrototype::finishCreation): + * runtime/WeakObjectRefPrototype.cpp: + (JSC::WeakObjectRefPrototype::finishCreation): + * runtime/WeakSetPrototype.cpp: + (JSC::WeakSetPrototype::finishCreation): * wasm/js/WebAssemblyInstancePrototype.cpp: (JSC::WebAssemblyInstancePrototype::finishCreation): - * wasm/js/WebAssemblyLinkErrorPrototype.cpp: - (JSC::WebAssemblyLinkErrorPrototype::finishCreation): * wasm/js/WebAssemblyMemoryPrototype.cpp: (JSC::WebAssemblyMemoryPrototype::finishCreation): * wasm/js/WebAssemblyModulePrototype.cpp: (JSC::WebAssemblyModulePrototype::finishCreation): - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::WebAssemblyPrototype::finishCreation): - * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: - (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation): * wasm/js/WebAssemblyTablePrototype.cpp: (JSC::WebAssemblyTablePrototype::finishCreation): -2019-06-22 Yusuke Suzuki +2020-05-01 Saam Barati - [JSC] Strict, Sloppy and Arrow functions should have different classInfo - https://bugs.webkit.org/show_bug.cgi?id=197631 - - Reviewed by Saam Barati. - - If a constructor inherits a builtin class, it creates a Structure which is subclassing the builtin class. - This is done by using InternalFunction::createSubclassStructure. But to accelerate the common cases, we - cache the created structure in InternalFunctionAllocationProfile. Whether the cache is valid is checked - by comparing classInfo of the cached structure and the given base structure. This implicitly assume that - each builtin class's InternalFunction creates an instance based on one structure. - - However, Function constructor is an exception: Function constructor creates an instance which has different - structures based on a parameter. If a strict code is given (e.g. 
"'use strict'"), it creates a function - instance with strict function structure. - - As a result, InternalFunctionAllocationProfile incorrectly caches the structure. Consider the following code. - - class A extends Function { }; - let a = new A("'use strict'"); - let b = new A(""); - - While `a` and `b` should have different structures, `A` caches the structure for `a`, and reuse it even the given - code is not a strict code. This is problematic: We are separating structures of strict, sloppy, and arrow functions - because they have different properties. However, in the above case, a and b have the same structure while they have - different properties. So it causes incorrect structure-based caching in JSC. One of the example is HasOwnPropertyCache. - - In this patch, we introduce JSStrictFunction, JSSloppyFunction, and JSArrowFunction classes and classInfos. This design - works well and already partially accepted for JSGeneratorFunction, JSAsyncGeneratorFunction, and JSAsyncFunction. Each - structure now has a different classInfo so that InternalFunctionAllocationProfile correctly caches and invalidates the - cached one based on the classInfo. Since we already have different structures for these instances, and DFG and FTL - optimizations are based on JSFunctionType (not classInfo), introducing these three classInfo do not break the optimization. - - Note that structures on ArrayConstructor does not cause the same problem. It only uses Undecided indexing typed array - structure in InternalFunctionAllocationProfile, and once haveABadTime happens, it clears InternalFunctionAllocationProfile. - - * runtime/JSAsyncFunction.h: This subspaceFor is not necessary since it is defined in JSFunction. And we already ensure that - sizeof(JSAsyncFunction) == sizeof(JSFunction). - * runtime/JSAsyncGeneratorFunction.cpp: - * runtime/JSAsyncGeneratorFunction.h: Ditto. - * runtime/JSFunction.cpp: - * runtime/JSFunction.h: - * runtime/JSGeneratorFunction.h: Ditto. 
- * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - -2019-06-22 Yusuke Suzuki - - [JSC] ClassExpr should not store result in the middle of evaluation - https://bugs.webkit.org/show_bug.cgi?id=199106 - - Reviewed by Tadeu Zagallo. - - Let's consider the case, - - let a = class A { - static get[a=0x12345678]() { - } - }; - - When evaluating `class A` expression, we should not use the local register for `let a` - until we finally store it to that register. Otherwise, `a=0x12345678` will override it. - Out BytecodeGenerator does that this by using tempDestination and finalDestination, but - we did not do that in ClassExprNode. - - This patch leverages tempDestination and finalDestination to store `class A` result finally, - while we attempt to reduce mov. - - * bytecompiler/NodesCodegen.cpp: - (JSC::ClassExprNode::emitBytecode): - -2019-06-21 Sihui Liu - - openDatabase should return an empty object when WebSQL is disabled - https://bugs.webkit.org/show_bug.cgi?id=198805 - - Reviewed by Geoffrey Garen. - - * runtime/JSFunction.cpp: - (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined): - * runtime/JSFunction.h: - -2019-06-21 Alexey Shvayka - - Remove extra check in RegExp @matchSlow - https://bugs.webkit.org/show_bug.cgi?id=198846 - - Reviewed by Joseph Pecoraro. - - Type of RegExp `exec` result is already asserted in @regExpExec. - - * builtins/RegExpPrototype.js: - (globalPrivate.matchSlow): Remove isObject check. - -2019-06-20 Justin Michaud - - [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs - https://bugs.webkit.org/show_bug.cgi?id=199044 - - Reviewed by Saam Barati. - - Fix parsing table indices from the element section. The byte that we previously read as the table index actually tells us how to parse the table index. - Fix some areas where we got the isSubtype check wrong, causing funcrefs to not be considred anyrefs. 
- - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::unify): - * wasm/WasmSectionParser.cpp: - (JSC::Wasm::SectionParser::parseElement): - * wasm/WasmValidate.cpp: - (JSC::Wasm::Validate::unify): - -2019-06-18 Darin Adler - - Tidy up the remaining bits of the AtomicString to AtomString rename - https://bugs.webkit.org/show_bug.cgi?id=198990 - - Reviewed by Michael Catanzaro. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): Use flagIsAtom. - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): Ditto. - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): Ditto. - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): Ditto. - (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent): Ditto. - -2019-06-19 Alexey Shvayka - - Optimize `resolve` method lookup in Promise static methods - https://bugs.webkit.org/show_bug.cgi?id=198864 + We can't cast toLength result to unsigned + https://bugs.webkit.org/show_bug.cgi?id=211205 + Reviewed by Yusuke Suzuki. - Lookup `resolve` method only once in Promise.{all,allSettled,race}. - (https://github.com/tc39/ecma262/pull/1506) + toLength, according to the spec, returns a 53-bit integer. In our + implementation, we return a double. However, there were many callsites + that did something like: + ``` + unsigned length = toLength(obj); + ``` + + This is bad for a few reasons: + - Casting to unsigned from double is undefined behavior when the integer + is greater than UINT_MAX. In practice, this means that we'd have different + engine behavior depending on what architecture we'd be running on. For + example, if the length were UINT_MAX + 1, on x86, we'd treat the + length as zero. On arm64, we'd treat it as UINT_MAX. Both are wrong. + - We weren't spec compliant. We were just ignoring that these numbers could + be 53-bit integers. 
+ + This patch addresses each bad use of the undefined behavior, and by doing so, + makes us more spec compliant. - Already implemented in V8. + * dfg/DFGOperations.cpp: + * jit/JITOperations.cpp: + (JSC::getByVal): + * runtime/ArrayPrototype.cpp: + (JSC::getProperty): + (JSC::setLength): + (JSC::argumentClampedIndexFromStartOrEnd): + (JSC::shift): + (JSC::unshift): + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + (JSC::fastIndexOf): + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + * runtime/Identifier.h: + (JSC::Identifier::from): + * runtime/IntlObject.cpp: + (JSC::canonicalizeLocaleList): + * runtime/JSONObject.cpp: + (JSC::Stringifier::Stringifier): + (JSC::Stringifier::Holder::appendNextProperty): + (JSC::Walker::walk): + * runtime/JSObject.cpp: + (JSC::JSObject::hasProperty const): + * runtime/JSObject.h: + (JSC::JSObject::putByIndexInline): + (JSC::JSObject::putDirectIndex): + (JSC::JSObject::canGetIndexQuickly const): + (JSC::JSObject::tryGetIndexQuickly const): + * runtime/JSObjectInlines.h: + (JSC::JSObject::getPropertySlot): + (JSC::JSObject::deleteProperty): + (JSC::JSObject::get const): + * runtime/PropertySlot.h: + (JSC::PropertySlot::getValue const): + * tools/JSDollarVM.cpp: + (JSC::functionSetUserPreferredLanguages): - * builtins/PromiseConstructor.js: +2020-04-30 Ross Kirsling -2019-06-19 Tadeu Zagallo - - Some of the ASSERTs in CachedTypes.cpp should be RELEASE_ASSERTs - https://bugs.webkit.org/show_bug.cgi?id=199030 + TriState should be an enum class and use "Indeterminate" instead of "Mixed" + https://bugs.webkit.org/show_bug.cgi?id=211268 Reviewed by Mark Lam. - These assertions represent strong assumptions that the cache makes so - it's not safe to keep executing if they fail. 
- - * runtime/CachedTypes.cpp: - (JSC::Encoder::malloc): - (JSC::Encoder::Page::alignEnd): - (JSC::Decoder::ptrForOffsetFromBase): - (JSC::Decoder::handleForEnvironment const): - (JSC::Decoder::setHandleForEnvironment): - (JSC::CachedPtr::get const): - (JSC::CachedOptional::encode): - (JSC::CachedOptional::decodeAsPtr const): Deleted. - -2019-06-19 Adrian Perez de Castro - - [WPE][GTK] Fix build with unified sources disabled - https://bugs.webkit.org/show_bug.cgi?id=198752 - - Reviewed by Michael Catanzaro. - - * runtime/WeakObjectRefConstructor.h: Add missing inclusion of InternalFunction.h - and forward declaration of WeakObjectRefPrototype. - * wasm/js/WebAssemblyFunction.cpp: Add missing inclusion of JSWebAssemblyHelpers.h - -2019-06-19 Justin Michaud - - [WASM-References] Rename anyfunc to funcref - https://bugs.webkit.org/show_bug.cgi?id=198983 - - Reviewed by Yusuke Suzuki. - - Anyfunc should become funcref since it was renamed in the spec. We should also support the string 'anyfunc' in the table constructor since this is - the only non-binary-format place where it is exposed to users. - - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::gFuncref): - (JSC::Wasm::AirIRGenerator::tmpForType): - (JSC::Wasm::AirIRGenerator::emitCCall): - (JSC::Wasm::AirIRGenerator::moveOpForValueType): - (JSC::Wasm::AirIRGenerator::AirIRGenerator): - (JSC::Wasm::AirIRGenerator::addLocal): - (JSC::Wasm::AirIRGenerator::addConstant): - (JSC::Wasm::AirIRGenerator::addRefFunc): - (JSC::Wasm::AirIRGenerator::addReturn): - (JSC::Wasm::AirIRGenerator::gAnyfunc): Deleted. 
- * wasm/WasmCallingConvention.h: - (JSC::Wasm::CallingConventionAir::marshallArgument const): - (JSC::Wasm::CallingConventionAir::setupCall const): - * wasm/WasmExceptionType.h: - * wasm/WasmFormat.h: - (JSC::Wasm::isValueType): - (JSC::Wasm::isSubtype): - (JSC::Wasm::TableInformation::wasmType const): - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::parseExpression): - * wasm/WasmSectionParser.cpp: - (JSC::Wasm::SectionParser::parseTableHelper): - (JSC::Wasm::SectionParser::parseElement): - (JSC::Wasm::SectionParser::parseInitExpr): - * wasm/WasmValidate.cpp: - (JSC::Wasm::Validate::addRefFunc): - * wasm/js/JSToWasm.cpp: - (JSC::Wasm::createJSToWasmWrapper): - * wasm/js/WasmToJS.cpp: - (JSC::Wasm::wasmToJS): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - (JSC::WebAssemblyFunction::jsCallEntrypointSlow): - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - * wasm/js/WebAssemblyTableConstructor.cpp: - (JSC::constructJSWebAssemblyTable): - * wasm/wasm.json: - -2019-06-19 Fujii Hironori - - [CMake][Win] CombinedDomains.json is generated twice in JavaScriptCore_CopyPrivateHeaders and JavaScriptCore projects - https://bugs.webkit.org/show_bug.cgi?id=198853 - - Reviewed by Don Olmstead. - - JavaScriptCore_CopyPrivateHeaders target needs to have a direct or - indirect dependency of JavaScriptCore target for CMake Visual - Studio generator to eliminate duplicated custom commands. - - * CMakeLists.txt: Added JavaScriptCore as a dependency of JavaScriptCore_CopyPrivateHeaders. - -2019-06-18 Yusuke Suzuki - - [JSC] JSLock should be WebThread aware - https://bugs.webkit.org/show_bug.cgi?id=198911 - - Reviewed by Geoffrey Garen. - - Since WebKitLegacy content rendering is done in WebThread instead of the main thread in iOS, user of WebKitLegacy (e.g. UIWebView) needs - to grab the WebThread lock (which is a recursive lock) in the main thread when touching the WebKitLegacy content. 
- But, WebKitLegacy can expose JSContext for the web view. And we can interact with the JS content through JavaScriptCore APIs. However, - since WebThread is a concept in WebCore, JavaScriptCore APIs do not grab the WebThread lock. As a result, WebKitLegacy web content can be - modified from the main thread without grabbing the WebThread lock through JavaScriptCore APIs. - - This patch makes JSC aware of WebThread: JSLock grabs the WebThread lock before grabbing JS's lock. While this seems layering violation, - we already have many USE(WEB_THREAD) and WebThread aware code in WTF. Eventually, we should move WebThread code from WebCore to WTF since - JSC and WTF need to be aware of WebThread. But, for now, we just use the function pointer exposed by WebCore. - - Since both JSLock and the WebThread lock are recursive locks, nested locking is totally OK. The possible problem is the order of locking. - We ensure that we always grab locks in (1) the WebThread lock and (2) JSLock order. - - In JSLock, we take the WebThread lock, but we do not unlock it. This is how we use the WebThread lock: the WebThread lock is released - automatically when RunLoop finishes the current cycle, and in WebKitLegacy, we do not call unlocking function of the WebThread lock except - for some edge cases. - - * API/JSVirtualMachine.mm: - (-[JSVirtualMachine isWebThreadAware]): - * API/JSVirtualMachineInternal.h: - * runtime/JSLock.cpp: - (JSC::JSLockHolder::JSLockHolder): - (JSC::JSLock::lock): - (JSC::JSLockHolder::init): Deleted. - * runtime/JSLock.h: - (JSC::JSLock::makeWebThreadAware): - (JSC::JSLock::isWebThreadAware const): - -2019-06-18 Justin Michaud - - [WASM-References] Add support for Table.size, grow and fill instructions - https://bugs.webkit.org/show_bug.cgi?id=198761 - - Reviewed by Yusuke Suzuki. - - Add support for Table.size, grow and fill instructions. This also required - adding support for two-byte opcodes to the ops generator. 
- - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::gAnyref): - (JSC::Wasm::AirIRGenerator::tmpForType): - (JSC::Wasm::AirIRGenerator::addTableSize): - (JSC::Wasm::AirIRGenerator::addTableGrow): - (JSC::Wasm::AirIRGenerator::addTableFill): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::addTableSize): - (JSC::Wasm::B3IRGenerator::addTableGrow): - (JSC::Wasm::B3IRGenerator::addTableFill): - * wasm/WasmExceptionType.h: - * wasm/WasmFormat.h: - (JSC::Wasm::TableInformation::wasmType const): - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::parseExpression): - (JSC::Wasm::FunctionParser::parseUnreachableExpression): - * wasm/WasmInstance.cpp: - (JSC::Wasm::doWasmTableGrow): - (JSC::Wasm::doWasmTableFill): - * wasm/WasmInstance.h: - * wasm/WasmTable.cpp: - (JSC::Wasm::Table::grow): - * wasm/WasmValidate.cpp: - (JSC::Wasm::Validate::addTableSize): - (JSC::Wasm::Validate::addTableGrow): - (JSC::Wasm::Validate::addTableFill): - * wasm/generateWasmOpsHeader.py: - (opcodeMacroizer): - (ExtTableOpType): - * wasm/wasm.json: - -2019-06-18 Keith Miller - - Unreviewed, fix signature of currentWeakRefVersion to return an uintptr_t. - - * runtime/VM.h: - (JSC::VM::currentWeakRefVersion const): - -2019-06-18 Justin Michaud - - [WASM-References] Add support for multiple tables - https://bugs.webkit.org/show_bug.cgi?id=198760 - - Reviewed by Saam Barati. - - Support multiple wasm tables. We turn tableInformation into a tables array, and update all of the - existing users to give a table index. The array of Tables in Wasm::Instance is hung off the tail - to make it easier to use from jit code. 
- - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::AirIRGenerator): - (JSC::Wasm::AirIRGenerator::addTableGet): - (JSC::Wasm::AirIRGenerator::addTableSet): - (JSC::Wasm::AirIRGenerator::addCallIndirect): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::B3IRGenerator::addTableGet): - (JSC::Wasm::B3IRGenerator::addTableSet): - (JSC::Wasm::B3IRGenerator::addCallIndirect): - * wasm/WasmExceptionType.h: - * wasm/WasmFormat.h: - (JSC::Wasm::Element::Element): - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::parseExpression): - (JSC::Wasm::FunctionParser::parseUnreachableExpression): - * wasm/WasmInstance.cpp: - (JSC::Wasm::Instance::Instance): - (JSC::Wasm::Instance::create): - (JSC::Wasm::Instance::extraMemoryAllocated const): - (JSC::Wasm::Instance::table): - (JSC::Wasm::Instance::setTable): - * wasm/WasmInstance.h: - (JSC::Wasm::Instance::updateCachedMemory): - (JSC::Wasm::Instance::offsetOfGlobals): - (JSC::Wasm::Instance::offsetOfTablePtr): - (JSC::Wasm::Instance::allocationSize): - (JSC::Wasm::Instance::table): Deleted. - (JSC::Wasm::Instance::setTable): Deleted. - (JSC::Wasm::Instance::offsetOfTable): Deleted. 
- * wasm/WasmModuleInformation.h: - (JSC::Wasm::ModuleInformation::tableCount const): - * wasm/WasmSectionParser.cpp: - (JSC::Wasm::SectionParser::parseImport): - (JSC::Wasm::SectionParser::parseTableHelper): - (JSC::Wasm::SectionParser::parseTable): - (JSC::Wasm::SectionParser::parseElement): - * wasm/WasmTable.h: - (JSC::Wasm::Table::owner const): - * wasm/WasmValidate.cpp: - (JSC::Wasm::Validate::addTableGet): - (JSC::Wasm::Validate::addTableSet): - (JSC::Wasm::Validate::addCallIndirect): - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): - (JSC::JSWebAssemblyInstance::visitChildren): - * wasm/js/JSWebAssemblyInstance.h: - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - (JSC::WebAssemblyModuleRecord::evaluate): - * wasm/wasm.json: - -2019-06-18 Alexey Shvayka - - [ESNExt] String.prototype.matchAll - https://bugs.webkit.org/show_bug.cgi?id=186694 - - Reviewed by Yusuke Suzuki. - - Implement String.prototype.matchAll. - (https://tc39.es/ecma262/#sec-string.prototype.matchall) - - Also rename @globalPrivate @constructor functions and C++ variables holding them. - - Shipping in Chrome since version 73. - Shipping in Firefox since version 67. - - * CMakeLists.txt: - * DerivedSources-input.xcfilelist: - * DerivedSources.make: - * JavaScriptCore.xcodeproj/project.pbxproj: - * Scripts/wkbuiltins/builtins_generate_combined_header.py: - (get_var_name): - (generate_section_for_global_private_code_name_macro): - * Sources.txt: - * builtins/ArrayPrototype.js: - (globalPrivate.ArrayIterator): - (values): - (keys): - (entries): - (globalPrivate.createArrayIterator): Deleted. - * builtins/AsyncFromSyncIteratorPrototype.js: - (globalPrivate.createAsyncFromSyncIterator): - (globalPrivate.AsyncFromSyncIterator): - (globalPrivate.AsyncFromSyncIteratorConstructor): Deleted. 
- * builtins/BuiltinNames.h: - * builtins/MapPrototype.js: - (globalPrivate.MapIterator): - (values): - (keys): - (entries): - (globalPrivate.createMapIterator): Deleted. - * builtins/RegExpPrototype.js: - (globalPrivate.RegExpStringIterator): - (overriddenName.string_appeared_here.matchAll): - * builtins/RegExpStringIteratorPrototype.js: Added. - (next): - * builtins/SetPrototype.js: - (globalPrivate.SetIterator): - (values): - (entries): - (globalPrivate.createSetIterator): Deleted. - * builtins/StringPrototype.js: - (matchAll): - * builtins/TypedArrayPrototype.js: - (values): - (keys): - (entries): - * runtime/CommonIdentifiers.h: - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - * runtime/RegExpPrototype.cpp: - (JSC::RegExpPrototype::finishCreation): - * runtime/RegExpStringIteratorPrototype.cpp: Added. - (JSC::RegExpStringIteratorPrototype::finishCreation): - * runtime/RegExpStringIteratorPrototype.h: Added. - * runtime/StringPrototype.cpp: - -2019-06-18 Keith Miller - - Add support for WeakRef - https://bugs.webkit.org/show_bug.cgi?id=198710 - - Reviewed by Yusuke Suzuki. - - Add support for WeakRefs which are now at stage 3 - (https://tc39.es/proposal-weakrefs). This patch doesn't add - support for FinalizationGroups, which I'll add in another patch. - - Some other things of interest. Per the spec, we cannot collect a - weak refs target unless it has not been dereffed (or created) in - the current microtask turn. i.e. WeakRefs are only allowed to be - collected at the end of a drain of the Microtask queue. My - understanding for this behavior is to reduce implementation - dependence on specific GC behavior in a given browser. - - We track if a WeakRef is retaining its target by using a version - number on each WeakRef as well as on the VM. Whenever a WeakRef is - derefed we update its version number to match the VM's then - WriteBarrier ourselves. During marking if the VM and the WeakRef - have the same version number, the target is visited. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * Sources.txt: - * heap/Heap.cpp: - (JSC::Heap::finalizeUnconditionalFinalizers): - * jsc.cpp: - (GlobalObject::finishCreation): - (functionReleaseWeakRefs): - * runtime/CommonIdentifiers.h: - * runtime/JSGlobalObject.cpp: - * runtime/JSGlobalObject.h: - * runtime/JSWeakObjectRef.cpp: Added. - (JSC::JSWeakObjectRef::finishCreation): - (JSC::JSWeakObjectRef::visitChildren): - (JSC::JSWeakObjectRef::finalizeUnconditionally): - (JSC::JSWeakObjectRef::toStringName): - * runtime/JSWeakObjectRef.h: Added. - * runtime/VM.cpp: - (JSC::VM::drainMicrotasks): - * runtime/VM.h: - (JSC::VM::setOnEachMicrotaskTick): - (JSC::VM::finalizeSynchronousJSExecution): - (JSC::VM::currentWeakRefVersion const): - * runtime/WeakObjectRefConstructor.cpp: Added. - (JSC::WeakObjectRefConstructor::finishCreation): - (JSC::WeakObjectRefConstructor::WeakObjectRefConstructor): - (JSC::callWeakRef): - (JSC::constructWeakRef): - * runtime/WeakObjectRefConstructor.h: Added. - (JSC::WeakObjectRefConstructor::create): - (JSC::WeakObjectRefConstructor::createStructure): - * runtime/WeakObjectRefPrototype.cpp: Added. - (JSC::WeakObjectRefPrototype::finishCreation): - (JSC::getWeakRef): - (JSC::protoFuncWeakRefDeref): - * runtime/WeakObjectRefPrototype.h: Added. - -2019-06-18 Tadeu Zagallo - - Add missing mutator fence in compileNewFunction - https://bugs.webkit.org/show_bug.cgi?id=198849 - - - Reviewed by Saam Barati. - - Follow-up after r246553. Saam pointed out that we still need a mutator - fence before allocating the FunctionRareData, since the allocation - might trigger a slow path call. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): - -2019-06-18 Tadeu Zagallo - - DFG code should not reify the names of builtin functions with private names - https://bugs.webkit.org/show_bug.cgi?id=198849 - - - Reviewed by Filip Pizlo. 
- - Builtin functions that have a private name call setHasReifiedName from finishCreation. - When compiled with DFG and FTL, that does not get called and the function ends up reifying - its name. In order to fix that, we initialize FunctionRareData and set m_hasReifiedName to - true from compileNewFunction in both DFG and FTL. - - * bytecode/InternalFunctionAllocationProfile.h: - (JSC::InternalFunctionAllocationProfile::offsetOfStructure): - * bytecode/ObjectAllocationProfile.h: - (JSC::ObjectAllocationProfileWithPrototype::offsetOfPrototype): - * bytecode/UnlinkedFunctionExecutable.h: - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): - * ftl/FTLAbstractHeapRepository.h: - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): - * runtime/FunctionExecutable.h: - * runtime/FunctionRareData.h: - * runtime/JSFunction.cpp: - (JSC::JSFunction::finishCreation): - * runtime/JSFunction.h: - * runtime/JSFunctionInlines.h: - (JSC::JSFunction::isAnonymousBuiltinFunction const): - -2019-06-18 Keith Miller - - MaybeParseAsGeneratorForScope sometimes loses track of its scope ref - https://bugs.webkit.org/show_bug.cgi?id=198969 - - - Reviewed by Tadeu Zagallo. - - Sometimes if the parser has enough nested scopes - MaybeParseAsGeneratorForScope can lose track of the ScopeRef it - should be tracking. This is because the parser sometimes relocates - its ScopeRefs. To fix this MaybeParseAsGeneratorForScope should - hold the scope ref it's watching. - - * parser/Parser.cpp: - (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope): - (JSC::Scope::MaybeParseAsGeneratorForScope::~MaybeParseAsGeneratorForScope): - -2019-06-17 Justin Michaud - - Validate that table element type is funcref if using an element section - https://bugs.webkit.org/show_bug.cgi?id=198910 - - Reviewed by Yusuke Suzuki. - - Add missing validation when attempting to add an element section to an anyref table. 
- - * wasm/WasmSectionParser.cpp: - (JSC::Wasm::SectionParser::parseElement): - -2019-06-17 Tadeu Zagallo - - Concurrent GC should check the conn before starting a new collection cycle - https://bugs.webkit.org/show_bug.cgi?id=198913 - - - Reviewed by Filip Pizlo. - - Heap::requestCollection tries to steal the conn as an optimization to avoid waking up the collector - thread if it's idle. We determine if the collector is idle by ensuring that there are no pending collections - and that the current GC phase is NotRunning. However, that's not safe immediately after the concurrent - GC has finished processing the last pending request. The collector thread will runEndPhase and immediately - start runNotRunningPhase, without checking if it still has the conn. If the mutator has stolen the conn in - the mean time, this will lead to both threads collecting concurrently, and eventually we'll crash in checkConn, - since the collector is running but doesn't have the conn anymore. - - To solve this, we check if we still have the conn after holding the lock in runNotRunningPhase, in case the mutator - has stolen the conn. Ideally, we wouldn't let the mutator steal the conn in the first place, but that doesn't seem - trivial to determine. - - * heap/Heap.cpp: - (JSC::Heap::runNotRunningPhase): - -2019-06-17 Yusuke Suzuki - - [JSC] Introduce DisposableCallSiteIndex to enforce type-safety - https://bugs.webkit.org/show_bug.cgi?id=197378 - - Reviewed by Saam Barati. - - Some of CallSiteIndex are disposable. This is because some of CallSiteIndex are allocated and freed at runtime (not DFG/FTL compile time). - The example is CallSiteIndex for exception handler in GCAwareJITStubRoutineWithExceptionHandler. If we do not allocate and free CallSiteIndex, - we will create a new CallSiteIndex continuously and leak memory. - - The other CallSiteIndex are not simply disposable because the ownership model is not unique one. They can be shared between multiple clients. 
- But not disposing them is OK because they are static one: they are allocated when compiling DFG/FTL, and we do not allocate such CallSiteIndex - at runtime. - - To make this difference explicit and avoid disposing non-disposable CallSiteIndex accidentally, we introduce DisposableCallSiteIndex type, and - enforce type-safety to some degree. - - We also correctly update the DisposableCallSiteIndex => CodeOrigin table when we are reusing the previously used DisposableCallSiteIndex. - + * b3/B3Const32Value.cpp: + (JSC::B3::Const32Value::equalConstant const): + (JSC::B3::Const32Value::notEqualConstant const): + (JSC::B3::Const32Value::lessThanConstant const): + (JSC::B3::Const32Value::greaterThanConstant const): + (JSC::B3::Const32Value::lessEqualConstant const): + (JSC::B3::Const32Value::greaterEqualConstant const): + (JSC::B3::Const32Value::aboveConstant const): + (JSC::B3::Const32Value::belowConstant const): + (JSC::B3::Const32Value::aboveEqualConstant const): + (JSC::B3::Const32Value::belowEqualConstant const): + * b3/B3Const64Value.cpp: + (JSC::B3::Const64Value::equalConstant const): + (JSC::B3::Const64Value::notEqualConstant const): + (JSC::B3::Const64Value::lessThanConstant const): + (JSC::B3::Const64Value::greaterThanConstant const): + (JSC::B3::Const64Value::lessEqualConstant const): + (JSC::B3::Const64Value::greaterEqualConstant const): + (JSC::B3::Const64Value::aboveConstant const): + (JSC::B3::Const64Value::belowConstant const): + (JSC::B3::Const64Value::aboveEqualConstant const): + (JSC::B3::Const64Value::belowEqualConstant const): + * b3/B3ConstDoubleValue.cpp: + (JSC::B3::ConstDoubleValue::equalConstant const): + (JSC::B3::ConstDoubleValue::notEqualConstant const): + (JSC::B3::ConstDoubleValue::lessThanConstant const): + (JSC::B3::ConstDoubleValue::greaterThanConstant const): + (JSC::B3::ConstDoubleValue::lessEqualConstant const): + (JSC::B3::ConstDoubleValue::greaterEqualConstant const): + (JSC::B3::ConstDoubleValue::equalOrUnorderedConstant const): + 
* b3/B3ConstFloatValue.cpp: + (JSC::B3::ConstFloatValue::equalConstant const): + (JSC::B3::ConstFloatValue::notEqualConstant const): + (JSC::B3::ConstFloatValue::lessThanConstant const): + (JSC::B3::ConstFloatValue::greaterThanConstant const): + (JSC::B3::ConstFloatValue::lessEqualConstant const): + (JSC::B3::ConstFloatValue::greaterEqualConstant const): + (JSC::B3::ConstFloatValue::equalOrUnorderedConstant const): + * b3/B3Procedure.cpp: + (JSC::B3::Procedure::addBoolConstant): + * b3/B3Procedure.h: + * b3/B3ReduceStrength.cpp: + * b3/B3Value.cpp: + (JSC::B3::Value::equalConstant const): + (JSC::B3::Value::notEqualConstant const): + (JSC::B3::Value::lessThanConstant const): + (JSC::B3::Value::greaterThanConstant const): + (JSC::B3::Value::lessEqualConstant const): + (JSC::B3::Value::greaterEqualConstant const): + (JSC::B3::Value::aboveConstant const): + (JSC::B3::Value::belowConstant const): + (JSC::B3::Value::aboveEqualConstant const): + (JSC::B3::Value::belowEqualConstant const): + (JSC::B3::Value::equalOrUnorderedConstant const): + (JSC::B3::Value::asTriState const): + * b3/B3Value.h: * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::newExceptionHandlingCallSiteIndex): - (JSC::CodeBlock::removeExceptionHandlerForCallSite): - * bytecode/CodeBlock.h: - * bytecode/PolymorphicAccess.cpp: - (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): - (JSC::PolymorphicAccess::regenerate): - * bytecode/PolymorphicAccess.h: - (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): Deleted. - * dfg/DFGCommonData.cpp: - (JSC::DFG::CommonData::addUniqueCallSiteIndex): - (JSC::DFG::CommonData::addDisposableCallSiteIndex): - (JSC::DFG::CommonData::removeDisposableCallSiteIndex): - (JSC::DFG::CommonData::removeCallSiteIndex): Deleted. 
- * dfg/DFGCommonData.h: - * interpreter/CallFrame.h: - (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex): - (JSC::DisposableCallSiteIndex::fromCallSiteIndex): - * jit/GCAwareJITStubRoutine.cpp: - (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler): - (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount): - (JSC::createJITStubRoutine): - * jit/GCAwareJITStubRoutine.h: - * jit/JITInlineCacheGenerator.h: - -2019-06-17 Justin Michaud - - [WASM-References] Add support for Funcref in parameters and return types - https://bugs.webkit.org/show_bug.cgi?id=198157 - - Reviewed by Yusuke Suzuki. - - Add support for funcref in parameters, globals, and in table.get/set. When converting a JSValue to - a funcref (nee anyfunc), we first make sure it is an exported wasm function or null. - - We also add support for Ref.func. Anywhere a Ref.func is used, (statically) we construct a JS wrapper - for it so that we never need to construct JSValues when handling references. This should make threads - easier to implement. - - Finally, we add some missing bounds checks for table.get/set. 
- - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::tmpForType): - (JSC::Wasm::AirIRGenerator::moveOpForValueType): - (JSC::Wasm::AirIRGenerator::AirIRGenerator): - (JSC::Wasm::AirIRGenerator::addLocal): - (JSC::Wasm::AirIRGenerator::addConstant): - (JSC::Wasm::AirIRGenerator::addRefFunc): - (JSC::Wasm::AirIRGenerator::addTableSet): - (JSC::Wasm::AirIRGenerator::setGlobal): - (JSC::Wasm::AirIRGenerator::addReturn): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::addLocal): - (JSC::Wasm::B3IRGenerator::addTableSet): - (JSC::Wasm::B3IRGenerator::addRefFunc): - (JSC::Wasm::B3IRGenerator::setGlobal): - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::compileFunctions): - * wasm/WasmCallingConvention.h: - (JSC::Wasm::CallingConventionAir::marshallArgument const): - (JSC::Wasm::CallingConventionAir::setupCall const): - * wasm/WasmExceptionType.h: - * wasm/WasmFormat.h: - (JSC::Wasm::isValueType): - (JSC::Wasm::isSubtype): - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::parseExpression): - (JSC::Wasm::FunctionParser::parseUnreachableExpression): - * wasm/WasmInstance.cpp: - (JSC::Wasm::Instance::Instance): - (JSC::Wasm::Instance::getFunctionWrapper const): - (JSC::Wasm::Instance::setFunctionWrapper): - * wasm/WasmInstance.h: - * wasm/WasmModuleInformation.h: - (JSC::Wasm::ModuleInformation::referencedFunctions const): - (JSC::Wasm::ModuleInformation::addReferencedFunction const): - * wasm/WasmSectionParser.cpp: - (JSC::Wasm::SectionParser::parseGlobal): - (JSC::Wasm::SectionParser::parseInitExpr): - * wasm/WasmValidate.cpp: - (JSC::Wasm::Validate::addTableGet): - (JSC::Wasm::Validate::addTableSet): - (JSC::Wasm::Validate::addRefIsNull): - (JSC::Wasm::Validate::addRefFunc): - (JSC::Wasm::Validate::setLocal): - (JSC::Wasm::Validate::addCall): - (JSC::Wasm::Validate::addCallIndirect): - * wasm/js/JSToWasm.cpp: - (JSC::Wasm::createJSToWasmWrapper): - * wasm/js/JSWebAssemblyHelpers.h: - (JSC::isWebAssemblyHostFunction): - * 
wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::visitChildren): - * wasm/js/JSWebAssemblyRuntimeError.cpp: - (JSC::createJSWebAssemblyRuntimeError): - * wasm/js/JSWebAssemblyRuntimeError.h: - * wasm/js/WasmToJS.cpp: - (JSC::Wasm::handleBadI64Use): - (JSC::Wasm::wasmToJS): - (JSC::Wasm::emitWasmToJSException): - * wasm/js/WasmToJS.h: - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - (JSC::WebAssemblyFunction::jsCallEntrypointSlow): - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - * wasm/wasm.json: - -2019-06-16 Darin Adler - - Rename AtomicString to AtomString - https://bugs.webkit.org/show_bug.cgi?id=195276 - - Reviewed by Michael Catanzaro. - - * many files: Let do-webcore-rename do the renaming. - -2019-06-16 Yusuke Suzuki - - [JSC] Grown region of WasmTable should be initialized with null - https://bugs.webkit.org/show_bug.cgi?id=198903 - - Reviewed by Saam Barati. - - Grown region of Wasmtable is now empty. We should initialize it with null. - We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to - align to the naming convention. - - * wasm/WasmTable.cpp: - (JSC::Wasm::Table::grow): - (JSC::Wasm::Table::visitAggregate): - (JSC::Wasm::Table::visitChildren): Deleted. - * wasm/WasmTable.h: - * wasm/js/JSWebAssemblyTable.cpp: - (JSC::JSWebAssemblyTable::visitChildren): - -2019-06-14 Keith Miller - - Restore PAC based cage. - https://bugs.webkit.org/show_bug.cgi?id=198872 - - Rubber-stamped by Saam Barati. 
- - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::bitFieldInsert64): - * assembler/MacroAssemblerARM64E.h: - * assembler/testmasm.cpp: - (JSC::testCagePreservesPACFailureBit): - (JSC::run): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): - (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): - (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): - (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): - (JSC::FTL::DFG::LowerDFGToB3::caged): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::cageWithoutUntagging): - (JSC::AssemblyHelpers::cageConditionally): - (JSC::AssemblyHelpers::cage): Deleted. - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitIntTypedArrayGetByVal): - (JSC::JIT::emitFloatTypedArrayGetByVal): - (JSC::JIT::emitIntTypedArrayPutByVal): - (JSC::JIT::emitFloatTypedArrayPutByVal): - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter64.asm: - * offlineasm/arm64.rb: - * offlineasm/instructions.rb: - * offlineasm/registers.rb: - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): - (JSC::Wasm::AirIRGenerator::addCallIndirect): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): - (JSC::Wasm::B3IRGenerator::addCallIndirect): - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToWasm): - * wasm/js/JSToWasm.cpp: - (JSC::Wasm::createJSToWasmWrapper): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::WebAssemblyFunction::jsCallEntrypointSlow): - -2019-06-13 Yusuke Suzuki - - Yarr bytecode compilation failure should be gracefully handled - https://bugs.webkit.org/show_bug.cgi?id=198700 - - Reviewed by Michael Saboff. - - Currently, we assume that Yarr bytecode compilation does not fail. But in fact it can fail. - We should gracefully handle this failure as a runtime error, as we did for parse errors in [1]. 
- We also harden Yarr's consumed character calculation by using Checked. - - [1]: https://bugs.webkit.org/show_bug.cgi?id=185755 - - * inspector/ContentSearchUtilities.cpp: - (Inspector::ContentSearchUtilities::findMagicComment): - * runtime/RegExp.cpp: - (JSC::RegExp::byteCodeCompileIfNecessary): - (JSC::RegExp::compile): - (JSC::RegExp::compileMatchOnly): - * runtime/RegExpInlines.h: - (JSC::RegExp::matchInline): - * yarr/YarrErrorCode.cpp: - (JSC::Yarr::errorMessage): - (JSC::Yarr::errorToThrow): - * yarr/YarrErrorCode.h: - * yarr/YarrInterpreter.cpp: - (JSC::Yarr::ByteCompiler::ByteCompiler): - (JSC::Yarr::ByteCompiler::compile): - (JSC::Yarr::ByteCompiler::atomCharacterClass): - (JSC::Yarr::ByteCompiler::atomBackReference): - (JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin): - (JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin): - (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin): - (JSC::Yarr::ByteCompiler::atomParentheticalAssertionBegin): - (JSC::Yarr::ByteCompiler::popParenthesesStack): - (JSC::Yarr::ByteCompiler::closeAlternative): - (JSC::Yarr::ByteCompiler::closeBodyAlternative): - (JSC::Yarr::ByteCompiler::alternativeBodyDisjunction): - (JSC::Yarr::ByteCompiler::alternativeDisjunction): - (JSC::Yarr::ByteCompiler::emitDisjunction): - -2019-06-12 Yusuke Suzuki - - [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call - https://bugs.webkit.org/show_bug.cgi?id=198770 - - Reviewed by Saam Barati. - - Polymorphic call stub is a bit specially patched in JS call site. Typical JS call site for tail calls - are the following. - - if (callee == patchableCallee) { - restore callee saves for tail call - prepare for tail call - jump to the target function - } - restore callee saves for slow path - call the slow path function - - And linking patches patchableCallee, target function, and slow path function. But polymorphic call stub - patches the above `if` statement with the jump to the stub. 
- - jump to the polymorphic call stub - - This is because polymorphic call stub wants to use CallFrameShuffler to get scratch registers. As a result, - "restore callee saves for tail call" thing needs to be done in the polymorphic call stubs. While it is - correctly done for the major cases, we have `slowPath` skips, and that path missed restoring callee saves. - This skip happens if the callee is non JSCell or non JS function, so typically, InternalFunction is handled - in that path. - - This patch does that skips after restoring callee saves. - - * bytecode/CallLinkInfo.cpp: - (JSC::CallLinkInfo::CallLinkInfo): - * bytecode/CallLinkInfo.h: - (JSC::CallLinkInfo::setUpCall): - (JSC::CallLinkInfo::calleeGPR): - (JSC::CallLinkInfo::setCalleeGPR): Deleted. - * jit/Repatch.cpp: - (JSC::revertCall): - (JSC::linkVirtualFor): - (JSC::linkPolymorphicCall): - * jit/Repatch.h: - * jit/ThunkGenerators.cpp: - (JSC::virtualThunkFor): - -2019-06-12 Commit Queue - - Unreviewed, rolling out r246322. - https://bugs.webkit.org/show_bug.cgi?id=198796 - - "It's a huge page load regression on iOS" (Requested by - saamyjoon on #webkit). - - Reverted changeset: - - "Roll out PAC cage" - https://bugs.webkit.org/show_bug.cgi?id=198726 - https://trac.webkit.org/changeset/246322 - -2019-06-11 Alexey Shvayka - - JSC should throw if proxy set returns falsish in strict mode context - https://bugs.webkit.org/show_bug.cgi?id=177398 - - Reviewed by Yusuke Suzuki. - - Throw TypeError exception if Proxy's `set` trap returns falsy value. - (step 6.c of https://tc39.es/ecma262/#sec-putvalue) - - * runtime/ProxyObject.cpp: - (JSC::ProxyObject::performPut): - (JSC::ProxyObject::put): - (JSC::ProxyObject::putByIndexCommon): - * runtime/ProxyObject.h: - -2019-06-11 Alexey Shvayka - - Error message for non-callable Proxy `construct` trap is misleading - https://bugs.webkit.org/show_bug.cgi?id=198637 - - Reviewed by Saam Barati. 
- - Just like other traps, Proxy `construct` trap is invoked with [[Call]], not [[Construct]]. - - * runtime/ProxyObject.cpp: - (JSC::performProxyConstruct): Tweak error message. - -2019-06-10 Tadeu Zagallo - - AI BitURShift's result should not be unsigned - https://bugs.webkit.org/show_bug.cgi?id=198689 - - - Reviewed by Saam Barati. - - Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it. - This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but - get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber, - all we have to do is store the result as a signed int32. - - * dfg/DFGAbstractInterpreterInlines.h: - -2019-06-11 Michael Catanzaro - - Unreviewed build warning fixes - - Silence -Wreturn-type warning - - * wasm/WasmTable.cpp: - (JSC::Wasm::Table::tryCreate): - -2019-06-11 Saam Barati - - Roll out PAC cage - https://bugs.webkit.org/show_bug.cgi?id=198726 - - Reviewed by Keith Miller. - - This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622. - - The resulting state we're in is we have Gigacage enabled on arm64. - There is no more PAC caging. - - We're doing this because there are performance issues with PAC caging - that we haven't resolved yet. - - * assembler/CPU.h: - (JSC::isARM64E): Deleted. - * assembler/MacroAssemblerARM64E.h: - (JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted. - (JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted. - (JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted. 
- * b3/B3LowerToAir.cpp: - * b3/B3PatchpointSpecial.cpp: - (JSC::B3::PatchpointSpecial::admitsStack): - * b3/B3StackmapSpecial.cpp: - (JSC::B3::StackmapSpecial::forEachArgImpl): - (JSC::B3::StackmapSpecial::isArgValidForRep): - * b3/B3Validate.cpp: - * b3/B3ValueRep.cpp: - (JSC::B3::ValueRep::addUsedRegistersTo const): - (JSC::B3::ValueRep::dump const): - (WTF::printInternal): - * b3/B3ValueRep.h: - (JSC::B3::ValueRep::ValueRep): - (JSC::B3::ValueRep::isReg const): - * dfg/DFGOperations.cpp: - (JSC::DFG::newTypedArrayWithSize): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): - (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): - (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): - (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): - (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): - * dfg/DFGSpeculativeJIT.h: + (JSC::CodeBlock::~CodeBlock): + (JSC::CodeBlock::thresholdForJIT): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::UnlinkedFunctionExecutable::visitChildren): + * bytecompiler/NodesCodegen.cpp: + (JSC::ConstantNode::emitBytecodeInConditionContext): + (JSC::BinaryOpNode::emitBytecodeInConditionContext): + (JSC::BinaryOpNode::tryFoldToBranch): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGCFGSimplificationPhase.cpp: + (JSC::DFG::CFGSimplificationPhase::run): + * dfg/DFGLazyJSValue.cpp: + (JSC::DFG::equalToSingleCharacter): + (JSC::DFG::equalToStringImpl): + (JSC::DFG::LazyJSValue::strictEqual const): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): - (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): - (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): 
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): - (JSC::FTL::DFG::LowerDFGToB3::caged): - (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): - (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted. - (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted. - * heap/ConservativeRoots.cpp: - (JSC::ConservativeRoots::genericAddPointer): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::cageConditionally): - * jit/IntrinsicEmitter.cpp: - (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitDirectArgumentsGetByVal): - (JSC::JIT::emitIntTypedArrayGetByVal): - (JSC::JIT::emitFloatTypedArrayGetByVal): - (JSC::JIT::emitIntTypedArrayPutByVal): - (JSC::JIT::emitFloatTypedArrayPutByVal): - * jit/PolymorphicCallStubRoutine.cpp: - (JSC::PolymorphicCallNode::clearCallLinkInfo): - * jit/RegisterSet.h: - * llint/LowLevelInterpreter64.asm: - * runtime/ArrayBuffer.cpp: - (JSC::SharedArrayBufferContents::SharedArrayBufferContents): - (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): - (JSC::ArrayBufferContents::ArrayBufferContents): - (JSC::ArrayBufferContents::destroy): - (JSC::ArrayBufferContents::tryAllocate): - (JSC::ArrayBufferContents::makeShared): - (JSC::ArrayBufferContents::copyTo): - * runtime/ArrayBuffer.h: - (JSC::SharedArrayBufferContents::data const): - (JSC::ArrayBufferContents::data const): - (JSC::ArrayBuffer::data): - (JSC::ArrayBuffer::data const): - (JSC::ArrayBuffer::byteLength const): - * runtime/ArrayBufferView.cpp: - (JSC::ArrayBufferView::ArrayBufferView): - * runtime/ArrayBufferView.h: - (JSC::ArrayBufferView::baseAddress const): - (JSC::ArrayBufferView::setRangeImpl): - (JSC::ArrayBufferView::getRangeImpl): - (JSC::ArrayBufferView::byteLength const): Deleted. 
+ * ftl/FTLOutput.cpp: + (JSC::FTL::Output::equal): + (JSC::FTL::Output::notEqual): + (JSC::FTL::Output::above): + (JSC::FTL::Output::aboveOrEqual): + (JSC::FTL::Output::below): + (JSC::FTL::Output::belowOrEqual): + (JSC::FTL::Output::greaterThan): + (JSC::FTL::Output::greaterThanOrEqual): + (JSC::FTL::Output::lessThan): + (JSC::FTL::Output::lessThanOrEqual): + * jit/JITOperations.cpp: * runtime/CachedTypes.cpp: - (JSC::CachedScopedArgumentsTable::encode): - (JSC::CachedScopedArgumentsTable::decode const): - * runtime/CagedBarrierPtr.h: - (JSC::CagedBarrierPtr::CagedBarrierPtr): - (JSC::CagedBarrierPtr::set): - (JSC::CagedBarrierPtr::get const): - (JSC::CagedBarrierPtr::getMayBeNull const): - (JSC::CagedBarrierPtr::operator== const): - (JSC::CagedBarrierPtr::operator!= const): - (JSC::CagedBarrierPtr::operator bool const): - (JSC::CagedBarrierPtr::setWithoutBarrier): - (JSC::CagedBarrierPtr::operator* const): - (JSC::CagedBarrierPtr::operator-> const): - (JSC::CagedBarrierPtr::operator[] const): - (JSC::CagedBarrierPtr::getUnsafe const): Deleted. - (JSC::CagedBarrierPtr::at const): Deleted. 
- * runtime/DataView.cpp: - (JSC::DataView::DataView): - * runtime/DataView.h: - (JSC::DataView::get): - (JSC::DataView::set): - * runtime/DirectArguments.cpp: - (JSC::DirectArguments::visitChildren): - (JSC::DirectArguments::overrideThings): - (JSC::DirectArguments::unmapArgument): - * runtime/DirectArguments.h: - * runtime/GenericArguments.h: - * runtime/GenericArgumentsInlines.h: - (JSC::GenericArguments::visitChildren): - (JSC::GenericArguments::initModifiedArgumentsDescriptor): - (JSC::GenericArguments::setModifiedArgumentDescriptor): - (JSC::GenericArguments::isModifiedArgumentDescriptor): - * runtime/GenericTypedArrayView.h: - * runtime/GenericTypedArrayViewInlines.h: - (JSC::GenericTypedArrayView::GenericTypedArrayView): - * runtime/JSArrayBufferView.cpp: - (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): - (JSC::JSArrayBufferView::JSArrayBufferView): - (JSC::JSArrayBufferView::finalize): - (JSC::JSArrayBufferView::slowDownAndWasteMemory): - * runtime/JSArrayBufferView.h: - (JSC::JSArrayBufferView::ConstructionContext::vector const): - (JSC::JSArrayBufferView::isNeutered): - (JSC::JSArrayBufferView::vector const): - (JSC::JSArrayBufferView::hasVector const): Deleted. 
- * runtime/JSGenericTypedArrayViewInlines.h: - (JSC::JSGenericTypedArrayView::createUninitialized): - (JSC::JSGenericTypedArrayView::estimatedSize): - (JSC::JSGenericTypedArrayView::visitChildren): - * runtime/Options.h: - * runtime/ScopedArgumentsTable.cpp: - (JSC::ScopedArgumentsTable::clone): - (JSC::ScopedArgumentsTable::setLength): - * runtime/ScopedArgumentsTable.h: - * runtime/SymbolTable.h: - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): - (JSC::Wasm::AirIRGenerator::addCallIndirect): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): - (JSC::Wasm::B3IRGenerator::addCallIndirect): - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::complete): - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToWasm): - * wasm/WasmInstance.h: - (JSC::Wasm::Instance::cachedMemory const): - (JSC::Wasm::Instance::updateCachedMemory): - * wasm/WasmMemory.cpp: - (JSC::Wasm::Memory::Memory): - (JSC::Wasm::Memory::~Memory): - (JSC::Wasm::Memory::grow): - (JSC::Wasm::Memory::dump const): - * wasm/WasmMemory.h: - (JSC::Wasm::Memory::memory const): - * wasm/js/JSToWasm.cpp: - (JSC::Wasm::createJSToWasmWrapper): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * runtime/DefinePropertyAttributes.h: + (JSC::DefinePropertyAttributes::DefinePropertyAttributes): + (JSC::DefinePropertyAttributes::hasWritable const): + (JSC::DefinePropertyAttributes::writable const): + (JSC::DefinePropertyAttributes::hasConfigurable const): + (JSC::DefinePropertyAttributes::configurable const): + (JSC::DefinePropertyAttributes::hasEnumerable const): + (JSC::DefinePropertyAttributes::enumerable const): + (JSC::DefinePropertyAttributes::setWritable): + (JSC::DefinePropertyAttributes::setConfigurable): + (JSC::DefinePropertyAttributes::setEnumerable): + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::initializeCollator): + * 
runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::initializeNumberFormat): + * runtime/IntlObject.cpp: + (JSC::intlBooleanOption): + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::pureStrictEqual): + (JSC::JSValue::pureToBoolean const): + * runtime/JSCellInlines.h: + (JSC::JSCell::pureToBoolean const): -2019-06-10 Basuke Suzuki +2020-04-30 Ross Kirsling - [WinCairo] Remove build warning from RemoteInspector. - https://bugs.webkit.org/show_bug.cgi?id=198724 + [JSC] intlBooleanOption should return TriState instead of taking an out param + https://bugs.webkit.org/show_bug.cgi?id=211256 - Reviewed by Joseph Pecoraro. + Reviewed by Darin Adler and Mark Lam. - In `RemoteInspectorConnectionClient.h`, an interface was defined with empty implementation. - This method is to be overwritten by sub classes so that parameter name is important - so they are commented out rather than just removing from the definition. + Boolean options for Intl constructors can have default values of true, false, or undefined. + To handle the undefined case, intlBooleanOption currently has a `bool& usesFallback` param; + we should have the return type simply be a TriState instead. - * inspector/remote/RemoteInspector.h: + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::initializeCollator): + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::initializeNumberFormat): + * runtime/IntlObject.cpp: + (JSC::intlBooleanOption): + * runtime/IntlObject.h: -2019-06-10 Sam Weinig +2020-04-30 Devin Rousso - Remove Dashboard support - https://bugs.webkit.org/show_bug.cgi?id=198615 + WebKit.WebContent process crashes when web developer tools are opened in Safari + https://bugs.webkit.org/show_bug.cgi?id=210794 + - Reviewed by Ryosuke Niwa. + Reviewed by Brian Burg. 
- * Configurations/FeatureDefines.xcconfig: + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::injectedScriptFor): + Don't crash if a `TerminatedExecutionError` is thrown. -2019-06-10 Devin Rousso + * inspector/InjectedScriptBase.cpp: + (Inspector::InjectedScriptBase::makeCall): + Report the actual error message. Check that the result has a value before attempting to make + a `JSON::Value` out of it. - Web Automation: add notifications for when remote automation is enabled/disabled - https://bugs.webkit.org/show_bug.cgi?id=198703 - +2020-04-29 Ross Kirsling - Reviewed by Timothy Hatcher. + Ensure Intl classes don't have naming conflicts with unified builds + https://bugs.webkit.org/show_bug.cgi?id=211213 - * inspector/remote/RemoteInspectorConstants.h: + Reviewed by Yusuke Suzuki. -2019-06-10 Yusuke Suzuki + Each Intl class usually has an array named relevantExtensionsKeys and a function named localeData. + This can result in redefinition errors when unified builds put two of them into the same translation unit. + Some are already guarding against this with an internal namespace while others are not. - Unreviewed, build fix for non-DFG configurations, part 2 - https://bugs.webkit.org/show_bug.cgi?id=198023 + As a uniform approach, this patch makes each localeData function a static method and + puts each relevantExtensionsKeys array (as well as any constants for its indices) into an internal namespace. - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finalizeUnconditionally): + Furthermore, since three different classes are defining an identical UFieldPositionIteratorDeleter, + this patch consolidates them into one definition in IntlObject. -2019-06-10 Yusuke Suzuki + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::sortLocaleData): Renamed from JSC::sortLocaleData. + (JSC::IntlCollator::searchLocaleData): Renamed from JSC::searchLocaleData. 
+ (JSC::IntlCollator::initializeCollator): + * runtime/IntlCollator.h: + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::localeData): Renamed from JSC::IntlDTFInternal::localeData. + (JSC::toDateTimeOptionsAnyDate): Renamed from JSC::IntlDTFInternal::toDateTimeOptionsAnyDate. + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted. + * runtime/IntlDateTimeFormat.h: + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::localeData): Renamed from JSC::IntlNFInternal::localeData. + (JSC::IntlNumberFormat::initializeNumberFormat): + (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted. + * runtime/IntlNumberFormat.h: + * runtime/IntlObject.cpp: + (JSC::UFieldPositionIteratorDeleter::operator() const): Added. + * runtime/IntlObject.h: + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::localeData): Renamed from JSC::localeData. + * runtime/IntlPluralRules.h: + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::localeData): Renamed from JSC::localeData. + (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat): + (JSC::UFieldPositionIteratorDeleter::operator() const): Deleted. + * runtime/IntlRelativeTimeFormat.h: - Unreviewed, build fix for non-DFG configurations - https://bugs.webkit.org/show_bug.cgi?id=198023 +2020-04-29 Ross Kirsling - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finalizeUnconditionally): + Unreviewed follow-up to r260848. + LowerDFGToB3 has its own isFunction which should NOT have been renamed. 
-2019-06-10 Yusuke Suzuki + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): + (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): + (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): + (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull): + (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction): + (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): + (JSC::FTL::DFG::LowerDFGToB3::isFunction): Renamed from isCallable. - [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode - https://bugs.webkit.org/show_bug.cgi?id=198023 +2020-04-29 Alexey Shvayka + + AsyncFromSyncIterator methods should not pass absent values + https://bugs.webkit.org/show_bug.cgi?id=211147 + + Reviewed by Ross Kirsling. + + This patch implements minor spec change [1] to match async and sync iteration + from the perspective of userland `next` and `return` iterator methods. + `throw` method always receives an argument, yet we align with others to be + consistent and future-proof. + + This change is already implemented in SpiderMonkey. + + [1]: https://github.com/tc39/ecma262/pull/1776 + + * builtins/AsyncFromSyncIteratorPrototype.js: + +2020-04-29 Mark Lam + + Freezing of Gigacage and JSC Configs should be thread safe. + https://bugs.webkit.org/show_bug.cgi?id=211201 + + + Reviewed by Yusuke Suzuki. + + If a client creates multiple VM instances in different threads concurrently, the + following race can occur: + + Config::permanentlyFreeze() contains the following code: + + if (!g_jscConfig.isPermanentlyFrozen) // Point P1 + g_jscConfig.isPermanentlyFrozen = true; // Point P2 + + Let's say there are 2 threads T1 and T2. + + 1. T1 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set. + T1 is about to execute P2 when it gets pre-empted. + + 2. T2 creates a VM and gets to point P1, and sees that g_jscConfig.isPermanentlyFrozen is not set. + T2 proceeds to point P2 and sets g_jscConfig.isPermanentlyFrozen to true. 
+ T2 goes on to freeze the Config and makes it not writable. + + 3. T1 gets to run again, and proceeds to point P2. + T1 tries to set g_jscConfig.isPermanentlyFrozen to true. + But because the Config has been frozen against writes, the write to + g_jscConfig.isPermanentlyFrozen results in a crash. + + This is a classic TOCTOU bug. The fix is simply to ensure that only one thread + can enter Config::permanentlyFreeze() at a time. + + Ditto for Gigacage::permanentlyFreezeGigacageConfig(). + + * runtime/JSCConfig.cpp: + (JSC::Config::permanentlyFreeze): + +2020-04-29 Yusuke Suzuki + + [JSC] JSStringJoiner is missing BigInt handling + https://bugs.webkit.org/show_bug.cgi?id=211174 + + Reviewed by Mark Lam. + + JSStringJoiner missed handling of BigInt (specifically BigInt32) and appending empty string incorrectly. + In debug build, assertion hits. We should support BigInt in JSStringJoiner. + + * runtime/JSStringJoiner.h: + (JSC::JSStringJoiner::appendWithoutSideEffects): + +2020-04-29 Saam Barati + + U_STRING_NOT_TERMINATED_WARNING ICU must be handled when using the output buffer as a C string + https://bugs.webkit.org/show_bug.cgi?id=211142 + + + Reviewed by Darin Adler. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::defaultTimeZone): + (JSC::canonicalizeTimeZoneName): + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + (JSC::IntlDateTimeFormat::format): + (JSC::IntlDateTimeFormat::formatToParts): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::format): + (JSC::IntlNumberFormat::formatToParts): + * runtime/IntlObject.cpp: + (JSC::convertICULocaleToBCP47LanguageTag): + (JSC::canonicalizeLanguageTag): + * runtime/IntlRelativeTimeFormat.cpp: + (JSC::IntlRelativeTimeFormat::formatInternal): + (JSC::IntlRelativeTimeFormat::formatToParts): + * runtime/StringPrototype.cpp: + (JSC::toLocaleCase): + (JSC::normalize): + +2020-04-28 Saam Barati + + Unreviewed. Fix 32-bit build. 
+ + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::createFrom): + (JSC::Int32BigIntImpl::digit): + +2020-04-28 Commit Queue + + Unreviewed, reverting r260876 and r260877. + https://bugs.webkit.org/show_bug.cgi?id=211165 + + Broke build (Requested by yusukesuzuki on #webkit). + + Reverted changesets: + + "Unreviewed, build fix on watchOS" + https://bugs.webkit.org/show_bug.cgi?id=210978 + https://trac.webkit.org/changeset/260876 + + "Unreviewed, speculative build fix on watchOS part 2" + https://bugs.webkit.org/show_bug.cgi?id=210978 + https://trac.webkit.org/changeset/260877 + +2020-04-28 Yusuke Suzuki + + Unreviewed, speculative build fix on watchOS part 2 + https://bugs.webkit.org/show_bug.cgi?id=210978 + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::createFrom): + (JSC::Int32BigIntImpl::digit): + * runtime/JSBigInt.h: + +2020-04-28 Yusuke Suzuki + + Unreviewed, build fix on watchOS + https://bugs.webkit.org/show_bug.cgi?id=210978 + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::createFrom): + (JSC::Int32BigIntImpl::digit): + * runtime/JSBigInt.h: + +2020-04-28 Yusuke Suzuki + + [JSC] BigInt constructor should accept larger integers than safe-integers + https://bugs.webkit.org/show_bug.cgi?id=210755 + + Reviewed by Darin Adler. + + While our implementation of BigInt constructor only accepts safe integers, it should accept all integers. + This patch implements it by creating JSBigInt::createFrom(double). We port double bit processing part from + V8 as the same to the other part of JSBigInt. 
+ + * runtime/BigIntConstructor.cpp: + (JSC::callBigIntConstructor): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::createFrom): + * runtime/JSBigInt.h: + * runtime/MathCommon.h: + (JSC::isInteger): + (JSC::isSafeInteger): + * runtime/NumberConstructor.cpp: + (JSC::numberConstructorFuncIsSafeInteger): + * runtime/NumberConstructor.h: + +2020-04-28 Ross Kirsling + + [JSC] Align upon the name isCallable instead of isFunction + https://bugs.webkit.org/show_bug.cgi?id=211140 + + Reviewed by Darin Adler. + + Follow-up to r260722. Usage is now cleanly separated between isFunction / getCallData, + but the name isCallable is still clearer than isFunction so let's flip that after all. + + * API/JSContextRef.cpp: + (JSGlobalContextSetUnhandledRejectionCallback): + * API/JSObjectRef.cpp: + (JSObjectIsFunction): + * dfg/DFGOperations.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): + (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): + (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): + (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull): + (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction): + (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): + (JSC::FTL::DFG::LowerDFGToB3::isCallable): + (JSC::FTL::DFG::LowerDFGToB3::isFunction): Deleted. + * ftl/FTLOperations.cpp: + (JSC::FTL::operationTypeOfObjectAsTypeofType): + * jsc.cpp: + (functionSetUnhandledRejectionCallback): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/ExceptionHelpers.cpp: + (JSC::errorDescriptionForValue): + * runtime/FunctionPrototype.cpp: + (JSC::functionProtoFuncToString): + * runtime/InternalFunction.cpp: + (JSC::getFunctionRealm): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isCallable const): + (JSC::JSValue::isFunction const): Deleted. + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isCallable): + (JSC::JSCell::isFunction): Deleted. 
+ * runtime/JSONObject.cpp: + (JSC::Stringifier::appendStringifiedValue): + * runtime/ObjectConstructor.cpp: + (JSC::toPropertyDescriptor): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + * runtime/Operations.cpp: + (JSC::jsTypeStringForValue): + (JSC::jsIsObjectTypeOrNull): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::structureForTarget): + (JSC::ProxyObject::finishCreation): + * runtime/RuntimeType.cpp: + (JSC::runtimeTypeForValue): + * tools/JSDollarVM.cpp: + (JSC::functionCallWithStackSize): + (JSC::functionFindTypeForExpression): + (JSC::functionReturnTypeFor): + (JSC::functionHasBasicBlockExecuted): + (JSC::functionBasicBlockExecutionCount): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::setFunctionWrapper): + * wasm/WasmOperations.cpp: + (JSC::Wasm::operationIterateResults): + (JSC::Wasm::operationWasmRefFunc): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyWrapperFunction.cpp: + (JSC::WebAssemblyWrapperFunction::finishCreation): + +2020-04-28 Yusuke Suzuki + + [JSC] NumberConstructor should accept BigInt + https://bugs.webkit.org/show_bug.cgi?id=210835 + + Reviewed by Mark Lam. + + This patch fixes our Number constructor behavior to accept BigInt. According to the spec[1], + Number constructor should accept BigInt and should generate numbers from that. + + We port V8's BigInt to double conversion code as we did for the other HeapBigInt runtime functions. + + And we introduce CallNumberConstructor DFG node and handle Number constructor call with BigInt correctly + in DFG and FTL. Previously we were emitting ToNumber DFG node for Number constructor. But this is wrong + now since ToNumber does not accept BigInt and throws an error, and Number constructor should not use + ToNumber to implement its implementation. 
So we should introduce slightly different semantics: CallNumberConstructor + as we introduced CallStringConstructor in addition to ToString DFG node. And we add appropriate BigInt32 path + to emit efficient CallNumberConstructor machine code. + + [1]: https://tc39.es/ecma262/#sec-number-constructor-number-value + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupToNumberOrToNumericOrCallNumberConstructor): + (JSC::DFG::FixupPhase::fixupToNumeric): Deleted. + (JSC::DFG::FixupPhase::fixupToNumber): Deleted. 
+ * dfg/DFGNode.h: + (JSC::DFG::Node::hasHeapPrediction): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileToNumeric): + (JSC::DFG::SpeculativeJIT::compileCallNumberConstructor): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCallNumberConstructor): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::decideRounding): + (JSC::JSBigInt::toNumberHeap): + * runtime/JSBigInt.h: + * runtime/NumberConstructor.cpp: + (JSC::constructNumberConstructor): + (JSC::callNumberConstructor): + +2020-04-27 Yusuke Suzuki + + [JSC] Throw OutOfMemoryError instead of RangeError if BigInt is too big + https://bugs.webkit.org/show_bug.cgi?id=211111 Reviewed by Saam Barati. - While CodeBlock is periodically jettisoned, UnlinkedCodeBlock and UnlinkedFunctionExecutable can be retained almost forever in certain type of applications. - When we execute a program, which has UnlinkedProgramCodeBlock retained in CodeCache. And UnlinkedProgramCodeBlock holds array of UnlinkedFunctionExecutable. - And UnlinkedFunctionExecutables hold UnlinkedFunctionCodeBlocks once it is generated. So eventually, this tree gets larger and larger until we purge - UnlinkedProgramCodeBlock from CodeCache. This is OK in the browser case. We navigate to various other pages, and UnlinkedProgramCodeBlocks should eventually - be pruned from CodeCache with the new ones. So this tree won't be retained forever. But the behavior is different in the other applications that do not have - navigations. 
If they only have one program which holds all, we basically retain this tree during executing this application. The same thing can happen in - web applications which does not have navigation and keeps alive for a long time. Once we hit CodeCache limit by periodically executing a new script, we will - hit the uppermost of memory footprint. But until that, we increase our memory footprint. + Currently, we are throwing a RangeError if we detect that JSBigInt becomes too large. But this is not consistent with our JSString's policy. + We should throw OutOfMemoryError in this case. This also makes DFG simple since DFG allows throwing OutOfMemoryError in any places which node + is even removed. - However, destroying these UnlinkedCodeBlocks and UnlinkedFunctionExecutables causes a tricky problem. In the browser environment, navigation can happen at any - time. So even if the given UnlinkedCodeBlock seems unused in the current page, it can be used when navigating to a new page which is under the same domain. - One example is initializing function in a script. It is only executed once per page. So once it is executed, it seems that this UnlinkedCodeBlock is unused. - But this will be used when we navigate to a new page. Pruning code blocks based on usage could cause performance regression. + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * runtime/ExceptionHelpers.cpp: + (JSC::throwOutOfMemoryError): + * runtime/ExceptionHelpers.h: + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::tryCreateWithLength): + (JSC::JSBigInt::exponentiateHeap): + (JSC::JSBigInt::leftShiftByAbsolute): + (JSC::JSBigInt::allocateFor): - But if our VM is mini VM mode, the story is different. In mini VM mode, we focus on memory footprint rather than performance e.g. daemons. The daemon never - reuse these CodeCache since we do not have the navigation. +2020-04-27 Saam Barati - This patch logically makes UnlinkedFunctionExecutable -> UnlinkedCodeBlock reference weak when VM is mini mode. 
If UnlinkedCodeBlock is used in previous GC - cycle, we retain it. But if it is not used, and if UnlinkedFunctionExecutable is only the cell keeping UnlinkedCodeBlock alive, we destroy it. It is a - heuristic. In a super pathological case, it could increase memory footprint. Consider the following example. + BigInt math runtime shouldn't convert BigInt32 input operands to a heap cell when doing math + https://bugs.webkit.org/show_bug.cgi?id=210978 - UnlinkedFunctionExecutable(A1) -> UnlinkedCodeBlock(B1) -> UnlinkedFunctionExecutable(C1) -> UnlinkedCodeBlock(D1) - ^ - CodeBlock(E1) + Reviewed by Yusuke Suzuki. - We could delete A1, B1, and C1 while keeping D1. But if we eventually re-execute the same code corresponding to A1, B1, C1, they will be newly created, and - we will create duplicate UnlinkedCodeBlock and instructions stream for D1. + This patch adds support in the runtime for doing alomst all BigInt math + operations on the inputs either being Int32, HeapBigInt, or a mixing + of both. Before, if we detected a binary operation on an Int32 and a + HeapBigInt, this would lead us to convert the Int32 operand into a HeapBigInt. + + This is especially bad because we'd repeat this for all math ops. For example, + if x is a BigInt32, and all rhs are a HeapBigInt, we'd repeatedly convert x + to a HeapBigInt for each operation: + ``` + x + y + x * y + x - y + x >> y + x << y + etc + ``` + + To teach the runtime how to operate both over a BigInt32 and a HeapBigInt, I + templatized the runtime math operations to work both over BigInt32 and + HeapBigInt wrapper classes that expose the same interface. 
+ + This is a ~28% speedup on microbenchmarks/sunspider-sha1-big-int.js - UnlinkedCodeBlock(D1) - ^ - CodeBlock(E1) + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compare): + * jit/JITOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/JSBigInt.cpp: + (JSC::HeapBigIntImpl::HeapBigIntImpl): + (JSC::HeapBigIntImpl::isZero): + (JSC::HeapBigIntImpl::sign): + (JSC::HeapBigIntImpl::length): + (JSC::HeapBigIntImpl::digit): + (JSC::HeapBigIntImpl::toHeapBigInt): + (JSC::Int32BigIntImpl::Int32BigIntImpl): + (JSC::Int32BigIntImpl::isZero): + (JSC::Int32BigIntImpl::sign): + (JSC::Int32BigIntImpl::length): + (JSC::Int32BigIntImpl::digit): + (JSC::Int32BigIntImpl::toHeapBigInt): + (JSC::JSBigInt::ImplResult::ImplResult): + (JSC::tryConvertToBigInt32): + (JSC::JSBigInt::inplaceMultiplyAdd): + (JSC::JSBigInt::exponentiateImpl): + (JSC::JSBigInt::exponentiate): + (JSC::JSBigInt::multiplyImpl): + (JSC::JSBigInt::multiply): + (JSC::JSBigInt::divideImpl): + (JSC::JSBigInt::divide): + (JSC::JSBigInt::copy): + (JSC::JSBigInt::unaryMinusImpl): + (JSC::JSBigInt::unaryMinus): + (JSC::JSBigInt::remainderImpl): + (JSC::JSBigInt::remainder): + (JSC::JSBigInt::incImpl): + (JSC::JSBigInt::inc): + (JSC::JSBigInt::decImpl): + (JSC::JSBigInt::dec): + (JSC::JSBigInt::addImpl): + (JSC::JSBigInt::add): + (JSC::JSBigInt::subImpl): + (JSC::JSBigInt::sub): + (JSC::JSBigInt::bitwiseAndImpl): + (JSC::JSBigInt::bitwiseAnd): + (JSC::JSBigInt::bitwiseOrImpl): + (JSC::JSBigInt::bitwiseOr): + (JSC::JSBigInt::bitwiseXorImpl): + (JSC::JSBigInt::bitwiseXor): + (JSC::JSBigInt::leftShiftImpl): + (JSC::JSBigInt::leftShift): + (JSC::JSBigInt::leftShiftSlow): + (JSC::JSBigInt::signedRightShiftImpl): + (JSC::JSBigInt::signedRightShift): + (JSC::JSBigInt::bitwiseNotImpl): + (JSC::JSBigInt::bitwiseNot): + (JSC::JSBigInt::internalMultiplyAdd): + (JSC::JSBigInt::multiplyAccumulate): + (JSC::JSBigInt::absoluteCompare): + (JSC::JSBigInt::compareImpl): + 
(JSC::JSBigInt::compare): + (JSC::JSBigInt::absoluteAdd): + (JSC::JSBigInt::absoluteSub): + (JSC::JSBigInt::absoluteDivWithDigitDivisor): + (JSC::JSBigInt::absoluteDivWithBigIntDivisor): + (JSC::JSBigInt::absoluteLeftShiftAlwaysCopy): + (JSC::JSBigInt::absoluteBitwiseOp): + (JSC::JSBigInt::absoluteAnd): + (JSC::JSBigInt::absoluteOr): + (JSC::JSBigInt::absoluteAndNot): + (JSC::JSBigInt::absoluteXor): + (JSC::JSBigInt::absoluteAddOne): + (JSC::JSBigInt::absoluteSubOne): + (JSC::JSBigInt::leftShiftByAbsolute): + (JSC::JSBigInt::rightShiftByAbsolute): + (JSC::JSBigInt::rightShiftByMaximum): + (JSC::JSBigInt::toStringGeneric): + (JSC::JSBigInt::toShiftAmount): + (JSC::JSBigInt::exponentiateHeap): Deleted. + (JSC::JSBigInt::multiplyHeap): Deleted. + (JSC::JSBigInt::divideHeap): Deleted. + (JSC::JSBigInt::unaryMinusHeap): Deleted. + (JSC::JSBigInt::remainderHeap): Deleted. + (JSC::JSBigInt::incHeap): Deleted. + (JSC::JSBigInt::decHeap): Deleted. + (JSC::JSBigInt::addHeap): Deleted. + (JSC::JSBigInt::subHeap): Deleted. + (JSC::JSBigInt::bitwiseAndHeap): Deleted. + (JSC::JSBigInt::bitwiseOrHeap): Deleted. + (JSC::JSBigInt::bitwiseXorHeap): Deleted. + (JSC::JSBigInt::leftShiftHeap): Deleted. + (JSC::JSBigInt::signedRightShiftHeap): Deleted. + (JSC::JSBigInt::bitwiseNotHeap): Deleted. + (JSC::JSBigInt::compareToInt32): Deleted. 
+ * runtime/JSBigInt.h: + * runtime/Operations.cpp: + (JSC::jsAddSlowCase): + * runtime/Operations.h: + (JSC::compareBigInt): + (JSC::compareBigInt32ToOtherPrimitive): + (JSC::arithmeticBinaryOp): + (JSC::jsSub): + (JSC::jsMul): + (JSC::jsDiv): + (JSC::jsRemainder): + (JSC::jsPow): + (JSC::jsInc): + (JSC::jsDec): + (JSC::jsBitwiseNot): + (JSC::shift): + (JSC::jsLShift): + (JSC::jsRShift): + (JSC::bitwiseBinaryOp): + (JSC::jsBitwiseAnd): + (JSC::jsBitwiseOr): + (JSC::jsBitwiseXor): - UnlinkedFunctionExecutable(A2) -> UnlinkedCodeBlock(B2) -> UnlinkedFunctionExecutable(C2) -> UnlinkedCodeBlock(D2) +2020-04-27 Yusuke Suzuki - But this does not happen in practice and even it happens, we eventually discard D1 and D2 since CodeBlock E1 will be jettisoned anyway. So in practice, we do - not see memory footprint increase. We tested it in Gmail and the target application, but both said memory footprint reduction (30 MB / 400 MB and 1 MB /6 MB). - While this affects on performance much on tests which has navigation (1-3 % regression in Speedometer2, note that JetStream2 does not show regression in x64, - while it is not enabling mini mode), we do not apply this to non mini mode VM until we come up with a good strategy to fasten performance of re-generation. - Personally I think flushing destroyed UnlinkedCodeBlock to the disk sounds promising. + [JSC] >>> should call ToNumeric + https://bugs.webkit.org/show_bug.cgi?id=211065 - If UnlinkedCodeBlock is generated from bytecode cache, we do not make UnlinkedFunctionExecutable -> UnlinkedCodeBlock link weak because the decoder of the bytecode - cache assumes that generated JSCells won't be destroyed while the parent cells of that cell are live. This is true in the current implementation, and this assumption - will be broken with this patch. So, for now, we do not make this link weak. Currently, our target application does not use bytecode cache so it is OK. + Reviewed by Ross Kirsling. 
- This patch also introduce simple heuristic. We are counting UnlinkedCodeBlock's age. And once the age becomes maximum size, we make UnlinkedFunctionExecutable -> - UnlinkedCodeBlock link weak. We also use execution counter information to reset this age: CodeBlock will reset undelying UnlinkedCodeBlock's age if it has executed - While this heuristic is quite simple, it has some effect in practice. Basically what happens with this heuristic is that UnlinkedFunctionExecutable -> - UnlinkedCodeBlock link strong. When GC happens, we are executing some CodeBlocks, which become live. And ScriptExecutables -> UnlinkedFunctionExecutables held - by this CodeBlock become also live. Then UnlinkedFunctionExecutables can mark the child UnlinkedCodeBlocks if it is not so old. - If some of parent UnlinkedFunctionExecutable becomes dead, child UnlinkedCodeBlocks tends to be dead unless some live CodeBlock holds it. But it is OK for a first - heuristics since this means that parent code block is now considered old, reachable UnlinkedCodeBlock will be used when the parent is executed again. So destroying - the tree is OK even if the tree may include some new UnlinkedCodeBlock. While we could make more sophisticated mechanism to manage these lifetime, I think this is a - good starting point. + While BigInt does not support >>> operator, >>> operator should call ToNumeric (in this case, toBigIntOrInt32) for both before throwing an error. + We call toBigIntOrInt32 for both operands, and throw an error. And after that, casting int32_t to uint32_t to perform >>> operator. This is correct + since the only difference between toUint32 and toInt32 is casting int32_t result to uint32_t. - Based on measurement, we pick 7 as a maximum age. If we pick 0, we can get more memory reduction (1 - 1.5 MB!), while we ends up reparsing codes so many times. - It seems that 7 can reduce fair amount of memory while doing small # of reparsing on average (usually, 1, 2. Sometimes, 100. 
But not 300, which is the case in 0). - If we want to get more memory reduction for the sake of performance, we could decrease this age limit. + * dfg/DFGOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/Operations.h: + (JSC::shift): + (JSC::jsURShift): - Since we do not have an automated script right now so it is a bit difficult to measure memory footprint precisely. But manual testing shows that this patch improves - memory footprint of our target application from about 6.5 MB to about 5.9 MB. +2020-04-27 Keith Miller - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finalizeUnconditionally): - * bytecode/CodeBlock.h: - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): - (JSC::UnlinkedCodeBlock::visitChildren): - * bytecode/UnlinkedCodeBlock.h: - (JSC::UnlinkedCodeBlock::age const): - (JSC::UnlinkedCodeBlock::resetAge): - * bytecode/UnlinkedFunctionExecutable.cpp: - (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): - (JSC::UnlinkedFunctionExecutable::visitChildren): - (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor): - (JSC::UnlinkedFunctionExecutable::decodeCachedCodeBlocks): - (JSC::UnlinkedFunctionExecutable::finalizeUnconditionally): - * bytecode/UnlinkedFunctionExecutable.h: - * heap/Heap.cpp: - (JSC::Heap::finalizeUnconditionalFinalizers): - * runtime/CachedTypes.cpp: - (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): - (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): - * runtime/CodeSpecializationKind.h: - * runtime/Options.h: + OSR Exit compiler should know and print the exiting DFG node's index + https://bugs.webkit.org/show_bug.cgi?id=210998 + + Reviewed by Mark Lam. + + The only interesting thing here is that we set the node to index 0 if there is no node. + AFAICT, we only don't have a node when we are checking arguments. 
+ + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::OSRExit): + (JSC::DFG::operationCompileOSRExit): + * dfg/DFGOSRExitBase.h: + (JSC::DFG::OSRExitBase::OSRExitBase): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation): + * ftl/FTLOSRExit.cpp: + (JSC::FTL::OSRExitDescriptor::emitOSRExit): + (JSC::FTL::OSRExitDescriptor::emitOSRExitLater): + (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle): + (JSC::FTL::OSRExit::OSRExit): + * ftl/FTLOSRExit.h: + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + +2020-04-27 Saam Barati + + compilePeepHoleBigInt32Branch needs to handle all conditions + https://bugs.webkit.org/show_bug.cgi?id=211096 + + + Reviewed by Yusuke Suzuki. + + We were falling through to the generic path for all conditions which + weren't Equal/NotEqual. The generic path does not do speculation, so + it was leading to potential miscompiles because we omitted a type check. + Defining compilePeepHoleBigInt32Branch for other conditions is trivial, + so this patch just implements that. + + This failure is caught by microbenchmarks/sunspider-sha1-big-int.js + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch): + +2020-04-27 Jason Lawrence + + Unreviewed, reverting r260772. + + This commit caused tests to start failing internally. + + Reverted changeset: + + "OSR Exit compiler should know and print the exiting DFG + node's index" + https://bugs.webkit.org/show_bug.cgi?id=210998 + https://trac.webkit.org/changeset/260772 + +2020-04-27 Yusuke Suzuki + + [JSC] Add $vm.assertEnabled() to suppress Debug crash expected tests in release+assert build + https://bugs.webkit.org/show_bug.cgi?id=211089 + + Reviewed by Keith Miller. 
+ + Expose ASSERT_ENABLED condition to the shell to control crash expected tests. + + * tools/JSDollarVM.cpp: + (JSC::functionAssertEnabled): + (JSC::JSDollarVM::finishCreation): + +2020-04-27 Keith Miller + + OSR Exit compiler should know and print the exiting DFG node's index + https://bugs.webkit.org/show_bug.cgi?id=210998 + + Reviewed by Mark Lam. + + The only interesting thing here is that we set the node to index 0 if there is no node. + AFAICT, we only don't have a node when we are checking arguments. + + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::OSRExit): + (JSC::DFG::operationCompileOSRExit): + * dfg/DFGOSRExitBase.h: + (JSC::DFG::OSRExitBase::OSRExitBase): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation): + * ftl/FTLOSRExit.cpp: + (JSC::FTL::OSRExitDescriptor::emitOSRExit): + (JSC::FTL::OSRExitDescriptor::emitOSRExitLater): + (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle): + (JSC::FTL::OSRExit::OSRExit): + * ftl/FTLOSRExit.h: + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + +2020-04-27 Ross Kirsling + + [JSC] CallData/ConstructData should include CallType/ConstructType + https://bugs.webkit.org/show_bug.cgi?id=211059 + + Reviewed by Darin Adler. + + getCallData/getConstructData return a CallType/ConstructType and have a CallData/ConstructData out param, + and then *both* of these are passed side-by-side to `call`/`construct`, which all seems a bit silly. + + This patch merges CallType/ConstructType into CallData/ConstructData such that getCallData/getConstructData + no longer need an out param and `call`/`construct` require one less overt parameter. 
+ + In so doing, it also: + - removes ConstructData entirely as it's an exact duplicate of CallData + - renames enum value Host to Native in alignment with CallData's union + + * API/JSCallbackConstructor.cpp: + (JSC::JSCallbackConstructor::getConstructData): + * API/JSCallbackConstructor.h: + * API/JSCallbackObject.h: + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::getConstructData): + (JSC::JSCallbackObject::getCallData): + * API/JSObjectRef.cpp: + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * bindings/ScriptFunctionCall.cpp: + (Deprecated::ScriptFunctionCall::call): + * bindings/ScriptFunctionCall.h: + * dfg/DFGOperations.cpp: + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::createInjectedScript): + * inspector/InspectorEnvironment.h: + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeProgram): + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + * interpreter/Interpreter.h: + * jit/JITOperations.cpp: + * jsc.cpp: + (functionDollarAgentReceiveBroadcast): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::handleHostCall): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + * runtime/CallData.cpp: + (JSC::call): + (JSC::profiledCall): + * runtime/CallData.h: + * runtime/ClassInfo.h: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/ConstructData.cpp: + (JSC::construct): + (JSC::profiledConstruct): + * runtime/ConstructData.h: + (JSC::construct): + (JSC::profiledConstruct): + (): Deleted. 
+ * runtime/DatePrototype.cpp: + (JSC::dateProtoFuncToJSON): + * runtime/GetterSetter.cpp: + (JSC::callGetter): + (JSC::callSetter): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::getCallData): + (JSC::InternalFunction::getConstructData): + * runtime/InternalFunction.h: + * runtime/IteratorOperations.cpp: + (JSC::iteratorNext): + (JSC::iteratorClose): + (JSC::hasIteratorMethod): + (JSC::iteratorMethod): + (JSC::iteratorForIterable): + * runtime/JSBoundFunction.cpp: + (JSC::boundThisNoArgsFunctionCall): + (JSC::boundFunctionCall): + (JSC::boundThisNoArgsFunctionConstruct): + (JSC::boundFunctionConstruct): + * runtime/JSCJSValue.h: + * runtime/JSCell.cpp: + (JSC::JSCell::getCallData): + (JSC::JSCell::getConstructData): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isFunction): + (JSC::JSCell::isConstructor): + * runtime/JSFunction.cpp: + (JSC::JSFunction::getCallData): + (JSC::JSFunction::getConstructData): + * runtime/JSFunction.h: + * runtime/JSInternalPromise.cpp: + (JSC::JSInternalPromise::then): + * runtime/JSMicrotask.cpp: + (JSC::JSMicrotask::run): + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::dependencyKeysIfEvaluated): + (JSC::JSModuleLoader::provideFetch): + (JSC::JSModuleLoader::loadAndEvaluateModule): + (JSC::JSModuleLoader::loadModule): + (JSC::JSModuleLoader::linkAndEvaluateModule): + (JSC::JSModuleLoader::requestImportModule): + * runtime/JSONObject.cpp: + (JSC::Stringifier::isCallableReplacer const): + (JSC::Stringifier::Stringifier): + (JSC::Stringifier::toJSON): + (JSC::Stringifier::appendStringifiedValue): + (JSC::Walker::Walker): + (JSC::Walker::callReviver): + (JSC::JSONProtoFuncParse): + * runtime/JSObject.cpp: + (JSC::ordinarySetSlow): + (JSC::callToPrimitiveFunction): + (JSC::JSObject::hasInstance): + (JSC::JSObject::getMethod): + * runtime/JSObject.h: + * runtime/JSObjectInlines.h: + (JSC::getCallData): + (JSC::getConstructData): + * runtime/JSPromise.cpp: + (JSC::JSPromise::createDeferredData): + 
(JSC::JSPromise::resolvedPromise): + (JSC::callFunction): + * runtime/MapConstructor.cpp: + (JSC::constructMap): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncToLocaleString): + * runtime/ProxyObject.cpp: + (JSC::performProxyGet): + (JSC::ProxyObject::performInternalMethodGetOwnProperty): + (JSC::ProxyObject::performHasProperty): + (JSC::ProxyObject::performPut): + (JSC::performProxyCall): + (JSC::ProxyObject::getCallData): + (JSC::performProxyConstruct): + (JSC::ProxyObject::getConstructData): + (JSC::ProxyObject::performDelete): + (JSC::ProxyObject::performPreventExtensions): + (JSC::ProxyObject::performIsExtensible): + (JSC::ProxyObject::performDefineOwnProperty): + (JSC::ProxyObject::performGetOwnPropertyNames): + (JSC::ProxyObject::performSetPrototype): + (JSC::ProxyObject::performGetPrototype): + * runtime/ProxyObject.h: + * runtime/ReflectObject.cpp: + (JSC::reflectObjectConstruct): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::processUnverifiedStackTraces): + * runtime/SetConstructor.cpp: + (JSC::constructSet): + * runtime/StringPrototype.cpp: + (JSC::replaceUsingRegExpSearch): + (JSC::operationStringProtoFuncReplaceRegExpEmptyStr): + (JSC::operationStringProtoFuncReplaceRegExpString): + (JSC::replaceUsingStringSearch): * runtime/VM.cpp: - (JSC::VM::isInMiniMode): Deleted. - * runtime/VM.h: - (JSC::VM::isInMiniMode): - (JSC::VM::useUnlinkedCodeBlockJettisoning): + (JSC::VM::callPromiseRejectionCallback): + * runtime/WeakMapConstructor.cpp: + (JSC::constructWeakMap): + * runtime/WeakSetConstructor.cpp: + (JSC::constructWeakSet): + * tools/JSDollarVM.cpp: + (JSC::callWithStackSizeProbeFunction): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/js/WebAssemblyWrapperFunction.cpp: + (JSC::callWebAssemblyWrapperFunction): -2019-06-10 Timothy Hatcher +2020-04-26 Ross Kirsling - Integrate dark mode support for iOS. 
- https://bugs.webkit.org/show_bug.cgi?id=198687 - rdar://problem/51545643 + [JSC] Clearly distinguish isConstructor from getConstructData + https://bugs.webkit.org/show_bug.cgi?id=211053 + + Reviewed by Sam Weinig. + + Follow-up to r260722. Remove the isConstructor overload that duplicates getConstructData + and clearly distinguish the usage of these two functions. + + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isConstructor): + Remove isConstructor overload. + + * runtime/JSBoundFunction.cpp: + (JSC::JSBoundFunction::create): + Don't use getConstructData if you don't need ConstructData. + + * runtime/ReflectObject.cpp: + (JSC::reflectObjectConstruct): + Use getConstructData if you need ConstructData. + + * API/JSObjectRef.cpp: + (JSObjectIsFunction): + Use isFunction (leftover spot from last patch). + +2020-04-26 Alexey Shvayka + + Symbol should have [[Construct]] internal method + https://bugs.webkit.org/show_bug.cgi?id=211050 + + Reviewed by Yusuke Suzuki. + + This change introduces constructSymbol() method, which unconditionally throws + a TypeError, since its presence is observable when, for example, Symbol is a + [[ProxyTarget]] itself [1]. Aligns JSC with the spec [2], V8, and SpiderMonkey. + + [1]: https://tc39.es/ecma262/#sec-proxycreate (step 7.b) + [2]: https://tc39.es/ecma262/#constructor + + * runtime/SymbolConstructor.cpp: + (JSC::SymbolConstructor::SymbolConstructor): + (JSC::constructSymbol): + +2020-04-26 Alexey Shvayka + + InternalFunction::createSubclassStructure should use newTarget's globalObject + https://bugs.webkit.org/show_bug.cgi?id=202599 + + Reviewed by Yusuke Suzuki. + + If "prototype" of NewTarget is not an object, built-in constructors [1] should acquire + default [[Prototype]] from realm of NewTarget, utilizing GetFunctionRealm helper [2]. + Before this change, realm of active constructor was used instead. 
This patch introduces + GetFunctionRealm and aligns all subclassable constructors with the spec, V8, and SpiderMonkey. + + This change inlines fast paths checks of InternalFunction::createSubclassStructure() and + simplifies its signature; getFunctionRealm() is invoked in slow paths only. + + While a dynamically created function uses NewTarget's realm for its default [[Prototype]] + similar to other built-ins, its "prototype" object inherit from ObjectPrototype + of active constructor's realm [3] (just like their scope), making it retain references + to 2 different global objects. To accomodate this behavior, this change introduces + `scopeGlobalObject` in JSFunction.cpp methods. + + Above-mentioned behavior also simplifies creation of JSGenerator and JSAsyncGenerator + instances since NewTarget's realm is irrelevant to them. + + IntlCollatorConstructor::collatorStructure() and 6 similar methods are removed: + a) to impose good practice of using newTarget's globalObject; + b) with this change, each of them have 1 call site max; + c) other JSC constructors have no methods alike. 
+ + [1]: https://tc39.es/ecma262/#sec-map-constructor (step 2) + [2]: https://tc39.es/ecma262/#sec-getfunctionrealm + [3]: https://tc39.es/ecma262/#sec-createdynamicfunction (steps 23-25) + + * dfg/DFGOperations.cpp: + * runtime/AggregateErrorConstructor.cpp: + (JSC::callAggregateErrorConstructor): + (JSC::constructAggregateErrorConstructor): + * runtime/AggregateErrorConstructor.h: + * runtime/AsyncFunctionConstructor.cpp: + (JSC::constructAsyncFunctionConstructor): + * runtime/AsyncGeneratorFunctionConstructor.cpp: + (JSC::constructAsyncGeneratorFunctionConstructor): + * runtime/BooleanConstructor.cpp: + (JSC::constructWithBooleanConstructor): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + (JSC::createInternalFieldObject): + * runtime/DateConstructor.cpp: + (JSC::constructDate): + * runtime/ErrorConstructor.cpp: + (JSC::constructErrorConstructor): + * runtime/FunctionConstructor.cpp: + (JSC::constructFunctionSkippingEvalEnabledCheck): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::createSubclassStructure): + (JSC::getFunctionRealm): + (JSC::InternalFunction::createSubclassStructureSlow): Deleted. + * runtime/InternalFunction.h: + (JSC::InternalFunction::createSubclassStructure): Deleted. 
+ * runtime/IntlCollatorConstructor.cpp: + (JSC::constructIntlCollator): + (JSC::callIntlCollator): + * runtime/IntlCollatorConstructor.h: + * runtime/IntlDateTimeFormatConstructor.cpp: + (JSC::constructIntlDateTimeFormat): + (JSC::callIntlDateTimeFormat): + * runtime/IntlDateTimeFormatConstructor.h: + * runtime/IntlNumberFormatConstructor.cpp: + (JSC::constructIntlNumberFormat): + (JSC::callIntlNumberFormat): + * runtime/IntlNumberFormatConstructor.h: + * runtime/IntlPluralRulesConstructor.cpp: + (JSC::constructIntlPluralRules): + * runtime/IntlPluralRulesConstructor.h: + * runtime/IntlRelativeTimeFormatConstructor.cpp: + (JSC::constructIntlRelativeTimeFormat): + * runtime/IntlRelativeTimeFormatConstructor.h: + * runtime/JSArrayBufferConstructor.cpp: + (JSC::JSGenericArrayBufferConstructor::constructArrayBuffer): + * runtime/JSFunction.cpp: + (JSC::JSFunction::prototypeForConstruction): + (JSC::JSFunction::getOwnPropertySlot): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructGenericTypedArrayView): + * runtime/JSGlobalObjectInlines.h: + (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const): + * runtime/MapConstructor.cpp: + (JSC::constructMap): + * runtime/NativeErrorConstructor.cpp: + (JSC::NativeErrorConstructor::constructNativeErrorConstructor): + (JSC::NativeErrorConstructor::callNativeErrorConstructor): + * runtime/NativeErrorConstructor.h: + * runtime/NumberConstructor.cpp: + (JSC::constructNumberConstructor): + * runtime/ObjectConstructor.cpp: + (JSC::constructObjectWithNewTarget): + * runtime/RegExpConstructor.cpp: + (JSC::getRegExpStructure): + (JSC::constructRegExp): + (JSC::esSpecRegExpCreate): + * runtime/RegExpConstructor.h: + * runtime/SetConstructor.cpp: + (JSC::constructSet): + * runtime/StringConstructor.cpp: + (JSC::constructWithStringConstructor): + * runtime/WeakMapConstructor.cpp: + (JSC::constructWeakMap): + * runtime/WeakObjectRefConstructor.cpp: + (JSC::constructWeakRef): + * 
runtime/WeakSetConstructor.cpp: + (JSC::constructWeakSet): + * wasm/js/WebAssemblyCompileErrorConstructor.cpp: + (JSC::constructJSWebAssemblyCompileError): + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + * wasm/js/WebAssemblyLinkErrorConstructor.cpp: + (JSC::constructJSWebAssemblyLinkError): + * wasm/js/WebAssemblyModuleConstructor.cpp: + (JSC::WebAssemblyModuleConstructor::createModule): + * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: + (JSC::constructJSWebAssemblyRuntimeError): + +2020-04-26 Yusuke Suzuki + + [JSC] ValueAdd, VaueSub, ValueMul, Inc, Dec should say SpecBigInt32 prediction based on ArithProfile + https://bugs.webkit.org/show_bug.cgi?id=211038 + + Reviewed by Filip Pizlo. + + This patch adds profile feedback to ValueAdd, ValueSub, ValueMul, Inc, Dec to say SpecBigInt32 prediction. + + Our HeapBigInt v.s. BigInt32 strategy is simpler than Double v.s. Int32 strategy: we always + prefer BigInt32 over HeapBigInt. This is because HeapBigInt calculation and conversion require + much higher cost than BigInt32. This tradeoff is largely different from Double v.s. Int32. + So keeping HeapBigInt is simply inefficient when we can use BigInt32. + + This means that ArithProfile's feedback is also very simple. If we see HeapBigInt, this means + overflow happens. In DFG, we propagate this information to ValueAdd, ValueSub, and ValueMul nodes + and record it in DFGNodeFlags. And based on this information, we change the prediction and + speculation in prediction propagation and fixup phase. + + We change exit reason from Overflow to BigInt32Overflow since Overflow is solely used for Int32 case, + and we have Int52Overflow for Int52 case. We should have BigInt32Overflow for BigInt32 to precisely + record and tell about what happens in DFG as a feedback for the next compilation. + + We add BigInt32 speculation for ValueSub. 
Previously, we missed that in fixup phase and we always + speculate ValueSub with AnyBigIntUse or HeapBigIntUse. Now it can use BigInt32Use. + + We also fix Inc / Dec's fixup phase to use BigInt path. Previously, it was always using UntypedUse since + `node->child1()->shouldSpeculateUntypedForArithmetic()` returns true for BigInt. We fix the ordering of + speculation attempts as it is done in the other places in fixup phase. + + This patch offers 7.9% performance improvement in sunspider-sha1-big-int. + + ToT Patched + + sunspider-sha1-big-int 134.5668+-2.8695 ^ 124.6743+-0.7541 ^ definitely 1.0793x faster + + * bytecode/ExitKind.cpp: + (JSC::exitKindToString): + * bytecode/ExitKind.h: + * bytecode/SpeculatedType.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::makeSafe): + (JSC::DFG::ByteCodeParser::makeDivSafe): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::binaryArithShouldSpeculateBigInt32): + (JSC::DFG::Graph::unaryArithShouldSpeculateBigInt32): + * dfg/DFGNode.h: + (JSC::DFG::Node::mayHaveBigInt32Result): + (JSC::DFG::Node::mayHaveHeapBigIntResult): + (JSC::DFG::Node::mayHaveBigIntResult): + (JSC::DFG::Node::canSpeculateBigInt32): + (JSC::DFG::Node::canSpeculateInt52): + * dfg/DFGNodeFlags.cpp: + (JSC::DFG::dumpNodeFlags): + * dfg/DFGNodeFlags.h: + (JSC::DFG::nodeMayHaveHeapBigInt): + (JSC::DFG::nodeCanSpeculateBigInt32): + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueAdd): + (JSC::DFG::SpeculativeJIT::compileValueSub): + (JSC::DFG::SpeculativeJIT::compileValueMul): + (JSC::DFG::SpeculativeJIT::compileValueDiv): + (JSC::DFG::SpeculativeJIT::speculateHeapBigInt): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): + (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): + 
(JSC::FTL::DFG::LowerDFGToB3::compileValueMul): + (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): + +2020-04-25 Ross Kirsling + + [JSC] isCallable is redundant with isFunction + https://bugs.webkit.org/show_bug.cgi?id=211037 + + Reviewed by Yusuke Suzuki. + + isCallable is only being used in two places and has the same definition as isFunction (aside from out params). + Where CallData is needed, getCallData should be used; where CallData is not needed, isFunction should be used. + + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isCallable const): Deleted. + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isCallable): Deleted. + Remove isCallable. + + * runtime/JSONObject.cpp: + (JSC::Stringifier::Stringifier): + (JSC::Stringifier::toJSON): + Use getCallData if you need CallData. + + * runtime/ExceptionHelpers.cpp: + (JSC::errorDescriptionForValue): + * runtime/ObjectConstructor.cpp: + (JSC::toPropertyDescriptor): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + Don't use getCallData if you don't need CallData. + +2020-04-25 Yusuke Suzuki + + [JSC] Handle BigInt32 INT32_MIN shift amount + https://bugs.webkit.org/show_bug.cgi?id=211030 + + Reviewed by Darin Adler. + + Our BigInt shift-operation does not correctly handle INT32_MIN shift amount, and producing a wrong result. + This patch fixes it. + + * runtime/Operations.h: + (JSC::shift): + +2020-04-25 Darin Adler + + [Cocoa] Deal with another round of Xcode upgrade checks + https://bugs.webkit.org/show_bug.cgi?id=211027 + + Reviewed by Alexey Proskuryakov. + + * JavaScriptCore.xcodeproj/project.pbxproj: Bump the upgrade check version. + Add a harmless base localization; this project contains nothing localized. + +2020-04-25 Yusuke Suzuki + + [JSC] Add fast path for BigInt32 left-shift + https://bugs.webkit.org/show_bug.cgi?id=211029 + + Reviewed by Saam Barati. 
+ + Currently, the left-shift operation misses the fast path for BigInt32 <> BigInt32 case. This patch adds it. We also fixes + prediction-propagation for left/right shift to use existing heap prediction instead of polluting the result with SpecBigInt. + This offer 4.5% improvement in microbenchmarks/sunspider-sha1-big-int.js. + + * dfg/DFGPredictionPropagationPhase.cpp: + * runtime/Operations.h: + (JSC::shift): + +2020-04-25 Ross Kirsling + + Unreviewed fix for JSC Debug tests following r210853. + + * runtime/IntlObject.cpp: + (JSC::canonicalizeLanguageTag): + (JSC::canonicalizeLocaleList): + (JSC::defaultLocale): + Deal with unchecked exception by moving tryGetUtf8 call out of canonicalizeLanguageTag; it's meant to + verify the user input from canonicalizeLocaleList and needn't change the noexcept-ness of defaultLocale. + +2020-04-25 Alex Christensen + + Prepare to remove automatic URL->String conversion operators + https://bugs.webkit.org/show_bug.cgi?id=211007 + + Reviewed by Darin Adler. + + * API/JSAPIGlobalObject.mm: + (JSC::JSAPIGlobalObject::moduleLoaderResolve): + (JSC::JSAPIGlobalObject::moduleLoaderImportModule): + * API/JSScript.mm: + (validateBytecodeCachePath): + (+[JSScript scriptOfType:memoryMappedFromASCIIFile:withSourceURL:andBytecodeCache:inVirtualMachine:error:]): + * inspector/ScriptDebugServer.cpp: + (Inspector::ScriptDebugServer::sourceParsed): + * parser/Nodes.h: + (JSC::ScopeNode::sourceURL const): + * runtime/CachedTypes.cpp: + (JSC::CachedSourceProviderShape::encode): + * runtime/Error.cpp: + (JSC::addErrorInfo): + * runtime/ScriptExecutable.h: + (JSC::ScriptExecutable::sourceURL const): + +2020-04-25 Ross Kirsling + + [Intl] Locale validation/canonicalization should defer to ICU + https://bugs.webkit.org/show_bug.cgi?id=210853 + + Reviewed by Darin Adler. + + The mappings for locale canonicalization in latest CLDR are sufficiently complex + that it really no longer makes sense not to have ICU do this work for us. 
+ + This means the UTS 35 canonicalization desired by ECMA-402 will not be fully achievable until ICU ~67, + but it's better than reaching right into CLDR and pretending that we *are* ICU. + (On this point, we thus align with V8 and diverge from SM.) + + Of course, we can still add our own pre-validations / post-canonicalizations if desired. + + * CMakeLists.txt: + * DerivedSources-input.xcfilelist: + * DerivedSources-output.xcfilelist: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Scripts/generateIntlCanonicalizeLanguage.py: Removed. + * runtime/IntlObject.cpp: + (JSC::intlAvailableLocales): + (JSC::intlCollatorAvailableLocales): + (JSC::canonicalizeLanguageTag): + (JSC::canonicalizeLocaleList): + (JSC::defaultLocale): + (JSC::removeUnicodeLocaleExtension): + (JSC::addMissingScriptLocales): Deleted. This one was ostensibly a fix for an old ICU bug. + (JSC::privateUseLangTag): Deleted. + (JSC::preferredLanguage): Deleted. + (JSC::preferredRegion): Deleted. + (JSC::canonicalLangTag): Deleted. + * ucd/language-subtag-registry.txt: Removed. + +2020-04-24 Yusuke Suzuki + + Fix internal build by using strcmp instead of using string literal comparison + https://bugs.webkit.org/show_bug.cgi?id=211011 + + Reviewed by Keith Miller. + + Use strcmp for string literal comparison to expect that this is fully handled by compiler and converted into constant at compile time. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + +2020-04-24 Mark Lam + + Suppress ASan on DFG::clobberize() to work around an ASan bug. + https://bugs.webkit.org/show_bug.cgi?id=211012 + + + Reviewed by Yusuke Suzuki. + + ASan was incorrectly thinking that we're accessing invalid stack memory when we're not. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2020-04-24 Alexey Shvayka + + Fix WASM Error classes and re-sync wpt/wasm/jsapi from upstream + https://bugs.webkit.org/show_bug.cgi?id=210980 + + Reviewed by Keith Miller. 
+ + assert_throws_js() harness, which is extensively used by wpt/wasm/jsapi tests, + was recently updated to assert that passed constructors subclass Error in + spec-perfect way. + + With this patch, WebAssembly errors have Error as [[Prototype]] of their constructors + and define correct "name" and "message" properties on their prototypes, aligning JSC + with the spec [1], V8 and SpiderMonkey. + + [1]: https://webassembly.github.io/spec/js-api/#error-objects + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * wasm/js/WebAssemblyCompileErrorPrototype.cpp: + (JSC::WebAssemblyCompileErrorPrototype::finishCreation): + * wasm/js/WebAssemblyLinkErrorPrototype.cpp: + (JSC::WebAssemblyLinkErrorPrototype::finishCreation): + * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: + (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation): + +2020-04-24 Saam Barati + + Return BigInt32 whenever we can + https://bugs.webkit.org/show_bug.cgi?id=210922 + + Reviewed by Yusuke Suzuki. + + This patch makes it so our runtime functions for big int math on heap + big ints converts the result to a big int 32 when possible. + + The inspiration for this patch came from converting SunSpider's sha1 benchmark to + using big ints. I found that that original implementation of big int 32 + was a ~35% slowdown here. This patch speeds it up by 86% from ToT, and + 36% faster than before big int 32 was introduced. + + To make this sound in the DFG/FTL, we are currently reporting that all + HeapBigInt math ops return SpecBigInt, instead of SpecHeapBigInt. + However, we want to do better in a follow up. 
