[webkit-changes] [295428] trunk

2022-06-09 Thread keith_miller
Title: [295428] trunk








Revision 295428
Author keith_mil...@apple.com
Date 2022-06-09 12:05:16 -0700 (Thu, 09 Jun 2022)


Log Message
jsc's settimeout should properly handle a delay
https://bugs.webkit.org/show_bug.cgi?id=240467

Reviewed by Yusuke Suzuki.

This patch makes it so that we properly handle a timeout passed to the JSC CLI setTimeout API. Previously we would just run the callback on the next runloop tick regardless of the passed value.

* Source/_javascript_Core/jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/251434@main

Modified Paths

trunk/Source/_javascript_Core/jsc.cpp


Added Paths

trunk/JSTests/stress/setTimeout-with-delay.js




Diff

Added: trunk/JSTests/stress/setTimeout-with-delay.js (0 => 295428)

--- trunk/JSTests/stress/setTimeout-with-delay.js	(rev 0)
+++ trunk/JSTests/stress/setTimeout-with-delay.js	2022-06-09 19:05:16 UTC (rev 295428)
@@ -0,0 +1,7 @@
+let startTime = Date.now();
+let waitTime = 1000;
+
+setTimeout(() => {
+if (startTime + waitTime > Date.now())
+throw new Error();
+}, waitTime);
\ No newline at end of file
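Review bot: The test only fails if the callback fires early; if the timer is never scheduled at all the callback simply never runs and the test passes vacuously. A flag set inside the callback and checked from a second, longer setTimeout (or whatever end-of-run hook the stress harness offers) would also catch a dropped timer. Separately, Date.now() is wall-clock time, so a clock adjustment during the one-second wait can make `startTime + waitTime > Date.now()` trip spuriously; worth keeping in mind when triaging flakes on this test. Minor: the file is missing its trailing newline.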


Modified: trunk/Source/_javascript_Core/jsc.cpp (295427 => 295428)

--- trunk/Source/_javascript_Core/jsc.cpp	2022-06-09 18:57:46 UTC (rev 295427)
+++ trunk/Source/_javascript_Core/jsc.cpp	2022-06-09 19:05:16 UTC (rev 295428)
@@ -2525,13 +2525,21 @@
 if (!callback)
 return throwVMTypeError(globalObject, scope, "First argument is not a JS function"_s);
 
-// FIXME: We don't look at the timeout parameter because we don't have a schedule work later API.
 auto ticket = vm.deferredWorkTimer->addPendingWork(vm, callback, { });
-vm.deferredWorkTimer->scheduleWorkSoon(ticket, [callback](DeferredWorkTimer::Ticket) {
-JSGlobalObject* globalObject = callback->globalObject();
-MarkedArgumentBuffer args;
-call(globalObject, callback, jsUndefined(), args, "You shouldn't see this..."_s);
-});
+auto dispatch = [callback, ticket] {
+callback->vm().deferredWorkTimer->scheduleWorkSoon(ticket, [callback](DeferredWorkTimer::Ticket) {
+JSGlobalObject* globalObject = callback->globalObject();
+MarkedArgumentBuffer args;
+call(globalObject, callback, jsUndefined(), args, "You shouldn't see this..."_s);
+});
+};
+
+JSValue timeout = callFrame->argument(1);
+if (timeout.isNumber() && timeout.asNumber())
+RunLoop::current().dispatchAfter(Seconds::fromMilliseconds(timeout.asNumber()), WTFMove(dispatch));
+else
+dispatch();
+
 return JSValue::encode(jsUndefined());
 }
 
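Review bot: `timeout.isNumber() && timeout.asNumber()` lets NaN, negative and infinite delays through to `RunLoop::current().dispatchAfter`: NaN is a number and compares non-zero, so `setTimeout(f, NaN)` hands a NaN `Seconds` to the run loop instead of firing promptly, and a negative delay is passed straight through. Suggest normalising first, e.g. `double delay = timeout.isNumber() ? timeout.asNumber() : 0;` followed by `if (!(delay > 0)) dispatch(); else RunLoop::current().dispatchAfter(Seconds::fromMilliseconds(delay), WTFMove(dispatch));`, where the negated comparison also catches NaN. Non-numeric arguments such as the string "1000" currently fall into the immediate branch rather than being coerced; if that is intended for the CLI shell, a one-line comment would save the question.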






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [295423] trunk/Source/JavaScriptCore/bytecode/Repatch.cpp

2022-06-09 Thread keith_miller
Title: [295423] trunk/Source/_javascript_Core/bytecode/Repatch.cpp








Revision 295423
Author keith_mil...@apple.com
Date 2022-06-09 10:20:40 -0700 (Thu, 09 Jun 2022)


Log Message
Repatch should be able to polymorphic call with arity fixup.
https://bugs.webkit.org/show_bug.cgi?id=240911

Reviewed by Saam Barati.

Right now repatch will emit a virtual call any time it has a case that requires arity fixup. Instead it should just pick the arity fixup entrypoint.

Canonical link: https://commits.webkit.org/251429@main

Modified Paths

trunk/Source/_javascript_Core/bytecode/Repatch.cpp




Diff

Modified: trunk/Source/_javascript_Core/bytecode/Repatch.cpp (295422 => 295423)

--- trunk/Source/_javascript_Core/bytecode/Repatch.cpp	2022-06-09 17:16:02 UTC (rev 295422)
+++ trunk/Source/_javascript_Core/bytecode/Repatch.cpp	2022-06-09 17:20:40 UTC (rev 295423)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1657,9 +1657,9 @@
 if (variant.executable() && !variant.executable()->isHostFunction()) {
 ExecutableBase* executable = variant.executable();
 codeBlock = jsCast(executable)->codeBlockForCall();
-// If we cannot handle a callee, either because we don't have a CodeBlock or because arity mismatch,
+// If we cannot handle a callee, because we don't have a CodeBlock,
 // assume that it's better for this whole thing to be a virtual call.
-if (!codeBlock || callFrame->argumentCountIncludingThis() < static_cast(codeBlock->numParameters()) || callLinkInfo.isVarargs()) {
+if (!codeBlock) {
 linkVirtualFor(vm, callFrame, callLinkInfo);
 return;
 }
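Review bot: Comment nit: the updated comment reads "If we cannot handle a callee, because we don't have a CodeBlock," with a stray comma before "because"; "If we cannot handle a callee because we don't have a CodeBlock, assume that it's better for this whole thing to be a virtual call." reads cleanly. Dropping the arity and varargs conditions here moves that decision to the link site, which the later hunk covers.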
@@ -1813,8 +1813,16 @@
 ASSERT(variant.executable()->hasJITCodeForCall());
 
 codePtr = jsToWasmICCodePtr(callLinkInfo.specializationKind(), variant.function());
-if (!codePtr)
-codePtr = variant.executable()->generatedJITCodeForCall()->addressForCall(ArityCheckNotRequired);
+if (!codePtr) {
+ArityCheckMode arityCheck = ArityCheckNotRequired;
+if (auto* codeBlock = callCase.codeBlock()) {
+ASSERT(!variant.executable()->isHostFunction());
+if ((callFrame->argumentCountIncludingThis() < static_cast(callCase.codeBlock()->numParameters()) || callLinkInfo.isVarargs()))
+arityCheck = MustCheckArity;
+
+}
+codePtr = variant.executable()->generatedJITCodeForCall()->addressForCall(arityCheck);
+}
 } else {
 ASSERT(variant.internalFunction());
 codePtr = vm.getCTIInternalFunctionTrampolineFor(CodeForCall);
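Review bot: Inside `if (auto* codeBlock = callCase.codeBlock())` the arity test calls `callCase.codeBlock()->numParameters()` again instead of using the `codeBlock` just bound; use the local. The doubled parentheses around the condition and the empty line before the closing brace look like leftovers from editing and are worth tidying in the same change.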








[webkit-changes] [294805] trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/ pull_request.py

2022-05-25 Thread keith_miller
Title: [294805] trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py








Revision 294805
Author keith_mil...@apple.com
Date 2022-05-25 10:43:05 -0700 (Wed, 25 May 2022)


Log Message
git-webkit pr crashes when run from detached HEAD
https://bugs.webkit.org/show_bug.cgi?id=240468

Reviewed by Jonathan Bedard.

repository.branch is None when on a detached HEAD. This causes us to throw an Error when performing a regex on the branch name.
This patch treats a detached HEAD the same as being on main.

* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
(PullRequest.pull_request_branch_point):

Canonical link: https://commits.webkit.org/250961@main

Modified Paths

trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py




Diff

Modified: trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py (294804 => 294805)

--- trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py	2022-05-25 17:29:16 UTC (rev 294804)
+++ trunk/Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py	2022-05-25 17:43:05 UTC (rev 294805)
@@ -159,7 +159,7 @@
 # FIXME: We can do better by infering the remote from the branch point, if it's not specified
 source_remote = args.remote or 'origin'
 
-if repository.branch in repository.DEFAULT_BRANCHES or repository.PROD_BRANCHES.match(repository.branch):
+if repository.branch is None or repository.branch in repository.DEFAULT_BRANCHES or repository.PROD_BRANCHES.match(repository.branch):
 if Branch.main(
 args, repository,
 why="'{}' is not a pull request branch".format(repository.branch),
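Review bot: With `repository.branch is None` now taking the main-branch path, the `why=` message two lines below still formats `repository.branch`, so a detached HEAD will report "'None' is not a pull request branch". Consider `why="'{}' is not a pull request branch".format(repository.branch or 'detached HEAD')`. The log message says a detached HEAD is treated like main; a short comment above the condition saying so would save the next reader a trip to the bug.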








[webkit-changes] [293974] trunk/JSTests

2022-05-09 Thread keith_miller
Title: [293974] trunk/JSTests








Revision 293974
Author keith_mil...@apple.com
Date 2022-05-09 07:57:30 -0700 (Mon, 09 May 2022)


Log Message
Unreviewed test gardening.

* test262/expectations.yaml:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/test262/expectations.yaml




Diff

Modified: trunk/JSTests/ChangeLog (293973 => 293974)

--- trunk/JSTests/ChangeLog	2022-05-09 14:46:18 UTC (rev 293973)
+++ trunk/JSTests/ChangeLog	2022-05-09 14:57:30 UTC (rev 293974)
@@ -1,3 +1,9 @@
+2022-05-09  Keith Miller  
+
+Unreviewed test gardening.
+
+* test262/expectations.yaml:
+
 2022-05-06  Ross Kirsling  
 
 Temporal.Duration#toString should never ignore fractionalSecondDigits


Modified: trunk/JSTests/test262/expectations.yaml (293973 => 293974)

--- trunk/JSTests/test262/expectations.yaml	2022-05-09 14:46:18 UTC (rev 293973)
+++ trunk/JSTests/test262/expectations.yaml	2022-05-09 14:57:30 UTC (rev 293974)
@@ -1317,6 +1317,9 @@
 test/intl402/Locale/prototype/minimize/removing-likely-subtags-first-adds-likely-subtags.js:
   default: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true'
   strict mode: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true'
+test/intl402/NumberFormat/constructor-roundingIncrement-invalid.js:
+  default: 'Test262Error: "maximumFractionDigits" is not equal to "minimumFractionDigits" Expected a RangeError to be thrown but no exception was thrown at all'
+  strict mode: 'Test262Error: "maximumFractionDigits" is not equal to "minimumFractionDigits" Expected a RangeError to be thrown but no exception was thrown at all'
 test/intl402/NumberFormat/prototype/format/format-rounding-priority-less-precision.js:
   default: 'Test262Error: Formatted value for 1, en-US-u-nu-arab and options {"useGrouping":false,"roundingPriority":"lessPrecision","minimumSignificantDigits":3,"minimumFractionDigits":1} is ١٫٠٠; expected ١٫٠.'
   strict mode: 'Test262Error: Formatted value for 1, en-US-u-nu-arab and options {"useGrouping":false,"roundingPriority":"lessPrecision","minimumSignificantDigits":3,"minimumFractionDigits":1} is ١٫٠٠; expected ١٫٠.'








[webkit-changes] [293973] trunk/Tools

2022-05-09 Thread keith_miller
Title: [293973] trunk/Tools








Revision 293973
Author keith_mil...@apple.com
Date 2022-05-09 07:46:18 -0700 (Mon, 09 May 2022)


Log Message
Test262 runner should show progress
https://bugs.webkit.org/show_bug.cgi?id=240181

Reviewed by Yusuke Suzuki.

The progress will appear as something like [42/245669].

* Scripts/test262/Runner.pm:
(processCLI):
(main):

Canonical link: https://commits.webkit.org/250411@main

Modified Paths

trunk/Tools/ChangeLog
trunk/Tools/Scripts/test262/Runner.pm




Diff

Modified: trunk/Tools/ChangeLog (293972 => 293973)

--- trunk/Tools/ChangeLog	2022-05-09 14:05:21 UTC (rev 293972)
+++ trunk/Tools/ChangeLog	2022-05-09 14:46:18 UTC (rev 293973)
@@ -1,3 +1,16 @@
+2022-05-06  Keith Miller  
+
+Test262 runner should show progress
+https://bugs.webkit.org/show_bug.cgi?id=240181
+
+Reviewed by Yusuke Suzuki.
+
+The progress will appear as something like [42/245669].
+
+* Scripts/test262/Runner.pm:
+(processCLI):
+(main):
+
 2022-05-08  Antti Koivisto  
 
 Avoid resolving style for elements that only inherit changes from parent


Modified: trunk/Tools/Scripts/test262/Runner.pm (293972 => 293973)

--- trunk/Tools/Scripts/test262/Runner.pm	2022-05-09 14:05:21 UTC (rev 293972)
+++ trunk/Tools/Scripts/test262/Runner.pm	2022-05-09 14:46:18 UTC (rev 293973)
@@ -132,6 +132,7 @@
 my $runningAllTests;
 my $timeout;
 my $skippedOnly;
+my $noProgress;
 
 my $test262Dir;
 my $webkitTest262Dir = abs_path("$Bin/../../../JSTests/test262");
@@ -176,7 +177,7 @@
 'f|features=s@' => \@features,
 'c|config=s' => \$configFile,
 'i|ignore-config' => \$ignoreConfig,
-'s|save' => \$saveExpectations,
+'save' => \$saveExpectations,
 'e|expectations=s' => \$specifiedExpectationsFile,
 'x|ignore-expectations' => \$ignoreExpectations,
 'F|failing-files' => \$failingOnly,
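Review bot: The `-s` short alias for `--save` is dropped here (and from the POD further down) but the log message only mentions progress output; anyone with `-s` in a script now gets an unknown-option error. Either call the removal out in the commit message or keep `'s|save'` if nothing else needs the letter.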
@@ -185,6 +186,7 @@
 'r|results=s' => \$specifiedResultsFile,
 'timeout=i' => \$timeout,
 'S|skipped-files' => \$skippedOnly,
+'no-progress' => \$noProgress,
 );
 
 if ($help) {
@@ -355,6 +357,9 @@
 }
 }
 
+my $numFiles = scalar(@files);
+my $completedFiles = 0;
+
 my $pm = Parallel::ForkManager->new($maxProcesses);
 my $select = IO::Select->new();
 
@@ -423,8 +428,12 @@
 $activeChildren--;
 my $file = shift @files;
 if ($file) {
+$completedFiles++;
 chomp $file;
 print $readyChild "$file\n";
+if (!$noProgress) {
+print "[$completedFiles/$numFiles]\r";
+}
 $activeChildren++;
 } elsif (!$activeChildren) {
 last FILES;
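Review bot: `$completedFiles++` runs when a file is handed to a child, so the counter reports files dispatched rather than files finished; either rename it (e.g. `$dispatchedFiles`) or bump it where the child's result is read. Also `"[$completedFiles/$numFiles]\r"` is written without a newline, so unless STDOUT autoflush (`$| = 1`) is enabled elsewhere the progress sits in the stdio buffer and appears in bursts; enabling autoflush for the progress print, or writing it to STDERR, fixes that.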
@@ -1338,7 +1347,7 @@
 
 Specify one or more specific test262 directory of test to run, relative to the root test262 directory. For example, --test-only 'test/built-ins/Number/prototype'
 
-=item B<--save, -s>
+=item B<--save>
 
 Overwrites the test262-expectations.yaml file with the current list of test262 files and test results.
 
@@ -1366,6 +1375,10 @@
 
 Calculate conformance statistics from results/results.yaml file or a supplied results file (--results). Saves results in results/summary.txt and results/summary.yaml.
 
+=item B<--no-progress>
+
+Don't show progress while running tests.
+
 =item B<--results, -r>
 
 Specifies a results file for the --stats or --failing-files options.








[webkit-changes] [293869] trunk/JSTests

2022-05-05 Thread keith_miller
Title: [293869] trunk/JSTests








Revision 293869
Author keith_mil...@apple.com
Date 2022-05-05 16:43:45 -0700 (Thu, 05 May 2022)


Log Message
Rebaseline icu tests to public sdk's icu
https://bugs.webkit.org/show_bug.cgi?id=240142

Reviewed by Yusuke Suzuki.

* test262/expectations.yaml:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/test262/expectations.yaml




Diff

Modified: trunk/JSTests/ChangeLog (293868 => 293869)

--- trunk/JSTests/ChangeLog	2022-05-05 23:28:27 UTC (rev 293868)
+++ trunk/JSTests/ChangeLog	2022-05-05 23:43:45 UTC (rev 293869)
@@ -1,3 +1,12 @@
+2022-05-05  Keith Miller  
+
+Rebaseline icu tests to public sdk's icu
+https://bugs.webkit.org/show_bug.cgi?id=240142
+
+Reviewed by Yusuke Suzuki.
+
+* test262/expectations.yaml:
+
 2022-05-04  Yusuke Suzuki  
 
 [JSC] Intl.NumberFormat lacks some validation for rounding-increment


Modified: trunk/JSTests/test262/expectations.yaml (293868 => 293869)

--- trunk/JSTests/test262/expectations.yaml	2022-05-05 23:28:27 UTC (rev 293868)
+++ trunk/JSTests/test262/expectations.yaml	2022-05-05 23:43:45 UTC (rev 293869)
@@ -1344,9 +1344,27 @@
 test/intl402/Intl/getCanonicalLocales/non-iana-canon.js:
   default: 'Test262Error: The value of Intl.getCanonicalLocales(tag)[0] equals the value of `canonical` Expected SameValue(«en-US-u-va-posix», «posix») to be true'
   strict mode: 'Test262Error: The value of Intl.getCanonicalLocales(tag)[0] equals the value of `canonical` Expected SameValue(«en-US-u-va-posix», «posix») to be true'
+test/intl402/Intl/getCanonicalLocales/preferred-grandfathered.js:
+  default: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true'
+  strict mode: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true'
+test/intl402/Intl/getCanonicalLocales/transformed-ext-canonical.js:
+  default: 'Test262Error: Expected SameValue(«sl-t-sl-rozaj-biske-1994», «sl-t-sl-1994-biske-rozaj») to be true'
+  strict mode: 'Test262Error: Expected SameValue(«sl-t-sl-rozaj-biske-1994», «sl-t-sl-1994-biske-rozaj») to be true'
+test/intl402/Intl/getCanonicalLocales/unicode-ext-canonicalize-region.js:
+  default: 'Test262Error: Expected SameValue(«und-u-rg-no23», «und-u-rg-no50») to be true'
+  strict mode: 'Test262Error: Expected SameValue(«und-u-rg-no23», «und-u-rg-no50») to be true'
+test/intl402/Intl/getCanonicalLocales/unicode-ext-canonicalize-subdivision.js:
+  default: 'Test262Error: Expected SameValue(«und-NO-u-sd-no23», «und-NO-u-sd-no50») to be true'
+  strict mode: 'Test262Error: Expected SameValue(«und-NO-u-sd-no23», «und-NO-u-sd-no50») to be true'
 test/intl402/Locale/extensions-grandfathered.js:
   default: 'Test262Error: Expected SameValue(«fr-Cyrl-FR-gaulish-u-nu-latn», «fr-Cyrl-FR-u-nu-latn») to be true'
   strict mode: 'Test262Error: Expected SameValue(«fr-Cyrl-FR-gaulish-u-nu-latn», «fr-Cyrl-FR-u-nu-latn») to be true'
+test/intl402/Locale/getters-grandfathered.js:
+  default: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true'
+  strict mode: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true'
+test/intl402/Locale/likely-subtags-grandfathered.js:
+  default: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true'
+  strict mode: 'Test262Error: Expected SameValue(«cel-gaulish», «xtg») to be true'
 test/intl402/Locale/prototype/minimize/removing-likely-subtags-first-adds-likely-subtags.js:
   default: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true'
   strict mode: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true'
@@ -1362,6 +1380,78 @@
 test/intl402/NumberFormat/prototype/format/value-decimal-string.js:
   default: 'Test262Error: Expected SameValue(«1», «1.0001») to be true'
   strict mode: 'Test262Error: Expected SameValue(«1», «1.0001») to be true'
+test/intl402/NumberFormat/prototype/formatRange/builtin.js:
+  default: 'Test262Error: The [[Class]] internal property of a built-in function must be "Function". Expected SameValue(«[object Undefined]», «[object Function]») to be true'
+  strict mode: 'Test262Error: The [[Class]] internal property of a built-in function must be "Function". Expected SameValue(«[object Undefined]», «[object Function]») to be true'
+test/intl402/NumberFormat/prototype/formatRange/en-US.js:
+  default: "TypeError: nf.formatRange is not a function. (In 'nf.formatRange(3, 5)', 'nf.formatRange' is undefined)"
+  strict mode: "TypeError: nf.formatRange is not a function. (In 'nf.formatRange(3, 5)', 'nf.formatRange' is undefined)"
+test/intl402/NumberFormat/prototype/formatRange/invoked-as-func.js:
+  default: 'Test262Error: Expected SameValue(«undefined», «function») to be true'
+  strict mode: 'Test262Error: Expected SameValue(«undefined», «function») to be true'
+test/intl402/NumberFormat/prototype/formatRange/length.js:
+  default: "TypeError: undefined is not an obje

[webkit-changes] [293393] trunk/Source/JavaScriptCore

2022-04-25 Thread keith_miller
Title: [293393] trunk/Source/_javascript_Core








Revision 293393
Author keith_mil...@apple.com
Date 2022-04-25 18:36:25 -0700 (Mon, 25 Apr 2022)


Log Message
structureIDToStructureWithScratch should only do things if ADDRESS64
https://bugs.webkit.org/show_bug.cgi?id=239749

Reviewed by Saam Barati.

* llint/LowLevelInterpreter64.asm:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (293392 => 293393)

--- trunk/Source/_javascript_Core/ChangeLog	2022-04-26 01:31:52 UTC (rev 293392)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-04-26 01:36:25 UTC (rev 293393)
@@ -1,3 +1,12 @@
+2022-04-25  Keith Miller  
+
+structureIDToStructureWithScratch should only do things if ADDRESS64
+https://bugs.webkit.org/show_bug.cgi?id=239749
+
+Reviewed by Saam Barati.
+
+* llint/LowLevelInterpreter64.asm:
+
 2022-04-22  Yusuke Suzuki  
 
 [JSC] Enable change-array-by-copy


Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (293392 => 293393)

--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2022-04-26 01:31:52 UTC (rev 293392)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2022-04-26 01:36:25 UTC (rev 293393)
@@ -741,10 +741,12 @@
 end
 
 macro structureIDToStructureWithScratch(structureIDThenStructure, scratch)
-andq constexpr structureIDMask, structureIDThenStructure
-leap JSCConfig + constexpr JSC::offsetOfJSCConfigStartOfStructureHeap, scratch
-loadp [scratch], scratch
-addp scratch, structureIDThenStructure
+if ADDRESS64
+andq constexpr structureIDMask, structureIDThenStructure
+leap JSCConfig + constexpr JSC::offsetOfJSCConfigStartOfStructureHeap, scratch
+loadp [scratch], scratch
+addp scratch, structureIDThenStructure
+end
 end
 
 macro loadStructureWithScratch(cell, structure, scratch)
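Review bot: On configurations without ADDRESS64 the macro now leaves `structureIDThenStructure` untouched, which is only correct if the StructureID already is the Structure pointer there; a one-line comment inside the `if ADDRESS64` block stating that invariant would help, since a reader coming from `loadStructureWithScratch` otherwise sees a macro that sometimes does nothing.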








[webkit-changes] [292609] trunk/Source

2022-04-08 Thread keith_miller
Title: [292609] trunk/Source








Revision 292609
Author keith_mil...@apple.com
Date 2022-04-08 09:41:05 -0700 (Fri, 08 Apr 2022)


Log Message
Broaden TypedArray API fix to all apps not just Bleacher Report
https://bugs.webkit.org/show_bug.cgi?id=238955

Reviewed by Saam Barati.

Source/_javascript_Core:

* API/JSTypedArray.cpp:
(isLinkedBeforeTypedArrayLengthQuirk):
(JSObjectGetArrayBufferByteLength):
(isBleecherReport): Deleted.

Source/WTF:

* wtf/cocoa/RuntimeApplicationChecksCocoa.h:

Modified Paths

trunk/Source/_javascript_Core/API/JSTypedArray.cpp
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h




Diff

Modified: trunk/Source/_javascript_Core/API/JSTypedArray.cpp (292608 => 292609)

--- trunk/Source/_javascript_Core/API/JSTypedArray.cpp	2022-04-08 15:16:59 UTC (rev 292608)
+++ trunk/Source/_javascript_Core/API/JSTypedArray.cpp	2022-04-08 16:41:05 UTC (rev 292609)
@@ -366,15 +366,12 @@
 }
 
 #if PLATFORM(IOS)
-inline static bool isBleecherReport()
+inline static bool isLinkedBeforeTypedArrayLengthQuirk()
 {
-auto bundleID = CFBundleGetIdentifier(CFBundleGetMainBundle());
-return bundleID
-&& CFEqual(bundleID, CFSTR("com.bleacherreport.TeamStream"))
-&& !linkedOnOrAfter(SDKVersion::FirstWithoutBleecherReportQuirk);
+return !linkedOnOrAfter(SDKVersion::FirstWithoutTypedArrayAPIQuirk);
 }
 #else
-inline static bool isBleecherReport() { return false; }
+inline static bool isLinkedBeforeTypedArrayLengthQuirk() { return false; }
 #endif
 
 size_t JSObjectGetArrayBufferByteLength(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*)
@@ -386,7 +383,7 @@
 if (!object) {
 // For some reason prior to https://bugs.webkit.org/show_bug.cgi?id=235720 Clang would emit code
 // to early return if objectRef is 0 but not after. Passing 0 should be invalid API use.
-static bool shouldntCrash = isBleecherReport();
+static bool shouldntCrash = isLinkedBeforeTypedArrayLengthQuirk();
 RELEASE_ASSERT(shouldntCrash);
 return 0;
 }
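Review bot: Broadening the quirk means every app linked before `FirstWithoutTypedArrayAPIQuirk` now gets a silent `return 0` for a null `objectRef` instead of hitting the RELEASE_ASSERT, while the comment above still says passing 0 is invalid API use. Apps on the new SDK crash on first misuse but older apps never learn about the bug; some once-per-process diagnostic in the quirk path would let developers find the null before they relink against the new SDK.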


Modified: trunk/Source/_javascript_Core/ChangeLog (292608 => 292609)

--- trunk/Source/_javascript_Core/ChangeLog	2022-04-08 15:16:59 UTC (rev 292608)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-04-08 16:41:05 UTC (rev 292609)
@@ -1,3 +1,15 @@
+2022-04-08  Keith Miller  
+
+Broaden TypedArray API fix to all apps not just Bleacher Report
+https://bugs.webkit.org/show_bug.cgi?id=238955
+
+Reviewed by Saam Barati.
+
+* API/JSTypedArray.cpp:
+(isLinkedBeforeTypedArrayLengthQuirk):
+(JSObjectGetArrayBufferByteLength):
+(isBleecherReport): Deleted.
+
 2022-04-07  Yusuke Suzuki  
 
 [JSC] Fire structure transition watchpoint in Structure::finishCreation instead of Structure constructor


Modified: trunk/Source/WTF/ChangeLog (292608 => 292609)

--- trunk/Source/WTF/ChangeLog	2022-04-08 15:16:59 UTC (rev 292608)
+++ trunk/Source/WTF/ChangeLog	2022-04-08 16:41:05 UTC (rev 292609)
@@ -1,3 +1,12 @@
+2022-04-08  Keith Miller  
+
+Broaden TypedArray API fix to all apps not just Bleacher Report
+https://bugs.webkit.org/show_bug.cgi?id=238955
+
+Reviewed by Saam Barati.
+
+* wtf/cocoa/RuntimeApplicationChecksCocoa.h:
+
 2022-04-07  Elliott Williams  
 
 [XCBuild] Enable dependency validation by default


Modified: trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h (292608 => 292609)

--- trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h	2022-04-08 15:16:59 UTC (rev 292608)
+++ trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h	2022-04-08 16:41:05 UTC (rev 292609)
@@ -86,7 +86,7 @@
 FirstWithoutExpandoIndexedPropertiesOnWindow = DYLD_IOS_VERSION_15_0,
 FirstThatDoesNotDrainTheMicrotaskQueueWhenCallingObjC = DYLD_IOS_VERSION_15_0,
 FirstWithAuthorizationHeaderOnSameOriginRedirects = DYLD_IOS_VERSION_15_4,
-FirstWithoutBleecherReportQuirk = DYLD_IOS_VERSION_16_0,
+FirstWithoutTypedArrayAPIQuirk = DYLD_IOS_VERSION_16_0,
 FirstForbiddingDotPrefixedFonts = DYLD_IOS_VERSION_16_0,
 #elif PLATFORM(MAC)
 FirstVersionThatSupportsInitConstructors = 0xA0A00, // OS X 10.10








[webkit-changes] [292269] trunk/Source/JavaScriptCore

2022-04-02 Thread keith_miller
Title: [292269] trunk/Source/_javascript_Core








Revision 292269
Author keith_mil...@apple.com
Date 2022-04-02 13:36:24 -0700 (Sat, 02 Apr 2022)


Log Message
AI should do int32 optimization in ValueRep
https://bugs.webkit.org/show_bug.cgi?id=238699

Reviewed by Saam Barati.

When constant folding an int52 into a ValueRep AI doesn't
do our normal int32 boxing optimization. I'm not sure if
it matters since I couldn't find a test but it probably
doesn't hurt.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (292268 => 292269)

--- trunk/Source/_javascript_Core/ChangeLog	2022-04-02 18:38:23 UTC (rev 292268)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-04-02 20:36:24 UTC (rev 292269)
@@ -1,3 +1,18 @@
+2022-04-02  Keith Miller  
+
+AI should do int32 optimization in ValueRep
+https://bugs.webkit.org/show_bug.cgi?id=238699
+
+Reviewed by Saam Barati.
+
+When constant folding an int52 into a ValueRep AI doesn't
+do our normal int32 boxing optimization. I'm not sure if
+it matters since I couldn't find a test but it probably
+doesn't hurt.
+
+* dfg/DFGAbstractInterpreterInlines.h:
+(JSC::DFG::AbstractInterpreter::executeEffects):
+
 2022-04-02  Adrian Perez de Castro  
 
 [GTK] Replace gtk-doc with gi-docgen


Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (292268 => 292269)

--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2022-04-02 18:38:23 UTC (rev 292268)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2022-04-02 20:36:24 UTC (rev 292269)
@@ -750,6 +750,10 @@
 case ValueRep: {
 JSValue value = forNode(node->child1()).value();
 if (value) {
+if (node->child1().useKind() == Int52RepUse) {
+if (auto int32 = value.tryGetAsInt32())
+value = jsNumber(*int32);
+}
 setConstant(node, value);
 break;
 }
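Review bot: No test accompanies the change and the log message says none could be found; a stress test that constant-folds an Int52-typed value through ValueRep (an int52 arithmetic result that fits in int32) would pin the new boxing behaviour and guard against the `Int52RepUse` condition silently stopping to match later.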








[webkit-changes] [291871] trunk/Source/JavaScriptCore

2022-03-25 Thread keith_miller
Title: [291871] trunk/Source/_javascript_Core








Revision 291871
Author keith_mil...@apple.com
Date 2022-03-25 11:52:54 -0700 (Fri, 25 Mar 2022)


Log Message
Remove unused JITOperation, operationTryOSREnterAtCatch.
https://bugs.webkit.org/show_bug.cgi?id=238379

Reviewed by Mark Lam.

* jit/JITOperations.cpp:
* jit/JITOperations.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JITOperations.cpp
trunk/Source/_javascript_Core/jit/JITOperations.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (291870 => 291871)

--- trunk/Source/_javascript_Core/ChangeLog	2022-03-25 18:46:34 UTC (rev 291870)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-25 18:52:54 UTC (rev 291871)
@@ -1,3 +1,13 @@
+2022-03-25  Keith Miller  
+
+Remove unused JITOperation, operationTryOSREnterAtCatch.
+https://bugs.webkit.org/show_bug.cgi?id=238379
+
+Reviewed by Mark Lam.
+
+* jit/JITOperations.cpp:
+* jit/JITOperations.h:
+
 2022-03-25  Chris Dumez  
 
 Start preparing WebCore for making the String(const char*) constructor explicit


Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (291870 => 291871)

--- trunk/Source/_javascript_Core/jit/JITOperations.cpp	2022-03-25 18:46:34 UTC (rev 291870)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp	2022-03-25 18:52:54 UTC (rev 291871)
@@ -2084,30 +2084,6 @@
 return encodeResult(nullptr, nullptr);
 }
 
-JSC_DEFINE_JIT_OPERATION(operationTryOSREnterAtCatch, char*, (VM* vmPointer, uint32_t bytecodeIndexBits))
-{
-VM& vm = *vmPointer;
-CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-BytecodeIndex bytecodeIndex = BytecodeIndex::fromBits(bytecodeIndexBits);
-
-CodeBlock* codeBlock = callFrame->codeBlock();
-CodeBlock* optimizedReplacement = codeBlock->replacement();
-if (UNLIKELY(!optimizedReplacement))
-return nullptr;
-
-switch (optimizedReplacement->jitType()) {
-case JITType::DFGJIT:
-case JITType::FTLJIT: {
-MacroAssemblerCodePtr entry = DFG::prepareCatchOSREntry(vm, callFrame, codeBlock, optimizedReplacement, bytecodeIndex);
-return entry.executableAddress();
-}
-default:
-break;
-}
-return nullptr;
-}
-
 JSC_DEFINE_JIT_OPERATION(operationTryOSREnterAtCatchAndValueProfile, char*, (VM* vmPointer, uint32_t bytecodeIndexBits))
 {
 VM& vm = *vmPointer;


Modified: trunk/Source/_javascript_Core/jit/JITOperations.h (291870 => 291871)

--- trunk/Source/_javascript_Core/jit/JITOperations.h	2022-03-25 18:46:34 UTC (rev 291870)
+++ trunk/Source/_javascript_Core/jit/JITOperations.h	2022-03-25 18:52:54 UTC (rev 291871)
@@ -260,7 +260,6 @@
 JSC_DECLARE_JIT_OPERATION(operationDebug, void, (VM*, int32_t));
 #if ENABLE(DFG_JIT)
 JSC_DECLARE_JIT_OPERATION(operationOptimize, SlowPathReturnType, (VM*, uint32_t));
-JSC_DECLARE_JIT_OPERATION(operationTryOSREnterAtCatch, char*, (VM*, uint32_t));
 JSC_DECLARE_JIT_OPERATION(operationTryOSREnterAtCatchAndValueProfile, char*, (VM*, uint32_t));
 #endif
 JSC_DECLARE_JIT_OPERATION(operationPutGetterById, void, (JSGlobalObject*, JSCell*, UniquedStringImpl*, int32_t options, JSCell*));








[webkit-changes] [291456] trunk/Source/WTF

2022-03-17 Thread keith_miller
Title: [291456] trunk/Source/WTF








Revision 291456
Author keith_mil...@apple.com
Date 2022-03-17 17:48:31 -0700 (Thu, 17 Mar 2022)


Log Message
tryReserveUncommittedAligned should round up to alignment not bytes requested
https://bugs.webkit.org/show_bug.cgi?id=238052

Reviewed by Yusuke Suzuki.

* wtf/posix/OSAllocatorPOSIX.cpp:
(WTF::OSAllocator::tryReserveUncommittedAligned):

Modified Paths

trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp




Diff

Modified: trunk/Source/WTF/ChangeLog (291455 => 291456)

--- trunk/Source/WTF/ChangeLog	2022-03-18 00:46:15 UTC (rev 291455)
+++ trunk/Source/WTF/ChangeLog	2022-03-18 00:48:31 UTC (rev 291456)
@@ -1,5 +1,15 @@
 2022-03-17  Keith Miller  
 
+tryReserveUncommittedAligned should round up to alignment not bytes requested
+https://bugs.webkit.org/show_bug.cgi?id=238052
+
+Reviewed by Yusuke Suzuki.
+
+* wtf/posix/OSAllocatorPOSIX.cpp:
+(WTF::OSAllocator::tryReserveUncommittedAligned):
+
+2022-03-17  Keith Miller  
+
 Fix crash in Bleacher Report due to bad JSObjectRef passed to API
 https://bugs.webkit.org/show_bug.cgi?id=238048
 


Modified: trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp (291455 => 291456)

--- trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp	2022-03-18 00:46:15 UTC (rev 291455)
+++ trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp	2022-03-18 00:48:31 UTC (rev 291456)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -200,7 +200,7 @@
 char* mapped = reinterpret_cast(tryReserveUncommitted(mappedSize, usage, writable, executable, jitCageEnabled, includesGuardPages));
 char* mappedEnd = mapped + mappedSize;
 
-char* aligned = reinterpret_cast(roundUpToMultipleOf(bytes, reinterpret_cast(mapped)));
+char* aligned = reinterpret_cast(roundUpToMultipleOf(alignment, reinterpret_cast(mapped)));
 char* alignedEnd = aligned + bytes;
 
 RELEASE_ASSERT(alignedEnd <= mappedEnd);
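Review bot: the corrected `roundUpToMultipleOf(alignment, ...)` call fixes a real mismatch, but nothing in the hunk checks the postcondition; add `ASSERT(!(reinterpret_cast<uintptr_t>(aligned) & (alignment - 1)))` right after it, because the structure heap's base is later required to satisfy `base & ~structureIDMask == base` (the RELEASE_ASSERT in r289717 on this page) and an under-aligned base would make StructureID decoding alias between Structures. Rounding to `bytes` was wrong in both directions: with `bytes < alignment` the result could be under-aligned, and with `bytes > alignment` the aligned start could overshoot the over-mapping so that `RELEASE_ASSERT(alignedEnd <= mappedEnd)` fires instead of returning a usable block. A stress test that reserves with `bytes != alignment` and checks the returned address would catch a regression.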






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [291448] trunk/Source

2022-03-17 Thread keith_miller
Title: [291448] trunk/Source
Revision 291448
Author keith_mil...@apple.com
Date 2022-03-17 16:34:16 -0700 (Thu, 17 Mar 2022)


Log Message
Fix crash in Bleacher Report due to bad JSObjectRef passed to API
https://bugs.webkit.org/show_bug.cgi?id=238048


Reviewed by Yusuke Suzuki.

Source/_javascript_Core:

Prior to the StructureID overhaul the JSObjectGetArrayBufferByteLength would
automatically check if the JSObjectRef passed to that function was null before
short circuiting to the non-typed array return value, 0. While technically valid
since dereferencing null is UB, this meant that Clang was covering up this crash.
To fix this I'm adding an app specific workaround for the time being so Bleacher
Report can fix their code to no longer pass this nullptr.

* API/JSTypedArray.cpp:
(isBleecherReport):
(JSObjectGetArrayBufferByteLength):

Source/WTF:

* wtf/cocoa/RuntimeApplicationChecksCocoa.h:

Modified Paths

trunk/Source/_javascript_Core/API/JSTypedArray.cpp
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h




Diff

Modified: trunk/Source/_javascript_Core/API/JSTypedArray.cpp (291447 => 291448)

--- trunk/Source/_javascript_Core/API/JSTypedArray.cpp	2022-03-17 22:55:21 UTC (rev 291447)
+++ trunk/Source/_javascript_Core/API/JSTypedArray.cpp	2022-03-17 23:34:16 UTC (rev 291448)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2015 Dominic Szablewski (domi...@phoboslab.org)
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -36,6 +36,10 @@
 #include "TypedArrayController.h"
 #include 
 
+#if PLATFORM(IOS)
+#include 
+#endif
+
 using namespace JSC;
 
 // Helper functions.
@@ -361,6 +365,18 @@
 return nullptr;
 }
 
+#if PLATFORM(IOS)
+inline static bool isBleecherReport()
+{
+auto bundleID = CFBundleGetIdentifier(CFBundleGetMainBundle());
+return bundleID
+&& CFEqual(bundleID, CFSTR("com.bleacherreport.TeamStream"))
+&& !linkedOnOrAfter(SDKVersion::FirstWithoutBleecherReportQuirk);
+}
+#else
+inline static bool isBleecherReport() { return false; }
+#endif
+
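Review bot: `isBleecherReport` and `SDKVersion::FirstWithoutBleecherReportQuirk` misspell the app name that the commit title, the bundle ID `com.bleacherreport.TeamStream` and the ChangeLog spell `Bleacher`; fix it before the quirk name is cemented in the WTF header. The `!linkedOnOrAfter(...)` gate is the right shape, since the workaround expires as soon as the app rebuilds against a newer SDK and cannot become a permanent licence to pass null. Note that the non-iOS stub returns false unconditionally, so a macOS build with the same bundle ID would hit the RELEASE_ASSERT below; confirm that is intended.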
 size_t JSObjectGetArrayBufferByteLength(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*)
 {
 JSGlobalObject* globalObject = toJS(ctx);
@@ -367,6 +383,14 @@
 VM& vm = globalObject->vm();
 JSObject* object = toJS(objectRef);
 
+if (!object) {
+// For some reason prior to https://bugs.webkit.org/show_bug.cgi?id=235720 Clang would emit code
+// to early return if objectRef is 0 but not after. Passing 0 should be invalid API use.
+static bool shouldntCrash = isBleecherReport();
+RELEASE_ASSERT(shouldntCrash);
+return 0;
+}
+
 if (JSArrayBuffer* jsBuffer = jsDynamicCast(vm, object))
 return jsBuffer->impl()->byteLength();
 
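Review bot: making the non-quirk path a `RELEASE_ASSERT` rather than a silent `return 0` is the safer choice: the old behaviour depended on codegen, not on any documented contract, and a caller passing a null JSObjectRef is a bug that should fail loudly. Two follow-ups: the comment blames Clang, but the real gap is that the API header never states that `objectRef` must be non-null, so document it there (and for the other `JSObjectGet*` entry points that take a JSObjectRef); and `static bool shouldntCrash` evaluates `isBleecherReport()` once per process, which is fine, but a name such as `allowNullObjectRef` would make the assert read as a policy instead of a double negative.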


Modified: trunk/Source/_javascript_Core/ChangeLog (291447 => 291448)

--- trunk/Source/_javascript_Core/ChangeLog	2022-03-17 22:55:21 UTC (rev 291447)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-17 23:34:16 UTC (rev 291448)
@@ -1,3 +1,22 @@
+2022-03-17  Keith Miller  
+
+Fix crash in Bleacher Report due to bad JSObjectRef passed to API
+https://bugs.webkit.org/show_bug.cgi?id=238048
+
+
+Reviewed by Yusuke Suzuki.
+
+Prior to the StructureID overhaul the JSObjectGetArrayBufferByteLength would
+automatically check if the JSObjectRef passed to that function was null before
+short circuiting to the non-typed array return value, 0. While technically valid
+since derefencing null is UB, this meant the Clang was covering up this crash.
+To fix this I'm adding an app specific workaround for the time being so Bleacher
+Report can fix their code to no longer pass this nullptr.
+
+* API/JSTypedArray.cpp:
+(isBleecherReport):
+(JSObjectGetArrayBufferByteLength):
+
 2022-03-17  Mikhail R. Gadelha  
 
 Unreviewed, non-unified build fix


Modified: trunk/Source/WTF/ChangeLog (291447 => 291448)

--- trunk/Source/WTF/ChangeLog	2022-03-17 22:55:21 UTC (rev 291447)
+++ trunk/Source/WTF/ChangeLog	2022-03-17 23:34:16 UTC (rev 291448)
@@ -1,3 +1,13 @@
+2022-03-17  Keith Miller  
+
+Fix crash in Bleacher Report due to bad JSObjectRef passed to API
+https://bugs.webkit.org/show_bug.cgi?id=238048
+
+
+Reviewed by Yusuke Suzuki.
+
+* wtf/cocoa/RuntimeApplicationChecksCocoa.h:
+
 2022-03-16  Myles C. Maxfield  
 
 [WebGPU] Implement first draft of buffer mapping according to the spec


Modified: trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h (291447 => 291448)

--- trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h	2022-03-17 22:55:21 UTC (rev 291447)
+++ trunk/Source/WTF/wtf/cocoa/RuntimeApplica

[webkit-changes] [289718] trunk/Source/JavaScriptCore

2022-02-13 Thread keith_miller
Title: [289718] trunk/Source/_javascript_Core
Revision 289718
Author keith_mil...@apple.com
Date 2022-02-13 12:26:12 -0800 (Sun, 13 Feb 2022)


Log Message
Add comment on how StructureMemoryManager grows the free list when there are no free blocks.
https://bugs.webkit.org/show_bug.cgi?id=236568

Reviewed by Saam Barati.

Also, use uint8_t* rather than rely on the fact that `sizeof(MarkedBlock) == 1`.

* heap/StructureAlignedMemoryAllocator.cpp:
(JSC::StructureMemoryManager::tryMallocStructureBlock):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (289717 => 289718)

--- trunk/Source/_javascript_Core/ChangeLog	2022-02-13 20:22:24 UTC (rev 289717)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-13 20:26:12 UTC (rev 289718)
@@ -1,5 +1,17 @@
 2022-02-13  Keith Miller  
 
+Add comment on how StructureMemoryManager grows the free list when there are no free blocks.
+https://bugs.webkit.org/show_bug.cgi?id=236568
+
+Reviewed by Saam Barati.
+
+Also, use uint8_t* rather than rely on the fact that `sizeof(MarkedBlock) == 1`.
+
+* heap/StructureAlignedMemoryAllocator.cpp:
+(JSC::StructureMemoryManager::tryMallocStructureBlock):
+
+2022-02-13  Keith Miller  
+
 Make StructureMemoryManager alignment assert a RELEASE_ASSERT
 https://bugs.webkit.org/show_bug.cgi?id=236567
 


Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (289717 => 289718)

--- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp	2022-02-13 20:22:24 UTC (rev 289717)
+++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp	2022-02-13 20:26:12 UTC (rev 289718)
@@ -96,10 +96,11 @@
 RELEASE_ASSERT(m_mappedHeapSize <= structureHeapAddressSize);
 if (freeIndex * MarkedBlock::blockSize >= m_mappedHeapSize)
 return nullptr;
+// If we can't find a free block then `freeIndex == m_usedBlocks.bitCount()` and this set will grow the bit vector.
 m_usedBlocks.set(freeIndex);
 }
 
-MarkedBlock* block = reinterpret_cast(g_jscConfig.startOfStructureHeap) + freeIndex * MarkedBlock::blockSize;
+auto* block = reinterpret_cast(g_jscConfig.startOfStructureHeap) + freeIndex * MarkedBlock::blockSize;
 commitBlock(block);
 return block;
 }
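Review bot: the new comment states an invariant (`freeIndex == m_usedBlocks.bitCount()` when no free bit is found) that the code relies on for `set()` to grow the bit vector rather than write out of range; make it checkable with `ASSERT(freeIndex <= m_usedBlocks.bitCount())` before `m_usedBlocks.set(freeIndex)`. The bounds check `freeIndex * MarkedBlock::blockSize >= m_mappedHeapSize` just above is what keeps both the bit vector and the committed block inside the reserved structure heap, so it must stay ahead of the `set()`. The `auto*` change is behaviour-neutral only if the cast target is a byte-sized type, which the ChangeLog says it is (`uint8_t*`).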








[webkit-changes] [289717] trunk/Source/JavaScriptCore

2022-02-13 Thread keith_miller
Title: [289717] trunk/Source/_javascript_Core
Revision 289717
Author keith_mil...@apple.com
Date 2022-02-13 12:22:24 -0800 (Sun, 13 Feb 2022)


Log Message
Make StructureMemoryManager alignment assert a RELEASE_ASSERT
https://bugs.webkit.org/show_bug.cgi?id=236567

Reviewed by Saam Barati.

Also, check the structure base pointer is non-zero.

* heap/StructureAlignedMemoryAllocator.cpp:
(JSC::StructureMemoryManager::StructureMemoryManager):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (289716 => 289717)

--- trunk/Source/_javascript_Core/ChangeLog	2022-02-13 18:06:27 UTC (rev 289716)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-13 20:22:24 UTC (rev 289717)
@@ -1,3 +1,15 @@
+2022-02-13  Keith Miller  
+
+Make StructureMemoryManager alignment assert a RELEASE_ASSERT
+https://bugs.webkit.org/show_bug.cgi?id=236567
+
+Reviewed by Saam Barati.
+
+Also, check the structure base pointer is non-zero.
+
+* heap/StructureAlignedMemoryAllocator.cpp:
+(JSC::StructureMemoryManager::StructureMemoryManager):
+
 2022-02-12  Adrian Perez de Castro  
 
 [CMake] REGRESSION(r289611): Debug builds fail linking binaries with ld.lld


Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (289716 => 289717)

--- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp	2022-02-13 18:06:27 UTC (rev 289716)
+++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp	2022-02-13 20:22:24 UTC (rev 289717)
@@ -82,7 +82,7 @@
 m_mappedHeapSize /= 2;
 }
 
-ASSERT((g_jscConfig.startOfStructureHeap & ~structureIDMask) == g_jscConfig.startOfStructureHeap);
+RELEASE_ASSERT(g_jscConfig.startOfStructureHeap && ((g_jscConfig.startOfStructureHeap & ~structureIDMask) == g_jscConfig.startOfStructureHeap));
 }
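Review bot: promoting this to `RELEASE_ASSERT` and adding the non-null check closes two failure modes in release builds: if every halving attempt in the loop above fails, `g_jscConfig.startOfStructureHeap` stays null and every decoded Structure pointer would be computed from a null base, and if the base is misaligned, `base & ~structureIDMask` would silently drop bits. A one-line comment saying why this must hold (StructureIDs are the low bits of the Structure pointer, so the base must have zeros there) would help the next reader, and asserting `m_mappedHeapSize >= MarkedBlock::blockSize` would guard against the halving loop leaving a region too small for a single block.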
 
 void* tryMallocStructureBlock()








[webkit-changes] [289592] trunk/Source

2022-02-10 Thread keith_miller
Title: [289592] trunk/Source
Revision 289592
Author keith_mil...@apple.com
Date 2022-02-10 16:20:21 -0800 (Thu, 10 Feb 2022)


Log Message
tryReserveUncommittedAligned should explicitly take the alignment requested
https://bugs.webkit.org/show_bug.cgi?id=236460

Reviewed by Yusuke Suzuki.

Source/_javascript_Core:

When reducing the size of VA space reserved for Structures, we
didn't take care to ensure the alignment matched the required
alignment for our bit mask. To fix this we need to pass the
original alignment to the allocator as a new parameter.

* heap/StructureAlignedMemoryAllocator.cpp:
(JSC::StructureMemoryManager::StructureMemoryManager):

Source/WTF:

This patch adds a new ifdef for Unix flavors that support the
MAP_ALIGNED macro/parameter to mmap.

Also, fix a bug where on Windows we wouldn't request enough
space to guarantee that allocation is aligned.

* wtf/OSAllocator.h:
* wtf/posix/OSAllocatorPOSIX.cpp:
(WTF::OSAllocator::tryReserveUncommittedAligned):
* wtf/win/OSAllocatorWin.cpp:
(WTF::OSAllocator::tryReserveUncommittedAligned):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/OSAllocator.h
trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp
trunk/Source/WTF/wtf/win/OSAllocatorWin.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (289591 => 289592)

--- trunk/Source/_javascript_Core/ChangeLog	2022-02-10 23:57:17 UTC (rev 289591)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-11 00:20:21 UTC (rev 289592)
@@ -1,3 +1,18 @@
+2022-02-10  Keith Miller  
+
+tryReserveUncommittedAligned should explicitly take the alignment requested
+https://bugs.webkit.org/show_bug.cgi?id=236460
+
+Reviewed by Yusuke Suzuki.
+
+When reducing the size of VA space reserved for Structures, we
+didn't take care to ensure the alignment matched the required
+alignment for our bit mask. To fix this we need to pass the
+original alignment to the allocator as a new parameter.
+
+* heap/StructureAlignedMemoryAllocator.cpp:
+(JSC::StructureMemoryManager::StructureMemoryManager):
+
 2022-01-24  Filip Pizlo  
 
 [libpas] jit_heap should support the segregated heap


Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (289591 => 289592)

--- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp	2022-02-10 23:57:17 UTC (rev 289591)
+++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp	2022-02-11 00:20:21 UTC (rev 289592)
@@ -76,7 +76,7 @@
 
 m_mappedHeapSize = structureHeapAddressSize;
 for (unsigned i = 0; i < 8; ++i) {
-g_jscConfig.startOfStructureHeap = reinterpret_cast(OSAllocator::tryReserveUncommittedAligned(m_mappedHeapSize, OSAllocator::FastMallocPages));
+g_jscConfig.startOfStructureHeap = reinterpret_cast(OSAllocator::tryReserveUncommittedAligned(m_mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages));
 if (g_jscConfig.startOfStructureHeap)
 break;
 m_mappedHeapSize /= 2;
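Review bot: passing `structureHeapAddressSize` as the alignment while `m_mappedHeapSize` halves on each retry is what keeps the StructureID mask valid for a smaller heap, but the call site never checks that the returned address honours it; the loop breaks on any non-null result, so an allocator that ignored the new parameter would still "succeed". Add an alignment assertion after the loop (r289717 on this page later adds a RELEASE_ASSERT for exactly this) and handle the case where all eight attempts fail, since `g_jscConfig.startOfStructureHeap` is then null and the constructor continues.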


Modified: trunk/Source/WTF/ChangeLog (289591 => 289592)

--- trunk/Source/WTF/ChangeLog	2022-02-10 23:57:17 UTC (rev 289591)
+++ trunk/Source/WTF/ChangeLog	2022-02-11 00:20:21 UTC (rev 289592)
@@ -1,3 +1,23 @@
+2022-02-10  Keith Miller  
+
+tryReserveUncommittedAligned should explicitly take the alignment requested
+https://bugs.webkit.org/show_bug.cgi?id=236460
+
+Reviewed by Yusuke Suzuki.
+
+This patch adds a new ifdef for Unix flavors that support the
+MAP_ALIGNED macro/parameter to mmap.
+
+Also, fix a bug where on windows we wouldn't request enough
+space to guarantee that allocation is aligned.
+
+
+* wtf/OSAllocator.h:
+* wtf/posix/OSAllocatorPOSIX.cpp:
+(WTF::OSAllocator::tryReserveUncommittedAligned):
+* wtf/win/OSAllocatorWin.cpp:
+(WTF::OSAllocator::tryReserveUncommittedAligned):
+
 2022-02-10  Elliott Williams  
 
 Copy SignedPtr.h in WTF.xcodeproj


Modified: trunk/Source/WTF/wtf/OSAllocator.h (289591 => 289592)

--- trunk/Source/WTF/wtf/OSAllocator.h	2022-02-10 23:57:17 UTC (rev 289591)
+++ trunk/Source/WTF/wtf/OSAllocator.h	2022-02-11 00:20:21 UTC (rev 289592)
@@ -39,15 +39,18 @@
 JSJITCodePages = VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY,
 };
 
-// These methods are symmetric; reserveUncommitted(Aligned) allocates VM in an uncommitted state,
+// The requested alignment must be a power of two and greater than the system page size.
+// The memory returned by this cannot be released as on Windows there's no guaranteed API to
+// get an aligned address and the size + alignment then rounding trick cannot release the unused parts
+// due to how the Windows syscalls work.
+WTF_EXPORT_PRIVATE static void* tryReserv
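Review bot: the doc comment says the alignment must be "greater than the system page size", while the POSIX implementation's own precondition is `bytes >= pageSize()`; state whether alignment equal to the page size is allowed, and assert the power-of-two requirement at the entry of each implementation rather than only documenting it. The statement that the memory "cannot be released" deserves to be encoded in the API as well: either document that there is no matching release call and the reservation is process-lifetime, or name the function accordingly, since a caller that pairs it with `releaseDecommitted` on Windows would be releasing a region the allocator did not account for.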

[webkit-changes] [286849] trunk/Source/WTF

2021-12-10 Thread keith_miller
Title: [286849] trunk/Source/WTF
Revision 286849
Author keith_mil...@apple.com
Date 2021-12-10 06:28:35 -0800 (Fri, 10 Dec 2021)


Log Message
Reduce maximum mmap size for Structure regions to help placate ios
https://bugs.webkit.org/show_bug.cgi?id=234091

Reviewed by Saam Barati.

Use mach_vm_map since that supports memory alignment so we don't have to map 2x desired address space then free then trim.

* wtf/PlatformHave.h:
* wtf/posix/OSAllocatorPOSIX.cpp:
(WTF::OSAllocator::reserveUncommittedAligned):

Modified Paths

trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp




Diff

Modified: trunk/Source/WTF/ChangeLog (286848 => 286849)

--- trunk/Source/WTF/ChangeLog	2021-12-10 14:27:04 UTC (rev 286848)
+++ trunk/Source/WTF/ChangeLog	2021-12-10 14:28:35 UTC (rev 286849)
@@ -1,3 +1,16 @@
+2021-12-10  Keith Miller  
+
+Reduce maximum mmap size for Structure regions to help placate ios
+https://bugs.webkit.org/show_bug.cgi?id=234091
+
+Reviewed by Saam Barati.
+
+Use mach_vm_map since that supports memory alignement so we don't have to map 2x desired address space then free then trim.
+
+* wtf/PlatformHave.h:
+* wtf/posix/OSAllocatorPOSIX.cpp:
+(WTF::OSAllocator::reserveUncommittedAligned):
+
 2021-12-10  Antti Koivisto  
 
 [CSS Container Queries] Basic @container at-rule parsing support


Modified: trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp (286848 => 286849)

--- trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp	2021-12-10 14:27:04 UTC (rev 286848)
+++ trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp	2021-12-10 14:28:35 UTC (rev 286849)
@@ -44,6 +44,10 @@
 #endif // OS(DARWIN)
 #endif // ENABLE(JIT_CAGE)
 
+#if OS(DARWIN)
+#include 
+#endif
+
 namespace WTF {
 
 void* OSAllocator::reserveUncommitted(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages)
@@ -73,11 +77,36 @@
 return result;
 }
 
-
-// FIXME: Make a smarter version of this for Linux flavors that have aligned mmap.
 void* OSAllocator::reserveUncommittedAligned(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages)
 {
 ASSERT(hasOneBitSet(bytes) && bytes >= pageSize());
+
+#if PLATFORM(MAC) || USE(APPLE_INTERNAL_SDK)
+UNUSED_PARAM(usage); // Not supported for mach API.
+ASSERT_UNUSED(includesGuardPages, !includesGuardPages);
+ASSERT_UNUSED(jitCageEnabled, !jitCageEnabled); // Not supported for mach API.
+vm_prot_t protections = VM_PROT_READ;
+if (writable)
+protections |= VM_PROT_WRITE;
+if (executable)
+protections |= VM_PROT_EXECUTE;
+
+const vm_inherit_t childProcessInheritance = VM_INHERIT_DEFAULT;
+const bool copy = false;
+const int flags = VM_FLAGS_ANYWHERE;
+
+void* aligned = nullptr;
+kern_return_t result = mach_vm_map(mach_task_self(), reinterpret_cast(&aligned), bytes, bytes - 1, flags, MEMORY_OBJECT_NULL, 0, copy, protections, protections, childProcessInheritance);
+RELEASE_ASSERT(result == KERN_SUCCESS, result, bytes);
+#if HAVE(MADV_FREE_REUSE)
+if (aligned) {
+// To support the "reserve then commit" model, we have to initially decommit.
+while (madvise(aligned, bytes, MADV_FREE_REUSABLE) == -1 && errno == EAGAIN) { }
+}
+#endif
+
+return aligned;
+#else
 // Double the size so we can ensure enough mapped memory to get an aligned start.
 size_t mappedSize = bytes * 2;
 char* mapped = reinterpret_cast(reserveUncommitted(mappedSize, usage, writable, executable, jitCageEnabled, includesGuardPages));
@@ -95,6 +124,7 @@
 releaseDecommitted(alignedEnd, rightExtra);
 
 return aligned;
+#endif
 }
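Review bot: the Mach path drops the `usage` tag with the comment "Not supported for mach API", but the flags word of `mach_vm_map` accepts `VM_MAKE_TAG(tag)` or'd with `VM_FLAGS_ANYWHERE`, so the memory attribution that `Usage` exists for can be preserved instead of lost for the structure heap. Two further points: `bytes - 1` is only an alignment mask because `ASSERT(hasOneBitSet(bytes) ...)` holds, and that is a debug-only check, so either make it a RELEASE_ASSERT or derive the mask with a comment; and once `RELEASE_ASSERT(result == KERN_SUCCESS, ...)` has passed, the `if (aligned)` guard around the `MADV_FREE_REUSABLE` loop is dead code, which hides that a null address after a successful map would be a kernel bug rather than an expected outcome.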
 
 void* OSAllocator::reserveAndCommit(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages)








[webkit-changes] [286804] trunk/Source/WTF

2021-12-09 Thread keith_miller
Title: [286804] trunk/Source/WTF
Revision 286804
Author keith_mil...@apple.com
Date 2021-12-09 14:56:06 -0800 (Thu, 09 Dec 2021)


Log Message
Reduce maximum mmap size for Structure regions to help placate ios
https://bugs.webkit.org/show_bug.cgi?id=234091

Reviewed by Saam Barati.

Use mach_vm_map since that supports memory alignment so we don't have to map 2x desired address space then free then trim.

* wtf/PlatformHave.h:
* wtf/posix/OSAllocatorPOSIX.cpp:
(WTF::OSAllocator::reserveUncommittedAligned):

Modified Paths

trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp




Diff

Modified: trunk/Source/WTF/ChangeLog (286803 => 286804)

--- trunk/Source/WTF/ChangeLog	2021-12-09 22:47:24 UTC (rev 286803)
+++ trunk/Source/WTF/ChangeLog	2021-12-09 22:56:06 UTC (rev 286804)
@@ -1,3 +1,16 @@
+2021-12-09  Keith Miller  
+
+Reduce maximum mmap size for Structure regions to help placate ios
+https://bugs.webkit.org/show_bug.cgi?id=234091
+
+Reviewed by Saam Barati.
+
+Use mach_vm_map since that supports memory alignement so we don't have to map 2x desired address space then free then trim.
+
+* wtf/PlatformHave.h:
+* wtf/posix/OSAllocatorPOSIX.cpp:
+(WTF::OSAllocator::reserveUncommittedAligned):
+
 2021-12-09  Antti Koivisto  
 
 Enable :focus-visible pseudo-class by default


Modified: trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp (286803 => 286804)

--- trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp	2021-12-09 22:47:24 UTC (rev 286803)
+++ trunk/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp	2021-12-09 22:56:06 UTC (rev 286804)
@@ -38,6 +38,7 @@
 #if OS(DARWIN)
 #define MAP_EXECUTABLE_FOR_JIT MAP_JIT
 #define MAP_EXECUTABLE_FOR_JIT_WITH_JIT_CAGE MAP_JIT
+#include 
 #else // OS(DARWIN)
 #define MAP_EXECUTABLE_FOR_JIT 0
 #define MAP_EXECUTABLE_FOR_JIT_WITH_JIT_CAGE 0
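Review bot: the Mach VM `#include` is placed inside the `#if OS(DARWIN)` block that itself sits under `#if ENABLE(JIT_CAGE)` (the `#endif // ENABLE(JIT_CAGE)` directly follows the `#endif // OS(DARWIN)` in the r286849 diff above), so Darwin builds without the JIT cage would not see the header while the `mach_vm_map` call below is still compiled on `PLATFORM(MAC) || USE(APPLE_INTERNAL_SDK)`; the relanding in r286849 moves it into its own `#if OS(DARWIN)` block, which is the right fix.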
@@ -73,11 +74,37 @@
 return result;
 }
 
-
-// FIXME: Make a smarter version of this for Linux flavors that have aligned mmap.
 void* OSAllocator::reserveUncommittedAligned(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages)
 {
 ASSERT(hasOneBitSet(bytes) && bytes >= pageSize());
+
+#if PLATFORM(MAC) || USE(APPLE_INTERNAL_SDK)
+UNUSED_PARAM(usage); // Not supported for mach API.
+ASSERT_UNUSED(includesGuardPages, !includesGuardPages);
+ASSERT_UNUSED(jitCageEnabled, !jitCageEnabled); // Not supported for mach API.
+vm_prot_t protections = VM_PROT_READ;
+if (writable)
+protections |= VM_PROT_WRITE;
+if (executable)
+protections |= VM_PROT_EXECUTE;
+
+const vm_inherit_t childProcessInheritance = VM_INHERIT_DEFAULT;
+
+void* aligned = nullptr;
+const bool copy = false;
+const int flags = VM_FLAGS_ANYWHERE;
+
+kern_return_t result = mach_vm_map(mach_task_self(), reinterpret_cast(&aligned), bytes, bytes - 1, flags, MEMORY_OBJECT_NULL, 0, copy, protections, protections, childProcessInheritance);
+RELEASE_ASSERT(result == KERN_SUCCESS, result, bytes);
+#if HAVE(MADV_FREE_REUSE)
+if (aligned) {
+// To support the "reserve then commit" model, we have to initially decommit.
+while (madvise(aligned, bytes, MADV_FREE_REUSABLE) == -1 && errno == EAGAIN) { }
+}
+#endif
+
+return aligned;
+#else
 // Double the size so we can ensure enough mapped memory to get an aligned start.
 size_t mappedSize = bytes * 2;
 char* mapped = reinterpret_cast(reserveUncommitted(mappedSize, usage, writable, executable, jitCageEnabled, includesGuardPages));
@@ -95,6 +122,7 @@
 releaseDecommitted(alignedEnd, rightExtra);
 
 return aligned;
+#endif
 }
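Review bot: `RELEASE_ASSERT(result == KERN_SUCCESS, result, bytes)` turns a reservation failure into a process abort, which sits oddly with a change whose stated goal is coping with iOS refusing large mappings; for the structure heap a failed reservation is recoverable (halve and retry), so a `try` variant that returns nullptr on failure and lets the caller shrink the request would be the more robust shape. The `#if PLATFORM(MAC) || USE(APPLE_INTERNAL_SDK)` gate also means public iOS SDK builds keep the double-map-and-trim fallback, so both paths need the same alignment guarantee tested.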
 
 void* OSAllocator::reserveAndCommit(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages)








[webkit-changes] [286580] trunk/Source/JavaScriptCore

2021-12-06 Thread keith_miller
Title: [286580] trunk/Source/_javascript_Core
Revision 286580
Author keith_mil...@apple.com
Date 2021-12-06 17:13:33 -0800 (Mon, 06 Dec 2021)


Log Message
TypeInfo should be materializable from Structures as a single load.
https://bugs.webkit.org/show_bug.cgi?id=233875

Reviewed by Mark Lam.

This is mostly just the members of Structure and JSCell so that
JSType and InlineTypeFlags are at the end of the JSCell header.

* assembler/testmasm.cpp:
(JSC::testBranchIfType):
(JSC::testBranchIfNotType):
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
* runtime/Structure.h:
(JSC::Structure::typeInfo const):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/assembler/testmasm.cpp
trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp
trunk/Source/_javascript_Core/runtime/JSCell.h
trunk/Source/_javascript_Core/runtime/JSCellInlines.h
trunk/Source/_javascript_Core/runtime/Structure.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (286579 => 286580)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-07 00:38:11 UTC (rev 286579)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-07 01:13:33 UTC (rev 286580)
@@ -1,3 +1,24 @@
+2021-12-06  Keith Miller  
+
+TypeInfo should be materializable from Structures as a single load.
+https://bugs.webkit.org/show_bug.cgi?id=233875
+
+Reviewed by Mark Lam.
+
+This is mostly just the members of Structure and JSCell so that
+JSType and InlineTypeFlags are at the end of the JSCell header.
+
+* assembler/testmasm.cpp:
+(JSC::testBranchIfType):
+(JSC::testBranchIfNotType):
+* ftl/FTLAbstractHeapRepository.cpp:
+(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
+* runtime/JSCell.h:
+* runtime/JSCellInlines.h:
+(JSC::JSCell::JSCell):
+* runtime/Structure.h:
+(JSC::Structure::typeInfo const):
+
 2021-12-06  Mark Lam  
 
 Remove unneeded virtual allocator methods from Subspace.


Modified: trunk/Source/_javascript_Core/assembler/testmasm.cpp (286579 => 286580)

--- trunk/Source/_javascript_Core/assembler/testmasm.cpp	2021-12-07 00:38:11 UTC (rev 286579)
+++ trunk/Source/_javascript_Core/assembler/testmasm.cpp	2021-12-07 01:13:33 UTC (rev 286580)
@@ -5613,6 +5613,7 @@
 struct CellLike {
 uint32_t structureID;
 uint8_t indexingType;
+uint8_t cellState;
 JSType type;
 };
 CHECK_EQ(JSCell::typeInfoTypeOffset(), OBJECT_OFFSETOF(CellLike, type));
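Review bot: the mirror struct `CellLike` is now duplicated in this test and in `testBranchIfNotType` below, and only the `type` offset is checked against `JSCell::typeInfoTypeOffset()`; since this hunk exists to track a layout change, also CHECK_EQ the `cellState` and `indexingType` offsets against their JSCell accessors, and hoist the struct to one definition so the two tests cannot drift apart.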
@@ -5647,6 +5648,7 @@
 struct CellLike {
 uint32_t structureID;
 uint8_t indexingType;
+uint8_t cellState;
 JSType type;
 };
 CHECK_EQ(JSCell::typeInfoTypeOffset(), OBJECT_OFFSETOF(CellLike, type));


Modified: trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp (286579 => 286580)

--- trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp	2021-12-07 00:38:11 UTC (rev 286579)
+++ trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp	2021-12-07 01:13:33 UTC (rev 286580)
@@ -78,9 +78,9 @@
 
 // Make sure that our explicit assumptions about the StructureIDBlob match reality.
 RELEASE_ASSERT(!(JSCell_indexingTypeAndMisc.offset() & (sizeof(int32_t) - 1)));
-RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 1 == JSCell_typeInfoType.offset());
-RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 2 == JSCell_typeInfoFlags.offset());
-RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 3 == JSCell_cellState.offset());
+RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 1 == JSCell_cellState.offset());
+RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 2 == JSCell_typeInfoType.offset());
+RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 3 == JSCell_typeInfoFlags.offset());
 
 JSCell_structureID.changeParent(&JSCell_header);
 JSCell_usefulBytes.changeParent(&JSCell_header);
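Review bot: the header comment "our explicit assumptions about the StructureIDBlob" is stale now that r286502 on this page removed StructureIDBlob; update it to name the JSCell header bytes. The three `+1/+2/+3` asserts together with the `sizeof(int32_t)` alignment check are what license the single-load materialisation the commit describes, so keep them as RELEASE_ASSERTs (the JIT bakes these offsets into generated code), and consider expressing the same invariant as a static_assert on the JSCell field offsets so it fails at compile time rather than at FTL initialisation.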


Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (286579 => 286580)

--- trunk/Source/_javascript_Core/runtime/JSCell.h	2021-12-07 00:38:11 UTC (rev 286579)
+++ trunk/Source/_javascript_Core/runtime/JSCell.h	2021-12-07 01:13:33 UTC (rev 286580)
@@ -266,9 +266,9 @@
 
 StructureID m_structureID;
 IndexingType m_indexingTypeAndMisc; // DO NOT store to this field. Always CAS.
+CellState m_cellState;
 JSType m_type;
 TypeInfo::InlineTypeFlags m_flags;
-CellState m_cellState;
 };
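Review bot: the field order is now load-bearing for the JIT (FTL asserts byte offsets 1..3 after `m_indexingTypeAndMisc`), but nothing beside the declaration says so; add a comment and `static_assert`s using `OBJECT_OFFSETOF` here so a future reorder fails at compile time. Also confirm the "Always CAS" rule on `m_indexingTypeAndMisc` still matches the JIT's assumption about which bytes share that word: moving `m_cellState` next to it changes which neighbouring byte a wider CAS would now cover.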
 
 class JSCellLock : public JSCell {


Modified: trunk/Source/_javascript_Core/runtime/JSCellInlines.h (286579 => 286580)

--- trunk/Source/_javascript_Core/runtime/JSCellInlines.h	2021-12-07 00:38:11 UTC (rev 286579)
+++ trunk/Source/_javascript_Core/runtime/JSCellInlines.h	2021-12-07 01:13:33 UTC (rev 286580)
@@ -58,9 +58,9 @@
 inline JSCell::JSCell(VM&, Structure* structure)
 : m_structureID(st

[webkit-changes] [286502] trunk/Source/JavaScriptCore

2021-12-03 Thread keith_miller
Title: [286502] trunk/Source/_javascript_Core
Revision 286502
Author keith_mil...@apple.com
Date 2021-12-03 10:30:11 -0800 (Fri, 03 Dec 2021)


Log Message
Remove StructureIDBlob
https://bugs.webkit.org/show_bug.cgi?id=233723

Reviewed by Yusuke Suzuki.

StructureIDBlob isn't very useful now that StructureIDs are just the
bottom bits of the pointer on 64 bit platforms. In a follow up patch
I'll change the layout of JSCell and Structure so that TypeInfo creation
can be a single load on platforms that allow (and don't penalize) misaligned loads.

* CMakeLists.txt:
* _javascript_Core.xcodeproj/project.pbxproj:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_to_scope):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::addNewPropertyTransition):
(JSC::Structure::removeNewPropertyTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::nonPropertyTransitionSlow):
(JSC::Structure::setBrandTransition):
* runtime/Structure.h:
(JSC::Structure::id const):
(JSC::Structure::objectInitializationBlob const):
(JSC::Structure::idBlob const):
(JSC::Structure::isProxy const):
(JSC::Structure::typeInfo const):
(JSC::Structure::indexingType const):
(JSC::Structure::indexingMode const):
(JSC::Structure::fencedIndexingMode):
(JSC::Structure::indexingModeIncludingHistory const):
(JSC::Structure::indexingModeIncludingHistoryOffset):
(JSC::Structure::structureIDOffset): Deleted.
* runtime/StructureIDBlob.h: Removed.
* runtime/StructureInlines.h:
(JSC::Structure::hasIndexingHeader const):
* tools/VMInspectorInlines.h:
(JSC::VMInspector::verifyCellSize):

Modified Paths

trunk/Source/_javascript_Core/CMakeLists.txt
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/jit/AssemblyHelpers.h
trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp
trunk/Source/_javascript_Core/runtime/Structure.cpp
trunk/Source/_javascript_Core/runtime/Structure.h
trunk/Source/_javascript_Core/runtime/StructureInlines.h
trunk/Source/_javascript_Core/tools/VMInspectorInlines.h


Removed Paths

trunk/Source/_javascript_Core/runtime/StructureIDBlob.h




Diff

Modified: trunk/Source/_javascript_Core/CMakeLists.txt (286501 => 286502)

--- trunk/Source/_javascript_Core/CMakeLists.txt	2021-12-03 18:29:32 UTC (rev 286501)
+++ trunk/Source/_javascript_Core/CMakeLists.txt	2021-12-03 18:30:11 UTC (rev 286502)
@@ -1186,7 +1186,6 @@
 runtime/StructureCache.h
 runtime/StructureChain.h
 runtime/StructureID.h
-runtime/StructureIDBlob.h
 runtime/StructureInlines.h
 runtime/StructureRareData.h
 runtime/StructureRareDataInlines.h


Modified: trunk/Source/_javascript_Core/ChangeLog (286501 => 286502)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-03 18:29:32 UTC (rev 286501)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-03 18:30:11 UTC (rev 286502)
@@ -1,3 +1,49 @@
+2021-12-03  Keith Miller  
+
+Remove StructureIDBlob
+https://bugs.webkit.org/show_bug.cgi?id=233723
+
+Reviewed by Yusuke Suzuki.
+
+StructureIDBlob isn't very useful now that StructureIDs are just the
+bottom bits of the pointer on 64 bit platforms. In a follow up patch
+I'll change the layout of JSCell and Structure so that TypeInfo creation
+can be a single load platforms that allow (and don't penalize) misaligned loads.
+
+* CMakeLists.txt:
+* _javascript_Core.xcodeproj/project.pbxproj:
+* ftl/FTLAbstractHeapRepository.h:
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+* jit/AssemblyHelpers.h:
+(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
+* jit/JITPropertyAccess.cpp:
+(JSC::JIT::emit_op_put_to_scope):
+* runtime/Structure.cpp:
+(JSC::Structure::Structure):
+(JSC::Structure::addNewPropertyTransition):
+(JSC::Structure::removeNewPropertyTransition):
+(JSC::Structure::attributeChangeTransition):
+(JSC::Structure::nonPropertyTransitionSlow):
+(JSC::Structure::setBrandTransition):
+* runtime/Structure.h:
+(JSC::Structure::id const):
+(JSC::Structure::objectInitializationBlob const):
+(JSC::Structure::idBlob const):
+(JSC::Structure::isProxy const):
+(JSC::Structure::typeInfo const):
+(JSC::Structure::indexingType const):
+(JSC::Structure::indexingMode const):
+(JSC::Structure::fencedIndexingMode):
+(JSC::Structure::indexingModeIncludingHistory const):
+(JSC::Structure::indexingModeIncludingHistoryOffset):
+   
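Review bot: the ChangeLog sentence "can be a single load platforms that allow (and don't penalize) misaligned loads" is missing a word; "a single load on platforms that allow" reads correctly. Worth fixing before landing, since this entry is the only description of why the blob is being removed.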

[webkit-changes] [286387] trunk/Source/JavaScriptCore

2021-12-01 Thread keith_miller
Title: [286387] trunk/Source/_javascript_Core

Revision 286387
Author keith_mil...@apple.com
Date 2021-12-01 14:24:43 -0800 (Wed, 01 Dec 2021)


Log Message
Add static_assert the value we use to initialize a StructureID buffer should be 0.
https://bugs.webkit.org/show_bug.cgi?id=233720

Reviewed by Yusuke Suzuki.

Also, add static assert that the zero we are putting into the buffer
matches the default StructureID constructor.

* runtime/StructureChain.cpp:
(JSC::StructureChain::create):
* runtime/StructureID.h:
(JSC::StructureID::bits const):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/StructureChain.cpp
trunk/Source/_javascript_Core/runtime/StructureID.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (286386 => 286387)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-01 22:02:06 UTC (rev 286386)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-01 22:24:43 UTC (rev 286387)
@@ -1,3 +1,18 @@
+2021-12-01  Keith Miller  
+
+Add static_assert the value we use to initialize a StructureID buffer should be 0.
+https://bugs.webkit.org/show_bug.cgi?id=233720
+
+Reviewed by Yusuke Suzuki.
+
+Also, add static assert that the zero we are putting into the buffer
+matches the default StructureID constructor.
+
+* runtime/StructureChain.cpp:
+(JSC::StructureChain::create):
+* runtime/StructureID.h:
+(JSC::StructureID::bits const):
+
 2021-12-01  Yusuke Suzuki  
 
 Unreviewed, use void* to suppress GCC warning


Modified: trunk/Source/_javascript_Core/runtime/StructureChain.cpp (286386 => 286387)

--- trunk/Source/_javascript_Core/runtime/StructureChain.cpp	2021-12-01 22:02:06 UTC (rev 286386)
+++ trunk/Source/_javascript_Core/runtime/StructureChain.cpp	2021-12-01 22:24:43 UTC (rev 286387)
@@ -49,6 +49,7 @@
 ++size; // Sentinel nullptr.
 size_t bytes = Checked(size) * sizeof(StructureID);
 void* vector = vm.jsValueGigacageAuxiliarySpace().allocateNonVirtual(vm, bytes, nullptr, AllocationFailureMode::Assert);
+static_assert(!StructureID().bits(), "Make sure the value we're going to memcpy below matches the default StructureID");
 memset(vector, 0, bytes);
 StructureChain* chain = new (NotNull, allocateCell(vm)) StructureChain(vm, vm.structureChainStructure.get(), static_cast(vector));
 chain->finishCreation(vm, head);
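Review bot: the static_assert message says "the value we're going to memcpy below", but the operation on the next line is memset(vector, 0, bytes); suggest "memset" so the message points at the right call. The check itself is in the right place: the chain relies on the extra zero-filled slot added by "++size; // Sentinel nullptr." comparing equal to a default StructureID, and the assert turns a later change of the default bit pattern into a build failure instead of an unterminated chain.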


Modified: trunk/Source/_javascript_Core/runtime/StructureID.h (286386 => 286387)

--- trunk/Source/_javascript_Core/runtime/StructureID.h	2021-12-01 22:02:06 UTC (rev 286386)
+++ trunk/Source/_javascript_Core/runtime/StructureID.h	2021-12-01 22:24:43 UTC (rev 286387)
@@ -52,7 +52,7 @@
 explicit operator bool() const { return !!m_bits; }
 bool operator==(StructureID const& other) const  { return m_bits == other.m_bits; }
 bool operator!=(StructureID const& other) const  { return m_bits != other.m_bits; }
-uint32_t bits() const { return m_bits; }
+constexpr uint32_t bits() const { return m_bits; }
 
 StructureID(WTF::HashTableDeletedValueType) : m_bits(nukedStructureIDBit) { }
 bool isHashTableDeletedValue() const { return *this == StructureID(WTF::HashTableDeletedValue); }
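Review bot: StructureID().bits() in the new static_assert also requires StructureID's default constructor to be usable in a constant expression; only bits() is made constexpr in this hunk, so confirm the default constructor (not shown) is constexpr, otherwise the assert in StructureChain.cpp will not compile. While here, operator bool, operator== and operator!= on the surrounding lines could be constexpr as well for consistency.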






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
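As an added illustration of the invariant the r286387 static_assert protects (example code written for this page, not WebKit's): a hypothetical StructureID stand-in with an all-zero default, a chain buffer built the way StructureChain::create builds it (zero-filled, with one extra slot as the null sentinel), and a second hypothetical type, NukedDefaultID, whose non-zero default would make memset(0) produce something other than the default value. StructureID, NukedDefaultID, Chain, createChain, walkChain, chainIsWellTerminated and the sample IDs are all assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <new>
#include <type_traits>

// Hypothetical stand-in for JSC::StructureID (illustration only, not WebKit code).
// Its default value is all-zero bits, which is what lets memset(0) produce the chain's null terminator.
class StructureID {
public:
    constexpr StructureID() = default;
    constexpr explicit StructureID(uint32_t bits) : m_bits(bits) { }
    constexpr uint32_t bits() const { return m_bits; }
    constexpr explicit operator bool() const { return !!m_bits; }
    constexpr bool operator==(StructureID const& other) const { return m_bits == other.m_bits; }
private:
    uint32_t m_bits { 0 };
};

// Hypothetical ID type whose default is a sentinel bit pattern rather than zero;
// the compile-time check below would reject it, and zeroFillEqualsDefault() shows why.
class NukedDefaultID {
public:
    constexpr NukedDefaultID() = default;
    constexpr bool operator==(NukedDefaultID const& other) const { return m_bits == other.m_bits; }
private:
    uint32_t m_bits { 0x80000000u };
};

// The invariant r286387's static_assert pins down: zero-filled storage is a default ID.
static_assert(std::is_trivially_copyable_v<StructureID>, "memset/memcpy over the buffer must be legal");
static_assert(!StructureID().bits(), "zero-filled storage must equal the default StructureID");

// Runtime form of the same question, for any trivially copyable ID type.
template<typename ID>
bool zeroFillEqualsDefault()
{
    static_assert(std::is_trivially_copyable_v<ID>);
    unsigned char zeroBytes[sizeof(ID)] = {}; // exactly what memset(..., 0, ...) leaves behind
    ID zeroed;
    std::memcpy(&zeroed, zeroBytes, sizeof zeroed);
    return zeroed == ID();
}

// Minimal chain in the shape of StructureChain::create: `count` IDs followed by one null sentinel.
struct Chain {
    StructureID* vector;
    size_t count;
};

Chain createChain(const uint32_t* ids, size_t count)
{
    size_t bytes = (count + 1) * sizeof(StructureID); // +1 for the sentinel slot
    void* raw = std::malloc(bytes);
    if (!raw)
        std::abort();
    std::memset(raw, 0, bytes); // every slot now equals StructureID(), by the static_assert above
    StructureID* vector = static_cast<StructureID*>(raw);
    for (size_t i = 0; i < count; ++i)
        new (&vector[i]) StructureID(ids[i]);
    return { vector, count };
}

// A consumer walks until an ID converts to false, so it depends on the sentinel being null.
size_t walkChain(const Chain& chain)
{
    size_t n = 0;
    while (chain.vector[n])
        ++n;
    return n;
}

// True when every ID round-trips and the walk stops exactly at the sentinel.
bool chainIsWellTerminated(const uint32_t* ids, size_t count)
{
    Chain chain = createChain(ids, count);
    bool ok = walkChain(chain) == count;
    for (size_t i = 0; ok && i < count; ++i)
        ok = chain.vector[i].bits() == ids[i];
    ok = ok && chain.vector[count] == StructureID();
    std::free(chain.vector);
    return ok;
}

// Constructed sample input: three arbitrary non-zero IDs.
static const uint32_t kSampleIDs[] = { 0x10, 0x20, 0x30 };
static const size_t kSampleCount = sizeof(kSampleIDs) / sizeof(kSampleIDs[0]);

int main()
{
    std::printf("StructureID: zero fill == default? %d\n", zeroFillEqualsDefault<StructureID>());
    std::printf("NukedDefaultID: zero fill == default? %d\n", zeroFillEqualsDefault<NukedDefaultID>());
    std::printf("sample chain well terminated? %d\n", chainIsWellTerminated(kSampleIDs, kSampleCount));
    return 0;
}
```

The compile-time assert and zeroFillEqualsDefault() ask the same question; the first is the one that belongs next to the memset, because it fails the build the moment someone gives the ID type a non-zero default, whereas the runtime version only tells you after a chain has already been built with a sentinel that no walker will recognise.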


[webkit-changes] [283903] trunk/Source/JavaScriptCore

2021-10-11 Thread keith_miller
Title: [283903] trunk/Source/_javascript_Core

Revision 283903
Author keith_mil...@apple.com
Date 2021-10-11 09:58:40 -0700 (Mon, 11 Oct 2021)


Log Message
SourceID should have a type name and only be 32-bits
https://bugs.webkit.org/show_bug.cgi?id=231436

Reviewed by Filip Pizlo.

This patch gives SourceID a proper type name and shrinks it to
32-bits on 64-bit systems. Shrinking the size makes room on
SourceProvider for metadata in a future patch I'm working on.
It's also pretty unlikely that any system has more than ~4 billion
script tags, evals, wasm modules so shrinking the size is unlikely
to cause any debugger/profiling issues.

* CMakeLists.txt:
* _javascript_Core.xcodeproj/project.pbxproj:
* bytecode/TypeLocation.h:
* debugger/Debugger.cpp:
(JSC::Debugger::toggleBreakpoint):
(JSC::Debugger::pauseIfNeeded):
* debugger/DebuggerLocation.h:
(JSC::DebuggerLocation::DebuggerLocation):
* debugger/DebuggerPrimitives.h:
* inspector/_javascript_CallFrame.h:
(Inspector::_javascript_CallFrame::sourceID const):
* inspector/ScriptCallStackFactory.cpp:
(Inspector::CreateScriptCallStackFunctor::operator() const):
(Inspector::createScriptCallStackFromException):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::sourceID):
* interpreter/StackVisitor.h:
* parser/Nodes.h:
(JSC::ScopeNode::sourceID const):
* parser/SourceCode.h:
(JSC::SourceCode::SourceCode):
(JSC::SourceCode::firstLine const):
(JSC::SourceCode::startColumn const):
(JSC::SourceCode::providerID const):
(JSC::SourceCode::provider const):
(JSC::SourceCode::operator== const):
(JSC::SourceCode::operator!= const):
(JSC::makeSource):
(JSC::SourceCode::subExpression const):
* parser/SourceProvider.cpp:
(JSC::SourceProvider::getID):
* parser/SourceProvider.h:
(JSC::SourceProvider::asID):
* runtime/ControlFlowProfiler.cpp:
(JSC::ControlFlowProfiler::getBasicBlockLocation):
(JSC::ControlFlowProfiler::getBasicBlocksForSourceID const):
(JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
(JSC::ControlFlowProfiler::basicBlockExecutionCountAtTextOffset):
* runtime/ControlFlowProfiler.h:
* runtime/FunctionHasExecutedCache.cpp:
(JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
(JSC::FunctionHasExecutedCache::insertUnexecutedRange):
(JSC::FunctionHasExecutedCache::removeUnexecutedRange):
(JSC::FunctionHasExecutedCache::getFunctionRanges):
* runtime/FunctionHasExecutedCache.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::StackFrame::sourceID):
* runtime/SamplingProfiler.h:
* runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::sourceID const):
* runtime/StackFrame.cpp:
(JSC::StackFrame::sourceID const):
* runtime/StackFrame.h:
* runtime/TypeLocationCache.cpp:
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeLocationCache.h:
* runtime/TypeProfiler.cpp:
(JSC::TypeProfiler::typeInformationForExpressionAtOffset):
(JSC::TypeProfiler::findLocation):
* runtime/TypeProfiler.h:
(JSC::QueryKey::QueryKey):
(JSC::QueryKey::isHashTableDeletedValue const):

Modified Paths

trunk/Source/_javascript_Core/CMakeLists.txt
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
trunk/Source/_javascript_Core/bytecode/TypeLocation.h
trunk/Source/_javascript_Core/debugger/Debugger.cpp
trunk/Source/_javascript_Core/debugger/DebuggerLocation.h
trunk/Source/_javascript_Core/debugger/DebuggerPrimitives.h
trunk/Source/_javascript_Core/inspector/_javascript_CallFrame.h
trunk/Source/_javascript_Core/inspector/ScriptCallStackFactory.cpp
trunk/Source/_javascript_Core/interpreter/StackVisitor.cpp
trunk/Source/_javascript_Core/interpreter/StackVisitor.h
trunk/Source/_javascript_Core/parser/Nodes.h
trunk/Source/_javascript_Core/parser/SourceCode.h
trunk/Source/_javascript_Core/parser/SourceProvider.cpp
trunk/Source/_javascript_Core/parser/SourceProvider.h
trunk/Source/_javascript_Core/runtime/ControlFlowProfiler.cpp
trunk/Source/_javascript_Core/runtime/ControlFlowProfiler.h
trunk/Source/_javascript_Core/runtime/FunctionHasExecutedCache.cpp
trunk/Source/_javascript_Core/runtime/FunctionHasExecutedCache.h
trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp
trunk/Source/_javascript_Core/runtime/SamplingProfiler.h
trunk/Source/_javascript_Core/runtime/ScriptExecutable.h
trunk/Source/_javascript_Core/runtime/StackFrame.cpp
trunk/Source/_javascript_Core/runtime/StackFrame.h
trunk/Source/_javascript_Core/runtime/TypeLocationCache.cpp
trunk/Source/_javascript_Core/runtime/TypeLocationCache.h
trunk/Source/_javascript_Core/runtime/TypeProfiler.cpp
trunk/Source/_javascript_Core/runtime/TypeProfiler.h


Added Paths

trunk/Source/_javascript_Core/bytecode/SourceID.h




Diff

Modified: trunk/Source/_javascript_Core/CMakeLists.txt (283902 => 283903)

--- trunk/Source/_javascript_Core/CMakeLists.txt	2021-10-11 16:54:18 UTC (rev 283902)
+++ trunk/Source/_javascript_Core/CMakeLists.txt	2021-10-11 16:58:40 UTC (rev 283903)
@@ -664,6 +664,7 @@
 bytecode/PutByIdFlags.h
 bytecode/SetPrivateBrandStatus.h

[webkit-changes] [281743] trunk/Source/JavaScriptCore

2021-08-29 Thread keith_miller
Title: [281743] trunk/Source/_javascript_Core

Revision 281743
Author keith_mil...@apple.com
Date 2021-08-29 08:14:13 -0700 (Sun, 29 Aug 2021)


Log Message
Add openFile function to jsc.cpp that links to file backed memory
https://bugs.webkit.org/show_bug.cgi?id=229621

Reviewed by Saam Barati.

This patch uses fopen directly rather than using WTF::MappedFileData so there were fewer changes to
readline.

* jsc.cpp:
(computeFilePath):
(JSC_DEFINE_HOST_FUNCTION):
(JSFileDescriptor::subspaceFor):
(JSFileDescriptor::createStructure):
(JSFileDescriptor::create):
(JSFileDescriptor::finishCreation):
(JSFileDescriptor::destroy):
(JSFileDescriptor::descriptor const):
(JSFileDescriptor::JSFileDescriptor):
(JSFileDescriptor::~JSFileDescriptor):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jsc.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (281742 => 281743)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-29 13:52:20 UTC (rev 281742)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-29 15:14:13 UTC (rev 281743)
@@ -1,3 +1,25 @@
+2021-08-29  Keith Miller  
+
+Add openFile function to jsc.cpp that links to file backed memory
+https://bugs.webkit.org/show_bug.cgi?id=229621
+
+Reviewed by Saam Barati.
+
+This patch uses fopen directly rather than use WTF::MappedFileData so there were less changes to
+readline.
+
+* jsc.cpp:
+(computeFilePath):
+(JSC_DEFINE_HOST_FUNCTION):
+(JSFileDescriptor::subspaceFor):
+(JSFileDescriptor::createStructure):
+(JSFileDescriptor::create):
+(JSFileDescriptor::finishCreation):
+(JSFileDescriptor::destroy):
+(JSFileDescriptor::descriptor const):
+(JSFileDescriptor::JSFileDescriptor):
+(JSFileDescriptor::~JSFileDescriptor):
+
 2021-08-29  Joonghun Park  
 
 Unreviewed. Remove the build warning below since r281615.


Modified: trunk/Source/_javascript_Core/jsc.cpp (281742 => 281743)

--- trunk/Source/_javascript_Core/jsc.cpp	2021-08-29 13:52:20 UTC (rev 281742)
+++ trunk/Source/_javascript_Core/jsc.cpp	2021-08-29 15:14:13 UTC (rev 281743)
@@ -295,6 +295,7 @@
 static JSC_DECLARE_HOST_FUNCTION(functionLoadString);
 static JSC_DECLARE_HOST_FUNCTION(functionReadFile);
 static JSC_DECLARE_HOST_FUNCTION(functionCheckSyntax);
+static JSC_DECLARE_HOST_FUNCTION(functionOpenFile);
 static JSC_DECLARE_HOST_FUNCTION(functionReadline);
 static JSC_DECLARE_HOST_FUNCTION(functionPreciseTime);
 static JSC_DECLARE_HOST_FUNCTION(functionNeverInlineFunction);
@@ -540,6 +541,7 @@
 addFunction(vm, "checkSyntax", functionCheckSyntax, 1);
 addFunction(vm, "sleepSeconds", functionSleepSeconds, 1);
 addFunction(vm, "jscStack", functionJSCStack, 1);
+addFunction(vm, "openFile", functionOpenFile, 1);
 addFunction(vm, "readline", functionReadline, 0);
 addFunction(vm, "preciseTime", functionPreciseTime, 0);
 addFunction(vm, "neverInlineFunction", functionNeverInlineFunction, 1);
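Review bot: openFile joins readFile, load and readline as a shell builtin that reaches the local file system directly from script. That is fine for the jsc test shell, but it is one more global that must never be installed into an embedding that runs untrusted code; a comment at the registration site saying these builtins are test-shell only would make that explicit. Registering it with length 1 matches load, whose optional second "caller relative" argument is handled by computeFilePath below.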
@@ -1559,30 +1561,42 @@
 return JSValue::encode(realm);
 }
 
-JSC_DEFINE_HOST_FUNCTION(functionLoad, (JSGlobalObject* globalObject, CallFrame* callFrame))
+static URL computeFilePath(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
 {
-VM& vm = globalObject->vm();
 auto scope = DECLARE_THROW_SCOPE(vm);
 
 bool callerRelative = callFrame->argument(1).getString(globalObject) == "caller relative"_s;
-RETURN_IF_EXCEPTION(scope, encodedJSValue());
+RETURN_IF_EXCEPTION(scope, URL());
 
 String fileName = callFrame->argument(0).toWTFString(globalObject);
-RETURN_IF_EXCEPTION(scope, encodedJSValue());
+RETURN_IF_EXCEPTION(scope, URL());
 
 URL path;
 if (callerRelative) {
 path = URL(callFrame->callerSourceOrigin(vm).url(), fileName);
-if (!path.isLocalFile())
-return throwVMException(globalObject, scope, createURIError(globalObject, makeString("caller relative URL path is not a local file: ", path.string(;
+if (!path.isLocalFile()) {
+throwException(globalObject, scope, createURIError(globalObject, makeString("caller relative URL path is not a local file: ", path.string(;
+return URL();
+}
 } else
 path = absolutePath(fileName);
+return path;
+}
+
+JSC_DEFINE_HOST_FUNCTION(functionLoad, (JSGlobalObject* globalObject, CallFrame* callFrame))
+{
+VM& vm = globalObject->vm();
+auto scope = DECLARE_THROW_SCOPE(vm);
+
+URL path = computeFilePath(vm, globalObject, callFrame);
+RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
 Vector script;
 if (!fetchScriptFromLocalFileSystem(path.fileSystemPath(), script))
 return JSValue::encode(throwException(globalObject, scope, createError(globalObject, "Could not open file."_s)));
 
 NakedPtr evaluationException;
-JSValue result = evaluate(globalObject, jscSource(script, SourceOrig
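Review bot: computeFilePath validates isLocalFile() only on the caller-relative branch; the default branch returns absolutePath(fileName) unchecked, exactly as functionLoad did before the refactor, so every caller of the new helper (load here, and the new openFile) accepts any absolute path. That is the intended shell behaviour, but a one-line comment on the helper stating it would stop a later caller assuming the local-file check covers both branches. Minor: the VM& parameter duplicates globalObject->vm() and could be dropped.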

[webkit-changes] [281565] trunk/Source/JavaScriptCore

2021-08-25 Thread keith_miller
Title: [281565] trunk/Source/_javascript_Core

Revision 281565
Author keith_mil...@apple.com
Date 2021-08-25 10:59:53 -0700 (Wed, 25 Aug 2021)


Log Message
Add for-in OwnStructureMode optimizations to LLInt
https://bugs.webkit.org/show_bug.cgi?id=229038

Reviewed by Saam Barati.

This patch adds the optimizations we have for OwnStructureMode in
the Baseline to the LLInt. The patch also adds redundant self move
(i.e. move a, a) elimination to arm64. Finally, a bunch of the
property offset functions are now marked constexpr and return
intptr_t rather than size_t as the values can be negative.

There's also a minor fix to disable MSVC's signed to unsigned
cast warning for LLIntOffsetsExtractor as we don't care about
signedness for extracting constants.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_enumerator_get_by_val):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/generate_offset_extractor.rb:
* runtime/Butterfly.h:
(JSC::Butterfly::indexOfPropertyStorage):
* runtime/JSObject.h:
(JSC::offsetInButterfly):
* runtime/PropertyOffset.h:
(JSC::checkOffset):
(JSC::validateOffset):
(JSC::isValidOffset):
(JSC::isInlineOffset):
(JSC::isOutOfLineOffset):
(JSC::offsetInInlineStorage):
(JSC::offsetInOutOfLineStorage):
(JSC::offsetInRespectiveStorage):
(JSC::numberOfOutOfLineSlotsForMaxOffset):
(JSC::numberOfSlotsForMaxOffset):
(JSC::offsetForPropertyNumber):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm
trunk/Source/_javascript_Core/offlineasm/arm64.rb
trunk/Source/_javascript_Core/offlineasm/generate_offset_extractor.rb
trunk/Source/_javascript_Core/runtime/Butterfly.h
trunk/Source/_javascript_Core/runtime/JSObject.h
trunk/Source/_javascript_Core/runtime/PropertyOffset.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (281564 => 281565)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-25 17:46:34 UTC (rev 281564)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-25 17:59:53 UTC (rev 281565)
@@ -1,3 +1,48 @@
+2021-08-25  Keith Miller  
+
+Add for-in OwnStructureMode optimizations to LLInt
+https://bugs.webkit.org/show_bug.cgi?id=229038
+
+Reviewed by Saam Barati.
+
+This patch adds the optimizations we have for OwnStructureMode in
+the Baseline to the LLInt. The patch also adds redundant self move
+(i.e. move a, a) elimination to arm64. Finally, a bunch of the
+property offset functions are now marked constexpr and return
+intptr_t rather than size_t as the values can be negative.
+
+There's also a minor fix to disable MSVC's signed to unsigned
+cast warning for LLIntOffsetsExtractor as we don't care about
+signedness for extracting constants.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+* jit/JITPropertyAccess.cpp:
+(JSC::JIT::emit_op_enumerator_get_by_val):
+* llint/LowLevelInterpreter.asm:
+* llint/LowLevelInterpreter32_64.asm:
+* llint/LowLevelInterpreter64.asm:
+* offlineasm/arm64.rb:
+* offlineasm/generate_offset_extractor.rb:
+* runtime/Butterfly.h:
+(JSC::Butterfly::indexOfPropertyStorage):
+* runtime/JSObject.h:
+(JSC::offsetInButterfly):
+* runtime/PropertyOffset.h:
+(JSC::checkOffset):
+(JSC::validateOffset):
+(JSC::isValidOffset):
+(JSC::isInlineOffset):
+(JSC::isOutOfLineOffset):
+(JSC::offsetInInlineStorage):
+(JSC::offsetInOutOfLineStorage):
+(JSC::offsetInRespectiveStorage):
+(JSC::numberOfOutOfLineSlotsForMaxOffset):
+(JSC::numberOfSlotsForMaxOffset):
+(JSC::offsetForPropertyNumber):
+
 2021-08-25  Commit Queue  
 
 Unreviewed, reverting r281523.


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281564 => 281565)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-25 17:46:34 UTC (rev 281564)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-25 17:59:53 UTC (rev 281565)
@@ -13647,7 +13647,7 @@
 m_jit.signExtend32ToPtr(scratchGPR, scratchGPR);
 if (!haveStorage)
 m_jit.loadPtr(MacroAssembler::Address(baseCellGPR, JSObject::but

[webkit-changes] [281523] trunk/Source/JavaScriptCore

2021-08-24 Thread keith_miller
Title: [281523] trunk/Source/_javascript_Core

Revision 281523
Author keith_mil...@apple.com
Date 2021-08-24 16:04:18 -0700 (Tue, 24 Aug 2021)


Log Message
Add for-in OwnStructureMode optimizations to LLInt
https://bugs.webkit.org/show_bug.cgi?id=229038

Reviewed by Saam Barati.

This patch adds the optimizations we have for OwnStructureMode in
the Baseline to the LLInt. The patch also adds redundant self move
(i.e. move a, a) elimination to arm64. Finally, a bunch of the
property offset functions are now marked constexpr and return
intptr_t rather than size_t as the values can be negative.

There's also a minor fix to disable MSVC's signed to unsigned
cast warning for LLIntOffsetsExtractor as we don't care about
signedness for extracting constants.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_enumerator_get_by_val):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/generate_offset_extractor.rb:
* runtime/Butterfly.h:
(JSC::Butterfly::indexOfPropertyStorage):
* runtime/JSObject.h:
(JSC::offsetInButterfly):
* runtime/PropertyOffset.h:
(JSC::checkOffset):
(JSC::validateOffset):
(JSC::isValidOffset):
(JSC::isInlineOffset):
(JSC::isOutOfLineOffset):
(JSC::offsetInInlineStorage):
(JSC::offsetInOutOfLineStorage):
(JSC::offsetInRespectiveStorage):
(JSC::numberOfOutOfLineSlotsForMaxOffset):
(JSC::numberOfSlotsForMaxOffset):
(JSC::offsetForPropertyNumber):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm
trunk/Source/_javascript_Core/offlineasm/arm64.rb
trunk/Source/_javascript_Core/offlineasm/generate_offset_extractor.rb
trunk/Source/_javascript_Core/runtime/Butterfly.h
trunk/Source/_javascript_Core/runtime/JSObject.h
trunk/Source/_javascript_Core/runtime/PropertyOffset.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (281522 => 281523)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-24 22:58:46 UTC (rev 281522)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-24 23:04:18 UTC (rev 281523)
@@ -1,3 +1,48 @@
+2021-08-24  Keith Miller  
+
+Add for-in OwnStructureMode optimizations to LLInt
+https://bugs.webkit.org/show_bug.cgi?id=229038
+
+Reviewed by Saam Barati.
+
+This patch adds the optimizations we have for OwnStructureMode in
+the Baseline to the LLInt. The patch also adds redundant self move
+(i.e. move a, a) elimination to arm64. Finally, a bunch of the
+property offset functions are now marked constexpr and return
+intptr_t rather than size_t as the values can be negative.
+
+There's also a minor fix to disable MSVC's signed to unsigned
+cast warning for LLIntOffsetsExtractor as we don't care about
+signedness for extracting constants.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+* jit/JITPropertyAccess.cpp:
+(JSC::JIT::emit_op_enumerator_get_by_val):
+* llint/LowLevelInterpreter.asm:
+* llint/LowLevelInterpreter32_64.asm:
+* llint/LowLevelInterpreter64.asm:
+* offlineasm/arm64.rb:
+* offlineasm/generate_offset_extractor.rb:
+* runtime/Butterfly.h:
+(JSC::Butterfly::indexOfPropertyStorage):
+* runtime/JSObject.h:
+(JSC::offsetInButterfly):
+* runtime/PropertyOffset.h:
+(JSC::checkOffset):
+(JSC::validateOffset):
+(JSC::isValidOffset):
+(JSC::isInlineOffset):
+(JSC::isOutOfLineOffset):
+(JSC::offsetInInlineStorage):
+(JSC::offsetInOutOfLineStorage):
+(JSC::offsetInRespectiveStorage):
+(JSC::numberOfOutOfLineSlotsForMaxOffset):
+(JSC::numberOfSlotsForMaxOffset):
+(JSC::offsetForPropertyNumber):
+
 2021-08-24  Yusuke Suzuki  
 
 [JSC] Add Intl Enumeration APIs


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281522 => 281523)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-24 22:58:46 UTC (rev 281522)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-24 23:04:18 UTC (rev 281523)
@@ -13647,7 +13647,7 @@
 m_jit.signExtend32ToPtr(scratchGPR, scratchGPR);
 if (!haveStorage)
 m_jit.loadPtr(MacroAssembler::Address(baseCellGPR, JSObject::b

[webkit-changes] [281500] trunk

2021-08-24 Thread keith_miller
Title: [281500] trunk

Revision 281500
Author keith_mil...@apple.com
Date 2021-08-24 10:58:29 -0700 (Tue, 24 Aug 2021)


Log Message
(r281473) stress/for-in-has-own-property-shouldnt-flush-registers.js failing on Debug
https://bugs.webkit.org/show_bug.cgi?id=229448

Reviewed by Mark Lam.

JSTests:

Fix typo in test name.

* stress/for-in-in-by-val-should-flush-registers.js: Renamed from JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js.

Source/_javascript_Core:

Add missing exception checks.

* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGOperations.cpp


Added Paths

trunk/JSTests/stress/for-in-in-by-val-should-flush-registers.js


Removed Paths

trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js




Diff

Modified: trunk/JSTests/ChangeLog (281499 => 281500)

--- trunk/JSTests/ChangeLog	2021-08-24 17:57:38 UTC (rev 281499)
+++ trunk/JSTests/ChangeLog	2021-08-24 17:58:29 UTC (rev 281500)
@@ -1,3 +1,14 @@
+2021-08-24  Keith Miller  
+
+(r281473) stress/for-in-has-own-property-shouldnt-flush-registers.js failing on Debug
+https://bugs.webkit.org/show_bug.cgi?id=229448
+
+Reviewed by Mark Lam.
+
+Fix typo in test name.
+
+* stress/for-in-in-by-val-should-flush-registers.js: Renamed from JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js.
+
 2021-08-23  Saam Barati  
 
 Disable peephole optimizations in the byte code generator after rewriting instructions for for-in


Copied: trunk/JSTests/stress/for-in-in-by-val-should-flush-registers.js (from rev 281499, trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js) (0 => 281500)

--- trunk/JSTests/stress/for-in-in-by-val-should-flush-registers.js	(rev 0)
+++ trunk/JSTests/stress/for-in-in-by-val-should-flush-registers.js	2021-08-24 17:58:29 UTC (rev 281500)
@@ -0,0 +1,13 @@
+const a = [undefined];
+a.toString = ()=>{};
+
+function foo() {
+for (let x in a) {
+  x in a;
+  +x;
+}
+}
+
+for (let i=0; i<1; i++) {
+  foo();
+}


Deleted: trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (281499 => 281500)

--- trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js	2021-08-24 17:57:38 UTC (rev 281499)
+++ trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js	2021-08-24 17:58:29 UTC (rev 281500)
@@ -1,13 +0,0 @@
-const a = [undefined];
-a.toString = ()=>{};
-
-function foo() {
-for (let x in a) {
-  x in a;
-  +x;
-}
-}
-
-for (let i=0; i<1; i++) {
-  foo();
-}


Modified: trunk/Source/_javascript_Core/ChangeLog (281499 => 281500)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-24 17:57:38 UTC (rev 281499)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-24 17:58:29 UTC (rev 281500)
@@ -1,3 +1,15 @@
+2021-08-24  Keith Miller  
+
+(r281473) stress/for-in-has-own-property-shouldnt-flush-registers.js failing on Debug
+https://bugs.webkit.org/show_bug.cgi?id=229448
+
+Reviewed by Mark Lam.
+
+Add missing exception checks.
+
+* dfg/DFGOperations.cpp:
+(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+
 2021-08-24  Commit Queue  
 
 Unreviewed, reverting r281321.


Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (281499 => 281500)

--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-08-24 17:57:38 UTC (rev 281499)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-08-24 17:58:29 UTC (rev 281500)
@@ -2532,7 +2532,7 @@
 JSValue base = JSValue::decode(baseValue);
 RETURN_IF_EXCEPTION(scope, { });
 if (modeNumber == JSPropertyNameEnumerator::IndexedMode && base.isObject())
-return JSValue::encode(jsBoolean(jsCast(base)->hasProperty(globalObject, index)));
+RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(jsCast(base)->hasProperty(globalObject, index;
 
 JSString* propertyName = jsSecureCast(vm, JSValue::decode(propertyNameValue));
 RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(CommonSlowPaths::opInByVal(globalObject, base, propertyName;
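Review bot: the IndexedMode early return calls hasProperty(globalObject, index), which can run script (a Proxy "has" trap, or a lookup along the prototype chain) and therefore throw; returning through a plain return leaves the throw scope unreleased, which is consistent with the Debug-only failure in the title. RELEASE_AND_RETURN is the right fix and is behaviour-neutral in release builds; the same correction is needed on the hasOwnProperty early return in the next hunk, and this hunk's existing slow path already uses it.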
@@ -2548,7 +2548,7 @@
 JSValue base = JSValue::decode(baseValue);
 RETURN_IF_EXCEPTION(scope, { });
 if (modeNumber == JSPropertyNameEnumerator::IndexedMode && base.isObject())
-return JSValue::encode(jsBoolean(jsCast(base)->hasOwnProperty(globalObject, index)));
+RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(jsCast(base)->hasOwnProperty(globalObject, index;
 
 JSString* propertyName = jsSecureCast(vm, JSValue::decode(propertyNameValue));
 auto identifier = propertyName->toIdentifier(globalObject);
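Review bot: after the hasOwnProperty early return is fixed here, the slow path continues with propertyName->toIdentifier(globalObject), which can also throw; the hunk is cut off after that line, so confirm a RETURN_IF_EXCEPTION(scope, ...) follows it before the identifier is used.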






[webkit-changes] [281029] trunk

2021-08-13 Thread keith_miller
Title: [281029] trunk

Revision 281029
Author keith_mil...@apple.com
Date 2021-08-13 12:29:04 -0700 (Fri, 13 Aug 2021)


Log Message
EnumeratorNextUpdatePropertyName always needs to be able to handle IndexedMode
https://bugs.webkit.org/show_bug.cgi?id=229087

Reviewed by Filip Pizlo.

JSTests:

* stress/for-in-own-structure-and-generic-with-late-add-indexed.js: Added.
(test):
(Foo):

Source/_javascript_Core:

Right now, this operation incorrectly assumes that EnumeratorNextUpdateIndexAndMode will guarantee
the mode matches the seen mode set. But no speculation is guaranteed and adding such a guarantee
would require adding checkpoints, which is likely not worth it. Instead, this patch just makes
sure we always handle the allocation for IndexedMode.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp


Added Paths

trunk/JSTests/stress/for-in-own-structure-and-generic-with-late-add-indexed.js




Diff

Modified: trunk/JSTests/ChangeLog (281028 => 281029)

--- trunk/JSTests/ChangeLog	2021-08-13 19:10:25 UTC (rev 281028)
+++ trunk/JSTests/ChangeLog	2021-08-13 19:29:04 UTC (rev 281029)
@@ -1,3 +1,14 @@
+2021-08-13  Keith Miller  
+
+EnumeratorNextUpdatePropertyName always needs to be able to handle IndexedMode
+https://bugs.webkit.org/show_bug.cgi?id=229087
+
+Reviewed by Filip Pizlo.
+
+* stress/for-in-own-structure-and-generic-with-late-add-indexed.js: Added.
+(test):
+(Foo):
+
 2021-08-11  Yusuke Suzuki  
 
 WTFCrash in JSC::Lexer::append8


Added: trunk/JSTests/stress/for-in-own-structure-and-generic-with-late-add-indexed.js (0 => 281029)

--- trunk/JSTests/stress/for-in-own-structure-and-generic-with-late-add-indexed.js	(rev 0)
+++ trunk/JSTests/stress/for-in-own-structure-and-generic-with-late-add-indexed.js	2021-08-13 19:29:04 UTC (rev 281029)
@@ -0,0 +1,28 @@
+function test(o) {
+let sum = 0;
+for (let i in o)
+sum += o[i];
+return sum;
+}
+noInline(test);
+
+Object.defineProperty(Object.prototype, "foo", { enumerable: true, value: 4 });
+
+class Foo extends Array {
+b = 1;
+}
+
+let object = new Foo();
+let object2 = new Foo();
+object2.length = 100;
+object2.fill(1);
+
+for (let i = 0; i < 1e5; ++i) {
+let sum = test(object);
+if (sum !== 5)
+throw new Error(sum);
+}
+
+let sum = test(object2);
+if (sum !== 105)
+throw new Error(sum);
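Review bot: the warm-up runs test() 1e5 times on `object`, which has no indexed properties, so the compiled code has only ever seen OwnStructureMode/GenericMode before object2 (length 100, filled with 1) forces IndexedMode; that is exactly the path the fix covers. The expected sums are right: 1 (own field b) + 4 (enumerable Object.prototype.foo) = 5, and 100 + 1 + 4 = 105. Consider noting in a comment that the class must extend Array so the late object actually takes the indexed path, otherwise a future edit could quietly turn this into a plain-object test.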


Modified: trunk/Source/_javascript_Core/ChangeLog (281028 => 281029)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-13 19:10:25 UTC (rev 281028)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-13 19:29:04 UTC (rev 281029)
@@ -1,3 +1,20 @@
+2021-08-13  Keith Miller  
+
+EnumeratorNextUpdatePropertyName always needs to be able to handle IndexedMode
+https://bugs.webkit.org/show_bug.cgi?id=229087
+
+Reviewed by Filip Pizlo.
+
+Right now, this operation incorrectly assumes that EnumeratorNextUpdateIndexAndMode will guarantee
+the mode matches the seen mode set. But no speculation is guaranteed and adding such a guarantee
+would require adding checkpoints, which is likely not worth it. Instead, this patch just makes
+sure we always handle the allocation for IndexedMode.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
 2021-08-12  Mark Lam  
 
 Refactor some ARM64EHash code.


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281028 => 281029)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-13 19:10:25 UTC (rev 281028)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-13 19:29:04 UTC (rev 281029)
@@ -13591,17 +13591,13 @@
 MacroAssembler::JumpList doneCases;
 MacroAssembler::Jump operationCall;
 
-bool needsOperation = seenModes.contains(JSPropertyNameEnumerator::IndexedMode);
+// Make sure we flush on all code paths if we will call the operation.
+// Note: we can't omit the operation because we are not guaranteed EnumeratorUpdateIndexAndMode will speculate on the mode.
+flushRegisters();
 
-// Make sure we flush on all code paths if we could call the operation.
-if (needsOperation)
-flushRegisters();
-
 if (seenModes.containsAny({ JSPropertyNameEnumerator::OwnStructureMode, JSPropertyNameEnumerator::GenericMode })) {
+operationCall = m_jit.branchTest32(MacroAssembler::NonZero, mode, TrustedImm32(JSPropertyNameEnumerator::IndexedMode));
 
-if (needsOperation)
-opera
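Review bot: the new comment names EnumeratorUpdateIndexAndMode, while the ChangeLog entry for this change says EnumeratorNextUpdateIndexAndMode; use one node name in both places so the reasoning can be followed from the code to the bug. Making flushRegisters() unconditional also means the OwnStructureMode/GenericMode paths now pay for a flush even when IndexedMode was never seen; the ChangeLog accepts that as cheaper than adding checkpoints, and a short note to that effect in the code comment would save the next reader from re-deriving it.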

[webkit-changes] [280858] trunk/Source

2021-08-10 Thread keith_miller
Title: [280858] trunk/Source








Revision 280858
Author keith_mil...@apple.com
Date 2021-08-10 11:17:15 -0700 (Tue, 10 Aug 2021)


Log Message
CallFrame::returnPC should untag the return address before passing it to ReturnAddressPtr
https://bugs.webkit.org/show_bug.cgi?id=228931

Reviewed by Mark Lam.

Source/_javascript_Core:

Right now current debugging code expects that the JS return PC on
the stack is already unsigned. This is not true on arm64e.
This patch now properly unsigns the return PC before passing it to
the ReturnAddressPC constructor.

* assembler/MacroAssemblerCodeRef.h:
(JSC::ReturnAddressPtr::fromTaggedPC):
* interpreter/AbstractPC.cpp:
(JSC::AbstractPC::AbstractPC):
* interpreter/AbstractPC.h:
(JSC::AbstractPC::AbstractPC):
(JSC::AbstractPC::jitReturnAddress const):
* interpreter/CallFrame.h:
(JSC::CallFrame::returnPC const):

Source/WTF:

Add a new helper to untag the return pc from a stack frame.

* wtf/PtrTag.h:
(WTF::untagReturnPC):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h
trunk/Source/_javascript_Core/interpreter/AbstractPC.cpp
trunk/Source/_javascript_Core/interpreter/AbstractPC.h
trunk/Source/_javascript_Core/interpreter/CallFrame.h
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/PtrTag.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (280857 => 280858)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-10 18:06:55 UTC (rev 280857)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-10 18:17:15 UTC (rev 280858)
@@ -1,3 +1,25 @@
+2021-08-10  Keith Miller  
+
+CallFrame::returnPC should untag the return address before passing it to ReturnAddressPtr
+https://bugs.webkit.org/show_bug.cgi?id=228931
+
+Reviewed by Mark Lam.
+
+Right now current debugging code expects that the JS return PC on
+the stack is already unsigned. This is not true on arm64e.
+This patch now properly unsigns the return PC before passing it to
+the ReturnAddressPC constructor.
+
+* assembler/MacroAssemblerCodeRef.h:
+(JSC::ReturnAddressPtr::fromTaggedPC):
+* interpreter/AbstractPC.cpp:
+(JSC::AbstractPC::AbstractPC):
+* interpreter/AbstractPC.h:
+(JSC::AbstractPC::AbstractPC):
+(JSC::AbstractPC::jitReturnAddress const):
+* interpreter/CallFrame.h:
+(JSC::CallFrame::returnPC const):
+
 2021-08-10  Kimmo Kinnunen  
 
 Scripts/generate-derived-sources.sh: line 19: [: binary operator expected while building Source/WebKit
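Review bot: the description says the PC is passed to "the ReturnAddressPC constructor", but the class in this patch is ReturnAddressPtr (the new helper is ReturnAddressPtr::fromTaggedPC, listed two lines below in the same entry); fix the name so the ChangeLog matches the code.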


Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (280857 => 280858)

--- trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h	2021-08-10 18:06:55 UTC (rev 280857)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h	2021-08-10 18:17:15 UTC (rev 280858)
@@ -243,6 +243,11 @@
 ASSERT_VALID_CODE_POINTER(m_value);
 }
 
+static ReturnAddressPtr fromTaggedPC(const void* pc, const void* sp)
+{
+return ReturnAddressPtr(untagReturnPC(pc, sp));
+}
+
 const void* value() const
 {
 return m_value;
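Review bot: fromTaggedPC(pc, sp) hands both values to untagReturnPC, and on arm64e the result is only meaningful when sp is the stack pointer the return address was signed against; the CallFrame::returnPC caller is not visible in this excerpt, so a one-line comment on the new function stating which sp callers must pass would make that contract explicit. The ReturnAddressPtr constructor's ASSERT_VALID_CODE_POINTER then checks the untagged value, which is the right place for a bad untag to fail loudly.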


Modified: trunk/Source/_javascript_Core/interpreter/AbstractPC.cpp (280857 => 280858)

--- trunk/Source/_javascript_Core/interpreter/AbstractPC.cpp	2021-08-10 18:06:55 UTC (rev 280857)
+++ trunk/Source/_javascript_Core/interpreter/AbstractPC.cpp	2021-08-10 18:17:15 UTC (rev 280858)
@@ -38,7 +38,7 @@
 
 #if ENABLE(JIT)
 if (Options::useJIT()) {
-m_pointer = callFrame->returnPC().value();
+m_pointer = callFrame->returnPC();
 m_mode = JIT;
 return;
 }


Modified: trunk/Source/_javascript_Core/interpreter/AbstractPC.h (280857 => 280858)

--- trunk/Source/_javascript_Core/interpreter/AbstractPC.h	2021-08-10 18:06:55 UTC (rev 280857)
+++ trunk/Source/_javascript_Core/interpreter/AbstractPC.h	2021-08-10 18:17:15 UTC (rev 280858)
@@ -44,10 +44,9 @@
 
 #if ENABLE(JIT)
 AbstractPC(ReturnAddressPtr ptr)
-: m_pointer(ptr.value())
+: m_pointer(ptr)
 , m_mode(JIT)
 {
-assertIsTaggedWith(m_pointer);
 }
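Review bot: assertIsTaggedWith(m_pointer) is dropped here with no replacement in this file; since m_pointer is now a ReturnAddressPtr and that constructor runs ASSERT_VALID_CODE_POINTER (see the MacroAssemblerCodeRef.h hunk above), the check has moved rather than disappeared, but the ChangeLog should say so, because a removed tagging assertion in PAC-related code otherwise looks like a weakening.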
 
 bool hasJITReturnAddress() const { return m_mode == JIT; }
@@ -54,7 +53,7 @@
 ReturnAddressPtr jitReturnAddress() const
 {
 ASSERT(hasJITReturnAddress());
-return ReturnAddressPtr(m_pointer);
+return m_pointer;
 }
 #endif
 
@@ -63,7 +62,7 @@
 
 private:
 #if ENABLE(JIT)
-const void* m_pointer { nullptr };
+ReturnAddressPtr m_pointer;
 #endif
 
 enum Mode { None, JIT, Interpreter };
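Review bot: the old member was explicitly initialized (`const void* m_pointer { nullptr };`), whereas `ReturnAddressPtr m_pointer;` relies on ReturnAddressPtr's default constructor, which is not shown in this diff. The None and Interpreter modes never assign it and only hasJITReturnAddress() guards reads, so confirm that the default constructor zeroes the value (or write `ReturnAddressPtr m_pointer { };`) to rule out an indeterminate pointer in those modes.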


Modified: trunk/Source/_javascript_Core/interpreter/CallFrame.h (280857 => 280858)

--- trunk/Source/_javascript_Core/interpreter/CallFrame.h	2021-08-10 18:06:55 UTC (rev 280857)
+++ trunk/Source/_javascript_Core/interpreter/CallFrame.h	2021-08-10 18:17:15 UTC (rev 280858)
@@ -149,7 +149,7 @@
 
 static ptrdiff_t callerFrameOffset() { return OBJECT_OFFSETOF(CallerFrameAnd

[webkit-changes] [280799] trunk/Source/JavaScriptCore

2021-08-09 Thread keith_miller
Title: [280799] trunk/Source/_javascript_Core








Revision 280799
Author keith_mil...@apple.com
Date 2021-08-09 14:38:38 -0700 (Mon, 09 Aug 2021)


Log Message
Revert bad assert about the number of upsilons going into a phi
https://bugs.webkit.org/show_bug.cgi?id=228922

Reviewed by Yusuke Suzuki.

This assert was invalid because we sometimes emit unreachable phis
that don't have any incoming upsilons. Specifically for MultiGetByOffset.

* ftl/FTLOutput.h:
(JSC::FTL::Output::phi):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/ftl/FTLOutput.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (280798 => 280799)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-09 21:24:50 UTC (rev 280798)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-09 21:38:38 UTC (rev 280799)
@@ -1,3 +1,16 @@
+2021-08-09  Keith Miller  
+
+Revert bad assert about the number of upsilons going into a phi
+https://bugs.webkit.org/show_bug.cgi?id=228922
+
+Reviewed by Yusuke Suzuki.
+
+This assert was invalid because we sometimes emit unreachable phis
+that don't have any incoming upsilons. Specifically for MultiGetByOffset.
+
+* ftl/FTLOutput.h:
+(JSC::FTL::Output::phi):
+
 2021-08-09  Michael Catanzaro  
 
 Adding missing REFERENCED_FROM_ASM annotations to facilitate LTO


Modified: trunk/Source/_javascript_Core/ftl/FTLOutput.h (280798 => 280799)

--- trunk/Source/_javascript_Core/ftl/FTLOutput.h	2021-08-09 21:24:50 UTC (rev 280798)
+++ trunk/Source/_javascript_Core/ftl/FTLOutput.h	2021-08-09 21:38:38 UTC (rev 280799)
@@ -482,7 +482,6 @@
 template
 inline LValue Output::phi(LType type, const VectorType& vector)
 {
-ASSERT(vector.size());
 LValue phiNode = phi(type);
 for (const ValueFromBlock& valueFromBlock : vector)
 addIncomingToPhi(phiNode, valueFromBlock);
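Review bot: removing ASSERT(vector.size()) lets phi() build a phi with no incoming upsilons, and the reason (unreachable phis emitted for MultiGetByOffset) lives only in the ChangeLog. Put that sentence as a comment on the line where the assert was, so nobody reinstates the assert later without knowing why it was dropped.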






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [280191] trunk/Source/JavaScriptCore

2021-07-22 Thread keith_miller
Title: [280191] trunk/Source/_javascript_Core








Revision 280191
Author keith_mil...@apple.com
Date 2021-07-22 12:12:21 -0700 (Thu, 22 Jul 2021)


Log Message
useProfiler option should automatically disable concurrent JIT
https://bugs.webkit.org/show_bug.cgi?id=228152

Reviewed by Saam Barati.

The bytecode profiler is not thread safe so we should have
recomputeDependentOptions() disable concurrent JIT. Also, fix the
jsc CLI to set the useProfiler option rather than have its own
state. Note, we call Options::setOption() rather than setting the
Options::useProfiler() option directly as setOption calls
recomputeDependentOptions() for us.

* jsc.cpp:
(CommandLine::parseArguments):
(runJSC):
* runtime/Options.cpp:
(JSC::Options::recomputeDependentOptions):
(JSC::Options::ensureOptionsAreCoherent):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jsc.cpp
trunk/Source/_javascript_Core/runtime/Options.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (280190 => 280191)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-22 19:00:36 UTC (rev 280190)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-22 19:12:21 UTC (rev 280191)
@@ -1,3 +1,24 @@
+2021-07-22  Keith Miller  
+
+useProfiler option should automatically disable concurrent JIT
+https://bugs.webkit.org/show_bug.cgi?id=228152
+
+Reviewed by Saam Barati.
+
+The bytecode profiler is not thread safe so we should have
+recomputeDependentOptions() disable concurrent JIT. Also, fix the
+jsc CLI to set the useProfiler option rather than have its own
+state. Note, we call Options::setOption() rather than setting the
+Options::useProfiler() option directly as setOption calls
+recomputeDependentOptions() for us.
+
+* jsc.cpp:
+(CommandLine::parseArguments):
+(runJSC):
+* runtime/Options.cpp:
+(JSC::Options::recomputeDependentOptions):
+(JSC::Options::ensureOptionsAreCoherent):
+
 2021-07-21  Yijia Huang  
 
 Fix type check error in testb3


Modified: trunk/Source/_javascript_Core/jsc.cpp (280190 => 280191)

--- trunk/Source/_javascript_Core/jsc.cpp	2021-07-22 19:00:36 UTC (rev 280190)
+++ trunk/Source/_javascript_Core/jsc.cpp	2021-07-22 19:12:21 UTC (rev 280191)
@@ -429,7 +429,6 @@
 bool m_module { false };
 bool m_exitCode { false };
 bool m_destroyVM { false };
-bool m_profile { false };
 bool m_treatWatchdogExceptionAsSuccess { false };
 bool m_alwaysDumpUncaughtException { false };
 bool m_dumpMemoryFootprint { false };
@@ -3265,7 +3264,7 @@
 if (!strcmp(arg, "-p")) {
 if (++i == argc)
 printUsageStatement();
-m_profile = true;
+Options::setOption("useProfiler=1");
 m_profilerOutput = argv[i];
 continue;
 }
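Review bot: the result of Options::setOption("useProfiler=1") is discarded in the -p branch; if the option fails to apply, m_profilerOutput is still set and runJSC later consults Options::useProfiler() to decide whether to save, so profiling would silently produce nothing. Check the return value (or RELEASE_ASSERT it) next to the existing printUsageStatement() path.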
@@ -3454,9 +3453,6 @@
 JSLockHolder locker(vm);
 
 startTimeoutThreadIfNeeded(vm);
-if (options.m_profile && !vm.m_perBytecodeProfiler)
-vm.m_perBytecodeProfiler = makeUnique(vm);
-
 globalObject = GlobalObject::create(vm, GlobalObject::createStructure(vm, jsNull()), options.m_arguments);
 globalObject->setRemoteDebuggingEnabled(options.m_enableRemoteDebugging);
 func(vm, globalObject, success);
@@ -3478,7 +3474,7 @@
 printf("\n");
 }
 
-if (options.m_profile) {
+if (Options::useProfiler()) {
 JSLockHolder locker(vm);
 if (!vm.m_perBytecodeProfiler->save(options.m_profilerOutput.utf8().data()))
 fprintf(stderr, "could not save profiler output.\n");
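Review bot: this hunk still dereferences vm.m_perBytecodeProfiler->save(...) whenever Options::useProfiler() is set, but the hunk above removed the only creation of the profiler in runJSC (`vm.m_perBytecodeProfiler = makeUnique(vm);`). The change therefore depends on the VM constructing m_perBytecodeProfiler itself when useProfiler is on, which is outside this diff; a null check here, or an ASSERT with a comment naming where the profiler is now created, would make that dependency visible.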


Modified: trunk/Source/_javascript_Core/runtime/Options.cpp (280190 => 280191)

--- trunk/Source/_javascript_Core/runtime/Options.cpp	2021-07-22 19:00:36 UTC (rev 280190)
+++ trunk/Source/_javascript_Core/runtime/Options.cpp	2021-07-22 19:12:21 UTC (rev 280191)
@@ -508,6 +508,9 @@
 Options::useConcurrentJIT() = false;
 }
 
+if (Options::useProfiler())
+Options::useConcurrentJIT() = false;
+
 if (Options::alwaysUseShadowChicken())
 Options::maximumInliningDepth() = 1;
 
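Review bot: the new block silently flips useConcurrentJIT() off whenever useProfiler() is set, so a user who explicitly enables concurrent JIT together with the profiler gets a changed option rather than a message. Since the ensureOptionsAreCoherent() hunk below treats the same combination as fatal, logging the override here would tell the user why their setting did not take effect.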
@@ -1037,6 +1040,10 @@
 coherent = false;
 dataLog("INCOHERENT OPTIONS: at least one of useWasmLLInt or useBBQJIT must be true\n");
 }
+if (useProfiler() && useConcurrentJIT()) {
+coherent = false;
+dataLogLn("Bytecode profiler is not concurrent JIT safe.");
+}
 if (!coherent)
 CRASH();
 }
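Review bot: style: the new diagnostic uses dataLogLn(...) while the adjacent one two lines up uses dataLog(... "\n"); pick one form within this function. The message should also name the options involved, as the neighbouring useWasmLLInt/useBBQJIT message does (for example "useProfiler and useConcurrentJIT cannot both be true"), so the CRASH() that follows is actionable.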








[webkit-changes] [280149] trunk/Source/JavaScriptCore

2021-07-21 Thread keith_miller
Title: [280149] trunk/Source/_javascript_Core








Revision 280149
Author keith_mil...@apple.com
Date 2021-07-21 10:48:56 -0700 (Wed, 21 Jul 2021)


Log Message
speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType branch
https://bugs.webkit.org/show_bug.cgi?id=228146

Reviewed by Robin Morisset.

Since StringType and HeapBigIntType are adjacent JSTypes
we can do an integer range check rather than two separate
JSType checks.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (280148 => 280149)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-21 17:24:44 UTC (rev 280148)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-21 17:48:56 UTC (rev 280149)
@@ -1,3 +1,19 @@
+2021-07-21  Keith Miller  
+
+speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType branch
+https://bugs.webkit.org/show_bug.cgi?id=228146
+
+Reviewed by Robin Morisset.
+
+Since StringType and HeapBigIntType are adjacent JSTypes
+we can do an integer range check rather than two separate
+JSType checks.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
 2021-07-20  Yijia Huang  
 
 Add ARM64 EON opcode and select it in AIR


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (280148 => 280149)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-07-21 17:24:44 UTC (rev 280148)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-07-21 17:48:56 UTC (rev 280149)
@@ -11788,8 +11788,8 @@
 if (mayNotBeCell)
 done.append(m_jit.branchIfNotCell(regs));
 
-DFG_TYPE_CHECK(regs, edge, ~SpecString, m_jit.branchIfString(regs.payloadGPR()));
-DFG_TYPE_CHECK(regs, edge, ~SpecHeapBigInt, m_jit.branchIfHeapBigInt(regs.payloadGPR()));
+static_assert(StringType + 1 == HeapBigIntType);
+DFG_TYPE_CHECK(regs, edge, ~(SpecString | SpecHeapBigInt), m_jit.branchIfType(regs.payloadGPR(), JSTypeRange { StringType, HeapBigIntType }));
 
 if (mayBeInt32 || mayNotBeCell)
 done.link(&m_jit);
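Review bot: the static_assert(StringType + 1 == HeapBigIntType) carries no message; add one saying that the single DFG_TYPE_CHECK below relies on the two JSTypes being adjacent, so a future reordering of JSType fails with a diagnostic that points at this check rather than an unexplained assertion. The same applies to the copy in the FTLLowerDFGToB3.cpp hunk.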


Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (280148 => 280149)

--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-07-21 17:24:44 UTC (rev 280148)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-07-21 17:48:56 UTC (rev 280149)
@@ -18665,8 +18665,9 @@
 m_out.branch(isCell(value, provenType(edge)), unsure(isCellBlock), unsure(continuation));
 
 m_out.appendTo(isCellBlock, continuation);
-FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecString, isString(value));
-FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecHeapBigInt, isHeapBigInt(value));
+
+static_assert(StringType + 1 == HeapBigIntType);
+FTL_TYPE_CHECK(jsValueValue(value), edge, ~(SpecString | SpecHeapBigInt), isType(value, JSTypeRange { StringType, HeapBigIntType }));
 m_out.jump(continuation);
 
 m_out.appendTo(continuation, lastNext);
@@ -19007,11 +19008,23 @@
 m_out.constInt32(MasqueradesAsUndefined | OverridesGetCallData));
 }
 
+LValue isType(LValue cell, JSTypeRange range)
+{
+if (range.last == range.first) {
+return m_out.equal(
+m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
+m_out.constInt32(range.first));
+}
+
+ASSERT(range.last > range.first);
+return m_out.belowOrEqual(
+m_out.sub(m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType), m_out.constInt32(range.first)),
+m_out.constInt32(range.last - range.first));
+}
+
 LValue isType(LValue cell, JSType type)
 {
-return m_out.equal(
-m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
-m_out.constInt32(type));
+return isType(cell, JSTypeRange { type, type });
 }
 
 LValue isNotType(LValue cell, JSType type)
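Review bot: the fast path encodes `(type - first) <= (last - first)` with an unsigned compare (belowOrEqual), which is correct only while range.last >= range.first. That precondition is guarded by ASSERT(range.last > range.first), which is compiled out of release builds; with an inverted range, constInt32(range.last - range.first) wraps to 0xFFFFFFFF and the emitted check accepts every cell type, turning a type check into a no-op. Validate the range where JSTypeRange is constructed (or use RELEASE_ASSERT here) so the failure is loud in release builds too.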

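As an added illustration of the range trick this commit's log message describes (not WebKit code; the FakeJSType values, the JSTypeRange struct and the function names below are constructed for the example), here is the single unsigned comparison that replaces two JSType compares, cross-checked exhaustively against the two-branch form, together with the inverted-range failure mode that the ASSERT in the FTL hunk guards against:

```cpp
#include <cstdint>

// Constructed stand-in for a slice of JSC's JSType enum. The real numeric
// values are not reproduced; only the adjacency the patch relies on matters.
enum FakeJSType : uint8_t {
    ObjectType = 20,
    ArrayType = 21,
    StringType = 22,
    HeapBigIntType = 23, // adjacent to StringType, as the patch's static_assert requires
    SymbolType = 24,
};

// Inclusive range of type bytes, mirroring the JSTypeRange { first, last } shape in the diff.
struct JSTypeRange {
    FakeJSType first;
    FakeJSType last;
};

// Two separate compares: what the code did before the patch.
inline bool isStringOrHeapBigIntTwoBranches(uint8_t type)
{
    return type == StringType || type == HeapBigIntType;
}

// One compare: (type - first) <= (last - first) in unsigned arithmetic.
// A type below `first` wraps to a large unsigned offset and so fails the
// bound, which is why a single unsigned comparison covers both ends.
inline bool isTypeInRange(uint8_t type, JSTypeRange range)
{
    if (range.first == range.last)
        return type == range.first;
    uint32_t offset = static_cast<uint32_t>(type) - static_cast<uint32_t>(range.first);
    uint32_t width = static_cast<uint32_t>(range.last) - static_cast<uint32_t>(range.first);
    return offset <= width;
}

// Exhaustive cross-check over every possible type byte.
bool rangeCheckMatchesTwoBranchForm()
{
    static_assert(StringType + 1 == HeapBigIntType, "range check relies on StringType and HeapBigIntType being adjacent");
    JSTypeRange range { StringType, HeapBigIntType };
    for (unsigned t = 0; t < 256; ++t) {
        uint8_t type = static_cast<uint8_t>(t);
        if (isTypeInRange(type, range) != isStringOrHeapBigIntTwoBranches(type))
            return false;
    }
    return true;
}

// Failure mode: an inverted range. The patch's ASSERT(range.last > range.first)
// catches this in debug builds; in release the subtraction wraps and every type
// passes. Counting accepted types makes the difference visible.
unsigned acceptedTypeCount(JSTypeRange range)
{
    unsigned count = 0;
    for (unsigned t = 0; t < 256; ++t)
        count += isTypeInRange(static_cast<uint8_t>(t), range);
    return count;
}
```

The two-branch and range forms agree on all 256 type bytes for the adjacent pair; with the range inverted, acceptedTypeCount reports 256, which is the silent release-build outcome the ASSERT is there to prevent.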







[webkit-changes] [279977] trunk/Source/JavaScriptCore

2021-07-15 Thread keith_miller
Title: [279977] trunk/Source/_javascript_Core








Revision 279977
Author keith_mil...@apple.com
Date 2021-07-15 22:02:05 -0700 (Thu, 15 Jul 2021)


Log Message
Alias JSC graph dumping options
https://bugs.webkit.org/show_bug.cgi?id=228015

Reviewed by Yusuke Suzuki.

My brain seems to associate the phases with the tier we are compiling in
rather than the type of graph we are processing. At this point it's
probably easier to just add an alias rather than convince me otherwise.

* runtime/OptionsList.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/OptionsList.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (279976 => 279977)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-16 04:10:49 UTC (rev 279976)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-16 05:02:05 UTC (rev 279977)
@@ -1,3 +1,16 @@
+2021-07-15  Keith Miller  
+
+Alias JSC graph dumping options
+https://bugs.webkit.org/show_bug.cgi?id=228015
+
+Reviewed by Yusuke Suzuki.
+
+My brain seems to associate the phases with the tier we are compiling in
+rather than the type of graph we are processing. At this point it's
+probably easier to just add an alias rather than convince me otherwise.
+
+* runtime/OptionsList.h:
+
 2021-07-15  Yusuke Suzuki  
 
 [JSC] SamplingProfiler should recognize RegExp execution


Modified: trunk/Source/_javascript_Core/runtime/OptionsList.h (279976 => 279977)

--- trunk/Source/_javascript_Core/runtime/OptionsList.h	2021-07-16 04:10:49 UTC (rev 279976)
+++ trunk/Source/_javascript_Core/runtime/OptionsList.h	2021-07-16 05:02:05 UTC (rev 279977)
@@ -565,6 +565,10 @@
 v(showDisassembly, dumpDisassembly, SameOption) \
 v(showDFGDisassembly, dumpDFGDisassembly, SameOption) \
 v(showFTLDisassembly, dumpFTLDisassembly, SameOption) \
+v(dumpGraphAtEachDFGFTLPhase, dumpDFGFTLGraphAtEachPhase, SameOption) \
+v(dumpGraphAtEachDFGPhase, dumpDFGGraphAtEachPhase, SameOption) \
+v(dumpGraphAtEachB3Phase, dumpB3GraphAtEachPhase, SameOption) \
+v(dumpGraphAtEachAirPhase, dumpAirGraphAtEachPhase, SameOption) \
 v(alwaysDoFullCollection, useGenerationalGC, InvertedOption) \
 v(enableOSREntryToDFG, useOSREntryToDFG, SameOption) \
 v(enableOSREntryToFTL, useOSREntryToFTL, SameOption) \








[webkit-changes] [279923] trunk/JSTests

2021-07-14 Thread keith_miller
Title: [279923] trunk/JSTests








Revision 279923
Author keith_mil...@apple.com
Date 2021-07-14 15:04:39 -0700 (Wed, 14 Jul 2021)


Log Message
Unreviewed, test gardening.

* stress/bit-op-with-object-returning-int32.js:
* stress/bitwise-not-fixup-rules.js:
(jscOptions):

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/bit-op-with-object-returning-int32.js
trunk/JSTests/stress/bitwise-not-fixup-rules.js




Diff

Modified: trunk/JSTests/ChangeLog (279922 => 279923)

--- trunk/JSTests/ChangeLog	2021-07-14 21:18:22 UTC (rev 279922)
+++ trunk/JSTests/ChangeLog	2021-07-14 22:04:39 UTC (rev 279923)
@@ -1,3 +1,11 @@
+2021-07-14  Keith Miller  
+
+Unreviewed, test gardening.
+
+* stress/bit-op-with-object-returning-int32.js:
+* stress/bitwise-not-fixup-rules.js:
+(jscOptions):
+
 2021-07-14  Mark Lam  
 
 Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape().


Modified: trunk/JSTests/stress/bit-op-with-object-returning-int32.js (279922 => 279923)

--- trunk/JSTests/stress/bit-op-with-object-returning-int32.js	2021-07-14 21:18:22 UTC (rev 279922)
+++ trunk/JSTests/stress/bit-op-with-object-returning-int32.js	2021-07-14 22:04:39 UTC (rev 279923)
@@ -9,7 +9,7 @@
 }
 noInline(bitAnd);
 
-if (jscOptions().useExecutableAllocationFuzz !== true) {
+if (!jscOptions().useExecutableAllocationFuzz) {
 
 var o = { valueOf: () => 0b1101 };
 


Modified: trunk/JSTests/stress/bitwise-not-fixup-rules.js (279922 => 279923)

--- trunk/JSTests/stress/bitwise-not-fixup-rules.js	2021-07-14 21:18:22 UTC (rev 279922)
+++ trunk/JSTests/stress/bitwise-not-fixup-rules.js	2021-07-14 22:04:39 UTC (rev 279923)
@@ -10,7 +10,7 @@
 }
 noInline(foo);
 
-if (jscOptions().useExecutableAllocationFuzz !== true) {
+if (!jscOptions().useExecutableAllocationFuzz) {
 let c = 0;
 let o = {
 valueOf: () => {








[webkit-changes] [279916] trunk

2021-07-14 Thread keith_miller
Title: [279916] trunk








Revision 279916
Author keith_mil...@apple.com
Date 2021-07-14 12:58:16 -0700 (Wed, 14 Jul 2021)


Log Message
Convert small JIT pool tests into executable fuzzing
https://bugs.webkit.org/show_bug.cgi?id=226279

Source/_javascript_Core:

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

Reviewed by Michael Saboff.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::numberOfDFGCompiles):
* jit/ExecutableAllocationFuzz.cpp:
(JSC::doExecutableAllocationFuzzing):
* jsc.cpp:
(runJSC):

Tools:

Reviewed by Michael Saboff.

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

* Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
* Scripts/run-jsc-stress-tests:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp
trunk/Tools/ChangeLog
trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz
trunk/Tools/Scripts/run-jsc-stress-tests




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (279915 => 279916)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-14 19:15:56 UTC (rev 279915)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-14 19:58:16 UTC (rev 279916)
@@ -1,3 +1,27 @@
+2021-07-14  Keith Miller  
+
+Convert small JIT pool tests into executable fuzzing
+https://bugs.webkit.org/show_bug.cgi?id=226279
+
+Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
+actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
+Instead of testing such a small pool we should just fuzz each executable allocation that says it
+can fail.
+
+The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
+fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
+by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
+flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
+
+Reviewed by Michael Saboff.
+
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::numberOfDFGCompiles):
+* jit/ExecutableAllocationFuzz.cpp:
+(JSC::doExecutableAllocationFuzzing):
+* jsc.cpp:
+(runJSC):
+
 2021-07-14  Mark Lam  
 
 Check for out of memory in JSC::globalFuncEscape() and JSC::globalFuncUnescape().


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (279915 => 279916)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-07-14 19:15:56 UTC (rev 279915)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-07-14 19:58:16 UTC (rev 279916)
@@ -2481,6 +2481,10 @@
 unsigned CodeBlock::numberOfDFGCompiles()
 {
 ASSERT(JITCode::isBaselineCode(jitType()));
+
+// FIXME: We don't really do a good job tracking when a compilation failed because of executable allocation fuzzing. https://bugs.webkit.org/show_bug.cgi?id=226276
+if (Options::useExecutableAllocationFuzz())
+return 100;
 if (Options::testTheFTL()) {
 if (m_didFailFTLCompilation)
 return 100;
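Review bot: the early return under useExecutableAllocationFuzz() reuses the magic value 100 that the testTheFTL branch below also returns; give it a name (for example a local `static constexpr unsigned saturatedCompileCount = 100`) so both sites express the same "treat as fully compiled" meaning, and keep the FIXME's bug link next to it.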


Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp (279915 => 279916)

--- trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp	2021-07-14 19:15:56 UTC (rev 279915)
+++ trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp	2021-07-14 19:58:16 UTC (rev 279916)
@@ -41,6 +41,8 @@
 
 ExecutableAllocationFuzzResult doExecutableAllocationFuzzing()
 {
+static W

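As an added example of the seeded, opt-in allocation-failure injection this commit's log message describes (not WebKit code; ExecutableAllocationFuzzer, shouldFailAllocation, decisionsForSeed and the repro line format are constructed for this illustration), written in C++ like the engine: only sites that declare they can fail are ever denied, the decision stream is a pure function of the seed so a failure can be replayed, and the seed is the one value a harness needs to log.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Seeded fault injector for allocation sites that declare they can fail.
class ExecutableAllocationFuzzer {
public:
    // failOneIn: deny roughly one fuzzable allocation in N.
    ExecutableAllocationFuzzer(uint64_t seed, uint32_t failOneIn)
        : m_seed(seed)
        , m_state(seed ? seed : 0x9E3779B97F4A7C15ull) // xorshift state must not be zero
        , m_failOneIn(failOneIn ? failOneIn : 1)
    {
    }

    uint64_t seed() const { return m_seed; }
    unsigned attempts() const { return m_attempts; }
    unsigned failures() const { return m_failures; }

    // Sites that cannot tolerate failure are never denied; every other site is
    // decided by the seeded generator, so the sequence is reproducible.
    bool shouldFailAllocation(bool canFail)
    {
        if (!canFail)
            return false;
        ++m_attempts;
        bool fail = (next() % m_failOneIn) == 0;
        if (fail)
            ++m_failures;
        return fail;
    }

    // What a harness should print next to a crash: the seed alone replays
    // the same deny/allow sequence. The line format is constructed here.
    void printReproHint(FILE* out) const
    {
        std::fprintf(out, "executable allocation fuzz seed: %llu\n",
            static_cast<unsigned long long>(m_seed));
    }

private:
    // xorshift64*: fast and deterministic; not a CSPRNG, which is fine for test fuzzing.
    uint64_t next()
    {
        m_state ^= m_state >> 12;
        m_state ^= m_state << 25;
        m_state ^= m_state >> 27;
        return m_state * 0x2545F4914F6CDD1Dull;
    }

    uint64_t m_seed;
    uint64_t m_state;
    uint32_t m_failOneIn;
    unsigned m_attempts { 0 };
    unsigned m_failures { 0 };
};

// Record the deny/allow decisions for `count` fuzzable allocations under one seed,
// so two runs with the same seed can be compared.
std::vector<bool> decisionsForSeed(uint64_t seed, unsigned count, uint32_t failOneIn = 4)
{
    ExecutableAllocationFuzzer fuzzer(seed, failOneIn);
    std::vector<bool> decisions;
    decisions.reserve(count);
    for (unsigned i = 0; i < count; ++i)
        decisions.push_back(fuzzer.shouldFailAllocation(true));
    return decisions;
}

// A site that cannot fail is never denied, whatever the seed or failure rate.
bool nonFailableSiteIsNeverDenied(uint64_t seed, unsigned count)
{
    ExecutableAllocationFuzzer fuzzer(seed, 1); // failOneIn == 1: deny every fuzzable site
    for (unsigned i = 0; i < count; ++i) {
        if (fuzzer.shouldFailAllocation(false))
            return false;
    }
    return fuzzer.attempts() == 0;
}
```

Two runs with the same seed yield an identical decision vector, which is the property the log message wants from a harness-supplied seed; a non-failable site never counts as an attempt, matching "fuzz each executable allocation that says it can fail".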
[webkit-changes] [279909] trunk/JSTests

2021-07-14 Thread keith_miller
Title: [279909] trunk/JSTests








Revision 279909
Author keith_mil...@apple.com
Date 2021-07-14 08:00:39 -0700 (Wed, 14 Jul 2021)


Log Message
Fix more tests around fuzzing executable allocations
https://bugs.webkit.org/show_bug.cgi?id=226663

Reviewed by Mark Lam.

* stress/bit-op-with-object-returning-int32.js:
(numberOfDFGCompiles): Deleted.
* stress/bitwise-not-fixup-rules.js:
(jscOptions):
(numberOfDFGCompiles): Deleted.

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/bit-op-with-object-returning-int32.js
trunk/JSTests/stress/bitwise-not-fixup-rules.js




Diff

Modified: trunk/JSTests/ChangeLog (279908 => 279909)

--- trunk/JSTests/ChangeLog	2021-07-14 11:55:18 UTC (rev 279908)
+++ trunk/JSTests/ChangeLog	2021-07-14 15:00:39 UTC (rev 279909)
@@ -1,3 +1,16 @@
+2021-07-14  Keith Miller  
+
+Fix more tests around fuzzing executable allocations
+https://bugs.webkit.org/show_bug.cgi?id=226663
+
+Reviewed by Mark Lam.
+
+* stress/bit-op-with-object-returning-int32.js:
+(numberOfDFGCompiles): Deleted.
+* stress/bitwise-not-fixup-rules.js:
+(jscOptions):
+(numberOfDFGCompiles): Deleted.
+
 2021-07-12  Saam Barati  
 
 Run some tests for fewer iterations to prevent test timeouts


Modified: trunk/JSTests/stress/bit-op-with-object-returning-int32.js (279908 => 279909)

--- trunk/JSTests/stress/bit-op-with-object-returning-int32.js	2021-07-14 11:55:18 UTC (rev 279908)
+++ trunk/JSTests/stress/bit-op-with-object-returning-int32.js	2021-07-14 15:00:39 UTC (rev 279909)
@@ -9,8 +9,7 @@
 }
 noInline(bitAnd);
 
-// This can fail if we are fuzzing executable allocation .
-if (numberOfDFGCompiles(bitAnd) === 0) {
+if (jscOptions().useExecutableAllocationFuzz !== true) {
 
 var o = { valueOf: () => 0b1101 };
 
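Review bot: the replaced condition carried a comment ("// This can fail if we are fuzzing executable allocation .") and the new one has none, so a reader sees the test body skipped under useExecutableAllocationFuzz with no stated reason. Keep a one-line comment above the if; the same applies to the bitwise-not-fixup-rules.js hunk below.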


Modified: trunk/JSTests/stress/bitwise-not-fixup-rules.js (279908 => 279909)

--- trunk/JSTests/stress/bitwise-not-fixup-rules.js	2021-07-14 11:55:18 UTC (rev 279908)
+++ trunk/JSTests/stress/bitwise-not-fixup-rules.js	2021-07-14 15:00:39 UTC (rev 279909)
@@ -10,8 +10,7 @@
 }
 noInline(foo);
 
-// This can fail when we are fuzzing executable allocation.
-if (!numberOfDFGCompiles(foo)) {
+if (jscOptions().useExecutableAllocationFuzz !== true) {
 let c = 0;
 let o = {
 valueOf: () => {








[webkit-changes] [279740] trunk/Source/JavaScriptCore

2021-07-08 Thread keith_miller
Title: [279740] trunk/Source/_javascript_Core








Revision 279740
Author keith_mil...@apple.com
Date 2021-07-08 11:54:16 -0700 (Thu, 08 Jul 2021)


Log Message
display-profiler-output should be able to print disassembly for the FTL
https://bugs.webkit.org/show_bug.cgi?id=227798

Reviewed by Saam Barati.

Right now running JSC with the bytecode profiler will not print
disassembly for FTL code. This patch adds this support. In order to get
execution counts there is a callback at the transition between each
DFG node in the Air disassembler. Since B3 code moves parts of
DFG nodes to different basic blocks we don't include execution
counts in the dump. However, the DFG-only graph printed before
the disassembly will still have the counts.

* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLState.cpp:
(JSC::FTL::State::dumpDisassembly):
* ftl/FTLState.h:
(JSC::FTL::State::dumpDisassembly):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/ftl/FTLCompile.cpp
trunk/Source/_javascript_Core/ftl/FTLLink.cpp
trunk/Source/_javascript_Core/ftl/FTLState.cpp
trunk/Source/_javascript_Core/ftl/FTLState.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (279739 => 279740)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-08 18:48:12 UTC (rev 279739)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-08 18:54:16 UTC (rev 279740)
@@ -1,3 +1,27 @@
+2021-07-08  Keith Miller  
+
+display-profiler-output should be able to print disassembly for the FTL
+https://bugs.webkit.org/show_bug.cgi?id=227798
+
+Reviewed by Saam Barati.
+
+Right now running JSC with the bytecode profiler will not print
+disassembly for FTL code. This patch adds this support. In order to get
+execution counts there is a callback at the transition between each
+DFG node in the Air disassembler. Since B3 code move parts of
+DFG nodes to different basic blocks we don't include execution
+counts in the dump. However, the DFG-only graph printed before
+the disassembly will still have the counts.
+
+* ftl/FTLCompile.cpp:
+(JSC::FTL::compile):
+* ftl/FTLLink.cpp:
+(JSC::FTL::link):
+* ftl/FTLState.cpp:
+(JSC::FTL::State::dumpDisassembly):
+* ftl/FTLState.h:
+(JSC::FTL::State::dumpDisassembly):
+
 2021-07-08  Yusuke Suzuki  
 
 Use JSC::Yarr::flagsString to get string representation of RegExp flags


Modified: trunk/Source/_javascript_Core/ftl/FTLCompile.cpp (279739 => 279740)

--- trunk/Source/_javascript_Core/ftl/FTLCompile.cpp	2021-07-08 18:48:12 UTC (rev 279739)
+++ trunk/Source/_javascript_Core/ftl/FTLCompile.cpp	2021-07-08 18:54:16 UTC (rev 279740)
@@ -55,7 +55,7 @@
 CodeBlock* codeBlock = graph.m_codeBlock;
 VM& vm = graph.m_vm;
 
-if (shouldDumpDisassembly())
+if (shouldDumpDisassembly() || vm.m_perBytecodeProfiler)
 state.proc->code().setDisassembler(makeUnique());
 
 if (!shouldDumpDisassembly() && !Options::asyncDisassembly() && !graph.compilation() && !state.proc->needsPCToOriginMap())
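Review bot: the disassembler is now installed when vm.m_perBytecodeProfiler is set, but the early return on the next line still tests only shouldDumpDisassembly(), Options::asyncDisassembly(), graph.compilation() and needsPCToOriginMap(). If the profiler case is meant to be covered by graph.compilation(), say so in a comment next to the new condition; otherwise the two conditions can disagree about whether the profiler run needs the disassembler.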
@@ -171,79 +171,74 @@
 }
 state.jitCode->common.finalizeCatchEntrypoints(WTFMove(state.graph.m_catchEntrypoints));
 
-if (B3::Air::Disassembler* disassembler = state.proc->code().disassembler()) {
-PrintStream& out = WTF::dataFile();
+if (shouldDumpDisassembly())
+state.dumpDisassembly(WTF::dataFile());
 
-out.print("Generated ", state.graph.m_plan.mode(), " code for ", CodeBlockWithJITType(state.graph.m_codeBlock, JITType::FTLJIT), ", instructions size = ", state.graph.m_codeBlock->instructionsSize(), ":\n");
+Profiler::Compilation* compilation = graph.compilation();
+if (UNLIKELY(compilation)) {
+compilation->addDescription(
+Profiler::OriginStack(),
+toCString("Generated FTL DFG IR for ", CodeBlockWithJITType(codeBlock, JITType::FTLJIT), ", instructions size = ", graph.m_codeBlock->instructionsSize(), ":\n"));
 
-LinkBuffer& linkBuffer = *state.finalizer->b3CodeLinkBuffer;
-B3::Value* currentB3Value = nullptr;
-Node* currentDFGNode = nullptr;
+graph.ensureSSADominators();
+graph.ensureSSANaturalLoops();
 
-HashSet printedValues;
-HashSet printedNodes;
-const char* dfgPrefix = "DFG " "";
-const char* b3Prefix  = "b3  " "  ";
-const char* airPrefix = "Air " "  ";
-const char* asmPrefix = "asm " "";
+const char* prefix = "";
 
-auto printDFGNode = [&] (Node* node) {
-if (currentDFGNode == node)
-return;
+DumpContext dumpContext;
+StringPrintStream out;
+Node* lastNode = nullptr;
+for (size_t blockIndex = 0; blockIndex < graph.numBlocks(); ++blockIndex) {
+DFG::BasicBlock* block = graph.block(blockIndex);
+   
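Review bot: the new description string mixes `CodeBlockWithJITType(codeBlock, JITType::FTLJIT)` with `graph.m_codeBlock->instructionsSize()`; codeBlock is already bound to graph.m_codeBlock at the top of this function, so use it for both. The single `const char* prefix = "";` also replaces the four distinct dfg/b3/air/asm prefixes from the removed code; if the per-IR labels are no longer wanted in the profiler dump, a comment saying why (the ChangeLog only explains the dropped execution counts) would help.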

[webkit-changes] [279520] trunk/Source/JavaScriptCore

2021-07-02 Thread keith_miller
Title: [279520] trunk/Source/_javascript_Core








Revision 279520
Author keith_mil...@apple.com
Date 2021-07-02 15:40:19 -0700 (Fri, 02 Jul 2021)


Log Message
Add 10 more unified source cpp files for JSC
https://bugs.webkit.org/show_bug.cgi?id=227643

Reviewed by Alex Christensen.

* _javascript_Core.xcodeproj/project.pbxproj:
* Scripts/generate-unified-sources.sh:
* UnifiedSources-output.xcfilelist:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
trunk/Source/_javascript_Core/Scripts/generate-unified-sources.sh
trunk/Source/_javascript_Core/UnifiedSources-output.xcfilelist


Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (279519 => 279520)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-02 22:33:24 UTC (rev 279519)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-02 22:40:19 UTC (rev 279520)
@@ -1,3 +1,14 @@
+2021-07-02  Keith Miller  
+
+Add 10 more unified source cpp files for JSC
+https://bugs.webkit.org/show_bug.cgi?id=227643
+
+Reviewed by Alex Christensen.
+
+* _javascript_Core.xcodeproj/project.pbxproj:
+* Scripts/generate-unified-sources.sh:
+* UnifiedSources-output.xcfilelist:
+
 2021-07-02  Philippe Normand  
 
 [GTK] Add new revision variable in pkgconfig file


Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (279519 => 279520)

--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj	2021-07-02 22:33:24 UTC (rev 279519)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj	2021-07-02 22:40:19 UTC (rev 279520)
@@ -1084,6 +1084,16 @@
 		5370806B1FE232DF00299E44 /* JSArrayBufferView.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B66BB17B6B5AB00A7AE3F /* JSArrayBufferView.h */; };
 		5370B4F61BF26205005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 5370B4F41BF25EA2005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h */; };
 		5381B9391E60E97D0090F794 /* WasmFaultSignalHandler.h in Headers */ = {isa = PBXBuildFile; fileRef = 5381B9381E60E97D0090F794 /* WasmFaultSignalHandler.h */; settings = {ATTRIBUTES = (Private, ); }; };
+		538F15E7268FBBB600D601C4 /* UnifiedSource148.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15DD268FBBB300D601C4 /* UnifiedSource148.cpp */; };
+		538F15E8268FBBB600D601C4 /* UnifiedSource151.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15DE268FBBB300D601C4 /* UnifiedSource151.cpp */; };
+		538F15E9268FBBB600D601C4 /* UnifiedSource152.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15DF268FBBB300D601C4 /* UnifiedSource152.cpp */; };
+		538F15EA268FBBB600D601C4 /* UnifiedSource154.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E0268FBBB400D601C4 /* UnifiedSource154.cpp */; };
+		538F15EB268FBBB600D601C4 /* UnifiedSource150.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E1268FBBB400D601C4 /* UnifiedSource150.cpp */; };
+		538F15ED268FBBB600D601C4 /* UnifiedSource153.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E3268FBBB500D601C4 /* UnifiedSource153.cpp */; };
+		538F15EE268FBBB600D601C4 /* UnifiedSource147.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E4268FBBB500D601C4 /* UnifiedSource147.cpp */; };
+		538F15EF268FBBB600D601C4 /* UnifiedSource155.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E5268FBBB500D601C4 /* UnifiedSource155.cpp */; };
+		538F15F0268FBBB600D601C4 /* UnifiedSource149.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15E6268FBBB600D601C4 /* UnifiedSource149.cpp */; };
+		538F15F2268FBC7B00D601C4 /* UnifiedSource146.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15F1268FBC7B00D601C4 /* UnifiedSource146.cpp */; };
 		53917E7B1B7906FA000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = 53917E7A1B7906E4000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h */; };
 		539930C822AD3B9A0051CDE2 /* WeakObjectRefConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = 539930C722AD3B9A0051CDE2 /* WeakObjectRefConstructor.h */; };
 		539BFBAE22AD3C3A0023F4C0 /* WeakObjectRefPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = 539BFBAD22AD3C3A0023F4C0 /* WeakObjectRefPrototype.h */; };
@@ -3859,6 +3869,16 @@
 		5381B9361E60E9660090F794 /* WasmFaultSignalHandler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmFaultSignalHandler.cpp; sourceTree = ""; };
 		5381B9381E60E97D0090F794 /* WasmFaultSignalHandler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmFaultSignalHandler.h; sourceTree = ""; };
 		5383AA2F1E65E8A100A532FC /* JSWebAssemblyCodeBlock.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSWebAssemblyCodeBlock.cpp; path = js/JSWebAssemblyCodeBlock.cpp; sourceTree 

[webkit-changes] [279179] trunk/Source/JavaScriptCore

2021-06-23 Thread keith_miller
Title: [279179] trunk/Source/_javascript_Core

Revision 279179
Author keith_mil...@apple.com
Date 2021-06-23 12:20:02 -0700 (Wed, 23 Jun 2021)


Log Message
add/removeManagedReference:withOwner: should have autoreleasepools
https://bugs.webkit.org/show_bug.cgi?id=227308

Reviewed by Darin Adler.

Since these APIs create autoreleased objects as an implementation detail
but don't return any to the caller there's no indication such autoreleased
objects could be accumulating. Additionally, it's entirely reasonable to
call these methods in a loop on a large set of objects, which further
exacerbates the problem.

* API/JSVirtualMachine.mm:
(-[JSVirtualMachine addManagedReference:withOwner:]):
(-[JSVirtualMachine removeManagedReference:withOwner:]):

Modified Paths

trunk/Source/_javascript_Core/API/JSVirtualMachine.mm
trunk/Source/_javascript_Core/ChangeLog


Diff

Modified: trunk/Source/_javascript_Core/API/JSVirtualMachine.mm (279178 => 279179)

--- trunk/Source/_javascript_Core/API/JSVirtualMachine.mm	2021-06-23 19:11:59 UTC (rev 279178)
+++ trunk/Source/_javascript_Core/API/JSVirtualMachine.mm	2021-06-23 19:20:02 UTC (rev 279179)
@@ -162,64 +162,68 @@
 }
 
 - (void)addManagedReference:(id)object withOwner:(id)owner
-{
-if ([object isKindOfClass:[JSManagedValue class]])
-[object didAddOwner:owner];
-
-object = getInternalObjcObject(object);
-owner = getInternalObjcObject(owner);
-
-if (!object || !owner)
-return;
-
-JSC::JSLockHolder locker(toJS(m_group));
-if ([self isOldExternalObject:owner] && ![self isOldExternalObject:object])
-[self addExternalRememberedObject:owner];
- 
-Locker externalDataMutexLocker { m_externalDataMutex };
-RetainPtr ownedObjects = [m_externalObjectGraph objectForKey:owner];
-if (!ownedObjects) {
-NSPointerFunctionsOptions weakIDOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality;
-NSPointerFunctionsOptions integerOptions = NSPointerFunctionsOpaqueMemory | NSPointerFunctionsIntegerPersonality;
-ownedObjects = adoptNS([[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1]);
+{
+@autoreleasepool {
+if ([object isKindOfClass:[JSManagedValue class]])
+[object didAddOwner:owner];
 
-[m_externalObjectGraph setObject:ownedObjects.get() forKey:owner];
+object = getInternalObjcObject(object);
+owner = getInternalObjcObject(owner);
+
+if (!object || !owner)
+return;
+
+JSC::JSLockHolder locker(toJS(m_group));
+if ([self isOldExternalObject:owner] && ![self isOldExternalObject:object])
+[self addExternalRememberedObject:owner];
+
+Locker externalDataMutexLocker { m_externalDataMutex };
+RetainPtr ownedObjects = [m_externalObjectGraph objectForKey:owner];
+if (!ownedObjects) {
+NSPointerFunctionsOptions weakIDOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality;
+NSPointerFunctionsOptions integerOptions = NSPointerFunctionsOpaqueMemory | NSPointerFunctionsIntegerPersonality;
+ownedObjects = adoptNS([[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1]);
+
+[m_externalObjectGraph setObject:ownedObjects.get() forKey:owner];
+}
+
+size_t count = reinterpret_cast(NSMapGet(ownedObjects.get(), (__bridge void*)object));
+NSMapInsert(ownedObjects.get(), (__bridge void*)object, reinterpret_cast(count + 1));
 }
-
-size_t count = reinterpret_cast(NSMapGet(ownedObjects.get(), (__bridge void*)object));
-NSMapInsert(ownedObjects.get(), (__bridge void*)object, reinterpret_cast(count + 1));
 }
 
 - (void)removeManagedReference:(id)object withOwner:(id)owner
 {
-if ([object isKindOfClass:[JSManagedValue class]])
-[object didRemoveOwner:owner];
+@autoreleasepool {
+if ([object isKindOfClass:[JSManagedValue class]])
+[object didRemoveOwner:owner];
 
-object = getInternalObjcObject(object);
-owner = getInternalObjcObject(owner);
-
-if (!object || !owner)
-return;
-
-JSC::JSLockHolder locker(toJS(m_group));
-
-Locker externalDataMutexLocker { m_externalDataMutex };
-NSMapTable *ownedObjects = [m_externalObjectGraph objectForKey:owner];
-if (!ownedObjects)
-return;
-   
-size_t count = reinterpret_cast(NSMapGet(ownedObjects, (__bridge void*)object));
-if (count > 1) {
-NSMapInsert(ownedObjects, (__bridge void*)object, reinterpret_cast(count - 1));
-return;
-}
-
-if (count == 1)
-NSMapRemove(ownedObjects, (__bridge void*)object);
+object = getInternalObjcObject(object);
+owner = getInternalObjcObject(owner);
 
-if (![ownedObjects count]) {
-[m_externalObjectGraph removeObjectForKey:owner];
-[m_externalRememberedSe
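Review bot: the ordering that makes this safe deserves a comment at the `@autoreleasepool` line, because the reindent of both whole method bodies hides it in the diff. `JSC::JSLockHolder locker` and `Locker externalDataMutexLocker` are declared inside the pool block, so both locks are released at the inner `}` before the pool drains; anything released at drain time that takes the JSLock or `m_externalDataMutex` on the way down therefore cannot deadlock or re-enter under the lock. The early `return` after `if (!object || !owner)` is fine, the pool drains on scope exit either way. The hunk is truncated at `m_externalRememberedSe`, so the tail of `removeManagedReference:withOwner:` is not reviewable here.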

[webkit-changes] [278888] trunk/Source/JavaScriptCore

2021-06-15 Thread keith_miller
Title: [278888] trunk/Source/_javascript_Core

Revision 278888
Author keith_mil...@apple.com
Date 2021-06-15 11:39:27 -0700 (Tue, 15 Jun 2021)


Log Message
Shouldn't drain the micro task queue when calling out to ObjC
https://bugs.webkit.org/show_bug.cgi?id=161942

Unreviewed, relanding r278734.


* API/tests/testapi.cpp:
(TestAPI::promiseDrainDoesNotEatExceptions):
(testCAPIViaCpp):
* API/tests/testapi.mm:
(testMicrotaskWithFunction):
(testObjectiveCAPI):
* runtime/JSLock.cpp:
(JSC::JSLock::willReleaseLock):
* runtime/ObjectPrototype.cpp:
(JSC::isPokerBros):
* runtime/VM.cpp:
(JSC::VM::didExhaustMicrotaskQueue):

Modified Paths

trunk/Source/_javascript_Core/API/tests/testapi.cpp
trunk/Source/_javascript_Core/API/tests/testapi.mm
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSLock.cpp
trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp
trunk/Source/_javascript_Core/runtime/VM.cpp


Diff

Modified: trunk/Source/_javascript_Core/API/tests/testapi.cpp (278887 => 278888)

--- trunk/Source/_javascript_Core/API/tests/testapi.cpp	2021-06-15 18:25:07 UTC (rev 278887)
+++ trunk/Source/_javascript_Core/API/tests/testapi.cpp	2021-06-15 18:39:27 UTC (rev 27)
@@ -38,6 +38,10 @@
 #include 
 #include 
 
+#if PLATFORM(COCOA)
+#include 
+#endif
+
 extern "C" void configureJSCForTesting();
 extern "C" int testCAPIViaCpp(const char* filter);
 extern "C" void JSSynchronousGarbageCollectForDebugging(JSContextRef);
@@ -147,6 +151,7 @@
 void promiseUnhandledRejection();
 void promiseUnhandledRejectionFromUnhandledRejectionCallback();
 void promiseEarlyHandledRejections();
+void promiseDrainDoesNotEatExceptions();
 void topCallFrameAccess();
 void markedJSValueArrayAndGC();
 void classDefinitionWithJSSubclass();
@@ -609,6 +614,28 @@
 check(!callbackCalled, "unhandled rejection callback should not be called for asynchronous early-handled rejection");
 }
 
+void TestAPI::promiseDrainDoesNotEatExceptions()
+{
+#if PLATFORM(COCOA)
+bool useLegacyDrain = false;
+#if PLATFORM(MAC)
+useLegacyDrain = applicationSDKVersion() < DYLD_MACOSX_VERSION_12_00;
+#elif PLATFORM(WATCH)
+// Don't check, JSC isn't API on watch anyway.
+#elif PLATFORM(IOS_FAMILY)
+useLegacyDrain = applicationSDKVersion() < DYLD_IOS_VERSION_15_0;
+#else
+#error "Unsupported Cocoa Platform"
+#endif
+if (useLegacyDrain)
+return;
+#endif
+
+ScriptResult result = callFunction("(function() { Promise.resolve().then(() => { throw 2; }); throw 1; })");
+check(!result, "function should throw an error");
+check(JSValueIsNumber(context, result.error()) && JSValueToNumber(context, result.error(), nullptr) == 1, "exception payload should have been 1");
+}
+
 void TestAPI::topCallFrameAccess()
 {
 {
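Review bot: the test proves the synchronous `throw 1` survives, but not the other half of the bug, that the queued microtask (`throw 2`) is not drained while control is still in the API callout. Consider a second check that the microtask is observed only after `callFunction(...)` returns, for example a `.then` handler that sets a flag and an assertion that the flag is still false immediately after the call. Also, when `useLegacyDrain` is true the function returns without recording anything, so a skipped run is indistinguishable from a pass in the output; a one-line skip message would make that visible.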
@@ -760,6 +787,7 @@
 RUN(promiseRejectTrue());
 RUN(promiseUnhandledRejection());
 RUN(promiseUnhandledRejectionFromUnhandledRejectionCallback());
+RUN(promiseDrainDoesNotEatExceptions());
 RUN(promiseEarlyHandledRejections());
 RUN(markedJSValueArrayAndGC());
 RUN(classDefinitionWithJSSubclass());
@@ -766,10 +794,8 @@
 RUN(proxyReturnedWithJSSubclassing());
 RUN(testJSObjectSetOnGlobalObjectSubclassDefinition());
 
-if (tasks.isEmpty()) {
-dataLogLn("Filtered all tests: ERROR");
-return 1;
-}
+if (tasks.isEmpty())
+return 0;
 
 Lock lock;
 


Modified: trunk/Source/_javascript_Core/API/tests/testapi.mm (278887 => 278888)

--- trunk/Source/_javascript_Core/API/tests/testapi.mm	2021-06-15 18:25:07 UTC (rev 278887)
+++ trunk/Source/_javascript_Core/API/tests/testapi.mm	2021-06-15 18:39:27 UTC (rev 27)
@@ -41,6 +41,11 @@
 #import "Regress141809.h"
 #import 
 
+
+#if PLATFORM(COCOA)
+#import 
+#endif
+
 #if __has_include()
 #define HAS_LIBPROC 1
 #import 
@@ -2730,6 +2735,40 @@
 }
 }
 
+static void testMicrotaskWithFunction()
+{
+@autoreleasepool {
+#if PLATFORM(COCOA)
+bool useLegacyDrain = false;
+#if PLATFORM(MAC)
+useLegacyDrain = applicationSDKVersion() < DYLD_MACOSX_VERSION_12_00;
+#elif PLATFORM(WATCH)
+// Don't check, JSC isn't API on watch anyway.
+#elif PLATFORM(IOS_FAMILY)
+useLegacyDrain = applicationSDKVersion() < DYLD_IOS_VERSION_15_0;
+#else
+#error "Unsupported Cocoa Platform"
+#endif
+if (useLegacyDrain)
+return;
+#endif
+
+JSContext *context = [[JSContext alloc] init];
+
+JSValue *globalObject = context.globalObject;
+
+auto block = ^() {
+return 1+1;
+};
+
+[globalObject setValue:block forProperty:@"setTimeout"];
+JSValue *arr = [context evaluateScript:@"var arr = []; (async () => { await 1; arr.push(3); })(); arr.push(1); setTimeout(); arr.push(2); arr;"];
+checkResult(@"arr[0] should be 1", [arr[@0] toInt32] == 1);
+checkResult(@"arr[1] should be 2", [arr[@1] toInt32] == 2);
+checkResult(@"arr[2] should be 3", [arr[
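Review bot: the `useLegacyDrain` preamble here is a line-for-line copy of the one in `TestAPI::promiseDrainDoesNotEatExceptions` in testapi.cpp, down to the `#error "Unsupported Cocoa Platform"` branch; factor it into a shared helper in a test header so the next linked-on-or-after threshold is changed in one place. The hunk is truncated at `arr[2] should be 3`, so the remaining checks and the `testObjectiveCAPI` registration are not visible.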

[webkit-changes] [278854] trunk/Tools

2021-06-14 Thread keith_miller
Title: [278854] trunk/Tools

Revision 278854
Author keith_mil...@apple.com
Date 2021-06-14 17:54:08 -0700 (Mon, 14 Jun 2021)


Log Message
run-_javascript_core-tests should print output when a test binary fails by default
https://bugs.webkit.org/show_bug.cgi?id=226985

Reviewed by Mark Lam.

* Scripts/run-_javascript_core-tests:
(runTest):

Modified Paths

trunk/Tools/ChangeLog
trunk/Tools/Scripts/run-_javascript_core-tests


Diff

Modified: trunk/Tools/ChangeLog (278853 => 278854)

--- trunk/Tools/ChangeLog	2021-06-15 00:46:19 UTC (rev 278853)
+++ trunk/Tools/ChangeLog	2021-06-15 00:54:08 UTC (rev 278854)
@@ -1,3 +1,13 @@
+2021-06-14  Keith Miller  
+
+run-_javascript_core-tests should print output when a test binary fails by default
+https://bugs.webkit.org/show_bug.cgi?id=226985
+
+Reviewed by Mark Lam.
+
+* Scripts/run-_javascript_core-tests:
+(runTest):
+
 2021-06-14  Ryan Haddad  
 
 Bring up an Apple-BigSur-AppleSilicon-Release-Test262-Tests queue


Modified: trunk/Tools/Scripts/run-_javascript_core-tests (278853 => 278854)

--- trunk/Tools/Scripts/run-_javascript_core-tests	2021-06-15 00:46:19 UTC (rev 278853)
+++ trunk/Tools/Scripts/run-_javascript_core-tests	2021-06-15 00:54:08 UTC (rev 278854)
@@ -630,13 +630,16 @@
 my $lastOptimizeLevel;
 
 open(TEST, "-|", "@command 2>&1") or die "Failed to run @command";
+my $testOutput = "";
 while ( my $line =  ) {
-print $line if ($verbose);
+$testOutput .= $line;
 }
 $testResult = close(TEST) ? 0 : $?;
 $reportData{$testName} = $testResult ? {actual => "FAIL"} : {actual => "PASS"};
 
 my $exitStatus = exitStatus($testResult);
+
+print "$testOutput" if ($verbose or $testResult);
 print "$testName completed with rc=$testResult ($exitStatus)\n\n";
 
 if ($testResult) {
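Review bot: `$testOutput .= $line;` buffers the child's entire output before anything is printed, so in `--verbose` mode the per-line streaming that `print $line if ($verbose);` gave is lost, and a test binary that hangs or is killed by a timeout shows nothing until `close(TEST)` returns. It also holds a long-running test's whole output in memory. Suggest streaming when verbose and buffering only for the failure case:
    print $line if ($verbose);
    $testOutput .= $line unless ($verbose);
and then `print "$testOutput" if ($testResult and not $verbose);` after the exit status is computed.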

___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [278734] trunk/Source/JavaScriptCore

2021-06-10 Thread keith_miller
Title: [278734] trunk/Source/_javascript_Core

Revision 278734
Author keith_mil...@apple.com
Date 2021-06-10 14:54:36 -0700 (Thu, 10 Jun 2021)


Log Message
Shouldn't drain the micro task queue when calling out to ObjC
https://bugs.webkit.org/show_bug.cgi?id=161942

Reviewed by Saam Barati.

It looks like the issue is that we aren't checking for the
presence of dropped locks when deciding to drain microtasks during
JSLock::unlock. This meant that when we drop all locks when
calling out to API clients we would drain our microtasks at that
point. An alternative would be to pass an extra parameter to the
unlock function that says not to drain microtasks. I chose not to
do that since it seemed a bit less robust.

This patch is very likely to break existing API users. So I'm adding
a linked on or after check to protect existing Apps.

Lastly, change our Poker Bros check to use applicationSDKVersion too
so others trying to add a linked on or after check don't use
the dyld function directly too.

* API/tests/testapi.cpp:
(TestAPI::promiseDrainDoesNotEatExceptions):
(testCAPIViaCpp):
* API/tests/testapi.mm:
(testMicrotaskWithFunction):
(testObjectiveCAPI):
* runtime/JSLock.cpp:
(JSC::JSLock::willReleaseLock):
* runtime/ObjectPrototype.cpp:
(JSC::isPokerBros):
* runtime/VM.cpp:
(JSC::VM::didExhaustMicrotaskQueue):

Modified Paths

trunk/Source/_javascript_Core/API/tests/testapi.cpp
trunk/Source/_javascript_Core/API/tests/testapi.mm
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSLock.cpp
trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp
trunk/Source/_javascript_Core/runtime/VM.cpp


Diff

Modified: trunk/Source/_javascript_Core/API/tests/testapi.cpp (278733 => 278734)

--- trunk/Source/_javascript_Core/API/tests/testapi.cpp	2021-06-10 21:19:59 UTC (rev 278733)
+++ trunk/Source/_javascript_Core/API/tests/testapi.cpp	2021-06-10 21:54:36 UTC (rev 278734)
@@ -38,6 +38,10 @@
 #include 
 #include 
 
+#if PLATFORM(COCOA)
+#include 
+#endif
+
 extern "C" void configureJSCForTesting();
 extern "C" int testCAPIViaCpp(const char* filter);
 extern "C" void JSSynchronousGarbageCollectForDebugging(JSContextRef);
@@ -147,6 +151,7 @@
 void promiseUnhandledRejection();
 void promiseUnhandledRejectionFromUnhandledRejectionCallback();
 void promiseEarlyHandledRejections();
+void promiseDrainDoesNotEatExceptions();
 void topCallFrameAccess();
 void markedJSValueArrayAndGC();
 void classDefinitionWithJSSubclass();
@@ -609,6 +614,27 @@
 check(!callbackCalled, "unhandled rejection callback should not be called for asynchronous early-handled rejection");
 }
 
+void TestAPI::promiseDrainDoesNotEatExceptions()
+{
+#if PLATFORM(COCOA)
+bool useLegacyDrain = false;
+#if PLATFORM(MAC)
+useLegacyDrain = applicationSDKVersion() < DYLD_MACOSX_VERSION_12_00;
+#elif PLATFORM(WATCH)
+// Don't check, JSC isn't API on watch anyway.
+#elif PLATFORM(IOS_FAMILY)
+useLegacyDrain = applicationSDKVersion() < DYLD_IOS_VERSION_15_0;
+#else
+#error "Unsupported Cocoa Platform"
+#endif
+if (useLegacyDrain)
+return;
+#endif
+ScriptResult result = callFunction("(function() { Promise.resolve().then(() => { throw 2; }); throw 1; })");
+check(!result, "function should throw an error");
+check(JSValueIsNumber(context, result.error()) && JSValueToNumber(context, result.error(), nullptr) == 1, "exception payload should have been 1");
+}
+
 void TestAPI::topCallFrameAccess()
 {
 {
@@ -760,6 +786,7 @@
 RUN(promiseRejectTrue());
 RUN(promiseUnhandledRejection());
 RUN(promiseUnhandledRejectionFromUnhandledRejectionCallback());
+RUN(promiseDrainDoesNotEatExceptions());
 RUN(promiseEarlyHandledRejections());
 RUN(markedJSValueArrayAndGC());
 RUN(classDefinitionWithJSSubclass());
@@ -766,10 +793,8 @@
 RUN(proxyReturnedWithJSSubclassing());
 RUN(testJSObjectSetOnGlobalObjectSubclassDefinition());
 
-if (tasks.isEmpty()) {
-dataLogLn("Filtered all tests: ERROR");
-return 1;
-}
+if (tasks.isEmpty())
+return 0;
 
 Lock lock;
 


Modified: trunk/Source/_javascript_Core/API/tests/testapi.mm (278733 => 278734)

--- trunk/Source/_javascript_Core/API/tests/testapi.mm	2021-06-10 21:19:59 UTC (rev 278733)
+++ trunk/Source/_javascript_Core/API/tests/testapi.mm	2021-06-10 21:54:36 UTC (rev 278734)
@@ -2730,6 +2730,25 @@
 }
 }
 
+static void testMicrotaskWithFunction()
+{
+@autoreleasepool {
+JSContext *context = [[JSContext alloc] init];
+
+JSValue *globalObject = context.globalObject;
+
+auto block = ^() {
+return 1+1;
+};
+
+[globalObject setValue:block forProperty:@"setTimeout"];
+JSValue *arr = [context evaluateScript:@"var arr = []; (async () => { await 1; arr.push(3); })(); arr.push(1); setTimeout(); arr.push(2); arr;"];
+checkResult(@"arr[0] should be 1", [arr[@0] toInt32] == 1);
+
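Review bot: this first landing of `testMicrotaskWithFunction` has no `applicationSDKVersion()` guard, although the ChangeLog says a linked-on-or-after check protects existing apps; the relanding in r278888 adds the guard ahead of `[[JSContext alloc] init]`. Without it the test asserts the new ordering (`arr.push(2)` before `arr.push(3)`) on builds where the legacy drain is still in effect, which is the likely reason for the roll-out and reland.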

[webkit-changes] [278464] trunk/JSTests

2021-06-04 Thread keith_miller
Title: [278464] trunk/JSTests

Revision 278464
Author keith_mil...@apple.com
Date 2021-06-04 09:08:45 -0700 (Fri, 04 Jun 2021)


Log Message
Fix tests that fail under executable allocation fuzzing
https://bugs.webkit.org/show_bug.cgi?id=226593

Reviewed by Mark Lam.

* microbenchmarks/memcpy-wasm-large.js:
(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
(typeof.WebAssembly.string_appeared_here.catch):
(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted.
* microbenchmarks/memcpy-wasm-medium.js:
(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
(typeof.WebAssembly.string_appeared_here.catch):
(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted.
* microbenchmarks/memcpy-wasm-small.js:
(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
(typeof.WebAssembly.string_appeared_here.catch):
(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted.
* microbenchmarks/memcpy-wasm.js:
(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
(typeof.WebAssembly.string_appeared_here.catch):
(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted.
* stress/bit-op-with-object-returning-int32.js:
(numberOfDFGCompiles):
(bitOr): Deleted.
(bitXor): Deleted.
(bitNot): Deleted.
(bitLShift): Deleted.
* stress/bitwise-not-fixup-rules.js:
(numberOfDFGCompiles):
(let.o.valueOf): Deleted.

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/microbenchmarks/memcpy-wasm-large.js
trunk/JSTests/microbenchmarks/memcpy-wasm-medium.js
trunk/JSTests/microbenchmarks/memcpy-wasm-small.js
trunk/JSTests/microbenchmarks/memcpy-wasm.js
trunk/JSTests/stress/bit-op-with-object-returning-int32.js
trunk/JSTests/stress/bitwise-not-fixup-rules.js


Diff

Modified: trunk/JSTests/ChangeLog (278463 => 278464)

--- trunk/JSTests/ChangeLog	2021-06-04 16:04:35 UTC (rev 278463)
+++ trunk/JSTests/ChangeLog	2021-06-04 16:08:45 UTC (rev 278464)
@@ -1,3 +1,36 @@
+2021-06-04  Keith Miller  
+
+Fix tests that fail under executable allocation fuzzing
+https://bugs.webkit.org/show_bug.cgi?id=226593
+
+Reviewed by Mark Lam.
+
+* microbenchmarks/memcpy-wasm-large.js:
+(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
+(typeof.WebAssembly.string_appeared_here.catch):
+(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted.
+* microbenchmarks/memcpy-wasm-medium.js:
+(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
+(typeof.WebAssembly.string_appeared_here.catch):
+(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted.
+* microbenchmarks/memcpy-wasm-small.js:
+(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
+(typeof.WebAssembly.string_appeared_here.catch):
+(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted.
+* microbenchmarks/memcpy-wasm.js:
+(typeof.WebAssembly.string_appeared_here.try.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array):
+(typeof.WebAssembly.string_appeared_here.catch):
+(typeof.WebAssembly.string_appeared_here.const.1.new.WebAssembly.Instance.new.WebAssembly.Module.new.Uint8Array): Deleted.
+* stress/bit-op-with-object-returning-int32.js:
+(numberOfDFGCompiles):
+(bitOr): Deleted.
+(bitXor): Deleted.
+(bitNot): Deleted.
+(bitLShift): Deleted.
+* stress/bitwise-not-fixup-rules.js:
+(numberOfDFGCompiles):
+(let.o.valueOf): Deleted.
+
 2021-06-04  Tadeu Zagallo  
 
 Optimize Function.prototype.toString


Modified: trunk/JSTests/microbenchmarks/memcpy-wasm-large.js (278463 => 278464)

--- trunk/JSTests/microbenchmarks/memcpy-wasm-large.js	2021-06-04 16:04:35 UTC (rev 278463)
+++ trunk/JSTests/microbenchmarks/memcpy-wasm-large.js	2021-06-04 16:08:45 UTC (rev 278464)
@@ -15,21 +15,25 @@
 i32[i] = i;
 }
 
-const $1 = new WebAssembly.Instance(new WebAssembly.Module(new Uint8Array([
-0,97,115,109,1,0,0,0,1,7,1,96,3,127,127,127,0,2,12,1,2,106,115,3,109,101,109,2,1,pages,pages,3,2,1,0,6,1,0,7,13,1,9,100,111,95,109,101,109,99,112,121,0,0,10,57,1,55,1,1,127,65,0,33,3,3,64,2

[webkit-changes] [278366] trunk/Source/JavaScriptCore

2021-06-02 Thread keith_miller
Title: [278366] trunk/Source/_javascript_Core

Revision 278366
Author keith_mil...@apple.com
Date 2021-06-02 11:14:23 -0700 (Wed, 02 Jun 2021)


Log Message
Add globalObject API set property test
https://bugs.webkit.org/show_bug.cgi?id=226542


Reviewed by Alexey Shvayka.

* API/tests/testapi.cpp:
(TestAPI::testJSObjectSetOnGlobalObjectSubclassDefinition):
(testCAPIViaCpp):

Modified Paths

trunk/Source/_javascript_Core/API/tests/testapi.cpp
trunk/Source/_javascript_Core/ChangeLog


Diff

Modified: trunk/Source/_javascript_Core/API/tests/testapi.cpp (278365 => 278366)

--- trunk/Source/_javascript_Core/API/tests/testapi.cpp	2021-06-02 17:40:50 UTC (rev 278365)
+++ trunk/Source/_javascript_Core/API/tests/testapi.cpp	2021-06-02 18:14:23 UTC (rev 278366)
@@ -151,6 +151,7 @@
 void markedJSValueArrayAndGC();
 void classDefinitionWithJSSubclass();
 void proxyReturnedWithJSSubclassing();
+void testJSObjectSetOnGlobalObjectSubclassDefinition();
 
 int failed() const { return m_failed; }
 
@@ -705,6 +706,22 @@
 check(functionReturnsTrue("(function (subclass, Superclass) { return subclass.__proto__ == Superclass.prototype; })", subclass, Superclass), "proxy's prototype should match Superclass.prototype");
 }
 
+void TestAPI::testJSObjectSetOnGlobalObjectSubclassDefinition()
+{
+JSClassDefinition globalClassDef = kJSClassDefinitionEmpty;
+globalClassDef.className = "CustomGlobalClass";
+JSClassRef globalClassRef = JSClassCreate(&globalClassDef);
+
+JSContextRef context = JSGlobalContextCreate(globalClassRef);
+JSObjectRef newObject = JSObjectMake(context, nullptr, nullptr);
+
+JSObjectRef globalObject = JSContextGetGlobalObject(context);
+APIString propertyName("myObject");
+JSObjectSetProperty(context, globalObject, propertyName, newObject, 0, nullptr);
+
+check(JSEvaluateScript(context, propertyName, globalObject, nullptr, 1, nullptr) == newObject, "Setting a property on a custom global object should set the property");
+}
+
 void configureJSCForTesting()
 {
 JSC::Config::configureForTesting();
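Review bot: the `JSClassRef` from `JSClassCreate` and the context from `JSGlobalContextCreate` are never released (`JSClassRelease` / `JSGlobalContextRelease`), and every call passes `nullptr` as the exception slot, so if `JSObjectSetProperty` or `JSEvaluateScript` throws the check only sees a null return and the generic message. Declare a `JSValueRef exception = nullptr;`, pass it to both calls, assert it is still null, and release the class and context at the end of the test so it does not leak across the `RUN` list.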
@@ -747,6 +764,7 @@
 RUN(markedJSValueArrayAndGC());
 RUN(classDefinitionWithJSSubclass());
 RUN(proxyReturnedWithJSSubclassing());
+RUN(testJSObjectSetOnGlobalObjectSubclassDefinition());
 
 if (tasks.isEmpty()) {
 dataLogLn("Filtered all tests: ERROR");


Modified: trunk/Source/_javascript_Core/ChangeLog (278365 => 278366)

--- trunk/Source/_javascript_Core/ChangeLog	2021-06-02 17:40:50 UTC (rev 278365)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-06-02 18:14:23 UTC (rev 278366)
@@ -1,5 +1,17 @@
 2021-06-02  Keith Miller  
 
+Add globalObject API set property test
+https://bugs.webkit.org/show_bug.cgi?id=226542
+
+
+Reviewed by Alexey Shvayka.
+
+* API/tests/testapi.cpp:
+(TestAPI::testJSObjectSetOnGlobalObjectSubclassDefinition):
+(testCAPIViaCpp):
+
+2021-06-02  Keith Miller  
+
 Convert small JIT pool tests into executable fuzzing
 https://bugs.webkit.org/show_bug.cgi?id=226279
 



[webkit-changes] [278356] trunk

2021-06-02 Thread keith_miller
Title: [278356] trunk

Revision 278356
Author keith_mil...@apple.com
Date 2021-06-02 09:26:00 -0700 (Wed, 02 Jun 2021)


Log Message
Convert small JIT pool tests into executable fuzzing
https://bugs.webkit.org/show_bug.cgi?id=226279

Source/_javascript_Core:

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

Reviewed by Michael Saboff.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::numberOfDFGCompiles):
* jit/ExecutableAllocationFuzz.cpp:
(JSC::doExecutableAllocationFuzzing):
* jsc.cpp:
(runJSC):

Tools:

Reviewed by Michael Saboff.

Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
Instead of testing such a small pool we should just fuzz each executable allocation that says it
can fail.

The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.

* Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz:
* Scripts/run-jsc-stress-tests:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp
trunk/Source/_javascript_Core/jsc.cpp
trunk/Tools/ChangeLog
trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz
trunk/Tools/Scripts/run-jsc-stress-tests


Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (278355 => 278356)

--- trunk/Source/_javascript_Core/ChangeLog	2021-06-02 16:21:15 UTC (rev 278355)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-06-02 16:26:00 UTC (rev 278356)
@@ -1,3 +1,27 @@
+2021-06-02  Keith Miller  
+
+Convert small JIT pool tests into executable fuzzing
+https://bugs.webkit.org/show_bug.cgi?id=226279
+
+Right now, we try to test our engine on a small JIT pool. This isn't a known configuration for any
+actual ports and causes issues if we run out of JIT memory when we need to compile an OSR exit.
+Instead of testing such a small pool we should just fuzz each executable allocation that says it
+can fail.
+
+The current fuzzing doesn't do a good job tracking the number of DFG/FTL compiles when allocations
+fail, so when enabled those tests will just exit early. Also, right now we use a random seed picked
+by the engine for these tests, which makes it hard to reproduce crashes on the bots. If we see
+flakiness on the bots we can have the harness pass in a number so it gets logged in the repro command.
+
+Reviewed by Michael Saboff.
+
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::numberOfDFGCompiles):
+* jit/ExecutableAllocationFuzz.cpp:
+(JSC::doExecutableAllocationFuzzing):
+* jsc.cpp:
+(runJSC):
+
 2021-06-02  Chris Dumez  
 
 Use Checked aliases instead of Checked


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (278355 => 278356)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-06-02 16:21:15 UTC (rev 278355)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-06-02 16:26:00 UTC (rev 278356)
@@ -2481,6 +2481,10 @@
 unsigned CodeBlock::numberOfDFGCompiles()
 {
 ASSERT(JITCode::isBaselineCode(jitType()));
+
+// FIXME: We don't really do a good job tracking when a compilation failed because of executable allocation fuzzing. https://bugs.webkit.org/show_bug.cgi?id=226276
+if (Options::useExecutableAllocationFuzz())
+return 100;
 if (Options::testTheFTL()) {
 if (m_didFailFTLCompilation)
 return 100;
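Review bot: with the new early return, `numberOfDFGCompiles()` answers 100 for every CodeBlock whenever `Options::useExecutableAllocationFuzz()` is set, so the `testTheFTL` / `m_didFailFTLCompilation` logic that follows is unreachable in that configuration; since 100 is the same value the FTL-failure path below returns, a one-line comment next to the FIXME saying that fuzzing deliberately reports "already compiled" so the stress tests bail out early (as the log message describes) would make the intent clear without following the bug link.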


Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp (278355 => 278356)

--- trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp	2021-06-02 16:21:15 UTC (rev 278355)
+++ trunk/Source/_javascript_Core/jit/ExecutableAllocationFuzz.cpp	2021-06-02 16:26:00 UTC (rev 278356)
@@ -29,6 +29,7 @@
 #include "TestRunnerUtils.h"
 #include 
 #include 
+#include 
 
 namespace JSC {
 

[webkit-changes] [278041] trunk/Tools

2021-05-25 Thread keith_miller
Title: [278041] trunk/Tools

Revision 278041
Author keith_mil...@apple.com
Date 2021-05-25 13:29:12 -0700 (Tue, 25 May 2021)

Log Message
Wasm low memory tests should have a larger executable pool
https://bugs.webkit.org/show_bug.cgi?id=226233

Reviewed by Saam Barati.

With some other recent JSC changes we can sometimes go over the allocation pool we set aside. Let's bump the number.

* Scripts/run-jsc-stress-tests:

Modified Paths

trunk/Tools/ChangeLog
trunk/Tools/Scripts/run-jsc-stress-tests




Diff

Modified: trunk/Tools/ChangeLog (278040 => 278041)

--- trunk/Tools/ChangeLog	2021-05-25 20:27:57 UTC (rev 278040)
+++ trunk/Tools/ChangeLog	2021-05-25 20:29:12 UTC (rev 278041)
@@ -1,3 +1,14 @@
+2021-05-25  Keith Miller  
+
+Wasm low memory tests should have a larger executable pool
+https://bugs.webkit.org/show_bug.cgi?id=226233
+
+Reviewed by Saam Barati.
+
+With some other recent JSC changes we can sometimes go over the allocation pool we set aside. Let's bump the number.
+
+* Scripts/run-jsc-stress-tests:
+
 2021-05-25  Sam Sneddon  
 
 Run webkitpy integration tests under pytest by default


Modified: trunk/Tools/Scripts/run-jsc-stress-tests (278040 => 278041)

--- trunk/Tools/Scripts/run-jsc-stress-tests	2021-05-25 20:27:57 UTC (rev 278040)
+++ trunk/Tools/Scripts/run-jsc-stress-tests	2021-05-25 20:29:12 UTC (rev 278041)
@@ -1315,7 +1315,7 @@
 prepareExtraAbsoluteFiles(WASMTESTS_PATH, ["wasm.json"])
 prepareExtraRelativeFiles(modules.map { |f| "../" + f }, $collection)
 # Only let WebAssembly get executable memory.
-run("default-wasm", "--useConcurrentGC=0" , "--useConcurrentJIT=0", "--jitMemoryReservationSize=15000", "--useBaselineJIT=0", "--useDFGJIT=0", "--useFTLJIT=0", "-m")
+run("default-wasm", "--useConcurrentGC=0" , "--useConcurrentJIT=0", "--jitMemoryReservationSize=2", "--useBaselineJIT=0", "--useDFGJIT=0", "--useFTLJIT=0", "-m")
 end
 
 def runChakra(mode, exception, baselineFile, extraFiles)
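Review bot: the log message says the executable pool is being made larger, but the hunk replaces `--jitMemoryReservationSize=15000` with `--jitMemoryReservationSize=2`, which reads as a reduction; please confirm the intended value (and the unit the option expects) and state the new size in the ChangeLog so a later reader does not have to guess whether a digit was lost.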


___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [277963] trunk/Source

2021-05-24 Thread keith_miller
Title: [277963] trunk/Source

Revision 277963
Author keith_mil...@apple.com
Date 2021-05-24 12:29:38 -0700 (Mon, 24 May 2021)

Log Message
Unreviewed, revert r276610 because it causes a 1% PLT regression.

Source/_javascript_Core:

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::JITData::size const): Deleted.
* bytecode/CodeBlock.h:
* jit/JITCodeMap.h:
(JSC::JITCodeMap::memorySize const): Deleted.

Source/WTF:

* wtf/Bag.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/jit/JITCodeMap.h
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/Bag.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (277962 => 277963)

--- trunk/Source/_javascript_Core/ChangeLog	2021-05-24 18:58:39 UTC (rev 277962)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-05-24 19:29:38 UTC (rev 277963)
@@ -1,3 +1,14 @@
+2021-05-24  Keith Miller  
+
+Unreviewed, revert r276610 because it causes a 1% PLT regression.
+
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::visitChildren):
+(JSC::CodeBlock::JITData::size const): Deleted.
+* bytecode/CodeBlock.h:
+* jit/JITCodeMap.h:
+(JSC::JITCodeMap::memorySize const): Deleted.
+
 2021-05-24  Chris Dumez  
 
 Drop CheckedLock / CheckedCondition aliases


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (277962 => 277963)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-05-24 18:58:39 UTC (rev 277962)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-05-24 19:29:38 UTC (rev 277963)
@@ -984,14 +984,6 @@
 extraMemory += m_metadata->sizeInBytes();
 if (m_jitCode && !m_jitCode->isShared())
 extraMemory += m_jitCode->size();
-#if ENABLE(JIT)
-if (m_jitData)
-extraMemory += m_jitData->size(locker);
-#endif
-extraMemory += m_argumentValueProfiles.size() * sizeof(ValueProfile);
-extraMemory += m_functionDecls.size() * sizeof(decltype(*m_functionDecls.data()));
-extraMemory += m_functionExprs.size() * sizeof(decltype(*m_functionExprs.data()));
-
 visitor.reportExtraMemoryVisited(extraMemory);
 
 stronglyVisitStrongReferences(locker, visitor);
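Review bot: dropping the `m_jitData`, `m_argumentValueProfiles`, `m_functionDecls` and `m_functionExprs` terms returns `extraMemory` to undercounting what a CodeBlock retains, which is the accounting gap r276610 set out to close; since the log message only cites the 1% PLT regression, it would help whoever re-lands this to record in the ChangeLog which of these terms was measured to be the expensive one (the `m_jitData->size(locker)` walk is the only non-constant-time term in this hunk).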
@@ -1029,28 +1021,6 @@
 template bool CodeBlock::shouldVisitStrongly(const ConcurrentJSLocker&, AbstractSlotVisitor&);
 template bool CodeBlock::shouldVisitStrongly(const ConcurrentJSLocker&, SlotVisitor&);
 
-#if ENABLE(JIT)
-size_t CodeBlock::JITData::size(const ConcurrentJSLocker&) const
-{
-size_t size = sizeof(JITData);
-size += m_stubInfos.estimatedAllocationSizeInBytes();
-size += m_addICs.estimatedAllocationSizeInBytes();
-size += m_mulICs.estimatedAllocationSizeInBytes();
-size += m_negICs.estimatedAllocationSizeInBytes();
-size += m_subICs.estimatedAllocationSizeInBytes();
-size += m_byValInfos.estimatedAllocationSizeInBytes();
-size += m_callLinkInfos.estimatedAllocationSizeInBytes();
-size += m_switchJumpTables.size() * sizeof(decltype(*m_switchJumpTables.data()));
-size += m_stringSwitchJumpTables.size() * sizeof(decltype(*m_stringSwitchJumpTables.data()));
-// FIXME: account for m_calleeSaveRegisters but it's not a big deal since it's a fixed size and small.
-if (m_pcToCodeOriginMap)
-size += m_pcToCodeOriginMap->memorySize();
-if (m_jitCodeMap)
-size += m_jitCodeMap.memorySize();
-return size;
-}
-#endif
-
 bool CodeBlock::shouldJettisonDueToWeakReference(VM& vm)
 {
 if (!JITCode::isOptimizingJIT(jitType()))
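Review bot: the deleted `JITData::size` recomputed seven `estimatedAllocationSizeInBytes()` walks plus the two map sizes on every `visitChildren` call; if that per-visit traversal is what regressed page load, a re-land could keep a running byte count in `JITData` that is updated when stubs and ICs are added, so the visitor reads one field under the lock instead of walking the Bags.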


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (277962 => 277963)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2021-05-24 18:58:39 UTC (rev 277962)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2021-05-24 19:29:38 UTC (rev 277963)
@@ -270,8 +270,6 @@
 struct JITData {
 WTF_MAKE_STRUCT_FAST_ALLOCATED;
 
-size_t size(const ConcurrentJSLocker&) const;
-
 Bag m_stubInfos;
 Bag m_addICs;
 Bag m_mulICs;


Modified: trunk/Source/_javascript_Core/jit/JITCodeMap.h (277962 => 277963)

--- trunk/Source/_javascript_Core/jit/JITCodeMap.h	2021-05-24 18:58:39 UTC (rev 277962)
+++ trunk/Source/_javascript_Core/jit/JITCodeMap.h	2021-05-24 19:29:38 UTC (rev 277963)
@@ -58,8 +58,6 @@
 
 explicit operator bool() const { return m_size; }
 
-size_t memorySize() const { return sizeof(CodeLocationLabel) * m_size + sizeof(BytecodeIndex) * m_size; }
-
 private:
 CodeLocationLabel* codeLocations() const
 {


Modified: trunk/Source/WTF/ChangeLog (277962 => 277963)

--- trunk/Source/WTF/ChangeLog	2021-05-24 18:58:39 UTC (rev 277962)
+++ trunk/Source/WTF/ChangeLog	2021-05-24 19:29:38 UTC (rev 277963)
@@ -1,3 +1,9 @@
+2021-05-24  Keith Miller  
+
+Unreviewed, revert r276610 because it causes a 1% PLT regression.
+
+* wtf/Bag.h:
+
 2021-05-24  Chris Dumez  
 
 

[webkit-changes] [277572] trunk/Source/JavaScriptCore

2021-05-16 Thread keith_miller
Title: [277572] trunk/Source/_javascript_Core

Revision 277572
Author keith_mil...@apple.com
Date 2021-05-16 10:46:33 -0700 (Sun, 16 May 2021)

Log Message
IsoAlignedMemoryAllocator should use BitVector
https://bugs.webkit.org/show_bug.cgi?id=225852

Reviewed by Mark Lam.

Right now IsoAlignedMemoryAllocator uses FastBitVector, which does
not have inline storage for small sizes. However, it's not
uncommon for IsoAlignedMemoryAllocator to be holding onto only a
few blocks. Those blocks may exist for a long time, which some
data indicates causes IsoAlignedMemoryAllocator's FastBitVector to
pin a full physical page for one 8 byte allocation. Since
accessing the committed blocks list is not a particularly hot
operation, we should just use a BitVector instead.

This seems to be perf neutral on benchmarks.

* heap/IsoAlignedMemoryAllocator.cpp:
(JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
(JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
* heap/IsoAlignedMemoryAllocator.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.cpp
trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (277571 => 277572)

--- trunk/Source/_javascript_Core/ChangeLog	2021-05-16 17:18:30 UTC (rev 277571)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-05-16 17:46:33 UTC (rev 277572)
@@ -1,3 +1,27 @@
+2021-05-16  Keith Miller  
+
+IsoAlignedMemoryAllocator should use BitVector
+https://bugs.webkit.org/show_bug.cgi?id=225852
+
+Reviewed by Mark Lam.
+
+Right now IsoAlignedMemoryAllocator uses FastBitVector, which does
+not have inline storage for small sizes. However, it's not
+uncommon for IsoAlignedMemoryAllocator to be holding onto only a
+few blocks. Those blocks may exist for a long time, which some
+data indicates causes IsoAlignedMemoryAllocator's FastBitVector to
+pin a full physical page for one 8 byte allocation. Since
+accessing the commited blocks list is not a particularly hot
+operation, we should just use a BitVector instead.
+
+This seems to be perf neutral on benchmarks.
+
+* heap/IsoAlignedMemoryAllocator.cpp:
+(JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
+(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
+(JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
+* heap/IsoAlignedMemoryAllocator.h:
+
 2021-05-16  Saam Barati  
 
 DFGVarargsForwardingPhase shouldn't consult Flush


Modified: trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.cpp (277571 => 277572)

--- trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.cpp	2021-05-16 17:18:30 UTC (rev 277571)
+++ trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.cpp	2021-05-16 17:46:33 UTC (rev 277572)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -42,7 +42,7 @@
 #if !ENABLE(MALLOC_HEAP_BREAKDOWN)
 for (unsigned i = 0; i < m_blocks.size(); ++i) {
 void* block = m_blocks[i];
-if (!m_committed[i])
+if (!m_committed.quickGet(i))
 WTF::fastCommitAlignedMemory(block, MarkedBlock::blockSize);
 fastAlignedFree(block);
 }
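Review bot: `quickGet(i)` is the unchecked accessor, so this loop now depends on `m_committed.size()` never falling below `m_blocks.size()`; the resize in `tryAllocateAlignedMemory` (`if (m_blocks.capacity() != m_committed.size()) m_committed.resize(m_blocks.capacity());`) keeps that invariant, but because a stale bit here would skip the re-commit before `fastAlignedFree`, a `RELEASE_ASSERT(m_committed.size() >= m_blocks.size());` ahead of the loop would document the assumption at negligible cost.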
@@ -63,7 +63,7 @@
 
 m_firstUncommitted = m_committed.findBit(m_firstUncommitted, false);
 if (m_firstUncommitted < m_blocks.size()) {
-m_committed[m_firstUncommitted] = true;
+m_committed.quickSet(m_firstUncommitted);
 void* result = m_blocks[m_firstUncommitted];
 WTF::fastCommitAlignedMemory(result, MarkedBlock::blockSize);
 return result;
@@ -77,7 +77,7 @@
 m_blockIndices.add(result, index);
 if (m_blocks.capacity() != m_committed.size())
 m_committed.resize(m_blocks.capacity());
-m_committed[index] = true;
+m_committed.quickSet(index);
 return result;
 #endif
 }
@@ -92,7 +92,7 @@
 auto iter = m_blockIndices.find(basePtr);
 RELEASE_ASSERT(iter != m_blockIndices.end());
 unsigned index = iter->value;
-m_committed[index] = false;
+m_committed.quickClear(index);
 m_firstUncommitted = std::min(index, m_firstUncommitted);
 WTF::fastDecommitAlignedMemory(basePtr, MarkedBlock::blockSize);
 #endif


Modified: trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h (277571 => 277572)

--- trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h	2021-05-16 17:18:30 UTC (rev 277571)
+++ trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h	2021-05-16 17:46:33 UTC (rev 277572)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reser

[webkit-changes] [276655] trunk/Source/JavaScriptCore

2021-04-27 Thread keith_miller
Title: [276655] trunk/Source/_javascript_Core

Revision 276655
Author keith_mil...@apple.com
Date 2021-04-27 12:49:45 -0700 (Tue, 27 Apr 2021)

Log Message
StructureStubInfo and PolymorphicAccess should account for their non-GC memory
https://bugs.webkit.org/show_bug.cgi?id=225113

Reviewed by Mark Lam.

We don't pass the ConcurrentJSLocker to the helper methods here since the
DECLARE_VISIT_AGGREGATE macro does not allow for extra parameters to be passed.
I filed https://bugs.webkit.org/show_bug.cgi?id=225114 to track that.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::JITData::size const):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::extraMemoryInBytes const):
* bytecode/PolymorphicAccess.h:
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::extraMemoryInBytes):
* bytecode/StructureStubInfo.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp
trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h
trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp
trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.h
trunk/Source/_javascript_Core/bytecode/StructureStubInfo.cpp
trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (276654 => 276655)

--- trunk/Source/_javascript_Core/ChangeLog	2021-04-27 19:41:22 UTC (rev 276654)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-04-27 19:49:45 UTC (rev 276655)
@@ -1,3 +1,23 @@
+2021-04-27  Keith Miller  
+
+StructureStubInfo and PolymorphicAccess should account for their non-GC memory
+https://bugs.webkit.org/show_bug.cgi?id=225113
+
+Reviewed by Mark Lam.
+
+We don't pass the ConcurrentJSLocker to the helper methods here since the
+DECLARE_VISIT_AGGREGATE macro does not allow for extra parameters to be passed.
+I filed https://bugs.webkit.org/show_bug.cgi?id=225114 to track that.
+
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::JITData::size const):
+* bytecode/PolymorphicAccess.cpp:
+(JSC::PolymorphicAccess::extraMemoryInBytes const):
+* bytecode/PolymorphicAccess.h:
+* bytecode/StructureStubInfo.cpp:
+(JSC::StructureStubInfo::extraMemoryInBytes):
+* bytecode/StructureStubInfo.h:
+
 2021-04-26  Keith Miller  
 
 UnlinkedCodeBlock should have better accounting for extra memory


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (276654 => 276655)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-04-27 19:41:22 UTC (rev 276654)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-04-27 19:49:45 UTC (rev 276655)
@@ -1034,6 +1034,8 @@
 {
 size_t size = sizeof(JITData);
 size += m_stubInfos.estimatedAllocationSizeInBytes();
+for (StructureStubInfo* stub : m_stubInfos)
+size += stub->extraMemoryInBytes();
 size += m_addICs.estimatedAllocationSizeInBytes();
 size += m_mulICs.estimatedAllocationSizeInBytes();
 size += m_negICs.estimatedAllocationSizeInBytes();
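Review bot: `stub->extraMemoryInBytes()` is called from `JITData::size(const ConcurrentJSLocker&)` without the locker, which the log message explains is forced by `DECLARE_VISIT_AGGREGATE`; a short comment at this call site naming which lock (if any) protects the `m_stubRoutine` / `m_watchpoints` state the helper reads, together with the bug 225114 link, would stop a future reader from assuming the locker argument of the enclosing function covers it.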


Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp (276654 => 276655)

--- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp	2021-04-27 19:41:22 UTC (rev 276654)
+++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp	2021-04-27 19:49:45 UTC (rev 276655)
@@ -377,6 +377,20 @@
 
 DEFINE_VISIT_AGGREGATE(PolymorphicAccess);
 
+size_t PolymorphicAccess::extraMemoryInBytes() const
+{
+size_t size = 0;
+size += m_list.sizeInBytes();
+// FIXME: Account for the size of the various access cases.
+size += m_list.size() * sizeof(AccessCase);
+if (m_stubRoutine)
+size += sizeof(JITStubRoutine) + m_stubRoutine->code().size();
+if (m_watchpoints)
+size += sizeof(WatchpointsOnStructureStubInfo) + m_watchpoints->extraMemoryInBytes();
+size += m_weakReferences.byteSize();
+return size;
+}
+
 void PolymorphicAccess::dump(PrintStream& out) const
 {
 out.print(RawPointer(this), ":[");
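Review bot: `size += m_list.size() * sizeof(AccessCase)` is a lower bound whenever the list holds AccessCase subclasses, which the FIXME acknowledges, and `sizeof(JITStubRoutine)` has the same limitation for whatever concrete routine `m_stubRoutine` points at; rather than leaving both as silent underestimates, the function-level comment could state that it returns a lower bound, and a per-case size accessor on `AccessCase` would let the first term be exact when that FIXME is addressed.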


Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h (276654 => 276655)

--- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h	2021-04-27 19:41:22 UTC (rev 276654)
+++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h	2021-04-27 19:49:45 UTC (rev 276655)
@@ -157,6 +157,8 @@
 
 // If this returns false then we are requesting a reset of the owning StructureStubInfo.
 bool visitWeak(VM&) const;
+
+size_t extraMemoryInBytes() const;
 
 // This returns true if it has marked everything it will ever marked. This can be used as an
 // optimization to then avoid calling this method again during the fixpoint.


Modified: trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp (276654 => 276655)

--- trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoin

[webkit-changes] [276625] trunk/Source/JavaScriptCore

2021-04-26 Thread keith_miller
Title: [276625] trunk/Source/_javascript_Core

Revision 276625
Author keith_mil...@apple.com
Date 2021-04-26 18:09:59 -0700 (Mon, 26 Apr 2021)

Log Message
UnlinkedCodeBlock should have better accounting for extra memory
https://bugs.webkit.org/show_bug.cgi?id=225080

Reviewed by Mark Lam.

Right now we aren't telling the JS GC about the extra memory
attached to UnlinkedCodeBlocks. It looks like on at least some sites this
can be a fairly large percentage of the total memory retained by
the JS object graph. This is very similar to the change we made for
CodeBlocks in r276610.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::visitChildrenImpl):
(JSC::UnlinkedCodeBlock::RareData::sizeInBytes const):
* bytecode/UnlinkedCodeBlock.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (276624 => 276625)

--- trunk/Source/_javascript_Core/ChangeLog	2021-04-27 00:34:28 UTC (rev 276624)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-04-27 01:09:59 UTC (rev 276625)
@@ -1,3 +1,21 @@
+2021-04-26  Keith Miller  
+
+UnlinkedCodeBlock should have better accounting for extra memory
+https://bugs.webkit.org/show_bug.cgi?id=225080
+
+Reviewed by Mark Lam.
+
+Right now we aren't telling the JS GC about the extra memory
+attached to UnlinkedCodeBlocks. It looks like on at least some sites this
+can be a fairly large percentage of the total memory retained by
+the JS object graph. This is very similar to the change we made for
+CodeBlocks in r276610.
+
+* bytecode/UnlinkedCodeBlock.cpp:
+(JSC::UnlinkedCodeBlock::visitChildrenImpl):
+(JSC::UnlinkedCodeBlock::RareData::sizeInBytes const):
+* bytecode/UnlinkedCodeBlock.h:
+
 2021-04-26  Alex Christensen  
 
 Update Mac-specific CMake files


Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp (276624 => 276625)

--- trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp	2021-04-27 00:34:28 UTC (rev 276624)
+++ trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp	2021-04-27 01:09:59 UTC (rev 276625)
@@ -66,11 +66,13 @@
 ASSERT(m_codeType == static_cast(codeType));
 ASSERT(m_didOptimize == static_cast(TriState::Indeterminate));
 if (info.needsClassFieldInitializer() == NeedsClassFieldInitializer::Yes) {
-createRareDataIfNecessary(holdLock(cellLock()));
+auto locker = holdLock(cellLock());
+createRareDataIfNecessary(locker);
 m_rareData->m_needsClassFieldInitializer = static_cast(NeedsClassFieldInitializer::Yes);
 }
 if (info.privateBrandRequirement() == PrivateBrandRequirement::Needed) {
-createRareDataIfNecessary(holdLock(cellLock()));
+auto locker = holdLock(cellLock());
+createRareDataIfNecessary(locker);
 m_rareData->m_privateBrandRequirement = static_cast(PrivateBrandRequirement::Needed);
 }
 }
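Review bot: replacing `createRareDataIfNecessary(holdLock(cellLock()))` with a named `locker` extends the lock's lifetime to the end of each `if` block, so the `m_rareData->m_needsClassFieldInitializer` and `m_rareData->m_privateBrandRequirement` stores now happen under `cellLock()` where previously the lock was released at the end of the call expression; that is the safer behaviour, but it is a change to the constructor that the ChangeLog entry (which lists only `visitChildrenImpl` and `RareData::sizeInBytes`) does not mention, so add a line for it.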
@@ -92,6 +94,16 @@
 size_t extraMemory = thisObject->m_metadata->sizeInBytes();
 if (thisObject->m_instructions)
 extraMemory += thisObject->m_instructions->sizeInBytes();
+if (thisObject->hasRareData())
+extraMemory += thisObject->m_rareData->sizeInBytes(locker);
+
+extraMemory += thisObject->m_jumpTargets.byteSize();
+extraMemory += thisObject->m_identifiers.byteSize();
+extraMemory += thisObject->m_constantRegisters.byteSize();
+extraMemory += thisObject->m_constantsSourceCodeRepresentation.byteSize();
+extraMemory += thisObject->m_functionDecls.byteSize();
+extraMemory += thisObject->m_functionExprs.byteSize();
+
 visitor.reportExtraMemoryVisited(extraMemory);
 }
 
@@ -106,6 +118,23 @@
 return Base::estimatedSize(cell, vm) + extraSize;
 }
 
+size_t UnlinkedCodeBlock::RareData::sizeInBytes(const AbstractLocker&) const
+{
+size_t size = sizeof(RareData);
+size += m_exceptionHandlers.byteSize();
+size += m_unlinkedSwitchJumpTables.byteSize();
+size += m_unlinkedStringSwitchJumpTables.byteSize();
+size += m_expressionInfoFatPositions.byteSize();
+size += m_typeProfilerInfoMap.capacity() * sizeof(decltype(m_typeProfilerInfoMap)::KeyValuePairType);
+size += m_opProfileControlFlowBytecodeOffsets.byteSize();
+size += m_bitVectors.byteSize();
+// FIXME: account for each bit vector.
+size += m_constantIdentifierSets.byteSize();
+for (const auto& identifierSet : m_constantIdentifierSets)
+size += identifierSet.capacity() * sizeof(std::remove_reference_t::ValueType);
+return size;
+}
+
 int UnlinkedCodeBlock::lineNumberForBytecodeIndex(BytecodeIndex bytecodeIndex)
 {
 ASSERT(bytecodeIndex.offset() < instructions().size());
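Review bot: the template arguments of `std::remove_reference_t::ValueType` have been lost in the rendered diff, so the element type used for the per-set estimate cannot be checked from the hunk; separately, the FIXME leaves each entry of `m_bitVectors` with its own storage uncounted, which makes `sizeInBytes` a lower bound, and a one-line comment at the top of the function saying so would save the next reader from treating the number as exact.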


Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h (276624 => 276625)

--- trunk/Source/_javascript_Core/bytecod

[webkit-changes] [276610] trunk/Source

2021-04-26 Thread keith_miller
Title: [276610] trunk/Source

Revision 276610
Author keith_mil...@apple.com
Date 2021-04-26 13:22:35 -0700 (Mon, 26 Apr 2021)

Log Message
CodeBlock should do a better job accounting for extra memory it allocates.
https://bugs.webkit.org/show_bug.cgi?id=225068

Reviewed by Mark Lam.

Source/_javascript_Core:

Right now we aren't telling the JS GC about the extra memory
attached to CodeBlocks. It looks like on at least some sites this
can be a fairly large percentage of the total memory retained by
the JS object graph.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::JITData::size const):
* bytecode/CodeBlock.h:
* jit/JITCodeMap.h:
(JSC::JITCodeMap::memorySize const):

Source/WTF:

Small convenience function to help compute the memory used by a Bag for JS GC
accounting.

* wtf/Bag.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/jit/JITCodeMap.h
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/Bag.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (276609 => 276610)

--- trunk/Source/_javascript_Core/ChangeLog	2021-04-26 20:20:13 UTC (rev 276609)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-04-26 20:22:35 UTC (rev 276610)
@@ -1,5 +1,24 @@
 2021-04-26  Keith Miller  
 
+CodeBlock should do a better job accounting for extra memory it allocates.
+https://bugs.webkit.org/show_bug.cgi?id=225068
+
+Reviewed by Mark Lam.
+
+Right now we aren't telling the JS GC about the extra memory
+attached to CodeBlocks. It looks like on at least some sites this
+can be a fairly large percentage of the total memory retained by
+the JS object graph.
+
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::visitChildren):
+(JSC::CodeBlock::JITData::size const):
+* bytecode/CodeBlock.h:
+* jit/JITCodeMap.h:
+(JSC::JITCodeMap::memorySize const):
+
+2021-04-26  Keith Miller  
+
 numCalleeLocals, numParameters, and numVars should be unsigned
 https://bugs.webkit.org/show_bug.cgi?id=224995
 


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (276609 => 276610)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-04-26 20:20:13 UTC (rev 276609)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-04-26 20:22:35 UTC (rev 276610)
@@ -984,6 +984,14 @@
 extraMemory += m_metadata->sizeInBytes();
 if (m_jitCode && !m_jitCode->isShared())
 extraMemory += m_jitCode->size();
+#if ENABLE(JIT)
+if (m_jitData)
+extraMemory += m_jitData->size(locker);
+#endif
+extraMemory += m_argumentValueProfiles.size() * sizeof(ValueProfile);
+extraMemory += m_functionDecls.size() * sizeof(decltype(*m_functionDecls.data()));
+extraMemory += m_functionExprs.size() * sizeof(decltype(*m_functionExprs.data()));
+
 visitor.reportExtraMemoryVisited(extraMemory);
 
 stronglyVisitStrongReferences(locker, visitor);
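Review bot: `m_jitData->size(locker)` is recomputed on every `visitChildren` call and, as defined below, walks every Bag and both maps each time; that cost lands on the GC's marking path under the `ConcurrentJSLocker`, so it is worth measuring on page-load benchmarks before landing (this same change is reverted later on this page in r277963, citing a 1% PLT regression), or replacing with a size maintained incrementally as stubs and ICs are added.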
@@ -1021,6 +1029,29 @@
 template bool CodeBlock::shouldVisitStrongly(const ConcurrentJSLocker&, AbstractSlotVisitor&);
 template bool CodeBlock::shouldVisitStrongly(const ConcurrentJSLocker&, SlotVisitor&);
 
+#if ENABLE(JIT)
+size_t CodeBlock::JITData::size(const ConcurrentJSLocker&) const
+{
+size_t size = sizeof(JITData);
+size += m_stubInfos.estimatedAllocationSizeInBytes();
+size += m_addICs.estimatedAllocationSizeInBytes();
+size += m_mulICs.estimatedAllocationSizeInBytes();
+size += m_negICs.estimatedAllocationSizeInBytes();
+size += m_subICs.estimatedAllocationSizeInBytes();
+size += m_byValInfos.estimatedAllocationSizeInBytes();
+size += m_callLinkInfos.estimatedAllocationSizeInBytes();
+size += m_rareCaseProfiles.size() * sizeof(decltype(*m_rareCaseProfiles.data()));
+size += m_switchJumpTables.size() * sizeof(decltype(*m_switchJumpTables.data()));
+size += m_stringSwitchJumpTables.size() * sizeof(decltype(*m_stringSwitchJumpTables.data()));
+// FIXME: account for m_calleeSaveRegisters but it's not a big deal since it's a fixed size and small.
+if (m_pcToCodeOriginMap)
+size += m_pcToCodeOriginMap->memorySize();
+if (m_jitCodeMap)
+size += m_jitCodeMap.memorySize();
+return size;
+}
+#endif
+
 bool CodeBlock::shouldJettisonDueToWeakReference(VM& vm)
 {
 if (!JITCode::isOptimizingJIT(jitType()))
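Review bot: `m_switchJumpTables.size() * sizeof(decltype(*m_switchJumpTables.data()))` (and the string-switch equivalent) counts only the table objects themselves; if those tables own heap-allocated vectors, that storage is not included, so alongside the existing FIXME for `m_calleeSaveRegisters` it would be clearer to list in one comment everything this function deliberately excludes and to document that the result is an estimate rather than an exact byte count.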


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (276609 => 276610)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2021-04-26 20:20:13 UTC (rev 276609)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2021-04-26 20:22:35 UTC (rev 276610)
@@ -268,6 +268,8 @@
 struct JITData {
 WTF_MAKE_STRUCT_FAST_ALLOCATED;
 
+size_t size(const ConcurrentJSLocker&) const;
+
 Bag m_stubInfos;
 Bag m_addICs;
 Bag m_mulICs;


Modified: trunk/Sour

[webkit-changes] [276609] trunk/Source/JavaScriptCore

2021-04-26 Thread keith_miller
Title: [276609] trunk/Source/_javascript_Core

Revision 276609
Author keith_mil...@apple.com
Date 2021-04-26 13:20:13 -0700 (Mon, 26 Apr 2021)

Log Message
numCalleeLocals, numParameters, and numVars should be unsigned
https://bugs.webkit.org/show_bug.cgi?id=224995

Reviewed by Mark Lam.

All of the various CodeBlock classes currently have the
numCalleeLocals and numVars marked as ints. I believe this is just
a historical artifact or because VirtualRegister's offset is an
int to make handling constants easier. Regardless, it's a bit
strange to not handle the sign conversion at the point of
comparison between a VirtualRegister offset and the local/var
count. This doesn't completely fix every place we use ints for
these values but starts on the right track. Lastly, I also added
some Checks to the wasm parser for sanity checking.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setNumParameters):
(JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeIndexSlow):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numParameters const):
(JSC::CodeBlock::numberOfArgumentsToSkip const):
(JSC::CodeBlock::numCalleeLocals const):
(JSC::CodeBlock::numVars const):
(JSC::CodeBlock::numTmps const):
(JSC::CodeBlock::addressOfNumParameters):
(JSC::CodeBlock::isTemporaryRegister):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::numCalleeLocals const):
(JSC::UnlinkedCodeBlock::numVars const):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::numCalleeLocals const):
(JSC::UnlinkedCodeBlockGenerator::numVars const):
(JSC::UnlinkedCodeBlockGenerator::setNumCalleeLocals):
(JSC::UnlinkedCodeBlockGenerator::setNumVars):
(JSC::UnlinkedCodeBlockGenerator::setNumParameters):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::emitPushFunctionNameScope):
* bytecompiler/BytecodeGeneratorBaseInlines.h:
(JSC::BytecodeGeneratorBase::newRegister):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* interpreter/CallFrameClosure.h:
* interpreter/ProtoCallFrameInlines.h:
(JSC::ProtoCallFrame::init):
* jit/JIT.cpp:
(JSC::JIT::compileWithoutLinking):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::numberOfStackPaddingSlots):
(JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
* wasm/WasmFunctionCodeBlock.h:
(JSC::Wasm::FunctionCodeBlock::numVars const):
(JSC::Wasm::FunctionCodeBlock::numCalleeLocals const):
(JSC::Wasm::FunctionCodeBlock::setNumVars):
(JSC::Wasm::FunctionCodeBlock::setNumCalleeLocals):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::push):
(JSC::Wasm::LLIntGenerator::getDropKeepCount):
(JSC::Wasm::LLIntGenerator::walkExpressionStack):
(JSC::Wasm::LLIntGenerator::checkConsistency):
(JSC::Wasm::LLIntGenerator::materializeConstantsAndLocals):
(JSC::Wasm::LLIntGenerator::splitStack):
(JSC::Wasm::LLIntGenerator::finalize):
(JSC::Wasm::LLIntGenerator::callInformationForCaller):
(JSC::Wasm::LLIntGenerator::addLoop):
(JSC::Wasm::LLIntGenerator::addTopLevel):
(JSC::Wasm::LLIntGenerator::addBlock):
(JSC::Wasm::LLIntGenerator::addIf):
(JSC::Wasm::LLIntGenerator::addElseToUnreachable):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.h
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp
trunk/Source/_javascript_Core/bytecompiler/BytecodeGeneratorBaseInlines.h
trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp
trunk/Source/_javascript_Core/dfg/DFGOSREntrypointCreationPhase.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/ftl/FTLOSREntry.cpp
trunk/Source/_javascript_Core/interpreter/CallFrameClosure.h
trunk/Source/_javascript_Core/interpreter/ProtoCallFrameInlines.h
trunk/Source/_javascript_Core/jit/JIT.cpp
trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h
trunk/Source/_javascript_Core/tools/VMInspector.cpp
trunk/Source/_javascript_Core/wasm/WasmFunctionCodeBlock.h
trunk/Source/_javascript_Core/wasm/WasmLLIntGenerator.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (276608 => 276609)

--- trunk/Source/_javascript_Core/ChangeLog	2021-04-26 20:03:15 UTC (rev 276608)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-04-26 20:20:13 UTC (rev 276609)
@@ -1,3 +1,85 @@
+2021-04-26  Keith Miller  
+
+numCalleeLocals, numParameters, and numVars should be unsigned
+https://bugs.webkit.

[webkit-changes] [276324] trunk/Source

2021-04-20 Thread keith_miller
Title: [276324] trunk/Source

Revision 276324
Author keith_mil...@apple.com
Date 2021-04-20 15:42:05 -0700 (Tue, 20 Apr 2021)


Log Message
FullGCActivityCallback should use the percentage of pages uncompressed in RAM to determine deferral.
https://bugs.webkit.org/show_bug.cgi?id=224817

Reviewed by Filip Pizlo.

Source/_javascript_Core:

Right now we try to determine if too many pages are paged out by
dereferencing them and bailing out of the GC if we go over a
deadline. While this works if the only goal is to avoid causing
extensive thrashing on spinny disks (HDD), it doesn't prevent
thrashing when access to disk is fast (e.g. SSD). This is because
on fast disks the proportional time to load the memory from disk
is much lower. Additionally, on SSDs in particular we don't want
to load the pages into RAM then bail as that will force a
different page onto disk, increasing wear.

This patch switches to asking the OS if each MarkedBlock is paged
out. Then if we are over a threshold we wait until we would have
GC'd anyway. This patch uses the (maxVMGrowthFactor - 1) as the
percentage of "slow" pages (paged out or compressed) needed to
defer the GC. The idea behind that threshold is that if we add
that many pages then the same number of pages would be forced
out of RAM for us to do a GC anyway (in the limit).

* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::updatePercentageOfPagedOutPages):
(JSC::BlockDirectory::isPagedOut): Deleted.
* heap/BlockDirectory.h:
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
* heap/Heap.cpp:
(JSC::Heap::isPagedOut):
* heap/Heap.h:
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::isPagedOut):
* heap/MarkedSpace.h:
* runtime/OptionsList.h:

Source/WebKit:

Add mincore to the acceptable syscall list.

* WebProcess/com.apple.WebProcess.sb.in:

Source/WTF:

Add a noexcept flavor of FunctionTraits. On Linux, mincore (and probably other syscalls) is marked noexcept, so the existing overloads don't work.

* wtf/FunctionTraits.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/heap/BlockDirectory.cpp
trunk/Source/_javascript_Core/heap/BlockDirectory.h
trunk/Source/_javascript_Core/heap/FullGCActivityCallback.cpp
trunk/Source/_javascript_Core/heap/Heap.cpp
trunk/Source/_javascript_Core/heap/Heap.h
trunk/Source/_javascript_Core/heap/MarkedSpace.cpp
trunk/Source/_javascript_Core/heap/MarkedSpace.h
trunk/Source/_javascript_Core/runtime/OptionsList.h
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/FunctionTraits.h
trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/WebProcess/com.apple.WebProcess.sb.in

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (276323 => 276324)

--- trunk/Source/_javascript_Core/ChangeLog	2021-04-20 22:37:05 UTC (rev 276323)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-04-20 22:42:05 UTC (rev 276324)
@@ -1,3 +1,42 @@
+2021-04-20  Keith Miller  
+
+FullGCActivityCallback should use the percentage of pages uncompressed in RAM to determine deferral.
+https://bugs.webkit.org/show_bug.cgi?id=224817
+
+Reviewed by Filip Pizlo.
+
+Right now we try to determine if too many pages are paged out by
+dereferencing them and bailing out of the GC if we go over a
+deadline. While this works if the only goal is to avoid causing
+extensive thrashing on spinny disks (HDD), it doesn't prevent
+thrashing when access to disk is fast (e.g. SSD). This is because
+on fast disks the proportional time to load the memory from disk
+is much lower. Additionally, on SSDs in particular we don't want
+to load the pages into RAM then bail as that will force a
+different page onto disk, increasing wear.
+
+This patch switches to asking the OS if each MarkedBlock is paged
+out. Then if we are over a threshold we wait until we would have
+GC'd anyway. This patch uses the (maxVMGrowthFactor - 1) as the
+percentage of "slow" pages (paged out or compressed) needed to
+defer the GC. The idea behind that threshold is that if we add
+that many pages then the same number of pages would be forced
+out of RAM for us to do a GC anyway (in the limit).
+
+* heap/BlockDirectory.cpp:
+(JSC::BlockDirectory::updatePercentageOfPagedOutPages):
+(JSC::BlockDirectory::isPagedOut): Deleted.
+* heap/BlockDirectory.h:
+* heap/FullGCActivityCallback.cpp:
+(JSC::FullGCActivityCallback::doCollection):
+* heap/Heap.cpp:
+(JSC::Heap::isPagedOut):
+* heap/Heap.h:
+* heap/MarkedSpace.cpp:
+(JSC::MarkedSpace::isPagedOut):
+* heap/MarkedSpace.h:
+* runtime/OptionsList.h:
+
 2021-04-20  Don Olmstead  
 
 [CMake] Don't use FORWARDING_HEADERS_DIR for JSC GLib headers


Modified: trunk/Source/_javascript_Core/heap/BlockDirectory.cpp (276323 => 276324)

--- trunk/Source/_javascript_Core/heap/BlockDi
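The mechanism the log message above describes, asking the OS which pages are resident and deferring the full GC when the fraction of "slow" pages exceeds (maxVMGrowthFactor - 1), as an added example in C. This is not WebKit's code: it queries one flat region with mincore(2) rather than each MarkedBlock, and the kMaxVMGrowthFactor value is a constructed placeholder, not JSC's real option value.

```c
// Added example, not WebKit code: ask the OS which pages of a region are
// resident (the mechanism the commit moves to) and apply its deferral rule,
// "defer the full GC when the fraction of slow pages exceeds
// (maxVMGrowthFactor - 1)". kMaxVMGrowthFactor below is a constructed
// placeholder, not JSC's real option value.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

// Fraction of pages in [base, base + len) that the kernel reports resident,
// or -1.0 when the query fails (empty or unmapped range, misaligned base).
static double residentFraction(const void *base, size_t len)
{
    long pageSize = sysconf(_SC_PAGESIZE);
    if (pageSize <= 0 || !len)
        return -1.0;
    size_t pageCount = (len + (size_t)pageSize - 1) / (size_t)pageSize;
    unsigned char *vec = calloc(pageCount, 1);
    if (!vec)
        return -1.0;
    // Linux declares the vector as unsigned char*, BSD/macOS as char*;
    // passing void* keeps the call portable in C.
    if (mincore((void *)base, len, (void *)vec) != 0) {
        free(vec);
        return -1.0;
    }
    size_t resident = 0;
    for (size_t i = 0; i < pageCount; i++)
        resident += vec[i] & 1; // bit 0 is "resident"; other bits are unspecified
    free(vec);
    return (double)resident / (double)pageCount;
}

// "Slow" pages are the non-resident ones (paged out or compressed). The
// commit tolerates up to (maxVMGrowthFactor - 1) of them before deferring.
static int shouldDeferFullGC(double slowFraction, double maxVMGrowthFactor)
{
    return slowFraction > (maxVMGrowthFactor - 1.0);
}

// Map a small private anonymous region and write to every page so each one
// is backed by a frame; mincore should then report the whole region resident.
static double demoResidentAfterTouch(void)
{
    long pageSize = sysconf(_SC_PAGESIZE);
    size_t len = 16 * (size_t)pageSize;
    unsigned char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1.0;
    for (size_t off = 0; off < len; off += (size_t)pageSize)
        region[off] = 0xAB;
    double resident = residentFraction(region, len);
    munmap(region, len);
    return resident;
}

int main(void)
{
    const double kMaxVMGrowthFactor = 1.5; // constructed placeholder value
    double resident = demoResidentAfterTouch();
    double slow = resident < 0 ? 1.0 : 1.0 - resident;
    printf("resident=%.2f slow=%.2f deferFullGC=%d\n", resident, slow,
           shouldDeferFullGC(slow, kMaxVMGrowthFactor));
    return 0;
}
```

Two practical points follow from the message itself. The query is a syscall, which is why the same commit adds mincore to the WebProcess sandbox allowlist: any seccomp or sandbox profile wrapping a process that adopts this check has to permit it, or the check fails closed and the fallback (here, treating every page as slow) decides. And mincore only reports residency, so the policy cannot distinguish "compressed" from "on disk"; both simply count as slow, which is exactly what the threshold wants.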

[webkit-changes] [276155] trunk/Source/JavaScriptCore

2021-04-16 Thread keith_miller
Title: [276155] trunk/Source/_javascript_Core

Revision 276155
Author keith_mil...@apple.com
Date 2021-04-16 12:24:22 -0700 (Fri, 16 Apr 2021)


Log Message
Before deleting a MarkedBlock we do not need to clear its m_directory pointer.
https://bugs.webkit.org/show_bug.cgi?id=224677

Reviewed by Yusuke Suzuki.

Right now when we are about to free a MarkedBlock we clear the
m_directory pointer in the MarkedBlock's Handle. This has the
downside, however, of potentially paging in the footer from disk /
the compressor, which some data we have seen shows is happening.
This patch prevents this unnecessary store to hopefully reduce the
number of pageins/decompressions caused by Safari web content.

* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::removeBlock):
(JSC::BlockDirectory::removeBlockForDeletion):
* heap/BlockDirectory.h:
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::~Handle):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::freeBlock):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/heap/BlockDirectory.cpp
trunk/Source/_javascript_Core/heap/BlockDirectory.h
trunk/Source/_javascript_Core/heap/MarkedBlock.cpp
trunk/Source/_javascript_Core/heap/MarkedSpace.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (276154 => 276155)

--- trunk/Source/_javascript_Core/ChangeLog	2021-04-16 19:22:56 UTC (rev 276154)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-04-16 19:24:22 UTC (rev 276155)
@@ -1,3 +1,26 @@
+2021-04-16  Keith Miller  
+
+Before deleting a MarkedBlock we do not need to clear its m_directory pointer.
+https://bugs.webkit.org/show_bug.cgi?id=224677
+
+Reviewed by Yusuke Suzuki.
+
+Right now when we are about to free a MarkedBlock we clear the
+m_directory pointer in the MarkedBlock's Handle. This has the
+downside, however, of potentially paging in the footer from disk /
+the compressor, which some data we have seen shows is happening.
+This patch prevents this uncessary store to hopefully reduce the
+number of pageins/decompressions caused by Safari web content.
+
+* heap/BlockDirectory.cpp:
+(JSC::BlockDirectory::removeBlock):
+(JSC::BlockDirectory::removeBlockForDeletion):
+* heap/BlockDirectory.h:
+* heap/MarkedBlock.cpp:
+(JSC::MarkedBlock::Handle::~Handle):
+* heap/MarkedSpace.cpp:
+(JSC::MarkedSpace::freeBlock):
+
 2021-04-16  Mark Lam  
 
 Build fix for Debug -O3 after r276069.


Modified: trunk/Source/_javascript_Core/heap/BlockDirectory.cpp (276154 => 276155)

--- trunk/Source/_javascript_Core/heap/BlockDirectory.cpp	2021-04-16 19:22:56 UTC (rev 276154)
+++ trunk/Source/_javascript_Core/heap/BlockDirectory.cpp	2021-04-16 19:24:22 UTC (rev 276155)
@@ -140,7 +140,7 @@
 setIsEmpty(NoLockingNecessary, index, true);
 }
 
-void BlockDirectory::removeBlock(MarkedBlock::Handle* block)
+void BlockDirectory::removeBlock(MarkedBlock::Handle* block, WillDeleteBlock willDelete)
 {
 ASSERT(block->directory() == this);
 ASSERT(m_blocks[block->index()] == block);
@@ -155,8 +155,9 @@
 [&](auto vectorRef) {
 vectorRef[block->index()] = false;
 });
-
-block->didRemoveFromDirectory();
+
+if (willDelete == WillDeleteBlock::No)
+block->didRemoveFromDirectory();
 }
 
 void BlockDirectory::stopAllocating()
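Review bot: in the WillDeleteBlock::Yes branch the handle keeps a directory pointer that still compares equal to this even though the block has just been removed from m_blocks and the bitvectors, so block->directory() is stale for the rest of the handle's life. That is safe only because the single caller frees the handle immediately; the header comment says so, but this function is the place a future caller will read, so a one-line comment here ("caller must not use the handle after this call") would carry the invariant to the right spot. Separately, the `-`/`+` pair of blank lines is a whitespace-only change that adds noise to the hunk.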


Modified: trunk/Source/_javascript_Core/heap/BlockDirectory.h (276154 => 276155)

--- trunk/Source/_javascript_Core/heap/BlockDirectory.h	2021-04-16 19:22:56 UTC (rev 276154)
+++ trunk/Source/_javascript_Core/heap/BlockDirectory.h	2021-04-16 19:24:22 UTC (rev 276155)
@@ -83,7 +83,9 @@
 RefPtr> parallelNotEmptyBlockSource();
 
 void addBlock(MarkedBlock::Handle*);
-void removeBlock(MarkedBlock::Handle*);
+enum class WillDeleteBlock { No, Yes };
+// If WillDeleteBlock::Yes is passed then the block will be left in an invalid state. We do this, however, to avoid potentially paging in / decompressing old blocks to update their handle just before freeing them.
+void removeBlock(MarkedBlock::Handle*, WillDeleteBlock = WillDeleteBlock::No);
 
 bool isPagedOut(MonotonicTime deadline);
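Review bot: the new comment says the block is left "in an invalid state" but does not say which state: per the log message it is the handle's m_directory pointer that is no longer cleared, and the only intended caller is MarkedBlock::Handle::~Handle. Naming both in the comment (and wrapping the line, which runs well past the file's usual width) would make the default `WillDeleteBlock::No` read as the safe choice and `Yes` as destructor-only.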
 


Modified: trunk/Source/_javascript_Core/heap/MarkedBlock.cpp (276154 => 276155)

--- trunk/Source/_javascript_Core/heap/MarkedBlock.cpp	2021-04-16 19:22:56 UTC (rev 276154)
+++ trunk/Source/_javascript_Core/heap/MarkedBlock.cpp	2021-04-16 19:24:22 UTC (rev 276155)
@@ -76,7 +76,7 @@
 if (!(balance % 10))
 dataLog("MarkedBlock Balance: ", balance, "\n");
 }
-removeFromDirectory();
+m_directory->removeBlock(this, BlockDirectory::WillDeleteBlock::Yes);
 m_block->~MarkedBlock();
 m_alignedMemoryAllocator->freeAlignedMemory(m_block);
 heap.didFreeBlock(blockSize);
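Review bot: the replaced removeFromDirectory() call is now a direct dereference of m_directory. If removeFromDirectory() tolerated a handle that was never attached to a directory (a null m_directory), that guard is gone here; the hunk does not show its body, so please confirm the destructor can only run on attached handles, or keep an ASSERT(m_directory) before the call.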


Modified: trunk/Source/_javascript_Core/heap/MarkedSpace.cpp (276154 => 276155)

--- trunk/Source/_javascript_Core/heap/MarkedSpace.cpp	2021-0

[webkit-changes] [275508] trunk

2021-04-06 Thread keith_miller
Title: [275508] trunk

Revision 275508
Author keith_mil...@apple.com
Date 2021-04-06 06:18:10 -0700 (Tue, 06 Apr 2021)


Log Message
CloneDeserializer should use ArrayBuffer::tryCreate
https://bugs.webkit.org/show_bug.cgi?id=224218

Reviewed by Antti Koivisto.

Source/WebCore:

Right now CloneDeserializer assumes that every ArrayBuffer allocation during
deserialization will succeed. This is silly since it's an array-like object.
It should call tryCreate and fail the deserialization instead.

Test: fast/dom/Window/post-message-large-array-buffer-should-not-crash.html

* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readArrayBuffer):

LayoutTests:

This test was generated by a fuzzer so it allocates a large Array backing store
by doing Object.defineProperty on a large offset. That said, I chose to leave it
because it's sometimes useful to do things in different ways for testing.

Also, skip the test on Windows because we seem to throw a stack overflow error.
Not sure why this happens but it's not super important that this particular
test runs on all ports as we're mostly trying to just unblock the fuzzer.

* fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt: Added.
* fast/dom/Window/post-message-large-array-buffer-should-not-crash.html: Added.
* platform/win/TestExpectations:

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/LayoutTests/platform/win/TestExpectations
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp


Added Paths

trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt
trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (275507 => 275508)

--- trunk/LayoutTests/ChangeLog	2021-04-06 12:58:20 UTC (rev 275507)
+++ trunk/LayoutTests/ChangeLog	2021-04-06 13:18:10 UTC (rev 275508)
@@ -1,3 +1,22 @@
+2021-04-06  Keith Miller  
+
+CloneDeserializer should use ArrayBuffer::tryCreate
+https://bugs.webkit.org/show_bug.cgi?id=224218
+
+Reviewed by Antti Koivisto.
+
+This test was generated by a fuzzer so it allocates a large Array backing store
+by doing Object.defineProperty on a large offset. That said, I chose to leave it
+because it's sometimes useful to do things in different ways for testing.
+
+Also, skip the test on windows because we seem to throw a stack overflow error.
+Not sure why this happens but it's not super important that this particular
+test runs on all ports as we're mostly trying to just unblock the fuzzer.
+
+* fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt: Added.
+* fast/dom/Window/post-message-large-array-buffer-should-not-crash.html: Added.
+* platform/win/TestExpectations:
+
 2021-04-06  Alicia Boya García  
 
 [GStreamer][MediaStream] Unreviewed micro-gardening


Added: trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt (0 => 275508)

--- trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt	(rev 0)
+++ trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt	2021-04-06 13:18:10 UTC (rev 275508)
@@ -0,0 +1,9 @@
+Check that trying to deserialize an ArrayBuffer when there's not enough memory does not crash (test may only fail flakily)
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
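Review bot: the only assertion recorded in the expectation is "PASS successfullyParsed is true", so this is purely a crash test: nothing in the output says how the failed deserialization surfaced (a rejected message, an error event, or a silently dropped ArrayBuffer). A regression that returns a bogus buffer instead of crashing would still pass. Consider logging the observed failure mode as a PASS line, and note that the title's "may only fail flakily" means a real regression can slip through a single run.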


Added: trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html (0 => 275508)

--- trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html	(rev 0)
+++ trunk/LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html	2021-04-06 13:18:10 UTC (rev 275508)
@@ -0,0 +1,28 @@
+
+
+
+
+
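The point of the 275508 change above, that an allocation whose size comes from a deserialized message can fail and must fail the deserialization rather than be assumed to succeed, as an added example in C. This is not WebCore's code: the wire format, the tryCreate/readArrayBuffer names, the status enum and the sample messages are all constructed for the example.

```c
// Added example, not WebCore code: a deserializer for a constructed wire
// format whose element is a length-prefixed byte array. It shows the shape
// of the fix: the length comes from untrusted input, so the allocation it
// drives may fail, and that failure must fail the deserialization rather
// than be assumed away. All names (tryCreate, readArrayBuffer, the status
// enum) are this example's own.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t byteLength;
    uint8_t *data;
} ArrayBuffer;

// Allocator hook so the out-of-memory path can be exercised deterministically.
typedef void *(*AllocFn)(size_t);
static void *defaultAlloc(size_t n) { return malloc(n); }
static void *failingAlloc(size_t n) { (void)n; return NULL; }

// Fallible constructor: NULL on allocation failure instead of a crash.
static ArrayBuffer *tryCreate(size_t byteLength, AllocFn alloc)
{
    ArrayBuffer *buffer = alloc(sizeof *buffer);
    if (!buffer)
        return NULL;
    buffer->byteLength = byteLength;
    buffer->data = alloc(byteLength ? byteLength : 1); // malloc(0) may legitimately return NULL
    if (!buffer->data) {
        free(buffer);
        return NULL;
    }
    return buffer;
}

static void destroyArrayBuffer(ArrayBuffer *buffer)
{
    if (buffer) {
        free(buffer->data);
        free(buffer);
    }
}

typedef enum { DeserializeOK = 0, DeserializeTruncated, DeserializeOutOfMemory } DeserializeStatus;

// Wire format (constructed): u32 little-endian byteLength, then byteLength bytes.
static DeserializeStatus readArrayBuffer(const uint8_t *input, size_t inputLength,
                                         size_t *pos, AllocFn alloc, ArrayBuffer **out)
{
    *out = NULL;
    if (*pos > inputLength || inputLength - *pos < 4)
        return DeserializeTruncated;
    uint32_t byteLength = (uint32_t)input[*pos] | ((uint32_t)input[*pos + 1] << 8)
        | ((uint32_t)input[*pos + 2] << 16) | ((uint32_t)input[*pos + 3] << 24);
    *pos += 4;
    // Check the claimed length against the bytes actually present before
    // allocating, so a hostile length never costs memory.
    if (byteLength > inputLength - *pos)
        return DeserializeTruncated;
    ArrayBuffer *buffer = tryCreate(byteLength, alloc);
    if (!buffer)
        return DeserializeOutOfMemory; // the fix: report failure, do not assume success
    memcpy(buffer->data, input + *pos, byteLength);
    *pos += byteLength;
    *out = buffer;
    return DeserializeOK;
}

// Constructed sample messages.
static const uint8_t kValidMessage[] = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
static const uint8_t kHostileLength[] = { 0xFF, 0xFF, 0xFF, 0x7F, 'a' }; // claims ~2 GiB, carries 1 byte

// Decoded byteLength of the valid message, or -1 on failure.
static long demoValid(void)
{
    size_t pos = 0;
    ArrayBuffer *buffer = NULL;
    if (readArrayBuffer(kValidMessage, sizeof kValidMessage, &pos, defaultAlloc, &buffer) != DeserializeOK)
        return -1;
    long length = (long)buffer->byteLength;
    destroyArrayBuffer(buffer);
    return length;
}

static DeserializeStatus demoHostileLength(void)
{
    size_t pos = 0;
    ArrayBuffer *buffer = NULL;
    return readArrayBuffer(kHostileLength, sizeof kHostileLength, &pos, defaultAlloc, &buffer);
}

static DeserializeStatus demoOutOfMemory(void)
{
    size_t pos = 0;
    ArrayBuffer *buffer = NULL;
    return readArrayBuffer(kValidMessage, sizeof kValidMessage, &pos, failingAlloc, &buffer);
}

int main(void)
{
    printf("valid: byteLength=%ld\n", demoValid());
    printf("hostile length: status=%d\n", (int)demoHostileLength());
    printf("allocation failure: status=%d\n", (int)demoOutOfMemory());
    return 0;
}
```

The two failure paths are deliberately distinct: a length larger than the remaining input is rejected before any allocation, and an allocation that genuinely fails is reported as its own status so the caller can abandon the whole message. The injected allocator is what lets the out-of-memory branch be tested on every run instead of only when the fuzzer happens to exhaust memory, which is the situation the log message describes.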