[webkit-changes] [295748] trunk
Title: [295748] trunk Revision 295748 Author sbar...@apple.com Date 2022-06-22 14:01:40 -0700 (Wed, 22 Jun 2022) Log Message Don't install webpushd on catalyst https://bugs.webkit.org/show_bug.cgi?id=241860 Reviewed by Alexey Proskuryakov. * Source/_javascript_Core/Configurations/SDKVariant.xcconfig: * Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig: * Source/ThirdParty/gtest/xcode/Config/SDKVariant.xcconfig: * Source/ThirdParty/libwebrtc/Configurations/SDKVariant.xcconfig: * Source/WTF/Configurations/SDKVariant.xcconfig: * Source/WebCore/Configurations/SDKVariant.xcconfig: * Source/WebCore/PAL/Configurations/SDKVariant.xcconfig: * Source/WebGPU/Configurations/SDKVariant.xcconfig: * Source/WebInspectorUI/Configurations/SDKVariant.xcconfig: * Source/WebKit/Configurations/BaseTarget.xcconfig: * Source/WebKit/Configurations/SDKVariant.xcconfig: * Source/WebKitLegacy/mac/Configurations/SDKVariant.xcconfig: * Source/bmalloc/Configurations/SDKVariant.xcconfig: Canonical link: https://commits.webkit.org/251753@main Modified Paths trunk/PerformanceTests/MediaTime/Configurations/SDKVariant.xcconfig trunk/Source/_javascript_Core/Configurations/SDKVariant.xcconfig trunk/Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig trunk/Source/ThirdParty/gtest/xcode/Config/SDKVariant.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/SDKVariant.xcconfig trunk/Source/WTF/Configurations/SDKVariant.xcconfig trunk/Source/WebCore/Configurations/SDKVariant.xcconfig trunk/Source/WebCore/PAL/Configurations/SDKVariant.xcconfig trunk/Source/WebGPU/Configurations/SDKVariant.xcconfig trunk/Source/WebInspectorUI/Configurations/SDKVariant.xcconfig trunk/Source/WebKit/Configurations/BaseTarget.xcconfig trunk/Source/WebKit/Configurations/SDKVariant.xcconfig trunk/Source/WebKitLegacy/mac/Configurations/SDKVariant.xcconfig trunk/Source/bmalloc/Configurations/SDKVariant.xcconfig trunk/Tools/ContentExtensionTester/Configurations/SDKVariant.xcconfig 
trunk/Tools/DumpRenderTree/mac/Configurations/SDKVariant.xcconfig trunk/Tools/ImageDiff/cg/Configurations/SDKVariant.xcconfig trunk/Tools/MiniBrowser/Configurations/SDKVariant.xcconfig trunk/Tools/MobileMiniBrowser/Configurations/SDKVariant.xcconfig trunk/Tools/TestWebKitAPI/Configurations/SDKVariant.xcconfig trunk/Tools/WebEditingTester/Configurations/SDKVariant.xcconfig trunk/Tools/WebKitTestRunner/Configurations/SDKVariant.xcconfig trunk/Tools/lldb/lldbWebKitTester/Configurations/SDKVariant.xcconfig trunk/Tools/sanitizer/sanitizer.xcconfig Diff Modified: trunk/PerformanceTests/MediaTime/Configurations/SDKVariant.xcconfig (295747 => 295748) --- trunk/PerformanceTests/MediaTime/Configurations/SDKVariant.xcconfig 2022-06-22 20:11:59 UTC (rev 295747) +++ trunk/PerformanceTests/MediaTime/Configurations/SDKVariant.xcconfig 2022-06-22 21:01:40 UTC (rev 295748) @@ -26,6 +26,16 @@ WK_NOT_NO = YES; WK_NOT_YES = NO; +WK_OR__ = NO +WK_OR_NO_NO = NO +WK_OR__NO = NO +WK_OR_NO_ = NO +WK_OR_YES_ = YES +WK_OR__YES = YES +WK_OR_YES_NO = YES +WK_OR_NO_YES = YES +WK_OR_YES_YES = YES + WK_DEFAULT_PLATFORM_NAME = $(WK_DEFAULT_PLATFORM_NAME_$(WK_EMPTY_$(FALLBACK_PLATFORM_NAME))); WK_DEFAULT_PLATFORM_NAME_YES = $(PLATFORM_NAME); WK_DEFAULT_PLATFORM_NAME_ = $(FALLBACK_PLATFORM_NAME); Modified: trunk/Source/_javascript_Core/Configurations/SDKVariant.xcconfig (295747 => 295748) --- trunk/Source/_javascript_Core/Configurations/SDKVariant.xcconfig 2022-06-22 20:11:59 UTC (rev 295747) +++ trunk/Source/_javascript_Core/Configurations/SDKVariant.xcconfig 2022-06-22 21:01:40 UTC (rev 295748) 
@@ -26,6 +26,16 @@ WK_NOT_NO = YES; WK_NOT_YES = NO; +WK_OR__ = NO +WK_OR_NO_NO = NO +WK_OR__NO = NO +WK_OR_NO_ = NO +WK_OR_YES_ = YES +WK_OR__YES = YES +WK_OR_YES_NO = YES +WK_OR_NO_YES = YES +WK_OR_YES_YES = YES + WK_DEFAULT_PLATFORM_NAME = $(WK_DEFAULT_PLATFORM_NAME_$(WK_EMPTY_$(FALLBACK_PLATFORM_NAME))); WK_DEFAULT_PLATFORM_NAME_YES = $(PLATFORM_NAME); WK_DEFAULT_PLATFORM_NAME_ = $(FALLBACK_PLATFORM_NAME); Modified: trunk/Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig (295747 => 295748) --- trunk/Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig 2022-06-22 20:11:59 UTC (rev 295747) +++ trunk/Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig 2022-06-22 21:01:40 UTC (rev 295748) @@ -26,6 +26,16 @@ WK_NOT_NO = YES; WK_NOT_YES = NO; +WK_OR__ = NO +WK_OR_NO_NO = NO +WK_OR__NO = NO +WK_OR_NO_ = NO +WK_OR_YES_ = YES +WK_OR__YES = YES +WK_OR_YES_NO = YES +WK_OR_NO_YES = YES +WK_OR_YES_YES = YES + WK_DEFAULT_PLATFORM_NAME = $(WK_DEFAULT_PLATFORM_NAME_$(WK_EMPTY_$(FALLBACK_PLATFORM_NAME))); WK_DEFAULT_PLATFORM_NAME_YES = $(PLATFORM_NAME); WK_DEFAULT_PLATFORM_NAME_ = $(FALLBACK_PLATFORM_NAME); Modified: trunk/Source/ThirdParty/gtest/xcode/Config/SDKVariant.xcconfig (295747 => 295748) --- trunk/Source/ThirdParty/gtest/xcode/Config/SDKVariant.xcconfig 2022-06-22 20:11:59 UTC (rev 295747) +++
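Review bot: the nine WK_OR_* lines added to each SDKVariant.xcconfig omit the trailing semicolon that the neighbouring settings use (`WK_NOT_NO = YES;` and `WK_NOT_YES = NO;` versus `+WK_OR_YES_YES = YES`); xcconfig accepts both forms, but one file should not mix them. The same nine-line block is pasted verbatim into every SDKVariant.xcconfig under Modified Paths, including the PerformanceTests/ and Tools/ files that the log message's file list does not mention, so the log should list them too and a single shared include would keep the copies from drifting. The table itself is complete: it covers all nine combinations of empty, NO and YES for the two operands and yields YES whenever either operand is YES. None of the visible hunks reference webpushd; the Source/WebKit/Configurations/BaseTarget.xcconfig change that presumably consumes WK_OR_ to gate it is past the end of this excerpt, so the gating itself cannot be reviewed here.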
[webkit-changes] [295606] trunk/Source/JavaScriptCore/b3/air/ AirAllocateRegistersAndStackAndGenerateCode.cpp
Title: [295606] trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp Revision 295606 Author sbar...@apple.com Date 2022-06-16 12:51:36 -0700 (Thu, 16 Jun 2022) Log Message Change how we rewind instructions in Air's O0 register allocator https://bugs.webkit.org/show_bug.cgi?id=241687 Reviewed by Mark Lam. * Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: (JSC::B3::Air::GenerateAndAllocateRegisters::generate): Canonical link: https://commits.webkit.org/251611@main Modified Paths trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp Diff Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp (295605 => 295606) --- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp 2022-06-16 19:44:58 UTC (rev 295605) +++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp 2022-06-16 19:51:36 UTC (rev 295606) @@ -590,6 +590,7 @@ context.indexInBlock = instIndex; Inst& inst = block->at(instIndex); +Inst instCopy = inst; m_namedUsedRegs = RegisterSet(); m_namedDefdRegs = RegisterSet(); 
@@ -753,26 +754,7 @@ if (!success) { RELEASE_ASSERT(!isReplayingSameInst); // We should only need to do the below at most once per inst. -// We need to capture the register state before we start spilling things -// since we may have multiple arguments that are the same register. -IndexMap allocationSnapshot = currentAllocation; - -// We rewind this Inst to be in its previous state, however, if any arg admits stack, -// we move to providing that arg in stack form. This will allow us to fully allocate -// this inst when we rewind. -inst.forEachTmpFast([&] (Tmp& tmp) { -if (!tmp.isReg()) -return; -if (isDisallowedRegister(tmp.reg())) -return; -Tmp originalTmp = allocationSnapshot[tmp.reg()]; -if (originalTmp.isReg()) { -ASSERT(tmp.reg() == originalTmp.reg()); -// This means this Inst referred to this reg directly. We leave these as is. -return; -} -tmp = originalTmp; -}); +inst = instCopy; inst.forEachArg([&] (Arg& arg, Arg::Role, Bank, Width) { if (arg.isTmp() && !arg.tmp().isReg() && inst.admitsStack(arg)) { Tmp tmp = arg.tmp(); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
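Review bot: `+Inst instCopy = inst;` at @@ -590 copies every instruction on every iteration, although the copy is consumed only on the `!success` path at @@ -753; the hunk does not say why an unconditional copy is preferable to the allocation snapshot it replaces, so a one-line comment at the copy (for example that the copy is cheap at O0 and avoids rebuilding the inst from `currentAllocation`) would save the next reader the question. The removed block also carried the explanation of what the rewind is for; `+inst = instCopy;` should keep a short comment that instCopy is the inst in its pre-allocation form, and that restoring the whole inst now subsumes the old special case of leaving Tmps that named a register directly untouched.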
[webkit-changes] [295585] trunk/Source/JavaScriptCore
Title: [295585] trunk/Source/_javascript_Core Revision 295585 Author sbar...@apple.com Date 2022-06-15 22:31:25 -0700 (Wed, 15 Jun 2022) Log Message Don't clear both prototype ICs for LLInt iterator_next https://bugs.webkit.org/show_bug.cgi?id=241663 Reviewed by Yusuke Suzuki. If we use BytecodeIndex instead of a bytecode offset, we don't need to clear both ICs. We can just clear the one that the watchpoint fired for. * Source/_javascript_Core/bytecode/CodeBlock.cpp: (JSC::CodeBlock::finalizeLLIntInlineCaches): * Source/_javascript_Core/bytecode/CodeBlock.h: * Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint): (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::initialize): (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal): * Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: * Source/_javascript_Core/llint/LLIntSlowPaths.cpp: (JSC::LLInt::setupGetByIdPrototypeCache): (JSC::LLInt::performLLIntGetByID): (JSC::LLInt::LLINT_SLOW_PATH_DECL): Canonical link: https://commits.webkit.org/251590@main Modified Paths trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp Diff Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (295584 => 295585) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2022-06-16 04:57:11 UTC (rev 295584) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2022-06-16 05:31:25 UTC (rev 295585) 
@@ -1547,7 +1547,8 @@ // then cleared the cache without GCing in between. m_llintGetByIdWatchpointMap.removeIf([&] (const StructureWatchpointMap::KeyValuePairType& pair) -> bool { auto clear = [&] () { -auto& instruction = instructions().at(std::get<1>(pair.key)); +BytecodeIndex bytecodeIndex = std::get<1>(pair.key); +auto& instruction = instructions().at(bytecodeIndex.offset()); OpcodeID opcode = instruction->opcodeID(); switch (opcode) { case op_get_by_id: { Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (295584 => 295585) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2022-06-16 04:57:11 UTC (rev 295584) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2022-06-16 05:31:25 UTC (rev 295585) @@ -591,7 +591,7 @@ return m_unlinkedCode->llintExecuteCounter(); } -typedef HashMap, FixedVector> StructureWatchpointMap; +typedef HashMap, FixedVector> StructureWatchpointMap; StructureWatchpointMap& llintGetByIdWatchpointMap() { return m_llintGetByIdWatchpointMap; } // Functions for controlling when tiered compilation kicks in. This Modified: trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp (295584 => 295585) --- trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp 2022-06-16 04:57:11 UTC (rev 295584) +++ trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp 2022-06-16 05:31:25 UTC (rev 295585) 
@@ -32,10 +32,10 @@ namespace JSC { -LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint(CodeBlock* owner, const ObjectPropertyCondition& key, unsigned bytecodeOffset) +LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint(CodeBlock* owner, const ObjectPropertyCondition& key, BytecodeIndex bytecodeIndex) : Watchpoint(Watchpoint::Type::LLIntPrototypeLoadAdaptiveStructure) , m_owner(owner) -, m_bytecodeOffset(bytecodeOffset) +, m_bytecodeIndex(bytecodeIndex) , m_key(key) { RELEASE_ASSERT(key.watchingRequiresStructureTransitionWatchpoint()); @@ -45,14 +45,13 @@ LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint() : Watchpoint(Watchpoint::Type::LLIntPrototypeLoadAdaptiveStructure) , m_owner(nullptr) -, m_bytecodeOffset(0) { } -void LLIntPrototypeLoadAdaptiveStructureWatchpoint::initialize(CodeBlock* codeBlock, const ObjectPropertyCondition& key, unsigned bytecodeOffset) +void LLIntPrototypeLoadAdaptiveStructureWatchpoint::initialize(CodeBlock* codeBlock, const ObjectPropertyCondition& key, BytecodeIndex bytecodeOffset) { m_owner = codeBlock; -m_bytecodeOffset = bytecodeOffset; +m_bytecodeIndex = bytecodeOffset; m_key = key; } @@ -73,7 +72,7 @@ return; } -auto& instruction = m_owner->instructions().at(m_bytecodeOffset.get()); +auto& instruction = m_owner->instructions().at(m_bytecodeIndex.get().offset()); switch (instruction->opcodeID())
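Review bot: in the LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp hunk at @@ -45, `initialize` now takes a `BytecodeIndex` but the parameter is still named `bytecodeOffset` and is assigned to `m_bytecodeIndex`; rename it to `bytecodeIndex` to match the constructor at @@ -32. In the same hunk the default constructor drops `m_bytecodeOffset(0)` without adding an initializer for `m_bytecodeIndex`, so the field's initial state now depends on the wrapper type (the `.get().offset()` call at @@ -73 shows it is wrapped) default-constructing to something sane; an explicit initializer would make that visible. Separately, the CodeBlock.h hunk at @@ -591 reads identically before and after because the archive stripped the HashMap template arguments as HTML tags, so the key-type change from offset to BytecodeIndex cannot be reviewed from this page.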
[webkit-changes] [294917] trunk/Source/JavaScriptCore
Title: [294917] trunk/Source/_javascript_Core Revision 294917 Author sbar...@apple.com Date 2022-05-26 17:56:40 -0700 (Thu, 26 May 2022) Log Message Rename putDirect to putDirectOffset https://bugs.webkit.org/show_bug.cgi?id=240992 Reviewed by Mark Lam. * Source/_javascript_Core/dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * Source/_javascript_Core/ftl/FTLOperations.cpp: (JSC::FTL::JSC_DEFINE_JIT_OPERATION): * Source/_javascript_Core/runtime/ClonedArguments.cpp: (JSC::ClonedArguments::createEmpty): * Source/_javascript_Core/runtime/CommonSlowPaths.cpp: (JSC::JSC_DEFINE_COMMON_SLOW_PATH): * Source/_javascript_Core/runtime/IteratorOperations.cpp: (JSC::createIteratorResultObject): * Source/_javascript_Core/runtime/JSONObject.cpp: (JSC::Walker::walk): * Source/_javascript_Core/runtime/JSObject.cpp: (JSC::JSObject::setPrototypeDirect): (JSC::JSObject::putDirectCustomGetterSetterWithoutTransition): (JSC::JSObject::putDirectNonIndexAccessorWithoutTransition): * Source/_javascript_Core/runtime/JSObject.h: (JSC::JSObject::putDirectOffset): (JSC::JSObject::putDirectWithoutBarrier): (JSC::JSObject::putDirectUndefined): Deleted. 
* Source/_javascript_Core/runtime/JSObjectInlines.h: (JSC::JSObject::putDirectWithoutTransition): (JSC::JSObject::putDirectInternal): * Source/_javascript_Core/runtime/ObjectConstructor.h: (JSC::constructObjectFromPropertyDescriptor): * Source/_javascript_Core/runtime/RegExpMatchesArray.h: (JSC::createRegExpMatchesArray): * Source/_javascript_Core/runtime/Structure.cpp: (JSC::Structure::flattenDictionaryStructure): Canonical link: https://commits.webkit.org/251035@main Modified Paths trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/ftl/FTLOperations.cpp trunk/Source/_javascript_Core/runtime/ClonedArguments.cpp trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp trunk/Source/_javascript_Core/runtime/IteratorOperations.cpp trunk/Source/_javascript_Core/runtime/JSONObject.cpp trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/_javascript_Core/runtime/JSObject.h trunk/Source/_javascript_Core/runtime/JSObjectInlines.h trunk/Source/_javascript_Core/runtime/ObjectConstructor.h trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.h trunk/Source/_javascript_Core/runtime/Structure.cpp Diff Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (294916 => 294917) --- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2022-05-27 00:50:02 UTC (rev 294916) +++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2022-05-27 00:56:40 UTC (rev 294917) 
@@ -417,7 +417,7 @@ if (structure->hasPolyProto()) { JSObject* prototype = allocationProfile->prototype(); ASSERT(prototype == jsCast(constructor)->prototypeForConstruction(vm, globalObject)); -result->putDirect(vm, knownPolyProtoOffset, prototype); +result->putDirectOffset(vm, knownPolyProtoOffset, prototype); prototype->didBecomePrototype(); ASSERT_WITH_MESSAGE(!hasIndexedProperties(result->indexingType()), "We rely on JSFinalObject not starting out with an indexing type otherwise we would potentially need to convert to slow put storage"); } Modified: trunk/Source/_javascript_Core/ftl/FTLOperations.cpp (294916 => 294917) --- trunk/Source/_javascript_Core/ftl/FTLOperations.cpp 2022-05-27 00:50:02 UTC (rev 294916) +++ trunk/Source/_javascript_Core/ftl/FTLOperations.cpp 2022-05-27 00:56:40 UTC (rev 294917) @@ -88,7 +88,7 @@ if (codeBlock->identifier(property.location().info()).impl() != entry.key()) continue; -object->putDirect(vm, entry.offset(), JSValue::decode(values[i])); +object->putDirectOffset(vm, entry.offset(), JSValue::decode(values[i])); } } break; @@ -225,7 +225,7 @@ // We use a random-ish number instead of a sensible value like // undefined to make possible bugs easier to track. for (const PropertyTableEntry& entry : structure->getPropertiesConcurrently()) -result->putDirect(vm, entry.offset(), jsNumber(19723)); +result->putDirectOffset(vm, entry.offset(), jsNumber(19723)); return result; } Modified: trunk/Source/_javascript_Core/runtime/ClonedArguments.cpp (294916 => 294917) --- trunk/Source/_javascript_Core/runtime/ClonedArguments.cpp 2022-05-27 00:50:02 UTC (rev 294916) +++ trunk/Source/_javascript_Core/runtime/ClonedArguments.cpp 2022-05-27 00:56:40 UTC (rev 294917) 
@@ -69,7 +69,7 @@ result->finishCreation(vm); result->m_callee.set(vm, result, callee); -result->putDirect(vm, clonedArgumentsLengthPropertyOffset, jsNumber(length)); +result->putDirectOffset(vm, clonedArgumentsLengthPropertyOffset, jsNumber(length)); return result; } Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (294916 => 294917) ---
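Review bot: the rename is applied consistently in the visible hunks (DFGOperations.cpp, FTLOperations.cpp, ClonedArguments.cpp), and every converted caller passes a property offset (`knownPolyProtoOffset`, `entry.offset()`, `clonedArgumentsLengthPropertyOffset`), so the new name states which overload is meant; the log message should give that rationale in one line rather than only listing files. The log also marks `JSC::JSObject::putDirectUndefined` as Deleted, but the hunk removing it and any caller updates are not in this excerpt.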
[webkit-changes] [294284] trunk/Source/JavaScriptCore
Title: [294284] trunk/Source/_javascript_Core Revision 294284 Author sbar...@apple.com Date 2022-05-16 18:34:39 -0700 (Mon, 16 May 2022) Log Message Move around some NaN handling code https://bugs.webkit.org/show_bug.cgi?id=240493 Reviewed by Yusuke Suzuki. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileValueRep): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::purifyNaN): (JSC::FTL::DFG::LowerDFGToB3::compileValueRep): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): Canonical link: https://commits.webkit.org/250628@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (294283 => 294284) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-17 01:32:50 UTC (rev 294283) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-17 01:34:39 UTC (rev 294284) @@ -1,3 +1,18 @@ +2022-05-16 Saam Barati + +Move around some NaN handling code +https://bugs.webkit.org/show_bug.cgi?id=240493 + + +Reviewed by Yusuke Suzuki. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileValueRep): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::purifyNaN): +(JSC::FTL::DFG::LowerDFGToB3::compileValueRep): +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + 2022-05-16 Patrick Angle Web Inspector: Regression(r266885) Crash sometimes when rehydrating imported audit results Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (294283 => 294284) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2022-05-17 01:32:50 UTC (rev 294283) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2022-05-17 01:34:39 UTC (rev 294284) 
@@ -3484,7 +3484,7 @@ // anymore. Unfortunately, this would be unsound. If it's a GetLocal or if the value was // subject to a prior SetLocal, filtering the value would imply that the corresponding // local was purified. -if (needsTypeCheck(node->child1(), ~SpecDoubleImpureNaN)) +if (m_state.forNode(node->child1()).couldBeType(SpecDoubleImpureNaN)) m_jit.purifyNaN(valueFPR); boxDouble(valueFPR, resultRegs); @@ -4007,6 +4007,7 @@ } if (format == DataFormatJS) { +m_jit.purifyNaN(resultReg); m_jit.boxDouble(resultReg, resultRegs); jsValueResult(resultRegs, node); } else { Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (294283 => 294284) --- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-05-17 01:32:50 UTC (rev 294283) +++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-05-17 01:34:39 UTC (rev 294284) @@ -1964,6 +1964,11 @@ setInt32(integerValue); } +LValue purifyNaN(LValue value) +{ +return m_out.select(m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN)); +} + void compileValueRep() { switch (m_node->child1().useKind()) { @@ -1970,10 +1975,8 @@ case DoubleRepUse: { LValue value = lowDouble(m_node->child1()); -if (m_interpreter.needsTypeCheck(m_node->child1(), ~SpecDoubleImpureNaN)) { -value = m_out.select( -m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN)); -} +if (abstractValue(m_node->child1()).couldBeType(SpecDoubleImpureNaN)) +value = purifyNaN(value); setJSValue(boxDouble(value)); return; @@ -13780,7 +13783,7 @@ else genericResult = strictInt52ToJSValue(m_out.zeroExt(genericResult, Int64)); } else if (genericResult->type() == Double) -genericResult = boxDouble(genericResult); +genericResult = boxDouble(purifyNaN(genericResult)); results.append(m_out.anchor(genericResult)); m_out.jump(continuation);
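Review bot: the purification sites are not symmetric: compileValueRep at @@ -3484 purifies only when `m_state.forNode(node->child1()).couldBeType(SpecDoubleImpureNaN)`, while the DataFormatJS path at @@ -4007 calls `m_jit.purifyNaN(resultReg)` unconditionally, and the FTL compileCompareStrictEq hunk at @@ -13780 likewise purifies unconditionally; either add a comment at those two sites saying why the abstract-interpreter check is not applicable there, or apply the same `couldBeType` guard. The unconditional form is the safe default: a double holding a non-canonical NaN must never reach boxDouble, because under JSC's NaN-boxing the bits of such a value can collide with the encodings used for non-double JSValues, so purification before boxing is a type-confusion guard rather than a mere canonicalisation, and the new `purifyNaN` helper (a select on `doubleEqual(value, value)`, which is false only for NaN) is the right primitive for it. Minor: the ChangeLog entry at @@ -1,3 has an extra blank `+` line between the bug URL and the Reviewed-by line.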
[webkit-changes] [294087] trunk/Source/JavaScriptCore
Title: [294087] trunk/Source/_javascript_Core Revision 294087 Author sbar...@apple.com Date 2022-05-11 19:06:37 -0700 (Wed, 11 May 2022) Log Message Better handle clobbered registers in O0 register allocation https://bugs.webkit.org/show_bug.cgi?id=240205 Reviewed by Yusuke Suzuki. This patch makes Air's O0 register allocator better handle clobbered registers. We now model both early and late clobber directly, and use this to perform a basic interference analysis when allocating a register to a Tmp. An early clobber interferes with any Use in an instruction, and any early Defs. A late clobber interferes with any Defs in an instruction, and any late Uses. What this enables is an early Use can be allocated to a register that is only late clobbered. And a result can be allocated to a register that is only early clobbered. Prior to this, the algorithm had a bug where a Use may be allocated to a register that is early clobbered. * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges): (JSC::B3::Air::GenerateAndAllocateRegisters::alloc): (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded): (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp): (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration): (JSC::B3::Air::GenerateAndAllocateRegisters::generate): * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: * b3/air/testair.cpp: * jit/RegisterSet.h: Canonical link: https://commits.webkit.org/250477@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.h trunk/Source/_javascript_Core/b3/air/testair.cpp trunk/Source/_javascript_Core/jit/RegisterSet.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (294086 => 294087) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-12 01:44:45 UTC (rev 294086) +++ 
trunk/Source/_javascript_Core/ChangeLog 2022-05-12 02:06:37 UTC (rev 294087) @@ -1,3 +1,34 @@ +2022-05-08 Saam Barati + +Better handle clobbered registers in O0 register allocation +https://bugs.webkit.org/show_bug.cgi?id=240205 + + +Reviewed by Yusuke Suzuki. + +This patch makes Air's O0 register allocator better handle clobbered +registers. We now model both early and late clobber directly, and use +this to perform a basic interference analysis when allocating a register +to a Tmp. An early clobber interferes with any Use in an instruction, and +any early Defs. A late clobber interferes with any Defs in an instruction, +and any late Uses. What this enables is an early Use can be allocated +to a register that is only late clobbered. And a result can be allocated +to a register that is only early clobbered. + +Prior to this, the algorithm had a bug where a Use may be allocated to +a register that is early clobbered. + +* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: +(JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges): +(JSC::B3::Air::GenerateAndAllocateRegisters::alloc): +(JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded): +(JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp): +(JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration): +(JSC::B3::Air::GenerateAndAllocateRegisters::generate): +* b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: +* b3/air/testair.cpp: +* jit/RegisterSet.h: + 2022-05-11 Patrick Angle Web Inspector: Parse InjectedScriptSource as a built-in to get guaranteed non-user-overriden JSC built-ins Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp (294086 => 294087) --- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp 2022-05-12 01:44:45 UTC (rev 294086) +++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp 2022-05-12 02:06:37 UTC (rev 294087) 
@@ -78,7 +78,7 @@ { m_liveRangeEnd = TmpMap(m_code, 0); -m_globalInstIndex = 0; +m_globalInstIndex = 1; for (BasicBlock* block : m_code) { for (Tmp tmp : liveness.liveAtHead(block)) { if (!tmp.isReg()) @@ -180,11 +180,12 @@ { ASSERT(reg); ASSERT(m_map[tmp].reg == reg); +ASSERT(tmp.isReg() || m_liveRangeEnd[tmp] >= m_globalInstIndex); flush(tmp, reg); release(tmp, reg); } -ALWAYS_INLINE void GenerateAndAllocateRegisters::alloc(Tmp tmp, Reg reg, bool isDef) +ALWAYS_INLINE void GenerateAndAllocateRegisters::alloc(Tmp tmp, Reg reg, Arg::Role role) { if (Tmp occupyingTmp = m_currentAllocation->at(reg)) spill(occupyingTmp, reg); @@ -197,7 +198,7 @@ m_availableRegs[tmp.bank()].clear(reg);
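Review bot: `m_globalInstIndex = 1;` at @@ -78 replaces 0 with no comment and no mention in the log message; since `m_liveRangeEnd` is initialised with `TmpMap(m_code, 0)` two lines above, starting the index at 1 appears to reserve 0 as a "never live" value, and the new `ASSERT(tmp.isReg() || m_liveRangeEnd[tmp] >= m_globalInstIndex)` at @@ -180 only holds under that convention; state it in a comment at the assignment. The signature change of `alloc` from `bool isDef` to `Arg::Role role` at @@ -180 is what lets the interference check distinguish early and late clobbers as the log describes, but the callers and the role-based check itself are past the end of this excerpt, so only the declaration change can be reviewed here.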
[webkit-changes] [292926] trunk
Title: [292926] trunk Revision 292926 Author sbar...@apple.com Date 2022-04-15 15:56:46 -0700 (Fri, 15 Apr 2022) Log Message Unreviewed. Add my github into to contributors.json. * metadata/contributors.json: Modified Paths trunk/ChangeLog trunk/metadata/contributors.json Diff Modified: trunk/ChangeLog (292925 => 292926) --- trunk/ChangeLog 2022-04-15 22:37:06 UTC (rev 292925) +++ trunk/ChangeLog 2022-04-15 22:56:46 UTC (rev 292926) @@ -1,3 +1,9 @@ +2022-04-15 Saam Barati + +Unreviewed. Add my github into to contributors.json. + +* metadata/contributors.json: + 2022-04-14 Jonathan Bedard Add .github/pull_request_template.md Modified: trunk/metadata/contributors.json (292925 => 292926) --- trunk/metadata/contributors.json 2022-04-15 22:37:06 UTC (rev 292925) +++ trunk/metadata/contributors.json 2022-04-15 22:56:46 UTC (rev 292926) @@ -5858,6 +5858,7 @@ "nicks" : [ "saamyjoon" ], + "github" : "saambarati", "status" : "reviewer" }, { @@ -7169,4 +7170,4 @@ ], "status" : "reviewer" } -] \ No newline at end of file +]
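Review bot: the contributors.json hunk at @@ -7169 also adds the missing trailing newline at end of file, which is unrelated to adding the github field; the log message should mention it so the whitespace change does not look accidental. The new `"github" : "saambarati",` entry at @@ -5858 follows the file's existing spacing style.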
[webkit-changes] [292493] trunk/Source/JavaScriptCore
Title: [292493] trunk/Source/_javascript_Core Revision 292493 Author sbar...@apple.com Date 2022-04-06 12:35:37 -0700 (Wed, 06 Apr 2022) Log Message Call Structure::get instead of Structure::getConcurrently on the mutator thread https://bugs.webkit.org/show_bug.cgi?id=238823 Reviewed by Yusuke Suzuki. We try to call Structure::get instead of Structure::getConcurrently when we know for sure we're on the main thread. This is because getConcurrently is slower than get. * bytecode/AccessCase.cpp: (JSC::AccessCase::couldStillSucceed const): (JSC::AccessCase::generateImpl): * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp: (JSC::AdaptiveInferredPropertyValueWatchpointBase::install): * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install): * bytecode/ObjectPropertyCondition.cpp: (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const): (JSC::ObjectPropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): (JSC::ObjectPropertyCondition::isStillValid const): (JSC::ObjectPropertyCondition::structureEnsuresValidity const): * bytecode/ObjectPropertyCondition.h: * bytecode/ObjectPropertyConditionSet.cpp: (JSC::ObjectPropertyConditionSet::structuresEnsureValidity const): (JSC::generateConditionsForPropertyMiss): (JSC::generateConditionsForPropertySetterMiss): (JSC::generateConditionsForPrototypePropertyHit): (JSC::generateConditionsForPrototypePropertyHitCustom): (JSC::generateConditionsForPrototypeEquivalenceConcurrently): (JSC::generateConditionsForPropertyMissConcurrently): (JSC::generateConditionsForPropertySetterMissConcurrently): (JSC::generateConditionForSelfEquivalence): (JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint const): Deleted. (JSC::ObjectPropertyConditionSet::isValidAndWatchable const): Deleted. 
* bytecode/ObjectPropertyConditionSet.h: * bytecode/PropertyCondition.cpp: (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): (JSC::watchabilityToConcurrency): (JSC::PropertyCondition::isStillValid const): (JSC::PropertyCondition::isWatchableWhenValid const): (JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint const): (JSC::PropertyCondition::isWatchable const): * bytecode/PropertyCondition.h: * dfg/DFGAdaptiveStructureWatchpoint.cpp: (JSC::DFG::AdaptiveStructureWatchpoint::install): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::check): (JSC::DFG::ByteCodeParser::planLoad): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset): * dfg/DFGDesiredWatchpoints.h: (JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::watchCondition): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::setupGetByIdPrototypeCache): * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::tryInstallSpeciesWatchpoint): * runtime/JSObject.h: (JSC::JSObject::getDirect const): * runtime/Structure.h: (JSC::Structure::get): * runtime/StructureRareData.cpp: (JSC::StructureRareData::cacheSpecialPropertySlow): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/AccessCase.cpp trunk/Source/_javascript_Core/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.cpp trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.h trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.h trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 
trunk/Source/_javascript_Core/bytecode/PropertyCondition.h trunk/Source/_javascript_Core/dfg/DFGAdaptiveStructureWatchpoint.cpp trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/dfg/DFGDesiredWatchpoints.h trunk/Source/_javascript_Core/dfg/DFGGraph.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSObject.h trunk/Source/_javascript_Core/runtime/Structure.h trunk/Source/_javascript_Core/runtime/StructureRareData.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292492 => 292493) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-06 19:33:49 UTC (rev 292492) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-06 19:35:37 UTC (rev 292493) @@ -1,3 +1,72 @@ +2022-04-06 Saam Barati + +Call Structure::get instead of Structure::getConcurrently on the mutator thread +
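Review bot: the diff in this excerpt ends in the ChangeLog header, so none of the call-site changes listed in the log can be reviewed here. Given the stated rationale (`Structure::get` is cheaper than `Structure::getConcurrently` and is only correct on the mutator thread), each converted call site should carry an assertion that it is running on the mutator, since a future caller reached from a compiler thread would otherwise silently get the non-concurrent lookup; the log message should also say whether the `JSC::Structure::get` listed under runtime/Structure.h enforces that itself.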
[webkit-changes] [292369] trunk
Title: [292369] trunk Revision 292369 Author sbar...@apple.com Date 2022-04-04 20:32:00 -0700 (Mon, 04 Apr 2022) Log Message Turn off LLInt ICs in captive portal mode https://bugs.webkit.org/show_bug.cgi?id=238778 Reviewed by Yusuke Suzuki. Source/_javascript_Core: * bytecode/CallLinkInfo.cpp: (JSC::BaselineCallLinkInfo::initialize): * bytecode/Repatch.cpp: (JSC::unlinkCall): * llint/LLIntCommon.h: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::performLLIntGetByID): * runtime/OptionsList.h: Source/WebKit: * Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.h: (WebKit::XPCServiceInitializer): Tools: * Scripts/run-jsc-stress-tests: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp trunk/Source/_javascript_Core/bytecode/Repatch.cpp trunk/Source/_javascript_Core/llint/LLIntCommon.h trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/runtime/OptionsList.h trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.h trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292368 => 292369) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-05 03:29:17 UTC (rev 292368) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-05 03:32:00 UTC (rev 292369) 
@@ -1,3 +1,21 @@ +2022-04-04 Saam Barati + +Turn off LLInt ICs in captive portal mode +https://bugs.webkit.org/show_bug.cgi?id=238778 + + +Reviewed by Yusuke Suzuki. + +* bytecode/CallLinkInfo.cpp: +(JSC::BaselineCallLinkInfo::initialize): +* bytecode/Repatch.cpp: +(JSC::unlinkCall): +* llint/LLIntCommon.h: +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::LLINT_SLOW_PATH_DECL): +(JSC::LLInt::performLLIntGetByID): +* runtime/OptionsList.h: + 2022-04-04 Geoffrey Garen Only check isPagedOut() under memory pressure Modified: trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp (292368 => 292369) --- trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp 2022-04-05 03:29:17 UTC (rev 292368) +++ trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp 2022-04-05 03:32:00 UTC (rev 292369) @@ -324,7 +324,10 @@ m_frameShuffleData = makeUnique(*frameShuffleData); } #endif -setSlowPathCallDestination(vm.getCTILinkCall().code()); +if (LIKELY(Options::useLLIntICs())) +setSlowPathCallDestination(vm.getCTILinkCall().code()); +else +setSlowPathCallDestination(vm.getCTIVirtualCall(callMode()).retagged().code()); // If JIT is disabled, we should not support dynamically generated call IC. if (!Options::useJIT()) disallowStubs(); Modified: trunk/Source/_javascript_Core/bytecode/Repatch.cpp (292368 => 292369) --- trunk/Source/_javascript_Core/bytecode/Repatch.cpp 2022-04-05 03:29:17 UTC (rev 292368) +++ trunk/Source/_javascript_Core/bytecode/Repatch.cpp 2022-04-05 03:32:00 UTC (rev 292369) 
@@ -163,7 +163,10 @@ { dataLogLnIf(Options::dumpDisassembly(), "Unlinking CallLinkInfo: ", RawPointer()); -revertCall(vm, callLinkInfo, vm.getCTILinkCall().retagged()); +if (UNLIKELY(!Options::useLLIntICs() && callLinkInfo.type() == CallLinkInfo::Type::Baseline)) +revertCall(vm, callLinkInfo, vm.getCTIVirtualCall(callLinkInfo.callMode())); +else +revertCall(vm, callLinkInfo, vm.getCTILinkCall().retagged()); } MacroAssemblerCodePtr jsToWasmICCodePtr(VM& vm, CodeSpecializationKind kind, JSObject* callee) Modified: trunk/Source/_javascript_Core/llint/LLIntCommon.h (292368 => 292369) --- trunk/Source/_javascript_Core/llint/LLIntCommon.h 2022-04-05 03:29:17 UTC (rev 292368) +++ trunk/Source/_javascript_Core/llint/LLIntCommon.h 2022-04-05 03:32:00 UTC (rev 292369) @@ -38,6 +38,3 @@ #else #define LLINT_ALWAYS_ALLOCATE_SLOW 0 #endif - -// Disable inline caching of get_by_id and put_by_id. -#define LLINT_ALWAYS_ACCESS_SLOW 0 Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (292368 => 292369) --- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2022-04-05 03:29:17 UTC (rev 292368) +++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2022-04-05 03:32:00 UTC (rev 292369) @@ -647,7 +647,7 @@ baseValue.getPropertySlot(globalObject, ident, slot); JSValue result = slot.getPureResult(); -if (!LLINT_ALWAYS_ACCESS_SLOW && slot.isCacheable() && !slot.isUnset()) { +if (Options::useLLIntICs() && slot.isCacheable() && !slot.isUnset()) { ASSERT(!slot.isTaintedByOpaqueObject()); ASSERT(baseValue.isCell()); @@ -699,7 +699,7 @@ JSValue result = found ? slot.getValue(globalObject, ident) : jsUndefined(); LLINT_CHECK_EXCEPTION(); -if (!LLINT_ALWAYS_ACCESS_SLOW && slot.isCacheable() && !slot.isUnset()) { +if (Options::useLLIntICs()
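Review bot: the two new non-IC call destinations are not symmetric in how they are tagged: `BaselineCallLinkInfo::initialize` installs `vm.getCTIVirtualCall(callMode()).retagged().code()`, while the new branch in `unlinkCall` passes `vm.getCTIVirtualCall(callLinkInfo.callMode())` to `revertCall` with no `.retagged()`, even though the existing link-call branch right below it does retag (`vm.getCTILinkCall().retagged()`). If `getCTIVirtualCall` already returns a ref in the tag `revertCall` expects and `getCTILinkCall` does not, a one-line comment saying so would stop the next reader from "fixing" it; otherwise the virtual-call branch needs the same `.retagged()`.

Review bot: the LLIntCommon.h hunk deletes the compile-time `LLINT_ALWAYS_ACCESS_SLOW` macro and the two `!LLINT_ALWAYS_ACCESS_SLOW` tests in LLIntSlowPaths.cpp become `Options::useLLIntICs()`, which is a runtime read on every get_by_id slow path. That is the intended switch for captive portal mode, so a short comment at the first use noting it is deliberately a per-process runtime option (not a build-time knob) would help; please also confirm that no other file (the LLInt asm sources in particular) still references the deleted macro, which this diff cannot show.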
[webkit-changes] [291602] trunk/Source/JavaScriptCore
Title: [291602] trunk/Source/_javascript_Core Revision 291602 Author sbar...@apple.com Date 2022-03-21 20:54:43 -0700 (Mon, 21 Mar 2022) Log Message Fix bug in Relationship::mergeImpl https://bugs.webkit.org/show_bug.cgi?id=238183 Reviewed by Yusuke Suzuki. * dfg/DFGIntegerRangeOptimizationPhase.cpp: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291601 => 291602) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-22 03:52:50 UTC (rev 291601) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-22 03:54:43 UTC (rev 291602) @@ -1,5 +1,15 @@ 2022-03-21 Saam Barati +Fix bug in Relationship::mergeImpl +https://bugs.webkit.org/show_bug.cgi?id=238183 + + +Reviewed by Yusuke Suzuki. + +* dfg/DFGIntegerRangeOptimizationPhase.cpp: + +2022-03-21 Saam Barati + AirFixObviousSpills needs to consider a PreIndex and PostIndex as clobbering the Reg used for indexing https://bugs.webkit.org/show_bug.cgi?id=238178 Modified: trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp (291601 => 291602) --- trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp 2022-03-22 03:52:50 UTC (rev 291601) +++ trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp 2022-03-22 03:54:43 UTC (rev 291602) @@ -749,6 +749,9 @@ // // @a < @b + max(C, D + 1) +if (sumOverflows(other.m_offset, 1)) +return Relationship(); + int bestOffset = std::max(m_offset, other.m_offset + 1); // We have something like @a < @b + 2. We can't do it. ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
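Review bot: the new `if (sumOverflows(other.m_offset, 1)) return Relationship();` guard sits directly above `std::max(m_offset, other.m_offset + 1)`, which is the right spot, but the hunk carries no comment on why an empty `Relationship()` is the safe result; a line saying that `other.m_offset + 1` would be signed overflow and that dropping the relationship is the conservative choice for this merge (it only loses a range fact, never invents one) would make the intent clear. It is also worth checking whether any other `+ 1` or `- 1` applied to an offset in `mergeImpl` needs the same `sumOverflows` treatment, since the surrounding comment (`@a < @b + max(C, D + 1)`) suggests this is one of several derived bounds.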
[webkit-changes] [291601] trunk/Source/JavaScriptCore
Title: [291601] trunk/Source/_javascript_Core Revision 291601 Author sbar...@apple.com Date 2022-03-21 20:52:50 -0700 (Mon, 21 Mar 2022) Log Message AirFixObviousSpills needs to consider a PreIndex and PostIndex as clobbering the Reg used for indexing https://bugs.webkit.org/show_bug.cgi?id=238178 Reviewed by Mark Lam. Inside AirFixObviousSpills, we run a basic alias analysis for StackSlots and registers. For example, when we overwrite a register, we clear anything it's aliased with. However, the way we were doing this was by looking at each Arg that was Defd. However, this iteration was missing that PostIndex/PreIndex mutate the register that feeds into the address Arg. This patch fixes the issue by walking the instruction in such a way that we visit all the Defs we care about, both Regs and StackSlots. * b3/air/AirFixObviousSpills.cpp: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/air/AirFixObviousSpills.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291600 => 291601) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-22 03:49:48 UTC (rev 291600) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-22 03:52:50 UTC (rev 291601) 
@@ -1,3 +1,21 @@ +2022-03-21 Saam Barati + +AirFixObviousSpills needs to consider a PreIndex and PostIndex as clobbering the Reg used for indexing +https://bugs.webkit.org/show_bug.cgi?id=238178 + + +Reviewed by Mark Lam. + +Inside AirFixObviousSpills, we run a basic alias analysis for StackSlots and +registers. For example, when we overwrite a register, we clear anything +it's aliased with. However, the way we were doing this was by looking at +each Arg that was Defd. However, this iteration was missing that +PostIndex/PreIndex mutate the register that feeds into the address Arg. +This patch fixes the issue by walking the instruction in such a way that +we visit all the Defs we care about, both Regs and StackSlots. + +* b3/air/AirFixObviousSpills.cpp: + 2022-03-21 Yusuke Suzuki [JSC] ReferenceError when using extra parens in class fields Modified: trunk/Source/_javascript_Core/b3/air/AirFixObviousSpills.cpp (291600 => 291601) --- trunk/Source/_javascript_Core/b3/air/AirFixObviousSpills.cpp 2022-03-22 03:49:48 UTC (rev 291600) +++ trunk/Source/_javascript_Core/b3/air/AirFixObviousSpills.cpp 2022-03-22 03:52:50 UTC (rev 291601) @@ -188,14 +188,20 @@ if (AirFixObviousSpillsInternal::verbose) dataLog("Executing ", inst, ": ", m_state, "\n"); -Inst::forEachDefWithExtraClobberedRegs( -, , -[&] (const Arg& arg, Arg::Role, Bank, Width) { +Inst::forEachDefWithExtraClobberedRegs(, , +[&] (const Reg& reg, Arg::Role, Bank, Width) { if (AirFixObviousSpillsInternal::verbose) -dataLog("Clobbering ", arg, "\n"); -m_state.clobber(arg); +dataLog("Clobbering ", reg, "\n"); +m_state.clobber(reg); }); - + +Inst::forEachDef(, , +[&] (StackSlot* slot, Arg::Role, Bank, Width) { +if (AirFixObviousSpillsInternal::verbose) +dataLog("Clobbering ", *slot, "\n"); +m_state.clobber(slot); +}); + forAllAliases( [&] (const auto& alias) { m_state.addAlias(alias); 
@@ -558,31 +564,30 @@ return std::nullopt; } -void clobber(const Arg& arg) +void clobber(const Reg& reg) { -if (arg.isReg()) { -regConst.removeAllMatching( -[&] (const RegConst& alias) -> bool { -return alias.reg == arg.reg(); -}); -regSlot.removeAllMatching( -[&] (const RegSlot& alias) -> bool { -return alias.reg == arg.reg(); -}); -return; -} -if (arg.isStack()) { -slotConst.removeAllMatching( -[&] (const SlotConst& alias) -> bool { -return alias.slot == arg.stackSlot(); -}); -regSlot.removeAllMatching( -[&] (const RegSlot& alias) -> bool { -return alias.slot == arg.stackSlot(); -}); -} +regConst.removeAllMatching( +[&] (const RegConst& alias) -> bool { +return alias.reg == reg; +}); +regSlot.removeAllMatching( +[&] (const RegSlot& alias) -> bool { +return alias.reg == reg; +}); } +void clobber(StackSlot* slot) +{ +slotConst.removeAllMatching(
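Review bot: in the hunk at `@@ -188,14 +188,20 @@`, the single `forEachDefWithExtraClobberedRegs` walk over `Arg`s becomes one walk over `Reg`s (which is what finally picks up the PreIndex/PostIndex base register) plus a separate `forEachDef` over `StackSlot*`; since `forAllAliases` runs after both, the ordering is right, but a comment stating why the register walk must include extra clobbered registers while the slot walk must not would help the next person who touches this. Please also confirm the `StackSlot` walk does not itself need to see extra clobbers.

Review bot: the removed `clobber(const Arg&)` cleared both `slotConst` and `regSlot` entries for a stack slot, but the new `clobber(StackSlot* slot)` overload is cut off in this hunk right after `slotConst.removeAllMatching(`; please make sure it also removes `regSlot` aliases whose `slot` matches, otherwise a register would keep an alias to a slot that has just been overwritten, which is exactly the stale-alias class of bug this patch is fixing for registers.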
[webkit-changes] [291436] trunk/Tools
Title: [291436] trunk/Tools Revision 291436 Author sbar...@apple.com Date 2022-03-17 13:22:19 -0700 (Thu, 17 Mar 2022) Log Message compare-results should break down sync vs async time in Speedometer2 https://bugs.webkit.org/show_bug.cgi?id=237993 Reviewed by Alexey Shvayka. * Scripts/compare-results: (speedometer2Breakdown): (speedometer2BreakdownSyncAsync): (dumpBreakdowns): (getOptions): (main): Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/compare-results Diff Modified: trunk/Tools/ChangeLog (291435 => 291436) --- trunk/Tools/ChangeLog 2022-03-17 20:19:28 UTC (rev 291435) +++ trunk/Tools/ChangeLog 2022-03-17 20:22:19 UTC (rev 291436) @@ -1,3 +1,17 @@ +2022-03-17 Saam Barati + +compare-results should break down sync vs async time in Speedometer2 +https://bugs.webkit.org/show_bug.cgi?id=237993 + +Reviewed by Alexey Shvayka. + +* Scripts/compare-results: +(speedometer2Breakdown): +(speedometer2BreakdownSyncAsync): +(dumpBreakdowns): +(getOptions): +(main): + 2022-03-17 Myles C. Maxfield Delete Tools/jsc-cli in favor of the jsc target in _javascript_Core itself Modified: trunk/Tools/Scripts/compare-results (291435 => 291436) --- trunk/Tools/Scripts/compare-results 2022-03-17 20:19:28 UTC (rev 291435) +++ trunk/Tools/Scripts/compare-results 2022-03-17 20:22:19 UTC (rev 291436) 
@@ -72,6 +72,26 @@ result[test] = breakdown._results["Speedometer-2"]["tests"][test]["metrics"]["Time"]["Total"]["current"] return result +def speedometer2BreakdownSyncAsync(jsonObject): +breakdown = BenchmarkResults(jsonObject) +result = {} +result[unitMarker] = "ms" +for test in breakdown._results["Speedometer-2"]["tests"].keys(): +syncTime = None +asyncTime = None +for value in breakdown._results["Speedometer-2"]["tests"][test]["tests"].values(): +syncArray = value["tests"]["Sync"]["metrics"]["Time"][None]["current"] +asyncArray = value["tests"]["Async"]["metrics"]["Time"][None]["current"] +if not syncTime: +syncTime = syncArray +asyncTime = asyncArray +else: +syncTime = [x + y for x, y in zip(syncTime, syncArray)] +asyncTime = [x + y for x, y in zip(asyncTime, asyncArray)] +result[test + "-sync"] = syncTime +result[test + "-async"] = asyncTime +return result + def jetStream2Breakdown(jsonObject): breakdown = BenchmarkResults(jsonObject) result = {} @@ -239,7 +259,7 @@ strings = [] strings.append("|{key:^{nameLength}}|{aScore:^{aLength}} |{bScore:^{bLength}} |{compare:^{ratioLength}}|{pMarker:^{pLength}}|".format(key="subtest", aScore=a[unitMarker], bScore=b[unitMarker], nameLength=nameLength, aLength=aLength, bLength=bLength , compare="b / a", ratioLength=ratioLength, pMarker=pValueHeader, pLength=pLength)) -for key in a.keys(): +for key in sorted(a.keys()): if key == unitMarker: continue @@ -495,6 +515,9 @@ parser.add_argument("--breakdown", action="" default=False, help="Print a per subtest breakdown.") +parser.add_argument("--sync-vs-async", action="" +default=False, help="Print a per subtest breakdown in Speedometer2 by sync and async time.") + return parser.parse_known_args()[0] 
@@ -529,7 +552,10 @@ writeCSV(jetStream2Breakdown(a), jetStream2Breakdown(b), args.csv) elif typeA == Speedometer2: if args.breakdown: -dumpBreakdowns(speedometer2Breakdown(a), speedometer2Breakdown(b)) +if args.sync_vs_async: +dumpBreakdowns(speedometer2BreakdownSyncAsync(a), speedometer2BreakdownSyncAsync(b)) +else: +dumpBreakdowns(speedometer2Breakdown(a), speedometer2Breakdown(b)) ttest(typeA, Speedometer2Results(a), Speedometer2Results(b))
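Review bot: in `speedometer2BreakdownSyncAsync`, `if not syncTime:` is meant to test the `None` sentinel but also fires on an empty list, which would re-seed the accumulators mid-loop; `if syncTime is None:` states the intent exactly. The function also assumes every sub-test has both `Sync` and `Async` entries under `metrics["Time"][None]["current"]`, so a single missing key raises `KeyError` and aborts the whole comparison; a guard that skips (or reports) a sub-test lacking one of them would be friendlier on partial result files. Separately, the `sorted(a.keys())` change in the breakdown printer reorders output for every benchmark type, not only Speedometer2, and deserves a line in the ChangeLog.

Review bot: `--sync-vs-async` only takes effect inside `if args.breakdown:` in the Speedometer2 branch, so passing it without `--breakdown` silently prints nothing extra; either say in its help text that it implies `--breakdown`, or set `args.breakdown = True` when it is given so the flag does what its name suggests.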
[webkit-changes] [291325] trunk/Tools
Title: [291325] trunk/Tools Revision 291325 Author sbar...@apple.com Date 2022-03-15 19:35:33 -0700 (Tue, 15 Mar 2022) Log Message Add support for chrome-beta and chrome-dev to run-benchmark https://bugs.webkit.org/show_bug.cgi?id=237937 Reviewed by Stephanie Lewis. * Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py: (set_binary_location_impl): (OSXChromeDriver._set_chrome_binary_location): (OSXChromeCanaryDriver): (OSXChromeCanaryDriver._set_chrome_binary_location): (OSXChromeBetaDriver): (OSXChromeBetaDriver._set_chrome_binary_location): (OSXChromeDevDriver): (OSXChromeDevDriver._set_chrome_binary_location): Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py Diff Modified: trunk/Tools/ChangeLog (291324 => 291325) --- trunk/Tools/ChangeLog 2022-03-16 00:51:40 UTC (rev 291324) +++ trunk/Tools/ChangeLog 2022-03-16 02:35:33 UTC (rev 291325) @@ -1,3 +1,20 @@ +2022-03-15 Saam Barati + +Add support for chrome-beta and chrome-dev to run-benchmark +https://bugs.webkit.org/show_bug.cgi?id=237937 + +Reviewed by Stephanie Lewis. + +* Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py: +(set_binary_location_impl): +(OSXChromeDriver._set_chrome_binary_location): +(OSXChromeCanaryDriver): +(OSXChromeCanaryDriver._set_chrome_binary_location): +(OSXChromeBetaDriver): +(OSXChromeBetaDriver._set_chrome_binary_location): +(OSXChromeDevDriver): +(OSXChromeDevDriver._set_chrome_binary_location): + 2022-03-15 Jonathan Bedard [Merge-Queue] Rename bugzilla_comment_text Modified: trunk/Tools/Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py (291324 => 291325) --- trunk/Tools/Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py 2022-03-16 00:51:40 UTC (rev 291324) +++ trunk/Tools/Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py 2022-03-16 02:35:33 UTC (rev 291325) 
@@ -41,7 +41,14 @@ def _set_chrome_binary_location(self, options, browser_build_path): pass +def set_binary_location_impl(options, browser_build_path, app_name, process_name): +if not browser_build_path: +return +app_path = os.path.join(browser_build_path, app_name) +binary_path = os.path.join(app_path, "Contents/MacOS", process_name) +options.binary_location = binary_path + class OSXChromeDriver(OSXChromeDriverBase): process_name = 'Google Chrome' browser_name = 'chrome' @@ -49,14 +56,10 @@ bundle_id = 'com.google.Chrome' def _set_chrome_binary_location(self, options, browser_build_path): -if not browser_build_path: -return -app_path = os.path.join(browser_build_path, self.app_name) -binary_path = os.path.join(app_path, "Contents/MacOS", self.process_name) -options.binary_location = binary_path +set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name) -class OSXChromeCanaryDriver(OSXBrowserDriver): +class OSXChromeCanaryDriver(OSXChromeDriverBase): process_name = 'Google Chrome Canary' browser_name = 'chrome-canary' app_name = 'Google Chrome Canary.app' 
@@ -63,8 +66,23 @@ bundle_id = 'com.google.Chrome.canary' def _set_chrome_binary_location(self, options, browser_build_path): -if not browser_build_path: -browser_build_path = '/Applications/' -app_path = os.path.join(browser_build_path, self.app_name) -binary_path = os.path.join(app_path, "Contents/MacOS", self.process_name) -options.binary_location = binary_path +set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name) + + +class OSXChromeBetaDriver(OSXChromeDriverBase): +process_name = 'Google Chrome Beta' +browser_name = 'chrome-beta' +app_name = 'Google Chrome Beta.app' +bundle_id = 'com.google.Chrome.beta' + +def _set_chrome_binary_location(self, options, browser_build_path): +set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name) + +class OSXChromeDevDriver(OSXChromeDriverBase): +process_name = 'Google Chrome Dev' +browser_name = 'chrome-dev' +app_name = 'Google Chrome Dev.app' +bundle_id = 'com.google.Chrome.dev' + +def _set_chrome_binary_location(self, options, browser_build_path): +set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name)
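Review bot: this refactor changes behaviour for `OSXChromeCanaryDriver`, not only its layout: the removed lines defaulted `browser_build_path` to `/Applications/` when none was given, whereas `set_binary_location_impl` now returns early and leaves `options.binary_location` unset, so Canary will be located however `OSXChromeDriverBase` resolves an app by `bundle_id` rather than from `/Applications/`. That is consistent with the other three drivers and is probably what you want, but the ChangeLog should say so, and likewise mention that Canary's base class moves from `OSXBrowserDriver` to `OSXChromeDriverBase`. Minor: `set_binary_location_impl` is a module-level helper that reads like public API; a leading underscore or a one-line docstring would signal that it is internal to this driver module.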
[webkit-changes] [291087] trunk/Source/JavaScriptCore
Title: [291087] trunk/Source/_javascript_Core Revision 291087 Author sbar...@apple.com Date 2022-03-09 19:31:10 -0800 (Wed, 09 Mar 2022) Log Message Limit WK_XCODE_SUPPORTS_LTO in _javascript_Core based on target OS https://bugs.webkit.org/show_bug.cgi?id=237682 Reviewed by Alexey Proskuryakov. * Configurations/Base.xcconfig: * Configurations/WebKitTargetConditionals.xcconfig: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/Configurations/Base.xcconfig trunk/Source/_javascript_Core/Configurations/WebKitTargetConditionals.xcconfig Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291086 => 291087) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-10 03:18:08 UTC (rev 291086) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-10 03:31:10 UTC (rev 291087) @@ -1,3 +1,13 @@ +2022-03-09 Saam Barati + +Limit WK_XCODE_SUPPORTS_LTO in _javascript_Core based on target OS +https://bugs.webkit.org/show_bug.cgi?id=237682 + +Reviewed by Alexey Proskuryakov. + +* Configurations/Base.xcconfig: +* Configurations/WebKitTargetConditionals.xcconfig: + 2022-03-09 Carlos Garcia Campos [GTK][WPE] Stop using the env var WEBKIT_INSPECTOR_SERVER to connect to the inspector Modified: trunk/Source/_javascript_Core/Configurations/Base.xcconfig (291086 => 291087) --- trunk/Source/_javascript_Core/Configurations/Base.xcconfig 2022-03-10 03:18:08 UTC (rev 291086) +++ trunk/Source/_javascript_Core/Configurations/Base.xcconfig 2022-03-10 03:31:10 UTC (rev 291087) 
@@ -194,8 +194,11 @@ WK_LLVM_LTO_NO = NO; WK_LLVM_LTO_YES = $(WK_USER_LTO_MODE); -WK_XCODE_SUPPORTS_LTO = $(WK_NOT_$(WK_XCODE_VERSION_BEFORE_10_2_$(XCODE_VERSION_MAJOR))); -WK_XCODE_SUPPORTS_LTO[arch=arm*] = $(WK_NOT_$(WK_XCODE_VERSION_BEFORE_11_4_$(XCODE_VERSION_MAJOR))); +WK_XCODE_SUPPORTS_LTO[sdk=macos*] = $(WK_NOT_$(WK_MACOS_BEFORE_1300)); +WK_XCODE_SUPPORTS_LTO[sdk=iphone*] = $(WK_NOT_$(WK_IOS_BEFORE_16)); +WK_XCODE_SUPPORTS_LTO[sdk=appletv*] = $(WK_NOT_$(WK_TVOS_BEFORE_16)); +// FIXME: This can follow the above pattern once rdar://90049836 is resolved. +WK_XCODE_SUPPORTS_LTO[sdk=watch*] = NO; WK_XCODE_VERSION_BEFORE_10_2_0800 = YES; WK_XCODE_VERSION_BEFORE_10_2_0900 = YES; Modified: trunk/Source/_javascript_Core/Configurations/WebKitTargetConditionals.xcconfig (291086 => 291087) --- trunk/Source/_javascript_Core/Configurations/WebKitTargetConditionals.xcconfig 2022-03-10 03:18:08 UTC (rev 291086) +++ trunk/Source/_javascript_Core/Configurations/WebKitTargetConditionals.xcconfig 2022-03-10 03:31:10 UTC (rev 291087) @@ -217,3 +217,11 @@ WK_IOS_16 = $(WK_IOS_16_$(WK_IOS_BEFORE_16)); WK_IOS_16_ = _IOS_SINCE_16; WK_IOS_16_YES = _IOS_BEFORE_16; + + +// tvOS +WK_TVOS_BEFORE_16 = $(WK_TVOS_BEFORE_16_$(TVOS_DEPLOYMENT_TARGET:base)); +WK_TVOS_BEFORE_16_13 = YES; +WK_TVOS_BEFORE_16_14 = YES; +WK_TVOS_BEFORE_16_15 = YES; +
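Review bot: with `WK_XCODE_SUPPORTS_LTO` now keyed on `WK_MACOS_BEFORE_1300`, `WK_IOS_BEFORE_16` and `WK_TVOS_BEFORE_16`, the `WK_XCODE_VERSION_BEFORE_10_2_*` / `_11_4_*` tables that still follow in the context (`WK_XCODE_VERSION_BEFORE_10_2_0800 = YES;` ...) have lost their only readers in this file; if nothing else consumes them, delete them in the same change so Base.xcconfig does not carry a dead table. The old `[arch=arm*]` distinction also disappears, which is fine if every supported SDK/OS pair above implies a new enough toolchain, but that reasoning belongs in the ChangeLog. In WebKitTargetConditionals.xcconfig the new `WK_TVOS_BEFORE_16` block lists only the `_13`, `_14`, `_15` cases, matching the iOS pattern where the unlisted case expands to empty; a comment that "empty means not before 16" would save readers a trip to the iOS block. Finally, the `sdk=watch*` line hardcodes `NO` with a FIXME but no `WK_WATCHOS_BEFORE_*` helper is added, so the FIXME should name the helper that needs to exist before it can follow the pattern.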
[webkit-changes] [290993] trunk/Source/JavaScriptCore
Title: [290993] trunk/Source/_javascript_Core Revision 290993 Author sbar...@apple.com Date 2022-03-08 08:42:32 -0800 (Tue, 08 Mar 2022) Log Message [JSC] Enable ThinLTO https://bugs.webkit.org/show_bug.cgi?id=229019 Reviewed by Mark Lam. It's a 1% speedup on Speedometer2 across x86 and arm64, and 0.5-1% speedup on JetStream2 depending on the device. * Configurations/Base.xcconfig: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/Configurations/Base.xcconfig Diff Modified: trunk/Source/_javascript_Core/ChangeLog (290992 => 290993) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-08 16:24:11 UTC (rev 290992) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-08 16:42:32 UTC (rev 290993) @@ -1,3 +1,16 @@ +2022-03-08 Saam Barati + +[JSC] Enable ThinLTO +https://bugs.webkit.org/show_bug.cgi?id=229019 + + +Reviewed by Mark Lam. + +It's a 1% speedup on Speedometer2 across x86 and arm64, and 0.5-1% speedup on +JetStream2 depending on the device. + +* Configurations/Base.xcconfig: + 2022-03-08 Chris Dumez Unreviewed, reverting r290975. Modified: trunk/Source/_javascript_Core/Configurations/Base.xcconfig (290992 => 290993) --- trunk/Source/_javascript_Core/Configurations/Base.xcconfig 2022-03-08 16:24:11 UTC (rev 290992) +++ trunk/Source/_javascript_Core/Configurations/Base.xcconfig 2022-03-08 16:42:32 UTC (rev 290993) 
@@ -190,9 +190,7 @@ WK_WEBKITADDITIONS_INSTALL_PATH = /usr/local/include/WebKitAdditions WK_WEBKITADDITIONS_HEADERS_FOLDER_PATH = $(SDKROOT)/$(WK_WEBKITADDITIONS_INSTALL_PATH) -// Disable LTO for _javascript_Core, due to . Add back the following line and delete the one that says "LLVM_LTO = NO" when that issue is resolved. -// LLVM_LTO = $(WK_LLVM_LTO_$(WK_XCODE_SUPPORTS_LTO)); -LLVM_LTO = NO; +LLVM_LTO = $(WK_LLVM_LTO_$(WK_XCODE_SUPPORTS_LTO)); WK_LLVM_LTO_NO = NO; WK_LLVM_LTO_YES = $(WK_USER_LTO_MODE);
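Review bot: `LLVM_LTO` now resolves to `$(WK_USER_LTO_MODE)` whenever `WK_XCODE_SUPPORTS_LTO` is `YES`, but nothing in this hunk shows what `WK_USER_LTO_MODE` defaults to; if it is empty for a stock build, `LLVM_LTO` expands to empty rather than to a thin-LTO setting, which would not match the "Enable ThinLTO" title. Please point, in the ChangeLog or in a comment beside `LLVM_LTO`, to where the thin mode default is defined. The removed comment said LTO had been disabled "due to" an issue whose reference is missing here; a one-liner recording that the issue is resolved would close the loop for anyone who later sees LTO-related crashes and goes looking for why it was re-enabled.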
[webkit-changes] [290788] trunk/Source/JavaScriptCore
Title: [290788] trunk/Source/_javascript_Core Revision 290788 Author sbar...@apple.com Date 2022-03-03 11:51:30 -0800 (Thu, 03 Mar 2022) Log Message Add a DeferTraps scope https://bugs.webkit.org/show_bug.cgi?id=237306 Reviewed by Mark Lam. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::jettison): (JSC::CodeBlock::noticeIncomingCall): * bytecode/CodeBlock.h: * bytecode/RepatchInlines.h: (JSC::linkFor): (JSC::virtualForWithFunction): * dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * interpreter/Interpreter.cpp: (JSC::Interpreter::executeProgram): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::execute): (JSC::Interpreter::executeModuleProgram): * interpreter/InterpreterInlines.h: (JSC::Interpreter::execute): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::setUpCall): * runtime/ExceptionScope.h: * runtime/ScriptExecutable.cpp: (JSC::ScriptExecutable::installCode): * runtime/VMTraps.cpp: (JSC::VMTraps::handleTraps): (JSC::VMTraps::takeTopPriorityTrap): * runtime/VMTraps.h: (JSC::VMTraps::needHandling const): (JSC::VMTraps::maybeNeedHandling const): (JSC::VMTraps::hasTrapBit): (JSC::VMTraps::setTrapBit): * runtime/VMTrapsInlines.h: (JSC::DeferTraps::DeferTraps): (JSC::DeferTraps::~DeferTraps): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/bytecode/RepatchInlines.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/interpreter/InterpreterInlines.h trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/runtime/ExceptionScope.h trunk/Source/_javascript_Core/runtime/ScriptExecutable.cpp trunk/Source/_javascript_Core/runtime/VMTraps.cpp trunk/Source/_javascript_Core/runtime/VMTraps.h trunk/Source/_javascript_Core/runtime/VMTrapsInlines.h Diff 
Modified: trunk/Source/_javascript_Core/ChangeLog (290787 => 290788) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-03 19:04:10 UTC (rev 290787) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-03 19:51:30 UTC (rev 290788) @@ -1,3 +1,46 @@ +2022-03-03 Saam Barati + +Add a DeferTraps scope +https://bugs.webkit.org/show_bug.cgi?id=237306 + + +Reviewed by Mark Lam. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::CodeBlock): +(JSC::CodeBlock::jettison): +(JSC::CodeBlock::noticeIncomingCall): +* bytecode/CodeBlock.h: +* bytecode/RepatchInlines.h: +(JSC::linkFor): +(JSC::virtualForWithFunction): +* dfg/DFGOperations.cpp: +(JSC::DFG::JSC_DEFINE_JIT_OPERATION): +* interpreter/Interpreter.cpp: +(JSC::Interpreter::executeProgram): +(JSC::Interpreter::executeCall): +(JSC::Interpreter::executeConstruct): +(JSC::Interpreter::execute): +(JSC::Interpreter::executeModuleProgram): +* interpreter/InterpreterInlines.h: +(JSC::Interpreter::execute): +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::setUpCall): +* runtime/ExceptionScope.h: +* runtime/ScriptExecutable.cpp: +(JSC::ScriptExecutable::installCode): +* runtime/VMTraps.cpp: +(JSC::VMTraps::handleTraps): +(JSC::VMTraps::takeTopPriorityTrap): +* runtime/VMTraps.h: +(JSC::VMTraps::needHandling const): +(JSC::VMTraps::maybeNeedHandling const): +(JSC::VMTraps::hasTrapBit): +(JSC::VMTraps::setTrapBit): +* runtime/VMTrapsInlines.h: +(JSC::DeferTraps::DeferTraps): +(JSC::DeferTraps::~DeferTraps): + 2022-03-03 Adrian Perez de Castro Non-unified build fixes, early March 2022 edition Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (290787 => 290788) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2022-03-03 19:04:10 UTC (rev 290787) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2022-03-03 19:51:30 UTC (rev 290788) 
@@ -279,6 +279,7 @@ , m_didFailJITCompilation(false) , m_didFailFTLCompilation(false) , m_hasBeenCompiledWithFTL(false) +, m_isJettisoned(false) , m_numCalleeLocals(other.m_numCalleeLocals) , m_numVars(other.m_numVars) , m_numberOfArgumentsToSkip(other.m_numberOfArgumentsToSkip) @@ -330,6 +331,7 @@ , m_didFailJITCompilation(false) , m_didFailFTLCompilation(false) , m_hasBeenCompiledWithFTL(false) +, m_isJettisoned(false) , m_numCalleeLocals(unlinkedCodeBlock->numCalleeLocals()) , m_numVars(unlinkedCodeBlock->numVars()) , m_hasDebuggerStatement(false) @@ -2191,6 +2193,8 @@ VM& vm = *m_vm; +m_isJettisoned = true; + CodeBlock* codeBlock = this; // Placate GCC for use in CODEBLOCK_LOG_EVENT (does not like this). CODEBLOCK_LOG_EVENT(codeBlock,
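Review bot: `m_isJettisoned` is initialised to `false` in both `CodeBlock` constructors shown and set to `true` at the top of `jettison()`, but the hunk does not show where it is read; the ChangeLog lists `noticeIncomingCall`, `linkFor` and `virtualForWithFunction`, which are call-linking paths. Since `jettison()` runs on the mutator while linking can be reached from several entry points, please document at the declaration in CodeBlock.h whether the flag is mutator-only and whether any reader needs an atomic or memory-ordered load. Also, this ChangeLog entry differs from r290717's only by the added `runtime/ExceptionScope.h` and `VMTraps::maybeNeedHandling const` lines; if this is a re-land, a sentence on why and on what changed since the first landing would help anyone bisecting between the two revisions.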
[webkit-changes] [290717] trunk/Source/JavaScriptCore
Title: [290717] trunk/Source/_javascript_Core Revision 290717 Author sbar...@apple.com Date 2022-03-01 19:42:31 -0800 (Tue, 01 Mar 2022) Log Message Add a DeferTraps scope https://bugs.webkit.org/show_bug.cgi?id=237306 Reviewed by Mark Lam. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::jettison): (JSC::CodeBlock::noticeIncomingCall): * bytecode/CodeBlock.h: * bytecode/RepatchInlines.h: (JSC::linkFor): (JSC::virtualForWithFunction): * dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * interpreter/Interpreter.cpp: (JSC::Interpreter::executeProgram): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::execute): (JSC::Interpreter::executeModuleProgram): * interpreter/InterpreterInlines.h: (JSC::Interpreter::execute): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::setUpCall): * runtime/ScriptExecutable.cpp: (JSC::ScriptExecutable::installCode): * runtime/VMTraps.cpp: (JSC::VMTraps::handleTraps): (JSC::VMTraps::takeTopPriorityTrap): * runtime/VMTraps.h: (JSC::VMTraps::needHandling const): (JSC::VMTraps::hasTrapBit): (JSC::VMTraps::setTrapBit): * runtime/VMTrapsInlines.h: (JSC::DeferTraps::DeferTraps): (JSC::DeferTraps::~DeferTraps): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/bytecode/RepatchInlines.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/interpreter/InterpreterInlines.h trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/runtime/ScriptExecutable.cpp trunk/Source/_javascript_Core/runtime/VMTraps.cpp trunk/Source/_javascript_Core/runtime/VMTraps.h trunk/Source/_javascript_Core/runtime/VMTrapsInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (290716 => 290717) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-02 
02:11:05 UTC (rev 290716) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-02 03:42:31 UTC (rev 290717) @@ -1,3 +1,44 @@ +2022-03-01 Saam Barati + +Add a DeferTraps scope +https://bugs.webkit.org/show_bug.cgi?id=237306 + + +Reviewed by Mark Lam. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::CodeBlock): +(JSC::CodeBlock::jettison): +(JSC::CodeBlock::noticeIncomingCall): +* bytecode/CodeBlock.h: +* bytecode/RepatchInlines.h: +(JSC::linkFor): +(JSC::virtualForWithFunction): +* dfg/DFGOperations.cpp: +(JSC::DFG::JSC_DEFINE_JIT_OPERATION): +* interpreter/Interpreter.cpp: +(JSC::Interpreter::executeProgram): +(JSC::Interpreter::executeCall): +(JSC::Interpreter::executeConstruct): +(JSC::Interpreter::execute): +(JSC::Interpreter::executeModuleProgram): +* interpreter/InterpreterInlines.h: +(JSC::Interpreter::execute): +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::setUpCall): +* runtime/ScriptExecutable.cpp: +(JSC::ScriptExecutable::installCode): +* runtime/VMTraps.cpp: +(JSC::VMTraps::handleTraps): +(JSC::VMTraps::takeTopPriorityTrap): +* runtime/VMTraps.h: +(JSC::VMTraps::needHandling const): +(JSC::VMTraps::hasTrapBit): +(JSC::VMTraps::setTrapBit): +* runtime/VMTrapsInlines.h: +(JSC::DeferTraps::DeferTraps): +(JSC::DeferTraps::~DeferTraps): + 2022-03-01 Fujii Hironori WTF::SentinelLinkedList::iterator should have operator++ for range-for loop Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (290716 => 290717) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2022-03-02 02:11:05 UTC (rev 290716) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2022-03-02 03:42:31 UTC (rev 290717) @@ -279,6 +279,7 @@ , m_didFailJITCompilation(false) , m_didFailFTLCompilation(false) , m_hasBeenCompiledWithFTL(false) +, m_isJettisoned(false) , m_numCalleeLocals(other.m_numCalleeLocals) , m_numVars(other.m_numVars) , m_numberOfArgumentsToSkip(other.m_numberOfArgumentsToSkip) 
@@ -330,6 +331,7 @@ , m_didFailJITCompilation(false) , m_didFailFTLCompilation(false) , m_hasBeenCompiledWithFTL(false) +, m_isJettisoned(false) , m_numCalleeLocals(unlinkedCodeBlock->numCalleeLocals()) , m_numVars(unlinkedCodeBlock->numVars()) , m_hasDebuggerStatement(false) @@ -2190,6 +2192,8 @@ VM& vm = *m_vm; +m_isJettisoned = true; + CodeBlock* codeBlock = this; // Placate GCC for use in CODEBLOCK_LOG_EVENT (does not like this). CODEBLOCK_LOG_EVENT(codeBlock, "jettison", ("due to ", reason, ", counting = ", mode == CountReoptimization, ", detail = ", pointerDump(detail))); @@ -2356,6 +2360,8 @@ void CodeBlock::noticeIncomingCall(CallFrame*
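Review bot: the bit is initialised in the two constructors visible at `@@ -279` and `@@ -330`; if `CodeBlock` has any other constructor, or a `finishCreation`-style path that sets members after construction, it needs the same initialisation, and a default member initialiser (`bool m_isJettisoned { false };` at the declaration in CodeBlock.h) would remove that risk entirely and let the two `, m_isJettisoned(false)` lines go. The `m_isJettisoned = true;` in `jettison()` is placed before `CODEBLOCK_LOG_EVENT`, which is fine, but a comment that the flag only stops new calls from being linked to this block (a jettisoned block can still be on the stack) would make its contract explicit.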
[webkit-changes] [290145] trunk/Source/ThirdParty/ANGLE
Title: [290145] trunk/Source/ThirdParty/ANGLE Revision 290145 Author sbar...@apple.com Date 2022-02-18 10:59:32 -0800 (Fri, 18 Feb 2022) Log Message Remove ANGLE-static.xcconfig https://bugs.webkit.org/show_bug.cgi?id=236827 Reviewed by Dean Jackson. It was unused. * ANGLE.xcodeproj/project.pbxproj: * Configurations/ANGLE-static.xcconfig: Removed. * Configurations/Base.xcconfig: Modified Paths trunk/Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj trunk/Source/ThirdParty/ANGLE/ChangeLog trunk/Source/ThirdParty/ANGLE/Configurations/Base.xcconfig Removed Paths trunk/Source/ThirdParty/ANGLE/Configurations/ANGLE-static.xcconfig Diff Modified: trunk/Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj (290144 => 290145) --- trunk/Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj 2022-02-18 18:54:31 UTC (rev 290144) +++ trunk/Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj 2022-02-18 18:59:32 UTC (rev 290145) 
@@ -1003,7 +1003,6 @@ 31B1571F236B7FAE00CAA4FD /* SystemInfo_ios.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SystemInfo_ios.cpp; sourceTree = ""; }; 31B15721236B803300CAA4FD /* SystemInfo_internal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SystemInfo_internal.h; sourceTree = ""; }; 31CDFDEE24917F8900486F27 /* ANGLE-dynamic.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = "ANGLE-dynamic.xcconfig"; sourceTree = ""; }; - 31CDFDEF24917F8900486F27 /* ANGLE-static.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = "ANGLE-static.xcconfig"; sourceTree = ""; }; 31CDFDF42491819E00486F27 /* libANGLE-shared.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = "libANGLE-shared.dylib"; sourceTree = BUILT_PRODUCTS_DIR; }; 5C1BAA961DFB60FF002906BB /* gl3.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = gl3.h; path = include/GLES3/gl3.h; sourceTree = ""; }; 5C1BAA971DFB60FF002906BB /* gl3platform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = gl3platform.h; path = include/GLES3/gl3platform.h; sourceTree = ""; }; @@ -2693,7 +2692,6 @@ isa = PBXGroup; children = ( 31CDFDEE24917F8900486F27 /* ANGLE-dynamic.xcconfig */, -31CDFDEF24917F8900486F27 /* ANGLE-static.xcconfig */, FFE0D91526A0B4E80071ADAE /* AngleMetalLib.xcconfig */, 5D7C59C61208C68B001C873E /* Base.xcconfig */, 5D7C59C71208C68B001C873E /* DebugRelease.xcconfig */, Modified: trunk/Source/ThirdParty/ANGLE/ChangeLog (290144 => 290145) --- trunk/Source/ThirdParty/ANGLE/ChangeLog 2022-02-18 18:54:31 UTC (rev 290144) +++ trunk/Source/ThirdParty/ANGLE/ChangeLog 2022-02-18 18:59:32 UTC (rev 290145) 
@@ -1,3 +1,16 @@ +2022-02-18 Saam Barati + +Remove ANGLE-static.xcconfig +https://bugs.webkit.org/show_bug.cgi?id=236827 + +Reviewed by Dean Jackson. + +It was unused. + +* ANGLE.xcodeproj/project.pbxproj: +* Configurations/ANGLE-static.xcconfig: Removed. +* Configurations/Base.xcconfig: + 2022-02-18 Adrian Perez de Castro [CMake] Cannot find OpenGL when system provides opengl.pc instead of gl.pc Deleted: trunk/Source/ThirdParty/ANGLE/Configurations/ANGLE-static.xcconfig (290144 => 290145) --- trunk/Source/ThirdParty/ANGLE/Configurations/ANGLE-static.xcconfig 2022-02-18 18:54:31 UTC (rev 290144) +++ trunk/Source/ThirdParty/ANGLE/Configurations/ANGLE-static.xcconfig 2022-02-18 18:59:32 UTC (rev 290145) @@ -1,31 +0,0 @@ -#include "Version.xcconfig" -#include "WebKitTargetConditionals.xcconfig" - -PRODUCT_NAME = ANGLE; -EXECUTABLE_PREFIX = lib; - -ANGLE_OTHER_LDFLAGS = -allowable_client WebCore -allowable_client WebCoreTestSupport $(ANGLE_OTHER_LDFLAGS_$(WK_PLATFORM_NAME)); -ANGLE_OTHER_LDFLAGS_iphoneos = -framework IOSurface -lz; -ANGLE_OTHER_LDFLAGS_iphonesimulator = $(ANGLE_OTHER_LDFLAGS_iphoneos); -ANGLE_OTHER_LDFLAGS_watchos = $(ANGLE_OTHER_LDFLAGS_iphoneos); -ANGLE_OTHER_LDFLAGS_watchsimulator = $(ANGLE_OTHER_LDFLAGS_iphonesimulator); -ANGLE_OTHER_LDFLAGS_appletvos = $(ANGLE_OTHER_LDFLAGS_iphoneos); -ANGLE_OTHER_LDFLAGS_appletvsimulator = $(ANGLE_OTHER_LDFLAGS_iphonesimulator); -ANGLE_OTHER_LDFLAGS_maccatalyst = -framework IOKit -framework IOSurface -lz; -ANGLE_OTHER_LDFLAGS_macosx = -framework IOKit -framework IOSurface -lz; - -INSTALL_PATH = $(ANGLE_INSTALL_PATH_PREFIX)/usr/local/lib; - -HEADER_SEARCH_PATHS = include src src/common/third_party/numerics third_party/base src/common/third_party/base third_party/zlib/google; - -ANGLE_HEADERS_FOLDER_PATH = /usr/local/include/ANGLE; - -PUBLIC_HEADERS_FOLDER_PATH = $(ANGLE_INSTALL_PATH_PREFIX)/usr/local/include/ANGLE; - -GCC_PREPROCESSOR_DEFINITIONS = $(DEBUG_DEFINES) LIBGLESV2_IMPLEMENTATION
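Review bot: the deleted ANGLE-static.xcconfig is the only configuration visible in this diff that pins `-allowable_client WebCore -allowable_client WebCoreTestSupport` in `ANGLE_OTHER_LDFLAGS`; the project.pbxproj hunk leaves `ANGLE-dynamic.xcconfig` as the remaining configuration, so confirm it carries the same allowable-client restriction and the same `INSTALL_PATH` / `PUBLIC_HEADERS_FOLDER_PATH` layout, otherwise removing the static variant could loosen who may link libANGLE. The `Configurations/Base.xcconfig` change listed under Modified Paths has no hunk shown here.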
[webkit-changes] [290117] trunk/Source
Title: [290117] trunk/Source Revision 290117 Author sbar...@apple.com Date 2022-02-18 00:16:54 -0800 (Fri, 18 Feb 2022) Log Message Add LC_SOURCE_VERSION to compile targets https://bugs.webkit.org/show_bug.cgi?id=236720 Reviewed by Michael Saboff. Source/_javascript_Core: * Configurations/JSC.xcconfig: * Configurations/_javascript_Core.xcconfig: * Configurations/TestAPI.xcconfig: * Configurations/ToolExecutable.xcconfig: * Configurations/Version.xcconfig: Source/ThirdParty/ANGLE: * Configurations/Base.xcconfig: * Configurations/Version.xcconfig: Source/ThirdParty/libwebrtc: * Configurations/Version.xcconfig: * Configurations/boringssl.xcconfig: * Configurations/libsrtp.xcconfig: * Configurations/libvpx.xcconfig: * Configurations/libwebm.xcconfig: * Configurations/libwebrtc.xcconfig: * Configurations/libyuv.xcconfig: * Configurations/opus.xcconfig: * Configurations/usrsctp.xcconfig: * Configurations/yasm.xcconfig: Source/WebCore: * Configurations/Version.xcconfig: * Configurations/WebCore.xcconfig: * Configurations/WebCoreTestSupport.xcconfig: Source/WebCore/PAL: * Configurations/Version.xcconfig: Source/WebGPU: * Configurations/Version.xcconfig: * Configurations/WGSL.xcconfig: * Configurations/WGSLUnitTests.xcconfig: * Configurations/WebGPU.xcconfig: Source/WebInspectorUI: * Configurations/Version.xcconfig: * Configurations/WebInspectorUIFramework.xcconfig: Source/WebKit: * Configurations/GPUService.xcconfig: * Configurations/NetworkService.xcconfig: * Configurations/Version.xcconfig: * Configurations/WebAuthnService.xcconfig: * Configurations/WebContentService.xcconfig: * Configurations/WebKit.xcconfig: * Configurations/WebKitSwift.xcconfig: * Configurations/adattributiond.xcconfig: * Configurations/webpushd.xcconfig: * Configurations/webpushtool.xcconfig: Source/WebKitLegacy/mac: * Configurations/Version.xcconfig: * Configurations/WebKitLegacy.xcconfig: Modified Paths trunk/Source/_javascript_Core/ChangeLog 
trunk/Source/_javascript_Core/Configurations/JSC.xcconfig trunk/Source/_javascript_Core/Configurations/_javascript_Core.xcconfig trunk/Source/_javascript_Core/Configurations/TestAPI.xcconfig trunk/Source/_javascript_Core/Configurations/ToolExecutable.xcconfig trunk/Source/_javascript_Core/Configurations/Version.xcconfig trunk/Source/ThirdParty/ANGLE/ChangeLog trunk/Source/ThirdParty/ANGLE/Configurations/Base.xcconfig trunk/Source/ThirdParty/ANGLE/Configurations/Version.xcconfig trunk/Source/ThirdParty/libwebrtc/ChangeLog trunk/Source/ThirdParty/libwebrtc/Configurations/Version.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/boringssl.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/libsrtp.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/libvpx.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/libwebm.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/libwebrtc.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/libyuv.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/opus.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/usrsctp.xcconfig trunk/Source/ThirdParty/libwebrtc/Configurations/yasm.xcconfig trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Configurations/Version.xcconfig trunk/Source/WebCore/Configurations/WebCore.xcconfig trunk/Source/WebCore/Configurations/WebCoreTestSupport.xcconfig trunk/Source/WebCore/PAL/ChangeLog trunk/Source/WebCore/PAL/Configurations/Version.xcconfig trunk/Source/WebGPU/ChangeLog trunk/Source/WebGPU/Configurations/Version.xcconfig trunk/Source/WebGPU/Configurations/WGSL.xcconfig trunk/Source/WebGPU/Configurations/WGSLUnitTests.xcconfig trunk/Source/WebGPU/Configurations/WebGPU.xcconfig trunk/Source/WebInspectorUI/ChangeLog trunk/Source/WebInspectorUI/Configurations/Version.xcconfig trunk/Source/WebInspectorUI/Configurations/WebInspectorUIFramework.xcconfig trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/Configurations/GPUService.xcconfig 
trunk/Source/WebKit/Configurations/NetworkService.xcconfig trunk/Source/WebKit/Configurations/Version.xcconfig trunk/Source/WebKit/Configurations/WebAuthnService.xcconfig trunk/Source/WebKit/Configurations/WebContentService.xcconfig trunk/Source/WebKit/Configurations/WebKit.xcconfig trunk/Source/WebKit/Configurations/WebKitSwift.xcconfig trunk/Source/WebKit/Configurations/adattributiond.xcconfig trunk/Source/WebKit/Configurations/webpushd.xcconfig trunk/Source/WebKit/Configurations/webpushtool.xcconfig trunk/Source/WebKitLegacy/mac/ChangeLog trunk/Source/WebKitLegacy/mac/Configurations/Version.xcconfig trunk/Source/WebKitLegacy/mac/Configurations/WebKitLegacy.xcconfig Diff Modified: trunk/Source/_javascript_Core/ChangeLog (290116 => 290117) --- trunk/Source/_javascript_Core/ChangeLog 2022-02-18 07:55:32 UTC (rev 290116) +++ trunk/Source/_javascript_Core/ChangeLog 2022-02-18 08:16:54 UTC (rev 290117) @@ -1,3 +1,17 @@ +2022-02-18 Saam Barati + +Add LC_SOURCE_VERSION to compile targets +
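Review bot: the ChangeLog hunk stops at the title `Add LC_SOURCE_VERSION to compile targets` with no rationale, while the Modified Paths list touches every `Version.xcconfig` and the per-target xcconfigs for the WebKit services (`webpushd.xcconfig`, `adattributiond.xcconfig`, `WebAuthnService.xcconfig`, `GPUService.xcconfig`, `NetworkService.xcconfig`, `WebContentService.xcconfig`); a sentence on which linker flag is added and how the version value is derived from `Version.xcconfig` would help anyone later correlating a shipped binary's `LC_SOURCE_VERSION` load command with a build.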
[webkit-changes] [289462] trunk
Title: [289462] trunk Revision 289462 Author sbar...@apple.com Date 2022-02-09 01:15:58 -0800 (Wed, 09 Feb 2022) Log Message Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject https://bugs.webkit.org/show_bug.cgi?id=236318 Reviewed by Mark Lam. Source/WebCore: This patch makes it so we might not accidentally return the empty value to _javascript_ code from JSValueInWrappedObject. Previously, JSValueInWrappedObject had an "operator JSValue()" method. This patch removes that, adds a new conversion method for converting between JSValueInWrappedObject and JSValue, and makes JSValueInWrappedObject return undefined inside this method when it used to return the empty value. This fixes a crash where we'd return the empty value to JS JIT code, and crash dereferencing a nullptr. It's never valid for a JS function call (or getter, etc) to return the empty value. Test: fast/dom/AbortSignal-reason-crash-2.html * Modules/webaudio/AudioBuffer.cpp: (WebCore::AudioBuffer::getChannelData): * Modules/webaudio/AudioWorkletProcessor.cpp: (WebCore::toJSArray): (WebCore::toJSObject): (WebCore::AudioWorkletProcessor::buildJSArguments): * bindings/js/JSCustomEventCustom.cpp: (WebCore::JSCustomEvent::detail const): * bindings/js/JSDOMConvertAny.h: (WebCore::JSConverter::convert): * bindings/js/JSMessageEventCustom.cpp: (WebCore::JSMessageEvent::data const): * bindings/js/JSPaymentMethodChangeEventCustom.cpp: (WebCore::JSPaymentMethodChangeEvent::methodDetails const): * bindings/js/JSPopStateEventCustom.cpp: (WebCore::JSPopStateEvent::state const): * bindings/js/JSValueInWrappedObject.h: (WebCore::JSValueInWrappedObject::getValue const): (WebCore::JSValueInWrappedObject::operator bool const): (WebCore::cachedPropertyValue): (WebCore::JSValueInWrappedObject::operator JSC::JSValue const): Deleted. 
* dom/AbortSignal.cpp: (WebCore::AbortSignal::signalFollow): (WebCore::AbortSignal::throwIfAborted): * dom/ErrorEvent.cpp: (WebCore::ErrorEvent::error): (WebCore::ErrorEvent::trySerializeError): * dom/PopStateEvent.cpp: (WebCore::PopStateEvent::trySerializeState): * page/History.cpp: (WebCore::History::cachedState): LayoutTests: * fast/dom/AbortSignal-reason-crash-2-expected.txt: Added. * fast/dom/AbortSignal-reason-crash-2.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Modules/webaudio/AudioBuffer.cpp trunk/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp trunk/Source/WebCore/bindings/js/JSCustomEventCustom.cpp trunk/Source/WebCore/bindings/js/JSDOMConvertAny.h trunk/Source/WebCore/bindings/js/JSMessageEventCustom.cpp trunk/Source/WebCore/bindings/js/JSPaymentMethodChangeEventCustom.cpp trunk/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp trunk/Source/WebCore/bindings/js/JSValueInWrappedObject.h trunk/Source/WebCore/dom/AbortSignal.cpp trunk/Source/WebCore/dom/ErrorEvent.cpp trunk/Source/WebCore/dom/PopStateEvent.cpp trunk/Source/WebCore/page/History.cpp Added Paths trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html Diff Modified: trunk/LayoutTests/ChangeLog (289461 => 289462) --- trunk/LayoutTests/ChangeLog 2022-02-09 09:14:53 UTC (rev 289461) +++ trunk/LayoutTests/ChangeLog 2022-02-09 09:15:58 UTC (rev 289462) 
@@ -1,3 +1,14 @@ +2022-02-09 Saam Barati + +Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject +https://bugs.webkit.org/show_bug.cgi?id=236318 + + +Reviewed by Mark Lam. + +* fast/dom/AbortSignal-reason-crash-2-expected.txt: Added. +* fast/dom/AbortSignal-reason-crash-2.html: Added. + 2022-02-09 Diego Pino Garcia [GTK][WPE] Update baselines after r288944 Added: trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt (0 => 289462) --- trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt (rev 0) +++ trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt 2022-02-09 09:15:58 UTC (rev 289462) @@ -0,0 +1,12 @@ +Test should not crash + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS successfullyParsed is true + +TEST COMPLETE +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html (0 => 289462) --- trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html (rev 0) +++ trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html 2022-02-09 09:15:58 UTC (rev 289462) @@ -0,0 +1,26 @@ + + + + + +description("Test should not crash"); +window.jsTestIsAsync = true; +(async () => { +try { +let abortController = new AbortController(); +abortController.abort(); +GCController.collect(); +let x =
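Review bot: the new `AbortSignal-reason-crash-2-expected.txt` contains `PASS successfullyParsed is true` and `TEST COMPLETE` twice, which suggests `finishJSTest()` is reached twice (the test sets `window.jsTestIsAsync = true` and runs an async IIFE; the html hunk is truncated here at `let x =`, so the call sites are not visible); finishing the test once would keep the expectation about the crash check itself rather than baking in a harness quirk that a later js-test change could turn into a spurious diff.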
[webkit-changes] [289354] trunk/Source/JavaScriptCore
Title: [289354] trunk/Source/_javascript_Core Revision 289354 Author sbar...@apple.com Date 2022-02-07 19:00:28 -0800 (Mon, 07 Feb 2022) Log Message Wasm crash on https://copy.sh/v86/?profile="" https://bugs.webkit.org/show_bug.cgi?id=236037 rdar://88358719 Reviewed by Mark Lam. Lower stack args in Air had a bug where it was emitting a constant materialization at the wrong instruction offset for certain types of spill instructions. This happens when we have a stack slot that is 8 bytes wide, but we're emitting a zero def Move32. We need to zero the upper 4 bytes. However, there is also code inside lower stack args that uses the temp register when encountering offsets that are too large to encode in a single instruction. However, this offset materialization code for the second Move32 to zero the upper bytes was happening before the actual store. For example, we'd end up with: movz x16, #k movz x16, #k2 stur x1, [x16] stur zr, [x16] instead of movz x16, #k stur x1, [x16] movz x16, #k2 stur zr, [x16] * b3/air/AirLowerStackArgs.cpp: (JSC::B3::Air::lowerStackArgs): * b3/air/testair.cpp: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/air/AirLowerStackArgs.cpp trunk/Source/_javascript_Core/b3/air/testair.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (289353 => 289354) --- trunk/Source/_javascript_Core/ChangeLog 2022-02-08 02:58:30 UTC (rev 289353) +++ trunk/Source/_javascript_Core/ChangeLog 2022-02-08 03:00:28 UTC (rev 289354) 
@@ -1,3 +1,36 @@ +2022-02-07 Saam Barati + +Wasm crash on https://copy.sh/v86/?profile="" +https://bugs.webkit.org/show_bug.cgi?id=236037 +rdar://88358719 + +Reviewed by Mark Lam. + +Lower stack args in Air had a bug where it was emitting a constant +materialization at the wrong instruction offset for certain types +of spill instructions. This happens when we have a stack slot that +is 8 bytes wide, but we're emitting a zero def Move32. We need to +zero the upper 4 bytes. However, there is also code inside lower +stack args that uses the temp register when encountering offsets +that are too large to encode in a single instruction. However, +this offset materialization code for the second Move32 to zero +the upper bytes was happening before the actual store. For example, +we'd end up with: +movz x16, #k +movz x16, #k2 +stur x1, [x16] +stur zr, [x16] + +instead of +movz x16, #k +stur x1, [x16] +movz x16, #k2 +stur zr, [x16] + +* b3/air/AirLowerStackArgs.cpp: +(JSC::B3::Air::lowerStackArgs): +* b3/air/testair.cpp: + 2022-02-06 Lauro Moura Unreviewed, non-unified build fixes Modified: trunk/Source/_javascript_Core/b3/air/AirLowerStackArgs.cpp (289353 => 289354) --- trunk/Source/_javascript_Core/b3/air/AirLowerStackArgs.cpp 2022-02-08 02:58:30 UTC (rev 289353) +++ trunk/Source/_javascript_Core/b3/air/AirLowerStackArgs.cpp 2022-02-08 03:00:28 UTC (rev 289354) @@ -110,7 +110,7 @@ inst.forEachArg( [&] (Arg& arg, Arg::Role role, Bank, Width width) { -auto stackAddr = [&] (Value::OffsetType offsetFromFP) -> Arg { +auto stackAddr = [&] (unsigned instIndex, Value::OffsetType offsetFromFP) -> Arg { int32_t offsetFromSP = offsetFromFP + code.frameSize(); if (inst.admitsExtendedOffsetAddr(arg)) { @@ -137,6 +137,7 @@ result = Arg::addr(tmp, 0); return result; #elif CPU(X86_64) +UNUSED_PARAM(instIndex); // Can't happen on x86: immediates are always big enough for frame size. RELEASE_ASSERT_NOT_REACHED(); #else 
@@ -171,13 +172,13 @@ RELEASE_ASSERT(isValidForm(storeOpcode, operandKind, Arg::Stack)); insertionSet.insert( instIndex + 1, storeOpcode, inst.origin, operand, -stackAddr(arg.offset() + 4 + slot->offsetFromFP())); +stackAddr(instIndex + 1, arg.offset() + 4 + slot->offsetFromFP())); } -arg = stackAddr(arg.offset() + slot->offsetFromFP()); +arg = stackAddr(instIndex, arg.offset() + slot->offsetFromFP()); break; } case Arg::CallArg: -arg = stackAddr(arg.offset() - code.frameSize()); +arg = stackAddr(instIndex, arg.offset() - code.frameSize()); break; default: break; Modified: trunk/Source/_javascript_Core/b3/air/testair.cpp (289353 => 289354)
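Review bot: the fix hinges on `stackAddr(instIndex + 1, arg.offset() + 4 + slot->offsetFromFP())` so that the offset materialization for the upper-half zero store is inserted at the same index as the store it feeds, while the very next line keeps `stackAddr(instIndex, ...)` for the original store; a one-line comment at that call site stating that the two indices must differ would stop a future reader from "simplifying" them to the same index and reintroducing the clobbered-temp ordering the ChangeLog describes. The `UNUSED_PARAM(instIndex)` in the x86_64 branch is fine since that path cannot reach the temp-register case; the testair.cpp hunk is cut off in this excerpt.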
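The ordering defect the ChangeLog above describes, as an added example that is not JavaScriptCore's code: a toy model with hypothetical `Inst`, `InsertionSet` and `Machine` types (stand-ins for Air's instruction, its insertion set and the x16 temp register) lowers a 32-bit spill into an 8-byte slot whose offset cannot be encoded, once with both materializations inserted at `instIndex` (pre-patch) and once with the upper-half materialization inserted at `instIndex + 1`, the index of the zero store it feeds (as the patch does). Executing both streams shows that in the pre-patch order both materializations land before the first store, so the temp register holds one address for both stores and the zero store overwrites the value just written. The slot address, sentinel and spilled value are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

// Hypothetical stand-in for an Air instruction: materialize an address into the
// temp register, store the 32-bit value register through it, or store zero through it.
struct Inst {
    enum Kind { MaterializeTemp, StoreLow32, StoreZeroHigh32 };
    Kind kind;
    int64_t operand; // MaterializeTemp: the address to load into the temp register
};

// Same semantics the lowering relies on: insert(i, inst) places inst before the
// original instruction at index i, and entries sharing an index keep insertion order.
struct InsertionSet {
    std::vector<std::pair<size_t, Inst>> entries;
    void insert(size_t index, Inst inst) { entries.push_back({ index, inst }); }
    std::vector<Inst> execute(const std::vector<Inst>& original) const
    {
        std::vector<Inst> out;
        for (size_t i = 0; i <= original.size(); ++i) {
            for (const auto& entry : entries) {
                if (entry.first == i)
                    out.push_back(entry.second);
            }
            if (i < original.size())
                out.push_back(original[i]);
        }
        return out;
    }
};

// Lower the 32-bit store at `instIndex` into an 8-byte spill slot whose offset is too
// large to encode, so each store needs its own address materialized into the temp
// register. `fixed` selects the corrected behaviour (materialize at the index of the
// store being fed) versus the pre-patch behaviour (always at instIndex).
std::vector<Inst> lowerStackArgs(const std::vector<Inst>& code, size_t instIndex, int64_t slotAddress, bool fixed)
{
    InsertionSet insertionSet;
    auto stackAddr = [&](size_t index, int64_t address) {
        insertionSet.insert(index, { Inst::MaterializeTemp, address });
    };
    // Zero the upper 4 bytes with a store inserted right after the original store.
    stackAddr(fixed ? instIndex + 1 : instIndex, slotAddress + 4);
    insertionSet.insert(instIndex + 1, { Inst::StoreZeroHigh32, 0 });
    // Rewrite the original store's address operand.
    stackAddr(instIndex, slotAddress);
    return insertionSet.execute(code);
}

// Minimal machine: 4-byte memory cells keyed by address, one temp register, one value register.
struct Machine {
    std::map<int64_t, int32_t> memory;
    int64_t temp = 0;
    int32_t value = 0;
};

void run(Machine& machine, const std::vector<Inst>& insts)
{
    for (const Inst& inst : insts) {
        switch (inst.kind) {
        case Inst::MaterializeTemp: machine.temp = inst.operand; break;
        case Inst::StoreLow32: machine.memory[machine.temp] = machine.value; break;
        case Inst::StoreZeroHigh32: machine.memory[machine.temp] = 0; break;
        }
    }
}

constexpr int32_t kSentinel = 0x5A5A5A5A; // constructed: pre-fills the slot so an untouched half is visible
constexpr int32_t kSpilledValue = 0x1234;  // constructed: the 32-bit value being spilled
constexpr int64_t kSlotAddress = 0x10000;  // constructed: stands in for an unencodable offset

// Lower and execute one spill; returns (low half, high half) of the 8-byte slot afterwards.
std::pair<int32_t, int32_t> spillResult(bool fixed)
{
    std::vector<Inst> code = { { Inst::StoreLow32, 0 } };
    std::vector<Inst> lowered = lowerStackArgs(code, 0, kSlotAddress, fixed);
    Machine machine;
    machine.value = kSpilledValue;
    machine.memory[kSlotAddress] = kSentinel;
    machine.memory[kSlotAddress + 4] = kSentinel;
    run(machine, lowered);
    return { machine.memory[kSlotAddress], machine.memory[kSlotAddress + 4] };
}

int main()
{
    for (bool fixed : { false, true }) {
        std::pair<int32_t, int32_t> result = spillResult(fixed);
        std::printf("%s: low=0x%x high=0x%x\n", fixed ? "fixed" : "buggy", result.first, result.second);
    }
    return 0;
}
```

With `fixed == false` the slot ends up as low 0 and high still the sentinel: the value was written and then zeroed through the same temp address, and the upper half was never touched. With `fixed == true` the slot holds the value in the low half and zero in the high half.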
[webkit-changes] [289024] trunk/Source/JavaScriptCore
Title: [289024] trunk/Source/_javascript_Core Revision 289024 Author sbar...@apple.com Date 2022-02-02 20:16:14 -0800 (Wed, 02 Feb 2022) Log Message SecureARM64EHashPins should check g_jscConfig.useFastJITPermissions https://bugs.webkit.org/show_bug.cgi?id=236055 Reviewed by Mark Lam. * assembler/SecureARM64EHashPins.cpp: (JSC::SecureARM64EHashPins::initializeAtStartup): (JSC::SecureARM64EHashPins::allocatePinForCurrentThread): (JSC::SecureARM64EHashPins::deallocatePinForCurrentThread): * assembler/SecureARM64EHashPinsInlines.h: (JSC::SecureARM64EHashPins::pinForCurrentThread): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (289023 => 289024) --- trunk/Source/_javascript_Core/ChangeLog 2022-02-03 02:19:08 UTC (rev 289023) +++ trunk/Source/_javascript_Core/ChangeLog 2022-02-03 04:16:14 UTC (rev 289024) @@ -1,3 +1,18 @@ +2022-02-02 Saam Barati + +SecureARM64EHashPins should check g_jscConfig.useFastJITPermissions +https://bugs.webkit.org/show_bug.cgi?id=236055 + + +Reviewed by Mark Lam. + +* assembler/SecureARM64EHashPins.cpp: +(JSC::SecureARM64EHashPins::initializeAtStartup): +(JSC::SecureARM64EHashPins::allocatePinForCurrentThread): +(JSC::SecureARM64EHashPins::deallocatePinForCurrentThread): +* assembler/SecureARM64EHashPinsInlines.h: +(JSC::SecureARM64EHashPins::pinForCurrentThread): + 2022-02-02 Alexey Shvayka Speed-up JSON.stringify() by avoiding "toJSON" property lookups Modified: trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp (289023 => 289024) --- trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp 2022-02-03 02:19:08 UTC (rev 289023) +++ trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp 2022-02-03 04:16:14 UTC (rev 289024) 
@@ -100,6 +100,9 @@ void SecureARM64EHashPins::initializeAtStartup() { +if (!g_jscConfig.useFastJITPermissions) +return; + VALIDATE_THIS_VALUE(); RELEASE_ASSERT(!m_memory); @@ -173,6 +176,9 @@ void SecureARM64EHashPins::allocatePinForCurrentThread() { +if (!g_jscConfig.useFastJITPermissions) +return; + VALIDATE_THIS_VALUE(); Locker locker { hashPinsLock }; @@ -205,6 +211,9 @@ void SecureARM64EHashPins::deallocatePinForCurrentThread() { +if (!g_jscConfig.useFastJITPermissions) +return; + VALIDATE_THIS_VALUE(); Locker locker { hashPinsLock }; Modified: trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h (289023 => 289024) --- trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h 2022-02-03 02:19:08 UTC (rev 289023) +++ trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h 2022-02-03 04:16:14 UTC (rev 289024) @@ -101,7 +101,9 @@ ALWAYS_INLINE uint64_t SecureARM64EHashPins::pinForCurrentThread() { -return findFirstEntry().entry->pin; +if (LIKELY(g_jscConfig.useFastJITPermissions)) +return findFirstEntry().entry->pin; +return 1; } } // namespace JSC ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
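Review bot: `pinForCurrentThread()` now returns the constant 1 when `g_jscConfig.useFastJITPermissions` is false, and `allocatePinForCurrentThread()` / `deallocatePinForCurrentThread()` become silent no-ops in that mode; add a comment explaining that the per-thread pin only diversifies the ARM64E assembler-buffer hash when fast JIT permissions are in use and that 1 is a deliberately non-zero placeholder, so the constant is not later mistaken for an uninitialized pin. Also note that the three early returns sit before `VALIDATE_THIS_VALUE()`, so the object is not validated at all in the disabled path; if that is intentional, say so next to the first one.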
[webkit-changes] [288261] trunk/Source
Title: [288261] trunk/Source Revision 288261 Author sbar...@apple.com Date 2022-01-19 17:39:29 -0800 (Wed, 19 Jan 2022) Log Message Update ARM64EHash https://bugs.webkit.org/show_bug.cgi?id=235192 Reviewed by Mark Lam. Source/_javascript_Core: * CMakeLists.txt: * _javascript_Core.xcodeproj/project.pbxproj: * Sources.txt: * assembler/AssemblerBuffer.h: (JSC::ARM64EHash::ARM64EHash): (JSC::ARM64EHash::~ARM64EHash): (JSC::ARM64EHash::allocatePinForCurrentThreadAndInitializeHash): (JSC::ARM64EHash::deallocatePinForCurrentThread): (JSC::ARM64EHash::update): (JSC::ARM64EHash::pin): (JSC::ARM64EHash::currentHash): (JSC::ARM64EHash::setUpdatedHash): (JSC::AssemblerBuffer::AssemblerBuffer): (JSC::AssemblerBuffer::arm64eHash): (JSC::AssemblerBuffer::putIntegralUnchecked): (JSC::ARM64EHash::bitsForDiversifier): Deleted. * assembler/LinkBuffer.cpp: (JSC::LinkBuffer::copyCompactAndLinkCode): (JSC::LinkBuffer::allocate): * assembler/SecureARM64EHashPins.cpp: Added. (JSC::WriteToJITRegionScope::WriteToJITRegionScope): (JSC::WriteToJITRegionScope::~WriteToJITRegionScope): (JSC::ValidateNonReentrancyScope::ValidateNonReentrancyScope): (JSC::ValidateNonReentrancyScope::~ValidateNonReentrancyScope): (JSC::allocateInExecutableMemory): (JSC::SecureARM64EHashPins::Page::Page): (JSC::initializePage): (JSC::SecureARM64EHashPins::metadata): (JSC::SecureARM64EHashPins::initializeAtStartup): (JSC::SecureARM64EHashPins::allocatePinForCurrentThreadImpl): (JSC::SecureARM64EHashPins::allocatePinForCurrentThread): (JSC::SecureARM64EHashPins::deallocatePinForCurrentThread): * assembler/SecureARM64EHashPins.h: Added. (JSC::SecureARM64EHashPins::firstPage): * assembler/SecureARM64EHashPinsInlines.h: Added. 
(JSC::SecureARM64EHashPins::keyForCurrentThread): (JSC::SecureARM64EHashPins::forEachPage): (JSC::SecureARM64EHashPins::forEachEntry): (JSC::SecureARM64EHashPins::findFirstEntry): (JSC::SecureARM64EHashPins::pinForCurrentThread): * heap/MarkedBlock.h: * heap/MarkedSpace.h: * heap/SlotVisitor.h: * jit/BaselineJITPlan.cpp: (JSC::BaselineJITPlan::BaselineJITPlan): (JSC::BaselineJITPlan::compileInThreadImpl): * jit/ExecutableAllocator.cpp: * parser/Parser.h: * runtime/InitializeThreading.cpp: (JSC::initialize): * runtime/IterationStatus.h: Removed. * runtime/JSCConfig.h: * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::parseAndCompileAir): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::parseAndCompileB3): * wasm/WasmBBQPlan.cpp: (JSC::Wasm::BBQPlan::compileFunction): Source/WTF: * WTF.xcodeproj/project.pbxproj: * wtf/Bitmap.h: (WTF::WordType>::set): (WTF::WordType>::forEachSetBit const): * wtf/CMakeLists.txt: * wtf/IterationStatus.h: Added. Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp trunk/Source/_javascript_Core/heap/MarkedBlock.h trunk/Source/_javascript_Core/heap/MarkedSpace.h trunk/Source/_javascript_Core/heap/SlotVisitor.h trunk/Source/_javascript_Core/jit/BaselineJITPlan.cpp trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp trunk/Source/_javascript_Core/parser/Parser.h trunk/Source/_javascript_Core/runtime/InitializeThreading.cpp trunk/Source/_javascript_Core/runtime/JSCConfig.h trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp trunk/Source/WTF/ChangeLog trunk/Source/WTF/WTF.xcodeproj/project.pbxproj trunk/Source/WTF/wtf/Bitmap.h trunk/Source/WTF/wtf/CMakeLists.txt Added 
Paths trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.h trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h trunk/Source/WTF/wtf/IterationStatus.h Removed Paths trunk/Source/_javascript_Core/runtime/IterationStatus.h Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (288260 => 288261) --- trunk/Source/_javascript_Core/CMakeLists.txt 2022-01-20 01:35:06 UTC (rev 288260) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2022-01-20 01:39:29 UTC (rev 288261) @@ -593,6 +593,8 @@ assembler/RISCV64Assembler.h assembler/RISCV64Registers.h assembler/RegisterInfo.h +assembler/SecureARM64EHashPins.h +assembler/SecureARM64EHashPinsInlines.h assembler/X86Assembler.h assembler/X86Registers.h assembler/X86_64Registers.h @@ -1023,7 +1025,6 @@ runtime/InternalFunction.h runtime/Intrinsic.h runtime/IterationKind.h -runtime/IterationStatus.h runtime/IteratorOperations.h runtime/IteratorPrototype.h runtime/JSArray.h Modified: trunk/Source/_javascript_Core/ChangeLog (288260 => 288261) --- trunk/Source/_javascript_Core/ChangeLog 2022-01-20 01:35:06 UTC (rev 288260) +++
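Review bot: the CMakeLists.txt hunk adds `assembler/SecureARM64EHashPins.h` and `assembler/SecureARM64EHashPinsInlines.h` to the installed header list and drops `runtime/IterationStatus.h`, which the Added and Removed Paths show moving to `Source/WTF/wtf/IterationStatus.h`; check that the JSC headers the ChangeLog lists as touched (`heap/MarkedBlock.h`, `heap/MarkedSpace.h`, `heap/SlotVisitor.h`, `parser/Parser.h`) now include it as `<wtf/IterationStatus.h>` and that `Source/WTF/wtf/CMakeLists.txt` exports it for the non-Xcode ports, since those hunks are not visible in this excerpt.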
[webkit-changes] [288028] trunk/Source/JavaScriptCore
Title: [288028] trunk/Source/_javascript_Core Revision 288028 Author sbar...@apple.com Date 2022-01-14 13:07:47 -0800 (Fri, 14 Jan 2022) Log Message Make isJITPC fast https://bugs.webkit.org/show_bug.cgi?id=235241 Reviewed by Yusuke Suzuki. Make it an inlined function, and stop tagging g_jscConfig.startExecutableMemory and g_jscConfig.endExecutableMemory, since they're in the Config page, and not mutable after it's frozen. * jit/ExecutableAllocator.cpp: (JSC::initializeJITPageReservation): (JSC::isJITPC): Deleted. * jit/ExecutableAllocator.h: (JSC::isJITPC): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp trunk/Source/_javascript_Core/jit/ExecutableAllocator.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (288027 => 288028) --- trunk/Source/_javascript_Core/ChangeLog 2022-01-14 21:04:10 UTC (rev 288027) +++ trunk/Source/_javascript_Core/ChangeLog 2022-01-14 21:07:47 UTC (rev 288028) @@ -1,5 +1,22 @@ 2022-01-14 Saam Barati +Make isJITPC fast +https://bugs.webkit.org/show_bug.cgi?id=235241 + +Reviewed by Yusuke Suzuki. + +Make it an inlined function, and stop tagging g_jscConfig.startExecutableMemory +and g_jscConfig.endExecutableMemory, since they're in the Config page, and +not mutable after it's frozen. + +* jit/ExecutableAllocator.cpp: +(JSC::initializeJITPageReservation): +(JSC::isJITPC): Deleted. +* jit/ExecutableAllocator.h: +(JSC::isJITPC): + +2022-01-14 Saam Barati + Use IRC for Wasm, and Briggs for JS on ARM64 https://bugs.webkit.org/show_bug.cgi?id=235235 Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp (288027 => 288028) --- trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp 2022-01-14 21:04:10 UTC (rev 288027) +++ trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp 2022-01-14 21:07:47 UTC (rev 288028) 
@@ -400,8 +400,8 @@ #endif void* reservationEnd = reinterpret_cast(reservation.base) + reservation.size; -g_jscConfig.startExecutableMemory = tagCodePtr(reservation.base); -g_jscConfig.endExecutableMemory = tagCodePtr(reservationEnd); +g_jscConfig.startExecutableMemory = reservation.base; +g_jscConfig.endExecutableMemory = reservationEnd; #if !USE(SYSTEM_MALLOC) && ENABLE(UNIFIED_AND_FREEZABLE_CONFIG_RECORD) WebConfig::g_config[0] = bitwise_cast(reservation.base); @@ -471,9 +471,8 @@ m_reservation.deallocate(); } -void* memoryStart() { return untagCodePtr(g_jscConfig.startExecutableMemory); } -void* memoryEnd() { return untagCodePtr(g_jscConfig.endExecutableMemory); } -bool isJITPC(void* pc) { return memoryStart() <= pc && pc < memoryEnd(); } +void* memoryStart() { return g_jscConfig.startExecutableMemory; } +void* memoryEnd() { return g_jscConfig.endExecutableMemory; } bool isValid() { return !!m_reservation; } RefPtr allocate(size_t sizeInBytes) @@ -1129,12 +1128,6 @@ return allocator->memoryEnd(); } -bool isJITPC(void* pc) -{ -FixedVMPoolExecutableAllocator* allocator = g_jscConfig.fixedVMPoolExecutableAllocator; -return allocator && allocator->isJITPC(pc); -} - void dumpJITMemory(const void* dst, const void* src, size_t size) { RELEASE_ASSERT(Options::dumpJITMemoryPath()); Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocator.h (288027 => 288028) --- trunk/Source/_javascript_Core/jit/ExecutableAllocator.h 2022-01-14 21:04:10 UTC (rev 288027) +++ trunk/Source/_javascript_Core/jit/ExecutableAllocator.h 2022-01-14 21:07:47 UTC (rev 288028) 
@@ -108,7 +108,10 @@ return bitwise_cast(endOfFixedExecutableMemoryPoolImpl()); } -JS_EXPORT_PRIVATE bool isJITPC(void* pc); +ALWAYS_INLINE bool isJITPC(void* pc) +{ +return g_jscConfig.startExecutableMemory <= pc && pc < g_jscConfig.endExecutableMemory; +} JS_EXPORT_PRIVATE void dumpJITMemory(const void*, const void*, size_t); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
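Review bot: the inlined `isJITPC` in ExecutableAllocator.h now compares `pc` directly against `g_jscConfig.startExecutableMemory` and `g_jscConfig.endExecutableMemory`, and the .cpp hunk stops tagging those two pointers; the ChangeLog justifies this with the Config page being frozen, so the header should carry a comment stating that the check is only trustworthy once the config is frozen and that before `initializeJITPageReservation` runs both bounds are null, in which case the function correctly reports false (the removed `.cpp` version handled that case explicitly with `allocator && allocator->isJITPC(pc)`). An assertion in `initializeJITPageReservation` that the config has not yet been frozen when the bounds are written would document the ordering the new check depends on.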
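The property the ChangeLog above relies on (bounds that live in a frozen Config page can be compared directly, without pointer tagging), as an added example that is not JavaScriptCore's code: a hypothetical `ToyConfig` holding only the two bound fields is placed in its own page, the fake reservation bounds are written, the page is made read-only with `mprotect`, and a range check with the same shape as the inlined `isJITPC` is run against it. `frozenConfigRejectsWrites()` asks the kernel to store into the frozen page through `read(2)` and checks that the call fails with `EFAULT` rather than changing the bounds. The reservation is a constructed static buffer; the code needs POSIX `mmap`/`mprotect` (Linux or macOS).

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdio>
#include <sys/mman.h>
#include <unistd.h>

// Hypothetical stand-in for g_jscConfig with just the two fields the patch reads.
// The real Config record holds many more fields and is frozen by WebKit's own
// machinery; here the freeze is a plain mprotect(PROT_READ) on a page we own.
struct ToyConfig {
    void* startExecutableMemory;
    void* endExecutableMemory;
};

static ToyConfig* g_toyConfig = nullptr; // lives in its own page so it can be frozen
static bool g_toyConfigFrozen = false;

static size_t pageSize() { return static_cast<size_t>(sysconf(_SC_PAGESIZE)); }

// Allocate the config page writable and zero-filled. Both bounds start null,
// so a range check before the reservation is recorded reports false.
bool initializeToyConfig()
{
    if (g_toyConfig)
        return true;
    void* page = mmap(nullptr, pageSize(), PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return false;
    g_toyConfig = static_cast<ToyConfig*>(page);
    return true;
}

// Record the reservation bounds (the analogue of initializeJITPageReservation),
// then freeze the page. Refuses to run twice, since a second write would fault.
bool recordJITReservationAndFreeze(void* base, size_t size)
{
    if (!g_toyConfig || g_toyConfigFrozen)
        return false;
    g_toyConfig->startExecutableMemory = base;
    g_toyConfig->endExecutableMemory = static_cast<char*>(base) + size;
    if (mprotect(g_toyConfig, pageSize(), PROT_READ) != 0)
        return false;
    g_toyConfigFrozen = true;
    return true;
}

// Same shape as the inlined isJITPC in the patch: a plain range check against
// bounds that sit in read-only memory, so no tagging of the bounds is needed.
inline bool isJITPCToy(const void* pc)
{
    if (!g_toyConfig)
        return false;
    return g_toyConfig->startExecutableMemory <= pc && pc < g_toyConfig->endExecutableMemory;
}

// Demonstrates the freeze: have the kernel try to store one byte into the config
// page via read(2). On a frozen page the syscall fails with EFAULT instead of
// changing the bounds. Returns true when the write was rejected.
bool frozenConfigRejectsWrites()
{
    if (!g_toyConfig || !g_toyConfigFrozen)
        return false;
    int fds[2];
    if (pipe(fds) != 0)
        return false;
    char byte = 'x';
    bool rejected = false;
    if (write(fds[1], &byte, 1) == 1) {
        ssize_t n = read(fds[0], g_toyConfig, 1);
        rejected = (n == -1 && errno == EFAULT);
    }
    close(fds[0]);
    close(fds[1]);
    return rejected;
}

static char g_fakeJITRegion[4096]; // constructed: stands in for the executable memory reservation
void* fakeJITRegionBase() { return g_fakeJITRegion; }
size_t fakeJITRegionSize() { return sizeof(g_fakeJITRegion); }

int main()
{
    if (!initializeToyConfig() || !recordJITReservationAndFreeze(fakeJITRegionBase(), fakeJITRegionSize()))
        return 1;
    std::printf("inside: %d, one past end: %d, write rejected: %d\n",
        isJITPCToy(g_fakeJITRegion + 16),
        isJITPCToy(g_fakeJITRegion + sizeof(g_fakeJITRegion)),
        frozenConfigRejectsWrites());
    return 0;
}
```

The check is cheap precisely because nothing has to be untagged; what makes it safe to trust is that the bounds cannot be rewritten after the freeze, which is why the write attempt through the kernel is part of the demonstration.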
[webkit-changes] [288023] trunk/Source/JavaScriptCore
Title: [288023] trunk/Source/_javascript_Core Revision 288023 Author sbar...@apple.com Date 2022-01-14 12:05:39 -0800 (Fri, 14 Jan 2022) Log Message Use IRC for Wasm, and Briggs for JS on ARM64 https://bugs.webkit.org/show_bug.cgi?id=235235 Reviewed by Yusuke Suzuki and Robin Morisset. When I turned on IRC for everything in r287218, we saw some regressions on iOS on JetStream2. So, this patch makes it so JS code on arm64 goes back to using Briggs, and Wasm will use IRC. * b3/air/AirAllocateRegistersByGraphColoring.cpp: * b3/air/AirCode.h: (JSC::B3::Air::Code::setForceIRCRegisterAllocation): (JSC::B3::Air::Code::forceIRCRegisterAllocation): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::parseAndCompileB3): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp trunk/Source/_javascript_Core/b3/air/AirCode.h trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (288022 => 288023) --- trunk/Source/_javascript_Core/ChangeLog 2022-01-14 19:57:25 UTC (rev 288022) +++ trunk/Source/_javascript_Core/ChangeLog 2022-01-14 20:05:39 UTC (rev 288023) 
@@ -1,3 +1,23 @@ +2022-01-14 Saam Barati + +Use IRC for Wasm, and Briggs for JS on ARM64 +https://bugs.webkit.org/show_bug.cgi?id=235235 + + +Reviewed by Yusuke Suzuki and Robin Morisset. + +When I turned on IRC for everything in r287218, we saw some +regressions on iOS on JetStream2. So, this patch makes it so +JS code on arm64 goes back to using Briggs, and Wasm will +use IRC. + +* b3/air/AirAllocateRegistersByGraphColoring.cpp: +* b3/air/AirCode.h: +(JSC::B3::Air::Code::setForceIRCRegisterAllocation): +(JSC::B3::Air::Code::forceIRCRegisterAllocation): +* wasm/WasmB3IRGenerator.cpp: +(JSC::Wasm::parseAndCompileB3): + 2022-01-13 Zan Dobersek [RISCV64] riscv64 backend should lower offlineasm instructions Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp (288022 => 288023) --- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp 2022-01-14 19:57:25 UTC (rev 288022) +++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp 2022-01-14 20:05:39 UTC (rev 288023) @@ -1815,8 +1815,14 @@ return false; }; -auto useIRC = [] { -return Options::airForceIRCAllocator() || !Options::airForceBriggsAllocator(); +auto useIRC = [&] { +if (Options::airForceBriggsAllocator()) +return false; +if (m_code.forceIRCRegisterAllocation() || Options::airForceIRCAllocator()) +return true; +if (isARM64()) +return false; +return true; }; if (m_code.numTmps(bank) < WTF::maxSizeForSmallInterferenceGraph) { Modified: trunk/Source/_javascript_Core/b3/air/AirCode.h (288022 => 288023) --- trunk/Source/_javascript_Core/b3/air/AirCode.h 2022-01-14 19:57:25 UTC (rev 288022) +++ trunk/Source/_javascript_Core/b3/air/AirCode.h 2022-01-14 20:05:39 UTC (rev 288023) @@ -361,6 +361,9 @@ void emitEpilogue(CCallHelpers&); std::unique_ptr m_generateAndAllocateRegisters; + +void setForceIRCRegisterAllocation() { m_forceIRC = true; } +bool forceIRCRegisterAllocation() { return m_forceIRC; } private: friend class ::JSC::B3::Procedure; 
@@ -400,6 +403,7 @@ unsigned m_optLevel { defaultOptLevel() }; bool m_stackIsAllocated { false }; bool m_preserveB3Origins { true }; +bool m_forceIRC { false }; RegisterAtOffsetList m_uncorrectedCalleeSaveRegisterAtOffsetList; RegisterSet m_calleeSaveRegisters; StackSlot* m_calleeSaveStackSlot { nullptr }; Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (288022 => 288023) --- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2022-01-14 19:57:25 UTC (rev 288022) +++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2022-01-14 20:05:39 UTC (rev 288023) @@ -3174,6 +3174,8 @@ ? Options::webAssemblyBBQB3OptimizationLevel() : Options::webAssemblyOMGOptimizationLevel()); +procedure.code().setForceIRCRegisterAllocation(); + B3IRGenerator irGenerator(info, procedure, result.get(), unlinkedWasmToWasmCalls, result->osrEntryScratchBufferSize, mode, compilationMode, functionIndex, loopIndexForOSREntry, tierUp); FunctionParser parser(irGenerator, function.data.data(), function.data.size(), signature, info); WASM_FAIL_IF_HELPER_FAILS(parser.parse()); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
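Review bot: in the new useIRC lambda in AirAllocateRegistersByGraphColoring.cpp, Options::airForceBriggsAllocator() is tested before m_code.forceIRCRegisterAllocation(), so the Briggs option overrides the per-Code IRC request that WasmB3IRGenerator.cpp now sets; if that precedence is meant as a debugging override, say so in a comment next to the lambda, otherwise the forced flag should win. The tail `if (isARM64()) return false; return true;` reads more directly as `return !isARM64();`.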
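Review bot: forceIRCRegisterAllocation() added to AirCode.h only reads m_forceIRC and should be a const member, `bool forceIRCRegisterAllocation() const { return m_forceIRC; }`; as written it cannot be called through a const Code&.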
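Review bot: the unconditional procedure.code().setForceIRCRegisterAllocation() in parseAndCompileB3 carries no explanation at the call site; the rationale (IRC was a Wasm win in r287218 but regressed JetStream2 on iOS for JS, so only Wasm keeps it) lives only in the ChangeLog, and a one-line comment there would keep the call from being removed later as apparently redundant.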
[webkit-changes] [288002] trunk/Source/JavaScriptCore
Title: [288002] trunk/Source/_javascript_Core Revision 288002 Author sbar...@apple.com Date 2022-01-13 18:40:08 -0800 (Thu, 13 Jan 2022) Log Message Link Wasm code on the same thread that JITs https://bugs.webkit.org/show_bug.cgi?id=235201 Reviewed by Yusuke Suzuki and Mark Lam. This is preparing us for the changes that'll be needed by https://bugs.webkit.org/show_bug.cgi?id=235192. It should also be a small perf improvement, as we're now linking in parallel instead of doing it after all compilations have finished. * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::parseAndCompileB3): * wasm/WasmBBQPlan.cpp: (JSC::Wasm::BBQPlan::prepareImpl): (JSC::Wasm::BBQPlan::compileFunction): (JSC::Wasm::BBQPlan::didCompleteCompilation): (JSC::Wasm::BBQPlan::initializeCallees): * wasm/WasmBBQPlan.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp trunk/Source/_javascript_Core/wasm/WasmBBQPlan.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (288001 => 288002) --- trunk/Source/_javascript_Core/ChangeLog 2022-01-14 01:57:40 UTC (rev 288001) +++ trunk/Source/_javascript_Core/ChangeLog 2022-01-14 02:40:08 UTC (rev 288002) 
@@ -1,3 +1,25 @@ +2022-01-13 Saam Barati + +Link Wasm code on the same thread that JITs +https://bugs.webkit.org/show_bug.cgi?id=235201 + +Reviewed by Yusuke Suzuki and Mark Lam. + +This is preparing us for the changes that'll be needed by +https://bugs.webkit.org/show_bug.cgi?id=235192. + +It should also be a small perf improvement, as we're now linking +in parallel instead of doing it after all compilations have finished. + +* wasm/WasmB3IRGenerator.cpp: +(JSC::Wasm::parseAndCompileB3): +* wasm/WasmBBQPlan.cpp: +(JSC::Wasm::BBQPlan::prepareImpl): +(JSC::Wasm::BBQPlan::compileFunction): +(JSC::Wasm::BBQPlan::didCompleteCompilation): +(JSC::Wasm::BBQPlan::initializeCallees): +* wasm/WasmBBQPlan.h: + 2022-01-13 Elliott Williams [XCBuild] Add "product dependencies" which influence workspace build order Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (288001 => 288002) --- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2022-01-14 01:57:40 UTC (rev 288001) +++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2022-01-14 02:40:08 UTC (rev 288002) @@ -3150,7 +3150,6 @@ if (shouldDumpIRFor(functionIndex + info.importFunctionCount())) procedure.setShouldDumpIR(); -compilationContext.wasmEntrypointJIT = makeUnique(); if (Options::useSamplingProfiler()) { // FIXME: We should do this based on VM relevant info. Modified: trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp (288001 => 288002) --- trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp 2022-01-14 01:57:40 UTC (rev 288001) +++ trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp 2022-01-14 02:40:08 UTC (rev 288002) 
@@ -63,6 +63,7 @@ { const auto& functions = m_moduleInformation->functions; if (!tryReserveCapacity(m_wasmInternalFunctions, functions.size(), " WebAssembly functions") +|| !tryReserveCapacity(m_wasmInternalFunctionLinkBuffers, functions.size(), " compilation contexts") || !tryReserveCapacity(m_compilationContexts, functions.size(), " compilation contexts") || !tryReserveCapacity(m_tierUpCounts, functions.size(), " tier-up counts") || !tryReserveCapacity(m_allLoopEntrypoints, functions.size(), " loop entrypoints")) @@ -69,6 +70,7 @@ return false; m_wasmInternalFunctions.resize(functions.size()); +m_wasmInternalFunctionLinkBuffers.resize(functions.size()); m_exceptionHandlerLocations.resize(functions.size()); m_compilationContexts.resize(functions.size()); m_tierUpCounts.resize(functions.size()); @@ -182,12 +184,21 @@ m_tierUpCounts[functionIndex] = nullptr; m_wasmInternalFunctions[functionIndex] = compileFunction(functionIndex, m_compilationContexts[functionIndex], m_unlinkedWasmToWasmCalls[functionIndex], m_tierUpCounts[functionIndex].get()); +{ +auto linkBuffer = makeUnique(*m_compilationContexts[functionIndex].wasmEntrypointJIT, nullptr, LinkBuffer::Profile::Wasm, JITCompilationCanFail); +if (linkBuffer->isValid()) +m_wasmInternalFunctionLinkBuffers[functionIndex] = WTFMove(linkBuffer); +} if (m_exportedFunctionIndices.contains(functionIndex) || m_moduleInformation->referencedFunctions().contains(functionIndex)) { Locker locker { m_lock }; SignatureIndex signatureIndex = m_moduleInformation->internalFunctionSignatureIndices[functionIndex]; const Signature& signature = SignatureInformation::get(signatureIndex); -auto result = m_embedderToWasmInternalFunctions.add(functionIndex,
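Review bot: in the @@ -63 hunk of WasmBBQPlan.cpp, the new tryReserveCapacity call for m_wasmInternalFunctionLinkBuffers reuses the " compilation contexts" label from the following line; the out-of-memory message should name what actually failed, e.g. `" link buffers"`.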
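Review bot: the WasmB3IRGenerator.cpp hunk removes the creation of compilationContext.wasmEntrypointJIT from parseAndCompileB3, yet the @@ -182 hunk in WasmBBQPlan.cpp dereferences `*m_compilationContexts[functionIndex].wasmEntrypointJIT` unconditionally; the hunk that now creates it is not among the visible lines, so confirm it is created on every path that reaches compileFunction (the Air generator as well as B3) before the link buffer is built.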
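Review bot: in the @@ -182 hunk of WasmBBQPlan.cpp, when the LinkBuffer constructed with JITCompilationCanFail reports isValid() false, m_wasmInternalFunctionLinkBuffers[functionIndex] stays null and nothing in these lines records the failure; didCompleteCompilation must either treat a null link buffer as a plan failure or retry the link, and that handling should be visible or referenced here. The store into m_wasmInternalFunctionLinkBuffers also happens outside `Locker locker { m_lock }`, which is only safe because each index is written by a single worker; a short comment saying so would help.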
[webkit-changes] [287864] trunk/Source/JavaScriptCore
Title: [287864] trunk/Source/_javascript_Core Revision 287864 Author sbar...@apple.com Date 2022-01-10 17:36:00 -0800 (Mon, 10 Jan 2022) Log Message Allow loop tier up to the Air tier https://bugs.webkit.org/show_bug.cgi?id=234587 Reviewed by Yusuke Suzuki. This patch adds loop tier up from LLInt -> Air. To implement this, we use EntrySwitch to point at each loop header, making each loop an entrypoint. This is unlike BBQ->OMG tier up, where we compile a special OSR entry OMG callee. This seems like a good architecture for the Air tier, since we might end up with slightly worse throughput, but we won't need a different compilation for loops vs call entrypoints. This patch also fixes a bug in Air's O0 register allocation where it didn't properly account for all named registers in an instruction. There was a silly bug where we asked each arg if it were a temp, instead of asking the Inst for each of its temps, since an Arg can be an address but still use temps. * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: (JSC::B3::Air::GenerateAndAllocateRegisters::generate): * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::emitLoad): (JSC::Wasm::AirIRGenerator::AirIRGenerator): (JSC::Wasm::AirIRGenerator::finalizeEntrypoints): (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): (JSC::Wasm::AirIRGenerator::addLoop): (JSC::Wasm::parseAndCompileAir): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::B3IRGenerator): (JSC::Wasm::parseAndCompileB3): (JSC::Wasm::parseAndCompile): Deleted. 
* wasm/WasmB3IRGenerator.h: * wasm/WasmBBQPlan.cpp: (JSC::Wasm::BBQPlan::prepareImpl): (JSC::Wasm::BBQPlan::work): (JSC::Wasm::BBQPlan::compileFunction): (JSC::Wasm::BBQPlan::didCompleteCompilation): (JSC::Wasm::BBQPlan::initializeCallees): * wasm/WasmBBQPlan.h: * wasm/WasmCallee.h: * wasm/WasmCalleeGroup.h: * wasm/WasmFormat.h: * wasm/WasmIRGeneratorHelpers.h: (JSC::Wasm::computeExceptionHandlerAndLoopEntrypointLocations): (JSC::Wasm::computeExceptionHandlerLocations): * wasm/WasmLLIntPlan.cpp: (JSC::Wasm::LLIntPlan::didCompleteCompilation): * wasm/WasmOMGPlan.cpp: (JSC::Wasm::OMGPlan::work): * wasm/WasmOSREntryPlan.cpp: (JSC::Wasm::OSREntryPlan::work): * wasm/WasmSlowPaths.cpp: (JSC::LLInt::WASM_SLOW_PATH_DECL): * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.h trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp trunk/Source/_javascript_Core/wasm/WasmBBQPlan.h trunk/Source/_javascript_Core/wasm/WasmCallee.h trunk/Source/_javascript_Core/wasm/WasmCalleeGroup.h trunk/Source/_javascript_Core/wasm/WasmFormat.h trunk/Source/_javascript_Core/wasm/WasmIRGeneratorHelpers.h trunk/Source/_javascript_Core/wasm/WasmLLIntPlan.cpp trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp trunk/Source/_javascript_Core/wasm/WasmOSREntryPlan.cpp trunk/Source/_javascript_Core/wasm/WasmSlowPaths.cpp trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (287863 => 287864) --- trunk/Source/_javascript_Core/ChangeLog 2022-01-10 23:48:40 UTC (rev 287863) +++ trunk/Source/_javascript_Core/ChangeLog 2022-01-11 01:36:00 UTC (rev 287864) 
@@ -1,3 +1,62 @@ +2022-01-10 Saam Barati + +Allow loop tier up to the Air tier +https://bugs.webkit.org/show_bug.cgi?id=234587 + + +Reviewed by Yusuke Suzuki. + +This patch adds loop tier up from LLInt -> Air. To implement this, we use +EntrySwitch to point at each loop header, making each loop an entrypoint. +This is unlike BBQ->OMG tier up, where we compile a special OSR entry OMG +callee. This seems like a good architecture for the Air tier, since we might end +up with slightly worse throughput, but we won't need a different compilation +for loops vs call entrypoints. + +This patch also fixes a bug in Air's O0 register allocation where it +didn't properly account for all named registers in an instruction. There +was a silly bug where we asked each arg if it were a temp, instead of +asking the Inst for each of its temps, since an Arg can be an address +but still use temps. + +* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: +(JSC::B3::Air::GenerateAndAllocateRegisters::generate): +* wasm/WasmAirIRGenerator.cpp: +(JSC::Wasm::AirIRGenerator::emitLoad): +(JSC::Wasm::AirIRGenerator::AirIRGenerator): +(JSC::Wasm::AirIRGenerator::finalizeEntrypoints): +(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): +(JSC::Wasm::AirIRGenerator::addLoop): +(JSC::Wasm::parseAndCompileAir): +* wasm/WasmB3IRGenerator.cpp: +
[webkit-changes] [287806] trunk/Source/JavaScriptCore
Title: [287806] trunk/Source/_javascript_Core Revision 287806 Author sbar...@apple.com Date 2022-01-07 19:42:42 -0800 (Fri, 07 Jan 2022) Log Message Unreviewed. Appease an assertion that was broken by r287801 by slightly refactoring code so we don't clobber the same named register twice. * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: (JSC::B3::Air::GenerateAndAllocateRegisters::generate): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (287805 => 287806) --- trunk/Source/_javascript_Core/ChangeLog 2022-01-08 03:18:59 UTC (rev 287805) +++ trunk/Source/_javascript_Core/ChangeLog 2022-01-08 03:42:42 UTC (rev 287806) @@ -1,5 +1,13 @@ 2022-01-07 Saam Barati +Unreviewed. Appease an assertion that was broken by r287801 by slightly +refactoring code so we don't clobber the same named register twice. + +* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: +(JSC::B3::Air::GenerateAndAllocateRegisters::generate): + +2022-01-07 Saam Barati + Add support for Wasm exceptions in the Air generator https://bugs.webkit.org/show_bug.cgi?id=231211 Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp (287805 => 287806) --- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp 2022-01-08 03:18:59 UTC (rev 287805) +++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp 2022-01-08 03:42:42 UTC (rev 287806) @@ -758,8 +758,8 @@ ASSERT_UNUSED(jump, !jump.isSet()); allocNamed(earlyNextClobberedRegisters, true); +clobberedRegisters.merge(earlyNextClobberedRegisters); clobber(clobberedRegisters); -clobber(earlyNextClobberedRegisters); } else { ASSERT(needsToGenerate);
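Review bot: in the @@ -758 hunk of AirAllocateRegistersAndStackAndGenerateCode.cpp, `clobberedRegisters.merge(earlyNextClobberedRegisters)` mutates clobberedRegisters instead of clobbering the two sets separately; if clobberedRegisters is read again after this branch (for example to decide which registers to reload), it now also contains the early-next clobbers, so confirm there is no later use, or merge into a local copy. Since this is an unreviewed fix for an assertion introduced by r287801, a test that reproduces the double-clobber would guard against the next refactor.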
[webkit-changes] [287801] trunk/Source/JavaScriptCore
Title: [287801] trunk/Source/_javascript_Core Revision 287801 Author sbar...@apple.com Date 2022-01-07 17:57:04 -0800 (Fri, 07 Jan 2022) Log Message Add support for Wasm exceptions in the Air generator https://bugs.webkit.org/show_bug.cgi?id=231211 Reviewed by Filip Pizlo. This patch adds support to Air for Wasm exceptions. The implementation is very similar to how we implement it in the B3 Wasm tier. This patch shares code with the B3 tier where it can. This patch also fixes a bug where you the early clobbered registers of a patchpoint could prevent the prior instruction from register allocating. For example, you can have the instructions I1, I2. Where I2 clobbers the entire register file. It doesn't mean I1 shouldn't be able to allocate registers. Instead, the clobber should occur after I1 executes. This patch fixes the issue. * _javascript_Core.xcodeproj/project.pbxproj: * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: (JSC::B3::Air::GenerateAndAllocateRegisters::generate): * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::ControlData::ControlData): (JSC::Wasm::AirIRGenerator::ControlData::isTry): (JSC::Wasm::AirIRGenerator::ControlData::isCatch): (JSC::Wasm::AirIRGenerator::ControlData::convertTryToCatch): (JSC::Wasm::AirIRGenerator::ControlData::convertTryToCatchAll): (JSC::Wasm::AirIRGenerator::ControlData::tryStart const): (JSC::Wasm::AirIRGenerator::ControlData::tryEnd const): (JSC::Wasm::AirIRGenerator::ControlData::tryDepth const): (JSC::Wasm::AirIRGenerator::ControlData::catchKind const): (JSC::Wasm::AirIRGenerator::ControlData::exception const): (JSC::Wasm::AirIRGenerator::emitCallPatchpoint): (JSC::Wasm::AirIRGenerator::addStackMap): (JSC::Wasm::AirIRGenerator::takeStackmaps): (JSC::Wasm::AirIRGenerator::takeExceptionHandlers): (JSC::Wasm::AirIRGenerator::newTmp): (JSC::Wasm::AirIRGenerator::emitPatchpoint): (JSC::Wasm::AirIRGenerator::emitLoad): (JSC::Wasm::AirIRGenerator::AirIRGenerator): 
(JSC::Wasm::AirIRGenerator::finalizeEntrypoints): (JSC::Wasm::AirIRGenerator::forEachLiveValue): (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck): (JSC::Wasm::AirIRGenerator::addTry): (JSC::Wasm::AirIRGenerator::addCatch): (JSC::Wasm::AirIRGenerator::addCatchAll): (JSC::Wasm::AirIRGenerator::addCatchToUnreachable): (JSC::Wasm::AirIRGenerator::addCatchAllToUnreachable): (JSC::Wasm::AirIRGenerator::emitCatchImpl): (JSC::Wasm::AirIRGenerator::addDelegate): (JSC::Wasm::AirIRGenerator::addDelegateToUnreachable): (JSC::Wasm::AirIRGenerator::addThrow): (JSC::Wasm::AirIRGenerator::addRethrow): (JSC::Wasm::AirIRGenerator::addEndToUnreachable): (JSC::Wasm::AirIRGenerator::addCall): (JSC::Wasm::AirIRGenerator::emitIndirectCall): (JSC::Wasm::parseAndCompileAir): (JSC::Wasm::AirIRGenerator::preparePatchpointForExceptions): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::insertEntrySwitch): (JSC::Wasm::B3IRGenerator::emitCatchImpl): (JSC::Wasm::B3IRGenerator::addThrow): (JSC::Wasm::B3IRGenerator::addRethrow): (JSC::Wasm::PatchpointExceptionHandle::generate const): Deleted. (JSC::Wasm::buildEntryBufferForCatch): Deleted. (JSC::Wasm::computeExceptionHandlerLocations): Deleted. * wasm/WasmB3IRGenerator.h: * wasm/WasmBBQPlan.cpp: (JSC::Wasm::BBQPlan::compileFunction): * wasm/WasmIRGeneratorHelpers.h: Added. 
(JSC::Wasm::PatchpointExceptionHandle::generate const): (JSC::Wasm::computeExceptionHandlerLocations): (JSC::Wasm::emitRethrowImpl): (JSC::Wasm::emitThrowImpl): (JSC::Wasm::buildEntryBufferForCatch): (JSC::Wasm::emitCatchPrologueShared): * wasm/WasmLLIntGenerator.cpp: (JSC::Wasm::LLIntGenerator::finalize): * wasm/WasmModuleInformation.h: * wasm/WasmOMGPlan.cpp: * wasm/WasmOSREntryPlan.cpp: * wasm/WasmStreamingParser.cpp: (JSC::Wasm::StreamingParser::parseCodeSectionSize): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.h trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp trunk/Source/_javascript_Core/wasm/WasmLLIntGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmModuleInformation.h trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp trunk/Source/_javascript_Core/wasm/WasmOSREntryPlan.cpp trunk/Source/_javascript_Core/wasm/WasmStreamingParser.cpp Added Paths trunk/Source/_javascript_Core/wasm/WasmIRGeneratorHelpers.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (287800 => 287801) --- trunk/Source/_javascript_Core/ChangeLog 2022-01-08 01:52:18 UTC (rev 287800) +++ trunk/Source/_javascript_Core/ChangeLog 2022-01-08 01:57:04 UTC (rev 287801) @@ -1,3 +1,88 @@ +2022-01-07 Saam Barati + +Add support for Wasm exceptions in the Air generator +https://bugs.webkit.org/show_bug.cgi?id=231211 + + +Reviewed
[webkit-changes] [287738] trunk
Title: [287738] trunk Revision 287738 Author sbar...@apple.com Date 2022-01-06 20:54:03 -0800 (Thu, 06 Jan 2022) Log Message preparePatchpointForExceptions needs to handle tuples https://bugs.webkit.org/show_bug.cgi?id=234909 Reviewed by Yusuke Suzuki. JSTests: Add support to the builder to have functions return tuples. * wasm/Builder.js: (const._normalizeFunctionSignature): (const._maybeRegisterType): * wasm/Builder_WebAssemblyBinary.js: (const.emitters.Type): * wasm/stress/exception-throw-from-function-returning-tuple.js: Added. (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.testCatchWithExceptionThrownFromFunctionReturningTuple): Source/_javascript_Core: We got the offsets wrong when building a stackmap in B3IRGenerator for exception sites. We need to index into StackmapGenerationParams differently from indexing into the patchpoint's children. StackmapGenerationParams reserves its first N entries for the N return values. The patchpoint's children contains no results though, so we don't need to account for the number of return values when indexing into the children() vector of the PatchpointValue. To make this code simpler, we keep track of the number of live values we need when throwing. These values are both at the end of StackmapGenerationParams and at the end of the children() vector. So we just look at the last "number of live values" in both vectors to get the correct ValueRep and correct type. The code for calls also didn't account for the fact that call arguments will be appended after the live values we're building into a stackmap. This patch fixes that code to always put the live values last. 
* wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::PatchpointExceptionHandle::generate const): (JSC::Wasm::B3IRGenerator::preparePatchpointForExceptions): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/wasm/Builder.js trunk/JSTests/wasm/Builder_WebAssemblyBinary.js trunk/JSTests/wasm/self-test/test_BuilderJSON.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp Added Paths trunk/JSTests/wasm/stress/exception-throw-from-function-returning-tuple.js Diff Modified: trunk/JSTests/ChangeLog (287737 => 287738) --- trunk/JSTests/ChangeLog 2022-01-07 04:28:29 UTC (rev 287737) +++ trunk/JSTests/ChangeLog 2022-01-07 04:54:03 UTC (rev 287738) @@ -1,3 +1,20 @@ +2022-01-06 Saam Barati + +preparePatchpointForExceptions needs to handle tuples +https://bugs.webkit.org/show_bug.cgi?id=234909 + +Reviewed by Yusuke Suzuki. + +Add support to the builder to have functions return tuples. + +* wasm/Builder.js: +(const._normalizeFunctionSignature): +(const._maybeRegisterType): +* wasm/Builder_WebAssemblyBinary.js: +(const.emitters.Type): +* wasm/stress/exception-throw-from-function-returning-tuple.js: Added. +(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.testCatchWithExceptionThrownFromFunctionReturningTuple): + 2022-01-03 Yusuke Suzuki Array.prototype.toLocaleString does not respect deletion of Object.prototype.toLocaleString Modified: trunk/JSTests/wasm/Builder.js (287737 => 287738) --- trunk/JSTests/wasm/Builder.js 2022-01-07 04:28:29 UTC (rev 287737) +++ trunk/JSTests/wasm/Builder.js 2022-01-07 04:54:03 UTC (rev 287738) 
@@ -46,10 +46,16 @@ assert.isArray(params); for (const p of params) assert.truthy(WASM.isValidValueType(p) || p === "void", `Type parameter ${p} needs a valid value type`); -if (typeof(ret) === "undefined") -ret = "void"; -assert.isNotArray(ret, `Multiple return values not supported by WebAssembly yet`); -assert.truthy(WASM.isValidBlockType(ret), `Type return ${ret} must be valid block type`); +if (typeof ret === "undefined") +ret = []; +else if (typeof ret === "string") { +if (ret === "void") +ret = []; +else +ret = [ret]; +} +for (let type of ret) +assert.truthy(WASM.isValidBlockType(type), `Type return ${type} must be valid block type`); return [params, ret]; }; @@ -77,14 +83,19 @@ const [params, ret] = _normalizeFunctionSignature(type.params, type.ret); assert.isNotUndef(typeSection, `Can not add type if a type section is not present`); // Try reusing an equivalent type from the type section. -types: for (let i = 0; i !== typeSection.data.length; ++i) { +let shallowEqual = (a, b) => { +if (a.length !== b.length) +return false; +for (let i = 0; i < a.length; ++i) { +if (a[i] !== b[i]) +return false; +} +return true; +}; + const t = typeSection.data[i]; -if (t.ret === ret && params.length === t.params.length) { -for (let j = 0; j !== t.params.length; ++j) { -
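Review bot: in the @@ -46 hunk of Builder.js, each element of the normalized `ret` array is validated with WASM.isValidBlockType, which accepts "void" (the old code relied on exactly that after defaulting ret to "void"); a caller passing `["void", "i32"]` therefore passes the assertion and emits a malformed type. Elements of a return tuple are value types, so check them with WASM.isValidValueType and reject "void" inside an array.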
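Review bot: the visible part of the @@ -77 hunk in Builder.js removes the `types: for (let i = 0; ...)` loop header and inserts the shallowEqual helper, but keeps `const t = typeSection.data[i];` below it; the rest of the hunk is cut off on this page, so verify that the loop (and the `types` label, if anything still continues to it) is reintroduced after the helper. shallowEqual closes over nothing and could live at module scope rather than being recreated on every _maybeRegisterType call.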
[webkit-changes] [287379] trunk
Title: [287379] trunk Revision 287379 Author sbar...@apple.com Date 2021-12-22 17:12:14 -0800 (Wed, 22 Dec 2021) Log Message LLInt should loop OSR into BBQ and BBQ should loop OSR into OMG https://bugs.webkit.org/show_bug.cgi?id=234542 Reviewed by Yusuke Suzuki. JSTests: * wasm/wast-tests/harness.js: Source/_javascript_Core: It's a startup perf improvement on some Wasm benchmarks I'm running to have Wasm LLInt do loop OSR entry into BBQ instead of OMG. This improves this benchmark by 5%. There is probably more perf to be had here. Currently, we're just OSR entering into B3 BBQ O1. However, in the future, we should just compile a single Air BBQ Callee that allows for OSR entry at loop boundaries. Maybe we can model this using EntrySwitch without any real harm to throughput. * _javascript_Core.xcodeproj/project.pbxproj: * Sources.txt: * assembler/MacroAssemblerCodeRef.cpp: (JSC::shouldDumpDisassemblyFor): * jsc.cpp: (JSC_DEFINE_HOST_FUNCTION): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::B3IRGenerator): (JSC::Wasm::parseAndCompile): * wasm/WasmCallee.h: (JSC::Wasm::Callee::setOSREntryCallee): Deleted. * wasm/WasmCalleeGroup.h: * wasm/WasmCompilationMode.cpp: (JSC::Wasm::makeString): * wasm/WasmCompilationMode.h: (JSC::Wasm::isOSREntry): (JSC::Wasm::isAnyBBQ): (JSC::Wasm::isAnyOMG): * wasm/WasmOMGForOSREntryPlan.cpp: Removed. * wasm/WasmOMGForOSREntryPlan.h: Removed. * wasm/WasmOSREntryPlan.cpp: Copied from Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.cpp. (JSC::Wasm::OSREntryPlan::OSREntryPlan): (JSC::Wasm::OSREntryPlan::work): (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan): Deleted. (JSC::Wasm::OMGForOSREntryPlan::work): Deleted. * wasm/WasmOSREntryPlan.h: Copied from Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.h. 
* wasm/WasmOperations.cpp: (JSC::Wasm::doOSREntry): (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): * wasm/WasmPlan.cpp: (JSC::Wasm::Plan::updateCallSitesToCallUs): * wasm/WasmSlowPaths.cpp: (JSC::LLInt::WASM_SLOW_PATH_DECL): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js trunk/JSTests/wasm/wast-tests/harness.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.cpp trunk/Source/_javascript_Core/jsc.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmCallee.h trunk/Source/_javascript_Core/wasm/WasmCalleeGroup.h trunk/Source/_javascript_Core/wasm/WasmCompilationMode.cpp trunk/Source/_javascript_Core/wasm/WasmCompilationMode.h trunk/Source/_javascript_Core/wasm/WasmOperations.cpp trunk/Source/_javascript_Core/wasm/WasmPlan.cpp trunk/Source/_javascript_Core/wasm/WasmSlowPaths.cpp Added Paths trunk/Source/_javascript_Core/wasm/WasmOSREntryPlan.cpp trunk/Source/_javascript_Core/wasm/WasmOSREntryPlan.h Removed Paths trunk/Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.cpp trunk/Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.h Diff Modified: trunk/JSTests/ChangeLog (287378 => 287379) --- trunk/JSTests/ChangeLog 2021-12-23 00:49:44 UTC (rev 287378) +++ trunk/JSTests/ChangeLog 2021-12-23 01:12:14 UTC (rev 287379) 
@@ -1,3 +1,12 @@ +2021-12-22 Saam Barati + +LLInt should loop OSR into BBQ and BBQ should loop OSR into OMG +https://bugs.webkit.org/show_bug.cgi?id=234542 + +Reviewed by Yusuke Suzuki. + +* wasm/wast-tests/harness.js: + 2021-12-19 Ross Kirsling [JSC] OpPow should have a "small int exponent" fast path at lower tiers Modified: trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js (287378 => 287379) --- trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js 2021-12-23 00:49:44 UTC (rev 287378) +++ trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js 2021-12-23 01:12:14 UTC (rev 287379) @@ -1,2 +1,2 @@ -setUnhandledRejectionCallback(callerIsOMGCompiled); +setUnhandledRejectionCallback(callerIsBBQOrOMGCompiled); Promise.reject(); Modified: trunk/JSTests/wasm/wast-tests/harness.js (287378 => 287379) --- trunk/JSTests/wasm/wast-tests/harness.js 2021-12-23 00:49:44 UTC (rev 287378) +++ trunk/JSTests/wasm/wast-tests/harness.js 2021-12-23 01:12:14 UTC (rev 287379) @@ -4,6 +4,7 @@ }; globalThis.__linear_memory = new WebAssembly.Memory({ initial: 1 }); +globalThis.callerIsOMGCompiled = callerIsBBQOrOMGCompiled; // Can't change the .wast easily... async function runWasmFile(filePath) { let blob = readFile(filePath, "binary"); Modified: trunk/Source/_javascript_Core/ChangeLog (287378 => 287379) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-23 00:49:44 UTC (rev 287378) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-23 01:12:14 UTC (rev 287379) @@ -1,3 +1,52 @@ +2021-12-22 Saam Barati + +LLInt should loop OSR into BBQ and BBQ should loop OSR into OMG +
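Review bot: the harness.js hunk aliases globalThis.callerIsOMGCompiled to callerIsBBQOrOMGCompiled, so any .wast test that previously asserted it had reached OMG now passes as soon as BBQ is entered; the comment explains why the .wast files are not edited, but this silently weakens those tests, and a follow-up to rename the .wast calls or add a strict OMG variant would keep that coverage honest. The callerIsOMGCompiled-should-be-robust.js rename is consistent with the alias.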
[webkit-changes] [287218] trunk/Source/JavaScriptCore
Title: [287218] trunk/Source/_javascript_Core Revision 287218 Author sbar...@apple.com Date 2021-12-17 19:35:22 -0800 (Fri, 17 Dec 2021) Log Message Use IRC by default on arm64 https://bugs.webkit.org/show_bug.cgi?id=234449 Reviewed by Yusuke Suzuki. I'm seeing a Wasm perf improvement on some benchmarks of ~12% by switching from Briggs to IRC. Let's make IRC the default on arm64. * b3/air/AirAllocateRegistersByGraphColoring.cpp: * b3/air/AirAllocateRegistersByGraphColoring.h: (JSC::B3::Air::useIRC): Deleted. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (287217 => 287218) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-18 03:06:39 UTC (rev 287217) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-18 03:35:22 UTC (rev 287218) @@ -1,5 +1,19 @@ 2021-12-17 Saam Barati +Use IRC by default on arm64 +https://bugs.webkit.org/show_bug.cgi?id=234449 + +Reviewed by Yusuke Suzuki. + +I'm seeing a Wasm perf improvement on some benchmarks of ~12% by switching +from Briggs to IRC. Let's make IRC the default on arm64. + +* b3/air/AirAllocateRegistersByGraphColoring.cpp: +* b3/air/AirAllocateRegistersByGraphColoring.h: +(JSC::B3::Air::useIRC): Deleted. + +2021-12-17 Saam Barati + Support WasmAddress in B3 CSE https://bugs.webkit.org/show_bug.cgi?id=234051 Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp (287217 => 287218) --- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp 2021-12-18 03:06:39 UTC (rev 287217) +++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp 2021-12-18 03:35:22 UTC (rev 287218) 
@@ -1815,6 +1815,10 @@ return false; }; +auto useIRC = [] { +return Options::airForceIRCAllocator() || !Options::airForceBriggsAllocator(); +}; + if (m_code.numTmps(bank) < WTF::maxSizeForSmallInterferenceGraph) { if (useIRC()) { ColoringAllocator allocator(m_code, m_tmpWidth, m_useCounts, unspillableTmps); Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.h (287217 => 287218) --- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.h 2021-12-18 03:06:39 UTC (rev 287217) +++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.h 2021-12-18 03:35:22 UTC (rev 287218) @@ -34,12 +34,6 @@ class Code; -inline bool useIRC() -{ -return Options::airForceIRCAllocator() -|| (!isARM64() && !Options::airForceBriggsAllocator()); -} - // We have two register allocators, both fundamentally derived from Chaitin's Yorktown // allocator: // http://cs.gmu.edu/~white/CS640/p98-chaitin.pdf
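Review bot: the new useIRC lambda in AirAllocateRegistersByGraphColoring.cpp returns true whenever Options::airForceIRCAllocator() is set, even if Options::airForceBriggsAllocator() is set as well, so IRC wins silently when both options are forced; the removed inline useIRC() in the header had the same precedence, but now that the decision is local to this function an ASSERT or a comment on the precedence would help anyone flipping both options. Dropping the `!isARM64()` term is the entire behaviour change, as the ChangeLog states, so the header removal is otherwise a no-op for non-arm64 builds.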
[webkit-changes] [287203] trunk/Source/JavaScriptCore
Title: [287203] trunk/Source/_javascript_Core Revision 287203 Author sbar...@apple.com Date 2021-12-17 13:05:42 -0800 (Fri, 17 Dec 2021) Log Message Support WasmAddress in B3 CSE https://bugs.webkit.org/show_bug.cgi?id=234051 Reviewed by Filip Pizlo and Yusuke Suzuki. This patch adds support in B3's CSE phase to handle WasmAddressValue computations. The reason this can't partake in pure CSE is that WasmAddressValue reads pinned. To support this, we keep track of which blocks write pinned. If we're trying to replace a value V2 with V1 because it appears there is a redundancy, we check if any paths from V1 to V2 write pinned. If none do, we proceed with the replacement. * b3/B3EliminateCommonSubexpressions.cpp: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/B3EliminateCommonSubexpressions.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (287202 => 287203) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-17 20:55:28 UTC (rev 287202) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-17 21:05:42 UTC (rev 287203) 
@@ -1,3 +1,19 @@ +2021-12-17 Saam Barati + +Support WasmAddress in B3 CSE +https://bugs.webkit.org/show_bug.cgi?id=234051 + + +Reviewed by Filip Pizlo and Yusuke Suzuki. + +This patch adds support in B3's CSE phase to handle WasmAddressValue computations. +The reason this can't partake in pure CSE is that WasmAddressValue reads pinned. +To support this, we keep track of which blocks write pinned. If we're trying to +replace a value V2 with V1 because it appears there is a redundancy, we check if +any paths from V1 to V2 write pinned. If none do, we proceed with the replacement. + +* b3/B3EliminateCommonSubexpressions.cpp: + 2021-12-17 Zan Dobersek [RISCV64] Implement linking and patching support in RISCV64Assembler Modified: trunk/Source/_javascript_Core/b3/B3EliminateCommonSubexpressions.cpp (287202 => 287203) --- trunk/Source/_javascript_Core/b3/B3EliminateCommonSubexpressions.cpp 2021-12-17 20:55:28 UTC (rev 287202) +++ trunk/Source/_javascript_Core/b3/B3EliminateCommonSubexpressions.cpp 2021-12-17 21:05:42 UTC (rev 287203) @@ -42,6 +42,7 @@ #include #include #include +#include namespace JSC { namespace B3 { @@ -144,10 +145,14 @@ RangeSet reads; // This only gets used for forward store elimination. RangeSet writes; // This gets used for both load and store elimination. -bool fence; +bool fence { false }; +bool writesPinned { false }; MemoryValueMap storesAtHead; MemoryValueMap memoryValuesAtTail; + +// This Maps x->y in "y = WasmAddress(@x)" +HashMap m_candidateWasmAddressesAtTail; }; class CSE { @@ -188,6 +193,14 @@ if (memory) data.memoryValuesAtTail.add(memory); + +if (WasmAddressValue* wasmAddress = value->as()) +data.m_candidateWasmAddressesAtTail.add(wasmAddress->child(0), wasmAddress); + +if (effects.writesPinned) { +data.writesPinned = true; +data.m_candidateWasmAddressesAtTail.clear(); +} } if (B3EliminateCommonSubexpressionsInternal::verbose) 
@@ -237,15 +250,28 @@ if (m_pureCSE.process(m_value, m_dominators)) { ASSERT(!m_value->effects().writes); +ASSERT(!m_value->effects().writesPinned); m_changed = true; return; } +if (WasmAddressValue* wasmAddress = m_value->as()) { +processWasmAddressValue(wasmAddress); +return; +} + +Effects effects = m_value->effects(); + +if (effects.writesPinned) { +m_data.writesPinned = true; +m_data.m_candidateWasmAddressesAtTail.clear(); +} + MemoryValue* memory = m_value->as(); if (memory && processMemoryBeforeClobber(memory)) return; -if (HeapRange writes = m_value->effects().writes) +if (HeapRange writes = effects.writes) clobber(m_data, writes); if (memory) @@ -694,6 +720,59 @@ return matches; } +void processWasmAddressValue(WasmAddressValue* wasmAddress) +{ +Value* ptr = wasmAddress->child(0); + +if (Value* replacement = m_data.m_candidateWasmAddressesAtTail.get(ptr)) { +wasmAddress->replaceWithIdentity(replacement); +m_changed = true; +return; +} + +auto addPtrOnScopeExit = makeScopeExit([&] { +m_data.m_candidateWasmAddressesAtTail.add(ptr, wasmAddress); +}); + +if (m_data.writesPinned) { +// Someone before us in this block wrote to pinned. So we have no +// hope of finding a match if the above search failed. +return; +} + +Value*
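Review bot: the new `m_candidateWasmAddressesAtTail` member added to the per-block data struct in the `@@ -144,10 +145,14 @@` hunk carries an `m_` prefix while every sibling in that struct (`reads`, `writes`, `fence`, `writesPinned`, `storesAtHead`, `memoryValuesAtTail`) does not; drop the prefix so the struct stays consistent. The comment above it, `// This Maps x->y in "y = WasmAddress(@x)"`, would read better as `// Maps x to y for "y = WasmAddress(@x)"`.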
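Review bot: in the `processWasmAddressValue` hunk (`@@ -694,6 +720,59 @@`) the `makeScopeExit` guard records `wasmAddress` as the tail candidate for `ptr` on every non-replacing path, including the early `return` taken when `m_data.writesPinned` is already set. That is correct only because the `effects.writesPinned` branch in `CSE::process` clears the tail map at the point of the pinned write, so anything recorded afterwards is still valid for later values in the same block; the adjacent comment `// Someone before us in this block wrote to pinned` reads as if the value should not be recorded at all. Add a sentence next to `makeScopeExit` stating that invariant so the two paths are not mistaken for a leak of stale candidates.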
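The commit message describes the rule in one sentence: a later WasmAddress(@x) may reuse an earlier one only if no path between them writes pinned, and within a block the candidate map is cleared at each pinned write. The following is an added model of that rule written for this page, not JavaScriptCore code; the block and op shapes (`{ succs, ops }`, ops being `{ wasmAddress: 'p' }` or `'writePinned'`) and the reachability-based dominance test are assumptions made for the illustration.

```javascript
// Added model, not JavaScriptCore code: the cross-block legality check the
// commit message describes for reusing an earlier WasmAddress(@ptr).
// Assumed shapes: cfg = { blockName: { succs: [...], ops: [...] } }, where an
// op is either { wasmAddress: 'ptr' } or the string 'writePinned'.

function predecessors(cfg) {
  const preds = Object.fromEntries(Object.keys(cfg).map((n) => [n, []]));
  for (const [name, block] of Object.entries(cfg))
    for (const s of block.succs) preds[s].push(name);
  return preds;
}

// Mirrors the per-block tail map: pointers whose WasmAddress is still valid at
// the block's end, i.e. computed after the last pinned write in that block.
function candidatesAtTail(block) {
  const tail = new Set();
  for (const op of block.ops) {
    if (op === 'writePinned') tail.clear();
    else tail.add(op.wasmAddress);
  }
  return tail;
}

// `a` dominates `b` iff `b` becomes unreachable from `entry` once `a` is removed.
function dominates(cfg, entry, a, b) {
  if (a === b) return true;
  const seen = new Set([a]);
  const work = [entry];
  while (work.length) {
    const n = work.pop();
    if (n === b) return false;
    if (seen.has(n)) continue;
    seen.add(n);
    work.push(...cfg[n].succs);
  }
  return true;
}

// Does any path from `from` to `to` cross a block that writes pinned? Walk
// backwards from `to`'s predecessors and never step past `from`. A loop that
// re-enters `to` revisits it here, which is right: on that path the whole
// block executes, not just the part before the use.
function pinnedWriteBetween(cfg, preds, from, to) {
  const seen = new Set();
  const work = [...preds[to]];
  while (work.length) {
    const n = work.pop();
    if (n === from || seen.has(n)) continue;
    seen.add(n);
    if (cfg[n].ops.includes('writePinned')) return true;
    work.push(...preds[n]);
  }
  return false;
}

// For a new WasmAddress(@ptr) in `useBlock`, return the dominating block whose
// tail candidate may replace it, or null. `pinnedWrittenBeforeUse` plays the
// role of the per-block writesPinned flag: once set, nothing earlier is usable.
function findWasmAddressReplacement(cfg, entry, useBlock, ptr, pinnedWrittenBeforeUse) {
  if (pinnedWrittenBeforeUse) return null;
  const preds = predecessors(cfg);
  for (const d of Object.keys(cfg)) {
    if (d === useBlock || !dominates(cfg, entry, d, useBlock)) continue;
    if (!candidatesAtTail(cfg[d]).has(ptr)) continue;
    if (pinnedWriteBetween(cfg, preds, d, useBlock)) continue;
    return d;
  }
  return null;
}

// Constructed CFG: entry computes WasmAddress(@p); only the right arm writes pinned.
const DIAMOND = {
  entry: { succs: ['left', 'right'], ops: [{ wasmAddress: 'p' }] },
  left:  { succs: ['join'], ops: [] },
  right: { succs: ['join'], ops: ['writePinned'] },
  join:  { succs: [], ops: [] },
};

// 'left' may reuse entry's value; 'join' may not, because the right arm lies on
// one of the paths from entry to join.
findWasmAddressReplacement(DIAMOND, 'entry', 'left', 'p', false);
findWasmAddressReplacement(DIAMOND, 'entry', 'join', 'p', false);
```

The search is intentionally the simple one: it looks at whole blocks, so a pinned write anywhere in an intermediate block blocks the reuse even when the write sits after that block's last WasmAddress. That is conservative in the same direction as the per-block `writesPinned` summary in the patch.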
[webkit-changes] [287160] trunk/Source/JavaScriptCore
Title: [287160] trunk/Source/_javascript_Core Revision 287160 Author sbar...@apple.com Date 2021-12-16 15:30:22 -0800 (Thu, 16 Dec 2021) Log Message Use arm64's fmax/fmin instructions in Wasm https://bugs.webkit.org/show_bug.cgi?id=234367 Reviewed by Keith Miller. This patch adds support in B3 for FMax and FMin. We use this for Wasm's f32/64 min/max operations. On arm64, we select the arm64 fmin/fmax instructions for these B3 opcodes. On x86, we lower these to control flow to calculate the result inside of lower macros. This speeds up Wasm programs that make heavy usage of min/max. * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::floatMax): (JSC::MacroAssemblerARM64::floatMin): (JSC::MacroAssemblerARM64::doubleMax): (JSC::MacroAssemblerARM64::doubleMin): * b3/B3Common.h: (JSC::B3::fMax): (JSC::B3::fMin): * b3/B3ConstDoubleValue.cpp: (JSC::B3::ConstDoubleValue::fMinConstant const): (JSC::B3::ConstDoubleValue::fMaxConstant const): * b3/B3ConstDoubleValue.h: * b3/B3ConstFloatValue.cpp: (JSC::B3::ConstFloatValue::fMinConstant const): (JSC::B3::ConstFloatValue::fMaxConstant const): * b3/B3ConstFloatValue.h: * b3/B3LowerMacros.cpp: * b3/B3LowerToAir.cpp: * b3/B3Opcode.cpp: (WTF::printInternal): * b3/B3Opcode.h: * b3/B3ReduceStrength.cpp: * b3/B3Validate.cpp: * b3/B3Value.cpp: (JSC::B3::Value::fMinConstant const): (JSC::B3::Value::fMaxConstant const): (JSC::B3::Value::effects const): (JSC::B3::Value::key const): (JSC::B3::Value::typeFor): * b3/B3Value.h: * b3/B3ValueInlines.h: * b3/B3ValueKey.cpp: (JSC::B3::ValueKey::materialize const): * b3/air/AirOpcode.opcodes: * b3/testb3.h: * b3/testb3_1.cpp: (run): * b3/testb3_7.cpp: (testFMaxMin): (testFloatMaxMin): (testDoubleMaxMin): * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax): (JSC::Wasm::AirIRGenerator::addOp): * wasm/wasm.json: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.h 
trunk/Source/_javascript_Core/b3/B3Common.h trunk/Source/_javascript_Core/b3/B3ConstDoubleValue.cpp trunk/Source/_javascript_Core/b3/B3ConstDoubleValue.h trunk/Source/_javascript_Core/b3/B3ConstFloatValue.cpp trunk/Source/_javascript_Core/b3/B3ConstFloatValue.h trunk/Source/_javascript_Core/b3/B3LowerMacros.cpp trunk/Source/_javascript_Core/b3/B3LowerToAir.cpp trunk/Source/_javascript_Core/b3/B3Opcode.cpp trunk/Source/_javascript_Core/b3/B3Opcode.h trunk/Source/_javascript_Core/b3/B3ReduceStrength.cpp trunk/Source/_javascript_Core/b3/B3Validate.cpp trunk/Source/_javascript_Core/b3/B3Value.cpp trunk/Source/_javascript_Core/b3/B3Value.h trunk/Source/_javascript_Core/b3/B3ValueInlines.h trunk/Source/_javascript_Core/b3/B3ValueKey.cpp trunk/Source/_javascript_Core/b3/air/AirOpcode.opcodes trunk/Source/_javascript_Core/b3/testb3.h trunk/Source/_javascript_Core/b3/testb3_1.cpp trunk/Source/_javascript_Core/b3/testb3_7.cpp trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp trunk/Source/_javascript_Core/wasm/wasm.json Diff Modified: trunk/Source/_javascript_Core/ChangeLog (287159 => 287160) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-16 22:37:47 UTC (rev 287159) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-16 23:30:22 UTC (rev 287160) 
@@ -1,3 +1,63 @@ +2021-12-16 Saam Barati + +Use arm64's fmax/fmin instructions in Wasm +https://bugs.webkit.org/show_bug.cgi?id=234367 + +Reviewed by Keith Miller. + +This patch adds support in B3 for FMax and FMin. We use this for Wasm's f32/64 +min/max operations. On arm64, we select the arm64 fmin/fmax instructions +for these B3 opcodes. On x86, we lower these to control flow to calculate the +result inside of lower macros. + +This speeds up Wasm programs that make heavy usage of min/max. + +* assembler/MacroAssemblerARM64.h: +(JSC::MacroAssemblerARM64::floatMax): +(JSC::MacroAssemblerARM64::floatMin): +(JSC::MacroAssemblerARM64::doubleMax): +(JSC::MacroAssemblerARM64::doubleMin): +* b3/B3Common.h: +(JSC::B3::fMax): +(JSC::B3::fMin): +* b3/B3ConstDoubleValue.cpp: +(JSC::B3::ConstDoubleValue::fMinConstant const): +(JSC::B3::ConstDoubleValue::fMaxConstant const): +* b3/B3ConstDoubleValue.h: +* b3/B3ConstFloatValue.cpp: +(JSC::B3::ConstFloatValue::fMinConstant const): +(JSC::B3::ConstFloatValue::fMaxConstant const): +* b3/B3ConstFloatValue.h: +* b3/B3LowerMacros.cpp: +* b3/B3LowerToAir.cpp: +* b3/B3Opcode.cpp: +(WTF::printInternal): +* b3/B3Opcode.h: +* b3/B3ReduceStrength.cpp: +* b3/B3Validate.cpp: +* b3/B3Value.cpp: +(JSC::B3::Value::fMinConstant const): +(JSC::B3::Value::fMaxConstant const): +(JSC::B3::Value::effects const): +(JSC::B3::Value::key const): +(JSC::B3::Value::typeFor): +* b3/B3Value.h:
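Review bot: the ChangeLog entry in this hunk says the x86 path lowers FMin/FMax "to control flow" but does not say which semantics that control flow implements. Wasm's f32/f64 min and max return NaN when either operand is NaN and order -0 below +0, and the arm64 fmin/fmax selection and the lowered x86 sequence have to agree on exactly those inputs for the two backends to produce the same results; state that in the description and say whether testFMaxMin/testFloatMaxMin/testDoubleMaxMin cover NaN and signed zero.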
[webkit-changes] [287012] trunk/Source/JavaScriptCore
Title: [287012] trunk/Source/_javascript_Core Revision 287012 Author sbar...@apple.com Date 2021-12-13 23:07:39 -0800 (Mon, 13 Dec 2021) Log Message WasmB3IRGenerator should estimate static execution counts https://bugs.webkit.org/show_bug.cgi?id=234284 Reviewed by Filip Pizlo. This enables the register allocator to make better decisions. * _javascript_Core.xcodeproj/project.pbxproj: * Sources.txt: * b3/B3BasicBlock.h: (JSC::B3::BasicBlock::setFrequency): * b3/B3EstimateStaticExecutionCounts.cpp: Added. (JSC::B3::estimateStaticExecutionCounts): * b3/B3EstimateStaticExecutionCounts.h: Added. * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::parseAndCompile): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/b3/B3BasicBlock.h trunk/Source/_javascript_Core/b3/B3Procedure.h trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp Added Paths trunk/Source/_javascript_Core/b3/B3EstimateStaticExecutionCounts.cpp trunk/Source/_javascript_Core/b3/B3EstimateStaticExecutionCounts.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (287011 => 287012) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-14 04:55:38 UTC (rev 287011) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-14 07:07:39 UTC (rev 287012) 
@@ -1,3 +1,22 @@ +2021-12-13 Saam Barati + +WasmB3IRGenerator should estimate static execution counts +https://bugs.webkit.org/show_bug.cgi?id=234284 + +Reviewed by Filip Pizlo. + +This enables the register allocator to make better decisions. + +* _javascript_Core.xcodeproj/project.pbxproj: +* Sources.txt: +* b3/B3BasicBlock.h: +(JSC::B3::BasicBlock::setFrequency): +* b3/B3EstimateStaticExecutionCounts.cpp: Added. +(JSC::B3::estimateStaticExecutionCounts): +* b3/B3EstimateStaticExecutionCounts.h: Added. +* wasm/WasmB3IRGenerator.cpp: +(JSC::Wasm::parseAndCompile): + 2021-12-13 Brady Eidson Teach webpushtool to register and "host" the daemon. Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (287011 => 287012) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2021-12-14 04:55:38 UTC (rev 287011) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2021-12-14 07:07:39 UTC (rev 287012) 
@@ -906,6 +906,8 @@ 52CD0F5E2242F569004A18A5 /* _javascript_Core.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 932F5BD90822A1C700736975 /* _javascript_Core.framework */; }; 52CD0F682242F71C004A18A5 /* testdfg.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 52CD0F672242F71C004A18A5 /* testdfg.cpp */; }; 52DD000826E039B90054E408 /* BaselineJITCode.h in Headers */ = {isa = PBXBuildFile; fileRef = 52DD000626E039B30054E408 /* BaselineJITCode.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 52E65A1C27682760002B4C0A /* B3EstimateStaticExecutionCounts.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 52E65A1A27682760002B4C0A /* B3EstimateStaticExecutionCounts.cpp */; }; + 52E65A1E27682771002B4C0A /* B3EstimateStaticExecutionCounts.h in Headers */ = {isa = PBXBuildFile; fileRef = 52E65A1B27682760002B4C0A /* B3EstimateStaticExecutionCounts.h */; }; 52EED7942492B870008F4C93 /* FunctionAllowlist.h in Headers */ = {isa = PBXBuildFile; fileRef = 52EED7932492B868008F4C93 /* FunctionAllowlist.h */; }; 52F6C35E1E71EB080081F4CC /* WebAssemblyWrapperFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 52F6C35C1E71EB080081F4CC /* WebAssemblyWrapperFunction.h */; }; 530A66B91FA3E78B0026A545 /* UnifiedSource3-mm.mm in Sources */ = {isa = PBXBuildFile; fileRef = 530A66B11FA3E77A0026A545 /* UnifiedSource3-mm.mm */; }; 
@@ -3717,6 +3719,8 @@ 52D1308F221CE03A009C836C /* foo.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode._javascript_; path = foo.js; sourceTree = ""; }; 52DD000626E039B30054E408 /* BaselineJITCode.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = BaselineJITCode.h; sourceTree = ""; }; 52DD000726E039B40054E408 /* BaselineJITCode.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = BaselineJITCode.cpp; sourceTree = ""; }; + 52E65A1A27682760002B4C0A /* B3EstimateStaticExecutionCounts.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = B3EstimateStaticExecutionCounts.cpp; path = b3/B3EstimateStaticExecutionCounts.cpp; sourceTree = ""; }; + 52E65A1B27682760002B4C0A /* B3EstimateStaticExecutionCounts.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3EstimateStaticExecutionCounts.h; path = b3/B3EstimateStaticExecutionCounts.h; sourceTree = ""; }; 52EED7922492B868008F4C93 /* FunctionAllowlist.cpp */ = {isa = PBXFileReference; lastKnownFileType =
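Review bot: the ChangeLog file list in the `@@ -1,3 +1,22 @@` hunk omits b3/B3Procedure.h, which appears under Modified Paths; add an entry for it and say what changed there, since the description only accounts for BasicBlock::setFrequency, the new phase files and the WasmB3IRGenerator call site.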
[webkit-changes] [286920] trunk/Source/JavaScriptCore
Title: [286920] trunk/Source/_javascript_Core Revision 286920 Author sbar...@apple.com Date 2021-12-11 16:39:57 -0800 (Sat, 11 Dec 2021) Log Message Teach the sampling profiler how to display origin data for B3 Wasm https://bugs.webkit.org/show_bug.cgi?id=234097 Reviewed by Yusuke Suzuki. This teaches the SamplingProfiler how to gather origin data for Wasm. We reuse the PCToCodeOriginMap from JS, and store the wasm function offset data inside of CodeOrigin's BytecodeIndex. For now, this patch is only doing this for B3, because the Air backend doesn't currently generate filled in OpcodeOrigin data. We'll fix that in: https://bugs.webkit.org/show_bug.cgi?id=234182 Also, this capability isn't yet supported in Web Inspector. We'll want to do that in a future change as we improve Web Inspector's ability to debug Wasm code. When that time comes, we'll have to generate the PCToCodeOriginMap based on debugging info, and not just 'useSamplingProfiler' JSC option. The data now shows up like this for hottest bytecodes: Hottest bytecodes as 524'.wasm-function[2373]:OMG:0x21a' 414'.wasm-function[2363]:OMG:0x1ae' 395'.wasm-function[2373]:OMG:0x418' 354'.wasm-function[2373]:OMG:0x34f' 270'.wasm-function[2373]:OMG:0x352' 256'.wasm-function[2363]:OMG:0x152' * ftl/FTLCompile.cpp: (JSC::FTL::compile): * jit/PCToCodeOriginMap.cpp: (JSC::PCToCodeOriginMapBuilder::PCToCodeOriginMapBuilder): * jit/PCToCodeOriginMap.h: * runtime/SamplingProfiler.cpp: (JSC::FrameWalker::recordJITFrame): (JSC::SamplingProfiler::processUnverifiedStackTraces): (JSC::SamplingProfiler::reportTopBytecodes): * runtime/SamplingProfiler.h: * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::origin): (JSC::Wasm::parseAndCompileAir): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::parseAndCompile): (JSC::Wasm::computePCToCodeOriginMap): * wasm/WasmB3IRGenerator.h: (): Deleted. 
* wasm/WasmBBQPlan.cpp: (JSC::Wasm::BBQPlan::work): (JSC::Wasm::BBQPlan::didCompleteCompilation): (JSC::Wasm::BBQPlan::initializeCallees): * wasm/WasmCalleeRegistry.h: (JSC::Wasm::CalleeRegistry::unregisterCallee): (JSC::Wasm::CalleeRegistry::addPCToCodeOriginMap): (JSC::Wasm::CalleeRegistry::WTF_REQUIRES_LOCK): * wasm/WasmOMGPlan.cpp: (JSC::Wasm::OMGPlan::work): * wasm/WasmOpcodeOrigin.h: (JSC::Wasm::OpcodeOrigin::OpcodeOrigin): Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLCompile.cpp trunk/Source/_javascript_Core/jit/PCToCodeOriginMap.cpp trunk/Source/_javascript_Core/jit/PCToCodeOriginMap.h trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp trunk/Source/_javascript_Core/runtime/SamplingProfiler.h trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.h trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp trunk/Source/_javascript_Core/wasm/WasmOpcodeOrigin.h Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (286919 => 286920) --- trunk/Source/_javascript_Core/CMakeLists.txt 2021-12-12 00:38:08 UTC (rev 286919) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2021-12-12 00:39:57 UTC (rev 286920) @@ -878,6 +878,7 @@ jit/JITOperations.h jit/JITStubRoutine.h jit/JITThunks.h +jit/PCToCodeOriginMap.h jit/PolymorphicCallStubRoutine.h jit/Reg.h jit/RegisterAtOffset.h Modified: trunk/Source/_javascript_Core/ChangeLog (286919 => 286920) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-12 00:38:08 UTC (rev 286919) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-12 00:39:57 UTC (rev 286920) 
@@ -1,3 +1,66 @@ +2021-12-11 Saam Barati + +Teach the sampling profiler how to display origin data for B3 Wasm +https://bugs.webkit.org/show_bug.cgi?id=234097 + +Reviewed by Yusuke Suzuki. + +This teaches the SamplingProfiler how to gather origin data for +Wasm. We reuse the PCToCodeOriginMap from JS, and store the wasm +function offset data inside of CodeOrigin's BytecodeIndex. + +For now, this patch is only doing this for B3, because the Air backend +doesn't currently generate filled in OpcodeOrigin data. We'll fix that +in: https://bugs.webkit.org/show_bug.cgi?id=234182 + +Also, this capability isn't yet supported in Web Inspector. We'll want +to do that in a future change as we improve Web Inspector's ability to +debug Wasm code. When that time comes, we'll have to generate the +PCToCodeOriginMap based on debugging info, and not just 'useSamplingProfiler' +JSC option. + +The data now shows up like this for hottest bytecodes: + +Hottest bytecodes as + 524'.wasm-function[2373]:OMG:0x21a' +
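Review bot: the CMakeLists.txt hunk (`@@ -878,6 +878,7 @@`) adds jit/PCToCodeOriginMap.h to the exported header list, but the ChangeLog entry's file list does not mention CMakeLists.txt at all; add it, with a word on why the header now has to be installed, so the CMake-based ports know the change is intentional rather than incidental.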
[webkit-changes] [286802] trunk/Source/JavaScriptCore
Title: [286802] trunk/Source/_javascript_Core Revision 286802 Author sbar...@apple.com Date 2021-12-09 13:49:45 -0800 (Thu, 09 Dec 2021) Log Message Procedure::setNeedsPCToOriginMap should call Code::forcePreservationOfB3Origins https://bugs.webkit.org/show_bug.cgi?id=234093 Reviewed by Yusuke Suzuki. We need to do this to ensure the sampling profiler works in FTL. The reason this was sometimes working was Air::Code's constructor was looking at Procedure's m_needsPCToOriginMap before it was initialized, in its constructor. This is because Procedure was constructing Code before all its fields were initialized. This patch fixes that bug to construct Code after Procedure has all its fields initialized. * b3/B3Procedure.cpp: (JSC::B3::Procedure::Procedure): (JSC::B3::Procedure::setNeedsPCToOriginMap): * b3/B3Procedure.h: (JSC::B3::Procedure::setNeedsPCToOriginMap): Deleted. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/B3Procedure.cpp trunk/Source/_javascript_Core/b3/B3Procedure.h trunk/Source/_javascript_Core/b3/air/AirCode.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (286801 => 286802) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-09 21:28:22 UTC (rev 286801) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-09 21:49:45 UTC (rev 286802) 
@@ -1,5 +1,25 @@ 2021-12-09 Saam Barati +Procedure::setNeedsPCToOriginMap should call Code::forcePreservationOfB3Origins +https://bugs.webkit.org/show_bug.cgi?id=234093 + +Reviewed by Yusuke Suzuki. + +We need to do this to ensure the sampling profiler works in FTL. +The reason this was sometimes working was Air::Code's constructor +was looking at Procedure's m_needsPCToOriginMap before it was initialized, +in its constructor. This is because Procedure was constructing Code +before all its fields were initialized. This patch fixes that bug to +construct Code after Procedure has all its fields initialized. + +* b3/B3Procedure.cpp: +(JSC::B3::Procedure::Procedure): +(JSC::B3::Procedure::setNeedsPCToOriginMap): +* b3/B3Procedure.h: +(JSC::B3::Procedure::setNeedsPCToOriginMap): Deleted. + +2021-12-09 Saam Barati + Add an option to dump the B3 IR for an allowlist of Wasm function indices https://bugs.webkit.org/show_bug.cgi?id=234028 Modified: trunk/Source/_javascript_Core/b3/B3Procedure.cpp (286801 => 286802) --- trunk/Source/_javascript_Core/b3/B3Procedure.cpp 2021-12-09 21:28:22 UTC (rev 286801) +++ trunk/Source/_javascript_Core/b3/B3Procedure.cpp 2021-12-09 21:49:45 UTC (rev 286802) @@ -48,8 +48,10 @@ : m_cfg(new CFG(*this)) , m_lastPhaseName("initial") , m_byproducts(makeUnique()) -, m_code(new Air::Code(*this)) { +// Initialize all our fields before constructing Air::Code since +// it looks into our fields. +m_code = std::unique_ptr(new Air::Code(*this)); m_code->setNumEntrypoints(m_numEntrypoints); } 
@@ -486,6 +488,12 @@ m_code->forcePreservationOfB3Origins(); } +void Procedure::setNeedsPCToOriginMap() +{ +m_needsPCToOriginMap = true; +m_code->forcePreservationOfB3Origins(); +} + } } // namespace JSC::B3 #endif // ENABLE(B3_JIT) Modified: trunk/Source/_javascript_Core/b3/B3Procedure.h (286801 => 286802) --- trunk/Source/_javascript_Core/b3/B3Procedure.h 2021-12-09 21:28:22 UTC (rev 286801) +++ trunk/Source/_javascript_Core/b3/B3Procedure.h 2021-12-09 21:49:45 UTC (rev 286802) @@ -275,7 +275,7 @@ JS_EXPORT_PRIVATE RegisterSet mutableGPRs(); JS_EXPORT_PRIVATE RegisterSet mutableFPRs(); -void setNeedsPCToOriginMap() { m_needsPCToOriginMap = true; } +void setNeedsPCToOriginMap(); bool needsPCToOriginMap() { return m_needsPCToOriginMap; } JS_EXPORT_PRIVATE void freeUnneededB3ValuesAfterLowering(); Modified: trunk/Source/_javascript_Core/b3/air/AirCode.cpp (286801 => 286802) --- trunk/Source/_javascript_Core/b3/air/AirCode.cpp 2021-12-09 21:28:22 UTC (rev 286801) +++ trunk/Source/_javascript_Core/b3/air/AirCode.cpp 2021-12-09 21:49:45 UTC (rev 286802) @@ -56,7 +56,7 @@ Code::Code(Procedure& proc) : m_proc(proc) , m_cfg(new CFG(*this)) -, m_preserveB3Origins(proc.needsPCToOriginMap() || Options::dumpAirGraphAtEachPhase() || Options::dumpFTLDisassembly()) +, m_preserveB3Origins(Options::dumpAirGraphAtEachPhase() || Options::dumpFTLDisassembly()) , m_lastPhaseName("initial") , m_defaultPrologueGenerator(createSharedTask()) { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
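Review bot: in the Procedure constructor hunk (`@@ -48,8 +48,10 @@` in B3Procedure.cpp) the line `m_code = std::unique_ptr(new Air::Code(*this));` wraps a raw `new` in a unique_ptr while the adjacent initializer `m_byproducts(makeUnique())` already uses makeUnique; use `makeUnique` for m_code too so the two allocations in the same constructor follow the same style.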
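Review bot: with `proc.needsPCToOriginMap()` removed from the `m_preserveB3Origins` initializer in the AirCode.cpp hunk (`@@ -56,7 +56,7 @@`), preservation of B3 origins for the PC-to-origin map now rests entirely on `Procedure::setNeedsPCToOriginMap()` calling `forcePreservationOfB3Origins()`. The header change in B3Procedure.h (`@@ -275,7 +275,7 @@`) should carry a comment saying that this setter is the only supported way to set m_needsPCToOriginMap, otherwise a future direct write to the flag would silently reintroduce the missing-origins behaviour the description fixes.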
[webkit-changes] [286790] trunk/Source/JavaScriptCore
Title: [286790] trunk/Source/_javascript_Core Revision 286790 Author sbar...@apple.com Date 2021-12-09 11:07:58 -0800 (Thu, 09 Dec 2021) Log Message Add an option to dump the B3 IR for an allowlist of Wasm function indices https://bugs.webkit.org/show_bug.cgi?id=234028 Reviewed by Tadeu Zagallo. * b3/B3Common.cpp: (JSC::B3::shouldDumpIR): * b3/B3Common.h: * b3/B3Generate.cpp: (JSC::B3::generateToAir): * b3/B3Procedure.cpp: (JSC::B3::Procedure::dump const): (JSC::B3::Procedure::setShouldDumpIR): * b3/B3Procedure.h: (JSC::B3::Procedure::shouldDumpIR const): * b3/air/AirGenerate.cpp: (JSC::B3::Air::prepareForGeneration): * b3/testb3.h: (shouldBeVerbose): (lowerToAirForTesting): * b3/testb3_6.cpp: (testInterpreter): (testMoveConstants): * b3/testb3_7.cpp: (testReduceStrengthReassociation): * runtime/OptionsList.h: * tools/FunctionAllowlist.cpp: (JSC::FunctionAllowlist::shouldDumpWasmFunction const): * tools/FunctionAllowlist.h: * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::shouldDumpIRFor): (JSC::Wasm::parseAndCompile): * wasm/WasmOMGForOSREntryPlan.cpp: (JSC::Wasm::OMGForOSREntryPlan::work): * wasm/WasmOMGPlan.cpp: (JSC::Wasm::OMGPlan::work): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/B3Common.cpp trunk/Source/_javascript_Core/b3/B3Common.h trunk/Source/_javascript_Core/b3/B3Generate.cpp trunk/Source/_javascript_Core/b3/B3Procedure.cpp trunk/Source/_javascript_Core/b3/B3Procedure.h trunk/Source/_javascript_Core/b3/air/AirGenerate.cpp trunk/Source/_javascript_Core/b3/testb3.h trunk/Source/_javascript_Core/b3/testb3_6.cpp trunk/Source/_javascript_Core/b3/testb3_7.cpp trunk/Source/_javascript_Core/runtime/OptionsList.h trunk/Source/_javascript_Core/tools/FunctionAllowlist.cpp trunk/Source/_javascript_Core/tools/FunctionAllowlist.h trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.cpp trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp Diff Modified: 
trunk/Source/_javascript_Core/ChangeLog (286789 => 286790) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-09 19:01:10 UTC (rev 286789) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-09 19:07:58 UTC (rev 286790) @@ -1,3 +1,42 @@ +2021-12-09 Saam Barati + +Add an option to dump the B3 IR for an allowlist of Wasm function indices +https://bugs.webkit.org/show_bug.cgi?id=234028 + +Reviewed by Tadeu Zagallo. + +* b3/B3Common.cpp: +(JSC::B3::shouldDumpIR): +* b3/B3Common.h: +* b3/B3Generate.cpp: +(JSC::B3::generateToAir): +* b3/B3Procedure.cpp: +(JSC::B3::Procedure::dump const): +(JSC::B3::Procedure::setShouldDumpIR): +* b3/B3Procedure.h: +(JSC::B3::Procedure::shouldDumpIR const): +* b3/air/AirGenerate.cpp: +(JSC::B3::Air::prepareForGeneration): +* b3/testb3.h: +(shouldBeVerbose): +(lowerToAirForTesting): +* b3/testb3_6.cpp: +(testInterpreter): +(testMoveConstants): +* b3/testb3_7.cpp: +(testReduceStrengthReassociation): +* runtime/OptionsList.h: +* tools/FunctionAllowlist.cpp: +(JSC::FunctionAllowlist::shouldDumpWasmFunction const): +* tools/FunctionAllowlist.h: +* wasm/WasmB3IRGenerator.cpp: +(JSC::Wasm::shouldDumpIRFor): +(JSC::Wasm::parseAndCompile): +* wasm/WasmOMGForOSREntryPlan.cpp: +(JSC::Wasm::OMGForOSREntryPlan::work): +* wasm/WasmOMGPlan.cpp: +(JSC::Wasm::OMGPlan::work): + 2021-12-09 Yusuke Suzuki [JSC] Introduce BaselineCallLinkInfo and OptimizingCallLinkInfo to shrink sizeof(BaselineCallLinkInfo) Modified: trunk/Source/_javascript_Core/b3/B3Common.cpp (286789 => 286790) --- trunk/Source/_javascript_Core/b3/B3Common.cpp 2021-12-09 19:01:10 UTC (rev 286789) +++ trunk/Source/_javascript_Core/b3/B3Common.cpp 2021-12-09 19:07:58 UTC (rev 286790) 
@@ -36,8 +36,11 @@ const char* const tierName = "b3 "; -bool shouldDumpIR(B3CompilationMode mode) +bool shouldDumpIR(Procedure& procedure, B3CompilationMode mode) { +if (procedure.shouldDumpIR()) +return true; + #if ENABLE(FTL_JIT) return FTL::verboseCompilationEnabled() || FTL::shouldDumpDisassembly() || shouldDumpIRAtEachPhase(mode); #else Modified: trunk/Source/_javascript_Core/b3/B3Common.h (286789 => 286790) --- trunk/Source/_javascript_Core/b3/B3Common.h 2021-12-09 19:01:10 UTC (rev 286789) +++ trunk/Source/_javascript_Core/b3/B3Common.h 2021-12-09 19:07:58 UTC (rev 286790) @@ -34,6 +34,8 @@ namespace JSC { namespace B3 { +class Procedure; + extern const char* const tierName; enum B3CompilationMode { @@ -41,7 +43,7 @@ AirMode }; -JS_EXPORT_PRIVATE bool shouldDumpIR(B3CompilationMode); +JS_EXPORT_PRIVATE bool shouldDumpIR(Procedure&, B3CompilationMode); bool shouldDumpIRAtEachPhase(B3CompilationMode); bool shouldValidateIR(); bool
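Review bot: the ChangeLog entry (`@@ -1,3 +1,42 @@`) never names the option added to runtime/OptionsList.h or the allowlist format that FunctionAllowlist::shouldDumpWasmFunction reads, so someone who finds this commit cannot use the feature without reading the source; add the option name and one example allowlist line to the description. In the B3Common.cpp hunk (`@@ -36,8 +36,11 @@`) the new `procedure.shouldDumpIR()` check is consulted before the FTL verbose/disassembly options, which is the right order for an opt-in allowlist, but a one-line comment saying the per-procedure flag takes precedence would save the next reader from checking.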
[webkit-changes] [286639] trunk
Title: [286639] trunk Revision 286639 Author sbar...@apple.com Date 2021-12-07 19:59:13 -0800 (Tue, 07 Dec 2021) Log Message TypedArray prototype set should go down the fast path when using non clamped integer types of the same byte size https://bugs.webkit.org/show_bug.cgi?id=233905 Reviewed by Keith Miller. JSTests: * microbenchmarks/typed-array-prototype-set.js: Added. * microbenchmarks/typed-array-prototype-set-order.js: Added. * stress/typed-array-prototype-set.js: Added. Source/_javascript_Core: We can use memmove in this scenario because the bitpattern of the data between the signed and unsigned values will be the same. This patch also fixes a bug where we were looking at the wrong pointer when determining to do a forward or backwards loop in our memmove. We were looking at the vector instead of vector+offset. * runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView::set): LayoutTests: * js/script-tests/typedarray-set-overlapping-elements-of-same-size.js: * js/typedarray-set-overlapping-elements-of-same-size-expected.txt: Modified Paths trunk/JSTests/ChangeLog trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/script-tests/typedarray-set-overlapping-elements-of-same-size.js trunk/LayoutTests/js/typedarray-set-overlapping-elements-of-same-size-expected.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h Added Paths trunk/JSTests/microbenchmarks/typed-array-prototype-set.js trunk/JSTests/stress/typed-array-prototype-set-order.js trunk/JSTests/stress/typed-array-prototype-set.js Diff Modified: trunk/JSTests/ChangeLog (286638 => 286639) --- trunk/JSTests/ChangeLog 2021-12-08 02:49:51 UTC (rev 286638) +++ trunk/JSTests/ChangeLog 2021-12-08 03:59:13 UTC (rev 286639) 
@@ -1,3 +1,14 @@ +2021-12-07 Saam Barati + +TypedArray prototype set should go down the fast path when using non clamped integer types of the same byte size +https://bugs.webkit.org/show_bug.cgi?id=233905 + +Reviewed by Keith Miller. + +* microbenchmarks/typed-array-prototype-set.js: Added. +* microbenchmarks/typed-array-prototype-set-order.js: Added. +* stress/typed-array-prototype-set.js: Added. + 2021-12-02 Yusuke Suzuki [JSC] shell's $.globalObjectFor is not safe for non object cells Added: trunk/JSTests/microbenchmarks/typed-array-prototype-set.js (0 => 286639) --- trunk/JSTests/microbenchmarks/typed-array-prototype-set.js (rev 0) +++ trunk/JSTests/microbenchmarks/typed-array-prototype-set.js 2021-12-08 03:59:13 UTC (rev 286639) @@ -0,0 +1,46 @@ +function test() { +let x = new Int8Array(1); +let y = new Uint8Array(1); +for (let i = 0; i < x.length; ++i) +x[i] = i; +for (let i = 0; i < 500; ++i) +y.set(x); +for (let i = 0; i < 500; ++i) +x.set(y); +} + +function test2() { +let x = new Int16Array(1); +let y = new Uint16Array(1); +for (let i = 0; i < x.length; ++i) +x[i] = i; +for (let i = 0; i < 500; ++i) +y.set(x); +for (let i = 0; i < 500; ++i) +x.set(y); +} + +function test3() { +let x = new Int32Array(1); +let y = new Uint32Array(1); +for (let i = 0; i < x.length; ++i) +x[i] = i; +for (let i = 0; i < 500; ++i) +y.set(x); +for (let i = 0; i < 500; ++i) +x.set(y); +} + +function test4() { +let x = new Uint8ClampedArray(1); +let y = new Int8Array(1); +for (let i = 0; i < x.length; ++i) +x[i] = i; +for (let i = 0; i < 500; ++i) +y.set(x); +} + +test(); +test2(); +test3(); +test4(); Added: trunk/JSTests/stress/typed-array-prototype-set-order.js (0 => 286639) --- trunk/JSTests/stress/typed-array-prototype-set-order.js (rev 0) +++ trunk/JSTests/stress/typed-array-prototype-set-order.js 2021-12-08 03:59:13 UTC (rev 286639) 
@@ -0,0 +1,13 @@ +function assert(b) { +if (!b) +throw new Error; +} + +function foo(n) { +var array = new Uint8ClampedArray(n + 1); +for (var i = 0; i < n; ++i) +array[i] = 42 + i; +array.set(new Int8Array(array.buffer, 0, n), 1); +return array; +} +assert(foo(10).toString() === "42,42,43,44,45,46,47,48,49,50,51"); Added: trunk/JSTests/stress/typed-array-prototype-set.js (0 => 286639) --- trunk/JSTests/stress/typed-array-prototype-set.js (rev 0) +++ trunk/JSTests/stress/typed-array-prototype-set.js 2021-12-08 03:59:13 UTC (rev 286639) @@ -0,0 +1,67 @@ +function assert(b) { +if (!b) +throw new Error; +} + +function test1() { +let x = new Int8Array(1); +let y = new Uint8Array(1); +x[0] = -1; +y.set(x); +assert(y[0] === 255); +} +test1(); + +function test2() { +let x = new Int8Array(1); +let y = new Uint8Array(1); +y[0] = 255; +x.set(y); +assert(x[0] === -1); +} +test2(); + +function test3() { +
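Review bot: the JSTests ChangeLog entry (`@@ -1,3 +1,14 @@`) lists `microbenchmarks/typed-array-prototype-set-order.js: Added`, but the file was added as `stress/typed-array-prototype-set-order.js` according to both Added Paths and the diff header for that file; fix the path in the ChangeLog so the entry matches what was committed.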
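Review bot: in the new microbenchmarks/typed-array-prototype-set.js (`@@ -0,0 +1,46 @@`) every view is created with a single element (`new Int8Array(1)`, `new Uint8Array(1)` and so on), so the 500 `set` calls in each test measure call overhead rather than the memmove path this change introduces; use a length in the thousands so the copy itself dominates, otherwise the benchmark cannot show the speedup the description claims. test4 (Uint8ClampedArray source) is a useful control since clamped types are excluded from the fast path, and a comment saying so would help.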
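The commit message above rests on two facts: between signed and unsigned integer views of the same element size the bit patterns are identical, so a plain memmove is a valid implementation of `set`, and when source and target overlap the copy direction matters. The JSTests files shown check single cases. The following added example, written for this page and not part of the WebKit tests, generalizes both checks: it compares `set` against a byte-level view for every same-size integer pair (and confirms the clamped type does not qualify), compares overlapping copies in both directions against the spec's snapshot-then-write behaviour, and shows the result a naive forward loop produces when the source starts before the destination. Sample data is constructed inline.

```javascript
// Added example, not from the WebKit tests. Checks the two properties the
// fast path relies on, over all same-size integer pairs rather than one case.

const SAME_SIZE_PAIRS = [
  [Int8Array, Uint8Array],
  [Int16Array, Uint16Array],
  [Int32Array, Uint32Array],
  [BigInt64Array, BigUint64Array],
];

// Reference semantics for target.set(source, offset): snapshot the source, then
// write element by element with the target's own conversion. This is what the
// spec prescribes and what any fast path must reproduce.
function referenceSet(target, source, offset) {
  const snapshot = Array.from(source);
  for (let i = 0; i < snapshot.length; i++) target[offset + i] = snapshot[i];
}

// Property 1: set() between same-size integer views leaves the raw bytes
// untouched, so a byte copy is a correct implementation. Returns false when the
// destination type changes the bytes (e.g. Uint8ClampedArray clamps negatives).
function setPreservesBytes(SrcType, DstType, n = 64) {
  const big = SrcType === BigInt64Array || SrcType === BigUint64Array;
  const src = new SrcType(n);
  for (let i = 0; i < n; i++) src[i] = big ? BigInt(-i * 7919) : -i * 7919; // wraps, mixes signs
  const dst = new DstType(n);
  dst.set(src);
  const a = new Uint8Array(src.buffer);
  const b = new Uint8Array(dst.buffer);
  return a.every((byte, i) => byte === b[i]);
}

function seeded(n) {
  const t = new Uint8Array(n);
  for (let i = 0; i < n; i++) t[i] = 42 + i; // constructed sample data
  return t;
}

// Property 2: when source and target share a buffer, set() must equal the
// snapshot reference whether the source lies before or after the destination.
function overlappingSetMatchesReference(n = 16) {
  for (const [srcOff, dstOff] of [[0, 3], [3, 0], [0, 1], [1, 0]]) {
    const len = n - Math.max(srcOff, dstOff);
    const actual = seeded(n);
    actual.set(new Int8Array(actual.buffer, srcOff, len), dstOff);
    const expected = seeded(n);
    referenceSet(expected, new Int8Array(expected.buffer, srcOff, len), dstOff);
    if (actual.some((v, i) => v !== expected[i])) return false;
  }
  return true;
}

// The trap behind the second fix in the commit: a forward element loop reads
// bytes it has already overwritten when the source starts before the target.
function naiveForwardCopy(target, source, offset) {
  for (let i = 0; i < source.length; i++) target[offset + i] = source[i];
}

function naiveForwardCopyDiffersFromReference(n = 8) {
  const a = seeded(n);
  naiveForwardCopy(a, new Uint8Array(a.buffer, 0, n - 1), 1); // smears 42 over the array
  const b = seeded(n);
  referenceSet(b, new Uint8Array(b.buffer, 0, n - 1), 1);     // 42,42,43,44,...
  return a.some((v, i) => v !== b[i]);
}
```

`setPreservesBytes` returns true for every pair in `SAME_SIZE_PAIRS` in both directions and false for `(Int8Array, Uint8ClampedArray)`, which is exactly the boundary the title of the change draws ("non clamped integer types of the same byte size").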
[webkit-changes] [286471] trunk/Source/JavaScriptCore
Title: [286471] trunk/Source/_javascript_Core Revision 286471 Author sbar...@apple.com Date 2021-12-02 18:06:24 -0800 (Thu, 02 Dec 2021) Log Message Lower structureHeapAddressSize on more memory limited ARM64 devices https://bugs.webkit.org/show_bug.cgi?id=233786 Reviewed by Yusuke Suzuki. Some processes using JSC are failing the mmap for the 1GB region. Let's lower the region size to 512MB on lower memory iOS devices. * runtime/JSCConfig.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSCConfig.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (286470 => 286471) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-03 01:42:15 UTC (rev 286470) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-03 02:06:24 UTC (rev 286471) @@ -1,5 +1,18 @@ 2021-12-02 Saam Barati +Lower structureHeapAddressSize on more memory limited ARM64 devices +https://bugs.webkit.org/show_bug.cgi?id=233786 + + +Reviewed by Yusuke Suzuki. + +Some processes using JSC are failing the mmap for the 1GB region. +Let's lower the region size to 512MB on lower memory iOS devices. + +* runtime/JSCConfig.h: + +2021-12-02 Saam Barati + Fix OOM crash in JSValue::toWTFStringForConsole https://bugs.webkit.org/show_bug.cgi?id=233775 Modified: trunk/Source/_javascript_Core/runtime/JSCConfig.h (286470 => 286471) --- trunk/Source/_javascript_Core/runtime/JSCConfig.h 2021-12-03 01:42:15 UTC (rev 286470) +++ trunk/Source/_javascript_Core/runtime/JSCConfig.h 2021-12-03 02:06:24 UTC (rev 286471) @@ -40,7 +40,11 @@ using JITWriteSeparateHeapsFunction = void (*)(off_t, const void*, size_t); #endif +#if PLATFORM(IOS_FAMILY) && CPU(ARM64) && !CPU(ARM64E) +constexpr uintptr_t structureHeapAddressSize = 512 * MB; +#else constexpr uintptr_t structureHeapAddressSize = 1 * GB; +#endif struct Config { static Config& singleton(); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
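Review bot: in the JSCConfig.h hunk (`@@ -40,7 +40,11 @@`) the 512MB region is selected by `PLATFORM(IOS_FAMILY) && CPU(ARM64) && !CPU(ARM64E)`, i.e. by CPU variant, while the description says the target is lower-memory iOS devices. Add a comment above the `#if` saying that non-ARM64E is being used as the proxy for those devices and which processes were failing the 1GB mmap, so the condition is not dropped or widened later without understanding what it stands in for.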
[webkit-changes] [286462] trunk
Title: [286462] trunk Revision 286462 Author sbar...@apple.com Date 2021-12-02 16:12:52 -0800 (Thu, 02 Dec 2021) Log Message Fix OOM crash in JSValue::toWTFStringForConsole https://bugs.webkit.org/show_bug.cgi?id=233775 Reviewed by Mark Lam. JSTests: * stress/pretty-print-oom.js: Added. Source/_javascript_Core: * runtime/JSCJSValue.cpp: (JSC::JSValue::toWTFStringForConsole const): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp Added Paths trunk/JSTests/stress/pretty-print-oom.js Diff Modified: trunk/JSTests/ChangeLog (286461 => 286462) --- trunk/JSTests/ChangeLog 2021-12-02 23:49:57 UTC (rev 286461) +++ trunk/JSTests/ChangeLog 2021-12-03 00:12:52 UTC (rev 286462) @@ -1,3 +1,13 @@ +2021-12-02 Saam Barati + +Fix OOM crash in JSValue::toWTFStringForConsole +https://bugs.webkit.org/show_bug.cgi?id=233775 + + +Reviewed by Mark Lam. + +* stress/pretty-print-oom.js: Added. + 2021-11-30 Saam Barati GetMyArgumentByValOutOfBounds needs to check for negative indices Added: trunk/JSTests/stress/pretty-print-oom.js (0 => 286462) --- trunk/JSTests/stress/pretty-print-oom.js (rev 0) +++ trunk/JSTests/stress/pretty-print-oom.js 2021-12-03 00:12:52 UTC (rev 286462) @@ -0,0 +1,4 @@ +//@ skip if $memoryLimited +//@ runNoisyTestDefault + +prettyPrint('a'.repeat(2 ** 31 - 1)); Modified: trunk/Source/_javascript_Core/ChangeLog (286461 => 286462) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-02 23:49:57 UTC (rev 286461) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-03 00:12:52 UTC (rev 286462) 
@@ -1,3 +1,14 @@ +2021-12-02 Saam Barati + +Fix OOM crash in JSValue::toWTFStringForConsole +https://bugs.webkit.org/show_bug.cgi?id=233775 + + +Reviewed by Mark Lam. + +* runtime/JSCJSValue.cpp: +(JSC::JSValue::toWTFStringForConsole const): + 2021-12-02 Zan Dobersek [RISCV64] Fix effective address loading for LabelReferences with offsets Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp (286461 => 286462) --- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2021-12-02 23:49:57 UTC (rev 286461) +++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2021-12-03 00:12:52 UTC (rev 286462) @@ -474,9 +474,9 @@ String result = string->value(globalObject); RETURN_IF_EXCEPTION(scope, { }); if (isString()) -return makeString("\"", result, "\""); +return tryMakeString("\"", result, "\""); if (jsDynamicCast(vm, *this)) -return makeString("[", result, "]"); +return tryMakeString("[", result, "]"); return result; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
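Review bot: switching `makeString` to `tryMakeString` in `JSValue::toWTFStringForConsole` changes the function's contract: on allocation failure the two `return tryMakeString(...)` lines now hand back a null `String` instead of crashing, and nothing in the hunk documents or checks that. Add a comment at the return sites stating that a null result means the concatenation could not be allocated, and confirm the console callers of `toWTFStringForConsole` tolerate a null string rather than assuming a non-empty one; the `return result;` fallthrough for non-string, non-array values is unaffected.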
[webkit-changes] [286312] trunk
Title: [286312] trunk Revision 286312 Author sbar...@apple.com Date 2021-11-30 12:00:44 -0800 (Tue, 30 Nov 2021) Log Message GetMyArgumentByValOutOfBounds needs to check for negative indices https://bugs.webkit.org/show_bug.cgi?id=232966 Reviewed by Yusuke Suzuki. JSTests: * get-my-argument-by-val-negative-1.js: Added. * get-my-argument-by-val-negative-2.js: Added. * get-my-argument-by-val-negative-3.js: Added. Source/_javascript_Core: Negative indices inside of GetMyArgumentByValOutOfBounds would cause us to have the resulting value be undefined, instead of a full blown lookup that properly consults the prototype chain and such. The reason for this is negative indices would show up as "out of bounds", which would lead this node to result in undefined. But negative indices really should be treated as string property names, and can't be treated like normal out of bounds positive integers. This patch makes it so we speculate that we don't see negative indices. If we do see negative indices, we stop performing the transformation inside of arguments elimination so we don't end up in an OSR exit loop. * dfg/DFGArgumentsEliminationPhase.cpp: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths trunk/JSTests/get-my-argument-by-val-negative-1.js trunk/JSTests/get-my-argument-by-val-negative-2.js trunk/JSTests/get-my-argument-by-val-negative-3.js Diff Modified: trunk/JSTests/ChangeLog (286311 => 286312) --- trunk/JSTests/ChangeLog 2021-11-30 19:52:28 UTC (rev 286311) +++ trunk/JSTests/ChangeLog 2021-11-30 20:00:44 UTC (rev 286312) 
@@ -1,3 +1,15 @@ +2021-11-30 Saam Barati + +GetMyArgumentByValOutOfBounds needs to check for negative indices +https://bugs.webkit.org/show_bug.cgi?id=232966 + + +Reviewed by Yusuke Suzuki. + +* get-my-argument-by-val-negative-1.js: Added. +* get-my-argument-by-val-negative-2.js: Added. +* get-my-argument-by-val-negative-3.js: Added. + 2021-11-29 Yusuke Suzuki [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt Added: trunk/JSTests/get-my-argument-by-val-negative-1.js (0 => 286312) --- trunk/JSTests/get-my-argument-by-val-negative-1.js (rev 0) +++ trunk/JSTests/get-my-argument-by-val-negative-1.js 2021-11-30 20:00:44 UTC (rev 286312) @@ -0,0 +1,25 @@ +function assert(b) { +if (!b) +throw new Error; +} + +function main() { +let result; + +const v13 = [0, 0]; +Array.prototype[-80887344] = v13; + +const func = (i, ...rest) => { +result = rest[i]; +}; +noInline(func); + +for (let v30 = 0; v30 < 1; v30++) { +func(0); +} + +func(-80887344); +assert(result === v13); +} +noDFG(main); +main(); Added: trunk/JSTests/get-my-argument-by-val-negative-2.js (0 => 286312) --- trunk/JSTests/get-my-argument-by-val-negative-2.js (rev 0) +++ trunk/JSTests/get-my-argument-by-val-negative-2.js 2021-11-30 20:00:44 UTC (rev 286312) @@ -0,0 +1,25 @@ +function assert(b) { +if (!b) +throw new Error; +} + +function main() { +let result; + +const v13 = [0, 0]; +Object.prototype[-80887344] = v13; + +const func = function func(i) { +result = arguments[i]; +}; +noInline(func); + +for (let v30 = 0; v30 < 1; v30++) { +func(3); +} + +func(-80887344); +assert(result === v13); +} +noDFG(main); +main(); Added: trunk/JSTests/get-my-argument-by-val-negative-3.js (0 => 286312) --- trunk/JSTests/get-my-argument-by-val-negative-3.js (rev 0) +++ trunk/JSTests/get-my-argument-by-val-negative-3.js 2021-11-30 20:00:44 UTC (rev 286312) 
@@ -0,0 +1,25 @@ +function assert(b) { +if (!b) +throw new Error; +} + +function main() { +let result; + +const v13 = [0, 0]; +Array.prototype[-1] = v13; + +const func = function func(i, ...args) { +result = args[i]; +}; +noInline(func); + +for (let v30 = 0; v30 < 1; v30++) { +func(1000, 10); +} + +func(-1, 10); +assert(result === v13); +} +noDFG(main); +main(); Modified: trunk/Source/_javascript_Core/ChangeLog (286311 => 286312) --- trunk/Source/_javascript_Core/ChangeLog 2021-11-30 19:52:28 UTC (rev 286311) +++ trunk/Source/_javascript_Core/ChangeLog 2021-11-30 20:00:44 UTC (rev 286312) @@ -1,3 +1,27 @@ +2021-11-30 Saam Barati + +GetMyArgumentByValOutOfBounds needs to check for negative indices +https://bugs.webkit.org/show_bug.cgi?id=232966 + + +Reviewed by Yusuke Suzuki. + +Negative indices inside of GetMyArgumentByValOutOfBounds would cause +us to have the resulting value be
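Review bot: the three new tests are added directly under `trunk/JSTests/` (`get-my-argument-by-val-negative-1.js`, `-2.js`, `-3.js`) while every other test in this series lives under `JSTests/stress/`; at the top level they do not follow the layout the rest of the tree uses and may not be collected by the stress-test configuration. Move them to `JSTests/stress/` and update the `* ... : Added.` entries in the JSTests ChangeLog accordingly.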
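Review bot: in all three tests the warm-up loop is `for (let v30 = 0; v30 < 1; v30++)`, a single call of `func` before the negative index is passed, and there is no `//@ runDefault(...)` line lowering the tiering thresholds the way the other tests on this page do. With one warm-up call `func` is unlikely to reach the DFG, where the arguments-elimination transformation the log describes is applied, so the tests can pass without exercising the fixed path; either raise the iteration count or add a `//@ runDefault` line with low `--thresholdForOptimize*` values, and add a comment explaining that `noDFG(main)` keeps only the outer `main` out of the optimizing tiers.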
[webkit-changes] [286278] trunk
Title: [286278] trunk Revision 286278 Author sbar...@apple.com Date 2021-11-29 17:58:37 -0800 (Mon, 29 Nov 2021) Log Message FTL's implementation of HasIndexedProperty for InBounds accesses checks the inverse of what it should be checking when exiting by seeing a hole https://bugs.webkit.org/show_bug.cgi?id=233408 Reviewed by Mark Lam. JSTests: * stress/in-by-val-has-indexed-property-ftl-3.js: Added. * stress/in-by-val-has-indexed-property-ftl-2.js: Added. * stress/in-by-val-has-indexed-property-ftl.js: Added. Source/_javascript_Core: The implementation of an InBounds HasIndexedProperty in FTL, when speculating, we would exit when we did not see a hole, not when we did see a hole. This is the inverse of what we need to do, we should exit when we do see a hole. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * tools/JSDollarVM.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): (JSC::JSDollarVM::finishCreation): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/tools/JSDollarVM.cpp Added Paths trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-2.js trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-3.js trunk/JSTests/stress/in-by-val-has-indexed-property-ftl.js Diff Modified: trunk/JSTests/ChangeLog (286277 => 286278) --- trunk/JSTests/ChangeLog 2021-11-30 01:42:49 UTC (rev 286277) +++ trunk/JSTests/ChangeLog 2021-11-30 01:58:37 UTC (rev 286278) 
@@ -1,3 +1,15 @@ +2021-11-29 Saam Barati + +FTL's implementation of HasIndexedProperty for InBounds accesses checks the inverse of what it should be checking when exiting by seeing a hole +https://bugs.webkit.org/show_bug.cgi?id=233408 + + +Reviewed by Mark Lam. + +* stress/in-by-val-has-indexed-property-ftl-3.js: Added. +* stress/in-by-val-has-indexed-property-ftl-2.js: Added. +* stress/in-by-val-has-indexed-property-ftl.js: Added. + 2021-11-29 Yusuke Suzuki [JSC] slice should be aware of TerminationException Added: trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-2.js (0 => 286278) --- trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-2.js (rev 0) +++ trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-2.js 2021-11-30 01:58:37 UTC (rev 286278) @@ -0,0 +1,28 @@ +//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--validateBCE=true", "--thresholdForJITSoon=1", "--thresholdForJITAfterWarmUp=7", "--thresholdForOptimizeAfterWarmUp=7", "--thresholdForOptimizeAfterLongWarmUp=7", "--thresholdForOptimizeSoon=1", "--thresholdForFTLOptimizeAfterWarmUp=10") + +function assert(b) { +if (!b) +throw new Error; +} + +function main() { +let v17 = {__proto__:[42,1]}; +v17[2] = 4; + +let v92 = 0; +for (let v95 = 0; v95 < 100; v95++) { +function doEvery(e, i) { +assert(e === 42); +assert(i === 0); +function doMap() { +v139 = v92++; +} +noInline(doMap); +[0].map(doMap); +} +noInline(doEvery); +v17.every(doEvery); +} +assert(v139 === 99); +} +main(); Added: trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-3.js (0 => 286278) --- trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-3.js (rev 0) +++ trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-3.js 2021-11-30 01:58:37 UTC (rev 286278) 
@@ -0,0 +1,97 @@ +function assert(b) { +if (!b) +throw new Error; +} + +function test1() { +function func(b, o) { +if (b) +return 2 in o; +return false; +} +noInline(func); + +let o = {__proto__:[0, 1]}; +o[3] = 42; + +for (let i = 0; i < 100; ++i) { +func(true, o); +func(false, o); +} + +for (let i = 0; i < 1; ++i) { +assert(!func(false, o)); +} +assert(!func(true, o)); +} +test1(); + +function test2() { +function func(b, o) { +if (b) +return 2 in o; +return false; +} +noInline(func); + +let o = {__proto__:[0, 1]}; +o[3] = {}; + +for (let i = 0; i < 100; ++i) { +func(true, o); +func(false, o); +} + +for (let i = 0; i < 1; ++i) { +assert(!func(false, o)); +} +assert(!func(true, o)); +} +test2(); + +function test3() { +function func(b, o) { +if (b) +return 2 in o; +return false; +} +noInline(func); + +let o = {__proto__:[0, 1]}; +o[3] = 42.2; + +for (let i = 0; i < 100; ++i) { +func(true, o); +func(false, o); +} + +for (let i = 0; i < 1; ++i) { +assert(!func(false, o)); +} +assert(!func(true, o)); +} +test3(); + +function test4() { +function func(b, o) { +
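Review bot: in `in-by-val-has-indexed-property-ftl-2.js`, `v139 = v92++;` inside `doMap` assigns to `v139` without a declaration, so the value the final `assert(v139 === 99)` checks is an implicit sloppy-mode global. Declare it next to `let v92 = 0;` so the test does not rely on implicit globals and would still run under strict mode.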
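Review bot: the log lists `* ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):` as the changed function, but the description is about the InBounds `HasIndexedProperty` lowering exiting when it sees a hole; `compileCompareStrictEq` is not where that check lives. Correct the function annotation to the HasIndexedProperty lowering so the ChangeLog points at the actual fix, and in `in-by-val-has-indexed-property-ftl-3.js` add a comment saying why `test1`, `test2` and `test3` differ only in the value stored at `o[3]` (`42`, `{}`, `42.2`), since the intent to cover the different indexing types is otherwise implicit.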
[webkit-changes] [286070] trunk
Title: [286070] trunk Revision 286070 Author sbar...@apple.com Date 2021-11-19 11:36:35 -0800 (Fri, 19 Nov 2021) Log Message Fix assertion added in r285592 https://bugs.webkit.org/show_bug.cgi?id=233373 JSTests: Reviewed by Keith Miller. * stress/validate-assert-uid-is-not-index-or-it-is-symbol.js: Added. (main.v11): (main.v29): (main): Source/_javascript_Core: rdar://85451012 Reviewed by Keith Miller. The assertion added in r285592 should not apply to Symbols. This patch fixes that error. We don't care if a Symbol can be parsed as an index since the string value in a Symbol is just its description, not the actual property. * dfg/DFGValidate.cpp: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGValidate.cpp Added Paths trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js Diff Modified: trunk/JSTests/ChangeLog (286069 => 286070) --- trunk/JSTests/ChangeLog 2021-11-19 19:17:04 UTC (rev 286069) +++ trunk/JSTests/ChangeLog 2021-11-19 19:36:35 UTC (rev 286070) @@ -1,3 +1,15 @@ +2021-11-19 Saam Barati + +Fix assertion added in r285592 +https://bugs.webkit.org/show_bug.cgi?id=233373 + +Reviewed by Keith Miller. + +* stress/validate-assert-uid-is-not-index-or-it-is-symbol.js: Added. +(main.v11): +(main.v29): +(main): + 2021-11-19 Joseph Griego [JSC] Shadow realms: set correct Function prototype on wrapped functions Added: trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js (0 => 286070) --- trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js (rev 0) +++ trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js 2021-11-19 19:36:35 UTC (rev 286070) 
@@ -0,0 +1,26 @@ +//@ runDefault("--validateGraphAtEachPhase=1", "--useConcurrentJIT=false", "--thresholdForJITAfterWarmUp=1") + +function main() { + let v8 = 0; + let v9 = Symbol(v8); + + let v10 = 0; + function v11(v12,v13) { + ++v10; + } + + let v27 = 0; + while (v27 < 4096) { + function v29(v30,v31) { + do { + arguments[v9] = ReferenceError; + const v42 = v8++; + } while (v8 < 3); + v51 = ++v27; + } + const v53 = new Promise(v29); + } +} +noDFG(main); +noFTL(main); +main(); Modified: trunk/Source/_javascript_Core/ChangeLog (286069 => 286070) --- trunk/Source/_javascript_Core/ChangeLog 2021-11-19 19:17:04 UTC (rev 286069) +++ trunk/Source/_javascript_Core/ChangeLog 2021-11-19 19:36:35 UTC (rev 286070) @@ -1,3 +1,18 @@ +2021-11-19 Saam Barati + +Fix assertion added in r285592 +https://bugs.webkit.org/show_bug.cgi?id=233373 +rdar://85451012 + +Reviewed by Keith Miller. + +The assertion added in r285592 should not apply to Symbols. This patch +fixes that error. We don't care if a Symbol can be parsed as an index +since the string value in a Symbol is just its description, not the +actual property. + +* dfg/DFGValidate.cpp: + 2021-11-19 Joseph Griego [JSC] Shadow realms: set correct Function prototype on wrapped functions Modified: trunk/Source/_javascript_Core/dfg/DFGValidate.cpp (286069 => 286070) --- trunk/Source/_javascript_Core/dfg/DFGValidate.cpp 2021-11-19 19:17:04 UTC (rev 286069) +++ trunk/Source/_javascript_Core/dfg/DFGValidate.cpp 2021-11-19 19:36:35 UTC (rev 286070) @@ -238,7 +238,7 @@ if (node->hasCacheableIdentifier()) { auto* uid = node->cacheableIdentifier().uid(); -VALIDATE((node), !parseIndex(*uid)); +VALIDATE((node), uid->isSymbol() || !parseIndex(*uid)); } switch (node->op()) { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
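Review bot: `VALIDATE((node), uid->isSymbol() || !parseIndex(*uid));` now encodes a rule that is explained only in the commit message (a Symbol's string is its description, not the property name, so it may legitimately parse as an index). Put that sentence in a comment above the `VALIDATE` so the exemption is not later read as a loophole and tightened back to the r285592 form.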
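Review bot: `validate-assert-uid-is-not-index-or-it-is-symbol.js` assigns `v51 = ++v27;` without declaring `v51`, and `const v42 = v8++;` is never read; both look like fuzzer residue. Drop the unused binding and declare `v51` (or write the increment as a bare statement), and add a comment stating that `arguments[v9] = ReferenceError;` with the Symbol `v9` as key is the access that tripped the assertion, so the test's shape is not shortened away by a future cleanup.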
[webkit-changes] [285971] trunk
Title: [285971] trunk Revision 285971 Author sbar...@apple.com Date 2021-11-17 18:47:45 -0800 (Wed, 17 Nov 2021) Log Message Run the memmove fast path in JSGenericTypedArrayView::set when using a combination of Uint8 and Uint8Clamped https://bugs.webkit.org/show_bug.cgi?id=233271 Reviewed by Yusuke Suzuki. JSTests: * microbenchmarks/typed-array-set-uint8-and-uint8clamped.js: Added. Source/_javascript_Core: We have a fast path for running memmove when both the thing being copied from and the thing being copied to have the same typed array type. However, when copying from a Uint8Array into a Uint8ClampedArray, or vice versa, we were going down the slow path. In this case, we can still take the fast path, since we're guaranteed that storing into a Uint8ClampedArray from a Uint8Array will never actually need to clamp values. And when storing from a Uint8ClampedArray into a Uint8Array, the values can trivially be copied over. This patch is a 100x speedup on the attached microbenchmark. * runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView::set): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h Added Paths trunk/JSTests/microbenchmarks/typed-array-set-uint8-and-uint8clamped.js Diff Modified: trunk/JSTests/ChangeLog (285970 => 285971) --- trunk/JSTests/ChangeLog 2021-11-18 02:29:46 UTC (rev 285970) +++ trunk/JSTests/ChangeLog 2021-11-18 02:47:45 UTC (rev 285971) 
@@ -1,3 +1,13 @@ +2021-11-17 Saam Barati + +Run the memmove fast path in JSGenericTypedArrayView::set when using a combination of Uint8 and Uint8Clamped +https://bugs.webkit.org/show_bug.cgi?id=233271 + + +Reviewed by Yusuke Suzuki. + +* microbenchmarks/typed-array-set-uint8-and-uint8clamped.js: Added. + 2021-11-15 Yusuke Suzuki [JSC] Use operation path when PutByVal child1 is not speculated as a Cell Added: trunk/JSTests/microbenchmarks/typed-array-set-uint8-and-uint8clamped.js (0 => 285971) --- trunk/JSTests/microbenchmarks/typed-array-set-uint8-and-uint8clamped.js (rev 0) +++ trunk/JSTests/microbenchmarks/typed-array-set-uint8-and-uint8clamped.js 2021-11-18 02:47:45 UTC (rev 285971) @@ -0,0 +1,10 @@ +let x = new Uint8Array(1); +let y = new Uint8ClampedArray(1); + +let start = Date.now(); +for (let i = 0; i < 1; ++i) { +x.set(y); +y.set(x); +} +if (false) +print(Date.now() - start); Modified: trunk/Source/_javascript_Core/ChangeLog (285970 => 285971) --- trunk/Source/_javascript_Core/ChangeLog 2021-11-18 02:29:46 UTC (rev 285970) +++ trunk/Source/_javascript_Core/ChangeLog 2021-11-18 02:47:45 UTC (rev 285971) 
@@ -1,3 +1,25 @@ +2021-11-17 Saam Barati + +Run the memmove fast path in JSGenericTypedArrayView::set when using a combination of Uint8 and Uint8Clamped +https://bugs.webkit.org/show_bug.cgi?id=233271 + + +Reviewed by Yusuke Suzuki. + +We have a fast path for running memmove when both the thing being +copied from and the thing being copied to have the same typed array +type. However, when copying from a Uint8Array into a Uint8ClampedArray, +or vice versa, we were going down the slow path. In this case, +we can still take the fast path, since we're guaranteed that storing +into a Uint8ClampedArray from a Uint8Array will never actually need +to clamp values. And when storing from a Uint8ClampedArray into a +Uint8Array, the values can trivially be copied over. + +This patch is a 100x speedup on the attached microbenchmark. + +* runtime/JSGenericTypedArrayViewInlines.h: +(JSC::JSGenericTypedArrayView::set): + 2021-11-17 Yusuke Suzuki [JSC] Revise JSON.parse atomize policy Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (285970 => 285971) --- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2021-11-18 02:29:46 UTC (rev 285970) +++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2021-11-18 02:47:45 UTC (rev 285971) @@ -255,10 +255,8 @@ VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); -const ClassInfo* ci = object->classInfo(vm); -if (ci->typedArrayStorageType == Adaptor::typeValue) { -// The super fast case: we can just memmove since we're the same type. -JSGenericTypedArrayView* other = jsCast(object); +auto memmoveFastPath = [&] (auto* other) { +// The super fast case: we can just memmove since we're the same underlying storage type. length = std::min(length, other->length()); RELEASE_ASSERT(other->canAccessRangeQuickly(objectOffset, length)); @@ -267,8 +265,22 @@ if (!success) return false; +RELEASE_ASSERT((std::is_same_vtypedVector())>));
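Review bot: the new `memmoveFastPath` lambda captures by reference and keeps the `length = std::min(length, other->length());` clamp, so calling it now shrinks the enclosing `set`'s `length` as a side effect from inside a lambda that, per the log, is invoked from more than one branch (same-type and the Uint8/Uint8Clamped pairing). The old code did this only inside the single `if` body; either let the lambda work on its own copy of `length` or add a comment at the `[&]` capture making the mutation explicit. The `RELEASE_ASSERT` on `std::is_same_v` of the element types added in the second hunk is what makes the cross-type call safe; a comment naming the Uint8/Uint8Clamped case it exists for would help readers.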
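Review bot: as rendered here `typed-array-set-uint8-and-uint8clamped.js` creates `new Uint8Array(1)` and `new Uint8ClampedArray(1)` and loops `for (let i = 0; i < 1; ++i)`, a single `set` call in each direction on one-element views, which cannot demonstrate the 100x the log claims; if those bounds are the intended ones, raise the view length and the iteration count so the memmove path dominates the run. The `if (false) print(Date.now() - start);` guard also means the timing is computed but never emitted; a comment explaining why would save the next reader from deleting it.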
[webkit-changes] [285592] trunk
Title: [285592] trunk Revision 285592 Author sbar...@apple.com Date 2021-11-10 10:54:59 -0800 (Wed, 10 Nov 2021) Log Message in_by_val should not constant fold to in_by_id when the property is a property index https://bugs.webkit.org/show_bug.cgi?id=232753 Reviewed by Yusuke Suzuki. JSTests: * stress/dont-in-by-id-when-index-2.js: Added. (assert): (main.v179): (main.async v244): (main): * stress/dont-in-by-id-when-index.js: Added. (assert): (test): Source/_javascript_Core: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGValidate.cpp: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/dfg/DFGValidate.cpp Added Paths trunk/JSTests/stress/dont-in-by-id-when-index-2.js trunk/JSTests/stress/dont-in-by-id-when-index.js Diff Modified: trunk/JSTests/ChangeLog (285591 => 285592) --- trunk/JSTests/ChangeLog 2021-11-10 18:46:31 UTC (rev 285591) +++ trunk/JSTests/ChangeLog 2021-11-10 18:54:59 UTC (rev 285592) @@ -1,3 +1,19 @@ +2021-11-10 Saam Barati + +in_by_val should not constant fold to in_by_id when the property is a property index +https://bugs.webkit.org/show_bug.cgi?id=232753 + +Reviewed by Yusuke Suzuki. + +* stress/dont-in-by-id-when-index-2.js: Added. +(assert): +(main.v179): +(main.async v244): +(main): +* stress/dont-in-by-id-when-index.js: Added. +(assert): +(test): + 2021-11-10 Xan Lopez [JSC][32bit] Unskip JSTests/stress/json-stringify-string-builder-overflow.js Added: trunk/JSTests/stress/dont-in-by-id-when-index-2.js (0 => 285592) --- trunk/JSTests/stress/dont-in-by-id-when-index-2.js (rev 0) +++ trunk/JSTests/stress/dont-in-by-id-when-index-2.js 2021-11-10 18:54:59 UTC (rev 285592) 
@@ -0,0 +1,37 @@ +//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=0") + +function assert(b) { +if (!b) +throw new Error; +} + +function main() { +let v249; + +const v178 = []; + +v179 = class V179 { +constructor(v181,v182,v183) { +} +}; + +const v195 = [v178,v179,1]; +const v203 = {}; +const v204 = [v179,v195]; +const v205 = v204.toLocaleString(); + +for (const v223 of v205) { +const v232 = {}; +v232[v223] = "number"; + +async function v244() { +v249 = "1" in v232; +const v250 = 0; +} +v244(); +} + +assert(v249 === true); +} + +main(); Added: trunk/JSTests/stress/dont-in-by-id-when-index.js (0 => 285592) --- trunk/JSTests/stress/dont-in-by-id-when-index.js (rev 0) +++ trunk/JSTests/stress/dont-in-by-id-when-index.js 2021-11-10 18:54:59 UTC (rev 285592) @@ -0,0 +1,15 @@ +function assert(b) { +if (!b) +throw new Error; +} + +function test(obj) { +return "1" in obj; +} +noInline(test); + +let o = [10, {}]; + +for (let i = 0; i < 1; ++i) { +assert(test(o) === true); +} Modified: trunk/Source/_javascript_Core/ChangeLog (285591 => 285592) --- trunk/Source/_javascript_Core/ChangeLog 2021-11-10 18:46:31 UTC (rev 285591) +++ trunk/Source/_javascript_Core/ChangeLog 2021-11-10 18:54:59 UTC (rev 285592) 
@@ -1,3 +1,16 @@ +2021-11-10 Saam Barati + +in_by_val should not constant fold to in_by_id when the property is a property index +https://bugs.webkit.org/show_bug.cgi?id=232753 + +Reviewed by Yusuke Suzuki. + +* dfg/DFGAbstractInterpreterInlines.h: +(JSC::DFG::AbstractInterpreter::executeEffects): +* dfg/DFGConstantFoldingPhase.cpp: +(JSC::DFG::ConstantFoldingPhase::foldConstants): +* dfg/DFGValidate.cpp: + 2021-11-09 Commit Queue Unreviewed, reverting r285246. Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (285591 => 285592) --- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-11-10 18:46:31 UTC (rev 285591) +++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-11-10 18:54:59 UTC (rev 285592) @@ -4248,7 +4248,7 @@ if (JSValue constant = property.value()) { if (constant.isString()) { JSString* string = asString(constant); -if (CacheableIdentifier::isCacheableIdentifierCell(string)) +if
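Review bot: `dont-in-by-id-when-index-2.js` assigns `v179 = class V179 {...}` without a declaration (an implicit global), leaves `const v250 = 0;` unread, and iterates `for (const v223 of v205)` over the string returned by `v204.toLocaleString()`, none of which is explained. Declare `v179`, drop `v250`, and add a comment stating which part of this fuzzer-reduced shape is required for `"1" in v232` to reach the `in_by_val` constant-folding path under the thresholds in the `//@ runDefault` line, the way other tests in this series mark required lines with `// This is needed`.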
[webkit-changes] [285525] trunk
Title: [285525] trunk Revision 285525 Author sbar...@apple.com Date 2021-11-09 12:49:41 -0800 (Tue, 09 Nov 2021) Log Message When inlining NewSymbol in the DFG don't universally call ToString on the input https://bugs.webkit.org/show_bug.cgi?id=232754 Reviewed by Robin Morisset. JSTests: * stress/inline-new-symbol-dfg-undefined-first-arg.js: Added. (assert): (foo): Source/_javascript_Core: When inlining Symbol(x) in the DFG, we were always calling ToString on x. However, this is wrong spec wise. If x is undefined, the symbol should produce a description value of `undefined`, but calling ToString on x was causing us to produce a description with the string `"undefined"`. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGClobbersExitState.cpp: (JSC::DFG::clobbersExitState): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGMayExit.cpp: * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewSymbol): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGClobbersExitState.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths 
trunk/JSTests/stress/inline-new-symbol-dfg-undefined-first-arg.js Diff Modified: trunk/JSTests/ChangeLog (285524 => 285525) --- trunk/JSTests/ChangeLog 2021-11-09 20:44:59 UTC (rev 285524) +++ trunk/JSTests/ChangeLog 2021-11-09 20:49:41 UTC (rev 285525) @@ -1,3 +1,14 @@ +2021-11-09 Saam Barati + +When inlining NewSymbol in the DFG don't universally call ToString on the input +https://bugs.webkit.org/show_bug.cgi?id=232754 + +Reviewed by Robin Morisset. + +* stress/inline-new-symbol-dfg-undefined-first-arg.js: Added. +(assert): +(foo): + 2021-11-09 Angelos Oikonomopoulos Unskip array-buffer-view-watchpoint-can-be-fired-in-really-add-in-dfg on ARM Added: trunk/JSTests/stress/inline-new-symbol-dfg-undefined-first-arg.js (0 => 285525) --- trunk/JSTests/stress/inline-new-symbol-dfg-undefined-first-arg.js (rev 0) +++ trunk/JSTests/stress/inline-new-symbol-dfg-undefined-first-arg.js 2021-11-09 20:49:41 UTC (rev 285525) @@ -0,0 +1,13 @@ +function assert(b) { +if (!b) +throw new Error; +} + +function foo(arg) { +return Symbol(arg); +} +noInline(foo); + +for (let i = 0; i < 1; ++i) { +assert(foo(undefined).description === undefined); +} Modified: trunk/Source/_javascript_Core/ChangeLog (285524 => 285525) --- trunk/Source/_javascript_Core/ChangeLog 2021-11-09 20:44:59 UTC (rev 285524) +++ trunk/Source/_javascript_Core/ChangeLog 2021-11-09 20:49:41 UTC (rev 285525) 
@@ -1,3 +1,35 @@ +2021-11-09 Saam Barati + +When inlining NewSymbol in the DFG don't universally call ToString on the input +https://bugs.webkit.org/show_bug.cgi?id=232754 + +Reviewed by Robin Morisset. + +When inlining Symbol(x) in the DFG, we were always calling ToString on x. +However, this is wrong spec wise. If x is undefined, the symbol should +produce a description value of `undefined`, but calling ToString on x was causing +us to produce a description with the string `"undefined"`. + +* dfg/DFGAbstractInterpreterInlines.h: +(JSC::DFG::AbstractInterpreter::executeEffects): +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::handleConstantInternalFunction): +* dfg/DFGClobberize.h: +(JSC::DFG::clobberize): +* dfg/DFGClobbersExitState.cpp: +(JSC::DFG::clobbersExitState): +* dfg/DFGFixupPhase.cpp: +(JSC::DFG::FixupPhase::fixupNode): +* dfg/DFGMayExit.cpp: +* dfg/DFGNodeType.h: +* dfg/DFGOperations.cpp: +(JSC::DFG::JSC_DEFINE_JIT_OPERATION): +* dfg/DFGOperations.h: +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileNewSymbol): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): + 2021-11-09 Yusuke Suzuki Unreviewed, suppress scope check failures on Debug JSC tests Modified:
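Review bot: `inline-new-symbol-dfg-undefined-first-arg.js` asserts only `foo(undefined).description === undefined`, the exact case from the log; the wrong behaviour it guards against is producing the string `"undefined"`, so also assert `foo("undefined").description === "undefined"` and `foo().description === undefined` to pin both sides of the distinction and the zero-argument call through the same inlined `Symbol(arg)`.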
[webkit-changes] [285406] trunk
Title: [285406] trunk Revision 285406 Author sbar...@apple.com Date 2021-11-08 09:05:33 -0800 (Mon, 08 Nov 2021) Log Message We need to PreferNumber when calling toPrimitive for negate https://bugs.webkit.org/show_bug.cgi?id=232679 Reviewed by Alexey Shvayka. JSTests: * stress/negate-prefer-number-to-primitive.js Source/_javascript_Core: We were forgetting to do this in a few implementations of the negate bytecode. So depending on which variant you took, you could get different results. * jit/JITOperations.cpp: (JSC::JSC_DEFINE_JIT_OPERATION): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JITOperations.cpp Added Paths trunk/JSTests/stress/negate-prefer-number-to-primitive.js Diff Modified: trunk/JSTests/ChangeLog (285405 => 285406) --- trunk/JSTests/ChangeLog 2021-11-08 16:58:13 UTC (rev 285405) +++ trunk/JSTests/ChangeLog 2021-11-08 17:05:33 UTC (rev 285406) @@ -1,3 +1,12 @@ +2021-11-08 Saam Barati + +We need to PreferNumber when calling toPrimitive for negate +https://bugs.webkit.org/show_bug.cgi?id=232679 + +Reviewed by Alexey Shvayka. + +* stress/negate-prefer-number-to-primitive.js + 2021-11-05 Russell Epstein Cherry-pick r284635. rdar://problem/85039977 Added: trunk/JSTests/stress/negate-prefer-number-to-primitive.js (0 => 285406) --- trunk/JSTests/stress/negate-prefer-number-to-primitive.js (rev 0) +++ trunk/JSTests/stress/negate-prefer-number-to-primitive.js 2021-11-08 17:05:33 UTC (rev 285406) 
@@ -0,0 +1,22 @@ +//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=1") + +function assert(b) { +if (!b) +throw new Error; +} + +function main() { +let result; +for (let i = 0; i < 7; ++i) { +function f() { +"a".charCodeAt(undefined); +const v44 = new Date(123); +result = -v44; +for (let j = -4096; j < 100; j++) { } +} +noInline(f); +f(); +assert(result === -123); +} +} +main(); Modified: trunk/Source/_javascript_Core/ChangeLog (285405 => 285406) --- trunk/Source/_javascript_Core/ChangeLog 2021-11-08 16:58:13 UTC (rev 285405) +++ trunk/Source/_javascript_Core/ChangeLog 2021-11-08 17:05:33 UTC (rev 285406) @@ -1,3 +1,17 @@ +2021-11-08 Saam Barati + +We need to PreferNumber when calling toPrimitive for negate +https://bugs.webkit.org/show_bug.cgi?id=232679 + +Reviewed by Alexey Shvayka. + +We were forgetting to do this in a few implementations of the negate +bytecode. So depending on which variant you took, you could get different +results. + +* jit/JITOperations.cpp: +(JSC::JSC_DEFINE_JIT_OPERATION): + 2021-11-05 Russell Epstein Cherry-pick r284635. rdar://problem/85039977 Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (285405 => 285406) --- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2021-11-08 16:58:13 UTC (rev 285405) +++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2021-11-08 17:05:33 UTC (rev 285406) 
@@ -3411,7 +3411,7 @@ JSValue operand = JSValue::decode(encodedOperand); arithProfile->observeArg(operand); -JSValue primValue = operand.toPrimitive(globalObject); +JSValue primValue = operand.toPrimitive(globalObject, PreferNumber); RETURN_IF_EXCEPTION(scope, encodedJSValue()); #if USE(BIGINT32) @@ -3455,7 +3455,7 @@ callFrame->codeBlock()->dumpMathICStats(); #endif -JSValue primValue = operand.toPrimitive(globalObject); +JSValue primValue = operand.toPrimitive(globalObject, PreferNumber); RETURN_IF_EXCEPTION(scope, encodedJSValue()); #if USE(BIGINT32) @@ -3498,7 +3498,7 @@ callFrame->codeBlock()->dumpMathICStats(); #endif -JSValue primValue = operand.toPrimitive(globalObject); +JSValue primValue = operand.toPrimitive(globalObject, PreferNumber); RETURN_IF_EXCEPTION(scope, encodedJSValue()); #if USE(BIGINT32) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
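Review bot: the three hunks (`@@ -3411`, `@@ -3455`, `@@ -3498`) apply the identical change `operand.toPrimitive(globalObject)` to `operand.toPrimitive(globalObject, PreferNumber)` in three negate slow paths that share the same `RETURN_IF_EXCEPTION(scope, encodedJSValue());` and `#if USE(BIGINT32)` sequence. That duplication is how the hint was missed in "a few implementations" in the first place; factor the toPrimitive-plus-BIGINT32 prologue into one helper used by all three operations so the hint cannot drift again, and confirm that the other negate implementations the log alludes to pass the same hint.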
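Review bot: `negate-prefer-number-to-primitive.js` depends on `new Date(123)` for its `assert(result === -123)`: a Date's `Symbol.toPrimitive` treats the default hint as "string", so without `PreferNumber` the negation yields NaN rather than -123. That is the whole point of the test and deserves a one-line comment next to `result = -v44;`; the `"a".charCodeAt(undefined);` and `for (let j = -4096; j < 100; j++) { }` lines should likewise be marked as needed for tiering (or removed if they are not), as the other tests in this series do.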
[webkit-changes] [285167] trunk
Title: [285167] trunk Revision 285167 Author sbar...@apple.com Date 2021-11-02 10:25:46 -0700 (Tue, 02 Nov 2021) Log Message EnumeratorGetByVal for IndexedMode+OwnStructureMode doesn't always recover the property name https://bugs.webkit.org/show_bug.cgi?id=231321 Reviewed by Yusuke Suzuki. JSTests: * stress/enumerator-get-by-val-needs-to-recover-property-name.js: Added. Source/_javascript_Core: When running an EnumeratorGetByVal in IndexedMode+OwnStructureMode, we may go to the slow path. However, we were incorrectly going to the slow path before recovering the actual property name. Instead, we were passing in the integer index value to the get by val. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths trunk/JSTests/stress/enumerator-get-by-val-needs-to-recover-property-name.js Diff Modified: trunk/JSTests/ChangeLog (285166 => 285167) --- trunk/JSTests/ChangeLog 2021-11-02 17:11:54 UTC (rev 285166) +++ trunk/JSTests/ChangeLog 2021-11-02 17:25:46 UTC (rev 285167) 
@@ -1,3 +1,13 @@ +2021-11-02 Saam Barati + +EnumeratorGetByVal for IndexedMode+OwnStructureMode doesn't always recover the property name +https://bugs.webkit.org/show_bug.cgi?id=231321 + + +Reviewed by Yusuke Suzuki. + +* stress/enumerator-get-by-val-needs-to-recover-property-name.js: Added. + 2021-11-01 Saam Barati ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object Added: trunk/JSTests/stress/enumerator-get-by-val-needs-to-recover-property-name.js (0 => 285167) --- trunk/JSTests/stress/enumerator-get-by-val-needs-to-recover-property-name.js (rev 0) +++ trunk/JSTests/stress/enumerator-get-by-val-needs-to-recover-property-name.js 2021-11-02 17:25:46 UTC (rev 285167) @@ -0,0 +1,32 @@ +//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=true") + +function assert(b) { +if (!b) +throw new Error; +} + +function main() { +let result; +const v35 = [0, 0, {b:"A"}]; + +async function v36(arr) { +edenGC(); // This is needed +for (let i = 0; i < 2; i++) { +const v201 = ` +var someVar; // this is needed + +for (let j = 0; j < 6; j++) { } + +const v222 = {"__proto__":[[]], "a":0, "b":0}; +for (const prop in v222) { +result = arr[prop]; +v222.__proto__ = {}; +} +`; +eval(v201); // moving code out of eval breaks differential +} +} +v35.filter(v36); +assert(result === "A"); +} +main(); Modified: trunk/Source/_javascript_Core/ChangeLog (285166 => 285167) --- trunk/Source/_javascript_Core/ChangeLog 2021-11-02 17:11:54 UTC (rev 285166) +++ trunk/Source/_javascript_Core/ChangeLog 2021-11-02 17:25:46 UTC (rev 285167) 
@@ -1,3 +1,21 @@ +2021-11-02 Saam Barati + +EnumeratorGetByVal for IndexedMode+OwnStructureMode doesn't always recover the property name +https://bugs.webkit.org/show_bug.cgi?id=231321 + + +Reviewed by Yusuke Suzuki. + +When running an EnumeratorGetByVal in IndexedMode+OwnStructureMode, we may +go to the slow path. However, we were incorrectly going to the slow path +before recovering the actual property name. Instead, we were passing in +the integer index value to the get by val. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + 2021-11-02 Patrick Angle WebDriver: [Cocoa] support `acceptInsecureCerts` capability Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (285166 => 285167) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-11-02 17:11:54 UTC (rev 285166) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-11-02 17:25:46 UTC (rev 285167) @@ -15875,7 +15875,7 @@ JSValueRegs resultRegs; GPRReg indexGPR; GPRReg enumeratorGPR; -MacroAssembler::Jump badStructureSlowPath; +MacroAssembler::JumpList recoverGenericCase; compileGetByVal(node,
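Review bot: the Source/_javascript_Core/ChangeLog hunk attributes the FTLLowerDFGToB3.cpp change to LowerDFGToB3::compileCompareStrictEq, which does not match the description (the bug is in the IndexedMode+OwnStructureMode path of EnumeratorGetByVal); the function name looks like a prepare-ChangeLog misattribution and should be corrected to the enumerator lowering that was actually touched.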
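Review bot: the DFGSpeculativeJIT.cpp hunk is cut off after `compileGetByVal(node,`, so only the replacement of the single `MacroAssembler::Jump badStructureSlowPath` by a `MacroAssembler::JumpList recoverGenericCase` is visible; every jump that used to be added to badStructureSlowPath needs to land on the path that recomputes the property name from the enumerator before the generic get-by-val, not on the slow path directly, since passing the integer index as the key is exactly the bug described. The added stress test relies on edenGC() and on keeping the loop inside eval (its comments say only "This is needed" and "moving code out of eval breaks differential"); one sentence on which tier and which structure transition the eval'd for-in has to hit would keep the test meaningful when the JIT thresholds change. The assertion itself is the right shape: with the bug, arr[prop] for prop "b" was issued with the index instead, so result never became "A".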
[webkit-changes] [285123] trunk
Title: [285123] trunk Revision 285123 Author sbar...@apple.com Date 2021-11-01 13:10:24 -0700 (Mon, 01 Nov 2021) Log Message ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object https://bugs.webkit.org/show_bug.cgi?id=231322 Reviewed by Yusuke Suzuki. JSTests: * stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js: Added. (main.async v23): (main): Source/_javascript_Core: We were relying on the watchpoint to tell us if the Array species watchpoint for 'constructor' is set to the right value. However, the watchpoint being fired doesn't guarantee that it won't be the right value. For example, we might not be able to install the watchpoint because the replacement watchpoint may already be fired. * runtime/JSArrayBufferPrototype.cpp: (JSC::arrayBufferSpeciesConstructorSlow): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp Added Paths trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js Diff Modified: trunk/JSTests/ChangeLog (285122 => 285123) --- trunk/JSTests/ChangeLog 2021-11-01 20:08:01 UTC (rev 285122) +++ trunk/JSTests/ChangeLog 2021-11-01 20:10:24 UTC (rev 285123) 
@@ -1,3 +1,15 @@ +2021-11-01 Saam Barati + +ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object +https://bugs.webkit.org/show_bug.cgi?id=231322 + + +Reviewed by Yusuke Suzuki. + +* stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js: Added. +(main.async v23): +(main): + 2021-11-01 Robin Morisset JSGenericTypedArrayView::set crashes if the length + objectOffset is > UINT32_MAX Added: trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js (0 => 285123) --- trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js (rev 0) +++ trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js 2021-11-01 20:10:24 UTC (rev 285123) @@ -0,0 +1,16 @@ +//@ runDefault("--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useConcurrentJIT=0", "--dumpFTLDisassembly=0", "--useFTLJIT=0") + +function main() { +async function v23(v24) { +for (let v30 = 0; v30 < 6; v30++) { } +ArrayBuffer.prototype.constructor = ArrayBuffer; +} + +const v22 = [0, 0, 0]; +const v35 = v22.filter(v23); + +const v37 = [0, 0, 0] +const v42 = new Uint8ClampedArray(v37); +const v43 = new Uint32Array(v42); +} +main(); Modified: trunk/Source/_javascript_Core/ChangeLog (285122 => 285123) --- trunk/Source/_javascript_Core/ChangeLog 2021-11-01 20:08:01 UTC (rev 285122) +++ trunk/Source/_javascript_Core/ChangeLog 2021-11-01 20:10:24 UTC (rev 285123) 
@@ -1,3 +1,20 @@ +2021-11-01 Saam Barati + +ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object +https://bugs.webkit.org/show_bug.cgi?id=231322 + + +Reviewed by Yusuke Suzuki. + +We were relying on the watchpoint to tell us if the Array species watchpoint +for 'constructor' is set to the right value. However, the watchpoint being +fired doesn't guarantee that it won't be the right value. For example, we +might not be able to install the watchpoint because the replacement watchpoint +may already be fired. + +* runtime/JSArrayBufferPrototype.cpp: +(JSC::arrayBufferSpeciesConstructorSlow): + 2021-11-01 Robin Morisset JSGenericTypedArrayView::set crashes if the length + objectOffset is > UINT32_MAX Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp (285122 => 285123) --- trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp 2021-11-01 20:08:01 UTC (rev 285122) +++ trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp 2021-11-01 20:10:24 UTC (rev 285123) @@ -52,9 +52,8 @@ if (constructor.isConstructor(vm)) { JSObject* constructorObject = jsCast(constructor); JSGlobalObject* globalObjectFromConstructor = constructorObject->globalObject(vm); -bool isArrayBufferConstructorFromAnotherRealm = globalObject != globalObjectFromConstructor -&& constructorObject == globalObjectFromConstructor->arrayBufferConstructor(mode); -if
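Review bot: the runDefault line of the added test passes --useConcurrentJIT=false and, later on the same line, --useConcurrentJIT=0, a duplicated option; drop one. The test also has no assertion and no comment naming the expected failure, so a reader cannot tell a pass from a silently wrong result; add a comment stating what fails without the fix (presumably in arrayBufferSpeciesConstructorSlow when `new Uint32Array(v42)` resolves the species constructor after ArrayBuffer.prototype.constructor was reassigned), or an explicit check on v43's constructor and length.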
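Review bot: the JSArrayBufferPrototype.cpp hunk at @@ -52,9 +52,8 @@ is cut off after `-if`, so the replacement condition is not visible here; the removed lines show the old code only accepting the constructor when it was the ArrayBuffer constructor of a different global object (`globalObject != globalObjectFromConstructor && constructorObject == globalObjectFromConstructor->arrayBufferConstructor(mode)`). Given the ChangeLog's point that a fired species watchpoint does not prove the constructor is wrong, the replacement should compare constructorObject against globalObjectFromConstructor->arrayBufferConstructor(mode) without the realm-inequality clause, and the sentence "we might not be able to install the watchpoint because the replacement watchpoint may already be fired" is the rationale that belongs in a code comment beside it, not only in the ChangeLog.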
[webkit-changes] [285036] trunk/Source/WTF
Title: [285036] trunk/Source/WTF Revision 285036 Author sbar...@apple.com Date 2021-10-29 10:17:22 -0700 (Fri, 29 Oct 2021) Log Message Disable ENABLE_JIT on arm64_32 https://bugs.webkit.org/show_bug.cgi?id=232468 Reviewed by Yusuke Suzuki. We were disabling JIT via a runtime configuration before since we haven't yet implemented the JIT on arm64_32. However, not compiling ENABLE(JIT) code on arm64_32 saves 11MB in the binary size of _javascript_Core. In my local compiles, I'm going from 24M to 13M. * wtf/PlatformEnable.h: Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/PlatformEnable.h Diff Modified: trunk/Source/WTF/ChangeLog (285035 => 285036) --- trunk/Source/WTF/ChangeLog 2021-10-29 16:50:16 UTC (rev 285035) +++ trunk/Source/WTF/ChangeLog 2021-10-29 17:17:22 UTC (rev 285036) @@ -1,3 +1,18 @@ +2021-10-29 Saam Barati + +Disable ENABLE_JIT on arm64_32 +https://bugs.webkit.org/show_bug.cgi?id=232468 + +Reviewed by Yusuke Suzuki. + +We were disabling JIT via a runtime configuration before since we haven't +yet implemented the JIT on arm64_32. However, not compiling ENABLE(JIT) +code on arm64_32 saves 11MB in the binary size of _javascript_Core. + +In my local compiles, I'm going from 24M to 13M. + +* wtf/PlatformEnable.h: + 2021-10-28 Adrian Perez de Castro [WTF] Use mcontext_t on OpenBSD Modified: trunk/Source/WTF/wtf/PlatformEnable.h (285035 => 285036) --- trunk/Source/WTF/wtf/PlatformEnable.h 2021-10-29 16:50:16 UTC (rev 285035) +++ trunk/Source/WTF/wtf/PlatformEnable.h 2021-10-29 17:17:22 UTC (rev 285036) @@ -576,7 +576,7 @@ #endif /* The JIT is enabled by default on all x86-64 & ARM64 platforms. */ -#if !defined(ENABLE_JIT) && (CPU(X86_64) || CPU(ARM64)) && !CPU(APPLE_ARMV7K) +#if !defined(ENABLE_JIT) && (CPU(X86_64) || (CPU(ARM64) && CPU(ADDRESS64))) #define ENABLE_JIT 1 #endif 
@@ -600,7 +600,7 @@ #endif #if !defined(ENABLE_C_LOOP) -#if ENABLE(JIT) || CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__)) +#if ENABLE(JIT) || CPU(X86_64) || CPU(ARM64) #define ENABLE_C_LOOP 0 #else #define ENABLE_C_LOOP 1 ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
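Review bot: the PlatformEnable.h hunk at @@ -576 drops `!CPU(APPLE_ARMV7K)` from the ENABLE_JIT default; that is safe only because ARMv7k satisfies neither CPU(X86_64) nor CPU(ARM64), and a short line in the ChangeLog saying so would stop the next reader from assuming the exclusion was lost by accident.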
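Review bot: the second hunk (@@ -600) changes the ENABLE_C_LOOP default from `(CPU(ARM64) && !defined(__ILP32__))` to plain `CPU(ARM64)`; this is required by the first hunk, because with ENABLE_JIT now 0 on arm64_32 the `ENABLE(JIT) ||` clause no longer keeps that target off the C loop, yet the ChangeLog does not mention it. Document that arm64_32 now runs the assembly LLInt with no JIT code compiled in, and that this is the configuration the 24M to 13M measurement refers to.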
[webkit-changes] [285004] trunk/Source/JavaScriptCore
Title: [285004] trunk/Source/_javascript_Core Revision 285004 Author sbar...@apple.com Date 2021-10-28 14:22:35 -0700 (Thu, 28 Oct 2021) Log Message Don't call type() on Structure, instead call type() on its typeInfo() https://bugs.webkit.org/show_bug.cgi?id=232414 Reviewed by Yusuke Suzuki. * dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * runtime/Structure.h: (JSC::Structure::type): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/runtime/Structure.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (285003 => 285004) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-28 21:21:39 UTC (rev 285003) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-28 21:22:35 UTC (rev 285004) @@ -1,3 +1,19 @@ +2021-10-28 Saam Barati + +Don't call type() on Structure, instead call type() on its typeInfo() +https://bugs.webkit.org/show_bug.cgi?id=232414 + +Reviewed by Yusuke Suzuki. + +* dfg/DFGOperations.cpp: +(JSC::DFG::JSC_DEFINE_JIT_OPERATION): +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::emitAllocateRawObject): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): +* runtime/Structure.h: +(JSC::Structure::type): + 2021-10-27 Dmitry Bezhetskov [WASM-Function-References] Add call_ref spec tests Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (285003 => 285004) --- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2021-10-28 21:21:39 UTC (rev 285003) +++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2021-10-28 21:22:35 UTC (rev 285004) 
@@ -3114,7 +3114,7 @@ length * sizeof(EncodedJSValue)); } -if (structure->type() == JSType::ArrayType) +if (structure->typeInfo().type() == JSType::ArrayType) return bitwise_cast(JSArray::createWithButterfly(vm, nullptr, structure, butterfly)); return bitwise_cast(JSFinalObject::createWithButterfly(vm, structure, butterfly)); } @@ -3130,7 +3130,7 @@ vm, nullptr, 0, structure->outOfLineCapacity(), false, IndexingHeader(), 0); } -if (structure->type() == JSType::ArrayType) +if (structure->typeInfo().type() == JSType::ArrayType) return JSArray::createWithButterfly(vm, nullptr, structure, butterfly); return JSFinalObject::createWithButterfly(vm, structure, butterfly); } @@ -3152,7 +3152,7 @@ sizeof(EncodedJSValue) * length); } -if (structure->type() == JSType::ArrayType) +if (structure->typeInfo().type() == JSType::ArrayType) return JSArray::createWithButterfly(vm, nullptr, structure, butterfly); return JSFinalObject::createWithButterfly(vm, structure, butterfly); } Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (285003 => 285004) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-10-28 21:21:39 UTC (rev 285003) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-10-28 21:22:35 UTC (rev 285004) @@ -134,7 +134,7 @@ } Allocator allocator; -if (structure->type() == JSType::ArrayType) +if (structure->typeInfo().type() == JSType::ArrayType) allocator = allocatorForNonVirtualConcurrently(vm, JSArray::allocationSize(inlineCapacity), AllocatorForMode::AllocatorIfExists); else allocator = allocatorForNonVirtualConcurrently(vm, JSFinalObject::allocationSize(inlineCapacity), AllocatorForMode::AllocatorIfExists); Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (285003 => 285004) --- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-10-28 21:21:39 UTC (rev 285003) +++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-10-28 21:22:35 UTC (rev 285004) 
@@ -13866,7 +13866,7 @@ if (structure->outOfLineCapacity() || hasIndexedProperties(structure->indexingType())) { Allocator cellAllocator; -if (structure->type() == JSType::ArrayType) +if (structure->typeInfo().type() == JSType::ArrayType) cellAllocator = allocatorForNonVirtualConcurrently(vm(), JSArray::allocationSize(structure->inlineCapacity()), AllocatorForMode::AllocatorIfExists); else cellAllocator = allocatorForNonVirtualConcurrently(vm(), JSFinalObject::allocationSize(structure->inlineCapacity()), AllocatorForMode::AllocatorIfExists); Modified: trunk/Source/_javascript_Core/runtime/Structure.h (285003 => 285004) --- trunk/Source/_javascript_Core/runtime/Structure.h 2021-10-28 21:21:39 UTC (rev
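Review bot: four call sites are mechanically changed from `structure->type()` to `structure->typeInfo().type()`, and runtime/Structure.h lists JSC::Structure::type as modified, but that hunk is cut off at the file header here. If the intent is that nothing calls Structure::type() any more, delete the member or make it private so the compiler enforces it rather than review; otherwise state in the ChangeLog what the remaining Structure::type() is for and why the typeInfo() path is preferred at these sites.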
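Review bot: the ChangeLog attributes the FTLLowerDFGToB3.cpp hunk to LowerDFGToB3::compileCompareStrictEq, but the hunk at @@ -13866 is in the object allocation path (choosing cellAllocator between JSArray and JSFinalObject), so the function name is wrong; the 285167 entry above carries the same misattribution for this file, which suggests prepare-ChangeLog is picking the wrong enclosing function and the names should be corrected by hand.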
[webkit-changes] [284699] trunk/Source/JavaScriptCore
Title: [284699] trunk/Source/_javascript_Core Revision 284699 Author sbar...@apple.com Date 2021-10-22 11:23:09 -0700 (Fri, 22 Oct 2021) Log Message canDoFastSpread should also check that the Structure is from the global object we're watching https://bugs.webkit.org/show_bug.cgi?id=231976 Reviewed by Keith Miller. Just reorder the checks for clarity. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::canDoFastSpread): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGGraph.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (284698 => 284699) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-22 18:22:22 UTC (rev 284698) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-22 18:23:09 UTC (rev 284699) @@ -1,3 +1,16 @@ +2021-10-22 Saam Barati + +canDoFastSpread should also check that the Structure is from the global object we're watching +https://bugs.webkit.org/show_bug.cgi?id=231976 + + +Reviewed by Keith Miller. + +Just reorder the checks for clarity. + +* dfg/DFGGraph.cpp: +(JSC::DFG::Graph::canDoFastSpread): + 2021-10-22 Robin Morisset --reportBytecodeCompileTimes=1 should correctly report the bytecode size Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (284698 => 284699) --- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2021-10-22 18:22:22 UTC (rev 284698) +++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2021-10-22 18:23:09 UTC (rev 284699) 
@@ -1847,8 +1847,8 @@ ArrayPrototype* arrayPrototype = globalObject->arrayPrototype(); bool allGood = true; value.m_structure.forEach([&] (RegisteredStructure structure) { -allGood &= structure->hasMonoProto() -&& structure->globalObject() == globalObject +allGood &= structure->globalObject() == globalObject +&& structure->hasMonoProto() && structure->storedPrototype() == arrayPrototype && !structure->isDictionary() && structure->getConcurrently(m_vm.propertyNames->iteratorSymbol.impl()) == invalidOffset ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
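Review bot: the DFGGraph.cpp hunk only swaps the `structure->globalObject() == globalObject` and `structure->hasMonoProto()` terms inside the lambda, which the ChangeLog describes as a reorder for clarity; since `&&` short-circuits, the realm check now runs first, which is the cheaper and more fundamental test. Visible in the same lines but untouched: `allGood &=` keeps the forEach running over every remaining structure after the first failure, so an early return once allGood is false would be a small, safe improvement in the same spot.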
[webkit-changes] [284664] trunk/Source
Title: [284664] trunk/Source Revision 284664 Author sbar...@apple.com Date 2021-10-21 21:31:45 -0700 (Thu, 21 Oct 2021) Log Message Clean up some code around checking the state of Watchpoints https://bugs.webkit.org/show_bug.cgi?id=232111 Reviewed by Yusuke Suzuki. Source/_javascript_Core: No need to have state() and stateOnJSThread(), since they're now the same. Also, there is no need to check the allocation watchpoint twice for the function/internal function allocation profiles. * bytecode/Watchpoint.h: (JSC::WatchpointSet::isStillValid const): (JSC::WatchpointSet::stateOnJSThread const): Deleted. (JSC::WatchpointSet::isStillValidOnJSThread const): Deleted. (JSC::InlineWatchpointSet::stateOnJSThread const): Deleted. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * runtime/ArrayPrototype.cpp: (JSC::speciesWatchpointIsValid): (JSC::canUseDefaultArrayJoinForToString): * runtime/InferredValue.h: (JSC::InferredValue::notifyWrite): (JSC::InferredValue::stateOnJSThread const): Deleted. 
* runtime/JSArrayBufferPrototypeInlines.h: (JSC::speciesWatchpointIsValid): * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Source/WebCore: * bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::getOwnPropertySlot): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/Watchpoint.h trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp trunk/Source/_javascript_Core/runtime/InferredValue.h trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototypeInlines.h trunk/Source/_javascript_Core/runtime/ObjectPropertyChangeAdaptiveWatchpoint.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (284663 => 284664) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-22 02:15:01 UTC (rev 284663) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-22 04:31:45 UTC (rev 284664) 
@@ -1,3 +1,36 @@ +2021-10-21 Saam Barati + +Clean up some code around checking the state of Watchpoints +https://bugs.webkit.org/show_bug.cgi?id=232111 + +Reviewed by Yusuke Suzuki. + +No need to have state() and stateOnJSThread(), since they're now the same. +Also, there is no need to check the allocation watchpoint twice for the +function/internal function allocation profiles. + +* bytecode/Watchpoint.h: +(JSC::WatchpointSet::isStillValid const): +(JSC::WatchpointSet::stateOnJSThread const): Deleted. +(JSC::WatchpointSet::isStillValidOnJSThread const): Deleted. +(JSC::InlineWatchpointSet::stateOnJSThread const): Deleted. +* dfg/DFGAbstractInterpreterInlines.h: +(JSC::DFG::AbstractInterpreter::executeEffects): +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::parseBlock): +(JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject): +* dfg/DFGConstantFoldingPhase.cpp: +(JSC::DFG::ConstantFoldingPhase::foldConstants): +* runtime/ArrayPrototype.cpp: +(JSC::speciesWatchpointIsValid): +(JSC::canUseDefaultArrayJoinForToString): +* runtime/InferredValue.h: +(JSC::InferredValue::notifyWrite): +(JSC::InferredValue::stateOnJSThread const): Deleted. +* runtime/JSArrayBufferPrototypeInlines.h: +(JSC::speciesWatchpointIsValid): +* runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: + 2021-10-21 Mark Lam Remove an unused field: Heap::m_copyingRememberedSet. Modified: trunk/Source/_javascript_Core/bytecode/Watchpoint.h (284663 => 284664) --- trunk/Source/_javascript_Core/bytecode/Watchpoint.h 2021-10-22 02:15:01 UTC (rev 284663) +++ trunk/Source/_javascript_Core/bytecode/Watchpoint.h 2021-10-22 04:31:45 UTC (rev 284664) 
@@ -190,17 +190,14 @@ return adoptRef(*new WatchpointSet(state)); } -// Fast way of getting the state, which only works from the main thread. -WatchpointState stateOnJSThread() const -{ -return static_cast(m_state); -} - -// It is safe to call this from another thread. It may return an old -// state. Guarantees that if *first* read the state() of the thing being -// watched and it returned IsWatched and *second* you actually read its -// value then it's safe to assume that if the state being watched changes -// then also the watchpoint state() will change to IsInvalidated. +// It is always safe to call this from the main thread. +// It is also safe to call this
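Review bot: the Watchpoint.h hunk at @@ -190 removes stateOnJSThread() together with the comment that spelled out the cross-thread guarantee (read state() first, then the watched value; if the value changes, state() will change to IsInvalidated), and the replacement comment is cut off here after "It is also safe to call this". Since the compiler threads depend on exactly that ordering, the guarantee should survive verbatim in the new comment on state(), and the ChangeLog's "they're now the same" deserves one sentence on what made the main-thread-only fast variant unnecessary.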
[webkit-changes] [284506] trunk/Source/JavaScriptCore
Title: [284506] trunk/Source/_javascript_Core Revision 284506 Author sbar...@apple.com Date 2021-10-19 15:48:26 -0700 (Tue, 19 Oct 2021) Log Message canDoFastSpread should also check that the Structure is from the global object we're watching https://bugs.webkit.org/show_bug.cgi?id=231976 Reviewed by Keith Miller. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::canDoFastSpread): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGGraph.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (284505 => 284506) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-19 22:37:56 UTC (rev 284505) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-19 22:48:26 UTC (rev 284506) @@ -1,3 +1,14 @@ +2021-10-19 Saam Barati + +canDoFastSpread should also check that the Structure is from the global object we're watching +https://bugs.webkit.org/show_bug.cgi?id=231976 + + +Reviewed by Keith Miller. + +* dfg/DFGGraph.cpp: +(JSC::DFG::Graph::canDoFastSpread): + 2021-10-19 Chris Dumez [clang 13] Suppress sign comparison warnings Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (284505 => 284506) --- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2021-10-19 22:37:56 UTC (rev 284505) +++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2021-10-19 22:48:26 UTC (rev 284506) 
@@ -1843,10 +1843,12 @@ if (!value.m_structure.isFinite()) return false; -ArrayPrototype* arrayPrototype = globalObjectFor(node->child1()->origin.semantic)->arrayPrototype(); +JSGlobalObject* globalObject = globalObjectFor(node->child1()->origin.semantic); +ArrayPrototype* arrayPrototype = globalObject->arrayPrototype(); bool allGood = true; value.m_structure.forEach([&] (RegisteredStructure structure) { allGood &= structure->hasMonoProto() +&& structure->globalObject() == globalObject && structure->storedPrototype() == arrayPrototype && !structure->isDictionary() && structure->getConcurrently(m_vm.propertyNames->iteratorSymbol.impl()) == invalidOffset ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
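Review bot: the DFGGraph.cpp hunk adds `structure->globalObject() == globalObject` to the canDoFastSpread predicate, but the ChangeLog carries no rationale and Modified Paths lists no test. Please add a sentence explaining why `storedPrototype() == arrayPrototype` alone is insufficient (for instance, a structure created in another global object can still point at this realm's Array.prototype, while the watchpoints that justify the fast spread belong to this global object), and a stress test that exercises that cross-realm shape so the check cannot be dropped again by a later refactor.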
[webkit-changes] [284396] trunk/Source/JavaScriptCore
Title: [284396] trunk/Source/_javascript_Core Revision 284396 Author sbar...@apple.com Date 2021-10-18 13:41:50 -0700 (Mon, 18 Oct 2021) Log Message Don't load metadata base pointer in EXTRA_CTI_THUNKS https://bugs.webkit.org/show_bug.cgi?id=231850 Reviewed by Yusuke Suzuki. We were loading the metadata table base pointer dynamically. But in unlinked baseline JIT, it's already pinned in a register. Let's just use the register instead of recomputing what's already there. This is a small speedup in throughput of unlinked baseline JIT code for scope operations. * jit/JITPropertyAccess.cpp: (JSC::JIT::generateOpResolveScopeThunk): (JSC::JIT::generateOpGetFromScopeThunk): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (284395 => 284396) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-18 20:34:22 UTC (rev 284395) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-18 20:41:50 UTC (rev 284396) @@ -1,3 +1,20 @@ +2021-10-18 Saam Barati + +Don't load metadata base pointer in EXTRA_CTI_THUNKS +https://bugs.webkit.org/show_bug.cgi?id=231850 + +Reviewed by Yusuke Suzuki. + +We were loading the metadata table base pointer dynamically. But in +unlinked baseline JIT, it's already pinned in a register. Let's just +use the register instead of recomputing what's already there. This is +a small speedup in throughput of unlinked baseline JIT code for scope +operations. + +* jit/JITPropertyAccess.cpp: +(JSC::JIT::generateOpResolveScopeThunk): +(JSC::JIT::generateOpGetFromScopeThunk): + 2021-10-18 Yusuke Suzuki [JSC] Use USE(LARGE_TYPED_ARRAY) Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (284395 => 284396) --- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-10-18 20:34:22 UTC (rev 284395) +++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-10-18 20:41:50 UTC (rev 284396) 
@@ -1961,7 +1961,7 @@ if (profiledResolveType == ModuleVar) loadPtrFromMetadata(bytecode, OpResolveScope::Metadata::offsetOfLexicalEnvironment(), regT0); else { -ptrdiff_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode); +uint32_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode); constexpr GPRReg metadataGPR = regT2; constexpr GPRReg scopeGPR = regT0; @@ -1968,7 +1968,8 @@ constexpr GPRReg bytecodeOffsetGPR = regT5; emitGetVirtualRegister(scope, scopeGPR); -move(TrustedImmPtr(metadataOffset), metadataGPR); +addPtr(TrustedImm32(metadataOffset), s_metadataGPR, metadataGPR); + move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR); MacroAssemblerCodeRef code; @@ -2015,10 +2016,6 @@ jit.tagReturnAddress(); -jit.loadPtr(addressFor(CallFrameSlot::codeBlock), regT3); -jit.loadPtr(Address(regT3, CodeBlock::offsetOfMetadataTable()), regT3); -jit.addPtr(regT3, metadataGPR); - JumpList slowCase; auto doVarInjectionCheck = [&] (bool needsVarInjectionChecks, GPRReg globalObjectGPR = InvalidGPRReg) { @@ -2368,10 +2365,10 @@ constexpr GPRReg scopeGPR = regT2; constexpr GPRReg bytecodeOffsetGPR = regT5; -ptrdiff_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode); +uint32_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode); emitGetVirtualRegister(scope, scopeGPR); -move(TrustedImmPtr(metadataOffset), metadataGPR); +addPtr(TrustedImm32(metadataOffset), s_metadataGPR, metadataGPR); move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR); MacroAssemblerCodeRef code; 
@@ -2411,10 +2408,6 @@ jit.tagReturnAddress(); -jit.loadPtr(addressFor(CallFrameSlot::codeBlock), regT3); -jit.loadPtr(Address(regT3, CodeBlock::offsetOfMetadataTable()), regT3); -jit.addPtr(regT3, metadataGPR); - JumpList slowCase; auto doVarInjectionCheck = [&] (bool needsVarInjectionChecks) { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
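Review bot: metadataOffset changes from ptrdiff_t to uint32_t and is now emitted through `TrustedImm32` and `addPtr(..., s_metadataGPR, metadataGPR)` (hunks at @@ -1961 and @@ -2368); the narrowing is silent, so a RELEASE_ASSERT or a uint32_t return type on offsetInMetadataTable() would make the 32-bit contract explicit instead of implicit. The first site also adds a stray blank line after the addPtr that the second site does not, which is why that hunk grows from 7 to 8 lines; keep the two call sites identical.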
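Review bot: the two thunk hunks (@@ -2015 and @@ -2411) delete the loads of `CallFrameSlot::codeBlock` and `CodeBlock::offsetOfMetadataTable()`, so the thunks now assume the caller has already formed metadataGPR as an address relative to the pinned s_metadataGPR; that invariant should be stated in a comment at the top of each thunk, because a future caller that enters with a bare offset (the old `move(TrustedImmPtr(metadataOffset), metadataGPR)` form) would read from a bogus address with nothing left in the thunk to catch it.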
[webkit-changes] [284224] trunk/Source/JavaScriptCore
Title: [284224] trunk/Source/_javascript_Core Revision 284224 Author sbar...@apple.com Date 2021-10-14 18:49:44 -0700 (Thu, 14 Oct 2021) Log Message Make unlinked Baseline JIT scope operations bias the order of checks to the ResolveType that profiling tells us we are likely to be https://bugs.webkit.org/show_bug.cgi?id=231715 Reviewed by Yusuke Suzuki. This is a small throughput win in the code generated by unlinked baseline JIT. * jit/JIT.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_resolve_scope): (JSC::JIT::generateOpResolveScopeThunk): (JSC::JIT::emit_op_get_from_scope): (JSC::JIT::generateOpGetFromScopeThunk): (JSC::JIT::emit_op_put_to_scope): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (284223 => 284224) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-15 01:44:56 UTC (rev 284223) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-15 01:49:44 UTC (rev 284224) @@ -1,3 +1,20 @@ +2021-10-14 Saam Barati + +Make unlinked Baseline JIT scope operations bias the order of checks to the ResolveType that profiling tells us we are likely to be +https://bugs.webkit.org/show_bug.cgi?id=231715 + +Reviewed by Yusuke Suzuki. + +This is a small throughout win in the code generated by unlinked baseline JIT. + +* jit/JIT.h: +* jit/JITPropertyAccess.cpp: +(JSC::JIT::emit_op_resolve_scope): +(JSC::JIT::generateOpResolveScopeThunk): +(JSC::JIT::emit_op_get_from_scope): +(JSC::JIT::generateOpGetFromScopeThunk): +(JSC::JIT::emit_op_put_to_scope): + 2021-10-14 Alex Christensen Remove Variant.h Modified: trunk/Source/_javascript_Core/jit/JIT.h (284223 => 284224) --- trunk/Source/_javascript_Core/jit/JIT.h 2021-10-15 01:44:56 UTC (rev 284223) +++ trunk/Source/_javascript_Core/jit/JIT.h 2021-10-15 01:49:44 UTC (rev 284224) 
@@ -751,8 +751,10 @@ static MacroAssemblerCodeRef slow_op_get_from_scopeGenerator(VM&); static MacroAssemblerCodeRef slow_op_resolve_scopeGenerator(VM&); -static MacroAssemblerCodeRef generateOpGetFromScopeThunk(VM&, std::optional, const char* thunkName); -static MacroAssemblerCodeRef generateOpResolveScopeThunk(VM&, std::optional, const char* thunkName); +template +static MacroAssemblerCodeRef generateOpGetFromScopeThunk(VM&); +template +static MacroAssemblerCodeRef generateOpResolveScopeThunk(VM&); #endif // ENABLE(EXTRA_CTI_THUNKS) Jump getSlowCase(Vector::iterator& iter) Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (284223 => 284224) --- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-10-15 01:44:56 UTC (rev 284223) +++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-10-15 01:49:44 UTC (rev 284224) @@ -1963,18 +1963,6 @@ else { ptrdiff_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode); -auto closureVarGenerator = [] (VM& vm) { -return JIT::generateOpResolveScopeThunk(vm, ClosureVar, "Baseline: op_resolve_scope ClosureVar"); -}; - -auto closureVarWithVarInjectionChecksGenerator = [] (VM& vm) { -return JIT::generateOpResolveScopeThunk(vm, ClosureVarWithVarInjectionChecks, "Baseline: op_resolve_scope ClosureVarWithVarInjectionChecks"); -}; - -auto genericResolveScopeGenerator = [] (VM& vm) { -return JIT::generateOpResolveScopeThunk(vm, std::nullopt, "Baseline: op_resolve_scope generic"); -}; - constexpr GPRReg metadataGPR = regT2; constexpr GPRReg scopeGPR = regT0; constexpr GPRReg bytecodeOffsetGPR = regT5; 
@@ -1985,11 +1973,24 @@ MacroAssemblerCodeRef code; if (profiledResolveType == ClosureVar) -code = vm.getCTIStub(closureVarGenerator); +code = vm.getCTIStub(generateOpResolveScopeThunk); else if (profiledResolveType == ClosureVarWithVarInjectionChecks) -code = vm.getCTIStub(closureVarWithVarInjectionChecksGenerator); +code = vm.getCTIStub(generateOpResolveScopeThunk); +else if (profiledResolveType == GlobalVar) +code = vm.getCTIStub(generateOpResolveScopeThunk); +else if (profiledResolveType == GlobalProperty) +code = vm.getCTIStub(generateOpResolveScopeThunk); +else if (profiledResolveType == GlobalLexicalVar) +code = vm.getCTIStub(generateOpResolveScopeThunk); +else if (profiledResolveType == GlobalVarWithVarInjectionChecks) +code = vm.getCTIStub(generateOpResolveScopeThunk); +else if (profiledResolveType == GlobalPropertyWithVarInjectionChecks) +code = vm.getCTIStub(generateOpResolveScopeThunk); +else if (profiledResolveType ==
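Review bot: the JIT.h hunk turns the two thunk generators into templates on the ResolveType and drops the `const char* thunkName` parameter (the rendering here has lost the template parameter lists, but the intent is clear); make sure each instantiation still receives a distinct stub name, since the removed argument was what distinguished "Baseline: op_resolve_scope ClosureVar" from the generic stub in disassembly and profiling output. The ChangeLog hunk also says "throughout win" where "throughput" is meant.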
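Review bot: the JITPropertyAccess.cpp hunk at @@ -1985 replaces three lambdas with an else-if ladder over profiledResolveType (ClosureVar, ClosureVarWithVarInjectionChecks, GlobalVar, GlobalProperty, GlobalLexicalVar and their VarInjectionChecks variants, cut off here); a switch on the enum with the generic stub as the explicit default would let the compiler flag a newly added ResolveType instead of letting it fall through silently, and it reads shorter than the ladder. If the same ladder is repeated in emit_op_get_from_scope, which the ChangeLog lists as modified, a single helper mapping a ResolveType to its stub would serve both sites.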
[webkit-changes] [284036] trunk/Source/JavaScriptCore
Title: [284036] trunk/Source/_javascript_Core Revision 284036 Author sbar...@apple.com Date 2021-10-12 14:51:35 -0700 (Tue, 12 Oct 2021) Log Message Fix spec-correctness when inlining __proto__ intrinsic using get_by_id_with_this https://bugs.webkit.org/show_bug.cgi?id=231559 Reviewed by Yusuke Suzuki. My original fix in r283512 has some theoretical spec correctness issues. I'm not sure if they can be materialized or not since we only use get_by_id_with_this in very limited scenarios. However, this patch just makes it so we call the getter instead of attempting to inline it when using get_by_id_with_this. * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitLoadPrototypeWithoutCheck): Deleted. * jit/AssemblyHelpers.h: * jit/IntrinsicEmitter.cpp: (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter): (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (284035 => 284036) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-12 21:46:35 UTC (rev 284035) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-12 21:51:35 UTC (rev 284036) 
@@ -1,3 +1,23 @@ +2021-10-12 Saam Barati + +Fix spec-correctness when inlining __proto__ intrinsic using get_by_id_with_this +https://bugs.webkit.org/show_bug.cgi?id=231559 + +Reviewed by Yusuke Suzuki. + +My original fix in r283512 has some theoretical spec correctness issues. +I'm not sure if they can be materialized or not since we only use +get_by_id_with_this in very limited scenarios. However, this patch just +makes it so we call the getter instead of attempting to inline it +when using get_by_id_with_this. + +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::emitLoadPrototypeWithoutCheck): Deleted. +* jit/AssemblyHelpers.h: +* jit/IntrinsicEmitter.cpp: +(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter): +(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): + 2021-10-12 Alex Christensen Use STL instead of WTF::get_if, WTF::Monostate, WTF::visit, and WTF::holds_alternative Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp (284035 => 284036) --- trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2021-10-12 21:46:35 UTC (rev 284035) +++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2021-10-12 21:51:35 UTC (rev 284036) 
@@ -435,36 +435,6 @@ hasMonoProto.link(this); } -void AssemblyHelpers::emitLoadPrototypeWithoutCheck(VM& vm, GPRReg objectGPR, JSValueRegs resultRegs, GPRReg scratchGPR, GPRReg scratch2GPR) -{ -ASSERT(objectGPR != scratchGPR); -ASSERT(objectGPR != scratch2GPR); -ASSERT(resultRegs.payloadGPR() != scratchGPR); -ASSERT(resultRegs.payloadGPR() != scratch2GPR); -#if USE(JSVALUE32_64) -ASSERT(resultRegs.tagGPR() != scratchGPR); -ASSERT(resultRegs.tagGPR() != scratch2GPR); -#endif - -emitLoadStructure(vm, objectGPR, scratchGPR, scratch2GPR); -#if USE(JSVALUE64) -loadValue(MacroAssembler::Address(scratchGPR, Structure::prototypeOffset()), JSValueRegs(scratch2GPR)); -#else -load32(MacroAssembler::Address(scratchGPR, Structure::prototypeOffset() + TagOffset), scratch2GPR); -#endif -auto hasMonoProto = branchIfNotEmpty(scratch2GPR); -loadValue(MacroAssembler::Address(objectGPR, offsetRelativeToBase(knownPolyProtoOffset)), resultRegs); -auto done = jump(); -hasMonoProto.link(this); -#if USE(JSVALUE64) -move(scratch2GPR, resultRegs.payloadGPR()); -#else -load32(MacroAssembler::Address(scratchGPR, Structure::prototypeOffset() + PayloadOffset), resultRegs.payloadGPR()); -move(scratch2GPR, resultRegs.tagGPR()); -#endif -done.link(this); -} - void AssemblyHelpers::makeSpaceOnStackForCCall() { unsigned stackOffset = WTF::roundUpToMultipleOf(stackAlignmentBytes(), maxFrameExtentForSlowPathCall); Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (284035 => 284036) --- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2021-10-12 21:46:35 UTC (rev 284035) +++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2021-10-12 21:51:35 UTC (rev 284036) 
@@ -1530,7 +1530,6 @@ void emitLoadStructure(VM&, RegisterID source, RegisterID dest, RegisterID scratch); void emitLoadPrototype(VM&, GPRReg objectGPR, JSValueRegs resultRegs, GPRReg scratchGPR, JumpList& slowPath); -void emitLoadPrototypeWithoutCheck(VM&, GPRReg objectGPR, JSValueRegs resultRegs, GPRReg scratchGPR, GPRReg scratch2GPR); void emitStoreStructureWithTypeInfo(TrustedImmPtr structure, RegisterID dest, RegisterID) { Modified: trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp (284035 => 284036) ---
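Review bot: the behavioural part of this change is not in the listing. The hunks shown only delete `emitLoadPrototypeWithoutCheck` from AssemblyHelpers.cpp and its declaration from AssemblyHelpers.h; the IntrinsicEmitter.cpp hunk that should make `canEmitIntrinsicGetter` refuse to inline `__proto__` under `get_by_id_with_this` (so that `emitIntrinsicGetter` calls the getter instead) is cut off after its `---` file header, so the fix itself cannot be reviewed here. The ChangeLog also lists no JSTests entry; the log message says the spec issue is theoretical and may not be reachable, but a stress test that at least exercises the `get_by_id_with_this` path for `__proto__` would pin the intended behaviour (call, don't inline) so a later change cannot quietly reintroduce the inlined load.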
[webkit-changes] [283970] trunk/Source
Title: [283970] trunk/Source Revision 283970 Author sbar...@apple.com Date 2021-10-11 23:32:55 -0700 (Mon, 11 Oct 2021) Log Message Remove ImplicitAddress https://bugs.webkit.org/show_bug.cgi?id=230820 Reviewed by Yusuke Suzuki. Source/_javascript_Core: Because we rely on implicit conversion from RegisterID to int values, some compilers (aka MSVC) might convert a constant RegisterID that's passed in to nullptr instead of calling the implicit constructor in ImplicitAddress. For example, I got bit by this when I had code that did: loadPtr(regT0, xyz) This called the loadPtr(void*, RegisterID) function with nullptr passed as the first argument instead of the loadPtr(ImplicitAddress, RegisterID) function. Let's avoid any such problems in the future by just not using ImplicitAddress. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::ImplicitAddress::ImplicitAddress): Deleted. * assembler/MacroAssembler.h: (JSC::MacroAssembler::pushToSave): (JSC::MacroAssembler::popToRestore): (JSC::MacroAssembler::loadPtr): (JSC::MacroAssembler::storePtr): * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::load64): (JSC::MacroAssemblerARM64::load32): (JSC::MacroAssemblerARM64::load16): (JSC::MacroAssemblerARM64::load16Unaligned): (JSC::MacroAssemblerARM64::load16SignedExtendTo32): (JSC::MacroAssemblerARM64::load8): (JSC::MacroAssemblerARM64::load8SignedExtendTo32): (JSC::MacroAssemblerARM64::store64): (JSC::MacroAssemblerARM64::store32): (JSC::MacroAssemblerARM64::store16): (JSC::MacroAssemblerARM64::store8): (JSC::MacroAssemblerARM64::loadDouble): (JSC::MacroAssemblerARM64::loadFloat): (JSC::MacroAssemblerARM64::storeDouble): (JSC::MacroAssemblerARM64::storeFloat): (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters): (JSC::MacroAssemblerARM64::popToRestore): (JSC::MacroAssemblerARM64::pushToSave): (JSC::MacroAssemblerARM64::storePtrWithPatch): (JSC::MacroAssemblerARM64::loadAcq8SignedExtendTo32): (JSC::MacroAssemblerARM64::loadAcq8): 
(JSC::MacroAssemblerARM64::storeRel8): (JSC::MacroAssemblerARM64::loadAcq16SignedExtendTo32): (JSC::MacroAssemblerARM64::loadAcq16): (JSC::MacroAssemblerARM64::storeRel16): (JSC::MacroAssemblerARM64::loadAcq32): (JSC::MacroAssemblerARM64::loadAcq64): (JSC::MacroAssemblerARM64::storeRel32): (JSC::MacroAssemblerARM64::storeRel64): (JSC::MacroAssemblerARM64::loadLink8): (JSC::MacroAssemblerARM64::loadLinkAcq8): (JSC::MacroAssemblerARM64::storeCond8): (JSC::MacroAssemblerARM64::storeCondRel8): (JSC::MacroAssemblerARM64::loadLink16): (JSC::MacroAssemblerARM64::loadLinkAcq16): (JSC::MacroAssemblerARM64::storeCond16): (JSC::MacroAssemblerARM64::storeCondRel16): (JSC::MacroAssemblerARM64::loadLink32): (JSC::MacroAssemblerARM64::loadLinkAcq32): (JSC::MacroAssemblerARM64::storeCond32): (JSC::MacroAssemblerARM64::storeCondRel32): (JSC::MacroAssemblerARM64::loadLink64): (JSC::MacroAssemblerARM64::loadLinkAcq64): (JSC::MacroAssemblerARM64::storeCond64): (JSC::MacroAssemblerARM64::storeCondRel64): (JSC::MacroAssemblerARM64::extractSimpleAddress): * assembler/MacroAssemblerARM64E.h: (JSC::MacroAssemblerARM64E::atomicXchgAdd8): (JSC::MacroAssemblerARM64E::atomicXchgAdd16): (JSC::MacroAssemblerARM64E::atomicXchgAdd32): (JSC::MacroAssemblerARM64E::atomicXchgAdd64): (JSC::MacroAssemblerARM64E::atomicXchgXor8): (JSC::MacroAssemblerARM64E::atomicXchgXor16): (JSC::MacroAssemblerARM64E::atomicXchgXor32): (JSC::MacroAssemblerARM64E::atomicXchgXor64): (JSC::MacroAssemblerARM64E::atomicXchgOr8): (JSC::MacroAssemblerARM64E::atomicXchgOr16): (JSC::MacroAssemblerARM64E::atomicXchgOr32): (JSC::MacroAssemblerARM64E::atomicXchgOr64): (JSC::MacroAssemblerARM64E::atomicXchgClear8): (JSC::MacroAssemblerARM64E::atomicXchgClear16): (JSC::MacroAssemblerARM64E::atomicXchgClear32): (JSC::MacroAssemblerARM64E::atomicXchgClear64): (JSC::MacroAssemblerARM64E::atomicXchg8): (JSC::MacroAssemblerARM64E::atomicXchg16): (JSC::MacroAssemblerARM64E::atomicXchg32): (JSC::MacroAssemblerARM64E::atomicXchg64): 
(JSC::MacroAssemblerARM64E::atomicStrongCAS8): (JSC::MacroAssemblerARM64E::atomicStrongCAS16): (JSC::MacroAssemblerARM64E::atomicStrongCAS32): (JSC::MacroAssemblerARM64E::atomicStrongCAS64): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::or8): (JSC::MacroAssemblerARMv7::or16): (JSC::MacroAssemblerARMv7::or32): (JSC::MacroAssemblerARMv7::load32): (JSC::MacroAssemblerARMv7::load8): (JSC::MacroAssemblerARMv7::load8SignedExtendTo32): (JSC::MacroAssemblerARMv7::load16): (JSC::MacroAssemblerARMv7::load16SignedExtendTo32): (JSC::MacroAssemblerARMv7::store32): (JSC::MacroAssemblerARMv7::store16): (JSC::MacroAssemblerARMv7::loadDouble): (JSC::MacroAssemblerARMv7::loadFloat): (JSC::MacroAssemblerARMv7::storeDouble): (JSC::MacroAssemblerARMv7::storeFloat): (JSC::MacroAssemblerARMv7::storePtrWithPatch): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::load8): (JSC::MacroAssemblerMIPS::load8SignedExtendTo32): (JSC::MacroAssemblerMIPS::load32):
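The overload-resolution hazard the log message above describes, as an added example that is not WebKit code: the `RegisterID`, `ImplicitAddress` and `Address` types and the `loadPtr`-style overloads below are stand-ins (assumptions), and the literal `0` stands in for the constant RegisterID that the message says MSVC treated as a null pointer constant. The functions return a tag so the chosen overload is observable.

```cpp
// Added example, not WebKit code. Stand-in types mirror the shape the log
// message describes: a RegisterID that converts to int, an ImplicitAddress
// with an implicit converting constructor, and two loadPtr overloads that
// compete for a call such as loadPtr(regT0, xyz).
#include <string>

enum RegisterID { regT0 = 0, regT1 = 1 }; // assumption: enum that converts to int

// Like the removed ImplicitAddress: a non-explicit single-argument constructor,
// so a bare register silently becomes an address at the call site.
struct ImplicitAddress {
    int base;
    int offset;
    ImplicitAddress(int base, int offset = 0) : base(base), offset(offset) { }
};

// What callers spell out after the change: the constructor is explicit.
struct Address {
    int base;
    int offset;
    explicit Address(int base, int offset = 0) : base(base), offset(offset) { }
};

// The two overloads the message names, loadPtr(void*, RegisterID) and
// loadPtr(ImplicitAddress, RegisterID), returning a tag instead of emitting code.
std::string loadPtr(const void*, RegisterID) { return "absolute-pointer"; }
std::string loadPtr(ImplicitAddress, RegisterID) { return "implicit-address"; }

std::string loadPtrExplicit(const void*, RegisterID) { return "absolute-pointer"; }
std::string loadPtrExplicit(Address, RegisterID) { return "address"; }

// A null pointer constant reaches const void* by a standard conversion, which
// outranks the user-defined conversion to ImplicitAddress, so the pointer
// overload wins silently. The literal 0 stands in for a constant RegisterID
// that MSVC treated as a null pointer constant (assumption from the log message).
std::string hazardWithConstantZero()
{
    return loadPtr(0, regT1);
}

// A non-constant register has no conversion to a pointer at all, so only the
// ImplicitAddress overload is viable: this is the call the author intended.
std::string implicitWithRuntimeRegister(RegisterID reg)
{
    return loadPtr(reg, regT1);
}

// After the change nothing converts implicitly: the address is constructed
// explicitly, and the pointer overload is not even a candidate.
std::string explicitAddressCall(RegisterID reg)
{
    return loadPtrExplicit(Address(reg), regT1);
}
```

With the explicit constructor, a call such as `loadPtrExplicit(regT0, regT1)` does not compile on any compiler, which is the property the commit buys: the mistake becomes a build error rather than a wrong overload chosen by one toolchain.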
[webkit-changes] [283954] trunk/Source/JavaScriptCore
Title: [283954] trunk/Source/_javascript_Core Revision 283954 Author sbar...@apple.com Date 2021-10-11 17:33:18 -0700 (Mon, 11 Oct 2021) Log Message Share more code that uses ScratchRegisterAllocator in the ICs https://bugs.webkit.org/show_bug.cgi?id=231125 Reviewed by Sam Weinig. We had the same code to allocate a scratch register allocator copy pasted all over the IC code. This patch refactors that to use a shared helper. Also, Delete was using a ScratchRegisterAllocator for no reason (it never allocated a scratch register), so I deleted that code. * bytecode/AccessCase.cpp: (JSC::AccessCase::generateWithGuard): (JSC::AccessCase::generateImpl): * bytecode/GetterSetterAccessCase.cpp: (JSC::GetterSetterAccessCase::emitDOMJITGetter): * bytecode/PolymorphicAccess.cpp: (JSC::AccessGenerationState::makeDefaultScratchAllocator): (JSC::PolymorphicAccess::regenerate): * bytecode/PolymorphicAccess.h: * jit/IntrinsicEmitter.cpp: (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/AccessCase.cpp trunk/Source/_javascript_Core/bytecode/GetterSetterAccessCase.cpp trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (283953 => 283954) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-12 00:09:14 UTC (rev 283953) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-12 00:33:18 UTC (rev 283954) 
@@ -1,5 +1,31 @@ 2021-10-11 Saam Barati +Share more code that uses ScratchRegisterAllocator in the ICs +https://bugs.webkit.org/show_bug.cgi?id=231125 + + +Reviewed by Sam Weinig. + +We had the same code to allocate a scratch register allocator copy pasted +all over the IC code. This patch refactors that to use a shared helper. + +Also, Delete was using a ScratchRegisterAllocator for no reason (it never +allocated a scratch register), so I deleted that code. + +* bytecode/AccessCase.cpp: +(JSC::AccessCase::generateWithGuard): +(JSC::AccessCase::generateImpl): +* bytecode/GetterSetterAccessCase.cpp: +(JSC::GetterSetterAccessCase::emitDOMJITGetter): +* bytecode/PolymorphicAccess.cpp: +(JSC::AccessGenerationState::makeDefaultScratchAllocator): +(JSC::PolymorphicAccess::regenerate): +* bytecode/PolymorphicAccess.h: +* jit/IntrinsicEmitter.cpp: +(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): + +2021-10-11 Saam Barati + Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue https://bugs.webkit.org/show_bug.cgi?id=231465 Modified: trunk/Source/_javascript_Core/bytecode/AccessCase.cpp (283953 => 283954) --- trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2021-10-12 00:09:14 UTC (rev 283953) +++ trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2021-10-12 00:33:18 UTC (rev 283954) 
@@ -1098,14 +1098,7 @@ jit.load8(CCallHelpers::Address(baseGPR, JSCell::typeInfoTypeOffset()), scratchGPR); fallThrough.append(jit.branch32(CCallHelpers::NotEqual, scratchGPR, CCallHelpers::TrustedImm32(ScopedArgumentsType))); -ScratchRegisterAllocator allocator(stubInfo.usedRegisters); -allocator.lock(stubInfo.baseRegs()); -allocator.lock(valueRegs); -allocator.lock(stubInfo.propertyRegs()); -if (stubInfo.m_stubInfoGPR != InvalidGPRReg) -allocator.lock(stubInfo.m_stubInfoGPR); -ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg); -allocator.lock(scratchGPR); +auto allocator = state.makeDefaultScratchAllocator(scratchGPR); GPRReg scratch2GPR = allocator.allocateScratchGPR(); GPRReg scratch3GPR = allocator.allocateScratchGPR(); @@ -1198,14 +1191,7 @@ jit.load32(CCallHelpers::Address(baseGPR, JSArrayBufferView::offsetOfLength()), scratchGPR); state.failAndRepatch.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, scratchGPR)); -ScratchRegisterAllocator allocator(stubInfo.usedRegisters); -allocator.lock(stubInfo.baseRegs()); -allocator.lock(valueRegs); -allocator.lock(stubInfo.propertyRegs()); -if (stubInfo.m_stubInfoGPR != InvalidGPRReg) -allocator.lock(stubInfo.m_stubInfoGPR); -ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg); -allocator.lock(scratchGPR); +auto allocator = state.makeDefaultScratchAllocator(scratchGPR); GPRReg scratch2GPR = allocator.allocateScratchGPR(); ScratchRegisterAllocator::PreservedState preservedState = allocator.preserveReusedRegistersByPushing( @@ -1284,14 +1270,7 @@
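Review bot: both replaced blocks in AccessCase.cpp carried `ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg)` and a conditional `allocator.lock(stubInfo.m_stubInfoGPR)` next to the locks of `stubInfo.baseRegs()`, `valueRegs`, `stubInfo.propertyRegs()` and `scratchGPR`; the one-liner `auto allocator = state.makeDefaultScratchAllocator(scratchGPR);` hides whether those are preserved, and the helper's definition in PolymorphicAccess.cpp is not in this listing. Please confirm the helper locks exactly the same set (with the `m_stubInfoGPR != InvalidGPRReg` guard) and keeps the array-profile assert; if it silently drops a lock, `allocateScratchGPR()` at the next line can hand out a register that is still live. The third call site at @@ -1284,14 +1270,7 @@ is cut off.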
[webkit-changes] [283938] trunk
Title: [283938] trunk Revision 283938 Author sbar...@apple.com Date 2021-10-11 14:45:29 -0700 (Mon, 11 Oct 2021) Log Message Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue https://bugs.webkit.org/show_bug.cgi?id=231465 Reviewed by Yusuke Suzuki. JSTests: * stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added. (foo): Source/_javascript_Core: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult): (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js Diff Modified: trunk/JSTests/ChangeLog (283937 => 283938) --- trunk/JSTests/ChangeLog 2021-10-11 21:21:13 UTC (rev 283937) +++ trunk/JSTests/ChangeLog 2021-10-11 21:45:29 UTC (rev 283938) 
@@ -1,3 +1,14 @@ +2021-10-11 Saam Barati + +Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue +https://bugs.webkit.org/show_bug.cgi?id=231465 + + +Reviewed by Yusuke Suzuki. + +* stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added. +(foo): + 2021-10-09 Yusuke Suzuki [JSC] Refine RegExp#compile based on regexp-legacy-features proposal Added: trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js (0 => 283938) --- trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js (rev 0) +++ trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js 2021-10-11 21:45:29 UTC (rev 283938) @@ -0,0 +1,10 @@ +function foo(o) { +for (let p in o) { +o[p]; +} +} + +for (let i=0; i<1; i++) { +foo(new Uint32Array()); +foo({o:undefined}); +} Modified: trunk/Source/_javascript_Core/ChangeLog (283937 => 283938) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-11 21:21:13 UTC (rev 283937) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-11 21:45:29 UTC (rev 283938) 
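Review bot: the regression test dont-branch-around-regalloc-enumerator-get-by-val.js calls `foo` only once per shape (`for (let i=0; i<1; i++)`) and nothing in the file lowers the tiering thresholds, so it is not obvious that `foo` ever reaches the DFG and `compileGetByValOnIntTypedArray`, which is where the fix lives; please confirm which run configuration gets it there, or raise the iteration count / add a `//@ runDefault(...)` line with lowered thresholds as the other test in this series does. Also, `new Uint32Array()` has length 0, so the for-in body `o[p]` never executes for the typed array; a one-element array would exercise the UInt32 load path at runtime as well as at compile time.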
@@ -1,3 +1,20 @@ +2021-10-11 Saam Barati + +Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue +https://bugs.webkit.org/show_bug.cgi?id=231465 + + +Reviewed by Yusuke Suzuki. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult): +(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): +* dfg/DFGSpeculativeJIT.h: +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + 2021-10-11 Geza Lore [JSC][ARMv7] Make LLInt CSR save/restore order match the JITs Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (283937 => 283938) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-10-11 21:21:13 UTC (rev 283937) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-10-11 21:45:29 UTC (rev 283938) 
@@ -3325,19 +3325,20 @@ } } -void SpeculativeJIT::setIntTypedArrayLoadResult(Node* node, JSValueRegs resultRegs, TypedArrayType type, bool canSpeculate, bool shouldBox) +void SpeculativeJIT::setIntTypedArrayLoadResult(Node* node, JSValueRegs resultRegs, TypedArrayType type, bool canSpeculate, bool shouldBox, FPRReg resultFPR) { bool isUInt32 = elementSize(type) == 4 && !isSigned(type); +if (isUInt32) +ASSERT(resultFPR != InvalidFPRReg); GPRReg resultReg = resultRegs.payloadGPR(); if (shouldBox) { if (isUInt32) { -FPRTemporary fresult(this); -m_jit.convertInt32ToDouble(resultReg, fresult.fpr()); +m_jit.convertInt32ToDouble(resultReg, resultFPR); JITCompiler::Jump positive = m_jit.branch32(MacroAssembler::GreaterThanOrEqual, resultReg, TrustedImm32(0)); -m_jit.addDouble(JITCompiler::AbsoluteAddress(::twoToThe32), fresult.fpr()); +m_jit.addDouble(JITCompiler::AbsoluteAddress(::twoToThe32), resultFPR); positive.link(_jit); -m_jit.boxDouble(fresult.fpr(), resultRegs); +m_jit.boxDouble(resultFPR, resultRegs); } else m_jit.boxInt32(resultRegs.payloadGPR(), resultRegs); jsValueResult(resultRegs, node); @@ -3365,12 +3366,11 @@ } #endif -
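Review bot: the new precondition `if (isUInt32) ASSERT(resultFPR != InvalidFPRReg);` in `setIntTypedArrayLoadResult` is stricter than the code needs: `resultFPR` is only read inside `if (shouldBox) { if (isUInt32) { ... } }`, so a caller doing an unboxed UInt32 load that passes `InvalidFPRReg` trips the assert without any real problem. Either guard on both (`ASSERT(!isUInt32 || !shouldBox || resultFPR != InvalidFPRReg)`) or state in the DFGSpeculativeJIT.h declaration that callers must always supply an FPR for UInt32 loads. The `compileGetByValOnIntTypedArray` and DFGSpeculativeJIT64.cpp hunks, where the `FPRTemporary` presumably moves out from behind the branch, are cut off, so the temporary's new lifetime could not be checked here.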
[webkit-changes] [283862] trunk/Source/JavaScriptCore
Title: [283862] trunk/Source/_javascript_Core Revision 283862 Author sbar...@apple.com Date 2021-10-08 20:29:53 -0700 (Fri, 08 Oct 2021) Log Message Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser https://bugs.webkit.org/show_bug.cgi?id=230823 Reviewed by Yusuke Suzuki. When I ported the phase to run right after bytecode parsing, I wanted to maintain the same behavior as the prior pass that ran after CPS rethreading. I noticed a slight bug in some of my logic that changed some of the heuristics and how they'd affect double voting. The old patch was mimicking the "is loaded from" bit by using the NodeFlags. However, this has some issues with how this interacts with our other uses of NodeFlags. So, to make things simple, I just add a new "VariableIsUsed" bit. * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (283861 => 283862) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-09 02:53:27 UTC (rev 283861) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-09 03:29:53 UTC (rev 283862) 
@@ -1,3 +1,24 @@ +2021-10-08 Saam Barati + +Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser +https://bugs.webkit.org/show_bug.cgi?id=230823 + + +Reviewed by Yusuke Suzuki. + +When I ported the phase to run right after bytecode parsing, I wanted +to maintain the same behavior as the prior pass that ran after CPS +rethreading. I noticed a slight bug in some of my logic that changed +some of heuristics and how they'd effect double voting. + +The old patch was mimicking the "is loaded from" bit by using the NodeFlags. +Howver, this has some issues with how this interacts with our other uses +of NodeFlags. So, to make things simple, I just add a new "VariableIsUsed" +bit. + +* dfg/DFGBackwardsPropagationPhase.cpp: +(JSC::DFG::BackwardsPropagationPhase::propagate): + 2021-10-08 Tadeu Zagallo and Keith Miller Implement the WebAssembly exception handling proposal Modified: trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp (283861 => 283862) --- trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp 2021-10-09 02:53:27 UTC (rev 283861) +++ trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp 2021-10-09 03:29:53 UTC (rev 283862) @@ -32,6 +32,7 @@ #include "DFGGraph.h" #include "DFGPhase.h" #include "JSCJSValueInlines.h" +#include namespace JSC { namespace DFG { @@ -45,7 +46,7 @@ , m_flagsAtHead(graph) { } - + bool run() { for (BasicBlock* block : m_graph.blocksInNaturalOrder()) { @@ -214,6 +215,10 @@ return changed; } +static constexpr NodeFlags VariableIsUsed = 1 << (1 + WTF::getMSBSetConstexpr(NodeBytecodeBackPropMask)); +static_assert(!(VariableIsUsed & NodeBytecodeBackPropMask)); +static_assert(VariableIsUsed > NodeBytecodeBackPropMask, "Verify the above doesn't overflow"); + void propagate(Node* node) { NodeFlags flags = node->flags() & NodeBytecodeBackPropMask; 
@@ -221,9 +226,9 @@ switch (node->op()) { case GetLocal: { VariableAccessData* variableAccessData = node->variableAccessData(); -NodeFlags& flagsRef = m_currentFlags.operand(variableAccessData->operand()); -mergeFlags(flagsRef, flags); -variableAccessData->mergeFlags(flagsRef & ~NodeBytecodeUsesAsInt); // We don't care about cross-block uses-as-int for this. +flags |= m_currentFlags.operand(variableAccessData->operand()); +flags |= VariableIsUsed; +m_currentFlags.operand(variableAccessData->operand()) = flags; break; } @@ -232,10 +237,11 @@ Operand operand = variableAccessData->operand(); NodeFlags flags = m_currentFlags.operand(operand); -if (!flags) +if (!(flags & VariableIsUsed)) break; -RELEASE_ASSERT(!(flags & ~NodeBytecodeBackPropMask)); +flags &= NodeBytecodeBackPropMask; +flags &= ~NodeBytecodeUsesAsInt; // We don't care about cross-block uses-as-int. variableAccessData->mergeFlags(flags); // We union with NodeBytecodeUsesAsNumber to account for the fact that control flow may cause overflows that our modeling can't handle. @@ -248,11 +254,15 @@ case Flush: { VariableAccessData* variableAccessData = node->variableAccessData(); -NodeFlags& flagsRef = m_currentFlags.operand(variableAccessData->operand()); -mergeFlags(flagsRef,
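Review bot: in the GetLocal case the local `flags`, which enters `propagate()` as `node->flags() & NodeBytecodeBackPropMask` and describes the GetLocal node itself, is now widened in place with `flags |= m_currentFlags.operand(...); flags |= VariableIsUsed;` before being stored back. If `flags` is consulted again later in `propagate()` for this node (for instance when it is propagated to children or written onto the node), the synthetic `VariableIsUsed` bit, which the two `static_assert`s deliberately place outside `NodeBytecodeBackPropMask`, leaks into real NodeFlags; using a separate local for the operand entry, as the SetLocal case does with `NodeFlags flags = m_currentFlags.operand(operand);` followed by `flags &= NodeBytecodeBackPropMask;`, avoids that. Separately, the `+#include` line in the first hunk has lost its header name in this listing, so the include that provides `WTF::getMSBSetConstexpr` should be double-checked. The Flush case is cut off mid-line.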
[webkit-changes] [283818] trunk
Title: [283818] trunk Revision 283818 Author sbar...@apple.com Date 2021-10-08 12:01:43 -0700 (Fri, 08 Oct 2021) Log Message RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp* https://bugs.webkit.org/show_bug.cgi?id=231382 Reviewed by Mark Lam. JSTests: * stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js: Added. (foo): Source/_javascript_Core: Because of the RegExp.prototype.compile API, we don't know if the RegExp produced by RegExpExec will have indices or not, because that bit of information can be reset by the RegExp.prototype.compile API. So, we conservatively say that it can produce either structure. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h Added Paths trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js Diff Modified: trunk/JSTests/ChangeLog (283817 => 283818) --- trunk/JSTests/ChangeLog 2021-10-08 18:50:59 UTC (rev 283817) +++ trunk/JSTests/ChangeLog 2021-10-08 19:01:43 UTC (rev 283818) @@ -1,3 +1,14 @@ +2021-10-08 Saam Barati + +RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp* +https://bugs.webkit.org/show_bug.cgi?id=231382 + + +Reviewed by Mark Lam. + +* stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js: Added. +(foo): + 2021-10-07 Philip Chimento [JSC] Temporal tweaks to pass more test262 tests Added: trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js (0 => 283818) --- trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js (rev 0) +++ trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js 2021-10-08 19:01:43 UTC (rev 283818) 
@@ -0,0 +1,12 @@ +// This should not crash. + +function foo() { +let r = /a/; +r.compile(undefined, ...'d'); +let a = r.exec(/b/); +a.x; +} + +for (let i = 0; i < 1000; i++) { +foo(); +} Modified: trunk/Source/_javascript_Core/ChangeLog (283817 => 283818) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-08 18:50:59 UTC (rev 283817) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-08 19:01:43 UTC (rev 283818) @@ -1,3 +1,19 @@ +2021-10-08 Saam Barati + +RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp* +https://bugs.webkit.org/show_bug.cgi?id=231382 + + +Reviewed by Mark Lam. + +Because of the RegExp.prototype.compile API, we don't know if the RegExp +produced by RegExpExec will have indices or not, because that bit of +information can be reset by the RegExp.prototype.compile API. So, we +conservatively say that it can produce either structure. + +* dfg/DFGAbstractInterpreterInlines.h: +(JSC::DFG::AbstractInterpreter::executeEffects): + 2021-10-07 Alexey Shvayka `highWaterMark` should be a readonly WebIDL attribute of queuing strategies Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (283817 => 283818) --- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-10-08 18:50:59 UTC (rev 283817) +++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-10-08 19:01:43 UTC (rev 283818) 
@@ -2615,24 +2615,9 @@ if (JSGlobalObject* globalObject = jsDynamicCast(m_vm, globalObjectValue)) { if (!globalObject->isHavingABadTime()) { m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint()); - -RegExp* regExp = nullptr; -if (node->op() == RegExpExec) { -if (Node* regExpObjectNode = node->child2().node()) { -if (RegExpObject* regExpObject = regExpObjectNode->dynamicCastConstant(m_vm)) -regExp = regExpObject->regExp(); -else if (regExpObjectNode->op() == NewRegexp) -regExp = regExpObjectNode->castOperand(); -} -} else if (node->op() == RegExpExecNonGlobalOrSticky) -regExp = node->castOperand(); - RegisteredStructureSet structureSet; -// If regExp is unknown, we need to put both regExp MatchesArray structure variants in our set. -if (!regExp || !regExp->hasIndices()) -structureSet.add(m_graph.registerStructure(globalObject->regExpMatchesArrayStructure())); -if (!regExp || regExp->hasIndices()) -
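Review bot: the DFGAbstractInterpreterInlines.h hunk removes the `regExp` recovery (the `dynamicCastConstant`, `NewRegexp` and `castOperand` lookups) together with the two conditional `structureSet.add` calls, but the listing stops at `-if (!regExp || regExp->hasIndices())`, so the replacement that should register both `regExpMatchesArrayStructure()` variants unconditionally is not visible; please confirm both structures are always added, and that no other site still narrows on `regExp->hasIndices()`, since the log message's argument (the flag can be reset through `RegExp.prototype.compile`) applies to any such narrowing. In the test, `r.compile(undefined, ...'d')` is what flips the indices flag after `/a/` was created without it; a short comment saying so would make the trigger obvious to the next reader.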
[webkit-changes] [283623] trunk
Title: [283623] trunk Revision 283623 Author sbar...@apple.com Date 2021-10-06 08:49:42 -0700 (Wed, 06 Oct 2021) Log Message Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser https://bugs.webkit.org/show_bug.cgi?id=230823 Reviewed by Robin Morisset. JSTests: * run-backwards-propagation-before-osr-exit-pruning.js: Added. (assert): (main.async v24): (main): Source/_javascript_Core: We've found yet another bug where pruning code after OSR exits before running backwards propagation leads to us breaking the spec in weird IR situations. In the particular test case here, we end up not thinking we care about negative zero for an ArithNegate, and we exit the program while recovering the value 0 instead of -0. Fundamentally, backwards propagation wants to see all bytecode uses. Therefore, it seems like a more sound strategy to run backwards propagation before we end up mucking with the graph. This patch makes it so we run backwards propagation inside bytecode parser before we prune the IR. That way, the phase sees the graph as if it's an IR over the whole bytecode graph. 
* bytecode/Operands.h: (JSC::Operands::operator!= const): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase): (JSC::DFG::BackwardsPropagationPhase::run): (JSC::DFG::BackwardsPropagationPhase::mergeFlags): (JSC::DFG::BackwardsPropagationPhase::propagate): (JSC::DFG::performBackwardsPropagation): * dfg/DFGBackwardsPropagationPhase.h: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parse): * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * dfg/DFGUnificationPhase.cpp: (JSC::DFG::UnificationPhase::run): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/Operands.h trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/dfg/DFGUnificationPhase.cpp Added Paths trunk/JSTests/run-backwards-propagation-before-osr-exit-pruning.js Diff Modified: trunk/JSTests/ChangeLog (283622 => 283623) --- trunk/JSTests/ChangeLog 2021-10-06 15:43:37 UTC (rev 283622) +++ trunk/JSTests/ChangeLog 2021-10-06 15:49:42 UTC (rev 283623) @@ -1,3 +1,16 @@ +2021-10-06 Saam Barati + +Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser +https://bugs.webkit.org/show_bug.cgi?id=230823 + + +Reviewed by Robin Morisset. + +* run-backwards-propagation-before-osr-exit-pruning.js: Added. +(assert): +(main.async v24): +(main): + 2021-10-05 Saam Barati Don't pass DontBuildStrings to next token after parsing an empty parameter list Added: trunk/JSTests/run-backwards-propagation-before-osr-exit-pruning.js (0 => 283623) --- trunk/JSTests/run-backwards-propagation-before-osr-exit-pruning.js (rev 0) +++ trunk/JSTests/run-backwards-propagation-before-osr-exit-pruning.js 2021-10-06 15:49:42 UTC (rev 283623) 
@@ -0,0 +1,24 @@ +//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=true") + +function assert(b) { +if (!b) +throw new Error; +} +function main() { +let v38; +let v40; + +async function v24() { +const v33 = false; +const v34 = -v33; +const v37 = typeof search; +const v39 = v38 ? v30 : 1; +v40 = v34; + +for (let v41 = 0; v41 != 10; v41++) { } +} +[1,1,1].filter(v24); +assert(Object.is(v40, -0) === true); +assert(Object.is(v40, 0) === false); +} +main(); Modified: trunk/Source/_javascript_Core/ChangeLog (283622 => 283623) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-06 15:43:37 UTC (rev 283622) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-06 15:49:42 UTC (rev 283623) @@ -1,3 +1,40 @@ +2021-10-06 Saam Barati + +Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser +https://bugs.webkit.org/show_bug.cgi?id=230823 + + +Reviewed by Robin Morisset. + +We've found yet another bug where pruning code after OSR exits +before running backwards propagation leads to us breaking the spec +in weird IR situations. In the particular test case here, we end +up not thinking we care about negative zero for an ArithNegate, +and we exit the program while recovering the value 0 instead of
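Review bot: the new test run-backwards-propagation-before-osr-exit-pruning.js leaves its trigger unexplained: `const v37 = typeof search;` and `const v39 = v38 ? v30 : 1;` read like fuzzer residue (`v37` and `v39` are never used and `v30` is never declared), yet they are presumably what produces the ForceOSRExit that pruning used to remove ahead of backwards propagation; a comment naming the load-bearing line would keep a future cleanup from deleting them and silently neutering the test. The pair `Object.is(v40, -0) === true` / `Object.is(v40, 0) === false` does check the -0 result the log message describes. Note also that the file lands at JSTests/ root rather than under JSTests/stress/ like the other tests in this series, which may affect which runner picks it up. The Source ChangeLog hunk is cut off mid-sentence.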
[webkit-changes] [283600] trunk
Title: [283600] trunk Revision 283600 Author sbar...@apple.com Date 2021-10-05 22:20:07 -0700 (Tue, 05 Oct 2021) Log Message Don't pass DontBuildStrings to next token after parsing an empty parameter list https://bugs.webkit.org/show_bug.cgi?id=225094 Reviewed by Yusuke Suzuki. JSTests: * stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js: Added. (main.a.prototype.g.toString.string_appeared_here): (main.a): (main): Source/_javascript_Core: We might need the string, it turns out! * parser/Parser.cpp: (JSC::Parser::parseArguments): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/parser/Parser.cpp Added Paths trunk/JSTests/stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js Diff Modified: trunk/JSTests/ChangeLog (283599 => 283600) --- trunk/JSTests/ChangeLog 2021-10-06 03:47:16 UTC (rev 283599) +++ trunk/JSTests/ChangeLog 2021-10-06 05:20:07 UTC (rev 283600) @@ -1,3 +1,16 @@ +2021-10-05 Saam Barati + +Don't pass DontBuildStrings to next token after parsing an empty parameter list +https://bugs.webkit.org/show_bug.cgi?id=225094 + + +Reviewed by Yusuke Suzuki. + +* stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js: Added. +(main.a.prototype.g.toString.string_appeared_here): +(main.a): +(main): + 2021-10-05 Mark Lam CodeBlock should not add/remove LoopHintExecutionCounters. Added: trunk/JSTests/stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js (0 => 283600) --- trunk/JSTests/stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js (rev 0) +++ trunk/JSTests/stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js 2021-10-06 05:20:07 UTC (rev 283600) 
@@ -0,0 +1,7 @@ +// This should not crash the parser. +function main() { +class a { +g = [].toString() +'a'(){} +} +} Modified: trunk/Source/_javascript_Core/ChangeLog (283599 => 283600) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-06 03:47:16 UTC (rev 283599) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-06 05:20:07 UTC (rev 283600) @@ -1,3 +1,16 @@ +2021-10-05 Saam Barati + +Don't pass DontBuildStrings to next token after parsing an empty parameter list +https://bugs.webkit.org/show_bug.cgi?id=225094 + + +Reviewed by Yusuke Suzuki. + +We might need the string, it turns out! + +* parser/Parser.cpp: +(JSC::Parser::parseArguments): + 2021-10-05 Patrick Angle Web Inspector: Show color space for canvases in the Graphics tab on the overview cards Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (283599 => 283600) --- trunk/Source/_javascript_Core/parser/Parser.cpp 2021-10-06 03:47:16 UTC (rev 283599) +++ trunk/Source/_javascript_Core/parser/Parser.cpp 2021-10-06 05:20:07 UTC (rev 283600) @@ -4980,7 +4980,7 @@ consumeOrFailWithFlags(OPENPAREN, TreeBuilder::DontBuildStrings, "Expected opening '(' at start of argument list"); JSTokenLocation location(tokenLocation()); if (match(CLOSEPAREN)) { -next(TreeBuilder::DontBuildStrings); +next(); return context.createArguments(); } auto argumentsStart = m_token.m_startPosition; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
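Review bot: the Parser.cpp hunk drops DontBuildStrings from the next() that follows an empty argument list, but the preceding consumeOrFailWithFlags(OPENPAREN, TreeBuilder::DontBuildStrings, ...) still lexes the token after `(` with the same flag; a comment at the changed call site explaining why the token after `)` may need its string (it can be a string-literal class member name, as in the test's `'a'(){}`) while the token after `(` does not would stop someone reintroducing the flag as an optimization and would make the asymmetry reviewable.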
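Review bot: the added dont-pass-DontBuildStrings-when-building-empty-arguments-list.js only checks that the source parses without crashing, and main() is never called, so the class body is parsed but never evaluated. Calling main() and asserting that the class gets an own method named 'a' (for example returning the class from main and checking `Object.getOwnPropertyNames(a.prototype).includes('a')`) would also pin the behaviour that motivated the fix: that the string 'a' is actually built and used as the method name.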
[webkit-changes] [283527] trunk/Source/JavaScriptCore
Title: [283527] trunk/Source/_javascript_Core Revision 283527 Author sbar...@apple.com Date 2021-10-04 17:33:56 -0700 (Mon, 04 Oct 2021) Log Message Display return values in nicer way in the jsc REPL and add a prettyPrint function https://bugs.webkit.org/show_bug.cgi?id=230931 Reviewed by Tadeu Zagallo. Currently, print(1), print("1"), and print([1]) all print to stdout simply as "1" (without the quotes). Same for values when running the REPL. This isn't super helpful. Let's print quotes for strings, and brackets for arrays. This patch adds a prettyPrint function to do that, since we have a lot of tests that depend on the old print behavior. This patch also makes values printed in the REPL the new pretty style. * jsc.cpp: (toCString): (printInternal): (JSC_DEFINE_HOST_FUNCTION): (runInteractive): (cStringFromViewWithString): Deleted. * runtime/JSCJSValue.cpp: (JSC::JSValue::toWTFStringForConsole const): * runtime/JSCJSValue.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jsc.cpp trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp trunk/Source/_javascript_Core/runtime/JSCJSValue.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (283526 => 283527) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-04 23:50:37 UTC (rev 283526) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-05 00:33:56 UTC (rev 283527) 
@@ -1,5 +1,32 @@ 2021-10-04 Saam Barati +Display return values in nicer way in the jsc REPL and add a prettyPrint function +https://bugs.webkit.org/show_bug.cgi?id=230931 + + +Reviewed by Tadeu Zagallo. + +Currently, print(1), print("1"), and print([1]) all print to stdout +simply as "1" (without the quotes). Same for values when running the +REPL. This isn't super helpful. Let's print quotes for strings, and +brackets for arrays. This patch adds a prettyPrint function to do +that, since we have a lot of tests that depend on the old print behavior. + +This patch also makes values printed in the REPL the new pretty style. + + +* jsc.cpp: +(toCString): +(printInternal): +(JSC_DEFINE_HOST_FUNCTION): +(runInteractive): +(cStringFromViewWithString): Deleted. +* runtime/JSCJSValue.cpp: +(JSC::JSValue::toWTFStringForConsole const): +* runtime/JSCJSValue.h: + +2021-10-04 Saam Barati + IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this https://bugs.webkit.org/show_bug.cgi?id=229951 Modified: trunk/Source/_javascript_Core/jsc.cpp (283526 => 283527) --- trunk/Source/_javascript_Core/jsc.cpp 2021-10-04 23:50:37 UTC (rev 283526) +++ trunk/Source/_javascript_Core/jsc.cpp 2021-10-05 00:33:56 UTC (rev 283527) @@ -278,6 +278,7 @@ static JSC_DECLARE_HOST_FUNCTION(functionPrintStdOut); static JSC_DECLARE_HOST_FUNCTION(functionPrintStdErr); +static JSC_DECLARE_HOST_FUNCTION(functionPrettyPrint); static JSC_DECLARE_HOST_FUNCTION(functionDebug); static JSC_DECLARE_HOST_FUNCTION(functionDescribe); static JSC_DECLARE_HOST_FUNCTION(functionDescribeArray); @@ -527,6 +528,7 @@ addFunction(vm, "describeArray", functionDescribeArray, 1); addFunction(vm, "print", functionPrintStdOut, 1); addFunction(vm, "printErr", functionPrintStdErr, 1); +addFunction(vm, "prettyPrint", functionPrettyPrint, 1); addFunction(vm, "quit", functionQuit, 0); addFunction(vm, "gc", functionGCAndSweep, 0); addFunction(vm, "fullGC", functionFullGC, 0); 
@@ -1238,9 +1240,10 @@ return metaProperties; } -static CString cStringFromViewWithString(JSGlobalObject* globalObject, ThrowScope& scope, StringViewWithUnderlyingString& viewWithString) +template +static CString toCString(JSGlobalObject* globalObject, ThrowScope& scope, T& string) { -Expected expectedString = viewWithString.view.tryGetUtf8(); +Expected expectedString = string.tryGetUtf8(); if (expectedString) return expectedString.value(); switch (expectedString.error()) { @@ -1259,7 +1262,7 @@ return { }; } -static EncodedJSValue printInternal(JSGlobalObject* globalObject, CallFrame* callFrame, FILE* out) +static EncodedJSValue printInternal(JSGlobalObject* globalObject, CallFrame* callFrame, FILE* out, bool pretty) { VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); @@ -1277,13 +1280,11 @@ if (EOF == fputc(' ', out)) goto fail; -auto* jsString = callFrame->uncheckedArgument(i).toString(globalObject); +String string = pretty ? callFrame->uncheckedArgument(i).toWTFStringForConsole(globalObject) : callFrame->uncheckedArgument(i).toWTFString(globalObject); RETURN_IF_EXCEPTION(scope, { }); -auto viewWithString = jsString->viewWithUnderlyingString(globalObject); +auto cString =
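Review bot: in the printInternal hunk the new `bool pretty` parameter will be a bare boolean at every call site, where a call such as `printInternal(globalObject, callFrame, stdout, true)` reads ambiguously; an enum class (PrintMode::Pretty / PrintMode::Legacy, or similar) would be self-documenting. The ternary on the next line also evaluates `callFrame->uncheckedArgument(i)` in both branches; hoisting it into a local `JSValue value` before choosing between toWTFStringForConsole and toWTFString keeps that line readable and makes the single RETURN_IF_EXCEPTION obviously cover both paths.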
[webkit-changes] [283512] trunk
Title: [283512] trunk Revision 283512 Author sbar...@apple.com Date 2021-10-04 12:58:05 -0700 (Mon, 04 Oct 2021) Log Message IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this https://bugs.webkit.org/show_bug.cgi?id=229951 Reviewed by Yusuke Suzuki. JSTests: * stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js: Added. (assert): (main.v37): (main): Source/_javascript_Core: The whole point of get_by_id_with_this is to have different slot base values for |this| vs the slot base when invoking getters. However, our intrinsic getter inlining wasn't respecting this. This patch makes the __proto__ intrinsic getter do the right thing. For typed array intrinsic getters, if they have different |this| value vs slot base, we chose not to inline them, because the type checks are not on the |this| value, so they're not guaranteed to be typed arrays. We can improve upon this in the future. * bytecode/IntrinsicGetterAccessCase.h: * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitLoadPrototypeWithoutCheck): * jit/AssemblyHelpers.h: * jit/IntrinsicEmitter.cpp: (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter): (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): * jit/Repatch.cpp: (JSC::tryCacheGetBy): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/IntrinsicGetterAccessCase.h trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp trunk/Source/_javascript_Core/jit/Repatch.cpp Added Paths trunk/JSTests/stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js Diff Modified: trunk/JSTests/ChangeLog (283511 => 283512) --- trunk/JSTests/ChangeLog 2021-10-04 19:48:22 UTC (rev 283511) +++ trunk/JSTests/ChangeLog 2021-10-04 19:58:05 UTC (rev 283512) 
@@ -1,3 +1,16 @@ +2021-10-04 Saam Barati + +IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this +https://bugs.webkit.org/show_bug.cgi?id=229951 + + +Reviewed by Yusuke Suzuki. + +* stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js: Added. +(assert): +(main.v37): +(main): + 2021-10-02 Yusuke Suzuki [JSC] Update test262 config.yaml since OSS WebKit now uses ICU 64.2 header Added: trunk/JSTests/stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js (0 => 283512) --- trunk/JSTests/stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js (rev 0) +++ trunk/JSTests/stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js 2021-10-04 19:58:05 UTC (rev 283512) @@ -0,0 +1,25 @@ +//@ runDefault("--forcePolyProto=true", "--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=true") + +function assert(b) { +if (!b) +throw new Error; +} + +function main() { +let v41; + +v37 = class V37 { +constructor() { +v41 = super.__proto__; +} +}; + +for (let v70 = 0; v70 < 100; v70++) { +new v37(); +assert(v41 !== null); +} + +} +noDFG(main); +noFTL(main); +main(); Modified: trunk/Source/_javascript_Core/ChangeLog (283511 => 283512) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-04 19:48:22 UTC (rev 283511) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-04 19:58:05 UTC (rev 283512) 
@@ -1,3 +1,30 @@ +2021-10-04 Saam Barati + +IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this +https://bugs.webkit.org/show_bug.cgi?id=229951 + + +Reviewed by Yusuke Suzuki. + +The whole point of get_by_id_with_this is to have different +slot base values for |this| vs the slot base when invoking +getters. However, our intrinsic getter inlining wasn't respecting +this. This patch makes the __proto__ intrinsic getter do the right +thing. For typed array intrinsic getters, if they have different +|this| value vs slot base, we chose not to inline them, because +the type checks are not on the |this| value, so they're not guaranteed +to be typed arrays. We can improve upon this in the future. + +* bytecode/IntrinsicGetterAccessCase.h: +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::emitLoadPrototypeWithoutCheck): +* jit/AssemblyHelpers.h: +* jit/IntrinsicEmitter.cpp: +(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
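Review bot: the added run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js asserts only `v41 !== null`. With |this| being the new V37 instance and the slot base being Object.prototype, `super.__proto__` should evaluate to V37.prototype (the getter runs with the instance as |this|), and the old inlining, which used the slot base, would have produced the prototype of Object.prototype, i.e. null, which is presumably why the assertion is written that way. Asserting `v41 === V37.prototype` pins the exact semantics the ChangeLog describes and still fails on the old behaviour. A comment that `noDFG(main); noFTL(main)` is there so the inline cache from tryCacheGetBy (jit/Repatch.cpp) is exercised from baseline code, rather than the DFG/FTL, would also explain the otherwise surprising tier exclusions.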
[webkit-changes] [283344] trunk/Source/JavaScriptCore
Title: [283344] trunk/Source/_javascript_Core Revision 283344 Author sbar...@apple.com Date 2021-09-30 16:06:22 -0700 (Thu, 30 Sep 2021) Log Message Regressions (r283288): [ macOS Debug ] webgl/2.0.0/conformance/state/gl-object-get-calls.html is timing out https://bugs.webkit.org/show_bug.cgi?id=231024 Reviewed by Mark Lam. Speed up our debug assert by not using a probe. * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JIT.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (283343 => 283344) --- trunk/Source/_javascript_Core/ChangeLog 2021-09-30 22:58:54 UTC (rev 283343) +++ trunk/Source/_javascript_Core/ChangeLog 2021-09-30 23:06:22 UTC (rev 283344) @@ -1,5 +1,18 @@ 2021-09-30 Saam Barati +Regressions (r283288): [ macOS Debug ] webgl/2.0.0/conformance/state/gl-object-get-calls.html is timing out +https://bugs.webkit.org/show_bug.cgi?id=231024 + + +Reviewed by Mark Lam. + +Speed up our debug assert by not using a probe. + +* jit/JIT.cpp: +(JSC::JIT::privateCompileMainPass): + +2021-09-30 Saam Barati + The DFG/FTL need to be aware that Proxy's can produce "function" for typeof and might be callable https://bugs.webkit.org/show_bug.cgi?id=230804 Modified: trunk/Source/_javascript_Core/jit/JIT.cpp (283343 => 283344) --- trunk/Source/_javascript_Core/jit/JIT.cpp 2021-09-30 22:58:54 UTC (rev 283343) +++ trunk/Source/_javascript_Core/jit/JIT.cpp 2021-09-30 23:06:22 UTC (rev 283344) 
@@ -272,13 +272,18 @@ #if ASSERT_ENABLED if (opcodeID != op_catch) { -probeDebug([=] (Probe::Context& ctx) { -CodeBlock* codeBlock = ctx.fp()->codeBlock(); -auto* constantPool = ctx.gpr(s_constantsGPR); -RELEASE_ASSERT(codeBlock->baselineJITConstantPool() == constantPool); -auto* metadata = ctx.gpr(s_metadataGPR); -RELEASE_ASSERT(codeBlock->metadataTable() == metadata); -}); +loadPtr(addressFor(CallFrameSlot::codeBlock), regT0); +loadPtr(Address(regT0, CodeBlock::offsetOfMetadataTable()), regT1); +loadPtr(Address(regT0, CodeBlock::offsetOfJITData()), regT0); +loadPtr(Address(regT0, CodeBlock::JITData::offsetOfJITConstantPool()), regT2); + +auto metadataOK = branchPtr(Equal, regT1, s_metadataGPR); +breakpoint(); +metadataOK.link(this); + +auto constantsOK = branchPtr(Equal, regT2, s_constantsGPR); +breakpoint(); +constantsOK.link(this); } #endif
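Review bot: the JIT.cpp hunk replaces a probe, which preserved all registers, with inline loads that clobber regT0, regT1 and regT2 at the top of every opcode other than op_catch; that is fine only if those registers are guaranteed free at the start of each bytecode in the main pass, and a one-line comment asserting that invariant next to the loads would make the ASSERT_ENABLED block safe to revisit later. Also, `breakpoint()` carries no message, so which invariant failed (metadata table vs. constant pool) is distinguishable only by which of the two breakpoints was hit; the old RELEASE_ASSERTs named the condition, so a comment on each breakpoint (metadataOK / constantsOK already hint at it) would keep that diagnosability.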
[webkit-changes] [283332] trunk
Title: [283332] trunk Revision 283332 Author sbar...@apple.com Date 2021-09-30 13:37:55 -0700 (Thu, 30 Sep 2021) Log Message The DFG/FTL need to be aware that Proxy's can produce "function" for typeof and might be callable https://bugs.webkit.org/show_bug.cgi?id=230804 Reviewed by Yusuke Suzuki. JSTests: * stress/ai-typeof-needs-to-be-aware-of-proxy-2.js: Added. (assert): (builtin.vm.createBuiltin): (builtin2.vm.createBuiltin): (let.p.new.Proxy): * stress/ai-typeof-needs-to-be-aware-of-proxy.js: Added. (assert): (builtin.vm.createBuiltin): (let.p.new.Proxy): * stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js: Added. (main): Source/_javascript_Core: This patch fixes a couple bugs: - We were constant folding typeof on ProxyObject to "object" even when ProxyObject might produce a callable Proxy, and hence, should produce "function". This was a bug in AI. - This also fixes a similar bug in IsCallable's implementation in the FTL where we assumed that ProxyObject's type can't be callable. * bytecode/SpeculatedType.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/SpeculatedType.h trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy-2.js trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy.js trunk/JSTests/stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js Diff Modified: trunk/JSTests/ChangeLog (283331 => 283332) --- trunk/JSTests/ChangeLog 2021-09-30 20:21:45 UTC (rev 283331) +++ trunk/JSTests/ChangeLog 2021-09-30 20:37:55 UTC (rev 283332) 
@@ -1,3 +1,23 @@ +2021-09-30 Saam Barati + +The DFG/FTL need to be aware that Proxy's can produce "function" for typeof and might be callable +https://bugs.webkit.org/show_bug.cgi?id=230804 + + +Reviewed by Yusuke Suzuki. + +* stress/ai-typeof-needs-to-be-aware-of-proxy-2.js: Added. +(assert): +(builtin.vm.createBuiltin): +(builtin2.vm.createBuiltin): +(let.p.new.Proxy): +* stress/ai-typeof-needs-to-be-aware-of-proxy.js: Added. +(assert): +(builtin.vm.createBuiltin): +(let.p.new.Proxy): +* stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js: Added. +(main): + 2021-09-29 Mark Lam DFG strength reduction on % operator should handle an INT_MIN divisor. Added: trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy-2.js (0 => 283332) --- trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy-2.js (rev 0) +++ trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy-2.js 2021-09-30 20:37:55 UTC (rev 283332) @@ -0,0 +1,29 @@ +function assert(b) { +if (!b) +throw new Error; +} + +var builtin = $vm.createBuiltin(`(function (a) { +if (@isProxyObject(a)) { +if (typeof a === "object") +return false; +} +return true; +})`); + +noInline(builtin); + +var builtin2 = $vm.createBuiltin(`(function (a) { +if (@isProxyObject(a)) { +if (typeof a === "function") +return true; +} +return false; +})`); +noInline(builtin2); + +let p = new Proxy(function(){}, {}); +for (let i = 0; i < 1; ++i) { +assert(builtin(p) === true); +assert(builtin2(p) === true); +} Added: trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy.js (0 => 283332) --- trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy.js (rev 0) +++ trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy.js 2021-09-30 20:37:55 UTC (rev 283332) 
@@ -0,0 +1,15 @@ +function assert(b) { +if (!b) +throw new Error; +} + +var builtin = $vm.createBuiltin(`(function (a) { +if (@isProxyObject(a)) +return typeof a; +})`); + +noInline(builtin); + +let p = new Proxy(function(){}, {}); +for (let i = 0; i < 1; ++i) +assert(builtin(p) === "function"); Added: trunk/JSTests/stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js (0 => 283332) --- trunk/JSTests/stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js (rev 0) +++ trunk/JSTests/stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js 2021-09-30 20:37:55 UTC (rev 283332) @@ -0,0 +1,16 @@ +//@ runDefault("--validateOptions=true --useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=true") + +function main() { +let v162; +const v25
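Review bot: the `//@ runDefault(...)` line in the added is-callable-in-ftl-needs-to-be-aware-of-proxy.js passes `"--validateOptions=true --useConcurrentJIT=false"` as a single string, unlike the other tests on this page, which pass `"--validateOptions=true", "--useConcurrentJIT=false"` as two arguments. Depending on how the runner splits options this will either ignore `--useConcurrentJIT=false` or fail option validation (which `--validateOptions=true` is there to enforce), so the two flags should be separated with `", "` like the rest of the list.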
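Review bot: in the two ai-typeof-needs-to-be-aware-of-proxy tests the loop bound is `i < 1`, so each builtin is called exactly once, and neither file carries a `//@ runDefault` line pinning low tier-up thresholds the way the third test does; the tests therefore reach the AI (DFG) constant folding described in the ChangeLog only under whichever runner configuration happens to compile the builtin early. A comment stating that, or a loop count large enough to tier up under default thresholds, would make it clear the test exercises the fixed path rather than just the interpreter.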
[webkit-changes] [283293] trunk
Title: [283293] trunk Revision 283293 Author sbar...@apple.com Date 2021-09-29 18:39:22 -0700 (Wed, 29 Sep 2021) Log Message Print values in a nicer way in the jsc shell https://bugs.webkit.org/show_bug.cgi?id=230931 Reviewed by Tadeu Zagallo. JSTests: * ChakraCore/test/jsc-lib.js: Source/_javascript_Core: Currently, print(1), print("1"), and print([1]) all print to stdout simply as "1" (without the quotes). Same for values when running the REPL. This isn't super helpful. Let's print quotes for strings, and brackets for arrays. Some tests rely on the old print behavior. Those tests now use the legacyPrint instead. * jsc.cpp: (toCString): (printInternal): (JSC_DEFINE_HOST_FUNCTION): (runInteractive): (cStringFromViewWithString): Deleted. * runtime/JSCJSValue.cpp: (JSC::JSValue::toWTFStringForConsole const): * runtime/JSCJSValue.h: LayoutTests: * resources/standalone-pre.js: Modified Paths trunk/JSTests/ChakraCore/test/jsc-lib.js trunk/JSTests/ChangeLog trunk/JSTests/exceptionFuzz/3d-cube.js trunk/JSTests/exceptionFuzz/date-format-xparb.js trunk/JSTests/exceptionFuzz/earley-boyer.js trunk/LayoutTests/ChangeLog trunk/LayoutTests/resources/standalone-pre.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jsc.cpp trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp trunk/Source/_javascript_Core/runtime/JSCJSValue.h Diff Modified: trunk/JSTests/ChakraCore/test/jsc-lib.js (283292 => 283293) --- trunk/JSTests/ChakraCore/test/jsc-lib.js 2021-09-30 01:25:13 UTC (rev 283292) +++ trunk/JSTests/ChakraCore/test/jsc-lib.js 2021-09-30 01:39:22 UTC (rev 283293) @@ -1,3 +1,5 @@ +print = legacyPrint; + WScript = { _jscGC: gc, _jscLoad: load, Modified: trunk/JSTests/ChangeLog (283292 => 283293) --- trunk/JSTests/ChangeLog 2021-09-30 01:25:13 UTC (rev 283292) +++ trunk/JSTests/ChangeLog 2021-09-30 01:39:22 UTC (rev 283293) 
@@ -1,5 +1,14 @@ 2021-09-29 Saam Barati +Print values in a nicer way in the jsc shell +https://bugs.webkit.org/show_bug.cgi?id=230931 + +Reviewed by Tadeu Zagallo. + +* ChakraCore/test/jsc-lib.js: + +2021-09-29 Saam Barati + We need to load the baseline JIT's constant pool register after OSR exit to checkpoints if we return to baseline code https://bugs.webkit.org/show_bug.cgi?id=230972 Modified: trunk/JSTests/exceptionFuzz/3d-cube.js (283292 => 283293) --- trunk/JSTests/exceptionFuzz/3d-cube.js 2021-09-30 01:25:13 UTC (rev 283292) +++ trunk/JSTests/exceptionFuzz/3d-cube.js 2021-09-30 01:39:22 UTC (rev 283293) @@ -358,5 +358,5 @@ })(); } catch (e) { -print("JSC EXCEPTION FUZZ: Caught exception: " + e); +legacyPrint("JSC EXCEPTION FUZZ: Caught exception: " + e); } Modified: trunk/JSTests/exceptionFuzz/date-format-xparb.js (283292 => 283293) --- trunk/JSTests/exceptionFuzz/date-format-xparb.js 2021-09-30 01:25:13 UTC (rev 283292) +++ trunk/JSTests/exceptionFuzz/date-format-xparb.js 2021-09-30 01:39:22 UTC (rev 283293) @@ -424,5 +424,5 @@ })(); } catch (e) { -print("JSC EXCEPTION FUZZ: Caught exception: " + e); +legacyPrint("JSC EXCEPTION FUZZ: Caught exception: " + e); } Modified: trunk/JSTests/exceptionFuzz/earley-boyer.js (283292 => 283293) --- trunk/JSTests/exceptionFuzz/earley-boyer.js 2021-09-30 01:25:13 UTC (rev 283292) +++ trunk/JSTests/exceptionFuzz/earley-boyer.js 2021-09-30 01:39:22 UTC (rev 283293) @@ -4684,6 +4684,6 @@ } })(); } catch (e) { -print("JSC EXCEPTION FUZZ: Caught exception: " + e); +legacyPrint("JSC EXCEPTION FUZZ: Caught exception: " + e); } Modified: trunk/LayoutTests/ChangeLog (283292 => 283293) --- trunk/LayoutTests/ChangeLog 2021-09-30 01:25:13 UTC (rev 283292) +++ trunk/LayoutTests/ChangeLog 2021-09-30 01:39:22 UTC (rev 283293) 
@@ -1,3 +1,12 @@ +2021-09-29 Saam Barati + +Print values in a nicer way in the jsc shell +https://bugs.webkit.org/show_bug.cgi?id=230931 + +Reviewed by Tadeu Zagallo. + +* resources/standalone-pre.js: + 2021-09-29 Chris Dumez [ iOS Debug ] http/tests/xmlhttprequest/access-control-preflight-credential-sync.html is a flaky crash Modified: trunk/LayoutTests/resources/standalone-pre.js (283292 => 283293) --- trunk/LayoutTests/resources/standalone-pre.js 2021-09-30 01:25:13 UTC (rev 283292) +++ trunk/LayoutTests/resources/standalone-pre.js 2021-09-30 01:39:22 UTC (rev 283293) @@ -13,6 +13,8 @@ didPassSomeTestsSilently = false; didFailSomeTests = false; +print = legacyPrint; + function description(msg) { print(msg); Modified: trunk/Source/_javascript_Core/ChangeLog (283292 => 283293) --- trunk/Source/_javascript_Core/ChangeLog 2021-09-30 01:25:13 UTC (rev 283292) +++ trunk/Source/_javascript_Core/ChangeLog 2021-09-30 01:39:22 UTC (rev 283293) @@ -1,5 +1,30 @@ 2021-09-29 Saam Barati +Print values in a nicer way in the jsc shell +https://bugs.webkit.org/show_bug.cgi?id=230931 + +Reviewed
[webkit-changes] [283288] trunk
Title: [283288] trunk Revision 283288 Author sbar...@apple.com Date 2021-09-29 17:47:41 -0700 (Wed, 29 Sep 2021) Log Message We need to load the baseline JIT's constant pool register after OSR exit to checkpoints if we return to baseline code https://bugs.webkit.org/show_bug.cgi?id=230972 Reviewed by Mark Lam and Yusuke Suzuki. JSTests: * stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js: Added. (empty): (empty2): (test): Source/_javascript_Core: Consider the following: - We have a CodeBlock A. - DFG or FTL compiles an exit to A when A is still LLInt code. This means the OSR exit code will materialize registers as if A is LLInt. - We tier up A to Baseline JIT code. - Now, we take the exit to A as if it's LLInt. But the checkpoint OSR exit code will actually jump to the tiered up baseline code when it's done, because it determines where to jump at runtime. Because of this, when we return from the checkpoint code, and if we are jumping into baseline code, we must always load the constant pool register. - There's no need to load the metadata register because that register is shared with LLInt code, and will already contain the right value. * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::dispatchToNextInstructionDuringExit): (JSC::LLInt::llint_slow_path_checkpoint_osr_exit_from_inlined_call): (JSC::LLInt::llint_slow_path_checkpoint_osr_exit): (JSC::LLInt::dispatchToNextInstruction): Deleted. 
* llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Added Paths trunk/JSTests/stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js Diff Modified: trunk/JSTests/ChangeLog (283287 => 283288) --- trunk/JSTests/ChangeLog 2021-09-30 00:21:20 UTC (rev 283287) +++ trunk/JSTests/ChangeLog 2021-09-30 00:47:41 UTC (rev 283288) @@ -1,5 +1,18 @@ 2021-09-29 Saam Barati +We need to load the baseline JIT's constant pool register after OSR exit to checkpoints if we return to baseline code +https://bugs.webkit.org/show_bug.cgi?id=230972 + + +Reviewed by Mark Lam and Yusuke Suzuki. + +* stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js: Added. +(empty): +(empty2): +(test): + +2021-09-29 Saam Barati + Code inside strength reduction can incorrectly prove that we know what lastIndex is https://bugs.webkit.org/show_bug.cgi?id=230802 Added: trunk/JSTests/stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js (0 => 283288) --- trunk/JSTests/stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js (rev 0) +++ trunk/JSTests/stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js 2021-09-30 00:47:41 UTC (rev 283288) 
@@ -0,0 +1,15 @@ +function empty() {} +function empty2() {} + +function test(arr) { +empty.apply(undefined, arr); +empty2(); +} + +for (let i = 0; i < 1; i++) { +let arr = []; +for (let j = 0; j < i+1; j++) { +arr.push(undefined); +} +test(arr); +} Modified: trunk/Source/_javascript_Core/ChangeLog (283287 => 283288) --- trunk/Source/_javascript_Core/ChangeLog 2021-09-30 00:21:20 UTC (rev 283287) +++ trunk/Source/_javascript_Core/ChangeLog 2021-09-30 00:47:41 UTC (rev 283288) @@ -1,3 +1,34 @@ +2021-09-29 Saam Barati + +We need to load the baseline JIT's constant pool register after OSR exit to checkpoints if we return to baseline code +https://bugs.webkit.org/show_bug.cgi?id=230972 + + +Reviewed by Mark Lam and Yusuke Suzuki. + +Consider the following: +- We have a CodeBlock A. +- DFG or FTL compiles an exit to A when A is still LLInt code. This means + the OSR exit code will materialize registers as if A is LLInt. +- We tier up A to Baseline JIT code. +- Now, we take the exit to A as if it's LLInt. But the checkpoint OSR exit + code will actually jump to the tiered up baseline code when it's done, + because it determines where to jump at runtime. Because of this, when + we return from the checkpoint code, and if we are jumping into baseline + code, we must always load the constant pool register. +- There's no need to load the metadata register because that register is + shared with LLInt code, and will already contain the right value. + +* jit/JIT.cpp: +(JSC::JIT::privateCompileMainPass): +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::dispatchToNextInstructionDuringExit): +
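Review bot: the added checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js has no assertion and no `//@ runDefault` line, so it detects the bug only when the runner's configuration tiers test() up from LLInt to baseline between the compile of the exit and the exit itself, exactly the sequence the ChangeLog describes, and then takes a checkpoint OSR exit through `empty.apply(undefined, arr)`. A comment spelling out that intended sequence (and that the outer `i < 1` loop with the inner arr-building loop is the reduced shape that reproduces it) would make a later failure or a silently passing no-op diagnosable.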
[webkit-changes] [283232] trunk
Title: [283232] trunk Revision 283232 Author sbar...@apple.com Date 2021-09-29 10:03:29 -0700 (Wed, 29 Sep 2021) Log Message Code inside strength reduction can incorrectly prove that we know what lastIndex is https://bugs.webkit.org/show_bug.cgi?id=230802 Reviewed by Mark Lam. JSTests: * stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js: Added. (assert): (let.reg.RegExp.foo.g.doExec): (noInline.doExec): Source/_javascript_Core: The phase was searching backwards in the graph to see if it found the RegExp node. However, the RegExp node might be a JSConstant. Hence, the program didn't allocate it. So we can't assume that we know what the lastIndex is. We were incorrectly assuming it was "0" in a program like this: a: JSConstant(RegExp) b: RegExpExec(@a) And we assumed we're invoking RegExpExec with lastIndex is 0, because we found our RegExp in a backwards search. This is likely because we're also matching NewRegExp nodes, in which case, it is valid to say lastIndex is 0. This caused us to return a constant value that would've been the exec result had we invoked it with a NewRegExpNode. * dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::run): (JSC::DFG::StrengthReductionPhase::handleNode): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp Added Paths trunk/JSTests/stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js Diff Modified: trunk/JSTests/ChangeLog (283231 => 283232) --- trunk/JSTests/ChangeLog 2021-09-29 16:56:07 UTC (rev 283231) +++ trunk/JSTests/ChangeLog 2021-09-29 17:03:29 UTC (rev 283232) 
@@ -1,5 +1,18 @@ 2021-09-29 Saam Barati +Code inside strength reduction can incorrectly prove that we know what lastIndex is +https://bugs.webkit.org/show_bug.cgi?id=230802 + + +Reviewed by Mark Lam. + +* stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js: Added. +(assert): +(let.reg.RegExp.foo.g.doExec): +(noInline.doExec): + +2021-09-29 Saam Barati + DoesGCCheck does not use enough bits for nodeIndex https://bugs.webkit.org/show_bug.cgi?id=230915 Added: trunk/JSTests/stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js (0 => 283232) --- trunk/JSTests/stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js (rev 0) +++ trunk/JSTests/stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js 2021-09-29 17:03:29 UTC (rev 283232) @@ -0,0 +1,19 @@ +function assert(b) { +if (!b) +throw new Error; +} + +let reg = RegExp(/foo/g) +function doExec() { +return reg.exec("-foo"); +} +noInline(doExec) + +for (let i = 0; i < 1000; ++i) { +let r = doExec(); +if ((i % 2) === 0) +assert(r[0] === "foo"); +else +assert(r === null); +} + Modified: trunk/Source/_javascript_Core/ChangeLog (283231 => 283232) --- trunk/Source/_javascript_Core/ChangeLog 2021-09-29 16:56:07 UTC (rev 283231) +++ trunk/Source/_javascript_Core/ChangeLog 2021-09-29 17:03:29 UTC (rev 283232) 
@@ -1,3 +1,29 @@ +2021-09-29 Saam Barati + +Code inside strength reduction can incorrectly prove that we know what lastIndex is +https://bugs.webkit.org/show_bug.cgi?id=230802 + + +Reviewed by Mark Lam. + +The phase was searching backwards in the graph to see if it found the RegExp +node. However, the RegExp node might be a JSConstant. Hence, the program +didn't allocate it. So we can't assume that we know what the lastIndex is. +We were incorrectly assuming it was "0" in a program like this: +a: JSConstant(RegExp) +b: RegExpExec(@a) + +And we assumed we're invoking RegExpExec with lastIndex is 0, because we found +our RegExp in a backwards search. This is likely because we're also matching +NewRegExp nodes, in which case, it is valid to say lastIndex is 0. + +This caused us to return a constant value that would've been the exec +result had we invoked it with a NewRegExpNode. + +* dfg/DFGStrengthReductionPhase.cpp: +(JSC::DFG::StrengthReductionPhase::run): +(JSC::DFG::StrengthReductionPhase::handleNode): + 2021-09-29 Yusuke Suzuki [JSC] Use FixedVector in JITConstantPool Modified: trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (283231 => 283232) --- trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2021-09-29 16:56:07 UTC (rev 283231) +++ trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2021-09-29 17:03:29 UTC (rev 283232) @@ -491,11 +491,13 @@ Node* regExpObjectNode = nullptr; RegExp* regExp = nullptr; +bool
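Review bot: in the added test file hunk, `+let reg = RegExp(/foo/g)` and `+noInline(doExec)` are the only statements without a trailing semicolon while the rest of the file uses them; add them for consistency. The alternating expectation in the loop (`r[0] === "foo"` on even iterations, `r === null` on odd ones) is what actually catches the bug, because a folded constant exec result would satisfy only the even iterations; a one-line comment saying that the alternation is the point would stop a future cleanup from "simplifying" the loop to a single assertion.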
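The lastIndex behaviour the commit message relies on, written out as an added JavaScript example. This is not code from the WebKit change; the function names (execSequence, sharedRegExp, freshRegExpPerCall, mayFoldExec) and the sample inputs are mine. It shows why exec() on a reused global regexp cannot be folded to a constant while exec() on a freshly allocated one can, and it covers the sticky flag as well, which the commit message does not mention but which depends on lastIndex in the same way.

```javascript
// Added example (not WebKit code): the lastIndex state that makes folding
// RegExpExec on a reused RegExp unsound. exec() on a /g or /y regexp reads
// lastIndex before matching and writes it back afterwards, so the same call on
// the same object alternates between a match and null. Only a freshly
// allocated regexp (the NewRegExp case) is guaranteed to start at lastIndex 0.

// Does exec() on this regexp consult lastIndex at all? Per the language
// spec, only global and sticky regexps read and update it.
function execDependsOnLastIndex(re) {
  return re.global || re.sticky;
}

// Call exec() n times on ONE regexp object and record each result together
// with the lastIndex it left behind.
function execSequence(re, input, n) {
  const out = [];
  for (let i = 0; i < n; i++) {
    const r = re.exec(input);
    out.push(r === null ? null : { match: r[0], index: r.index, lastIndex: re.lastIndex });
  }
  return out;
}

// The reused-object case from the commit (the JSConstant RegExp): one object
// is created and shared across calls, so state carries over from call to call
// and the result is not a constant.
function sharedRegExp(source, flags, input, n) {
  const reg = new RegExp(source, flags);
  return execSequence(reg, input, n).map(r => (r === null ? null : r.match));
}

// The NewRegExp case: each call allocates its own regexp, so lastIndex is 0
// on every call and the result genuinely is the same every time.
function freshRegExpPerCall(source, flags, input, n) {
  const out = [];
  for (let i = 0; i < n; i++) {
    const reg = new RegExp(source, flags); // lastIndex === 0 by construction
    const r = reg.exec(input);
    out.push(r === null ? null : r[0]);
  }
  return out;
}

// Model of the condition an optimizer needs before replacing exec() with a
// constant: lastIndex must be known, which is the case when the flags ignore
// it or when the regexp is known to be freshly allocated at this call site.
function mayFoldExec(re, regexpIsFreshlyAllocated) {
  return !execDependsOnLastIndex(re) || regexpIsFreshlyAllocated;
}

// Constructed sample run (mirrors the "-foo" input used by the regression test).
console.log(sharedRegExp("foo", "g", "-foo", 4));      // [ 'foo', null, 'foo', null ]
console.log(freshRegExpPerCall("foo", "g", "-foo", 4)); // [ 'foo', 'foo', 'foo', 'foo' ]
```

The two console lines are the whole story: the shared object alternates because the first match leaves lastIndex at 4, the second exec then fails and resets it to 0, and so on; the fresh object never sees anything but lastIndex 0.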
[webkit-changes] [283231] trunk/JSTests
Title: [283231] trunk/JSTests
Revision 283231
Author sbar...@apple.com
Date 2021-09-29 09:56:07 -0700 (Wed, 29 Sep 2021)

Log Message
DoesGCCheck does not use enough bits for nodeIndex
https://bugs.webkit.org/show_bug.cgi?id=230915

Unreviewed. Forgot to add a try/catch in the test.

* stress/verify-can-gc-node-index.js:

Modified Paths
trunk/JSTests/ChangeLog
trunk/JSTests/stress/verify-can-gc-node-index.js

Diff
Modified: trunk/JSTests/ChangeLog (283230 => 283231)
--- trunk/JSTests/ChangeLog 2021-09-29 16:54:57 UTC (rev 283230)
+++ trunk/JSTests/ChangeLog 2021-09-29 16:56:07 UTC (rev 283231)
@@ -1,3 +1,13 @@ +2021-09-29 Saam Barati + +DoesGCCheck does not use enough bits for nodeIndex +https://bugs.webkit.org/show_bug.cgi?id=230915 + + +Unreviewed. Forgot to add a try/catch in the test. + +* stress/verify-can-gc-node-index.js: + 2021-09-28 Saam Barati DoesGCCheck does not use enough bits for nodeIndex
Modified: trunk/JSTests/stress/verify-can-gc-node-index.js (283230 => 283231)
--- trunk/JSTests/stress/verify-can-gc-node-index.js 2021-09-29 16:54:57 UTC (rev 283230)
+++ trunk/JSTests/stress/verify-can-gc-node-index.js 2021-09-29 16:56:07 UTC (rev 283231)
@@ -16,4 +16,6 @@ f(); f(); }; -f(); +try { +f(); +} catch { }
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
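Review bot: `+try { +f(); +} catch { }` swallows every exception, not just the stack overflow that the unbounded recursion in `f` is there to produce, so a genuine failure in the generator or GC path the test exercises would be silenced as well. Suggest rethrowing anything other than the expected overflow, e.g. `} catch (e) { if (!(e instanceof RangeError)) throw e; }`, and saying in a comment that the overflow is intentional.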
[webkit-changes] [283207] trunk
Title: [283207] trunk
Revision 283207
Author sbar...@apple.com
Date 2021-09-28 18:33:02 -0700 (Tue, 28 Sep 2021)

Log Message
DoesGCCheck does not use enough bits for nodeIndex
https://bugs.webkit.org/show_bug.cgi?id=230915

Reviewed by Mark Lam.

JSTests:
* stress/verify-can-gc-node-index.js: Added.
(gen):
(f):

Source/_javascript_Core:
* dfg/DFGDoesGCCheck.h:
(JSC::DFG::DoesGCCheck::DoesGCCheck):
(JSC::DFG::DoesGCCheck::encode):
(JSC::DFG::DoesGCCheck::set):
(JSC::DFG::DoesGCCheck::expectDoesGC const):
(JSC::DFG::DoesGCCheck::isSpecial const):
(JSC::DFG::DoesGCCheck::special):
(JSC::DFG::DoesGCCheck::nodeOp):
(JSC::DFG::DoesGCCheck::nodeIndex):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileLoopHint):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):

Modified Paths
trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h
trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp

Added Paths
trunk/JSTests/stress/verify-can-gc-node-index.js

Diff
Modified: trunk/JSTests/ChangeLog (283206 => 283207)
--- trunk/JSTests/ChangeLog 2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/JSTests/ChangeLog 2021-09-29 01:33:02 UTC (rev 283207)
@@ -1,3 +1,15 @@ +2021-09-28 Saam Barati + +DoesGCCheck does not use enough bits for nodeIndex +https://bugs.webkit.org/show_bug.cgi?id=230915 + + +Reviewed by Mark Lam. + +* stress/verify-can-gc-node-index.js: Added. +(gen): +(f): + 2021-09-28 Alexey Shvayka Speed up setting JSFunction's "prototype" property Added: trunk/JSTests/stress/verify-can-gc-node-index.js (0 => 283207) --- trunk/JSTests/stress/verify-can-gc-node-index.js (rev 0) +++ trunk/JSTests/stress/verify-can-gc-node-index.js 2021-09-29 01:33:02 UTC (rev 283207) @@ -0,0 +1,19 @@ +//@ runDefault("--destroy-vm", "--maximumFunctionForCallInlineCandidateBytecodeCost=500", "--maximumInliningRecursion=5") + +function* gen() { +} +let g = gen(); +function f() { +g.next(); +f(); +f(); +f(); +f(); +f(); +f(); +f(); +f(); +f(); +f(); +}; +f(); Modified: trunk/Source/_javascript_Core/ChangeLog (283206 => 283207) --- trunk/Source/_javascript_Core/ChangeLog 2021-09-29 01:31:43 UTC (rev 283206) +++ trunk/Source/_javascript_Core/ChangeLog 2021-09-29 01:33:02 UTC (rev 283207) 
@@ -1,3 +1,34 @@ +2021-09-28 Saam Barati + +DoesGCCheck does not use enough bits for nodeIndex +https://bugs.webkit.org/show_bug.cgi?id=230915 + + +Reviewed by Mark Lam. + +* dfg/DFGDoesGCCheck.h: +(JSC::DFG::DoesGCCheck::DoesGCCheck): +(JSC::DFG::DoesGCCheck::encode): +(JSC::DFG::DoesGCCheck::set): +(JSC::DFG::DoesGCCheck::expectDoesGC const): +(JSC::DFG::DoesGCCheck::isSpecial const): +(JSC::DFG::DoesGCCheck::special): +(JSC::DFG::DoesGCCheck::nodeOp): +(JSC::DFG::DoesGCCheck::nodeIndex): +* dfg/DFGOSRExit.cpp: +(JSC::DFG::OSRExit::compileExit): +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileLoopHint): +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileNode): +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): +* ftl/FTLOSRExitCompiler.cpp: +(JSC::FTL::compileStub): + 2021-09-28 Alex Christensen Mostly fix Mac CMake build Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h (283206 => 283207) --- trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h 2021-09-29 01:31:43 UTC (rev 283206) +++ trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h 2021-09-29 01:33:02 UTC (rev 283207) @@ -43,39 +43,42 @@ }; DoesGCCheck() -: m_value(encode(true, Special::Uninitialized)) -{ } +{ +u.encoded = encode(true, Special::Uninitialized); +} -static uint32_t encode(bool expectDoesGC, unsigned nodeIndex, unsigned nodeOp) +static uint64_t encode(bool expectDoesGC, unsigned nodeIndex, unsigned nodeOp) { -// We know nodeOp always fits because of the static_assert in DFGDoesGCCheck.cpp. -
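Review bot: in the added test, `+};` after the declaration of `f` leaves a stray empty statement, and the recursion in `f` has no base case, so the test can only end in a stack overflow that nothing catches (r283231 later adds the try/catch); the `//@ runDefault(...)` line should say which of the three options is the one that reproduces the bug so the others can be dropped when they stop being needed.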
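Review bot: in the DFGDoesGCCheck.h hunk, widening `encode` from `uint32_t` to `uint64_t` deletes the comment `// We know nodeOp always fits because of the static_assert in DFGDoesGCCheck.cpp.` rather than updating it; since the bug being fixed is precisely that nodeIndex did not fit its field, keep a static_assert (or a RELEASE_ASSERT in `encode`) that both nodeIndex and nodeOp fit their widened fields, and restate the bit layout in the comment. The constructor now writes `u.encoded` instead of initializing `m_value`, so a short comment at the union's definition on why the encoded and the decoded view share storage would help the next reader.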
[webkit-changes] [283168] trunk/Source/JavaScriptCore
Title: [283168] trunk/Source/_javascript_Core
Revision 283168
Author sbar...@apple.com
Date 2021-09-28 08:32:53 -0700 (Tue, 28 Sep 2021)

Log Message
Make byte codes with arithmetic profiles switch to using an index instead of a pointer in metadata
https://bugs.webkit.org/show_bug.cgi?id=230798

Reviewed by Yusuke Suzuki.

This patch makes each bytecode that uses a BinaryArithProfile/UnaryArithProfile have an index into a table instead of storing a pointer to the profile in its metadata. Then, we can just load the profile using the index in the bytecode, which saves memory.

* bytecode/BytecodeList.rb:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::binaryArithProfileForPC):
(JSC::CodeBlock::unaryArithProfileForPC):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::addBinaryArithProfile):
(JSC::UnlinkedCodeBlockGenerator::addUnaryArithProfile):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
(JSC::BytecodeGenerator::emitInc):
(JSC::BytecodeGenerator::emitDec):
* bytecompiler/BytecodeGenerator.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::updateArithProfileForUnaryArithOp):
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):

Modified Paths
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/BytecodeList.rb
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.h
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h
trunk/Source/_javascript_Core/jit/JITArithmetic.cpp
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm
trunk/Source/_javascript_Core/offlineasm/cloop.rb
trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp

Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (283167 => 283168)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-28 13:37:17 UTC (rev 283167)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-28 15:32:53 UTC (rev 283168)
@@ -1,3 +1,45 @@ +2021-09-28 Saam Barati + +Make byte codes with arithmetic profiles switch to using an index instead of a pointer in metadata +https://bugs.webkit.org/show_bug.cgi?id=230798 + +Reviewed by Yusuke Suzuki. + +This patch makes each bytecode that uses a BinaryArithProfile/UnaryArithProfile +have an index into a table instead of storing a pointer to the profile in its metadata. +Then, we can just load the profile using the index in the bytecode, which saves memory. + +* bytecode/BytecodeList.rb: +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::finishCreation): +(JSC::CodeBlock::binaryArithProfileForPC): +(JSC::CodeBlock::unaryArithProfileForPC): +* bytecode/UnlinkedCodeBlock.cpp: +(JSC::UnlinkedCodeBlock::allocateSharedProfiles): +* bytecode/UnlinkedCodeBlock.h: +* bytecode/UnlinkedCodeBlockGenerator.cpp: +(JSC::UnlinkedCodeBlockGenerator::finalize): +* bytecode/UnlinkedCodeBlockGenerator.h: +(JSC::UnlinkedCodeBlockGenerator::addBinaryArithProfile): +(JSC::UnlinkedCodeBlockGenerator::addUnaryArithProfile): +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::emitUnaryOp): +(JSC::BytecodeGenerator::emitInc): +(JSC::BytecodeGenerator::emitDec): +* bytecompiler/BytecodeGenerator.h: +* jit/JITArithmetic.cpp: +(JSC::JIT::emit_op_negate): +(JSC::JIT::emit_op_add): +(JSC::JIT::emit_op_div): +(JSC::JIT::emit_op_mul): +(JSC::JIT::emit_op_sub): +* llint/LowLevelInterpreter.asm: +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +* runtime/CommonSlowPaths.cpp: +(JSC::updateArithProfileForUnaryArithOp): +(JSC::JSC_DEFINE_COMMON_SLOW_PATH): + 2021-09-28 Alexey Shvayka Speed up setting JSFunction's "prototype" property Modified: trunk/Source/_javascript_Core/bytecode/BytecodeList.rb (283167 => 283168) --- trunk/Source/_javascript_Core/bytecode/BytecodeList.rb 2021-09-28 13:37:17 UTC (rev 283167) +++
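Review bot: this ChangeLog entry is word for word the one landed as r283088 for the same bug two days earlier (the entry dated 2021-09-26 below), and the hunk gives no hint that this is a re-landing; a re-land should say why the first landing was rolled out and what differs this time. The file list also omits offlineasm/cloop.rb even though it appears under Modified Paths; add it with a note on what the C-loop backend needed for the index-based profile lookup.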
[webkit-changes] [283088] trunk/Source/JavaScriptCore
Title: [283088] trunk/Source/_javascript_Core
Revision 283088
Author sbar...@apple.com
Date 2021-09-26 10:23:15 -0700 (Sun, 26 Sep 2021)

Log Message
Make byte codes with arithmetic profiles switch to using an index instead of a pointer in metadata
https://bugs.webkit.org/show_bug.cgi?id=230798

Reviewed by Yusuke Suzuki.

This patch makes each bytecode that uses a BinaryArithProfile/UnaryArithProfile have an index into a table instead of storing a pointer to the profile in its metadata. Then, we can just load the profile using the index in the bytecode, which saves memory.

* bytecode/BytecodeList.rb:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::binaryArithProfileForPC):
(JSC::CodeBlock::unaryArithProfileForPC):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::addBinaryArithProfile):
(JSC::UnlinkedCodeBlockGenerator::addUnaryArithProfile):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
(JSC::BytecodeGenerator::emitInc):
(JSC::BytecodeGenerator::emitDec):
* bytecompiler/BytecodeGenerator.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::updateArithProfileForUnaryArithOp):
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):

Modified Paths
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/BytecodeList.rb
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.h
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h
trunk/Source/_javascript_Core/jit/JITArithmetic.cpp
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm
trunk/Source/_javascript_Core/offlineasm/cloop.rb
trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp

Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (283087 => 283088)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-26 13:47:42 UTC (rev 283087)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-26 17:23:15 UTC (rev 283088)
@@ -1,3 +1,45 @@ +2021-09-26 Saam Barati + +Make byte codes with arithmetic profiles switch to using an index instead of a pointer in metadata +https://bugs.webkit.org/show_bug.cgi?id=230798 + +Reviewed by Yusuke Suzuki. + +This patch makes each bytecode that uses a BinaryArithProfile/UnaryArithProfile +have an index into a table instead of storing a pointer to the profile in its metadata. +Then, we can just load the profile using the index in the bytecode, which saves memory. + +* bytecode/BytecodeList.rb: +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::finishCreation): +(JSC::CodeBlock::binaryArithProfileForPC): +(JSC::CodeBlock::unaryArithProfileForPC): +* bytecode/UnlinkedCodeBlock.cpp: +(JSC::UnlinkedCodeBlock::allocateSharedProfiles): +* bytecode/UnlinkedCodeBlock.h: +* bytecode/UnlinkedCodeBlockGenerator.cpp: +(JSC::UnlinkedCodeBlockGenerator::finalize): +* bytecode/UnlinkedCodeBlockGenerator.h: +(JSC::UnlinkedCodeBlockGenerator::addBinaryArithProfile): +(JSC::UnlinkedCodeBlockGenerator::addUnaryArithProfile): +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::emitUnaryOp): +(JSC::BytecodeGenerator::emitInc): +(JSC::BytecodeGenerator::emitDec): +* bytecompiler/BytecodeGenerator.h: +* jit/JITArithmetic.cpp: +(JSC::JIT::emit_op_negate): +(JSC::JIT::emit_op_add): +(JSC::JIT::emit_op_div): +(JSC::JIT::emit_op_mul): +(JSC::JIT::emit_op_sub): +* llint/LowLevelInterpreter.asm: +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +* runtime/CommonSlowPaths.cpp: +(JSC::updateArithProfileForUnaryArithOp): +(JSC::JSC_DEFINE_COMMON_SLOW_PATH): + 2021-09-25 Saam Barati Build an unlinked baseline JIT Modified: trunk/Source/_javascript_Core/bytecode/BytecodeList.rb (283087 => 283088) --- trunk/Source/_javascript_Core/bytecode/BytecodeList.rb 2021-09-26 13:47:42 UTC (rev 283087) +++
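Review bot: the ChangeLog's `*` file list omits offlineasm/cloop.rb although it appears under Modified Paths; add it and say what changed for the C-loop backend. The description claims the index "saves memory" but gives no figure; stating the per-instruction saving (pointer width versus index width in the metadata) and the total on a representative workload would make the claim checkable by whoever reads this entry later.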
[webkit-changes] [282624] trunk/Source/JavaScriptCore
Title: [282624] trunk/Source/_javascript_Core
Revision 282624
Author sbar...@apple.com
Date 2021-09-16 18:04:59 -0700 (Thu, 16 Sep 2021)

Log Message
Don't throw an exception in the middle of linking a CodeBlock
https://bugs.webkit.org/show_bug.cgi?id=230367

Reviewed by Yusuke Suzuki.

It's cleaner, and probably more correct, to wait until we're done linking the instruction stream before throwing any exceptions from CodeBlock::finishCreation. This guarantees, for example, that all metadata structs are initialized.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::initializeTemplateObjects):
* bytecode/CodeBlock.h:
* runtime/JSScope.cpp:
(JSC::abstractAccess):
(JSC::JSScope::abstractResolve):

Modified Paths
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/runtime/JSScope.cpp

Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (282623 => 282624)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-17 00:53:50 UTC (rev 282623)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-17 01:04:59 UTC (rev 282624)
@@ -1,5 +1,25 @@ 2021-09-16 Saam Barati +Don't throw an exception in the middle of linking a CodeBlock +https://bugs.webkit.org/show_bug.cgi?id=230367 + +Reviewed by Yusuke Suzuki. + +It's cleaner, and probably more correct, to wait until we're done linking +the instruction stream before throwing any exceptions from CodeBlock::finishCreation. +This guarantees, for example, that all metadata structs are initialized. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::finishCreation): +(JSC::CodeBlock::setConstantRegisters): +(JSC::CodeBlock::initializeTemplateObjects): +* bytecode/CodeBlock.h: +* runtime/JSScope.cpp: +(JSC::abstractAccess): +(JSC::JSScope::abstractResolve): + +2021-09-16 Saam Barati + Move some profiling to UnlinkedCodeBlock https://bugs.webkit.org/show_bug.cgi?id=230078 Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (282623 => 282624) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-09-17 00:53:50 UTC (rev 282623) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2021-09-17 01:04:59 UTC (rev 282624) @@ -377,6 +377,8 @@ Base::finishCreation(vm); finishCreationCommon(vm); +ASSERT(vm.heap.isDeferred()); + auto throwScope = DECLARE_THROW_SCOPE(vm); if (m_unlinkedCode->wasCompiledWithTypeProfilerOpcodes() || m_unlinkedCode->wasCompiledWithControlFlowProfilerOpcodes()) 
@@ -383,8 +385,10 @@ vm.functionHasExecutedCache()->removeUnexecutedRange(ownerExecutable->sourceID(), ownerExecutable->typeProfilingStartOffset(vm), ownerExecutable->typeProfilingEndOffset(vm)); ScriptExecutable* topLevelExecutable = ownerExecutable->topLevelExecutable(); -setConstantRegisters(unlinkedCodeBlock->constantRegisters(), unlinkedCodeBlock->constantsSourceCodeRepresentation(), topLevelExecutable); -RETURN_IF_EXCEPTION(throwScope, false); +// We wait to initialize template objects until the end of finishCreation beecause it can +// throw. We rely on linking to put the CodeBlock into a coherent state, so we can't throw +// until we're all done linking. +Vector templateObjectIndices = setConstantRegisters(unlinkedCodeBlock->constantRegisters(), unlinkedCodeBlock->constantsSourceCodeRepresentation()); // We already have the cloned symbol table for the module environment since we need to instantiate // the module environments before linking the code block. We replace the stored symbol table with the already cloned one. @@ -435,7 +439,8 @@ // Bookkeep the strongly referenced module environments. HashSet stronglyReferencedModuleEnvironments; -auto link_profile = [&](const auto& /*instruction*/, auto /*bytecode*/, auto& /*metadata*/) { +auto link_profile = [&](const auto& /*instruction*/, auto /*bytecode*/, auto& metadata) { +static_assert(std::is_same_v); m_numberOfNonArgumentValueProfiles++; }; @@ -499,9 +504,9 @@ LINK(OpGetById, profile) -LINK(OpEnumeratorNext, profile) -LINK(OpEnumeratorInByVal, profile) -LINK(OpEnumeratorHasOwnProperty, profile) +LINK(OpEnumeratorNext) +LINK(OpEnumeratorInByVal) +LINK(OpEnumeratorHasOwnProperty) LINK(OpEnumeratorGetByVal, profile) LINK(OpCall, profile) 
@@ -563,7 +568,6 @@ RELEASE_ASSERT(bytecode.m_resolveType != ResolvedClosureVar); ResolveOp op = JSScope::abstractResolve(m_globalObject.get(), bytecode.m_localScopeDepth, scope, ident, Get, bytecode.m_resolveType, InitializationMode::NotInitialization); -RETURN_IF_EXCEPTION(throwScope, false);
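Review bot: in the @@ -383,8 +385,10 @@ hunk the new comment has a typo, `beecause`. More importantly, the `RETURN_IF_EXCEPTION(throwScope, false)` after `setConstantRegisters` is deleted, and the @@ -563,7 +568,6 @@ hunk deletes the one after `JSScope::abstractResolve`; both are only sound if those functions can no longer throw now that template-object initialization is deferred, so state that invariant with a comment or an `ASSERT(!throwScope.exception())`-style check at each call site rather than relying on the ChangeLog. The `ASSERT(vm.heap.isDeferred())` added in the @@ -377 hunk is the right kind of guard; a one-line comment on why GC must be deferred across linking would complete it.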
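Review bot: in the @@ -499,9 +504,9 @@ hunk, OpEnumeratorNext, OpEnumeratorInByVal and OpEnumeratorHasOwnProperty lose their `profile` link argument while OpEnumeratorGetByVal keeps it. Since `link_profile` now static_asserts the metadata type (the @@ -435,7 +439,8 @@ hunk), is this because those three opcodes' metadata holds a different profile type? That also changes what `m_numberOfNonArgumentValueProfiles` counts, so a comment explaining why they are excluded belongs next to the LINK lines.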
[webkit-changes] [282621] trunk/Source/JavaScriptCore
Title: [282621] trunk/Source/_javascript_Core
Revision 282621
Author sbar...@apple.com
Date 2021-09-16 17:11:24 -0700 (Thu, 16 Sep 2021)

Log Message
Move some profiling to UnlinkedCodeBlock
https://bugs.webkit.org/show_bug.cgi?id=230078

Reviewed by Yusuke Suzuki.

This patch adds UnlinkedValueProfile and UnlinkedArrayProfile to UnlinkedCodeBlock. These profiles serialize the data in ValueProfile and ArrayProfile. Each time a CodeBlock updates value profiles, it mixes in up to date information from the unlinked profiles, and also writes back data to the unlinked profiles, so the data is shared between CodeBlocks of the same UnlinkedCodeBlock.

This patch also fixes a pre-existing bug where we would sometimes think we had more metadata table entries than we really had in practice. This is because MetadataTable::forEach used the next opcode's start pointer. That pointer was aligned to that opcode's metadata alignment. So that might make the previous opcode think it had an extra 1-7 entries (depending on size, alignment, etc). This patch fixes that by having the next opcode's start offset in the table always be the end offset of the previous opcode, and we align the start pointer when using it.

This was measured as a ~0.5% speedup on Speedometer2.

* bytecode/ArrayProfile.h:
(JSC::UnlinkedArrayProfile::update):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllArrayProfilePredictions):
(JSC::CodeBlock::updateAllArrayPredictions):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::metadata):
* bytecode/CodeBlockInlines.h:
(JSC::CodeBlock::forEachArrayProfile): Deleted.
* bytecode/MetadataTable.cpp:
(JSC::DeallocTable::withOpcodeType):
* bytecode/MetadataTable.h:
(JSC::MetadataTable::get):
(JSC::MetadataTable::forEach):
(JSC::MetadataTable::getWithoutAligning):
(JSC::MetadataTable::getImpl): Deleted.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::unlinkedValueProfile):
(JSC::UnlinkedCodeBlock::unlinkedArrayProfile):
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* bytecode/UnlinkedMetadataTable.cpp:
(JSC::UnlinkedMetadataTable::finalize):
* bytecode/UnlinkedMetadataTable.h:
(JSC::UnlinkedMetadataTable::isFinalized):
(JSC::UnlinkedMetadataTable::hasMetadata):
* bytecode/UnlinkedMetadataTableInlines.h:
(JSC::UnlinkedMetadataTable::numEntries):
* bytecode/ValueProfile.h:
(JSC::UnlinkedValueProfile::update):
* bytecompiler/BytecodeGenerator.h:
* llint/LowLevelInterpreter.asm:
* runtime/CachedTypes.cpp:
(JSC::CachedCodeBlock::numValueProfiles const):
(JSC::CachedCodeBlock::numArrayProfiles const):
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::CachedCodeBlock::encode):

Modified Paths
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/ArrayProfile.h
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/bytecode/CodeBlockInlines.h
trunk/Source/_javascript_Core/bytecode/MetadataTable.cpp
trunk/Source/_javascript_Core/bytecode/MetadataTable.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTable.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTable.h
trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTableInlines.h
trunk/Source/_javascript_Core/bytecode/ValueProfile.h
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/runtime/CachedTypes.cpp

Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (282620 => 282621)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-17 00:09:25 UTC (rev 282620)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-17 00:11:24 UTC (rev 282621)
@@ -1,3 +1,71 @@ +2021-09-16 Saam Barati + +Move some profiling to UnlinkedCodeBlock +https://bugs.webkit.org/show_bug.cgi?id=230078 + + +Reviewed by Yusuke Suzuki. + +This patch adds UnlinkedValueProfile and UnlinkedArrayProfile to +UnlinkedCodeBlock. These profiles serialize the data in ValueProfile +and ArrayProfile. Each time a CodeBlock updates value profiles, +it mixes in up to date information from the unlinked profiles, and +also writes back data to the unlinked profiles, so the data is shared +between CodeBlocks of the same UnlinkedCodeBlock. + +This patch also fixes a pre-existing bug where we would sometimes think +we had more metadata table entries than we really had in practice. This is +because MetadataTable::forEach used the next opcode's start pointer. That +
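Review bot: the ChangeLog describes a fix for a pre-existing over-count in MetadataTable::forEach (the next opcode's aligned start pointer making the previous opcode appear to own up to 7 extra entries), but Modified Paths contains no JSTests change, so nothing regression-tests that fix; add a test that iterates metadata for adjacent opcodes with different alignment requirements, or state in the entry why the bug is not directly testable. The entry also mixes two changes (the unlinked profiles and the forEach fix) that could have landed separately, which would make a later bisect easier.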
[webkit-changes] [281826] trunk/Source/JavaScriptCore
Title: [281826] trunk/Source/_javascript_Core
Revision 281826
Author sbar...@apple.com
Date 2021-08-31 15:46:05 -0700 (Tue, 31 Aug 2021)

Log Message
Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell
https://bugs.webkit.org/show_bug.cgi?id=229725

Reviewed by Keith Miller.

If the base isn't a cell, we're calling the slow path with a random value in the property. This works, because the slow paths first branch on if the base is a cell or not, and throw an exception. But we fix this for our own sanity, since it's never a good idea to go to a slow path with a JSValue argument containing unknown bits.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitHasPrivate):

Modified Paths
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp

Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (281825 => 281826)
--- trunk/Source/_javascript_Core/ChangeLog 2021-08-31 22:08:04 UTC (rev 281825)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-08-31 22:46:05 UTC (rev 281826)
@@ -1,3 +1,20 @@ +2021-08-31 Saam Barati + +Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell +https://bugs.webkit.org/show_bug.cgi?id=229725 + +Reviewed by Keith Miller. + +If the base isn't a cell, we're calling the slow path with a random value +in the property. This works, because the slow paths first branch on if +the base is a cell or not, and throw an exception. But we fix this for our +own sanity, since it's never a good idea to go to a slow path with a +JSValue argument containing unknown bits. + +* jit/JITPropertyAccess.cpp: +(JSC::JIT::emit_op_in_by_val): +(JSC::JIT::emitHasPrivate): + 2021-08-31 Aditi Singh Implement Object.hasOwn()
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (281825 => 281826)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-08-31 22:08:04 UTC (rev 281825)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-08-31 22:46:05 UTC (rev 281826)
@@ -1514,8 +1514,8 @@ ArrayProfile* profile = "" emitGetVirtualRegister(base, regT0); +emitGetVirtualRegister(property, regT1); emitJumpSlowCaseIfNotJSCell(regT0, base); -emitGetVirtualRegister(property, regT1); emitArrayProfilingSiteWithCell(regT0, profile, regT2); JITInByValGenerator gen( @@ -1584,8 +1584,8 @@ void JIT::emitHasPrivate(VirtualRegister dst, VirtualRegister base, VirtualRegister propertyOrBrand, AccessType type) { emitGetVirtualRegister(base, regT0); +emitGetVirtualRegister(propertyOrBrand, regT1); emitJumpSlowCaseIfNotJSCell(regT0, base); -emitGetVirtualRegister(propertyOrBrand, regT1); JITInByValGenerator gen( m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), type, RegisterSet::stubUnavailableRegisters(),
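Review bot: both hunks (@@ -1514,8 +1514,8 @@ and @@ -1584,8 +1584,8 @@) move `emitGetVirtualRegister(property..., regT1)` ahead of `emitJumpSlowCaseIfNotJSCell(regT0, base)` so the slow case never runs with an unloaded regT1; that ordering is now load-bearing but nothing in the code says so. Add a one-line comment at each site ("load the property before the cell check: the slow path consumes regT1") so the next refactor does not reorder them back, and consider the same audit for the other baseline emitters that follow the load-base, branch, load-property pattern, since only these two were changed.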
[webkit-changes] [281717] trunk/Source/JavaScriptCore
Title: [281717] trunk/Source/_javascript_Core
Revision 281717
Author sbar...@apple.com
Date 2021-08-27 12:53:12 -0700 (Fri, 27 Aug 2021)

Log Message
Update ARM64EHash
https://bugs.webkit.org/show_bug.cgi?id=228962

Reviewed by Mark Lam.

* assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::ARM64EHash):
(JSC::ARM64EHash::update):
(JSC::ARM64EHash::makeDiversifier):
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::bitsForDiversifier):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::putIntegralUnchecked):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):

Modified Paths
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h
trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp

Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (281716 => 281717)
--- trunk/Source/_javascript_Core/ChangeLog 2021-08-27 19:38:30 UTC (rev 281716)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-08-27 19:53:12 UTC (rev 281717)
@@ -1,3 +1,24 @@ +2021-08-27 Saam Barati + +Update ARM64EHash +https://bugs.webkit.org/show_bug.cgi?id=228962 + + +Reviewed by Mark Lam. + +* assembler/AssemblerBuffer.h: +(JSC::ARM64EHash::ARM64EHash): +(JSC::ARM64EHash::update): +(JSC::ARM64EHash::makeDiversifier): +(JSC::ARM64EHash::nextValue): +(JSC::ARM64EHash::bitsForDiversifier): +(JSC::ARM64EHash::currentHash): +(JSC::ARM64EHash::setUpdatedHash): +(JSC::AssemblerBuffer::AssemblerBuffer): +(JSC::AssemblerBuffer::putIntegralUnchecked): +* assembler/LinkBuffer.cpp: +(JSC::LinkBuffer::copyCompactAndLinkCode): + 2021-08-27 Mikhail R. Gadelha Avoid increasing required alignment of target type warning on ARM 32 bits Modified: trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h (281716 => 281717) --- trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2021-08-27 19:38:30 UTC (rev 281716) +++ trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2021-08-27 19:53:12 UTC (rev 281717) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2019 Apple Inc. All rights reserved. + * Copyright (C) 2008-2021 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -203,14 +203,15 @@ }; #if CPU(ARM64E) +#if PLATFORM(MAC) class ARM64EHash { public: -ARM64EHash(uint32_t initialHash) -: m_hash(initialHash) +ARM64EHash(void* initialHash) +: m_hash(static_cast(bitwise_cast(initialHash))) { } -ALWAYS_INLINE uint32_t update(uint32_t value) +ALWAYS_INLINE uint32_t update(uint32_t value, uint32_t, void*) { uint64_t input = value ^ m_hash; uint64_t a = static_cast(tagInt(input, static_cast(0)) >> 39); 
@@ -222,8 +223,66 @@ private: uint32_t m_hash; }; -#endif +#else +class ARM64EHash { +public: +ARM64EHash(void* diversifier) +{ +setUpdatedHash(0, 0, diversifier); +} +ALWAYS_INLINE uint32_t update(uint32_t instruction, uint32_t index, void* diversifier) +{ +uint32_t currentHash = this->currentHash(index, diversifier); +uint64_t nextIndex = index + 1; +uint32_t output = nextValue(instruction, nextIndex, currentHash); +setUpdatedHash(output, nextIndex, diversifier); +return output; +} + +private: +static constexpr uint8_t initializationNamespace = 0x11; + +static ALWAYS_INLINE PtrTag makeDiversifier(uint8_t namespaceTag, uint64_t index, uint32_t value) +{ +// +return static_cast((static_cast(namespaceTag) << 56) + ((index & 0xFF) << 32) + value); +} + +static ALWAYS_INLINE uint32_t nextValue(uint64_t instruction, uint64_t index, uint32_t currentValue) +{ +uint64_t a = tagInt(instruction, makeDiversifier(0x12, index, currentValue)); +uint64_t b = tagInt(instruction, makeDiversifier(0x13, index, currentValue)); +return (a >> 39) ^ (b >> 23); +} + +static ALWAYS_INLINE uint32_t bitsForDiversifier(void* diversifier) +{ +return bitwise_cast(diversifier); +} + +ALWAYS_INLINE uint32_t currentHash(uint32_t index, void* diversifier) +{ +bool hashFieldIsTagged = index == 0; +if (hashFieldIsTagged) +return untagInt(m_hash, makeDiversifier(initializationNamespace, index, bitsForDiversifier(diversifier))); +return m_hash; +} + +ALWAYS_INLINE void setUpdatedHash(uint32_t value, uint32_t index, void* diversifier) +{ +bool
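Review bot: in the AssemblerBuffer.h hunk, the new `#if PLATFORM(MAC)` branch keeps the old hash and its `update(uint32_t value, uint32_t, void*)` ignores the index and diversifier it now receives, while the `#else` branch tags `m_hash` with a per-buffer diversifier, and neither the ChangeLog entry nor a comment says why the two platforms diverge; please document that at the `#if`. Two smaller points in the `#else` class: `nextValue` returns `(a >> 39) ^ (b >> 23)` and `bitsForDiversifier` returns `bitwise_cast(diversifier)` through a `uint32_t` return type, both implicit 64-to-32-bit narrowings that r280984 spelled out with `static_cast`, and `makeDiversifier` carries an empty `//` comment line that should either describe the layout it builds (namespace tag in bits 56..63, `index & 0xFF` in bits 32..39, `value` in the low 32 bits) or be dropped.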
[webkit-changes] [281665] trunk
Title: [281665] trunk Revision 281665 Author sbar...@apple.com Date 2021-08-26 15:43:32 -0700 (Thu, 26 Aug 2021) Log Message r281485 was not sufficient in where it called disablePeepholeOptimization https://bugs.webkit.org/show_bug.cgi?id=229582 Reviewed by Yusuke Suzuki. JSTests: * stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js: Added. (foo): Source/_javascript_Core: r281485 accidentally deleted a place where we called disablePeepholeOptimization that was necessary. Basically, after we seek where the current instruction in BytecodeGenerator is, we need to disablePeepholeOptimization. * bytecompiler/BytecodeGenerator.cpp: (JSC::ForInContext::finalize): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp Added Paths trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js Diff Modified: trunk/JSTests/ChangeLog (281664 => 281665) --- trunk/JSTests/ChangeLog 2021-08-26 22:43:29 UTC (rev 281664) +++ trunk/JSTests/ChangeLog 2021-08-26 22:43:32 UTC (rev 281665) @@ -1,3 +1,14 @@ +2021-08-26 Saam Barati + +r281485 was not sufficient in where it called disablePeepholeOptimization +https://bugs.webkit.org/show_bug.cgi?id=229582 + + +Reviewed by Yusuke Suzuki. + +* stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js: Added. +(foo): + 2021-08-24 Yusuke Suzuki Update Intl tests to support ICU 68 Added: trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js (0 => 281665) --- trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js (rev 0) +++ trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js 2021-08-26 22:43:32 UTC (rev 281665) 
@@ -0,0 +1,12 @@ +function foo() { +for (var c in b) { +if (b.hasOwnProperty(c)) { +var e = b[c]; +c = "str"; +} +} +} + +try { +foo(); +} catch { } Modified: trunk/Source/_javascript_Core/ChangeLog (281664 => 281665) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-26 22:43:29 UTC (rev 281664) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-26 22:43:32 UTC (rev 281665) @@ -1,3 +1,18 @@ +2021-08-26 Saam Barati + +r281485 was not sufficient in where it called disablePeepholeOptimization +https://bugs.webkit.org/show_bug.cgi?id=229582 + + +Reviewed by Yusuke Suzuki. + +r281485 accidentally deleted a place where we called disablePeepholeOptimization +that was necessary. Basically, after we seek where the current instruction +in BytecodeGenerator is, we need to disablePeepholeOptimization. + +* bytecompiler/BytecodeGenerator.cpp: +(JSC::ForInContext::finalize): + 2021-08-26 Per Arne Vollan [AppleWin] JSC build failure Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (281664 => 281665) --- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2021-08-26 22:43:29 UTC (rev 281664) +++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2021-08-26 22:43:32 UTC (rev 281665) @@ -5386,6 +5386,7 @@ auto end = branchInstIndex + instruction->size(); generator.m_writer.seek(branchInstIndex); +generator.disablePeepholeOptimization(); OpJmp::emit(, BoundLabel(static_cast(newBranchTarget) - static_cast(branchInstIndex))); @@ -5393,9 +5394,8 @@ OpNop::emit(); } +generator.m_writer.seek(generator.m_writer.size()); generator.disablePeepholeOptimization(); // We might've just changed the last bytecode that was emitted. - -generator.m_writer.seek(generator.m_writer.size()); } void StaticPropertyAnalysis::record() ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
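Review bot: in the new for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js, `b` is never declared, so `foo()` throws a ReferenceError at run time that the empty `catch { }` swallows; a one-line comment stating that the test only needs `foo` to be parsed and compiled to bytecode (the `c = "str"` assignment after `b[c]` is what forces the for-in rewrite) would stop a later cleanup from declaring `b` and quietly changing what is exercised.

Review bot: the @@ -5393 hunk now orders `generator.m_writer.seek(generator.m_writer.size())` before `generator.disablePeepholeOptimization()`, and the @@ -5386 hunk restores the reset after `seek(branchInstIndex)`, so each of the two seeks in `ForInContext::finalize` is followed by a reset of the last-instruction bookkeeping; since this is the second revision to get the ordering wrong (r281485 dropped one of the calls), consider a small helper on the generator that seeks and disables in one call so the invariant is enforced rather than remembered.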
[webkit-changes] [281485] trunk
Title: [281485] trunk Revision 281485 Author sbar...@apple.com Date 2021-08-23 19:59:56 -0700 (Mon, 23 Aug 2021) Log Message Disable peephole optimizations in the byte code generator after rewriting instructions for for-in https://bugs.webkit.org/show_bug.cgi?id=229420 Reviewed by Keith Miller. JSTests: * stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js: Added. (foo): Source/_javascript_Core: The final instruction in a for-in loop might be the get by val that we're rewriting because there was an escape. We won't ever actually do peephole optimizations on this get_by_val today, but it breaks some bookkeeping that the bytecode generator does. This patch makes sure the bookkeeping is up to date. * bytecompiler/BytecodeGenerator.cpp: (JSC::ForInContext::finalize): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp Added Paths trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js Diff Modified: trunk/JSTests/ChangeLog (281484 => 281485) --- trunk/JSTests/ChangeLog 2021-08-24 01:28:17 UTC (rev 281484) +++ trunk/JSTests/ChangeLog 2021-08-24 02:59:56 UTC (rev 281485) 
@@ -1,5 +1,16 @@ 2021-08-23 Saam Barati +Disable peephole optimizations in the byte code generator after rewriting instructions for for-in +https://bugs.webkit.org/show_bug.cgi?id=229420 + + +Reviewed by Keith Miller. + +* stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js: Added. +(foo): + +2021-08-23 Saam Barati + compileEnumeratorHasProperty uses flushRegisters incorrectly https://bugs.webkit.org/show_bug.cgi?id=229412 Added: trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js (0 => 281485) --- trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js (rev 0) +++ trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js 2021-08-24 02:59:56 UTC (rev 281485) @@ -0,0 +1,9 @@ +function foo() { +for (let x in []) { +x in undefined; +x = 0; +[][x]; +} +} +foo(); + Modified: trunk/Source/_javascript_Core/ChangeLog (281484 => 281485) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-24 01:28:17 UTC (rev 281484) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-24 02:59:56 UTC (rev 281485) 
@@ -1,5 +1,22 @@ 2021-08-23 Saam Barati +Disable peephole optimizations in the byte code generator after rewriting instructions for for-in +https://bugs.webkit.org/show_bug.cgi?id=229420 + + +Reviewed by Keith Miller. + +The final instruction in a for-in loop might be the get by val that +we're rewriting because there was an escape. We won't ever actually +do peephole optimizations on this get_by_val today, but it breaks +some bookkeeping that the bytecode generator does. This patch makes +sure the bookkeeping is up to date. + +* bytecompiler/BytecodeGenerator.cpp: +(JSC::ForInContext::finalize): + +2021-08-23 Saam Barati + compileEnumeratorHasProperty uses flushRegisters incorrectly https://bugs.webkit.org/show_bug.cgi?id=229412 Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (281484 => 281485) --- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2021-08-24 01:28:17 UTC (rev 281484) +++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2021-08-24 02:59:56 UTC (rev 281485) @@ -5369,9 +5369,6 @@ if (!escaped) return; -OpcodeID lastOpcodeID = generator.m_lastOpcodeID; -InstructionStream::MutableRef lastInstruction = generator.m_lastInstruction; - for (const auto& instTuple : m_getInsts) rewriteOp(generator, instTuple); @@ -5390,8 +5387,6 @@ generator.m_writer.seek(branchInstIndex); -generator.disablePeepholeOptimization(); - OpJmp::emit(, BoundLabel(static_cast(newBranchTarget) - static_cast(branchInstIndex))); while (generator.m_writer.position() < end) 
@@ -5398,11 +5393,9 @@ OpNop::emit(); } +generator.disablePeepholeOptimization(); // We might've just changed the last bytecode that was emitted. + generator.m_writer.seek(generator.m_writer.size()); -if (generator.m_lastInstruction.offset() + generator.m_lastInstruction->size() != generator.m_writer.size()) { -generator.m_lastOpcodeID = lastOpcodeID; -generator.m_lastInstruction = lastInstruction; -} } void StaticPropertyAnalysis::record()
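Review bot: in the @@ -5390 hunk, dropping the `generator.disablePeepholeOptimization()` that followed `generator.m_writer.seek(branchInstIndex)` and re-adding it (@@ -5398) only after the `OpNop::emit()` loop places the new call before `generator.m_writer.seek(generator.m_writer.size())`, so the final seek back to the end of the stream is no longer followed by a reset of the last-instruction bookkeeping; if the rule the commit title states is that the bookkeeping must be refreshed after the instruction stream is rewritten, the reset belongs after that last seek as well (r281665, above, makes exactly that correction).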
[webkit-changes] [281473] trunk
Title: [281473] trunk Revision 281473 Author sbar...@apple.com Date 2021-08-23 14:44:19 -0700 (Mon, 23 Aug 2021) Log Message compileEnumeratorHasProperty uses flushRegisters incorrectly https://bugs.webkit.org/show_bug.cgi?id=229412 Reviewed by Keith Miller. JSTests: * stress/for-in-has-own-property-shouldnt-flush-registers.js: Added. (foo): * stress/for-in-in-by-val-shouldnt-flush-registers.js: Added. (a.toString): Source/_javascript_Core: We were calling flushRegisters() inside code that isn't always run inside the EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how flushRegisters() must be used, since flushRegisters() updates global register allocation state, and therefore must run each time a node is run. To fix, we move flushRegisters() before the code starts emitting branches. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp Added Paths trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js Diff Modified: trunk/JSTests/ChangeLog (281472 => 281473) --- trunk/JSTests/ChangeLog 2021-08-23 21:39:37 UTC (rev 281472) +++ trunk/JSTests/ChangeLog 2021-08-23 21:44:19 UTC (rev 281473) 
@@ -1,3 +1,16 @@ +2021-08-23 Saam Barati + +compileEnumeratorHasProperty uses flushRegisters incorrectly +https://bugs.webkit.org/show_bug.cgi?id=229412 + + +Reviewed by Keith Miller. + +* stress/for-in-has-own-property-shouldnt-flush-registers.js: Added. +(foo): +* stress/for-in-in-by-val-shouldnt-flush-registers.js: Added. +(a.toString): + 2021-08-22 Yusuke Suzuki [JSC] Remove already-shipped wasm option flags Added: trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js (0 => 281473) --- trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js (rev 0) +++ trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js 2021-08-23 21:44:19 UTC (rev 281473) @@ -0,0 +1,11 @@ +function foo(o) { +for (let p in o) { +o.hasOwnProperty(p); +o.__proto__ = undefined; +} +} + +for (let i = 0; i < 10; ++i) { +foo({f:42}); +} + Added: trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (0 => 281473) --- trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (rev 0) +++ trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js 2021-08-23 21:44:19 UTC (rev 281473) @@ -0,0 +1,13 @@ +const a = [undefined]; +a.toString = ()=>{}; + +function foo() { +for (let x in a) { + x in a; + +x; +} +} + +for (let i=0; i<1; i++) { + foo(); +} Modified: trunk/Source/_javascript_Core/ChangeLog (281472 => 281473) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-23 21:39:37 UTC (rev 281472) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-23 21:44:19 UTC (rev 281473) 
@@ -1,3 +1,20 @@ +2021-08-23 Saam Barati + +compileEnumeratorHasProperty uses flushRegisters incorrectly +https://bugs.webkit.org/show_bug.cgi?id=229412 + + +Reviewed by Keith Miller. + +We were calling flushRegisters() inside code that isn't always runs inside the +EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how +flushRegisters() must be used, since flushRegisters() updates global register +allocation state, and therefore must run each time a node is run. To fix, we +move flushRegisters() before the code starts emitting branches. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty): + 2021-08-23 Yusuke Suzuki [JSC] emitArrayProfilingSiteWithCell should not load indexingType unnecessarily Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281472 => 281473) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-23 21:39:37 UTC (rev 281472) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-08-23 21:44:19 UTC (rev 281473) @@ -13692,6 +13692,8 @@ GPRReg modeGPR = mode.gpr(); GPRReg enumeratorGPR = enumerator.gpr(); +flushRegisters(); + JSValueRegsTemporary result(this); JSValueRegs resultRegs = result.regs(); @@ -13711,7 +13713,6 @@ operationCases.link(_jit); -flushRegisters(); #if USE(JSVALUE32_64) m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR()); auto baseRegs = JSValueRegs(baseCellGPR, resultRegs.tagGPR());
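Review bot: in the @@ -13692 hunk the hoisted `flushRegisters()` now runs unconditionally, ahead of `JSValueRegsTemporary result(this)` and of every branch the node emits, which is what the entry's rule (global register-allocation state must be updated on every execution of the node) requires, whereas the removed call in the @@ -13711 hunk sat after `operationCases.link(&m_jit)` and so ran only on the slow path; please add a short comment at the new call site giving that reason, because a later cleanup will otherwise see a flush on the fast path and be tempted to push it back down into the slow path.

Review bot: for-in-in-by-val-shouldnt-flush-registers.js mixes one-space and no indentation (` x in a;`, `+x;`, ` foo();`) and its driver loop runs a single iteration (`i<1`), which will not warm `foo` up on its own, so the test presumably relies on the harness's eager JIT configurations to reach `compileEnumeratorHasProperty`; a comment saying which configuration is expected to hit the node (or the same ten-iteration loop the sibling test uses) would keep that intent visible through a style cleanup.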
[webkit-changes] [281178] trunk/Source/JavaScriptCore
Title: [281178] trunk/Source/_javascript_Core Revision 281178 Author sbar...@apple.com Date 2021-08-17 19:27:03 -0700 (Tue, 17 Aug 2021) Log Message Add an option for canonicalizePrePostIncrements https://bugs.webkit.org/show_bug.cgi?id=229211 Reviewed by Mark Lam. The current phase has bugs. Let's disable it for now until the bugs are fixed. See discussion about the bugs I spotted in: https://bugs.webkit.org/show_bug.cgi?id=228538 * b3/B3Generate.cpp: (JSC::B3::generateToAir): * b3/testb3_3.cpp: (addShrTests): * runtime/OptionsList.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/B3Generate.cpp trunk/Source/_javascript_Core/b3/testb3_3.cpp trunk/Source/_javascript_Core/runtime/OptionsList.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (281177 => 281178) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-18 02:20:25 UTC (rev 281177) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-18 02:27:03 UTC (rev 281178) @@ -1,3 +1,21 @@ +2021-08-17 Saam Barati + +Add an option for canonicalizePrePostIncrements +https://bugs.webkit.org/show_bug.cgi?id=229211 + + +Reviewed by Mark Lam. + +The current phase has bugs. Let's disable it for now until the bugs +are fixed. See discussion about the bugs I spotted in: +https://bugs.webkit.org/show_bug.cgi?id=228538 + +* b3/B3Generate.cpp: +(JSC::B3::generateToAir): +* b3/testb3_3.cpp: +(addShrTests): +* runtime/OptionsList.h: + 2021-08-16 Mark Lam Ensure that unused LLInt opcodes are not inadvertently used. Modified: trunk/Source/_javascript_Core/b3/B3Generate.cpp (281177 => 281178) --- trunk/Source/_javascript_Core/b3/B3Generate.cpp 2021-08-18 02:20:25 UTC (rev 281177) +++ trunk/Source/_javascript_Core/b3/B3Generate.cpp 2021-08-18 02:27:03 UTC (rev 281178) 
@@ -118,7 +118,7 @@ lowerMacrosAfterOptimizations(procedure); legalizeMemoryOffsets(procedure); moveConstants(procedure); -if (procedure.optLevel() >= 2) +if (Options::useB3CanonicalizePrePostIncrements() && procedure.optLevel() >= 2) canonicalizePrePostIncrements(procedure); eliminateDeadCode(procedure); Modified: trunk/Source/_javascript_Core/b3/testb3_3.cpp (281177 => 281178) --- trunk/Source/_javascript_Core/b3/testb3_3.cpp 2021-08-18 02:20:25 UTC (rev 281177) +++ trunk/Source/_javascript_Core/b3/testb3_3.cpp 2021-08-18 02:27:03 UTC (rev 281178) @@ -4097,15 +4097,17 @@ RUN(testZShrArgImm32(0x, 1)); RUN(testZShrArgImm32(0x, 63)); -RUN(testLoadPreIndex32()); -RUN(testLoadPreIndex64()); -RUN(testLoadPostIndex32()); -RUN(testLoadPostIndex64()); +if (Options::useB3CanonicalizePrePostIncrements()) { +RUN(testLoadPreIndex32()); +RUN(testLoadPreIndex64()); +RUN(testLoadPostIndex32()); +RUN(testLoadPostIndex64()); -RUN(testStorePreIndex32()); -RUN(testStorePreIndex64()); -RUN(testStorePostIndex32()); -RUN(testStorePostIndex64()); +RUN(testStorePreIndex32()); +RUN(testStorePreIndex64()); +RUN(testStorePostIndex32()); +RUN(testStorePostIndex64()); +} } #endif // ENABLE(B3_JIT) Modified: trunk/Source/_javascript_Core/runtime/OptionsList.h (281177 => 281178) --- trunk/Source/_javascript_Core/runtime/OptionsList.h 2021-08-18 02:20:25 UTC (rev 281177) +++ trunk/Source/_javascript_Core/runtime/OptionsList.h 2021-08-18 02:27:03 UTC (rev 281178) 
@@ -437,6 +437,7 @@ v(Unsigned, maxB3TailDupBlockSize, 3, Normal, nullptr) \ v(Unsigned, maxB3TailDupBlockSuccessors, 3, Normal, nullptr) \ v(Bool, useB3HoistLoopInvariantValues, false, Normal, nullptr) \ +v(Bool, useB3CanonicalizePrePostIncrements, false, Normal, nullptr) \ \ v(Bool, useDollarVM, false, Restricted, "installs the $vm debugging tool in global objects") \ v(OptionString, functionOverrides, nullptr, Restricted, "file with debugging overrides for function bodies") \
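Review bot: in the OptionsList.h hunk the new `useB3CanonicalizePrePostIncrements` option is added with a `nullptr` description; since the entry says the phase is being switched off because of open bugs (bug 228538), give the option a description string saying it is disabled by default pending that bug, as the neighbouring `useDollarVM` and `functionOverrides` entries do, so nobody flips it on without knowing why it was off.

Review bot: in the testb3_3.cpp hunk the pre/post-index load and store tests now run only when the option is set, so a default testb3 run no longer exercises `canonicalizePrePostIncrements` at all; until the phase is fixed, either run those tests with the option forced on in a dedicated configuration or state in the entry that the phase is currently untested, so that regressions in it are not masked while the option is off.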
[webkit-changes] [280984] trunk/Source/JavaScriptCore
Title: [280984] trunk/Source/_javascript_Core Revision 280984 Author sbar...@apple.com Date 2021-08-12 13:45:02 -0700 (Thu, 12 Aug 2021) Log Message Update ARM64EHash https://bugs.webkit.org/show_bug.cgi?id=228962 Reviewed by Mark Lam. * assembler/AssemblerBuffer.h: (JSC::ARM64EHash::makeDiversifier): (JSC::ARM64EHash::nextValue): (JSC::ARM64EHash::bitsForDiversifier): (JSC::ARM64EHash::currentHash): (JSC::ARM64EHash::setUpdatedHash): (JSC::ARM64EHash::ARM64EHash): (JSC::ARM64EHash::update): (JSC::ARM64EHash::finalize): (JSC::AssemblerBuffer::AssemblerBuffer): (JSC::AssemblerBuffer::putIntegralUnchecked): (JSC::AssemblerBuffer::hash const): * assembler/LinkBuffer.cpp: (JSC::LinkBuffer::copyCompactAndLinkCode): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (280983 => 280984) --- trunk/Source/_javascript_Core/ChangeLog 2021-08-12 20:35:58 UTC (rev 280983) +++ trunk/Source/_javascript_Core/ChangeLog 2021-08-12 20:45:02 UTC (rev 280984) 
@@ -1,3 +1,26 @@ +2021-08-12 Saam Barati + +Update ARM64EHash +https://bugs.webkit.org/show_bug.cgi?id=228962 + + +Reviewed by Mark Lam. + +* assembler/AssemblerBuffer.h: +(JSC::ARM64EHash::makeDiversifier): +(JSC::ARM64EHash::nextValue): +(JSC::ARM64EHash::bitsForDiversifier): +(JSC::ARM64EHash::currentHash): +(JSC::ARM64EHash::setUpdatedHash): +(JSC::ARM64EHash::ARM64EHash): +(JSC::ARM64EHash::update): +(JSC::ARM64EHash::finalize): +(JSC::AssemblerBuffer::AssemblerBuffer): +(JSC::AssemblerBuffer::putIntegralUnchecked): +(JSC::AssemblerBuffer::hash const): +* assembler/LinkBuffer.cpp: +(JSC::LinkBuffer::copyCompactAndLinkCode): + 2021-08-11 Yusuke Suzuki WTFCrash in JSC::Lexer::append8 Modified: trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h (280983 => 280984) --- trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2021-08-12 20:35:58 UTC (rev 280983) +++ trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2021-08-12 20:45:02 UTC (rev 280984) 
@@ -205,22 +205,62 @@ #if CPU(ARM64E) class ARM64EHash { public: -ARM64EHash(uint32_t initialHash) -: m_hash(initialHash) +static constexpr uint8_t initializationNamespace = 0x11; + +static ALWAYS_INLINE PtrTag makeDiversifier(uint8_t namespaceTag, uint64_t index, uint32_t value) { +// +return static_cast((static_cast(namespaceTag) << 56) + ((index & 0xFF) << 32) + static_cast(value)); } -ALWAYS_INLINE uint32_t update(uint32_t value) +static ALWAYS_INLINE uint32_t nextValue(uint64_t instruction, uint64_t index, uint32_t currentValue) { -uint64_t input = value ^ m_hash; -uint64_t a = static_cast(tagInt(input, static_cast(0)) >> 39); -uint64_t b = tagInt(input, static_cast(0xb7e151628aed2a6a)) >> 23; -m_hash = a ^ b; -return m_hash; +uint64_t a = tagInt(instruction, makeDiversifier(0x12, index, currentValue)); +uint64_t b = tagInt(instruction, makeDiversifier(0x13, index, currentValue)); +return static_cast((a >> 39) ^ (b >> 23)); } +static ALWAYS_INLINE uint32_t bitsForDiversifier(void* diversifier) +{ +return static_cast(bitwise_cast(diversifier)); +} + +ALWAYS_INLINE uint32_t currentHash(uint32_t index, void* diversifier) +{ +uint64_t result; +bool hashFieldIsTagged = index == 0; +if (hashFieldIsTagged) +result = untagInt(m_hash, makeDiversifier(initializationNamespace, index, bitsForDiversifier(diversifier))); +else +result = m_hash; +return static_cast(result); +} + +ALWAYS_INLINE void setUpdatedHash(uint32_t value, uint32_t index, void* diversifier) +{ +bool shouldTagHashField = index == 0; +if (shouldTagHashField) +m_hash = tagInt(static_cast(value), makeDiversifier(initializationNamespace, index, bitsForDiversifier(diversifier))); +else +m_hash = value; +} + +ARM64EHash(void* diversifier) +{ +setUpdatedHash(0, 0, diversifier); +} + +ALWAYS_INLINE uint32_t update(uint32_t instruction, uint32_t index, void* diversifier) +{ +uint32_t currentHash = this->currentHash(index, diversifier); +uint64_t nextIndex = index + 1; +uint32_t output = nextValue(instruction, 
nextIndex, currentHash); +setUpdatedHash(output, nextIndex, diversifier); +return output; +} + private: -
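Review bot: in the AssemblerBuffer.h hunk, `currentHash` and `setUpdatedHash` PAC-tag the stored hash only when `index == 0`, and because `update` always stores with `nextIndex = index + 1`, only the constructor's initial state is ever tagged while every later value sits in `m_hash` untagged; that is presumably acceptable because each later value is itself the output of `tagInt` keyed on the index and the previous hash, but the `hashFieldIsTagged` and `shouldTagHashField` flags deserve a comment saying exactly that. Separately, `makeDiversifier` folds only the low byte of the index (`index & 0xFF`) into bits 32..39, so instruction indices 256 apart yield the same diversifier for the same hash value; if that is intentional, the currently empty `//` comment above the return is the place to say so.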
[webkit-changes] [280216] trunk/JSTests
Title: [280216] trunk/JSTests Revision 280216 Author sbar...@apple.com Date 2021-07-22 20:17:51 -0700 (Thu, 22 Jul 2021) Log Message JSTests/stress/test-out-of-memory shouldn't assume that we always OOM https://bugs.webkit.org/show_bug.cgi?id=228213 Reviewed by Mark Lam. * stress/test-out-of-memory.js: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/test-out-of-memory.js Diff Modified: trunk/JSTests/ChangeLog (280215 => 280216) --- trunk/JSTests/ChangeLog 2021-07-23 03:17:00 UTC (rev 280215) +++ trunk/JSTests/ChangeLog 2021-07-23 03:17:51 UTC (rev 280216) @@ -1,3 +1,12 @@ +2021-07-22 Saam Barati + +JSTests/stress/test-out-of-memory shouldn't assume that we always OOM +https://bugs.webkit.org/show_bug.cgi?id=228213 + +Reviewed by Mark Lam. + +* stress/test-out-of-memory.js: + 2021-07-22 Yusuke Suzuki Reduce iteration of microbenchmarks/memcpy-typed-loop.js Modified: trunk/JSTests/stress/test-out-of-memory.js (280215 => 280216) --- trunk/JSTests/stress/test-out-of-memory.js 2021-07-23 03:17:00 UTC (rev 280215) +++ trunk/JSTests/stress/test-out-of-memory.js 2021-07-23 03:17:51 UTC (rev 280216) @@ -23,5 +23,5 @@ exception = e; } -if (exception != "RangeError: Out of memory") +if (exception && exception != "RangeError: Out of memory") throw "FAILED";
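Review bot: the new condition `exception && exception != "RangeError: Out of memory"` in the test-out-of-memory.js hunk correctly lets the test pass when nothing was thrown, but it also passes when whatever was thrown is falsy (an empty string or `0` stored by `exception = e`), since that fails the first operand; if the intent is "either no exception, or exactly the OOM RangeError", initialise `exception` to `undefined` and test `exception !== undefined` (or set a `threw` flag in the catch), which states that intent directly.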
[webkit-changes] [280198] trunk
Title: [280198] trunk Revision 280198 Author sbar...@apple.com Date 2021-07-22 14:37:02 -0700 (Thu, 22 Jul 2021) Log Message AirStackSlot's uint16_t byte size is too small https://bugs.webkit.org/show_bug.cgi?id=228193 Reviewed by Mark Lam. JSTests: * stress/stack-slot-needs-to-use-more-than-uint16.js: Added. Source/_javascript_Core: * b3/B3Procedure.cpp: (JSC::B3::Procedure::addStackSlot): * b3/B3Procedure.h: * b3/air/AirCode.cpp: (JSC::B3::Air::Code::addStackSlot): * b3/air/AirCode.h: * b3/air/AirStackSlot.cpp: (JSC::B3::Air::StackSlot::StackSlot): * b3/air/AirStackSlot.h: (JSC::B3::Air::StackSlot::ensureSize): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): * ftl/FTLOutput.cpp: (JSC::FTL::Output::lockedStackSlot): * ftl/FTLOutput.h: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/B3Procedure.cpp trunk/Source/_javascript_Core/b3/B3Procedure.h trunk/Source/_javascript_Core/b3/air/AirCode.cpp trunk/Source/_javascript_Core/b3/air/AirCode.h trunk/Source/_javascript_Core/b3/air/AirStackSlot.cpp trunk/Source/_javascript_Core/b3/air/AirStackSlot.h trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/ftl/FTLOutput.cpp trunk/Source/_javascript_Core/ftl/FTLOutput.h Added Paths trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js Diff Modified: trunk/JSTests/ChangeLog (280197 => 280198) --- trunk/JSTests/ChangeLog 2021-07-22 21:30:12 UTC (rev 280197) +++ trunk/JSTests/ChangeLog 2021-07-22 21:37:02 UTC (rev 280198) 
@@ -1,3 +1,13 @@ +2021-07-22 Saam Barati + +AirStackSlot's uint16_t byte size is too small +https://bugs.webkit.org/show_bug.cgi?id=228193 + + +Reviewed by Mark Lam. + +* stress/stack-slot-needs-to-use-more-than-uint16.js: Added. + 2021-07-20 Yusuke Suzuki [JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance Added: trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js (0 => 280198) --- trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js (rev 0) +++ trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js 2021-07-22 21:37:02 UTC (rev 280198) @@ -0,0 +1,8 @@ +//@ skip if $buildType == "debug" + +let script = '_,'.repeat(5000); +script += ''; +let g = new Function(script, 'if (0) g();'); +for (let i = 0; i < 1000; ++i) { + g(0); +} Modified: trunk/Source/_javascript_Core/ChangeLog (280197 => 280198) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-22 21:30:12 UTC (rev 280197) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-22 21:37:02 UTC (rev 280198) 
@@ -1,5 +1,29 @@ 2021-07-22 Saam Barati +AirStackSlot's uint16_t byte size is too small +https://bugs.webkit.org/show_bug.cgi?id=228193 + + +Reviewed by Mark Lam. + +* b3/B3Procedure.cpp: +(JSC::B3::Procedure::addStackSlot): +* b3/B3Procedure.h: +* b3/air/AirCode.cpp: +(JSC::B3::Air::Code::addStackSlot): +* b3/air/AirCode.h: +* b3/air/AirStackSlot.cpp: +(JSC::B3::Air::StackSlot::StackSlot): +* b3/air/AirStackSlot.h: +(JSC::B3::Air::StackSlot::ensureSize): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::lower): +* ftl/FTLOutput.cpp: +(JSC::FTL::Output::lockedStackSlot): +* ftl/FTLOutput.h: + +2021-07-22 Saam Barati + Fix uses of Dependency::fence with respect to the compiler outsmarting us https://bugs.webkit.org/show_bug.cgi?id=227757 Modified: trunk/Source/_javascript_Core/b3/B3Procedure.cpp (280197 => 280198) --- trunk/Source/_javascript_Core/b3/B3Procedure.cpp 2021-07-22 21:30:12 UTC (rev 280197) +++ trunk/Source/_javascript_Core/b3/B3Procedure.cpp 2021-07-22 21:37:02 UTC (rev 280198) @@ -73,7 +73,7 @@ return result; } -Air::StackSlot* Procedure::addStackSlot(unsigned byteSize) +Air::StackSlot* Procedure::addStackSlot(uint64_t byteSize) { return m_code->addStackSlot(byteSize, Air::StackSlotKind::Locked); } Modified: trunk/Source/_javascript_Core/b3/B3Procedure.h (280197 => 280198) --- trunk/Source/_javascript_Core/b3/B3Procedure.h 2021-07-22 21:30:12 UTC (rev 280197) +++ trunk/Source/_javascript_Core/b3/B3Procedure.h 2021-07-22 21:37:02 UTC (rev 280198) 
@@ -114,7 +114,7 @@ setBlockOrderImpl(blocks); } -JS_EXPORT_PRIVATE Air::StackSlot* addStackSlot(unsigned byteSize); +JS_EXPORT_PRIVATE Air::StackSlot* addStackSlot(uint64_t byteSize); JS_EXPORT_PRIVATE Variable* addVariable(Type); JS_EXPORT_PRIVATE Type addTuple(Vector&& types); Modified: trunk/Source/_javascript_Core/b3/air/AirCode.cpp (280197 => 280198) --- trunk/Source/_javascript_Core/b3/air/AirCode.cpp 2021-07-22 21:30:12 UTC (rev 280197) +++ trunk/Source/_javascript_Core/b3/air/AirCode.cpp 2021-07-22 21:37:02 UTC (rev 280198) @@
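Review bot: in stack-slot-needs-to-use-more-than-uint16.js, `script += '';` appends nothing and reads like a leftover, and nothing in the file says what failure the 5000-parameter `new Function` plus the 1000 warm-up calls of `g(0)` is meant to provoke (an assertion on the old `uint16_t` size, a crash, a miscompile); since the test is skipped on debug builds (`//@ skip if $buildType == "debug"`), a comment explaining what a release build is expected to hit without the fix, and why debug is skipped, would make the regression test understandable to the next reader.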
[webkit-changes] [280195] trunk/Source
Title: [280195] trunk/Source Revision 280195 Author sbar...@apple.com Date 2021-07-22 13:05:09 -0700 (Thu, 22 Jul 2021) Log Message Fix uses of Dependency::fence with respect to the compiler outsmarting us https://bugs.webkit.org/show_bug.cgi?id=227757 Reviewed by Robin Morisset. Source/_javascript_Core: We were running into issues on arm64 with respect to the memory model ordering of loads, and how the compiler optimized code around Dependency::fence. The issue manifested as calls to isMarked incorrectly returning true. To see the issue, let's consider a program like this:
a = load(p1)
b = load(p2)
if (a != b) return;
d = Dependency::fence(b)
At the point of defining the dependency, the compiler has proven a == b. So, instead of building the dependency on the register used for b, we end up using the register for a. So the actual compiled code ends up with a dependency on load(p1), not load(p2). To fix this, we end up adding a new API, Dependency::loadAndFence(pointer, result), which is defined as:
template<typename T>
static Dependency loadAndFence(T* pointer, T& output)
{
    T value = *opaque(pointer);
    Dependency dependency = Dependency::fence(value);
    output = opaque(value);
    return dependency;
}
The reason for this is that it splits "b" in the above program into two values, and the "b" the program compares against is not known to the compiler to be the same value that we build a dependency on. * heap/MarkedBlock.h: (JSC::MarkedBlock::aboutToMark): (JSC::MarkedBlock::isMarked): * runtime/JSObject.cpp: (JSC::JSObject::visitButterflyImpl): * runtime/JSObject.h: (JSC::JSObject::fencedButterfly): * runtime/SparseArrayValueMap.cpp: (JSC::SparseArrayEntry::getConcurrently): (JSC::SparseArrayEntry::getConcurrently const): Deleted. 
* runtime/SparseArrayValueMap.h: * runtime/Structure.h: (JSC::Structure::fencedIndexingMode): * runtime/StructureIDBlob.h: (JSC::StructureIDBlob::fencedIndexingModeIncludingHistory): Source/WTF: * wtf/Atomics.h: (WTF::opaque): (WTF::Dependency::loadAndFence): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/MarkedBlock.h trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/_javascript_Core/runtime/JSObject.h trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp trunk/Source/_javascript_Core/runtime/Structure.h trunk/Source/_javascript_Core/runtime/StructureIDBlob.h trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/Atomics.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (280194 => 280195) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-22 20:04:10 UTC (rev 280194) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-22 20:05:09 UTC (rev 280195) 
@@ -1,3 +1,58 @@ +2021-07-22 Saam Barati + +Fix uses of Dependency::fence with respect to the compiler outsmarting us +https://bugs.webkit.org/show_bug.cgi?id=227757 + + +Reviewed by Robin Morisset. + +We were running into issues on arm64 with respect to the memory model +ordering of loads, and how the compiler optimized code around Dependency::fence. +The issue manifested as calls to isMarked incorrectly returning true. + +To see the issue, let's consider a program like this: +a = load(p1) +b = load(p2) +if (a != b) return; +d = Dependency::fence(b) + +At the point of defining the dependency, the compiler has proven +a == b. So, instead of building the dependency on the register used +for b, we end up using the register for a. So the actual compiled +code ends up with a dependency on load(p1), not load(p2). + +To fix this, we end up adding a new API, Dependency::loadEndFence(pointer, +result), which is defined as: + +template +static Dependency loadAndFence(T* pointer, T& output) +{ +T value = *opaque(pointer); +Dependency dependency = Dependency::fence(value); +output = opaque(value); +return dependency; +} + +The reason for this is that it split "b" in the above program into two values, +and the "b" the program compares against is not known to the compiler to be +the same value that we build a dependency on. + +* heap/MarkedBlock.h: +(JSC::MarkedBlock::aboutToMark): +(JSC::MarkedBlock::isMarked): +* runtime/JSObject.cpp: +(JSC::JSObject::visitButterflyImpl): +* runtime/JSObject.h: +(JSC::JSObject::fencedButterfly): +* runtime/SparseArrayValueMap.cpp: +(JSC::SparseArrayEntry::getConcurrently): +(JSC::SparseArrayEntry::getConcurrently const): Deleted. +* runtime/SparseArrayValueMap.h: +* runtime/Structure.h: +(JSC::Structure::fencedIndexingMode): +* runtime/StructureIDBlob.h: +(JSC::StructureIDBlob::fencedIndexingModeIncludingHistory): +
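Review bot: the ChangeLog entry names the new API `Dependency::loadEndFence(pointer, result)` while the code it quotes and the `(WTF::Dependency::loadAndFence)` line under `* wtf/Atomics.h:` call it `loadAndFence`; fix the name in the prose. It would also help to say why `opaque` is applied twice, once to `pointer` and once to `value`: the second application is what stops the compiler from proving that the `output` the caller later compares against is the same value the dependency was built on, which is precisely the `a == b` failure the entry describes, and without that sentence `output = opaque(value);` looks like a redundant copy someone might remove.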
[webkit-changes] [280109] trunk/Tools
Title: [280109] trunk/Tools Revision 280109 Author sbar...@apple.com Date 2021-07-20 15:55:56 -0700 (Tue, 20 Jul 2021) Log Message Don't run ftl-eager-no-cjit on debug builds https://bugs.webkit.org/show_bug.cgi?id=228118 Reviewed by Mark Lam. Many debug JSC stress tests time out intermittently. All I see are under the ftl-eager-no-cjit mode. * Scripts/run-jsc-stress-tests: Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/Tools/ChangeLog (280108 => 280109) --- trunk/Tools/ChangeLog 2021-07-20 22:07:55 UTC (rev 280108) +++ trunk/Tools/ChangeLog 2021-07-20 22:55:56 UTC (rev 280109) @@ -1,3 +1,15 @@ +2021-07-20 Saam Barati + +Don't run ftl-eager-no-cjit on debug builds +https://bugs.webkit.org/show_bug.cgi?id=228118 + +Reviewed by Mark Lam. + +Many debug JSC stress tests time out intermittently. All I see are under +the ftl-eager-no-cjit mode. + +* Scripts/run-jsc-stress-tests: + 2021-07-20 Ayumi Kojima Adding myself to Contributors.json Modified: trunk/Tools/Scripts/run-jsc-stress-tests (280108 => 280109) --- trunk/Tools/Scripts/run-jsc-stress-tests 2021-07-20 22:07:55 UTC (rev 280108) +++ trunk/Tools/Scripts/run-jsc-stress-tests 2021-07-20 22:55:56 UTC (rev 280109) @@ -897,7 +897,7 @@ runNoFTL runFTLEager -runFTLEagerNoCJITValidate +runFTLEagerNoCJITValidate if $buildType == "release" runFTLNoCJITSmallPool return if $mode == "basic" @@ -937,7 +937,7 @@ runFTLNoCJITNoPutStackValidate runFTLNoCJITNoInlineValidate runFTLEager -runFTLEagerNoCJITValidate +runFTLEagerNoCJITValidate if $buildType == "release" end end end @@ -1008,7 +1008,7 @@ runFTLNoCJITNoPutStackValidate runFTLNoCJITNoInlineValidate runFTLEager -runFTLEagerNoCJITValidate +runFTLEagerNoCJITValidate if $buildType == "release" runFTLNoCJITSmallPool end end ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
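Review bot: the same guard `runFTLEagerNoCJITValidate if $buildType == "release"` is hand-copied into three places in run-jsc-stress-tests (the hunks at @@ -897, @@ -937 and @@ -1008); folding the build-type check into runFTLEagerNoCJITValidate itself, or adding a small release-only wrapper, would keep a fourth call site from silently reintroducing the debug-build timeouts. A comment at the definition saying why debug builds are skipped (intermittent timeouts, bug 228118) also belongs in the script, since the script itself no longer records the reason.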
[webkit-changes] [280008] trunk
Title: [280008] trunk Revision 280008 Author sbar...@apple.com Date 2021-07-16 16:40:00 -0700 (Fri, 16 Jul 2021) Log Message Grab the lock in FTL::Thunks::keyForSlowPathCallThunk https://bugs.webkit.org/show_bug.cgi?id=227988 Reviewed by Mark Lam. JSTests: * stress/thunks-hash-map-should-grab-lock.js: Added. Source/_javascript_Core: Both FTL::Thunks::keyForSlowPathCallThunk and FTL::Thunks::getSlowPathCallThunk both touch the thunks hash map. In r278030, when I added the lock, I grabbed it in getSlowPathCallThunk, but forgot to also grab it in keyForSlowPathCallThunk. * ftl/FTLThunks.h: (JSC::FTL::Thunks::keyForSlowPathCallThunk): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLThunks.h Added Paths trunk/JSTests/stress/thunks-hash-map-should-grab-lock.js Diff Modified: trunk/JSTests/ChangeLog (280007 => 280008) --- trunk/JSTests/ChangeLog 2021-07-16 23:23:44 UTC (rev 280007) +++ trunk/JSTests/ChangeLog 2021-07-16 23:40:00 UTC (rev 280008) @@ -1,3 +1,13 @@ +2021-07-16 Saam Barati + +Grab the lock in FTL::Thunks::keyForSlowPathCallThunk +https://bugs.webkit.org/show_bug.cgi?id=227988 + + +Reviewed by Mark Lam. + +* stress/thunks-hash-map-should-grab-lock.js: Added. + 2021-07-16 Yusuke Suzuki [JSC] RegExp::dumpToStream must not ref Strings since it is called concurrently Added: trunk/JSTests/stress/thunks-hash-map-should-grab-lock.js (0 => 280008) --- trunk/JSTests/stress/thunks-hash-map-should-grab-lock.js (rev 0) +++ trunk/JSTests/stress/thunks-hash-map-should-grab-lock.js 2021-07-16 23:40:00 UTC (rev 280008) 
@@ -0,0 +1,481 @@ +function main() { +const v4 = [5330.006088804686]; +const v5 = [-1809859085,-1809859085,-1809859085]; +const v6 = [noInline,5330.006088804686,-1809859085,noInline,noInline,noInline,v4]; +const v7 = {}; +const v8 = v7.__proto__; +function v9(v10,v11,v12) { +const v13 = 1; +} +function v14(v15,v16,v17,v18) { +function v19(v20,v21,v22) { +const v23 = isConcatSpreadable; +} +const v24 = v9 | v16; +switch (v18) { +default: +const v25 = 0; +const v26 = 2; +const v27 = 1; +const v30 = {constructor:5330.006088804686,e:Int16Array,length:-1000.0}; +const v36 = [64562.579056559596,64562.579056559596,64562.579056559596]; +const v38 = [1.0,1.0]; +const v39 = [1.7976931348623157e+308,1.7976931348623157e+308,1.7976931348623157e+308]; +const v40 = [-2147483649,-2147483649,-2147483649]; +const v41 = [Symbol,"symbol",-2147483649,v39]; +function v42(v43,v44) { +function v45(v46,v47) { +} +const v48 = 0; +let v49 = -449638095; +const v56 = [1098305835,1098305835,1098305835]; +const v57 = [3.0,v56,Uint8Array,100,v36,3.0,v40,1098305835,"f8bvzbzCeL"]; +for (let v60 = 0; v60 < 7; v60++) { +v49 *= "symbol"; +} +const v61 = 65537; +const v62 = 100; +} +const v67 = [-100.0,-100.0]; +const v68 = [3]; +const v69 = [placeholder,"EPSILON",3,3,3,"EPSILON",v68,-100.0,-100.0,v67]; +const v70 = {a:-100.0,c:v67,constructor:3,length:3,toString:placeholder}; +const v71 = {b:"EPSILON",constructor:v70,toString:placeholder,valueOf:v70}; +function v72(v73,v74,v75) { +return v74; +return "EPSILON"; +} +function v77(v78,...v79) { +"9007199254740991".toString = v78; +} +function v80(v81,v82,v83) { +const v85 = Object(); +const v86 = Object; +} +function v87(v88,v89) { +const v92 = [-9007199254740993,-9007199254740993,-9007199254740993,Reflect]; +} +function v93(v94,v95,v96,v97) { +v95 *= -100.0; +const v99 = Math.sinh(v87); +const v100 = v96[-9007199254740993]; +const v101 = v99 in v69; +const v104 = [2147483648,2147483648]; +let v107 = Array(1); +const v113 = ["symbol"]; +const v114 = 
[Proxy,v113,Uint16Array,3905494558,v113,"65536",v107,3,v113,v104]; +"9007199254740991".c = Proxy; +const v118 = [328474.42085578316]; +const v119 =
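Review bot: the added stress/thunks-hash-map-should-grab-lock.js is several hundred lines of generated fuzzer output with no header comment; please add a comment with the bug URL and what the test is expected to catch (per the ChangeLog, unsynchronized access to the FTL thunks hash map from keyForSlowPathCallThunk while getSlowPathCallThunk holds the lock), so whoever sees it fail next knows it is a concurrency test rather than a semantic one. Because the defect is a missing lock, a single run is not guaranteed to reproduce; recording which JSC options or test modes made it fail reliably would make the test far more useful as a regression check.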
[webkit-changes] [279845] trunk/JSTests
Title: [279845] trunk/JSTests Revision 279845 Author sbar...@apple.com Date 2021-07-12 12:05:55 -0700 (Mon, 12 Jul 2021) Log Message Run some tests for fewer iterations to prevent test timeouts https://bugs.webkit.org/show_bug.cgi?id=227879 Reviewed by Mark Lam. * microbenchmarks/get-by-val-negative-array-index.js: * microbenchmarks/memcpy-typed-loop-small.js: * microbenchmarks/put-by-val-negative-array-index.js: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/microbenchmarks/get-by-val-negative-array-index.js trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js trunk/JSTests/microbenchmarks/put-by-val-negative-array-index.js Diff Modified: trunk/JSTests/ChangeLog (279844 => 279845) --- trunk/JSTests/ChangeLog 2021-07-12 18:56:16 UTC (rev 279844) +++ trunk/JSTests/ChangeLog 2021-07-12 19:05:55 UTC (rev 279845) @@ -1,5 +1,16 @@ 2021-07-12 Saam Barati +Run some tests for fewer iterations to prevent test timeouts +https://bugs.webkit.org/show_bug.cgi?id=227879 + +Reviewed by Mark Lam. + +* microbenchmarks/get-by-val-negative-array-index.js: +* microbenchmarks/memcpy-typed-loop-small.js: +* microbenchmarks/put-by-val-negative-array-index.js: + +2021-07-12 Saam Barati + stress/wasm-loop-consistency.js should require the --useExecutableAllocationFuzz=false JSC option https://bugs.webkit.org/show_bug.cgi?id=227876 Modified: trunk/JSTests/microbenchmarks/get-by-val-negative-array-index.js (279844 => 279845) --- trunk/JSTests/microbenchmarks/get-by-val-negative-array-index.js 2021-07-12 18:56:16 UTC (rev 279844) +++ trunk/JSTests/microbenchmarks/get-by-val-negative-array-index.js 2021-07-12 19:05:55 UTC (rev 279845) 
@@ -10,10 +10,10 @@ noInline(foo); const arr = new Array(10).fill({}); -for (let i = 0; i < 1e6; i++) { +for (let i = 0; i < 1e5; i++) { foo(arr, i % arr.length); } -for (let i = 0; i < 1e6; i++) { +for (let i = 0; i < 1e5; i++) { foo(arr, i % arr.length); if (!(i % arr.length)) foo(arr, -1); Modified: trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js (279844 => 279845) --- trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js 2021-07-12 18:56:16 UTC (rev 279844) +++ trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js 2021-07-12 19:05:55 UTC (rev 279845) @@ -16,7 +16,7 @@ arr1[i] = i } -for (let i=0; i<1_000_000; ++i) doTest(arr1, arr2) +for (let i=0; i<100_000; ++i) doTest(arr1, arr2) arr2 = new Int32Array(arr1.length) doTest(arr1, arr2) Modified: trunk/JSTests/microbenchmarks/put-by-val-negative-array-index.js (279844 => 279845) --- trunk/JSTests/microbenchmarks/put-by-val-negative-array-index.js 2021-07-12 18:56:16 UTC (rev 279844) +++ trunk/JSTests/microbenchmarks/put-by-val-negative-array-index.js 2021-07-12 19:05:55 UTC (rev 279845) @@ -11,10 +11,10 @@ const arr = new Array(10).fill({}); let result = 0; -for (let i = 0; i < 1e6; i++) { +for (let i = 0; i < 1e5; i++) { result += foo(arr, i % arr.length); } -for (let i = 0; i < 1e6; i++) { +for (let i = 0; i < 1e5; i++) { result += foo(arr, i % arr.length); if (!(i % arr.length)) result += foo(arr, -1); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
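Review bot: memcpy-typed-loop-small.js is being changed a second time within a week (r279620 set the loop bound to 1_000_000, this hunk takes it to 100_000); a short comment at the loop giving the reason for the chosen count would stop the next timeout fix from guessing again. In get-by-val-negative-array-index.js and put-by-val-negative-array-index.js the first loop is the warm-up and the second is what exercises `foo(arr, -1)` every tenth iteration, so 1e5 still covers the negative-index path, but please confirm the reduced count still tiers foo up to the FTL on the slow bots, otherwise these microbenchmarks measure a different tier than they did at 1e6.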
[webkit-changes] [279839] trunk/JSTests
Title: [279839] trunk/JSTests Revision 279839 Author sbar...@apple.com Date 2021-07-12 11:02:45 -0700 (Mon, 12 Jul 2021) Log Message stress/wasm-loop-consistency.js should require the --useExecutableAllocationFuzz=false JSC option https://bugs.webkit.org/show_bug.cgi?id=227876 Reviewed by Mark Lam. * stress/wasm-loop-consistency.js: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/wasm-loop-consistency.js Diff Modified: trunk/JSTests/ChangeLog (279838 => 279839) --- trunk/JSTests/ChangeLog 2021-07-12 17:59:36 UTC (rev 279838) +++ trunk/JSTests/ChangeLog 2021-07-12 18:02:45 UTC (rev 279839) @@ -1,3 +1,12 @@ +2021-07-12 Saam Barati + +stress/wasm-loop-consistency.js should require the --useExecutableAllocationFuzz=false JSC option +https://bugs.webkit.org/show_bug.cgi?id=227876 + +Reviewed by Mark Lam. + +* stress/wasm-loop-consistency.js: + 2021-07-10 Yusuke Suzuki [JSC] Update test262 Modified: trunk/JSTests/stress/wasm-loop-consistency.js (279838 => 279839) --- trunk/JSTests/stress/wasm-loop-consistency.js 2021-07-12 17:59:36 UTC (rev 279838) +++ trunk/JSTests/stress/wasm-loop-consistency.js 2021-07-12 18:02:45 UTC (rev 279839) @@ -1,3 +1,4 @@ +//@ requireOptions("--useExecutableAllocationFuzz=false") // https://bugs.webkit.org/show_bug.cgi?id=226012 if ($vm.isWasmSupported()) { // (module ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
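Review bot: neither the new `//@ requireOptions("--useExecutableAllocationFuzz=false")` line nor the ChangeLog says why executable-allocation fuzzing has to be off for this test; a one-line comment under the directive (for example that the fuzzer's simulated JIT allocation failures change which wasm code gets compiled, which defeats the loop-consistency check) would prevent someone from removing the option later. Consider also placing the directive after, or merging it with, the existing bug 226012 comment so the file still opens with the reference that explains the test.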
[webkit-changes] [279813] trunk/Source/JavaScriptCore
Title: [279813] trunk/Source/_javascript_Core Revision 279813 Author sbar...@apple.com Date 2021-07-10 18:27:40 -0700 (Sat, 10 Jul 2021) Log Message Continue to consult InlineAccess's Structure even after switching to a stub IC https://bugs.webkit.org/show_bug.cgi?id=227785 Reviewed by Yusuke Suzuki. This patch fixes a crash in: stress/class-subclassing-function.js The bug is this: 1. We initialize a StructureStubInfo to be an inline self access doing a load based on structure S. 2. We transition to being a PolymorphicAccess based StructureStubInfo. But, we haven't generated code yet. We're in the buffered state. So we are still running the inline access from (1). But the StructureStubInfo thinks it's a "Stub". 3. S is collected 4. We continue to run code from (1), because when we finalize the IC during GC, it doesn't think it's an inline access. The fix is to always track the structure S that we used when generating the inline access, and to only stop tracking it once we've generated code for the Stub. 
* bytecode/AccessCase.cpp: (JSC::AccessCase::fromStructureStubInfo): (JSC::AccessCase::propagateTransitions const): * bytecode/AccessCase.h: * bytecode/GetByStatus.cpp: (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): * bytecode/InByStatus.cpp: (JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback): * bytecode/PolymorphicAccess.cpp: (JSC::PolymorphicAccess::propagateTransitions const): * bytecode/PolymorphicAccess.h: * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeForStubInfo): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::initGetByIdSelf): (JSC::StructureStubInfo::initPutByIdReplace): (JSC::StructureStubInfo::initInByIdSelf): (JSC::StructureStubInfo::addAccessCase): (JSC::StructureStubInfo::reset): (JSC::StructureStubInfo::visitWeakReferences): (JSC::StructureStubInfo::propagateTransitions): * bytecode/StructureStubInfo.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/AccessCase.cpp trunk/Source/_javascript_Core/bytecode/AccessCase.h trunk/Source/_javascript_Core/bytecode/GetByStatus.cpp trunk/Source/_javascript_Core/bytecode/InByStatus.cpp trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h trunk/Source/_javascript_Core/bytecode/PutByIdStatus.cpp trunk/Source/_javascript_Core/bytecode/StructureStubInfo.cpp trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (279812 => 279813) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-11 01:27:31 UTC (rev 279812) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-11 01:27:40 UTC (rev 279813) 
@@ -1,3 +1,47 @@ +2021-07-10 Saam Barati + +Continue to consult InlineAccess's Structure even after switching to a stub IC +https://bugs.webkit.org/show_bug.cgi?id=227785 + +Reviewed by Yusuke Suzuki. + +This patch fixes a crash in: stress/class-subclassing-function.js + +The bug is this: +1. We initialize a StructureStubInfo to be an inline self access doing a load based on structure S. +2. We transition to being a PolymorphicAccess based StructureStubInfo. But, we haven't +generated code yet. We're in the buffered state. So we are still running the inline access +from (1). But the StructureStubInfo thinks it's a "Stub". +3. S is collected +4. We continue to run code from (1), because when we finalize the IC during GC, it +doesn't think it's an inline access. + +The fix is to always track the structure S that we used when generating the inline +access, and to only stop tracking it once we've generated code for the Stub. + +* bytecode/AccessCase.cpp: +(JSC::AccessCase::fromStructureStubInfo): +(JSC::AccessCase::propagateTransitions const): +* bytecode/AccessCase.h: +* bytecode/GetByStatus.cpp: +(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback): +* bytecode/InByStatus.cpp: +(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback): +* bytecode/PolymorphicAccess.cpp: +(JSC::PolymorphicAccess::propagateTransitions const): +* bytecode/PolymorphicAccess.h: +* bytecode/PutByIdStatus.cpp: +(JSC::PutByIdStatus::computeForStubInfo): +* bytecode/StructureStubInfo.cpp: +(JSC::StructureStubInfo::initGetByIdSelf): +(JSC::StructureStubInfo::initPutByIdReplace): +(JSC::StructureStubInfo::initInByIdSelf): +(JSC::StructureStubInfo::addAccessCase): +(JSC::StructureStubInfo::reset): +(JSC::StructureStubInfo::visitWeakReferences): +(JSC::StructureStubInfo::propagateTransitions): +* bytecode/StructureStubInfo.h: + 2021-07-10 Yusuke Suzuki [JSC] Workaround test262.report bug by making $ properties enumerable Modified:
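Review bot: the ChangeLog describes the lifetime bug well (inline access code still executing against Structure S while the StructureStubInfo already reports itself as a Stub, so S is not kept alive through the buffered state), but it does not say which of the listed functions now keeps S alive and which one stops tracking it once stub code exists. A sentence naming the field that holds the inline-access Structure and the points in StructureStubInfo::visitWeakReferences, propagateTransitions and reset where it is consulted or cleared would make the invariant auditable from the log alone. A regression test with the same shape as the crash in stress/class-subclassing-function.js would also be preferable to relying on that existing test to keep catching it.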
[webkit-changes] [279707] trunk/Source/JavaScriptCore
Title: [279707] trunk/Source/_javascript_Core Revision 279707 Author sbar...@apple.com Date 2021-07-07 19:20:51 -0700 (Wed, 07 Jul 2021) Log Message JSArrayBufferView::byteOffsetConcurrently has a race when using PAC https://bugs.webkit.org/show_bug.cgi?id=227765 Reviewed by Mark Lam. We were calling JSArrayBufferView::vector(), which does PAC validation using the length() of the array. However, this can race with JSArrayBufferView::detach, which sets the length to zero, leading to sadness on the compiler thread. * runtime/JSArrayBufferView.h: (JSC::JSArrayBufferView::vectorWithoutPACValidation const): * runtime/JSArrayBufferViewInlines.h: (JSC::JSArrayBufferView::byteOffsetImpl): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (279706 => 279707) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-08 02:19:19 UTC (rev 279706) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-08 02:20:51 UTC (rev 279707) 
@@ -1,3 +1,19 @@ +2021-07-07 Saam Barati + +JSArrayBufferView::byteOffsetConcurrently has a race when using PAC +https://bugs.webkit.org/show_bug.cgi?id=227765 + +Reviewed by Mark Lam. + +We were calling JSArrayBufferView::vector(), which does PAC validation +using the length() of the array. However, this can race with JSArrayBufferView::detach, +which sets the length to zero, leading to sadness on the compiler thread. + +* runtime/JSArrayBufferView.h: +(JSC::JSArrayBufferView::vectorWithoutPACValidation const): +* runtime/JSArrayBufferViewInlines.h: +(JSC::JSArrayBufferView::byteOffsetImpl): + 2021-07-07 Yusuke Suzuki [JSC] Fix Object.assign fast path to accept undefined/null Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h (279706 => 279707) --- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2021-07-08 02:19:19 UTC (rev 279706) +++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2021-07-08 02:20:51 UTC (rev 279707) @@ -188,6 +188,7 @@ bool hasVector() const { return !!m_vector; } void* vector() const { return m_vector.getMayBeNull(length()); } +void* vectorWithoutPACValidation() const { return m_vector.getUnsafe(); } inline unsigned byteOffset(); inline std::optional byteOffsetConcurrently(); Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h (279706 => 279707) --- trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h 2021-07-08 02:19:19 UTC (rev 279706) +++ trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h 2021-07-08 02:20:51 UTC (rev 279707) @@ -97,7 +97,7 @@ } ptrdiff_t delta = -bitwise_cast(vector()) - static_cast(buffer->data()); +bitwise_cast(vectorWithoutPACValidation()) - static_cast(buffer->data()); unsigned result = static_cast(delta); if (requester == Mutator) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
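Review bot: in the byteOffsetImpl hunk the switch from vector() to vectorWithoutPACValidation() applies to every caller, including the mutator (the `if (requester == Mutator)` branch immediately below), whereas the ChangeLog only motivates it for the compiler thread, where length() can race with detach(). Consider keeping the authenticated vector() on the mutator path and using getUnsafe() only when requester != Mutator, so a corrupted m_vector still traps where it safely can. If the unauthenticated value is acceptable for the mutator because the result is only subtracted from buffer->data(), please say so in a comment next to vectorWithoutPACValidation() in JSArrayBufferView.h; a function that bypasses PAC validation will otherwise attract callers that should not be using it.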
[webkit-changes] [279620] trunk/JSTests
Title: [279620] trunk/JSTests Revision 279620 Author sbar...@apple.com Date 2021-07-06 14:12:55 -0700 (Tue, 06 Jul 2021) Log Message Run microbenchmarks/memcpy-typed-loop-small.js for fewer iterations to avoid timeouts https://bugs.webkit.org/show_bug.cgi?id=227717 Reviewed by Robin Morisset. * microbenchmarks/memcpy-typed-loop-small.js: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js Diff Modified: trunk/JSTests/ChangeLog (279619 => 279620) --- trunk/JSTests/ChangeLog 2021-07-06 21:05:44 UTC (rev 279619) +++ trunk/JSTests/ChangeLog 2021-07-06 21:12:55 UTC (rev 279620) @@ -1,3 +1,12 @@ +2021-07-06 Saam Barati + +Run microbenchmarks/memcpy-typed-loop-small.js for fewer iterations to avoid timeouts +https://bugs.webkit.org/show_bug.cgi?id=227717 + +Reviewed by Robin Morisset. + +* microbenchmarks/memcpy-typed-loop-small.js: + 2021-07-05 Yusuke Suzuki [JSC] Optimize Object.assign and putDirectInternal Modified: trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js (279619 => 279620) --- trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js 2021-07-06 21:05:44 UTC (rev 279619) +++ trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js 2021-07-06 21:12:55 UTC (rev 279620) @@ -16,7 +16,7 @@ arr1[i] = i } -for (let i=0; i<5000; ++i) doTest(arr1, arr2) +for (let i=0; i<1_000_000; ++i) doTest(arr1, arr2) arr2 = new Int32Array(arr1.length) doTest(arr1, arr2) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
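Review bot: the hunk raises the loop bound from 5000 to 1_000_000 while the title and ChangeLog say the test should run for fewer iterations; either the old value is mis-rendered here or the change goes the wrong way, so please double-check the committed number (r279845 lowers it again to 100_000 a week later, which suggests the first value was not what was intended).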
[webkit-changes] [279449] trunk
Title: [279449] trunk Revision 279449 Author sbar...@apple.com Date 2021-06-30 23:07:33 -0700 (Wed, 30 Jun 2021) Log Message Turn off data ICs by default https://bugs.webkit.org/show_bug.cgi?id=227334 Reviewed by Yusuke Suzuki. JSTests: * microbenchmarks/deltablue-varargs.js: * microbenchmarks/richards-try-catch.js: Source/_javascript_Core: There are GC crashes that are caused by access data IC sharing. This patch is both turning off data IC sharing by default, and turning off data ICs by default. We should re-enable this once we figure out the issue: https://bugs.webkit.org/show_bug.cgi?id=227551 Some of our testing modes are still running with data ICs on, so the code doesn't bit rot. And a select few tests are running with data IC sharing on, for similar reasons, even though we know it has issues. If those tests start crashing, we'll just disable sharing completely until the issue is resolved. * bytecode/PolymorphicAccess.cpp: (JSC::PolymorphicAccess::regenerate): * runtime/OptionsList.h: Tools: * Scripts/run-jsc-stress-tests: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/microbenchmarks/deltablue-varargs.js trunk/JSTests/microbenchmarks/richards-try-catch.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp trunk/Source/_javascript_Core/runtime/OptionsList.h trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/JSTests/ChangeLog (279448 => 279449) --- trunk/JSTests/ChangeLog 2021-07-01 02:12:20 UTC (rev 279448) +++ trunk/JSTests/ChangeLog 2021-07-01 06:07:33 UTC (rev 279449) 
@@ -1,3 +1,14 @@ +2021-06-30 Saam Barati + +Turn off data ICs by default +https://bugs.webkit.org/show_bug.cgi?id=227334 + + +Reviewed by Yusuke Suzuki. + +* microbenchmarks/deltablue-varargs.js: +* microbenchmarks/richards-try-catch.js: + 2021-06-30 Yusuke Suzuki [JSC] Stop generating default parameter code if class constructor is called without 'new' Modified: trunk/JSTests/microbenchmarks/deltablue-varargs.js (279448 => 279449) --- trunk/JSTests/microbenchmarks/deltablue-varargs.js 2021-07-01 02:12:20 UTC (rev 279448) +++ trunk/JSTests/microbenchmarks/deltablue-varargs.js 2021-07-01 06:07:33 UTC (rev 279449) @@ -1,4 +1,6 @@ //@ skip if $model == "Apple Watch Series 3" # added by mark-jsc-stress-test.py +//@ requireOptions("--useDataIC=true", "--useDataICSharing=true") + // Copyright 2008 the V8 project authors. All rights reserved. // Copyright 1996 John Maloney and Mario Wolczko. Modified: trunk/JSTests/microbenchmarks/richards-try-catch.js (279448 => 279449) --- trunk/JSTests/microbenchmarks/richards-try-catch.js 2021-07-01 02:12:20 UTC (rev 279448) +++ trunk/JSTests/microbenchmarks/richards-try-catch.js 2021-07-01 06:07:33 UTC (rev 279449) @@ -1,4 +1,6 @@ //@ skip if $model == "Apple Watch Series 3" # added by mark-jsc-stress-test.py +//@ requireOptions("--useDataIC=true", "--useDataICSharing=true") + // Copyright 2006-2008 the V8 project authors. All rights reserved. // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are Modified: trunk/Source/_javascript_Core/ChangeLog (279448 => 279449) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-01 02:12:20 UTC (rev 279448) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-01 06:07:33 UTC (rev 279449) 
@@ -1,3 +1,27 @@ +2021-06-30 Saam Barati + +Turn off data ICs by default +https://bugs.webkit.org/show_bug.cgi?id=227334 + + +Reviewed by Yusuke Suzuki. + +There are GC crashes that are caused by access data IC sharing. This +patch is both turning off data IC sharing by default, and turning off data +ICs by default. + +We should re-enable this once we figure out the issue: +https://bugs.webkit.org/show_bug.cgi?id=227551 + +Some of our testing modes are still running with data ICs on, so the code doesn't +bit rot. And a select few tests are running with data IC sharing on, for +similar reasons, even though we know it has issues. If those tests start +crashing, we'll just disable sharing completely until the issue is resolved. + +* bytecode/PolymorphicAccess.cpp: +(JSC::PolymorphicAccess::regenerate): +* runtime/OptionsList.h: + 2021-06-30 Yusuke Suzuki [JSC] Stop generating default parameter code if class constructor is called without 'new' Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp (279448 => 279449) --- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp 2021-07-01 02:12:20 UTC (rev 279448) +++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp 2021-07-01 06:07:33 UTC (rev 279449) @@ -522,7 +522,7 @@ bool doesCalls = false; bool doesJSGetterSetterCalls = false; -bool
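Review bot: deltablue-varargs.js and richards-try-catch.js now opt back into `//@ requireOptions("--useDataIC=true", "--useDataICSharing=true")`, a configuration the ChangeLog says is known to crash the GC (bug 227551); put that bug URL in a comment next to the requireOptions line in both files so a crash in these two tests is triaged as the known sharing issue and not as a fresh regression. The same reference belongs next to the changed defaults in runtime/OptionsList.h, and the ChangeLog should name which test modes in run-jsc-stress-tests still run with data ICs on so the coverage is discoverable.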
[webkit-changes] [279177] trunk/JSTests
Title: [279177] trunk/JSTests Revision 279177 Author sbar...@apple.com Date 2021-06-23 11:49:44 -0700 (Wed, 23 Jun 2021) Log Message Bound stress/put-by-id-flags with a fixed number of iterations https://bugs.webkit.org/show_bug.cgi?id=227305 Reviewed by Mark Lam. * stress/put-by-id-flags.js: (numberOfDFGCompiles): Deleted. Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/put-by-id-flags.js Diff Modified: trunk/JSTests/ChangeLog (279176 => 279177) --- trunk/JSTests/ChangeLog 2021-06-23 18:38:56 UTC (rev 279176) +++ trunk/JSTests/ChangeLog 2021-06-23 18:49:44 UTC (rev 279177) @@ -1,5 +1,15 @@ 2021-06-23 Saam Barati +Bound stress/put-by-id-flags with a fixed number of iterations +https://bugs.webkit.org/show_bug.cgi?id=227305 + +Reviewed by Mark Lam. + +* stress/put-by-id-flags.js: +(numberOfDFGCompiles): Deleted. + +2021-06-23 Saam Barati + Run typedarray-intrinsic-getters-change-prototype for a fixed set of iterations https://bugs.webkit.org/show_bug.cgi?id=227304 Modified: trunk/JSTests/stress/put-by-id-flags.js (279176 => 279177) --- trunk/JSTests/stress/put-by-id-flags.js 2021-06-23 18:38:56 UTC (rev 279176) +++ trunk/JSTests/stress/put-by-id-flags.js 2021-06-23 18:49:44 UTC (rev 279177) @@ -13,10 +13,12 @@ f(x, 42); f(y, {}); -while (!numberOfDFGCompiles(g)) { +for (let i = 0; i < 1000; ++i) { optimizeNextInvocation(g); if (typeof g(x) !== 'number') throw 'failed warming up'; +if (numberOfDFGCompiles(g)) +break; } if (typeof g(y) !== 'string') ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
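Review bot: the new loop `for (let i = 0; i < 1000; ++i)` breaks once numberOfDFGCompiles(g) becomes non-zero, but if all 1000 iterations pass without a DFG compile the test falls through to `g(y)` and can pass without ever exercising the DFG put_by_id path it is meant to cover. Add a check after the loop (throw if numberOfDFGCompiles(g) is still 0, or at least print a notice) so a missed compile is a failure rather than a silent no-op.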
[webkit-changes] [279175] trunk/JSTests
Title: [279175] trunk/JSTests Revision 279175 Author sbar...@apple.com Date 2021-06-23 11:34:02 -0700 (Wed, 23 Jun 2021) Log Message Run typedarray-intrinsic-getters-change-prototype for a fixed set of iterations https://bugs.webkit.org/show_bug.cgi?id=227304 Reviewed by Mark Lam. * stress/typedarray-intrinsic-getters-change-prototype.js: (body): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/typedarray-intrinsic-getters-change-prototype.js Diff Modified: trunk/JSTests/ChangeLog (279174 => 279175) --- trunk/JSTests/ChangeLog 2021-06-23 17:42:05 UTC (rev 279174) +++ trunk/JSTests/ChangeLog 2021-06-23 18:34:02 UTC (rev 279175) @@ -1,3 +1,13 @@ +2021-06-23 Saam Barati + +Run typedarray-intrinsic-getters-change-prototype for a fixed set of iterations +https://bugs.webkit.org/show_bug.cgi?id=227304 + +Reviewed by Mark Lam. + +* stress/typedarray-intrinsic-getters-change-prototype.js: +(body): + 2021-06-22 Saam Barati Don't assume stress/out-of-memory-while-constructing-BytecodeGenerator.js will OOM Modified: trunk/JSTests/stress/typedarray-intrinsic-getters-change-prototype.js (279174 => 279175) --- trunk/JSTests/stress/typedarray-intrinsic-getters-change-prototype.js 2021-06-23 17:42:05 UTC (rev 279174) +++ trunk/JSTests/stress/typedarray-intrinsic-getters-change-prototype.js 2021-06-23 18:34:02 UTC (rev 279175) @@ -18,7 +18,7 @@ let array = new Int32Array(15); -while(numberOfDFGCompiles(foo) < 1) { +for (let i = 0; i < 5000; ++i) { foo(array); bar(array); baz(array); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
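Review bot: replacing `while(numberOfDFGCompiles(foo) < 1)` with a fixed 5000-iteration loop removes the only guarantee that foo, bar and baz reached the DFG before the prototype change is tested; on a slow or differently tuned bot the loop can finish at baseline and the test becomes vacuous. Keep the bound, but assert numberOfDFGCompiles(foo) >= 1 after the loop, or drive the compile explicitly with optimizeNextInvocation as put-by-id-flags.js does.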
[webkit-changes] [279167] trunk/Source/JavaScriptCore
Title: [279167] trunk/Source/_javascript_Core Revision 279167 Author sbar...@apple.com Date 2021-06-23 08:20:13 -0700 (Wed, 23 Jun 2021) Log Message Run lazy properties initializers under a DeferTerminationForAWhile scope https://bugs.webkit.org/show_bug.cgi?id=227271 Reviewed by Mark Lam. We don't expect that exceptions can be thrown when initializing a lazy property. Termination exceptions were preventing this from being true. The latest example found is inside JSModuleLoader when it asserts that no exception is thrown when creating its JSMap field. This patch makes it so termination exceptions can't be thrown when running lazy property initializers. * runtime/LazyPropertyInlines.h: (JSC::ElementType>::initLater): (JSC::ElementType>::callFunc): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/LazyPropertyInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (279166 => 279167) --- trunk/Source/_javascript_Core/ChangeLog 2021-06-23 06:34:31 UTC (rev 279166) +++ trunk/Source/_javascript_Core/ChangeLog 2021-06-23 15:20:13 UTC (rev 279167) 
@@ -1,3 +1,21 @@ +2021-06-23 Saam Barati + +Run lazy properties initializers under a DeferTerminationForAWhile scope +https://bugs.webkit.org/show_bug.cgi?id=227271 + +Reviewed by Mark Lam. + +We don't expect that exceptions can be thrown when initializing +a lazy property. Termination exceptions were preventing this from +being true. The latest example found is inside JSModuleLoader when +it asserts that no exception is thrown when creating its JSMap field. +This patch makes it so termination exceptions can't be thrown when +running lazy property initializers. + +* runtime/LazyPropertyInlines.h: +(JSC::ElementType>::initLater): +(JSC::ElementType>::callFunc): + 2021-06-22 Yijia Huang Add a new pattern to instruction selector to utilize SMADDL supported by ARM64 Modified: trunk/Source/_javascript_Core/runtime/LazyPropertyInlines.h (279166 => 279167) --- trunk/Source/_javascript_Core/runtime/LazyPropertyInlines.h 2021-06-23 06:34:31 UTC (rev 279166) +++ trunk/Source/_javascript_Core/runtime/LazyPropertyInlines.h 2021-06-23 15:20:13 UTC (rev 279167) @@ -25,7 +25,9 @@ #pragma once +#include "DeferTermination.h" #include "Heap.h" +#include "VMTraps.h" #include namespace JSC { @@ -46,7 +48,7 @@ // may be used for things. We address this problem by indirecting through a global const // variable. The "theFunc" variable is guaranteed to be native-aligned, i.e. at least a // multiple of 4. -static const FuncType theFunc = callFunc; +static const FuncType theFunc = ; m_pointer = lazyTag | bitwise_cast(); } 
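Review bot: in the first LazyPropertyInlines.h hunk the new line reads `static const FuncType theFunc = ;` and the following `bitwise_cast();` has no argument, so the `-`/`+` pair differ only in text that is not visible here; please confirm the committed line still takes the address of callFunc, because the comment above it depends on theFunc being the native-aligned function pointer that gets tagged into m_pointer, and state the intent of this hunk in the ChangeLog, which currently only lists the function names.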
@@ -95,15 +97,12 @@ { if (initializer.property.m_pointer & initializingTag) return nullptr; + +DeferTerminationForAWhile deferTerminationForAWhile { initializer.vm }; initializer.property.m_pointer |= initializingTag; callStatelessLambda(initializer); -if (UNLIKELY(initializer.property.m_pointer & initializingTag)) { -VM& vm = initializer.vm; -RELEASE_ASSERT(vm.hasPendingTerminationException()); -RELEASE_ASSERT(initializer.property.m_pointer & lazyTag); -return nullptr; -} RELEASE_ASSERT(!(initializer.property.m_pointer & lazyTag)); +RELEASE_ASSERT(!(initializer.property.m_pointer & initializingTag)); return bitwise_cast(initializer.property.m_pointer); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
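Review bot: the `DeferTerminationForAWhile deferTerminationForAWhile { initializer.vm };` scope is declared before `m_pointer |= initializingTag`, so it covers callStatelessLambda as the ChangeLog requires, but the removed branch was the only place that explained what a still-set initializingTag after the call meant; now the two RELEASE_ASSERTs fire with no hint. Add a comment above the scope stating the invariant (lazy initializers must never observe a termination request, so termination is deferred for the duration of callFunc and both tags are asserted afterwards) and, since the deferral widens the window in which a pending termination is ignored, note that initializers are expected to be short and allocation-only.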
[webkit-changes] [279132] trunk/JSTests
Title: [279132] trunk/JSTests Revision 279132 Author sbar...@apple.com Date 2021-06-22 11:48:07 -0700 (Tue, 22 Jun 2021) Log Message Don't assume stress/out-of-memory-while-constructing-BytecodeGenerator.js will OOM https://bugs.webkit.org/show_bug.cgi?id=227263 Reviewed by Yusuke Suzuki. * stress/out-of-memory-while-constructing-BytecodeGenerator.js: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js Diff Modified: trunk/JSTests/ChangeLog (279131 => 279132) --- trunk/JSTests/ChangeLog 2021-06-22 18:44:45 UTC (rev 279131) +++ trunk/JSTests/ChangeLog 2021-06-22 18:48:07 UTC (rev 279132) @@ -1,5 +1,14 @@ 2021-06-22 Saam Barati +Don't assume stress/out-of-memory-while-constructing-BytecodeGenerator.js will OOM +https://bugs.webkit.org/show_bug.cgi?id=227263 + +Reviewed by Yusuke Suzuki. + +* stress/out-of-memory-while-constructing-BytecodeGenerator.js: + +2021-06-22 Saam Barati + Run detach-buffer-during-iteration for fewer iterations https://bugs.webkit.org/show_bug.cgi?id=227262 Modified: trunk/JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js (279131 => 279132) --- trunk/JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js 2021-06-22 18:44:45 UTC (rev 279131) +++ trunk/JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js 2021-06-22 18:48:07 UTC (rev 279132) @@ -29,5 +29,5 @@ exception = e; } -if (exception != "RangeError: Out of memory") +if (exception && exception != "RangeError: Out of memory") throw "FAIL"; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
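Review bot: with `if (exception && exception != "RangeError: Out of memory")` a run that never throws now passes, which matches the title, but the test then no longer confirms that the BytecodeGenerator OOM path was hit at all; if that path is the point of the test, make the non-OOM case at least visible (print a notice, or require an option that makes the allocation fail deterministically) so the test does not quietly become a no-op on machines with more memory.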