We need some kind of profiling + system where we determine if we should speculate if the result is big int + 32, a heap big int, or both: + https://bugs.webkit.org/show_bug.cgi?id=210982 + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueBitNot): + (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp): + (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): + (JSC::DFG::SpeculativeJIT::compileValueBitRShift): + (JSC::DFG::SpeculativeJIT::compileValueAdd): + (JSC::DFG::SpeculativeJIT::compileValueSub): + (JSC::DFG::SpeculativeJIT::compileValueMul): + (JSC::DFG::SpeculativeJIT::compileValueDiv): + (JSC::DFG::SpeculativeJIT::compileValueMod): + (JSC::DFG::SpeculativeJIT::compileValuePow): + * jit/JITOperations.cpp: + * jsc.cpp: + (functionCreateBigInt32): + * runtime/BigIntConstructor.cpp: + (JSC::toBigInt): + (JSC::callBigIntConstructor): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::exponentiateHeap): + (JSC::JSBigInt::multiplyHeap): + (JSC::JSBigInt::divideHeap): + (JSC::JSBigInt::unaryMinusHeap): + (JSC::JSBigInt::remainderHeap): + (JSC::JSBigInt::incHeap): + (JSC::JSBigInt::decHeap): + (JSC::JSBigInt::addHeap): + (JSC::JSBigInt::subHeap): + (JSC::JSBigInt::bitwiseAndHeap): + (JSC::JSBigInt::bitwiseOrHeap): + (JSC::JSBigInt::bitwiseXorHeap): + (JSC::JSBigInt::leftShiftHeap): + (JSC::JSBigInt::signedRightShiftHeap): + (JSC::JSBigInt::bitwiseNotHeap): + (JSC::JSBigInt::absoluteAdd): + (JSC::JSBigInt::absoluteSub): + (JSC::JSBigInt::parseInt): + (JSC::JSBigInt::exponentiate): Deleted. + (JSC::JSBigInt::multiply): Deleted. + (JSC::JSBigInt::divide): Deleted. + (JSC::JSBigInt::unaryMinus): Deleted. + (JSC::JSBigInt::remainder): Deleted. + (JSC::JSBigInt::inc): Deleted. 
+ (JSC::JSBigInt::dec): Deleted. + (JSC::JSBigInt::add): Deleted. + (JSC::JSBigInt::sub): Deleted. + (JSC::JSBigInt::bitwiseAnd): Deleted. + (JSC::JSBigInt::bitwiseOr): Deleted. + (JSC::JSBigInt::bitwiseXor): Deleted. + (JSC::JSBigInt::leftShift): Deleted. + (JSC::JSBigInt::signedRightShift): Deleted. + (JSC::JSBigInt::bitwiseNot): Deleted. + * runtime/JSBigInt.h: + * runtime/JSCJSValue.h: + (JSC::jsBigInt32): + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::JSValue): + * runtime/Operations.cpp: + (JSC::jsAddSlowCase): + * runtime/Operations.h: + (JSC::jsSub): + (JSC::jsMul): + (JSC::jsDiv): + (JSC::jsInc): + (JSC::jsDec): + (JSC::jsBitwiseNot): + (JSC::shift): + (JSC::bitwiseBinaryOp): + +2020-04-24 Michael Catanzaro + + [GTK][WPE][JSCOnly] compile error when -DWTF_CPU_ARM64_CORTEXA53=ON set for arm64 + https://bugs.webkit.org/show_bug.cgi?id=197192 + + Reviewed by Yusuke Suzuki. + + This workaround is supposed to fix WebKit on old Cortex A53 CPUs, but it has been broken + since 2018, and people would like to use WebKit on modern Cortex A53. If anyone using WebKit + on the original hardware wants to fix and reimplement the workaround, feel free. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::adrp): + (JSC::ARM64Assembler::madd): + (JSC::ARM64Assembler::msub): + (JSC::ARM64Assembler::smaddl): + (JSC::ARM64Assembler::smsubl): + (JSC::ARM64Assembler::umaddl): + (JSC::ARM64Assembler::umsubl): + (JSC::ARM64Assembler::nopCortexA53Fix835769): Deleted. + (JSC::ARM64Assembler::nopCortexA53Fix843419): Deleted. + * offlineasm/arm64.rb: + * offlineasm/instructions.rb: + +2020-04-24 Yusuke Suzuki + + [JSC] Fix DataFormatJSBigInt32 missing part + https://bugs.webkit.org/show_bug.cgi?id=210986 + + Reviewed by Mark Lam. + + Add missing part of DataFormatJSBigInt32 implementation. 
+ + * bytecode/DataFormat.h: + (JSC::dataFormatToString): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): + +2020-04-24 Yusuke Suzuki + + Unreviewed, build fix in Windows + https://bugs.webkit.org/show_bug.cgi?id=210892 + + Windows MSVC does not have proper understanding of IGNORE_RETURN_TYPE_WARNINGS_BEGIN. + + * runtime/JSBigInt.h: + (JSC::invertBigIntCompareResult): + +2020-04-24 Yusuke Suzuki + + [JSC] DFG compare should speculate BigInt well + https://bugs.webkit.org/show_bug.cgi?id=210892 + + Reviewed by Saam Barati. + + Compare operations in DFG does not support BigInt related speculations. As a result, DFG fixup phase emits DoubleRep for operands, and + causes OSR exit. This patch adds BigInt32, HeapBigInt, and AnyBigIntUse support to DFG compare operations to avoid OSR exits. + We also introduce JSBigInt::compareToInt32 to avoid allocating JSBigInt only for comparison, and optimize C++ runtime for JSBigInt comparison. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueAdd): + (JSC::DFG::SpeculativeJIT::compileValueSub): + (JSC::DFG::SpeculativeJIT::compileValueMul): + (JSC::DFG::SpeculativeJIT::compare): + (JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeCompare): + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileBigInt32Compare): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq): + (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + (JSC::FTL::DFG::LowerDFGToB3::compare): + (JSC::FTL::DFG::LowerDFGToB3::genericJSValueCompare): + (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare): Deleted. 
+ * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::unboxBigInt32): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::compareToInt32): + * runtime/JSBigInt.h: + (JSC::swapBigIntCompareResult): + * runtime/Operations.h: + (JSC::compareBigInt): + (JSC::compareBigInt32ToOtherPrimitive): + (JSC::bigIntCompare): + +2020-04-24 Alexey Shvayka + + Proxy.revocable should not have [[Construct]] slot + https://bugs.webkit.org/show_bug.cgi?id=210959 + + Reviewed by Darin Adler. + + This change removes proxyRevocableConstructorThrowError() since its presence is + observable when, for example, Proxy.revocable is a [[ProxyTarget]] itself [1]. + Also removes unnecessary newTarget() check in constructProxyObject() and + 2 extra ArgList instances. + + This patch aligns JSC with the spec [2], V8 and SpiderMonkey. + + [1]: https://tc39.es/ecma262/#sec-proxycreate (step 7.b) + [2]: https://tc39.es/ecma262/#sec-ecmascript-standard-built-in-objects + + * runtime/ProxyConstructor.cpp: + (JSC::makeRevocableProxy): + (JSC::ProxyConstructor::finishCreation): + (JSC::constructProxyObject): + (JSC::proxyRevocableConstructorThrowError): Deleted. + +2020-04-24 Yusuke Suzuki + + [JSC] DFG AI for some bitops + BigInt32 should be precise + https://bugs.webkit.org/show_bug.cgi?id=210956 + + Reviewed by Keith Miller. + + Use SpecBigInt32 for ValueBitXor, ValueBitAnd, and ValueBitOr since they are always producing BigInt32 and they have inlined implementations in DFG / FTL. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2020-04-23 Alexey Shvayka + + Remove revoked Proxy checks from ProxyCreate + https://bugs.webkit.org/show_bug.cgi?id=210862 + + Reviewed by Ross Kirsling. + + This change removes revoked Proxy checks from ProxyCreate [1], implementing + https://github.com/tc39/ecma262/pull/1814 and aligning JSC with SpiderMonkey. + Also cleans up ProxyObject creation by using isFunction() instead of + isCallable(), which are identical. 
+ + [1]: https://tc39.es/ecma262/#sec-proxycreate (steps 2, 4) + + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::structureForTarget): + (JSC::ProxyObject::finishCreation): + +2020-04-22 Keith Miller + + Fix OSR exiting/iterator object checks in for-of bytecodes + https://bugs.webkit.org/show_bug.cgi?id=210882 + + Reviewed by Saam Barati. + + This patch fixes some bugs in the DFGBytecodeParser where we would + set the exit origin for the SetLocal following the iterator_open/next + first call to the next bytecode. This meant that if out-of-line + Symbol.iterator or next functions returned an unexpected non-cell + we would OSR past the rest of the next bytecode rather than to the + first checkpoint. + + This patch also makes sure we properly throw for non-objects returned + from either of the above functions in all tiers (and adds tests). + + Finally, this patch makes a small optimization where we just ArithBitOr the + iterator's closed state (index == -1) and index is out of bounds. We can't + do a CompareBelow check because the index is effectively an int33_t. 
+ + * bytecode/BytecodeIndex.h: + (JSC::BytecodeIndex::withCheckpoint const): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::nextOpcodeIndex const): + (JSC::DFG::ByteCodeParser::nextCheckpoint const): + (JSC::DFG::ByteCodeParser::progressToNextCheckpoint): + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::handleCallVariant): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parseGetById): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::handlePutByVal): + * jit/JITCall.cpp: + (JSC::JIT::emitSlow_op_iterator_open): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::handleIteratorNextCheckpoint): + +2020-04-22 Darin Adler + + [Cocoa] Build with UChar as char16_t even in builds that use Apple's internal SDK + https://bugs.webkit.org/show_bug.cgi?id=210845 + + Reviewed by Anders Carlsson. + + * Configurations/Base.xcconfig: Move ICU-configuring macros to Platform.h. + +2020-04-22 Yusuke Suzuki + + [JSC] branchIfBigInt32 can use BigInt32Mask and remove branchIfNumber filter + https://bugs.webkit.org/show_bug.cgi?id=210870 + + Reviewed by Saam Barati. + + By using BigInt32Mask, we can detect BigInt32 without filtering Numbers. In this patch, + + 1. Remove branchIfBigInt32KnownNotNumber and branchIfNotBigInt32KnownNotNumber. And always use branchBigInt32 and branchNotBigInt32 instead. + 2. Remove branchIfNumber type filtering in DFG. + 3. Use BigInt32Mask based scheme in FTL. + 4. Add and64(TrustedImm64, RegisterID) implementations in MacroAssembler. + 5. Add TagRegistersMode version in branchIfBigInt. We use numberTagRegister to produce really efficient code[1] by avoiding large constant materialization. 
+ + [1]: From + mov %rax, %rdx + mov $0xfffe000000000012, %r11 + and %r11, %rdx + cmp $0x12, %rdx + To + lea 0x12(%r14), %rdx + and %rax, %rdx + cmp $0x12, %rdx + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::and64): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::and64): + * bytecode/ArithProfile.cpp: + (JSC::ArithProfile::emitObserveResult): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric): + (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt): + (JSC::FTL::DFG::LowerDFGToB3::boolify): + (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): + (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): + (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt): + (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber): Deleted. + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitConvertValueToBoolean): + (JSC::AssemblyHelpers::branchIfValue): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfBigInt32): + (JSC::AssemblyHelpers::branchIfNotBigInt32): + (JSC::AssemblyHelpers::emitTypeOf): + (JSC::AssemblyHelpers::branchIfBigInt32KnownNotNumber): Deleted. + (JSC::AssemblyHelpers::branchIfNotBigInt32KnownNotNumber): Deleted. + +2020-04-22 Saam Barati + + BigInt32 parsing should be precise + https://bugs.webkit.org/show_bug.cgi?id=210869 + + Reviewed by Robin Morisset. + + Our algorithm before was conservative, and might produce a heap big int even + if the value could be an int32. 
This patch makes the algorithm precise on + 64-bit, always producing a bigint32 if the number is indeed an int32. + + * jsc.cpp: + (functionUseBigInt32): + (functionIsBigInt32): + (functionIsHeapBigInt): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::parseInt): + +2020-04-22 Saam Barati + + Edge use kind asserts are wrong for BigInt32 on ValueBitLShift + https://bugs.webkit.org/show_bug.cgi?id=210872 + + Reviewed by Yusuke Suzuki, Mark Lam, and Robin Morisset. + + This is already covered by the v8 tests Yusuke checked in. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): + (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): + +2020-04-22 Yusuke Suzuki + + [JSC] JSBigInt inc operation does not produce right HeapBigInt zero + https://bugs.webkit.org/show_bug.cgi?id=210860 + + Reviewed by Mark Lam. + + JSBigInt::inc can produce signed HeapBigInt zero, which is not meeting the invariant of JSBigInt. + This patch fixes it by checking zero status before setting `setSign(true)`. + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::inc): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpInContextAssumingStructure const): + +2020-04-22 Devin Rousso + + Web Inspector: Debugger: Step Over should only step through comma expressions if they are comma statements + https://bugs.webkit.org/show_bug.cgi?id=210588 + + Reviewed by Brian Burg. + + * parser/Nodes.h: + (JSC::ExpressionNode::isStatement const): Added. + (JSC::ExpressionNode::setIsStatement): Added. + * parser/NodeConstructors.h: + (JSC::ExprStatementNode::ExprStatementNode): + (JSC::DeclarationStatement::DeclarationStatement): + (JSC::ReturnNode::ReturnNode): + (JSC::ThrowNode::ThrowNode): + * bytecompiler/NodesCodegen.cpp: + (JSC::CommaNode::emitBytecode): + Only emit `WillExecuteStatement` debug hooks inside `CommaNode` if it's the only child of a + statement parent node (e.g. 
`a(), b(), c()` vs `true && (a(), b(), c()) && true`). + + * parser/Parser.h: + * parser/Parser.cpp: + (JSC::Parser::parseReturnStatement): + (JSC::Parser::parseThrowStatement): + (JSC::Parser::parseExpressionOrLabelStatement): + (JSC::Parser::parseExpressionStatement): + (JSC::Parser::parseExpression): + Only record a pause location for each sub-expression in a comma separated expression if it's + the only child of a statement (e.g. `a(), b(), c()` vs `true && (a(), b(), c()) && true`). + +2020-04-22 Saam Barati + + ValueBitNot is wrong in FTL with AnyBigIntUse + https://bugs.webkit.org/show_bug.cgi?id=210846 + + Reviewed by Yusuke Suzuki. + + We forgot to speculate. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): + +2020-04-22 Yusuke Suzuki + + [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results + https://bugs.webkit.org/show_bug.cgi?id=210839 + + Reviewed by Saam Barati. + + While runtime function of bitwise ops with BigInt32 sometimes returns HeapBigInt, DFG AI is setting SpecBigInt32 + as a result value. This leads to miscompilation particularly in FTL since FTL uses this information to remove + a lot of branches. + + And we found that FTL BigInt32 predicate is not correctly checking state. This patch fixes it too. + + Added test case found this (v8-bigint32-sar.js). 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): + (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric): + (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt): + (JSC::FTL::DFG::LowerDFGToB3::boolify): + (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): + (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell): + (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber): + (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber): + (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber): + (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell): + (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt): + (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): Deleted. + +2020-04-21 Yusuke Suzuki + + Unreviewed, build fix for watchOS + https://bugs.webkit.org/show_bug.cgi?id=210832 + + If function is not defined, static declaration should not be declared, otherwise, unused-function-error happens. + + * jsc.cpp: + +2020-04-21 Yusuke Suzuki + + Unreviewd, speculative Windows build fix part 2 + https://bugs.webkit.org/show_bug.cgi?id=210834 + + * runtime/Options.cpp: + (JSC::strncasecmp): + +2020-04-21 Yusuke Suzuki + + Unreviewed, fix windows build failure + https://bugs.webkit.org/show_bug.cgi?id=210834 + + * runtime/Options.cpp: + (JSC::strncasecmp): + +2020-04-21 Yusuke Suzuki + + [JSC] SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq should expect AnyBigIntUse + https://bugs.webkit.org/show_bug.cgi?id=210832 + + Reviewed by Mark Lam. + + SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq will get AnyBigIntUse now. 
We should use ManualOperandSpeculation + and speculate function to perform speculation check. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): + * jsc.cpp: + (functionCreateHeapBigInt): + (functionCreateBigInt32): + * runtime/BigIntConstructor.cpp: + (JSC::toBigInt): + (JSC::callBigIntConstructor): + * runtime/BigIntConstructor.h: + * runtime/JSBigInt.h: + +2020-04-21 Yusuke Suzuki + + Canonicalize JSBigInt generated by structured-cloning by calling rightTrim + https://bugs.webkit.org/show_bug.cgi?id=210816 + + Reviewed by Keith Miller and Darin Adler. + + * runtime/JSBigInt.h: + +2020-04-21 Peng Liu + + Fix MACCATALYST build failures + https://bugs.webkit.org/show_bug.cgi?id=210815 Reviewed by Tim Horton. * Configurations/FeatureDefines.xcconfig: -2019-06-10 Adrian Perez de Castro +2020-04-21 Keith Miller - [JSC] Linker fails when unified sources are not in use - https://bugs.webkit.org/show_bug.cgi?id=198722 + JSC's options should be case insensitive + https://bugs.webkit.org/show_bug.cgi?id=210834 + + Reviewed by Yusuke Suzuki. + + * runtime/Options.cpp: + (JSC::Options::setOptionWithoutAlias): + (JSC::Options::setAliasedOption): + * runtime/OptionsList.h: + +2020-04-21 Alexey Shvayka + + constructObjectFromPropertyDescriptor() is incorrect with partial descriptors + https://bugs.webkit.org/show_bug.cgi?id=184629 + + Reviewed by Ross Kirsling. + + Before this change, constructObjectFromPropertyDescriptor() serialized a value-only descriptor + with nullish m_seenAttributes to {value, writable: false, enumerable: false, configurable: false} + instead of just {value}. This was observable when ordinarySetSlow() was called on a Proxy + `receiver` with "defineProperty" trap. 
+ + This patch makes constructObjectFromPropertyDescriptor() 1:1 with the spec [2], aligning JSC + with V8 and SpiderMonkey, and also cleans up its call sites from handling exceptions and + `undefined` value returns. + + [1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 3.d.iv) + [2]: https://tc39.es/ecma262/#sec-frompropertydescriptor + + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorGetOwnPropertyDescriptor): + (JSC::objectConstructorGetOwnPropertyDescriptors): + * runtime/ObjectConstructor.h: + (JSC::constructObjectFromPropertyDescriptor): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performDefineOwnProperty): + +2020-04-20 Yusuke Suzuki + + Check Structure attributes in Object.assign exhaustively + https://bugs.webkit.org/show_bug.cgi?id=210782 + + + Reviewed by Mark Lam. + + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorAssign): + +2020-04-21 Adrian Perez de Castro + + Non-unified build fixes late February 2020 edition + https://bugs.webkit.org/show_bug.cgi?id=210767 + + Unreviewed build fix. + + * dfg/DFGValueRepReductionPhase.cpp: Add missing JSCJSValueInlines.h header. + * jit/JITCall.cpp: Add missing SlowPathCall.h header. + * runtime/AggregateError.cpp: Add missing JSCJSValueInlines.h, JSCellInlines.h, and + JSGlobalObjectInlines.h headers. + * runtime/AggregateErrorConstructor.cpp: Added missing JSCJSValueInlines.h, JSCellInlines.h, + and VMInlines.h headers. + * runtime/AggregateErrorPrototype.cpp: Added missing AggregateError.h, IdentifierInlines.h, + JSCJSValueInlines.h, JSCellInlines.h, JSGlobalObjectInlines.h, and VMInlines.h headers. + * runtime/Intrinsic.h: Added missing wtf/Optional.h header. + +2020-04-20 Ross Kirsling + + Classes marked final should not use protected access specifier + https://bugs.webkit.org/show_bug.cgi?id=210775 + + Reviewed by Daniel Bates. 
+ + * API/JSAPIValueWrapper.h: + * API/JSCallbackConstructor.h: + * API/JSCallbackObject.h: + * b3/B3ExtractValue.h: + * bytecode/UnlinkedFunctionExecutable.h: + * inspector/JSGlobalObjectConsoleClient.h: + * inspector/JSInjectedScriptHost.h: + * inspector/JSJavaScriptCallFrame.h: + * jsc.cpp: + * runtime/AggregateError.h: + * runtime/AggregateErrorPrototype.h: + * runtime/ArrayConstructor.h: + * runtime/ArrayPrototype.h: + * runtime/AsyncFunctionPrototype.h: + * runtime/AsyncGeneratorFunctionPrototype.h: + * runtime/AtomicsObject.h: + * runtime/BigIntConstructor.h: + * runtime/BigIntObject.h: + * runtime/BigIntPrototype.h: + * runtime/BooleanConstructor.h: + * runtime/BooleanPrototype.h: + * runtime/ConsoleObject.h: + * runtime/DateConstructor.h: + * runtime/DatePrototype.h: + * runtime/ErrorConstructor.h: + * runtime/ErrorPrototype.h: + * runtime/FileBasedFuzzerAgent.h: + * runtime/FunctionPrototype.h: + * runtime/FunctionRareData.h: + * runtime/GeneratorFunctionPrototype.h: + * runtime/GenericTypedArrayView.h: + * runtime/InspectorInstrumentationObject.h: + * runtime/IntlCollator.h: + * runtime/IntlCollatorConstructor.h: + * runtime/IntlCollatorPrototype.h: + * runtime/IntlDateTimeFormat.h: + * runtime/IntlDateTimeFormatConstructor.h: + * runtime/IntlDateTimeFormatPrototype.h: + * runtime/IntlNumberFormat.h: + * runtime/IntlNumberFormatConstructor.h: + * runtime/IntlNumberFormatPrototype.h: + * runtime/IntlPluralRules.h: + * runtime/IntlPluralRulesConstructor.h: + * runtime/IntlPluralRulesPrototype.h: + * runtime/IntlRelativeTimeFormatConstructor.h: + * runtime/IntlRelativeTimeFormatPrototype.h: + * runtime/JSArrayBuffer.h: + * runtime/JSArrayBufferConstructor.h: + * runtime/JSArrayBufferPrototype.h: + * runtime/JSAsyncGenerator.h: + * runtime/JSBoundFunction.h: + * runtime/JSCustomGetterSetterFunction.h: + * runtime/JSDataView.h: + * runtime/JSDataViewPrototype.h: + * runtime/JSGenerator.h: + * runtime/JSGenericTypedArrayView.h: + * 
runtime/JSGenericTypedArrayViewConstructor.h: + * runtime/JSGenericTypedArrayViewPrototype.h: + * runtime/JSGlobalLexicalEnvironment.h: + * runtime/JSModuleLoader.h: + * runtime/JSModuleNamespaceObject.h: + * runtime/JSNativeStdFunction.h: + * runtime/JSONObject.h: + * runtime/JSObject.h: + * runtime/JSTemplateObjectDescriptor.h: + * runtime/JSTypedArrayViewConstructor.h: + * runtime/JSTypedArrayViewPrototype.h: + * runtime/MathObject.h: + * runtime/NativeExecutable.h: + * runtime/NumberConstructor.h: + * runtime/NumberPrototype.h: + * runtime/ObjectConstructor.h: + * runtime/ObjectPrototype.h: + * runtime/PredictionFileCreatingFuzzerAgent.h: + * runtime/ReflectObject.h: + * runtime/RegExp.h: + * runtime/RegExpConstructor.h: + * runtime/RegExpObject.h: + * runtime/RegExpPrototype.h: + * runtime/StringPrototype.h: + * runtime/Structure.h: + * runtime/Symbol.h: + * runtime/SymbolConstructor.h: + * runtime/SymbolObject.h: + * runtime/SymbolPrototype.h: + * runtime/VMTraps.cpp: + * testRegExp.cpp: + * wasm/WasmBBQPlan.h: + * wasm/WasmLLIntPlan.h: + * wasm/WasmWorklist.cpp: + * wasm/js/JSWebAssembly.h: + * wasm/js/JSWebAssemblyCompileError.h: + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/JSWebAssemblyLinkError.h: + * wasm/js/JSWebAssemblyRuntimeError.h: + * wasm/js/WebAssemblyCompileErrorConstructor.h: + * wasm/js/WebAssemblyCompileErrorPrototype.h: + * wasm/js/WebAssemblyGlobalConstructor.h: + * wasm/js/WebAssemblyGlobalPrototype.h: + * wasm/js/WebAssemblyInstanceConstructor.h: + * wasm/js/WebAssemblyInstancePrototype.h: + * wasm/js/WebAssemblyLinkErrorConstructor.h: + * wasm/js/WebAssemblyLinkErrorPrototype.h: + * wasm/js/WebAssemblyMemoryConstructor.h: + * wasm/js/WebAssemblyMemoryPrototype.h: + * wasm/js/WebAssemblyModuleConstructor.h: + * wasm/js/WebAssemblyModulePrototype.h: + * wasm/js/WebAssemblyRuntimeErrorConstructor.h: + * wasm/js/WebAssemblyRuntimeErrorPrototype.h: + * wasm/js/WebAssemblyTableConstructor.h: + * wasm/js/WebAssemblyTablePrototype.h: + * 
wasm/js/WebAssemblyWrapperFunction.h: + +2020-04-20 Peng Liu + + Fix build failures when video fullscreen and picture-in-picture is disabled + https://bugs.webkit.org/show_bug.cgi?id=210777 + + Reviewed by Eric Carlson. + + * Configurations/FeatureDefines.xcconfig: + +2020-04-20 Ross Kirsling + + Intl classes shouldn't need an m_initialized* field + https://bugs.webkit.org/show_bug.cgi?id=210764 + + Reviewed by Darin Adler. + + Existing Intl classes each have a field like m_initializedNumberFormat, but this is unnecessary on two levels: + 1. The thing that gets initialized is a unique pointer to an ICU struct, so we can check it directly. + 2. Everywhere we're checking this is redundant since we've already done the same check on the prototype side, + therefore we can just ASSERT before using said ICU struct. + + While we're at it, clean up other stuff like: + - Move stuff that doesn't need to be part of the class to the CPP file (e.g. UFieldPositionIteratorDeleter). + - Merge createCollator into initializeCollator (seems like this is probably the oldest code in this space). + + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::initializeCollator): + (JSC::IntlCollator::compareStrings): + (JSC::IntlCollator::resolvedOptions): + (JSC::IntlCollator::createCollator): Deleted. + * runtime/IntlCollator.h: + * runtime/IntlDateTimeFormat.cpp: + (JSC::UFieldPositionIteratorDeleter::operator() const): + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + (JSC::IntlDateTimeFormat::resolvedOptions): + (JSC::IntlDateTimeFormat::format): + (JSC::partTypeString): + (JSC::IntlDateTimeFormat::formatToParts): + (JSC::IntlDateTimeFormat::UFieldPositionIteratorDeleter::operator() const): Deleted. + (JSC::IntlDateTimeFormat::partTypeString): Deleted. 
+ * runtime/IntlDateTimeFormat.h: + * runtime/IntlNumberFormat.cpp: + (JSC::UFieldPositionIteratorDeleter::operator() const): + (JSC::IntlNumberFormatField::IntlNumberFormatField): + (JSC::IntlNumberFormat::initializeNumberFormat): + (JSC::IntlNumberFormat::format): + (JSC::IntlNumberFormat::resolvedOptions): + (JSC::partTypeString): + (JSC::IntlNumberFormat::formatToParts): + (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const): Deleted. + (JSC::IntlNumberFormat::partTypeString): Deleted. + * runtime/IntlNumberFormat.h: + * runtime/IntlPluralRules.cpp: + (JSC::localeData): + (JSC::IntlPluralRules::initializePluralRules): + (JSC::IntlPluralRules::resolvedOptions): + (JSC::IntlPluralRules::select): + (JSC::IntlPRInternal::localeData): Deleted. + * runtime/IntlPluralRules.h: + +2020-04-20 Keith Miller + + FTL doesn't observe the use kind of CheckIsConstant's child1 + https://bugs.webkit.org/show_bug.cgi?id=210763 + + Reviewed by Yusuke Suzuki. + + Somehow, this didn't get added when I changed CheckIsConstant and didn't show up + when I tested r260377 because I tested in release. Fortunately, the produced + DFG IR will be the same. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant): + +2020-04-20 Yusuke Suzuki + + [JSC] Skip test262 for non-safe-integer range BigIntConstructor + https://bugs.webkit.org/show_bug.cgi?id=210749 Reviewed by Keith Miller. - Added missing inclusions of headers in several files which make use of inline functions. 
+ * runtime/BigIntConstructor.cpp: + (JSC::callBigIntConstructor): - * b3/B3AtomicValue.cpp: - * b3/B3BlockInsertionSet.cpp: - * b3/B3FenceValue.cpp: - * b3/B3LowerMacrosAfterOptimizations.cpp: - * b3/B3PureCSE.cpp: - * b3/B3StackmapValue.cpp: - * b3/B3SwitchValue.cpp: - * b3/B3UseCounts.cpp: - * b3/B3VariableValue.cpp: - * b3/B3WasmAddressValue.cpp: - * b3/B3WasmBoundsCheckValue.cpp: - * ftl/FTLCompile.cpp: - * wasm/WasmSectionParser.cpp: - * wasm/WasmTable.cpp: - * wasm/WasmValidate.cpp: +2020-04-20 Keith Miller -2019-06-10 Keith Miller - - Make new Symbol/Promise API public - https://bugs.webkit.org/show_bug.cgi?id=198709 + Fix CheckIsConstant for non-constant values and checking for empty + https://bugs.webkit.org/show_bug.cgi?id=210752 Reviewed by Saam Barati. - We also need to #ifdef some tests when building for older - platforms because the signatures for some methods are outdated on - those platforms. - - * API/JSObjectRef.h: - * API/JSObjectRefPrivate.h: - * API/JSValue.h: - * API/JSValuePrivate.h: - * API/JSValueRef.h: - * API/tests/testapi.mm: - (testObjectiveCAPIMain): - -2019-06-09 Commit Queue - - Unreviewed, rolling out r246150, r246160, and r246166. - https://bugs.webkit.org/show_bug.cgi?id=198698 - - Regresses page loading time on iOS 13 (Requested by keith_m__ - on #webkit). - - Reverted changesets: - - "Reenable Gigacage on ARM64." - https://bugs.webkit.org/show_bug.cgi?id=198453 - https://trac.webkit.org/changeset/246150 - - "Unrevied build fix for FTL without Gigacage." - https://trac.webkit.org/changeset/246160 - - "Fix typo in cageWithoutUntagging" - https://bugs.webkit.org/show_bug.cgi?id=198617 - https://trac.webkit.org/changeset/246166 - -2019-06-09 Yusuke Suzuki - - [JSC] Use mergePrediction in ValuePow prediction propagation - https://bugs.webkit.org/show_bug.cgi?id=198648 - - Reviewed by Saam Barati. - - We are accidentally using setPrediction. 
This is wrong since prediction propagation (not processInvariant) - must extend the speculation types to ensure we eventually reach to the fixed point. setPrediction can discard - previously configured predictions, can lead to oscillation potentially. Use mergePrediction instead. - - * dfg/DFGPredictionPropagationPhase.cpp: - -2019-06-07 Tadeu Zagallo - - AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset - https://bugs.webkit.org/show_bug.cgi?id=198581 - - - Reviewed by Saam Barati. - - For GetGetterSetterByOffset, when the abstract interpreter fails to read the property - from the object, it gets the GetterSetter structure from the CodeBlock's global object. - However, that's not correct, since the global object for the base object might differ - from the CodeBlock's. Instead, we try to get the global object from the base, when it's - a constant object. Otherwise, we can't infer the value and only set the type. + We need to make sure that we only have one speculated type if our value + is empty. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): -2019-06-06 Devin Rousso +2020-04-20 Darin Adler - Web Inspector: create CommandLineAPIHost lazily like the other agents - https://bugs.webkit.org/show_bug.cgi?id=196047 - + Use #import instead of #include in Objective-C and don't use #pragma once + https://bugs.webkit.org/show_bug.cgi?id=210724 - Reviewed by Timothy Hatcher. + Reviewed by David Kilzer. - * inspector/InjectedScriptManager.h: - * inspector/InjectedScriptManager.cpp: - (Inspector::InjectedScriptManager::connect): Added. + * API/JSAPIWrapperObject.mm: + * API/JSContext.h: + * API/JSContext.mm: + * API/JSScriptInternal.h: + * API/JSValue.mm: + * API/JSVirtualMachine.mm: + * API/JSVirtualMachinePrivate.h: + * API/JSWrapperMap.mm: + * API/ObjCCallbackFunction.mm: + * API/tests/CurrentThisInsideBlockGetterTest.mm: + More #import, less #pragma once. 
-2019-06-06 Keith Miller +2020-04-20 Yusuke Suzuki - Fix typo in cageWithoutUntagging - https://bugs.webkit.org/show_bug.cgi?id=198617 + StructuredClone algorithm should be aware of BigInt + https://bugs.webkit.org/show_bug.cgi?id=210728 + + Reviewed by Mark Lam. + + * CMakeLists.txt: + * runtime/BigIntObject.h: + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::digit): Deleted. + (JSC::JSBigInt::setDigit): Deleted. + * runtime/JSBigInt.h: + (JSC::JSBigInt::digit): + (JSC::JSBigInt::setDigit): + +2020-04-19 Ross Kirsling + + [ECMA-402] Intl.RelativeTimeFormat missing in WebKit + https://bugs.webkit.org/show_bug.cgi?id=209770 + + Reviewed by Darin Adler. + + This patch implements the recent ECMA-402 feature Intl.RelativeTimeFormat. + + RelativeTimeFormat has format / formatToParts functions like NumberFormat / DateTimeFormat + and is used to turn a number and unit into a formatted relative time string, e.g.: + + new Intl.RelativeTimeFormat('en').format(10, 'day') + > 'in 10 days' + + new Intl.RelativeTimeFormat('en', { numeric: 'auto' }).format(0, 'day') + > 'today' + + Implementation of RelativeTimeFormat#formatToParts makes direct use of NumberFormat#formatToParts, + as the relative time string consists of at most one formatted number with optional literal text on either side. + + This feature is runtime-guarded by the `useIntlRelativeTimeFormat` option. + + * CMakeLists.txt: + * DerivedSources-input.xcfilelist: + * DerivedSources-output.xcfilelist: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * runtime/CommonIdentifiers.h: + * runtime/IntlRelativeTimeFormat.cpp: Added. + * runtime/IntlRelativeTimeFormat.h: Added. + * runtime/IntlRelativeTimeFormatConstructor.cpp: Added. + * runtime/IntlRelativeTimeFormatConstructor.h: Added. + * runtime/IntlRelativeTimeFormatPrototype.cpp: Added. + * runtime/IntlRelativeTimeFormatPrototype.h: Added. 
+ * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::relativeTimeFormatStructure): + * runtime/OptionsList.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + Add feature and runtime option. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::formatToParts): + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::initializePluralRules): + (JSC::IntlPluralRules::resolvedOptions): + Make "type" a property name. + + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::initializeNumberFormat): + (JSC::IntlNumberFormat::resolvedOptions): + (JSC::IntlNumberFormat::formatToPartsInternal): + (JSC::IntlNumberFormat::formatToParts): + * runtime/IntlNumberFormat.h: + Factor out formatToPartsInternal so that RelativeTimeFormat can use it with its own UNumberFormat. + (This logic is too complicated to duplicate; it's because ICU won't split, e.g., "10,000" into parts for us.) + + * runtime/IntlObject.cpp: + (JSC::IntlObject::IntlObject): + (JSC::IntlObject::create): + (JSC::IntlObject::finishCreation): + (JSC::intlAvailableLocales): + (JSC::intlCollatorAvailableLocales): + (JSC::isUnicodeLocaleIdentifierType): + (JSC::supportedLocales): + (JSC::intlDateTimeFormatAvailableLocales): Deleted. + (JSC::intlNumberFormatAvailableLocales): Deleted. + * runtime/IntlObject.h: + (JSC::intlDateTimeFormatAvailableLocales): + (JSC::intlNumberFormatAvailableLocales): + (JSC::intlPluralRulesAvailableLocales): + (JSC::intlRelativeTimeFormatAvailableLocales): + Perform three corrections for Intl classes: + 1. Collator should be the only class with unique "available locales". + [unum|udat]_getAvailable exist but they've deferred to uloc_getAvailable for 20 years. + 2. isUnicodeLocaleIdentifierType isn't just `alphanum{3,8}` but rather `alphanum{3,8} (sep alphanum{3,8})*`. + This is my own mistake from r239941. + 3. supportedLocalesOf entries should not be frozen. 
+ Changed in https://github.com/tc39/ecma402/pull/278. + + * tools/JSDollarVM.cpp: + (JSC::functionICUVersion): + (JSC::JSDollarVM::finishCreation): + Add $vm.icuVersion so that we can add per-line skips to stress tests. + +2020-04-19 Yusuke Suzuki + + [JSC] SlowPathCall is not supported by callOperation in Windows + https://bugs.webkit.org/show_bug.cgi?id=210727 + + Reviewed by Ross Kirsling. + + In Windows, SlowPathCall should be handled by JITSlowPathCall, otherwise, stack is not correctly allocated. + + * jit/JITCall.cpp: + (JSC::JIT::emit_op_iterator_open): + (JSC::JIT::emit_op_iterator_next): + * jit/SlowPathCall.h: + (JSC::JITSlowPathCall::call): + +2020-04-19 Yusuke Suzuki + + [JSC] Enable BigInt + https://bugs.webkit.org/show_bug.cgi?id=210726 + + Reviewed by Mark Lam. + + * runtime/OptionsList.h: + +2020-04-19 Yusuke Suzuki + + [JSC] LLInt slow path call should not have third argument + https://bugs.webkit.org/show_bug.cgi?id=210721 + + Reviewed by Mark Lam. + + LLInt callSlowPath does not work with third argument in Windows, CLoop etc. LLInt slow-path should not take third argument, + instead, use `bytecode.metadata(...)` to get metadata. + + * jit/JITCall.cpp: + (JSC::JIT::emit_op_iterator_open): + (JSC::JIT::emit_op_iterator_next): + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::iterator_open_try_fast): + (JSC::SLOW_PATH_DECL): + (JSC::iterator_next_try_fast): + (JSC::iterator_open_try_fast_narrow): Deleted. + (JSC::iterator_open_try_fast_wide16): Deleted. + (JSC::iterator_open_try_fast_wide32): Deleted. + (JSC::iterator_next_try_fast_narrow): Deleted. + (JSC::iterator_next_try_fast_wide16): Deleted. + (JSC::iterator_next_try_fast_wide32): Deleted. + * runtime/CommonSlowPaths.h: + +2020-04-19 Mark Lam + + Fix missing exception checks and handling in JSC APIs. + https://bugs.webkit.org/show_bug.cgi?id=210715 + Reviewed by Saam Barati. 
- * assembler/testmasm.cpp: - (JSC::testCagePreservesPACFailureBit): + * API/APICallbackFunction.h: + (JSC::APICallbackFunction::call): + - We should return early if an exception was thrown. We should not be using the + result in any way since we cannot rely on it having any sane value. + (JSC::APICallbackFunction::construct): + - For consistency, also return an undefined here when an exception was thrown. + + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::construct): + (JSC::JSCallbackObject::call): + - Return an undefined if an exception was thrown. Don't return the potentially + garbage result value. Who knows what the client code will do with it. Returning + an undefined here makes the code more robust. + + * API/JSObjectRef.cpp: + (JSObjectGetProperty): + (JSObjectHasPropertyForKey): + (JSObjectGetPropertyForKey): + (JSObjectDeletePropertyForKey): + (JSObjectGetPropertyAtIndex): + (JSObjectDeleteProperty): + - Explicitly return a nullptr if an exception was thrown. The toRef() on the + result that follows the exception check may or may not return a nullptr + (also see toRef(JSC::VM& vm, JSC::JSValue v) for !CPU(ADDRESS64)). + + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + - For consistency, make these return false if an exception is thrown. + + * API/ObjCCallbackFunction.mm: + (JSC::objCCallbackFunctionCallAsFunction): + (JSC::objCCallbackFunctionCallAsConstructor): + (JSC::ObjCCallbackFunctionImpl::call): + - Add some assertions and return early if an exception was thrown. + +2020-04-18 Keith Miller + + Fix CLoop build for iterator opcodes + https://bugs.webkit.org/show_bug.cgi?id=210709 + + Reviewed by Robin Morisset. + + We need to add a default paramater for the metadata pointer + in the CLoop build. Additionally, the helper declarations need + to be in the various slow path header files. Lastly we need + opcode labels for our new JS call return points. 
+ + * bytecode/BytecodeList.rb: + * llint/LLIntSlowPaths.cpp: + * llint/LLIntSlowPaths.h: + * runtime/CommonSlowPaths.h: + +2020-04-18 Robin Morisset + + Support an inlined representation in JSValue of small BigInts ("BigInt32") + https://bugs.webkit.org/show_bug.cgi?id=206182 + + Reviewed by Yusuke Suzuki. + + This patch attempts to optimize the performance of BigInts, when they are small (32 bit or less). + It works by inlining them into JSValue on 64-bit platforms, avoiding the allocation of a JSBigInt. + The bit pattern we use is 0000:XXXX:XXXX:0012 + This representation works because of the following things: + - It cannot be confused with a Double or Integer thanks to the top bits + - It cannot be confused with a pointer to a Cell, thanks to bit 1 which is set to true + - It cannot be confused with a pointer to wasm thanks to bit 0 which is set to false + - It cannot be confused with true/false because bit 2 is set to false + - It cannot be confused for null/undefined because bit 4 is set to true + + This entire change is gated by USE(BIGINT32), to make it easier to disable if it turns out to have bugs. + It should also make it much easier to verify if a given bug comes from it or from something else. + + Note that in this patch we create BigInt32s when parsing small BigInt constants, and most operations (e.g. Add or BitOr) produce a BigInt32 if both of their operands are BigInt32, + but we don't produce a BigInt32 from for example the substraction/division of two large heap-allocated JSBigInts, even if the result fits in 32-bits. + As a result, small BigInts can now either be heap-allocated or inlined in the JSValue. + + This patch includes a significant refactor of various slow paths, which are now grouped together in Operations.h + Because this increased the size of Operations.h significantly, I split the parts of Operations.h which are only used by the GC into Scribble.h, to avoid bloating compile times. 
+ + In the DFG and FTL we now have 3 UseKinds for BigInts: HeapBigIntUse, BigInt32Use and AnyBigIntUse. + The latter is useful when we know that we are receiving BigInts, but speculation indicates a mix of heap-allocated and small (inlined) big-ints. + + Unfortunately, a naive implementation of this patch significantly regresses the performance of StrictEq (and its variants), as it is no longer true that a cell and a non-cell cannot be equal. + Before this patch, the code was jumping to a slow path if either: + - at least one operand is a double + - or both operands are cells + Now, it also needs to jump to the slow path if at least one is a cell. + To recover this performance cost, I significantly rewrote this code, from + if (left is Cell && right is Cell) { + if (left == right) + return true; + goto slowPath; + } + if (! left is Int32) { + if (left is Number) + goto slowPath + } + if (! right is Int32) { + if (right is Number) + goto slowPath + } + return left == right + To the following: + if (left is Double || right is Double) + goto slowPath + if (left == right) + return true; + if (left is Cell || right is Cell) + goto slowPath + return false; + I believe this to be faster than just replacing (left is Cell && right is Cell) by an ||, because I found a bit-trick to check (left is Double || right is Double) which should help reduce the pressure on the branch predictor. + Early JetStream2 tests appear to confirm that this patch is roughly neutral while it was a 0.5% regression before I used this trick, but the numbers are still too noisy, I plan to do more measurements before landing this patch. + + I don't yet have performance numbers for this patch on a BigInt benchmark, I will get such numbers before trying to land it, but I'd like some review in the meantime. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/X86Assembler.h: + (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM): + * bytecode/ArithProfile.cpp: + (JSC::ArithProfile::emitObserveResult): + (JSC::ArithProfile::shouldEmitSetBigInt32 const): + (JSC::ArithProfile::shouldEmitSetHeapBigInt const): + (JSC::ArithProfile::emitSetHeapBigInt const): + (JSC::ArithProfile::emitSetBigInt32 const): + (WTF::printInternal): + * bytecode/ArithProfile.h: + (JSC::ObservedResults::didObserveNonInt32): + (JSC::ObservedResults::didObserveBigInt): + (JSC::ObservedResults::didObserveHeapBigInt): + (JSC::ObservedResults::didObserveBigInt32): + (JSC::ArithProfile::didObserveHeapBigInt const): + (JSC::ArithProfile::didObserveBigInt32 const): + (JSC::ArithProfile::setObservedHeapBigInt): + (JSC::ArithProfile::setObservedBigInt32): + (JSC::ArithProfile::observeResult): + * bytecode/BytecodeList.rb: + * bytecode/BytecodeLivenessAnalysisInlines.h: + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecode/CodeBlock.cpp: + * bytecode/DataFormat.h: + * bytecode/MethodOfGettingAValueProfile.cpp: + (JSC::MethodOfGettingAValueProfile::emitReportValue const): + * bytecode/MethodOfGettingAValueProfile.h: + * bytecode/SpeculatedType.cpp: + (JSC::dumpSpeculation): + (JSC::speculationFromClassInfo): + (JSC::speculationFromStructure): + (JSC::speculationFromValue): + (JSC::speculationFromJSType): + (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations): + * bytecode/SpeculatedType.h: + (JSC::isBigInt32Speculation): + (JSC::isHeapBigIntSpeculation): + (JSC::isBigIntSpeculation): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitEqualityOpImpl): + (JSC::BytecodeGenerator::addBigIntConstant): + * bytecompiler/BytecodeGenerator.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::isToThisAnIdentity): + (JSC::DFG::AbstractInterpreter::executeEffects): + * 
dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupToThis): + (JSC::DFG::FixupPhase::fixupToNumeric): + (JSC::DFG::FixupPhase::observeUseKindOnNode): + (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateBigInt32): + (JSC::DFG::Node::shouldSpeculateHeapBigInt): + * dfg/DFGNodeType.h: + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGOSRExit.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): - (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::cageWithoutUntagging): - (JSC::AssemblyHelpers::cageConditionally): - (JSC::AssemblyHelpers::cageWithoutUntaging): Deleted. - -2019-06-06 Alexey Shvayka - - JSON.parse throws incorrect exception when called w/o arguments - https://bugs.webkit.org/show_bug.cgi?id=198574 - - Reviewed by Yusuke Suzuki. - - Always coerce first argument to string and attempt to parse it. - (steps 1-2 of https://tc39.github.io/ecma262/#sec-json.parse) - - * runtime/JSONObject.cpp: - (JSC::JSONProtoFuncParse): Remove argumentCount check. - -2019-06-06 Keith Miller - - Unrevied build fix for FTL without Gigacage. 
- + (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): + (JSC::DFG::SpeculativeJIT::compileValueBitNot): + (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp): + (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp): + (JSC::DFG::SpeculativeJIT::emitUntypedOrBigIntRightShiftBitOp): + (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): + (JSC::DFG::SpeculativeJIT::compileValueBitRShift): + (JSC::DFG::SpeculativeJIT::compileShiftOp): + (JSC::DFG::SpeculativeJIT::compileValueAdd): + (JSC::DFG::SpeculativeJIT::compileValueSub): + (JSC::DFG::SpeculativeJIT::compileIncOrDec): + (JSC::DFG::SpeculativeJIT::compileValueNegate): + (JSC::DFG::SpeculativeJIT::compileValueMul): + (JSC::DFG::SpeculativeJIT::compileValueDiv): + (JSC::DFG::SpeculativeJIT::compileValueMod): + (JSC::DFG::SpeculativeJIT::compileValuePow): + (JSC::DFG::SpeculativeJIT::compare): + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::speculateHeapBigInt): + (JSC::DFG::SpeculativeJIT::speculate): + (JSC::DFG::SpeculativeJIT::compileToNumeric): + (JSC::DFG::SpeculativeJIT::compileHeapBigIntEquality): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculateBigInt32Operand::SpeculateBigInt32Operand): + (JSC::DFG::SpeculateBigInt32Operand::~SpeculateBigInt32Operand): + (JSC::DFG::SpeculateBigInt32Operand::edge const): + (JSC::DFG::SpeculateBigInt32Operand::node const): + (JSC::DFG::SpeculateBigInt32Operand::gpr): + (JSC::DFG::SpeculateBigInt32Operand::use): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillJSValue): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): + (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): + (JSC::DFG::SpeculativeJIT::speculateBigInt32): + (JSC::DFG::SpeculativeJIT::speculateAnyBigInt): + 
(JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32): + (JSC::DFG::SpeculativeJIT::compileBigInt32Compare): + (JSC::DFG::SpeculativeJIT::compilePeepHoleBigInt32Branch): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::isCell): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLCommonValues.cpp: + (JSC::FTL::CommonValues::initializeConstants): + * ftl/FTLCommonValues.h: * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::caged): + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): + (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): + (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): + (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): + (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv): + (JSC::FTL::DFG::LowerDFGToB3::compileValueMod): + (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift): + (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift): + (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): + (JSC::FTL::DFG::LowerDFGToB3::compileBitURShift): + (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric): + (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq): + (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt): + (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet): + (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet): + (JSC::FTL::DFG::LowerDFGToB3::boolify): + (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): + (JSC::FTL::DFG::LowerDFGToB3::lowHeapBigInt): + 
(JSC::FTL::DFG::LowerDFGToB3::lowBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::unboxBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::boxBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): + (JSC::FTL::DFG::LowerDFGToB3::speculate): + (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell): + (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigInt): + (JSC::FTL::DFG::LowerDFGToB3::isHeapBigInt): + (JSC::FTL::DFG::LowerDFGToB3::speculateHeapBigInt): + (JSC::FTL::DFG::LowerDFGToB3::speculateHeapBigIntUnknownWhetherCell): + (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32): + (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::json): + * heap/MarkedBlockInlines.h: + * heap/PreciseAllocation.cpp: + * inspector/agents/InspectorHeapAgent.cpp: + (Inspector::InspectorHeapAgent::getPreview): + * interpreter/Interpreter.cpp: + (JSC::sizeOfVarargs): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitConvertValueToBoolean): + (JSC::AssemblyHelpers::branchIfValue): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfBigInt32): + (JSC::AssemblyHelpers::branchIfBigInt32KnownNotNumber): + (JSC::AssemblyHelpers::branchIfNotBigInt32KnownNotNumber): + (JSC::AssemblyHelpers::branchIfHeapBigInt): + (JSC::AssemblyHelpers::branchIfNotHeapBigInt): + (JSC::AssemblyHelpers::unboxBigInt32): + (JSC::AssemblyHelpers::boxBigInt32): + (JSC::AssemblyHelpers::emitTypeOf): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITArithmetic.cpp: + (JSC::JIT::emit_op_negate): + (JSC::JIT::emitSlow_op_negate): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_is_big_int): + (JSC::JIT::compileOpStrictEq): + (JSC::JIT::compileOpStrictEqJump): + (JSC::JIT::emit_op_to_numeric): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_is_big_int): + 
(JSC::JIT::emit_op_to_numeric): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LLIntOfflineAsmConfig.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * parser/ParserArena.cpp: + (JSC::IdentifierArena::makeBigIntDecimalIdentifier): + * runtime/ArrayPrototype.cpp: + * runtime/BigIntConstructor.cpp: + (JSC::toBigInt): + (JSC::callBigIntConstructor): + * runtime/BigIntObject.cpp: + (JSC::BigIntObject::create): + (JSC::BigIntObject::finishCreation): + * runtime/BigIntObject.h: + * runtime/BigIntPrototype.cpp: + (JSC::toThisBigIntValue): + (JSC::bigIntProtoFuncToStringImpl): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + (JSC::updateArithProfileForUnaryArithOp): + (JSC::updateArithProfileForBinaryArithOp): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::createStructure): + (JSC::JSBigInt::parseInt): + (JSC::JSBigInt::stringToBigInt): + (JSC::JSBigInt::inc): + (JSC::JSBigInt::dec): + (JSC::JSBigInt::bitwiseAnd): + (JSC::JSBigInt::toStringGeneric): + (JSC::JSBigInt::equalsToNumber): + (JSC::JSBigInt::equalsToInt32): + * runtime/JSBigInt.h: + (JSC::asHeapBigInt): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toNumberSlowCase const): + (JSC::JSValue::toObjectSlowCase const): + (JSC::JSValue::toThisSlowCase const): + (JSC::JSValue::synthesizePrototype const): + (JSC::JSValue::dumpInContextAssumingStructure const): + (JSC::JSValue::dumpForBacktrace const): + (JSC::JSValue::toStringSlowCase const): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::JSValue): + (JSC::JSValue::asHeapBigInt const): + (JSC::JSValue::isBigInt const): + (JSC::JSValue::isHeapBigInt const): + (JSC::JSValue::isBigInt32 const): + (JSC::JSValue::bigInt32AsInt32 const): + (JSC::JSValue::isPrimitive const): + (JSC::JSValue::getPrimitiveNumber): + (JSC::JSValue::toNumeric const): + (JSC::JSValue::toBigIntOrInt32 const): + (JSC::JSValue::equalSlowCaseInline): + (JSC::JSValue::strictEqualForCells): + (JSC::JSValue::strictEqual): + 
(JSC::JSValue::pureStrictEqual): + (JSC::JSValue::pureToBoolean const): + * runtime/JSCell.cpp: + (JSC::JSCell::put): + (JSC::JSCell::putByIndex): + (JSC::JSCell::toPrimitive const): + (JSC::JSCell::getPrimitiveNumber const): + (JSC::JSCell::toNumber const): + (JSC::JSCell::toObjectSlow const): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isHeapBigInt const): + (JSC::JSCell::toBoolean const): + (JSC::JSCell::pureToBoolean const): + * runtime/JSString.h: + (JSC::JSValue::toBoolean const): + * runtime/JSType.cpp: + (WTF::printInternal): + * runtime/JSType.h: + * runtime/JSTypeInfo.h: + * runtime/ObjectInitializationScope.cpp: + * runtime/Operations.cpp: + (JSC::jsAddSlowCase): + (JSC::jsIsObjectTypeOrNull): + * runtime/Operations.h: + (JSC::compareBigIntToOtherPrimitive): + (JSC::bigIntCompare): + (JSC::jsLess): + (JSC::jsLessEq): + (JSC::arithmeticBinaryOp): + (JSC::jsSub): + (JSC::jsMul): + (JSC::jsDiv): + (JSC::jsRemainder): + (JSC::jsPow): + (JSC::jsInc): + (JSC::jsDec): + (JSC::jsBitwiseNot): + (JSC::shift): + (JSC::jsLShift): + (JSC::jsRShift): + (JSC::bitwiseBinaryOp): + (JSC::jsBitwiseAnd): + (JSC::jsBitwiseOr): + (JSC::jsBitwiseXor): + * runtime/Scribble.h: Copied from Source/JavaScriptCore/runtime/BigIntObject.h. + (JSC::scribbleFreeCells): + (JSC::isScribbledValue): + (JSC::scribble): + * runtime/StructureInlines.h: + (JSC::prototypeForLookupPrimitiveImpl): -2019-06-06 Michael Catanzaro +2020-04-18 Keith Miller - aarch64: ‘JSC::ARM64Assembler::LinkRecord::::RealTypes::m_compareRegister’ is too small to hold all values of ‘JSC::ARM64Assembler::RegisterID’ {aka ‘enum JSC::ARM64Registers::RegisterID’} - https://bugs.webkit.org/show_bug.cgi?id=198014 + Unreviewed, remove commented out/dead code that didn't failed to + get removed when landing r260323. 
+ + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/CommonSlowPaths.cpp: + (JSC::iterator_next_try_fast): + +2020-04-18 Keith Miller + + Redesign how we do for-of iteration for JSArrays + https://bugs.webkit.org/show_bug.cgi?id=175454 + + Reviewed by Filip Pizlo and Saam Barati. + + This patch intrinsics for-of iteration for JSArrays when they are + being iterated with the built-in Symbol.iterator. We do this by + adding two new bytecodes op_iterator_open and + op_iterator_next. These bytecodes are essentially a fused set of + existing bytecodes with a special case for our intrinsiced JSArray + case. This patch only adds support for these instructions on + 64-bit. + + + The op_iterator_open bytecode is semantically the same as: + iterator = symbolIterator.@call(iterable); + next = iterator.next; + + where iterable is the rhs of the for-of and symbolIterator is the + result of running iterable.symbolIterator; + + + The op_iterator_next bytecode is semantically the same as: + nextResult = next.@call(iterator); + done = nextResult.done; + value = done ? (undefined / bottom) : nextResult.value; + + where nextResult is a temporary (the value VirtualRegister in the + LLInt/Baseline and a tmp in the DFG). + + In order to make sure these bytecodes have the same perfomance as + the existing bytecode sequence, we need to make sure we have the + same profiling data and inline caching. Most of the existing + get_by_id code assumed a particular bytecode member name was the + same in each flavor get_by_id access. This patch adds template + specialized functions that vend the correct + Profile/VirtualRegister for the current bytecode/checkpoint. This + means we can have meaningful names for our Bytecode structs and + still use the generic functions. + + In the LLInt most of the logic for calls/get_by_id had to be + factored into helper macros, so we could have bytecodes that are + some combination of those. 
+ + The trickiest part of this patch was getting the hand rolled DFG + IR to work correctly. This is because we don't have a great way to + express large chucks of DFG graph that doesn't involve manually + tracking all the DFG's invariants. Such as: + + 1) Flushing/Phantoming values at the end of each block. + 2) Rolling forwards and backwards the BytecodeIndex when switching + blocks. + 3) Remembering to GetLocal each variable at the top of every block. + 4) Ensuring that the JSValue stored to the op_iterator_next.m_value + local does not cause us to OSR exit at the set local. + + (4) is handled by a new function, bottomValueMatchingSpeculation, + on DFGGraph that produces a FrozenValue that is roughly the bottom + for a given speculated type. In a future patch we should make this + more complete, probably by adding a VM::bottomCellForSetLocal that + prediction propagation and AI know how treat as a true bottom + value. See: https://bugs.webkit.org/show_bug.cgi?id=210694 + + Lastly, this patch changes the DFG NodeType, CheckCell to be + CheckIsConstant. CheckIsConstant is equivalent to the == operator + on JSValue where it just checks the register values are the + same. In order to keep the same perf that we had for CheckCell, + CheckIsConstant supports CellUse. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::or8): + (JSC::MacroAssemblerARM64::store8): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::or8): + * bytecode/ArrayProfile.h: + (JSC::ArrayProfile::observeStructureID): + (JSC::ArrayProfile::observeStructure): + * bytecode/BytecodeList.rb: + * bytecode/BytecodeLivenessAnalysis.cpp: + (JSC::tmpLivenessForCheckpoint): + * bytecode/BytecodeOperandsForCheckpoint.h: Added. 
+ (JSC::arrayProfileForImpl): + (JSC::hasArrayProfileFor): + (JSC::arrayProfileFor): + (JSC::valueProfileForImpl): + (JSC::hasValueProfileFor): + (JSC::valueProfileFor): + (JSC::destinationFor): + (JSC::calleeFor): + (JSC::argumentCountIncludingThisFor): + (JSC::stackOffsetInRegistersForCall): + (JSC::callLinkInfoFor): + * bytecode/BytecodeUseDef.cpp: + (JSC::computeUsesForBytecodeIndexImpl): + (JSC::computeDefsForBytecodeIndexImpl): + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::callTypeFor): + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromLLInt): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::finalizeLLIntInlineCaches): + (JSC::CodeBlock::tryGetValueProfileForBytecodeIndex): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::instructionAt const): + * bytecode/CodeBlockInlines.h: + (JSC::CodeBlock::forEachValueProfile): + (JSC::CodeBlock::forEachArrayProfile): + * bytecode/GetByStatus.cpp: + (JSC::GetByStatus::computeFromLLInt): + * bytecode/Instruction.h: + (JSC::BaseInstruction::width const): + (JSC::BaseInstruction::hasCheckpoints const): + (JSC::BaseInstruction::asKnownWidth const): + (JSC::BaseInstruction::wide16 const): + (JSC::BaseInstruction::wide32 const): + * bytecode/InstructionStream.h: + * bytecode/IterationModeMetadata.h: Copied from Source/JavaScriptCore/bytecode/SuperSampler.h. 
+ * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: + (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal): + (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache): + * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: + * bytecode/Opcode.h: + * bytecode/SpeculatedType.h: + (JSC::isSubtypeSpeculation): + (JSC::speculationContains): + * bytecode/SuperSampler.h: + (JSC::SuperSamplerScope::release): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitGenericEnumeration): + (JSC::BytecodeGenerator::emitEnumeration): + (JSC::BytecodeGenerator::emitIsEmpty): + (JSC::BytecodeGenerator::emitIteratorOpen): + (JSC::BytecodeGenerator::emitIteratorNext): + (JSC::BytecodeGenerator::emitGetGenericIterator): + (JSC::BytecodeGenerator::emitIteratorGenericNext): + (JSC::BytecodeGenerator::emitIteratorGenericNextWithValue): + (JSC::BytecodeGenerator::emitIteratorGenericClose): + (JSC::BytecodeGenerator::emitGetAsyncIterator): + (JSC::BytecodeGenerator::emitDelegateYield): + (JSC::BytecodeGenerator::emitIteratorNextWithValue): Deleted. + (JSC::BytecodeGenerator::emitIteratorClose): Deleted. + (JSC::BytecodeGenerator::emitGetIterator): Deleted. 
+ * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ArrayPatternNode::bindValue const): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::forAllValues): + * dfg/DFGAtTailAbstractState.h: + (JSC::DFG::AtTailAbstractState::size const): + (JSC::DFG::AtTailAbstractState::numberOfTmps const): + (JSC::DFG::AtTailAbstractState::atIndex): + (JSC::DFG::AtTailAbstractState::tmp): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::progressToNextCheckpoint): + (JSC::DFG::ByteCodeParser::get): + (JSC::DFG::ByteCodeParser::set): + (JSC::DFG::ByteCodeParser::jsConstant): + (JSC::DFG::ByteCodeParser::weakJSConstant): + (JSC::DFG::ByteCodeParser::addCall): + (JSC::DFG::ByteCodeParser::allocateUntargetableBlock): + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::emitFunctionChecks): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::handleCallVariant): + (JSC::DFG::ByteCodeParser::handleVarargsInlining): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::handleMinMax): + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + (JSC::DFG::ByteCodeParser::handleDOMJITCall): + (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): + (JSC::DFG::ByteCodeParser::handleDOMJITGetter): + (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad): + (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + (JSC::DFG::ByteCodeParser::handlePutByVal): + (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject): + (JSC::DFG::ByteCodeParser::parse): + * dfg/DFGCFGSimplificationPhase.cpp: + (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): + (JSC::DFG::CFGSimplificationPhase::jettisonBlock): + 
(JSC::DFG::CFGSimplificationPhase::mergeBlocks): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::addStringReplacePrimordialChecks): + * dfg/DFGForAllKills.h: + (JSC::DFG::forAllKilledOperands): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::bottomValueMatchingSpeculation): + * dfg/DFGGraph.h: + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::beginBasicBlock): + (JSC::DFG::InPlaceAbstractState::initialize): + (JSC::DFG::InPlaceAbstractState::endBasicBlock): + (JSC::DFG::InPlaceAbstractState::merge): + * dfg/DFGInPlaceAbstractState.h: + (JSC::DFG::InPlaceAbstractState::size const): + (JSC::DFG::InPlaceAbstractState::numberOfTmps const): + (JSC::DFG::InPlaceAbstractState::atIndex): + (JSC::DFG::InPlaceAbstractState::operand): + (JSC::DFG::InPlaceAbstractState::local): + (JSC::DFG::InPlaceAbstractState::argument): + (JSC::DFG::InPlaceAbstractState::variableAt): Deleted. + * dfg/DFGLazyJSValue.h: + (JSC::DFG::LazyJSValue::speculatedType const): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasConstant): + (JSC::DFG::Node::hasCellOperand): + * dfg/DFGNodeType.h: + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::callerReturnPC): + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCheckIsConstant): + (JSC::DFG::SpeculativeJIT::compileCheckCell): Deleted. 
+ * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckIsConstant): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckCell): Deleted. + * generator/DSL.rb: + * generator/Metadata.rb: + * generator/Section.rb: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITCall.cpp: + (JSC::JIT::emitPutCallResult): + (JSC::JIT::compileSetupFrame): + (JSC::JIT::compileOpCall): + (JSC::JIT::emit_op_iterator_open): + (JSC::JIT::emitSlow_op_iterator_open): + (JSC::JIT::emit_op_iterator_next): + (JSC::JIT::emitSlow_op_iterator_next): + * jit/JITCall32_64.cpp: + (JSC::JIT::emit_op_iterator_open): + (JSC::JIT::emitSlow_op_iterator_open): + (JSC::JIT::emit_op_iterator_next): + (JSC::JIT::emitSlow_op_iterator_next): + * jit/JITInlines.h: + (JSC::JIT::updateTopCallFrame): + (JSC::JIT::advanceToNextCheckpoint): + (JSC::JIT::emitJumpSlowToHotForCheckpoint): + (JSC::JIT::emitValueProfilingSite): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setupGetByIdPrototypeCache): + (JSC::LLInt::performLLIntGetByID): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::genericCall): + (JSC::LLInt::handleIteratorOpenCheckpoint): + (JSC::LLInt::handleIteratorNextCheckpoint): + (JSC::LLInt::slow_path_checkpoint_osr_exit): + (JSC::LLInt::llint_dump_value): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/transform.rb: + * runtime/CommonSlowPaths.cpp: + (JSC::iterator_open_try_fast): + (JSC::iterator_open_try_fast_narrow): + (JSC::iterator_open_try_fast_wide16): + (JSC::iterator_open_try_fast_wide32): + 
(JSC::iterator_next_try_fast): + (JSC::iterator_next_try_fast_narrow): + (JSC::iterator_next_try_fast_wide16): + (JSC::iterator_next_try_fast_wide32): + * runtime/CommonSlowPaths.h: + * runtime/Intrinsic.cpp: + (JSC::interationKindForIntrinsic): + * runtime/Intrinsic.h: + * runtime/JSArrayIterator.h: + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isCallable const): + * runtime/JSCast.h: + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::arrayProtoValuesFunctionConcurrently const): + * runtime/OptionsList.h: + * runtime/Structure.cpp: + (JSC::Structure::dumpBrief const): + +2020-04-18 Yusuke Suzuki + + [JSC] Replace DFG NewPromise with NewInternalFieldObject + https://bugs.webkit.org/show_bug.cgi?id=210687 + + Reviewed by Saam Barati. + + The feature of DFG::NewPromise can be implemented completely with DFG::NewInternalFieldObject. This reduces code duplication, and furthermore, + this offers Object Allocation Sinking support for free. This patch replaces DFG::NewPromise with DFG::NewInternalFieldObject and remove DFG::NewPromise + completely. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToNewInternalFieldObject): + (JSC::DFG::Node::convertToNewInternalFieldObjectWithInlineFields): + (JSC::DFG::Node::hasIsInternalPromise): + (JSC::DFG::Node::hasStructure): + (JSC::DFG::Node::convertToNewPromise): Deleted. 
+ * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): + (JSC::DFG::SpeculativeJIT::compileNewPromise): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStoreBarrierInsertionPhase.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): + (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObject): + (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise): Deleted. + * ftl/FTLOperations.cpp: + (JSC::FTL::operationPopulateObjectInOSR): + (JSC::FTL::operationMaterializeObjectInOSR): + * runtime/JSInternalPromise.cpp: + (JSC::JSInternalPromise::createWithInitialValues): + * runtime/JSInternalPromise.h: + * runtime/JSPromise.cpp: + (JSC::JSPromise::createWithInitialValues): + (JSC::JSPromise::finishCreation): + (JSC::JSPromise::status const): + (JSC::JSPromise::result const): + (JSC::JSPromise::flags const): + (JSC::JSPromise::resolve): + (JSC::JSPromise::reject): + (JSC::JSPromise::rejectAsHandled): + * runtime/JSPromise.h: + (JSC::JSPromise::initialValues): + (JSC::JSPromise::internalField const): + (JSC::JSPromise::internalField): + +2020-04-18 Yusuke Suzuki + + Unreviewed, build fix for ARM64E after r260310 + https://bugs.webkit.org/show_bug.cgi?id=207330 + + r260310 uses undefined function Instruction.cloneWithNewOperands in arm64e.rb and throws an error. + This patch calls `node.cloneWithNewOperands`. 
+ + * offlineasm/arm64e.rb: + +2020-04-18 Alexey Shvayka + + RegExp.prototype[@@search] should use SameValue + https://bugs.webkit.org/show_bug.cgi?id=173226 Reviewed by Yusuke Suzuki. - When building for aarch64, there is a huge warning spam here. It's impossible to see any - other warnings. This has been ongoing for so long I've begun to suspect that nobody works - on this architecture. + This change exposes Object.is implementation as link-time-constant @sameValue and utilizes + it in RegExp.prototype[@@search] per spec [1], aligning JSC with V8 and SpiderMonkey. - Anyway, the problem is because we need eight bits to store all possible RegisterID values, - but the bitfield is only six bits wide. Fix it. The COMPILE_ASSERT checking the size of this - struct is still happy, so I presume the change is OK. + [1]: https://tc39.es/ecma262/#sec-regexp.prototype-@@search (steps 5, 8) - * assembler/ARM64Assembler.h: + * builtins/BuiltinNames.h: + * builtins/RegExpPrototype.js: + (Symbol.search): + * bytecode/LinkTimeConstant.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/ObjectConstructor.cpp: + * runtime/ObjectConstructor.h: -2019-06-06 Keith Miller +2020-04-18 Angelos Oikonomopoulos - Reenable Gigacage on ARM64. - https://bugs.webkit.org/show_bug.cgi?id=198453 + Fix code origin when lowering offlineasm instructions on MIPS/ARM64E + https://bugs.webkit.org/show_bug.cgi?id=207330 + + Reviewed by Mark Lam. + + Instruction operands are mapped to RegisterID in RegisterID.forName + and the operation is memoized. Therefore, we can't use the codeOrigin + of the operand at that point. Use the codeOrigin of the original + instruction instead. + + * offlineasm/arm64e.rb: + * offlineasm/ast.rb: + * offlineasm/mips.rb: + * offlineasm/risc.rb: + +2020-04-18 Angelos Oikonomopoulos + + REGRESSION(r260246): It broke build on MIPS32 + https://bugs.webkit.org/show_bug.cgi?id=210665 + + Reviewed by Aakash Jain. 
+ + The mnemonic for 'store halfword' is 'sh', not 'shv'. This appears to + be a typo in a path that was never exercised. + + Exposed by r260246; riscLowerMisplacedAddresses now calls into + riscAsRegisters with an 'h' suffix, which results in a 'storeh' + instruction. The storeh is then lowered to the non-existent 'shv'. + + * offlineasm/mips.rb: + +2020-04-17 Commit Queue + + Unreviewed, reverting r260279. + https://bugs.webkit.org/show_bug.cgi?id=210678 + + Throwing error would be more efficient, having a generic code + is still worth doing (Requested by yusukesuzuki on #webkit). + + Reverted changeset: + + "[JSC] We do not need to have exit-check for Map/Set iterator + functions" + https://bugs.webkit.org/show_bug.cgi?id=210667 + https://trac.webkit.org/changeset/260279 + +2020-04-17 Saam Barati + + GetTypedArrayByteOffset is broken on arm64e + https://bugs.webkit.org/show_bug.cgi?id=210631 + + Reviewed by Mark Lam. + + The vector of JSArrayBufferView is signed even when null on arm64e. However, we were + comparing against zero, which is wrong. This patch changes it so we do the right thing + and instead compare against whatever constant (ptr=nullptr,size=0) signs as. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): + * runtime/CagedBarrierPtr.h: + (JSC::CagedBarrierPtr::rawBits const): + * runtime/JSArrayBufferView.h: + (JSC::JSArrayBufferView::nullVectorPtr): + +2020-04-17 Yusuke Suzuki + + [JSC] We do not need to have exit-check for Map/Set iterator functions + https://bugs.webkit.org/show_bug.cgi?id=210667 Reviewed by Michael Saboff. - This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the - old Gigacage however, arm64e uses both Gigacaging and PAC. 
In - order to ensure the PAC bits are not stripped in the caging - process we use the bit field insert instruction to take the low - bits from caging and the high bits from the PAC authentication. + If the intrinsic's DFG node does not support general cases, we should check exit-frequency to avoid exit-recompile loop. + However, Map/Set iterator creation functions (values, keys, entries) always require Map / Set types. And throwing an error + when this is not met. So, the current DFG nodes for these intrinsic supports all the cases except for the case throwing an + error, and error will exit anyway. So we do not need to have this exit-frequency guard here. - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::bitFieldInsert64): - * assembler/MacroAssemblerARM64E.h: - * assembler/testmasm.cpp: - (JSC::testCagePreservesPACFailureBit): - (JSC::run): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): - (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): - (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): - (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): - (JSC::FTL::DFG::LowerDFGToB3::caged): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::cageWithoutUntaging): - (JSC::AssemblyHelpers::cageConditionally): - (JSC::AssemblyHelpers::cage): Deleted. 
- * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitIntTypedArrayGetByVal): - (JSC::JIT::emitFloatTypedArrayGetByVal): - (JSC::JIT::emitIntTypedArrayPutByVal): - (JSC::JIT::emitFloatTypedArrayPutByVal): - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter64.asm: - * offlineasm/arm64.rb: - * offlineasm/instructions.rb: - * offlineasm/registers.rb: - * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): - (JSC::Wasm::AirIRGenerator::addCallIndirect): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): - (JSC::Wasm::B3IRGenerator::addCallIndirect): - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToWasm): - * wasm/js/JSToWasm.cpp: - (JSC::Wasm::createJSToWasmWrapper): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + This path is already tested by map-iterator-check-before-fail.js / set-iterator-check-before-fail.js. -2019-06-06 Michael Saboff + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): - [ARM64E]: Add disassembler support for authenticated instructions - https://bugs.webkit.org/show_bug.cgi?id=198562 +2020-04-17 Devin Rousso + + Rename NullishEq / NULLISHEQUAL to CoalesceEq / COALESCEEQUAL to match the spec + https://bugs.webkit.org/show_bug.cgi?id=210663 + + Reviewed by Ross Kirsling. + + * bytecompiler/NodesCodegen.cpp: + (JSC::emitShortCircuitAssignment): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeAssignNode): + * parser/Lexer.cpp: + (JSC::Lexer::lexWithoutClearingLineTerminator): + * parser/Nodes.h: + * parser/Parser.cpp: + (JSC::Parser::parseAssignmentExpression): + * parser/ParserTokens.h: + +2020-04-17 Devin Rousso + + Implement Promise.any and AggregateError + https://bugs.webkit.org/show_bug.cgi?id=202566 + + Reviewed by Yusuke Suzuki. + + `Promise.any` resolves when any of the given `promises` resolve, but only rejects if _all_ + of the given `promises` reject. 
In order to support aggregating all of the `reason` values + for all of the rejections, a new error type `AggregateError` is introduced which has an + `get errors` that returns an aggregated array of the `reason` values. + + * builtins/PromiseConstructor.js: + (all.newResolveElement): + (allSettled.newResolveRejectElements): + (any): Added. + (any.newRejectElement): Added. + * runtime/JSPromiseConstructor.cpp: + + * builtins/BuiltinNames.h: + * bytecode/LinkTimeConstant.h: + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::errorStructure const): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::initializeAggregateErrorConstructor): Added. + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + Expose `@AggregateError` for builtins. + + * runtime/AggregateError.h: Added. + (JSC::AggregateError::destroy): + (JSC::AggregateError::subspaceFor): + (JSC::AggregateError::createStructure): + (JSC::AggregateError::create): + (JSC::AggregateError::errors const): + * runtime/AggregateError.cpp: Added. + (JSC::AggregateError::AggregateError): + (JSC::AggregateError::visitChildren): + (JSC::AggregateError::create): + (JSC::AggregateError::finishCreation): + * runtime/AggregateErrorPrototype.h: Added. + * runtime/AggregateErrorPrototype.cpp: Added. + (JSC::AggregateErrorPrototype::AggregateErrorPrototype): + (JSC::AggregateErrorPrototype::finishCreation): + (JSC::aggregateErrorPrototypeAccessorErrors): + * runtime/AggregateErrorConstructor.h: Added. + * runtime/AggregateErrorConstructor.cpp: Added. + (JSC::callAggregateErrorConstructor): + (JSC::constructAggregateErrorConstructor): + (JSC::AggregateErrorConstructor::AggregateErrorConstructor): + (JSC::AggregateErrorConstructor::finishCreation): + * runtime/ErrorType.h: + * runtime/ErrorType.cpp: + (JSC::errorTypeName): + + * runtime/VM.h: + * runtime/VM.cpp: + (JSC::VM::VM): + Make an `IsoSubspace` for `AggregateError` as it has a different size than `ErrorInstance`. 
+ + * runtime/ErrorInstance.h: + (JSC::ErrorInstance::create): + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::finishCreation): + * wasm/js/JSWebAssemblyCompileError.cpp: + (JSC::JSWebAssemblyCompileError::create): + * wasm/js/JSWebAssemblyLinkError.cpp: + (JSC::JSWebAssemblyLinkError::create): + * wasm/js/JSWebAssemblyRuntimeError.cpp: + (JSC::JSWebAssemblyRuntimeError::create): + Assign to `ErrorInstance` member variables inside `ErrorInstance::finishCreation` instead of + inside `ErrorInstance::create` so that subclasses don't have to do the work as well. + + * runtime/Error.cpp: + (JSC::createError): + + * runtime/ErrorPrototype.h: + (JSC::ErrorPrototype::createStructure): + * runtime/NativeErrorPrototype.h: + (JSC::NativeErrorPrototype::createStructure): + Drive-by: fix incorrect usage of `ErrorInstanceType` since `ErrorPrototype` does not inherit + from `ErrorInstance` (and therefore neither does `NativeErrorPrototype`). + + * runtime/ArgList.h: + Add `WTF_MAKE_NONMOVABLE` to `MarkedArgumentBuffer`. + + * Sources.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-04-17 Ross Kirsling + + Clean up some Intl classes following the ICU upgrade + https://bugs.webkit.org/show_bug.cgi?id=210637 + + Reviewed by Yusuke Suzuki. + + In r259606, I removed the compile-time guards for {DateTimeFormat, NumberFormat}.prototype.formatToParts, + but I forgot to move the method setup back to the lookup table. + + This patch addresses that and prunes various other unnecessary includes and forward declarations. 
+ + * runtime/IntlCollator.h: + * runtime/IntlCollatorConstructor.h: + * runtime/IntlDateTimeFormat.h: + * runtime/IntlDateTimeFormatConstructor.h: + * runtime/IntlDateTimeFormatPrototype.cpp: + (JSC::IntlDateTimeFormatPrototype::create): + (JSC::IntlDateTimeFormatPrototype::finishCreation): + * runtime/IntlDateTimeFormatPrototype.h: + * runtime/IntlNumberFormat.h: + * runtime/IntlNumberFormatConstructor.h: + * runtime/IntlNumberFormatPrototype.cpp: + (JSC::IntlNumberFormatPrototype::create): + (JSC::IntlNumberFormatPrototype::finishCreation): + * runtime/IntlNumberFormatPrototype.h: + * runtime/IntlObject.h: + * runtime/IntlPluralRules.h: + * runtime/IntlPluralRulesConstructor.h: + * runtime/IntlPluralRulesPrototype.cpp: + (JSC::IntlPluralRulesPrototype::create): + (JSC::IntlPluralRulesPrototype::finishCreation): + * runtime/IntlPluralRulesPrototype.h: + +2020-04-17 Yusuke Suzuki + + [JSC] Map/Set iterator creation functions should fail with BadType etc. before executing insertChecks + https://bugs.webkit.org/show_bug.cgi?id=210649 + + + Reviewed by Mark Lam. + + Since insertChecks adds some DFG nodes, we should determine whether this intrinsic handling is OK or not before executing insertChecks. + Otherwise, we will hit an assertion with `!didInsertChecks`. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + +2020-04-17 Mark Lam + + offlineasm is generating the wrong load/store for the "orh" instruction. + https://bugs.webkit.org/show_bug.cgi?id=210639 + + + Reviewed by Robin Morisset. + + For example, on ARM64E, the "orh" instruction was generating the following: + + "\tldr w17, [x1, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 + "\torr w17, w17, #64\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 + "\tstr w17, [x1, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 + + i.e. a 32-bit load, followed by a 32-bit OR, followed by a 32-bit store. 
+ + Instead, it should be generating the following: + + "\tldrh w17, [x1, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 + "\torr w17, w17, #64\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 + "\tstrh w17, [x1, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter64.asm:919 + + i.e. a 16-bit load, followed by a 32-bit OR, followed by a 16-bit store. + + This bug also affects ARM64, ARMv7, and MIPS (basically any backend that uses + riscLowerMisplacedAddresses() from rise.rb). It does not affect x86, x86_64, and + C_LOOP (which was written based on x86). + + * offlineasm/risc.rb: + +2020-04-16 Ross Kirsling + + REGRESSION(r259480): Two new failing i18n tests + https://bugs.webkit.org/show_bug.cgi?id=210605 + + Reviewed by Darin Adler. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::isUTCEquivalent): + (JSC::defaultTimeZone): + (JSC::canonicalizeTimeZoneName): + The default time zone needs to be canonicalized too. + + * runtime/IntlObject.cpp: + (JSC::canonicalLangTag): + (JSC::resolveLocale): + Deal with some odd ""_s cases from my previous patch. + (Drive-by fix inspired by Darin's comments on this one.) + +2020-04-16 Sergio Villar Senin + + Unreviewed build fix for non unified builds. + + * dfg/DFGOperations.cpp: Added missing includes. + +2020-04-16 Mark Lam + + [Re-landing] Use more PAC diversity for JIT probe code. + https://bugs.webkit.org/show_bug.cgi?id=210252 + Reviewed by Keith Miller. - Added support for all the instructions supported in ARM64EAssembler.h. + Introducing new PtrTags: + JITProbePtrTag - for the client probe function. + JITProbeTrampolinePtrTag - for calling the ctiMasmProbeTrampoline. + JITProbeExecutorPtrTag - for calling the probe executor. + Currently, this is only the Probe::executeProbe(). + JITProbeStackInitializationFunctionPtrTag - for calling the optional stack + initialization function that the client probe function may set. 
- * disassembler/ARM64/A64DOpcode.cpp: - (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format): - (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format): - (JSC::ARM64Disassembler::A64DOpcodeHint::format): - (JSC::ARM64Disassembler::A64DOpcodeHint::opName): - (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::format): - (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpName): - (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::format): - * disassembler/ARM64/A64DOpcode.h: - (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opNameIndex): - (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opName): - (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opNum): - (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::mBit): - (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::sBit): - (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::wBit): - (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::immediate10): - (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpCode): - (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op2): - (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op3): - (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op4): - (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::mBit): - (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::rm): - (JSC::ARM64Disassembler::A64DOpcodeHint::opName): Deleted. + We'll now use these in the JIT probe mechanism instead of adopting the default + CFunctionPtrTag. -2019-06-05 Justin Michaud - - [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only). - https://bugs.webkit.org/show_bug.cgi?id=198398 - - Reviewed by Saam Barati. - - Create a new table subtype called FuncRefTable (note: Anyfunc was renamed to Funcref in the references spec). 
- Table now write-barriers and visits its children's wrapper objects. FuncRefTable caches some extra data to - support calling from wasm. A JSWebAssemblyTable is required to set an anyref element, but this is only because - we need to write barrier it (so it should not restrict how we implement threads). This patch does, however, - restrict the implementation of function references to require every Ref.func to have an associated wrapper. This - can be done statically, so this too should not restrict our threads implementation. + Fixed an assert in MacroAssemblerARM64.cpp which does not apply to non ARM64E + builds. + * assembler/MacroAssembler.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerPrinter.h: + (JSC::MacroAssembler::print): + * assembler/ProbeContext.h: + * runtime/JSCPtrTag.h: + * tools/JSDollarVM.cpp: + (JSC::callWithStackSizeProbeFunction): * wasm/WasmAirIRGenerator.cpp: - (JSC::Wasm::AirIRGenerator::addTableGet): - (JSC::Wasm::AirIRGenerator::addTableSet): - (JSC::Wasm::AirIRGenerator::addCallIndirect): + (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::addLocal): - (JSC::Wasm::B3IRGenerator::addTableGet): - (JSC::Wasm::B3IRGenerator::addTableSet): - (JSC::Wasm::B3IRGenerator::addCallIndirect): - * wasm/WasmFormat.h: - (JSC::Wasm::TableInformation::TableInformation): - (JSC::Wasm::TableInformation::type const): - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::parseExpression): - (JSC::Wasm::FunctionParser::parseUnreachableExpression): - * wasm/WasmSectionParser.cpp: - (JSC::Wasm::SectionParser::parseTableHelper): - * wasm/WasmTable.cpp: - (JSC::Wasm::Table::Table): - (JSC::Wasm::Table::tryCreate): - (JSC::Wasm::Table::grow): - (JSC::Wasm::Table::clear): - (JSC::Wasm::Table::set): - (JSC::Wasm::Table::get): - (JSC::Wasm::Table::visitChildren): - (JSC::Wasm::FuncRefTable::FuncRefTable): - 
(JSC::Wasm::FuncRefTable::setFunction): - (JSC::Wasm::Table::~Table): Deleted. - (JSC::Wasm::Table::clearFunction): Deleted. - (JSC::Wasm::Table::setFunction): Deleted. - * wasm/WasmTable.h: - (JSC::Wasm::Table::length const): - (JSC::Wasm::Table::type const): - (JSC::Wasm::Table::setOwner): - (JSC::Wasm::FuncRefTable::offsetOfFunctions): - (JSC::Wasm::FuncRefTable::offsetOfInstances): - (JSC::Wasm::Table::offsetOfFunctions): Deleted. - (JSC::Wasm::Table::offsetOfInstances): Deleted. - * wasm/WasmValidate.cpp: - (JSC::Wasm::Validate::addTableGet): - (JSC::Wasm::Validate::addTableSet): - (JSC::Wasm::Validate::addCallIndirect): - * wasm/js/JSWebAssemblyTable.cpp: - (JSC::JSWebAssemblyTable::JSWebAssemblyTable): - (JSC::JSWebAssemblyTable::finishCreation): - (JSC::JSWebAssemblyTable::visitChildren): - (JSC::JSWebAssemblyTable::grow): - (JSC::JSWebAssemblyTable::get): - (JSC::JSWebAssemblyTable::set): - (JSC::JSWebAssemblyTable::clear): - (JSC::JSWebAssemblyTable::getFunction): Deleted. - (JSC::JSWebAssemblyTable::clearFunction): Deleted. - (JSC::JSWebAssemblyTable::setFunction): Deleted. - * wasm/js/JSWebAssemblyTable.h: - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - (JSC::WebAssemblyModuleRecord::evaluate): - * wasm/js/WebAssemblyTableConstructor.cpp: - (JSC::constructJSWebAssemblyTable): - * wasm/js/WebAssemblyTablePrototype.cpp: - (JSC::webAssemblyTableProtoFuncGet): - (JSC::webAssemblyTableProtoFuncSet): - * wasm/wasm.json: + (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): -2019-06-05 Justin Michaud +2020-04-16 Mark Lam - WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0 - https://bugs.webkit.org/show_bug.cgi?id=198106 + Rolling out r259897: Causing crashes on iOS. + https://bugs.webkit.org/show_bug.cgi?id=210252 - Reviewed by Saam Barati. + Not reviewed. - Fix bug caused by using fcsel sX instead of fcsel dX on an f64 value in moveDoubleConditionally32. 
+ * assembler/MacroAssembler.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerPrinter.h: + (JSC::MacroAssembler::print): + * assembler/ProbeContext.h: + * runtime/JSCPtrTag.h: + * tools/JSDollarVM.cpp: + (JSC::callWithStackSizeProbeFunction): + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::moveDoubleConditionally32): +2020-04-16 Yusuke Suzuki -2019-06-05 Alex Christensen + [JSC] Implement JSMapIterator/JSSetIterator with JSInternalFieldObjectImpl + https://bugs.webkit.org/show_bug.cgi?id=210023 - Progress towards resurrecting Mac CMake build - https://bugs.webkit.org/show_bug.cgi?id=197132 + Reviewed by Keith Miller. - Reviewed by Don Olmstead. + This patch reimplement JSMapIterator/JSSetIterator with JSInternalFieldObjectImpl. + This makes current JSFinalObject-based Map/SetIterator simple and small. + We generalize NewArrayIterator/PhantomNewArrayIterator to convert them to NewInternalFieldObject/PhantomNewInternalFieldObject + to support JSMapIterator/JSSetIterator too in DFG / FTL. This makes allocation efficient and object-allocation-sinking aware. + + * builtins/BuiltinNames.h: + * builtins/MapIteratorPrototype.js: + (globalPrivate.mapIteratorNext): + (next): + * builtins/MapPrototype.js: + (globalPrivate.MapIterator): Deleted. + (values): Deleted. + (keys): Deleted. + (entries): Deleted. + * builtins/SetIteratorPrototype.js: + (globalPrivate.setIteratorNext): + (next): + * builtins/SetPrototype.js: + (globalPrivate.SetIterator): Deleted. + (values): Deleted. + (entries): Deleted. 
+ * bytecode/BytecodeIntrinsicRegistry.cpp: + (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitIsMapIterator): + (JSC::BytecodeGenerator::emitIsSetIterator): + * bytecompiler/NodesCodegen.cpp: + (JSC::mapIteratorInternalFieldIndex): + (JSC::setIteratorInternalFieldIndex): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_getMapIteratorInternalField): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_getSetIteratorInternalField): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putMapIteratorInternalField): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putSetIteratorInternalField): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToPhantomNewInternalFieldObject): + (JSC::DFG::Node::hasStructure): + (JSC::DFG::Node::isPhantomAllocation): + (JSC::DFG::Node::convertToPhantomNewArrayIterator): Deleted. + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObjectImpl): + (JSC::DFG::SpeculativeJIT::compileNewGenerator): + (JSC::DFG::SpeculativeJIT::compileNewAsyncGenerator): + (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): + (JSC::DFG::SpeculativeJIT::compileNewArrayIterator): Deleted. 
+ * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStoreBarrierInsertionPhase.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObjectImpl): + (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator): + (JSC::FTL::DFG::LowerDFGToB3::compileNewAsyncGenerator): + (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject): + (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObject): + (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayIterator): Deleted. + * ftl/FTLOperations.cpp: + (JSC::FTL::operationPopulateObjectInOSR): + (JSC::FTL::operationMaterializeObjectInOSR): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::subtype): + (Inspector::JSInjectedScriptHost::getInternalProperties): + (Inspector::cloneMapIteratorObject): + (Inspector::cloneSetIteratorObject): + (Inspector::JSInjectedScriptHost::iteratorEntries): + * runtime/CommonIdentifiers.h: + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/JSArrayIterator.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::mapIteratorPrototype const): + (JSC::JSGlobalObject::setIteratorPrototype const): + (JSC::JSGlobalObject::mapIteratorStructure const): + (JSC::JSGlobalObject::setIteratorStructure const): + * runtime/JSMapIterator.cpp: + (JSC::JSMapIterator::createWithInitialValues): + (JSC::JSMapIterator::finishCreation): + (JSC::JSMapIterator::visitChildren): + * runtime/JSMapIterator.h: + * runtime/JSSetIterator.cpp: + (JSC::JSSetIterator::createWithInitialValues): + (JSC::JSSetIterator::finishCreation): + (JSC::JSSetIterator::visitChildren): + * runtime/JSSetIterator.h: + * 
runtime/JSType.cpp: + (WTF::printInternal): + * runtime/JSType.h: + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/MapPrototype.cpp: + (JSC::MapPrototype::finishCreation): + (JSC::createMapIteratorObject): + (JSC::mapProtoFuncValues): + (JSC::mapProtoFuncKeys): + (JSC::mapProtoFuncEntries): + * runtime/SetPrototype.cpp: + (JSC::SetPrototype::finishCreation): + (JSC::createSetIteratorObject): + (JSC::setProtoFuncValues): + (JSC::setProtoFuncEntries): + * runtime/VM.cpp: + (JSC::VM::setIteratorStructureSlow): Deleted. + (JSC::VM::mapIteratorStructureSlow): Deleted. + * runtime/VM.h: + (JSC::VM::setIteratorStructure): Deleted. + (JSC::VM::mapIteratorStructure): Deleted. + +2020-04-15 Yusuke Suzuki + + [JSC] Use ensureStillAliveHere in FTL when content of storage should be kept alive + https://bugs.webkit.org/show_bug.cgi?id=210583 + + + Reviewed by Mark Lam. + + The content of Butterfly / ArrayStorage is kept alive only when the owner JSCell is alive. + This means that we should keep the owner JSCell alive if we are loading content of storage + which includes JSCells. This patch inserts ensureStillAliveHere in FTL to ensure this invariant. + + * ftl/FTLJITCode.cpp: + (JSC::FTL::JITCode::~JITCode): Found that we get crash with `dumpDisassembly` if FTL::JITCode is destroyed while it fails to generate code while testing this. 
+ * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): + (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt): + (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByOffset): + (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset): + +2020-04-15 Keith Miller + + Disable Store-load pair auto-vectorization for JSC + https://bugs.webkit.org/show_bug.cgi?id=210574 + + Reviewed by Geoffrey Garen. + + slp-vectorization appears to make our slow path code significantly + slower. That's because when we materialize our constant bytecode + structs into C++ we load all the fields at the same time then + widen them to the struct's member C++ size. Since we have 3 + different possible sizes Clang generates a total mess of + code. Disabling this does not appear to be a regression on any + platform I tested and improves the performance of slow path code + significantly in micro benchmarks. - * API/JSScript.mm: - (-[JSScript readCache]): - (-[JSScript sourceCode]): - (-[JSScript jsSourceCode]): - (-[JSScript writeCache:]): * CMakeLists.txt: + * Configurations/JavaScriptCore.xcconfig: -== Rolled over to ChangeLog-2019-06-05 == +2020-04-15 Robin Morisset + + Flaky Test: fetch/fetch-worker-crash.html + https://bugs.webkit.org/show_bug.cgi?id=187257 + + + Reviewed by Yusuke Suzuki. + + The crash is coming from setExceptionPorts which is inlined in WTF::registerThreadForMachExceptionHandling. + From the error message we know that the problem is an "invalid port right". + http://web.mit.edu/darwin/src/modules/xnu/osfmk/man/thread_set_exception_ports.html tells us that the "port right" is the third parameter to thread_set_exception_ports, which is exceptionPort in our case. 
+ exceptionPort is a global variable defined at the top of Signals.cpp: + static mach_port_t exceptionPort; + It is set in exactly one place: + kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &exceptionPort); + in a std::call_once, in startMachExceptionHandlerThread(). + Note that startMachExceptionHandlerThread() is called from the main thread just before the point where we are stuck.. and there is no synchronization to make sure it completed and its effect is visible to the worker thread before it uses exceptionPort. + + So I think the crash is due to this race between allocating exceptionPort and using it, resulting in an invalid exceptionPort being sometimes passed to the kernel. + So this patch is a simple speculative fix, by running startMachExceptionHandlerThread() in initializeThreading(), before JSLock()::lock() can be run. + + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + +2020-04-15 Ross Kirsling + + Unreviewed build fix for r260161. + + * runtime/IntlObject.cpp: + (JSC::canonicalLangTag): + +2020-04-15 Ross Kirsling + + Unreviewed, address Darin's feedback on r260151. + + * runtime/IntlObject.cpp: + (JSC::canonicalLangTag): + +2020-04-15 Ross Kirsling + + [ECMA-402] Extension values should default to true, canonicalize without "-true" + https://bugs.webkit.org/show_bug.cgi?id=210457 + + Reviewed by Yusuke Suzuki. 
+ + This patch implements two simple intertwining updates to ECMA-402: + + - Valueless extension keys should not be dropped when resolving locale + https://tc39.es/ecma402/#sec-resolvelocale (9.h.4.b) + + - Following UTS 35, "-true" should not appear in canonicalized locale ids + https://tc39.es/ecma402/#sec-canonicalizeunicodelocaleid + https://unicode.org/reports/tr35/#Canonical_Unicode_Locale_Identifiers + ('Any type or tfield value "true" is removed.') + + * runtime/IntlObject.cpp: + (JSC::canonicalLangTag): + (JSC::resolveLocale): + +2020-04-15 Ross Kirsling + + [ECMA-402] Fix Intl.DateTimeFormat patterns and fields in WebKit + https://bugs.webkit.org/show_bug.cgi?id=209783 + + Reviewed by Keith Miller. + + This patch implements two intertwining normative changes to Intl.DateTimeFormat: + - Calendar setting must be taken into account when choosing a date-time pattern + https://github.com/tc39/ecma402/pull/349 + - formatToParts must recognize relatedYear and yearName parts + https://github.com/tc39/ecma402/pull/349 + + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + (JSC::IntlDateTimeFormat::partTypeString): + +2020-04-15 Devin Rousso + + [ESNext] Implement logical assignment operators + https://bugs.webkit.org/show_bug.cgi?id=209716 + + Reviewed by Ross Kirsling. + + Implement the logical assignment operators proposal, which is now Stage 3. It introduces + three new assignment operators which will only store the result of the rhs in the lhs if the + lhs meets the given condition: + - `??=`, for if the lhs is nullish (`null` or `undefined`) + - `||=`, for if the lhs is falsy + - `&&=`, for if the lhs is truthy + + This short circuiting can be beneficial as it can avoid a redundant store when used in the + common JavaScript programming pattern of "defaulting" a parameter. 
+ + ```js + function foo(x) { + x = x || 42; + } + ``` + + If `x` is a truthy value, it would result in the rhs `x` being stored back into the lhs `x`. + In some situations, this can have negative unintended side-effects, such as for `innerHTML`. + + Logical assignment operators, however, are defined such that they only store if the rhs is + to actually be needed/used, skipping the redundant store and simply returning lhs otherwise. + + In the case of readonly references, this means that an error is only thrown when the + assignment occurs, meaning that if the lhs already satisfies the condition it will be used + and returned with no error. + + * parser/ParserTokens.h: + * parser/Lexer.cpp: + (JSC::Lexer::lexWithoutClearingLineTerminator): + * parser/Parser.cpp: + (JSC::Parser::parseAssignmentExpression): + + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeAssignNode): + * parser/Nodes.h: + * parser/NodeConstructors.h: + (JSC::ShortCircuitReadModifyResolveNode::ShortCircuitReadModifyResolveNode): Added. + (JSC::ShortCircuitReadModifyBracketNode::ShortCircuitReadModifyBracketNode): Added. + (JSC::ShortCircuitReadModifyDotNode::ShortCircuitReadModifyDotNode): Added. + * bytecompiler/NodesCodegen.cpp: + (JSC::emitShortCircuitAssignment): Added. + (JSC::ShortCircuitReadModifyResolveNode::emitBytecode): Added. + (JSC::ShortCircuitReadModifyDotNode::emitBytecode): Added. + (JSC::ShortCircuitReadModifyBracketNode::emitBytecode): Added. + + * runtime/OptionsList.h: + Add a `useLogicalAssignmentOperators` setting for controlling this feature. + +2020-04-14 Devin Rousso + + Web Inspector: Debugger: add a Step next that steps by expression + https://bugs.webkit.org/show_bug.cgi?id=210324 + + Reviewed by Timothy Hatcher. + + Step next is a hybrid of Step over and Step into which continues execution to the next pause + opportunity within the current (or ancestor) call frame. 
It is especially useful when trying + to debug minified code, such as trying to continue to `c()` in `a() && b() && c();`, where + Step over would continue to the next statement (i.e. after the `;`) and Step in would + continue to the first line inside `a()` (and would require a Step out to get back). + + * inspector/protocol/Debugger.json: + * inspector/agents/InspectorDebuggerAgent.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::stepNext): Added. + + * debugger/Debugger.h: + * debugger/Debugger.cpp: + (JSC::Debugger::stepNextExpression): Added. + (JSC::Debugger::atExpression): + (JSC::Debugger::clearNextPauseState): + +2020-04-13 Alexey Shvayka + + REGRESSION (r259587): bterlson/eshost throws during init in strict mode + https://bugs.webkit.org/show_bug.cgi?id=210470 + + Reviewed by Ross Kirsling. + + This change makes $262.IsHTMLDDA of JSC shell a CustomValue, allowing it to be reassigned + and restoring compatibility with any version of https://github.com/bterlson/eshost. + + Since putDirectCustomAccessor() is now used instead of putGetter(), scope exception assert + is no longer needed and can be safely removed, as well as JSObject::putGetter() export. + + * jsc.cpp: + * runtime/JSObject.h: + +2020-04-13 David Kilzer + + Replace use of Checked with CheckedSize + + + Reviewed by Mark Lam. + + * heap/Heap.cpp: + (JSC::Heap::deprecatedReportExtraMemorySlowCase): + (JSC::Heap::extraMemorySize): + (JSC::Heap::updateAllocationLimits): + (JSC::Heap::reportExtraMemoryVisited): + * heap/SlotVisitor.h: + * runtime/ArgList.cpp: + (JSC::MarkedArgumentBuffer::expandCapacity): + +2020-04-10 Michael Saboff + + [YARR] Allow for Unicode named capture group identifiers in non-Unicode regular expressions + https://bugs.webkit.org/show_bug.cgi?id=210309 + + Reviewed by Ross Kirsling. + + Update YARR pattern processing to allow for non-BMP unicode identifier characters in named capture groups. 
+ + This change was discussed and approved at the March/April 2020 TC-39 meeting. + See https://github.com/tc39/ecma262/pull/1869 for the discussion and change. + + Updated tryConsumeUnicodeEscape() to allow for unicode escapes in non-unicode flagged regex's. + Added the same support to consumePossibleSurrogatePair(). + + * yarr/YarrParser.h: + (JSC::Yarr::Parser::consumePossibleSurrogatePair): + (JSC::Yarr::Parser::parseCharacterClass): + (JSC::Yarr::Parser::parseTokens): + (JSC::Yarr::Parser::tryConsumeUnicodeEscape): + (JSC::Yarr::Parser::tryConsumeIdentifierCharacter): + +2020-04-13 Michael Catanzaro + + Fix various build warnings + https://bugs.webkit.org/show_bug.cgi?id=210429 + + Reviewed by Mark Lam. + + Fix -Wimplicit-fallthrough warning by adding a default case CRASH() to prevent the inner + switch from falling through to the outer switch. + + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::alreadyChecked const): + +2020-04-12 Mark Lam + + Enable the ability to build the ASM LLInt for ARMv7k. + https://bugs.webkit.org/show_bug.cgi?id=210412 + + Reviewed by Sam Weinig. + + Fix the offlineasm so that it can build the ASM LLInt for ARMv7k. This patch does + not actually enable the ASM LLInt. The ARMv7k port still build the C Loop LLInt. + + Also, the ARMv7k ASM LLInt is still broken and needs additional work before it + can run. This patch only fixes things so that it will build. + + * JavaScriptCore.xcodeproj/project.pbxproj: + - Added generate_settings_extractor.rb to the project so that we can view it from + inside Xcode. + + * offlineasm/arm.rb: + - Added support for the globaladdr LLInt instruction for ARMv7k. + + * offlineasm/backends.rb: + - Fix the backend to enable ARMV7 also when building for ARMv7k. + +2020-04-12 Darin Adler + + Fix a few mispellings of descendant and propagation + https://bugs.webkit.org/show_bug.cgi?id=210409 + + Reviewed by Mark Lam. 
+ + * ftl/FTLAbstractHeap.h: "descendants" + * offlineasm/ast.rb: "descendants" + +2020-04-12 Ross Kirsling + + [ECMA-402] WebKit Intl does not allow calendar and numberingSystem options + https://bugs.webkit.org/show_bug.cgi?id=209784 + + Reviewed by Myles C. Maxfield. + + As an alternative to using `ca` and `nu` extensions in the locale string: + - the Intl.DateTimeFormat constructor needs to be able to take `calendar` and `numberingSystem` options + https://tc39.es/ecma402/#sec-initializedatetimeformat + - the Intl.NumberFormat needs to be able to take a `numberingSystem` option + https://tc39.es/ecma402/#sec-initializenumberformat + + Since we already support `ca` and `nu`, this is a very simple addition. + The only interesting part is that we must verify that values for these options are 3-8 alphanumeric characters. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::initializeNumberFormat): + (JSC::IntlNumberFormat::resolvedOptions): + * runtime/IntlObject.cpp: + (JSC::isUnicodeLocaleIdentifierType): + * runtime/IntlObject.h: + +2020-04-10 Ross Kirsling + + [ECMA-402] Properly implement BigInt.prototype.toLocaleString + https://bugs.webkit.org/show_bug.cgi?id=209782 + + Reviewed by Darin Adler. + + Our BigInt's toLocaleString has been simply falling back to toString instead of following ECMA-402. + (https://tc39.es/ecma402/#sup-bigint.prototype.tolocalestring) + + Since {Number, BigInt}.prototype.toLocaleString are internally the same as Intl.NumberFormat.prototype.format, + this patch simultaneously lets the latter method take a BigInt argument. + (https://tc39.es/ecma402/#sec-number-format-functions) + + This patch continues to use the old unum_* API instead of ICU 62's new unumf_* API, + as the latter would require a large refactor as well as fallback paths. + (This will, however, be a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=209774.) 
+ + * runtime/BigIntPrototype.cpp: + (JSC::bigIntProtoFuncToString): + (JSC::bigIntProtoFuncToLocaleString): + (JSC::bigIntProtoFuncToStringImpl): Deleted. + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::format): + (JSC::IntlNumberFormat::formatNumber): Deleted. + * runtime/IntlNumberFormat.h: + * runtime/IntlNumberFormatPrototype.cpp: + (JSC::IntlNumberFormatFuncFormat): + (JSC::IntlNumberFormatPrototypeGetterFormat): + (JSC::IntlNumberFormatFuncFormatNumber): Deleted. + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToLocaleString): + +2020-04-10 Devin Rousso + + The rhs in `ReadModifyResolveNode` should be evaluated before throwing an exception if the lhs is read-only + https://bugs.webkit.org/show_bug.cgi?id=210317 + + Reviewed by Ross Kirsling. + + * bytecompiler/NodesCodegen.cpp: + (JSC::emitReadModifyAssignment): + (JSC::ReadModifyResolveNode::emitBytecode): + If the corresponding `Variable` is read-only, pass it to `emitReadModifyAssignment` as an + additional optionl argument, where it will be used to `emitReadOnlyExceptionIfNeeded` after + the rhs is emitted. + +2020-04-10 Mark Lam + + Use more PAC diversity for JIT probe code. + https://bugs.webkit.org/show_bug.cgi?id=210252 + + + Reviewed by Keith Miller. + + Introducing new PtrTags: + JITProbePtrTag - for the client probe function. + JITProbeTrampolinePtrTag - for calling the ctiMasmProbeTrampoline. + JITProbeExecutorPtrTag - for calling the probe executor. + Currently, this is only the Probe::executeProbe(). + JITProbeStackInitializationFunctionPtrTag - for calling the optional stack + initialization function that the client probe function may set. + + We'll now use these in the JIT probe mechanism instead of adopting the default + CFunctionPtrTag. 
