[webkit-changes] [295428] trunk
Title: [295428] trunk Revision 295428 Author keith_mil...@apple.com Date 2022-06-09 12:05:16 -0700 (Thu, 09 Jun 2022) Log Message jsc's settimeout should properly handle a delay https://bugs.webkit.org/show_bug.cgi?id=240467 Reviewed by Yusuke Suzuki. This patch makes it so that we properly handle a timeout passed to the JSC CLI setTimeout API. Previously we would just run the callback on the next runloop tick regardless of the passed value. * Source/_javascript_Core/jsc.cpp: (JSC_DEFINE_HOST_FUNCTION): Canonical link: https://commits.webkit.org/251434@main Modified Paths trunk/Source/_javascript_Core/jsc.cpp Added Paths trunk/JSTests/stress/setTimeout-with-delay.js Diff Added: trunk/JSTests/stress/setTimeout-with-delay.js (0 => 295428) --- trunk/JSTests/stress/setTimeout-with-delay.js (rev 0) +++ trunk/JSTests/stress/setTimeout-with-delay.js 2022-06-09 19:05:16 UTC (rev 295428) @@ -0,0 +1,7 @@ +let startTime = Date.now(); +let waitTime = 1000; + +setTimeout(() => { +if (startTime + waitTime > Date.now()) +throw new Error(); +}, waitTime); \ No newline at end of file Modified: trunk/Source/_javascript_Core/jsc.cpp (295427 => 295428) --- trunk/Source/_javascript_Core/jsc.cpp 2022-06-09 18:57:46 UTC (rev 295427) +++ trunk/Source/_javascript_Core/jsc.cpp 2022-06-09 19:05:16 UTC (rev 295428) 
@@ -2525,13 +2525,21 @@ if (!callback) return throwVMTypeError(globalObject, scope, "First argument is not a JS function"_s); -// FIXME: We don't look at the timeout parameter because we don't have a schedule work later API. auto ticket = vm.deferredWorkTimer->addPendingWork(vm, callback, { }); -vm.deferredWorkTimer->scheduleWorkSoon(ticket, [callback](DeferredWorkTimer::Ticket) { -JSGlobalObject* globalObject = callback->globalObject(); -MarkedArgumentBuffer args; -call(globalObject, callback, jsUndefined(), args, "You shouldn't see this..."_s); -}); +auto dispatch = [callback, ticket] { +callback->vm().deferredWorkTimer->scheduleWorkSoon(ticket, [callback](DeferredWorkTimer::Ticket) { +JSGlobalObject* globalObject = callback->globalObject(); +MarkedArgumentBuffer args; +call(globalObject, callback, jsUndefined(), args, "You shouldn't see this..."_s); +}); +}; + +JSValue timeout = callFrame->argument(1); +if (timeout.isNumber() && timeout.asNumber()) +RunLoop::current().dispatchAfter(Seconds::fromMilliseconds(timeout.asNumber()), WTFMove(dispatch)); +else +dispatch(); + return JSValue::encode(jsUndefined()); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
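Review bot: the new delay check in jsc.cpp, "if (timeout.isNumber() && timeout.asNumber())", lets NaN and negative delays through to RunLoop::dispatchAfter: a NaN double converts to true in the condition, and a negative number is non-zero, so setTimeout(f, NaN) and setTimeout(f, -5) both schedule with a nonsensical Seconds value instead of firing on the next tick. Suggest "timeout.isNumber() && timeout.asNumber() > 0" (clamping negatives to 0 as browsers do), and either coercing non-number arguments with toNumber or noting in a comment that the CLI shim deliberately ignores them.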
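Review bot: the added test setTimeout-with-delay.js only fails if the callback runs early; it passes just as well if the callback never runs at all, so a regression that drops the deferred work would go unnoticed. Set a flag inside the callback and check it after the run loop drains (or assert the callback ran via a second, longer timeout). Two nits: a one-second wall-clock wait is long for a stress test, a much smaller delay still proves the point; and the file is missing its trailing newline ("\ No newline at end of file").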
[webkit-changes] [295423] trunk/Source/JavaScriptCore/bytecode/Repatch.cpp
Title: [295423] trunk/Source/_javascript_Core/bytecode/Repatch.cpp Revision 295423 Author keith_mil...@apple.com Date 2022-06-09 10:20:40 -0700 (Thu, 09 Jun 2022) Log Message Repatch should be able to polymorphic call with arity fixup. https://bugs.webkit.org/show_bug.cgi?id=240911 Reviewed by Saam Barati. Right now repatch will emit a virtual call any time it has a case that requires arity fixup. Instead it should just pick the arity fixup entrypoint. Canonical link: https://commits.webkit.org/251429@main Modified Paths trunk/Source/_javascript_Core/bytecode/Repatch.cpp Diff Modified: trunk/Source/_javascript_Core/bytecode/Repatch.cpp (295422 => 295423) --- trunk/Source/_javascript_Core/bytecode/Repatch.cpp 2022-06-09 17:16:02 UTC (rev 295422) +++ trunk/Source/_javascript_Core/bytecode/Repatch.cpp 2022-06-09 17:20:40 UTC (rev 295423) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2021 Apple Inc. All rights reserved. + * Copyright (C) 2011-2022 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1657,9 +1657,9 @@ if (variant.executable() && !variant.executable()->isHostFunction()) { ExecutableBase* executable = variant.executable(); codeBlock = jsCast(executable)->codeBlockForCall(); -// If we cannot handle a callee, either because we don't have a CodeBlock or because arity mismatch, +// If we cannot handle a callee, because we don't have a CodeBlock, // assume that it's better for this whole thing to be a virtual call. -if (!codeBlock || callFrame->argumentCountIncludingThis() < static_cast(codeBlock->numParameters()) || callLinkInfo.isVarargs()) { +if (!codeBlock) { linkVirtualFor(vm, callFrame, callLinkInfo); return; } 
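Review bot: the removed condition at the old line 1662 also dropped "callLinkInfo.isVarargs()" from the virtual-call fallback, so varargs calls with a CodeBlock are now linked polymorphically and rely entirely on the arityCheck selection in the later hunk. If that is intended, the log message should say so; as written it reads as only an arity-fixup change, and the updated comment ("because we don't have a CodeBlock") no longer mentions varargs at all.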
@@ -1813,8 +1813,16 @@ ASSERT(variant.executable()->hasJITCodeForCall()); codePtr = jsToWasmICCodePtr(callLinkInfo.specializationKind(), variant.function()); -if (!codePtr) -codePtr = variant.executable()->generatedJITCodeForCall()->addressForCall(ArityCheckNotRequired); +if (!codePtr) { +ArityCheckMode arityCheck = ArityCheckNotRequired; +if (auto* codeBlock = callCase.codeBlock()) { +ASSERT(!variant.executable()->isHostFunction()); +if ((callFrame->argumentCountIncludingThis() < static_cast(callCase.codeBlock()->numParameters()) || callLinkInfo.isVarargs())) +arityCheck = MustCheckArity; + +} +codePtr = variant.executable()->generatedJITCodeForCall()->addressForCall(arityCheck); +} } else { ASSERT(variant.internalFunction()); codePtr = vm.getCTIInternalFunctionTrampolineFor(CodeForCall); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
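Review bot: inside "if (auto* codeBlock = callCase.codeBlock())" the condition calls callCase.codeBlock()->numParameters() again instead of using the local codeBlock that was just bound, which is both redundant and the kind of thing that drifts apart later; use codeBlock->numParameters(). Also drop the doubled outer parentheses around the condition and the stray blank line before the closing brace.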
[webkit-changes] [294805] trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
Title: [294805] trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py Revision 294805 Author keith_mil...@apple.com Date 2022-05-25 10:43:05 -0700 (Wed, 25 May 2022) Log Message git-webkit pr crashes when run from detached HEAD https://bugs.webkit.org/show_bug.cgi?id=240468 Reviewed by Jonathan Bedard. repository.branch is None when on a detached HEAD. This causes us to throw an Error when performing a regex on the branch name. This patch treats a detached HEAD the same as being on main. * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py: (PullRequest.pull_request_branch_point): Canonical link: https://commits.webkit.org/250961@main Modified Paths trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py Diff Modified: trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py (294804 => 294805) --- trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py 2022-05-25 17:29:16 UTC (rev 294804) +++ trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py 2022-05-25 17:43:05 UTC (rev 294805) @@ -159,7 +159,7 @@ # FIXME: We can do better by infering the remote from the branch point, if it's not specified source_remote = args.remote or 'origin' -if repository.branch in repository.DEFAULT_BRANCHES or repository.PROD_BRANCHES.match(repository.branch): +if repository.branch is None or repository.branch in repository.DEFAULT_BRANCHES or repository.PROD_BRANCHES.match(repository.branch): if Branch.main( args, repository, why="'{}' is not a pull request branch".format(repository.branch), ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
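Review bot: with "repository.branch is None" now taking the first branch of the condition, the unchanged why= argument below it formats repository.branch into the message, so a detached HEAD reports "'None' is not a pull request branch", which is confusing to the user. Build a separate message for the detached-HEAD case (for example "detached HEAD is not a pull request branch") or substitute a placeholder before formatting.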
[webkit-changes] [293974] trunk/JSTests
Title: [293974] trunk/JSTests Revision 293974 Author keith_mil...@apple.com Date 2022-05-09 07:57:30 -0700 (Mon, 09 May 2022) Log Message Unreviewed test gardening. * test262/expectations.yaml: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml Diff Modified: trunk/JSTests/ChangeLog (293973 => 293974) --- trunk/JSTests/ChangeLog 2022-05-09 14:46:18 UTC (rev 293973) +++ trunk/JSTests/ChangeLog 2022-05-09 14:57:30 UTC (rev 293974) @@ -1,3 +1,9 @@ +2022-05-09 Keith Miller + +Unreviewed test gardening. + +* test262/expectations.yaml: + 2022-05-06 Ross Kirsling Temporal.Duration#toString should never ignore fractionalSecondDigits Modified: trunk/JSTests/test262/expectations.yaml (293973 => 293974) --- trunk/JSTests/test262/expectations.yaml 2022-05-09 14:46:18 UTC (rev 293973) +++ trunk/JSTests/test262/expectations.yaml 2022-05-09 14:57:30 UTC (rev 293974) 
@@ -1317,6 +1317,9 @@ test/intl402/Locale/prototype/minimize/removing-likely-subtags-first-adds-likely-subtags.js: default: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true' strict mode: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true' +test/intl402/NumberFormat/constructor-roundingIncrement-invalid.js: + default: 'Test262Error: "maximumFractionDigits" is not equal to "minimumFractionDigits" Expected a RangeError to be thrown but no exception was thrown at all' + strict mode: 'Test262Error: "maximumFractionDigits" is not equal to "minimumFractionDigits" Expected a RangeError to be thrown but no exception was thrown at all' test/intl402/NumberFormat/prototype/format/format-rounding-priority-less-precision.js: default: 'Test262Error: Formatted value for 1, en-US-u-nu-arab and options {"useGrouping":false,"roundingPriority":"lessPrecision","minimumSignificantDigits":3,"minimumFractionDigits":1} is ١٫٠٠; expected ١٫٠.' strict mode: 'Test262Error: Formatted value for 1, en-US-u-nu-arab and options {"useGrouping":false,"roundingPriority":"lessPrecision","minimumSignificantDigits":3,"minimumFractionDigits":1} is ١٫٠٠; expected ١٫٠.' ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
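Review bot: the new expectation for constructor-roundingIncrement-invalid.js records a known missing RangeError ("Expected a RangeError to be thrown but no exception was thrown at all"), but this gardening commit carries no bug URL, so nothing ties the entry to the work that would remove it. Please reference the tracking bug in the ChangeLog entry or in a comment next to the expectation so it does not go stale once the validation lands.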
[webkit-changes] [293973] trunk/Tools
Title: [293973] trunk/Tools Revision 293973 Author keith_mil...@apple.com Date 2022-05-09 07:46:18 -0700 (Mon, 09 May 2022) Log Message Test262 runner should show progress https://bugs.webkit.org/show_bug.cgi?id=240181 Reviewed by Yusuke Suzuki. The progress will appear as something like [42/245669]. * Scripts/test262/Runner.pm: (processCLI): (main): Canonical link: https://commits.webkit.org/250411@main Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/test262/Runner.pm Diff Modified: trunk/Tools/ChangeLog (293972 => 293973) --- trunk/Tools/ChangeLog 2022-05-09 14:05:21 UTC (rev 293972) +++ trunk/Tools/ChangeLog 2022-05-09 14:46:18 UTC (rev 293973) @@ -1,3 +1,16 @@ +2022-05-06 Keith Miller + +Test262 runner should show progress +https://bugs.webkit.org/show_bug.cgi?id=240181 + +Reviewed by Yusuke Suzuki. + +The progress will appear as something like [42/245669]. + +* Scripts/test262/Runner.pm: +(processCLI): +(main): + 2022-05-08 Antti Koivisto Avoid resolving style for elements that only inherit changes from parent Modified: trunk/Tools/Scripts/test262/Runner.pm (293972 => 293973) --- trunk/Tools/Scripts/test262/Runner.pm 2022-05-09 14:05:21 UTC (rev 293972) +++ trunk/Tools/Scripts/test262/Runner.pm 2022-05-09 14:46:18 UTC (rev 293973) @@ -132,6 +132,7 @@ my $runningAllTests; my $timeout; my $skippedOnly; +my $noProgress; my $test262Dir; my $webkitTest262Dir = abs_path("$Bin/../../../JSTests/test262"); @@ -176,7 +177,7 @@ 'f|features=s@' => \@features, 'c|config=s' => \$configFile, 'i|ignore-config' => \$ignoreConfig, -'s|save' => \$saveExpectations, +'save' => \$saveExpectations, 'e|expectations=s' => \$specifiedExpectationsFile, 'x|ignore-expectations' => \$ignoreExpectations, 'F|failing-files' => \$failingOnly, @@ -185,6 +186,7 @@ 'r|results=s' => \$specifiedResultsFile, 'timeout=i' => \$timeout, 'S|skipped-files' => \$skippedOnly, +'no-progress' => \$noProgress, ); if ($help) { 
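Review bot: the option-table hunk drops the "-s" short alias for --save, which is a command-line interface change not mentioned in the log message or the ChangeLog entry (they only describe the progress display). Either call it out explicitly or keep "s|save" as a deprecated alias for a release; anyone with scripts using "-s" will otherwise get an unexpected option error. Separately, the ChangeLog entry is dated 2022-05-06 while the commit is from 2022-05-09.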
@@ -355,6 +357,9 @@ } } +my $numFiles = scalar(@files); +my $completedFiles = 0; + my $pm = Parallel::ForkManager->new($maxProcesses); my $select = IO::Select->new(); @@ -423,8 +428,12 @@ $activeChildren--; my $file = shift @files; if ($file) { +$completedFiles++; chomp $file; print $readyChild "$file\n"; +if (!$noProgress) { +print "[$completedFiles/$numFiles]\r"; +} $activeChildren++; } elsif (!$activeChildren) { last FILES; @@ -1338,7 +1347,7 @@ Specify one or more specific test262 directory of test to run, relative to the root test262 directory. For example, --test-only 'test/built-ins/Number/prototype' -=item B<--save, -s> +=item B<--save> Overwrites the test262-expectations.yaml file with the current list of test262 files and test results. @@ -1366,6 +1375,10 @@ Calculate conformance statistics from results/results.yaml file or a supplied results file (--results). Saves results in results/summary.txt and results/summary.yaml. +=item B<--no-progress> + +Don't show progress while running tests. + =item B<--results, -r> Specifies a results file for the --stats or --failing-files options. ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
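Review bot: in the progress hunk, "$completedFiles++" is incremented when a file is handed to a ready child, not when its result comes back, so "[42/245669]" counts dispatched files rather than completed ones; rename it to $dispatchedFiles or move the increment to where results are read. Two further points: the "\r"-terminated print goes to STDOUT without autoflush, so when output is piped or redirected the progress may not appear until the buffer fills, and the carriage returns end up as one very long line in log files; setting "$| = 1" and auto-disabling progress when "!-t STDOUT" (not only via --no-progress) would avoid both.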
[webkit-changes] [293869] trunk/JSTests
Title: [293869] trunk/JSTests Revision 293869 Author keith_mil...@apple.com Date 2022-05-05 16:43:45 -0700 (Thu, 05 May 2022) Log Message Rebaseline icu tests to public sdk's icu https://bugs.webkit.org/show_bug.cgi?id=240142 Reviewed by Yusuke Suzuki. * test262/expectations.yaml: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml Diff Modified: trunk/JSTests/ChangeLog (293868 => 293869) --- trunk/JSTests/ChangeLog 2022-05-05 23:28:27 UTC (rev 293868) +++ trunk/JSTests/ChangeLog 2022-05-05 23:43:45 UTC (rev 293869) @@ -1,3 +1,12 @@ +2022-05-05 Keith Miller + +Rebaseline icu tests to public sdk's icu +https://bugs.webkit.org/show_bug.cgi?id=240142 + +Reviewed by Yusuke Suzuki. + +* test262/expectations.yaml: + 2022-05-04 Yusuke Suzuki [JSC] Intl.NumberFormat lacks some validation for rounding-increment Modified: trunk/JSTests/test262/expectations.yaml (293868 => 293869) --- trunk/JSTests/test262/expectations.yaml 2022-05-05 23:28:27 UTC (rev 293868) +++ trunk/JSTests/test262/expectations.yaml 2022-05-05 23:43:45 UTC (rev 293869) 
@@ -1344,9 +1344,27 @@ test/intl402/Intl/getCanonicalLocales/non-iana-canon.js: default: 'Test262Error: The value of Intl.getCanonicalLocales(tag)[0] equals the value of `canonical` Expected SameValue(«en-US-u-va-posix», «posix») to be true' strict mode: 'Test262Error: The value of Intl.getCanonicalLocales(tag)[0] equals the value of `canonical` Expected SameValue(«en-US-u-va-posix», «posix») to be true' +test/intl402/Intl/getCanonicalLocales/preferred-grandfathered.js: + default: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true' + strict mode: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true' +test/intl402/Intl/getCanonicalLocales/transformed-ext-canonical.js: + default: 'Test262Error: Expected SameValue(«sl-t-sl-rozaj-biske-1994», «sl-t-sl-1994-biske-rozaj») to be true' + strict mode: 'Test262Error: Expected SameValue(«sl-t-sl-rozaj-biske-1994», «sl-t-sl-1994-biske-rozaj») to be true' +test/intl402/Intl/getCanonicalLocales/unicode-ext-canonicalize-region.js: + default: 'Test262Error: Expected SameValue(«und-u-rg-no23», «und-u-rg-no50») to be true' + strict mode: 'Test262Error: Expected SameValue(«und-u-rg-no23», «und-u-rg-no50») to be true' +test/intl402/Intl/getCanonicalLocales/unicode-ext-canonicalize-subdivision.js: + default: 'Test262Error: Expected SameValue(«und-NO-u-sd-no23», «und-NO-u-sd-no50») to be true' + strict mode: 'Test262Error: Expected SameValue(«und-NO-u-sd-no23», «und-NO-u-sd-no50») to be true' test/intl402/Locale/extensions-grandfathered.js: default: 'Test262Error: Expected SameValue(«fr-Cyrl-FR-gaulish-u-nu-latn», «fr-Cyrl-FR-u-nu-latn») to be true' strict mode: 'Test262Error: Expected SameValue(«fr-Cyrl-FR-gaulish-u-nu-latn», «fr-Cyrl-FR-u-nu-latn») to be true' +test/intl402/Locale/getters-grandfathered.js: + default: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true' + strict mode: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true' 
+test/intl402/Locale/likely-subtags-grandfathered.js: + default: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true' + strict mode: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true' test/intl402/Locale/prototype/minimize/removing-likely-subtags-first-adds-likely-subtags.js: default: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true' strict mode: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true' @@ -1362,6 +1380,78 @@ test/intl402/NumberFormat/prototype/format/value-decimal-string.js: default: 'Test262Error: Expected SameValue(«1», «1.0001») to be true' strict mode: 'Test262Error: Expected SameValue(«1», «1.0001») to be true' +test/intl402/NumberFormat/prototype/formatRange/builtin.js: + default: 'Test262Error: The [[Class]] internal property of a built-in function must be "Function". Expected SameValue(«[object Undefined]», «[object Function]») to be true' + strict mode: 'Test262Error: The [[Class]] internal property of a built-in function must be "Function". Expected SameValue(«[object Undefined]», «[object Function]») to be true' +test/intl402/NumberFormat/prototype/formatRange/en-US.js: + default: "TypeError: nf.formatRange is not a function. (In 'nf.formatRange(3, 5)', 'nf.formatRange' is undefined)" + strict mode: "TypeError: nf.formatRange is not a function. (In 'nf.formatRange(3, 5)', 'nf.formatRange' is undefined)" +test/intl402/NumberFormat/prototype/formatRange/invoked-as-func.js: + default: 'Test262Error: Expected SameValue(«undefined», «function») to be true' + strict mode: 'Test262Error: Expected SameValue(«undefined», «function») to be true' +test/intl402/NumberFormat/prototype/formatRange/length.js: + default: "TypeError: undefined is not an obje
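Review bot: the title says this rebaselines ICU tests, and the getCanonicalLocales/Locale entries (cel-gaulish vs xtg, rg-no23 vs rg-no50, sl-t-sl extension ordering) do look like locale-data version differences, but the added NumberFormat.prototype.formatRange entries fail with "nf.formatRange is not a function", which is a missing feature rather than ICU drift. Keep those in a separate commit or annotate them so a later ICU update does not leave unimplemented-API failures hidden under an ICU rebaseline.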
[webkit-changes] [293393] trunk/Source/JavaScriptCore
Title: [293393] trunk/Source/_javascript_Core Revision 293393 Author keith_mil...@apple.com Date 2022-04-25 18:36:25 -0700 (Mon, 25 Apr 2022) Log Message structureIDToStructureWithScratch should only do things if ADDRESS64 https://bugs.webkit.org/show_bug.cgi?id=239749 Reviewed by Saam Barati. * llint/LowLevelInterpreter64.asm: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293392 => 293393) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-26 01:31:52 UTC (rev 293392) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-26 01:36:25 UTC (rev 293393) @@ -1,3 +1,12 @@ +2022-04-25 Keith Miller + +structureIDToStructureWithScratch should only do things if ADDRESS64 +https://bugs.webkit.org/show_bug.cgi?id=239749 + +Reviewed by Saam Barati. + +* llint/LowLevelInterpreter64.asm: + 2022-04-22 Yusuke Suzuki [JSC] Enable change-array-by-copy Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (293392 => 293393) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2022-04-26 01:31:52 UTC (rev 293392) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2022-04-26 01:36:25 UTC (rev 293393) @@ -741,10 +741,12 @@ end macro structureIDToStructureWithScratch(structureIDThenStructure, scratch) -andq constexpr structureIDMask, structureIDThenStructure -leap JSCConfig + constexpr JSC::offsetOfJSCConfigStartOfStructureHeap, scratch -loadp [scratch], scratch -addp scratch, structureIDThenStructure +if ADDRESS64 +andq constexpr structureIDMask, structureIDThenStructure +leap JSCConfig + constexpr JSC::offsetOfJSCConfigStartOfStructureHeap, scratch +loadp [scratch], scratch +addp scratch, structureIDThenStructure +end end macro loadStructureWithScratch(cell, structure, scratch) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
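Review bot: the hunk makes structureIDToStructureWithScratch a no-op unless ADDRESS64, but neither the commit message nor the macro says why leaving structureIDThenStructure untouched is correct in the non-ADDRESS64 build of LowLevelInterpreter64.asm (presumably the value is already a full pointer there). Add a one-line comment in the macro stating that invariant so the next reader does not have to reverse it from the StructureID layout.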
[webkit-changes] [292609] trunk/Source
Title: [292609] trunk/Source Revision 292609 Author keith_mil...@apple.com Date 2022-04-08 09:41:05 -0700 (Fri, 08 Apr 2022) Log Message Broaden TypedArray API fix to all apps not just Bleacher Report https://bugs.webkit.org/show_bug.cgi?id=238955 Reviewed by Saam Barati. Source/_javascript_Core: * API/JSTypedArray.cpp: (isLinkedBeforeTypedArrayLengthQuirk): (JSObjectGetArrayBufferByteLength): (isBleecherReport): Deleted. Source/WTF: * wtf/cocoa/RuntimeApplicationChecksCocoa.h: Modified Paths trunk/Source/_javascript_Core/API/JSTypedArray.cpp trunk/Source/_javascript_Core/ChangeLog trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h Diff Modified: trunk/Source/_javascript_Core/API/JSTypedArray.cpp (292608 => 292609) --- trunk/Source/_javascript_Core/API/JSTypedArray.cpp 2022-04-08 15:16:59 UTC (rev 292608) +++ trunk/Source/_javascript_Core/API/JSTypedArray.cpp 2022-04-08 16:41:05 UTC (rev 292609) @@ -366,15 +366,12 @@ } #if PLATFORM(IOS) -inline static bool isBleecherReport() +inline static bool isLinkedBeforeTypedArrayLengthQuirk() { -auto bundleID = CFBundleGetIdentifier(CFBundleGetMainBundle()); -return bundleID -&& CFEqual(bundleID, CFSTR("com.bleacherreport.TeamStream")) -&& !linkedOnOrAfter(SDKVersion::FirstWithoutBleecherReportQuirk); +return !linkedOnOrAfter(SDKVersion::FirstWithoutTypedArrayAPIQuirk); } #else -inline static bool isBleecherReport() { return false; } +inline static bool isLinkedBeforeTypedArrayLengthQuirk() { return false; } #endif size_t JSObjectGetArrayBufferByteLength(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*) 
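Review bot: with the CFBundleGetIdentifier/CFEqual check removed from the PLATFORM(IOS) helper, the "#if PLATFORM(IOS) #include ... #endif" block that r291448 added for that bundle lookup is probably unused now (the header name did not survive extraction here); drop it if linkedOnOrAfter does not need it, otherwise this leaves a stray platform-conditional include behind.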
@@ -386,7 +383,7 @@ if (!object) { // For some reason prior to https://bugs.webkit.org/show_bug.cgi?id=235720 Clang would emit code // to early return if objectRef is 0 but not after. Passing 0 should be invalid API use. -static bool shouldntCrash = isBleecherReport(); +static bool shouldntCrash = isLinkedBeforeTypedArrayLengthQuirk(); RELEASE_ASSERT(shouldntCrash); return 0; } Modified: trunk/Source/_javascript_Core/ChangeLog (292608 => 292609) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-08 15:16:59 UTC (rev 292608) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-08 16:41:05 UTC (rev 292609) @@ -1,3 +1,15 @@ +2022-04-08 Keith Miller + +Broaden TypedArray API fix to all apps not just Bleacher Report +https://bugs.webkit.org/show_bug.cgi?id=238955 + +Reviewed by Saam Barati. + +* API/JSTypedArray.cpp: +(isLinkedBeforeTypedArrayLengthQuirk): +(JSObjectGetArrayBufferByteLength): +(isBleecherReport): Deleted. + 2022-04-07 Yusuke Suzuki [JSC] Fire structure transition watchpoint in Structure::finishCreation instead of Structure constructor Modified: trunk/Source/WTF/ChangeLog (292608 => 292609) --- trunk/Source/WTF/ChangeLog 2022-04-08 15:16:59 UTC (rev 292608) +++ trunk/Source/WTF/ChangeLog 2022-04-08 16:41:05 UTC (rev 292609) @@ -1,3 +1,12 @@ +2022-04-08 Keith Miller + +Broaden TypedArray API fix to all apps not just Bleacher Report +https://bugs.webkit.org/show_bug.cgi?id=238955 + +Reviewed by Saam Barati. + +* wtf/cocoa/RuntimeApplicationChecksCocoa.h: + 2022-04-07 Elliott Williams [XCBuild] Enable dependency validation by default Modified: trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h (292608 => 292609) --- trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h 2022-04-08 15:16:59 UTC (rev 292608) +++ trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h 2022-04-08 16:41:05 UTC (rev 292609) 
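Review bot: the null-object path now returns 0 for every iOS app linked before FirstWithoutTypedArrayAPIQuirk rather than one bundle ID, and the log message gives no reason for widening it beyond "not just Bleacher Report". The RELEASE_ASSERT still crashes apps linked against the 16.0 SDK or later, which is the right default for invalid API use, but the commit message should state that boundary explicitly, since the title alone reads as if the crash were disabled for all apps.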
@@ -86,7 +86,7 @@ FirstWithoutExpandoIndexedPropertiesOnWindow = DYLD_IOS_VERSION_15_0, FirstThatDoesNotDrainTheMicrotaskQueueWhenCallingObjC = DYLD_IOS_VERSION_15_0, FirstWithAuthorizationHeaderOnSameOriginRedirects = DYLD_IOS_VERSION_15_4, -FirstWithoutBleecherReportQuirk = DYLD_IOS_VERSION_16_0, +FirstWithoutTypedArrayAPIQuirk = DYLD_IOS_VERSION_16_0, FirstForbiddingDotPrefixedFonts = DYLD_IOS_VERSION_16_0, #elif PLATFORM(MAC) FirstVersionThatSupportsInitConstructors = 0xA0A00, // OS X 10.10 ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [292269] trunk/Source/JavaScriptCore
Title: [292269] trunk/Source/_javascript_Core Revision 292269 Author keith_mil...@apple.com Date 2022-04-02 13:36:24 -0700 (Sat, 02 Apr 2022) Log Message AI should do int32 optimization in ValueRep https://bugs.webkit.org/show_bug.cgi?id=238699 Reviewed by Saam Barati. When constant folding an int52 into a ValueRep AI doesn't do our normal int32 boxing optimization. I'm not sure if it matters since I couldn't find a test but it probably doesn't hurt. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292268 => 292269) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-02 18:38:23 UTC (rev 292268) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-02 20:36:24 UTC (rev 292269) @@ -1,3 +1,18 @@ +2022-04-02 Keith Miller + +AI should do int32 optimization in ValueRep +https://bugs.webkit.org/show_bug.cgi?id=238699 + +Reviewed by Saam Barati. + +When constant folding an int52 into a ValueRep AI doesn't +do our normal int32 boxing optimization. I'm not sure if +it matters since I couldn't find a test but it probably +doesn't hurt. + +* dfg/DFGAbstractInterpreterInlines.h: +(JSC::DFG::AbstractInterpreter::executeEffects): + 2022-04-02 Adrian Perez de Castro [GTK] Replace gtk-doc with gi-docgen Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (292268 => 292269) --- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2022-04-02 18:38:23 UTC (rev 292268) +++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2022-04-02 20:36:24 UTC (rev 292269) 
@@ -750,6 +750,10 @@ case ValueRep: { JSValue value = forNode(node->child1()).value(); if (value) { +if (node->child1().useKind() == Int52RepUse) { +if (auto int32 = value.tryGetAsInt32()) +value = jsNumber(*int32); +} setConstant(node, value); break; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
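Review bot: the log message admits no test covers this path. Even if the folded constant is only an optimization, a stress test that constant-folds an Int52RepUse value through ValueRep and checks the result is still observable as a plain int32 would guard the new tryGetAsInt32 branch; without one, a future change to Int52 folding could silently regress it.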
[webkit-changes] [291871] trunk/Source/JavaScriptCore
Title: [291871] trunk/Source/_javascript_Core Revision 291871 Author keith_mil...@apple.com Date 2022-03-25 11:52:54 -0700 (Fri, 25 Mar 2022) Log Message Remove unused JITOperation, operationTryOSREnterAtCatch. https://bugs.webkit.org/show_bug.cgi?id=238379 Reviewed by Mark Lam. * jit/JITOperations.cpp: * jit/JITOperations.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291870 => 291871) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-25 18:46:34 UTC (rev 291870) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-25 18:52:54 UTC (rev 291871) @@ -1,3 +1,13 @@ +2022-03-25 Keith Miller + +Remove unused JITOperation, operationTryOSREnterAtCatch. +https://bugs.webkit.org/show_bug.cgi?id=238379 + +Reviewed by Mark Lam. + +* jit/JITOperations.cpp: +* jit/JITOperations.h: + 2022-03-25 Chris Dumez Start preparing WebCore for making the String(const char*) constructor explicit Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (291870 => 291871) --- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2022-03-25 18:46:34 UTC (rev 291870) +++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2022-03-25 18:52:54 UTC (rev 291871) 
@@ -2084,30 +2084,6 @@ return encodeResult(nullptr, nullptr); } -JSC_DEFINE_JIT_OPERATION(operationTryOSREnterAtCatch, char*, (VM* vmPointer, uint32_t bytecodeIndexBits)) -{ -VM& vm = *vmPointer; -CallFrame* callFrame = DECLARE_CALL_FRAME(vm); -JITOperationPrologueCallFrameTracer tracer(vm, callFrame); -BytecodeIndex bytecodeIndex = BytecodeIndex::fromBits(bytecodeIndexBits); - -CodeBlock* codeBlock = callFrame->codeBlock(); -CodeBlock* optimizedReplacement = codeBlock->replacement(); -if (UNLIKELY(!optimizedReplacement)) -return nullptr; - -switch (optimizedReplacement->jitType()) { -case JITType::DFGJIT: -case JITType::FTLJIT: { -MacroAssemblerCodePtr entry = DFG::prepareCatchOSREntry(vm, callFrame, codeBlock, optimizedReplacement, bytecodeIndex); -return entry.executableAddress(); -} -default: -break; -} -return nullptr; -} - JSC_DEFINE_JIT_OPERATION(operationTryOSREnterAtCatchAndValueProfile, char*, (VM* vmPointer, uint32_t bytecodeIndexBits)) { VM& vm = *vmPointer; Modified: trunk/Source/_javascript_Core/jit/JITOperations.h (291870 => 291871) --- trunk/Source/_javascript_Core/jit/JITOperations.h 2022-03-25 18:46:34 UTC (rev 291870) +++ trunk/Source/_javascript_Core/jit/JITOperations.h 2022-03-25 18:52:54 UTC (rev 291871) @@ -260,7 +260,6 @@ JSC_DECLARE_JIT_OPERATION(operationDebug, void, (VM*, int32_t)); #if ENABLE(DFG_JIT) JSC_DECLARE_JIT_OPERATION(operationOptimize, SlowPathReturnType, (VM*, uint32_t)); -JSC_DECLARE_JIT_OPERATION(operationTryOSREnterAtCatch, char*, (VM*, uint32_t)); JSC_DECLARE_JIT_OPERATION(operationTryOSREnterAtCatchAndValueProfile, char*, (VM*, uint32_t)); #endif JSC_DECLARE_JIT_OPERATION(operationPutGetterById, void, (JSGlobalObject*, JSCell*, UniquedStringImpl*, int32_t options, JSCell*)); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
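Review bot: the diff removes the definition and declaration of operationTryOSREnterAtCatch but touches only JITOperations.cpp and JITOperations.h; JIT operations are also referenced by name from the LLInt .asm files and from generated operation lists, so please confirm with a grep that no remaining reference exists, otherwise the removal only surfaces as a link error on some configurations.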
[webkit-changes] [291456] trunk/Source/WTF
Title: [291456] trunk/Source/WTF Revision 291456 Author keith_mil...@apple.com Date 2022-03-17 17:48:31 -0700 (Thu, 17 Mar 2022) Log Message tryReserveUncommittedAligned should round up to alignment not bytes requested https://bugs.webkit.org/show_bug.cgi?id=238052 Reviewed by Yusuke Suzuki. * wtf/posix/OSAllocatorPOSIX.cpp: (WTF::OSAllocator::tryReserveUncommittedAligned): Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp Diff Modified: trunk/Source/WTF/ChangeLog (291455 => 291456) --- trunk/Source/WTF/ChangeLog 2022-03-18 00:46:15 UTC (rev 291455) +++ trunk/Source/WTF/ChangeLog 2022-03-18 00:48:31 UTC (rev 291456) @@ -1,5 +1,15 @@ 2022-03-17 Keith Miller +tryReserveUncommittedAligned should round up to alignment not bytes requested +https://bugs.webkit.org/show_bug.cgi?id=238052 + +Reviewed by Yusuke Suzuki. + +* wtf/posix/OSAllocatorPOSIX.cpp: +(WTF::OSAllocator::tryReserveUncommittedAligned): + +2022-03-17 Keith Miller + Fix crash in Bleacher Report due to bad JSObjectRef passed to API https://bugs.webkit.org/show_bug.cgi?id=238048 Modified: trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp (291455 => 291456) --- trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp 2022-03-18 00:46:15 UTC (rev 291455) +++ trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp 2022-03-18 00:48:31 UTC (rev 291456) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Apple Inc. All rights reserved. + * Copyright (C) 2010-2022 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -200,7 +200,7 @@ char* mapped = reinterpret_cast(tryReserveUncommitted(mappedSize, usage, writable, executable, jitCageEnabled, includesGuardPages)); char* mappedEnd = mapped + mappedSize; -char* aligned = reinterpret_cast(roundUpToMultipleOf(bytes, reinterpret_cast(mapped))); +char* aligned = reinterpret_cast(roundUpToMultipleOf(alignment, reinterpret_cast(mapped))); char* alignedEnd = aligned + bytes; RELEASE_ASSERT(alignedEnd <= mappedEnd); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
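Review bot: the fix to round up to a multiple of alignment rather than bytes is correct, but nothing in the hunk verifies the resulting pointer; add an ASSERT that aligned is actually a multiple of alignment (and that alignment is a power of two, if roundUpToMultipleOf does not already check it) next to the existing "RELEASE_ASSERT(alignedEnd <= mappedEnd)". The commit message should also say what the old behaviour produced (a misplaced start when bytes differs from alignment, hitting the release assert or returning a misaligned region), and a TestWTF case for bytes > alignment would keep this from regressing.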
[webkit-changes] [291448] trunk/Source
Title: [291448] trunk/Source Revision 291448 Author keith_mil...@apple.com Date 2022-03-17 16:34:16 -0700 (Thu, 17 Mar 2022) Log Message Fix crash in Bleacher Report due to bad JSObjectRef passed to API https://bugs.webkit.org/show_bug.cgi?id=238048 Reviewed by Yusuke Suzuki. Source/_javascript_Core: Prior to the StructureID overhaul the JSObjectGetArrayBufferByteLength would automatically check if the JSObjectRef passed to that function was null before short circuiting to the non-typed array return value, 0. While technically valid since dereferencing null is UB, this meant that Clang was covering up this crash. To fix this I'm adding an app specific workaround for the time being so Bleacher Report can fix their code to no longer pass this nullptr. * API/JSTypedArray.cpp: (isBleecherReport): (JSObjectGetArrayBufferByteLength): Source/WTF: * wtf/cocoa/RuntimeApplicationChecksCocoa.h: Modified Paths trunk/Source/_javascript_Core/API/JSTypedArray.cpp trunk/Source/_javascript_Core/ChangeLog trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h Diff Modified: trunk/Source/_javascript_Core/API/JSTypedArray.cpp (291447 => 291448) --- trunk/Source/_javascript_Core/API/JSTypedArray.cpp 2022-03-17 22:55:21 UTC (rev 291447) +++ trunk/Source/_javascript_Core/API/JSTypedArray.cpp 2022-03-17 23:34:16 UTC (rev 291448) @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Dominic Szablewski (domi...@phoboslab.org) - * Copyright (C) 2016 Apple Inc. All rights reserved. + * Copyright (C) 2016-2022 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -36,6 +36,10 @@ #include "TypedArrayController.h" #include +#if PLATFORM(IOS) +#include +#endif + using namespace JSC; // Helper functions. 
@@ -361,6 +365,18 @@ return nullptr; } +#if PLATFORM(IOS) +inline static bool isBleecherReport() +{ +auto bundleID = CFBundleGetIdentifier(CFBundleGetMainBundle()); +return bundleID +&& CFEqual(bundleID, CFSTR("com.bleacherreport.TeamStream")) +&& !linkedOnOrAfter(SDKVersion::FirstWithoutBleecherReportQuirk); +} +#else +inline static bool isBleecherReport() { return false; } +#endif + size_t JSObjectGetArrayBufferByteLength(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*) { JSGlobalObject* globalObject = toJS(ctx); @@ -367,6 +383,14 @@ VM& vm = globalObject->vm(); JSObject* object = toJS(objectRef); +if (!object) { +// For some reason prior to https://bugs.webkit.org/show_bug.cgi?id=235720 Clang would emit code +// to early return if objectRef is 0 but not after. Passing 0 should be invalid API use. +static bool shouldntCrash = isBleecherReport(); +RELEASE_ASSERT(shouldntCrash); +return 0; +} + if (JSArrayBuffer* jsBuffer = jsDynamicCast(vm, object)) return jsBuffer->impl()->byteLength(); Modified: trunk/Source/_javascript_Core/ChangeLog (291447 => 291448) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-17 22:55:21 UTC (rev 291447) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-17 23:34:16 UTC (rev 291448) 
@@ -1,3 +1,22 @@ +2022-03-17 Keith Miller + +Fix crash in Bleacher Report due to bad JSObjectRef passed to API +https://bugs.webkit.org/show_bug.cgi?id=238048 + + +Reviewed by Yusuke Suzuki. + +Prior to the StructureID overhaul the JSObjectGetArrayBufferByteLength would +automatically check if the JSObjectRef passed to that function was null before +short circuiting to the non-typed array return value, 0. While technically valid +since derefencing null is UB, this meant the Clang was covering up this crash. +To fix this I'm adding an app specific workaround for the time being so Bleacher +Report can fix their code to no longer pass this nullptr. + +* API/JSTypedArray.cpp: +(isBleecherReport): +(JSObjectGetArrayBufferByteLength): + 2022-03-17 Mikhail R. Gadelha Unreviewed, non-unified build fix Modified: trunk/Source/WTF/ChangeLog (291447 => 291448) --- trunk/Source/WTF/ChangeLog 2022-03-17 22:55:21 UTC (rev 291447) +++ trunk/Source/WTF/ChangeLog 2022-03-17 23:34:16 UTC (rev 291448) @@ -1,3 +1,13 @@ +2022-03-17 Keith Miller + +Fix crash in Bleacher Report due to bad JSObjectRef passed to API +https://bugs.webkit.org/show_bug.cgi?id=238048 + + +Reviewed by Yusuke Suzuki. + +* wtf/cocoa/RuntimeApplicationChecksCocoa.h: + 2022-03-16 Myles C. Maxfield [WebGPU] Implement first draft of buffer mapping according to the spec Modified: trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h (291447 => 291448) --- trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h 2022-03-17 22:55:21 UTC (rev 291447) +++ trunk/Source/WTF/wtf/cocoa/RuntimeApplica
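Review bot: the helper `isBleecherReport()` and the enumerator `SDKVersion::FirstWithoutBleecherReportQuirk` misspell the app name that the title, the bundle identifier `com.bleacherreport.TeamStream` and the ChangeLog entries all spell "Bleacher"; since the enumerator lands in WTF's `RuntimeApplicationChecksCocoa.h` and will be referenced from other call sites, rename both to `isBleacherReport` / `FirstWithoutBleacherReportQuirk` before landing. On the logic side, for every other app a null `objectRef` now hits `RELEASE_ASSERT(shouldntCrash)` and aborts deliberately; the comment in the hunk says passing 0 is invalid API use, so the public declaration of `JSObjectGetArrayBufferByteLength` should state that the object must be non-null, because callers previously got `0` back by accident of codegen. The `+` ChangeLog lines also carry the typo "derefencing" (dereferencing).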
[webkit-changes] [289718] trunk/Source/JavaScriptCore
Title: [289718] trunk/Source/_javascript_Core Revision 289718 Author keith_mil...@apple.com Date 2022-02-13 12:26:12 -0800 (Sun, 13 Feb 2022) Log Message Add comment on how StructureMemoryManager grows the free list when there are no free blocks. https://bugs.webkit.org/show_bug.cgi?id=236568 Reviewed by Saam Barati. Also, use uint8_t* rather than rely on the fact that `sizeof(MarkedBlock) == 1`. * heap/StructureAlignedMemoryAllocator.cpp: (JSC::StructureMemoryManager::tryMallocStructureBlock): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (289717 => 289718) --- trunk/Source/_javascript_Core/ChangeLog 2022-02-13 20:22:24 UTC (rev 289717) +++ trunk/Source/_javascript_Core/ChangeLog 2022-02-13 20:26:12 UTC (rev 289718) @@ -1,5 +1,17 @@ 2022-02-13 Keith Miller +Add comment on how StructureMemoryManager grows the free list when there are no free blocks. +https://bugs.webkit.org/show_bug.cgi?id=236568 + +Reviewed by Saam Barati. + +Also, use uint8_t* rather than rely on the fact that `sizeof(MarkedBlock) == 1`. + +* heap/StructureAlignedMemoryAllocator.cpp: +(JSC::StructureMemoryManager::tryMallocStructureBlock): + +2022-02-13 Keith Miller + Make StructureMemoryManager alignment assert a RELEASE_ASSERT https://bugs.webkit.org/show_bug.cgi?id=236567 Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (289717 => 289718) --- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-02-13 20:22:24 UTC (rev 289717) +++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-02-13 20:26:12 UTC (rev 289718) 
@@ -96,10 +96,11 @@ RELEASE_ASSERT(m_mappedHeapSize <= structureHeapAddressSize); if (freeIndex * MarkedBlock::blockSize >= m_mappedHeapSize) return nullptr; +// If we can't find a free block then `freeIndex == m_usedBlocks.bitCount()` and this set will grow the bit vector. m_usedBlocks.set(freeIndex); } -MarkedBlock* block = reinterpret_cast(g_jscConfig.startOfStructureHeap) + freeIndex * MarkedBlock::blockSize; +auto* block = reinterpret_cast(g_jscConfig.startOfStructureHeap) + freeIndex * MarkedBlock::blockSize; commitBlock(block); return block; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
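Review bot: the new comment states that in the no-free-block case `freeIndex == m_usedBlocks.bitCount()`, but nothing checks it; an `ASSERT(freeIndex <= m_usedBlocks.bitCount())` immediately above `m_usedBlocks.set(freeIndex)` would turn the comment into something debug builds verify, which matters because a `set()` past the current bit count is exactly the operation that grows the vector. Minor: since the ChangeLog's point is that the arithmetic is now done on `uint8_t*` rather than relying on `sizeof(MarkedBlock) == 1`, spelling `uint8_t* block` out at the declaration instead of `auto*` keeps that byte-arithmetic intent visible to the next reader.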
[webkit-changes] [289717] trunk/Source/JavaScriptCore
Title: [289717] trunk/Source/_javascript_Core Revision 289717 Author keith_mil...@apple.com Date 2022-02-13 12:22:24 -0800 (Sun, 13 Feb 2022) Log Message Make StructureMemoryManager alignment assert a RELEASE_ASSERT https://bugs.webkit.org/show_bug.cgi?id=236567 Reviewed by Saam Barati. Also, check the structure base pointer is non-zero. * heap/StructureAlignedMemoryAllocator.cpp: (JSC::StructureMemoryManager::StructureMemoryManager): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (289716 => 289717) --- trunk/Source/_javascript_Core/ChangeLog 2022-02-13 18:06:27 UTC (rev 289716) +++ trunk/Source/_javascript_Core/ChangeLog 2022-02-13 20:22:24 UTC (rev 289717) @@ -1,3 +1,15 @@ +2022-02-13 Keith Miller + +Make StructureMemoryManager alignment assert a RELEASE_ASSERT +https://bugs.webkit.org/show_bug.cgi?id=236567 + +Reviewed by Saam Barati. + +Also, check the structure base pointer is non-zero. + +* heap/StructureAlignedMemoryAllocator.cpp: +(JSC::StructureMemoryManager::StructureMemoryManager): + 2022-02-12 Adrian Perez de Castro [CMake] REGRESSION(r289611): Debug builds fail linking binaries with ld.lld Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (289716 => 289717) --- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-02-13 18:06:27 UTC (rev 289716) +++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-02-13 20:22:24 UTC (rev 289717) 
@@ -82,7 +82,7 @@ m_mappedHeapSize /= 2; } -ASSERT((g_jscConfig.startOfStructureHeap & ~structureIDMask) == g_jscConfig.startOfStructureHeap); +RELEASE_ASSERT(g_jscConfig.startOfStructureHeap && ((g_jscConfig.startOfStructureHeap & ~structureIDMask) == g_jscConfig.startOfStructureHeap)); } void* tryMallocStructureBlock() ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
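Review bot: the combined `RELEASE_ASSERT(g_jscConfig.startOfStructureHeap && (... & ~structureIDMask) == ...)` folds two different failures into one crash signature: the halving loop above it having exhausted every attempt (null base) and the allocator returning a base that is not aligned to the mask. Splitting it into `RELEASE_ASSERT(g_jscConfig.startOfStructureHeap);` followed by the existing alignment check makes the crash log say which one happened, which is what you want when this fires on a device short of address space. A one-line comment that a null base is now a deliberate crash rather than an unchecked path would also help.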
[webkit-changes] [289592] trunk/Source
Title: [289592] trunk/Source Revision 289592 Author keith_mil...@apple.com Date 2022-02-10 16:20:21 -0800 (Thu, 10 Feb 2022) Log Message tryReserveUncommittedAligned should explicitly take the alignment requested https://bugs.webkit.org/show_bug.cgi?id=236460 Reviewed by Yusuke Suzuki. Source/_javascript_Core: When reducing the size of VA space reserved for Structures, we didn't take care to ensure the alignment matched the required alignment for our bit mask. To fix this we need to pass the original alignment to the allocator as a new parameter. * heap/StructureAlignedMemoryAllocator.cpp: (JSC::StructureMemoryManager::StructureMemoryManager): Source/WTF: This patch adds a new ifdef for Unix flavors that support the MAP_ALIGNED macro/parameter to mmap. Also, fix a bug where on windows we wouldn't request enough space to guarantee that allocation is aligned. * wtf/OSAllocator.h: * wtf/posix/OSAllocatorPOSIX.cpp: (WTF::OSAllocator::tryReserveUncommittedAligned): * wtf/win/OSAllocatorWin.cpp: (WTF::OSAllocator::tryReserveUncommittedAligned): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/OSAllocator.h trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp trunk/Source/WTF/wtf/win/OSAllocatorWin.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (289591 => 289592) --- trunk/Source/_javascript_Core/ChangeLog 2022-02-10 23:57:17 UTC (rev 289591) +++ trunk/Source/_javascript_Core/ChangeLog 2022-02-11 00:20:21 UTC (rev 289592) 
@@ -1,3 +1,18 @@ +2022-02-10 Keith Miller + +tryReserveUncommittedAligned should explicitly take the alignment requested +https://bugs.webkit.org/show_bug.cgi?id=236460 + +Reviewed by Yusuke Suzuki. + +When reducing the size of VA space reserved for Structures, we +didn't take care to ensure the alignment matched the required +alignment for our bit mask. To fix this we need to pass the +original alignment to the allocator as a new parameter. + +* heap/StructureAlignedMemoryAllocator.cpp: +(JSC::StructureMemoryManager::StructureMemoryManager): + 2022-01-24 Filip Pizlo [libpas] jit_heap should support the segregated heap Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (289591 => 289592) --- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-02-10 23:57:17 UTC (rev 289591) +++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-02-11 00:20:21 UTC (rev 289592) @@ -76,7 +76,7 @@ m_mappedHeapSize = structureHeapAddressSize; for (unsigned i = 0; i < 8; ++i) { -g_jscConfig.startOfStructureHeap = reinterpret_cast(OSAllocator::tryReserveUncommittedAligned(m_mappedHeapSize, OSAllocator::FastMallocPages)); +g_jscConfig.startOfStructureHeap = reinterpret_cast(OSAllocator::tryReserveUncommittedAligned(m_mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages)); if (g_jscConfig.startOfStructureHeap) break; m_mappedHeapSize /= 2; Modified: trunk/Source/WTF/ChangeLog (289591 => 289592) --- trunk/Source/WTF/ChangeLog 2022-02-10 23:57:17 UTC (rev 289591) +++ trunk/Source/WTF/ChangeLog 2022-02-11 00:20:21 UTC (rev 289592) 
@@ -1,3 +1,23 @@ +2022-02-10 Keith Miller + +tryReserveUncommittedAligned should explicitly take the alignment requested +https://bugs.webkit.org/show_bug.cgi?id=236460 + +Reviewed by Yusuke Suzuki. + +This patch adds a new ifdef for Unix flavors that support the +MAP_ALIGNED macro/parameter to mmap. + +Also, fix a bug where on windows we wouldn't request enough +space to guarantee that allocation is aligned. + + +* wtf/OSAllocator.h: +* wtf/posix/OSAllocatorPOSIX.cpp: +(WTF::OSAllocator::tryReserveUncommittedAligned): +* wtf/win/OSAllocatorWin.cpp: +(WTF::OSAllocator::tryReserveUncommittedAligned): + 2022-02-10 Elliott Williams Copy SignedPtr.h in WTF.xcodeproj Modified: trunk/Source/WTF/wtf/OSAllocator.h (289591 => 289592) --- trunk/Source/WTF/wtf/OSAllocator.h 2022-02-10 23:57:17 UTC (rev 289591) +++ trunk/Source/WTF/wtf/OSAllocator.h 2022-02-11 00:20:21 UTC (rev 289592) @@ -39,15 +39,18 @@ JSJITCodePages = VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY, }; -// These methods are symmetric; reserveUncommitted(Aligned) allocates VM in an uncommitted state, +// The requested alignment must be a power of two and greater than the system page size. +// The memory returned by this cannot be released as on Windows there's no guaranteed API to +// get an aligned address and the size + alignment then rounding trick cannot release the unused parts +// due to how the Windows syscalls work. +WTF_EXPORT_PRIVATE static void* tryReserv
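Review bot: the new header comment in `OSAllocator.h` says the alignment "must be a power of two and greater than the system page size"; if an alignment equal to the page size is meant to be legal (the POSIX path already asserts `bytes >= pageSize()`, i.e. page granularity), say "greater than or equal to", and either way assert the power-of-two requirement inside `tryReserveUncommittedAligned` rather than only documenting it. In `StructureAlignedMemoryAllocator.cpp` the loop keeps passing `structureHeapAddressSize` as the alignment while `m_mappedHeapSize` is halved each iteration, which is the intended fix, but a short comment at the call explaining that the alignment is pinned to the mask size rather than the reservation size would stop the next reader from "simplifying" it back to the old behaviour.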
[webkit-changes] [286849] trunk/Source/WTF
Title: [286849] trunk/Source/WTF Revision 286849 Author keith_mil...@apple.com Date 2021-12-10 06:28:35 -0800 (Fri, 10 Dec 2021) Log Message Reduce maximum mmap size for Structure regions to help placate ios https://bugs.webkit.org/show_bug.cgi?id=234091 Reviewed by Saam Barati. Use mach_vm_map since that supports memory alignement so we don't have to map 2x desired address space then free then trim. * wtf/PlatformHave.h: * wtf/posix/OSAllocatorPOSIX.cpp: (WTF::OSAllocator::reserveUncommittedAligned): Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp Diff Modified: trunk/Source/WTF/ChangeLog (286848 => 286849) --- trunk/Source/WTF/ChangeLog 2021-12-10 14:27:04 UTC (rev 286848) +++ trunk/Source/WTF/ChangeLog 2021-12-10 14:28:35 UTC (rev 286849) @@ -1,3 +1,16 @@ +2021-12-10 Keith Miller + +Reduce maximum mmap size for Structure regions to help placate ios +https://bugs.webkit.org/show_bug.cgi?id=234091 + +Reviewed by Saam Barati. + +Use mach_vm_map since that supports memory alignement so we don't have to map 2x desired address space then free then trim. + +* wtf/PlatformHave.h: +* wtf/posix/OSAllocatorPOSIX.cpp: +(WTF::OSAllocator::reserveUncommittedAligned): + 2021-12-10 Antti Koivisto [CSS Container Queries] Basic @container at-rule parsing support Modified: trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp (286848 => 286849) --- trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp 2021-12-10 14:27:04 UTC (rev 286848) +++ trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp 2021-12-10 14:28:35 UTC (rev 286849) @@ -44,6 +44,10 @@ #endif // OS(DARWIN) #endif // ENABLE(JIT_CAGE) +#if OS(DARWIN) +#include +#endif + namespace WTF { void* OSAllocator::reserveUncommitted(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages) 
@@ -73,11 +77,36 @@ return result; } - -// FIXME: Make a smarter version of this for Linux flavors that have aligned mmap. void* OSAllocator::reserveUncommittedAligned(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages) { ASSERT(hasOneBitSet(bytes) && bytes >= pageSize()); + +#if PLATFORM(MAC) || USE(APPLE_INTERNAL_SDK) +UNUSED_PARAM(usage); // Not supported for mach API. +ASSERT_UNUSED(includesGuardPages, !includesGuardPages); +ASSERT_UNUSED(jitCageEnabled, !jitCageEnabled); // Not supported for mach API. +vm_prot_t protections = VM_PROT_READ; +if (writable) +protections |= VM_PROT_WRITE; +if (executable) +protections |= VM_PROT_EXECUTE; + +const vm_inherit_t childProcessInheritance = VM_INHERIT_DEFAULT; +const bool copy = false; +const int flags = VM_FLAGS_ANYWHERE; + +void* aligned = nullptr; +kern_return_t result = mach_vm_map(mach_task_self(), reinterpret_cast(&aligned), bytes, bytes - 1, flags, MEMORY_OBJECT_NULL, 0, copy, protections, protections, childProcessInheritance); +RELEASE_ASSERT(result == KERN_SUCCESS, result, bytes); +#if HAVE(MADV_FREE_REUSE) +if (aligned) { +// To support the "reserve then commit" model, we have to initially decommit. +while (madvise(aligned, bytes, MADV_FREE_REUSABLE) == -1 && errno == EAGAIN) { } +} +#endif + +return aligned; +#else // Double the size so we can ensure enough mapped memory to get an aligned start. size_t mappedSize = bytes * 2; char* mapped = reinterpret_cast(reserveUncommitted(mappedSize, usage, writable, executable, jitCageEnabled, includesGuardPages)); @@ -95,6 +124,7 @@ releaseDecommitted(alignedEnd, rightExtra); return aligned; +#endif } void* OSAllocator::reserveAndCommit(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
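Review bot: the mach path discards `usage` (`UNUSED_PARAM(usage); // Not supported for mach API.`), so reservations made through it lose the VM tag the `Usage` enum exists to carry (the `JSJITCodePages = VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY` entry in `OSAllocator.h` shows the tags are used for memory attribution); mach does let a tag be folded into the `flags` argument via `VM_MAKE_TAG`, so if dropping it is acceptable because this path only serves the Structure heap, the comment should say that rather than "not supported". Minor: `if (aligned)` after `RELEASE_ASSERT(result == KERN_SUCCESS, ...)` can only be false if the kernel reports success with a null address, so either drop the check or comment why it is there.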
[webkit-changes] [286804] trunk/Source/WTF
Title: [286804] trunk/Source/WTF Revision 286804 Author keith_mil...@apple.com Date 2021-12-09 14:56:06 -0800 (Thu, 09 Dec 2021) Log Message Reduce maximum mmap size for Structure regions to help placate ios https://bugs.webkit.org/show_bug.cgi?id=234091 Reviewed by Saam Barati. Use mach_vm_map since that supports memory alignement so we don't have to map 2x desired address space then free then trim. * wtf/PlatformHave.h: * wtf/posix/OSAllocatorPOSIX.cpp: (WTF::OSAllocator::reserveUncommittedAligned): Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp Diff Modified: trunk/Source/WTF/ChangeLog (286803 => 286804) --- trunk/Source/WTF/ChangeLog 2021-12-09 22:47:24 UTC (rev 286803) +++ trunk/Source/WTF/ChangeLog 2021-12-09 22:56:06 UTC (rev 286804) @@ -1,3 +1,16 @@ +2021-12-09 Keith Miller + +Reduce maximum mmap size for Structure regions to help placate ios +https://bugs.webkit.org/show_bug.cgi?id=234091 + +Reviewed by Saam Barati. + +Use mach_vm_map since that supports memory alignement so we don't have to map 2x desired address space then free then trim. + +* wtf/PlatformHave.h: +* wtf/posix/OSAllocatorPOSIX.cpp: +(WTF::OSAllocator::reserveUncommittedAligned): + 2021-12-09 Antti Koivisto Enable :focus-visible pseudo-class by default Modified: trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp (286803 => 286804) --- trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp 2021-12-09 22:47:24 UTC (rev 286803) +++ trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp 2021-12-09 22:56:06 UTC (rev 286804) @@ -38,6 +38,7 @@ #if OS(DARWIN) #define MAP_EXECUTABLE_FOR_JIT MAP_JIT #define MAP_EXECUTABLE_FOR_JIT_WITH_JIT_CAGE MAP_JIT +#include #else // OS(DARWIN) #define MAP_EXECUTABLE_FOR_JIT 0 #define MAP_EXECUTABLE_FOR_JIT_WITH_JIT_CAGE 0 
@@ -73,11 +74,37 @@ return result; } - -// FIXME: Make a smarter version of this for Linux flavors that have aligned mmap. void* OSAllocator::reserveUncommittedAligned(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages) { ASSERT(hasOneBitSet(bytes) && bytes >= pageSize()); + +#if PLATFORM(MAC) || USE(APPLE_INTERNAL_SDK) +UNUSED_PARAM(usage); // Not supported for mach API. +ASSERT_UNUSED(includesGuardPages, !includesGuardPages); +ASSERT_UNUSED(jitCageEnabled, !jitCageEnabled); // Not supported for mach API. +vm_prot_t protections = VM_PROT_READ; +if (writable) +protections |= VM_PROT_WRITE; +if (executable) +protections |= VM_PROT_EXECUTE; + +const vm_inherit_t childProcessInheritance = VM_INHERIT_DEFAULT; + +void* aligned = nullptr; +const bool copy = false; +const int flags = VM_FLAGS_ANYWHERE; + +kern_return_t result = mach_vm_map(mach_task_self(), reinterpret_cast(&aligned), bytes, bytes - 1, flags, MEMORY_OBJECT_NULL, 0, copy, protections, protections, childProcessInheritance); +RELEASE_ASSERT(result == KERN_SUCCESS, result, bytes); +#if HAVE(MADV_FREE_REUSE) +if (aligned) { +// To support the "reserve then commit" model, we have to initially decommit. +while (madvise(aligned, bytes, MADV_FREE_REUSABLE) == -1 && errno == EAGAIN) { } +} +#endif + +return aligned; +#else // Double the size so we can ensure enough mapped memory to get an aligned start. size_t mappedSize = bytes * 2; char* mapped = reinterpret_cast(reserveUncommitted(mappedSize, usage, writable, executable, jitCageEnabled, includesGuardPages)); @@ -95,6 +122,7 @@ releaseDecommitted(alignedEnd, rightExtra); return aligned; +#endif } void* OSAllocator::reserveAndCommit(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
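Review bot: `mach_vm_map(..., bytes, bytes - 1, flags, ...)` uses `bytes - 1` as the alignment mask, which is only correct when `bytes` is a power of two; the guard for that is the debug-only `ASSERT(hasOneBitSet(bytes) && bytes >= pageSize())` at the top of the function, so in release builds a non-power-of-two size would silently produce a wrongly aligned region while `RELEASE_ASSERT(result == KERN_SUCCESS, result, bytes)` still passes. Promote that check to `RELEASE_ASSERT` on the mach path, or derive the mask from an explicit alignment parameter. Note also that a `mach_vm_map` failure (typically address-space exhaustion, the very thing this change is placating on iOS) is turned into a crash; a caller that wants to retry with a smaller region needs a `nullptr` return here instead.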
[webkit-changes] [286580] trunk/Source/JavaScriptCore
Title: [286580] trunk/Source/_javascript_Core Revision 286580 Author keith_mil...@apple.com Date 2021-12-06 17:13:33 -0800 (Mon, 06 Dec 2021) Log Message TypeInfo should be materializable from Structures as a single load. https://bugs.webkit.org/show_bug.cgi?id=233875 Reviewed by Mark Lam. This is mostly just the members of Structure and JSCell so that JSType and InlineTypeFlags are at the end of the JSCell header. * assembler/testmasm.cpp: (JSC::testBranchIfType): (JSC::testBranchIfNotType): * ftl/FTLAbstractHeapRepository.cpp: (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::JSCell): * runtime/Structure.h: (JSC::Structure::typeInfo const): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/testmasm.cpp trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp trunk/Source/_javascript_Core/runtime/JSCell.h trunk/Source/_javascript_Core/runtime/JSCellInlines.h trunk/Source/_javascript_Core/runtime/Structure.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (286579 => 286580) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-07 00:38:11 UTC (rev 286579) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-07 01:13:33 UTC (rev 286580) 
@@ -1,3 +1,24 @@ +2021-12-06 Keith Miller + +TypeInfo should be materializable from Structures as a single load. +https://bugs.webkit.org/show_bug.cgi?id=233875 + +Reviewed by Mark Lam. + +This is mostly just the members of Structure and JSCell so that +JSType and InlineTypeFlags are at the end of the JSCell header. + +* assembler/testmasm.cpp: +(JSC::testBranchIfType): +(JSC::testBranchIfNotType): +* ftl/FTLAbstractHeapRepository.cpp: +(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): +* runtime/JSCell.h: +* runtime/JSCellInlines.h: +(JSC::JSCell::JSCell): +* runtime/Structure.h: +(JSC::Structure::typeInfo const): + 2021-12-06 Mark Lam Remove unneeded virtual allocator methods from Subspace. Modified: trunk/Source/_javascript_Core/assembler/testmasm.cpp (286579 => 286580) --- trunk/Source/_javascript_Core/assembler/testmasm.cpp 2021-12-07 00:38:11 UTC (rev 286579) +++ trunk/Source/_javascript_Core/assembler/testmasm.cpp 2021-12-07 01:13:33 UTC (rev 286580) @@ -5613,6 +5613,7 @@ struct CellLike { uint32_t structureID; uint8_t indexingType; +uint8_t cellState; JSType type; }; CHECK_EQ(JSCell::typeInfoTypeOffset(), OBJECT_OFFSETOF(CellLike, type)); @@ -5647,6 +5648,7 @@ struct CellLike { uint32_t structureID; uint8_t indexingType; +uint8_t cellState; JSType type; }; CHECK_EQ(JSCell::typeInfoTypeOffset(), OBJECT_OFFSETOF(CellLike, type)); Modified: trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp (286579 => 286580) --- trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp 2021-12-07 00:38:11 UTC (rev 286579) +++ trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp 2021-12-07 01:13:33 UTC (rev 286580) 
@@ -78,9 +78,9 @@ // Make sure that our explicit assumptions about the StructureIDBlob match reality. RELEASE_ASSERT(!(JSCell_indexingTypeAndMisc.offset() & (sizeof(int32_t) - 1))); -RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 1 == JSCell_typeInfoType.offset()); -RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 2 == JSCell_typeInfoFlags.offset()); -RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 3 == JSCell_cellState.offset()); +RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 1 == JSCell_cellState.offset()); +RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 2 == JSCell_typeInfoType.offset()); +RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 3 == JSCell_typeInfoFlags.offset()); JSCell_structureID.changeParent(&JSCell_header); JSCell_usefulBytes.changeParent(&JSCell_header); Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (286579 => 286580) --- trunk/Source/_javascript_Core/runtime/JSCell.h 2021-12-07 00:38:11 UTC (rev 286579) +++ trunk/Source/_javascript_Core/runtime/JSCell.h 2021-12-07 01:13:33 UTC (rev 286580) @@ -266,9 +266,9 @@ StructureID m_structureID; IndexingType m_indexingTypeAndMisc; // DO NOT store to this field. Always CAS. +CellState m_cellState; JSType m_type; TypeInfo::InlineTypeFlags m_flags; -CellState m_cellState; }; class JSCellLock : public JSCell { Modified: trunk/Source/_javascript_Core/runtime/JSCellInlines.h (286579 => 286580) --- trunk/Source/_javascript_Core/runtime/JSCellInlines.h 2021-12-07 00:38:11 UTC (rev 286579) +++ trunk/Source/_javascript_Core/runtime/JSCellInlines.h 2021-12-07 01:13:33 UTC (rev 286580) @@ -58,9 +58,9 @@ inline JSCell::JSCell(VM&, Structure* structure) : m_structureID(st
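Review bot: the three `RELEASE_ASSERT`s in `FTLAbstractHeapRepository.cpp` are now the only place that pins the byte order `indexingTypeAndMisc, cellState, type, flags` that the title's single-load `TypeInfo` materialization depends on, and they only execute in FTL-enabled builds; a `static_assert` beside the member declarations in `JSCell.h`, or additional `CHECK_EQ`s in the `testmasm.cpp` `CellLike` structs (which still only compare `typeInfoTypeOffset()`), would catch a future reorder on every configuration. A one-line comment on `m_cellState` saying why it now sits ahead of `m_type` would also help, since the existing "DO NOT store to this field. Always CAS." note on `m_indexingTypeAndMisc` tells a reader the layout is load-bearing without saying how.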
[webkit-changes] [286502] trunk/Source/JavaScriptCore
Title: [286502] trunk/Source/_javascript_Core Revision 286502 Author keith_mil...@apple.com Date 2021-12-03 10:30:11 -0800 (Fri, 03 Dec 2021) Log Message Remove StructureIDBlob https://bugs.webkit.org/show_bug.cgi?id=233723 Reviewed by Yusuke Suzuki. StructureIDBlob isn't very useful now that StructureIDs are just the bottom bits of the pointer on 64 bit platforms. In a follow up patch I'll change the layout of JSCell and Structure so that TypeInfo creation can be a single load platforms that allow (and don't penalize) misaligned loads. * CMakeLists.txt: * _javascript_Core.xcodeproj/project.pbxproj: * ftl/FTLAbstractHeapRepository.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_put_to_scope): * runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::Structure::addNewPropertyTransition): (JSC::Structure::removeNewPropertyTransition): (JSC::Structure::attributeChangeTransition): (JSC::Structure::nonPropertyTransitionSlow): (JSC::Structure::setBrandTransition): * runtime/Structure.h: (JSC::Structure::id const): (JSC::Structure::objectInitializationBlob const): (JSC::Structure::idBlob const): (JSC::Structure::isProxy const): (JSC::Structure::typeInfo const): (JSC::Structure::indexingType const): (JSC::Structure::indexingMode const): (JSC::Structure::fencedIndexingMode): (JSC::Structure::indexingModeIncludingHistory const): (JSC::Structure::indexingModeIncludingHistoryOffset): (JSC::Structure::structureIDOffset): Deleted. * runtime/StructureIDBlob.h: Removed. 
* runtime/StructureInlines.h: (JSC::Structure::hasIndexingHeader const): * tools/VMInspectorInlines.h: (JSC::VMInspector::verifyCellSize): Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/runtime/Structure.cpp trunk/Source/_javascript_Core/runtime/Structure.h trunk/Source/_javascript_Core/runtime/StructureInlines.h trunk/Source/_javascript_Core/tools/VMInspectorInlines.h Removed Paths trunk/Source/_javascript_Core/runtime/StructureIDBlob.h Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (286501 => 286502) --- trunk/Source/_javascript_Core/CMakeLists.txt 2021-12-03 18:29:32 UTC (rev 286501) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2021-12-03 18:30:11 UTC (rev 286502) @@ -1186,7 +1186,6 @@ runtime/StructureCache.h runtime/StructureChain.h runtime/StructureID.h -runtime/StructureIDBlob.h runtime/StructureInlines.h runtime/StructureRareData.h runtime/StructureRareDataInlines.h Modified: trunk/Source/_javascript_Core/ChangeLog (286501 => 286502) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-03 18:29:32 UTC (rev 286501) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-03 18:30:11 UTC (rev 286502) 
@@ -1,3 +1,49 @@ +2021-12-03 Keith Miller + +Remove StructureIDBlob +https://bugs.webkit.org/show_bug.cgi?id=233723 + +Reviewed by Yusuke Suzuki. + +StructureIDBlob isn't very useful now that StructureIDs are just the +bottom bits of the pointer on 64 bit platforms. In a follow up patch +I'll change the layout of JSCell and Structure so that TypeInfo creation +can be a single load platforms that allow (and don't penalize) misaligned loads. + +* CMakeLists.txt: +* _javascript_Core.xcodeproj/project.pbxproj: +* ftl/FTLAbstractHeapRepository.h: +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): +* jit/AssemblyHelpers.h: +(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): +* jit/JITPropertyAccess.cpp: +(JSC::JIT::emit_op_put_to_scope): +* runtime/Structure.cpp: +(JSC::Structure::Structure): +(JSC::Structure::addNewPropertyTransition): +(JSC::Structure::removeNewPropertyTransition): +(JSC::Structure::attributeChangeTransition): +(JSC::Structure::nonPropertyTransitionSlow): +(JSC::Structure::setBrandTransition): +* runtime/Structure.h: +(JSC::Structure::id const): +(JSC::Structure::objectInitializationBlob const): +(JSC::Structure::idBlob const): +(JSC::Structure::isProxy const): +(JSC::Structure::typeInfo const): +(JSC::Structure::indexingType const): +(JSC::Structure::indexingMode const): +(JSC::Structure::fencedIndexingMode): +(JSC::Structure::indexingModeIncludingHistory const): +(JSC::Structure::indexingModeIncludingHistoryOffset): +
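Review bot: the `+` ChangeLog line "can be a single load platforms that allow (and don't penalize) misaligned loads" is missing a word ("a single load on platforms"); fix it in the commit message as well so the rationale for the follow-up layout change reads correctly. The same entry lists `(JSC::Structure::structureIDOffset): Deleted.` under `runtime/Structure.h`; since that offset was what JIT code used to locate the ID, a sentence noting where that lookup now lives would make the change easier to audit.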
[webkit-changes] [286387] trunk/Source/JavaScriptCore
Title: [286387] trunk/Source/_javascript_Core Revision 286387 Author keith_mil...@apple.com Date 2021-12-01 14:24:43 -0800 (Wed, 01 Dec 2021) Log Message Add static_assert the value we use to initialize a StructureID buffer should be 0. https://bugs.webkit.org/show_bug.cgi?id=233720 Reviewed by Yusuke Suzuki. Also, add static assert that the zero we are putting into the buffer matches the default StructureID constructor. * runtime/StructureChain.cpp: (JSC::StructureChain::create): * runtime/StructureID.h: (JSC::StructureID::bits const): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/StructureChain.cpp trunk/Source/_javascript_Core/runtime/StructureID.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (286386 => 286387) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-01 22:02:06 UTC (rev 286386) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-01 22:24:43 UTC (rev 286387) @@ -1,3 +1,18 @@ +2021-12-01 Keith Miller + +Add static_assert the value we use to initialize a StructureID buffer should be 0. +https://bugs.webkit.org/show_bug.cgi?id=233720 + +Reviewed by Yusuke Suzuki. + +Also, add static assert that the zero we are putting into the buffer +matches the default StructureID constructor. + +* runtime/StructureChain.cpp: +(JSC::StructureChain::create): +* runtime/StructureID.h: +(JSC::StructureID::bits const): + 2021-12-01 Yusuke Suzuki Unreviewed, use void* to suppress GCC warning Modified: trunk/Source/_javascript_Core/runtime/StructureChain.cpp (286386 => 286387) --- trunk/Source/_javascript_Core/runtime/StructureChain.cpp 2021-12-01 22:02:06 UTC (rev 286386) +++ trunk/Source/_javascript_Core/runtime/StructureChain.cpp 2021-12-01 22:24:43 UTC (rev 286387) 
@@ -49,6 +49,7 @@ ++size; // Sentinel nullptr. size_t bytes = Checked(size) * sizeof(StructureID); void* vector = vm.jsValueGigacageAuxiliarySpace().allocateNonVirtual(vm, bytes, nullptr, AllocationFailureMode::Assert); +static_assert(!StructureID().bits(), "Make sure the value we're going to memcpy below matches the default StructureID"); memset(vector, 0, bytes); StructureChain* chain = new (NotNull, allocateCell(vm)) StructureChain(vm, vm.structureChainStructure.get(), static_cast(vector)); chain->finishCreation(vm, head); Modified: trunk/Source/_javascript_Core/runtime/StructureID.h (286386 => 286387) --- trunk/Source/_javascript_Core/runtime/StructureID.h 2021-12-01 22:02:06 UTC (rev 286386) +++ trunk/Source/_javascript_Core/runtime/StructureID.h 2021-12-01 22:24:43 UTC (rev 286387) @@ -52,7 +52,7 @@ explicit operator bool() const { return !!m_bits; } bool operator==(StructureID const& other) const { return m_bits == other.m_bits; } bool operator!=(StructureID const& other) const { return m_bits != other.m_bits; } -uint32_t bits() const { return m_bits; } +constexpr uint32_t bits() const { return m_bits; } StructureID(WTF::HashTableDeletedValueType) : m_bits(nukedStructureIDBit) { } bool isHashTableDeletedValue() const { return *this == StructureID(WTF::HashTableDeletedValue); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
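Review bot: the `static_assert` message says "matches the value we're going to memcpy below" but the line it guards is `memset(vector, 0, bytes)`; change the message to say memset so a future reader is not sent looking for a copy. The assertion also requires `StructureID()`'s default constructor to be usable in a constant expression, which this hunk does not show being made `constexpr` (only `bits()` is); if it already is, fine, otherwise the `static_assert` will fail to compile on the first build.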
[webkit-changes] [283903] trunk/Source/JavaScriptCore
Title: [283903] trunk/Source/_javascript_Core Revision 283903 Author keith_mil...@apple.com Date 2021-10-11 09:58:40 -0700 (Mon, 11 Oct 2021) Log Message SourceID should have a type name and only be 32-bits https://bugs.webkit.org/show_bug.cgi?id=231436 Reviewed by Filip Pizlo. This patch gives SourceID a proper type name and shrinks it to 32-bits on 64-bit systems. Shrinking the size makes room on SourceProvider for metadata in a future patch I'm working on. It's also pretty unlikely that any system has more than ~4 billion script tags, evals, wasm modules so shrinking the size is unlikely to cause any debugger/profiling issues. * CMakeLists.txt: * _javascript_Core.xcodeproj/project.pbxproj: * bytecode/TypeLocation.h: * debugger/Debugger.cpp: (JSC::Debugger::toggleBreakpoint): (JSC::Debugger::pauseIfNeeded): * debugger/DebuggerLocation.h: (JSC::DebuggerLocation::DebuggerLocation): * debugger/DebuggerPrimitives.h: * inspector/_javascript_CallFrame.h: (Inspector::_javascript_CallFrame::sourceID const): * inspector/ScriptCallStackFactory.cpp: (Inspector::CreateScriptCallStackFunctor::operator() const): (Inspector::createScriptCallStackFromException): * interpreter/StackVisitor.cpp: (JSC::StackVisitor::Frame::sourceID): * interpreter/StackVisitor.h: * parser/Nodes.h: (JSC::ScopeNode::sourceID const): * parser/SourceCode.h: (JSC::SourceCode::SourceCode): (JSC::SourceCode::firstLine const): (JSC::SourceCode::startColumn const): (JSC::SourceCode::providerID const): (JSC::SourceCode::provider const): (JSC::SourceCode::operator== const): (JSC::SourceCode::operator!= const): (JSC::makeSource): (JSC::SourceCode::subExpression const): * parser/SourceProvider.cpp: (JSC::SourceProvider::getID): * parser/SourceProvider.h: (JSC::SourceProvider::asID): * runtime/ControlFlowProfiler.cpp: (JSC::ControlFlowProfiler::getBasicBlockLocation): (JSC::ControlFlowProfiler::getBasicBlocksForSourceID const): (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted): 
(JSC::ControlFlowProfiler::basicBlockExecutionCountAtTextOffset): * runtime/ControlFlowProfiler.h: * runtime/FunctionHasExecutedCache.cpp: (JSC::FunctionHasExecutedCache::hasExecutedAtOffset): (JSC::FunctionHasExecutedCache::insertUnexecutedRange): (JSC::FunctionHasExecutedCache::removeUnexecutedRange): (JSC::FunctionHasExecutedCache::getFunctionRanges): * runtime/FunctionHasExecutedCache.h: * runtime/SamplingProfiler.cpp: (JSC::SamplingProfiler::StackFrame::sourceID): * runtime/SamplingProfiler.h: * runtime/ScriptExecutable.h: (JSC::ScriptExecutable::sourceID const): * runtime/StackFrame.cpp: (JSC::StackFrame::sourceID const): * runtime/StackFrame.h: * runtime/TypeLocationCache.cpp: (JSC::TypeLocationCache::getTypeLocation): * runtime/TypeLocationCache.h: * runtime/TypeProfiler.cpp: (JSC::TypeProfiler::typeInformationForExpressionAtOffset): (JSC::TypeProfiler::findLocation): * runtime/TypeProfiler.h: (JSC::QueryKey::QueryKey): (JSC::QueryKey::isHashTableDeletedValue const): Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/bytecode/TypeLocation.h trunk/Source/_javascript_Core/debugger/Debugger.cpp trunk/Source/_javascript_Core/debugger/DebuggerLocation.h trunk/Source/_javascript_Core/debugger/DebuggerPrimitives.h trunk/Source/_javascript_Core/inspector/_javascript_CallFrame.h trunk/Source/_javascript_Core/inspector/ScriptCallStackFactory.cpp trunk/Source/_javascript_Core/interpreter/StackVisitor.cpp trunk/Source/_javascript_Core/interpreter/StackVisitor.h trunk/Source/_javascript_Core/parser/Nodes.h trunk/Source/_javascript_Core/parser/SourceCode.h trunk/Source/_javascript_Core/parser/SourceProvider.cpp trunk/Source/_javascript_Core/parser/SourceProvider.h trunk/Source/_javascript_Core/runtime/ControlFlowProfiler.cpp trunk/Source/_javascript_Core/runtime/ControlFlowProfiler.h 
trunk/Source/_javascript_Core/runtime/FunctionHasExecutedCache.cpp trunk/Source/_javascript_Core/runtime/FunctionHasExecutedCache.h trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp trunk/Source/_javascript_Core/runtime/SamplingProfiler.h trunk/Source/_javascript_Core/runtime/ScriptExecutable.h trunk/Source/_javascript_Core/runtime/StackFrame.cpp trunk/Source/_javascript_Core/runtime/StackFrame.h trunk/Source/_javascript_Core/runtime/TypeLocationCache.cpp trunk/Source/_javascript_Core/runtime/TypeLocationCache.h trunk/Source/_javascript_Core/runtime/TypeProfiler.cpp trunk/Source/_javascript_Core/runtime/TypeProfiler.h Added Paths trunk/Source/_javascript_Core/bytecode/SourceID.h Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (283902 => 283903) --- trunk/Source/_javascript_Core/CMakeLists.txt 2021-10-11 16:54:18 UTC (rev 283902) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2021-10-11 16:58:40 UTC (rev 283903) @@ -664,6 +664,7 @@ bytecode/PutByIdFlags.h bytecode/SetPrivateBrandStatus.h
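Review bot: the log message justifies the move to 32 bits by saying no system will see ~4 billion scripts, but it does not say what SourceProvider::getID (listed as modified) does when the counter wraps; a wrapped SourceID would alias an earlier provider in every table keyed on it (Debugger breakpoints, TypeLocationCache, ControlFlowProfiler, SamplingProfiler frames), which is a correctness problem for the debugger rather than a performance one. Please state the wrap behaviour in the ChangeLog and either RELEASE_ASSERT on overflow or document that IDs are never reused.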
[webkit-changes] [281743] trunk/Source/JavaScriptCore
Title: [281743] trunk/Source/_javascript_Core Revision 281743 Author keith_mil...@apple.com Date 2021-08-29 08:14:13 -0700 (Sun, 29 Aug 2021) Log Message Add openFile function to jsc.cpp that links to file backed memory https://bugs.webkit.org/show_bug.cgi?id=229621 Reviewed by Saam Barati. This patch uses fopen directly rather than use WTF::MappedFileData so there were less changes to readline. * jsc.cpp: (computeFilePath): (JSC_DEFINE_HOST_FUNCTION): (JSFileDescriptor::subspaceFor): (JSFileDescriptor::createStructure): (JSFileDescriptor::create): (JSFileDescriptor::finishCreation): (JSFileDescriptor::destroy): (JSFileDescriptor::descriptor const): (JSFileDescriptor::JSFileDescriptor): (JSFileDescriptor::~JSFileDescriptor): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jsc.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (281742 => 281743) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-29 13:52:20 UTC (rev 281742) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-29 15:14:13 UTC (rev 281743) 
@@ -1,3 +1,25 @@ +2021-08-29 Keith Miller + +Add openFile function to jsc.cpp that links to file backed memory +https://bugs.webkit.org/show_bug.cgi?id=229621 + +Reviewed by Saam Barati. + +This patch uses fopen directly rather than use WTF::MappedFileData so there were less changes to +readline. + +* jsc.cpp: +(computeFilePath): +(JSC_DEFINE_HOST_FUNCTION): +(JSFileDescriptor::subspaceFor): +(JSFileDescriptor::createStructure): +(JSFileDescriptor::create): +(JSFileDescriptor::finishCreation): +(JSFileDescriptor::destroy): +(JSFileDescriptor::descriptor const): +(JSFileDescriptor::JSFileDescriptor): +(JSFileDescriptor::~JSFileDescriptor): + 2021-08-29 Joonghun Park Unreviewed. Remove the build warning below since r281615. Modified: trunk/Source/_javascript_Core/jsc.cpp (281742 => 281743) --- trunk/Source/_javascript_Core/jsc.cpp 2021-08-29 13:52:20 UTC (rev 281742) +++ trunk/Source/_javascript_Core/jsc.cpp 2021-08-29 15:14:13 UTC (rev 281743) @@ -295,6 +295,7 @@ static JSC_DECLARE_HOST_FUNCTION(functionLoadString); static JSC_DECLARE_HOST_FUNCTION(functionReadFile); static JSC_DECLARE_HOST_FUNCTION(functionCheckSyntax); +static JSC_DECLARE_HOST_FUNCTION(functionOpenFile); static JSC_DECLARE_HOST_FUNCTION(functionReadline); static JSC_DECLARE_HOST_FUNCTION(functionPreciseTime); static JSC_DECLARE_HOST_FUNCTION(functionNeverInlineFunction); @@ -540,6 +541,7 @@ addFunction(vm, "checkSyntax", functionCheckSyntax, 1); addFunction(vm, "sleepSeconds", functionSleepSeconds, 1); addFunction(vm, "jscStack", functionJSCStack, 1); +addFunction(vm, "openFile", functionOpenFile, 1); addFunction(vm, "readline", functionReadline, 0); addFunction(vm, "preciseTime", functionPreciseTime, 0); addFunction(vm, "neverInlineFunction", functionNeverInlineFunction, 1); 
@@ -1559,30 +1561,42 @@ return JSValue::encode(realm); } -JSC_DEFINE_HOST_FUNCTION(functionLoad, (JSGlobalObject* globalObject, CallFrame* callFrame)) +static URL computeFilePath(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame) { -VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); bool callerRelative = callFrame->argument(1).getString(globalObject) == "caller relative"_s; -RETURN_IF_EXCEPTION(scope, encodedJSValue()); +RETURN_IF_EXCEPTION(scope, URL()); String fileName = callFrame->argument(0).toWTFString(globalObject); -RETURN_IF_EXCEPTION(scope, encodedJSValue()); +RETURN_IF_EXCEPTION(scope, URL()); URL path; if (callerRelative) { path = URL(callFrame->callerSourceOrigin(vm).url(), fileName); -if (!path.isLocalFile()) -return throwVMException(globalObject, scope, createURIError(globalObject, makeString("caller relative URL path is not a local file: ", path.string(; +if (!path.isLocalFile()) { +throwException(globalObject, scope, createURIError(globalObject, makeString("caller relative URL path is not a local file: ", path.string(; +return URL(); +} } else path = absolutePath(fileName); +return path; +} + +JSC_DEFINE_HOST_FUNCTION(functionLoad, (JSGlobalObject* globalObject, CallFrame* callFrame)) +{ +VM& vm = globalObject->vm(); +auto scope = DECLARE_THROW_SCOPE(vm); + +URL path = computeFilePath(vm, globalObject, callFrame); +RETURN_IF_EXCEPTION(scope, encodedJSValue()); + Vector script; if (!fetchScriptFromLocalFileSystem(path.fileSystemPath(), script)) return JSValue::encode(throwException(globalObject, scope, createError(globalObject, "Could not open file."_s))); NakedPtr evaluationException; -JSValue result = evaluate(globalObject, jscSource(script, SourceOrig
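Review bot: computeFilePath only enforces isLocalFile() on the "caller relative" branch; the absolutePath(fileName) branch returns the URL unchecked. That was already true of functionLoad, but the same helper is now factored out for reuse (the ChangeLog lists it next to the new openFile / JSFileDescriptor code, which is cut off in this excerpt), and openFile hands a script a descriptor backed by a file rather than a parsed script, so the two branches should apply the same validation, or the helper should document why the absolute branch needs none. The reworked error path is fine: throwException followed by return URL() is paired with RETURN_IF_EXCEPTION(scope, encodedJSValue()) in functionLoad.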
[webkit-changes] [281565] trunk/Source/JavaScriptCore
Title: [281565] trunk/Source/_javascript_Core Revision 281565 Author keith_mil...@apple.com Date 2021-08-25 10:59:53 -0700 (Wed, 25 Aug 2021) Log Message Add for-in OwnStructureMode optimizations to LLInt https://bugs.webkit.org/show_bug.cgi?id=229038 Reviewed by Saam Barati. This patch adds the optimizations we have for OwnStructureMode in the Baseline to the LLInt. The patch also adds redundant self move (i.e. move a, a) elimination to arm64. Finally, a bunch of the property offset functions are now marked constexpr and return intptr_t rather than size_t as the values can be negative. There's also a minor fix to disable MSVC's signed to unsigned cast warning for LLIntOffsetsExtractor as we don't care about signedness for extracting constants. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_enumerator_get_by_val): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/arm64.rb: * offlineasm/generate_offset_extractor.rb: * runtime/Butterfly.h: (JSC::Butterfly::indexOfPropertyStorage): * runtime/JSObject.h: (JSC::offsetInButterfly): * runtime/PropertyOffset.h: (JSC::checkOffset): (JSC::validateOffset): (JSC::isValidOffset): (JSC::isInlineOffset): (JSC::isOutOfLineOffset): (JSC::offsetInInlineStorage): (JSC::offsetInOutOfLineStorage): (JSC::offsetInRespectiveStorage): (JSC::numberOfOutOfLineSlotsForMaxOffset): (JSC::numberOfSlotsForMaxOffset): (JSC::offsetForPropertyNumber): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/offlineasm/arm64.rb trunk/Source/_javascript_Core/offlineasm/generate_offset_extractor.rb trunk/Source/_javascript_Core/runtime/Butterfly.h trunk/Source/_javascript_Core/runtime/JSObject.h trunk/Source/_javascript_Core/runtime/PropertyOffset.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (281564 => 281565) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-25 17:46:34 UTC (rev 281564) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-25 17:59:53 UTC (rev 281565) 
@@ -1,3 +1,48 @@ +2021-08-25 Keith Miller + +Add for-in OwnStructureMode optimizations to LLInt +https://bugs.webkit.org/show_bug.cgi?id=229038 + +Reviewed by Saam Barati. + +This patch adds the optimizations we have for OwnStructureMode in +the Baseline to the LLInt. The patch also adds redundant self move +(i.e. move a, a) elimination to arm64. Finally, a bunch of the +property offset functions are now marked constexpr and return +intptr_t rather than size_t as the values can be negative. + +There's also a minor fix to disable MSVC's signed to unsigned +cast warning for LLIntOffsetsExtractor as we don't care about +signedness for extracting constants. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): +* jit/JITPropertyAccess.cpp: +(JSC::JIT::emit_op_enumerator_get_by_val): +* llint/LowLevelInterpreter.asm: +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +* offlineasm/arm64.rb: +* offlineasm/generate_offset_extractor.rb: +* runtime/Butterfly.h: +(JSC::Butterfly::indexOfPropertyStorage): +* runtime/JSObject.h: +(JSC::offsetInButterfly): +* runtime/PropertyOffset.h: +(JSC::checkOffset): +(JSC::validateOffset): +(JSC::isValidOffset): +(JSC::isInlineOffset): +(JSC::isOutOfLineOffset): +(JSC::offsetInInlineStorage): +(JSC::offsetInOutOfLineStorage): +(JSC::offsetInRespectiveStorage): +(JSC::numberOfOutOfLineSlotsForMaxOffset): +(JSC::numberOfSlotsForMaxOffset): +(JSC::offsetForPropertyNumber): + 2021-08-25 Commit Queue Unreviewed, reverting r281523. Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281564 => 281565) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-25 17:46:34 UTC (rev 281564) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-25 17:59:53 UTC (rev 281565) 
@@ -13647,7 +13647,7 @@ m_jit.signExtend32ToPtr(scratchGPR, scratchGPR); if (!haveStorage) m_jit.loadPtr(MacroAssembler::Address(baseCellGPR, JSObject::but
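Review bot: this re-lands r281523 (the ChangeLog context directly below the new entry is "Unreviewed, reverting r281523") with a log message identical to the reverted one; add a sentence saying what changed since the revert so the two revisions can be told apart without diffing them. The ChangeLog also credits the FTL part of a for-in OwnStructureMode change to (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq); that looks like prepare-ChangeLog picking up the wrong enclosing function, please correct it.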
[webkit-changes] [281523] trunk/Source/JavaScriptCore
Title: [281523] trunk/Source/_javascript_Core Revision 281523 Author keith_mil...@apple.com Date 2021-08-24 16:04:18 -0700 (Tue, 24 Aug 2021) Log Message Add for-in OwnStructureMode optimizations to LLInt https://bugs.webkit.org/show_bug.cgi?id=229038 Reviewed by Saam Barati. This patch adds the optimizations we have for OwnStructureMode in the Baseline to the LLInt. The patch also adds redundant self move (i.e. move a, a) elimination to arm64. Finally, a bunch of the property offset functions are now marked constexpr and return intptr_t rather than size_t as the values can be negative. There's also a minor fix to disable MSVC's signed to unsigned cast warning for LLIntOffsetsExtractor as we don't care about signedness for extracting constants. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_enumerator_get_by_val): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/arm64.rb: * offlineasm/generate_offset_extractor.rb: * runtime/Butterfly.h: (JSC::Butterfly::indexOfPropertyStorage): * runtime/JSObject.h: (JSC::offsetInButterfly): * runtime/PropertyOffset.h: (JSC::checkOffset): (JSC::validateOffset): (JSC::isValidOffset): (JSC::isInlineOffset): (JSC::isOutOfLineOffset): (JSC::offsetInInlineStorage): (JSC::offsetInOutOfLineStorage): (JSC::offsetInRespectiveStorage): (JSC::numberOfOutOfLineSlotsForMaxOffset): (JSC::numberOfSlotsForMaxOffset): (JSC::offsetForPropertyNumber): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/offlineasm/arm64.rb trunk/Source/_javascript_Core/offlineasm/generate_offset_extractor.rb trunk/Source/_javascript_Core/runtime/Butterfly.h trunk/Source/_javascript_Core/runtime/JSObject.h trunk/Source/_javascript_Core/runtime/PropertyOffset.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (281522 => 281523) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-24 22:58:46 UTC (rev 281522) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-24 23:04:18 UTC (rev 281523) 
@@ -1,3 +1,48 @@ +2021-08-24 Keith Miller + +Add for-in OwnStructureMode optimizations to LLInt +https://bugs.webkit.org/show_bug.cgi?id=229038 + +Reviewed by Saam Barati. + +This patch adds the optimizations we have for OwnStructureMode in +the Baseline to the LLInt. The patch also adds redundant self move +(i.e. move a, a) elimination to arm64. Finally, a bunch of the +property offset functions are now marked constexpr and return +intptr_t rather than size_t as the values can be negative. + +There's also a minor fix to disable MSVC's signed to unsigned +cast warning for LLIntOffsetsExtractor as we don't care about +signedness for extracting constants. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): +* jit/JITPropertyAccess.cpp: +(JSC::JIT::emit_op_enumerator_get_by_val): +* llint/LowLevelInterpreter.asm: +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +* offlineasm/arm64.rb: +* offlineasm/generate_offset_extractor.rb: +* runtime/Butterfly.h: +(JSC::Butterfly::indexOfPropertyStorage): +* runtime/JSObject.h: +(JSC::offsetInButterfly): +* runtime/PropertyOffset.h: +(JSC::checkOffset): +(JSC::validateOffset): +(JSC::isValidOffset): +(JSC::isInlineOffset): +(JSC::isOutOfLineOffset): +(JSC::offsetInInlineStorage): +(JSC::offsetInOutOfLineStorage): +(JSC::offsetInRespectiveStorage): +(JSC::numberOfOutOfLineSlotsForMaxOffset): +(JSC::numberOfSlotsForMaxOffset): +(JSC::offsetForPropertyNumber): + 2021-08-24 Yusuke Suzuki [JSC] Add Intl Enumeration APIs Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281522 => 281523) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-24 22:58:46 UTC (rev 281522) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-24 23:04:18 UTC (rev 281523) 
@@ -13647,7 +13647,7 @@ m_jit.signExtend32ToPtr(scratchGPR, scratchGPR); if (!haveStorage) m_jit.loadPtr(MacroAssembler::Address(baseCellGPR, JSObject::b
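Review bot: the patch silences MSVC's signed-to-unsigned cast warning for LLIntOffsetsExtractor in the same change that switches the PropertyOffset helpers to return intptr_t because offsets can be negative; that warning is the one tool that would flag an offset still being consumed as size_t, and the visible m_jit.signExtend32ToPtr(scratchGPR, scratchGPR) in compileEnumeratorGetByVal shows sign handling matters for these values. Keep the suppression limited to the extractor's translation unit and add a comment that it covers constant extraction only, not the helpers themselves.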
[webkit-changes] [281500] trunk
Title: [281500] trunk Revision 281500 Author keith_mil...@apple.com Date 2021-08-24 10:58:29 -0700 (Tue, 24 Aug 2021) Log Message (r281473) stress/for-in-has-own-property-shouldnt-flush-registers.js failing on Debug https://bugs.webkit.org/show_bug.cgi?id=229448 Reviewed by Mark Lam. JSTests: Fix typo in test name. * stress/for-in-in-by-val-should-flush-registers.js: Renamed from JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js. Source/_javascript_Core: Add missing exception checks. * dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGOperations.cpp Added Paths trunk/JSTests/stress/for-in-in-by-val-should-flush-registers.js Removed Paths trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js Diff Modified: trunk/JSTests/ChangeLog (281499 => 281500) --- trunk/JSTests/ChangeLog 2021-08-24 17:57:38 UTC (rev 281499) +++ trunk/JSTests/ChangeLog 2021-08-24 17:58:29 UTC (rev 281500) @@ -1,3 +1,14 @@ +2021-08-24 Keith Miller + +(r281473) stress/for-in-has-own-property-shouldnt-flush-registers.js failing on Debug +https://bugs.webkit.org/show_bug.cgi?id=229448 + +Reviewed by Mark Lam. + +Fix typo in test name. + +* stress/for-in-in-by-val-should-flush-registers.js: Renamed from JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js. + 2021-08-23 Saam Barati Disable peephole optimizations in the byte code generator after rewriting instructions for for-in Copied: trunk/JSTests/stress/for-in-in-by-val-should-flush-registers.js (from rev 281499, trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js) (0 => 281500) --- trunk/JSTests/stress/for-in-in-by-val-should-flush-registers.js (rev 0) +++ trunk/JSTests/stress/for-in-in-by-val-should-flush-registers.js 2021-08-24 17:58:29 UTC (rev 281500) 
@@ -0,0 +1,13 @@ +const a = [undefined]; +a.toString = ()=>{}; + +function foo() { +for (let x in a) { + x in a; + +x; +} +} + +for (let i=0; i<1; i++) { + foo(); +} Deleted: trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (281499 => 281500) --- trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js 2021-08-24 17:57:38 UTC (rev 281499) +++ trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js 2021-08-24 17:58:29 UTC (rev 281500) @@ -1,13 +0,0 @@ -const a = [undefined]; -a.toString = ()=>{}; - -function foo() { -for (let x in a) { - x in a; - +x; -} -} - -for (let i=0; i<1; i++) { - foo(); -} Modified: trunk/Source/_javascript_Core/ChangeLog (281499 => 281500) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-24 17:57:38 UTC (rev 281499) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-24 17:58:29 UTC (rev 281500) @@ -1,3 +1,15 @@ +2021-08-24 Keith Miller + +(r281473) stress/for-in-has-own-property-shouldnt-flush-registers.js failing on Debug +https://bugs.webkit.org/show_bug.cgi?id=229448 + +Reviewed by Mark Lam. + +Add missing exception checks. + +* dfg/DFGOperations.cpp: +(JSC::DFG::JSC_DEFINE_JIT_OPERATION): + 2021-08-24 Commit Queue Unreviewed, reverting r281321. Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (281499 => 281500) --- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2021-08-24 17:57:38 UTC (rev 281499) +++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2021-08-24 17:58:29 UTC (rev 281500) 
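Review bot: the renamed test for-in-in-by-val-should-flush-registers.js calls foo() exactly once (for (let i=0; i<1; i++)), so unless the stress harness runs it under an eager-compilation variant it never reaches the DFG operation whose exception checks this patch adds; either raise the iteration count or note in the ChangeLog which test configuration reproduced the Debug failure. Also, the bug title names stress/for-in-has-own-property-shouldnt-flush-registers.js while the rename touches for-in-in-by-val-shouldnt-flush-registers.js; if the has-own-property test carries the same "shouldnt" typo, rename it in the same patch.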
@@ -2532,7 +2532,7 @@ JSValue base = JSValue::decode(baseValue); RETURN_IF_EXCEPTION(scope, { }); if (modeNumber == JSPropertyNameEnumerator::IndexedMode && base.isObject()) -return JSValue::encode(jsBoolean(jsCast(base)->hasProperty(globalObject, index))); +RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(jsCast(base)->hasProperty(globalObject, index; JSString* propertyName = jsSecureCast(vm, JSValue::decode(propertyNameValue)); RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(CommonSlowPaths::opInByVal(globalObject, base, propertyName; @@ -2548,7 +2548,7 @@ JSValue base = JSValue::decode(baseValue); RETURN_IF_EXCEPTION(scope, { }); if (modeNumber == JSPropertyNameEnumerator::IndexedMode && base.isObject()) -return JSValue::encode(jsBoolean(jsCast(base)->hasOwnProperty(globalObject, index))); +RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(jsCast(base)->hasOwnProperty(globalObject, index; JSString* propertyName = jsSecureCast(vm, JSValue::decode(propertyNameValue)); auto identifier = propertyName->toIdentifier(globalObject);
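Review bot: RELEASE_AND_RETURN(scope, ...) around hasProperty / hasOwnProperty is the right fix, since either call can run user code (a Proxy trap, a getter on the prototype chain) and throw; the second hunk's trailing context ends at auto identifier = propertyName->toIdentifier(globalObject); which can throw as well (resolving a rope can fail), and no RETURN_IF_EXCEPTION is visible after it in this excerpt, so please confirm one is present before identifier is used.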
[webkit-changes] [281029] trunk
Title: [281029] trunk Revision 281029 Author keith_mil...@apple.com Date 2021-08-13 12:29:04 -0700 (Fri, 13 Aug 2021) Log Message EnumeratorNextUpdatePropertyName always needs to be able to handle IndexedMode https://bugs.webkit.org/show_bug.cgi?id=229087 Reviewed by Filip Pizlo. JSTests: * stress/for-in-own-structure-and-generic-with-late-add-indexed.js: Added. (test): (Foo): Source/_javascript_Core: Right now, this operation incorrectly assumes that EnumeratorNextUpdateIndexAndMode will guarantee the mode matches the seen mode set. But no speculation is guaranteed and adding such a guarantee would require adding checkpoints, which is likely not worth it. Instead, this patch just makes sure we always handle the allocation for IndexedMode. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths trunk/JSTests/stress/for-in-own-structure-and-generic-with-late-add-indexed.js Diff Modified: trunk/JSTests/ChangeLog (281028 => 281029) --- trunk/JSTests/ChangeLog 2021-08-13 19:10:25 UTC (rev 281028) +++ trunk/JSTests/ChangeLog 2021-08-13 19:29:04 UTC (rev 281029) 
@@ -1,3 +1,14 @@ +2021-08-13 Keith Miller + +EnumeratorNextUpdatePropertyName always needs to be able to handle IndexedMode +https://bugs.webkit.org/show_bug.cgi?id=229087 + +Reviewed by Filip Pizlo. + +* stress/for-in-own-structure-and-generic-with-late-add-indexed.js: Added. +(test): +(Foo): + 2021-08-11 Yusuke Suzuki WTFCrash in JSC::Lexer::append8 Added: trunk/JSTests/stress/for-in-own-structure-and-generic-with-late-add-indexed.js (0 => 281029) --- trunk/JSTests/stress/for-in-own-structure-and-generic-with-late-add-indexed.js (rev 0) +++ trunk/JSTests/stress/for-in-own-structure-and-generic-with-late-add-indexed.js 2021-08-13 19:29:04 UTC (rev 281029) @@ -0,0 +1,28 @@ +function test(o) { +let sum = 0; +for (let i in o) +sum += o[i]; +return sum; +} +noInline(test); + +Object.defineProperty(Object.prototype, "foo", { enumerable: true, value: 4 }); + +class Foo extends Array { +b = 1; +} + +let object = new Foo(); +let object2 = new Foo(); +object2.length = 100; +object2.fill(1); + +for (let i = 0; i < 1e5; ++i) { +let sum = test(object); +if (sum !== 5) +throw new Error(sum); +} + +let sum = test(object2); +if (sum !== 105) +throw new Error(sum); Modified: trunk/Source/_javascript_Core/ChangeLog (281028 => 281029) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-13 19:10:25 UTC (rev 281028) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-13 19:29:04 UTC (rev 281029) 
@@ -1,3 +1,20 @@ +2021-08-13 Keith Miller + +EnumeratorNextUpdatePropertyName always needs to be able to handle IndexedMode +https://bugs.webkit.org/show_bug.cgi?id=229087 + +Reviewed by Filip Pizlo. + +Right now, this operation incorrectly assumes that EnumeratorNextUpdateIndexAndMode will guarantee +the mode matches the seen mode set. But no speculation is guaranteed and adding such a guarantee +would require adding checkpoints, which is likely not worth it. Instead, this patch just makes +sure we always handle the allocation for IndexedMode. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + 2021-08-12 Mark Lam Refactor some ARM64EHash code. Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281028 => 281029) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-13 19:10:25 UTC (rev 281028) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-13 19:29:04 UTC (rev 281029) @@ -13591,17 +13591,13 @@ MacroAssembler::JumpList doneCases; MacroAssembler::Jump operationCall; -bool needsOperation = seenModes.contains(JSPropertyNameEnumerator::IndexedMode); +// Make sure we flush on all code paths if we will call the operation. +// Note: we can't omit the operation because we are not guaranteed EnumeratorUpdateIndexAndMode will speculate on the mode. +flushRegisters(); -// Make sure we flush on all code paths if we could call the operation. -if (needsOperation) -flushRegisters(); - if (seenModes.containsAny({ JSPropertyNameEnumerator::OwnStructureMode, JSPropertyNameEnumerator::GenericMode })) { +operationCall = m_jit.branchTest32(MacroAssembler::NonZero, mode, TrustedImm32(JSPropertyNameEnumerator::IndexedMode)); -if (needsOperation) -opera
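Review bot: flushRegisters() is now unconditional in compileEnumeratorNextUpdatePropertyName, and the comment above it explains why the seenModes profile cannot be trusted for IndexedMode; that is the right call, but the ChangeLog still attributes the FTL side to (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq), which is unlikely to be the function that handles EnumeratorNextUpdatePropertyName. Fix the function name so the entry points reviewers at the real hunk, and consider a one-line note that the unconditional flush is a deliberate trade of some register pressure for not needing checkpoints, as the log message argues.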
[webkit-changes] [280858] trunk/Source
Title: [280858] trunk/Source Revision 280858 Author keith_mil...@apple.com Date 2021-08-10 11:17:15 -0700 (Tue, 10 Aug 2021) Log Message CallFrame::returnPC should untag the return address before passing it to ReturnAddressPtr https://bugs.webkit.org/show_bug.cgi?id=228931 Reviewed by Mark Lam. Source/_javascript_Core: Right now current debugging code expects that the JS return PC on the stack is already unsigned. This is not true on arm64e. This patch now properly unsigns the return PC before passing it to the ReturnAddressPC constructor. * assembler/MacroAssemblerCodeRef.h: (JSC::ReturnAddressPtr::fromTaggedPC): * interpreter/AbstractPC.cpp: (JSC::AbstractPC::AbstractPC): * interpreter/AbstractPC.h: (JSC::AbstractPC::AbstractPC): (JSC::AbstractPC::jitReturnAddress const): * interpreter/CallFrame.h: (JSC::CallFrame::returnPC const): Source/WTF: Add a new helper to untag the return pc from a stack frame. * wtf/PtrTag.h: (WTF::untagReturnPC): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h trunk/Source/_javascript_Core/interpreter/AbstractPC.cpp trunk/Source/_javascript_Core/interpreter/AbstractPC.h trunk/Source/_javascript_Core/interpreter/CallFrame.h trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/PtrTag.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (280857 => 280858) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-10 18:06:55 UTC (rev 280857) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-10 18:17:15 UTC (rev 280858) 
@@ -1,3 +1,25 @@ +2021-08-10 Keith Miller + +CallFrame::returnPC should untag the return address before passing it to ReturnAddressPtr +https://bugs.webkit.org/show_bug.cgi?id=228931 + +Reviewed by Mark Lam. + +Right now current debugging code expects that the JS return PC on +the stack is already unsigned. This is not true on arm64e. +This patch now properly unsigns the return PC before passing it to +the ReturnAddressPC constructor. + +* assembler/MacroAssemblerCodeRef.h: +(JSC::ReturnAddressPtr::fromTaggedPC): +* interpreter/AbstractPC.cpp: +(JSC::AbstractPC::AbstractPC): +* interpreter/AbstractPC.h: +(JSC::AbstractPC::AbstractPC): +(JSC::AbstractPC::jitReturnAddress const): +* interpreter/CallFrame.h: +(JSC::CallFrame::returnPC const): + 2021-08-10 Kimmo Kinnunen Scripts/generate-derived-sources.sh: line 19: [: binary operator expected while building Source/WebKit Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (280857 => 280858) --- trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2021-08-10 18:06:55 UTC (rev 280857) +++ trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2021-08-10 18:17:15 UTC (rev 280858) @@ -243,6 +243,11 @@ ASSERT_VALID_CODE_POINTER(m_value); } +static ReturnAddressPtr fromTaggedPC(const void* pc, const void* sp) +{ +return ReturnAddressPtr(untagReturnPC(pc, sp)); +} + const void* value() const { return m_value; Modified: trunk/Source/_javascript_Core/interpreter/AbstractPC.cpp (280857 => 280858) --- trunk/Source/_javascript_Core/interpreter/AbstractPC.cpp 2021-08-10 18:06:55 UTC (rev 280857) +++ trunk/Source/_javascript_Core/interpreter/AbstractPC.cpp 2021-08-10 18:17:15 UTC (rev 280858) 
@@ -38,7 +38,7 @@ #if ENABLE(JIT) if (Options::useJIT()) { -m_pointer = callFrame->returnPC().value(); +m_pointer = callFrame->returnPC(); m_mode = JIT; return; } Modified: trunk/Source/_javascript_Core/interpreter/AbstractPC.h (280857 => 280858) --- trunk/Source/_javascript_Core/interpreter/AbstractPC.h 2021-08-10 18:06:55 UTC (rev 280857) +++ trunk/Source/_javascript_Core/interpreter/AbstractPC.h 2021-08-10 18:17:15 UTC (rev 280858) @@ -44,10 +44,9 @@ #if ENABLE(JIT) AbstractPC(ReturnAddressPtr ptr) -: m_pointer(ptr.value()) +: m_pointer(ptr) , m_mode(JIT) { -assertIsTaggedWith(m_pointer); } bool hasJITReturnAddress() const { return m_mode == JIT; } @@ -54,7 +53,7 @@ ReturnAddressPtr jitReturnAddress() const { ASSERT(hasJITReturnAddress()); -return ReturnAddressPtr(m_pointer); +return m_pointer; } #endif @@ -63,7 +62,7 @@ private: #if ENABLE(JIT) -const void* m_pointer { nullptr }; +ReturnAddressPtr m_pointer; #endif enum Mode { None, JIT, Interpreter }; Modified: trunk/Source/_javascript_Core/interpreter/CallFrame.h (280857 => 280858) --- trunk/Source/_javascript_Core/interpreter/CallFrame.h 2021-08-10 18:06:55 UTC (rev 280857) +++ trunk/Source/_javascript_Core/interpreter/CallFrame.h 2021-08-10 18:17:15 UTC (rev 280858) @@ -149,7 +149,7 @@ static ptrdiff_t callerFrameOffset() { return OBJECT_OFFSETOF(CallerFrameAnd
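Review bot: ReturnAddressPtr::fromTaggedPC(pc, sp) authenticates a PAC-signed return address against a caller-supplied sp, so it is only correct if the caller passes the exact stack pointer the address was signed with; nothing in the hunk says so, and AbstractPC now drops its assertIsTaggedWith(m_pointer) check when it stores the ReturnAddressPtr. The ReturnAddressPtr constructor's ASSERT_VALID_CODE_POINTER(m_value) still runs on the untagged value, which covers debug builds, but please document the sp contract on fromTaggedPC and confirm untagReturnPC in WTF/wtf/PtrTag.h (not shown here) authenticates rather than strips the signature, so a corrupted or forged return address on the JS stack faults instead of being reported as a plausible PC by the debugging code this patch serves.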
[webkit-changes] [280799] trunk/Source/JavaScriptCore
Title: [280799] trunk/Source/_javascript_Core Revision 280799 Author keith_mil...@apple.com Date 2021-08-09 14:38:38 -0700 (Mon, 09 Aug 2021) Log Message Revert bad assert about the number of upsilons going into a phi https://bugs.webkit.org/show_bug.cgi?id=228922 Reviewed by Yusuke Suzuki. This assert was invalid because we sometimes emit unreachable phis that don't have any incoming upsilons. Specifically for MultiGetByOffset. * ftl/FTLOutput.h: (JSC::FTL::Output::phi): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLOutput.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (280798 => 280799) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-09 21:24:50 UTC (rev 280798) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-09 21:38:38 UTC (rev 280799) @@ -1,3 +1,16 @@ +2021-08-09 Keith Miller + +Revert bad assert about the number of upsilons going into a phi +https://bugs.webkit.org/show_bug.cgi?id=228922 + +Reviewed by Yusuke Suzuki. + +This assert was invalid because we sometimes emit unreachable phis +that don't have any incoming upsilons. Specifically for MultiGetByOffset. + +* ftl/FTLOutput.h: +(JSC::FTL::Output::phi): + 2021-08-09 Michael Catanzaro Adding missing REFERENCED_FROM_ASM annotations to facilitate LTO Modified: trunk/Source/_javascript_Core/ftl/FTLOutput.h (280798 => 280799) --- trunk/Source/_javascript_Core/ftl/FTLOutput.h 2021-08-09 21:24:50 UTC (rev 280798) +++ trunk/Source/_javascript_Core/ftl/FTLOutput.h 2021-08-09 21:38:38 UTC (rev 280799) @@ -482,7 +482,6 @@ template inline LValue Output::phi(LType type, const VectorType& vector) { -ASSERT(vector.size()); LValue phiNode = phi(type); for (const ValueFromBlock& valueFromBlock : vector) addIncomingToPhi(phiNode, valueFromBlock); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
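Review bot: with `ASSERT(vector.size());` removed in the FTLOutput.h hunk, `Output::phi(LType, const VectorType&)` now silently accepts an empty incoming list and produces a phi with no upsilons; the reason this is legal (unreachable phis emitted for MultiGetByOffset, per the ChangeLog hunk) lives only in the log, so add a one-line comment at the removal site, e.g. `// vector may be empty: unreachable phis (MultiGetByOffset) have no incoming upsilons.`, otherwise the assert is likely to be reintroduced the next time someone tightens this function.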
[webkit-changes] [280191] trunk/Source/JavaScriptCore
Title: [280191] trunk/Source/_javascript_Core Revision 280191 Author keith_mil...@apple.com Date 2021-07-22 12:12:21 -0700 (Thu, 22 Jul 2021) Log Message useProfiler option should automatically disable concurrent JIT https://bugs.webkit.org/show_bug.cgi?id=228152 Reviewed by Saam Barati. The bytecode profiler is not thread safe so we should have recomputeDependentOptions() disable concurrent JIT. Also, fix the jsc CLI to set the useProfiler option rather than have its own state. Note, we call Options::setOption() rather than setting the Options::useProfiler() option directly as setOption calls recomputeDependentOptions() for us. * jsc.cpp: (CommandLine::parseArguments): (runJSC): * runtime/Options.cpp: (JSC::Options::recomputeDependentOptions): (JSC::Options::ensureOptionsAreCoherent): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jsc.cpp trunk/Source/_javascript_Core/runtime/Options.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (280190 => 280191) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-22 19:00:36 UTC (rev 280190) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-22 19:12:21 UTC (rev 280191) 
@@ -1,3 +1,24 @@ +2021-07-22 Keith Miller + +useProfiler option should automatically disable concurrent JIT +https://bugs.webkit.org/show_bug.cgi?id=228152 + +Reviewed by Saam Barati. + +The bytecode profiler is not thread safe so we should have +recomputeDependentOptions() disable concurrent JIT. Also, fix the +jsc CLI to set the useProfiler option rather than have its own +state. Note, we call Options::setOption() rather than setting the +Options::useProfiler() option directly as setOption calls +recomputeDependentOptions() for us. + +* jsc.cpp: +(CommandLine::parseArguments): +(runJSC): +* runtime/Options.cpp: +(JSC::Options::recomputeDependentOptions): +(JSC::Options::ensureOptionsAreCoherent): + 2021-07-21 Yijia Huang Fix type check error in testb3 Modified: trunk/Source/_javascript_Core/jsc.cpp (280190 => 280191) --- trunk/Source/_javascript_Core/jsc.cpp 2021-07-22 19:00:36 UTC (rev 280190) +++ trunk/Source/_javascript_Core/jsc.cpp 2021-07-22 19:12:21 UTC (rev 280191) @@ -429,7 +429,6 @@ bool m_module { false }; bool m_exitCode { false }; bool m_destroyVM { false }; -bool m_profile { false }; bool m_treatWatchdogExceptionAsSuccess { false }; bool m_alwaysDumpUncaughtException { false }; bool m_dumpMemoryFootprint { false }; @@ -3265,7 +3264,7 @@ if (!strcmp(arg, "-p")) { if (++i == argc) printUsageStatement(); -m_profile = true; +Options::setOption("useProfiler=1"); m_profilerOutput = argv[i]; continue; } @@ -3454,9 +3453,6 @@ JSLockHolder locker(vm); startTimeoutThreadIfNeeded(vm); -if (options.m_profile && !vm.m_perBytecodeProfiler) -vm.m_perBytecodeProfiler = makeUnique(vm); - globalObject = GlobalObject::create(vm, GlobalObject::createStructure(vm, jsNull()), options.m_arguments); globalObject->setRemoteDebuggingEnabled(options.m_enableRemoteDebugging); func(vm, globalObject, success); 
@@ -3478,7 +3474,7 @@ printf("\n"); } -if (options.m_profile) { +if (Options::useProfiler()) { JSLockHolder locker(vm); if (!vm.m_perBytecodeProfiler->save(options.m_profilerOutput.utf8().data())) fprintf(stderr, "could not save profiler output.\n"); Modified: trunk/Source/_javascript_Core/runtime/Options.cpp (280190 => 280191) --- trunk/Source/_javascript_Core/runtime/Options.cpp 2021-07-22 19:00:36 UTC (rev 280190) +++ trunk/Source/_javascript_Core/runtime/Options.cpp 2021-07-22 19:12:21 UTC (rev 280191) @@ -508,6 +508,9 @@ Options::useConcurrentJIT() = false; } +if (Options::useProfiler()) +Options::useConcurrentJIT() = false; + if (Options::alwaysUseShadowChicken()) Options::maximumInliningDepth() = 1; @@ -1037,6 +1040,10 @@ coherent = false; dataLog("INCOHERENT OPTIONS: at least one of useWasmLLInt or useBBQJIT must be true\n"); } +if (useProfiler() && useConcurrentJIT()) { +coherent = false; +dataLogLn("Bytecode profiler is not concurrent JIT safe."); +} if (!coherent) CRASH(); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
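Review bot: in the jsc.cpp `-p` hunk (@@ -3265) the result of `Options::setOption("useProfiler=1")` is discarded; `setOption` reports whether it parsed and applied the option, and if that ever fails `m_profilerOutput` is still recorded while `Options::useProfiler()` stays false, so the profiler is silently off and the requested output file is never written. Either assert on the result or fall through to `printUsageStatement()` like the surrounding argument handling does.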
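Review bot: the @@ -3454 hunk removes the `makeUnique` of `vm.m_perBytecodeProfiler` in `runJSC`, but the @@ -3478 hunk still calls `vm.m_perBytecodeProfiler->save(...)` unguarded under `if (Options::useProfiler())`; the patch now depends on VM construction creating the profiler whenever `useProfiler` is set, which holds because `-p` calls `setOption` during argument parsing before the VM exists, but an `ASSERT(vm.m_perBytecodeProfiler)` beside the `save` call would state that dependency and catch a future reordering of option parsing and VM creation.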
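Review bot: in the Options.cpp `ensureOptionsAreCoherent` hunk the new message is `dataLogLn("Bytecode profiler is not concurrent JIT safe.")` while the adjacent check logs `dataLog("INCOHERENT OPTIONS: ...\n")`; keep the `INCOHERENT OPTIONS:` prefix so the profiler case is greppable with the others. Note also that `recomputeDependentOptions` (the @@ -508 hunk) already forces `useConcurrentJIT() = false` when `useProfiler()` is set, so this check only fires if something assigns `useConcurrentJIT()` directly afterwards, which is worth saying in a comment next to it.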
[webkit-changes] [280149] trunk/Source/JavaScriptCore
Title: [280149] trunk/Source/_javascript_Core Revision 280149 Author keith_mil...@apple.com Date 2021-07-21 10:48:56 -0700 (Wed, 21 Jul 2021) Log Message speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType branch https://bugs.webkit.org/show_bug.cgi?id=228146 Reviewed by Robin Morisset. Since StringType and HeapBigIntType are adjacent JSTypes we can do an integer range check rather than two separate JSType checks. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (280148 => 280149) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-21 17:24:44 UTC (rev 280148) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-21 17:48:56 UTC (rev 280149) @@ -1,3 +1,19 @@ +2021-07-21 Keith Miller + +speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType branch +https://bugs.webkit.org/show_bug.cgi?id=228146 + +Reviewed by Robin Morisset. + +Since StringType and HeapBigIntType are adjacent JSTypes +we can do an integer range check rather than two separate +JSType checks. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + 2021-07-20 Yijia Huang Add ARM64 EON opcode and select it in AIR Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (280148 => 280149) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-07-21 17:24:44 UTC (rev 280148) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-07-21 17:48:56 UTC (rev 280149) 
@@ -11788,8 +11788,8 @@ if (mayNotBeCell) done.append(m_jit.branchIfNotCell(regs)); -DFG_TYPE_CHECK(regs, edge, ~SpecString, m_jit.branchIfString(regs.payloadGPR())); -DFG_TYPE_CHECK(regs, edge, ~SpecHeapBigInt, m_jit.branchIfHeapBigInt(regs.payloadGPR())); +static_assert(StringType + 1 == HeapBigIntType); +DFG_TYPE_CHECK(regs, edge, ~(SpecString | SpecHeapBigInt), m_jit.branchIfType(regs.payloadGPR(), JSTypeRange { StringType, HeapBigIntType })); if (mayBeInt32 || mayNotBeCell) done.link(&m_jit); Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (280148 => 280149) --- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-07-21 17:24:44 UTC (rev 280148) +++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-07-21 17:48:56 UTC (rev 280149) @@ -18665,8 +18665,9 @@ m_out.branch(isCell(value, provenType(edge)), unsure(isCellBlock), unsure(continuation)); m_out.appendTo(isCellBlock, continuation); -FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecString, isString(value)); -FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecHeapBigInt, isHeapBigInt(value)); + +static_assert(StringType + 1 == HeapBigIntType); +FTL_TYPE_CHECK(jsValueValue(value), edge, ~(SpecString | SpecHeapBigInt), isType(value, JSTypeRange { StringType, HeapBigIntType })); m_out.jump(continuation); m_out.appendTo(continuation, lastNext); 
@@ -19007,11 +19008,23 @@ m_out.constInt32(MasqueradesAsUndefined | OverridesGetCallData)); } +LValue isType(LValue cell, JSTypeRange range) +{ +if (range.last == range.first) { +return m_out.equal( +m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType), +m_out.constInt32(range.first)); +} + +ASSERT(range.last > range.first); +return m_out.belowOrEqual( +m_out.sub(m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType), m_out.constInt32(range.first)), +m_out.constInt32(range.last - range.first)); +} + LValue isType(LValue cell, JSType type) { -return m_out.equal( -m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType), -m_out.constInt32(type)); +return isType(cell, JSTypeRange { type, type }); } LValue isNotType(LValue cell, JSType type) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
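Review bot: the `isType(LValue cell, JSTypeRange range)` added in the FTLLowerDFGToB3.cpp @@ -19007 hunk relies on `m_out.belowOrEqual` being an unsigned compare: for a type below `range.first` the `m_out.sub(...)` wraps to a large 32-bit value, which is exactly what lets a single comparison enforce both bounds; add a comment saying so, because replacing it with a signed `lessThanOrEqual` would silently accept every type below `range.first`. `ASSERT(range.last > range.first)` is debug-only, so the same comment should state that an inverted range is a caller bug rather than a handled case.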
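Review bot: the FTLLowerDFGToB3.cpp @@ -18665 hunk adds an empty `+` line between `m_out.appendTo(isCellBlock, continuation);` and the `static_assert`, which the matching DFGSpeculativeJIT.cpp hunk does not have; drop it for consistency. The `static_assert(StringType + 1 == HeapBigIntType)` itself is the right guard for the range trick, and repeating it in both files is fine since each check must hold where the range is used.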
[webkit-changes] [279977] trunk/Source/JavaScriptCore
Title: [279977] trunk/Source/_javascript_Core Revision 279977 Author keith_mil...@apple.com Date 2021-07-15 22:02:05 -0700 (Thu, 15 Jul 2021) Log Message Alias JSC graph dumping options https://bugs.webkit.org/show_bug.cgi?id=228015 Reviewed by Yusuke Suzuki. My brain seems to associate the phases with the tier we are compiling in rather than the type of graph we are processing. At this point it's probably easier to just add an alias rather than convince me otherwise. * runtime/OptionsList.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/OptionsList.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (279976 => 279977) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-16 04:10:49 UTC (rev 279976) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-16 05:02:05 UTC (rev 279977) @@ -1,3 +1,16 @@ +2021-07-15 Keith Miller + +Alias JSC graph dumping options +https://bugs.webkit.org/show_bug.cgi?id=228015 + +Reviewed by Yusuke Suzuki. + +My brain seems to associate the phases with the tier we are compiling in +rather than the type of graph we are processing. At this point it's +probably easier to just add an alias rather than convince me otherwise. + +* runtime/OptionsList.h: + 2021-07-15 Yusuke Suzuki [JSC] SamplingProfiler should recognize RegExp execution Modified: trunk/Source/_javascript_Core/runtime/OptionsList.h (279976 => 279977) --- trunk/Source/_javascript_Core/runtime/OptionsList.h 2021-07-16 04:10:49 UTC (rev 279976) +++ trunk/Source/_javascript_Core/runtime/OptionsList.h 2021-07-16 05:02:05 UTC (rev 279977) 
@@ -565,6 +565,10 @@ v(showDisassembly, dumpDisassembly, SameOption) \ v(showDFGDisassembly, dumpDFGDisassembly, SameOption) \ v(showFTLDisassembly, dumpFTLDisassembly, SameOption) \ +v(dumpGraphAtEachDFGFTLPhase, dumpDFGFTLGraphAtEachPhase, SameOption) \ +v(dumpGraphAtEachDFGPhase, dumpDFGGraphAtEachPhase, SameOption) \ +v(dumpGraphAtEachB3Phase, dumpB3GraphAtEachPhase, SameOption) \ +v(dumpGraphAtEachAirPhase, dumpAirGraphAtEachPhase, SameOption) \ v(alwaysDoFullCollection, useGenerationalGC, InvertedOption) \ v(enableOSREntryToDFG, useOSREntryToDFG, SameOption) \ v(enableOSREntryToFTL, useOSREntryToFTL, SameOption) \ ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [279923] trunk/JSTests
Title: [279923] trunk/JSTests Revision 279923 Author keith_mil...@apple.com Date 2021-07-14 15:04:39 -0700 (Wed, 14 Jul 2021) Log Message Unreviewed, test gardening. * stress/bit-op-with-object-returning-int32.js: * stress/bitwise-not-fixup-rules.js: (jscOptions): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/bit-op-with-object-returning-int32.js trunk/JSTests/stress/bitwise-not-fixup-rules.js Diff Modified: trunk/JSTests/ChangeLog (279922 => 279923) --- trunk/JSTests/ChangeLog 2021-07-14 21:18:22 UTC (rev 279922) +++ trunk/JSTests/ChangeLog 2021-07-14 22:04:39 UTC (rev 279923) @@ -1,3 +1,11 @@ +2021-07-14 Keith Miller + +Unreviewed, test gardening. + +* stress/bit-op-with-object-returning-int32.js: +* stress/bitwise-not-fixup-rules.js: +(jscOptions): + 2021-07-14 Mark Lam Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape(). Modified: trunk/JSTests/stress/bit-op-with-object-returning-int32.js (279922 => 279923) --- trunk/JSTests/stress/bit-op-with-object-returning-int32.js 2021-07-14 21:18:22 UTC (rev 279922) +++ trunk/JSTests/stress/bit-op-with-object-returning-int32.js 2021-07-14 22:04:39 UTC (rev 279923) @@ -9,7 +9,7 @@ } noInline(bitAnd); -if (jscOptions().useExecutableAllocationFuzz !== true) { +if (!jscOptions().useExecutableAllocationFuzz) { var o = { valueOf: () => 0b1101 }; Modified: trunk/JSTests/stress/bitwise-not-fixup-rules.js (279922 => 279923) --- trunk/JSTests/stress/bitwise-not-fixup-rules.js 2021-07-14 21:18:22 UTC (rev 279922) +++ trunk/JSTests/stress/bitwise-not-fixup-rules.js 2021-07-14 22:04:39 UTC (rev 279923) @@ -10,7 +10,7 @@ } noInline(foo); -if (jscOptions().useExecutableAllocationFuzz !== true) { +if (!jscOptions().useExecutableAllocationFuzz) { let c = 0; let o = { valueOf: () => { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
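Review bot: both hunks change `jscOptions().useExecutableAllocationFuzz !== true` to `!jscOptions().useExecutableAllocationFuzz`, so the guarded block is now skipped for any truthy value of the option rather than only for the literal `true`; that is the safer direction for a skip guard. The same line lives in two test files and had to be fixed twice, so a shared helper in the test harness would keep them from drifting apart again.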
[webkit-changes] [279916] trunk
Title: [279916] trunk Revision 279916 Author keith_mil...@apple.com Date 2021-07-14 12:58:16 -0700 (Wed, 14 Jul 2021) Log Message Convert small JIT pool tests into executable fuzzing https://bugs.webkit.org/show_bug.cgi?id=226279 Source/_javascript_Core: Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit. Instead of testing such a small pool we should just fuzz each executable allocation that says it can fail. The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command. Reviewed by Michael Saboff. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::numberOfDFGCompiles): * jit/ExecutableAllocationFuzz.cpp: (JSC::doExecutableAllocationFuzzing): * jsc.cpp: (runJSC): Tools: Reviewed by Michael Saboff. Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit. Instead of testing such a small pool we should just fuzz each executable allocation that says it can fail. The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command. 
* Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: * Scripts/run-jsc-stress-tests: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp trunk/Tools/ChangeLog trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/Source/_javascript_Core/ChangeLog (279915 => 279916) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-14 19:15:56 UTC (rev 279915) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-14 19:58:16 UTC (rev 279916) 
@@ -1,3 +1,27 @@ +2021-07-14 Keith Miller + +Convert small JIT pool tests into executable fuzzing +https://bugs.webkit.org/show_bug.cgi?id=226279 + +Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any +actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit. +Instead of testing such a small pool we should just fuzz each executable allocation that says it +can fail. + +The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations +fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked +by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see +flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command. + +Reviewed by Michael Saboff. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::numberOfDFGCompiles): +* jit/ExecutableAllocationFuzz.cpp: +(JSC::doExecutableAllocationFuzzing): +* jsc.cpp: +(runJSC): + 2021-07-14 Mark Lam Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape(). Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (279915 => 279916) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-07-14 19:15:56 UTC (rev 279915) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-07-14 19:58:16 UTC (rev 279916) 
@@ -2481,6 +2481,10 @@ unsigned CodeBlock::numberOfDFGCompiles() { ASSERT(JITCode::isBaselineCode(jitType())); + +// FIXME: We don't really do a good job tracking when a compilation failed because of executable allocation fuzzing. https://bugs.webkit.org/show_bug.cgi?id=226276 +if (Options::useExecutableAllocationFuzz()) +return 100; if (Options::testTheFTL()) { if (m_didFailFTLCompilation) return 100; Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp (279915 => 279916) --- trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp 2021-07-14 19:15:56 UTC (rev 279915) +++ trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp 2021-07-14 19:58:16 UTC (rev 279916) @@ -41,6 +41,8 @@ ExecutableAllocationFuzzResult doExecutableAllocationFuzzing() { +static W
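Review bot: in the CodeBlock.cpp hunk the early `return 100;` under `Options::useExecutableAllocationFuzz()` duplicates the magic value already returned below for `m_didFailFTLCompilation`; the FIXME explains why the early return exists (compile failures caused by fuzzed allocations are not tracked, bug 226276), but 100 means "stop waiting for more compiles" only by convention, so give it a named constant and use it for both returns. The ExecutableAllocationFuzz.cpp hunk is cut off after `+static W` on this page, so nothing can be said about it here.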
[webkit-changes] [279909] trunk/JSTests
Title: [279909] trunk/JSTests Revision 279909 Author keith_mil...@apple.com Date 2021-07-14 08:00:39 -0700 (Wed, 14 Jul 2021) Log Message Fix more tests around fuzzing executable allocations https://bugs.webkit.org/show_bug.cgi?id=226663 Reviewed by Mark Lam. * stress/bit-op-with-object-returning-int32.js: (numberOfDFGCompiles): Deleted. * stress/bitwise-not-fixup-rules.js: (jscOptions): (numberOfDFGCompiles): Deleted. Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/bit-op-with-object-returning-int32.js trunk/JSTests/stress/bitwise-not-fixup-rules.js Diff Modified: trunk/JSTests/ChangeLog (279908 => 279909) --- trunk/JSTests/ChangeLog 2021-07-14 11:55:18 UTC (rev 279908) +++ trunk/JSTests/ChangeLog 2021-07-14 15:00:39 UTC (rev 279909) @@ -1,3 +1,16 @@ +2021-07-14 Keith Miller + +Fix more tests around fuzzing executable allocations +https://bugs.webkit.org/show_bug.cgi?id=226663 + +Reviewed by Mark Lam. + +* stress/bit-op-with-object-returning-int32.js: +(numberOfDFGCompiles): Deleted. +* stress/bitwise-not-fixup-rules.js: +(jscOptions): +(numberOfDFGCompiles): Deleted. + 2021-07-12 Saam Barati Run some tests for fewer iterations to prevent test timeouts Modified: trunk/JSTests/stress/bit-op-with-object-returning-int32.js (279908 => 279909) --- trunk/JSTests/stress/bit-op-with-object-returning-int32.js 2021-07-14 11:55:18 UTC (rev 279908) +++ trunk/JSTests/stress/bit-op-with-object-returning-int32.js 2021-07-14 15:00:39 UTC (rev 279909) @@ -9,8 +9,7 @@ } noInline(bitAnd); -// This can fail if we are fuzzing executable allocation . -if (numberOfDFGCompiles(bitAnd) === 0) { +if (jscOptions().useExecutableAllocationFuzz !== true) { var o = { valueOf: () => 0b1101 }; Modified: trunk/JSTests/stress/bitwise-not-fixup-rules.js (279908 => 279909) --- trunk/JSTests/stress/bitwise-not-fixup-rules.js 2021-07-14 11:55:18 UTC (rev 279908) +++ trunk/JSTests/stress/bitwise-not-fixup-rules.js 2021-07-14 15:00:39 UTC (rev 279909) 
@@ -10,8 +10,7 @@ } noInline(foo); -// This can fail when we are fuzzing executable allocation. -if (!numberOfDFGCompiles(foo)) { +if (jscOptions().useExecutableAllocationFuzz !== true) { let c = 0; let o = { valueOf: () => { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
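Review bot: in both hunks the new guard `jscOptions().useExecutableAllocationFuzz !== true` only skips the block when the option reads back as the boolean `true`; if it were reported as a number or string the block would still run and fail for exactly the reason the deleted comment ("This can fail if we are fuzzing executable allocation") describes, so `!jscOptions().useExecutableAllocationFuzz` is the more robust form. Separately, the removed `numberOfDFGCompiles` check tested what actually happened, whereas the option check tests configuration; that is fine only as long as fuzzing is the sole reason the DFG compile can be missing, which is what the removed comment asserted.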
[webkit-changes] [279740] trunk/Source/JavaScriptCore
Title: [279740] trunk/Source/_javascript_Core Revision 279740 Author keith_mil...@apple.com Date 2021-07-08 11:54:16 -0700 (Thu, 08 Jul 2021) Log Message display-profiler-output should be able to print disassembly for the FTL https://bugs.webkit.org/show_bug.cgi?id=227798 Reviewed by Saam Barati. Right now running JSC with the bytecode profiler will not print disassembly for FTL code. This patch adds this support. In order to get execution counts there is a callback at the transition between each DFG node in the Air disassembler. Since B3 code move parts of DFG nodes to different basic blocks we don't include execution counts in the dump. However, the DFG-only graph printed before the disassembly will still have the counts. * ftl/FTLCompile.cpp: (JSC::FTL::compile): * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLState.cpp: (JSC::FTL::State::dumpDisassembly): * ftl/FTLState.h: (JSC::FTL::State::dumpDisassembly): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLCompile.cpp trunk/Source/_javascript_Core/ftl/FTLLink.cpp trunk/Source/_javascript_Core/ftl/FTLState.cpp trunk/Source/_javascript_Core/ftl/FTLState.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (279739 => 279740) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-08 18:48:12 UTC (rev 279739) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-08 18:54:16 UTC (rev 279740) 
@@ -1,3 +1,27 @@ +2021-07-08 Keith Miller + +display-profiler-output should be able to print disassembly for the FTL +https://bugs.webkit.org/show_bug.cgi?id=227798 + +Reviewed by Saam Barati. + +Right now running JSC with the bytecode profiler will not print +disassembly for FTL code. This patch adds this support. In order to get +execution counts there is a callback at the transition between each +DFG node in the Air disassembler. Since B3 code move parts of +DFG nodes to different basic blocks we don't include execution +counts in the dump. However, the DFG-only graph printed before +the disassembly will still have the counts. + +* ftl/FTLCompile.cpp: +(JSC::FTL::compile): +* ftl/FTLLink.cpp: +(JSC::FTL::link): +* ftl/FTLState.cpp: +(JSC::FTL::State::dumpDisassembly): +* ftl/FTLState.h: +(JSC::FTL::State::dumpDisassembly): + 2021-07-08 Yusuke Suzuki Use JSC::Yarr::flagsString to get string representation of RegExp flags Modified: trunk/Source/_javascript_Core/ftl/FTLCompile.cpp (279739 => 279740) --- trunk/Source/_javascript_Core/ftl/FTLCompile.cpp 2021-07-08 18:48:12 UTC (rev 279739) +++ trunk/Source/_javascript_Core/ftl/FTLCompile.cpp 2021-07-08 18:54:16 UTC (rev 279740) @@ -55,7 +55,7 @@ CodeBlock* codeBlock = graph.m_codeBlock; VM& vm = graph.m_vm; -if (shouldDumpDisassembly()) +if (shouldDumpDisassembly() || vm.m_perBytecodeProfiler) state.proc->code().setDisassembler(makeUnique()); if (!shouldDumpDisassembly() && !Options::asyncDisassembly() && !graph.compilation() && !state.proc->needsPCToOriginMap()) 
@@ -171,79 +171,74 @@ } state.jitCode->common.finalizeCatchEntrypoints(WTFMove(state.graph.m_catchEntrypoints)); -if (B3::Air::Disassembler* disassembler = state.proc->code().disassembler()) { -PrintStream& out = WTF::dataFile(); +if (shouldDumpDisassembly()) +state.dumpDisassembly(WTF::dataFile()); -out.print("Generated ", state.graph.m_plan.mode(), " code for ", CodeBlockWithJITType(state.graph.m_codeBlock, JITType::FTLJIT), ", instructions size = ", state.graph.m_codeBlock->instructionsSize(), ":\n"); +Profiler::Compilation* compilation = graph.compilation(); +if (UNLIKELY(compilation)) { +compilation->addDescription( +Profiler::OriginStack(), +toCString("Generated FTL DFG IR for ", CodeBlockWithJITType(codeBlock, JITType::FTLJIT), ", instructions size = ", graph.m_codeBlock->instructionsSize(), ":\n")); -LinkBuffer& linkBuffer = *state.finalizer->b3CodeLinkBuffer; -B3::Value* currentB3Value = nullptr; -Node* currentDFGNode = nullptr; +graph.ensureSSADominators(); +graph.ensureSSANaturalLoops(); -HashSet printedValues; -HashSet printedNodes; -const char* dfgPrefix = "DFG " ""; -const char* b3Prefix = "b3 " " "; -const char* airPrefix = "Air " " "; -const char* asmPrefix = "asm " ""; +const char* prefix = ""; -auto printDFGNode = [&] (Node* node) { -if (currentDFGNode == node) -return; +DumpContext dumpContext; +StringPrintStream out; +Node* lastNode = nullptr; +for (size_t blockIndex = 0; blockIndex < graph.numBlocks(); ++blockIndex) { +DFG::BasicBlock* block = graph.block(blockIndex); +
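Review bot: the FTLCompile.cpp @@ -55 hunk turns the disassembler on when `vm.m_perBytecodeProfiler` is set, but the very next condition still keys on `graph.compilation()` (`!shouldDumpDisassembly() && !Options::asyncDisassembly() && !graph.compilation() && ...`), and the @@ -171 hunk then reads `graph.compilation()` to decide whether to record the description; two different signals ("a profiler exists on the VM" versus "this graph has a Profiler::Compilation") are used for the same decision in adjacent lines, so pick one predicate (`graph.compilation()` is the per-compilation one and is what the dump actually consumes) to avoid building a disassembler for a compilation that will never read it.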
[webkit-changes] [279520] trunk/Source/JavaScriptCore
Title: [279520] trunk/Source/_javascript_Core Revision 279520 Author keith_mil...@apple.com Date 2021-07-02 15:40:19 -0700 (Fri, 02 Jul 2021) Log Message Add 10 more unified source cpp files for JSC https://bugs.webkit.org/show_bug.cgi?id=227643 Reviewed by Alex Christensen. * _javascript_Core.xcodeproj/project.pbxproj: * Scripts/generate-unified-sources.sh: * UnifiedSources-output.xcfilelist: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Scripts/generate-unified-sources.sh trunk/Source/_javascript_Core/UnifiedSources-output.xcfilelist Diff Modified: trunk/Source/_javascript_Core/ChangeLog (279519 => 279520) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-02 22:33:24 UTC (rev 279519) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-02 22:40:19 UTC (rev 279520) @@ -1,3 +1,14 @@ +2021-07-02 Keith Miller + +Add 10 more unified source cpp files for JSC +https://bugs.webkit.org/show_bug.cgi?id=227643 + +Reviewed by Alex Christensen. + +* _javascript_Core.xcodeproj/project.pbxproj: +* Scripts/generate-unified-sources.sh: +* UnifiedSources-output.xcfilelist: + 2021-07-02 Philippe Normand [GTK] Add new revision variable in pkgconfig file Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (279519 => 279520) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2021-07-02 22:33:24 UTC (rev 279519) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2021-07-02 22:40:19 UTC (rev 279520) 
@@ -1084,6 +1084,16 @@ 5370806B1FE232DF00299E44 /* JSArrayBufferView.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B66BB17B6B5AB00A7AE3F /* JSArrayBufferView.h */; }; 5370B4F61BF26205005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 5370B4F41BF25EA2005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h */; }; 5381B9391E60E97D0090F794 /* WasmFaultSignalHandler.h in Headers */ = {isa = PBXBuildFile; fileRef = 5381B9381E60E97D0090F794 /* WasmFaultSignalHandler.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 538F15E7268FBBB600D601C4 /* UnifiedSource148.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15DD268FBBB300D601C4 /* UnifiedSource148.cpp */; }; + 538F15E8268FBBB600D601C4 /* UnifiedSource151.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15DE268FBBB300D601C4 /* UnifiedSource151.cpp */; }; + 538F15E9268FBBB600D601C4 /* UnifiedSource152.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15DF268FBBB300D601C4 /* UnifiedSource152.cpp */; }; + 538F15EA268FBBB600D601C4 /* UnifiedSource154.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E0268FBBB400D601C4 /* UnifiedSource154.cpp */; }; + 538F15EB268FBBB600D601C4 /* UnifiedSource150.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E1268FBBB400D601C4 /* UnifiedSource150.cpp */; }; + 538F15ED268FBBB600D601C4 /* UnifiedSource153.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E3268FBBB500D601C4 /* UnifiedSource153.cpp */; }; + 538F15EE268FBBB600D601C4 /* UnifiedSource147.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E4268FBBB500D601C4 /* UnifiedSource147.cpp */; }; + 538F15EF268FBBB600D601C4 /* UnifiedSource155.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E5268FBBB500D601C4 /* UnifiedSource155.cpp */; }; + 538F15F0268FBBB600D601C4 /* UnifiedSource149.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E6268FBBB600D601C4 /* UnifiedSource149.cpp */; }; + 538F15F2268FBC7B00D601C4 /* 
UnifiedSource146.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15F1268FBC7B00D601C4 /* UnifiedSource146.cpp */; }; 53917E7B1B7906FA000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = 53917E7A1B7906E4000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h */; }; 539930C822AD3B9A0051CDE2 /* WeakObjectRefConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = 539930C722AD3B9A0051CDE2 /* WeakObjectRefConstructor.h */; }; 539BFBAE22AD3C3A0023F4C0 /* WeakObjectRefPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = 539BFBAD22AD3C3A0023F4C0 /* WeakObjectRefPrototype.h */; }; @@ -3859,6 +3869,16 @@ 5381B9361E60E9660090F794 /* WasmFaultSignalHandler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmFaultSignalHandler.cpp; sourceTree = ""; }; 5381B9381E60E97D0090F794 /* WasmFaultSignalHandler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmFaultSignalHandler.h; sourceTree = ""; }; 5383AA2F1E65E8A100A532FC /* JSWebAssemblyCodeBlock.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSWebAssemblyCodeBlock.cpp; path = js/JSWebAssemblyCodeBlock.cpp; sourceTree
[webkit-changes] [279179] trunk/Source/JavaScriptCore
Title: [279179] trunk/Source/_javascript_Core Revision 279179 Author keith_mil...@apple.com Date 2021-06-23 12:20:02 -0700 (Wed, 23 Jun 2021) Log Message add/removeManagedReference:withOwner: should have autoreleasepools https://bugs.webkit.org/show_bug.cgi?id=227308 Reviewed by Darin Adler. Since these APIs create autoreleased objects as an implementation detail but don't return any to the caller there's no indication such autoreleased objects could be accumulating. Additionally, it's entirely reasonable to call these methods in a loop on a large set of objects, which further exacerbates the problem. * API/JSVirtualMachine.mm: (-[JSVirtualMachine addManagedReference:withOwner:]): (-[JSVirtualMachine removeManagedReference:withOwner:]): Modified Paths trunk/Source/_javascript_Core/API/JSVirtualMachine.mm trunk/Source/_javascript_Core/ChangeLog Diff Modified: trunk/Source/_javascript_Core/API/JSVirtualMachine.mm (279178 => 279179) --- trunk/Source/_javascript_Core/API/JSVirtualMachine.mm 2021-06-23 19:11:59 UTC (rev 279178) +++ trunk/Source/_javascript_Core/API/JSVirtualMachine.mm 2021-06-23 19:20:02 UTC (rev 279179) 
@@ -162,64 +162,68 @@ } - (void)addManagedReference:(id)object withOwner:(id)owner -{ -if ([object isKindOfClass:[JSManagedValue class]]) -[object didAddOwner:owner]; - -object = getInternalObjcObject(object); -owner = getInternalObjcObject(owner); - -if (!object || !owner) -return; - -JSC::JSLockHolder locker(toJS(m_group)); -if ([self isOldExternalObject:owner] && ![self isOldExternalObject:object]) -[self addExternalRememberedObject:owner]; - -Locker externalDataMutexLocker { m_externalDataMutex }; -RetainPtr ownedObjects = [m_externalObjectGraph objectForKey:owner]; -if (!ownedObjects) { -NSPointerFunctionsOptions weakIDOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality; -NSPointerFunctionsOptions integerOptions = NSPointerFunctionsOpaqueMemory | NSPointerFunctionsIntegerPersonality; -ownedObjects = adoptNS([[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1]); +{ +@autoreleasepool { +if ([object isKindOfClass:[JSManagedValue class]]) +[object didAddOwner:owner]; -[m_externalObjectGraph setObject:ownedObjects.get() forKey:owner]; +object = getInternalObjcObject(object); +owner = getInternalObjcObject(owner); + +if (!object || !owner) +return; + +JSC::JSLockHolder locker(toJS(m_group)); +if ([self isOldExternalObject:owner] && ![self isOldExternalObject:object]) +[self addExternalRememberedObject:owner]; + +Locker externalDataMutexLocker { m_externalDataMutex }; +RetainPtr ownedObjects = [m_externalObjectGraph objectForKey:owner]; +if (!ownedObjects) { +NSPointerFunctionsOptions weakIDOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality; +NSPointerFunctionsOptions integerOptions = NSPointerFunctionsOpaqueMemory | NSPointerFunctionsIntegerPersonality; +ownedObjects = adoptNS([[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1]); + +[m_externalObjectGraph setObject:ownedObjects.get() forKey:owner]; +} + +size_t count = 
reinterpret_cast(NSMapGet(ownedObjects.get(), (__bridge void*)object)); +NSMapInsert(ownedObjects.get(), (__bridge void*)object, reinterpret_cast(count + 1)); } - -size_t count = reinterpret_cast(NSMapGet(ownedObjects.get(), (__bridge void*)object)); -NSMapInsert(ownedObjects.get(), (__bridge void*)object, reinterpret_cast(count + 1)); } - (void)removeManagedReference:(id)object withOwner:(id)owner { -if ([object isKindOfClass:[JSManagedValue class]]) -[object didRemoveOwner:owner]; +@autoreleasepool { +if ([object isKindOfClass:[JSManagedValue class]]) +[object didRemoveOwner:owner]; -object = getInternalObjcObject(object); -owner = getInternalObjcObject(owner); - -if (!object || !owner) -return; - -JSC::JSLockHolder locker(toJS(m_group)); - -Locker externalDataMutexLocker { m_externalDataMutex }; -NSMapTable *ownedObjects = [m_externalObjectGraph objectForKey:owner]; -if (!ownedObjects) -return; - -size_t count = reinterpret_cast(NSMapGet(ownedObjects, (__bridge void*)object)); -if (count > 1) { -NSMapInsert(ownedObjects, (__bridge void*)object, reinterpret_cast(count - 1)); -return; -} - -if (count == 1) -NSMapRemove(ownedObjects, (__bridge void*)object); +object = getInternalObjcObject(object); +owner = getInternalObjcObject(owner); -if (![ownedObjects count]) { -[m_externalObjectGraph removeObjectForKey:owner]; -[m_externalRememberedSe
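Review bot: in the addManagedReference hunk the whole body, including `JSC::JSLockHolder locker(toJS(m_group))` and `Locker externalDataMutexLocker { m_externalDataMutex }`, now sits inside the `@autoreleasepool` block, which means the pool is popped only after both lock guards have been destroyed; that is the right order, because a `-dealloc` triggered by the drain that re-enters the VM will not find the JSLock still held by this thread, and a one-line comment saying the ordering is deliberate would stop a later refactor from hoisting the lock scope outside the pool. The hunk is otherwise almost entirely re-indentation, which hides the two real lines (`+@autoreleasepool {` and its closing `}`); noting in the ChangeLog that only the wrapping changed, or reviewing with whitespace ignored, would help. The `reinterpret_cast(NSMapGet(...))` and `reinterpret_cast(count + 1)` casts appear here without their template arguments, which looks like angle brackets stripped by the page rendering rather than a defect in the patch, and the removeManagedReference hunk is cut off at `[m_externalRememberedSe`, so the cleanup of that set cannot be checked on this page.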
[webkit-changes] [278888] trunk/Source/JavaScriptCore
Title: [27] trunk/Source/_javascript_Core Revision 27 Author keith_mil...@apple.com Date 2021-06-15 11:39:27 -0700 (Tue, 15 Jun 2021) Log Message Shouldn't drain the micro task queue when calling out to ObjC https://bugs.webkit.org/show_bug.cgi?id=161942 Unreviewed, relanding r278734. * API/tests/testapi.cpp: (TestAPI::promiseDrainDoesNotEatExceptions): (testCAPIViaCpp): * API/tests/testapi.mm: (testMicrotaskWithFunction): (testObjectiveCAPI): * runtime/JSLock.cpp: (JSC::JSLock::willReleaseLock): * runtime/ObjectPrototype.cpp: (JSC::isPokerBros): * runtime/VM.cpp: (JSC::VM::didExhaustMicrotaskQueue): Modified Paths trunk/Source/_javascript_Core/API/tests/testapi.cpp trunk/Source/_javascript_Core/API/tests/testapi.mm trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSLock.cpp trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp trunk/Source/_javascript_Core/runtime/VM.cpp Diff Modified: trunk/Source/_javascript_Core/API/tests/testapi.cpp (278887 => 27) --- trunk/Source/_javascript_Core/API/tests/testapi.cpp 2021-06-15 18:25:07 UTC (rev 278887) +++ trunk/Source/_javascript_Core/API/tests/testapi.cpp 2021-06-15 18:39:27 UTC (rev 27) @@ -38,6 +38,10 @@ #include #include +#if PLATFORM(COCOA) +#include +#endif + extern "C" void configureJSCForTesting(); extern "C" int testCAPIViaCpp(const char* filter); extern "C" void JSSynchronousGarbageCollectForDebugging(JSContextRef); @@ -147,6 +151,7 @@ void promiseUnhandledRejection(); void promiseUnhandledRejectionFromUnhandledRejectionCallback(); void promiseEarlyHandledRejections(); +void promiseDrainDoesNotEatExceptions(); void topCallFrameAccess(); void markedJSValueArrayAndGC(); void classDefinitionWithJSSubclass(); 
@@ -609,6 +614,28 @@ check(!callbackCalled, "unhandled rejection callback should not be called for asynchronous early-handled rejection"); } +void TestAPI::promiseDrainDoesNotEatExceptions() +{ +#if PLATFORM(COCOA) +bool useLegacyDrain = false; +#if PLATFORM(MAC) +useLegacyDrain = applicationSDKVersion() < DYLD_MACOSX_VERSION_12_00; +#elif PLATFORM(WATCH) +// Don't check, JSC isn't API on watch anyway. +#elif PLATFORM(IOS_FAMILY) +useLegacyDrain = applicationSDKVersion() < DYLD_IOS_VERSION_15_0; +#else +#error "Unsupported Cocoa Platform" +#endif +if (useLegacyDrain) +return; +#endif + +ScriptResult result = callFunction("(function() { Promise.resolve().then(() => { throw 2; }); throw 1; })"); +check(!result, "function should throw an error"); +check(JSValueIsNumber(context, result.error()) && JSValueToNumber(context, result.error(), nullptr) == 1, "exception payload should have been 1"); +} + void TestAPI::topCallFrameAccess() { { @@ -760,6 +787,7 @@ RUN(promiseRejectTrue()); RUN(promiseUnhandledRejection()); RUN(promiseUnhandledRejectionFromUnhandledRejectionCallback()); +RUN(promiseDrainDoesNotEatExceptions()); RUN(promiseEarlyHandledRejections()); RUN(markedJSValueArrayAndGC()); RUN(classDefinitionWithJSSubclass()); @@ -766,10 +794,8 @@ RUN(proxyReturnedWithJSSubclassing()); RUN(testJSObjectSetOnGlobalObjectSubclassDefinition()); -if (tasks.isEmpty()) { -dataLogLn("Filtered all tests: ERROR"); -return 1; -} +if (tasks.isEmpty()) +return 0; Lock lock; Modified: trunk/Source/_javascript_Core/API/tests/testapi.mm (278887 => 27) --- trunk/Source/_javascript_Core/API/tests/testapi.mm 2021-06-15 18:25:07 UTC (rev 278887) +++ trunk/Source/_javascript_Core/API/tests/testapi.mm 2021-06-15 18:39:27 UTC (rev 27) @@ -41,6 +41,11 @@ #import "Regress141809.h" #import + +#if PLATFORM(COCOA) +#import +#endif + #if __has_include() #define HAS_LIBPROC 1 #import 
@@ -2730,6 +2735,40 @@ } } +static void testMicrotaskWithFunction() +{ +@autoreleasepool { +#if PLATFORM(COCOA) +bool useLegacyDrain = false; +#if PLATFORM(MAC) +useLegacyDrain = applicationSDKVersion() < DYLD_MACOSX_VERSION_12_00; +#elif PLATFORM(WATCH) +// Don't check, JSC isn't API on watch anyway. +#elif PLATFORM(IOS_FAMILY) +useLegacyDrain = applicationSDKVersion() < DYLD_IOS_VERSION_15_0; +#else +#error "Unsupported Cocoa Platform" +#endif +if (useLegacyDrain) +return; +#endif + +JSContext *context = [[JSContext alloc] init]; + +JSValue *globalObject = context.globalObject; + +auto block = ^() { +return 1+1; +}; + +[globalObject setValue:block forProperty:@"setTimeout"]; +JSValue *arr = [context evaluateScript:@"var arr = []; (async () => { await 1; arr.push(3); })(); arr.push(1); setTimeout(); arr.push(2); arr;"]; +checkResult(@"arr[0] should be 1", [arr[@0] toInt32] == 1); +checkResult(@"arr[1] should be 2", [arr[@1] toInt32] == 2); +checkResult(@"arr[2] should be 3", [arr[
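Review bot: the `useLegacyDrain` preamble (the `#if PLATFORM(COCOA)` / `applicationSDKVersion() < DYLD_MACOSX_VERSION_12_00` / `DYLD_IOS_VERSION_15_0` ladder) is duplicated verbatim in `TestAPI::promiseDrainDoesNotEatExceptions` in testapi.cpp and in `testMicrotaskWithFunction` in testapi.mm; factor it into one shared helper so the two version thresholds live in one place and cannot drift from the linked-on-or-after check they mirror in `JSLock::willReleaseLock`. The `#elif PLATFORM(WATCH)` branch leaves `useLegacyDrain` at `false` with only a comment; if the intent is that the test simply does not apply there, an explicit early `return` reads more clearly than relying on the default. The log line "Unreviewed, relanding r278734" should also say what differs from the first landing, since the SDK-version gate in both tests is the only visible difference and a reader of the history would otherwise have to diff the two revisions. The testapi.mm hunk is truncated at `[arr[`, so the third `checkResult` cannot be reviewed here.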
[webkit-changes] [278854] trunk/Tools
Title: [278854] trunk/Tools Revision 278854 Author keith_mil...@apple.com Date 2021-06-14 17:54:08 -0700 (Mon, 14 Jun 2021) Log Message run-_javascript_core-tests should print output when a test binary fails by default https://bugs.webkit.org/show_bug.cgi?id=226985 Reviewed by Mark Lam. * Scripts/run-_javascript_core-tests: (runTest): Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/run-_javascript_core-tests Diff Modified: trunk/Tools/ChangeLog (278853 => 278854) --- trunk/Tools/ChangeLog 2021-06-15 00:46:19 UTC (rev 278853) +++ trunk/Tools/ChangeLog 2021-06-15 00:54:08 UTC (rev 278854) @@ -1,3 +1,13 @@ +2021-06-14 Keith Miller + +run-_javascript_core-tests should print output when a test binary fails by default +https://bugs.webkit.org/show_bug.cgi?id=226985 + +Reviewed by Mark Lam. + +* Scripts/run-_javascript_core-tests: +(runTest): + 2021-06-14 Ryan Haddad Bring up an Apple-BigSur-AppleSilicon-Release-Test262-Tests queue Modified: trunk/Tools/Scripts/run-_javascript_core-tests (278853 => 278854) --- trunk/Tools/Scripts/run-_javascript_core-tests 2021-06-15 00:46:19 UTC (rev 278853) +++ trunk/Tools/Scripts/run-_javascript_core-tests 2021-06-15 00:54:08 UTC (rev 278854) @@ -630,13 +630,16 @@ my $lastOptimizeLevel; open(TEST, "-|", "@command 2>&1") or die "Failed to run @command"; +my $testOutput = ""; while ( my $line = ) { -print $line if ($verbose); +$testOutput .= $line; } $testResult = close(TEST) ? 0 : $?; $reportData{$testName} = $testResult ? {actual => "FAIL"} : {actual => "PASS"}; my $exitStatus = exitStatus($testResult); + +print "$testOutput" if ($verbose or $testResult); print "$testName completed with rc=$testResult ($exitStatus)\n\n"; if ($testResult) {
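Review bot: in the `runTest` hunk, `$testOutput .= $line;` buffers the whole output of the test binary and prints it only after `close(TEST)`, so the streaming behaviour of the removed `print $line if ($verbose);` is lost: with `$verbose` a slow or hung test binary now shows nothing until it exits, and if the harness is killed by an outer timeout the buffered output is never printed at all. Suggest printing immediately when verbose and buffering only for the failure case, e.g. `print $line if ($verbose); $testOutput .= $line unless ($verbose);` in the loop and `print $testOutput if ($testResult and !$verbose);` afterwards. `print "$testOutput"` also interpolates for no reason; `print $testOutput` is equivalent. The `while ( my $line = ) {` line has lost its `<TEST>` filehandle in this rendering, which is page extraction rather than the patch. Holding an entire test binary's output in memory is unbounded, so a cap on the buffer (keeping the tail, which is where a crash report lands) would be a cheap guard against a runaway test filling the harness process.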
[webkit-changes] [278734] trunk/Source/JavaScriptCore
Title: [278734] trunk/Source/_javascript_Core Revision 278734 Author keith_mil...@apple.com Date 2021-06-10 14:54:36 -0700 (Thu, 10 Jun 2021) Log Message Shouldn't drain the micro task queue when calling out to ObjC https://bugs.webkit.org/show_bug.cgi?id=161942 Reviewed by Saam Barati. It looks like the issue is that we aren't checking for the presence of dropped locks when deciding to drain microtasks during JSLock::unlock. This meant that when we drop all locks when calling out to API clients we would drain our microtasks at that point. An alternative would be to pass an extra parameter to the unlock function that says not to drain microtasks. I chose not to do that since it seemed a bit less robust. This patch is very likely to break existing API users. So I'm adding a linked on or after check to protect existing Apps. Lastly, change our Poker Bros check to use applicationSDKVersion too so others trying to add a linked on or after check don't use the dyld function directly too. * API/tests/testapi.cpp: (TestAPI::promiseDrainDoesNotEatExceptions): (testCAPIViaCpp): * API/tests/testapi.mm: (testMicrotaskWithFunction): (testObjectiveCAPI): * runtime/JSLock.cpp: (JSC::JSLock::willReleaseLock): * runtime/ObjectPrototype.cpp: (JSC::isPokerBros): * runtime/VM.cpp: (JSC::VM::didExhaustMicrotaskQueue): Modified Paths trunk/Source/_javascript_Core/API/tests/testapi.cpp trunk/Source/_javascript_Core/API/tests/testapi.mm trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSLock.cpp trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp trunk/Source/_javascript_Core/runtime/VM.cpp Diff Modified: trunk/Source/_javascript_Core/API/tests/testapi.cpp (278733 => 278734) --- trunk/Source/_javascript_Core/API/tests/testapi.cpp 2021-06-10 21:19:59 UTC (rev 278733) +++ trunk/Source/_javascript_Core/API/tests/testapi.cpp 2021-06-10 21:54:36 UTC (rev 278734) 
@@ -38,6 +38,10 @@ #include #include +#if PLATFORM(COCOA) +#include +#endif + extern "C" void configureJSCForTesting(); extern "C" int testCAPIViaCpp(const char* filter); extern "C" void JSSynchronousGarbageCollectForDebugging(JSContextRef); @@ -147,6 +151,7 @@ void promiseUnhandledRejection(); void promiseUnhandledRejectionFromUnhandledRejectionCallback(); void promiseEarlyHandledRejections(); +void promiseDrainDoesNotEatExceptions(); void topCallFrameAccess(); void markedJSValueArrayAndGC(); void classDefinitionWithJSSubclass(); @@ -609,6 +614,27 @@ check(!callbackCalled, "unhandled rejection callback should not be called for asynchronous early-handled rejection"); } +void TestAPI::promiseDrainDoesNotEatExceptions() +{ +#if PLATFORM(COCOA) +bool useLegacyDrain = false; +#if PLATFORM(MAC) +useLegacyDrain = applicationSDKVersion() < DYLD_MACOSX_VERSION_12_00; +#elif PLATFORM(WATCH) +// Don't check, JSC isn't API on watch anyway. +#elif PLATFORM(IOS_FAMILY) +useLegacyDrain = applicationSDKVersion() < DYLD_IOS_VERSION_15_0; +#else +#error "Unsupported Cocoa Platform" +#endif +if (useLegacyDrain) +return; +#endif +ScriptResult result = callFunction("(function() { Promise.resolve().then(() => { throw 2; }); throw 1; })"); +check(!result, "function should throw an error"); +check(JSValueIsNumber(context, result.error()) && JSValueToNumber(context, result.error(), nullptr) == 1, "exception payload should have been 1"); +} + void TestAPI::topCallFrameAccess() { { @@ -760,6 +786,7 @@ RUN(promiseRejectTrue()); RUN(promiseUnhandledRejection()); RUN(promiseUnhandledRejectionFromUnhandledRejectionCallback()); +RUN(promiseDrainDoesNotEatExceptions()); RUN(promiseEarlyHandledRejections()); RUN(markedJSValueArrayAndGC()); RUN(classDefinitionWithJSSubclass()); 
@@ -766,10 +793,8 @@ RUN(proxyReturnedWithJSSubclassing()); RUN(testJSObjectSetOnGlobalObjectSubclassDefinition()); -if (tasks.isEmpty()) { -dataLogLn("Filtered all tests: ERROR"); -return 1; -} +if (tasks.isEmpty()) +return 0; Lock lock; Modified: trunk/Source/_javascript_Core/API/tests/testapi.mm (278733 => 278734) --- trunk/Source/_javascript_Core/API/tests/testapi.mm 2021-06-10 21:19:59 UTC (rev 278733) +++ trunk/Source/_javascript_Core/API/tests/testapi.mm 2021-06-10 21:54:36 UTC (rev 278734) @@ -2730,6 +2730,25 @@ } } +static void testMicrotaskWithFunction() +{ +@autoreleasepool { +JSContext *context = [[JSContext alloc] init]; + +JSValue *globalObject = context.globalObject; + +auto block = ^() { +return 1+1; +}; + +[globalObject setValue:block forProperty:@"setTimeout"]; +JSValue *arr = [context evaluateScript:@"var arr = []; (async () => { await 1; arr.push(3); })(); arr.push(1); setTimeout(); arr.push(2); arr;"]; +checkResult(@"arr[0] should be 1", [arr[@0] toInt32] == 1); +
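Review bot: the `@@ -766,10 +793,8 @@` hunk in testapi.cpp changes `if (tasks.isEmpty()) { dataLogLn("Filtered all tests: ERROR"); return 1; }` to `if (tasks.isEmpty()) return 0;`, which is unrelated to the microtask-drain fix and silently turns "the filter matched no tests" from a failure into a pass; if this is needed so the harness can run the C API tests with a filter that matches nothing on a platform where every test is gated, say so in the ChangeLog, otherwise split it out or keep at least the log line so a misconfigured filter is still visible. In `TestAPI::promiseDrainDoesNotEatExceptions`, the script `Promise.resolve().then(() => { throw 2; }); throw 1;` checks only that the synchronous `throw 1` is what `callFunction` reports; nothing asserts what happens to the deferred `throw 2`, so a second check (that it is later surfaced as an unhandled rejection rather than dropped) would pin down that the microtask is deferred, not lost. The testapi.mm hunk is cut off after the first `checkResult`, so the ordering assertions for `arr[1]` and `arr[2]` cannot be reviewed on this page.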
[webkit-changes] [278464] trunk/JSTests
Title: [278464] trunk/JSTests Revision 278464 Author keith_mil...@apple.com Date 2021-06-04 09:08:45 -0700 (Fri, 04 Jun 2021) Log Message Fix tests that fail under executable allocation fuzzing https://bugs.webkit.org/show_bug.cgi?id=226593 Reviewed by Mark Lam. * microbenchmarks/memcpy-wasm-large.js: (typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): (typeof.WebAssembly.string_appeared_here.catch): (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted. * microbenchmarks/memcpy-wasm-medium.js: (typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): (typeof.WebAssembly.string_appeared_here.catch): (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted. * microbenchmarks/memcpy-wasm-small.js: (typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): (typeof.WebAssembly.string_appeared_here.catch): (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted. * microbenchmarks/memcpy-wasm.js: (typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): (typeof.WebAssembly.string_appeared_here.catch): (typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted. * stress/bit-op-with-object-returning-int32.js: (numberOfDFGCompiles): (bitOr): Deleted. (bitXor): Deleted. (bitNot): Deleted. (bitLShift): Deleted. * stress/bitwise-not-fixup-rules.js: (numberOfDFGCompiles): (let.o.valueOf): Deleted. 
Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/microbenchmarks/memcpy-wasm-large.js trunk/JSTests/microbenchmarks/memcpy-wasm-medium.js trunk/JSTests/microbenchmarks/memcpy-wasm-small.js trunk/JSTests/microbenchmarks/memcpy-wasm.js trunk/JSTests/stress/bit-op-with-object-returning-int32.js trunk/JSTests/stress/bitwise-not-fixup-rules.js Diff Modified: trunk/JSTests/ChangeLog (278463 => 278464) --- trunk/JSTests/ChangeLog 2021-06-04 16:04:35 UTC (rev 278463) +++ trunk/JSTests/ChangeLog 2021-06-04 16:08:45 UTC (rev 278464) 
@@ -1,3 +1,36 @@ +2021-06-04 Keith Miller + +Fix tests that fail under executable allocation fuzzing +https://bugs.webkit.org/show_bug.cgi?id=226593 + +Reviewed by Mark Lam. + +* microbenchmarks/memcpy-wasm-large.js: +(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): +(typeof.WebAssembly.string_appeared_here.catch): +(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted. +* microbenchmarks/memcpy-wasm-medium.js: +(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): +(typeof.WebAssembly.string_appeared_here.catch): +(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted. +* microbenchmarks/memcpy-wasm-small.js: +(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): +(typeof.WebAssembly.string_appeared_here.catch): +(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted. +* microbenchmarks/memcpy-wasm.js: +(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): +(typeof.WebAssembly.string_appeared_here.catch): +(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted. +* stress/bit-op-with-object-returning-int32.js: +(numberOfDFGCompiles): +(bitOr): Deleted. +(bitXor): Deleted. +(bitNot): Deleted. +(bitLShift): Deleted. +* stress/bitwise-not-fixup-rules.js: +(numberOfDFGCompiles): +(let.o.valueOf): Deleted. 
+ 2021-06-04 Tadeu Zagallo Optimize Function.prototype.toString Modified: trunk/JSTests/microbenchmarks/memcpy-wasm-large.js (278463 => 278464) --- trunk/JSTests/microbenchmarks/memcpy-wasm-large.js 2021-06-04 16:04:35 UTC (rev 278463) +++ trunk/JSTests/microbenchmarks/memcpy-wasm-large.js 2021-06-04 16:08:45 UTC (rev 278464) @@ -15,21 +15,25 @@ i32[i] = i; } -const $1 = new WebAssembly.Instance(new WebAssembly.Module(new Uint8Array([ -0,97,115,109,1,0,0,0,1,7,1,96,3,127,127,127,0,2,12,1,2,106,115,3,109,101,109,2,1,pages,pages,3,2,1,0,6,1,0,7,13,1,9,100,111,95,109,101,109,99,112,121,0,0,10,57,1,55,1,1,127,65,0,33,3,3,64,2
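Review bot: the ChangeLog hunk's per-function entries such as `(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):` look like the prepare-ChangeLog tool misparsing a top-level `try` block and say nothing about what changed; replace them with a sentence describing the change, which from the `try` / `catch` entries appears to be wrapping `new WebAssembly.Instance(new WebAssembly.Module(new Uint8Array([...])))` in a `try`/`catch` so that a fuzzed executable-allocation failure ends the benchmark cleanly, and state what was done with `numberOfDFGCompiles` in the two stress tests. The ChangeLog should also say what the `catch` does with the error: if it swallows everything, a genuine Wasm compile or validation bug would now pass silently in these microbenchmarks, so the catch should check that the failure is the out-of-executable-memory case (or at least log it) before returning. The memcpy-wasm-large.js hunk is truncated at the start of the module bytes on this page, so the `catch` body itself cannot be reviewed here.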
[webkit-changes] [278366] trunk/Source/JavaScriptCore
Title: [278366] trunk/Source/_javascript_Core Revision 278366 Author keith_mil...@apple.com Date 2021-06-02 11:14:23 -0700 (Wed, 02 Jun 2021) Log Message Add globalObject API set property test https://bugs.webkit.org/show_bug.cgi?id=226542 Reviewed by Alexey Shvayka. * API/tests/testapi.cpp: (TestAPI::testJSObjectSetOnGlobalObjectSubclassDefinition): (testCAPIViaCpp): Modified Paths trunk/Source/_javascript_Core/API/tests/testapi.cpp trunk/Source/_javascript_Core/ChangeLog Diff Modified: trunk/Source/_javascript_Core/API/tests/testapi.cpp (278365 => 278366) --- trunk/Source/_javascript_Core/API/tests/testapi.cpp 2021-06-02 17:40:50 UTC (rev 278365) +++ trunk/Source/_javascript_Core/API/tests/testapi.cpp 2021-06-02 18:14:23 UTC (rev 278366) @@ -151,6 +151,7 @@ void markedJSValueArrayAndGC(); void classDefinitionWithJSSubclass(); void proxyReturnedWithJSSubclassing(); +void testJSObjectSetOnGlobalObjectSubclassDefinition(); int failed() const { return m_failed; } @@ -705,6 +706,22 @@ check(functionReturnsTrue("(function (subclass, Superclass) { return subclass.__proto__ == Superclass.prototype; })", subclass, Superclass), "proxy's prototype should match Superclass.prototype"); } +void TestAPI::testJSObjectSetOnGlobalObjectSubclassDefinition() +{ +JSClassDefinition globalClassDef = kJSClassDefinitionEmpty; +globalClassDef.className = "CustomGlobalClass"; +JSClassRef globalClassRef = JSClassCreate(&globalClassDef); + +JSContextRef context = JSGlobalContextCreate(globalClassRef); +JSObjectRef newObject = JSObjectMake(context, nullptr, nullptr); + +JSObjectRef globalObject = JSContextGetGlobalObject(context); +APIString propertyName("myObject"); +JSObjectSetProperty(context, globalObject, propertyName, newObject, 0, nullptr); + +check(JSEvaluateScript(context, propertyName, globalObject, nullptr, 1, nullptr) == newObject, "Setting a property on a custom global object should set the property"); +} + void configureJSCForTesting() { JSC::Config::configureForTesting(); 
@@ -747,6 +764,7 @@ RUN(markedJSValueArrayAndGC()); RUN(classDefinitionWithJSSubclass()); RUN(proxyReturnedWithJSSubclassing()); +RUN(testJSObjectSetOnGlobalObjectSubclassDefinition()); if (tasks.isEmpty()) { dataLogLn("Filtered all tests: ERROR"); Modified: trunk/Source/_javascript_Core/ChangeLog (278365 => 278366) --- trunk/Source/_javascript_Core/ChangeLog 2021-06-02 17:40:50 UTC (rev 278365) +++ trunk/Source/_javascript_Core/ChangeLog 2021-06-02 18:14:23 UTC (rev 278366) @@ -1,5 +1,17 @@ 2021-06-02 Keith Miller +Add globalObject API set property test +https://bugs.webkit.org/show_bug.cgi?id=226542 + + +Reviewed by Alexey Shvayka. + +* API/tests/testapi.cpp: +(TestAPI::testJSObjectSetOnGlobalObjectSubclassDefinition): +(testCAPIViaCpp): + +2021-06-02 Keith Miller + Convert small JIT pool tests into executable fuzzing https://bugs.webkit.org/show_bug.cgi?id=226279
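Review bot: `TestAPI::testJSObjectSetOnGlobalObjectSubclassDefinition` creates `globalClassRef` with `JSClassCreate(&globalClassDef)` and `context` with `JSGlobalContextCreate(globalClassRef)` but never calls `JSClassRelease(globalClassRef)` or `JSGlobalContextRelease(context)`, so every run of the test leaks a class and a global context and a leak checker on the test binary will flag it; add both releases at the end of the function. `JSObjectSetProperty(context, globalObject, propertyName, newObject, 0, nullptr)` and the `JSEvaluateScript(..., nullptr)` call both discard the exception out-parameter; passing a `JSValueRef exception = nullptr` and checking it stays null would make a throwing put on the custom global class show up as a clear failure rather than as a mismatched return value. In the ChangeLog hunk there is a stray extra blank line between the bug URL and `Reviewed by Alexey Shvayka.`.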
[webkit-changes] [278356] trunk
Title: [278356] trunk Revision 278356 Author keith_mil...@apple.com Date 2021-06-02 09:26:00 -0700 (Wed, 02 Jun 2021) Log Message Convert small JIT pool tests into executable fuzzing https://bugs.webkit.org/show_bug.cgi?id=226279 Source/_javascript_Core: Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit. Instead of testing such a small pool we should just fuzz each executable allocation that says it can fail. The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command. Reviewed by Michael Saboff. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::numberOfDFGCompiles): * jit/ExecutableAllocationFuzz.cpp: (JSC::doExecutableAllocationFuzzing): * jsc.cpp: (runJSC): Tools: Reviewed by Michael Saboff. Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit. Instead of testing such a small pool we should just fuzz each executable allocation that says it can fail. The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command. 
* Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: * Scripts/run-jsc-stress-tests: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp trunk/Source/_javascript_Core/jsc.cpp trunk/Tools/ChangeLog trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/Source/_javascript_Core/ChangeLog (278355 => 278356) --- trunk/Source/_javascript_Core/ChangeLog 2021-06-02 16:21:15 UTC (rev 278355) +++ trunk/Source/_javascript_Core/ChangeLog 2021-06-02 16:26:00 UTC (rev 278356) 
@@ -1,3 +1,27 @@ +2021-06-02 Keith Miller + +Convert small JIT pool tests into executable fuzzing +https://bugs.webkit.org/show_bug.cgi?id=226279 + +Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any +actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit. +Instead of testing such a small pool we should just fuzz each executable allocation that says it +can fail. + +The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations +fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked +by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see +flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command. + +Reviewed by Michael Saboff. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::numberOfDFGCompiles): +* jit/ExecutableAllocationFuzz.cpp: +(JSC::doExecutableAllocationFuzzing): +* jsc.cpp: +(runJSC): + 2021-06-02 Chris Dumez Use Checked aliases instead of Checked Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (278355 => 278356) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-06-02 16:21:15 UTC (rev 278355) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-06-02 16:26:00 UTC (rev 278356) 
@@ -2481,6 +2481,10 @@ unsigned CodeBlock::numberOfDFGCompiles() { ASSERT(JITCode::isBaselineCode(jitType())); + +// FIXME: We don't really do a good job tracking when a compilation failed because of executable allocation fuzzing. https://bugs.webkit.org/show_bug.cgi?id=226276 +if (Options::useExecutableAllocationFuzz()) +return 100; if (Options::testTheFTL()) { if (m_didFailFTLCompilation) return 100; Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp (278355 => 278356) --- trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp 2021-06-02 16:21:15 UTC (rev 278355) +++ trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp 2021-06-02 16:26:00 UTC (rev 278356) @@ -29,6 +29,7 @@ #include "TestRunnerUtils.h" #include #include +#include namespace JSC {
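Review bot: in the `CodeBlock::numberOfDFGCompiles` hunk the early `return 100;` under `Options::useExecutableAllocationFuzz()` repeats the magic number the `testTheFTL` branch below already returns; give it a name so both sites and the tests that compare against it stay in sync, and put the FIXME's bug URL (226276) in the ChangeLog as well, because the net effect of this hunk is that every stress test which gates on `numberOfDFGCompiles()` stops checking anything once fuzzing is enabled, and a reader of the log should learn that without opening the source. The log also describes logging the fuzz seed so a crash on the bots can be reproduced, but the jsc.cpp and run-jsc-stress-tests hunks that would implement it are not on this page, and the ExecutableAllocationFuzz.cpp hunk shows only an added `#include` whose header name has been stripped in this rendering, so the seed handling cannot be reviewed here.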
[webkit-changes] [278041] trunk/Tools
Title: [278041] trunk/Tools Revision 278041 Author keith_mil...@apple.com Date 2021-05-25 13:29:12 -0700 (Tue, 25 May 2021) Log Message Wasm low memory tests should have a larger executable pool https://bugs.webkit.org/show_bug.cgi?id=226233 Reviewed by Saam Barati. With some other recent JSC changes we can sometimes go over the allocation pool we set aside. Let's bump the number. * Scripts/run-jsc-stress-tests: Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/Tools/ChangeLog (278040 => 278041) --- trunk/Tools/ChangeLog 2021-05-25 20:27:57 UTC (rev 278040) +++ trunk/Tools/ChangeLog 2021-05-25 20:29:12 UTC (rev 278041) @@ -1,3 +1,14 @@ +2021-05-25 Keith Miller + +Wasm low memory tests should have a larger executable pool +https://bugs.webkit.org/show_bug.cgi?id=226233 + +Reviewed by Saam Barati. + +With some other recent JSC changes we can sometimes go over the allocation pool we set aside. Let's bump the number. + +* Scripts/run-jsc-stress-tests: + 2021-05-25 Sam Sneddon Run webkitpy integration tests under pytest by default Modified: trunk/Tools/Scripts/run-jsc-stress-tests (278040 => 278041) --- trunk/Tools/Scripts/run-jsc-stress-tests 2021-05-25 20:27:57 UTC (rev 278040) +++ trunk/Tools/Scripts/run-jsc-stress-tests 2021-05-25 20:29:12 UTC (rev 278041) 
@@ -1315,7 +1315,7 @@ prepareExtraAbsoluteFiles(WASMTESTS_PATH, ["wasm.json"]) prepareExtraRelativeFiles(modules.map { |f| "../" + f }, $collection) # Only let WebAssembly get executable memory. -run("default-wasm", "--useConcurrentGC=0" , "--useConcurrentJIT=0", "--jitMemoryReservationSize=15000", "--useBaselineJIT=0", "--useDFGJIT=0", "--useFTLJIT=0", "-m") +run("default-wasm", "--useConcurrentGC=0" , "--useConcurrentJIT=0", "--jitMemoryReservationSize=2", "--useBaselineJIT=0", "--useDFGJIT=0", "--useFTLJIT=0", "-m") end def runChakra(mode, exception, baselineFile, extraFiles)
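Review bot: the log says the executable pool is being bumped, but the hunk as rendered here changes `--jitMemoryReservationSize=15000` to `--jitMemoryReservationSize=2`, which would be a drastic reduction rather than an increase; the trailing digits have most likely been lost in extraction (the same page renders revision 278888 as `27` in its title line), so the intended value should be confirmed against the repository. Either way the ChangeLog entry should state the new reservation size and its unit instead of "Let's bump the number", so the next person who hits the limit knows how much headroom was chosen and why, and ideally which test pushed past the old value.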
[webkit-changes] [277963] trunk/Source
Title: [277963] trunk/Source Revision 277963 Author keith_mil...@apple.com Date 2021-05-24 12:29:38 -0700 (Mon, 24 May 2021) Log Message Unreviewed, revert r276610 because it causes a 1% PLT regression. Source/_javascript_Core: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::visitChildren): (JSC::CodeBlock::JITData::size const): Deleted. * bytecode/CodeBlock.h: * jit/JITCodeMap.h: (JSC::JITCodeMap::memorySize const): Deleted. Source/WTF: * wtf/Bag.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/jit/JITCodeMap.h trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/Bag.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (277962 => 277963) --- trunk/Source/_javascript_Core/ChangeLog 2021-05-24 18:58:39 UTC (rev 277962) +++ trunk/Source/_javascript_Core/ChangeLog 2021-05-24 19:29:38 UTC (rev 277963) @@ -1,3 +1,14 @@ +2021-05-24 Keith Miller + +Unreviewed, revert r276610 because it causes a 1% PLT regression. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::visitChildren): +(JSC::CodeBlock::JITData::size const): Deleted. +* bytecode/CodeBlock.h: +* jit/JITCodeMap.h: +(JSC::JITCodeMap::memorySize const): Deleted. + 2021-05-24 Chris Dumez Drop CheckedLock / CheckedCondition aliases Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (277962 => 277963) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-05-24 18:58:39 UTC (rev 277962) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-05-24 19:29:38 UTC (rev 277963) 
@@ -984,14 +984,6 @@ extraMemory += m_metadata->sizeInBytes(); if (m_jitCode && !m_jitCode->isShared()) extraMemory += m_jitCode->size(); -#if ENABLE(JIT) -if (m_jitData) -extraMemory += m_jitData->size(locker); -#endif -extraMemory += m_argumentValueProfiles.size() * sizeof(ValueProfile); -extraMemory += m_functionDecls.size() * sizeof(decltype(*m_functionDecls.data())); -extraMemory += m_functionExprs.size() * sizeof(decltype(*m_functionExprs.data())); - visitor.reportExtraMemoryVisited(extraMemory); stronglyVisitStrongReferences(locker, visitor); 
@@ -1029,28 +1021,6 @@ template bool CodeBlock::shouldVisitStrongly(const ConcurrentJSLocker&, AbstractSlotVisitor&); template bool CodeBlock::shouldVisitStrongly(const ConcurrentJSLocker&, SlotVisitor&); -#if ENABLE(JIT) -size_t CodeBlock::JITData::size(const ConcurrentJSLocker&) const -{ -size_t size = sizeof(JITData); -size += m_stubInfos.estimatedAllocationSizeInBytes(); -size += m_addICs.estimatedAllocationSizeInBytes(); -size += m_mulICs.estimatedAllocationSizeInBytes(); -size += m_negICs.estimatedAllocationSizeInBytes(); -size += m_subICs.estimatedAllocationSizeInBytes(); -size += m_byValInfos.estimatedAllocationSizeInBytes(); -size += m_callLinkInfos.estimatedAllocationSizeInBytes(); -size += m_switchJumpTables.size() * sizeof(decltype(*m_switchJumpTables.data())); -size += m_stringSwitchJumpTables.size() * sizeof(decltype(*m_stringSwitchJumpTables.data())); -// FIXME: account for m_calleeSaveRegisters but it's not a big deal since it's a fixed size and small. -if (m_pcToCodeOriginMap) -size += m_pcToCodeOriginMap->memorySize(); -if (m_jitCodeMap) -size += m_jitCodeMap.memorySize(); -return size; -} -#endif - bool CodeBlock::shouldJettisonDueToWeakReference(VM& vm) { if (!JITCode::isOptimizingJIT(jitType())) Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (277962 => 277963) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2021-05-24 18:58:39 UTC (rev 277962) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2021-05-24 19:29:38 UTC (rev 277963) @@ -270,8 +270,6 @@ struct JITData { WTF_MAKE_STRUCT_FAST_ALLOCATED; -size_t size(const ConcurrentJSLocker&) const; - Bag m_stubInfos; Bag m_addICs; Bag m_mulICs; Modified: trunk/Source/_javascript_Core/jit/JITCodeMap.h (277962 => 277963) --- trunk/Source/_javascript_Core/jit/JITCodeMap.h 2021-05-24 18:58:39 UTC (rev 277962) +++ trunk/Source/_javascript_Core/jit/JITCodeMap.h 2021-05-24 19:29:38 UTC (rev 277963) 
@@ -58,8 +58,6 @@ explicit operator bool() const { return m_size; } -size_t memorySize() const { return sizeof(CodeLocationLabel) * m_size + sizeof(BytecodeIndex) * m_size; } - private: CodeLocationLabel* codeLocations() const { Modified: trunk/Source/WTF/ChangeLog (277962 => 277963) --- trunk/Source/WTF/ChangeLog 2021-05-24 18:58:39 UTC (rev 277962) +++ trunk/Source/WTF/ChangeLog 2021-05-24 19:29:38 UTC (rev 277963) @@ -1,3 +1,9 @@ +2021-05-24 Keith Miller + +Unreviewed, revert r276610 because it causes a 1% PLT regression. + +* wtf/Bag.h: + 2021-05-24 Chris Dumez
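Review bot: the `JITData::size` body deleted in the CodeBlock.cpp hunk is not a plain inverse of r276610: it lacks the `for (StructureStubInfo* stub : m_stubInfos) size += stub->extraMemoryInBytes();` loop that r276655 added to this function (its hunk appears further down this page) and also lacks the `m_rareCaseProfiles` term that the original r276610 hunk contained, so the function had been edited in between. The log line `Unreviewed, revert r276610 because it causes a 1% PLT regression.` should say which follow-up commits the revert covers and whether `StructureStubInfo::extraMemoryInBytes` / `PolymorphicAccess::extraMemoryInBytes` from r276655 are now left without a caller or were removed separately; as written, the WTF ChangeLog entry lists only `* wtf/Bag.h:` without saying what is reverted there.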
[webkit-changes] [277572] trunk/Source/JavaScriptCore
Title: [277572] trunk/Source/_javascript_Core Revision 277572 Author keith_mil...@apple.com Date 2021-05-16 10:46:33 -0700 (Sun, 16 May 2021) Log Message IsoAlignedMemoryAllocator should use BitVector https://bugs.webkit.org/show_bug.cgi?id=225852 Reviewed by Mark Lam. Right now IsoAlignedMemoryAllocator uses FastBitVector, which does not have inline storage for small sizes. However, it's not uncommon for IsoAlignedMemoryAllocator to be holding onto only a few blocks. Those blocks may exist for a long time, which some data indicates causes IsoAlignedMemoryAllocator's FastBitVector to pin a full physical page for one 8 byte allocation. Since accessing the committed blocks list is not a particularly hot operation, we should just use a BitVector instead. This seems to be perf neutral on benchmarks. * heap/IsoAlignedMemoryAllocator.cpp: (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator): (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory): (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory): * heap/IsoAlignedMemoryAllocator.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.cpp trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (277571 => 277572) --- trunk/Source/_javascript_Core/ChangeLog 2021-05-16 17:18:30 UTC (rev 277571) +++ trunk/Source/_javascript_Core/ChangeLog 2021-05-16 17:46:33 UTC (rev 277572)
@@ -1,3 +1,27 @@ +2021-05-16 Keith Miller + +IsoAlignedMemoryAllocator should use BitVector +https://bugs.webkit.org/show_bug.cgi?id=225852 + +Reviewed by Mark Lam. + +Right now IsoAlignedMemoryAllocator uses FastBitVector, which does +not have inline storage for small sizes. However, it's not +uncommon for IsoAlignedMemoryAllocator to be holding onto only a +few blocks. Those blocks may exist for a long time, which some +data indicates causes IsoAlignedMemoryAllocator's FastBitVector to +pin a full physical page for one 8 byte allocation. Since +accessing the commited blocks list is not a particularly hot +operation, we should just use a BitVector instead. + +This seems to be perf neutral on benchmarks. + +* heap/IsoAlignedMemoryAllocator.cpp: +(JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator): +(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory): +(JSC::IsoAlignedMemoryAllocator::freeAlignedMemory): +* heap/IsoAlignedMemoryAllocator.h: + 2021-05-16 Saam Barati DFGVarargsForwardingPhase shouldn't consult Flush Modified: trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.cpp (277571 => 277572) --- trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.cpp 2021-05-16 17:18:30 UTC (rev 277571) +++ trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.cpp 2021-05-16 17:46:33 UTC (rev 277572) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017 Apple Inc. All rights reserved. + * Copyright (C) 2017-2021 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -42,7 +42,7 @@ #if !ENABLE(MALLOC_HEAP_BREAKDOWN) for (unsigned i = 0; i < m_blocks.size(); ++i) { void* block = m_blocks[i]; -if (!m_committed[i]) +if (!m_committed.quickGet(i)) WTF::fastCommitAlignedMemory(block, MarkedBlock::blockSize); fastAlignedFree(block); } 
@@ -63,7 +63,7 @@ m_firstUncommitted = m_committed.findBit(m_firstUncommitted, false); if (m_firstUncommitted < m_blocks.size()) { -m_committed[m_firstUncommitted] = true; +m_committed.quickSet(m_firstUncommitted); void* result = m_blocks[m_firstUncommitted]; WTF::fastCommitAlignedMemory(result, MarkedBlock::blockSize); return result; @@ -77,7 +77,7 @@ m_blockIndices.add(result, index); if (m_blocks.capacity() != m_committed.size()) m_committed.resize(m_blocks.capacity()); -m_committed[index] = true; +m_committed.quickSet(index); return result; #endif } @@ -92,7 +92,7 @@ auto iter = m_blockIndices.find(basePtr); RELEASE_ASSERT(iter != m_blockIndices.end()); unsigned index = iter->value; -m_committed[index] = false; +m_committed.quickClear(index); m_firstUncommitted = std::min(index, m_firstUncommitted); WTF::fastDecommitAlignedMemory(basePtr, MarkedBlock::blockSize); #endif Modified: trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h (277571 => 277572) --- trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h 2021-05-16 17:18:30 UTC (rev 277571) +++ trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h 2021-05-16 17:46:33 UTC (rev 277572) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017 Apple Inc. All rights reser
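Review bot: the `quickGet`/`quickSet`/`quickClear` calls in the IsoAlignedMemoryAllocator.cpp hunks skip BitVector's bounds check, so they are only sound while `m_committed.size() >= m_blocks.size()` holds, and the single place that invariant is maintained is the `if (m_blocks.capacity() != m_committed.size()) m_committed.resize(m_blocks.capacity());` pair in tryAllocateAlignedMemory; the destructor loop and freeAlignedMemory (where `index` comes back from `m_blockIndices`) rely on it without checking. Since the log itself says the committed-block list is not a hot path, the checked `get`/`set`/`clear` variants, or an `ASSERT(index < m_committed.size())` beside each quick call, would cost nothing measurable and turn a stale or undersized bit vector into an assertion instead of an out-of-bounds read or write.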
[webkit-changes] [276655] trunk/Source/JavaScriptCore
Title: [276655] trunk/Source/_javascript_Core Revision 276655 Author keith_mil...@apple.com Date 2021-04-27 12:49:45 -0700 (Tue, 27 Apr 2021) Log Message StructureStubInfo and PolymorphicAccess should account for their non-GC memory https://bugs.webkit.org/show_bug.cgi?id=225113 Reviewed by Mark Lam. We don't pass the ConcurrentJSLocker to the helper methods here since the DECLARE_VISIT_AGGREGATE macro does not allow for extra parameters to be passed. I filed https://bugs.webkit.org/show_bug.cgi?id=225114 to track that. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::JITData::size const): * bytecode/PolymorphicAccess.cpp: (JSC::PolymorphicAccess::extraMemoryInBytes const): * bytecode/PolymorphicAccess.h: * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::extraMemoryInBytes): * bytecode/StructureStubInfo.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.h trunk/Source/_javascript_Core/bytecode/StructureStubInfo.cpp trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (276654 => 276655) --- trunk/Source/_javascript_Core/ChangeLog 2021-04-27 19:41:22 UTC (rev 276654) +++ trunk/Source/_javascript_Core/ChangeLog 2021-04-27 19:49:45 UTC (rev 276655) 
@@ -1,3 +1,23 @@ +2021-04-27 Keith Miller + +StructureStubInfo and PolymorphicAccess should account for their non-GC memory +https://bugs.webkit.org/show_bug.cgi?id=225113 + +Reviewed by Mark Lam. + +We don't pass the ConcurrentJSLocker to the helper methods here since the +DECLARE_VISIT_AGGREGATE macro does not allow for extra parameters to be passed. +I filed https://bugs.webkit.org/show_bug.cgi?id=225114 to track that. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::JITData::size const): +* bytecode/PolymorphicAccess.cpp: +(JSC::PolymorphicAccess::extraMemoryInBytes const): +* bytecode/PolymorphicAccess.h: +* bytecode/StructureStubInfo.cpp: +(JSC::StructureStubInfo::extraMemoryInBytes): +* bytecode/StructureStubInfo.h: + 2021-04-26 Keith Miller UnlinkedCodeBlock should have better accounting for extra memory Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (276654 => 276655) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-04-27 19:41:22 UTC (rev 276654) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-04-27 19:49:45 UTC (rev 276655) @@ -1034,6 +1034,8 @@ { size_t size = sizeof(JITData); size += m_stubInfos.estimatedAllocationSizeInBytes(); +for (StructureStubInfo* stub : m_stubInfos) +size += stub->extraMemoryInBytes(); size += m_addICs.estimatedAllocationSizeInBytes(); size += m_mulICs.estimatedAllocationSizeInBytes(); size += m_negICs.estimatedAllocationSizeInBytes(); Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp (276654 => 276655) --- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp 2021-04-27 19:41:22 UTC (rev 276654) +++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp 2021-04-27 19:49:45 UTC (rev 276655) 
@@ -377,6 +377,20 @@ DEFINE_VISIT_AGGREGATE(PolymorphicAccess); +size_t PolymorphicAccess::extraMemoryInBytes() const +{ +size_t size = 0; +size += m_list.sizeInBytes(); +// FIXME: Account for the size of the various access cases. +size += m_list.size() * sizeof(AccessCase); +if (m_stubRoutine) +size += sizeof(JITStubRoutine) + m_stubRoutine->code().size(); +if (m_watchpoints) +size += sizeof(WatchpointsOnStructureStubInfo) + m_watchpoints->extraMemoryInBytes(); +size += m_weakReferences.byteSize(); +return size; +} + void PolymorphicAccess::dump(PrintStream& out) const { out.print(RawPointer(this), ":["); Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h (276654 => 276655) --- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h 2021-04-27 19:41:22 UTC (rev 276654) +++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h 2021-04-27 19:49:45 UTC (rev 276655) @@ -157,6 +157,8 @@ // If this returns false then we are requesting a reset of the owning StructureStubInfo. bool visitWeak(VM&) const; + +size_t extraMemoryInBytes() const; // This returns true if it has marked everything it will ever marked. This can be used as an // optimization to then avoid calling this method again during the fixpoint. Modified: trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp (276654 => 276655) --- trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoin
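Review bot: the new `for (StructureStubInfo* stub : m_stubInfos) size += stub->extraMemoryInBytes();` loop in the CodeBlock.cpp hunk runs inside `JITData::size(const ConcurrentJSLocker&)`, but, as the log says, `extraMemoryInBytes()` takes no locker, so `PolymorphicAccess::extraMemoryInBytes` reads `m_list`, `m_stubRoutine`, `m_watchpoints` and `m_weakReferences` while the mutator may be repatching the stub. A torn read is tolerable for a value that only feeds `reportExtraMemoryVisited`, but the call site should carry a short comment saying the number is an unlocked estimate and pointing at https://bugs.webkit.org/show_bug.cgi?id=225114, so nobody later treats it as exact; the `// FIXME: Account for the size of the various access cases.` line above `size += m_list.size() * sizeof(AccessCase);` should likewise say that subclass sizes are not counted, since `sizeof(AccessCase)` is only the base.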
[webkit-changes] [276625] trunk/Source/JavaScriptCore
Title: [276625] trunk/Source/_javascript_Core Revision 276625 Author keith_mil...@apple.com Date 2021-04-26 18:09:59 -0700 (Mon, 26 Apr 2021) Log Message UnlinkedCodeBlock should have better accounting for extra memory https://bugs.webkit.org/show_bug.cgi?id=225080 Reviewed by Mark Lam. Right now we aren't telling the JS GC about the extra memory attached to UnlinkedCodeBlocks. It looks like on at least some sites this can be a fairly large percentage of the total memory retained by the JS object graph. This is very similar to the change we made for CodeBlocks in r276610. * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedCodeBlock::visitChildrenImpl): (JSC::UnlinkedCodeBlock::RareData::sizeInBytes const): * bytecode/UnlinkedCodeBlock.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (276624 => 276625) --- trunk/Source/_javascript_Core/ChangeLog 2021-04-27 00:34:28 UTC (rev 276624) +++ trunk/Source/_javascript_Core/ChangeLog 2021-04-27 01:09:59 UTC (rev 276625) 
@@ -1,3 +1,21 @@ +2021-04-26 Keith Miller + +UnlinkedCodeBlock should have better accounting for extra memory +https://bugs.webkit.org/show_bug.cgi?id=225080 + +Reviewed by Mark Lam. + +Right now we aren't telling the JS GC about the extra memory +attached to UnlinkedCodeBlocks. It looks like on at least some sites this +can be a fairly large percentage of the total memory retained by +the JS object graph. This is very similar to the change we made for +CodeBlocks in r276610. + +* bytecode/UnlinkedCodeBlock.cpp: +(JSC::UnlinkedCodeBlock::visitChildrenImpl): +(JSC::UnlinkedCodeBlock::RareData::sizeInBytes const): +* bytecode/UnlinkedCodeBlock.h: + 2021-04-26 Alex Christensen Update Mac-specific CMake files Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp (276624 => 276625) --- trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp 2021-04-27 00:34:28 UTC (rev 276624) +++ trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp 2021-04-27 01:09:59 UTC (rev 276625) @@ -66,11 +66,13 @@ ASSERT(m_codeType == static_cast(codeType)); ASSERT(m_didOptimize == static_cast(TriState::Indeterminate)); if (info.needsClassFieldInitializer() == NeedsClassFieldInitializer::Yes) { -createRareDataIfNecessary(holdLock(cellLock())); +auto locker = holdLock(cellLock()); +createRareDataIfNecessary(locker); m_rareData->m_needsClassFieldInitializer = static_cast(NeedsClassFieldInitializer::Yes); } if (info.privateBrandRequirement() == PrivateBrandRequirement::Needed) { -createRareDataIfNecessary(holdLock(cellLock())); +auto locker = holdLock(cellLock()); +createRareDataIfNecessary(locker); m_rareData->m_privateBrandRequirement = static_cast(PrivateBrandRequirement::Needed); } } 
@@ -92,6 +94,16 @@ size_t extraMemory = thisObject->m_metadata->sizeInBytes(); if (thisObject->m_instructions) extraMemory += thisObject->m_instructions->sizeInBytes(); +if (thisObject->hasRareData()) +extraMemory += thisObject->m_rareData->sizeInBytes(locker); + +extraMemory += thisObject->m_jumpTargets.byteSize(); +extraMemory += thisObject->m_identifiers.byteSize(); +extraMemory += thisObject->m_constantRegisters.byteSize(); +extraMemory += thisObject->m_constantsSourceCodeRepresentation.byteSize(); +extraMemory += thisObject->m_functionDecls.byteSize(); +extraMemory += thisObject->m_functionExprs.byteSize(); + visitor.reportExtraMemoryVisited(extraMemory); } @@ -106,6 +118,23 @@ return Base::estimatedSize(cell, vm) + extraSize; } +size_t UnlinkedCodeBlock::RareData::sizeInBytes(const AbstractLocker&) const +{ +size_t size = sizeof(RareData); +size += m_exceptionHandlers.byteSize(); +size += m_unlinkedSwitchJumpTables.byteSize(); +size += m_unlinkedStringSwitchJumpTables.byteSize(); +size += m_expressionInfoFatPositions.byteSize(); +size += m_typeProfilerInfoMap.capacity() * sizeof(decltype(m_typeProfilerInfoMap)::KeyValuePairType); +size += m_opProfileControlFlowBytecodeOffsets.byteSize(); +size += m_bitVectors.byteSize(); +// FIXME: account for each bit vector. +size += m_constantIdentifierSets.byteSize(); +for (const auto& identifierSet : m_constantIdentifierSets) +size += identifierSet.capacity() * sizeof(std::remove_reference_t::ValueType); +return size; +} + int UnlinkedCodeBlock::lineNumberForBytecodeIndex(BytecodeIndex bytecodeIndex) { ASSERT(bytecodeIndex.offset() < instructions().size()); Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h (276624 => 276625) --- trunk/Source/_javascript_Core/bytecod
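Review bot: the `byteSize()` terms added in the UnlinkedCodeBlock.cpp hunks (`m_jumpTargets`, `m_identifiers`, `m_constantRegisters`, `m_constantsSourceCodeRepresentation`, `m_functionDecls`, `m_functionExprs`, and the `RareData` vectors) sit next to `m_typeProfilerInfoMap.capacity() * sizeof(...)` and `identifierSet.capacity() * sizeof(...)`; worth confirming that `Vector::byteSize()` reports allocated capacity rather than `size()`, otherwise the value handed to `reportExtraMemoryVisited` under-counts the slack in grown vectors and the two styles in the same function disagree. Also, the two `auto locker = holdLock(cellLock()); createRareDataIfNecessary(locker);` changes in the constructor are a behavioural fix beyond accounting (the lock is now held across the `m_rareData->...` store that follows instead of being released at the end of the `createRareDataIfNecessary(...)` expression) and deserve their own line in the ChangeLog, which currently lists only `visitChildrenImpl` and `RareData::sizeInBytes`.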
[webkit-changes] [276610] trunk/Source
Title: [276610] trunk/Source Revision 276610 Author keith_mil...@apple.com Date 2021-04-26 13:22:35 -0700 (Mon, 26 Apr 2021) Log Message CodeBlock should do a better job accounting for extra memory it allocates. https://bugs.webkit.org/show_bug.cgi?id=225068 Reviewed by Mark Lam. Source/_javascript_Core: Right now we aren't telling the JS GC about the extra memory attached to CodeBlocks. It looks like on at least some sites this can be a fairly large percentage of the total memory retained by the JS object graph. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::visitChildren): (JSC::CodeBlock::JITData::size const): * bytecode/CodeBlock.h: * jit/JITCodeMap.h: (JSC::JITCodeMap::memorySize const): Source/WTF: Small convenience function to help compute the memory used by a Bag for JS GC accounting. * wtf/Bag.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/jit/JITCodeMap.h trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/Bag.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (276609 => 276610) --- trunk/Source/_javascript_Core/ChangeLog 2021-04-26 20:20:13 UTC (rev 276609) +++ trunk/Source/_javascript_Core/ChangeLog 2021-04-26 20:22:35 UTC (rev 276610) 
@@ -1,5 +1,24 @@ 2021-04-26 Keith Miller +CodeBlock should do a better job accounting for extra memory it allocates. +https://bugs.webkit.org/show_bug.cgi?id=225068 + +Reviewed by Mark Lam. + +Right now we aren't telling the JS GC about the extra memory +attached to CodeBlocks. It looks like on at least some sites this +can be a fairly large percentage of the total memory retained by +the JS object graph. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::visitChildren): +(JSC::CodeBlock::JITData::size const): +* bytecode/CodeBlock.h: +* jit/JITCodeMap.h: +(JSC::JITCodeMap::memorySize const): + +2021-04-26 Keith Miller + numCalleeLocals, numParameters, and numVars should be unsigned https://bugs.webkit.org/show_bug.cgi?id=224995 Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (276609 => 276610) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-04-26 20:20:13 UTC (rev 276609) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-04-26 20:22:35 UTC (rev 276610) @@ -984,6 +984,14 @@ extraMemory += m_metadata->sizeInBytes(); if (m_jitCode && !m_jitCode->isShared()) extraMemory += m_jitCode->size(); +#if ENABLE(JIT) +if (m_jitData) +extraMemory += m_jitData->size(locker); +#endif +extraMemory += m_argumentValueProfiles.size() * sizeof(ValueProfile); +extraMemory += m_functionDecls.size() * sizeof(decltype(*m_functionDecls.data())); +extraMemory += m_functionExprs.size() * sizeof(decltype(*m_functionExprs.data())); + visitor.reportExtraMemoryVisited(extraMemory); stronglyVisitStrongReferences(locker, visitor); 
@@ -1021,6 +1029,29 @@ template bool CodeBlock::shouldVisitStrongly(const ConcurrentJSLocker&, AbstractSlotVisitor&); template bool CodeBlock::shouldVisitStrongly(const ConcurrentJSLocker&, SlotVisitor&); +#if ENABLE(JIT) +size_t CodeBlock::JITData::size(const ConcurrentJSLocker&) const +{ +size_t size = sizeof(JITData); +size += m_stubInfos.estimatedAllocationSizeInBytes(); +size += m_addICs.estimatedAllocationSizeInBytes(); +size += m_mulICs.estimatedAllocationSizeInBytes(); +size += m_negICs.estimatedAllocationSizeInBytes(); +size += m_subICs.estimatedAllocationSizeInBytes(); +size += m_byValInfos.estimatedAllocationSizeInBytes(); +size += m_callLinkInfos.estimatedAllocationSizeInBytes(); +size += m_rareCaseProfiles.size() * sizeof(decltype(*m_rareCaseProfiles.data())); +size += m_switchJumpTables.size() * sizeof(decltype(*m_switchJumpTables.data())); +size += m_stringSwitchJumpTables.size() * sizeof(decltype(*m_stringSwitchJumpTables.data())); +// FIXME: account for m_calleeSaveRegisters but it's not a big deal since it's a fixed size and small. +if (m_pcToCodeOriginMap) +size += m_pcToCodeOriginMap->memorySize(); +if (m_jitCodeMap) +size += m_jitCodeMap.memorySize(); +return size; +} +#endif + bool CodeBlock::shouldJettisonDueToWeakReference(VM& vm) { if (!JITCode::isOptimizingJIT(jitType())) Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (276609 => 276610) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2021-04-26 20:20:13 UTC (rev 276609) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2021-04-26 20:22:35 UTC (rev 276610) @@ -268,6 +268,8 @@ struct JITData { WTF_MAKE_STRUCT_FAST_ALLOCATED; +size_t size(const ConcurrentJSLocker&) const; + Bag m_stubInfos; Bag m_addICs; Bag m_mulICs; Modified: trunk/Sour
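Review bot: `JITData::size` in the CodeBlock.cpp hunk is recomputed from scratch on every `visitChildren`, walking seven Bags via `estimatedAllocationSizeInBytes()` plus the jump tables, `m_pcToCodeOriginMap` and `m_jitCodeMap`, so the accounting cost grows with the number of inline caches on every GC pass (the revert at the top of this page, r277963, cites a 1% PLT regression). Consider caching the result in `JITData` and refreshing it only where the Bags grow, rather than paying the walk each collection. Separately, the vector terms use `.size() * sizeof(...)` (`m_argumentValueProfiles`, `m_functionDecls`, `m_functionExprs`, `m_rareCaseProfiles`, `m_switchJumpTables`, `m_stringSwitchJumpTables`), which ignores capacity slack and so under-reports compared with the Bag estimates.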
[webkit-changes] [276609] trunk/Source/JavaScriptCore
Title: [276609] trunk/Source/_javascript_Core Revision 276609 Author keith_mil...@apple.com Date 2021-04-26 13:20:13 -0700 (Mon, 26 Apr 2021) Log Message numCalleeLocals, numParameters, and numVars should be unsigned https://bugs.webkit.org/show_bug.cgi?id=224995 Reviewed by Mark Lam. All of the various CodeBlock classes currently have the numCalleeLocals and numVars marked as ints. I believe this is just a historical artifact or because VirtualRegister's offset is an int to make handling constants easier. Regardless, it's a bit strange to not handle the sign conversion at the point of comparison between a VirtualRegister offset and the local/var count. This doesn't completely fix every place we use ints for these values but starts on the right track. Lastly, I also added some Checks to the wasm parser for sanity checking. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::setNumParameters): (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow): * bytecode/CodeBlock.h: (JSC::CodeBlock::numParameters const): (JSC::CodeBlock::numberOfArgumentsToSkip const): (JSC::CodeBlock::numCalleeLocals const): (JSC::CodeBlock::numVars const): (JSC::CodeBlock::numTmps const): (JSC::CodeBlock::addressOfNumParameters): (JSC::CodeBlock::isTemporaryRegister): * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedCodeBlock::numCalleeLocals const): (JSC::UnlinkedCodeBlock::numVars const): * bytecode/UnlinkedCodeBlockGenerator.h: (JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const): (JSC::UnlinkedCodeBlockGenerator::numVars const): (JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals): (JSC::UnlinkedCodeBlockGenerator::setNumVars): (JSC::UnlinkedCodeBlockGenerator::setNumParameters): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): (JSC::BytecodeGenerator::emitPushFunctionNameScope): * bytecompiler/BytecodeGeneratorBaseInlines.h: (JSC::BytecodeGeneratorBase::newRegister): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): 
(JSC::DFG::ByteCodeParser::inliningCost): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGOSREntrypointCreationPhase.cpp: (JSC::DFG::OSREntrypointCreationPhase::run): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkArgumentTypes): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): * ftl/FTLOSREntry.cpp: (JSC::FTL::prepareOSREntry): * interpreter/CallFrameClosure.h: * interpreter/ProtoCallFrameInlines.h: (JSC::ProtoCallFrame::init): * jit/JIT.cpp: (JSC::JIT::compileWithoutLinking): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::numberOfStackPaddingSlots): (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots): * wasm/WasmFunctionCodeBlock.h: (JSC::Wasm::FunctionCodeBlock::numVars const): (JSC::Wasm::FunctionCodeBlock::numCalleeLocals const): (JSC::Wasm::FunctionCodeBlock::setNumVars): (JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals): * wasm/WasmLLIntGenerator.cpp: (JSC::Wasm::LLIntGenerator::push): (JSC::Wasm::LLIntGenerator::getDropKeepCount): (JSC::Wasm::LLIntGenerator::walkExpressionStack): (JSC::Wasm::LLIntGenerator::checkConsistency): (JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals): (JSC::Wasm::LLIntGenerator::splitStack): (JSC::Wasm::LLIntGenerator::finalize): (JSC::Wasm::LLIntGenerator::callInformationForCaller): (JSC::Wasm::LLIntGenerator::addLoop): (JSC::Wasm::LLIntGenerator::addTopLevel): (JSC::Wasm::LLIntGenerator::addBlock): (JSC::Wasm::LLIntGenerator::addIf): (JSC::Wasm::LLIntGenerator::addElseToUnreachable): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.h trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGeneratorBaseInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 
trunk/Source/_javascript_Core/dfg/DFGOSREntrypointCreationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/ftl/FTLOSREntry.cpp trunk/Source/_javascript_Core/interpreter/CallFrameClosure.h trunk/Source/_javascript_Core/interpreter/ProtoCallFrameInlines.h trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h trunk/Source/_javascript_Core/tools/VMInspector.cpp trunk/Source/_javascript_Core/wasm/WasmFunctionCodeBlock.h trunk/Source/_javascript_Core/wasm/WasmLLIntGenerator.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (276608 => 276609) --- trunk/Source/_javascript_Core/ChangeLog 2021-04-26 20:03:15 UTC (rev 276608) +++ trunk/Source/_javascript_Core/ChangeLog 2021-04-26 20:20:13 UTC (rev 276609) @@ -1,3 +1,85 @@ +2021-04-26 Keith Miller + +numCalleeLocals, numParameters, and numVars should be unsigned +https://bugs.webkit.
[webkit-changes] [276324] trunk/Source
Title: [276324] trunk/Source Revision 276324 Author keith_mil...@apple.com Date 2021-04-20 15:42:05 -0700 (Tue, 20 Apr 2021) Log Message FullGCActivityCallback should use the percentage of pages uncompressed in RAM to determine deferral. https://bugs.webkit.org/show_bug.cgi?id=224817 Reviewed by Filip Pizlo. Source/_javascript_Core: Right now we try to determine if too many pages are paged out by dereferencing them and bailing out of the GC if we go over a deadline. While this works if the only goal is to avoid causing extensive thrashing on spinny disks (HDD), it doesn't prevent thrashing when access to disk is fast (e.g. SSD). This is because on fast disks the proportional time to load the memory from disk is much lower. Additionally, on SSDs in particular we don't want to load the pages into RAM then bail as that will force a different page onto disk, increasing wear. This patch switches to asking the OS if each MarkedBlock is paged out. Then if we are over a threshold we wait until we would have GC'd anyway. This patch uses the (maxVMGrowthFactor - 1) as the percentage of "slow" pages (paged out or compressed) needed to defer the GC. The idea behind that threshold is that if we add that many pages then the same number of pages would be forced out of RAM for us to do a GC anyway (in the limit). * heap/BlockDirectory.cpp: (JSC::BlockDirectory::updatePercentageOfPagedOutPages): (JSC::BlockDirectory::isPagedOut): Deleted. * heap/BlockDirectory.h: * heap/FullGCActivityCallback.cpp: (JSC::FullGCActivityCallback::doCollection): * heap/Heap.cpp: (JSC::Heap::isPagedOut): * heap/Heap.h: * heap/MarkedSpace.cpp: (JSC::MarkedSpace::isPagedOut): * heap/MarkedSpace.h: * runtime/OptionsList.h: Source/WebKit: Add mincore to the acceptable syscall list. * WebProcess/com.apple.WebProcess.sb.in: Source/WTF: Add a noexcept flavor of FunctionTraits. On Linux mincore (and probably other syscalls) are marked noexcept so the existing overloads don't work. 
* wtf/FunctionTraits.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/BlockDirectory.cpp trunk/Source/_javascript_Core/heap/BlockDirectory.h trunk/Source/_javascript_Core/heap/FullGCActivityCallback.cpp trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/Heap.h trunk/Source/_javascript_Core/heap/MarkedSpace.cpp trunk/Source/_javascript_Core/heap/MarkedSpace.h trunk/Source/_javascript_Core/runtime/OptionsList.h trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/FunctionTraits.h trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in Diff Modified: trunk/Source/_javascript_Core/ChangeLog (276323 => 276324) --- trunk/Source/_javascript_Core/ChangeLog 2021-04-20 22:37:05 UTC (rev 276323) +++ trunk/Source/_javascript_Core/ChangeLog 2021-04-20 22:42:05 UTC (rev 276324) 
@@ -1,3 +1,42 @@ +2021-04-20 Keith Miller + +FullGCActivityCallback should use the percentage of pages uncompressed in RAM to determine deferral. +https://bugs.webkit.org/show_bug.cgi?id=224817 + +Reviewed by Filip Pizlo. + +Right now we try to determine if too many pages are paged out by +dereferencing them and bailing out of the GC if we go over a +deadline. While this works if the only goal is to avoid causing +extensive thrashing on spinny disks (HDD), it doesn't prevent +thrashing when access to disk is fast (e.g. SSD). This is because +on fast disks the proportional time to load the memory from disk +is much lower. Additionally, on SSDs in particular we don't want +to load the pages into RAM then bail as that will force a +different page onto disk, increasing wear. + +This patch switches to asking the OS if each MarkedBlock is paged +out. Then if we are over a threshold we wait until we would have +GC'd anyway. This patch uses the (maxVMGrowthFactor - 1) as the +percentage of "slow" pages (paged out or compressed) needed to +defer the GC. The idea behind that threshold is that if we add +that many pages then the same number of pages would be forced +out of RAM for us to do a GC anyway (in the limit). + +* heap/BlockDirectory.cpp: +(JSC::BlockDirectory::updatePercentageOfPagedOutPages): +(JSC::BlockDirectory::isPagedOut): Deleted. +* heap/BlockDirectory.h: +* heap/FullGCActivityCallback.cpp: +(JSC::FullGCActivityCallback::doCollection): +* heap/Heap.cpp: +(JSC::Heap::isPagedOut): +* heap/Heap.h: +* heap/MarkedSpace.cpp: +(JSC::MarkedSpace::isPagedOut): +* heap/MarkedSpace.h: +* runtime/OptionsList.h: + 2021-04-20 Don Olmstead [CMake] Don't use FORWARDING_HEADERS_DIR for JSC GLib headers Modified: trunk/Source/_javascript_Core/heap/BlockDirectory.cpp (276323 => 276324) --- trunk/Source/_javascript_Core/heap/BlockDi
[webkit-changes] [276155] trunk/Source/JavaScriptCore
Title: [276155] trunk/Source/_javascript_Core Revision 276155 Author keith_mil...@apple.com Date 2021-04-16 12:24:22 -0700 (Fri, 16 Apr 2021) Log Message Before deleting a MarkedBlock we do not need to clear its m_directory pointer. https://bugs.webkit.org/show_bug.cgi?id=224677 Reviewed by Yusuke Suzuki. Right now when we are about to free a MarkedBlock we clear the m_directory pointer in the MarkedBlock's Handle. This has the downside, however, of potentially paging in the footer from disk / the compressor, which some data we have seen shows is happening. This patch prevents this unnecessary store to hopefully reduce the number of pageins/decompressions caused by Safari web content. * heap/BlockDirectory.cpp: (JSC::BlockDirectory::removeBlock): (JSC::BlockDirectory::removeBlockForDeletion): * heap/BlockDirectory.h: * heap/MarkedBlock.cpp: (JSC::MarkedBlock::Handle::~Handle): * heap/MarkedSpace.cpp: (JSC::MarkedSpace::freeBlock): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/BlockDirectory.cpp trunk/Source/_javascript_Core/heap/BlockDirectory.h trunk/Source/_javascript_Core/heap/MarkedBlock.cpp trunk/Source/_javascript_Core/heap/MarkedSpace.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (276154 => 276155) --- trunk/Source/_javascript_Core/ChangeLog 2021-04-16 19:22:56 UTC (rev 276154) +++ trunk/Source/_javascript_Core/ChangeLog 2021-04-16 19:24:22 UTC (rev 276155)
@@ -1,3 +1,26 @@ +2021-04-16 Keith Miller + +Before deleting a MarkedBlock we do not need to clear its m_directory pointer. +https://bugs.webkit.org/show_bug.cgi?id=224677 + +Reviewed by Yusuke Suzuki. + +Right now when we are about to free a MarkedBlock we clear the +m_directory pointer in the MarkedBlock's Handle. This has the +downside, however, of potentially paging in the footer from disk / +the compressor, which some data we have seen shows is happening. +This patch prevents this uncessary store to hopefully reduce the +number of pageins/decompressions caused by Safari web content. + +* heap/BlockDirectory.cpp: +(JSC::BlockDirectory::removeBlock): +(JSC::BlockDirectory::removeBlockForDeletion): +* heap/BlockDirectory.h: +* heap/MarkedBlock.cpp: +(JSC::MarkedBlock::Handle::~Handle): +* heap/MarkedSpace.cpp: +(JSC::MarkedSpace::freeBlock): + 2021-04-16 Mark Lam Build fix for Debug -O3 after r276069. Modified: trunk/Source/_javascript_Core/heap/BlockDirectory.cpp (276154 => 276155) --- trunk/Source/_javascript_Core/heap/BlockDirectory.cpp 2021-04-16 19:22:56 UTC (rev 276154) +++ trunk/Source/_javascript_Core/heap/BlockDirectory.cpp 2021-04-16 19:24:22 UTC (rev 276155) @@ -140,7 +140,7 @@ setIsEmpty(NoLockingNecessary, index, true); } -void BlockDirectory::removeBlock(MarkedBlock::Handle* block) +void BlockDirectory::removeBlock(MarkedBlock::Handle* block, WillDeleteBlock willDelete) { ASSERT(block->directory() == this); ASSERT(m_blocks[block->index()] == block); @@ -155,8 +155,9 @@ [&](auto vectorRef) { vectorRef[block->index()] = false; }); - -block->didRemoveFromDirectory(); + +if (willDelete == WillDeleteBlock::No) +block->didRemoveFromDirectory(); } void BlockDirectory::stopAllocating() Modified: trunk/Source/_javascript_Core/heap/BlockDirectory.h (276154 => 276155) --- trunk/Source/_javascript_Core/heap/BlockDirectory.h 2021-04-16 19:22:56 UTC (rev 276154) +++ trunk/Source/_javascript_Core/heap/BlockDirectory.h 2021-04-16 19:24:22 UTC (rev 276155) 
@@ -83,7 +83,9 @@ RefPtr> parallelNotEmptyBlockSource(); void addBlock(MarkedBlock::Handle*); -void removeBlock(MarkedBlock::Handle*); +enum class WillDeleteBlock { No, Yes }; +// If WillDeleteBlock::Yes is passed then the block will be left in an invalid state. We do this, however, to avoid potentially paging in / decompressing old blocks to update their handle just before freeing them. +void removeBlock(MarkedBlock::Handle*, WillDeleteBlock = WillDeleteBlock::No); bool isPagedOut(MonotonicTime deadline); Modified: trunk/Source/_javascript_Core/heap/MarkedBlock.cpp (276154 => 276155) --- trunk/Source/_javascript_Core/heap/MarkedBlock.cpp 2021-04-16 19:22:56 UTC (rev 276154) +++ trunk/Source/_javascript_Core/heap/MarkedBlock.cpp 2021-04-16 19:24:22 UTC (rev 276155) @@ -76,7 +76,7 @@ if (!(balance % 10)) dataLog("MarkedBlock Balance: ", balance, "\n"); } -removeFromDirectory(); +m_directory->removeBlock(this, BlockDirectory::WillDeleteBlock::Yes); m_block->~MarkedBlock(); m_alignedMemoryAllocator->freeAlignedMemory(m_block); heap.didFreeBlock(blockSize); Modified: trunk/Source/_javascript_Core/heap/MarkedSpace.cpp (276154 => 276155) --- trunk/Source/_javascript_Core/heap/MarkedSpace.cpp 2021-0
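Review bot: In the `@@ -155,8 +155,9 @@` hunk of BlockDirectory.cpp, skipping `block->didRemoveFromDirectory()` when `willDelete == WillDeleteBlock::Yes` leaves the handle's directory pointer and index pointing at a directory it has already been erased from (`vectorRef[block->index()] = false` a few lines earlier), so any later use of the handle would act on stale state. That is only sound because the single `Yes` caller is `~Handle`, which destroys the handle immediately; consider saying so in the .cpp with a short comment or an `ASSERT` on the caller's expectation so a future caller does not pass `Yes` for a block that survives the call. Also, the ChangeLog hunk lists `(JSC::BlockDirectory::removeBlockForDeletion)` but no function of that name appears in the diff; it should describe the `WillDeleteBlock` parameter added to `removeBlock` instead.

Review bot: In the BlockDirectory.h hunk, the comment above `void removeBlock(MarkedBlock::Handle*, WillDeleteBlock = WillDeleteBlock::No);` is a single very long line; wrap it to the file's usual width, and consider spelling out what "left in an invalid state" means concretely (the handle keeps a dangling `m_directory` and a stale index), since that is the invariant any `WillDeleteBlock::Yes` caller has to respect. Defaulting the new parameter to `WillDeleteBlock::No` keeps the existing call sites unchanged, which is the right choice.

Review bot: In the MarkedBlock.cpp hunk, `removeFromDirectory();` is replaced by a direct `m_directory->removeBlock(this, BlockDirectory::WillDeleteBlock::Yes);` in `~Handle`. Please check whether `Handle::removeFromDirectory()` still has other callers or should be removed together with this change, and whether it previously tolerated a null `m_directory` (a handle destroyed without ever having been added to a directory), because the new line dereferences `m_directory` unconditionally.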
[webkit-changes] [275508] trunk
Title: [275508] trunk Revision 275508 Author keith_mil...@apple.com Date 2021-04-06 06:18:10 -0700 (Tue, 06 Apr 2021) Log Message CloneDeserializer should use ArrayBuffer::tryCreate https://bugs.webkit.org/show_bug.cgi?id=224218 Reviewed by Antti Koivisto. Source/WebCore: Right now CloneDeserializer assumes that every ArrayBuffer allocation during deserialization will succeed. This is silly since it's an array-like object. It should call tryCreate and fail the deserialization instead. Test: fast/dom/Window/post-message-large-array-buffer-should-not-crash.html * bindings/js/SerializedScriptValue.cpp: (WebCore::CloneDeserializer::readArrayBuffer): LayoutTests: This test was generated by a fuzzer so it allocates a large Array backing store by doing Object.defineProperty on a large offset. That said, I chose to leave it because it's sometimes useful to do things in different ways for testing. Also, skip the test on windows because we seem to throw a stack overflow error. Not sure why this happens but it's not super important that this particular test runs on all ports as we're mostly trying to just unblock the fuzzer. * fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt: Added. * fast/dom/Window/post-message-large-array-buffer-should-not-crash.html: Added. * platform/win/TestExpectations: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/platform/win/TestExpectations trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp Added Paths trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html Diff Modified: trunk/LayoutTests/ChangeLog (275507 => 275508) --- trunk/LayoutTests/ChangeLog 2021-04-06 12:58:20 UTC (rev 275507) +++ trunk/LayoutTests/ChangeLog 2021-04-06 13:18:10 UTC (rev 275508) 
@@ -1,3 +1,22 @@ +2021-04-06 Keith Miller + +CloneDeserializer should use ArrayBuffer::tryCreate +https://bugs.webkit.org/show_bug.cgi?id=224218 + +Reviewed by Antti Koivisto. + +This test was generated by a fuzzer so it allocates a large Array backing store +by doing Object.defineProperty on a large offset. That said, I chose to leave it +because it's sometimes useful to do things in different ways for testing. + +Also, skip the test on windows because we seem to throw a stack overflow error. +Not sure why this happens but it's not super important that this particular +test runs on all ports as we're mostly trying to just unblock the fuzzer. + +* fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt: Added. +* fast/dom/Window/post-message-large-array-buffer-should-not-crash.html: Added. +* platform/win/TestExpectations: + 2021-04-06 Alicia Boya García [GStreamer][MediaStream] Unreviewed micro-gardening Added: trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt (0 => 275508) --- trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt (rev 0) +++ trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt 2021-04-06 13:18:10 UTC (rev 275508) @@ -0,0 +1,9 @@ +Check that trying to deserialize an ArrayBuffer when there's not enough memory does not crash (test may only fail flakily) + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html (0 => 275508) --- trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html (rev 0) +++ trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html 2021-04-06 13:18:10 UTC (rev 275508) @@ -0,0 +1,28 @@ + + + + +
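Review bot: In the added `post-message-large-array-buffer-should-not-crash-expected.txt`, the only checked result is `PASS successfullyParsed is true`, and the header line itself says the test "may only fail flakily": the test exercises the no-crash path but does not assert that deserialization failed gracefully rather than succeeding, so a regression back to an infallible `ArrayBuffer` allocation would only be caught on a machine where the allocation actually fails. Consider stating in the test that it is a crash-only regression test, and, for the Windows skip described in the ChangeLog hunk (an unexplained stack overflow), pointing the TestExpectations entry at a tracking bug rather than leaving a bare skip.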