[webkit-changes] [WebKit/WebKit] 08d505: [WebInspector] Implement runOpenFile for GTK
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 08d5053205be6f3c8ab59c994d3be755c7825fc9
    https://github.com/WebKit/WebKit/commit/08d5053205be6f3c8ab59c994d3be755c7825fc9
Author: Justin Michaud
Date: 2024-07-31 (Wed, 31 Jul 2024)

Changed paths:
  M Source/WTF/wtf/PrintStream.h
  M Source/WebKit/UIProcess/Inspector/gtk/WebInspectorUIProxyGtk.cpp

Log Message:
-----------
[WebInspector] Implement runOpenFile for GTK
https://bugs.webkit.org/show_bug.cgi?id=277358

Reviewed by Michael Catanzaro.

In order to import GC debugging snapshots into WebInspector, the import button needs to work. This patch implements the required callback to launch the file chooser dialog.

* Source/WTF/wtf/PrintStream.h:
* Source/WebKit/UIProcess/Inspector/gtk/WebInspectorUIProxyGtk.cpp:
(WebKit::runOpenPanel):
(WebKit::WebInspectorUIProxy::platformCreateFrontendPage):

Canonical link: https://commits.webkit.org/281647@main

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] a2db78: WASM tail calls should work in OMG tier
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a2db78b8fdbef3caa09cb0165315ef552a073590
    https://github.com/WebKit/WebKit/commit/a2db78b8fdbef3caa09cb0165315ef552a073590
Author: Justin Michaud
Date: 2024-07-18 (Thu, 18 Jul 2024)

Changed paths:
  M JSTests/wasm.yaml
  M JSTests/wasm/stress/cc-int-to-int-tail-call.js
  A JSTests/wasm/stress/simd-tail-call-simple.js
  M JSTests/wasm/stress/simd-tail-calls-throw.js
  A JSTests/wasm/stress/tail-call-double.js
  A JSTests/wasm/stress/tail-call-js-inline.js
  A JSTests/wasm/stress/tail-call-js.js
  A JSTests/wasm/stress/tail-call-simple-int.js
  A JSTests/wasm/stress/tail-call-simple.js
  M JSTests/wasm/stress/tail-call.js
  M Source/JavaScriptCore/assembler/MacroAssembler.cpp
  M Source/JavaScriptCore/assembler/MacroAssembler.h
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
  M Source/JavaScriptCore/jit/CCallHelpers.h
  M Source/JavaScriptCore/llint/WebAssembly.asm
  M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp

Log Message:
-----------
WASM tail calls should work in OMG tier
https://bugs.webkit.org/show_bug.cgi?id=273875

Reviewed by Keith Miller.

Tom's original patch was correct, but we told him to elide moves to temporary storage when they weren't needed. Unfortunately, the current version on ToT clobbers a bunch of important stuff. Let's fix that.

We also fix up LLInt, since it had a bit of bit rot.

Finally, we add a new kind of tail call, a fake tail call, for the case when an inlined call makes a tail call.

There is still more work to be done to ensure that this code is correct; tests for stack traces, inlined calls that clobber instance, and more advanced stack / regalloc situations are all still needed.

* JSTests/wasm/stress/simd-tail-call-simple.js: Added.
* JSTests/wasm/stress/tail-call-js.js: Added.
* JSTests/wasm/stress/tail-call-simple.js: Added.
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:

Canonical link: https://commits.webkit.org/281110@main
[webkit-changes] [WebKit/WebKit] e812e2: Enable JSC_validateOptions on GTK
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e812e22f41af8668b5e38b398307d0ed8857f1ce
    https://github.com/WebKit/WebKit/commit/e812e22f41af8668b5e38b398307d0ed8857f1ce
Author: Justin Michaud
Date: 2024-07-18 (Thu, 18 Jul 2024)

Changed paths:
  M Source/JavaScriptCore/runtime/Options.cpp

Log Message:
-----------
Enable JSC_validateOptions on GTK
https://bugs.webkit.org/show_bug.cgi?id=276741

Reviewed by Yusuke Suzuki.

Running with JSC_validateOptions is useful when debugging; enable this on linux too.

* Source/JavaScriptCore/runtime/Options.cpp:
(JSC::Options::initialize):

Canonical link: https://commits.webkit.org/281106@main
[webkit-changes] [WebKit/WebKit] e76073: Add operation-based jitless wasm entry thunk
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e7607367125042a0211b278c6a5cee43eb7fbdff
    https://github.com/WebKit/WebKit/commit/e7607367125042a0211b278c6a5cee43eb7fbdff
Author: Justin Michaud
Date: 2024-06-28 (Fri, 28 Jun 2024)

Changed paths:
  M JSTests/microbenchmarks/wasm-cc-int-to-int.js
  M JSTests/wasm/lowExecutableMemory/executable-memory-oom.js
  A JSTests/wasm/stress/cc-double-to-double.js
  A JSTests/wasm/stress/cc-f32-kitchen-sink.js
  A JSTests/wasm/stress/cc-float-to-float.js
  A JSTests/wasm/stress/cc-i32-kitchen-sink-neg.js
  M JSTests/wasm/stress/cc-i32-kitchen-sink.js
  A JSTests/wasm/stress/cc-i64-kitchen-sink-neg.js
  A JSTests/wasm/stress/cc-i64-kitchen-sink.js
  M JSTests/wasm/stress/cc-int-to-int-cross-module-with-exception.js
  M JSTests/wasm/stress/cc-int-to-int-cross-module.js
  M JSTests/wasm/stress/cc-int-to-int-jit-to-llint.js
  M JSTests/wasm/stress/cc-int-to-int-memory.js
  M JSTests/wasm/stress/cc-int-to-int-no-jit.js
  M JSTests/wasm/stress/cc-int-to-int-tail-call.js
  M JSTests/wasm/stress/cc-int-to-int.js
  M Source/JavaScriptCore/interpreter/CallFrame.h
  M Source/JavaScriptCore/interpreter/CallFrameInlines.h
  M Source/JavaScriptCore/jit/FPRInfo.h
  M Source/JavaScriptCore/jit/GPRInfo.h
  M Source/JavaScriptCore/llint/InPlaceInterpreter.cpp
  M Source/JavaScriptCore/llint/InPlaceInterpreter.h
  M Source/JavaScriptCore/llint/WebAssembly.asm
  M Source/JavaScriptCore/runtime/Options.cpp
  M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
  M Source/JavaScriptCore/wasm/WasmCallee.cpp
  M Source/JavaScriptCore/wasm/WasmCallee.h
  M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
  M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
  M Source/JavaScriptCore/wasm/WasmOMGPlan.h
  M Source/JavaScriptCore/wasm/WasmOperations.cpp
  M Source/JavaScriptCore/wasm/WasmOperations.h
  M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
  M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h

Log Message:
-----------
Add operation-based jitless wasm entry thunk
https://bugs.webkit.org/show_bug.cgi?id=275397

Reviewed by Yusuke Suzuki.

Previously, we tried to implement jitless wasm entry by interpreting bytecode. It seems way easier to just call into cpp to prepare the frame instead, and the performance difference should not be too big.

* JSTests/wasm/stress/cc-i32-kitchen-sink.js:
* JSTests/wasm/stress/cc-int-to-int-cross-module-with-exception.js:
* JSTests/wasm/stress/cc-int-to-int-cross-module.js:
* JSTests/wasm/stress/cc-int-to-int-jit-to-llint.js:
* JSTests/wasm/stress/cc-int-to-int-memory.js:
* JSTests/wasm/stress/cc-int-to-int-no-jit.js:
* JSTests/wasm/stress/cc-int-to-int-tail-call.js:
* JSTests/wasm/stress/cc-int-to-int.js:
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::JSEntrypointInterpreterCallee::JSEntrypointInterpreterCallee):
(JSC::Wasm::JSEntrypointInterpreterCallee::calleeSaveRegistersImpl):
* Source/JavaScriptCore/wasm/WasmCallee.h:
(JSC::Wasm::jsEntrypointMetadataForGPR): Deleted.
(JSC::Wasm::jsEntrypointMetadataForFPR): Deleted.
(JSC::Wasm::dumpJSEntrypointInterpreterCalleeMetadata): Deleted.
* Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::tryCreateInterpretedJSToWasmCallee):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperations.h:

Canonical link: https://commits.webkit.org/280485@main
[webkit-changes] [WebKit/WebKit] 9dd3ce: Canonicalize wasm options
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9dd3ce144c26c8d10468250e36eebc8e9968716e
    https://github.com/WebKit/WebKit/commit/9dd3ce144c26c8d10468250e36eebc8e9968716e
Author: Justin Michaud
Date: 2024-06-25 (Tue, 25 Jun 2024)

Changed paths:
  M JSTests/wasm/ipint-tests/perf.py
  M JSTests/wasm/stress/cc-int-to-int-cross-module-with-exception.js
  M JSTests/wasm/stress/cc-int-to-int-jit-to-llint.js
  M JSTests/wasm/stress/simd-regalloc-stress-2.js
  M JSTests/wasm/stress/simd-unreachable.js
  M JSTests/wasm/stress/simple-inline-stacktrace-2.js
  M JSTests/wasm/stress/simple-inline-stacktrace-with-catch-2.js
  M JSTests/wasm/stress/tail-call.js
  M JSTests/wasm/v8/adapter-frame.js
  M JSTests/wasm/v8/add-getters.js
  M JSTests/wasm/v8/anyfunc.js
  M JSTests/wasm/v8/array-copy-benchmark.js
  M JSTests/wasm/v8/array-init-from-segment.js
  M JSTests/wasm/v8/asm-wasm-copy.js
  M JSTests/wasm/v8/asm-wasm-deopt.js
  M JSTests/wasm/v8/asm-wasm-exception-in-tonumber.js
  M JSTests/wasm/v8/asm-wasm-expr.js
  M JSTests/wasm/v8/asm-wasm-f32.js
  M JSTests/wasm/v8/asm-wasm-f64.js
  M JSTests/wasm/v8/asm-wasm-heap.js
  M JSTests/wasm/v8/asm-wasm-i32.js
  M JSTests/wasm/v8/asm-wasm-imports.js
  M JSTests/wasm/v8/asm-wasm-literals.js
  M JSTests/wasm/v8/asm-wasm-math-intrinsic.js
  M JSTests/wasm/v8/asm-wasm-memory.js
  M JSTests/wasm/v8/asm-wasm-names.js
  M JSTests/wasm/v8/asm-wasm-stack.js
  M JSTests/wasm/v8/asm-wasm-stdlib.js
  M JSTests/wasm/v8/asm-wasm-switch.js
  M JSTests/wasm/v8/asm-wasm-u32.js
  M JSTests/wasm/v8/asm-wasm.js
  M JSTests/wasm/v8/asm-with-wasm-off.js
  M JSTests/wasm/v8/atomics-non-shared.js
  M JSTests/wasm/v8/atomics-stress.js
  M JSTests/wasm/v8/atomics.js
  M JSTests/wasm/v8/atomics64-stress.js
  M JSTests/wasm/v8/bigint-i64-to-imported-js-func.js
  M JSTests/wasm/v8/bigint-opt.js
  M JSTests/wasm/v8/bigint-rematerialize.js
  M JSTests/wasm/v8/bigint.js
  M JSTests/wasm/v8/bit-shift-right.js
  M JSTests/wasm/v8/bounds-check-64bit.js
  M JSTests/wasm/v8/bounds-check-turbofan.js
  M JSTests/wasm/v8/bulk-memory.js
  M JSTests/wasm/v8/call-ref.js
  M JSTests/wasm/v8/call_indirect.js
  M JSTests/wasm/v8/calls.js
  M JSTests/wasm/v8/code-space-overflow.js
  M JSTests/wasm/v8/committed-code-exhaustion.js
  M JSTests/wasm/v8/compare-exchange-stress.js
  M JSTests/wasm/v8/compare-exchange64-stress.js
  M JSTests/wasm/v8/compilation-hints-async-compilation.js
  M JSTests/wasm/v8/compilation-hints-decoder.js
  M JSTests/wasm/v8/compilation-hints-ignored.js
  M JSTests/wasm/v8/compilation-hints-lazy-validation.js
  M JSTests/wasm/v8/compilation-hints-streaming-compilation.js
  M JSTests/wasm/v8/compilation-hints-streaming-lazy-validation.js
  M JSTests/wasm/v8/compilation-hints-sync-compilation.js
  M JSTests/wasm/v8/compilation-limits-asm.js
  M JSTests/wasm/v8/compilation-limits.js
  M JSTests/wasm/v8/compiled-module-management.js
  M JSTests/wasm/v8/compiled-module-serialization.js
  M JSTests/wasm/v8/data-segments.js
  M JSTests/wasm/v8/disable-trap-handler.js
  M JSTests/wasm/v8/disallow-codegen.js
  M JSTests/wasm/v8/divrem-trap.js
  M JSTests/wasm/v8/element-segments-with-reftypes.js
  M JSTests/wasm/v8/empirical_max_memory.js
  M JSTests/wasm/v8/ensure-wasm-binaries-up-to-date.js
  M JSTests/wasm/v8/errors.js
  M JSTests/wasm/v8/export-global.js
  M JSTests/wasm/v8/export-identity.js
  M JSTests/wasm/v8/export-mutable-global.js
  M JSTests/wasm/v8/export-table.js
  M JSTests/wasm/v8/expose-wasm.js
  M JSTests/wasm/v8/extended-constants.js
  M JSTests/wasm/v8/externref-globals.js
  M JSTests/wasm/v8/externref-table.js
  M JSTests/wasm/v8/externref.js
  M JSTests/wasm/v8/ffi-error.js
  M JSTests/wasm/v8/ffi.js
  M JSTests/wasm/v8/float-constant-folding.js
  M JSTests/wasm/v8/function-names.js
  M JSTests/wasm/v8/function-prototype.js
  M JSTests/wasm/v8/futex.js
  M JSTests/wasm/v8/gc-buffer.js
  M JSTests/wasm/v8/gc-casts-from-any.js
  M JSTests/wasm/v8/gc-casts-invalid.js
  M JSTests/wasm/v8/gc-casts-subtypes.js
  M JSTests/wasm/v8/gc-experimental-string-conversions.js
  M JSTests/wasm/v8/gc-experiments.js
  M JSTests/wasm/v8/gc-frame.js
  M JSTests/wasm/v8/gc-js-interop-async-debugger.js
  M JSTests/wasm/v8/gc-js-interop-collections.js
  M JSTests/wasm/v8/gc-js-interop-export.mjs
  M JSTests/wasm/v8/gc-js-interop-global-constructors.js
  M JSTests/wasm/v8/gc-js-interop-import.mjs
  M JSTests/wasm/v8/gc-js-interop-numeric.js
  M JSTests/wasm/v8/gc-js-interop-objects.js
  M JSTests/wasm/v8/gc-js-interop-wasm.js
  M JSTests/wasm/v8/gc-js-interop.js
  M JSTests/wasm/v8/gc-memory.js
  M JSTests/wasm/v8/gc-nominal.js
  M JSTests/wasm/v8/gc-optimizations.js
  M JSTests/wasm/v8/gc-stress.js
  M JSTests/wasm/v8/gc-typecheck-reducer.js
  M
[webkit-changes] [WebKit/WebKit] 4059ad: Fix Wasm GC bulk-array test
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4059ad2d8fa49984c4f934904d5a7288204b22dd
    https://github.com/WebKit/WebKit/commit/4059ad2d8fa49984c4f934904d5a7288204b22dd
Author: Justin Michaud
Date: 2024-06-25 (Tue, 25 Jun 2024)

Changed paths:
  M JSTests/wasm/gc-spec-tests/type-subtyping.wast.js
  M JSTests/wasm/gc/bulk-array.js
  M Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp
  M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
  M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
  M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
  M Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp
  M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
  M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
  M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
  M Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp
  M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp

Log Message:
-----------
Fix Wasm GC bulk-array test
https://bugs.webkit.org/show_bug.cgi?id=275858

Reviewed by Yusuke Suzuki.

We were missing some .expand(), and a float->i32 cast, causing bulk-array to fail in OMG.

We expand a type signature to turn it from a recursion group into a FunctionSignature. We need to do this everywhere we may see a GC-enabled type, although the tests don't seem to stress this very much. Some of these expand()s are not strictly needed to fix this test, but I predict that they may be the cause of some of the other flaky failures. Logically we should be expanding function signatures in these places anyway.

* JSTests/wasm/gc-spec-tests/type-subtyping.wast.js:
* JSTests/wasm/gc/bulk-array.js:
* Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp:
(JSC::B3::PatchpointSpecial::generate):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::compileFunction):
(JSC::Wasm::BBQPlan::didCompleteCompilation):
* Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp:
(JSC::Wasm::IPIntPlan::compileFunction):
* Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::compileFunction):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::addArrayFill):
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp:
(JSC::Wasm::OSREntryPlan::work):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeInformation::castReference):

Canonical link: https://commits.webkit.org/280348@main
[webkit-changes] [WebKit/WebKit] 5f2636: Make it harder to use roundUpToMultipleOf wrong by...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5f263646ba7e0316cf5a77f21eb89a9f5eb95243
    https://github.com/WebKit/WebKit/commit/5f263646ba7e0316cf5a77f21eb89a9f5eb95243
Author: Justin Michaud
Date: 2024-06-24 (Mon, 24 Jun 2024)

Changed paths:
  M Source/JavaScriptCore/b3/air/AirCCallingConvention.cpp
  M Source/JavaScriptCore/b3/air/AirCode.cpp
  M Source/JavaScriptCore/b3/air/AirCode.h
  M Source/JavaScriptCore/b3/air/AirStackAllocation.cpp
  M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
  M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
  M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
  M Source/JavaScriptCore/jit/JITCall.cpp
  M Source/JavaScriptCore/jit/ScratchRegisterAllocator.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.h
  M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT64.h
  M Source/JavaScriptCore/wasm/WasmCallingConvention.h
  M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
  M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
  M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
  M Source/JavaScriptCore/wasm/WasmThunks.cpp
  M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
  M Source/JavaScriptCore/wasm/js/WasmToJS.cpp
  M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

Log Message:
-----------
Make it harder to use roundUpToMultipleOf wrong by using template argument for alignment
https://bugs.webkit.org/show_bug.cgi?id=275738

Reviewed by Darin Adler.

It is easy to get the order of these parameters wrong otherwise, so we adopt the template argument whenever we round up for stack alignment.

* Source/JavaScriptCore/b3/air/AirCCallingConvention.cpp:
(JSC::B3::Air::computeCCallingConvention):
* Source/JavaScriptCore/b3/air/AirCode.cpp:
(JSC::B3::Air::Code::addStackSlot):
* Source/JavaScriptCore/b3/air/AirCode.h:
(JSC::B3::Air::Code::requestCallArgAreaSizeInBytes):
* Source/JavaScriptCore/b3/air/AirStackAllocation.cpp:
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheCompiler::generateAccessCase):
(JSC::InlineCacheCompiler::emitProxyObjectAccess):
(JSC::getByIdGetterHandler):
(JSC::getByIdProxyObjectLoadHandler):
(JSC::putByIdSetterHandlerImpl):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
(JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
* Source/JavaScriptCore/jit/JITCall.cpp:
(JSC::JIT::compileSetupFrame):
* Source/JavaScriptCore/jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::preserveRegistersToStackForCall):
(JSC::ScratchRegisterAllocator::restoreRegistersFromStackForCall):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addThrow):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCall):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitIndirectCall):
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::alignedFrameSize const):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCallRef):
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.h:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitCCall):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::alignedFrameSize const):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCallRef):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.h:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitCCall):
* Source/JavaScriptCore/wasm/WasmCallingConvention.h:
(JSC::Wasm::WasmCallingConvention::callInformationFor const):
(JSC::Wasm::CCallingConventionArmThumb2::callInformationFor const):
* Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::tryCreateInterpretedJSToWasmCallee):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::computeStackCheckSize):
(JSC::Wasm::OMGIRGenerator::emitIndirectCall):
(JSC::Wasm::OMGIRGenerator::createTailCallPatchpoint):
(JSC::Wasm::OMGIRGenerator::addCall):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::computeStackCheckSize):
(JSC::Wasm::OMGIRGenerator::emitIndirectCall):
(JSC::Wasm::OMGIRGenerator::createTailCallPatchpoint):
(JSC::Wasm::OMGIRGenerator::addCall):
* Source/JavaScriptCore/wasm/WasmThunks.cpp:
(JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper
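The commit above argues that a runtime `roundUpToMultipleOf(divisor, value)` call is easy to misuse because both arguments have the same type, so a swapped pair compiles silently and yields a misaligned frame size. The block below is an added illustration written for this page, not code from WebKit or WTF: the two `roundUpToMultipleOf` overloads are simplified stand-ins with the same shape as the ones the commit message refers to, and `stackAlignmentBytes`, `correctFrameSize`, `swappedFrameSize`, `templateFrameSize` and `isStackAligned` are names chosen for the example. It shows the silent failure of the runtime form and how the template form makes the mistake unexpressible and checks the alignment at compile time.

```cpp
#include <cstddef>
#include <cstdint>

// Runtime-divisor form. Both parameters are plain integers, so a caller who
// writes the value first and the alignment second gets no diagnostic.
template<typename T>
constexpr T roundUpToMultipleOf(size_t divisor, T x)
{
    T remainder = x % static_cast<T>(divisor);
    return remainder ? x + static_cast<T>(divisor) - remainder : x;
}

// Template-divisor form. The alignment is a compile-time constant at the call
// site, there is only one runtime argument left, and a non-power-of-two
// alignment is rejected when the template is instantiated.
template<size_t divisor, typename T>
constexpr T roundUpToMultipleOf(T x)
{
    static_assert(divisor && !(divisor & (divisor - 1)), "alignment must be a power of two");
    return (x + static_cast<T>(divisor - 1)) & ~static_cast<T>(divisor - 1);
}

// Assumed stack alignment for this example (the common 16-byte ABI requirement).
constexpr size_t stackAlignmentBytes = 16;

// A hypothetical 40-byte frame rounded up for stack alignment: 40 -> 48.
constexpr size_t correctFrameSize()
{
    return roundUpToMultipleOf(stackAlignmentBytes, size_t(40));
}

// The same call with the arguments swapped. It rounds the alignment (16) up to
// a multiple of the frame size (40) and returns 40, which is not 16-byte
// aligned. A JIT that emitted a frame of this size would have a stack pointer
// off by 8 from what aligned stores and callees expect.
constexpr size_t swappedFrameSize()
{
    return roundUpToMultipleOf(size_t(40), stackAlignmentBytes);
}

// The template form cannot be called with the arguments swapped, because the
// alignment is not an argument at all.
constexpr size_t templateFrameSize()
{
    return roundUpToMultipleOf<stackAlignmentBytes>(size_t(40));
}

constexpr bool isStackAligned(size_t bytes)
{
    return bytes % stackAlignmentBytes == 0;
}
```

Because every function is `constexpr`, the misaligned result of the swapped call is visible at compile time as well, which is the property the commit is after: the only version that accepts two arguments is the one with the swap hazard, and the codebase stops using it for stack alignment.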
[webkit-changes] [WebKit/WebKit] b7c62d: Handler IC build fix for armv7
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b7c62d71ee8f97b70918f9c3b0882e0dd705e1a6
    https://github.com/WebKit/WebKit/commit/b7c62d71ee8f97b70918f9c3b0882e0dd705e1a6
Author: Justin Michaud
Date: 2024-06-22 (Sat, 22 Jun 2024)

Changed paths:
  M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
  M Source/JavaScriptCore/jit/GPRInfo.h

Log Message:
-----------
Handler IC build fix for armv7
https://bugs.webkit.org/show_bug.cgi?id=275762

Reviewed by Yusuke Suzuki.

If the register set has overlap, then the scratch register allocator allocates everything as r0. We fix that and pick a register for the handler ICs that is least likely to overlap with a desired argument register on armv7.

* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
* Source/JavaScriptCore/jit/GPRInfo.h:

Canonical link: https://commits.webkit.org/280283@main
[webkit-changes] [WebKit/WebKit] 36e90e: Enable offline asm alt entries on linux and on deb...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 36e90ed8d1ae8d0955f24a1916375e0fbd1c3d7d
    https://github.com/WebKit/WebKit/commit/36e90ed8d1ae8d0955f24a1916375e0fbd1c3d7d
Author: Justin Michaud
Date: 2024-06-21 (Fri, 21 Jun 2024)

Changed paths:
  M Source/WTF/wtf/PlatformEnable.h

Log Message:
-----------
Enable offline asm alt entries on linux and on debug builds
https://bugs.webkit.org/show_bug.cgi?id=275643

Reviewed by Yusuke Suzuki.

On versions of clang and gcc that do not relocate offline asm symbols improperly, we should enable alt entries to make debugging easier. Also, since at-desk debug builds seem to work fine, enable them there too.

* Source/WTF/wtf/PlatformEnable.h:

Canonical link: https://commits.webkit.org/280250@main
[webkit-changes] [WebKit/WebKit] d152fc: Fix run-jsc-stress-tests after 279634@main
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d152fc95b00841485888a44f4097891e2dede556
    https://github.com/WebKit/WebKit/commit/d152fc95b00841485888a44f4097891e2dede556
Author: Justin Michaud
Date: 2024-06-21 (Fri, 21 Jun 2024)

Changed paths:
  M Tools/Scripts/run-jsc-stress-tests

Log Message:
-----------
Fix run-jsc-stress-tests after 279634@main
https://bugs.webkit.org/show_bug.cgi?id=275697

Reviewed by Yusuke Suzuki.

At-desk stress test runs became broken after https://commits.webkit.org/279634@main

* Tools/Scripts/run-jsc-stress-tests:

Canonical link: https://commits.webkit.org/280249@main
[webkit-changes] [WebKit/WebKit] 659d03: Add libbacktrace support to JSCOnly port
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 659d0385e3f6c2dfba598d8ee3d4b776758e831f
    https://github.com/WebKit/WebKit/commit/659d0385e3f6c2dfba598d8ee3d4b776758e831f
Author: Justin Michaud
Date: 2024-05-30 (Thu, 30 May 2024)

Changed paths:
  M Source/JavaScriptCore/PlatformJSCOnly.cmake
  M Source/WTF/wtf/PlatformJSCOnly.cmake
  M Source/cmake/OptionsJSCOnly.cmake

Log Message:
-----------
Add libbacktrace support to JSCOnly port
https://bugs.webkit.org/show_bug.cgi?id=273770

Reviewed by Yusuke Suzuki, Elliott Williams and Carlos Alberto Lopez Perez.

This makes WTFReportBacktrace() work properly, and matches the WPE and GTK ports.

* Source/JavaScriptCore/PlatformJSCOnly.cmake:
* Source/WTF/wtf/PlatformJSCOnly.cmake:
* Source/cmake/OptionsJSCOnly.cmake:

Canonical link: https://commits.webkit.org/279501@main
[webkit-changes] [WebKit/WebKit] 7a1fe3: Avoid saving extra register for IPInt JS->Wasm wra...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7a1fe31ef5a7a4ebdbf52c296d76189fad22dd78
    https://github.com/WebKit/WebKit/commit/7a1fe31ef5a7a4ebdbf52c296d76189fad22dd78
Author: Justin Michaud
Date: 2024-05-29 (Wed, 29 May 2024)

Changed paths:
  M JSTests/wasm/stress/cc-i32-kitchen-sink.js
  M JSTests/wasm/stress/cc-int-to-int-cross-module-with-exception.js
  M JSTests/wasm/stress/cc-int-to-int-cross-module.js
  M JSTests/wasm/stress/cc-int-to-int-memory.js
  M JSTests/wasm/stress/cc-int-to-int-no-jit.js
  M JSTests/wasm/stress/cc-int-to-int-tail-call.js
  M JSTests/wasm/stress/cc-int-to-int.js
  M Source/JavaScriptCore/jit/RegisterSet.cpp
  M Source/JavaScriptCore/llint/InPlaceInterpreter.cpp
  M Source/JavaScriptCore/llint/WebAssembly.asm
  M Source/JavaScriptCore/runtime/InitializeThreading.cpp
  M Source/JavaScriptCore/runtime/Options.cpp
  M Source/JavaScriptCore/runtime/OptionsList.h
  M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
  M Source/JavaScriptCore/wasm/WasmCallee.cpp
  M Source/JavaScriptCore/wasm/WasmCallee.h
  M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp

Log Message:
-----------
Avoid saving extra register for IPInt JS->Wasm wrappers.
https://bugs.webkit.org/show_bug.cgi?id=274043

Reviewed by Keith Miller and Yusuke Suzuki.

Adding this register to the pinned register set causes a bunch of places to save it. We should just spill it inside the JS->WASM interpreted entry thunk.

* Source/JavaScriptCore/jit/RegisterSet.cpp:
(JSC::RegisterSetBuilder::wasmPinnedRegisters):
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::JSEntrypointInterpreterCallee::calleeSaveRegistersImpl):
* Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::makeInterpretedJSToWasmCallee):

Canonical link: https://commits.webkit.org/279435@main
[webkit-changes] [WebKit/WebKit] 326ac9: Fix ARMv7 silent spills
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 326ac9397cf30659d60157e5b18e08ceb682785d
    https://github.com/WebKit/WebKit/commit/326ac9397cf30659d60157e5b18e08ceb682785d
Author: Justin Michaud
Date: 2024-05-28 (Tue, 28 May 2024)

Changed paths:
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
  M Source/JavaScriptCore/runtime/MapPrototype.cpp

Log Message:
-----------
Fix ARMv7 silent spills
https://bugs.webkit.org/show_bug.cgi?id=274770

Reviewed by Keith Miller.

After https://commits.webkit.org/279031@main and https://commits.webkit.org/279337@main, we saw some armv7 test failures. These changes match the 64-bit port.

* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compileGetByVal):
(JSC::DFG::SpeculativeJIT::compile):
* Source/JavaScriptCore/runtime/MapPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/279383@main
[webkit-changes] [WebKit/WebKit] 251a60: Fix dfg-ai-direct-get-by-id-attribute-change-trans...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 251a60a7bce609e41f83faf86e50c9e25aa1cc7e
    https://github.com/WebKit/WebKit/commit/251a60a7bce609e41f83faf86e50c9e25aa1cc7e
Author: Justin Michaud
Date: 2024-05-23 (Thu, 23 May 2024)

Changed paths:
  M JSTests/stress/dfg-ai-direct-get-by-id-attribute-change-transition.js

Log Message:
-----------
Fix dfg-ai-direct-get-by-id-attribute-change-transition.js on armv7
https://bugs.webkit.org/show_bug.cgi?id=274589

Reviewed by Yusuke Suzuki.

* JSTests/stress/dfg-ai-direct-get-by-id-attribute-change-transition.js:
(getStructureID):

Canonical link: https://commits.webkit.org/279221@main
[webkit-changes] [WebKit/WebKit] c88311: Refactor OMG call patchpoint and tail call patchpoint
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c88311640e5fed73c815ddc6e06c4575b4364fcf
    https://github.com/WebKit/WebKit/commit/c88311640e5fed73c815ddc6e06c4575b4364fcf
Author: Justin Michaud
Date: 2024-05-21 (Tue, 21 May 2024)

Changed paths:
  A JSTests/wasm/stress/cc-int-to-int-tail-call.js
  M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
  M Source/JavaScriptCore/runtime/Options.cpp
  M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
  M Source/JavaScriptCore/wasm/js/WasmToJS.cpp

Log Message:
-----------
Refactor OMG call patchpoint and tail call patchpoint
https://bugs.webkit.org/show_bug.cgi?id=273823

Reviewed by Yusuke Suzuki.

The wasm tail calls feature does not currently work when the new frame overlaps the old frame in interesting ways, so the tail calls tests were disabled. Then, OMG inlining broke tail calls, causing an assertion failure.

This patch does not fix tail calls, but it does fix that assertion. It also refactors both versions of create[Tail]CallPatchpoint to look the same. This makes it a little nicer to read, but more importantly, it makes it easier for a follow-up patch to fix OMG tail calls. The main reason for this change is so that the follow-up patch is easier to read.

* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::emitIndirectCall):
(JSC::Wasm::OMGIRGenerator::createCallPatchpoint):
(JSC::Wasm::OMGIRGenerator::createTailCallPatchpoint):
(JSC::Wasm::OMGIRGenerator::addCall):

Canonical link: https://commits.webkit.org/279055@main
[webkit-changes] [WebKit/WebKit] 451b7c: Add my igalia email to contributors.json
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 451b7c7c97bd7c2ad7bd5a2918020ac039334145
    https://github.com/WebKit/WebKit/commit/451b7c7c97bd7c2ad7bd5a2918020ac039334145
Author: Justin Michaud
Date: 2024-05-20 (Mon, 20 May 2024)

Changed paths:
  M metadata/contributors.json

Log Message:
-----------
Add my igalia email to contributors.json
https://bugs.webkit.org/show_bug.cgi?id=274162

Unreviewed.

* metadata/contributors.json:

Canonical link: https://commits.webkit.org/278990@main
[webkit-changes] [WebKit/WebKit] 31319e: Difference in semantics between jsTypeStringForVal...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 31319e7a0b96c61cd61e17377adc648e4b8b5692
    https://github.com/WebKit/WebKit/commit/31319e7a0b96c61cd61e17377adc648e4b8b5692
Author: Justin Michaud
Date: 2024-05-16 (Thu, 16 May 2024)

Changed paths:
  A JSTests/stress/getter-setter-ai.js
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
  M Source/JavaScriptCore/runtime/Operations.cpp

Log Message:
---
Difference in semantics between jsTypeStringForValueWithConcurrency and buildTypeOf
https://bugs.webkit.org/show_bug.cgi?id=270659
rdar://124116542

Reviewed by Yusuke Suzuki.

Consider the given test case:

Object1: 0x3bba0 %DL (should never getByOffset p3 of this, it is a GetterSetter)
Object2: 0x3bc10 %DS (p3 is fine)

Before LICM:

  32 0 40: D@26: FilterGetByStatus(Check:Untyped:D@7, MustGen, (Simple, , seenInJIT = true), W:SideState, bc#4, ExitValid)
  33 0 40: D@15: AssertNotEmpty(Check:Untyped:D@7, MustGen, W:SideState, Exits, bc#4, ExitValid)
  34 0 40: D@28: CheckStructure(Cell:D@7, MustGen, [%DS:Function, %DL:Function], R:JSCell_structureID, Exits, bc#4, ExitValid)
  35 0 40: D@29:< 2:-> GetButterfly(Cell:D@7, Storage|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Other, R:JSObject_butterfly, bc#4, ExitValid)
  36 0 40: D@30:< 1:-> GetByOffset(Check:Untyped:D@29, KnownCell:D@7, JS|PureInt, Int32, id0{p1}, 64, R:NamedProperties(0), bc#4, ExitValid) predicting Int32
  ...
  branching
  6 7 40: D@87: FilterGetByStatus(Check:Untyped:D@7, MustGen, (Simple, , seenInJIT = true), W:SideState, bc#45, ExitValid)
  7 7 40: D@89: CheckStructure(Cell:D@7, MustGen, [%DS:Function], R:JSCell_structureID, Exits, bc#45, ExitValid)
  8 7 40: D@91:< 2:-> GetByOffset(Check:Untyped:D@29, KnownCell:D@7, JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, BoolInt32, id3{p3}, 66, R:NamedProperties(3), bc#45, ExitValid) predicting BoolInt32
  11 7 40: D@94:< 2:-> TypeOf(Check:Untyped:Kill:D@91, JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, StringIdent, Exits, bc#51, ExitValid)

Note that we never get p3 of DL

After LICM blind hoist:

  34 0 41: D@28:CheckStructure(Cell:D@7, MustGen, [%DS:Function, %DL:Function], R:JSCell_structureID, Exits, bc#4, ExitValid)
  35 0 41: D@29:< 2:->GetButterfly(Cell:D@7, Storage|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Other, R:JSObject_butterfly, bc#4, ExitValid)
  36 0 41: D@30:< 1:->GetByOffset(Check:Untyped:D@29, KnownCell:D@7, JS|PureInt, Int32, id0{p1}, 64, R:NamedProperties(0), bc#4, ExitValid) predicting Int32
  44 0 41: D@48:CheckIsConstant(Cell:D@7, MustGen, <0x13908f140, Function>, object1#B5FU55/:[0x13909da00], Exits, bc#25, exit: bc#17, ExitValid, WasHoisted)
  45 0 41: D@91:< 2:->GetByOffset(Check:Untyped:D@29, KnownCell:D@7, JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, BoolInt32, id3{p3}, 66, R:NamedProperties(3), bc#45, exit: bc#17, ExitValid) predicting BoolInt32
  46 0 41: D@94:< 2:->TypeOf(Check:Untyped:Kill:D@91, JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, StringIdent, Exits, bc#51, exit: bc#17, ExitValid, WasHoisted)

The GetByOffset is hoisted without its guarding CheckStructure, and it accesses p3 unexpectedly. SafeToExecute says it is safe because it won't crash or produce a malformed JSValue. Honestly, fair.

This patch fixes the semantic difference between AI and runtime for GetterSetter objects.

Stopping the GetterSetter from being hoisted may be too costly and restrictive, and it doesn't get leaked anyway. The string result (which was [object] but is now [symbol]) doesn't really matter, it should never leak to user code anyway. Even if it does, it is just a string.

* JSTests/stress/getter-setter-ai.js: Added.
(opt):
(watchP3.cache):
(watchP3):
(main.let.object1):
(main.let.object2):
(main):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/runtime/Operations.cpp:
(JSC::jsTypeStringForValueWithConcurrency):

Originally-landed-as: 272448.708@safari-7618-branch (b42cc4168b71). rdar://128089110
Canonical link: https://commits.webkit.org/278868@main
[webkit-changes] [WebKit/WebKit] fc8a91: GetWebAssemblyInstanceExports nodes should not be ...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fc8a911ed08115172c50eac41b9ced4e3415d234
    https://github.com/WebKit/WebKit/commit/fc8a911ed08115172c50eac41b9ced4e3415d234
Author: Justin Michaud
Date: 2024-05-16 (Thu, 16 May 2024)

Changed paths:
  A JSTests/stress/hoist-get-wasm-exports.js
  M Source/JavaScriptCore/dfg/DFGSafeToExecute.h

Log Message:
---
GetWebAssemblyInstanceExports nodes should not be blindly hoisted
https://bugs.webkit.org/show_bug.cgi?id=270259
rdar://123617167

Reviewed by Alexey Shvayka.

GetWebAssemblyInstanceExports nodes should not be blindly hoisted above their structure check.

```
case WebAssemblyInstanceExportsIntrinsic:
    ...
    addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.structureSet())), thisNode);
    set(result, addToGraph(GetWebAssemblyInstanceExports, Edge(thisNode, KnownCellUse)));
```

Similar to GetByOffset, we should only hoist this node if we have proven that the child has the structure of a WebAssembly Instance.

* JSTests/stress/hoist-get-wasm-exports.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):

Originally-landed-as: 272448.653@safari-7618-branch (f6e2c3bb0a72). rdar://128090197
Canonical link: https://commits.webkit.org/278866@main
[webkit-changes] [WebKit/WebKit] 09d85c: [cocoa] Explicitly check the file extension for we...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 09d85cb271e93516c5f1e8bd00898394683772c3
    https://github.com/WebKit/WebKit/commit/09d85cb271e93516c5f1e8bd00898394683772c3
Author: Matthew Finkel
Date: 2024-05-15 (Wed, 15 May 2024)

Changed paths:
  M Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm

Log Message:
---
[cocoa] Explicitly check the file extension for webarchives when deciding quarantine
https://bugs.webkit.org/show_bug.cgi?id=271793
rdar://123902597

Reviewed by Brent Fulgham and Sihui Liu.

Currently we only check the string suffix to see if the requested file path is a webarchive, but this isn't sufficient because the file extension isn't guaranteed to be at the end of the string. This patch parses the string as a file URL and then checks the file extension.

* Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm:
(WebKit::WebPageProxy::isQuarantinedAndNotUserApproved):

Originally-landed-as: 272448.832@safari-7618-branch (61f821826ece). rdar://128085972
Canonical link: https://commits.webkit.org/278838@main

Commit: ea17d49efaade98f0f494de085a44bff77d5be07
    https://github.com/WebKit/WebKit/commit/ea17d49efaade98f0f494de085a44bff77d5be07
Author: Charlie Wolfe
Date: 2024-05-15 (Wed, 15 May 2024)

Changed paths:
  A LayoutTests/ipc/validate-media-constraint-expected.txt
  A LayoutTests/ipc/validate-media-constraint.html
  M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

Log Message:
---
Add IPC validation for `WebCore::MediaConstraint`
https://bugs.webkit.org/show_bug.cgi?id=271816
rdar://125343106

Reviewed by Pascoe.

* LayoutTests/ipc/validate-media-constraint-expected.txt: Added.
* LayoutTests/ipc/validate-media-constraint.html: Added.
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

Originally-landed-as: 272448.817@safari-7618-branch (a734205bc9a9). rdar://128087364
Canonical link: https://commits.webkit.org/278839@main

Commit: 475e0f544b6f8c97cf9506650cf144cb124d375c
    https://github.com/WebKit/WebKit/commit/475e0f544b6f8c97cf9506650cf144cb124d375c
Author: Charlie Wolfe
Date: 2024-05-15 (Wed, 15 May 2024)

Changed paths:
  A LayoutTests/ipc/dirty-region-overflow-expected.txt
  A LayoutTests/ipc/dirty-region-overflow.html
  M Source/WebCore/platform/graphics/Region.cpp
  M Source/WebCore/platform/graphics/Region.h
  M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

Log Message:
---
Add IPC validation for `WebCore::Region::Shape`
https://bugs.webkit.org/show_bug.cgi?id=271741
rdar://125348548

Reviewed by Matt Woodrow.

* LayoutTests/ipc/dirty-region-overflow-expected.txt: Added.
* LayoutTests/ipc/dirty-region-overflow.html: Added.
* Source/WebCore/platform/graphics/Region.cpp:
(WebCore::Region::Shape::isValid const):
* Source/WebCore/platform/graphics/Region.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

Originally-landed-as: 272448.816@safari-7618-branch (63e5787d715c). rdar://128087353
Canonical link: https://commits.webkit.org/278840@main

Commit: ab0d7793f15cf087af2e8d0f1508152881a2187b
    https://github.com/WebKit/WebKit/commit/ab0d7793f15cf087af2e8d0f1508152881a2187b
Author: Kimmo Kinnunen
Date: 2024-05-15 (Wed, 15 May 2024)

Changed paths:
  M Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.cpp
  M Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.h
  M Tools/TestWebKitAPI/Tests/WebCore/cocoa/TestGraphicsContextGLCocoa.mm

Log Message:
---
GraphicsContextGLANGLE does not validate clearBuffers value length
https://bugs.webkit.org/show_bug.cgi?id=271634
rdar://125222153

Reviewed by Dan Glastonbury.

Avoid passing too long or small arrays as GL_clearBuffer*v values.

* Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.cpp:
(WebCore::GraphicsContextGLANGLE::clearBufferiv):
(WebCore::GraphicsContextGLANGLE::clearBufferuiv):
(WebCore::GraphicsContextGLANGLE::clearBufferfv):
(WebCore::GraphicsContextGLANGLE::validateClearBufferv):
* Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.h:
* Tools/TestWebKitAPI/Tests/WebCore/cocoa/TestGraphicsContextGLCocoa.mm:
(TestWebKitAPI::TEST_F):

Originally-landed-as: 272448.803@safari-7618-branch (89ee93bd2ea4). rdar://128087675
Canonical link: https://commits.webkit.org/278841@main

Commit: d7a70fb281247e8baeba6030d69b58b2126b022a
    https://github.com/WebKit/WebKit/commit/d7a70fb281247e8baeba6030d69b58b2126b022a
Author: Justin Michaud
Date: 2024-05-15 (Wed, 15 May 2024)

Changed paths:
  A JSTests/stress/get-by-val-hoist-above-structure-2.js
  A JSTests/stress/get-by-val-hoist-above-structure.js
  M LayoutTests/platform/mac/TestExpectations
  M Source/JavaScriptCore/dfg/DFGBasicBlock.h
  M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
  M Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp
  M Source/JavaScriptCore/dfg
[webkit-changes] [WebKit/WebKit] 1ea4ef: SBFX should not allow imm overflow
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1ea4ef8127276fd00ca43ffcb22bed162072abde
    https://github.com/WebKit/WebKit/commit/1ea4ef8127276fd00ca43ffcb22bed162072abde
Author: Justin Michaud
Date: 2024-05-15 (Wed, 15 May 2024)

Changed paths:
  A JSTests/stress/sbfx-offset-overflow.js
  M Source/JavaScriptCore/b3/B3LowerToAir.cpp

Log Message:
---
SBFX should not allow imm overflow
https://bugs.webkit.org/show_bug.cgi?id=271491
rdar://125127373

Reviewed by Yusuke Suzuki.

These isel patterns should be a bit more careful with overflow.

* JSTests/stress/sbfx-offset-overflow.js: Added.
(foo):
* Source/JavaScriptCore/b3/B3LowerToAir.cpp:

Originally-landed-as: 272448.797@safari-7618-branch (d7ad67d3fe10). rdar://128087738
Canonical link: https://commits.webkit.org/278819@main
[webkit-changes] [WebKit/WebKit] b15662: Enable llint alt entries on linux
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b1566212665ffbd1f258ffc50fe4075baeb1f3e6
    https://github.com/WebKit/WebKit/commit/b1566212665ffbd1f258ffc50fe4075baeb1f3e6
Author: Justin Michaud
Date: 2024-05-15 (Wed, 15 May 2024)

Changed paths:
  M Source/WTF/wtf/PlatformEnable.h

Log Message:
---
Enable llint alt entries on linux
https://bugs.webkit.org/show_bug.cgi?id=274160

Reviewed by Yusuke Suzuki.

I have not seen any evidence that this linker bug affected linux toolchains, so let's try enabling linux alt entries.

* Source/WTF/wtf/PlatformEnable.h:

Canonical link: https://commits.webkit.org/278801@main
[webkit-changes] [WebKit/WebKit] 058806: Cherry-pick ea1cc85f82ed. rdar://125040242
Networking process, since notification changes are only being pushed to the WebContent process.

* Source/WTF/wtf/spi/darwin/XPCSPI.h:
* Source/WebKit/Scripts/process-entitlements.sh:
* Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm:
(WebKit::shouldRestrictNotifyd):
(WebKit::setNotifyOptions):

Canonical link: https://commits.webkit.org/276376@main
Identifier: 276246.10@safari-7619.1.6-branch

Commit: 0c73ca746576d2e54ad20426870ca352668994c7
    https://github.com/WebKit/WebKit/commit/0c73ca746576d2e54ad20426870ca352668994c7
Author: Myah Cobbs
Date: 2024-03-22 (Fri, 22 Mar 2024)

Changed paths:
  M Configurations/Version.xcconfig

Log Message:
---
Versioning.

WebKit-619.1.6.2

Identifier: 276246.11@safari-7619.1.6-branch

Commit: 1c151e692e6b8658cc8247e73f8e0ec9b0c22115
    https://github.com/WebKit/WebKit/commit/1c151e692e6b8658cc8247e73f8e0ec9b0c22115
Author: Myah Cobbs
Date: 2024-03-25 (Mon, 25 Mar 2024)

Changed paths:
  M Configurations/Version.xcconfig

Log Message:
---
Versioning.

WebKit-619.1.6.3

Identifier: 276246.12@safari-7619.1.6-branch

Commit: f093af5b10b086b48c02ad37f27638e03a60d216
    https://github.com/WebKit/WebKit/commit/f093af5b10b086b48c02ad37f27638e03a60d216
Author: Justin Michaud
Date: 2024-03-25 (Mon, 25 Mar 2024)

Changed paths:
  M Source/JavaScriptCore/Configurations/Base.xcconfig
  M Source/WTF/wtf/PlatformUse.h
  M Source/WebCore/Configurations/WebCore.xcconfig

Log Message:
---
Cherry-pick 5a21270b8270. rdar://125362649

Revert BECore cleanup.
https://bugs.webkit.org/show_bug.cgi?id=271661
rdar://125362649

Reviewed by Wenson Hsieh.

This broke some builds.

* Source/JavaScriptCore/Configurations/Base.xcconfig:
* Source/WTF/wtf/PlatformUse.h:
* Source/WebCore/Configurations/WebCore.xcconfig:

Canonical link: https://commits.webkit.org/276634@main
Identifier: 276246.13@safari-7619.1.6-branch

Compare: https://github.com/WebKit/WebKit/compare/058806879e07%5E...f093af5b10b0
[webkit-changes] [WebKit/WebKit] 60f3e4: [JSC] (Re-land 2) Add aligned label annotation to ...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 60f3e42f749884b3dad3d737097f5b3211bd870b
    https://github.com/WebKit/WebKit/commit/60f3e42f749884b3dad3d737097f5b3211bd870b
Author: Justin Michaud
Date: 2024-05-14 (Tue, 14 May 2024)

Changed paths:
  M Source/JavaScriptCore/llint/InPlaceInterpreter.asm
  M Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
  M Source/JavaScriptCore/offlineasm/asm.rb
  M Source/JavaScriptCore/offlineasm/ast.rb
  M Source/JavaScriptCore/offlineasm/backends.rb
  M Source/JavaScriptCore/offlineasm/parser.rb
  M Source/JavaScriptCore/offlineasm/transform.rb

Log Message:
---
[JSC] (Re-land 2) Add aligned label annotation to offlineasm
https://bugs.webkit.org/show_bug.cgi?id=273138

Reviewed by Yusuke Suzuki.

In https://commits.webkit.org/277134@main, I tried to re-land Max's patch to add aligned label annotations to offlineasm. It also broke PGO+LTO Production macOS builds. This patch removes most of the uses of this new annotation, and hopefully won't break things this time.

* Source/JavaScriptCore/llint/InPlaceInterpreter.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:
* Source/JavaScriptCore/offlineasm/asm.rb:
* Source/JavaScriptCore/offlineasm/ast.rb:
* Source/JavaScriptCore/offlineasm/backends.rb:
* Source/JavaScriptCore/offlineasm/parser.rb:
* Source/JavaScriptCore/offlineasm/transform.rb:

Canonical link: https://commits.webkit.org/278753@main
[webkit-changes] [WebKit/WebKit] dd78bd: Restore constexpr after build fix for 278486@main
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dd78bd9548b7ec75b286a16d21760254bec0f437
    https://github.com/WebKit/WebKit/commit/dd78bd9548b7ec75b286a16d21760254bec0f437
Author: Justin Michaud
Date: 2024-05-13 (Mon, 13 May 2024)

Changed paths:
  M Source/JavaScriptCore/runtime/JSONObject.cpp

Log Message:
---
Restore constexpr after build fix for 278486@main
https://bugs.webkit.org/show_bug.cgi?id=274096

Reviewed by Yusuke Suzuki.

* Source/JavaScriptCore/runtime/JSONObject.cpp:
(JSC::FastStringifier::append):

Canonical link: https://commits.webkit.org/278737@main
[webkit-changes] [WebKit/WebKit] 5aa644: [Armv7] Enable BBQ loop tier-up
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5aa644ca5bd931ecb0d44d5d3e1dfb47081aa985
    https://github.com/WebKit/WebKit/commit/5aa644ca5bd931ecb0d44d5d3e1dfb47081aa985
Author: Justin Michaud
Date: 2024-05-10 (Fri, 10 May 2024)

Changed paths:
  M Source/JavaScriptCore/llint/WebAssembly.asm
  M Source/JavaScriptCore/runtime/Options.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT.h
  M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
  M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
  M Source/JavaScriptCore/wasm/WasmOperations.cpp
  M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp

Log Message:
---
[Armv7] Enable BBQ loop tier-up
https://bugs.webkit.org/show_bug.cgi?id=273771

Reviewed by Keith Miller.

Today, ARMv7 does not support LLInt->BBQ loop osr. This is primarily because OMG is not supported on ARMv7, and LLInt->BBQ loop osr re-uses the stackmap from BBQ->OMG loop osr. This patch generates that stack map in all cases.

It also fixes a stack alignment bug in loop osr, which is missing an armv7 case.

* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/runtime/Options.cpp:
(JSC::Options::notifyOptionsChanged):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitEntryTierUpCheck):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitLoopTierUpCheckAndOSREntryData):
(JSC::Wasm::BBQJITImpl::BBQJIT::addLoop):
(JSC::Wasm::BBQJITImpl::BBQJIT::endTopLevel):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitLoopTierUpCheck): Deleted.
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
(JSC::Wasm::BBQJITImpl::BBQJIT::stackCheckSize const):
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::alignedFrameSize const):
(JSC::Wasm::BBQJITImpl::BBQJIT::alignedFrameSize): Deleted.
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::shouldJIT):
* Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
(JSC::LLInt::WASM_SLOW_PATH_DECL):

Canonical link: https://commits.webkit.org/278609@main
[webkit-changes] [WebKit/WebKit] d8da68: Await some JS stress test results
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d8da684898d009470ea44c68bb434bd974213ed9
    https://github.com/WebKit/WebKit/commit/d8da684898d009470ea44c68bb434bd974213ed9
Author: Justin Michaud
Date: 2024-05-06 (Mon, 06 May 2024)

Changed paths:
  M JSTests/wasm/extended-const/extended-const.js
  M JSTests/wasm/extended-const/flag-turned-off.js
  M JSTests/wasm/function-references/block_signature.js
  M JSTests/wasm/function-references/br_on_null.js
  M JSTests/wasm/function-references/bug243265.js
  M JSTests/wasm/function-references/call_ref.js
  M JSTests/wasm/function-references/local_init.js
  M JSTests/wasm/function-references/ref_as_non_null.js
  M JSTests/wasm/function-references/ref_types.js
  M JSTests/wasm/function-references/table.js
  M JSTests/wasm/function-references/table_init.js
  M JSTests/wasm/function-tests/trap-from-start-async.js
  M JSTests/wasm/gc/const-exprs-flag-off.js
  M JSTests/wasm/gc/const-exprs.js
  M JSTests/wasm/ipint-tests/ipint-error-check-call-null.js
  M JSTests/wasm/ipint-tests/ipint-error-check-call-sig.js
  M JSTests/wasm/ipint-tests/ipint-error-check-div-0.js
  M JSTests/wasm/ipint-tests/ipint-error-check-mem-outofbounds.js
  M JSTests/wasm/ipint-tests/ipint-error-check-trunc-outofbounds.js
  M JSTests/wasm/ipint-tests/ipint-error-check-unreachable.js
  M JSTests/wasm/ipint-tests/ipint-stress-loop.js
  M JSTests/wasm/ipint-tests/ipint-test-add32.js
  M JSTests/wasm/ipint-tests/ipint-test-block-nobr.js
  M JSTests/wasm/ipint-tests/ipint-test-block-nopop.js
  M JSTests/wasm/ipint-tests/ipint-test-block.js
  M JSTests/wasm/ipint-tests/ipint-test-branch-table.js
  M JSTests/wasm/ipint-tests/ipint-test-call-add12.js
  M JSTests/wasm/ipint-tests/ipint-test-call-arg-order.js
  M JSTests/wasm/ipint-tests/ipint-test-call-arg.js
  M JSTests/wasm/ipint-tests/ipint-test-call-empty.js
  M JSTests/wasm/ipint-tests/ipint-test-call-fparg.js
  M JSTests/wasm/ipint-tests/ipint-test-call-noarg.js
  M JSTests/wasm/ipint-tests/ipint-test-call-stack-arg.js
  M JSTests/wasm/ipint-tests/ipint-test-data-drop.js
  M JSTests/wasm/ipint-tests/ipint-test-elem-drop.js
  M JSTests/wasm/ipint-tests/ipint-test-f32-comparisons.js
  M JSTests/wasm/ipint-tests/ipint-test-f32-ops.js
  M JSTests/wasm/ipint-tests/ipint-test-f64-comparisons.js
  M JSTests/wasm/ipint-tests/ipint-test-f64-ops.js
  M JSTests/wasm/ipint-tests/ipint-test-fibonacci.js
  M JSTests/wasm/ipint-tests/ipint-test-global.js
  M JSTests/wasm/ipint-tests/ipint-test-hot-12.js
  M JSTests/wasm/ipint-tests/ipint-test-hot-loop.js
  M JSTests/wasm/ipint-tests/ipint-test-hot.js
  M JSTests/wasm/ipint-tests/ipint-test-i32-comparisons.js
  M JSTests/wasm/ipint-tests/ipint-test-i32-ops.js
  M JSTests/wasm/ipint-tests/ipint-test-i64-comparisons.js
  M JSTests/wasm/ipint-tests/ipint-test-i64-ops.js
  M JSTests/wasm/ipint-tests/ipint-test-if-else-multiret.js
  M JSTests/wasm/ipint-tests/ipint-test-if-else.js
  M JSTests/wasm/ipint-tests/ipint-test-if-emptyelse.js
  M JSTests/wasm/ipint-tests/ipint-test-if.js
  M JSTests/wasm/ipint-tests/ipint-test-local-large.js
  M JSTests/wasm/ipint-tests/ipint-test-local.js
  M JSTests/wasm/ipint-tests/ipint-test-loop-add.js
  M JSTests/wasm/ipint-tests/ipint-test-loop-nobr.js
  M JSTests/wasm/ipint-tests/ipint-test-loop.js
  M JSTests/wasm/ipint-tests/ipint-test-memory-copy.js
  M JSTests/wasm/ipint-tests/ipint-test-memory-fill.js
  M JSTests/wasm/ipint-tests/ipint-test-memory-init.js
  M JSTests/wasm/ipint-tests/ipint-test-memory-read-sizes.js
  M JSTests/wasm/ipint-tests/ipint-test-memory-read.js
  M JSTests/wasm/ipint-tests/ipint-test-memory-simple.js
  M JSTests/wasm/ipint-tests/ipint-test-memory-size.js
  M JSTests/wasm/ipint-tests/ipint-test-memory-write-sizes.js
  M JSTests/wasm/ipint-tests/ipint-test-mixed-params.js
  M JSTests/wasm/ipint-tests/ipint-test-nesting.js
  M JSTests/wasm/ipint-tests/ipint-test-param.js
  M JSTests/wasm/ipint-tests/ipint-test-recursion.js
  M JSTests/wasm/ipint-tests/ipint-test-return-minus.js
  M JSTests/wasm/ipint-tests/ipint-test-return32.js
  M JSTests/wasm/ipint-tests/ipint-test-return64.js
  M JSTests/wasm/ipint-tests/ipint-test-returnf32.js
  M JSTests/wasm/ipint-tests/ipint-test-returnf64.js
  M JSTests/wasm/ipint-tests/ipint-test-returnlarge32.js
  M JSTests/wasm/ipint-tests/ipint-test-select.js
  M JSTests/wasm/ipint-tests/ipint-test-simd.js
  M JSTests/wasm/ipint-tests/ipint-test-table-copy.js
  M JSTests/wasm/ipint-tests/ipint-test-table-fill.js
  M JSTests/wasm/ipint-tests/ipint-test-table-grow.js
  M JSTests/wasm/ipint-tests/ipint-test-table-init.js
  M JSTests/wasm/ipint-tests/ipint-test-table-read.js
  M JSTests/wasm/ipint-tests/ipint-test-trunc-sat.js
  M JSTests/wasm/ipint-tests/ipint-test-type-conversion.js
  M JSTests/wasm/ipint-tests/ipint
[webkit-changes] [WebKit/WebKit] ecb7a6: [ArmV7] proxy-is-array.js is a constant failure
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ecb7a69e6acd372f569c4f07a7bbfe11269b46a9
    https://github.com/WebKit/WebKit/commit/ecb7a69e6acd372f569c4f07a7bbfe11269b46a9
Author: Justin Michaud
Date: 2024-05-03 (Fri, 03 May 2024)

Changed paths:
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

Log Message:
---
[ArmV7] proxy-is-array.js is a constant failure
https://bugs.webkit.org/show_bug.cgi?id=273626

Reviewed by Yusuke Suzuki.

In 277977@main, I opted in the 32-bit direct call path into DataIC, except the change makes absolutely no sense. It is still calling repatch just below, and the 64-bit ports don't use DataIC here either, so this just broke direct call repatching.

* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):

Canonical link: https://commits.webkit.org/278308@main
[webkit-changes] [WebKit/WebKit] e9b556: [ARMv7] Fix concurrent BBQ repatching
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e9b5568186739399f480a72072955bb38563436e
    https://github.com/WebKit/WebKit/commit/e9b5568186739399f480a72072955bb38563436e
Author: Justin Michaud
Date: 2024-05-03 (Fri, 03 May 2024)

Changed paths:
  M Source/JavaScriptCore/assembler/ARMv7Assembler.h
  M Source/JavaScriptCore/assembler/AssemblerCommon.h
  M Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

Log Message:
---
[ARMv7] Fix concurrent BBQ repatching
https://bugs.webkit.org/show_bug.cgi?id=273545

Reviewed by Keith Miller and Yusuke Suzuki.

Armv7 places a few interesting constraints on repatching in thumb mode:
- As far as I can tell, you cannot concurrently repatch a mov without an isb
- bl and family can be repatched without an isb, but bl is a 32-bit instruction. So to repatch it concurrently, we need it to be 4-byte aligned.

This patch fixes this. I also added some debug assertions that verified that this was the only place in our test case that tried to concurrently repatch an unaligned bl, but the assertions were too involved to upstream.

This should fix export-arity.js crashes on armv7 on ToT.

* Source/JavaScriptCore/assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::alignWithNop):
* Source/JavaScriptCore/assembler/AssemblerCommon.h:
(JSC::machineCodeCopy):
* Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::threadSafePatchableNearCall):
(JSC::MacroAssemblerARMv7::threadSafePatchableNearTailCall):

Canonical link: https://commits.webkit.org/278305@main
[webkit-changes] [WebKit/WebKit] 7f93c6: Spurious assertion after direct call data ic on 32...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7f93c606efccc5df180d461167efe78f1824ffb8
    https://github.com/WebKit/WebKit/commit/7f93c606efccc5df180d461167efe78f1824ffb8
Author: Justin Michaud
Date: 2024-04-25 (Thu, 25 Apr 2024)

Changed paths:
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
  M Source/JavaScriptCore/jit/CallFrameShuffler.h

Log Message:
---
Spurious assertion after direct call data ic on 32 bits
https://bugs.webkit.org/show_bug.cgi?id=273183

Reviewed by Yusuke Suzuki.

This assertion made sense before DataIC. It is asserting that we only see boxed ints, because unboxed ints should use the other version of the addNew method that takes JSValueRegs. Essentially, on 32-bit, we may have separate Tag and Payload recoveries that should map to the same cachedRecovery. When we iterate over each register in CallFrameShuffler(), we lose this information, so addNew really becomes addNew (or update the tag register).

Now though, recent DataIC changes mean the CallLinkInfo* needs to be maintained by the call frame shuffler in the DirectTailCall case, unboxed. So, we just move the assertion to the case where it actually matters.

* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/jit/CallFrameShuffler.h:
(JSC::CallFrameShuffler::addNew):

Canonical link: https://commits.webkit.org/277977@main
[webkit-changes] [WebKit/WebKit] 3584ed: Change contributor email for Justin Michaud
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3584ed8d51465899cae685f0019b44c42a379e14
    https://github.com/WebKit/WebKit/commit/3584ed8d51465899cae685f0019b44c42a379e14
Author: Justin Michaud
Date: 2024-04-22 (Mon, 22 Apr 2024)

Changed paths:
  M metadata/contributors.json

Log Message:
---
Change contributor email for Justin Michaud
https://bugs.webkit.org/show_bug.cgi?id=273064

Reviewed by Keith Miller.

* metadata/contributors.json:

Canonical link: https://commits.webkit.org/277813@main
[webkit-changes] [WebKit/WebKit] 4706d2: Remove simple JS->Wasm entry thunks by using metadata
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4706d27c38ec93dd7ac88bb6f35ae781cf23e850
https://github.com/WebKit/WebKit/commit/4706d27c38ec93dd7ac88bb6f35ae781cf23e850
Author: Justin Michaud
Date: 2024-04-19 (Fri, 19 Apr 2024)

Changed paths:
A JSTests/microbenchmarks/wasm-cc-int-to-int.js
A JSTests/microbenchmarks/wasm-cc-int-to-int.wasm
A JSTests/microbenchmarks/wasm-cc-int-to-int.wat
A JSTests/wasm/stress/cc-i32-kitchen-sink.js
A JSTests/wasm/stress/cc-int-to-int-cross-module-with-exception.js
M JSTests/wasm/stress/cc-int-to-int-cross-module.js
A JSTests/wasm/stress/cc-int-to-int-memory.js
A JSTests/wasm/stress/cc-int-to-int-no-jit.js
M JSTests/wasm/stress/cc-int-to-int.js
M Source/JavaScriptCore/llint/InPlaceInterpreter.cpp
M Source/JavaScriptCore/llint/InPlaceInterpreter.h
M Source/JavaScriptCore/llint/WebAssembly.asm
M Source/JavaScriptCore/runtime/Options.cpp
M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
M Source/JavaScriptCore/wasm/WasmCallee.cpp
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
M Source/JavaScriptCore/wasm/WasmLLIntPlan.h
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h

Log Message:
---
Remove simple JS->Wasm entry thunks by using metadata
https://bugs.webkit.org/show_bug.cgi?id=267481
rdar://120933304

Reviewed by Yusuke Suzuki.

This is a re-land of the first patch, but disabled by default after it was reverted.

This patch lays the groundwork for a new way to call wasm functions without JIT. We opt in only the simplest cases for now, but in those cases, we can skip the generated JS->WASM entry thunk. Future work can expand this to more signatures.

This also changes the way tier-up works. Today, we re-write the JS->Wasm entrypoint call pointer. This won't work anymore, so we instead check when loading the entrypoint for interpreted-entry callees.

This shouldn't affect the jsCallEntrypoint IC, so this is a step in the direction of completely removing these non-ic jit thunks in the future.

* JSTests/microbenchmarks/wasm-cc-int-to-int.js: Added.
(wasm_instance.exports):
* JSTests/microbenchmarks/wasm-cc-int-to-int.wasm: Added.
* JSTests/microbenchmarks/wasm-cc-int-to-int.wat: Added.
* JSTests/wasm/stress/cc-i32-kitchen-sink.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.func.f0.export.string_appeared_here.param.x0.i32.param.x1.i32.param.x2.i32.param.x3.i32.param.x4.i32.param.x5.i32.param.x6.i32.param.x7.i32.result.i32.i32.add.local.x0.i32.add.local.x1.i32.add.local.x2.i32.add.local.x3.i32.add.local.x4.i32.add.local.x5.i32.add.local.x6.local.x7.func.f1.export.string_appeared_here.param.x0.i32.param.x1.i32.param.x2.i32.param.x3.i32.param.x4.i32.param.x5.i32.param.x6.i32.param.x7.i32.param.x8.i32.param.x9.i32.param.x10.i32.param.x11.i32.result.i32.i32.add.local.x0.i32.add.local.x1.i32.add.local.x2.i32.add.local.x3.i32.add.local.x4.i32.add.local.x5.i32.add.local.x6.i32.add.local.x7.i32.add.local.x8.i32.add.local.x9.i32.add.local.x10.local.x11.func.f2.export.string_appeared_here.param.x0.i32.param.x1.i32.param.x2.i32.param.x3.i32.param.x4.i32.param.x5.i32.param.x6.i32.param.x7.i32.param.x8.i32.param.x9.i32.param.x10.i32.param.x11.i32.result.i32.i32.add.local.x0.local.x11
* JSTests/wasm/stress/cc-int-to-int-cross-module-with-exception.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.watA.module.import.string_appeared_here.string_appeared_here.func.functionB.param.x.i32.result.i32.import.string_appeared_here.string_appeared_here.func.doThrow.param.i32.import.string_appeared_here.string_appeared_here.func.log.param.i32.memory.1.tag.e.func.fillerSoNoJIT1.func.fillerSoNoJIT2.func.fillerSoNoJIT3.func.fillerSoNoJIT4.func.fillerSoNoJIT5.func.fillerSoNoJIT6.func.fillerSoNoJIT7.func.fillerSoNoJIT8.func.fillerSoNoJIT9.func.fillerSoNoJIT10.func.functionA.export.string_appeared_here.param.x.f64.result.f64.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.i32.local.l0.i32.local.l0.i32.const.5.i32.ne.i32.
(noInline.doTest.async test.doThrow):
(noInline.doTest.async test.log):
(noInline.doTest.async test):
* JSTests/wasm/stress/cc-int-to-int-cross-module.js:
* JSTests/wasm/stress/cc-int-to-int-memory.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.memory.1.data.i32.const.0.string_appeared_here.func.test.export.string_appeared_here.param.x.i32.result.i32.i32.add.local.x.i32.load.i32.const.0.async test):
* JSTests/wasm/
[webkit-changes] [WebKit/WebKit] 4bd209: Remove simple JS->Wasm entry thunks by using metadata
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4bd20953a44ff01714fff5d40d746f8358be77d5
https://github.com/WebKit/WebKit/commit/4bd20953a44ff01714fff5d40d746f8358be77d5
Author: Justin Michaud
Date: 2024-04-16 (Tue, 16 Apr 2024)

Changed paths:
A JSTests/microbenchmarks/wasm-cc-int-to-int.js
A JSTests/microbenchmarks/wasm-cc-int-to-int.wasm
A JSTests/microbenchmarks/wasm-cc-int-to-int.wat
A JSTests/wasm/stress/cc-i32-kitchen-sink.js
A JSTests/wasm/stress/cc-int-to-int-cross-module-with-exception.js
M JSTests/wasm/stress/cc-int-to-int-cross-module.js
A JSTests/wasm/stress/cc-int-to-int-memory.js
A JSTests/wasm/stress/cc-int-to-int-no-jit.js
M JSTests/wasm/stress/cc-int-to-int.js
M Source/JavaScriptCore/llint/InPlaceInterpreter.cpp
M Source/JavaScriptCore/llint/InPlaceInterpreter.h
M Source/JavaScriptCore/llint/WebAssembly.asm
M Source/JavaScriptCore/runtime/Options.cpp
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
M Source/JavaScriptCore/wasm/WasmCallee.cpp
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
M Source/JavaScriptCore/wasm/WasmLLIntPlan.h
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h

Log Message:
---
Remove simple JS->Wasm entry thunks by using metadata
https://bugs.webkit.org/show_bug.cgi?id=267481
rdar://120933304

Reviewed by Yusuke Suzuki.

This patch lays the groundwork for a new way to call wasm functions without JIT. We opt in only the simplest cases for now, but in those cases, we can skip the generated JS->WASM entry thunk. Future work can expand this to more signatures.

This also changes the way tier-up works. Today, we re-write the JS->Wasm entrypoint call pointer. This won't work anymore, so we instead check when loading the entrypoint for interpreted-entry callees.

This shouldn't affect the jsCallEntrypoint IC, so this is a step in the direction of completely removing these non-ic jit thunks in the future.

* JSTests/wasm/stress/cc-int-to-int.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.type.sig_test.func.param.i32.result.i32.table.t.1.funcref.elem.i32.const.0.test.func.test.export.string_appeared_here.param.x.i32.result.i32.i32.add.local.x.i32.const.42.func.export.string_appeared_here.param.x.i32.result.i32.i32.add.local.x.call.test.i32.const.1337.func.export.string_appeared_here.param.x.i32.result.i32.local.x.i32.const.98.call_indirect.t.type.sig_test.i32.const.0.i32.add.async test):
* Source/JavaScriptCore/assembler/JITOperationList.cpp:
(JSC::llintOperations):
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/runtime/SamplingProfiler.cpp:
(JSC::tierName):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::initializeCallees):
* Source/JavaScriptCore/wasm/WasmBBQPlan.h:
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::Callee::runWithDowncast):
(JSC::Wasm::JSEntrypointInterpreterCallee::entrypointImpl const):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
(JSC::Wasm::CalleeGroup::CalleeGroup):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.h:
* Source/JavaScriptCore/wasm/WasmCompilationMode.cpp:
(JSC::Wasm::makeString):
* Source/JavaScriptCore/wasm/WasmCompilationMode.h:
(JSC::Wasm::isOSREntry):
(JSC::Wasm::isAnyBBQ):
(JSC::Wasm::isAnyOMG):
* Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp:
(JSC::Wasm::IPIntPlan::didCompleteCompilation):
* Source/JavaScriptCore/wasm/WasmIPIntPlan.h:
* Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::didCompleteCompilation):
* Source/JavaScriptCore/wasm/WasmLLIntPlan.h:

Canonical link: https://commits.webkit.org/277566@main

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 8d67eb: Unreviewed CLoop build fix
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8d67ebc14bf4e30058763fe654172a82deb74aa1
https://github.com/WebKit/WebKit/commit/8d67ebc14bf4e30058763fe654172a82deb74aa1
Author: Justin Michaud
Date: 2024-04-15 (Mon, 15 Apr 2024)

Changed paths:
M Source/WTF/wtf/PlatformEnable.h

Log Message:
---
Unreviewed CLoop build fix
https://bugs.webkit.org/show_bug.cgi?id=272701
rdar://126506006

Unreviewed build fix.

* Source/WTF/wtf/PlatformEnable.h:

Canonical link: https://commits.webkit.org/277511@main
[webkit-changes] [WebKit/WebKit] 54a2d1: Split JSEntrypointCallee into JIT/Interpreted vers...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 54a2d13bf308180a83e7832cb1160030a5a90b11
https://github.com/WebKit/WebKit/commit/54a2d13bf308180a83e7832cb1160030a5a90b11
Author: Justin Michaud
Date: 2024-04-11 (Thu, 11 Apr 2024)

Changed paths:
M Source/JavaScriptCore/llint/LLIntData.h
M Source/JavaScriptCore/llint/LLIntThunks.cpp
M Source/JavaScriptCore/runtime/SamplingProfiler.cpp
M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
M Source/JavaScriptCore/wasm/WasmBBQPlan.h
M Source/JavaScriptCore/wasm/WasmCallee.cpp
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp
M Source/JavaScriptCore/wasm/WasmCalleeGroup.h
M Source/JavaScriptCore/wasm/WasmCompilationMode.cpp
M Source/JavaScriptCore/wasm/WasmCompilationMode.h
M Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp
M Source/JavaScriptCore/wasm/WasmIPIntPlan.h
M Source/JavaScriptCore/wasm/WasmInstance.cpp
M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
M Source/JavaScriptCore/wasm/WasmLLIntPlan.h
M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
M Source/JavaScriptCore/wasm/js/JSToWasm.h
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
M Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
M Source/WTF/wtf/PlatformEnable.h

Log Message:
---
Split JSEntrypointCallee into JIT/Interpreted versions; fix no-jit build
https://bugs.webkit.org/show_bug.cgi?id=272431
rdar://126177707

Reviewed by Yusuke Suzuki and Ross Kirsling.

This is leading up to the first jit-less wasm entrypoint thunks. The last patch broke some non-jit builds, so this patch aims to fix that. This also splits JSEntrypointCallee into JIT/Interpreted versions. The interpreted version does nothing so far, but this should ensure that all of the ifdef magic is correct for non-jit builds.

* Source/JavaScriptCore/llint/LLIntData.h:
* Source/JavaScriptCore/llint/LLIntThunks.cpp:
(JSC::LLInt::wasmFunctionEntryThunk):
(JSC::LLInt::wasmFunctionEntryThunkSIMD):
* Source/JavaScriptCore/runtime/SamplingProfiler.cpp:
(JSC::tierName):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::compileFunction):
(JSC::Wasm::BBQPlan::initializeCallees):
* Source/JavaScriptCore/wasm/WasmBBQPlan.h:
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::Callee::runWithDowncast):
(JSC::Wasm::JSEntrypointJITCallee::setEntrypoint):
(JSC::Wasm::JSEntrypointInterpreterCallee::JSEntrypointInterpreterCallee):
(JSC::Wasm::JSEntrypointInterpreterCallee::entrypointImpl const):
(JSC::Wasm::JSEntrypointInterpreterCallee::calleeSaveRegistersImpl):
* Source/JavaScriptCore/wasm/WasmCallee.h:
(JSC::Wasm::JSEntrypointCallee::JSEntrypointCallee):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
(JSC::Wasm::CalleeGroup::CalleeGroup):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.h:
* Source/JavaScriptCore/wasm/WasmCompilationMode.cpp:
(JSC::Wasm::makeString):
* Source/JavaScriptCore/wasm/WasmCompilationMode.h:
(JSC::Wasm::isOSREntry):
(JSC::Wasm::isAnyBBQ):
(JSC::Wasm::isAnyOMG):
* Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp:
(JSC::Wasm::IPIntPlan::didCompleteCompilation):
* Source/JavaScriptCore/wasm/WasmIPIntPlan.h:
* Source/JavaScriptCore/wasm/WasmInstance.cpp:
(JSC::Wasm::Instance::initElementSegment):
* Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::didCompleteCompilation):
* Source/JavaScriptCore/wasm/WasmLLIntPlan.h:
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* Source/JavaScriptCore/wasm/js/JSToWasm.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::WebAssemblyFunction):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::initializeExports):
* Source/WTF/wtf/PlatformEnable.h:

Canonical link: https://commits.webkit.org/277402@main
[webkit-changes] [WebKit/WebKit] 5144a8: (Re-land) Don't initialize mach exceptions if we d...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5144a8edcfab04c9cd2f55ab80b8fe670cb9d2e4
https://github.com/WebKit/WebKit/commit/5144a8edcfab04c9cd2f55ab80b8fe670cb9d2e4
Author: Justin Michaud
Date: 2024-04-09 (Tue, 09 Apr 2024)

Changed paths:
M Source/WTF/wtf/threads/Signals.cpp

Log Message:
---
(Re-land) Don't initialize mach exceptions if we didn't register any.
https://bugs.webkit.org/show_bug.cgi?id=272261
rdar://126000755

The original patch by Keith was reverted because it came after the enablement patch for the new exceptions API. It turns out that even after reverting, we still need this fix.

Original patch:

Don't initialize mach exceptions if we didn't register any.
https://bugs.webkit.org/show_bug.cgi?id=272261
rdar://126000755

Reviewed by Justin Michaud.

This also fixes GPU process crashing on launch because the sandbox doesn't allow `task_register_hardened_exception_handler`.

* Source/WTF/wtf/threads/Signals.cpp:
(WTF::initMachExceptionHandlerThread):

Canonical link: https://commits.webkit.org/277143@main

Canonical link: https://commits.webkit.org/277281@main
[webkit-changes] [WebKit/WebKit] 138cae: Poisoned commit
Branch: refs/heads/webkit-2023.7-embargoed
Home: https://github.com/WebKit/WebKit

Commit: 138cae6714866e1934e288e90552ccf7e577d93a
https://github.com/WebKit/WebKit/commit/138cae6714866e1934e288e90552ccf7e577d93a
Author: Jonathan Bedard
Date: 2023-07-10 (Mon, 10 Jul 2023)

Changed paths:
A metadata/poison.txt

Log Message:
---
Poisoned commit

Unreviewed branch poisoning.

Insert revoked credential into repository to prevent contributors from accidentally publishing this branch to their personal public forks.

* metadata/poison.txt: Add poison.

Canonical link: https://commits.webkit.org/265870.1@webkit-2023.7-embargoed

Commit: 8d500250a372682b3b30b861bdc400b4326c4e92
https://github.com/WebKit/WebKit/commit/8d500250a372682b3b30b861bdc400b4326c4e92
Author: Rob Buis
Date: 2023-07-11 (Tue, 11 Jul 2023)

Changed paths:
A LayoutTests/fast/media/print-video-crash-expected.txt
A LayoutTests/fast/media/print-video-crash.html
M Source/WebKit/UIProcess/WebPageProxy.cpp
M Source/WebKit/UIProcess/WebPageProxy.h
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
M Source/WebKit/WebProcess/WebPage/WebPage.h
M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
M Tools/WebKitTestRunner/TestController.cpp

Log Message:
---
Cherry-pick 263022.8@webkit-2023.4-embargoed (221c50b850f8).
rdar://89084798

Make sure end printing is handled before PrintFrame
https://bugs.webkit.org/show_bug.cgi?id=237291

Reviewed by Chris Dumez.

To ensure end printing is handled (and layer tree is unfrozen) introduce a completion handler on EndPrinting and tie its completion to the completion handler in WebPageProxy::printFrame. Also do not call endPrinting from TestController.cpp since WebPageProxy::printFrame takes care of that.

* LayoutTests/fast/media/print-video-crash-expected.txt: Added.
* LayoutTests/fast/media/print-video-crash.html: Added.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::printFrame):
(WebKit::WebPageProxy::endPrinting):
* Source/WebKit/UIProcess/WebPageProxy.h:
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::endPrinting):
* Source/WebKit/WebProcess/WebPage/WebPage.h:
(WebKit::WebPage::endPrinting):
(WebKit::WebPage::endPrintingDuringDOMPrintOperation):
* Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
* Tools/WebKitTestRunner/TestController.cpp:
(WTR::printFrame):

Canonical link: https://commits.webkit.org/263022.8@webkit-2023.4-embargoed

Canonical link: https://commits.webkit.org/265870.2@webkit-2023.7-embargoed

Commit: 3196b4597918dcef7df9c8b7656ca2f263455b72
https://github.com/WebKit/WebKit/commit/3196b4597918dcef7df9c8b7656ca2f263455b72
Author: Rob Buis
Date: 2023-07-11 (Tue, 11 Jul 2023)

Changed paths:
A LayoutTests/fast/canvas/canvas-print-crash-expected.txt
A LayoutTests/fast/canvas/canvas-print-crash.html

Log Message:
---
Cherry-pick 263022.9@webkit-2023.4-embargoed (a0645306d06d).
rdar://102860360

Add test case for bug 251370
https://bugs.webkit.org/show_bug.cgi?id=251370

Reviewed by Chris Dumez.

Already fixed by https://commits.webkit.org/263022.8@webkit-2023.4-embargoed, but add this test for completeness.

* LayoutTests/fast/canvas/canvas-print-crash-expected.txt: Added.
* LayoutTests/fast/canvas/canvas-print-crash.html: Added.

Canonical link: https://commits.webkit.org/263022.9@webkit-2023.4-embargoed

Canonical link: https://commits.webkit.org/265870.3@webkit-2023.7-embargoed

Commit: bf54db6478c17e5e9d96c80db3b58e002de0aa3e
https://github.com/WebKit/WebKit/commit/bf54db6478c17e5e9d96c80db3b58e002de0aa3e
Author: Justin Michaud
Date: 2023-07-17 (Mon, 17 Jul 2023)

Changed paths:
M Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h

Log Message:
---
Cherry-pick 259548.856@safari-7615-branch (c3d2e3627b45).
https://bugs.webkit.org/show_bug.cgi?id=259231

CallVarargs should identify that it can read inline call frame arguments.
rdar://111361499

Reviewed by Yusuke Suzuki.

Call already does this, but CallVarargs has a special case that forgot. We should not be allowed to push PutStacks below a call of any kind, since it might access our call frame's arguments via foo.arguments, unless we are strict. The only exception is TailCall (but not TailCallForwardVarargsInlinedCaller), because it will destroy the entire frame. We do not un-pessimize TailCall yet to reduce risk, but it could be made to match TailCallForwardVarargs in the future.

* Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

Canonical link: https://commits.webkit.org/259548.856@safari-7615-branch

Canonical link: https://commits.webkit.org/265870.4@webkit-2023.7-embargoed
[webkit-changes] [WebKit/WebKit] 885441: Unreviewed, reverting 277134@main
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 885441cde700cbcc0772b2d30be3ea8d080b620e
https://github.com/WebKit/WebKit/commit/885441cde700cbcc0772b2d30be3ea8d080b620e
Author: Justin Michaud
Date: 2024-04-08 (Mon, 08 Apr 2024)

Changed paths:
M Source/JavaScriptCore/llint/InPlaceInterpreter.asm
M Source/JavaScriptCore/llint/InPlaceInterpreter.h
M Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
M Source/JavaScriptCore/offlineasm/asm.rb
M Source/JavaScriptCore/offlineasm/ast.rb
M Source/JavaScriptCore/offlineasm/backends.rb
M Source/JavaScriptCore/offlineasm/parser.rb
M Source/JavaScriptCore/offlineasm/transform.rb

Log Message:
---
Unreviewed, reverting 277134@main
https://bugs.webkit.org/show_bug.cgi?id=270699
rdar://126085546

Breaks iOS builds

Reverted change:

[JSC] (Re-land) Add aligned label annotation to offlineasm
https://bugs.webkit.org/show_bug.cgi?id=270699
rdar://113594783
https://commits.webkit.org/277134@main

Canonical link: https://commits.webkit.org/277212@main
[webkit-changes] [WebKit/WebKit] eb9db9: Unreviewed, Revert 277136@main "Clean up Signals a...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: eb9db9d4c5a2c74ead9656d6abe429b26cecb4f7
https://github.com/WebKit/WebKit/commit/eb9db9d4c5a2c74ead9656d6abe429b26cecb4f7
Author: Justin Michaud
Date: 2024-04-08 (Mon, 08 Apr 2024)

Changed paths:
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/runtime/InitializeThreading.cpp
M Source/JavaScriptCore/runtime/JSCConfig.cpp
M Source/JavaScriptCore/runtime/JSCConfig.h
M Source/JavaScriptCore/runtime/VM.cpp
M Source/JavaScriptCore/runtime/VMEntryScope.cpp
M Source/JavaScriptCore/runtime/VMTraps.cpp
M Source/JavaScriptCore/tools/JSDollarVM.cpp
M Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp
M Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h
M Source/WTF/wtf/PlatformRegisters.cpp
M Source/WTF/wtf/Threading.cpp
M Source/WTF/wtf/WTFConfig.cpp
M Source/WTF/wtf/WTFConfig.h
M Source/WTF/wtf/threads/Signals.cpp
M Source/WTF/wtf/threads/Signals.h
M Source/WTF/wtf/win/SignalsWin.cpp
M Source/WebKit/GPUProcess/EntryPoint/Cocoa/XPCService/GPUServiceEntryPoint.mm
M Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.WebContent.sb.in
M Tools/TestWebKitAPI/Tests/WTF/Signals.cpp

Log Message:
---
Unreviewed, Revert 277136@main "Clean up Signals and remove hardened fallback"
https://bugs.webkit.org/show_bug.cgi?id=272335
rdar://126077721

Breaks OBJC API

Reverted change:

Clean up Signals and remove hardened fallback
https://bugs.webkit.org/show_bug.cgi?id=271766
rdar://125256111
https://commits.webkit.org/277136@main

Canonical link: https://commits.webkit.org/277210@main
[webkit-changes] [WebKit/WebKit] cdadd1: Unreviewed, reverting 277143@main
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cdadd16e6fa8270afc0f9b13979aaa3cd4828298
https://github.com/WebKit/WebKit/commit/cdadd16e6fa8270afc0f9b13979aaa3cd4828298
Author: Justin Michaud
Date: 2024-04-08 (Mon, 08 Apr 2024)

Changed paths:
M Source/WTF/wtf/threads/Signals.cpp

Log Message:
---
Unreviewed, reverting 277143@main
https://bugs.webkit.org/show_bug.cgi?id=272335
rdar://126077721

Breaks OBJC API

Reverted change:

Don't initialize mach exceptions if we didn't register any.
https://bugs.webkit.org/show_bug.cgi?id=272261
rdar://126000755
https://commits.webkit.org/277143@main

Canonical link: https://commits.webkit.org/277200@main
[webkit-changes] [WebKit/WebKit] 75713d: [JSC] (Re-land) Add aligned label annotation to of...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 75713dba17877b118b2203af2d8b7a44cb3c17c5
https://github.com/WebKit/WebKit/commit/75713dba17877b118b2203af2d8b7a44cb3c17c5
Author: Justin Michaud
Date: 2024-04-05 (Fri, 05 Apr 2024)

Changed paths:
M Source/JavaScriptCore/llint/InPlaceInterpreter.asm
M Source/JavaScriptCore/llint/InPlaceInterpreter.h
M Source/JavaScriptCore/llint/LowLevelInterpreter.cpp
M Source/JavaScriptCore/offlineasm/asm.rb
M Source/JavaScriptCore/offlineasm/ast.rb
M Source/JavaScriptCore/offlineasm/backends.rb
M Source/JavaScriptCore/offlineasm/parser.rb
M Source/JavaScriptCore/offlineasm/transform.rb

Log Message:
---
[JSC] (Re-land) Add aligned label annotation to offlineasm
https://bugs.webkit.org/show_bug.cgi?id=270699
rdar://113594783

Reviewed by Mark Lam.

Original patch by Max Rottenkolber.

In https://commits.webkit.org/276085@main, we tried to add a new aligned label directive to offlineasm to make padding more deterministic. This broke some Apple builds because of LTO. This patch makes sure these labels are referenced from cpp to stop the linker from removing them.

* Source/JavaScriptCore/llint/InPlaceInterpreter.asm:
* Source/JavaScriptCore/llint/InPlaceInterpreter.h:
* Source/JavaScriptCore/llint/LowLevelInterpreter.cpp:
* Source/JavaScriptCore/offlineasm/asm.rb:
* Source/JavaScriptCore/offlineasm/ast.rb:
* Source/JavaScriptCore/offlineasm/backends.rb:
* Source/JavaScriptCore/offlineasm/parser.rb:
* Source/JavaScriptCore/offlineasm/transform.rb:

Canonical link: https://commits.webkit.org/277134@main
[webkit-changes] [WebKit/WebKit] ce5859: (3) Adopt com.apple.developer.cs.allow-jit entitle...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ce585987e8f9925db07f95dd06cc7ffa78e7dbfa
https://github.com/WebKit/WebKit/commit/ce585987e8f9925db07f95dd06cc7ffa78e7dbfa
Author: Justin Michaud
Date: 2024-04-05 (Fri, 05 Apr 2024)

Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh
M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
M Source/WebKit/Scripts/process-entitlements.sh

Log Message:
---
(3) Adopt com.apple.developer.cs.allow-jit entitlement for iOS.
https://bugs.webkit.org/show_bug.cgi?id=270723
rdar://122841355

Reviewed by Yusuke Suzuki.

* Source/JavaScriptCore/Scripts/process-entitlements.sh:
* Source/JavaScriptCore/jit/ExecutableAllocator.cpp:
(JSC::isJITEnabled):
(JSC::ExecutableAllocator::disableJIT):
* Source/WebKit/Scripts/process-entitlements.sh:

Canonical link: https://commits.webkit.org/277127@main
[webkit-changes] [WebKit/WebKit] dc794e: Add stub for new jit-less js->wasm entrypoint
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dc794ece05e682e4fe156bdea696620bc3727261
https://github.com/WebKit/WebKit/commit/dc794ece05e682e4fe156bdea696620bc3727261
Author: Justin Michaud
Date: 2024-04-05 (Fri, 05 Apr 2024)

Changed paths:
M Source/JavaScriptCore/assembler/JITOperationList.cpp
M Source/JavaScriptCore/bytecode/BytecodeList.rb
M Source/JavaScriptCore/jit/RegisterSet.cpp
M Source/JavaScriptCore/llint/InPlaceInterpreter.h
M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
M Source/JavaScriptCore/llint/LLIntSlowPaths.h
M Source/JavaScriptCore/llint/LowLevelInterpreter.asm
M Source/JavaScriptCore/llint/WebAssembly.asm
M Source/JavaScriptCore/runtime/InitializeThreading.cpp
M Source/JavaScriptCore/runtime/JSCPtrTag.h
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
M Source/JavaScriptCore/wasm/WasmBBQPlan.h
M Source/JavaScriptCore/wasm/WasmCallee.cpp
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp
M Source/JavaScriptCore/wasm/WasmCalleeGroup.h
M Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp
M Source/JavaScriptCore/wasm/WasmIPIntPlan.h
M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
M Source/JavaScriptCore/wasm/WasmLLIntPlan.h
M Source/bmalloc/bmalloc/Gigacage.h

Log Message:
---
Add stub for new jit-less js->wasm entrypoint
https://bugs.webkit.org/show_bug.cgi?id=272176
rdar://125923445

Reviewed by Mark Lam and Yusuke Suzuki.

A subsequent patch will fill this out with a new jit-less js->wasm stub, but this patch handles all of the mechanical bits. This is split out because this patch was causing some linker issues, so this will make it easier to isolate any fallout from landing.

* Source/JavaScriptCore/assembler/CPU.h:
(JSC::isJSValue3264):
* Source/JavaScriptCore/assembler/JITOperationList.cpp:
(JSC::llintOperations):
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/jit/RegisterSet.cpp:
(JSC::RegisterSetBuilder::wasmPinnedRegisters):
* Source/JavaScriptCore/llint/InPlaceInterpreter.h:
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::logWasmPrologue):
* Source/JavaScriptCore/llint/LLIntSlowPaths.h:
* Source/JavaScriptCore/llint/LowLevelInterpreter.asm:
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/runtime/InitializeThreading.cpp:
(JSC::initialize):
* Source/JavaScriptCore/runtime/JSCPtrTag.h:
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::initializeCallees):
* Source/JavaScriptCore/wasm/WasmBBQPlan.h:
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
(JSC::Wasm::CalleeGroup::CalleeGroup):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.h:
* Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp:
(JSC::Wasm::IPIntPlan::didCompleteCompilation):
* Source/JavaScriptCore/wasm/WasmIPIntPlan.h:
* Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::didCompleteCompilation):
* Source/JavaScriptCore/wasm/WasmLLIntPlan.h:
* Source/bmalloc/bmalloc/Gigacage.h:
(Gigacage::maxSize):
(Gigacage::mask):

Canonical link: https://commits.webkit.org/277125@main
[webkit-changes] [WebKit/WebKit] 8d1b8b: CallWebAssemblyFunction should mark gc types
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8d1b8ba47bb53481f6b470c0da9f68b8caac7899
https://github.com/WebKit/WebKit/commit/8d1b8ba47bb53481f6b470c0da9f68b8caac7899
Author: Justin Michaud
Date: 2024-04-04 (Thu, 04 Apr 2024)

Changed paths:
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

Log Message:
---
CallWebAssemblyFunction should mark gc types
https://bugs.webkit.org/show_bug.cgi?id=272122
rdar://125878087

Reviewed by Yusuke Suzuki.

CallWebAssemblyFunction should mark GC'd arguments in case they don't get kept alive until they make it to the stack or a register.

* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/277091@main
[webkit-changes] [WebKit/WebKit] 5c78bf: BBQ has spurious assertion for zero-frame leaf fun...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5c78bf00205e1af497ee267a81415a01f4201193
https://github.com/WebKit/WebKit/commit/5c78bf00205e1af497ee267a81415a01f4201193
Author: Justin Michaud
Date: 2024-04-03 (Wed, 03 Apr 2024)

Changed paths:
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

Log Message:
---
BBQ has spurious assertion for zero-frame leaf functions
https://bugs.webkit.org/show_bug.cgi?id=272066
rdar://125620937

Reviewed by Yusuke Suzuki.

It's fine for there to be a zero-sized stack check from BBQ.

* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::parseAndCompileBBQ):

Canonical link: https://commits.webkit.org/277029@main
[webkit-changes] [WebKit/WebKit] f801d9: Unreviewed, reverting 276913@main
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f801d95c087463e4bf4fa68908358f81a00e223d
https://github.com/WebKit/WebKit/commit/f801d95c087463e4bf4fa68908358f81a00e223d
Author: Justin Michaud
Date: 2024-04-02 (Tue, 02 Apr 2024)

Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh
M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
M Source/WebKit/Scripts/process-entitlements.sh
M Tools/WebKitTestRunner/Configurations/WebKitTestRunner-internal.entitlements
M Tools/WebKitTestRunner/Configurations/WebKitTestRunnerApp-iOS.entitlements

Log Message:
---
Unreviewed, reverting 276913@main
https://bugs.webkit.org/show_bug.cgi?id=272038
rdar://125791511

REGRESSION(276913@main): broke internal builds

Reverted change:

(2) Adopt com.apple.developer.cs.allow-jit entitlement for iOS.
rdar://122841355
https://bugs.webkit.org/show_bug.cgi?id=270723
https://commits.webkit.org/276913@main

Canonical link: https://commits.webkit.org/276949@main
[webkit-changes] [WebKit/WebKit] b1d861: (2) Adopt com.apple.developer.cs.allow-jit entitle...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b1d861f1f579588da2b6d8b13ba5aa138a7afc46
https://github.com/WebKit/WebKit/commit/b1d861f1f579588da2b6d8b13ba5aa138a7afc46
Author: Justin Michaud
Date: 2024-04-01 (Mon, 01 Apr 2024)

Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh
M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
M Source/WebKit/Scripts/process-entitlements.sh
M Tools/WebKitTestRunner/Configurations/WebKitTestRunner-internal.entitlements
M Tools/WebKitTestRunner/Configurations/WebKitTestRunnerApp-iOS.entitlements

Log Message:
---
(2) Adopt com.apple.developer.cs.allow-jit entitlement for iOS.
rdar://122841355
https://bugs.webkit.org/show_bug.cgi?id=270723

Reviewed by Keith Miller.

* Source/JavaScriptCore/Scripts/process-entitlements.sh:
* Source/JavaScriptCore/jit/ExecutableAllocator.cpp:
(JSC::isJITEnabled):
(JSC::ExecutableAllocator::disableJIT):
* Source/WebKit/Scripts/process-entitlements.sh:
* Tools/WebKitTestRunner/Configurations/WebKitTestRunner-internal.entitlements:
* Tools/WebKitTestRunner/Configurations/WebKitTestRunnerApp-iOS.entitlements:

Canonical link: https://commits.webkit.org/276913@main
[webkit-changes] [WebKit/WebKit] e8b59e: Clean up inline jit permissions macros (2)
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e8b59ec70b6894b1d59f46fe2db16954ed3ae9c7
https://github.com/WebKit/WebKit/commit/e8b59ec70b6894b1d59f46fe2db16954ed3ae9c7
Author: Justin Michaud
Date: 2024-04-01 (Mon, 01 Apr 2024)

Changed paths:
M Source/JavaScriptCore/Configurations/Base.xcconfig
M Source/WTF/wtf/PlatformUse.h
M Source/WebCore/Configurations/WebCore.xcconfig

Log Message:
---
Clean up inline jit permissions macros (2)
https://bugs.webkit.org/show_bug.cgi?id=270937
rdar://125616477

Reviewed by Mark Lam.

Clean up inline jit permissions macros (2).

* Source/WTF/wtf/PlatformUse.h:

Canonical link: https://commits.webkit.org/276903@main
[webkit-changes] [WebKit/WebKit] 583899: Signed loads should not zero-def their destination.
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 58389979b17a533801e90121829b5e1e2b4068cc
https://github.com/WebKit/WebKit/commit/58389979b17a533801e90121829b5e1e2b4068cc
Author: Justin Michaud
Date: 2024-03-29 (Fri, 29 Mar 2024)

Changed paths:
M Source/JavaScriptCore/b3/air/AirOpcode.opcodes

Log Message:
---
Signed loads should not zero-def their destination.
https://bugs.webkit.org/show_bug.cgi?id=271866
rdar://122959696

Reviewed by Yusuke Suzuki.

This fixes a hang in Google Meet when applying the Black Noir filter.

Suppose we have:

```
@a = Load8SignedExtendTo32(@x)
@b = Trunc(ZExt32(@a))
```

B3 reduceStrength will convert @b to @a. The Air register allocator will see that we ZDef 64 bits in @a, but on ARM64, we actually sign-extend them.

This was caught by changing reduceStrength:

```
case Trunc:
    // Turn this: Trunc(SExt32(value)) or Trunc(ZExt32(value))
    // Into this: value
    if (m_value->child(0)->opcode() == SExt32 || m_value->child(0)->opcode() == ZExt32) {
        auto* value = m_value->child(0)->child(0);
        auto* patchpoint = m_insertionSet.insert(
            m_index, m_value->type(), m_value->origin());
        patchpoint->effects = Effects();
        patchpoint->effects.reads = HeapRange::top();
        patchpoint->effects.exitsSideways = true;
        patchpoint->append(value);
        patchpoint->setGenerator([&] (CCallHelpers& jit, const StackmapGenerationParams& params) {
            RELEASE_ASSERT(params.size() == 2);
            RELEASE_ASSERT(params[0].isGPR());
            RELEASE_ASSERT(params[1].isGPR());
            auto dst = params[0].gpr();
            auto a = params[1].gpr();
            auto branch = jit.branchTest64(CCallHelpers::Zero, a, MacroAssembler::TrustedImm64(0x));
            jit.breakpoint();
            jit.breakpoint(0);
            jit.breakpoint(1);
            jit.breakpoint(2);
            branch.link();
            jit.move(a, dst);
        });
        replaceWithNew(Identity, m_value->origin(), patchpoint);
```

* Source/JavaScriptCore/b3/air/AirOpcode.opcodes:

Canonical link: https://commits.webkit.org/276829@main
[webkit-changes] [WebKit/WebKit] 569a5b: Adopt Fatal Exceptions Entitlement (2)
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 569a5bc33cff09cbe15de7a91c47466ee5efbe70
https://github.com/WebKit/WebKit/commit/569a5bc33cff09cbe15de7a91c47466ee5efbe70
Author: Justin Michaud
Date: 2024-03-26 (Tue, 26 Mar 2024)

Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh
M Source/WebKit/Scripts/process-entitlements.sh

Log Message:
---
Adopt Fatal Exceptions Entitlement (2)
https://bugs.webkit.org/show_bug.cgi?id=271663
rdar://125261792

Reviewed by Mark Lam.

Adopt Fatal Exceptions Entitlement. This entitlement should be safe to adopt on all Apple platforms.

The first version of this patch broke EWS, so we remove the simulator changes.

* Source/JavaScriptCore/Scripts/process-entitlements.sh:
* Source/JavaScriptCore/entitlements.plist:
* Source/WebKit/Scripts/process-entitlements.sh:
* Source/WebKit/Shared/AuxiliaryProcessExtensions/WebContentProcessExtension.entitlements:

Canonical link: https://commits.webkit.org/276691@main
[webkit-changes] [WebKit/WebKit] 4322c3: Stack check size can be zero if omg skips stack ch...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4322c3bd5293d6b328b3745ef628cf9c41ca9cdb
https://github.com/WebKit/WebKit/commit/4322c3bd5293d6b328b3745ef628cf9c41ca9cdb
Author: Justin Michaud
Date: 2024-03-26 (Tue, 26 Mar 2024)

Changed paths:
A JSTests/wasm/stress/omg-osr-stack-check-2.js
A JSTests/wasm/stress/omg-osr-stack-check-2.wasm
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp

Log Message:
---
Stack check size can be zero if omg skips stack checks.
https://bugs.webkit.org/show_bug.cgi?id=271011
rdar://124390384

Reviewed by Yusuke Suzuki.

For leaf functions that have really small stacks, this stack check can be skipped and the ASSERT(stackCheckSize()) is wrong. We change the assert to ensure that the stack check size is set, but if it is not needed, we can skip the stack check.

* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompileB3):
* Source/JavaScriptCore/wasm/WasmCallee.h:

Originally-landed-as: 272448.753@safari-7618-branch (aef93328873d). rdar://124390384
Canonical link: https://commits.webkit.org/276682@main
[webkit-changes] [WebKit/WebKit] 3a0671: Add missing stack check to bbq->omg OSR
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3a0671fdf83143eb848ccf3e2f565d2fd4bded7b
https://github.com/WebKit/WebKit/commit/3a0671fdf83143eb848ccf3e2f565d2fd4bded7b
Author: Justin Michaud
Date: 2024-03-25 (Mon, 25 Mar 2024)

Changed paths:
A JSTests/wasm/stress/omg-stack-overflow.js
A JSTests/wasm/stress/omg-stack-overflow.wasm
M Source/JavaScriptCore/wasm/WasmOperations.cpp

Log Message:
---
Add missing stack check to bbq->omg OSR
https://bugs.webkit.org/show_bug.cgi?id=270605
rdar://124060272

Reviewed by Keith Miller.

In https://commits.webkit.org/272448.466@safari-7618-branch, we turned a stack overflow during OSR entry into a crash, preventing a security issue. While the crash prevents memory corruption, it should never happen. This patch fixes a case that was missed in the first patch.

Note: the test case currently runs forever, so it is skipped until we fix the watchdog in wasm.

* JSTests/wasm/stress/omg-stack-overflow.js: Added.
(globalThis.callerIsBBQOrOMGCompiled.instantiateJsc):
(else.instantiateBrowser):
(async let):
* JSTests/wasm/stress/omg-stack-overflow.wasm: Added.
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):

Originally-landed-as: 272448.704@safari-7618-branch (36930ea8be72). rdar://125261536
Canonical link: https://commits.webkit.org/276645@main
[webkit-changes] [WebKit/WebKit] 5a2127: Revert BECore cleanup.
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5a21270b827059302cbd0fafb6a145d1bbf78709
https://github.com/WebKit/WebKit/commit/5a21270b827059302cbd0fafb6a145d1bbf78709
Author: Justin Michaud
Date: 2024-03-25 (Mon, 25 Mar 2024)

Changed paths:
M Source/JavaScriptCore/Configurations/Base.xcconfig
M Source/WTF/wtf/PlatformUse.h
M Source/WebCore/Configurations/WebCore.xcconfig

Log Message:
---
Revert BECore cleanup.
https://bugs.webkit.org/show_bug.cgi?id=271661
rdar://125362649

Reviewed by Wenson Hsieh.

This broke some builds.

* Source/JavaScriptCore/Configurations/Base.xcconfig:
* Source/WTF/wtf/PlatformUse.h:
* Source/WebCore/Configurations/WebCore.xcconfig:

Canonical link: https://commits.webkit.org/276634@main
[webkit-changes] [WebKit/WebKit] 28e1e8: Adopt Fatal Exceptions Entitlement
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 28e1e825b7afcabf416710850df55686420ab3f1
https://github.com/WebKit/WebKit/commit/28e1e825b7afcabf416710850df55686420ab3f1
Author: Justin Michaud
Date: 2024-03-23 (Sat, 23 Mar 2024)

Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh
M Source/JavaScriptCore/entitlements.plist
M Source/WebKit/Scripts/process-entitlements.sh
M Source/WebKit/Shared/AuxiliaryProcessExtensions/WebContentProcessExtension.entitlements

Log Message:
---
Adopt Fatal Exceptions Entitlement
https://bugs.webkit.org/show_bug.cgi?id=271496
rdar://125261792

Reviewed by Mark Lam.

Adopt Fatal Exceptions Entitlement. This entitlement should be safe to adopt on all Apple platforms.

* Source/JavaScriptCore/Scripts/process-entitlements.sh:
* Source/JavaScriptCore/entitlements.plist:
* Source/WebKit/Scripts/process-entitlements.sh:
* Source/WebKit/Shared/AuxiliaryProcessExtensions/WebContentProcessExtension.entitlements:

Canonical link: https://commits.webkit.org/276590@main
[webkit-changes] [WebKit/WebKit] 41005c: Support arm64 devices for inline jit toggle api fo...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 41005c9bbd29a09c26fae9fceae8c52a5908da9a
https://github.com/WebKit/WebKit/commit/41005c9bbd29a09c26fae9fceae8c52a5908da9a
Author: Justin Michaud
Date: 2024-03-20 (Wed, 20 Mar 2024)

Changed paths:
M Source/WTF/wtf/PlatformUse.h

Log Message:
---
Support arm64 devices for inline jit toggle api for testing.
https://bugs.webkit.org/show_bug.cgi?id=271256
rdar://124978350

Reviewed by Mark Lam.

Support arm64 devices for inline jit toggle api for testing.

* Source/WTF/wtf/PlatformUse.h:

Canonical link: https://commits.webkit.org/276423@main
[webkit-changes] [WebKit/WebKit] e09543: BBQJIT OSR Entry throws stack overflow from invali...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e0954318753da3a4c14b63c1a20d36a16c1053b2
https://github.com/WebKit/WebKit/commit/e0954318753da3a4c14b63c1a20d36a16c1053b2
Author: Justin Michaud
Date: 2024-03-20 (Wed, 20 Mar 2024)

Changed paths:
A JSTests/wasm/stress/repro_1289.js
A JSTests/wasm/stress/repro_1289.wasm
A JSTests/wasm/stress/repro_1289.wat
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT.h
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmInstance.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/WasmOperations.h
M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp
M Source/JavaScriptCore/wasm/WasmThunks.cpp
M Source/JavaScriptCore/wasm/WasmThunks.h

Log Message:
---
BBQJIT OSR Entry throws stack overflow from invalid frame
https://bugs.webkit.org/show_bug.cgi?id=268424
rdar://121251778

Reviewed by Yusuke Suzuki.

In this test case, we end up in a situation where the current LLInt frame is above the soft stack limit. We then loop osr entry into BBQ, where we perform a stack check and fail, but before we finish writing the OSR entry buffer into our stack frame. The stack unwinder sees the BBQ callee and we jump to that, but the frame is uninitialized.

The fix is twofold; we first make BBQ crash in this case to avoid a security issue. We do the same for OMG, just in case this bug is exploitable there too. Second, we do a stack check before performing OSR entry, and fail early.

* JSTests/wasm/stress/repro_1289.js: Added.
(debuggingHelper):
(instantiateJsc):
(async let):
* JSTests/wasm/stress/repro_1289.wasm: Added.
* JSTests/wasm/stress/repro_1289.wat: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::stackCheckSize const):
(JSC::Wasm::BBQJIT::addLoopOSREntrypoint):
(JSC::Wasm::parseAndCompileBBQ):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmInstance.h:
(JSC::Wasm::Instance::softStackLimit const):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperations.h:
* Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
(JSC::LLInt::WASM_SLOW_PATH_DECL):
* Source/JavaScriptCore/wasm/WasmThunks.cpp:
(JSC::Wasm::crashDueToBBQStackOverflow):
* Source/JavaScriptCore/wasm/WasmThunks.h:

Originally-landed-as: 272448.466@safari-7618-branch (a08ba6e8c208). rdar://124558656
Canonical link: https://commits.webkit.org/276403@main
[webkit-changes] [WebKit/WebKit] 588ac0: [ iOS tvOS ]10X wasm.yaml/wasm/v8/table* (jsc-test...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 588ac09a2bad9e71f7cd5f315d7114464de24104
https://github.com/WebKit/WebKit/commit/588ac09a2bad9e71f7cd5f315d7114464de24104
Author: Justin Michaud
Date: 2024-03-15 (Fri, 15 Mar 2024)

Changed paths:
M JSTests/wasm/v8/table.js
M Tools/Scripts/run-jsc-stress-tests

Log Message:
---
[ iOS tvOS ]10X wasm.yaml/wasm/v8/table* (jsc-tests) are constant failures
https://bugs.webkit.org/show_bug.cgi?id=270950
rdar://124479459

Reviewed by Keith Miller.

Some of the more intensive modes cause this test to be OOM killed, so let's just skip them.

* JSTests/wasm/v8/table.js:

Canonical link: https://commits.webkit.org/276206@main
[webkit-changes] [WebKit/WebKit] bcd671: Cherry-pick 276012@main (910ab18a82d4). https://bu...
ebCore/bindings/js/SerializedScriptValue.h

Log Message:
---
Cherry-pick c3c2a42ade13. https://bugs.webkit.org/show_bug.cgi?id=266806

Safari's IndexedDB data may not be deserialized correctly after system upgrades
https://bugs.webkit.org/show_bug.cgi?id=266806
rdar://120031024

Reviewed by NOBODY (OOPS!).

To fix rdar://119834827, we introduce version 12.1 to SerializeScriptValue, which changed the terminator of the indexed property section in array compared to version 12. To make sure the deserializer knows to deserialize version 12.1, we encode the minor version in the highest 8 bits of the version number. We keep the lowest 24 bits as the major version number for backward compatibility (the previously stored 32-bit major version number can be interpreted as a major version with minor version 0).

* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::majorVersionFor):
(WebCore::minorVersionFor):
(WebCore::makeVersion):
(WebCore::currentVersion):
(WebCore::CloneSerializer::serialize):
(WebCore::CloneSerializer::CloneSerializer):
(WebCore::CloneDeserializer::deserializeString):
(WebCore::CloneDeserializer::deserialize):
(WebCore::CloneDeserializer::isValid const):
(WebCore::CloneDeserializer::shouldRetryWithVersionUpgrade):
(WebCore::CloneDeserializer::upgradeVersion):
(WebCore::CloneDeserializer::read):
(WebCore::CloneDeserializer::readFile):
(WebCore::CloneDeserializer::readArrayBuffer):
(WebCore::CloneDeserializer::readArrayBufferView):
(WebCore::CloneDeserializer::readImageBitmap):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::version const): Deleted.
(WebCore::SerializedScriptValue::wireFormatVersion): Deleted.
* Source/WebCore/bindings/js/SerializedScriptValue.h:

Canonical link: https://commits.webkit.org/267815.665@safari-7617.2.4.10-branch
Identifier: 270272.2255@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.92@webkitglib/2.44

Commit: 6789d169e841c6c69cf4fc778fd139a3a2b1ac10
https://github.com/WebKit/WebKit/commit/6789d169e841c6c69cf4fc778fd139a3a2b1ac10
Author: Justin Michaud
Date: 2024-03-15 (Fri, 15 Mar 2024)

Changed paths:
A JSTests/wasm/stress/repro_1289.js
A JSTests/wasm/stress/repro_1289.wasm
A JSTests/wasm/stress/repro_1289.wat
M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT.h
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmInstance.h
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/WasmOperations.h
M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp
M Source/JavaScriptCore/wasm/WasmThunks.cpp
M Source/JavaScriptCore/wasm/WasmThunks.h

Log Message:
---
Cherry-pick 272448.466@safari-7618-branch (a08ba6e8c208). https://bugs.webkit.org/show_bug.cgi?id=268424

BBQJIT OSR Entry throws stack overflow from invalid frame
https://bugs.webkit.org/show_bug.cgi?id=268424
rdar://121251778

Reviewed by Yusuke Suzuki.

In this test case, we end up in a situation where the current LLInt frame is above the soft stack limit. We then loop osr entry into BBQ, where we perform a stack check and fail, but before we finish writing the OSR entry buffer into our stack frame. The stack unwinder sees the BBQ callee and we jump to that, but the frame is uninitialized.

The fix is twofold; we first make BBQ crash in this case to avoid a security issue. We do the same for OMG, just in case this bug is exploitable there too. Second, we do a stack check before performing OSR entry, and fail early.

* JSTests/wasm/stress/repro_1289.js: Added.
(debuggingHelper):
(instantiateJsc):
(async let):
* JSTests/wasm/stress/repro_1289.wasm: Added.
* JSTests/wasm/stress/repro_1289.wat: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::stackCheckSize const):
(JSC::Wasm::BBQJIT::addLoopOSREntrypoint):
(JSC::Wasm::parseAndCompileBBQ):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmInstance.h:
(JSC::Wasm::Instance::softStackLimit const):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperations.h:
* Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
(JSC::LLInt::WASM_SLOW_PATH_DECL):
* Source/JavaScriptCore/wasm/WasmThunks.cpp:
(JSC::Wasm::crashDueToBBQStackOverflow):
* Source/JavaScriptCore/wasm/WasmThunks.h:

Canonical link: https://commits.webkit.org/272448.466@safari-7618-branch
Canonical link: https://commits.webkit.org/274313.93@webkitglib/2.44

Compare: https://github.com/WebKit/WebKit/compare/3cf2b08d49dd...6789d169e841
[webkit-changes] [WebKit/WebKit] c0307b: Clean up inline jit permissions macros
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c0307b8afe4d721b543b9c3246e20afac2da6866
https://github.com/WebKit/WebKit/commit/c0307b8afe4d721b543b9c3246e20afac2da6866
Author: Justin Michaud
Date: 2024-03-13 (Wed, 13 Mar 2024)

Changed paths:
M Source/WTF/wtf/PlatformUse.h

Log Message:
---
Clean up inline jit permissions macros
https://bugs.webkit.org/show_bug.cgi?id=270937
rdar://124558039

Reviewed by Wenson Hsieh.

Clean up inline jit permissions macros.

* Source/WTF/wtf/PlatformUse.h:

Canonical link: https://commits.webkit.org/276061@main
[webkit-changes] [WebKit/WebKit] ef0ad7: Versioning.
M Source/WTF/wtf/spi/cocoa/IOSurfaceSPI.h
M Source/WTF/wtf/spi/darwin/XPCSPI.h
M Source/WebCore/PAL/pal/spi/cocoa/AVFoundationSPI.h
A Source/WebCore/PAL/pal/spi/ios/BrowserEngineKitSPI.h
M Source/WebKit/Platform/spi/ios/UIKitSPI.h
M Tools/TestRunnerShared/spi/UIKitSPIForTesting.h

Log Message:
---
Cherry-pick 5cdf58dba105. rdar://121706323

Cherry-pick 274016@main (98226f6cc5f3). rdar://problem/121706323

[iOS] Update SPI headers for iOS 17.4
https://bugs.webkit.org/show_bug.cgi?id=268210
rdar://problem/121706323

Reviewed by Jonathan Bedard and Alexey Proskuryakov.

Add platform flags for libxpc (which is API as of iOS 17.4+) and for other SPI that were promoted to API as part of the BrowserEngineKit introduction. Use them to avoid redeclaring things that are now publicly available. Additionally, write new BrowserEngineKit SPI declarations for symbols that are used in testing and by SPI clients of WebKit.

* Source/WTF/wtf/PlatformHave.h:
* Source/WTF/wtf/spi/cocoa/IOSurfaceSPI.h:
* Source/WTF/wtf/spi/darwin/XPCSPI.h:
* Source/WebCore/PAL/pal/spi/cocoa/AVFoundationSPI.h:
* Source/WebCore/PAL/pal/spi/ios/BrowserEngineKitSPI.h:
* Source/WebKit/Platform/spi/ios/UIKitSPI.h:
* Tools/TestRunnerShared/spi/UIKitSPIForTesting.h:

Canonical link: https://commits.webkit.org/274016@main
Canonical link: https://commits.webkit.org/272448.522@safari-7618-branch
Identifier: 272448.530@safari-7618.1.15.13-branch

Commit: 846891e52c8fe0ddf23e4443ce2faa8fdaede93e
https://github.com/WebKit/WebKit/commit/846891e52c8fe0ddf23e4443ce2faa8fdaede93e
Author: Myah Cobbs
Date: 2024-02-08 (Thu, 08 Feb 2024)

Changed paths:
M Source/WTF/wtf/PlatformHave.h
M Source/WTF/wtf/spi/cocoa/IOSurfaceSPI.h
M Source/WTF/wtf/spi/darwin/XPCSPI.h
M Source/WebCore/PAL/pal/spi/cocoa/AVFoundationSPI.h
R Source/WebCore/PAL/pal/spi/ios/BrowserEngineKitSPI.h
M Source/WebKit/Platform/spi/ios/UIKitSPI.h
M Tools/TestRunnerShared/spi/UIKitSPIForTesting.h

Log Message:
---
Revert "Cherry-pick 5cdf58dba105. rdar://121706323"

This reverts commit a666863e2773f8d067f4d8b5a85679d7aa57d80e.

Identifier: 272448.531@safari-7618.1.15.13-branch

Commit: 890ade78f88b5e462f8f1dee0cd56acaa4c86f22
https://github.com/WebKit/WebKit/commit/890ade78f88b5e462f8f1dee0cd56acaa4c86f22
Author: Dan Robson
Date: 2024-02-15 (Thu, 15 Feb 2024)

Changed paths:
M Configurations/Version.xcconfig

Log Message:
---
Versioning.

WebKit-618.1.15.13.2

Identifier: 272448.532@safari-7618.1.15.13-branch

Commit: f3114daa88af2233557055b1c6527d468f41c1d1
https://github.com/WebKit/WebKit/commit/f3114daa88af2233557055b1c6527d468f41c1d1
Author: Justin Michaud
Date: 2024-02-15 (Thu, 15 Feb 2024)

Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh

Log Message:
---
Cherry-pick 8179ae2db1bf. rdar://122826926

Clean up JSC shell entitlements to fix RAMification.
rdar://122826926

Reviewed by Yusuke Suzuki.

In https://commits.webkit.org/272448.472@safari-7618-branch, we switched to the new allow-jit entitlement. This broke RAMification runs because the JSC binary doesn't have the com.apple.developer.web-browser-engine.webcontent entitlement. This patch adds it.

* Source/JavaScriptCore/Scripts/process-entitlements.sh:

Canonical link: https://commits.webkit.org/272448.538@safari-7618-branch
Identifier: 272448.533@safari-7618.1.15.13-branch

Compare: https://github.com/WebKit/WebKit/compare/ef0ad7f8ee46%5E...f3114daa88af
[webkit-changes] [WebKit/WebKit] e6a859: Cherry-pick 26aaa25dcbdc. rdar://122309325
M Source/WTF/wtf/spi/cocoa/IOSurfaceSPI.h
M Source/WTF/wtf/spi/darwin/XPCSPI.h
M Source/WebCore/PAL/pal/spi/cocoa/AVFoundationSPI.h
A Source/WebCore/PAL/pal/spi/ios/BrowserEngineKitSPI.h
M Source/WebKit/Platform/spi/ios/UIKitSPI.h
M Tools/TestRunnerShared/spi/UIKitSPIForTesting.h

Log Message:
---
Cherry-pick 5cdf58dba105. rdar://121706323

Cherry-pick 274016@main (98226f6cc5f3). rdar://problem/121706323

[iOS] Update SPI headers for iOS 17.4
https://bugs.webkit.org/show_bug.cgi?id=268210
rdar://problem/121706323

Reviewed by Jonathan Bedard and Alexey Proskuryakov.

Add platform flags for libxpc (which is API as of iOS 17.4+) and for other SPI that were promoted to API as part of the BrowserEngineKit introduction. Use them to avoid redeclaring things that are now publicly available. Additionally, write new BrowserEngineKit SPI declarations for symbols that are used in testing and by SPI clients of WebKit.

* Source/WTF/wtf/PlatformHave.h:
* Source/WTF/wtf/spi/cocoa/IOSurfaceSPI.h:
* Source/WTF/wtf/spi/darwin/XPCSPI.h:
* Source/WebCore/PAL/pal/spi/cocoa/AVFoundationSPI.h:
* Source/WebCore/PAL/pal/spi/ios/BrowserEngineKitSPI.h:
* Source/WebKit/Platform/spi/ios/UIKitSPI.h:
* Tools/TestRunnerShared/spi/UIKitSPIForTesting.h:

Canonical link: https://commits.webkit.org/274016@main
Canonical link: https://commits.webkit.org/272448.522@safari-7618-branch
Identifier: 272448.530@safari-7618.1.15.12-branch

Commit: f9c31bfd8bc3cf9eb83ff42fa470f7833e549e76
https://github.com/WebKit/WebKit/commit/f9c31bfd8bc3cf9eb83ff42fa470f7833e549e76
Author: Myah Cobbs
Date: 2024-02-08 (Thu, 08 Feb 2024)

Changed paths:
M Source/WTF/wtf/PlatformHave.h
M Source/WTF/wtf/spi/cocoa/IOSurfaceSPI.h
M Source/WTF/wtf/spi/darwin/XPCSPI.h
M Source/WebCore/PAL/pal/spi/cocoa/AVFoundationSPI.h
R Source/WebCore/PAL/pal/spi/ios/BrowserEngineKitSPI.h
M Source/WebKit/Platform/spi/ios/UIKitSPI.h
M Tools/TestRunnerShared/spi/UIKitSPIForTesting.h

Log Message:
---
Revert "Cherry-pick 5cdf58dba105. rdar://121706323"

This reverts commit 9952c70b8dc64278be024239d63f0e93b7edc55c.

Identifier: 272448.531@safari-7618.1.15.12-branch

Commit: 9dac2ef3ce41b21cb27908703dd76410ae999e47
https://github.com/WebKit/WebKit/commit/9dac2ef3ce41b21cb27908703dd76410ae999e47
Author: Dan Robson
Date: 2024-02-15 (Thu, 15 Feb 2024)

Changed paths:
M Configurations/Version.xcconfig

Log Message:
---
Versioning.

WebKit-618.1.15.12.2

Identifier: 272448.532@safari-7618.1.15.12-branch

Commit: ce155b8048b9f1e541a2302054f3fa4e0a6a3deb
https://github.com/WebKit/WebKit/commit/ce155b8048b9f1e541a2302054f3fa4e0a6a3deb
Author: Justin Michaud
Date: 2024-02-15 (Thu, 15 Feb 2024)

Changed paths:
M Source/JavaScriptCore/Scripts/process-entitlements.sh

Log Message:
---
Cherry-pick 8179ae2db1bf. rdar://122826926

Clean up JSC shell entitlements to fix RAMification.
rdar://122826926

Reviewed by Yusuke Suzuki.

In https://commits.webkit.org/272448.472@safari-7618-branch, we switched to the new allow-jit entitlement. This broke RAMification runs because the JSC binary doesn't have the com.apple.developer.web-browser-engine.webcontent entitlement. This patch adds it.

* Source/JavaScriptCore/Scripts/process-entitlements.sh:

Canonical link: https://commits.webkit.org/272448.538@safari-7618-branch
Identifier: 272448.533@safari-7618.1.15.12-branch

Compare: https://github.com/WebKit/WebKit/compare/e6a859812f68%5E...ce155b8048b9
[webkit-changes] [WebKit/WebKit] a9c33a: Wasm Callee should remain set even after tier-up
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a9c33a2b496aeadd33e500d7e474710f4abfbf8a
https://github.com/WebKit/WebKit/commit/a9c33a2b496aeadd33e500d7e474710f4abfbf8a
Author: Justin Michaud
Date: 2024-02-21 (Wed, 21 Feb 2024)

Changed paths:
M LayoutTests/platform/mac/TestExpectations
M Source/JavaScriptCore/wasm/WasmCallsiteCollection.cpp

Log Message:
---
Wasm Callee should remain set even after tier-up
https://bugs.webkit.org/show_bug.cgi?id=268990
rdar://123015079

Reviewed by Alexey Shvayka.

We may still need to call into the LLInt after tier-up, so we shouldn't clear callee.

* Source/JavaScriptCore/wasm/WasmCallsiteCollection.cpp:
(JSC::Wasm::CallsiteCollection::updateCallsitesToCallUs):

Canonical link: https://commits.webkit.org/275095@main
[webkit-changes] [WebKit/WebKit] c9407f: REGRESSION (December 2023?): 2x increase in JSC-Te...
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c9407f23b73ea3d5b24c385330d2a2d413fe2b1f
https://github.com/WebKit/WebKit/commit/c9407f23b73ea3d5b24c385330d2a2d413fe2b1f
Author: Justin Michaud
Date: 2024-02-14 (Wed, 14 Feb 2024)

Changed paths:
M Source/JavaScriptCore/runtime/Options.cpp

Log Message:
---
REGRESSION (December 2023?): 2x increase in JSC-Tests-EWS build duration
https://bugs.webkit.org/show_bug.cgi?id=269245
rdar://121678486

Reviewed by Yusuke Suzuki.

Skip useRandomizingExecutableIslandAllocation on x86 where we don't use jump islands anyway.

* Source/JavaScriptCore/runtime/Options.cpp:
(JSC::Options::notifyOptionsChanged):

Canonical link: https://commits.webkit.org/274663@main
[webkit-changes] [WebKit/WebKit] c2eee1: Change wasm calling convention; set callee from ca...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: c2eee1bb4cec95f71e53400d83a2985463423c17 https://github.com/WebKit/WebKit/commit/c2eee1bb4cec95f71e53400d83a2985463423c17 Author: Justin Michaud Date: 2024-02-01 (Thu, 01 Feb 2024) Changed paths: M JSTests/wasm/function-references/call_ref.js A JSTests/wasm/stress/cc-int-to-int-cross-module.js A JSTests/wasm/stress/cc-int-to-int-jit-to-llint.js A JSTests/wasm/stress/cc-int-to-int.js M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp M Source/JavaScriptCore/interpreter/CalleeBits.h M Source/JavaScriptCore/jit/CCallHelpers.h M Source/JavaScriptCore/llint/WebAssembly.asm M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp M Source/JavaScriptCore/wasm/WasmBinding.cpp M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp M Source/JavaScriptCore/wasm/WasmCalleeGroup.h M Source/JavaScriptCore/wasm/WasmCallsiteCollection.cpp M Source/JavaScriptCore/wasm/WasmFormat.h M Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp M Source/JavaScriptCore/wasm/WasmInstance.cpp M Source/JavaScriptCore/wasm/WasmInstance.h M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp M Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp M Source/JavaScriptCore/wasm/js/JSToWasm.cpp M Source/JavaScriptCore/wasm/js/JSToWasm.h M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h M Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h M Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp Log Message: --- Change wasm calling convention; set callee from caller. https://bugs.webkit.org/show_bug.cgi?id=266779 rdar://120007206 Reviewed by Yusuke Suzuki. This is the first step to running wasm without jit. 
This calling convention change opens the door to removing the LLInt entry thunk by setting the wasm callee from the caller. When a call is made into wasm, we first create a frame with the JSWebAssemblyFunction as the callee. From this point on, callees are no longer JSObjects. The LLInt needs to read stuff from the callee to know what to execute. Today we have a unique address for each wasm function / tier. This change means that the LLInt or IPInt can make all functions share an entrypoint, and there is no more need for the LLInt/IPInt entry thunk. This patch doesn't actually remove the thunk yet; it replaces it with a debug assertion. JIT tiers don't need their callees to be written this way, and they should continue to write them themselves. This way, we write the interpreter callee into our JIT callsites, and never have to worry about atomically repatching it when we update the entrypoint.

== The path to JITless wasm ==

Once this patch is landed and stable, we can remove the debug assertion and remove the LLInt entry thunks. The next step is to start picking off some simple JS->Wasm thunk cases to replace with an IPInt-style metadata interpreter + some fixed fast paths. This should save us some memory initially, and we can eventually remove the entry/exit thunks completely.

== Arm 32 ==

(Fixes from Joseph Griego) On 32-bit we have a totally different CalleeBits representation; it's morally a JSValue except it might have the NativeValueTag, so the tag needs to be written when this slot is initialized, either in the runtime or in JITted code. AFAICT there's no existing way to write to a CalleeBits location from C++ right now so I added some methods in CalleeBits to help with this--it would probably be better long-term to have a `Register::operator=(CalleeBits)` or something along those lines.

* JSTests/wasm/stress/cc-int-to-int.js: Added. 
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.type.sig_test.func.param.i32.result.i32.table.t.1.funcref.elem.i32.const.0.test.func.test.export.string_appeared_here.param.x.i32.result.i32.i32.add.local.x.i32.const.42.func.export.string_appeared_here.param.x.i32.result.i32.i32.add.local.x.call.test.i32.const.1337.func.export.string_appeared_here.param.x.i32.result.i32.local.x.i32.const.98.call_indirect.t.type.sig_test.i32.const.0.i32.add.async test): * Source/JavaScriptCore/llint/LowLevelInterpreter.cpp: * Source/JavaScriptCore/llint/WebAssembly.asm: * Source/JavaScriptCore/offlineasm/arm.rb: * Source/JavaScriptCore/offlineasm/arm64.rb: * Source/JavaScriptCore/offlineasm/registers.rb: * Source/JavaScriptCore/runtime/Options.cpp: (JSC::Options::notifyOptionsChanged): * Source/JavaScriptCore/runtime/UGPRPair.h: (JSC::makeUGPRTriple): (JSC::encodeResult): (JSC::decodeResult): * Source/JavaScriptCore/w
[webkit-changes] [WebKit/WebKit] a4ada8: ARM64 build fix; Second attempt
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: a4ada8aea580b1cc071df840f208aac97328929d https://github.com/WebKit/WebKit/commit/a4ada8aea580b1cc071df840f208aac97328929d Author: Justin Michaud Date: 2024-02-01 (Thu, 01 Feb 2024) Changed paths: M Source/JavaScriptCore/assembler/FastJITPermissions.h M Source/JavaScriptCore/jit/ExecutableAllocator.cpp M Source/WTF/wtf/PlatformUse.h Log Message: --- ARM64 build fix; Second attempt https://bugs.webkit.org/show_bug.cgi?id=268558 rdar://122109093 Reviewed by Mark Lam. * Source/JavaScriptCore/assembler/FastJITPermissions.h: (threadSelfRestrictSupported): (threadSelfRestrictRWXToRW): (threadSelfRestrictRWXToRX): * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): * Source/WTF/wtf/PlatformUse.h: Canonical link: https://commits.webkit.org/273926@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] d2ea11: Revert arm64 build fixes
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: d2ea11d2ec6050d30961ba4b2038c1b6a566b82a https://github.com/WebKit/WebKit/commit/d2ea11d2ec6050d30961ba4b2038c1b6a566b82a Author: Justin Michaud Date: 2024-01-31 (Wed, 31 Jan 2024) Changed paths: M Source/JavaScriptCore/assembler/FastJITPermissions.h M Source/JavaScriptCore/jit/ExecutableAllocator.cpp Log Message: --- Revert arm64 build fixes https://bugs.webkit.org/show_bug.cgi?id=268517 rdar://122018269 Unreviewed revert. Revert "ARM64 Build Fix (part 3)" This reverts commit 642c3a4c1b5e8d252d0bed6a6d9084a037fed03c. Revert "Fix ARM64 build (part 2)" This reverts commit 13ca1d4ad63fa5d8df592a7f45375929781d1c45. Revert "Build fix for arm64 builds" This reverts commit d21e6f3910e86f0b5553cb891594141c65d4049a. We will have a better build fix tomorrow. * Source/JavaScriptCore/assembler/FastJITPermissions.h: (be_memory_inline_jit_restrict_with_witness_supported): Deleted. (be_memory_inline_jit_restrict_rwx_to_rw_with_witness): Deleted. (be_memory_inline_jit_restrict_rwx_to_rx_with_witness): Deleted. * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): Canonical link: https://commits.webkit.org/273873@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 642c3a: ARM64 Build Fix (part 3)
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 642c3a4c1b5e8d252d0bed6a6d9084a037fed03c https://github.com/WebKit/WebKit/commit/642c3a4c1b5e8d252d0bed6a6d9084a037fed03c Author: Justin Michaud Date: 2024-01-31 (Wed, 31 Jan 2024) Changed paths: M Source/JavaScriptCore/jit/ExecutableAllocator.cpp Log Message: --- ARM64 Build Fix (part 3) https://bugs.webkit.org/show_bug.cgi?id=268491 rdar://122037743 Reviewed by Mark Lam. * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): Canonical link: https://commits.webkit.org/273861@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 13ca1d: Fix ARM64 build (part 2)
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 13ca1d4ad63fa5d8df592a7f45375929781d1c45 https://github.com/WebKit/WebKit/commit/13ca1d4ad63fa5d8df592a7f45375929781d1c45 Author: Justin Michaud Date: 2024-01-31 (Wed, 31 Jan 2024) Changed paths: M Source/JavaScriptCore/assembler/FastJITPermissions.h M Source/JavaScriptCore/jit/ExecutableAllocator.cpp Log Message: --- Fix ARM64 build (part 2) https://bugs.webkit.org/show_bug.cgi?id=268491 rdar://122037743 Reviewed by Yusuke Suzuki. * Source/JavaScriptCore/assembler/FastJITPermissions.h: (be_memory_inline_jit_restrict_with_witness_supported): * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: Canonical link: https://commits.webkit.org/273857@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] d21e6f: Build fix for arm64 builds
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: d21e6f3910e86f0b5553cb891594141c65d4049a https://github.com/WebKit/WebKit/commit/d21e6f3910e86f0b5553cb891594141c65d4049a Author: Justin Michaud Date: 2024-01-31 (Wed, 31 Jan 2024) Changed paths: M Source/JavaScriptCore/assembler/FastJITPermissions.h Log Message: --- Build fix for arm64 builds https://bugs.webkit.org/show_bug.cgi?id=268467 rdar://122018269 Reviewed by Mark Lam and Yusuke Suzuki. * Source/JavaScriptCore/assembler/FastJITPermissions.h: (be_memory_inline_jit_restrict_rwx_to_rw_with_witness): (be_memory_inline_jit_restrict_rwx_to_rx_with_witness): Canonical link: https://commits.webkit.org/273843@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 676f13: Adopt BrowserEngineCore
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 676f1380f1d50dd92f84b952b1fb8305a0a83224 https://github.com/WebKit/WebKit/commit/676f1380f1d50dd92f84b952b1fb8305a0a83224 Author: Justin Michaud Date: 2024-01-26 (Fri, 26 Jan 2024) Changed paths: M Source/JavaScriptCore/Configurations/Base.xcconfig M Source/JavaScriptCore/assembler/FastJITPermissions.h M Source/JavaScriptCore/jit/ExecutableAllocator.cpp M Source/WTF/wtf/PlatformUse.h M Source/WebCore/Configurations/WebCore.xcconfig Log Message: --- Adopt BrowserEngineCore https://bugs.webkit.org/show_bug.cgi?id=268175 rdar://121675394 Reviewed by Wenson Hsieh and Elliott Williams. Adopt BrowserEngineCore, and compile-time assert that it is enabled. * Source/JavaScriptCore/Configurations/Base.xcconfig: * Source/JavaScriptCore/assembler/FastJITPermissions.h: (threadSelfRestrictRWXToRW): (threadSelfRestrictRWXToRX): * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): * Source/WTF/wtf/PlatformUse.h: * Source/WebCore/Configurations/WebCore.xcconfig: Canonical link: https://commits.webkit.org/273590@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] cae26b: GC can run during B3::generate now, causing UAF in...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: cae26b36ccb9cf7c1e507b01dd8537efabd12194 https://github.com/WebKit/WebKit/commit/cae26b36ccb9cf7c1e507b01dd8537efabd12194 Author: Justin Michaud Date: 2024-01-05 (Fri, 05 Jan 2024) Changed paths: A JSTests/stress/gc-b3.js M Source/JavaScriptCore/bytecode/CodeBlock.cpp M Source/JavaScriptCore/dfg/DFGPlan.cpp Log Message: ---
GC can run during B3::generate now, causing UAF in patchpoints
https://bugs.webkit.org/show_bug.cgi?id=267112
rdar://120195529
Reviewed by Yusuke Suzuki.

Consider what happens when GC runs here:

```
{
    SetForScope disallowFreeze { state.graph.m_frozenValuesAreFinalized, true };
    GraphSafepoint safepoint(state.graph, safepointResult); // HERE
    B3::generate(*state.proc, jit);
}
```

We can see our global object and a bunch of plan state get collected. Inside FTLLowerDFGToB3, we read the following pointers:

```
jit.codeBlock()->globalObjectFor(semanticNodeOrigin)
codeBlock()->inferredName() / hash(), which read ownerExecutable()
state->jitCode
```

The first case is fixed by this patch. The second case only happens when dumping code. The third is not managed by the GC. It is possible that we read more, but these were the cases that jumped out to me. We just add an early return to globalObjectFor to avoid reading the freed value.

* Source/JavaScriptCore/bytecode/CodeBlock.cpp: (JSC::CodeBlock::globalObjectFor): * Source/JavaScriptCore/dfg/DFGPlan.cpp: (JSC::DFG::Plan::cancel): * Source/JavaScriptCore/ftl/FTLCompile.cpp: (JSC::FTL::compile):
Canonical link: https://commits.webkit.org/272710@main
[webkit-changes] [WebKit/WebKit] f089c3: Fix name collision in IPint
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: f089c38ff44d7c8123cb814a6cc54fea890ce47e https://github.com/WebKit/WebKit/commit/f089c38ff44d7c8123cb814a6cc54fea890ce47e Author: Justin Michaud Date: 2024-01-05 (Fri, 05 Jan 2024) Changed paths: M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj M Source/JavaScriptCore/Sources.txt M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.h M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp Log Message: --- Fix name collision in IPint https://bugs.webkit.org/show_bug.cgi?id=267013 rdar://120392413 Reviewed by Alexey Shvayka and Mark Lam. This was very confusing while debugging, since clang chose the IPInt copy of the function to use in the LLInt. Let's mark some functions as static, and just for good measure, mark them as no-unify so that the macros can't collide. * Source/JavaScriptCore/Sources.txt: * Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp: (JSC::LLInt::shouldJIT): Deleted. (JSC::LLInt::jitCompileAndSetHeuristics): Deleted. (JSC::LLInt::WASM_IPINT_EXTERN_CPP_DECL): Deleted. (JSC::LLInt::WASM_IPINT_EXTERN_CPP_DECL_1P): Deleted. (JSC::LLInt::doWasmCall): Deleted. (JSC::LLInt::doWasmCallIndirect): Deleted. Canonical link: https://commits.webkit.org/272692@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 0d5431: Make useRandomizingExecutableIslandAllocation do s...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 0d543178a0704db4a09d4b10ddbee1f964c47fbf https://github.com/WebKit/WebKit/commit/0d543178a0704db4a09d4b10ddbee1f964c47fbf Author: Justin Michaud Date: 2023-12-21 (Thu, 21 Dec 2023) Changed paths: M Source/JavaScriptCore/assembler/LinkBuffer.cpp M Source/JavaScriptCore/jit/ExecutableAllocator.cpp M Source/WTF/wtf/PlatformEnable.h Log Message: --- Make useRandomizingExecutableIslandAllocation do something when using libpas https://bugs.webkit.org/show_bug.cgi?id=266645 rdar://119876990 Reviewed by Alexey Shvayka. Make useRandomizingExecutableIslandAllocation do something when using libpas. Before enabling the libpas jit heap, this option randomized allocations of jit memory, allowing us to stress-test jump islands. This patch adds in some fragmentation. It is not as comprehensive as the original version of this option, but it is sufficient to trigger the creation of many jump islands while running JS2. * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: * Source/WTF/wtf/PlatformEnable.h: Canonical link: https://commits.webkit.org/272434@main
[webkit-changes] [WebKit/WebKit] 470e56: BBQJIT if conditions are very wrong
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 470e562ed7b830ee06b73b892c6ae243e48b9af2 https://github.com/WebKit/WebKit/commit/470e562ed7b830ee06b73b892c6ae243e48b9af2 Author: Justin Michaud Date: 2023-12-19 (Tue, 19 Dec 2023) Changed paths: A JSTests/wasm/stress/bbq-parallel-move.js M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp Log Message: --- BBQJIT if conditions are very wrong https://bugs.webkit.org/show_bug.cgi?id=26 rdar://problem/116145012 Reviewed by Keith Miller. BBQJIT if conditions are very wrong. By random chance, the condition value happens to be allocated in nonPreservedNonArgumentGPR1, but if you use more than 8 registers, we end up just reading a completely random value. Let's not do that. We also add some extra debugging assertions for parallel move. These shouldn't ever actually be hit, but they help us avoid a potential problem in the future if we make BBQ register allocation smarter. Finally, we allow allocating eax on x86, and fix some bugs surrounding if/else as a result. * JSTests/wasm/stress/bbq-parallel-move.js: Added. 
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.func.log_value.import.string_appeared_here.string_appeared_here.param.i32.func.export.string_appeared_here.param.p0.i32.param.p1.i32.param.p2.i32.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.result.i32.local.p0.then.local.p2.local.p0.i32.const.0.else.i32.const.0.local.p2.call.f.func.f.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.pl.i32.call.log_value.local.pl.async test.): (from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.func.log_value.import.string_appeared_here.string_appeared_here.param.i32.func.export.string_appeared_here.param.p0.i32.param.p1.i32.param.p2.i32.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.result.i32.local.p0.then.local.p2.local.p0.i32.const.0.else.i32.const.0.local.p2.call.f.func.f.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.pl.i32.call.log_value.local.pl.async test): * Source/JavaScriptCore/wasm/WasmBBQJIT.cpp: (JSC::Wasm::BBQJIT::ControlData::ControlData): (JSC::Wasm::BBQJIT::addIf): (JSC::Wasm::BBQJIT::emitIndirectCall): (JSC::Wasm::BBQJIT::emitShuffle): Originally-landed-as: 267815.223@safari-7617-branch (3c476842d24c). rdar://119592377 Canonical link: https://commits.webkit.org/272297@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 455c80: Work around build error caused by weak linking and...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 455c80625db0021ae482d684e5c116712666378a https://github.com/WebKit/WebKit/commit/455c80625db0021ae482d684e5c116712666378a Author: Justin Michaud Date: 2023-12-14 (Thu, 14 Dec 2023) Changed paths: M Source/JavaScriptCore/jit/ExecutableAllocator.cpp Log Message: --- Work around build error caused by weak linking and the direct call attribute https://bugs.webkit.org/show_bug.cgi?id=266414 rdar://119669705 Reviewed by Wenson Hsieh. Work around build error caused by weak linking and the direct call attribute * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): Canonical link: https://commits.webkit.org/272050@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 861cce: Add namespace qualifiers to a bunch of jsc types
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 861cce42f1988e8ac5b7269dbe43a8e54cd79c62 https://github.com/WebKit/WebKit/commit/861cce42f1988e8ac5b7269dbe43a8e54cd79c62 Author: Justin Michaud Date: 2023-12-14 (Thu, 14 Dec 2023) Changed paths: M Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp M Source/JavaScriptCore/b3/air/AirOpcode.opcodes M Source/JavaScriptCore/bytecode/CallLinkInfo.h M Source/JavaScriptCore/bytecode/CodeBlock.cpp M Source/JavaScriptCore/bytecode/CodeBlock.h M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp M Source/JavaScriptCore/bytecode/Repatch.cpp M Source/JavaScriptCore/bytecode/StructureStubInfo.h M Source/JavaScriptCore/dfg/DFGJITCompiler.cpp M Source/JavaScriptCore/dfg/DFGJITCompiler.h M Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp M Source/JavaScriptCore/dfg/DFGJITFinalizer.h M Source/JavaScriptCore/dfg/DFGOSREntry.cpp M Source/JavaScriptCore/dfg/DFGOperations.cpp M Source/JavaScriptCore/dfg/DFGPlan.cpp M Source/JavaScriptCore/dfg/DFGPlan.h M Source/JavaScriptCore/ftl/FTLJITFinalizer.h M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp M Source/JavaScriptCore/ftl/FTLState.h M Source/JavaScriptCore/heap/AbstractSlotVisitor.h M Source/JavaScriptCore/heap/AbstractSlotVisitorInlines.h M Source/JavaScriptCore/heap/AlignedMemoryAllocator.cpp M Source/JavaScriptCore/heap/AllocatingScope.h M Source/JavaScriptCore/heap/AllocatorInlines.h M Source/JavaScriptCore/heap/BlockDirectory.cpp M Source/JavaScriptCore/heap/CellContainer.h M Source/JavaScriptCore/heap/CellContainerInlines.h M Source/JavaScriptCore/heap/CollectingScope.h M Source/JavaScriptCore/heap/CompleteSubspace.cpp M Source/JavaScriptCore/heap/ConservativeRoots.cpp M Source/JavaScriptCore/heap/ConservativeRoots.h M Source/JavaScriptCore/heap/DeferGC.h M Source/JavaScriptCore/heap/EdenGCActivityCallback.cpp M Source/JavaScriptCore/heap/EdenGCActivityCallback.h M Source/JavaScriptCore/heap/FullGCActivityCallback.cpp M 
Source/JavaScriptCore/heap/FullGCActivityCallback.h M Source/JavaScriptCore/heap/GCActivityCallback.cpp M Source/JavaScriptCore/heap/Heap.cpp M Source/JavaScriptCore/heap/Heap.h M Source/JavaScriptCore/heap/HeapCell.h M Source/JavaScriptCore/heap/HeapCellInlines.h M Source/JavaScriptCore/heap/HeapInlines.h M Source/JavaScriptCore/heap/HeapIterationScope.h M Source/JavaScriptCore/heap/HeapUtil.h M Source/JavaScriptCore/heap/IncrementalSweeper.cpp M Source/JavaScriptCore/heap/IsoSubspace.cpp M Source/JavaScriptCore/heap/IsoSubspacePerVM.cpp M Source/JavaScriptCore/heap/LocalAllocator.cpp M Source/JavaScriptCore/heap/LocalAllocatorInlines.h M Source/JavaScriptCore/heap/MarkStackMergingConstraint.cpp M Source/JavaScriptCore/heap/MarkStackMergingConstraint.h M Source/JavaScriptCore/heap/MarkedBlock.cpp M Source/JavaScriptCore/heap/MarkedBlock.h M Source/JavaScriptCore/heap/MarkedBlockInlines.h M Source/JavaScriptCore/heap/MarkedSpace.cpp M Source/JavaScriptCore/heap/MarkedSpace.h M Source/JavaScriptCore/heap/MarkedSpaceInlines.h M Source/JavaScriptCore/heap/MarkingConstraintSet.cpp M Source/JavaScriptCore/heap/MarkingConstraintSet.h M Source/JavaScriptCore/heap/MarkingConstraintSolver.h M Source/JavaScriptCore/heap/PreciseAllocation.cpp M Source/JavaScriptCore/heap/PreciseAllocation.h M Source/JavaScriptCore/heap/PreventCollectionScope.h M Source/JavaScriptCore/heap/ReleaseHeapAccessScope.h M Source/JavaScriptCore/heap/RunningScope.h M Source/JavaScriptCore/heap/SlotVisitor.cpp M Source/JavaScriptCore/heap/SpaceTimeMutatorScheduler.cpp M Source/JavaScriptCore/heap/SpaceTimeMutatorScheduler.h M Source/JavaScriptCore/heap/StochasticSpaceTimeMutatorScheduler.cpp M Source/JavaScriptCore/heap/StochasticSpaceTimeMutatorScheduler.h M Source/JavaScriptCore/heap/Subspace.cpp M Source/JavaScriptCore/heap/SweepingScope.h M Source/JavaScriptCore/heap/VerifierSlotVisitor.cpp M Source/JavaScriptCore/heap/WeakBlock.cpp M Source/JavaScriptCore/heap/WeakSet.cpp M 
Source/JavaScriptCore/heap/WeakSet.h M Source/JavaScriptCore/interpreter/Interpreter.cpp M Source/JavaScriptCore/interpreter/Interpreter.h M Source/JavaScriptCore/interpreter/InterpreterInlines.h M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp M Source/JavaScriptCore/jit/JITCode.h M Source/JavaScriptCore/jit/JITInlineCacheGenerator.h M Source/JavaScriptCore/jit/JITMathIC.h M Source/JavaScriptCore/jit/JITOperations.cpp M Source/JavaScriptCore/jit/JITThunks.cpp M Source/JavaScriptCore/jsc.cpp M Source/JavaScriptCore/llint/LLIntData.h M Source/JavaScriptCore/runtime/EvalExecutable.h M Source/JavaScriptCore/runtime/ExecutableBase.h M Source/JavaScriptCore
[webkit-changes] [WebKit/WebKit] e3f2a6: Inline some functions used in copyCompactAndLinkCode
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: e3f2a6f91ba48a9da351d92f82cd28f37a087f07 https://github.com/WebKit/WebKit/commit/e3f2a6f91ba48a9da351d92f82cd28f37a087f07 Author: Justin Michaud Date: 2023-12-14 (Thu, 14 Dec 2023) Changed paths: M Source/JavaScriptCore/assembler/ARM64Assembler.h M Source/JavaScriptCore/assembler/AssemblerBuffer.h M Source/JavaScriptCore/assembler/MacroAssemblerARM64.h Log Message: --- Inline some functions used in copyCompactAndLinkCode https://bugs.webkit.org/show_bug.cgi?id=266362 rdar://119627634 Reviewed by Mark Lam. Inline some functions used in copyCompactAndLinkCode, since we want to minimize register spilling there. * Source/JavaScriptCore/assembler/ARM64Assembler.h: (JSC::ARM64Assembler::buffer): (JSC::ARM64Assembler::LinkRecord::from const): (JSC::ARM64Assembler::LinkRecord::setFrom): (JSC::ARM64Assembler::LinkRecord::to const): (JSC::ARM64Assembler::LinkRecord::type const): (JSC::ARM64Assembler::LinkRecord::linkType const): (JSC::ARM64Assembler::LinkRecord::branchType const): (JSC::ARM64Assembler::LinkRecord::setLinkType): (JSC::ARM64Assembler::LinkRecord::condition const): (JSC::ARM64Assembler::LinkRecord::is64Bit const): (JSC::ARM64Assembler::LinkRecord::isThunk const): (JSC::ARM64Assembler::LinkRecord::bitNumber const): (JSC::ARM64Assembler::LinkRecord::compareRegister const): * Source/JavaScriptCore/assembler/AssemblerBuffer.h: (JSC::AssemblerBuffer::putInt): (JSC::AssemblerBuffer::releaseAssemblerData): * Source/JavaScriptCore/assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::MacroAssemblerARM64): (JSC::MacroAssemblerARM64::jumpsToLink): (JSC::MacroAssemblerARM64::canCompact): (JSC::MacroAssemblerARM64::computeJumpType): (JSC::MacroAssemblerARM64::jumpSizeDelta): (JSC::MacroAssemblerARM64::isCompactPtrAlignedAddressOffset): Canonical link: https://commits.webkit.org/272034@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org 
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 4314b6: Extr can overflow when imm=64, allowing a random r...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 4314b6ee6195aeb294402cce98bdb05dbdf83ad4 https://github.com/WebKit/WebKit/commit/4314b6ee6195aeb294402cce98bdb05dbdf83ad4 Author: Justin Michaud Date: 2023-12-07 (Thu, 07 Dec 2023) Changed paths: M Source/JavaScriptCore/b3/B3LowerToAir.cpp M Source/JavaScriptCore/b3/air/AirValidate.cpp Log Message: --- Extr can overflow when imm=64, allowing a random register to be read rdar://118515062 Reviewed by Yusuke Suzuki. Extr can overflow when imm=64, allowing a random register to be read. * Source/JavaScriptCore/b3/B3LowerToAir.cpp: * Source/JavaScriptCore/b3/air/AirValidate.cpp: Originally-landed-as: 267815.574@safari-7617-branch (49ba637c4abb). rdar://119327080 Canonical link: https://commits.webkit.org/271694@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
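As an added illustration of the failure mode this commit describes (example code, not WebKit's B3 or Air sources): the 64-bit ARM64 EXTR instruction carries its immediate in a 6-bit imms field, so packing an immediate of 64 needs a seventh bit, which lands on the low bit of the adjacent Rm field and silently changes which source register the instruction reads. The bit layout is the architecture's; the encoder, validator, struct and field names below are constructed for this example, and the checked path shows the kind of range check a lowering or validator pass can apply before emitting.

```cpp
#include <cstdint>

// Bit layout of the 64-bit ARM64 EXTR instruction (architecture reference):
//   sf=1 [31] | op=00 [30:29] | 100111 [28:23] | N=1 [22] | o0=0 [21]
//   Rm [20:16] | imms [15:10] | Rn [9:5] | Rd [4:0]
// Only the fixed opcode bits are baked into this constant.
constexpr uint32_t kExtr64Opcode = 0x93C00000u;

constexpr unsigned kRmShift = 16;
constexpr unsigned kImmsShift = 10;
constexpr unsigned kRnShift = 5;
constexpr unsigned kImmsMask = 0x3F;   // imms is 6 bits wide: a valid lsb is 0..63
constexpr unsigned kRegMask = 0x1F;    // five-bit register numbers: x0..x31

// Unchecked packer, mirroring an emitter that trusts its caller. An lsb of 64
// is 0b1000000; shifted by 10 it sets instruction bit 16, the low bit of Rm.
uint32_t packExtr64(unsigned rd, unsigned rn, unsigned rm, unsigned lsb)
{
    return kExtr64Opcode | (rm << kRmShift) | (lsb << kImmsShift) | (rn << kRnShift) | rd;
}

// The invariant a validator pass can assert on every Extr before it is packed.
bool extr64OperandsValid(unsigned rd, unsigned rn, unsigned rm, unsigned lsb)
{
    return rd <= kRegMask && rn <= kRegMask && rm <= kRegMask && lsb <= kImmsMask;
}

struct Encoded {
    bool ok;
    uint32_t insn;   // meaningful only when ok is true
};

// Checked encoder: refuses to emit rather than silently reading the wrong register.
Encoded encodeExtr64(unsigned rd, unsigned rn, unsigned rm, unsigned lsb)
{
    if (!extr64OperandsValid(rd, rn, rm, lsb))
        return { false, 0 };
    return { true, packExtr64(rd, rn, rm, lsb) };
}

// Field decoders, so the effect of the overflow can be observed on the packed word.
unsigned extr64Rm(uint32_t insn) { return (insn >> kRmShift) & kRegMask; }
unsigned extr64Lsb(uint32_t insn) { return (insn >> kImmsShift) & kImmsMask; }
```

With Rm = x2 and lsb = 64, the unchecked packer produces a word whose Rm field decodes as x3 and whose imms field decodes as 0: the rotate amount is lost and the operand comes from a register the compiler never intended, which is exactly the "random register" the commit title refers to. The same overflow check belongs wherever immediates are folded into an instruction with fixed-width fields.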
[webkit-changes] [WebKit/WebKit] 16f475: SECore build fix 3
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 16f475eac293efd139c5da6a7f8e461ff28dd32c https://github.com/WebKit/WebKit/commit/16f475eac293efd139c5da6a7f8e461ff28dd32c Author: Justin Michaud Date: 2023-11-15 (Wed, 15 Nov 2023) Changed paths: M Source/JavaScriptCore/Configurations/Base.xcconfig M Source/WebCore/Configurations/WebCore.xcconfig Log Message: --- SECore build fix 3 https://bugs.webkit.org/show_bug.cgi?id=264890 rdar://118467465 Unreviewed build fix. BUILD_SETTING[sdk=iphoneos*] lines in xcconfig also apply to tvos. * Source/JavaScriptCore/Configurations/Base.xcconfig: * Source/WebCore/Configurations/WebCore.xcconfig: Canonical link: https://commits.webkit.org/270780@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] fcf4eb: Build fix for SECore adoption, take 2
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: fcf4ebb722830ecb4724e4cf7c4238ab5cb2bace https://github.com/WebKit/WebKit/commit/fcf4ebb722830ecb4724e4cf7c4238ab5cb2bace Author: Justin Michaud Date: 2023-11-14 (Tue, 14 Nov 2023) Changed paths: M Source/JavaScriptCore/Configurations/Base.xcconfig M Source/WebCore/Configurations/WebCore.xcconfig Log Message: --- Build fix for SECore adoption, take 2 https://bugs.webkit.org/show_bug.cgi?id=264849 rdar://118428351 Rubber stamped by Wenson Hsieh. Numbers are hard. * Source/JavaScriptCore/Configurations/Base.xcconfig: * Source/WebCore/Configurations/WebCore.xcconfig: Canonical link: https://commits.webkit.org/270740@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] d818a9: Build fix weak linking SECore
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: d818a9114567f258212a26afc3c861439aca2812 https://github.com/WebKit/WebKit/commit/d818a9114567f258212a26afc3c861439aca2812 Author: Justin Michaud Date: 2023-11-14 (Tue, 14 Nov 2023) Changed paths: M Source/JavaScriptCore/jit/ExecutableAllocator.cpp Log Message: --- Build fix weak linking SECore https://bugs.webkit.org/show_bug.cgi?id=264822 rdar://118404992 Reviewed by Mark Lam. We need to tell clang that this symbol can be weak-linked. * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): Canonical link: https://commits.webkit.org/270727@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 7c5f5e: Adopt new JIT permissions API
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 7c5f5e8c2eafda289129dbea135a7241cddf5dd3 https://github.com/WebKit/WebKit/commit/7c5f5e8c2eafda289129dbea135a7241cddf5dd3 Author: Justin Michaud Date: 2023-11-13 (Mon, 13 Nov 2023) Changed paths: M Source/JavaScriptCore/Configurations/Base.xcconfig M Source/JavaScriptCore/jit/ExecutableAllocator.cpp M Source/WTF/wtf/PlatformUse.h M Source/WebCore/Configurations/WebCore.xcconfig Log Message: --- Adopt new JIT permissions API https://bugs.webkit.org/show_bug.cgi?id=264694 rdar://116544588 Reviewed by Wenson Hsieh. Adopt new JIT permissions API. This is more secure than the one we were previously using. * Source/JavaScriptCore/Configurations/JavaScriptCore.xcconfig: * Source/WTF/wtf/PlatformUse.h: * Source/WebCore/Configurations/WebCore.xcconfig: Canonical link: https://commits.webkit.org/270693@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] ae0b70: Reflect.construct can churn cached internalFunctio...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: ae0b70efbe6b5326518eef3160144494748d8b11 https://github.com/WebKit/WebKit/commit/ae0b70efbe6b5326518eef3160144494748d8b11 Author: Justin Michaud Date: 2023-11-01 (Wed, 01 Nov 2023) Changed paths: A JSTests/stress/reflect-construct-reenter-prototype-get-different-global.js A JSTests/stress/reflect-construct-reenter-prototype-get.js M Source/JavaScriptCore/runtime/InternalFunction.cpp Log Message: --- Reflect.construct can churn cached internalFunctionAllocationStructure https://bugs.webkit.org/show_bug.cgi?id=263945 rdar://117556294 Reviewed by Keith Miller. Reviewed by Mark Lam. Reflect.construct can churn the cached internalFunctionAllocationStructure when calling the target's prototype getter, causing us to fail a debug assert. This isn't really a problem though, since accidentally making a second structure shouldn't break anything (like our watchpoints or structure transition logic). We just add an extra check to silence the debug assert and be slightly more optimal. * JSTests/stress/reflect-construct-reenter-prototype-get-different-global.js: Added. (newTarget): (get let): * JSTests/stress/reflect-construct-reenter-prototype-get.js: Added. (newTarget): (get let): * Source/JavaScriptCore/runtime/InternalFunction.cpp: (JSC::InternalFunction::createSubclassStructure): Canonical link: https://commits.webkit.org/270084@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] f9a3a2: WebAssembly SIMD results in incorrect float values...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: f9a3a2147af0a89a67c74b9da7a291387c6cb39c https://github.com/WebKit/WebKit/commit/f9a3a2147af0a89a67c74b9da7a291387c6cb39c Author: Justin Michaud Date: 2023-10-09 (Mon, 09 Oct 2023) Changed paths: A JSTests/wasm/stress/omg-simd-simple.js A JSTests/wasm/stress/omg-simd-stress.js A JSTests/wasm/stress/omg-simd-stress.wat M Source/JavaScriptCore/b3/air/AirLowerMacros.cpp Log Message: --- WebAssembly SIMD results in incorrect float values and non working bitwise operations https://bugs.webkit.org/show_bug.cgi?id=258302 rdar://111050621 Reviewed by Alexey Shvayka. We accidentally clobber our input, causing some random SIMD bugs. This was pretty difficult to isolate, even though the bug is so obvious. The included (larger) test case actually serves as a pretty general way to debug a differential jit-tier bug. * JSTests/wasm/stress/omg-simd-simple.js: Added. (from.string_appeared_here.import.as.assert.from.string_appeared_here.async test): * JSTests/wasm/stress/omg-simd-stress.js: Added. (from.string_appeared_here.import.as.assert.from.string_appeared_here.async test.): (from.string_appeared_here.import.as.assert.from.string_appeared_here.async test): * JSTests/wasm/stress/omg-simd-stress.wat: Added. * Source/JavaScriptCore/b3/air/AirLowerMacros.cpp: (JSC::B3::Air::lowerMacros): Canonical link: https://commits.webkit.org/269080@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 272d17: JSC should be killed when OOM (for real this time)
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 272d1789debb0097c8a7c80a876ed509e71ff1e8 https://github.com/WebKit/WebKit/commit/272d1789debb0097c8a7c80a876ed509e71ff1e8 Author: Justin Michaud Date: 2023-09-30 (Sat, 30 Sep 2023) Changed paths: M Source/JavaScriptCore/jsc.cpp Log Message: --- JSC should be killed when OOM (for real this time) https://bugs.webkit.org/show_bug.cgi?id=262225 rdar://115527742 Reviewed by Keith Miller. This code should actually compile on macos. * Source/JavaScriptCore/jsc.cpp: (main): Canonical link: https://commits.webkit.org/268696@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 2f65ef: Adopt new jit write toggle API
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 2f65efbad704d90dc41e45cb8581c99d70273943 https://github.com/WebKit/WebKit/commit/2f65efbad704d90dc41e45cb8581c99d70273943 Author: Justin Michaud Date: 2023-09-25 (Mon, 25 Sep 2023) Changed paths: M Source/JavaScriptCore/assembler/FastJITPermissions.h M Source/JavaScriptCore/jit/ExecutableAllocator.cpp Log Message: --- Adopt new jit write toggle API https://bugs.webkit.org/show_bug.cgi?id=261792 rdar://115758153 Reviewed by Mark Lam. Adopt new jit write toggle API, which has been renamed to be more descriptive. * Source/JavaScriptCore/assembler/FastJITPermissions.h: (threadSelfRestrictRWXToRW): (threadSelfRestrictRWXToRX): * Source/JavaScriptCore/jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): Canonical link: https://commits.webkit.org/268429@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 14530d: JSObject::getDirectConcurrently should take the ce...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 14530da9c09d490a1759b96da2231698f1aae0af https://github.com/WebKit/WebKit/commit/14530da9c09d490a1759b96da2231698f1aae0af Author: Justin Michaud Date: 2023-07-31 (Mon, 31 Jul 2023) Changed paths: A JSTests/stress/get-concurrently-should-take-cell-lock.js M Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp M Source/JavaScriptCore/bytecode/PropertyCondition.cpp M Source/JavaScriptCore/dfg/DFGGraph.cpp M Source/JavaScriptCore/runtime/JSArray.cpp M Source/JavaScriptCore/runtime/JSCell.h M Source/JavaScriptCore/runtime/JSObject.h Log Message: --- JSObject::getDirectConcurrently should take the cell lock. https://bugs.webkit.org/show_bug.cgi?id=257285 rdar://108166258 Reviewed by Yusuke Suzuki. `JSArray::unshiftCountWithArrayStorage` takes the cell lock and then the structure lock to prevent the compiler thread from accessing the butterfly before it is fully initialized. `JSObject::getDirectConcurrently` only takes the structure lock. This means that the compiler can take the structure lock, the cell can transition to a new structure, then unshift can mess up the butterfly, and finally the compiler thread proceeds to see garbage. The attached POC only reproduces if waits are introduced to extend the race window. It seems that the comment above cellLock is outdated, as our current concurrency protocol to prevent deadlocks is to take the cell lock then the structure lock. I could not find anywhere that uses the reverse, but if I missed something, a deadlock will be pretty easy to debug. * Source/JavaScriptCore/runtime/JSArray.cpp: (JSC::JSArray::unshiftCountWithArrayStorage): * Source/JavaScriptCore/runtime/JSCell.h: (JSC::JSCell::cellLock const): (JSC::JSCell::cellLock): Deleted. * Source/JavaScriptCore/runtime/JSObject.h: (JSC::JSObject::getDirectConcurrently const): Originally-landed-as: 259548.798@safari-7615-branch (b7e3ebd9c372). 
rdar://108166258 Canonical link: https://commits.webkit.org/266435@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
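The commit above describes a lock protocol (cell lock first, then structure lock; concurrent readers of the butterfly must hold the cell lock) that was only violated observably when waits were injected to widen the race window. The following is an added example written for this page, not JavaScriptCore code, and every name in it (TrackedLock, DemoObject, ProtocolViolations, butterflyConcurrently) is hypothetical. It models that protocol as debug checks that fire deterministically: a reader that takes only the structure lock, in the shape of the pre-fix getDirectConcurrently, is flagged the moment it touches the butterfly, and acquiring the locks in the reverse order is flagged as a deadlock risk.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical names throughout (TrackedLock, DemoObject, ProtocolViolations):
// this models the protocol the commit describes, it is not JavaScriptCore code.

// A mutex that remembers its owner, so accessors can ask "does this thread hold me?".
class TrackedLock {
public:
    void lock() { m_mutex.lock(); m_owner.store(std::this_thread::get_id()); }
    void unlock() { m_owner.store(std::thread::id()); m_mutex.unlock(); }
    bool isHeldByCurrentThread() const { return m_owner.load() == std::this_thread::get_id(); }
private:
    std::mutex m_mutex;
    std::atomic<std::thread::id> m_owner {};
};

// What a debug build would turn into assertions; counters here so the access
// paths can be compared deterministically instead of by winning a race.
struct ProtocolViolations {
    unsigned orderingViolations = 0;     // cell lock requested while holding the structure lock
    unsigned unlockedButterflyReads = 0; // butterfly read without holding the cell lock
};

struct ReadResult { bool ok; uint32_t value; };

class DemoObject {
public:
    // Protocol: cell lock first, then structure lock, never the reverse.
    void lockCell() {
        if (structureLock.isHeldByCurrentThread())
            ++violations.orderingViolations; // would deadlock against a cell-then-structure thread
        cellLock.lock();
    }
    void unlockCell() { cellLock.unlock(); }
    void lockStructure() { structureLock.lock(); }
    void unlockStructure() { structureLock.unlock(); }

    // Concurrent readers must hold the cell lock: the mutator swaps the storage
    // under it, and the structure lock alone does not cover that window.
    const std::vector<uint32_t>* butterflyConcurrently() {
        if (!cellLock.isHeldByCurrentThread()) {
            ++violations.unlockedButterflyReads;
            return nullptr;
        }
        return &m_butterfly;
    }

    // Mutator in the shape of JSArray::unshiftCountWithArrayStorage: cell lock,
    // then structure lock, then replace the storage and move to a new structure.
    void unshift(uint32_t value) {
        lockCell();
        lockStructure();
        std::vector<uint32_t> fresh;
        fresh.reserve(m_butterfly.size() + 1);
        fresh.push_back(value);
        fresh.insert(fresh.end(), m_butterfly.begin(), m_butterfly.end());
        m_butterfly.swap(fresh);
        ++m_structureId;
        unlockStructure();
        unlockCell();
    }

    // Pre-fix reader shape: structure lock only. The checker flags the read.
    ReadResult getDirectConcurrentlyOld(size_t index) {
        lockStructure();
        ReadResult result = readAt(index);
        unlockStructure();
        return result;
    }

    // Fixed reader shape: cell lock, then structure lock, same order as the mutator.
    ReadResult getDirectConcurrentlyFixed(size_t index) {
        lockCell();
        lockStructure();
        ReadResult result = readAt(index);
        unlockStructure();
        unlockCell();
        return result;
    }

    // Wrong-order acquisition, only to show that the ordering check fires.
    void acquireInWrongOrder() { lockStructure(); lockCell(); unlockCell(); unlockStructure(); }

    ProtocolViolations violations;

private:
    ReadResult readAt(size_t index) {
        const std::vector<uint32_t>* storage = butterflyConcurrently();
        if (!storage || index >= storage->size())
            return { false, 0 };
        return { true, (*storage)[index] };
    }

    TrackedLock cellLock;
    TrackedLock structureLock;
    std::vector<uint32_t> m_butterfly;
    uint32_t m_structureId = 0;
};

// Runs the three access patterns on a fresh object and returns the counters.
ProtocolViolations demonstrate() {
    DemoObject object;
    object.unshift(7);                    // butterfly: [7]
    object.unshift(3);                    // butterfly: [3, 7]
    object.getDirectConcurrentlyFixed(0); // no violation
    object.getDirectConcurrentlyOld(0);   // unlockedButterflyReads becomes 1
    object.acquireInWrongOrder();         // orderingViolations becomes 1
    return object.violations;
}
```

The point of recording the owner in the lock, rather than relying on a thread sanitizer, is that the "is the cell lock held by me?" check in the accessor turns a timing-dependent corruption into a failure on the very first unlocked read, which is the kind of check the commit's cellLock comment should describe.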
[webkit-changes] [WebKit/WebKit] e5652c: CallVarargs should identify that it can read inlin...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: e5652c93dbd1e78bf2f4a0f38022287b30420da0 https://github.com/WebKit/WebKit/commit/e5652c93dbd1e78bf2f4a0f38022287b30420da0 Author: Justin Michaud Date: 2023-07-28 (Fri, 28 Jul 2023) Changed paths: A JSTests/stress/putstacksinking-callvarargs.js A JSTests/stress/putstacksinking-tailcallvarargs.js M Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h Log Message: --- CallVarargs should identify that it can read inline call frame arguments. rdar://112936988 Reviewed by Yusuke Suzuki. Call already does this, but CallVarargs has a special case that forgot. We should not be allowed to push PutStacks below a call of any kind, since it might access our call frame's arguments via foo.arguments, unless we are strict. The only exception is TailCall (but not TailCallForwardVarargsInlinedCaller), because it will destroy the entire frame. We do not un-pessimize TailCall yet to reduce risk, but it could be made to match TailCallForwardVarargs in the future. * JSTests/stress/putstacksinking-callvarargs.js: Added. (main.opt.x): (main.opt.y): (main.opt.z): (main.opt): (main): * JSTests/stress/putstacksinking-tailcallvarargs.js: Added. (main.opt.x): (main.opt.y): (main.opt.z): (main.opt): (main): * Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h: (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): Originally-landed-as: 259548.856@safari-7615-branch (c3d2e3627b45). rdar://111361499 Canonical link: https://commits.webkit.org/266393@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 00c679: REGRESSION(265930@main): [ iOS 16 ] TestWTF.WTF_Pa...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 00c679a9ae1b56c9a4e21f43aaab9bb26123222c https://github.com/WebKit/WebKit/commit/00c679a9ae1b56c9a4e21f43aaab9bb26123222c Author: Justin Michaud Date: 2023-07-24 (Mon, 24 Jul 2023) Changed paths: M Tools/TestWebKitAPI/Tests/WTF/Packed.cpp Log Message: --- REGRESSION(265930@main): [ iOS 16 ] TestWTF.WTF_Packed.PackedAlignedPtr is a constant failure https://bugs.webkit.org/show_bug.cgi?id=259366 rdar://112620141 Reviewed by Brent Fulgham. I missed a compile guard. * Tools/TestWebKitAPI/Tests/WTF/Packed.cpp: (TestWebKitAPI::TEST): Canonical link: https://commits.webkit.org/266263@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 4f99c0: Cherry-pick 259548.856@safari-7615-branch (c3d2e36...
Branch: refs/heads/webkitglib/2.40 Home: https://github.com/WebKit/WebKit Commit: 4f99c0670d2d91dbc51725a7af6909e186db1b07 https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07 Author: Justin Michaud Date: 2023-07-18 (Tue, 18 Jul 2023) Changed paths: M Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h Log Message: --- Cherry-pick 259548.856@safari-7615-branch (c3d2e3627b45). https://bugs.webkit.org/show_bug.cgi?id=259231 CallVarargs should identify that it can read inline call frame arguments. rdar://111361499 Reviewed by Yusuke Suzuki. Call already does this, but CallVarargs has a special case that forgot. We should not be allowed to push PutStacks below a call of any kind, since it might access our call frame's arguments via foo.arguments, unless we are strict. The only exception is TailCall (but not TailCallForwardVarargsInlinedCaller), because it will destroy the entire frame. We do not un-pessimize TailCall yet to reduce risk, but it could be made to match TailCallForwardVarargs in the future. * Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h: (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): Canonical link: https://commits.webkit.org/259548.856@safari-7615-branch Canonical link: https://commits.webkit.org/260527.380@webkitglib/2.40 ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] fa76f5: Simulator should have a 48-bit address space
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: fa76f5ed3119f79bbbcd597e446cf201183b33b4 https://github.com/WebKit/WebKit/commit/fa76f5ed3119f79bbbcd597e446cf201183b33b4 Author: Justin Michaud Date: 2023-07-10 (Mon, 10 Jul 2023) Changed paths: M Source/JavaScriptCore/runtime/StructureID.h M Source/WTF/wtf/CompactPtr.h M Source/WTF/wtf/PlatformHave.h M Source/WTF/wtf/PlatformOS.h M Source/bmalloc/bmalloc/BPlatform.h M Source/bmalloc/libpas/src/libpas/pas_root.c Log Message: --- Simulator should have a 48-bit address space https://bugs.webkit.org/show_bug.cgi?id=258999 rdar://37299 Reviewed by Yusuke Suzuki. If you allocate a lot of memory in the simulator, eventually you will fail one of the CompactPtr assertions because the simulator actually acts like macOS with respect to virtual memory. Mach's max address size is defined incorrectly for this case, so we guard against that on our side. * Source/JavaScriptCore/runtime/StructureID.h: * Source/WTF/wtf/CompactPtr.h: * Source/WTF/wtf/PlatformHave.h: * Source/WTF/wtf/PlatformOS.h: * Source/bmalloc/bmalloc/BPlatform.h: * Source/bmalloc/libpas/src/libpas/pas_root.c: Canonical link: https://commits.webkit.org/265930@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 2f7262: DFG should update backwards propagation after fixup.
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 2f7262436c990b072f944bc6ed08cf55746fb017 https://github.com/WebKit/WebKit/commit/2f7262436c990b072f944bc6ed08cf55746fb017 Author: Justin Michaud Date: 2023-07-06 (Thu, 06 Jul 2023) Changed paths: A JSTests/stress/propogate-PureInt-double-use.js M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.h M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp M Source/JavaScriptCore/dfg/DFGPlan.cpp M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp Log Message: --- DFG should update backwards propagation after fixup. https://bugs.webkit.org/show_bug.cgi?id=257949 rdar://110661900 Reviewed by Keith Miller. PureInt means that we cannot observe a difference between this value when represented as a double or when represented as a UInt32. Today, PureInt is not a proven property, but rather a speculation guide. The DFG fixup phase is responsible for inserting speculations and fixing up edges to ensure that we can prove the properties that we want. UInt32ToNumber speculates that a value fits in an Int32. DoubleRep takes an Int32 and stuffs the bits appropriately to turn it into a double. ValueAdd is expecting a DoubleRep because it has a double argument. In FixupPhase, we remove UInt32ToNumber because we see that it is PureInt. If it is actually PureInt, then this is fine. But DoubleRep can observe it as non-PureInt, and DoubleRep is not inserted until well after BackwardsPropagationPhase has run. We add a separate phase that runs after fixup, and pessimizes these speculation properties. Then, we are free to use them as proven properties. Finally, we move any checks in fixup that use these properties to strength reduction. * JSTests/stress/propogate-PureInt-double-use.js: Added. 
(opt): (noInline.opt.o): (noInline.o.main): * Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase): (JSC::DFG::BackwardsPropagationPhase::propagate): (JSC::DFG::performBackwardsPropagation): (JSC::DFG::performBackwardsPropagationAfterFixup): * Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.h: * Source/JavaScriptCore/dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * Source/JavaScriptCore/dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber): * Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode): fix . Canonical link: https://commits.webkit.org/265833@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 40df48: Add additional assertions to InlineCacheCompiler
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 40df48799883c603be2823a3c86c2172ecb4ef8d https://github.com/WebKit/WebKit/commit/40df48799883c603be2823a3c86c2172ecb4ef8d Author: Justin Michaud Date: 2023-07-04 (Tue, 04 Jul 2023) Changed paths: M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp M Source/JavaScriptCore/bytecode/InlineCacheCompiler.h M Source/JavaScriptCore/jit/RegisterSet.h Log Message: --- Add additional assertions to InlineCacheCompiler rdar://110382994 Reviewed by Mark Lam. We are sometimes finding ourselves in an inconsistent state where we have allocated stack space but have no live registers to preserve. Let's add some additional assertions to make it easier to find the root cause. * Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp: (JSC::InlineCacheCompiler::preserveLiveRegistersToStackForCall): (JSC::InlineCacheCompiler::preserveLiveRegistersToStackForCallWithoutExceptions): * Source/JavaScriptCore/bytecode/InlineCacheCompiler.h: (JSC::InlineCacheCompiler::setSpillStateForJSCall): (JSC::InlineCacheCompiler::spillStateForJSCall const): Canonical link: https://commits.webkit.org/265759@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 7b5f7e: Create SmallHeap for JSStrings
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 7b5f7e4443f57e7a4a1c755a49f18b50175696c1 https://github.com/WebKit/WebKit/commit/7b5f7e4443f57e7a4a1c755a49f18b50175696c1 Author: Justin Michaud Date: 2023-05-26 (Fri, 26 May 2023) Changed paths: M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp M Source/JavaScriptCore/heap/Heap.cpp M Source/JavaScriptCore/heap/Heap.h M Source/JavaScriptCore/heap/IsoSubspace.cpp M Source/JavaScriptCore/heap/IsoSubspace.h M Source/JavaScriptCore/jit/AssemblyHelpers.h M Source/JavaScriptCore/llint/LLIntOfflineAsmConfig.h M Source/JavaScriptCore/runtime/ClassInfo.h M Source/JavaScriptCore/runtime/JSString.h M Source/JavaScriptCore/tools/Integrity.cpp M Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp M Source/JavaScriptCore/wasm/WasmTypeDefinition.h M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp M Source/WTF/wtf/CompactPtr.h M Source/WTF/wtf/DebugHeap.h M Source/WTF/wtf/FastMalloc.h M Source/WTF/wtf/Gigacage.cpp M Source/WTF/wtf/Gigacage.h M Source/WTF/wtf/PlatformHave.h M Source/WTF/wtf/Threading.cpp M Source/WTF/wtf/text/StringImpl.cpp M Source/WTF/wtf/text/StringImpl.h M Source/WTF/wtf/text/UniquedStringImpl.h M Source/WebCore/accessibility/isolatedtree/AXIsolatedObject.cpp M Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm M Source/WebKit/UIProcess/API/Cocoa/WKPreferences.mm M Source/bmalloc/bmalloc/BPlatform.h M Source/bmalloc/bmalloc/Gigacage.cpp M Source/bmalloc/bmalloc/Gigacage.h M Source/bmalloc/bmalloc/GigacageConfig.h M Source/bmalloc/bmalloc/GigacageKind.h M Source/bmalloc/bmalloc/HeapKind.h M Source/bmalloc/bmalloc/bmalloc.cpp M Tools/TestWebKitAPI/Tests/WTF/AlignedRefLogger.h M Tools/TestWebKitAPI/Tests/WTF/CompactRefPtr.cpp M Tools/TestWebKitAPI/Tests/WTF/JSONValue.cpp M Tools/TestWebKitAPI/Tests/WTF/PackedRefPtr.cpp M Tools/TestWebKitAPI/Tests/WTF/StringImpl.cpp M 
Tools/TestWebKitAPI/Tests/WebCore/FileMonitor.cpp M Tools/TestWebKitAPI/Tests/WebCore/PrivateClickMeasurement.cpp M Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm Log Message: --- Create SmallHeap for JSStrings https://bugs.webkit.org/show_bug.cgi?id=256815 rdar://109377647 Reviewed by Yusuke Suzuki. Create a space to allocate JSStrings from so that JSString* can fit in 32 bits (with 16-byte alignment). This space must work even if the gigacage is disabled, or in processes like Safari and MiniBrowser that should not allocate a full gigacage. For that reason, we initialize this region separately. A subsequent patch will make CompactPtr take advantage of this region, so we lay down the foundation for that here by adding CompactPtrTypeTraits to CompactPtr-able types. * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp: * Source/JavaScriptCore/heap/Heap.cpp: (JSC::Heap::Heap): * Source/JavaScriptCore/heap/Heap.h: (JSC::Heap::gigacageAuxiliarySpace): * Source/JavaScriptCore/heap/IsoSubspace.cpp: (JSC::IsoSubspace::IsoSubspace): * Source/JavaScriptCore/heap/IsoSubspace.h: * Source/JavaScriptCore/jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::loadCompactPtr): (JSC::AssemblyHelpers::branchCompactPtr): * Source/JavaScriptCore/llint/LLIntOfflineAsmConfig.h: * Source/JavaScriptCore/runtime/ClassInfo.h: * Source/JavaScriptCore/runtime/JSString.h: (JSC::JSString::destroy): Deleted. (JSC::JSString::subspaceFor): Deleted. (JSC::JSString::uninitializedValueInternal const): Deleted. (JSC::JSString::valueInternal const): Deleted. (JSC::JSString::JSString): Deleted. (JSC::JSString::finishCreation): Deleted. (JSC::JSString::create): Deleted. (JSC::JSString::createHasOtherOwner): Deleted. (JSC::JSString::toBoolean const): Deleted. (JSC::JSString::canGetIndex): Deleted. (JSC::JSString::offsetOfValue): Deleted. (JSC::JSString::isRope const): Deleted. (JSC::JSString::fiberConcurrently const): Deleted. 
* Source/JavaScriptCore/tools/Integrity.cpp: (JSC::Integrity::Analyzer::analyzeCell): * Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h: (JSC::Wasm::ExpressionType>::emitLoadRTTFromFuncref): * Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::emitLoadRTTFromFuncref): * Source/JavaScriptCore/wasm/WasmTypeDefinition.h: * Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp: (JSC::WebAssemblyFunction::jsCallEntrypointSlow): * Source/WTF/wtf/CompactPtr.h: (WTF::BigHeapTypeTraits::encode): (WTF::BigHeapTypeTraits::decode): (WTF::CompactPtr::encode): (WTF::CompactPtr::decode): (WTF::CompactPtr::operator!=): (WTF::CompactPtr::storage const): * Source/WTF/wtf/DebugHeap.h: * Source/WTF/wtf/FastMalloc.h: (WTF::SmallHeapMalloc::malloc): (WTF::SmallHeapMalloc::tryMalloc): (WTF::SmallHeapMalloc::tryRealloc): (WTF::SmallHeapMalloc::free): * Source/WTF/wtf/Gigacage.
[webkit-changes] [WebKit/WebKit] 3a62d3: [merge-back] OMG should pop try arguments
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 3a62d3df302dbce15ff8235c45c8f3b40a43d21d https://github.com/WebKit/WebKit/commit/3a62d3df302dbce15ff8235c45c8f3b40a43d21d Author: Justin Michaud Date: 2023-05-25 (Thu, 25 May 2023) Changed paths: A JSTests/wasm/stress/block_end_aliasing.js A JSTests/wasm/stress/block_end_aliasing.wasm A JSTests/wasm/stress/block_end_aliasing_2.js A JSTests/wasm/stress/block_end_aliasing_2.wasm A JSTests/wasm/stress/block_end_aliasing_2.wat A JSTests/wasm/stress/if-block-arguments-2.js A JSTests/wasm/stress/if-block-arguments.js M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp Log Message: --- [merge-back]OMG should pop try arguments rdar://109857225 Reviewed by Yusuke Suzuki. The parser and the B3 generator both maintain their own separate wasm stacks. When we end a block, these two stacks can get out of sync because we forgot to pop on the b3 side. This can cause type confusion. The real fix for this is to fix the underlying design flaw. In the future, we should only store one copy of the stack state in the parser, including the wasm type, and refer exclusively to that. This is what the new BBQ tier does. For now, we just pop as needed. * JSTests/wasm/stress/block_end_aliasing.js: Added. (instantiate): (async let): * JSTests/wasm/stress/block_end_aliasing.wasm: Added. * JSTests/wasm/stress/block_end_aliasing_2.js: Added. (instantiate): (async let): (async let.i4.await.instantiate): * JSTests/wasm/stress/block_end_aliasing_2.wasm: Added. * JSTests/wasm/stress/block_end_aliasing_2.wat: Added. * JSTests/wasm/stress/loop-end-aliasing.js: Added. 
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.import.string_appeared_here.string_appeared_here.memory.mem.1.func.export.string_appeared_here.result.i64.funcref.i64.const.14.block.param.i64.end.ref.func.0.return.async test): * Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::didPopValueFromStack): (JSC::Wasm::B3IRGenerator::makePushVariable): (JSC::Wasm::B3IRGenerator::addEndToUnreachable): Originally-landed-as: 259548.624@safari-7615-branch (c9d960b1956a). rdar://109857225 Canonical link: https://commits.webkit.org/264551@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 39a1ff: Remove static strings and symbols
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 39a1ff098a4ebfd7b753243ba2d609fc5ef763eb https://github.com/WebKit/WebKit/commit/39a1ff098a4ebfd7b753243ba2d609fc5ef763eb Author: Justin Michaud Date: 2023-05-19 (Fri, 19 May 2023) Changed paths: M Source/JavaScriptCore/builtins/BuiltinExecutables.cpp M Source/JavaScriptCore/builtins/BuiltinExecutables.h M Source/JavaScriptCore/builtins/BuiltinNames.cpp M Source/JavaScriptCore/builtins/BuiltinNames.h M Source/JavaScriptCore/runtime/InitializeThreading.cpp M Source/JavaScriptCore/runtime/JSString.h M Source/JavaScriptCore/runtime/SmallStrings.cpp M Source/JavaScriptCore/runtime/SmallStrings.h M Source/JavaScriptCore/runtime/VM.cpp M Source/WTF/wtf/CompactPtr.h M Source/WTF/wtf/Threading.cpp M Source/WTF/wtf/URL.cpp M Source/WTF/wtf/spi/cocoa/MachVMSPI.h M Source/WTF/wtf/text/AtomString.cpp M Source/WTF/wtf/text/AtomString.h M Source/WTF/wtf/text/AtomStringImpl.cpp M Source/WTF/wtf/text/AtomStringImpl.h M Source/WTF/wtf/text/StringImpl.cpp M Source/WTF/wtf/text/StringImpl.h M Source/WTF/wtf/text/SymbolImpl.cpp M Source/WTF/wtf/text/SymbolImpl.h M Source/WTF/wtf/text/UniquedStringImpl.h M Source/WTF/wtf/text/WTFString.cpp M Source/WTF/wtf/text/WTFString.h M Source/WebCore/bindings/scripts/StaticString.pm M Source/WebCore/css/CSSFontFaceSet.cpp M Source/WebCore/css/CSSFontSelector.cpp M Source/WebCore/dom/Document.cpp M Source/WebCore/dom/Document.h M Source/WebCore/dom/Element.cpp M Source/WebCore/dom/make_names.pl M Source/WebCore/platform/graphics/FontCascadeFonts.cpp M Source/WebCore/style/StyleResolveForFontRaw.cpp M Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceMain.mm M Source/WebKit/UIProcess/API/Cocoa/WKPreferences.mm M Tools/TestWebKitAPI/Tests/WTF/JSONValue.cpp M Tools/TestWebKitAPI/Tests/WTF/StringImpl.cpp M Tools/TestWebKitAPI/Tests/WebCore/FileMonitor.cpp M Tools/TestWebKitAPI/Tests/WebCore/PrivateClickMeasurement.cpp M 
Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm Log Message: --- Remove static strings and symbols https://bugs.webkit.org/show_bug.cgi?id=256744 rdar://109287900 Reviewed by Yusuke Suzuki. We would like to make StringImpl*, JSString* and JSRopeString* fit into 32 bits. Why? - This has the potential to save memory and improve cache locality. - Previously, when Yusuke made JSRopeString smaller by squishing the ropes together, it was a 1% Speedometer regression. This will let us undo that change while keeping the size of JSRopeString small. We need to: 1) Forbid precise allocation 2) Ensure 16-byte alignment This patch does both of these things, and should be sufficient to enable CompactPtr to work on iOS (although this patch doesn't do that). On macOS, pointers are 48-bit instead of 36-bit, so we have more work to do: 1) Make sure that all strings are allocated out of the same malloc region 2) Allocate a chunk of va space for them, and plumb the base pointer around This patch does the first thing. Isn't removing static strings going to be a memory regression? Well, hopefully not. Today we still increment the ref count of static strings, so the memory is dirtied. After applying this patch, the character data will still be static, but the StringImpl itself (which remember, was always dirty) will be placed next to its brethren. This patch might introduce some concurrency bugs though. By inspection I have tried to match the existing invariants, but I don't know if I have spotted everything. * Source/JavaScriptCore/builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::defaultConstructorSourceCode): * Source/JavaScriptCore/builtins/BuiltinExecutables.h: * Source/JavaScriptCore/builtins/BuiltinNames.cpp: (JSC::Symbols::initializeStaticSymbols): (JSC::BuiltinNames::BuiltinNames): (): Deleted. 
* Source/JavaScriptCore/builtins/BuiltinNames.h: * Source/JavaScriptCore/runtime/InitializeThreading.cpp: (JSC::initialize): * Source/JavaScriptCore/runtime/JSString.h: (JSC::JSString::destroy): Deleted. (JSC::JSString::subspaceFor): Deleted. (JSC::JSString::uninitializedValueInternal const): Deleted. (JSC::JSString::valueInternal const): Deleted. (JSC::JSString::JSString): Deleted. (JSC::JSString::finishCreation): Deleted. (JSC::JSString::create): Deleted. (JSC::JSString::createHasOtherOwner): Deleted. (JSC::JSString::toBoolean const): Deleted. (JSC::JSString::canGetIndex): Deleted. (JSC::JSString::offsetOfValue): Deleted. (JSC::JSString::isRope const): Deleted. (JSC::JSString::fiberConcurrently const): Deleted. * Source/JavaScriptCore/runtime/SmallStrings.cpp: * Source/JavaScriptCore/runtime/SmallStrings.h: (JSC::SmallString::initializeJSStaticStrings): * Source/JavaScriptCore/runtime/VM.cpp: (JSC::VM::ensureTerminationException): (): Deleted. * Source/WTF/wtf
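The "Remove static strings and symbols" message above, the earlier "Create SmallHeap for JSStrings" message, and the "Simulator should have a 48-bit address space" message all turn on the same arithmetic: with 16-byte alignment the low four address bits are always zero, so a 32-bit field reaches 36 bits of address space, which covers iOS but not a 48-bit macOS or simulator process unless the pointer is stored relative to the base of a dedicated region. The following is an added example written for this page, not WTF::CompactPtr; its names (encodeCompact, decodeCompact, kReachBits) are hypothetical, and it assumes the first 16 bytes of a region are never handed out so that a stored 0 can mean null.

```cpp
#include <cstdint>
#include <cstdlib>

// Hypothetical names (encodeCompact, decodeCompact, kReachBits): an added model
// of the arithmetic the commits describe, not WTF::CompactPtr.

constexpr unsigned kAlignmentShift = 4;   // 16-byte alignment: the low 4 bits are always zero
constexpr unsigned kStorageBits = 32;     // what fits in the compact field
constexpr unsigned kReachBits = kStorageBits + kAlignmentShift; // 36 bits of address reach
constexpr uint64_t kReach = uint64_t(1) << kReachBits;
constexpr uint64_t kAlignmentMask = (uint64_t(1) << kAlignmentShift) - 1;

// Encodes `address` relative to `base` into 32 bits. `base` is 0 where the whole
// address space is 36-bit, and the start of a dedicated region (the SmallHeap
// idea) where the address space is 48-bit. Stored value 0 means null, so this
// model assumes (its own assumption) that offset 0 in the region is never used.
bool encodeCompact(uint64_t address, uint64_t base, uint32_t& stored) {
    if (!address) { stored = 0; return true; }
    if (address & kAlignmentMask) return false;    // not 16-byte aligned: low bits would be lost
    if (address < base) return false;              // below the region
    uint64_t offset = address - base;
    if (!offset || offset >= kReach) return false; // offset 0 reserved for null; beyond 36-bit reach otherwise
    stored = static_cast<uint32_t>(offset >> kAlignmentShift);
    return true;
}

uint64_t decodeCompact(uint32_t stored, uint64_t base) {
    if (!stored) return 0;
    return base + (uint64_t(stored) << kAlignmentShift);
}

// Round-trips an address and reports whether it survives unchanged.
bool roundTrips(uint64_t address, uint64_t base) {
    uint32_t stored = 0;
    return encodeCompact(address, base, stored) && decodeCompact(stored, base) == address;
}

// Probes the running process: can a fresh heap block be encoded with base 0?
// This is only true where heap addresses stay below 2^36; on a typical 48-bit
// process it returns false, which is exactly why a base pointer has to be
// plumbed around. The result is platform-dependent, so it is reported, not asserted.
bool heapReachableWithoutBase() {
    void* block = std::malloc(64);
    bool reachable = block && roundTrips(reinterpret_cast<uintptr_t>(block), 0);
    std::free(block);
    return reachable;
}
```

The two failure cases worth keeping in mind are the ones the checks reject: a misaligned pointer silently loses its low bits, and a pointer past the 36-bit reach silently aliases another object, which is why the commit on the simulator address space fails an assertion rather than continuing.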
[webkit-changes] [WebKit/WebKit] d96b77: Add some JIT comments to make debugging easier
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: d96b776c8ffd9c44b64718722237e83556edcd83 https://github.com/WebKit/WebKit/commit/d96b776c8ffd9c44b64718722237e83556edcd83 Author: Justin Michaud Date: 2023-05-17 (Wed, 17 May 2023) Changed paths: M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp M Source/JavaScriptCore/ftl/FTLOutput.cpp M Source/JavaScriptCore/ftl/FTLOutput.h Log Message: --- Add some JIT comments to make debugging easier https://bugs.webkit.org/show_bug.cgi?id=256745 rdar://109288342 Reviewed by Yusuke Suzuki. Add some JIT comments to make debugging easier * Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp: (JSC::InlineCacheCompiler::generateWithGuard): (JSC::InlineCacheCompiler::regenerate): * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty): (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdMegamorphic): (JSC::FTL::DFG::LowerDFGToB3::compileGetByValMegamorphic): (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis): (JSC::FTL::DFG::LowerDFGToB3::getPrivateName): (JSC::FTL::DFG::LowerDFGToB3::compilePrivateBrandAccess): (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName): (JSC::FTL::DFG::LowerDFGToB3::cachedPutById): (JSC::FTL::DFG::LowerDFGToB3::emitGetTypedArrayByteOffsetExceptSettingResult): (JSC::FTL::DFG::LowerDFGToB3::typedArrayLength): (JSC::FTL::DFG::LowerDFGToB3::compileGetByValImpl): (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): (JSC::FTL::DFG::LowerDFGToB3::compileDelBy): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * Source/JavaScriptCore/ftl/FTLOutput.cpp: (JSC::FTL::Output::probeDebugPrint): * Source/JavaScriptCore/ftl/FTLOutput.h: Canonical link: https://commits.webkit.org/264180@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 39dd6c: DFG tuples should not be queried for their state
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: 39dd6c8334a66035cb396c8593a28dfca2b50f5e https://github.com/WebKit/WebKit/commit/39dd6c8334a66035cb396c8593a28dfca2b50f5e Author: Justin Michaud Date: 2023-04-26 (Wed, 26 Apr 2023) Changed paths: A JSTests/stress/dfg-tuple-ai.js M Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h M Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp M Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h M Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h Log Message: --- DFG tuples should not be queried for their state rdar://107876378 https://bugs.webkit.org/show_bug.cgi?id=255279 Reviewed by Keith Miller. DFG tuples don't have a type themselves, they represent a collection of elements. We should only ask questions about the type of an element of a tuple, never the tuple directly. Edges to a tuple should always be Untyped. In this test case, we get garbage data when we ask for the type of EnumeratorNextUpdateIndexAndMode from ExtractFromTuple. We remove the assert for this case and add some extra assertions to make sure that nobody else is making the same mistake. * JSTests/stress/dfg-tuple-ai.js: Added. 
(f3.const.o7.set e): (f3): (const.v15.in.string_appeared_here.v16.v18.catch): * Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::forTupleNode): * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::verifyEdge): * Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp: (JSC::DFG::AtTailAbstractState::forNode): * Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h: (JSC::DFG::AtTailAbstractState::forNode): (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward): (JSC::DFG::AtTailAbstractState::clearForNode): (JSC::DFG::AtTailAbstractState::setForNode): (JSC::DFG::AtTailAbstractState::forTupleNodeWithoutFastForward): * Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h: (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward): (JSC::DFG::InPlaceAbstractState::forNode): (JSC::DFG::InPlaceAbstractState::clearForNode): (JSC::DFG::InPlaceAbstractState::setForNode): (JSC::DFG::InPlaceAbstractState::setTypeForNode): (JSC::DFG::InPlaceAbstractState::setNonCellTypeForNode): (JSC::DFG::InPlaceAbstractState::makeBytecodeTopForNode): (JSC::DFG::InPlaceAbstractState::makeHeapTopForNode): (JSC::DFG::InPlaceAbstractState::forTupleNodeWithoutFastForward): Canonical link: https://commits.webkit.org/263433@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 37b14a: Add OMG WASM tracing debug code
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 37b14a877442d6b80bac19213962e5376267a110
    https://github.com/WebKit/WebKit/commit/37b14a877442d6b80bac19213962e5376267a110
Author: Justin Michaud
Date: 2023-04-10 (Mon, 10 Apr 2023)

Changed paths:
  M Source/JavaScriptCore/b3/B3Value.cpp
  M Source/JavaScriptCore/b3/B3Value.h
  M Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h
  M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
  M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
  M Source/JavaScriptCore/wasm/WasmFunctionParser.h
  M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
  M Source/JavaScriptCore/wasm/WasmOperations.cpp
  M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
  M Source/JavaScriptCore/wasm/generateWasmB3IRGeneratorInlinesHeader.py

Log Message:
---
Add OMG WASM tracing debug code
https://bugs.webkit.org/show_bug.cgi?id=254711
rdar://107394100

Reviewed by Yusuke Suzuki.

Add some debugging tools to the OMG generator to trace WASM execution at runtime.

* Source/JavaScriptCore/b3/B3Value.cpp:
(JSC::B3::Value::generateCompilerConstructionSite):
* Source/JavaScriptCore/b3/B3Value.h:
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
(JSC::Wasm::AirIRGeneratorBase::didPopValueFromStack):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::didPopValueFromStack):
(JSC::Wasm::B3IRGenerator::makePushVariable):
(JSC::Wasm::B3IRGenerator::push):
(JSC::Wasm::B3IRGenerator::addRefFunc):
(JSC::Wasm::B3IRGenerator::getLocal):
(JSC::Wasm::B3IRGenerator::traceValue):
(JSC::Wasm::B3IRGenerator::traceCF):
(JSC::Wasm::B3IRGenerator::setLocal):
(JSC::Wasm::B3IRGenerator::getGlobal):
(JSC::Wasm::B3IRGenerator::setGlobal):
(JSC::Wasm::B3IRGenerator::addLoop):
(JSC::Wasm::B3IRGenerator::addIf):
(JSC::Wasm::B3IRGenerator::addElseToUnreachable):
(JSC::Wasm::B3IRGenerator::addTry):
(JSC::Wasm::B3IRGenerator::emitCatchImpl):
(JSC::Wasm::B3IRGenerator::addThrow):
(JSC::Wasm::B3IRGenerator::addReturn):
(JSC::Wasm::B3IRGenerator::addBranch):
(JSC::Wasm::B3IRGenerator::addEndToUnreachable):
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
(JSC::Wasm::B3IRGenerator::addCallRef):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::didPopValueFromStack):
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser::parseExpression):
* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::didPopValueFromStack):
(JSC::Wasm::LLIntGenerator::atomicStore):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::loadValuesIntoBuffer):
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
* Source/JavaScriptCore/wasm/generateWasmB3IRGeneratorInlinesHeader.py:
(CodeGenerator.makeResult):

Canonical link: https://commits.webkit.org/262784@main

___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [WebKit/WebKit] 390aac: ASSERTION FAILED: Options::useWebAssemblyGC()
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 390aac0012e965bc5c6d043a2ea54c892b75214c
    https://github.com/WebKit/WebKit/commit/390aac0012e965bc5c6d043a2ea54c892b75214c
Author: Justin Michaud
Date: 2023-03-23 (Thu, 23 Mar 2023)

Changed paths:
  M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp

Log Message:
---
ASSERTION FAILED: Options::useWebAssemblyGC()
https://bugs.webkit.org/show_bug.cgi?id=254362
rdar://107126788

Reviewed by Yusuke Suzuki.

Quick assertion fix.

* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeInformation::TypeInformation):

Canonical link: https://commits.webkit.org/262045@main
[webkit-changes] [WebKit/WebKit] bb185d: Fix wasm name section parsing
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: bb185db3a774b5139bfb762f767ea3cdfbb6e18d
    https://github.com/WebKit/WebKit/commit/bb185db3a774b5139bfb762f767ea3cdfbb6e18d
Author: Justin Michaud
Date: 2023-03-15 (Wed, 15 Mar 2023)

Changed paths:
  M JSTests/wasm/stress/simple-inline-stacktrace-2.js
  M JSTests/wasm/stress/simple-inline-stacktrace.js
  M Source/JavaScriptCore/runtime/OptionsList.h
  M Source/JavaScriptCore/wasm/WasmNameSectionParser.cpp
  M Source/JavaScriptCore/wasm/WasmSectionParser.cpp

Log Message:
---
Fix wasm name section parsing
rdar://106657580

Reviewed by Yusuke Suzuki.

Simple bug fix for wasm custom name section locals parsing.

* JSTests/wasm/stress/simple-inline-stacktrace-2.js:
(i.catch):
* JSTests/wasm/stress/simple-inline-stacktrace.js:
(i.catch):
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/JavaScriptCore/wasm/WasmNameSectionParser.cpp:
(JSC::Wasm::NameSectionParser::parse):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseCustom):

Canonical link: https://commits.webkit.org/261694@main