+
+ * assembler/MacroAssembler.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssemblerARM64.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssemblerPrinter.h:
+ (JSC::MacroAssembler::print):
+ * assembler/ProbeContext.h:
+ * runtime/JSCPtrTag.h:
+ * tools/JSDollarVM.cpp:
+ (JSC::callWithStackSizeProbeFunction):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
+
+2020-04-10 Mark Lam
+
+ [Follow up] Fix bad tests in testmasm's testCagePreservesPACFailureBit().
+ https://bugs.webkit.org/show_bug.cgi?id=210314
+
+
+ Not reviewed.
+
+ Applying Keith's feedback in https://bugs.webkit.org/show_bug.cgi?id=210314#c5:
+ added the stronger test but kept the weaker one as well.
+
+ * assembler/testmasm.cpp:
+ (JSC::testCagePreservesPACFailureBit):
+
+== Rolled over to ChangeLog-2020-04-10 ==
diff --git a/ChangeLog-2020-04-10 b/ChangeLog-2020-04-10
new file mode 100644
index 0000000..fa895c6
--- /dev/null
+++ b/ChangeLog-2020-04-10
@@ -0,0 +1,43318 @@
+2020-04-10 Caio Lima
+
+ [LLInt] Add fast path for TypedArray access on LLInt 32-bits
+ https://bugs.webkit.org/show_bug.cgi?id=210217
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is adding fast path case for in-bound TypedArray access on
+ 32-bits LLInt. Since instructions are the same for both architectures,
+ we are refactoring this part of code to `LowLevelInterpreter.asm` and
+ reusing it into `LowLevelInterpreter32_64.asm`.
+
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2020-04-10 Commit Queue
+
+ Unreviewed, reverting r259849 and r259851.
+ https://bugs.webkit.org/show_bug.cgi?id=210328
+
+ Crash in LayoutTests (Requested by yusukesuzuki on #webkit).
+
+ Reverted changesets:
+
+ "[JSC] Use UnconditionalWriteBarrier in Baseline effectively
+ to reduce code size"
+ https://bugs.webkit.org/show_bug.cgi?id=209395
+ https://trac.webkit.org/changeset/259849
+
+ "Unreviewed, fix typo in comment"
+ https://bugs.webkit.org/show_bug.cgi?id=209395
+ https://trac.webkit.org/changeset/259851
+
+2020-04-10 Yusuke Suzuki
+
+ Unreviewed, fix typo in comment
+ https://bugs.webkit.org/show_bug.cgi?id=209395
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emit_op_del_by_id):
+ (JSC::JIT::emit_op_del_by_val):
+ (JSC::JIT::emit_op_put_by_id):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emit_op_put_by_id):
+
+2020-04-09 Yusuke Suzuki
+
+ [JSC] Use UnconditionalWriteBarrier in Baseline effectively to reduce code size
+ https://bugs.webkit.org/show_bug.cgi?id=209395
+
+ Reviewed by Tadeu Zagallo.
+
+ In put/delete we always need to emit write-barrier if the base is a cell since IC can write things (writing new StructureID etc.).
+ We should use emitWriteBarrier with UnconditionalWriteBarrier to remove unnecessary branch.
+ + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emit_op_del_by_val): + (JSC::JIT::emit_op_put_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emit_op_put_by_id): + +2020-04-09 Mark Lam + + Fix bad tests in testmasm's testCagePreservesPACFailureBit(). + https://bugs.webkit.org/show_bug.cgi?id=210314 + + + Reviewed by Yusuke Suzuki. + + Some of these tests will crash when validated untagging is enabled. + + * assembler/testmasm.cpp: + (JSC::testCagePreservesPACFailureBit): + +2020-04-08 Darin Adler + + [Cocoa] Simplify NSArray, NSDictionary, and NSNumber idioms throughout WebKit + https://bugs.webkit.org/show_bug.cgi?id=210138 + + Reviewed by Alex Christensen. + + * API/JSValue.mm: + (valueToObjectWithoutCopy): Use @(). + (valueToNumber): Ditto. + * API/tests/testapi.mm: + (-[TestObject callback:]): Use @[], @(), and @{}. + (-[TextXYZ click]): Ditto. + (testObjectiveCAPIMain): Ditto. + +2020-04-09 Devin Rousso + + Don't emit the rhs twice in `AssignResolveNode` + https://bugs.webkit.org/show_bug.cgi?id=210312 + + Reviewed by Yusuke Suzuki. + + * bytecompiler/NodesCodegen.cpp: + (JSC::AssignResolveNode::emitBytecode): + +2020-04-09 Yusuke Suzuki + + [JSC] ModuleEnvironment do not have JSGlobalLexicalEnvironment as its upper scope + https://bugs.webkit.org/show_bug.cgi?id=193347 + + Reviewed by Tadeu Zagallo. + + The upper scope of module scope should be global lexical environment instead of global object. + This patch fixes it to allow modules to access global lexical environment's variables. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::notifyLexicalBindingUpdate): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * runtime/JSModuleEnvironment.h: + * runtime/JSModuleRecord.cpp: + (JSC::JSModuleRecord::instantiateDeclarations): + +2020-04-09 Alexey Shvayka + + ProxyObject::defineOwnProperty() should conditionally throw on falsy trap result + https://bugs.webkit.org/show_bug.cgi?id=210267 + + Reviewed by Ross Kirsling. + + This change adds conditional TypeError for falsy trap result [1], like there is in + ProxyObject::performPut(), aligning JSC with V8 and SpiderMonkey. Also replaces + throwVMTypeError() calls which results are unused with throwTypeError(). + + [1]: https://tc39.es/ecma262/#sec-definepropertyorthrow (step 4) + + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performDefineOwnProperty) + +2020-04-09 Devin Rousso + + Web Inspector: Debugger: debug hooks should also be emitted for the first sub-expression in a comma expression + https://bugs.webkit.org/show_bug.cgi?id=210253 + + Reviewed by Joseph Pecoraro. + + * bytecompiler/NodesCodegen.cpp: + (JSC::CommaNode::emitBytecode): + * parser/Parser.cpp: + (JSC::Parser::parseVariableDeclarationList): + (JSC::Parser::parseExpression): + We should emit debug hooks and record pause locations for the first sub-expression in comma + expressions, as the comma expression is not always standalone (e.g. `true && (a(), b())`). + + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitDebugHook): + Save the `JSTextPosition` and `DebugHookType` of the last debug hook, using them to prevent + any additional debug hooks from being emitted if they have the same `JSTextPosition` and + `DebugHookType`. This prevents the debugger from pausing twice at the beginning of an + expression statement (e.g. `|a(), b();`). 
+ +2020-04-09 Saam Barati + + We can still cache delete in strict mode as long as the property is not "non-configurable" + https://bugs.webkit.org/show_bug.cgi?id=210148 + + Reviewed by Tadeu Zagallo. + + We were incorrectly not inline caching all delete misses in strict mode. + We only must to not cache deletes on non-configurable properties in strict + mode, as that should throw a runtime error. Delete misses can still be cached + in strict mode without any issues. This is a 4x speedup on the microbenchmark. + + * jit/Repatch.cpp: + (JSC::tryCacheDeleteBy): + +2020-04-09 Sergio Villar Senin + + [Wasm] Build fix for non-unified builds + https://bugs.webkit.org/show_bug.cgi?id=210277 + + Reviewed by Yusuke Suzuki. + + * wasm/WasmPlan.cpp: Added missing includes. + * wasm/WasmPlan.h: Forward declare CodeBlock. + +2020-04-09 Alexey Shvayka + + getOwnPropertyDescriptor() is incorrect with Proxy of exotic object + https://bugs.webkit.org/show_bug.cgi?id=200560 + + Reviewed by Yusuke Suzuki. + + PropertyAttribute::CustomValue path in JSObject::getOwnPropertyDescriptor() needs to perform + getDirect() on correct target. A correct target may be different since getOwnPropertySlot() + may return not *own* property. + + This change removes a hack that was covering only JSProxy case and invokes getDirect() on + slotBase(), ensuring ProxyObject instances with exotic targets return correct descriptors + and aligning JSC with V8 and SpiderMonkey. + + getDirect() can be safely called on slotBase(): if getOwnPropertySlot() result is returned + from JS code of ProxyObject's trap, it will never be a PropertyAttribute::CustomValue. + + This patch also moves setCustomDescriptor() down below to avoid mutating a descriptor when + returning `false`. + + * runtime/JSObject.cpp: + (JSC::JSObject::getOwnPropertyDescriptor): + +2020-04-09 Angelos Oikonomopoulos + + Fix CLOOP build + https://bugs.webkit.org/show_bug.cgi?id=207119 + + Reviewed by Aakash Jain. 
+ + * CMakeLists.txt: + +2020-04-09 Mark Lam + + Implement a more efficient tagCFunction() tool. + https://bugs.webkit.org/show_bug.cgi?id=210254 + + Reviewed by Keith Miller. + + Putting tagCFunction() to use. + + * b3/B3LowerMacros.cpp: + * b3/B3LowerMacrosAfterOptimizations.cpp: + * b3/B3MathExtras.cpp: + * b3/B3ReduceLoopStrength.cpp: + (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy): + * b3/B3ReduceStrength.cpp: + * b3/testb3_5.cpp: + (testCallSimple): + (testCallRare): + (testCallRareLive): + (testCallSimplePure): + (testCallFunctionWithHellaArguments): + (testCallFunctionWithHellaArguments2): + (testCallFunctionWithHellaArguments3): + (testCallSimpleDouble): + (testCallSimpleFloat): + (testCallFunctionWithHellaDoubleArguments): + (testCallFunctionWithHellaFloatArguments): + (testLinearScanWithCalleeOnStack): + * b3/testb3_6.cpp: + (testInterpreter): + * b3/testb3_7.cpp: + (testLICMPure): + (testLICMPureSideExits): + (testLICMPureWritesPinned): + (testLICMPureWrites): + (testLICMReadsLocalState): + (testLICMReadsPinned): + (testLICMReads): + (testLICMPureNotBackwardsDominant): + (testLICMPureFoiledByChild): + (testLICMPureNotBackwardsDominantFoiledByChild): + (testLICMExitsSideways): + (testLICMWritesLocalState): + (testLICMWrites): + (testLICMFence): + (testLICMWritesPinned): + (testLICMControlDependent): + (testLICMControlDependentNotBackwardsDominant): + (testLICMControlDependentSideExits): + (testLICMReadsPinnedWritesPinned): + (testLICMReadsWritesDifferentHeaps): + (testLICMReadsWritesOverlappingHeaps): + (testLICMDefaultCall): + (testShuffleDoesntTrashCalleeSaves): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::emitRestoreArguments): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::handleExitCounts): + (JSC::DFG::osrWriteBarrier): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + 
* ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::callExceptionFuzz): + * jit/CCallHelpers.cpp: + (JSC::CCallHelpers::ensureShadowChickenPacket): + * jit/JITOperations.cpp: + * jit/ThunkGenerators.cpp: + (JSC::throwExceptionFromCallSlowPathGenerator): + (JSC::slowPathFor): + (JSC::nativeForGenerator): + (JSC::boundFunctionCallGenerator): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addTableGet): + (JSC::Wasm::B3IRGenerator::addTableSet): + (JSC::Wasm::B3IRGenerator::addRefFunc): + (JSC::Wasm::B3IRGenerator::addTableSize): + (JSC::Wasm::B3IRGenerator::addTableGrow): + (JSC::Wasm::B3IRGenerator::addTableFill): + (JSC::Wasm::B3IRGenerator::addGrowMemory): + (JSC::Wasm::B3IRGenerator::setGlobal): + (JSC::Wasm::B3IRGenerator::emitWriteBarrierForJSWrapper): + (JSC::Wasm::B3IRGenerator::addOp): + (JSC::Wasm::B3IRGenerator::addOp): + * wasm/WasmThunks.cpp: + (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator): + +2020-04-08 Devin Rousso + + Web Inspector: Debugger: treat comma sub-expressions as separate statements + https://bugs.webkit.org/show_bug.cgi?id=209998 + + Reviewed by Joseph Pecoraro. + + Minifiers sometimes use `,` instead of `;` as a way of compressing multiple statements into + a single statement (e.g. inside an `if` conditional). This makes stepping through minified + code much less useful, as our current stepping logic is based on expressions (not including + step in or step out). In most cases, we do actually want to treat each sub-expression in a + comma expression as a statement so as to emulate the behaviour as if there were `;` instead. + + * bytecompiler/NodesCodegen.cpp: + (JSC::CommaNode::emitBytecode): + + * parser/Parser.cpp: + (JSC::Parser::parseVariableDeclarationList): + (Parser::parseExpression): + Shift the location of subsequent sub-expressions to be after the comma. Add breakpoint pause + locations for each subsequent sub-expression. 
+ +2020-04-08 Ross Kirsling + + Remove ENABLE_INTL define + https://bugs.webkit.org/show_bug.cgi?id=210164 + + Reviewed by Darin Adler. + + * Scripts/generateIntlCanonicalizeLanguage.py: + * builtins/DatePrototype.js: + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToLocaleString): + * runtime/DatePrototype.cpp: + (JSC::DatePrototype::finishCreation): + * runtime/IntlCollator.cpp: + * runtime/IntlCollator.h: + * runtime/IntlCollatorConstructor.cpp: + * runtime/IntlCollatorConstructor.h: + * runtime/IntlCollatorPrototype.cpp: + * runtime/IntlCollatorPrototype.h: + * runtime/IntlDateTimeFormat.cpp: + * runtime/IntlDateTimeFormat.h: + * runtime/IntlDateTimeFormatConstructor.cpp: + * runtime/IntlDateTimeFormatConstructor.h: + * runtime/IntlDateTimeFormatPrototype.cpp: + * runtime/IntlDateTimeFormatPrototype.h: + * runtime/IntlNumberFormat.cpp: + * runtime/IntlNumberFormat.h: + * runtime/IntlNumberFormatConstructor.cpp: + * runtime/IntlNumberFormatConstructor.h: + * runtime/IntlNumberFormatPrototype.cpp: + * runtime/IntlNumberFormatPrototype.h: + * runtime/IntlObject.cpp: + * runtime/IntlObject.h: + * runtime/IntlObjectInlines.h: + * runtime/IntlPluralRules.cpp: + * runtime/IntlPluralRules.h: + * runtime/IntlPluralRulesConstructor.cpp: + * runtime/IntlPluralRulesConstructor.h: + * runtime/IntlPluralRulesPrototype.cpp: + * runtime/IntlPluralRulesPrototype.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::defaultCollator const): + (JSC::JSGlobalObject::pluralRulesStructure): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncDateTimeFormat): + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToLocaleString): + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + (JSC::stringProtoFuncLocaleCompare): + (JSC::stringProtoFuncToLocaleUpperCase): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2020-04-08 Daniel Bates + 
+ Track editable elements on screen + https://bugs.webkit.org/show_bug.cgi?id=209888 + + + Reviewed by Simon Fraser. + + Add feature define to track editable elements on screen (enabled by default on iOS and iOS Simulator). + + * Configurations/FeatureDefines.xcconfig: + +2020-04-08 Yusuke Suzuki + + [JSC] Threading JSGlobalObject in RegExp::match properly + https://bugs.webkit.org/show_bug.cgi?id=210174 + + Reviewed by Saam Barati. + + We thread JSGlobalObject* properly in RegExp::match instead of accessing VM::topCallFrame, which is too hacky. + + * runtime/RegExp.cpp: + (JSC::RegExp::match): + (JSC::RegExp::matchConcurrently): + * runtime/RegExp.h: + * runtime/RegExpGlobalData.h: + * runtime/RegExpGlobalDataInlines.h: + (JSC::RegExpGlobalData::performMatch): + * runtime/RegExpInlines.h: + (JSC::RegExp::matchInline): + * runtime/RegExpMatchesArray.h: + (JSC::createRegExpMatchesArray): + * runtime/RegExpObjectInlines.h: + (JSC::RegExpObject::matchInline): + (JSC::collectMatches): + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoFuncSearchFast): + (JSC::genericSplit): + (JSC::regExpProtoFuncSplitFast): + * runtime/StringPrototype.cpp: + (JSC::removeUsingRegExpSearch): + (JSC::replaceUsingRegExpSearch): + * testRegExp.cpp: + (testOneRegExp): + (runFromFiles): + +2020-04-08 Devin Rousso + + Web Inspector: Storage: cannot clear out multiple or all local storage entries + https://bugs.webkit.org/show_bug.cgi?id=209867 + + Reviewed by Timothy Hatcher. + + * inspector/protocol/DOMStorage.json: + Add a `clearDOMStorageItems` command instead of calling `removeDOMStorageItem` for each key. + +2020-04-08 Yusuke Suzuki + + [JSC] MultiDeleteByOffset should tell correct result AbstractValue in AI + https://bugs.webkit.org/show_bug.cgi?id=210175 + + + Reviewed by Saam Barati. + + Since the result value of MultiDeleteByOffset should be used, AI should set boolean AbstractValue as a result of MultiDeleteByOffset. 
+ We also add MultiDeleteByOffset to DFGStoreBarrierInsertionPhase since it can write StructureID: this means that write-barrier is necessary. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGStoreBarrierInsertionPhase.cpp: + +2020-04-08 Angelos Oikonomopoulos + + Enable offlineasm debug annotations for GCC + https://bugs.webkit.org/show_bug.cgi?id=207119 + + Reviewed by Darin Adler. + + This simply reuses the existing code that generates debug + annotations, adding two workarounds for limitations in GCC and + GDB. + + First, the .file directives that offlineasm inserts in inline asm + use file slots that conflict with those in the compilation unit + that includes LLIntAssembly.h (specifically, + LowLevelInterpreter.cpp). Clang's built-in assembler will + transparently fix that for us, but for GCC we need to + post-process the generated assembler. + + Unfortunately, cmake doesn't allow us to introduce a compiler wrapper for a + single source file, so we need to create a separate target for it. This + wrapping only happens when building with GCC and the user has explicitly + requested debug information, either by selecting a Debug/RelWithDebInfo build + or setting GCC_OFFLINEASM_SOURCE_MAP. + + Second, GDB will only look at the line table for a compilation unit if + it can first resolve the address to one of the known symbols in the + file. Introduce marker symbols to work around this bug. + + * CMakeLists.txt: + +2020-04-08 Truitt Savell + + Unreviewed, reverting r259708. + + Broke the iOS device Build + + Reverted changeset: + + "Enable the use of XCBuild by default in Apple builds" + https://bugs.webkit.org/show_bug.cgi?id=209890 + https://trac.webkit.org/changeset/259708 + +2020-04-08 Guillaume Emont + + [JSC][32-bits] Build failure after r259676 (Not using strict mode within ClassDeclaration statement) + https://bugs.webkit.org/show_bug.cgi?id=210176 + + Reviewed by Aakash Jain. 
+ + Fixed 32-bit paths to match changes in r259676. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::compileDeleteById): + (JSC::DFG::SpeculativeJIT::compileDeleteByVal): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileCallEval): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emit_op_del_by_val): + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::emit_op_put_by_id): + +2020-04-08 Tim Horton + + Rearrange and simplify some JSC feature flags + https://bugs.webkit.org/show_bug.cgi?id=210152 + + Reviewed by Saam Barati. + + * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: + (Inspector::RemoteConnectionToTarget::dispatchAsyncOnTarget): + * jit/ExecutableAllocator.cpp: + (JSC::isJITEnabled): + (JSC::ExecutableAllocator::setJITEnabled): + * runtime/Options.cpp: + (JSC::overrideDefaults): + +2020-04-08 Keith Rollin + + Enable the use of XCBuild by default in Apple builds + https://bugs.webkit.org/show_bug.cgi?id=209890 + + + Reviewed by Darin Adler. + + Switch from the "legacy" Xcode build system to the "new" build system + (also known as "XCBuild"). Switching to the new system speeds up + builds by a small percentage, better validates projects for + build-related issues (such as dependency cycles), lets WebKit benefit + from future improvements in XCBuild such as those coming from the + underlying llbuild open source project, and prepares us for any other + tools built for this new ecosystem. + + Specific changes: + + - Remove Xcode project and workspace settings that selected the Build + system, allowing the default to take hold (which is currently the + New build system). + - Updated webkitdirs.pm with a terser check for Xcode version. 
+ - Update build-webkit and Makefile.shared to be explicit when using + the old build system (no longer treat it as a default or fall-back + configuration). + - Update various xcconfig files similarly to treat the default as + using the new build system. + - Update various post-processing build steps to check for Xcode 11.4 + and to no longer treat the default as using the old build system. + + * Configurations/JavaScriptCore.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-04-07 Yusuke Suzuki + + [JSC] Collect-continuously thread should take m_collectContinuouslyLock while it is waking up concurrent collector thread + https://bugs.webkit.org/show_bug.cgi?id=210163 + + Reviewed by Saam Barati. + + Collect-Continuously thread has fancy race issue. + + In Heap::preventCollection, we first take m_collectContinuouslyLock to ensure collect-continuously thread is not working, and then + we ensure collector thread is stopped by using waitForCollector. However our collect-continuously thread is implemented like this. + + while (!m_shouldStopCollectingContinuously) { + { // (A) + LockHolder locker(*m_threadLock); + if (m_requests.isEmpty()) { + m_requests.append(WTF::nullopt); + m_lastGrantedTicket++; + m_threadCondition->notifyOne(locker); // (B) WAKING UP concurrent collector thread. + } + } + + { + LockHolder locker(m_collectContinuouslyLock); + ... + while (!hasElapsed(timeToWakeUp) && !m_shouldStopCollectingContinuously) + m_collectContinuouslyCondition.waitUntil(m_collectContinuouslyLock, timeToWakeUp); + } + } + + Even if m_collectContinuouslyLock is taken, collect-continuously thread is still able to wake up concurrent collector thread + since (B)'s code is not guarded by m_collectContinuouslyLock. The following sequence can happen, + + 1. The main thread calls Heap::preventCollection to ensure all collection is stopped. + 2. The collect-continuously thread is at (A) point. + 3. The main thread takes m_collectContinuouslyLock. This is OK. + 4. 
The main thread calls waitForCollector to ensure that concurrent collector thread is stopped. + 5. The collect-continuously thread executes (B). It is allowed since this is not guarded by m_collectContinuouslyLock. So, concurrent collector starts working. + 6. While the main thread called Heap::preventCollection, concurrent collector starts collection! + + We should guard (A)'s block with m_collectContinuouslyLock too. + + * heap/Heap.cpp: + (JSC::Heap::notifyIsSafeToCollect): + +2020-04-07 Saam Barati + + Delete ICs can't cache dictionaries + https://bugs.webkit.org/show_bug.cgi?id=210147 + + + Reviewed by Tadeu Zagallo. + + We were happily caching delete IC cases on a dictionary object. + This is clearly wrong, as we might cache a miss on a dictionary + on a property "P", even though we might add "P" to the structure + without transitioning it. + + * jit/Repatch.cpp: + (JSC::tryCacheDeleteBy): + +2020-04-07 Tadeu Zagallo + + Not using strict mode within ClassDeclaration statement + https://bugs.webkit.org/show_bug.cgi?id=205578 + + + Reviewed by Yusuke Suzuki. + + We correctly set strict mode when parsing classes, but we did not set it when emitting bytecode. + However, that means that we can now have a subset of a code block's bytecode that must be run in + strict mode, even when the code block itself is not strict. As it turns out, there are only ten + opcodes that need to be aware of strictness, so an extra `mode` operand was added to these opcodes. + The mode then needs to be propagated through baseline, DFG and FTL. 
+ + * API/APICallbackFunction.h: + (JSC::APICallbackFunction::call): + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::call): + * API/JSContextRef.cpp: + (JSContextGetGlobalObject): + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/BytecodeDumper.cpp: + * bytecode/BytecodeGeneratorification.cpp: + (JSC::BytecodeGeneratorification::run): + * bytecode/BytecodeList.rb: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpAssumingJITType const): + (JSC::CodeBlock::finishCreation): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::isConstructor const): + (JSC::CodeBlock::isKnownCell): + * bytecode/ExecutableInfo.h: + (JSC::ExecutableInfo::ExecutableInfo): + (JSC::ExecutableInfo::usesEval const): + * bytecode/Fits.h: + * bytecode/InlineCallFrame.cpp: + (JSC::InlineCallFrame::dumpInContext const): + * bytecode/InlineCallFrame.h: + (JSC::InlineCallFrame::isInStrictContext const): + * bytecode/PutByIdFlags.cpp: + (WTF::printInternal): + * bytecode/PutByIdFlags.h: + (JSC::PutByIdFlags::create): + (JSC::PutByIdFlags::createDirect): + (JSC::PutByIdFlags::isDirect const): + (JSC::PutByIdFlags::ecmaMode const): + (JSC::PutByIdFlags::PutByIdFlags): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::isConstructor const): + * bytecode/UnlinkedCodeBlockGenerator.h: + (JSC::UnlinkedCodeBlockGenerator::needsClassFieldInitializer const): + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::generateUnlinkedFunctionCodeBlock): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitGetFromScope): + (JSC::BytecodeGenerator::emitPutToScope): + (JSC::BytecodeGenerator::emitPutById): + (JSC::BytecodeGenerator::emitDirectPutById): + (JSC::BytecodeGenerator::emitDeleteById): + (JSC::BytecodeGenerator::emitPutByVal): + 
(JSC::BytecodeGenerator::emitDirectPutByVal): + (JSC::BytecodeGenerator::emitDeleteByVal): + (JSC::BytecodeGenerator::emitCall): + (JSC::BytecodeGenerator::emitPushFunctionNameScope): + (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): + (JSC::BytecodeGenerator::emitToThis): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::ecmaMode const): + (JSC::StrictModeScope::StrictModeScope): + * bytecompiler/NodesCodegen.cpp: + (JSC::AssignResolveNode::emitBytecode): + (JSC::EmptyLetExpression::emitBytecode): + (JSC::ForInNode::emitLoopHeader): + (JSC::ForOfNode::emitBytecode): + (JSC::ClassExprNode::emitBytecode): + (JSC::BindingNode::bindValue const): + (JSC::AssignmentElementNode::bindValue const): + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::thisValue const): + (JSC::DebuggerCallFrame::evaluateWithScopeExtension): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::isToThisAnIdentity): + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::addCall): + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::handleDOMJITCall): + (JSC::DFG::ByteCodeParser::handleDeleteById): + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + (JSC::DFG::ByteCodeParser::handlePutByVal): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupToThis): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::globalThisObjectFor): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasECMAMode): + (JSC::DFG::Node::ecmaMode): + * dfg/DFGOpInfo.h: + (JSC::DFG::OpInfo::OpInfo): + * dfg/DFGOperations.cpp: + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + * 
dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): + (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): + (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString): + (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol): + (JSC::DFG::SpeculativeJIT::compilePutDynamicVar): + (JSC::DFG::SpeculativeJIT::compilePutByIdFlush): + (JSC::DFG::SpeculativeJIT::compilePutById): + (JSC::DFG::SpeculativeJIT::compilePutByIdDirect): + (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis): + (JSC::DFG::SpeculativeJIT::compileToThis): + (JSC::DFG::SpeculativeJIT::cachedPutById): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::compileDeleteById): + (JSC::DFG::SpeculativeJIT::compileDeleteByVal): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileToThis): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compilePutById): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::internalConstructorName): + * interpreter/Interpreter.cpp: + (JSC::eval): + (JSC::Interpreter::execute): + * interpreter/Interpreter.h: + * jit/AssemblyHelpers.h: + * jit/JITCall.cpp: + (JSC::JIT::compileCallEval): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITPutByIdGenerator::slowPathFunction): + * jit/JITInlineCacheGenerator.h: + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + * jit/JITInlines.h: + (JSC::JIT::linkSlowCaseIfNotJSCell): + 
(JSC::JIT::emitJumpSlowCaseIfNotJSCell): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::emitSlow_op_del_by_id): + (JSC::JIT::emitSlow_op_del_by_val): + (JSC::JIT::emit_op_put_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_put_by_val): + * jit/Repatch.cpp: + (JSC::tryCacheDeleteBy): + (JSC::repatchDeleteBy): + * jit/Repatch.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::commonCallEval): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncJoin): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + * runtime/CachedTypes.cpp: + (JSC::CachedCodeBlock::usesEval const): + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + (JSC::CachedCodeBlock::encode): + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::getOwnPropertySlot): + (JSC::ClonedArguments::materializeSpecials): + * runtime/CodeCache.cpp: + (JSC::generateUnlinkedCodeBlockImpl): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPathsInlines.h: + (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): + (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): + * runtime/Completion.cpp: + (JSC::evaluate): + * runtime/DirectEvalExecutable.cpp: + (JSC::DirectEvalExecutable::create): + * runtime/DirectEvalExecutable.h: + * runtime/ECMAMode.cpp: Copied from Source/JavaScriptCore/bytecode/PutByIdFlags.cpp. + (JSC::ECMAMode::dump const): + * runtime/ECMAMode.h: Copied from Source/JavaScriptCore/bytecode/PutByIdFlags.h. 
+ (JSC::ECMAMode::fromByte): + (JSC::ECMAMode::strict): + (JSC::ECMAMode::sloppy): + (JSC::ECMAMode::isStrict const): + (JSC::ECMAMode::value const): + (JSC::ECMAMode::ECMAMode): + * runtime/EvalExecutable.h: + (JSC::EvalExecutable::executableInfo const): + * runtime/FunctionExecutable.h: + * runtime/GetPutInfo.cpp: + (JSC::GetPutInfo::dump const): + * runtime/GetPutInfo.h: + (JSC::GetPutInfo::GetPutInfo): + (JSC::GetPutInfo::ecmaMode const): + * runtime/GetterSetter.cpp: + (JSC::callSetter): + * runtime/IndirectEvalExecutable.cpp: + (JSC::IndirectEvalExecutable::create): + (JSC::IndirectEvalExecutable::IndirectEvalExecutable): + * runtime/IndirectEvalExecutable.h: + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toThisSlowCase const): + (JSC::JSValue::putToPrimitive): + * runtime/JSCJSValue.h: + * runtime/JSCell.cpp: + (JSC::JSCell::toThis): + * runtime/JSFunction.cpp: + (JSC::JSFunction::selectStructureForNewFuncExp): + (JSC::JSFunction::callerGetter): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncEval): + (JSC::globalFuncProtoGetter): + (JSC::globalFuncProtoSetter): + * runtime/JSObject.cpp: + (JSC::JSObject::putInlineSlow): + (JSC::JSObject::setPrototypeWithCycleCheck): + * runtime/JSScope.cpp: + (JSC::JSScope::toThis): + * runtime/JSString.cpp: + (JSC::JSString::toThis): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::parse): + * runtime/ModuleProgramExecutable.h: + * runtime/NullSetterFunction.cpp: + (JSC::GetCallerStrictnessFunctor::operator() const): + (JSC::NullSetterFunctionInternal::callReturnUndefined): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncValueOf): + (JSC::objectProtoFuncHasOwnProperty): + (JSC::objectProtoFuncIsPrototypeOf): + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + (JSC::objectProtoFuncLookupGetter): + (JSC::objectProtoFuncLookupSetter): + (JSC::objectProtoFuncPropertyIsEnumerable): + (JSC::objectProtoFuncToLocaleString): + (JSC::objectProtoFuncToString): + * 
runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + * runtime/ProgramExecutable.h: + * runtime/ProxyObject.cpp: + (JSC::performProxyCall): + * runtime/ScriptExecutable.h: + (JSC::ScriptExecutable::isArrowFunctionContext const): + (JSC::ScriptExecutable::isInStrictContext const): + * runtime/SparseArrayValueMap.cpp: + (JSC::SparseArrayEntry::put): + +2020-04-07 Saam Barati + + RAMification should have a way of gathering vmmaps for each test at the end of each run + https://bugs.webkit.org/show_bug.cgi?id=210060 + + Reviewed by Yusuke Suzuki. + + * jsc.cpp: + (main): + +2020-04-07 Yusuke Suzuki + + [JSC] ScopedArgumentsTable should handle OOM in tolerant manner + https://bugs.webkit.org/show_bug.cgi?id=210126 + + Reviewed by Mark Lam. + + This patch makes ScopedArgumentsTable allocations OOM tolerant to throw OOM error when allocation fails. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + * runtime/CachedTypes.cpp: + (JSC::CachedScopedArgumentsTable::decode const): + * runtime/ScopedArguments.cpp: + (JSC::ScopedArguments::unmapArgument): + * runtime/ScopedArgumentsTable.cpp: + (JSC::ScopedArgumentsTable::tryClone): + (JSC::ScopedArgumentsTable::trySetLength): + (JSC::ScopedArgumentsTable::trySet): + (JSC::ScopedArgumentsTable::clone): Deleted. + (JSC::ScopedArgumentsTable::setLength): Deleted. + (JSC::ScopedArgumentsTable::set): Deleted. + * runtime/ScopedArgumentsTable.h: + * runtime/SymbolTable.h: + +2020-04-07 Yusuke Suzuki + + [JSC] JSWrapperObject should use JSInternalFieldObjectImpl + https://bugs.webkit.org/show_bug.cgi?id=210019 + + Reviewed by Mark Lam. + + JSWrapperObject's mechanism can be basically implemented by using JSInternalFieldObjectImpl. + We should leverage JSInternalFieldObjectImpl to implement JSWrapperObject since it can pave + the way to implementing Object-Allocation-Sinking and faster access to value etc. in DFG without + duplicating code. 
+ + We also noticed that we are storing classInfo to JSWrapperObject when allocating StringObject in + DFG and FTL while JSWrapperObject is no longer inheriting JSDestructibleObject! But it turned out + that this is safe since the subsequent JSWrapperObject::internalValue setting can overwrite it. + We remove this wrong store. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewStringObject): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject): Deleted. + * ftl/FTLAbstractHeapRepository.cpp: + (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject): + (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted. + * runtime/BigIntObject.h: + * runtime/BooleanObject.h: + * runtime/JSDestructibleObject.h: + (JSC::JSDestructibleObject::classInfo const): + (JSC::JSDestructibleObject::classInfoOffset): Deleted. + * runtime/JSWrapperObject.cpp: + (JSC::JSWrapperObject::visitChildren): + * runtime/JSWrapperObject.h: + (JSC::JSWrapperObject::internalValueOffset): + (JSC::JSWrapperObject::internalValue const): + (JSC::JSWrapperObject::setInternalValue): + (JSC::JSWrapperObject::createStructure): Deleted. + * runtime/NumberObject.h: + * runtime/StringObject.h: + * runtime/SymbolObject.h: + +2020-04-07 Yusuke Suzuki + + [JSC] Inlined IC should get right JSGlobalObject + https://bugs.webkit.org/show_bug.cgi?id=210092 + + Reviewed by Tadeu Zagallo. + + In DFG / FTL, CodeBlock in AccessCase is the DFG / FTL CodeBlock which includes all the inlined CodeBlocks. + If inlining happens with CodeBlock which has different JSGlobalObject, CodeBlock->globalObject() is different + to the actual lexical JSGlobalObject of the IC. 
So basically, we should not rely on codeBlock->globalObject() in IC. + + This patch passes the correct lexical JSGlobalObject to IC to use. We do not retain this JSGlobalObject. + Since this is lexical JSGlobalObject of that IC, the owner CodeBlock of this IC should already retain it (even if this + JSGlobalObject is one of inlined CodeBlock since the owner CodeBlock retains inlined lower-tier CodeBlocks). + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::regenerate): + * bytecode/PolymorphicAccess.h: + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::addAccessCase): + * bytecode/StructureStubInfo.h: + * jit/Repatch.cpp: + (JSC::tryCacheGetBy): + (JSC::tryCacheArrayGetByVal): + (JSC::tryCachePutByID): + (JSC::tryCacheDeleteBy): + (JSC::tryCacheInByID): + (JSC::tryCacheInstanceOf): + * tools/JSDollarVM.cpp: + +2020-04-07 Yusuke Suzuki + + [JSC] $.evalScript should check exception when accessing "global" + https://bugs.webkit.org/show_bug.cgi?id=210114 + + + Reviewed by Keith Miller. + + $.evalScript should check exception after "global" property access since it can throw an error if it is an accessor. + + * jsc.cpp: + (functionDollarEvalScript): + +2020-04-06 Devin Rousso + + Web Inspector: `console.log(...)` appear as `CONSOLE LOG LOG` in the system console + https://bugs.webkit.org/show_bug.cgi?id=210083 + + Reviewed by Timothy Hatcher. + + * runtime/ConsoleClient.cpp: + (JSC::appendMessagePrefix): + +2020-04-06 Mark Lam + + REGRESSION: 68000 JSC tests failing. + https://bugs.webkit.org/show_bug.cgi?id=210078 + + + Reviewed by Yusuke Suzuki. + + The missing exception check is in jsc shell's GlobalObject::finishCreation(). + Since this is just a debugging tool, and this exception will never be thrown in + practice, I've placated the validator by RELEASE_ASSERT'ing that the exception + will never be thrown. 
+ + * jsc.cpp: + +2020-04-06 Ross Kirsling + + Update minimum ICU version to 60.2 + https://bugs.webkit.org/show_bug.cgi?id=209694 + + Reviewed by Darin Adler. + + * icu/LICENSE: Deleted. + * icu/README: Deleted. + Remove leftover files following r219155. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::UFieldPositionIteratorDeleter::operator() const): + (JSC::IntlDateTimeFormat::partTypeString): + (JSC::IntlDateTimeFormat::formatToParts): + * runtime/IntlDateTimeFormat.h: + * runtime/IntlDateTimeFormatPrototype.cpp: + (JSC::IntlDateTimeFormatPrototype::finishCreation): + (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::partTypeString): + (JSC::IntlNumberFormat::formatToParts): + * runtime/IntlNumberFormat.h: + * runtime/IntlNumberFormatPrototype.cpp: + (JSC::IntlNumberFormatPrototype::finishCreation): + (JSC::IntlNumberFormatPrototypeFuncFormatToParts): + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::resolvedOptions): + (JSC::IntlPluralRules::select): + * runtime/IntlPluralRules.h: + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::decode): + Remove obsoleted compile-time version checks. + +2020-04-06 Fujii Hironori + + [Clang 10] Fix -Wimplicit-int-float-conversion compilation warnings in JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=210038 + + Reviewed by Darin Adler. + + Clang 10 reports a compilation warning in JavaScriptCore: + > ..\..\Source\JavaScriptCore\bytecode/CodeBlock.cpp(3002,24): warning: implicit conversion from 'unsigned long long' to 'double' changes value from 18446744073709551615 to 18446744073709551616 [-Wimplicit-int-float-conversion] + > if (doubleResult > std::numeric_limits::max()) + > ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Use a template variable maxPlusOne which was added by r259537 + for the purpose. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::predictedMachineCodeSize): Replaced '>' with '>=', + and std::numeric_limits::max() with maxPlusOne. + +2020-04-06 Rick Waldron and Alexey Shvayka + + Remove unnecessary Test262 harness file and implement $262.IsHTMLDDA + https://bugs.webkit.org/show_bug.cgi?id=187526 + + Reviewed by Darin Adler. + + Test262 harness requires [1] $262.IsHTMLDDA to be an object with [[IsHTMLDDA]] slot [2], + much like `document.all`. It is used in a few tests to make sure that runtimes strictly + compare values with `null` and `undefined`. + + With this change, `makeMasquerader` returns callable masquerader to mimic `document.all` + in the wild. In order to avoid `masqueradesAsUndefinedWatchpoint` being fired during + initialization of JSC shell, $262.IsHTMLDDA is a getter. + + [1]: https://github.com/tc39/test262/blob/master/INTERPRETING.md#host-defined-functions + [2]: https://tc39.es/ecma262/#sec-IsHTMLDDA-internal-slot + + * jsc.cpp: + (functionMakeMasquerader): + (functionCallMasquerader): + (JSC::Masquerader::Masquerader): Deleted. + (JSC::Masquerader::subspaceFor): Deleted. + (JSC::Masquerader::create): Deleted. + (JSC::Masquerader::createStructure): Deleted. + * runtime/JSObject.h: + +2020-04-06 Justin Michaud + + Allow deleteById to be cached in the DFG + https://bugs.webkit.org/show_bug.cgi?id=208664 + + Reviewed by Saam Barati. + + When we see that the deleteById inline cache only saw one structure, we inline it into the DFG. This involves + creating a new node, FilterDeleteByStatus, and then turning these DeleteById nodes into a FilterDeleteByStatus, + CheckStructure, PutByOffset, then PutStructure (or just a CheckStructure in the case of a miss). The logic for + pessimising this optimization is the same as for PutById, giving inlined functions the opportunity to use only + the DFG profiling information, while everything else uses the DFG+Baseline information. 
+ + This also adds a MultiDeleteByOffset node, for the case when there are multiple structures seen by the delete. If + all of the cases are the same kind of miss, then we only emit a CheckStructure and constant. + + Finally, if we see a delete by val with a single identifier, we inline that too. + + This patch removes a dead code path from deleteProperty that checks if we need to nuke the object's butterfly. + This also fixes a bug where we were checking the neutering status of typed arrays for named properties when we should + only check for indexed properties. The behavior of this now matches for all tiers including when cached. + + The benchmark shows a 2x improvement on polyvariant-delete-property, and a 50% improvement on delete-property-allocation-sinking. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/AccessCase.cpp: + (JSC::AccessCase::createDelete): + (JSC::AccessCase::generateImpl): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::getICStatusMap): + * bytecode/DeleteByIdVariant.cpp: Added. + (JSC::DeleteByIdVariant::DeleteByIdVariant): + (JSC::DeleteByIdVariant::~DeleteByIdVariant): + (JSC::DeleteByIdVariant::operator=): + (JSC::DeleteByIdVariant::attemptToMerge): + (JSC::DeleteByIdVariant::writesStructures const): + (JSC::DeleteByIdVariant::visitAggregate): + (JSC::DeleteByIdVariant::markIfCheap): + (JSC::DeleteByIdVariant::dump const): + (JSC::DeleteByIdVariant::finalize): + (JSC::DeleteByIdVariant::dumpInContext const): + * bytecode/DeleteByIdVariant.h: Added. + (JSC::DeleteByIdVariant::oldStructure const): + (JSC::DeleteByIdVariant::newStructure const): + (JSC::DeleteByIdVariant::result const): + (JSC::DeleteByIdVariant::offset const): + (JSC::DeleteByIdVariant::isPropertyUnset const): + (JSC::DeleteByIdVariant::identifier const): + (JSC::DeleteByIdVariant::overlaps): + * bytecode/DeleteByStatus.cpp: Added. 
+ (JSC::DeleteByStatus::appendVariant): + (JSC::DeleteByStatus::computeForBaseline): + (JSC::DeleteByStatus::DeleteByStatus): + (JSC::DeleteByStatus::computeForStubInfoWithoutExitSiteFeedback): + (JSC::DeleteByStatus::computeFor): + (JSC::DeleteByStatus::slowVersion const): + (JSC::DeleteByStatus::merge): + (JSC::DeleteByStatus::filter): + (JSC::DeleteByStatus::singleIdentifier const): + (JSC::DeleteByStatus::visitAggregate): + (JSC::DeleteByStatus::markIfCheap): + (JSC::DeleteByStatus::finalize): + (JSC::DeleteByStatus::dump const): + * bytecode/DeleteByStatus.h: Added. + * bytecode/ICStatusMap.h: + * bytecode/RecordedStatuses.cpp: + (JSC::RecordedStatuses::operator=): + (JSC::RecordedStatuses::addDeleteByStatus): + (JSC::RecordedStatuses::visitAggregate): + (JSC::RecordedStatuses::markIfCheap): + * bytecode/RecordedStatuses.h: + (JSC::RecordedStatuses::forEachVector): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::filterICStatus): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleDeleteById): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + (JSC::DFG::ConstantFoldingPhase::emitDeleteByOffset): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGGraph.h: + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.cpp: + (JSC::DFG::MultiDeleteByOffsetData::writesStructures const): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasMultiDeleteByOffsetData): + (JSC::DFG::Node::multiDeleteByOffsetData): + (JSC::DFG::Node::hasDeleteByStatus): + (JSC::DFG::Node::deleteByStatus): + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * 
dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): + * dfg/DFGValidate.cpp: + * dfg/DFGVarargsForwardingPhase.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileMultiDeleteByOffset): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::deleteProperty): + * runtime/JSObject.cpp: + (JSC::JSObject::deleteProperty): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::mayHaveIndexingHeader const): Deleted. + (JSC::Structure::canCacheDeleteIC const): Deleted. + +2020-04-06 Saam Barati + + Implement 1GB of executable memory on arm64 + https://bugs.webkit.org/show_bug.cgi?id=208490 + + + Reviewed by Keith Miller. + + This patch implements the 1GB executable memory space on arm64. To make this + work, we implement jumps larger than +/-128MB to use jump islands. Jump islands + work by splitting up the ~1GB region into 9 112MB chunks (1008 MB total). Each + chunk is split into two: 96MB of executable region, and 16MB of jump island region. + With this split, any jump inside a jump island region can get to the adjacent + island (forwards or backwards) in a single +/-128MB jump. When linking a jump + from A to B, where |A - B| > 128MB, we instead point the jump to an island, + where this island has a potential series of jumps that finally lands at B. + + To allocate executable memory, use a MetaAllocator for each 96MB chunk. To + allocate islands, we have a bit vector we use to track used and freed islands. 
+ We only grow this bit vector as islands are allocated, so it frequently + remains empty or very small. + + The goal of this patch is to have minimal perf impact when not using islands, + so the data structures are designed to only incur overhead when actually using + islands. We expect the use of islands to be minimal. We use a red black tree + to track all island locations. This allows us to deallocate all islands when + an executable memory handle is freed. Typically, this red black tree is empty, + so freeing an executable memory handle incurs no extra overhead. + + To make islands work for Wasm, we now have to link tier up code in two phases. + Previously, we would just patch jumps concurrently to Wasm threads running after + resetting the icache, knowing that we would be able to atomically update the jump + instruction to point to the new destination. However, now when repatching these + jumps in a world with jump islands, we might need to allocate islands depending + on the jump location and its target. So we now allocate and collect the set of islands, + then reset the icache, then atomically update the branch to point to the destination + (or an island that jumps to the destination). One important implementation detail + here is that for normal island repatching, if we have a jump from A to B, and it + allocates a set if islands X, we usually can deallocate X when repatching A to go to B'. + This is because the typical repatch scenario in JS happens when that code is not being + executed. For Wasm though, those islands X might be running while we want to repatch + A to go to B'. So instead of deallocating X, we just append to X in this scenario, and + we free the new set X' when the code itself is freed. + + (This patch also fixes a bug in the Wasm LLInt to BBQ tier up that I spotted, + where we would publish a LLInt callee's BBQ replacement before we finished + linking the outgoing calls of the BBQ replacement.) 
+ + This patch also removes the old "CodeProfiling" code that has been unused for + a long time. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::b): + (JSC::ARM64Assembler::bl): + (JSC::ARM64Assembler::replaceWithJump): + (JSC::ARM64Assembler::prepareForAtomicRelinkJumpConcurrently): + (JSC::ARM64Assembler::prepareForAtomicRelinkCallConcurrently): + (JSC::ARM64Assembler::computeJumpType): + (JSC::ARM64Assembler::canEmitJump): + (JSC::ARM64Assembler::linkJumpOrCall): + (JSC::ARM64Assembler::linkCompareAndBranch): + (JSC::ARM64Assembler::linkConditionalBranch): + (JSC::ARM64Assembler::linkTestAndBranch): + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::prepareForAtomicRepatchNearCallConcurrently): + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + (JSC::LinkBuffer::linkCode): + (JSC::LinkBuffer::allocate): + (JSC::LinkBuffer::performFinalization): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::LinkBuffer): + (JSC::LinkBuffer::setIsJumpIsland): + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef): + * jit/ExecutableAllocator.cpp: + (JSC::initializeJITPageReservation): + (JSC::ExecutableAllocator::initializeUnderlyingAllocator): + (JSC::ExecutableAllocator::isValid const): + (JSC::ExecutableAllocator::allocate): + (JSC::ExecutableAllocator::getJumpIslandTo): + (JSC::ExecutableAllocator::getJumpIslandToConcurrently): + (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator): Deleted. + * jit/ExecutableAllocator.h: + (JSC::ExecutableAllocatorBase::allocate): + * runtime/CommonSlowPaths.cpp: + * runtime/Completion.cpp: + (JSC::evaluate): + * runtime/JSModuleLoader.cpp: + (JSC::moduleLoaderParseModule): + * runtime/OptionsList.h: + * tools/CodeProfile.cpp: + (JSC::truncateTrace): Deleted. + (JSC::CodeProfile::sample): Deleted. + (JSC::CodeProfile::report): Deleted. 
+ * tools/CodeProfile.h: + (JSC::CodeProfile::CodeProfile): Deleted. + (JSC::CodeProfile::parent): Deleted. + (JSC::CodeProfile::addChild): Deleted. + (): Deleted. + (JSC::CodeProfile::CodeRecord::CodeRecord): Deleted. + * tools/CodeProfiling.cpp: + (JSC::setProfileTimer): Deleted. + (JSC::profilingTimer): Deleted. + (JSC::CodeProfiling::sample): Deleted. + (JSC::CodeProfiling::notifyAllocator): Deleted. + (JSC::CodeProfiling::getOwnerUIDForPC): Deleted. + (JSC::CodeProfiling::begin): Deleted. + (JSC::CodeProfiling::end): Deleted. + * tools/CodeProfiling.h: + (): Deleted. + (JSC::CodeProfiling::CodeProfiling): Deleted. + (JSC::CodeProfiling::~CodeProfiling): Deleted. + (JSC::CodeProfiling::enabled): Deleted. + (JSC::CodeProfiling::beVerbose): Deleted. + (JSC::CodeProfiling::beVeryVerbose): Deleted. + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::work): + * wasm/WasmCodeBlock.h: + * wasm/WasmOMGForOSREntryPlan.cpp: + (JSC::Wasm::OMGForOSREntryPlan::work): + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::updateCallSitesToCallUs): + * wasm/WasmPlan.h: + +2020-04-06 Yusuke Suzuki + + [JSC] Since ArrayBufferViewWatchpointAdaptor::add can fire watchpoints, DFG::Plan should check validity of CodeBlock after executing reallyAdd + https://bugs.webkit.org/show_bug.cgi?id=210055 + + + Reviewed by Keith Miller. + + Since ArrayBufferViewWatchpointAdaptor::add can fire watchpoints, it is possible that the DFG CodeBlock is already invalidated after executing DFG::Plan::reallyAdd. + We should check CodeBlock's validity again and terminate DFG::Plan::finalizeWithoutNotifyingCallback with CompilationInvalidated if CodeBlock got invalidated. + + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): + +2020-04-06 Yusuke Suzuki + + [JSC] Put ensureStillAliveHere for Integer TypedArrays in GetByVal + https://bugs.webkit.org/show_bug.cgi?id=210047 + + Reviewed by Mark Lam. 
+ + While r258381 puts ensureStillAliveHere in FTL to keep base alive for float/double TypedArrays, + we need to do the same thing for integer TypedArrays too. This patch places it. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + +2020-04-05 Gus Caplan and Ross Kirsling + + DLLLauncherMain print to console instead of opening window on fatal error + https://bugs.webkit.org/show_bug.cgi?id=206537 + + Reviewed by Fujii Hironori. + + * shell/DLLLauncherMain.cpp: + (fatalError): + +2020-04-05 Ross Kirsling + + JSC shell shouldn't treat NUL as a terminator when printing a JS string + https://bugs.webkit.org/show_bug.cgi?id=210037 + + Reviewed by Darin Adler. + + Since JS strings aren't null-terminated, it's probably a better experience to not stop printing when we see \0. + That is, 'abc\0def' should be printed as `abcdef` and not `abc`. + + This patch updates our printing of evaluation results as well as the print / printErr / debug functions. + + * jsc.cpp: + (printInternal): + (functionDebug): + (runInteractive): + +2020-04-05 Yusuke Suzuki + + Putting "memory" back to ensureStillAliveHere + https://bugs.webkit.org/show_bug.cgi?id=210028 + + Reviewed by Keith Miller. + + We put "memory" back to make ensureStillAliveHere compiler-barrier. + + * runtime/EnsureStillAliveHere.h: + (JSC::ensureStillAliveHere): + * runtime/JSCJSValue.h: + (JSC::ensureStillAliveHere): + +2020-04-05 Mark Lam + + ARM64 moveConditionallyDouble() for DoubleNotEqualAndOrdered is wrong. + https://bugs.webkit.org/show_bug.cgi?id=210039 + + + Reviewed by Yusuke Suzuki. + + For the scenario where the dest register is same as the then case register, there + is one csel instruction that should be checking the overflow condition to test + for unordered operands. Instead, we were testing for the not equal condition. + This patch fixes it to check for the overflow condition. + + This bug was caught by testmasm. 
+ + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare): + +2020-04-05 David Kilzer + + Sort JavaScriptCore Xcode project file + + * JavaScriptCore.xcodeproj/project.pbxproj: Sort the project + file to try to force buildbots to rebuild and resign + JavaScriptCore.framework. Some bots are stuck with a codesign + error after r259545. + +2020-04-05 Keith Miller + + ensureStillAliveHere can take the value in any location + https://bugs.webkit.org/show_bug.cgi?id=210028 + + Reviewed by Mark Lam. + + It shouldn't matter if the value is on the stack or in a register + because we're not going to do anything with it. Also, there's no + reason to clobber memory. + + * runtime/EnsureStillAliveHere.h: + (JSC::ensureStillAliveHere): + +2020-04-05 Zan Dobersek + + Unreviewed, adding missing header inclusions to get + non-unified build building. + + * heap/HeapSnapshotBuilder.h: + * tools/Integrity.h: + +2020-04-05 Mark Lam + + Change s_entropyBitsShiftForStructurePointer to 48 bits. + https://bugs.webkit.org/show_bug.cgi?id=210022 + + + Reviewed by Keith Miller. + + This is ok because the top 16 bits of the 64-bit address is not used. We can + fill out the top 16-bits of the encodedStructureBits with the lowest 16-bits of + the StructureID (which includes the 7-bits of entropy). + + * runtime/StructureIDTable.h: + +2020-04-05 Yusuke Suzuki + + [JSC] JSArrayIterator's size is wrong + https://bugs.webkit.org/show_bug.cgi?id=210020 + + Reviewed by Mark Lam. + + Internal-size of JSArrayIterator should be 3, not 4. + + * runtime/JSArrayIterator.h: + +2020-04-05 Mark Lam + + Rolling out r259545: causing CodeSigning error in jsc EWS bot. + https://bugs.webkit.org/show_bug.cgi?id=210018 + + Not reviewed. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-04-05 Mark Lam + + Add some structureID integrity checks to various runtime functions. + https://bugs.webkit.org/show_bug.cgi?id=210015 + + + Reviewed by Keith Miller. 
+ + Specifically, implementations of toString(), toValue(), and a few others. + I also moved the HeapCell version of ensureStillAliveHere() into the new + EnsureStillAliveHere.h/cpp since it's useful for any pointers, not just HeapCells. + + This change is performance neutral on JetStream 2.0, Speedometer-2, and PLT5. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/HeapCell.cpp: + (JSC::ensureStillAliveHere): Deleted. + * heap/HeapCell.h: + (JSC::ensureStillAliveHere): Deleted. + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::appendJSCellOrAuxiliary): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToString): + * runtime/BigIntPrototype.cpp: + (JSC::bigIntProtoFuncToStringImpl): + (JSC::bigIntProtoFuncValueOf): + * runtime/BooleanPrototype.cpp: + (JSC::booleanProtoFuncToString): + (JSC::booleanProtoFuncValueOf): + * runtime/DatePrototype.cpp: + (JSC::formatLocaleDate): + (JSC::formateDateInstance): + (JSC::dateProtoFuncToISOString): + (JSC::dateProtoFuncToPrimitiveSymbol): + * runtime/EnsureStillAliveHere.cpp: Added. + (JSC::ensureStillAliveHere): + * runtime/EnsureStillAliveHere.h: Added. + (JSC::ensureStillAliveHere): + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::sanitizedToString): + * runtime/ErrorPrototype.cpp: + (JSC::errorProtoFuncToString): + * runtime/FunctionPrototype.cpp: + (JSC::functionProtoFuncToString): + * runtime/JSCell.cpp: + (JSC::JSCell::toObjectSlow const): + * runtime/NumberPrototype.cpp: + (JSC::toThisNumber): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncValueOf): + (JSC::objectProtoFuncToString): + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoFuncToString): + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncToString): + * runtime/StructureIDTable.h: + (JSC::StructureIDTable::validate): + (JSC::StructureIDTable::isValid): Deleted. 
+ * runtime/SymbolPrototype.cpp: + (JSC::symbolProtoGetterDescription): + (JSC::symbolProtoFuncToString): + (JSC::symbolProtoFuncValueOf): + * tools/Integrity.h: + * tools/IntegrityInlines.h: + (JSC::Integrity::auditStructureID): + * wasm/js/WebAssemblyGlobalPrototype.cpp: + (JSC::getGlobal): + +2020-04-05 Alexey Shvayka + + Octal escapes should be max 3 digits and syntax errors in Unicode patterns + https://bugs.webkit.org/show_bug.cgi?id=167067 + + Reviewed by Ross Kirsling. + + This patch: + + a) Adds SyntaxError for octal escapes in Unicode patterns, while preserving /\0/u + being parsed as null character escape. Grammar: https://tc39.es/ecma262/#prod-CharacterEscape + + b) Limits consumeOctal() to 3 digits only, preventing it from consuming leading zeros. + Grammar: https://tc39.es/ecma262/#prod-annexB-LegacyOctalEscapeSequence + + Both changes align JSC with V8 and SpiderMonkey. + + * yarr/YarrErrorCode.cpp: + (JSC::Yarr::errorMessage): + (JSC::Yarr::errorToThrow): + * yarr/YarrErrorCode.h: + * yarr/YarrParser.h: + (JSC::Yarr::Parser::parseEscape): + (JSC::Yarr::Parser::consumeOctal): + +2020-04-04 Keith Miller + + copy jsc CLI into JavaScriptCore.framework earlier + https://bugs.webkit.org/show_bug.cgi?id=210018 + + Reviewed by Mark Lam. + + Some of our test scripts only copy the JavaScriptCore.framework + into the test directory and try to run jsc from there. We should + copy the jsc CLI ASAP so we don't need to build all the other test + binaries unless we actually need them. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-04-04 Alexey Shvayka + + '\u' should throw an early SyntaxError exception, but instead evaluates to 'u' + https://bugs.webkit.org/show_bug.cgi?id=198790 + + Reviewed by Yusuke Suzuki. + + This change removes special-case for '\u', invoking parseUnicodeEscape() right away, + aligning string literals with ES6 template literals. parseComplexEscape() method + signature is greatly simplified, JSC is aligned with V8 and SpiderMonkey. 
+ 
+ Grammar: https://tc39.es/ecma262/#prod-UnicodeEscapeSequence
+ (Hex4Digits or '{' is required, otherwise parsing fails)
+ 
+ * parser/Lexer.cpp:
+ (JSC::Lexer::parseComplexEscape):
+ (JSC::Lexer::parseStringSlowCase):
+ (JSC::Lexer::parseTemplateLiteral):
+ * parser/Lexer.h:
+ 
+2020-04-03 Yusuke Suzuki
+ 
+ [JSC] canonicalizeLocaleList should gracefully throw OOM error if input
+ error message is too large
+ https://bugs.webkit.org/show_bug.cgi?id=209971
+ 
+ 
+ Reviewed by Mark Lam.
+ 
+ canonicalizeLocaleList generates error-message with input. If input is too large, error-message string
+ generation could fail due to OOM. We should gracefully throw OOM error instead of crashing. This strategy
+ follows to `createError`'s error-message generation: if error-message generation fails, throwing OOM error.
+ 
+ * runtime/IntlObject.cpp:
+ (JSC::canonicalizeLocaleList):
+ 
+2020-04-03 Ross Kirsling
+ 
+ Move Intl tests from LayoutTests to JSTests
+ https://bugs.webkit.org/show_bug.cgi?id=209922
+ 
+ Reviewed by Yusuke Suzuki.
+ 
+ * tools/JSDollarVM.cpp:
+ (JSC::functionSetUserPreferredLanguages):
+ (JSC::JSDollarVM::finishCreation):
+ Add $vm.setUserPreferredLanguages, as needed by stress/intl-default-locale.js.
+ 
+2020-04-03 Devin Rousso
+ 
+ Web Inspector: increase the auto-inspect debugger timeout delay to account for slower networks/devices
+ https://bugs.webkit.org/show_bug.cgi?id=209940
+ 
+ 
+ Reviewed by Joseph Pecoraro.
+ 
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
+ 
+2020-04-03 Yusuke Suzuki
+ 
+ [JSC] TypedArray#subarray should throw OOM error gracefully
+ https://bugs.webkit.org/show_bug.cgi?id=209974
+ 
+ 
+ Reviewed by Mark Lam.
+ 
+ After r259069 change, possiblySharedBuffer can return nullptr if OOM happens.
+ However, TypedArray#subarray didn't handle this case properly. This patch throws
+ an OOM error appropriately if possiblySharedBuffer returns nullptr in TypedArray#subarray.
+ 
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+ 
+2020-04-03 David Kilzer
+ 
+ [Xcode] Replace ASAN_OTHER_CFLAGS and ASAN_OTHER_CPLUSPLUSFLAGS with $(inherited)
+ 
+ 
+ 
+ Reviewed by Alexey Proskuryakov.
+ 
+ * Configurations/Base.xcconfig:
+ * Configurations/ToolExecutable.xcconfig:
+ - Remove ASAN_OTHER_CFLAGS, ASAN_OTHER_CPLUSPLUSFLAGS and
+ ASAN_OTHER_LDFLAGS.
+ 
+2020-04-03 Yusuke Suzuki
+ 
+ Unreviewed, partially reverting Structure change due to Speedometer2 regression
+ https://bugs.webkit.org/show_bug.cgi?id=207827
+ 
+ Not reverting WTF changes.
+ 
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::createTransition):
+ (JSC::AccessCase::createDelete):
+ (JSC::AccessCase::propagateTransitions const):
+ * bytecode/AccessCase.h:
+ (JSC::AccessCase::structure const):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+ (JSC::DFG::SpeculativeJIT::compileObjectKeys):
+ (JSC::DFG::SpeculativeJIT::compileCreateThis):
+ (JSC::DFG::SpeculativeJIT::compileCreatePromise):
+ (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ (JSC::FTL::DFG::LowerDFGToB3::loadStructureClassInfo): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::loadStructureCachedPrototypeChainOrRareData): Deleted.
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitLoadClassInfoFromStructure): Deleted.
+ * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_create_this): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_create_this): + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + (JSC::tryCacheDeleteBy): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::createStructure): + * runtime/ConcurrentJSLock.h: + (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase): + (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker): + (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker): + (JSC::ConcurrentJSLocker::ConcurrentJSLocker): + (JSC::GCSafeConcurrentJSLockerImpl::GCSafeConcurrentJSLockerImpl): Deleted. + (JSC::GCSafeConcurrentJSLockerImpl::~GCSafeConcurrentJSLockerImpl): Deleted. + (JSC::ConcurrentJSLockerImpl::ConcurrentJSLockerImpl): Deleted. + * runtime/JSCell.h: + * runtime/JSObject.cpp: + (JSC::JSObject::deleteProperty): + (JSC::JSObject::shiftButterflyAfterFlattening): + * runtime/JSObject.h: + (JSC::JSObject::getDirectConcurrently const): + * runtime/JSObjectInlines.h: + (JSC::JSObject::prepareToPutDirectWithoutTransition): + * runtime/JSType.cpp: + (WTF::printInternal): + * runtime/JSType.h: + * runtime/Structure.cpp: + (JSC::StructureTransitionTable::contains const): + (JSC::StructureTransitionTable::get const): + (JSC::StructureTransitionTable::add): + (JSC::Structure::dumpStatistics): + (JSC::Structure::Structure): + (JSC::Structure::create): + (JSC::Structure::findStructuresAndMapForMaterialization): + (JSC::Structure::materializePropertyTable): + (JSC::Structure::addPropertyTransitionToExistingStructureImpl): + (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): + (JSC::Structure::addNewPropertyTransition): + (JSC::Structure::removePropertyTransitionFromExistingStructureConcurrently): + (JSC::Structure::removeNewPropertyTransition): + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::attributeChangeTransition): + 
(JSC::Structure::toDictionaryTransition): + (JSC::Structure::takePropertyTableOrCloneIfPinned): + (JSC::Structure::nonPropertyTransitionSlow): + (JSC::Structure::flattenDictionaryStructure): + (JSC::Structure::pin): + (JSC::Structure::pinForCaching): + (JSC::Structure::allocateRareData): + (JSC::Structure::ensurePropertyReplacementWatchpointSet): + (JSC::Structure::copyPropertyTableForPinning): + (JSC::Structure::add): + (JSC::Structure::remove): + (JSC::Structure::visitChildren): + (JSC::Structure::canCachePropertyNameEnumerator const): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::get): + (JSC::Structure::forEachPropertyConcurrently): + (JSC::Structure::transitivelyTransitionedFrom): + (JSC::Structure::prototypeChain const): + (JSC::Structure::propertyReplacementWatchpointSet): + (JSC::Structure::checkOffsetConsistency const): + (JSC::Structure::add): + (JSC::Structure::remove): + (JSC::Structure::removePropertyWithoutTransition): + (JSC::Structure::setPropertyTable): + (JSC::Structure::setPreviousID): + (JSC::Structure::ruleOutUnseenProperty const): Deleted. + (JSC::Structure::seenProperties const): Deleted. + (JSC::Structure::addPropertyHashAndSeenProperty): Deleted. + (JSC::Structure::cachedPrototypeChain const): Deleted. + (JSC::Structure::setCachedPrototypeChain): Deleted. + (JSC::Structure::clearPropertyTable): Deleted. + (JSC::Structure::setOutOfLineTypeFlags): Deleted. + (JSC::Structure::setInlineCapacity): Deleted. + (JSC::Structure::setClassInfo): Deleted. + (JSC::Structure::clearPreviousID): Deleted. + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::createStructure): + (JSC::StructureRareData::create): + (JSC::StructureRareData::StructureRareData): + (JSC::StructureRareData::visitChildren): + * runtime/StructureRareData.h: + * runtime/StructureRareDataInlines.h: + (JSC::StructureRareData::setPreviousID): + (JSC::StructureRareData::clearPreviousID): + (JSC::StructureRareData::setCachedPrototypeChain): Deleted. 
+ * runtime/StructureTransitionTable.h: + * tools/JSDollarVM.cpp: + (JSC::JSDollarVMHelper::functionGetStructureTransitionList): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2020-04-02 Alexey Shvayka + + TypedArray's [[DefineOwnProperty]] is incorrect with partial descriptors + https://bugs.webkit.org/show_bug.cgi?id=188875 + + Reviewed by Ross Kirsling. + + This change implements steps 3.b.iv-v of TypedArray's [[DefineOwnProperty]] method [1], + preventing type errors from being thrown if descriptor lacks [[Enumerable]] or [[Writable]] + field and aligning JSC with V8 and SpiderMonkey. + + [1]: https://tc39.es/ecma262/#sec-integer-indexed-exotic-objects-defineownproperty-p-desc + + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::defineOwnProperty): + +2020-04-02 Commit Queue + + Unreviewed, reverting r259390. + https://bugs.webkit.org/show_bug.cgi?id=209944 + + It broke WinCairo builds (Requested by fujihiro on #webkit). + + Reverted changeset: + + "Enable offlineasm debug annotations for GCC" + https://bugs.webkit.org/show_bug.cgi?id=207119 + https://trac.webkit.org/changeset/259390 + +2020-04-02 Yusuke Suzuki + + [JSC] RecordedStatuses's assignment should be guarded by CodeBlock's lock + https://bugs.webkit.org/show_bug.cgi?id=209935 + + + Reviewed by Mark Lam. + + Previously RecordedStatuses are not touched by GC. But now, GC visits RecordedStatuses. + This means that modifying RecordedStatuses should be guarded by CodeBlock's lock if + it is reachable from CodeBlock. + In DFG::Plan::reallyAdd, we already installed DFG::JITCode into the CodeBlock so that + RecordedStatuses is reachable from CodeBlock. We should lock CodeBlock's lock while + performing `WTFMove(RecordedStatuses)`. + + We do not need to emit write-barrier here because (1) DFG::Plan::reallyAdd is executed + while GC is deferred and (2) we emit write-barrier to CodeBlock before deferred GC is executed. 
+ + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::reallyAdd): + +2020-04-02 Mark Lam + + HeapSnapshotBuilder::analyzeNode() should filter out duplicate cells. + https://bugs.webkit.org/show_bug.cgi?id=209929 + + + Reviewed by Keith Miller. + + HeapSnapshot::finalize() assumes that its list of cells contain no duplicate cells. + HeapSnapshot::appendNode() expects to only be called once for a cell. It doesn't + check for duplicates. + + However, with the concurrent GC marker, there’s a racy chance that the same cell + is visited more than once by SlotVisitor, and therefore, SlotVisitor may call + HeapSnapshotBuilder::analyzeNode() (and HeapSnapshot::appendNode()) more than once + for the same cell. + + The easiest and cleanest fix for this is to simply keep a HashSet of appended + cells in HeapSnapshotBuilder while it is building the snapshot. We can then use + the hash set to filter out already appended cells, and avoid adding duplicates to + the HeapSnapshot. + + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::buildSnapshot): + (JSC::HeapSnapshotBuilder::analyzeNode): + * heap/HeapSnapshotBuilder.h: + +2020-04-02 Angelos Oikonomopoulos + + Enable offlineasm debug annotations for GCC + https://bugs.webkit.org/show_bug.cgi?id=207119 + + Reviewed by Darin Adler. + + This simply reuses the existing code that generates debug + annotations, adding two workarounds for limitations in GCC and + GDB. + + First, the .file directives that offlineasm inserts in inline asm + use file slots that conflict with those in the compilation unit + that includes LLIntAssembly.h (specifically, + LowLevelInterpreter.cpp). Clang's built-in assembler will + transparently fix that for us, but for GCC we need to + post-process the generated assembler. + + Unfortunately, cmake doesn't allow us to introduce a compiler wrapper for a + single source file, so we need to create a separate target for it. 
This + wrapping only happens when building with GCC and the user has explicitly + requested debug information, either by selecting a Debug/RelWithDebInfo build + or setting GCC_OFFLINEASM_SOURCE_MAP. + + Second, GDB will only look at the line table for a compilation unit if + it can first resolve the address to one of the known symbols in the + file. Introduce marker symbols to work around this bug. + + * CMakeLists.txt: + +2020-04-01 Ross Kirsling + + Intl.NumberFormat.prototype.format must preserve sign of -0 + https://bugs.webkit.org/show_bug.cgi?id=209880 + + Reviewed by Keith Miller. + + The spec changed here two years ago: + https://github.com/tc39/ecma402/pull/232 + + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::formatNumber): + Do NOT throw away the sign of -0. + +2020-04-01 Justin Michaud + + Delete IC incorrectly caches for proxies + https://bugs.webkit.org/show_bug.cgi?id=209777 + + Reviewed by Mark Lam. + + Proxy's do not change their structure ID when properties are added, so we cannot cache deletes + for them. + + * jit/Repatch.cpp: + (JSC::tryCacheDeleteBy): + +2020-04-01 Keith Miller + + Bindings that override getOwnPropertySlotByIndex need to say they MayHaveIndexedAccessors + https://bugs.webkit.org/show_bug.cgi?id=209762 + + Reviewed by Darin Adler. + + Change indexingType to indexingModeIncludingHistory to more + clearly indicate the expected range of possible valid values. + + * runtime/StructureInlines.h: + (JSC::Structure::create): + +2020-03-31 Yusuke Suzuki + + [JSC] Introduce UCPUStrictInt32 for result type of DFG operations + https://bugs.webkit.org/show_bug.cgi?id=209832 + + Reviewed by Saam Barati. + + Let's introduce UCPUStrictInt32 to DFG operations to offload StrictInt32 code into operations C++ code. + UCPUStrictInt32 is the same size to UCPURegister, and it is used for StrictInt32, which requires upper 32-bits + are zeroed. 
+ + * assembler/CPU.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): + (JSC::DFG::SpeculativeJIT::compileValueToInt32): + (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber): + (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): + (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult): + (JSC::DFG::SpeculativeJIT::compileBitwiseNot): + (JSC::DFG::SpeculativeJIT::compileBitwiseOp): + (JSC::DFG::SpeculativeJIT::compileShiftOp): + (JSC::DFG::SpeculativeJIT::compileArithAdd): + (JSC::DFG::SpeculativeJIT::compileArithAbs): + (JSC::DFG::SpeculativeJIT::compileArithClz32): + (JSC::DFG::SpeculativeJIT::compileArithSub): + (JSC::DFG::SpeculativeJIT::compileArithNegate): + (JSC::DFG::SpeculativeJIT::compileArithMul): + (JSC::DFG::SpeculativeJIT::compileArithDiv): + (JSC::DFG::SpeculativeJIT::compileArithMod): + (JSC::DFG::SpeculativeJIT::compileArithRounding): + (JSC::DFG::SpeculativeJIT::compileArithMinMax): + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + (JSC::DFG::SpeculativeJIT::compileGetArrayLength): + (JSC::DFG::SpeculativeJIT::compileVarargsLength): + (JSC::DFG::SpeculativeJIT::compileGetRestLength): + (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): + (JSC::DFG::SpeculativeJIT::compileGetEnumerableLength): + (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::strictInt32Result): + (JSC::DFG::SpeculativeJIT::int32Result): Deleted. 
+ * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::compileStringCodePointAt): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32): + (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): + (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength): + (JSC::FTL::DFG::LowerDFGToB3::mapHashString): + (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): + (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): + (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom): + (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32): + (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationSwitchStringAndGetBranchOffset): + (JSC::FTL::operationTypeOfObjectAsTypeofType): + * ftl/FTLOperations.h: + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * runtime/MathCommon.cpp: + (JSC::operationToInt32): + (JSC::operationToInt32SensibleSlow): + * runtime/MathCommon.h: + (JSC::toUCPUStrictInt32): + +2020-03-31 Ross Kirsling + + REGRESSION: ASSERTION FAILED: regExpObjectNode in JSC::DFG::StrengthReductionPhase::handleNode + https://bugs.webkit.org/show_bug.cgi?id=209824 + + Reviewed by Mark Lam. + + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + It's true that we need to verify lastIndex even when a RegExp is neither global nor sticky, + but if DFG's already converted RegExpExec to RegExpExecNonGlobalOrSticky, that means we've thrown away + the RegExpObject node, so we shouldn't try to reverify lastIndex when we reconsider folding to constant. + +2020-03-30 Yusuke Suzuki + + [JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage + https://bugs.webkit.org/show_bug.cgi?id=209791 + + Reviewed by Saam Barati. + + DFGArrayMode::alreadyChecked with NonArray+SlowPutArrayStorage should check NonArray condition. 
+ + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::alreadyChecked const): + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const): + +2020-03-30 Alexey Shvayka + + Add support in named capture group identifiers for direct surrogate pairs + https://bugs.webkit.org/show_bug.cgi?id=178174 + + Reviewed by Darin Adler and Michael Saboff. + + This change: + + a) Adds support for unescaped astral symbols in RegExp identifier names [1], + aligning JSC with V8. + + b) Rewords InvalidUnicodeEscape error code to be used for \uXXXX escapes in + Unicode patterns and named groups/references instead of InvalidIdentityEscape, + matching error messages in V8 and SpiderMonkey. + + c) Adds hasError() checks after tryConsumeGroupName() so errors generated in + tryConsumeIdentifierCharacter() would not get overriden. + + d) Removes code duplication by using tryConsumeUnicodeEscape() for parsing \u + in parseEscape(); cleans up parsing \u{} escapes a bit, preferring ASSERTs + over hasError() checks. + + [1]: https://tc39.es/ecma262/#prod-RegExpIdentifierName + + * yarr/YarrErrorCode.cpp: + (JSC::Yarr::errorMessage): + (JSC::Yarr::errorToThrow): + * yarr/YarrErrorCode.h: + * yarr/YarrParser.h: + (JSC::Yarr::Parser::parseEscape): + (JSC::Yarr::Parser::parseParenthesesBegin): + (JSC::Yarr::Parser::tryConsumeUnicodeEscape): + (JSC::Yarr::Parser::tryConsumeIdentifierCharacter): + +2020-03-30 Ross Kirsling + + RegExp.prototype.exec must always access lastIndex + https://bugs.webkit.org/show_bug.cgi?id=209375 + + Reviewed by Saam Barati. + + From https://tc39.es/ecma262/#sec-regexpbuiltinexec: + 21.2.5.2.2 Runtime Semantics: RegExpBuiltinExec ( R, S ) + ... + 4. Let lastIndex be ? ToLength(? Get(R, "lastIndex")). + ... + 8. If global is false and sticky is false, set lastIndex to 0. + + That is, we're always obliged to verify that lastIndex is Number-coercible, even if we don't use the value. 
+ + DFG, in particular, must make sure strength reductions don't apply when lastIndex isn't an unsigned integer + (i.e., when user code has written something strange to it). + foldToConstant already has an early out for this, but it needs to apply to convertToStatic too. + + Furthermore, ToLength clamps negative values to 0, so correct getRegExpObjectLastIndexAsUnsigned accordingly. + + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * runtime/RegExpObjectInlines.h: + (JSC::getRegExpObjectLastIndexAsUnsigned): + (JSC::RegExpObject::execInline): + (JSC::RegExpObject::matchInline): + +2020-03-30 Don Olmstead + + Non-unified build fixes late March 2020 edition + https://bugs.webkit.org/show_bug.cgi?id=209781 + + Unreviewed build fix. + + * jit/JITInlineCacheGenerator.h: + +2020-03-30 Devin Rousso + + Web Inspector: provide a way to log messages from the network process + https://bugs.webkit.org/show_bug.cgi?id=204775 + + Reviewed by Brian Burg. + + ITP can be influenced by multiple pages simultaneously, meaning that sending a console + message to the Web Inspector that's connected to the page that caused a change may not be + useful as developers often don't test in complete isolation. As such, having a way to + broadcast a console message to all Web Inspectors ensures that any changes caused by any + page are always able to be seen, no matter which page is being actively inspected. + + * inspector/protocol/Console.json: + * inspector/scripts/codegen/generator.py: + * runtime/ConsoleTypes.h: + * runtime/ConsoleClient.cpp: + (JSC::appendMessagePrefix): + * inspector/ConsoleMessage.cpp: + (Inspector::messageSourceValue): + Add `ITPDebug` and `AdClickAttribution` message sources. + +2020-03-30 Keith Miller + + Unreviewed, add FIXME. + + * runtime/IndexingType.h: + +2020-03-30 Caio Lima + + [JSC] Public class field should accept "static" as field name + https://bugs.webkit.org/show_bug.cgi?id=209703 + + Reviewed by Ross Kirsling. 
+ + It allows class fields being created using "static" as identifier + (https://tc39.es/ecma262/#prod-IdentifierName). + + * parser/Parser.cpp: + (JSC::Parser::parseClass): + +2020-03-28 Yusuke Suzuki + + [JSC] Use CacheableIdentifier for all ById case + https://bugs.webkit.org/show_bug.cgi?id=209698 + + Reviewed by Saam Barati. + + StructureStubInfo & AccessCase holds CacheableIdentifier to keep cell identifiers alive. + We are assuming that operationGetById...'s identifier is always owned by CodeBlock, and + we call CacheableIdentifier::createFromIdentifierOwnedByCodeBlock for UniquedStringImpl*. + + This is wrong since GetById IC can be generated with identifier which is not owned by CodeBlock. + Let's consider the following case, + + 1. op_get_by_val gets GetById IC. CacheableIdentifier is kept by StructureStubInfo/AccessCase correctly. + 2. This CodeBlock gets DFG. + 3. DFG understand op_get_by_val and emit GetById DFG node since it only has one identifier. + 4. Then, DFG can generate GetById DFG code which generates GetById IC + 5. (4)'s GetById IC gets executed. But this IC considers that identifier is owned by CodeBlock since this is ById IC. + 6. New DFG CodeBlock starts compilation. And it gets feedback from (2)'s get_by_val's StructureStubInfo, so it emits GetById with non-cell CacheableIdentifier! + So it does not retain the cell. It just registers desired identifier. + 7. While compiling (6) (after parsing bytecode), (2)'s CodeBlock's DFG code & IC gets jettisoned. And then, identifier used in (6) gets destroyed too. + 8. (6)'s CodeBlock finalizes its compilation, registering desired identifiers to the actual CodeBlock. And it found the identifier gets destroyed. + + In this patch, + + 1. CacheableIdentifier::createFromIdentifierOwnedByCodeBlock is called only when the creator knowns that this is owned by the CodeBlock. + Typically, this is when the code generator generates IC. + 2. operationGetById... 
functions get CacheableIdentifier instead of UniquedStringImpl*. So it propagates whether the given CacheableIdentifier + is created from CodeBlock's identifier or cells. + 3. AccessCase holds this propagated CacheableIdentifiers. If CacheableIdentifiers is created from a cell in some tier's IC, then it continues to be represented as + a cell-origin CacheableIdentifiers regardless of whether the current IC is GetById / GetByVal. Then GC marks it correctly. + 4. This patch does the same thing to all the ICs. + 5. This patch extends StructureStubInfo / AccessCase to pave the way to use them in PutByVal / InByVal by introducing CacheableIdentifier for Put and In. + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::fromStructureStubInfo): + * bytecode/GetByStatus.cpp: + (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::initGetByIdSelf): + (JSC::StructureStubInfo::initPutByIdReplace): + (JSC::StructureStubInfo::initInByIdSelf): + (JSC::StructureStubInfo::visitAggregate): + (JSC::StructureStubInfo::setCacheType): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::identifier): + (JSC::StructureStubInfo::considerCachingBy): + (JSC::StructureStubInfo::getByIdSelfIdentifier): Deleted. + (JSC::StructureStubInfo::considerCachingById): Deleted. + (JSC::StructureStubInfo::considerCachingByVal): Deleted. 
+ * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::canBecomeGetArrayLength): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parseGetById): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::handlePutByVal): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::addStringReplacePrimordialChecks): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToInById): + (JSC::DFG::Node::hasCacheableIdentifier): + (JSC::DFG::Node::cacheableIdentifier): + (JSC::DFG::Node::hasIdentifier): + (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper): + (JSC::DFG::Node::OpInfoWrapper::operator=): + * dfg/DFGOpInfo.h: + (JSC::DFG::OpInfo::OpInfo): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetById): + (JSC::DFG::SpeculativeJIT::compileGetByIdFlush): + (JSC::DFG::SpeculativeJIT::compileInById): + (JSC::DFG::SpeculativeJIT::compilePutByIdFlush): + (JSC::DFG::SpeculativeJIT::compilePutById): + (JSC::DFG::SpeculativeJIT::compilePutByIdDirect): + (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis): + (JSC::DFG::SpeculativeJIT::cachedPutById): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::compileDeleteById): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): + (JSC::DFG::SpeculativeJIT::compile): + 
(JSC::DFG::SpeculativeJIT::compileDeleteById): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetById): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compilePutById): + (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): + (JSC::FTL::DFG::LowerDFGToB3::compileInById): + (JSC::FTL::DFG::LowerDFGToB3::getById): + (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): + * jit/JIT.h: + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITGetByIdGenerator::JITGetByIdGenerator): + (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + (JSC::JITPutByIdGenerator::slowPathFunction): + (JSC::JITDelByIdGenerator::JITDelByIdGenerator): + (JSC::JITInByIdGenerator::JITInByIdGenerator): + * jit/JITInlineCacheGenerator.h: + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emitSlow_op_del_by_id): + (JSC::JIT::emit_op_try_get_by_id): + (JSC::JIT::emitSlow_op_try_get_by_id): + (JSC::JIT::emit_op_get_by_id_direct): + (JSC::JIT::emitSlow_op_get_by_id_direct): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_get_by_id_with_this): + (JSC::JIT::emitSlow_op_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id_with_this): + (JSC::JIT::emit_op_put_by_id): + (JSC::JIT::emitSlow_op_put_by_id): + (JSC::JIT::emit_op_in_by_id): + (JSC::JIT::emitSlow_op_in_by_id): + (JSC::JIT::emitByValIdentifierCheck): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emit_op_try_get_by_id): + (JSC::JIT::emitSlow_op_try_get_by_id): + (JSC::JIT::emit_op_get_by_id_direct): + (JSC::JIT::emitSlow_op_get_by_id_direct): + (JSC::JIT::emit_op_get_by_id): + 
(JSC::JIT::emitSlow_op_get_by_id): + (JSC::JIT::emit_op_get_by_id_with_this): + (JSC::JIT::emitSlow_op_get_by_id_with_this): + (JSC::JIT::emit_op_put_by_id): + (JSC::JIT::emitSlow_op_put_by_id): + (JSC::JIT::emit_op_in_by_id): + (JSC::JIT::emitSlow_op_in_by_id): + * jit/Repatch.cpp: + (JSC::appropriateGenericPutByIdFunction): + (JSC::appropriateOptimizingPutByIdFunction): + (JSC::tryCachePutByID): + (JSC::repatchPutByID): + (JSC::tryCacheInByID): + (JSC::repatchInByID): + (JSC::resetPutByID): + * jit/Repatch.h: + * runtime/CacheableIdentifier.cpp: + (JSC::CacheableIdentifier::dump const): + * runtime/CacheableIdentifier.h: + (JSC::CacheableIdentifier::createFromRawBits): + (JSC::CacheableIdentifier::rawBits const): + (JSC::CacheableIdentifier::CacheableIdentifier): + * runtime/CacheableIdentifierInlines.h: + (JSC::CacheableIdentifier::createFromIdentifierOwnedByCodeBlock): + (JSC::CacheableIdentifier::createFromImmortalIdentifier): + (JSC::CacheableIdentifier::CacheableIdentifier): + +2020-03-28 Devin Rousso + + Web Inspector: support editing cookie key/values from inspector + https://bugs.webkit.org/show_bug.cgi?id=31157 + + + Reviewed by Timothy Hatcher. + + * inspector/protocol/Page.json: + Add a `session` parameter to `Page.Cookie` type and a new `Page.setCookie` command. + Remove the `size` parameter from `Page.Cookie` as this can be calculated in the frontend. + +2020-03-27 Ross Kirsling + + [JSC] Make Operator an enum class to avoid Op* identifiers + https://bugs.webkit.org/show_bug.cgi?id=209637 + + Reviewed by Darin Adler. + + Currently, (e.g.) OpLShift is a value of enum Operator while OpLshift is an opcode. + Capitalization aside, it's confusing to be using Op* for disparate purposes like this. + Let's modernize the enum so that this confusion can go away as a side effect. 
+ + * bytecompiler/NodesCodegen.cpp: + (JSC::emitIncOrDec): + (JSC::PostfixNode::emitBytecode): + (JSC::PrefixNode::emitBytecode): + (JSC::LogicalOpNode::emitBytecode): + (JSC::LogicalOpNode::emitBytecodeInConditionContext): + (JSC::emitReadModifyAssignment): + (JSC::ReadModifyDotNode::emitBytecode): + (JSC::ReadModifyBracketNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeBinaryNode): + (JSC::ASTBuilder::makeAssignNode): + * parser/Nodes.h: + * parser/Parser.cpp: + (JSC::Parser::parseAssignmentExpression): + (JSC::Parser::parseUnaryExpression): + +2020-03-19 Tadeu Zagallo + + Fix instances of new.target that should be syntax errors + https://bugs.webkit.org/show_bug.cgi?id=208040 + + + Reviewed by Michael Saboff. + + We were not throwing the appropriate syntax errors for the following usages of new.target: + - Class field initializers outside ordinary functions: we were missing a check that the + closestOrdinaryFunctionScope was not the global scope. + - Within an eval inside an arrow function: we were only checking that the EvalContextType should + be FunctionEvalContext, but that does not tell us whether it's an arrow function or an ordinary + function. To fix that we must thread that information from the executables to the parser. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::UnlinkedFunctionExecutable::link): + * bytecode/UnlinkedFunctionExecutable.h: + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::evaluateWithScopeExtension): + * interpreter/Interpreter.cpp: + (JSC::eval): + * parser/Parser.cpp: + (JSC::Parser::Parser): + (JSC::Parser::parseMemberExpression): + * parser/Parser.h: + (JSC::parse): + * runtime/CodeCache.cpp: + (JSC::generateUnlinkedCodeBlockImpl): + * runtime/DirectEvalExecutable.cpp: + (JSC::DirectEvalExecutable::create): + (JSC::DirectEvalExecutable::DirectEvalExecutable): + * runtime/DirectEvalExecutable.h: + * runtime/EvalExecutable.cpp: + (JSC::EvalExecutable::EvalExecutable): + * runtime/EvalExecutable.h: + * runtime/FunctionExecutable.cpp: + (JSC::FunctionExecutable::FunctionExecutable): + * runtime/FunctionExecutable.h: + * runtime/GlobalExecutable.h: + (JSC::GlobalExecutable::GlobalExecutable): + * runtime/IndirectEvalExecutable.cpp: + (JSC::IndirectEvalExecutable::IndirectEvalExecutable): + * runtime/ModuleProgramExecutable.cpp: + (JSC::ModuleProgramExecutable::ModuleProgramExecutable): + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::ProgramExecutable): + * runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::ScriptExecutable): + * runtime/ScriptExecutable.h: + (JSC::ScriptExecutable::isInsideOrdinaryFunction const): + +2020-03-27 Keith Miller + + Add missing scope release to DataView's buffer getter + https://bugs.webkit.org/show_bug.cgi?id=209663 + + Reviewed by Yusuke Suzuki. + + * runtime/JSDataViewPrototype.cpp: + (JSC::dataViewProtoGetterBuffer): + +2020-03-26 Mark Lam + + Clear the entropy bits in the encodedStructureBits when deallocating a structureID. + https://bugs.webkit.org/show_bug.cgi?id=209632 + + + Reviewed by Saam Barati. + + We currently only use a 32-bit offset in the StructureIDTable's StructureOrOffset. 
+ Though we will never store an offset value that is near 32-bit in size, let alone
+ 64-bit, there's no reason why we can't just use all 64-bits for the offset.
+ Doing so will also have the benefit of zero'ing out the entropy bits in the old
+ encodedStructureBits. This guarantees that there's no chance of coalition between
+ a "freed" structureID's entropy bits and the entropy bits in a dead cell due to
+ GC bugs.
+
+ * runtime/StructureIDTable.h:
+
+2020-03-26 Fujii Hironori
+
+ [Win] lld-link: error: /manifestdependency: is not allowed in .drectve
+ https://bugs.webkit.org/show_bug.cgi?id=204831
+
+ Reviewed by Ross Kirsling.
+
+ * shell/DLLLauncherMain.cpp: Removed /manifestdependency for Microsoft.VC80.CRT which seems leftover of Bug 116562 (r178530).
+
+2020-03-26 Ross Kirsling
+
+ [JSC] Rename ANDEQUAL to BITANDEQUAL (etc.) throughout frontend
+ https://bugs.webkit.org/show_bug.cgi?id=209626
+
+ Reviewed by Mark Lam.
+
+ Our frontend refers to `&=` `|=` `^=` as `ANDEQUAL` `OREQUAL` `XOREQUAL`, leaving the bitwiseness implied.
+ It's important to resolve this ambiguity now, as `&&=` `||=` `??=` are expected to reach Stage 3 next week.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::emitReadModifyAssignment):
+ * parser/Lexer.cpp:
+ (JSC::Lexer::lexWithoutClearingLineTerminator):
+ * parser/Nodes.h:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseAssignmentExpression):
+ * parser/ParserTokens.h:
+
+2020-03-26 Michael Saboff
+
+ Refactor YARR Stack Overflow Checks
+ https://bugs.webkit.org/show_bug.cgi?id=209435
+ rdar://problem/58988252
+
+ Reviewed by Mark Lam.
+
+ Refactored stack checks in YARR code including adding a stack check to the YARR JIT'ed code.
+ The C++ code including the parser, byte code compiler and interpreter now all use StackCheck.
+ The JIT'ed code needs a stack limit passed via a parameter since the JIT'ed code can be
+ called from the compiler thread when compiling DFG / FTL code.
+
+ Instead of adding a new parameter, consolidated the two pattern context buffer values, buffer
+ pointer and size, with the new stack limit into a new MatchingContextHolder, an RAII object.
+ The MatchingContextHolder constructor uses either the VM stack limit or the current thread's
+ stack limit depending on how it is called.
+
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::finishCreation):
+ (JSC::RegExp::byteCodeCompileIfNecessary):
+ (JSC::RegExp::compile):
+ (JSC::RegExp::matchConcurrently):
+ (JSC::RegExp::compileMatchOnly):
+ * runtime/RegExp.h:
+ * runtime/RegExpInlines.h:
+ (JSC::RegExp::matchInline):
+ (JSC::PatternContextBufferHolder::PatternContextBufferHolder): Deleted.
+ (JSC::PatternContextBufferHolder::~PatternContextBufferHolder): Deleted.
+ (JSC::PatternContextBufferHolder::buffer): Deleted.
+ (JSC::PatternContextBufferHolder::size): Deleted.
+ (): Deleted.
+ * yarr/Yarr.h:
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::matchDisjunction):
+ (JSC::Yarr::Interpreter::isSafeToRecurse):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::MatchingContextHolder::MatchingContextHolder):
+ (JSC::Yarr::MatchingContextHolder::~MatchingContextHolder):
+ (JSC::Yarr::YarrGenerator::initParenContextFreeList):
+ (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
+ (JSC::Yarr::YarrGenerator::compile):
+ (JSC::Yarr::YarrGenerator::initCallFrame): Deleted.
+ * yarr/YarrJIT.h:
+ (JSC::Yarr::MatchingContextHolder::offsetOfStackLimit):
+ (JSC::Yarr::MatchingContextHolder::offsetOfPatternContextBuffer):
+ (JSC::Yarr::MatchingContextHolder::offsetOfPatternContextBufferSize):
+ (JSC::Yarr::YarrCodeBlock::execute):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
+ (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
+ (JSC::Yarr::YarrPattern::compile):
+ (JSC::Yarr::YarrPattern::YarrPattern):
+ (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const): Deleted.
+ * yarr/YarrPattern.h:
+
+2020-03-26 Keith Miller
+
+ TypedArrays should more gracefully handle OOM during slowDownAndWasteMemory
+ https://bugs.webkit.org/show_bug.cgi?id=209611
+
+ Reviewed by Tadeu Zagallo.
+
+ Right now if we cannot allocate an ArrayBuffer for a TypedArray we
+ crash. However, since we use the primitive gigacage for
+ ArrayBuffer allocations we can likely still allocate an OOM error
+ object. In order to do this some changes were needed in
+ slowDownAndWasteMemory. Namely, we should not allocate the
+ butterfly until we know we have an ArrayBuffer. I also check that
+ all the transitive callers of slowDownAndWasteMemory can handle
+ failure.
+
+ Lastly, this patch makes it so failure to allocate an ArrayBuffer
+ for a TypeArray during DFG watchpoint addition causes the code
+ block to be thrown away, rather than crash the process.
+
+ * API/JSTypedArray.cpp:
+ (JSObjectGetTypedArrayBytesPtr):
+ (JSObjectGetTypedArrayBuffer):
+ * bytecode/Watchpoint.h:
+ * dfg/DFGDesiredWatchpoints.cpp:
+ (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
+ * runtime/GenericTypedArrayViewInlines.h:
+ (JSC::GenericTypedArrayView::tryCreate):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::unsharedBuffer):
+ (JSC::JSArrayBufferView::unsharedJSBuffer):
+ (JSC::JSArrayBufferView::possiblySharedJSBuffer):
+ (JSC::JSArrayBufferView::slowDownAndWasteMemory):
+ (JSC::JSArrayBufferView::possiblySharedImpl):
+ * runtime/JSArrayBufferViewInlines.h:
+ (JSC::JSArrayBufferView::byteOffsetImpl):
+
+2020-03-26 Commit Queue
+
+ Unreviewed, reverting r259035.
+ https://bugs.webkit.org/show_bug.cgi?id=209597
+
+ broke windows layout-tests (Requested by aakashjain on
+ #webkit).
+
+ Reverted changeset:
+
+ "[Win] lld-link: error: /manifestdependency: is not allowed in
+ .drectve"
+ https://bugs.webkit.org/show_bug.cgi?id=204831
+ https://trac.webkit.org/changeset/259035
+
+2020-03-25 Fujii Hironori
+
+ [Win] lld-link: error: /manifestdependency: is not allowed in .drectve
+ https://bugs.webkit.org/show_bug.cgi?id=204831
+
+ Reviewed by Ross Kirsling.
+
+ * shell/DLLLauncherMain.cpp: Removed /manifestdependency for Microsoft.VC80.CRT which seems leftover of Bug 116562 (r178530).
+
+2020-03-25 Alexey Shvayka
+
+ RegExp.prototype[@@replace] relies on globals and doesn't perform ToLength
+ https://bugs.webkit.org/show_bug.cgi?id=173867
+
+ Reviewed by Ross Kirsling.
+
+ This change:
+
+ a) Adds "lastIndex" ToLength coercion [1], which is observable, unlike ToLength coercion
+ of RegExpExec result [2] that we omit, just like the one in @@split [3].
+
+ b) Removes `lastPosition` checks/updates, as there are none in the spec, and it was
+ equivalent to checking `nextSourcePosition`.
+
+ c) Removes reliance of @@replace on globals and also replaces @stringSubstrInternal
+ built-in with @stringSubstringInternal, as the former is Annex B and accepts size
+ as 2nd paramter, which is not very handy because ECMA-262 usually says "substring
+ of S consisting of the code units at indices X (inclusive) through Y (exclusive)".
+
+ [1]: https://tc39.es/ecma262/#sec-regexp.prototype-@@replace (step 11.c.iii.2.a)
+ [2]: https://tc39.es/ecma262/#sec-regexp.prototype-@@replace (step 14.a)
+ [3]: https://tc39.es/ecma262/#sec-regexp.prototype-@@split (step 19.d.iv.6)
+
+ * builtins/BuiltinNames.h:
+ * builtins/RegExpPrototype.js:
+ (getSubstitution):
+ (Symbol.replace):
+ (Symbol.split):
+ * builtins/StringPrototype.js:
+ (globalPrivate.repeatCharactersSlowPath):
+ * bytecode/LinkTimeConstant.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringIndexOfImpl):
+ (JSC::stringProtoFuncIndexOf):
+ (JSC::builtinStringIndexOfInternal):
+ (JSC::stringProtoFuncSubstr):
+ (JSC::stringSubstringImpl):
+ (JSC::stringProtoFuncSubstring):
+ (JSC::builtinStringSubstringInternal):
+ (JSC::stringProtoFuncSubstrImpl): Deleted.
+ (JSC::builtinStringSubstrInternal): Deleted.
+ * runtime/StringPrototype.h:
+
+2020-03-25 Alexey Shvayka
+
+ Invalid numeric and named references should be early syntax errors
+ https://bugs.webkit.org/show_bug.cgi?id=178175
+
+ Reviewed by Ross Kirsling.
+
+ This patch:
+
+ 1. Fixes named reference parsing in parseEscape(), making /\k/u throw SyntaxError per spec [1].
+
+ 2. Reworks containsIllegalNamedForwardReferences(), making dangling (e.g. /\k(?.)/) and
+ incomplete (e.g. /\k<(?.)/) named references throw SyntaxError if the non-Unicode pattern
+ contains a named group [2].
+
+ 3. Moves reparsing logic from YarrPattern to YarrParser, ensuring syntax errors due to illegal
+ references (named & numeric) are thrown at parse time; drops isValidNamedForwardReference()
+ from Delegate, refactors saveUnmatchedNamedForwardReferences(), and overall improves cohesion
+ of illegal references logic.
+
+ [1]: https://tc39.es/ecma262/#prod-IdentityEscape
+ [2]: https://tc39.es/ecma262/#sec-regexpinitialize (step 7.b)
+
+ * yarr/YarrErrorCode.cpp:
+ (JSC::Yarr::errorMessage):
+ (JSC::Yarr::errorToThrow):
+ * yarr/YarrErrorCode.h:
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
+ (JSC::Yarr::Parser::Parser):
+ (JSC::Yarr::Parser::parseEscape):
+ (JSC::Yarr::Parser::parseParenthesesBegin):
+ (JSC::Yarr::Parser::parse):
+ (JSC::Yarr::Parser::handleIllegalReferences):
+ (JSC::Yarr::Parser::containsIllegalNamedForwardReference):
+ (JSC::Yarr::Parser::resetForReparsing):
+ (JSC::Yarr::parse):
+ (JSC::Yarr::Parser::CharacterClassParserDelegate::isValidNamedForwardReference): Deleted.
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPatternConstructor::atomBackReference):
+ (JSC::Yarr::YarrPatternConstructor::atomNamedForwardReference):
+ (JSC::Yarr::YarrPattern::compile):
+ (JSC::Yarr::YarrPatternConstructor::saveUnmatchedNamedForwardReferences): Deleted.
+ (JSC::Yarr::YarrPatternConstructor::isValidNamedForwardReference): Deleted.
+ * yarr/YarrPattern.h:
+ (JSC::Yarr::YarrPattern::resetForReparsing):
+ (JSC::Yarr::YarrPattern::containsIllegalBackReference): Deleted.
+ (JSC::Yarr::YarrPattern::containsIllegalNamedForwardReferences): Deleted.
+ * yarr/YarrSyntaxChecker.cpp:
+ (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
+ (JSC::Yarr::SyntaxChecker::resetForReparsing):
+ (JSC::Yarr::SyntaxChecker::isValidNamedForwardReference): Deleted.
+
+2020-03-25 Chris Dumez
+
+ Use JSC::EnsureStillAliveScope RAII object in the generated bindings code
+ https://bugs.webkit.org/show_bug.cgi?id=209552
+
+ Reviewed by Yusuke Suzuki.
+
+ Add method to EnsureStillAliveScope to retrieve its internal JSValue.
+
+ * runtime/JSCJSValue.h:
+ (JSC::EnsureStillAliveScope::value const):
+
+2020-03-25 Chris Dumez
+
+ Event listeners registered with 'once' option may get garbage collected too soon
+ https://bugs.webkit.org/show_bug.cgi?id=209504
+
+
+ Reviewed by Yusuke Suzuki.
+
+ Add EnsureStillAliveScope RAII object for ensureStillAliveHere().
+
+ * runtime/JSCJSValue.h:
+ (JSC::EnsureStillAliveScope::EnsureStillAliveScope):
+ (JSC::EnsureStillAliveScope::~EnsureStillAliveScope):
+
+2020-03-25 Alexey Shvayka
+
+ \b escapes inside character classes should be valid in Unicode patterns
+ https://bugs.webkit.org/show_bug.cgi?id=209528
+
+ Reviewed by Darin Adler.
+
+ This change removes isIdentityEscapeAnError('b') check, allowing \b escapes
+ inside character classes in Unicode patterns match U+0008 (BACKSPACE) characters,
+ aligning JSC with V8 and SpiderMonkey.
+
+ Grammar: https://tc39.es/ecma262/#prod-ClassEscape
+ ('b' comes before CharacterEscape :: IdentityEscape)
+
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::parseEscape):
+
+2020-03-24 Ross Kirsling
+
+ Introduce @tryGetByIdWithWellKnownSymbol instead of repurposing @tryGetById itself
+ https://bugs.webkit.org/show_bug.cgi?id=209524
+
+ Reviewed by Saam Barati and Yusuke Suzuki.
+
+ r258865 allowed @tryGetById to take any ResolveNode, such that a built-in could pass a well-known symbol.
+ This is much more permissive than necessary, since we shouldn't really need a ResolveNode in the first place;
+ instead, let's make a new bytecode intrinsic function @tryGetByIdWithWellKnownSymbol for this purpose.
+
+ * builtins/RegExpPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForRegExpSplit):
+ * bytecode/BytecodeIntrinsicRegistry.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById): Revert change from r258865.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetByIdWithWellKnownSymbol): Added.
+
+2020-03-24 Tadeu Zagallo
+
+ LLIntGenerator must link switch jumps to otherwise redundant labels
+ https://bugs.webkit.org/show_bug.cgi?id=209333
+
+
+ Reviewed by Saam Barati.
+
+ The LLIntGenerator optimizes jumps at the end of blocks. It does so when a block ends, by checking if
+ the last instruction emitted was a jump, if it pointed to the end of the current block and if it was
+ the only jump that pointed there. If all those conditions are satisfied, the jump is removed and it's
+ not necessary to emit the label at the end of block, since the only jump that pointed to it was removed.
+ However, switches (br_table) are handled specially by the LLIntGenerator and therefore are not counted
+ in Label::unresolvedJumps, which was used to check whether we could skip emitting the label.
+ The end result is that we might skip linking a switch jump if it points to a block that ends with a jump.
+
+
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::addEndToUnreachable):
+ (JSC::Wasm::LLIntGenerator::linkSwitchTargets):
+ (JSC::GenericLabel::setLocation):
+
+2020-03-24 Saam Barati
+
+ Memory::fastMappedBytes() is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=209488
+
+ Reviewed by Mark Lam.
+
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::fastMappedBytes):
+
+2020-03-24 Keith Miller
+
+ Fix isEmpty AssemblyHelpers function and add isNotEmpty
+ https://bugs.webkit.org/show_bug.cgi?id=209507
+
+ Reviewed by Saam Barati.
+
+ This fixes the 32 version of my HasIndexedProperty patch as well
+ as properly names the functions for what they do.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::isEmpty):
+ (JSC::AssemblyHelpers::isNotEmpty):
+
+2020-03-23 Keith Miller
+
+ HasIndexedProperty should know about sane chain
+ https://bugs.webkit.org/show_bug.cgi?id=209457
+
+ Reviewed by Saam Barati.
+
+ This patch makes it so HasIndexedProperty is aware of
+ sane chain.
 This is useful because, most of the time we do an
+ indexed in it is on an array. If the array has a sane chain (i.e.
+ no indexed properties on it's prototypes and has the default
+ prototype chain) then we can just test for the index being a hole.
+
+ Note, we could also just convert OOB indices into false but that
+ should happen in another patch.
+ https://bugs.webkit.org/show_bug.cgi?id=209456
+
+ I didn't add any tests because it turns out we already have a ton.
+ I know this because I broke most of them repeatedly... >.>
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::setSaneChainIfPossible):
+ (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateAndJump):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::isEmpty):
+
+2020-03-23 Yusuke Suzuki
+
+ [JSC] Caller of Delete IC should emit write-barrier onto owner
+ https://bugs.webkit.org/show_bug.cgi?id=209392
+
+
+ Reviewed by Saam Barati.
+
+ DeleteIC can change Structure of the owner cell in the fast path. However it is not emitting write-barrier,
+ while we are writing a Structure cell id into a JSObject's header.
+ In this patch,
+
+ 1. Emit write-barrier in baseline. Be careful about when emitting write-barrier since it clobbers registers.
+ 2. DFG and FTL recognize DeleteById / DeleteByVal in DFGStoreBarrierInsertionPhase.
+ 3. DFGStoreBarrierInsertionPhase only accepts nodes which base is speculated as a Cell. Current DeleteById / DeleteByVal
+ can have UntypedUse base value, but we miss emitting write-barrier DeleteById / DeleteByVal with UntypedUse in the fast path.
