[webkit-changes] [295748] trunk

2022-06-22 Thread sbarati
Title: [295748] trunk

Revision 295748
Author sbar...@apple.com
Date 2022-06-22 14:01:40 -0700 (Wed, 22 Jun 2022)


Log Message
Don't install webpushd on catalyst
https://bugs.webkit.org/show_bug.cgi?id=241860

Reviewed by Alexey Proskuryakov.

* Source/_javascript_Core/Configurations/SDKVariant.xcconfig:
* Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig:
* Source/ThirdParty/gtest/xcode/Config/SDKVariant.xcconfig:
* Source/ThirdParty/libwebrtc/Configurations/SDKVariant.xcconfig:
* Source/WTF/Configurations/SDKVariant.xcconfig:
* Source/WebCore/Configurations/SDKVariant.xcconfig:
* Source/WebCore/PAL/Configurations/SDKVariant.xcconfig:
* Source/WebGPU/Configurations/SDKVariant.xcconfig:
* Source/WebInspectorUI/Configurations/SDKVariant.xcconfig:
* Source/WebKit/Configurations/BaseTarget.xcconfig:
* Source/WebKit/Configurations/SDKVariant.xcconfig:
* Source/WebKitLegacy/mac/Configurations/SDKVariant.xcconfig:
* Source/bmalloc/Configurations/SDKVariant.xcconfig:

Canonical link: https://commits.webkit.org/251753@main

Modified Paths

trunk/PerformanceTests/MediaTime/Configurations/SDKVariant.xcconfig
trunk/Source/_javascript_Core/Configurations/SDKVariant.xcconfig
trunk/Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig
trunk/Source/ThirdParty/gtest/xcode/Config/SDKVariant.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/SDKVariant.xcconfig
trunk/Source/WTF/Configurations/SDKVariant.xcconfig
trunk/Source/WebCore/Configurations/SDKVariant.xcconfig
trunk/Source/WebCore/PAL/Configurations/SDKVariant.xcconfig
trunk/Source/WebGPU/Configurations/SDKVariant.xcconfig
trunk/Source/WebInspectorUI/Configurations/SDKVariant.xcconfig
trunk/Source/WebKit/Configurations/BaseTarget.xcconfig
trunk/Source/WebKit/Configurations/SDKVariant.xcconfig
trunk/Source/WebKitLegacy/mac/Configurations/SDKVariant.xcconfig
trunk/Source/bmalloc/Configurations/SDKVariant.xcconfig
trunk/Tools/ContentExtensionTester/Configurations/SDKVariant.xcconfig
trunk/Tools/DumpRenderTree/mac/Configurations/SDKVariant.xcconfig
trunk/Tools/ImageDiff/cg/Configurations/SDKVariant.xcconfig
trunk/Tools/MiniBrowser/Configurations/SDKVariant.xcconfig
trunk/Tools/MobileMiniBrowser/Configurations/SDKVariant.xcconfig
trunk/Tools/TestWebKitAPI/Configurations/SDKVariant.xcconfig
trunk/Tools/WebEditingTester/Configurations/SDKVariant.xcconfig
trunk/Tools/WebKitTestRunner/Configurations/SDKVariant.xcconfig
trunk/Tools/lldb/lldbWebKitTester/Configurations/SDKVariant.xcconfig
trunk/Tools/sanitizer/sanitizer.xcconfig

Diff

Modified: trunk/PerformanceTests/MediaTime/Configurations/SDKVariant.xcconfig (295747 => 295748)

--- trunk/PerformanceTests/MediaTime/Configurations/SDKVariant.xcconfig	2022-06-22 20:11:59 UTC (rev 295747)
+++ trunk/PerformanceTests/MediaTime/Configurations/SDKVariant.xcconfig	2022-06-22 21:01:40 UTC (rev 295748)
@@ -26,6 +26,16 @@
 WK_NOT_NO = YES;
 WK_NOT_YES = NO;
 
+WK_OR__ = NO
+WK_OR_NO_NO = NO
+WK_OR__NO = NO
+WK_OR_NO_ = NO
+WK_OR_YES_ = YES
+WK_OR__YES = YES
+WK_OR_YES_NO = YES
+WK_OR_NO_YES = YES
+WK_OR_YES_YES = YES
+
 WK_DEFAULT_PLATFORM_NAME = $(WK_DEFAULT_PLATFORM_NAME_$(WK_EMPTY_$(FALLBACK_PLATFORM_NAME)));
 WK_DEFAULT_PLATFORM_NAME_YES = $(PLATFORM_NAME);
 WK_DEFAULT_PLATFORM_NAME_ = $(FALLBACK_PLATFORM_NAME);
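Review bot: the nine added WK_OR_* lines omit the trailing semicolon that the neighbouring `WK_NOT_NO = YES;` and `WK_NOT_YES = NO;` lines use; xcconfig accepts both forms, but the file should stay consistent, so `WK_OR__ = NO;` and so on. The truth table itself is right (a result is YES exactly when either operand is YES, and an empty operand behaves as NO), but the identical block is pasted into every SDKVariant.xcconfig in the modified-paths list, so a single shared xcconfig included by each would keep the table in one place when it next changes.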


Modified: trunk/Source/_javascript_Core/Configurations/SDKVariant.xcconfig (295747 => 295748)

--- trunk/Source/_javascript_Core/Configurations/SDKVariant.xcconfig	2022-06-22 20:11:59 UTC (rev 295747)
+++ trunk/Source/_javascript_Core/Configurations/SDKVariant.xcconfig	2022-06-22 21:01:40 UTC (rev 295748)
@@ -26,6 +26,16 @@
 WK_NOT_NO = YES;
 WK_NOT_YES = NO;
 
+WK_OR__ = NO
+WK_OR_NO_NO = NO
+WK_OR__NO = NO
+WK_OR_NO_ = NO
+WK_OR_YES_ = YES
+WK_OR__YES = YES
+WK_OR_YES_NO = YES
+WK_OR_NO_YES = YES
+WK_OR_YES_YES = YES
+
 WK_DEFAULT_PLATFORM_NAME = $(WK_DEFAULT_PLATFORM_NAME_$(WK_EMPTY_$(FALLBACK_PLATFORM_NAME)));
 WK_DEFAULT_PLATFORM_NAME_YES = $(PLATFORM_NAME);
 WK_DEFAULT_PLATFORM_NAME_ = $(FALLBACK_PLATFORM_NAME);


Modified: trunk/Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig (295747 => 295748)

--- trunk/Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig	2022-06-22 20:11:59 UTC (rev 295747)
+++ trunk/Source/ThirdParty/ANGLE/Configurations/SDKVariant.xcconfig	2022-06-22 21:01:40 UTC (rev 295748)
@@ -26,6 +26,16 @@
 WK_NOT_NO = YES;
 WK_NOT_YES = NO;
 
+WK_OR__ = NO
+WK_OR_NO_NO = NO
+WK_OR__NO = NO
+WK_OR_NO_ = NO
+WK_OR_YES_ = YES
+WK_OR__YES = YES
+WK_OR_YES_NO = YES
+WK_OR_NO_YES = YES
+WK_OR_YES_YES = YES
+
 WK_DEFAULT_PLATFORM_NAME = $(WK_DEFAULT_PLATFORM_NAME_$(WK_EMPTY_$(FALLBACK_PLATFORM_NAME)));
 WK_DEFAULT_PLATFORM_NAME_YES = $(PLATFORM_NAME);
 WK_DEFAULT_PLATFORM_NAME_ = $(FALLBACK_PLATFORM_NAME);


Modified: trunk/Source/ThirdParty/gtest/xcode/Config/SDKVariant.xcconfig (295747 => 295748)

--- trunk/Source/ThirdParty/gtest/xcode/Config/SDKVariant.xcconfig	2022-06-22 20:11:59 UTC (rev 295747)
+++ 

[webkit-changes] [295606] trunk/Source/JavaScriptCore/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp

2022-06-16 Thread sbarati
Title: [295606] trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp

Revision 295606
Author sbar...@apple.com
Date 2022-06-16 12:51:36 -0700 (Thu, 16 Jun 2022)


Log Message
Change how we rewind instructions in Air's O0 register allocator
https://bugs.webkit.org/show_bug.cgi?id=241687

Reviewed by Mark Lam.

* Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
(JSC::B3::Air::GenerateAndAllocateRegisters::generate):

Canonical link: https://commits.webkit.org/251611@main

Modified Paths

trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp

Diff

Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp (295605 => 295606)

--- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp	2022-06-16 19:44:58 UTC (rev 295605)
+++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp	2022-06-16 19:51:36 UTC (rev 295606)
@@ -590,6 +590,7 @@
 context.indexInBlock = instIndex;
 
 Inst& inst = block->at(instIndex);
+Inst instCopy = inst;
 
 m_namedUsedRegs = RegisterSet();
 m_namedDefdRegs = RegisterSet();
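Review bot: `Inst instCopy = inst;` is taken for every instruction but is only consumed on the `!success` replay path in the next hunk; `Inst` carries a vector of args, so this is a heap copy per instruction in an allocator whose purpose is compile speed. If the per-instruction copy is deliberate (the snapshot has to predate any mutation of `inst`, so it cannot be deferred to the failure path), a one-line comment here saying so will stop the next reader from "optimising" it away.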
@@ -753,26 +754,7 @@
 if (!success) {
 RELEASE_ASSERT(!isReplayingSameInst); // We should only need to do the below at most once per inst.
 
-// We need to capture the register state before we start spilling things
-// since we may have multiple arguments that are the same register.
-IndexMap allocationSnapshot = currentAllocation;
-
-// We rewind this Inst to be in its previous state, however, if any arg admits stack,
-// we move to providing that arg in stack form. This will allow us to fully allocate
-// this inst when we rewind.
-inst.forEachTmpFast([&] (Tmp& tmp) {
-if (!tmp.isReg())
-return;
-if (isDisallowedRegister(tmp.reg()))
-return;
-Tmp originalTmp = allocationSnapshot[tmp.reg()];
-if (originalTmp.isReg()) {
-ASSERT(tmp.reg() == originalTmp.reg());
-// This means this Inst referred to this reg directly. We leave these as is.
-return;
-}
-tmp = originalTmp;
-});
+inst = instCopy;
 inst.forEachArg([&] (Arg& arg, Arg::Role, Bank, Width) {
 if (arg.isTmp() && !arg.tmp().isReg() && inst.admitsStack(arg)) {
 Tmp tmp = arg.tmp();
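Review bot: the replacement `inst = instCopy;` drops the comment block that explained what the rewind is for; keep a short comment stating that `instCopy` is the unmodified Inst captured at the top of the loop, so a reader does not have to look 160 lines up to find where the snapshot comes from. The `RELEASE_ASSERT(!isReplayingSameInst)` guard above still limits the rewind to once per inst, which is what keeps the `forEachArg` stack conversion that follows from looping.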


___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [295585] trunk/Source/JavaScriptCore

2022-06-15 Thread sbarati
Title: [295585] trunk/Source/_javascript_Core

Revision 295585
Author sbar...@apple.com
Date 2022-06-15 22:31:25 -0700 (Wed, 15 Jun 2022)


Log Message
Don't clear both prototype ICs for LLInt iterator_next
https://bugs.webkit.org/show_bug.cgi?id=241663

Reviewed by Yusuke Suzuki.

If we use BytecodeIndex instead of a bytecode offset, we don't need to
clear both ICs. We can just clear the one that the watchpoint fired for.

* Source/_javascript_Core/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeLLIntInlineCaches):
* Source/_javascript_Core/bytecode/CodeBlock.h:
* Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::initialize):
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
* Source/_javascript_Core/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
(JSC::LLInt::performLLIntGetByID):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

Canonical link: https://commits.webkit.org/251590@main

Modified Paths

trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp

Diff

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (295584 => 295585)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2022-06-16 04:57:11 UTC (rev 295584)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2022-06-16 05:31:25 UTC (rev 295585)
@@ -1547,7 +1547,8 @@
 // then cleared the cache without GCing in between.
 m_llintGetByIdWatchpointMap.removeIf([&] (const StructureWatchpointMap::KeyValuePairType& pair) -> bool {
 auto clear = [&] () {
-auto& instruction = instructions().at(std::get<1>(pair.key));
+BytecodeIndex bytecodeIndex = std::get<1>(pair.key);
+auto& instruction = instructions().at(bytecodeIndex.offset());
 OpcodeID opcode = instruction->opcodeID();
 switch (opcode) {
 case op_get_by_id: {
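Review bot: `bytecodeIndex.offset()` is the only component of the new key that `clear` consults, so the switch below still locates the instruction by offset alone; if the intent (per the log message) is that the two prototype ICs of one `iterator_next` are distinguished by the checkpoint in the BytecodeIndex, the code that picks which IC to clear should read that checkpoint, and a comment at this line naming the component that selects the IC would make the invariant explicit.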


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (295584 => 295585)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2022-06-16 04:57:11 UTC (rev 295584)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2022-06-16 05:31:25 UTC (rev 295585)
@@ -591,7 +591,7 @@
 return m_unlinkedCode->llintExecuteCounter();
 }
 
-typedef HashMap, FixedVector> StructureWatchpointMap;
+typedef HashMap, FixedVector> StructureWatchpointMap;
 StructureWatchpointMap& llintGetByIdWatchpointMap() { return m_llintGetByIdWatchpointMap; }
 
 // Functions for controlling when tiered compilation kicks in. This


Modified: trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp (295584 => 295585)

--- trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp	2022-06-16 04:57:11 UTC (rev 295584)
+++ trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp	2022-06-16 05:31:25 UTC (rev 295585)
@@ -32,10 +32,10 @@
 
 namespace JSC {
 
-LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint(CodeBlock* owner, const ObjectPropertyCondition& key, unsigned bytecodeOffset)
+LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint(CodeBlock* owner, const ObjectPropertyCondition& key, BytecodeIndex bytecodeIndex)
 : Watchpoint(Watchpoint::Type::LLIntPrototypeLoadAdaptiveStructure)
 , m_owner(owner)
-, m_bytecodeOffset(bytecodeOffset)
+, m_bytecodeIndex(bytecodeIndex)
 , m_key(key)
 {
 RELEASE_ASSERT(key.watchingRequiresStructureTransitionWatchpoint());
@@ -45,14 +45,13 @@
 LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint()
 : Watchpoint(Watchpoint::Type::LLIntPrototypeLoadAdaptiveStructure)
 , m_owner(nullptr)
-, m_bytecodeOffset(0)
 {
 }
 
-void LLIntPrototypeLoadAdaptiveStructureWatchpoint::initialize(CodeBlock* codeBlock, const ObjectPropertyCondition& key, unsigned bytecodeOffset)
+void LLIntPrototypeLoadAdaptiveStructureWatchpoint::initialize(CodeBlock* codeBlock, const ObjectPropertyCondition& key, BytecodeIndex bytecodeOffset)
 {
 m_owner = codeBlock;
-m_bytecodeOffset = bytecodeOffset;
+m_bytecodeIndex = bytecodeOffset;
 m_key = key;
 }
 
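Review bot: `initialize` now takes a `BytecodeIndex` but still names the parameter `bytecodeOffset` and assigns it to `m_bytecodeIndex`; rename the parameter to `bytecodeIndex` to match the constructor in the hunk above, otherwise the name suggests a raw offset. Removing `m_bytecodeOffset(0)` from the default constructor is fine only if a default-constructed `BytecodeIndex` is a well-defined "empty" value; an explicit `m_bytecodeIndex()` in the initializer list, or a comment, would make that intent visible.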
@@ -73,7 +72,7 @@
 return;
 }
 
-auto& instruction = m_owner->instructions().at(m_bytecodeOffset.get());
+auto& instruction = m_owner->instructions().at(m_bytecodeIndex.get().offset());
 switch (instruction->opcodeID()) 

[webkit-changes] [294917] trunk/Source/JavaScriptCore

2022-05-26 Thread sbarati
Title: [294917] trunk/Source/_javascript_Core

Revision 294917
Author sbar...@apple.com
Date 2022-05-26 17:56:40 -0700 (Thu, 26 May 2022)


Log Message
Rename putDirect to putDirectOffset
https://bugs.webkit.org/show_bug.cgi?id=240992


Reviewed by Mark Lam.

* Source/_javascript_Core/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/_javascript_Core/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_JIT_OPERATION):
* Source/_javascript_Core/runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
* Source/_javascript_Core/runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/_javascript_Core/runtime/IteratorOperations.cpp:
(JSC::createIteratorResultObject):
* Source/_javascript_Core/runtime/JSONObject.cpp:
(JSC::Walker::walk):
* Source/_javascript_Core/runtime/JSObject.cpp:
(JSC::JSObject::setPrototypeDirect):
(JSC::JSObject::putDirectCustomGetterSetterWithoutTransition):
(JSC::JSObject::putDirectNonIndexAccessorWithoutTransition):
* Source/_javascript_Core/runtime/JSObject.h:
(JSC::JSObject::putDirectOffset):
(JSC::JSObject::putDirectWithoutBarrier):
(JSC::JSObject::putDirectUndefined): Deleted.
* Source/_javascript_Core/runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectWithoutTransition):
(JSC::JSObject::putDirectInternal):
* Source/_javascript_Core/runtime/ObjectConstructor.h:
(JSC::constructObjectFromPropertyDescriptor):
* Source/_javascript_Core/runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):
* Source/_javascript_Core/runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

Canonical link: https://commits.webkit.org/251035@main

Modified Paths

trunk/Source/_javascript_Core/dfg/DFGOperations.cpp
trunk/Source/_javascript_Core/ftl/FTLOperations.cpp
trunk/Source/_javascript_Core/runtime/ClonedArguments.cpp
trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp
trunk/Source/_javascript_Core/runtime/IteratorOperations.cpp
trunk/Source/_javascript_Core/runtime/JSONObject.cpp
trunk/Source/_javascript_Core/runtime/JSObject.cpp
trunk/Source/_javascript_Core/runtime/JSObject.h
trunk/Source/_javascript_Core/runtime/JSObjectInlines.h
trunk/Source/_javascript_Core/runtime/ObjectConstructor.h
trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.h
trunk/Source/_javascript_Core/runtime/Structure.cpp

Diff

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (294916 => 294917)

--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2022-05-27 00:50:02 UTC (rev 294916)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2022-05-27 00:56:40 UTC (rev 294917)
@@ -417,7 +417,7 @@
 if (structure->hasPolyProto()) {
 JSObject* prototype = allocationProfile->prototype();
 ASSERT(prototype == jsCast(constructor)->prototypeForConstruction(vm, globalObject));
-result->putDirect(vm, knownPolyProtoOffset, prototype);
+result->putDirectOffset(vm, knownPolyProtoOffset, prototype);
 prototype->didBecomePrototype();
 ASSERT_WITH_MESSAGE(!hasIndexedProperties(result->indexingType()), "We rely on JSFinalObject not starting out with an indexing type otherwise we would potentially need to convert to slow put storage");
 }


Modified: trunk/Source/_javascript_Core/ftl/FTLOperations.cpp (294916 => 294917)

--- trunk/Source/_javascript_Core/ftl/FTLOperations.cpp	2022-05-27 00:50:02 UTC (rev 294916)
+++ trunk/Source/_javascript_Core/ftl/FTLOperations.cpp	2022-05-27 00:56:40 UTC (rev 294917)
@@ -88,7 +88,7 @@
 if (codeBlock->identifier(property.location().info()).impl() != entry.key())
 continue;
 
-object->putDirect(vm, entry.offset(), JSValue::decode(values[i]));
+object->putDirectOffset(vm, entry.offset(), JSValue::decode(values[i]));
 }
 }
 break;
@@ -225,7 +225,7 @@
 // We use a random-ish number instead of a sensible value like
 // undefined to make possible bugs easier to track.
 for (const PropertyTableEntry& entry : structure->getPropertiesConcurrently())
-result->putDirect(vm, entry.offset(), jsNumber(19723));
+result->putDirectOffset(vm, entry.offset(), jsNumber(19723));
 
 return result;
 }


Modified: trunk/Source/_javascript_Core/runtime/ClonedArguments.cpp (294916 => 294917)

--- trunk/Source/_javascript_Core/runtime/ClonedArguments.cpp	2022-05-27 00:50:02 UTC (rev 294916)
+++ trunk/Source/_javascript_Core/runtime/ClonedArguments.cpp	2022-05-27 00:56:40 UTC (rev 294917)
@@ -69,7 +69,7 @@
 result->finishCreation(vm);
 
 result->m_callee.set(vm, result, callee);
-result->putDirect(vm, clonedArgumentsLengthPropertyOffset, jsNumber(length));
+result->putDirectOffset(vm, clonedArgumentsLengthPropertyOffset, jsNumber(length));
 return result;
 }
 


Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (294916 => 294917)

--- 

[webkit-changes] [294284] trunk/Source/JavaScriptCore

2022-05-16 Thread sbarati
Title: [294284] trunk/Source/_javascript_Core

Revision 294284
Author sbar...@apple.com
Date 2022-05-16 18:34:39 -0700 (Mon, 16 May 2022)


Log Message
Move around some NaN handling code
https://bugs.webkit.org/show_bug.cgi?id=240493


Reviewed by Yusuke Suzuki.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueRep):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::purifyNaN):
(JSC::FTL::DFG::LowerDFGToB3::compileValueRep):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Canonical link: https://commits.webkit.org/250628@main

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (294283 => 294284)

--- trunk/Source/_javascript_Core/ChangeLog	2022-05-17 01:32:50 UTC (rev 294283)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-05-17 01:34:39 UTC (rev 294284)
@@ -1,3 +1,18 @@
+2022-05-16  Saam Barati  
+
+Move around some NaN handling code
+https://bugs.webkit.org/show_bug.cgi?id=240493
+
+
+Reviewed by Yusuke Suzuki.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileValueRep):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::purifyNaN):
+(JSC::FTL::DFG::LowerDFGToB3::compileValueRep):
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
 2022-05-16  Patrick Angle  
 
 Web Inspector: Regression(r266885) Crash sometimes when rehydrating imported audit results


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (294283 => 294284)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2022-05-17 01:32:50 UTC (rev 294283)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2022-05-17 01:34:39 UTC (rev 294284)
@@ -3484,7 +3484,7 @@
 // anymore. Unfortunately, this would be unsound. If it's a GetLocal or if the value was
 // subject to a prior SetLocal, filtering the value would imply that the corresponding
 // local was purified.
-if (needsTypeCheck(node->child1(), ~SpecDoubleImpureNaN))
+if (m_state.forNode(node->child1()).couldBeType(SpecDoubleImpureNaN))
 m_jit.purifyNaN(valueFPR);
 
 boxDouble(valueFPR, resultRegs);
@@ -4007,6 +4007,7 @@
 }
 
 if (format == DataFormatJS) {
+m_jit.purifyNaN(resultReg);
 m_jit.boxDouble(resultReg, resultRegs);
 jsValueResult(resultRegs, node);
 } else {
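Review bot: the added `m_jit.purifyNaN(resultReg);` is unconditional, whereas the `compileValueRep` hunk above purifies only when `couldBeType(SpecDoubleImpureNaN)` holds. If no abstract value is available for `resultReg` at this point, a comment saying so would explain the asymmetry; if one is, applying the same guard avoids the extra compare-and-select on a hot boxing path.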


Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (294283 => 294284)

--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2022-05-17 01:32:50 UTC (rev 294283)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2022-05-17 01:34:39 UTC (rev 294284)
@@ -1964,6 +1964,11 @@
 setInt32(integerValue);
 }
 
+LValue purifyNaN(LValue value)
+{
+return m_out.select(m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
+}
+
 void compileValueRep()
 {
 switch (m_node->child1().useKind()) {
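Review bot: the new `purifyNaN` helper deserves a one-line comment: `doubleEqual(value, value)` is false only for NaN, so the select replaces every NaN bit pattern with the canonical `PNaN` and leaves every other double untouched. Giving it the same name as the DFG's `m_jit.purifyNaN` is good for grep-ability; consider placing it next to the other small lowering helpers rather than between `setInt32` and `compileValueRep`, where it reads as part of the value-rep code.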
@@ -1970,10 +1975,8 @@
 case DoubleRepUse: {
 LValue value = lowDouble(m_node->child1());
 
-if (m_interpreter.needsTypeCheck(m_node->child1(), ~SpecDoubleImpureNaN)) {
-value = m_out.select(
-m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
-}
+if (abstractValue(m_node->child1()).couldBeType(SpecDoubleImpureNaN))
+value = purifyNaN(value);
 
 setJSValue(boxDouble(value));
 return;
@@ -13780,7 +13783,7 @@
 else
 genericResult = strictInt52ToJSValue(m_out.zeroExt(genericResult, Int64));
 } else if (genericResult->type() == Double)
-genericResult = boxDouble(genericResult);
+genericResult = boxDouble(purifyNaN(genericResult));
 
 results.append(m_out.anchor(genericResult));
 m_out.jump(continuation);
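Review bot: `boxDouble(purifyNaN(genericResult))` purifies unconditionally on the generic fallback path of strict equality, so the cost is likely irrelevant, but since `compileValueRep` guards on `couldBeType(SpecDoubleImpureNaN)`, a short comment saying why no guard applies here (a merged `genericResult` has no per-edge abstract value) would pre-empt the question in the next review.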


[webkit-changes] [294087] trunk/Source/JavaScriptCore

2022-05-11 Thread sbarati
Title: [294087] trunk/Source/_javascript_Core

Revision 294087
Author sbar...@apple.com
Date 2022-05-11 19:06:37 -0700 (Wed, 11 May 2022)


Log Message
Better handle clobbered registers in O0 register allocation
https://bugs.webkit.org/show_bug.cgi?id=240205


Reviewed by Yusuke Suzuki.

This patch makes Air's O0 register allocator better handle clobbered
registers. We now model both early and late clobber directly, and use
this to perform a basic interference analysis when allocating a register
to a Tmp. An early clobber interferes with any Use in an instruction, and
any early Defs. A late clobber interferes with any Defs in an instruction,
and any late Uses. What this enables is an early Use can be allocated
to a register that is only late clobbered. And a result can be allocated
to a register that is only early clobbered.

Prior to this, the algorithm had a bug where a Use may be allocated to
a register that is early clobbered.

* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
(JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
(JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
(JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
(JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
(JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
(JSC::B3::Air::GenerateAndAllocateRegisters::generate):
* b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
* b3/air/testair.cpp:
* jit/RegisterSet.h:

Canonical link: https://commits.webkit.org/250477@main

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp
trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.h
trunk/Source/_javascript_Core/b3/air/testair.cpp
trunk/Source/_javascript_Core/jit/RegisterSet.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (294086 => 294087)

--- trunk/Source/_javascript_Core/ChangeLog	2022-05-12 01:44:45 UTC (rev 294086)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-05-12 02:06:37 UTC (rev 294087)
@@ -1,3 +1,34 @@
+2022-05-08  Saam Barati  
+
+Better handle clobbered registers in O0 register allocation
+https://bugs.webkit.org/show_bug.cgi?id=240205
+
+
+Reviewed by Yusuke Suzuki.
+
+This patch makes Air's O0 register allocator better handle clobbered
+registers. We now model both early and late clobber directly, and use
+this to perform a basic interference analysis when allocating a register
+to a Tmp. An early clobber interferes with any Use in an instruction, and
+any early Defs. A late clobber interferes with any Defs in an instruction,
+and any late Uses. What this enables is an early Use can be allocated
+to a register that is only late clobbered. And a result can be allocated 
+to a register that is only early clobbered.
+
+Prior to this, the algorithm had a bug where a Use may be allocated to
+a register that is early clobbered.
+
+* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
+(JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
+(JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
+(JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
+(JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
+(JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
+(JSC::B3::Air::GenerateAndAllocateRegisters::generate):
+* b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
+* b3/air/testair.cpp:
+* jit/RegisterSet.h:
+
 2022-05-11  Patrick Angle  
 
 Web Inspector: Parse InjectedScriptSource as a built-in to get guaranteed non-user-overriden JSC built-ins
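Review bot: the ChangeLog entry is dated `2022-05-08` while the commit date is 2022-05-11 and the entry sits above Patrick Angle's 2022-05-11 entry; the date should match the landing date so the ChangeLog stays in chronological order.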


Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp (294086 => 294087)

--- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp	2022-05-12 01:44:45 UTC (rev 294086)
+++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp	2022-05-12 02:06:37 UTC (rev 294087)
@@ -78,7 +78,7 @@
 {
 m_liveRangeEnd = TmpMap(m_code, 0);
 
-m_globalInstIndex = 0;
+m_globalInstIndex = 1;
 for (BasicBlock* block : m_code) {
 for (Tmp tmp : liveness.liveAtHead(block)) {
 if (!tmp.isReg())
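Review bot: starting `m_globalInstIndex` at 1 instead of 0 makes 0 the value that `m_liveRangeEnd = TmpMap(m_code, 0)` assigns to tmps with no recorded live range, and the new assert in `spill` (`m_liveRangeEnd[tmp] >= m_globalInstIndex`) relies on that sentinel. State this in a comment at the assignment; on its own the `1` reads like an off-by-one.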
@@ -180,11 +180,12 @@
 {
 ASSERT(reg);
 ASSERT(m_map[tmp].reg == reg);
+ASSERT(tmp.isReg() || m_liveRangeEnd[tmp] >= m_globalInstIndex);
 flush(tmp, reg);
 release(tmp, reg);
 }
 
-ALWAYS_INLINE void GenerateAndAllocateRegisters::alloc(Tmp tmp, Reg reg, bool isDef)
+ALWAYS_INLINE void GenerateAndAllocateRegisters::alloc(Tmp tmp, Reg reg, Arg::Role role)
 {
 if (Tmp occupyingTmp = m_currentAllocation->at(reg))
 spill(occupyingTmp, reg);
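Review bot: `ASSERT(tmp.isReg() || m_liveRangeEnd[tmp] >= m_globalInstIndex)` in `spill` is the check that catches exactly the class of bug the log message describes (a tmp still being handled after its live range ended), but it compiles out in release builds; if the cost is negligible here, `RELEASE_ASSERT` would make a mis-allocation fail loudly instead of silently emitting code that reuses a clobbered register. The `alloc` signature change from `bool isDef` to `Arg::Role role` is the right shape for the early/late clobber model described in the log message.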
@@ -197,7 +198,7 @@
 m_availableRegs[tmp.bank()].clear(reg);
 

[webkit-changes] [292926] trunk

2022-04-15 Thread sbarati
Title: [292926] trunk

Revision 292926
Author sbar...@apple.com
Date 2022-04-15 15:56:46 -0700 (Fri, 15 Apr 2022)


Log Message
Unreviewed. Add my github info to contributors.json.

* metadata/contributors.json:

Modified Paths

trunk/ChangeLog
trunk/metadata/contributors.json

Diff

Modified: trunk/ChangeLog (292925 => 292926)

--- trunk/ChangeLog	2022-04-15 22:37:06 UTC (rev 292925)
+++ trunk/ChangeLog	2022-04-15 22:56:46 UTC (rev 292926)
@@ -1,3 +1,9 @@
+2022-04-15  Saam Barati  
+
+Unreviewed. Add my github into to contributors.json.
+
+* metadata/contributors.json:
+
 2022-04-14  Jonathan Bedard  
 
 Add .github/pull_request_template.md


Modified: trunk/metadata/contributors.json (292925 => 292926)

--- trunk/metadata/contributors.json	2022-04-15 22:37:06 UTC (rev 292925)
+++ trunk/metadata/contributors.json	2022-04-15 22:56:46 UTC (rev 292926)
@@ -5858,6 +5858,7 @@
   "nicks" : [
  "saamyjoon"
   ],
+  "github" : "saambarati",
   "status" : "reviewer"
},
{
@@ -7169,4 +7170,4 @@
   ],
   "status" : "reviewer"
}
-]
\ No newline at end of file
+]



[webkit-changes] [292493] trunk/Source/JavaScriptCore

2022-04-06 Thread sbarati
Title: [292493] trunk/Source/_javascript_Core

Revision 292493
Author sbar...@apple.com
Date 2022-04-06 12:35:37 -0700 (Wed, 06 Apr 2022)


Log Message
Call Structure::get instead of Structure::getConcurrently on the mutator thread
https://bugs.webkit.org/show_bug.cgi?id=238823

Reviewed by Yusuke Suzuki.

We try to call Structure::get instead of Structure::getConcurrently when
we know for sure we're on the main thread. This is because getConcurrently
is slower than get.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::couldStillSucceed const):
(JSC::AccessCase::generateImpl):
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
(JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
* bytecode/ObjectPropertyCondition.cpp:
(JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const):
(JSC::ObjectPropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::ObjectPropertyCondition::isStillValid const):
(JSC::ObjectPropertyCondition::structureEnsuresValidity const):
* bytecode/ObjectPropertyCondition.h:
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::ObjectPropertyConditionSet::structuresEnsureValidity const):
(JSC::generateConditionsForPropertyMiss):
(JSC::generateConditionsForPropertySetterMiss):
(JSC::generateConditionsForPrototypePropertyHit):
(JSC::generateConditionsForPrototypePropertyHitCustom):
(JSC::generateConditionsForPrototypeEquivalenceConcurrently):
(JSC::generateConditionsForPropertyMissConcurrently):
(JSC::generateConditionsForPropertySetterMissConcurrently):
(JSC::generateConditionForSelfEquivalence):
(JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint const): Deleted.
(JSC::ObjectPropertyConditionSet::isValidAndWatchable const): Deleted.
* bytecode/ObjectPropertyConditionSet.h:
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::watchabilityToConcurrency):
(JSC::PropertyCondition::isStillValid const):
(JSC::PropertyCondition::isWatchableWhenValid const):
(JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint const):
(JSC::PropertyCondition::isWatchable const):
* bytecode/PropertyCondition.h:
* dfg/DFGAdaptiveStructureWatchpoint.cpp:
(JSC::DFG::AdaptiveStructureWatchpoint::install):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::check):
(JSC::DFG::ByteCodeParser::planLoad):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
* dfg/DFGDesiredWatchpoints.h:
(JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::watchCondition):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
* runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp:
(JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::tryInstallSpeciesWatchpoint):
* runtime/JSObject.h:
(JSC::JSObject::getDirect const):
* runtime/Structure.h:
(JSC::Structure::get):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::cacheSpecialPropertySlow):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/AccessCase.cpp
trunk/Source/_javascript_Core/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp
trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.cpp
trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.h
trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp
trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.h
trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp
trunk/Source/_javascript_Core/bytecode/PropertyCondition.h
trunk/Source/_javascript_Core/dfg/DFGAdaptiveStructureWatchpoint.cpp
trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp
trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp
trunk/Source/_javascript_Core/dfg/DFGDesiredWatchpoints.h
trunk/Source/_javascript_Core/dfg/DFGGraph.cpp
trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp
trunk/Source/_javascript_Core/runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp
trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp
trunk/Source/_javascript_Core/runtime/JSObject.h
trunk/Source/_javascript_Core/runtime/Structure.h
trunk/Source/_javascript_Core/runtime/StructureRareData.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (292492 => 292493)

--- trunk/Source/_javascript_Core/ChangeLog	2022-04-06 19:33:49 UTC (rev 292492)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-04-06 19:35:37 UTC (rev 292493)
@@ -1,3 +1,72 @@
+2022-04-06  Saam Barati  
+
+Call Structure::get instead of Structure::getConcurrently on the mutator thread
+

[webkit-changes] [292369] trunk

2022-04-04 Thread sbarati
Title: [292369] trunk

Revision 292369
Author sbar...@apple.com
Date 2022-04-04 20:32:00 -0700 (Mon, 04 Apr 2022)


Log Message
Turn off LLInt ICs in captive portal mode
https://bugs.webkit.org/show_bug.cgi?id=238778


Reviewed by Yusuke Suzuki.

Source/_javascript_Core:

* bytecode/CallLinkInfo.cpp:
(JSC::BaselineCallLinkInfo::initialize):
* bytecode/Repatch.cpp:
(JSC::unlinkCall):
* llint/LLIntCommon.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::performLLIntGetByID):
* runtime/OptionsList.h:

Source/WebKit:

* Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.h:
(WebKit::XPCServiceInitializer):

Tools:

* Scripts/run-jsc-stress-tests:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp
trunk/Source/_javascript_Core/bytecode/Repatch.cpp
trunk/Source/_javascript_Core/llint/LLIntCommon.h
trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp
trunk/Source/_javascript_Core/runtime/OptionsList.h
trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/Shared/EntryPointUtilities/Cocoa/XPCService/XPCServiceEntryPoint.h
trunk/Tools/ChangeLog
trunk/Tools/Scripts/run-jsc-stress-tests




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (292368 => 292369)

--- trunk/Source/_javascript_Core/ChangeLog	2022-04-05 03:29:17 UTC (rev 292368)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-04-05 03:32:00 UTC (rev 292369)
@@ -1,3 +1,21 @@
+2022-04-04  Saam Barati  
+
+Turn off LLInt ICs in captive portal mode
+https://bugs.webkit.org/show_bug.cgi?id=238778
+
+
+Reviewed by Yusuke Suzuki.
+
+* bytecode/CallLinkInfo.cpp:
+(JSC::BaselineCallLinkInfo::initialize):
+* bytecode/Repatch.cpp:
+(JSC::unlinkCall):
+* llint/LLIntCommon.h:
+* llint/LLIntSlowPaths.cpp:
+(JSC::LLInt::LLINT_SLOW_PATH_DECL):
+(JSC::LLInt::performLLIntGetByID):
+* runtime/OptionsList.h:
+
 2022-04-04  Geoffrey Garen  
 
 Only check isPagedOut() under memory pressure


Modified: trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp (292368 => 292369)

--- trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp	2022-04-05 03:29:17 UTC (rev 292368)
+++ trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp	2022-04-05 03:32:00 UTC (rev 292369)
@@ -324,7 +324,10 @@
 m_frameShuffleData = makeUnique(*frameShuffleData);
 }
 #endif
-setSlowPathCallDestination(vm.getCTILinkCall().code());
+if (LIKELY(Options::useLLIntICs()))
+setSlowPathCallDestination(vm.getCTILinkCall().code());
+else
+setSlowPathCallDestination(vm.getCTIVirtualCall(callMode()).retagged().code());
 // If JIT is disabled, we should not support dynamically generated call IC.
 if (!Options::useJIT())
 disallowStubs();
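Review bot: the new `else` branch routes the slow path to the virtual-call thunk when LLInt ICs are off, but the `if (!Options::useJIT()) disallowStubs();` immediately below is unchanged, so a baseline call link info created with `useLLIntICs()` false can still receive dynamically generated stubs once the JIT is enabled. If the point of the captive portal mode is to avoid those stubs as well, gate `disallowStubs()` on `!Options::useLLIntICs()` too; if stubs are still acceptable here, a one-line comment saying why would stop the next reader from asking the same question.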


Modified: trunk/Source/_javascript_Core/bytecode/Repatch.cpp (292368 => 292369)

--- trunk/Source/_javascript_Core/bytecode/Repatch.cpp	2022-04-05 03:29:17 UTC (rev 292368)
+++ trunk/Source/_javascript_Core/bytecode/Repatch.cpp	2022-04-05 03:32:00 UTC (rev 292369)
@@ -163,7 +163,10 @@
 {
 dataLogLnIf(Options::dumpDisassembly(), "Unlinking CallLinkInfo: ", RawPointer());
 
-revertCall(vm, callLinkInfo, vm.getCTILinkCall().retagged());
+if (UNLIKELY(!Options::useLLIntICs() && callLinkInfo.type() == CallLinkInfo::Type::Baseline))
+revertCall(vm, callLinkInfo, vm.getCTIVirtualCall(callLinkInfo.callMode()));
+else
+revertCall(vm, callLinkInfo, vm.getCTILinkCall().retagged());
 }
 
 MacroAssemblerCodePtr jsToWasmICCodePtr(VM& vm, CodeSpecializationKind kind, JSObject* callee)
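Review bot: the retagging is mirrored between this hunk and the `BaselineCallLinkInfo::initialize` hunk above: here the link-call thunk gets `.retagged()` and the virtual-call thunk does not, while in CallLinkInfo.cpp it is the virtual-call thunk that gets `.retagged()` and the link-call thunk that does not. That may be exactly what `revertCall` and `setSlowPathCallDestination` expect, but tag mismatches are easy to get wrong and only fail at runtime, so please confirm both combinations carry the PtrTag the callee checks and leave a comment at one of the two sites. Also, this condition additionally requires `callLinkInfo.type() == CallLinkInfo::Type::Baseline` whereas `initialize` keys on `useLLIntICs()` alone; that is consistent with only changing baseline behaviour, but the asymmetry deserves a sentence in the ChangeLog.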


Modified: trunk/Source/_javascript_Core/llint/LLIntCommon.h (292368 => 292369)

--- trunk/Source/_javascript_Core/llint/LLIntCommon.h	2022-04-05 03:29:17 UTC (rev 292368)
+++ trunk/Source/_javascript_Core/llint/LLIntCommon.h	2022-04-05 03:32:00 UTC (rev 292369)
@@ -38,6 +38,3 @@
 #else
 #define LLINT_ALWAYS_ALLOCATE_SLOW 0
 #endif
-
-// Disable inline caching of get_by_id and put_by_id.
-#define LLINT_ALWAYS_ACCESS_SLOW 0
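Review bot: dropping `LLINT_ALWAYS_ACCESS_SLOW` matches the two replacements in LLIntSlowPaths.cpp in this patch, but please confirm with a grep that no other file still references the macro. A stale use inside a C++ expression such as the old `if (!LLINT_ALWAYS_ACCESS_SLOW && ...)` fails loudly at compile time, but a stale use in a preprocessor `#if` would silently evaluate to 0 and keep caching enabled wherever the option was meant to turn it off.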


Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (292368 => 292369)

--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2022-04-05 03:29:17 UTC (rev 292368)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2022-04-05 03:32:00 UTC (rev 292369)
@@ -647,7 +647,7 @@
 baseValue.getPropertySlot(globalObject, ident, slot);
 JSValue result = slot.getPureResult();
 
-if (!LLINT_ALWAYS_ACCESS_SLOW && slot.isCacheable() && !slot.isUnset()) {
+if (Options::useLLIntICs() && slot.isCacheable() && !slot.isUnset()) {
 ASSERT(!slot.isTaintedByOpaqueObject());
 ASSERT(baseValue.isCell());
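Review bot: `Options::useLLIntICs()` replaces a compile-time constant with an option read on every get_by_id slow path. That cost is negligible next to the rest of the slow path, but it changes the semantics: the option is now consulted per hit, so if it were flipped after some caches had already been installed, existing caches would stay live while new ones are refused. The ChangeLog says captive portal mode sets it from `XPCServiceInitializer` at process start; a comment here stating that the option is expected to be fixed before any code runs would document that assumption.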
 
@@ -699,7 +699,7 @@
 JSValue result = found ? slot.getValue(globalObject, ident) : jsUndefined();
 LLINT_CHECK_EXCEPTION();
 
-if (!LLINT_ALWAYS_ACCESS_SLOW && slot.isCacheable() && !slot.isUnset()) {
+if (Options::useLLIntICs() 

[webkit-changes] [291602] trunk/Source/JavaScriptCore

2022-03-21 Thread sbarati
Title: [291602] trunk/Source/_javascript_Core

Revision 291602
Author sbar...@apple.com
Date 2022-03-21 20:54:43 -0700 (Mon, 21 Mar 2022)


Log Message
Fix bug in Relationship::mergeImpl
https://bugs.webkit.org/show_bug.cgi?id=238183


Reviewed by Yusuke Suzuki.

* dfg/DFGIntegerRangeOptimizationPhase.cpp:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (291601 => 291602)

--- trunk/Source/_javascript_Core/ChangeLog	2022-03-22 03:52:50 UTC (rev 291601)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-22 03:54:43 UTC (rev 291602)
@@ -1,5 +1,15 @@
 2022-03-21  Saam Barati  
 
+Fix bug in Relationship::mergeImpl
+https://bugs.webkit.org/show_bug.cgi?id=238183
+
+
+Reviewed by Yusuke Suzuki.
+
+* dfg/DFGIntegerRangeOptimizationPhase.cpp:
+
+2022-03-21  Saam Barati  
+
 AirFixObviousSpills needs to consider a PreIndex and PostIndex as clobbering the Reg used for indexing
 https://bugs.webkit.org/show_bug.cgi?id=238178
 


Modified: trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp (291601 => 291602)

--- trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp	2022-03-22 03:52:50 UTC (rev 291601)
+++ trunk/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp	2022-03-22 03:54:43 UTC (rev 291602)
@@ -749,6 +749,9 @@
 //
 // @a < @b + max(C, D + 1)
 
+if (sumOverflows(other.m_offset, 1))
+return Relationship();
+
 int bestOffset = std::max(m_offset, other.m_offset + 1);
 
 // We have something like @a < @b + 2. We can't do it.
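Review bot: the overflow guard is the right conservative choice: without it a wrapped `other.m_offset + 1` would feed `std::max` a bound that is off by roughly `INT_MAX`, and any later decision this phase makes from that Relationship (including dropping a bounds check) would be based on a wrong range. Two follow-ups: the comment block above (`@a < @b + max(C, D + 1)`) should say that the merge gives up when `D + 1` overflows, and the Modified Paths list only the ChangeLog and this file, so a regression test under JSTests that drives an offset to `INT_MAX` before the merge would keep this from regressing.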






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [291601] trunk/Source/JavaScriptCore

2022-03-21 Thread sbarati
Title: [291601] trunk/Source/_javascript_Core

Revision 291601
Author sbar...@apple.com
Date 2022-03-21 20:52:50 -0700 (Mon, 21 Mar 2022)


Log Message
AirFixObviousSpills needs to consider a PreIndex and PostIndex as clobbering the Reg used for indexing
https://bugs.webkit.org/show_bug.cgi?id=238178


Reviewed by Mark Lam.

Inside AirFixObviousSpills, we run a basic alias analysis for StackSlots and
registers. For example, when we overwrite a register, we clear anything
it's aliased with. However, the way we were doing this was by looking at
each Arg that was Defd. However, this iteration was missing that
PostIndex/PreIndex mutate the register that feeds into the address Arg.
This patch fixes the issue by walking the instruction in such a way that
we visit all the Defs we care about, both Regs and StackSlots.

* b3/air/AirFixObviousSpills.cpp:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/air/AirFixObviousSpills.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (291600 => 291601)

--- trunk/Source/_javascript_Core/ChangeLog	2022-03-22 03:49:48 UTC (rev 291600)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-22 03:52:50 UTC (rev 291601)
@@ -1,3 +1,21 @@
+2022-03-21  Saam Barati  
+
+AirFixObviousSpills needs to consider a PreIndex and PostIndex as clobbering the Reg used for indexing
+https://bugs.webkit.org/show_bug.cgi?id=238178
+
+
+Reviewed by Mark Lam.
+
+Inside AirFixObviousSpills, we run a basic alias analysis for StackSlots and
+registers. For example, when we overwrite a register, we clear anything
+it's aliased with. However, the way we were doing this was by looking at
+each Arg that was Defd. However, this iteration was missing that
+PostIndex/PreIndex mutate the register that feeds into the address Arg.
+This patch fixes the issue by walking the instruction in such a way that
+we visit all the Defs we care about, both Regs and StackSlots.
+
+* b3/air/AirFixObviousSpills.cpp:
+
 2022-03-21  Yusuke Suzuki  
 
 [JSC] ReferenceError when using extra parens in class fields


Modified: trunk/Source/_javascript_Core/b3/air/AirFixObviousSpills.cpp (291600 => 291601)

--- trunk/Source/_javascript_Core/b3/air/AirFixObviousSpills.cpp	2022-03-22 03:49:48 UTC (rev 291600)
+++ trunk/Source/_javascript_Core/b3/air/AirFixObviousSpills.cpp	2022-03-22 03:52:50 UTC (rev 291601)
@@ -188,14 +188,20 @@
 if (AirFixObviousSpillsInternal::verbose)
 dataLog("Executing ", inst, ": ", m_state, "\n");
 
-Inst::forEachDefWithExtraClobberedRegs(
-, ,
-[&] (const Arg& arg, Arg::Role, Bank, Width) {
+Inst::forEachDefWithExtraClobberedRegs(, ,
+[&] (const Reg& reg, Arg::Role, Bank, Width) {
 if (AirFixObviousSpillsInternal::verbose)
-dataLog("Clobbering ", arg, "\n");
-m_state.clobber(arg);
+dataLog("Clobbering ", reg, "\n");
+m_state.clobber(reg);
 });
-
+
+Inst::forEachDef(, ,
+[&] (StackSlot* slot, Arg::Role, Bank, Width) {
+if (AirFixObviousSpillsInternal::verbose)
+dataLog("Clobbering ", *slot, "\n");
+m_state.clobber(slot);
+});
+
 forAllAliases(
 [&] (const auto& alias) {
 m_state.addAlias(alias);
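Review bot: splitting the walk into a `Reg` visitor over `forEachDefWithExtraClobberedRegs` and a `StackSlot*` visitor over `forEachDef` is what lets PreIndex/PostIndex address registers be clobbered, but nothing in this hunk shows that the `Reg` overload actually visits the index register of an address Arg, which is the bug the log message describes. Please point at (or add) the test that fails before this change, since the Modified Paths list only the ChangeLog and this file, and confirm the extra clobbered registers are still reported by the `Reg` overload as they were by the `Arg` one. Minor: the `-`/`+` pair on the blank line between the two walks looks like a stray trailing-whitespace edit.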
@@ -558,31 +564,30 @@
 return std::nullopt;
 }
 
-void clobber(const Arg& arg)
+void clobber(const Reg& reg)
 {
-if (arg.isReg()) {
-regConst.removeAllMatching(
-[&] (const RegConst& alias) -> bool {
-return alias.reg == arg.reg();
-});
-regSlot.removeAllMatching(
-[&] (const RegSlot& alias) -> bool {
-return alias.reg == arg.reg();
-});
-return;
-}
-if (arg.isStack()) {
-slotConst.removeAllMatching(
-[&] (const SlotConst& alias) -> bool {
-return alias.slot == arg.stackSlot();
-});
-regSlot.removeAllMatching(
-[&] (const RegSlot& alias) -> bool {
-return alias.slot == arg.stackSlot();
-});
-}
+regConst.removeAllMatching(
+[&] (const RegConst& alias) -> bool {
+return alias.reg == reg;
+});
+regSlot.removeAllMatching(
+[&] (const RegSlot& alias) -> bool {
+return alias.reg == reg;
+});
 }
 
+void clobber(StackSlot* slot)
+{
+slotConst.removeAllMatching(
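Review bot: the old `clobber(const Arg&)` quietly ignored any Arg that was neither a register nor a stack slot, so the typed overloads `clobber(const Reg&)` and `clobber(StackSlot*)` are an improvement. The removed stack-slot branch also cleared `regSlot` entries whose `alias.slot` matched, not only `slotConst`; the new `clobber(StackSlot*)` is cut off in this listing right after `slotConst.removeAllMatching(`, so please verify the `regSlot` removal survived the move, otherwise a register could keep aliasing a slot that was just overwritten.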

[webkit-changes] [291436] trunk/Tools

2022-03-17 Thread sbarati
Title: [291436] trunk/Tools

Revision 291436
Author sbar...@apple.com
Date 2022-03-17 13:22:19 -0700 (Thu, 17 Mar 2022)


Log Message
compare-results should break down sync vs async time in Speedometer2
https://bugs.webkit.org/show_bug.cgi?id=237993

Reviewed by Alexey Shvayka.

* Scripts/compare-results:
(speedometer2Breakdown):
(speedometer2BreakdownSyncAsync):
(dumpBreakdowns):
(getOptions):
(main):

Modified Paths

trunk/Tools/ChangeLog
trunk/Tools/Scripts/compare-results




Diff

Modified: trunk/Tools/ChangeLog (291435 => 291436)

--- trunk/Tools/ChangeLog	2022-03-17 20:19:28 UTC (rev 291435)
+++ trunk/Tools/ChangeLog	2022-03-17 20:22:19 UTC (rev 291436)
@@ -1,3 +1,17 @@
+2022-03-17  Saam Barati  
+
+compare-results should break down sync vs async time in Speedometer2
+https://bugs.webkit.org/show_bug.cgi?id=237993
+
+Reviewed by Alexey Shvayka.
+
+* Scripts/compare-results:
+(speedometer2Breakdown):
+(speedometer2BreakdownSyncAsync):
+(dumpBreakdowns):
+(getOptions):
+(main):
+
 2022-03-17  Myles C. Maxfield  
 
 Delete Tools/jsc-cli in favor of the jsc target in _javascript_Core itself


Modified: trunk/Tools/Scripts/compare-results (291435 => 291436)

--- trunk/Tools/Scripts/compare-results	2022-03-17 20:19:28 UTC (rev 291435)
+++ trunk/Tools/Scripts/compare-results	2022-03-17 20:22:19 UTC (rev 291436)
@@ -72,6 +72,26 @@
 result[test] = breakdown._results["Speedometer-2"]["tests"][test]["metrics"]["Time"]["Total"]["current"]
 return result
 
+def speedometer2BreakdownSyncAsync(jsonObject):
+breakdown = BenchmarkResults(jsonObject)
+result = {}
+result[unitMarker] = "ms"
+for test in breakdown._results["Speedometer-2"]["tests"].keys():
+syncTime = None
+asyncTime = None
+for value in breakdown._results["Speedometer-2"]["tests"][test]["tests"].values():
+syncArray = value["tests"]["Sync"]["metrics"]["Time"][None]["current"]
+asyncArray = value["tests"]["Async"]["metrics"]["Time"][None]["current"]
+if not syncTime:
+syncTime = syncArray
+asyncTime = asyncArray
+else:
+syncTime = [x + y for x, y in zip(syncTime, syncArray)]
+asyncTime = [x + y for x, y in zip(asyncTime, asyncArray)]
+result[test + "-sync"] = syncTime
+result[test + "-async"] = asyncTime
+return result
+
 def jetStream2Breakdown(jsonObject):
 breakdown = BenchmarkResults(jsonObject)
 result = {}
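Review bot: `if not syncTime:` tests truthiness, so if the first subtest's `Sync` sample list is empty it is treated as unset and the next subtest's list is assigned instead of summed; `if syncTime is None:` is what is meant. The `zip` sums also silently truncate to the shorter list if two subtests have different iteration counts, so an assertion that `len(syncArray) == len(syncTime)` would catch malformed input early. Finally, decide what the output should be for a test with no inner `tests`: as written `result[test + "-sync"]` is set to `None` and `dumpBreakdowns` will trip over it later.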
@@ -239,7 +259,7 @@
 
 strings = []
 strings.append("|{key:^{nameLength}}|{aScore:^{aLength}} |{bScore:^{bLength}} |{compare:^{ratioLength}}|{pMarker:^{pLength}}|".format(key="subtest", aScore=a[unitMarker], bScore=b[unitMarker], nameLength=nameLength, aLength=aLength, bLength=bLength , compare="b / a", ratioLength=ratioLength, pMarker=pValueHeader, pLength=pLength))
-for key in a.keys():
+for key in sorted(a.keys()):
 if key == unitMarker:
 continue
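Review bot: switching to `sorted(a.keys())` changes the row order of every breakdown table, not only the new sync/async one, and the ChangeLog entry does not mention it. It is a reasonable change (it also places each `<test>-async` row directly before its `<test>-sync` row), but call it out in the ChangeLog so anyone diffing old and new reports knows why rows moved.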
 
@@ -495,6 +515,9 @@
 parser.add_argument("--breakdown", action=""
 default=False, help="Print a per subtest breakdown.")
 
+parser.add_argument("--sync-vs-async", action=""
+default=False, help="Print a per subtest breakdown in Speedometer2 by sync and async time.")
+
 return parser.parse_known_args()[0]
 
 
@@ -529,7 +552,10 @@
 writeCSV(jetStream2Breakdown(a), jetStream2Breakdown(b), args.csv)
 elif typeA == Speedometer2:
 if args.breakdown:
-dumpBreakdowns(speedometer2Breakdown(a), speedometer2Breakdown(b))
+if args.sync_vs_async:
+dumpBreakdowns(speedometer2BreakdownSyncAsync(a), speedometer2BreakdownSyncAsync(b))
+else:
+dumpBreakdowns(speedometer2Breakdown(a), speedometer2Breakdown(b))
 
 ttest(typeA, Speedometer2Results(a), Speedometer2Results(b))
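Review bot: `--sync-vs-async` only has an effect when `--breakdown` is also given, because the new `if args.sync_vs_async:` sits inside `if args.breakdown:`; passing `--sync-vs-async` alone silently prints nothing extra. Either make the option imply the breakdown (`if args.breakdown or args.sync_vs_async:`) or say so in the option's help text in `getOptions`.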
 






[webkit-changes] [291325] trunk/Tools

2022-03-15 Thread sbarati
Title: [291325] trunk/Tools

Revision 291325
Author sbar...@apple.com
Date 2022-03-15 19:35:33 -0700 (Tue, 15 Mar 2022)


Log Message
Add support for chrome-beta and chrome-dev to run-benchmark
https://bugs.webkit.org/show_bug.cgi?id=237937

Reviewed by Stephanie Lewis.

* Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py:
(set_binary_location_impl):
(OSXChromeDriver._set_chrome_binary_location):
(OSXChromeCanaryDriver):
(OSXChromeCanaryDriver._set_chrome_binary_location):
(OSXChromeBetaDriver):
(OSXChromeBetaDriver._set_chrome_binary_location):
(OSXChromeDevDriver):
(OSXChromeDevDriver._set_chrome_binary_location):

Modified Paths

trunk/Tools/ChangeLog
trunk/Tools/Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py




Diff

Modified: trunk/Tools/ChangeLog (291324 => 291325)

--- trunk/Tools/ChangeLog	2022-03-16 00:51:40 UTC (rev 291324)
+++ trunk/Tools/ChangeLog	2022-03-16 02:35:33 UTC (rev 291325)
@@ -1,3 +1,20 @@
+2022-03-15  Saam Barati  
+
+Add support for chrome-beta and chrome-dev to run-benchmark
+https://bugs.webkit.org/show_bug.cgi?id=237937
+
+Reviewed by Stephanie Lewis.
+
+* Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py:
+(set_binary_location_impl):
+(OSXChromeDriver._set_chrome_binary_location):
+(OSXChromeCanaryDriver):
+(OSXChromeCanaryDriver._set_chrome_binary_location):
+(OSXChromeBetaDriver):
+(OSXChromeBetaDriver._set_chrome_binary_location):
+(OSXChromeDevDriver):
+(OSXChromeDevDriver._set_chrome_binary_location):
+
 2022-03-15  Jonathan Bedard  
 
 [Merge-Queue] Rename bugzilla_comment_text


Modified: trunk/Tools/Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py (291324 => 291325)

--- trunk/Tools/Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py	2022-03-16 00:51:40 UTC (rev 291324)
+++ trunk/Tools/Scripts/webkitpy/benchmark_runner/browser_driver/osx_chrome_driver.py	2022-03-16 02:35:33 UTC (rev 291325)
@@ -41,7 +41,14 @@
 def _set_chrome_binary_location(self, options, browser_build_path):
 pass
 
+def set_binary_location_impl(options, browser_build_path, app_name, process_name):
+if not browser_build_path:
+return
+app_path = os.path.join(browser_build_path, app_name)
+binary_path = os.path.join(app_path, "Contents/MacOS", process_name)
+options.binary_location = binary_path
 
+
 class OSXChromeDriver(OSXChromeDriverBase):
 process_name = 'Google Chrome'
 browser_name = 'chrome'
@@ -49,14 +56,10 @@
 bundle_id = 'com.google.Chrome'
 
 def _set_chrome_binary_location(self, options, browser_build_path):
-if not browser_build_path:
-return
-app_path = os.path.join(browser_build_path, self.app_name)
-binary_path = os.path.join(app_path, "Contents/MacOS", self.process_name)
-options.binary_location = binary_path
+set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name)
 
 
-class OSXChromeCanaryDriver(OSXBrowserDriver):
+class OSXChromeCanaryDriver(OSXChromeDriverBase):
 process_name = 'Google Chrome Canary'
 browser_name = 'chrome-canary'
 app_name = 'Google Chrome Canary.app'
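Review bot: changing `OSXChromeCanaryDriver`'s base from `OSXBrowserDriver` to `OSXChromeDriverBase` is a good fix, but after this patch every subclass overrides `_set_chrome_binary_location` with the identical one-liner `set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name)`. That body can live once in `OSXChromeDriverBase` (replacing the `pass` stub shown in the previous hunk) and the four overrides deleted; subclasses would then only declare `process_name`, `browser_name`, `app_name` and `bundle_id`.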
@@ -63,8 +66,23 @@
 bundle_id = 'com.google.Chrome.canary'
 
 def _set_chrome_binary_location(self, options, browser_build_path):
-if not browser_build_path:
-browser_build_path = '/Applications/'
-app_path = os.path.join(browser_build_path, self.app_name)
-binary_path = os.path.join(app_path, "Contents/MacOS", self.process_name)
-options.binary_location = binary_path
+set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name)
+
+
+class OSXChromeBetaDriver(OSXChromeDriverBase):
+process_name = 'Google Chrome Beta'
+browser_name = 'chrome-beta'
+app_name = 'Google Chrome Beta.app'
+bundle_id = 'com.google.Chrome.beta'
+
+def _set_chrome_binary_location(self, options, browser_build_path):
+set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name)
+
+class OSXChromeDevDriver(OSXChromeDriverBase):
+process_name = 'Google Chrome Dev'
+browser_name = 'chrome-dev'
+app_name = 'Google Chrome Dev.app'
+bundle_id = 'com.google.Chrome.dev'
+
+def _set_chrome_binary_location(self, options, browser_build_path):
+set_binary_location_impl(options, browser_build_path, self.app_name, self.process_name)
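Review bot: the removed Canary code defaulted `browser_build_path` to `/Applications/` when none was given, whereas `set_binary_location_impl` returns early in that case, so `chrome-canary` without an explicit build path no longer sets `options.binary_location` at all. If that is intended it belongs in the ChangeLog; if not, pass the `/Applications/` default in the Canary override (and probably in the new Beta and Dev drivers, whose apps live there by default too). Style nit: `OSXChromeBetaDriver` and `OSXChromeDevDriver` are separated by one blank line while the other classes in the file use two.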






[webkit-changes] [291087] trunk/Source/JavaScriptCore

2022-03-09 Thread sbarati
Title: [291087] trunk/Source/_javascript_Core

Revision 291087
Author sbar...@apple.com
Date 2022-03-09 19:31:10 -0800 (Wed, 09 Mar 2022)


Log Message
Limit WK_XCODE_SUPPORTS_LTO in _javascript_Core based on target OS
https://bugs.webkit.org/show_bug.cgi?id=237682

Reviewed by Alexey Proskuryakov.

* Configurations/Base.xcconfig:
* Configurations/WebKitTargetConditionals.xcconfig:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/Configurations/Base.xcconfig
trunk/Source/_javascript_Core/Configurations/WebKitTargetConditionals.xcconfig




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (291086 => 291087)

--- trunk/Source/_javascript_Core/ChangeLog	2022-03-10 03:18:08 UTC (rev 291086)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-10 03:31:10 UTC (rev 291087)
@@ -1,3 +1,13 @@
+2022-03-09  Saam Barati  
+
+Limit WK_XCODE_SUPPORTS_LTO in _javascript_Core based on target OS
+https://bugs.webkit.org/show_bug.cgi?id=237682
+
+Reviewed by Alexey Proskuryakov.
+
+* Configurations/Base.xcconfig:
+* Configurations/WebKitTargetConditionals.xcconfig:
+
 2022-03-09  Carlos Garcia Campos  
 
 [GTK][WPE] Stop using the env var WEBKIT_INSPECTOR_SERVER to connect to the inspector


Modified: trunk/Source/_javascript_Core/Configurations/Base.xcconfig (291086 => 291087)

--- trunk/Source/_javascript_Core/Configurations/Base.xcconfig	2022-03-10 03:18:08 UTC (rev 291086)
+++ trunk/Source/_javascript_Core/Configurations/Base.xcconfig	2022-03-10 03:31:10 UTC (rev 291087)
@@ -194,8 +194,11 @@
 WK_LLVM_LTO_NO = NO;
 WK_LLVM_LTO_YES = $(WK_USER_LTO_MODE);
 
-WK_XCODE_SUPPORTS_LTO = $(WK_NOT_$(WK_XCODE_VERSION_BEFORE_10_2_$(XCODE_VERSION_MAJOR)));
-WK_XCODE_SUPPORTS_LTO[arch=arm*] = $(WK_NOT_$(WK_XCODE_VERSION_BEFORE_11_4_$(XCODE_VERSION_MAJOR)));
+WK_XCODE_SUPPORTS_LTO[sdk=macos*] = $(WK_NOT_$(WK_MACOS_BEFORE_1300));
+WK_XCODE_SUPPORTS_LTO[sdk=iphone*] = $(WK_NOT_$(WK_IOS_BEFORE_16));
+WK_XCODE_SUPPORTS_LTO[sdk=appletv*] = $(WK_NOT_$(WK_TVOS_BEFORE_16));
+// FIXME: This can follow the above pattern once rdar://90049836 is resolved.
+WK_XCODE_SUPPORTS_LTO[sdk=watch*] = NO;
 
 WK_XCODE_VERSION_BEFORE_10_2_0800 = YES;
 WK_XCODE_VERSION_BEFORE_10_2_0900 = YES;
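Review bot: after this change `WK_XCODE_SUPPORTS_LTO` is keyed on the deployment target, not on the Xcode version, so the name is now misleading; something like `WK_TARGET_SUPPORTS_LTO` would read better. The `WK_XCODE_VERSION_BEFORE_10_2_*` table visible in the context lines below (and the `_11_4_*` one the removed line referenced) should go too if this was their last consumer, otherwise they become dead configuration that someone will later try to keep in sync.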


Modified: trunk/Source/_javascript_Core/Configurations/WebKitTargetConditionals.xcconfig (291086 => 291087)

--- trunk/Source/_javascript_Core/Configurations/WebKitTargetConditionals.xcconfig	2022-03-10 03:18:08 UTC (rev 291086)
+++ trunk/Source/_javascript_Core/Configurations/WebKitTargetConditionals.xcconfig	2022-03-10 03:31:10 UTC (rev 291087)
@@ -217,3 +217,11 @@
 WK_IOS_16 = $(WK_IOS_16_$(WK_IOS_BEFORE_16));
 WK_IOS_16_ = _IOS_SINCE_16;
 WK_IOS_16_YES = _IOS_BEFORE_16;
+
+
+// tvOS
+WK_TVOS_BEFORE_16 = $(WK_TVOS_BEFORE_16_$(TVOS_DEPLOYMENT_TARGET:base));
+WK_TVOS_BEFORE_16_13 = YES;
+WK_TVOS_BEFORE_16_14 = YES;
+WK_TVOS_BEFORE_16_15 = YES;
+
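Review bot: the new `WK_TVOS_BEFORE_16_*` table only has entries for deployment targets 13, 14 and 15; any other value leaves `WK_TVOS_BEFORE_16` empty, which the consumer in Base.xcconfig expands to `$(WK_NOT_)`. If 13 is the floor and `WK_NOT_` resolves the way you want, fine, but a comment saying so would help, since the iOS block just above does not show how it handles the same case. Also, the hunk adds two blank lines before the `// tvOS` comment and a trailing blank line at end of file; one separator is enough.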






[webkit-changes] [290993] trunk/Source/JavaScriptCore

2022-03-08 Thread sbarati
Title: [290993] trunk/Source/_javascript_Core

Revision 290993
Author sbar...@apple.com
Date 2022-03-08 08:42:32 -0800 (Tue, 08 Mar 2022)


Log Message
[JSC] Enable ThinLTO
https://bugs.webkit.org/show_bug.cgi?id=229019


Reviewed by Mark Lam.

It's a 1% speedup on Speedometer2 across x86 and arm64, and 0.5-1% speedup on
JetStream2 depending on the device.

* Configurations/Base.xcconfig:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/Configurations/Base.xcconfig




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (290992 => 290993)

--- trunk/Source/_javascript_Core/ChangeLog	2022-03-08 16:24:11 UTC (rev 290992)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-08 16:42:32 UTC (rev 290993)
@@ -1,3 +1,16 @@
+2022-03-08  Saam Barati  
+
+[JSC] Enable ThinLTO
+https://bugs.webkit.org/show_bug.cgi?id=229019
+
+
+Reviewed by Mark Lam.
+
+It's a 1% speedup on Speedometer2 across x86 and arm64, and 0.5-1% speedup on
+JetStream2 depending on the device.
+
+* Configurations/Base.xcconfig:
+
 2022-03-08  Chris Dumez  
 
 Unreviewed, reverting r290975.


Modified: trunk/Source/_javascript_Core/Configurations/Base.xcconfig (290992 => 290993)

--- trunk/Source/_javascript_Core/Configurations/Base.xcconfig	2022-03-08 16:24:11 UTC (rev 290992)
+++ trunk/Source/_javascript_Core/Configurations/Base.xcconfig	2022-03-08 16:42:32 UTC (rev 290993)
@@ -190,9 +190,7 @@
 WK_WEBKITADDITIONS_INSTALL_PATH = /usr/local/include/WebKitAdditions
 WK_WEBKITADDITIONS_HEADERS_FOLDER_PATH = $(SDKROOT)/$(WK_WEBKITADDITIONS_INSTALL_PATH)
 
-// Disable LTO for _javascript_Core, due to . Add back the following line and delete the one that says "LLVM_LTO = NO" when that issue is resolved.
-// LLVM_LTO = $(WK_LLVM_LTO_$(WK_XCODE_SUPPORTS_LTO));
-LLVM_LTO = NO;
+LLVM_LTO = $(WK_LLVM_LTO_$(WK_XCODE_SUPPORTS_LTO));
 WK_LLVM_LTO_NO = NO;
 WK_LLVM_LTO_YES = $(WK_USER_LTO_MODE);
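Review bot: the removed comment tied the `LLVM_LTO = NO` override to an issue whose identifier was dropped from this rendering, and neither the hunk nor the ChangeLog says whether that issue is now fixed or merely tolerated; please state it in the ChangeLog. Also, the title says "Enable ThinLTO" but the restored line only resolves to `$(WK_USER_LTO_MODE)` through `WK_LLVM_LTO_YES`, so whether builds use thin or full LTO depends on where `WK_USER_LTO_MODE` is set; a sentence pointing to that default would make the commit self-explanatory.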
 






[webkit-changes] [290788] trunk/Source/JavaScriptCore

2022-03-03 Thread sbarati
Title: [290788] trunk/Source/_javascript_Core

Revision 290788
Author sbar...@apple.com
Date 2022-03-03 11:51:30 -0800 (Thu, 03 Mar 2022)


Log Message
Add a DeferTraps scope
https://bugs.webkit.org/show_bug.cgi?id=237306


Reviewed by Mark Lam.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::noticeIncomingCall):
* bytecode/CodeBlock.h:
* bytecode/RepatchInlines.h:
(JSC::linkFor):
(JSC::virtualForWithFunction):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::execute):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/ExceptionScope.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
(JSC::VMTraps::takeTopPriorityTrap):
* runtime/VMTraps.h:
(JSC::VMTraps::needHandling const):
(JSC::VMTraps::maybeNeedHandling const):
(JSC::VMTraps::hasTrapBit):
(JSC::VMTraps::setTrapBit):
* runtime/VMTrapsInlines.h:
(JSC::DeferTraps::DeferTraps):
(JSC::DeferTraps::~DeferTraps):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/bytecode/RepatchInlines.h
trunk/Source/_javascript_Core/dfg/DFGOperations.cpp
trunk/Source/_javascript_Core/interpreter/Interpreter.cpp
trunk/Source/_javascript_Core/interpreter/InterpreterInlines.h
trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp
trunk/Source/_javascript_Core/runtime/ExceptionScope.h
trunk/Source/_javascript_Core/runtime/ScriptExecutable.cpp
trunk/Source/_javascript_Core/runtime/VMTraps.cpp
trunk/Source/_javascript_Core/runtime/VMTraps.h
trunk/Source/_javascript_Core/runtime/VMTrapsInlines.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (290787 => 290788)

--- trunk/Source/_javascript_Core/ChangeLog	2022-03-03 19:04:10 UTC (rev 290787)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-03 19:51:30 UTC (rev 290788)
@@ -1,3 +1,46 @@
+2022-03-03  Saam Barati  
+
+Add a DeferTraps scope
+https://bugs.webkit.org/show_bug.cgi?id=237306
+
+
+Reviewed by Mark Lam.
+
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::CodeBlock):
+(JSC::CodeBlock::jettison):
+(JSC::CodeBlock::noticeIncomingCall):
+* bytecode/CodeBlock.h:
+* bytecode/RepatchInlines.h:
+(JSC::linkFor):
+(JSC::virtualForWithFunction):
+* dfg/DFGOperations.cpp:
+(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+* interpreter/Interpreter.cpp:
+(JSC::Interpreter::executeProgram):
+(JSC::Interpreter::executeCall):
+(JSC::Interpreter::executeConstruct):
+(JSC::Interpreter::execute):
+(JSC::Interpreter::executeModuleProgram):
+* interpreter/InterpreterInlines.h:
+(JSC::Interpreter::execute):
+* llint/LLIntSlowPaths.cpp:
+(JSC::LLInt::setUpCall):
+* runtime/ExceptionScope.h:
+* runtime/ScriptExecutable.cpp:
+(JSC::ScriptExecutable::installCode):
+* runtime/VMTraps.cpp:
+(JSC::VMTraps::handleTraps):
+(JSC::VMTraps::takeTopPriorityTrap):
+* runtime/VMTraps.h:
+(JSC::VMTraps::needHandling const):
+(JSC::VMTraps::maybeNeedHandling const):
+(JSC::VMTraps::hasTrapBit):
+(JSC::VMTraps::setTrapBit):
+* runtime/VMTrapsInlines.h:
+(JSC::DeferTraps::DeferTraps):
+(JSC::DeferTraps::~DeferTraps):
+
 2022-03-03  Adrian Perez de Castro  
 
 Non-unified build fixes, early March 2022 edition


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (290787 => 290788)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2022-03-03 19:04:10 UTC (rev 290787)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2022-03-03 19:51:30 UTC (rev 290788)
@@ -279,6 +279,7 @@
 , m_didFailJITCompilation(false)
 , m_didFailFTLCompilation(false)
 , m_hasBeenCompiledWithFTL(false)
+, m_isJettisoned(false)
 , m_numCalleeLocals(other.m_numCalleeLocals)
 , m_numVars(other.m_numVars)
 , m_numberOfArgumentsToSkip(other.m_numberOfArgumentsToSkip)
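Review bot: `m_isJettisoned(false)` is now added to two constructors' initializer lists (this hunk and the one at `@@ -330`); since `CodeBlock.h` is already modified by this patch, a default member initializer (`bool m_isJettisoned { false };`) would keep the two constructors from drifting. Separately, the flag is written in `jettison()` and, per the ChangeLog, read in `noticeIncomingCall`; if those can run on different threads the member needs to be atomic, or the read documented as racy but benign.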
@@ -330,6 +331,7 @@
 , m_didFailJITCompilation(false)
 , m_didFailFTLCompilation(false)
 , m_hasBeenCompiledWithFTL(false)
+, m_isJettisoned(false)
 , m_numCalleeLocals(unlinkedCodeBlock->numCalleeLocals())
 , m_numVars(unlinkedCodeBlock->numVars())
 , m_hasDebuggerStatement(false)
@@ -2191,6 +2193,8 @@
 
 VM& vm = *m_vm;
 
+m_isJettisoned = true;
+
 CodeBlock* codeBlock = this; // Placate GCC for use in CODEBLOCK_LOG_EVENT  (does not like this).
 CODEBLOCK_LOG_EVENT(codeBlock, 

[webkit-changes] [290717] trunk/Source/JavaScriptCore

2022-03-01 Thread sbarati
Title: [290717] trunk/Source/_javascript_Core

Revision 290717
Author sbar...@apple.com
Date 2022-03-01 19:42:31 -0800 (Tue, 01 Mar 2022)


Log Message
Add a DeferTraps scope
https://bugs.webkit.org/show_bug.cgi?id=237306


Reviewed by Mark Lam.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::noticeIncomingCall):
* bytecode/CodeBlock.h:
* bytecode/RepatchInlines.h:
(JSC::linkFor):
(JSC::virtualForWithFunction):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::execute):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
(JSC::VMTraps::takeTopPriorityTrap):
* runtime/VMTraps.h:
(JSC::VMTraps::needHandling const):
(JSC::VMTraps::hasTrapBit):
(JSC::VMTraps::setTrapBit):
* runtime/VMTrapsInlines.h:
(JSC::DeferTraps::DeferTraps):
(JSC::DeferTraps::~DeferTraps):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/bytecode/RepatchInlines.h
trunk/Source/_javascript_Core/dfg/DFGOperations.cpp
trunk/Source/_javascript_Core/interpreter/Interpreter.cpp
trunk/Source/_javascript_Core/interpreter/InterpreterInlines.h
trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp
trunk/Source/_javascript_Core/runtime/ScriptExecutable.cpp
trunk/Source/_javascript_Core/runtime/VMTraps.cpp
trunk/Source/_javascript_Core/runtime/VMTraps.h
trunk/Source/_javascript_Core/runtime/VMTrapsInlines.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (290716 => 290717)

--- trunk/Source/_javascript_Core/ChangeLog	2022-03-02 02:11:05 UTC (rev 290716)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-02 03:42:31 UTC (rev 290717)
@@ -1,3 +1,44 @@
+2022-03-01  Saam Barati  
+
+Add a DeferTraps scope
+https://bugs.webkit.org/show_bug.cgi?id=237306
+
+
+Reviewed by Mark Lam.
+
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::CodeBlock):
+(JSC::CodeBlock::jettison):
+(JSC::CodeBlock::noticeIncomingCall):
+* bytecode/CodeBlock.h:
+* bytecode/RepatchInlines.h:
+(JSC::linkFor):
+(JSC::virtualForWithFunction):
+* dfg/DFGOperations.cpp:
+(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+* interpreter/Interpreter.cpp:
+(JSC::Interpreter::executeProgram):
+(JSC::Interpreter::executeCall):
+(JSC::Interpreter::executeConstruct):
+(JSC::Interpreter::execute):
+(JSC::Interpreter::executeModuleProgram):
+* interpreter/InterpreterInlines.h:
+(JSC::Interpreter::execute):
+* llint/LLIntSlowPaths.cpp:
+(JSC::LLInt::setUpCall):
+* runtime/ScriptExecutable.cpp:
+(JSC::ScriptExecutable::installCode):
+* runtime/VMTraps.cpp:
+(JSC::VMTraps::handleTraps):
+(JSC::VMTraps::takeTopPriorityTrap):
+* runtime/VMTraps.h:
+(JSC::VMTraps::needHandling const):
+(JSC::VMTraps::hasTrapBit):
+(JSC::VMTraps::setTrapBit):
+* runtime/VMTrapsInlines.h:
+(JSC::DeferTraps::DeferTraps):
+(JSC::DeferTraps::~DeferTraps):
+
 2022-03-01  Fujii Hironori  
 
 WTF::SentinelLinkedList::iterator should have operator++ for range-for loop


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (290716 => 290717)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2022-03-02 02:11:05 UTC (rev 290716)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2022-03-02 03:42:31 UTC (rev 290717)
@@ -279,6 +279,7 @@
 , m_didFailJITCompilation(false)
 , m_didFailFTLCompilation(false)
 , m_hasBeenCompiledWithFTL(false)
+, m_isJettisoned(false)
 , m_numCalleeLocals(other.m_numCalleeLocals)
 , m_numVars(other.m_numVars)
 , m_numberOfArgumentsToSkip(other.m_numberOfArgumentsToSkip)
@@ -330,6 +331,7 @@
 , m_didFailJITCompilation(false)
 , m_didFailFTLCompilation(false)
 , m_hasBeenCompiledWithFTL(false)
+, m_isJettisoned(false)
 , m_numCalleeLocals(unlinkedCodeBlock->numCalleeLocals())
 , m_numVars(unlinkedCodeBlock->numVars())
 , m_hasDebuggerStatement(false)
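Review bot: both constructor hunks add `m_isJettisoned(false)` to a member-initializer list; a default member initializer in the header (`bool m_isJettisoned { false };`) would keep the flag consistently initialized if a further constructor is added later, and the CodeBlock.h change that declares the member is not shown in this diff.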
@@ -2190,6 +2192,8 @@
 
 VM& vm = *m_vm;
 
+m_isJettisoned = true;
+
 CodeBlock* codeBlock = this; // Placate GCC for use in CODEBLOCK_LOG_EVENT  (does not like this).
 CODEBLOCK_LOG_EVENT(codeBlock, "jettison", ("due to ", reason, ", counting = ", mode == CountReoptimization, ", detail = ", pointerDump(detail)));
 
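Review bot: `m_isJettisoned = true;` is a plain store with no synchronization visible in the hunk; if the flag is read from another thread (a compiler or sampling thread, for instance), the read and the write need a documented ordering, otherwise a one-line comment stating that it is only accessed on the owning thread would remove the question.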
@@ -2356,6 +2360,8 @@
 
 void CodeBlock::noticeIncomingCall(CallFrame* 

[webkit-changes] [290145] trunk/Source/ThirdParty/ANGLE

2022-02-18 Thread sbarati
Title: [290145] trunk/Source/ThirdParty/ANGLE








Revision 290145
Author sbar...@apple.com
Date 2022-02-18 10:59:32 -0800 (Fri, 18 Feb 2022)


Log Message
Remove ANGLE-static.xcconfig
https://bugs.webkit.org/show_bug.cgi?id=236827

Reviewed by Dean Jackson.

It was unused.

* ANGLE.xcodeproj/project.pbxproj:
* Configurations/ANGLE-static.xcconfig: Removed.
* Configurations/Base.xcconfig:

Modified Paths

trunk/Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj
trunk/Source/ThirdParty/ANGLE/ChangeLog
trunk/Source/ThirdParty/ANGLE/Configurations/Base.xcconfig


Removed Paths

trunk/Source/ThirdParty/ANGLE/Configurations/ANGLE-static.xcconfig




Diff

Modified: trunk/Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj (290144 => 290145)

--- trunk/Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj	2022-02-18 18:54:31 UTC (rev 290144)
+++ trunk/Source/ThirdParty/ANGLE/ANGLE.xcodeproj/project.pbxproj	2022-02-18 18:59:32 UTC (rev 290145)
@@ -1003,7 +1003,6 @@
 		31B1571F236B7FAE00CAA4FD /* SystemInfo_ios.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SystemInfo_ios.cpp; sourceTree = ""; };
 		31B15721236B803300CAA4FD /* SystemInfo_internal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SystemInfo_internal.h; sourceTree = ""; };
 		31CDFDEE24917F8900486F27 /* ANGLE-dynamic.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = "ANGLE-dynamic.xcconfig"; sourceTree = ""; };
-		31CDFDEF24917F8900486F27 /* ANGLE-static.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = "ANGLE-static.xcconfig"; sourceTree = ""; };
 		31CDFDF42491819E00486F27 /* libANGLE-shared.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = "libANGLE-shared.dylib"; sourceTree = BUILT_PRODUCTS_DIR; };
 		5C1BAA961DFB60FF002906BB /* gl3.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = gl3.h; path = include/GLES3/gl3.h; sourceTree = ""; };
 		5C1BAA971DFB60FF002906BB /* gl3platform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = gl3platform.h; path = include/GLES3/gl3platform.h; sourceTree = ""; };
@@ -2693,7 +2692,6 @@
 			isa = PBXGroup;
 			children = (
 31CDFDEE24917F8900486F27 /* ANGLE-dynamic.xcconfig */,
-31CDFDEF24917F8900486F27 /* ANGLE-static.xcconfig */,
 FFE0D91526A0B4E80071ADAE /* AngleMetalLib.xcconfig */,
 5D7C59C61208C68B001C873E /* Base.xcconfig */,
 5D7C59C71208C68B001C873E /* DebugRelease.xcconfig */,
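Review bot: the PBXFileReference and the group entry for ANGLE-static.xcconfig are removed, but only these two regions of the pbxproj are shown; check that no build-phase file list or target base-configuration assignment still references `31CDFDEF24917F8900486F27`, otherwise Xcode reports a dangling reference when the project is opened.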


Modified: trunk/Source/ThirdParty/ANGLE/ChangeLog (290144 => 290145)

--- trunk/Source/ThirdParty/ANGLE/ChangeLog	2022-02-18 18:54:31 UTC (rev 290144)
+++ trunk/Source/ThirdParty/ANGLE/ChangeLog	2022-02-18 18:59:32 UTC (rev 290145)
@@ -1,3 +1,16 @@
+2022-02-18  Saam Barati  
+
+Remove ANGLE-static.xcconfig
+https://bugs.webkit.org/show_bug.cgi?id=236827
+
+Reviewed by Dean Jackson.
+
+It was unused.
+
+* ANGLE.xcodeproj/project.pbxproj:
+* Configurations/ANGLE-static.xcconfig: Removed.
+* Configurations/Base.xcconfig:
+
 2022-02-18  Adrian Perez de Castro  
 
 [CMake] Cannot find OpenGL when system provides opengl.pc instead of gl.pc


Deleted: trunk/Source/ThirdParty/ANGLE/Configurations/ANGLE-static.xcconfig (290144 => 290145)

--- trunk/Source/ThirdParty/ANGLE/Configurations/ANGLE-static.xcconfig	2022-02-18 18:54:31 UTC (rev 290144)
+++ trunk/Source/ThirdParty/ANGLE/Configurations/ANGLE-static.xcconfig	2022-02-18 18:59:32 UTC (rev 290145)
@@ -1,31 +0,0 @@
-#include "Version.xcconfig"
-#include "WebKitTargetConditionals.xcconfig"
-
-PRODUCT_NAME = ANGLE;
-EXECUTABLE_PREFIX = lib;
-
-ANGLE_OTHER_LDFLAGS = -allowable_client WebCore -allowable_client WebCoreTestSupport $(ANGLE_OTHER_LDFLAGS_$(WK_PLATFORM_NAME));
-ANGLE_OTHER_LDFLAGS_iphoneos = -framework IOSurface -lz;
-ANGLE_OTHER_LDFLAGS_iphonesimulator = $(ANGLE_OTHER_LDFLAGS_iphoneos);
-ANGLE_OTHER_LDFLAGS_watchos = $(ANGLE_OTHER_LDFLAGS_iphoneos);
-ANGLE_OTHER_LDFLAGS_watchsimulator = $(ANGLE_OTHER_LDFLAGS_iphonesimulator);
-ANGLE_OTHER_LDFLAGS_appletvos = $(ANGLE_OTHER_LDFLAGS_iphoneos);
-ANGLE_OTHER_LDFLAGS_appletvsimulator = $(ANGLE_OTHER_LDFLAGS_iphonesimulator);
-ANGLE_OTHER_LDFLAGS_maccatalyst = -framework IOKit -framework IOSurface -lz;
-ANGLE_OTHER_LDFLAGS_macosx = -framework IOKit -framework IOSurface -lz;
-
-INSTALL_PATH = $(ANGLE_INSTALL_PATH_PREFIX)/usr/local/lib;
-
-HEADER_SEARCH_PATHS = include src src/common/third_party/numerics third_party/base src/common/third_party/base third_party/zlib/google;
-
-ANGLE_HEADERS_FOLDER_PATH = /usr/local/include/ANGLE;
-
-PUBLIC_HEADERS_FOLDER_PATH = $(ANGLE_INSTALL_PATH_PREFIX)/usr/local/include/ANGLE;
-
-GCC_PREPROCESSOR_DEFINITIONS = $(DEBUG_DEFINES) LIBGLESV2_IMPLEMENTATION 

[webkit-changes] [290117] trunk/Source

2022-02-18 Thread sbarati
Title: [290117] trunk/Source








Revision 290117
Author sbar...@apple.com
Date 2022-02-18 00:16:54 -0800 (Fri, 18 Feb 2022)


Log Message
Add LC_SOURCE_VERSION to compile targets
https://bugs.webkit.org/show_bug.cgi?id=236720


Reviewed by Michael Saboff.

Source/_javascript_Core:

* Configurations/JSC.xcconfig:
* Configurations/_javascript_Core.xcconfig:
* Configurations/TestAPI.xcconfig:
* Configurations/ToolExecutable.xcconfig:
* Configurations/Version.xcconfig:

Source/ThirdParty/ANGLE:

* Configurations/Base.xcconfig:
* Configurations/Version.xcconfig:

Source/ThirdParty/libwebrtc:

* Configurations/Version.xcconfig:
* Configurations/boringssl.xcconfig:
* Configurations/libsrtp.xcconfig:
* Configurations/libvpx.xcconfig:
* Configurations/libwebm.xcconfig:
* Configurations/libwebrtc.xcconfig:
* Configurations/libyuv.xcconfig:
* Configurations/opus.xcconfig:
* Configurations/usrsctp.xcconfig:
* Configurations/yasm.xcconfig:

Source/WebCore:

* Configurations/Version.xcconfig:
* Configurations/WebCore.xcconfig:
* Configurations/WebCoreTestSupport.xcconfig:

Source/WebCore/PAL:

* Configurations/Version.xcconfig:

Source/WebGPU:

* Configurations/Version.xcconfig:
* Configurations/WGSL.xcconfig:
* Configurations/WGSLUnitTests.xcconfig:
* Configurations/WebGPU.xcconfig:

Source/WebInspectorUI:

* Configurations/Version.xcconfig:
* Configurations/WebInspectorUIFramework.xcconfig:

Source/WebKit:

* Configurations/GPUService.xcconfig:
* Configurations/NetworkService.xcconfig:
* Configurations/Version.xcconfig:
* Configurations/WebAuthnService.xcconfig:
* Configurations/WebContentService.xcconfig:
* Configurations/WebKit.xcconfig:
* Configurations/WebKitSwift.xcconfig:
* Configurations/adattributiond.xcconfig:
* Configurations/webpushd.xcconfig:
* Configurations/webpushtool.xcconfig:

Source/WebKitLegacy/mac:

* Configurations/Version.xcconfig:
* Configurations/WebKitLegacy.xcconfig:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/Configurations/JSC.xcconfig
trunk/Source/_javascript_Core/Configurations/_javascript_Core.xcconfig
trunk/Source/_javascript_Core/Configurations/TestAPI.xcconfig
trunk/Source/_javascript_Core/Configurations/ToolExecutable.xcconfig
trunk/Source/_javascript_Core/Configurations/Version.xcconfig
trunk/Source/ThirdParty/ANGLE/ChangeLog
trunk/Source/ThirdParty/ANGLE/Configurations/Base.xcconfig
trunk/Source/ThirdParty/ANGLE/Configurations/Version.xcconfig
trunk/Source/ThirdParty/libwebrtc/ChangeLog
trunk/Source/ThirdParty/libwebrtc/Configurations/Version.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/boringssl.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/libsrtp.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/libvpx.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/libwebm.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/libwebrtc.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/libyuv.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/opus.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/usrsctp.xcconfig
trunk/Source/ThirdParty/libwebrtc/Configurations/yasm.xcconfig
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/Configurations/Version.xcconfig
trunk/Source/WebCore/Configurations/WebCore.xcconfig
trunk/Source/WebCore/Configurations/WebCoreTestSupport.xcconfig
trunk/Source/WebCore/PAL/ChangeLog
trunk/Source/WebCore/PAL/Configurations/Version.xcconfig
trunk/Source/WebGPU/ChangeLog
trunk/Source/WebGPU/Configurations/Version.xcconfig
trunk/Source/WebGPU/Configurations/WGSL.xcconfig
trunk/Source/WebGPU/Configurations/WGSLUnitTests.xcconfig
trunk/Source/WebGPU/Configurations/WebGPU.xcconfig
trunk/Source/WebInspectorUI/ChangeLog
trunk/Source/WebInspectorUI/Configurations/Version.xcconfig
trunk/Source/WebInspectorUI/Configurations/WebInspectorUIFramework.xcconfig
trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/Configurations/GPUService.xcconfig
trunk/Source/WebKit/Configurations/NetworkService.xcconfig
trunk/Source/WebKit/Configurations/Version.xcconfig
trunk/Source/WebKit/Configurations/WebAuthnService.xcconfig
trunk/Source/WebKit/Configurations/WebContentService.xcconfig
trunk/Source/WebKit/Configurations/WebKit.xcconfig
trunk/Source/WebKit/Configurations/WebKitSwift.xcconfig
trunk/Source/WebKit/Configurations/adattributiond.xcconfig
trunk/Source/WebKit/Configurations/webpushd.xcconfig
trunk/Source/WebKit/Configurations/webpushtool.xcconfig
trunk/Source/WebKitLegacy/mac/ChangeLog
trunk/Source/WebKitLegacy/mac/Configurations/Version.xcconfig
trunk/Source/WebKitLegacy/mac/Configurations/WebKitLegacy.xcconfig




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (290116 => 290117)

--- trunk/Source/_javascript_Core/ChangeLog	2022-02-18 07:55:32 UTC (rev 290116)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-18 08:16:54 UTC (rev 290117)
@@ -1,3 +1,17 @@
+2022-02-18  Saam Barati  
+
+Add LC_SOURCE_VERSION to compile targets
+

[webkit-changes] [289462] trunk

2022-02-09 Thread sbarati
Title: [289462] trunk








Revision 289462
Author sbar...@apple.com
Date 2022-02-09 01:15:58 -0800 (Wed, 09 Feb 2022)


Log Message
Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject
https://bugs.webkit.org/show_bug.cgi?id=236318


Reviewed by Mark Lam.

Source/WebCore:

This patch makes it so we might not accidentally return the empty value to
_javascript_ code from JSValueInWrappedObject. Previously, JSValueInWrappedObject
had an "operator JSValue()" method. This patch removes that, adds a new
conversion method for converting between JSValueInWrappedObject and JSValue,
and makes JSValueInWrappedObject return undefined inside this method
when it used to return the empty value. This fixes a crash where we'd return
the empty value to JS JIT code, and crash dereferencing a nullptr. It's never
valid for a JS function call (or getter, etc) to return the empty value.

Test: fast/dom/AbortSignal-reason-crash-2.html

* Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::getChannelData):
* Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::toJSArray):
(WebCore::toJSObject):
(WebCore::AudioWorkletProcessor::buildJSArguments):
* bindings/js/JSCustomEventCustom.cpp:
(WebCore::JSCustomEvent::detail const):
* bindings/js/JSDOMConvertAny.h:
(WebCore::JSConverter::convert):
* bindings/js/JSMessageEventCustom.cpp:
(WebCore::JSMessageEvent::data const):
* bindings/js/JSPaymentMethodChangeEventCustom.cpp:
(WebCore::JSPaymentMethodChangeEvent::methodDetails const):
* bindings/js/JSPopStateEventCustom.cpp:
(WebCore::JSPopStateEvent::state const):
* bindings/js/JSValueInWrappedObject.h:
(WebCore::JSValueInWrappedObject::getValue const):
(WebCore::JSValueInWrappedObject::operator bool const):
(WebCore::cachedPropertyValue):
(WebCore::JSValueInWrappedObject::operator JSC::JSValue const): Deleted.
* dom/AbortSignal.cpp:
(WebCore::AbortSignal::signalFollow):
(WebCore::AbortSignal::throwIfAborted):
* dom/ErrorEvent.cpp:
(WebCore::ErrorEvent::error):
(WebCore::ErrorEvent::trySerializeError):
* dom/PopStateEvent.cpp:
(WebCore::PopStateEvent::trySerializeState):
* page/History.cpp:
(WebCore::History::cachedState):

LayoutTests:

* fast/dom/AbortSignal-reason-crash-2-expected.txt: Added.
* fast/dom/AbortSignal-reason-crash-2.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/Modules/webaudio/AudioBuffer.cpp
trunk/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
trunk/Source/WebCore/bindings/js/JSCustomEventCustom.cpp
trunk/Source/WebCore/bindings/js/JSDOMConvertAny.h
trunk/Source/WebCore/bindings/js/JSMessageEventCustom.cpp
trunk/Source/WebCore/bindings/js/JSPaymentMethodChangeEventCustom.cpp
trunk/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp
trunk/Source/WebCore/bindings/js/JSValueInWrappedObject.h
trunk/Source/WebCore/dom/AbortSignal.cpp
trunk/Source/WebCore/dom/ErrorEvent.cpp
trunk/Source/WebCore/dom/PopStateEvent.cpp
trunk/Source/WebCore/page/History.cpp


Added Paths

trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt
trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html




Diff

Modified: trunk/LayoutTests/ChangeLog (289461 => 289462)

--- trunk/LayoutTests/ChangeLog	2022-02-09 09:14:53 UTC (rev 289461)
+++ trunk/LayoutTests/ChangeLog	2022-02-09 09:15:58 UTC (rev 289462)
@@ -1,3 +1,14 @@
+2022-02-09  Saam Barati  
+
+Don't return an empty value from AbortController.signal.reason and make it harder to return empty values from JSValueInWrappedObject
+https://bugs.webkit.org/show_bug.cgi?id=236318
+
+
+Reviewed by Mark Lam.
+
+* fast/dom/AbortSignal-reason-crash-2-expected.txt: Added.
+* fast/dom/AbortSignal-reason-crash-2.html: Added.
+
 2022-02-09  Diego Pino Garcia  
 
 [GTK][WPE] Update baselines after r288944


Added: trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt (0 => 289462)

--- trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt	(rev 0)
+++ trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2-expected.txt	2022-02-09 09:15:58 UTC (rev 289462)
@@ -0,0 +1,12 @@
+Test should not crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
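Review bot: the expected output carries the `PASS successfullyParsed is true` / `TEST COMPLETE` block twice, which usually means finishJSTest() or js-test-post is reached a second time; if that is a deliberate consequence of how the async test ends, a comment in the test should say so, otherwise the duplicate belongs removed so the baseline does not mask a double finish.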


Added: trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html (0 => 289462)

--- trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html	(rev 0)
+++ trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-2.html	2022-02-09 09:15:58 UTC (rev 289462)
@@ -0,0 +1,26 @@
+
+
+
+
+
+description("Test should not crash");
+window.jsTestIsAsync = true;
+(async () => {
+try {
+let abortController = new AbortController();
+abortController.abort();
+GCController.collect();
+let x = 

[webkit-changes] [289354] trunk/Source/JavaScriptCore

2022-02-07 Thread sbarati
Title: [289354] trunk/Source/_javascript_Core








Revision 289354
Author sbar...@apple.com
Date 2022-02-07 19:00:28 -0800 (Mon, 07 Feb 2022)


Log Message
Wasm crash on https://copy.sh/v86/?profile=""
https://bugs.webkit.org/show_bug.cgi?id=236037
rdar://88358719

Reviewed by Mark Lam.

Lower stack args in Air had a bug where it was emitting a constant
materialization at the wrong instruction offset for certain types
of spill instructions. This happens when we have a stack slot that
is 8 bytes wide, but we're emitting a zero def Move32. We need to
zero the upper 4 bytes. However, there is also code inside lower
stack args that uses the temp register when encountering offsets
that are too large to encode in a single instruction. However,
this offset materialization code for the second Move32 to zero
the upper bytes was happening before the actual store. For example,
we'd end up with:
movz x16, #k
movz x16, #k2
stur x1, [x16]
stur zr, [x16]

instead of
movz x16, #k
stur x1, [x16]
movz x16, #k2
stur zr, [x16]

* b3/air/AirLowerStackArgs.cpp:
(JSC::B3::Air::lowerStackArgs):
* b3/air/testair.cpp:
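The ordering problem the log message describes, as an added illustration that is not JSC's Air code: a constructed model of an insertion set (insertions queued at index i are emitted before instruction i, in insertion order), a lowering of one 32-bit store into an 8-byte stack slot that inserts the zero store at `instIndex + 1`, and a tiny machine model that executes the result. The slot offset `kSlotOffset`, the marker value in x1 and the instruction encoding are assumptions for the example; `lowerWideSlotStore(false)` materializes the second address at `instIndex` (the bug) and `lowerWideSlotStore(true)` at `instIndex + 1` (the fix).

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Constructed model, not JSC's code: three instruction kinds are enough to
// reproduce the sequences quoted in the log message.
struct Inst {
    enum Kind { MovzX16, StoreX1, StoreZero } kind;
    int32_t imm; // immediate for MovzX16, unused for the stores
};

// Minimal insertion set: instructions queued at index i are emitted before
// code[i]; several insertions at the same index keep their insertion order
// (std::multimap guarantees that for equal keys).
struct InsertionSet {
    std::multimap<size_t, Inst> pending;
    void insert(size_t index, Inst inst) { pending.emplace(index, inst); }
    std::vector<Inst> execute(const std::vector<Inst>& code) {
        std::vector<Inst> out;
        for (size_t i = 0; i <= code.size(); ++i) {
            auto range = pending.equal_range(i);
            for (auto it = range.first; it != range.second; ++it)
                out.push_back(it->second);
            if (i < code.size())
                out.push_back(code[i]);
        }
        return out;
    }
};

const int32_t kSlotOffset = 0x10000; // assumed: too large to encode inline, so x16 is needed
const uint32_t kMarker = 0xDEADBEEF; // assumed value held in x1

// Lower "store 32-bit x1 into an 8-byte slot": the original store keeps its
// index and a second store zeroing the upper 4 bytes goes at instIndex + 1.
// Each address that does not fit needs a movz into x16 inserted at the index
// of the instruction that consumes x16; `fixed` selects which index the zero
// store's materialization uses.
std::vector<Inst> lowerWideSlotStore(bool fixed) {
    std::vector<Inst> code = { { Inst::StoreX1, 0 } };
    const size_t instIndex = 0;
    InsertionSet insertionSet;

    auto stackAddr = [&](size_t index, int32_t offsetFromSP) {
        insertionSet.insert(index, { Inst::MovzX16, offsetFromSP });
    };

    size_t zeroStoreIndex = instIndex + 1;
    stackAddr(fixed ? zeroStoreIndex : instIndex, kSlotOffset + 4); // #k2
    insertionSet.insert(zeroStoreIndex, { Inst::StoreZero, 0 });
    stackAddr(instIndex, kSlotOffset);                               // #k
    return insertionSet.execute(code);
}

// Execute the lowered sequence: x16 is the only modelled register and memory
// is a sparse map of 4-byte words keyed by address.
std::map<int32_t, uint32_t> simulate(const std::vector<Inst>& code) {
    int32_t x16 = 0;
    std::map<int32_t, uint32_t> memory;
    for (const Inst& inst : code) {
        switch (inst.kind) {
        case Inst::MovzX16: x16 = inst.imm; break;
        case Inst::StoreX1: memory[x16] = kMarker; break;
        case Inst::StoreZero: memory[x16] = 0; break;
        }
    }
    return memory;
}

// True when the low word holds the marker and the high word was zeroed.
bool slotIsCorrect(const std::map<int32_t, uint32_t>& memory) {
    auto lo = memory.find(kSlotOffset);
    auto hi = memory.find(kSlotOffset + 4);
    return lo != memory.end() && lo->second == kMarker
        && hi != memory.end() && hi->second == 0;
}

std::string disassemble(const std::vector<Inst>& code) {
    std::string out;
    for (const Inst& inst : code) {
        switch (inst.kind) {
        case Inst::MovzX16: out += "movz x16, #" + std::to_string(inst.imm) + "\n"; break;
        case Inst::StoreX1: out += "stur x1, [x16]\n"; break;
        case Inst::StoreZero: out += "stur zr, [x16]\n"; break;
        }
    }
    return out;
}

int main() {
    std::printf("buggy:\n%s\nfixed:\n%s", disassemble(lowerWideSlotStore(false)).c_str(),
        disassemble(lowerWideSlotStore(true)).c_str());
    return slotIsCorrect(simulate(lowerWideSlotStore(true))) ? 0 : 1;
}
```

With the wrong index both `movz` land before the first store, so the second store reuses whatever x16 holds and one of the two words is written to the wrong address; in this model the zero store clobbers the value just spilled. With the index passed through, the fixed sequence is exactly the second listing in the log message.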

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/air/AirLowerStackArgs.cpp
trunk/Source/_javascript_Core/b3/air/testair.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (289353 => 289354)

--- trunk/Source/_javascript_Core/ChangeLog	2022-02-08 02:58:30 UTC (rev 289353)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-08 03:00:28 UTC (rev 289354)
@@ -1,3 +1,36 @@
+2022-02-07  Saam Barati  
+
+Wasm crash on https://copy.sh/v86/?profile=""
+https://bugs.webkit.org/show_bug.cgi?id=236037
+rdar://88358719
+
+Reviewed by Mark Lam.
+
+Lower stack args in Air had a bug where it was emitting a constant
+materialization at the wrong instruction offset for certain types
+of spill instructions. This happens when we have a stack slot that
+is 8 bytes wide, but we're emitting a zero def Move32. We need to
+zero the upper 4 bytes. However, there is also code inside lower
+stack args that uses the temp register when encountering offsets
+that are too large to encode in a single instruction. However,
+this offset materialization code for the second Move32 to zero
+the upper bytes was happening before the actual store. For example,
+we'd end up with:
+movz x16, #k
+movz x16, #k2
+stur x1, [x16]
+stur zr, [x16]
+
+instead of
+movz x16, #k
+stur x1, [x16]
+movz x16, #k2
+stur zr, [x16]
+
+* b3/air/AirLowerStackArgs.cpp:
+(JSC::B3::Air::lowerStackArgs):
+* b3/air/testair.cpp:
+
 2022-02-06  Lauro Moura  
 
 Unreviewed, non-unified build fixes


Modified: trunk/Source/_javascript_Core/b3/air/AirLowerStackArgs.cpp (289353 => 289354)

--- trunk/Source/_javascript_Core/b3/air/AirLowerStackArgs.cpp	2022-02-08 02:58:30 UTC (rev 289353)
+++ trunk/Source/_javascript_Core/b3/air/AirLowerStackArgs.cpp	2022-02-08 03:00:28 UTC (rev 289354)
@@ -110,7 +110,7 @@
 
 inst.forEachArg(
 [&] (Arg& arg, Arg::Role role, Bank, Width width) {
-auto stackAddr = [&] (Value::OffsetType offsetFromFP) -> Arg {
+auto stackAddr = [&] (unsigned instIndex, Value::OffsetType offsetFromFP) -> Arg {
 int32_t offsetFromSP = offsetFromFP + code.frameSize();
 
 if (inst.admitsExtendedOffsetAddr(arg)) {
@@ -137,6 +137,7 @@
 result = Arg::addr(tmp, 0);
 return result;
 #elif CPU(X86_64)
+UNUSED_PARAM(instIndex);
 // Can't happen on x86: immediates are always big enough for frame size.
 RELEASE_ASSERT_NOT_REACHED();
 #else
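Review bot: `UNUSED_PARAM(instIndex);` is added only under `CPU(X86_64)`; if the `#else` branch that follows does not use the new lambda parameter either, builds for those targets will warn about an unused parameter, so the same `UNUSED_PARAM(instIndex);` belongs there as well.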
@@ -171,13 +172,13 @@
 RELEASE_ASSERT(isValidForm(storeOpcode, operandKind, Arg::Stack));
 insertionSet.insert(
 instIndex + 1, storeOpcode, inst.origin, operand,
-stackAddr(arg.offset() + 4 + slot->offsetFromFP()));
+stackAddr(instIndex + 1, arg.offset() + 4 + slot->offsetFromFP()));
 }
-arg = stackAddr(arg.offset() + slot->offsetFromFP());
+arg = stackAddr(instIndex, arg.offset() + slot->offsetFromFP());
 break;
 }
 case Arg::CallArg:
-arg = stackAddr(arg.offset() - code.frameSize());
+arg = stackAddr(instIndex, arg.offset() - code.frameSize());
 break;
 default:
 break;
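Review bot: the zero store is inserted at `instIndex + 1` and its address is now materialized with that same index while the original arg uses `instIndex`; nothing in the code ties the two `instIndex + 1` values together, so a one-line comment above the first `stackAddr(...)` call stating that the index passed must equal the index at which the consuming instruction is inserted would make the invariant explicit for the next change to this lambda.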


Modified: trunk/Source/_javascript_Core/b3/air/testair.cpp (289353 => 289354)


[webkit-changes] [289024] trunk/Source/JavaScriptCore

2022-02-02 Thread sbarati
Title: [289024] trunk/Source/_javascript_Core








Revision 289024
Author sbar...@apple.com
Date 2022-02-02 20:16:14 -0800 (Wed, 02 Feb 2022)


Log Message
SecureARM64EHashPins should check g_jscConfig.useFastJITPermissions
https://bugs.webkit.org/show_bug.cgi?id=236055


Reviewed by Mark Lam.

* assembler/SecureARM64EHashPins.cpp:
(JSC::SecureARM64EHashPins::initializeAtStartup):
(JSC::SecureARM64EHashPins::allocatePinForCurrentThread):
(JSC::SecureARM64EHashPins::deallocatePinForCurrentThread):
* assembler/SecureARM64EHashPinsInlines.h:
(JSC::SecureARM64EHashPins::pinForCurrentThread):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp
trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (289023 => 289024)

--- trunk/Source/_javascript_Core/ChangeLog	2022-02-03 02:19:08 UTC (rev 289023)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-03 04:16:14 UTC (rev 289024)
@@ -1,3 +1,18 @@
+2022-02-02  Saam Barati  
+
+SecureARM64EHashPins should check g_jscConfig.useFastJITPermissions
+https://bugs.webkit.org/show_bug.cgi?id=236055
+
+
+Reviewed by Mark Lam.
+
+* assembler/SecureARM64EHashPins.cpp:
+(JSC::SecureARM64EHashPins::initializeAtStartup):
+(JSC::SecureARM64EHashPins::allocatePinForCurrentThread):
+(JSC::SecureARM64EHashPins::deallocatePinForCurrentThread):
+* assembler/SecureARM64EHashPinsInlines.h:
+(JSC::SecureARM64EHashPins::pinForCurrentThread):
+
 2022-02-02  Alexey Shvayka  
 
 Speed-up JSON.stringify() by avoiding "toJSON" property lookups


Modified: trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp (289023 => 289024)

--- trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp	2022-02-03 02:19:08 UTC (rev 289023)
+++ trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp	2022-02-03 04:16:14 UTC (rev 289024)
@@ -100,6 +100,9 @@
 
 void SecureARM64EHashPins::initializeAtStartup()
 {
+if (!g_jscConfig.useFastJITPermissions)
+return;
+
 VALIDATE_THIS_VALUE();
 RELEASE_ASSERT(!m_memory);
 
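Review bot: the early return sits before `VALIDATE_THIS_VALUE();` and `RELEASE_ASSERT(!m_memory);`, so with fast JIT permissions disabled the object is never validated on this path; if the validation is cheap, keeping it ahead of the `return` preserves the integrity check in both modes, and the same applies to the two later hunks.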
@@ -173,6 +176,9 @@
 
 void SecureARM64EHashPins::allocatePinForCurrentThread()
 {
+if (!g_jscConfig.useFastJITPermissions)
+return;
+
 VALIDATE_THIS_VALUE();
 
 Locker locker { hashPinsLock };
@@ -205,6 +211,9 @@
 
 void SecureARM64EHashPins::deallocatePinForCurrentThread()
 {
+if (!g_jscConfig.useFastJITPermissions)
+return;
+
 VALIDATE_THIS_VALUE();
 
 Locker locker { hashPinsLock };


Modified: trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h (289023 => 289024)

--- trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h	2022-02-03 02:19:08 UTC (rev 289023)
+++ trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h	2022-02-03 04:16:14 UTC (rev 289024)
@@ -101,7 +101,9 @@
 
 ALWAYS_INLINE uint64_t SecureARM64EHashPins::pinForCurrentThread()
 {
-return findFirstEntry().entry->pin;
+if (LIKELY(g_jscConfig.useFastJITPermissions))
+return findFirstEntry().entry->pin;
+return 1;
 }
 
 } // namespace JSC
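Review bot: returning the constant `1` when `useFastJITPermissions` is off means every thread gets the same pin, so the pin no longer varies per thread in that mode; a comment at the `return 1;` saying why a shared constant is acceptable there would document the weaker property rather than leaving it implicit. The `LIKELY` hint is fine given that `g_jscConfig` is frozen after startup.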






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [288261] trunk/Source

2022-01-19 Thread sbarati
Title: [288261] trunk/Source








Revision 288261
Author sbar...@apple.com
Date 2022-01-19 17:39:29 -0800 (Wed, 19 Jan 2022)


Log Message
Update ARM64EHash
https://bugs.webkit.org/show_bug.cgi?id=235192

Reviewed by Mark Lam.

Source/_javascript_Core:

* CMakeLists.txt:
* _javascript_Core.xcodeproj/project.pbxproj:
* Sources.txt:
* assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::ARM64EHash):
(JSC::ARM64EHash::~ARM64EHash):
(JSC::ARM64EHash::allocatePinForCurrentThreadAndInitializeHash):
(JSC::ARM64EHash::deallocatePinForCurrentThread):
(JSC::ARM64EHash::update):
(JSC::ARM64EHash::pin):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::arm64eHash):
(JSC::AssemblerBuffer::putIntegralUnchecked):
(JSC::ARM64EHash::bitsForDiversifier): Deleted.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::allocate):
* assembler/SecureARM64EHashPins.cpp: Added.
(JSC::WriteToJITRegionScope::WriteToJITRegionScope):
(JSC::WriteToJITRegionScope::~WriteToJITRegionScope):
(JSC::ValidateNonReentrancyScope::ValidateNonReentrancyScope):
(JSC::ValidateNonReentrancyScope::~ValidateNonReentrancyScope):
(JSC::allocateInExecutableMemory):
(JSC::SecureARM64EHashPins::Page::Page):
(JSC::initializePage):
(JSC::SecureARM64EHashPins::metadata):
(JSC::SecureARM64EHashPins::initializeAtStartup):
(JSC::SecureARM64EHashPins::allocatePinForCurrentThreadImpl):
(JSC::SecureARM64EHashPins::allocatePinForCurrentThread):
(JSC::SecureARM64EHashPins::deallocatePinForCurrentThread):
* assembler/SecureARM64EHashPins.h: Added.
(JSC::SecureARM64EHashPins::firstPage):
* assembler/SecureARM64EHashPinsInlines.h: Added.
(JSC::SecureARM64EHashPins::keyForCurrentThread):
(JSC::SecureARM64EHashPins::forEachPage):
(JSC::SecureARM64EHashPins::forEachEntry):
(JSC::SecureARM64EHashPins::findFirstEntry):
(JSC::SecureARM64EHashPins::pinForCurrentThread):
* heap/MarkedBlock.h:
* heap/MarkedSpace.h:
* heap/SlotVisitor.h:
* jit/BaselineJITPlan.cpp:
(JSC::BaselineJITPlan::BaselineJITPlan):
(JSC::BaselineJITPlan::compileInThreadImpl):
* jit/ExecutableAllocator.cpp:
* parser/Parser.h:
* runtime/InitializeThreading.cpp:
(JSC::initialize):
* runtime/IterationStatus.h: Removed.
* runtime/JSCConfig.h:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::parseAndCompileAir):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompileB3):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::compileFunction):

Source/WTF:

* WTF.xcodeproj/project.pbxproj:
* wtf/Bitmap.h:
(WTF::WordType>::set):
(WTF::WordType>::forEachSetBit const):
* wtf/CMakeLists.txt:
* wtf/IterationStatus.h: Added.

Modified Paths

trunk/Source/_javascript_Core/CMakeLists.txt
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
trunk/Source/_javascript_Core/Sources.txt
trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h
trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp
trunk/Source/_javascript_Core/heap/MarkedBlock.h
trunk/Source/_javascript_Core/heap/MarkedSpace.h
trunk/Source/_javascript_Core/heap/SlotVisitor.h
trunk/Source/_javascript_Core/jit/BaselineJITPlan.cpp
trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp
trunk/Source/_javascript_Core/parser/Parser.h
trunk/Source/_javascript_Core/runtime/InitializeThreading.cpp
trunk/Source/_javascript_Core/runtime/JSCConfig.h
trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/WTF.xcodeproj/project.pbxproj
trunk/Source/WTF/wtf/Bitmap.h
trunk/Source/WTF/wtf/CMakeLists.txt


Added Paths

trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.cpp
trunk/Source/_javascript_Core/assembler/SecureARM64EHashPins.h
trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h
trunk/Source/WTF/wtf/IterationStatus.h


Removed Paths

trunk/Source/_javascript_Core/runtime/IterationStatus.h




Diff

Modified: trunk/Source/_javascript_Core/CMakeLists.txt (288260 => 288261)

--- trunk/Source/_javascript_Core/CMakeLists.txt	2022-01-20 01:35:06 UTC (rev 288260)
+++ trunk/Source/_javascript_Core/CMakeLists.txt	2022-01-20 01:39:29 UTC (rev 288261)
@@ -593,6 +593,8 @@
 assembler/RISCV64Assembler.h
 assembler/RISCV64Registers.h
 assembler/RegisterInfo.h
+assembler/SecureARM64EHashPins.h
+assembler/SecureARM64EHashPinsInlines.h
 assembler/X86Assembler.h
 assembler/X86Registers.h
 assembler/X86_64Registers.h
@@ -1023,7 +1025,6 @@
 runtime/InternalFunction.h
 runtime/Intrinsic.h
 runtime/IterationKind.h
-runtime/IterationStatus.h
 runtime/IteratorOperations.h
 runtime/IteratorPrototype.h
 runtime/JSArray.h
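Review bot: `runtime/IterationStatus.h` is dropped from the JSC header list while the ChangeLog adds `wtf/IterationStatus.h` in WTF; any JSC source that still includes the header by its old path must switch to `<wtf/IterationStatus.h>`, and the hunks that would show those include changes (heap/MarkedBlock.h and friends are listed as modified) are not in the visible diff.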


Modified: trunk/Source/_javascript_Core/ChangeLog (288260 => 288261)

--- trunk/Source/_javascript_Core/ChangeLog	2022-01-20 01:35:06 UTC (rev 288260)
+++ 

[webkit-changes] [288028] trunk/Source/JavaScriptCore

2022-01-14 Thread sbarati
Title: [288028] trunk/Source/_javascript_Core








Revision 288028
Author sbar...@apple.com
Date 2022-01-14 13:07:47 -0800 (Fri, 14 Jan 2022)


Log Message
Make isJITPC fast
https://bugs.webkit.org/show_bug.cgi?id=235241

Reviewed by Yusuke Suzuki.

Make it an inlined function, and stop tagging g_jscConfig.startExecutableMemory
and g_jscConfig.endExecutableMemory, since they're in the Config page, and
not mutable after it's frozen.

* jit/ExecutableAllocator.cpp:
(JSC::initializeJITPageReservation):
(JSC::isJITPC): Deleted.
* jit/ExecutableAllocator.h:
(JSC::isJITPC):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp
trunk/Source/_javascript_Core/jit/ExecutableAllocator.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (288027 => 288028)

--- trunk/Source/_javascript_Core/ChangeLog	2022-01-14 21:04:10 UTC (rev 288027)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-01-14 21:07:47 UTC (rev 288028)
@@ -1,5 +1,22 @@
 2022-01-14  Saam Barati  
 
+Make isJITPC fast
+https://bugs.webkit.org/show_bug.cgi?id=235241
+
+Reviewed by Yusuke Suzuki.
+
+Make it an inlined function, and stop tagging g_jscConfig.startExecutableMemory
+and g_jscConfig.endExecutableMemory, since they're in the Config page, and
+not mutable after it's frozen.
+
+* jit/ExecutableAllocator.cpp:
+(JSC::initializeJITPageReservation):
+(JSC::isJITPC): Deleted.
+* jit/ExecutableAllocator.h:
+(JSC::isJITPC):
+
+2022-01-14  Saam Barati  
+
 Use IRC for Wasm, and Briggs for JS on ARM64
 https://bugs.webkit.org/show_bug.cgi?id=235235
 


Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp (288027 => 288028)

--- trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp	2022-01-14 21:04:10 UTC (rev 288027)
+++ trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp	2022-01-14 21:07:47 UTC (rev 288028)
@@ -400,8 +400,8 @@
 #endif
 
 void* reservationEnd = reinterpret_cast(reservation.base) + reservation.size;
-g_jscConfig.startExecutableMemory = tagCodePtr(reservation.base);
-g_jscConfig.endExecutableMemory = tagCodePtr(reservationEnd);
+g_jscConfig.startExecutableMemory = reservation.base;
+g_jscConfig.endExecutableMemory = reservationEnd;
 
 #if !USE(SYSTEM_MALLOC) && ENABLE(UNIFIED_AND_FREEZABLE_CONFIG_RECORD)
 WebConfig::g_config[0] = bitwise_cast(reservation.base);
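Review bot: storing the untagged `reservation.base` and `reservationEnd` in `g_jscConfig` removes the pointer-authentication check on these bounds, so their integrity now rests on the config page being made read-only afterwards; a comment at the assignment pointing to where the config is frozen would make that dependency explicit for readers who do not have the log message.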
@@ -471,9 +471,8 @@
 m_reservation.deallocate();
 }
 
-void* memoryStart() { return untagCodePtr(g_jscConfig.startExecutableMemory); }
-void* memoryEnd() { return untagCodePtr(g_jscConfig.endExecutableMemory); }
-bool isJITPC(void* pc) { return memoryStart() <= pc && pc < memoryEnd(); }
+void* memoryStart() { return g_jscConfig.startExecutableMemory; }
+void* memoryEnd() { return g_jscConfig.endExecutableMemory; }
 bool isValid() { return !!m_reservation; }
 
 RefPtr allocate(size_t sizeInBytes)
@@ -1129,12 +1128,6 @@
 return allocator->memoryEnd();
 }
 
-bool isJITPC(void* pc)
-{
-FixedVMPoolExecutableAllocator* allocator = g_jscConfig.fixedVMPoolExecutableAllocator;
-return allocator && allocator->isJITPC(pc);
-}
-
 void dumpJITMemory(const void* dst, const void* src, size_t size)
 {
 RELEASE_ASSERT(Options::dumpJITMemoryPath());
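Review bot: the `allocator &&` guard removed here is what made isJITPC return false before the fixed VM pool exists; the inlined replacement compares pc against g_jscConfig.startExecutableMemory and endExecutableMemory directly, so correctness now depends on both fields being null until initializeJITPageReservation runs (null <= pc && pc < null is false for every pc). That holds if g_jscConfig is zero-initialized, but say so in a comment next to the new inline function.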


Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocator.h (288027 => 288028)

--- trunk/Source/_javascript_Core/jit/ExecutableAllocator.h	2022-01-14 21:04:10 UTC (rev 288027)
+++ trunk/Source/_javascript_Core/jit/ExecutableAllocator.h	2022-01-14 21:07:47 UTC (rev 288028)
@@ -108,7 +108,10 @@
 return bitwise_cast(endOfFixedExecutableMemoryPoolImpl());
 }
 
-JS_EXPORT_PRIVATE bool isJITPC(void* pc);
+ALWAYS_INLINE bool isJITPC(void* pc)
+{
+return g_jscConfig.startExecutableMemory <= pc && pc < g_jscConfig.endExecutableMemory;
+}
 
 JS_EXPORT_PRIVATE void dumpJITMemory(const void*, const void*, size_t);
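Review bot: `g_jscConfig.startExecutableMemory <= pc && pc < g_jscConfig.endExecutableMemory` orders raw `void*` values that do not point into one object, which is unspecified in standard C++; compare them as `uintptr_t` instead (the context a few lines above already uses `bitwise_cast` for the end pointer). Also check that this header now includes the declaration of `g_jscConfig`, since the previous JS_EXPORT_PRIVATE declaration did not need it.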
 

___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [288023] trunk/Source/JavaScriptCore

2022-01-14 Thread sbarati
Title: [288023] trunk/Source/_javascript_Core

Revision 288023
Author sbar...@apple.com
Date 2022-01-14 12:05:39 -0800 (Fri, 14 Jan 2022)


Log Message
Use IRC for Wasm, and Briggs for JS on ARM64
https://bugs.webkit.org/show_bug.cgi?id=235235


Reviewed by Yusuke Suzuki and Robin Morisset.

When I turned on IRC for everything in r287218, we saw some
regressions on iOS on JetStream2. So, this patch makes it so
JS code on arm64 goes back to using Briggs, and Wasm will
use IRC.

* b3/air/AirAllocateRegistersByGraphColoring.cpp:
* b3/air/AirCode.h:
(JSC::B3::Air::Code::setForceIRCRegisterAllocation):
(JSC::B3::Air::Code::forceIRCRegisterAllocation):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompileB3):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp
trunk/Source/_javascript_Core/b3/air/AirCode.h
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (288022 => 288023)

--- trunk/Source/_javascript_Core/ChangeLog	2022-01-14 19:57:25 UTC (rev 288022)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-01-14 20:05:39 UTC (rev 288023)
@@ -1,3 +1,23 @@
+2022-01-14  Saam Barati  
+
+Use IRC for Wasm, and Briggs for JS on ARM64
+https://bugs.webkit.org/show_bug.cgi?id=235235
+
+
+Reviewed by Yusuke Suzuki and Robin Morisset.
+
+When I turned on IRC for everything in r287218, we saw some
+regressions on iOS on JetStream2. So, this patch makes it so
+JS code on arm64 goes back to using Briggs, and Wasm will
+use IRC.
+
+* b3/air/AirAllocateRegistersByGraphColoring.cpp:
+* b3/air/AirCode.h:
+(JSC::B3::Air::Code::setForceIRCRegisterAllocation):
+(JSC::B3::Air::Code::forceIRCRegisterAllocation):
+* wasm/WasmB3IRGenerator.cpp:
+(JSC::Wasm::parseAndCompileB3):
+
 2022-01-13  Zan Dobersek  
 
 [RISCV64] riscv64 backend should lower offlineasm instructions
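Review bot: there are two consecutive blank `+` lines between the bug URL and the `Reviewed by` line of the new ChangeLog entry; WebKit ChangeLog entries use a single blank line there.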


Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp (288022 => 288023)

--- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp	2022-01-14 19:57:25 UTC (rev 288022)
+++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp	2022-01-14 20:05:39 UTC (rev 288023)
@@ -1815,8 +1815,14 @@
 return false;
 };
 
-auto useIRC = [] {
-return Options::airForceIRCAllocator() || !Options::airForceBriggsAllocator();
+auto useIRC = [&] {
+if (Options::airForceBriggsAllocator())
+return false;
+if (m_code.forceIRCRegisterAllocation() || Options::airForceIRCAllocator())
+return true;
+if (isARM64())
+return false;
+return true;
 };
 
 if (m_code.numTmps(bank) < WTF::maxSizeForSmallInterferenceGraph) {
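Review bot: the precedence in the new useIRC lambda silently overrides a Procedure's request: when Options::airForceBriggsAllocator() is set, `m_code.forceIRCRegisterAllocation()` is ignored, while Options::airForceIRCAllocator() is honoured regardless. If that asymmetry is intended, a comment would help; and the closing `if (isARM64()) return false; return true;` reads more clearly as `return !isARM64();`.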


Modified: trunk/Source/_javascript_Core/b3/air/AirCode.h (288022 => 288023)

--- trunk/Source/_javascript_Core/b3/air/AirCode.h	2022-01-14 19:57:25 UTC (rev 288022)
+++ trunk/Source/_javascript_Core/b3/air/AirCode.h	2022-01-14 20:05:39 UTC (rev 288023)
@@ -361,6 +361,9 @@
 void emitEpilogue(CCallHelpers&);
 
 std::unique_ptr m_generateAndAllocateRegisters;
+
+void setForceIRCRegisterAllocation() { m_forceIRC = true; }
+bool forceIRCRegisterAllocation() { return m_forceIRC; }
 
 private:
 friend class ::JSC::B3::Procedure;
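Review bot: `forceIRCRegisterAllocation()` only reads m_forceIRC and should be declared `const` so it can be called through a `const Code&`, matching the other read-only accessors in this class.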
@@ -400,6 +403,7 @@
 unsigned m_optLevel { defaultOptLevel() };
 bool m_stackIsAllocated { false };
 bool m_preserveB3Origins { true };
+bool m_forceIRC { false };
 RegisterAtOffsetList m_uncorrectedCalleeSaveRegisterAtOffsetList;
 RegisterSet m_calleeSaveRegisters;
 StackSlot* m_calleeSaveStackSlot { nullptr };


Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (288022 => 288023)

--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2022-01-14 19:57:25 UTC (rev 288022)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2022-01-14 20:05:39 UTC (rev 288023)
@@ -3174,6 +3174,8 @@
 ? Options::webAssemblyBBQB3OptimizationLevel()
 : Options::webAssemblyOMGOptimizationLevel());
 
+procedure.code().setForceIRCRegisterAllocation();
+
 B3IRGenerator irGenerator(info, procedure, result.get(), unlinkedWasmToWasmCalls, result->osrEntryScratchBufferSize, mode, compilationMode, functionIndex, loopIndexForOSREntry, tierUp);
 FunctionParser parser(irGenerator, function.data.data(), function.data.size(), signature, info);
 WASM_FAIL_IF_HELPER_FAILS(parser.parse());
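Review bot: `procedure.code().setForceIRCRegisterAllocation()` is called unconditionally, so it applies to both the BBQ-B3 and OMG optimization levels selected in the context lines above; if forcing IRC at the lower BBQ level is intended as well, a brief comment citing bug 235235 would spare the next reader a trip through the history.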




[webkit-changes] [288002] trunk/Source/JavaScriptCore

2022-01-13 Thread sbarati
Title: [288002] trunk/Source/_javascript_Core

Revision 288002
Author sbar...@apple.com
Date 2022-01-13 18:40:08 -0800 (Thu, 13 Jan 2022)


Log Message
Link Wasm code on the same thread that JITs
https://bugs.webkit.org/show_bug.cgi?id=235201

Reviewed by Yusuke Suzuki and Mark Lam.

This is preparing us for the changes that'll be needed by
https://bugs.webkit.org/show_bug.cgi?id=235192.

It should also be a small perf improvement, as we're now linking
in parallel instead of doing it after all compilations have finished.

* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompileB3):
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::prepareImpl):
(JSC::Wasm::BBQPlan::compileFunction):
(JSC::Wasm::BBQPlan::didCompleteCompilation):
(JSC::Wasm::BBQPlan::initializeCallees):
* wasm/WasmBBQPlan.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmBBQPlan.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (288001 => 288002)

--- trunk/Source/_javascript_Core/ChangeLog	2022-01-14 01:57:40 UTC (rev 288001)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-01-14 02:40:08 UTC (rev 288002)
@@ -1,3 +1,25 @@
+2022-01-13  Saam Barati  
+
+Link Wasm code on the same thread that JITs
+https://bugs.webkit.org/show_bug.cgi?id=235201
+
+Reviewed by Yusuke Suzuki and Mark Lam.
+
+This is preparing us for the changes that'll be needed by
+https://bugs.webkit.org/show_bug.cgi?id=235192.
+
+It should also be a small perf improvement, as we're now linking
+in parallel instead of doing it after all compilations have finished.
+
+* wasm/WasmB3IRGenerator.cpp:
+(JSC::Wasm::parseAndCompileB3):
+* wasm/WasmBBQPlan.cpp:
+(JSC::Wasm::BBQPlan::prepareImpl):
+(JSC::Wasm::BBQPlan::compileFunction):
+(JSC::Wasm::BBQPlan::didCompleteCompilation):
+(JSC::Wasm::BBQPlan::initializeCallees):
+* wasm/WasmBBQPlan.h:
+
 2022-01-13  Elliott Williams  
 
 [XCBuild] Add "product dependencies" which influence workspace build order


Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (288001 => 288002)

--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2022-01-14 01:57:40 UTC (rev 288001)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2022-01-14 02:40:08 UTC (rev 288002)
@@ -3150,7 +3150,6 @@
 if (shouldDumpIRFor(functionIndex + info.importFunctionCount()))
 procedure.setShouldDumpIR();
 
-compilationContext.wasmEntrypointJIT = makeUnique();
 
 if (Options::useSamplingProfiler()) {
 // FIXME: We should do this based on VM relevant info.
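Review bot: removing the `compilationContext.wasmEntrypointJIT` assignment leaves two consecutive blank lines in parseAndCompileB3; drop one. More importantly, the BBQPlan hunk in this same commit dereferences `*m_compilationContexts[functionIndex].wasmEntrypointJIT` without a null check, so wherever the entrypoint JIT is now created must run before compileFunction for every function; that creation site is not in this diff and should be verified.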


Modified: trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp (288001 => 288002)

--- trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp	2022-01-14 01:57:40 UTC (rev 288001)
+++ trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp	2022-01-14 02:40:08 UTC (rev 288002)
@@ -63,6 +63,7 @@
 {
 const auto& functions = m_moduleInformation->functions;
 if (!tryReserveCapacity(m_wasmInternalFunctions, functions.size(), " WebAssembly functions")
+|| !tryReserveCapacity(m_wasmInternalFunctionLinkBuffers, functions.size(), " compilation contexts")
 || !tryReserveCapacity(m_compilationContexts, functions.size(), " compilation contexts")
 || !tryReserveCapacity(m_tierUpCounts, functions.size(), " tier-up counts")
 || !tryReserveCapacity(m_allLoopEntrypoints, functions.size(), " loop entrypoints"))
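Review bot: the new tryReserveCapacity call for m_wasmInternalFunctionLinkBuffers reuses the description string " compilation contexts" from the line directly below it, so an allocation failure would be reported under the wrong name; use something like " link buffers".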
@@ -69,6 +70,7 @@
 return false;
 
 m_wasmInternalFunctions.resize(functions.size());
+m_wasmInternalFunctionLinkBuffers.resize(functions.size());
 m_exceptionHandlerLocations.resize(functions.size());
 m_compilationContexts.resize(functions.size());
 m_tierUpCounts.resize(functions.size());
@@ -182,12 +184,21 @@
 m_tierUpCounts[functionIndex] = nullptr;
 
 m_wasmInternalFunctions[functionIndex] = compileFunction(functionIndex, m_compilationContexts[functionIndex], m_unlinkedWasmToWasmCalls[functionIndex], m_tierUpCounts[functionIndex].get());
+{
+auto linkBuffer = makeUnique(*m_compilationContexts[functionIndex].wasmEntrypointJIT, nullptr, LinkBuffer::Profile::Wasm, JITCompilationCanFail);
+if (linkBuffer->isValid())
+m_wasmInternalFunctionLinkBuffers[functionIndex] = WTFMove(linkBuffer);
+}
 
 if (m_exportedFunctionIndices.contains(functionIndex) || m_moduleInformation->referencedFunctions().contains(functionIndex)) {
 Locker locker { m_lock };
 SignatureIndex signatureIndex = m_moduleInformation->internalFunctionSignatureIndices[functionIndex];
 const Signature& signature = SignatureInformation::get(signatureIndex);
-auto result = m_embedderToWasmInternalFunctions.add(functionIndex, 
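Review bot: when `linkBuffer->isValid()` is false (the constructor is passed JITCompilationCanFail), m_wasmInternalFunctionLinkBuffers[functionIndex] is left null and nothing here records the failure, so didCompleteCompilation must treat a null entry as a failed compilation rather than dereferencing it; an explicit `else` that marks the plan failed, or a comment naming where that happens, would make the contract visible at this site.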

[webkit-changes] [287864] trunk/Source/JavaScriptCore

2022-01-10 Thread sbarati
Title: [287864] trunk/Source/_javascript_Core

Revision 287864
Author sbar...@apple.com
Date 2022-01-10 17:36:00 -0800 (Mon, 10 Jan 2022)


Log Message
Allow loop tier up to the Air tier
https://bugs.webkit.org/show_bug.cgi?id=234587


Reviewed by Yusuke Suzuki.

This patch adds loop tier up from LLInt -> Air. To implement this, we use
EntrySwitch to point at each loop header, making each loop an entrypoint.
This is unlike BBQ->OMG tier up, where we compile a special OSR entry OMG
callee. This seems like a good architecture for the Air tier, since we might end
up with slightly worse throughput, but we won't need a different compilation
for loops vs call entrypoints.

This patch also fixes a bug in Air's O0 register allocation where it
didn't properly account for all named registers in an instruction. There
was a silly bug where we asked each arg if it were a temp, instead of
asking the Inst for each of its temps, since an Arg can be an address
but still use temps.

* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
(JSC::B3::Air::GenerateAndAllocateRegisters::generate):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::emitLoad):
(JSC::Wasm::AirIRGenerator::AirIRGenerator):
(JSC::Wasm::AirIRGenerator::finalizeEntrypoints):
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
(JSC::Wasm::AirIRGenerator::addLoop):
(JSC::Wasm::parseAndCompileAir):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::parseAndCompileB3):
(JSC::Wasm::parseAndCompile): Deleted.
* wasm/WasmB3IRGenerator.h:
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::prepareImpl):
(JSC::Wasm::BBQPlan::work):
(JSC::Wasm::BBQPlan::compileFunction):
(JSC::Wasm::BBQPlan::didCompleteCompilation):
(JSC::Wasm::BBQPlan::initializeCallees):
* wasm/WasmBBQPlan.h:
* wasm/WasmCallee.h:
* wasm/WasmCalleeGroup.h:
* wasm/WasmFormat.h:
* wasm/WasmIRGeneratorHelpers.h:
(JSC::Wasm::computeExceptionHandlerAndLoopEntrypointLocations):
(JSC::Wasm::computeExceptionHandlerLocations):
* wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::didCompleteCompilation):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmOSREntryPlan.cpp:
(JSC::Wasm::OSREntryPlan::work):
* wasm/WasmSlowPaths.cpp:
(JSC::LLInt::WASM_SLOW_PATH_DECL):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp
trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.h
trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmBBQPlan.h
trunk/Source/_javascript_Core/wasm/WasmCallee.h
trunk/Source/_javascript_Core/wasm/WasmCalleeGroup.h
trunk/Source/_javascript_Core/wasm/WasmFormat.h
trunk/Source/_javascript_Core/wasm/WasmIRGeneratorHelpers.h
trunk/Source/_javascript_Core/wasm/WasmLLIntPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmOSREntryPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmSlowPaths.cpp
trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (287863 => 287864)

--- trunk/Source/_javascript_Core/ChangeLog	2022-01-10 23:48:40 UTC (rev 287863)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-01-11 01:36:00 UTC (rev 287864)
@@ -1,3 +1,62 @@
+2022-01-10  Saam Barati  
+
+Allow loop tier up to the Air tier
+https://bugs.webkit.org/show_bug.cgi?id=234587
+
+
+Reviewed by Yusuke Suzuki.
+
+This patch adds loop tier up from LLInt -> Air. To implement this, we use
+EntrySwitch to point at each loop header, making each loop an entrypoint.
+This is unlike BBQ->OMG tier up, where we compile a special OSR entry OMG
+callee. This seems like a good architecture for the Air tier, since we might end
+up with slightly worse throughput, but we won't need a different compilation
+for loops vs call entrypoints.
+
+This patch also fixes a bug in Air's O0 register allocation where it
+didn't properly account for all named registers in an instruction. There
+was a silly bug where we asked each arg if it were a temp, instead of
+asking the Inst for each of its temps, since an Arg can be an address
+but still use temps.
+
+* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
+(JSC::B3::Air::GenerateAndAllocateRegisters::generate):
+* wasm/WasmAirIRGenerator.cpp:
+(JSC::Wasm::AirIRGenerator::emitLoad):
+(JSC::Wasm::AirIRGenerator::AirIRGenerator):
+(JSC::Wasm::AirIRGenerator::finalizeEntrypoints):
+(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
+(JSC::Wasm::AirIRGenerator::addLoop):
+(JSC::Wasm::parseAndCompileAir):
+* wasm/WasmB3IRGenerator.cpp:
+

[webkit-changes] [287806] trunk/Source/JavaScriptCore

2022-01-07 Thread sbarati
Title: [287806] trunk/Source/_javascript_Core

Revision 287806
Author sbar...@apple.com
Date 2022-01-07 19:42:42 -0800 (Fri, 07 Jan 2022)


Log Message
Unreviewed. Appease an assertion that was broken by r287801 by slightly
refactoring code so we don't clobber the same named register twice.

* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
(JSC::B3::Air::GenerateAndAllocateRegisters::generate):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (287805 => 287806)

--- trunk/Source/_javascript_Core/ChangeLog	2022-01-08 03:18:59 UTC (rev 287805)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-01-08 03:42:42 UTC (rev 287806)
@@ -1,5 +1,13 @@
 2022-01-07  Saam Barati  
 
+Unreviewed. Appease an assertion that was broken by r287801 by slightly
+refactoring code so we don't clobber the same named register twice.
+
+* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
+(JSC::B3::Air::GenerateAndAllocateRegisters::generate):
+
+2022-01-07  Saam Barati  
+
 Add support for Wasm exceptions in the Air generator
 https://bugs.webkit.org/show_bug.cgi?id=231211
 


Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp (287805 => 287806)

--- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp	2022-01-08 03:18:59 UTC (rev 287805)
+++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp	2022-01-08 03:42:42 UTC (rev 287806)
@@ -758,8 +758,8 @@
 ASSERT_UNUSED(jump, !jump.isSet());
 
 allocNamed(earlyNextClobberedRegisters, true);
+clobberedRegisters.merge(earlyNextClobberedRegisters);
 clobber(clobberedRegisters);
-clobber(earlyNextClobberedRegisters);
 } else {
 ASSERT(needsToGenerate);
 



[webkit-changes] [287801] trunk/Source/JavaScriptCore

2022-01-07 Thread sbarati
Title: [287801] trunk/Source/_javascript_Core

Revision 287801
Author sbar...@apple.com
Date 2022-01-07 17:57:04 -0800 (Fri, 07 Jan 2022)


Log Message
Add support for Wasm exceptions in the Air generator
https://bugs.webkit.org/show_bug.cgi?id=231211


Reviewed by Filip Pizlo.

This patch adds support to Air for Wasm exceptions. The implementation
is very similar to how we implement it in the B3 Wasm tier. This patch
shares code with the B3 tier where it can.

This patch also fixes a bug where the early clobbered registers
of a patchpoint could prevent the prior instruction from register allocating.
For example, you can have the instructions I1, I2, where I2 clobbers the
entire register file. It doesn't mean I1 shouldn't be able to allocate
registers. Instead, the clobber should occur after I1 executes. This patch
fixes the issue.

* _javascript_Core.xcodeproj/project.pbxproj:
* b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
(JSC::B3::Air::GenerateAndAllocateRegisters::generate):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::ControlData::ControlData):
(JSC::Wasm::AirIRGenerator::ControlData::isTry):
(JSC::Wasm::AirIRGenerator::ControlData::isCatch):
(JSC::Wasm::AirIRGenerator::ControlData::convertTryToCatch):
(JSC::Wasm::AirIRGenerator::ControlData::convertTryToCatchAll):
(JSC::Wasm::AirIRGenerator::ControlData::tryStart const):
(JSC::Wasm::AirIRGenerator::ControlData::tryEnd const):
(JSC::Wasm::AirIRGenerator::ControlData::tryDepth const):
(JSC::Wasm::AirIRGenerator::ControlData::catchKind const):
(JSC::Wasm::AirIRGenerator::ControlData::exception const):
(JSC::Wasm::AirIRGenerator::emitCallPatchpoint):
(JSC::Wasm::AirIRGenerator::addStackMap):
(JSC::Wasm::AirIRGenerator::takeStackmaps):
(JSC::Wasm::AirIRGenerator::takeExceptionHandlers):
(JSC::Wasm::AirIRGenerator::newTmp):
(JSC::Wasm::AirIRGenerator::emitPatchpoint):
(JSC::Wasm::AirIRGenerator::emitLoad):
(JSC::Wasm::AirIRGenerator::AirIRGenerator):
(JSC::Wasm::AirIRGenerator::finalizeEntrypoints):
(JSC::Wasm::AirIRGenerator::forEachLiveValue):
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
(JSC::Wasm::AirIRGenerator::addTry):
(JSC::Wasm::AirIRGenerator::addCatch):
(JSC::Wasm::AirIRGenerator::addCatchAll):
(JSC::Wasm::AirIRGenerator::addCatchToUnreachable):
(JSC::Wasm::AirIRGenerator::addCatchAllToUnreachable):
(JSC::Wasm::AirIRGenerator::emitCatchImpl):
(JSC::Wasm::AirIRGenerator::addDelegate):
(JSC::Wasm::AirIRGenerator::addDelegateToUnreachable):
(JSC::Wasm::AirIRGenerator::addThrow):
(JSC::Wasm::AirIRGenerator::addRethrow):
(JSC::Wasm::AirIRGenerator::addEndToUnreachable):
(JSC::Wasm::AirIRGenerator::addCall):
(JSC::Wasm::AirIRGenerator::emitIndirectCall):
(JSC::Wasm::parseAndCompileAir):
(JSC::Wasm::AirIRGenerator::preparePatchpointForExceptions):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::insertEntrySwitch):
(JSC::Wasm::B3IRGenerator::emitCatchImpl):
(JSC::Wasm::B3IRGenerator::addThrow):
(JSC::Wasm::B3IRGenerator::addRethrow):
(JSC::Wasm::PatchpointExceptionHandle::generate const): Deleted.
(JSC::Wasm::buildEntryBufferForCatch): Deleted.
(JSC::Wasm::computeExceptionHandlerLocations): Deleted.
* wasm/WasmB3IRGenerator.h:
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::compileFunction):
* wasm/WasmIRGeneratorHelpers.h: Added.
(JSC::Wasm::PatchpointExceptionHandle::generate const):
(JSC::Wasm::computeExceptionHandlerLocations):
(JSC::Wasm::emitRethrowImpl):
(JSC::Wasm::emitThrowImpl):
(JSC::Wasm::buildEntryBufferForCatch):
(JSC::Wasm::emitCatchPrologueShared):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::finalize):
* wasm/WasmModuleInformation.h:
* wasm/WasmOMGPlan.cpp:
* wasm/WasmOSREntryPlan.cpp:
* wasm/WasmStreamingParser.cpp:
(JSC::Wasm::StreamingParser::parseCodeSectionSize):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp
trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.h
trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmLLIntGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmModuleInformation.h
trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmOSREntryPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmStreamingParser.cpp


Added Paths

trunk/Source/_javascript_Core/wasm/WasmIRGeneratorHelpers.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (287800 => 287801)

--- trunk/Source/_javascript_Core/ChangeLog	2022-01-08 01:52:18 UTC (rev 287800)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-01-08 01:57:04 UTC (rev 287801)
@@ -1,3 +1,88 @@
+2022-01-07  Saam Barati  
+
+Add support for Wasm exceptions in the Air generator
+https://bugs.webkit.org/show_bug.cgi?id=231211
+
+
+Reviewed 

[webkit-changes] [287738] trunk

2022-01-06 Thread sbarati
Title: [287738] trunk

Revision 287738
Author sbar...@apple.com
Date 2022-01-06 20:54:03 -0800 (Thu, 06 Jan 2022)


Log Message
preparePatchpointForExceptions needs to handle tuples
https://bugs.webkit.org/show_bug.cgi?id=234909

Reviewed by Yusuke Suzuki.

JSTests:

Add support to the builder to have functions return tuples.

* wasm/Builder.js:
(const._normalizeFunctionSignature):
(const._maybeRegisterType):
* wasm/Builder_WebAssemblyBinary.js:
(const.emitters.Type):
* wasm/stress/exception-throw-from-function-returning-tuple.js: Added.
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.testCatchWithExceptionThrownFromFunctionReturningTuple):

Source/_javascript_Core:

We got the offsets wrong when building a stackmap in B3IRGenerator
for exception sites. We need to index into StackmapGenerationParams
differently from indexing into the patchpoint's children. StackmapGenerationParams
reserves its first N entries for the N return values. The patchpoint's
children contains no results though, so we don't need to account for
the number of return values when indexing into the children() vector
of the PatchpointValue. To make this code simpler, we keep track of the
number of live values we need when throwing. These values are both
at the end of StackmapGenerationParams and at the end of the children()
vector. So we just look at the last "number of live values" in both
vectors to get the correct ValueRep and correct type. The code for
calls also didn't account for the fact that call arguments will be
appended after the live values we're building into a stackmap. This
patch fixes that code to always put the live values last.

* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::PatchpointExceptionHandle::generate const):
(JSC::Wasm::B3IRGenerator::preparePatchpointForExceptions):

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/wasm/Builder.js
trunk/JSTests/wasm/Builder_WebAssemblyBinary.js
trunk/JSTests/wasm/self-test/test_BuilderJSON.js
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp


Added Paths

trunk/JSTests/wasm/stress/exception-throw-from-function-returning-tuple.js

Diff

Modified: trunk/JSTests/ChangeLog (287737 => 287738)

--- trunk/JSTests/ChangeLog	2022-01-07 04:28:29 UTC (rev 287737)
+++ trunk/JSTests/ChangeLog	2022-01-07 04:54:03 UTC (rev 287738)
@@ -1,3 +1,20 @@
+2022-01-06  Saam Barati  
+
+preparePatchpointForExceptions needs to handle tuples
+https://bugs.webkit.org/show_bug.cgi?id=234909
+
+Reviewed by Yusuke Suzuki.
+
+Add support to the builder to have functions return tuples.
+
+* wasm/Builder.js:
+(const._normalizeFunctionSignature):
+(const._maybeRegisterType):
+* wasm/Builder_WebAssemblyBinary.js:
+(const.emitters.Type):
+* wasm/stress/exception-throw-from-function-returning-tuple.js: Added.
+(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.testCatchWithExceptionThrownFromFunctionReturningTuple):
+
 2022-01-03  Yusuke Suzuki  
 
 Array.prototype.toLocaleString does not respect deletion of Object.prototype.toLocaleString


Modified: trunk/JSTests/wasm/Builder.js (287737 => 287738)

--- trunk/JSTests/wasm/Builder.js	2022-01-07 04:28:29 UTC (rev 287737)
+++ trunk/JSTests/wasm/Builder.js	2022-01-07 04:54:03 UTC (rev 287738)
@@ -46,10 +46,16 @@
 assert.isArray(params);
 for (const p of params)
 assert.truthy(WASM.isValidValueType(p) || p === "void", `Type parameter ${p} needs a valid value type`);
-if (typeof(ret) === "undefined")
-ret = "void";
-assert.isNotArray(ret, `Multiple return values not supported by WebAssembly yet`);
-assert.truthy(WASM.isValidBlockType(ret), `Type return ${ret} must be valid block type`);
+if (typeof ret === "undefined")
+ret = [];
+else if (typeof ret === "string") {
+if (ret === "void")
+ret = [];
+else
+ret = [ret];
+}
+for (let type of ret)
+assert.truthy(WASM.isValidBlockType(type), `Type return ${type} must be valid block type`);
 return [params, ret];
 };
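Review bot: the normalization accepts `undefined`, a string, or an array for `ret`, but any other value (an object, say) now falls through to `for (let type of ret)` and fails with a TypeError instead of a builder assertion; add `assert.isArray(ret)` after the `else if` chain. Also, since "void" is only translated when `ret` is a bare string, a `["void"]` array reaches WASM.isValidBlockType unchanged; decide whether that should be rejected or mapped to `[]`.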
 
@@ -77,14 +83,19 @@
 const [params, ret] = _normalizeFunctionSignature(type.params, type.ret);
 assert.isNotUndef(typeSection, `Can not add type if a type section is not present`);
 // Try reusing an equivalent type from the type section.
-types:
 for (let i = 0; i !== typeSection.data.length; ++i) {
+let shallowEqual = (a, b) => {
+if (a.length !== b.length)
+return false;
+for (let i = 0; i < a.length; ++i) {
+if (a[i] !== b[i])
+return false;
+}
+return true;
+};
+
 const t = typeSection.data[i];
-if (t.ret === ret && params.length === t.params.length) {
-for (let j = 0; j !== t.params.length; ++j) {
-  
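Review bot: `shallowEqual` is defined inside the `for` loop, so a fresh closure is created on every iteration; hoist it above the loop or to module scope. The labelled `types:` statement was removed, so make sure no `continue types;` or `break types;` remains in the rest of the loop body, which is cut off in this hunk.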

[webkit-changes] [287379] trunk

2021-12-22 Thread sbarati
Title: [287379] trunk

Revision 287379
Author sbar...@apple.com
Date 2021-12-22 17:12:14 -0800 (Wed, 22 Dec 2021)


Log Message
LLInt should loop OSR into BBQ and BBQ should loop OSR into OMG
https://bugs.webkit.org/show_bug.cgi?id=234542

Reviewed by Yusuke Suzuki.

JSTests:

* wasm/wast-tests/harness.js:

Source/_javascript_Core:

It's a startup perf improvement on some Wasm benchmarks I'm running to have
Wasm LLInt do loop OSR entry into BBQ instead of OMG. This improves this
benchmark by 5%. There is probably more perf to be had here. Currently,
we're just OSR entering into B3 BBQ O1. However, in the future, we should
just compile a single Air BBQ Callee that allows for OSR entry at loop
boundaries. Maybe we can model this using EntrySwitch without any real
harm to throughput.

* _javascript_Core.xcodeproj/project.pbxproj:
* Sources.txt:
* assembler/MacroAssemblerCodeRef.cpp:
(JSC::shouldDumpDisassemblyFor):
* jsc.cpp:
(JSC_DEFINE_HOST_FUNCTION):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::parseAndCompile):
* wasm/WasmCallee.h:
(JSC::Wasm::Callee::setOSREntryCallee): Deleted.
* wasm/WasmCalleeGroup.h:
* wasm/WasmCompilationMode.cpp:
(JSC::Wasm::makeString):
* wasm/WasmCompilationMode.h:
(JSC::Wasm::isOSREntry):
(JSC::Wasm::isAnyBBQ):
(JSC::Wasm::isAnyOMG):
* wasm/WasmOMGForOSREntryPlan.cpp: Removed.
* wasm/WasmOMGForOSREntryPlan.h: Removed.
* wasm/WasmOSREntryPlan.cpp: Copied from Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.cpp.
(JSC::Wasm::OSREntryPlan::OSREntryPlan):
(JSC::Wasm::OSREntryPlan::work):
(JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan): Deleted.
(JSC::Wasm::OMGForOSREntryPlan::work): Deleted.
* wasm/WasmOSREntryPlan.h: Copied from Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.h.
* wasm/WasmOperations.cpp:
(JSC::Wasm::doOSREntry):
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::updateCallSitesToCallUs):
* wasm/WasmSlowPaths.cpp:
(JSC::LLInt::WASM_SLOW_PATH_DECL):

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js
trunk/JSTests/wasm/wast-tests/harness.js
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
trunk/Source/_javascript_Core/Sources.txt
trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.cpp
trunk/Source/_javascript_Core/jsc.cpp
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmCallee.h
trunk/Source/_javascript_Core/wasm/WasmCalleeGroup.h
trunk/Source/_javascript_Core/wasm/WasmCompilationMode.cpp
trunk/Source/_javascript_Core/wasm/WasmCompilationMode.h
trunk/Source/_javascript_Core/wasm/WasmOperations.cpp
trunk/Source/_javascript_Core/wasm/WasmPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmSlowPaths.cpp


Added Paths

trunk/Source/_javascript_Core/wasm/WasmOSREntryPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmOSREntryPlan.h


Removed Paths

trunk/Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.h

Diff

Modified: trunk/JSTests/ChangeLog (287378 => 287379)

--- trunk/JSTests/ChangeLog	2021-12-23 00:49:44 UTC (rev 287378)
+++ trunk/JSTests/ChangeLog	2021-12-23 01:12:14 UTC (rev 287379)
@@ -1,3 +1,12 @@
+2021-12-22  Saam Barati  
+
+LLInt should loop OSR into BBQ and BBQ should loop OSR into OMG
+https://bugs.webkit.org/show_bug.cgi?id=234542
+
+Reviewed by Yusuke Suzuki.
+
+* wasm/wast-tests/harness.js:
+
 2021-12-19  Ross Kirsling  
 
 [JSC] OpPow should have a "small int exponent" fast path at lower tiers


Modified: trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js (287378 => 287379)

--- trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js	2021-12-23 00:49:44 UTC (rev 287378)
+++ trunk/JSTests/stress/callerIsOMGCompiled-should-be-robust.js	2021-12-23 01:12:14 UTC (rev 287379)
@@ -1,2 +1,2 @@
-setUnhandledRejectionCallback(callerIsOMGCompiled);
+setUnhandledRejectionCallback(callerIsBBQOrOMGCompiled);
 Promise.reject();


Modified: trunk/JSTests/wasm/wast-tests/harness.js (287378 => 287379)

--- trunk/JSTests/wasm/wast-tests/harness.js	2021-12-23 00:49:44 UTC (rev 287378)
+++ trunk/JSTests/wasm/wast-tests/harness.js	2021-12-23 01:12:14 UTC (rev 287379)
@@ -4,6 +4,7 @@
 };
 
 globalThis.__linear_memory = new WebAssembly.Memory({ initial: 1 });
+globalThis.callerIsOMGCompiled = callerIsBBQOrOMGCompiled; // Can't change the .wast easily...
 
 async function runWasmFile(filePath) {
 let blob = readFile(filePath, "binary");
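Review bot: `globalThis.callerIsOMGCompiled = callerIsBBQOrOMGCompiled` keeps the existing .wast tests running but silently weakens them: a check named for OMG now passes as soon as BBQ has compiled the caller. Turn the trailing comment into a FIXME with a bug number so the alias is removed once the .wast files are updated.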


Modified: trunk/Source/_javascript_Core/ChangeLog (287378 => 287379)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-23 00:49:44 UTC (rev 287378)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-23 01:12:14 UTC (rev 287379)
@@ -1,3 +1,52 @@
+2021-12-22  Saam Barati  
+
+LLInt should loop OSR into BBQ and BBQ should loop OSR into OMG
+

[webkit-changes] [287218] trunk/Source/JavaScriptCore

2021-12-17 Thread sbarati
Title: [287218] trunk/Source/_javascript_Core








Revision 287218
Author sbar...@apple.com
Date 2021-12-17 19:35:22 -0800 (Fri, 17 Dec 2021)


Log Message
Use IRC by default on arm64
https://bugs.webkit.org/show_bug.cgi?id=234449

Reviewed by Yusuke Suzuki.

I'm seeing a Wasm perf improvement on some benchmarks of ~12% by switching
from Briggs to IRC. Let's make IRC the default on arm64.

* b3/air/AirAllocateRegistersByGraphColoring.cpp:
* b3/air/AirAllocateRegistersByGraphColoring.h:
(JSC::B3::Air::useIRC): Deleted.

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp
trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (287217 => 287218)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-18 03:06:39 UTC (rev 287217)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-18 03:35:22 UTC (rev 287218)
@@ -1,5 +1,19 @@
 2021-12-17  Saam Barati  
 
+Use IRC by default on arm64
+https://bugs.webkit.org/show_bug.cgi?id=234449
+
+Reviewed by Yusuke Suzuki.
+
+I'm seeing a Wasm perf improvement on some benchmarks of ~12% by switching
+from Briggs to IRC. Let's make IRC the default on arm64.
+
+* b3/air/AirAllocateRegistersByGraphColoring.cpp:
+* b3/air/AirAllocateRegistersByGraphColoring.h:
+(JSC::B3::Air::useIRC): Deleted.
+
+2021-12-17  Saam Barati  
+
 Support WasmAddress in B3 CSE
 https://bugs.webkit.org/show_bug.cgi?id=234051
 


Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp (287217 => 287218)

--- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp	2021-12-18 03:06:39 UTC (rev 287217)
+++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.cpp	2021-12-18 03:35:22 UTC (rev 287218)
@@ -1815,6 +1815,10 @@
 return false;
 };
 
+auto useIRC = [] {
+return Options::airForceIRCAllocator() || !Options::airForceBriggsAllocator();
+};
+
 if (m_code.numTmps(bank) < WTF::maxSizeForSmallInterferenceGraph) {
 if (useIRC()) {
 ColoringAllocator allocator(m_code, m_tmpWidth, m_useCounts, unspillableTmps);
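Review bot: `return Options::airForceIRCAllocator() || !Options::airForceBriggsAllocator();` silently prefers IRC when both force options are set at once; consider an ASSERT that airForceIRCAllocator() and airForceBriggsAllocator() are not both true so a contradictory command line is reported rather than ignored. The lambda is also the only place the decision is made now, so a short comment saying that IRC is the default on every platform (the `!isARM64()` clause from the header is gone) would help the next reader.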


Modified: trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.h (287217 => 287218)

--- trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.h	2021-12-18 03:06:39 UTC (rev 287217)
+++ trunk/Source/_javascript_Core/b3/air/AirAllocateRegistersByGraphColoring.h	2021-12-18 03:35:22 UTC (rev 287218)
@@ -34,12 +34,6 @@
 
 class Code;
 
-inline bool useIRC()
-{
-return Options::airForceIRCAllocator()
-|| (!isARM64() && !Options::airForceBriggsAllocator());
-}
-
 // We have two register allocators, both fundamentally derived from Chaitin's Yorktown
 // allocator:
 // http://cs.gmu.edu/~white/CS640/p98-chaitin.pdf
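Review bot: deleting the inline `useIRC()` from this header is the actual behaviour change: the removed body defaulted arm64 to Briggs via `(!isARM64() && !Options::airForceBriggsAllocator())`, which the new lambda in the .cpp no longer does. That matches the log message, but since the function was public in the header, any other translation unit that called useIRC() will now fail to compile; the diff shows only the one caller in AirAllocateRegistersByGraphColoring.cpp, so confirm there are no others before landing.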






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [287203] trunk/Source/JavaScriptCore

2021-12-17 Thread sbarati
Title: [287203] trunk/Source/_javascript_Core








Revision 287203
Author sbar...@apple.com
Date 2021-12-17 13:05:42 -0800 (Fri, 17 Dec 2021)


Log Message
Support WasmAddress in B3 CSE
https://bugs.webkit.org/show_bug.cgi?id=234051


Reviewed by Filip Pizlo and Yusuke Suzuki.

This patch adds support in B3's CSE phase to handle WasmAddressValue computations.
The reason this can't partake in pure CSE is that WasmAddressValue reads pinned.
To support this, we keep track of which blocks write pinned. If we're trying to
replace a value V2 with V1 because it appears there is a redundancy, we check if
any paths from V1 to V2 write pinned. If none do, we proceed with the replacement.

* b3/B3EliminateCommonSubexpressions.cpp:
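The pinned-register check the log message describes, as an added example that is not JSC's code: a small CFG model in which V2 = WasmAddress(@x) may be replaced by an earlier V1 = WasmAddress(@x) only if no path from V1 to V2 writes pinned. The names Block, Value, path_writes_pinned, can_replace and example_cfg, and the diamond CFG, are this example's own constructions; it assumes V1's block dominates V2's block, as B3's CSE has already established at that point.

```python
"""Added example (not JSC code): model of the pinned-write check B3's CSE needs
before replacing WasmAddress(@x) at V2 with an earlier WasmAddress(@x) at V1.
WasmAddress reads the pinned register, so the replacement is only safe if no
path from V1 to V2 writes pinned. All names here are this example's own."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Value:
    name: str
    kind: str                    # "WasmAddress", "PinnedWrite" or "Other"
    child: Optional[str] = None  # WasmAddress only: the pointer it wraps


@dataclass
class Block:
    values: List[Value] = field(default_factory=list)
    succs: List[str] = field(default_factory=list)

    def writes_pinned(self, lo: int = 0, hi: Optional[int] = None) -> bool:
        """Block-level summary like B3's per-block writesPinned flag,
        restricted to values[lo:hi] so partial blocks can be checked."""
        return any(v.kind == "PinnedWrite" for v in self.values[lo:hi])


CFG = Dict[str, Block]
Loc = Tuple[str, int]  # (block name, index of the value in that block)


def path_writes_pinned(cfg: CFG, v1: Loc, v2: Loc) -> bool:
    """True if some path from V1 to V2 that does not re-execute V1 contains
    a pinned write. Assumes V1's block dominates V2's block."""
    b1, i1 = v1
    b2, i2 = v2
    if b1 == b2 and i1 < i2:
        # Straight-line case: only the values strictly between V1 and V2.
        return cfg[b1].writes_pinned(i1 + 1, i2)
    # The tail of V1's block after V1 and the head of V2's block before V2
    # lie on every such path.
    if cfg[b1].writes_pinned(i1 + 1) or cfg[b2].writes_pinned(0, i2):
        return True
    preds: Dict[str, List[str]] = {name: [] for name in cfg}
    for name, blk in cfg.items():
        for s in blk.succs:
            preds[s].append(name)
    # Walk backwards from V2's block and stop at V1's block: because V1
    # dominates V2, every block reached this way lies on a V1 -> V2 path.
    # Reaching V2's own block again means a loop that also runs its tail,
    # so its whole-block summary counts in that case.
    seen = set()
    work = deque(preds[b2])
    while work:
        name = work.popleft()
        if name == b1 or name in seen:
            continue
        seen.add(name)
        if cfg[name].writes_pinned():
            return True
        work.extend(preds[name])
    return False


def can_replace(cfg: CFG, v1: Loc, v2: Loc) -> bool:
    """CSE decision: V2 may become an identity of V1 when both are
    WasmAddress of the same pointer and no V1 -> V2 path writes pinned."""
    a = cfg[v1[0]].values[v1[1]]
    b = cfg[v2[0]].values[v2[1]]
    if a.kind != "WasmAddress" or b.kind != "WasmAddress" or a.child != b.child:
        return False
    return not path_writes_pinned(cfg, v1, v2)


def example_cfg(pinned_write_on_left: bool) -> CFG:
    """Constructed diamond: entry computes WasmAddress(@p), the left arm
    optionally writes pinned, and join recomputes WasmAddress(@p)."""
    left = [Value("w", "PinnedWrite")] if pinned_write_on_left else [Value("n", "Other")]
    return {
        "entry": Block([Value("p", "Other"), Value("a1", "WasmAddress", "p")],
                       ["left", "right"]),
        "left": Block(left, ["join"]),
        "right": Block([Value("m", "Other")], ["join"]),
        "join": Block([Value("a2", "WasmAddress", "p")], []),
    }


if __name__ == "__main__":
    for flag in (False, True):
        ok = can_replace(example_cfg(flag), ("entry", 1), ("join", 0))
        print(f"pinned write on left arm: {flag} -> replace a2 with a1: {ok}")
```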

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/B3EliminateCommonSubexpressions.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (287202 => 287203)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-17 20:55:28 UTC (rev 287202)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-17 21:05:42 UTC (rev 287203)
@@ -1,3 +1,19 @@
+2021-12-17  Saam Barati  
+
+Support WasmAddress in B3 CSE
+https://bugs.webkit.org/show_bug.cgi?id=234051
+
+
+Reviewed by Filip Pizlo and Yusuke Suzuki.
+
+This patch adds support in B3's CSE phase to handle WasmAddressValue computations.
+The reason this can't partake in pure CSE is that WasmAddressValue reads pinned.
+To support this, we keep track of which blocks write pinned. If we're trying to
+replace a value V2 with V1 because it appears there is a redundancy, we check if
+any paths from V1 to V2 write pinned. If none do, we proceed with the replacement.
+
+* b3/B3EliminateCommonSubexpressions.cpp:
+
 2021-12-17  Zan Dobersek  
 
 [RISCV64] Implement linking and patching support in RISCV64Assembler


Modified: trunk/Source/_javascript_Core/b3/B3EliminateCommonSubexpressions.cpp (287202 => 287203)

--- trunk/Source/_javascript_Core/b3/B3EliminateCommonSubexpressions.cpp	2021-12-17 20:55:28 UTC (rev 287202)
+++ trunk/Source/_javascript_Core/b3/B3EliminateCommonSubexpressions.cpp	2021-12-17 21:05:42 UTC (rev 287203)
@@ -42,6 +42,7 @@
 #include 
 #include 
 #include 
+#include 
 
 namespace JSC { namespace B3 {
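Review bot: the header name on the added `+#include` line (and on the surrounding context includes) has been stripped in this archive rendering, so the include cannot be checked here; the only new helper the patch introduces is makeScopeExit in processWasmAddressValue, so this is presumably the ScopeExit header. Verify against the repository rather than this page.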
 
@@ -144,10 +145,14 @@
 
 RangeSet reads; // This only gets used for forward store elimination.
 RangeSet writes; // This gets used for both load and store elimination.
-bool fence;
+bool fence { false };
+bool writesPinned { false };
 
 MemoryValueMap storesAtHead;
 MemoryValueMap memoryValuesAtTail;
+
+// This Maps x->y in "y = WasmAddress(@x)"
+HashMap m_candidateWasmAddressesAtTail;
 };
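Review bot: the new member is named `m_candidateWasmAddressesAtTail` while its siblings in the same per-block data struct (reads, writes, fence, storesAtHead, memoryValuesAtTail) carry no m_ prefix; drop the prefix for consistency. The HashMap template arguments are also missing in this rendering; from the comment `// This Maps x->y in "y = WasmAddress(@x)"` and the later `.add(wasmAddress->child(0), wasmAddress)` call, the key is presumably the pointer Value* and the mapped type the WasmAddressValue*, which is worth stating in the comment. Initialising `fence { false }` in-class is a good cleanup.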
 
 class CSE {
@@ -188,6 +193,14 @@
 
 if (memory)
 data.memoryValuesAtTail.add(memory);
+
+if (WasmAddressValue* wasmAddress = value->as())
+data.m_candidateWasmAddressesAtTail.add(wasmAddress->child(0), wasmAddress);
+
+if (effects.writesPinned) {
+data.writesPinned = true;
+data.m_candidateWasmAddressesAtTail.clear();
+}
 }
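Review bot: in this per-block pre-pass the candidate is registered via `data.m_candidateWasmAddressesAtTail.add(wasmAddress->child(0), wasmAddress)` before the `effects.writesPinned` check runs for the same value; that ordering is only correct because a WasmAddressValue never writes pinned itself. An ASSERT(!effects.writesPinned) inside the WasmAddressValue branch, or a one-line comment, would make the assumption explicit. Note that `effects` is referenced here but defined outside the hunk's context lines.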
 
 if (B3EliminateCommonSubexpressionsInternal::verbose)
@@ -237,15 +250,28 @@
 
 if (m_pureCSE.process(m_value, m_dominators)) {
 ASSERT(!m_value->effects().writes);
+ASSERT(!m_value->effects().writesPinned);
 m_changed = true;
 return;
 }
 
+if (WasmAddressValue* wasmAddress = m_value->as()) {
+processWasmAddressValue(wasmAddress);
+return;
+}
+
+Effects effects = m_value->effects();
+
+if (effects.writesPinned) {
+m_data.writesPinned = true;
+m_data.m_candidateWasmAddressesAtTail.clear();
+}
+
 MemoryValue* memory = m_value->as();
 if (memory && processMemoryBeforeClobber(memory))
 return;
 
-if (HeapRange writes = m_value->effects().writes)
+if (HeapRange writes = effects.writes)
 clobber(m_data, writes);
 
 if (memory)
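Review bot: `processWasmAddressValue(wasmAddress); return;` skips everything below it (the writesPinned update, processMemoryBeforeClobber and `clobber(m_data, writes)`). That is sound only if a WasmAddressValue has no heap writes, and nothing in this hunk asserts it; the pure-CSE path just above gained `ASSERT(!m_value->effects().writesPinned)`, so mirror that in the new branch with ASSERT(!wasmAddress->effects().writes) and ASSERT(!wasmAddress->effects().writesPinned).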
@@ -694,6 +720,59 @@
 return matches;
 }
 
+void processWasmAddressValue(WasmAddressValue* wasmAddress)
+{
+Value* ptr = wasmAddress->child(0);
+
+if (Value* replacement = m_data.m_candidateWasmAddressesAtTail.get(ptr)) {
+wasmAddress->replaceWithIdentity(replacement);
+m_changed = true;
+return;
+}
+
+auto addPtrOnScopeExit = makeScopeExit([&] {
+m_data.m_candidateWasmAddressesAtTail.add(ptr, wasmAddress);
+});
+
+if (m_data.writesPinned) {
+// Someone before us in this block wrote to pinned. So we have no
+// hope of finding a match if the above search failed.
+return;
+}
+
+Value* 
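Review bot: `addPtrOnScopeExit` registers ptr -> wasmAddress on every exit after the in-block lookup fails, including the `m_data.writesPinned` early return; that is intended (later WasmAddress values in this block may still match this one), but a one-line comment on the scope exit would stop a reader from assuming the early return also skips registration. The remainder of the function, which is where the cross-block "any path from V1 to V2 writes pinned" search from the log message must live, is cut off after `Value* ` on this archive page and cannot be reviewed here.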

[webkit-changes] [287160] trunk/Source/JavaScriptCore

2021-12-16 Thread sbarati
Title: [287160] trunk/Source/_javascript_Core








Revision 287160
Author sbar...@apple.com
Date 2021-12-16 15:30:22 -0800 (Thu, 16 Dec 2021)


Log Message
Use arm64's fmax/fmin instructions in Wasm
https://bugs.webkit.org/show_bug.cgi?id=234367

Reviewed by Keith Miller.

This patch adds support in B3 for FMax and FMin. We use this for Wasm's f32/64
min/max operations. On arm64, we select the arm64 fmin/fmax instructions
for these B3 opcodes. On x86, we lower these to control flow to calculate the
result inside of lower macros.

This speeds up Wasm programs that make heavy usage of min/max.

* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::floatMax):
(JSC::MacroAssemblerARM64::floatMin):
(JSC::MacroAssemblerARM64::doubleMax):
(JSC::MacroAssemblerARM64::doubleMin):
* b3/B3Common.h:
(JSC::B3::fMax):
(JSC::B3::fMin):
* b3/B3ConstDoubleValue.cpp:
(JSC::B3::ConstDoubleValue::fMinConstant const):
(JSC::B3::ConstDoubleValue::fMaxConstant const):
* b3/B3ConstDoubleValue.h:
* b3/B3ConstFloatValue.cpp:
(JSC::B3::ConstFloatValue::fMinConstant const):
(JSC::B3::ConstFloatValue::fMaxConstant const):
* b3/B3ConstFloatValue.h:
* b3/B3LowerMacros.cpp:
* b3/B3LowerToAir.cpp:
* b3/B3Opcode.cpp:
(WTF::printInternal):
* b3/B3Opcode.h:
* b3/B3ReduceStrength.cpp:
* b3/B3Validate.cpp:
* b3/B3Value.cpp:
(JSC::B3::Value::fMinConstant const):
(JSC::B3::Value::fMaxConstant const):
(JSC::B3::Value::effects const):
(JSC::B3::Value::key const):
(JSC::B3::Value::typeFor):
* b3/B3Value.h:
* b3/B3ValueInlines.h:
* b3/B3ValueKey.cpp:
(JSC::B3::ValueKey::materialize const):
* b3/air/AirOpcode.opcodes:
* b3/testb3.h:
* b3/testb3_1.cpp:
(run):
* b3/testb3_7.cpp:
(testFMaxMin):
(testFloatMaxMin):
(testDoubleMaxMin):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::addFloatingPointMinOrMax):
(JSC::Wasm::AirIRGenerator::addOp):
* wasm/wasm.json:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.h
trunk/Source/_javascript_Core/b3/B3Common.h
trunk/Source/_javascript_Core/b3/B3ConstDoubleValue.cpp
trunk/Source/_javascript_Core/b3/B3ConstDoubleValue.h
trunk/Source/_javascript_Core/b3/B3ConstFloatValue.cpp
trunk/Source/_javascript_Core/b3/B3ConstFloatValue.h
trunk/Source/_javascript_Core/b3/B3LowerMacros.cpp
trunk/Source/_javascript_Core/b3/B3LowerToAir.cpp
trunk/Source/_javascript_Core/b3/B3Opcode.cpp
trunk/Source/_javascript_Core/b3/B3Opcode.h
trunk/Source/_javascript_Core/b3/B3ReduceStrength.cpp
trunk/Source/_javascript_Core/b3/B3Validate.cpp
trunk/Source/_javascript_Core/b3/B3Value.cpp
trunk/Source/_javascript_Core/b3/B3Value.h
trunk/Source/_javascript_Core/b3/B3ValueInlines.h
trunk/Source/_javascript_Core/b3/B3ValueKey.cpp
trunk/Source/_javascript_Core/b3/air/AirOpcode.opcodes
trunk/Source/_javascript_Core/b3/testb3.h
trunk/Source/_javascript_Core/b3/testb3_1.cpp
trunk/Source/_javascript_Core/b3/testb3_7.cpp
trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp
trunk/Source/_javascript_Core/wasm/wasm.json




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (287159 => 287160)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-16 22:37:47 UTC (rev 287159)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-16 23:30:22 UTC (rev 287160)
@@ -1,3 +1,63 @@
+2021-12-16  Saam Barati  
+
+Use arm64's fmax/fmin instructions in Wasm
+https://bugs.webkit.org/show_bug.cgi?id=234367
+
+Reviewed by Keith Miller.
+
+This patch adds support in B3 for FMax and FMin. We use this for Wasm's f32/64
+min/max operations. On arm64, we select the arm64 fmin/fmax instructions
+for these B3 opcodes. On x86, we lower these to control flow to calculate the
+result inside of lower macros.
+
+This speeds up Wasm programs that make heavy usage of min/max.
+
+* assembler/MacroAssemblerARM64.h:
+(JSC::MacroAssemblerARM64::floatMax):
+(JSC::MacroAssemblerARM64::floatMin):
+(JSC::MacroAssemblerARM64::doubleMax):
+(JSC::MacroAssemblerARM64::doubleMin):
+* b3/B3Common.h:
+(JSC::B3::fMax):
+(JSC::B3::fMin):
+* b3/B3ConstDoubleValue.cpp:
+(JSC::B3::ConstDoubleValue::fMinConstant const):
+(JSC::B3::ConstDoubleValue::fMaxConstant const):
+* b3/B3ConstDoubleValue.h:
+* b3/B3ConstFloatValue.cpp:
+(JSC::B3::ConstFloatValue::fMinConstant const):
+(JSC::B3::ConstFloatValue::fMaxConstant const):
+* b3/B3ConstFloatValue.h:
+* b3/B3LowerMacros.cpp:
+* b3/B3LowerToAir.cpp:
+* b3/B3Opcode.cpp:
+(WTF::printInternal):
+* b3/B3Opcode.h:
+* b3/B3ReduceStrength.cpp:
+* b3/B3Validate.cpp:
+* b3/B3Value.cpp:
+(JSC::B3::Value::fMinConstant const):
+(JSC::B3::Value::fMaxConstant const):
+(JSC::B3::Value::effects const):
+(JSC::B3::Value::key const):
+(JSC::B3::Value::typeFor):
+* b3/B3Value.h:

[webkit-changes] [287012] trunk/Source/JavaScriptCore

2021-12-13 Thread sbarati
Title: [287012] trunk/Source/_javascript_Core








Revision 287012
Author sbar...@apple.com
Date 2021-12-13 23:07:39 -0800 (Mon, 13 Dec 2021)


Log Message
WasmB3IRGenerator should estimate static execution counts
https://bugs.webkit.org/show_bug.cgi?id=234284

Reviewed by Filip Pizlo.

This enables the register allocator to make better decisions.

* _javascript_Core.xcodeproj/project.pbxproj:
* Sources.txt:
* b3/B3BasicBlock.h:
(JSC::B3::BasicBlock::setFrequency):
* b3/B3EstimateStaticExecutionCounts.cpp: Added.
(JSC::B3::estimateStaticExecutionCounts):
* b3/B3EstimateStaticExecutionCounts.h: Added.
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompile):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
trunk/Source/_javascript_Core/Sources.txt
trunk/Source/_javascript_Core/b3/B3BasicBlock.h
trunk/Source/_javascript_Core/b3/B3Procedure.h
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp


Added Paths

trunk/Source/_javascript_Core/b3/B3EstimateStaticExecutionCounts.cpp
trunk/Source/_javascript_Core/b3/B3EstimateStaticExecutionCounts.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (287011 => 287012)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-14 04:55:38 UTC (rev 287011)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-14 07:07:39 UTC (rev 287012)
@@ -1,3 +1,22 @@
+2021-12-13  Saam Barati  
+
+WasmB3IRGenerator should estimate static execution counts
+https://bugs.webkit.org/show_bug.cgi?id=234284
+
+Reviewed by Filip Pizlo.
+
+This enables the register allocator to make better decisions.
+
+* _javascript_Core.xcodeproj/project.pbxproj:
+* Sources.txt:
+* b3/B3BasicBlock.h:
+(JSC::B3::BasicBlock::setFrequency):
+* b3/B3EstimateStaticExecutionCounts.cpp: Added.
+(JSC::B3::estimateStaticExecutionCounts):
+* b3/B3EstimateStaticExecutionCounts.h: Added.
+* wasm/WasmB3IRGenerator.cpp:
+(JSC::Wasm::parseAndCompile):
+
 2021-12-13  Brady Eidson  
 
 Teach webpushtool to register and "host" the daemon.
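Review bot: the entry omits b3/B3Procedure.h although this revision's Modified Paths lists trunk/Source/_javascript_Core/b3/B3Procedure.h; add the file (and the function or member it touches) to the ChangeLog.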


Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (287011 => 287012)

--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj	2021-12-14 04:55:38 UTC (rev 287011)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj	2021-12-14 07:07:39 UTC (rev 287012)
@@ -906,6 +906,8 @@
 		52CD0F5E2242F569004A18A5 /* _javascript_Core.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 932F5BD90822A1C700736975 /* _javascript_Core.framework */; };
 		52CD0F682242F71C004A18A5 /* testdfg.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 52CD0F672242F71C004A18A5 /* testdfg.cpp */; };
 		52DD000826E039B90054E408 /* BaselineJITCode.h in Headers */ = {isa = PBXBuildFile; fileRef = 52DD000626E039B30054E408 /* BaselineJITCode.h */; settings = {ATTRIBUTES = (Private, ); }; };
+		52E65A1C27682760002B4C0A /* B3EstimateStaticExecutionCounts.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 52E65A1A27682760002B4C0A /* B3EstimateStaticExecutionCounts.cpp */; };
+		52E65A1E27682771002B4C0A /* B3EstimateStaticExecutionCounts.h in Headers */ = {isa = PBXBuildFile; fileRef = 52E65A1B27682760002B4C0A /* B3EstimateStaticExecutionCounts.h */; };
 		52EED7942492B870008F4C93 /* FunctionAllowlist.h in Headers */ = {isa = PBXBuildFile; fileRef = 52EED7932492B868008F4C93 /* FunctionAllowlist.h */; };
 		52F6C35E1E71EB080081F4CC /* WebAssemblyWrapperFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 52F6C35C1E71EB080081F4CC /* WebAssemblyWrapperFunction.h */; };
 		530A66B91FA3E78B0026A545 /* UnifiedSource3-mm.mm in Sources */ = {isa = PBXBuildFile; fileRef = 530A66B11FA3E77A0026A545 /* UnifiedSource3-mm.mm */; };
@@ -3717,6 +3719,8 @@
 		52D1308F221CE03A009C836C /* foo.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode._javascript_; path = foo.js; sourceTree = ""; };
 		52DD000626E039B30054E408 /* BaselineJITCode.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = BaselineJITCode.h; sourceTree = ""; };
 		52DD000726E039B40054E408 /* BaselineJITCode.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = BaselineJITCode.cpp; sourceTree = ""; };
+		52E65A1A27682760002B4C0A /* B3EstimateStaticExecutionCounts.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = B3EstimateStaticExecutionCounts.cpp; path = b3/B3EstimateStaticExecutionCounts.cpp; sourceTree = ""; };
+		52E65A1B27682760002B4C0A /* B3EstimateStaticExecutionCounts.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3EstimateStaticExecutionCounts.h; path = b3/B3EstimateStaticExecutionCounts.h; sourceTree = ""; };
 		52EED7922492B868008F4C93 /* FunctionAllowlist.cpp */ = {isa = PBXFileReference; lastKnownFileType = 

[webkit-changes] [286920] trunk/Source/JavaScriptCore

2021-12-11 Thread sbarati
Title: [286920] trunk/Source/_javascript_Core








Revision 286920
Author sbar...@apple.com
Date 2021-12-11 16:39:57 -0800 (Sat, 11 Dec 2021)


Log Message
Teach the sampling profiler how to display origin data for B3 Wasm
https://bugs.webkit.org/show_bug.cgi?id=234097

Reviewed by Yusuke Suzuki.

This teaches the SamplingProfiler how to gather origin data for
Wasm. We reuse the PCToCodeOriginMap from JS, and store the wasm
function offset data inside of CodeOrigin's BytecodeIndex.

For now, this patch is only doing this for B3, because the Air backend
doesn't currently generate filled in OpcodeOrigin data. We'll fix that
in: https://bugs.webkit.org/show_bug.cgi?id=234182

Also, this capability isn't yet supported in Web Inspector. We'll want
to do that in a future change as we improve Web Inspector's ability to
debug Wasm code. When that time comes, we'll have to generate the
PCToCodeOriginMap based on debugging info, and not just 'useSamplingProfiler'
JSC option.

The data now shows up like this for hottest bytecodes:

Hottest bytecodes as 
   524'.wasm-function[2373]:OMG:0x21a'
   414'.wasm-function[2363]:OMG:0x1ae'
   395'.wasm-function[2373]:OMG:0x418'
   354'.wasm-function[2373]:OMG:0x34f'
   270'.wasm-function[2373]:OMG:0x352'
   256'.wasm-function[2363]:OMG:0x152'

* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* jit/PCToCodeOriginMap.cpp:
(JSC::PCToCodeOriginMapBuilder::PCToCodeOriginMapBuilder):
* jit/PCToCodeOriginMap.h:
* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::recordJITFrame):
(JSC::SamplingProfiler::processUnverifiedStackTraces):
(JSC::SamplingProfiler::reportTopBytecodes):
* runtime/SamplingProfiler.h:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::origin):
(JSC::Wasm::parseAndCompileAir):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::parseAndCompile):
(JSC::Wasm::computePCToCodeOriginMap):
* wasm/WasmB3IRGenerator.h:
(): Deleted.
* wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
(JSC::Wasm::BBQPlan::didCompleteCompilation):
(JSC::Wasm::BBQPlan::initializeCallees):
* wasm/WasmCalleeRegistry.h:
(JSC::Wasm::CalleeRegistry::unregisterCallee):
(JSC::Wasm::CalleeRegistry::addPCToCodeOriginMap):
(JSC::Wasm::CalleeRegistry::WTF_REQUIRES_LOCK):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* wasm/WasmOpcodeOrigin.h:
(JSC::Wasm::OpcodeOrigin::OpcodeOrigin):

Modified Paths

trunk/Source/_javascript_Core/CMakeLists.txt
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/ftl/FTLCompile.cpp
trunk/Source/_javascript_Core/jit/PCToCodeOriginMap.cpp
trunk/Source/_javascript_Core/jit/PCToCodeOriginMap.h
trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp
trunk/Source/_javascript_Core/runtime/SamplingProfiler.h
trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.h
trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h
trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmOpcodeOrigin.h




Diff

Modified: trunk/Source/_javascript_Core/CMakeLists.txt (286919 => 286920)

--- trunk/Source/_javascript_Core/CMakeLists.txt	2021-12-12 00:38:08 UTC (rev 286919)
+++ trunk/Source/_javascript_Core/CMakeLists.txt	2021-12-12 00:39:57 UTC (rev 286920)
@@ -878,6 +878,7 @@
 jit/JITOperations.h
 jit/JITStubRoutine.h
 jit/JITThunks.h
+jit/PCToCodeOriginMap.h
 jit/PolymorphicCallStubRoutine.h
 jit/Reg.h
 jit/RegisterAtOffset.h


Modified: trunk/Source/_javascript_Core/ChangeLog (286919 => 286920)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-12 00:38:08 UTC (rev 286919)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-12 00:39:57 UTC (rev 286920)
@@ -1,3 +1,66 @@
+2021-12-11  Saam Barati  
+
+Teach the sampling profiler how to display origin data for B3 Wasm
+https://bugs.webkit.org/show_bug.cgi?id=234097
+
+Reviewed by Yusuke Suzuki.
+
+This teaches the SamplingProfiler how to gather origin data for
+Wasm. We reuse the PCToCodeOriginMap from JS, and store the wasm
+function offset data inside of CodeOrigin's BytecodeIndex.
+
+For now, this patch is only doing this for B3, because the Air backend
+doesn't currently generate filled in OpcodeOrigin data. We'll fix that
+in: https://bugs.webkit.org/show_bug.cgi?id=234182
+
+Also, this capability isn't yet supported in Web Inspector. We'll want
+to do that in a future change as we improve Web Inspector's ability to
+debug Wasm code. When that time comes, we'll have to generate the
+PCToCodeOriginMap based on debugging info, and not just 'useSamplingProfiler'
+JSC option.
+
+The data now shows up like this for hottest bytecodes:
+
+Hottest bytecodes as 
+   524'.wasm-function[2373]:OMG:0x21a'
+   

[webkit-changes] [286802] trunk/Source/JavaScriptCore

2021-12-09 Thread sbarati
Title: [286802] trunk/Source/_javascript_Core








Revision 286802
Author sbar...@apple.com
Date 2021-12-09 13:49:45 -0800 (Thu, 09 Dec 2021)


Log Message
Procedure::setNeedsPCToOriginMap should call Code::forcePreservationOfB3Origins
https://bugs.webkit.org/show_bug.cgi?id=234093

Reviewed by Yusuke Suzuki.

We need to do this to ensure the sampling profiler works in FTL.
The reason this was sometimes working was Air::Code's constructor
was looking at Procedure's m_needsPCToOriginMap before it was initialized,
in its constructor. This is because Procedure was constructing Code
before all its fields were initialized. This patch fixes that bug to
construct Code after Procedure has all its fields initialized.

* b3/B3Procedure.cpp:
(JSC::B3::Procedure::Procedure):
(JSC::B3::Procedure::setNeedsPCToOriginMap):
* b3/B3Procedure.h:
(JSC::B3::Procedure::setNeedsPCToOriginMap): Deleted.

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/B3Procedure.cpp
trunk/Source/_javascript_Core/b3/B3Procedure.h
trunk/Source/_javascript_Core/b3/air/AirCode.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (286801 => 286802)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-09 21:28:22 UTC (rev 286801)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-09 21:49:45 UTC (rev 286802)
@@ -1,5 +1,25 @@
 2021-12-09  Saam Barati  
 
+Procedure::setNeedsPCToOriginMap should call Code::forcePreservationOfB3Origins
+https://bugs.webkit.org/show_bug.cgi?id=234093
+
+Reviewed by Yusuke Suzuki.
+
+We need to do this to ensure the sampling profiler works in FTL.
+The reason this was sometimes working was Air::Code's constructor
+was looking at Procedure's m_needsPCToOriginMap before it was initialized,
+in its constructor. This is because Procedure was constructing Code
+before all its fields were initialized. This patch fixes that bug to
+construct Code after Procedure has all its fields initialized.
+
+* b3/B3Procedure.cpp:
+(JSC::B3::Procedure::Procedure):
+(JSC::B3::Procedure::setNeedsPCToOriginMap):
+* b3/B3Procedure.h:
+(JSC::B3::Procedure::setNeedsPCToOriginMap): Deleted.
+
+2021-12-09  Saam Barati  
+
 Add an option to dump the B3 IR for an allowlist of Wasm function indices
 https://bugs.webkit.org/show_bug.cgi?id=234028
 


Modified: trunk/Source/_javascript_Core/b3/B3Procedure.cpp (286801 => 286802)

--- trunk/Source/_javascript_Core/b3/B3Procedure.cpp	2021-12-09 21:28:22 UTC (rev 286801)
+++ trunk/Source/_javascript_Core/b3/B3Procedure.cpp	2021-12-09 21:49:45 UTC (rev 286802)
@@ -48,8 +48,10 @@
 : m_cfg(new CFG(*this))
 , m_lastPhaseName("initial")
 , m_byproducts(makeUnique())
-, m_code(new Air::Code(*this))
 {
+// Initialize all our fields before constructing Air::Code since
+// it looks into our fields.
+m_code = std::unique_ptr(new Air::Code(*this));
 m_code->setNumEntrypoints(m_numEntrypoints);
 }
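Review bot: `m_code = std::unique_ptr(new Air::Code(*this));` could be written with makeUnique like the `m_byproducts(makeUnique())` initializer two lines above (the template arguments are blank in this rendering, so check the real line). The comment explains the ordering fix well; since the AirCode.cpp hunk below also removes the `proc.needsPCToOriginMap()` read from Code's constructor, the reordering becomes a defensive measure against future constructor-time reads rather than a hard requirement, and the comment could say so.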
 
@@ -486,6 +488,12 @@
 m_code->forcePreservationOfB3Origins();
 }
 
+void Procedure::setNeedsPCToOriginMap()
+{ 
+m_needsPCToOriginMap = true;
+m_code->forcePreservationOfB3Origins();
+}
+
 } } // namespace JSC::B3
 
 #endif // ENABLE(B3_JIT)
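Review bot: trailing whitespace after the opening brace of `Procedure::setNeedsPCToOriginMap()` (`{ `). The body repeats the `m_code->forcePreservationOfB3Origins()` call of the function directly above; that is fine, but a comment explaining why the setter must now go through Code (Code no longer reads the flag when it is constructed) would record the contract for the next person who touches either function.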


Modified: trunk/Source/_javascript_Core/b3/B3Procedure.h (286801 => 286802)

--- trunk/Source/_javascript_Core/b3/B3Procedure.h	2021-12-09 21:28:22 UTC (rev 286801)
+++ trunk/Source/_javascript_Core/b3/B3Procedure.h	2021-12-09 21:49:45 UTC (rev 286802)
@@ -275,7 +275,7 @@
 JS_EXPORT_PRIVATE RegisterSet mutableGPRs();
 JS_EXPORT_PRIVATE RegisterSet mutableFPRs();
 
-void setNeedsPCToOriginMap() { m_needsPCToOriginMap = true; }
+void setNeedsPCToOriginMap();
 bool needsPCToOriginMap() { return m_needsPCToOriginMap; }
 
 JS_EXPORT_PRIVATE void freeUnneededB3ValuesAfterLowering();
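Review bot: the new out-of-line declaration `void setNeedsPCToOriginMap();` has no JS_EXPORT_PRIVATE, unlike the neighbouring mutableGPRs()/mutableFPRs() declarations; the old inline body did not need one. If any caller outside the JavaScriptCore library (the testb3 binary, for example) uses it, it will fail to link on platforms where the attribute matters, so either export it or confirm all callers are internal.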


Modified: trunk/Source/_javascript_Core/b3/air/AirCode.cpp (286801 => 286802)

--- trunk/Source/_javascript_Core/b3/air/AirCode.cpp	2021-12-09 21:28:22 UTC (rev 286801)
+++ trunk/Source/_javascript_Core/b3/air/AirCode.cpp	2021-12-09 21:49:45 UTC (rev 286802)
@@ -56,7 +56,7 @@
 Code::Code(Procedure& proc)
 : m_proc(proc)
 , m_cfg(new CFG(*this))
-, m_preserveB3Origins(proc.needsPCToOriginMap() || Options::dumpAirGraphAtEachPhase() || Options::dumpFTLDisassembly())
+, m_preserveB3Origins(Options::dumpAirGraphAtEachPhase() || Options::dumpFTLDisassembly())
 , m_lastPhaseName("initial")
 , m_defaultPrologueGenerator(createSharedTask())
 {
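Review bot: dropping `proc.needsPCToOriginMap()` from the m_preserveB3Origins initializer means B3 origin preservation now depends entirely on Procedure::setNeedsPCToOriginMap() being called after Code exists; any path that sets m_needsPCToOriginMap some other way would silently lose origins. The header hunk above turns the only visible writer, the old inline setter, into the out-of-line version that calls forcePreservationOfB3Origins(), so the shown code is covered; a comment at this initializer pointing at that contract would help keep it that way.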








[webkit-changes] [286790] trunk/Source/JavaScriptCore

2021-12-09 Thread sbarati
Title: [286790] trunk/Source/_javascript_Core








Revision 286790
Author sbar...@apple.com
Date 2021-12-09 11:07:58 -0800 (Thu, 09 Dec 2021)


Log Message
Add an option to dump the B3 IR for an allowlist of Wasm function indices
https://bugs.webkit.org/show_bug.cgi?id=234028

Reviewed by Tadeu Zagallo.

* b3/B3Common.cpp:
(JSC::B3::shouldDumpIR):
* b3/B3Common.h:
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* b3/B3Procedure.cpp:
(JSC::B3::Procedure::dump const):
(JSC::B3::Procedure::setShouldDumpIR):
* b3/B3Procedure.h:
(JSC::B3::Procedure::shouldDumpIR const):
* b3/air/AirGenerate.cpp:
(JSC::B3::Air::prepareForGeneration):
* b3/testb3.h:
(shouldBeVerbose):
(lowerToAirForTesting):
* b3/testb3_6.cpp:
(testInterpreter):
(testMoveConstants):
* b3/testb3_7.cpp:
(testReduceStrengthReassociation):
* runtime/OptionsList.h:
* tools/FunctionAllowlist.cpp:
(JSC::FunctionAllowlist::shouldDumpWasmFunction const):
* tools/FunctionAllowlist.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::shouldDumpIRFor):
(JSC::Wasm::parseAndCompile):
* wasm/WasmOMGForOSREntryPlan.cpp:
(JSC::Wasm::OMGForOSREntryPlan::work):
* wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/B3Common.cpp
trunk/Source/_javascript_Core/b3/B3Common.h
trunk/Source/_javascript_Core/b3/B3Generate.cpp
trunk/Source/_javascript_Core/b3/B3Procedure.cpp
trunk/Source/_javascript_Core/b3/B3Procedure.h
trunk/Source/_javascript_Core/b3/air/AirGenerate.cpp
trunk/Source/_javascript_Core/b3/testb3.h
trunk/Source/_javascript_Core/b3/testb3_6.cpp
trunk/Source/_javascript_Core/b3/testb3_7.cpp
trunk/Source/_javascript_Core/runtime/OptionsList.h
trunk/Source/_javascript_Core/tools/FunctionAllowlist.cpp
trunk/Source/_javascript_Core/tools/FunctionAllowlist.h
trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
trunk/Source/_javascript_Core/wasm/WasmOMGForOSREntryPlan.cpp
trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (286789 => 286790)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-09 19:01:10 UTC (rev 286789)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-09 19:07:58 UTC (rev 286790)
@@ -1,3 +1,42 @@
+2021-12-09  Saam Barati  
+
+Add an option to dump the B3 IR for an allowlist of Wasm function indices
+https://bugs.webkit.org/show_bug.cgi?id=234028
+
+Reviewed by Tadeu Zagallo.
+
+* b3/B3Common.cpp:
+(JSC::B3::shouldDumpIR):
+* b3/B3Common.h:
+* b3/B3Generate.cpp:
+(JSC::B3::generateToAir):
+* b3/B3Procedure.cpp:
+(JSC::B3::Procedure::dump const):
+(JSC::B3::Procedure::setShouldDumpIR):
+* b3/B3Procedure.h:
+(JSC::B3::Procedure::shouldDumpIR const):
+* b3/air/AirGenerate.cpp:
+(JSC::B3::Air::prepareForGeneration):
+* b3/testb3.h:
+(shouldBeVerbose):
+(lowerToAirForTesting):
+* b3/testb3_6.cpp:
+(testInterpreter):
+(testMoveConstants):
+* b3/testb3_7.cpp:
+(testReduceStrengthReassociation):
+* runtime/OptionsList.h:
+* tools/FunctionAllowlist.cpp:
+(JSC::FunctionAllowlist::shouldDumpWasmFunction const):
+* tools/FunctionAllowlist.h:
+* wasm/WasmB3IRGenerator.cpp:
+(JSC::Wasm::shouldDumpIRFor):
+(JSC::Wasm::parseAndCompile):
+* wasm/WasmOMGForOSREntryPlan.cpp:
+(JSC::Wasm::OMGForOSREntryPlan::work):
+* wasm/WasmOMGPlan.cpp:
+(JSC::Wasm::OMGPlan::work):
+
 2021-12-09  Yusuke Suzuki  
 
 [JSC] Introduce BaselineCallLinkInfo and OptimizingCallLinkInfo to shrink sizeof(BaselineCallLinkInfo)


Modified: trunk/Source/_javascript_Core/b3/B3Common.cpp (286789 => 286790)

--- trunk/Source/_javascript_Core/b3/B3Common.cpp	2021-12-09 19:01:10 UTC (rev 286789)
+++ trunk/Source/_javascript_Core/b3/B3Common.cpp	2021-12-09 19:07:58 UTC (rev 286790)
@@ -36,8 +36,11 @@
 
 const char* const tierName = "b3  ";
 
-bool shouldDumpIR(B3CompilationMode mode)
+bool shouldDumpIR(Procedure& procedure, B3CompilationMode mode)
 {
+if (procedure.shouldDumpIR())
+return true;
+
 #if ENABLE(FTL_JIT)
 return FTL::verboseCompilationEnabled() || FTL::shouldDumpDisassembly() || shouldDumpIRAtEachPhase(mode);
 #else
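Review bot: `shouldDumpIR(Procedure& procedure, B3CompilationMode mode)` takes a non-const reference although it only calls `procedure.shouldDumpIR()`, which the ChangeLog lists as `Procedure::shouldDumpIR const`; take `const Procedure&` here and in B3Common.h so callers holding a const procedure can use it. The new early return sits before the `#if ENABLE(FTL_JIT)` branch, so it applies in both configurations, which is what the allowlist option needs.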


Modified: trunk/Source/_javascript_Core/b3/B3Common.h (286789 => 286790)

--- trunk/Source/_javascript_Core/b3/B3Common.h	2021-12-09 19:01:10 UTC (rev 286789)
+++ trunk/Source/_javascript_Core/b3/B3Common.h	2021-12-09 19:07:58 UTC (rev 286790)
@@ -34,6 +34,8 @@
 
 namespace JSC { namespace B3 {
 
+class Procedure;
+
 extern const char* const tierName;
 
 enum B3CompilationMode {
@@ -41,7 +43,7 @@
 AirMode
 };
 
-JS_EXPORT_PRIVATE bool shouldDumpIR(B3CompilationMode);
+JS_EXPORT_PRIVATE bool shouldDumpIR(Procedure&, B3CompilationMode);
 bool shouldDumpIRAtEachPhase(B3CompilationMode);
 bool shouldValidateIR();
 bool 

[webkit-changes] [286639] trunk

2021-12-07 Thread sbarati
Title: [286639] trunk








Revision 286639
Author sbar...@apple.com
Date 2021-12-07 19:59:13 -0800 (Tue, 07 Dec 2021)


Log Message
TypedArray prototype set should go down the fast path when using non clamped integer types of the same byte size
https://bugs.webkit.org/show_bug.cgi?id=233905

Reviewed by Keith Miller.

JSTests:

* microbenchmarks/typed-array-prototype-set.js: Added.
* microbenchmarks/typed-array-prototype-set-order.js: Added.
* stress/typed-array-prototype-set.js: Added.

Source/_javascript_Core:

We can use memmove in this scenario because the bitpattern of the
data between the signed and unsigned values will be the same.

This patch also fixes a bug where we were looking at the wrong
pointer when determining to do a forward or backwards loop in
our memmove. We were looking at the vector instead of vector+offset.

* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView::set):

LayoutTests:

* js/script-tests/typedarray-set-overlapping-elements-of-same-size.js:
* js/typedarray-set-overlapping-elements-of-same-size-expected.txt:

Modified Paths

trunk/JSTests/ChangeLog
trunk/LayoutTests/ChangeLog
trunk/LayoutTests/js/script-tests/typedarray-set-overlapping-elements-of-same-size.js
trunk/LayoutTests/js/typedarray-set-overlapping-elements-of-same-size-expected.txt
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h


Added Paths

trunk/JSTests/microbenchmarks/typed-array-prototype-set.js
trunk/JSTests/stress/typed-array-prototype-set-order.js
trunk/JSTests/stress/typed-array-prototype-set.js




Diff

Modified: trunk/JSTests/ChangeLog (286638 => 286639)

--- trunk/JSTests/ChangeLog	2021-12-08 02:49:51 UTC (rev 286638)
+++ trunk/JSTests/ChangeLog	2021-12-08 03:59:13 UTC (rev 286639)
@@ -1,3 +1,14 @@
+2021-12-07  Saam Barati  
+
+TypedArray prototype set should go down the fast path when using non clamped integer types of the same byte size
+https://bugs.webkit.org/show_bug.cgi?id=233905
+
+Reviewed by Keith Miller.
+
+* microbenchmarks/typed-array-prototype-set.js: Added.
+* microbenchmarks/typed-array-prototype-set-order.js: Added.
+* stress/typed-array-prototype-set.js: Added.
+
 2021-12-02  Yusuke Suzuki  
 
 [JSC] shell's $.globalObjectFor is not safe for non object cells


Added: trunk/JSTests/microbenchmarks/typed-array-prototype-set.js (0 => 286639)

--- trunk/JSTests/microbenchmarks/typed-array-prototype-set.js	(rev 0)
+++ trunk/JSTests/microbenchmarks/typed-array-prototype-set.js	2021-12-08 03:59:13 UTC (rev 286639)
@@ -0,0 +1,46 @@
+function test() {
+let x = new Int8Array(1);
+let y = new Uint8Array(1);
+for (let i = 0; i < x.length; ++i)
+x[i] = i;
+for (let i = 0; i < 500; ++i)
+y.set(x);
+for (let i = 0; i < 500; ++i)
+x.set(y);
+}
+
+function test2() {
+let x = new Int16Array(1);
+let y = new Uint16Array(1);
+for (let i = 0; i < x.length; ++i)
+x[i] = i;
+for (let i = 0; i < 500; ++i)
+y.set(x);
+for (let i = 0; i < 500; ++i)
+x.set(y);
+}
+
+function test3() {
+let x = new Int32Array(1);
+let y = new Uint32Array(1);
+for (let i = 0; i < x.length; ++i)
+x[i] = i;
+for (let i = 0; i < 500; ++i)
+y.set(x);
+for (let i = 0; i < 500; ++i)
+x.set(y);
+}
+
+function test4() {
+let x = new Uint8ClampedArray(1);
+let y = new Int8Array(1);
+for (let i = 0; i < x.length; ++i)
+x[i] = i;
+for (let i = 0; i < 500; ++i)
+y.set(x);
+}
+
+test();
+test2();
+test3();
+test4();
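Review bot: test4 copies a Uint8ClampedArray into an Int8Array, which the change title excludes from the fast path ("non clamped"); a one-line comment marking it as the deliberate slow-path comparison would stop a reader assuming it was meant to hit memmove. As written every array has a single element (`new Int8Array(1)` and friends), so the 500 `set` calls per test measure call overhead rather than copy throughput; if that is the intent, say so, otherwise size the arrays so the memmove dominates.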


Added: trunk/JSTests/stress/typed-array-prototype-set-order.js (0 => 286639)

--- trunk/JSTests/stress/typed-array-prototype-set-order.js	(rev 0)
+++ trunk/JSTests/stress/typed-array-prototype-set-order.js	2021-12-08 03:59:13 UTC (rev 286639)
@@ -0,0 +1,13 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function foo(n) {
+var array = new Uint8ClampedArray(n + 1);
+for (var i = 0; i < n; ++i)
+array[i] = 42 + i;
+array.set(new Int8Array(array.buffer, 0, n), 1);
+return array;
+}
+assert(foo(10).toString() === "42,42,43,44,45,46,47,48,49,50,51");
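Review bot: the test pairs a Uint8ClampedArray destination with an Int8Array source, and the change title limits the memmove path to non-clamped types, so it is not obvious that this exercises the forward/backward loop fix the commit message describes (the `vector` versus `vector + offset` check). Add a second case with a non-clamped pair over the same buffer, for example a Uint8Array view set into a Uint8Array at offset 1, and a comment stating which path each case is meant to hit; the values 42..51 stay within 0..127, so the Int8 view reads them unchanged, which is fine for an order test.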


Added: trunk/JSTests/stress/typed-array-prototype-set.js (0 => 286639)

--- trunk/JSTests/stress/typed-array-prototype-set.js	(rev 0)
+++ trunk/JSTests/stress/typed-array-prototype-set.js	2021-12-08 03:59:13 UTC (rev 286639)
@@ -0,0 +1,67 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function test1() {
+let x = new Int8Array(1);
+let y = new Uint8Array(1);
+x[0] = -1;
+y.set(x);
+assert(y[0] === 255);
+}
+test1();
+
+function test2() {
+let x = new Int8Array(1);
+let y = new Uint8Array(1);
+y[0] = 255;
+x.set(y);
+assert(x[0] === -1);
+}
+test2();
+
+function test3() {
+

[webkit-changes] [286471] trunk/Source/JavaScriptCore

2021-12-02 Thread sbarati
Title: [286471] trunk/Source/_javascript_Core

Revision 286471
Author sbar...@apple.com
Date 2021-12-02 18:06:24 -0800 (Thu, 02 Dec 2021)


Log Message
Lower structureHeapAddressSize on more memory limited ARM64 devices
https://bugs.webkit.org/show_bug.cgi?id=233786


Reviewed by Yusuke Suzuki.

Some processes using JSC are failing the mmap for the 1GB region.
Let's lower the region size to 512MB on lower memory iOS devices.

* runtime/JSCConfig.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSCConfig.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (286470 => 286471)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-03 01:42:15 UTC (rev 286470)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-03 02:06:24 UTC (rev 286471)
@@ -1,5 +1,18 @@
 2021-12-02  Saam Barati  
 
+Lower structureHeapAddressSize on more memory limited ARM64 devices
+https://bugs.webkit.org/show_bug.cgi?id=233786
+
+
+Reviewed by Yusuke Suzuki.
+
+Some processes using JSC are failing the mmap for the 1GB region.
+Let's lower the region size to 512MB on lower memory iOS devices.
+
+* runtime/JSCConfig.h:
+
+2021-12-02  Saam Barati  
+
 Fix OOM crash in JSValue::toWTFStringForConsole
 https://bugs.webkit.org/show_bug.cgi?id=233775
 


Modified: trunk/Source/_javascript_Core/runtime/JSCConfig.h (286470 => 286471)

--- trunk/Source/_javascript_Core/runtime/JSCConfig.h	2021-12-03 01:42:15 UTC (rev 286470)
+++ trunk/Source/_javascript_Core/runtime/JSCConfig.h	2021-12-03 02:06:24 UTC (rev 286471)
@@ -40,7 +40,11 @@
 using JITWriteSeparateHeapsFunction = void (*)(off_t, const void*, size_t);
 #endif
 
+#if PLATFORM(IOS_FAMILY) && CPU(ARM64) && !CPU(ARM64E)
+constexpr uintptr_t structureHeapAddressSize = 512 * MB;
+#else
 constexpr uintptr_t structureHeapAddressSize = 1 * GB;
+#endif
 
 struct Config {
 static Config& singleton();
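Review bot: the `#if PLATFORM(IOS_FAMILY) && CPU(ARM64) && !CPU(ARM64E)` condition uses the ISA variant as a proxy for the "lower memory iOS devices" named in the log message, and the code does not say so; add a comment stating that intent so the condition is not read as an ARM64E-specific requirement. Since structureHeapAddressSize now has two values, check that anything deriving masks or bit counts from the structure heap size takes them from this constant rather than from an assumed 1 GB.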






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [286462] trunk

2021-12-02 Thread sbarati
Title: [286462] trunk

Revision 286462
Author sbar...@apple.com
Date 2021-12-02 16:12:52 -0800 (Thu, 02 Dec 2021)


Log Message
Fix OOM crash in JSValue::toWTFStringForConsole
https://bugs.webkit.org/show_bug.cgi?id=233775


Reviewed by Mark Lam.

JSTests:

* stress/pretty-print-oom.js: Added.

Source/_javascript_Core:

* runtime/JSCJSValue.cpp:
(JSC::JSValue::toWTFStringForConsole const):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp


Added Paths

trunk/JSTests/stress/pretty-print-oom.js




Diff

Modified: trunk/JSTests/ChangeLog (286461 => 286462)

--- trunk/JSTests/ChangeLog	2021-12-02 23:49:57 UTC (rev 286461)
+++ trunk/JSTests/ChangeLog	2021-12-03 00:12:52 UTC (rev 286462)
@@ -1,3 +1,13 @@
+2021-12-02  Saam Barati  
+
+Fix OOM crash in JSValue::toWTFStringForConsole
+https://bugs.webkit.org/show_bug.cgi?id=233775
+
+
+Reviewed by Mark Lam.
+
+* stress/pretty-print-oom.js: Added.
+
 2021-11-30  Saam Barati  
 
 GetMyArgumentByValOutOfBounds needs to check for negative indices


Added: trunk/JSTests/stress/pretty-print-oom.js (0 => 286462)

--- trunk/JSTests/stress/pretty-print-oom.js	(rev 0)
+++ trunk/JSTests/stress/pretty-print-oom.js	2021-12-03 00:12:52 UTC (rev 286462)
@@ -0,0 +1,4 @@
+//@ skip if $memoryLimited
+//@ runNoisyTestDefault
+
+prettyPrint('a'.repeat(2 ** 31 - 1));
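Review bot: the test only reaches the fixed code if `'a'.repeat(2 ** 31 - 1)` itself succeeds and the allocation failure happens inside prettyPrint; add a comment stating that expected failure point and what `runNoisyTestDefault` and the `$memoryLimited` skip are compensating for, so that a platform where `repeat` throws first is recognised as not exercising the fix.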


Modified: trunk/Source/_javascript_Core/ChangeLog (286461 => 286462)

--- trunk/Source/_javascript_Core/ChangeLog	2021-12-02 23:49:57 UTC (rev 286461)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-12-03 00:12:52 UTC (rev 286462)
@@ -1,3 +1,14 @@
+2021-12-02  Saam Barati  
+
+Fix OOM crash in JSValue::toWTFStringForConsole
+https://bugs.webkit.org/show_bug.cgi?id=233775
+
+
+Reviewed by Mark Lam.
+
+* runtime/JSCJSValue.cpp:
+(JSC::JSValue::toWTFStringForConsole const):
+
 2021-12-02  Zan Dobersek  
 
 [RISCV64] Fix effective address loading for LabelReferences with offsets


Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp (286461 => 286462)

--- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp	2021-12-02 23:49:57 UTC (rev 286461)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp	2021-12-03 00:12:52 UTC (rev 286462)
@@ -474,9 +474,9 @@
 String result = string->value(globalObject);
 RETURN_IF_EXCEPTION(scope, { });
 if (isString())
-return makeString("\"", result, "\"");
+return tryMakeString("\"", result, "\"");
 if (jsDynamicCast(vm, *this))
-return makeString("[", result, "]");
+return tryMakeString("[", result, "]");
 return result;
 }
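Review bot: tryMakeString returns a null String when the allocation fails, so this hunk turns the OOM crash into a null return from toWTFStringForConsole; the visible change does not show callers handling that, so either document that the result may be null on allocation failure or check the result here and return a fallback (the unquoted `result`, or an empty string) instead of propagating null.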
 








[webkit-changes] [286312] trunk

2021-11-30 Thread sbarati
Title: [286312] trunk

Revision 286312
Author sbar...@apple.com
Date 2021-11-30 12:00:44 -0800 (Tue, 30 Nov 2021)


Log Message
GetMyArgumentByValOutOfBounds needs to check for negative indices
https://bugs.webkit.org/show_bug.cgi?id=232966


Reviewed by Yusuke Suzuki.

JSTests:

* get-my-argument-by-val-negative-1.js: Added.
* get-my-argument-by-val-negative-2.js: Added.
* get-my-argument-by-val-negative-3.js: Added.

Source/_javascript_Core:

Negative indices inside of GetMyArgumentByValOutOfBounds would cause
us to have the resulting value be undefined, instead of a full-blown
lookup that properly consults the prototype chain and such. The reason for
this is that negative indices would show up as "out of bounds", which would
lead this node to result in undefined. But negative indices really should
be treated as string property names, and can't be treated like normal
out-of-bounds positive integers.

This patch makes it so we speculate that we don't see negative indices. If
we do see negative indices, we stop performing the transformation inside
of arguments elimination so we don't end up in an OSR exit loop.

* dfg/DFGArgumentsEliminationPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp


Added Paths

trunk/JSTests/get-my-argument-by-val-negative-1.js
trunk/JSTests/get-my-argument-by-val-negative-2.js
trunk/JSTests/get-my-argument-by-val-negative-3.js




Diff

Modified: trunk/JSTests/ChangeLog (286311 => 286312)

--- trunk/JSTests/ChangeLog	2021-11-30 19:52:28 UTC (rev 286311)
+++ trunk/JSTests/ChangeLog	2021-11-30 20:00:44 UTC (rev 286312)
@@ -1,3 +1,15 @@
+2021-11-30  Saam Barati  
+
+GetMyArgumentByValOutOfBounds needs to check for negative indices
+https://bugs.webkit.org/show_bug.cgi?id=232966
+
+
+Reviewed by Yusuke Suzuki.
+
+* get-my-argument-by-val-negative-1.js: Added.
+* get-my-argument-by-val-negative-2.js: Added.
+* get-my-argument-by-val-negative-3.js: Added.
+
 2021-11-29  Yusuke Suzuki  
 
 [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt


Added: trunk/JSTests/get-my-argument-by-val-negative-1.js (0 => 286312)

--- trunk/JSTests/get-my-argument-by-val-negative-1.js	(rev 0)
+++ trunk/JSTests/get-my-argument-by-val-negative-1.js	2021-11-30 20:00:44 UTC (rev 286312)
@@ -0,0 +1,25 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function main() {
+let result;
+
+const v13 = [0, 0]; 
+Array.prototype[-80887344] = v13;
+
+const func = (i, ...rest) => {
+result = rest[i];
+};  
+noInline(func);
+
+for (let v30 = 0; v30 < 1; v30++) {
+func(0);
+}
+
+func(-80887344);
+assert(result === v13);
+}
+noDFG(main);
+main();


Added: trunk/JSTests/get-my-argument-by-val-negative-2.js (0 => 286312)

--- trunk/JSTests/get-my-argument-by-val-negative-2.js	(rev 0)
+++ trunk/JSTests/get-my-argument-by-val-negative-2.js	2021-11-30 20:00:44 UTC (rev 286312)
@@ -0,0 +1,25 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function main() {
+let result;
+
+const v13 = [0, 0]; 
+Object.prototype[-80887344] = v13;
+
+const func = function func(i) {
+result = arguments[i];
+};  
+noInline(func);
+
+for (let v30 = 0; v30 < 1; v30++) {
+func(3);
+}   
+
+func(-80887344);
+assert(result === v13);
+}
+noDFG(main);
+main();


Added: trunk/JSTests/get-my-argument-by-val-negative-3.js (0 => 286312)

--- trunk/JSTests/get-my-argument-by-val-negative-3.js	(rev 0)
+++ trunk/JSTests/get-my-argument-by-val-negative-3.js	2021-11-30 20:00:44 UTC (rev 286312)
@@ -0,0 +1,25 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function main() {
+let result;
+
+const v13 = [0, 0]; 
+Array.prototype[-1] = v13;
+
+const func = function func(i, ...args) {
+result = args[i];
+};  
+noInline(func);
+
+for (let v30 = 0; v30 < 1; v30++) {
+func(1000, 10);
+}   
+
+func(-1, 10);
+assert(result === v13);
+}
+noDFG(main);
+main();
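Review bot: the three negative-index tests differ in prototype (Array.prototype versus Object.prototype), access shape (rest array versus `arguments`) and key (-80887344 versus -1), but none of them says which combination it covers; a one-line header comment in each would make the matrix explicit. The warm-up loop `for (let v30 = 0; v30 < 1; v30++)` runs once, so state the tier-up the test depends on, or raise the bound.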


Modified: trunk/Source/_javascript_Core/ChangeLog (286311 => 286312)

--- trunk/Source/_javascript_Core/ChangeLog	2021-11-30 19:52:28 UTC (rev 286311)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-30 20:00:44 UTC (rev 286312)
@@ -1,3 +1,27 @@
+2021-11-30  Saam Barati  
+
+GetMyArgumentByValOutOfBounds needs to check for negative indices
+https://bugs.webkit.org/show_bug.cgi?id=232966
+
+
+Reviewed by Yusuke Suzuki.
+
+Negative indices inside of GetMyArgumentByValOutOfBounds would cause
+us to have the resulting value be 

[webkit-changes] [286278] trunk

2021-11-29 Thread sbarati
Title: [286278] trunk

Revision 286278
Author sbar...@apple.com
Date 2021-11-29 17:58:37 -0800 (Mon, 29 Nov 2021)


Log Message
FTL's implementation of HasIndexedProperty for InBounds accesses checks the inverse of what it should be checking when exiting by seeing a hole
https://bugs.webkit.org/show_bug.cgi?id=233408


Reviewed by Mark Lam.

JSTests:

* stress/in-by-val-has-indexed-property-ftl-3.js: Added.
* stress/in-by-val-has-indexed-property-ftl-2.js: Added.
* stress/in-by-val-has-indexed-property-ftl.js: Added.

Source/_javascript_Core:

The implementation of an InBounds HasIndexedProperty in FTL, when speculating,
would exit when we did not see a hole, not when we did see a hole. This is
the inverse of what we need to do: we should exit when we do see a hole.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/tools/JSDollarVM.cpp


Added Paths

trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-2.js
trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-3.js
trunk/JSTests/stress/in-by-val-has-indexed-property-ftl.js




Diff

Modified: trunk/JSTests/ChangeLog (286277 => 286278)

--- trunk/JSTests/ChangeLog	2021-11-30 01:42:49 UTC (rev 286277)
+++ trunk/JSTests/ChangeLog	2021-11-30 01:58:37 UTC (rev 286278)
@@ -1,3 +1,15 @@
+2021-11-29  Saam Barati  
+
+FTL's implementation of HasIndexedProperty for InBounds accesses checks the inverse of what it should be checking when exiting by seeing a hole
+https://bugs.webkit.org/show_bug.cgi?id=233408
+
+
+Reviewed by Mark Lam.
+
+* stress/in-by-val-has-indexed-property-ftl-3.js: Added.
+* stress/in-by-val-has-indexed-property-ftl-2.js: Added.
+* stress/in-by-val-has-indexed-property-ftl.js: Added.
+
 2021-11-29  Yusuke Suzuki  
 
 [JSC] slice should be aware of TerminationException


Added: trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-2.js (0 => 286278)

--- trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-2.js	(rev 0)
+++ trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-2.js	2021-11-30 01:58:37 UTC (rev 286278)
@@ -0,0 +1,28 @@
+//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--validateBCE=true", "--thresholdForJITSoon=1", "--thresholdForJITAfterWarmUp=7", "--thresholdForOptimizeAfterWarmUp=7", "--thresholdForOptimizeAfterLongWarmUp=7", "--thresholdForOptimizeSoon=1", "--thresholdForFTLOptimizeAfterWarmUp=10")
+
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function main() {
+let v17 = {__proto__:[42,1]};
+v17[2] = 4;
+
+let v92 = 0;
+for (let v95 = 0; v95 < 100; v95++) {
+function doEvery(e, i) {
+assert(e === 42);
+assert(i === 0);
+function doMap() {
+v139 = v92++;
+}   
+noInline(doMap);
+[0].map(doMap);
+}   
+noInline(doEvery);
+v17.every(doEvery);
+}   
+assert(v139 === 99);
+}
+main();
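Review bot: `v139` is assigned at `v139 = v92++;` and read in the final assert without ever being declared, so the test relies on sloppy-mode implicit globals; declare it with `let` next to `v92`. A short comment explaining how `v17.every(doEvery)` over an object whose prototype is `[42,1]` with own index 2 reaches the in-bounds HasIndexedProperty hole check would also help, since the connection to the fixed FTL code is not visible from the test itself.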


Added: trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-3.js (0 => 286278)

--- trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-3.js	(rev 0)
+++ trunk/JSTests/stress/in-by-val-has-indexed-property-ftl-3.js	2021-11-30 01:58:37 UTC (rev 286278)
@@ -0,0 +1,97 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function test1() {
+function func(b, o) {
+if (b)
+return 2 in o;
+return false;
+}
+noInline(func);
+
+let o = {__proto__:[0, 1]};
+o[3] = 42;
+
+for (let i = 0; i < 100; ++i) {
+func(true, o);
+func(false, o);
+}
+
+for (let i = 0; i < 1; ++i) {
+assert(!func(false, o));
+}
+assert(!func(true, o));
+}
+test1();
+
+function test2() {
+function func(b, o) {
+if (b)
+return 2 in o;
+return false;
+}
+noInline(func);
+
+let o = {__proto__:[0, 1]};
+o[3] = {};
+
+for (let i = 0; i < 100; ++i) {
+func(true, o);
+func(false, o);
+}
+
+for (let i = 0; i < 1; ++i) {
+assert(!func(false, o));
+}
+assert(!func(true, o));
+}
+test2();
+
+function test3() {
+function func(b, o) {
+if (b)
+return 2 in o;
+return false;
+}
+noInline(func);
+
+let o = {__proto__:[0, 1]};
+o[3] = 42.2;
+
+for (let i = 0; i < 100; ++i) {
+func(true, o);
+func(false, o);
+}
+
+for (let i = 0; i < 1; ++i) {
+assert(!func(false, o));
+}
+assert(!func(true, o));
+}
+test3();
+
+function test4() {
+function func(b, o) {
+
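Review bot: test1, test2 and test3 are identical apart from the value stored at `o[3]` (42, `{}`, 42.2), which selects the indexing type of the own storage; a shared helper taking that value as a parameter, with a comment naming the indexing type each value is meant to produce, would make that intent clear. Keeping them expanded is fine if each needs its own tier-up, but then say so.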

[webkit-changes] [286070] trunk

2021-11-19 Thread sbarati
Title: [286070] trunk

Revision 286070
Author sbar...@apple.com
Date 2021-11-19 11:36:35 -0800 (Fri, 19 Nov 2021)


Log Message
Fix assertion added in r285592
https://bugs.webkit.org/show_bug.cgi?id=233373

JSTests:

Reviewed by Keith Miller.

* stress/validate-assert-uid-is-not-index-or-it-is-symbol.js: Added.
(main.v11):
(main.v29):
(main):

Source/_javascript_Core:

rdar://85451012

Reviewed by Keith Miller.

The assertion added in r285592 should not apply to Symbols. This patch
fixes that error. We don't care if a Symbol can be parsed as an index
since the string value in a Symbol is just its description, not the
actual property.

* dfg/DFGValidate.cpp:

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGValidate.cpp


Added Paths

trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js




Diff

Modified: trunk/JSTests/ChangeLog (286069 => 286070)

--- trunk/JSTests/ChangeLog	2021-11-19 19:17:04 UTC (rev 286069)
+++ trunk/JSTests/ChangeLog	2021-11-19 19:36:35 UTC (rev 286070)
@@ -1,3 +1,15 @@
+2021-11-19  Saam Barati  
+
+Fix assertion added in r285592
+https://bugs.webkit.org/show_bug.cgi?id=233373
+
+Reviewed by Keith Miller.
+
+* stress/validate-assert-uid-is-not-index-or-it-is-symbol.js: Added.
+(main.v11):
+(main.v29):
+(main):
+
 2021-11-19  Joseph Griego  
 
 [JSC] Shadow realms: set correct Function prototype on wrapped functions


Added: trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js (0 => 286070)

--- trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js	(rev 0)
+++ trunk/JSTests/stress/validate-assert-uid-is-not-index-or-it-is-symbol.js	2021-11-19 19:36:35 UTC (rev 286070)
@@ -0,0 +1,26 @@
+//@ runDefault("--validateGraphAtEachPhase=1", "--useConcurrentJIT=false", "--thresholdForJITAfterWarmUp=1")
+
+function main() {
+  let v8 = 0;
+  let v9 = Symbol(v8);
+  
+  let v10 = 0;
+  function v11(v12,v13) {
+  ++v10;
+  }
+  
+  let v27 = 0;
+  while (v27 < 4096) {
+  function v29(v30,v31) {
+  do {
+  arguments[v9] = ReferenceError;
+  const v42 = v8++;
+  } while (v8 < 3); 
+  v51 = ++v27;
+  }   
+  const v53 = new Promise(v29);
+  }
+}
+noDFG(main);
+noFTL(main);
+main();
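Review bot: `v51 = ++v27;` writes an undeclared global, and `v42` and `v53` are unused; the fuzzer origin is clear, but the essential lines are `let v9 = Symbol(v8);` and `arguments[v9] = ReferenceError;`, so a comment saying the point is a Symbol whose description ("0") parses as an index would let the rest be simplified. Also `--validateGraphAtEachPhase=1` is what actually triggers the assertion, which the file name hints at but a comment should state.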


Modified: trunk/Source/_javascript_Core/ChangeLog (286069 => 286070)

--- trunk/Source/_javascript_Core/ChangeLog	2021-11-19 19:17:04 UTC (rev 286069)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-19 19:36:35 UTC (rev 286070)
@@ -1,3 +1,18 @@
+2021-11-19  Saam Barati  
+
+Fix assertion added in r285592
+https://bugs.webkit.org/show_bug.cgi?id=233373
+rdar://85451012
+
+Reviewed by Keith Miller.
+
+The assertion added in r285592 should not apply to Symbols. This patch
+fixes that error. We don't care if a Symbol can be parsed as an index
+since the string value in a Symbol is just its description, not the 
+actual property.
+
+* dfg/DFGValidate.cpp:
+
 2021-11-19  Joseph Griego  
 
 [JSC] Shadow realms: set correct Function prototype on wrapped functions


Modified: trunk/Source/_javascript_Core/dfg/DFGValidate.cpp (286069 => 286070)

--- trunk/Source/_javascript_Core/dfg/DFGValidate.cpp	2021-11-19 19:17:04 UTC (rev 286069)
+++ trunk/Source/_javascript_Core/dfg/DFGValidate.cpp	2021-11-19 19:36:35 UTC (rev 286070)
@@ -238,7 +238,7 @@
 
 if (node->hasCacheableIdentifier()) {
 auto* uid = node->cacheableIdentifier().uid();
-VALIDATE((node), !parseIndex(*uid));
+VALIDATE((node), uid->isSymbol() || !parseIndex(*uid));
 }
  
 switch (node->op()) {
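Review bot: the Symbol exemption in `VALIDATE((node), uid->isSymbol() || !parseIndex(*uid));` is explained only in the ChangeLog; add a one-line comment at the assertion (a Symbol's string is its description, not the property key) so the next reader does not treat the `isSymbol()` check as a loophole.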








[webkit-changes] [285971] trunk

2021-11-17 Thread sbarati
Title: [285971] trunk

Revision 285971
Author sbar...@apple.com
Date 2021-11-17 18:47:45 -0800 (Wed, 17 Nov 2021)


Log Message
Run the memmove fast path in JSGenericTypedArrayView::set when using a combination of Uint8 and Uint8Clamped
https://bugs.webkit.org/show_bug.cgi?id=233271


Reviewed by Yusuke Suzuki.

JSTests:

* microbenchmarks/typed-array-set-uint8-and-uint8clamped.js: Added.

Source/_javascript_Core:

We have a fast path for running memmove when both the thing being
copied from and the thing being copied to have the same typed array
type. However, when copying from a Uint8Array into a Uint8ClampedArray,
or vice versa, we were going down the slow path. In this case,
we can still take the fast path, since we're guaranteed that storing
into a Uint8ClampedArray from a Uint8Array will never actually need
to clamp values. And when storing from a Uint8ClampedArray into a
Uint8Array, the values can trivially be copied over.

This patch is a 100x speedup on the attached microbenchmark.

* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView::set):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h


Added Paths

trunk/JSTests/microbenchmarks/typed-array-set-uint8-and-uint8clamped.js




Diff

Modified: trunk/JSTests/ChangeLog (285970 => 285971)

--- trunk/JSTests/ChangeLog	2021-11-18 02:29:46 UTC (rev 285970)
+++ trunk/JSTests/ChangeLog	2021-11-18 02:47:45 UTC (rev 285971)
@@ -1,3 +1,13 @@
+2021-11-17  Saam Barati  
+
+Run the memmove fast path in JSGenericTypedArrayView::set when using a combination of Uint8 and Uint8Clamped
+https://bugs.webkit.org/show_bug.cgi?id=233271
+
+
+Reviewed by Yusuke Suzuki.
+
+* microbenchmarks/typed-array-set-uint8-and-uint8clamped.js: Added.
+
 2021-11-15  Yusuke Suzuki  
 
 [JSC] Use operation path when PutByVal child1 is not speculated as a Cell


Added: trunk/JSTests/microbenchmarks/typed-array-set-uint8-and-uint8clamped.js (0 => 285971)

--- trunk/JSTests/microbenchmarks/typed-array-set-uint8-and-uint8clamped.js	(rev 0)
+++ trunk/JSTests/microbenchmarks/typed-array-set-uint8-and-uint8clamped.js	2021-11-18 02:47:45 UTC (rev 285971)
@@ -0,0 +1,10 @@
+let x = new Uint8Array(1);
+let y = new Uint8ClampedArray(1);
+
+let start = Date.now();
+for (let i = 0; i < 1; ++i) {
+x.set(y);
+y.set(x);
+}
+if (false)
+print(Date.now() - start);
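Review bot: `if (false) print(Date.now() - start);` is dead code; drop the timing or gate it on a real flag. As written the two arrays hold one element and the loop bound is 1, so the body does almost no work; the ChangeLog reports a 100x speedup on this benchmark, so confirm that the sizes and iteration count in the committed file are the ones that produced that number.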


Modified: trunk/Source/_javascript_Core/ChangeLog (285970 => 285971)

--- trunk/Source/_javascript_Core/ChangeLog	2021-11-18 02:29:46 UTC (rev 285970)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-18 02:47:45 UTC (rev 285971)
@@ -1,3 +1,25 @@
+2021-11-17  Saam Barati  
+
+Run the memmove fast path in JSGenericTypedArrayView::set when using a combination of Uint8 and Uint8Clamped
+https://bugs.webkit.org/show_bug.cgi?id=233271
+
+
+Reviewed by Yusuke Suzuki.
+
+We have a fast path for running memmove when both the thing being
+copied from and the thing being copied to have the same typed array
+type. However, when copying from a Uint8Array into a Uint8ClampedArray,
+or vice versa, we were going down the slow path. In this case,
+we can still take the fast path, since we're guaranteed that storing
+into a Uint8ClampedArray from a Uint8Array will never actually need
+to clamp values. And when storing from a Uint8ClampedArray into a
+Uint8Array, the values can trivially be copied over.
+
+This patch is a 100x speedup on the attached microbenchmark.
+
+* runtime/JSGenericTypedArrayViewInlines.h:
+(JSC::JSGenericTypedArrayView::set):
+
 2021-11-17  Yusuke Suzuki  
 
 [JSC] Revise JSON.parse atomize policy


Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (285970 => 285971)

--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h	2021-11-18 02:29:46 UTC (rev 285970)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h	2021-11-18 02:47:45 UTC (rev 285971)
@@ -255,10 +255,8 @@
 VM& vm = globalObject->vm();
 auto scope = DECLARE_THROW_SCOPE(vm);
 
-const ClassInfo* ci = object->classInfo(vm);
-if (ci->typedArrayStorageType == Adaptor::typeValue) {
-// The super fast case: we can just memmove since we're the same type.
-JSGenericTypedArrayView* other = jsCast(object);
+auto memmoveFastPath = [&] (auto* other) {
+// The super fast case: we can just memmove since we're the same underlying storage type.
 length = std::min(length, other->length());
 
 RELEASE_ASSERT(other->canAccessRangeQuickly(objectOffset, length));
@@ -267,8 +265,22 @@
 if (!success)
 return false;
 
+RELEASE_ASSERT((std::is_same_vtypedVector())>));
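The two facts the r286639 and r285971 messages rely on, as an added reference model that is not code from either commit: when set() between two element types is exactly a raw byte copy, and what an overlapping set() must produce whatever copy direction is used. byteCopyMatchesSet() and overlappingSet() are helpers written for this page, and the sample bytes are constructed.

```javascript
// Added example, not code from the WebKit commits: a reference model for the
// two facts the r286639 and r285971 changes rely on. byteCopyMatchesSet() and
// overlappingSet() are hypothetical helpers written for this page.

// Constructed sample bytes: 8 bytes, so they can be read as 1-, 2- or 4-byte
// elements, including patterns with the top bit set (negative when signed).
const SAMPLE_BYTES = Uint8Array.of(0x00, 0x01, 0x7f, 0x80, 0xff, 0xfe, 0x55, 0xaa);

// True when set() from SrcCtor into DstCtor leaves the destination with the
// same bytes a plain memmove of the source storage would. set() converts
// element by element, so the two agree exactly when every source bit pattern
// converts to the identical bit pattern in the destination type; that is
// the condition under which the memmove fast path is sound.
function byteCopyMatchesSet(SrcCtor, DstCtor) {
  if (SrcCtor.BYTES_PER_ELEMENT !== DstCtor.BYTES_PER_ELEMENT)
    return false;                    // different widths: never a plain copy
  const count = SAMPLE_BYTES.length / SrcCtor.BYTES_PER_ELEMENT;

  const src = new SrcCtor(count);
  new Uint8Array(src.buffer).set(SAMPLE_BYTES);        // raw patterns in

  const viaSet = new DstCtor(count);
  viaSet.set(src);                                     // per-element conversion
  const viaMemmove = new DstCtor(count);
  new Uint8Array(viaMemmove.buffer).set(SAMPLE_BYTES); // bytes copied verbatim

  const a = new Uint8Array(viaSet.buffer);
  const b = new Uint8Array(viaMemmove.buffer);
  return a.every((byte, i) => byte === b[i]);
}

// Overlapping set(): the source is a view over the destination's own buffer.
// The required result is "as if the source had been copied out first". A
// memmove gets that right only if it chooses its loop direction from the
// real start addresses (vector + offset, not vector), which is the bug the
// r286639 message describes. Returns the final contents and whether they
// match an alias-free computation of the same write.
function overlappingSet(DstCtor, SrcCtor, n, offset) {
  const array = new DstCtor(n + offset);
  for (let i = 0; i < n; ++i)
    array[i] = 42 + i;                                 // constructed data
  const source = new SrcCtor(array.buffer, 0, n);      // aliases array[0..n)

  const expected = new DstCtor(array);                 // snapshot of the target
  expected.set(Array.from(source), offset);            // plain array: no aliasing

  array.set(source, offset);                           // the overlapping copy
  return {
    result: Array.from(array),
    correct: array.every((v, i) => v === expected[i]),
  };
}

// Pairs named by the two commits, plus two that must stay on the slow path.
const PAIRS = [
  [Int8Array, Uint8Array], [Uint8Array, Int8Array],
  [Int16Array, Uint16Array], [Int32Array, Uint32Array],
  [Uint8Array, Uint8ClampedArray], [Uint8ClampedArray, Uint8Array],
  [Int8Array, Uint8ClampedArray],   // -1 must clamp to 0, so no memmove
  [Float32Array, Int32Array],       // same width, different encoding
];
for (const [S, D] of PAIRS)
  console.log(`${S.name} -> ${D.name}: memmove-safe = ${byteCopyMatchesSet(S, D)}`);
console.log(overlappingSet(Uint8ClampedArray, Int8Array, 10, 1));
```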
 

[webkit-changes] [285592] trunk

2021-11-10 Thread sbarati
Title: [285592] trunk

Revision 285592
Author sbar...@apple.com
Date 2021-11-10 10:54:59 -0800 (Wed, 10 Nov 2021)


Log Message
in_by_val should not constant fold to in_by_id when the property is a property index
https://bugs.webkit.org/show_bug.cgi?id=232753

Reviewed by Yusuke Suzuki.

JSTests:

* stress/dont-in-by-id-when-index-2.js: Added.
(assert):
(main.v179):
(main.async v244):
(main):
* stress/dont-in-by-id-when-index.js: Added.
(assert):
(test):

Source/_javascript_Core:

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGValidate.cpp:

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h
trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp
trunk/Source/_javascript_Core/dfg/DFGValidate.cpp


Added Paths

trunk/JSTests/stress/dont-in-by-id-when-index-2.js
trunk/JSTests/stress/dont-in-by-id-when-index.js




Diff

Modified: trunk/JSTests/ChangeLog (285591 => 285592)

--- trunk/JSTests/ChangeLog	2021-11-10 18:46:31 UTC (rev 285591)
+++ trunk/JSTests/ChangeLog	2021-11-10 18:54:59 UTC (rev 285592)
@@ -1,3 +1,19 @@
+2021-11-10  Saam Barati  
+
+in_by_val should not constant fold to in_by_id when the property is a property index
+https://bugs.webkit.org/show_bug.cgi?id=232753
+
+Reviewed by Yusuke Suzuki.
+
+* stress/dont-in-by-id-when-index-2.js: Added.
+(assert):
+(main.v179):
+(main.async v244):
+(main):
+* stress/dont-in-by-id-when-index.js: Added.
+(assert):
+(test):
+
 2021-11-10  Xan Lopez  
 
 [JSC][32bit] Unskip JSTests/stress/json-stringify-string-builder-overflow.js


Added: trunk/JSTests/stress/dont-in-by-id-when-index-2.js (0 => 285592)

--- trunk/JSTests/stress/dont-in-by-id-when-index-2.js	(rev 0)
+++ trunk/JSTests/stress/dont-in-by-id-when-index-2.js	2021-11-10 18:54:59 UTC (rev 285592)
@@ -0,0 +1,37 @@
+//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=0")
+
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function main() {
+let v249;
+
+const v178 = [];
+
+v179 = class V179 {
+constructor(v181,v182,v183) {
+}
+};
+
+const v195 = [v178,v179,1];
+const v203 = {};
+const v204 = [v179,v195];
+const v205 = v204.toLocaleString();
+
+for (const v223 of v205) {
+const v232 = {};
+v232[v223] = "number";
+
+async function v244() {
+v249 = "1" in v232;
+const v250 = 0;
+}
+v244();
+}
+
+assert(v249 === true);
+}
+
+main();
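Review bot: the final `"1" in v232` only evaluates true because the string being iterated, `[v179, v195].toLocaleString()`, ends with the element `1` of `v195`, so the last loop iteration is the one that defines `v232["1"]`; that dependency on the class's source text and on array-to-string formatting deserves a comment. `v179` is also assigned without a declaration and `v250` is unused.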


Added: trunk/JSTests/stress/dont-in-by-id-when-index.js (0 => 285592)

--- trunk/JSTests/stress/dont-in-by-id-when-index.js	(rev 0)
+++ trunk/JSTests/stress/dont-in-by-id-when-index.js	2021-11-10 18:54:59 UTC (rev 285592)
@@ -0,0 +1,15 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function test(obj) {
+return "1" in obj;
+}
+noInline(test);
+
+let o = [10, {}];
+
+for (let i = 0; i < 1; ++i) {
+assert(test(o) === true);
+}
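Review bot: the loop `for (let i = 0; i < 1; ++i)` runs `test` once, so with default thresholds it never reaches the DFG where the in_by_val to in_by_id folding lives; either raise the bound past the optimisation thresholds or pass the same `--thresholdFor...` runDefault options the sibling test dont-in-by-id-when-index-2.js uses, and say in a comment that `"1"` must stay an indexed `in` because the key parses as an array index.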


Modified: trunk/Source/_javascript_Core/ChangeLog (285591 => 285592)

--- trunk/Source/_javascript_Core/ChangeLog	2021-11-10 18:46:31 UTC (rev 285591)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-10 18:54:59 UTC (rev 285592)
@@ -1,3 +1,16 @@
+2021-11-10  Saam Barati  
+
+in_by_val should not constant fold to in_by_id when the property is a property index
+https://bugs.webkit.org/show_bug.cgi?id=232753
+
+Reviewed by Yusuke Suzuki.
+
+* dfg/DFGAbstractInterpreterInlines.h:
+(JSC::DFG::AbstractInterpreter::executeEffects):
+* dfg/DFGConstantFoldingPhase.cpp:
+(JSC::DFG::ConstantFoldingPhase::foldConstants):
+* dfg/DFGValidate.cpp:
+
 2021-11-09  Commit Queue  
 
 Unreviewed, reverting r285246.


Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (285591 => 285592)

--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2021-11-10 18:46:31 UTC (rev 285591)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2021-11-10 18:54:59 UTC (rev 285592)
@@ -4248,7 +4248,7 @@
 if (JSValue constant = property.value()) {
 if (constant.isString()) {
 JSString* string = asString(constant);
-if (CacheableIdentifier::isCacheableIdentifierCell(string))
+if 
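The property-key distinction behind r286312 (negative indices in GetMyArgumentByVal), r286070 (a Symbol's text is not an index) and the parseIndex assertion r285592 introduced, as an added reference model that is not JSC code: isArrayIndex(), getMyArgumentByValBefore() and getMyArgumentByValAfter() are hypothetical helpers written for this page, and the sample array is constructed.

```javascript
// Added example, not WebKit code. A reference model for which property keys
// are array indices, and for why a JIT node that treats a negative Int32 as
// "out of bounds, hence undefined" returns the wrong value.

// ECMAScript array index: a canonical numeric string for an integer in
// [0, 2^32 - 2]. "-1", "01", "1.5" and Symbols are ordinary property keys;
// this mirrors the distinction JSC's parseIndex() makes (model, not JSC code).
function isArrayIndex(key) {
  if (typeof key === 'symbol')
    return false;                      // a Symbol's description is not the key
  const s = String(key);
  if (!/^(0|[1-9][0-9]*)$/.test(s))
    return false;
  return Number(s) <= 0xFFFFFFFE;
}

// Hypothetical model of the node before the fix: `i` is an Int32 argument
// index. The r286312 message says an out-of-bounds index made the node
// produce undefined; a negative `i` landed in that branch although it names
// a string property, not an index.
function getMyArgumentByValBefore(args, i) {
  if (i >= 0 && i < args.length)
    return { value: args[i], exited: false };
  return { value: undefined, exited: false };
}

// After the fix: speculate that `i` is non-negative. A negative index fails
// the speculation, so execution falls back to a generic property get that
// walks the prototype chain with the string key (for example "-1").
function getMyArgumentByValAfter(args, i) {
  if (i < 0)
    return { value: args[String(i)], exited: true };  // exit to the generic path
  if (i < args.length)
    return { value: args[i], exited: false };
  return { value: undefined, exited: false };
}

// Compare both models against the engine's own semantics for each index.
function compareModels(args, indices) {
  return indices.map((i) => {
    const truth = args[i];             // what the interpreter would return
    return {
      i,
      isIndex: isArrayIndex(i),
      truth,
      beforeOk: getMyArgumentByValBefore(args, i).value === truth,
      afterOk: getMyArgumentByValAfter(args, i).value === truth,
    };
  });
}

// Constructed sample in the shape of the r286312 tests, but with a private
// prototype object instead of mutating Array.prototype globally.
function makeSampleArgs() {
  const proto = Object.create(Array.prototype);
  proto['-1'] = 'from the prototype chain';
  const args = [10, 20];               // stands in for a rest array
  Object.setPrototypeOf(args, proto);
  return args;
}

for (const row of compareModels(makeSampleArgs(), [0, 1, 5, -1]))
  console.log(row);
```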

[webkit-changes] [285525] trunk

2021-11-09 Thread sbarati
Title: [285525] trunk

Revision 285525
Author sbar...@apple.com
Date 2021-11-09 12:49:41 -0800 (Tue, 09 Nov 2021)


Log Message
When inlining NewSymbol in the DFG don't universally call ToString on the input
https://bugs.webkit.org/show_bug.cgi?id=232754

Reviewed by Robin Morisset.

JSTests:

* stress/inline-new-symbol-dfg-undefined-first-arg.js: Added.
(assert):
(foo):

Source/_javascript_Core:

When inlining Symbol(x) in the DFG, we were always calling ToString on x.
However, this is wrong spec-wise. If x is undefined, the symbol should
produce a description value of `undefined`, but calling ToString on x was causing
us to produce a description with the string `"undefined"`.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewSymbol):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
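The behaviour this commit fixes, shown as an added example that is not part of the commit or of JSC: the spec's `Symbol(desc)` beside a model of the pre-fix inlining that applied ToString to the argument unconditionally. `String(arg)` stands in for the abstract ToString operation here, and the input list is constructed for the example.

```javascript
// Added example (not JSC code): models the difference between the spec's
// Symbol(description) and an inlined variant that unconditionally applies
// ToString to its argument, which is the bug this commit fixes.

// Spec behaviour: Symbol(desc) leaves the description undefined when desc is
// undefined, and applies ToString to anything else.
function specSymbolDescription(arg) {
  return Symbol(arg).description;
}

// Model of the pre-fix DFG inlining: ToString (modelled with String()) is
// applied before the symbol is created, so undefined becomes "undefined".
function buggyInlinedSymbolDescription(arg) {
  return Symbol(String(arg)).description;
}

// Differential check: returns the inputs on which the two implementations
// disagree. Only undefined should show up.
function findDivergingInputs(inputs) {
  const diverging = [];
  for (const input of inputs) {
    if (specSymbolDescription(input) !== buggyInlinedSymbolDescription(input))
      diverging.push(input);
  }
  return diverging;
}

// Constructed sample inputs covering the usual primitive and object cases.
const SAMPLE_INPUTS = [undefined, null, "", "desc", 0, 42, true, {}, []];

function main() {
  console.log("spec:  ", specSymbolDescription(undefined));
  console.log("buggy: ", buggyInlinedSymbolDescription(undefined));
  console.log("diverging inputs:", findDivergingInputs(SAMPLE_INPUTS));
}
main();
```

Every other input agrees because `Symbol(null)`, `Symbol({})` and `Symbol([])` all go through ToString anyway; undefined is the one value the spec special-cases, which is why a test that only checks `Symbol("x")` would never have caught this.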

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h
trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp
trunk/Source/_javascript_Core/dfg/DFGClobberize.h
trunk/Source/_javascript_Core/dfg/DFGClobbersExitState.cpp
trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp
trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp
trunk/Source/_javascript_Core/dfg/DFGNodeType.h
trunk/Source/_javascript_Core/dfg/DFGOperations.cpp
trunk/Source/_javascript_Core/dfg/DFGOperations.h
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp


Added Paths

trunk/JSTests/stress/inline-new-symbol-dfg-undefined-first-arg.js




Diff

Modified: trunk/JSTests/ChangeLog (285524 => 285525)

--- trunk/JSTests/ChangeLog	2021-11-09 20:44:59 UTC (rev 285524)
+++ trunk/JSTests/ChangeLog	2021-11-09 20:49:41 UTC (rev 285525)
@@ -1,3 +1,14 @@
+2021-11-09  Saam Barati  
+
+When inlining NewSymbol in the DFG don't universally call ToString on the input
+https://bugs.webkit.org/show_bug.cgi?id=232754
+
+Reviewed by Robin Morisset.
+
+* stress/inline-new-symbol-dfg-undefined-first-arg.js: Added.
+(assert):
+(foo):
+
 2021-11-09  Angelos Oikonomopoulos  
 
 Unskip array-buffer-view-watchpoint-can-be-fired-in-really-add-in-dfg on ARM


Added: trunk/JSTests/stress/inline-new-symbol-dfg-undefined-first-arg.js (0 => 285525)

--- trunk/JSTests/stress/inline-new-symbol-dfg-undefined-first-arg.js	(rev 0)
+++ trunk/JSTests/stress/inline-new-symbol-dfg-undefined-first-arg.js	2021-11-09 20:49:41 UTC (rev 285525)
@@ -0,0 +1,13 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function foo(arg) {
+return Symbol(arg);
+}
+noInline(foo);
+
+for (let i = 0; i < 1; ++i) {
+assert(foo(undefined).description === undefined);
+}
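Review bot: the loop `for (let i = 0; i < 1; ++i)` calls `foo` exactly once, so under default tiering thresholds `foo` never reaches the DFG and the inlined `NewSymbol` path this test exists to exercise is not compiled; either raise the iteration count well past the optimisation threshold or add a `//@ runDefault(...)` line with low `--thresholdForOptimize*` values, as the other stress tests in this series do. The assertion itself, `foo(undefined).description === undefined`, is the right check.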


Modified: trunk/Source/_javascript_Core/ChangeLog (285524 => 285525)

--- trunk/Source/_javascript_Core/ChangeLog	2021-11-09 20:44:59 UTC (rev 285524)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-09 20:49:41 UTC (rev 285525)
@@ -1,3 +1,35 @@
+2021-11-09  Saam Barati  
+
+When inlining NewSymbol in the DFG don't universally call ToString on the input
+https://bugs.webkit.org/show_bug.cgi?id=232754
+
+Reviewed by Robin Morisset.
+
+When inlining Symbol(x) in the DFG, we were always calling ToString on x.
+However, this is wrong spec-wise. If x is undefined, the symbol should
+produce a description value of `undefined`, but calling ToString on x was causing
+us to produce a description with the string `"undefined"`.
+
+* dfg/DFGAbstractInterpreterInlines.h:
+(JSC::DFG::AbstractInterpreter::executeEffects):
+* dfg/DFGByteCodeParser.cpp:
+(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+* dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+* dfg/DFGClobbersExitState.cpp:
+(JSC::DFG::clobbersExitState):
+* dfg/DFGFixupPhase.cpp:
+(JSC::DFG::FixupPhase::fixupNode):
+* dfg/DFGMayExit.cpp:
+* dfg/DFGNodeType.h:
+* dfg/DFGOperations.cpp:
+(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+* dfg/DFGOperations.h:
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileNewSymbol):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
+
 2021-11-09  Yusuke Suzuki  
 
 Unreviewed, suppress scope check failures on Debug JSC tests


Modified: 

[webkit-changes] [285406] trunk

2021-11-08 Thread sbarati
Title: [285406] trunk








Revision 285406
Author sbar...@apple.com
Date 2021-11-08 09:05:33 -0800 (Mon, 08 Nov 2021)


Log Message
We need to PreferNumber when calling toPrimitive for negate
https://bugs.webkit.org/show_bug.cgi?id=232679

Reviewed by Alexey Shvayka.

JSTests:

* stress/negate-prefer-number-to-primitive.js

Source/_javascript_Core:

We were forgetting to do this in a few implementations of the negate
bytecode. So depending on which variant you took, you could get different
results.

* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
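To make the hint difference concrete, here is an added example (not JSC code and not part of this commit) that models the ToPrimitive abstract operation with an explicit hint and negates through it both ways. `Date` is the interesting input because its `@@toPrimitive` treats the `"default"` hint like `"string"`, which is exactly how a missing `PreferNumber` turns `-new Date(123)` into `NaN` instead of `-123`.

```javascript
// Added example (not JSC code): a model of ToPrimitive(input, hint) used to
// show why unary minus must pass the "number" hint.

function isObject(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}

// Model of ToPrimitive; hint is "default", "number" or "string".
function toPrimitive(input, hint = "default") {
  if (!isObject(input))
    return input;
  const exotic = input[Symbol.toPrimitive];
  if (exotic !== undefined && exotic !== null) {
    const result = exotic.call(input, hint);
    if (!isObject(result))
      return result;
    throw new TypeError("@@toPrimitive must return a primitive");
  }
  // OrdinaryToPrimitive: the hint decides whether valueOf or toString goes first.
  const order = hint === "string" ? ["toString", "valueOf"] : ["valueOf", "toString"];
  for (const name of order) {
    const method = input[name];
    if (typeof method === "function") {
      const result = method.call(input);
      if (!isObject(result))
        return result;
    }
  }
  throw new TypeError("Cannot convert object to primitive value");
}

// Negation as the spec defines it: ToNumeric, i.e. ToPrimitive with hint "number".
// Works for both Number and BigInt primitives.
function negateSpec(operand) {
  return -toPrimitive(operand, "number");
}

// Model of the pre-fix slow path, which called toPrimitive without a hint.
function negateNoHint(operand) {
  return -toPrimitive(operand, "default");
}

function main() {
  const d = new Date(123);
  console.log("spec   :", negateSpec(d));   // -123
  console.log("no hint:", negateNoHint(d)); // NaN: Date's default hint is "string"
  console.log("native :", -d);              // -123
}
main();
```

Plain objects with only `valueOf`/`toString` behave the same under both hints, which is why the bug only surfaced on inputs like `Date` (or any object whose `@@toPrimitive` inspects the hint) and only on the tiers that had dropped the argument.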

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JITOperations.cpp


Added Paths

trunk/JSTests/stress/negate-prefer-number-to-primitive.js




Diff

Modified: trunk/JSTests/ChangeLog (285405 => 285406)

--- trunk/JSTests/ChangeLog	2021-11-08 16:58:13 UTC (rev 285405)
+++ trunk/JSTests/ChangeLog	2021-11-08 17:05:33 UTC (rev 285406)
@@ -1,3 +1,12 @@
+2021-11-08  Saam Barati  
+
+We need to PreferNumber when calling toPrimitive for negate
+https://bugs.webkit.org/show_bug.cgi?id=232679
+
+Reviewed by Alexey Shvayka.
+
+* stress/negate-prefer-number-to-primitive.js
+
 2021-11-05  Russell Epstein  
 
 Cherry-pick r284635. rdar://problem/85039977


Added: trunk/JSTests/stress/negate-prefer-number-to-primitive.js (0 => 285406)

--- trunk/JSTests/stress/negate-prefer-number-to-primitive.js	(rev 0)
+++ trunk/JSTests/stress/negate-prefer-number-to-primitive.js	2021-11-08 17:05:33 UTC (rev 285406)
@@ -0,0 +1,22 @@
+//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=1")
+
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function main() {
+let result;
+for (let i = 0; i < 7; ++i) {
+function f() {
+"a".charCodeAt(undefined);
+const v44 = new Date(123);
+result = -v44;
+for (let j = -4096; j < 100; j++) { } 
+}   
+noInline(f);
+f();
+assert(result === -123);
+}
+}
+main();
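Review bot: `"a".charCodeAt(undefined)` and the empty `for (let j = -4096; j < 100; j++) { }` loop read as fuzzer residue; if they are required to steer `f` onto the affected negate slow path, say so in a comment (the other tests in this series use `// This is needed`), otherwise drop them so the intent, that `-new Date(123)` must produce `-123`, stays readable. Also `--useFTLJIT=1` works but `--useFTLJIT=true` is the spelling used in the sibling tests; pick one.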


Modified: trunk/Source/_javascript_Core/ChangeLog (285405 => 285406)

--- trunk/Source/_javascript_Core/ChangeLog	2021-11-08 16:58:13 UTC (rev 285405)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-08 17:05:33 UTC (rev 285406)
@@ -1,3 +1,17 @@
+2021-11-08  Saam Barati  
+
+We need to PreferNumber when calling toPrimitive for negate
+https://bugs.webkit.org/show_bug.cgi?id=232679
+
+Reviewed by Alexey Shvayka.
+
+We were forgetting to do this in a few implementations of the negate
+bytecode. So depending on which variant you took, you could get different
+results.
+
+* jit/JITOperations.cpp:
+(JSC::JSC_DEFINE_JIT_OPERATION):
+
 2021-11-05  Russell Epstein  
 
 Cherry-pick r284635. rdar://problem/85039977


Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (285405 => 285406)

--- trunk/Source/_javascript_Core/jit/JITOperations.cpp	2021-11-08 16:58:13 UTC (rev 285405)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp	2021-11-08 17:05:33 UTC (rev 285406)
@@ -3411,7 +3411,7 @@
 JSValue operand = JSValue::decode(encodedOperand);
 arithProfile->observeArg(operand);
 
-JSValue primValue = operand.toPrimitive(globalObject);
+JSValue primValue = operand.toPrimitive(globalObject, PreferNumber);
 RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
 #if USE(BIGINT32)
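Review bot: the same one-line fix is applied to three near-identical negate slow paths (this hunk and the two that follow), each followed by the same `RETURN_IF_EXCEPTION` and `#if USE(BIGINT32)` handling; factoring the `operand.toPrimitive(globalObject, PreferNumber)` call and the code after it into one shared helper would make it impossible for one variant to drift from the others again, which is exactly how this divergence arose.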
@@ -3455,7 +3455,7 @@
 callFrame->codeBlock()->dumpMathICStats();
 #endif
 
-JSValue primValue = operand.toPrimitive(globalObject);
+JSValue primValue = operand.toPrimitive(globalObject, PreferNumber);
 RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
 #if USE(BIGINT32)
@@ -3498,7 +3498,7 @@
 callFrame->codeBlock()->dumpMathICStats();
 #endif
 
-JSValue primValue = operand.toPrimitive(globalObject);
+JSValue primValue = operand.toPrimitive(globalObject, PreferNumber);
 RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
 #if USE(BIGINT32)






___

webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [285167] trunk

2021-11-02 Thread sbarati
Title: [285167] trunk








Revision 285167
Author sbar...@apple.com
Date 2021-11-02 10:25:46 -0700 (Tue, 02 Nov 2021)


Log Message
EnumeratorGetByVal for IndexedMode+OwnStructureMode doesn't always recover the property name
https://bugs.webkit.org/show_bug.cgi?id=231321


Reviewed by Yusuke Suzuki.

JSTests:

* stress/enumerator-get-by-val-needs-to-recover-property-name.js: Added.

Source/_javascript_Core:

When running an EnumeratorGetByVal in IndexedMode+OwnStructureMode, we may
go to the slow path. However, we were incorrectly going to the slow path
before recovering the actual property name. Instead, we were passing in
the integer index value to the get by val.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp


Added Paths

trunk/JSTests/stress/enumerator-get-by-val-needs-to-recover-property-name.js




Diff

Modified: trunk/JSTests/ChangeLog (285166 => 285167)

--- trunk/JSTests/ChangeLog	2021-11-02 17:11:54 UTC (rev 285166)
+++ trunk/JSTests/ChangeLog	2021-11-02 17:25:46 UTC (rev 285167)
@@ -1,3 +1,13 @@
+2021-11-02  Saam Barati  
+
+EnumeratorGetByVal for IndexedMode+OwnStructureMode doesn't always recover the property name
+https://bugs.webkit.org/show_bug.cgi?id=231321
+
+
+Reviewed by Yusuke Suzuki.
+
+* stress/enumerator-get-by-val-needs-to-recover-property-name.js: Added.
+
 2021-11-01  Saam Barati  
 
 ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object


Added: trunk/JSTests/stress/enumerator-get-by-val-needs-to-recover-property-name.js (0 => 285167)

--- trunk/JSTests/stress/enumerator-get-by-val-needs-to-recover-property-name.js	(rev 0)
+++ trunk/JSTests/stress/enumerator-get-by-val-needs-to-recover-property-name.js	2021-11-02 17:25:46 UTC (rev 285167)
@@ -0,0 +1,32 @@
+//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=true")
+
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function main() {
+let result;
+const v35 = [0, 0, {b:"A"}];
+
+async function v36(arr) {
+edenGC();  // This is needed
+for (let i = 0; i < 2; i++) {
+const v201 = ` 
+var someVar; // this is needed
+
+for (let j = 0; j < 6; j++) { }
+
+const v222 = {"__proto__":[[]], "a":0, "b":0};
+for (const prop in v222) {
+result = arr[prop];
+v222.__proto__ = {};
+}
+`;
+eval(v201); // moving code out of eval breaks differential
+}
+}
+v35.filter(v36);
+assert(result === "A");
+}
+main();
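Review bot: `v36` is declared `async` but contains no `await`, so its body runs synchronously inside `v35.filter(v36)` and `result` is assigned before `assert(result === "A")` executes; that is load-bearing for the assertion and deserves a comment, since a reader may otherwise assume the check races the returned promise. The `edenGC();  // This is needed` and `var someVar; // this is needed` comments should say what they are needed for, so a later cleanup does not remove them and silently turn the test into a no-op.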


Modified: trunk/Source/_javascript_Core/ChangeLog (285166 => 285167)

--- trunk/Source/_javascript_Core/ChangeLog	2021-11-02 17:11:54 UTC (rev 285166)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-02 17:25:46 UTC (rev 285167)
@@ -1,3 +1,21 @@
+2021-11-02  Saam Barati  
+
+EnumeratorGetByVal for IndexedMode+OwnStructureMode doesn't always recover the property name
+https://bugs.webkit.org/show_bug.cgi?id=231321
+
+
+Reviewed by Yusuke Suzuki.
+
+When running an EnumeratorGetByVal in IndexedMode+OwnStructureMode, we may
+go to the slow path. However, we were incorrectly going to the slow path
+before recovering the actual property name. Instead, we were passing in
+the integer index value to the get by val.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
 2021-11-02  Patrick Angle  
 
 WebDriver: [Cocoa] support `acceptInsecureCerts` capability


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (285166 => 285167)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-11-02 17:11:54 UTC (rev 285166)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-11-02 17:25:46 UTC (rev 285167)
@@ -15875,7 +15875,7 @@
 JSValueRegs resultRegs;
 GPRReg indexGPR;
 GPRReg enumeratorGPR;
-MacroAssembler::Jump badStructureSlowPath;
+MacroAssembler::JumpList recoverGenericCase;
 
 compileGetByVal(node, 
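Review bot: replacing the single `badStructureSlowPath` jump with a `JumpList` named `recoverGenericCase` means more than one condition now funnels into the slow path through the name-recovery code; the rest of the hunk is cut off here, so check that every jump appended to the list is linked ahead of the generic get-by-val call and that none of the exits still hands over the raw integer index the commit message describes.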

[webkit-changes] [285123] trunk

2021-11-01 Thread sbarati
Title: [285123] trunk








Revision 285123
Author sbar...@apple.com
Date 2021-11-01 13:10:24 -0700 (Mon, 01 Nov 2021)


Log Message
ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object
https://bugs.webkit.org/show_bug.cgi?id=231322


Reviewed by Yusuke Suzuki.

JSTests:

* stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js: Added.
(main.async v23):
(main):

Source/_javascript_Core:

We were relying on the watchpoint to tell us if the Array species watchpoint
for 'constructor' is set to the right value. However, the watchpoint being
fired doesn't guarantee that it won't be the right value. For example, we
might not be able to install the watchpoint because the replacement watchpoint
may already be fired.

* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferSpeciesConstructorSlow):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp


Added Paths

trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js




Diff

Modified: trunk/JSTests/ChangeLog (285122 => 285123)

--- trunk/JSTests/ChangeLog	2021-11-01 20:08:01 UTC (rev 285122)
+++ trunk/JSTests/ChangeLog	2021-11-01 20:10:24 UTC (rev 285123)
@@ -1,3 +1,15 @@
+2021-11-01  Saam Barati  
+
+ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object
+https://bugs.webkit.org/show_bug.cgi?id=231322
+
+
+Reviewed by Yusuke Suzuki.
+
+* stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js: Added.
+(main.async v23):
+(main):
+
 2021-11-01  Robin Morisset  
 
 JSGenericTypedArrayView::set crashes if the length + objectOffset is > UINT32_MAX


Added: trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js (0 => 285123)

--- trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js	(rev 0)
+++ trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js	2021-11-01 20:10:24 UTC (rev 285123)
@@ -0,0 +1,16 @@
+//@ runDefault("--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useConcurrentJIT=0", "--dumpFTLDisassembly=0", "--useFTLJIT=0")
+
+function main() {
+async function v23(v24) {
+for (let v30 = 0; v30 < 6; v30++) { } 
+ArrayBuffer.prototype.constructor = ArrayBuffer;
+}
+
+const v22 = [0, 0, 0]; 
+const v35 = v22.filter(v23);
+
+const v37 = [0, 0, 0]
+const v42 = new Uint8ClampedArray(v37);
+const v43 = new Uint32Array(v42);
+}
+main();
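Review bot: the test carries no assertion, so it passes as long as `new Uint32Array(v42)` neither crashes nor trips an assertion after `ArrayBuffer.prototype.constructor` is reassigned to the same `ArrayBuffer`. Stating the expected outcome, for instance `assert(v43.length === 3)` plus a check that `v43.buffer instanceof ArrayBuffer`, would document what a regression looks like and keep the test meaningful in builds where a wrong species result would not crash.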


Modified: trunk/Source/_javascript_Core/ChangeLog (285122 => 285123)

--- trunk/Source/_javascript_Core/ChangeLog	2021-11-01 20:08:01 UTC (rev 285122)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-01 20:10:24 UTC (rev 285123)
@@ -1,3 +1,20 @@
+2021-11-01  Saam Barati  
+
+ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object
+https://bugs.webkit.org/show_bug.cgi?id=231322
+
+
+Reviewed by Yusuke Suzuki.
+
+We were relying on the watchpoint to tell us if the Array species watchpoint
+for 'constructor' is set to the right value. However, the watchpoint being
+fired doesn't guarantee that it won't be the right value. For example, we
+might not be able to install the watchpoint because the replacement watchpoint
+may already be fired.
+
+* runtime/JSArrayBufferPrototype.cpp:
+(JSC::arrayBufferSpeciesConstructorSlow):
+
 2021-11-01  Robin Morisset  
 
 JSGenericTypedArrayView::set crashes if the length + objectOffset is > UINT32_MAX


Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp (285122 => 285123)

--- trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp	2021-11-01 20:08:01 UTC (rev 285122)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp	2021-11-01 20:10:24 UTC (rev 285123)
@@ -52,9 +52,8 @@
 if (constructor.isConstructor(vm)) {
 JSObject* constructorObject = jsCast(constructor);
 JSGlobalObject* globalObjectFromConstructor = constructorObject->globalObject(vm);
-bool isArrayBufferConstructorFromAnotherRealm = globalObject != globalObjectFromConstructor
-&& constructorObject == globalObjectFromConstructor->arrayBufferConstructor(mode);
-if 
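Review bot: the removed `isArrayBufferConstructorFromAnotherRealm` tied the realm comparison and the "is this realm's ArrayBuffer constructor" comparison together in one `&&`; per the commit message the watchpoint state must not decide correctness, so the replacement (cut off after `+if` in this archive) should compare `constructorObject` against `globalObjectFromConstructor->arrayBufferConstructor(mode)` on its own and only then decide whether `globalObject` matches. A short comment at the new condition explaining why the watchpoint is not consulted here would stop the next reader from reintroducing it.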

[webkit-changes] [285036] trunk/Source/WTF

2021-10-29 Thread sbarati
Title: [285036] trunk/Source/WTF








Revision 285036
Author sbar...@apple.com
Date 2021-10-29 10:17:22 -0700 (Fri, 29 Oct 2021)


Log Message
Disable ENABLE_JIT on arm64_32
https://bugs.webkit.org/show_bug.cgi?id=232468

Reviewed by Yusuke Suzuki.

We were disabling JIT via a runtime configuration before since we haven't
yet implemented the JIT on arm64_32. However, not compiling ENABLE(JIT)
code on arm64_32 saves 11MB in the binary size of _javascript_Core.

In my local compiles, I'm going from 24M to 13M.

* wtf/PlatformEnable.h:

Modified Paths

trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/PlatformEnable.h




Diff

Modified: trunk/Source/WTF/ChangeLog (285035 => 285036)

--- trunk/Source/WTF/ChangeLog	2021-10-29 16:50:16 UTC (rev 285035)
+++ trunk/Source/WTF/ChangeLog	2021-10-29 17:17:22 UTC (rev 285036)
@@ -1,3 +1,18 @@
+2021-10-29  Saam Barati  
+
+Disable ENABLE_JIT on arm64_32
+https://bugs.webkit.org/show_bug.cgi?id=232468
+
+Reviewed by Yusuke Suzuki.
+
+We were disabling JIT via a runtime configuration before since we haven't
+yet implemented the JIT on arm64_32. However, not compiling ENABLE(JIT)
+code on arm64_32 saves 11MB in the binary size of _javascript_Core.
+
+In my local compiles, I'm going from 24M to 13M.
+
+* wtf/PlatformEnable.h:
+
 2021-10-28  Adrian Perez de Castro  
 
 [WTF] Use mcontext_t on OpenBSD


Modified: trunk/Source/WTF/wtf/PlatformEnable.h (285035 => 285036)

--- trunk/Source/WTF/wtf/PlatformEnable.h	2021-10-29 16:50:16 UTC (rev 285035)
+++ trunk/Source/WTF/wtf/PlatformEnable.h	2021-10-29 17:17:22 UTC (rev 285036)
@@ -576,7 +576,7 @@
 #endif
 
 /* The JIT is enabled by default on all x86-64 & ARM64 platforms. */
-#if !defined(ENABLE_JIT) && (CPU(X86_64) || CPU(ARM64)) && !CPU(APPLE_ARMV7K)
+#if !defined(ENABLE_JIT) && (CPU(X86_64) || (CPU(ARM64) && CPU(ADDRESS64)))
 #define ENABLE_JIT 1
 #endif
 
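Review bot: the new condition `CPU(X86_64) || (CPU(ARM64) && CPU(ADDRESS64))` drops the explicit `!CPU(APPLE_ARMV7K)` exclusion; that is sound only because armv7k matches neither `X86_64` nor `ARM64`, and a one-line comment saying so, and that `ADDRESS64` is what now excludes arm64_32, would save the next reader from re-deriving it. The comment on the line above still says "enabled by default on all x86-64 & ARM64 platforms"; update it to say 64-bit-address ARM64.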
@@ -600,7 +600,7 @@
 #endif
 
 #if !defined(ENABLE_C_LOOP)
-#if ENABLE(JIT) || CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
+#if ENABLE(JIT) || CPU(X86_64) || CPU(ARM64)
 #define ENABLE_C_LOOP 0
 #else
 #define ENABLE_C_LOOP 1
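Review bot: with this hunk arm64_32 gets `ENABLE_C_LOOP 0` while the hunk above leaves `ENABLE_JIT` undefined there, so that platform now runs the assembly LLInt with no JIT tier; the old `!defined(__ILP32__)` guard was what kept ILP32 ARM64 on the C loop, so confirm the offlineasm ARM64 backend is built and tested for ILP32 before landing, or keep the `__ILP32__` exclusion if it is not.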









[webkit-changes] [285004] trunk/Source/JavaScriptCore

2021-10-28 Thread sbarati
Title: [285004] trunk/Source/_javascript_Core








Revision 285004
Author sbar...@apple.com
Date 2021-10-28 14:22:35 -0700 (Thu, 28 Oct 2021)


Log Message
Don't call type() on Structure, instead call type() on its typeInfo()
https://bugs.webkit.org/show_bug.cgi?id=232414

Reviewed by Yusuke Suzuki.

* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* runtime/Structure.h:
(JSC::Structure::type):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGOperations.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/runtime/Structure.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (285003 => 285004)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-28 21:21:39 UTC (rev 285003)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-28 21:22:35 UTC (rev 285004)
@@ -1,3 +1,19 @@
+2021-10-28  Saam Barati  
+
+Don't call type() on Structure, instead call type() on its typeInfo()
+https://bugs.webkit.org/show_bug.cgi?id=232414
+
+Reviewed by Yusuke Suzuki.
+
+* dfg/DFGOperations.cpp:
+(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+* runtime/Structure.h:
+(JSC::Structure::type):
+
 2021-10-27  Dmitry Bezhetskov  
 
 [WASM-Function-References] Add call_ref spec tests


Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (285003 => 285004)

--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-10-28 21:21:39 UTC (rev 285003)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-10-28 21:22:35 UTC (rev 285004)
@@ -3114,7 +3114,7 @@
 length * sizeof(EncodedJSValue));
 }
 
-if (structure->type() == JSType::ArrayType)
+if (structure->typeInfo().type() == JSType::ArrayType)
 return bitwise_cast(JSArray::createWithButterfly(vm, nullptr, structure, butterfly));
 return bitwise_cast(JSFinalObject::createWithButterfly(vm, structure, butterfly));
 }
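Review bot: `structure->typeInfo().type()` is now spelled out in three places in this file (this hunk and the two below) plus the DFG and FTL allocation paths; if `Structure::type()` is going away (the ChangeLog lists `JSC::Structure::type` under runtime/Structure.h), a small helper on `Structure` (name up to you) that answers "is this an array structure" would keep the call sites in sync. Also confirm no caller of `Structure::type()` remains in files this patch does not touch.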
@@ -3130,7 +3130,7 @@
 vm, nullptr, 0, structure->outOfLineCapacity(), false, IndexingHeader(), 0);
 }
 
-if (structure->type() == JSType::ArrayType)
+if (structure->typeInfo().type() == JSType::ArrayType)
 return JSArray::createWithButterfly(vm, nullptr, structure, butterfly);
 return JSFinalObject::createWithButterfly(vm, structure, butterfly);
 }
@@ -3152,7 +3152,7 @@
 sizeof(EncodedJSValue) * length);
 }
 
-if (structure->type() == JSType::ArrayType)
+if (structure->typeInfo().type() == JSType::ArrayType)
 return JSArray::createWithButterfly(vm, nullptr, structure, butterfly);
 return JSFinalObject::createWithButterfly(vm, structure, butterfly);
 }


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (285003 => 285004)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-10-28 21:21:39 UTC (rev 285003)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-10-28 21:22:35 UTC (rev 285004)
@@ -134,7 +134,7 @@
 }
 
 Allocator allocator;
-if (structure->type() == JSType::ArrayType)
+if (structure->typeInfo().type() == JSType::ArrayType)
 allocator = allocatorForNonVirtualConcurrently(vm, JSArray::allocationSize(inlineCapacity), AllocatorForMode::AllocatorIfExists);
 else
 allocator = allocatorForNonVirtualConcurrently(vm, JSFinalObject::allocationSize(inlineCapacity), AllocatorForMode::AllocatorIfExists);


Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (285003 => 285004)

--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-10-28 21:21:39 UTC (rev 285003)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-10-28 21:22:35 UTC (rev 285004)
@@ -13866,7 +13866,7 @@
 
 if (structure->outOfLineCapacity() || hasIndexedProperties(structure->indexingType())) {
 Allocator cellAllocator;
-if (structure->type() == JSType::ArrayType)
+if (structure->typeInfo().type() == JSType::ArrayType)
 cellAllocator = allocatorForNonVirtualConcurrently(vm(), JSArray::allocationSize(structure->inlineCapacity()), AllocatorForMode::AllocatorIfExists);
 else
 cellAllocator = allocatorForNonVirtualConcurrently(vm(), JSFinalObject::allocationSize(structure->inlineCapacity()), AllocatorForMode::AllocatorIfExists);


Modified: trunk/Source/_javascript_Core/runtime/Structure.h (285003 => 285004)

--- trunk/Source/_javascript_Core/runtime/Structure.h	2021-10-28 21:21:39 UTC (rev 

[webkit-changes] [284699] trunk/Source/JavaScriptCore

2021-10-22 Thread sbarati
Title: [284699] trunk/Source/_javascript_Core








Revision 284699
Author sbar...@apple.com
Date 2021-10-22 11:23:09 -0700 (Fri, 22 Oct 2021)


Log Message
canDoFastSpread should also check that the Structure is from the global object we're watching
https://bugs.webkit.org/show_bug.cgi?id=231976


Reviewed by Keith Miller.

Just reorder the checks for clarity.

* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::canDoFastSpread):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGGraph.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (284698 => 284699)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-22 18:22:22 UTC (rev 284698)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-22 18:23:09 UTC (rev 284699)
@@ -1,3 +1,16 @@
+2021-10-22  Saam Barati  
+
+canDoFastSpread should also check that the Structure is from the global object we're watching
+https://bugs.webkit.org/show_bug.cgi?id=231976
+
+
+Reviewed by Keith Miller.
+
+Just reorder the checks for clarity.
+
+* dfg/DFGGraph.cpp:
+(JSC::DFG::Graph::canDoFastSpread):
+
 2021-10-22  Robin Morisset  
 
 --reportBytecodeCompileTimes=1 should correctly report the bytecode size


Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (284698 => 284699)

--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2021-10-22 18:22:22 UTC (rev 284698)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2021-10-22 18:23:09 UTC (rev 284699)
@@ -1847,8 +1847,8 @@
 ArrayPrototype* arrayPrototype = globalObject->arrayPrototype();
 bool allGood = true;
 value.m_structure.forEach([&] (RegisteredStructure structure) {
-allGood &= structure->hasMonoProto()
-&& structure->globalObject() == globalObject
+allGood &= structure->globalObject() == globalObject 
+&& structure->hasMonoProto()
 && structure->storedPrototype() == arrayPrototype
 && !structure->isDictionary()
 && structure->getConcurrently(m_vm.propertyNames->iteratorSymbol.impl()) == invalidOffset
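Review bot: the reorder is behaviour-preserving since all the predicates are side-effect free, and putting `structure->globalObject() == globalObject` first makes the realm check the cheapest gate; the `+allGood &= structure->globalObject() == globalObject ` line carries trailing whitespace, which check-webkit-style will flag. Note that `allGood &= ...` still evaluates the whole right-hand chain for every structure even once `allGood` is false; an early `if (!allGood) return;` at the top of the lambda would be a minor saving.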








[webkit-changes] [284664] trunk/Source

2021-10-21 Thread sbarati
Title: [284664] trunk/Source








Revision 284664
Author sbar...@apple.com
Date 2021-10-21 21:31:45 -0700 (Thu, 21 Oct 2021)


Log Message
Clean up some code around checking the state of Watchpoints
https://bugs.webkit.org/show_bug.cgi?id=232111

Reviewed by Yusuke Suzuki.

Source/_javascript_Core:

No need to have state() and stateOnJSThread(), since they're now the same.
Also, there is no need to check the allocation watchpoint twice for the
function/internal function allocation profiles.

* bytecode/Watchpoint.h:
(JSC::WatchpointSet::isStillValid const):
(JSC::WatchpointSet::stateOnJSThread const): Deleted.
(JSC::WatchpointSet::isStillValidOnJSThread const): Deleted.
(JSC::InlineWatchpointSet::stateOnJSThread const): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* runtime/ArrayPrototype.cpp:
(JSC::speciesWatchpointIsValid):
(JSC::canUseDefaultArrayJoinForToString):
* runtime/InferredValue.h:
(JSC::InferredValue::notifyWrite):
(JSC::InferredValue::stateOnJSThread const): Deleted.
* runtime/JSArrayBufferPrototypeInlines.h:
(JSC::speciesWatchpointIsValid):
* runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:

Source/WebCore:

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlot):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/Watchpoint.h
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h
trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp
trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp
trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp
trunk/Source/_javascript_Core/runtime/InferredValue.h
trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototypeInlines.h
trunk/Source/_javascript_Core/runtime/ObjectPropertyChangeAdaptiveWatchpoint.h
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (284663 => 284664)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-22 02:15:01 UTC (rev 284663)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-22 04:31:45 UTC (rev 284664)
@@ -1,3 +1,36 @@
+2021-10-21  Saam Barati  
+
+Clean up some code around checking the state of Watchpoints
+https://bugs.webkit.org/show_bug.cgi?id=232111
+
+Reviewed by Yusuke Suzuki.
+
+No need to have state() and stateOnJSThread(), since they're now the same.
+Also, there is no need to check the allocation watchpoint twice for the
+function/internal function allocation profiles.
+
+* bytecode/Watchpoint.h:
+(JSC::WatchpointSet::isStillValid const):
+(JSC::WatchpointSet::stateOnJSThread const): Deleted.
+(JSC::WatchpointSet::isStillValidOnJSThread const): Deleted.
+(JSC::InlineWatchpointSet::stateOnJSThread const): Deleted.
+* dfg/DFGAbstractInterpreterInlines.h:
+(JSC::DFG::AbstractInterpreter::executeEffects):
+* dfg/DFGByteCodeParser.cpp:
+(JSC::DFG::ByteCodeParser::parseBlock):
+(JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject):
+* dfg/DFGConstantFoldingPhase.cpp:
+(JSC::DFG::ConstantFoldingPhase::foldConstants):
+* runtime/ArrayPrototype.cpp:
+(JSC::speciesWatchpointIsValid):
+(JSC::canUseDefaultArrayJoinForToString):
+* runtime/InferredValue.h:
+(JSC::InferredValue::notifyWrite):
+(JSC::InferredValue::stateOnJSThread const): Deleted.
+* runtime/JSArrayBufferPrototypeInlines.h:
+(JSC::speciesWatchpointIsValid):
+* runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
+
 2021-10-21  Mark Lam  
 
 Remove an unused field: Heap::m_copyingRememberedSet.


Modified: trunk/Source/_javascript_Core/bytecode/Watchpoint.h (284663 => 284664)

--- trunk/Source/_javascript_Core/bytecode/Watchpoint.h	2021-10-22 02:15:01 UTC (rev 284663)
+++ trunk/Source/_javascript_Core/bytecode/Watchpoint.h	2021-10-22 04:31:45 UTC (rev 284664)
@@ -190,17 +190,14 @@
 return adoptRef(*new WatchpointSet(state));
 }
 
-// Fast way of getting the state, which only works from the main thread.
-WatchpointState stateOnJSThread() const
-{
-return static_cast(m_state);
-}
-
-// It is safe to call this from another thread. It may return an old
-// state. Guarantees that if *first* read the state() of the thing being
-// watched and it returned IsWatched and *second* you actually read its
-// value then it's safe to assume that if the state being watched changes
-// then also the watchpoint state() will change to IsInvalidated.
+// It is always safe to call this from the main thread.
+// It is also safe to call this 
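Review bot: the deleted comment block documented the cross-thread ordering guarantee (read `state()` first, then the watched value; if the watched value changes, a later `state()` read observes `IsInvalidated`); the replacement comment is cut off in this archive after "It is also safe to call this", so make sure that guarantee is still spelled out, since it is what compiler-thread callers such as `speciesWatchpointIsValid` in the ChangeLog rely on now that `stateOnJSThread()` is gone.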

[webkit-changes] [284506] trunk/Source/JavaScriptCore

2021-10-19 Thread sbarati
Title: [284506] trunk/Source/_javascript_Core








Revision 284506
Author sbar...@apple.com
Date 2021-10-19 15:48:26 -0700 (Tue, 19 Oct 2021)


Log Message
canDoFastSpread should also check that the Structure is from the global object we're watching
https://bugs.webkit.org/show_bug.cgi?id=231976


Reviewed by Keith Miller.

* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::canDoFastSpread):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGGraph.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (284505 => 284506)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-19 22:37:56 UTC (rev 284505)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-19 22:48:26 UTC (rev 284506)
@@ -1,3 +1,14 @@
+2021-10-19  Saam Barati  
+
+canDoFastSpread should also check that the Structure is from the global object we're watching
+https://bugs.webkit.org/show_bug.cgi?id=231976
+
+
+Reviewed by Keith Miller.
+
+* dfg/DFGGraph.cpp:
+(JSC::DFG::Graph::canDoFastSpread):
+
 2021-10-19  Chris Dumez  
 
 [clang 13] Suppress sign comparison warnings


Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (284505 => 284506)

--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2021-10-19 22:37:56 UTC (rev 284505)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2021-10-19 22:48:26 UTC (rev 284506)
@@ -1843,10 +1843,12 @@
 if (!value.m_structure.isFinite())
 return false;
 
-ArrayPrototype* arrayPrototype = globalObjectFor(node->child1()->origin.semantic)->arrayPrototype();
+JSGlobalObject* globalObject = globalObjectFor(node->child1()->origin.semantic);
+ArrayPrototype* arrayPrototype = globalObject->arrayPrototype();
 bool allGood = true;
 value.m_structure.forEach([&] (RegisteredStructure structure) {
 allGood &= structure->hasMonoProto()
+&& structure->globalObject() == globalObject
 && structure->storedPrototype() == arrayPrototype
 && !structure->isDictionary()
 && structure->getConcurrently(m_vm.propertyNames->iteratorSymbol.impl()) == invalidOffset
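Review bot: this correctness fix to canDoFastSpread ships without a regression test; Modified Paths lists only ChangeLog and DFGGraph.cpp. The new `&& structure->globalObject() == globalObject` guard matters because the fast-spread watchpoints are installed on one global object's ArrayPrototype, so a Structure belonging to another realm could previously satisfy the `storedPrototype() == arrayPrototype` check while its own realm's state was not being watched. A stress test that spreads an array created in a different global object would pin the new check down.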






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [284396] trunk/Source/JavaScriptCore

2021-10-18 Thread sbarati
Title: [284396] trunk/Source/_javascript_Core

Revision 284396
Author sbar...@apple.com
Date 2021-10-18 13:41:50 -0700 (Mon, 18 Oct 2021)


Log Message
Don't load metadata base pointer in EXTRA_CTI_THUNKS
https://bugs.webkit.org/show_bug.cgi?id=231850

Reviewed by Yusuke Suzuki.

We were loading the metadata table base pointer dynamically. But in
unlinked baseline JIT, it's already pinned in a register. Let's just
use the register instead of recomputing what's already there. This is
a small speedup in throughput of unlinked baseline JIT code for scope
operations.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::generateOpResolveScopeThunk):
(JSC::JIT::generateOpGetFromScopeThunk):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (284395 => 284396)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-18 20:34:22 UTC (rev 284395)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-18 20:41:50 UTC (rev 284396)
@@ -1,3 +1,20 @@
+2021-10-18  Saam Barati  
+
+Don't load metadata base pointer in EXTRA_CTI_THUNKS
+https://bugs.webkit.org/show_bug.cgi?id=231850
+
+Reviewed by Yusuke Suzuki.
+
+We were loading the metadata table base pointer dynamically. But in
+unlinked baseline JIT, it's already pinned in a register. Let's just
+use the register instead of recomputing what's already there. This is
+a small speedup in throughput of unlinked baseline JIT code for scope
+operations.
+
+* jit/JITPropertyAccess.cpp:
+(JSC::JIT::generateOpResolveScopeThunk):
+(JSC::JIT::generateOpGetFromScopeThunk):
+
 2021-10-18  Yusuke Suzuki  
 
 [JSC] Use USE(LARGE_TYPED_ARRAY)


Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (284395 => 284396)

--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2021-10-18 20:34:22 UTC (rev 284395)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2021-10-18 20:41:50 UTC (rev 284396)
@@ -1961,7 +1961,7 @@
 if (profiledResolveType == ModuleVar) 
 loadPtrFromMetadata(bytecode, OpResolveScope::Metadata::offsetOfLexicalEnvironment(), regT0);
 else {
-ptrdiff_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode);
+uint32_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode);
 
 constexpr GPRReg metadataGPR = regT2;
 constexpr GPRReg scopeGPR = regT0;
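Review bot: `metadataOffset` changes from ptrdiff_t to uint32_t so that it fits a TrustedImm32 below; if `offsetInMetadataTable()` still returns a wider signed type this is a silent narrowing conversion. Either make the helper return uint32_t as well or add an ASSERT that the value is non-negative and fits in 32 bits before the conversion.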
@@ -1968,7 +1968,8 @@
 constexpr GPRReg bytecodeOffsetGPR = regT5;
 
 emitGetVirtualRegister(scope, scopeGPR);
-move(TrustedImmPtr(metadataOffset), metadataGPR);
+addPtr(TrustedImm32(metadataOffset), s_metadataGPR, metadataGPR);
+
 move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
 
 MacroAssemblerCodeRef code;
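Review bot: `addPtr(TrustedImm32(metadataOffset), s_metadataGPR, metadataGPR)` makes the emitted code depend on s_metadataGPR being pinned and live at this point, and on metadataGPR (regT2) not aliasing it. A static_assert or ASSERT that `metadataGPR != s_metadataGPR` next to the constexpr register choices would document that invariant cheaply.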
@@ -2015,10 +2016,6 @@
 
 jit.tagReturnAddress();
 
-jit.loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
-jit.loadPtr(Address(regT3, CodeBlock::offsetOfMetadataTable()), regT3);
-jit.addPtr(regT3, metadataGPR);
-
 JumpList slowCase;
 
 auto doVarInjectionCheck = [&] (bool needsVarInjectionChecks, GPRReg globalObjectGPR = InvalidGPRReg) {
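Review bot: with the CodeBlock::offsetOfMetadataTable() loads removed, the resolve-scope thunk is only correct when entered from unlinked baseline code that has s_metadataGPR pinned, and metadataGPR now arrives holding an absolute pointer rather than an offset. A comment at the top of the thunk stating that precondition would help the next reader, since the thunk body no longer shows where the base comes from.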
@@ -2368,10 +2365,10 @@
 constexpr GPRReg scopeGPR = regT2;
 constexpr GPRReg bytecodeOffsetGPR = regT5;
 
-ptrdiff_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode);
+uint32_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode);
 
 emitGetVirtualRegister(scope, scopeGPR);
-move(TrustedImmPtr(metadataOffset), metadataGPR);
+addPtr(TrustedImm32(metadataOffset), s_metadataGPR, metadataGPR);
 move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
 
 MacroAssemblerCodeRef code;
@@ -2411,10 +2408,6 @@
 
 jit.tagReturnAddress();
 
-jit.loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
-jit.loadPtr(Address(regT3, CodeBlock::offsetOfMetadataTable()), regT3);
-jit.addPtr(regT3, metadataGPR);
-
 JumpList slowCase;
 
 auto doVarInjectionCheck = [&] (bool needsVarInjectionChecks) {
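Review bot: the three removed regT3 loads were the only thing in generateOpGetFromScopeThunk that turned the incoming offset into a pointer, so metadataGPR must now already hold `s_metadataGPR + offset` on entry; that precondition deserves a comment at the thunk head. Also check whether regT3 is still reserved or listed as clobbered anywhere in this thunk now that nothing writes it here.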








[webkit-changes] [284224] trunk/Source/JavaScriptCore

2021-10-14 Thread sbarati
Title: [284224] trunk/Source/_javascript_Core

Revision 284224
Author sbar...@apple.com
Date 2021-10-14 18:49:44 -0700 (Thu, 14 Oct 2021)


Log Message
Make unlinked Baseline JIT scope operations bias the order of checks to the ResolveType that profiling tells us we are likely to be
https://bugs.webkit.org/show_bug.cgi?id=231715

Reviewed by Yusuke Suzuki.

This is a small throughput win in the code generated by unlinked baseline JIT.

* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::generateOpResolveScopeThunk):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::generateOpGetFromScopeThunk):
(JSC::JIT::emit_op_put_to_scope):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JIT.h
trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (284223 => 284224)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-15 01:44:56 UTC (rev 284223)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-15 01:49:44 UTC (rev 284224)
@@ -1,3 +1,20 @@
+2021-10-14  Saam Barati  
+
+Make unlinked Baseline JIT scope operations bias the order of checks to the ResolveType that profiling tells us we are likely to be
+https://bugs.webkit.org/show_bug.cgi?id=231715
+
+Reviewed by Yusuke Suzuki.
+
+This is a small throughout win in the code generated by unlinked baseline JIT.
+
+* jit/JIT.h:
+* jit/JITPropertyAccess.cpp:
+(JSC::JIT::emit_op_resolve_scope):
+(JSC::JIT::generateOpResolveScopeThunk):
+(JSC::JIT::emit_op_get_from_scope):
+(JSC::JIT::generateOpGetFromScopeThunk):
+(JSC::JIT::emit_op_put_to_scope):
+
 2021-10-14  Alex Christensen  
 
 Remove Variant.h


Modified: trunk/Source/_javascript_Core/jit/JIT.h (284223 => 284224)

--- trunk/Source/_javascript_Core/jit/JIT.h	2021-10-15 01:44:56 UTC (rev 284223)
+++ trunk/Source/_javascript_Core/jit/JIT.h	2021-10-15 01:49:44 UTC (rev 284224)
@@ -751,8 +751,10 @@
 
 static MacroAssemblerCodeRef slow_op_get_from_scopeGenerator(VM&);
 static MacroAssemblerCodeRef slow_op_resolve_scopeGenerator(VM&);
-static MacroAssemblerCodeRef generateOpGetFromScopeThunk(VM&, std::optional, const char* thunkName);
-static MacroAssemblerCodeRef generateOpResolveScopeThunk(VM&, std::optional, const char* thunkName);
+template 
+static MacroAssemblerCodeRef generateOpGetFromScopeThunk(VM&);
+template 
+static MacroAssemblerCodeRef generateOpResolveScopeThunk(VM&);
 #endif // ENABLE(EXTRA_CTI_THUNKS)
 
 Jump getSlowCase(Vector::iterator& iter)
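Review bot: dropping the `const char* thunkName` parameter from generateOpGetFromScopeThunk and generateOpResolveScopeThunk means the per-ResolveType name strings ("Baseline: op_resolve_scope ClosureVar" and so on) must now be derived inside the template. Make sure each instantiation still registers a distinct, human-readable name for its CTI stub, otherwise the thunks become indistinguishable in disassembly and profiling output.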


Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (284223 => 284224)

--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2021-10-15 01:44:56 UTC (rev 284223)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2021-10-15 01:49:44 UTC (rev 284224)
@@ -1963,18 +1963,6 @@
 else {
 ptrdiff_t metadataOffset = m_unlinkedCodeBlock->metadata().offsetInMetadataTable(bytecode);
 
-auto closureVarGenerator = [] (VM& vm) {
-return JIT::generateOpResolveScopeThunk(vm, ClosureVar, "Baseline: op_resolve_scope ClosureVar");
-};
-
-auto closureVarWithVarInjectionChecksGenerator = [] (VM& vm) {
-return JIT::generateOpResolveScopeThunk(vm, ClosureVarWithVarInjectionChecks, "Baseline: op_resolve_scope ClosureVarWithVarInjectionChecks");
-};
-
-auto genericResolveScopeGenerator = [] (VM& vm) {
-return JIT::generateOpResolveScopeThunk(vm, std::nullopt, "Baseline: op_resolve_scope generic");
-};
-
 constexpr GPRReg metadataGPR = regT2;
 constexpr GPRReg scopeGPR = regT0;
 constexpr GPRReg bytecodeOffsetGPR = regT5;
@@ -1985,11 +1973,24 @@
 
 MacroAssemblerCodeRef code;
 if (profiledResolveType == ClosureVar)
-code = vm.getCTIStub(closureVarGenerator);
+code = vm.getCTIStub(generateOpResolveScopeThunk);
 else if (profiledResolveType == ClosureVarWithVarInjectionChecks)
-code = vm.getCTIStub(closureVarWithVarInjectionChecksGenerator);
+code = vm.getCTIStub(generateOpResolveScopeThunk);
+else if (profiledResolveType == GlobalVar)
+code = vm.getCTIStub(generateOpResolveScopeThunk);
+else if (profiledResolveType == GlobalProperty)
+code = vm.getCTIStub(generateOpResolveScopeThunk);
+else if (profiledResolveType == GlobalLexicalVar)
+code = vm.getCTIStub(generateOpResolveScopeThunk);
+else if (profiledResolveType == GlobalVarWithVarInjectionChecks)
+code = vm.getCTIStub(generateOpResolveScopeThunk);
+else if (profiledResolveType == GlobalPropertyWithVarInjectionChecks)
+code = vm.getCTIStub(generateOpResolveScopeThunk);
+else if (profiledResolveType == 
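Review bot: the growing `if / else if` chain over profiledResolveType in emit_op_resolve_scope selects one template instantiation per enumerator; a `switch (profiledResolveType)` would let the compiler flag an unhandled ResolveType when the enum grows. The final fallback (cut off in this hunk) should remain the generic thunk so that an unprofiled or unexpected value never leaves `code` empty.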

[webkit-changes] [284036] trunk/Source/JavaScriptCore

2021-10-12 Thread sbarati
Title: [284036] trunk/Source/_javascript_Core

Revision 284036
Author sbar...@apple.com
Date 2021-10-12 14:51:35 -0700 (Tue, 12 Oct 2021)


Log Message
Fix spec-correctness when inlining __proto__ intrinsic using get_by_id_with_this
https://bugs.webkit.org/show_bug.cgi?id=231559

Reviewed by Yusuke Suzuki.

My original fix in r283512 has some theoretical spec correctness issues.
I'm not sure if they can be materialized or not since we only use
get_by_id_with_this in very limited scenarios. However, this patch just
makes it so we call the getter instead of attempting to inline it
when using get_by_id_with_this.

* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitLoadPrototypeWithoutCheck): Deleted.
* jit/AssemblyHelpers.h:
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp
trunk/Source/_javascript_Core/jit/AssemblyHelpers.h
trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (284035 => 284036)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-12 21:46:35 UTC (rev 284035)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-12 21:51:35 UTC (rev 284036)
@@ -1,3 +1,23 @@
+2021-10-12  Saam Barati  
+
+Fix spec-correctness when inlining __proto__ intrinsic using get_by_id_with_this
+https://bugs.webkit.org/show_bug.cgi?id=231559
+
+Reviewed by Yusuke Suzuki.
+
+My original fix in r283512 has some theoretical spec correctness issues.
+I'm not sure if they can be materialized or not since we only use
+get_by_id_with_this in very limited scenarios. However, this patch just
+makes it so we call the getter instead of attempting to inline it
+when using get_by_id_with_this.
+
+* jit/AssemblyHelpers.cpp:
+(JSC::AssemblyHelpers::emitLoadPrototypeWithoutCheck): Deleted.
+* jit/AssemblyHelpers.h:
+* jit/IntrinsicEmitter.cpp:
+(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
+(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+
 2021-10-12  Alex Christensen  
 
 Use STL instead of WTF::get_if, WTF::Monostate, WTF::visit, and WTF::holds_alternative


Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp (284035 => 284036)

--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp	2021-10-12 21:46:35 UTC (rev 284035)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp	2021-10-12 21:51:35 UTC (rev 284036)
@@ -435,36 +435,6 @@
 hasMonoProto.link(this);
 }
 
-void AssemblyHelpers::emitLoadPrototypeWithoutCheck(VM& vm, GPRReg objectGPR, JSValueRegs resultRegs, GPRReg scratchGPR, GPRReg scratch2GPR)
-{
-ASSERT(objectGPR != scratchGPR);
-ASSERT(objectGPR != scratch2GPR);
-ASSERT(resultRegs.payloadGPR() != scratchGPR);
-ASSERT(resultRegs.payloadGPR() != scratch2GPR);
-#if USE(JSVALUE32_64)
-ASSERT(resultRegs.tagGPR() != scratchGPR);
-ASSERT(resultRegs.tagGPR() != scratch2GPR);
-#endif
-
-emitLoadStructure(vm, objectGPR, scratchGPR, scratch2GPR);
-#if USE(JSVALUE64)
-loadValue(MacroAssembler::Address(scratchGPR, Structure::prototypeOffset()), JSValueRegs(scratch2GPR));
-#else
-load32(MacroAssembler::Address(scratchGPR, Structure::prototypeOffset() + TagOffset), scratch2GPR);
-#endif
-auto hasMonoProto = branchIfNotEmpty(scratch2GPR);
-loadValue(MacroAssembler::Address(objectGPR, offsetRelativeToBase(knownPolyProtoOffset)), resultRegs);
-auto done = jump();
-hasMonoProto.link(this);
-#if USE(JSVALUE64)
-move(scratch2GPR, resultRegs.payloadGPR());
-#else
-load32(MacroAssembler::Address(scratchGPR, Structure::prototypeOffset() + PayloadOffset), resultRegs.payloadGPR());
-move(scratch2GPR, resultRegs.tagGPR());
-#endif
-done.link(this);
-}
-
 void AssemblyHelpers::makeSpaceOnStackForCCall()
 {
 unsigned stackOffset = WTF::roundUpToMultipleOf(stackAlignmentBytes(), maxFrameExtentForSlowPathCall);
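Review bot: removing emitLoadPrototypeWithoutCheck deletes the one prototype load that bypassed the slow-path check its sibling emitLoadPrototype takes via `JumpList& slowPath`, which matches the log message's intent of calling the getter instead of inlining `__proto__` under get_by_id_with_this. Confirm that IntrinsicEmitter.cpp (truncated in this mail) no longer has a path that expected the unchecked variant, since this patch also drops the declaration from AssemblyHelpers.h.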


Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (284035 => 284036)

--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h	2021-10-12 21:46:35 UTC (rev 284035)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h	2021-10-12 21:51:35 UTC (rev 284036)
@@ -1530,7 +1530,6 @@
 
 void emitLoadStructure(VM&, RegisterID source, RegisterID dest, RegisterID scratch);
 void emitLoadPrototype(VM&, GPRReg objectGPR, JSValueRegs resultRegs, GPRReg scratchGPR, JumpList& slowPath);
-void emitLoadPrototypeWithoutCheck(VM&, GPRReg objectGPR, JSValueRegs resultRegs, GPRReg scratchGPR, GPRReg scratch2GPR);
 
 void emitStoreStructureWithTypeInfo(TrustedImmPtr structure, RegisterID dest, RegisterID)
 {


Modified: trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp (284035 => 284036)

--- 

[webkit-changes] [283970] trunk/Source

2021-10-12 Thread sbarati
Title: [283970] trunk/Source

Revision 283970
Author sbar...@apple.com
Date 2021-10-11 23:32:55 -0700 (Mon, 11 Oct 2021)


Log Message
Remove ImplicitAddress
https://bugs.webkit.org/show_bug.cgi?id=230820


Reviewed by Yusuke Suzuki.

Source/_javascript_Core:

Because we rely on implicit conversion from RegisterID to int values,
some compilers (aka MSVC) might convert a constant RegisterID that's passed in
to nullptr instead of calling the implicit constructor in ImplicitAddress.

For example, I got bit by this when I had code that did:
loadPtr(regT0, xyz)

This called the loadPtr(void*, RegisterID) function with nullptr passed as
the first argument instead of the loadPtr(ImplicitAddress, RegisterID)
function.

Let's avoid any such problems in the future by just not using ImplicitAddress.

* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::ImplicitAddress::ImplicitAddress): Deleted.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::pushToSave):
(JSC::MacroAssembler::popToRestore):
(JSC::MacroAssembler::loadPtr):
(JSC::MacroAssembler::storePtr):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::load64):
(JSC::MacroAssemblerARM64::load32):
(JSC::MacroAssemblerARM64::load16):
(JSC::MacroAssemblerARM64::load16Unaligned):
(JSC::MacroAssemblerARM64::load16SignedExtendTo32):
(JSC::MacroAssemblerARM64::load8):
(JSC::MacroAssemblerARM64::load8SignedExtendTo32):
(JSC::MacroAssemblerARM64::store64):
(JSC::MacroAssemblerARM64::store32):
(JSC::MacroAssemblerARM64::store16):
(JSC::MacroAssemblerARM64::store8):
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::loadFloat):
(JSC::MacroAssemblerARM64::storeDouble):
(JSC::MacroAssemblerARM64::storeFloat):
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
(JSC::MacroAssemblerARM64::popToRestore):
(JSC::MacroAssemblerARM64::pushToSave):
(JSC::MacroAssemblerARM64::storePtrWithPatch):
(JSC::MacroAssemblerARM64::loadAcq8SignedExtendTo32):
(JSC::MacroAssemblerARM64::loadAcq8):
(JSC::MacroAssemblerARM64::storeRel8):
(JSC::MacroAssemblerARM64::loadAcq16SignedExtendTo32):
(JSC::MacroAssemblerARM64::loadAcq16):
(JSC::MacroAssemblerARM64::storeRel16):
(JSC::MacroAssemblerARM64::loadAcq32):
(JSC::MacroAssemblerARM64::loadAcq64):
(JSC::MacroAssemblerARM64::storeRel32):
(JSC::MacroAssemblerARM64::storeRel64):
(JSC::MacroAssemblerARM64::loadLink8):
(JSC::MacroAssemblerARM64::loadLinkAcq8):
(JSC::MacroAssemblerARM64::storeCond8):
(JSC::MacroAssemblerARM64::storeCondRel8):
(JSC::MacroAssemblerARM64::loadLink16):
(JSC::MacroAssemblerARM64::loadLinkAcq16):
(JSC::MacroAssemblerARM64::storeCond16):
(JSC::MacroAssemblerARM64::storeCondRel16):
(JSC::MacroAssemblerARM64::loadLink32):
(JSC::MacroAssemblerARM64::loadLinkAcq32):
(JSC::MacroAssemblerARM64::storeCond32):
(JSC::MacroAssemblerARM64::storeCondRel32):
(JSC::MacroAssemblerARM64::loadLink64):
(JSC::MacroAssemblerARM64::loadLinkAcq64):
(JSC::MacroAssemblerARM64::storeCond64):
(JSC::MacroAssemblerARM64::storeCondRel64):
(JSC::MacroAssemblerARM64::extractSimpleAddress):
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::atomicXchgAdd8):
(JSC::MacroAssemblerARM64E::atomicXchgAdd16):
(JSC::MacroAssemblerARM64E::atomicXchgAdd32):
(JSC::MacroAssemblerARM64E::atomicXchgAdd64):
(JSC::MacroAssemblerARM64E::atomicXchgXor8):
(JSC::MacroAssemblerARM64E::atomicXchgXor16):
(JSC::MacroAssemblerARM64E::atomicXchgXor32):
(JSC::MacroAssemblerARM64E::atomicXchgXor64):
(JSC::MacroAssemblerARM64E::atomicXchgOr8):
(JSC::MacroAssemblerARM64E::atomicXchgOr16):
(JSC::MacroAssemblerARM64E::atomicXchgOr32):
(JSC::MacroAssemblerARM64E::atomicXchgOr64):
(JSC::MacroAssemblerARM64E::atomicXchgClear8):
(JSC::MacroAssemblerARM64E::atomicXchgClear16):
(JSC::MacroAssemblerARM64E::atomicXchgClear32):
(JSC::MacroAssemblerARM64E::atomicXchgClear64):
(JSC::MacroAssemblerARM64E::atomicXchg8):
(JSC::MacroAssemblerARM64E::atomicXchg16):
(JSC::MacroAssemblerARM64E::atomicXchg32):
(JSC::MacroAssemblerARM64E::atomicXchg64):
(JSC::MacroAssemblerARM64E::atomicStrongCAS8):
(JSC::MacroAssemblerARM64E::atomicStrongCAS16):
(JSC::MacroAssemblerARM64E::atomicStrongCAS32):
(JSC::MacroAssemblerARM64E::atomicStrongCAS64):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::or8):
(JSC::MacroAssemblerARMv7::or16):
(JSC::MacroAssemblerARMv7::or32):
(JSC::MacroAssemblerARMv7::load32):
(JSC::MacroAssemblerARMv7::load8):
(JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
(JSC::MacroAssemblerARMv7::load16):
(JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
(JSC::MacroAssemblerARMv7::store32):
(JSC::MacroAssemblerARMv7::store16):
(JSC::MacroAssemblerARMv7::loadDouble):
(JSC::MacroAssemblerARMv7::loadFloat):
(JSC::MacroAssemblerARMv7::storeDouble):
(JSC::MacroAssemblerARMv7::storeFloat):
(JSC::MacroAssemblerARMv7::storePtrWithPatch):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::load8):
(JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
(JSC::MacroAssemblerMIPS::load32):

[webkit-changes] [283954] trunk/Source/JavaScriptCore

2021-10-11 Thread sbarati
Title: [283954] trunk/Source/_javascript_Core

Revision 283954
Author sbar...@apple.com
Date 2021-10-11 17:33:18 -0700 (Mon, 11 Oct 2021)


Log Message
Share more code that uses ScratchRegisterAllocator in the ICs
https://bugs.webkit.org/show_bug.cgi?id=231125


Reviewed by Sam Weinig.

We had the same code to allocate a scratch register allocator copy pasted
all over the IC code. This patch refactors that to use a shared helper.

Also, Delete was using a ScratchRegisterAllocator for no reason (it never
allocated a scratch register), so I deleted that code.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::emitDOMJITGetter):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessGenerationState::makeDefaultScratchAllocator):
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/AccessCase.cpp
trunk/Source/_javascript_Core/bytecode/GetterSetterAccessCase.cpp
trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp
trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h
trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (283953 => 283954)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-12 00:09:14 UTC (rev 283953)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-12 00:33:18 UTC (rev 283954)
@@ -1,5 +1,31 @@
 2021-10-11  Saam Barati  
 
+Share more code that uses ScratchRegisterAllocator in the ICs
+https://bugs.webkit.org/show_bug.cgi?id=231125
+
+
+Reviewed by Sam Weinig.
+
+We had the same code to allocate a scratch register allocator copy pasted
+all over the IC code. This patch refactors that to use a shared helper.
+
+Also, Delete was using a ScratchRegisterAllocator for no reason (it never
+allocated a scratch register), so I deleted that code.
+
+* bytecode/AccessCase.cpp:
+(JSC::AccessCase::generateWithGuard):
+(JSC::AccessCase::generateImpl):
+* bytecode/GetterSetterAccessCase.cpp:
+(JSC::GetterSetterAccessCase::emitDOMJITGetter):
+* bytecode/PolymorphicAccess.cpp:
+(JSC::AccessGenerationState::makeDefaultScratchAllocator):
+(JSC::PolymorphicAccess::regenerate):
+* bytecode/PolymorphicAccess.h:
+* jit/IntrinsicEmitter.cpp:
+(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+
+2021-10-11  Saam Barati  
+
 Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
 https://bugs.webkit.org/show_bug.cgi?id=231465
 


Modified: trunk/Source/_javascript_Core/bytecode/AccessCase.cpp (283953 => 283954)

--- trunk/Source/_javascript_Core/bytecode/AccessCase.cpp	2021-10-12 00:09:14 UTC (rev 283953)
+++ trunk/Source/_javascript_Core/bytecode/AccessCase.cpp	2021-10-12 00:33:18 UTC (rev 283954)
@@ -1098,14 +1098,7 @@
 jit.load8(CCallHelpers::Address(baseGPR, JSCell::typeInfoTypeOffset()), scratchGPR);
 fallThrough.append(jit.branch32(CCallHelpers::NotEqual, scratchGPR, CCallHelpers::TrustedImm32(ScopedArgumentsType)));
 
-ScratchRegisterAllocator allocator(stubInfo.usedRegisters);
-allocator.lock(stubInfo.baseRegs());
-allocator.lock(valueRegs);
-allocator.lock(stubInfo.propertyRegs());
-if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
-allocator.lock(stubInfo.m_stubInfoGPR);
-ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
-allocator.lock(scratchGPR);
+auto allocator = state.makeDefaultScratchAllocator(scratchGPR);
 
 GPRReg scratch2GPR = allocator.allocateScratchGPR();
 GPRReg scratch3GPR = allocator.allocateScratchGPR();
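Review bot: the replaced block carried `ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg)` alongside the locks; `state.makeDefaultScratchAllocator(scratchGPR)` should either keep that assertion or lock m_arrayProfileGPR when it is valid, otherwise a future caller with a live array-profile register could have it handed out as a scratch and silently clobbered.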
@@ -1198,14 +1191,7 @@
 jit.load32(CCallHelpers::Address(baseGPR, JSArrayBufferView::offsetOfLength()), scratchGPR);
 state.failAndRepatch.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, scratchGPR));
 
-ScratchRegisterAllocator allocator(stubInfo.usedRegisters);
-allocator.lock(stubInfo.baseRegs());
-allocator.lock(valueRegs);
-allocator.lock(stubInfo.propertyRegs());
-if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
-allocator.lock(stubInfo.m_stubInfoGPR);
-ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
-allocator.lock(scratchGPR);
+auto allocator = state.makeDefaultScratchAllocator(scratchGPR);
 GPRReg scratch2GPR = allocator.allocateScratchGPR();
 
 ScratchRegisterAllocator::PreservedState preservedState = allocator.preserveReusedRegistersByPushing(
@@ -1284,14 +1270,7 @@
 
 

[webkit-changes] [283938] trunk

2021-10-11 Thread sbarati
Title: [283938] trunk

Revision 283938
Author sbar...@apple.com
Date 2021-10-11 14:45:29 -0700 (Mon, 11 Oct 2021)


Log Message
Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
https://bugs.webkit.org/show_bug.cgi?id=231465


Reviewed by Yusuke Suzuki.

JSTests:

* stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added.
(foo):

Source/_javascript_Core:

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp


Added Paths

trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js




Diff

Modified: trunk/JSTests/ChangeLog (283937 => 283938)

--- trunk/JSTests/ChangeLog	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/JSTests/ChangeLog	2021-10-11 21:45:29 UTC (rev 283938)
@@ -1,3 +1,14 @@
+2021-10-11  Saam Barati  
+
+Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
+https://bugs.webkit.org/show_bug.cgi?id=231465
+
+
+Reviewed by Yusuke Suzuki.
+
+* stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added.
+(foo):
+
 2021-10-09  Yusuke Suzuki  
 
 [JSC] Refine RegExp#compile based on regexp-legacy-features proposal


Added: trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js (0 => 283938)

--- trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js	(rev 0)
+++ trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js	2021-10-11 21:45:29 UTC (rev 283938)
@@ -0,0 +1,10 @@
+function foo(o) {
+for (let p in o) {
+o[p];
+}
+}
+
+for (let i=0; i<1; i++) {
+foo(new Uint32Array());
+foo({o:undefined});
+}
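Review bot: the driver loop runs a single iteration (`i<1`), so under default tiering foo() never reaches the DFG where the register-allocation bug lived; the test relies on the eager-compilation run configurations of the stress suite. If it is meant to reproduce under default options too, raise the iteration count or add a `//@ requireOptions(...)` directive, and a one-line comment naming the tier the test targets would help whoever next sees it fail.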


Modified: trunk/Source/_javascript_Core/ChangeLog (283937 => 283938)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-11 21:45:29 UTC (rev 283938)
@@ -1,3 +1,20 @@
+2021-10-11  Saam Barati  
+
+Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
+https://bugs.webkit.org/show_bug.cgi?id=231465
+
+
+Reviewed by Yusuke Suzuki.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
+(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+* dfg/DFGSpeculativeJIT.h:
+* dfg/DFGSpeculativeJIT64.cpp:
+(JSC::DFG::SpeculativeJIT::compile):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
 2021-10-11  Geza Lore  
 
 [JSC][ARMv7] Make LLInt CSR save/restore order match the JITs


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (283937 => 283938)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-10-11 21:45:29 UTC (rev 283938)
@@ -3325,19 +3325,20 @@
 }
 }
 
-void SpeculativeJIT::setIntTypedArrayLoadResult(Node* node, JSValueRegs resultRegs, TypedArrayType type, bool canSpeculate, bool shouldBox)
+void SpeculativeJIT::setIntTypedArrayLoadResult(Node* node, JSValueRegs resultRegs, TypedArrayType type, bool canSpeculate, bool shouldBox, FPRReg resultFPR)
 {
 bool isUInt32 = elementSize(type) == 4 && !isSigned(type);
+if (isUInt32)
+ASSERT(resultFPR != InvalidFPRReg);
 GPRReg resultReg = resultRegs.payloadGPR();
 
 if (shouldBox) {
 if (isUInt32) {
-FPRTemporary fresult(this);
-m_jit.convertInt32ToDouble(resultReg, fresult.fpr());
+m_jit.convertInt32ToDouble(resultReg, resultFPR);
 JITCompiler::Jump positive = m_jit.branch32(MacroAssembler::GreaterThanOrEqual, resultReg, TrustedImm32(0));
-m_jit.addDouble(JITCompiler::AbsoluteAddress(::twoToThe32), fresult.fpr());
+m_jit.addDouble(JITCompiler::AbsoluteAddress(::twoToThe32), resultFPR);
 positive.link(_jit);
-m_jit.boxDouble(fresult.fpr(), resultRegs);
+m_jit.boxDouble(resultFPR, resultRegs);
 } else
 m_jit.boxInt32(resultRegs.payloadGPR(), resultRegs);
 jsValueResult(resultRegs, node);
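Review bot: `if (isUInt32) ASSERT(resultFPR != InvalidFPRReg);` leaves an empty `if` body in release builds where ASSERT compiles away; write it as `ASSERT(!isUInt32 || resultFPR != InvalidFPRReg);` to avoid the dangling-if warning and keep a single statement. The new resultFPR parameter is otherwise a clean replacement for the FPRTemporary that was previously allocated inside a branch.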
@@ -3365,12 +3366,11 @@
 }
 #endif
 
-  

[webkit-changes] [283862] trunk/Source/JavaScriptCore

2021-10-08 Thread sbarati
Title: [283862] trunk/Source/_javascript_Core

Revision 283862
Author sbar...@apple.com
Date 2021-10-08 20:29:53 -0700 (Fri, 08 Oct 2021)


Log Message
Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
https://bugs.webkit.org/show_bug.cgi?id=230823


Reviewed by Yusuke Suzuki.

When I ported the phase to run right after bytecode parsing, I wanted
to maintain the same behavior as the prior pass that ran after CPS
rethreading. I noticed a slight bug in some of my logic that changed
some of the heuristics and how they'd affect double voting.

The old patch was mimicking the "is loaded from" bit by using the NodeFlags.
However, this has some issues with how this interacts with our other uses
of NodeFlags. So, to make things simple, I just add a new "VariableIsUsed"
bit.

* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (283861 => 283862)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-09 02:53:27 UTC (rev 283861)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-09 03:29:53 UTC (rev 283862)
@@ -1,3 +1,24 @@
+2021-10-08  Saam Barati  
+
+Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
+https://bugs.webkit.org/show_bug.cgi?id=230823
+
+
+Reviewed by Yusuke Suzuki.
+
+When I ported the phase to run right after bytecode parsing, I wanted
+to maintain the same behavior as the prior pass that ran after CPS
+rethreading. I noticed a slight bug in some of my logic that changed
+some of heuristics and how they'd effect double voting.
+
+The old patch was mimicking the "is loaded from" bit by using the NodeFlags.
+Howver, this has some issues with how this interacts with our other uses
+of NodeFlags. So, to make things simple, I just add a new "VariableIsUsed"
+bit.
+
+* dfg/DFGBackwardsPropagationPhase.cpp:
+(JSC::DFG::BackwardsPropagationPhase::propagate):
+
 2021-10-08  Tadeu Zagallo   and Keith Miller  
 
 Implement the WebAssembly exception handling proposal


Modified: trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp (283861 => 283862)

--- trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp	2021-10-09 02:53:27 UTC (rev 283861)
+++ trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp	2021-10-09 03:29:53 UTC (rev 283862)
@@ -32,6 +32,7 @@
 #include "DFGGraph.h"
 #include "DFGPhase.h"
 #include "JSCJSValueInlines.h"
+#include 
 
 namespace JSC { namespace DFG {
 
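Review bot: the header name on the new `+#include ` line is missing in this rendering of the diff, so it is not possible to confirm here which header supplies the `WTF::getMSBSetConstexpr` used by the `VariableIsUsed` hunk below; please check the committed file carries the intended include (the angle-bracketed name was most likely dropped by the archive).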
@@ -45,7 +46,7 @@
 , m_flagsAtHead(graph)
 {
 }
-
+
 bool run()
 {
 for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
@@ -214,6 +215,10 @@
 return changed;
 }
 
+static constexpr NodeFlags VariableIsUsed = 1 << (1 + WTF::getMSBSetConstexpr(NodeBytecodeBackPropMask));
+static_assert(!(VariableIsUsed & NodeBytecodeBackPropMask));
+static_assert(VariableIsUsed > NodeBytecodeBackPropMask, "Verify the above doesn't overflow");
+
 void propagate(Node* node)
 {
 NodeFlags flags = node->flags() & NodeBytecodeBackPropMask;
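Review bot: `VariableIsUsed` is a phase-private bit that only ever lives in `m_currentFlags`, and the SetLocal hunk below relies on `flags &= NodeBytecodeBackPropMask` to strip it before `variableAccessData->mergeFlags(flags)`. That contract deserves a one-line comment next to the constant: any future path that copies `m_currentFlags` into a `VariableAccessData` or a `Node` without masking would leak a bit that `NodeFlags` consumers do not expect. The two `static_assert`s cover disjointness from the mask and ordering, which is the right pair of checks.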
@@ -221,9 +226,9 @@
 switch (node->op()) {
 case GetLocal: {
 VariableAccessData* variableAccessData = node->variableAccessData();
-NodeFlags& flagsRef = m_currentFlags.operand(variableAccessData->operand());
-mergeFlags(flagsRef, flags);
-variableAccessData->mergeFlags(flagsRef & ~NodeBytecodeUsesAsInt); // We don't care about cross-block uses-as-int for this.
+flags |= m_currentFlags.operand(variableAccessData->operand());
+flags |= VariableIsUsed;
+m_currentFlags.operand(variableAccessData->operand()) = flags;
 break;
 }
 
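Review bot: this hunk drops the `variableAccessData->mergeFlags(flagsRef & ~NodeBytecodeUsesAsInt)` call at GetLocal, so flags now reach the `VariableAccessData` only through the SetLocal path in the next hunk and whatever the Flush case does. If a variable can be loaded in the graph without a SetLocal being visited in the same backwards walk (an argument that is only ever read, for example), its uses would no longer be merged anywhere; either confirm that argument/Flush handling covers that, or say in the ChangeLog why the GetLocal-side merge was redundant.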
@@ -232,10 +237,11 @@
 
 Operand operand = variableAccessData->operand();
 NodeFlags flags = m_currentFlags.operand(operand);
-if (!flags)
+if (!(flags & VariableIsUsed))
 break;
 
-RELEASE_ASSERT(!(flags & ~NodeBytecodeBackPropMask));
+flags &= NodeBytecodeBackPropMask;
+flags &= ~NodeBytecodeUsesAsInt; // We don't care about cross-block uses-as-int.
 
 variableAccessData->mergeFlags(flags);
 // We union with NodeBytecodeUsesAsNumber to account for the fact that control flow may cause overflows that our modeling can't handle.
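Review bot: the removed `RELEASE_ASSERT(!(flags & ~NodeBytecodeBackPropMask))` was the only check that `m_currentFlags` holds nothing but back-propagation bits; now that `VariableIsUsed` is legitimately present there, consider keeping the invariant as `ASSERT(!(flags & ~(NodeBytecodeBackPropMask | VariableIsUsed)))` ahead of the masking rather than dropping it. The change from `if (!flags)` to `if (!(flags & VariableIsUsed))` is the actual fix: a variable that was used but had an all-zero flag set previously skipped the merge (and the `NodeBytecodeUsesAsNumber` union described in the comment), and now goes through it.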
@@ -248,11 +254,15 @@
 
 case Flush: {
 VariableAccessData* variableAccessData = node->variableAccessData();
-NodeFlags& flagsRef = m_currentFlags.operand(variableAccessData->operand());
-mergeFlags(flagsRef, 
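Review bot: the Flush hunk is cut off in this archive copy after `mergeFlags(flagsRef,`, so whether Flush sets `VariableIsUsed` the way GetLocal now does cannot be checked here. If it does not, a variable that is only flushed and never loaded would be skipped at its SetLocal by the new `VariableIsUsed` test, where the old `if (!flags)` check would have let a non-zero flag set through.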

[webkit-changes] [283818] trunk

2021-10-08 Thread sbarati
Title: [283818] trunk

Revision 283818
Author sbar...@apple.com
Date 2021-10-08 12:01:43 -0700 (Fri, 08 Oct 2021)


Log Message
RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp*
https://bugs.webkit.org/show_bug.cgi?id=231382


Reviewed by Mark Lam.

JSTests:

* stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js: Added.
(foo):

Source/_javascript_Core:

Because of the RegExp.prototype.compile API, we don't know if the RegExp
produced by RegExpExec will have indices or not, because that bit of
information can be reset by the RegExp.prototype.compile API. So, we
conservatively say that it can produce either structure.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h


Added Paths

trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js




Diff

Modified: trunk/JSTests/ChangeLog (283817 => 283818)

--- trunk/JSTests/ChangeLog	2021-10-08 18:50:59 UTC (rev 283817)
+++ trunk/JSTests/ChangeLog	2021-10-08 19:01:43 UTC (rev 283818)
@@ -1,3 +1,14 @@
+2021-10-08  Saam Barati  
+
+RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp*
+https://bugs.webkit.org/show_bug.cgi?id=231382
+
+
+Reviewed by Mark Lam.
+
+* stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js: Added.
+(foo):
+
 2021-10-07  Philip Chimento  
 
 [JSC] Temporal tweaks to pass more test262 tests


Added: trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js (0 => 283818)

--- trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js	(rev 0)
+++ trunk/JSTests/stress/reg-exp-exec-cant-prove-which-structure-it-produces-in-ai.js	2021-10-08 19:01:43 UTC (rev 283818)
@@ -0,0 +1,12 @@
+// This should not crash.
+
+function foo() {
+let r = /a/;
+r.compile(undefined, ...'d');
+let a = r.exec(/b/);
+a.x;
+}
+
+for (let i = 0; i < 1000; i++) {
+foo();
+}
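Review bot: `r.compile(undefined, ...'d')` is fuzzer output; spreading a one-character string is just `'d'`, and an `undefined` pattern compiles to the empty pattern, which is why `r.exec(/b/)` (the RegExp argument is coerced to the string `"/b/"`) still matches and `a.x` does not throw on `null`. Spelling that out in a comment, and asserting `"indices" in a` after the compile, would make the test fail on a wrong-structure result rather than only on a crash.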


Modified: trunk/Source/_javascript_Core/ChangeLog (283817 => 283818)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-08 18:50:59 UTC (rev 283817)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-08 19:01:43 UTC (rev 283818)
@@ -1,3 +1,19 @@
+2021-10-08  Saam Barati  
+
+RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp*
+https://bugs.webkit.org/show_bug.cgi?id=231382
+
+
+Reviewed by Mark Lam.
+
+Because of the RegExp.prototype.compile API, we don't know if the RegExp
+produced by RegExpExec will have indices or not, because that bit of
+information can be reset by the RegExp.prototype.compile API. So, we
+conservatively say that it can produce either structure. 
+
+* dfg/DFGAbstractInterpreterInlines.h:
+(JSC::DFG::AbstractInterpreter::executeEffects):
+
 2021-10-07  Alexey Shvayka  
 
 `highWaterMark` should be a readonly WebIDL attribute of queuing strategies


Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (283817 => 283818)

--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2021-10-08 18:50:59 UTC (rev 283817)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2021-10-08 19:01:43 UTC (rev 283818)
@@ -2615,24 +2615,9 @@
 if (JSGlobalObject* globalObject = jsDynamicCast(m_vm, globalObjectValue)) {
 if (!globalObject->isHavingABadTime()) {
 m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
-
-RegExp* regExp = nullptr;
-if (node->op() == RegExpExec) {
-if (Node* regExpObjectNode = node->child2().node()) {
-if (RegExpObject* regExpObject = regExpObjectNode->dynamicCastConstant(m_vm))
-regExp = regExpObject->regExp();
-else if (regExpObjectNode->op() == NewRegexp)
-regExp = regExpObjectNode->castOperand();
-}
-} else if (node->op() == RegExpExecNonGlobalOrSticky)
-regExp = node->castOperand();
-
 RegisteredStructureSet structureSet;
-// If regExp is unknown, we need to put both regExp MatchesArray structure variants in our set.
-if (!regExp || !regExp->hasIndices())
-structureSet.add(m_graph.registerStructure(globalObject->regExpMatchesArrayStructure()));
-if (!regExp || regExp->hasIndices())
-

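The property r283818 is defending against, as an added JavaScript example (not WebKit code and not the regression test above): `RegExp.prototype.compile` rewrites an existing RegExp in place, so whether `exec()` returns a match array carrying an `indices` property can change between two calls on the same object. It assumes an engine with the ES2022 `d` (hasIndices) flag and the Annex B `compile` method; the function names are this example's own.

```javascript
// Added example, not WebKit code. Assumes support for the 'd' flag and
// RegExp.prototype.compile (Annex B). Function names are illustrative.

// Report whether an exec() result carries the `indices` property, which is
// what separates the two match-array shapes the JIT has to choose between.
function execResultHasIndices(re, input) {
  const m = re.exec(input);
  return m !== null && "indices" in m;
}

// Run one RegExp object through exec() before and after compile() turns on
// the 'd' flag. Returns the observed shapes plus evidence it is the same object.
function shapeBeforeAndAfterCompile() {
  const re = /a/;                          // literal: hasIndices === false
  const before = execResultHasIndices(re, "xa");
  const returned = re.compile("a", "d");   // mutates re; returns re itself
  const after = execResultHasIndices(re, "xa");
  return { before, after, sameObject: returned === re, flags: re.flags };
}

// The regression test calls compile(undefined, 'd'). An undefined pattern is
// the empty pattern, which matches at index 0 of any input, so exec() never
// yields null there even though the input "/b/" contains no 'a'.
function emptyPatternFromUndefined() {
  const re = /a/;
  re.compile(undefined, "d");
  const m = re.exec("/b/");   // a RegExp argument would be coerced to this string
  return { source: re.source, index: m.index, hasIndices: "indices" in m };
}
```

Because `compile` leaves the object identity untouched, a compiler that cached "this RegExp object has no indices" at one `exec` site cannot reuse that fact at a later one without re-checking; that is the conservatism the DFG change above adopts.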
[webkit-changes] [283623] trunk

2021-10-06 Thread sbarati
Title: [283623] trunk

Revision 283623
Author sbar...@apple.com
Date 2021-10-06 08:49:42 -0700 (Wed, 06 Oct 2021)


Log Message
Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
https://bugs.webkit.org/show_bug.cgi?id=230823


Reviewed by Robin Morisset.

JSTests:

* run-backwards-propagation-before-osr-exit-pruning.js: Added.
(assert):
(main.async v24):
(main):

Source/_javascript_Core:

We've found yet another bug where pruning code after OSR exits
before running backwards propagation leads to us breaking the spec
in weird IR situations. In the particular test case here, we end
up not thinking we care about negative zero for an ArithNegate,
and we exit the program while recovering the value 0 instead of -0.

Fundamentally, backwards propagation wants to see all bytecode uses.
Therefore, it seems like a more sound strategy to run backwards propagation
before we end up mucking with the graph. This patch makes it so we run
backwards propagation inside bytecode parser before we prune the IR.
That way, the phase sees the graph as if it's an IR over the whole bytecode
graph.

* bytecode/Operands.h:
(JSC::Operands::operator!= const):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
(JSC::DFG::BackwardsPropagationPhase::run):
(JSC::DFG::BackwardsPropagationPhase::mergeFlags):
(JSC::DFG::BackwardsPropagationPhase::propagate):
(JSC::DFG::performBackwardsPropagation):
* dfg/DFGBackwardsPropagationPhase.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGUnificationPhase.cpp:
(JSC::DFG::UnificationPhase::run):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/Operands.h
trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.cpp
trunk/Source/_javascript_Core/dfg/DFGBackwardsPropagationPhase.h
trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp
trunk/Source/_javascript_Core/dfg/DFGPlan.cpp
trunk/Source/_javascript_Core/dfg/DFGUnificationPhase.cpp


Added Paths

trunk/JSTests/run-backwards-propagation-before-osr-exit-pruning.js




Diff

Modified: trunk/JSTests/ChangeLog (283622 => 283623)

--- trunk/JSTests/ChangeLog	2021-10-06 15:43:37 UTC (rev 283622)
+++ trunk/JSTests/ChangeLog	2021-10-06 15:49:42 UTC (rev 283623)
@@ -1,3 +1,16 @@
+2021-10-06  Saam Barati  
+
+Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
+https://bugs.webkit.org/show_bug.cgi?id=230823
+
+
+Reviewed by Robin Morisset.
+
+* run-backwards-propagation-before-osr-exit-pruning.js: Added.
+(assert):
+(main.async v24):
+(main):
+
 2021-10-05  Saam Barati  
 
 Don't pass DontBuildStrings to next token after parsing an empty parameter list


Added: trunk/JSTests/run-backwards-propagation-before-osr-exit-pruning.js (0 => 283623)

--- trunk/JSTests/run-backwards-propagation-before-osr-exit-pruning.js	(rev 0)
+++ trunk/JSTests/run-backwards-propagation-before-osr-exit-pruning.js	2021-10-06 15:49:42 UTC (rev 283623)
@@ -0,0 +1,24 @@
+//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=true")
+
+function assert(b) {
+if (!b)
+throw new Error;
+}
+function main() {
+let v38;
+let v40;
+
+async function v24() {
+const v33 = false;
+const v34 = -v33;
+const v37 = typeof search;
+const v39 = v38 ? v30 : 1;
+v40 = v34;
+
+for (let v41 = 0; v41 != 10; v41++) { }
+}
+[1,1,1].filter(v24);
+assert(Object.is(v40, -0) === true);
+assert(Object.is(v40, 0) === false);
+}
+main();
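Review bot: the new test lands as `JSTests/run-backwards-propagation-before-osr-exit-pruning.js`, at the top of `JSTests/` rather than under `JSTests/stress/` like the other tests in this series; the stress runner only collects from its configured directories, so this file is probably never executed. Separately, `typeof search` and `v38 ? v30 : 1` refer to names that are never declared (harmless only because `typeof` tolerates it and `v38` is always falsy); if they are needed to reproduce the IR shape, a comment saying so would stop someone from cleaning them up.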


Modified: trunk/Source/_javascript_Core/ChangeLog (283622 => 283623)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-06 15:43:37 UTC (rev 283622)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-06 15:49:42 UTC (rev 283623)
@@ -1,3 +1,40 @@
+2021-10-06  Saam Barati  
+
+Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
+https://bugs.webkit.org/show_bug.cgi?id=230823
+
+
+Reviewed by Robin Morisset.
+
+We've found yet another bug where pruning code after OSR exits
+before running backwards propagation leads to us breaking the spec
+in weird IR situations. In the particular test case here, we end
+up not thinking we care about negative zero for an ArithNegate,
+and we exit the program while recovering the value 0 instead of 

[webkit-changes] [283600] trunk

2021-10-05 Thread sbarati
Title: [283600] trunk

Revision 283600
Author sbar...@apple.com
Date 2021-10-05 22:20:07 -0700 (Tue, 05 Oct 2021)


Log Message
Don't pass DontBuildStrings to next token after parsing an empty parameter list
https://bugs.webkit.org/show_bug.cgi?id=225094


Reviewed by Yusuke Suzuki.

JSTests:

* stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js: Added.
(main.a.prototype.g.toString.string_appeared_here):
(main.a):
(main):

Source/_javascript_Core:

We might need the string, it turns out!

* parser/Parser.cpp:
(JSC::Parser::parseArguments):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/parser/Parser.cpp


Added Paths

trunk/JSTests/stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js




Diff

Modified: trunk/JSTests/ChangeLog (283599 => 283600)

--- trunk/JSTests/ChangeLog	2021-10-06 03:47:16 UTC (rev 283599)
+++ trunk/JSTests/ChangeLog	2021-10-06 05:20:07 UTC (rev 283600)
@@ -1,3 +1,16 @@
+2021-10-05  Saam Barati  
+
+Don't pass DontBuildStrings to next token after parsing an empty parameter list
+https://bugs.webkit.org/show_bug.cgi?id=225094
+
+
+Reviewed by Yusuke Suzuki.
+
+* stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js: Added.
+(main.a.prototype.g.toString.string_appeared_here):
+(main.a):
+(main):
+
 2021-10-05  Mark Lam  
 
 CodeBlock should not add/remove LoopHintExecutionCounters.


Added: trunk/JSTests/stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js (0 => 283600)

--- trunk/JSTests/stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js	(rev 0)
+++ trunk/JSTests/stress/dont-pass-DontBuildStrings-when-building-empty-arguments-list.js	2021-10-06 05:20:07 UTC (rev 283600)
@@ -0,0 +1,7 @@
+// This should not crash the parser.
+function main() {
+class a {
+g = [].toString()
+'a'(){}
+}
+}
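Review bot: the regression is in parsing, so loading the file is enough and `main()` is deliberately never called; a one-line comment to that effect would keep someone from "fixing" the test by adding a call. It would also help to name the interesting token sequence: the field initializer `[].toString()` is followed, after ASI, by the string-literal member name `'a'`, which appears to be the token whose string the parser needs.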


Modified: trunk/Source/_javascript_Core/ChangeLog (283599 => 283600)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-06 03:47:16 UTC (rev 283599)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-06 05:20:07 UTC (rev 283600)
@@ -1,3 +1,16 @@
+2021-10-05  Saam Barati  
+
+Don't pass DontBuildStrings to next token after parsing an empty parameter list
+https://bugs.webkit.org/show_bug.cgi?id=225094
+
+
+Reviewed by Yusuke Suzuki.
+
+We might need the string, it turns out!
+
+* parser/Parser.cpp:
+(JSC::Parser::parseArguments):
+
 2021-10-05  Patrick Angle  
 
 Web Inspector: Show color space for canvases in the Graphics tab on the overview cards


Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (283599 => 283600)

--- trunk/Source/_javascript_Core/parser/Parser.cpp	2021-10-06 03:47:16 UTC (rev 283599)
+++ trunk/Source/_javascript_Core/parser/Parser.cpp	2021-10-06 05:20:07 UTC (rev 283600)
@@ -4980,7 +4980,7 @@
 consumeOrFailWithFlags(OPENPAREN, TreeBuilder::DontBuildStrings, "Expected opening '(' at start of argument list");
 JSTokenLocation location(tokenLocation());
 if (match(CLOSEPAREN)) {
-next(TreeBuilder::DontBuildStrings);
+next();
 return context.createArguments();
 }
 auto argumentsStart = m_token.m_startPosition;
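Review bot: a short comment at the `next()` call would help future readers: the token after `)` can be a string literal whose value the caller needs (a class member named by a string literal directly after an empty argument list, as in the added test), so the lexer must build the string here even though the `(` was consumed with `DontBuildStrings`.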






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [283527] trunk/Source/JavaScriptCore

2021-10-04 Thread sbarati
Title: [283527] trunk/Source/_javascript_Core

Revision 283527
Author sbar...@apple.com
Date 2021-10-04 17:33:56 -0700 (Mon, 04 Oct 2021)


Log Message
Display return values in a nicer way in the jsc REPL and add a prettyPrint function
https://bugs.webkit.org/show_bug.cgi?id=230931


Reviewed by Tadeu Zagallo.

Currently, print(1), print("1"), and print([1]) all print to stdout
simply as "1" (without the quotes). Same for values when running the
REPL. This isn't super helpful. Let's print quotes for strings, and
brackets for arrays. This patch adds a prettyPrint function to do
that, since we have a lot of tests that depend on the old print behavior.

This patch also makes values printed in the REPL the new pretty style.

* jsc.cpp:
(toCString):
(printInternal):
(JSC_DEFINE_HOST_FUNCTION):
(runInteractive):
(cStringFromViewWithString): Deleted.
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toWTFStringForConsole const):
* runtime/JSCJSValue.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jsc.cpp
trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp
trunk/Source/_javascript_Core/runtime/JSCJSValue.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (283526 => 283527)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-04 23:50:37 UTC (rev 283526)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-05 00:33:56 UTC (rev 283527)
@@ -1,5 +1,32 @@
 2021-10-04  Saam Barati  
 
+Display return values in nicer way in the jsc REPL and add a prettyPrint function
+https://bugs.webkit.org/show_bug.cgi?id=230931
+
+
+Reviewed by Tadeu Zagallo.
+
+Currently, print(1), print("1"), and print([1]) all print to stdout
+simply as "1" (without the quotes). Same for values when running the
+REPL. This isn't super helpful. Let's print quotes for strings, and
+brackets for arrays. This patch adds a prettyPrint function to do
+that, since we have a lot of tests that depend on the old print behavior.
+
+This patch also makes values printed in the REPL the new pretty style.
+
+
+* jsc.cpp:
+(toCString):
+(printInternal):
+(JSC_DEFINE_HOST_FUNCTION):
+(runInteractive):
+(cStringFromViewWithString): Deleted.
+* runtime/JSCJSValue.cpp:
+(JSC::JSValue::toWTFStringForConsole const):
+* runtime/JSCJSValue.h:
+
+2021-10-04  Saam Barati  
+
 IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this
 https://bugs.webkit.org/show_bug.cgi?id=229951
 


Modified: trunk/Source/_javascript_Core/jsc.cpp (283526 => 283527)

--- trunk/Source/_javascript_Core/jsc.cpp	2021-10-04 23:50:37 UTC (rev 283526)
+++ trunk/Source/_javascript_Core/jsc.cpp	2021-10-05 00:33:56 UTC (rev 283527)
@@ -278,6 +278,7 @@
 
 static JSC_DECLARE_HOST_FUNCTION(functionPrintStdOut);
 static JSC_DECLARE_HOST_FUNCTION(functionPrintStdErr);
+static JSC_DECLARE_HOST_FUNCTION(functionPrettyPrint);
 static JSC_DECLARE_HOST_FUNCTION(functionDebug);
 static JSC_DECLARE_HOST_FUNCTION(functionDescribe);
 static JSC_DECLARE_HOST_FUNCTION(functionDescribeArray);
@@ -527,6 +528,7 @@
 addFunction(vm, "describeArray", functionDescribeArray, 1);
 addFunction(vm, "print", functionPrintStdOut, 1);
 addFunction(vm, "printErr", functionPrintStdErr, 1);
+addFunction(vm, "prettyPrint", functionPrettyPrint, 1);
 addFunction(vm, "quit", functionQuit, 0);
 addFunction(vm, "gc", functionGCAndSweep, 0);
 addFunction(vm, "fullGC", functionFullGC, 0);
@@ -1238,9 +1240,10 @@
 return metaProperties;
 }
 
-static CString cStringFromViewWithString(JSGlobalObject* globalObject, ThrowScope& scope, StringViewWithUnderlyingString& viewWithString)
+template 
+static CString toCString(JSGlobalObject* globalObject, ThrowScope& scope, T& string)
 {
-Expected expectedString = viewWithString.view.tryGetUtf8();
+Expected expectedString = string.tryGetUtf8();
 if (expectedString)
 return expectedString.value();
 switch (expectedString.error()) {
@@ -1259,7 +1262,7 @@
 return { };
 }
 
-static EncodedJSValue printInternal(JSGlobalObject* globalObject, CallFrame* callFrame, FILE* out)
+static EncodedJSValue printInternal(JSGlobalObject* globalObject, CallFrame* callFrame, FILE* out, bool pretty)
 {
 VM& vm = globalObject->vm();
 auto scope = DECLARE_THROW_SCOPE(vm);
@@ -1277,13 +1280,11 @@
 if (EOF == fputc(' ', out))
 goto fail;
 
-auto* jsString = callFrame->uncheckedArgument(i).toString(globalObject);
+String string = pretty ? callFrame->uncheckedArgument(i).toWTFStringForConsole(globalObject) : callFrame->uncheckedArgument(i).toWTFString(globalObject);
 RETURN_IF_EXCEPTION(scope, { });
-auto viewWithString = jsString->viewWithUnderlyingString(globalObject);
+auto cString = 
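Review bot: `printInternal(..., FILE* out, bool pretty)` adds a bare bool to the signature, so call sites will read `printInternal(globalObject, callFrame, stdout, true)`; an `enum class` (say `PrettyPrint { No, Yes }`) would make them self-describing. Note also that this archive copy has dropped the parameter list from `template ` and the arguments from `Expected expectedString`, and the hunk is cut off after `auto cString = `, so the converted `toCString` helper and its use cannot be reviewed line for line here.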

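A formatter with the behaviour this entry and the r283293 entry (`Print values in a nicer way in the jsc shell`, also on this page) describe, written as an added JavaScript example rather than the jsc shell's own C++: `legacyFormat` reproduces the old ambiguity where `1`, `"1"` and `[1]` all print as `1`, and `prettyFormat` quotes strings and brackets arrays, recursing into nested values with cycle protection. Function names are this example's own.

```javascript
// Added example, not the jsc shell's implementation. Names are illustrative.

// The old behaviour: plain ToString, so 1, "1" and [1] are indistinguishable.
function legacyFormat(value) {
  return String(value);
}

// Pretty form: strings get quotes, arrays get brackets, objects get braces,
// -0 is shown as -0, and cycles are cut off instead of recursing forever.
function prettyFormat(value, seen = new Set()) {
  switch (typeof value) {
  case "string":
    return JSON.stringify(value);            // quoted, with escapes
  case "number":
    return Object.is(value, -0) ? "-0" : String(value);
  case "bigint":
    return `${value}n`;
  case "symbol":
    return value.toString();                 // Symbol(description)
  case "function":
    return `[Function: ${value.name || "anonymous"}]`;
  case "undefined":
  case "boolean":
    return String(value);
  }
  if (value === null)
    return "null";
  if (seen.has(value))
    return "[Circular]";
  seen.add(value);                           // track the current path only
  try {
    if (Array.isArray(value))
      return "[" + value.map((v) => prettyFormat(v, seen)).join(", ") + "]";
    const entries = Object.keys(value).map((k) => `${k}: ${prettyFormat(value[k], seen)}`);
    return "{" + entries.join(", ") + "}";
  } finally {
    seen.delete(value);                      // siblings may legitimately share an object
  }
}

// Shell-style entry point: space-separated arguments, one line per call.
function prettyPrint(...values) {
  const line = values.map((v) => prettyFormat(v)).join(" ");
  console.log(line);
  return line;
}
```

Keeping `legacyFormat` around mirrors the `legacyPrint` alias the r283293 entry introduces for tests that depend on the old output.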
[webkit-changes] [283512] trunk

2021-10-04 Thread sbarati
Title: [283512] trunk

Revision 283512
Author sbar...@apple.com
Date 2021-10-04 12:58:05 -0700 (Mon, 04 Oct 2021)


Log Message
IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this
https://bugs.webkit.org/show_bug.cgi?id=229951


Reviewed by Yusuke Suzuki.

JSTests:

* stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js: Added.
(assert):
(main.v37):
(main):

Source/_javascript_Core:

The whole point of get_by_id_with_this is to have different
slot base values for |this| vs the slot base when invoking
getters. However, our intrinsic getter inlining wasn't respecting
this. This patch makes the __proto__ intrinsic getter do the right
thing. For typed array intrinsic getters, if they have different
|this| value vs slot base, we chose not to inline them, because
the type checks are not on the |this| value, so they're not guaranteed
to be typed arrays. We can improve upon this in the future.

* bytecode/IntrinsicGetterAccessCase.h:
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitLoadPrototypeWithoutCheck):
* jit/AssemblyHelpers.h:
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/Repatch.cpp:
(JSC::tryCacheGetBy):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/IntrinsicGetterAccessCase.h
trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp
trunk/Source/_javascript_Core/jit/AssemblyHelpers.h
trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp
trunk/Source/_javascript_Core/jit/Repatch.cpp


Added Paths

trunk/JSTests/stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js




Diff

Modified: trunk/JSTests/ChangeLog (283511 => 283512)

--- trunk/JSTests/ChangeLog	2021-10-04 19:48:22 UTC (rev 283511)
+++ trunk/JSTests/ChangeLog	2021-10-04 19:58:05 UTC (rev 283512)
@@ -1,3 +1,16 @@
+2021-10-04  Saam Barati  
+
+IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this
+https://bugs.webkit.org/show_bug.cgi?id=229951
+
+
+Reviewed by Yusuke Suzuki.
+
+* stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js: Added.
+(assert):
+(main.v37):
+(main):
+
 2021-10-02  Yusuke Suzuki  
 
 [JSC] Update test262 config.yaml since OSS WebKit now uses ICU 64.2 header


Added: trunk/JSTests/stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js (0 => 283512)

--- trunk/JSTests/stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js	(rev 0)
+++ trunk/JSTests/stress/run-proto-intrinsic-getter-with-this-value-in-get-by-id-with-this.js	2021-10-04 19:58:05 UTC (rev 283512)
@@ -0,0 +1,25 @@
+//@ runDefault("--forcePolyProto=true", "--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=true")
+
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+function main() {
+let v41;
+
+v37 = class V37 {
+constructor() {
+v41 = super.__proto__;
+}
+};
+
+for (let v70 = 0; v70 < 100; v70++) {
+new v37();
+assert(v41 !== null);
+}
+
+}
+noDFG(main);
+noFTL(main);
+main();


Modified: trunk/Source/_javascript_Core/ChangeLog (283511 => 283512)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-04 19:48:22 UTC (rev 283511)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-04 19:58:05 UTC (rev 283512)
@@ -1,3 +1,30 @@
+2021-10-04  Saam Barati  
+
+IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this
+https://bugs.webkit.org/show_bug.cgi?id=229951
+
+
+Reviewed by Yusuke Suzuki.
+
+The whole point of get_by_id_with_this is to have different
+slot base values for |this| vs the slot base when invoking
+getters. However, our intrinsic getter inlining wasn't respecting
+this. This patch makes the __proto__ intrinsic getter do the right
+thing. For typed array intrinsic getters, if they have different
+|this| value vs slot base, we chose not to inline them, because
+the type checks are not on the |this| value, so they're not guaranteed
+to be typed arrays. We can improve upon this in the future.
+
+* bytecode/IntrinsicGetterAccessCase.h:
+* jit/AssemblyHelpers.cpp:
+(JSC::AssemblyHelpers::emitLoadPrototypeWithoutCheck):
+* jit/AssemblyHelpers.h:
+* jit/IntrinsicEmitter.cpp:
+(JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):

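What `get_by_id_with_this` has to preserve, as an added JavaScript example (not WebKit code): `super.prop` finds the property on the home object's prototype, the slot base, but runs a getter with the constructor's `this` as the receiver, and for the `__proto__` accessor those two choices give different answers. Class and function names are this example's own.

```javascript
// Added example, not WebKit code. Class and function names are illustrative.

class Base {
  // An ordinary getter that simply reports which object it was invoked on.
  get receiver() { return this; }
}

class Derived extends Base {
  constructor() {
    super();
    // Getter found on Base.prototype (the slot base) but run with this === instance.
    this.viaSuper = super.receiver;
    // __proto__ lives on Object.prototype further up the slot-base chain, but the
    // getter must still see this === instance, so it yields Derived.prototype.
    this.protoViaSuper = super.__proto__;
  }
}

function receiverSemantics() {
  const d = new Derived();
  return {
    getterSeesInstance: d.viaSuper === d,
    protoIsDerivedPrototype: d.protoViaSuper === Derived.prototype,
    // What an inliner that used the slot base as the receiver would compute
    // for super.__proto__ instead: the prototype of Object.prototype.
    slotBaseAnswer: Object.getPrototypeOf(Object.prototype),
    // Receiver and slot base really are different objects here.
    slotBaseIsNotReceiver: Base.prototype !== d,
  };
}

// The same thing without inheritance, mirroring the regression test's
// `class V37` shape: super's base is Object.prototype, and __proto__ still
// reports the instance's prototype rather than Object.prototype's (null).
function noExtendsShape() {
  let captured;
  const V = class V { constructor() { captured = super.__proto__; } };
  new V();
  return { captured, isPrototypeOfV: captured === V.prototype };
}
```

The `null` in `slotBaseAnswer` is exactly the value the regression test's `assert(v41 !== null)` guards against.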
[webkit-changes] [283344] trunk/Source/JavaScriptCore

2021-09-30 Thread sbarati
Title: [283344] trunk/Source/_javascript_Core

Revision 283344
Author sbar...@apple.com
Date 2021-09-30 16:06:22 -0700 (Thu, 30 Sep 2021)


Log Message
Regressions (r283288): [ macOS Debug ] webgl/2.0.0/conformance/state/gl-object-get-calls.html is timing out
https://bugs.webkit.org/show_bug.cgi?id=231024


Reviewed by Mark Lam.

Speed up our debug assert by not using a probe.

* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JIT.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (283343 => 283344)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-30 22:58:54 UTC (rev 283343)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-30 23:06:22 UTC (rev 283344)
@@ -1,5 +1,18 @@
 2021-09-30  Saam Barati  
 
+Regressions (r283288): [ macOS Debug ] webgl/2.0.0/conformance/state/gl-object-get-calls.html is timing out
+https://bugs.webkit.org/show_bug.cgi?id=231024
+
+
+Reviewed by Mark Lam.
+
+Speed up our debug assert by not using a probe.
+
+* jit/JIT.cpp:
+(JSC::JIT::privateCompileMainPass):
+
+2021-09-30  Saam Barati  
+
 The DFG/FTL need to be aware that Proxy's can produce "function" for typeof and might be callable
 https://bugs.webkit.org/show_bug.cgi?id=230804
 


Modified: trunk/Source/_javascript_Core/jit/JIT.cpp (283343 => 283344)

--- trunk/Source/_javascript_Core/jit/JIT.cpp	2021-09-30 22:58:54 UTC (rev 283343)
+++ trunk/Source/_javascript_Core/jit/JIT.cpp	2021-09-30 23:06:22 UTC (rev 283344)
@@ -272,13 +272,18 @@
 
 #if ASSERT_ENABLED
 if (opcodeID != op_catch) {
-probeDebug([=] (Probe::Context& ctx) {
-CodeBlock* codeBlock = ctx.fp()->codeBlock();
-auto* constantPool = ctx.gpr(s_constantsGPR);
-RELEASE_ASSERT(codeBlock->baselineJITConstantPool() == constantPool);
-auto* metadata = ctx.gpr(s_metadataGPR);
-RELEASE_ASSERT(codeBlock->metadataTable() == metadata);
-});
+loadPtr(addressFor(CallFrameSlot::codeBlock), regT0);
+loadPtr(Address(regT0, CodeBlock::offsetOfMetadataTable()), regT1);
+loadPtr(Address(regT0, CodeBlock::offsetOfJITData()), regT0);
+loadPtr(Address(regT0, CodeBlock::JITData::offsetOfJITConstantPool()), regT2);
+
+auto metadataOK = branchPtr(Equal, regT1, s_metadataGPR);
+breakpoint();
+metadataOK.link(this);
+
+auto constantsOK = branchPtr(Equal, regT2, s_constantsGPR);
+breakpoint();
+constantsOK.link(this);
 }
 #endif
 



[webkit-changes] [283332] trunk

2021-09-30 Thread sbarati
Title: [283332] trunk

Revision 283332
Author sbar...@apple.com
Date 2021-09-30 13:37:55 -0700 (Thu, 30 Sep 2021)


Log Message
The DFG/FTL need to be aware that Proxies can produce "function" for typeof and might be callable
https://bugs.webkit.org/show_bug.cgi?id=230804


Reviewed by Yusuke Suzuki.

JSTests:

* stress/ai-typeof-needs-to-be-aware-of-proxy-2.js: Added.
(assert):
(builtin.vm.createBuiltin):
(builtin2.vm.createBuiltin):
(let.p.new.Proxy):
* stress/ai-typeof-needs-to-be-aware-of-proxy.js: Added.
(assert):
(builtin.vm.createBuiltin):
(let.p.new.Proxy):
* stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js: Added.
(main):

Source/_javascript_Core:

This patch fixes a couple of bugs:
- We were constant folding typeof on ProxyObject to "object"
  even when ProxyObject might produce a callable Proxy, and hence,
  should produce "function". This was a bug in AI.
- This also fixes a similar bug in IsCallable's implementation in
  the FTL where we assumed that ProxyObject's type can't be callable.

* bytecode/SpeculatedType.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/SpeculatedType.h
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp


Added Paths

trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy-2.js
trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy.js
trunk/JSTests/stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js




Diff

Modified: trunk/JSTests/ChangeLog (283331 => 283332)

--- trunk/JSTests/ChangeLog	2021-09-30 20:21:45 UTC (rev 283331)
+++ trunk/JSTests/ChangeLog	2021-09-30 20:37:55 UTC (rev 283332)
@@ -1,3 +1,23 @@
+2021-09-30  Saam Barati  
+
+The DFG/FTL need to be aware that Proxy's can produce "function" for typeof and might be callable
+https://bugs.webkit.org/show_bug.cgi?id=230804
+
+
+Reviewed by Yusuke Suzuki.
+
+* stress/ai-typeof-needs-to-be-aware-of-proxy-2.js: Added.
+(assert):
+(builtin.vm.createBuiltin):
+(builtin2.vm.createBuiltin):
+(let.p.new.Proxy):
+* stress/ai-typeof-needs-to-be-aware-of-proxy.js: Added.
+(assert):
+(builtin.vm.createBuiltin):
+(let.p.new.Proxy):
+* stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js: Added.
+(main):
+
 2021-09-29  Mark Lam  
 
 DFG strength reduction on % operator should handle an INT_MIN divisor.


Added: trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy-2.js (0 => 283332)

--- trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy-2.js	(rev 0)
+++ trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy-2.js	2021-09-30 20:37:55 UTC (rev 283332)
@@ -0,0 +1,29 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+var builtin = $vm.createBuiltin(`(function (a) {
+if (@isProxyObject(a)) {
+if (typeof a === "object")
+return false;
+}
+return true;
+})`);
+
+noInline(builtin);
+
+var builtin2 = $vm.createBuiltin(`(function (a) {
+if (@isProxyObject(a)) {
+if (typeof a === "function")
+return true;
+}
+return false;
+})`);
+noInline(builtin2);
+
+let p = new Proxy(function(){}, {});
+for (let i = 0; i < 1; ++i) {
+assert(builtin(p) === true);
+assert(builtin2(p) === true);
+}
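Review bot: both this test and `ai-typeof-needs-to-be-aware-of-proxy.js` below run their loop once (`i < 1`), so the DFG/FTL constant folding being fixed is exercised only under the eager-compilation test configurations; a larger iteration count would also catch a regression under default tiering. In `builtin2`, the `@isProxyObject` guard followed by `typeof a === "function"` is exactly the shape the AI folded wrongly, which is worth a comment so the two builtins do not look redundant.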


Added: trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy.js (0 => 283332)

--- trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy.js	(rev 0)
+++ trunk/JSTests/stress/ai-typeof-needs-to-be-aware-of-proxy.js	2021-09-30 20:37:55 UTC (rev 283332)
@@ -0,0 +1,15 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+var builtin = $vm.createBuiltin(`(function (a) {
+if (@isProxyObject(a))
+return typeof a;
+})`);
+
+noInline(builtin);
+
+let p = new Proxy(function(){}, {});
+for (let i = 0; i < 1; ++i)
+assert(builtin(p) === "function");


Added: trunk/JSTests/stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js (0 => 283332)

--- trunk/JSTests/stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js	(rev 0)
+++ trunk/JSTests/stress/is-callable-in-ftl-needs-to-be-aware-of-proxy.js	2021-09-30 20:37:55 UTC (rev 283332)
@@ -0,0 +1,16 @@
+//@ runDefault("--validateOptions=true --useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=true")
+
+function main() {
+let v162;
+const v25 
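Review bot: in the `//@ runDefault(...)` line the first two options are in one string, `"--validateOptions=true --useConcurrentJIT=false"`, whereas the other tests in this series pass them as separate strings; whether that still yields two arguments depends on how the runner joins them into the command line. Split them as in `run-backwards-propagation-before-osr-exit-pruning.js`. The hunk is also cut off after `const v25`, so the body of `main()` cannot be reviewed here.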

[webkit-changes] [283293] trunk

2021-09-29 Thread sbarati
Title: [283293] trunk

Revision 283293
Author sbar...@apple.com
Date 2021-09-29 18:39:22 -0700 (Wed, 29 Sep 2021)


Log Message
Print values in a nicer way in the jsc shell
https://bugs.webkit.org/show_bug.cgi?id=230931

Reviewed by Tadeu Zagallo.

JSTests:

* ChakraCore/test/jsc-lib.js:

Source/_javascript_Core:

Currently, print(1), print("1"), and print([1]) all print to stdout
simply as "1" (without the quotes). Same for values when running the
REPL. This isn't super helpful. Let's print quotes for strings, and
brackets for arrays.

Some tests rely on the old print behavior. Those tests now use the legacyPrint
instead.

* jsc.cpp:
(toCString):
(printInternal):
(JSC_DEFINE_HOST_FUNCTION):
(runInteractive):
(cStringFromViewWithString): Deleted.
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toWTFStringForConsole const):
* runtime/JSCJSValue.h:

LayoutTests:

* resources/standalone-pre.js:

Modified Paths

trunk/JSTests/ChakraCore/test/jsc-lib.js
trunk/JSTests/ChangeLog
trunk/JSTests/exceptionFuzz/3d-cube.js
trunk/JSTests/exceptionFuzz/date-format-xparb.js
trunk/JSTests/exceptionFuzz/earley-boyer.js
trunk/LayoutTests/ChangeLog
trunk/LayoutTests/resources/standalone-pre.js
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jsc.cpp
trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp
trunk/Source/_javascript_Core/runtime/JSCJSValue.h

Diff

Modified: trunk/JSTests/ChakraCore/test/jsc-lib.js (283292 => 283293)

--- trunk/JSTests/ChakraCore/test/jsc-lib.js	2021-09-30 01:25:13 UTC (rev 283292)
+++ trunk/JSTests/ChakraCore/test/jsc-lib.js	2021-09-30 01:39:22 UTC (rev 283293)
@@ -1,3 +1,5 @@
+print = legacyPrint;
+
 WScript = {
 _jscGC: gc,
 _jscLoad: load,
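Review bot: `print = legacyPrint;` at the top of the file depends on the jsc shell exposing `legacyPrint` as a global and silently rebinds `print` for every ChakraCore test loaded afterwards; a one-line comment tying this to the new quoting behaviour of `print` (strings with quotes, arrays with brackets) would explain why these tests need the old output format.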


Modified: trunk/JSTests/ChangeLog (283292 => 283293)

--- trunk/JSTests/ChangeLog	2021-09-30 01:25:13 UTC (rev 283292)
+++ trunk/JSTests/ChangeLog	2021-09-30 01:39:22 UTC (rev 283293)
@@ -1,5 +1,14 @@
 2021-09-29  Saam Barati  
 
+Print values in a nicer way in the jsc shell
+https://bugs.webkit.org/show_bug.cgi?id=230931
+
+Reviewed by Tadeu Zagallo.
+
+* ChakraCore/test/jsc-lib.js:
+
+2021-09-29  Saam Barati  
+
 We need to load the baseline JIT's constant pool register after OSR exit to checkpoints if we return to baseline code
 https://bugs.webkit.org/show_bug.cgi?id=230972
 


Modified: trunk/JSTests/exceptionFuzz/3d-cube.js (283292 => 283293)

--- trunk/JSTests/exceptionFuzz/3d-cube.js	2021-09-30 01:25:13 UTC (rev 283292)
+++ trunk/JSTests/exceptionFuzz/3d-cube.js	2021-09-30 01:39:22 UTC (rev 283293)
@@ -358,5 +358,5 @@
 
 })();
 } catch (e) {
-print("JSC EXCEPTION FUZZ: Caught exception: " + e);
+legacyPrint("JSC EXCEPTION FUZZ: Caught exception: " + e);
 }


Modified: trunk/JSTests/exceptionFuzz/date-format-xparb.js (283292 => 283293)

--- trunk/JSTests/exceptionFuzz/date-format-xparb.js	2021-09-30 01:25:13 UTC (rev 283292)
+++ trunk/JSTests/exceptionFuzz/date-format-xparb.js	2021-09-30 01:39:22 UTC (rev 283293)
@@ -424,5 +424,5 @@
 
 })();
 } catch (e) {
-print("JSC EXCEPTION FUZZ: Caught exception: " + e);
+legacyPrint("JSC EXCEPTION FUZZ: Caught exception: " + e);
 }


Modified: trunk/JSTests/exceptionFuzz/earley-boyer.js (283292 => 283293)

--- trunk/JSTests/exceptionFuzz/earley-boyer.js	2021-09-30 01:25:13 UTC (rev 283292)
+++ trunk/JSTests/exceptionFuzz/earley-boyer.js	2021-09-30 01:39:22 UTC (rev 283293)
@@ -4684,6 +4684,6 @@
 }
 })();
 } catch (e) {
-print("JSC EXCEPTION FUZZ: Caught exception: " + e);
+legacyPrint("JSC EXCEPTION FUZZ: Caught exception: " + e);
 }
 


Modified: trunk/LayoutTests/ChangeLog (283292 => 283293)

--- trunk/LayoutTests/ChangeLog	2021-09-30 01:25:13 UTC (rev 283292)
+++ trunk/LayoutTests/ChangeLog	2021-09-30 01:39:22 UTC (rev 283293)
@@ -1,3 +1,12 @@
+2021-09-29  Saam Barati  
+
+Print values in a nicer way in the jsc shell
+https://bugs.webkit.org/show_bug.cgi?id=230931
+
+Reviewed by Tadeu Zagallo.
+
+* resources/standalone-pre.js:
+
 2021-09-29  Chris Dumez  
 
 [ iOS Debug ] http/tests/xmlhttprequest/access-control-preflight-credential-sync.html is a flaky crash


Modified: trunk/LayoutTests/resources/standalone-pre.js (283292 => 283293)

--- trunk/LayoutTests/resources/standalone-pre.js	2021-09-30 01:25:13 UTC (rev 283292)
+++ trunk/LayoutTests/resources/standalone-pre.js	2021-09-30 01:39:22 UTC (rev 283293)
@@ -13,6 +13,8 @@
 didPassSomeTestsSilently = false;
 didFailSomeTests = false;
 
+print = legacyPrint;
+
 function description(msg)
 {
 print(msg);


Modified: trunk/Source/_javascript_Core/ChangeLog (283292 => 283293)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-30 01:25:13 UTC (rev 283292)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-30 01:39:22 UTC (rev 283293)
@@ -1,5 +1,30 @@
 2021-09-29  Saam Barati  
 
+Print values in a nicer way in the jsc shell
+https://bugs.webkit.org/show_bug.cgi?id=230931
+
+Reviewed 

[webkit-changes] [283288] trunk

2021-09-29 Thread sbarati
Title: [283288] trunk

Revision 283288
Author sbar...@apple.com
Date 2021-09-29 17:47:41 -0700 (Wed, 29 Sep 2021)


Log Message
We need to load the baseline JIT's constant pool register after OSR exit to checkpoints if we return to baseline code
https://bugs.webkit.org/show_bug.cgi?id=230972


Reviewed by Mark Lam and Yusuke Suzuki.

JSTests:

* stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js: Added.
(empty):
(empty2):
(test):

Source/_javascript_Core:

Consider the following:
- We have a CodeBlock A.
- DFG or FTL compiles an exit to A when A is still LLInt code. This means
  the OSR exit code will materialize registers as if A is LLInt.
- We tier up A to Baseline JIT code.
- Now, we take the exit to A as if it's LLInt. But the checkpoint OSR exit
  code will actually jump to the tiered up baseline code when it's done,
  because it determines where to jump at runtime. Because of this, when
  we return from the checkpoint code, and if we are jumping into baseline
  code, we must always load the constant pool register.
- There's no need to load the metadata register because that register is
  shared with LLInt code, and will already contain the right value.

* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::dispatchToNextInstructionDuringExit):
(JSC::LLInt::llint_slow_path_checkpoint_osr_exit_from_inlined_call):
(JSC::LLInt::llint_slow_path_checkpoint_osr_exit):
(JSC::LLInt::dispatchToNextInstruction): Deleted.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JIT.cpp
trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm


Added Paths

trunk/JSTests/stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js

Diff

Modified: trunk/JSTests/ChangeLog (283287 => 283288)

--- trunk/JSTests/ChangeLog	2021-09-30 00:21:20 UTC (rev 283287)
+++ trunk/JSTests/ChangeLog	2021-09-30 00:47:41 UTC (rev 283288)
@@ -1,5 +1,18 @@
 2021-09-29  Saam Barati  
 
+We need to load the baseline JIT's constant pool register after OSR exit to checkpoints if we return to baseline code
+https://bugs.webkit.org/show_bug.cgi?id=230972
+
+
+Reviewed by Mark Lam and Yusuke Suzuki.
+
+* stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js: Added.
+(empty):
+(empty2):
+(test):
+
+2021-09-29  Saam Barati  
+
 Code inside strength reduction can incorrectly prove that we know what lastIndex is
 https://bugs.webkit.org/show_bug.cgi?id=230802
 


Added: trunk/JSTests/stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js (0 => 283288)

--- trunk/JSTests/stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js	(rev 0)
+++ trunk/JSTests/stress/checkpoint-osr-exit-needs-to-reload-baseline-jit-constant-pool-gpr.js	2021-09-30 00:47:41 UTC (rev 283288)
@@ -0,0 +1,15 @@
+function empty() {}
+function empty2() {}
+
+function test(arr) {
+empty.apply(undefined, arr);
+empty2();
+}
+
+for (let i = 0; i < 1; i++) {
+let arr = [];
+for (let j = 0; j < i+1; j++) {
+arr.push(undefined);
+}
+test(arr);
+}
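Review bot: with `for (let i = 0; i < 1; i++)` the outer loop runs once, so `test` is invoked a single time with a one-element array and cannot tier up to the DFG/FTL code whose checkpoint OSR exit this test is named for; either the bound was meant to be larger, or a comment should state why a single call reproduces the bug under the default run options.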


Modified: trunk/Source/_javascript_Core/ChangeLog (283287 => 283288)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-30 00:21:20 UTC (rev 283287)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-30 00:47:41 UTC (rev 283288)
@@ -1,3 +1,34 @@
+2021-09-29  Saam Barati  
+
+We need to load the baseline JIT's constant pool register after OSR exit to checkpoints if we return to baseline code
+https://bugs.webkit.org/show_bug.cgi?id=230972
+
+
+Reviewed by Mark Lam and Yusuke Suzuki.
+
+Consider the following:
+- We have a CodeBlock A.
+- DFG or FTL compiles an exit to A when A is still LLInt code. This means
+  the OSR exit code will materialize registers as if A is LLInt.
+- We tier up A to Baseline JIT code.
+- Now, we take the exit to A as if it's LLInt. But the checkpoint OSR exit
+  code will actually jump to the tiered up baseline code when it's done,
+  because it determines where to jump at runtime. Because of this, when
+  we return from the checkpoint code, and if we are jumping into baseline
+  code, we must always load the constant pool register.
+- There's no need to load the metadata register because that register is
+  shared with LLInt code, and will already contain the right value.
+
+* jit/JIT.cpp:
+(JSC::JIT::privateCompileMainPass):
+* llint/LLIntSlowPaths.cpp:
+(JSC::LLInt::dispatchToNextInstructionDuringExit):
+  

[webkit-changes] [283232] trunk

2021-09-29 Thread sbarati
Title: [283232] trunk

Revision 283232
Author sbar...@apple.com
Date 2021-09-29 10:03:29 -0700 (Wed, 29 Sep 2021)


Log Message
Code inside strength reduction can incorrectly prove that we know what lastIndex is
https://bugs.webkit.org/show_bug.cgi?id=230802


Reviewed by Mark Lam.

JSTests:

* stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js: Added.
(assert):
(let.reg.RegExp.foo.g.doExec):
(noInline.doExec):

Source/_javascript_Core:

The phase was searching backwards in the graph to see if it found the RegExp
node. However, the RegExp node might be a JSConstant. Hence, the program
didn't allocate it. So we can't assume that we know what the lastIndex is.
We were incorrectly assuming it was "0" in a program like this:
a: JSConstant(RegExp)
b: RegExpExec(@a)

And we assumed we're invoking RegExpExec with lastIndex being 0, because we found
our RegExp in a backwards search. This is likely because we're also matching
NewRegExp nodes, in which case, it is valid to say lastIndex is 0.

This caused us to return a constant value that would've been the exec
result had we invoked it with a NewRegExpNode.

* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::run):
(JSC::DFG::StrengthReductionPhase::handleNode):
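The lastIndex invariant behind this fix, as an added example that is not part of the WebKit commit: a global RegExp shared across calls (the JSConstant case) carries `lastIndex` from one `exec()` to the next, so its results alternate, while a RegExp allocated fresh for each call (the NewRegExp case) always starts at 0. The helper names and the simplified node shape passed to `mayFoldRegExpExec` are assumptions of this example.

```javascript
// Added example (not WebKit code): why RegExpExec on a shared global RegExp
// must not be folded as if lastIndex were 0.

// Run re.exec(input) n times, fetching the RegExp through getRegExp() each
// time, and record what every call observed.
function execTrace(getRegExp, input, n) {
  const trace = [];
  for (let i = 0; i < n; i++) {
    const re = getRegExp();
    const lastIndexBefore = re.lastIndex;
    const m = re.exec(input);
    trace.push({
      lastIndexBefore,
      result: m ? m[0] : null,
      lastIndexAfter: re.lastIndex,
    });
  }
  return trace;
}

// Case 1: one RegExp object reused for every call, like a constant RegExp
// that the compiled function did not allocate itself.
const sharedRegExp = /foo/g;
function sharedTrace(n) {
  sharedRegExp.lastIndex = 0; // start from a known state so the trace is reproducible
  return execTrace(() => sharedRegExp, "-foo", n);
}

// Case 2: a regex literal evaluated inside the callback yields a new RegExp
// object per call, like a NewRegExp node whose lastIndex is known to be 0.
function freshTrace(n) {
  return execTrace(() => /foo/g, "-foo", n);
}

// What a fold that assumes "lastIndex is 0" would return on every call: the
// fresh-RegExp answer, which is wrong for the shared RegExp on odd calls.
function foldedAssumingLastIndexZero(n) {
  return freshTrace(n).map((t) => t.result);
}

// The rule the fix applies, over a simplified node {op: "NewRegExp" | "JSConstant"}:
// folding is only sound when the program allocated the RegExp (NewRegExp),
// because only then is lastIndex known to be 0. A JSConstant RegExp may carry
// any lastIndex, so its exec result cannot be predicted at compile time.
function mayFoldRegExpExec(regExpNode) {
  return regExpNode.op === "NewRegExp";
}

// Mirrors the regression test's expectation: for the shared RegExp the result
// is "foo" on even calls (lastIndex 0 -> 4) and null on odd calls (search from
// 4 fails and resets lastIndex to 0).
function sharedResultsAlternate(n) {
  return sharedTrace(n).every((t, i) =>
    i % 2 === 0 ? t.result === "foo" : t.result === null
  );
}
```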

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp


Added Paths

trunk/JSTests/stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js

Diff

Modified: trunk/JSTests/ChangeLog (283231 => 283232)

--- trunk/JSTests/ChangeLog	2021-09-29 16:56:07 UTC (rev 283231)
+++ trunk/JSTests/ChangeLog	2021-09-29 17:03:29 UTC (rev 283232)
@@ -1,5 +1,18 @@
 2021-09-29  Saam Barati  
 
+Code inside strength reduction can incorrectly prove that we know what lastIndex is
+https://bugs.webkit.org/show_bug.cgi?id=230802
+
+
+Reviewed by Mark Lam.
+
+* stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js: Added.
+(assert):
+(let.reg.RegExp.foo.g.doExec):
+(noInline.doExec):
+
+2021-09-29  Saam Barati  
+
 DoesGCCheck does not use enough bits for nodeIndex
 https://bugs.webkit.org/show_bug.cgi?id=230915
 


Added: trunk/JSTests/stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js (0 => 283232)

--- trunk/JSTests/stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js	(rev 0)
+++ trunk/JSTests/stress/dont-fold-regexp-exec-when-we-dont-know-last-index-and-regexp-is-constant.js	2021-09-29 17:03:29 UTC (rev 283232)
@@ -0,0 +1,19 @@
+function assert(b) {
+if (!b)
+throw new Error;
+}
+
+let reg = RegExp(/foo/g)
+function doExec() {
+return reg.exec("-foo");
+}
+noInline(doExec)
+
+for (let i = 0; i < 1000; ++i) {
+let r = doExec();
+if ((i % 2) === 0)
+assert(r[0] === "foo");
+else
+assert(r === null);
+}
+
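Review bot: the alternating expectation (`r[0] === "foo"` on even iterations, `r === null` on odd) deserves a comment: `reg` has the `g` flag, so a successful `exec` leaves `lastIndex` at 4, and the next call fails and resets it to 0, which is exactly the state a constant fold assuming `lastIndex === 0` gets wrong. Style: `let reg = RegExp(/foo/g)` and `noInline(doExec)` lack the trailing semicolons used elsewhere in the file.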


Modified: trunk/Source/_javascript_Core/ChangeLog (283231 => 283232)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-29 16:56:07 UTC (rev 283231)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-29 17:03:29 UTC (rev 283232)
@@ -1,3 +1,29 @@
+2021-09-29  Saam Barati  
+
+Code inside strength reduction can incorrectly prove that we know what lastIndex is
+https://bugs.webkit.org/show_bug.cgi?id=230802
+
+
+Reviewed by Mark Lam.
+
+The phase was searching backwards in the graph to see if it found the RegExp
+node. However, the RegExp node might be a JSConstant. Hence, the program
+didn't allocate it. So we can't assume that we know what the lastIndex is.
+We were incorrectly assuming it was "0" in a program like this:
+a: JSConstant(RegExp)
+b: RegExpExec(@a)
+
+And we assumed we're invoking RegExpExec with lastIndex is 0, because we found
+our RegExp in a backwards search. This is likely because we're also matching
+NewRegExp nodes, in which case, it is valid to say lastIndex is 0.
+
+This caused us to return a constant value that would've been the exec
+result had we invoked it with a NewRegExpNode.
+
+* dfg/DFGStrengthReductionPhase.cpp:
+(JSC::DFG::StrengthReductionPhase::run):
+(JSC::DFG::StrengthReductionPhase::handleNode):
+
 2021-09-29  Yusuke Suzuki  
 
 [JSC] Use FixedVector in JITConstantPool


Modified: trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (283231 => 283232)

--- trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp	2021-09-29 16:56:07 UTC (rev 283231)
+++ trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp	2021-09-29 17:03:29 UTC (rev 283232)
@@ -491,11 +491,13 @@
 
 Node* regExpObjectNode = nullptr;
 RegExp* regExp = nullptr;
+bool 

[webkit-changes] [283231] trunk/JSTests

2021-09-29 Thread sbarati
Title: [283231] trunk/JSTests

Revision 283231
Author sbar...@apple.com
Date 2021-09-29 09:56:07 -0700 (Wed, 29 Sep 2021)


Log Message
DoesGCCheck does not use enough bits for nodeIndex
https://bugs.webkit.org/show_bug.cgi?id=230915


Unreviewed. Forgot to add a try/catch in the test.


* stress/verify-can-gc-node-index.js:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/verify-can-gc-node-index.js

Diff

Modified: trunk/JSTests/ChangeLog (283230 => 283231)

--- trunk/JSTests/ChangeLog	2021-09-29 16:54:57 UTC (rev 283230)
+++ trunk/JSTests/ChangeLog	2021-09-29 16:56:07 UTC (rev 283231)
@@ -1,3 +1,13 @@
+2021-09-29  Saam Barati  
+
+DoesGCCheck does not use enough bits for nodeIndex
+https://bugs.webkit.org/show_bug.cgi?id=230915
+
+
+Unreviewed. Forgot to add a try/catch in the test.
+
+* stress/verify-can-gc-node-index.js:
+
 2021-09-28  Saam Barati  
 
 DoesGCCheck does not use enough bits for nodeIndex


Modified: trunk/JSTests/stress/verify-can-gc-node-index.js (283230 => 283231)

--- trunk/JSTests/stress/verify-can-gc-node-index.js	2021-09-29 16:54:57 UTC (rev 283230)
+++ trunk/JSTests/stress/verify-can-gc-node-index.js	2021-09-29 16:56:07 UTC (rev 283231)
@@ -16,4 +16,6 @@
 f();
 f();
 };
-f();
+try {
+f();
+} catch { }
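Review bot: the bare `catch { }` around `f()` swallows every exception, so a genuine failure (a `TypeError` from `g.next()`, for instance) would also pass silently; since the unbounded recursion in `f` is expected to overflow the stack, consider checking that the caught value is a `RangeError` before discarding it.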

___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [283207] trunk

2021-09-28 Thread sbarati
Title: [283207] trunk

Revision 283207
Author sbar...@apple.com
Date 2021-09-28 18:33:02 -0700 (Tue, 28 Sep 2021)


Log Message
DoesGCCheck does not use enough bits for nodeIndex
https://bugs.webkit.org/show_bug.cgi?id=230915


Reviewed by Mark Lam.

JSTests:

* stress/verify-can-gc-node-index.js: Added.
(gen):
(f):

Source/_javascript_Core:

* dfg/DFGDoesGCCheck.h:
(JSC::DFG::DoesGCCheck::DoesGCCheck):
(JSC::DFG::DoesGCCheck::encode):
(JSC::DFG::DoesGCCheck::set):
(JSC::DFG::DoesGCCheck::expectDoesGC const):
(JSC::DFG::DoesGCCheck::isSpecial const):
(JSC::DFG::DoesGCCheck::special):
(JSC::DFG::DoesGCCheck::nodeOp):
(JSC::DFG::DoesGCCheck::nodeIndex):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileLoopHint):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h
trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp


Added Paths

trunk/JSTests/stress/verify-can-gc-node-index.js

Diff

Modified: trunk/JSTests/ChangeLog (283206 => 283207)

--- trunk/JSTests/ChangeLog	2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/JSTests/ChangeLog	2021-09-29 01:33:02 UTC (rev 283207)
@@ -1,3 +1,15 @@
+2021-09-28  Saam Barati  
+
+DoesGCCheck does not use enough bits for nodeIndex
+https://bugs.webkit.org/show_bug.cgi?id=230915
+
+
+Reviewed by Mark Lam.
+
+* stress/verify-can-gc-node-index.js: Added.
+(gen):
+(f):
+
 2021-09-28  Alexey Shvayka  
 
 Speed up setting JSFunction's "prototype" property


Added: trunk/JSTests/stress/verify-can-gc-node-index.js (0 => 283207)

--- trunk/JSTests/stress/verify-can-gc-node-index.js	(rev 0)
+++ trunk/JSTests/stress/verify-can-gc-node-index.js	2021-09-29 01:33:02 UTC (rev 283207)
@@ -0,0 +1,19 @@
+//@ runDefault("--destroy-vm", "--maximumFunctionForCallInlineCandidateBytecodeCost=500", "--maximumInliningRecursion=5")
+
+function* gen() {
+}
+let g = gen();
+function f() {
+g.next();
+f();
+f();
+f();
+f();
+f();
+f();
+f();
+f();
+f();
+f();
+};
+f();
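Review bot: the top-level `f();` calls a function that recurses into itself ten times per frame with no base case, so the run ends in an uncaught stack-overflow exception and the test fails; the follow-up r283231 on this page wraps the call in `try`/`catch`, which should have been part of this commit. Minor: the `};` after the `function f() { ... }` declaration is a stray semicolon.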


Modified: trunk/Source/_javascript_Core/ChangeLog (283206 => 283207)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-29 01:33:02 UTC (rev 283207)
@@ -1,3 +1,34 @@
+2021-09-28  Saam Barati  
+
+DoesGCCheck does not use enough bits for nodeIndex
+https://bugs.webkit.org/show_bug.cgi?id=230915
+
+
+Reviewed by Mark Lam.
+
+* dfg/DFGDoesGCCheck.h:
+(JSC::DFG::DoesGCCheck::DoesGCCheck):
+(JSC::DFG::DoesGCCheck::encode):
+(JSC::DFG::DoesGCCheck::set):
+(JSC::DFG::DoesGCCheck::expectDoesGC const):
+(JSC::DFG::DoesGCCheck::isSpecial const):
+(JSC::DFG::DoesGCCheck::special):
+(JSC::DFG::DoesGCCheck::nodeOp):
+(JSC::DFG::DoesGCCheck::nodeIndex):
+* dfg/DFGOSRExit.cpp:
+(JSC::DFG::OSRExit::compileExit):
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileLoopHint):
+* dfg/DFGSpeculativeJIT32_64.cpp:
+(JSC::DFG::SpeculativeJIT::compile):
+* dfg/DFGSpeculativeJIT64.cpp:
+(JSC::DFG::SpeculativeJIT::compile):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::compileNode):
+(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+* ftl/FTLOSRExitCompiler.cpp:
+(JSC::FTL::compileStub):
+
 2021-09-28  Alex Christensen  
 
 Mostly fix Mac CMake build


Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h (283206 => 283207)

--- trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h	2021-09-29 01:31:43 UTC (rev 283206)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGCCheck.h	2021-09-29 01:33:02 UTC (rev 283207)
@@ -43,39 +43,42 @@
 };
 
 DoesGCCheck()
-: m_value(encode(true, Special::Uninitialized))
-{ }
+{
+u.encoded = encode(true, Special::Uninitialized);
+}
 
-static uint32_t encode(bool expectDoesGC, unsigned nodeIndex, unsigned nodeOp)
+static uint64_t encode(bool expectDoesGC, unsigned nodeIndex, unsigned nodeOp)
 {
-// We know nodeOp always fits because of the static_assert in DFGDoesGCCheck.cpp.
-   

[webkit-changes] [283168] trunk/Source/JavaScriptCore

2021-09-28 Thread sbarati
Title: [283168] trunk/Source/_javascript_Core

Revision 283168
Author sbar...@apple.com
Date 2021-09-28 08:32:53 -0700 (Tue, 28 Sep 2021)


Log Message
Make byte codes with arithmetic profiles switch to using an index instead of a pointer in metadata
https://bugs.webkit.org/show_bug.cgi?id=230798

Reviewed by Yusuke Suzuki.

This patch makes each bytecode that uses a BinaryArithProfile/UnaryArithProfile
have an index into a table instead of storing a pointer to the profile in its metadata.
Then, we can just load the profile using the index in the bytecode, which saves memory.

* bytecode/BytecodeList.rb:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::binaryArithProfileForPC):
(JSC::CodeBlock::unaryArithProfileForPC):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::addBinaryArithProfile):
(JSC::UnlinkedCodeBlockGenerator::addUnaryArithProfile):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
(JSC::BytecodeGenerator::emitInc):
(JSC::BytecodeGenerator::emitDec):
* bytecompiler/BytecodeGenerator.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::updateArithProfileForUnaryArithOp):
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/BytecodeList.rb
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.h
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h
trunk/Source/_javascript_Core/jit/JITArithmetic.cpp
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm
trunk/Source/_javascript_Core/offlineasm/cloop.rb
trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (283167 => 283168)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-28 13:37:17 UTC (rev 283167)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-28 15:32:53 UTC (rev 283168)
@@ -1,3 +1,45 @@
+2021-09-28  Saam Barati  
+
+Make byte codes with arithmetic profiles switch to using an index instead of a pointer in metadata
+https://bugs.webkit.org/show_bug.cgi?id=230798
+
+Reviewed by Yusuke Suzuki.
+
+This patch makes each bytecode that uses a BinaryArithProfile/UnaryArithProfile
+have an index into a table instead of storing a pointer to the profile in its metadata.
+Then, we can just load the profile using the index in the bytecode, which saves memory.
+
+* bytecode/BytecodeList.rb:
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::finishCreation):
+(JSC::CodeBlock::binaryArithProfileForPC):
+(JSC::CodeBlock::unaryArithProfileForPC):
+* bytecode/UnlinkedCodeBlock.cpp:
+(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
+* bytecode/UnlinkedCodeBlock.h:
+* bytecode/UnlinkedCodeBlockGenerator.cpp:
+(JSC::UnlinkedCodeBlockGenerator::finalize):
+* bytecode/UnlinkedCodeBlockGenerator.h:
+(JSC::UnlinkedCodeBlockGenerator::addBinaryArithProfile):
+(JSC::UnlinkedCodeBlockGenerator::addUnaryArithProfile):
+* bytecompiler/BytecodeGenerator.cpp:
+(JSC::BytecodeGenerator::emitUnaryOp):
+(JSC::BytecodeGenerator::emitInc):
+(JSC::BytecodeGenerator::emitDec):
+* bytecompiler/BytecodeGenerator.h:
+* jit/JITArithmetic.cpp:
+(JSC::JIT::emit_op_negate):
+(JSC::JIT::emit_op_add):
+(JSC::JIT::emit_op_div):
+(JSC::JIT::emit_op_mul):
+(JSC::JIT::emit_op_sub):
+* llint/LowLevelInterpreter.asm:
+* llint/LowLevelInterpreter32_64.asm:
+* llint/LowLevelInterpreter64.asm:
+* runtime/CommonSlowPaths.cpp:
+(JSC::updateArithProfileForUnaryArithOp):
+(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
+
 2021-09-28  Alexey Shvayka  
 
 Speed up setting JSFunction's "prototype" property


Modified: trunk/Source/_javascript_Core/bytecode/BytecodeList.rb (283167 => 283168)

--- trunk/Source/_javascript_Core/bytecode/BytecodeList.rb	2021-09-28 13:37:17 UTC (rev 283167)
+++ 

[webkit-changes] [283088] trunk/Source/JavaScriptCore

2021-09-26 Thread sbarati
Title: [283088] trunk/Source/_javascript_Core

Revision 283088
Author sbar...@apple.com
Date 2021-09-26 10:23:15 -0700 (Sun, 26 Sep 2021)


Log Message
Make byte codes with arithmetic profiles switch to using an index instead of a pointer in metadata
https://bugs.webkit.org/show_bug.cgi?id=230798

Reviewed by Yusuke Suzuki.

This patch makes each bytecode that uses a BinaryArithProfile/UnaryArithProfile
have an index into a table instead of storing a pointer to the profile in its metadata.
Then, we can just load the profile using the index in the bytecode, which saves memory.

* bytecode/BytecodeList.rb:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::binaryArithProfileForPC):
(JSC::CodeBlock::unaryArithProfileForPC):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* bytecode/UnlinkedCodeBlockGenerator.h:
(JSC::UnlinkedCodeBlockGenerator::addBinaryArithProfile):
(JSC::UnlinkedCodeBlockGenerator::addUnaryArithProfile):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitUnaryOp):
(JSC::BytecodeGenerator::emitInc):
(JSC::BytecodeGenerator::emitDec):
* bytecompiler/BytecodeGenerator.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::updateArithProfileForUnaryArithOp):
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/BytecodeList.rb
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.h
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h
trunk/Source/_javascript_Core/jit/JITArithmetic.cpp
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm
trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm
trunk/Source/_javascript_Core/offlineasm/cloop.rb
trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (283087 => 283088)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-26 13:47:42 UTC (rev 283087)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-26 17:23:15 UTC (rev 283088)
@@ -1,3 +1,45 @@
+2021-09-26  Saam Barati  
+
+Make byte codes with arithmetic profiles switch to using an index instead of a pointer in metadata
+https://bugs.webkit.org/show_bug.cgi?id=230798
+
+Reviewed by Yusuke Suzuki.
+
+This patch makes each bytecode that uses a BinaryArithProfile/UnaryArithProfile
+have an index into a table instead of storing a pointer to the profile in its metadata.
+Then, we can just load the profile using the index in the bytecode, which saves memory.
+
+* bytecode/BytecodeList.rb:
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::finishCreation):
+(JSC::CodeBlock::binaryArithProfileForPC):
+(JSC::CodeBlock::unaryArithProfileForPC):
+* bytecode/UnlinkedCodeBlock.cpp:
+(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
+* bytecode/UnlinkedCodeBlock.h:
+* bytecode/UnlinkedCodeBlockGenerator.cpp:
+(JSC::UnlinkedCodeBlockGenerator::finalize):
+* bytecode/UnlinkedCodeBlockGenerator.h:
+(JSC::UnlinkedCodeBlockGenerator::addBinaryArithProfile):
+(JSC::UnlinkedCodeBlockGenerator::addUnaryArithProfile):
+* bytecompiler/BytecodeGenerator.cpp:
+(JSC::BytecodeGenerator::emitUnaryOp):
+(JSC::BytecodeGenerator::emitInc):
+(JSC::BytecodeGenerator::emitDec):
+* bytecompiler/BytecodeGenerator.h:
+* jit/JITArithmetic.cpp:
+(JSC::JIT::emit_op_negate):
+(JSC::JIT::emit_op_add):
+(JSC::JIT::emit_op_div):
+(JSC::JIT::emit_op_mul):
+(JSC::JIT::emit_op_sub):
+* llint/LowLevelInterpreter.asm:
+* llint/LowLevelInterpreter32_64.asm:
+* llint/LowLevelInterpreter64.asm:
+* runtime/CommonSlowPaths.cpp:
+(JSC::updateArithProfileForUnaryArithOp):
+(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
+
 2021-09-25  Saam Barati  
 
 Build an unlinked baseline JIT


Modified: trunk/Source/_javascript_Core/bytecode/BytecodeList.rb (283087 => 283088)

--- trunk/Source/_javascript_Core/bytecode/BytecodeList.rb	2021-09-26 13:47:42 UTC (rev 283087)
+++ 

[webkit-changes] [282624] trunk/Source/JavaScriptCore

2021-09-16 Thread sbarati
Title: [282624] trunk/Source/_javascript_Core

Revision 282624
Author sbar...@apple.com
Date 2021-09-16 18:04:59 -0700 (Thu, 16 Sep 2021)


Log Message
Don't throw an exception in the middle of linking a CodeBlock
https://bugs.webkit.org/show_bug.cgi?id=230367

Reviewed by Yusuke Suzuki.

It's cleaner, and probably more correct, to wait until we're done linking
the instruction stream before throwing any exceptions from CodeBlock::finishCreation.
This guarantees, for example, that all metadata structs are initialized.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::initializeTemplateObjects):
* bytecode/CodeBlock.h:
* runtime/JSScope.cpp:
(JSC::abstractAccess):
(JSC::JSScope::abstractResolve):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/runtime/JSScope.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (282623 => 282624)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-17 00:53:50 UTC (rev 282623)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-17 01:04:59 UTC (rev 282624)
@@ -1,5 +1,25 @@
 2021-09-16  Saam Barati  
 
+Don't throw an exception in the middle of linking a CodeBlock
+https://bugs.webkit.org/show_bug.cgi?id=230367
+
+Reviewed by Yusuke Suzuki.
+
+It's cleaner, and probably more correct, to wait until we're done linking
+the instruction stream before throwing any exceptions from CodeBlock::finishCreation.
+This guarantees, for example, that all metadata structs are initialized.
+
+* bytecode/CodeBlock.cpp:
+(JSC::CodeBlock::finishCreation):
+(JSC::CodeBlock::setConstantRegisters):
+(JSC::CodeBlock::initializeTemplateObjects):
+* bytecode/CodeBlock.h:
+* runtime/JSScope.cpp:
+(JSC::abstractAccess):
+(JSC::JSScope::abstractResolve):
+
+2021-09-16  Saam Barati  
+
 Move some profiling to UnlinkedCodeBlock
 https://bugs.webkit.org/show_bug.cgi?id=230078
 


Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (282623 => 282624)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-09-17 00:53:50 UTC (rev 282623)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2021-09-17 01:04:59 UTC (rev 282624)
@@ -377,6 +377,8 @@
 Base::finishCreation(vm);
 finishCreationCommon(vm);
 
+ASSERT(vm.heap.isDeferred());
+
 auto throwScope = DECLARE_THROW_SCOPE(vm);
 
 if (m_unlinkedCode->wasCompiledWithTypeProfilerOpcodes() || m_unlinkedCode->wasCompiledWithControlFlowProfilerOpcodes())
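Review bot: `ASSERT(vm.heap.isDeferred());` states a precondition without saying why it matters; tie it to the rationale given two hunks later (linking must put the CodeBlock into a coherent state before anything can throw), since a reader of this line alone cannot tell whether the assert guards the deferred-exception logic or something unrelated. Being an `ASSERT`, it also only checks debug builds.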
@@ -383,8 +385,10 @@
 vm.functionHasExecutedCache()->removeUnexecutedRange(ownerExecutable->sourceID(), ownerExecutable->typeProfilingStartOffset(vm), ownerExecutable->typeProfilingEndOffset(vm));
 
 ScriptExecutable* topLevelExecutable = ownerExecutable->topLevelExecutable();
-setConstantRegisters(unlinkedCodeBlock->constantRegisters(), unlinkedCodeBlock->constantsSourceCodeRepresentation(), topLevelExecutable);
-RETURN_IF_EXCEPTION(throwScope, false);
+// We wait to initialize template objects until the end of finishCreation beecause it can
+// throw. We rely on linking to put the CodeBlock into a coherent state, so we can't throw
+// until we're all done linking.
+Vector templateObjectIndices = setConstantRegisters(unlinkedCodeBlock->constantRegisters(), unlinkedCodeBlock->constantsSourceCodeRepresentation());
 
 // We already have the cloned symbol table for the module environment since we need to instantiate
 // the module environments before linking the code block. We replace the stored symbol table with the already cloned one.
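Review bot: typo in the new comment, "beecause" should be "because". Also, since the RETURN_IF_EXCEPTION that followed setConstantRegisters is gone and the returned templateObjectIndices are only consumed at the end of finishCreation (the ChangeLog lists initializeTemplateObjects), add a short comment here naming where the exception check now happens, so a reader can verify that no throwing call remains between this point and the end of linking.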
@@ -435,7 +439,8 @@
 // Bookkeep the strongly referenced module environments.
 HashSet stronglyReferencedModuleEnvironments;
 
-auto link_profile = [&](const auto& /*instruction*/, auto /*bytecode*/, auto& /*metadata*/) {
+auto link_profile = [&](const auto& /*instruction*/, auto /*bytecode*/, auto& metadata) {
+static_assert(std::is_same_v);
 m_numberOfNonArgumentValueProfiles++;
 };
 
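Review bot: `static_assert(std::is_same_v);` is rendered here without its template arguments (the page's extraction dropped the angle-bracket contents), so the reader cannot tell which metadata type the lambda is constrained to; giving the static_assert a message string naming the expected type (for example the metadata struct that carries the value profile) would make the intent survive even in a mangled rendering and would document why the `metadata` parameter is now named.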
@@ -499,9 +504,9 @@
 
 LINK(OpGetById, profile)
 
-LINK(OpEnumeratorNext, profile)
-LINK(OpEnumeratorInByVal, profile)
-LINK(OpEnumeratorHasOwnProperty, profile)
+LINK(OpEnumeratorNext)
+LINK(OpEnumeratorInByVal)
+LINK(OpEnumeratorHasOwnProperty)
 LINK(OpEnumeratorGetByVal, profile)
 
 LINK(OpCall, profile)
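Review bot: dropping `profile` from the LINK lines for OpEnumeratorNext, OpEnumeratorInByVal and OpEnumeratorHasOwnProperty means their metadata is no longer counted in m_numberOfNonArgumentValueProfiles, yet OpEnumeratorGetByVal on the very next line keeps its profile and neither the ChangeLog nor a comment explains the difference; add a sentence to the ChangeLog saying why these three opcodes no longer link a value profile.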
@@ -563,7 +568,6 @@
 RELEASE_ASSERT(bytecode.m_resolveType != ResolvedClosureVar);
 
 ResolveOp op = JSScope::abstractResolve(m_globalObject.get(), bytecode.m_localScopeDepth, scope, ident, Get, bytecode.m_resolveType, InitializationMode::NotInitialization);
-RETURN_IF_EXCEPTION(throwScope, false);
 
 
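Review bot: removing RETURN_IF_EXCEPTION after JSScope::abstractResolve is only sound if abstractResolve can no longer throw on this path. The ChangeLog lists edits to JSScope::abstractResolve and JSScope::abstractAccess, but that hunk is not shown in this message, so confirm that the throwing call was actually removed there rather than left in place, since an exception left pending on throwScope would now go unchecked at this point in linking.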

[webkit-changes] [282621] trunk/Source/JavaScriptCore

2021-09-16 Thread sbarati
Title: [282621] trunk/Source/_javascript_Core

Revision 282621
Author sbar...@apple.com
Date 2021-09-16 17:11:24 -0700 (Thu, 16 Sep 2021)

Log Message
Move some profiling to UnlinkedCodeBlock
https://bugs.webkit.org/show_bug.cgi?id=230078


Reviewed by Yusuke Suzuki.

This patch adds UnlinkedValueProfile and UnlinkedArrayProfile to
UnlinkedCodeBlock. These profiles serialize the data in ValueProfile
and ArrayProfile. Each time a CodeBlock updates value profiles,
it mixes in up to date information from the unlinked profiles, and
also writes back data to the unlinked profiles, so the data is shared
between CodeBlocks of the same UnlinkedCodeBlock.

This patch also fixes a pre-existing bug where we would sometimes think
we had more metadata table entries than we really had in practice. This is
because MetadataTable::forEach used the next opcode's start pointer. That
pointer was aligned to that opcode's metadata alignment. So that might make
the previous opcode think it had an extra 1-7 entries (depending on size,
alignment, etc). This patch fixes that by having the next opcode's start
offset in the table always be the end offset of the previous opcode, and we
align the start pointer when using it.

This was measured as a ~0.5% speedup on Speedometer2.

* bytecode/ArrayProfile.h:
(JSC::UnlinkedArrayProfile::update):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllArrayProfilePredictions):
(JSC::CodeBlock::updateAllArrayPredictions):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::metadata):
* bytecode/CodeBlockInlines.h:
(JSC::CodeBlock::forEachArrayProfile): Deleted.
* bytecode/MetadataTable.cpp:
(JSC::DeallocTable::withOpcodeType):
* bytecode/MetadataTable.h:
(JSC::MetadataTable::get):
(JSC::MetadataTable::forEach):
(JSC::MetadataTable::getWithoutAligning):
(JSC::MetadataTable::getImpl): Deleted.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::allocateSharedProfiles):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::unlinkedValueProfile):
(JSC::UnlinkedCodeBlock::unlinkedArrayProfile):
* bytecode/UnlinkedCodeBlockGenerator.cpp:
(JSC::UnlinkedCodeBlockGenerator::finalize):
* bytecode/UnlinkedMetadataTable.cpp:
(JSC::UnlinkedMetadataTable::finalize):
* bytecode/UnlinkedMetadataTable.h:
(JSC::UnlinkedMetadataTable::isFinalized):
(JSC::UnlinkedMetadataTable::hasMetadata):
* bytecode/UnlinkedMetadataTableInlines.h:
(JSC::UnlinkedMetadataTable::numEntries):
* bytecode/ValueProfile.h:
(JSC::UnlinkedValueProfile::update):
* bytecompiler/BytecodeGenerator.h:
* llint/LowLevelInterpreter.asm:
* runtime/CachedTypes.cpp:
(JSC::CachedCodeBlock::numValueProfiles const):
(JSC::CachedCodeBlock::numArrayProfiles const):
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::CachedCodeBlock::encode):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/ArrayProfile.h
trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/CodeBlock.h
trunk/Source/_javascript_Core/bytecode/CodeBlockInlines.h
trunk/Source/_javascript_Core/bytecode/MetadataTable.cpp
trunk/Source/_javascript_Core/bytecode/MetadataTable.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h
trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlockGenerator.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTable.cpp
trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTable.h
trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTableInlines.h
trunk/Source/_javascript_Core/bytecode/ValueProfile.h
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h
trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm
trunk/Source/_javascript_Core/runtime/CachedTypes.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (282620 => 282621)

--- trunk/Source/_javascript_Core/ChangeLog	2021-09-17 00:09:25 UTC (rev 282620)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-17 00:11:24 UTC (rev 282621)
@@ -1,3 +1,71 @@
+2021-09-16  Saam Barati  
+
+Move some profiling to UnlinkedCodeBlock
+https://bugs.webkit.org/show_bug.cgi?id=230078
+
+
+Reviewed by Yusuke Suzuki.
+
+This patch adds UnlinkedValueProfile and UnlinkedArrayProfile to
+UnlinkedCodeBlock. These profiles serialize the data in ValueProfile
+and ArrayProfile. Each time a CodeBlock updates value profiles,
+it mixes in up to date information from the unlinked profiles, and
+also writes back data to the unlinked profiles, so the data is shared
+between CodeBlocks of the same UnlinkedCodeBlock.
+
+This patch also fixes a pre-existing bug where we would sometimes think
+we had more metadata table entries than we really had in practice. This is
+because MetadataTable::forEach used the next opcode's start pointer. That
+  

[webkit-changes] [281826] trunk/Source/JavaScriptCore

2021-08-31 Thread sbarati
Title: [281826] trunk/Source/_javascript_Core

Revision 281826
Author sbar...@apple.com
Date 2021-08-31 15:46:05 -0700 (Tue, 31 Aug 2021)

Log Message
Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell
https://bugs.webkit.org/show_bug.cgi?id=229725

Reviewed by Keith Miller.

If the base isn't a cell, we're calling the slow path with a random value
in the property. This works, because the slow paths first branch on if
the base is a cell or not, and throw an exception. But we fix this for our
own sanity, since it's never a good idea to go to a slow path with a
JSValue argument containing unknown bits.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitHasPrivate):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (281825 => 281826)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-31 22:08:04 UTC (rev 281825)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-31 22:46:05 UTC (rev 281826)
@@ -1,3 +1,20 @@
+2021-08-31  Saam Barati  
+
+Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell
+https://bugs.webkit.org/show_bug.cgi?id=229725
+
+Reviewed by Keith Miller.
+
+If the base isn't a cell, we're calling the slow path with a random value
+in the property. This works, because the slow paths first branch on if
+the base is a cell or not, and throw an exception. But we fix this for our
+own sanity, since it's never a good idea to go to a slow path with a
+JSValue argument containing unknown bits.
+
+* jit/JITPropertyAccess.cpp:
+(JSC::JIT::emit_op_in_by_val):
+(JSC::JIT::emitHasPrivate):
+
 2021-08-31  Aditi Singh  
 
 Implement Object.hasOwn()


Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (281825 => 281826)

--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2021-08-31 22:08:04 UTC (rev 281825)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2021-08-31 22:46:05 UTC (rev 281826)
@@ -1514,8 +1514,8 @@
 ArrayProfile* profile = ""
 
 emitGetVirtualRegister(base, regT0);
+emitGetVirtualRegister(property, regT1);
 emitJumpSlowCaseIfNotJSCell(regT0, base);
-emitGetVirtualRegister(property, regT1);
 emitArrayProfilingSiteWithCell(regT0, profile, regT2);
 
 JITInByValGenerator gen(
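Review bot: loading `property` into regT1 before emitJumpSlowCaseIfNotJSCell is the right fix: previously the slow path received whatever regT1 happened to contain when the base was not a cell, which only worked because the slow path tests the base first (as the ChangeLog says), and passing a register with unknown bits as a JSValue is not a state worth relying on. Note that the first context line, `ArrayProfile* profile = ""`, is mangled in this rendering (its initializer was stripped by extraction) and does not reflect the source.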
@@ -1584,8 +1584,8 @@
 void JIT::emitHasPrivate(VirtualRegister dst, VirtualRegister base, VirtualRegister propertyOrBrand, AccessType type)
 {
 emitGetVirtualRegister(base, regT0);
+emitGetVirtualRegister(propertyOrBrand, regT1);
 emitJumpSlowCaseIfNotJSCell(regT0, base);
-emitGetVirtualRegister(propertyOrBrand, regT1);
 
 JITInByValGenerator gen(
 m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), type, RegisterSet::stubUnavailableRegisters(),
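Review bot: same reordering as in emit_op_in_by_val. Because emitHasPrivate is shared across several access types via the `type` parameter, a brief comment that regT1 must be fully initialized before any slow-case jump is emitted would keep a future edit from reintroducing the old ordering in one of the callers.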






___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes


[webkit-changes] [281717] trunk/Source/JavaScriptCore

2021-08-27 Thread sbarati
Title: [281717] trunk/Source/_javascript_Core

Revision 281717
Author sbar...@apple.com
Date 2021-08-27 12:53:12 -0700 (Fri, 27 Aug 2021)

Log Message
Update ARM64EHash
https://bugs.webkit.org/show_bug.cgi?id=228962


Reviewed by Mark Lam.

* assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::ARM64EHash):
(JSC::ARM64EHash::update):
(JSC::ARM64EHash::makeDiversifier):
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::bitsForDiversifier):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::putIntegralUnchecked):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h
trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (281716 => 281717)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-27 19:38:30 UTC (rev 281716)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-27 19:53:12 UTC (rev 281717)
@@ -1,3 +1,24 @@
+2021-08-27  Saam Barati  
+
+Update ARM64EHash
+https://bugs.webkit.org/show_bug.cgi?id=228962
+
+
+Reviewed by Mark Lam.
+
+* assembler/AssemblerBuffer.h:
+(JSC::ARM64EHash::ARM64EHash):
+(JSC::ARM64EHash::update):
+(JSC::ARM64EHash::makeDiversifier):
+(JSC::ARM64EHash::nextValue):
+(JSC::ARM64EHash::bitsForDiversifier):
+(JSC::ARM64EHash::currentHash):
+(JSC::ARM64EHash::setUpdatedHash):
+(JSC::AssemblerBuffer::AssemblerBuffer):
+(JSC::AssemblerBuffer::putIntegralUnchecked):
+* assembler/LinkBuffer.cpp:
+(JSC::LinkBuffer::copyCompactAndLinkCode):
+
 2021-08-27  Mikhail R. Gadelha  
 
 Avoid increasing required alignment of target type warning on ARM 32 bits


Modified: trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h (281716 => 281717)

--- trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h	2021-08-27 19:38:30 UTC (rev 281716)
+++ trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h	2021-08-27 19:53:12 UTC (rev 281717)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -203,14 +203,15 @@
 };
 
 #if CPU(ARM64E)
+#if PLATFORM(MAC)
 class ARM64EHash {
 public:
-ARM64EHash(uint32_t initialHash)
-: m_hash(initialHash)
+ARM64EHash(void* initialHash)
+: m_hash(static_cast(bitwise_cast(initialHash)))
 {
 }
 
-ALWAYS_INLINE uint32_t update(uint32_t value)
+ALWAYS_INLINE uint32_t update(uint32_t value, uint32_t, void*)
 {
 uint64_t input = value ^ m_hash;
 uint64_t a = static_cast(tagInt(input, static_cast(0)) >> 39);
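Review bot: in the PLATFORM(MAC) variant, update() now takes the extra `uint32_t, void*` parameters but ignores both, so on this platform the hash is neither index-dependent nor diversified by the pointer the caller passes, unlike the #else variant that follows. A comment stating why the older scheme is kept on Mac would stop readers from assuming both variants give the same guarantees. Also, `static_cast(bitwise_cast(initialHash))` in the constructor has lost its template arguments in this rendering.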
@@ -222,8 +223,66 @@
 private:
 uint32_t m_hash;
 };
-#endif
+#else
+class ARM64EHash {
+public:
+ARM64EHash(void* diversifier)
+{
+setUpdatedHash(0, 0, diversifier);
+}
 
+ALWAYS_INLINE uint32_t update(uint32_t instruction, uint32_t index, void* diversifier)
+{
+uint32_t currentHash = this->currentHash(index, diversifier);
+uint64_t nextIndex = index + 1;
+uint32_t output = nextValue(instruction, nextIndex, currentHash);
+setUpdatedHash(output, nextIndex, diversifier);
+return output;
+}
+
+private:
+static constexpr uint8_t initializationNamespace = 0x11;
+
+static ALWAYS_INLINE PtrTag makeDiversifier(uint8_t namespaceTag, uint64_t index, uint32_t value)
+{
+// 
+return static_cast((static_cast(namespaceTag) << 56) + ((index & 0xFF) << 32) + value);
+}
+
+static ALWAYS_INLINE uint32_t nextValue(uint64_t instruction, uint64_t index, uint32_t currentValue)
+{
+uint64_t a = tagInt(instruction, makeDiversifier(0x12, index, currentValue));
+uint64_t b = tagInt(instruction, makeDiversifier(0x13, index, currentValue));
+return (a >> 39) ^ (b >> 23);
+}
+
+static ALWAYS_INLINE uint32_t bitsForDiversifier(void* diversifier)
+{
+return bitwise_cast(diversifier);
+}
+
+ALWAYS_INLINE uint32_t currentHash(uint32_t index, void* diversifier)
+{
+bool hashFieldIsTagged = index == 0;
+if (hashFieldIsTagged)
+return untagInt(m_hash, makeDiversifier(initializationNamespace, index, bitsForDiversifier(diversifier)));
+return m_hash;
+}
+
+ALWAYS_INLINE void setUpdatedHash(uint32_t value, uint32_t index, void* diversifier)
+{
+bool 
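Review bot: makeDiversifier folds only `index & 0xFF` into the tag, so the index contribution repeats every 256 instructions; chaining through currentValue still makes every step depend on all prior ones, but a comment saying the truncation is intentional would help. The empty `// ` comment above the return in makeDiversifier should be filled in or removed. currentHash() treats index == 0 as the only case where m_hash is stored tagged, so setUpdatedHash (cut off at the end of this message) must tag only at index 0 as well, otherwise untagInt will be applied to an untagged value on later reads.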

[webkit-changes] [281665] trunk

2021-08-26 Thread sbarati
Title: [281665] trunk

Revision 281665
Author sbar...@apple.com
Date 2021-08-26 15:43:32 -0700 (Thu, 26 Aug 2021)

Log Message
r281485 was not sufficient in where it called disablePeepholeOptimization
https://bugs.webkit.org/show_bug.cgi?id=229582


Reviewed by Yusuke Suzuki.

JSTests:

* stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js: Added.
(foo):

Source/_javascript_Core:

r281485 accidentally deleted a place where we called disablePeepholeOptimization
that was necessary. Basically, after we seek where the current instruction
in BytecodeGenerator is, we need to disablePeepholeOptimization.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::ForInContext::finalize):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp


Added Paths

trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js




Diff

Modified: trunk/JSTests/ChangeLog (281664 => 281665)

--- trunk/JSTests/ChangeLog	2021-08-26 22:43:29 UTC (rev 281664)
+++ trunk/JSTests/ChangeLog	2021-08-26 22:43:32 UTC (rev 281665)
@@ -1,3 +1,14 @@
+2021-08-26  Saam Barati  
+
+r281485 was not sufficient in where it called disablePeepholeOptimization
+https://bugs.webkit.org/show_bug.cgi?id=229582
+
+
+Reviewed by Yusuke Suzuki.
+
+* stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js: Added.
+(foo):
+
 2021-08-24  Yusuke Suzuki  
 
 Update Intl tests to support ICU 68


Added: trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js (0 => 281665)

--- trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js	(rev 0)
+++ trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite-2.js	2021-08-26 22:43:32 UTC (rev 281665)
@@ -0,0 +1,12 @@
+function foo() {
+for (var c in b) {
+if (b.hasOwnProperty(c)) {
+var e = b[c];
+c = "str";
+}
+}
+}
+
+try {
+foo();
+} catch { }


Modified: trunk/Source/_javascript_Core/ChangeLog (281664 => 281665)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-26 22:43:29 UTC (rev 281664)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-26 22:43:32 UTC (rev 281665)
@@ -1,3 +1,18 @@
+2021-08-26  Saam Barati  
+
+r281485 was not sufficient in where it called disablePeepholeOptimization
+https://bugs.webkit.org/show_bug.cgi?id=229582
+
+
+Reviewed by Yusuke Suzuki.
+
+r281485 accidentally deleted a place where we called disablePeepholeOptimization
+that was necessary. Basically, after we seek where the current instruction
+in BytecodeGenerator is, we need to disablePeepholeOptimization.
+
+* bytecompiler/BytecodeGenerator.cpp:
+(JSC::ForInContext::finalize):
+
 2021-08-26  Per Arne Vollan  
 
 [AppleWin] JSC build failure


Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (281664 => 281665)

--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2021-08-26 22:43:29 UTC (rev 281664)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2021-08-26 22:43:32 UTC (rev 281665)
@@ -5386,6 +5386,7 @@
 auto end = branchInstIndex + instruction->size();
 
 generator.m_writer.seek(branchInstIndex);
+generator.disablePeepholeOptimization();
 
 OpJmp::emit(, BoundLabel(static_cast(newBranchTarget) - static_cast(branchInstIndex)));
 
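Review bot: the re-added disablePeepholeOptimization() right after m_writer.seek(branchInstIndex) restores the call that r281485 dropped (its hunk appears later on this page). Since the generator's last-instruction bookkeeping is invalidated by any seek, a comment stating that the call is required after this seek as well as after the final seek to the end would prevent a third round of the same regression. The `OpJmp::emit(, BoundLabel(...))` context line has lost its first argument in this rendering.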
@@ -5393,9 +5394,8 @@
 OpNop::emit();
 }
 
+generator.m_writer.seek(generator.m_writer.size());
 generator.disablePeepholeOptimization(); // We might've just changed the last bytecode that was emitted.
-
-generator.m_writer.seek(generator.m_writer.size());
 }
 
 void StaticPropertyAnalysis::record()




[webkit-changes] [281485] trunk

2021-08-23 Thread sbarati
Title: [281485] trunk

Revision 281485
Author sbar...@apple.com
Date 2021-08-23 19:59:56 -0700 (Mon, 23 Aug 2021)

Log Message
Disable peephole optimizations in the byte code generator after rewriting instructions for for-in
https://bugs.webkit.org/show_bug.cgi?id=229420


Reviewed by Keith Miller.

JSTests:

* stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js: Added.
(foo):

Source/_javascript_Core:

The final instruction in a for-in loop might be the get by val that
we're rewriting because there was an escape. We won't ever actually
do peephole optimizations on this get_by_val today, but it breaks
some bookkeeping that the bytecode generator does. This patch makes
sure the bookkeeping is up to date.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::ForInContext::finalize):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp


Added Paths

trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js




Diff

Modified: trunk/JSTests/ChangeLog (281484 => 281485)

--- trunk/JSTests/ChangeLog	2021-08-24 01:28:17 UTC (rev 281484)
+++ trunk/JSTests/ChangeLog	2021-08-24 02:59:56 UTC (rev 281485)
@@ -1,5 +1,16 @@
 2021-08-23  Saam Barati  
 
+Disable peephole optimizations in the byte code generator after rewriting instructions for for-in
+https://bugs.webkit.org/show_bug.cgi?id=229420
+
+
+Reviewed by Keith Miller.
+
+* stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js: Added.
+(foo):
+
+2021-08-23  Saam Barati  
+
 compileEnumeratorHasProperty uses flushRegisters incorrectly
 https://bugs.webkit.org/show_bug.cgi?id=229412
 


Added: trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js (0 => 281485)

--- trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js	(rev 0)
+++ trunk/JSTests/stress/for-in-disable-bytecode-generator-peephole-optimizations-after-rewrite.js	2021-08-24 02:59:56 UTC (rev 281485)
@@ -0,0 +1,9 @@
+function foo() {
+for (let x in []) {
+x in undefined;
+x = 0;
+[][x];
+}
+}
+foo();
+


Modified: trunk/Source/_javascript_Core/ChangeLog (281484 => 281485)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-24 01:28:17 UTC (rev 281484)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-24 02:59:56 UTC (rev 281485)
@@ -1,5 +1,22 @@
 2021-08-23  Saam Barati  
 
+Disable peephole optimizations in the byte code generator after rewriting instructions for for-in
+https://bugs.webkit.org/show_bug.cgi?id=229420
+
+
+Reviewed by Keith Miller.
+
+The final instruction in a for-in loop might be the get by val that
+we're rewriting because there was an escape. We won't ever actually
+do peephole optimizations on this get_by_val today, but it breaks
+some bookkeeping that the bytecode generator does. This patch makes
+sure the bookkeeping is up to date.
+
+* bytecompiler/BytecodeGenerator.cpp:
+(JSC::ForInContext::finalize):
+
+2021-08-23  Saam Barati  
+
 compileEnumeratorHasProperty uses flushRegisters incorrectly
 https://bugs.webkit.org/show_bug.cgi?id=229412
 


Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (281484 => 281485)

--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2021-08-24 01:28:17 UTC (rev 281484)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2021-08-24 02:59:56 UTC (rev 281485)
@@ -5369,9 +5369,6 @@
 if (!escaped)
 return;
 
-OpcodeID lastOpcodeID = generator.m_lastOpcodeID;
-InstructionStream::MutableRef lastInstruction = generator.m_lastInstruction;
-
 for (const auto& instTuple : m_getInsts)
 rewriteOp(generator, instTuple);
 
@@ -5390,8 +5387,6 @@
 
 generator.m_writer.seek(branchInstIndex);
 
-generator.disablePeepholeOptimization();
-
 OpJmp::emit(, BoundLabel(static_cast(newBranchTarget) - static_cast(branchInstIndex)));
 
 while (generator.m_writer.position() < end)
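Review bot: deleting the disablePeepholeOptimization() call that followed m_writer.seek(branchInstIndex) is the regression that r281665 later fixes (see its hunk earlier on this page): after the seek, the generator's last-instruction state no longer describes the position about to be written, so the OpJmp emitted at the rewritten branch could be peephole-merged against stale state. Keep the call after every seek, not only after the final seek to the end.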
@@ -5398,11 +5393,9 @@
 OpNop::emit();
 }
 
+generator.disablePeepholeOptimization(); // We might've just changed the last bytecode that was emitted.
+
 generator.m_writer.seek(generator.m_writer.size());
-if (generator.m_lastInstruction.offset() + generator.m_lastInstruction->size() != generator.m_writer.size()) {
-generator.m_lastOpcodeID = lastOpcodeID;
-generator.m_lastInstruction = lastInstruction;
-}
 }
 
 void StaticPropertyAnalysis::record()
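Review bot: disablePeepholeOptimization() is called here before m_writer.seek(m_writer.size()), so the bookkeeping it resets describes the rewritten branch position rather than the true end of the stream that the following seek moves to; r281665 swaps these two lines so the reset happens after the seek. Dropping the manual restore of m_lastOpcodeID and m_lastInstruction is fine once the peephole state is disabled after the final seek.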




[webkit-changes] [281473] trunk

2021-08-23 Thread sbarati
Title: [281473] trunk

Revision 281473
Author sbar...@apple.com
Date 2021-08-23 14:44:19 -0700 (Mon, 23 Aug 2021)

Log Message
compileEnumeratorHasProperty uses flushRegisters incorrectly
https://bugs.webkit.org/show_bug.cgi?id=229412


Reviewed by Keith Miller.

JSTests:

* stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
(foo):
* stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
(a.toString):

Source/_javascript_Core:

We were calling flushRegisters() inside code that isn't always run inside the
EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
flushRegisters() must be used, since flushRegisters() updates global register
allocation state, and therefore must run each time a node is run. To fix, we
move flushRegisters() before the code starts emitting branches.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp


Added Paths

trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js
trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js




Diff

Modified: trunk/JSTests/ChangeLog (281472 => 281473)

--- trunk/JSTests/ChangeLog	2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/JSTests/ChangeLog	2021-08-23 21:44:19 UTC (rev 281473)
@@ -1,3 +1,16 @@
+2021-08-23  Saam Barati  
+
+compileEnumeratorHasProperty uses flushRegisters incorrectly
+https://bugs.webkit.org/show_bug.cgi?id=229412
+
+
+Reviewed by Keith Miller.
+
+* stress/for-in-has-own-property-shouldnt-flush-registers.js: Added.
+(foo):
+* stress/for-in-in-by-val-shouldnt-flush-registers.js: Added.
+(a.toString):
+
 2021-08-22  Yusuke Suzuki  
 
 [JSC] Remove already-shipped wasm option flags


Added: trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js (0 => 281473)

--- trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js	(rev 0)
+++ trunk/JSTests/stress/for-in-has-own-property-shouldnt-flush-registers.js	2021-08-23 21:44:19 UTC (rev 281473)
@@ -0,0 +1,11 @@
+function foo(o) {
+for (let p in o) {
+o.hasOwnProperty(p);
+o.__proto__ = undefined;
+}
+}
+
+for (let i = 0; i < 10; ++i) {
+foo({f:42});
+}
+


Added: trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js (0 => 281473)

--- trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js	(rev 0)
+++ trunk/JSTests/stress/for-in-in-by-val-shouldnt-flush-registers.js	2021-08-23 21:44:19 UTC (rev 281473)
@@ -0,0 +1,13 @@
+const a = [undefined];
+a.toString = ()=>{};
+
+function foo() {
+for (let x in a) {
+  x in a;
+  +x;
+}
+}
+
+for (let i=0; i<1; i++) {
+  foo();
+}


Modified: trunk/Source/_javascript_Core/ChangeLog (281472 => 281473)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-23 21:44:19 UTC (rev 281473)
@@ -1,3 +1,20 @@
+2021-08-23  Saam Barati  
+
+compileEnumeratorHasProperty uses flushRegisters incorrectly
+https://bugs.webkit.org/show_bug.cgi?id=229412
+
+
+Reviewed by Keith Miller.
+
+We were calling flushRegisters() inside code that isn't always runs inside the
+EnumeratorInByVal/EnumeratorHasOwnProperty nodes. That is a violation of how
+flushRegisters() must be used, since flushRegisters() updates global register
+allocation state, and therefore must run each time a node is run. To fix, we
+move flushRegisters() before the code starts emitting branches.
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+
 2021-08-23  Yusuke Suzuki  
 
 [JSC] emitArrayProfilingSiteWithCell should not load indexingType unnecessarily


Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (281472 => 281473)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-23 21:39:37 UTC (rev 281472)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-08-23 21:44:19 UTC (rev 281473)
@@ -13692,6 +13692,8 @@
 GPRReg modeGPR = mode.gpr();
 GPRReg enumeratorGPR = enumerator.gpr();
 
+flushRegisters();
+
 JSValueRegsTemporary result(this);
 JSValueRegs resultRegs = result.regs();
 
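Review bot: hoisting flushRegisters() so it runs unconditionally before any branch is emitted is the right fix, because flushRegisters() mutates the allocator's global state and a call reachable only on some paths leaves that state dependent on which path executed (as the ChangeLog says). A short comment at the call site, "must run on every path through this node, before the first branch", would make the invariant visible to future edits of this function.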
@@ -13711,7 +13713,6 @@
 
 operationCases.link(_jit);
 
-flushRegisters();
 #if USE(JSVALUE32_64)
 m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR());
 auto baseRegs = JSValueRegs(baseCellGPR, resultRegs.tagGPR());




[webkit-changes] [281178] trunk/Source/JavaScriptCore

2021-08-17 Thread sbarati
Title: [281178] trunk/Source/_javascript_Core

Revision 281178
Author sbar...@apple.com
Date 2021-08-17 19:27:03 -0700 (Tue, 17 Aug 2021)

Log Message
Add an option for canonicalizePrePostIncrements
https://bugs.webkit.org/show_bug.cgi?id=229211


Reviewed by Mark Lam.

The current phase has bugs. Let's disable it for now until the bugs
are fixed. See discussion about the bugs I spotted in:
https://bugs.webkit.org/show_bug.cgi?id=228538

* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* b3/testb3_3.cpp:
(addShrTests):
* runtime/OptionsList.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/B3Generate.cpp
trunk/Source/_javascript_Core/b3/testb3_3.cpp
trunk/Source/_javascript_Core/runtime/OptionsList.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (281177 => 281178)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-18 02:20:25 UTC (rev 281177)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-18 02:27:03 UTC (rev 281178)
@@ -1,3 +1,21 @@
+2021-08-17  Saam Barati  
+
+Add an option for canonicalizePrePostIncrements
+https://bugs.webkit.org/show_bug.cgi?id=229211
+
+
+Reviewed by Mark Lam.
+
+The current phase has bugs. Let's disable it for now until the bugs
+are fixed. See discussion about the bugs I spotted in:
+https://bugs.webkit.org/show_bug.cgi?id=228538
+
+* b3/B3Generate.cpp:
+(JSC::B3::generateToAir):
+* b3/testb3_3.cpp:
+(addShrTests):
+* runtime/OptionsList.h:
+
 2021-08-16  Mark Lam  
 
 Ensure that unused LLInt opcodes are not inadvertently used.


Modified: trunk/Source/_javascript_Core/b3/B3Generate.cpp (281177 => 281178)

--- trunk/Source/_javascript_Core/b3/B3Generate.cpp	2021-08-18 02:20:25 UTC (rev 281177)
+++ trunk/Source/_javascript_Core/b3/B3Generate.cpp	2021-08-18 02:27:03 UTC (rev 281178)
@@ -118,7 +118,7 @@
 lowerMacrosAfterOptimizations(procedure);
 legalizeMemoryOffsets(procedure);
 moveConstants(procedure);
-if (procedure.optLevel() >= 2)
+if (Options::useB3CanonicalizePrePostIncrements() && procedure.optLevel() >= 2)
 canonicalizePrePostIncrements(procedure);
 eliminateDeadCode(procedure);
 
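Review bot: the new gate reads Options::useB3CanonicalizePrePostIncrements(), which the OptionsList.h hunk below adds with a default of false, so this disables the phase for everyone. Since the ChangeLog says the phase is being turned off because of known bugs (bug 228538), leave a comment at this call site pointing at that bug so the gate is not removed before the fix lands.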


Modified: trunk/Source/_javascript_Core/b3/testb3_3.cpp (281177 => 281178)

--- trunk/Source/_javascript_Core/b3/testb3_3.cpp	2021-08-18 02:20:25 UTC (rev 281177)
+++ trunk/Source/_javascript_Core/b3/testb3_3.cpp	2021-08-18 02:27:03 UTC (rev 281178)
@@ -4097,15 +4097,17 @@
 RUN(testZShrArgImm32(0x, 1));
 RUN(testZShrArgImm32(0x, 63));
 
-RUN(testLoadPreIndex32());
-RUN(testLoadPreIndex64());
-RUN(testLoadPostIndex32());
-RUN(testLoadPostIndex64());
+if (Options::useB3CanonicalizePrePostIncrements()) {
+RUN(testLoadPreIndex32());
+RUN(testLoadPreIndex64());
+RUN(testLoadPostIndex32());
+RUN(testLoadPostIndex64());
 
-RUN(testStorePreIndex32());
-RUN(testStorePreIndex64());
-RUN(testStorePostIndex32());
-RUN(testStorePostIndex64());
+RUN(testStorePreIndex32());
+RUN(testStorePreIndex64());
+RUN(testStorePostIndex32());
+RUN(testStorePostIndex64());
+}
 }
 
 #endif // ENABLE(B3_JIT)
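Review bot: gating the pre/post-index tests on the same option that defaults to false means they no longer run in the default testb3 configuration, so the phase can regress silently until it is re-enabled; either run this block with the option forced on in the test harness, or state in the ChangeLog that the tests are intentionally dormant. (The `0x` literals in the context lines have been truncated by the page's extraction.)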


Modified: trunk/Source/_javascript_Core/runtime/OptionsList.h (281177 => 281178)

--- trunk/Source/_javascript_Core/runtime/OptionsList.h	2021-08-18 02:20:25 UTC (rev 281177)
+++ trunk/Source/_javascript_Core/runtime/OptionsList.h	2021-08-18 02:27:03 UTC (rev 281178)
@@ -437,6 +437,7 @@
 v(Unsigned, maxB3TailDupBlockSize, 3, Normal, nullptr) \
 v(Unsigned, maxB3TailDupBlockSuccessors, 3, Normal, nullptr) \
 v(Bool, useB3HoistLoopInvariantValues, false, Normal, nullptr) \
+v(Bool, useB3CanonicalizePrePostIncrements, false, Normal, nullptr) \
 \
 v(Bool, useDollarVM, false, Restricted, "installs the $vm debugging tool in global objects") \
 v(OptionString, functionOverrides, nullptr, Restricted, "file with debugging overrides for function bodies") \
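Review bot: the new option has a nullptr description like its neighbour, but this one exists specifically to keep a buggy phase off; a description string such as "enables B3 canonicalizePrePostIncrements (off pending bug 228538)" would tell anyone listing the options why it defaults to false.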




[webkit-changes] [280984] trunk/Source/JavaScriptCore

2021-08-12 Thread sbarati
Title: [280984] trunk/Source/_javascript_Core

Revision 280984
Author sbar...@apple.com
Date 2021-08-12 13:45:02 -0700 (Thu, 12 Aug 2021)

Log Message
Update ARM64EHash
https://bugs.webkit.org/show_bug.cgi?id=228962


Reviewed by Mark Lam.

* assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::makeDiversifier):
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::bitsForDiversifier):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
(JSC::ARM64EHash::ARM64EHash):
(JSC::ARM64EHash::update):
(JSC::ARM64EHash::finalize):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::putIntegralUnchecked):
(JSC::AssemblerBuffer::hash const):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h
trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (280983 => 280984)

--- trunk/Source/_javascript_Core/ChangeLog	2021-08-12 20:35:58 UTC (rev 280983)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-12 20:45:02 UTC (rev 280984)
@@ -1,3 +1,26 @@
+2021-08-12  Saam Barati  
+
+Update ARM64EHash
+https://bugs.webkit.org/show_bug.cgi?id=228962
+
+
+Reviewed by Mark Lam.
+
+* assembler/AssemblerBuffer.h:
+(JSC::ARM64EHash::makeDiversifier):
+(JSC::ARM64EHash::nextValue):
+(JSC::ARM64EHash::bitsForDiversifier):
+(JSC::ARM64EHash::currentHash):
+(JSC::ARM64EHash::setUpdatedHash):
+(JSC::ARM64EHash::ARM64EHash):
+(JSC::ARM64EHash::update):
+(JSC::ARM64EHash::finalize):
+(JSC::AssemblerBuffer::AssemblerBuffer):
+(JSC::AssemblerBuffer::putIntegralUnchecked):
+(JSC::AssemblerBuffer::hash const):
+* assembler/LinkBuffer.cpp:
+(JSC::LinkBuffer::copyCompactAndLinkCode):
+
 2021-08-11  Yusuke Suzuki  
 
 WTFCrash in JSC::Lexer::append8


Modified: trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h (280983 => 280984)

--- trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h	2021-08-12 20:35:58 UTC (rev 280983)
+++ trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h	2021-08-12 20:45:02 UTC (rev 280984)
@@ -205,22 +205,62 @@
 #if CPU(ARM64E)
 class ARM64EHash {
 public:
-ARM64EHash(uint32_t initialHash)
-: m_hash(initialHash)
+static constexpr uint8_t initializationNamespace = 0x11;
+
+static ALWAYS_INLINE PtrTag makeDiversifier(uint8_t namespaceTag, uint64_t index, uint32_t value)
 {
+// 
+return static_cast((static_cast(namespaceTag) << 56) + ((index & 0xFF) << 32) + static_cast(value));
 }
 
-ALWAYS_INLINE uint32_t update(uint32_t value)
+static ALWAYS_INLINE uint32_t nextValue(uint64_t instruction, uint64_t index, uint32_t currentValue)
 {
-uint64_t input = value ^ m_hash;
-uint64_t a = static_cast(tagInt(input, static_cast(0)) >> 39);
-uint64_t b = tagInt(input, static_cast(0xb7e151628aed2a6a)) >> 23;
-m_hash = a ^ b;
-return m_hash;
+uint64_t a = tagInt(instruction, makeDiversifier(0x12, index, currentValue));
+uint64_t b = tagInt(instruction, makeDiversifier(0x13, index, currentValue));
+return static_cast((a >> 39) ^ (b >> 23));
 }
 
+static ALWAYS_INLINE uint32_t bitsForDiversifier(void* diversifier)
+{
+return static_cast(bitwise_cast(diversifier));
+}
+
+ALWAYS_INLINE uint32_t currentHash(uint32_t index, void* diversifier)
+{
+uint64_t result;
+bool hashFieldIsTagged = index == 0;
+if (hashFieldIsTagged)
+result = untagInt(m_hash, makeDiversifier(initializationNamespace, index, bitsForDiversifier(diversifier)));
+else
+result = m_hash;
+return static_cast(result);
+}
+
+ALWAYS_INLINE void setUpdatedHash(uint32_t value, uint32_t index, void* diversifier)
+{
+bool shouldTagHashField = index == 0;
+if (shouldTagHashField)
+m_hash = tagInt(static_cast(value), makeDiversifier(initializationNamespace, index, bitsForDiversifier(diversifier)));
+else
+m_hash = value;
+}
+
+ARM64EHash(void* diversifier)
+{
+setUpdatedHash(0, 0, diversifier);
+}
+ 
+ALWAYS_INLINE uint32_t update(uint32_t instruction, uint32_t index, void* diversifier)
+{
+uint32_t currentHash = this->currentHash(index, diversifier);
+uint64_t nextIndex = index + 1;
+uint32_t output = nextValue(instruction, nextIndex, currentHash);
+setUpdatedHash(output, nextIndex, diversifier);
+return output;
+}
+
 private:
-
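Review bot: the comment line in `makeDiversifier` is empty; it should describe the layout (namespace tag in bits 56..63, the low byte of the index at bits 32..39, the 32-bit value in the low word) or be dropped. While there, note why `index & 0xFF` is acceptable: only the low byte of the instruction index enters the diversifier, so the per-instruction salt repeats every 256 instructions and it is the chaining through `currentValue` that keeps earlier instructions bound into the hash. Separately, `update` computes `nextIndex` as `uint64_t` but hands it to `setUpdatedHash(uint32_t value, uint32_t index, ...)` and `currentHash(uint32_t index, ...)`, while `nextValue` takes `uint64_t index`; pick one width for the index so there is no silent narrowing.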

[webkit-changes] [280216] trunk/JSTests

2021-07-22 Thread sbarati
Title: [280216] trunk/JSTests








Revision 280216
Author sbar...@apple.com
Date 2021-07-22 20:17:51 -0700 (Thu, 22 Jul 2021)


Log Message
JSTests/stress/test-out-of-memory shouldn't assume that we always OOM
https://bugs.webkit.org/show_bug.cgi?id=228213

Reviewed by Mark Lam.

* stress/test-out-of-memory.js:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/test-out-of-memory.js




Diff

Modified: trunk/JSTests/ChangeLog (280215 => 280216)

--- trunk/JSTests/ChangeLog	2021-07-23 03:17:00 UTC (rev 280215)
+++ trunk/JSTests/ChangeLog	2021-07-23 03:17:51 UTC (rev 280216)
@@ -1,3 +1,12 @@
+2021-07-22  Saam Barati  
+
+JSTests/stress/test-out-of-memory shouldn't assume that we always OOM
+https://bugs.webkit.org/show_bug.cgi?id=228213
+
+Reviewed by Mark Lam.
+
+* stress/test-out-of-memory.js:
+
 2021-07-22  Yusuke Suzuki  
 
 Reduce iteration of microbenchmarks/memcpy-typed-loop.js


Modified: trunk/JSTests/stress/test-out-of-memory.js (280215 => 280216)

--- trunk/JSTests/stress/test-out-of-memory.js	2021-07-23 03:17:00 UTC (rev 280215)
+++ trunk/JSTests/stress/test-out-of-memory.js	2021-07-23 03:17:51 UTC (rev 280216)
@@ -23,5 +23,5 @@
 exception = e;
 }
 
-if (exception != "RangeError: Out of memory")
+if (exception && exception != "RangeError: Out of memory")
 throw "FAILED";
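Review bot: the relaxed condition also treats a caught falsy value (for example a thrown `0` or empty string) as "no exception"; if the intent is "either no exception or exactly the OOM RangeError", initialising `exception` to `undefined` and testing `exception !== undefined` states that precisely, and a short comment saying why OOM is not guaranteed would help the next reader.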








[webkit-changes] [280198] trunk

2021-07-22 Thread sbarati
Title: [280198] trunk








Revision 280198
Author sbar...@apple.com
Date 2021-07-22 14:37:02 -0700 (Thu, 22 Jul 2021)


Log Message
AirStackSlot's uint16_t byte size is too small
https://bugs.webkit.org/show_bug.cgi?id=228193


Reviewed by Mark Lam.

JSTests:

* stress/stack-slot-needs-to-use-more-than-uint16.js: Added.

Source/_javascript_Core:

* b3/B3Procedure.cpp:
(JSC::B3::Procedure::addStackSlot):
* b3/B3Procedure.h:
* b3/air/AirCode.cpp:
(JSC::B3::Air::Code::addStackSlot):
* b3/air/AirCode.h:
* b3/air/AirStackSlot.cpp:
(JSC::B3::Air::StackSlot::StackSlot):
* b3/air/AirStackSlot.h:
(JSC::B3::Air::StackSlot::ensureSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::lockedStackSlot):
* ftl/FTLOutput.h:

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/b3/B3Procedure.cpp
trunk/Source/_javascript_Core/b3/B3Procedure.h
trunk/Source/_javascript_Core/b3/air/AirCode.cpp
trunk/Source/_javascript_Core/b3/air/AirCode.h
trunk/Source/_javascript_Core/b3/air/AirStackSlot.cpp
trunk/Source/_javascript_Core/b3/air/AirStackSlot.h
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/ftl/FTLOutput.cpp
trunk/Source/_javascript_Core/ftl/FTLOutput.h


Added Paths

trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js




Diff

Modified: trunk/JSTests/ChangeLog (280197 => 280198)

--- trunk/JSTests/ChangeLog	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/JSTests/ChangeLog	2021-07-22 21:37:02 UTC (rev 280198)
@@ -1,3 +1,13 @@
+2021-07-22  Saam Barati  
+
+AirStackSlot's uint16_t byte size is too small
+https://bugs.webkit.org/show_bug.cgi?id=228193
+
+
+Reviewed by Mark Lam.
+
+* stress/stack-slot-needs-to-use-more-than-uint16.js: Added.
+
 2021-07-20  Yusuke Suzuki  
 
 [JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance


Added: trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js (0 => 280198)

--- trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js	(rev 0)
+++ trunk/JSTests/stress/stack-slot-needs-to-use-more-than-uint16.js	2021-07-22 21:37:02 UTC (rev 280198)
@@ -0,0 +1,8 @@
+//@ skip if $buildType == "debug"
+
+let script = '_,'.repeat(5000);
+script += '';
+let g = new Function(script, 'if (0) g();');
+for (let i = 0; i < 1000; ++i) {
+  g(0);
+}
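Review bot: `script += '';` is a no-op and should be removed, or replaced with the final parameter name it appears to have been meant to append, since `'_,'.repeat(5000)` already ends in a trailing comma. The test also silently depends on sloppy-mode parsing (5000 duplicate `_` parameters and a trailing comma in the list); a header comment saying the goal is a frame whose stack slot needs a byte size larger than a `uint16_t` can hold, per the bug title, would make the intent of the 5000 parameters clear.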


Modified: trunk/Source/_javascript_Core/ChangeLog (280197 => 280198)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-22 21:37:02 UTC (rev 280198)
@@ -1,5 +1,29 @@
 2021-07-22  Saam Barati  
 
+AirStackSlot's uint16_t byte size is too small
+https://bugs.webkit.org/show_bug.cgi?id=228193
+
+
+Reviewed by Mark Lam.
+
+* b3/B3Procedure.cpp:
+(JSC::B3::Procedure::addStackSlot):
+* b3/B3Procedure.h:
+* b3/air/AirCode.cpp:
+(JSC::B3::Air::Code::addStackSlot):
+* b3/air/AirCode.h:
+* b3/air/AirStackSlot.cpp:
+(JSC::B3::Air::StackSlot::StackSlot):
+* b3/air/AirStackSlot.h:
+(JSC::B3::Air::StackSlot::ensureSize):
+* ftl/FTLLowerDFGToB3.cpp:
+(JSC::FTL::DFG::LowerDFGToB3::lower):
+* ftl/FTLOutput.cpp:
+(JSC::FTL::Output::lockedStackSlot):
+* ftl/FTLOutput.h:
+
+2021-07-22  Saam Barati  
+
 Fix uses of Dependency::fence with respect to the compiler outsmarting us
 https://bugs.webkit.org/show_bug.cgi?id=227757
 


Modified: trunk/Source/_javascript_Core/b3/B3Procedure.cpp (280197 => 280198)

--- trunk/Source/_javascript_Core/b3/B3Procedure.cpp	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/B3Procedure.cpp	2021-07-22 21:37:02 UTC (rev 280198)
@@ -73,7 +73,7 @@
 return result;
 }
 
-Air::StackSlot* Procedure::addStackSlot(unsigned byteSize)
+Air::StackSlot* Procedure::addStackSlot(uint64_t byteSize)
 {
 return m_code->addStackSlot(byteSize, Air::StackSlotKind::Locked);
 }
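Review bot: widening `byteSize` to `uint64_t` here only helps if `Air::Code::addStackSlot` and the size field inside `Air::StackSlot` (the `uint16_t` named in the title) are widened in the same patch; the AirCode.cpp hunk is truncated in this digest, so confirm the callee's parameter type matches, otherwise `return m_code->addStackSlot(byteSize, Air::StackSlotKind::Locked);` just moves the implicit narrowing one call deeper.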


Modified: trunk/Source/_javascript_Core/b3/B3Procedure.h (280197 => 280198)

--- trunk/Source/_javascript_Core/b3/B3Procedure.h	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/B3Procedure.h	2021-07-22 21:37:02 UTC (rev 280198)
@@ -114,7 +114,7 @@
 setBlockOrderImpl(blocks);
 }
 
-JS_EXPORT_PRIVATE Air::StackSlot* addStackSlot(unsigned byteSize);
+JS_EXPORT_PRIVATE Air::StackSlot* addStackSlot(uint64_t byteSize);
 JS_EXPORT_PRIVATE Variable* addVariable(Type);
 
 JS_EXPORT_PRIVATE Type addTuple(Vector&& types);


Modified: trunk/Source/_javascript_Core/b3/air/AirCode.cpp (280197 => 280198)

--- trunk/Source/_javascript_Core/b3/air/AirCode.cpp	2021-07-22 21:30:12 UTC (rev 280197)
+++ trunk/Source/_javascript_Core/b3/air/AirCode.cpp	2021-07-22 21:37:02 UTC (rev 280198)
@@ 

[webkit-changes] [280195] trunk/Source

2021-07-22 Thread sbarati
Title: [280195] trunk/Source








Revision 280195
Author sbar...@apple.com
Date 2021-07-22 13:05:09 -0700 (Thu, 22 Jul 2021)


Log Message
Fix uses of Dependency::fence with respect to the compiler outsmarting us
https://bugs.webkit.org/show_bug.cgi?id=227757


Reviewed by Robin Morisset.

Source/_javascript_Core:

We were running into issues on arm64 with respect to the memory model
ordering of loads, and how the compiler optimized code around Dependency::fence.
The issue manifested as calls to isMarked incorrectly returning true.

To see the issue, let's consider a program like this:
a = load(p1)
b = load(p2)
if (a != b) return;
d = Dependency::fence(b)

At the point of defining the dependency, the compiler has proven
a == b. So, instead of building the dependency on the register used
for b, we end up using the register for a. So the actual compiled
code ends up with a dependency on load(p1), not load(p2).

To fix this, we end up adding a new API, Dependency::loadAndFence(pointer,
result), which is defined as:

template<typename T>
static Dependency loadAndFence(T* pointer, T& output)
{
T value = *opaque(pointer);
Dependency dependency = Dependency::fence(value);
output = opaque(value);
return dependency;
}

The reason for this is that it splits "b" in the above program into two values,
and the "b" the program compares against is not known to the compiler to be
the same value that we build a dependency on.

* heap/MarkedBlock.h:
(JSC::MarkedBlock::aboutToMark):
(JSC::MarkedBlock::isMarked):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
* runtime/JSObject.h:
(JSC::JSObject::fencedButterfly):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayEntry::getConcurrently):
(JSC::SparseArrayEntry::getConcurrently const): Deleted.
* runtime/SparseArrayValueMap.h:
* runtime/Structure.h:
(JSC::Structure::fencedIndexingMode):
* runtime/StructureIDBlob.h:
(JSC::StructureIDBlob::fencedIndexingModeIncludingHistory):

Source/WTF:

* wtf/Atomics.h:
(WTF::opaque):
(WTF::Dependency::loadAndFence):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/heap/MarkedBlock.h
trunk/Source/_javascript_Core/runtime/JSObject.cpp
trunk/Source/_javascript_Core/runtime/JSObject.h
trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp
trunk/Source/_javascript_Core/runtime/Structure.h
trunk/Source/_javascript_Core/runtime/StructureIDBlob.h
trunk/Source/WTF/ChangeLog
trunk/Source/WTF/wtf/Atomics.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (280194 => 280195)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-22 20:04:10 UTC (rev 280194)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-22 20:05:09 UTC (rev 280195)
@@ -1,3 +1,58 @@
+2021-07-22  Saam Barati  
+
+Fix uses of Dependency::fence with respect to the compiler outsmarting us
+https://bugs.webkit.org/show_bug.cgi?id=227757
+
+
+Reviewed by Robin Morisset.
+
+We were running into issues on arm64 with respect to the memory model
+ordering of loads, and how the compiler optimized code around Dependency::fence.
+The issue manifested as calls to isMarked incorrectly returning true.
+
+To see the issue, let's consider a program like this:
+a = load(p1)
+b = load(p2)
+if (a != b) return;
+d = Dependency::fence(b)
+
+At the point of defining the dependency, the compiler has proven
+a == b. So, instead of building the dependency on the register used
+for b, we end up using the register for a. So the actual compiled
+code ends up with a dependency on load(p1), not load(p2).
+
+To fix this, we end up adding a new API, Dependency::loadEndFence(pointer,
+result), which is defined as:
+
+template
+static Dependency loadAndFence(T* pointer, T& output)
+{
+T value = *opaque(pointer);
+Dependency dependency = Dependency::fence(value);
+output = opaque(value);
+return dependency;
+}
+
+The reason for this is that it split "b" in the above program into two values,
+and the "b" the program compares against is not known to the compiler to be
+the same value that we build a dependency on.
+
+* heap/MarkedBlock.h:
+(JSC::MarkedBlock::aboutToMark):
+(JSC::MarkedBlock::isMarked):
+* runtime/JSObject.cpp:
+(JSC::JSObject::visitButterflyImpl):
+* runtime/JSObject.h:
+(JSC::JSObject::fencedButterfly):
+* runtime/SparseArrayValueMap.cpp:
+(JSC::SparseArrayEntry::getConcurrently):
+(JSC::SparseArrayEntry::getConcurrently const): Deleted.
+* runtime/SparseArrayValueMap.h:
+* runtime/Structure.h:
+(JSC::Structure::fencedIndexingMode):
+* runtime/StructureIDBlob.h:
+(JSC::StructureIDBlob::fencedIndexingModeIncludingHistory):
+
 
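Review bot: the ChangeLog names the new API `Dependency::loadEndFence(pointer, result)` but the definition quoted a few lines below is `loadAndFence`; fix the typo so a grep for the real name finds this entry. The `template` line has also lost its `<typename T>` in the listing and should be restored.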

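The loadAndFence pattern explained in the commit message above, as an added example that is not WebKit's code: a portable model of opaque() and Dependency (assuming a GCC/Clang compiler for the empty asm barrier; the arm64 eor-based hardware dependency is only modelled at the compiler level) applied to a constructed version-checked mark-bit read. Heap, Block, isMarkedConcurrently and runScenario are names invented for the example.

```cpp
#include <cstdint>
#include <cstring>

// opaque(): after the barrier the compiler must treat `value` as unknown, so it
// can no longer prove it equal to another register and substitute that one.
// Assumes GCC/Clang extended asm (hypothetical stand-in for WTF::opaque).
template<typename T>
inline T opaque(T value)
{
    asm volatile("" : "+r"(value));
    return value;
}

struct Dependency {
    uintptr_t value { 0 };

    // A zero that depends on `input`. WTF uses `eor x, x, x` on arm64 so the
    // hardware orders later loads after the load that produced `input`; this
    // portable model only preserves the chain against compiler rewriting.
    template<typename T>
    static Dependency fence(T input)
    {
        uintptr_t bits = 0;
        std::memcpy(&bits, &input, sizeof(input) < sizeof(bits) ? sizeof(input) : sizeof(bits));
        Dependency result;
        result.value = opaque(bits) ^ bits; // 0 at runtime, but not foldable to 0
        return result;
    }

    // The API added by the commit: the value handed back to the caller and the
    // value the dependency is built from pass through opaque() separately, so
    // the compiler cannot merge either with a register it has proven equal.
    template<typename T>
    static Dependency loadAndFence(T* pointer, T& output)
    {
        T value = *opaque(pointer);
        Dependency dependency = Dependency::fence(value);
        output = opaque(value);
        return dependency;
    }

    // Thread the dependency into a pointer so loads through it are ordered.
    template<typename T>
    T* consume(T* pointer) const
    {
        return reinterpret_cast<T*>(reinterpret_cast<uintptr_t>(pointer) + value);
    }
};

// Constructed stand-in for the MarkedBlock pattern behind isMarked: a block's
// mark bits are only meaningful while its version matches the heap's version.
struct Heap { uint32_t version; };
struct Block { uint32_t version; uint32_t markBits; };

// The buggy shape was `if (blockVersion != heapVersion) return false;` followed
// by `Dependency::fence(blockVersion)`: the compiler could pick heapVersion's
// register, tying the fence to the wrong load. loadAndFence keeps the load of
// block->version as the dependency source.
inline bool isMarkedConcurrently(Heap* heap, Block* block, unsigned bitIndex)
{
    uint32_t heapVersion = heap->version;
    uint32_t blockVersion = 0;
    Dependency dependency = Dependency::loadAndFence(&block->version, blockVersion);
    if (blockVersion != heapVersion)
        return false; // stale block: its mark bits are not trustworthy
    return (dependency.consume(block)->markBits >> bitIndex) & 1u;
}

// Small driver so the behaviour can be checked on constructed input.
inline bool runScenario(uint32_t heapVersion, uint32_t blockVersion, uint32_t markBits, unsigned bitIndex)
{
    Heap heap { heapVersion };
    Block block { blockVersion, markBits };
    return isMarkedConcurrently(&heap, &block, bitIndex);
}
```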
[webkit-changes] [280109] trunk/Tools

2021-07-20 Thread sbarati
Title: [280109] trunk/Tools








Revision 280109
Author sbar...@apple.com
Date 2021-07-20 15:55:56 -0700 (Tue, 20 Jul 2021)


Log Message
Don't run ftl-eager-no-cjit on debug builds
https://bugs.webkit.org/show_bug.cgi?id=228118

Reviewed by Mark Lam.

Many debug JSC stress tests time out intermittently. All I see are under
the ftl-eager-no-cjit mode.

* Scripts/run-jsc-stress-tests:

Modified Paths

trunk/Tools/ChangeLog
trunk/Tools/Scripts/run-jsc-stress-tests




Diff

Modified: trunk/Tools/ChangeLog (280108 => 280109)

--- trunk/Tools/ChangeLog	2021-07-20 22:07:55 UTC (rev 280108)
+++ trunk/Tools/ChangeLog	2021-07-20 22:55:56 UTC (rev 280109)
@@ -1,3 +1,15 @@
+2021-07-20  Saam Barati  
+
+Don't run ftl-eager-no-cjit on debug builds
+https://bugs.webkit.org/show_bug.cgi?id=228118
+
+Reviewed by Mark Lam.
+
+Many debug JSC stress tests time out intermittently. All I see are under
+the ftl-eager-no-cjit mode.
+
+* Scripts/run-jsc-stress-tests:
+
 2021-07-20  Ayumi Kojima  
 
 Adding myself to Contributors.json


Modified: trunk/Tools/Scripts/run-jsc-stress-tests (280108 => 280109)

--- trunk/Tools/Scripts/run-jsc-stress-tests	2021-07-20 22:07:55 UTC (rev 280108)
+++ trunk/Tools/Scripts/run-jsc-stress-tests	2021-07-20 22:55:56 UTC (rev 280109)
@@ -897,7 +897,7 @@
 
 runNoFTL
 runFTLEager
-runFTLEagerNoCJITValidate
+runFTLEagerNoCJITValidate if $buildType == "release"
 runFTLNoCJITSmallPool
 
 return if $mode == "basic"
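Review bot: the same `if $buildType == "release"` guard is pasted at three call sites of `runFTLEagerNoCJITValidate` in this patch; folding the check into that method (or a wrapper) means a fourth caller cannot forget it, and a comment citing the bug number would record why debug builds are excluded.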
@@ -937,7 +937,7 @@
 runFTLNoCJITNoPutStackValidate
 runFTLNoCJITNoInlineValidate
 runFTLEager
-runFTLEagerNoCJITValidate
+runFTLEagerNoCJITValidate if $buildType == "release"
 end
 end
 end
@@ -1008,7 +1008,7 @@
 runFTLNoCJITNoPutStackValidate
 runFTLNoCJITNoInlineValidate
 runFTLEager
-runFTLEagerNoCJITValidate
+runFTLEagerNoCJITValidate if $buildType == "release"
 runFTLNoCJITSmallPool
 end
 end








[webkit-changes] [280008] trunk

2021-07-16 Thread sbarati
Title: [280008] trunk








Revision 280008
Author sbar...@apple.com
Date 2021-07-16 16:40:00 -0700 (Fri, 16 Jul 2021)


Log Message
Grab the lock in FTL::Thunks::keyForSlowPathCallThunk
https://bugs.webkit.org/show_bug.cgi?id=227988


Reviewed by Mark Lam.

JSTests:

* stress/thunks-hash-map-should-grab-lock.js: Added.

Source/_javascript_Core:

Both FTL::Thunks::keyForSlowPathCallThunk and FTL::Thunks::getSlowPathCallThunk
touch the thunks hash map. In r278030, when I added the lock, I grabbed it
in getSlowPathCallThunk, but forgot to also grab it in keyForSlowPathCallThunk.

* ftl/FTLThunks.h:
(JSC::FTL::Thunks::keyForSlowPathCallThunk):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/ftl/FTLThunks.h


Added Paths

trunk/JSTests/stress/thunks-hash-map-should-grab-lock.js




Diff

Modified: trunk/JSTests/ChangeLog (280007 => 280008)

--- trunk/JSTests/ChangeLog	2021-07-16 23:23:44 UTC (rev 280007)
+++ trunk/JSTests/ChangeLog	2021-07-16 23:40:00 UTC (rev 280008)
@@ -1,3 +1,13 @@
+2021-07-16  Saam Barati  
+
+Grab the lock in FTL::Thunks::keyForSlowPathCallThunk
+https://bugs.webkit.org/show_bug.cgi?id=227988
+
+
+Reviewed by Mark Lam.
+
+* stress/thunks-hash-map-should-grab-lock.js: Added.
+
 2021-07-16  Yusuke Suzuki  
 
 [JSC] RegExp::dumpToStream must not ref Strings since it is called concurrently


Added: trunk/JSTests/stress/thunks-hash-map-should-grab-lock.js (0 => 280008)

--- trunk/JSTests/stress/thunks-hash-map-should-grab-lock.js	(rev 0)
+++ trunk/JSTests/stress/thunks-hash-map-should-grab-lock.js	2021-07-16 23:40:00 UTC (rev 280008)
@@ -0,0 +1,481 @@
+function main() {
+const v4 = [5330.006088804686];
+const v5 = [-1809859085,-1809859085,-1809859085];
+const v6 = [noInline,5330.006088804686,-1809859085,noInline,noInline,noInline,v4];
+const v7 = {};
+const v8 = v7.__proto__;
+function v9(v10,v11,v12) {
+const v13 = 1;
+}
+function v14(v15,v16,v17,v18) {
+function v19(v20,v21,v22) {
+const v23 = isConcatSpreadable;
+}
+const v24 = v9 | v16;
+switch (v18) {
+default:
+const v25 = 0;
+const v26 = 2;
+const v27 = 1;
+const v30 = {constructor:5330.006088804686,e:Int16Array,length:-1000.0};
+const v36 = [64562.579056559596,64562.579056559596,64562.579056559596];
+const v38 = [1.0,1.0];
+const v39 = [1.7976931348623157e+308,1.7976931348623157e+308,1.7976931348623157e+308];
+const v40 = [-2147483649,-2147483649,-2147483649];
+const v41 = [Symbol,"symbol",-2147483649,v39];
+function v42(v43,v44) {
+function v45(v46,v47) {
+}
+const v48 = 0;
+let v49 = -449638095;
+const v56 = [1098305835,1098305835,1098305835];
+const v57 = [3.0,v56,Uint8Array,100,v36,3.0,v40,1098305835,"f8bvzbzCeL"];
+for (let v60 = 0; v60 < 7; v60++) {
+v49 *= "symbol";
+}
+const v61 = 65537;
+const v62 = 100;
+}
+const v67 = [-100.0,-100.0];
+const v68 = [3];
+const v69 = [placeholder,"EPSILON",3,3,3,"EPSILON",v68,-100.0,-100.0,v67];
+const v70 = {a:-100.0,c:v67,constructor:3,length:3,toString:placeholder};
+const v71 = {b:"EPSILON",constructor:v70,toString:placeholder,valueOf:v70};
+function v72(v73,v74,v75) {
+return v74;
+return "EPSILON";
+}
+function v77(v78,...v79) {
+"9007199254740991".toString = v78;
+}
+function v80(v81,v82,v83) {
+const v85 = Object();
+const v86 = Object;
+}
+function v87(v88,v89) {
+const v92 = [-9007199254740993,-9007199254740993,-9007199254740993,Reflect];
+}
+function v93(v94,v95,v96,v97) {
+v95 *= -100.0;
+const v99 = Math.sinh(v87);
+const v100 = v96[-9007199254740993];
+const v101 = v99 in v69;
+const v104 = [2147483648,2147483648];
+let v107 = Array(1);
+const v113 = ["symbol"];
+const v114 = [Proxy,v113,Uint16Array,3905494558,v113,"65536",v107,3,v113,v104];
+"9007199254740991".c = Proxy;
+const v118 = [328474.42085578316];
+const v119 = 
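Review bot: this is a 481-line fuzzer-generated reproducer with no header comment; add a line stating that it exercises the missing lock in `FTL::Thunks::keyForSlowPathCallThunk` (bug 227988) so the file is not mistaken for noise, and consider reducing the case before landing, since a race reproducer this large is hard to keep meaningful as the surrounding code changes.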

[webkit-changes] [279845] trunk/JSTests

2021-07-12 Thread sbarati
Title: [279845] trunk/JSTests








Revision 279845
Author sbar...@apple.com
Date 2021-07-12 12:05:55 -0700 (Mon, 12 Jul 2021)


Log Message
Run some tests for fewer iterations to prevent test timeouts
https://bugs.webkit.org/show_bug.cgi?id=227879

Reviewed by Mark Lam.

* microbenchmarks/get-by-val-negative-array-index.js:
* microbenchmarks/memcpy-typed-loop-small.js:
* microbenchmarks/put-by-val-negative-array-index.js:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/microbenchmarks/get-by-val-negative-array-index.js
trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js
trunk/JSTests/microbenchmarks/put-by-val-negative-array-index.js




Diff

Modified: trunk/JSTests/ChangeLog (279844 => 279845)

--- trunk/JSTests/ChangeLog	2021-07-12 18:56:16 UTC (rev 279844)
+++ trunk/JSTests/ChangeLog	2021-07-12 19:05:55 UTC (rev 279845)
@@ -1,5 +1,16 @@
 2021-07-12  Saam Barati  
 
+Run some tests for fewer iterations to prevent test timeouts
+https://bugs.webkit.org/show_bug.cgi?id=227879
+
+Reviewed by Mark Lam.
+
+* microbenchmarks/get-by-val-negative-array-index.js:
+* microbenchmarks/memcpy-typed-loop-small.js:
+* microbenchmarks/put-by-val-negative-array-index.js:
+
+2021-07-12  Saam Barati  
+
 stress/wasm-loop-consistency.js should require the --useExecutableAllocationFuzz=false JSC option
 https://bugs.webkit.org/show_bug.cgi?id=227876
 


Modified: trunk/JSTests/microbenchmarks/get-by-val-negative-array-index.js (279844 => 279845)

--- trunk/JSTests/microbenchmarks/get-by-val-negative-array-index.js	2021-07-12 18:56:16 UTC (rev 279844)
+++ trunk/JSTests/microbenchmarks/get-by-val-negative-array-index.js	2021-07-12 19:05:55 UTC (rev 279845)
@@ -10,10 +10,10 @@
 noInline(foo);
 
 const arr = new Array(10).fill({});
-for (let i = 0; i < 1e6; i++) {
+for (let i = 0; i < 1e5; i++) {
 foo(arr, i % arr.length);
 }
-for (let i = 0; i < 1e6; i++) {
+for (let i = 0; i < 1e5; i++) {
 foo(arr, i % arr.length);
 if (!(i % arr.length))
 foo(arr, -1);


Modified: trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js (279844 => 279845)

--- trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js	2021-07-12 18:56:16 UTC (rev 279844)
+++ trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js	2021-07-12 19:05:55 UTC (rev 279845)
@@ -16,7 +16,7 @@
 arr1[i] = i
 }
 
-for (let i=0; i<1_000_000; ++i) doTest(arr1, arr2)
+for (let i=0; i<100_000; ++i) doTest(arr1, arr2)
 
 arr2 = new Int32Array(arr1.length)
 doTest(arr1, arr2)


Modified: trunk/JSTests/microbenchmarks/put-by-val-negative-array-index.js (279844 => 279845)

--- trunk/JSTests/microbenchmarks/put-by-val-negative-array-index.js	2021-07-12 18:56:16 UTC (rev 279844)
+++ trunk/JSTests/microbenchmarks/put-by-val-negative-array-index.js	2021-07-12 19:05:55 UTC (rev 279845)
@@ -11,10 +11,10 @@
 
 const arr = new Array(10).fill({});
 let result = 0;
-for (let i = 0; i < 1e6; i++) {
+for (let i = 0; i < 1e5; i++) {
 result += foo(arr, i % arr.length);
 }
-for (let i = 0; i < 1e6; i++) {
+for (let i = 0; i < 1e5; i++) {
 result += foo(arr, i % arr.length);
 if (!(i % arr.length))
 result += foo(arr, -1);








[webkit-changes] [279839] trunk/JSTests

2021-07-12 Thread sbarati
Title: [279839] trunk/JSTests








Revision 279839
Author sbar...@apple.com
Date 2021-07-12 11:02:45 -0700 (Mon, 12 Jul 2021)


Log Message
stress/wasm-loop-consistency.js should require the --useExecutableAllocationFuzz=false JSC option
https://bugs.webkit.org/show_bug.cgi?id=227876

Reviewed by Mark Lam.

* stress/wasm-loop-consistency.js:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/wasm-loop-consistency.js




Diff

Modified: trunk/JSTests/ChangeLog (279838 => 279839)

--- trunk/JSTests/ChangeLog	2021-07-12 17:59:36 UTC (rev 279838)
+++ trunk/JSTests/ChangeLog	2021-07-12 18:02:45 UTC (rev 279839)
@@ -1,3 +1,12 @@
+2021-07-12  Saam Barati  
+
+stress/wasm-loop-consistency.js should require the --useExecutableAllocationFuzz=false JSC option
+https://bugs.webkit.org/show_bug.cgi?id=227876
+
+Reviewed by Mark Lam.
+
+* stress/wasm-loop-consistency.js:
+
 2021-07-10  Yusuke Suzuki  
 
 [JSC] Update test262


Modified: trunk/JSTests/stress/wasm-loop-consistency.js (279838 => 279839)

--- trunk/JSTests/stress/wasm-loop-consistency.js	2021-07-12 17:59:36 UTC (rev 279838)
+++ trunk/JSTests/stress/wasm-loop-consistency.js	2021-07-12 18:02:45 UTC (rev 279839)
@@ -1,3 +1,4 @@
+//@ requireOptions("--useExecutableAllocationFuzz=false")
 // https://bugs.webkit.org/show_bug.cgi?id=226012
 if ($vm.isWasmSupported()) {
 // (module
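Review bot: the new `//@ requireOptions("--useExecutableAllocationFuzz=false")` directive should be followed by a short comment saying why the test cannot tolerate executable allocation fuzzing; as written a reader has to look up bug 227876 to learn the reason.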








[webkit-changes] [279813] trunk/Source/JavaScriptCore

2021-07-10 Thread sbarati
Title: [279813] trunk/Source/_javascript_Core








Revision 279813
Author sbar...@apple.com
Date 2021-07-10 18:27:40 -0700 (Sat, 10 Jul 2021)


Log Message
Continue to consult InlineAccess's Structure even after switching to a stub IC
https://bugs.webkit.org/show_bug.cgi?id=227785

Reviewed by Yusuke Suzuki.

This patch fixes a crash in: stress/class-subclassing-function.js

The bug is this:
1. We initialize a StructureStubInfo to be an inline self access doing a load based on structure S.
2. We transition to being a PolymorphicAccess based StructureStubInfo. But, we haven't
generated code yet. We're in the buffered state. So we are still running the inline access
from (1).  But the StructureStubInfo thinks it's a "Stub".
3. S is collected
4. We continue to run code from (1), because when we finalize the IC during GC, it
doesn't think it's an inline access.

The fix is to always track the structure S that we used when generating the inline
access, and to only stop tracking it once we've generated code for the Stub.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::fromStructureStubInfo):
(JSC::AccessCase::propagateTransitions const):
* bytecode/AccessCase.h:
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/InByStatus.cpp:
(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::propagateTransitions const):
* bytecode/PolymorphicAccess.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::initGetByIdSelf):
(JSC::StructureStubInfo::initPutByIdReplace):
(JSC::StructureStubInfo::initInByIdSelf):
(JSC::StructureStubInfo::addAccessCase):
(JSC::StructureStubInfo::reset):
(JSC::StructureStubInfo::visitWeakReferences):
(JSC::StructureStubInfo::propagateTransitions):
* bytecode/StructureStubInfo.h:

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/AccessCase.cpp
trunk/Source/_javascript_Core/bytecode/AccessCase.h
trunk/Source/_javascript_Core/bytecode/GetByStatus.cpp
trunk/Source/_javascript_Core/bytecode/InByStatus.cpp
trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp
trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.h
trunk/Source/_javascript_Core/bytecode/PutByIdStatus.cpp
trunk/Source/_javascript_Core/bytecode/StructureStubInfo.cpp
trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (279812 => 279813)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-11 01:27:31 UTC (rev 279812)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-11 01:27:40 UTC (rev 279813)
@@ -1,3 +1,47 @@
+2021-07-10  Saam Barati  
+
+Continue to consult InlineAccess's Structure even after switching to a stub IC
+https://bugs.webkit.org/show_bug.cgi?id=227785
+
+Reviewed by Yusuke Suzuki.
+
+This patch fixes a crash in: stress/class-subclassing-function.js
+
+The bug is this:
+1. We initialize a StructureStubInfo to be an inline self access doing a load based on structure S.
+2. We transition to being a PolymorphicAccess based StructureStubInfo. But, we haven't
+generated code yet. We're in the buffered state. So we are still running the inline access
+from (1).  But the StructureStubInfo thinks it's a "Stub".
+3. S is collected
+4. We continue to run code from (1), because when we finalize the IC during GC, it
+doesn't think it's an inline access.
+
+The fix is to always track the structure S that we used when generating the inline
+access, and to only stop tracking it once we've generated code for the Stub.
+
+* bytecode/AccessCase.cpp:
+(JSC::AccessCase::fromStructureStubInfo):
+(JSC::AccessCase::propagateTransitions const):
+* bytecode/AccessCase.h:
+* bytecode/GetByStatus.cpp:
+(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+* bytecode/InByStatus.cpp:
+(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
+* bytecode/PolymorphicAccess.cpp:
+(JSC::PolymorphicAccess::propagateTransitions const):
+* bytecode/PolymorphicAccess.h:
+* bytecode/PutByIdStatus.cpp:
+(JSC::PutByIdStatus::computeForStubInfo):
+* bytecode/StructureStubInfo.cpp:
+(JSC::StructureStubInfo::initGetByIdSelf):
+(JSC::StructureStubInfo::initPutByIdReplace):
+(JSC::StructureStubInfo::initInByIdSelf):
+(JSC::StructureStubInfo::addAccessCase):
+(JSC::StructureStubInfo::reset):
+(JSC::StructureStubInfo::visitWeakReferences):
+(JSC::StructureStubInfo::propagateTransitions):
+* bytecode/StructureStubInfo.h:
+
 2021-07-10  Yusuke Suzuki  
 
 [JSC] Workaround test262.report bug by making $ properties enumerable


Modified: 

[webkit-changes] [279707] trunk/Source/JavaScriptCore

2021-07-07 Thread sbarati
Title: [279707] trunk/Source/_javascript_Core








Revision 279707
Author sbar...@apple.com
Date 2021-07-07 19:20:51 -0700 (Wed, 07 Jul 2021)


Log Message
JSArrayBufferView::byteOffsetConcurrently has a race when using PAC
https://bugs.webkit.org/show_bug.cgi?id=227765

Reviewed by Mark Lam.

We were calling JSArrayBufferView::vector(), which does PAC validation
using the length() of the array. However, this can race with JSArrayBufferView::detach,
which sets the length to zero, leading to sadness on the compiler thread.

* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vectorWithoutPACValidation const):
* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::byteOffsetImpl):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h
trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (279706 => 279707)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-08 02:19:19 UTC (rev 279706)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-08 02:20:51 UTC (rev 279707)
@@ -1,3 +1,19 @@
+2021-07-07  Saam Barati  
+
+JSArrayBufferView::byteOffsetConcurrently has a race when using PAC
+https://bugs.webkit.org/show_bug.cgi?id=227765
+
+Reviewed by Mark Lam.
+
+We were calling JSArrayBufferView::vector(), which does PAC validation
+using the length() of the array. However, this can race with JSArrayBufferView::detach,
+which sets the length to zero, leading to sadness on the compiler thread.
+
+* runtime/JSArrayBufferView.h:
+(JSC::JSArrayBufferView::vectorWithoutPACValidation const):
+* runtime/JSArrayBufferViewInlines.h:
+(JSC::JSArrayBufferView::byteOffsetImpl):
+
 2021-07-07  Yusuke Suzuki  
 
 [JSC] Fix Object.assign fast path to accept undefined/null


Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h (279706 => 279707)

--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h	2021-07-08 02:19:19 UTC (rev 279706)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h	2021-07-08 02:20:51 UTC (rev 279707)
@@ -188,6 +188,7 @@
 
 bool hasVector() const { return !!m_vector; }
 void* vector() const { return m_vector.getMayBeNull(length()); }
+void* vectorWithoutPACValidation() const { return m_vector.getUnsafe(); }
 
 inline unsigned byteOffset();
 inline std::optional byteOffsetConcurrently();
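Review bot: the added `vectorWithoutPACValidation()` line needs a comment spelling out its contract: the pointer it returns comes from `getUnsafe()` and skips the check that `vector()` performs via `getMayBeNull(length())`, so it may be used as an operand of pointer arithmetic (its only use in this patch, in `byteOffsetImpl`) and must never be dereferenced. Without that note the shorter-looking accessor will eventually be picked up by a caller that does dereference it. Suggest, above the `+` line: `// Unauthenticated; only for pointer arithmetic, never for access.`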


Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h (279706 => 279707)

--- trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h	2021-07-08 02:19:19 UTC (rev 279706)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h	2021-07-08 02:20:51 UTC (rev 279707)
@@ -97,7 +97,7 @@
 }
 
 ptrdiff_t delta =
-bitwise_cast(vector()) - static_cast(buffer->data());
+bitwise_cast(vectorWithoutPACValidation()) - static_cast(buffer->data());
 
 unsigned result = static_cast(delta);
 if (requester == Mutator)
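Review bot: with the `+` line now subtracting from `vectorWithoutPACValidation()`, nothing in this hunk handles the case the race produces: a detach that has already run on the mutator leaves the subtraction operating on whatever `m_vector` holds at that moment, and the following `static_cast(delta)` to `unsigned` silently wraps a negative `ptrdiff_t`. Only `if (requester == Mutator)` is visible as context, so please confirm that the non-mutator branch returns nullopt for a detached view (or that callers check `hasVector()` first) rather than handing a wrapped offset to the compiler thread.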

___
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

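The race described in the log message above, modelled in a single thread. This is an added example and not code from WebKit: `LengthTaggedPtr` is a constructed stand-in for the PAC-signed vector pointer (a length-derived tag in the high 16 bits instead of a real pointer-authentication code), and `ModelView`, its `detach()` and the two byte-offset functions are simplified models of the JSArrayBufferView members the hunks name. It shows that validating the pointer against `length()` fails once a detach has zeroed the length, while stripping the tag without validation still yields a value that is correct as an operand of pointer subtraction.

```cpp
// Added example, not WebKit code: a single-threaded model of the race in
// JSArrayBufferView::byteOffsetConcurrently. LengthTaggedPtr is a constructed
// stand-in for the PAC-signed vector pointer; ModelView models the few
// JSArrayBufferView fields the race touches.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

static_assert(sizeof(void*) == 8, "model assumes 64-bit, canonical user-space pointers");

class LengthTaggedPtr {
public:
    // "Sign" the pointer with a tag derived from the length it was created with.
    LengthTaggedPtr(void* ptr, unsigned length)
        : m_bits((reinterpret_cast<std::uintptr_t>(ptr) & ~kTagMask) | tagFor(length)) {}

    // Mirrors getMayBeNull(length): the read succeeds only if the caller's
    // length matches the one the pointer was tagged with.
    std::optional<void*> getMayBeNull(unsigned length) const {
        if ((m_bits & kTagMask) != tagFor(length))
            return std::nullopt; // real PAC: authentication failure, a crash
        return reinterpret_cast<void*>(m_bits & ~kTagMask);
    }

    // Mirrors getUnsafe(): strip the tag without checking it. The result is
    // fine as an operand of pointer subtraction but must never be dereferenced.
    void* getUnsafe() const { return reinterpret_cast<void*>(m_bits & ~kTagMask); }

private:
    static constexpr std::uintptr_t kTagMask = static_cast<std::uintptr_t>(0xffff) << 48;
    static std::uintptr_t tagFor(unsigned length) {
        // Constructed hash: any length-dependent 16-bit value serves the model.
        return static_cast<std::uintptr_t>((length * 2654435761u + 1) & 0xffffu) << 48;
    }
    std::uintptr_t m_bits;
};

struct ModelView {
    std::vector<std::int32_t> backingStore; // stands in for the ArrayBuffer's storage
    unsigned length;                        // the field detach() zeroes
    LengthTaggedPtr m_vector;               // tagged with the original length

    ModelView(unsigned elements, unsigned offsetElements)
        : backingStore(elements + offsetElements)
        , length(elements)
        , m_vector(backingStore.data() + offsetElements, elements) {}

    void detach() { length = 0; } // the part of detach() the race involves

    // Pre-fix path: validate against the current length, then subtract.
    std::optional<std::ptrdiff_t> byteOffsetValidated() const {
        std::optional<void*> p = m_vector.getMayBeNull(length);
        if (!p)
            return std::nullopt;
        return static_cast<const char*>(*p) - reinterpret_cast<const char*>(backingStore.data());
    }

    // Post-fix path: the unvalidated pointer is only ever an arithmetic operand.
    std::ptrdiff_t byteOffsetUnvalidated() const {
        return static_cast<const char*>(m_vector.getUnsafe())
            - reinterpret_cast<const char*>(backingStore.data());
    }
};

struct RaceOutcome {
    std::optional<std::ptrdiff_t> validatedBeforeDetach;
    std::optional<std::ptrdiff_t> validatedAfterDetach;
    std::ptrdiff_t unvalidatedAfterDetach = 0;
};

// The interleaving from the log, run sequentially: the compiler thread reads
// after the mutator has set length to zero.
RaceOutcome simulateRace() {
    ModelView view(15, 4); // 15 int32 elements, starting 4 elements (16 bytes) into the buffer
    RaceOutcome out;
    out.validatedBeforeDetach = view.byteOffsetValidated();    // 16
    view.detach();                                             // mutator: length = 0
    out.validatedAfterDetach = view.byteOffsetValidated();     // nullopt: tag mismatch
    out.unvalidatedAfterDetach = view.byteOffsetUnvalidated(); // still 16
    return out;
}
```

The model deliberately leaves `m_vector` untouched on detach, because the log only mentions the length going to zero; the point is that the tag check is keyed on a field another thread can change, whereas the subtraction never needs the pointer to be authenticated.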

[webkit-changes] [279620] trunk/JSTests

2021-07-06 Thread sbarati
Title: [279620] trunk/JSTests

Revision 279620
Author sbar...@apple.com
Date 2021-07-06 14:12:55 -0700 (Tue, 06 Jul 2021)


Log Message
Run microbenchmarks/memcpy-typed-loop-small.js for fewer iterations to avoid timeouts
https://bugs.webkit.org/show_bug.cgi?id=227717

Reviewed by Robin Morisset.

* microbenchmarks/memcpy-typed-loop-small.js:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js




Diff

Modified: trunk/JSTests/ChangeLog (279619 => 279620)

--- trunk/JSTests/ChangeLog	2021-07-06 21:05:44 UTC (rev 279619)
+++ trunk/JSTests/ChangeLog	2021-07-06 21:12:55 UTC (rev 279620)
@@ -1,3 +1,12 @@
+2021-07-06  Saam Barati  
+
+Run microbenchmarks/memcpy-typed-loop-small.js for fewer iterations to avoid timeouts
+https://bugs.webkit.org/show_bug.cgi?id=227717
+
+Reviewed by Robin Morisset.
+
+* microbenchmarks/memcpy-typed-loop-small.js:
+
 2021-07-05  Yusuke Suzuki  
 
 [JSC] Optimize Object.assign and putDirectInternal


Modified: trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js (279619 => 279620)

--- trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js	2021-07-06 21:05:44 UTC (rev 279619)
+++ trunk/JSTests/microbenchmarks/memcpy-typed-loop-small.js	2021-07-06 21:12:55 UTC (rev 279620)
@@ -16,7 +16,7 @@
 arr1[i] = i
 }
 
-for (let i=0; i<5000; ++i) doTest(arr1, arr2)
+for (let i=0; i<1_000_000; ++i) doTest(arr1, arr2)
 
 arr2 = new Int32Array(arr1.length)
 doTest(arr1, arr2)
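Review bot: the bound on the `+` line rises from 5000 to 1_000_000 while the commit title says the benchmark is being run for fewer iterations to avoid timeouts; one of the two is backwards. Please confirm which count actually landed and correct either the loop bound or the log so the ChangeLog entry above describes the change.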


[webkit-changes] [279449] trunk

2021-07-01 Thread sbarati
Title: [279449] trunk

Revision 279449
Author sbar...@apple.com
Date 2021-06-30 23:07:33 -0700 (Wed, 30 Jun 2021)


Log Message
Turn off data ICs by default
https://bugs.webkit.org/show_bug.cgi?id=227334


Reviewed by Yusuke Suzuki.

JSTests:

* microbenchmarks/deltablue-varargs.js:
* microbenchmarks/richards-try-catch.js:

Source/_javascript_Core:

There are GC crashes that are caused by access data IC sharing. This
patch is both turning off data IC sharing by default, and turning off data
ICs by default.

We should re-enable this once we figure out the issue:
https://bugs.webkit.org/show_bug.cgi?id=227551

Some of our testing modes are still running with data ICs on, so the code doesn't
bit rot. And a select few tests are running with data IC sharing on, for
similar reasons, even though we know it has issues. If those tests start
crashing, we'll just disable sharing completely until the issue is resolved.

* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* runtime/OptionsList.h:

Tools:

* Scripts/run-jsc-stress-tests:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/microbenchmarks/deltablue-varargs.js
trunk/JSTests/microbenchmarks/richards-try-catch.js
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp
trunk/Source/_javascript_Core/runtime/OptionsList.h
trunk/Tools/ChangeLog
trunk/Tools/Scripts/run-jsc-stress-tests




Diff

Modified: trunk/JSTests/ChangeLog (279448 => 279449)

--- trunk/JSTests/ChangeLog	2021-07-01 02:12:20 UTC (rev 279448)
+++ trunk/JSTests/ChangeLog	2021-07-01 06:07:33 UTC (rev 279449)
@@ -1,3 +1,14 @@
+2021-06-30  Saam Barati  
+
+Turn off data ICs by default
+https://bugs.webkit.org/show_bug.cgi?id=227334
+
+
+Reviewed by Yusuke Suzuki.
+
+* microbenchmarks/deltablue-varargs.js:
+* microbenchmarks/richards-try-catch.js:
+
 2021-06-30  Yusuke Suzuki  
 
 [JSC] Stop generating default parameter code if class constructor is called without 'new'


Modified: trunk/JSTests/microbenchmarks/deltablue-varargs.js (279448 => 279449)

--- trunk/JSTests/microbenchmarks/deltablue-varargs.js	2021-07-01 02:12:20 UTC (rev 279448)
+++ trunk/JSTests/microbenchmarks/deltablue-varargs.js	2021-07-01 06:07:33 UTC (rev 279449)
@@ -1,4 +1,6 @@
 //@ skip if $model == "Apple Watch Series 3" # added by mark-jsc-stress-test.py
+//@ requireOptions("--useDataIC=true", "--useDataICSharing=true")
+
 // Copyright 2008 the V8 project authors. All rights reserved.
 // Copyright 1996 John Maloney and Mario Wolczko.
 
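Review bot: the added `//@ requireOptions("--useDataIC=true", "--useDataICSharing=true")` line deliberately keeps this benchmark on the sharing mode the log describes as having known GC crashes (bug 227551). A one-line comment beside the directive saying so would let whoever triages a crash here attribute it to the known issue instead of to the benchmark. The blank line added after the directive is fine; it separates the test directives from the copyright header.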


Modified: trunk/JSTests/microbenchmarks/richards-try-catch.js (279448 => 279449)

--- trunk/JSTests/microbenchmarks/richards-try-catch.js	2021-07-01 02:12:20 UTC (rev 279448)
+++ trunk/JSTests/microbenchmarks/richards-try-catch.js	2021-07-01 06:07:33 UTC (rev 279449)
@@ -1,4 +1,6 @@
 //@ skip if $model == "Apple Watch Series 3" # added by mark-jsc-stress-test.py
+//@ requireOptions("--useDataIC=true", "--useDataICSharing=true")
+
 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
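Review bot: same concern about the `//@ requireOptions` directive as in the deltablue-varargs.js hunk of this patch: it opts into `--useDataICSharing=true`, which the log says is known to crash, with nothing next to it recording that a failure here is expected to be bug 227551 rather than a regression. A short comment on the line after the directive would do.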


Modified: trunk/Source/_javascript_Core/ChangeLog (279448 => 279449)

--- trunk/Source/_javascript_Core/ChangeLog	2021-07-01 02:12:20 UTC (rev 279448)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-07-01 06:07:33 UTC (rev 279449)
@@ -1,3 +1,27 @@
+2021-06-30  Saam Barati  
+
+Turn off data ICs by default
+https://bugs.webkit.org/show_bug.cgi?id=227334
+
+
+Reviewed by Yusuke Suzuki.
+
+There are GC crashes that are caused by access data IC sharing. This
+patch is both turning off data IC sharing by default, and turning off data
+ICs by default.
+
+We should re-enable this once we figure out the issue:
+https://bugs.webkit.org/show_bug.cgi?id=227551
+
+Some of our testing modes are still running with data ICs on, so the code doesn't
+bit rot. And a select few tests are running with data IC sharing on, for
+similar reasons, even though we know it has issues. If those tests start
+crashing, we'll just disable sharing completely until the issue is resolved.
+
+* bytecode/PolymorphicAccess.cpp:
+(JSC::PolymorphicAccess::regenerate):
+* runtime/OptionsList.h:
+
 2021-06-30  Yusuke Suzuki  
 
 [JSC] Stop generating default parameter code if class constructor is called without 'new'


Modified: trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp (279448 => 279449)

--- trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp	2021-07-01 02:12:20 UTC (rev 279448)
+++ trunk/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp	2021-07-01 06:07:33 UTC (rev 279449)
@@ -522,7 +522,7 @@
 
 bool doesCalls = false;
 bool doesJSGetterSetterCalls = false;
-bool 

[webkit-changes] [279177] trunk/JSTests

2021-06-23 Thread sbarati
Title: [279177] trunk/JSTests

Revision 279177
Author sbar...@apple.com
Date 2021-06-23 11:49:44 -0700 (Wed, 23 Jun 2021)


Log Message
Bound stress/put-by-id-flags with a fixed number of iterations
https://bugs.webkit.org/show_bug.cgi?id=227305

Reviewed by Mark Lam.

* stress/put-by-id-flags.js:
(numberOfDFGCompiles): Deleted.

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/put-by-id-flags.js




Diff

Modified: trunk/JSTests/ChangeLog (279176 => 279177)

--- trunk/JSTests/ChangeLog	2021-06-23 18:38:56 UTC (rev 279176)
+++ trunk/JSTests/ChangeLog	2021-06-23 18:49:44 UTC (rev 279177)
@@ -1,5 +1,15 @@
 2021-06-23  Saam Barati  
 
+Bound stress/put-by-id-flags with a fixed number of iterations
+https://bugs.webkit.org/show_bug.cgi?id=227305
+
+Reviewed by Mark Lam.
+
+* stress/put-by-id-flags.js:
+(numberOfDFGCompiles): Deleted.
+
+2021-06-23  Saam Barati  
+
 Run typedarray-intrinsic-getters-change-prototype for a fixed set of iterations
 https://bugs.webkit.org/show_bug.cgi?id=227304
 


Modified: trunk/JSTests/stress/put-by-id-flags.js (279176 => 279177)

--- trunk/JSTests/stress/put-by-id-flags.js	2021-06-23 18:38:56 UTC (rev 279176)
+++ trunk/JSTests/stress/put-by-id-flags.js	2021-06-23 18:49:44 UTC (rev 279177)
@@ -13,10 +13,12 @@
 f(x, 42);
 f(y, {});
 
-while (!numberOfDFGCompiles(g)) {
+for (let i = 0; i < 1000; ++i) {
 optimizeNextInvocation(g);
 if (typeof g(x) !== 'number')
 throw 'failed warming up';
+if (numberOfDFGCompiles(g))
+break;
 }
 
 if (typeof g(y) !== 'string')
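Review bot: the new `for (let i = 0; i < 1000; ++i)` loop with the `numberOfDFGCompiles(g)` break fixes the unbounded spin, but when no DFG compile happens within 1000 iterations the test falls through to `g(y)` having exercised only the lower tiers, and passes without covering the put-by-id flags path it is named for. Consider recording that case after the loop, for example by throwing or printing a skip marker when `numberOfDFGCompiles(g)` is still zero, so a silent loss of coverage is visible in the results.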


[webkit-changes] [279175] trunk/JSTests

2021-06-23 Thread sbarati
Title: [279175] trunk/JSTests

Revision 279175
Author sbar...@apple.com
Date 2021-06-23 11:34:02 -0700 (Wed, 23 Jun 2021)


Log Message
Run typedarray-intrinsic-getters-change-prototype for a fixed set of iterations
https://bugs.webkit.org/show_bug.cgi?id=227304

Reviewed by Mark Lam.

* stress/typedarray-intrinsic-getters-change-prototype.js:
(body):

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/typedarray-intrinsic-getters-change-prototype.js




Diff

Modified: trunk/JSTests/ChangeLog (279174 => 279175)

--- trunk/JSTests/ChangeLog	2021-06-23 17:42:05 UTC (rev 279174)
+++ trunk/JSTests/ChangeLog	2021-06-23 18:34:02 UTC (rev 279175)
@@ -1,3 +1,13 @@
+2021-06-23  Saam Barati  
+
+Run typedarray-intrinsic-getters-change-prototype for a fixed set of iterations
+https://bugs.webkit.org/show_bug.cgi?id=227304
+
+Reviewed by Mark Lam.
+
+* stress/typedarray-intrinsic-getters-change-prototype.js:
+(body):
+
 2021-06-22  Saam Barati  
 
 Don't assume stress/out-of-memory-while-constructing-BytecodeGenerator.js will OOM


Modified: trunk/JSTests/stress/typedarray-intrinsic-getters-change-prototype.js (279174 => 279175)

--- trunk/JSTests/stress/typedarray-intrinsic-getters-change-prototype.js	2021-06-23 17:42:05 UTC (rev 279174)
+++ trunk/JSTests/stress/typedarray-intrinsic-getters-change-prototype.js	2021-06-23 18:34:02 UTC (rev 279175)
@@ -18,7 +18,7 @@
 
 let array = new Int32Array(15);
 
-while(numberOfDFGCompiles(foo) < 1) {
+for (let i = 0; i < 5000; ++i) {
 foo(array);
 bar(array);
 baz(array);
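Review bot: the replacement `for (let i = 0; i < 5000; ++i)` drops the `numberOfDFGCompiles(foo) < 1` condition entirely instead of keeping it as an early exit, so every run pays the full 5000 iterations and, if the compile has not happened by then, whatever follows the loop runs against an unoptimized `foo`. Keeping `if (numberOfDFGCompiles(foo)) break;` inside the loop body bounds the test without giving up the check that the DFG path was actually reached.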


[webkit-changes] [279167] trunk/Source/JavaScriptCore

2021-06-23 Thread sbarati
Title: [279167] trunk/Source/_javascript_Core

Revision 279167
Author sbar...@apple.com
Date 2021-06-23 08:20:13 -0700 (Wed, 23 Jun 2021)


Log Message
Run lazy properties initializers under a DeferTerminationForAWhile scope
https://bugs.webkit.org/show_bug.cgi?id=227271

Reviewed by Mark Lam.

We don't expect that exceptions can be thrown when initializing
a lazy property. Termination exceptions were preventing this from
being true. The latest example found is inside JSModuleLoader when
it asserts that no exception is thrown when creating its JSMap field.
This patch makes it so termination exceptions can't be thrown when
running lazy property initializers.

* runtime/LazyPropertyInlines.h:
(JSC::ElementType>::initLater):
(JSC::ElementType>::callFunc):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/LazyPropertyInlines.h




Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (279166 => 279167)

--- trunk/Source/_javascript_Core/ChangeLog	2021-06-23 06:34:31 UTC (rev 279166)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-06-23 15:20:13 UTC (rev 279167)
@@ -1,3 +1,21 @@
+2021-06-23  Saam Barati  
+
+Run lazy properties initializers under a DeferTerminationForAWhile scope
+https://bugs.webkit.org/show_bug.cgi?id=227271
+
+Reviewed by Mark Lam.
+
+We don't expect that exceptions can be thrown when initializing 
+a lazy property. Termination exceptions were preventing this from
+being true. The latest example found is inside JSModuleLoader when
+it asserts that no exception is thrown when creating its JSMap field.
+This patch makes it so termination exceptions can't be thrown when
+running lazy property initializers.
+
+* runtime/LazyPropertyInlines.h:
+(JSC::ElementType>::initLater):
+(JSC::ElementType>::callFunc):
+
 2021-06-22  Yijia Huang  
 
 Add a new pattern to instruction selector to utilize SMADDL supported by ARM64


Modified: trunk/Source/_javascript_Core/runtime/LazyPropertyInlines.h (279166 => 279167)

--- trunk/Source/_javascript_Core/runtime/LazyPropertyInlines.h	2021-06-23 06:34:31 UTC (rev 279166)
+++ trunk/Source/_javascript_Core/runtime/LazyPropertyInlines.h	2021-06-23 15:20:13 UTC (rev 279167)
@@ -25,7 +25,9 @@
 
 #pragma once
 
+#include "DeferTermination.h"
 #include "Heap.h"
+#include "VMTraps.h"
 #include 
 
 namespace JSC {
@@ -46,7 +48,7 @@
 // may be used for things. We address this problem by indirecting through a global const
 // variable. The "theFunc" variable is guaranteed to be native-aligned, i.e. at least a
 // multiple of 4.
-static const FuncType theFunc = callFunc;
+static const FuncType theFunc = ;
 m_pointer = lazyTag | bitwise_cast();
 }
 
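Review bot: the `+` line reads `static const FuncType theFunc = ;`, an empty initializer, as rendered here, so the change cannot be reviewed from this hunk; most likely the archive stripped an expression containing angle brackets (explicit template arguments on `callFunc`), the same way `bitwise_cast()` on the next context line has lost its type argument. Please confirm the committed line yields a function pointer of type `FuncType` with the alignment the comment above it relies on.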
@@ -95,15 +97,12 @@
 {
 if (initializer.property.m_pointer & initializingTag)
 return nullptr;
+
+DeferTerminationForAWhile deferTerminationForAWhile { initializer.vm };
 initializer.property.m_pointer |= initializingTag;
 callStatelessLambda(initializer);
-if (UNLIKELY(initializer.property.m_pointer & initializingTag)) {
-VM& vm = initializer.vm;
-RELEASE_ASSERT(vm.hasPendingTerminationException());
-RELEASE_ASSERT(initializer.property.m_pointer & lazyTag);
-return nullptr;
-}
 RELEASE_ASSERT(!(initializer.property.m_pointer & lazyTag));
+RELEASE_ASSERT(!(initializer.property.m_pointer & initializingTag));
 return bitwise_cast(initializer.property.m_pointer);
 }
 
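Review bot: deleting the `if (UNLIKELY(initializer.property.m_pointer & initializingTag))` block and adding `RELEASE_ASSERT(!(initializer.property.m_pointer & initializingTag))` turns a state the code used to handle (the initializer bailed out on a termination exception and left the tag set) into a crash. That is sound only if the new `DeferTerminationForAWhile` scope removes the single reason an initializer could have left the tag set; a comment on the assert stating that invariant ("initializers cannot throw; termination is deferred for this scope") would document why nullptr is no longer a possible result here. The ordering is right: the scope object is constructed before the tag is set and destroyed after the asserts, so a deferred termination surfaces only after the property is fully installed.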


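A model of the initialization protocol in the `callFunc` hunk above with the termination deferral in place. This is an added example and not WebKit code: `ModelVM`, `Payload` and the interrupted initializer are constructed for the model, while the `lazyTag`/`initializingTag` bit layout, the `DeferTerminationForAWhile` scope and the two release assertions follow the hunk. It shows that a termination requested while the initializer runs is held until the scope ends, so control never returns to `callFunc` with `initializingTag` still set, which is what makes the removed early-return block unreachable.

```cpp
// Added example, not WebKit code: a model of LazyProperty::callFunc with the
// DeferTerminationForAWhile scope from the hunk. ModelVM, Payload and the
// initializer are constructed for the model.
#include <cassert>
#include <cstdint>

struct ModelVM {
    bool terminationRequested = false;        // e.g. a watchdog asked the VM to stop
    unsigned deferDepth = 0;                  // > 0 while a deferral scope is live
    bool pendingTerminationException = false; // what the real VM would throw

    // The point where the VM would normally turn a request into an exception.
    void requestTermination() {
        terminationRequested = true;
        if (deferDepth == 0)
            pendingTerminationException = true;
    }
};

// RAII scope: while alive, termination requests are recorded but not raised.
struct DeferTerminationForAWhile {
    ModelVM& vm;
    explicit DeferTerminationForAWhile(ModelVM& v) : vm(v) { ++vm.deferDepth; }
    ~DeferTerminationForAWhile() {
        if (--vm.deferDepth == 0 && vm.terminationRequested)
            vm.pendingTerminationException = true; // the deferred request fires now
    }
};

struct Payload { int value; };
using InitFunc = Payload* (*)(ModelVM&);

class LazyProperty {
public:
    static constexpr std::uintptr_t lazyTag = 1;         // not yet initialized
    static constexpr std::uintptr_t initializingTag = 2; // initializer currently running

    explicit LazyProperty(InitFunc func) : m_func(func), m_pointer(lazyTag) {}

    Payload* get(ModelVM& vm) {
        if (!(m_pointer & lazyTag))
            return reinterpret_cast<Payload*>(m_pointer);
        return callFunc(vm);
    }
    bool isInitialized() const { return !(m_pointer & lazyTag); }

private:
    Payload* callFunc(ModelVM& vm) {
        if (m_pointer & initializingTag)
            return nullptr; // re-entrant request while initializing

        DeferTerminationForAWhile deferTerminationForAWhile { vm };
        m_pointer |= initializingTag;
        Payload* result = m_func(vm); // stands in for callStatelessLambda
        // The real initializer's set() stores the value, clearing both tags.
        m_pointer = reinterpret_cast<std::uintptr_t>(result);
        // The two release assertions from the hunk: with termination deferred,
        // the initializer cannot have bailed out leaving either tag set.
        assert(!(m_pointer & lazyTag));
        assert(!(m_pointer & initializingTag));
        return result;
        // deferTerminationForAWhile is destroyed here, after the value is installed.
    }

    InitFunc m_func;
    std::uintptr_t m_pointer;
};

static Payload g_payload { 42 };
static bool g_exceptionVisibleInsideInitializer = false;

// Constructed initializer during which a termination request arrives.
static Payload* interruptedInitializer(ModelVM& vm) {
    vm.requestTermination();
    g_exceptionVisibleInsideInitializer = vm.pendingTerminationException;
    return &g_payload;
}

struct Outcome {
    bool initialized;
    bool exceptionDuringInit; // would be true without the deferral scope
    bool exceptionAfterInit;  // the deferred termination surfaces here
    int value;
};

Outcome runInterruptedInit() {
    ModelVM vm;
    LazyProperty property(interruptedInitializer);
    Payload* p = property.get(vm);
    return { property.isInitialized(), g_exceptionVisibleInsideInitializer,
             vm.pendingTerminationException, p ? p->value : -1 };
}
```

The deferral scope is declared before `initializingTag` is set and destroyed after the assertions, so the termination that arrived mid-initialization is only observable once the property holds a valid pointer; that ordering is what the reviewer should check in the real hunk.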
[webkit-changes] [279132] trunk/JSTests

2021-06-22 Thread sbarati
Title: [279132] trunk/JSTests

Revision 279132
Author sbar...@apple.com
Date 2021-06-22 11:48:07 -0700 (Tue, 22 Jun 2021)


Log Message
Don't assume stress/out-of-memory-while-constructing-BytecodeGenerator.js will OOM
https://bugs.webkit.org/show_bug.cgi?id=227263

Reviewed by Yusuke Suzuki.

* stress/out-of-memory-while-constructing-BytecodeGenerator.js:

Modified Paths

trunk/JSTests/ChangeLog
trunk/JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js




Diff

Modified: trunk/JSTests/ChangeLog (279131 => 279132)

--- trunk/JSTests/ChangeLog	2021-06-22 18:44:45 UTC (rev 279131)
+++ trunk/JSTests/ChangeLog	2021-06-22 18:48:07 UTC (rev 279132)
@@ -1,5 +1,14 @@
 2021-06-22  Saam Barati  
 
+Don't assume stress/out-of-memory-while-constructing-BytecodeGenerator.js will OOM
+https://bugs.webkit.org/show_bug.cgi?id=227263
+
+Reviewed by Yusuke Suzuki.
+
+* stress/out-of-memory-while-constructing-BytecodeGenerator.js:
+
+2021-06-22  Saam Barati  
+
 Run detach-buffer-during-iteration for fewer iterations
 https://bugs.webkit.org/show_bug.cgi?id=227262
 


Modified: trunk/JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js (279131 => 279132)

--- trunk/JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js	2021-06-22 18:44:45 UTC (rev 279131)
+++ trunk/JSTests/stress/out-of-memory-while-constructing-BytecodeGenerator.js	2021-06-22 18:48:07 UTC (rev 279132)
@@ -29,5 +29,5 @@
 exception = e;
 }
 
-if (exception != "RangeError: Out of memory")
+if (exception && exception != "RangeError: Out of memory")
 throw "FAIL";
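Review bot: the `+` line makes the test pass when `exception` is falsy, i.e. when the allocation never failed, which is the stated intent; but the remaining `exception != "RangeError: Out of memory"` still depends on the thrown value stringifying to exactly that text, so any other wording or a non-RangeError is reported only as `throw "FAIL"` with no detail. Consider `exception instanceof RangeError` for the check, and including `String(exception)` in the thrown message so a genuine failure is diagnosable.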