+ In this patch, we optimize DeleteById / DeleteByVal only when we speculate child1 as a cell. We can take the further
+ steps after fixing this bug, e.g. (1) accepting UntypedUse in store-barrier-insertion[1] or (2) emitting write-barrier
+ if child1's speculation is UntypedUse. For now, we fix the bug by taking a generic path when child1 is not speculated
+ as a cell. And we can optimize it in a separate change[2].
+
+ This is following the design of PutIC.
+ Currently, we use ShouldFilterBase for emitWriteBarrier. But we could use UnconditionalWriteBarrier here since
+ we already filter non-cells in Baseline's hot path. I filed it as a separate bug in [3].
+
+ [1]: https://bugs.webkit.org/show_bug.cgi?id=209396
+ [2]: https://bugs.webkit.org/show_bug.cgi?id=209397
+ [3]: https://bugs.webkit.org/show_bug.cgi?id=209395
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileDeleteById):
+ (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
+ * dfg/DFGStoreBarrierInsertionPhase.cpp:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
+ (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
+ * jit/JIT.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emit_op_del_by_id):
+ (JSC::JIT::emit_op_del_by_val):
+ (JSC::JIT::emit_op_put_by_id):
+ (JSC::JIT::emitWriteBarrier):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emit_op_put_by_id):
+
+2020-03-23 Yusuke Suzuki
+
+ [JSC] DFG OSR exit cannot find StructureStubInfo for put_by_val if CodeBlock is once converved from Baseline to LLInt
+ https://bugs.webkit.org/show_bug.cgi?id=209327
+
+
+ Reviewed by Saam Barati.
+
+ DFG compiles op_put_by_val as PutById and inlines SetterCall only when DFG found StructureStubInfo for this op_put_by_val.
+ However, it is still possible that DFG OSR exit cannot find StructureStubInfo for SetterCall generated by op_put_by_val.
+ Let's consider the following scenario.
+
+ 1. Baseline CodeBlock (A) is compiled.
+ 2. (A) gets DFG (B).
+ 3. Since (A) collects enough information for put_by_val, (B) can get StructureStubInfo from (A) and compile it as inlined Setter call.
+ 4. (A)'s JITData is destroyed since it is not executed. Then, (A) becomes LLInt.
+ 5. The CodeBlock inlining (A) gets OSR exit. So (A) is executed and (A) eventually gets Baseline CodeBlock again.
+ 6. (B) gets OSR exit. (B) attempts to search for StructureStubInfo in (A) for PutById (originally, put_by_val). But it does not exist since (A)'s JITData is cleared once.
+
+ We should just link to doneTarget of ByValInfo when the SetterCall is generated by `op_put_by_val`. ByValInfo and its doneTarget always exists per op_put_by_val.
+
+ * bytecode/ByValInfo.h:
+ (JSC::ByValInfo::ByValInfo):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::findByValInfo):
+ * bytecode/CodeBlock.h:
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::callerReturnPC):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompilePutByVal):
+ (JSC::JIT::privateCompilePutByValWithCachedId):
+
+2020-03-23 Ross Kirsling
+
+ Unreviewed, address Yusuke's feedback on r258801.
+
+ * builtins/RegExpPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForRegExpSplit):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
+
+2020-03-23 Ross Kirsling
+
+ Catch parameters must not be lexically redeclared
+ https://bugs.webkit.org/show_bug.cgi?id=208976
+
+ Reviewed by Keith Miller.
+
+ From https://tc39.es/ecma262/#sec-try-statement-static-semantics-early-errors:
+ Catch : catch ( CatchParameter ) Block
+ It is a Syntax Error if any element of the BoundNames of CatchParameter
+ also occurs in the LexicallyDeclaredNames of Block.
+
+ In other words, let/const/class/function declarations in the immediate catch block scope
+ must not shadow catch parameters.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseTryStatement):
+ (JSC::Parser::parseBlockStatement):
+ * parser/Parser.h:
+ (JSC::Scope::Scope):
+ (JSC::Scope::setIsCatchBlockScope): Added.
+ (JSC::Scope::isCatchBlockScope): Added.
+ (JSC::Parser::declareVariable):
+ (JSC::Parser::declareFunction):
+
+2020-03-23 Michael Catanzaro
+
+ REGRESSION(r249808): [GTK] Crash in JSC Config::permanentlyFreeze() on architecture ppc64el
+ https://bugs.webkit.org/show_bug.cgi?id=209236
+
+ Reviewed by Mark Lam.
+
+ * heap/MarkedBlock.h: Use new CeilingOnPageSize.
+ * runtime/JSCConfig.cpp:
+ (JSC::Config::permanentlyFreeze): Use pageSize instead of vmPageSize.
+ * runtime/JSCConfig.h: Use new CeilingOnPageSize.
+
+2020-03-22 Yusuke Suzuki
+
+ Unreviewed, rename keepAlive to ensureStillAliveHere
+ https://bugs.webkit.org/show_bug.cgi?id=209398
+
+ Based on Geoff and Mark's feedback, renaming keepAlive to ensureStillAliveHere
+ to make the effect of keepAlive clear.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
+ (JSC::FTL::DFG::LowerDFGToB3::ensureStillAliveHere):
+ (JSC::FTL::DFG::LowerDFGToB3::keepAlive): Deleted.
+ * heap/HeapCell.cpp:
+ (JSC::ensureStillAliveHere):
+ (JSC::keepAlive): Deleted.
+ * heap/HeapCell.h:
+ (JSC::ensureStillAliveHere):
+ (JSC::HeapCell::use const):
+ (JSC::keepAlive): Deleted.
+ * runtime/JSCJSValue.cpp:
+ (JSC::ensureStillAliveHere):
+ (JSC::keepAlive): Deleted.
+ * runtime/JSCJSValue.h:
+ (JSC::ensureStillAliveHere):
+ (JSC::keepAlive): Deleted.
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+
+2020-03-22 Yusuke Suzuki
+
+ [JSC] Add JSC::keepAlive(JSValue)
+ https://bugs.webkit.org/show_bug.cgi?id=209398
+
+ Reviewed by Mark Lam.
+
+ Add JSC::keepAlive(JSValue). This is useful to make some JSValue variable alive from GC.
+
+ * heap/HeapCell.cpp:
+ * runtime/JSCJSValue.cpp:
+ (JSC::keepAlive):
+ * runtime/JSCJSValue.h:
+ (JSC::keepAlive):
+
+2020-03-20 Ross Kirsling
+
+ hasObservableSideEffectsForRegExpSplit doesn't check for @@match override
+ https://bugs.webkit.org/show_bug.cgi?id=209363
+
+ Reviewed by Michael Saboff.
+
+ Our RegExp.prototype[@@split] implementation has a fast path for unadultered RegExp objects,
+ but we're using that fast path even when @@match has been overridden.
+
+ This is illegitimate because the RegExp species constructor calls IsRegExp, which hits the @@match getter.
+
+ * builtins/BuiltinNames.h:
+ * builtins/RegExpPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForRegExpSplit):
+ * bytecode/LinkTimeConstant.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+
+2020-03-20 Ross Kirsling
+
+ RegExp.prototype[@@replace] doesn't coerce result index to integer
+ https://bugs.webkit.org/show_bug.cgi?id=209323
+
+ Reviewed by Yusuke Suzuki.
+
+ From https://tc39.es/ecma262/#sec-regexp.prototype-@@replace:
+ 21.2.5.10 RegExp.prototype [ @@replace ] ( string, replaceValue )
+ ...
+ 14. For each result in results, do
+ ...
+ e. Let position be ? ToInteger(? Get(result, "index")).
+ f. Set position to max(min(position, lengthS), 0).
+
+ result.index may be undefined, so it doesn't suffice to coerce it with comparison operators.
+
+ * builtins/RegExpPrototype.js:
+
+2020-03-20 Justin Michaud
+
+ Fix JSCOnly build without unified sources
+ https://bugs.webkit.org/show_bug.cgi?id=209343
+
+ Reviewed by Keith Miller.
+
+ I managed to get clangd to work for code completion using the following command:
+
+ ./Tools/Scripts/build-webkit --jsc-only --cmakeargs="-DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DENABLE_UNIFIED_BUILDS=OFF" && compdb -p WebKitBuild/Release/ list > compile_commands.json
+
+ This patch fixes the build for non-unified sources, and adds some extra clangd files to .gitignore.
+
+ * API/MarkedJSValueRefArray.h:
+ * jit/JITPropertyAccess.cpp:
+
+2020-03-20 Tim Horton
+
+ Upstream a variety of Cocoa-platform HAVE and ENABLE macros
+ https://bugs.webkit.org/show_bug.cgi?id=209307
+
+ Reviewed by Andy Estes.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2020-03-20 Jacob Uphoff
+
+ Unreviewed, reverting r258748.
+
+ This commit broke the Catalina build
+
+ Reverted changeset:
+
+ "Upstream a variety of Cocoa-platform HAVE and ENABLE macros"
+ https://bugs.webkit.org/show_bug.cgi?id=209307
+ https://trac.webkit.org/changeset/258748
+
+2020-03-19 Tim Horton
+
+ Upstream a variety of Cocoa-platform HAVE and ENABLE macros
+ https://bugs.webkit.org/show_bug.cgi?id=209307
+
+ Reviewed by Andy Estes.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2020-03-19 Yusuke Suzuki
+
+ [JSC] StructureStubInfo::bufferedStructures should not ref/deref UniquedStringImpl
+ https://bugs.webkit.org/show_bug.cgi?id=209266
+
+
+ Reviewed by Saam Barati.
+
+ StructureStubInfo::bufferedStructures includes RefPtr. So destroying StructureStubInfo in
+ CodeBlock::finalizeUnconditionally can access to AtomStringTable, and get nullptr AtomStringTable since
+ CodeBlock::finalizeUnconditionally can be executed in heap-thread.
+
+ Temporarily setting AtomStringTable in the heap-thread when executing GC End phase is dangerous: Web worker's
+ JSC VM is releasing heapAccess when waiting for the next message in the RunLoop. This potentially means that
+ Web worker's main thread can run concurrently with Web worker's JSC VM's End phase heap-thread until the web
+ worker takes JSLock.
 (This is not a problem in WebCore since WebCore JSC VM never releases heapAccess. We cannot
+ take the same design since we would like to run End phase even if web worker is not getting any messages).
+
+ And removing resetJITData in CodeBlock::finalizeUnconditionally does not fix as well since CodeBlock::finalizeUnconditionally
+ calls StructureStubInfo::visitWeakReferences, and it removes some of entries of StructureStubInfo::bufferedStructures after
+ ByVal extension is introduced into StructureStubInfo.
+
+ This patch uses CacheableIdentifier for bufferedStructures. We make BufferedStructure class which holds Structure and CacheableIdentifier.
+ And StructureStubInfo holds HashSet. We also visit CacheableIdentifier in StructureStubInfo::visitAggregate. To allow
+ concurrent collector to run this, we introduce m_bufferedStructuresLock in StructureStubInfo to guard m_bufferedStructures.
+
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::StructureStubInfo):
+ (JSC::StructureStubInfo::addAccessCase):
+ (JSC::StructureStubInfo::reset):
+ (JSC::StructureStubInfo::visitAggregate):
+ (JSC::StructureStubInfo::visitWeakReferences):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::considerCaching):
+ (JSC::StructureStubInfo::getByIdSelfIdentifier):
+ (JSC::StructureStubInfo::cacheType const):
+ (JSC::StructureStubInfo::clearBufferedStructures):
+ (JSC::StructureStubInfo::BufferedStructure::BufferedStructure):
+ (JSC::StructureStubInfo::BufferedStructure::isHashTableDeletedValue const):
+ (JSC::StructureStubInfo::BufferedStructure::hash const):
+ (JSC::StructureStubInfo::BufferedStructure::operator==):
+ (JSC::StructureStubInfo::BufferedStructure::operator!=):
+ (JSC::StructureStubInfo::BufferedStructure::Hash::hash):
+ (JSC::StructureStubInfo::BufferedStructure::Hash::equal):
+ (JSC::StructureStubInfo::BufferedStructure::structure const):
+ (JSC::StructureStubInfo::BufferedStructure::byValId const):
+ * jit/JITOperations.cpp:
+ * 
runtime/CacheableIdentifier.h:
+ (JSC::CacheableIdentifier::hash const):
+
+2020-03-19 Yusuke Suzuki
+
+ Unreviewed, build fix after r258717
+ https://bugs.webkit.org/show_bug.cgi?id=199295
+
+ * llint/LowLevelInterpreter.asm:
+
+2020-03-18 Yusuke Suzuki
+
+ sanitizeStackForVMImpl writes below stack pointer, triggers huge warning spam from valgrind
+ https://bugs.webkit.org/show_bug.cgi?id=199295
+
+ Reviewed by Mark Lam.
+
+ During sanitizeStackForVMImpl, we should not access to the region beyond the stack-pointer.
+ This patch changes stack-pointer while sanitizeStackForVMImpl is zero-filling the old stack region.
+
+ * llint/LowLevelInterpreter.asm:
+
+2020-03-19 Charlie Turner
+
+ Fix many warnings with Clang 7.0 on GTK x86-64 in Debug.
+ https://bugs.webkit.org/show_bug.cgi?id=209146
+
+ Reviewed by Darin Adler.
+
+ * runtime/JSCellInlines.h:
+ (JSC::CallFrame::deprecatedVM const): A reference may not be NULL, so
+ this ASSERT() can never trip.
+
+2020-03-18 Yusuke Suzuki
+
+ Add a way to mark a rejected promise as handled
+ https://bugs.webkit.org/show_bug.cgi?id=209241
+
+ Reviewed by Michael Saboff.
+
+ Some of WebCore promise implementations (WebAnimation etc.) want to reject promise
+ as handled state to suppress UnhandledPromiseRejection tracking. For example, a
+ lot of WebCore implementations expose Promise DOM attributes which will be rejected
+ at some conditions. But we do not want to force users setting a handler for each such an
+ attribute.
+
+ This patch adds `JSPromise::rejectAsHandled` C++ function. This simply sets isHandledFlag
+ before executing `JSPromise::reject` if we are not calling a reject function yet.
+
+ * runtime/JSPromise.cpp:
+ (JSC::JSPromise::rejectAsHandled):
+ * runtime/JSPromise.h:
+ * tools/JSDollarVM.cpp:
+ (JSC::functionRejectPromiseAsHandled):
+ (JSC::JSDollarVM::finishCreation):
+
+2020-03-17 Yusuke Suzuki
+
+ [JSC] DeleteIC patchpoint in FTL should require tag and mask registers
+ https://bugs.webkit.org/show_bug.cgi?id=209197
+
+
+ Reviewed by Tadeu Zagallo and Saam Barati.
+
+ DeleteIC patchpoint is emitting `branchIfNotCell` machine code. This requires a mask register
+ while we are not reserving them when creating a patchpoint.
+
+ In general, our IC code is assuming usual CCallHelpers environment which provides macro-assembler
+ scratch, tag, and mask registers. We should offer them even if IC is emitted from FTL. In this
+ patch, we offer tag and mask registers for Delete IC even if this IC is not currently using tag
+ register.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
+
+2020-03-17 Tadeu Zagallo
+
+ AccessCase::canReplace should allow a Getter to replace an IntrinsicGetter
+ https://bugs.webkit.org/show_bug.cgi?id=209158
+
+
+ Reviewed by Saam Barati.
+
+ When we override an intrinsic getter with a user defined getter, we might end up with the
+ same offset and attributes. In which case, an inline cache that contained an entry for the
+ intrisic getter will believe that it is still valid, and add a new getter access case,
+ leading to duplicate entries for the same structure.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::canReplace const):
+
+2020-03-16 Yusuke Suzuki
+
+ [JSC] JSMapIterator and JSSetIterator are CellType
+ https://bugs.webkit.org/show_bug.cgi?id=209168
+
+
+ Reviewed by Saam Barati.
+
+ They are JSCell, not JSObject since they are not used as a user-observable set/map iterators in JSC.
+ However, their JSType is ObjectType. They should use CellType instead.
+
+ * runtime/JSMapIterator.h:
+ * runtime/JSSetIterator.h:
+
+2020-03-16 Keith Miller
+
+ JavaScript identifier grammar supports unescaped astral symbols, but JSC doesn’t
+ https://bugs.webkit.org/show_bug.cgi?id=208998
+
+ Reviewed by Michael Saboff.
+
+ This patch fixes a bug in the parser that allows for surrogate pairs when parsing identifiers.
+ It also makes a few other changes to the parser:
+
+ 1) When looking for keywords we just need to check that subsequent
+ character cannot be a identifier part or an escape start.
+
+ 2) The only time we call parseIdentifierSlowCase is when we hit an
+ escape start or a surrogate pair so we can optimize that to just
+ copy everything up slow character into our buffer.
+
+ 3) We shouldn't allow for asking if a UChar is an identifier start/part.
+
+ * KeywordLookupGenerator.py:
+ (Trie.printSubTreeAsC):
+ (Trie.printAsC):
+ * parser/Lexer.cpp:
+ (JSC::isNonLatin1IdentStart):
+ (JSC::isIdentStart):
+ (JSC::isSingleCharacterIdentStart):
+ (JSC::cannotBeIdentStart):
+ (JSC::isIdentPart):
+ (JSC::isSingleCharacterIdentPart):
+ (JSC::cannotBeIdentPartOrEscapeStart):
+ (JSC::Lexer::currentCodePoint const):
+ (JSC::Lexer::currentCodePoint const):
+ (JSC::Lexer::parseIdentifier):
+ (JSC::Lexer::parseIdentifier):
+ (JSC::Lexer::parseIdentifierSlowCase):
+ (JSC::Lexer::lexWithoutClearingLineTerminator):
+ (JSC::Lexer::scanRegExp):
+ (JSC::isIdentPartIncludingEscapeTemplate): Deleted.
+ (JSC::isIdentPartIncludingEscape): Deleted.
+ * parser/Lexer.h:
+ (JSC::Lexer::setOffsetFromSourcePtr): Deleted.
+ * parser/Parser.cpp:
+ (JSC::Parser::printUnexpectedTokenText):
+ * parser/ParserTokens.h:
+
+2020-03-13 Sergio Villar Senin
+
+ [WebXR] IDLs, stubs and build configuration for WPE
+ https://bugs.webkit.org/show_bug.cgi?id=208702
+
+ Reviewed by Dean Jackson.
+
+ * Configurations/FeatureDefines.xcconfig: Added ENABLE_WEBXR, off by default.
+ +2020-03-15 Yusuke Suzuki + + reportZappedCellAndCrash should handle PreciseAllocation in IsoSubspace + https://bugs.webkit.org/show_bug.cgi?id=209042 + + Reviewed by Mark Lam. + + This patch adds support of PreciseAllocation cells to reportZappedCellAndCrash, since now it is frequently used + as a lower-tier cells in IsoSubspace. + + * heap/IsoSubspace.h: + * heap/IsoSubspaceInlines.h: + (JSC::IsoSubspace::forEachLowerTierFreeListedPreciseAllocation): + * runtime/JSCell.cpp: + (JSC::reportZappedCellAndCrash): + +2020-03-15 Yusuke Suzuki + + Should not use variable-length-array (VLA) + https://bugs.webkit.org/show_bug.cgi?id=209043 + + Reviewed by Mark Lam. + + This patch disables variable-length-array (VLA). If this feature uses user-input, user can + control the stack height consumed by C++ code. This patch avoids using VLA. To achieve that, + + 1. We set `-Wvla` warning option to trigger warnings if it is used. + 2. Introduce MarkedJSValueRefArray for API. This replaces `JSValueRef arguments[variableLength]` use case. + MarkedJSValueRefArray registers itself to JSC GC so that GC can mark it as a strong root. + + * API/JSContext.mm: + (+[JSContext currentArguments]): + * API/JSValue.mm: + (-[JSValue callWithArguments:]): + (-[JSValue constructWithArguments:]): + (-[JSValue invokeMethod:withArguments:]): + * API/MarkedJSValueRefArray.cpp: Added. + (JSC::MarkedJSValueRefArray::MarkedJSValueRefArray): + (JSC::MarkedJSValueRefArray::~MarkedJSValueRefArray): + (JSC::MarkedJSValueRefArray::visitAggregate): + * API/MarkedJSValueRefArray.h: Added. + * API/tests/minidom.c: + (print): + * API/tests/testapi.cpp: + (TestAPI::markedJSValueArrayAndGC): + (testCAPIViaCpp): + * Configurations/Base.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/Heap.cpp: + (JSC::Heap::addCoreConstraints): + (JSC::Heap::addMarkedJSValueRefArray): + * heap/Heap.h: + * heap/MarkedSpace.h: + (JSC::MarkedSpace::activeWeakSetsBegin): Deleted. 
+ (JSC::MarkedSpace::activeWeakSetsEnd): Deleted. + (JSC::MarkedSpace::newActiveWeakSetsBegin): Deleted. + (JSC::MarkedSpace::newActiveWeakSetsEnd): Deleted. + * runtime/ArgList.h: + +2020-03-14 Saam Barati + + Unreviewed. Fix windows build by making configSizeToProtect stay 4KB. + + * runtime/JSCConfig.h: + +2020-03-13 Saam Barati + + configSizeToProtect should be 16KB + https://bugs.webkit.org/show_bug.cgi?id=209068 + + Reviewed by Keith Miller. + + * runtime/JSCConfig.h: + +2020-03-13 Yusuke Suzuki + + Unreviewed, fix JSC / test262 tests + https://bugs.webkit.org/show_bug.cgi?id=209033 + + + Follow-up change for DisallowGC causes crash because CodeBlock is nullptr when function call is non JS calls. + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + +2020-03-13 Tadeu Zagallo + + Missing arithMode for ArithAbs and ArithNegate in DFGClobberize + https://bugs.webkit.org/show_bug.cgi?id=208685 + + + Reviewed by Saam Barati. + + In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their + respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent + to an Unchecked version of the same node. + + Thanks to Samuel Groß of Google Project Zero for identifying this bug. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2020-03-13 Myles C. Maxfield + + [Cocoa] Push applicationSDKVersion() down from WebCore into WTF + https://bugs.webkit.org/show_bug.cgi?id=209030 + + Reviewed by Simon Fraser. + + dyld_get_program_sdk_version() gives you the wrong answer in the Web Process (or at least + not the answer you actually want). There are already facilities for the UI Process to tell + the Web Process what the real value is, but those functions are currently in WebCore, + which is inaccessible to WTF. This patch is in preparation for + https://bugs.webkit.org/show_bug.cgi?id=208969 which needs to know this information in WTF. 
+ + I also found a few places which were calling dyld_get_program_sdk_version() in JavaScriptCore + and WebCore (which is wrong because those libraries exist in the Web Process), and have fixed + them up to use applicationSDKVersion() instead. + + * API/JSWrapperMap.mm: + (supportsInitMethodConstructors): + +2020-03-13 Yusuke Suzuki + + [JSC] Reload CodeBlock or suppress GC while setting up calls + https://bugs.webkit.org/show_bug.cgi?id=209033 + + + Reviewed by Saam Barati. + + The sequence of Interpreter::execute is the following. + + 1. Getting CodeBlock from Executable + 2. Doing a lot of setups + 3. Setting (1)'s CodeBlock to ProtoFrame + 4. Calling code through Executable + + During (2), it would be possible that GC happens and it replaces CodeBlock in Executable. + Then, when executing JITCode with CodeBlock in (4), we use new JITCode with old CodeBlock. + + In this patch, + + For ProgramExecutable, FunctionExecutable, ModuleProgramExecutable, we ensure that no GC happens + after getting CodeBlock by placing DisallowGC. For EvalExecutable, we reload CodeBlock after setting + up environment. It is possible that FunctionExecutable* stored in CodeBlock can be different when + executing a new CodeBlock, but this is OK since this different does not appear and we do not rely on + this: we are touching `name` of FunctionExecutable* which is retrieved from CodeBlock. But this name + will not be changed since this is derived from UnlinkedFunctionExecutable which is shared by multiple + CodeBlocks. And FunctionExecutable* generation ordering must be the same for every CodeBlock generation + from the same UnlinkedCodeBlock. 
+ + * bytecode/CodeBlock.h: + (JSC::ScriptExecutable::prepareForExecution): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeProgram): + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + (JSC::Interpreter::execute): + (JSC::Interpreter::executeModuleProgram): + * interpreter/InterpreterInlines.h: + (JSC::Interpreter::execute): + * runtime/DisallowScope.h: + (JSC::DisallowScope::disable): + * runtime/StringPrototype.cpp: + +2020-03-12 Yusuke Suzuki + + [JSC] Delete IC creation should check mayNeedToCheckCell/canCacheDeleteIC regardless of Structure::outOfLineCapacity + https://bugs.webkit.org/show_bug.cgi?id=209027 + + Reviewed by Saam Barati. + + Delete IC code generation assumes that mayNeedToCheckCell (it is replaced with canCacheDeleteIC) is false + while we are looking into this status only if Structure::outOfLineCapacity meets a certain condition. We should avoid + create Delete IC when mayNeedToCheckCell/canCacheDeleteIC is true regardless of Structure::outOfLineCapacity + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::createDelete): + (JSC::AccessCase::generateImpl): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::mayHaveIndexingHeader const): + (JSC::Structure::canCacheDeleteIC const): + +2020-03-13 Alexey Shvayka + + Bound functions should pass correct NewTarget value + https://bugs.webkit.org/show_bug.cgi?id=209057 + + Reviewed by Keith Miller. + + This change implements steps 5-6 of bound function's [[Construct]] method [1], + fixing bound function subclasses and aligning JSC with V8 and SpiderMonkey. 
+ + [1]: https://tc39.es/ecma262/#sec-bound-function-exotic-objects-construct-argumentslist-newtarget + + * runtime/JSBoundFunction.cpp: + (JSC::boundThisNoArgsFunctionConstruct): + (JSC::boundFunctionConstruct): + +2020-03-13 Yusuke Suzuki + + Unreviewed, change ASSERT to ASSERT_WITH_SECURITY_IMPLICATION since it is now enabled under ENABLE(SECURITY_ASSERTIONS) + https://bugs.webkit.org/show_bug.cgi?id=209041 + + + * runtime/JSCast.h: + (JSC::jsCast): + +2020-03-12 Yusuke Suzuki + + Report crashed cell in jsCast in debug builds + https://bugs.webkit.org/show_bug.cgi?id=209041 + + + Reviewed by Mark Lam. + + To collect more information when crashing with jsCast, we attempt to use reportZappedCellAndCrash. + If it succeeds, we can get more information in registers. We enable this only for ASSERT_ENABLED + build. For non ASSERT_ENABLED, we keep the original assertion since this assertion can be enabled + via ENABLE(SECURITY_ASSERTIONS). + + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::appendToMarkStack): + (JSC::SlotVisitor::visitChildren): + (JSC::SlotVisitor::reportZappedCellAndCrash): Deleted. + * heap/SlotVisitor.h: + * runtime/JSCast.h: + (JSC::jsCast): + * runtime/JSCell.cpp: + (JSC::reportZappedCellAndCrash): + * runtime/JSCell.h: + +2020-03-12 Keith Miller + + DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray + https://bugs.webkit.org/show_bug.cgi?id=209035 + + Reviewed by Saam Barati. + + It might be possible to produce a graph where the last reference to a TypedArray + is via a GetByVal or PutByVal. Since those nodes don't create any reference to the + TypedArray in B3 we may end up not keeping the TypedArray alive until after the + storage access. 
+ + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): + +2020-03-12 Yusuke Suzuki + + [JSC] Use CacheableIdentifier in ByValInfo + https://bugs.webkit.org/show_bug.cgi?id=208978 + + Reviewed by Saam Barati. + + CodeBlock::finalizeUnconditionally discards JITData. And this includes ByValInfo, which holds Identifier. + However, finalizeUnconditionally is only guaranteeing that the main thread is not working. It can be invoked + in the heap thread, and it is not not setting the AtomStringTable for this heap thread. If Identifier destroys + AtomStringImpl, which fails to unregister itself from the table. + + In this patch, + + 1. We explicitly set nullptr for the current AtomStringTable to catch the bug as soon as possible in GC end phase. + 2. We use CacheableIdentifier in ByValInfo to avoid destroying Identifier in CodeBlock::finalizeUnconditionally. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/ByValInfo.cpp: Added. + (JSC::ByValInfo::visitAggregate): + * bytecode/ByValInfo.h: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::stronglyVisitStrongReferences): + * bytecode/CodeBlock.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handlePutByVal): + * heap/Heap.cpp: + (JSC::Heap::runEndPhase): + * jit/JIT.h: + * jit/JITOperations.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitByValIdentifierCheck): + * runtime/CacheableIdentifier.h: + +2020-03-11 Keith Miller + + Test262-runner should always consider crashes as new failures + https://bugs.webkit.org/show_bug.cgi?id=208943 + + Reviewed by Yusuke Suzuki. + + BigInt.asUintN() / BigInt.asIntN() should not crash when called even if we have + not implemented them yet... 
+ + * runtime/BigIntConstructor.cpp: + (JSC::bigIntConstructorFuncAsUintN): + (JSC::bigIntConstructorFuncAsIntN): + +2020-03-11 Keith Miller + + Throws incorrectly a syntax error when declaring a top level catch variable the same as a parameter + https://bugs.webkit.org/show_bug.cgi?id=189914 + + Reviewed by Saam Barati. + + When we are parsing catch block parameters we should increment the statement depth so we don't think + we are trying to shadow top level lexical variables in the same statement depth. + + * parser/Parser.cpp: + (JSC::Parser::parseTryStatement): + +2020-03-10 Yusuke Suzuki + + [JSC] Fix iso-subspace static_assert for JSJavaScriptCallFramePrototype + https://bugs.webkit.org/show_bug.cgi?id=208874 + + Reviewed by Saam Barati. + + This static_assert should ensure the condition for JSJavaScriptCallFramePrototype, not for JSInjectedScriptHostPrototype. + + * inspector/JSJavaScriptCallFramePrototype.h: + +2020-03-09 Don Olmstead + + Remove obsolete feature flags + https://bugs.webkit.org/show_bug.cgi?id=208830 + + Reviewed by Alex Christensen. + + Remove ENABLE_CUSTOM_SCHEME_HANDLER and ENABLE_MAC_VIDEO_TOOLBOX since they + are no longer used. + + * Configurations/FeatureDefines.xcconfig: + +2020-03-09 Alexey Shvayka + + @putByValDirect does not perform [[DefineOwnProperty]] correctly + https://bugs.webkit.org/show_bug.cgi?id=208708 + + Reviewed by Yusuke Suzuki. + + This change adds inSparseIndexingMode() check to canDoFastPutDirectIndex(), fixing slow path + of @putByValDirect() to perform [[DefineOwnProperty]] according to spec [1] and aligning JSC + with V8 and SpiderMonkey. + + This patch preserves existing behavior for Arguments exotic objects (thus the checks order) + and aligns slow path checks in JSObject::putDirectIndexSlowOrBeyondVectorLength + with JSObject::defineOwnIndexedProperty. + + JetStream2 benchmark is neutral. 
+ + [1]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor + + * runtime/JSObject.cpp: + (JSC::canDoFastPutDirectIndex): + +2020-03-09 Antoine Quint + + Remove the compile-time flag for Pointer Events + https://bugs.webkit.org/show_bug.cgi?id=208821 + + + Reviewed by Dean Jackson. + + * Configurations/FeatureDefines.xcconfig: + +2020-03-09 Caio Lima + + Tail calls are broken on ARM_THUMB2 and MIPS + https://bugs.webkit.org/show_bug.cgi?id=197797 + + Reviewed by Yusuke Suzuki. + + `prepareForTailCall` operation expects that header size + parameters + size is aligned with stack (alignment is 16-bytes for every architecture). + This means that headerSizeInBytes + argumentsIncludingThisInBytes needs + to be multiple of 16. This was not being preserved during getter IC code + for 32-bits. The code generated was taking in account only + headerSizeInRegisters (it is 4 on 32-bits) and argumentsIncludingThis + (that is always 1 for getters) and allocating 32-bytes when applying + operation `(headerSize + argumentsIncludingThis) * 8 - sizeof(CallerFrameAndPC)`. + This results in a stack frame with size of 40 bytes (after we push + `lr` and `sp`). Since `prepareForTailCall` expects frames to be + 16-bytes aligned, it will then calculate the top of such frame + considering it is 48 bytes, cloberring values of previous frame and + causing unexpected behavior. This patch is fixing how this IC code + calculates the stack frame using `roundArgumentCountToAlignFrame(numberOfParameters)` + aligning with what we do on code without IC installed. + This was not a problem for getter and setter IC on 64-bits because + `roundArgumentCountToAlignFrame(1) == 1` and `roundArgumentCountToAlignFrame(2) == 3` + while it is `roundArgumentCountToAlignFrame(1) == 2` and + `roundArgumentCountToAlignFrame(2) == 2` for MIPS and ARMv7. 
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + +2020-03-08 Brady Eidson + + Remember completed subranges during incremental PDF loading. + https://bugs.webkit.org/show_bug.cgi?id=208785 + + Reviewed by Tim Horton. + + Move 'using WTF::Range' from the WTF/Range.h header to these JSC users. + + The alternative to making these 3 changes was to make over 20 changes up in the WebCore/WebKits + to resolve the conflict with WebCore::Range. + + * b3/B3HeapRange.h: + * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: + * heap/JITStubRoutineSet.h: + +2020-03-07 Alexey Shvayka + + REGRESSION (r258049): Unchecked JS exception in jsc::Stringifier::toJSON + https://bugs.webkit.org/show_bug.cgi?id=208766 + + Reviewed by Yusuke Suzuki. + + * runtime/JSONObject.cpp: + (JSC::Stringifier::toJSON): Add missing RELEASE_AND_RETURN. + +2020-03-07 Mark Lam + + Remove bad assertion in FTLLowerDFGToB3's compileDelBy(). + https://bugs.webkit.org/show_bug.cgi?id=208764 + + + Reviewed by Keith Miller. + + The assertion ASSERT(base.gpr() != params[2].gpr()) is wrong because it is legal + JS to pass in the same value as the base and subscript. The runtime will handle + it properly. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): + +2020-03-05 Sam Weinig + + Move JavaScriptCore related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h + https://bugs.webkit.org/show_bug.cgi?id=207436 + + + Reviewed by Darin Adler. + + * Configurations/FeatureDefines.xcconfig: + Remove JSC related defines. + +2020-03-06 Yusuke Suzuki + + [JSC] Enable public class fields + https://bugs.webkit.org/show_bug.cgi?id=208756 + + Reviewed by Mark Lam. + + This patch turns public-class-fields feature on, implemented in r254653. + To separate from private-class-fields, this patch renames the flag from useClassFields to usePublicClassFields, + and first enable public-class-fields feature. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + * bytecompiler/NodesCodegen.cpp: + (JSC::FunctionCallValueNode::emitBytecode): + * parser/Parser.cpp: + (JSC::Parser::parseClass): + * runtime/OptionsList.h: + +2020-03-06 Mark Lam + + Add "AndOrdered" to the names of ordered DoubleConditions. + https://bugs.webkit.org/show_bug.cgi?id=208736 + + Reviewed by Keith Miller. + + Renamed the following: + DoubleEqual ==> DoubleEqualAndOrdered + DoubleNotEqual ==> DoubleNotEqualAndOrdered + DoubleGreaterThan ==> DoubleGreaterThanAndOrdered + DoubleGreaterThanOrEqual ==> DoubleGreaterThanOrEqualAndOrdered + DoubleLessThan ==> DoubleLessThanAndOrdered + DoubleLessThanOrEqual ==> DoubleLessThanOrEqualAndOrdered + + The comment for these enums in MacroAssemblerARM64.h says: + // These conditions will only evaluate to true if the comparison is ordered - i.e. neither operand is NaN. + + Adding "AndOrdered" to their names makes this property explicit. + + From reading the original names, one might intuitively think that these conditions + map directly to the C++ double comparisons. This intuition is incorrect. + Consider the DoubleNotEqual case: let's compare 2 doubles, a and b: + + result = (a != b); + + For C++, if either a or b are NaNs, then a != b will actually return true. + This is contrary to the behavior documented in the MacroAssemblerARM64.h comment + above about how DoubleNotEqual should behave. In our code, DoubleNotEqual actually + means DoubleNotEqualAndOrdered. The C++ != behavior actually matches our + DoubleNotEqualOrUnordered condition instead. + + The tendency to want to associate DoubleNotEqual with the behavior of the C++ + != operator is precisely why we should give these conditions better names. + Adding the "AndOperand" name make the expected behavior explicit in the name, and + leave no room for confusion with C++ double comparison semantics. 
+ + * assembler/MacroAssembler.cpp: + (WTF::printInternal): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::invert): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare): + (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare): + (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare): + (JSC::MacroAssemblerARM64::floatingPointCompare): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::branchDouble): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::branchDouble): + (JSC::MacroAssemblerMIPS::branchDoubleNonZero): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::branchDoubleNonZero): + (JSC::MacroAssemblerX86Common::moveConditionallyDouble): + (JSC::MacroAssemblerX86Common::invert): + (JSC::MacroAssemblerX86Common::floatingPointCompare): + (JSC::MacroAssemblerX86Common::jumpAfterFloatingPointCompare): + (JSC::MacroAssemblerX86Common::moveConditionallyAfterFloatingPointCompare): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::truncateDoubleToUint64): + (JSC::MacroAssemblerX86_64::truncateFloatToUint64): + * assembler/testmasm.cpp: + (JSC::testCompareDouble): + (JSC::testCompareDoubleSameArg): + (JSC::testMoveConditionallyFloatingPoint): + (JSC::testMoveDoubleConditionallyDouble): + (JSC::testMoveDoubleConditionallyDoubleDestSameAsThenCase): + (JSC::testMoveDoubleConditionallyDoubleDestSameAsElseCase): + (JSC::testMoveDoubleConditionallyFloat): + (JSC::testMoveDoubleConditionallyFloatDestSameAsThenCase): + (JSC::testMoveDoubleConditionallyFloatDestSameAsElseCase): + (JSC::testMoveConditionallyFloatingPointSameArg): + (JSC::run): + * b3/B3LowerToAir.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::compileClampDoubleToByte): + (JSC::DFG::SpeculativeJIT::compileArithRounding): + (JSC::DFG::SpeculativeJIT::compileArithMinMax): + (JSC::DFG::SpeculativeJIT::compileArithPow): + 
(JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): + (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfNotNaN): + * jit/JITArithmetic.cpp: + (JSC::JIT::emitSlow_op_jless): + (JSC::JIT::emitSlow_op_jlesseq): + (JSC::JIT::emitSlow_op_jgreater): + (JSC::JIT::emitSlow_op_jgreatereq): + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emitBinaryDoubleOp): + * jit/ThunkGenerators.cpp: + (JSC::floorThunkGenerator): + (JSC::roundThunkGenerator): + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + +2020-03-06 David Kilzer + + REGRESSION (r258038): Build failure on Windows 10 bots + + + + * assembler/testmasm.cpp: + (JSC::testCompareDouble): + (JSC::testCompareDoubleSameArg): + (JSC::testMoveConditionallyFloatingPoint): + (JSC::testMoveConditionallyFloatingPointSameArg): + - Add RELEASE_ASSERT_NOT_REACHED() statements to try to fix the + bots. + +2020-03-06 Yusuke Suzuki + + Put remaining fixed-sized cells into IsoSubspace + https://bugs.webkit.org/show_bug.cgi?id=208754 + + Reviewed by Keith Miller. + + Put remaining fixed-sized cells into IsoSubspace. Now all the fixed-sized cells have their own IsoSubspaces. + + 1. JSArray (We need to care about RAMification number, or compensate RAMification regression with improvements). + 2. 
Inspector's objects + 3. All prototype objects have one IsoSubspace since they are plain objects. + + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::JSInjectedScriptHost): + * inspector/JSInjectedScriptHost.h: + * inspector/JSInjectedScriptHostPrototype.h: + * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame): + * inspector/JSJavaScriptCallFrame.h: + * inspector/JSJavaScriptCallFramePrototype.h: + * jsc.cpp: + (JSC::Masquerader::subspaceFor): + (JSCMemoryFootprint::subspaceFor): + * runtime/ArrayIteratorPrototype.h: + * runtime/ArrayPrototype.h: + * runtime/AsyncFromSyncIteratorPrototype.h: + * runtime/AsyncFunctionPrototype.h: + * runtime/AsyncGeneratorFunctionPrototype.h: + * runtime/AsyncGeneratorPrototype.h: + * runtime/AsyncIteratorPrototype.h: + * runtime/AtomicsObject.h: + * runtime/BigIntPrototype.h: + * runtime/ConsoleObject.h: + * runtime/DatePrototype.h: + * runtime/ErrorPrototype.h: + * runtime/ExceptionHelpers.h: + * runtime/GeneratorFunctionPrototype.h: + * runtime/GeneratorPrototype.h: + * runtime/InspectorInstrumentationObject.h: + * runtime/IntlCollatorPrototype.h: + * runtime/IntlDateTimeFormatPrototype.h: + * runtime/IntlNumberFormatPrototype.h: + * runtime/IntlObject.h: + * runtime/IntlPluralRulesPrototype.h: + * runtime/IteratorPrototype.h: + * runtime/JSArray.h: + (JSC::JSArray::subspaceFor): + * runtime/JSArrayBufferPrototype.h: + * runtime/JSDataViewPrototype.h: + * runtime/JSDestructibleObject.h: + (JSC::JSDestructibleObject::subspaceFor): Deleted. + * runtime/JSGenericTypedArrayViewPrototype.h: + * runtime/JSModuleLoader.h: + * runtime/JSONObject.h: + * runtime/JSObject.h: + * runtime/JSObjectInlines.h: + (JSC::JSFinalObject::subspaceFor): + (JSC::JSObject::subspaceFor): Deleted. 
+ * runtime/JSPromisePrototype.h: + (JSC::JSPromisePrototype::subspaceFor): + * runtime/JSTypedArrayViewPrototype.h: + * runtime/MapIteratorPrototype.h: + * runtime/MapPrototype.h: + * runtime/MathObject.h: + * runtime/NativeErrorPrototype.h: + * runtime/ObjectPrototype.h: + * runtime/ReflectObject.h: + * runtime/RegExpPrototype.h: + * runtime/RegExpStringIteratorPrototype.h: + * runtime/SetIteratorPrototype.h: + * runtime/SetPrototype.h: + * runtime/StringIteratorPrototype.h: + * runtime/SymbolPrototype.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * runtime/WeakMapPrototype.h: + * runtime/WeakObjectRefPrototype.h: + * runtime/WeakSetPrototype.h: + * tools/JSDollarVM.cpp: + * tools/JSDollarVM.h: + * wasm/js/JSWebAssembly.h: + * wasm/js/WebAssemblyCompileErrorPrototype.h: + * wasm/js/WebAssemblyGlobalPrototype.h: + * wasm/js/WebAssemblyInstancePrototype.h: + * wasm/js/WebAssemblyLinkErrorPrototype.h: + * wasm/js/WebAssemblyMemoryPrototype.h: + * wasm/js/WebAssemblyModulePrototype.h: + * wasm/js/WebAssemblyRuntimeErrorPrototype.h: + * wasm/js/WebAssemblyTablePrototype.h: + +2020-03-06 Alexey Shvayka + + JSON.stringify should call replacer on deleted properties + https://bugs.webkit.org/show_bug.cgi?id=208725 + + Reviewed by Ross Kirsling. + + This change removes extra `hasProperty` check from `appendNextProperty` as + it does not exist in the spec [1], aligning JSC with V8 and SpiderMonkey. + + This patch also replaces 3 usages of `getPropertySlot` with semantically + equivalent (yet more concise) `get` and inlines `toJSONImpl` (this change + is performance-neutral). + + [1]: https://tc39.es/ecma262/#sec-serializejsonobject (steps 6, 8.a) + + * runtime/JSONObject.cpp: + (JSC::Stringifier::toJSON): + (JSC::Stringifier::Holder::appendNextProperty): + (JSC::Stringifier::toJSONImpl): Deleted. + +2020-03-06 Mark Lam + + Fix some issues in the ARM64 moveConditionallyAfterFloatingPointCompare() and moveDoubleConditionallyAfterFloatingPointCompare(). 
+ https://bugs.webkit.org/show_bug.cgi?id=208731 + + + Reviewed by Saam Barati. + + Both the ARM64 moveConditionallyAfterFloatingPointCompare() and + moveDoubleConditionallyAfterFloatingPointCompare() had the following issues: + + 1. For the DoubleNotEqual condition, they fail to set the result register if + one or both of the comparison operands is a NaN. + + 2. For the DoubleEqualOrUnordered condition, they can clobber the else case + input register if one of the comparison operands is a NaN. + + This patch fixes both of these, and exhaustive testmasm test cases for affected + MacroAssembler instruction emitters using these functions. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare): + (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare): + * assembler/testmasm.cpp: + (JSC::testCompareDouble): + (JSC::testCompareDoubleSameArg): + (JSC::testMoveConditionallyFloatingPoint): + (JSC::testMoveConditionallyDouble2): + (JSC::testMoveConditionallyDouble3): + (JSC::testMoveConditionallyDouble3DestSameAsThenCase): + (JSC::testMoveConditionallyDouble3DestSameAsElseCase): + (JSC::testMoveConditionallyFloat2): + (JSC::testMoveConditionallyFloat3): + (JSC::testMoveConditionallyFloat3DestSameAsThenCase): + (JSC::testMoveConditionallyFloat3DestSameAsElseCase): + (JSC::testMoveDoubleConditionallyDouble): + (JSC::testMoveDoubleConditionallyDoubleDestSameAsThenCase): + (JSC::testMoveDoubleConditionallyDoubleDestSameAsElseCase): + (JSC::testMoveDoubleConditionallyFloat): + (JSC::testMoveDoubleConditionallyFloatDestSameAsThenCase): + (JSC::testMoveDoubleConditionallyFloatDestSameAsElseCase): + (JSC::testMoveConditionallyFloatingPointSameArg): + (JSC::testMoveConditionallyDouble2SameArg): + (JSC::testMoveConditionallyDouble3SameArg): + (JSC::testMoveConditionallyFloat2SameArg): + (JSC::testMoveConditionallyFloat3SameArg): + (JSC::testMoveDoubleConditionallyDoubleSameArg): + 
(JSC::testMoveDoubleConditionallyFloatSameArg): + (JSC::run): + +2020-03-05 Paulo Matos + + [JSCOnly] 32-bits warning on memset of JSValue + https://bugs.webkit.org/show_bug.cgi?id=204411 + + Reviewed by Mark Lam. + + Fixes warning on 32bit builds. This is required because GCC knows + it is not safe to use memset on non-POD types and warns against its use. + + * heap/GCMemoryOperations.h: + (JSC::gcSafeZeroMemory): + +2020-03-04 Mark Lam + + Handle an out of memory error while constructing the BytecodeGenerator. + https://bugs.webkit.org/show_bug.cgi?id=208622 + + + Reviewed by Saam Barati. + + Added the ability to handle out of memory errors encountered during the + construction of the BytecodeGenerator. Currently, we only use this for the + case where we fail to instantiate a ScopedArgumentsTable. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::BytecodeGenerator): + * bytecompiler/BytecodeGeneratorBase.h: + * runtime/ScopedArgumentsTable.cpp: + (JSC::ScopedArgumentsTable::tryCreate): + * runtime/ScopedArgumentsTable.h: + * runtime/SymbolTable.h: + +2020-03-04 Paulo Matos + + JSC 32bits broken in debug mode by r257399 + https://bugs.webkit.org/show_bug.cgi?id=208439 + + Reviewed by Carlos Alberto Lopez Perez. + + Use uses() method call instead of gpr() on assert to that it + works for both 64 and 32 bits. + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + +2020-03-03 Saam Barati + + Refactor FixedVMPoolExecutableAllocator to not have member functions which are really just helper functions + https://bugs.webkit.org/show_bug.cgi?id=208537 + + Reviewed by Mark Lam. + + There were a few member functions in FixedVMPoolExecutableAllocator that were + essentially helper functions. I've factored them out, and made FixedVMPoolExecutableAllocator + call them directly. 
This refactoring is needed when I implement the 1GB + executable pool on arm64 since the implementation of that will create split + implementations of something like FixedVMPoolExecutableAllocator. + + * jit/ExecutableAllocator.cpp: + (JSC::jitWriteThunkGenerator): + (JSC::genericWriteToJITRegion): + (JSC::initializeSeparatedWXHeaps): + (JSC::initializeJITPageReservation): + (JSC::ExecutableAllocator::isValid const): + (JSC::ExecutableAllocator::underMemoryPressure): + (JSC::ExecutableAllocator::memoryPressureMultiplier): + (JSC::ExecutableAllocator::allocate): + (JSC::ExecutableAllocator::isValidExecutableMemory): + (JSC::ExecutableAllocator::getLock const): + (JSC::ExecutableAllocator::committedByteCount): + (JSC::ExecutableAllocator::dumpProfile): + (JSC::startOfFixedExecutableMemoryPoolImpl): + (JSC::endOfFixedExecutableMemoryPoolImpl): + (JSC::isJITPC): + +2020-03-03 Ross Kirsling + + Introduce JSRemoteInspectorServerStart API for socket-based RWI. + https://bugs.webkit.org/show_bug.cgi?id=208349 + + Reviewed by Joseph Pecoraro. + + * API/JSRemoteInspectorServer.cpp: Added. + (JSRemoteInspectorServerStart): + * API/JSRemoteInspectorServer.h: Added. + * CMakeLists.txt: + +2020-03-03 Basuke Suzuki + + [WinCairo][PlayStation] Add interface to get listening port of RemoteInspectorServer + https://bugs.webkit.org/show_bug.cgi?id=208391 + + Reviewed by Don Olmstead. + + When passing zero as a port argument, system will pick an available port for it. + Without this method, client cannot get which port is listening. + + * inspector/remote/socket/RemoteInspectorServer.cpp: + (Inspector::RemoteInspectorServer::start): + (Inspector::RemoteInspectorServer::getPort): + * inspector/remote/socket/RemoteInspectorServer.h: + +2020-03-03 Yusuke Suzuki + + [JSC] @hasOwnLengthProperty returns wrong value if "length" is attempted to be modified + https://bugs.webkit.org/show_bug.cgi?id=208497 + + + Reviewed by Mark Lam. 
+ + When "length" of JSFunction is attempted to be modified, we put a flag. And @hasOwnLengthProperty + does not correctly use this flag to return a value for the fast path. This affects on "length" + property of bound functions. For example, + + function userFunction(a) { } + userFunction.length = 20; // This field is read-only. So, it is not changed. + userFunction.bind().length; // Should be 1, but it returns 0. + + 1. We rename m_hasModifiedLength to m_hasModifiedLengthForNonHostFunction and m_hasModifiedName + to m_hasModifiedNameForNonHostFunction since we are not tracking these states for host-functions + which can eagerly initialize them. + 2. We rename areNameAndLengthOriginal to canAssumeNameAndLengthAreOriginal to allow it to return + "false" for host functions. If it returns true, we go to the fast path. + 3. Correctly use canAssumeNameAndLengthAreOriginal information in @hasOwnLengthProperty. + + * runtime/FunctionRareData.cpp: + (JSC::FunctionRareData::FunctionRareData): + * runtime/FunctionRareData.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::put): + (JSC::JSFunction::deleteProperty): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSFunction.h: + * runtime/JSFunctionInlines.h: + (JSC::JSFunction::canAssumeNameAndLengthAreOriginal): + (JSC::JSFunction::areNameAndLengthOriginal): Deleted. + * runtime/JSGlobalObject.cpp: + (JSC::hasOwnLengthProperty): + * tools/JSDollarVM.cpp: + (JSC::functionHasOwnLengthProperty): + +2020-03-02 Alan Coon + + Add new Mac target numbers + https://bugs.webkit.org/show_bug.cgi?id=208398 + + Reviewed by Alexey Proskuryakov. + + * Configurations/Base.xcconfig: + * Configurations/DebugRelease.xcconfig: + * Configurations/Version.xcconfig: + * Configurations/WebKitTargetConditionals.xcconfig: + +2020-03-02 Justin Michaud + + Delete by val caching does not keep the subscript alive + https://bugs.webkit.org/show_bug.cgi?id=208393 + + Reviewed by Yusuke Suzuki. 
+ + Before, the provided test case crashed with asan because we did not keep deleteByVal + subscripts alive. This patch changes CacheableIdentifier to make this mistake harder + to make again, by making the constructor calls more explicit when CacheableIdentifier + will not keep an Identifier alive. + + * jit/JITOperations.cpp: + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + (JSC::tryCacheDeleteBy): + (JSC::repatchDeleteBy): + (JSC::tryCacheInByID): + (JSC::tryCacheInstanceOf): + (JSC::tryCacheDelBy): Deleted. + (JSC::repatchDelBy): Deleted. + * jit/Repatch.h: + * runtime/CacheableIdentifier.h: + * runtime/CacheableIdentifierInlines.h: + (JSC::CacheableIdentifier::createFromIdentifierOwnedByCodeBlock): + (JSC::CacheableIdentifier::createFromCell): + +2020-03-02 Paulo Matos + + Fix JSC 32bit alignment increase gcc warning + https://bugs.webkit.org/show_bug.cgi?id=208445 + + Reviewed by Yusuke Suzuki. + + Use reinterpret_cast_ptr<>() instead of reinterpret_cast<>() to + avoid GCC warning about increase in alignment requirement for cast + target type. + + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + +2020-03-02 Yusuke Suzuki + + Unreviewed, fix wrong assertion + https://bugs.webkit.org/show_bug.cgi?id=208404 + + + * runtime/CachedTypes.cpp: + (JSC::CachedUniquedStringImplBase::decode const): + +2020-03-01 Charles Turner + + undefined reference to `JSC::ExecutableBase::hasJITCodeForCall() const' + https://bugs.webkit.org/show_bug.cgi?id=207890 + + Reviewed by Yusuke Suzuki. + + Encountered on arm-buildroot-linux-gnueabihf with GCC 9.2.0. + + * runtime/NativeExecutable.cpp: Inclusion of + ExecutableBaseInlines.h resolves the issue for me. + +2020-02-29 Yusuke Suzuki + + Remove std::lock_guard + https://bugs.webkit.org/show_bug.cgi?id=206451 + + Reviewed by Anders Carlsson. 
+ + * API/JSVirtualMachine.mm: + (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): + (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): + * API/glib/JSCVirtualMachine.cpp: + (addWrapper): + (removeWrapper): + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::analyzeNode): + (JSC::HeapSnapshotBuilder::analyzeEdge): + (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge): + (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge): + (JSC::HeapSnapshotBuilder::analyzeIndexEdge): + (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell): + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::tryCopyOtherThreadStacks): + * runtime/JSRunLoopTimer.cpp: + (JSC::JSRunLoopTimer::timerDidFire): + +2020-02-28 Yusuke Suzuki + + [JSC] BuiltinNames' HashMap should be small + https://bugs.webkit.org/show_bug.cgi?id=208404 + + Reviewed by Mark Lam. + + This patch converts public-to-private-name-map from HashMap, SymbolImpl*> to HashSet to save half of memory. + The key is that private names have the same string content to the public names. We can just query with string content to the HashSet of + private names, and we can get private names. + + The problem is that we also have a hack inserting string <-> non-private well-known Symbol mappings into this table. These symbols do not have + the same content to the public string. So the above assumption is broken. + + To make the above assumption valid, we have a separate small HashMap which holds string <-> non-private well-known Symbol mappings. Since # of + well-known Symbols are only 13, this new HashMap is taking at most 512B for entries, which is much smaller compared to the saved memory by + converting HashMap to HashSet for private names (32KB). + + To allow it, we introduce new well-known Symbol identifier syntax to builtin JS, which is "@@iterator" format. If there is two "@", we parse this + identifier as a well-known Symbol. 
+ + * builtins/ArrayConstructor.js: + (from.wrapper.iterator): + (from): + (from.wrapper.iteratorSymbol): Deleted. + * builtins/ArrayPrototype.js: + (globalPrivate.concatSlowPath): + (concat): + * builtins/BuiltinNames.cpp: + (JSC::BuiltinNames::BuiltinNames): + (JSC::CharBufferSeacher::hash): + (JSC::CharBufferSeacher::equal): + (JSC::lookUpPrivateNameImpl): + (JSC::lookUpWellKnownSymbolImpl): + (JSC::BuiltinNames::lookUpPrivateName const): + (JSC::BuiltinNames::lookUpWellKnownSymbol const): + * builtins/BuiltinNames.h: + (JSC::BuiltinNames::lookUpPrivateName const): + (JSC::BuiltinNames::lookUpWellKnownSymbol const): + (JSC::BuiltinNames::checkPublicToPrivateMapConsistency): + (JSC::BuiltinNames::appendExternalName): + (JSC::BuiltinNames::getPublicName const): Deleted. + * builtins/GlobalOperations.js: + (globalPrivate.speciesConstructor): + * builtins/IteratorHelpers.js: + (performIteration): + * builtins/StringPrototype.js: + (match): + (matchAll): + (intrinsic.StringPrototypeReplaceIntrinsic.replace): + (replaceAll): + (search): + (split): + * builtins/TypedArrayConstructor.js: + (from.wrapper.iterator): + (from): + (from.wrapper.iteratorSymbol): Deleted. + * builtins/TypedArrayPrototype.js: + (globalPrivate.typedArraySpeciesConstructor): + (map): + (filter): + * bytecompiler/NodesCodegen.cpp: + (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate): + * parser/Lexer.cpp: + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + * runtime/CachedTypes.cpp: + (JSC::CachedUniquedStringImplBase::encode): + (JSC::CachedUniquedStringImplBase::decode const): + * runtime/CommonIdentifiers.cpp: + (JSC::CommonIdentifiers::CommonIdentifiers): + (JSC::CommonIdentifiers::lookUpPrivateName const): Deleted. + (JSC::CommonIdentifiers::getPublicName const): Deleted. 
+ * runtime/CommonIdentifiers.h: + * tools/JSDollarVM.cpp: + (JSC::functionGetPrivateProperty): + +2020-02-28 Saam Barati + + Clean up code with how we choose Gigacage sizes and whether or not to use Wasm fast memory + https://bugs.webkit.org/show_bug.cgi?id=208392 + + Reviewed by Yusuke Suzuki. + + * runtime/OptionsList.h: + +2020-02-27 Saam Barati + + Fix debug arm64 Wasm tests + https://bugs.webkit.org/show_bug.cgi?id=208362 + + Reviewed by Yusuke Suzuki. + + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv): + + We were assuming that "-1" is a valid imm on arm64, but it's not, we need + to use big imm. + +2020-02-27 Justin Michaud + + Poly proto should work with property delete transitions + https://bugs.webkit.org/show_bug.cgi?id=208261 + + Reviewed by Saam Barati. + + This patch fixes a bug where the combination of inline caching + and poly proto cause us to cache a setter call along a prototype chain that + is no longer the correct setter to call. This is exposed as a result of + https://bugs.webkit.org/show_bug.cgi?id=206430 since DefineOwnProperty used + to transition to uncacheable dictionary. + + The case looks like this: + A - setter for x redefines x + | + B + | + C + + We set (new C).x + + Right now, we first call A's setter, then we try to figure out what the state of things + were before it was called in order to cache it. We just assume that A's setter still exists, and we cache it + without ever checking, In this patch, we ensure that the property exists and the attributes match in order to prevent crashing. + + In the code, A = target, C = base. + + Get is correct because it collects caching information before any calls. + + The bug https://bugs.webkit.org/show_bug.cgi?id=208337 tracks the remaining semantic bugs around this code. 
+ + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + +2020-02-27 Basuke Suzuki + + [WinCairo] Fix RemoteInspector reconnect issue + https://bugs.webkit.org/show_bug.cgi?id=208256 + + Reviewed by Devin Rousso. + + Call target's disconnection sequence asynchronously to avoid deadlock. + + * inspector/remote/RemoteConnectionToTarget.cpp: + (Inspector::RemoteConnectionToTarget::close): + * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: + (Inspector::RemoteInspectorSocketEndpoint::workerThread): + +2020-02-26 Mark Lam + + Enhance JSObjectGetProperty() to mitigate against null object pointers. + https://bugs.webkit.org/show_bug.cgi?id=208275 + + + Reviewed by Robin Morisset. + + * API/JSObjectRef.cpp: + (JSObjectGetProperty): + +2020-02-26 Saam Barati + + Make testair pass on arm64 + https://bugs.webkit.org/show_bug.cgi?id=208258 + + Reviewed by Tadeu Zagallo. + + testElideMoveThenRealloc and testElideSimpleMove were never tested + on arm64. This patch makes those tests work. + - testElideMoveThenRealloc was using a BitImm that is invalid on arm64 + - testElideSimpleMove was testing for the wrong disassembly + + * b3/air/testair.cpp: + +2020-02-26 Don Olmstead + + Allow setting of stack sizes for threads + https://bugs.webkit.org/show_bug.cgi?id=208223 + + Reviewed by Yusuke Suzuki. + + Specify ThreadType at the Thread::create callsite. + + * heap/Heap.cpp: + (JSC::Heap::notifyIsSafeToCollect): + +2020-02-26 Caio Lima + + [JSC][MIPS] Adding support to Checkpoints + https://bugs.webkit.org/show_bug.cgi?id=208196 + + Reviewed by Yusuke Suzuki. + + This patch is adding changes to properly support OSR to + checkpoints on MIPS. It required fixes on JIT probe and some + adjustment on Offlineasm to correct generate `$gp` load when executing + `checkpoint_osr_exit_from_inlined_call_trampoline`. + + * assembler/MacroAssemblerMIPS.cpp: + + Probe trampoline needs to allocate 16 bytes for 4 arguments to + properly follow C calling conventions. 
This space is used by callee + when the JSC is compiled with `-O0` flags + (Check "DEFAULT C CALLING CONVENTION (O32)" section on + https://www.mips.com/downloads/mips32-instruction-set-quick-reference-v1-01). + + * llint/LowLevelInterpreter.asm: + + As we need to do on ARMv7, 64-bits arguments needs to be passed in + register pairs `$a1:$a0` or `$a3:$a2` (little-endian mode). Since `$a0` + contais `CallFrame*`, we need to pass `EncodedJSValue` on `$a3:$a2` + pair. + + * offlineasm/mips.rb: + + Following the same reason for return locations on OSR to LLInt, we + need to adjust `$gp` using `$ra` instead of `$t9` on + `checkpoint_osr_exit_from_inlined_call_trampoline`, given it is only + reachable through `ret` operations. For detailed explanation, check + ChangeLog of https://trac.webkit.org/changeset/252713. + +2020-02-25 Devin Rousso + + Web Inspector: safari app extension isolated worlds and injected files use the extension's identifier instead of its name + https://bugs.webkit.org/show_bug.cgi?id=206911 + + + Reviewed by Brian Burg. + + * inspector/protocol/Browser.json: Added. + Add a `Browser` agent that can communicate with the inspected page's containing browser. It + lives in the UIProcess alongside the `Target` agent (meaning there should only be one per + debuggable rather than one per target) and as such is not routed through the `Target` agent. + + * CMakeLists.txt: + * DerivedSources-input.xcfilelist: + * DerivedSources.make: + +2020-02-25 Justin Michaud + + Inline Cache delete by id/val + https://bugs.webkit.org/show_bug.cgi?id=207522 + + Reviewed by Keith Miller and Filip Pizlo. + + We add inline caching for deleteById/val for baseline only. We also fix a concurrency bug in ICStats used for testing. 
+ We add three new access cases (no inline code is emitted at this time): + - Delete is a cached delete of an existing property + - DeleteMiss is a delete of a property that does not exist + - DeleteNonConfigurable is a delete of a property that exists, but should not be deleted. + There are no conditions required for these caches, since the structure id must change and the prototype does not matter. + This gives the following microbenchmark results: + + delete-property-keeps-cacheable-structure (neutral) + delete-property-inline-cache definitely 3.9096x faster + delete-property-inline-cache-polymorphic definitely 1.5239x faster + delete-property-from-prototype-chain (neutral) + + * API/JSCallbackObject.h: + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::deleteProperty): + (JSC::JSCallbackObject::deletePropertyByIndex): + * API/JSObjectRef.cpp: + (JSObjectDeletePropertyForKey): + (JSObjectDeleteProperty): + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/AccessCase.cpp: + (JSC::AccessCase::create): + (JSC::AccessCase::createTransition): + (JSC::AccessCase::createDelete): + (JSC::AccessCase::requiresIdentifierNameMatch const): + (JSC::AccessCase::requiresInt32PropertyCheck const): + (JSC::AccessCase::needsScratchFPR const): + (JSC::AccessCase::forEachDependentCell const): + (JSC::AccessCase::doesCalls const): + (JSC::AccessCase::canReplace const): + (JSC::AccessCase::dump const): + (JSC::AccessCase::propagateTransitions const): + (JSC::AccessCase::generateImpl): + * bytecode/AccessCase.h: + (JSC::AccessCase::structure const): + (JSC::AccessCase::newStructure const): + * bytecode/PolymorphicAccess.cpp: + (WTF::printInternal): + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::reset): + * bytecode/StructureStubInfo.h: + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::deleteProperty): + * debugger/DebuggerScope.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGJITCompiler.cpp: + 
(JSC::DFG::JITCompiler::link): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::addDelById): + (JSC::DFG::JITCompiler::addDelByVal): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileDeleteById): Deleted. + (JSC::DFG::SpeculativeJIT::compileDeleteByVal): Deleted. + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileDeleteById): + (JSC::DFG::SpeculativeJIT::compileDeleteByVal): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileDeleteById): + (JSC::DFG::SpeculativeJIT::compileDeleteByVal): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): + * jit/ICStats.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileSlowCases): + (JSC::JIT::link): + * jit/JIT.h: + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITDelByValGenerator::JITDelByValGenerator): + (JSC::JITDelByValGenerator::generateFastPath): + (JSC::JITDelByValGenerator::finalize): + (JSC::JITDelByIdGenerator::JITDelByIdGenerator): + (JSC::JITDelByIdGenerator::generateFastPath): + (JSC::JITDelByIdGenerator::finalize): + * jit/JITInlineCacheGenerator.h: + (JSC::JITDelByValGenerator::JITDelByValGenerator): + (JSC::JITDelByValGenerator::slowPathJump const): + (JSC::JITDelByIdGenerator::JITDelByIdGenerator): + (JSC::JITDelByIdGenerator::slowPathJump const): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emitSlow_op_del_by_id): + (JSC::JIT::emit_op_del_by_val): + (JSC::JIT::emitSlow_op_del_by_val): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emit_op_del_by_val): + (JSC::JIT::emitSlow_op_del_by_val): + (JSC::JIT::emitSlow_op_del_by_id): + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + (JSC::tryCacheDelBy): + (JSC::repatchDelBy): + (JSC::resetPutByID): + (JSC::resetDelBy): + * jit/Repatch.h: + * llint/LLIntSlowPaths.cpp: + 
(JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/CacheableIdentifierInlines.h: + (JSC::CacheableIdentifier::CacheableIdentifier): + * runtime/ClassInfo.h: + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::deleteProperty): + * runtime/ClonedArguments.h: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/DeletePropertySlot.h: Added. + (JSC::DeletePropertySlot::DeletePropertySlot): + (JSC::DeletePropertySlot::setConfigurableMiss): + (JSC::DeletePropertySlot::setNonconfigurable): + (JSC::DeletePropertySlot::setHit): + (JSC::DeletePropertySlot::isCacheableDelete const): + (JSC::DeletePropertySlot::isDeleteHit const): + (JSC::DeletePropertySlot::isConfigurableDeleteMiss const): + (JSC::DeletePropertySlot::isNonconfigurable const): + (JSC::DeletePropertySlot::cachedOffset const): + (JSC::DeletePropertySlot::disableCaching): + (JSC::DeletePropertySlot::isCacheable const): + * runtime/ErrorConstructor.cpp: + (JSC::ErrorConstructor::deleteProperty): + * runtime/ErrorConstructor.h: + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::deleteProperty): + * runtime/ErrorInstance.h: + * runtime/GenericArguments.h: + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::put): + (JSC::GenericArguments::deleteProperty): + * runtime/GetterSetter.h: + * runtime/JSArray.cpp: + (JSC::JSArray::deleteProperty): + * runtime/JSArray.h: + * runtime/JSCJSValue.h: + * runtime/JSCell.cpp: + (JSC::JSCell::deleteProperty): + * runtime/JSCell.h: + * runtime/JSDataView.cpp: + (JSC::JSDataView::deleteProperty): + * runtime/JSDataView.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::deleteProperty): + * runtime/JSFunction.h: + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::deleteProperty): + (JSC::JSGenericTypedArrayView::deletePropertyByIndex): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::addFunction): + * runtime/JSLexicalEnvironment.cpp: + 
(JSC::JSLexicalEnvironment::deleteProperty): + * runtime/JSLexicalEnvironment.h: + * runtime/JSModuleEnvironment.cpp: + (JSC::JSModuleEnvironment::deleteProperty): + * runtime/JSModuleEnvironment.h: + * runtime/JSModuleNamespaceObject.cpp: + (JSC::JSModuleNamespaceObject::deleteProperty): + * runtime/JSModuleNamespaceObject.h: + * runtime/JSONObject.cpp: + (JSC::Walker::walk): + * runtime/JSObject.cpp: + (JSC::JSObject::deleteProperty): + (JSC::JSObject::deletePropertyByIndex): + (JSC::validateAndApplyPropertyDescriptor): + * runtime/JSObject.h: + * runtime/JSProxy.cpp: + (JSC::JSProxy::deleteProperty): + * runtime/JSProxy.h: + * runtime/JSSymbolTableObject.cpp: + (JSC::JSSymbolTableObject::deleteProperty): + * runtime/JSSymbolTableObject.h: + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::deleteProperty): + * runtime/ProxyObject.h: + * runtime/RegExpObject.cpp: + (JSC::RegExpObject::deleteProperty): + * runtime/RegExpObject.h: + * runtime/StrictEvalActivation.cpp: + (JSC::StrictEvalActivation::deleteProperty): + * runtime/StrictEvalActivation.h: + * runtime/StringObject.cpp: + (JSC::StringObject::deleteProperty): + * runtime/StringObject.h: + * runtime/Structure.cpp: + (JSC::Structure::removePropertyTransition): + (JSC::Structure::removePropertyTransitionFromExistingStructureImpl): + (JSC::Structure::removePropertyTransitionFromExistingStructure): + (JSC::Structure::removePropertyTransitionFromExistingStructureConcurrently): + (JSC::Structure::removeNewPropertyTransition): + (JSC::Structure::dump const): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::hasIndexingHeader const): + (JSC::Structure::mayHaveIndexingHeader const): + * tools/JSDollarVM.cpp: + (JSC::functionHasOwnLengthProperty): + (JSC::JSDollarVM::finishCreation): + +2020-02-24 Yusuke Suzuki + + [WTF] Attach WARN_UNUSED_RETURN to makeScopeExit and fix existing wrong usage + https://bugs.webkit.org/show_bug.cgi?id=208162 + + Reviewed by Robin Morisset. 
+ + * parser/Parser.cpp: + (JSC::Parser::parseUnaryExpression): + +2020-02-24 Keith Miller + + LLInt should fast path for jtrue/false on Symbols and Objects + https://bugs.webkit.org/show_bug.cgi?id=208151 + + Reviewed by Yusuke Suzuki. + + 64-bit interpreter can fast path the case where an object or symbol + is passed to a jtrue or jfalse opcode. This is because these values + are always truthy. + + Also, fix some weird indentation in LowLevelInterpreter.asm. + + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/JSType.h: + +2020-02-24 Caio Lima + + [JSC] 32-bits debug build broken after r257212 + https://bugs.webkit.org/show_bug.cgi?id=208149 + + Reviewed by Yusuke Suzuki. + + Changing `Structure::setCachedPrototypeChain` to use + `m_cachedPrototypeChainOrRareData.setMayBeNull`, since `chain` may be + null. + + * runtime/StructureInlines.h: + (JSC::Structure::setCachedPrototypeChain): + +2020-02-24 Yusuke Suzuki + + Unreviewed, fix watchOS build + https://bugs.webkit.org/show_bug.cgi?id=207827 + + While watchOS does not use FTL at all, it still compiles. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): + (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): + (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + (JSC::FTL::DFG::LowerDFGToB3::loadStructureClassInfo): + (JSC::FTL::DFG::LowerDFGToB3::loadStructureCachedPrototypeChainOrRareData): + +2020-02-24 Yusuke Suzuki + + Unreviewed, build fix for 32bit pointer architectures + https://bugs.webkit.org/show_bug.cgi?id=207827 + + * runtime/Structure.h: + +2020-02-23 Yusuke Suzuki + + [JSC] Shrink Structure + https://bugs.webkit.org/show_bug.cgi?id=207827 + + Reviewed by Saam Barati. + + This patch shrinks sizeof(Structure) from 112 to 96 (16 bytes) in architectures using 64 bit pointers. 
+ Structure is one of the most frequently allocated JSCell in JSC. So it is worth doing + all the sort of bit hacks to make it compact as much as possible. + + 1. Put outOfLineTypeFlags, maxOffset and transitionOffset into highest bits of m_propertyTableUnsafe, + m_cachedPrototypeChain, m_classInfo, and m_transitionPropertyName. Do not use PackedPtr here since + some of them are concurrently accessed by GC. + 2. Put m_inlineCapacity into lower 8 bits of m_propertyHash. + 3. Remove m_lock, and use Structure::cellLock() instead. + 4. Remove m_cachedPrototypeChain clearing from the concurrent collector since it is dead code, it was old code. + We were setting m_cachedPrototypeChain only if Structure is for JSObject. Clearing happened only if it was not + a Structure for JSObject. + 5. Previous Structure is held as StructureID m_previous. And m_previousOrRareData becomes m_cachedPrototypeChainOrRareData. + + Many pairs are using CompactPointerTuple to make code clean. + Combining all of the above techniques saves us 16 bytes. 
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::create): + (JSC::AccessCase::propagateTransitions const): + * bytecode/AccessCase.h: + (JSC::AccessCase::structure const): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCheckSubClass): + (JSC::DFG::SpeculativeJIT::compileObjectKeys): + (JSC::DFG::SpeculativeJIT::compileCreateThis): + (JSC::DFG::SpeculativeJIT::compileCreatePromise): + (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): + (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise): + (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitLoadClassInfoFromStructure): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_create_this): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_create_this): + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::createStructure): + * runtime/ConcurrentJSLock.h: + (JSC::ConcurrentJSLockerBase::ConcurrentJSLockerBase): + (JSC::GCSafeConcurrentJSLockerImpl::GCSafeConcurrentJSLockerImpl): + (JSC::GCSafeConcurrentJSLockerImpl::~GCSafeConcurrentJSLockerImpl): + (JSC::ConcurrentJSLockerImpl::ConcurrentJSLockerImpl): + (JSC::GCSafeConcurrentJSLocker::GCSafeConcurrentJSLocker): Deleted. + (JSC::GCSafeConcurrentJSLocker::~GCSafeConcurrentJSLocker): Deleted. + (JSC::ConcurrentJSLocker::ConcurrentJSLocker): Deleted. 
+ * runtime/JSCell.h: + * runtime/JSObject.cpp: + (JSC::JSObject::deleteProperty): + (JSC::JSObject::shiftButterflyAfterFlattening): + * runtime/JSObject.h: + (JSC::JSObject::getDirectConcurrently const): + * runtime/JSObjectInlines.h: + (JSC::JSObject::prepareToPutDirectWithoutTransition): + * runtime/JSType.cpp: + (WTF::printInternal): + * runtime/JSType.h: + * runtime/Structure.cpp: + (JSC::StructureTransitionTable::contains const): + (JSC::StructureTransitionTable::get const): + (JSC::StructureTransitionTable::add): + (JSC::Structure::dumpStatistics): + (JSC::Structure::Structure): + (JSC::Structure::create): + (JSC::Structure::findStructuresAndMapForMaterialization): + (JSC::Structure::materializePropertyTable): + (JSC::Structure::addPropertyTransitionToExistingStructureImpl): + (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): + (JSC::Structure::addNewPropertyTransition): + (JSC::Structure::removeNewPropertyTransition): + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::takePropertyTableOrCloneIfPinned): + (JSC::Structure::nonPropertyTransitionSlow): + (JSC::Structure::flattenDictionaryStructure): + (JSC::Structure::pin): + (JSC::Structure::pinForCaching): + (JSC::Structure::allocateRareData): + (JSC::Structure::ensurePropertyReplacementWatchpointSet): + (JSC::Structure::copyPropertyTableForPinning): + (JSC::Structure::add): + (JSC::Structure::remove): + (JSC::Structure::visitChildren): + (JSC::Structure::canCachePropertyNameEnumerator const): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::get): + (JSC::Structure::ruleOutUnseenProperty const): + (JSC::Structure::seenProperties const): + (JSC::Structure::addPropertyHashAndSeenProperty): + (JSC::Structure::forEachPropertyConcurrently): + (JSC::Structure::transitivelyTransitionedFrom): + (JSC::Structure::cachedPrototypeChain const): + 
(JSC::Structure::setCachedPrototypeChain): + (JSC::Structure::prototypeChain const): + (JSC::Structure::propertyReplacementWatchpointSet): + (JSC::Structure::checkOffsetConsistency const): + (JSC::Structure::add): + (JSC::Structure::remove): + (JSC::Structure::removePropertyWithoutTransition): + (JSC::Structure::setPropertyTable): + (JSC::Structure::clearPropertyTable): + (JSC::Structure::setOutOfLineTypeFlags): + (JSC::Structure::setInlineCapacity): + (JSC::Structure::setClassInfo): + (JSC::Structure::setPreviousID): + (JSC::Structure::clearPreviousID): + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::createStructure): + (JSC::StructureRareData::create): + (JSC::StructureRareData::StructureRareData): + (JSC::StructureRareData::visitChildren): + * runtime/StructureRareData.h: + * runtime/StructureRareDataInlines.h: + (JSC::StructureRareData::setCachedPrototypeChain): + (JSC::StructureRareData::setPreviousID): Deleted. + (JSC::StructureRareData::clearPreviousID): Deleted. + * tools/JSDollarVM.cpp: + (JSC::JSDollarVMHelper::functionGetStructureTransitionList): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2020-02-20 Mark Lam + + Make support for bytecode caching more robust against file corruption. + https://bugs.webkit.org/show_bug.cgi?id=207972 + + + Reviewed by Yusuke Suzuki. + + If a bytecode cache file is corrupted, we currently will always crash every time + we try to read it (in perpetuity as long as the corrupted cache file continues to + exist on disk). To guard against this, we'll harden the bytecode caching mechanism + as follows: + + 1. Modify the writeCache operation to always write the cache file in a transactional + manner i.e. we'll first write to a .tmp file, and then rename the .tmp file to + the cache file only if the entire file has been written in completeness. + + This ensures that we won't get corrupted cache files due to interrupted writes. + + 2. 
Modify the writeCache operation to also compute a SHA1 hash of the cache file + and append the hash at end of the file. Modify the readCache operation to + first authenticate the SHA1 hash before allowing the cache file to be used. + If the hash does not match, the file is bad, and we'll just delete it. + + This ensures that we won't be crashing while decoding a corrupted cache file. + + Manually tested with the following scenarios and ensuring that the client recovers + with no crashes: + + 1. no cache file on disk. + 2. a 0-sized cache file on a disk. + 3. a truncated cache file on disk. + 4. a corrupted cache file on disk. + 5. an uncorrupted cache file on disk. + + Also added some static_asserts in CachedTypes.cpp to document some invariants that + the pre-existing code is dependent on. + + * API/JSScript.mm: + (-[JSScript readCache]): + (-[JSScript writeCache:]): + * runtime/CachedTypes.cpp: + +2020-02-19 Ross Kirsling + + Computed Properties with increment sometimes produces incorrect results + https://bugs.webkit.org/show_bug.cgi?id=170934 + + Reviewed by Yusuke Suzuki. + + When the key and value of a computed property each have side effects, the eval order should be key-before-value. + Not only have we had this backwards, we've also been giving them both the same target register. + + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitPutConstantProperty): + +2020-02-19 Keith Miller + + Disable Wasm reference types by default + https://bugs.webkit.org/show_bug.cgi?id=207952 + + Reviewed by Mark Lam. + + * runtime/OptionsList.h: + +2020-02-19 Stephan Szabo + + [PlayStation] Get jsc test wrappers using find_package + https://bugs.webkit.org/show_bug.cgi?id=207914 + + Reviewed by Ross Kirsling. + + * shell/PlatformPlayStation.cmake: + +2020-02-18 Keith Miller + + Add an os_log PrintStream + https://bugs.webkit.org/show_bug.cgi?id=207898 + + Reviewed by Mark Lam. + + Add jsc option to write dataLogs to os_log. 
+ + * runtime/Options.cpp: + (JSC::Options::initialize): + * runtime/OptionsList.h: + +2020-02-18 Paulo Matos + + Fix order (in MIPS) under which CS-registers are saved/restored + https://bugs.webkit.org/show_bug.cgi?id=207752 + + Reviewed by Keith Miller. + + This has been causing several segfaults on MIPS with JIT enabled + because during an OSR to baseline, the order in which LLInt was + saving the registers was not in sync with the way baseline was + restoring them. + + * llint/LowLevelInterpreter.asm: + +2020-02-18 Ross Kirsling + + [JSC] Computed function properties compute their keys twice + https://bugs.webkit.org/show_bug.cgi?id=207297 + + Reviewed by Keith Miller. + + If a pseudo-String is used as the key of a computed function property, + any side effects from resolving the string value occur in duplicate. + + The cause has two parts: + - We aren't ensuring that the string value is resolved before doing SetFunctionName and PutByVal. + - Our implementation of SetFunctionName (https://tc39.es/ecma262/#sec-setfunctionname) + calls toString on a non-symbol argument, instead of assuming the type is a string. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::shouldSetFunctionName): Added. + (JSC::BytecodeGenerator::emitSetFunctionName): Added. + (JSC::BytecodeGenerator::emitSetFunctionNameIfNeededImpl): Deleted. + (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded): Deleted. + * bytecompiler/BytecodeGenerator.h: + Split the "if needed" logic out into its own function. + + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitBytecode): + (JSC::PropertyListNode::emitPutConstantProperty): + (JSC::DefineFieldNode::emitBytecode): + Never emit OpSetFunctionName for a name of unknown type. + (But also, don't perform a needless ToPropertyKey for non-function computed property keys.) + + * runtime/JSFunction.cpp: + (JSC::JSFunction::setFunctionName): + Don't call toString, assert isString. 
+
+2020-02-17 Yusuke Suzuki
+
+ [JSC] JITThunk should be HashSet> with appropriate GC weakness handling
+ https://bugs.webkit.org/show_bug.cgi?id=207715
+
+ Reviewed by Darin Adler.
+
+ This patch refines JITThunks GC-aware Weak hash map for NativeExecutable. Previously, we have
+ HashMap, Weak> table.
+ But this is not good because the first tuple's information is already in NativeExecutable.
+ But we were using this design since Weak can be nullified because of Weak<>. If this
+ happens, we could have invalid Entry in HashMap which does not have corresponding values. This will
+ cause crash when rehasing requires hash code for this entry.
+
+ But this HashMap is very bad in terms of memory usage. Each entry has 32 bytes, and this table gets enough
+ large. We identified that this table is consuming much memory in Membuster. So it is worth designing
+ carefully crafted data structure which only holds Weak by leveraging the deep interaction
+ with our GC implementation.
+
+ This patch implements new design of JITThunks, which uses HashSet> and carefully crafted
+ HashTraits / KeyTraits to handle Weak<> well.
+
+ 1. Each Weak should have finalizer, and this finalizer should remove dead Weak from HashSet.
+
+ This is ensuring that all the keys in HashSet is, even if Weak<> is saying it is Dead, it still has an way
+ to access content of NativeExecutable if the content is not a JS objects. For example, we can get function
+ pointer from dead Weak if it is not yet finalized. Since we remove all finalized Weak<>
+ from the table, this finalizer mechanism allows us to access function pointers etc. from Weak
+ so long as it is held in this table.
+
+ 2. Getting NativeExecutable* from JITThunks should have special protocol.
+
+ When getting NativeExecutable* from JITThunks, we do the following,
+
+ 1. First, we check we have an Entry in JITThunks. If it does not exist, we should insert it anyway.
+ 1.1. If it exists, we should check whether this Weak is dead or not. It is possible that
+ dead one is still in the table because "dead" does not mean that it is "finalized". Until finalizing happens (and
+ it can be delayed by incremental-sweeper), Weak can be dead but still accessible. So the table
+ is still holding dead one. If we get dead one, we should insert a new one.
+ 1.2. If it is not dead, we return it.
+ 2. Second, we create a new NativeExecutable and insert it. In that case, it is possible that the table already has Weak,
+ but it is dead. In that case, we need to explicitly replace it with newly created one since old one is holding old content. If we
+ replaced, finalizer of Weak<> will not be invoked since it immediately deallocates Weak<>. So, it does not happen that this newly
+ inserted NativeExecutable* is removed by the finalizer registered by the old Weak<>.
+
+ This change makes memory usage of JITThunks table 1/4.
+
+ * heap/Weak.cpp:
+ (JSC::weakClearSlowCase):
+ * heap/Weak.h:
+ (JSC::Weak::Weak):
+ (JSC::Weak::isHashTableEmptyValue const):
+ (JSC::Weak::unsafeImpl const):
+ (WTF::HashTraits>::isEmptyValue):
+ * heap/WeakInlines.h:
+ (JSC::Weak::Weak):
+ * jit/JITThunks.cpp:
+ (JSC::JITThunks::JITThunks):
+ (JSC::JITThunks::WeakNativeExecutableHash::hash):
+ (JSC::JITThunks::WeakNativeExecutableHash::equal):
+ (JSC::JITThunks::HostKeySearcher::hash):
+ (JSC::JITThunks::HostKeySearcher::equal):
+ (JSC::JITThunks::NativeExecutableTranslator::hash):
+ (JSC::JITThunks::NativeExecutableTranslator::equal):
+ (JSC::JITThunks::NativeExecutableTranslator::translate):
+ (JSC::JITThunks::finalize):
+ (JSC::JITThunks::hostFunctionStub):
+ (JSC::JITThunks::clearHostFunctionStubs): Deleted.
+ * jit/JITThunks.h:
+ * runtime/NativeExecutable.h:
+ * tools/JSDollarVM.cpp:
+ (JSC::functionGCSweepAsynchronously):
+ (JSC::functionCreateEmptyFunctionWithName):
+ (JSC::JSDollarVM::finishCreation):
+
+2020-02-17 Tadeu Zagallo
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ When generating the call IC, we should select the callee saves using BoundsChecking mode in order
+ to obey to the calling conventions described in r256665. Currently, we won't restore the memory size
+ register when calling the Wasm LLInt through the call IC.
+
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::calleeSaves const):
+
+2020-02-17 Per Arne Vollan
+
+ Mach lookup to com.apple.webinspector should not be allowed in WebKit's WebContent process
+ https://bugs.webkit.org/show_bug.cgi?id=203214
+
+ Reviewed by Brent Fulgham.
+
+ Add static flag in RemoteInspector to indicate whether a sandbox extension is needed. The remote inspector will only be
+ started if the sandbox extension is not needed. Only the WebContent process will need a sandbox extension, since this
+ patch removes mach access to 'com.apple.webinspector' for this process. Also add name and domain for the
+ 'Enable Remote Inspector' setting, since this will be used in the UI process.
+
+ * inspector/remote/RemoteInspector.cpp:
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/RemoteInspectorConstants.h:
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::singleton):
+
+2020-02-16 Fujii Hironori
+
+ Remove remaining WTF_EXPORT and WTF_IMPORT by replacing them with WTF_EXPORT_DECLARATION and WTF_IMPORT_DECLARATION
+ https://bugs.webkit.org/show_bug.cgi?id=207746
+
+ Reviewed by Don Olmstead.
+
+ * runtime/JSExportMacros.h:
+
+2020-02-16 Paulo Matos
+
+ Remove nonArgGPR1 for ARMv7 and ARM64 (unused)
+ https://bugs.webkit.org/show_bug.cgi?id=207753
+
+ Reviewed by Darin Adler.
+
+ Cleanup commit - nonArgGPR1 is unused for both ARMv7
+ and ARM64.
+
+ * jit/GPRInfo.h:
+
+2020-02-14 Tadeu Zagallo and Michael Saboff
+
+ [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
+ https://bugs.webkit.org/show_bug.cgi?id=207727
+
+ Reviewed by Mark Lam.
+
+ The Wasm JIT has unusual calling conventions, which were further complicated by the addition
+ of the interpreter, and the interpreter did not correctly follow these conventions (by incorrectly
+ saving and restoring the callee save registers used for the memory base and size). Here's a summary
+ of the calling convention:
+
+ - When entering Wasm from JS, the wrapper must:
+ - Preserve the base and size when entering LLInt regardless of the mode. (Prior to this
+ patch we only preserved the base in Signaling mode)
+ - Preserve the memory base in either mode, and the size for BoundsChecking.
+ - Both tiers must preserve every *other* register they use. e.g. the LLInt must preserve PB
+ and wasmInstance, but must *not* preserve memoryBase and memorySize.
+ - Changes to memoryBase and memorySize are visible to the caller. This means that:
+ - Intra-module calls can assume these registers are up-to-date even if the memory was
+ resized. The only exception here is if the LLInt calls a signaling JIT, in which case
+ the JIT will not update the size register, since it won't be using it.
+ - Inter-module and JS calls require the caller to reload these registers. These calls may
+ result in memory changes (e.g. the callee may call memory.grow).
+ - A Signaling JIT caller must be aware that the LLInt may trash the size register, since
+ it always bounds checks.
+
+ * llint/WebAssembly.asm:
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::addCall):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::addCall):
+ * wasm/WasmCallee.cpp:
+ (JSC::Wasm::LLIntCallee::calleeSaveRegisters):
+ * wasm/WasmCallingConvention.h:
+ * wasm/WasmLLIntPlan.cpp:
+ (JSC::Wasm::LLIntPlan::didCompleteCompilation):
+ * wasm/WasmMemoryInformation.cpp:
+ (JSC::Wasm::PinnedRegisterInfo::get):
+ (JSC::Wasm::getPinnedRegisters): Deleted.
+
+2020-02-13 Stephan Szabo
+
+ [PlayStation] Make special udis86 C file handling only happen for Visual Studio
+ https://bugs.webkit.org/show_bug.cgi?id=207729
+
+ Reviewed by Don Olmstead.
+
+ * PlatformPlayStation.cmake:
+
+2020-02-13 Caio Lima
+
+ [ESNext][BigInt] We don't support BigInt literal as PropertyName
+ https://bugs.webkit.org/show_bug.cgi?id=206888
+
+ Reviewed by Ross Kirsling.
+
+ According to spec (https://tc39.es/ecma262/#prod-PropertyName),
+ BigInt literals are valid property names. Given that, we should not
+ throw a SyntaxError when using BigInt literals on destructuring
+ pattern, method declaration, object literals, etc.
+ This patch is adding BigInt literal as a valid syntax to PropertyName.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseDestructuringPattern):
+ (JSC::Parser::parseClass):
+ (JSC::Parser::parseInstanceFieldInitializerSourceElements):
+ (JSC::Parser::parseProperty):
+ (JSC::Parser::parseGetterSetter):
+ * parser/ParserArena.cpp:
+ (JSC::IdentifierArena::makeBigIntDecimalIdentifier):
+ * parser/ParserArena.h:
+
+2020-02-12 Mark Lam
+
+ Add options for debugging WASM code.
+ https://bugs.webkit.org/show_bug.cgi?id=207677
+
+
+ Reviewed by Yusuke Suzuki.
+
+ Specifically ...
+
+ JSC_useBBQJIT - allows the BBQ JIT to be used if true
+ JSC_useOMGJIT - allows the OMG JIT to be used if true
+ JSC_useWasmLLIntPrologueOSR - allows prologue OSR from Wasm LLInt if true
+ JSC_useWasmLLIntLoopOSR - allows loop OSR from Wasm LLInt if true
+ JSC_useWasmLLIntEpilogueOSR - allows epilogue OSR from Wasm LLInt if true
+ JSC_wasmFunctionIndexRangeToCompile=N:M - wasm function index range to allow compilation on, e.g. 1:100
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/Options.cpp:
+ (JSC::Options::ensureOptionsAreCoherent):
+ * runtime/OptionsList.h:
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::BBQPlan):
+ * wasm/WasmOMGForOSREntryPlan.cpp:
+ (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::OMGPlan):
+ * wasm/WasmOperations.cpp:
+ (JSC::Wasm::shouldJIT):
+ (JSC::Wasm::operationWasmTriggerOSREntryNow):
+ (JSC::Wasm::operationWasmTriggerTierUpNow):
+ * wasm/WasmSlowPaths.cpp:
+ (JSC::LLInt::shouldJIT):
+ (JSC::LLInt::WASM_SLOW_PATH_DECL):
+
+2020-02-12 Yusuke Suzuki
+
+ [JSC] Compact JITCodeMap by storing BytecodeIndex and CodeLocation separately
+ https://bugs.webkit.org/show_bug.cgi?id=207673
+
+ Reviewed by Mark Lam.
+
+ While BytecodeIndex is 4 bytes, CodeLocation is 8 bytes. So the tuple of them "JITCodeMap::Entry"
+ becomes 16 bytes because it adds 4 bytes padding. We should store BytecodeIndex and CodeLocation separately
+ to avoid this padding.
+
+ This patch introduces JITCodeMapBuilder. We use this to build JITCodeMap data structure as a immutable final result.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::link):
+ * jit/JITCodeMap.h:
+ (JSC::JITCodeMap::JITCodeMap):
+ (JSC::JITCodeMap::find const):
+ (JSC::JITCodeMap::operator bool const):
+ (JSC::JITCodeMap::codeLocations const):
+ (JSC::JITCodeMap::indexes const):
+ (JSC::JITCodeMapBuilder::append):
+ (JSC::JITCodeMapBuilder::finalize):
+ (JSC::JITCodeMap::Entry::Entry): Deleted.
+ (JSC::JITCodeMap::Entry::bytecodeIndex const): Deleted.
+ (JSC::JITCodeMap::Entry::codeLocation): Deleted.
+ (JSC::JITCodeMap::append): Deleted.
+ (JSC::JITCodeMap::finish): Deleted.
+
+2020-02-12 Pavel Feldman
+
+ Web Inspector: encode binary web socket frames using base64
+ https://bugs.webkit.org/show_bug.cgi?id=207448
+
+ Previous representation of binary frames is lossy using fromUTF8WithLatin1Fallback,
+ this patch consistently encodes binary data using base64.
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/protocol/Network.json:
+
+2020-02-12 Simon Fraser
+
+ Remove CSS_DEVICE_ADAPTATION
+ https://bugs.webkit.org/show_bug.cgi?id=203479
+
+ Reviewed by Tim Horton.
+
+ CSS Working Group resolved to remove @viewport ,
+ so remove the code.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2020-02-12 Yusuke Suzuki
+
+ [JSC] Compact StructureTransitionTable
+ https://bugs.webkit.org/show_bug.cgi?id=207616
+
+ Reviewed by Mark Lam.
+
+ Some of StructureTransitionTable are shown as very large HashMap and we can compact it by encoding key.
+ We leverage 48bit pointers and 8byte alignment of UniquedStringImpl* to encode other parameters into it.
+
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::contains const):
+ (JSC::StructureTransitionTable::get const):
+ (JSC::StructureTransitionTable::add):
+ * runtime/Structure.h:
+ * runtime/StructureTransitionTable.h:
+ (JSC::StructureTransitionTable::Hash::Key::Key):
+ (JSC::StructureTransitionTable::Hash::Key::isHashTableDeletedValue const):
+ (JSC::StructureTransitionTable::Hash::Key::impl const):
+ (JSC::StructureTransitionTable::Hash::Key::isAddition const):
+ (JSC::StructureTransitionTable::Hash::Key::attributes const):
+ (JSC::StructureTransitionTable::Hash::Key::operator==):
+ (JSC::StructureTransitionTable::Hash::Key::operator!=):
+ (JSC::StructureTransitionTable::Hash::hash):
+ (JSC::StructureTransitionTable::Hash::equal):
+
+2020-02-12 Yusuke Suzuki
+
+ [JSC] Make RegExpCache small
+ https://bugs.webkit.org/show_bug.cgi?id=207619
+
+ Reviewed by Mark Lam.
+
+ We can compact RegExpKey by using PackedRefPtr, so that we can shrink memory consumption of RegExpCache.
+
+ * runtime/RegExpKey.h:
+
+2020-02-10 Mark Lam
+
+ Placate exception check validator in GenericArguments::put().
+ https://bugs.webkit.org/show_bug.cgi?id=207485
+
+
+ Reviewed by Robin Morisset.
+
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::put):
+
+2020-02-10 Mark Lam
+
+ Missing exception check in GenericArguments::deletePropertyByIndex().
+ https://bugs.webkit.org/show_bug.cgi?id=207483
+
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::deletePropertyByIndex):
+
+2020-02-10 Truitt Savell
+
+ Unreviewed, rolling out r256091.
+
+ Broke internal builds
+
+ Reverted changeset:
+
+ "Move trivial definitions from FeatureDefines.xcconfig to
+ PlatformEnableCocoa.h"
+ https://bugs.webkit.org/show_bug.cgi?id=207155
+ https://trac.webkit.org/changeset/256091
+
+2020-02-10 Truitt Savell
+
+ Unreviewed, rolling out r256103.
+
+ This patch is blocking the rollout of r256091
+
+ Reverted changeset:
+
+ "Move JavaScriptCore related feature defines from
+ FeatureDefines.xcconfig to PlatformEnableCocoa.h"
+ https://bugs.webkit.org/show_bug.cgi?id=207436
+ https://trac.webkit.org/changeset/256103
+
+2020-02-09 Keith Rollin
+
+ Re-enable LTO for ARM builds
+ https://bugs.webkit.org/show_bug.cgi?id=207402
+
+
+ Reviewed by Sam Weinig.
+
+ Bug 190758 re-enabled LTO for Production builds for x86-family CPUs.
+ Enabling it for ARM was left out due to a compiler issue. That issue
+ has been fixed, and so now we can re-enable LTO for ARM.
+
+ * Configurations/Base.xcconfig:
+
+2020-02-08 Sam Weinig
+
+ Move JavaScriptCore related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h
+ https://bugs.webkit.org/show_bug.cgi?id=207436
+
+ Reviewed by Tim Horton.
+
+ * Configurations/FeatureDefines.xcconfig:
+ Remove ENABLE_FAST_JIT_PERMISSIONS and ENABLE_FTL_JIT.
+
+2020-02-08 Sam Weinig
+
+ Move trivial definitions from FeatureDefines.xcconfig to PlatformEnableCocoa.h
+ https://bugs.webkit.org/show_bug.cgi?id=207155
+
+ Reviewed by Tim Horton.
+
+ Move all trivial definitions (just ENABLE_FOO = ENABLE_FOO; or ENABLE_BAR = ;)
+ from the FeatureDefines.xcconfigs to PlatformEnableCocoa.h, ensuring each one
+ also has a default value in PlatformEnable.h
+
+ To support the move, DerivedSources.make has been updated to generate the list
+ of ENABLE_* features by directly from preprocessing Platform.h, rather than
+ just getting the partial list from the xcconfig file.
+
+ * Configurations/FeatureDefines.xcconfig:
+ * DerivedSources.make:
+
+2020-02-07 Robin Morisset
+
+ Throw OutOfMemory exception instead of crashing if DirectArguments/ScopedArguments can't be created
+ https://bugs.webkit.org/show_bug.cgi?id=207423
+
+ Reviewed by Mark Lam.
+
+ AllocationFailureMode::Assert is problematic because fuzzers keep producing spurious error reports when they generate code that tries allocating infinite amount of memory.
+ The right approach is to use AllocationFailureMode::ReturnNull, and throw a JS exception upon receiving null.
+
+ In this patch I fixed two functions that were using AllocationFailureMode::Assert:
+ DirectArguments::DirectArguments::overrideThings
+ GenericArguments::initModifiedArgumentsDescriptor
+
+ No test added, because the only test we have is highly non-deterministic/flaky (only triggers about 10 to 20% of the time even before the fix).
+
+ * runtime/DirectArguments.h:
+ * runtime/GenericArguments.h:
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::deletePropertyByIndex):
+ (JSC::GenericArguments::defineOwnProperty):
+ (JSC::GenericArguments::initModifiedArgumentsDescriptor):
+ (JSC::GenericArguments::initModifiedArgumentsDescriptorIfNecessary):
+ (JSC::GenericArguments::setModifiedArgumentDescriptor):
+ * runtime/ScopedArguments.h:
+
+2020-02-07 Ryan Haddad
+
+ Unreviewed, rolling out r256051.
+
+ Broke internal builds.
+
+ Reverted changeset:
+
+ "Move trivial definitions from FeatureDefines.xcconfig to
+ PlatformEnableCocoa.h"
+ https://bugs.webkit.org/show_bug.cgi?id=207155
+ https://trac.webkit.org/changeset/256051
+
+2020-02-07 Sam Weinig
+
+ Move trivial definitions from FeatureDefines.xcconfig to PlatformEnableCocoa.h
+ https://bugs.webkit.org/show_bug.cgi?id=207155
+
+ Reviewed by Tim Horton.
+
+ Move all trivial definitions (just ENABLE_FOO = ENABLE_FOO; or ENABLE_BAR = ;)
+ from the FeatureDefines.xcconfigs to PlatformEnableCocoa.h, ensuring each one
+ also has a default value in PlatformEnable.h
+
+ To support the move, DerivedSources.make has been updated to generate the list
+ of ENABLE_* features by directly from preprocessing Platform.h, rather than
+ just getting the partial list from the xcconfig file.
+
+ * Configurations/FeatureDefines.xcconfig:
+ * DerivedSources.make:
+
+2020-02-07 Yusuke Suzuki
+
+ [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures
+ https://bugs.webkit.org/show_bug.cgi?id=207356
+
+ Reviewed by Mark Lam.
+
+ Only 32bit architectures are using m_constantRegisters's address. 64bit architectures are not relying on m_constantRegisters's address.
+ This patches fixes the thing so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation
+ regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd
+ since they can add more constant registers.
+
+ Relanding it by fixing dead-lock.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::shrinkToFit):
+ * bytecode/CodeBlock.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGJITFinalizer.cpp:
+ (JSC::DFG::JITFinalizer::finalizeCommon):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
+ * jit/JIT.cpp:
+ (JSC::JIT::link):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoadDouble):
+ (JSC::JIT::emitLoadInt32ToDouble): Deleted.
+
+2020-02-06 Robin Morisset
+
+ Most of B3 and Air does not need to include CCallHelpers.h
+ https://bugs.webkit.org/show_bug.cgi?id=206975
+
+ Reviewed by Mark Lam.
+
+ They only do to use CCallHelpers::Jump or CCallHelpers::Label.
+ But CCallHelpers inherit those from MacroAssembler. And MacroAssembler.h is dramatically cheaper to include (since CCallHelpers includes AssemblyHelpers which includes CodeBlock.h which includes roughly the entire runtime).
+
+ * b3/B3CheckSpecial.cpp:
+ * b3/B3CheckSpecial.h:
+ * b3/B3LowerMacros.cpp:
+ * b3/B3PatchpointSpecial.cpp:
+ (JSC::B3::PatchpointSpecial::generate):
+ * b3/B3PatchpointSpecial.h:
+ * b3/B3StackmapGenerationParams.cpp:
+ (JSC::B3::StackmapGenerationParams::successorLabels const):
+ * b3/B3StackmapGenerationParams.h:
+ * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
+ * b3/air/AirCCallSpecial.cpp:
+ * b3/air/AirCCallSpecial.h:
+ * b3/air/AirCode.cpp:
+ * b3/air/AirCode.h:
+ (JSC::B3::Air::Code::entrypointLabel const):
+ * b3/air/AirCustom.cpp:
+ (JSC::B3::Air::CCallCustom::generate):
+ (JSC::B3::Air::ShuffleCustom::generate):
+ (JSC::B3::Air::WasmBoundsCheckCustom::generate):
+ * b3/air/AirCustom.h:
+ (JSC::B3::Air::PatchCustom::generate):
+ (JSC::B3::Air::EntrySwitchCustom::generate):
+ * b3/air/AirDisassembler.cpp:
+ (JSC::B3::Air::Disassembler::addInst):
+ * b3/air/AirDisassembler.h:
+ * b3/air/AirGenerationContext.h:
+ * b3/air/AirInst.h:
+ * b3/air/AirPrintSpecial.cpp:
+ (JSC::B3::Air::PrintSpecial::generate):
+ * b3/air/AirPrintSpecial.h:
+ * b3/air/AirSpecial.h:
+ * b3/air/AirValidate.cpp:
+ * b3/air/opcode_generator.rb:
+
+2020-02-06 Commit Queue
+
+ Unreviewed, rolling out r255987.
+ https://bugs.webkit.org/show_bug.cgi?id=207369
+
+ JSTests failures (Requested by yusukesuzuki on #webkit).
+
+ Reverted changeset:
+
+ "[JSC] CodeBlock::shrinkToFit should shrink
+ m_constantRegisters and m_constantsSourceCodeRepresentation in
+ 64bit architectures"
+ https://bugs.webkit.org/show_bug.cgi?id=207356
+ https://trac.webkit.org/changeset/255987
+
+2020-02-06 Yusuke Suzuki
+
+ [JSC] CodeBlock::shrinkToFit should shrink m_constantRegisters and m_constantsSourceCodeRepresentation in 64bit architectures
+ https://bugs.webkit.org/show_bug.cgi?id=207356
+
+ Reviewed by Mark Lam.
+
+ Only 32bit architectures are using m_constantRegisters's address. 64bit architectures are not relying on m_constantRegisters's address.
+ This patches fixes the thing so that CodeBlock::shrinkToFit will shrink m_constantRegisters and m_constantsSourceCodeRepresentation
+ regardless of whether this is EarlyShrink or not. We also move DFG/FTL's LateShrink call to the place after calling DFGCommon reallyAdd
+ since they can add more constant registers.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::shrinkToFit):
+ * bytecode/CodeBlock.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGJITFinalizer.cpp:
+ (JSC::DFG::JITFinalizer::finalizeCommon):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
+ * jit/JIT.cpp:
+ (JSC::JIT::link):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoadDouble):
+ (JSC::JIT::emitLoadInt32ToDouble): Deleted.
+
+2020-02-05 Don Olmstead
+
+ [PlayStation] Build a shared JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=198446
+
+ Reviewed by Fujii Hironori.
+
+ Add TARGET_OBJECTS for bmalloc and WTF so JavaScriptCore links. Add bmalloc and
+ WTF compile definitions so exports are exposed.
+
+ * PlatformPlayStation.cmake:
+
+2020-02-05 Justin Michaud
+
+ Deleting a property should not turn structures into uncacheable dictionaries
+ https://bugs.webkit.org/show_bug.cgi?id=206430
+
+ Reviewed by Yusuke Suzuki.
+
+ Right now, deleteProperty/removePropertyTransition causes a structure transition to uncacheable dictionary. Instead, we should allow it to transition to a new regular structure like adding a property does. This means that we have to:
+
+ 1) Break the assumption that structure transition offsets increase monotonically
+
+ We add a new flag to tell that a structure has deleted its property, and update materializePropertyTable to use it.
+
+ 2) Add a new transition map and transition kind for deletes
+
+ We cache the delete transition. We will not transition back to a previous structure if you add then immediately remove a property.
+
+ 3) Find some heuristic for when we should actually transition to uncacheable dictionary.
+
+ Since deleting properties is expected to be rare, we just walk the structure list and count its size on removal.
+
+ This patch also fixes a related bug in addProperty, where we did not use a GCSafeConcurrentJSLocker, and adds an option to trigger the bug. Finally, we add some helper methods to dollarVM to test.
+
+ This gives a 24x speedup on delete-property-keeps-cacheable-structure.js, and is neutral on delete-property-from-prototype-chain.js (which was already generating code using the inline cache).
+
+ * heap/HeapInlines.h:
+ (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::deleteProperty):
+ * runtime/OptionsList.h:
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::get):
+ (JSC::PropertyTable::add):
+ (JSC::PropertyTable::addDeletedOffset):
+ (JSC::PropertyTable::reinsert):
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::contains const):
+ (JSC::StructureTransitionTable::get const):
+ (JSC::StructureTransitionTable::add):
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyTable):
+ (JSC::Structure::addNewPropertyTransition):
+ (JSC::Structure::removePropertyTransition):
+ (JSC::Structure::removePropertyTransitionFromExistingStructure):
+ (JSC::Structure::removeNewPropertyTransition):
+ (JSC::Structure::toUncacheableDictionaryTransition):
+ (JSC::Structure::remove):
+ (JSC::Structure::visitChildren):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::forEachPropertyConcurrently):
+ (JSC::Structure::add):
+ (JSC::Structure::remove):
+ (JSC::Structure::removePropertyWithoutTransition):
+ * runtime/StructureTransitionTable.h:
+ (JSC::StructureTransitionTable::Hash::hash):
+ * tools/JSDollarVM.cpp:
+ (JSC::JSDollarVMHelper::functionGetStructureTransitionList):
+ (JSC::functionGetConcurrently):
+ (JSC::JSDollarVM::finishCreation):
+
+2020-02-05 Devin Rousso
+
+ Web Inspector: Sources: add a special breakpoint for controlling whether `debugger` statements pause
+ https://bugs.webkit.org/show_bug.cgi?id=206818
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/protocol/Debugger.json:
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::setPauseOnDebuggerStatements): Added.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::DebuggerStatementNode::emitBytecode):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::dumpLineColumnEntry):
+ * interpreter/Interpreter.h:
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::debug):
+ (WTF::printInternal):
+ * debugger/Debugger.h:
+ (JSC::Debugger::setPauseOnDebuggerStatements): Added.
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::didReachDebuggerStatement): Added.
+ (JSC::Debugger::didReachBreakpoint): Deleted.
+ Replace `DebugHookType::DidReachBreakpoint` with `DebugHookType::DidReachDebuggerStatement`,
+ as it is only actually used for `debugger;` statements, not breakpoints.
+
+2020-02-04 Yusuke Suzuki
+
+ [JSC] Structure::setMaxOffset and setTransitionOffset are racy
+ https://bugs.webkit.org/show_bug.cgi?id=207249
+
+ Reviewed by Mark Lam.
+
+ We hit crash in JSTests/stress/array-slice-osr-exit-2.js. The situation is following.
+
+ 1. The mutator thread (A) is working.
+ 2. The concurrent collector (B) is working.
+ 3. A attempts to set m_maxOffset in StructureRareData by allocating it. First, A sets Structure::m_maxOffset to useRareDataFlag.
+ 3. B is in JSObject::visitButterflyImpl, and executing Structure::maxOffset().
+ 4. B detects that m_maxOffset is useRareDataFlag.
+ 5. B attempts to load rareData, but this is not a StructureRareData since A is just now setting up StructureRareData.
+ 6. B crashes.
+
+ Set useRareDataFlag after StructureRareData is set. Ensuring this store-order by using storeStoreFence.
+
+ * runtime/Structure.h:
+
+2020-02-04 Adrian Perez de Castro
+
+ Non-unified build fixes early February 2020 edition
+ https://bugs.webkit.org/show_bug.cgi?id=207227
+
+ Reviewed by Don Olmstead.
+
+ * bytecode/PolyProtoAccessChain.h: Add missing inclusions of StructureIDTable.h and VM.h
+
+2020-02-04 Alex Christensen
+
+ Fix Mac CMake build
+ https://bugs.webkit.org/show_bug.cgi?id=207231
+
+ * PlatformMac.cmake:
+
+2020-02-04 Yusuke Suzuki
+
+ [JSC] Use PackedRefPtr in UnlinkedCodeBlock
+ https://bugs.webkit.org/show_bug.cgi?id=207229
+
+ Reviewed by Mark Lam.
+
+ Use PackedRefPtr in UnlinkedCodeBlock to compact it from 168 to 160, which saves 16 bytes (10%) per UnlinkedCodeBlock since
+ we have 16 bytes alignment for GC cells.
+
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::sourceURLDirective const):
+ (JSC::UnlinkedCodeBlock::sourceMappingURLDirective const):
+ (JSC::UnlinkedCodeBlock::setSourceURLDirective):
+ (JSC::UnlinkedCodeBlock::setSourceMappingURLDirective):
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedCodeBlock::sourceURLDirective const):
+ (JSC::CachedCodeBlock::sourceMappingURLDirective const):
+ (JSC::CachedCodeBlock::encode):
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
+
+2020-02-04 Alexey Shvayka
+
+ Quantifiers after lookahead assertions should be syntax errors in Unicode patterns only
+ https://bugs.webkit.org/show_bug.cgi?id=206988
+
+ Reviewed by Darin Adler and Ross Kirsling.
+
+ This change adds SyntaxError for quantifiable assertions in Unicode patterns,
+ aligning JSC with V8 and SpiderMonkey.
+
+ Grammar: https://tc39.es/ecma262/#prod-annexB-Term
+ (/u flag precludes the use of QuantifiableAssertion)
+
+ Return value of parseParenthesesEnd() now matches with parseEscape() and
+ parseAtomEscape().
+
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::parseParenthesesBegin):
+ (JSC::Yarr::Parser::parseParenthesesEnd):
+ (JSC::Yarr::Parser::parseTokens):
+
+2020-02-04 Yusuke Suzuki
+
+ [JSC] Introduce UnlinkedCodeBlockGenerator and reduce sizeof(UnlinkedCodeBlock)
+ https://bugs.webkit.org/show_bug.cgi?id=207087
+
+ Reviewed by Tadeu Zagallo.
+
+ While UnlinkedCodeBlock is immutable once it is created from BytecodeGenerator, it has many mutable Vectors.
+ This is because we are using UnlinkedCodeBlock as a builder of UnlinkedCodeBlock itself too in BytecodeGenerator.
+ Since Vector takes 16 bytes to allow efficient expansions, it is nice if we can use RefCountedArray instead when
+ we know this Vector is immutable.
+
+ In this patch, we introduce UnlinkedCodeBlockGenerator wrapper. BytecodeGenerator, BytecodeRewriter, BytecodeDumper,
+ and BytecodeGeneratorification interact with UnlinkedCodeBlockGenerator instead of UnlinkedCodeBlock. And UnlinkedCodeBlockGenerator
+ will generate the finalized UnlinkedCodeBlock. This design allows us to use RefCountedArray for data in UnlinkedCodeBlock,
+ which is (1) smaller and (2) doing shrinkToFit operation when creating it from Vector.
+
+ This patch reduces sizeof(UnlinkedCodeBlock) from 256 to 168, 88 bytes reduction.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/BytecodeBasicBlock.cpp:
+ (JSC::BytecodeBasicBlock::compute):
+ * bytecode/BytecodeBasicBlock.h:
+ * bytecode/BytecodeDumper.cpp:
+ * bytecode/BytecodeGeneratorification.cpp:
+ (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
+ (JSC::GeneratorLivenessAnalysis::run):
+ (JSC::BytecodeGeneratorification::run):
+ (JSC::performGeneratorification):
+ * bytecode/BytecodeGeneratorification.h:
+ * bytecode/BytecodeRewriter.h:
+ (JSC::BytecodeRewriter::BytecodeRewriter):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::setConstantIdentifierSetRegisters):
+ (JSC::CodeBlock::setConstantRegisters):
+ (JSC::CodeBlock::handlerForIndex):
+ (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::numberOfSwitchJumpTables const):
+ (JSC::CodeBlock::numberOfStringSwitchJumpTables const):
+ (JSC::CodeBlock::addSwitchJumpTable): Deleted.
+ (JSC::CodeBlock::addStringSwitchJumpTable): Deleted.
+ * bytecode/HandlerInfo.h:
+ (JSC::HandlerInfoBase::handlerForIndex):
+ * bytecode/JumpTable.h:
+ (JSC::SimpleJumpTable::add): Deleted.
+ * bytecode/PreciseJumpTargets.cpp:
+ (JSC::computePreciseJumpTargets):
+ (JSC::recomputePreciseJumpTargets):
+ (JSC::findJumpTargetsForInstruction):
+ * bytecode/PreciseJumpTargets.h:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ (JSC::UnlinkedCodeBlock::visitChildren):
+ (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
+ (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex const):
+ (JSC::UnlinkedCodeBlock::handlerForIndex):
+ (JSC::UnlinkedCodeBlock::addExpressionInfo): Deleted.
+ (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo): Deleted.
+ (JSC::UnlinkedCodeBlock::setInstructions): Deleted.
+ (JSC::UnlinkedCodeBlock::applyModification): Deleted.
+ (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
+ (JSC::UnlinkedCodeBlock::addOutOfLineJumpTarget): Deleted.
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::expressionInfo):
+ (JSC::UnlinkedCodeBlock::setNumParameters):
+ (JSC::UnlinkedCodeBlock::numberOfIdentifiers const):
+ (JSC::UnlinkedCodeBlock::identifiers const):
+ (JSC::UnlinkedCodeBlock::bitVector):
+ (JSC::UnlinkedCodeBlock::constantRegisters):
+ (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
+ (JSC::UnlinkedCodeBlock::constantIdentifierSets):
+ (JSC::UnlinkedCodeBlock::numberOfJumpTargets const):
+ (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables const):
+ (JSC::UnlinkedCodeBlock::numberOfStringSwitchJumpTables const):
+ (JSC::UnlinkedCodeBlock::numberOfFunctionDecls):
+ (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers const):
+ (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
+ (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
+ (JSC::UnlinkedCodeBlock::addParameter): Deleted.
+ (JSC::UnlinkedCodeBlock::addIdentifier): Deleted.
+ (JSC::UnlinkedCodeBlock::addBitVector): Deleted.
+ (JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
+ (JSC::UnlinkedCodeBlock::addConstant): Deleted.
+ (JSC::UnlinkedCodeBlock::addJumpTarget): Deleted.
+ (JSC::UnlinkedCodeBlock::addSwitchJumpTable): Deleted.
+ (JSC::UnlinkedCodeBlock::addStringSwitchJumpTable): Deleted.
+ (JSC::UnlinkedCodeBlock::addFunctionDecl): Deleted.
+ (JSC::UnlinkedCodeBlock::addFunctionExpr): Deleted.
+ (JSC::UnlinkedCodeBlock::addExceptionHandler): Deleted.
+ (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): Deleted.
+ (JSC::UnlinkedCodeBlock::replaceOutOfLineJumpTargets): Deleted.
+ * bytecode/UnlinkedCodeBlockGenerator.cpp: Added.
+ (JSC::UnlinkedCodeBlockGenerator::getLineAndColumn const): + (JSC::UnlinkedCodeBlockGenerator::addExpressionInfo): + (JSC::UnlinkedCodeBlockGenerator::addTypeProfilerExpressionInfo): + (JSC::UnlinkedCodeBlockGenerator::finalize): + (JSC::UnlinkedCodeBlockGenerator::handlerForBytecodeIndex): + (JSC::UnlinkedCodeBlockGenerator::handlerForIndex): + (JSC::UnlinkedCodeBlockGenerator::applyModification): + (JSC::UnlinkedCodeBlockGenerator::addOutOfLineJumpTarget): + (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset): + (JSC::UnlinkedCodeBlockGenerator::dump const): + * bytecode/UnlinkedCodeBlockGenerator.h: Added. + (JSC::UnlinkedCodeBlockGenerator::UnlinkedCodeBlockGenerator): + (JSC::UnlinkedCodeBlockGenerator::vm): + (JSC::UnlinkedCodeBlockGenerator::isConstructor const): + (JSC::UnlinkedCodeBlockGenerator::constructorKind const): + (JSC::UnlinkedCodeBlockGenerator::superBinding const): + (JSC::UnlinkedCodeBlockGenerator::scriptMode const): + (JSC::UnlinkedCodeBlockGenerator::needsClassFieldInitializer const): + (JSC::UnlinkedCodeBlockGenerator::isStrictMode const): + (JSC::UnlinkedCodeBlockGenerator::usesEval const): + (JSC::UnlinkedCodeBlockGenerator::parseMode const): + (JSC::UnlinkedCodeBlockGenerator::isArrowFunction): + (JSC::UnlinkedCodeBlockGenerator::derivedContextType const): + (JSC::UnlinkedCodeBlockGenerator::evalContextType const): + (JSC::UnlinkedCodeBlockGenerator::isArrowFunctionContext const): + (JSC::UnlinkedCodeBlockGenerator::isClassContext const): + (JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const): + (JSC::UnlinkedCodeBlockGenerator::numVars const): + (JSC::UnlinkedCodeBlockGenerator::numParameters const): + (JSC::UnlinkedCodeBlockGenerator::thisRegister const): + (JSC::UnlinkedCodeBlockGenerator::scopeRegister const): + (JSC::UnlinkedCodeBlockGenerator::wasCompiledWithDebuggingOpcodes const): + (JSC::UnlinkedCodeBlockGenerator::hasCheckpoints const): + (JSC::UnlinkedCodeBlockGenerator::hasTailCalls const): + 
(JSC::UnlinkedCodeBlockGenerator::setHasCheckpoints): + (JSC::UnlinkedCodeBlockGenerator::setHasTailCalls): + (JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals): + (JSC::UnlinkedCodeBlockGenerator::setNumVars): + (JSC::UnlinkedCodeBlockGenerator::setThisRegister): + (JSC::UnlinkedCodeBlockGenerator::setScopeRegister): + (JSC::UnlinkedCodeBlockGenerator::setNumParameters): + (JSC::UnlinkedCodeBlockGenerator::metadata): + (JSC::UnlinkedCodeBlockGenerator::addOpProfileControlFlowBytecodeOffset): + (JSC::UnlinkedCodeBlockGenerator::numberOfJumpTargets const): + (JSC::UnlinkedCodeBlockGenerator::addJumpTarget): + (JSC::UnlinkedCodeBlockGenerator::jumpTarget const): + (JSC::UnlinkedCodeBlockGenerator::lastJumpTarget const): + (JSC::UnlinkedCodeBlockGenerator::numberOfSwitchJumpTables const): + (JSC::UnlinkedCodeBlockGenerator::addSwitchJumpTable): + (JSC::UnlinkedCodeBlockGenerator::switchJumpTable): + (JSC::UnlinkedCodeBlockGenerator::numberOfStringSwitchJumpTables const): + (JSC::UnlinkedCodeBlockGenerator::addStringSwitchJumpTable): + (JSC::UnlinkedCodeBlockGenerator::stringSwitchJumpTable): + (JSC::UnlinkedCodeBlockGenerator::numberOfExceptionHandlers const): + (JSC::UnlinkedCodeBlockGenerator::exceptionHandler): + (JSC::UnlinkedCodeBlockGenerator::addExceptionHandler): + (JSC::UnlinkedCodeBlockGenerator::bitVector): + (JSC::UnlinkedCodeBlockGenerator::addBitVector): + (JSC::UnlinkedCodeBlockGenerator::numberOfConstantIdentifierSets const): + (JSC::UnlinkedCodeBlockGenerator::constantIdentifierSets): + (JSC::UnlinkedCodeBlockGenerator::addSetConstant): + (JSC::UnlinkedCodeBlockGenerator::constantRegister const): + (JSC::UnlinkedCodeBlockGenerator::constantRegisters): + (JSC::UnlinkedCodeBlockGenerator::getConstant const): + (JSC::UnlinkedCodeBlockGenerator::constantsSourceCodeRepresentation): + (JSC::UnlinkedCodeBlockGenerator::addConstant): + (JSC::UnlinkedCodeBlockGenerator::addFunctionDecl): + (JSC::UnlinkedCodeBlockGenerator::addFunctionExpr): + 
(JSC::UnlinkedCodeBlockGenerator::numberOfIdentifiers const): + (JSC::UnlinkedCodeBlockGenerator::identifier const): + (JSC::UnlinkedCodeBlockGenerator::addIdentifier): + (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset): + (JSC::UnlinkedCodeBlockGenerator::replaceOutOfLineJumpTargets): + (JSC::UnlinkedCodeBlockGenerator::metadataSizeInBytes): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::initializeNextParameter): + (JSC::BytecodeGenerator::emitPushFunctionNameScope): + (JSC::prepareJumpTableForSwitch): + (JSC::ForInContext::finalize): + (JSC::StructureForInContext::finalize): + (JSC::IndexedForInContext::finalize): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/BytecodeGeneratorBaseInlines.h: + (JSC::BytecodeGeneratorBase::newRegister): + (JSC::BytecodeGeneratorBase::addVar): + * runtime/CachedTypes.cpp: + (JSC::CachedVector::encode): + (JSC::CachedVector::decode const): + * wasm/WasmFunctionCodeBlock.h: + (JSC::Wasm::FunctionCodeBlock::setNumVars): + (JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals): + +2020-02-04 Devin Rousso + + Web Inspector: REGRESSION(r248287): Console: function objects saved to a $n will be invoked instead of just referenced when evaluating in the Console + https://bugs.webkit.org/show_bug.cgi?id=207180 + + + Reviewed by Joseph Pecoraro. + + * inspector/InjectedScriptSource.js: + (CommandLineAPI): + Instead of deciding whether to wrap the value given for a `$n` getter based on if the value + is already a function, always wrap getter values in a function so that if the value being + stored in the getter is already a function, it isn't used as the callback for the getter and + therefore invoked when the getter is referenced. + +2020-02-03 Yusuke Suzuki + + [JSC] Use PackedPtr for VariableEnvironment + https://bugs.webkit.org/show_bug.cgi?id=207172 + + Reviewed by Mark Lam. 
+ + Since VariableEnvironment's KeyValue is key: pointer + value: 2 byte, using PackedPtr can make it 8 bytes, 50% reduction. + + * parser/VariableEnvironment.h: + * runtime/CachedTypes.cpp: + (JSC::CachedRefPtr::encode): + (JSC::CachedRefPtr::decode const): CachedTypes should handle PackedPtr too since VariableEnvironment starts using it. + +2020-02-03 Alexey Shvayka + + \0 identity escapes should be syntax errors in Unicode patterns only + https://bugs.webkit.org/show_bug.cgi?id=207114 + + Reviewed by Darin Adler. + + This change adds a separate check for null character because `strchr` + always returns a non-null pointer when called with '\0' as second argument. + + Grammar: https://tc39.es/ecma262/#prod-annexB-IdentityEscape + (/u flag precludes the use of SourceCharacterIdentityEscape) + + * yarr/YarrParser.h: + (JSC::Yarr::Parser::isIdentityEscapeAnError): + +2020-02-01 Alexey Shvayka + + Non-alphabetical \c escapes should be syntax errors in Unicode patterns only + https://bugs.webkit.org/show_bug.cgi?id=207091 + + Reviewed by Darin Adler. + + This change adds SyntaxError for non-alphabetical and identity \c escapes + in Unicode patterns, aligning JSC with V8 and SpiderMonkey. + + Grammar: https://tc39.es/ecma262/#prod-annexB-ClassEscape + (/u flag precludes the use of ClassControlLetter) + + * yarr/YarrErrorCode.cpp: + (JSC::Yarr::errorMessage): + (JSC::Yarr::errorToThrow): + * yarr/YarrErrorCode.h: + * yarr/YarrParser.h: + (JSC::Yarr::Parser::parseEscape): + +2020-01-31 Yusuke Suzuki + + [JSC] Hold StructureID instead of Structure* in PolyProtoAccessChain and DFG::CommonData + https://bugs.webkit.org/show_bug.cgi?id=207086 + + Reviewed by Mark Lam. + + PolyProtoAccessChain and DFG::CommonData are kept alive so long as associated AccessCase / DFG/FTL CodeBlock + is alive. They hold Vector / Vector>, but access frequency is low. And + We should hold Vector instead to cut 50% of the size. 
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::commit): + (JSC::AccessCase::forEachDependentCell const): + (JSC::AccessCase::doesCalls const): + (JSC::AccessCase::visitWeak const): + (JSC::AccessCase::propagateTransitions const): + (JSC::AccessCase::generateWithGuard): + * bytecode/AccessCase.h: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::determineLiveness): + (JSC::CodeBlock::stronglyVisitWeakReferences): + * bytecode/GetByStatus.cpp: + (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): + * bytecode/InByIdStatus.cpp: + (JSC::InByIdStatus::computeFor): + (JSC::InByIdStatus::computeForStubInfo): + (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback): + * bytecode/InByIdStatus.h: + * bytecode/InstanceOfStatus.cpp: + (JSC::InstanceOfStatus::computeFor): + (JSC::InstanceOfStatus::computeForStubInfo): + * bytecode/InstanceOfStatus.h: + * bytecode/PolyProtoAccessChain.cpp: + (JSC::PolyProtoAccessChain::create): + (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const): + (JSC::PolyProtoAccessChain::dump const): + * bytecode/PolyProtoAccessChain.h: + (JSC::PolyProtoAccessChain::chain const): + (JSC::PolyProtoAccessChain::forEach const): + (JSC::PolyProtoAccessChain::slotBaseStructure const): + (JSC::PolyProtoAccessChain:: const): Deleted. 
+ * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::regenerate): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::summary const): + (JSC::StructureStubInfo::summary): + * bytecode/StructureStubInfo.h: + * dfg/DFGCommonData.h: + * dfg/DFGDesiredWeakReferences.cpp: + (JSC::DFG::DesiredWeakReferences::reallyAdd): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): + * jit/Repatch.cpp: + (JSC::tryCacheGetBy): + (JSC::tryCachePutByID): + (JSC::tryCacheInByID): + +2020-01-31 Yusuke Suzuki + + [JSC] ShrinkToFit some vectors kept by JIT data structures + https://bugs.webkit.org/show_bug.cgi?id=207085 + + Reviewed by Mark Lam. + + 1. We are allocating RareCaseProfile by using SegmentedVector since JIT code is directly accessing to RareCaseProfile*. But when creating RareCaseProfile, we can know + how many RareCaseProfiles should we create: RareCaseProfile is created per slow paths of Baseline JIT bytecode. Since we already scan bytecode for the main paths, + we can count it and use this number when creating RareCaseProfile. + 2. Vectors held by PolymorphicAccess and PolymorphicCallStubRoutine should be kept small by calling shrinkToFit. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::setRareCaseProfiles): + (JSC::CodeBlock::shrinkToFit): + (JSC::CodeBlock::addRareCaseProfile): Deleted. 
+ * bytecode/CodeBlock.h: + * bytecode/PolyProtoAccessChain.cpp: + (JSC::PolyProtoAccessChain::create): + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::regenerate): + * bytecode/ValueProfile.h: + (JSC::RareCaseProfile::RareCaseProfile): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/PolymorphicCallStubRoutine.cpp: + (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine): + +2020-01-31 Yusuke Suzuki + + [JSC] DFG::CommonData::shrinkToFit called before DFG::Plan::reallyAdd is called + https://bugs.webkit.org/show_bug.cgi?id=207083 + + Reviewed by Mark Lam. + + We are calling DFG::CommonData::shrinkToFit, but calling this too early: we execute + DFG::Plan::reallyAdd(DFG::CommonData*) after that, and this adds many entries to + DFG::CommonData*. We should call DFG::CommonData::shrinkToFit after calling DFG::Plan::reallyAdd. + + To implement it, we make DFG::JITCode::shrinkToFit virtual function in JSC::JITCode. Then, we + can also implement FTL::JITCode::shrinkToFit which was previously not implemented. + + * dfg/DFGJITCode.cpp: + (JSC::DFG::JITCode::shrinkToFit): + * dfg/DFGJITCode.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compile): + (JSC::DFG::JITCompiler::compileFunction): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): + * ftl/FTLJITCode.cpp: + (JSC::FTL::JITCode::shrinkToFit): + * ftl/FTLJITCode.h: + * jit/JITCode.cpp: + (JSC::JITCode::shrinkToFit): + * jit/JITCode.h: + +2020-01-31 Saam Barati + + GetButterfly should check if the input value is an object in safe to execute + https://bugs.webkit.org/show_bug.cgi?id=207082 + + Reviewed by Mark Lam. + + We can only hoist GetButterfly when we know the incoming value is an object. + We might want to reconsider making GetButterfly use ObjectUse as its edge + kind, but that's out of the scope of this patch. Currently, we use CellUse + for GetButterfly node's child1. 
+ + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + +2020-01-31 Saam Barati + + safe to execute should return false when we know code won't be moved + https://bugs.webkit.org/show_bug.cgi?id=207074 + + Reviewed by Yusuke Suzuki. + + We use safeToExecute to determine inside LICM whether it's safe to execute + a node somewhere else in the program. We were returning true for nodes + we knew would never be moved, because they were effectful. Things like Call + and GetById. This patch makes those nodes return false now, since we want + to make it easier to audit the nodes that return true. This makes that audit + easier, since it gets rid of the obvious things that will never be hoisted. + + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + +2020-01-31 Saam Barati + + GetGetterSetterByOffset and GetGetter/GetSetter are not always safe to execute + https://bugs.webkit.org/show_bug.cgi?id=206805 + + + Reviewed by Yusuke Suzuki. + + This patch fixes two bugs. The first is GetGetterSetterByOffset. Previously, + we were just checking that we could load the value safely. However, because + GetGetterSetterByOffset returns a GetterSetter object, we can only safely + move this node into a context where it's guaranteed that the offset loaded + will return a GetterSetter. + + The second fix is GetGetter/GetSetter were both always marked as safe to execute. + However, they're only safe to execute when the incoming value to load from + is a GetterSetter object. + + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + +2020-01-31 Alexey Shvayka + + Unmatched ] or } brackets should be syntax errors in Unicode patterns only + https://bugs.webkit.org/show_bug.cgi?id=207023 + + Reviewed by Darin Adler. + + This change adds SyntaxError for Unicode patterns, aligning JSC with + V8 and SpiderMonkey. 
+ + Grammar: https://tc39.es/ecma262/#prod-annexB-Term + (/u flag precludes the use of ExtendedAtom and thus ExtendedPatternCharacter) + + * yarr/YarrErrorCode.cpp: + (JSC::Yarr::errorMessage): + (JSC::Yarr::errorToThrow): + * yarr/YarrErrorCode.h: + * yarr/YarrParser.h: + (JSC::Yarr::Parser::parseTokens): + +2020-01-31 Don Olmstead + + [CMake] Add _PRIVATE_LIBRARIES to framework + https://bugs.webkit.org/show_bug.cgi?id=207004 + + Reviewed by Konstantin Tokarev. + + Move uses of PRIVATE within _LIBRARIES to _PRIVATE_LIBRARIES. Any _LIBRARIES appended + afterwards will have that visibility set erroneously. + + * PlatformFTW.cmake: + +2020-01-30 Mark Lam + + Some improvements to DFG and FTL dumps to improve readability and searchability. + https://bugs.webkit.org/show_bug.cgi?id=207024 + + Reviewed by Saam Barati. + + This patch applies the following changes: + + 1. Prefix Air and B2 dumps with a tierName prefix. + The tierName prefix strings are as follows: + + "FTL ", "DFG ", "b3 ", "Air ", "asm " + + The choice to use a lowercase "b3" and "asm" with upper case "Air" is + deliberate because I found this combination to be easier to read and scan as + prefixes of the dump lines. See dump samples below. + + 2. Make DFG node IDs consistently expressed as D@ e.g. D@104. + The definition of the node will be the id followed by a colon e.g. D@104: + This makes it easy to search references to this node anywhere in the dump. + + Make B3 nodes expressed as b@ e.g. b@542. + This also makes it searchable since there's now no ambiguity between b@542 and + D@542. + + The choice to use a lowercase "b" and an uppercase "D" is intentional because + "b@542" and "d@542" looks too similar, and I prefer to not use too much + uppercase. Plus this makes the node consistent in capitalization with the + tierName prefixes above of "b3 " and "DFG " respectively. + + Here's a sample of what the dumps now look like: + + DFG graph dump: + + ... 
+ 6 55: <-- foo#DFndCW:<0x62d0000b8140, bc#65, Call, known callee: Object: 0x62d000035920 with butterfly 0x0 (Structure %AN:Function), StructureID: 12711, numArgs+this = 1, numFixup = 0, stackOffset = -16 (loc0 maps to loc16)> + 3 6 55: D@79:< 3:-> ArithAdd(Int32:Kill:D@95, Int32:D@42, Int32|PureNum|UseAsOther, Int32, CheckOverflow, Exits, bc#71, ExitValid) + 4 6 55: D@3: KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#71, ExitInvalid) + 5 6 55: D@85: MovHint(Check:Untyped:D@79, MustGen, loc7, W:SideState, ClobbersExit, bc#71, ExitInvalid) + 6 6 55: D@102:< 1:-> CompareLess(Int32:D@79, Int32:D@89, Boolean|UseAsOther, Bool, Exits, bc#74, ExitValid) + 7 6 55: D@104: Branch(KnownBoolean:Kill:D@102, MustGen, T:#1/w:10.000000, F:#7/w:1.000000, W:SideState, bc#74, ExitInvalid) + ... + + + B3 graph dump: + + ... + b3 BB#14: ; frequency = 10.000000 + b3 Predecessors: #13 + b3 Int32 b@531 = CheckAdd(b@10:WarmAny, $1(b@1):WarmAny, b@64:ColdAny, b@10:ColdAny, generator = 0x606000022e80, earlyClobbered = [], lateClobbered = [], usedRegisters = [], ExitsSideways|Reads:Top, D@79) + b3 Int32 b@539 = LessThan(b@531, $100(b@578), D@102) + b3 Void b@542 = Branch(b@539, Terminal, D@104) + b3 Successors: Then:#2, Else:#15 + ... + + + Air graph dump: + + ... + Air BB#5: ; frequency = 10.000000 + Air Predecessors: #4 + Air Move -96(%rbp), %rax, b@531 + Air Patch &BranchAdd32(3,ForceLateUseUnlessRecoverable)3, Overflow, $1, %rax, -104(%rbp), -96(%rbp), b@531 + Air Branch32 LessThan, %rax, $100, b@542 + Air Successors: #1, #6 + ... + + + FTL disassembly dump: + + ... 
+ Air BB#5: ; frequency = 10.000000 + Air Predecessors: #4 + DFG D@42:< 2:-> JSConstant(JS|PureInt, Int32, Int32: 1, bc#0, ExitInvalid) + DFG D@79:< 3:-> ArithAdd(Int32:Kill:D@95, Int32:D@42, Int32|PureNum|UseAsOther, Int32, CheckOverflow, Exits, bc#71, ExitValid) + b3 Int32 b@1 = Const32(1) + b3 Int32 b@531 = CheckAdd(b@10:WarmAny, $1(b@1):WarmAny, b@64:ColdAny, b@10:ColdAny, generator = 0x606000022e80, earlyClobbered = [], lateClobbered = [], usedRegisters = [%rax, %rbx, %rbp, %r12], ExitsSideways|Reads:Top, D@79) + Air Move -96(%rbp), %rax, b@531 + asm 0x4576b9c04712: mov -0x60(%rbp), %rax + Air Patch &BranchAdd32(3,ForceLateUseUnlessRecoverable)3, Overflow, $1, %rax, -104(%rbp), -96(%rbp), b@531 + asm 0x4576b9c04716: inc %eax + asm 0x4576b9c04718: jo 0x4576b9c04861 + DFG D@89:< 1:-> JSConstant(JS|PureNum|UseAsOther, NonBoolInt32, Int32: 100, bc#0, ExitInvalid) + DFG D@102:< 1:-> CompareLess(Int32:D@79, Int32:D@89, Boolean|UseAsOther, Bool, Exits, bc#74, ExitValid) + DFG D@104: Branch(KnownBoolean:Kill:D@102, MustGen, T:#1/w:10.000000, F:#7/w:1.000000, W:SideState, bc#74, ExitInvalid) + b3 Int32 b@578 = Const32(100, D@89) + b3 Int32 b@539 = LessThan(b@531, $100(b@578), D@102) + b3 Void b@542 = Branch(b@539, Terminal, D@104) + Air Branch32 LessThan, %rax, $100, b@542 + asm 0x4576b9c0471e: cmp $0x64, %eax + asm 0x4576b9c04721: jl 0x4576b9c0462f + Air Successors: #1, #6 + ... 
+ + + * b3/B3BasicBlock.cpp: + (JSC::B3::BasicBlock::deepDump const): + * b3/B3Common.cpp: + * b3/B3Common.h: + * b3/B3Generate.cpp: + (JSC::B3::generateToAir): + * b3/B3Procedure.cpp: + (JSC::B3::Procedure::dump const): + * b3/B3Value.cpp: + * b3/air/AirBasicBlock.cpp: + (JSC::B3::Air::BasicBlock::deepDump const): + (JSC::B3::Air::BasicBlock::dumpHeader const): + (JSC::B3::Air::BasicBlock::dumpFooter const): + * b3/air/AirCode.cpp: + (JSC::B3::Air::Code::dump const): + * b3/air/AirCode.h: + * b3/air/AirDisassembler.cpp: + (JSC::B3::Air::Disassembler::dump): + * b3/air/AirGenerate.cpp: + (JSC::B3::Air::prepareForGeneration): + * dfg/DFGCommon.cpp: + * dfg/DFGCommon.h: + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + (JSC::DFG::Graph::dumpBlockHeader): + * dfg/DFGNode.cpp: + (WTF::printInternal): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLCompile.h: + * ftl/FTLState.cpp: + (JSC::FTL::State::State): + +2020-01-30 Yusuke Suzuki + + [WTF] Remove PackedIntVector + https://bugs.webkit.org/show_bug.cgi?id=207018 + + Reviewed by Mark Lam. + + * bytecode/BytecodeBasicBlock.h: + +2020-01-30 Yusuke Suzuki + + [JSC] Remove unnecessary allocations in BytecodeBasicBlock + https://bugs.webkit.org/show_bug.cgi?id=206986 + + Reviewed by Mark Lam. + + We know that BytecodeBasicBlock itself takes 2MB in Gmail. And each BytecodeBasicBlock has Vector + and Vector. + + BytecodeBasicBlock holds all the offset per bytecode as unsigned in m_offsets. But this offset is + only used when reverse iterating a bytecode in a BytecodeBasicBlock. We can hold a length of each + bytecode instead, which is much smaller (unsigned v.s. uint8_t). + + Since each BytecodeBasicBlock has index, we should hold successors in Vector instead of Vector. + + We are also allocating BytecodeBasicBlock in makeUnique<> and having them in Vector>. + But this is not necessary since only BytecodeBasicBlock::compute can modify this vector. We should generate Vector + from BytecodeBasicBlock::compute. 
+ + We are also planning purging BytecodeBasicBlock in UnlinkedCodeBlock if it is not used so much. But this will be done in a separate patch. + + * bytecode/BytecodeBasicBlock.cpp: + (JSC::BytecodeBasicBlock::BytecodeBasicBlock): + (JSC::BytecodeBasicBlock::addLength): + (JSC::BytecodeBasicBlock::shrinkToFit): + (JSC::BytecodeBasicBlock::computeImpl): + (JSC::BytecodeBasicBlock::compute): + * bytecode/BytecodeBasicBlock.h: + (JSC::BytecodeBasicBlock::delta const): + (JSC::BytecodeBasicBlock::successors const): + (JSC::BytecodeBasicBlock::operator bool const): + (JSC::BytecodeBasicBlock::addSuccessor): + (JSC::BytecodeBasicBlock::offsets const): Deleted. + (JSC::BytecodeBasicBlock:: const): Deleted. + (JSC::BytecodeBasicBlock::BytecodeBasicBlock): Deleted. + (JSC::BytecodeBasicBlock::addLength): Deleted. + * bytecode/BytecodeGeneratorification.cpp: + (JSC::BytecodeGeneratorification::BytecodeGeneratorification): + * bytecode/BytecodeGraph.h: + (JSC::BytecodeGraph::blockContainsBytecodeOffset): + (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset): + (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset): + (JSC::BytecodeGraph::at const): + (JSC::BytecodeGraph::operator[] const): + (JSC::BytecodeGraph::begin): + (JSC::BytecodeGraph::end): + (JSC::BytecodeGraph::first): + (JSC::BytecodeGraph::last): + (JSC::BytecodeGraph::BytecodeGraph): + (JSC::BytecodeGraph::begin const): Deleted. + (JSC::BytecodeGraph::end const): Deleted. 
+ * bytecode/BytecodeLivenessAnalysis.cpp: + (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeIndex): + (JSC::BytecodeLivenessAnalysis::computeFullLiveness): + (JSC::BytecodeLivenessAnalysis::computeKills): + (JSC::BytecodeLivenessAnalysis::dumpResults): + * bytecode/BytecodeLivenessAnalysis.h: + * bytecode/BytecodeLivenessAnalysisInlines.h: + (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeIndex): + (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock): + (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeIndex): + (JSC::BytecodeLivenessPropagation::runLivenessFixpoint): + * bytecode/InstructionStream.h: + (JSC::InstructionStream::MutableRef::operator-> const): + (JSC::InstructionStream::MutableRef::ptr const): + (JSC::InstructionStream::MutableRef::unwrap const): + * bytecode/Opcode.h: + * generator/Section.rb: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LowLevelInterpreter.cpp: + (JSC::CLoop::execute): + +2020-01-30 Alexey Shvayka + + Incomplete braced quantifiers should be banned in Unicode patterns only + https://bugs.webkit.org/show_bug.cgi?id=206776 + + Reviewed by Darin Adler. + + This change adds SyntaxError for Unicode patterns, aligning JSC with + V8 and SpiderMonkey, and also capitalizes "Unicode" in error messages. + + Grammar: https://tc39.es/ecma262/#prod-annexB-Term + (/u flag precludes the use of ExtendedAtom and thus InvalidBracedQuantifier) + + * yarr/YarrErrorCode.cpp: + (JSC::Yarr::errorMessage): + (JSC::Yarr::errorToThrow): + * yarr/YarrErrorCode.h: + * yarr/YarrParser.h: + (JSC::Yarr::Parser::parseTokens): + +2020-01-30 Yusuke Suzuki + + [JSC] Make SourceProviderCacheItem small + https://bugs.webkit.org/show_bug.cgi?id=206987 + + Reviewed by Mark Lam. + + We know this becomes very large when parsing a large script, and it is noticeable in some of RAMification tests. 
+ We should use PackedPtr to shrink size of SourceProviderCacheItem. + + * parser/Parser.h: + (JSC::Scope::restoreFromSourceProviderCache): + * parser/SourceProviderCacheItem.h: + (JSC::SourceProviderCacheItem::usedVariables const): + (JSC::SourceProviderCacheItem::SourceProviderCacheItem): + +2020-01-30 Keith Miller + + Parser needs to restore unary stack state when backtracking + https://bugs.webkit.org/show_bug.cgi?id=206972 + + Reviewed by Saam Barati. + + Previously we would try to parse possibly stale unary operator + stack entries after backtracking from a parse error. This would + cause us to think one token was a different token while reparsing + after backtracking. Additionally, this patch fixes an issue where + the syntax checker would think assignment expressions were resolve + expressions. Intrestingly, this was not tested in test262. + + Lastly, I tried adding some assertions to improve help diagnose + when our source text locations are incorrect. + + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitExpressionInfo): + * bytecompiler/NodesCodegen.cpp: + (JSC::ThisNode::emitBytecode): + (JSC::ResolveNode::emitBytecode): + (JSC::EmptyVarExpression::emitBytecode): + (JSC::EmptyLetExpression::emitBytecode): + (JSC::ForInNode::emitLoopHeader): + (JSC::ForOfNode::emitBytecode): + (JSC::DefineFieldNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::unaryTokenStackDepth const): + (JSC::ASTBuilder::setUnaryTokenStackDepth): + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + * parser/Lexer.h: + (JSC::Lexer::setLineNumber): + * parser/Nodes.cpp: + (JSC::FunctionMetadataNode::operator== const): + * parser/Nodes.h: + (JSC::ThrowableExpressionData::ThrowableExpressionData): + (JSC::ThrowableExpressionData::setExceptionSourceCode): + (JSC::ThrowableExpressionData::checkConsistency const): + * parser/Parser.cpp: + (JSC::Parser::isArrowFunctionParameters): + (JSC::Parser::parseSourceElements): + (JSC::Parser::parseModuleSourceElements): + 
(JSC::Parser::parseStatementListItem): + (JSC::Parser::parseAssignmentElement): + (JSC::Parser::parseForStatement): + (JSC::Parser::maybeParseAsyncFunctionDeclarationStatement): + (JSC::Parser::parseFunctionInfo): + (JSC::Parser::parseClass): + (JSC::Parser::parseExportDeclaration): + (JSC::Parser::parseAssignmentExpression): + (JSC::Parser::parseYieldExpression): + (JSC::Parser::parseProperty): + (JSC::Parser::parseMemberExpression): + (JSC::Parser::parseUnaryExpression): + * parser/Parser.h: + (JSC::Parser::lexCurrentTokenAgainUnderCurrentContext): + (JSC::Parser::internalSaveParserState): + (JSC::Parser::restoreParserState): + (JSC::Parser::internalSaveState): + (JSC::Parser::swapSavePointForError): + (JSC::Parser::createSavePoint): + (JSC::Parser::internalRestoreState): + (JSC::Parser::restoreSavePointWithError): + (JSC::Parser::restoreSavePoint): + (JSC::Parser::createSavePointForError): Deleted. + * parser/ParserTokens.h: + (JSC::JSTextPosition::JSTextPosition): + (JSC::JSTextPosition::checkConsistency): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::operatorStackPop): + +2020-01-29 Mark Lam + + Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase(). + https://bugs.webkit.org/show_bug.cgi?id=206981 + + + Reviewed by Keith Miller. + + InternalFunctionAllocationProfile::createAllocationStructureFromBase() is only + called from FunctionRareData::createInternalFunctionAllocationStructureFromBase(), + which in turn is only called from InternalFunction::createSubclassStructureSlow(). + + InternalFunction::createSubclassStructureSlow() only allows a call to + FunctionRareData::createInternalFunctionAllocationStructureFromBase() under + certain conditions. One of these conditions is that the baseGlobalObject is + different than the newTarget's globalObject. + + InternalFunctionAllocationProfile::createAllocationStructureFromBase() has an + ASSERT on the same set of conditions, with one ommission: the one above. 
This + patch fixes the ASSERT by adding the missing condition to match the check in + InternalFunction::createSubclassStructureSlow(). + + * bytecode/InternalFunctionAllocationProfile.h: + (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase): + +2020-01-29 Robin Morisset + + Remove Options::enableSpectreMitigations + https://bugs.webkit.org/show_bug.cgi?id=193885 + + Reviewed by Saam Barati. + + From what I remember we decided to remove the spectre-specific mitigations we had tried (in favor of things like process-per-origin). + I don't think anyone is using the SpectreGadget we had added for experiments either. + So this patch removes the following three options, and all the code that depended on them: + - enableSpectreMitigations (was true, only used in one place) + - enableSpectreGadgets (was false) + - zeroStackFrame (was false, and was an experiment about Spectre variant 4 if I remember correctly) + + * b3/air/AirCode.cpp: + (JSC::B3::Air::defaultPrologueGenerator): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compile): + (JSC::DFG::JITCompiler::compileFunction): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + * jit/AssemblyHelpers.h: + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + * runtime/OptionsList.h: + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::initCallFrame): + +2020-01-29 Devin Rousso + + Web Inspector: add instrumentation for showing existing Web Animations + https://bugs.webkit.org/show_bug.cgi?id=205434 + + + Reviewed by Brian Burg. + + * inspector/protocol/Animation.json: + Add types/commands/events for instrumenting the lifecycle of `Animation` objects, as well as + commands for getting the JavaScript wrapper object and the target DOM node. 
+ +2020-01-29 Robin Morisset + + Don't include CCallHelpers.h in B3Procedure.h + https://bugs.webkit.org/show_bug.cgi?id=206966 + + Reviewed by Saam Barati. + + I verified through -ftime-trace and it massively speeds up a few of the compilation units (e.g. UnifiedSource10.cpp). + + * b3/B3Procedure.cpp: + * b3/B3Procedure.h: + * b3/testb3_6.cpp: + (testEntrySwitchSimple): + (testEntrySwitchNoEntrySwitch): + (testEntrySwitchWithCommonPaths): + (testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): + (testEntrySwitchLoop): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * wasm/WasmParser.h: + +2020-01-29 Justin Michaud + + Fix small memory regression caused by r206365 + https://bugs.webkit.org/show_bug.cgi?id=206557 + + Reviewed by Yusuke Suzuki. + + Put StructureRareData::m_giveUpOnObjectToStringValueCache into m_objectToStringValue to prevent increasing StructureRareData's size. We make a special value for the pointer + objectToStringCacheGiveUpMarker() to signal that we should not cache the string value. As a result, adding m_transitionOffset does not increase the size of the class. + + * runtime/Structure.h: + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::StructureRareData): + (JSC::StructureRareData::visitChildren): + (JSC::StructureRareData::setObjectToStringValue): + (JSC::StructureRareData::clearObjectToStringValue): + * runtime/StructureRareData.h: + * runtime/StructureRareDataInlines.h: + (JSC::StructureRareData::objectToStringValue const): + +2020-01-28 Yusuke Suzuki + + [JSC] Give up IC when unknown structure transition happens + https://bugs.webkit.org/show_bug.cgi?id=206846 + + Reviewed by Mark Lam. + + When we are creating Put IC for a new property, we grab the old Structure before performing + the put. For a custom ::put, our convention is that the implemented ::put should mark the PutPropertySlot + as non-cachable. The IC code relies on this in order to work correctly. 
If we didn't mark it as non-cacheable, + a semantic failure can happen. This patch hardens the code against this semantic failure case by giving up trying + to cache the IC when the newStructure calculated from oldStructure does not match against + the actual structure after the put operation. + + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + (JSC::repatchPutByID): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Structure.cpp: + (JSC::Structure::flattenDictionaryStructure): + * tools/JSDollarVM.cpp: + (JSC::functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus): + (JSC::JSDollarVM::finishCreation): + (JSC::JSDollarVM::visitChildren): + * tools/JSDollarVM.h: + +2020-01-28 Robin Morisset + + Remove the include of BytecodeGenerator.h in CodeCache.h + https://bugs.webkit.org/show_bug.cgi?id=206851 + + Reviewed by Tadeu Zagallo. + + This reduces the number of times that BytecodeStructs.h has to be parsed from 33 to 25 times, and unblocks https://bugs.webkit.org/show_bug.cgi?id=206720. + + * runtime/CodeCache.cpp: + (JSC::generateUnlinkedCodeBlockForFunctions): + (JSC::generateUnlinkedCodeBlockImpl): + (JSC::generateUnlinkedCodeBlock): + (JSC::generateUnlinkedCodeBlockForDirectEval): + (JSC::recursivelyGenerateUnlinkedCodeBlockForProgram): + (JSC::recursivelyGenerateUnlinkedCodeBlockForModuleProgram): + * runtime/CodeCache.h: + * runtime/Completion.cpp: + (JSC::generateProgramBytecode): + (JSC::generateModuleBytecode): + * runtime/DirectEvalExecutable.cpp: + (JSC::DirectEvalExecutable::create): + * runtime/JSGlobalObject.cpp: + * runtime/VM.cpp: + +2020-01-28 Mark Lam + + Some website needs more stack space. + https://bugs.webkit.org/show_bug.cgi?id=206891 + + Reviewed by Saam Barati. + + We're bumping the maximum stack usage limit (JSC_maxPerThreadStackUsage) to 5M + to give websites a little more stack space when available. 
The actual useable + stack space is still the minimum of JSC_maxPerThreadStackUsage and the stack size + that the OS provisions, minus some overhead. + + * runtime/OptionsList.h: + +2020-01-27 Carlos Garcia Campos + + [GTK] Remote Inspector: add support for service workers targets + https://bugs.webkit.org/show_bug.cgi?id=206821 + + Reviewed by Žan Doberšek. + + Handle ServiceWorker target type. + + * inspector/remote/glib/RemoteInspectorGlib.cpp: + (Inspector::targetDebuggableType): + (Inspector::RemoteInspector::listingForInspectionTarget const): + +2020-01-27 Jonathan Bedard + + Fix OpenSource iphoneos arm64e build + https://bugs.webkit.org/show_bug.cgi?id=206703 + + Reviewed by Yusuke Suzuki. + + * runtime/MachineContext.h: + (JSC::MachineContext::stackPointerImpl): Conditionalize function existence on + USE(DARWIN_REGISTER_MACROS). + (JSC::MachineContext::stackPointer): Use Darwin's register macros if available. + (JSC::MachineContext::setStackPointer): Ditto. + (JSC::MachineContext::instructionPointerImpl): Conditionalize function existence + on USE(DARWIN_REGISTER_MACROS). + (JSC::MachineContext::instructionPointer): Use Darwin's register macros if available. + (JSC::MachineContext::setInstructionPointer): Ditto. + (JSC::MachineContext::linkRegister): Ditto. + (JSC::MachineContext::setLinkRegister): Ditto. + (JSC::MachineContext::linkRegisterImpl): Deleted. + +2020-01-27 Devin Rousso + + Web Inspector: unable to evaluate in the isolated world of content scripts injected by safari app extensions + https://bugs.webkit.org/show_bug.cgi?id=206110 + + + Reviewed by Timothy Hatcher, Joseph Pecoraro, and Brian Burg. + + In addition to evaluating in subframe execution contexts, add the ability for Web Inspector + to evaluate in non-normal isolated worlds. + + * inspector/protocol/Runtime.json: + Introduce an `ExecutionContextType` enum instead of `isPageContext` so the frontend can + decide whether/how to show a picker for that execution context. 
+ +2020-01-27 Stephan Szabo + + Python 3: generate-js-builtins hits SyntaxWarning for "is 0" + https://bugs.webkit.org/show_bug.cgi?id=206840 + + Reviewed by Jonathan Bedard. + + * Scripts/generate-js-builtins.py: Replace is 0 with == 0 + +2020-01-27 David Kilzer + + REGRESSION (r250009): testair crashes in (anonymous namespace)::matchAll + + + + Reviewed by Yusuke Suzuki. + + * b3/air/testair.cpp: + ((anonymous namespace)::matchAll): Don't replace `str` in the + body of the for loop since `match` references it. + +2020-01-27 Ryan Haddad + + Unreviewed, rolling out r255159. + + Broke the watchOS build. + + Reverted changeset: + + "Fix OpenSource iphoneos arm64e build" + https://bugs.webkit.org/show_bug.cgi?id=206703 + https://trac.webkit.org/changeset/255159 + +2020-01-27 Jonathan Bedard + + Fix OpenSource iphoneos arm64e build + https://bugs.webkit.org/show_bug.cgi?id=206703 + + Reviewed by Yusuke Suzuki. + + * runtime/MachineContext.h: + (JSC::MachineContext::stackPointerImpl): Conditionalize function existence on + USE(DARWIN_REGISTER_MACROS). + (JSC::MachineContext::stackPointer): Use Darwin's register macros if available. + (JSC::MachineContext::setStackPointer): Ditto. + (JSC::MachineContext::instructionPointerImpl): Conditionalize function existence + on USE(DARWIN_REGISTER_MACROS). + (JSC::MachineContext::instructionPointer): Use Darwin's register macros if available. + (JSC::MachineContext::setInstructionPointer): Ditto. + (JSC::MachineContext::linkRegister): Ditto. + (JSC::MachineContext::setLinkRegister): Ditto. + (JSC::MachineContext::linkRegisterImpl): Deleted. + +2020-01-27 Paulo Matos + + Remove internal fields in promise assertion for 32bits + https://bugs.webkit.org/show_bug.cgi?id=206823 + + Reviewed by Mark Lam. + + This assertion was removed for 64bits under bug 201159 but left around + in 32bits. 
+ + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_internal_field): + (JSC::JIT::emit_op_put_internal_field): + +2020-01-26 Alexey Shvayka + + Invalid ranges in character classes should be banned in Unicode patterns only + https://bugs.webkit.org/show_bug.cgi?id=206768 + + Reviewed by Darin Adler. + + In ES5, grammar of CharacterRange was ambiguous, resulting in invalid ranges + like /[\d-a]/ being allowed. As of ES2015, invalid ranges are SyntaxError in + Unicode patterns, yet still allowed in regular ones to avoid breaking the web. + (https://tc39.es/ecma262/#sec-patterns-static-semantics-early-errors-annexb) + + This change adds SyntaxError for Unicode patterns and updates explanatory + comments. ErrorCode::CharacterClassOutOfOrder is renamed for consistency + with newly added error code and ErrorCode::ParenthesesTypeInvalid. + + * yarr/YarrErrorCode.cpp: + (JSC::Yarr::errorMessage): + (JSC::Yarr::errorToThrow): + * yarr/YarrErrorCode.h: + * yarr/YarrParser.h: + (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate): + (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter): + (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBuiltInCharacterClass): + (JSC::Yarr::Parser::parseCharacterClass): + +2020-01-24 Mark Lam + + Move singleton Intl string locales out of JSGlobalObject. + https://bugs.webkit.org/show_bug.cgi?id=206791 + + + Reviewed by Yusuke Suzuki and Andy Wagoner. + + We were creating an instance of these for each JSGlobalObject when they can be a + global singleton since they are always initialized with the same intl data + (barring a mid-flight change in intl settings, which we don't support even in the + existing code). + + It turns out that intlPluralRulesAvailableLocales() wasn't called anywhere. + IntlPluralRules code currently just uses intlNumberFormatAvailableLocales(). + To document that this is intentional, we do the following: + 1. 
have IntlPluralRules code call intlPluralRulesAvailableLocales(), and + 2. have intlPluralRulesAvailableLocales() call intlNumberFormatAvailableLocales() + for its implementation. + See https://bugs.webkit.org/show_bug.cgi?id=206791#c7 and + https://bugs.webkit.org/show_bug.cgi?id=206791#c8. + + In addMissingScriptLocales(), I'm deliberately naming the string with underscores + because it's much easier to read pa_PK_String and see that it refers to "pa-PK" + as opposed to paPKString. Ditto for zh_CN_String, zh_HK_String, zh_SG_String, + and zh_TW_String. + + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::initializeCollator): + * runtime/IntlCollatorConstructor.cpp: + (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + * runtime/IntlDateTimeFormatConstructor.cpp: + (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::initializeNumberFormat): + * runtime/IntlNumberFormatConstructor.cpp: + (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): + * runtime/IntlObject.cpp: + (JSC::convertICULocaleToBCP47LanguageTag): + (JSC::addMissingScriptLocales): + (JSC::intlCollatorAvailableLocales): + (JSC::intlDateTimeFormatAvailableLocales): + (JSC::intlNumberFormatAvailableLocales): + (JSC::defaultLocale): + * runtime/IntlObject.h: + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::initializePluralRules): + * runtime/IntlPluralRulesConstructor.cpp: + (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf): + * runtime/JSGlobalObject.cpp: + (JSC::addMissingScriptLocales): Deleted. + (JSC::JSGlobalObject::intlCollatorAvailableLocales): Deleted. + (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales): Deleted. + (JSC::JSGlobalObject::intlNumberFormatAvailableLocales): Deleted. + (JSC::JSGlobalObject::intlPluralRulesAvailableLocales): Deleted. 
+ * runtime/JSGlobalObject.h: + +2020-01-24 Mark Lam + + IntlObject's cached strings should be immortal and safe for concurrent access. + https://bugs.webkit.org/show_bug.cgi?id=206779 + + + Reviewed by Yusuke Suzuki. + + In IntlObject's numberingSystemsForLocale(), we have a never destroyed + cachedNumberingSystems which is a singleton vector of Strings which are shared + multiple VMs. Hence, the strings in this vector should be a StaticStringImpl + so that it will be immortal, and can be access concurrently from multiple VMs + on different threads without any ref/deref'ing race issues. + + * runtime/IntlObject.cpp: + (JSC::numberingSystemsForLocale): + +2020-01-24 Caio Lima + + [ARMv7][JIT] Implement checkpoint support + https://bugs.webkit.org/show_bug.cgi?id=206611 + + Reviewed by Yusuke Suzuki. + + This patch is adding code path to properly support checkpoint on ARMv7. + + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + + We changed the scratch buffer population to properly handle + callee-saved registers on 32-bits. For more details, check comments on + source code. + + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + * jit/GPRInfo.h: + (JSC::GPRInfo::toRegister): + (JSC::GPRInfo::toIndex): + + We are adding back `regCS1` to be used as GPRReg on DFG and + scratch registers. This was necessary because some code generated by + GetByVal IC requires at least 9 registers available. + Given that, we also added such register to `dfgCalleeSaveRegisters` + set. + + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitPutByValWithCachedId): + * jit/RegisterSet.cpp: + (JSC::RegisterSet::dfgCalleeSaveRegisters): + * llint/LowLevelInterpreter.asm: + +2020-01-24 Keith Miller + + JSC should produce a module map. + https://bugs.webkit.org/show_bug.cgi?id=206717 + + Reviewed by Mark Lam. + + * Configurations/JavaScriptCore.xcconfig: + * JavaScriptCore.modulemap: + +2020-01-24 Commit Queue + + Unreviewed, rolling out r255052. 
+ https://bugs.webkit.org/show_bug.cgi?id=206758 + + "Broke production builds" (Requested by rmorisset on #webkit). + + Reverted changeset: + + "Break the dependency between jsc and DerivedSources" + https://bugs.webkit.org/show_bug.cgi?id=206720 + https://trac.webkit.org/changeset/255052 + +2020-01-24 Adrian Perez de Castro + + Fix various non-unified build issues introduced since r254751 + https://bugs.webkit.org/show_bug.cgi?id=206736 + + Reviewed by Carlos Garcia Campos. + + * tools/CompilerTimingScope.cpp: Add missing inclusions of wtf/Vector.h and wtf/text/WTFString.h + +2020-01-24 Paulo Matos + + Fix number of callee saved register count on MIPS + https://bugs.webkit.org/show_bug.cgi?id=206732 + + Reviewed by Žan Doberšek. + + MIPS has been issuing illegal instruction errors due to stack corruption. + This is caused by an incorrect number of CalleeSaveRegisterCount + that should be set to 3 since r254674. + + * llint/LowLevelInterpreter.asm: + +2020-01-23 Yusuke Suzuki + + [JSC] DFG OSR exit is not marking CodeBlock::m_hasLinkedOSRExit when the exit target is checkpoint + https://bugs.webkit.org/show_bug.cgi?id=206726 + + + Reviewed by Saam Barati. + + The problem was that DFG OSR exit is not marking CodeBlock::m_hasLinkedOSRExit appropriately when an exit target bytecode-index is a checkpoint. + Let's consider the following scenario. + + 1. The caller CodeBlock "A" has Baseline code. + 2. Compile DFG code exiting to the checkpoint of "A". We are not marking "A"'s CodeBlock::m_hasLinkedOSRExit. + 3. GC happens and we decide dropping Baseline code for "A" since it is not marked. Switching it to LLInt. + 4. However, DFG OSR exit code is compiled by assuming that "A" is Baseline. So LLInt registers are not recovered correctly. + 5. Then, exiting to LLInt of "A", LLInt sees that LLInt registers have garbage. + + In this patch, we correctly set a bit of CodeBlock::m_hasLinkedOSRExit when the exit target is checkpoint. 
+ + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::callerReturnPC): + +2020-01-23 Yusuke Suzuki + + Unreviewed, build fix for Windows + https://bugs.webkit.org/show_bug.cgi?id=206706 + + Definition still existed. + + * parser/Parser.h: + +2020-01-23 Robin Morisset + + Break the dependency between jsc and DerivedSources + https://bugs.webkit.org/show_bug.cgi?id=206720 + + Reviewed by Mark Lam. + + According to Tadeu, the slowdown of production builds (by more than 20%) when he landed his bytecode patch was caused by a new dependency of the jsc binary on DerivedSources/, which was needed because of DerivedSources/BytecodeStructs.h being included in CommonSlowPaths.h which is transitively included in jsc.cpp. + Now that BytecodeStructs.h is no longer included in CommonSlowPaths.h (see https://bugs.webkit.org/show_bug.cgi?id=206566), I'm trying to break the dependency, to recover from this compile time regression. + + * Configurations/JSC.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-01-23 Robin Morisset + + Remove dead option useFTLTBAA + https://bugs.webkit.org/show_bug.cgi?id=206725 + + Reviewed by Mark Lam. + + It is likely from when the FTL used LLVM, before B3/Air were written, making this option completely obsolete (and it is currently unused). + + * runtime/OptionsList.h: + +2020-01-23 Robin Morisset + + Remove dead options "dumpAllDFGNodes"/"showAllDFGNodes" + https://bugs.webkit.org/show_bug.cgi?id=204372 + + Reviewed by Keith Miller. + + * runtime/OptionsList.h: + +2020-01-23 Saam Barati + + Get rid of didFinishParsing and make parseInner return its results + https://bugs.webkit.org/show_bug.cgi?id=206706 + + Reviewed by Mark Lam and Keith Miller and Yusuke Suzuki. + + This is paving the way for eagerly parsing immediately invoked functions. + Before, we'd just end up setting member fields inside ::didFinishParsing, + and then read them out inside ::parse. 
However, this is not going to work + when we are in a world where we're generating AST nodes for more than one + function at a time. This patch paves the way for that. + + * parser/Parser.cpp: + (JSC::Parser::Parser): + (JSC::Parser::parseInner): + (JSC::Parser::didFinishParsing): Deleted. + * parser/Parser.h: + (JSC::Parser::parse): + +2020-01-23 Robin Morisset + + Don't include BytecodeStructs.h in CommonSlowPaths.h + https://bugs.webkit.org/show_bug.cgi?id=206566 + + Reviewed by Tadeu Zagallo. + + Simple improvement to compile times. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGOSREntry.cpp: + * jit/JIT.h: + * jit/JITInlines.h: + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + * runtime/CommonSlowPaths.h: + * wasm/WasmSlowPaths.cpp: + +2020-01-23 Saam Barati + + OptimizeAssociativeExpressionTrees should reset value owners before running + https://bugs.webkit.org/show_bug.cgi?id=206670 + + + Reviewed by Robin Morisset. + + We have a crash inside OptimizeAssociativeExpressionTrees and we don't know + how to reproduce it. Also, based on Mark's auditing of the crash site's + assembly, Mark thinks we're crashing on a "currupt" basic block. + + After I audited the code, I saw that we rely on value owners in this phase. + However, we don't actually reset them before running the phase. This patch + adds that as a speculative fix for the crash we're seeing. + + * b3/B3OptimizeAssociativeExpressionTrees.cpp: + (JSC::B3::OptimizeAssociativeExpressionTrees::run): + +2020-01-23 Yusuke Suzuki + + Unreviewed, fix calculation of kindBits + https://bugs.webkit.org/show_bug.cgi?id=206650 + + * bytecode/Operands.h: + +2020-01-22 Yusuke Suzuki + + [JSC] Bits from Operand should fit in bits reserved in AbstractHeap's Payload + https://bugs.webkit.org/show_bug.cgi?id=206619 + + + Reviewed by Keith Miller. + + We extended JSC::Operand to have an additional field representing OperandKind. 
+ However, we have restriction in DFG::AbstractHeap's Payload that Operand's raw + bits format need to fit in reserved bits in Payload's raw bits format, 49 bits. + Since we ordered fields of Operand "m_kind" and "m_operand", in little endian + architecture, raw bits format of Operand can exceed 49 bits if m_operand is + large enough. + + This patch fixes the order to ensure that Operand's raw bit format always fits + in 49 bits. + + * bytecode/Operands.h: + (JSC::Operand::Operand): + (JSC::Operand::asBits const): + * dfg/DFGAbstractHeap.h: + +2020-01-22 Mark Lam + + Restore nullification of DFG::Plan::m_vm when the plan is cancelled. + https://bugs.webkit.org/show_bug.cgi?id=206633 + + + Reviewed by Robin Morisset. + + In r253243, I replaced the nullification of Plan::m_vm in Plan::cancel() with + code to decorate the m_vm pointer with a nuke bit. The thinking is that keeping + the VM pointer in nuked form allows us to do certain assertions, as well as + implementing code in support of keeping Boxs alive. It is only + correct to use the nuked VM pointer if and only if the VM is guaranteed to + outlive the Plan. r253243 guarantees this condition. + + In r254464, I replaced the use of Box with CacheableIdentifier. + This obviated all the support code added above, and rolled out most of it. + However, I opted to keep the nuked VM pointer in the DFG::Plan to as a debugging + aid (it's nice to be able to know which VM the Plan came from). + + However, r254464 also undid the guarantee that the VM will outlive the Plan. + As a result, a nuked VM pointer is no longer guaranteed to point to a valid VM. + Some worker layout tests, run on an ASAN build, detected that the pointer is + pointing to an already freed VM and failed with a crash. + + This patch fixes this issue by completely reverting the nuked VM pointer code, + and restores nullification of the m_vm pointer in Plan::cancel(). 
+ + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::computeCompileTimes const): + (JSC::DFG::Plan::cancel): + * dfg/DFGPlan.h: + (JSC::DFG::Plan::vm const): + (JSC::DFG::Plan::unnukedVM const): Deleted. + (JSC::DFG::Plan::nuke): Deleted. + (JSC::DFG::Plan::unnuke): Deleted. + +2020-01-22 Keith Miller + + Remove DFGAbstractHeap::typeInfoType since it's immutable + https://bugs.webkit.org/show_bug.cgi?id=206638 + + Reviewed by Yusuke Suzuki. + + * dfg/DFGAbstractHeap.h: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2020-01-22 Keith Miller + + InternalField and CheckNeutered DFG nodes are not always safe to execute + https://bugs.webkit.org/show_bug.cgi?id=206632 + + Reviewed by Saam Barati. + + We currently mark (Get/Set)InternalField/CheckNeutered nodes as safe to execute everywhere. However, + GetInternalField, etc. rely on a proof that the cell passed to it is a subclass of InteralFieldObject. + This combination means we may hoist the nodes past the check guarding them. + + Also, remove a bogus assertion that we will have proven the value passed to CheckNeutered is a TypedArray. + It's not valid to require that AI preserve a precise model of all invariants since phases can make changes + that AI doesn't understand. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCheckNeutered): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCheckNeutered): + +2020-01-22 Saam Barati + + Add an option for logging total phase times + https://bugs.webkit.org/show_bug.cgi?id=206623 + + Reviewed by Robin Morisset and Keith Miller. 
+ + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * jsc.cpp: + (runJSC): + * runtime/OptionsList.h: + * tools/CompilerTimingScope.cpp: + (JSC::CompilerTimingScope::CompilerTimingScope): + (JSC::CompilerTimingScope::~CompilerTimingScope): + (JSC::logTotalPhaseTimes): + * tools/CompilerTimingScope.h: + +2020-01-22 Caio Lima + + [32-bits][JIT] Fix build issues. + https://bugs.webkit.org/show_bug.cgi?id=206603 + + Reviewed by Yusuke Suzuki. + + This patch is adjusting places to use VirtualRegister instead of + offset directly, to make 32-bit JIT compilable again. Original authors + of this patch are Paulo Matos and Guillaume Emont. + + * jit/JIT.h: + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emit_compareAndJump): + (JSC::JIT::emit_compareUnsignedAndJump): + (JSC::JIT::emit_compareUnsigned): + (JSC::JIT::emit_compareAndJumpSlow): + (JSC::JIT::emit_op_unsigned): + (JSC::JIT::emit_op_inc): + (JSC::JIT::emit_op_dec): + (JSC::JIT::emitBinaryDoubleOp): + * jit/JITCall32_64.cpp: + (JSC::JIT::emitPutCallResult): + (JSC::JIT::emit_op_ret): + (JSC::JIT::compileSetupFrame): + (JSC::JIT::compileCallEvalSlowCase): + (JSC::JIT::compileOpCall): + * jit/JITInlines.h: + (JSC::JIT::emitLoadTag): + (JSC::JIT::emitLoadPayload): + (JSC::JIT::emitGetVirtualRegister): + (JSC::JIT::emitJumpSlowCaseIfNotJSCell): + (JSC::JIT::getOperandConstantInt): + (JSC::JIT::emitGet): Deleted. 
+ * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_mov): + (JSC::JIT::emit_op_end): + (JSC::JIT::emit_op_new_object): + (JSC::JIT::emitSlow_op_new_object): + (JSC::JIT::emit_op_overrides_has_instance): + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof_custom): + (JSC::JIT::emit_op_is_empty): + (JSC::JIT::emit_op_is_undefined): + (JSC::JIT::emit_op_is_undefined_or_null): + (JSC::JIT::emit_op_is_boolean): + (JSC::JIT::emit_op_is_number): + (JSC::JIT::emit_op_is_cell_with_type): + (JSC::JIT::emit_op_is_object): + (JSC::JIT::emit_op_to_primitive): + (JSC::JIT::emit_op_set_function_name): + (JSC::JIT::emit_op_not): + (JSC::JIT::emit_op_jfalse): + (JSC::JIT::emit_op_jtrue): + (JSC::JIT::emit_op_jeq_null): + (JSC::JIT::emit_op_jneq_null): + (JSC::JIT::emit_op_jundefined_or_null): + (JSC::JIT::emit_op_jnundefined_or_null): + (JSC::JIT::emit_op_jneq_ptr): + (JSC::JIT::emit_op_eq): + (JSC::JIT::emitSlow_op_eq): + (JSC::JIT::emit_op_jeq): + (JSC::JIT::emit_op_neq): + (JSC::JIT::emitSlow_op_neq): + (JSC::JIT::emit_op_jneq): + (JSC::JIT::compileOpStrictEq): + (JSC::JIT::compileOpStrictEqJump): + (JSC::JIT::emit_op_eq_null): + (JSC::JIT::emit_op_neq_null): + (JSC::JIT::emit_op_throw): + (JSC::JIT::emit_op_to_number): + (JSC::JIT::emit_op_to_numeric): + (JSC::JIT::emit_op_to_string): + (JSC::JIT::emit_op_to_object): + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_get_parent_scope): + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + (JSC::JIT::emit_op_switch_string): + (JSC::JIT::emit_op_enter): + (JSC::JIT::emit_op_get_scope): + (JSC::JIT::emit_op_create_this): + (JSC::JIT::emit_op_to_this): + (JSC::JIT::emit_op_check_tdz): + (JSC::JIT::emit_op_has_structure_property): + (JSC::JIT::emit_op_has_indexed_property): + (JSC::JIT::emitSlow_op_has_indexed_property): + (JSC::JIT::emit_op_get_direct_pname): + (JSC::JIT::emit_op_enumerator_structure_pname): + (JSC::JIT::emit_op_enumerator_generic_pname): + 
(JSC::JIT::emit_op_profile_type): + (JSC::JIT::emit_op_log_shadow_chicken_prologue): + (JSC::JIT::emit_op_log_shadow_chicken_tail): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_getter_by_id): + (JSC::JIT::emit_op_put_setter_by_id): + (JSC::JIT::emit_op_put_getter_setter_by_id): + (JSC::JIT::emit_op_put_getter_by_val): + (JSC::JIT::emit_op_put_setter_by_val): + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emit_op_del_by_val): + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emit_op_put_by_val): + (JSC::JIT::emitGenericContiguousPutByVal): + (JSC::JIT::emitArrayStoragePutByVal): + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::emit_op_try_get_by_id): + (JSC::JIT::emitSlow_op_try_get_by_id): + (JSC::JIT::emit_op_get_by_id_direct): + (JSC::JIT::emitSlow_op_get_by_id_direct): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id): + (JSC::JIT::emit_op_get_by_id_with_this): + (JSC::JIT::emitSlow_op_get_by_id_with_this): + (JSC::JIT::emit_op_put_by_id): + (JSC::JIT::emitSlow_op_put_by_id): + (JSC::JIT::emit_op_in_by_id): + (JSC::JIT::emitSlow_op_in_by_id): + (JSC::JIT::emitResolveClosure): + (JSC::JIT::emit_op_resolve_scope): + (JSC::JIT::emitLoadWithStructureCheck): + (JSC::JIT::emitGetClosureVar): + (JSC::JIT::emit_op_get_from_scope): + (JSC::JIT::emitSlow_op_get_from_scope): + (JSC::JIT::emitPutGlobalVariable): + (JSC::JIT::emitPutGlobalVariableIndirect): + (JSC::JIT::emitPutClosureVar): + (JSC::JIT::emit_op_put_to_scope): + (JSC::JIT::emit_op_get_from_arguments): + (JSC::JIT::emit_op_put_to_arguments): + (JSC::JIT::emit_op_get_internal_field): + (JSC::JIT::emit_op_put_internal_field): + * jit/JSInterfaceJIT.h: + (JSC::JSInterfaceJIT::emitJumpIfNotJSCell): + (JSC::JSInterfaceJIT::emitLoadInt32): + (JSC::JSInterfaceJIT::emitLoadDouble): + +2020-01-22 Caio Lima + + [ARMv7] Assembler is generating wrong instruction for ldr r2, [r3, #7] + 
https://bugs.webkit.org/show_bug.cgi?id=206231 + + Reviewed by Mark Lam. + + When generating code for `ldr` on ARMv7, we were encoding immediates not + multiple of 4 using Encoding T1, which only accepts multiple of 4 as + immediates. This patch fixes such issue and allow us generate proper + code when offset imemdiates are not multiple of 4. + + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::ldr): + +2020-01-22 Yusuke Suzuki + + [JSC] Add CheckArrayOrEmpty to handle the case when hoisting CheckArray for places where input can be empty + https://bugs.webkit.org/show_bug.cgi?id=206571 + + + Reviewed by Saam Barati. + + Since we hoist CheckArray too in DFGTypeCheckHoistingPhase, we have the same problem to CheckStructureOrEmpty: we + could insert CheckArray where the input can include Empty. We should have CheckArrayOrEmpty as we have CheckStructureOrEmpty + for CheckStructure: CheckArrayOrEmpty accepts empty or cell with specified array-modes. + + * dfg/DFGAbstractInterpreter.h: + (JSC::DFG::AbstractInterpreter::filterArrayModes): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::filterArrayModes): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::filterArrayModes): + * dfg/DFGAbstractValue.h: + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertCheckArrayOrEmptyToCheckArray): + (JSC::DFG::Node::hasArrayMode): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::checkArray): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * 
dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::run): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckArrayOrEmpty): + +2020-01-22 Yusuke Suzuki + + [JSC] Attempt to fix BytecodeIndex handling in 32bit + https://bugs.webkit.org/show_bug.cgi?id=206577 + + Reviewed by Keith Miller. + + This patch mechanically lists up places using Instruction* as BytecodeIndex and fixes it, + since 32bit also starts using an offset as BytecodeIndex. This patch also fixes several + places where LLInt PB is not handled correctly in 32bit after we start using PB register + even in 32bit. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::bytecodeIndexFromCallSiteIndex): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + (JSC::DFG::adjustAndJumpToTarget): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + * jit/JITInlines.h: + (JSC::JIT::updateTopCallFrame): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_log_shadow_chicken_tail): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emit_op_try_get_by_id): + (JSC::JIT::emit_op_get_by_id_direct): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_get_by_id_with_this): + (JSC::JIT::emit_op_put_by_id): + (JSC::JIT::emit_op_in_by_id): + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LowLevelInterpreter.cpp: + (JSC::CLoop::execute): + * runtime/SamplingProfiler.cpp: + (JSC::tryGetBytecodeIndex): + (JSC::SamplingProfiler::processUnverifiedStackTraces): + +2020-01-22 Saam Barati + + Throw away baseline code if there is an optimized replacement + https://bugs.webkit.org/show_bug.cgi?id=202503 + + + Reviewed by Yusuke Suzuki. 
+ + This patch's goal is to help us save JIT executable memory by throwing + away baseline code when it has an optimized replacement. To make it + easy to reason about, we do this when finalizing a GC, when the CodeBlock + is not on the stack, and when no OSR exits are linked to jump to the baseline + code. Also, as a measure to combat a performance regression, we only throw + away code on the second GC cycle in which it is eligible for this. + When we downgrade Baseline to LLInt, we also throw away all JIT data + and unlink all incoming calls. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::resetJITData): + (JSC::CodeBlock::optimizedReplacement): + (JSC::CodeBlock::hasOptimizedReplacement): + (JSC::CodeBlock::tallyFrequentExitSites): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::setJITCode): + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::callerReturnPC): + (JSC::DFG::adjustAndJumpToTarget): + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::isCurrentlyExecuting): + * heap/CodeBlockSet.h: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + (JSC::Heap::runEndPhase): + +2020-01-21 Ross Kirsling + + [JSC] Date parse logic should be less redundant + https://bugs.webkit.org/show_bug.cgi?id=206560 + + Reviewed by Darin Adler. + + Our date parsing logic is doing an excessive amount of NaN-checking; + let's streamline this by having one JSC-side helper function instead of two. + + * runtime/JSDateMath.cpp: + (JSC::parseDate): + (JSC::parseDateFromNullTerminatedCharacters): Deleted. + (JSC::parseES5DateFromNullTerminatedCharacters): Deleted. + +2020-01-21 Rob Buis + + Add build flag for stale-while-revalidate + https://bugs.webkit.org/show_bug.cgi?id=204169 + + Reviewed by Youenn Fablet. 
+ + * Configurations/FeatureDefines.xcconfig: + +2020-01-21 Tadeu Zagallo + + Object allocation sinking is missing PutHint for sunken allocations + https://bugs.webkit.org/show_bug.cgi?id=203799 + + + Reviewed by Saam Barati. + + Consider the following graph: + + Block #0: + 1: PhantomCreateActivation() + 2: PhantomNewFunction() + PutHint(@2, @1, FunctionActivationPLoc) + Branch(#1, #2) + + Block #1: + 3: MaterializeCreateActivation() + PutHint(@2, @3, FunctionActivationPLoc) + Upsilon(@3, ^5) + Jump(#3) + + Block #2: + 4: MaterializeCreateActivation() + PutHint(@2, @4, FunctionActivationPLoc) + Upsilon(@4, ^5) + Jump(#3) + + Block #3: + 5: Phi() + ExitOK() + + On Block #3, we need to emit a PutHint after the Phi, since we might exit after it. However, + object allocation sinking skipped this Phi because it was checking whether the base of the + location that caused us to create this Phi (@2) was live, but it's dead in the graph (there + are no pointers to it). The issue is that, even though there are no pointers to the base, the + location `PromotedHeapLocation(@2, FunctionActivationPLoc)` is still live, so we should PutHint + to it. We fix it by checking for liveness of the location rather than its base. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2020-01-21 Mark Lam + + Rename JSPromiseFields abstract heap to JSInternalFields. + https://bugs.webkit.org/show_bug.cgi?id=206518 + + + Reviewed by Yusuke Suzuki. + + This is because it is used for all internal fields, not just the ones in JSPromise. + + * dfg/DFGAbstractHeap.h: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2020-01-17 Sam Weinig + + Platform.h is out of control Part 8: Macros are used inconsistently + https://bugs.webkit.org/show_bug.cgi?id=206425 + + Reviewed by Darin Adler. 
+ + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::cacheFlush): + (JSC::ARM64Assembler::xOrSp): + (JSC::ARM64Assembler::xOrZr): + * assembler/ARM64Registers.h: + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::cacheFlush): + * assembler/ARMv7Registers.h: + * assembler/AssemblerCommon.h: + (JSC::isDarwin): + * b3/air/AirCCallingConvention.cpp: + * jit/ExecutableAllocator.h: + * jit/ThunkGenerators.cpp: + * jsc.cpp: + * runtime/MathCommon.cpp: + Use OS(DARWIN) more consistently for darwin level functionality. + + * bytecode/CodeOrigin.h: + * runtime/JSString.h: + Update to use OS_CONSTANT. + + * disassembler/ARM64/A64DOpcode.cpp: + * disassembler/ARM64Disassembler.cpp: + * disassembler/UDis86Disassembler.cpp: + * disassembler/UDis86Disassembler.h: + * disassembler/X86Disassembler.cpp: + * disassembler/udis86/udis86.c: + * disassembler/udis86/udis86_decode.c: + * disassembler/udis86/udis86_itab_holder.c: + * disassembler/udis86/udis86_syn-att.c: + * disassembler/udis86/udis86_syn-intel.c: + * disassembler/udis86/udis86_syn.c: + * interpreter/Interpreter.cpp: + * interpreter/Interpreter.h: + * interpreter/InterpreterInlines.h: + (JSC::Interpreter::getOpcodeID): + * llint/LowLevelInterpreter.cpp: + * tools/SigillCrashAnalyzer.cpp: + Switch to using ENABLE rather than USE for features internal to WebKit + +2020-01-20 Gus Caplan + + Remove own toString from NativeError prototype + https://bugs.webkit.org/show_bug.cgi?id=204629 + + Reviewed by Ross Kirsling. + + NativeError prototypes are expected to inherit toString from + Error.prototype. See https://github.com/tc39/ecma262/issues/1794 + for additional details. + + * runtime/ErrorPrototype.cpp: + (JSC::ErrorPrototypeBase::ErrorPrototypeBase): + (JSC::ErrorPrototypeBase::finishCreation): + (JSC::ErrorPrototype::ErrorPrototype): + (JSC::ErrorPrototype::create): Deleted. + (JSC::ErrorPrototype::finishCreation): Deleted. + * runtime/ErrorPrototype.h: + (JSC::ErrorPrototype::createStructure): Deleted. 
+ * runtime/NativeErrorPrototype.cpp: + (JSC::NativeErrorPrototype::NativeErrorPrototype): + * runtime/NativeErrorPrototype.h: + +2020-01-20 David Kilzer + + Fix missing header guards and clean up empty files in bmalloc, WTF, JavaScriptCore + + + Reviewed by Darin Adler. + + * dfg/DFGPrePostNumbering.cpp: Remove empty file. + * dfg/DFGPrePostNumbering.h: Remove empty file. + * runtime/OptionEntry.h: Remove empty file. + + * API/JSCallbackObjectFunctions.h: + * b3/testb3.h: + * heap/IsoInlinedHeapCellType.h: + * wasm/WasmGeneratorTraits.h: + - Add #pragma once. + +2020-01-18 Caitlin Potter + + [JSC] add DFG/FTL support for op_to_property_key + https://bugs.webkit.org/show_bug.cgi?id=206368 + + Reviewed by Saam Barati. + + Implement DFG/FTL support for the op_to_property_key opcode. This operates + similar to the LLInt and base JIT implementations, in which we avoid invoking + the full ToPropertyKey operation if the source operand is already a String or + Symbol at runtime. + + If DFG/FTL are confident the value will be a String or Symbol at compile time, + the operation is omitted entirely in the final graph. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToToString): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileToPrimitive): + (JSC::DFG::SpeculativeJIT::compileToPropertyKey): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey): + +2020-01-17 Saam Barati + + Air O0 should have better stack allocation + https://bugs.webkit.org/show_bug.cgi?id=206436 + + Reviewed by Tadeu Zagallo. + + This patch adds a simple stack slot allocator to Air O0 to make code + use smaller stack frames. The huge stack frames from the old stack + allocator were leading to stack overflows in some programs. Before, + each Tmp got its own stack slot. The new allocator works similar to O0's + register allocator. This stack allocator linearizes the program and uses live + range end as an opportunity to place the stack slot on a free list of + available stack slots. This patch also fixes an issue in our linearization code + where the head of a block and the tail of another block would share the + same linearization index. 
This didn't matter for register allocation, but + does matter for the stack allocator. So "live at head", and "live at tail" + now get their own linearization index. + + * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: + (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges): + (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration): + (JSC::B3::Air::GenerateAndAllocateRegisters::generate): + * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: + * b3/air/AirLiveness.h: + +2020-01-17 David Kilzer + + [JSC] Add missing header guards + + + Reviewed by Mark Lam. + + * heap/IsoHeapCellType.h: + * wasm/WasmFaultSignalHandler.h: + - Add #pragma once header guard. + +2020-01-17 Mark Lam + + JSModuleLoader's printableModuleKey() should never throw. + https://bugs.webkit.org/show_bug.cgi?id=206461 + + + Reviewed by Michael Saboff. + + Hence, it should be using a CatchScope instead of a ThrowScope. + + * runtime/JSModuleLoader.cpp: + (JSC::printableModuleKey): + +2020-01-17 Justin Michaud + + Separate storage of Structure::m_offset into transition and max offset + https://bugs.webkit.org/show_bug.cgi?id=206365 + + Reviewed by Saam Barati. + + Right now, deleteProperty/removePropertyTransition causes a structure transition to uncacheable dictionary. Other transitions + assume that the transition offset (m_offset) is monotonically increasing. In order to support structure transitions for deletion that + do not involve turning into a dictionary (), we first need to separate the transition + offset (the offset of the property that was added/deleted) from the maximum offset. 
+ + For example, suppose we have the following operations: + Structure 1 (pinned property table, transitionOffset = _, maxOffset = 2): x y z (delete y, assuming that deletion transitions have been added) + Structure 2 (transitionOffset = 1, maxOffset = 2): x _ z (add w) + Structure 3 (transitionOffset = 1, maxOffset = 2): x w z + + Note that without splitting the two, Structures 2/3 would be impossible to represent. + + This change: + + We split the existing Structure::m_offset into two 16-bit fields, transitionOffset and maxOffset, and put them in 32-bit rare data fields if they overflow. We also rename _inPrevious fields to + transition_ and lastOffset to maxOffset to make the code more clear. + + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::createStructure): + * runtime/JSObject.cpp: + (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties): + (JSC::JSObject::visitButterflyImpl): + * runtime/JSObject.h: + * runtime/JSObjectInlines.h: + (JSC::JSObject::prepareToPutDirectWithoutTransition): + * runtime/ObjectInitializationScope.cpp: + (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized): + * runtime/PropertyOffset.h: + (JSC::numberOfOutOfLineSlotsForMaxOffset): + (JSC::numberOfSlotsForMaxOffset): + (JSC::numberOfOutOfLineSlotsForLastOffset): Deleted. + (JSC::numberOfSlotsForLastOffset): Deleted. 
+ * runtime/Structure.cpp: + (JSC::StructureTransitionTable::contains const): + (JSC::StructureTransitionTable::get const): + (JSC::StructureTransitionTable::add): + (JSC::Structure::Structure): + (JSC::Structure::create): + (JSC::Structure::materializePropertyTable): + (JSC::Structure::addPropertyTransitionToExistingStructureImpl): + (JSC::Structure::addNewPropertyTransition): + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::nonPropertyTransitionSlow): + (JSC::Structure::flattenDictionaryStructure): + (JSC::Structure::pin): + (JSC::Structure::pinForCaching): + (JSC::Structure::add): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::forEachPropertyConcurrently): + (JSC::Structure::checkOffsetConsistency const): + (JSC::Structure::add): + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::StructureRareData): + * runtime/StructureRareData.h: + +2020-01-17 Alexey Shvayka + + JSON.parse should lookup prototype chains during revival + https://bugs.webkit.org/show_bug.cgi?id=205769 + + Reviewed by Saam Barati. + + This patch makes JSON.parse use [[Get]] instead of [[GetOwnProperty]] during revival, + aligning JSC with the spec (step 1 of https://tc39.es/ecma262/#sec-internalizejsonproperty), + SpiderMonkey, and V8. + + User-provided `reviver` can delete properties that are not yet inspected by itself, + making usage [[GetOwnProperty]] non-compliant to the spec. + + * runtime/JSONObject.cpp: + (JSC::Walker::walk): + +2020-01-17 Caio Lima + + Bytecode checkpoints break 32bit tests + https://bugs.webkit.org/show_bug.cgi?id=206404 + + Unreviewed. + + * llint/LowLevelInterpreter32_64.asm: + + Reverting change introduced by r254735 that makes 32-bit codes crash + when calling into LLInt slow path. 
+ +2020-01-16 Robin Morisset + + [ESNext] Enables a way to throw an error on ByteCodeGenerator step + https://bugs.webkit.org/show_bug.cgi?id=180139 + + Reviewed by Mark Lam. + + This is a minimal fix that only deals with overly huge BigInts. + A more thorough solution is rather low priority (since it has neither securities nor performance impact). + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::addBigIntConstant): + * bytecompiler/NodesCodegen.cpp: + (JSC::ConstantNode::emitBytecode): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::parseInt): + +2020-01-16 Keith Miller + + Reland bytecode checkpoints since bugs have been fixed + https://bugs.webkit.org/show_bug.cgi?id=206361 + + Unreviewed, reland. + + The watch bugs have been fixed by https://trac.webkit.org/changeset/254674 + + * CMakeLists.txt: + * DerivedSources-input.xcfilelist: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/MacroAssemblerCodeRef.h: + * assembler/ProbeFrame.h: + (JSC::Probe::Frame::operand): + (JSC::Probe::Frame::setOperand): + * b3/testb3.h: + (populateWithInterestingValues): + (floatingPointOperands): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/AccessCaseSnippetParams.cpp: + (JSC::SlowPathCallGeneratorWithArguments::generateImpl): + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumperBase::dumpValue): + (JSC::BytecodeDumper::registerName const): + (JSC::BytecodeDumper::constantName const): + (JSC::Wasm::BytecodeDumper::constantName const): + * bytecode/BytecodeDumper.h: + * bytecode/BytecodeIndex.cpp: + (JSC::BytecodeIndex::dump const): + * bytecode/BytecodeIndex.h: + (JSC::BytecodeIndex::BytecodeIndex): + (JSC::BytecodeIndex::offset const): + (JSC::BytecodeIndex::checkpoint const): + (JSC::BytecodeIndex::asBits const): + (JSC::BytecodeIndex::hash const): + (JSC::BytecodeIndex::operator bool const): + (JSC::BytecodeIndex::pack): + (JSC::BytecodeIndex::fromBits): + * bytecode/BytecodeList.rb: + * 
bytecode/BytecodeLivenessAnalysis.cpp: + (JSC::enumValuesEqualAsIntegral): + (JSC::tmpLivenessForCheckpoint): + * bytecode/BytecodeLivenessAnalysis.h: + * bytecode/BytecodeLivenessAnalysisInlines.h: + (JSC::virtualRegisterIsAlwaysLive): + (JSC::virtualRegisterThatIsNotAlwaysLiveIsLive): + (JSC::virtualRegisterIsLive): + (JSC::operandIsAlwaysLive): Deleted. + (JSC::operandThatIsNotAlwaysLiveIsLive): Deleted. + (JSC::operandIsLive): Deleted. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::bytecodeIndexForExit const): + (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow): + (JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::numTmps const): + (JSC::CodeBlock::isKnownNotImmediate): + (JSC::CodeBlock::isTemporaryRegister): + (JSC::CodeBlock::constantRegister): + (JSC::CodeBlock::getConstant const): + (JSC::CodeBlock::constantSourceCodeRepresentation const): + (JSC::CodeBlock::replaceConstant): + (JSC::CodeBlock::isTemporaryRegisterIndex): Deleted. + (JSC::CodeBlock::isConstantRegisterIndex): Deleted. + * bytecode/CodeOrigin.h: + * bytecode/FullBytecodeLiveness.h: + (JSC::FullBytecodeLiveness::virtualRegisterIsLive const): + (JSC::FullBytecodeLiveness::operandIsLive const): Deleted. + * bytecode/InlineCallFrame.h: + (JSC::InlineCallFrame::InlineCallFrame): + (JSC::InlineCallFrame::setTmpOffset): + (JSC::CodeOrigin::walkUpInlineStack const): + (JSC::CodeOrigin::inlineStackContainsActiveCheckpoint const): + (JSC::remapOperand): + (JSC::unmapOperand): + (JSC::CodeOrigin::walkUpInlineStack): Deleted. 
+ * bytecode/LazyOperandValueProfile.h: + (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey): + (JSC::LazyOperandValueProfileKey::hash const): + (JSC::LazyOperandValueProfileKey::operand const): + * bytecode/MethodOfGettingAValueProfile.cpp: + (JSC::MethodOfGettingAValueProfile::fromLazyOperand): + (JSC::MethodOfGettingAValueProfile::emitReportValue const): + (JSC::MethodOfGettingAValueProfile::reportValue): + * bytecode/MethodOfGettingAValueProfile.h: + * bytecode/Operands.h: + (JSC::Operand::Operand): + (JSC::Operand::tmp): + (JSC::Operand::kind const): + (JSC::Operand::value const): + (JSC::Operand::virtualRegister const): + (JSC::Operand::asBits const): + (JSC::Operand::isTmp const): + (JSC::Operand::isArgument const): + (JSC::Operand::isLocal const): + (JSC::Operand::isHeader const): + (JSC::Operand::isConstant const): + (JSC::Operand::toArgument const): + (JSC::Operand::toLocal const): + (JSC::Operand::operator== const): + (JSC::Operand::isValid const): + (JSC::Operand::fromBits): + (JSC::Operands::Operands): + (JSC::Operands::numberOfLocals const): + (JSC::Operands::numberOfTmps const): + (JSC::Operands::tmpIndex const): + (JSC::Operands::argumentIndex const): + (JSC::Operands::localIndex const): + (JSC::Operands::tmp): + (JSC::Operands::tmp const): + (JSC::Operands::argument): + (JSC::Operands::argument const): + (JSC::Operands::local): + (JSC::Operands::local const): + (JSC::Operands::sizeFor const): + (JSC::Operands::atFor): + (JSC::Operands::atFor const): + (JSC::Operands::ensureLocals): + (JSC::Operands::ensureTmps): + (JSC::Operands::getForOperandIndex): + (JSC::Operands::getForOperandIndex const): + (JSC::Operands::operandIndex const): + (JSC::Operands::operand): + (JSC::Operands::operand const): + (JSC::Operands::hasOperand const): + (JSC::Operands::setOperand): + (JSC::Operands::at const): + (JSC::Operands::at): + (JSC::Operands::operator[] const): + (JSC::Operands::operator[]): + (JSC::Operands::operandForIndex const): + 
(JSC::Operands::operator== const): + (JSC::Operands::isArgument const): Deleted. + (JSC::Operands::isLocal const): Deleted. + (JSC::Operands::virtualRegisterForIndex const): Deleted. + (JSC::Operands::setOperandFirstTime): Deleted. + * bytecode/OperandsInlines.h: + (JSC::Operand::dump const): + (JSC::Operands::dumpInContext const): + (JSC::Operands::dump const): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::hasCheckpoints const): + (JSC::UnlinkedCodeBlock::setHasCheckpoints): + (JSC::UnlinkedCodeBlock::constantRegister const): + (JSC::UnlinkedCodeBlock::getConstant const): + (JSC::UnlinkedCodeBlock::isConstantRegisterIndex const): Deleted. + * bytecode/ValueProfile.h: + (JSC::ValueProfileAndVirtualRegisterBuffer::ValueProfileAndVirtualRegisterBuffer): + (JSC::ValueProfileAndVirtualRegisterBuffer::~ValueProfileAndVirtualRegisterBuffer): + (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer): Deleted. + (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer): Deleted. + (JSC::ValueProfileAndOperandBuffer::forEach): Deleted. + * bytecode/ValueRecovery.cpp: + (JSC::ValueRecovery::recover const): + * bytecode/ValueRecovery.h: + * bytecode/VirtualRegister.h: + (JSC::virtualRegisterIsLocal): + (JSC::virtualRegisterIsArgument): + (JSC::VirtualRegister::VirtualRegister): + (JSC::VirtualRegister::isValid const): + (JSC::VirtualRegister::isLocal const): + (JSC::VirtualRegister::isArgument const): + (JSC::VirtualRegister::isConstant const): + (JSC::VirtualRegister::toConstantIndex const): + (JSC::operandIsLocal): Deleted. + (JSC::operandIsArgument): Deleted. 
+ * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::initializeNextParameter): + (JSC::BytecodeGenerator::initializeParameters): + (JSC::BytecodeGenerator::emitEqualityOpImpl): + (JSC::BytecodeGenerator::emitCallVarargs): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::setUsesCheckpoints): + * bytecompiler/RegisterID.h: + (JSC::RegisterID::setIndex): + * dfg/DFGAbstractHeap.cpp: + (JSC::DFG::AbstractHeap::Payload::dumpAsOperand const): + (JSC::DFG::AbstractHeap::dump const): + * dfg/DFGAbstractHeap.h: + (JSC::DFG::AbstractHeap::Payload::Payload): + (JSC::DFG::AbstractHeap::AbstractHeap): + (JSC::DFG::AbstractHeap::operand const): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArgumentPosition.h: + (JSC::DFG::ArgumentPosition::dump): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGArgumentsUtilities.cpp: + (JSC::DFG::argumentsInvolveStackSlot): + (JSC::DFG::emitCodeToGetArgumentsArrayLength): + * dfg/DFGArgumentsUtilities.h: + * dfg/DFGAtTailAbstractState.h: + (JSC::DFG::AtTailAbstractState::operand): + * dfg/DFGAvailabilityMap.cpp: + (JSC::DFG::AvailabilityMap::pruneByLiveness): + * dfg/DFGAvailabilityMap.h: + (JSC::DFG::AvailabilityMap::closeStartingWithLocal): + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::BasicBlock): + (JSC::DFG::BasicBlock::ensureTmps): + * dfg/DFGBasicBlock.h: + * dfg/DFGBlockInsertionSet.cpp: + (JSC::DFG::BlockInsertionSet::insert): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::ByteCodeParser): + (JSC::DFG::ByteCodeParser::ensureTmps): + (JSC::DFG::ByteCodeParser::progressToNextCheckpoint): + (JSC::DFG::ByteCodeParser::newVariableAccessData): + (JSC::DFG::ByteCodeParser::getDirect): + (JSC::DFG::ByteCodeParser::get): + (JSC::DFG::ByteCodeParser::setDirect): + (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): + (JSC::DFG::ByteCodeParser::getLocalOrTmp): + (JSC::DFG::ByteCodeParser::setLocalOrTmp): + 
(JSC::DFG::ByteCodeParser::setArgument): + (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal): + (JSC::DFG::ByteCodeParser::findArgumentPosition): + (JSC::DFG::ByteCodeParser::flushImpl): + (JSC::DFG::ByteCodeParser::flushForTerminalImpl): + (JSC::DFG::ByteCodeParser::flush): + (JSC::DFG::ByteCodeParser::flushDirect): + (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal): + (JSC::DFG::ByteCodeParser::phantomLocalDirect): + (JSC::DFG::ByteCodeParser::flushForTerminal): + (JSC::DFG::ByteCodeParser::addToGraph): + (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand const): + (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): + (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute): + (JSC::DFG::ByteCodeParser::allocateTargetableBlock): + (JSC::DFG::ByteCodeParser::allocateUntargetableBlock): + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::handleVarargsInlining): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + (JSC::DFG::ByteCodeParser::parse): + (JSC::DFG::ByteCodeParser::getLocal): Deleted. + (JSC::DFG::ByteCodeParser::setLocal): Deleted. 
+ * dfg/DFGCFAPhase.cpp: + (JSC::DFG::CFAPhase::injectOSR): + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::run): + (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal): + (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): + (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal): + (JSC::DFG::CPSRethreadingPhase::canonicalizeSet): + (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): + (JSC::DFG::CPSRethreadingPhase::propagatePhis): + (JSC::DFG::CPSRethreadingPhase::phiStackFor): + * dfg/DFGCSEPhase.cpp: + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCombinedLiveness.cpp: + (JSC::DFG::addBytecodeLiveness): + * dfg/DFGCommonData.cpp: + (JSC::DFG::CommonData::addCodeOrigin): + (JSC::DFG::CommonData::addUniqueCallSiteIndex): + (JSC::DFG::CommonData::lastCallSite const): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGForAllKills.h: + (JSC::DFG::forAllKilledOperands): + (JSC::DFG::forAllKilledNodesAtNodeIndex): + (JSC::DFG::forAllKillsInBlock): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + (JSC::DFG::Graph::dumpBlockHeader): + (JSC::DFG::Graph::substituteGetLocal): + (JSC::DFG::Graph::isLiveInBytecode): + (JSC::DFG::Graph::localsAndTmpsLiveInBytecode): + (JSC::DFG::Graph::methodOfGettingAValueProfileFor): + (JSC::DFG::Graph::localsLiveInBytecode): Deleted. + * dfg/DFGGraph.h: + (JSC::DFG::Graph::forAllLocalsAndTmpsLiveInBytecode): + (JSC::DFG::Graph::forAllLiveInBytecode): + (JSC::DFG::Graph::forAllLocalsLiveInBytecode): Deleted. 
+ * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState): + * dfg/DFGInPlaceAbstractState.h: + (JSC::DFG::InPlaceAbstractState::operand): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::linkOSRExits): + (JSC::DFG::JITCompiler::noticeOSREntry): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::emitStoreCallSiteIndex): + * dfg/DFGLiveCatchVariablePreservationPhase.cpp: + (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation): + (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch): + (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData): + * dfg/DFGMovHintRemovalPhase.cpp: + * dfg/DFGNode.h: + (JSC::DFG::StackAccessData::StackAccessData): + (JSC::DFG::Node::hasArgumentsChild): + (JSC::DFG::Node::argumentsChild): + (JSC::DFG::Node::operand): + (JSC::DFG::Node::hasUnlinkedOperand): + (JSC::DFG::Node::unlinkedOperand): + (JSC::DFG::Node::hasLoadVarargsData): + (JSC::DFG::Node::local): Deleted. + (JSC::DFG::Node::hasUnlinkedLocal): Deleted. + (JSC::DFG::Node::unlinkedLocal): Deleted. + * dfg/DFGNodeType.h: + * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: + (JSC::DFG::OSRAvailabilityAnalysisPhase::run): + (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + (JSC::DFG::prepareCatchOSREntry): + * dfg/DFGOSREntrypointCreationPhase.cpp: + (JSC::DFG::OSREntrypointCreationPhase::run): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::emitRestoreArguments): + (JSC::DFG::OSRExit::compileExit): + (JSC::DFG::jsValueFor): Deleted. + (JSC::DFG::restoreCalleeSavesFor): Deleted. + (JSC::DFG::saveCalleeSavesFor): Deleted. + (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted. + (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted. + (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted. + (JSC::DFG::createDirectArgumentsDuringExit): Deleted. + (JSC::DFG::createClonedArgumentsDuringExit): Deleted. 
+ (JSC::DFG::emitRestoreArguments): Deleted. + (JSC::DFG::OSRExit::executeOSRExit): Deleted. + (JSC::DFG::reifyInlinedCallFrames): Deleted. + (JSC::DFG::adjustAndJumpToTarget): Deleted. + (JSC::DFG::printOSRExit): Deleted. + * dfg/DFGOSRExit.h: + * dfg/DFGOSRExitBase.h: + (JSC::DFG::OSRExitBase::isExitingToCheckpointHandler const): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::callerReturnPC): + (JSC::DFG::reifyInlinedCallFrames): + (JSC::DFG::adjustAndJumpToTarget): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGOpInfo.h: + (JSC::DFG::OpInfo::OpInfo): + * dfg/DFGOperations.cpp: + * dfg/DFGPhantomInsertionPhase.cpp: + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::read): + (JSC::DFG::PreciseLocalClobberizeAdaptor::write): + (JSC::DFG::PreciseLocalClobberizeAdaptor::def): + (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate): + * dfg/DFGPredictionInjectionPhase.cpp: + (JSC::DFG::PredictionInjectionPhase::run): + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGPutStackSinkingPhase.cpp: + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileMovHint): + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + (JSC::DFG::SpeculativeJIT::checkArgumentTypes): + (JSC::DFG::SpeculativeJIT::compileVarargsLength): + (JSC::DFG::SpeculativeJIT::compileLoadVarargs): + (JSC::DFG::SpeculativeJIT::compileForwardVarargs): + (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): + (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::recordSetLocal): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStackLayoutPhase.cpp: + (JSC::DFG::StackLayoutPhase::run): + (JSC::DFG::StackLayoutPhase::assign): + * 
dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitThunkGenerator): Deleted. + * dfg/DFGThunks.h: + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::run): + (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries): + * dfg/DFGValidate.cpp: + * dfg/DFGVarargsForwardingPhase.cpp: + * dfg/DFGVariableAccessData.cpp: + (JSC::DFG::VariableAccessData::VariableAccessData): + (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): + (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): + (JSC::DFG::VariableAccessData::couldRepresentInt52Impl): + * dfg/DFGVariableAccessData.h: + (JSC::DFG::VariableAccessData::operand): + (JSC::DFG::VariableAccessData::local): Deleted. + * dfg/DFGVariableEvent.cpp: + (JSC::DFG::VariableEvent::dump const): + * dfg/DFGVariableEvent.h: + (JSC::DFG::VariableEvent::spill): + (JSC::DFG::VariableEvent::setLocal): + (JSC::DFG::VariableEvent::movHint): + (JSC::DFG::VariableEvent::spillRegister const): + (JSC::DFG::VariableEvent::operand const): + (JSC::DFG::VariableEvent::bytecodeRegister const): Deleted. 
+ * dfg/DFGVariableEventStream.cpp: + (JSC::DFG::VariableEventStream::logEvent): + (JSC::DFG::VariableEventStream::reconstruct const): + * dfg/DFGVariableEventStream.h: + (JSC::DFG::VariableEventStream::appendAndLog): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLForOSREntryJITCode.cpp: + (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileExtractOSREntryLocal): + (JSC::FTL::DFG::LowerDFGToB3::compileGetStack): + (JSC::FTL::DFG::LowerDFGToB3::compileGetCallee): + (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee): + (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis): + (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength): + (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs): + (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame): + (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue): + (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength): + (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee): + (JSC::FTL::DFG::LowerDFGToB3::callPreflight): + (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor): + (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): + (JSC::FTL::DFG::LowerDFGToB3::addressFor): + (JSC::FTL::DFG::LowerDFGToB3::payloadFor): + (JSC::FTL::DFG::LowerDFGToB3::tagFor): + * ftl/FTLOSREntry.cpp: + (JSC::FTL::prepareOSREntry): + * ftl/FTLOSRExit.cpp: + (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor): + * ftl/FTLOSRExit.h: + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): + * ftl/FTLOutput.cpp: + (JSC::FTL::Output::select): + * ftl/FTLOutput.h: + * ftl/FTLSelectPredictability.h: Copied from Source/JavaScriptCore/ftl/FTLForOSREntryJITCode.cpp. 
+ * ftl/FTLSlowPathCall.h: + (JSC::FTL::callOperation): + * generator/Checkpoints.rb: Added. + * generator/Opcode.rb: + * generator/Section.rb: + * heap/Heap.cpp: + (JSC::Heap::gatherScratchBufferRoots): + * interpreter/CallFrame.cpp: + (JSC::CallFrame::callSiteAsRawBits const): + (JSC::CallFrame::unsafeCallSiteAsRawBits const): + (JSC::CallFrame::callSiteIndex const): + (JSC::CallFrame::unsafeCallSiteIndex const): + (JSC::CallFrame::setCurrentVPC): + (JSC::CallFrame::bytecodeIndex): + (JSC::CallFrame::codeOrigin): + * interpreter/CallFrame.h: + (JSC::CallSiteIndex::CallSiteIndex): + (JSC::CallSiteIndex::operator bool const): + (JSC::CallSiteIndex::operator== const): + (JSC::CallSiteIndex::bits const): + (JSC::CallSiteIndex::fromBits): + (JSC::CallSiteIndex::bytecodeIndex const): + (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex): + (JSC::CallFrame::callee const): + (JSC::CallFrame::unsafeCallee const): + (JSC::CallFrame::addressOfCodeBlock const): + (JSC::CallFrame::argumentCountIncludingThis const): + (JSC::CallFrame::offsetFor): + (JSC::CallFrame::setArgumentCountIncludingThis): + (JSC::CallFrame::setReturnPC): + * interpreter/CallFrameInlines.h: + (JSC::CallFrame::r): + (JSC::CallFrame::uncheckedR): + (JSC::CallFrame::guaranteedJSValueCallee const): + (JSC::CallFrame::jsCallee const): + (JSC::CallFrame::codeBlock const): + (JSC::CallFrame::unsafeCodeBlock const): + (JSC::CallFrame::setCallee): + (JSC::CallFrame::setCodeBlock): + * interpreter/CheckpointOSRExitSideState.h: Copied from Source/JavaScriptCore/dfg/DFGThunks.h. 
+ * interpreter/Interpreter.cpp:
+ (JSC::eval):
+ (JSC::sizeOfVarargs):
+ (JSC::loadVarargs):
+ (JSC::setupVarargsFrame):
+ (JSC::UnwindFunctor::operator() const):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ * interpreter/Interpreter.h:
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::readInlinedFrame):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
+ (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
+ (JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue):
+ (JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue):
+ (JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue):
+ (JSC::AssemblyHelpers::addressFor):
+ (JSC::AssemblyHelpers::tagFor):
+ (JSC::AssemblyHelpers::payloadFor):
+ (JSC::AssemblyHelpers::calleeFrameSlot):
+ (JSC::AssemblyHelpers::calleeArgumentSlot):
+ (JSC::AssemblyHelpers::calleeFrameTagSlot):
+ (JSC::AssemblyHelpers::calleeFramePayloadSlot):
+ (JSC::AssemblyHelpers::calleeFrameCallerFrame):
+ (JSC::AssemblyHelpers::argumentCount):
+ * jit/CallFrameShuffler.cpp:
+ (JSC::CallFrameShuffler::CallFrameShuffler):
+ * jit/CallFrameShuffler.h:
+ (JSC::CallFrameShuffler::setCalleeJSValueRegs):
+ (JSC::CallFrameShuffler::assumeCalleeIsCell):
+ * jit/JIT.h:
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_unsigned):
+ (JSC::JIT::emit_compareAndJump):
+ (JSC::JIT::emit_compareAndJumpImpl):
+ (JSC::JIT::emit_compareUnsignedAndJump):
+ (JSC::JIT::emit_compareUnsignedAndJumpImpl):
+ (JSC::JIT::emit_compareUnsigned):
+ (JSC::JIT::emit_compareUnsignedImpl):
+ (JSC::JIT::emit_compareAndJumpSlow):
+ (JSC::JIT::emit_compareAndJumpSlowImpl):
+ (JSC::JIT::emit_op_inc):
+ (JSC::JIT::emit_op_dec):
+ (JSC::JIT::emit_op_mod):
+ (JSC::JIT::emitBitBinaryOpFastPath):
+ (JSC::JIT::emit_op_bitnot):
+ (JSC::JIT::emitRightShiftFastPath):
+ (JSC::JIT::emitMathICFast):
+ (JSC::JIT::emitMathICSlow):
+ (JSC::JIT::emit_op_div):
+ * jit/JITCall.cpp:
+ (JSC::JIT::emitPutCallResult):
+ (JSC::JIT::compileSetupFrame):
+ (JSC::JIT::compileOpCall):
+ * jit/JITExceptions.cpp:
+ (JSC::genericUnwind):
+ * jit/JITInlines.h:
+ (JSC::JIT::isOperandConstantDouble):
+ (JSC::JIT::getConstantOperand):
+ (JSC::JIT::emitPutIntToCallFrameHeader):
+ (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
+ (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
+ (JSC::JIT::linkSlowCaseIfNotJSCell):
+ (JSC::JIT::isOperandConstantChar):
+ (JSC::JIT::getOperandConstantInt):
+ (JSC::JIT::getOperandConstantDouble):
+ (JSC::JIT::emitInitRegister):
+ (JSC::JIT::emitLoadTag):
+ (JSC::JIT::emitLoadPayload):
+ (JSC::JIT::emitGet):
+ (JSC::JIT::emitPutVirtualRegister):
+ (JSC::JIT::emitLoad):
+ (JSC::JIT::emitLoad2):
+ (JSC::JIT::emitLoadDouble):
+ (JSC::JIT::emitLoadInt32ToDouble):
+ (JSC::JIT::emitStore):
+ (JSC::JIT::emitStoreInt32):
+ (JSC::JIT::emitStoreCell):
+ (JSC::JIT::emitStoreBool):
+ (JSC::JIT::emitStoreDouble):
+ (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
+ (JSC::JIT::isOperandConstantInt):
+ (JSC::JIT::emitGetVirtualRegister):
+ (JSC::JIT::emitGetVirtualRegisters):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_mov):
+ (JSC::JIT::emit_op_end):
+ (JSC::JIT::emit_op_new_object):
+ (JSC::JIT::emitSlow_op_new_object):
+ (JSC::JIT::emit_op_overrides_has_instance):
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emitSlow_op_instanceof):
+ (JSC::JIT::emit_op_is_empty):
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_is_undefined_or_null):
+ (JSC::JIT::emit_op_is_boolean):
+ (JSC::JIT::emit_op_is_number):
+ (JSC::JIT::emit_op_is_cell_with_type):
+ (JSC::JIT::emit_op_is_object):
+ (JSC::JIT::emit_op_ret):
+ (JSC::JIT::emit_op_to_primitive):
+ (JSC::JIT::emit_op_set_function_name):
+ (JSC::JIT::emit_op_not):
+ (JSC::JIT::emit_op_jfalse):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emit_op_jundefined_or_null):
+ (JSC::JIT::emit_op_jnundefined_or_null):
+ (JSC::JIT::emit_op_jneq_ptr):
+ (JSC::JIT::emit_op_eq):
+ (JSC::JIT::emit_op_jeq):
+ (JSC::JIT::emit_op_jtrue):
+ (JSC::JIT::emit_op_neq):
+ (JSC::JIT::emit_op_jneq):
+ (JSC::JIT::emit_op_throw):
+ (JSC::JIT::compileOpStrictEq):
+ (JSC::JIT::compileOpStrictEqJump):
+ (JSC::JIT::emit_op_to_number):
+ (JSC::JIT::emit_op_to_numeric):
+ (JSC::JIT::emit_op_to_string):
+ (JSC::JIT::emit_op_to_object):
+ (JSC::JIT::emit_op_catch):
+ (JSC::JIT::emit_op_get_parent_scope):
+ (JSC::JIT::emit_op_switch_imm):
+ (JSC::JIT::emit_op_switch_char):
+ (JSC::JIT::emit_op_switch_string):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ (JSC::JIT::emit_op_enter):
+ (JSC::JIT::emit_op_get_scope):
+ (JSC::JIT::emit_op_to_this):
+ (JSC::JIT::emit_op_create_this):
+ (JSC::JIT::emit_op_check_tdz):
+ (JSC::JIT::emitSlow_op_eq):
+ (JSC::JIT::emitSlow_op_neq):
+ (JSC::JIT::emitSlow_op_instanceof_custom):
+ (JSC::JIT::emit_op_new_regexp):
+ (JSC::JIT::emitNewFuncCommon):
+ (JSC::JIT::emitNewFuncExprCommon):
+ (JSC::JIT::emit_op_new_array):
+ (JSC::JIT::emit_op_new_array_with_size):
+ (JSC::JIT::emit_op_has_structure_property):
+ (JSC::JIT::emit_op_has_indexed_property):
+ (JSC::JIT::emitSlow_op_has_indexed_property):
+ (JSC::JIT::emit_op_get_direct_pname):
+ (JSC::JIT::emit_op_enumerator_structure_pname):
+ (JSC::JIT::emit_op_enumerator_generic_pname):
+ (JSC::JIT::emit_op_profile_type):
+ (JSC::JIT::emit_op_log_shadow_chicken_prologue):
+ (JSC::JIT::emit_op_log_shadow_chicken_tail):
+ (JSC::JIT::emit_op_argument_count):
+ (JSC::JIT::emit_op_get_rest_length):
+ (JSC::JIT::emit_op_get_argument):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_catch):
+ * jit/JITOperations.cpp:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ (JSC::JIT::emit_op_put_getter_by_id):
+ (JSC::JIT::emit_op_put_setter_by_id):
+ (JSC::JIT::emit_op_put_getter_setter_by_id):
+ (JSC::JIT::emit_op_put_getter_by_val):
+ (JSC::JIT::emit_op_put_setter_by_val):
+ (JSC::JIT::emit_op_del_by_id):
+ (JSC::JIT::emit_op_del_by_val):
+ (JSC::JIT::emit_op_try_get_by_id):
+ (JSC::JIT::emitSlow_op_try_get_by_id):
+ (JSC::JIT::emit_op_get_by_id_direct):
+ (JSC::JIT::emitSlow_op_get_by_id_direct):
+ (JSC::JIT::emit_op_get_by_id):
+ (JSC::JIT::emit_op_get_by_id_with_this):
+ (JSC::JIT::emitSlow_op_get_by_id):
+ (JSC::JIT::emitSlow_op_get_by_id_with_this):
+ (JSC::JIT::emit_op_put_by_id):
+ (JSC::JIT::emit_op_in_by_id):
+ (JSC::JIT::emitSlow_op_in_by_id):
+ (JSC::JIT::emitResolveClosure):
+ (JSC::JIT::emit_op_resolve_scope):
+ (JSC::JIT::emitLoadWithStructureCheck):
+ (JSC::JIT::emitGetClosureVar):
+ (JSC::JIT::emit_op_get_from_scope):
+ (JSC::JIT::emitSlow_op_get_from_scope):
+ (JSC::JIT::emitPutGlobalVariable):
+ (JSC::JIT::emitPutGlobalVariableIndirect):
+ (JSC::JIT::emitPutClosureVar):
+ (JSC::JIT::emit_op_put_to_scope):
+ (JSC::JIT::emit_op_get_from_arguments):
+ (JSC::JIT::emit_op_put_to_arguments):
+ (JSC::JIT::emitWriteBarrier):
+ (JSC::JIT::emit_op_get_internal_field):
+ (JSC::JIT::emit_op_put_internal_field):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JSInterfaceJIT.h:
+ (JSC::JSInterfaceJIT::emitLoadJSCell):
+ (JSC::JSInterfaceJIT::emitJumpIfNotJSCell):
+ (JSC::JSInterfaceJIT::emitLoadInt32):
+ (JSC::JSInterfaceJIT::emitLoadDouble):
+ (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr):
+ (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
+ (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
+ * jit/SetupVarargsFrame.cpp:
+ (JSC::emitSetupVarargsFrameFastCase):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::loadDoubleArgument):
+ (JSC::SpecializedThunkJIT::loadCellArgument):
+ (JSC::SpecializedThunkJIT::loadInt32Argument):
+ * jit/ThunkGenerators.cpp:
+ (JSC::absThunkGenerator):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::getNonConstantOperand):
+ (JSC::LLInt::getOperand):
+ (JSC::LLInt::genericCall):
+ (JSC::LLInt::varargsSetup):
+ (JSC::LLInt::commonCallEval):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::handleVarargsCheckpoint):
+ (JSC::LLInt::dispatchToNextInstruction):
+ (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call):
+ (JSC::LLInt::slow_path_checkpoint_osr_exit):
+ (JSC::LLInt::llint_throw_stack_overflow_error):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ArgList.h:
+ (JSC::MarkedArgumentBuffer::fill):
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedCodeBlock::hasCheckpoints const):
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ (JSC::CachedCodeBlock::encode):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/ConstructData.cpp:
+ (JSC::construct):
+ * runtime/ConstructData.h:
+ * runtime/DirectArguments.cpp:
+ (JSC::DirectArguments::copyToArguments):
+ * runtime/DirectArguments.h:
+ * runtime/GenericArguments.h:
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::copyToArguments):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::copyToArguments):
+ * runtime/JSArray.h:
+ * runtime/JSImmutableButterfly.cpp:
+ (JSC::JSImmutableButterfly::copyToArguments):
+ * runtime/JSImmutableButterfly.h:
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::willReleaseLock):
+ * runtime/ModuleProgramExecutable.cpp:
+ (JSC::ModuleProgramExecutable::create):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ * runtime/ScopedArguments.cpp:
+ (JSC::ScopedArguments::copyToArguments):
+ * runtime/ScopedArguments.h:
+ * runtime/VM.cpp:
+ (JSC::VM::scanSideState const):
+ (JSC::VM::addCheckpointOSRSideState):
+ (JSC::VM::findCheckpointOSRSideState):
+ * runtime/VM.h:
+ (JSC::VM::hasCheckpointOSRSideState const):
+ * tools/VMInspector.cpp:
+ (JSC::VMInspector::dumpRegisters):
+ * wasm/WasmFunctionCodeBlock.h:
+ (JSC::Wasm::FunctionCodeBlock::getConstant const):
+ (JSC::Wasm::FunctionCodeBlock::getConstantType const):
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::setUsesCheckpoints const):
+ * wasm/WasmOperations.cpp:
+ (JSC::Wasm::operationWasmToJSException):
+ * wasm/WasmSlowPaths.cpp:
+
+2020-01-16 Keith Miller
+
+ Revert 254725 since it breaks tests
+ https://bugs.webkit.org/show_bug.cgi?id=206391
+
+ Unreviewed, revert.
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+
+2020-01-16 Tadeu Zagallo
+
+ Object allocation sinking is missing PutHint for sunken allocations
+ https://bugs.webkit.org/show_bug.cgi?id=203799
+
+
+ Reviewed by Saam Barati.
+
+ Consider the following graph:
+
+ Block #0:
+ 1: PhantomCreateActivation()
+ 2: PhantomNewFunction()
+ PutHint(@2, @1, FunctionActivationPLoc)
+ Branch(#1, #2)
+
+ Block #1:
+ 3: MaterializeCreateActivation()
+ PutHint(@2, @3, FunctionActivationPLoc)
+ Upsilon(@3, ^5)
+ Jump(#3)
+
+ Block #2:
+ 4: MaterializeCreateActivation()
+ PutHint(@2, @4, FunctionActivationPLoc)
+ Upsilon(@4, ^5)
+ Jump(#3)
+
+ Block #3:
+ 5: Phi()
+ ExitOK()
+
+ On Block #3, we need to emit a PutHint after the Phi, since we might exit after it. However,
+ object allocation sinking skipped this Phi because it was checking whether the base of the
+ location that caused us to create this Phi (@2) was live, but it's dead in the graph (there
+ are no pointers to it). The issue is that, even though there are no pointers to the base, the
+ location `PromotedHeapLocation(@2, FunctionActivationPLoc)` is still live, so we should PutHint
+ to it. We fix it by checking for liveness of the location rather than its base.
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+
+2020-01-16 Robin Morisset
+
+ Try to simplify the template deduction used by callOperation in DFGSpeculativeJIT
+ https://bugs.webkit.org/show_bug.cgi?id=206329
+
+ Reviewed by Keith Miller.
+
+ The change is very simple: stop using NoResultTag in callOperation, since it is redundant with !FunctionTraits::hasResult
+
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePutAccessorById):
+ (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
+ (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
+ (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
+ (JSC::DFG::SpeculativeJIT::compileDefineDataProperty):
+ (JSC::DFG::SpeculativeJIT::compileDefineAccessorProperty):
+ (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2020-01-16 Robin Morisset
+
+ Teach the bytecode that arithmetic operations can return bigints
+ https://bugs.webkit.org/show_bug.cgi?id=205416
+
+ Reviewed by Yusuke Suzuki.
+
+ Add already has the correct ResultType, but previously Sub/Mult/Div/Mod/Pow/Negate were always claimed to return Number,
+ and when BigInt is enabled they can also return BigInt.
+ UnaryPlus is left unchanged as it is invalid on a BigInt (to keep asm.js working as intended).
+
+ * parser/NodeConstructors.h:
+ (JSC::NegateNode::NegateNode):
+ (JSC::PowNode::PowNode):
+ (JSC::MultNode::MultNode):
+ (JSC::DivNode::DivNode):
+ (JSC::ModNode::ModNode):
+ (JSC::SubNode::SubNode):
+ * parser/ResultType.h:
+ (JSC::ResultType::bigIntOrNumberType): Added.
+ (JSC::ResultType::forNonAddArith):
+ (JSC::ResultType::forUnaryArith):
+
+2020-01-16 Robin Morisset
+
+ Use dataLogIf more regularly
+ https://bugs.webkit.org/show_bug.cgi?id=206332
+
+ Reviewed by Keith Miller.
+
+ There is lots of code that reads
+ if (Options::foobar())
+ dataLogLn("...")
+
+ There are a couple of benefits to replacing those by dataLogLnIf(Options::foobar(), "..."):
+ - Readability, by reducing the number of lines taken by logging
+ - Less lines appearing as not-taken in test coverage wrongly (wrongly because we probably don't care for the coverage of logging code)
+ - possibly a tiny perf benefit since dataLogIf correctly uses UNLIKELY.
+
+ This patch is a fairly trivial refactoring where I looked for that pattern and replaced it everywhere it appeared in JSC.
+
+ * bytecode/BytecodeGeneratorification.cpp:
+ (JSC::performGeneratorification):
+ * bytecode/BytecodeLivenessAnalysis.cpp:
+ (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::visitWeak):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeLLIntInlineCaches):
+ (JSC::CodeBlock::noticeIncomingCall):
+ (JSC::CodeBlock::optimizationThresholdScalingFactor):
+ (JSC::CodeBlock::optimizeNextInvocation):
+ (JSC::CodeBlock::dontOptimizeAnytimeSoon):
+ (JSC::CodeBlock::optimizeAfterWarmUp):
+ (JSC::CodeBlock::optimizeAfterLongWarmUp):
+ (JSC::CodeBlock::optimizeSoon):
+ (JSC::CodeBlock::forceOptimizationSlowPathConcurrently):
+ (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
+ (JSC::CodeBlock::shouldOptimizeNow):
+ * bytecode/DFGExitProfile.cpp:
+ (JSC::DFG::ExitProfile::add):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGCFAPhase.cpp:
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::optimizeNextInvocation):
+ (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
+ (JSC::DFG::JITCode::optimizeAfterWarmUp):
+ (JSC::DFG::JITCode::optimizeSoon):
+ (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
+ (JSC::DFG::JITCode::setOSREntryBlock):
+ * dfg/DFGJumpReplacement.cpp:
+ (JSC::DFG::JumpReplacement::fire):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileExit):
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGToFTLDeferredCompilationCallback.cpp:
+ (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
+ (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
+ * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
+ (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
+ (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
+ * dfg/DFGWorklist.cpp:
+ (JSC::DFG::Worklist::completeAllReadyPlansForVM):
+ * ftl/FTLOSREntry.cpp:
+ (JSC::FTL::prepareOSREntry):
+ * heap/Heap.cpp:
+ (JSC::Heap::lastChanceToFinalize):
+ (JSC::Heap::sweepSynchronously):
+ (JSC::Heap::collectNow):
+ (JSC::Heap::runBeginPhase):
+ (JSC::Heap::runFixpointPhase):
+ (JSC::Heap::runReloopPhase):
+ (JSC::Heap::runEndPhase):
+ (JSC::Heap::finalize):
+ (JSC::Heap::willStartCollection):
+ (JSC::Heap::updateAllocationLimits):
+ (JSC::Heap::notifyIsSafeToCollect):
+ * heap/MarkStackMergingConstraint.cpp:
+ (JSC::MarkStackMergingConstraint::prepareToExecuteImpl):
+ * heap/MarkedSpace.cpp:
+ * heap/MarkingConstraint.cpp:
+ (JSC::MarkingConstraint::prepareToExecute):
+ * heap/MarkingConstraintSet.cpp:
+ (JSC::MarkingConstraintSet::executeConvergence):
+ (JSC::MarkingConstraintSet::executeConvergenceImpl):
+ (JSC::MarkingConstraintSet::executeAll):
+ * heap/MarkingConstraintSolver.cpp:
+ (JSC::MarkingConstraintSolver::execute):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::appendToMarkStack):
+ (JSC::SlotVisitor::visitChildren):
+ (JSC::SlotVisitor::didRace):
+ * heap/StochasticSpaceTimeMutatorScheduler.cpp:
+ (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
+ (JSC::StochasticSpaceTimeMutatorScheduler::didExecuteConstraints):
+ * jit/JIT.cpp:
+ (JSC::JIT::link):
+ * jit/JITExceptions.cpp:
+ (JSC::genericUnwind):
+ * jit/JITOperations.cpp:
+ * jit/JITToDFGDeferredCompilationCallback.cpp:
+ (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
+ (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
+ * jit/JITWorklist.cpp:
+ (JSC::JITWorklist::Plan::finalize):
+ * jit/PolymorphicCallStubRoutine.cpp:
+ (JSC::PolymorphicCallNode::unlink):
+ * jit/Repatch.cpp:
+ (JSC::unlinkFor):
+ (JSC::linkVirtualFor):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::jitCompileAndSetHeuristics):
+ (JSC::LLInt::entryOSR):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * parser/ModuleAnalyzer.cpp:
+ (JSC::ModuleAnalyzer::analyze):
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSModuleLoader::importModule):
+ (JSC::JSModuleLoader::resolveSync):
+ (JSC::JSModuleLoader::fetch):
+ (JSC::JSModuleLoader::evaluate):
+ (JSC::moduleLoaderModuleDeclarationInstantiation):
+ * runtime/ScriptExecutable.cpp:
+ (JSC::ScriptExecutable::installCode):
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ * tools/CompilerTimingScope.cpp:
+ (JSC::CompilerTimingScope::CompilerTimingScope):
+ (JSC::CompilerTimingScope::~CompilerTimingScope):
+ * wasm/WasmMemory.cpp:
+ * wasm/js/JSWebAssembly.cpp:
+ (JSC::resolve):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::jitCompile):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPattern::compile):
+
+2020-01-16 Robin Morisset
+
+ Reduce the code generated by DFGSlowPathGenerator.h
+ https://bugs.webkit.org/show_bug.cgi?id=206330
+
+ Reviewed by Mark Lam.
+
+ The FunctionType parameter is only needed by CallResultAndArgumentsSlowPathGenerator, not by its base class CallSlowPathGenerator.
+ Moving it allows saving about 200kB from JavaScriptCore (in Release mode), by reducing the number of instantiations of the methods of CallSlowPathGenerator.
+
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
+ (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
+
+2020-01-16 Don Olmstead
+
+ Non-unified build fixes mid January 2020 edition
+ https://bugs.webkit.org/show_bug.cgi?id=206363
+
+ Unreviewed build fix.
+
+ * interpreter/StackVisitor.cpp:
+
+2020-01-16 Jonathan Bedard
+
+ Pass JSToken by const reference
+ https://bugs.webkit.org/show_bug.cgi?id=206321
+
+ Reviewed by Saam Barati.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::createBindingPattern): Pass JSToken by const reference.
+ * parser/Parser.h: Ditto.
+
+2020-01-16 Mark Lam
+
+ operationToObject() should check for a null errorMessage.
+ https://bugs.webkit.org/show_bug.cgi?id=206339
+
+
+ Reviewed by Yusuke Suzuki.
+
+ r224280 introduced operationToObject() with an option to specify a custom error
+ message. r254252 added a scenario where the passed in error message is null but
+ did not update operationToObject() to allow for this. This patch adds the
+ missing null check.
+
+ * dfg/DFGOperations.cpp:
+
+2020-01-16 Per Arne Vollan
+
+ [Win] Fix AppleWin build
+ https://bugs.webkit.org/show_bug.cgi?id=206299
+
+ Reviewed by Brent Fulgham.
+
+ Include required target. Build internal builds with VS2019.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.proj:
+
+2020-01-16 Caio Lima
+
+ [JSC] 32-bit platforms should use a PC base register
+ https://bugs.webkit.org/show_bug.cgi?id=203563
+
+ Reviewed by Keith Miller.
+
+ We are moving 32-bits LLInt implementation to follow the model useb by
+ 64-bits architectures. It means that we now use PC and PB registers to
+ represent current Instruction. This patch will reduce the changes
+ we have from those architectures and mainly allow the usage of new
+ version of BytecodeIndex::m_packedBits. This also allow us remove
+ divergences on CallSiteIndex.
+ The change required the inclusion of a new callee-save register on
+ ARMv7 (r10), MIPS($s1) and CLOOP. Further changes necessary for
+ Baseline and DFG will come in a following patch.
+
+ * assembler/MIPSRegisters.h:
+ * interpreter/CallFrame.cpp:
+ * jit/GPRInfo.h:
+ (JSC::GPRInfo::toRegister):
+ (JSC::GPRInfo::toIndex):
+ * jit/RegisterSet.cpp:
+ (JSC::RegisterSet::vmCalleeSaveRegisters):
+ (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
+ * llint/LLIntData.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/arm.rb:
+ * offlineasm/mips.rb:
+
+2020-01-15 Caitlin Potter
+
+ [JSC] Add support for public class fields
+ https://bugs.webkit.org/show_bug.cgi?id=174212
+
+ Reviewed by Yusuke Suzuki.
+
+ Implements the instance class fields proposal (https://tc39.es/proposal-class-fields/),
+ minus support for private fields (split into a separate patch).
+
+ In summary, class fields are initialized by a synthetic JSFunction. In its unlinked state,
+ the UnlinkedFunctionExecutable for the function includes an ordered list of JSTokenLocations
+ pointing to the start of each class field in the class. Each of these fields are parsed and
+ included as DefineFieldNodes, which implement the appropriate DefineField behaviour in the
+ proposal. This synthetic function is only created, and only loaded, if there are class fields
+ present. The decision to use a synthetic function was for simplicity. There are a number of
+ factors which make inlining the initialization complicated, though we may opt to do this in
+ the future. For reference, the complexities are: instance fields and constructor in different
+ currently in different parsing arenas, distinct scopes between the 2 which require work to manage,
+ and complexity in doing to this work for child classes, where the location of initialization can
+ depend, and in some cases occur more than once.
+
+ Computed property fields require a new bytecode, op_to_property_key, as an implementation
+ detail. It is necessary in the proposal to convert computed properties to property keys
+ during class evaluation, rather than during field initialization. Additionally, we allocate
+ the class lexical scope when computed class fields are used (previously, only when there was
+ a class name), as a location to keep the computed property keys. They can be loaded from the
+ scope via indexed keys.
+
+ To illustrate computed field names in action, consider the following pseudocode:
+
+
+ 1) fieldName = emitNode({expr})
+ 2) fieldName = emitToPropertyKey(fieldName)
+ 3) classScope[numComputedNames++] = fieldName
+
+
+ 1) fieldName = emitGetFromScope(classScope, computedFieldNameIndex++)
+ 2) value = emitNode({initializer})
+ 3) instance[fieldName] = value
+
+ The feature is currently hidden behind the feature flag JSC::Options::useClassFields.
+
+2020-01-15 Adrian Perez de Castro
+
+ Offlineasm warnings with newer Ruby versions
+ https://bugs.webkit.org/show_bug.cgi?id=206233
+
+ Reviewed by Yusuke Suzuki.
+
+ Avoid a warning about using Object#=~ on Annotation instances, which
+ has been deprecated in Ruby 2.7.
+
+ * offlineasm/parser.rb: Swap checks to prevent applying the =~ operator
+ to Annotation instances, which do not define it.
+
+2020-01-15 Keith Miller
+
+ Revert bytecode checkpoints since it breaks watch
+ https://bugs.webkit.org/show_bug.cgi?id=206301
+
+ Unreviewed, revert.
+
+2020-01-15 Alexey Shvayka
+
+ Object.preventExtensions should throw if not successful
+ https://bugs.webkit.org/show_bug.cgi?id=206131
+
+ Reviewed by Ross Kirsling.
+
+ With this change, Object.preventExtensions throws TypeError if [[PreventExtensions]]
+ returns `false`. This is possible if Object.preventExtensions is called on a Proxy object.
+ (step 3 of https://tc39.es/ecma262/#sec-object.preventextensions)
+
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorPreventExtensions):
+
+2020-01-15 Jonathan Bedard
+
+ webkitpy: Remove self assignments
+ https://bugs.webkit.org/show_bug.cgi?id=206294
+
+ Reviewed by Aakash Jain.
+
+ * inspector/scripts/codegen/generator.py:
+ (Generator.js_name_for_parameter_type):
+
+2020-01-14 Commit Queue
+
+ Unreviewed, rolling out r254480, r254496, and r254517.
+ https://bugs.webkit.org/show_bug.cgi?id=206278
+
+ "It regressed JetStream2 and Speedometer2" (Requested by
+ saamyjoon on #webkit).
+
+ Reverted changesets:
+
+ "Throw away baseline code if there is an optimized
+ replacement"
+ https://bugs.webkit.org/show_bug.cgi?id=202503
+ https://trac.webkit.org/changeset/254480
+
+ "Unreviewed. Change useLLInt=0 to forceBaseline=1"
+ https://trac.webkit.org/changeset/254496
+
+ "Add an option that enables/disables throwing away baseline
+ JIT code"
+ https://bugs.webkit.org/show_bug.cgi?id=206244
+ https://trac.webkit.org/changeset/254517
+
+2020-01-14 Keith Miller
+
+ Fix scanSideState assertion
+ https://bugs.webkit.org/show_bug.cgi?id=206257
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/VM.cpp:
+ (JSC::VM::scanSideState const):
+
+2020-01-14 Devin Rousso
+
+ Web Inspector: crash in DumpRenderTree at com.apple.JavaScriptCore: WTF::RefCountedBase::hasOneRef const
+ https://bugs.webkit.org/show_bug.cgi?id=206191
+
+
+ Reviewed by Joseph Pecoraro.
+
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::attach):
+ (GatherSourceProviders::GatherSourceProviders): Deleted.
+ (GatherSourceProviders::operator()): Deleted.
+ Use `RefPtr` instead of `SourceProvider*` in case the `FunctionExecutable`
+ is destroyed after the `SourceProvider*` is saved, which would destroy the `SourceProvider`
+ as well.
+
+2020-01-14 Saam Barati
+
+ Add an option that enables/disables throwing away baseline JIT code
+ https://bugs.webkit.org/show_bug.cgi?id=206244
+
+ Reviewed by Robin Morisset.
+
+ This option is now set to false as I investigate a perf regression with
+ the original patch.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * runtime/OptionsList.h:
+
+2020-01-13 Darin Adler
+
+ Use even more "shortest form" formatting, and less "fixed precision" and "fixed width"
+ https://bugs.webkit.org/show_bug.cgi?id=198918
+
+ Reviewed by Sam Weinig.
+
+ * API/tests/ExecutionTimeLimitTest.cpp:
+ (testExecutionTimeLimit): Rewrote the string creation code to use makeString instead
+ of StringBuilder and no longer use any fixed precision.
+
+ * runtime/Options.cpp:
+ (JSC::OptionReader::Option::dump const): Dump doubles with shortest form instead of
+ fixed precision.
+
+2020-01-14 David Kilzer
+
+ Enable -Wconditional-uninitialized in bmalloc, WTF, JavaScriptCore
+
+
+
+ Reviewed by Mark Lam.
+
+ Initialize stack variables to fix warnings.
+
+ * Configurations/Base.xcconfig:
+ (WARNING_CFLAGS): Add -Wconditional-uninitialized.
+ * b3/B3LowerToAir.cpp:
+ (LowerToAir::appendCAS):
+ * b3/testb3_4.cpp:
+ (testLoadAddrShift):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
+ Move declaration of `notEmpty` into if block since it's not used
+ outside that scope.
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
+ * ftl/FTLThunks.cpp:
+ (JSC::FTL::registerClobberCheck):
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ (JSC::webAssemblyTableProtoFuncSet):
+ variables.
+ * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseBody): + +2020-01-13 Fujii Hironori + + Unreviewed sort-Xcode-project-file + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2020-01-13 Keith Miller + + scanSideState scans too much side state + https://bugs.webkit.org/show_bug.cgi?id=206166 + + Reviewed by Tadeu Zagallo. + + The old code would would scan tmps + sizeof(tmps) but sizeof(tmps) + is not the length of the array. instead we should scan tmps + + maxNumCheckpointTmps. + + * interpreter/CheckpointOSRExitSideState.h: + * runtime/VM.cpp: + (JSC::VM::scanSideState const): + +2020-01-13 Saam Barati + + Throw away baseline code if there is an optimized replacement + https://bugs.webkit.org/show_bug.cgi?id=202503 + + Reviewed by Yusuke Suzuki. + + This patch's goal is to help us save JIT executable memory by throwing + away baseline code when it has an optimized replacement. To make it + easy to reason about, we do this when finalizing a GC, and when the + CodeBlock is not on the stack. When we do this, we throw away all JIT + data and unlink all incoming calls. + + This patch also paves the way for the LOL tier by making it so we always + exit to the LLInt. This allows the code in CodeBlock finalization to not + have to consider whether or not an an OSR exit is wired to baseline + JIT code, since all exits are now to the LLInt. Because of this, this + patch removes the forceOSRExitToLLInt option. Also, this patch renames + the useLLInt option to forceBaseline and inverts its meaning. + Options::forceBaseline=true implies that code will start off executing in + the baseline JIT instead of the LLInt. However, it won't prevent us from + emitting an OSR exit which jumps to LLInt code. 
+
+ * API/tests/ExecutionTimeLimitTest.cpp:
+ (testExecutionTimeLimit):
+ * API/tests/PingPongStackOverflowTest.cpp:
+ (testPingPongStackOverflow):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::resetJITData):
+ (JSC::CodeBlock::optimizedReplacement):
+ (JSC::CodeBlock::hasOptimizedReplacement):
+ (JSC::CodeBlock::tallyFrequentExitSites):
+ (JSC::CodeBlock::findStubInfo): Deleted.
+ (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): Deleted.
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::setJITCode):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::callerReturnPC):
+ (JSC::DFG::reifyInlinedCallFrames):
+ (JSC::DFG::adjustAndJumpToTarget):
+ * dfg/DFGOSRExitCompilerCommon.h:
+ * heap/CodeBlockSet.cpp:
+ (JSC::CodeBlockSet::isCurrentlyExecuting):
+ * heap/CodeBlockSet.h:
+ * heap/Heap.cpp:
+ (JSC::Heap::finalizeUnconditionalFinalizers):
+ (JSC::Heap::runEndPhase):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::dispatchToNextInstruction):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ (JSC::Options::initialize):
+ (JSC::Options::ensureOptionsAreCoherent):
+ * runtime/OptionsList.h:
+ * runtime/ScriptExecutable.cpp:
+ (JSC::ScriptExecutable::prepareForExecutionImpl):
+
+2020-01-13 Mark Lam
+
+ Replace uses of Box with a new CacheableIdentifier class.
+ https://bugs.webkit.org/show_bug.cgi?id=205544
+
+
+ Reviewed by Saam Barati.
+
+ The introduction of the use of Box was to get around having to
+ ref/deref the underlying UniqedStringImpl in Identifiers from the compiler
+ and GC threads. However, it proves to be difficult to control when these
+ Boxs get destructed, and requires that we find all the places in
+ the compier and GC threads where this can happen, and apply keep alive tactics
+ there to defer destruction of the Box to the mutator thread.
+ + This patch fixes this by replacing uses of Box with + CacheableIdentifier, which is effectively a tagged union of a JSCell* or a + UniquedStringImpl*. The JSCell*, in this case, can be either a Symbol* or a + JSString* that is backed by an atom string. The VM runtime ensures that we'll + never try to cache an identifier from a JSCell that is not one of these. This + CacheableIdentifier can be destructed from the compiler or GC thread. Since it + doesn't hold a ref of the underlying UniquedStringImpl, it won't try to deref + it on destruction. + + Instead, we'll need to visit CacheableIdentifiers during GC scans to keep the + JSCell in it alive, and that JSCell will, in turn, keep the underlying + UniquedStringImpl alive. + + This patch also does the following: + + 1. Add a visitAggregate() method to StructureStubInfo, PolymorphicAccess, and + AccessCase to visit the CacheableIdentifier's JSCell identifier. This + visitAggregate() is called from CodeBlock::stronglyVisitStrongReferences(). + + When we write barrier a CodeBlock, it guarantees that its visitAggregate() + methods is called. However, it does not guarantee that its propagateTransitions() + method will be called. Since the CacheableIdentifier's reference to a cell + should be a strong reference, visiting it via a StructureStubInfo::visitAggregate() + method is the right thing to do. + See https://bugs.webkit.org/show_bug.cgi?id=205544#c7 for an example of why + propagateTransitions() doesn't always do the job. + + StructureStubInfo::visitWeakReferences() is also inappropriate for this + because it is only called after all marking is done. It is also not meant + to keep cells alive but merely for clearing weak references to dead cells. + + 2. Also add to visitAggregate() for ModuleNamespaceData's m_identifier in + GetByStatus::markIfCheap(). + + 3. Remove previously applied keep alive tactics to work around Box + destruction. This also retores the allowance to destruct DFG::Plans on a + compiler thread. 
+ + 4. Added a JSString:getValueImpl() helper. + + 5. Added a write barrier in DFG and FTL JITFinalizer's finalizeCommon() to ensure + that frozen values are scanned by the GC. + + During compilation, the frozen values were previously protected by the Plan. + After finalization, they should be protected by the CodeBlock. Hence, we + should barrier the CodeBlock since the last GC scan of the CodeBlock may have + happened before the frozen values were registered with the CodeBlock. + + GC considerations: + ================== + The following also addresses Yusuke's concerns in https://bugs.webkit.org/show_bug.cgi?id=205544#c10. + + CacheableIdentifier is only stored as fields in 4 classes/structs: + + 1. AccessCase::m_identifier + 2. GetByIdVariant::m_identifier + 3. ModuleNamespaceData::m_identifier + 4. StructureStubInfo::m_getByIdSelfIdentifier + + AccessCase::m_identifier + ======================== + While the access case is being created and added in tryCacheGetBy(), the + CacheableIdentifier is still on the stack and protected from the GC. At the + bottom of tryCacheGetBy(), StructureStubInfo::addAccessCase() is called to add + the access case. + + StructureStubInfo::addAccessCase() will barrier the owner CodeBlock at its end, + and CodeBlock::stronglyVisitStrongReferences() will visit the StructureStubInfo, + which in turn visits the AccessCase. StructureStubInfo::visitAggregate() has + been added for this purpose. + + GetByIdVariant::m_identifier + ============================ + GetByIdVariant is only stored in GetByStatus. Both GetByIdVariant and GetByStatus + are only created and handled in the DFG/FTL compiler threads. While the compiler + thread is working with them, they are safe from the GC because the GC won't collect + objects until the compiler thread is at a SafePoint. + + At compiler SafePoints, any GetByStatus that needs to be persisted is stored in + DFG::Plan::m_recordedStatuses. 
The Plan will visit the m_recordedStatuses in + Plan::checkLivenessAndVisitChildren(). + + At the end of compilation, Plan::m_recordedStatuses is transferred over to the owner + CodeBlock's DFG::CommonData in Plan::finalizeWithoutNotifyingCallback(). + Plan::finalizeWithoutNotifyingCallback() will also barrier the owner CodeBlock at + its end. + + Thereafter, CodeBlock::stronglyVisitStrongReferences() will visit the recordedStatuses. + + ModuleNamespaceData::m_identifier + ================================= + ModuleNamespaceData is only stored in a GetByStatus, and is therefore protected + similarly as the GetByIdVariant::m_identifier case above. + + StructureStubInfo::m_getByIdSelfIdentifier + ========================================== + StructureStubInfo::initGetByIdSelf() is called from inside tryCacheGetBy(). + StructureStubInfo::initGetByIdSelf() will barrier the owner CodeBlock. The + CacheableIdentifier here is protected in the same way as the AccessCase::m_identifier + case above. + + DesiredIdentifiers + ================== + The compiler thread may also stash a CacheableIdentifier's uid in its + DesiredIdentifiers. Normally, the identifiers stashed in DesiredIdentifiers are + from identifiers that the CodeBlock already knows abut and manages (e.g. from + GetByIds). For uids from a cell-based CacheableIdentifier variable is passed to + a GetByVal, we need kep the cell alive in order to keep the uid alive. This is + achieved by freezing the cell with freezeStrong() in the op_get_by_val case in + the DFG BytecodeParser. + + Reseting a StructureStubInfo while its IC code is still executing on the stack + ============================================================================== + The concern is that IC code may call slow path / getter functions that may in turn: + + 1. reset the IC, and + 2. run the GC. + + This can be a problem if: + + 1. 
there is a scenario where we return from the slow path / getter function + and run IC code that uses the cell / uid from the CacheableIdentifier. + + This is because the StructureStubInfo is what visits the that cell, which + in turn its uid alive. Once the StructureStubInfo is reset, it will no + longer be associated with any AccessCase or the m_getByIdSelfIdentifier. + As such they will not be visited, and the CacheableIdentifier may be collected + by the GC. + + In practice, the generated IC code never uses the cell / uid after it calls + any slow path / getter function. I've verified this by auditing the code + generation in InlineAccess::generateSelfInAccess() and PolymorphicAccess::regenerate(). + Hence, there's no issue with using a collected cell / uid. + + 2. there is a scenario where a slow path / getter function makes use of the cell / uid + from the CacheableIdentifier but does not protect it. + + The only 2 slow path functions: + operationGetByValGeneric() + operationGetByValOptimize() + + operationGetByValGeneric() does not use any CacheableIdentifier from the StructureStubInfo. + + operationGetByValOptimize() modifies the StructureStubInfo in tryCacheGetBy() + under the protection of a GCSafeConcurrentJSLocker, and can reset the + StructureStubInfo. However, it does not use any CacheableIdentifier after + that. + + Hence, there's also no GC issue here. 
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::AccessCase):
+ (JSC::AccessCase::create):
+ (JSC::AccessCase::fromStructureStubInfo):
+ (JSC::AccessCase::commit):
+ (JSC::AccessCase::canReplace const):
+ (JSC::AccessCase::dump const):
+ (JSC::AccessCase::visitAggregate const):
+ (JSC::AccessCase::generateWithGuard):
+ (JSC::AccessCase::generateImpl):
+ * bytecode/AccessCase.h:
+ (JSC::AccessCase::uid const):
+ (JSC::AccessCase::identifier const):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::propagateTransitions):
+ (JSC::CodeBlock::stronglyVisitStrongReferences):
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::GetByIdVariant):
+ (JSC::GetByIdVariant::attemptToMerge):
+ (JSC::GetByIdVariant::visitAggregate):
+ (JSC::GetByIdVariant::dumpInContext const):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::identifier const):
+ (JSC::GetByIdVariant::overlaps):
+ * bytecode/GetByStatus.cpp:
+ (JSC::GetByStatus::computeFromLLInt):
+ (JSC::GetByStatus::computeFor):
+ (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+ (JSC::GetByStatus::visitAggregate):
+ (JSC::GetByStatus::singleIdentifier const):
+ * bytecode/GetByStatus.h:
+ * bytecode/GetterSetterAccessCase.cpp:
+ (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
+ (JSC::GetterSetterAccessCase::create):
+ * bytecode/GetterSetterAccessCase.h:
+ * bytecode/InstanceOfAccessCase.cpp:
+ (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
+ * bytecode/IntrinsicGetterAccessCase.cpp:
+ (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
+ (JSC::IntrinsicGetterAccessCase::create):
+ * bytecode/IntrinsicGetterAccessCase.h:
+ * bytecode/ModuleNamespaceAccessCase.cpp:
+ (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
+ (JSC::ModuleNamespaceAccessCase::create):
+ * bytecode/ModuleNamespaceAccessCase.h:
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::visitAggregate):
+ (JSC::PolymorphicAccess::regenerate):
+ * bytecode/PolymorphicAccess.h:
+ * bytecode/ProxyableAccessCase.cpp:
+ (JSC::ProxyableAccessCase::ProxyableAccessCase):
+ (JSC::ProxyableAccessCase::create):
+ * bytecode/ProxyableAccessCase.h:
+ * bytecode/RecordedStatuses.cpp:
+ (JSC::RecordedStatuses::visitAggregate):
+ * bytecode/RecordedStatuses.h:
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::initGetByIdSelf):
+ (JSC::StructureStubInfo::addAccessCase):
+ (JSC::StructureStubInfo::visitAggregate):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::getByIdSelfIdentifier):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseGetById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGDesiredIdentifiers.cpp:
+ (JSC::DFG::DesiredIdentifiers::ensure):
+ (JSC::DFG::DesiredIdentifiers::at const):
+ (JSC::DFG::DesiredIdentifiers::reallyAdd):
+ (JSC::DFG::DesiredIdentifiers::processCodeBlockIdentifiersIfNeeded): Deleted.
+ * dfg/DFGDesiredIdentifiers.h:
+ * dfg/DFGJITFinalizer.cpp:
+ (JSC::DFG::JITFinalizer::finalizeCommon):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::~Plan):
+ (JSC::DFG::Plan::checkLivenessAndVisitChildren):
+ (JSC::DFG::Plan::cancel):
+ * dfg/DFGPlan.h:
+ (JSC::DFG::Plan::keepAliveIdentifier): Deleted.
+ * dfg/DFGWorklist.cpp:
+ (JSC::DFG::Worklist::removeAllReadyPlansForVM):
+ (JSC::DFG::Worklist::removeDeadPlans):
+ (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
+ (JSC::DFG::Worklist::deleteCancelledPlansForVM): Deleted.
+ * dfg/DFGWorklist.h:
+ * ftl/FTLJITFinalizer.cpp:
+ (JSC::FTL::JITFinalizer::finalizeCommon):
+ * jit/JITOperations.cpp:
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetBy):
+ (JSC::repatchGetBy):
+ (JSC::tryCacheArrayGetByVal):
+ (JSC::tryCacheInstanceOf):
+ * jit/Repatch.h:
+ * runtime/CacheableIdentifier.cpp: Added.
+ (JSC::CacheableIdentifier::dump const):
+ * runtime/CacheableIdentifier.h: Added.
+ (JSC::CacheableIdentifier::CacheableIdentifier):
+ (JSC::CacheableIdentifier::isUid const):
+ (JSC::CacheableIdentifier::isCell const):
+ (JSC::CacheableIdentifier::isSymbol const):
+ (JSC::CacheableIdentifier::operator bool const):
+ * runtime/CacheableIdentifierInlines.h: Added.
+ (JSC::CacheableIdentifier::CacheableIdentifier):
+ (JSC::CacheableIdentifier::cell const):
+ (JSC::CacheableIdentifier::uid const):
+ (JSC::CacheableIdentifier::isCacheableIdentifierCell):
+ (JSC::CacheableIdentifier::isSymbolCell const):
+ (JSC::CacheableIdentifier::isStringCell const):
+ (JSC::CacheableIdentifier::setCellBits):
+ (JSC::CacheableIdentifier::setUidBits):
+ (JSC::CacheableIdentifier::visitAggregate const):
+ (JSC::CacheableIdentifier::operator== const):
+ (JSC::CacheableIdentifier::operator!= const):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::functionCallBase):
+ * runtime/JSString.h:
+ (JSC::JSString::getValueImpl const):
+ * runtime/VM.cpp:
+ (JSC::VM::ensureWatchpointSetForImpureProperty):
+ (JSC::VM::addImpureProperty):
+ (JSC::VM::registerWatchpointForImpureProperty): Deleted.
+ * runtime/VM.h:
+
+2020-01-13 Yusuke Suzuki
+
+ [JSC] Put JSProxy in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=206187
+
+ Reviewed by Mark Lam.
+
+ 1. Put JSProxy in IsoSubspace.
+ 2. Make JSProxy non-destructible since derived class JSWindowProxy is having its own IsoSubspace with destructibility.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::resetPrototype):
+ (JSC::JSGlobalObject::finishCreation):
+ * runtime/JSNonDestructibleProxy.cpp: Removed.
+ * runtime/JSNonDestructibleProxy.h: Removed.
+ * runtime/JSProxy.h:
+ (JSC::JSProxy::subspaceFor):
+ * runtime/JSStringIterator.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2020-01-11 Keith Miller
+
+ CheckNeutered needs to claim it reads JSType in clobberize.
+ https://bugs.webkit.org/show_bug.cgi?id=206136 + + Reviewed by Yusuke Suzuki. + + CheckNeutered needs to read JSType otherwise it can get hoisted + past the TypedArray check guarding it. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2020-01-12 Yusuke Suzuki + + [JSC] Use internal object field mechanism to implement JSStringIterator + https://bugs.webkit.org/show_bug.cgi?id=206144 + + Reviewed by Ross Kirsling. + + This patch uses internal object field mechanism to implement JSStringIterator, + and we also put JSStringIterator into IsoSubspace. + + * builtins/BuiltinNames.h: + * builtins/StringIteratorPrototype.js: + (next): + * bytecode/BytecodeIntrinsicRegistry.cpp: + (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitIsStringIterator): + * bytecompiler/NodesCodegen.cpp: + (JSC::stringIteratorInternalFieldIndex): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_getStringIteratorInternalField): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putStringIteratorInternalField): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::getInternalProperties): + * runtime/JSCast.h: + * runtime/JSStringIterator.cpp: + (JSC::JSStringIterator::finishCreation): + (JSC::JSStringIterator::clone): + (JSC::JSStringIterator::visitChildren): + (JSC::JSStringIterator::iteratedValue const): Deleted. + * runtime/JSStringIterator.h: + * runtime/JSType.cpp: + (WTF::printInternal): + * runtime/JSType.h: + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncIterator): + * runtime/VM.cpp: + * runtime/VM.h: + +2020-01-12 Yusuke Suzuki + + [JSC] Remove IsDone from JSArrayIterator + https://bugs.webkit.org/show_bug.cgi?id=206140 + + Reviewed by Keith Miller. + + We can store `-1` in Index field to represent whether the iterator is closed. 
+ While this patch does not change the allocation size of JSArrayIterator, this style can + shrink the size of JSStringIterator when we implement it in the same style. + + We also rename iterationKindKeyValue to iterationKindEntries. + + * builtins/ArrayIteratorPrototype.js: + (globalPrivate.arrayIteratorNextHelper): + * builtins/MapIteratorPrototype.js: + (globalPrivate.mapIteratorNext): + * builtins/MapPrototype.js: + (entries): + * builtins/SetIteratorPrototype.js: + (globalPrivate.setIteratorNext): + * builtins/SetPrototype.js: + (entries): + * bytecode/BytecodeIntrinsicRegistry.cpp: + (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::arrayIteratorInternalFieldIndex): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::cloneArrayIteratorObject): + * runtime/JSArrayIterator.cpp: + (JSC::JSArrayIterator::finishCreation): + * runtime/JSArrayIterator.h: + +2020-01-12 Yusuke Suzuki + + [JSC] Consistently use "var" in builtin JS + https://bugs.webkit.org/show_bug.cgi?id=206157 + + Reviewed by Mark Lam. + + let / const requires additional bytecode to make it Empty initialized for now. + For builtin JS, we would like to keep it as efficient and compact as we can + so we should use `var` consistently. 
+ + * builtins/ArrayPrototype.js: + (sort.stringComparator): + (sort.compactSparse): + (sort.compactSlow): + (sort.compact): + (sort.merge): + (sort.mergeSort): + (sort.bucketSort): + (sort.comparatorSort): + (sort.stringSort): + (sort): + (globalPrivate.concatSlowPath): + (concat): + * builtins/FunctionPrototype.js: + (call): + (overriddenName.string_appeared_here.symbolHasInstance): + * builtins/GlobalOperations.js: + (globalPrivate.copyDataProperties): + (globalPrivate.copyDataPropertiesNoExclusions): + * builtins/IteratorHelpers.js: + (performIteration): + * builtins/ModuleLoader.js: + (async loadModule): + (async loadAndEvaluateModule): + (async requestImportModule): + (dependencyKeysIfEvaluated): + * builtins/ObjectConstructor.js: + (fromEntries): + * builtins/PromisePrototype.js: + (finally): + (valueThunk): + (globalPrivate.getThenFinally): + (thrower): + (globalPrivate.getCatchFinally): + (const.valueThunk): Deleted. + (const.thrower): Deleted. + * builtins/RegExpPrototype.js: + (globalPrivate.advanceStringIndex): + (globalPrivate.regExpExec): + (globalPrivate.hasObservableSideEffectsForRegExpMatch): + (globalPrivate.matchSlow): + (overriddenName.string_appeared_here.match): + (overriddenName.string_appeared_here.matchAll): + (getSubstitution): + (overriddenName.string_appeared_here.replace): + (overriddenName.string_appeared_here.search): + (globalPrivate.hasObservableSideEffectsForRegExpSplit): + (overriddenName.string_appeared_here.split): + (intrinsic.RegExpTestIntrinsic.test): + * builtins/RegExpStringIteratorPrototype.js: + (next): + * builtins/StringPrototype.js: + (match): + (matchAll): + (globalPrivate.hasObservableSideEffectsForStringReplace): + (intrinsic.StringPrototypeReplaceIntrinsic.replace): + (globalPrivate.createHTML): + * builtins/TypedArrayConstructor.js: + (of): + (from): + * builtins/TypedArrayPrototype.js: + (globalPrivate.typedArraySpeciesConstructor): + (globalPrivate.typedArrayClampArgumentToStartOrEnd): + (fill): + (find): + 
(subarray): + +2020-01-12 Yusuke Suzuki + + [WebCore] Reorganize JSType in WebCore to offer more bits to JSC + https://bugs.webkit.org/show_bug.cgi?id=206141 + + Reviewed by Keith Miller. + + * runtime/JSType.h: + +2020-01-11 Yusuke Suzuki + + Unreviewed, suppress warnings in GCC, part 2 + https://bugs.webkit.org/show_bug.cgi?id=202832 + + * bytecode/ArithProfile.h: + +2020-01-11 Yusuke Suzuki + + Unreviewed, suppress warnings in GCC + https://bugs.webkit.org/show_bug.cgi?id=202832 + + * bytecode/ArithProfile.h: + +2020-01-10 Yusuke Suzuki + + [JSC] Flush old tables in End phase + https://bugs.webkit.org/show_bug.cgi?id=206120 + + + Reviewed by Mark Lam. + + stopThePeriphery is stopping compiler threads and main thread (mutator), which means making m_worldIsStopped = true. + It is not for stopping all heap threads including a concurrent marker. The concurrent collector can work while executing + stopThePeriphery. This means that concurrent collectors can access to the old StructureIDTable while it is destroyed + in stopThePeriphery. Destroying old StructureIDTable in GC End phase, this is appropriate phase that we can ensure no + other threads (accessing to heap) are working including concurrent markers, mutator, and compiler threads. + + * heap/Heap.cpp: + (JSC::Heap::runEndPhase): + (JSC::Heap::stopThePeriphery): + +2020-01-10 Caitlin Potter and Alexey Shvayka + + Object.keys should throw if called on module namespace object with uninitialized binding + https://bugs.webkit.org/show_bug.cgi?id=205983 + + Reviewed by Yusuke Suzuki. + + If JSModuleNamespaceObject::getOwnPropertyNames method is called by + Object.keys or for/in loop, it should invoke [[GetOwnProperty]] on + every binding so a ReferenceError is thrown if the binding is uninitialized. 
+ + Complete call stack of internal methods and abstract ops is in "info" meta of + JSTests/test262/test/language/module-code/namespace/internals/object-keys-binding-uninit.js + + * runtime/JSModuleNamespaceObject.cpp: + (JSC::JSModuleNamespaceObject::getOwnPropertyNames): + +2020-01-10 Saam Barati + + ObjectAllocationSinkingPhase doesn't model pointers to allocations in control flow properly + https://bugs.webkit.org/show_bug.cgi?id=204738 + + + Reviewed by Yusuke Suzuki. + + Allocation sinking phase conducts a points to analysis. It uses this + information for programs like: + + ``` + 1: NewObject + 2: NewObject + 3: PutByOffset(@2, @1, "x") + 4: GetByOffset(@2, "x") + ``` + + It solves the points to problem knowing @4 points to @1. + + It tracks this data in the LocalHeap data structure. This is used to track + the heap across blocks, and it includes a merge function to handle control + flow merges. However, this merge function would not always merge the pointer + sets together. It sometimes would merge them together, since it had a fast + path check inside merge, which would just copy the contents of the block to be + merged with itself if it were this block's first time merging. This fast path happened + to hide the bug in general case merge code. If we didn't take this fast path, + we would just never transfer pointer sets from predecessor to successor. This + could lead to all kinds of issues, including using the incorrect phantom node + in IR instead of its materialized version. It could also lead to the phase not + sinking objects it is capable of sinking. + + This patch makes it so that we merge together the pointer sets. We always add + new pointers to the set. So in pointer A->B, if the set has yet to see A, we + add it. If the set already contains pointer A->B, and we encounter a new + pointer A->C, or if we encounter a merge without any A->* pointer, we mark + the A pointer as top, marking it A->TOP. We do this to ensure that we fixpoint. 
+ We're guaranteed that m_pointers is monotonically increasing (module liveness + pruning, which is a constant). And once something is TOP, it never becomes + anything else. (Instead of marking a pointer top, we used to just remove it + from the set, but this has issues, as it could lead to us ping-ponging in + our fixpoint analysis, add, remove, add, remove, etc.) + + So the merge rules are: + {A->B} merge {A->B} => {A->B} + {A->B} merge {A->C} => {A->TOP} + {A->B} merge {A->TOP} => {A->TOP} + {A->B} merge {} => {A->TOP} + + + Thanks to Samuel Groß of Google Project Zero for identifying this bug. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2020-01-10 Carlos Garcia Campos + + Unreviewed. Fix GTK and WPE API docs generation + + Add index for new symbols in 2.28. + + * API/glib/docs/jsc-glib-docs.sgml: + +2020-01-10 Carlos Garcia Campos + + [GLIB] Add GLib specific API for JSC JSValueRef.h's JSValueMakeFromJSONString and JSValueCreateJSONString methods + https://bugs.webkit.org/show_bug.cgi?id=205161 + + Reviewed by Adrian Perez de Castro. + + Add jsc_value_new_from_json() and jsc_value_to_json(). + + * API/glib/JSCValue.cpp: + (jsc_value_new_from_json): + (jsc_value_to_json): + * API/glib/JSCValue.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2020-01-10 Adrian Perez de Castro + + Fix various non-unified build issues introduced since r253538 + https://bugs.webkit.org/show_bug.cgi?id=205996 + + Reviewed by Youenn Fablet. + + * bytecode/ExecutableToCodeBlockEdge.cpp: Add missing inclusion of JSObjectInlines.h and + StructureInlines.h + * dfg/DFGVariableEvent.cpp: Add missing inclusion of OperandsInlines.h + * runtime/NarrowingNumberPredictionFuzzerAgent.cpp: Add missing inclusion of CodeBlock.h + * runtime/WideningNumberPredictionFuzzerAgent.cpp: Ditto. + * wasm/WasmOperations.cpp: Add missing inclusion of ButterflyInlines.h + +2020-01-09 Commit Queue + + Unreviewed, rolling out r254234. 
+ https://bugs.webkit.org/show_bug.cgi?id=206011 + + Broke production builds (Requested by ap on #webkit). + + Reverted changeset: + + "build-jsc should invoke make instead of calling xcodebuild + directly" + https://bugs.webkit.org/show_bug.cgi?id=205960 + https://trac.webkit.org/changeset/254234 + +2020-01-08 Keith Miller + + [JSC] Introduce JSArrayIterator + https://bugs.webkit.org/show_bug.cgi?id=204043 + + Reviewed by Yusuke Suzuki. + + This patch introduces JSArrayIterator that changes the iterator object + from a JSFinalObject to an InternalFieldsObject. This makes accessing it + much easier from C++ code and makes the iterator object smaller. It also + means that the JS code for the next function is much simpler and can *almost* + be inlined without shenanigans. + + As part of this patch the keys/values/entries functions have been converted to + C++ with intrinsics since that's slightly more efficient in the LLInt/Baseline. + + Lastly, this patch also add a custom ISOSubspace for JSArrayIterator objects. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * builtins/ArrayIteratorPrototype.js: + (next): + (globalPrivate.arrayIteratorNextHelper): + (globalPrivate.arrayIteratorValueNext): Deleted. + (globalPrivate.arrayIteratorKeyNext): Deleted. + (globalPrivate.arrayIteratorKeyValueNext): Deleted. + * builtins/ArrayPrototype.js: + (globalPrivate.ArrayIterator): Deleted. + (values): Deleted. + (keys): Deleted. + (entries): Deleted. + * builtins/TypedArrayPrototype.js: + (values): Deleted. + (keys): Deleted. + (entries): Deleted. 
+ * bytecode/BytecodeIntrinsicRegistry.cpp:
+ (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
+ * bytecode/BytecodeIntrinsicRegistry.h:
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitIsArrayIterator):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::arrayIteratorInternalFieldIndex):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_getArrayIteratorInternalField):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_putArrayIteratorInternalField):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isAsyncGenerator): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet): Deleted.
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isUndefinedOrNull): Deleted.
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGClobbersExitState.cpp:
+ (JSC::DFG::clobbersExitState):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPhantomNewObject):
+ (JSC::DFG::Node::convertToPhantomNewArrayIterator):
+ (JSC::DFG::Node::convertToPhantomCreateActivation):
+ (JSC::DFG::Node::hasStructure):
+ (JSC::DFG::Node::hasObjectMaterializationData):
+ (JSC::DFG::Node::isPhantomAllocation):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGPromotedHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGPromotedHeapLocation.h:
+ (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckNeutered):
+ (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
+ (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject):
+ (JSC::DFG::SpeculativeJIT::compileNewArrayIterator):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStoreBarrierInsertionPhase.cpp:
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
+ (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
+ * dfg/DFGValidate.cpp:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckNeutered):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayIterator):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObjectImpl):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewInternalFieldObject):
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationPopulateObjectInOSR):
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::subtype):
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ (Inspector::cloneArrayIteratorObject):
+ (Inspector::JSInjectedScriptHost::iteratorEntries):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+ (JSC::createArrayIteratorObject):
+ (JSC::arrayProtoFuncValues):
+ (JSC::arrayProtoFuncEntries):
+ (JSC::arrayProtoFuncKeys):
+ * runtime/CommonIdentifiers.h:
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/IterationKind.h:
+ (): Deleted.
+ * runtime/JSArrayIterator.cpp: Added.
+ (JSC::JSArrayIterator::create):
+ (JSC::JSArrayIterator::createWithInitialValues):
+ (JSC::JSArrayIterator::createStructure):
+ (JSC::JSArrayIterator::JSArrayIterator):
+ (JSC::JSArrayIterator::finishCreation):
+ (JSC::JSArrayIterator::visitChildren):
+ * runtime/JSArrayIterator.h: Added.
+ * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::arrayIteratorPrototype const): + (JSC::JSGlobalObject::arrayIteratorStructure const): + * runtime/JSMapIterator.h: + * runtime/JSSetIterator.h: + * runtime/JSType.cpp: + (WTF::printInternal): + * runtime/JSType.h: + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::createTypedArrayIteratorObject): + (JSC::typedArrayViewProtoFuncValues): + (JSC::typedArrayProtoViewFuncEntries): + (JSC::typedArrayViewProtoFuncKeys): + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/VM.cpp: + * runtime/VM.h: + +2020-01-08 Michael Saboff + + Instruction.h: Multiplication result converted to larger type + https://bugs.webkit.org/show_bug.cgi?id=205945 + + Reviewed by Mark Lam. + + * bytecode/Instruction.h: + (JSC::BaseInstruction::size const): + Changed the types to size_t so that the computation is computed accordingly. + + +2020-01-08 Yusuke Suzuki + + Reduce binary size by purging C++ type information in Objective-C fields and parameters + https://bugs.webkit.org/show_bug.cgi?id=205905 + + Reviewed by Saam Barati. + + * API/JSWrapperMap.mm: + (-[JSObjCClassInfo dealloc]): + +2020-01-08 Saam Barati + + build-jsc should invoke make instead of calling xcodebuild directly + https://bugs.webkit.org/show_bug.cgi?id=205960 + + Reviewed by Keith Miller. + + The various jsc, and test* binaries can all be compiled in parallel. + This patch makes that happen when building with make via the CLI + that these are built in parallel. To make this work, in Xcode, I needed + to mark these binaries as depending on JavaScriptCore.framework. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Makefile: + +2020-01-08 Tuomas Karkkainen + + Add FuzzerAgents that narrow and widen number predictions + https://bugs.webkit.org/show_bug.cgi?id=203993 + + Reviewed by Yusuke Suzuki. 
+ + Add two FuzzerAgents such that for any predictions that are originally subsets of SpecFullNumber: + - one adds more number types to the prediction + - the other removes some of the number types from the prediction + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * runtime/NarrowingNumberPredictionFuzzerAgent.cpp: Added. + * runtime/NarrowingNumberPredictionFuzzerAgent.h: Added. + * runtime/NumberPredictionFuzzerAgent.cpp: Added. + * runtime/NumberPredictionFuzzerAgent.h: Added. + * runtime/OptionsList.h: + * runtime/VM.cpp: + * runtime/WideningNumberPredictionFuzzerAgent.cpp: Added. + * runtime/WideningNumberPredictionFuzzerAgent.h: Added. + +2020-01-08 Michael Saboff + + TypeProfiler.h: Multiplication result converted to larger type + https://bugs.webkit.org/show_bug.cgi?id=205947 + + Reviewed by Mark Lam. + + Added cast to keep the hash() calculation unsigned. + + * runtime/TypeProfiler.h: + (JSC::QueryKey::hash const): + +2020-01-08 Michael Saboff + + JSArrayBufferView.h: Multiplication result converted to larger type + https://bugs.webkit.org/show_bug.cgi?id=205943 + + Reviewed by Saam Barati. + + Added cast to size_t to make the whole calculation size_t. + + * runtime/JSArrayBufferView.h: + (JSC::JSArrayBufferView::sizeOf): + +2020-01-08 Alexey Shvayka + + Proxy's [[OwnPropertyKeys]] is correct only in PropertyNameMode::StringsAndSymbols + https://bugs.webkit.org/show_bug.cgi?id=205772 + + Reviewed by Ross Kirsling. + + This change fixes two spec compatibility issues: + (steps 8-11 of https://tc39.es/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys) + + 1. If Object.getOwnPropertyNames is called on Proxy with "ownKeys" trap, + symbol keys of Proxy's target are ignored during invariants validation. + + 2. If Object.getOwnPropertySymbols is called on Proxy with "ownKeys" trap, + string keys of Proxy's target are ignored during invariants validation. 
+ + Given that per spec `uncheckedResultKeys` contains both strings and symbols, + `seenKeys` and explanation comment about it is removed. + + Specifying PrivateSymbolMode::Exclude eliminates any chance of false TypeErrors + during invariants validation, since user code can't possibly return a private symbol + from "ownKeys" trap, yet an object with private symbols can be Proxy's target. + + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performGetOwnPropertyNames): + +2020-01-08 Alexey Shvayka + + RegExp.prototype[Symbol.replace] does not support named capture groups + https://bugs.webkit.org/show_bug.cgi?id=205783 + + Reviewed by Ross Kirsling. + + This patch adds named capture groups support to RegExp.prototype[Symbol.replace], + for both functional and string pattern replacement. + (steps 14.j-l of https://tc39.es/ecma262/#sec-regexp.prototype-@@replace) + + This method is used in slow path of String.prototype.replace (RegExp subclass handling), + yet it also can be invoked directly in user code. + + * builtins/RegExpPrototype.js: + (getSubstitution): + (Symbol.replace): + +2020-01-07 Saam Barati + + AI rule for ValueMod/ValueDiv produce constants with the wrong format when the result can be an int32 + https://bugs.webkit.org/show_bug.cgi?id=205906 + + + Reviewed by Yusuke Suzuki. + + The runtime code for ValueMod and ValueDiv produces an int32 when the result + is of int32 value. However, the AI was saying the result is in double format. + This patch fixes AI to produce a JSValue in the right format. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::handleConstantDivOp): + +2020-01-07 Said Abou-Hallawa + + Implement css3-images image-orientation + https://bugs.webkit.org/show_bug.cgi?id=89052 + + Reviewed by Simon Fraser. + + Remove the ENABLE_CSS_IMAGE_ORIENTATION feature flag. + + * Configurations/FeatureDefines.xcconfig: + +2020-01-07 Ross Kirsling + + Unreviewed restabilization of non-unified build. 
+ + * bytecode/MethodOfGettingAValueProfile.h: + * dfg/DFGVariableEvent.h: + * dfg/DFGVariableEventStream.cpp: + * interpreter/CheckpointOSRExitSideState.h: + +2020-01-07 Yusuke Suzuki + + [JSC] Remove vm accessor in JSVirtualMachine to reduce binary size + https://bugs.webkit.org/show_bug.cgi?id=205880 + + Reviewed by Mark Lam. + + Objective-C has reflection mechanism. This means that fields, methods, and their types + need to hold its string representations in binary even if we are using release build. + While typical Objective-C class does not have large size of type names, C++ struct / class + has very large one, and putting them in Objective-C method names, parameter types, or fields + makes binary size very large. + + By analyzing JavaScriptCore binary, I found that Objective-C method type symbols are taking 200~KB + binary size. (Section __objc_methtype: 235081 (addr 0x105e9a3 offset 17164707)). And it is due to + JSC::VM type included in `[JSVirtualMachine vm]` accessor. + + This patch removes this accessor and gets 200KB binary size reduction. + + * API/JSScript.mm: + (-[JSScript readCache]): + (-[JSScript sourceCode]): + (-[JSScript jsSourceCode]): + (-[JSScript writeCache:]): + * API/JSVirtualMachine.mm: + (-[JSVirtualMachine JSContextGroupRef]): + (-[JSVirtualMachine isWebThreadAware]): + (-[JSVirtualMachine vm]): Deleted. + * API/JSVirtualMachineInternal.h: + +2020-01-07 Keith Miller + + Unreviewed non-arm64e build fix. + + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + +2020-01-07 Keith Miller + + Bytecode checkpoint fixes for arm64(e) + https://bugs.webkit.org/show_bug.cgi?id=205871 + + Reviewed by Michael Saboff. + + The original bytecode checkpoint patch had a couple of bugs on + arm64(e). For arm64 generally, when osr exiting to an inline + varargs frame we didn't set the return value of callee before + moving the call frame register into a0 for the slow path + call. 
This meant we clobber the return value on arm64 as a0 == r0. + + On arm64e the osr exit compiler set the tag for the return pc for + an inline frame to JSEntryTag but the code expected + NoTag. Additionally, in the stack unwinder, we were using the + JSEntryTag but we should have been stripping the tag from the + stack value. + + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::callerReturnPC): + (JSC::DFG::reifyInlinedCallFrames): + * dfg/DFGOSRExitCompilerCommon.h: + * interpreter/Interpreter.cpp: + (JSC::UnwindFunctor::operator() const): + * llint/LowLevelInterpreter.asm: + +2020-01-07 Chris Fleizach + + AX: Enable ACCESSIBILITY_ISOLATED_TREE + https://bugs.webkit.org/show_bug.cgi?id=205535 + + + Reviewed by Zalan Bujtas. + + * Configurations/FeatureDefines.xcconfig: + +2020-01-06 Yoshiaki Jitsukawa + + [PlayStation] Update port cmake + https://bugs.webkit.org/show_bug.cgi?id=205846 + + Reviewed by Don Olmstead. + + * PlatformPlayStation.cmake: + Workaround of compilation errors with VisualStudio generator, which gives -std=c++* options to C sources. + +2020-01-06 Alexey Shvayka + + String.prototype.replace() incorrectly handles named references on RegExp w/o named groups + https://bugs.webkit.org/show_bug.cgi?id=205785 + + Reviewed by Ross Kirsling. + + This patch fixes substitution of named references by ignoring "$<" sequences + for a RegExp without named capture groups, removing some index tweaking. + (step 11 of https://tc39.es/ecma262/#sec-getsubstitution) + + Also this change removes 2 obsolete FIXMEs regarding possible spec changes. + + * runtime/StringPrototype.cpp: + (JSC::substituteBackreferencesSlow): + +2020-01-06 Mark Lam + + Convert ASSERT_DISABLED to ASSERT_ENABLED, and fix some tests of NDEBUG that should actually test for ASSERT_ENABLED. + https://bugs.webkit.org/show_bug.cgi?id=205776 + + Reviewed by Saam Barati. 
+ + * API/tests/testapi.c: + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::replaceWithLoad): + (JSC::ARM64Assembler::replaceWithAddressComputation): + * assembler/AssemblerBuffer.h: + (JSC::AssemblerBuffer::LocalWriter::LocalWriter): + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + * assembler/ProbeStack.cpp: + (JSC::Probe::Stack::Stack): + * assembler/ProbeStack.h: + * b3/B3FoldPathConstants.cpp: + * b3/B3LowerToAir.cpp: + * b3/B3MemoryValue.cpp: + (JSC::B3::MemoryValue::MemoryValue): + * b3/B3Opcode.cpp: + * b3/B3Type.h: + * b3/B3TypeMap.h: + * b3/B3Width.h: + * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: + (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration): + (JSC::B3::Air::GenerateAndAllocateRegisters::generate): + * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: + * b3/air/AirAllocateRegistersByGraphColoring.cpp: + * b3/air/AirArg.cpp: + * b3/air/AirArg.h: + * b3/air/AirCode.h: + * b3/air/AirEmitShuffle.cpp: + (JSC::B3::Air::emitShuffle): + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createExecutable): + * bytecode/AccessCase.cpp: + * bytecode/AccessCase.h: + * bytecode/CallVariant.cpp: + (JSC::variantListWithVariant): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndex): + * bytecode/CodeBlockHash.cpp: + (JSC::CodeBlockHash::dump const): + * bytecode/StructureStubInfo.cpp: + * bytecode/StructureStubInfo.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::FunctionCallResolveNode::emitBytecode): + * bytecompiler/RegisterID.h: + (JSC::RegisterID::RegisterID): + (JSC::RegisterID::setIndex): + * debugger/Debugger.cpp: + (JSC::Debugger::removeBreakpoint): + * debugger/DebuggerEvalEnabler.h: + (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler): + (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::observeTransitions): + * dfg/DFGAbstractValue.cpp: + * dfg/DFGAbstractValue.h: 
+ (JSC::DFG::AbstractValue::merge): + (JSC::DFG::AbstractValue::checkConsistency const): + (JSC::DFG::AbstractValue::assertIsRegistered const): + * dfg/DFGArithMode.h: + (JSC::DFG::doesOverflow): + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::BasicBlock): + * dfg/DFGBasicBlock.h: + (JSC::DFG::BasicBlock::didLink): + * dfg/DFGCFAPhase.cpp: + (JSC::DFG::CFAPhase::performBlockCFA): + * dfg/DFGCommon.h: + (JSC::DFG::validationEnabled): + * dfg/DFGCommonData.cpp: + (JSC::DFG::CommonData::finalizeCatchEntrypoints): + * dfg/DFGDesiredWatchpoints.h: + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGEdge.h: + (JSC::DFG::Edge::makeWord): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGJITCode.cpp: + (JSC::DFG::JITCode::finalizeOSREntrypoints): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * dfg/DFGScoreBoard.h: + (JSC::DFG::ScoreBoard::assertClear): + * dfg/DFGSlowPathGenerator.h: + (JSC::DFG::SlowPathGenerator::generate): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse): + (JSC::DFG::SpeculativeJIT::emitAllocateButterfly): + (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): + (JSC::DFG::SpeculativeJIT::compileMakeRope): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + * dfg/DFGStructureAbstractValue.cpp: + * dfg/DFGStructureAbstractValue.h: + (JSC::DFG::StructureAbstractValue::assertIsRegistered const): + * dfg/DFGVarargsForwardingPhase.cpp: + * dfg/DFGVirtualRegisterAllocationPhase.cpp: + (JSC::DFG::VirtualRegisterAllocationPhase::run): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::callPreflight): + (JSC::FTL::DFG::LowerDFGToB3::callCheck): + (JSC::FTL::DFG::LowerDFGToB3::crash): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): + * 
heap/BlockDirectory.cpp: + (JSC::BlockDirectory::assertNoUnswept): + * heap/GCSegmentedArray.h: + (JSC::GCArraySegment::GCArraySegment): + * heap/GCSegmentedArrayInlines.h: + (JSC::GCSegmentedArray::clear): + (JSC::GCSegmentedArray::expand): + (JSC::GCSegmentedArray::validatePrevious): + * heap/HandleSet.cpp: + * heap/HandleSet.h: + * heap/Heap.cpp: + (JSC::Heap::updateAllocationLimits): + * heap/Heap.h: + * heap/MarkedBlock.cpp: + * heap/MarkedBlock.h: + (JSC::MarkedBlock::assertValidCell const): + (JSC::MarkedBlock::assertMarksNotStale): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::beginMarking): + (JSC::MarkedSpace::endMarking): + (JSC::MarkedSpace::assertNoUnswept): + * heap/PreciseAllocation.cpp: + * heap/PreciseAllocation.h: + (JSC::PreciseAllocation::assertValidCell const): + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::SlotVisitor): + (JSC::SlotVisitor::appendJSCellOrAuxiliary): + * heap/SlotVisitor.h: + * inspector/InspectorProtocolTypes.h: + (Inspector::Protocol::BindingTraits>::assertValueHasExpectedType): + * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py: + (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): + (CppProtocolTypesImplementationGenerator): + (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum): + * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: + * interpreter/FrameTracers.h: + (JSC::JITOperationPrologueCallFrameTracer::JITOperationPrologueCallFrameTracer): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::Interpreter): + * interpreter/Interpreter.h: + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::prepareCallOperation): + * jit/BinarySwitch.cpp: + (JSC::BinarySwitch::BinarySwitch): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupStubArgs): + * jit/CallFrameShuffler.cpp: + (JSC::CallFrameShuffler::emitDeltaCheck): + 
(JSC::CallFrameShuffler::prepareAny): + * jit/JIT.cpp: + (JSC::JIT::assertStackPointerOffset): + (JSC::JIT::compileWithoutLinking): + * jit/JITOpcodes.cpp: + (JSC::JIT::emitSlow_op_loop_hint): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_from_scope): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_from_scope): + * jit/Repatch.cpp: + (JSC::linkPolymorphicCall): + * jit/ThunkGenerators.cpp: + (JSC::emitPointerValidation): + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LLIntOfflineAsmConfig.h: + * parser/Lexer.cpp: + * parser/Lexer.h: + (JSC::isSafeBuiltinIdentifier): + (JSC::Lexer::lexExpectIdentifier): + * runtime/ArgList.h: + (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck): + (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck): + * runtime/Butterfly.h: + (JSC::ContiguousData::ContiguousData): + (JSC::ContiguousData::Data::Data): + * runtime/HashMapImpl.h: + (JSC::HashMapImpl::checkConsistency const): + (JSC::HashMapImpl::assertBufferIsEmpty const): + * runtime/JSCellInlines.h: + (JSC::JSCell::methodTable const): + * runtime/JSFunction.cpp: + * runtime/JSFunction.h: + (JSC::JSFunction::assertTypeInfoFlagInvariants): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObject.h: + * runtime/JSObject.cpp: + (JSC::JSObject::visitChildren): + (JSC::JSFinalObject::visitChildren): + * runtime/JSObjectInlines.h: + (JSC::JSObject::validatePutOwnDataProperty): + * runtime/JSSegmentedVariableObject.h: + (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::Lexer::lex): + * runtime/LiteralParser.h: + * runtime/Operations.h: + (JSC::scribbleFreeCells): + * runtime/OptionsList.h: + * runtime/VM.cpp: + (JSC::VM::computeCanUseJIT): + * runtime/VM.h: + (JSC::VM::canUseJIT): + * runtime/VarOffset.h: + (JSC::VarOffset::checkSanity const): + * runtime/WeakMapImpl.h: + (JSC::WeakMapImpl::checkConsistency const): + 
(JSC::WeakMapImpl::assertBufferIsEmpty const): + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::validateInst): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::parseAndCompile): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::validationFail const): + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::checkConsistency): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast): + * wasm/WasmSectionParser.h: + * wasm/WasmSections.h: + * wasm/WasmSignatureInlines.h: + (JSC::Wasm::SignatureInformation::get): + * wasm/WasmWorklist.cpp: + (JSC::Wasm::Worklist::enqueue): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::previousInstanceOffset const): + +2020-01-06 Alexey Shvayka + + Proxy's [[OwnPropertyKeys]] is incorrect in DontEnumPropertiesMode::Exclude + https://bugs.webkit.org/show_bug.cgi?id=203818 + + Reviewed by Keith Miller. + + This change fixes two spec compatibility issues: + + 1. If Object.keys is called on Proxy w/o "ownKeys" trap, filtering non-enumerable + properties are not observed by "getOwnPropertyDescriptor" trap. + (step 4 of https://tc39.es/ecma262/#sec-enumerableownpropertynames) + + 2. If Object.keys is called on Proxy with "ownKeys" trap, non-enumerable + properties of Proxy's target are ignored during invariants validation. + (step 11 of https://tc39.es/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys) + + Instead of extracting DontEnum filtering to lambda function, a wrapper method for + ProxyObject::performGetOwnPropertyNames was introduced to avoid creating & + filling intermediate PropertyNameArray instance (in case of DontEnumPropertiesMode::Include) + and avoid having inner EnumerationMode in ProxyObject::performGetOwnPropertyNames. 
+ + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performGetOwnPropertyNames): + (JSC::ProxyObject::performGetOwnEnumerablePropertyNames): + (JSC::ProxyObject::getOwnPropertyNames): + * runtime/ProxyObject.h: + +2020-01-05 Sam Weinig + + Further simplify StringBuilder usage by standardizing hex formating to a single hex() function + https://bugs.webkit.org/show_bug.cgi?id=205759 + + Reviewed by Dean Jackson. + + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::json): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::encode): + (JSC::globalFuncEscape): + Replace appendUnsignedAsHex() and appendByteAsHex() with append(hex()). + +2020-01-05 Ross Kirsling + + JavaScript: Invalid date parse for ISO 8601 strings when no timezone given + https://bugs.webkit.org/show_bug.cgi?id=89071 + + Reviewed by Darin Adler. + + Since ES2016, the specification for Date.parse has included the following statement: + When the UTC offset representation is absent, date-only forms are interpreted as a UTC time + and date-time forms are interpreted as a local time. + + This patch updates us from the old ES5 behavior, which treated offsetless date-time forms as UTC. + + * runtime/JSDateMath.cpp: + (JSC::parseDateFromNullTerminatedCharacters): + (JSC::parseES5DateFromNullTerminatedCharacters): Added. + (JSC::parseDate): + * runtime/JSDateMath.h: + Make a local time adjustment if necessary after calling WTF::parseES5DateFromNullTerminatedCharacters. + +2020-01-04 Alexey Shvayka + + JSON.parse should initialize wrapper object with [[DefineOwnProperty]] + https://bugs.webkit.org/show_bug.cgi?id=205767 + + Reviewed by Darin Adler. + + This patch makes JSON.parse use [[DefineOwnProperty]] instead of [[Set]] to initialize wrapper object, + aligning JSC with the spec (step 7.c of https://tc39.es/ecma262/#sec-json.parse) and other engines. + Performing [[Set]] was observable by a setter on Object.prototype (with empty String key). + Also removes two extra exceptions checks. 
+ + * runtime/JSONObject.cpp: + (JSC::Stringifier::stringify): + (JSC::Walker::walk): + +2020-01-02 Yusuke Suzuki + + [JSC] MarkedBlock::Handle and BlockDirectory should be shrunk + https://bugs.webkit.org/show_bug.cgi?id=205712 + + Reviewed by Mark Lam. + + This patch shrinks MarkedBlock::Handle and BlockDirectory by leveraging the fact that Vector's size and capacity is unsigned. + In these data structures, we use `size_t` to hold a index, but this can be converted to unsigned since we guarantee that this + never exceeds unsigned since these numbers are derived from Vector's size / capacity, or index inside MarkedBlock (which is up + to 64KB in some architectures). MarkedBlock::Handle is allocated per MarkedBlock, and in Gmail, it takes 1MB. We can save + some bytes just using `unsigned`. In addition, this patch removes `m_prev` and `m_next` fields in MarkedBlock::Handle since + it is never used. + + * heap/AtomIndices.h: + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::findBlockForAllocation): + (JSC::BlockDirectory::addBlock): + * heap/IsoCellSet.cpp: + (JSC::IsoCellSet::addSlow): + (JSC::IsoCellSet::didResizeBits): + (JSC::IsoCellSet::didRemoveBlock): + * heap/IsoCellSet.h: + * heap/IsoCellSetInlines.h: + (JSC::IsoCellSet::forEachMarkedCell): + (JSC::IsoCellSet::forEachMarkedCellInParallel): + (JSC::IsoCellSet::forEachLiveCell): + * heap/IsoSubspace.cpp: + (JSC::IsoSubspace::didResizeBits): + (JSC::IsoSubspace::didRemoveBlock): + * heap/IsoSubspace.h: + * heap/LocalAllocator.h: + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::didAddToDirectory): + (JSC::MarkedBlock::Handle::didRemoveFromDirectory): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::Handle::index const): + * heap/Subspace.cpp: + (JSC::Subspace::didResizeBits): + (JSC::Subspace::didRemoveBlock): + * heap/Subspace.h: + +2020-01-03 Simon Fraser + + Add some shared schemes to the WebKit.xcworkspace + https://bugs.webkit.org/show_bug.cgi?id=205698 + + Reviewed by Tim Horton. 
+ + Make WebKit.xcworkspace show the following schemes by default: + All Source + All Tools + WTF + JavaScriptCore + WebCore + WebKit + WebKitLegacy + DumpRenderTree + WebKitTestRunner + TestWebKitAPI + MiniBrowser + MobileMiniBrowser. + + Also remove the MobileMiniBrowserUITests scheme. + + * JavaScriptCore.xcodeproj/xcshareddata/xcschemes/JavaScriptCore.xcscheme: Copied from Tools/MobileMiniBrowser/MobileMiniBrowser.xcodeproj/xcshareddata/xcschemes/MobileMiniBrowserUITests.xcscheme. + +2020-01-03 Saam Barati + + B3::ReduceLoopStrength should not do range based iteration on a vector it's mutating + https://bugs.webkit.org/show_bug.cgi?id=205703 + + + Reviewed by Mark Lam. + + B3::ReduceLoopStrength had code that did: + ``` + for (BasicBlock* pred : loopPostfooter->predecessors()) + loopPostfooter->removePredecessor(pred); + ``` + + This is wrong, since it's doing a range based iteration over the vector it is + mutating. The fix is to just do: + ``` + while (loopPostfooter->predecessors().size()) + loopPostfooter->removePredecessor(loopPostfooter->predecessors()[0]); + ``` + + * b3/B3ReduceLoopStrength.cpp: + (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy): + +2020-01-03 Saam Barati + + AI rule for PutById can only observe transitions when it watches the condition + https://bugs.webkit.org/show_bug.cgi?id=205697 + + + Reviewed by Yusuke Suzuki. + + There was a bug in AI where we were capturing a PutByIdStatus and + emitting a structure transition in AI state based on the variants inside this + PutByIdStatus. This, in principal, is a valid static analysis to perform. + However, we can only do this if we ensure that the snapshot we have in the + PutByIdStatus holds at runtime. We can do this by watching the property conditions + for the various variants. AI forgot to watch these conditions. This patch fixes that. 
+ In practice, this also means we need to be slightly more strict about stating to + AI when we transition since some object property conditions aren't watchable, and need + to be verified at runtime via structure checks. This is ok in practice, since + we'll emit the code to do that inside constant folding (constant folding was + already doing this), which will continue to report the precise transition in + the abstract state. + + * dfg/DFGAbstractInterpreter.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + +2020-01-02 Yusuke Suzuki and Simon Fraser + + Experiment: create lots of different malloc zones for easier accounting of memory use + https://bugs.webkit.org/show_bug.cgi?id=186422 + + Reviewed by Saam Barati. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * assembler/AssemblerBuffer.cpp: Copied from Source/JavaScriptCore/bytecode/InstructionStream.cpp. 
+ * assembler/AssemblerBuffer.h: + (JSC::AssemblerData::AssemblerData): + (JSC::AssemblerData::operator=): + (JSC::AssemblerData::~AssemblerData): + (JSC::AssemblerData::grow): + * bytecode/AccessCase.cpp: + * bytecode/AccessCase.h: + * bytecode/BytecodeBasicBlock.cpp: + * bytecode/BytecodeBasicBlock.h: + * bytecode/CodeBlock.cpp: + * bytecode/CodeBlock.h: + * bytecode/InstructionStream.cpp: + * bytecode/InstructionStream.h: + * bytecode/PolymorphicAccess.cpp: + * bytecode/PolymorphicAccess.h: + * bytecode/UnlinkedMetadataTable.cpp: + (JSC::UnlinkedMetadataTable::finalize): + * bytecode/UnlinkedMetadataTable.h: + * bytecode/UnlinkedMetadataTableInlines.h: + (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable): + (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable): + (JSC::UnlinkedMetadataTable::link): + (JSC::UnlinkedMetadataTable::unlink): + * bytecode/ValueProfile.h: + (JSC::ValueProfileAndVirtualRegisterBuffer::ValueProfileAndVirtualRegisterBuffer): + * bytecode/Watchpoint.cpp: + * bytecode/Watchpoint.h: + * dfg/DFGBasicBlock.cpp: + * dfg/DFGBasicBlock.h: + * dfg/DFGNode.cpp: + * dfg/DFGNode.h: + * dfg/DFGSpeculativeJIT.cpp: + * dfg/DFGSpeculativeJIT.h: + * heap/BlockDirectory.cpp: + * heap/BlockDirectory.h: + * heap/FastMallocAlignedMemoryAllocator.cpp: + (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator): + (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory): + (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory): + (JSC::FastMallocAlignedMemoryAllocator::tryAllocateMemory): + (JSC::FastMallocAlignedMemoryAllocator::freeMemory): + (JSC::FastMallocAlignedMemoryAllocator::tryReallocateMemory): + * heap/FastMallocAlignedMemoryAllocator.h: + * heap/GCSegmentedArray.cpp: Copied from Source/JavaScriptCore/parser/SourceProviderCache.cpp. 
+ * heap/GCSegmentedArray.h: + * heap/GCSegmentedArrayInlines.h: + (JSC::GCArraySegment::create): + (JSC::GCArraySegment::destroy): + * heap/GigacageAlignedMemoryAllocator.cpp: + (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator): + (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory): + (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory): + (JSC::GigacageAlignedMemoryAllocator::tryAllocateMemory): + (JSC::GigacageAlignedMemoryAllocator::freeMemory): + (JSC::GigacageAlignedMemoryAllocator::tryReallocateMemory): + * heap/GigacageAlignedMemoryAllocator.h: + * heap/IsoAlignedMemoryAllocator.cpp: + (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator): + (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator): + (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory): + (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory): + (JSC::IsoAlignedMemoryAllocator::tryAllocateMemory): + (JSC::IsoAlignedMemoryAllocator::freeMemory): + * heap/IsoAlignedMemoryAllocator.h: + * heap/IsoSubspace.cpp: + (JSC::IsoSubspace::IsoSubspace): + * heap/MarkedBlock.cpp: + * heap/MarkedBlock.h: + * heap/WeakBlock.cpp: + (JSC::WeakBlock::create): + (JSC::WeakBlock::destroy): + * heap/WeakBlock.h: + * jit/JITCode.cpp: + * jit/JITCode.h: + * jit/RegisterAtOffsetList.cpp: + * jit/RegisterAtOffsetList.h: + * parser/Nodes.cpp: + * parser/Nodes.h: + * parser/ParserArena.cpp: + (JSC::ParserArena::deallocateObjects): + (JSC::ParserArena::allocateFreeablePool): + * parser/ParserArena.h: + * parser/SourceProvider.cpp: + * parser/SourceProvider.h: + * parser/SourceProviderCache.cpp: + * parser/SourceProviderCache.h: + * parser/SourceProviderCacheItem.h: + (JSC::SourceProviderCacheItem::create): + * runtime/CachePayload.cpp: + (JSC::CachePayload::makeMallocPayload): + * runtime/CachePayload.h: + * runtime/CachedBytecode.h: + (JSC::CachedBytecode::create): + * runtime/CachedTypes.cpp: + (JSC::Encoder::release): + (JSC::Encoder::Page::Page): + 
(JSC::CachedVector::encode): + (JSC::CachedVector::decode const): + (JSC::CachedInstructionStream::decode const): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::rehash): + * runtime/PropertyTable.cpp: + (JSC::PropertyTable::PropertyTable): + (JSC::PropertyTable::~PropertyTable): + * runtime/SymbolTable.cpp: + * runtime/SymbolTable.h: + * runtime/VM.cpp: + (JSC::VM::~VM): + * runtime/VM.h: + (JSC::ScratchBuffer::create): + (JSC::VM::exceptionFuzzingBuffer): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + * wasm/WasmInstance.h: + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::Table): + (JSC::Wasm::FuncRefTable::FuncRefTable): + * wasm/WasmTable.h: + +2020-01-02 Yusuke Suzuki + + REGRESSION (r253867): Six test262 tests broken + https://bugs.webkit.org/show_bug.cgi?id=205583 + + Reviewed by Mark Lam. + + If a function has empty name, a bound function should have "bound " name. + But Intl prototypes' bound functions are exceptions: these JSBoundFunctions have empty name. + In this patch, we pass `nullptr` for the JSBoundFunction::create's nameMayBeNull parameter of Intl prototypes' bound functions, + to generate empty string name for these bound functions instead of "bound "[1]. + This fixes test262 failures. 
+ + [1]: https://tc39.es/ecma402/#sec-collator-compare-functions + + * runtime/IntlCollatorPrototype.cpp: + (JSC::IntlCollatorPrototypeGetterCompare): + * runtime/IntlDateTimeFormatPrototype.cpp: + (JSC::IntlDateTimeFormatPrototypeGetterFormat): + * runtime/IntlNumberFormatPrototype.cpp: + (JSC::IntlNumberFormatPrototypeGetterFormat): + * runtime/JSBoundFunction.cpp: + (JSC::JSBoundFunction::create): + (JSC::JSBoundFunction::JSBoundFunction): + (JSC::JSBoundFunction::visitChildren): + * runtime/JSBoundFunction.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::reifyLazyBoundNameIfNeeded): + * runtime/SmallStrings.cpp: + (JSC::SmallStrings::initializeCommonStrings): + * runtime/SmallStrings.h: + (JSC::SmallStrings::boundPrefixString const): + +2020-01-02 Sam Weinig + + Simplify StringBuilder API/align with makeString by removing appendFixed* functions and using FormatNumber struct instead + https://bugs.webkit.org/show_bug.cgi?id=205671 + + Reviewed by Alex Christensen. + + * API/tests/ExecutionTimeLimitTest.cpp: + (testExecutionTimeLimit): + * runtime/Options.cpp: + (JSC::OptionReader::Option::dump const): + Replace all uses of builder.appendFixedPrecisionNumber(...) with builder.append(FormattedNumber::fixedPrecision(...)). + +2020-01-01 Mark Lam + + Declare some classes as final. + https://bugs.webkit.org/show_bug.cgi?id=205670 + + Reviewed by Sam Weinig. + + There are a few "Status" classes, all of whom have static computeFor() methods. + All of these classes do not have derived classes, and are independent of each + others in terms of inheritance relationships. By explicitly declaring them as + final, we can make it clear that a call to any unqualified computeFor() methods + within one of these classes must be from the self class, and that external calls + to any given computeFor() method qualified with a class name is defined in that + class (and is not inherited from another class). 
+ + This detail may already be known to folks who are familiar with these classes. + Declaring them as final helps surface this independence for readers of the code + who is not already in the know. + + * bytecode/CallLinkStatus.h: + * bytecode/ComplexGetStatus.h: + * bytecode/GetByStatus.h: + * bytecode/InByIdStatus.h: + * bytecode/InstanceOfStatus.h: + * bytecode/PutByIdStatus.h: + +2019-12-22 Jeff Miller + + Update user-visible copyright strings to include 2020 + https://bugs.webkit.org/show_bug.cgi?id=205552 + + Reviewed by Darin Adler. + + * Info.plist: + +2019-12-20 Darin Adler + + Tidy a bit of StringBuilder usage + https://bugs.webkit.org/show_bug.cgi?id=205509 + + Reviewed by Sam Weinig. + + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): Remove unneeded check that + duplicates range checking that StringBuilder::appendSubstring does. + +2019-12-30 Yusuke Suzuki + + Unreviewed, build fix after r253904 + https://bugs.webkit.org/show_bug.cgi?id=205553 + + * bytecompiler/BytecodeGeneratorBaseInlines.h: + (JSC::BytecodeGeneratorBase::alignWideOpcode16): + (JSC::BytecodeGeneratorBase::alignWideOpcode32): + +2019-12-30 Carlos Alberto Lopez Perez + + REGRESSION(r253896): [GTK][WPE] Broke the build with GCC-7 + https://bugs.webkit.org/show_bug.cgi?id=205649 + + Reviewed by Mark Lam. + + Add WTF_INTERNAL macro to explicitly adjust the symbol visibility. + + * llint/LLIntSlowPaths.h: + +2019-12-29 Yusuke Suzuki + + [JSC] Remove WTF::loadLoadFence from JSFunction::rareData() + https://bugs.webkit.org/show_bug.cgi?id=205625 + + Reviewed by Mark Lam. + + WTF::loadLoadFence() is not necessary when loading FunctionRareData from JSFunction since we ensured that stored FunctionRareData + is already baked by emitting WTF::storeStoreFence(). + + * runtime/JSFunction.h: + (JSC::JSFunction::rareData const): + (JSC::JSFunction::rareData): Deleted. 
+ * runtime/JSFunctionInlines.h:
+ (JSC::JSFunction::hasReifiedLength const):
+ (JSC::JSFunction::hasReifiedName const):
+ (JSC::JSFunction::areNameAndLengthOriginal):
+ (JSC::JSFunction::ensureRareDataAndAllocationProfile):
+
+2019-12-28 Yusuke Suzuki
+
+ Unreviewed, rename `.executable` to `.isExecutable`
+ https://bugs.webkit.org/show_bug.cgi?id=205554
+
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2019-12-28 Yusuke Suzuki
+
+ [JSC] JSFunction's m_executable / m_rareData should be merged
+ https://bugs.webkit.org/show_bug.cgi?id=205554
+
+ Reviewed by Mark Lam.
+
+ This patch merges JSFunction::m_executable and JSFunction::m_rareData fields into one JSFunction::m_executableOrRareData field.
+ JSFunction is one of the most frequently allocated objects (e.g. it is common that anonymous JSFunction expression is used as a scope).
+ If we can save sizeof(JSFunction), we can get great savings in memory usage.
+
+ JSFunction::m_scope field is touched every time we execute this function. (op_get_scope, or obtaining JSGlobalObject for host functions).
+ On the other hand, m_executable field can be skipped if JSFunction call is cached by CallLinkInfo. So compared to JSFunction::m_scope,
+ this field is less frequently touched. So, we merge m_executable and m_rareData fields into one, m_executableOrRareData. When it holds
+ ExecutableBase*, we do nothing. But when we create FunctionRareData, we put ExecutableBase in FunctionRareData and store FunctionRareData
+ to JSFunction::m_executableOrRareData field with `0x1` flag.
+
+ This patch reduces sizeof(JSFunction) from 48 to 32.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+ (JSC::DFG::SpeculativeJIT::compileGetExecutable):
+ (JSC::DFG::SpeculativeJIT::compileCreateThis):
+ (JSC::DFG::SpeculativeJIT::compileCreatePromise):
+ (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_create_this):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_create_this):
+ * jit/Repatch.cpp:
+ (JSC::linkPolymorphicCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ (JSC::nativeForGenerator):
+ (JSC::boundFunctionCallGenerator):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/FunctionRareData.cpp:
+ (JSC::FunctionRareData::create):
+ (JSC::FunctionRareData::visitChildren):
+ (JSC::FunctionRareData::FunctionRareData):
+ * runtime/FunctionRareData.h:
+ * runtime/JSBoundFunction.cpp:
+ (JSC::JSBoundFunction::create):
+ (JSC::JSBoundFunction::JSBoundFunction):
+ * runtime/JSBoundFunction.h:
+ * runtime/JSCustomGetterSetterFunction.cpp:
+ (JSC::JSCustomGetterSetterFunction::JSCustomGetterSetterFunction):
+ (JSC::JSCustomGetterSetterFunction::create):
+ * runtime/JSCustomGetterSetterFunction.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::create):
+ (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined):
+ (JSC::JSFunction::JSFunction):
+ (JSC::JSFunction::finishCreation):
+ (JSC::JSFunction::allocateRareData):
+ (JSC::JSFunction::allocateAndInitializeRareData):
+ (JSC::JSFunction::initializeRareData):
+ (JSC::JSFunction::visitChildren):
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::defineOwnProperty):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::executable const):
+ (JSC::JSFunction::offsetOfExecutableOrRareData):
+ (JSC::JSFunction::rareData):
+ (JSC::JSFunction::offsetOfExecutable): Deleted.
+ (JSC::JSFunction::offsetOfRareData): Deleted.
+ * runtime/JSFunctionInlines.h:
+ (JSC::JSFunction::JSFunction):
+ (JSC::JSFunction::jsExecutable const):
+ (JSC::JSFunction::isHostFunction const):
+ (JSC::JSFunction::nativeFunction):
+ (JSC::JSFunction::nativeConstructor):
+ (JSC::JSFunction::hasReifiedLength const):
+ (JSC::JSFunction::hasReifiedName const):
+ (JSC::JSFunction::areNameAndLengthOriginal):
+ (JSC::JSFunction::ensureRareDataAndAllocationProfile):
+ * runtime/JSNativeStdFunction.cpp:
+ (JSC::JSNativeStdFunction::JSNativeStdFunction):
+ (JSC::JSNativeStdFunction::create):
+ * runtime/JSNativeStdFunction.h:
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::create):
+ (JSC::WebAssemblyFunction::WebAssemblyFunction):
+ * wasm/js/WebAssemblyFunction.h:
+ * wasm/js/WebAssemblyFunctionBase.cpp:
+ (JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase):
+ * wasm/js/WebAssemblyFunctionBase.h:
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
+ (JSC::WebAssemblyWrapperFunction::create):
+ * wasm/js/WebAssemblyWrapperFunction.h:
+
+2019-12-28 Yusuke Suzuki
+
+ [JSC] StructureChain should hold vector of StructureID
+ https://bugs.webkit.org/show_bug.cgi?id=205592
+
+ Reviewed by Mark Lam.
+
+ StructureChain should keep vector of StructureID instead of Structure* to minimize the size of vector.
+
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSPropertyNameEnumerator.h:
+ (JSC::propertyNameEnumerator):
+ * runtime/ProxyObject.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::canCachePropertyNameEnumerator const):
+ * runtime/Structure.h:
+ * runtime/StructureChain.cpp:
+ (JSC::StructureChain::StructureChain):
+ (JSC::StructureChain::create):
+ (JSC::StructureChain::finishCreation):
+ (JSC::StructureChain::visitChildren):
+ * runtime/StructureChain.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::isValid const):
+
+2019-12-25 Yusuke Suzuki
+
+ [JSC] Compact Bytecodes more by emitting 1-byte Opcode
+ https://bugs.webkit.org/show_bug.cgi?id=205553
+
+ Reviewed by Keith Miller.
+
+ When emitting 16bit / 32bit bytecodes, we also emit 16bit / 32bit Opcode.
+ So the layout is the following.
+
+ 8bit 16bit 16bit 16bit
+ - [op_wide16][ Opcode ][ Operand0 ][ Operand1 ]
+
+ But this is unnecessary since Opcode must fit in 8bit. We should emit Opcode in 8bit in all cases.
+
+ 8bit 8bit 16bit 16bit
+ - [op_wide16][Opcode][ Operand0 ][ Operand1 ]
+
+ * bytecode/Instruction.h:
+ (JSC::BaseInstruction::size const):
+ * bytecompiler/BytecodeGeneratorBaseInlines.h:
+ (JSC::BytecodeGeneratorBase::alignWideOpcode16):
+ (JSC::BytecodeGeneratorBase::alignWideOpcode32):
+ * generator/Argument.rb:
+ * generator/Opcode.rb:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * llint/WebAssembly.asm:
+
+2019-12-24 Keith Miller
+
+ Fix ARM64E by adding missing pointer tag.
+
+ * llint/LowLevelInterpreter.asm:
+
+2019-12-23 Keith Miller
+
+ DFG/FTL should be able to exit to the middle of a bytecode
+ https://bugs.webkit.org/show_bug.cgi?id=205232
+
+ Reviewed by Saam Barati.
+
+ It can be valuable to exit to the middle of a bytecode for a couple of reasons.
+ 1) It can be used to combine bytecodes that share a majority of their operands, reducing bytecode steam size.
+ 2) It enables creating bytecodes that are easier to reconstruct useful optimization information from.
+
+ To make exiting to the middle of a bytecode possible this patch
+ introduces the concept of a temporary operand. A temporary operand
+ is one that contains the result of effectful operations during the
+ process of executing a bytecode. tmp operands have no meaning when
+ executing in the LLInt or Baseline and are only used in the DFG to
+ preserve information for OSR exit. We use the term checkpoint to
+ refer to any point where an effectful component of a bytecode executes.
+ For example, in op_call_varargs there are two checkpoints the first is
+ before we have determined the number of variable arguments and the second
+ is the actual call.
+
+ When the DFG OSR exits if there are any active checkpoints inline
+ call stack we will emit a jit probe that allocates a side state
+ object keyed off the frame pointer of the bytecode whose
+ checkpoint needs to be finished. We need side state because we may
+ recursively inline several copies of the same
+ function. Alternatively, we could call back into ourselves after
+ OSR and exit again from optimized code before finishing the
+ checkpoint of our caller.
+
+ Another thing we need to be careful of is making sure we remove
+ side state as we unwind for an exception. To make sure we do this
+ correctly I've added an assertion to JSLock that there are no
+ pending checkpoint side states on the vm when releasing the lock.
+
+ A large amount of this patch is trying to remove as much code that
+ refers to virtual registers as an int as possible. Instead, this
+ patch replaces them with the VirtualRegister class. There are also
+ a couple of new classes/enums added to JSC:
+
+ 1) There is now a class, Operand, that represents the combination
+ of a VirtualRegister and a temporary. This is handy in the DFG to
+ model OSR exit values all together. Additionally, Operands has
+ been updated to work with respect to Operand values.
+
+ 2) CallFrameSlot is now an enum class instead of a struct of
+ constexpr values. This lets us implicitly convert CallFrameSlots
+ to VirtualRegisters without allowing all ints to implicity
+ convert.
+
+ 3) FTL::SelectPredictability is a new enum that describes to the
+ FTL whether or not we think a select is going to be
+ predictable. SelectPredictability has four options: Unpredictable,
+ Predictable, LeftLikely, and RightLikely. Unpredictable means we
+ think a branch predictor won't do a good job guessing this value
+ so we should compile the select to a cmov. The other options mean
+ we either think we are going to pick the same value every time or
+ there's a reasonable chance the branch predictor will be able to
+ guess the value.
+
+ In order to validate the correctness of this patch the various
+ varargs call opcodes have been reworked to use checkpoints. This
+ also fixed a long-standing issue where we could call length
+ getters twice if we OSR exit during LoadVarargs but before the
+ actually call.
+
+ Lastly, we have not enabled the probe-based OSR exit for a long
+ time in production, thus this patch removes that code since it
+ would be a non-trivial amount of work to get checkpoints working
+ with probe OSR.
+
+ * CMakeLists.txt:
+ * DerivedSources-input.xcfilelist:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/MacroAssemblerCodeRef.h:
+ * assembler/ProbeFrame.h:
+ (JSC::Probe::Frame::operand):
+ (JSC::Probe::Frame::setOperand):
+ * b3/testb3.h:
+ (populateWithInterestingValues):
+ (floatingPointOperands):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/AccessCaseSnippetParams.cpp:
+ (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumperBase::dumpValue):
+ (JSC::BytecodeDumper::registerName const):
+ (JSC::BytecodeDumper::constantName const):
+ (JSC::Wasm::BytecodeDumper::constantName const):
+ * bytecode/BytecodeDumper.h:
+ * bytecode/BytecodeIndex.cpp:
+ (JSC::BytecodeIndex::dump const):
+ * bytecode/BytecodeIndex.h:
+ (JSC::BytecodeIndex::BytecodeIndex):
+ (JSC::BytecodeIndex::offset const):
+ (JSC::BytecodeIndex::checkpoint const):
+ (JSC::BytecodeIndex::asBits const):
+ (JSC::BytecodeIndex::hash const):
+ (JSC::BytecodeIndex::operator bool const):
+ (JSC::BytecodeIndex::pack):
+ (JSC::BytecodeIndex::fromBits):
+ * bytecode/BytecodeList.rb:
+ * bytecode/BytecodeLivenessAnalysis.cpp:
+ (JSC::enumValuesEqualAsIntegral):
+ (JSC::tmpLivenessForCheckpoint):
+ * bytecode/BytecodeLivenessAnalysis.h:
+ * bytecode/BytecodeLivenessAnalysisInlines.h:
+ (JSC::virtualRegisterIsAlwaysLive):
+ (JSC::virtualRegisterThatIsNotAlwaysLiveIsLive):
+ (JSC::virtualRegisterIsLive):
+ (JSC::operandIsAlwaysLive): Deleted.
+ (JSC::operandThatIsNotAlwaysLiveIsLive): Deleted.
+ (JSC::operandIsLive): Deleted.
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::bytecodeIndexForExit const):
+ (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow):
+ (JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::numTmps const):
+ (JSC::CodeBlock::isKnownNotImmediate):
+ (JSC::CodeBlock::isTemporaryRegister):
+ (JSC::CodeBlock::constantRegister):
+ (JSC::CodeBlock::getConstant const):
+ (JSC::CodeBlock::constantSourceCodeRepresentation const):
+ (JSC::CodeBlock::replaceConstant):
+ (JSC::CodeBlock::isTemporaryRegisterIndex): Deleted.
+ (JSC::CodeBlock::isConstantRegisterIndex): Deleted.
+ * bytecode/CodeOrigin.h:
+ * bytecode/FullBytecodeLiveness.h:
+ (JSC::FullBytecodeLiveness::virtualRegisterIsLive const):
+ (JSC::FullBytecodeLiveness::operandIsLive const): Deleted.
+ * bytecode/InlineCallFrame.h:
+ (JSC::InlineCallFrame::InlineCallFrame):
+ (JSC::InlineCallFrame::setTmpOffset):
+ (JSC::CodeOrigin::walkUpInlineStack const):
+ (JSC::CodeOrigin::inlineStackContainsActiveCheckpoint const):
+ (JSC::remapOperand):
+ (JSC::unmapOperand):
+ (JSC::CodeOrigin::walkUpInlineStack): Deleted.
+ * bytecode/LazyOperandValueProfile.h:
+ (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
+ (JSC::LazyOperandValueProfileKey::hash const):
+ (JSC::LazyOperandValueProfileKey::operand const):
+ * bytecode/MethodOfGettingAValueProfile.cpp:
+ (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
+ (JSC::MethodOfGettingAValueProfile::emitReportValue const):
+ (JSC::MethodOfGettingAValueProfile::reportValue):
+ * bytecode/MethodOfGettingAValueProfile.h:
+ * bytecode/Operands.h:
+ (JSC::Operand::Operand):
+ (JSC::Operand::tmp):
+ (JSC::Operand::kind const):
+ (JSC::Operand::value const):
+ (JSC::Operand::virtualRegister const):
+ (JSC::Operand::asBits const):
+ (JSC::Operand::isTmp const):
+ (JSC::Operand::isArgument const):
+ (JSC::Operand::isLocal const):
+ (JSC::Operand::isHeader const):
+ (JSC::Operand::isConstant const):
+ (JSC::Operand::toArgument const):
+ (JSC::Operand::toLocal const):
+ (JSC::Operand::operator== const):
+ (JSC::Operand::isValid const):
+ (JSC::Operand::fromBits):
+ (JSC::Operands::Operands):
+ (JSC::Operands::numberOfLocals const):
+ (JSC::Operands::numberOfTmps const):
+ (JSC::Operands::tmpIndex const):
+ (JSC::Operands::argumentIndex const):
+ (JSC::Operands::localIndex const):
+ (JSC::Operands::tmp):
+ (JSC::Operands::tmp const):
+ (JSC::Operands::argument):
+ (JSC::Operands::argument const):
+ (JSC::Operands::local):
+ (JSC::Operands::local const):
+ (JSC::Operands::sizeFor const):
+ (JSC::Operands::atFor):
+ (JSC::Operands::atFor const):
+ (JSC::Operands::ensureLocals):
+ (JSC::Operands::ensureTmps):
+ (JSC::Operands::getForOperandIndex):
+ (JSC::Operands::getForOperandIndex const):
+ (JSC::Operands::operandIndex const):
+ (JSC::Operands::operand):
+ (JSC::Operands::operand const):
+ (JSC::Operands::hasOperand const):
+ (JSC::Operands::setOperand):
+ (JSC::Operands::at const):
+ (JSC::Operands::at):
+ (JSC::Operands::operator[] const):
+ (JSC::Operands::operator[]):
+ (JSC::Operands::operandForIndex const):
+ (JSC::Operands::operator== const):
+ (JSC::Operands::isArgument const): Deleted.
+ (JSC::Operands::isLocal const): Deleted.
+ (JSC::Operands::virtualRegisterForIndex const): Deleted.
+ (JSC::Operands::setOperandFirstTime): Deleted.
+ * bytecode/OperandsInlines.h:
+ (JSC::Operand::dump const):
+ (JSC::Operands::dumpInContext const):
+ (JSC::Operands::dump const):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::hasCheckpoints const):
+ (JSC::UnlinkedCodeBlock::setHasCheckpoints):
+ (JSC::UnlinkedCodeBlock::constantRegister const):
+ (JSC::UnlinkedCodeBlock::getConstant const):
+ (JSC::UnlinkedCodeBlock::isConstantRegisterIndex const): Deleted.
+ * bytecode/ValueProfile.h:
+ (JSC::ValueProfileAndVirtualRegisterBuffer::ValueProfileAndVirtualRegisterBuffer):
+ (JSC::ValueProfileAndVirtualRegisterBuffer::~ValueProfileAndVirtualRegisterBuffer):
+ (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer): Deleted.
+ (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer): Deleted.
+ (JSC::ValueProfileAndOperandBuffer::forEach): Deleted.
+ * bytecode/ValueRecovery.cpp:
+ (JSC::ValueRecovery::recover const):
+ * bytecode/ValueRecovery.h:
+ * bytecode/VirtualRegister.h:
+ (JSC::virtualRegisterIsLocal):
+ (JSC::virtualRegisterIsArgument):
+ (JSC::VirtualRegister::VirtualRegister):
+ (JSC::VirtualRegister::isValid const):
+ (JSC::VirtualRegister::isLocal const):
+ (JSC::VirtualRegister::isArgument const):
+ (JSC::VirtualRegister::isConstant const):
+ (JSC::VirtualRegister::toConstantIndex const):
+ (JSC::operandIsLocal): Deleted.
+ (JSC::operandIsArgument): Deleted.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::initializeNextParameter):
+ (JSC::BytecodeGenerator::initializeParameters):
+ (JSC::BytecodeGenerator::emitEqualityOpImpl):
+ (JSC::BytecodeGenerator::emitCallVarargs):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::setUsesCheckpoints):
+ * bytecompiler/RegisterID.h:
+ (JSC::RegisterID::setIndex):
+ * dfg/DFGAbstractHeap.cpp:
+ (JSC::DFG::AbstractHeap::Payload::dumpAsOperand const):
+ (JSC::DFG::AbstractHeap::dump const):
+ * dfg/DFGAbstractHeap.h:
+ (JSC::DFG::AbstractHeap::Payload::Payload):
+ (JSC::DFG::AbstractHeap::AbstractHeap):
+ (JSC::DFG::AbstractHeap::operand const):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGArgumentPosition.h:
+ (JSC::DFG::ArgumentPosition::dump):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGArgumentsUtilities.cpp:
+ (JSC::DFG::argumentsInvolveStackSlot):
+ (JSC::DFG::emitCodeToGetArgumentsArrayLength):
+ * dfg/DFGArgumentsUtilities.h:
+ * dfg/DFGAtTailAbstractState.h:
+ (JSC::DFG::AtTailAbstractState::operand):
+ * dfg/DFGAvailabilityMap.cpp:
+ (JSC::DFG::AvailabilityMap::pruneByLiveness):
+ * dfg/DFGAvailabilityMap.h:
+ (JSC::DFG::AvailabilityMap::closeStartingWithLocal):
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ (JSC::DFG::BasicBlock::ensureTmps):
+ * dfg/DFGBasicBlock.h:
+ * dfg/DFGBlockInsertionSet.cpp:
+ (JSC::DFG::BlockInsertionSet::insert):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::ensureTmps):
+ (JSC::DFG::ByteCodeParser::progressToNextCheckpoint):
+ (JSC::DFG::ByteCodeParser::newVariableAccessData):
+ (JSC::DFG::ByteCodeParser::getDirect):
+ (JSC::DFG::ByteCodeParser::get):
+ (JSC::DFG::ByteCodeParser::setDirect):
+ (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
+ (JSC::DFG::ByteCodeParser::getLocalOrTmp):
+ (JSC::DFG::ByteCodeParser::setLocalOrTmp):
+ (JSC::DFG::ByteCodeParser::setArgument):
+ (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
+ (JSC::DFG::ByteCodeParser::findArgumentPosition):
+ (JSC::DFG::ByteCodeParser::flushImpl):
+ (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
+ (JSC::DFG::ByteCodeParser::flush):
+ (JSC::DFG::ByteCodeParser::flushDirect):
+ (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
+ (JSC::DFG::ByteCodeParser::phantomLocalDirect):
+ (JSC::DFG::ByteCodeParser::flushForTerminal):
+ (JSC::DFG::ByteCodeParser::addToGraph):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand const):
+ (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
+ (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
+ (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
+ (JSC::DFG::ByteCodeParser::allocateUntargetableBlock):
+ (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
+ (JSC::DFG::ByteCodeParser::inlineCall):
+ (JSC::DFG::ByteCodeParser::handleVarargsInlining):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parse):
+ (JSC::DFG::ByteCodeParser::getLocal): Deleted.
+ (JSC::DFG::ByteCodeParser::setLocal): Deleted.
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::injectOSR):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::run):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
+ (JSC::DFG::CPSRethreadingPhase::propagatePhis):
+ (JSC::DFG::CPSRethreadingPhase::phiStackFor):
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGCombinedLiveness.cpp:
+ (JSC::DFG::addBytecodeLiveness):
+ * dfg/DFGCommonData.cpp:
+ (JSC::DFG::CommonData::addCodeOrigin):
+ (JSC::DFG::CommonData::addUniqueCallSiteIndex):
+ (JSC::DFG::CommonData::lastCallSite const):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGForAllKills.h:
+ (JSC::DFG::forAllKilledOperands):
+ (JSC::DFG::forAllKilledNodesAtNodeIndex):
+ (JSC::DFG::forAllKillsInBlock):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ (JSC::DFG::Graph::substituteGetLocal):
+ (JSC::DFG::Graph::isLiveInBytecode):
+ (JSC::DFG::Graph::localsAndTmpsLiveInBytecode):
+ (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
+ (JSC::DFG::Graph::localsLiveInBytecode): Deleted.
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::forAllLocalsAndTmpsLiveInBytecode):
+ (JSC::DFG::Graph::forAllLiveInBytecode):
+ (JSC::DFG::Graph::forAllLocalsLiveInBytecode): Deleted.
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
+ * dfg/DFGInPlaceAbstractState.h:
+ (JSC::DFG::InPlaceAbstractState::operand):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::linkOSRExits):
+ (JSC::DFG::JITCompiler::noticeOSREntry):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
+ * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
+ (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
+ * dfg/DFGMovHintRemovalPhase.cpp:
+ * dfg/DFGNode.h:
+ (JSC::DFG::StackAccessData::StackAccessData):
+ (JSC::DFG::Node::hasArgumentsChild):
+ (JSC::DFG::Node::argumentsChild):
+ (JSC::DFG::Node::operand):
+ (JSC::DFG::Node::hasUnlinkedOperand):
+ (JSC::DFG::Node::unlinkedOperand):
+ (JSC::DFG::Node::hasLoadVarargsData):
+ (JSC::DFG::Node::local): Deleted.
+ (JSC::DFG::Node::hasUnlinkedLocal): Deleted.
+ (JSC::DFG::Node::unlinkedLocal): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ (JSC::DFG::prepareCatchOSREntry):
+ * dfg/DFGOSREntrypointCreationPhase.cpp:
+ (JSC::DFG::OSREntrypointCreationPhase::run):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::emitRestoreArguments):
+ (JSC::DFG::OSRExit::compileExit):
+ (JSC::DFG::jsValueFor): Deleted.
+ (JSC::DFG::restoreCalleeSavesFor): Deleted.
+ (JSC::DFG::saveCalleeSavesFor): Deleted.
+ (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted.
+ (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted.
+ (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted.
+ (JSC::DFG::createDirectArgumentsDuringExit): Deleted.
+ (JSC::DFG::createClonedArgumentsDuringExit): Deleted.
+ (JSC::DFG::emitRestoreArguments): Deleted.
+ (JSC::DFG::OSRExit::executeOSRExit): Deleted.
+ (JSC::DFG::reifyInlinedCallFrames): Deleted.
+ (JSC::DFG::adjustAndJumpToTarget): Deleted.
+ (JSC::DFG::printOSRExit): Deleted.
+ * dfg/DFGOSRExit.h:
+ * dfg/DFGOSRExitBase.h:
+ (JSC::DFG::OSRExitBase::isExitingToCheckpointHandler const):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::callerReturnPC):
+ (JSC::DFG::reifyInlinedCallFrames):
+ (JSC::DFG::adjustAndJumpToTarget):
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * dfg/DFGOpInfo.h:
+ (JSC::DFG::OpInfo::OpInfo):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGPhantomInsertionPhase.cpp:
+ * dfg/DFGPreciseLocalClobberize.h:
+ (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
+ (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
+ (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
+ (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
+ * dfg/DFGPredictionInjectionPhase.cpp:
+ (JSC::DFG::PredictionInjectionPhase::run):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGPutStackSinkingPhase.cpp:
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMovHint):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::compileVarargsLength):
+ (JSC::DFG::SpeculativeJIT::compileLoadVarargs):
+ (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
+ (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::recordSetLocal):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStackLayoutPhase.cpp:
+ (JSC::DFG::StackLayoutPhase::run):
+ (JSC::DFG::StackLayoutPhase::assign):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrExitThunkGenerator): Deleted.
+ * dfg/DFGThunks.h:
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::run):
+ (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
+ * dfg/DFGValidate.cpp:
+ * dfg/DFGVarargsForwardingPhase.cpp:
+ * dfg/DFGVariableAccessData.cpp:
+ (JSC::DFG::VariableAccessData::VariableAccessData):
+ (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
+ (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
+ (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
+ * dfg/DFGVariableAccessData.h:
+ (JSC::DFG::VariableAccessData::operand):
+ (JSC::DFG::VariableAccessData::local): Deleted.
+ * dfg/DFGVariableEvent.cpp:
+ (JSC::DFG::VariableEvent::dump const):
+ * dfg/DFGVariableEvent.h:
+ (JSC::DFG::VariableEvent::spill):
+ (JSC::DFG::VariableEvent::setLocal):
+ (JSC::DFG::VariableEvent::movHint):
+ (JSC::DFG::VariableEvent::spillRegister const):
+ (JSC::DFG::VariableEvent::operand const):
+ (JSC::DFG::VariableEvent::bytecodeRegister const): Deleted.
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::logEvent):
+ (JSC::DFG::VariableEventStream::reconstruct const):
+ * dfg/DFGVariableEventStream.h:
+ (JSC::DFG::VariableEventStream::appendAndLog):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLForOSREntryJITCode.cpp:
+ (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileExtractOSREntryLocal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetCallee):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
+ (JSC::FTL::DFG::LowerDFGToB3::compileVarargsLength):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::getSpreadLengthFromInlineCallFrame):
+ (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
+ (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
+ (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
+ (JSC::FTL::DFG::LowerDFGToB3::callPreflight):
+ (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
+ (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::addressFor):
+ (JSC::FTL::DFG::LowerDFGToB3::payloadFor):
+ (JSC::FTL::DFG::LowerDFGToB3::tagFor):
+ * ftl/FTLOSREntry.cpp:
+ (JSC::FTL::prepareOSREntry):
+ * ftl/FTLOSRExit.cpp:
+ (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
+ * ftl/FTLOSRExit.h:
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * ftl/FTLOutput.cpp:
+ (JSC::FTL::Output::select):
+ * ftl/FTLOutput.h:
+ * ftl/FTLSelectPredictability.h: Copied from Source/JavaScriptCore/ftl/FTLForOSREntryJITCode.cpp.
+ * ftl/FTLSlowPathCall.h:
+ (JSC::FTL::callOperation):
+ * generator/Checkpoints.rb: Added.
+ * generator/Opcode.rb:
+ * generator/Section.rb:
+ * heap/Heap.cpp:
+ (JSC::Heap::gatherStackRoots):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::callSiteAsRawBits const):
+ (JSC::CallFrame::unsafeCallSiteAsRawBits const):
+ (JSC::CallFrame::callSiteIndex const):
+ (JSC::CallFrame::unsafeCallSiteIndex const):
+ (JSC::CallFrame::setCurrentVPC):
+ (JSC::CallFrame::bytecodeIndex):
+ (JSC::CallFrame::codeOrigin):
+ * interpreter/CallFrame.h:
+ (JSC::CallSiteIndex::CallSiteIndex):
+ (JSC::CallSiteIndex::operator bool const):
+ (JSC::CallSiteIndex::operator== const):
+ (JSC::CallSiteIndex::bits const):
+ (JSC::CallSiteIndex::fromBits):
+ (JSC::CallSiteIndex::bytecodeIndex const):
+ (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex):
+ (JSC::CallFrame::callee const):
+ (JSC::CallFrame::unsafeCallee const):
+ (JSC::CallFrame::addressOfCodeBlock const):
+ (JSC::CallFrame::argumentCountIncludingThis const):
+ (JSC::CallFrame::offsetFor):
+ (JSC::CallFrame::setArgumentCountIncludingThis):
+ (JSC::CallFrame::setReturnPC):
+ * interpreter/CallFrameInlines.h:
+ (JSC::CallFrame::r):
+ (JSC::CallFrame::uncheckedR):
+ (JSC::CallFrame::guaranteedJSValueCallee const):
+ (JSC::CallFrame::jsCallee const):
+ (JSC::CallFrame::codeBlock const):
+ (JSC::CallFrame::unsafeCodeBlock const):
+ (JSC::CallFrame::setCallee):
+ (JSC::CallFrame::setCodeBlock):
+ * interpreter/CheckpointOSRExitSideState.h: Copied from Source/JavaScriptCore/dfg/DFGThunks.h.
+ * interpreter/Interpreter.cpp:
+ (JSC::eval):
+ (JSC::sizeOfVarargs):
+ (JSC::loadVarargs):
+ (JSC::setupVarargsFrame):
+ (JSC::UnwindFunctor::operator() const):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ * interpreter/Interpreter.h:
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::readInlinedFrame):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
+ (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
+ (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
+ (JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue):
+ (JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue):
+ (JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue):
+ (JSC::AssemblyHelpers::addressFor):
+ (JSC::AssemblyHelpers::tagFor):
+ (JSC::AssemblyHelpers::payloadFor):
+ (JSC::AssemblyHelpers::calleeFrameSlot):
+ (JSC::AssemblyHelpers::calleeArgumentSlot):
+ (JSC::AssemblyHelpers::calleeFrameTagSlot):
+ (JSC::AssemblyHelpers::calleeFramePayloadSlot):
+ (JSC::AssemblyHelpers::calleeFrameCallerFrame):
+ (JSC::AssemblyHelpers::argumentCount):
+ * jit/CallFrameShuffler.cpp:
+ (JSC::CallFrameShuffler::CallFrameShuffler):
+ * jit/CallFrameShuffler.h:
+ (JSC::CallFrameShuffler::setCalleeJSValueRegs):
+ (JSC::CallFrameShuffler::assumeCalleeIsCell):
+ * jit/JIT.h:
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_unsigned):
+ (JSC::JIT::emit_compareAndJump):
+ (JSC::JIT::emit_compareAndJumpImpl):
+ (JSC::JIT::emit_compareUnsignedAndJump):
+ (JSC::JIT::emit_compareUnsignedAndJumpImpl):
+ (JSC::JIT::emit_compareUnsigned):
+ (JSC::JIT::emit_compareUnsignedImpl):
+ (JSC::JIT::emit_compareAndJumpSlow):
+ (JSC::JIT::emit_compareAndJumpSlowImpl):
+ (JSC::JIT::emit_op_inc):
+ (JSC::JIT::emit_op_dec):
+ (JSC::JIT::emit_op_mod):
+ (JSC::JIT::emitBitBinaryOpFastPath):
+ (JSC::JIT::emit_op_bitnot):
+ (JSC::JIT::emitRightShiftFastPath):
(JSC::JIT::emitMathICFast): + (JSC::JIT::emitMathICSlow): + (JSC::JIT::emit_op_div): + * jit/JITCall.cpp: + (JSC::JIT::emitPutCallResult): + (JSC::JIT::compileSetupFrame): + (JSC::JIT::compileOpCall): + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * jit/JITInlines.h: + (JSC::JIT::isOperandConstantDouble): + (JSC::JIT::getConstantOperand): + (JSC::JIT::emitPutIntToCallFrameHeader): + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult): + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile): + (JSC::JIT::linkSlowCaseIfNotJSCell): + (JSC::JIT::isOperandConstantChar): + (JSC::JIT::getOperandConstantInt): + (JSC::JIT::getOperandConstantDouble): + (JSC::JIT::emitInitRegister): + (JSC::JIT::emitLoadTag): + (JSC::JIT::emitLoadPayload): + (JSC::JIT::emitGet): + (JSC::JIT::emitPutVirtualRegister): + (JSC::JIT::emitLoad): + (JSC::JIT::emitLoad2): + (JSC::JIT::emitLoadDouble): + (JSC::JIT::emitLoadInt32ToDouble): + (JSC::JIT::emitStore): + (JSC::JIT::emitStoreInt32): + (JSC::JIT::emitStoreCell): + (JSC::JIT::emitStoreBool): + (JSC::JIT::emitStoreDouble): + (JSC::JIT::emitJumpSlowCaseIfNotJSCell): + (JSC::JIT::isOperandConstantInt): + (JSC::JIT::emitGetVirtualRegister): + (JSC::JIT::emitGetVirtualRegisters): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_mov): + (JSC::JIT::emit_op_end): + (JSC::JIT::emit_op_new_object): + (JSC::JIT::emitSlow_op_new_object): + (JSC::JIT::emit_op_overrides_has_instance): + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emit_op_is_empty): + (JSC::JIT::emit_op_is_undefined): + (JSC::JIT::emit_op_is_undefined_or_null): + (JSC::JIT::emit_op_is_boolean): + (JSC::JIT::emit_op_is_number): + (JSC::JIT::emit_op_is_cell_with_type): + (JSC::JIT::emit_op_is_object): + (JSC::JIT::emit_op_ret): + (JSC::JIT::emit_op_to_primitive): + (JSC::JIT::emit_op_set_function_name): + (JSC::JIT::emit_op_not): + (JSC::JIT::emit_op_jfalse): + (JSC::JIT::emit_op_jeq_null): + (JSC::JIT::emit_op_jneq_null): + 
(JSC::JIT::emit_op_jundefined_or_null): + (JSC::JIT::emit_op_jnundefined_or_null): + (JSC::JIT::emit_op_jneq_ptr): + (JSC::JIT::emit_op_eq): + (JSC::JIT::emit_op_jeq): + (JSC::JIT::emit_op_jtrue): + (JSC::JIT::emit_op_neq): + (JSC::JIT::emit_op_jneq): + (JSC::JIT::emit_op_throw): + (JSC::JIT::compileOpStrictEq): + (JSC::JIT::compileOpStrictEqJump): + (JSC::JIT::emit_op_to_number): + (JSC::JIT::emit_op_to_numeric): + (JSC::JIT::emit_op_to_string): + (JSC::JIT::emit_op_to_object): + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_get_parent_scope): + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + (JSC::JIT::emit_op_switch_string): + (JSC::JIT::emit_op_eq_null): + (JSC::JIT::emit_op_neq_null): + (JSC::JIT::emit_op_enter): + (JSC::JIT::emit_op_get_scope): + (JSC::JIT::emit_op_to_this): + (JSC::JIT::emit_op_create_this): + (JSC::JIT::emit_op_check_tdz): + (JSC::JIT::emitSlow_op_eq): + (JSC::JIT::emitSlow_op_neq): + (JSC::JIT::emitSlow_op_instanceof_custom): + (JSC::JIT::emit_op_new_regexp): + (JSC::JIT::emitNewFuncCommon): + (JSC::JIT::emitNewFuncExprCommon): + (JSC::JIT::emit_op_new_array): + (JSC::JIT::emit_op_new_array_with_size): + (JSC::JIT::emit_op_has_structure_property): + (JSC::JIT::emit_op_has_indexed_property): + (JSC::JIT::emitSlow_op_has_indexed_property): + (JSC::JIT::emit_op_get_direct_pname): + (JSC::JIT::emit_op_enumerator_structure_pname): + (JSC::JIT::emit_op_enumerator_generic_pname): + (JSC::JIT::emit_op_profile_type): + (JSC::JIT::emit_op_log_shadow_chicken_prologue): + (JSC::JIT::emit_op_log_shadow_chicken_tail): + (JSC::JIT::emit_op_argument_count): + (JSC::JIT::emit_op_get_rest_length): + (JSC::JIT::emit_op_get_argument): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_catch): + * jit/JITOperations.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emit_op_put_by_val): + (JSC::JIT::emitGenericContiguousPutByVal): + (JSC::JIT::emitArrayStoragePutByVal): 
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ (JSC::JIT::emit_op_put_getter_by_id):
+ (JSC::JIT::emit_op_put_setter_by_id):
+ (JSC::JIT::emit_op_put_getter_setter_by_id):
+ (JSC::JIT::emit_op_put_getter_by_val):
+ (JSC::JIT::emit_op_put_setter_by_val):
+ (JSC::JIT::emit_op_del_by_id):
+ (JSC::JIT::emit_op_del_by_val):
+ (JSC::JIT::emit_op_try_get_by_id):
+ (JSC::JIT::emitSlow_op_try_get_by_id):
+ (JSC::JIT::emit_op_get_by_id_direct):
+ (JSC::JIT::emitSlow_op_get_by_id_direct):
+ (JSC::JIT::emit_op_get_by_id):
+ (JSC::JIT::emit_op_get_by_id_with_this):
+ (JSC::JIT::emitSlow_op_get_by_id):
+ (JSC::JIT::emitSlow_op_get_by_id_with_this):
+ (JSC::JIT::emit_op_put_by_id):
+ (JSC::JIT::emit_op_in_by_id):
+ (JSC::JIT::emitSlow_op_in_by_id):
+ (JSC::JIT::emitResolveClosure):
+ (JSC::JIT::emit_op_resolve_scope):
+ (JSC::JIT::emitLoadWithStructureCheck):
+ (JSC::JIT::emitGetClosureVar):
+ (JSC::JIT::emit_op_get_from_scope):
+ (JSC::JIT::emitSlow_op_get_from_scope):
+ (JSC::JIT::emitPutGlobalVariable):
+ (JSC::JIT::emitPutGlobalVariableIndirect):
+ (JSC::JIT::emitPutClosureVar):
+ (JSC::JIT::emit_op_put_to_scope):
+ (JSC::JIT::emit_op_get_from_arguments):
+ (JSC::JIT::emit_op_put_to_arguments):
+ (JSC::JIT::emitWriteBarrier):
+ (JSC::JIT::emit_op_get_internal_field):
+ (JSC::JIT::emit_op_put_internal_field):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JSInterfaceJIT.h:
+ (JSC::JSInterfaceJIT::emitLoadJSCell):
+ (JSC::JSInterfaceJIT::emitJumpIfNotJSCell):
+ (JSC::JSInterfaceJIT::emitLoadInt32):
+ (JSC::JSInterfaceJIT::emitLoadDouble):
+ (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr):
+ (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
+ (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
+ * jit/SetupVarargsFrame.cpp:
+ (JSC::emitSetupVarargsFrameFastCase):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::loadDoubleArgument):
+ (JSC::SpecializedThunkJIT::loadCellArgument):
+ (JSC::SpecializedThunkJIT::loadInt32Argument):
+ * jit/ThunkGenerators.cpp:
+ (JSC::absThunkGenerator):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::getNonConstantOperand):
+ (JSC::LLInt::getOperand):
+ (JSC::LLInt::genericCall):
+ (JSC::LLInt::varargsSetup):
+ (JSC::LLInt::commonCallEval):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::handleVarargsCheckpoint):
+ (JSC::LLInt::dispatchToNextInstruction):
+ (JSC::LLInt::slow_path_checkpoint_osr_exit_from_inlined_call):
+ (JSC::LLInt::slow_path_checkpoint_osr_exit):
+ (JSC::LLInt::llint_throw_stack_overflow_error):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ArgList.h:
+ (JSC::MarkedArgumentBuffer::fill):
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedCodeBlock::hasCheckpoints const):
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ (JSC::CachedCodeBlock::encode):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/ConstructData.cpp:
+ (JSC::construct):
+ * runtime/ConstructData.h:
+ * runtime/DirectArguments.cpp:
+ (JSC::DirectArguments::copyToArguments):
+ * runtime/DirectArguments.h:
+ * runtime/GenericArguments.h:
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::copyToArguments):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::copyToArguments):
+ * runtime/JSArray.h:
+ * runtime/JSImmutableButterfly.cpp:
+ (JSC::JSImmutableButterfly::copyToArguments):
+ * runtime/JSImmutableButterfly.h:
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::willReleaseLock):
+ * runtime/ModuleProgramExecutable.cpp:
+ (JSC::ModuleProgramExecutable::create):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ * runtime/ScopedArguments.cpp:
+ (JSC::ScopedArguments::copyToArguments):
+ * runtime/ScopedArguments.h:
+ * runtime/VM.cpp:
+ (JSC::VM::addCheckpointOSRSideState):
+ (JSC::VM::findCheckpointOSRSideState):
+ (JSC::VM::scanSideState const):
+ * runtime/VM.h:
+ (JSC::VM::hasCheckpointOSRSideState const):
+ * tools/VMInspector.cpp:
+ (JSC::VMInspector::dumpRegisters):
+ * wasm/WasmFunctionCodeBlock.h:
+ (JSC::Wasm::FunctionCodeBlock::getConstant const):
+ (JSC::Wasm::FunctionCodeBlock::getConstantType const):
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::setUsesCheckpoints const):
+ * wasm/WasmOperations.cpp:
+ (JSC::Wasm::operationWasmToJSException):
+ * wasm/WasmSlowPaths.cpp:
+
+2019-12-23 Yusuke Suzuki
+
+ [JSC] Wasm OSR entry should capture top-most enclosing-stack
+ https://bugs.webkit.org/show_bug.cgi?id=205571
+
+ Reviewed by Keith Miller.
+
+ OSR entry should capture the top-most enclosing-stack too.
+ Otherwise the def-node can be unreachable (since it is defined in BB which is unreachable from OSR entry point),
+ and eliminated.
+
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
+ (JSC::Wasm::AirIRGenerator::addLoop):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
+ (JSC::Wasm::B3IRGenerator::addLoop):
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::addLoop):
+
+2019-12-23 Carlos Garcia Campos
+
+ WebDriver: fix handling of session timeouts for values higher than MAX_INT
+ https://bugs.webkit.org/show_bug.cgi?id=204114
+
+ Reviewed by Brian Burg.
+
+ Fix generation of code with optional number in stack variable.
+
+ * inspector/scripts/codegen/cpp_generator.py:
+ (CppGenerator.cpp_type_for_stack_in_parameter): Do not use Optional for numbers either.
+ * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
+
+2019-12-22 Yusuke Suzuki
+
+ Unreviewed, fix incorrect merging
+ https://bugs.webkit.org/show_bug.cgi?id=205327
+
+ r253862 and r253867 cause incorrect merging. This patch fixes it.
+ + * jit/ThunkGenerators.cpp: + (JSC::boundFunctionCallGenerator): + +2019-12-22 Yusuke Suzuki + + Unreviewed, fix debug failures due to missing exception checks + https://bugs.webkit.org/show_bug.cgi?id=205327 + + * runtime/JSFunction.cpp: + (JSC::JSFunction::getOwnNonIndexPropertyNames): + (JSC::JSFunction::put): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSObject.cpp: + (JSC::JSObject::defineOwnNonIndexProperty): + +2019-12-21 Yusuke Suzuki + + [JSC] Improve our bound function implementation + https://bugs.webkit.org/show_bug.cgi?id=205327 + + Reviewed by Keith Miller. + + This patch improves Function#bind, and calling bound function with bound arguments. + + 1. Rename CallFrameSlot::argumentCount to CallFrameSlot::argumentCountIncludingThis. + 2. Do not include name in NativeExecutable for JSBoundFunction. Putting name in NativeExecutable is assuming that function + name pair is almost identical. + This is true in host functions except for JSBoundFunction. JSBoundFunction should hold its name in JSBoundFunction. + 3. Cache NativeExecutable for JSBoundFunction in the VM. We use a hash-map in JITThunk for NativeExecutables because we assume that host-function creation cannot be + done by the user program: each executable is pre-defined to exactly one object by the environment, and there is no way to create host-functions repeatedly from + the user-program. The only exception to this is JSBoundFunction so caching it on the VM avoids the hash-map lookup. This is not true for JSBoundFunction. + 4. ThunkGenerator should support JSBoundFunction call with bound arguments. It turns out that Speedometer2/React-Redux-TodoMVC is using bound function with + bound arguments. Additionally, it is used. This is really bad: when dispatching an event, we first call this function from C++, entering JS world, + going back to C++ world again, and entering JS world to call bound function again. 
By using ThunkGenerator, we can eliminate this back and forth by directly
+ calling the bound JS Executable from the thunk. Previously, bound arguments are stored in JSArray. But it is difficult to access them from thunk since we need to consider
+ have-a-bad-time case. Instead, we use JSImmutableButterfly to save bound arguments so that JIT thunk can quickly access arguments. To capture arguments as
+ JSImmutableButterfly in JS world, we introduce op_create_arguments_butterfly, and handle it in all tiers.
+ 5. It turns out that eager materialization of "length" in JSBoundFunction takes long time while it is rarely used. This patch makes length lazily reified for JSBoundFunction.
+ 6. To make Function.prototype.bind faster, we track whether "name" and "length" properties of JSFunction is modified or not. This skips has-own-length-property check, which
+ makes Function.prototype.bind 11~% faster.
+
+ Combining things above, creation of JSBoundFunction is 80~% faster. And calling bound function with bound arguments is 3~x faster.
+ This improves Speedometer2/React-TodoMVC by ~3%.
+
+ * builtins/FunctionPrototype.js:
+ (bind):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/AccessCaseSnippetParams.cpp:
+ (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
+ * bytecode/BytecodeIntrinsicRegistry.h:
+ * bytecode/BytecodeList.rb:
+ * bytecode/BytecodeUseDef.cpp:
+ (JSC::computeUsesForBytecodeIndexImpl):
+ (JSC::computeDefsForBytecodeIndexImpl):
+ * bytecode/VirtualRegister.cpp:
+ (JSC::VirtualRegister::dump const):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitCreateArgumentsButterfly):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_createArgumentsButterfly):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGArgumentsUtilities.cpp:
+ (JSC::DFG::argumentsInvolveStackSlot):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::flushImpl):
+ (JSC::DFG::ByteCodeParser::handleVarargsInlining):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::isLiveInBytecode):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::emitRestoreArguments):
+ (JSC::DFG::reifyInlinedCallFrames):
+ (JSC::DFG::OSRExit::emitRestoreArguments):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::reifyInlinedCallFrames):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPreciseLocalClobberize.h:
+ (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCreateArgumentsButterfly):
+ (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
+ (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStackLayoutPhase.cpp:
+ (JSC::DFG::StackLayoutPhase::run):
+ * dfg/DFGStoreBarrierInsertionPhase.cpp:
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateArgumentsButterfly):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+ (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
+ (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
+ (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
+ (JSC::FTL::DFG::LowerDFGToB3::callPreflight):
+ * ftl/FTLSlowPathCall.h:
+ (JSC::FTL::callOperation):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::callSiteAsRawBits const):
+ (JSC::CallFrame::unsafeCallSiteAsRawBits const):
+ (JSC::CallFrame::setCurrentVPC):
+ * interpreter/CallFrame.h:
+ (JSC::CallFrame::argumentCountIncludingThis const):
+ (JSC::CallFrame::setArgumentCountIncludingThis):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::argumentCount):
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::prepareForTailCallSlow):
+ * jit/CallFrameShuffler.cpp:
+ (JSC::CallFrameShuffler::dump const):
+ (JSC::CallFrameShuffler::prepareForTailCall):
+ (JSC::CallFrameShuffler::prepareAny):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::compileWithoutLinking):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileSetupFrame):
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileSetupFrame):
+ (JSC::JIT::compileOpCall):
+ * jit/JITInlines.h:
+ (JSC::JIT::updateTopCallFrame):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_argument_count):
+ (JSC::JIT::emit_op_get_rest_length):
+ (JSC::JIT::emit_op_get_argument):
+ * jit/SetupVarargsFrame.cpp:
+ (JSC::emitSetupVarargsFrameFastCase):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
+ * jit/ThunkGenerators.cpp:
+ (JSC::arityFixupGenerator):
+ (JSC::boundFunctionCallGenerator):
+ (JSC::boundThisNoArgsFunctionCallGenerator): Deleted.
+ * jit/ThunkGenerators.h:
+ * jsc.cpp:
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * llint/WebAssembly.asm:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ * runtime/ExecutableBase.h:
+ * runtime/FunctionRareData.cpp:
+ (JSC::FunctionRareData::FunctionRareData):
+ * runtime/FunctionRareData.h:
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototypeGetterCompare):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototypeGetterFormat):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototypeGetterFormat):
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/JSBoundFunction.cpp:
+ (JSC::boundThisNoArgsFunctionCall):
+ (JSC::boundFunctionCall):
+ (JSC::boundThisNoArgsFunctionConstruct):
+ (JSC::boundFunctionConstruct):
+ (JSC::JSBoundFunction::create):
+ (JSC::JSBoundFunction::JSBoundFunction):
+ (JSC::JSBoundFunction::boundArgsCopy):
+ (JSC::JSBoundFunction::visitChildren):
+ * runtime/JSBoundFunction.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::finishCreation):
+ (JSC::JSFunction::name):
+ (JSC::JSFunction::getOwnPropertySlot):
+ (JSC::JSFunction::getOwnNonIndexPropertyNames):
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::deleteProperty):
+ (JSC::JSFunction::defineOwnProperty):
+ (JSC::JSFunction::reifyLength):
+ (JSC::JSFunction::reifyLazyPropertyIfNeeded):
+ (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
+ (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
+ * runtime/JSFunction.h:
+ * runtime/JSFunctionInlines.h:
+ (JSC::JSFunction::areNameAndLengthOriginal):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::makeBoundFunction):
+ (JSC::hasOwnLengthProperty):
+ * runtime/JSObject.h:
+ (JSC::getJSFunction):
+ (JSC::getCallData): Deleted.
+ (JSC::getConstructData): Deleted.
+ * runtime/JSObjectInlines.h:
+ (JSC::getCallData):
+ (JSC::getConstructData):
+ * runtime/VM.cpp:
+ (JSC::thunkGeneratorForIntrinsic):
+ (JSC::VM::getBoundFunction):
+ * runtime/VM.h:
+ * wasm/js/WasmToJS.cpp:
+ (JSC::Wasm::wasmToJS):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
+2019-12-20 Darin Adler
+
+ Make JSString values from literals in a single consistent style
+ https://bugs.webkit.org/show_bug.cgi?id=205517
+
+ Reviewed by Saam Barati.
+
+ Some call sites did it like this:
+
+ jsNontrivialString(vm, "literal"_s)
+
+ Others did it one of these:
+
+ jsString(vm, "literal")
+ jsNontrivialString(vm, "literal")
+
+ Changed all the call sites to do it the first, *slightly* more efficient, way.
+
+ * runtime/ArrayIteratorPrototype.cpp:
+ (JSC::ArrayIteratorPrototype::finishCreation):
+ * runtime/AsyncFunctionPrototype.cpp:
+ (JSC::AsyncFunctionPrototype::finishCreation):
+ * runtime/AsyncGeneratorFunctionPrototype.cpp:
+ (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
+ * runtime/AsyncGeneratorPrototype.cpp:
+ (JSC::AsyncGeneratorPrototype::finishCreation):
+ * runtime/BigIntPrototype.cpp:
+ (JSC::BigIntPrototype::finishCreation):
+ * runtime/GeneratorFunctionPrototype.cpp:
+ (JSC::GeneratorFunctionPrototype::finishCreation):
+ * runtime/GeneratorPrototype.cpp:
+ (JSC::GeneratorPrototype::finishCreation):
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototype::finishCreation):
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::formatToParts):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototype::finishCreation):
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::formatToParts):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototype::finishCreation):
+ * runtime/IntlPluralRulesPrototype.cpp:
+ (JSC::IntlPluralRulesPrototype::finishCreation):
+ * runtime/JSDataViewPrototype.cpp:
+ (JSC::JSDataViewPrototype::finishCreation):
+ * runtime/JSModuleNamespaceObject.cpp:
+ (JSC::JSModuleNamespaceObject::finishCreation):
+ * runtime/JSONObject.cpp:
+ (JSC::JSONObject::finishCreation):
+ * runtime/JSPromisePrototype.cpp:
+ (JSC::JSPromisePrototype::finishCreation):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::typedArrayViewProtoGetterFuncToStringTag):
+ * runtime/MapIteratorPrototype.cpp:
+ (JSC::MapIteratorPrototype::finishCreation):
+ * runtime/MapPrototype.cpp:
+ (JSC::MapPrototype::finishCreation):
+ * runtime/MathObject.cpp:
+ (JSC::MathObject::finishCreation):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoGetterSource):
+ * runtime/RegExpStringIteratorPrototype.cpp:
+ (JSC::RegExpStringIteratorPrototype::finishCreation):
+ * runtime/SetIteratorPrototype.cpp:
+ (JSC::SetIteratorPrototype::finishCreation):
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+ * runtime/StringIteratorPrototype.cpp:
+ (JSC::StringIteratorPrototype::finishCreation):
+ * runtime/SymbolPrototype.cpp:
+ (JSC::SymbolPrototype::finishCreation):
+ * runtime/WeakMapPrototype.cpp:
+ (JSC::WeakMapPrototype::finishCreation):
+ * runtime/WeakObjectRefPrototype.cpp:
+ (JSC::WeakObjectRefPrototype::finishCreation):
+ * runtime/WeakSetPrototype.cpp:
+ (JSC::WeakSetPrototype::finishCreation):
+ Call jsNontrivialString instead of jsString and use the _s suffix.
+
+2019-12-21 Yusuke Suzuki
+
+ [JSC] Remove m_globalObject field from JSFunction
+ https://bugs.webkit.org/show_bug.cgi?id=205533
+
+ Reviewed by Mark Lam.
+
+ JSFunction::m_globalObject is used only when it is using NativeExecutable.
+ And when using NativeExecutable, JSCallee::m_scope is always pointing JSGlobalObject.
+ This patch removes JSFunction::m_globalObject field.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+ * jit/ThunkGenerators.cpp:
+ (JSC::nativeForGenerator):
+ (JSC::boundThisNoArgsFunctionCallGenerator):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::JSFunction):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::offsetOfGlobalObject): Deleted.
+ (JSC::JSFunction::globalObject const): Deleted.
+ * runtime/JSFunctionInlines.h:
+ (JSC::JSFunction::JSFunction):
+
+2019-12-20 Ross Kirsling
+
+ [JSC] Memory usage statistics should be attainable without WebCore
+ https://bugs.webkit.org/show_bug.cgi?id=205366
+
+ Reviewed by Keith Miller.
+
+ * API/JSBase.cpp:
+ (JSGetMemoryUsageStatistics):
+ * API/JSBasePrivate.h:
+ Add a private JSC API exposing the same Heap stats as WebCore's PerformanceLogging::memoryUsageStatistics.
+
+2019-12-19 Saam Barati
+
+ Don't cache self customs on dictionaries
+ https://bugs.webkit.org/show_bug.cgi?id=205466
+
+
+ Reviewed by Mark Lam.
+
+ We had a bug where we would cache a custom value/accessor on a self property
+ of a cacheable dictionary object. This turns out to be wrong because the
+ inline cache won't fail (because we won't transition structures) if that
+ property is replaced with something else. We would do the right thing when
+ the custom was on the prototype chain, but when it was a self property, we
+ didn't. The reason customs are different from values/normal accessors is that
+ we dynamically load values/getters/setters from the object itself. For
+ customs, we cache the actual pointer value of the C function. This patch makes
+ it so we don't cache customs on dictionaries.
+
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ (JSC::prepareChainForCaching):
+ (JSC::preparePrototypeChainForCaching): Deleted.
+ * bytecode/ObjectPropertyConditionSet.h:
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetBy):
+ (JSC::tryCachePutByID):
+ (JSC::tryCacheInByID):
+ (JSC::tryCacheInstanceOf):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::setupGetByIdPrototypeCache):
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::setObjectToStringValue):
+
+2019-12-19 Devin Rousso
+
+ Web Inspector: TypeError: InjectedScriptHost.isPromiseRejectedWithNativeGetterTypeError first argument must be a Promise
+ https://bugs.webkit.org/show_bug.cgi?id=205439
+
+ Reviewed by Brian Burg.
+
+ Before r244312, we noticed that when Web Inspector would preview native getters that return
+ a `Promise`, Web Inspector would prevent `rejectionhandled` events from being fired since it
+ would always add a `.catch(() => {}` to any `Promise` that it was about to instrument in the
+ Console to avoid errors being added to the Console while expanding/collapsing value previews.
+ In order to prevent this, logic was added so that the `.catch(() => {})` was only added if
+ the `Promise` was returned from a native getter, such as from a `PromiseRejectionEvent`.
+
+ In r244312, we made it such that this logic _required_ the `Promise` to already be rejected,
+ which is unnecessarily restrictive and not always the case nowadays. Instead, just check to
+ see if the result of the `Promise` is a native getter type error.
+
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError):
+
+2019-12-18 Devin Rousso
+
+ Web Inspector: Elements: restrict showing paint flashing and compositing borders to the Web Inspector session
+ https://bugs.webkit.org/show_bug.cgi?id=205201
+
+ Reviewed by Timothy Hatcher.
+
+ We often get bugs from users who turn on paint flashing or compositing borders, close Web
+ Inspector, reopen Web Inspector, and are then surprised when the page flashes red or these
+ borders exist all over the page.
+ + Given that the dark mode and print styles toggles are limited to the Web Inspector session, + we should make these have the same behavior. + + * inspector/protocol/Page.json: + Allow Web Inspector to override the `showDebugBorders` and `showRepaintCounter` settings via + the `inspectorOverride` key, rather than setting them manually via a special `Page` command. + +2019-12-17 Yusuke Suzuki + + [JSC] 8Bit JSRopeString can contain 16Bit string in its rope + https://bugs.webkit.org/show_bug.cgi?id=205323 + + Reviewed by Mark Lam. + + When resolving JSRopeString, it is possible that 8Bit JSRopeString becomes 16Bit resolved JSString. + This happens when we attempt to resolve it to produce AtomicStringImpl, and 16Bit version of the + resolved content is already in AtomicStringTable. This means that 16Bit flag never changes after resolving + JSString, but that of JSRopeString is some sort of hint, which can be changed. + + This means that 8Bit JSRopeString can include 16Bit JSString, since some of children can be changed from + 8Bit JSRopeString to resolved 16Bit JSString. Even in that case, we can still ensure that resolved string + can be represented as 8Bit. Let's see the example. + + A => B + C, 8Bit Rope + B => D + E, 8Bit Rope + C => 8Bit String + + And when we convert B to 16Bit String since content of `D + E` is already registered as 16Bit String in AtomicStringTable. + + A => B + C, 8Bit Rope + B => 16Bit String + C => 8Bit String + + When resolving A, creating 8Bit string buffer is totally OK since we know that whole A string can be represented in 8Bit. + When copying the content of B into 8Bit buffer, we should ignore upper 8Bit since they must be zero. + + In this patch, we completely share the implementation of resolveRopeInternalNoSubstring and resolveRopeSlowCase in 8Bit and + 16Bit case: we take result buffer CharacterType, but the underlying code must check `is8Bit()` for each fiber. 
+
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::dumpInContextAssumingStructure const):
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeInternal8 const):
+ (JSC::JSRopeString::resolveRopeInternal16 const):
+ (JSC::JSRopeString::resolveRopeInternalNoSubstring const):
+ (JSC::JSRopeString::resolveRopeWithFunction const):
+ (JSC::JSRopeString::resolveRopeSlowCase const):
+ (JSC::JSRopeString::resolveRopeInternal8NoSubstring const): Deleted.
+ (JSC::JSRopeString::resolveRopeInternal16NoSubstring const): Deleted.
+ (JSC::JSRopeString::resolveRopeSlowCase8 const): Deleted.
+ * runtime/JSString.h:
+
+2019-12-17 Carlos Garcia Campos
+
+ [GLIB] jsc_context_evaluate_in_object should take the API lock before calling setGlobalScopeExtension
+ https://bugs.webkit.org/show_bug.cgi?id=205331
+
+ Reviewed by Žan Doberšek.
+
+ We are now getting a crash due to an assert because the api lock is not held.
+
+ * API/glib/JSCContext.cpp:
+ (jsc_context_evaluate_in_object):
+
+2019-12-16 Mark Lam
+
+ Relanding r253581: Changed jsc shell timeout mechanism to leverage the VMTraps and use CPUTime.
+ https://bugs.webkit.org/show_bug.cgi?id=205279
+
+
+ Reviewed by Saam Barati.
+
+ This fixes all the timeouts that occur due to CPU time starvation when
+ running JSC tests on a debug build.
+
+ What this means is that the timeout mechanism may trigger asynchronous
+ OSR exits. If a test requires no OSR exits, that test should
+ requireOption("--usePollingTraps=true") so that the VMTraps will use its
+ polling implementation instead.
+
+ I've tested this with a full run of the JSC stress tests with a debug
+ build and saw 0 timeouts. I've also tested it with a contrived tests that
+ loops forever, and saw the expected timeout crash.
+
+ Will look into re-tuning needed timeout value (and other JSC tests timeout
+ cleanup) in https://bugs.webkit.org/show_bug.cgi?id=205298.
+
+ Update: in the previously landed patch, I did a last minute sort of the cases
+ Int the switch statement in VMTraps::handleTraps() before posting my patch.
+ This is incorrect to do since one of the cases need to fall through to another
+ case. This patch undoes the sorting to the order I originally had the cases
+ in during development and testing.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::executeProgram):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeModuleProgram):
+ * interpreter/InterpreterInlines.h:
+ (JSC::Interpreter::execute):
+ * jsc.cpp:
+ (startTimeoutTimer):
+ (timeoutCheckCallback):
+ (initializeTimeoutIfNeeded):
+ (startTimeoutThreadIfNeeded):
+ (runJSC):
+ (jscmain):
+ * runtime/JSCConfig.h:
+ * runtime/VM.h:
+ (JSC::VM::notifyNeedShellTimeoutCheck):
+ * runtime/VMTraps.cpp:
+ (JSC::VMTraps::handleTraps):
+ * runtime/VMTraps.h:
+ (JSC::VMTraps::Mask::Mask):
+ (JSC::VMTraps::Mask::allEventTypes):
+ (JSC::VMTraps::Mask::init):
+ (JSC::VMTraps::interruptingTraps):
+ * tools/VMInspector.cpp:
+ (JSC::VMInspector::forEachVM):
+ * tools/VMInspector.h:
+
+2019-12-16 Mark Lam
+
+ Rolling out: r253581 is failing tests on a release build.
+ https://bugs.webkit.org/show_bug.cgi?id=205279
+
+
+ Not reviewed.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::executeProgram):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeModuleProgram):
+ * interpreter/InterpreterInlines.h:
+ (JSC::Interpreter::execute):
+ * jsc.cpp:
+ (startTimeoutThreadIfNeeded):
+ (runJSC):
+ (jscmain):
+ (startTimeoutTimer): Deleted.
+ (timeoutCheckCallback): Deleted.
+ (initializeTimeoutIfNeeded): Deleted.
+ * runtime/JSCConfig.h:
+ * runtime/VM.h:
+ (JSC::VM::notifyNeedDebuggerBreak):
+ (JSC::VM::notifyNeedShellTimeoutCheck): Deleted.
+ * runtime/VMTraps.cpp:
+ (JSC::VMTraps::handleTraps):
+ * runtime/VMTraps.h:
+ (JSC::VMTraps::Mask::Mask):
+ (JSC::VMTraps::Mask::allEventTypes):
+ (JSC::VMTraps::Mask::init):
+ (JSC::VMTraps::interruptingTraps): Deleted.
+ * tools/VMInspector.cpp:
+ (JSC::VMInspector::forEachVM): Deleted.
+ * tools/VMInspector.h:
+
+2019-12-16 Yusuke Suzuki
+
+ ASSERTION FAILED: length <= maximumLength in js-fixed-array-out-of-memory.js
+ https://bugs.webkit.org/show_bug.cgi?id=205259
+
+
+ Reviewed by Mark Lam.
+
+ JSImmutableButterfly has moderate size limit on its length, while JSFixedArray does not.
+ We should check this maximumLength when creating it in Spread. And if it exceeds, we should
+ throw OOM error.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileSpread):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
+ * runtime/ArrayConventions.h:
+ * runtime/IndexingHeader.h:
+ * runtime/JSImmutableButterfly.h:
+ (JSC::JSImmutableButterfly::tryCreate):
+ (JSC::JSImmutableButterfly::allocationSize):
+
+2019-12-16 Yusuke Suzuki
+
+ [JSC] Put non-dynamic scope cells in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=205311
+
+ Reviewed by Mark Lam.
+
+ Put non-dynamic scope cells in IsoSubspace.
+
+ - JSWithScope
+ - StrictEvalActivation
+
+ * runtime/JSScope.h:
+ (JSC::JSScope::subspaceFor):
+ * runtime/JSSymbolTableObject.h:
+ * runtime/JSWithScope.h:
+ * runtime/StrictEvalActivation.h:
+ * runtime/VM.cpp:
+ * runtime/VM.h:
+
+2019-12-16 Yusuke Suzuki
+
+ [JSC] Put DebuggerScope in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=205303
+
+ Reviewed by Mark Lam.
+
+ Put DebuggerScope in IsoSubspace, and refine empty `subspaceFor` implementations.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::subspaceFor):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::subspaceFor):
+ * debugger/DebuggerScope.h:
+ * runtime/AbstractModuleRecord.h:
+ (JSC::AbstractModuleRecord::subspaceFor):
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::subspaceFor):
+ * runtime/JSInternalFieldObjectImpl.h:
+ (JSC::JSInternalFieldObjectImpl::subspaceFor):
+ * runtime/JSWrapperObject.h:
+ (JSC::JSWrapperObject::subspaceFor):
+ * runtime/VM.cpp:
+ * runtime/VM.h:
+
+2019-12-16 Yusuke Suzuki
+
+ [JSC] Move JSCell::subspaceFor to JSObject::subspaceFor, removing destructibleCellSpace
+ https://bugs.webkit.org/show_bug.cgi?id=205300
+
+ Reviewed by Mark Lam.
+
+ All non-JSObject JSCells have their own IsoSubspace / CompleteSubspace. We remove JSCell::subspaceFor function,
+ and move it to JSObject::subspaceFor. And we remove destructibleCellSpace since nobody uses it.
+
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::subspaceFor): Deleted.
+ * runtime/JSObject.h:
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::subspaceFor):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-16 Mark Lam
+
+ Changed jsc shell timeout mechanism to leverage the VMTraps and use CPUTime.
+ https://bugs.webkit.org/show_bug.cgi?id=205279
+
+
+ Reviewed by Saam Barati.
+
+ This fixes all the timeouts that occur due to CPU time starvation when
+ running JSC tests on a debug build.
+
+ What this means is that the timeout mechanism may trigger asynchronous
+ OSR exits. If a test requires no OSR exits, that test should
+ requireOption("--usePollingTraps=true") so that the VMTraps will use its
+ polling implementation instead.
+
+ I've tested this with a full run of the JSC stress tests with a debug
+ build and saw 0 timeouts. I've also tested it with a contrived tests that
+ loops forever, and saw the expected timeout crash.
+
+ Will look into re-tuning needed timeout value (and other JSC tests timeout
+ cleanup) in https://bugs.webkit.org/show_bug.cgi?id=205298.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::executeProgram):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeModuleProgram):
+ * interpreter/InterpreterInlines.h:
+ (JSC::Interpreter::execute):
+ * jsc.cpp:
+ (timeoutCheckCallback):
+ (initializeTimeoutIfNeeded):
+ (startTimeoutThreadIfNeeded):
+ (runJSC):
+ (jscmain):
+ * runtime/JSCConfig.h:
+ * runtime/VM.h:
+ (JSC::VM::notifyNeedShellTimeoutCheck):
+ * runtime/VMTraps.cpp:
+ (JSC::VMTraps::handleTraps):
+ * runtime/VMTraps.h:
+ (JSC::VMTraps::Mask::Mask):
+ (JSC::VMTraps::Mask::allEventTypes):
+ (JSC::VMTraps::Mask::init):
+ (JSC::VMTraps::interruptingTraps):
+ * tools/VMInspector.cpp:
+ (JSC::VMInspector::forEachVM):
+ * tools/VMInspector.h:
+
+2019-12-16 Yusuke Suzuki
+
+ [JSC] Remove ArrayBufferNeuteringWatchpointSet
+ https://bugs.webkit.org/show_bug.cgi?id=205194
+
+ Reviewed by Saam Barati.
+
+ This patch removes ArrayBufferNeuteringWatchpointSet, and instead putting InlineWatchpointSet directly into ArrayBuffer, since this is much simpler.
+ The main reason why we are using ArrayBufferNeuteringWatchpointSet is not to increase sizeof(ArrayBuffer). But this complicates the implementation.
+ So, not to increase sizeof(ArrayBuffer), we use PackedRefPtr in ArrayBuffer, which is RefPtr while the pointer is packed. This gives us 8 bytes which is
+ suitable for placing InlineWatchpointSet without increasing sizeof(ArrayBuffer). We also convert Function<> in ArrayBuffer to PackedRefPtr>,
+ and share Gigacage::free destructor by multiple ArrayBuffer. This is memory efficient since this is the common case, and we can pack this field easily.
+
+ * API/JSTypedArray.cpp:
+ (JSObjectMakeTypedArrayWithBytesNoCopy):
+ (JSObjectMakeArrayBufferWithBytesNoCopy):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * dfg/DFGDesiredWatchpoints.cpp:
+ (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::tryGetFoldableView):
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBuffer::primitiveGigacageDestructor):
+ (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
+ (JSC::ArrayBufferContents::destroy):
+ (JSC::ArrayBufferContents::reset):
+ (JSC::ArrayBufferContents::tryAllocate):
+ (JSC::ArrayBufferContents::makeShared):
+ (JSC::ArrayBufferContents::shareWith):
+ (JSC::ArrayBuffer::createAdopted):
+ (JSC::ArrayBuffer::transferTo):
+ (JSC::ArrayBuffer::neuter):
+ (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
+ * runtime/ArrayBuffer.h:
+ (JSC::ArrayBuffer::neuteringWatchpointSet):
+ * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Removed.
+ * runtime/FileBasedFuzzerAgent.cpp:
+ (JSC::FileBasedFuzzerAgent::getPredictionInternal):
+ * runtime/FileBasedFuzzerAgentBase.cpp:
+ (JSC::FileBasedFuzzerAgentBase::createLookupKey):
+ * runtime/PredictionFileCreatingFuzzerAgent.cpp:
+ (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::buffer):
+
+2019-12-14 Adrian Perez de Castro
+
+ [GTK][WPE] Fix various non-unified build issues introduced since r251698
+ https://bugs.webkit.org/show_bug.cgi?id=204891
+
+ Reviewed by Alex Christensen.
+
+ * API/JSCallbackConstructor.h: Add missing inclusion of JSObject.h
+ * bytecompiler/BytecodeGeneratorBaseInlines.h: Add missing "#pragma once", which
+ caused build breakage when the same unified source would result in multiple inclusions of
+ the header.
+ * bytecompiler/NodesCodegen.cpp: Add missing inclusion of BytecodeGeneratorBaseInlines.h
+ * dfg/DFGDesiredIdentifiers.h: Add missing inclusion of Identifier.h
+ * heap/IsoSubspacePerVM.cpp: Add missing inclusion of MarkedSpaceInlines.h
+ * jit/GCAwareJITStubRoutine.h: Add missing forward declaration for CallLinkInfo.
+ * runtime/PredictionFileCreatingFuzzerAgent.cpp: Add missing inclusion of wtf/DataLog.h
+ * runtime/ScopedArgumentsTable.h: Add missing inclusion of VM.h
+ * wasm/WasmCallee.cpp: Add missing inclusion of WasmCallingConvention.h
+ * wasm/WasmLLIntTierUpCounter.h: Add missing inclusion of InstructionStream.h
+ * wasm/WasmSlowPaths.cpp: Add missing inclusion of WasmSignatureInlines.h
+
+2019-12-13 Yusuke Suzuki
+
+ [JSC] Remove JSFixedArray, and use JSImmutableButterfly instead
+ https://bugs.webkit.org/show_bug.cgi?id=204402
+
+ Reviewed by Mark Lam.
+
+ This patch removes JSFixedArray, and use JSImmutableButterfly instead. JSFixedArray can be replaced by
+ JSImmutableButterfly with Contiguous shape. And further, we can create an array from JSImmutableButterfly
+ generated by Spread node in NewArrayBufferWithSpread.
+
+ Currently, we are always creating contiguous JSImmutableButterfly from Spread. If it takes contiguous CoW
+ array, we can reuse JSImmutableButterfly of the input. But if it is CoW and not contiguous shape (like,
+ CopyOnWriteArrayWithInt32), we create a JSImmutableButterfly and copy it to this new butterfly. We can
+ extend it to accept non-contiguous JSImmutableButterfly in the future.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecompiler/BytecodeGenerator.cpp:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileSpread):
+ (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
+ (JSC::DFG::SpeculativeJIT::compileObjectKeys):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::toButterfly):
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * interpreter/Interpreter.cpp:
+ (JSC::sizeOfVarargs):
+ (JSC::loadVarargs):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSCast.h:
+ * runtime/JSFixedArray.cpp: Removed.
+ * runtime/JSFixedArray.h: Removed.
+ * runtime/JSImmutableButterfly.h:
+ (JSC::JSImmutableButterfly::createFromArray):
+ (JSC::JSImmutableButterfly::offsetOfPublicLength):
+ (JSC::JSImmutableButterfly::offsetOfVectorLength):
+ * runtime/JSType.cpp:
+ (WTF::printInternal):
+ * runtime/JSType.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-13 Saam Barati
+
+ Structure should have a bloom filter of seen identifiers
+ https://bugs.webkit.org/show_bug.cgi?id=205182
+
+ Reviewed by Yusuke Suzuki and Tadeu Zagallo.
+
+ This patch adds a bloom filter of seen identifiers to Structure. This usually allows
+ us to quickly determine if a Structure *has not* seen a particular property. Based
+ on some logging I added in JetStream2 and Speedometer2, 70% of calls to Structure::get
+ result in us returning invalidOffset (e.g, the property does not exist).
This patch
+ allows that path to be even faster. This bloom filter is just modeling what goes inside
+ Structure's property table. For that reason, we don't need to consider things inside
+ the static property table. We reason about the static property table inside JSObject's
+ property lookup.
+
+ This patch appears to be a 0.5% progression on Speedometer2.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::get):
+ (JSC::Structure::add):
+
+2019-12-13 Mark Lam
+
+ Fix bad exception assertion in ExceptionHelpers.cpp's createError().
+ https://bugs.webkit.org/show_bug.cgi?id=205230
+
+
+ Reviewed by Yusuke Suzuki.
+
+ The code in createError() was doing the following:
+
+ String valueDescription = errorDescriptionForValue(globalObject, value);
+ EXCEPTION_ASSERT(scope.exception() || !!valueDescription);
+ if (!valueDescription) {
+ scope.clearException();
+ return createOutOfMemoryError(globalObject);
+ }
+
+ If errorDescriptionForValue() throws an exception, then we expect the
+ valueDescription string to be null so that we can throw an OutOfMemoryError.
+ However, errorDescriptionForValue() can detect an imminent overflow in String
+ length and just return a null string without throwing an exception which fails
+ the above assertion.
+
+ The fix is to simply do an explicit exception check in addition to the null string
+ check and remove the assertion.
+
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createError):
+
+2019-12-13 Saam Barati
+
+ Add a Heap::finalize function that takes WTF::Function
+ https://bugs.webkit.org/show_bug.cgi?id=205211
+
+ Reviewed by Geoffrey Garen.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::addFinalizer):
+ (JSC::Heap::FinalizerOwner::finalize):
+ * heap/Heap.h:
+
+2019-12-13 Jim Mason
+
+ [GTK] WebKitGTK build hangs on g-ir-scanner
+ https://bugs.webkit.org/show_bug.cgi?id=204715
+
+ This patch fixes the static initialization order problem
+ introduced by Bug 204503.
+
+ The patch replaces the static data members with statics that
+ are constructed only upon first access (i.e., the 'construct
+ on first use' idiom).
+
+ Reviewed by Carlos Garcia Campos.
+
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::start):
+ (Inspector::RemoteInspector::messageHandlers):
+ * inspector/remote/glib/RemoteInspectorServer.cpp:
+ (Inspector::RemoteInspectorServer::messageHandlers):
+ (Inspector::RemoteInspectorServer::incomingConnectionCallback):
+ * inspector/remote/glib/RemoteInspectorServer.h:
+
+2019-12-12 Yusuke Suzuki
+
+ [JSC] Puts fixed-sized cells into IsoSubspace more
+ https://bugs.webkit.org/show_bug.cgi?id=205183
+
+ Reviewed by Saam Barati.
+
+ This patch puts many of fixed-sized cells into IsoSubspace.
+
+ - Exception
+ - JSPropertyNameEnumerator
+ - RegExp
+ - StructureChain
+ - MapBucket
+ - JSMapIterator
+ - ScopedArgumentsTable
+ - SetBucket
+ - JSSetIterator
+ - JSScriptFetchParameters
+ - JSScriptFetcher
+ - JSSourceCode
+ - JSTemplateObjectDescriptor
+
+ * runtime/Exception.h:
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapBucket::selectStructure): Deleted.
+ (JSC::HashMapBucket::info): Deleted.
+ (JSC::HashMapBucket::createStructure): Deleted.
+ (JSC::HashMapBucket::create): Deleted.
+ (JSC::HashMapBucket::createSentinel): Deleted.
+ (JSC::HashMapBucket::HashMapBucket): Deleted.
+ (JSC::HashMapBucket::setNext): Deleted.
+ (JSC::HashMapBucket::setPrev): Deleted.
+ (JSC::HashMapBucket::setKey): Deleted.
+ (JSC::HashMapBucket::setValue): Deleted.
+ (JSC::HashMapBucket::key const): Deleted.
+ (JSC::HashMapBucket::value const): Deleted.
+ (JSC::HashMapBucket::next const): Deleted.
+ (JSC::HashMapBucket::prev const): Deleted.
+ (JSC::HashMapBucket::deleted const): Deleted.
+ (JSC::HashMapBucket::makeDeleted): Deleted.
+ (JSC::HashMapBucket::offsetOfKey): Deleted.
+ (JSC::HashMapBucket::offsetOfValue): Deleted.
+ (JSC::HashMapBucket::offsetOfNext): Deleted.
+ (JSC::HashMapBucket::extractValue): Deleted.
+ * runtime/JSMapIterator.h:
+ * runtime/JSPropertyNameEnumerator.h:
+ * runtime/JSScriptFetchParameters.h:
+ * runtime/JSScriptFetcher.h:
+ * runtime/JSSetIterator.h:
+ * runtime/JSSourceCode.h:
+ * runtime/JSTemplateObjectDescriptor.h:
+ * runtime/RegExp.h:
+ * runtime/ScopedArgumentsTable.h:
+ * runtime/StructureChain.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-12 Yusuke Suzuki
+
+ [JSC] Wasm init-expr should reject mutable globals
+ https://bugs.webkit.org/show_bug.cgi?id=205191
+
+ Reviewed by Mark Lam.
+
+ For init-expr, expr must be a constant[1]. Constant expr, which is defined in Wasm spec, requires that, if the expr is GetGlobal,
+ global's mutability is immutable. Previously our imported globals are always immutable, so we are using ASSERT instead of checking
+ mutability in WasmSectionParser. But now, we have ability to import mutable globals. We should check mutability when parsing init-expr.
+ We do not have this check previously, which leads to spec-correctness issue that we can initialize globals/elements/data-segments
+ with snapshot values of mutable globals (this is safe, but this is not spec-compliant, and it is not reasonable semantics), while
+ such an attempt should be rejected when compiling Wasm modules.
+
+ This patch adds necessary checks.
+
+ [1]: https://webassembly.github.io/spec/core/valid/instructions.html#valid-constant
+
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseInitExpr):
+
+2019-12-12 Mark Lam
+
+ Fix missing exception in JSValue::toWTFStringSlowCase().
+ https://bugs.webkit.org/show_bug.cgi?id=205176
+
+
+ Reviewed by Yusuke Suzuki.
+
+ Also fix all the new exception check failures that fall out of change.
+ Also replaced some ASSERTs with EXCEPTION_ASSERT so that we can run the exception
+ check validation on a release build.
+
+ * dfg/DFGOperations.cpp:
+ * jsc.cpp:
+ (dumpException):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncPush):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createError):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::toWTFStringSlowCase const):
+
+2019-12-12 Yusuke Suzuki
+
+ [JSC] Lock-down JSGlobalObject and derived classes in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=205108
+
+ Reviewed by Mark Lam.
+
+ This patch puts JSGlobalLexicalEnvironment and JSGlobalObject (and its derived classes including JSDOMWindow etc.) in IsoSubspace.
+ We were using `addFinalizer` feature to call destructors for these objects since they do not inherit JSDestructibleObject. But now
+ each derived classes has its IsoSubspace. So we do not need to use finalizer feature: just setting specialized HeapCellType works.
+
+ * API/JSAPIGlobalObject.h:
+ * API/JSCallbackObject.cpp:
+ * API/glib/JSAPIWrapperGlobalObject.cpp:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/SuperSampler.h:
+ * heap/CellAttributes.h:
+ * heap/FreeList.h:
+ * heap/IsoHeapCellType.cpp:
+ (JSC::IsoHeapCellType::IsoHeapCellType):
+ * heap/IsoHeapCellType.h:
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::setIsFreeListed): Deleted.
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::setIsFreeListed):
+ * jsc.cpp:
+ (GlobalObject::create): Deleted.
+ (GlobalObject::createStructure): Deleted.
+ (GlobalObject::javaScriptRuntimeFlags): Deleted.
+ (GlobalObject::finishCreation): Deleted.
+ (GlobalObject::addFunction): Deleted.
+ * runtime/JSGlobalLexicalEnvironment.h:
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::subspaceFor):
+ * runtime/JSSegmentedVariableObject.cpp:
+ (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
+ (JSC::JSSegmentedVariableObject::finishCreation):
+ (JSC::JSSegmentedVariableObject::destroy): Deleted.
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::subspaceFor):
+ (JSC::JSSegmentedVariableObject::classInfo const): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * testRegExp.cpp:
+ (GlobalObject::create): Deleted.
+ (GlobalObject::createStructure): Deleted.
+ (GlobalObject::finishCreation): Deleted.
+
+2019-12-12 Mark Lam
+
+ Fix missing exception check in JSON Stringifier's gap function.
+ https://bugs.webkit.org/show_bug.cgi?id=205171
+
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/JSONObject.cpp:
+ (JSC::gap):
+
+2019-12-12 Mark Lam
+
+ DFG and FTL expects String.prototype to not qualify for StringObjectUse.
+ https://bugs.webkit.org/show_bug.cgi?id=205147
+
+
+ Reviewed by Saam Barati.
+
+ Currently, String.prototype's JSType is StringObjectType.
+
+ However, in the compiler, there are a few places that expect that the
+ String.prototype value to not qualify as StringObjectUse. These places are:
+ 1. SpeculatedType.cpp's speculationFromClassInfo() will speculate SpecObjectOther
+ for the StringPrototype object.
+ 2. DFGFixupPhase.cpp's addCheckStructureForOriginalStringObjectUse() only emits a
+ CheckStructure against globalObject->stringObjectStructure(). It does not
+ check against String.prototype's structure.
+
+ To resolve this discrepancy, we can either do:
+ a. change String.prototype's JSType to something else.
+ b. fix the places in the compiler to accept String.prototype as StringObjectUse.
+
+ (a) is trivial and cheap to do. (b) is doable but will result in less optimal
+ compiled code.
Since passing String.prototype as a StringObject is expected to
+ be a rare thing in JS code, it's not worth incurring the cost for (b). In this
+ patch, we apply (a) to fix the discrepancy.
+
+ Also added a specialization case to FOR_EACH_JS_DYNAMIC_CAST_JS_TYPE_OVERLOAD
+ for jsDynamicCast for completeness.
+
+ * runtime/JSCast.h:
+ * runtime/JSType.cpp:
+ (WTF::printInternal):
+ * runtime/JSType.h:
+ * runtime/StringPrototype.h:
+
+2019-12-12 Yusuke Suzuki
+
+ [JSC] IsoHeapCellType should have destroy function member instead of specializing template function
+ https://bugs.webkit.org/show_bug.cgi?id=205152
+
+ Reviewed by Saam Barati.
+
+ We were specializing MarkedBlock::Handle::specializedSweep in 5 different ways for each IsoSubspace-ed cell.
+ This bloats binary. Instead of specializing it with CellType, we specialize it with one functor, which invokes
+ function pointer held by IsoHeapCellType. This requires one indirect function call per cell. But this is OK since,
+
+ 1. We were using JSDestructibleObject's cell->classInfo->methodTable.destroy function call to dispatch destruction,
+ before IsoSubspace replaces them with IsoHeapCellType-based destruction. Compared to that, the new one is still
+ saving one pointer chasing basically (classInfo dereference, we assume cell deference is no cost since it will
+ be done anyway).
+ 2. We still keep JSString's destroy function inlining by using IsoInlinedHeapCellType. This is important since
+ it is critical to performance and we had JSStringHeapCellType before we replaced it with IsoHeapCellType.
+ But IsoInlinedHeapCellType specialization is for only one class so generated binary size is the same to the
+ old code using JSStringHeapCellType.
+
+ This saves 480KB binary-size in JavaScriptCore. And more importantly, after this patch, adding IsoSubspace
+ will not bloat code, so we can simply put things into IsoSubspace.
+
+ This patch also removes `using namespace JSC;` in global code in JavaScriptCore except for API codes, since
+ it starts causing build failure due to unified builds: API defines JSType enum in a global scope, which is
+ different from our JSC::JSType. If we do `using namespace JSC;` in a global scope, it can lead to ambiguity of
+ looking up.
+
+ * API/JSHeapFinalizerPrivate.cpp:
+ (JSContextGroupAddHeapFinalizer):
+ (JSContextGroupRemoveHeapFinalizer):
+ * API/JSHeapFinalizerPrivate.h:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * assembler/AbstractMacroAssembler.cpp:
+ * bindings/ScriptFunctionCall.cpp:
+ * bindings/ScriptObject.cpp:
+ * bindings/ScriptValue.cpp:
+ * heap/IsoHeapCellType.cpp: Copied from Source/JavaScriptCore/assembler/AbstractMacroAssembler.cpp.
+ (JSC::IsoHeapCellType::finishSweep):
+ (JSC::IsoHeapCellType::destroy):
+ * heap/IsoHeapCellType.h:
+ * heap/IsoInlinedHeapCellType.h: Copied from Source/JavaScriptCore/heap/IsoHeapCellType.h.
+ * heap/MutatorState.cpp:
+ * heap/Synchronousness.cpp:
+ * inspector/InjectedScriptHost.cpp:
+ * inspector/InjectedScriptManager.cpp:
+ * inspector/JSGlobalObjectConsoleClient.cpp:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ * inspector/JSGlobalObjectScriptDebugServer.cpp:
+ * inspector/JSInjectedScriptHost.cpp:
+ * inspector/JSInjectedScriptHostPrototype.cpp:
+ * inspector/JSJavaScriptCallFrame.cpp:
+ * inspector/JSJavaScriptCallFramePrototype.cpp:
+ * inspector/JavaScriptCallFrame.cpp:
+ * inspector/PerGlobalObjectWrapperWorld.cpp:
+ * inspector/ScriptCallStackFactory.cpp:
+ * inspector/ScriptDebugServer.cpp:
+ * inspector/agents/InspectorHeapAgent.cpp:
+ * inspector/agents/InspectorScriptProfilerAgent.cpp:
+ * inspector/agents/JSGlobalObjectAuditAgent.cpp:
+ * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
+ * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-11 Yusuke Suzuki
+
+ [JSC] Put all API related
JS cells into IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=205097
+
+ Reviewed by Mark Lam.
+
+ This patch puts API related JS cells into IsoSubspace.
+
+ * API/JSAPIGlobalObject.h:
+ (JSC::JSAPIGlobalObject::create): Deleted.
+ (JSC::JSAPIGlobalObject::createStructure): Deleted.
+ (JSC::JSAPIGlobalObject::JSAPIGlobalObject): Deleted.
+ * API/JSAPIValueWrapper.h:
+ * API/JSAPIWrapperObject.h:
+ (JSC::JSAPIWrapperObject::subspaceFor):
+ * API/JSAPIWrapperObject.mm:
+ (JSC::JSCallbackObject::subspaceForImpl):
+ * API/JSCallbackConstructor.cpp:
+ (JSC::JSCallbackConstructor::JSCallbackConstructor):
+ * API/JSCallbackConstructor.h:
+ * API/JSCallbackObject.cpp:
+ (JSC::JSCallbackObject::createStructure):
+ (JSC::JSCallbackObject::subspaceForImpl):
+ (JSC::JSCallbackObject::subspaceForImpl):
+ (JSC::JSCallbackObject::createStructure): Deleted.
+ * API/JSCallbackObject.h:
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject::init):
+ * API/JSClassRef.cpp:
+ (OpaqueJSClass::prototype):
+ * API/JSObjectRef.cpp:
+ (JSObjectMake):
+ (JSObjectGetPrivate):
+ (JSObjectSetPrivate):
+ (JSObjectGetPrivateProperty):
+ (JSObjectSetPrivateProperty):
+ (JSObjectDeletePrivateProperty):
+ * API/JSValueRef.cpp:
+ (JSValueIsObjectOfClass):
+ * API/JSWeakObjectMapRefPrivate.cpp:
+ * API/glib/JSAPIWrapperGlobalObject.cpp:
+ (JSC::JSCallbackObject::subspaceForImpl):
+ * API/glib/JSAPIWrapperGlobalObject.h:
+ (JSC::JSAPIWrapperGlobalObject::subspaceFor):
+ * API/glib/JSAPIWrapperObjectGLib.cpp:
+ (JSC::JSCallbackObject::subspaceForImpl):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSSegmentedVariableObject.cpp:
+ (JSC::JSSegmentedVariableObject::finishCreation):
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::classInfo const):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-10 Saam Barati
+
+ BytecodeDumper should print out of line jump targets
+ https://bugs.webkit.org/show_bug.cgi?id=205091
+
+ 
Reviewed by Tadeu Zagallo and Yusuke Suzuki.
+
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumperBase::dumpValue):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::outOfLineJumpOffset):
+
+2019-12-10 Yusuke Suzuki
+
+ [JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by GCAwareJITStubRoutine
+ https://bugs.webkit.org/show_bug.cgi?id=204876
+
+ Reviewed by Saam Barati.
+
+ When emitting GetterSetterAccessCase code in IC, we dynamically create CallLinkInfo which is owned by GetterSetterAccessCase,
+ and we use this pointer for GetterSetter calls (like, operationLinkCall etc.). The problem is that IC code is not destroyed
+ so long as it is live in the stack. For example, GetterSetterAccessCase might be destroyed when the StructureStubInfo is reset,
+ while executing the emitted code. So, the code is still pointing already-destroyed CallLinkInfo.
+
+ In this patch, CallLinkInfo used for GetterSetterAccessCase code is owned by emitted code, which means, owned by
+ MarkingGCAwareJITStubRoutine. So it is kept so long as the code is live. We use Bag to create a CallLinkInfo,
+ and MarkingGCAwareJITStubRoutine owns it.
+
+ The important question is whether we should call CallLinkInfo::visitWeak when the associated GetterSetterAccessCase is already
+ destroyed. We do not need to call it since (1) it is just clearing CallLinkInfo, and (2) this information will not be used
+ by anyone since associated GetterSetterAccessCase is already destroyed.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/GetterSetterAccessCase.h:
+ (JSC::GetterSetterAccessCase::callLinkInfo const):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::regenerate):
+ * bytecode/PolymorphicAccess.h:
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitDumbVirtualCall):
+ * jit/GCAwareJITStubRoutine.cpp:
+ (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
+ (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
+ (JSC::createJITStubRoutine):
+ * jit/GCAwareJITStubRoutine.h:
+ (JSC::GCAwareJITStubRoutine::create):
+ (JSC::createJITStubRoutine): Deleted.
+ * jit/Repatch.cpp:
+ (JSC::linkSlowFor):
+ (JSC::linkVirtualFor):
+
+2019-12-10 Mark Lam
+
+ Worklist::deleteCancelledPlansForVM() should not assume that a cancelled plan is ready for deletion.
+ https://bugs.webkit.org/show_bug.cgi?id=205086
+
+
+ Reviewed by Saam Barati.
+
+ Consider this race scenario:
+ 1. The DFG thread finds a plan and started compiling, and it's holding a ref to
+ the plan while it's compiling.
+ 2. The GC thread discovers that we no longer need the plan and cancels it.
+ 3. After the plan is cancelled but while the DFG thread is still compiling, the
+ mutator thread calls Worklist::deleteCancelledPlansForVM().
+
+ Worklist::deleteCancelledPlansForVM() was assuming that by the time it is
+ called, Worklist::m_cancelledPlansPendingDestruction will contain the last ref
+ to the cancelled plan. However, this is an incorrect assumption, and the
+ assertion there that asserts refCount == 1 will fail.
+
+ This patch fixes Worklist::deleteCancelledPlansForVM() to append the cancelled
+ plan back into m_cancelledPlansPendingDestruction if its refCount is not 1
+ (implying that the compiler thread still has a ref to it), and defer deletion of
+ the plan to a subsequent call to deleteCancelledPlansForVM().
+
+ This patch also adds a WTFMove to Worklist::removeDeadPlans() when we append the
+ cancelled plan to m_cancelledPlansPendingDestruction there. This saves us one
+ unnecessary ref and deref of the plan.
+
+ * dfg/DFGWorklist.cpp:
+ (JSC::DFG::Worklist::deleteCancelledPlansForVM):
+ (JSC::DFG::Worklist::removeDeadPlans):
+
+2019-12-10 Saam Barati
+
+ methodOfGettingAValueProfileFor should return argument value profiles even when node and operandNode are the same origin
+ https://bugs.webkit.org/show_bug.cgi?id=205083
+
+ Reviewed by Yusuke Suzuki.
+
+ Inside methodOfGettingAValueProfileFor, we only grab profiles when the child
+ node and the parent node were from different code origins. This policy doesn't
+ make sense when the child node is the load of an argument value. In that case,
+ we can always just grab the argument profile.
+
+ We might want to reconsider this policy in general, since it's common for a
+ node to emit a GetLocal to grab its incoming arguments (this is frequently
+ done in the DFG when reloading locals across basic blocks).
+
+ This fixes an OSR exit compile loop inside Speedometer 2's React-Redux-TodoMVC
+ benchmark. That benchmark would repeatedly exit inside CompareStrictEq by
+ repeatedly speculating Object. That node would run with 95% incoming Objects,
+ and 5% incoming strings, and because we didn't grab the argument value profile
+ during exit, we never updated the profile with the String type information.
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
+
+2019-12-10 Commit Queue
+
+ Unreviewed, rolling out r253321.
+ https://bugs.webkit.org/show_bug.cgi?id=205084
+
+ 1% regression in RAMification (Requested by yusukesuzuki on
+ #webkit).
+
+ Reverted changeset:
+
+ "[JSC] Put JSArray in IsoSubspace"
+ https://bugs.webkit.org/show_bug.cgi?id=205049
+ https://trac.webkit.org/changeset/253321
+
+2019-12-10 Tadeu Zagallo
+
+ Reduce JSC's binary size
+ https://bugs.webkit.org/show_bug.cgi?id=204549
+
+ Reviewed by Saam Barati.
+
+ The Wasm interpreter landed in r251886 and significantly increased JSC's binary size. To try and
+ offset that, here and some easy fixes that get us ~200kb back:
+ - We were generating 2 instances of dumpBytecode, at 30kb each. I changed the generator to emit a cpp
+ file instead, avoiding the duplication.
+ - We had 3 instances of computeUsesForBytecodeIndex at 11kb each. I kept the work that depended on the
+ template type in the template function and moved the massive switch into computeUsesForBytecodeIndexImpl.
+ I also did the same for computeDefsForBytecodeIndex.
+ - We had 8 instances of emit_compareAndJump(Slow) at 8kb (7kb for Slow) each. I kept the code
+ that extracts the data from the bytecode in the template, but moved the bulk of the function
+ into emit_compareAndJump(Slow)Impl.
+
+ * CMakeLists.txt:
+ * DerivedSources-output.xcfilelist:
+ * DerivedSources.make:
+ * Sources.txt:
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumperBase::printLocationAndOp):
+ (JSC::BytecodeDumperBase::dumpValue):
+ * bytecode/BytecodeDumper.h:
+ (JSC::BytecodeDumperBase::~BytecodeDumperBase):
+ (JSC::BytecodeDumperBase::dumpValue):
+ (JSC::BytecodeDumperBase::BytecodeDumperBase):
+ (JSC::BytecodeDumper::BytecodeDumper):
+ * bytecode/BytecodeUseDef.cpp: Copied from Source/JavaScriptCore/bytecode/BytecodeUseDef.h.
+ (JSC::computeUsesForBytecodeIndexImpl):
+ (JSC::computeDefsForBytecodeIndexImpl):
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeIndex):
+ (JSC::computeDefsForBytecodeIndex):
+ * generator/DSL.rb:
+ * generator/Opcode.rb:
+ * generator/Options.rb:
+ * jit/JIT.h:
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_compareAndJump):
+ (JSC::JIT::emit_compareAndJumpImpl):
+ (JSC::JIT::emit_compareUnsignedAndJump):
+ (JSC::JIT::emit_compareUnsignedAndJumpImpl):
+ (JSC::JIT::emit_compareUnsigned):
+ (JSC::JIT::emit_compareUnsignedImpl):
+ (JSC::JIT::emit_compareAndJumpSlow):
+ (JSC::JIT::emit_compareAndJumpSlowImpl):
+
+2019-12-10 Yusuke Suzuki
+
+ [JSC] Put JSArray in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=205049
+
+ Reviewed by Mark Lam.
+
+ Put JSArray in IsoSubspace.
+
+ * runtime/ArrayPrototype.h:
+ * runtime/JSArray.h:
+ (JSC::JSArray::subspaceFor):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * tools/JSDollarVM.cpp:
+
+2019-12-09 Mark Lam
+
+ Fix the x86_64 probe so that we can get a full stack trace with libunwind and lldb.
+ https://bugs.webkit.org/show_bug.cgi?id=205050
+
+ Reviewed by Michael Saboff.
+
+ Before this patch, the stack trace from inside a probe function is cut off at ctiMasmProbeTrampoline:
+
+ (lldb) bt
+ * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
+ ...
+ frame #4: 0x0000000100824607 JavaScriptCore`WTF::Function::operator(this=0x000000010b88bd00, in=0x00007ffeefbfd400)(JSC::Probe::Context&) const at Function.h:79:35 + frame #5: 0x0000000100823996 JavaScriptCore`JSC::stdFunctionCallback(context=0x00007ffeefbfd400) at MacroAssembler.cpp:53:5 + frame #6: 0x000000010082701e JavaScriptCore`JSC::Probe::executeProbe(state=0x00007ffeefbfd480) at ProbeContext.cpp:51:5 + frame #7: 0x000000010082614b JavaScriptCore`ctiMasmProbeTrampoline + 299 + (lldb) + + After this patch, we'll now get the full stack trace from inside the probe function: + + (lldb) bt + * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) + ... + frame #4: 0x0000000100826d17 JavaScriptCore`WTF::Function::operator(this=0x0000000106b878f8, in=0x00007ffeefbfd400)(JSC::Probe::Context&) const at Function.h:79:35 + frame #5: 0x0000000100826106 JavaScriptCore`JSC::stdFunctionCallback(context=0x00007ffeefbfd400) at MacroAssembler.cpp:53:5 + frame #6: 0x000000010082986e JavaScriptCore`JSC::Probe::executeProbe(state=0x00007ffeefbfd480) at ProbeContext.cpp:51:5 + frame #7: 0x00000001008289a2 JavaScriptCore`ctiMasmProbeTrampoline + 338 + frame #8: 0x0000466db28025be + frame #9: 0x0000000100754ffc JavaScriptCore`llint_entry at LowLevelInterpreter.asm:994 + frame #10: 0x0000000100738173 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:307 + frame #11: 0x0000000101489307 JavaScriptCore`JSC::JITCode::execute(this=0x0000000106ba1520, vm=0x0000000106d00000, protoCallFrame=0x00007ffeefbfd9b8) at JITCodeInlines.h:38:38 + frame #12: 0x0000000101488982 JavaScriptCore`JSC::Interpreter::executeProgram(this=0x0000000106bfd1f8, source=0x00007ffeefbff090, (null)=0x000000010d0e0000, thisObj=0x000000010d0e8020) at Interpreter.cpp:847:51 + frame #13: 0x00000001017d1f9c JavaScriptCore`JSC::evaluate(globalObject=0x000000010d0e0000, source=0x00007ffeefbff090, thisValue=JSValue @ 0x00007ffeefbfef60, 
returnedException=0x00007ffeefbff0b0) at Completion.cpp:146:38 + frame #14: 0x000000010005838f jsc`runWithOptions(globalObject=0x000000010d0e0000, options=0x00007ffeefbff620, success=0x00007ffeefbff48b) at jsc.cpp:2670:35 + frame #15: 0x000000010002a0da jsc`jscmain(this=0x00007ffeefbff5a0, vm=0x0000000106d00000, globalObject=0x000000010d0e0000, success=0x00007ffeefbff48b)::$_6::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:3157:13 + frame #16: 0x0000000100006eff jsc`int runJSC(options=0x00007ffeefbff620, isWorker=false, func=0x00007ffeefbff5a0)::$_6 const&) at jsc.cpp:3003:9 + frame #17: 0x0000000100005988 jsc`jscmain(argc=10, argv=0x00007ffeefbff6c8) at jsc.cpp:3150:18 + frame #18: 0x000000010000575e jsc`main(argc=10, argv=0x00007ffeefbff6c8) at jsc.cpp:2498:15 + frame #19: 0x00007fff6cfc4da9 libdyld.dylib`start + 1 + frame #20: 0x00007fff6cfc4da9 libdyld.dylib`start + 1 + (lldb) + + The difference is that the x86_64 ctiMasmProbeTrampoline now uses the standard + function prologue, and keeps %rbp pointing to trampoline function's semblance of + a frame that libunwind can understand while it calls the probe function. + + * assembler/MacroAssemblerX86Common.cpp: + +2019-12-09 Yusuke Suzuki + + [JSC] Put CustomGetterSetter and DOMAttributeGetterSetter in IsoSubspace + https://bugs.webkit.org/show_bug.cgi?id=205044 + + Reviewed by Sam Weinig. + + Put CustomGetterSetter and DOMAttributeGetterSetter in IsoSubspace. + + * runtime/CustomGetterSetter.h: + (JSC::CustomGetterSetter::subspaceFor): + * runtime/DOMAttributeGetterSetter.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2019-12-09 Yusuke Suzuki + + [JSC] Remove NativeStdFunctionCell + https://bugs.webkit.org/show_bug.cgi?id=205045 + + Reviewed by Sam Weinig. + + NativeStdFunctionCell is introduced because we were not able to make derived classes of JSFunction destructible. + But now we can do that by using IsoSubspace. And we already have IsoSubspace for JSNativeStdFunction. 
So we do
+ not need to have NativeStdFunctionCell cell. This patch removes it. And making JSNativeStdFunction destructible.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * inspector/InjectedScriptBase.cpp:
+ (Inspector::InjectedScriptBase::makeAsyncCall):
+ * runtime/JSNativeStdFunction.cpp:
+ (JSC::JSNativeStdFunction::JSNativeStdFunction):
+ (JSC::JSNativeStdFunction::visitChildren):
+ (JSC::JSNativeStdFunction::finishCreation):
+ (JSC::runStdFunction):
+ (JSC::JSNativeStdFunction::create):
+ * runtime/JSNativeStdFunction.h:
+ * runtime/NativeStdFunctionCell.cpp: Removed.
+ * runtime/NativeStdFunctionCell.h: Removed.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-09 Tadeu Zagallo
+
+ [WebAssembly] Remove WasmValidate
+ https://bugs.webkit.org/show_bug.cgi?id=205037
+
+ Reviewed by Saam Barati.
+
+ It's currently only used when JSC_useWasmLLInt is false and it creates an additional instantiation
+ of Wasm::FunctionParser, which adds about 100kb to the binary size. This does not introduce any
+ behavior changes with the default options, but it means that we'll generate bytecode when calling
+ WebAssembly.validate/new WebAssembly.Module even when the WasmLLInt is disabled.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::didReceiveFunctionData):
+ * wasm/WasmEntryPlan.cpp:
+ * wasm/WasmLLIntPlan.cpp:
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::makeValidationResult):
+ (JSC::Wasm::makeValidationCallback):
+ (JSC::Wasm::Module::validateSync):
+ (JSC::Wasm::Module::validateAsync):
+ * wasm/WasmModule.h:
+ * wasm/WasmOMGForOSREntryPlan.cpp:
+ (JSC::Wasm::OMGForOSREntryPlan::work):
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::work):
+ * wasm/WasmPlan.cpp:
+ * wasm/WasmValidate.cpp: Removed.
+ * wasm/WasmValidate.h: Removed.
+
+2019-12-09 Tadeu Zagallo
+
+ REGRESSION(r253140): WebAssembly validation should check for unmatched else before calling addElse/addElseToUnreachable
+ https://bugs.webkit.org/show_bug.cgi?id=205022
+
+
+ Reviewed by Saam Barati.
+
+ When moving the validation code into the parser in r253140, I missed the validation check of whether
+ an if block was at the top of the control stack before calling addElse/addElseToUnreachable.
+
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::parseExpression):
+ (JSC::Wasm::FunctionParser::parseUnreachableExpression):
+
+2019-12-09 Mark Lam
+
+ GetByIdVariant::dumpInContext() should not ref UniqueStringImpls.
+ https://bugs.webkit.org/show_bug.cgi?id=205023
+
+
+ Reviewed by Saam Barati.
+
+ This is because GetByIdVariant::dumpInContext() may be called from the compiler
+ thread. GetByIdVariant::dumpInContext() inadvertently invoking the String copy
+ constructor on an Identifier, which in turn, refs the underlying UniqueStringImpl.
+ This results in a race against the mutator to adjust the refCount.
+
+ The fix is to have GetByIdVariant::dumpInContext() print the underlying
+ StringImpl instead of the Identifier itself.
+
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::dumpInContext const):
+
+2019-12-08 Yousuke Kimoto
+
+ [WinCairo] Refine initialization and error handling in RemoteInspectorSocket
+ https://bugs.webkit.org/show_bug.cgi?id=204338
+
+ Reviewed by Fujii Hironori.
+
+ RemoteInspectorSocket socket error handling is not enough,
+ which should be refined to avoid error cases.
+
+ * inspector/remote/socket/RemoteInspectorSocket.h: Modifed return value checks to hanlde error cases.
+ * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: Refined check error handling.
+ (Inspector::RemoteInspectorSocketEndpoint::createListener):
+ * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: Ditto
+ (Inspector::Socket::connect):
+ (Inspector::Socket::listen):
+ (Inspector::Socket::setup):
+ (Inspector::Socket::isListening):
+ (Inspector::Socket::getPort):
+ (Inspector::Socket::preparePolling):
+ * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: Ditto
+ (Inspector::Socket::Socket::create):
+ (Inspector::Socket::setOpt):
+ (Inspector::Socket::bindAndListen):
+ (Inspector::Socket::connect):
+ (Inspector::Socket::accept):
+ (Inspector::Socket::createPair):
+ (Inspector::Socket::setup):
+ (Inspector::Socket::isListening):
+ (Inspector::Socket::getPort):
+ (Inspector::Socket::read):
+ (Inspector::Socket::write):
+ (Inspector::Socket::preparePolling): Initialized 'poll' with zero
+
+2019-12-08 Tadeu Zagallo
+
+ [WebAssembly] Fix LLIntGenerator's checkConsistency contract
+ https://bugs.webkit.org/show_bug.cgi?id=204998
+
+
+ Reviewed by Mark Lam.
+
+ We check the consistency of the WebAssembly parser's expression stack every time the LLIntGenerator calls
+ push to allocate a new stack value. However, if we call push more than once (e.g. in a loop), the stack
+ is no longer consistent, since those values have not yet been placed in the parser's expression stack, so
+ the generator and parser's stacks are out of sync. Instead, whenever we need to push multiple values, we
+ should first manually call checkConsistency before any pushes, and all pushes after that should be replaced
+ with push(NoConsistencyCheck).
+
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::callInformationForCaller):
+ (JSC::Wasm::LLIntGenerator::addArguments):
+ (JSC::Wasm::LLIntGenerator::addLocal):
+
+2019-12-07 Mark Lam
+
+ Object.prototype.isPrototypeOf() should check if the passed in value is a non-object first.
+ https://bugs.webkit.org/show_bug.cgi?id=204971
+
+
+ Reviewed by Saam Barati.
+
+ The spec says Object.prototype.isPrototypeOf() should do checks in the following
+ order:
+ 1. If Type(V) is not Object, return false.
+ 2. Let O be ? ToObject(this value).
+ ...
+ We were previously checking (2) before (1). This patch fixes this order.
+
+ Ref: http://www.ecma-international.org/ecma-262/10.0/index.html#sec-object.prototype.isprototypeof
+
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncIsPrototypeOf):
+
+2019-12-07 Saam Barati
+
+ Unreviewed. Roll out r253201. It was not a progression on any benchmarks, and was 8% slower on JetStream 2 ML.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.rb:
+ * bytecode/GetByValHistory.h: Added.
+ (JSC::GetByValHistory::observeNonUID):
+ (JSC::GetByValHistory::observe):
+ (JSC::GetByValHistory::count const):
+ (JSC::GetByValHistory::filter const):
+ (JSC::GetByValHistory::update):
+ * bytecode/PointerHistory.h: Removed.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseGetById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGGraph.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetById):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * generator/DSL.rb:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_try_get_by_id):
+ (JSC::JIT::emitSlow_op_try_get_by_id):
+ (JSC::JIT::emit_op_get_by_id_direct):
+ (JSC::JIT::emitSlow_op_get_by_id_direct):
+ (JSC::JIT::emit_op_get_by_id):
+ (JSC::JIT::emitSlow_op_get_by_id):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/OptionsList.h:
+
+2019-12-07 Mark Lam
+
+ Remove invalid assertion in FTL's allocateJSArray().
+ https://bugs.webkit.org/show_bug.cgi?id=204987
+
+
+ Reviewed by Saam Barati.
+
+ The assertion (in the compiler thread) does not take into account that the mutator
+ may be in the process of transiting to HavingABadTime. As a result, the assertion
+ may fail intermittently. This patch fixes this issue by removing this bad
+ assertion.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+
+2019-12-07 Mark Lam
+
+ Build fix for: The compiler thread should not adjust Identifier refCounts.
+ https://bugs.webkit.org/show_bug.cgi?id=204919
+
+
+ Not reviewed.
+
+ * bytecode/GetByStatus.cpp:
+ (JSC::GetByStatus::computeFor):
+
+2019-12-07 Joonghun Park
+
+ Unreviewed. Remove the build warning below since r250009.
+ warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
+
+ This patch typecasts the "maybe signed" one as unsigned, which is the
+ same what the compilers would do, but making the typecast explicit
+ so that the warning go away.
+
+ * b3/air/testair.cpp:
+
+2019-12-07 Yusuke Suzuki
+
+ [JSC] Put JSWrapperObject derived classes in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=204976
+
+ Reviewed by Mark Lam.
+
+ Put JSWrapperObject derived classes in IsoSubspace.
+
+ 1. StringObject
+ 2. NumberObject
+ 3. SymbolObject
+ 4. BigIntObject
+ 5. BooleanObject
+
+ * runtime/BigIntObject.h:
+ * runtime/BooleanObject.h:
+ (JSC::BooleanObject::subspaceFor):
+ * runtime/BooleanPrototype.h:
+ * runtime/JSWrapperObject.h:
+ (JSC::JSWrapperObject::subspaceFor):
+ * runtime/NumberObject.h:
+ (JSC::NumberObject::subspaceFor):
+ * runtime/NumberPrototype.h:
+ * runtime/StringObject.h:
+ (JSC::StringObject::subspaceFor):
+ * runtime/StringPrototype.h:
+ * runtime/SymbolObject.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-07 Devin Rousso
+
+ Web Inspector: non-regex Local Overrides and Script Blackboxing shouldn't apply to scripts that just contain the URL
+ https://bugs.webkit.org/show_bug.cgi?id=204954
+
+ Reviewed by Joseph Pecoraro.
+
+ If `isRegex` is false, add `^` and `$` to the beginning and end of the search string to
+ ensure that the search string is exactly matched, not just contained within the potentially
+ intercepted URL.
+
+ This doesn't actually change functionality because the Web Inspector frontend wouldn't
+ replace the network response for these containing matches, as the frontend JavaScript
+ already correctly performed this logic, and would therefore `Network.interceptContinue`.
+
+ * inspector/ContentSearchUtilities.h:
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::escapeStringForRegularExpressionSource): Added.
+ (Inspector::ContentSearchUtilities::createRegularExpressionForSearchString): Added.
+ (Inspector::ContentSearchUtilities::searchInTextByLines):
+ (Inspector::ContentSearchUtilities::createSearchRegexSource): Deleted.
+ (Inspector::ContentSearchUtilities::createSearchRegex): Deleted.
+ Rename functions for clarity.
+
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::shouldBlackboxURL const):
+
+2019-12-06 Zan Dobersek
+
+ [GTK][WPE] Use bmalloc's memory footprint API for JSC heap growth management
+ https://bugs.webkit.org/show_bug.cgi?id=204576
+
+ Reviewed by Saam Barati.
+
+ Use the new USE(BMALLOC_MEMORY_FOOTPRINT_API) build guard to enable
+ bmalloc-based JSC heap growth management on iOS family ports as well
+ as additionally the Linux-based ports, if the configuration allows it
+ (i.e. system malloc enforcement kept disabled).
+
+ * heap/Heap.cpp:
+ (JSC::Heap::overCriticalMemoryThreshold):
+ (JSC::Heap::updateAllocationLimits):
+ (JSC::Heap::collectIfNecessaryOrDefer):
+ * heap/Heap.h:
+ Initialize the two member variables and fix a typo in one of them.
+ * runtime/Options.cpp:
+ (JSC::overrideDefaults):
+ Also guard two default overrides with the new flag.
+
+2019-12-06 Mark Lam
+
+ The compiler thread should not adjust Identifier refCounts.
+ https://bugs.webkit.org/show_bug.cgi?id=204919
+
+
+ Reviewed by Saam Barati.
+
+ 1. Previously, in the compiler thread, we would get a Symbol uid via
+ Symbol::privateName().uid(). Symbol::privateName() returns a copy of its
+ PrivateName, which in turn results in ref'ing the underlying SymbolImpl.
+ This results in a race between the mutator and compiler threads to adjust the
+ SymbolImpl's refCount, which may result in corruption.
+
+ This patch fixes this by adding Symbol::uid() which return the underlying
+ SymbolImpl without ref'ing it.
+
+ 2. Previously, in the compiler thread, we also create Box via its
+ copy constructor. The original Box is instantiated in the mutator.
+ The Box refs its internal Data, which is ThreadSafeRefCounted and
+ shared by all Box for the same underlying Identifier.
+ This ensures that the compiler thread does not ref the underlying Identifier.
+
+ However, when the Box is destructed, it will also check if it holds
+ the last ref to its internal Data. If so, it will destruct its Data, and the
+ Identifier that it embeds. This results in the compiler thread trying to deref
+ the StringImpl referenced by the Identifier in a race against the mutator.
+
+ This patch fixes this by ensuring that for any Box instance used
+ by the compiler thread, we will register another instance in the DFG::Plan
+ m_identifiersKeptAliveForCleanUp list, and let the mutator destruct that
+ Box later in the mutator. This ensures that the compiler thread
+ will never see the last reference to a Box's internal Data and
+ avoid the race.
+
+ 3. This patch also fixes the DFG::Worklist code to ensure that a DFG::Plan is
+ always destructed in the mutator, even if the Plan was cancelled.
+
+ This, in turn, enables us to assert that the Plan is never destructed in the
+ compiler thread.
+
+ * bytecode/GetByStatus.cpp:
+ (JSC::GetByStatus::computeFor):
+ (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+ * bytecode/GetByStatus.h:
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::detach):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseGetById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::~Plan):
+ (JSC::DFG::Plan::computeCompileTimes const):
+ (JSC::DFG::Plan::cancel):
+ * dfg/DFGPlan.h:
+ (JSC::DFG::Plan::unnukedVM const):
+ (JSC::DFG::Plan::keepAliveIdentifier):
+ (JSC::DFG::Plan::nuke):
+ (JSC::DFG::Plan::unnuke):
+ * dfg/DFGSafepoint.cpp:
+ (JSC::DFG::Safepoint::cancel):
+ * dfg/DFGWorklist.cpp:
+ (JSC::DFG::Worklist::deleteCancelledPlansForVM):
+ (JSC::DFG::Worklist::removeAllReadyPlansForVM):
+ (JSC::DFG::Worklist::removeDeadPlans):
+ (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
+ * dfg/DFGWorklist.h:
+ * runtime/Symbol.h:
+
+2019-12-06 Yusuke Suzuki
+
+ [JSC] Put JSModuleNamespaceObject in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=204973
+
+ Reviewed by Mark Lam.
+
+ We found that we do not need to embed AbstractModuleRecord vector inside JSModuleNamespaceObject: we can just put it
+ in ExportEntry. So we can make it non-variable-sized cell. Further, this patch puts it in IsoSubspace.
+
+ * runtime/CellSize.h:
+ (JSC::isDynamicallySizedType):
+ (JSC::cellSize):
+ * runtime/JSModuleNamespaceObject.cpp:
+ (JSC::JSModuleNamespaceObject::finishCreation):
+ (JSC::JSModuleNamespaceObject::visitChildren):
+ (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
+ * runtime/JSModuleNamespaceObject.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-06 Yusuke Suzuki
+
+ [JSC] Put ModuleRecords in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=204972
+
+ Reviewed by Mark Lam.
+
+ This patch is putting JSModuleRecord and WebAssemblyModuleRecord in IsoSubspace.
+
+ * runtime/AbstractModuleRecord.cpp:
+ (JSC::AbstractModuleRecord::destroy): Deleted.
+ * runtime/AbstractModuleRecord.h:
+ (JSC::AbstractModuleRecord::subspaceFor):
+ * runtime/JSModuleRecord.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/WebAssemblyModuleRecord.h:
+
+2019-12-06 Per Arne Vollan
+
+ Unreviewed build fix. Initialize local variable.
+
+ * API/tests/testapi.cpp:
+ (TestAPI::promiseUnhandledRejection):
+
+2019-12-06 Joonghun Park
+
+ Unreviewed. Change the format string portable by using "%" PRIx64
+ instead of "%llx" for uint64_t argument.
+
+ This patch removes the build warning below since r252978.
+
+ warning: format ‘%llx’ expects argument of type ‘long long unsigned int’,
+ but argument 3 has type ‘JSC::SpeculatedType {aka long unsigned int}’ [-Wformat=]
+
+ * runtime/PredictionFileCreatingFuzzerAgent.cpp:
+ (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal):
+
+2019-12-06 Commit Queue
+
+ Unreviewed, rolling out r253218.
+ https://bugs.webkit.org/show_bug.cgi?id=204968
+
+ Broke the build (Requested by ap on #webkit).
+
+ Reverted changeset:
+
+ "Remove various .order files."
+ https://bugs.webkit.org/show_bug.cgi?id=204959
+ https://trac.webkit.org/changeset/253218
+
+2019-12-06 Yusuke Suzuki
+
+ [JSC] JSCallee should be in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=204961
+
+ Reviewed by Mark Lam.
+
+ We should put JSCallee in IsoSubspace. Currently, we are also putting JSToWasmICCallee in IsoSusbapce
+ since it is a derived class of JSCallee, but I think we can remove this class completely. We are tracking
+ it in [1].
+
+ [1]: https://bugs.webkit.org/show_bug.cgi?id=204960
+
+ * debugger/DebuggerScope.h:
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::executeProgram):
+ (JSC::Interpreter::execute):
+ * runtime/JSCallee.h:
+ (JSC::JSCallee::subspaceFor):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::globalCallee):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/JSToWasmICCallee.h:
+ (JSC::JSToWasmICCallee::function): Deleted.
+ (JSC::JSToWasmICCallee::JSToWasmICCallee): Deleted.
+
+2019-12-06 Devin Rousso
+
+ Web Inspector: add compiler UNLIKELY hints when checking if developer extras are enabled
+ https://bugs.webkit.org/show_bug.cgi?id=204875
+
+ Reviewed by Joseph Pecoraro.
+
+ Move the check for whether developer extras are enabled from the agent to the client so that
+ when inspecting a webpage, we don't check for it twice, since `InspectorInstrumentation`
+ already checks for it too.
+
+ * inspector/agents/InspectorConsoleAgent.h:
+ * inspector/agents/InspectorConsoleAgent.cpp:
+ (Inspector::InspectorConsoleAgent::developerExtrasEnabled const): Added.
+ (Inspector::InspectorConsoleAgent::addMessageToConsole):
+ (Inspector::InspectorConsoleAgent::startTiming):
+ (Inspector::InspectorConsoleAgent::logTiming):
+ (Inspector::InspectorConsoleAgent::stopTiming):
+ (Inspector::InspectorConsoleAgent::takeHeapSnapshot):
+ (Inspector::InspectorConsoleAgent::count):
+ (Inspector::InspectorConsoleAgent::countReset):
+ (Inspector::InspectorConsoleAgent::addConsoleMessage):
+
+ * inspector/JSGlobalObjectConsoleClient.cpp:
+ (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
+ (Inspector::JSGlobalObjectConsoleClient::count):
+ (Inspector::JSGlobalObjectConsoleClient::countReset):
+ (Inspector::JSGlobalObjectConsoleClient::profile):
+ (Inspector::JSGlobalObjectConsoleClient::profileEnd):
+ (Inspector::JSGlobalObjectConsoleClient::takeHeapSnapshot):
+ (Inspector::JSGlobalObjectConsoleClient::time):
+ (Inspector::JSGlobalObjectConsoleClient::timeLog):
+ (Inspector::JSGlobalObjectConsoleClient::timeEnd):
+ (Inspector::JSGlobalObjectConsoleClient::timeStamp):
+ (Inspector::JSGlobalObjectConsoleClient::record):
+ (Inspector::JSGlobalObjectConsoleClient::recordEnd):
+ (Inspector::JSGlobalObjectConsoleClient::screenshot):
+
+2019-12-06 Keith Miller
+
+ Remove various .order files.
+ https://bugs.webkit.org/show_bug.cgi?id=204959
+
+ Reviewed by Yusuke Suzuki.
+
+ These files are all super out of date and likely don't do anything anymore.
+ The signatures of the functions have changed thus the mangled name has changed.
+
+ * JavaScriptCore.order: Removed.
+
+2019-12-06 Joonghun Park
+
+ Unreviewed. Revert r253207 because it causes compile error in Mac and ios build.
+
+ * runtime/PredictionFileCreatingFuzzerAgent.cpp:
+ (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal):
+
+2019-12-06 Joonghun Park
+
+ Unreviewed. Remove build warning below since r252978.
+
+ warning: format ‘%llx’ expects argument of type ‘long long unsigned int’,
+ but argument 3 has type ‘JSC::SpeculatedType {aka long unsigned int}’ [-Wformat=]
+
+ * runtime/PredictionFileCreatingFuzzerAgent.cpp:
+ (JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal):
+
+2019-12-05 Saam Barati
+
+ get_by_id ICs should have a structure history used to indicate when we should skip generating an IC
+ https://bugs.webkit.org/show_bug.cgi?id=204904
+
+
+ Reviewed by Yusuke Suzuki and Tadeu Zagallo.
+
+ I implemented a similar policy for get_by_val for the number of unique seen
+ identifiers. This allows us to create a heuristic to directly call the slow
+ path when profiling information tells us if inline caching might not be
+ profitable. This patch implements a similar policy for get_by_id where we
+ profile the seen base value structures. If the LLInt observes enough
+ unique structures, we omit emitting the inline cache in the upper
+ tiers.
+
+ The goal here was to try to speed up Speedometer2. Local testing showed
+ this patch to repeatedly be 0.5% faster, but all the P values I got were
+ insignificant. So it appears it's either neutral or slightly faster.
+
+ This patch also adjusts the policy of seeing a non-identifier inside
+ the PointerHistory data structure. Instead of increasing it to reach the
+ limit when we see a non-identifier, we just treat each execution with
+ a non-identifier to increment the count by 1.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.rb:
+ * bytecode/GetByValHistory.h: Removed.
+ * bytecode/PointerHistory.h: Copied from Source/JavaScriptCore/bytecode/GetByValHistory.h.
+ (JSC::PointerHistory::observe):
+ (JSC::PointerHistory::observeNull):
+ (JSC::GetByValHistory::observeNonUID): Deleted.
+ (JSC::GetByValHistory::observe): Deleted.
+ (JSC::GetByValHistory::count const): Deleted.
+ (JSC::GetByValHistory::filter const): Deleted.
+ (JSC::GetByValHistory::update): Deleted.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseGetById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGGraph.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetById):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * generator/DSL.rb:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_try_get_by_id):
+ (JSC::JIT::emitSlow_op_try_get_by_id):
+ (JSC::JIT::emit_op_get_by_id_direct):
+ (JSC::JIT::emitSlow_op_get_by_id_direct):
+ (JSC::JIT::emit_op_get_by_id):
+ (JSC::JIT::emitSlow_op_get_by_id):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/OptionsList.h:
+
+2019-12-05 Tadeu Zagallo
+
+ [WebAssembly] Fix LLIntCallee's ownership
+ https://bugs.webkit.org/show_bug.cgi?id=204929
+
+ Reviewed by Saam Barati.
+
+ Currently, after the LLIntPlan finished generating bytecode, the Module takes ownership of the Vector
+ of LLIntCallee's and passes a pointer to the Vector's storage to the CodeBlock. However, while we're
+ tiering up, the module might be destroyed and we'll try to access the LLIntCallee after we finish
+ compiling through the pointer held by the CodeBlock, which is now stale, since the Vector was owned
+ by the Module. In order to fix this, we move the Vector into a reference counted wrapper class, LLIntCallees,
+ and both the Module and the CodeBlock hold references to the wrapper.
+
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::work):
+ * wasm/WasmCallee.h:
+ (JSC::Wasm::LLIntCallees::create):
+ (JSC::Wasm::LLIntCallees::at const):
+ (JSC::Wasm::LLIntCallees::data const):
+ (JSC::Wasm::LLIntCallees::LLIntCallees):
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::create):
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ * wasm/WasmCodeBlock.h:
+ (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::Module::Module):
+ (JSC::Wasm::Module::getOrCreateCodeBlock):
+ * wasm/WasmModule.h:
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::work):
+
+2019-12-05 Tadeu Zagallo
+
+ REGRESSION(r253140): Wasm::FunctionParser needs to bounds check in SetLocal/TeeLocal
+ https://bugs.webkit.org/show_bug.cgi?id=204909
+
+ Reviewed by Keith Miller.
+
+ When moving the code from WasmValidate.cpp to WasmFunctionParser.h, I missed that SetLocal and
+ TeeLocal used to call Wasm::Validate::getLocal, which would perform the bounds check. I just
+ added back the checks to the parser before accessing the local's type from m_locals.
+
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::parseExpression):
+
+2019-12-05 Tadeu Zagallo
+
+ [WebAssembly] Fix bad assertion in LLIntPlan
+ https://bugs.webkit.org/show_bug.cgi?id=204893
+
+ Reviewed by Mark Lam.
+
+ Before landing r253140 I introduced an assertion in Wasm::LLIntPlan that the pointer to previously
+ compiled callees must be non-null. However, it's perfectly valid for the pointer to be null when the
+ module has no functions.
+
+ * wasm/WasmLLIntPlan.cpp:
+ (JSC::Wasm::LLIntPlan::LLIntPlan):
+
+2019-12-05 Mark Lam
+
+ computeIfUsingFuzzerAgent() is called before parsing command line arguments.
+ https://bugs.webkit.org/show_bug.cgi?id=204886
+
+ Reviewed by Saam Barati.
+
+ Rolling out r253015 which introduced computeIfUsingFuzzerAgent().
+
+ * runtime/Options.cpp:
+ (JSC::Options::initialize):
+ (JSC::computeIfUsingFuzzerAgent): Deleted.
+ * runtime/Options.h:
+ (JSC::Options::isUsingFuzzerAgent): Deleted.
+ * runtime/OptionsList.h:
+ (JSC::OptionRange::operator bool const): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+
+2019-12-05 Simon Fraser
+
+ Fix inspector/css test assertions after r253158
+ https://bugs.webkit.org/show_bug.cgi?id=204924
+
+ Reviewed by Devin Rousso.
+
+ Teach the inspector protocol about the ::highlight pseudoelement.
+
+ * inspector/protocol/CSS.json:
+
+2019-12-04 Yusuke Suzuki
+
+ [JSC] AI should convert IsCellWithType to constant when Structure set is finite
+ https://bugs.webkit.org/show_bug.cgi?id=204141
+
+ Reviewed by Mark Lam.
+
+ We should fold IsCellWithType if Structure set is finite since we have a chance to know what JSType is.
+ The difference from the last patch is that we have `if (!(child.m_type & ~SpecCell))` check. Even if
+ structures meet the requirement, this structures do not guarantee that non cell types never come. We
+ should ensure it by using proven type.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+
+2019-12-04 Yusuke Suzuki
+
+ [JSC] Put TypedArrays in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=204867
+
+ Reviewed by Mark Lam.
+
+ This patch puts TypedArrays in IsoSubspace.
+ + - JSArrayBuffer + - JSDataView + - JSInt8Array + - JSInt16Array + - JSInt32Array + - JSUint8Array + - JSUint8ClampedArray + - JSUint16Array + - JSUint32Array + - JSFloat32Array + - JSFloat64Array + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + * runtime/JSArrayBuffer.h: + * runtime/JSArrayBufferView.h: + (JSC::JSArrayBufferView::subspaceFor): + * runtime/JSDataView.h: + * runtime/JSGenericTypedArrayView.h: + * runtime/JSTypedArrays.h: + * runtime/TypedArrayAdaptors.h: + * runtime/VM.cpp: + * runtime/VM.h: + +2019-12-04 Tadeu Zagallo + + [WebAssembly] Validate and generate bytecode in one pass + https://bugs.webkit.org/show_bug.cgi?id=204474 + + Reviewed by Saam Barati. + + Currently, we traverse the WebAssembly code twice: + - a first serial pass that validates all functions + - a second concurrent pass that compiles all functions. + In this patch, we move the validation into the parser and update the LLIntPlan so that we no longer have + the first pass. Instead, we now validate concurrently at the same time we generate bytecode. + + As a result, when we call WebAssembly.validate, we'll still generate bytecode for the module, but it will + be thrown away. If the module is constructed with new WebAssembly.Module, we'll also eagerly generate + bytecode, but in this case the bytecode is kept and shared across all instantiations of this module. + + This is a 1.5x speedup when compiling the ZenGarden demo. 
+ + * DerivedSources.make: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::ControlData::ControlData): + (JSC::Wasm::AirIRGenerator::ControlData::isIf): + (JSC::Wasm::AirIRGenerator::ControlData::isTopLevel): + (JSC::Wasm::AirIRGenerator::ControlData::branchTargetArity const): + (JSC::Wasm::AirIRGenerator::ControlData::branchTargetType const): + (JSC::Wasm::AirIRGenerator::emptyExpression): + (JSC::Wasm::AirIRGenerator::emitCallPatchpoint): + (JSC::Wasm::AirIRGenerator::tmpsForSignature): + (JSC::Wasm::AirIRGenerator::emitPatchpoint): + (JSC::Wasm::AirIRGenerator::AirIRGenerator): + (JSC::Wasm::AirIRGenerator::addRefIsNull): + (JSC::Wasm::AirIRGenerator::addTableGet): + (JSC::Wasm::AirIRGenerator::addTableSet): + (JSC::Wasm::AirIRGenerator::addTableGrow): + (JSC::Wasm::AirIRGenerator::addTableFill): + (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): + (JSC::Wasm::AirIRGenerator::addLoop): + (JSC::Wasm::AirIRGenerator::addBlock): + (JSC::Wasm::AirIRGenerator::addIf): + (JSC::Wasm::AirIRGenerator::addReturn): + (JSC::Wasm::AirIRGenerator::addEndToUnreachable): + (JSC::Wasm::AirIRGenerator::addCall): + (JSC::Wasm::AirIRGenerator::addCallIndirect): + (JSC::Wasm::AirIRGenerator::unify): + (JSC::Wasm::dumpExpressionStack): + (JSC::Wasm::AirIRGenerator::dump): + (JSC::Wasm::parseAndCompileAir): + (JSC::Wasm::AirIRGenerator::addOp): + (JSC::Wasm::AirIRGenerator::addOp): + * wasm/WasmAirIRGenerator.h: + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::ControlData::ControlData): + (JSC::Wasm::B3IRGenerator::ControlData::isIf): + (JSC::Wasm::B3IRGenerator::ControlData::isTopLevel): + (JSC::Wasm::B3IRGenerator::ControlData::signature const): + (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidresult const): + (JSC::Wasm::B3IRGenerator::ControlData::branchTargetArity const): + (JSC::Wasm::B3IRGenerator::ControlData::branchTargetType const): + (JSC::Wasm::B3IRGenerator::emptyExpression): + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + 
(JSC::Wasm::B3IRGenerator::addRefIsNull): + (JSC::Wasm::B3IRGenerator::addTableGet): + (JSC::Wasm::B3IRGenerator::addTableSet): + (JSC::Wasm::B3IRGenerator::addTableGrow): + (JSC::Wasm::B3IRGenerator::addTableFill): + (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck): + (JSC::Wasm::B3IRGenerator::addLoop): + (JSC::Wasm::B3IRGenerator::addBlock): + (JSC::Wasm::B3IRGenerator::addIf): + (JSC::Wasm::B3IRGenerator::addReturn): + (JSC::Wasm::B3IRGenerator::endBlock): + (JSC::Wasm::B3IRGenerator::addEndToUnreachable): + (JSC::Wasm::dumpExpressionStack): + (JSC::Wasm::B3IRGenerator::dump): + (JSC::Wasm::parseAndCompile): + * wasm/WasmB3IRGenerator.h: + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::BBQPlan): + (JSC::Wasm::BBQPlan::work): + (JSC::Wasm::BBQPlan::compileFunction): + (JSC::Wasm::BBQPlan::initializeCallees): + (JSC::Wasm::BBQPlan::didReceiveFunctionData): + * wasm/WasmBBQPlan.h: + * wasm/WasmCodeBlock.cpp: + (JSC::Wasm::CodeBlock::create): + (JSC::Wasm::CodeBlock::CodeBlock): + * wasm/WasmCodeBlock.h: + (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): + * wasm/WasmEntryPlan.cpp: + (JSC::Wasm::EntryPlan::EntryPlan): + (JSC::Wasm::EntryPlan::parseAndValidateModule): + (JSC::Wasm::EntryPlan::prepare): + (JSC::Wasm::EntryPlan::compileFunctions): + (JSC::Wasm::EntryPlan::complete): + * wasm/WasmEntryPlan.h: + * wasm/WasmFunctionParser.h: + (JSC::Wasm::splitStack): + (JSC::Wasm::FunctionParser::TypedExpression::TypedExpression): + (JSC::Wasm::FunctionParser::TypedExpression::type const): + (JSC::Wasm::FunctionParser::TypedExpression::value const): + (JSC::Wasm::FunctionParser::TypedExpression::operator ExpressionType const): + (JSC::Wasm::FunctionParser::TypedExpression::operator-> const): + (JSC::Wasm::FunctionParser::controlStack): + (JSC::Wasm::FunctionParser::validationFail const): + (JSC::Wasm::FunctionParser::parse): + (JSC::Wasm::FunctionParser::binaryCase): + (JSC::Wasm::FunctionParser::unaryCase): + (JSC::Wasm::FunctionParser::load): + 
(JSC::Wasm::FunctionParser::store): + (JSC::Wasm::FunctionParser::checkBranchTarget): + (JSC::Wasm::FunctionParser::unify): + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::ControlType::topLevel): + (JSC::Wasm::LLIntGenerator::ControlType::loop): + (JSC::Wasm::LLIntGenerator::ControlType::isIf): + (JSC::Wasm::LLIntGenerator::ControlType::isTopLevel): + (JSC::Wasm::LLIntGenerator::ControlType::stackSize const): + (JSC::Wasm::LLIntGenerator::ControlType::signature const): + (JSC::Wasm::LLIntGenerator::ControlType::branchTargetArity const): + (JSC::Wasm::LLIntGenerator::ControlType::branchTargetType const): + (JSC::Wasm::LLIntGenerator::emptyExpression): + (JSC::Wasm::LLIntGenerator::dump): + (JSC::Wasm::LLIntGenerator::getDropKeepCount): + (JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals): + (JSC::Wasm::LLIntGenerator::splitStack): + (JSC::Wasm::parseAndCompileBytecode): + (JSC::Wasm::LLIntGenerator::LLIntGenerator): + (JSC::Wasm::LLIntGenerator::callInformationForCaller): + (JSC::Wasm::LLIntGenerator::addLocal): + (JSC::Wasm::LLIntGenerator::setLocal): + (JSC::Wasm::LLIntGenerator::addLoop): + (JSC::Wasm::LLIntGenerator::addBlock): + (JSC::Wasm::LLIntGenerator::addIf): + (JSC::Wasm::LLIntGenerator::addEndToUnreachable): + (JSC::Wasm::LLIntGenerator::addCall): + (JSC::Wasm::LLIntGenerator::addCallIndirect): + * wasm/WasmLLIntGenerator.h: + * wasm/WasmLLIntPlan.cpp: + (JSC::Wasm::LLIntPlan::LLIntPlan): + (JSC::Wasm::LLIntPlan::compileFunction): + (JSC::Wasm::LLIntPlan::didCompleteCompilation): + (JSC::Wasm::LLIntPlan::work): + (JSC::Wasm::LLIntPlan::didReceiveFunctionData): + * wasm/WasmLLIntPlan.h: + * wasm/WasmModule.cpp: + (JSC::Wasm::Module::Module): + (JSC::Wasm::makeValidationResult): + (JSC::Wasm::makeValidationCallback): + (JSC::Wasm::Module::validateSync): + (JSC::Wasm::Module::validateAsync): + 
(JSC::Wasm::Module::getOrCreateCodeBlock): + (JSC::Wasm::Module::compileSync): + (JSC::Wasm::Module::compileAsync): + * wasm/WasmModule.h: + (JSC::Wasm::Module::create): + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::Plan): + * wasm/WasmPlan.h: + (JSC::Wasm::Plan::dontFinalize): + * wasm/WasmSlowPaths.cpp: + (JSC::LLInt::slow_path_wasm_throw_exception): + * wasm/WasmThunks.cpp: + (JSC::Wasm::throwExceptionFromWasmThunkGenerator): + * wasm/WasmThunks.h: + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::ControlData::isIf): + (JSC::Wasm::Validate::ControlData::isTopLevel): + (JSC::Wasm::Validate::ControlData::blockType const): + (JSC::Wasm::Validate::ControlData::signature const): + (JSC::Wasm::Validate::ControlData::branchTargetArity const): + (JSC::Wasm::Validate::ControlData::branchTargetType const): + (JSC::Wasm::Validate::emptyExpression): + (JSC::Wasm::Validate::addConstant): + (JSC::Wasm::Validate::Validate): + (JSC::Wasm::Validate::addArguments): + (JSC::Wasm::Validate::addTableGet): + (JSC::Wasm::Validate::addTableSet): + (JSC::Wasm::Validate::addTableSize): + (JSC::Wasm::Validate::addTableGrow): + (JSC::Wasm::Validate::addTableFill): + (JSC::Wasm::Validate::addRefIsNull): + (JSC::Wasm::Validate::addRefFunc): + (JSC::Wasm::Validate::addLocal): + (JSC::Wasm::Validate::getLocal): + (JSC::Wasm::Validate::setLocal): + (JSC::Wasm::Validate::getGlobal): + (JSC::Wasm::Validate::setGlobal): + (JSC::Wasm::Validate::addBlock): + (JSC::Wasm::Validate::addLoop): + (JSC::Wasm::Validate::addSelect): + (JSC::Wasm::Validate::addIf): + (JSC::Wasm::Validate::addElse): + (JSC::Wasm::Validate::addElseToUnreachable): + (JSC::Wasm::Validate::addReturn): + (JSC::Wasm::Validate::addBranch): + (JSC::Wasm::Validate::addSwitch): + (JSC::Wasm::Validate::addGrowMemory): + (JSC::Wasm::Validate::addCurrentMemory): + (JSC::Wasm::Validate::endBlock): + (JSC::Wasm::Validate::addEndToUnreachable): + (JSC::Wasm::Validate::addCall): + 
(JSC::Wasm::Validate::addCallIndirect): + (JSC::Wasm::Validate::load): + (JSC::Wasm::Validate::store): + (JSC::Wasm::Validate::addOp): + (JSC::Wasm::dumpExpressionStack): + (JSC::Wasm::Validate::dump): + (JSC::Wasm::validateFunction): + * wasm/WasmWorklist.cpp: + (JSC::Wasm::Worklist::enqueue): + * wasm/generateWasmOpsHeader.py: + (cppType): + (cppMacro): + (opcodeMacroizer): + (opcodeWithTypesMacroizer): + (opcodeWithTypesMacroizer.modifier): + (memoryLoadMacroizer): + (memoryLoadMacroizer.modifier): + (memoryStoreMacroizer): + (memoryStoreMacroizer.modifier): + * wasm/generateWasmValidateInlinesHeader.py: Removed. + * wasm/js/JSWebAssembly.cpp: + (JSC::instantiate): + (JSC::webAssemblyValidateFunc): + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + +2019-12-04 Mark Lam + + Fix missing exception check in ArrayPrototype's fastJoin(). + https://bugs.webkit.org/show_bug.cgi?id=204868 + + + Reviewed by Saam Barati. + + * runtime/ArrayPrototype.cpp: + (JSC::fastJoin): + +2019-12-04 Mark Lam + + Fix a broken assertion in GetByStatus::computeForStubInfoWithoutExitSiteFeedback(). + https://bugs.webkit.org/show_bug.cgi?id=204866 + + Reviewed by Saam Barati. + + The assertion wrong assumes that access.offset() cannot be invalid unless the + access.type() is a Miss. However, if the AccessCase is a Custom value or accessor, + the offset is always invalid. This patch fixes this assertion. 
+ + * bytecode/AccessCase.h: + (JSC::AccessCase::isCustom const): + * bytecode/GetByStatus.cpp: + (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): + +2019-12-04 Yusuke Suzuki + + Unreviewed, rolling out r252416, vimeo does not work + https://bugs.webkit.org/show_bug.cgi?id=204141 + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2019-12-04 Yusuke Suzuki + + [JSC] JSWebAssemblyGlobal creation should have exception check + https://bugs.webkit.org/show_bug.cgi?id=204857 + + + Reviewed by Mark Lam. + + Each WebAssembly cells have a path throwing an exception if WebAssembly is disabled. We lack exception checking after calling JSWebAssemblyGlobal::create + in WebAssemblyModuleRecord linking phase. While exception is never thrown in this place since this happens only when WebAssembly is enabled, we should put + `scope.assertNoException()` to satisfy exception verifier requirement. We also rename factory function of Wasm cells from "create" to "tryCreate" since it + can fail potentially. + + * wasm/js/JSWebAssembly.cpp: + (JSC::instantiate): + * wasm/js/JSWebAssemblyGlobal.cpp: + (JSC::JSWebAssemblyGlobal::tryCreate): + (JSC::JSWebAssemblyGlobal::create): Deleted. + * wasm/js/JSWebAssemblyGlobal.h: + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::tryCreate): + (JSC::JSWebAssemblyInstance::create): Deleted. + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/JSWebAssemblyMemory.cpp: + (JSC::JSWebAssemblyMemory::tryCreate): + (JSC::JSWebAssemblyMemory::create): Deleted. + * wasm/js/JSWebAssemblyMemory.h: + * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::tryCreate): + (JSC::JSWebAssemblyTable::create): Deleted. 
+ * wasm/js/JSWebAssemblyTable.h: + * wasm/js/WebAssemblyGlobalConstructor.cpp: + (JSC::constructJSWebAssemblyGlobal): + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + * wasm/js/WebAssemblyMemoryConstructor.cpp: + (JSC::constructJSWebAssemblyMemory): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyTableConstructor.cpp: + (JSC::constructJSWebAssemblyTable): + +2019-12-04 Yusuke Suzuki + + [JSC] Put more cells into IsoSubspace + https://bugs.webkit.org/show_bug.cgi?id=204845 + + Reviewed by Saam Barati. + + This patch puts following cells in IsoSubspace. + + - ClonedArguments + - JSMap + - JSSet + - RegExpObject + + * runtime/ClonedArguments.h: + * runtime/JSMap.h: + * runtime/JSSet.h: + * runtime/RegExpObject.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * runtime/WeakMapImpl.h: + (JSC::WeakMapImpl::subspaceFor): + +2019-12-04 Yusuke Suzuki + + [JSC] Remove m_sharingMode field from JSArrayBufferPrototype and make it plain object + https://bugs.webkit.org/show_bug.cgi?id=204832 + + Reviewed by Saam Barati. + + m_sharingMode field is not necessary. Just remove it and make JSArrayBufferPrototype a plain object. + + * runtime/JSArrayBufferPrototype.cpp: + (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype): + (JSC::JSArrayBufferPrototype::finishCreation): + (JSC::JSArrayBufferPrototype::create): + * runtime/JSArrayBufferPrototype.h: + +2019-12-04 Yusuke Suzuki + + [JSC] Place Wasm cells in IsoSubspace + https://bugs.webkit.org/show_bug.cgi?id=204829 + + Reviewed by Saam Barati. + + This patch places Wasm cells in IsoSubspace. We remove JSDestructibleObject inheritance in wasm cells since we + can call destructor through HeapCellType's specialization. We do not need to rely on m_classInfo->methodTable->destroy. + This patch does not include JSToWasmICCallee since now I'm exploring the way to remove it completely. 
+ + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/JSWebAssemblyMemory.cpp: + (JSC::JSWebAssemblyMemory::destroy): + * wasm/js/JSWebAssemblyMemory.h: + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/JSWebAssemblyTable.h: + * wasm/js/WebAssemblyGlobalConstructor.h: + +2019-12-04 Tim Horton + + Introduce a GPU process + https://bugs.webkit.org/show_bug.cgi?id=204343 + + Reviewed by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: + Add ENABLE(GPU_PROCESS). + +2019-12-04 Yury Semikhatsky + + Web Inspector: allow inspector to pause provisional page load and restore its state + https://bugs.webkit.org/show_bug.cgi?id=204170 + + Reviewed by Devin Rousso. + + Added an option to Target domain to pause all new targets on start waiting for + explicit 'resume' command from the inspector front-end. This allows to configure + inspector backend (including user agent overrides, breakpoints and instrumentation) + before navigation starts. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * inspector/InspectorTarget.cpp: Added. + (Inspector::InspectorTarget::pause): + (Inspector::InspectorTarget::resume): + (Inspector::InspectorTarget::setResumeCallback): + * inspector/InspectorTarget.h: + * inspector/agents/InspectorTargetAgent.cpp: + (Inspector::InspectorTargetAgent::willDestroyFrontendAndBackend): + (Inspector::InspectorTargetAgent::setPauseOnStart): + (Inspector::InspectorTargetAgent::resume): + (Inspector::buildTargetInfoObject): + (Inspector::InspectorTargetAgent::targetCreated): + (Inspector::InspectorTargetAgent::targetDestroyed): + * inspector/agents/InspectorTargetAgent.h: + * inspector/protocol/Target.json: + +2019-12-03 Saam Barati + + Remove "patch" struct from StructureStubInfo because it adds unnecessary padding + https://bugs.webkit.org/show_bug.cgi?id=204392 + + Reviewed by Tadeu Zagallo. + + By doing this, we reduce the size of StructureStubInfo from 120 bytes to 112 + bytes. 
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateWithGuard): + (JSC::AccessCase::generateImpl): + * bytecode/GetterSetterAccessCase.cpp: + (JSC::GetterSetterAccessCase::emitDOMJITGetter): + * bytecode/InlineAccess.cpp: + (JSC::linkCodeInline): + (JSC::InlineAccess::generateSelfPropertyAccess): + (JSC::getScratchRegister): + (JSC::InlineAccess::generateSelfPropertyReplace): + (JSC::InlineAccess::generateArrayLength): + (JSC::InlineAccess::generateStringLength): + (JSC::InlineAccess::generateSelfInAccess): + (JSC::InlineAccess::rewireStubAsJump): + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::regenerate): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::inlineSize const): + (JSC::StructureStubInfo::patchableJump): + (JSC::StructureStubInfo::valueRegs const): + (JSC::StructureStubInfo::propertyRegs const): + (JSC::StructureStubInfo::baseRegs const): + (JSC::StructureStubInfo::baseGPR const): Deleted. + (JSC::StructureStubInfo::slowPathCallLocation): Deleted. + (JSC::StructureStubInfo::doneLocation): Deleted. + (JSC::StructureStubInfo::slowPathStartLocation): Deleted. 
+ * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::callerReturnPC): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator): + (JSC::JITInlineCacheGenerator::finalize): + (JSC::JITByIdGenerator::JITByIdGenerator): + (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator): + (JSC::JITGetByValGenerator::JITGetByValGenerator): + * jit/Repatch.cpp: + (JSC::tryCacheGetBy): + (JSC::repatchGetBy): + (JSC::repatchArrayGetByVal): + (JSC::tryCachePutByID): + (JSC::repatchPutByID): + (JSC::tryCacheInByID): + (JSC::repatchInByID): + (JSC::repatchInstanceOf): + (JSC::resetGetBy): + (JSC::resetPutByID): + (JSC::resetPatchableJump): + (JSC::resetInByID): + +2019-12-03 Yusuke Suzuki + + Unreviewed, fix build failure + https://bugs.webkit.org/show_bug.cgi?id=186552 + + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::getGlobal): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::setGlobal): + +2019-12-03 Yusuke Suzuki + + [JSC] Remove WebAssemblyToJSCallee + https://bugs.webkit.org/show_bug.cgi?id=204808 + + Reviewed by Tadeu Zagallo. + + This patch drops WebAssemblyToJSCallee. It was originally required to put small cell to retrieve VM from callee. + But now this limitation is removed. We can just put JSWebAssemblyModule in callee place instead. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * interpreter/CallFrame.cpp: + (JSC::CallFrame::isAnyWasmCallee): + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding): + * jit/Repatch.cpp: + (JSC::webAssemblyOwner): + (JSC::linkFor): + (JSC::linkPolymorphicCall): + * runtime/JSCast.h: + * runtime/JSCell.cpp: + * runtime/JSCellInlines.h: + (JSC::isWebAssemblyModule): + (JSC::isWebAssemblyToJSCallee): Deleted. 
+ * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::webAssemblyWrapperFunctionStructure const): + (JSC::JSGlobalObject::webAssemblyToJSCalleeStructure const): Deleted. + * runtime/JSType.cpp: + (WTF::printInternal): + * runtime/JSType.h: + * wasm/WasmOperations.cpp: + (JSC::Wasm::operationWasmToJSException): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finishCreation): + (JSC::JSWebAssemblyInstance::visitChildren): + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/JSWebAssemblyModule.cpp: + (JSC::JSWebAssemblyModule::createStructure): + (JSC::JSWebAssemblyModule::finishCreation): + (JSC::JSWebAssemblyModule::visitChildren): + (JSC::JSWebAssemblyModule::callee const): Deleted. + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + * wasm/js/WebAssemblyToJSCallee.cpp: Removed. + * wasm/js/WebAssemblyToJSCallee.h: Removed. + +2019-12-03 Yusuke Suzuki + + Adopt the new WebAssembly.Global system + https://bugs.webkit.org/show_bug.cgi?id=186552 + + Reviewed by Keith Miller. + + This patch adds WebAssembly.Global implementation. It is already included in the Wasm spec (this means, it is not in + staging right now: it was stage-4, and included in the spec). WebAssembly.Global is a wrapper object around + "global" binding. This object can hold "immutable" and "mutable" global binding, and we can access Wasm globals through + this object. Furthermore, we can share mutable global binding through this object across WebAssembly modules. + + To implement it efficiently, this patch introduces BindingMode to Wasm globals. If the mode is EmbeddedInInstance, + we continue using the current existing mechanism. If the mode is Portable, we store a pointer to actual value in + Wasm globals array in Wasm::Instance, so that we can access it through one additional dereference. 
+ And we mark all immutable globals as EmbeddedInInstance. If the binding is immutable, internally we do not need to + have one binding. We can just continue using the current mechanism since users cannot observe whether immutable bindings' + storage is shared or not. If the global is mutable, and it is exported outside of the module, we use Portable mode. + So, all the previously used wasm global bindings are EmbeddedInInstance. Only newly added "mutable" "exported" bindings + are Portable and requires one additional dereference. + + To access portable bindings efficiently, we add new Wasm bytecodes, `get_global_portable_binding`, `set_global_portable_binding`, + and `set_global_ref_portable_binding`. + + This patch improves WPT wasm coverage significantly. + + * CMakeLists.txt: + * DerivedSources-input.xcfilelist: + * DerivedSources-output.xcfilelist: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/BytecodeList.rb: + * heap/HeapCell.cpp: + (JSC::keepAlive): + (JSC::HeapCell::use const): Deleted. + * heap/HeapCell.h: + (JSC::keepAlive): + (JSC::HeapCell::use const): + * llint/WebAssembly.asm: + * runtime/JSGlobalObject.cpp: + * runtime/JSGlobalObject.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::getGlobal): + (JSC::Wasm::AirIRGenerator::setGlobal): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::getGlobal): + (JSC::Wasm::B3IRGenerator::setGlobal): + * wasm/WasmFormat.h: + * wasm/WasmGlobal.cpp: Added. + (JSC::Wasm::Global::get const): + (JSC::Wasm::Global::set): + (JSC::Wasm::Global::visitAggregate): + * wasm/WasmGlobal.h: Added. 
+ * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + (JSC::Wasm::Instance::setGlobal): + (JSC::Wasm::Instance::linkGlobal): + * wasm/WasmInstance.h: + (JSC::Wasm::Instance::loadI32Global const): + (JSC::Wasm::Instance::loadI64Global const): + (JSC::Wasm::Instance::setGlobal): + (JSC::Wasm::Instance::globalsToBinding): + (JSC::Wasm::Instance::getGlobalBinding): + * wasm/WasmLLIntGenerator.cpp: + (JSC::Wasm::LLIntGenerator::getGlobal): + (JSC::Wasm::LLIntGenerator::setGlobal): + * wasm/WasmModuleInformation.h: + * wasm/WasmOperations.cpp: + (JSC::Wasm::operationWasmWriteBarrierSlowPath): + * wasm/WasmOperations.h: + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseImport): + (JSC::Wasm::SectionParser::parseGlobal): + (JSC::Wasm::SectionParser::parseExport): + (JSC::Wasm::SectionParser::parseInitExpr): + (JSC::Wasm::SectionParser::parseGlobalType): + * wasm/WasmSectionParser.h: + * wasm/WasmSlowPaths.cpp: + (JSC::LLInt::WASM_SLOW_PATH_DECL): + * wasm/WasmSlowPaths.h: + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::setGlobal): + * wasm/js/JSWebAssembly.cpp: + * wasm/js/JSWebAssemblyGlobal.cpp: Added. + (JSC::JSWebAssemblyGlobal::create): + (JSC::JSWebAssemblyGlobal::createStructure): + (JSC::JSWebAssemblyGlobal::JSWebAssemblyGlobal): + (JSC::JSWebAssemblyGlobal::finishCreation): + (JSC::JSWebAssemblyGlobal::destroy): + (JSC::JSWebAssemblyGlobal::visitChildren): + * wasm/js/JSWebAssemblyGlobal.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h. + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::visitChildren): + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/JSWebAssemblyMemory.cpp: + (JSC::JSWebAssemblyMemory::destroy): + * wasm/js/JSWebAssemblyMemory.h: + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/JSWebAssemblyTable.h: + * wasm/js/WebAssemblyGlobalConstructor.cpp: Added. 
+ (JSC::constructJSWebAssemblyGlobal): + (JSC::callJSWebAssemblyGlobal): + (JSC::WebAssemblyGlobalConstructor::create): + (JSC::WebAssemblyGlobalConstructor::createStructure): + (JSC::WebAssemblyGlobalConstructor::finishCreation): + (JSC::WebAssemblyGlobalConstructor::WebAssemblyGlobalConstructor): + * wasm/js/WebAssemblyGlobalConstructor.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h. + * wasm/js/WebAssemblyGlobalPrototype.cpp: Added. + (JSC::getGlobal): + (JSC::webAssemblyGlobalProtoFuncValueOf): + (JSC::webAssemblyGlobalProtoGetterFuncValue): + (JSC::webAssemblyGlobalProtoSetterFuncValue): + (JSC::WebAssemblyGlobalPrototype::create): + (JSC::WebAssemblyGlobalPrototype::createStructure): + (JSC::WebAssemblyGlobalPrototype::finishCreation): + (JSC::WebAssemblyGlobalPrototype::WebAssemblyGlobalPrototype): + * wasm/js/WebAssemblyGlobalPrototype.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h. + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + +2019-12-02 Saam Barati + + PropertySlot should not have Customs have a PropertyOffset of zero + https://bugs.webkit.org/show_bug.cgi?id=204566 + + + Reviewed by Keith Miller. + + We used to say that PropertyOffset of a cacheable custom was always zero. We + did this because we were using "invalidOffset" to indicate things aren't + cacheable. This patch refactors PropertySlot to not look at PropertyOffset + for cacheability, but instead just uses the cacheability bit. With that + change, we now say that customs always have the invalid PropertyOffset. This + fixes a bug where we used to watch for property changes at the offset inside + an AccessCase. We were doing this for the zero property offset for all + customs. This could trigger a crash inside startWatchingPropertyForReplacements + because the prototype Structure was a dictionary. 
We allow dictionaries to + be property holders of customs as long as the property is a custom and has + DontDelete property attribute, since DontDelete proves the custom will never + change. + + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/PropertySlot.h: + (JSC::PropertySlot::PropertySlot): + (JSC::PropertySlot::isCacheable const): + (JSC::PropertySlot::setValue): + (JSC::PropertySlot::setCustom): + (JSC::PropertySlot::setCacheableCustom): + (JSC::PropertySlot::setCustomGetterSetter): + (JSC::PropertySlot::setGetterSlot): + (JSC::PropertySlot::setCacheableGetterSlot): + (JSC::PropertySlot::setUndefined): + +2019-12-02 Yusuke Suzuki + + [JSC] Put some destructible objects to IsoSubspace + https://bugs.webkit.org/show_bug.cgi?id=204771 + + Reviewed by Mark Lam. + + This patch puts DateInstance, ErrorInstance, and Intl objects in IsoSubspace. + By using specific IsoHeapCellType, we can use JSNonFinalObject as base-classes of + them instead of using JSDestructibleObject. We also introduce STATIC_ASSERT_ISO_SUBSPACE_SHARABLE + to ensure that derived class of some IsoSubspace'ed one is intentional and safe. + + * runtime/ArrayConstructor.h: + * runtime/AsyncFunctionConstructor.h: + * runtime/AsyncGeneratorFunctionConstructor.h: + * runtime/BigIntConstructor.h: + * runtime/BooleanConstructor.h: + * runtime/DateConstructor.h: + * runtime/DateInstance.cpp: + (JSC::DateInstance::destroy): Deleted. + * runtime/DateInstance.h: + * runtime/ErrorConstructor.h: + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::destroy): Deleted. + * runtime/ErrorInstance.h: + (JSC::ErrorInstance::destroy): + (JSC::ErrorInstance::subspaceFor): + * runtime/FunctionConstructor.h: + * runtime/FunctionPrototype.h: + * runtime/GeneratorFunctionConstructor.h: + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::IntlCollator): + (JSC::IntlCollator::destroy): Deleted. 
+ * runtime/IntlCollator.h: + * runtime/IntlCollatorConstructor.h: + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::IntlDateTimeFormat): + (JSC::IntlDateTimeFormat::destroy): Deleted. + * runtime/IntlDateTimeFormat.h: + * runtime/IntlDateTimeFormatConstructor.h: + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::IntlNumberFormat): + (JSC::IntlNumberFormat::destroy): Deleted. + * runtime/IntlNumberFormat.h: + * runtime/IntlNumberFormatConstructor.h: + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::IntlPluralRules): + (JSC::IntlPluralRules::destroy): Deleted. + * runtime/IntlPluralRules.h: + * runtime/IntlPluralRulesConstructor.h: + * runtime/JSArrayBufferConstructor.h: + * runtime/JSCell.h: + * runtime/JSObject.h: + * runtime/JSTypedArrayConstructors.h: + * runtime/JSTypedArrayViewConstructor.h: + * runtime/MapConstructor.h: + * runtime/NativeErrorConstructor.h: + * runtime/NullGetterFunction.h: + * runtime/NullSetterFunction.h: + * runtime/NumberConstructor.h: + * runtime/ObjectConstructor.h: + * runtime/ProxyConstructor.h: + * runtime/RegExpConstructor.h: + * runtime/SetConstructor.h: + * runtime/StringConstructor.h: + * runtime/SymbolConstructor.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * runtime/WeakMapConstructor.h: + * runtime/WeakObjectRefConstructor.h: + * runtime/WeakSetConstructor.h: + * tools/JSDollarVM.cpp: + * wasm/js/JSWebAssemblyCompileError.h: + * wasm/js/JSWebAssemblyLinkError.h: + * wasm/js/JSWebAssemblyRuntimeError.h: + * wasm/js/WebAssemblyCompileErrorConstructor.h: + * wasm/js/WebAssemblyInstanceConstructor.h: + * wasm/js/WebAssemblyLinkErrorConstructor.h: + * wasm/js/WebAssemblyMemoryConstructor.h: + * wasm/js/WebAssemblyModuleConstructor.h: + * wasm/js/WebAssemblyRuntimeErrorConstructor.h: + * wasm/js/WebAssemblyTableConstructor.h: + +2019-12-02 Mark Lam + + Only check each use...FuzzerAgent() option in VM constructor if any of the options are enabled. 
+ https://bugs.webkit.org/show_bug.cgi?id=204763
+
+ Reviewed by Keith Miller.
+
+ We know that we'll never use fuzzer agents in deployment. Hence, we shouldn't
+ spend time checking for them in the normal use case. This probably doesn't matter
+ much for Web processes, but for clients of JSC that repeatedly spawn and kill VMs,
+ it might matter more. We might want to eventually widen this idiom to include
+ other debugging / development options, but for now, I'm only covering the fuzzer
+ agent options.
+
+ * runtime/Options.cpp:
+ (JSC::computeIfUsingFuzzerAgent):
+ (JSC::Options::initialize):
+ * runtime/Options.h:
+ (JSC::Options::isUsingFuzzerAgent):
+ * runtime/OptionsList.h:
+ (JSC::OptionRange::operator bool const):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+
+2019-12-02 Tadeu Zagallo
+
+ [JSC] Remove BytecodeCacheVersion.h
+ https://bugs.webkit.org/show_bug.cgi?id=204760
+
+ Reviewed by Mark Lam.
+
+ Having that as a phony make target causes a lot of unnecessary rebuilds. That was a workaround
+ the fact that we only need a new cache version when we rebuild CachedTypes.cpp, but there was
+ no straightforward way to get the current timestamp as an integer at that point. Instead, we now
+ just use a constexpr function that hashes __TIMESTAMP__.
+
+ * CMakeLists.txt:
+ * DerivedSources-output.xcfilelist:
+ * DerivedSources.make:
+ * runtime/CachedTypes.cpp:
+ (JSC::jscBytecodeCacheVersion):
+ (JSC::GenericCacheEntry::isUpToDate const):
+
+2019-12-02 Mark Lam
+
+ mozilla-tests.yaml/js1_5/Array/regress-101964.js is frequently failing on JSC EWS bots.
+ https://bugs.webkit.org/show_bug.cgi?id=200789
+
+
+ Reviewed by Keith Miller.
+
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCurrentCPUTime):
+ (JSC::JSDollarVM::finishCreation):
+
+2019-12-02 Yusuke Suzuki
+
+ [JSC] Put JSGenerator, JSAsyncGenerator, and JSPromise in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=204764
+
+ Reviewed by Mark Lam.
+
+ Put more things in IsoSubspace. They are defined by using JSInternalObjectImpl mechanism.
+
+ - JSGenerator
+ - JSAsyncGenerator
+ - JSPromise
+
+ * runtime/JSAsyncGenerator.h:
+ * runtime/JSGenerator.h:
+ * runtime/JSPromise.h:
+ (JSC::JSPromise::subspaceFor):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-12-01 Tuomas Karkkainen
+
+ Add FuzzerAgent that reads predictions from a file
+ https://bugs.webkit.org/show_bug.cgi?id=203898
+
+ Reviewed by Mark Lam.
+
+ This patch adds a FuzzerAgent that reads predictions from a file. The predictions in the file are
+ correlated with the prediction sites using the name of the JavaScript source file, the opcode, and
+ start and end offsets in the source. There is also a separate FuzzerAgent that can be used to create
+ the prediction files.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * runtime/FileBasedFuzzerAgent.cpp: Added.
+ * runtime/FileBasedFuzzerAgent.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+ * runtime/FileBasedFuzzerAgentBase.cpp: Added.
+ * runtime/FileBasedFuzzerAgentBase.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+ * runtime/FuzzerPredictions.cpp: Added.
+ * runtime/FuzzerPredictions.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+ * runtime/Options.cpp:
+ * runtime/OptionsList.h:
+ * runtime/PredictionFileCreatingFuzzerAgent.cpp: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+ * runtime/PredictionFileCreatingFuzzerAgent.h: Copied from Source/JavaScriptCore/runtime/RandomizingFuzzerAgent.cpp.
+ * runtime/RandomizingFuzzerAgent.cpp:
+ * runtime/VM.cpp:
+
+2019-12-01 Caio Lima
+
+ [JSC][MIPS] CallFrame is being clobbered on InternalFunction execution
+ https://bugs.webkit.org/show_bug.cgi?id=203739
+
+ Reviewed by Saam Barati.
+
+ MIPS calling conventions requires that we have stack space reserved
+ for 4 (16-bytes) arguments ($a0-$a3). The caller doesn't use
+ this space, but callee can still use it in case where they need to save
+ arguments or even reuse to another allocation. Since we were not
+ allocationg it during `makeHostFunctionCall`, the caller frame slot
+ was being clobberred by `callGenericTypedArrayView` execution,
+ resulting in a corrupted call frame stack. This patch is adjusting
+ this convention into ThunkGenerator and on `makeHostFunctionCall`.
+
+ * jit/ThunkGenerators.cpp:
+ (JSC::nativeForGenerator):
+ * llint/LowLevelInterpreter32_64.asm:
+
+2019-12-01 Caio Lima
+
+ Implement GetByVal inline caching for 32-bit JITs
+ https://bugs.webkit.org/show_bug.cgi?id=204082
+
+ Reviewed by Saam Barati.
+
+ We are adding 32-bit support for GetByVal cases added on r252684.
+ This requires changes on some of the IC code generated to properly
+ support JSVALUE32_64. The major difference from JSVALUE64 is the
+ usage of tagGPR to inspect value types and store results.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ (JSC::AccessCase::generateImpl):
+ * bytecode/GetterSetterAccessCase.cpp:
+ (JSC::GetterSetterAccessCase::emitDOMJITGetter):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::regenerate):
+ * bytecode/StructureStubInfo.h:
+
+ Since a generator can't have `thisGPR` and `propertyGPR` at se same time,
+ we created a new `union` to share `thisTagGPR` and `propertyTagGPR`,
+ matching the approach we have for `JITInlineCacheGenerator::patch.u`.
+
+ (JSC::StructureStubInfo::propertyRegs const):
+ (JSC::StructureStubInfo::baseRegs const):
+
+ To simplify scratch register allocation, we added `baseRegs()` and
+ `propertyRegs()` to `StructureStubInfo`, so we can easily retrive
+ payload and tag GPRs for those operands, keeping them locked.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITInlineCacheGenerator.cpp:
+ (JSC::JITByIdGenerator::JITByIdGenerator):
+ (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
+ (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
+ (JSC::JITGetByValGenerator::JITGetByValGenerator):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitSlow_op_get_by_val):
+
+2019-11-29 Eike Rathke
+
+ Use default implementation for JSVALUE64 with GCC on unknown platform.
+ https://bugs.webkit.org/show_bug.cgi?id=204701
+
+ Building on ppc64le and s390x failed with
+ #error "Unknown architecture."
+ Use the default implementation as fallback in these cases.
+
+ Reviewed by Saam Barati.
+
+ * heap/GCMemoryOperations.h:
+ (JSC::gcSafeMemcpy):
+ (JSC::gcSafeMemmove):
+ (JSC::gcSafeZeroMemory):
+
+2019-11-28 Fujii Hironori
+
+ Remove ENABLE_KEYBOARD_CODE_ATTRIBUTE and ENABLE_KEYBOARD_KEY_ATTRIBUTE macros
+ https://bugs.webkit.org/show_bug.cgi?id=204666
+
+ Reviewed by Ross Kirsling and Don Olmstead.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2019-11-26 Tuomas Karkkainen
+
+ Attempting to enable more than one FuzzerAgent should result in an error
+ https://bugs.webkit.org/show_bug.cgi?id=204607
+
+ Reviewed by Antti Koivisto.
+
+ * runtime/VM.cpp:
+ * runtime/VM.h:
+
+2019-11-26 Carlos Garcia Campos
+
+ [GLIB] The API lock should be held before calling JSC::createTypeError
+ https://bugs.webkit.org/show_bug.cgi?id=204573
+
+ Reviewed by Mark Lam.
+
+ We are missing it in several places. This is causing a crash in test /jsc/object after r252298.
+
+ * API/glib/JSCContext.cpp:
+ (jscContextGArrayToJSArray):
+ (jscContextJSArrayToGArray):
+ (jscContextGValueToJSValue):
+ (jscContextJSValueToGValue):
+ * API/glib/JSCValue.cpp:
+ (jsc_value_new_array):
+ (jscValueCallFunction):
+
+2019-11-25 Yusuke Suzuki
+
+ [JSC] InternalFunction should be non-destructible
+ https://bugs.webkit.org/show_bug.cgi?id=204556
+
+ Reviewed by Mark Lam.
+
+ InternalFunction and most of its subclasses should be non-destructible since they can be trivially
+ destructed and don't use a destroy function. For the few subclasses that do need a destroy function,
+ these should have different IsoSubspaces of their own. For each of these subclasses, we annotate
+ needsDestruction = true, define a specific HeapCellType for them, and pass the HeapCellType to their
+ IsoSubspace so that their destructors can be invoked.
+
+ * API/ObjCCallbackFunction.h:
+ * API/glib/JSCCallbackFunction.cpp:
+ (JSC::JSCCallbackFunction::subspaceForImpl): Deleted.
+ * API/glib/JSCCallbackFunction.h:
+ (JSC::JSCCallbackFunction::subspaceFor): Deleted.
+ (JSC::JSCCallbackFunction::createStructure): Deleted.
+ (JSC::JSCCallbackFunction::functionCallback): Deleted.
+ (JSC::JSCCallbackFunction::constructCallback): Deleted.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::InternalFunction):
+ * runtime/InternalFunction.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2019-11-25 Saam Barati
+
+ Unreviewed. Fix 32-bit build.
+
+ * bytecode/GetByValHistory.h:
+ (JSC::GetByValHistory::observeNonUID):
+ (JSC::GetByValHistory::observe):
+ (JSC::GetByValHistory::count const):
+ (JSC::GetByValHistory::filter const):
+
+2019-11-24 Yusuke Suzuki
+
+ [JSC] Introduce IsoHeapCellType
+ https://bugs.webkit.org/show_bug.cgi?id=204555
+
+ Reviewed by Mark Lam.
+
+ We introduce IsoHeapCellType, which destroys cell based on CellType information, which should be in IsoSubspace.
+ By using this, we can avoid inheriting JSDestructibleObject. For each IsoSubspace, we know how to destroy cells if we use
+ IsoHeapCellType without using methodTable. We start using it for, JSString, JSWeakMap, JSWeakSet, WebAssemblyFunction,
+ and JSWebAssemblyCodeBlock. And we use JSNonFinalObject for the base of JSWeakMap and JSWeakSet, which shrinks size of them
+ from 48 to 32.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * heap/IsoHeapCellType.h: Renamed from Source/JavaScriptCore/wasm/js/WebAssemblyFunctionHeapCellType.h.
+ * runtime/JSString.cpp:
+ (JSC::JSString::destroy): Deleted.
+ * runtime/JSString.h:
+ (JSC::JSString::destroy):
+ * runtime/JSStringHeapCellType.cpp: Removed.
+ * runtime/JSStringHeapCellType.h: Removed.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * runtime/WeakMapImpl.h:
+ * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Removed.
+ * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Removed.
+ * wasm/js/WebAssemblyFunctionHeapCellType.cpp: Removed.
+
+2019-11-23 Ross Kirsling
+
+ [JSC] GetSubstitution is performed incorrectly via RegExp.prototype[@@replace]
+ https://bugs.webkit.org/show_bug.cgi?id=204490
+
+ Reviewed by Mark Lam.
+
+ String.prototype.replace and RegExp.prototype[Symbol.replace] are meant to perform the same substitution
+ of $-backreferences (called GetSubstitution in the spec: https://tc39.es/ecma262/#sec-getsubstitution).
+
+ The implementation of this in StringPrototype.cpp is correct but the one in RegExpPrototype.js is not.
+ In particular, the latter *removes* backreferences with out-of-range indices, instead of leaving them as-is.
+
+ One thing that is *not* broken in either implementation and thus maintained here is the fact $10 is interpreted
+ as $1 followed by a 0 when we have 1 <= n < 10 captures (and analogously for other invalid $nn backreferences).
+ This behavior is consistent across all engines but currently described incorrectly in the spec; this patch thus
+ aligns with the spec PR currently open to correct this (https://github.com/tc39/ecma262/pull/1732).
+
+ * builtins/RegExpPrototype.js:
+ (getSubstitution): Ensure that invalid backreferences remain untouched in the output string.
+ (replace): Fix off-by-one error when populating captures list. We shouldn't be reserving a slot for the full match.
+
+2019-11-22 Saam Barati
+
+ Use LLInt profiling to rule out generating an IC for get_by_val
+ https://bugs.webkit.org/show_bug.cgi?id=204536
+
+ Reviewed by Yusuke Suzuki.
+
+ When I landed the get_by_val polymorphic inline caching patch, the prepack
+ benchmark in JetStream2 slowed down by 10%. Through some analysis, I found
+ out that we were slowing down because of the time we spent in the JITs
+ actually generating inline caches. This patch skips generating an inline
+ cache when it seems like it won't be profitable. The heuristic for doing this
+ is simple:
+ - If we see more than 4 identifiers in the LLInt, we won't generate an IC
+ in the upper tiers.
+ - If we see a non-identifier JSString in the LLInt, we won't generate an IC
+ in the upper tiers.
+
+ This patch recovers the regression on prepack.
+
+ * bytecode/BytecodeList.rb:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * generator/main.rb:
+ * heap/TinyBloomFilter.h:
+ (JSC::TinyBloomFilter::bits const):
+ (JSC::TinyBloomFilter::TinyBloomFilter):
+ * jit/JIT.h:
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/Operations.h:
+ (JSC::getByValWithIndex):
+ * runtime/OptionsList.h:
+
+2019-11-22 Per Arne Vollan
+
+ Fix compile error in release mode
+ https://bugs.webkit.org/show_bug.cgi?id=204534
+
+ Reviewed by Mark Lam.
+
+ A compiler error is thrown in release mode when compiling FullBytecodeLiveness::getLiveness,
+ since not all paths are returning a value.
+
+ * bytecode/FullBytecodeLiveness.h:
+ (JSC::FullBytecodeLiveness::getLiveness const):
+
+2019-11-22 Tadeu Zagallo
+
+ [WebAssembly] Improve Wasm::LLIntGenerator
+ https://bugs.webkit.org/show_bug.cgi?id=204092
+
+ Reviewed by Saam Barati.
+
+ This improves the Wasm::LLIntGenerator by:
+ - Changing LLIntGenerator::ExpressionType from RefPtr to VirtualRegister: Instead of allocating and retaining
+ RegisterIDs we use VirtualRegisters directly and ensure that they match the WebAssembly stack, i.e. the parser's expression
+ stack should match the virtual registers.
+ - Removing redundant moves when materializing constants and performing local.get: instead of creating a new temporary
+ for each constant and local.get, we return the VirtualRegister for the constant/local slot directly. In order for this
+ to work, we still allocate the stack slot for the temporaries, since we have to materialize them before loops and branches.
+ - Adding a constructor to ControlType that takes the results ExpressionList as an rvalue instead of copying it
+ - Optimizing callInformationFor, which is now split into two functions. The callee does not care about arguments, and should
+ never allocate temporaries, and the caller case was optimized by avoiding unnecessary calls to newTemporary
+ - Delay holding the lock in LLintPlan::compileFunction, since we do not need to hold it while compiling the js-to-wasm entrypoint
+
+ * bytecode/BytecodeList.rb:
+ * bytecompiler/Label.h:
+ (JSC::GenericLabel::location const):
+ (JSC::GenericLabel::unresolvedJumps const):
+ * generator/Wasm.rb:
+ * llint/WebAssembly.asm:
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::endTopLevel):
+ (JSC::Wasm::AirIRGenerator::didPopValueFromStack):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::endTopLevel):
+ (JSC::Wasm::B3IRGenerator::didPopValueFromStack):
+ * wasm/WasmFunctionCodeBlock.cpp:
+ (JSC::Wasm::FunctionCodeBlock::addJumpTable):
+ * wasm/WasmFunctionCodeBlock.h:
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::expressionStack):
+ (JSC::Wasm::FunctionParser::parseBody):
+ (JSC::Wasm::FunctionParser::parseExpression):
+ * wasm/WasmLLIntGenerator.cpp:
+ (JSC::Wasm::LLIntGenerator::ControlType::loop):
+ (JSC::Wasm::LLIntGenerator::ControlType::topLevel):
+ (JSC::Wasm::LLIntGenerator::ControlType::block):
+ (JSC::Wasm::LLIntGenerator::ControlType::if_):
+ (JSC::Wasm::LLIntGenerator::ControlType::targetArity const):
+ (JSC::Wasm::LLIntGenerator::ControlType::stackSize const):
+ (JSC::Wasm::LLIntGenerator::ControlType::ControlType):
+ (JSC::Wasm::LLIntGenerator::unifyValuesWithBlock):
+ (JSC::Wasm::LLIntGenerator::push):
+ (JSC::Wasm::LLIntGenerator::didPopValueFromStack):
+ (JSC::Wasm::LLIntGenerator::emptyExpression):
+ (JSC::Wasm::LLIntGenerator::addEndToUnreachable):
+ (JSC::Wasm::LLIntGenerator::dump):
+ (JSC::Wasm::LLIntGenerator::virtualRegisterForWasmLocal):
+ (JSC::Wasm::LLIntGenerator::jsNullConstant):
+ (JSC::Wasm::LLIntGenerator::zeroConstant):
+ (JSC::Wasm::LLIntGenerator::getDropKeepCount):
+ (JSC::Wasm::LLIntGenerator::dropKeep):
+ (JSC::Wasm::LLIntGenerator::walkExpressionStack):
+ (JSC::Wasm::LLIntGenerator::checkConsistency):
+ (JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals):
+ (JSC::Wasm::LLIntGenerator::materializeLocals):
+ (JSC::Wasm::LLIntGenerator::ConstantMapHashTraits::constructDeletedValue):
+ (JSC::Wasm::LLIntGenerator::ConstantMapHashTraits::isDeletedValue):
+ (JSC::Wasm::LLIntGenerator::LLIntGenerator):
+ (JSC::Wasm::LLIntGenerator::finalize):
+ (JSC::Wasm::LLIntGenerator::callInformationForCaller):
+ (JSC::Wasm::LLIntGenerator::callInformationForCallee):
+ (JSC::Wasm::LLIntGenerator::addArguments):
+ (JSC::Wasm::LLIntGenerator::addLocal):
+ (JSC::Wasm::LLIntGenerator::didFinishParsingLocals):
+ (JSC::Wasm::LLIntGenerator::addConstant):
+ (JSC::Wasm::LLIntGenerator::getLocal):
+ (JSC::Wasm::LLIntGenerator::setLocal):
+ (JSC::Wasm::LLIntGenerator::getGlobal):
+ (JSC::Wasm::LLIntGenerator::addLoop):
+ (JSC::Wasm::LLIntGenerator::addTopLevel):
+ (JSC::Wasm::LLIntGenerator::addBlock):
+ (JSC::Wasm::LLIntGenerator::addIf):
+ (JSC::Wasm::LLIntGenerator::addElse):
+ (JSC::Wasm::LLIntGenerator::addElseToUnreachable):
+ (JSC::Wasm::LLIntGenerator::addReturn):
+ (JSC::Wasm::LLIntGenerator::addBranch):
+ (JSC::Wasm::LLIntGenerator::addSwitch):
+ (JSC::Wasm::LLIntGenerator::endBlock):
+ (JSC::Wasm::LLIntGenerator::endTopLevel):
+ (JSC::Wasm::LLIntGenerator::addCall):
+ (JSC::Wasm::LLIntGenerator::addCallIndirect):
+ (JSC::Wasm::LLIntGenerator::addRefIsNull):
+ (JSC::Wasm::LLIntGenerator::addRefFunc):
+ (JSC::Wasm::LLIntGenerator::addTableGet):
+ (JSC::Wasm::LLIntGenerator::addTableSize):
+ (JSC::Wasm::LLIntGenerator::addTableGrow):
+ (JSC::Wasm::LLIntGenerator::addCurrentMemory):
+ (JSC::Wasm::LLIntGenerator::addGrowMemory):
+ (JSC::Wasm::LLIntGenerator::addSelect):
+ (JSC::Wasm::LLIntGenerator::load):
+ (JSC::GenericLabel::setLocation):
+ * wasm/WasmLLIntPlan.cpp:
+ (JSC::Wasm::LLIntPlan::compileFunction):
+ * wasm/WasmValidate.cpp:
+ (JSC::Wasm::Validate::endTopLevel):
+ (JSC::Wasm::Validate::didPopValueFromStack):
+
+2019-11-22 Yusuke Suzuki
+
+ [JSC] DFG terminal's liveness should respect caller's opcodeID
+ https://bugs.webkit.org/show_bug.cgi?id=204317
+
+ Reviewed by Saam Barati.
+
+ Let's consider the following example, which is freqneutly seen in Speedometer2/EmberJS-Debug.
+
+ "use strict";
+
+ function assertImpl(cond)
+ {
+ if (!cond)
+ throw new Error();
+ }
+
+ function assert()
+ {
+ assertImpl.apply(undefined, arguments);
+ }
+ noInline(assert);
+
+ When compiling `throw`, we emit a terminal node and put Phantom/PhantomLocal based on the bytecode liveness.
+ When collecting liveness for each frame, we use the liveness information of the bytecode `op_call_varargs` in assert function.
+ This means that op_call_varargs's uses are considered as live (like, `arguments` in this example).
+ But it is not necessary to mark it "live": if we are in assertImpl, `arguments` is already loaded into the stack, and we no longer
+ use `arguments` when exiting, and the execution after the exit. Marking this `arguments` live makes this `arguments` allocated
+ in DFG, but this is wasteful.
+
+ In this patch, we introduce BeforeUse and AfterUse concept into bytecode liveness information. And use AfterUse information when
+ collecting liveness in the caller's frame in DFG. We only enable this for varargs for now since (1) applying this to the other ones
+ is not profitable, and (2) we need to be careful to make stack arguments live to allow materialization of arguments objects.
+ In op_call_varargs / op_tail_call_varargs / op_construct_varargs cases, uses are happen only for |callee|, |this|, and |arguments|.
+ And these are no longer necessary after calling.
+
+ We don't use liveness information in the next bytecode since it misses uses marked by exception handlers.
+
+ * bytecode/BytecodeLivenessAnalysis.cpp:
+ (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
+ * bytecode/BytecodeLivenessAnalysis.h:
+ (JSC::BytecodeLivenessAnalysis::graph):
+ * bytecode/BytecodeLivenessAnalysisInlines.h:
+ (JSC::BytecodeLivenessPropagation::stepOverInstructionDef):
+ (JSC::BytecodeLivenessPropagation::stepOverInstructionUse):
+ (JSC::BytecodeLivenessPropagation::stepOverInstructionUseInExceptionHandler):
+ (JSC::BytecodeLivenessPropagation::stepOverInstruction):
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeIndex):
+ (JSC::computeDefsForBytecodeIndex):
+ * bytecode/FullBytecodeLiveness.h:
+ (JSC::FullBytecodeLiveness::getLiveness const):
+ (JSC::FullBytecodeLiveness::operandIsLive const):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::ForInContext::finalize):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
+ * dfg/DFGForAllKills.h:
+ (JSC::DFG::forAllKilledOperands):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::isLiveInBytecode):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
+ (JSC::DFG::Graph::appropriateLivenessCalculationPoint):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2019-11-22 Carlos Garcia Campos
+
+ Unreviewed. Fix GTK/WPE debug build after r252770
+
+ Just remove the ASSERT instead, since it now always receive a newly created Ref.
+
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::setupConnection):
+
+2019-11-22 Carlos Garcia Campos
+
+ Unreviewed. Fix GTK/WPE debug build after r252770
+
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::setupConnection):
+
+2019-11-22 Carlos Garcia Campos
+
+ [GTK][WPE] RemoteInspector: use sockets instead of DBus
+ https://bugs.webkit.org/show_bug.cgi?id=204503
+
+ Reviewed by Žan Doberšek.
+
+ It turns out DBus is event slower than expected. Using GSockets API we can simplify the code and make it a lot
+ more efficient. This will drastically reduce the time to run WebDriver tests in the bots.
+
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::start):
+ (Inspector::RemoteInspector::stopInternal):
+ (Inspector::RemoteInspector::setupConnection):
+ (Inspector::RemoteInspector::pushListingsNow):
+ (Inspector::RemoteInspector::pushListingsSoon):
+ (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
+ (Inspector::RemoteInspector::sendMessageToRemote):
+ * inspector/remote/glib/RemoteInspectorServer.cpp:
+ (Inspector::RemoteInspectorServer::~RemoteInspectorServer):
+ (Inspector::RemoteInspectorServer::start):
+ (Inspector::RemoteInspectorServer::incomingConnectionCallback):
+ (Inspector::RemoteInspectorServer::incomingConnection):
+ (Inspector::RemoteInspectorServer::setTargetList):
+ (Inspector::RemoteInspectorServer::setupInspectorClient):
+ (Inspector::RemoteInspectorServer::setup):
+ (Inspector::RemoteInspectorServer::close):
+ (Inspector::RemoteInspectorServer::connectionDidClose):
+ (Inspector::RemoteInspectorServer::sendMessageToBackend):
+ (Inspector::RemoteInspectorServer::sendMessageToFrontend):
+ (Inspector::RemoteInspectorServer::startAutomationSession):
+ * inspector/remote/glib/RemoteInspectorServer.h:
+ (Inspector::RemoteInspectorServer::isRunning const):
+
+2019-11-22 Mark Lam
+
+ Fix missing exception check in replaceUsingStringSearch().
+ https://bugs.webkit.org/show_bug.cgi?id=204496
+
+ Reviewed by Yusuke Suzuki.
+
+ The CachedCall constructor can throw OutOfMemory or StackOverflow errors.
+ This was caught by existing JSC stress tests when we run with a debug build.
+
+ Also placate the exception check validator in $vm's functionCallWithStackSize().
+
+ * runtime/StringPrototype.cpp:
+ (JSC::replaceUsingStringSearch):
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCallWithStackSize):
+
+2019-11-21 Mark Lam
+
+ replaceUsingStringSearch() should not use CachedCall with host functions.
+ https://bugs.webkit.org/show_bug.cgi?id=204494
+
+
+ Reviewed by Ross Kirsling.
+
+ The CachedCall mechanism does not support calling hist functions.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::replaceUsingStringSearch):
+
+2019-11-21 Saam Barati
+
+ GetByStatus should not say it took the slow path for multiple identifiers and should have a way to indicate if the StructureStubInfo it saw took the slow path
+ https://bugs.webkit.org/show_bug.cgi?id=204435
+
+ Reviewed by Tadeu Zagallo.
+
+ I discovered some issues with get by val ICs when re-running the microbenchmarks
+ I wrote. I noticed that we were faster when not running with the DFG. The reason
+ for this is that we were only emitting a get by val IC in the DFG/FTL when we
+ observe the GetByStatus says it didn't "go to the slow path". The logic in GetByStatus
+ for building up a variant list was wrong for ICs with multiple identifiers. We have
+ a consistency check when building up the list to ensure that no two variants have
+ structure sets which overlap, because we wouldn't know which one to choose. However,
+ we were accidentally saying two GetByIdVariants overlap when they had different identifiers.
+ This patch fixes that bug by also doing an identifier comparison check. Two GetByIdVariants
+ with different identifiers do not overlap.
+
+ We also used to say a GetByStatus "goes to the slow path" if any of the cases were an
+ array-like load. I wrote that code thinking that ArrayProfile would just handle it.
+ However, sometimes we have a get by val IC that both has string properties and int32 properties.
+ In these kinds of scenarios, an IC is super profitable. This patch now distinguishes
+ between a GetByStatus saying "we're a slow path" and if we actually observed the StructureStubInfo
+ go to the slow path. In the DFG/FTL, we only forgo emitting a get by val IC when observing a
+ prior StructureStubInfo that went to the slow path.
+
+ I also realized are call to StructureStubInfo::considerCaching was wrong for get by val ICs.
+ We were only considering the Structure in isolation, not the { Structure, Identifier }
+ pair. For get by val, we need to consider the pair together, since {s1, "a"}
+ and {s1, "b"} will be two different access cases.
+
+ This patch demonstrates that on these microbenchmarks, get by val ICs can
+ be between 50-200% faster.
+
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::dumpInContext const):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::overlaps):
+ * bytecode/GetByStatus.cpp:
+ (JSC::GetByStatus::GetByStatus):
+ (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+ (JSC::GetByStatus::makesCalls const):
+ (JSC::GetByStatus::slowVersion const):
+ (JSC::GetByStatus::merge):
+ (JSC::GetByStatus::dump const):
+ * bytecode/GetByStatus.h:
+ (JSC::GetByStatus::GetByStatus):
+ (JSC::GetByStatus::takesSlowPath const):
+ (JSC::GetByStatus::observedStructureStubInfoSlowPath const):
+ * bytecode/ICStatusUtils.h:
+ (JSC::appendICStatusVariant):
+ * bytecode/InByIdVariant.h:
+ (JSC::InByIdVariant::overlaps):
+ * bytecode/InstanceOfVariant.h:
+ (JSC::InstanceOfVariant::overlaps):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::overlaps):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::visitWeakReferences):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::considerCaching):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * jit/JITOperations.cpp:
+
+2019-11-21 Mark Lam
+
+ Fix broken String.prototype.replace() and replaceAll().
+ https://bugs.webkit.org/show_bug.cgi?id=204479
+
+
+ Reviewed by Ross Kirsling and Yusuke Suzuki.
+
+ String.prototype.replace() regressed due to r252683:
+ for webkit.org/b/202471. The patch failed to handle InternalFunctions.
+
+ This patch also fixed a spec compliance bug for String.prototype.replace() i.e.
+ the replaceValue needs to be evaluated before we check if there's a match in the
+ source string.
+ Ref: 21.1.3.16-6 at https://www.ecma-international.org/ecma-262/10.0/#sec-string.prototype.replace
+
+ For String.prototype.replaceAll(), make sure it "behaves just like
+ String.prototype.replace if searchValue is a global regular expression".
+ Ref: https://github.com/tc39/proposal-string-replaceall
+
+ r252683 also made replaceUsingStringSearch() work the same way as
+ replaceUsingRegExpSearch(). I think this is the wrong trade off to make.
+ replaceUsingRegExpSearch() expects each search leg to do a RegExp search, which
+ is inherently expensive. We shouldn't make string searches slower just because
+ the RegExp search does it that way.
+
+ However, at https://bugs.webkit.org/show_bug.cgi?id=202471#c22, Ross pointed out
+ that JetStream 2 results appeared to be neutral. I think we should double check
+ with a micro-benchmark as well. I'll leave this for a later patch. For now, the
+ goal of this patch is simply to achieve correctness.
+ Ref: https://bugs.webkit.org/show_bug.cgi?id=204481
+
+ * runtime/StringPrototype.cpp:
+ (JSC::replaceUsingRegExpSearch):
+ (JSC::replaceUsingStringSearch):
+
+2019-11-21 Per Arne Vollan
+
+ Fix Win64 compile errors
+ https://bugs.webkit.org/show_bug.cgi?id=204471
+
+ Reviewed by Brent Fulgham.
+
+ Fix warnings being treated as errors.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::requiresIdentifierNameMatch const):
+ (JSC::AccessCase::requiresInt32PropertyCheck const):
+ (JSC::AccessCase::needsScratchFPR const):
+ (JSC::AccessCase::doesCalls const):
+ (JSC::AccessCase::canReplace const):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::executeOSRExit):
+ * jit/JITOperations.cpp:
+ (JSC::profiledAdd):
+ * jit/Repatch.cpp:
+ (JSC::appropriateOptimizingGetByFunction):
+ (JSC::appropriateGetByFunction):
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCallWithStackSize):
+
+2019-11-21 Yusuke Suzuki
+
+ Unreviewed, rolling in again, regression is not caused by it
+ https://bugs.webkit.org/show_bug.cgi?id=202471
+
+ * builtins/BuiltinNames.h:
+ * builtins/StringPrototype.js:
+ (replaceAll):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+ (JSC::jsSpliceSubstringsWithSeparators):
+ (JSC::replaceUsingStringSearch):
+ (JSC::replace):
+ (JSC::stringProtoFuncReplaceUsingStringSearch):
+ (JSC::stringProtoFuncReplaceAllUsingStringSearch):
+
+2019-11-21 Commit Queue
+
+ Unreviewed, rolling out r252683 and r252721.
+ https://bugs.webkit.org/show_bug.cgi?id=204475
+
+ 13% regression in JetStream2/prepack-wtb (Requested by
+ yusukesuzuki on #webkit).
+
+ Reverted changesets:
+
+ "Implement String.prototype.replaceAll"
+ https://bugs.webkit.org/show_bug.cgi?id=202471
+ https://trac.webkit.org/changeset/252683
+
+ "Unreviewed, address Darin's feedback on r252683."
+ https://trac.webkit.org/changeset/252721
+
+2019-11-21 Devin Rousso
+
+ Web Inspector: removing the blackbox for a specific script doesn't actually remove the blackbox
+ https://bugs.webkit.org/show_bug.cgi?id=204428
+
+ Reviewed by Timothy Hatcher.
+
+ Previously, when updating the blackbox state of each existing script, we would only tell the
+ `Debugger` about when scripts should be blackboxed, not when they shouldn't. This means that
+ when a given script is un-blackboxed, the `Debugger` would never get told about it and would
+ therefore still defer pauses as if it was blackboxed.
+
+ The solution to this is simple; update the blackboxed state of every script, not just those
+ that should be blackboxed, and tell the `Debugger` about each.
+
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL):
+
+2019-11-20 Yusuke Suzuki
+
+ [JSC] Extend MacroAssemblerARM64::load/store for datasize = 16
+ https://bugs.webkit.org/show_bug.cgi?id=204442
+
+
+ Reviewed by Mark Lam.
+
+ Our `void load16(const void* address, RegisterID dest)` and `void store16(RegisterID src, const void* address)` are not aware of
+ the condition that passed register can be memoryTempRegister, while `MacroAssemblerARM64::{load,store}` handles it correctly, e.g.
+ `load` invalidates `cachedMemoryTempRegister` if destination register is memoryTempRegister. As a result, when we are emitting
+ `or16(TrustedImm32 imm, AbsoluteAddress address)` with address where the address's value does not fit in imm, the generated code
+ is reusing memoryTempRegister incorrectly.
+
+ 0xedf8d4fb4: mov x17, #0x7af0
+ 0xedf8d4fb8: movk x17, #0xd5a, lsl #16
+ 0xedf8d4fbc: movk x17, #0x1, lsl #32 // Construct imm register on x17.
+ 0xedf8d4fc0: ldrh w17, [x17] // Load half word from x17 to w17 (we should invalidate x17 memoryTempRegister here).
+ 0xedf8d4fc4: mov w16, #0x1b
+ 0xedf8d4fc8: orr w16, w17, w16
+ 0xedf8d4fcc: strh w16, [x17] // x17 memoryTempRegister is reused while its content is invalid.
+
+ The problem is that `load` and `store` functions are not supporting datasize = 16 case. This patch extends `MacroAssemblerARM64::{load,store}`
+ to support 16 so that `or16` implementation looks is similar to `or32` etc.
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::load16):
+ (JSC::MacroAssemblerARM64::store16):
+ (JSC::MacroAssemblerARM64::load):
+ (JSC::MacroAssemblerARM64::store):
+ * assembler/testmasm.cpp:
+ (JSC::testOrImmMem):
+
+2019-11-20 Saam Barati
+
+ Baseline JIT should fill in StructureStubInfo's propertyIsInt32 and the slow path should update the array profile more frequently
+ https://bugs.webkit.org/show_bug.cgi?id=204432
+
+ Reviewed by Tadeu Zagallo.
+
+ When I added inline caching for get by val, I removed code which updated the
+ ArrayProfile with some frequency. This patch adds code that does that back,
+ which recovers some of the JetStream2 regressions we are seeing.
+
+ * jit/JITOperations.cpp:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+
+2019-11-20 Ross Kirsling
+
+ Unreviewed, address Darin's feedback on r252683.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::replaceUsingStringSearch):
+ (JSC::replace):
+ (JSC::stringProtoFuncReplaceUsingStringSearch):
+ (JSC::stringProtoFuncReplaceAllUsingStringSearch):
+
+2019-11-20 Caio Lima
+
+ [JSC] OSR exit to LLInt is broken on MIPS
+ https://bugs.webkit.org/show_bug.cgi?id=203737
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is adjusting the OSR to LLInt mechanism to MIPS. When we
+ use PIC on this architecture, we need to properly configure `$gp`
+ at some places to be able to access global variables. This is required
+ on LLInt to access Global Offset Table (got). According to MIPS ABI,
+ the `$gp` can be recalculated during function prologue using caller
+ register `$t9`. We also emit such instructions (we can see this as
+ `OFFLINE_ASM_CPLOAD` macro) immediately after a non-local label on
+ LLInt. With the introduction of OSR to LLInt mechanism, we now have
+ return location labels that are reached from `ret` LLInt instructions.
+ Such return locations are used to properly return to LLInt execution
+ whenever an OSR exits from inlined call on DFG or FTL to LLInt. When
+ OSR is materializing LLInt stack frames for inlined functions (or
+ accessors), it sets return address to its return location label.
+ This means that for such labels, we need to adjust `$gp`
+ using `$ra` instead of `$t9`, given that LLInt `ret` operation uses
+ `jr $ra` to jump the execution to there.
+ To implement this, we changed `mipsAddPICCode` to emit code
+ using the correct register required to recalculate `$gp`.
+ We also changed `callTargetFunction` to use the stubs as return
+ location points, since the declaration of global labels will emmit
+ `OFFLINE_ASM_CPLOAD($ra)` and we don't want to execute it during
+ normal LLInt execution.
+
+ * llint/LowLevelInterpreter.asm:
+ * offlineasm/mips.rb:
+
+2019-11-20 Robin Morisset
+
+ Fix load<16> on ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=204326
+
+ Reviewed by Mark Lam.
+
+ On ARM64 I used load<16> in https://bugs.webkit.org/show_bug.cgi?id=202832.
+ Unfortunately it turns out to call ldr<16>, and ldr asserts that n is either 32 or 64.
+ This fix simply calls ldrh/strh directly.
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::load16):
+ (JSC::MacroAssemblerARM64::store16):
+
+2019-11-20 Mark Lam
+
+ Flaky JSC test: stress/stack-overflow-in-yarr-byteCompile.js.dfg-eager.
+ https://bugs.webkit.org/show_bug.cgi?id=204405
+
+ Reviewed by Alexey Proskuryakov.
+
+ $vm.allWithStackSize() manipulates the stack in ways that will freak out ASan.
+ So, add SUPPRESS_ASAN to functionCallWithStackSize() to tell ASan to ignore it.
+
+ * tools/JSDollarVM.cpp:
+
+2019-11-20 Caio Lima
+
+ Regression (r252680): JSCOnly build broken: no matching function for call to JSC::DFG::SpeculativeJIT::jsValueResult
+ https://bugs.webkit.org/show_bug.cgi?id=204404
+
+ Reviewed by Saam Barati.
+
+ Adjusting build after changes from r252684 and r252680.
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateWithGuard): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIncOrDec): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_to_numeric): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emitSlow_op_get_by_val): + +2019-11-19 Saam Barati + + GetByVal should use polymorphic access and hook into a status object + https://bugs.webkit.org/show_bug.cgi?id=202767 + + Reviewed by Keith Miller. + + This patch puts get_by_val in our normal IC caching infrastructure. This means + building it on top of StructureStubInfo and PolymorphicAccess. For this to + work, AccessCase now supports all the array load variants that we used to have + fast paths for. For identifier based variants, it we just fall back to the + code we've already implemented, but only after doing a runtime check that + the identifier matches the expected identifier. This allows us to reuse all + the IC infrastructure we have for get_by_id. + + Our compilation strategy is that the baseline JIT always emits a get_by_val + IC. If that IC goes to the slow path, the DFG/FTL won't also emit the same IC, + since it's probable that we're seeing a megamorphic switch over strings. This + was needed to keep this patch neutral on Speedometer 2. It's likely there is + room to improve this heuristic: https://bugs.webkit.org/show_bug.cgi?id=204336 + + This now allows us to have inline caches which contain array loads, and uses + of different identifiers. They just show up as different access cases inside + polymorphic access. + + This patch is a progression on various microbenchmarks, especially those with + uses of a fixed set of multiple identifiers. It's neutral on JetStream 2 and + Speedometer 2. + + This patch also hooks in get_by_val ICs to our ICStatus infrastructure. 
This + is going to pave the way to allow us to eagerly throw away baseline code, since + when we go for an FTL compile, we will be able to use the IC status from the + prior compile without relying on baseline specific data structures. + + There are a few interesting tidbits in this patch that are worth + highlighting. + - Unlike get_by_id, when we take an IC snapshot for a get_by_val + IC, we're not guaranteed the various identifiers in question will outlive + the compile (get_by_id ensures this since they're in the constant pool of + CodeBlock). For get_by_val, the Identifiers in question are dynamic fields + of AccessCase, and AccessCase may get destroyed as we're compiling concurrently. + Also, String's reference counting isn't thread safe, so we can't just ref it. + Instead, we use a Box inside AccessCase. This allows us to safely + ref the Box without refing the underlying String. We're not worried about the + Box being destroyed while we're doing this, since we're holding a lock while + taking an IC snapshot inside GetByStatus. + - We no longer hold onto the actual JS symbol object in the inline cache. + This is what we used to do for inlining by val infos. Instead, this patch + extends the CheckStringIdent node to be able to handle symbols as well. This + patch also renames CheckStringIdent to CheckIdent. + + This patch also renames various IC related helpers from GetById* to GetBy*, + since they can both be used by get_by_val and get_by_id. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/AccessCase.cpp: + (JSC::AccessCase::AccessCase): + (JSC::AccessCase::create): + (JSC::AccessCase::fromStructureStubInfo): + (JSC::AccessCase::commit): + (JSC::AccessCase::guardedByStructureCheck const): + (JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const): + (JSC::AccessCase::requiresIdentifierNameMatch const): + (JSC::AccessCase::requiresInt32PropertyCheck const): + (JSC::AccessCase::needsScratchFPR const): + (JSC::AccessCase::forEachDependentCell const): + (JSC::AccessCase::doesCalls const): + (JSC::AccessCase::canReplace const): + (JSC::AccessCase::dump const): + (JSC::AccessCase::generateWithGuard): + (JSC::AccessCase::generate): + (JSC::AccessCase::generateImpl): + (JSC::AccessCase::toTypedArrayType): + (JSC::AccessCase::checkConsistency): + * bytecode/AccessCase.h: + (JSC::AccessCase::uid const): + (JSC::AccessCase::identifier const): + (JSC::AccessCase::checkConsistency): + (JSC::AccessCase::AccessCase): + * bytecode/GetByIdStatus.cpp: Removed. + * bytecode/GetByIdStatus.h: Removed. + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::GetByIdVariant): + (JSC::GetByIdVariant::operator=): + (JSC::GetByIdVariant::attemptToMerge): + * bytecode/GetByIdVariant.h: + (JSC::GetByIdVariant::domAttribute const): + (JSC::GetByIdVariant::identifier const): + * bytecode/GetByStatus.cpp: Copied from Source/JavaScriptCore/bytecode/GetByIdStatus.cpp. 
+ (JSC::GetByStatus::appendVariant): + (JSC::GetByStatus::computeFromLLInt): + (JSC::GetByStatus::computeFor): + (JSC::GetByStatus::GetByStatus): + (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): + (JSC::GetByStatus::makesCalls const): + (JSC::GetByStatus::slowVersion const): + (JSC::GetByStatus::merge): + (JSC::GetByStatus::filter): + (JSC::GetByStatus::markIfCheap): + (JSC::GetByStatus::finalize): + (JSC::GetByStatus::singleIdentifier const): + (JSC::GetByStatus::dump const): + (JSC::GetByIdStatus::appendVariant): Deleted. + (JSC::GetByIdStatus::computeFromLLInt): Deleted. + (JSC::GetByIdStatus::computeFor): Deleted. + (JSC::GetByIdStatus::computeForStubInfo): Deleted. + (JSC::GetByIdStatus::GetByIdStatus): Deleted. + (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): Deleted. + (JSC::GetByIdStatus::makesCalls const): Deleted. + (JSC::GetByIdStatus::slowVersion const): Deleted. + (JSC::GetByIdStatus::merge): Deleted. + (JSC::GetByIdStatus::filter): Deleted. + (JSC::GetByIdStatus::markIfCheap): Deleted. + (JSC::GetByIdStatus::finalize): Deleted. + (JSC::GetByIdStatus::dump const): Deleted. + * bytecode/GetByStatus.h: Copied from Source/JavaScriptCore/bytecode/GetByIdStatus.h. + (JSC::GetByStatus::GetByStatus): + (JSC::GetByStatus::moduleNamespaceObject const): + (JSC::GetByStatus::moduleEnvironment const): + (JSC::GetByStatus::scopeOffset const): + (JSC::GetByIdStatus::GetByIdStatus): Deleted. + (JSC::GetByIdStatus::state const): Deleted. + (JSC::GetByIdStatus::isSet const): Deleted. + (JSC::GetByIdStatus::operator bool const): Deleted. + (JSC::GetByIdStatus::isSimple const): Deleted. + (JSC::GetByIdStatus::isCustom const): Deleted. + (JSC::GetByIdStatus::isModuleNamespace const): Deleted. + (JSC::GetByIdStatus::numVariants const): Deleted. + (JSC::GetByIdStatus::variants const): Deleted. + (JSC::GetByIdStatus::at const): Deleted. + (JSC::GetByIdStatus::operator[] const): Deleted. + (JSC::GetByIdStatus::takesSlowPath const): Deleted. 
+ (JSC::GetByIdStatus::wasSeenInJIT const): Deleted. + (JSC::GetByIdStatus::moduleNamespaceObject const): Deleted. + (JSC::GetByIdStatus::moduleEnvironment const): Deleted. + (JSC::GetByIdStatus::scopeOffset const): Deleted. + * bytecode/GetterSetterAccessCase.cpp: + (JSC::GetterSetterAccessCase::GetterSetterAccessCase): + (JSC::GetterSetterAccessCase::create): + * bytecode/GetterSetterAccessCase.h: + * bytecode/ICStatusMap.h: + * bytecode/InByIdStatus.cpp: + (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback): + * bytecode/InlineAccess.cpp: + (JSC::InlineAccess::generateSelfPropertyAccess): + (JSC::InlineAccess::canGenerateSelfPropertyReplace): + (JSC::InlineAccess::generateSelfPropertyReplace): + (JSC::InlineAccess::isCacheableArrayLength): + (JSC::InlineAccess::generateArrayLength): + (JSC::InlineAccess::isCacheableStringLength): + (JSC::InlineAccess::generateStringLength): + (JSC::InlineAccess::generateSelfInAccess): + * bytecode/InstanceOfAccessCase.cpp: + (JSC::InstanceOfAccessCase::InstanceOfAccessCase): + * bytecode/InstanceOfStatus.cpp: + (JSC::InstanceOfStatus::computeForStubInfo): + * bytecode/IntrinsicGetterAccessCase.cpp: + (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase): + (JSC::IntrinsicGetterAccessCase::create): + * bytecode/IntrinsicGetterAccessCase.h: + * bytecode/ModuleNamespaceAccessCase.cpp: + (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase): + (JSC::ModuleNamespaceAccessCase::create): + * bytecode/ModuleNamespaceAccessCase.h: + * bytecode/PolymorphicAccess.cpp: + (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall): + (JSC::PolymorphicAccess::addCases): + (JSC::PolymorphicAccess::addCase): + (JSC::PolymorphicAccess::commit): + (JSC::PolymorphicAccess::regenerate): + (WTF::printInternal): + * bytecode/PolymorphicAccess.h: + * bytecode/ProxyableAccessCase.cpp: + (JSC::ProxyableAccessCase::ProxyableAccessCase): + (JSC::ProxyableAccessCase::create): + * bytecode/ProxyableAccessCase.h: + * 
bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + * bytecode/RecordedStatuses.cpp: + (JSC::RecordedStatuses::addGetByStatus): + (JSC::RecordedStatuses::addGetByIdStatus): Deleted. + * bytecode/RecordedStatuses.h: + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::StructureStubInfo): + (JSC::StructureStubInfo::initGetByIdSelf): + (JSC::StructureStubInfo::initArrayLength): + (JSC::StructureStubInfo::initStringLength): + (JSC::StructureStubInfo::initPutByIdReplace): + (JSC::StructureStubInfo::initInByIdSelf): + (JSC::StructureStubInfo::deref): + (JSC::StructureStubInfo::aboutToDie): + (JSC::StructureStubInfo::addAccessCase): + (JSC::StructureStubInfo::reset): + (JSC::StructureStubInfo::visitWeakReferences): + (JSC::StructureStubInfo::propagateTransitions): + (JSC::StructureStubInfo::summary const): + (JSC::StructureStubInfo::containsPC const): + (JSC::StructureStubInfo::setCacheType): + (JSC::StructureStubInfo::checkConsistency): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::getByIdSelfIdentifier): + (JSC::StructureStubInfo::thisValueIsInThisGPR const): + (JSC::StructureStubInfo::checkConsistency): + (JSC::StructureStubInfo::cacheType const): + (JSC::appropriateOptimizingGetByIdFunction): + (JSC::appropriateGenericGetByIdFunction): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::filterICStatus): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleDOMJITGetter): + (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad): + (JSC::DFG::ByteCodeParser::load): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::parseGetById): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::handlePutByVal): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + * dfg/DFGConstantFoldingPhase.cpp: + 
(JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDesiredIdentifiers.cpp: + (JSC::DFG::DesiredIdentifiers::processCodeBlockIdentifiersIfNeeded): + (JSC::DFG::DesiredIdentifiers::ensure): + (JSC::DFG::DesiredIdentifiers::at const): + (JSC::DFG::DesiredIdentifiers::reallyAdd): + * dfg/DFGDesiredIdentifiers.h: + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGGraph.h: + * dfg/DFGInPlaceAbstractState.cpp: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::addGetByVal): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasUidOperand): + (JSC::DFG::Node::hasGetByStatus): + (JSC::DFG::Node::getByStatus): + (JSC::DFG::Node::hasGetByIdStatus): Deleted. + (JSC::DFG::Node::getByIdStatus): Deleted. + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetById): + (JSC::DFG::SpeculativeJIT::compileCheckIdent): + (JSC::DFG::SpeculativeJIT::compileCheckStringIdent): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGVarargsForwardingPhase.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): + (JSC::FTL::DFG::LowerDFGToB3::compileGetById): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent): Deleted. 
+ * jit/ICStats.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileSlowCases): + (JSC::JIT::link): + * jit/JIT.h: + * jit/JITInlineCacheGenerator.cpp: + (JSC::garbageStubInfo): + (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): + (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator): + (JSC::JITGetByValGenerator::JITGetByValGenerator): + (JSC::JITGetByValGenerator::generateFastPath): + (JSC::JITGetByValGenerator::finalize): + * jit/JITInlineCacheGenerator.h: + (JSC::JITGetByValGenerator::JITGetByValGenerator): + (JSC::JITGetByValGenerator::slowPathJump const): + * jit/JITInlines.h: + (JSC::JIT::emitDoubleGetByVal): Deleted. + (JSC::JIT::emitContiguousGetByVal): Deleted. + (JSC::JIT::emitArrayStorageGetByVal): Deleted. + * jit/JITOperations.cpp: + (JSC::getByVal): + (JSC::tryGetByValOptimize): Deleted. + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emit_op_try_get_by_id): + (JSC::JIT::emit_op_get_by_id_direct): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_get_by_id_with_this): + (JSC::JIT::emitGetByValWithCachedId): Deleted. + (JSC::JIT::privateCompileGetByVal): Deleted. + (JSC::JIT::privateCompileGetByValWithCachedId): Deleted. + (JSC::JIT::emitDirectArgumentsGetByVal): Deleted. + (JSC::JIT::emitScopedArgumentsGetByVal): Deleted. + (JSC::JIT::emitIntTypedArrayGetByVal): Deleted. + (JSC::JIT::emitFloatTypedArrayGetByVal): Deleted. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emit_op_try_get_by_id): + (JSC::JIT::emit_op_get_by_id_direct): + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_get_by_id_with_this): + (JSC::JIT::emitGetByValWithCachedId): Deleted. 
+ * jit/Repatch.cpp: + (JSC::appropriateOptimizingGetByFunction): + (JSC::appropriateGetByFunction): + (JSC::tryCacheGetBy): + (JSC::repatchGetBy): + (JSC::tryCacheArrayGetByVal): + (JSC::repatchArrayGetByVal): + (JSC::tryCachePutByID): + (JSC::tryCacheInByID): + (JSC::tryCacheInstanceOf): + (JSC::resetGetBy): + (JSC::appropriateOptimizingGetByIdFunction): Deleted. + (JSC::appropriateGetByIdFunction): Deleted. + (JSC::tryCacheGetByID): Deleted. + (JSC::repatchGetByID): Deleted. + (JSC::resetGetByID): Deleted. + * jit/Repatch.h: + * llint/LowLevelInterpreter.h: + * runtime/DOMAnnotation.h: + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpInContextAssumingStructure const): + * runtime/Structure.h: + +2019-11-19 Ross Kirsling + + Implement String.prototype.replaceAll + https://bugs.webkit.org/show_bug.cgi?id=202471 + + Reviewed by Yusuke Suzuki. + + Implement the stage 3 proposal here: + https://github.com/tc39/proposal-string-replaceall + + String.prototype.replaceAll is the same as String.prototype.replace, except: + 1. When the first argument is a string, all instances of the search string are replaced. + 2. When the first argument is a non-global regular expression, a TypeError is thrown. + + * builtins/BuiltinNames.h: + * builtins/StringPrototype.js: + (replaceAll): Added. + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + (JSC::jsSpliceSubstringsWithSeparators): Add early out for single-replacement case. + (JSC::replaceUsingStringSearch): Add global replacement logic, following replaceUsingRegExpSearch. + (JSC::replace): + (JSC::stringProtoFuncReplaceUsingStringSearch): + (JSC::stringProtoFuncReplaceAllUsingStringSearch): Added. + +2019-11-19 Robin Morisset + + [ESNext][BigInt] Add support for op_inc + https://bugs.webkit.org/show_bug.cgi?id=193240 + + Reviewed by Yusuke Suzuki. + + This patch adds support for both ++ and -- on BigInts. 
+ + It required the following secondary changes: + - teaching FixupPhase how to replace it by ArithAdd/ArithSub/ValueAdd/ValueSub when the type is Int32/Double/BigInt + - pulling ObservedResults out of UnaryArithProfile/BinaryArithProfile, so that it can be used by ArithAdd regardless of whether it comes from an Inc or from an Add + - adding the constant 1n to the VM object so that it can be used by FixupPhase since it cannot allocate a new JSValue. + - adding an UnaryArithProfile to op_inc and op_dec, and teaching the llint to update them. + - adding ToNumeric (identity on bigints, same as toNumber on everything else) to all tiers + + * bytecode/ArithProfile.cpp: + (JSC::ArithProfile::shouldEmitSetDouble const): + (JSC::ArithProfile::emitSetDouble const): + (JSC::ArithProfile::shouldEmitSetNonNumeric const): + (JSC::ArithProfile::shouldEmitSetBigInt const): + (JSC::ArithProfile::emitSetNonNumeric const): + (JSC::ArithProfile::emitSetBigInt const): + * bytecode/ArithProfile.h: + (JSC::ObservedResults::ObservedResults): + (JSC::ObservedResults::didObserveNonInt32): + (JSC::ObservedResults::didObserveDouble): + (JSC::ObservedResults::didObserveNonNegZeroDouble): + (JSC::ObservedResults::didObserveNegZeroDouble): + (JSC::ObservedResults::didObserveNonNumeric): + (JSC::ObservedResults::didObserveBigInt): + (JSC::ObservedResults::didObserveInt32Overflow): + (JSC::ObservedResults::didObserveInt52Overflow): + (JSC::ArithProfile::observedResults const): + (JSC::ArithProfile::didObserveNonInt32 const): + (JSC::ArithProfile::didObserveDouble const): + (JSC::ArithProfile::didObserveNonNegZeroDouble const): + (JSC::ArithProfile::didObserveNegZeroDouble const): + (JSC::ArithProfile::didObserveNonNumeric const): + (JSC::ArithProfile::didObserveBigInt const): + (JSC::ArithProfile::didObserveInt32Overflow const): + (JSC::ArithProfile::didObserveInt52Overflow const): + (JSC::ArithProfile::setObservedNonNegZeroDouble): + (JSC::ArithProfile::setObservedNegZeroDouble): + 
(JSC::ArithProfile::setObservedNonNumeric): + (JSC::ArithProfile::setObservedBigInt): + (JSC::ArithProfile::setObservedInt32Overflow): + (JSC::ArithProfile::setObservedInt52Overflow): + (JSC::ArithProfile::observeResult): + * bytecode/BytecodeList.rb: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeIndex): + (JSC::computeDefsForBytecodeIndex): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::unaryArithProfileForPC): + * bytecode/ExitKind.h: + * bytecode/SpeculatedType.h: + (JSC::isInt32SpeculationForArithmetic): + (JSC::isInt32OrBooleanSpeculationForArithmetic): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitUnaryOp): + (JSC::BytecodeGenerator::emitToNumeric): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::emitPostIncOrDec): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::makeSafe): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupToNumeric): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasHeapPrediction): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIncOrDec): + (JSC::DFG::SpeculativeJIT::compileToPrimitive): + (JSC::DFG::SpeculativeJIT::compileToNumeric): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * 
dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileIncOrDec): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITMathIC.h: + (JSC::JITMathIC::generateInline): + * jit/JITMulGenerator.cpp: + (JSC::JITMulGenerator::generateFastPath): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_to_numeric): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_to_numeric): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::inc): + (JSC::JSBigInt::dec): + * runtime/JSBigInt.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2019-11-19 Yusuke Suzuki + + [JSC] MetadataTable::sizeInBytes should not touch m_rawBuffer in UnlinkedMetadataTable unless MetadataTable is linked to that UnlinkedMetadataTable + https://bugs.webkit.org/show_bug.cgi?id=204390 + + Reviewed by Mark Lam. + + We have a race issue here. When calling MetadataTable::sizeInBytes, we call UnlinkedMetadataTable::sizeInBytes since we change the result based on + whether this MetadataTable is linked to this UnlinkedMetadataTable or not. The problem is that we are calling `UnlinkedMetadataTable::totalSize` + unconditionally in UnlinkedMetadataTable::sizeInBytes, and this is touching m_rawBuffer unconditionally. This is not correct since it is possible + that this m_rawBuffer is realloced while we are calling MetadataTable::sizeInBytes in GC thread. + + 1. The GC thread is calling MetadataTable::sizeInBytes for MetadataTable "A". + 2. The main thread is destroying MetadataTable "B". + 3. MetadataTable "B" is linked to UnlinkedMetadataTable "C". + 4. 
MetadataTable "A" is pointing to UnlinkedMetadataTable "C". + 5. "A" is touching UnlinkedMetadataTable::m_rawBuffer in "C", called from MetadataTable::sizeInBytes. + 6. (2) destroys MetadataTable "B", and realloc UnlinkedMetadataTable::m_rawBuffer in "C". + 7. (5) can touch already freed buffer. + + This patch fixes UnlinkedMetadataTable::sizeInBytes: not touching m_rawBuffer unless it is owned by the caller's MetadataTable. We need to call + UnlinkedMetadataTable::sizeInBytes anyway since we need to adjust the result based on whether the caller MetadataTable is linked to this UnlinkedMetadataTable. + + * bytecode/UnlinkedMetadataTableInlines.h: + (JSC::UnlinkedMetadataTable::sizeInBytes): + +2019-11-19 Fujii Hironori + + [JSC] DisallowVMReentry and DeferGC should use WTF::ThreadSpecific instead of using WTF::threadSpecificKeyCreate directly + https://bugs.webkit.org/show_bug.cgi?id=204350 + + Reviewed by Yusuke Suzuki. + + WTF provides two thread specific storages, ThreadSpecific and + threadSpecificKeyCreate. Only DisallowVMReentry and DeferGC were + using the latter. They should use WTF::ThreadSpecific because it + is a useful type-safe wrapper class. + + * heap/DeferGC.cpp: + * heap/DeferGC.h: + (JSC::DisallowGC::initialize): + (JSC::DisallowGC::scopeReentryCount): + (JSC::DisallowGC::setScopeReentryCount): + * runtime/DisallowVMReentry.cpp: + * runtime/DisallowVMReentry.h: + (JSC::DisallowVMReentry::initialize): + (JSC::DisallowVMReentry::scopeReentryCount): + (JSC::DisallowVMReentry::setScopeReentryCount): + +2019-11-19 Yusuke Suzuki + + [JSC] Work-around Leaks' false-positive report about memory leaking + https://bugs.webkit.org/show_bug.cgi?id=204384 + + + Reviewed by Mark Lam. + + According to the radar, Leaks start reporting false-positive memory leaks about ExecutableAllocator and FixedVMPoolExecutableAllocator, + while they are per-process singleton and reachable through g_jscConfig. 
I'm guessing this is because Leaks start skipping scan for + readonly memory region. (g_jscConfig is now mprotected to readonly). + + To work-around this, we anchor these heap allocated things to global variables to help Leaks scan. Once it is fixed, we should remove it. + + * jit/ExecutableAllocator.cpp: + (JSC::ExecutableAllocator::initializeUnderlyingAllocator): + (JSC::ExecutableAllocator::initialize): + +2019-11-18 Mark Lam + + Always enable Optional parse(const char* string) for OS(DARWIN). + https://bugs.webkit.org/show_bug.cgi?id=204333 + + + Reviewed by Yusuke Suzuki. + + On OS(DARWIN), the compiler does not consider size_t and unsigned to be the same + type, even for 32-bit targets. Hence, we need the size_t version of the function + in addition to the unsigned version. + + * runtime/Options.cpp: + (JSC::parse): + +2019-11-18 Devin Rousso + + Web Inspector: Local Resource Overrides: allow substitution based on a url pattern + https://bugs.webkit.org/show_bug.cgi?id=202375 + + Reviewed by Brian Burg. + + Often, websites will load content with a timestamp-based URL query parameter for + cache-busting or logging purposes. If a developer is trying to override these resources (or + is trying to have an existing override also match these resources), they'd need to edit the + local override's URL to match in addition to editing the resource that loads it (e.g. change + the