[webkit-changes] [240248] trunk
Title: [240248] trunk Revision 240248 Author yusukesuz...@slowstart.org Date 2019-01-21 21:28:35 -0800 (Mon, 21 Jan 2019) Log Message Unreviewed, roll out r240220 due to date-format-xparb regression https://bugs.webkit.org/show_bug.cgi?id=193603 JSTests: * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: * stress/scope-operation-cache-global-property-before-deleting.js: Removed. * stress/scope-operation-cache-global-property-bump-counter.js: Removed. * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed. Source/_javascript_Core: * bytecode/BytecodeList.rb: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::notifyLexicalBindingShadowing): (JSC::CodeBlock::notifyLexicalBindingUpdate): Deleted. * bytecode/CodeBlock.h: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGDesiredGlobalProperties.cpp: (JSC::DFG::DesiredGlobalProperties::isStillValidOnMainThread): * dfg/DFGDesiredGlobalProperties.h: * dfg/DFGGraph.cpp: (JSC::DFG::Graph::watchGlobalProperty): Deleted. * dfg/DFGGraph.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::isStillValidOnMainThread): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_resolve_scope): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_resolve_scope): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::notifyLexicalBindingShadowing): (JSC::JSGlobalObject::getReferencedPropertyWatchpointSet): (JSC::JSGlobalObject::ensureReferencedPropertyWatchpointSet): (JSC::JSGlobalObject::bumpGlobalLexicalBindingEpoch): Deleted. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::globalLexicalBindingEpoch const): Deleted. (JSC::JSGlobalObject::globalLexicalBindingEpochOffset): Deleted. (JSC::JSGlobalObject::addressOfGlobalLexicalBindingEpoch): Deleted. 
* runtime/Options.cpp: (JSC::Options::initialize): (JSC::Options::setOptions): (JSC::Options::setOptionWithoutAlias): (JSC::correctOptions): Deleted. * runtime/Options.h: * runtime/ProgramExecutable.cpp: (JSC::ProgramExecutable::initializeGlobalProperties): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/let-lexical-binding-shadow-existing-global-property-ftl.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/BytecodeList.rb trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGDesiredGlobalProperties.cpp trunk/Source/_javascript_Core/dfg/DFGDesiredGlobalProperties.h trunk/Source/_javascript_Core/dfg/DFGGraph.cpp trunk/Source/_javascript_Core/dfg/DFGGraph.h trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/Options.cpp trunk/Source/_javascript_Core/runtime/Options.h trunk/Source/_javascript_Core/runtime/ProgramExecutable.cpp Removed Paths trunk/JSTests/stress/scope-operation-cache-global-property-before-deleting.js trunk/JSTests/stress/scope-operation-cache-global-property-bump-counter.js trunk/JSTests/stress/scope-operation-cache-global-property-even-if-it-fails.js Diff Modified: trunk/JSTests/ChangeLog (240247 => 240248) --- trunk/JSTests/ChangeLog 2019-01-22 01:55:47 UTC (rev 240247) +++ trunk/JSTests/ChangeLog 2019-01-22 05:28:35 UTC (rev 240248) 
@@ -1,3 +1,13 @@ +2019-01-21 Yusuke Suzuki + +Unreviewed, roll out r240220 due to date-format-xparb regression +https://bugs.webkit.org/show_bug.cgi?id=193603 + +* stress/let-lexical-binding-shadow-existing-global-property-ftl.js: +* stress/scope-operation-cache-global-property-before-deleting.js: Removed. +* stress/scope-operation-cache-global-property-bump-counter.js: Removed. +* stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed. + 2019-01-21 Caio Lima DoesGC rule is wrong for nodes with BigIntUse Modified: trunk/JSTests/stress/let-lexical-binding-shadow-existing-global-property-ftl.js (240247 => 240248) --- trunk/JSTests/stress/let-lexical-binding-shadow-existing-global-property-ftl.js 2019-01-22 01:55:47 UTC (rev 240247) +++ trunk/JSTests/stress/let-lexical-binding-shadow-existing-global-property-ftl.js 2019-01-22 05:28:35 UTC (rev 240248) @@ -40,7 +40,6 @@ shouldBe(get(), 3); foo(); -shouldBe(glob
[webkit-changes] [240242] trunk/Source/JavaScriptCore
Title: [240242] trunk/Source/_javascript_Core Revision 240242 Author yusukesuz...@slowstart.org Date 2019-01-21 14:01:16 -0800 (Mon, 21 Jan 2019) Log Message [JSC] Lazily initialize JSModuleLoader https://bugs.webkit.org/show_bug.cgi?id=193646 Reviewed by Keith Miller and Saam Barati. Lazily initialize JSModuleLoader so that we do not need to initialize it until we need modules. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::moduleLoader const): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (240241 => 240242) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-21 20:50:59 UTC (rev 240241) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-21 22:01:16 UTC (rev 240242) @@ -1,3 +1,18 @@ +2019-01-21 Yusuke Suzuki + +[JSC] Lazily initialize JSModuleLoader +https://bugs.webkit.org/show_bug.cgi?id=193646 + +Reviewed by Keith Miller and Saam Barati. + +Lazily initialize JSModuleLoader so that we do not need to initialize it until we need modules. + +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::init): +(JSC::JSGlobalObject::visitChildren): +* runtime/JSGlobalObject.h: +(JSC::JSGlobalObject::moduleLoader const): + 2019-01-20 Yusuke Suzuki [JSC] sub op with 0 should be optimized Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (240241 => 240242) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2019-01-21 20:50:59 UTC (rev 240241) +++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2019-01-21 22:01:16 UTC (rev 240242) 
@@ -788,9 +788,14 @@ ReflectObject* reflectObject = ReflectObject::create(vm, this, ReflectObject::createStructure(vm, this, m_objectPrototype.get())); putDirectWithoutTransition(vm, vm.propertyNames->Reflect, reflectObject, static_cast(PropertyAttribute::DontEnum)); -m_moduleLoader.set(vm, this, JSModuleLoader::create(globalExec(), vm, this, JSModuleLoader::createStructure(vm, this, jsNull(; +m_moduleLoader.initLater( +[] (const Initializer& init) { +auto catchScope = DECLARE_CATCH_SCOPE(init.vm); +init.set(JSModuleLoader::create(init.owner->globalExec(), init.vm, init.owner, JSModuleLoader::createStructure(init.vm, init.owner, jsNull(; +catchScope.releaseAssertNoException(); +}); if (Options::exposeInternalModuleLoader()) -putDirectWithoutTransition(vm, vm.propertyNames->Loader, m_moduleLoader.get(), static_cast(PropertyAttribute::DontEnum)); +putDirectWithoutTransition(vm, vm.propertyNames->Loader, moduleLoader(), static_cast(PropertyAttribute::DontEnum)); JSFunction* builtinLog = JSFunction::create(vm, this, 1, vm.propertyNames->emptyIdentifier.string(), globalFuncBuiltinLog); JSFunction* builtinDescribe = JSFunction::create(vm, this, 1, vm.propertyNames->emptyIdentifier.string(), globalFuncBuiltinDescribe); @@ -1574,7 +1579,7 @@ visitor.append(thisObject->m_functionProtoHasInstanceSymbolFunction); thisObject->m_throwTypeErrorGetterSetter.visit(visitor); visitor.append(thisObject->m_throwTypeErrorArgumentsCalleeAndCallerGetterSetter); -visitor.append(thisObject->m_moduleLoader); +thisObject->m_moduleLoader.visit(visitor); visitor.append(thisObject->m_objectPrototype); visitor.append(thisObject->m_functionPrototype); Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (240241 => 240242) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2019-01-21 20:50:59 UTC (rev 240241) +++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2019-01-21 22:01:16 UTC (rev 240242) 
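Review bot: The lazy initializer in the first hunk turns any exception raised while creating the loader into a release crash through `catchScope.releaseAssertNoException()`, and that crash now surfaces at the first `moduleLoader()` call rather than inside `init()`, which is a harder place to diagnose; whether `JSModuleLoader::create` can actually throw is not visible here. A one-line comment on the lambda would make the contract explicit: `// Creating the loader must not throw: a lazy initializer has no caller-supplied throw scope to propagate to.` The `Options::exposeInternalModuleLoader()` branch also deserves a note that it initializes the loader eagerly, since the `moduleLoader()` call there runs during `init()`. The enclosing functions of both hunks (init and visitChildren) start and end outside the hunk.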
@@ -300,7 +300,7 @@
 WriteBarrier m_regExpProtoUnicodeGetter;
 WriteBarrier m_throwTypeErrorArgumentsCalleeAndCallerGetterSetter;
-WriteBarrier m_moduleLoader;
+LazyProperty m_moduleLoader;
 WriteBarrier m_objectPrototype;
 WriteBarrier m_functionPrototype;
@@ -611,7 +611,7 @@
 return m_throwTypeErrorArgumentsCalleeAndCallerGetterSetter.get();
 }
-JSModuleLoader* moduleLoader() const { return m_moduleLoader.get(); }
+JSModuleLoader* moduleLoader() const { return m_moduleLoader.get(this); }
 ObjectPrototype* objectPrototype() const { return m_objectPrototype.get(); }
 FunctionPrototype* functionPrototype() const { return m_functionPrototype.get(); }
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
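Review bot: `moduleLoader() const` in the second hunk now allocates on first call through `m_moduleLoader.get(this)`, so a const accessor acquires a side effect that callers cannot see from the signature. Suggest documenting it at the declaration: `// Lazily creates the JSModuleLoader on first use; the first call allocates GC cells even though the accessor is const.` Whether any existing caller runs where allocation is not permitted would need confirming; the marking path in the .cpp hunk visits the property directly rather than going through this accessor, which is the right choice.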
[webkit-changes] [240241] trunk/Source/JavaScriptCore
Title: [240241] trunk/Source/_javascript_Core Revision 240241 Author yusukesuz...@slowstart.org Date 2019-01-21 12:50:59 -0800 (Mon, 21 Jan 2019) Log Message [JSC] sub op with 0 should be optimized https://bugs.webkit.org/show_bug.cgi?id=190751 Reviewed by Mark Lam. LLInt sometimes emit `subp 0, %rxx`. For example, `maxFrameExtentForSlowPathCall` is 0 in X86_64, ARM64, and ARM64E. So `subp maxFrameExtentForSlowPathCall sp` becomes `subp 0, %rsp`. While `addp 0, %rsp` is removed in offlineasm, sub operation does not have such an optimization. This patch applies the same optimization to sub operation already done in add operation. Since the CPU flags changed in offlineasm's these operations are not considered (if these flags are required, we use special branch operations instead), this optimization is sane. One problem is that zero-extension of the 32bit register in 64bit architecture. If the instruction emission is skipped, this won't be happen. Currently, we align our sub to add operation: we skip emission in this case. * offlineasm/arm64.rb: * offlineasm/x86.rb: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/offlineasm/arm64.rb trunk/Source/_javascript_Core/offlineasm/x86.rb Diff Modified: trunk/Source/_javascript_Core/ChangeLog (240240 => 240241) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-21 20:15:53 UTC (rev 240240) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-21 20:50:59 UTC (rev 240241) 
@@ -1,3 +1,22 @@ +2019-01-20 Yusuke Suzuki + +[JSC] sub op with 0 should be optimized +https://bugs.webkit.org/show_bug.cgi?id=190751 + +Reviewed by Mark Lam. + +LLInt sometimes emit `subp 0, %rxx`. For example, `maxFrameExtentForSlowPathCall` is 0 in X86_64, ARM64, and ARM64E. +So `subp maxFrameExtentForSlowPathCall sp` becomes `subp 0, %rsp`. While `addp 0, %rsp` is removed in offlineasm, +sub operation does not have such an optimization. This patch applies the same optimization to sub operation already +done in add operation. Since the CPU flags changed in offlineasm's these operations are not considered (if these flags +are required, we use special branch operations instead), this optimization is sane. + +One problem is that zero-extension of the 32bit register in 64bit architecture. If the instruction emission is skipped, +this won't be happen. Currently, we align our sub to add operation: we skip emission in this case. + +* offlineasm/arm64.rb: +* offlineasm/x86.rb: + 2019-01-20 Saam Barati DFG: When inlining DataView set* intrinsics we need to set undefined as our result Modified: trunk/Source/_javascript_Core/offlineasm/arm64.rb (240240 => 240241) --- trunk/Source/_javascript_Core/offlineasm/arm64.rb 2019-01-21 20:15:53 UTC (rev 240240) +++ trunk/Source/_javascript_Core/offlineasm/arm64.rb 2019-01-21 20:50:59 UTC (rev 240241) @@ -460,8 +460,8 @@ raise unless operands[2].register? if operands[0].immediate? -if operands[0].value == 0 and flag !~ /s$/ -unless operands[1] == operands[2] +if operands[0].value == 0 and opcode !~ /s$/ +if operands[1] != operands[2] $asm.puts "mov #{arm64FlippedOperands(operands[1..2], kind)}" end else 
@@ -496,6 +496,30 @@
 $asm.puts "madd #{arm64TACOperands(operands, kind)}, #{arm64GPRName('xzr', kind)}"
 end
+def emitARM64Sub(opcode, operands, kind)
+if operands.size == 3
+raise unless operands[0].register?
+raise unless operands[2].register?
+
+if operands[1].immediate?
+if operands[1].value == 0 and opcode !~ /s$/
+if operands[0] != operands[2]
+$asm.puts "mov #{arm64FlippedOperands([operands[0], operands[2]], kind)}"
+end
+return
+end
+end
+end
+
+if operands.size == 2
+if operands[0].immediate? and operands[0].value == 0 and opcode !~ /s$/
+return
+end
+end
+
+emitARM64TAC(opcode, operands, kind)
+end
+
 def emitARM64Unflipped(opcode, operands, kind)
 $asm.puts "#{opcode} #{arm64Operands(operands, kind)}"
 end
@@ -655,13 +679,13 @@
 when "mulq"
 emitARM64Mul('mul', operands, :quad)
 when "subi"
-emitARM64TAC("sub", operands, :word)
+emitARM64Sub("sub", operands, :word)
 when "subp"
-emitARM64TAC("sub", operands, :ptr)
+emitARM64Sub("sub", operands, :ptr)
 when "subq"
-emitARM64TAC("sub", operands, :quad)
+emitARM64Sub("sub", operands, :quad)
 when "subis"
-emitARM64TAC("subs", operands, :word)
+emitARM64Sub("subs", operands, :word)
 when "negi"
 $asm.puts "sub #{operands[0].arm64Operand(:word)}, wzr, #{operands[0].
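Review bot: `emitARM64Sub` emits nothing at all for the two-operand zero-immediate case and for the three-operand case when `operands[0] == operands[2]`, which for `:word` also drops the upper-32-bit zero-extension that a real `sub wN, wN, #0` would perform; the ChangeLog records this as deliberate and aligned with the add path, but the code does not say so. Suggest a comment above the first `if operands.size == 3`: `# A subtraction of 0 is skipped entirely, as emitARM64Add does; for :word this also skips the implicit zero-extension of the upper 32 bits. Flag-setting variants (opcode ending in "s") are always emitted because later branches read NZCV.` The `opcode !~ /s$/` test is the only thing that keeps `subis` emitting, so naming that intent matters if another opcode suffix is ever introduced. The `case` in the second hunk starts and ends outside the hunk.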
[webkit-changes] [240228] trunk/Source/JavaScriptCore
Title: [240228] trunk/Source/_javascript_Core Revision 240228 Author yusukesuz...@slowstart.org Date 2019-01-20 21:49:37 -0800 (Sun, 20 Jan 2019) Log Message [JSC] Reduce size of SourceProvider https://bugs.webkit.org/show_bug.cgi?id=193544 Reviewed by Saam Barati. This patch attempts to reduce the dirty memory footprint by the following 3 optimizations. 1. Reordering the members of SourceProvider to reduce the size. This affects on JSC, and CachedScriptSourceProvider used in WebCore. 2. Create one SourceProvider for all the builtin code and use substring to create builtin JS functions. This reduces # of SourceProvider created for builtins. 3. Drop m_validated flag in SourceProvider since nobody uses it. It also deletes dead code in Parser.cpp. Unfortunately, MSVC does not accept super long C string literal. So instead, we construct combined string in a form of C array. * Scripts/tests/builtins/expected/_javascript_Core-Builtin.Promise-Combined.js-result: * Scripts/tests/builtins/expected/_javascript_Core-Builtin.prototype-Combined.js-result: * Scripts/tests/builtins/expected/_javascript_Core-BuiltinConstructor-Combined.js-result: * Scripts/tests/builtins/expected/_javascript_Core-InternalClashingNames-Combined.js-result: * Scripts/wkbuiltins/builtins_generate_combined_header.py: (BuiltinsCombinedHeaderGenerator.generate_output): * Scripts/wkbuiltins/builtins_generate_combined_implementation.py: (BuiltinsCombinedImplementationGenerator.generate_output): * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: (BuiltinsSeparateImplementationGenerator.generate_output): * Scripts/wkbuiltins/builtins_generator.py: (BuiltinsGenerator.generate_embedded_code_data_for_function): (BuiltinsGenerator.generate_embedded_code_string_section_for_data): (BuiltinsGenerator.generate_embedded_code_string_section_for_function): Deleted. 
* builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::BuiltinExecutables): (JSC::JSC_FOREACH_BUILTIN_CODE): (JSC::BuiltinExecutables::createExecutable): * builtins/BuiltinExecutables.h: * parser/Parser.cpp: (JSC::Parser::Parser): (JSC::Parser::parseExpressionOrLabelStatement): (JSC::Parser::shouldCheckPropertyForUnderscoreProtoDuplicate): (JSC::Parser::parseObjectLiteral): (JSC::Parser::parseUnaryExpression): * parser/Parser.h: * parser/SourceCode.h: * parser/SourceProvider.cpp: (JSC::SourceProvider::SourceProvider): * parser/SourceProvider.h: (JSC::SourceProvider::isValid const): Deleted. (JSC::SourceProvider::setValid): Deleted. * runtime/CachedTypes.cpp: (JSC::CachedSourceProviderShape::encode): (JSC::CachedSourceProviderShape::decode const): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/Scripts/tests/builtins/expected/_javascript_Core-Builtin.Promise-Combined.js-result trunk/Source/_javascript_Core/Scripts/tests/builtins/expected/_javascript_Core-Builtin.prototype-Combined.js-result trunk/Source/_javascript_Core/Scripts/tests/builtins/expected/_javascript_Core-BuiltinConstructor-Combined.js-result trunk/Source/_javascript_Core/Scripts/tests/builtins/expected/_javascript_Core-InternalClashingNames-Combined.js-result trunk/Source/_javascript_Core/Scripts/wkbuiltins/builtins_generate_combined_header.py trunk/Source/_javascript_Core/Scripts/wkbuiltins/builtins_generate_combined_implementation.py trunk/Source/_javascript_Core/Scripts/wkbuiltins/builtins_generate_separate_implementation.py trunk/Source/_javascript_Core/Scripts/wkbuiltins/builtins_generator.py trunk/Source/_javascript_Core/builtins/BuiltinExecutables.cpp trunk/Source/_javascript_Core/builtins/BuiltinExecutables.h trunk/Source/_javascript_Core/parser/Parser.cpp trunk/Source/_javascript_Core/parser/Parser.h trunk/Source/_javascript_Core/parser/SourceCode.h trunk/Source/_javascript_Core/parser/SourceProvider.cpp 
trunk/Source/_javascript_Core/parser/SourceProvider.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (240227 => 240228) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-21 05:40:20 UTC (rev 240227) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-21 05:49:37 UTC (rev 240228) @@ -1,3 +1,57 @@ +2019-01-20 Yusuke Suzuki + +[JSC] Reduce size of SourceProvider +https://bugs.webkit.org/show_bug.cgi?id=193544 + +Reviewed by Saam Barati. + +This patch attempts to reduce the dirty memory footprint by the following 3 optimizations. + +1. Reordering the members of SourceProvider to reduce the size. This affects on JSC, and CachedScriptSourceProvider used in WebCore. + +2. Create one SourceProvider for all the builtin code and use substring to create builtin JS functions. + This reduces # of SourceProvider created for builtins. + +3. Drop m_validated flag in SourceProvider since nobody uses it. It also deletes dead code in Parser.cpp. + +Unfortunately, MSVC does not accept super long C string literal. So instead, we construct combined string in a form of C array. +
[webkit-changes] [240217] trunk/Tools
Title: [240217] trunk/Tools Revision 240217 Author yusukesuz...@slowstart.org Date 2019-01-20 13:15:42 -0800 (Sun, 20 Jan 2019) Log Message Unreviewed, add my new email address * Scripts/webkitpy/common/config/contributors.json: Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/webkitpy/common/config/contributors.json Diff Modified: trunk/Tools/ChangeLog (240216 => 240217) --- trunk/Tools/ChangeLog 2019-01-20 20:39:33 UTC (rev 240216) +++ trunk/Tools/ChangeLog 2019-01-20 21:15:42 UTC (rev 240217) @@ -1,3 +1,9 @@ +2019-01-20 Yusuke Suzuki + +Unreviewed, add my new email address + +* Scripts/webkitpy/common/config/contributors.json: + 2019-01-19 Zalan Bujtas [LFC][BFC] 's overflow property value is propagated to viewport Modified: trunk/Tools/Scripts/webkitpy/common/config/contributors.json (240216 => 240217) --- trunk/Tools/Scripts/webkitpy/common/config/contributors.json 2019-01-20 20:39:33 UTC (rev 240216) +++ trunk/Tools/Scripts/webkitpy/common/config/contributors.json 2019-01-20 21:15:42 UTC (rev 240217) @@ -6030,7 +6030,8 @@ "Yusuke Suzuki" : { "emails" : [ "yusukesuz...@slowstart.org", - "utatane@gmail.com" + "utatane@gmail.com", + "ysuz...@apple.com" ], "expertise" : "JIT Compilers, CSS JIT, _javascript_/ECMAScript", "nicks" : [ ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [240216] trunk/Source/JavaScriptCore
Title: [240216] trunk/Source/_javascript_Core Revision 240216 Author yusukesuz...@slowstart.org Date 2019-01-20 12:39:33 -0800 (Sun, 20 Jan 2019) Log Message [JSC] Shrink data structure size in JSC/heap https://bugs.webkit.org/show_bug.cgi?id=193612 Reviewed by Saam Barati. This patch reduces the size of data structures in JSC/heap. Basically, we reorder the members to remove paddings. For Subspace, we drop CellAttributes `m_attributes`. Instead, we use `heapCellType->attributes()`. And we use FreeList::cellSize() instead of holding m_cellSize in LocalAllocator. This change reduces the size of JSC::VM too since it includes JSC::Heap. The size of VM becomes from 78208 to 76696. * heap/BlockDirectory.cpp: * heap/BlockDirectory.h: * heap/CollectionScope.h: * heap/CompleteSubspace.cpp: (JSC::CompleteSubspace::allocatorForSlow): * heap/FreeList.h: (JSC::FreeList::offsetOfCellSize): (JSC::FreeList::cellSize const): * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::updateObjectCounts): (JSC::Heap::addToRememberedSet): (JSC::Heap::runBeginPhase): (JSC::Heap::willStartCollection): (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): (JSC::Heap::deleteSourceProviderCaches): (JSC::Heap::notifyIncrementalSweeper): (JSC::Heap::updateAllocationLimits): * heap/Heap.h: * heap/IsoAlignedMemoryAllocator.h: * heap/LargeAllocation.cpp: * heap/LocalAllocator.cpp: (JSC::LocalAllocator::LocalAllocator): * heap/LocalAllocator.h: (JSC::LocalAllocator::cellSize const): (JSC::LocalAllocator::offsetOfCellSize): * heap/MarkedSpace.cpp: (JSC::MarkedSpace::MarkedSpace): * heap/MarkedSpace.h: * heap/MarkingConstraint.h: * heap/Subspace.cpp: (JSC::Subspace::initialize): * heap/Subspace.h: (JSC::Subspace::attributes const): Deleted. 
* heap/SubspaceInlines.h: (JSC::Subspace::forEachMarkedCell): (JSC::Subspace::forEachMarkedCellInParallel): (JSC::Subspace::forEachLiveCell): (JSC::Subspace::attributes const): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/BlockDirectory.cpp trunk/Source/_javascript_Core/heap/BlockDirectory.h trunk/Source/_javascript_Core/heap/CollectionScope.h trunk/Source/_javascript_Core/heap/CompleteSubspace.cpp trunk/Source/_javascript_Core/heap/FreeList.h trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/Heap.h trunk/Source/_javascript_Core/heap/IsoAlignedMemoryAllocator.h trunk/Source/_javascript_Core/heap/LargeAllocation.cpp trunk/Source/_javascript_Core/heap/LocalAllocator.cpp trunk/Source/_javascript_Core/heap/LocalAllocator.h trunk/Source/_javascript_Core/heap/MarkedSpace.cpp trunk/Source/_javascript_Core/heap/MarkedSpace.h trunk/Source/_javascript_Core/heap/MarkingConstraint.h trunk/Source/_javascript_Core/heap/Subspace.cpp trunk/Source/_javascript_Core/heap/Subspace.h trunk/Source/_javascript_Core/heap/SubspaceInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (240215 => 240216) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-20 20:37:30 UTC (rev 240215) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-20 20:39:33 UTC (rev 240216) 
@@ -1,3 +1,57 @@ +2019-01-20 Yusuke Suzuki + +[JSC] Shrink data structure size in JSC/heap +https://bugs.webkit.org/show_bug.cgi?id=193612 + +Reviewed by Saam Barati. + +This patch reduces the size of data structures in JSC/heap. Basically, we reorder the members to remove paddings. + +For Subspace, we drop CellAttributes `m_attributes`. Instead, we use `heapCellType->attributes()`. And we use +FreeList::cellSize() instead of holding m_cellSize in LocalAllocator. + +This change reduces the size of JSC::VM too since it includes JSC::Heap. The size of VM becomes from 78208 to 76696. + +* heap/BlockDirectory.cpp: +* heap/BlockDirectory.h: +* heap/CollectionScope.h: +* heap/CompleteSubspace.cpp: +(JSC::CompleteSubspace::allocatorForSlow): +* heap/FreeList.h: +(JSC::FreeList::offsetOfCellSize): +(JSC::FreeList::cellSize const): +* heap/Heap.cpp: +(JSC::Heap::Heap): +(JSC::Heap::updateObjectCounts): +(JSC::Heap::addToRememberedSet): +(JSC::Heap::runBeginPhase): +(JSC::Heap::willStartCollection): +(JSC::Heap::pruneStaleEntriesFromWeakGCMaps): +(JSC::Heap::deleteSourceProviderCaches): +(JSC::Heap::notifyIncrementalSweeper): +(JSC::Heap::updateAllocationLimits): +* heap/Heap.h: +* heap/IsoAlignedMemoryAllocator.h: +* heap/LargeAllocation.cpp: +* heap/LocalAllocator.cpp: +(JSC::LocalAllocator::LocalAllocator): +* heap/LocalAllocator.h: +(JSC::LocalAllocator::cellSize const): +(JSC::LocalAllocator::offsetOfCellSize): +* heap/MarkedSpace.cpp: +(JSC::MarkedSpace::MarkedSpace): +* heap/MarkedSpace.h: +* heap/MarkingConstraint.h: +* heap/Subspace.cpp: +(JSC::Subspace::initialize): +
[webkit-changes] [240204] trunk/Source/JavaScriptCore
Title: [240204] trunk/Source/_javascript_Core Revision 240204 Author yusukesuz...@slowstart.org Date 2019-01-19 15:15:15 -0800 (Sat, 19 Jan 2019) Log Message [JSC] Reorder JSSegmentedVariableObject member for preparation of JSGlobalObject memory reduction https://bugs.webkit.org/show_bug.cgi?id=193609 Reviewed by Sam Weinig. Basically, we should order the members in large => small order not to add paddings. * runtime/JSSegmentedVariableObject.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (240203 => 240204) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-19 17:38:40 UTC (rev 240203) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-19 23:15:15 UTC (rev 240204) @@ -1,3 +1,14 @@ +2019-01-19 Yusuke Suzuki + +[JSC] Reorder JSSegmentedVariableObject member for preparation of JSGlobalObject memory reduction +https://bugs.webkit.org/show_bug.cgi?id=193609 + +Reviewed by Sam Weinig. + +Basically, we should order the members in large => small order not to add paddings. + +* runtime/JSSegmentedVariableObject.h: + 2019-01-19 Antoine Quint Add a POINTER_EVENTS feature flag Modified: trunk/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h (240203 => 240204) --- trunk/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h 2019-01-19 17:38:40 UTC (rev 240203) +++ trunk/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h 2019-01-19 23:15:15 UTC (rev 240204) @@ -107,9 +107,9 @@ private: SegmentedVector, 16> m_variables; +PoisonedClassInfoPtr m_classInfo; ConcurrentJSLock m_lock; bool m_alreadyDestroyed { false }; // We use these assertions to check that we aren't doing ancient hacks that result in this being destroyed more than once. -PoisonedClassInfoPtr m_classInfo; }; } // namespace JSC ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
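Review bot: The member reorder in the JSSegmentedVariableObject.h hunk only removes padding if `m_classInfo` is wider than the lock and the bool that now follow it, and nothing in the header states that, so the next member added at the bottom can silently reintroduce the padding. Suggest a comment beside the moved line: `// Members are ordered largest to smallest to avoid padding; put new pointer-sized fields above m_lock.` A `static_assert` on `sizeof(JSSegmentedVariableObject)` would pin the gain, but the sizes involved are not visible here. The class body starts outside the hunk.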
[webkit-changes] [240113] trunk/Source/JavaScriptCore
Title: [240113] trunk/Source/_javascript_Core Revision 240113 Author yusukesuz...@slowstart.org Date 2019-01-17 09:32:38 -0800 (Thu, 17 Jan 2019) Log Message [JSC] Add generateHeapSnapshotForGCDebugging function to dump GCDebugging data https://bugs.webkit.org/show_bug.cgi?id=193526 Reviewed by Michael Saboff. This patch adds generateHeapSnapshotForGCDebugging to JSC shell to dump heap snapshot JSON string with GCDebugging option. GCDebuggingSnapshot mode is slightly different from InspectorSnapshot in terms of both the output data and the behavior. It always takes full snapshot, and it reports internal data too. This is useful to view the live heap objects after running the code. Also, generateHeapSnapshotForGCDebugging returns String instead of parsing it to JSObject internally by calling JSON.parse. If we convert the String to bunch of objects by using JSON.parse, it is difficult to call generateHeapSnapshotForGCDebugging multiple times for debugging. Currently, it only generates a large string, which is easily distinguishable in the heap inspector tool. * jsc.cpp: (GlobalObject::finishCreation): (functionGenerateHeapSnapshotForGCDebugging): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jsc.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (240112 => 240113) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-17 16:36:31 UTC (rev 240112) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-17 17:32:38 UTC (rev 240113) 
@@ -1,5 +1,23 @@ 2019-01-17 Yusuke Suzuki +[JSC] Add generateHeapSnapshotForGCDebugging function to dump GCDebugging data +https://bugs.webkit.org/show_bug.cgi?id=193526 + +Reviewed by Michael Saboff. + +This patch adds generateHeapSnapshotForGCDebugging to JSC shell to dump heap snapshot JSON string with GCDebugging option. +GCDebuggingSnapshot mode is slightly different from InspectorSnapshot in terms of both the output data and the behavior. +It always takes full snapshot, and it reports internal data too. This is useful to view the live heap objects after running +the code. Also, generateHeapSnapshotForGCDebugging returns String instead of parsing it to JSObject internally by calling +JSON.parse. If we convert the String to bunch of objects by using JSON.parse, it is difficult to call generateHeapSnapshotForGCDebugging +multiple times for debugging. Currently, it only generates a large string, which is easily distinguishable in the heap inspector tool. + +* jsc.cpp: +(GlobalObject::finishCreation): +(functionGenerateHeapSnapshotForGCDebugging): + +2019-01-17 Yusuke Suzuki + [JSC] ToThis omission in DFGByteCodeParser is wrong https://bugs.webkit.org/show_bug.cgi?id=193513 Modified: trunk/Source/_javascript_Core/jsc.cpp (240112 => 240113) --- trunk/Source/_javascript_Core/jsc.cpp 2019-01-17 16:36:31 UTC (rev 240112) +++ trunk/Source/_javascript_Core/jsc.cpp 2019-01-17 17:32:38 UTC (rev 240113) @@ -328,6 +328,7 @@ static EncodedJSValue JSC_HOST_CALL functionCheckModuleSyntax(ExecState*); static EncodedJSValue JSC_HOST_CALL functionPlatformSupportsSamplingProfiler(ExecState*); static EncodedJSValue JSC_HOST_CALL functionGenerateHeapSnapshot(ExecState*); +static EncodedJSValue JSC_HOST_CALL functionGenerateHeapSnapshotForGCDebugging(ExecState*); static EncodedJSValue JSC_HOST_CALL functionResetSuperSamplerState(ExecState*); static EncodedJSValue JSC_HOST_CALL functionEnsureArrayStorage(ExecState*); #if ENABLE(SAMPLING_PROFILER) 
@@ -562,6 +563,7 @@
 addFunction(vm, "platformSupportsSamplingProfiler", functionPlatformSupportsSamplingProfiler, 0);
 addFunction(vm, "generateHeapSnapshot", functionGenerateHeapSnapshot, 0);
+addFunction(vm, "generateHeapSnapshotForGCDebugging", functionGenerateHeapSnapshotForGCDebugging, 0);
 addFunction(vm, "resetSuperSamplerState", functionResetSuperSamplerState, 0);
 addFunction(vm, "ensureArrayStorage", functionEnsureArrayStorage, 0);
 #if ENABLE(SAMPLING_PROFILER)
@@ -2119,6 +2121,24 @@
 return result;
 }
+EncodedJSValue JSC_HOST_CALL functionGenerateHeapSnapshotForGCDebugging(ExecState* exec)
+{
+VM& vm = exec->vm();
+JSLockHolder lock(vm);
+auto scope = DECLARE_THROW_SCOPE(vm);
+String jsonString;
+{
+DeferGCForAWhile deferGC(vm.heap); // Prevent concurrent GC from interfering with the full GC that the snapshot does.
+
+HeapSnapshotBuilder snapshotBuilder(vm.ensureHeapProfiler(), HeapSnapshotBuilder::SnapshotType::GCDebuggingSnapshot);
+snapshotBuilder.buildSnapshot();
+
+jsonString = snapshotBuilder.json();
+}
+scope.releaseAssertNoException();
+return JSValue::encode(jsString(&vm, jsonString));
+}
+
 EncodedJSValue JSC_HOST_CALL functionResetSuperSamplerState(ExecState*)
 {
 resetSuperSamplerState();
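Review bot: `functionGenerateHeapSnapshotForGCDebugging` in the last hunk returns the JSON as a raw string while its sibling `generateHeapSnapshot` (registered two lines earlier; body not in the hunk) is, per the commit message, parsed into objects, and that asymmetry is explained only in the ChangeLog. Suggest a header comment on the function: `// Returns the snapshot as a JSON string rather than a parsed object so that repeated calls do not fill the heap with parsed snapshot objects; GCDebuggingSnapshot always takes a full snapshot and includes internal data.` The throw scope exists only to `releaseAssertNoException()`, so any exception on this path aborts the shell; a short note that this is a debugging-only helper spares the next reader a hunt for the throw site. `exec` is used only to reach the VM, which is consistent with the argument count of 0 at the registration.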
[webkit-changes] [240106] trunk
Title: [240106] trunk Revision 240106 Author yusukesuz...@slowstart.org Date 2019-01-17 00:10:53 -0800 (Thu, 17 Jan 2019) Log Message [JSC] ToThis omission in DFGByteCodeParser is wrong https://bugs.webkit.org/show_bug.cgi?id=193513 Reviewed by Saam Barati. JSTests: * stress/to-this-omission-with-different-strict-modes.js: Added. (thisA): (thisAStrictWrapper): Source/_javascript_Core: DFGByteCodeParser omitted ToThis node when we have `ToThis(ToThis(value))`. This semantics is wrong if ToThis has different semantics in the sloppy mode and the strict mode. If we convert `ToThisInSloppyMode(ToThisInStrictMode(boolean))` to `ToThisInStrictMode(boolean)`, we get boolean instead of BooleanObject. This optimization is introduced more than 7 years ago, and from that, we have several optimizations that can remove such ToThis nodes in BytecodeParser, AI, and Fixup. Furthermore, this optimization is simply wrong since `toThis()` function of JSCell can be defined as they want. Before ensuring all the toThis function is safe, we should not fold `ToThis(ToThis(value))` => `ToThis(value)`. This patch just removes the problematic optimization. The performance numbers look neutral. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp Added Paths trunk/JSTests/stress/to-this-omission-with-different-strict-modes.js Diff Modified: trunk/JSTests/ChangeLog (240105 => 240106) --- trunk/JSTests/ChangeLog 2019-01-17 07:46:10 UTC (rev 240105) +++ trunk/JSTests/ChangeLog 2019-01-17 08:10:53 UTC (rev 240106) 
@@ -1,3 +1,15 @@ +2019-01-17 Yusuke Suzuki + +[JSC] ToThis omission in DFGByteCodeParser is wrong +https://bugs.webkit.org/show_bug.cgi?id=193513 + + +Reviewed by Saam Barati. + +* stress/to-this-omission-with-different-strict-modes.js: Added. +(thisA): +(thisAStrictWrapper): + 2019-01-15 Mark Lam JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes. Added: trunk/JSTests/stress/to-this-omission-with-different-strict-modes.js (0 => 240106) --- trunk/JSTests/stress/to-this-omission-with-different-strict-modes.js (rev 0) +++ trunk/JSTests/stress/to-this-omission-with-different-strict-modes.js 2019-01-17 08:10:53 UTC (rev 240106) @@ -0,0 +1,10 @@ +function thisA() { +return this.a +} +function thisAStrictWrapper() { +'use strict'; +thisA.apply(this); +} +let x = false; +for (let j=0; j<1e4; j++) +thisAStrictWrapper.call(x); Modified: trunk/Source/_javascript_Core/ChangeLog (240105 => 240106) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-17 07:46:10 UTC (rev 240105) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-17 08:10:53 UTC (rev 240106) 
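Review bot: The new test `to-this-omission-with-different-strict-modes.js` only detects a crash: `thisA` reads `this.a`, which is `undefined` whether `this` is the primitive `false` or a BooleanObject, so a regression that folds `ToThis(ToThis(false))` back to the strict-mode result (the exact bug the ChangeLog describes) passes silently unless it happens to crash. Asserting the sloppy-mode wrapping makes it self-checking: `if (typeof this !== 'object') throw new Error('this should be a BooleanObject');` as the first line of `thisA`. A one-line comment on the loop, `// enough iterations to tier up to the DFG, where the fold lived`, would also tell readers why 1e4 calls are needed (presumably the tier-up threshold; I cannot see the harness options here).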
@@ -1,3 +1,25 @@ +2019-01-17 Yusuke Suzuki + +[JSC] ToThis omission in DFGByteCodeParser is wrong +https://bugs.webkit.org/show_bug.cgi?id=193513 + + +Reviewed by Saam Barati. + +DFGByteCodeParser omitted ToThis node when we have `ToThis(ToThis(value))`. This semantics is wrong if ToThis has different semantics +in the sloppy mode and the strict mode. If we convert `ToThisInSloppyMode(ToThisInStrictMode(boolean))` to `ToThisInStrictMode(boolean)`, +we get boolean instead of BooleanObject. + +This optimization is introduced more than 7 years ago, and from that, we have several optimizations that can remove such ToThis nodes +in BytecodeParser, AI, and Fixup. Furthermore, this optimization is simply wrong since `toThis()` function of JSCell can be defined +as they want. Before ensuring all the toThis function is safe, we should not fold `ToThis(ToThis(value))` => `ToThis(value)`. +This patch just removes the problematic optimization. The performance numbers look neutral. + +* dfg/DFGAbstractInterpreterInlines.h: +(JSC::DFG::AbstractInterpreter::executeEffects): +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::parseBlock): + 2019-01-16 Mark Lam Refactor new bytecode structs so that the fields are prefixed with "m_". Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (240105 => 240106) --- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-01-17 07:46:10 UTC (rev 240105) +++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-01-17 08:10:53 UTC (rev 240106) @@ -2549,31 +2549,27 @@ bool strictMode = m_graph.executableFor(node->origin.semantic)->isStrictMode(); ToThisResult result = isToThisAnIdentity(m_vm, strictMode, source); -if (result != ToThisResult::Dynamic)
[webkit-changes] [240024] trunk
Title: [240024] trunk Revision 240024 Author yusukesuz...@slowstart.org Date 2019-01-15 18:17:31 -0800 (Tue, 15 Jan 2019) Log Message [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String) https://bugs.webkit.org/show_bug.cgi?id=193438 Reviewed by Saam Barati and Keith Miller. JSTests: Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run. Then, GetByVal(String) crashed. * stress/string-get-by-val-lowering.js: Added. (shouldBe): (test): * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added. (Hello): (foo): Source/_javascript_Core: GetByVal(Array::String) emits Check(String) before that. But AI can broaden type constraint in the second run. After the first run removes Check(String), it would happen that AI starts saying the type of 1st child is not String. To claim that it *is* a String type, we should use KnownStringUse here. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): StringCharAt and GetByVal(Array::String) share the underlying compiler code. We should change StringUse => KnownStringUse for StringCharAt too. And StringCharAt and StringCharCodeAt potentially have the same problem. This patch fixes it too. 
* dfg/DFGSSALoweringPhase.cpp: (JSC::DFG::SSALoweringPhase::lowerBoundsCheck): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths trunk/JSTests/stress/string-get-by-val-lowering.js trunk/JSTests/stress/type-for-get-by-val-can-be-widen-after-ai.js Diff Modified: trunk/JSTests/ChangeLog (240023 => 240024) --- trunk/JSTests/ChangeLog 2019-01-16 01:41:42 UTC (rev 240023) +++ trunk/JSTests/ChangeLog 2019-01-16 02:17:31 UTC (rev 240024) @@ -1,3 +1,21 @@ +2019-01-15 Yusuke Suzuki + +[JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String) +https://bugs.webkit.org/show_bug.cgi?id=193438 + + +Reviewed by Saam Barati and Keith Miller. + +Under the heavy load (like, compiling WebKit), AI in this code can broaden type information after the 1st run. +Then, GetByVal(String) crashed. + +* stress/string-get-by-val-lowering.js: Added. +(shouldBe): +(test): +* stress/type-for-get-by-val-can-be-widen-after-ai.js: Added. +(Hello): +(foo): + 2019-01-15 Tomas Popela Unreviewed, skip JIT tests if it's not enabled Added: trunk/JSTests/stress/string-get-by-val-lowering.js (0 => 240024) --- trunk/JSTests/stress/string-get-by-val-lowering.js (rev 0) +++ trunk/JSTests/stress/string-get-by-val-lowering.js 2019-01-16 02:17:31 UTC (rev 240024) 
@@ -0,0 +1,17 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +function test(value) +{ +return value[2]; +} +noInline(test); + +for (var i = 0; i < 1e4; ++i) { +shouldBe(test("Hello"), 'l'); +shouldBe(test("World"), 'r'); +shouldBe(test("Nice"), 'c'); +} Added: trunk/JSTests/stress/type-for-get-by-val-can-be-widen-after-ai.js (0 => 240024) --- trunk/JSTests/stress/type-for-get-by-val-can-be-widen-after-ai.js (rev 0) +++ trunk/JSTests/stress/type-for-get-by-val-can-be-widen-after-ai.js 2019-01-16 02:17:31 UTC (rev 240024) @@ -0,0 +1,25 @@ +//@ runDefault("--jitPolicyScale=0") +// Run with for i in {1..1000}; do echo $i && VM=/path/to/WebKit/WebKitBuild/Debug/ && DYLD_FRAMEWORK_PATH=$VM $VM/jsc --useDollarVM=1 --jitPolicyScale=0 type-for-get-by-val-can-be-widen-after-ai.js ; done + +function Hello(y) { + this.y = y; + this.x = foo(this.y); +} +function foo(z) { + try { +for (var i = 0; i < 1; i++) { + z[i]; +} + } catch { + } +} +new Hello('a'); +new Hello('a'); +for (let i = 0; i < 100; ++i) { + new Hello(); +} + +// Busy loop to let the crash reporter have a chance to capture the crash log for the Compiler thread. +for (let i = 0; i < 100; ++i) { +$vm.ftlTrue(); +} Modified: trunk/Source/_javascript_Core/ChangeLog (240023 => 240024) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-16 01:41:42 UTC (rev 240023) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-16 02:17:31 UTC (rev 240024) @@ -1,3 +1,25 @@ +2019-01-15 Yusuke Suzuki + +[JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String) +https://bugs.webkit.org/show_bug.cgi?id=193438 +
[webkit-changes] [239964] trunk
Title: [239964] trunk Revision 239964 Author yusukesuz...@slowstart.org Date 2019-01-14 17:26:43 -0800 (Mon, 14 Jan 2019) Log Message [JSC] AI should check the given constant's array type when folding GetByVal into constant https://bugs.webkit.org/show_bug.cgi?id=193413 Reviewed by Keith Miller. JSTests: This test is super flaky. It causes crash in r238109, but it does not crash with `--useConcurrentJIT=false`. It does not cause any crashes on the latest revision too. Basically, it highly depends on the timing, and without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI, but GetByVal does not have appropriate ArrayModes, JSC crashes. * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added. (compareArray): Source/_javascript_Core: If GetByVal's DFG::ArrayMode's type is Array::Double, we expect that the result of GetByVal is Double, since we already performed CheckStructure or CheckArray to ensure this array type. But this assumption on the given value becomes wrong in AI, since CheckStructure may not perform filtering. And the proven AbstractValue in GetByVal would not be expected one. We have the graph before performing constant folding. 
53: GetLocal(Check:Untyped:@77, JS|MustGen|UseAsOther, Array, arg2(C/FlushedCell), R:Stack(7), bc#37, ExitValid) predicting Array 54:< 1:-> JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid) 93: CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid) 94:< 1:-> GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid) 55: GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid) predicting StringIdent|NonIntAsdouble And 53 is converted to JSConstant in the constant folding. It leads to constant folding attempt in GetByVal. 53:< 1:-> JSConstant(JS|UseAsOther, Array, Weak:Object: 0x117fb4370 with butterfly 0x8000e4050 (Structure %BV:Array), StructureID: 104, bc#37, ExitValid) 54:< 1:-> JSConstant(JS|PureNum|UseAsOther|UseAsInt|ReallyWantsInt, BoolInt32, Int32: 0, bc#37, ExitValid) 93: CheckStructure(Cell:@53, MustGen, [%C7:Array], R:JSCell_structureID, Exits, bc#37, ExitValid) 94:< 1:-> GetButterfly(Check:Cell:@53, Storage|PureInt, R:JSObject_butterfly, Exits, bc#37, ExitValid) 55: GetByVal(Check:KnownCell:@53, Check:Int32:@54, Check:Untyped:@94, Double|MustGen|VarArgs|PureInt, AnyIntAsDouble|NonIntAsdouble, Double+OriginalCopyOnWriteArray+SaneChain+AsIs+Read, R:Butterfly_publicLength,IndexedDoubleProperties, Exits, bc#37, ExitValid) predicting StringIdent|NonIntAsdouble GetByVal gets constant Array from @53, and attempt to perform constant folding by leverating CoW state: if the given array's butterfly is CoW and we performed CoW array check for this GetByVal, the array would not be changed as long as the check works. However, CheckStructure for @53 does not filter anything at AI. 
So, if @53 is CopyOnWrite | Contiguous array (not CopyOnWrite | Double array!), GetByVal will get a JSValue. But it does not meet the requirement of GetByVal since it has Double Array mode, and says it returns Double. Here, CheckStructure is valid because structure of the constant object would be changed. What we should do is additional CoW & ArrayShape check in GetByVal when folding since this node leverages CoW's interesting feature, "If CoW array check (CheckStructure etc.) is emitted by GetByVal's DFG::ArrayMode, the content is not changed from the creation!". This patch adds ArrayShape check in addition to CoW status check in GetByVal. Unfortunately, this crash is very flaky. In the above case, if @53 stays GetLocal after the constant folding phase, this issue does not occur. We can see this crash in r238109, but it is really hard to reproduce it in the current ToT. I verified this fix works in r238109 with the attached test. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::fixTypeForRepresentation): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp Added Paths trunk/JSTests/stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js Diff Modified: trunk/JSTests/ChangeLog (239963 => 239964) --- trunk/JSTests/ChangeLog 2019-01-15 00:55:51 UTC (rev 239963) +++ trunk/JSTests/ChangeLog 2019-01-15 01:26:43 UTC (rev 239964) @@ -1,3 +1,19 @@ +2019-01-14 Yusuke Suzuki + +[JSC] AI should check the given constant's array type when folding GetByVal into constant +https://bugs.webkit.
[webkit-changes] [239951] trunk
Title: [239951] trunk Revision 239951 Author yusukesuz...@slowstart.org Date 2019-01-14 14:31:06 -0800 (Mon, 14 Jan 2019) Log Message [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information https://bugs.webkit.org/show_bug.cgi?id=193372 Reviewed by Saam Barati. JSTests: * stress/typed-array-array-modes-profile.js: Added. (foo): Source/_javascript_Core: When RegisteredStructureSet is filtered with AbstractValue, we use structure, SpeculationType, and ArrayModes. However, we use asArrayModes() function with IndexingMode to compute the ArrayModes in AbstractValue. This is wrong since this discards TypedArray ArrayModes. As a result, if RegisteredStructureSet with TypedArrays is filtered with ArrayModes of AbstractValue populated from TypedArrays, we filter all the structures out since AbstractValue's ArrayModes become NonArray, which is wrong with the TypedArrays' ArrayModes. This leads to incorrect FTL code generation with MultiGetByOffset etc. nodes because, 1. AI think that this MultiGetByOffset never succeeds since all the values of RegisteredStructureSet are filtered out by the AbstractValue. 2. AI says the state of MultiGetByOffset is invalid since AI think it never succeeds. 3. So subsequent code becomes FTL crash code since AI think the execution should do OSR exit. 4. Then, FTL emits the code for MultiGetByOffset, and emits crash after that. 5. But in reality, the incoming value can match to the one of the RegisteredStructureSet value since (1)'s structures are incorrectly filtered by the incorrect ArrayModes. 6. Then, the execution goes on, and falls into the FTL crash. This patch fixes the incorrect ArrayModes calculation by the following changes 1. Rename asArrayModes to asArrayModesIgnoringTypedArrays. 2. Fix incorrect asArrayModesIgnoringTypedArrays use in our code. Use arrayModesFromStructure instead. 3. Fix OSR exit code which stores incorrect ArrayModes to the profiles. 
* bytecode/ArrayProfile.cpp: (JSC::dumpArrayModes): (JSC::ArrayProfile::computeUpdatedPrediction): * bytecode/ArrayProfile.h: (JSC::asArrayModesIgnoringTypedArrays): (JSC::arrayModesFromStructure): (JSC::arrayModesIncludeIgnoringTypedArrays): (JSC::shouldUseSlowPutArrayStorage): (JSC::shouldUseFastArrayStorage): (JSC::shouldUseContiguous): (JSC::shouldUseDouble): (JSC::shouldUseInt32): (JSC::asArrayModes): Deleted. (JSC::arrayModeFromStructure): Deleted. (JSC::arrayModesInclude): Deleted. * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::observeTransitions): (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::mergeOSREntryValue): (JSC::DFG::AbstractValue::contains const): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::observeTransition): (JSC::DFG::AbstractValue::validate const): (JSC::DFG::AbstractValue::observeIndexingTypeTransition): * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::fromObserved): (JSC::DFG::ArrayMode::alreadyChecked const): * dfg/DFGArrayMode.h: (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering): (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::executeOSRExit): (JSC::DFG::OSRExit::compileExit): * dfg/DFGRegisteredStructureSet.cpp: (JSC::DFG::RegisteredStructureSet::filterArrayModes): (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * jit/JITInlines.h: (JSC::JIT::chooseArrayMode): (JSC::arrayProfileSaw): Deleted. 
* runtime/JSType.h: (JSC::isTypedArrayType): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/ArrayProfile.cpp trunk/Source/_javascript_Core/bytecode/ArrayProfile.h trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp trunk/Source/_javascript_Core/dfg/DFGArrayMode.h trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp trunk/Source/_javascript_Core/dfg/DFGRegisteredStructureSet.cpp trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp trunk/Source/_javascript_Core/jit/JITInlines.h trunk/Source/_javascript_Core/runtime/JSType.h Added Paths trunk/JSTests/stress/typed-array-array-modes-profile.js Diff Modified: trunk/JSTests/ChangeLog (239950 => 239951) --- trunk/JSTests/ChangeLog 2019-01-14 22:23:30 UTC (rev 239950) +++ trunk/JSTests/ChangeLog 2019-01-14 22:31:06 UTC (rev 239951) @@ -1,3 +1,13 @@ +2019-01-14 Yusuke Suzuki + +[JSC] Do not use asArrayModes() with Structures because it discards TypedArray information +https://bugs.webkit.org/show_bug.cgi?id=193372 + +Reviewed by Saam Barati. + +* stress/typed-array-array-modes-profile.js: Added. +(foo): + 2019-01-14 Mark Lam Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change). Added: trunk/JSTests/stress/typed-array-a
[webkit-changes] [239898] trunk/Source/JavaScriptCore
Title: [239898] trunk/Source/_javascript_Core Revision 239898 Author yusukesuz...@slowstart.org Date 2019-01-12 01:49:17 -0800 (Sat, 12 Jan 2019) Log Message Unreviewed, fix scope check assertions https://bugs.webkit.org/show_bug.cgi?id=193308 * bytecode/CodeBlock.cpp: (JSC::CodeBlock::notifyLexicalBindingShadowing): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::notifyLexicalBindingShadowing): * runtime/ProgramExecutable.cpp: (JSC::ProgramExecutable::initializeGlobalProperties): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/ProgramExecutable.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (239897 => 239898) --- trunk/Source/_javascript_Core/ChangeLog 2019-01-12 07:42:11 UTC (rev 239897) +++ trunk/Source/_javascript_Core/ChangeLog 2019-01-12 09:49:17 UTC (rev 239898) @@ -1,3 +1,15 @@ +2019-01-12 Yusuke Suzuki + +Unreviewed, fix scope check assertions +https://bugs.webkit.org/show_bug.cgi?id=193308 + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::notifyLexicalBindingShadowing): +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::notifyLexicalBindingShadowing): +* runtime/ProgramExecutable.cpp: +(JSC::ProgramExecutable::initializeGlobalProperties): + 2019-01-11 John Wilander Compile out Web API Statistics Collection Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (239897 => 239898) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2019-01-12 07:42:11 UTC (rev 239897) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2019-01-12 09:49:17 UTC (rev 239898) @@ -2676,7 +2676,7 @@ return; JSGlobalObject* globalObject = m_globalObject.get(); -auto throwScope = DECLARE_THROW_SCOPE(vm); +auto scope = DECLARE_THROW_SCOPE(vm); ConcurrentJSLocker locker(m_lock); 
@@ -2693,7 +2693,7 @@ // We pass JSGlobalLexicalScope as a start point of the scope chain. // It should immediately find the lexical binding because that's the reason why we perform this rewriting now. ResolveOp op = JSScope::abstractResolve(m_globalObject->globalExec(), bytecode.localScopeDepth, globalObject->globalScope(), ident, Get, bytecode.resolveType, InitializationMode::NotInitialization); -EXCEPTION_ASSERT_UNUSED(throwScope, !throwScope.exception()); +scope.releaseAssertNoException(); ASSERT(op.type == GlobalLexicalVarWithVarInjectionChecks || op.type == GlobalLexicalVar); metadata.resolveType = needsVarInjectionChecks(originalResolveType) ? GlobalLexicalVarWithVarInjectionChecks : GlobalLexicalVar; metadata.localScopeDepth = 0; @@ -2717,7 +2717,7 @@ // We pass JSGlobalLexicalScope as a start point of the scope chain. // It should immediately find the lexical binding because that's the reason why we perform this rewriting now. ResolveOp op = JSScope::abstractResolve(m_globalObject->globalExec(), bytecode.localScopeDepth, globalObject->globalScope(), ident, Get, bytecode.getPutInfo.resolveType(), InitializationMode::NotInitialization); -EXCEPTION_ASSERT_UNUSED(throwScope, !throwScope.exception()); +scope.releaseAssertNoException(); ASSERT(op.type == GlobalLexicalVarWithVarInjectionChecks || op.type == GlobalLexicalVar); metadata.getPutInfo = GetPutInfo(bytecode.getPutInfo.resolveMode(), needsVarInjectionChecks(originalResolveType) ? GlobalLexicalVarWithVarInjectionChecks : GlobalLexicalVar, bytecode.getPutInfo.initializationMode()); metadata.watchpointSet = op.watchpointSet; 
@@ -2738,7 +2738,7 @@ // We pass JSGlobalLexicalScope as a start point of the scope chain. // It should immediately find the lexical binding because that's the reason why we perform this rewriting now. ResolveOp op = JSScope::abstractResolve(m_globalObject->globalExec(), bytecode.symbolTableOrScopeDepth, globalObject->globalScope(), ident, Put, bytecode.getPutInfo.resolveType(), bytecode.getPutInfo.initializationMode()); -EXCEPTION_ASSERT_UNUSED(throwScope, !throwScope.exception()); +scope.releaseAssertNoException(); ASSERT(op.type == GlobalLexicalVarWithVarInjectionChecks || op.type == GlobalLexicalVar || op.type == Dynamic); ResolveType resolveType = op.type; Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (239897 => 239898) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2019-01-12 07:42:11 UTC (rev 239897) +++ trunk/Source/_javascript_Core/runt
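Review bot: In the `-2738` hunk the context comment still says the resolve "should immediately find the lexical binding", yet the `ASSERT` on the next line — unlike the two Get hunks above it — also accepts `op.type == Dynamic`, and nothing in the code says why; with the assertion now a release-mode `scope.releaseAssertNoException()` this is the one branch a future reader will have to reason about. The r239879 description on this page explains it (a put to a const lexical binding is rewritten to Dynamic so the slow path throws a TypeError), so I would add that to the comment: `// For puts the result may also be Dynamic: storing to a const lexical binding must take the slow path and throw a TypeError.` The enclosing function starts and ends outside this hunk.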
[webkit-changes] [239879] trunk
Title: [239879] trunk Revision 239879 Author yusukesuz...@slowstart.org Date 2019-01-11 15:10:31 -0800 (Fri, 11 Jan 2019) Log Message [JSC] Global lexical bindings can shadow global variables if it is `configurable = true` https://bugs.webkit.org/show_bug.cgi?id=193308 Reviewed by Saam Barati. JSTests: * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added. (shouldThrow): (shouldBe): (foo): (get shouldThrow): * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added. (shouldThrow): (shouldBe): (foo): (get shouldBe): (get shouldThrow): (get return): * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added. (shouldThrow): (shouldBe): (foo): (get shouldBe): (get shouldThrow): * stress/const-lexical-binding-shadow-existing-global-property.js: Added. (shouldThrow): (shouldBe): (foo): * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added. (shouldThrow): (shouldBe): (foo): * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added. (shouldThrow): * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added. (shouldThrow): * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added. (shouldThrow): (shouldBe): (foo): * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added. (shouldThrow): (shouldBe): (foo): (get shouldBe): (get shouldThrow): (get return): * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added. (shouldThrow): (shouldBe): (foo): (get shouldBe): (get shouldThrow): * stress/let-lexical-binding-shadow-existing-global-property.js: Added. (shouldThrow): (shouldBe): (foo): * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added. (shouldThrow): (shouldBe): (foo): Source/_javascript_Core: Previously, we assumed that lexical bindings in JSGlobalLexicalEnvironment cannot shadow existing global properties. However, it is wrong. 
According to the spec, we can shadow global properties if a property's attribute is configurable = true. For example, we execute two scripts. script1.js bar = 42; function load() { return bar; } print(bar); // 42 print(load()); // 42 script2.js let bar = 0; // This lexical binding can shadow the global.bar defined in script1.js print(bar); // 0 print(load()); // 0 In JSC, we cache GlobalProperty resolve type and its associated information in op_resolve_type, op_get_from_scope, and op_put_to_scope. They attempt to load a property from JSGlobalObject directly. However, once the newly added lexical binding starts shadowing this, our existing instructions become invalid since they do not respect JSGlobalLexicalEnvironment. In this patch, we fix this issue by introducing the following mechanisms. 1. We have a HashMap in JSGlobalObject. DFG and FTL create a watchpoint set with the property name if the generated code depends on GlobalProperty condition of op_resolve_scope etc. These watchpoints will be fired when the shadowing happens, so that our generated DFG and FTL code will be invalidated if it depends on the condition which is no longer valid. 2. When we detect shadowing, we iterate all the live CodeBlocks which globalObject is the target one. And we rewrite instructions in them from GlobalProperty to GlobalLexicalVar (or Dynamic precisely). So, the subsequent LLInt code just works well. "Dynamic" conversion happens when your op_put_to_scope attempts to put a value onto a const lexical binding. This fails and it should throw a type error. 3. GlobalProperty scope operations in Baseline JIT start checking ResolveType in metadata, and emit code for GlobalProperty and GlobalLexicalVar. Once the rewrite happens, baseline JIT continues working because it checks the rewritten metadata's ResolveType. We use this mechanism (which is similar to haveABadTime() thing) because, 1. Shadowing should be super rare. Before r214145, we made these cases a SyntaxError. 
Thus, before r214145, this type of code cannot be executed in WebKit. And the number of the live CodeBlocks for the given JSGlobalObject should be small. This supports introducing rather simple (but not so efficient) mechanism instead of the complicated one. 2. Rewriting instructions immediately forces GlobalProperty => GlobalLexicalVar / Dynamic conversion in all the possible CodeBlock. This allows us to avoid compilation failure loop in DFG and FTL: DFG and FTL codes are invalidated by the watchpoint, but we may attempt to compile the code with the invalidated watchpoint and GlobalProperty status if we do not rewrite it. One possible other implementation is having and checking a counter in instruction, and every time we introduce a new shadow binding, bump the counter. And eventually executed instruction will go to the slow path and rewrite itself. However, this way leaves the not-executed-again-yet instructions as is, and DFG and FTL repeatedly fail to comp
[webkit-changes] [239612] trunk
Title: [239612] trunk Revision 239612 Author yusukesuz...@slowstart.org Date 2019-01-04 09:04:09 -0800 (Fri, 04 Jan 2019) Log Message [JSC] Optimize Object.prototype.toString https://bugs.webkit.org/show_bug.cgi?id=193031 Reviewed by Saam Barati. JSTests: * stress/object-tostring-changed-proto.js: Added. (shouldBe): (test): * stress/object-tostring-changed.js: Added. (shouldBe): (test): * stress/object-tostring-misc.js: Added. (shouldBe): (test): (i.switch): * stress/object-tostring-other.js: Added. (shouldBe): (test): * stress/object-tostring-untyped.js: Added. (shouldBe): (test): (i.switch): Source/_javascript_Core: Object.prototype.toString is frequently used for type checking. It is called many times in wtb-lebab.js. This patch optimizes Object.prototype.toString by the following two optimizations. 1. We should emit code looking up cached to string in DFG and FTL. toString's result is cached in the Structure. We emit a fast path code in DFG and FTL to lookup this cache. 2. We should not create objects for primitive values in major cases. When Object.prototype.toString(primitive) is called, this primitive is converted to an object by calling ToObject. But if the result is appropriately cached in the Structure, we should get it in the fast path without creating this object. When converting primitives to objects, Structures used in these newly created objects are known (Structure for StringObject etc.). So we can first query the cached string before actually converting primitives to objects. This patch improves wtb-lebab.js by roughly 2%. 
before:lebab: 8.90 runs/s after :lebab: 9.09 runs/s * _javascript_Core.xcodeproj/project.pbxproj: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupObjectToString): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileObjectToString): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): * runtime/Intrinsic.cpp: (JSC::intrinsicName): * runtime/Intrinsic.h: * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::finishCreation): (JSC::objectProtoFuncToString): * runtime/ObjectPrototype.h: * runtime/ObjectPrototypeInlines.h: Added. 
(JSC::structureForPrimitiveValue): (JSC::objectToString): * runtime/StructureRareData.h: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.h trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/runtime/Intrinsic.cpp trunk/Source/_javascript_Core/runtime/Intrinsic.h trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp trunk/Source/_javascript_Core/runtime/ObjectPrototype.h trunk/Source/_javascript_Core/runtime/StructureRareData.h Added Paths trunk/JSTests/stress/object-tostring-changed-proto.js trunk/JSTests/stress/object-tostring-changed.js trunk/JSTests/stress/object-tostring-misc.js trunk/JSTests/stress/object-tostring-other.js trunk/JSTests/stress/object-tostring-untyped.js trunk/Source/_javascript_Core/runtime/ObjectPrototypeInlines.h Diff Modified: trunk/JSTests/ChangeLog (239611 => 239612) --- trunk/JSTests/ChangeLog 2019-01-04 16:44:43 UTC (rev 239611) +++ trunk/JSTests/ChangeLog 2019-01-04 17:04:09 UTC (rev 239612) 
@@ -1,3 +1,28 @@ +2019-01-02 Yusuke Suzuki + +[JSC] Optimize Object.prototype.toString +
[webkit-changes] [239567] trunk/Tools
Title: [239567] trunk/Tools Revision 239567 Author yusukesuz...@slowstart.org Date 2018-12-31 07:31:15 -0800 (Mon, 31 Dec 2018) Log Message .ycm_extra_conf.py should handle XXXInlines.h https://bugs.webkit.org/show_bug.cgi?id=193055 Reviewed by Carlos Garcia Campos. compile_commands.json database only records flags and options for cpp source files. So, when we open headers, this database does not have any information for that. Our .ycm_extra_conf.py alleviates this by using XXX.cpp's configuration for XXX.h. But this mitigation does not handle XXXInlines.h well since we do not have XXXInlines.cpp. This patch adds support for XXXInlines.h in .ycm_extra_conf.py. When XXXInlines.h is queried, we attempt to find XXX.cpp and use the configuration if it exists. * gtk/ycm_extra_conf.py: (getImplementationFilename): (FlagsForFile): Modified Paths trunk/Tools/ChangeLog trunk/Tools/gtk/ycm_extra_conf.py Diff Modified: trunk/Tools/ChangeLog (239566 => 239567) --- trunk/Tools/ChangeLog 2018-12-31 14:53:38 UTC (rev 239566) +++ trunk/Tools/ChangeLog 2018-12-31 15:31:15 UTC (rev 239567) 
@@ -1,3 +1,21 @@ +2018-12-29 Yusuke Suzuki + +.ycm_extra_conf.py should handle XXXInlines.h +https://bugs.webkit.org/show_bug.cgi?id=193055 + +Reviewed by Carlos Garcia Campos. + +compile_commands.json database only records flags and options for cpp source files. +So, when we open headers, this database does not have any information for that. +Our .ycm_extra_conf.py alleviates this by using XXX.cpp's configuration for XXX.h. +But this mitigation does not handle XXXInlines.h well since we do not have XXXInlines.cpp. +This patch adds support for XXXInlines.h in .ycm_extra_conf.py. When XXXInlines.h is queried, +we attempt to find XXX.cpp and use the configuration if it exists. + +* gtk/ycm_extra_conf.py: +(getImplementationFilename): +(FlagsForFile): + 2018-12-31 Carlos Garcia Campos Unreviewed. Support PHP 7.3 in Debian. Modified: trunk/Tools/gtk/ycm_extra_conf.py (239566 => 239567) --- trunk/Tools/gtk/ycm_extra_conf.py 2018-12-31 14:53:38 UTC (rev 239566) +++ trunk/Tools/gtk/ycm_extra_conf.py 2018-12-31 15:31:15 UTC (rev 239567) @@ -81,6 +81,15 @@ return release_build_path if release_mtime >= debug_mtime else debug_build_path +def getImplementationFilename(filename): +alternative_extensions = ['.cpp', '.c'] +for alternative_extension in alternative_extensions: +alternative_filename = filename[:-2] + alternative_extension +if os.path.exists(alternative_filename): +return alternative_filename +return None + + def FlagsForFile(filename, **kwargs): """This is the main entry point for YCM. Its interface is fixed. 
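Review bot: `getImplementationFilename` assumes its argument ends in a two-character extension — `filename[:-2]` on anything other than a `.h` path yields a nonsense candidate that `os.path.exists` quietly rejects, so a caller passing `.hpp` or a bare name just gets `None` with no hint why. Now that it is a standalone helper (and the `Inlines.h` branch in the next hunk builds its argument by string slicing as well), I'd make the precondition explicit: `base, ext = os.path.splitext(filename)` then `assert ext == '.h'` and `alternative_filename = base + alternative_extension`. A one-line docstring saying it returns the sibling `.cpp`/`.c` path or `None` would also help, since the function has none. `FlagsForFile` begins at the end of this hunk and its body lies outside it.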
@@ -97,14 +106,16 @@ # Headers can't be built, so we get the source file flags instead. if filename.endswith('.h'): -alternative_extensions = ['.cpp', '.c'] -for alternative_extension in alternative_extensions: -alternative_filename = filename[:-2] + alternative_extension -if os.path.exists(alternative_filename): -filename = alternative_filename -break +implementationFilename = getImplementationFilename(filename) +if implementationFilename: +filename = implementationFilename else: -return result +if not filename.endswith('Inlines.h'): +return result +implementationFilename = getImplementationFilename(filename[:-len('Inlines.h')] + '.h') +if not implementationFilename: +return result +filename = implementationFilename # Force config.h file inclusion, for GLib macros. result['flags'].append("-includeconfig.h") ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [239562] trunk
Title: [239562] trunk Revision 239562 Author yusukesuz...@slowstart.org Date 2018-12-30 13:23:11 -0800 (Sun, 30 Dec 2018) Log Message gperf is only used in WebCore https://bugs.webkit.org/show_bug.cgi?id=193061 Reviewed by Don Olmstead. gperf is only used in WebCore. So if the port does not have WebCore, it is not necessary. For example, JSCOnly port does not require it. This patch removes gperf dependency in these ports by checking ENABLE_WEBCORE. * Source/cmake/WebKitCommon.cmake: Modified Paths trunk/ChangeLog trunk/Source/cmake/WebKitCommon.cmake Diff Modified: trunk/ChangeLog (239561 => 239562) --- trunk/ChangeLog 2018-12-30 21:19:09 UTC (rev 239561) +++ trunk/ChangeLog 2018-12-30 21:23:11 UTC (rev 239562) @@ -1,3 +1,17 @@ +2018-12-30 Yusuke Suzuki + +gperf is only used in WebCore +https://bugs.webkit.org/show_bug.cgi?id=193061 + +Reviewed by Don Olmstead. + +gperf is only used in WebCore. So if the port does not have WebCore, +it is not necessary. For example, JSCOnly port does not require it. +This patch removes gperf dependency in these ports by checking +ENABLE_WEBCORE. + +* Source/cmake/WebKitCommon.cmake: + 2018-12-28 Yusuke Suzuki Add ENABLE_UNIFIED_BUILDS option to cmake ports Modified: trunk/Source/cmake/WebKitCommon.cmake (239561 => 239562) --- trunk/Source/cmake/WebKitCommon.cmake 2018-12-30 21:19:09 UTC (rev 239561) +++ trunk/Source/cmake/WebKitCommon.cmake 2018-12-30 21:23:11 UTC (rev 239562) @@ -13,9 +13,6 @@ list(APPEND CMAKE_PROGRAM_PATH $ENV{SystemDrive}/cygwin/bin) endif () -# TODO Enforce version requirement for gperf -find_package(Gperf 3.0.1 REQUIRED) - # TODO Enforce version requirement for perl find_package(Perl 5.10.0 REQUIRED) find_package(PerlModules COMPONENTS JSON::PP REQUIRED) 
@@ -58,6 +55,13 @@ include(OptionsCommon) include(Options${PORT}) +# Check gperf after including OptionsXXX.cmake since gperf is required only when ENABLE_WEBCORE is true, +# and ENABLE_WEBCORE is configured in OptionsXXX.cmake. +if (ENABLE_WEBCORE) +# TODO Enforce version requirement for gperf +find_package(Gperf 3.0.1 REQUIRED) +endif () + # - # Job pool to avoid running too many memory hungry linker processes # - ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
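Review bot: The guarded `find_package(Gperf ...)` silently does nothing when `ENABLE_WEBCORE` is undefined rather than OFF, because CMake evaluates an unset variable in `if()` as false; a port whose OptionsXXX.cmake never sets it would then fail later inside the WebCore build with a far less helpful error than the REQUIRED lookup gives here. If every OptionsXXX.cmake is expected to define the option (the comment above the block implies so, but the hunk cannot show it), I'd state that explicitly, e.g. `# Every OptionsXXX.cmake must define ENABLE_WEBCORE; an unset value is treated as OFF here.`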
[webkit-changes] [239561] trunk
Title: [239561] trunk Revision 239561 Author yusukesuz...@slowstart.org Date 2018-12-30 13:19:09 -0800 (Sun, 30 Dec 2018) Log Message Add ENABLE_UNIFIED_BUILDS option to cmake ports https://bugs.webkit.org/show_bug.cgi?id=193045 Reviewed by Don Olmstead. .: This patch adds ENABLE_UNIFIED_BUILDS option to cmake ports, which allows us to disable Unified Builds in WebKit. This makes `compile_commands.json` sane when the unified builds is disabled, and various tools can use this compilation database. For example, YouCompleteMe completion server can use it. * Source/cmake/WebKitFeatures.cmake: * Source/cmake/WebKitMacros.cmake: Source/WTF: * Scripts/generate-unified-source-bundles.rb: Modified Paths trunk/ChangeLog trunk/Source/WTF/ChangeLog trunk/Source/WTF/Scripts/generate-unified-source-bundles.rb trunk/Source/cmake/WebKitFeatures.cmake trunk/Source/cmake/WebKitMacros.cmake Diff Modified: trunk/ChangeLog (239560 => 239561) --- trunk/ChangeLog 2018-12-30 20:53:48 UTC (rev 239560) +++ trunk/ChangeLog 2018-12-30 21:19:09 UTC (rev 239561) @@ -1,3 +1,17 @@ +2018-12-28 Yusuke Suzuki + +Add ENABLE_UNIFIED_BUILDS option to cmake ports +https://bugs.webkit.org/show_bug.cgi?id=193045 + +Reviewed by Don Olmstead. + +This patch adds ENABLE_UNIFIED_BUILDS option to cmake ports, which allows us to disable Unified Builds in WebKit. +This makes `compile_commands.json` sane when the unified builds is disabled, and various tools can use this +compilation database. For example, YouCompleteMe completion server can use it. + +* Source/cmake/WebKitFeatures.cmake: +* Source/cmake/WebKitMacros.cmake: + 2018-12-27 Alex Christensen Resurrect Mac CMake build Modified: trunk/Source/WTF/ChangeLog (239560 => 239561) --- trunk/Source/WTF/ChangeLog 2018-12-30 20:53:48 UTC (rev 239560) +++ trunk/Source/WTF/ChangeLog 2018-12-30 21:19:09 UTC (rev 239561) 
@@ -1,3 +1,12 @@ +2018-12-28 Yusuke Suzuki + +Add ENABLE_UNIFIED_BUILDS option to cmake ports +https://bugs.webkit.org/show_bug.cgi?id=193045 + +Reviewed by Don Olmstead. + +* Scripts/generate-unified-source-bundles.rb: + 2018-12-27 Alex Christensen Resurrect Mac CMake build Modified: trunk/Source/WTF/Scripts/generate-unified-source-bundles.rb (239560 => 239561) --- trunk/Source/WTF/Scripts/generate-unified-source-bundles.rb 2018-12-30 20:53:48 UTC (rev 239560) +++ trunk/Source/WTF/Scripts/generate-unified-source-bundles.rb 2018-12-30 21:19:09 UTC (rev 239561) @@ -45,6 +45,7 @@ puts puts "Optional arguments:" puts "--print-bundled-sources Print bundled sources rather than generating sources" +puts "--print-all-sources Print all sources rather than generating sources" puts "--generate-xcfilelists Generate .xcfilelist files" puts "--input-xcfilelist-path Path of the generated input .xcfilelist file" puts "--output-xcfilelist-path Path of the generated output .xcfilelist file" @@ -78,6 +79,7 @@ ['--source-tree-path', '-s', GetoptLong::REQUIRED_ARGUMENT], ['--feature-flags', '-f', GetoptLong::REQUIRED_ARGUMENT], ['--print-bundled-sources', GetoptLong::NO_ARGUMENT], + ['--print-all-sources', GetoptLong::NO_ARGUMENT], ['--generate-xcfilelists', GetoptLong::NO_ARGUMENT], ['--input-xcfilelist-path', GetoptLong::REQUIRED_ARGUMENT], ['--output-xcfilelist-path', GetoptLong::REQUIRED_ARGUMENT], @@ -98,6 +100,8 @@ arg.gsub(/\s+/, ";").split(";").map { |x| $featureFlags[x] = true } when '--print-bundled-sources' $mode = :PrintBundledSources +when '--print-all-sources' +$mode = :PrintAllSources when '--generate-xcfilelists' $mode = :GenerateXCFilelists when '--input-xcfilelist-path' 
@@ -323,6 +327,8 @@ case $mode when :GenerateBundles, :GenerateXCFilelists ProcessFileForUnifiedSourceGeneration(sourceFile) +when :PrintAllSources +$generatedSources << sourceFile when :PrintBundledSources $generatedSources << sourceFile if $bundleManagers[sourceFile.path.extname] && sourceFile.unifiable end Modified: trunk/Source/cmake/WebKitFeatures.cmake (239560 => 239561) --- trunk/Source/cmake/WebKitFeatures.cmake 2018-12-30 20:53:48 UTC (rev 239560) +++ trunk/Source/cmake/WebKitFeatures.cmake 2018-12-30 21:19:09 UTC (rev 239561) @@ -192,6 +192,7 @@ WEBKIT_OPTION_DEFINE(ENABLE_TEXT_AUTOSIZING "Toggle automatic text size adjustment support" PRIVATE OFF) WEBKIT_OPTION_DEFINE(ENABLE_TOUCH_EVENTS "Toggle Touch Events support" PRIVATE OFF) WEBKIT_OPTION_DEFINE(ENABLE_TOUCH_SLIDER "Toggle Touch Slider support" PRIVATE OFF) +WEBKIT_OPTION_DEFINE(ENABLE_UNIFIED_BUILDS "Toggle unified builds" PRIVATE ON) WEBKIT_OPTION_DEFINE(ENABLE_USE
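Review bot: The new `:PrintAllSources` arm appends `sourceFile` unconditionally, while the neighbouring `:PrintBundledSources` arm filters on `$bundleManagers[...]` and `sourceFile.unifiable`; that difference is the whole point of the mode, but nothing in the code says so, and a later reader may "fix" the new arm to match the line below. A one-line comment on the new arm, `# Unlike :PrintBundledSources, report non-unifiable sources as well.`, would prevent that. The help-text and option-table hunks earlier in this commit are consistent with this one. The enclosing `case $mode` block starts before this hunk.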
[webkit-changes] [239560] trunk/JSTests
Title: [239560] trunk/JSTests Revision 239560 Author yusukesuz...@slowstart.org Date 2018-12-30 12:53:48 -0800 (Sun, 30 Dec 2018) Log Message Unreviewed, JSTests gardening with memoryLimited * stress/string-overflow-createError.js: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/string-overflow-createError.js Diff Modified: trunk/JSTests/ChangeLog (239559 => 239560) --- trunk/JSTests/ChangeLog 2018-12-30 17:38:56 UTC (rev 239559) +++ trunk/JSTests/ChangeLog 2018-12-30 20:53:48 UTC (rev 239560) @@ -1,3 +1,9 @@ +2018-12-30 Yusuke Suzuki + +Unreviewed, JSTests gardening with memoryLimited + +* stress/string-overflow-createError.js: + 2018-12-30 Ross Kirsling [JSC] Identifier validity should be based on ID_Start / ID_Continue properties Modified: trunk/JSTests/stress/string-overflow-createError.js (239559 => 239560) --- trunk/JSTests/stress/string-overflow-createError.js 2018-12-30 17:38:56 UTC (rev 239559) +++ trunk/JSTests/stress/string-overflow-createError.js 2018-12-30 20:53:48 UTC (rev 239560) @@ -1,3 +1,4 @@ +//@ skip if $memoryLimited var exception; try { bar = '2.3023e-320' ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [239557] trunk/Source
Title: [239557] trunk/Source Revision 239557 Author yusukesuz...@slowstart.org Date 2018-12-28 20:24:29 -0800 (Fri, 28 Dec 2018) Log Message [JSC] Remove one indirection in JSObject::toStringName https://bugs.webkit.org/show_bug.cgi?id=193037 Reviewed by Keith Miller. Source/_javascript_Core: We should not have additional one-level indirection in JSObject::toStringName. JSObject::toStringName is dispatched through methodTable. Even after that, we need to call JSObject::className function through methodTable again. But className function is rarely defined. So instead of introducing this indirection here, classes having className functions should have toStringName function too. This can remove one-level indirection in toStringName in major cases. * API/JSCallbackObject.h: * API/JSCallbackObjectFunctions.h: (JSC::JSCallbackObject::toStringName): * debugger/DebuggerScope.cpp: (JSC::DebuggerScope::toStringName): * debugger/DebuggerScope.h: * runtime/JSObject.cpp: (JSC::JSObject::toStringName): Source/WebCore: Use old JSObject::toStringName function here. * bindings/js/JSDOMConstructorBase.cpp: (WebCore::JSDOMConstructorBase::className): (WebCore::JSDOMConstructorBase::toStringName): * bindings/js/JSDOMConstructorBase.h: (WebCore::JSDOMConstructorBase::className): Deleted. 
Modified Paths trunk/Source/_javascript_Core/API/JSCallbackObject.h trunk/Source/_javascript_Core/API/JSCallbackObjectFunctions.h trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/debugger/DebuggerScope.cpp trunk/Source/_javascript_Core/debugger/DebuggerScope.h trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSDOMConstructorBase.cpp trunk/Source/WebCore/bindings/js/JSDOMConstructorBase.h Diff Modified: trunk/Source/_javascript_Core/API/JSCallbackObject.h (239556 => 239557) --- trunk/Source/_javascript_Core/API/JSCallbackObject.h 2018-12-27 16:13:47 UTC (rev 239556) +++ trunk/Source/_javascript_Core/API/JSCallbackObject.h 2018-12-29 04:24:29 UTC (rev 239557) @@ -187,6 +187,7 @@ private: static String className(const JSObject*, VM&); +static String toStringName(const JSObject*, ExecState*); static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType); Modified: trunk/Source/_javascript_Core/API/JSCallbackObjectFunctions.h (239556 => 239557) --- trunk/Source/_javascript_Core/API/JSCallbackObjectFunctions.h 2018-12-27 16:13:47 UTC (rev 239556) +++ trunk/Source/_javascript_Core/API/JSCallbackObjectFunctions.h 2018-12-29 04:24:29 UTC (rev 239557) @@ -140,6 +140,15 @@ } template +String JSCallbackObject::toStringName(const JSObject* object, ExecState* exec) +{ +VM& vm = exec->vm(); +const ClassInfo* info = object->classInfo(vm); +ASSERT(info); +return info->methodTable.className(object, vm); +} + +template bool JSCallbackObject::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot) { VM& vm = exec->vm(); Modified: trunk/Source/_javascript_Core/ChangeLog (239556 => 239557) --- trunk/Source/_javascript_Core/ChangeLog 2018-12-27 16:13:47 UTC (rev 239556) +++ trunk/Source/_javascript_Core/ChangeLog 2018-12-29 04:24:29 UTC (rev 239557) 
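Review bot: The new `JSCallbackObject::toStringName` re-dispatches through `info->methodTable.className` instead of calling the `className` declared right above it in the header; if that indirection is deliberate (so a subclass with its own ClassInfo gets its own `className`), the code should say so, because the commit's stated goal is removing exactly this kind of indirection and the next reader will be tempted to inline it. I'd add `// Go through ClassInfo so a subclass's className override is honored.` above the `return`. Note that `ASSERT(info)` compiles away in release builds, so a null `classInfo` would be dereferenced there; presumably it cannot be null for a live object, but that is inferred, not visible in the hunk.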
@@ -1,3 +1,26 @@ +2018-12-28 Yusuke Suzuki + +[JSC] Remove one indirection in JSObject::toStringName +https://bugs.webkit.org/show_bug.cgi?id=193037 + +Reviewed by Keith Miller. + +We should not have additional one-level indirection in JSObject::toStringName. +JSObject::toStringName is dispatched through methodTable. Even after that, we +need to call JSObject::className function through methodTable again. But className +function is rarely defined. So instead of introducing this indirection here, +classes having className functions should have toStringName function too. This can +remove one-level indirection in toStringName in major cases. + +* API/JSCallbackObject.h: +* API/JSCallbackObjectFunctions.h: +(JSC::JSCallbackObject::toStringName): +* debugger/DebuggerScope.cpp: +(JSC::DebuggerScope::toStringName): +* debugger/DebuggerScope.h: +* runtime/JSObject.cpp: +(JSC::JSObject::toStringName): + 2018-12-27 Alex Christensen Resurrect Mac CMake build Modified: trunk/Source/_javascript_Core/debugger/DebuggerScope.cpp (239556 => 239557) --- trunk/Source/_javascript_Core/debugger/DebuggerScope.cpp 2018-12-27 16:13:47 UTC (rev 239556) +++ trunk/Source/_javascript_Core/debugger/DebuggerScope.cpp 2018-12-29 04:24:29 UTC (rev 239557) @@ -77,6 +77,17 @@ return thisObject->methodTable(vm)->className(thisObject, vm); } +String DebuggerScope::toStringName(const JSObject* object, ExecState* exec) +{ +const DebuggerScope* scope = jsCast(object); +// We cannot assert that scope->isValid() because the TypeProfiler may encounter an invalidate
[webkit-changes] [239544] trunk
Title: [239544] trunk Revision 239544 Author yusukesuz...@slowstart.org Date 2018-12-23 02:09:09 -0800 (Sun, 23 Dec 2018) Log Message [BigInt] Support BigInt in JSON.stringify https://bugs.webkit.org/show_bug.cgi?id=192624 Reviewed by Saam Barati. JSTests: * stress/big-int-json-stringify-to-json.js: Added. (shouldBe): (shouldThrow): (BigInt.prototype.toJSON): (shouldBe.JSON.stringify): * stress/big-int-json-stringify.js: Added. (shouldBe): (shouldThrow): Source/_javascript_Core: This patch adds BigInt support to JSON.stringify, specified in [1]. [1]: https://tc39.github.io/proposal-bigint/#sec-serializejsonproperty * runtime/JSONObject.cpp: (JSC::unwrapBoxedPrimitive): (JSC::Stringifier::toJSON): (JSC::Stringifier::toJSONImpl): (JSC::Stringifier::appendStringifiedValue): LayoutTests: The test is wrong according to the spec[1]. valueOf of Boolean object won't be called. [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty * js/resources/JSON-stringify.js: * js/resources/json2-es5-compat.js: (str): Modified Paths trunk/JSTests/ChangeLog trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/resources/JSON-stringify.js trunk/LayoutTests/js/resources/json2-es5-compat.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSONObject.cpp Added Paths trunk/JSTests/stress/big-int-json-stringify-to-json.js trunk/JSTests/stress/big-int-json-stringify.js Diff Modified: trunk/JSTests/ChangeLog (239543 => 239544) --- trunk/JSTests/ChangeLog 2018-12-23 06:38:24 UTC (rev 239543) +++ trunk/JSTests/ChangeLog 2018-12-23 10:09:09 UTC (rev 239544) 
@@ -1,3 +1,19 @@ +2018-12-13 Yusuke Suzuki + +[BigInt] Support BigInt in JSON.stringify +https://bugs.webkit.org/show_bug.cgi?id=192624 + +Reviewed by Saam Barati. + +* stress/big-int-json-stringify-to-json.js: Added. +(shouldBe): +(shouldThrow): +(BigInt.prototype.toJSON): +(shouldBe.JSON.stringify): +* stress/big-int-json-stringify.js: Added. +(shouldBe): +(shouldThrow): + 2018-12-20 Yusuke Suzuki [JSC] Implement "well-formed JSON.stringify" proposal Added: trunk/JSTests/stress/big-int-json-stringify-to-json.js (0 => 239544) --- trunk/JSTests/stress/big-int-json-stringify-to-json.js (rev 0) +++ trunk/JSTests/stress/big-int-json-stringify-to-json.js 2018-12-23 10:09:09 UTC (rev 239544) @@ -0,0 +1,50 @@ +//@ runBigIntEnabled + +function shouldBe(actual, expected) +{ +if (actual !== expected) +throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +function shouldThrow(func, errorMessage) { +var errorThrown = false; +var error = null; +try { +func(); +} catch (e) { +errorThrown = true; +error = e; +} +if (!errorThrown) +throw new Error('not thrown'); +if (String(error) !== errorMessage) +throw new Error(`bad error: ${String(error)}`); +} +noInline(shouldThrow); + +var counter = 0; +BigInt.prototype.toJSON = function () { +++counter; +return Number(String(this)); +}; + +shouldBe(JSON.stringify(0n), `0`); +shouldBe(counter, 1); + +shouldBe(JSON.stringify([0n]), `[0]`); +shouldBe(counter, 2); + +shouldBe(JSON.stringify({hello:0n}), `{"hello":0}`); +shouldBe(counter, 3); + +var bigIntObject = Object(0n); + +shouldBe(JSON.stringify(bigIntObject), `0`); +shouldBe(counter, 4); + +shouldBe(JSON.stringify([bigIntObject]), `[0]`); +shouldBe(counter, 5); + +shouldBe(JSON.stringify({hello:bigIntObject}), `{"hello":0}`); +shouldBe(counter, 6); Added: trunk/JSTests/stress/big-int-json-stringify.js (0 => 239544) --- trunk/JSTests/stress/big-int-json-stringify.js (rev 0) +++ trunk/JSTests/stress/big-int-json-stringify.js 2018-12-23 10:09:09 UTC (rev 239544) 
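Review bot: `shouldThrow` is defined and passed to `noInline` but never called anywhere in this file, so it is dead weight that also hides the fact that the error path of `toJSON` is untested here. Either drop it or use it: a `toJSON` that throws, e.g. `BigInt.prototype.toJSON = function () { throw new Error('boom'); };` followed by `shouldThrow(() => JSON.stringify(1n), 'Error: boom');`, would confirm the exception propagates out of `JSON.stringify` rather than being swallowed. Every case also serializes only `0n`; one large value (say `2n ** 64n`) with a `toJSON` that returns `String(this)` would show the output comes from `toJSON` rather than from a lossy `Number` conversion.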
@@ -0,0 +1,52 @@ +//@ runBigIntEnabled + +function shouldBe(actual, expected) +{ +if (actual !== expected) +throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +function shouldThrow(func, errorMessage) { +var errorThrown = false; +var error = null; +try { +func(); +} catch (e) { +errorThrown = true; +error = e; +} +if (!errorThrown) +throw new Error('not thrown'); +if (String(error) !== errorMessage) +throw new Error(`bad error: ${String(error)}`); +} +noInline(shouldThrow); + +shouldThrow(() => { +JSON.stringify(0n); +}, `TypeError: JSON.stringify cannot serialize BigInt.`); + +shouldThrow(() => { +JSON.stringify([0n]); +}, `TypeError: JSON.stringify cannot serialize BigInt.`); + +shouldThrow(() => { +JSON.stringify({hello:0n}); +}, `TypeError: JSON.stringify cannot serialize BigInt.`); + +var bigIntObject = Object(0n); + +shouldThrow(() => { +JSON.stringify(bigIntObject); +}, `TypeError: JSON.stringify cannot serialize BigInt.`); + +shouldThrow(() => { +JSON.stringify([bigIntObject]); +}, `TypeError: JSON.stringify
[webkit-changes] [239537] trunk
Title: [239537] trunk Revision 239537 Author yusukesuz...@slowstart.org Date 2018-12-21 22:41:03 -0800 (Fri, 21 Dec 2018) Log Message [JSC] Implement "well-formed JSON.stringify" proposal https://bugs.webkit.org/show_bug.cgi?id=191677 Reviewed by Darin Adler. JSTests: * stress/json-surrogate-pair.js: Added. (shouldBe): * test262/expectations.yaml: Source/WTF: This patch implements "well-formed JSON.stringify" proposal[1], which is now stage 3. JSON.stringify appended surrogate pair codes even if it is not paired appropriately. The proposal requires that broken surrogate pairs are unicode-escaped. [1]: https://github.com/tc39/proposal-well-formed-stringify * wtf/text/StringBuilderJSON.cpp: (WTF::appendQuotedJSONStringInternal): LayoutTests: * css3/escape-dom-api-expected.txt: * js/dom/webidl-type-mapping-expected.txt: * js/resources/json2-es5-compat.js: (isHighSurrogate): (isLowSurrogate): (isSurrogate): (quote): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml trunk/LayoutTests/ChangeLog trunk/LayoutTests/css3/escape-dom-api-expected.txt trunk/LayoutTests/js/dom/webidl-type-mapping-expected.txt trunk/LayoutTests/js/resources/json2-es5-compat.js trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/text/StringBuilderJSON.cpp Added Paths trunk/JSTests/stress/json-surrogate-pair.js Diff Modified: trunk/JSTests/ChangeLog (239536 => 239537) --- trunk/JSTests/ChangeLog 2018-12-22 06:39:23 UTC (rev 239536) +++ trunk/JSTests/ChangeLog 2018-12-22 06:41:03 UTC (rev 239537) 
@@ -1,3 +1,14 @@ +2018-12-20 Yusuke Suzuki + +[JSC] Implement "well-formed JSON.stringify" proposal +https://bugs.webkit.org/show_bug.cgi?id=191677 + +Reviewed by Darin Adler. + +* stress/json-surrogate-pair.js: Added. +(shouldBe): +* test262/expectations.yaml: + 2018-12-20 Keith Miller Add support for globalThis Added: trunk/JSTests/stress/json-surrogate-pair.js (0 => 239537) --- trunk/JSTests/stress/json-surrogate-pair.js (rev 0) +++ trunk/JSTests/stress/json-surrogate-pair.js 2018-12-22 06:41:03 UTC (rev 239537) @@ -0,0 +1,14 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} + +shouldBe(JSON.stringify('𝌆'), `"𝌆"`); +shouldBe(JSON.stringify('\uD834\uDF06'), `"𝌆"`); +shouldBe(JSON.stringify('\uD834'), `"\\ud834"`); +shouldBe(JSON.stringify('\uDF06'), `"\\udf06"`); +shouldBe(JSON.stringify('\uDF06\uD834'), `"\\udf06\\ud834"`); +shouldBe(JSON.stringify('\uDEAD'), `"\\udead"`); +shouldBe(JSON.stringify('\uD834\uD834\uDF06'), `"\\ud834𝌆"`); +shouldBe(JSON.stringify('\uD834a'), `"\\ud834a"`); +shouldBe(JSON.stringify('\uD834\u0400'), `"\\ud834Ѐ"`); Modified: trunk/JSTests/test262/expectations.yaml (239536 => 239537) --- trunk/JSTests/test262/expectations.yaml 2018-12-22 06:39:23 UTC (rev 239536) +++ trunk/JSTests/test262/expectations.yaml 2018-12-22 06:41:03 UTC (rev 239537) 
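Review bot: The cases cover a lone high surrogate at the end, a lone low surrogate, a reversed pair and a high surrogate followed by a valid pair, but not a lone low surrogate followed by a valid pair (`shouldBe(JSON.stringify('\uDF06\uD834\uDF06'), '"\\udf06𝌆"');`), which is the input where the escaper must not consume the following high surrogate as a partner. Property keys are quoted too and nothing here checks them; `shouldBe(JSON.stringify({'\uD834': 1}), '{"\\ud834":1}');` would pin that path as well, assuming keys go through the same `appendQuotedJSONStringInternal` the commit changes.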
@@ -1022,9 +1022,6 @@ test/built-ins/JSON/parse/reviver-array-length-get-err.js: default: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all' strict mode: 'Test262Error: Expected a Test262Error to be thrown but no exception was thrown at all' -test/built-ins/JSON/stringify/string-escape-unicode.js: - default: 'Test262Error: JSON.stringify("\uD834") Expected SameValue(«"í ´"», «"\ud834"») to be true' - strict mode: 'Test262Error: JSON.stringify("\uD834") Expected SameValue(«"í ´"», «"\ud834"») to be true' test/built-ins/Map/proto-from-ctor-realm.js: default: 'Test262Error: Expected SameValue(«[object Map]», «[object Map]») to be true' strict mode: 'Test262Error: Expected SameValue(«[object Map]», «[object Map]») to be true' Modified: trunk/LayoutTests/ChangeLog (239536 => 239537) --- trunk/LayoutTests/ChangeLog 2018-12-22 06:39:23 UTC (rev 239536) +++ trunk/LayoutTests/ChangeLog 2018-12-22 06:41:03 UTC (rev 239537) @@ -1,3 +1,18 @@ +2018-12-20 Yusuke Suzuki + +[JSC] Implement "well-formed JSON.stringify" proposal +https://bugs.webkit.org/show_bug.cgi?id=191677 + +Reviewed by Darin Adler. + +* css3/escape-dom-api-expected.txt: +* js/dom/webidl-type-mapping-expected.txt: +* js/resources/json2-es5-compat.js: +(isHighSurrogate): +(isLowSurrogate): +(isSurrogate): +(quote): + 2018-12-21 Youenn Fablet RTCRtpSender.setParameters() does set active parameter Modified: trunk/LayoutTests/css3/escape-dom-api-expected.txt (239536 => 239537) --- trunk/LayoutTests/css3/escape-dom-api-expected.txt 2018-12-22 06:39:23 UTC (rev 239536) +++ trunk/LayoutTests/css3/escape-dom-api-expected.txt 2018-12-22 06:41:03 UTC (rev 239537) @@ -61,8 +61,8 @@ PASS CSS.escape('ABCDEFGHIJKLMNOPQRSTUVWXYZ') is "ABCDEFGHIJKLMNOPQRSTUVWXYZ" PASS CSS.escape(' !xy') is "\\ \\!xy" PASS CSS.escape('ð') is "ð" -PASS CSS.escape
[webkit-changes] [239536] trunk/Source/JavaScriptCore
Title: [239536] trunk/Source/_javascript_Core Revision 239536 Author yusukesuz...@slowstart.org Date 2018-12-21 22:39:23 -0800 (Fri, 21 Dec 2018) Log Message [JSC] Use appendUnbarriered for cached own keys https://bugs.webkit.org/show_bug.cgi?id=192981 Reviewed by Saam Barati. m_cachedOwnKeys would be changed to sentinel after checking `thisObject->m_cachedOwnKeys.unvalidatedGet() != cachedOwnKeysSentinel()` and before executing `visitor.append(thisObject->m_cachedOwnKeys)`. We never do this now, but might in the future. To make the code safe, we should use appendUnbarriered to mark non sentinel cell. * runtime/StructureRareData.cpp: (JSC::StructureRareData::visitChildren): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/StructureRareData.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (239535 => 239536) --- trunk/Source/_javascript_Core/ChangeLog 2018-12-22 06:37:39 UTC (rev 239535) +++ trunk/Source/_javascript_Core/ChangeLog 2018-12-22 06:39:23 UTC (rev 239536) @@ -1,3 +1,17 @@ +2018-12-21 Yusuke Suzuki + +[JSC] Use appendUnbarriered for cached own keys +https://bugs.webkit.org/show_bug.cgi?id=192981 + +Reviewed by Saam Barati. + +m_cachedOwnKeys would be changed to sentinel after checking `thisObject->m_cachedOwnKeys.unvalidatedGet() != cachedOwnKeysSentinel()` +and before executing `visitor.append(thisObject->m_cachedOwnKeys)`. We never do this now, but might in the future. +To make the code safe, we should use appendUnbarriered to mark non sentinel cell. + +* runtime/StructureRareData.cpp: +(JSC::StructureRareData::visitChildren): + 2018-12-20 Yusuke Suzuki Use Ref<> as much as possible Modified: trunk/Source/_javascript_Core/runtime/StructureRareData.cpp (239535 => 239536) --- trunk/Source/_javascript_Core/runtime/StructureRareData.cpp 2018-12-22 06:37:39 UTC (rev 239535) +++ trunk/Source/_javascript_Core/runtime/StructureRareData.cpp 2018-12-22 06:39:23 UTC (rev 239536) 
@@ -71,8 +71,9 @@ visitor.append(thisObject->m_previous); visitor.append(thisObject->m_objectToStringValue); visitor.append(thisObject->m_cachedPropertyNameEnumerator); -if (thisObject->m_cachedOwnKeys.unvalidatedGet() != cachedOwnKeysSentinel()) -visitor.append(thisObject->m_cachedOwnKeys); +auto* cachedOwnKeys = thisObject->m_cachedOwnKeys.unvalidatedGet(); +if (cachedOwnKeys != cachedOwnKeysSentinel()) +visitor.appendUnbarriered(cachedOwnKeys); } // --- Object.prototype.toString() helper watchpoint classes --- ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
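Review bot: The read-once pattern is the whole fix — loading `m_cachedOwnKeys` into `cachedOwnKeys` and using only that local — but nothing in the code records why, so a later cleanup that re-reads the member inside the `appendUnbarriered` call would quietly reintroduce the window the commit message describes. I'd put the rationale next to the local: `// Read the field exactly once: it may in future be swapped to the sentinel between the check and the append, and the sentinel must never reach the visitor.` `visitChildren` starts before this hunk.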
[webkit-changes] [239324] trunk
Title: [239324] trunk Revision 239324 Author yusukesuz...@slowstart.org Date 2018-12-17 22:54:49 -0800 (Mon, 17 Dec 2018) Log Message [JSC] Optimize Object.keys by caching own keys results in StructureRareData https://bugs.webkit.org/show_bug.cgi?id=190047 Reviewed by Saam Barati. JSTests: * stress/object-keys-cached-zero.js: Added. (shouldBe): (test): * stress/object-keys-changed-attribute.js: Added. (shouldBe): (test): * stress/object-keys-changed-index.js: Added. (shouldBe): (test): * stress/object-keys-changed.js: Added. (shouldBe): (test): * stress/object-keys-indexed-non-cache.js: Added. (shouldBe): (test): * stress/object-keys-overrides-get-property-names.js: Added. (shouldBe): (test): (noInline): Source/_javascript_Core: Object.keys is one of the most frequently used functions in web-tooling-benchmarks (WTB). Object.keys is dominant in lebab of WTB, and frequently called in babel and others. Since our Structure knows the shape of JSObject, we can cache the result of Object.keys in Structure (StructureRareData) as we cache JSPropertyNameEnumerator in StructureRareData. This patch caches the result of Object.keys in StructureRareData. The cached array is created as JSImmutableButterfly. And Object.keys creates a CoW array from this data. Currently, the lifetime strategy of this JSImmutableButterfly is the same as that of the cached JSPropertyNameEnumerator. It is referenced from Structure, and collected when Structure is collected. This improves several benchmarks in SixSpeed. baseline patched object-assign.es5 350.1710+-3.6303 ^226.0368+-4.7558^ definitely 1.5492x faster for-of-object.es6 269.1941+-3.3430 ^127.9317+-2.3875^ definitely 2.1042x faster And it improves WTB lebab by 11.8%. 
Before: lebab: 6.10 runs/s After: lebab: 6.82 runs/s * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.cpp: (JSC::DFG::Node::convertToNewArrayBuffer): * dfg/DFGNode.h: * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileObjectKeys): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): * runtime/Butterfly.h: (JSC::ContiguousData::Data::setStartingValue): * runtime/Intrinsic.cpp: (JSC::intrinsicName): * runtime/Intrinsic.h: * runtime/JSImmutableButterfly.h: (JSC::JSImmutableButterfly::JSImmutableButterfly): We set JSEmpty to the underlying butterfly storage if indexing type is Contiguous. Otherwise, JSImmutableButterfly is half-baked one until all the storage is filled with some meaningful values, it leads to crash if half-baked JSImmutableButterfly is exposed to GC. 
* runtime/ObjectConstructor.cpp: (JSC::ownPropertyKeys): * runtime/Structure.cpp: (JSC::Structure::canCachePropertyNameEnumerator const): * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::setCachedOwnKeys): (JSC::Structure::cachedOwnKeys const): (JSC::Structure::cachedOwnKeysIgnoringSentinel const): (JSC::Structure::canCacheOwnKeys const): * runtime/StructureRareData.cpp: (JSC::StructureRareData::visitChildren): (JSC::StructureRareData::cachedPropertyNameEnumerator const): Deleted. (JSC::StructureRareData::setCachedPropertyNameEnumerator): Deleted. * runtime/StructureRareData.h: * runtime/StructureRareDataInlines.h: (JSC::StructureRareData::cachedPropertyNameEnumerator const): (JSC::StructureRareData::setCachedPropertyNameEnumerator): (JSC::StructureRareData::cachedOwnKeys const): (JSC::StructureRareData::cachedOwnKeysIgnoringSentinel const): (JSC::StructureRareData::cachedOwnKeysConcurrently const): (JSC::StructureRareData::setCachedOwnKeys): (JSC::StructureRareData::previousID const): Deleted. * runtime/VM.cpp: (JSC::VM::VM): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGNode.cpp trunk/Sour
[webkit-changes] [239257] trunk/Source
Title: [239257] trunk/Source Revision 239257 Author yusukesuz...@slowstart.org Date 2018-12-15 22:12:53 -0800 (Sat, 15 Dec 2018) Log Message Unreviewed, suppress warnings in Linux Source/bmalloc: * bmalloc/Gigacage.cpp: Source/_javascript_Core: * jsc.cpp: (jscmain): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jsc.cpp trunk/Source/bmalloc/ChangeLog trunk/Source/bmalloc/bmalloc/Gigacage.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (239256 => 239257) --- trunk/Source/_javascript_Core/ChangeLog 2018-12-16 05:49:01 UTC (rev 239256) +++ trunk/Source/_javascript_Core/ChangeLog 2018-12-16 06:12:53 UTC (rev 239257) @@ -1,5 +1,12 @@ 2018-12-15 Yusuke Suzuki +Unreviewed, suppress warnings in Linux + +* jsc.cpp: +(jscmain): + +2018-12-15 Yusuke Suzuki + Null pointer dereference in JSC::WriteBarrierBase() https://bugs.webkit.org/show_bug.cgi?id=191252 Modified: trunk/Source/_javascript_Core/jsc.cpp (239256 => 239257) --- trunk/Source/_javascript_Core/jsc.cpp 2018-12-16 05:49:01 UTC (rev 239256) +++ trunk/Source/_javascript_Core/jsc.cpp 2018-12-16 06:12:53 UTC (rev 239257) @@ -2914,6 +2914,7 @@ int result = runJSC( options, false, [&] (VM& vm, GlobalObject* globalObject, bool& success) { +UNUSED_PARAM(vm); #if PLATFORM(COCOA) vm.setOnEachMicrotaskTick(WTFMove(onEachMicrotaskTick)); #endif Modified: trunk/Source/bmalloc/ChangeLog (239256 => 239257) --- trunk/Source/bmalloc/ChangeLog 2018-12-16 05:49:01 UTC (rev 239256) +++ trunk/Source/bmalloc/ChangeLog 2018-12-16 06:12:53 UTC (rev 239257) @@ -1,3 +1,9 @@ +2018-12-15 Yusuke Suzuki + +Unreviewed, suppress warnings in Linux + +* bmalloc/Gigacage.cpp: + 2018-12-14 Keith Miller Gigacage runway should immediately follow the primitive cage Modified: trunk/Source/bmalloc/bmalloc/Gigacage.cpp (239256 => 239257) --- trunk/Source/bmalloc/bmalloc/Gigacage.cpp 2018-12-16 05:49:01 UTC (rev 239256) +++ trunk/Source/bmalloc/bmalloc/Gigacage.cpp 2018-12-16 06:12:53 UTC (rev 239257) 
@@ -108,6 +108,7 @@
 case Kind::JSValue:
 return static_cast(0);
 }
+return static_cast(0);
 }
 #endif
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
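Review bot: The added `return static_cast(0);` after the `switch` silences the missing-return warning, but it also turns any `Kind` value without a `case` into a silent zero instead of a detectable failure. Marking the fall-through as unreachable first, e.g. bmalloc's `BCRASH();` immediately before the new `return`, keeps the warning fix while preserving the exhaustiveness the switch was relying on. The `static_cast` template argument is lost in this rendering, and the enclosing function starts outside the hunk.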
[webkit-changes] [239256] trunk/Source
Title: [239256] trunk/Source Revision 239256 Author yusukesuz...@slowstart.org Date 2018-12-15 21:49:01 -0800 (Sat, 15 Dec 2018) Log Message Null pointer dereference in JSC::WriteBarrierBase() https://bugs.webkit.org/show_bug.cgi?id=191252 Reviewed by Keith Miller. Source/_javascript_Core: JSPromiseDeferred::create can return nullptr and an exception if stack overflow happens. We would like to make it RELEASE_ASSERT since the current module mechanism is not immune to stack overflow. This patch renames JSPromiseDeferred::create to JSPromiseDeferred::tryCreate to tell that it can return nullptr. And we insert error checks or assertions after this call. * jsc.cpp: (GlobalObject::moduleLoaderImportModule): (GlobalObject::moduleLoaderFetch): * runtime/Completion.cpp: (JSC::rejectPromise): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncImportModule): * runtime/JSInternalPromiseDeferred.cpp: (JSC::JSInternalPromiseDeferred::tryCreate): (JSC::JSInternalPromiseDeferred::create): Deleted. 
* runtime/JSInternalPromiseDeferred.h: * runtime/JSModuleLoader.cpp: (JSC::JSModuleLoader::importModule): (JSC::JSModuleLoader::resolve): (JSC::JSModuleLoader::fetch): (JSC::moduleLoaderParseModule): * runtime/JSPromise.h: * runtime/JSPromiseDeferred.cpp: (JSC::JSPromiseDeferred::tryCreate): * runtime/JSPromiseDeferred.h: * wasm/js/WebAssemblyPrototype.cpp: (JSC::webAssemblyCompileFunc): (JSC::webAssemblyInstantiateFunc): (JSC::webAssemblyCompileStreamingInternal): (JSC::webAssemblyInstantiateStreamingInternal): Source/WebCore: * bindings/js/JSCustomElementRegistryCustom.cpp: (WebCore::JSCustomElementRegistry::whenDefined): * bindings/js/JSDOMPromiseDeferred.cpp: (WebCore::createDeferredPromise): * bindings/js/JSDOMPromiseDeferred.h: (WebCore::DeferredPromise::create): (WebCore::callPromiseFunction): * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::moduleLoaderFetch): (WebCore::JSDOMWindowBase::moduleLoaderImportModule): * bindings/js/ScriptModuleLoader.cpp: (WebCore::ScriptModuleLoader::fetch): (WebCore::rejectPromise): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jsc.cpp trunk/Source/_javascript_Core/runtime/Completion.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp trunk/Source/_javascript_Core/runtime/JSInternalPromiseDeferred.cpp trunk/Source/_javascript_Core/runtime/JSInternalPromiseDeferred.h trunk/Source/_javascript_Core/runtime/JSModuleLoader.cpp trunk/Source/_javascript_Core/runtime/JSPromise.h trunk/Source/_javascript_Core/runtime/JSPromiseDeferred.cpp trunk/Source/_javascript_Core/runtime/JSPromiseDeferred.h trunk/Source/_javascript_Core/wasm/js/WebAssemblyPrototype.cpp trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.h trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 
trunk/Source/WebCore/bindings/js/ScriptModuleLoader.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (239255 => 239256) --- trunk/Source/_javascript_Core/ChangeLog 2018-12-16 00:21:25 UTC (rev 239255) +++ trunk/Source/_javascript_Core/ChangeLog 2018-12-16 05:49:01 UTC (rev 239256) @@ -1,3 +1,43 @@ +2018-12-15 Yusuke Suzuki + +Null pointer dereference in JSC::WriteBarrierBase() +https://bugs.webkit.org/show_bug.cgi?id=191252 + +Reviewed by Keith Miller. + +JSPromiseDeferred::create can return nullptr and an exception if stack overflow happens. +We would like to make it RELEASE_ASSERT since the current module mechanism is not immune +to stack overflow. + +This patch renames JSPromiseDeferred::create to JSPromiseDeferred::tryCreate to tell that +it can return nullptr. And we insert error checks or assertions after this call. + +* jsc.cpp: +(GlobalObject::moduleLoaderImportModule): +(GlobalObject::moduleLoaderFetch): +* runtime/Completion.cpp: +(JSC::rejectPromise): +* runtime/JSGlobalObjectFunctions.cpp: +(JSC::globalFuncImportModule): +* runtime/JSInternalPromiseDeferred.cpp: +(JSC::JSInternalPromiseDeferred::tryCreate): +(JSC::JSInternalPromiseDeferred::create): Deleted. +* runtime/JSInternalPromiseDeferred.h: +* runtime/JSModuleLoader.cpp: +(JSC::JSModuleLoader::importModule): +(JSC::JSModuleLoader::resolve): +(JSC::JSModuleLoader::fetch): +(JSC::moduleLoaderParseModule): +* runtime/JSPromise.h: +* runtime/JSPromiseDeferred.cpp: +(JSC::JSPromiseDeferred::tryCreate): +* runtime/JSPromiseDeferred.h: +* wasm/js/WebAssemblyPrototype.cpp: +(JSC::webAssemblyCompileFunc): +(JSC::webAssemblyInstantiateFunc): +(JSC::webAssemblyCompileStreamingInternal): +(JSC::webAssemblyInstantiateStreamingInternal): + 2018-12-15 Darin Adl
[webkit-changes] [239155] trunk/Source/JavaScriptCore
Title: [239155] trunk/Source/_javascript_Core Revision 239155 Author yusukesuz...@slowstart.org Date 2018-12-13 00:37:35 -0800 (Thu, 13 Dec 2018) Log Message Unreviewed, build fix after r239153, part 2 https://bugs.webkit.org/show_bug.cgi?id=190047 * runtime/StructureRareDataInlines.h: (JSC::StructureRareData::cachedOwnKeys const): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/StructureRareDataInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (239154 => 239155) --- trunk/Source/_javascript_Core/ChangeLog 2018-12-13 08:06:30 UTC (rev 239154) +++ trunk/Source/_javascript_Core/ChangeLog 2018-12-13 08:37:35 UTC (rev 239155) @@ -1,5 +1,13 @@ 2018-12-13 Yusuke Suzuki +Unreviewed, build fix after r239153, part 2 +https://bugs.webkit.org/show_bug.cgi?id=190047 + +* runtime/StructureRareDataInlines.h: +(JSC::StructureRareData::cachedOwnKeys const): + +2018-12-13 Yusuke Suzuki + Unreviewed, build fix after r239153 https://bugs.webkit.org/show_bug.cgi?id=190047 Modified: trunk/Source/_javascript_Core/runtime/StructureRareDataInlines.h (239154 => 239155) --- trunk/Source/_javascript_Core/runtime/StructureRareDataInlines.h 2018-12-13 08:06:30 UTC (rev 239154) +++ trunk/Source/_javascript_Core/runtime/StructureRareDataInlines.h 2018-12-13 08:37:35 UTC (rev 239155) @@ -59,7 +59,7 @@ inline JSImmutableButterfly* StructureRareData::cachedOwnKeys() const { -ASSERT(!compilationOrGCThread()); +ASSERT(!isCompilationThread()); return m_cachedOwnKeys.get(); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
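Review bot: The assertion in `cachedOwnKeys()` is weakened from `!compilationOrGCThread()` to `!isCompilationThread()`, so a call from a GC thread no longer trips the debug check, and nothing in the hunk says whether that is intended or just the nearest predicate that compiled. If GC-side readers are meant to go through `cachedOwnKeysConcurrently()` instead, a one-line comment above the assertion, e.g. `// Only the compiler thread is excluded; GC-thread readers use cachedOwnKeysConcurrently().`, would keep the next reader from re-tightening it blindly. If the weakening is accidental, the GC-thread half of the check should be restored with whatever predicate is available rather than dropped.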
[webkit-changes] [239154] trunk/Source/JavaScriptCore
Title: [239154] trunk/Source/_javascript_Core Revision 239154 Author yusukesuz...@slowstart.org Date 2018-12-13 00:06:30 -0800 (Thu, 13 Dec 2018) Log Message Unreviewed, build fix after r239153 https://bugs.webkit.org/show_bug.cgi?id=190047 * runtime/StructureRareDataInlines.h: (JSC::StructureRareData::cachedOwnKeys const): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/StructureRareDataInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (239153 => 239154) --- trunk/Source/_javascript_Core/ChangeLog 2018-12-13 07:13:38 UTC (rev 239153) +++ trunk/Source/_javascript_Core/ChangeLog 2018-12-13 08:06:30 UTC (rev 239154) @@ -1,3 +1,11 @@ +2018-12-13 Yusuke Suzuki + +Unreviewed, build fix after r239153 +https://bugs.webkit.org/show_bug.cgi?id=190047 + +* runtime/StructureRareDataInlines.h: +(JSC::StructureRareData::cachedOwnKeys const): + 2018-12-10 Yusuke Suzuki [JSC] Optimize Object.keys by caching own keys results in StructureRareData Modified: trunk/Source/_javascript_Core/runtime/StructureRareDataInlines.h (239153 => 239154) --- trunk/Source/_javascript_Core/runtime/StructureRareDataInlines.h 2018-12-13 07:13:38 UTC (rev 239153) +++ trunk/Source/_javascript_Core/runtime/StructureRareDataInlines.h 2018-12-13 08:06:30 UTC (rev 239154) @@ -59,7 +59,7 @@ inline JSImmutableButterfly* StructureRareData::cachedOwnKeys() const { -ASSERT(!compilationOrGCThread()) +ASSERT(!compilationOrGCThread()); return m_cachedOwnKeys.get(); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [239153] trunk
Title: [239153] trunk Revision 239153 Author yusukesuz...@slowstart.org Date 2018-12-12 23:13:38 -0800 (Wed, 12 Dec 2018) Log Message [JSC] Optimize Object.keys by caching own keys results in StructureRareData https://bugs.webkit.org/show_bug.cgi?id=190047 Reviewed by Keith Miller. JSTests: * stress/object-keys-cached-zero.js: Added. (shouldBe): (test): * stress/object-keys-changed-attribute.js: Added. (shouldBe): (test): * stress/object-keys-changed-index.js: Added. (shouldBe): (test): * stress/object-keys-changed.js: Added. (shouldBe): (test): * stress/object-keys-indexed-non-cache.js: Added. (shouldBe): (test): * stress/object-keys-overrides-get-property-names.js: Added. (shouldBe): (test): (noInline): Source/_javascript_Core: Object.keys is one of the most frequently used function in web-tooling-benchmarks (WTB). Object.keys is dominant in lebab of WTB, and frequently called in babel and others. Since our Structure knows the shape of JSObject, we can cache the result of Object.keys in Structure (StructureRareData) as we cache JSPropertyNameEnumerator in StructureRareData. This patch caches the result of Object.keys in StructureRareData. The cached array is created as JSImmutableButterfly. And Object.keys creates CoW from this data. Currently, the lifetime strategy of this JSImmutableButterfly is the same to cached JSPropertyNameEnumerator. It is referenced from Structure, and collected when Structure is collected. This improves several benchmarks in SixSpeed. baseline patched object-assign.es5 350.1710+-3.6303 ^226.0368+-4.7558^ definitely 1.5492x faster for-of-object.es6 269.1941+-3.3430 ^127.9317+-2.3875^ definitely 2.1042x faster And it improves WTB lebab by 11.8%. 
Before: lebab: 6.10 runs/s After: lebab: 6.82 runs/s * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.cpp: (JSC::DFG::Node::convertToNewArrayBuffer): * dfg/DFGNode.h: * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileObjectKeys): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys): * runtime/Intrinsic.cpp: (JSC::intrinsicName): * runtime/Intrinsic.h: * runtime/JSImmutableButterfly.h: (JSC::JSImmutableButterfly::createSentinel): * runtime/ObjectConstructor.cpp: (JSC::ownPropertyKeys): * runtime/Structure.cpp: (JSC::Structure::canCachePropertyNameEnumerator const): * runtime/Structure.h: * runtime/StructureInlines.h: (JSC::Structure::setCachedOwnKeys): (JSC::Structure::cachedOwnKeys const): (JSC::Structure::canCacheOwnKeys const): * runtime/StructureRareData.cpp: (JSC::StructureRareData::visitChildren): (JSC::StructureRareData::cachedPropertyNameEnumerator const): Deleted. (JSC::StructureRareData::setCachedPropertyNameEnumerator): Deleted. 
* runtime/StructureRareData.h: * runtime/StructureRareDataInlines.h: (JSC::StructureRareData::cachedPropertyNameEnumerator const): (JSC::StructureRareData::setCachedPropertyNameEnumerator): (JSC::StructureRareData::cachedOwnKeys const): (JSC::StructureRareData::cachedOwnKeysConcurrently const): (JSC::StructureRareData::setCachedOwnKeys): (JSC::StructureRareData::previousID const): Deleted. * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGNode.cpp trunk/Source/_javascript_Core/dfg/DFGNode.h trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.h trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Co
[webkit-changes] [239142] trunk
Title: [239142] trunk Revision 239142 Author yusukesuz...@slowstart.org Date 2018-12-12 18:09:28 -0800 (Wed, 12 Dec 2018) Log Message [DFG][FTL] Add NewSymbol https://bugs.webkit.org/show_bug.cgi?id=192620 Reviewed by Saam Barati. JSTests: * microbenchmarks/symbol-creation.js: Added. (test): * stress/symbol-description-identity.js: Added. (shouldBe): (test): * stress/symbol-identity.js: Added. (shouldBe): (test): * stress/symbol-with-description-throw-error.js: Added. (shouldBe): (shouldThrow): (test): (object.toString): Source/_javascript_Core: This patch introduces NewSymbol DFG node into DFG and FTL tiers. The main goal of this patch is not optimize NewSymbol code faster. Rather than that, this patch intends to offer SpecSymbol type information into DFG's data flow to optimize generated code in FTL backend. We add NewSymbol DFG node, which may take an argument. If an argument is not given, NewSymbol is for `Symbol()`. If an argument is given, ToString is emitted to this argument before passing it to NewSymbol. So NewSymbol node itself does not perform any type checks. ToString performs effects, but NewSymbol doesn't have any side observable effects. So we can decouple Symbol(description) call into NewSymbol(ToString(description)). 
* dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGClobbersExitState.cpp: (JSC::DFG::clobbersExitState): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGMayExit.cpp: * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewSymbol): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStoreBarrierInsertionPhase.cpp: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGClobbersExitState.cpp trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGMayExit.cpp trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.h trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 
trunk/Source/_javascript_Core/dfg/DFGStoreBarrierInsertionPhase.cpp trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths trunk/JSTests/microbenchmarks/symbol-creation.js trunk/JSTests/stress/symbol-description-identity.js trunk/JSTests/stress/symbol-identity.js trunk/JSTests/stress/symbol-with-description-throw-error.js Diff Modified: trunk/JSTests/ChangeLog (239141 => 239142) --- trunk/JSTests/ChangeLog 2018-12-13 02:01:37 UTC (rev 239141) +++ trunk/JSTests/ChangeLog 2018-12-13 02:09:28 UTC (rev 239142) @@ -1,5 +1,26 @@ 2018-12-12 Yusuke Suzuki +[DFG][FTL] Add NewSymbol +https://bugs.webkit.org/show_bug.cgi?id=192620 + +Reviewed by Saam Barati. + +* microbenchmarks/symbol-creation.js: Added. +(test): +* stress/symbol-description-identity.js: Added. +(shouldBe): +(test): +* stress/symbol-identity.js: Added. +(shouldBe): +(test): +* stress/symbol-with-description-throw-error.js: Added. +(shouldBe): +(shouldThrow): +(test): +(object.toString): + +2018-12-12 Yusuke Suzuki + [BigInt] Implement DFG/FTL typeof for BigInt https://bugs.webkit.org/show_bug.cgi?id=192619 Added: trunk/JSTests/microbenchmarks/symbol-creation.js (0 => 239142) --- trunk/JSTests/microbenchmarks/symbol-creation.js (rev 0) +++ trunk/JSTests/microbenchmarks/symbol-creation.js 2018-12-13 02:09:28 UTC (rev 239142) @@ -0,0 +1,8 @@ +function test() +{ +return Symbol(); +} +noInline(test); + +for (var i = 0; i < 4e5; ++i) +test(); Added: trunk/JSTests/stress/symbol-description-identity.
[webkit-changes] [239141] trunk
Title: [239141] trunk Revision 239141 Author yusukesuz...@slowstart.org Date 2018-12-12 18:01:37 -0800 (Wed, 12 Dec 2018) Log Message [BigInt] Implement DFG/FTL typeof for BigInt https://bugs.webkit.org/show_bug.cgi?id=192619 Reviewed by Keith Miller. JSTests: * stress/big-int-boolean-proven-type.js: Added. (assert): (bool): * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added. (assert): (typeOf): (i.switch): * stress/big-int-type-of-proven-type-non-constant.js: Added. (assert): (typeOf): * stress/big-int-type-of.js: (typeOf): (func): Source/_javascript_Core: This patch implements typeof for BigInt in DFG and FTL. Our DFG and FTL tiers now correctly consider about BigInt in the code generated for typeof. * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::boolify): We add (SpecCell - SpecString) type filter for proven type since isString check is already performed here. (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): We use (SpecCell - SpecObject - SpecString) type filter for proven type since String and Object are already checked here. If we know the proven type does not include Symbol type here, we can omit the code for Symbol type. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::emitTypeOf): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/big-int-type-of.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h Added Paths trunk/JSTests/stress/big-int-boolean-proven-type.js trunk/JSTests/stress/big-int-type-of-proven-type-non-constant-including-symbol.js trunk/JSTests/stress/big-int-type-of-proven-type-non-constant.js Diff Modified: trunk/JSTests/ChangeLog (239140 => 239141) --- trunk/JSTests/ChangeLog 2018-12-13 01:32:58 UTC (rev 239140) +++ trunk/JSTests/ChangeLog 2018-12-13 02:01:37 UTC (rev 239141) 
@@ -1,3 +1,24 @@ +2018-12-12 Yusuke Suzuki + +[BigInt] Implement DFG/FTL typeof for BigInt +https://bugs.webkit.org/show_bug.cgi?id=192619 + +Reviewed by Keith Miller. + +* stress/big-int-boolean-proven-type.js: Added. +(assert): +(bool): +* stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added. +(assert): +(typeOf): +(i.switch): +* stress/big-int-type-of-proven-type-non-constant.js: Added. +(assert): +(typeOf): +* stress/big-int-type-of.js: +(typeOf): +(func): + 2018-12-10 Mark Lam PropertyAttribute needs a CustomValue bit. Added: trunk/JSTests/stress/big-int-boolean-proven-type.js (0 => 239141) --- trunk/JSTests/stress/big-int-boolean-proven-type.js (rev 0) +++ trunk/JSTests/stress/big-int-boolean-proven-type.js 2018-12-13 02:01:37 UTC (rev 239141) @@ -0,0 +1,21 @@ +//@ runBigIntEnabled + +function assert(a) { +if (!a) +throw new Error("Bad assertion"); +} + +function bool(n) { +var value = "string"; +if (n & 0x1) +value = 0n; +return !!value; +} +noInline(bool); + +for (let i = 0; i < 1e6; i++) { +if (i & 0x1) +assert(bool(i) === false); +else +assert(bool(i) === true); +} Added: trunk/JSTests/stress/big-int-type-of-proven-type-non-constant-including-symbol.js (0 => 239141) --- trunk/JSTests/stress/big-int-type-of-proven-type-non-constant-including-symbol.js (rev 0) +++ trunk/JSTests/stress/big-int-type-of-proven-type-non-constant-including-symbol.js 2018-12-13 02:01:37 UTC (rev 239141) 
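Review bot: In `bool()` the initializer `var value = "string";` reads as dead code that a cleanup would remove, yet it is what puts String into the proven type of `value` next to `0n`, which is the case the test exists for; a comment such as `// Seed a String so value's proven type is String|BigInt, not a constant.` above it keeps that intent visible. The same pattern recurs in `typeOf()` of big-int-type-of-proven-type-non-constant.js in the next file section. Also, `assert()` throws `"Bad assertion"` with no context, so a failure reports neither `i` nor the observed value; accepting a message, `function assert(a, message) { if (!a) throw new Error(message || "Bad assertion"); }`, would make failures actionable.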
@@ -0,0 +1,33 @@ +//@ runBigIntEnabled + +function assert(a) { +if (!a) +throw new Error("Bad assertion"); +} + +function typeOf(n) { +var value = "string"; +var dispatcher = n % 3; +if (dispatcher === 0) +value = 1n; +else if (dispatcher === 1) +value = "string"; +else +value = Symbol("symbol"); +return typeof value; +} +noInline(typeOf); + +for (let i = 0; i < 1e6; i++) { +switch (i % 3) { +case 0: +assert(typeOf(i) === "bigint"); +break; +case 1: +assert(typeOf(i) === "string"); +break; +case 2: +assert(typeOf(i) === "symbol"); +break; +} +} Added: trunk/JSTests/stress/big-int-type-of-proven-type-non-constant.js (0 => 239141) --- trunk/JSTests/stress/big-int-type-of-proven-type-non-constant.js (rev 0) +++ trunk/JSTests/stress/big-int-type-of-proven-type-non-constant.js 2018-12-13 02:01:37 UTC (rev 239141) @@ -0,0 +1,21 @@ +//@ runBigIntEnabled + +function assert(a) { +if (!a) +throw new Error("Bad assertion"); +} + +function typeOf(n) { +var value = "string"; +if (n & 0x1) +value = 1n; +return typeof value; +} +noInline(typeOf); + +for (let i = 0; i < 1e6; i++) { +if (i & 0x1) +assert(typeOf(i) === "bigint"); +else +assert(typeOf(i) === "string"); +} Modified: trunk/JSTests/stress/big
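Review bot: In this `typeOf()` the initializer `var value = "string";` is dead: every branch of the `dispatcher` chain assigns `value` before it is read, so unlike the two-way variants it contributes nothing to the proven type being tested. Either drop it (`var value;`) or, if the three files are deliberately kept parallel, say so in a comment so a later cleanup does not treat the live initializers in the sibling tests the same way. The `typeOf()` in big-int-type-of-proven-type-non-constant.js, the third hunk on this line, is the live form of the pattern and needs no change.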
[webkit-changes] [239099] trunk/Source/JavaScriptCore
Title: [239099] trunk/Source/_javascript_Core Revision 239099 Author yusukesuz...@slowstart.org Date 2018-12-12 00:38:45 -0800 (Wed, 12 Dec 2018) Log Message [BigInt] Simplify boolean context evaluation by leveraging JSString::offsetOfLength() == JSBigInt::offsetOfLength() https://bugs.webkit.org/show_bug.cgi?id=192615 Reviewed by Saam Barati. JSString and JSBigInt have similar concept in terms of the implementation. Both are immutable, JSCells, and have length information. m_length is located just after JSCell header part, we can ensure `JSString::offsetOfLength() == JSBigInt::offsetOfLength()`, and it allows us to optimize the boolean context evaluation. This patch leverages the above information to reduce the code size for the boolean context evaluation. * ftl/FTLAbstractHeapRepository.cpp: (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::boolify): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitConvertValueToBoolean): (JSC::AssemblyHelpers::branchIfValue): * runtime/JSBigInt.cpp: (JSC::JSBigInt::JSBigInt): (JSC::JSBigInt::offsetOfLength): Deleted. * runtime/JSBigInt.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/runtime/JSBigInt.cpp trunk/Source/_javascript_Core/runtime/JSBigInt.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (239098 => 239099) --- trunk/Source/_javascript_Core/ChangeLog 2018-12-12 05:54:17 UTC (rev 239098) +++ trunk/Source/_javascript_Core/ChangeLog 2018-12-12 08:38:45 UTC (rev 239099) 
@@ -1,3 +1,30 @@ +2018-12-11 Yusuke Suzuki + +[BigInt] Simplify boolean context evaluation by leveraging JSString::offsetOfLength() == JSBigInt::offsetOfLength() +https://bugs.webkit.org/show_bug.cgi?id=192615 + +Reviewed by Saam Barati. + +JSString and JSBigInt have similar concept in terms of the implementation. +Both are immutable, JSCells, and have length information. m_length is located +just after JSCell header part, we can ensure `JSString::offsetOfLength() == JSBigInt::offsetOfLength()`, +and it allows us to optimize the boolean context evaluation. + +This patch leverages the above information to reduce the code size for the boolean context evaluation. + +* ftl/FTLAbstractHeapRepository.cpp: +(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): +* ftl/FTLAbstractHeapRepository.h: +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::boolify): +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::emitConvertValueToBoolean): +(JSC::AssemblyHelpers::branchIfValue): +* runtime/JSBigInt.cpp: +(JSC::JSBigInt::JSBigInt): +(JSC::JSBigInt::offsetOfLength): Deleted. +* runtime/JSBigInt.h: + 2018-12-11 Justin Michaud Implement feature flag for CSS Typed OM Modified: trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp (239098 => 239099) --- trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp 2018-12-12 05:54:17 UTC (rev 239098) +++ trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp 2018-12-12 08:38:45 UTC (rev 239099) @@ -61,6 +61,8 @@ , JSCell_freeListNext(JSCell_header) , ArrayStorage_publicLength(Butterfly_publicLength) , ArrayStorage_vectorLength(Butterfly_vectorLength) +, JSBigInt_length(JSBigIntOrString_length) +, JSString_length(JSBigIntOrString_length) #define INDEXED_ABSTRACT_HEAP_INITIALIZATION(name, offset, size) , name(&root, #name, offset, size) FOR_EACH_INDEXED_ABSTRACT_HEAP(INDEXED_ABSTRACT_HEAP_INITIALIZATION) 
@@ -78,6 +80,8 @@ RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 2 == JSCell_typeInfoFlags.offset()); RELEASE_ASSERT(JSCell_indexingTypeAndMisc.offset() + 3 == JSCell_cellState.offset()); +RELEASE_ASSERT(JSBigInt::offsetOfLength() == JSString::offsetOfLength()); + JSCell_structureID.changeParent(&JSCell_header); JSCell_usefulBytes.changeParent(&JSCell_header); JSCell_indexingTypeAndMisc.changeParent(&JSCell_usefulBytes); Modified: trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h (239098 => 239099) --- trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h 2018-12-12 05:54:17 UTC (rev 239098) +++ trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h 2018-12-12 08:38:45 UTC (rev 239099) @@ -63,6 +63,7 @@ macro(JSArrayBufferView_length, JSArrayBufferView::offsetOfLength()) \ macro(JSArrayBufferView_mode, JSArrayBufferView::offsetOfMode()) \ macro(JSArrayBufferView_vector, JSArrayBufferView::offsetOfVector()) \ +macro(JSBigIntOrString_leng
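Review bot: `RELEASE_ASSERT(JSBigInt::offsetOfLength() == JSString::offsetOfLength())` only fires when an `AbstractHeapRepository` is constructed at runtime, while the layout equality it guards is a compile-time property that the new `JSBigInt_length` and `JSString_length` aliases in the first hunk depend on. If both `offsetOfLength()` functions are, or can be made, `constexpr`, a `static_assert` next to the `JSBigIntOrString_length` declaration would fail the build instead; if not, a comment tying the check to its consumers, e.g. `// JSBigInt_length and JSString_length alias JSBigIntOrString_length; the two layouts must stay in sync.`, records why the assertion exists. The constructor body continues outside the hunk.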
[webkit-changes] [239021] trunk/Source/WTF
Title: [239021] trunk/Source/WTF Revision 239021 Author yusukesuz...@slowstart.org Date 2018-12-09 08:43:02 -0800 (Sun, 09 Dec 2018) Log Message Unreviewed, fix build failure on GCC 8.2, part 2 Add RefCountedArray::assign, and use it instead of operator= internally. We should have operator=(const RefCountedArray&) since it will be automatically generated if we do not have correct implementation here. * wtf/RefCountedArray.h: (WTF::RefCountedArray::operator=): (WTF::RefCountedArray::assign): Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/RefCountedArray.h Diff Modified: trunk/Source/WTF/ChangeLog (239020 => 239021) --- trunk/Source/WTF/ChangeLog 2018-12-09 16:09:07 UTC (rev 239020) +++ trunk/Source/WTF/ChangeLog 2018-12-09 16:43:02 UTC (rev 239021) @@ -1,5 +1,17 @@ 2018-12-09 Yusuke Suzuki +Unreviewed, fix build failure on GCC 8.2, part 2 + +Add RefCountedArray::assign, and use it instead of operator= internally. +We should have operator=(const RefCountedArray&) since it will be automatically generated +if we do not have correct implementation here. + +* wtf/RefCountedArray.h: +(WTF::RefCountedArray::operator=): +(WTF::RefCountedArray::assign): + +2018-12-09 Yusuke Suzuki + Unreviewed, fix build failure on GCC 8.2 We remove operator= call since it is not necessary. Modified: trunk/Source/WTF/wtf/RefCountedArray.h (239020 => 239021) --- trunk/Source/WTF/wtf/RefCountedArray.h 2018-12-09 16:09:07 UTC (rev 239020) +++ trunk/Source/WTF/wtf/RefCountedArray.h 2018-12-09 16:43:02 UTC (rev 239021) 
@@ -105,19 +105,12 @@
 template
 RefCountedArray& operator=(const RefCountedArray& other)
 {
-T* oldData = data();
-T* otherData = const_cast(other.data());
-if (otherData)
-Header::fromPayload(otherData)->refCount++;
-m_data = otherData;
+return assign(other);
+}
-if (!oldData)
-return *this;
-if (--Header::fromPayload(oldData)->refCount)
-return *this;
-VectorTypeOperations::destruct(oldData, oldData + Header::fromPayload(oldData)->length);
-fastFree(Header::fromPayload(oldData));
-return *this;
+RefCountedArray& operator=(const RefCountedArray& other)
+{
+return assign(other);
 }
 ~RefCountedArray()
@@ -198,6 +191,24 @@
 bool operator==(const RefCountedArray& other) const { return this->operator==(other); }
 private:
+template
+RefCountedArray& assign(const RefCountedArray& other)
+{
+T* oldData = data();
+T* otherData = const_cast(other.data());
+if (otherData)
+Header::fromPayload(otherData)->refCount++;
+m_data = otherData;
+
+if (!oldData)
+return *this;
+if (--Header::fromPayload(oldData)->refCount)
+return *this;
+VectorTypeOperations::destruct(oldData, oldData + Header::fromPayload(oldData)->length);
+fastFree(Header::fromPayload(oldData));
+return *this;
+}
+
 struct Header {
 unsigned refCount;
 unsigned length;
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
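Review bot: The non-template `operator=(const RefCountedArray&)` carries no comment explaining why it exists beside the template overload, and the reason given in the ChangeLog — a templated assignment operator never suppresses the implicitly-generated copy assignment, which would copy `m_data` without the refcount update that `assign` performs — is exactly what the next cleanup would remove as redundant. A one-line comment above it, e.g. `// Not redundant: without this the compiler generates a memberwise copy assignment that skips the refcount.`, keeps the fix from regressing. The class continues outside the hunk.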
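Review bot: `assign()` increments `Header::fromPayload(otherData)->refCount`, an `unsigned`, with no wrap-around guard, while the release path a few lines below frees the buffer as soon as the decrement reaches zero, so a wrapped count would free storage that other arrays still point to. This is inherited from the old `operator=` body rather than introduced here, but the helper is now the single place to harden it; `RELEASE_ASSERT(++Header::fromPayload(otherData)->refCount);` in place of the bare increment catches a wrap to zero, if that is considered reachable. A comment is also worth adding: `assign` takes the reference on `other` before dropping `oldData`, which is what makes self-assignment safe, and that ordering is easy to lose in a later reorder.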
[webkit-changes] [239020] trunk/Source/WTF
Title: [239020] trunk/Source/WTF Revision 239020 Author yusukesuz...@slowstart.org Date 2018-12-09 08:09:07 -0800 (Sun, 09 Dec 2018) Log Message Unreviewed, fix build failure on GCC 8.2 We remove operator= call since it is not necessary. This is a workaround. It seems that GCC 8.2 fails to parse this specialization. * wtf/RefCountedArray.h: Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/RefCountedArray.h Diff Modified: trunk/Source/WTF/ChangeLog (239019 => 239020) --- trunk/Source/WTF/ChangeLog 2018-12-09 09:05:45 UTC (rev 239019) +++ trunk/Source/WTF/ChangeLog 2018-12-09 16:09:07 UTC (rev 239020) @@ -1,3 +1,12 @@ +2018-12-09 Yusuke Suzuki + +Unreviewed, fix build failure on GCC 8.2 + +We remove operator= call since it is not necessary. +This is a workaround. It seems that GCC 8.2 fails to parse this specialization. + +* wtf/RefCountedArray.h: + 2018-12-08 Darin Adler Fix stray-semicolon warning seen with a new version of clang in Xcode Modified: trunk/Source/WTF/wtf/RefCountedArray.h (239019 => 239020) --- trunk/Source/WTF/wtf/RefCountedArray.h 2018-12-09 09:05:45 UTC (rev 239019) +++ trunk/Source/WTF/wtf/RefCountedArray.h 2018-12-09 16:09:07 UTC (rev 239020) @@ -120,8 +120,6 @@ return *this; } -RefCountedArray& operator=(const RefCountedArray& other) { return this->operator=(other); } - ~RefCountedArray() { if (!m_data) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [238802] trunk/Source
Title: [238802] trunk/Source Revision 238802 Author yusukesuz...@slowstart.org Date 2018-12-03 09:50:20 -0800 (Mon, 03 Dec 2018) Log Message Use WallTime for file time https://bugs.webkit.org/show_bug.cgi?id=192287 Reviewed by Darin Adler. Source/WebCore: This patch changes a type of file time from double to WallTime to use strongly typed file time. No behavior change. * Modules/webdatabase/Database.cpp: (WebCore::Database::details const): * Modules/webdatabase/DatabaseDetails.h: (WebCore::DatabaseDetails::DatabaseDetails): (WebCore::DatabaseDetails::creationTime const): (WebCore::DatabaseDetails::modificationTime const): * Modules/webdatabase/DatabaseManager.cpp: (WebCore::DatabaseManager::ProposedDatabase::ProposedDatabase): * Modules/webdatabase/DatabaseTracker.cpp: (WebCore::DatabaseTracker::detailsForNameAndOrigin): * fileapi/AsyncFileStream.cpp: (WebCore::AsyncFileStream::getSize): * fileapi/AsyncFileStream.h: * fileapi/File.cpp: (WebCore::File::lastModified const): * page/Page.cpp: (WebCore::Page::userStyleSheetLocationChanged): (WebCore::Page::userStyleSheet const): * page/Page.h: * platform/FileMetadata.h: * platform/FileStream.cpp: (WebCore::FileStream::getSize): * platform/FileStream.h: * platform/FileSystem.cpp: (WebCore::FileSystem::getFileModificationTime): Deleted. * platform/FileSystem.h: (WebCore::FileSystem::invalidFileTime): Deleted. (WebCore::FileSystem::isValidFileTime): Deleted. 
* platform/glib/FileSystemGlib.cpp: (WebCore::FileSystem::getFileCreationTime): (WebCore::FileSystem::getFileModificationTime): (WebCore::FileSystem::fileMetadataUsingFunction): * platform/network/BlobDataFileReference.cpp: (WebCore::BlobDataFileReference::BlobDataFileReference): (WebCore::BlobDataFileReference::expectedModificationTime): * platform/network/BlobDataFileReference.h: * platform/network/FormData.cpp: (WebCore::FormData::appendFile): (WebCore::FormData::appendFileRange): * platform/network/FormData.h: (WebCore::FormDataElement::FormDataElement): (WebCore::FormDataElement::EncodedFileData::decode): * platform/network/cf/FormDataStreamCFNet.cpp: (WebCore::advanceCurrentStream): * platform/network/soup/ResourceRequestSoup.cpp: (WebCore::appendEncodedBlobItemToSoupMessageBody): * platform/posix/FileSystemPOSIX.cpp: (WebCore::FileSystem::getFileCreationTime): (WebCore::FileSystem::getFileModificationTime): * platform/sql/SQLiteFileSystem.cpp: (WebCore::SQLiteFileSystem::databaseCreationTime): (WebCore::SQLiteFileSystem::databaseModificationTime): * platform/sql/SQLiteFileSystem.h: * platform/win/FileSystemWin.cpp: (WebCore::FileSystem::getFileModificationTime): (WebCore::FileSystem::getFileCreationTime): (WebCore::FileSystem::findDataToFileMetadata): Source/WebKit: * Shared/SessionState.h: * Shared/WebCoreArgumentCoders.cpp: (IPC::ArgumentCoder::decode): * UIProcess/API/C/WKKeyValueStorageManager.cpp: (WKKeyValueStorageManagerGetStorageDetailsByOrigin): * UIProcess/API/glib/WebKitWebViewSessionState.cpp: (decodeHTTPBody): * UIProcess/Plugins/gtk/PluginInfoCache.cpp: (WebKit::PluginInfoCache::getPluginInfo): (WebKit::PluginInfoCache::updatePluginInfo): * UIProcess/ResourceLoadStatisticsPersistentStorage.cpp: (WebKit::hasFileChangedSince): * UIProcess/WebStorage/LocalStorageDatabaseTracker.cpp: (WebKit::LocalStorageDatabaseTracker::databasesModifiedSince): (WebKit::LocalStorageDatabaseTracker::originDetails): * 
UIProcess/WebStorage/LocalStorageDatabaseTracker.h: * UIProcess/mac/LegacySessionStateCoding.cpp: (WebKit::encodeFormDataElement): (WebKit::decodeFormDataElement): * WebProcess/MediaCache/WebMediaKeyStorageManager.cpp: (WebKit::removeAllMediaKeyStorageForOriginPath): (WebKit::WebMediaKeyStorageManager::deleteMediaKeyEntriesForOrigin): (WebKit::WebMediaKeyStorageManager::deleteMediaKeyEntriesModifiedBetweenDates): (WebKit::WebMediaKeyStorageManager::deleteAllMediaKeyEntries): * WebProcess/MediaCache/WebMediaKeyStorageManager.h: * WebProcess/WebCoreSupport/SessionStateConversion.cpp: (WebKit::toHTTPBody): (WebKit::toFormData): Source/WebKitLegacy/win: * Plugins/PluginDatabase.cpp: (WebCore::PluginDatabase::refresh): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Modules/webdatabase/Database.cpp trunk/Source/WebCore/Modules/webdatabase/DatabaseDetails.h trunk/Source/WebCore/Modules/webdatabase/DatabaseManager.cpp trunk/Source/WebCore/Modules/webdatabase/DatabaseTracker.cpp trunk/Source/WebCore/fileapi/AsyncFileStream.cpp trunk/Source/WebCore/fileapi/AsyncFileStream.h trunk/Source/WebCore/fileapi/File.cpp trunk/Source/WebCore/page/Page.cpp trunk/Source/WebCore/page/Page.h trunk/Source/WebCore/platform/FileMetadata.h trunk/Source/WebCore/platform/FileStream.cpp trunk/Source/WebCore/platform/FileStream.h trunk/Source/WebCore/platform/FileSystem.cpp trunk/Source/WebCore/platform/FileSystem.h trunk/Source/WebCore/platform/glib/FileSystemGlib.cpp trunk/Source/WebCore/platform/network/BlobDataFileReference.cpp trunk/Source/WebCore/platform/network/BlobDataFileReferen
[webkit-changes] [238778] trunk/Source/JavaScriptCore
Title: [238778] trunk/Source/_javascript_Core Revision 238778 Author yusukesuz...@slowstart.org Date 2018-12-01 00:38:53 -0800 (Sat, 01 Dec 2018) Log Message [JSC] Keep TypeMaybeBigInt small https://bugs.webkit.org/show_bug.cgi?id=192203 Reviewed by Saam Barati. As BigInt is being implemented, more and more bytecodes start returning BigInt. It means that ResultType of these bytecodes include TypeMaybeBigInt. However, TypeMaybeBigInt was large number 0x20, leading to wide instruction since ResultType easily becomes larger than 32 (e.g. TypeInt32 | TypeMaybeBigInt == 33). This patch sorts the numbers of TypeMaybeXXX based on the frequency of appearance in the code. * parser/ResultType.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/parser/ResultType.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (238777 => 238778) --- trunk/Source/_javascript_Core/ChangeLog 2018-12-01 06:17:55 UTC (rev 238777) +++ trunk/Source/_javascript_Core/ChangeLog 2018-12-01 08:38:53 UTC (rev 238778) @@ -1,3 +1,20 @@ +2018-11-29 Yusuke Suzuki + +[JSC] Keep TypeMaybeBigInt small +https://bugs.webkit.org/show_bug.cgi?id=192203 + +Reviewed by Saam Barati. + +As BigInt is being implemented, more and more bytecodes start returning BigInt. +It means that ResultType of these bytecodes include TypeMaybeBigInt. However, +TypeMaybeBigInt was large number 0x20, leading to wide instruction since ResultType +easily becomes larger than 32 (e.g. TypeInt32 | TypeMaybeBigInt == 33). + +This patch sorts the numbers of TypeMaybeXXX based on the frequency of appearance in +the code. + +* parser/ResultType.h: + 2018-11-30 Dean Jackson Try to fix Windows build by using strcmp instead of strcasecmp. Modified: trunk/Source/_javascript_Core/parser/ResultType.h (238777 => 238778) --- trunk/Source/_javascript_Core/parser/ResultType.h 2018-12-01 06:17:55 UTC (rev 238777) +++ trunk/Source/_javascript_Core/parser/ResultType.h 2018-12-01 08:38:53 UTC (rev 238778) 
@@ -32,15 +32,15 @@ friend struct OperandTypes; using Type = uint8_t; -static constexpr Type TypeInt32 = 1; -static constexpr Type TypeMaybeNumber = 0x02; -static constexpr Type TypeMaybeString = 0x04; -static constexpr Type TypeMaybeNull = 0x08; -static constexpr Type TypeMaybeBool = 0x10; -static constexpr Type TypeMaybeBigInt = 0x20; -static constexpr Type TypeMaybeOther = 0x40; +static constexpr Type TypeInt32 = 0x1 << 0; +static constexpr Type TypeMaybeNumber = 0x1 << 1; +static constexpr Type TypeMaybeString = 0x1 << 2; +static constexpr Type TypeMaybeBigInt = 0x1 << 3; +static constexpr Type TypeMaybeNull = 0x1 << 4; +static constexpr Type TypeMaybeBool = 0x1 << 5; +static constexpr Type TypeMaybeOther = 0x1 << 6; -static constexpr Type TypeBits = TypeMaybeNumber | TypeMaybeString | TypeMaybeNull | TypeMaybeBool | TypeMaybeBigInt | TypeMaybeOther; +static constexpr Type TypeBits = TypeMaybeNumber | TypeMaybeString | TypeMaybeBigInt | TypeMaybeNull | TypeMaybeBool | TypeMaybeOther; public: static constexpr int numBitsNeeded = 7; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
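Review bot: The reason for this specific bit order exists only in the ChangeLog; inside ResultType.h the renumbered constants look arbitrary, so a later tidy-up could silently undo the narrow-operand gain the commit is after. A one-line comment above `TypeInt32`, such as `// Bit order is by how often each type shows up in ResultType values, so that common combinations stay small enough for a narrow bytecode operand.`, would pin the intent where the next editor sees it. The invariant the renumbering relies on is also cheap to assert after `numBitsNeeded`: `static_assert((TypeInt32 | TypeBits) < (1 << numBitsNeeded), "ResultType bits must fit in numBitsNeeded");`. The enclosing class continues outside the hunk.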
[webkit-changes] [238435] trunk/Source/JavaScriptCore
Title: [238435] trunk/Source/_javascript_Core Revision 238435 Author yusukesuz...@slowstart.org Date 2018-11-21 18:57:14 -0800 (Wed, 21 Nov 2018) Log Message [JSC] Use ProtoCallFrame::numberOfRegisters instead of raw number `4` https://bugs.webkit.org/show_bug.cgi?id=191877 Reviewed by Sam Weinig. Instead of hard-coding `4` into LowLevelInterpreter, use ProtoCallFrame::numberOfRegisters. * interpreter/ProtoCallFrame.h: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/interpreter/ProtoCallFrame.h trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (238434 => 238435) --- trunk/Source/_javascript_Core/ChangeLog 2018-11-22 02:12:04 UTC (rev 238434) +++ trunk/Source/_javascript_Core/ChangeLog 2018-11-22 02:57:14 UTC (rev 238435) @@ -1,3 +1,16 @@ +2018-11-21 Yusuke Suzuki + +[JSC] Use ProtoCallFrame::numberOfRegisters instead of raw number `4` +https://bugs.webkit.org/show_bug.cgi?id=191877 + +Reviewed by Sam Weinig. + +Instead of hard-coding `4` into LowLevelInterpreter, use ProtoCallFrame::numberOfRegisters. + +* interpreter/ProtoCallFrame.h: +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: + 2018-11-21 Mark Lam Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError. Modified: trunk/Source/_javascript_Core/interpreter/ProtoCallFrame.h (238434 => 238435) --- trunk/Source/_javascript_Core/interpreter/ProtoCallFrame.h 2018-11-22 02:12:04 UTC (rev 238434) +++ trunk/Source/_javascript_Core/interpreter/ProtoCallFrame.h 2018-11-22 02:57:14 UTC (rev 238435) 
@@ -35,6 +35,9 @@ struct JS_EXPORT_PRIVATE ProtoCallFrame { WTF_FORBID_HEAP_ALLOCATION; public: +// CodeBlock, Callee, ArgumentCount, and |this|. +static constexpr unsigned numberOfRegisters { 4 }; + Register codeBlockValue; Register calleeValue; Register argCountAndCodeOriginValue; Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (238434 => 238435) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-11-22 02:12:04 UTC (rev 238434) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-11-22 02:57:14 UTC (rev 238435) @@ -214,7 +214,7 @@ .stackHeightOK: move t3, sp -move 4, t3 +move (constexpr ProtoCallFrame::numberOfRegisters), t3 .copyHeaderLoop: subi 1, t3 Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (238434 => 238435) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-11-22 02:12:04 UTC (rev 238434) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-11-22 02:57:14 UTC (rev 238435) @@ -201,7 +201,7 @@ .stackHeightOK: move t3, sp -move 4, t3 +move (constexpr ProtoCallFrame::numberOfRegisters), t3 .copyHeaderLoop: # Copy the CodeBlock/Callee/ArgumentCount/|this| from protoCallFrame into the callee frame. ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
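Review bot: `numberOfRegisters { 4 }` replaces the magic number, but nothing ties it to the struct layout the LLInt `.copyHeaderLoop` depends on: the loop copies that many `Register` slots from the front of `ProtoCallFrame`, so a non-`Register` member inserted before `codeBlockValue`, or a reordering of the four header fields, would silently copy the wrong words into the callee frame. After the fourth header member (outside the hunk; only `codeBlockValue`, `calleeValue` and `argCountAndCodeOriginValue` are visible here) add a layout check along the lines of `static_assert(offsetof(ProtoCallFrame, thisArg) == (numberOfRegisters - 1) * sizeof(Register), "LLInt copies the first numberOfRegisters Registers verbatim");`, using whatever that member is actually named. The added `// CodeBlock, Callee, ArgumentCount, and |this|.` comment is good; it could also state that this order must match the CallFrame header the loop writes into.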
[webkit-changes] [238376] trunk/Source/JavaScriptCore
Title: [238376] trunk/Source/_javascript_Core Revision 238376 Author yusukesuz...@slowstart.org Date 2018-11-19 08:49:43 -0800 (Mon, 19 Nov 2018) Log Message [WebAssembly] I64 arguments / return value check should be moved from callWebAssemblyFunction to JSToWasm wrapper https://bugs.webkit.org/show_bug.cgi?id=190512 Reviewed by Keith Miller. This patch moves I64 arguments / return value check from callWebAssemblyFunction to JSToWasm wrapper. Since this check can be done when compiling the function, we should encode the result into the generated wrapper instead of checking every time we call callWebAssemblyFunction. This change is also one of the steps removing callWebAssemblyFunction entirely. * wasm/WasmExceptionType.h: * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): * wasm/js/WebAssemblyFunction.cpp: (JSC::callWebAssemblyFunction): * wasm/js/WebAssemblyWrapperFunction.cpp: (JSC::callWebAssemblyWrapperFunction): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/wasm/WasmExceptionType.h trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp trunk/Source/_javascript_Core/wasm/js/WebAssemblyWrapperFunction.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (238375 => 238376) --- trunk/Source/_javascript_Core/ChangeLog 2018-11-19 16:31:22 UTC (rev 238375) +++ trunk/Source/_javascript_Core/ChangeLog 2018-11-19 16:49:43 UTC (rev 238376) 
@@ -1,3 +1,23 @@ +2018-11-19 Yusuke Suzuki + +[WebAssembly] I64 arguments / return value check should be moved from callWebAssemblyFunction to JSToWasm wrapper +https://bugs.webkit.org/show_bug.cgi?id=190512 + +Reviewed by Keith Miller. + +This patch moves I64 arguments / return value check from callWebAssemblyFunction to JSToWasm wrapper. Since this +check can be done when compiling the function, we should encode the result into the generated wrapper instead of +checking every time we call callWebAssemblyFunction. This change is also one of the steps removing callWebAssemblyFunction +entirely. + +* wasm/WasmExceptionType.h: +* wasm/js/JSToWasm.cpp: +(JSC::Wasm::createJSToWasmWrapper): +* wasm/js/WebAssemblyFunction.cpp: +(JSC::callWebAssemblyFunction): +* wasm/js/WebAssemblyWrapperFunction.cpp: +(JSC::callWebAssemblyWrapperFunction): + 2018-11-12 Yusuke Suzuki Consider removing double load for accessing the instructions from LLInt Modified: trunk/Source/_javascript_Core/wasm/WasmExceptionType.h (238375 => 238376) --- trunk/Source/_javascript_Core/wasm/WasmExceptionType.h 2018-11-19 16:31:22 UTC (rev 238375) +++ trunk/Source/_javascript_Core/wasm/WasmExceptionType.h 2018-11-19 16:49:43 UTC (rev 238376) 
@@ -40,7 +40,9 @@ macro(Unreachable, "Unreachable code should not be executed") \ macro(DivisionByZero, "Division by zero") \ macro(IntegerOverflow, "Integer overflow") \ -macro(StackOverflow, "Stack overflow") +macro(StackOverflow, "Stack overflow") \ +macro(I64ArgumentType, "WebAssembly function with an i64 argument can't be called from _javascript_") \ +macro(I64ReturnType, "WebAssembly function that returns i64 can't be called from _javascript_") enum class ExceptionType : uint32_t { #define MAKE_ENUM(enumName, error) enumName, Modified: trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp (238375 => 238376) --- trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2018-11-19 16:31:22 UTC (rev 238375) +++ trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2018-11-19 16:49:43 UTC (rev 238376) @@ -30,9 +30,12 @@ #include "CCallHelpers.h" #include "JSWebAssemblyInstance.h" +#include "JSWebAssemblyRuntimeError.h" +#include "MaxFrameExtentForSlowPathCall.h" #include "WasmCallingConvention.h" #include "WasmContextInlines.h" #include "WasmSignatureInlines.h" +#include "WasmToJS.h" namespace JSC { namespace Wasm { @@ -70,9 +73,12 @@ totalFrameSize -= sizeof(CallerFrameAndPC); unsigned numGPRs = 0; unsigned numFPRs = 0; +bool argumentsIncludeI64 = false; for (unsigned i = 0; i < signature.argumentCount(); i++) { switch (signature.argument(i)) { case Wasm::I64: +argumentsIncludeI64 = true; +FALLTHROUGH; case Wasm::I32: if (numGPRs >= wasmCallingConvention().m_gprArgs.size()) totalFrameSize += sizeof(void*); @@ -102,6 +108,36 @@ jit.storePtr(reg, CCallHelpers::Address(GPRInfo::callFrameRegister, offset)); } +if (argumentsIncludeI64 || signature.returnType() == Wasm::I64) { +if (Context::useFastTLS()) +jit.loadWasmContextInstance(GPRInfo::argumentGPR2); +else { +// vmEntryToWasm passes the JSWebAssemblyInstance corresponding to Wasm::Context*'s +// instance as the first JS argument when we're not using fast
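Review bot: `I64ArgumentType` and `I64ReturnType` join the same `ExceptionType` list as the traps (`Unreachable`, `DivisionByZero`, …), and the new `#include "JSWebAssemblyRuntimeError.h"` in JSToWasm.cpp suggests the wrapper raises them through the WebAssembly.RuntimeError path. If the check being removed from `callWebAssemblyFunction` threw a TypeError (the WebAssembly JS API, at least in its pre-BigInt form, asks for a TypeError when an i64 parameter or result is converted), this moves an observable error type; a stress test asserting `instanceof TypeError` on an exported i64 function would settle that before landing. The hunk that actually emits the throw (`@@ -102,6 +108,36 @@`) is truncated on this page, so the helper used cannot be confirmed from here.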
[webkit-changes] [238367] trunk/Source/JavaScriptCore
Title: [238367] trunk/Source/_javascript_Core Revision 238367 Author yusukesuz...@slowstart.org Date 2018-11-18 22:51:54 -0800 (Sun, 18 Nov 2018) Log Message Consider removing double load for accessing the instructions from LLInt https://bugs.webkit.org/show_bug.cgi?id=190932 Reviewed by Mark Lam. Changing InstructionStream to RefCountedArray like structure involves so much changes including BytecodeGraph, PreciseJumpTargets etc. Instead, CodeBlock simply hold a raw pointer to the InstructionStream's data. Since InstructionStream is not changed anymore, this pointer is valid while CodeBlock is live. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): * bytecode/CodeBlock.h: * bytecode/InstructionStream.h: (JSC::InstructionStream::rawPointer const): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/bytecode/InstructionStream.h trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (238366 => 238367) --- trunk/Source/_javascript_Core/ChangeLog 2018-11-19 05:23:50 UTC (rev 238366) +++ trunk/Source/_javascript_Core/ChangeLog 2018-11-19 06:51:54 UTC (rev 238367) 
@@ -1,3 +1,24 @@ +2018-11-12 Yusuke Suzuki + +Consider removing double load for accessing the instructions from LLInt +https://bugs.webkit.org/show_bug.cgi?id=190932 + +Reviewed by Mark Lam. + +Changing InstructionStream to RefCountedArray like structure involves so much changes +including BytecodeGraph, PreciseJumpTargets etc. Instead, CodeBlock simply hold a raw +pointer to the InstructionStream's data. Since InstructionStream is not changed +anymore, this pointer is valid while CodeBlock is live. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::CodeBlock): +* bytecode/CodeBlock.h: +* bytecode/InstructionStream.h: +(JSC::InstructionStream::rawPointer const): +* llint/LowLevelInterpreter.asm: +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: + 2018-11-18 Fujii Hironori REGRESSION(r238039) WebCore::JSDOMGlobalObject::createStructure is using JSC::Structure::create without including StructureInlines.h Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (238366 => 238367) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2018-11-19 05:23:50 UTC (rev 238366) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2018-11-19 06:51:54 UTC (rev 238367) @@ -303,8 +303,9 @@ , m_unlinkedCode(*other.vm(), this, other.m_unlinkedCode.get()) , m_ownerExecutable(*other.vm(), this, other.m_ownerExecutable.get()) , m_poisonedVM(other.m_poisonedVM) +, m_instructions(other.m_instructions) +, m_instructionsRawPointer(other.m_instructionsRawPointer) , m_instructionCount(other.m_instructionCount) -, m_instructions(other.m_instructions) , m_thisRegister(other.m_thisRegister) , m_scopeRegister(other.m_scopeRegister) , m_hash(other.m_hash) 
@@ -369,6 +370,7 @@ , m_ownerExecutable(*vm, this, ownerExecutable) , m_poisonedVM(vm) , m_instructions(&unlinkedCodeBlock->instructions()) +, m_instructionsRawPointer(m_instructions->rawPointer()) , m_thisRegister(unlinkedCodeBlock->thisRegister()) , m_scopeRegister(unlinkedCodeBlock->scopeRegister()) , m_source(WTFMove(sourceProvider)) Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (238366 => 238367) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2018-11-19 05:23:50 UTC (rev 238366) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2018-11-19 06:51:54 UTC (rev 238367) @@ -949,8 +949,9 @@ WriteBarrier m_ownerEdge; Poisoned m_poisonedVM; +const InstructionStream* m_instructions; +const void* m_instructionsRawPointer { nullptr }; unsigned m_instructionCount { 0 }; -const InstructionStream* m_instructions; VirtualRegister m_thisRegister; VirtualRegister m_scopeRegister; mutable CodeBlockHash m_hash; Modified: trunk/Source/_javascript_Core/bytecode/InstructionStream.h (238366 => 238367) --- trunk/Source/_javascript_Core/bytecode/InstructionStream.h 2018-11-19 05:23:50 UTC (rev 238366) +++ trunk/Source/_javascript_Core/bytecode/InstructionStream.h 2018-11-19 06:51:54 UTC (rev 238367) @@ -162,6 +162,11 @@ return m_instructions.size(); } +const void* rawPointer() const +{ +return m_instructions.data(); +} + protected: explicit InstructionStream(InstructionBuffer&&); Modified: trunk/Source/_javascript_Core/llint/LowLevelI
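Review bot: `m_instructionsRawPointer` is an unowned alias of `m_instructions->rawPointer()` with no comment saying so, and the two constructors are now the only places keeping the pair in sync; any later assignment to `m_instructions` that forgets the cached pointer would leave LLInt executing bytecode from stale or freed memory. The header should state it, e.g. `// Cached m_instructions->rawPointer() for LLInt. Unowned alias into the UnlinkedCodeBlock's instruction buffer (presumably kept alive via m_unlinkedCode); must be refreshed whenever m_instructions changes.`, and an `ASSERT(m_instructionsRawPointer == m_instructions->rawPointer())` at the end of construction would catch drift early. The log message's premise that the InstructionStream never changes after this point is what makes the cache safe, and nothing in these hunks enforces it. Given that `m_poisonedVM` is poisoned, a plain `const void*` to the bytecode buffer sitting in the CodeBlock may also deserve the same treatment, or at least a note that it is a deliberate exception.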
[webkit-changes] [238365] trunk
Title: [238365] trunk Revision 238365 Author yusukesuz...@slowstart.org Date 2018-11-18 11:10:08 -0800 (Sun, 18 Nov 2018) Log Message Unreviewed, rolling in the rest of r237254 https://bugs.webkit.org/show_bug.cgi?id=190340 JSTests: * ChakraCore/test/Function/FuncBodyES5.baseline-jsc: * stress/function-cache-with-parameters-end-position.js: Added. (shouldBe): (shouldThrow): (i.anonymous): * stress/function-constructor-name.js: Added. (shouldBe): (GeneratorFunction): (AsyncFunction.async): (AsyncGeneratorFunction.async): (anonymous): (async.anonymous): * test262/expectations.yaml: LayoutTests/imported/w3c: * web-platform-tests/html/webappapis/scripting/events/inline-event-handler-ordering-expected.txt: * web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled-raw-handler-compiled-late-expected.txt: * web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-attribute-expected.txt: * web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-body-onerror-expected.txt: Source/_javascript_Core: * parser/ParserModes.h: * parser/ParserTokens.h: (JSC::JSTextPosition::JSTextPosition): (JSC::JSTokenLocation::JSTokenLocation): Deleted. 
* runtime/CodeCache.cpp: (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): LayoutTests: * fast/dom/attribute-event-listener-errors-expected.txt: * fast/events/attribute-listener-deletion-crash-expected.txt: * fast/events/window-onerror-syntax-error-in-attr-expected.txt: * js/dom/invalid-syntax-for-function-expected.txt: * js/dom/script-start-end-locations-expected.txt: Modified Paths trunk/JSTests/ChakraCore/test/Function/FuncBodyES5.baseline-jsc trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/attribute-event-listener-errors-expected.txt trunk/LayoutTests/fast/events/attribute-listener-deletion-crash-expected.txt trunk/LayoutTests/fast/events/window-onerror-syntax-error-in-attr-expected.txt trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/events/inline-event-handler-ordering-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled-raw-handler-compiled-late-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-attribute-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-body-onerror-expected.txt trunk/LayoutTests/js/dom/invalid-syntax-for-function-expected.txt trunk/LayoutTests/js/dom/script-start-end-locations-expected.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/parser/ParserModes.h trunk/Source/_javascript_Core/parser/ParserTokens.h trunk/Source/_javascript_Core/runtime/CodeCache.cpp trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp Added Paths trunk/JSTests/stress/function-cache-with-parameters-end-position.js trunk/JSTests/stress/function-constructor-name.js Diff Modified: 
trunk/JSTests/ChakraCore/test/Function/FuncBodyES5.baseline-jsc (238364 => 238365) --- trunk/JSTests/ChakraCore/test/Function/FuncBodyES5.baseline-jsc 2018-11-18 18:20:03 UTC (rev 238364) +++ trunk/JSTests/ChakraCore/test/Function/FuncBodyES5.baseline-jsc 2018-11-18 19:10:08 UTC (rev 238365) @@ -9,13 +9,13 @@ PASS: 8: new Function succeeded as expected PASS: 9: new Function succeeded as expected PASS: 10: new Function succeeded as expected -PASS: 100: new Function failed as expected. SyntaxError: Unexpected token '{'. Expected ')' to end a compound _expression_. -PASS: 100: new Function failed as expected. SyntaxError: Unexpected token '{'. Expected ')' to end a compound _expression_. -PASS: 101: new Function failed as expected. SyntaxError: Unexpected keyword 'function'. Expected ')' to end a compound _expression_. -PASS: 102: new Function failed as expected. SyntaxError: Unexpected keyword 'function'. Expected ')' to end a compound _expression_. -PASS: 103: new Function failed as expected. SyntaxError: Unexpected keyword 'function'. Expected ')' to end a compound _expression_. -PASS: 104: new Function failed as expected. SyntaxError: Unexpected token ';'. Expected ')' to end a compound _expression_. -PASS: 105: new Function failed as expected. SyntaxError: Unexpected token ';'. Expected ')' to end a compound _expression_. +PASS: 100: new Function failed as expected. SyntaxError: Parser error +PASS: 100: new Function failed as expected. SyntaxError: Parser error +PASS: 101: new Function failed as expected. SyntaxError: Parser error +PASS: 102: new Function failed as expected. SyntaxError: Parameters should match arguments offered as parameters in Function constructor. +PASS: 103: new Function failed as expected. SyntaxError: Parser error +PASS: 104: new Fun
[webkit-changes] [238361] trunk/Source/WebKit
Title: [238361] trunk/Source/WebKit Revision 238361 Author yusukesuz...@slowstart.org Date 2018-11-18 04:50:21 -0800 (Sun, 18 Nov 2018) Log Message Use Box instead of dispatch_semaphore_t https://bugs.webkit.org/show_bug.cgi?id=189691 Reviewed by Ryosuke Niwa. Use Box instead, which utilizes our WTF::Lock mechanism. * NetworkProcess/watchos/NetworkProximityManager.mm: (WebKit::NetworkProximityManager::updateRecommendation): Modified Paths trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/NetworkProcess/watchos/NetworkProximityManager.mm Diff Modified: trunk/Source/WebKit/ChangeLog (238360 => 238361) --- trunk/Source/WebKit/ChangeLog 2018-11-18 06:17:44 UTC (rev 238360) +++ trunk/Source/WebKit/ChangeLog 2018-11-18 12:50:21 UTC (rev 238361) @@ -1,3 +1,15 @@ +2018-11-18 Yusuke Suzuki + +Use Box instead of dispatch_semaphore_t +https://bugs.webkit.org/show_bug.cgi?id=189691 + +Reviewed by Ryosuke Niwa. + +Use Box instead, which utilizes our WTF::Lock mechanism. + +* NetworkProcess/watchos/NetworkProximityManager.mm: +(WebKit::NetworkProximityManager::updateRecommendation): + 2018-11-17 Wenson Hsieh [iOS] Remove all usages of UIItemProvider, UIItemProviderReading, and related classes Modified: trunk/Source/WebKit/NetworkProcess/watchos/NetworkProximityManager.mm (238360 => 238361) --- trunk/Source/WebKit/NetworkProcess/watchos/NetworkProximityManager.mm 2018-11-18 06:17:44 UTC (rev 238360) +++ trunk/Source/WebKit/NetworkProcess/watchos/NetworkProximityManager.mm 2018-11-18 12:50:21 UTC (rev 238361) @@ -35,8 +35,10 @@ #import #import #import +#import #import #import +#import WTF_DECLARE_CF_TYPE_TRAIT(SCNetworkInterface); 
@@ -298,13 +300,12 @@ RELEASE_LOG(ProximityNetworking, "Requesting an immediate recommendation from iRATManager."); -auto semaphore = adoptOSObject(dispatch_semaphore_create(0)); +auto semaphore = Box::create(); [m_iRATInterface getProximityLinkRecommendation:NO recommendation:[this, semaphore](NSArray *recommendations) { processRecommendations(recommendations); -dispatch_semaphore_signal(semaphore.get()); +semaphore->signal(); }]; - -dispatch_semaphore_wait(semaphore.get(), dispatch_time(DISPATCH_TIME_NOW, 1 * NSEC_PER_SEC)); +semaphore->waitFor(1_s); } void NetworkProximityManager::initialize(const NetworkProcessCreationParameters& parameters) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
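Review bot: `semaphore->waitFor(1_s)` discards its result, so a timeout is indistinguishable from a real signal and the caller proceeds as though a recommendation was processed; assuming the Box-wrapped semaphore's `waitFor` reports whether it was signalled, `if (!semaphore->waitFor(1_s)) RELEASE_LOG(ProximityNetworking, "Timed out waiting for iRATManager recommendation.");` makes the failure visible. More importantly, the block still captures a raw `this` and calls `processRecommendations(recommendations)` on it: the Box keeps the semaphore alive after the 1 s timeout, but nothing keeps `NetworkProximityManager` alive, so a late callback after the owner is destroyed dereferences freed memory. That hazard predates this change, but switching to a ref-counted semaphore is the moment to give `this` equivalent protection (a weak pointer or a ref on the owner) or to document why the manager is known to outlive the callback. `updateRecommendation` presumably starts before this hunk.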
[webkit-changes] [238185] trunk/Source/JavaScriptCore
Title: [238185] trunk/Source/_javascript_Core Revision 238185 Author yusukesuz...@slowstart.org Date 2018-11-14 10:49:22 -0800 (Wed, 14 Nov 2018) Log Message Unreviewed, rolling in CodeCache in r237254 https://bugs.webkit.org/show_bug.cgi?id=190340 Land the CodeCache part without adding an additional hash value. * bytecode/UnlinkedFunctionExecutable.cpp: (JSC::UnlinkedFunctionExecutable::fromGlobalCode): * bytecode/UnlinkedFunctionExecutable.h: * parser/SourceCodeKey.h: (JSC::SourceCodeKey::SourceCodeKey): (JSC::SourceCodeKey::operator== const): * runtime/CodeCache.cpp: (JSC::CodeCache::getUnlinkedGlobalCodeBlock): (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): * runtime/CodeCache.h: * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::fromGlobalCode): * runtime/FunctionExecutable.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h trunk/Source/_javascript_Core/parser/SourceCodeKey.h trunk/Source/_javascript_Core/runtime/CodeCache.cpp trunk/Source/_javascript_Core/runtime/CodeCache.h trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp trunk/Source/_javascript_Core/runtime/FunctionExecutable.cpp trunk/Source/_javascript_Core/runtime/FunctionExecutable.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (238184 => 238185) --- trunk/Source/_javascript_Core/ChangeLog 2018-11-14 18:43:21 UTC (rev 238184) +++ trunk/Source/_javascript_Core/ChangeLog 2018-11-14 18:49:22 UTC (rev 238185) 
@@ -1,3 +1,26 @@ +2018-11-14 Yusuke Suzuki + +Unreviewed, rolling in CodeCache in r237254 +https://bugs.webkit.org/show_bug.cgi?id=190340 + +Land the CodeCache part without adding an additional hash value. + +* bytecode/UnlinkedFunctionExecutable.cpp: +(JSC::UnlinkedFunctionExecutable::fromGlobalCode): +* bytecode/UnlinkedFunctionExecutable.h: +* parser/SourceCodeKey.h: +(JSC::SourceCodeKey::SourceCodeKey): +(JSC::SourceCodeKey::operator== const): +* runtime/CodeCache.cpp: +(JSC::CodeCache::getUnlinkedGlobalCodeBlock): +(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): +* runtime/CodeCache.h: +* runtime/FunctionConstructor.cpp: +(JSC::constructFunctionSkippingEvalEnabledCheck): +* runtime/FunctionExecutable.cpp: +(JSC::FunctionExecutable::fromGlobalCode): +* runtime/FunctionExecutable.h: + 2018-11-13 Saam Barati ProxyObject should check for VMInquiry and return early before throwing a stack overflow exception Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp (238184 => 238185) --- trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp 2018-11-14 18:43:21 UTC (rev 238184) +++ trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp 2018-11-14 18:49:22 UTC (rev 238185) @@ -174,7 +174,7 @@ UnlinkedFunctionExecutable* UnlinkedFunctionExecutable::fromGlobalCode( const Identifier& name, ExecState& exec, const SourceCode& source, -JSObject*& exception, int overrideLineNumber) +JSObject*& exception, int overrideLineNumber, std::optional functionConstructorParametersEndPosition) { ParserError error; VM& vm = exec.vm(); 
@@ -181,7 +181,7 @@ auto& globalObject = *exec.lexicalGlobalObject(); CodeCache* codeCache = vm.codeCache(); DebuggerMode debuggerMode = globalObject.hasInteractiveDebugger() ? DebuggerOn : DebuggerOff; -UnlinkedFunctionExecutable* executable = codeCache->getUnlinkedGlobalFunctionExecutable(vm, name, source, debuggerMode, error); +UnlinkedFunctionExecutable* executable = codeCache->getUnlinkedGlobalFunctionExecutable(vm, name, source, debuggerMode, functionConstructorParametersEndPosition, error); if (globalObject.hasDebugger()) globalObject.debugger()->sourceParsed(&exec, source.provider(), error.line(), error.message()); Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h (238184 => 238185) --- trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h 2018-11-14 18:43:21 UTC (rev 238184) +++ trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h 2018-11-14 18:49:22 UTC (rev 238185) @@ -107,7 +107,7 @@ static UnlinkedFunctionExecutable* fromGlobalCode( const Identifier&, ExecState&, const SourceCode&, JSObject*& exception, -int overrideLineNumber); +int overrideLineNumber, std::optional functionConstructorParametersEndPosition); JS_EXPORT_PRIVATE FunctionExecutable* link(VM&, const SourceCode& parentSource, std::optional overrideLineNumber = std::nullopt, Intrinsic = NoIntrinsic); Modified: trunk/Source/_javascript_Core/parser/SourceCodeKey.h (238184 => 238185) --- t
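Review bot: The new `functionConstructorParametersEndPosition` parameter is threaded through `fromGlobalCode` into the CodeCache lookup with no documentation of what it denotes or who must supply it, and its declaration in UnlinkedFunctionExecutable.h has no default, so every caller other than the Function constructor now has to know to pass `std::nullopt`. A comment at the declaration would help, e.g. `// Function-constructor sources only: offset where the synthesized parameter list ends. Part of the CodeCache key, presumably because the same source text can arise from different (parameters, body) splits; other callers pass std::nullopt.` The ChangeLog says the value is compared in `SourceCodeKey::operator==` but deliberately left out of the hash, which is sound (equal keys still hash equal) but means such entries are only told apart on lookup; a one-line note there would stop someone later "completing" the hash without reasoning about it. `fromGlobalCode` starts before this hunk and continues after it.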
[webkit-changes] [238088] trunk/Source/WebCore
Title: [238088] trunk/Source/WebCore Revision 238088 Author yusukesuz...@slowstart.org Date 2018-11-12 08:48:22 -0800 (Mon, 12 Nov 2018) Log Message WTFMove(xxx) is used in arguments while other arguments touch xxx https://bugs.webkit.org/show_bug.cgi?id=191544 Reviewed by Alex Christensen. The order of the evaluation of C++ arguments is undefined. If we use WTFMove(xxx), xxx should not be touched in the other arguments. This patch fixes such uses in IDB code. * Modules/indexeddb/IDBObjectStore.cpp: (WebCore::IDBObjectStore::deleteIndex): * Modules/indexeddb/IDBTransaction.cpp: (WebCore::IDBTransaction::scheduleOperation): * Modules/indexeddb/server/MemoryIDBBackingStore.cpp: (WebCore::IDBServer::MemoryIDBBackingStore::registerObjectStore): * Modules/indexeddb/server/MemoryObjectStore.cpp: (WebCore::IDBServer::MemoryObjectStore::registerIndex): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp trunk/Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp trunk/Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (238087 => 238088) --- trunk/Source/WebCore/ChangeLog 2018-11-12 16:18:08 UTC (rev 238087) +++ trunk/Source/WebCore/ChangeLog 2018-11-12 16:48:22 UTC (rev 238088) 
@@ -1,3 +1,23 @@ +2018-11-12 Yusuke Suzuki + +WTFMove(xxx) is used in arguments while other arguments touch xxx +https://bugs.webkit.org/show_bug.cgi?id=191544 + +Reviewed by Alex Christensen. + +The order of the evaluation of C++ arguments is undefined. If we use WTFMove(xxx), +xxx should not be touched in the other arguments. This patch fixes such uses in +IDB code. + +* Modules/indexeddb/IDBObjectStore.cpp: +(WebCore::IDBObjectStore::deleteIndex): +* Modules/indexeddb/IDBTransaction.cpp: +(WebCore::IDBTransaction::scheduleOperation): +* Modules/indexeddb/server/MemoryIDBBackingStore.cpp: +(WebCore::IDBServer::MemoryIDBBackingStore::registerObjectStore): +* Modules/indexeddb/server/MemoryObjectStore.cpp: +(WebCore::IDBServer::MemoryObjectStore::registerIndex): + 2018-11-12 Zalan Bujtas [LFC][IFC] Construct dedicated runs when the inline element requires it. Modified: trunk/Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp (238087 => 238088) --- trunk/Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp 2018-11-12 16:18:08 UTC (rev 238087) +++ trunk/Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp 2018-11-12 16:48:22 UTC (rev 238088) @@ -521,7 +521,8 @@ Locker locker(m_referencedIndexLock); if (auto index = m_referencedIndexes.take(name)) { index->markAsDeleted(); -m_deletedIndexes.add(index->info().identifier(), WTFMove(index)); +auto identifier = index->info().identifier(); +m_deletedIndexes.add(identifier, WTFMove(index)); } } Modified: trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp (238087 => 238088) --- trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp 2018-11-12 16:18:08 UTC (rev 238087) +++ trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp 2018-11-12 16:48:22 UTC (rev 238088) 
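Review bot: The hoisted `identifier` in deleteIndex exists only to sequence `index->info().identifier()` before `WTFMove(index)`, and nothing in the code says so, so a later cleanup could fold it back into the `add` call and quietly reintroduce the unsequenced read of a moved-from pointer. A short why-comment on the new line would guard against that: `// Read before WTFMove(index): C++ leaves argument evaluation order unspecified.` The enclosing function continues outside the hunk.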
@@ -377,8 +377,9 @@ ASSERT(!m_transactionOperationMap.contains(operation->identifier())); ASSERT(&m_database->originThread() == &Thread::current()); +auto identifier = operation->identifier(); m_pendingTransactionOperationQueue.append(operation); -m_transactionOperationMap.set(operation->identifier(), WTFMove(operation)); +m_transactionOperationMap.set(identifier, WTFMove(operation)); schedulePendingOperationTimer(); } Modified: trunk/Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp (238087 => 238088) --- trunk/Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp 2018-11-12 16:18:08 UTC (rev 238087) +++ trunk/Source/WebCore/Modules/indexeddb/server/MemoryIDBBackingStore.cpp 2018-11-12 16:48:22 UTC (rev 238088) @@ -555,8 +555,9 @@ ASSERT(!m_objectStoresByIdentifier.contains(objectStore->info().identifier())); ASSERT(!m_objectStoresByName.contains(objectStore->info().name())); +auto identifier = objectStore->info().identifier(); m_objectStoresByName.set(objectStore->info().name(), &objectStore.get()); -m_objectStoresByIdentifier.set(objectStore->info().identifier(), WTFMove(objectStore)); +m_objectStoresByIdentifier.set(identifier, WTFMove(objectStore)); } void MemoryIDBBackingStore::unregisterObjectStore(MemoryObjectStore& objectStore) Modified: trunk/Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.cpp (238087 => 238088) --- trunk/Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.cpp 2018-11-12 16:18:08 UTC (rev 238087) +++ trunk/Source/WebCore/Modules/indexeddb/server/MemoryObjectStore.cpp 2018-11-
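Review bot: In scheduleOperation the ASSERT two lines above the new `identifier` still reads `operation->identifier()` directly, so the hunk ends up with two reads of the same value and the sequencing intent is only implicit. Moving `auto identifier = operation->identifier();` above the ASSERTs and writing `ASSERT(!m_transactionOperationMap.contains(identifier));` keeps a single read and makes it obvious that the local exists to precede `WTFMove(operation)`. The function's opening and closing braces are outside the hunk.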
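Review bot: registerObjectStore has the same shape as the other fixes in this commit but the ASSERT on the line above still calls `objectStore->info().identifier()`, so the hoisted `identifier` only covers the `set` call. Hoisting it above both ASSERTs and asserting on `identifier` would leave one read of the identifier and a clear reason for the local's existence; the `m_objectStoresByName.set(...)` call is a separate statement and is safely ordered before the move as written. The function body continues outside the hunk.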
[webkit-changes] [238085] trunk/Source/WebCore
Title: [238085] trunk/Source/WebCore Revision 238085 Author yusukesuz...@slowstart.org Date 2018-11-12 06:55:03 -0800 (Mon, 12 Nov 2018) Log Message IDBTransaction does not use "RefPtr self" https://bugs.webkit.org/show_bug.cgi?id=190436 Reviewed by Alex Christensen. It seems that `RefPtr self;` is not effective since it does not capture anything. Use `protectedThis = makeRef(*this)` instead. No behavior change. * Modules/indexeddb/IDBTransaction.cpp: (WebCore::IDBTransaction::IDBTransaction): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (238084 => 238085) --- trunk/Source/WebCore/ChangeLog 2018-11-12 14:40:26 UTC (rev 238084) +++ trunk/Source/WebCore/ChangeLog 2018-11-12 14:55:03 UTC (rev 238085) @@ -1,3 +1,18 @@ +2018-11-12 Yusuke Suzuki + +IDBTransaction does not use "RefPtr self" +https://bugs.webkit.org/show_bug.cgi?id=190436 + +Reviewed by Alex Christensen. + +It seems that `RefPtr self;` is not effective since it does not capture anything. +Use `protectedThis = makeRef(*this)` instead. + +No behavior change. + +* Modules/indexeddb/IDBTransaction.cpp: +(WebCore::IDBTransaction::IDBTransaction): + 2018-11-12 Alicia Boya García [MSE][GStreamer] Introduce AbortableTaskQueue Modified: trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp (238084 => 238085) --- trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp 2018-11-12 14:40:26 UTC (rev 238084) +++ trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp 2018-11-12 14:55:03 UTC (rev 238085) @@ -92,10 +92,9 @@ auto* context = scriptExecutionContext(); ASSERT(context); -RefPtr self; JSC::VM& vm = context->vm(); -vm.whenIdle([self, this]() { -deactivate(); +vm.whenIdle([protectedThis = makeRef(*this)]() { +protectedThis->deactivate(); }); establishOnServer(); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
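Review bot: "No behavior change" in the description undersells this hunk: the removed `RefPtr self;` was never assigned, so the old lambda effectively captured only a raw `this`, and `deactivate()` would have run on a freed transaction if the VM went idle after the object's last reference dropped; the new `protectedThis = makeRef(*this)` extends the lifetime until the callback runs. That is the right fix, and it is worth a comment on the capture so the extension reads as deliberate: `// Keep the transaction alive until the VM goes idle; deactivate() must not run on a destroyed object.` Whether the old ordering could actually dangle depends on whenIdle's scheduling, which this hunk does not show. The constructor begins before the hunk.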
[webkit-changes] [238026] trunk/Source/JavaScriptCore
Title: [238026] trunk/Source/_javascript_Core Revision 238026 Author yusukesuz...@slowstart.org Date 2018-11-09 03:32:43 -0800 (Fri, 09 Nov 2018) Log Message Unreviewed, rolling in CodeCache in r237254 https://bugs.webkit.org/show_bug.cgi?id=190340 Land the CodeCache part, which uses DefaultHash<>::Hash instead of computeHash. * bytecode/UnlinkedFunctionExecutable.cpp: (JSC::UnlinkedFunctionExecutable::fromGlobalCode): * bytecode/UnlinkedFunctionExecutable.h: * parser/SourceCodeKey.h: (JSC::SourceCodeKey::SourceCodeKey): (JSC::SourceCodeKey::operator== const): * runtime/CodeCache.cpp: (JSC::CodeCache::getUnlinkedGlobalCodeBlock): (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): * runtime/CodeCache.h: * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::fromGlobalCode): * runtime/FunctionExecutable.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h trunk/Source/_javascript_Core/parser/SourceCodeKey.h trunk/Source/_javascript_Core/runtime/CodeCache.cpp trunk/Source/_javascript_Core/runtime/CodeCache.h trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp trunk/Source/_javascript_Core/runtime/FunctionExecutable.cpp trunk/Source/_javascript_Core/runtime/FunctionExecutable.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (238025 => 238026) --- trunk/Source/_javascript_Core/ChangeLog 2018-11-09 10:53:33 UTC (rev 238025) +++ trunk/Source/_javascript_Core/ChangeLog 2018-11-09 11:32:43 UTC (rev 238026) 
@@ -1,3 +1,26 @@ +2018-11-09 Yusuke Suzuki + +Unreviewed, rolling in CodeCache in r237254 +https://bugs.webkit.org/show_bug.cgi?id=190340 + +Land the CodeCache part, which uses DefaultHash<>::Hash instead of computeHash. + +* bytecode/UnlinkedFunctionExecutable.cpp: +(JSC::UnlinkedFunctionExecutable::fromGlobalCode): +* bytecode/UnlinkedFunctionExecutable.h: +* parser/SourceCodeKey.h: +(JSC::SourceCodeKey::SourceCodeKey): +(JSC::SourceCodeKey::operator== const): +* runtime/CodeCache.cpp: +(JSC::CodeCache::getUnlinkedGlobalCodeBlock): +(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): +* runtime/CodeCache.h: +* runtime/FunctionConstructor.cpp: +(JSC::constructFunctionSkippingEvalEnabledCheck): +* runtime/FunctionExecutable.cpp: +(JSC::FunctionExecutable::fromGlobalCode): +* runtime/FunctionExecutable.h: + 2018-11-08 Keith Miller put_by_val opcodes need to add the number tag as a 64-bit register Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp (238025 => 238026) --- trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp 2018-11-09 10:53:33 UTC (rev 238025) +++ trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp 2018-11-09 11:32:43 UTC (rev 238026) @@ -174,7 +174,7 @@ UnlinkedFunctionExecutable* UnlinkedFunctionExecutable::fromGlobalCode( const Identifier& name, ExecState& exec, const SourceCode& source, -JSObject*& exception, int overrideLineNumber) +JSObject*& exception, int overrideLineNumber, std::optional functionConstructorParametersEndPosition) { ParserError error; VM& vm = exec.vm(); 
@@ -181,7 +181,7 @@ auto& globalObject = *exec.lexicalGlobalObject(); CodeCache* codeCache = vm.codeCache(); DebuggerMode debuggerMode = globalObject.hasInteractiveDebugger() ? DebuggerOn : DebuggerOff; -UnlinkedFunctionExecutable* executable = codeCache->getUnlinkedGlobalFunctionExecutable(vm, name, source, debuggerMode, error); +UnlinkedFunctionExecutable* executable = codeCache->getUnlinkedGlobalFunctionExecutable(vm, name, source, debuggerMode, functionConstructorParametersEndPosition, error); if (globalObject.hasDebugger()) globalObject.debugger()->sourceParsed(&exec, source.provider(), error.line(), error.message()); Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h (238025 => 238026) --- trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h 2018-11-09 10:53:33 UTC (rev 238025) +++ trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h 2018-11-09 11:32:43 UTC (rev 238026) @@ -107,7 +107,7 @@ static UnlinkedFunctionExecutable* fromGlobalCode( const Identifier&, ExecState&, const SourceCode&, JSObject*& exception, -int overrideLineNumber); +int overrideLineNumber, std::optional functionConstructorParametersEndPosition); JS_EXPORT_PRIVATE FunctionExecutable* link(VM&, const SourceCode& parentSource, std::optional overrideLineNumber = std::nullopt, Intrinsic = NoIntrinsic); Modified: trunk/Source/_javascript_Core/parser/SourceCodeKey.h (238025 => 238026) --- tr
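Review bot: The `fromGlobalCode` declaration gains `std::optional functionConstructorParametersEndPosition` with no comment, so a caller of the header has to read FunctionConstructor.cpp and the parser to learn that it is a source offset used only when the Function constructor synthesizes its source text (inferred from the name and from the ChangeLog; the template argument is lost in this rendering). Please document it at the declaration, e.g. `// Only set by the Function constructor: offset at which the synthesized parameter list must end.` The accompanying SourceCodeKey.h change, which decides whether this value distinguishes cache entries, is cut off after this hunk.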
[webkit-changes] [237987] trunk/Source/JavaScriptCore
Title: [237987] trunk/Source/_javascript_Core Revision 237987 Author yusukesuz...@slowstart.org Date 2018-11-08 07:42:10 -0800 (Thu, 08 Nov 2018) Log Message Consider removing double load for accessing the MetadataTable from LLInt https://bugs.webkit.org/show_bug.cgi?id=190933 Reviewed by Keith Miller. This patch removes double load for accesses to MetadataTable from LLInt. MetadataTable is now specially RefCounted class, which has interesting memory layout. When refcount becomes 0, MetadataTable asks UnlinkedMetadataTable to destroy itself. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): (JSC::CodeBlock::estimatedSize): (JSC::CodeBlock::visitChildren): * bytecode/CodeBlock.h: (JSC::CodeBlock::metadata): * bytecode/CodeBlockInlines.h: (JSC::CodeBlock::forEachValueProfile): (JSC::CodeBlock::forEachArrayProfile): (JSC::CodeBlock::forEachArrayAllocationProfile): (JSC::CodeBlock::forEachObjectAllocationProfile): (JSC::CodeBlock::forEachLLIntCallLinkInfo): * bytecode/MetadataTable.cpp: (JSC::MetadataTable::MetadataTable): (JSC::MetadataTable::~MetadataTable): (JSC::MetadataTable::sizeInBytes): * bytecode/MetadataTable.h: (JSC::MetadataTable::get): (JSC::MetadataTable::forEach): (JSC::MetadataTable::ref const): (JSC::MetadataTable::deref const): (JSC::MetadataTable::refCount const): (JSC::MetadataTable::hasOneRef const): (JSC::MetadataTable::buffer): (JSC::MetadataTable::linkingData const): (JSC::MetadataTable::getImpl): * bytecode/UnlinkedMetadataTable.h: (JSC::UnlinkedMetadataTable::buffer const): * bytecode/UnlinkedMetadataTableInlines.h: (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable): (JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable): (JSC::UnlinkedMetadataTable::addEntry): (JSC::UnlinkedMetadataTable::sizeInBytes): (JSC::UnlinkedMetadataTable::finalize): (JSC::UnlinkedMetadataTable::link): (JSC::UnlinkedMetadataTable::unlink): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: Modified Paths 
trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/bytecode/CodeBlockInlines.h trunk/Source/_javascript_Core/bytecode/MetadataTable.cpp trunk/Source/_javascript_Core/bytecode/MetadataTable.h trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTable.h trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTableInlines.h trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237986 => 237987) --- trunk/Source/_javascript_Core/ChangeLog 2018-11-08 15:36:05 UTC (rev 237986) +++ trunk/Source/_javascript_Core/ChangeLog 2018-11-08 15:42:10 UTC (rev 237987) 
@@ -1,3 +1,53 @@ +2018-11-07 Yusuke Suzuki + +Consider removing double load for accessing the MetadataTable from LLInt +https://bugs.webkit.org/show_bug.cgi?id=190933 + +Reviewed by Keith Miller. + +This patch removes double load for accesses to MetadataTable from LLInt. +MetadataTable is now specially RefCounted class, which has interesting memory layout. +When refcount becomes 0, MetadataTable asks UnlinkedMetadataTable to destroy itself. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::finishCreation): +(JSC::CodeBlock::estimatedSize): +(JSC::CodeBlock::visitChildren): +* bytecode/CodeBlock.h: +(JSC::CodeBlock::metadata): +* bytecode/CodeBlockInlines.h: +(JSC::CodeBlock::forEachValueProfile): +(JSC::CodeBlock::forEachArrayProfile): +(JSC::CodeBlock::forEachArrayAllocationProfile): +(JSC::CodeBlock::forEachObjectAllocationProfile): +(JSC::CodeBlock::forEachLLIntCallLinkInfo): +* bytecode/MetadataTable.cpp: +(JSC::MetadataTable::MetadataTable): +(JSC::MetadataTable::~MetadataTable): +(JSC::MetadataTable::sizeInBytes): +* bytecode/MetadataTable.h: +(JSC::MetadataTable::get): +(JSC::MetadataTable::forEach): +(JSC::MetadataTable::ref const): +(JSC::MetadataTable::deref const): +(JSC::MetadataTable::refCount const): +(JSC::MetadataTable::hasOneRef const): +(JSC::MetadataTable::buffer): +(JSC::MetadataTable::linkingData const): +(JSC::MetadataTable::getImpl): +* bytecode/UnlinkedMetadataTable.h: +(JSC::UnlinkedMetadataTable::buffer const): +* bytecode/UnlinkedMetadataTableInlines.h: +(JSC::UnlinkedMetadataTable::UnlinkedMetadataTable): +(JSC::UnlinkedMetadataTable::~UnlinkedMetadataTable): +(JSC::UnlinkedMetadataTable::addEntry): +(JSC::UnlinkedMetadataTable::sizeInBytes): +(JSC::UnlinkedMetadataTable::finalize): +(JSC::UnlinkedMetadataTable::link): +(JSC::UnlinkedMetadataTable::unlink): +* llint/LowLevelInterpreter.asm: +* l
[webkit-changes] [237627] trunk/Source/JavaScriptCore
Title: [237627] trunk/Source/_javascript_Core Revision 237627 Author yusukesuz...@slowstart.org Date 2018-10-30 23:14:04 -0700 (Tue, 30 Oct 2018) Log Message [JSC][LLInt] Compact LLInt ASM code by removing unnecessary instructions https://bugs.webkit.org/show_bug.cgi?id=191092 Reviewed by Saam Barati. Looking through LLIntAssembly.h, we can find several inefficiencies. This patch fixes the following things to tighten LLInt ASM code. 1. Remove unnecessary load instructions. Use jmp with BaseIndex directly. 2. Introduce strength reduction for mul instructions in offlineasm layer. This is now critical since mul instruction is executed in `metadata` operation in LLInt. If the given immediate is a power of two, we convert it to lshift instruction. * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/arm64.rb: * offlineasm/instructions.rb: * offlineasm/x86.rb: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/offlineasm/arm64.rb trunk/Source/_javascript_Core/offlineasm/instructions.rb trunk/Source/_javascript_Core/offlineasm/x86.rb Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237626 => 237627) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-31 05:45:07 UTC (rev 237626) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-31 06:14:04 UTC (rev 237627) 
@@ -1,3 +1,24 @@ +2018-10-30 Yusuke Suzuki + +[JSC][LLInt] Compact LLInt ASM code by removing unnecessary instructions +https://bugs.webkit.org/show_bug.cgi?id=191092 + +Reviewed by Saam Barati. + +Looking through LLIntAssembly.h, we can find several inefficiencies. This patch fixes the +following things to tighten LLInt ASM code. + +1. Remove unnecessary load instructions. Use jmp with BaseIndex directly. +2. Introduce strength reduction for mul instructions in offlineasm layer. This is now critical +since mul instruction is executed in `metadata` operation in LLInt. If the given immediate is +a power of two, we convert it to lshift instruction. + +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +* offlineasm/arm64.rb: +* offlineasm/instructions.rb: +* offlineasm/x86.rb: + 2018-10-30 Don Olmstead [PlayStation] Enable _javascript_Core Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (237626 => 237627) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-10-31 05:45:07 UTC (rev 237626) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-10-31 06:14:04 UTC (rev 237627) @@ -26,15 +26,13 @@ macro nextInstruction() loadb [PC], t0 leap _g_opcodeMap, t1 -loadp [t1, t0, 4], t2 -jmp t2, BytecodePtrTag +jmp [t1, t0, 4], BytecodePtrTag end macro nextInstructionWide() loadi 1[PC], t0 leap _g_opcodeMapWide, t1 -loadp [t1, t0, 4], t2 -jmp t2, BytecodePtrTag +jmp [t1, t0, 4], BytecodePtrTag end macro getuOperandNarrow(op, field, dst) Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (237626 => 237627) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-10-31 05:45:07 UTC (rev 237626) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-10-31 06:14:04 UTC (rev 237627) 
@@ -28,15 +28,13 @@ macro nextInstruction() loadb [PB, PC, 1], t0 leap _g_opcodeMap, t1 -loadp [t1, t0, PtrSize], t2 -jmp t2, BytecodePtrTag +jmp [t1, t0, PtrSize], BytecodePtrTag end macro nextInstructionWide() loadi 1[PB, PC, 1], t0 leap _g_opcodeMapWide, t1 -loadp [t1, t0, PtrSize], t2 -jmp t2, BytecodePtrTag +jmp [t1, t0, PtrSize], BytecodePtrTag end macro getuOperandNarrow(op, field, dst) @@ -437,17 +435,30 @@ # Index and value must be different registers. Index may be clobbered. macro loadConstantOrVariable(size, index, value) -size(FirstConstantRegisterIndexNarrow, FirstConstantRegisterIndexWide, macro (FirstConstantRegisterIndex) -bpgteq index, FirstConstantRegisterIndex, .constant +macro loadNarrow() +bpgteq index, FirstConstantRegisterIndexNarrow, .constant loadq [cfr, index, 8], value jmp .done .constant: loadp CodeBlock[cfr], value loadp CodeBlock::m_constantRegisters + VectorBufferOffset[value], value -subp FirstConstantRegisterIndex, index +loadq -(FirstConstantRegisterIndexNarrow * 8)[value, index, 8], value +.done: +end + +macro loadWide() +bpgteq index, FirstConstantRegisterIndexWide, .constant +loadq [cfr, index, 8], value +jmp .done +.constant: +loadp CodeBlock[cfr], value +loadp CodeBlock::m_constantRegisters + VectorBufferOffset[value], value +
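Review bot: `jmp [t1, t0, PtrSize], BytecodePtrTag` now branches through a memory operand, so the offlineasm backends must lower it as load, then (on targets with pointer authentication) authenticate with BytecodePtrTag, then branch; the removed `loadp ... t2` / `jmp t2, BytecodePtrTag` pair made that sequence explicit. The ChangeLog lists offlineasm/arm64.rb and x86.rb as updated, which presumably adds exactly that lowering, but the hunk does not show it, so confirm the arm64e path still authenticates the loaded opcode-map entry rather than branching on the raw value. A comment on the macro would record the expectation: `# BaseIndex jmp: offlineasm loads the opcode-map entry and authenticates it with BytecodePtrTag where PAC is enabled.`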
[webkit-changes] [237586] trunk/Source/JavaScriptCore
Title: [237586] trunk/Source/_javascript_Core Revision 237586 Author yusukesuz...@slowstart.org Date 2018-10-30 02:00:17 -0700 (Tue, 30 Oct 2018) Log Message "Unreviewed, partial rolling in r237254" https://bugs.webkit.org/show_bug.cgi?id=190340 This only adds Parser.{cpp,h}. And it is not used in this patch. It examines that the regression is related to exact Parser changes. * parser/Parser.cpp: (JSC::Parser::parseInner): (JSC::Parser::parseSingleFunction): (JSC::Parser::parseFunctionInfo): (JSC::Parser::parseFunctionDeclaration): (JSC::Parser::parseAsyncFunctionDeclaration): * parser/Parser.h: (JSC::Parser::parse): (JSC::parse): (JSC::parseFunctionForFunctionConstructor): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/parser/Parser.cpp trunk/Source/_javascript_Core/parser/Parser.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237585 => 237586) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-30 08:59:44 UTC (rev 237585) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-30 09:00:17 UTC (rev 237586) 
@@ -1,3 +1,22 @@ +2018-10-30 Yusuke Suzuki + +"Unreviewed, partial rolling in r237254" +https://bugs.webkit.org/show_bug.cgi?id=190340 + +This only adds Parser.{cpp,h}. And it is not used in this patch. +It examines that the regression is related to exact Parser changes. + +* parser/Parser.cpp: +(JSC::Parser::parseInner): +(JSC::Parser::parseSingleFunction): +(JSC::Parser::parseFunctionInfo): +(JSC::Parser::parseFunctionDeclaration): +(JSC::Parser::parseAsyncFunctionDeclaration): +* parser/Parser.h: +(JSC::Parser::parse): +(JSC::parse): +(JSC::parseFunctionForFunctionConstructor): + 2018-10-29 Mark Lam Correctly detect string overflow when using the 'Function' constructor. Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (237585 => 237586) --- trunk/Source/_javascript_Core/parser/Parser.cpp 2018-10-30 08:59:44 UTC (rev 237585) +++ trunk/Source/_javascript_Core/parser/Parser.cpp 2018-10-30 09:00:17 UTC (rev 237586) @@ -194,7 +194,7 @@ } template -String Parser::parseInner(const Identifier& calleeName, SourceParseMode parseMode) +String Parser::parseInner(const Identifier& calleeName, SourceParseMode parseMode, ParsingContext parsingContext, std::optional functionConstructorParametersEndPosition) { String parseError = String(); @@ -238,6 +238,8 @@ sourceElements = parseGeneratorFunctionSourceElements(context, calleeName, CheckForStrictMode); else if (isAsyncGeneratorWrapperParseMode(parseMode)) sourceElements = parseAsyncGeneratorFunctionSourceElements(context, parseMode, isArrowFunctionBodyExpression, CheckForStrictMode); +else if (parsingContext == ParsingContext::FunctionConstructor) +sourceElements = parseSingleFunction(context, functionConstructorParametersEndPosition); else sourceElements = parseSourceElements(context, CheckForStrictMode); } 
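Review bot: The new `parsingContext == ParsingContext::FunctionConstructor` branch in parseInner is tested after the generator and async-generator wrapper checks, so a FunctionConstructor context paired with a wrapper parse mode would silently take the wrapper path and never reach parseSingleFunction. If that pairing is impossible by construction, an ASSERT ahead of the chain would document it, e.g. `ASSERT(parsingContext != ParsingContext::FunctionConstructor || !isAsyncGeneratorWrapperParseMode(parseMode));` (the generator-wrapper predicate is not visible in the hunk, so extend it as appropriate). parseInner begins before the first hunk and continues after the second.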
@@ -610,6 +612,38 @@ return sourceElements; } + +template +template TreeSourceElements Parser::parseSingleFunction(TreeBuilder& context, std::optional functionConstructorParametersEndPosition) +{ +TreeSourceElements sourceElements = context.createSourceElements(); +TreeStatement statement = 0; +switch (m_token.m_type) { +case FUNCTION: +statement = parseFunctionDeclaration(context, ExportType::NotExported, DeclarationDefaultContext::Standard, functionConstructorParametersEndPosition); +break; +case IDENT: +if (*m_token.m_data.ident == m_vm->propertyNames->async && !m_token.m_data.escaped) { +next(); +failIfFalse(match(FUNCTION) && !m_lexer->prevTerminator(), "Cannot parse the async function"); +statement = parseAsyncFunctionDeclaration(context, ExportType::NotExported, DeclarationDefaultContext::Standard, functionConstructorParametersEndPosition); +break; +} +FALLTHROUGH; +default: +failDueToUnexpectedToken(); +break; +} + +if (statement) { +context.setEndOffset(statement, m_lastTokenEndPosition.offset); +context.appendStatement(sourceElements, statement); +} + +propagateError(); +return sourceElements; +} + template template TreeStatement Parser::parseStatementListItem(TreeBuilder& context, const Identifier*& directive, unsigned* directiveLiteralLength) @@ -2263,7 +2297,7 @@ } template -template bool Parser::parseFunctionInfo(TreeBuilder& context, FunctionNameRequirements requirements, SourceParseMode mode, bool nameIsInContainingScope, ConstructorKind constructorKind, SuperBinding expectedSuperBinding, int functionKeywordStart, ParserFunctionInfo& functionInfo, FunctionDefinitionType functionDefinitionType) +template bool Parser::parseFunctionInfo(TreeBuilder& context,
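Review bot: parseSingleFunction accepts exactly one `function` or `async function` declaration but does not itself check that the token stream is then at EOF, so a body such as `} function g() {` that closes the synthesized function early and starts another is only rejected if the caller consumes EOF afterwards, presumably parseInner's trailing EOF check, which is outside this hunk; confirm that check is still reached for ParsingContext::FunctionConstructor. Since this function is the boundary that keeps Function-constructor strings from contributing statements outside the intended function, it deserves a comment saying so: `// Function constructor: parse exactly one function declaration. The caller is responsible for verifying that nothing but EOF follows.` The `async` path also relies on `!m_lexer->prevTerminator()` after `next()`, which is correct for the synthesized `async function anonymous(` prefix but worth a word in the same comment.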
[webkit-changes] [237492] trunk/Source/JavaScriptCore
Title: [237492] trunk/Source/_javascript_Core Revision 237492 Author yusukesuz...@slowstart.org Date 2018-10-27 07:41:22 -0700 (Sat, 27 Oct 2018) Log Message Unreviewed, partial rolling in r237254 https://bugs.webkit.org/show_bug.cgi?id=190340 We do not use the added function right now to investigate what is the reason of the regression. It also does not include any Parser.{h,cpp} changes to ensure that Parser.cpp's inlining decision seems culprit of the regression on iOS devices. * bytecode/UnlinkedFunctionExecutable.cpp: (JSC::UnlinkedFunctionExecutable::fromGlobalCode): * bytecode/UnlinkedFunctionExecutable.h: * parser/SourceCodeKey.h: (JSC::SourceCodeKey::SourceCodeKey): (JSC::SourceCodeKey::operator== const): * runtime/CodeCache.cpp: (JSC::CodeCache::getUnlinkedGlobalCodeBlock): (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): * runtime/CodeCache.h: * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::fromGlobalCode): * runtime/FunctionExecutable.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h trunk/Source/_javascript_Core/parser/SourceCodeKey.h trunk/Source/_javascript_Core/runtime/CodeCache.cpp trunk/Source/_javascript_Core/runtime/CodeCache.h trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp trunk/Source/_javascript_Core/runtime/FunctionExecutable.cpp trunk/Source/_javascript_Core/runtime/FunctionExecutable.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237491 => 237492) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-27 14:28:38 UTC (rev 237491) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-27 14:41:22 UTC (rev 237492) 
@@ -1,3 +1,28 @@ +2018-10-27 Yusuke Suzuki + +Unreviewed, partial rolling in r237254 +https://bugs.webkit.org/show_bug.cgi?id=190340 + +We do not use the added function right now to investigate what is the reason of the regression. +It also does not include any Parser.{h,cpp} changes to ensure that Parser.cpp's inlining decision +seems culprit of the regression on iOS devices. + +* bytecode/UnlinkedFunctionExecutable.cpp: +(JSC::UnlinkedFunctionExecutable::fromGlobalCode): +* bytecode/UnlinkedFunctionExecutable.h: +* parser/SourceCodeKey.h: +(JSC::SourceCodeKey::SourceCodeKey): +(JSC::SourceCodeKey::operator== const): +* runtime/CodeCache.cpp: +(JSC::CodeCache::getUnlinkedGlobalCodeBlock): +(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): +* runtime/CodeCache.h: +* runtime/FunctionConstructor.cpp: +(JSC::constructFunctionSkippingEvalEnabledCheck): +* runtime/FunctionExecutable.cpp: +(JSC::FunctionExecutable::fromGlobalCode): +* runtime/FunctionExecutable.h: + 2018-10-26 Commit Queue Unreviewed, rolling out r237479 and r237484. Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp (237491 => 237492) --- trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp 2018-10-27 14:28:38 UTC (rev 237491) +++ trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp 2018-10-27 14:41:22 UTC (rev 237492) @@ -174,7 +174,7 @@ UnlinkedFunctionExecutable* UnlinkedFunctionExecutable::fromGlobalCode( const Identifier& name, ExecState& exec, const SourceCode& source, -JSObject*& exception, int overrideLineNumber) +JSObject*& exception, int overrideLineNumber, std::optional functionConstructorParametersEndPosition) { ParserError error; VM& vm = exec.vm(); 
@@ -181,7 +181,7 @@ auto& globalObject = *exec.lexicalGlobalObject(); CodeCache* codeCache = vm.codeCache(); DebuggerMode debuggerMode = globalObject.hasInteractiveDebugger() ? DebuggerOn : DebuggerOff; -UnlinkedFunctionExecutable* executable = codeCache->getUnlinkedGlobalFunctionExecutable(vm, name, source, debuggerMode, error); +UnlinkedFunctionExecutable* executable = codeCache->getUnlinkedGlobalFunctionExecutable(vm, name, source, debuggerMode, functionConstructorParametersEndPosition, error); if (globalObject.hasDebugger()) globalObject.debugger()->sourceParsed(&exec, source.provider(), error.line(), error.message()); Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h (237491 => 237492) --- trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h 2018-10-27 14:28:38 UTC (rev 237491) +++ trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h 2018-10-27 14:41:22 UTC (rev 237492) @@ -107,7 +107,7 @@ static UnlinkedFunctionExecutable* fromGlobalCode( const Identifier&, ExecState&, const SourceCode&, JSObject*& exception, -int overrideLineNumber); +int overrideLineNumber, st
[webkit-changes] [237447] trunk/Source/JavaScriptCore
Title: [237447] trunk/Source/_javascript_Core Revision 237447 Author yusukesuz...@slowstart.org Date 2018-10-26 00:56:56 -0700 (Fri, 26 Oct 2018) Log Message [JSC] havingABadTimeWatchpoint is not required in Array#indexOf optimization https://bugs.webkit.org/show_bug.cgi?id=190941 Reviewed by Saam Barati. While "Rest" operation fast path requires havingABadTimeWatchpoint since it allocates JSArray, Array#{indexOf,lastIndexOf} do not require it when we use the fast path for them. This patch removes watching on havingABadTimeWatchpoint in Array#indexOf. The test causing "havingABadTime" is already included in our test suites (e.g. array-indexof-have-a-bad-time.js). * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): * runtime/JSArrayInlines.h: (JSC::JSArray::canDoFastIndexedAccess): * runtime/JSGlobalObject.h: * runtime/JSGlobalObjectInlines.h: (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable): (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable): Deleted. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/runtime/JSArrayInlines.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/JSGlobalObjectInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237446 => 237447) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-26 05:06:24 UTC (rev 237446) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-26 07:56:56 UTC (rev 237447) 
@@ -1,5 +1,26 @@ 2018-10-25 Yusuke Suzuki +[JSC] havingABadTimeWatchpoint is not required in Array#indexOf optimization +https://bugs.webkit.org/show_bug.cgi?id=190941 + +Reviewed by Saam Barati. + +While "Rest" operation fast path requires havingABadTimeWatchpoint since it allocates +JSArray, Array#{indexOf,lastIndexOf} do not require it when we use the fast path for them. +This patch removes watching on havingABadTimeWatchpoint in Array#indexOf. The test causing +"havingABadTime" is already included in our test suites (e.g. array-indexof-have-a-bad-time.js). + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::handleIntrinsicCall): +* runtime/JSArrayInlines.h: +(JSC::JSArray::canDoFastIndexedAccess): +* runtime/JSGlobalObject.h: +* runtime/JSGlobalObjectInlines.h: +(JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable): +(JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable): Deleted. + +2018-10-25 Yusuke Suzuki + Unreviewed, partial rolling in r237254 https://bugs.webkit.org/show_bug.cgi?id=190340 Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (237446 => 237447) --- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2018-10-26 05:06:24 UTC (rev 237446) +++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2018-10-26 07:56:56 UTC (rev 237447) 
@@ -2362,12 +2362,10 @@ // FIXME: We could easily relax the Array/Object.prototype transition as long as we OSR exitted if we saw a hole. // https://bugs.webkit.org/show_bug.cgi?id=173171 -if (globalObject->havingABadTimeWatchpoint()->isStillValid() -&& arrayPrototypeStructure->transitionWatchpointSetIsStillValid() +if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() && objectPrototypeStructure->transitionWatchpointSetIsStillValid() && globalObject->arrayPrototypeChainIsSane()) { -m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint()); m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure); m_graph.registerAndWatchStructureTransition(objectPrototypeStructure); Modified: trunk/Source/_javascript_Core/runtime/JSArrayInlines.h (237446 => 237447) --- trunk/Source/_javascript_Core/runtime/JSArrayInlines.h 2018-10-26 05:06:24 UTC (rev 237446) +++ trunk/Source/_javascript_Core/runtime/JSArrayInlines.h 2018-10-26 07:56:56 UTC (rev 237447) @@ -74,7 +74,7 @@ inline bool JSArray::canDoFastIndexedAccess(VM& vm) { JSGlobalObject* globalObject = this->globalObject(); -if (!globalObject->isArrayPrototypeIndexedAccessFastAndNonObservable()) +if (!globalObject->arrayPrototypeChainIsSane()) return false; Structure* structure = this->structure(vm); Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (237446 => 237447) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2018-10-26 05:06:24 UTC (rev 237446) +++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2018-10-26 07:56:56 UTC (rev 237447) @@ -476,7 +476,6 @@ PoisonedUniquePtr> m_setPrototypeAddWatchpoint; PoisonedUniquePtr> m_numberPrototypeToStringWatchpoint; -bool isArrayProto
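Review bot: The new condition in handleIntrinsicCall drops the havingABadTimeWatchpoint check together with its addLazily registration, but leaves no comment at the site saying why the watchpoint is no longer needed; that reasoning lives only in the ChangeLog. Because the JIT's correctness for the indexOf fast path now rests on the invariant that this fast path never allocates a JSArray, the invariant belongs next to the check, e.g. `// No havingABadTimeWatchpoint here: unlike the Rest fast path, the indexOf fast path does not allocate a JSArray.` The same applies to canDoFastIndexedAccess in JSArrayInlines.h, where the guard now tests only arrayPrototypeChainIsSane(); a one-line comment there would record that the havingABadTime condition was dropped deliberately rather than lost in the rename. Both enclosing functions continue outside their hunks.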
[webkit-changes] [237445] trunk/Source/JavaScriptCore
Title: [237445] trunk/Source/_javascript_Core Revision 237445 Author yusukesuz...@slowstart.org Date 2018-10-25 21:51:59 -0700 (Thu, 25 Oct 2018) Log Message Unreviewed, partial rolling in r237254 https://bugs.webkit.org/show_bug.cgi?id=190340 We do not use the added function right now, so that we can investigate the reason for the regression. If it causes the regression, Parser.cpp's inlining decision seems to be the culprit. * bytecode/UnlinkedFunctionExecutable.cpp: (JSC::UnlinkedFunctionExecutable::fromGlobalCode): * bytecode/UnlinkedFunctionExecutable.h: * parser/Parser.cpp: (JSC::Parser::parseInner): (JSC::Parser::parseSingleFunction): (JSC::Parser::parseFunctionInfo): (JSC::Parser::parseFunctionDeclaration): (JSC::Parser::parseAsyncFunctionDeclaration): * parser/Parser.h: (JSC::Parser::parse): (JSC::parse): (JSC::parseFunctionForFunctionConstructor): * parser/ParserModes.h: * parser/ParserTokens.h: (JSC::JSTextPosition::JSTextPosition): (JSC::JSTokenLocation::JSTokenLocation): Deleted. 
* parser/SourceCodeKey.h: (JSC::SourceCodeKey::SourceCodeKey): (JSC::SourceCodeKey::operator== const): * runtime/CodeCache.cpp: (JSC::CodeCache::getUnlinkedGlobalCodeBlock): (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): * runtime/CodeCache.h: * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::fromGlobalCode): * runtime/FunctionExecutable.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.h trunk/Source/_javascript_Core/parser/Parser.cpp trunk/Source/_javascript_Core/parser/Parser.h trunk/Source/_javascript_Core/parser/ParserModes.h trunk/Source/_javascript_Core/parser/ParserTokens.h trunk/Source/_javascript_Core/parser/SourceCodeKey.h trunk/Source/_javascript_Core/runtime/CodeCache.cpp trunk/Source/_javascript_Core/runtime/CodeCache.h trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp trunk/Source/_javascript_Core/runtime/FunctionExecutable.cpp trunk/Source/_javascript_Core/runtime/FunctionExecutable.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237444 => 237445) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-26 02:03:15 UTC (rev 237444) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-26 04:51:59 UTC (rev 237445) 
@@ -1,3 +1,41 @@ +2018-10-25 Yusuke Suzuki + +Unreviewed, partial rolling in r237254 +https://bugs.webkit.org/show_bug.cgi?id=190340 + +We do not use the added function right now to investigate what is the reason of the regression. +If it causes the regression, it seems that Parser.cpp's inlining decision seems culprit. + +* bytecode/UnlinkedFunctionExecutable.cpp: +(JSC::UnlinkedFunctionExecutable::fromGlobalCode): +* bytecode/UnlinkedFunctionExecutable.h: +* parser/Parser.cpp: +(JSC::Parser::parseInner): +(JSC::Parser::parseSingleFunction): +(JSC::Parser::parseFunctionInfo): +(JSC::Parser::parseFunctionDeclaration): +(JSC::Parser::parseAsyncFunctionDeclaration): +* parser/Parser.h: +(JSC::Parser::parse): +(JSC::parse): +(JSC::parseFunctionForFunctionConstructor): +* parser/ParserModes.h: +* parser/ParserTokens.h: +(JSC::JSTextPosition::JSTextPosition): +(JSC::JSTokenLocation::JSTokenLocation): Deleted. +* parser/SourceCodeKey.h: +(JSC::SourceCodeKey::SourceCodeKey): +(JSC::SourceCodeKey::operator== const): +* runtime/CodeCache.cpp: +(JSC::CodeCache::getUnlinkedGlobalCodeBlock): +(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): +* runtime/CodeCache.h: +* runtime/FunctionConstructor.cpp: +(JSC::constructFunctionSkippingEvalEnabledCheck): +* runtime/FunctionExecutable.cpp: +(JSC::FunctionExecutable::fromGlobalCode): +* runtime/FunctionExecutable.h: + 2018-10-25 Brent Fulgham Unreviewed build fix for Visual Studio 2017 Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp (237444 => 237445) --- trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp 2018-10-26 02:03:15 UTC (rev 237444) +++ trunk/Source/_javascript_Core/bytecode/UnlinkedFunctionExecutable.cpp 2018-10-26 04:51:59 UTC (rev 237445) 
@@ -174,7 +174,7 @@ UnlinkedFunctionExecutable* UnlinkedFunctionExecutable::fromGlobalCode( const Identifier& name, ExecState& exec, const SourceCode& source, -JSObject*& exception, int overrideLineNumber) +JSObject*& exception, int overrideLineNumber, std::optional functionConstructorParametersEndPosition) { ParserError error; VM& vm = exec.vm(); @@ -181,7 +181,7 @@ auto& globalObject = *exec.lexicalGlobalObject(); CodeCache* codeCache = vm.codeCache(); DebuggerM
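Review bot: The new `functionConstructorParametersEndPosition` parameter on UnlinkedFunctionExecutable::fromGlobalCode is introduced without any comment saying what position it carries or what a nullopt means, and since this commit deliberately leaves the new path unused, a reader of the signature cannot tell whether passing a value is supported yet. A short comment at the declaration in UnlinkedFunctionExecutable.h (outside this hunk) would settle that, along the lines of `// Source offset at which the Function constructor's parameter string ends; presumably nullopt disables the end-position check in the parser.` The rendered diff also appears to have lost the template argument of std::optional, so the exact type should be read from the header rather than from this hunk. The function body continues past the hunk.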
[webkit-changes] [237254] trunk
Title: [237254] trunk Revision 237254 Author yusukesuz...@slowstart.org Date 2018-10-18 06:04:22 -0700 (Thu, 18 Oct 2018) Log Message [JSC] JSC should have "parseFunction" to optimize Function constructor https://bugs.webkit.org/show_bug.cgi?id=190340 Reviewed by Mark Lam. JSTests: This patch fixes the line number of syntax errors raised by the Function constructor, since we now parse the final code only once. And we no longer use block statement for Function constructor's parsing. * ChakraCore/test/Function/FuncBodyES5.baseline-jsc: * stress/function-cache-with-parameters-end-position.js: Added. (shouldBe): (shouldThrow): (i.anonymous): * stress/function-constructor-name.js: Added. (shouldBe): (GeneratorFunction): (AsyncFunction.async): (AsyncGeneratorFunction.async): (anonymous): (async.anonymous): * test262/expectations.yaml: LayoutTests/imported/w3c: * web-platform-tests/html/webappapis/scripting/events/inline-event-handler-ordering-expected.txt: * web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled-raw-handler-compiled-late-expected.txt: * web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-attribute-expected.txt: * web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-body-onerror-expected.txt: Source/_javascript_Core: The current Function constructor is suboptimal. We parse the piece of the same code three times to meet the spec requirement. (1) check parameters syntax, (2) check body syntax, and (3) parse the entire function. And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation is really costly and ideally we should meet the above requirement by the one time parsing. To meet the above requirement, we add a special function for Parser, parseSingleFunction. This function takes `std::optional functionConstructorParametersEndPosition` and check this end position is correct in the parser. 
For example, if we run the code, Function('/*', '*/){') According to the spec, this should produce '/*' parameter string and '*/){' body string. And parameter string should be syntax-checked by the parser, and raise the error since it is incorrect. Instead of doing that, in our implementation, we first create the entire string. function anonymous(/*) { */){ } And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case, the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token offset of the parameters is the given end position. This check allows us to raise the error correctly to the above example while we parse the entire function only once. And we do not need to create two strings too. This improves the performance of the Function constructor significantly. And web-tooling-benchmark/uglify-js is significantly sped up (28.2%). Before: uglify-js: 2.94 runs/s After: uglify-js: 3.77 runs/s * bytecode/UnlinkedFunctionExecutable.cpp: (JSC::UnlinkedFunctionExecutable::fromGlobalCode): * bytecode/UnlinkedFunctionExecutable.h: * parser/Parser.cpp: (JSC::Parser::parseInner): (JSC::Parser::parseSingleFunction): (JSC::Parser::parseFunctionInfo): (JSC::Parser::parseFunctionDeclaration): (JSC::Parser::parseAsyncFunctionDeclaration): * parser/Parser.h: (JSC::Parser::parse): (JSC::parse): (JSC::parseFunctionForFunctionConstructor): * parser/ParserModes.h: * parser/ParserTokens.h: (JSC::JSTextPosition::JSTextPosition): (JSC::JSTokenLocation::JSTokenLocation): Deleted. 
* parser/SourceCodeKey.h: (JSC::SourceCodeKey::SourceCodeKey): (JSC::SourceCodeKey::operator== const): * runtime/CodeCache.cpp: (JSC::CodeCache::getUnlinkedGlobalCodeBlock): (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): * runtime/CodeCache.h: * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::fromGlobalCode): * runtime/FunctionExecutable.h: LayoutTests: * fast/dom/attribute-event-listener-errors-expected.txt: * fast/events/attribute-listener-deletion-crash-expected.txt: * fast/events/window-onerror-syntax-error-in-attr-expected.txt: * js/dom/invalid-syntax-for-function-expected.txt: * js/dom/script-start-end-locations-expected.txt: Modified Paths trunk/JSTests/ChakraCore/test/Function/FuncBodyES5.baseline-jsc trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/attribute-event-listener-errors-expected.txt trunk/LayoutTests/fast/events/attribute-listener-deletion-crash-expected.txt trunk/LayoutTests/fast/events/window-onerror-syntax-error-in-attr-expected.txt trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/events/inline-event-handler-ordering-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled
[webkit-changes] [237223] trunk/Source/JavaScriptCore
Title: [237223] trunk/Source/_javascript_Core Revision 237223 Author yusukesuz...@slowstart.org Date 2018-10-17 10:50:52 -0700 (Wed, 17 Oct 2018) Log Message [JSC] Use WTF::Function instead of std::function https://bugs.webkit.org/show_bug.cgi?id=190665 Reviewed by Keith Miller. We should use WTF::Function as much as possible. It allocates memory from bmalloc instead of standard malloc. * runtime/JSNativeStdFunction.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSNativeStdFunction.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237222 => 237223) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-17 17:49:15 UTC (rev 237222) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-17 17:50:52 UTC (rev 237223) @@ -1,3 +1,14 @@ +2018-10-17 Yusuke Suzuki + +[JSC] Use WTF::Function instead of std::function +https://bugs.webkit.org/show_bug.cgi?id=190665 + +Reviewed by Keith Miller. + +We should use WTF::Function as much as possible. It allocates memory from bmalloc instead of standard malloc. + +* runtime/JSNativeStdFunction.h: + 2018-10-17 Keith Miller Remove debug logging from generate_offsets_extractor.rb Modified: trunk/Source/_javascript_Core/runtime/JSNativeStdFunction.h (237222 => 237223) --- trunk/Source/_javascript_Core/runtime/JSNativeStdFunction.h 2018-10-17 17:49:15 UTC (rev 237222) +++ trunk/Source/_javascript_Core/runtime/JSNativeStdFunction.h 2018-10-17 17:50:52 UTC (rev 237223) @@ -32,7 +32,7 @@ class JSGlobalObject; class NativeStdFunctionCell; -typedef std::function NativeStdFunction; +using NativeStdFunction = WTF::Function; class JSNativeStdFunction final : public JSFunction { public: ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
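Review bot: Replacing the std::function alias with WTF::Function is a semantic change as well as an allocator change: WTF::Function is move-only, so any site that copied a NativeStdFunction value must now WTFMove() it, and the ChangeLog mentions only the bmalloc motivation. A one-line comment on the alias would spare the next reader the surprise, e.g. `// Move-only: callers transfer ownership into the NativeStdFunctionCell with WTFMove().` The template argument of both types appears to have been stripped in this rendering, so the exact signature should be taken from the header.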
[webkit-changes] [237220] trunk/Source/JavaScriptCore
Title: [237220] trunk/Source/_javascript_Core Revision 237220 Author yusukesuz...@slowstart.org Date 2018-10-17 08:48:57 -0700 (Wed, 17 Oct 2018) Log Message [JSC] More aggressively use `constexpr` in LowLevelInterpreter.asm for constant values https://bugs.webkit.org/show_bug.cgi?id=190659 Reviewed by Keith Miller. Asking the JSC binary for the actual constant value is always the best way to get the correct value, since it is updated automatically once the original value changes. We would like to encourage this approach more in LowLevelInterpreter.asm. This patch expands the coverage of this approach. We make ObservedType, ResultType, and ArithProfile constexpr-friendly to produce the magic values used in LowLevelInterpreter.asm at compile time. This change allows us to easily extend ArithProfile in the future to adopt BigInt efficiently. We additionally use `constexpr` for several constant values in LowLevelInterpreter.asm. * assembler/MaxFrameExtentForSlowPathCall.h: Use this value in LowLevelInterpreter.asm directly. We also make them constexpr, and we add CPU(ARM64E). 
* bytecode/ArithProfile.h: (JSC::ObservedType::ObservedType): (JSC::ObservedType::sawInt32 const): (JSC::ObservedType::isOnlyInt32 const): (JSC::ObservedType::sawNumber const): (JSC::ObservedType::isOnlyNumber const): (JSC::ObservedType::sawNonNumber const): (JSC::ObservedType::isOnlyNonNumber const): (JSC::ObservedType::isEmpty const): (JSC::ObservedType::bits const): (JSC::ObservedType::withInt32 const): (JSC::ObservedType::withNumber const): (JSC::ObservedType::withNonNumber const): (JSC::ObservedType::withoutNonNumber const): (JSC::ObservedType::operator== const): (JSC::ArithProfile::ArithProfile): (JSC::ArithProfile::fromInt): (JSC::ArithProfile::observedUnaryInt): (JSC::ArithProfile::observedUnaryNumber): (JSC::ArithProfile::observedBinaryIntInt): (JSC::ArithProfile::observedBinaryNumberInt): (JSC::ArithProfile::observedBinaryIntNumber): (JSC::ArithProfile::observedBinaryNumberNumber): (JSC::ArithProfile::lhsObservedType const): (JSC::ArithProfile::rhsObservedType const): (JSC::ArithProfile::bits const): Make ObservedType and ArithProfile constexpr-friendly. * llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions): Make several ASSERTs to STATIC_ASSERTs. Remove some unnecessary checks. * llint/LLIntOffsetsExtractor.cpp: * llint/LowLevelInterpreter.asm: Remove unused constant values. Use constexpr more and more aggressively. 
* parser/ResultType.h: (JSC::ResultType::ResultType): (JSC::ResultType::isInt32 const): (JSC::ResultType::definitelyIsNumber const): (JSC::ResultType::definitelyIsString const): (JSC::ResultType::definitelyIsBoolean const): (JSC::ResultType::definitelyIsBigInt const): (JSC::ResultType::mightBeNumber const): (JSC::ResultType::isNotNumber const): (JSC::ResultType::mightBeBigInt const): (JSC::ResultType::isNotBigInt const): (JSC::ResultType::nullType): (JSC::ResultType::booleanType): (JSC::ResultType::numberType): (JSC::ResultType::numberTypeIsInt32): (JSC::ResultType::stringOrNumberType): (JSC::ResultType::addResultType): (JSC::ResultType::stringType): (JSC::ResultType::bigIntType): (JSC::ResultType::unknownType): (JSC::ResultType::forAdd): (JSC::ResultType::forLogicalOp): (JSC::ResultType::forBitOp): (JSC::ResultType::bits const): Make ResultType constexpr-friendly. * runtime/JSCJSValue.h: Use offsetof instead of OBJECT_OFFSETOF. It is OK since EncodedValueDescriptor is POD. This change makes TagOffset and PayloadOffset macros constexpr-friendly while OBJECT_OFFSETOF cannot be used in constexpr since it uses reinterpret_cast. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/MaxFrameExtentForSlowPathCall.h trunk/Source/_javascript_Core/bytecode/ArithProfile.h trunk/Source/_javascript_Core/llint/LLIntData.cpp trunk/Source/_javascript_Core/llint/LLIntOffsetsExtractor.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/parser/ResultType.h trunk/Source/_javascript_Core/runtime/JSCJSValue.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237219 => 237220) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-17 14:10:44 UTC (rev 237219) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-17 15:48:57 UTC (rev 237220) 
@@ -1,3 +1,89 @@ +2018-10-17 Yusuke Suzuki + +[JSC] More aggressively use `constexpr` in LowLevelInterpreter.asm for constant values +https://bugs.webkit.org/show_bug.cgi?id=190659 + +Reviewed by Keith Miller. + +Asking the actual constant value to the JSC binary is always the best way to get the correct value. +The value is correctly updated once the original value is changed. We would like to encourage this +approach more in LowLevelInterpreter.asm. + +This patch expands the coverage of this approach. We make ObservedType, ResultType, and ArithProfile +constexpr-friendly to produce the magic value used in LowLevelInt
[webkit-changes] [237108] trunk/Source/JavaScriptCore
Title: [237108] trunk/Source/_javascript_Core Revision 237108 Author yusukesuz...@slowstart.org Date 2018-10-15 08:07:29 -0700 (Mon, 15 Oct 2018) Log Message [JSC] Disable DOMJIT on 32bit architecture https://bugs.webkit.org/show_bug.cgi?id=190387 Reviewed by Mark Lam. We disable DOMJIT on 32bit architecture due to exhaustion of registers. * runtime/Options.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/Options.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237107 => 237108) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-15 15:02:59 UTC (rev 237107) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-15 15:07:29 UTC (rev 237108) @@ -1,3 +1,14 @@ +2018-10-15 Yusuke Suzuki + +[JSC] Disable DOMJIT on 32bit architecture +https://bugs.webkit.org/show_bug.cgi?id=190387 + +Reviewed by Mark Lam. + +We disable DOMJIT on 32bit architecture due to exhaustion of registers. + +* runtime/Options.h: + 2018-10-15 Alex Christensen Include EnumTraits.h less Modified: trunk/Source/_javascript_Core/runtime/Options.h (237107 => 237108) --- trunk/Source/_javascript_Core/runtime/Options.h 2018-10-15 15:02:59 UTC (rev 237107) +++ trunk/Source/_javascript_Core/runtime/Options.h 2018-10-15 15:07:29 UTC (rev 237108) @@ -134,7 +134,7 @@ v(bool, useBaselineJIT, true, Normal, "allows the baseline JIT to be used if true") \ v(bool, useDFGJIT, true, Normal, "allows the DFG JIT to be used if true") \ v(bool, useRegExpJIT, true, Normal, "allows the RegExp JIT to be used if true") \ -v(bool, useDOMJIT, true, Normal, "allows the DOMJIT to be used if true") \ +v(bool, useDOMJIT, is64Bit(), Normal, "allows the DOMJIT to be used if true") \ \ v(bool, reportMustSucceedExecutableAllocations, false, Normal, nullptr) \ \ ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
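Review bot: The default of useDOMJIT now depends on is64Bit(), but the description string still says only "allows the DOMJIT to be used if true", so anyone dumping options on a 32-bit build gets no hint that the default is off or why. Suggest `v(bool, useDOMJIT, is64Bit(), Normal, "allows the DOMJIT to be used if true (off by default on 32-bit builds because of register exhaustion)") \`. If the option is force-enabled on 32-bit from the command line, the register exhaustion the commit describes would presumably still occur, so a comment near the option noting that DOMJIT is only supported on 64-bit targets would help the next person who flips it.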
[webkit-changes] [237097] trunk
Title: [237097] trunk Revision 237097 Author yusukesuz...@slowstart.org Date 2018-10-15 06:51:37 -0700 (Mon, 15 Oct 2018) Log Message [JSC] Remove Option::useAsyncIterator https://bugs.webkit.org/show_bug.cgi?id=190567 Reviewed by Saam Barati. .: * Source/cmake/WebKitFeatures.cmake: Source/_javascript_Core: Async iterator is enabled by default at 2017-08-09. It is already shipped in several releases, and we can think that it is already mature. Let's drop the option `Option::useAsyncIterator`. * Configurations/FeatureDefines.xcconfig: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): (JSC::BytecodeGenerator::emitNewFunction): * parser/ASTBuilder.h: (JSC::ASTBuilder::createFunctionMetadata): * parser/Parser.cpp: (JSC::Parser::parseForStatement): (JSC::Parser::parseAsyncFunctionDeclaration): (JSC::Parser::parseClass): (JSC::Parser::parseProperty): (JSC::Parser::parseAsyncFunctionExpression): * runtime/Options.h: Source/WebCore: * Configurations/FeatureDefines.xcconfig: Source/WebCore/PAL: * Configurations/FeatureDefines.xcconfig: Source/WebKit: * Configurations/FeatureDefines.xcconfig: Source/WebKitLegacy/mac: * Configurations/FeatureDefines.xcconfig: Tools: * TestWebKitAPI/Configurations/FeatureDefines.xcconfig: Modified Paths trunk/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/Configurations/FeatureDefines.xcconfig trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/parser/ASTBuilder.h trunk/Source/_javascript_Core/parser/Parser.cpp trunk/Source/_javascript_Core/runtime/Options.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Configurations/FeatureDefines.xcconfig trunk/Source/WebCore/PAL/ChangeLog trunk/Source/WebCore/PAL/Configurations/FeatureDefines.xcconfig trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/Configurations/FeatureDefines.xcconfig trunk/Source/WebKitLegacy/mac/ChangeLog 
trunk/Source/WebKitLegacy/mac/Configurations/FeatureDefines.xcconfig trunk/Source/cmake/WebKitFeatures.cmake trunk/Tools/ChangeLog trunk/Tools/TestWebKitAPI/Configurations/FeatureDefines.xcconfig Diff Modified: trunk/ChangeLog (237096 => 237097) --- trunk/ChangeLog 2018-10-15 13:49:17 UTC (rev 237096) +++ trunk/ChangeLog 2018-10-15 13:51:37 UTC (rev 237097) @@ -1,3 +1,12 @@ +2018-10-14 Yusuke Suzuki + +[JSC] Remove Option::useAsyncIterator +https://bugs.webkit.org/show_bug.cgi?id=190567 + +Reviewed by Saam Barati. + +* Source/cmake/WebKitFeatures.cmake: + 2018-10-08 Justin Fan WebGPU: Rename old WebGPU prototype to WebMetal Modified: trunk/Source/_javascript_Core/ChangeLog (237096 => 237097) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-15 13:49:17 UTC (rev 237096) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-15 13:51:37 UTC (rev 237097) 
@@ -1,5 +1,29 @@ 2018-10-14 Yusuke Suzuki +[JSC] Remove Option::useAsyncIterator +https://bugs.webkit.org/show_bug.cgi?id=190567 + +Reviewed by Saam Barati. + +Async iterator is enabled by default at 2017-08-09. It is already shipped in several releases, +and we can think that it is already mature. Let's drop the option `Option::useAsyncIterator`. + +* Configurations/FeatureDefines.xcconfig: +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): +(JSC::BytecodeGenerator::emitNewFunction): +* parser/ASTBuilder.h: +(JSC::ASTBuilder::createFunctionMetadata): +* parser/Parser.cpp: +(JSC::Parser::parseForStatement): +(JSC::Parser::parseAsyncFunctionDeclaration): +(JSC::Parser::parseClass): +(JSC::Parser::parseProperty): +(JSC::Parser::parseAsyncFunctionExpression): +* runtime/Options.h: + +2018-10-14 Yusuke Suzuki + [JSC] Remove Options::useObjectRestSpread https://bugs.webkit.org/show_bug.cgi?id=190568 Modified: trunk/Source/_javascript_Core/Configurations/FeatureDefines.xcconfig (237096 => 237097) --- trunk/Source/_javascript_Core/Configurations/FeatureDefines.xcconfig 2018-10-15 13:49:17 UTC (rev 237096) +++ trunk/Source/_javascript_Core/Configurations/FeatureDefines.xcconfig 2018-10-15 13:51:37 UTC (rev 237097) @@ -204,8 +204,6 @@ ENABLE_IOS_TOUCH_EVENTS = $(ENABLE_IOS_TOUCH_EVENTS_$(WK_COCOA_TOUCH)_WITH_INTERNAL_SDK_$(USE_INTERNAL_SDK)); ENABLE_IOS_TOUCH_EVENTS_cocoatouch_WITH_INTERNAL_SDK_YES = ENABLE_IOS_TOUCH_EVENTS; -ENABLE_JS_ASYNC_ITERATION = ENABLE_JS_ASYNC_ITERATION; - ENABLE_KEYBOARD_CODE_ATTRIBUTE = ENABLE_KEYBOARD_CODE_ATTRIBUTE; ENABLE_KEYBOARD_KEY_ATTRIBUTE = ENABLE_KEYBOARD_KEY_ATTRIBUTE; @@ -372,4 +370,4 @@ ENABLE_XSLT = ENABLE_XSLT; -FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_SESSION_V3) $(ENABLE_APPLE_PAY_SESSIO
[webkit-changes] [237096] trunk/Source/JavaScriptCore
Title: [237096] trunk/Source/_javascript_Core Revision 237096 Author yusukesuz...@slowstart.org Date 2018-10-15 06:49:17 -0700 (Mon, 15 Oct 2018) Log Message [JSC] Remove Options::useObjectRestSpread https://bugs.webkit.org/show_bug.cgi?id=190568 Reviewed by Saam Barati. Options::useObjectRestSpread is enabled by default at 2017-06-27. It is already shipped in several releases, and we can think that it is mature. Let's drop Options::useObjectRestSpread() flag. * parser/Parser.cpp: (JSC::Parser::Parser): (JSC::Parser::parseDestructuringPattern): (JSC::Parser::parseProperty): * parser/Parser.h: * runtime/Options.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/parser/Parser.cpp trunk/Source/_javascript_Core/parser/Parser.h trunk/Source/_javascript_Core/runtime/Options.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237095 => 237096) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-15 13:48:11 UTC (rev 237095) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-15 13:49:17 UTC (rev 237096) @@ -1,3 +1,20 @@ +2018-10-14 Yusuke Suzuki + +[JSC] Remove Options::useObjectRestSpread +https://bugs.webkit.org/show_bug.cgi?id=190568 + +Reviewed by Saam Barati. + +Options::useObjectRestSpread is enabled by default at 2017-06-27. It is already shipped in several releases, +and we can think that it is mature. Let's drop Options::useObjectRestSpread() flag. + +* parser/Parser.cpp: +(JSC::Parser::Parser): +(JSC::Parser::parseDestructuringPattern): +(JSC::Parser::parseProperty): +* parser/Parser.h: +* runtime/Options.h: + 2018-10-13 Yusuke Suzuki [JSC] JSON.stringify can accept call-with-no-arguments Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (237095 => 237096) --- trunk/Source/_javascript_Core/parser/Parser.cpp 2018-10-15 13:48:11 UTC (rev 237095) +++ trunk/Source/_javascript_Core/parser/Parser.cpp 2018-10-15 13:49:17 UTC (rev 237096) 
@@ -147,7 +147,6 @@ m_token.m_location.lineStartOffset = source.startOffset(); m_functionCache = vm->addSourceProviderCache(source.provider()); m_expressionErrorClassifier = nullptr; -m_useObjectRestSpread = Options::useObjectRestSpread(); ScopeRef scope = pushScope(); scope->setSourceParseMode(parseMode); @@ -1174,7 +1173,7 @@ if (match(CLOSEBRACE)) break; -if (match(DOTDOTDOT) && m_useObjectRestSpread) { +if (match(DOTDOTDOT)) { JSTokenLocation location = m_token.m_location; next(); auto innerPattern = parseObjectRestBindingOrAssignmentElement(context, kind, exportType, duplicateIdentifier, bindingContext); 
@@ -4046,17 +4045,14 @@ return context.createProperty(propertyName, node, static_cast(PropertyNode::Constant | PropertyNode::Computed), PropertyNode::Unknown, complete, SuperBinding::NotNeeded, ClassElementTag::No); } case DOTDOTDOT: { -if (m_useObjectRestSpread) { -auto spreadLocation = m_token.m_location; -auto start = m_token.m_startPosition; -auto divot = m_token.m_endPosition; -next(); -TreeExpression elem = parseAssignmentExpressionOrPropagateErrorClass(context); -failIfFalse(elem, "Cannot parse subject of a spread operation"); -auto node = context.createObjectSpreadExpression(spreadLocation, elem, start, divot, m_lastTokenEndPosition); -return context.createProperty(node, PropertyNode::Spread, PropertyNode::Unknown, complete, SuperBinding::NotNeeded, ClassElementTag::No); -} -FALLTHROUGH; +auto spreadLocation = m_token.m_location; +auto start = m_token.m_startPosition; +auto divot = m_token.m_endPosition; +next(); +TreeExpression elem = parseAssignmentExpressionOrPropagateErrorClass(context); +failIfFalse(elem, "Cannot parse subject of a spread operation"); +auto node = context.createObjectSpreadExpression(spreadLocation, elem, start, divot, m_lastTokenEndPosition); +return context.createProperty(node, PropertyNode::Spread, PropertyNode::Unknown, complete, SuperBinding::NotNeeded, ClassElementTag::No); } default: failIfFalse(m_token.m_type & KeywordTokenFlag, "Expected a property name"); Modified: trunk/Source/_javascript_Core/parser/Parser.h (237095 => 237096) --- trunk/Source/_javascript_Core/parser/Parser.h 2018-10-15 13:48:11 UTC (rev 237095) +++ trunk/Source/_javascript_Core/parser/Parser.h 2018-10-15 13:49:17 UTC (rev 237096) @@ -1817,7 +1817,6 @@ ParserState m_parserState; -bool m_useObjectRestSpread; bool m_hasStackOverflow; String m_errorMessage; JSToken m_token; Modified: trunk/Source/_javascript_Core/runtime/Options.h (237095 => 237096) --- trunk/Source/_javascript_Core/runtime/Options.h
[webkit-changes] [237095] trunk
Title: [237095] trunk Revision 237095 Author yusukesuz...@slowstart.org Date 2018-10-15 06:48:11 -0700 (Mon, 15 Oct 2018) Log Message [JSC] JSON.stringify can accept call-with-no-arguments https://bugs.webkit.org/show_bug.cgi?id=190343 Reviewed by Mark Lam. JSTests: * stress/json-stringify-no-arguments.js: Added. (shouldBe): Source/_javascript_Core: JSON.stringify can accept `JSON.stringify()` call (call-with-no-arguments) according to the spec[1]. Instead of throwing an error, we should take the first argument as `undefined` if it is not given. [1]: https://tc39.github.io/ecma262/#sec-json.stringify * runtime/JSONObject.cpp: (JSC::JSONProtoFuncStringify): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSONObject.cpp Added Paths trunk/JSTests/stress/json-stringify-no-arguments.js Diff Modified: trunk/JSTests/ChangeLog (237094 => 237095) --- trunk/JSTests/ChangeLog 2018-10-15 12:27:37 UTC (rev 237094) +++ trunk/JSTests/ChangeLog 2018-10-15 13:48:11 UTC (rev 237095) @@ -1,3 +1,13 @@ +2018-10-13 Yusuke Suzuki + +[JSC] JSON.stringify can accept call-with-no-arguments +https://bugs.webkit.org/show_bug.cgi?id=190343 + +Reviewed by Mark Lam. + +* stress/json-stringify-no-arguments.js: Added. +(shouldBe): + 2018-10-08 Yusuke Suzuki [JSC] JSC should have "parseFunction" to optimize Function constructor Added: trunk/JSTests/stress/json-stringify-no-arguments.js (0 => 237095) --- trunk/JSTests/stress/json-stringify-no-arguments.js (rev 0) +++ trunk/JSTests/stress/json-stringify-no-arguments.js 2018-10-15 13:48:11 UTC (rev 237095) 
@@ -0,0 +1,7 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} + +shouldBe(JSON.stringify(), undefined); +shouldBe(JSON.stringify(undefined), undefined); Modified: trunk/Source/_javascript_Core/ChangeLog (237094 => 237095) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-15 12:27:37 UTC (rev 237094) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-15 13:48:11 UTC (rev 237095) @@ -1,3 +1,18 @@ +2018-10-13 Yusuke Suzuki + +[JSC] JSON.stringify can accept call-with-no-arguments +https://bugs.webkit.org/show_bug.cgi?id=190343 + +Reviewed by Mark Lam. + +JSON.stringify can accept `JSON.stringify()` call (call-with-no-arguments) according to the spec[1]. +Instead of throwing an error, we should take the first argument as `undefined` if it is not given. + +[1]: https://tc39.github.io/ecma262/#sec-json.stringify + +* runtime/JSONObject.cpp: +(JSC::JSONProtoFuncStringify): + 2018-10-12 Tadeu Zagallo Gardening: Build fix after r237084. Modified: trunk/Source/_javascript_Core/runtime/JSONObject.cpp (237094 => 237095) --- trunk/Source/_javascript_Core/runtime/JSONObject.cpp 2018-10-15 12:27:37 UTC (rev 237094) +++ trunk/Source/_javascript_Core/runtime/JSONObject.cpp 2018-10-15 13:48:11 UTC (rev 237095) @@ -829,11 +829,9 @@ VM& vm = exec->vm(); auto scope = DECLARE_THROW_SCOPE(vm); -if (!exec->argumentCount()) -return throwVMError(exec, scope, createError(exec, "No input to stringify"_s)); Stringifier stringifier(exec, exec->argument(1), exec->argument(2)); RETURN_IF_EXCEPTION(scope, { }); -RELEASE_AND_RETURN(scope, JSValue::encode(stringifier.stringify(exec->uncheckedArgument(0; +RELEASE_AND_RETURN(scope, JSValue::encode(stringifier.stringify(exec->argument(0; } JSValue JSONParse(ExecState* exec, const String& json) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
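Review bot: The new test pins only the zero-argument and explicit-undefined forms; since the JSONObject.cpp change keeps reading `exec->argument(1)` and `exec->argument(2)` for replacer and space, one more line, `shouldBe(JSON.stringify(undefined, null, 2), undefined);`, would show that an undefined value does not interfere with those arguments. The failure message also drops the expected value; `throw new Error('bad value: ' + actual + ', expected: ' + expected);` makes a failing run self-explaining.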
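Review bot: The removed `argumentCount()` guard was the only place that made the "no input" decision visible; after the switch to `exec->argument(0)` a missing value silently becomes undefined with nothing at the call site saying why, so a comment there, `// Per the JSON.stringify spec an absent value is treated as undefined, hence argument(0) rather than uncheckedArgument(0).`, would preserve the reasoning that now lives only in the ChangeLog. The enclosing JSONProtoFuncStringify starts outside the hunk, and the closing parentheses of the return line appear to have been lost in this rendering rather than in the commit.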
[webkit-changes] [237059] trunk/Source
Title: [237059] trunk/Source Revision 237059 Author yusukesuz...@slowstart.org Date 2018-10-11 18:32:19 -0700 (Thu, 11 Oct 2018) Log Message Use currentStackPointer more https://bugs.webkit.org/show_bug.cgi?id=190503 Reviewed by Saam Barati. Source/_javascript_Core: * runtime/VM.cpp: (JSC::VM::committedStackByteCount): Source/WTF: Use WTF::currentStackPointer more in WebKit to adopt ASAN detect_stack_use_after_return option. * wtf/StackBounds.cpp: (WTF::testStackDirection2): (WTF::testStackDirection): * wtf/ThreadingPthreads.cpp: (WTF::Thread::signalHandlerSuspendResume): (WTF::getApproximateStackPointer): Deleted. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/VM.cpp trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/StackBounds.cpp trunk/Source/WTF/wtf/ThreadingPthreads.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (237058 => 237059) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-12 00:23:08 UTC (rev 237058) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-12 01:32:19 UTC (rev 237059) @@ -1,3 +1,13 @@ +2018-10-11 Yusuke Suzuki + +Use currentStackPointer more +https://bugs.webkit.org/show_bug.cgi?id=190503 + +Reviewed by Saam Barati. + +* runtime/VM.cpp: +(JSC::VM::committedStackByteCount): + 2018-10-08 Yusuke Suzuki [JSC] JSC should have "parseFunction" to optimize Function constructor Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (237058 => 237059) --- trunk/Source/_javascript_Core/runtime/VM.cpp 2018-10-12 00:23:08 UTC (rev 237058) +++ trunk/Source/_javascript_Core/runtime/VM.cpp 2018-10-12 01:32:19 UTC (rev 237059) 
@@ -1157,8 +1157,8 @@ // When using the C stack, we don't know how many stack pages are actually // committed. So, we use the current stack usage as an estimate. ASSERT(Thread::current().stack().isGrowingDownward()); -int8_t* current = reinterpret_cast(¤t); -int8_t* high = reinterpret_cast(Thread::current().stack().origin()); +uint8_t* current = bitwise_cast(currentStackPointer()); +uint8_t* high = bitwise_cast(Thread::current().stack().origin()); return high - current; #else return CLoopStack::committedByteCount(); Modified: trunk/Source/WTF/ChangeLog (237058 => 237059) --- trunk/Source/WTF/ChangeLog 2018-10-12 00:23:08 UTC (rev 237058) +++ trunk/Source/WTF/ChangeLog 2018-10-12 01:32:19 UTC (rev 237059) @@ -1,3 +1,19 @@ +2018-10-11 Yusuke Suzuki + +Use currentStackPointer more +https://bugs.webkit.org/show_bug.cgi?id=190503 + +Reviewed by Saam Barati. + +Use WTF::currentStackPointer more in WebKit to adopt ASAN detect_stack_use_after_return option. + +* wtf/StackBounds.cpp: +(WTF::testStackDirection2): +(WTF::testStackDirection): +* wtf/ThreadingPthreads.cpp: +(WTF::Thread::signalHandlerSuspendResume): +(WTF::getApproximateStackPointer): Deleted. + 2018-10-11 Ross Kirsling [WTF] Semaphore.h conflicts with POSIX header Modified: trunk/Source/WTF/wtf/StackBounds.cpp (237058 => 237059) --- trunk/Source/WTF/wtf/StackBounds.cpp 2018-10-12 00:23:08 UTC (rev 237058) +++ trunk/Source/WTF/wtf/StackBounds.cpp 2018-10-12 01:32:19 UTC (rev 237059) 
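Review bot: The reason for replacing `&current` with `currentStackPointer()` at the `current` line is stated only in the WTF ChangeLog (adopting ASAN's detect_stack_use_after_return), presumably because a local's address need not be a native stack address under that option; a one-line comment next to the code, `// Use currentStackPointer() rather than the address of a local so the estimate stays a real stack address under ASAN's detect_stack_use_after_return.`, keeps that with the estimate. The enclosing committedStackByteCount() begins outside the hunk.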
@@ -50,17 +50,17 @@ return StackDirection::Downward; } #else -static NEVER_INLINE NOT_TAIL_CALLED StackBounds::StackDirection testStackDirection2(volatile const int* pointer) +static NEVER_INLINE NOT_TAIL_CALLED StackBounds::StackDirection testStackDirection2(volatile const uint8_t* pointer) { -volatile int stackValue = 42; -return (pointer < &stackValue) ? StackBounds::StackDirection::Upward : StackBounds::StackDirection::Downward; +volatile uint8_t* stackValue = bitwise_cast(currentStackPointer()); +return (pointer < stackValue) ? StackBounds::StackDirection::Upward : StackBounds::StackDirection::Downward; } static NEVER_INLINE NOT_TAIL_CALLED StackBounds::StackDirection testStackDirection() { NO_TAIL_CALLS(); -volatile int stackValue = 42; -return testStackDirection2(&stackValue); +volatile uint8_t* stackValue = bitwise_cast(currentStackPointer()); +return testStackDirection2(stackValue); } NEVER_INLINE StackBounds::StackDirection StackBounds::stackDirection() Modified: trunk/Source/WTF/wtf/ThreadingPthreads.cpp (237058 => 237059) --- trunk/Source/WTF/wtf/ThreadingPthreads.cpp 2018-10-12 00:23:08 UTC (rev 237058) +++ trunk/Source/WTF/wtf/ThreadingPthreads.cpp 2018-10-12 01:32:19 UTC (rev 237059) @@ -109,19 +109,6 @@ static constexpr const int SigThreadSuspendResume = SIGUSR1; static std::atomic targetThread { nullptr }; -IGNORE_GCC_WARNINGS_BEGIN("return-local-addr") -IGNORE_CLANG_WARNINGS_BEGIN("return-stack-address") - -static NEVER_INLINE void* getApproximateStackPointer() -{ -volatile uintptr_t stackLocation; -stackLocation = bitwise_cast(&stackLocation); -return bitwise_cast(stack
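Review bot: In both `testStackDirection2` and `testStackDirection` the local is still called `stackValue` although it now holds a stack pointer rather than a value placed on the stack, which misleads after this change; `volatile uint8_t* stackPointer = bitwise_cast<volatile uint8_t*>(currentStackPointer());` with `return testStackDirection2(stackPointer);` reads as the code behaves. The `volatile` qualifier on the local pointer also looks like a leftover of the old trick of forcing a real stack slot and may no longer be needed, though that depends on what currentStackPointer() guarantees, which is not visible here.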
[webkit-changes] [237054] trunk
Title: [237054] trunk Revision 237054 Author yusukesuz...@slowstart.org Date 2018-10-11 16:43:58 -0700 (Thu, 11 Oct 2018) Log Message [JSC] JSC should have "parseFunction" to optimize Function constructor https://bugs.webkit.org/show_bug.cgi?id=190340 Reviewed by Mark Lam. JSTests: This patch fixes the line number of syntax errors raised by the Function constructor, since we now parse the final code only once. And we no longer use block statement for Function constructor's parsing. * ChakraCore/test/Function/FuncBodyES5.baseline-jsc: * stress/function-cache-with-parameters-end-position.js: Added. (shouldBe): (shouldThrow): (i.anonymous): * stress/function-constructor-name.js: Added. (shouldBe): (GeneratorFunction): (AsyncFunction.async): (AsyncGeneratorFunction.async): (anonymous): (async.anonymous): * test262/expectations.yaml: LayoutTests/imported/w3c: * web-platform-tests/html/webappapis/scripting/events/inline-event-handler-ordering-expected.txt: * web-platform-tests/html/webappapis/scripting/events/invalid-uncompiled-raw-handler-compiled-late-expected.txt: * web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-attribute-expected.txt: * web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-in-body-onerror-expected.txt: Source/_javascript_Core: The current Function constructor is suboptimal. We parse the piece of the same code three times to meet the spec requirement. (1) check parameters syntax, (2) check body syntax, and (3) parse the entire function. And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation is really costly and ideally we should meet the above requirement by the one time parsing. To meet the above requirement, we add a special function for Parser, parseSingleFunction. This function takes `std::optional functionConstructorParametersEndPosition` and check this end position is correct in the parser. 
For example, if we run the code, Function('/*', '*/){') According to the spec, this should produce '/*' parameter string and '*/){' body string. And parameter string should be syntax-checked by the parser, and raise the error since it is incorrect. Instead of doing that, in our implementation, we first create the entire string. function anonymous(/*) { */){ } And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case, the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token offset of the parameters is the given end position. This check allows us to raise the error correctly to the above example while we parse the entire function only once. And we do not need to create two strings too. This improves the performance of the Function constructor significantly. And web-tooling-benchmark/uglify-js is significantly sped up (28.2%). Before: uglify-js: 2.94 runs/s After: uglify-js: 3.77 runs/s * bytecode/UnlinkedFunctionExecutable.cpp: (JSC::UnlinkedFunctionExecutable::fromGlobalCode): * bytecode/UnlinkedFunctionExecutable.h: * parser/Parser.cpp: (JSC::Parser::parseInner): (JSC::Parser::parseSingleFunction): (JSC::Parser::parseFunctionInfo): (JSC::Parser::parseFunctionDeclaration): (JSC::Parser::parseAsyncFunctionDeclaration): (JSC::Parser::parseClass): (JSC::Parser::parsePropertyMethod): (JSC::Parser::parseGetterSetter): (JSC::Parser::parseFunctionExpression): (JSC::Parser::parseAsyncFunctionExpression): (JSC::Parser::parseArrowFunctionExpression): * parser/Parser.h: (JSC::Parser::parse): (JSC::parse): (JSC::parseFunctionForFunctionConstructor): * parser/ParserModes.h: * parser/ParserTokens.h: (JSC::JSTextPosition::JSTextPosition): (JSC::JSTokenLocation::JSTokenLocation): Deleted. 
* parser/SourceCodeKey.h: (JSC::SourceCodeKey::SourceCodeKey): (JSC::SourceCodeKey::operator== const): * runtime/CodeCache.cpp: (JSC::CodeCache::getUnlinkedGlobalCodeBlock): (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): * runtime/CodeCache.h: * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::fromGlobalCode): * runtime/FunctionExecutable.h: LayoutTests: * fast/dom/attribute-event-listener-errors-expected.txt: * fast/events/attribute-listener-deletion-crash-expected.txt: * fast/events/window-onerror-syntax-error-in-attr-expected.txt: * js/dom/invalid-syntax-for-function-expected.txt: * js/dom/script-start-end-locations-expected.txt: Modified Paths trunk/JSTests/ChakraCore/test/Function/FuncBodyES5.baseline-jsc trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/attribute-event-listener-errors-expected.txt trunk/LayoutTests/fast/events/attribute-listener-deletion-crash-expected.txt trunk/LayoutTests/fast/events/window-onerror-syntax-error-in-attr-expected.txt trunk/LayoutTests/imported/w3c/ChangeLog
[webkit-changes] [237017] trunk/Source/WebCore
Title: [237017] trunk/Source/WebCore Revision 237017 Author yusukesuz...@slowstart.org Date 2018-10-10 14:23:42 -0700 (Wed, 10 Oct 2018) Log Message Unreviewed, add missing headers for inline functions https://bugs.webkit.org/show_bug.cgi?id=190429 * platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (237016 => 237017) --- trunk/Source/WebCore/ChangeLog 2018-10-10 20:52:12 UTC (rev 237016) +++ trunk/Source/WebCore/ChangeLog 2018-10-10 21:23:42 UTC (rev 237017) @@ -1,3 +1,10 @@ +2018-10-10 Yusuke Suzuki + +Unreviewed, add missing headers for inline functions +https://bugs.webkit.org/show_bug.cgi?id=190429 + +* platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp: + 2018-10-10 Tim Horton Share more WKShareSheet code between macOS and iOS, and fix a few bugs Modified: trunk/Source/WebCore/platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp (237016 => 237017) --- trunk/Source/WebCore/platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp 2018-10-10 20:52:12 UTC (rev 237016) +++ trunk/Source/WebCore/platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp 2018-10-10 21:23:42 UTC (rev 237017) @@ -63,6 +63,7 @@ #include #if HAVE(AVFOUNDATION_LOADER_DELEGATE) && ENABLE(LEGACY_ENCRYPTED_MEDIA) #include <_javascript_Core/DataView.h> +#include <_javascript_Core/JSCInlines.h> #include <_javascript_Core/TypedArrayInlines.h> #include <_javascript_Core/Uint16Array.h> #endif ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [236999] trunk/Source/WebCore
Title: [236999] trunk/Source/WebCore Revision 236999 Author yusukesuz...@slowstart.org Date 2018-10-10 01:48:57 -0700 (Wed, 10 Oct 2018) Log Message XMLHttpRequest should use reportExtraMemoryAllocated/reportExtraMemoryVisited instead of deprecatedReportExtraMemory https://bugs.webkit.org/show_bug.cgi?id=190279 Reviewed by Ryosuke Niwa. This patch switches deprecatedReportExtraMemory to reportExtraMemoryAllocated/reportExtraMemoryVisited in XMLHttpRequest. We report extra memory allocation when the readyState becomes DONE. And memoryCost function returns the memory cost which is based on the readyState and m_responseBuilder. We annotate XMLHttpRequest with ReportExtraMemoryCost to use reportExtraMemoryVisited automatically with memoryCost() function. * xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::changeState): (WebCore::XMLHttpRequest::abort): (WebCore::XMLHttpRequest::internalAbort): (WebCore::XMLHttpRequest::networkErrorTimerFired): (WebCore::XMLHttpRequest::memoryCost const): (WebCore::XMLHttpRequest::didFinishLoading): (WebCore::XMLHttpRequest::didReachTimeout): (WebCore::XMLHttpRequest::dropProtection): Deleted. * xml/XMLHttpRequest.h: * xml/XMLHttpRequest.idl: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/xml/XMLHttpRequest.cpp trunk/Source/WebCore/xml/XMLHttpRequest.h trunk/Source/WebCore/xml/XMLHttpRequest.idl Diff Modified: trunk/Source/WebCore/ChangeLog (236998 => 236999) --- trunk/Source/WebCore/ChangeLog 2018-10-10 06:55:24 UTC (rev 236998) +++ trunk/Source/WebCore/ChangeLog 2018-10-10 08:48:57 UTC (rev 236999) 
@@ -1,3 +1,28 @@ +2018-10-10 Yusuke Suzuki + +XMLHttpRequest should use reportExtraMemoryAllocated/reportExtraMemoryVisited instead of deprecatedReportExtraMemory +https://bugs.webkit.org/show_bug.cgi?id=190279 + +Reviewed by Ryosuke Niwa. + +This patch switches deprecatedReportExtraMemory to reportExtraMemoryAllocated/reportExtraMemoryVisited +in XMLHttpRequest. We report extra memory allocation when the readyState becomes DONE. And memoryCost +function returns the memory cost which is based on the readyState and m_responseBuilder. +We annotate XMLHttpRequest with ReportExtraMemoryCost to use reportExtraMemoryVisited automatically with +memoryCost() function. + +* xml/XMLHttpRequest.cpp: +(WebCore::XMLHttpRequest::changeState): +(WebCore::XMLHttpRequest::abort): +(WebCore::XMLHttpRequest::internalAbort): +(WebCore::XMLHttpRequest::networkErrorTimerFired): +(WebCore::XMLHttpRequest::memoryCost const): +(WebCore::XMLHttpRequest::didFinishLoading): +(WebCore::XMLHttpRequest::didReachTimeout): +(WebCore::XMLHttpRequest::dropProtection): Deleted. +* xml/XMLHttpRequest.h: +* xml/XMLHttpRequest.idl: + 2018-10-09 Antoine Quint Remove the frames() timing function Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (236998 => 236999) --- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2018-10-10 06:55:24 UTC (rev 236998) +++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2018-10-10 08:48:57 UTC (rev 236999) 
@@ -295,6 +295,19 @@ { if (readyState() != newState) { m_readyState = static_cast(newState); +if (readyState() == DONE) { +// The XHR object itself holds on to the responseText, and +// thus has extra cost even independent of any +// responseText or responseXML objects it has handed +// out. But it is protected from GC while loading, so this +// can't be recouped until the load is done, so only +// report the extra cost at that point. +if (auto* context = scriptExecutionContext()) { +JSC::VM& vm = context->vm(); +JSC::JSLockHolder lock(vm); +vm.heap.reportExtraMemoryAllocated(memoryCost()); +} +} callReadyStateChangeListener(); } } @@ -656,7 +669,7 @@ void XMLHttpRequest::abort() { -// internalAbort() calls dropProtection(), which may release the last reference. +// internalAbort() calls unsetPendingActivity(this), which may release the last reference. Ref protectedThis(*this); m_wasAbortedByClient = true; @@ -702,7 +715,7 @@ // Save this information to a local variable since we are going to drop protection. bool newLoadStarted = m_loader; -dropProtection(); +unsetPendingActivity(this); return !newLoadStarted; } @@ -749,7 +762,7 @@ void XMLHttpRequest::networkErrorTimerFired() { networkError(); -dropProtection(); +unsetPendingActivity(this); } void XMLHttpRequest::abortError() @@ -759,21 +772,11 @@ dispatchErrorEvents(eventNames().abortEvent); } -void XMLHttpRequest::dropProtection() +size_t XMLHttpRequest::memoryCost() const { -// The XHR object itself holds on to the responseText, and -// thus has extra
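Review bot: `vm.heap.reportExtraMemoryAllocated(memoryCost())` fires on every transition into DONE, so an XMLHttpRequest that is reused after completion would report its full cost again on each finished load; whether reportExtraMemoryAllocated is meant to be cumulative or whether the later reportExtraMemoryVisited/memoryCost() pass reconciles this is not visible in the hunk and deserves a comment at the call, e.g. `// Reported on every DONE transition; the retained cost is reconciled by reportExtraMemoryVisited via memoryCost().`, or a guard that reports only the delta. The enclosing changeState begins outside the hunk, and the new memoryCost() body is in the last, truncated hunk.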
[webkit-changes] [236906] trunk/Source/JavaScriptCore
Title: [236906] trunk/Source/_javascript_Core Revision 236906 Author yusukesuz...@slowstart.org Date 2018-10-07 09:21:56 -0700 (Sun, 07 Oct 2018) Log Message [JSC][Linux] Use non-truncated name for JIT workers in Linux https://bugs.webkit.org/show_bug.cgi?id=190339 Reviewed by Mark Lam. The current thread names are meaningless in Linux environment. We do not want to have truncated name in Linux: we want to have clear name in Linux. Instead, we should have the name for Linux separately from the name used in the non-Linux environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for Linux environment. * dfg/DFGWorklist.cpp: (JSC::DFG::createWorklistName): (JSC::DFG::Worklist::Worklist): (JSC::DFG::Worklist::create): (JSC::DFG::ensureGlobalDFGWorklist): (JSC::DFG::ensureGlobalFTLWorklist): * dfg/DFGWorklist.h: * jit/JITWorklist.cpp: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp trunk/Source/_javascript_Core/dfg/DFGWorklist.h trunk/Source/_javascript_Core/jit/JITWorklist.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236905 => 236906) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-07 16:14:50 UTC (rev 236905) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-07 16:21:56 UTC (rev 236906) 
@@ -1,5 +1,27 @@ 2018-10-07 Yusuke Suzuki +[JSC][Linux] Use non-truncated name for JIT workers in Linux +https://bugs.webkit.org/show_bug.cgi?id=190339 + +Reviewed by Mark Lam. + +The current thread names are meaningless in Linux environment. We do not want to +have truncated name in Linux: we want to have clear name in Linux. Instead, we +should have the name for Linux separately from the name used in the non-Linux +environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for +Linux environment. + +* dfg/DFGWorklist.cpp: +(JSC::DFG::createWorklistName): +(JSC::DFG::Worklist::Worklist): +(JSC::DFG::Worklist::create): +(JSC::DFG::ensureGlobalDFGWorklist): +(JSC::DFG::ensureGlobalFTLWorklist): +* dfg/DFGWorklist.h: +* jit/JITWorklist.cpp: + +2018-10-07 Yusuke Suzuki + Name Heap threads https://bugs.webkit.org/show_bug.cgi?id=190337 Modified: trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp (236905 => 236906) --- trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp 2018-10-07 16:14:50 UTC (rev 236905) +++ trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp 2018-10-07 16:21:56 UTC (rev 236906) @@ -174,8 +174,17 @@ RefPtr m_plan; }; -Worklist::Worklist(CString worklistName) -: m_threadName(toCString(worklistName, " Worker Thread")) +static CString createWorklistName(CString&& tierName) +{ +#if OS(LINUX) +return toCString(WTFMove(tierName), "Worker"); +#else +return toCString(WTFMove(tierName), " Worklist Worker Thread"); +#endif +} + +Worklist::Worklist(CString&& tierName) +: m_threadName(createWorklistName(WTFMove(tierName))) , m_lock(Box::create()) , m_planEnqueued(AutomaticThreadCondition::create()) , m_numberOfActiveThreads(0) 
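Review bot: `createWorklistName` emits `"Worker"` with no space on Linux, which only makes sense given the 15-character thread-name limit described in the r236905 entry further down this page, yet nothing at the `#if OS(LINUX)` branch says so; `// Linux rejects thread names longer than 15 characters, so keep "<tier>Worker" short.` records the constraint for the next tier name. Nothing in the hunk checks the resulting length either, so a tier name longer than nine characters would silently be truncated again, which is the situation this change set out to fix.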
@@ -211,9 +220,9 @@ m_threads.append(WTFMove(data)); } -Ref Worklist::create(CString worklistName, unsigned numberOfThreads, int relativePriority) +Ref Worklist::create(CString&& tierName, unsigned numberOfThreads, int relativePriority) { -Ref result = adoptRef(*new Worklist(worklistName)); +Ref result = adoptRef(*new Worklist(WTFMove(tierName))); result->finishCreation(numberOfThreads, relativePriority); return result; } @@ -561,7 +570,7 @@ { static std::once_flag initializeGlobalWorklistOnceFlag; std::call_once(initializeGlobalWorklistOnceFlag, [] { -theGlobalDFGWorklist = &Worklist::create("DFG Worklist", getNumberOfDFGCompilerThreads(), Options::priorityDeltaOfDFGCompilerThreads()).leakRef(); +theGlobalDFGWorklist = &Worklist::create("DFG", getNumberOfDFGCompilerThreads(), Options::priorityDeltaOfDFGCompilerThreads()).leakRef(); }); return *theGlobalDFGWorklist; } @@ -577,7 +586,7 @@ { static std::once_flag initializeGlobalWorklistOnceFlag; std::call_once(initializeGlobalWorklistOnceFlag, [] { -theGlobalFTLWorklist = &Worklist::create("FTL Worklist", getNumberOfFTLCompilerThreads(), Options::priorityDeltaOfFTLCompilerThreads()).leakRef(); +theGlobalFTLWorklist = &Worklist::create("FTL", getNumberOfFTLCompilerThreads(), Options::priorityDeltaOfFTLCompilerThreads()).leakRef(); }); return *theGlobalFTLWorklist; } Modified: trunk/Source/_javascript_Core/dfg/DFGWorklist.h (236905 => 236906) --- trunk/Source/_javascript_Core/dfg/DFGWorklist.h 2018-10-07 16:14:50 UTC (rev 236905) +++ trunk/Source/_javascript_Core/dfg/DFGWorklist.h 2018-10-07 16:21:56 UTC (rev 236906) @@ -47,7 +47,7 @@ ~Worklist(); -static Ref create(CString worklistName, unsigned numberOfThreads, int re
[webkit-changes] [236905] trunk/Source
Title: [236905] trunk/Source Revision 236905 Author yusukesuz...@slowstart.org Date 2018-10-07 09:14:50 -0700 (Sun, 07 Oct 2018) Log Message Name Heap threads https://bugs.webkit.org/show_bug.cgi?id=190337 Reviewed by Mark Lam. Source/_javascript_Core: Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since Linux does not accept the name longer than 15. We do not want to use the short name for non-Linux environment. And we want to have clear name in Linux: truncated name is not good. So, having the two names is the only way. * heap/HeapHelperPool.cpp: (JSC::heapHelperPool): Source/WTF: Add a functionality naming threads of ParallelHelperPool. * wtf/ParallelHelperPool.cpp: (WTF::ParallelHelperPool::ParallelHelperPool): * wtf/ParallelHelperPool.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/HeapHelperPool.cpp trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/ParallelHelperPool.cpp trunk/Source/WTF/wtf/ParallelHelperPool.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236904 => 236905) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-07 09:32:52 UTC (rev 236904) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-07 16:14:50 UTC (rev 236905) 
@@ -1,5 +1,20 @@ 2018-10-07 Yusuke Suzuki +Name Heap threads +https://bugs.webkit.org/show_bug.cgi?id=190337 + +Reviewed by Mark Lam. + +Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since +Linux does not accept the name longer than 15. We do not want to use the short name +for non-Linux environment. And we want to have clear name in Linux: truncated name +is not good. So, having the two names is the only way. + +* heap/HeapHelperPool.cpp: +(JSC::heapHelperPool): + +2018-10-07 Yusuke Suzuki + [JSC] Avoid creating ProgramExecutable in checkSyntax https://bugs.webkit.org/show_bug.cgi?id=190332 Modified: trunk/Source/_javascript_Core/heap/HeapHelperPool.cpp (236904 => 236905) --- trunk/Source/_javascript_Core/heap/HeapHelperPool.cpp 2018-10-07 09:32:52 UTC (rev 236904) +++ trunk/Source/_javascript_Core/heap/HeapHelperPool.cpp 2018-10-07 16:14:50 UTC (rev 236905) @@ -38,7 +38,12 @@ std::call_once( initializeHelperPoolOnceFlag, [] { -helperPool = new ParallelHelperPool(); +#if OS(LINUX) +const char* threadName = "HeapHelper"; +#else +const char* threadName = "Heap Helper Thread"; +#endif +helperPool = new ParallelHelperPool(threadName); helperPool->ensureThreads(Options::numberOfGCMarkers() - 1); }); return *helperPool; Modified: trunk/Source/WTF/ChangeLog (236904 => 236905) --- trunk/Source/WTF/ChangeLog 2018-10-07 09:32:52 UTC (rev 236904) +++ trunk/Source/WTF/ChangeLog 2018-10-07 16:14:50 UTC (rev 236905) 
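Review bot: The `#if OS(LINUX)` selection of `"HeapHelper"` in heapHelperPool() is explained only in the ChangeLog (Linux does not accept names longer than 15); a comment on the branch, `// Linux rejects thread names longer than 15 characters, so use the short form there.`, keeps the reason with the code so the two names are not later "unified" back to the long one. The enclosing call_once lambda and function begin outside the hunk.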
@@ -1,3 +1,16 @@ +2018-10-07 Yusuke Suzuki + +Name Heap threads +https://bugs.webkit.org/show_bug.cgi?id=190337 + +Reviewed by Mark Lam. + +Add a functionality naming threads of ParallelHelperPool. + +* wtf/ParallelHelperPool.cpp: +(WTF::ParallelHelperPool::ParallelHelperPool): +* wtf/ParallelHelperPool.h: + 2018-10-06 Mark Lam Adding some temporary asserts to debug a mysterious ASAN bot crash. Modified: trunk/Source/WTF/wtf/ParallelHelperPool.cpp (236904 => 236905) --- trunk/Source/WTF/wtf/ParallelHelperPool.cpp 2018-10-07 09:32:52 UTC (rev 236904) +++ trunk/Source/WTF/wtf/ParallelHelperPool.cpp 2018-10-07 16:14:50 UTC (rev 236905) @@ -123,9 +123,10 @@ } } -ParallelHelperPool::ParallelHelperPool() +ParallelHelperPool::ParallelHelperPool(CString&& threadName) : m_lock(Box::create()) , m_workAvailableCondition(AutomaticThreadCondition::create()) +, m_threadName(WTFMove(threadName)) { } @@ -176,6 +177,11 @@ { } +const char* name() const override +{ +return m_pool.m_threadName.data(); +} + protected: PollResult poll(const AbstractLocker& locker) override { Modified: trunk/Source/WTF/wtf/ParallelHelperPool.h (236904 => 236905) --- trunk/Source/WTF/wtf/ParallelHelperPool.h 2018-10-07 09:32:52 UTC (rev 236904) +++ trunk/Source/WTF/wtf/ParallelHelperPool.h 2018-10-07 16:14:50 UTC (rev 236905) @@ -35,6 +35,7 @@ #include #include #include +#include namespace WTF { @@ -179,7 +180,7 @@ class ParallelHelperPool : public ThreadSafeRefCounted { public: -WTF_EXPORT_PRIVATE ParallelHelperPool(); +WTF_EXPORT_PRIVATE ParallelHelperPool(CString&& threadName); WTF_EXPORT_PRIVATE ~ParallelHelperPool(); WTF_EXPORT_PRIVATE void ensureThreads(unsigned numThreads); @@ -207,6 +208,7 @@ Vector m_clients; Vector> m_threads; +CString m_threadName; unsigned m_numThreads { 0 }; // This can be larger than m_threads.size() because we start threads only once
[webkit-changes] [236904] trunk/Source/JavaScriptCore
Title: [236904] trunk/Source/_javascript_Core Revision 236904 Author yusukesuz...@slowstart.org Date 2018-10-07 02:32:52 -0700 (Sun, 07 Oct 2018) Log Message [JSC] Avoid creating ProgramExecutable in checkSyntax https://bugs.webkit.org/show_bug.cgi?id=190332 Reviewed by Mark Lam. uglify-js in web-tooling-benchmark executes massive number of Function constructor calls. In Function constructor code, we perform checkSyntax for body and parameters. So fast checkSyntax is important when the performance of Function constructor matters. Current checkSyntax code unnecessarily allocates ProgramExecutable. This patch removes this allocation and improves the benchmark score slightly. Before: uglify-js: 2.87 runs/s After: uglify-js: 2.94 runs/s * runtime/Completion.cpp: (JSC::checkSyntaxInternal): (JSC::checkSyntax): * runtime/ProgramExecutable.cpp: (JSC::ProgramExecutable::checkSyntax): Deleted. * runtime/ProgramExecutable.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/Completion.cpp trunk/Source/_javascript_Core/runtime/ProgramExecutable.cpp trunk/Source/_javascript_Core/runtime/ProgramExecutable.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236903 => 236904) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-07 02:48:38 UTC (rev 236903) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-07 09:32:52 UTC (rev 236904) 
@@ -1,3 +1,28 @@ +2018-10-07 Yusuke Suzuki + +[JSC] Avoid creating ProgramExecutable in checkSyntax +https://bugs.webkit.org/show_bug.cgi?id=190332 + +Reviewed by Mark Lam. + +uglify-js in web-tooling-benchmark executes massive number of Function constructor calls. +In Function constructor code, we perform checkSyntax for body and parameters. So fast checkSyntax +is important when the performance of Function constructor matters. Current checkSyntax code +unnecessarily allocates ProgramExecutable. This patch removes this allocation and improves +the benchmark score slightly. + +Before: +uglify-js: 2.87 runs/s +After: +uglify-js: 2.94 runs/s + +* runtime/Completion.cpp: +(JSC::checkSyntaxInternal): +(JSC::checkSyntax): +* runtime/ProgramExecutable.cpp: +(JSC::ProgramExecutable::checkSyntax): Deleted. +* runtime/ProgramExecutable.h: + 2018-10-06 Caio Lima [ESNext][BigInt] Implement support for "|" Modified: trunk/Source/_javascript_Core/runtime/Completion.cpp (236903 => 236904) --- trunk/Source/_javascript_Core/runtime/Completion.cpp 2018-10-07 02:48:38 UTC (rev 236903) +++ trunk/Source/_javascript_Core/runtime/Completion.cpp 2018-10-07 09:32:52 UTC (rev 236904) @@ -44,6 +44,13 @@ namespace JSC { +static inline bool checkSyntaxInternal(VM& vm, const SourceCode& source, ParserError& error) +{ +return !!parse( +&vm, source, Identifier(), JSParserBuiltinMode::NotBuiltin, +JSParserStrictMode::NotStrict, JSParserScriptMode::Classic, SourceParseMode::ProgramMode, SuperBinding::NotNeeded, error); +} + bool checkSyntax(ExecState* exec, const SourceCode& source, JSValue* returnedException) { VM& vm = exec->vm(); 
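Review bot: `checkSyntaxInternal` returns `!!parse(...)` with no statement of what the boolean means or where failure details go; a header line, `// Returns true when the program parses; on failure the details are recorded in |error|.`, documents the contract both checkSyntax overloads now rely on. The second hunk of this file (at @@ -50,24 +57,20 @@) asserts `error.isValid()` on the false path, which is exactly the property this helper is expected to guarantee, so the comment is also where that guarantee belongs.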
@@ -50,24 +57,20 @@ JSLockHolder lock(vm); RELEASE_ASSERT(vm.atomicStringTable() == Thread::current().atomicStringTable()); -ProgramExecutable* program = ProgramExecutable::create(exec, source); -JSObject* error = program->checkSyntax(exec); -if (error) { -if (returnedException) -*returnedException = error; -return false; -} +ParserError error; +if (checkSyntaxInternal(vm, source, error)) +return true; +ASSERT(error.isValid()); +if (returnedException) +*returnedException = error.toErrorObject(exec->lexicalGlobalObject(), source); +return false; +} -return true; -} - bool checkSyntax(VM& vm, const SourceCode& source, ParserError& error) { JSLockHolder lock(vm); RELEASE_ASSERT(vm.atomicStringTable() == Thread::current().atomicStringTable()); -return !!parse( -&vm, source, Identifier(), JSParserBuiltinMode::NotBuiltin, -JSParserStrictMode::NotStrict, JSParserScriptMode::Classic, SourceParseMode::ProgramMode, SuperBinding::NotNeeded, error); +return checkSyntaxInternal(vm, source, error); } bool checkModuleSyntax(ExecState* exec, const SourceCode& source, ParserError& error) Modified: trunk/Source/_javascript_Core/runtime/ProgramExecutable.cpp (236903 => 236904) --- trunk/Source/_javascript_Core/runtime/ProgramExecutable.cpp 2018-10-07 02:48:38 UTC (rev 236903) +++ trunk/Source/_javascript_Core/runtime/ProgramExecutable.cpp 2018-10-07 09:32:52 UTC (rev 236904) @@ -58,20 +58,6 @@ static_cast(cell)->ProgramExecutable::~ProgramExecutable(); } -JSObject* ProgramExecutable::checkSyntax(ExecState* exec) -{ -ParserError error; -VM* vm = &exec->vm(); -JSGlobalOb
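Review bot: After `checkSyntaxInternal` returns false, `ASSERT(error.isValid())` is the only check before `error.toErrorObject(...)`, and it compiles away in release builds; if parse() can ever return null without filling in the ParserError, the release path would build an exception from an invalid error. If parse() guarantees the invariant, a comment `// parse() returns null only after recording the failure in |error|.` makes that explicit; otherwise the false path should fall back to a generic syntax error object instead of relying on the assert. The ProgramExecutable.cpp hunk that follows is truncated.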
[webkit-changes] [236900] trunk/Source/JavaScriptCore
Title: [236900] trunk/Source/_javascript_Core Revision 236900 Author yusukesuz...@slowstart.org Date 2018-10-06 12:49:45 -0700 (Sat, 06 Oct 2018) Log Message [JSC] Use new extra memory reporting in SparseArrayMap https://bugs.webkit.org/show_bug.cgi?id=190278 Reviewed by Keith Miller. This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap. * runtime/SparseArrayValueMap.cpp: (JSC::SparseArrayValueMap::add): (JSC::SparseArrayValueMap::visitChildren): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236899 => 236900) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-06 19:10:31 UTC (rev 236899) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-06 19:49:45 UTC (rev 236900) @@ -1,5 +1,19 @@ 2018-10-05 Yusuke Suzuki +[JSC] Use new extra memory reporting in SparseArrayMap +https://bugs.webkit.org/show_bug.cgi?id=190278 + +Reviewed by Keith Miller. + +This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory +to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap. + +* runtime/SparseArrayValueMap.cpp: +(JSC::SparseArrayValueMap::add): +(JSC::SparseArrayValueMap::visitChildren): + +2018-10-05 Yusuke Suzuki + [JSC][Linux] Support Perf JITDump logging https://bugs.webkit.org/show_bug.cgi?id=189893 Modified: trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp (236899 => 236900) --- trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp 2018-10-06 19:10:31 UTC (rev 236899) +++ trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp 2018-10-06 19:49:45 UTC (rev 236900) 
@@ -69,18 +69,18 @@ SparseArrayValueMap::AddResult SparseArrayValueMap::add(JSObject* array, unsigned i) { AddResult result; -size_t capacity; +size_t increasedCapacity = 0; { auto locker = holdLock(cellLock()); result = m_map.add(i, SparseArrayEntry()); -capacity = m_map.capacity(); +size_t capacity = m_map.capacity(); +if (capacity > m_reportedCapacity) { +increasedCapacity = capacity - m_reportedCapacity; +m_reportedCapacity = capacity; +} } -if (capacity > m_reportedCapacity) { -// FIXME: Adopt reportExtraMemoryVisited, and switch to reportExtraMemoryAllocated. -// https://bugs.webkit.org/show_bug.cgi?id=142595 -Heap::heap(array)->deprecatedReportExtraMemory((capacity - m_reportedCapacity) * (sizeof(unsigned) + sizeof(WriteBarrier))); -m_reportedCapacity = capacity; -} +if (increasedCapacity) +Heap::heap(array)->reportExtraMemoryAllocated(increasedCapacity * sizeof(Map::KeyValuePairType)); return result; } @@ -212,15 +212,16 @@ return Base::get(); } -void SparseArrayValueMap::visitChildren(JSCell* thisObject, SlotVisitor& visitor) +void SparseArrayValueMap::visitChildren(JSCell* cell, SlotVisitor& visitor) { -Base::visitChildren(thisObject, visitor); - -auto locker = holdLock(thisObject->cellLock()); -SparseArrayValueMap* thisMap = jsCast(thisObject); -iterator end = thisMap->m_map.end(); -for (iterator it = thisMap->m_map.begin(); it != end; ++it) -visitor.append(it->value.asValue()); +Base::visitChildren(cell, visitor); +SparseArrayValueMap* thisObject = jsCast(cell); +{ +auto locker = holdLock(thisObject->cellLock()); +for (auto& entry : thisObject->m_map) +visitor.append(entry.value.asValue()); +} +visitor.reportExtraMemoryVisited(thisObject->m_reportedCapacity * sizeof(Map::KeyValuePairType)); } } // namespace JSC ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
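Review bot: In the visitChildren hunk, `thisObject->m_reportedCapacity` is read on the last line after the `holdLock(thisObject->cellLock())` scope has closed, while add() in the first hunk updates that field under the same lock; with a concurrent marker this is an unsynchronized read of a value the mutator may be in the middle of changing. Copying it out under the lock keeps the two sides consistent: declare `size_t reportedCapacity = 0;` before the block, assign `reportedCapacity = thisObject->m_reportedCapacity;` inside it after the loop, and report with `visitor.reportExtraMemoryVisited(reportedCapacity * sizeof(Map::KeyValuePairType));` after the block. A short comment saying the copy is taken under the lock to match add() would help the next reader.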
[webkit-changes] [236883] trunk/Source
Title: [236883] trunk/Source Revision 236883 Author yusukesuz...@slowstart.org Date 2018-10-05 12:59:04 -0700 (Fri, 05 Oct 2018) Log Message [JSC][Linux] Support Perf JITDump logging https://bugs.webkit.org/show_bug.cgi?id=189893 Reviewed by Mark Lam. Source/_javascript_Core: This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information. We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory. By using this dump and perf.data output, we can annotate JIT code with profiling information. $ echo "(function f() { var s = 0; for (var i = 0; i < 10; i++) { s += i; } return s; })();" > test.js $ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ] $ perf inject --jit -i perf.data -o perf.jit.data $ perf report -i perf.jit.data * Sources.txt: * assembler/LinkBuffer.cpp: (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl): * assembler/LinkBuffer.h: (JSC::LinkBuffer::finalizeCodeWithDisassembly): * assembler/PerfLog.cpp: Added. (JSC::PerfLog::singleton): (JSC::generateTimestamp): (JSC::getCurrentThreadID): (JSC::PerfLog::PerfLog): (JSC::PerfLog::write): (JSC::PerfLog::flush): (JSC::PerfLog::log): * assembler/PerfLog.h: Added. 
* jit/ExecutableAllocator.cpp: (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): * runtime/Options.cpp: (JSC::Options::isAvailable): * runtime/Options.h: Source/WTF: * wtf/PageReservation.h: (WTF::PageReservation::reserveAndCommitWithGuardPages): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp trunk/Source/_javascript_Core/assembler/LinkBuffer.h trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp trunk/Source/_javascript_Core/runtime/Options.cpp trunk/Source/_javascript_Core/runtime/Options.h trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/PageReservation.h Added Paths trunk/Source/_javascript_Core/assembler/PerfLog.cpp trunk/Source/_javascript_Core/assembler/PerfLog.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236882 => 236883) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-05 19:30:42 UTC (rev 236882) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-05 19:59:04 UTC (rev 236883) 
@@ -1,3 +1,41 @@ +2018-10-05 Yusuke Suzuki + +[JSC][Linux] Support Perf JITDump logging +https://bugs.webkit.org/show_bug.cgi?id=189893 + +Reviewed by Mark Lam. + +This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information. +We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory. +By using this dump and perf.data output, we can annotate JIT code with profiling information. + +$ echo "(function f() { var s = 0; for (var i = 0; i < 10; i++) { s += i; } return s; })();" > test.js +$ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true +[ perf record: Woken up 1 times to write data ] +[ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ] +$ perf inject --jit -i perf.data -o perf.jit.data +$ perf report -i perf.jit.data + +* Sources.txt: +* assembler/LinkBuffer.cpp: +(JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl): +* assembler/LinkBuffer.h: +(JSC::LinkBuffer::finalizeCodeWithDisassembly): +* assembler/PerfLog.cpp: Added. +(JSC::PerfLog::singleton): +(JSC::generateTimestamp): +(JSC::getCurrentThreadID): +(JSC::PerfLog::PerfLog): +(JSC::PerfLog::write): +(JSC::PerfLog::flush): +(JSC::PerfLog::log): +* assembler/PerfLog.h: Added. +* jit/ExecutableAllocator.cpp: +(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): +* runtime/Options.cpp: +(JSC::Options::isAvailable): +* runtime/Options.h: + 2018-10-05 Mark Lam Gardening: Build fix after r236880. Modified: trunk/Source/_javascript_Core/Sources.txt (236882 => 236883) --- trunk/Source/_javascript_Core/Sources.txt 2018-10-05 19:30:42 UTC (rev 236882) +++ trunk/Source/_javascript_Core/Sources.txt 2018-10-05 19:59:04 UTC (rev 236883) 
@@ -52,6 +52,7 @@ assembler/MacroAssemblerMIPS.cpp assembler/MacroAssemblerPrinter.cpp assembler/MacroAssemblerX86Common.cpp +assembler/PerfLog.cpp assembler/Printer.cpp assembler/ProbeContext.cpp assembler/ProbeStack.cpp Modified: trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp (236882 => 236883) --- trunk/Source/_javascript_Core/assembler/LinkBuffer.cpp 2018-10-05 19:30:42 UTC (rev 236882) +++ trunk/Source
[webkit-changes] [236758] trunk/Source/JavaScriptCore
Title: [236758] trunk/Source/_javascript_Core Revision 236758 Author yusukesuz...@slowstart.org Date 2018-10-02 12:01:28 -0700 (Tue, 02 Oct 2018) Log Message [JSC] Add stub of ExecutableAllocator used when JIT is disabled https://bugs.webkit.org/show_bug.cgi?id=190215 Reviewed by Mark Lam. When ENABLE(JIT) is disabled, we do not use JIT. But ExecutableAllocator is still available since it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for LLInt ASM interpreter since our MacroAssembler tells machine architecture information. Eventually, we would like to decouple this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER) for LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT). To ensure that no executable memory allocation is done, we add a stub of ExecutableAllocator for non-JIT configurations. This does not have any functionality allocating executable memory, thus any accidental operation cannot attempt to allocate executable memory if ENABLE(JIT) = OFF. * jit/ExecutableAllocator.cpp: (JSC::ExecutableAllocator::initializeAllocator): (JSC::ExecutableAllocator::singleton): * jit/ExecutableAllocator.h: (JSC::ExecutableAllocator::isValid const): (JSC::ExecutableAllocator::underMemoryPressure): (JSC::ExecutableAllocator::memoryPressureMultiplier): (JSC::ExecutableAllocator::dumpProfile): (JSC::ExecutableAllocator::allocate): (JSC::ExecutableAllocator::isValidExecutableMemory): (JSC::ExecutableAllocator::committedByteCount): (JSC::ExecutableAllocator::getLock const): (JSC::performJITMemcpy): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp trunk/Source/_javascript_Core/jit/ExecutableAllocator.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236757 => 236758) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-02 18:43:27 UTC (rev 236757) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-02 19:01:28 UTC (rev 236758) 
@@ -1,3 +1,34 @@ +2018-10-02 Yusuke Suzuki + +[JSC] Add stub of ExecutableAllocator used when JIT is disabled +https://bugs.webkit.org/show_bug.cgi?id=190215 + +Reviewed by Mark Lam. + +When ENABLE(JIT) is disabled, we do not use JIT. But we ExecutableAllocator is still available since +it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for LLInt ASM interpreter since +our MacroAssembler tells machine architecture information. Eventually, we would like to decouple +this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER) +for LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT). + +To ensure any executable memory allocation is not done, we add a stub of ExecutableAllocator for +non-JIT configurations. This does not have any functionality allocating executable memory, thus +any accidental operation cannot attempt to allocate executable memory if ENABLE(JIT) = OFF. + +* jit/ExecutableAllocator.cpp: +(JSC::ExecutableAllocator::initializeAllocator): +(JSC::ExecutableAllocator::singleton): +* jit/ExecutableAllocator.h: +(JSC::ExecutableAllocator::isValid const): +(JSC::ExecutableAllocator::underMemoryPressure): +(JSC::ExecutableAllocator::memoryPressureMultiplier): +(JSC::ExecutableAllocator::dumpProfile): +(JSC::ExecutableAllocator::allocate): +(JSC::ExecutableAllocator::isValidExecutableMemory): +(JSC::ExecutableAllocator::committedByteCount): +(JSC::ExecutableAllocator::getLock const): +(JSC::performJITMemcpy): + 2018-10-01 Dean Jackson Remove CSS Animation Triggers Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp (236757 => 236758) --- trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp 2018-10-02 18:43:27 UTC (rev 236757) +++ trunk/Source/_javascript_Core/jit/ExecutableAllocator.cpp 2018-10-02 19:01:28 UTC (rev 236758) 
@@ -26,7 +26,7 @@ #include "config.h" #include "ExecutableAllocator.h" -#if ENABLE(ASSEMBLER) +#if ENABLE(JIT) #include "CodeProfiling.h" #include "ExecutableAllocationFuzz.h" @@ -497,4 +497,23 @@ } -#endif // ENABLE(ASSEMBLER) +#else // !ENABLE(JIT) + +namespace JSC { + +static ExecutableAllocator* executableAllocator; + +void ExecutableAllocator::initializeAllocator() +{ +executableAllocator = new ExecutableAllocator; +} + +ExecutableAllocator& ExecutableAllocator::singleton() +{ +ASSERT(executableAllocator); +return *executableAllocator; +} + +} // namespace JSC + +#endif // ENABLE(JIT) Modified: trunk/Source/_javascript_Core/jit/ExecutableAllocator.h (236757 => 236758) --- trunk/Source/_javascript_Core/jit/ExecutableAllocator.h 2018-10-02 18:43:27 UTC (rev 236757) +++ trunk/Source/_javascript_Core/jit/ExecutableAllocator.h 2018-10-02 19:01:28 UTC (rev 236758) @@ -59,7 +59,7 @@ typedef WTF::MetaA
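Review bot: In the second hunk, `ExecutableAllocator::initializeAllocator()` does `executableAllocator = new ExecutableAllocator;` with no check that the pointer is still null, so a repeated call silently leaks the first instance and swaps the singleton, and `singleton()` only guards the pointer with `ASSERT`, which compiles out in release builds. Adding `ASSERT(!executableAllocator);` before the `new` mirrors the check in singleton() and makes double initialization visible in debug runs. Since the commit's stated purpose is that this configuration never allocates executable memory, a brief comment above `namespace JSC {` in the `#else // !ENABLE(JIT)` block saying that the stub intentionally exposes no allocation path would make that intent explicit at the definition site; the stub's other members live in the header hunk that is cut off here.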
[webkit-changes] [236734] trunk/Source/JavaScriptCore
Title: [236734] trunk/Source/_javascript_Core Revision 236734 Author yusukesuz...@slowstart.org Date 2018-10-02 04:47:27 -0700 (Tue, 02 Oct 2018) Log Message [JSC] Add branchIfNaN and branchIfNotNaN https://bugs.webkit.org/show_bug.cgi?id=190122 Reviewed by Mark Lam. Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): (JSC::DFG::SpeculativeJIT::compileDoubleRep): (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand): (JSC::DFG::SpeculativeJIT::compileSpread): (JSC::DFG::SpeculativeJIT::compileNewArray): (JSC::DFG::SpeculativeJIT::speculateRealNumber): (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::purifyNaN): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfNaN): (JSC::AssemblyHelpers::branchIfNotNaN): * jit/JITPropertyAccess.cpp: (JSC::JIT::emitGenericContiguousPutByVal): (JSC::JIT::emitDoubleLoad): (JSC::JIT::emitFloatTypedArrayGetByVal): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitGenericContiguousPutByVal): * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236733 => 236734) --- 
trunk/Source/_javascript_Core/ChangeLog 2018-10-02 11:29:56 UTC (rev 236733) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-02 11:47:27 UTC (rev 236734) @@ -1,3 +1,40 @@ +2018-10-01 Yusuke Suzuki + +[JSC] Add branchIfNaN and branchIfNotNaN +https://bugs.webkit.org/show_bug.cgi?id=190122 + +Reviewed by Mark Lam. + +Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileDoublePutByVal): +(JSC::DFG::SpeculativeJIT::compileDoubleRep): +(JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand): +(JSC::DFG::SpeculativeJIT::compileSpread): +(JSC::DFG::SpeculativeJIT::compileNewArray): +(JSC::DFG::SpeculativeJIT::speculateRealNumber): +(JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): +(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): +(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::purifyNaN): +* jit/AssemblyHelpers.h: +(JSC::AssemblyHelpers::branchIfNaN): +(JSC::AssemblyHelpers::branchIfNotNaN): +* jit/JITPropertyAccess.cpp: +(JSC::JIT::emitGenericContiguousPutByVal): +(JSC::JIT::emitDoubleLoad): +(JSC::JIT::emitFloatTypedArrayGetByVal): +* jit/JITPropertyAccess32_64.cpp: +(JSC::JIT::emitGenericContiguousPutByVal): +* wasm/js/JSToWasm.cpp: +(JSC::Wasm::createJSToWasmWrapper): + 2018-10-01 Mark Lam Function.toString() should also copy the source code Functions that are class definitions. Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (236733 => 236734) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-10-02 11:29:56 UTC (rev 236733) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-10-02 11:47:27 UTC (rev 236734) 
@@ -2057,8 +2057,7 @@ DFG_TYPE_CHECK( JSValueRegs(), child3, SpecFullRealNumber, -m_jit.branchDouble( -MacroAssembler::DoubleNotEqualOrUnordered, valueReg, valueReg)); +m_jit.branchIfNaN(valueReg)); if (!m_compileOkay) return; @@ -2563,8 +2562,7 @@ unboxDouble(op1Regs.tagGPR(), op1Regs.payloadGPR(), resultFPR, tempFPR); #endif -JITCompiler::Jump done = m_jit.branchDouble( -JITCompiler::DoubleEqual, resultFPR, resultFPR); +JITCompiler::Jump done = m_jit.branchIfNotNaN(resultFPR); DFG_TYPE_CHECK( op1Regs, node->child1(), SpecBytecodeRealNumber, m_jit.branchIfNotInt32(op1Regs)); @@ -3028,7 +3026,7 @@ GPRTemporary result(this); FPRReg fpr = valueOp.fp
[webkit-changes] [236651] trunk/Source/JavaScriptCore
Title: [236651] trunk/Source/_javascript_Core Revision 236651 Author yusukesuz...@slowstart.org Date 2018-10-01 02:25:41 -0700 (Mon, 01 Oct 2018) Log Message [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper https://bugs.webkit.org/show_bug.cgi?id=189498 Reviewed by Saam Barati. To call JS-to-Wasm code we need to convert the result value from wasm function to the JS type. Previously this was done by callWebAssemblyFunction by using a switch over signature.returnType(). But since we know the value of `signature.returnType()` at compile time, we can emit a small conversion code directly to JSToWasm glue and remove this switch from callWebAssemblyFunction. In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters in boxInt32 and boxDouble. Since boxDouble does not have DoNotHaveTagRegisters version, we add an implementation for that. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::boxDouble): * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): * wasm/js/WebAssemblyFunction.cpp: (JSC::callWebAssemblyFunction): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236650 => 236651) --- trunk/Source/_javascript_Core/ChangeLog 2018-10-01 08:04:52 UTC (rev 236650) +++ trunk/Source/_javascript_Core/ChangeLog 2018-10-01 09:25:41 UTC (rev 236651) 
@@ -1,3 +1,27 @@ +2018-10-01 Yusuke Suzuki + +[WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper +https://bugs.webkit.org/show_bug.cgi?id=189498 + +Reviewed by Saam Barati. + +To call JS-to-Wasm code we need to convert the result value from wasm function to +the JS type. Previously this is done by callWebAssemblyFunction by using swtich +over signature.returnType(). But since we know the value of `signature.returnType()` +at compiling phase, we can emit a small conversion code directly to JSToWasm glue +and remove this switch from callWebAssemblyFunction. + +In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters +in boxInt32 and boxDouble. Since boxDouble does not have DoNotHaveTagRegisters version, +we add an implementation for that. + +* jit/AssemblyHelpers.h: +(JSC::AssemblyHelpers::boxDouble): +* wasm/js/JSToWasm.cpp: +(JSC::Wasm::createJSToWasmWrapper): +* wasm/js/WebAssemblyFunction.cpp: +(JSC::callWebAssemblyFunction): + 2018-09-30 Caio Lima [BigInt] BigInt.proptotype.toString is broken when radix is power of 2 Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (236650 => 236651) --- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2018-10-01 08:04:52 UTC (rev 236650) +++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2018-10-01 09:25:41 UTC (rev 236651) @@ -1244,11 +1244,15 @@ // These methods convert between doubles, and doubles boxed and JSValues. #if USE(JSVALUE64) -GPRReg boxDouble(FPRReg fpr, GPRReg gpr) +GPRReg boxDouble(FPRReg fpr, GPRReg gpr, TagRegistersMode mode = HaveTagRegisters) { moveDoubleTo64(fpr, gpr); -sub64(GPRInfo::tagTypeNumberRegister, gpr); -jitAssertIsJSDouble(gpr); +if (mode == DoNotHaveTagRegisters) +sub64(TrustedImm64(TagTypeNumber), gpr); +else { +sub64(GPRInfo::tagTypeNumberRegister, gpr); +jitAssertIsJSDouble(gpr); +} return gpr; } FPRReg unboxDoubleWithoutAssertions(GPRReg gpr, GPRReg resultGPR, FPRReg fpr) 
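Review bot: In the AssemblyHelpers.h hunk, the new `DoNotHaveTagRegisters` branch of `boxDouble` no longer runs `jitAssertIsJSDouble(gpr)`, so the boxed value is only sanity-checked when tag registers are available, and nothing in the hunk says whether that is because the assertion itself needs the tag registers or simply an oversight. A comment on that branch, e.g. `// jitAssertIsJSDouble uses the tag registers, so the check is skipped in this mode.` (reworded if the reason differs), would record the decision for the next reader. The `#if USE(JSVALUE64)` region containing the function continues outside the hunk.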
@@ -1263,9 +1267,9 @@ return unboxDoubleWithoutAssertions(gpr, resultGPR, fpr); } -void boxDouble(FPRReg fpr, JSValueRegs regs) +void boxDouble(FPRReg fpr, JSValueRegs regs, TagRegistersMode mode = HaveTagRegisters) { -boxDouble(fpr, regs.gpr()); +boxDouble(fpr, regs.gpr(), mode); } void unboxDoubleNonDestructive(JSValueRegs regs, FPRReg destFPR, GPRReg resultGPR, FPRReg) Modified: trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp (236650 => 236651) --- trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2018-10-01 08:04:52 UTC (rev 236650) +++ trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2018-10-01 09:25:41 UTC (rev 236651) @@ -209,11 +209,27 @@ } switch (signature.returnType()) { +case Wasm::Void: +jit.moveTrustedValue(jsUndefined(), JSValueRegs { GPRInfo::returnValueGPR }); +break; +case Wasm::I32: +jit.zeroExtend32ToPtr(GPRInfo::returnValueGPR, GPRInfo::returnValueGPR); +jit.boxInt32(GPRInfo::returnValueGPR, JSValueRegs { GPRInfo::returnValueGPR }, DoNotHaveTagRegisters); +break; case Wasm::F32: -jit.moveFloatTo32(FPRInfo::retu
[webkit-changes] [236617] trunk
Title: [236617] trunk Revision 236617 Author yusukesuz...@slowstart.org Date 2018-09-28 15:32:34 -0700 (Fri, 28 Sep 2018) Log Message [WTF] Make isMainThread more reliable https://bugs.webkit.org/show_bug.cgi?id=189880 Reviewed by Mark Lam. .: * Source/cmake/OptionsCommon.cmake: Source/WTF: isMainThread() relied on Thread::current(). This API becomes broken in Windows when the Thread is about to be destroyed since TLS is already cleared. This causes a bug since `isMainThread()` is called in Thread::didExit in Windows. This patch makes this `isMainThread` more reliable in all the platforms. In Windows, we use `Thread::currentID()` instead of `Thread::current()` since `Thread::currentID` uses Win32 GetCurrentThreadId directly. In the other system, we use `pthread_main_np` or `pthread_self` instead. We also move `holdLock` code inside `if (shouldRemoveThreadFromThreadGroup())`. If the other thread takes a mutex and destroyed, this `holdLock` waits forever. This problem only happens in Windows since Windows calls TLS destructor for the main thread. * WTF.xcodeproj/project.pbxproj: * wtf/MainThread.cpp: (WTF::initializeMainThread): (): Deleted. (WTF::isMainThread): Deleted. (WTF::isMainThreadIfInitialized): Deleted. * wtf/Platform.h: * wtf/PlatformMac.cmake: * wtf/Threading.cpp: (WTF::Thread::didExit): * wtf/cocoa/MainThreadCocoa.mm: Renamed from Source/WTF/wtf/mac/MainThreadMac.mm. 
* wtf/generic/MainThreadGeneric.cpp: (WTF::initializeMainThreadPlatform): (WTF::isMainThread): (WTF::isMainThreadIfInitialized): * wtf/win/MainThreadWin.cpp: (WTF::initializeMainThreadPlatform): (WTF::isMainThread): (WTF::isMainThreadIfInitialized): Modified Paths trunk/ChangeLog trunk/Source/WTF/ChangeLog trunk/Source/WTF/WTF.xcodeproj/project.pbxproj trunk/Source/WTF/wtf/MainThread.cpp trunk/Source/WTF/wtf/Platform.h trunk/Source/WTF/wtf/PlatformMac.cmake trunk/Source/WTF/wtf/Threading.cpp trunk/Source/WTF/wtf/generic/MainThreadGeneric.cpp trunk/Source/WTF/wtf/win/MainThreadWin.cpp trunk/Source/cmake/OptionsCommon.cmake Added Paths trunk/Source/WTF/wtf/cocoa/MainThreadCocoa.mm Removed Paths trunk/Source/WTF/wtf/mac/MainThreadMac.mm Diff Modified: trunk/ChangeLog (236616 => 236617) --- trunk/ChangeLog 2018-09-28 22:12:07 UTC (rev 236616) +++ trunk/ChangeLog 2018-09-28 22:32:34 UTC (rev 236617) @@ -1,3 +1,12 @@ +2018-09-28 Yusuke Suzuki + +[WTF] Make isMainThread more reliable +https://bugs.webkit.org/show_bug.cgi?id=189880 + +Reviewed by Mark Lam. + +* Source/cmake/OptionsCommon.cmake: + 2018-09-21 Yusuke Suzuki [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration Modified: trunk/Source/WTF/ChangeLog (236616 => 236617) --- trunk/Source/WTF/ChangeLog 2018-09-28 22:12:07 UTC (rev 236616) +++ trunk/Source/WTF/ChangeLog 2018-09-28 22:32:34 UTC (rev 236617) 
@@ -1,3 +1,43 @@ +2018-09-28 Yusuke Suzuki + +[WTF] Make isMainThread more reliable +https://bugs.webkit.org/show_bug.cgi?id=189880 + +Reviewed by Mark Lam. + +isMainThread() relied on Thread::current(). This API becomes broken in Windows +when the Thread is about to be destroyed since TLS is already cleared. This causes +a bug since `isMainThread()` is called in Thread::didExit in Windows. + +This patch makes this `isMainThread` more reliable in all the platforms. In Windows, +we use `Thread::currentID()` instead of `Thread::current()` since `Thread::currentID` +uses Win32 GetCurrentThreadId directly. In the other system, we use `pthread_main_np` +or `pthread_self` instead. + +We also move `holdLock` code inside `if (shouldRemoveThreadFromThreadGroup())`. If +the other thread takes a mutex and destroyed, this `holdLock` waits forever. This problem +only happens in Windows since Windows calls TLS destructor for the main thread. + +* WTF.xcodeproj/project.pbxproj: +* wtf/MainThread.cpp: +(WTF::initializeMainThread): +(): Deleted. +(WTF::isMainThread): Deleted. +(WTF::isMainThreadIfInitialized): Deleted. +* wtf/Platform.h: +* wtf/PlatformMac.cmake: +* wtf/Threading.cpp: +(WTF::Thread::didExit): +* wtf/cocoa/MainThreadCocoa.mm: Renamed from Source/WTF/wtf/mac/MainThreadMac.mm. +* wtf/generic/MainThreadGeneric.cpp: +(WTF::initializeMainThreadPlatform): +(WTF::isMainThread): +(WTF::isMainThreadIfInitialized): +* wtf/win/MainThreadWin.cpp: +(WTF::initializeMainThreadPlatform): +(WTF::isMainThread): +(WTF::isMainThreadIfInitialized): + 2018-09-28 Commit Queue Unreviewed, rolling out r236605. Modified: trunk/Source/WTF/WTF.xcodeproj/project.pbxproj (236616 => 236617) --- trunk/Source/WTF/WTF.xcodeproj/project.pbxproj 2018-09-28 22:12:07 UTC (rev 236616) +++ trunk/Source/WTF/WTF.xcodeproj/project.pbxproj 2018-09-2
[webkit-changes] [236505] trunk/Source/JavaScriptCore
Title: [236505] trunk/Source/_javascript_Core Revision 236505 Author yusukesuz...@slowstart.org Date 2018-09-26 09:12:42 -0700 (Wed, 26 Sep 2018) Log Message Unreviewed, add scope verification handling https://bugs.webkit.org/show_bug.cgi?id=189780 * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncIndexOf): (JSC::arrayProtoFuncLastIndexOf): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236504 => 236505) --- trunk/Source/_javascript_Core/ChangeLog 2018-09-26 16:12:34 UTC (rev 236504) +++ trunk/Source/_javascript_Core/ChangeLog 2018-09-26 16:12:42 UTC (rev 236505) @@ -1,3 +1,12 @@ +2018-09-26 Yusuke Suzuki + +Unreviewed, add scope verification handling +https://bugs.webkit.org/show_bug.cgi?id=189780 + +* runtime/ArrayPrototype.cpp: +(JSC::arrayProtoFuncIndexOf): +(JSC::arrayProtoFuncLastIndexOf): + 2018-09-26 Koby Boyango [JSC] offlineasm parser should handle CRLF in asm files Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (236504 => 236505) --- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2018-09-26 16:12:34 UTC (rev 236504) +++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2018-09-26 16:12:42 UTC (rev 236505) @@ -1269,7 +1269,9 @@ JSValue searchElement = exec->argument(0); if (isJSArray(thisObject)) { -if (JSValue result = fastIndexOf(exec, vm, asArray(thisObject), length, searchElement, index)) +JSValue result = fastIndexOf(exec, vm, asArray(thisObject), length, searchElement, index); +RETURN_IF_EXCEPTION(scope, { }); +if (result) return JSValue::encode(result); } 
@@ -1318,7 +1320,9 @@ JSValue searchElement = exec->argument(0); if (isJSArray(thisObject)) { -if (JSValue result = fastIndexOf(exec, vm, asArray(thisObject), length, searchElement, index)) +JSValue result = fastIndexOf(exec, vm, asArray(thisObject), length, searchElement, index); +RETURN_IF_EXCEPTION(scope, { }); +if (result) return JSValue::encode(result); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [236496] trunk
Title: [236496] trunk Revision 236496 Author yusukesuz...@slowstart.org Date 2018-09-25 22:16:22 -0700 (Tue, 25 Sep 2018) Log Message [JSC] Optimize Array#lastIndexOf https://bugs.webkit.org/show_bug.cgi?id=189780 Reviewed by Saam Barati. JSTests: * stress/array-lastindexof-array-prototype-trap.js: Added. (shouldBe): (AncestorArray.prototype.get 2): (AncestorArray): * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added. (shouldBe): * stress/array-lastindexof-hole-nan.js: Added. (shouldBe): (throw.new.Error): * stress/array-lastindexof-infinity.js: Added. (shouldBe): (throw.new.Error): * stress/array-lastindexof-negative-zero.js: Added. (shouldBe): (throw.new.Error): * stress/array-lastindexof-own-getter.js: Added. (shouldBe): (throw.new.Error.get array): (get array): * stress/array-lastindexof-prototype-trap.js: Added. (shouldBe): (DerivedArray.prototype.get 2): (DerivedArray): Source/_javascript_Core: Optimize Array#lastIndexOf as the same to Array#indexOf. We add a fast path for JSArray with contiguous storage. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncLastIndexOf): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp Added Paths trunk/JSTests/stress/array-lastindexof-array-prototype-trap.js trunk/JSTests/stress/array-lastindexof-cached-length.js trunk/JSTests/stress/array-lastindexof-fast-path-effects.js trunk/JSTests/stress/array-lastindexof-have-a-bad-time-c-runtime.js trunk/JSTests/stress/array-lastindexof-hole-nan.js trunk/JSTests/stress/array-lastindexof-infinity.js trunk/JSTests/stress/array-lastindexof-negative-zero.js trunk/JSTests/stress/array-lastindexof-own-getter.js trunk/JSTests/stress/array-lastindexof-prototype-trap.js Diff Modified: trunk/JSTests/ChangeLog (236495 => 236496) --- trunk/JSTests/ChangeLog 2018-09-26 03:14:09 UTC (rev 236495) +++ trunk/JSTests/ChangeLog 2018-09-26 05:16:22 UTC (rev 236496) 
@@ -1,3 +1,34 @@ +2018-09-20 Yusuke Suzuki + +[JSC] Optimize Array#lastIndexOf +https://bugs.webkit.org/show_bug.cgi?id=189780 + +Reviewed by Saam Barati. + +* stress/array-lastindexof-array-prototype-trap.js: Added. +(shouldBe): +(AncestorArray.prototype.get 2): +(AncestorArray): +* stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added. +(shouldBe): +* stress/array-lastindexof-hole-nan.js: Added. +(shouldBe): +(throw.new.Error): +* stress/array-lastindexof-infinity.js: Added. +(shouldBe): +(throw.new.Error): +* stress/array-lastindexof-negative-zero.js: Added. +(shouldBe): +(throw.new.Error): +* stress/array-lastindexof-own-getter.js: Added. +(shouldBe): +(throw.new.Error.get array): +(get array): +* stress/array-lastindexof-prototype-trap.js: Added. +(shouldBe): +(DerivedArray.prototype.get 2): +(DerivedArray): + 2018-09-25 Saam Barati Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock Added: trunk/JSTests/stress/array-lastindexof-array-prototype-trap.js (0 => 236496) --- trunk/JSTests/stress/array-lastindexof-array-prototype-trap.js (rev 0) +++ trunk/JSTests/stress/array-lastindexof-array-prototype-trap.js 2018-09-26 05:16:22 UTC (rev 236496) 
@@ -0,0 +1,45 @@
+function shouldBe(actual, expected) {
+if (actual !== expected)
+throw new Error('bad value: ' + actual);
+}
+
+class AncestorArray extends Object {
+get 2() {
+this.called = true;
+return 42;
+}
+}
+
+Array.prototype.__proto__ = AncestorArray.prototype;
+
+{
+let array = [];
+array.length = 42;
+shouldBe(array.lastIndexOf(42), 2);
+shouldBe(array.called, true);
+}
+{
+let array = [20, 20];
+array.length = 42;
+shouldBe(array.lastIndexOf(42), 2);
+shouldBe(array.called, true);
+}
+{
+let array = ["Hello"];
+array.length = 42;
+shouldBe(array.lastIndexOf(42), 2);
+shouldBe(array.called, true);
+}
+{
+let array = [42.195];
+array.length = 42;
+shouldBe(array.lastIndexOf(42), 2);
+shouldBe(array.called, true);
+}
+{
+let array = ["Hello"];
+array.length = 42;
+ensureArrayStorage(array);
+shouldBe(array.lastIndexOf(42), 2);
+shouldBe(array.called, true);
+}
Added: trunk/JSTests/stress/array-lastindexof-cached-length.js (0 => 236496)
--- trunk/JSTests/stress/array-lastindexof-cached-length.js (rev 0)
+++ trunk/JSTests/stress/array-lastindexof-cached-length.js 2018-09-26 05:16:22 UTC (rev 236496)
@@ -0,0 +1,24 @@
+function assert(b) {
+if (!b)
+throw new Error;
+
+}
+
+const originalLength = 1;
+let arr = new Proxy([], {
+has(...args) {
+assert(parseInt(args[1]) < originalLength);
+assert(arg
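Review bot: Every case in array-lastindexof-array-prototype-trap.js calls `lastIndexOf(42)` with no `fromIndex` and a length of exactly 42, so the new fast path's clamping of an explicit `fromIndex` is never combined with the ancestor getter, and an implementation that falls back to the generic loop only for the one-argument form would pass this file unnoticed. Adding to each block something like `shouldBe(array.lastIndexOf(42, -1), 2);` and `shouldBe(array.lastIndexOf(42, 1), -1);` would pin both the negative-index clamp and that a search window ending below index 2 does not report the getter's value. Because the getter sits two levels up the chain via `Array.prototype.__proto__`, this file is the guard that keeps holes in contiguous storage from silently skipping an observable lookup, which is the kind of missed side effect that tends to become a type-confusion bug in engine fast paths, so the extra coverage is cheap insurance. Separately, the commit's Added Paths list includes array-lastindexof-cached-length.js and array-lastindexof-fast-path-effects.js, which the ChangeLog entry in this commit does not mention.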
[webkit-changes] [236381] trunk
Title: [236381] trunk Revision 236381 Author yusukesuz...@slowstart.org Date 2018-09-21 22:26:44 -0700 (Fri, 21 Sep 2018) Log Message [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration https://bugs.webkit.org/show_bug.cgi?id=189778 Reviewed by Keith Miller. .: ENABLE_SAMPLING_PROFILER does not depend on ENABLE_JIT now since it can be used with LLInt ASM interpreter. * Source/cmake/WebKitFeatures.cmake: Source/_javascript_Core: LLInt ASM interpreter is 2x and 15% faster than CLoop interpreter on Linux and macOS respectively. We would like to enable it for non JIT configurations in X86_64 and ARM64. This patch enables LLInt for non JIT builds in X86_64 and ARM64 architectures. Previously, we switch LLInt ASM interpreter and CLoop by using ENABLE(JIT) configuration. But it is wrong in the new scenario since we have a build configuration that uses LLInt ASM interpreter and JIT is disabled. We introduce ENABLE(C_LOOP) option, which represents that we use CLoop. And we replace ENABLE(JIT) with ENABLE(C_LOOP) if the previous ENABLE(JIT) is essentially just related to LLInt ASM interpreter and not related to JIT. We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler has machine register information that is used in LLInt ASM interpreter. * API/tests/PingPongStackOverflowTest.cpp: (testPingPongStackOverflow): * CMakeLists.txt: * _javascript_Core.xcodeproj/project.pbxproj: * assembler/MaxFrameExtentForSlowPathCall.h: * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used. 
* bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecode/CodeBlock.h: (JSC::CodeBlock::calleeSaveRegisters const): (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters): (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters): (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): * bytecode/Opcode.h: (JSC::padOpcodeName): * heap/Heap.cpp: (JSC::Heap::gatherJSStackRoots): (JSC::Heap::stopThePeriphery): * interpreter/CLoopStack.cpp: * interpreter/CLoopStack.h: * interpreter/CLoopStackInlines.h: * interpreter/EntryFrame.h: * interpreter/Interpreter.cpp: (JSC::Interpreter::Interpreter): (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const): * interpreter/Interpreter.h: * interpreter/StackVisitor.cpp: (JSC::StackVisitor::Frame::calleeSaveRegisters): * interpreter/VMEntryRecord.h: * jit/ExecutableAllocator.h: * jit/FPRInfo.h: (WTF::printInternal): * jit/GPRInfo.cpp: * jit/GPRInfo.h: (WTF::printInternal): * jit/HostCallReturnValue.cpp: (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too. * jit/HostCallReturnValue.h: * jit/JITOperations.cpp: (JSC::getHostCallReturnValueWithExecState): Deleted. 
* jit/JITOperationsMSVC64.cpp: * jit/Reg.cpp: * jit/Reg.h: * jit/RegisterAtOffset.cpp: * jit/RegisterAtOffset.h: * jit/RegisterAtOffsetList.cpp: * jit/RegisterAtOffsetList.h: * jit/RegisterMap.h: * jit/RegisterSet.cpp: * jit/RegisterSet.h: * jit/TempRegisterSet.cpp: * jit/TempRegisterSet.h: * llint/LLIntCLoop.cpp: * llint/LLIntCLoop.h: * llint/LLIntData.cpp: (JSC::LLInt::initialize): (JSC::LLInt::Data::performAssertions): * llint/LLIntData.h: * llint/LLIntOfflineAsmConfig.h: * llint/LLIntOpcode.h: * llint/LLIntPCRanges.h: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LLIntSlowPaths.h: * llint/LLIntThunks.cpp: * llint/LowLevelInterpreter.cpp: * llint/LowLevelInterpreter.h: * runtime/JSCJSValue.h: * runtime/MachineContext.h: * runtime/SamplingProfiler.cpp: (JSC::SamplingProfiler::processUnverifiedStackTraces): Enable SamplingProfiler for LLInt ASM interpreter with non JIT configuration. * runtime/TestRunnerUtils.cpp: (JSC::optimizeNextInvocation): * runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::getHostFunction): (JSC::VM::updateSoftReservedZoneSize): (JSC::sanitizeStackForVM): (JSC::VM::committedStackByteCount): * runtime/VM.h: * runtime/VMInlines.h: (JSC::VM::ensureStackCapacityFor): (JSC::VM::isSafeToRecurseSoft const): Source/WTF: This patch adds ENABLE(C_LOOP) which indicates we use CLoop as the interpreter. Previously, we used !ENABLE(JIT) for this configuration. But now, we have a build configuration that has LLInt ASM interpreter (not CLoop) and !ENABLE(JIT). We enable LLInt ASM interpreter for non JIT environment in X86_64 and ARM64 architectures. And we enable ENABLE(ASSEMBLER) for non JIT environment since it offers machine register information which is used for LLInt and SamplingProfiler. 
* wtf/Platform.h: Modified Paths trunk/ChangeLog trunk/Source/_javascript_Core/API/tests/PingPongStackOverflowTest.cpp trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/assembler/MaxFrameExtentForSlowPathCall.h trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trun
[webkit-changes] [236296] trunk/Source/JavaScriptCore
Title: [236296] trunk/Source/_javascript_Core Revision 236296 Author yusukesuz...@slowstart.org Date 2018-09-20 18:11:19 -0700 (Thu, 20 Sep 2018) Log Message [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString https://bugs.webkit.org/show_bug.cgi?id=189558 Reviewed by Mark Lam. When running web-tooling-benchmark postcss test on Linux JSCOnly port, we get the following result in `perf report`. 10.95% AutomaticThread libJavaScriptCore.so.1.0.0 [.] JSC::Heap::reportExtraMemoryVisited This is because postcss produces bunch of JSString, which require reportExtraMemoryVisited calls in JSString::visitChildren. And since reportExtraMemoryVisited attempts to update atomic counter, if we have bunch of marking threads, it becomes super contended. This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has per-SlotVisitor m_extraMemorySize counter. And we propagate this value to the global atomic counter when rebalance happens. We also reduce HeapCell::heap() access by using `vm.heap`. 
* heap/SlotVisitor.cpp: (JSC::SlotVisitor::didStartMarking): (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary): (JSC::SlotVisitor::drain): (JSC::SlotVisitor::performIncrementOfDraining): * heap/SlotVisitor.h: * heap/SlotVisitorInlines.h: (JSC::SlotVisitor::reportExtraMemoryVisited): * runtime/JSString.cpp: (JSC::JSRopeString::resolveRopeToAtomicString const): (JSC::JSRopeString::resolveRope const): * runtime/JSString.h: (JSC::JSString::finishCreation): * wasm/js/JSWebAssemblyInstance.cpp: (JSC::JSWebAssemblyInstance::finishCreation): * wasm/js/JSWebAssemblyMemory.cpp: (JSC::JSWebAssemblyMemory::finishCreation): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/SlotVisitor.cpp trunk/Source/_javascript_Core/heap/SlotVisitor.h trunk/Source/_javascript_Core/heap/SlotVisitorInlines.h trunk/Source/_javascript_Core/runtime/JSString.cpp trunk/Source/_javascript_Core/runtime/JSString.h trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.cpp trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (236295 => 236296) --- trunk/Source/_javascript_Core/ChangeLog 2018-09-21 00:28:23 UTC (rev 236295) +++ trunk/Source/_javascript_Core/ChangeLog 2018-09-21 01:11:19 UTC (rev 236296) 
@@ -1,3 +1,40 @@ +2018-09-20 Yusuke Suzuki + +[JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString +https://bugs.webkit.org/show_bug.cgi?id=189558 + +Reviewed by Mark Lam. + +When running web-tooling-benchmark postcss test on Linux JSCOnly port, we get the following result in `perf report`. + +10.95% AutomaticThread libJavaScriptCore.so.1.0.0 [.] JSC::Heap::reportExtraMemoryVisited + +This is because postcss produces bunch of JSString, which require reportExtraMemoryVisited calls in JSString::visitChildren. +And since reportExtraMemoryVisited attempts to update atomic counter, if we have bunch of marking threads, it becomes super contended. + +This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has per-SlotVisitor m_extraMemorySize counter. +And we propagate this value to the global atomic counter when rebalance happens. + +We also reduce HeapCell::heap() access by using `vm.heap`. + +* heap/SlotVisitor.cpp: +(JSC::SlotVisitor::didStartMarking): +(JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary): +(JSC::SlotVisitor::drain): +(JSC::SlotVisitor::performIncrementOfDraining): +* heap/SlotVisitor.h: +* heap/SlotVisitorInlines.h: +(JSC::SlotVisitor::reportExtraMemoryVisited): +* runtime/JSString.cpp: +(JSC::JSRopeString::resolveRopeToAtomicString const): +(JSC::JSRopeString::resolveRope const): +* runtime/JSString.h: +(JSC::JSString::finishCreation): +* wasm/js/JSWebAssemblyInstance.cpp: +(JSC::JSWebAssemblyInstance::finishCreation): +* wasm/js/JSWebAssemblyMemory.cpp: +(JSC::JSWebAssemblyMemory::finishCreation): + 2018-09-20 Michael Saboff Add functions to measure memory footprint to JSC Modified: trunk/Source/_javascript_Core/heap/SlotVisitor.cpp (236295 => 236296) --- trunk/Source/_javascript_Core/heap/SlotVisitor.cpp 2018-09-21 00:28:23 UTC (rev 236295) +++ trunk/Source/_javascript_Core/heap/SlotVisitor.cpp 2018-09-21 01:11:19 UTC (rev 236296) 
@@ -99,8 +99,17 @@ void SlotVisitor::didStartMarking() { -if (heap()->collectionScope() == CollectionScope::Eden) -reset(); +auto scope = heap()->collectionScope(); +if (scope) { +switch (*scope) { +case CollectionScope::Eden: +reset(); +break; +case CollectionScope::Full: +m_extraMemorySize = 0; +break; +} +} if (Heap
[webkit-changes] [236240] trunk
Title: [236240] trunk Revision 236240 Author yusukesuz...@slowstart.org Date 2018-09-19 22:54:27 -0700 (Wed, 19 Sep 2018) Log Message [JSC] Optimize Array#indexOf in C++ runtime https://bugs.webkit.org/show_bug.cgi?id=189507 Reviewed by Saam Barati. JSTests: * stress/array-indexof-array-prototype-trap.js: Added. (shouldBe): (AncestorArray.prototype.get 2): (AncestorArray): * stress/array-indexof-have-a-bad-time-c-runtime.js: Added. (shouldBe): * stress/array-indexof-hole-nan.js: Added. (shouldBe): (throw.new.Error): * stress/array-indexof-infinity.js: Added. (shouldBe): (throw.new.Error): * stress/array-indexof-negative-zero.js: Added. (shouldBe): (throw.new.Error): * stress/array-indexof-own-getter.js: Added. (shouldBe): (throw.new.Error.get array): (get array): * stress/array-indexof-prototype-trap.js: Added. (shouldBe): (DerivedArray.prototype.get 2): (DerivedArray): Source/_javascript_Core: C++ Array#indexOf runtime function takes so much time in babylon benchmark in web-tooling-benchmark. While our DFG and FTL has Array#indexOf optimization and actually it is working well, C++ Array#indexOf is called significant amount of time before tiering up, and it takes 6.74% of jsc main thread samples according to perf command in Linux. This is because C++ Array#indexOf is too generic and misses the chance to optimize JSArray cases. This patch adds JSArray fast path for Array#indexOf. If we know that indexed access to the given JSArray is non-observable and indexing type is good for the fast path, we go to the fast path. This makes sampling of Array#indexOf 3.83% in babylon web-tooling-benchmark. 
* runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncIndexOf): * runtime/JSArray.h: * runtime/JSArrayInlines.h: (JSC::JSArray::canDoFastIndexedAccess): (JSC::toLength): * runtime/JSCJSValueInlines.h: (JSC::JSValue::JSValue): * runtime/JSGlobalObject.h: * runtime/JSGlobalObjectInlines.h: (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable): (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable): * runtime/MathCommon.h: (JSC::canBeStrictInt32): (JSC::canBeInt32): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp trunk/Source/_javascript_Core/runtime/JSArray.h trunk/Source/_javascript_Core/runtime/JSArrayInlines.h trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/JSGlobalObjectInlines.h trunk/Source/_javascript_Core/runtime/MathCommon.h Added Paths trunk/JSTests/stress/array-indexof-array-prototype-trap.js trunk/JSTests/stress/array-indexof-have-a-bad-time-c-runtime.js trunk/JSTests/stress/array-indexof-hole-nan.js trunk/JSTests/stress/array-indexof-infinity.js trunk/JSTests/stress/array-indexof-negative-zero.js trunk/JSTests/stress/array-indexof-own-getter.js trunk/JSTests/stress/array-indexof-prototype-trap.js Diff Modified: trunk/JSTests/ChangeLog (236239 => 236240) --- trunk/JSTests/ChangeLog 2018-09-20 03:41:38 UTC (rev 236239) +++ trunk/JSTests/ChangeLog 2018-09-20 05:54:27 UTC (rev 236240) 
@@ -1,3 +1,34 @@ +2018-09-19 Yusuke Suzuki + +[JSC] Optimize Array#indexOf in C++ runtime +https://bugs.webkit.org/show_bug.cgi?id=189507 + +Reviewed by Saam Barati. + +* stress/array-indexof-array-prototype-trap.js: Added. +(shouldBe): +(AncestorArray.prototype.get 2): +(AncestorArray): +* stress/array-indexof-have-a-bad-time-c-runtime.js: Added. +(shouldBe): +* stress/array-indexof-hole-nan.js: Added. +(shouldBe): +(throw.new.Error): +* stress/array-indexof-infinity.js: Added. +(shouldBe): +(throw.new.Error): +* stress/array-indexof-negative-zero.js: Added. +(shouldBe): +(throw.new.Error): +* stress/array-indexof-own-getter.js: Added. +(shouldBe): +(throw.new.Error.get array): +(get array): +* stress/array-indexof-prototype-trap.js: Added. +(shouldBe): +(DerivedArray.prototype.get 2): +(DerivedArray): + 2018-09-19 Saam barati AI rule for MultiPutByOffset executes its effects in the wrong order Added: trunk/JSTests/stress/array-indexof-array-prototype-trap.js (0 => 236240) --- trunk/JSTests/stress/array-indexof-array-prototype-trap.js (rev 0) +++ trunk/JSTests/stress/array-indexof-array-prototype-trap.js 2018-09-20 05:54:27 UTC (rev 236240) @@ -0,0 +1,45 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} + +class AncestorArray extends Object { +get 2() { +this.called = true; +return 42; +} +} + +Array.prototype.__proto__ = AncestorArray.prototype; + +{ +let array = []; +array.length = 42; +shouldBe(array.indexOf(42), 2); +
[webkit-changes] [236101] trunk
Title: [236101] trunk Revision 236101 Author yusukesuz...@slowstart.org Date 2018-09-17 22:47:33 -0700 (Mon, 17 Sep 2018) Log Message [WTF] Use Semaphore and BinarySemaphore instead of dispatch_semaphore_t https://bugs.webkit.org/show_bug.cgi?id=185339 Patch by Yusuke Suzuki on 2018-09-17 Reviewed by Mark Lam. Source/WebCore: * fileapi/ThreadableBlobRegistry.cpp: (WebCore::ThreadableBlobRegistry::blobSize): * platform/cocoa/NetworkExtensionContentFilter.h: * platform/cocoa/NetworkExtensionContentFilter.mm: (WebCore::NetworkExtensionContentFilter::initialize): (WebCore::NetworkExtensionContentFilter::willSendRequest): (WebCore::NetworkExtensionContentFilter::responseReceived): (WebCore::NetworkExtensionContentFilter::addData): (WebCore::NetworkExtensionContentFilter::finishedAddingData): (WebCore::NetworkExtensionContentFilter::handleDecision): Use per-function BinarySemaphore instead of holding it in NetworkExtensionContentFilter's field. * platform/glib/FileMonitorGLib.cpp: (WebCore::FileMonitor::FileMonitor): (WebCore::FileMonitor::~FileMonitor): * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h: * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm: (WebCore::MediaPlayerPrivateAVFoundationObjC::MediaPlayerPrivateAVFoundationObjC): (WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC): (WebCore::MediaPlayerPrivateAVFoundationObjC::waitForVideoOutputMediaDataWillChange): (WebCore::MediaPlayerPrivateAVFoundationObjC::outputMediaDataWillChange): Use BinarySemaphore. And remove unused dispatch_semaphore_t. 
* platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.h: * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm: (-[WebAVStreamDataParserListener streamDataParserWillProvideContentKeyRequestInitializationData:forTrackID:]): (-[WebAVStreamDataParserListener streamDataParser:didProvideContentKeyRequestInitializationData:forTrackID:]): (WebCore::SourceBufferPrivateAVFObjC::SourceBufferPrivateAVFObjC): (WebCore::SourceBufferPrivateAVFObjC::~SourceBufferPrivateAVFObjC): (WebCore::SourceBufferPrivateAVFObjC::didProvideContentKeyRequestInitializationDataForTrackID): (WebCore::SourceBufferPrivateAVFObjC::abort): (WebCore::SourceBufferPrivateAVFObjC::setCDMSession): (WebCore::SourceBufferPrivateAVFObjC::setCDMInstance): Use Box and Box. * platform/graphics/cocoa/WebCoreDecompressionSession.h: * platform/graphics/cocoa/WebCoreDecompressionSession.mm: (WebCore::WebCoreDecompressionSession::WebCoreDecompressionSession): Remove unused dispatch_semaphore_t. * platform/network/cf/ResourceHandleCFNet.cpp: (WebCore::ResourceHandle::platformLoadResourceSynchronously): * platform/network/cf/ResourceHandleCFURLConnectionDelegateWithOperationQueue.cpp: (WebCore::getRunLoop): (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::willSendRequest): (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didReceiveResponse): (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::willCacheResponse): (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::canRespondToProtectionSpace): * platform/network/mac/WebCoreResourceHandleAsOperationQueueDelegate.h: * platform/network/mac/WebCoreResourceHandleAsOperationQueueDelegate.mm: (-[WebCoreResourceHandleAsOperationQueueDelegate initWithHandle:messageQueue:]): (-[WebCoreResourceHandleAsOperationQueueDelegate detachHandle]): (-[WebCoreResourceHandleAsOperationQueueDelegate dealloc]): (-[WebCoreResourceHandleAsOperationQueueDelegate 
connection:willSendRequest:redirectResponse:]): (-[WebCoreResourceHandleAsOperationQueueDelegate connection:canAuthenticateAgainstProtectionSpace:]): (-[WebCoreResourceHandleAsOperationQueueDelegate connection:didReceiveResponse:]): (-[WebCoreResourceHandleAsOperationQueueDelegate connection:willCacheResponse:]): Use BinarySemaphore instead. Source/WebKit: * Platform/IPC/Connection.cpp: (IPC::Connection::SyncMessageState::wait): * Shared/mac/SecItemShim.cpp: (WebKit::sendSecItemRequest): Use BinarySemaphore. * UIProcess/ResourceLoadStatisticsPersistentStorage.cpp: (WebKit::ResourceLoadStatisticsPersistentStorage::finishAllPendingWorkSynchronously): * UIProcess/WebStorage/StorageManager.cpp: (WebKit::StorageManager::applicationWillTerminate): * UIProcess/ios/WKActionSheetAssistant.mm: (appLinkForURL): Use BinarySemaphore to wait for async completion handler. We also fix memory leak since the old code does not call dispatch_release for the used semaphore. Source/WTF: This patch adds WTF::Semaphore, which is based on WTF::Lock and WTF::Condition. * WTF.xcodeproj/project.pbxproj: * wtf/CMakeLists.txt: * wtf/Semaphore.h: Added. (WTF::Semaphore::Semaphore): (WTF::Semaphore::signal): (WTF::Semaphore::waitUntil): (WTF::Semaphore::waitFor): (WTF::Semaphore::wait): * wtf/generic/WorkQueueGeneric.cpp: (WorkQueue::platformInitialize): * wtf/threads/BinarySemaphore.cpp: (WTF::BinarySemaphore::waitUntil):
[webkit-changes] [235989] trunk/Source/JavaScriptCore
Title: [235989] trunk/Source/_javascript_Core Revision 235989 Author yusukesuz...@slowstart.org Date 2018-09-13 14:49:47 -0700 (Thu, 13 Sep 2018) Log Message [WebAssembly] Inline WasmContext accessor functions https://bugs.webkit.org/show_bug.cgi?id=189416 Reviewed by Saam Barati. WasmContext accessor functions are very small while it resides in the critical path of JS to Wasm function call. This patch makes them inline to improve performance. This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms. * _javascript_Core.xcodeproj/project.pbxproj: * Sources.txt: * interpreter/CallFrame.cpp: * jit/AssemblyHelpers.cpp: * wasm/WasmB3IRGenerator.cpp: * wasm/WasmContextInlines.h: Renamed from Source/_javascript_Core/wasm/WasmContext.cpp. (JSC::Wasm::Context::useFastTLS): (JSC::Wasm::Context::load const): (JSC::Wasm::Context::store): * wasm/WasmMemoryInformation.cpp: * wasm/WasmModuleParser.cpp: Include due to changes of unified source combinations. * wasm/js/JSToWasm.cpp: * wasm/js/WebAssemblyFunction.cpp: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/interpreter/CallFrame.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmMemoryInformation.cpp trunk/Source/_javascript_Core/wasm/WasmModuleParser.cpp trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp Added Paths trunk/Source/_javascript_Core/wasm/WasmContextInlines.h Removed Paths trunk/Source/_javascript_Core/wasm/WasmContext.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (235988 => 235989) --- trunk/Source/_javascript_Core/ChangeLog 2018-09-13 20:52:34 UTC (rev 235988) +++ trunk/Source/_javascript_Core/ChangeLog 2018-09-13 21:49:47 UTC (rev 235989) 
@@ -1,3 +1,28 @@ +2018-09-13 Yusuke Suzuki + +[WebAssembly] Inline WasmContext accessor functions +https://bugs.webkit.org/show_bug.cgi?id=189416 + +Reviewed by Saam Barati. + +WasmContext accessor functions are very small while it resides in the critical path of +JS to Wasm function call. This patch makes them inline to improve performance. +This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms. + +* _javascript_Core.xcodeproj/project.pbxproj: +* Sources.txt: +* interpreter/CallFrame.cpp: +* jit/AssemblyHelpers.cpp: +* wasm/WasmB3IRGenerator.cpp: +* wasm/WasmContextInlines.h: Renamed from Source/_javascript_Core/wasm/WasmContext.cpp. +(JSC::Wasm::Context::useFastTLS): +(JSC::Wasm::Context::load const): +(JSC::Wasm::Context::store): +* wasm/WasmMemoryInformation.cpp: +* wasm/WasmModuleParser.cpp: Include due to changes of unified source combinations. +* wasm/js/JSToWasm.cpp: +* wasm/js/WebAssemblyFunction.cpp: + 2018-09-12 David Kilzer Move _javascript_Core files to match Xcode project hierarchy Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (235988 => 235989) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2018-09-13 20:52:34 UTC (rev 235988) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2018-09-13 21:49:47 UTC (rev 235989) 
@@ -1523,6 +1523,7 @@ AD2FCC211DB59CB200B3E736 /* WebAssemblyTablePrototype.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCC151DB59C5900B3E736 /* WebAssemblyTablePrototype.lut.h */; }; AD2FCC2D1DB838FD00B3E736 /* WebAssemblyPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCC271DB838C400B3E736 /* WebAssemblyPrototype.h */; settings = {ATTRIBUTES = (Private, ); }; }; AD412B341E7B2E9E008AF157 /* WasmContext.h in Headers */ = {isa = PBXBuildFile; fileRef = AD412B321E7B2E8A008AF157 /* WasmContext.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 7593C898BE714A64BE93A6E7 /* WasmContextInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = A27958D7FA1142B0AC9E364D /* WasmContextInlines.h */; settings = {ATTRIBUTES = (Private, ); }; }; AD4252511E5D0E14009D2A97 /* FullCodeOrigin.h in Headers */ = {isa = PBXBuildFile; fileRef = AD4252501E5D0DEB009D2A97 /* FullCodeOrigin.h */; }; AD4937C41DDBE6140077C807 /* AbstractModuleRecord.h in Headers */ = {isa = PBXBuildFile; fileRef = AD4937C21DDBE60A0077C807 /* AbstractModuleRecord.h */; settings = {ATTRIBUTES = (Private, ); }; }; AD4937C81DDD0AAE0077C807 /* WebAssemblyModuleRecord.h in Headers */ = {isa = PBXBuildFile; fileRef = AD4937C61DDCDCF00077C807 /* WebAssemblyModuleRecord.h */; }; @@ -4344,8 +4345,8 @@ AD2FCC261DB838C400B3E736 /* WebAssemblyPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; las
[webkit-changes] [235911] trunk/Source/WebCore
Title: [235911] trunk/Source/WebCore Revision 235911 Author yusukesuz...@slowstart.org Date 2018-09-11 12:34:56 -0700 (Tue, 11 Sep 2018) Log Message Shrink size of ResourseResponseBase https://bugs.webkit.org/show_bug.cgi?id=189501 Reviewed by Simon Fraser. We reduce the size of ResourceResponseBase by the following two optimizations. 1. Use bitfields for bool flags and reorder them. 2. Use Markable<> in CacheControlDirectives, which is held by ResourceResponseBase. This patch reduces the size of ResourceResponseBase from 416 to 392 bytes. No behavior change. * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm: (WebCore::WebCoreAVFResourceLoader::responseReceived): (WebCore::WebCoreAVFResourceLoader::fulfillRequestWithResource): * platform/network/CacheValidation.h: (WebCore::CacheControlDirectives::CacheControlDirectives): * platform/network/ResourceResponseBase.cpp: (WebCore::ResourceResponseBase::ResourceResponseBase): (WebCore::ResourceResponseBase::contentRange const): * platform/network/ResourceResponseBase.h: (WebCore::ResourceResponseBase::decode): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm trunk/Source/WebCore/platform/network/CacheValidation.h trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp trunk/Source/WebCore/platform/network/ResourceResponseBase.h Diff Modified: trunk/Source/WebCore/ChangeLog (235910 => 235911) --- trunk/Source/WebCore/ChangeLog 2018-09-11 19:30:46 UTC (rev 235910) +++ trunk/Source/WebCore/ChangeLog 2018-09-11 19:34:56 UTC (rev 235911) 
@@ -1,3 +1,31 @@ +2018-09-11 Yusuke Suzuki + +Shrink size of ResourseResponseBase +https://bugs.webkit.org/show_bug.cgi?id=189501 + +Reviewed by Simon Fraser. + +We reduce the size of ResourceResponseBase by the following two optimizations. + +1. Use bitfields for bool flags and reorder them. + +2. Use Markable<> in CacheControlDirectives, which is held by ResourceResponseBase. + +This patch reduces the size of ResourceResponseBase from 416 to 392 bytes. + +No behavior change. + +* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm: +(WebCore::WebCoreAVFResourceLoader::responseReceived): +(WebCore::WebCoreAVFResourceLoader::fulfillRequestWithResource): +* platform/network/CacheValidation.h: +(WebCore::CacheControlDirectives::CacheControlDirectives): +* platform/network/ResourceResponseBase.cpp: +(WebCore::ResourceResponseBase::ResourceResponseBase): +(WebCore::ResourceResponseBase::contentRange const): +* platform/network/ResourceResponseBase.h: +(WebCore::ResourceResponseBase::decode): + 2018-09-11 Michael Catanzaro Unreviewed, fix some -Wreturn-type warnings Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm (235910 => 235911) --- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm 2018-09-11 19:30:46 UTC (rev 235910) +++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm 2018-09-11 19:34:56 UTC (rev 235911) @@ -136,7 +136,7 @@ [contentInfo setContentType:uti]; -ParsedContentRange& contentRange = m_resource->response().contentRange(); +const ParsedContentRange& contentRange = m_resource->response().contentRange(); [contentInfo setContentLength:contentRange.isValid() ? contentRange.instanceLength() : response.expectedContentLength()]; [contentInfo setByteRangeAccessSupported:YES]; 
@@ -181,7 +181,7 @@ return; NSUInteger responseOffset = 0; -ParsedContentRange contentRange = m_resource->response().contentRange(); +const ParsedContentRange& contentRange = m_resource->response().contentRange(); if (contentRange.isValid()) responseOffset = static_cast(contentRange.firstBytePosition()); Modified: trunk/Source/WebCore/platform/network/CacheValidation.h (235910 => 235911) --- trunk/Source/WebCore/platform/network/CacheValidation.h 2018-09-11 19:30:46 UTC (rev 235910) +++ trunk/Source/WebCore/platform/network/CacheValidation.h 2018-09-11 19:34:56 UTC (rev 235911) @@ -26,6 +26,7 @@ #pragma once #include +#include #include #include #include @@ -60,12 +61,19 @@ WEBCORE_EXPORT bool redirectChainAllowsReuse(RedirectChainCacheStatus, ReuseExpiredRedirectionOrNot); struct CacheControlDirectives { -std::optional maxAge; -std::optional maxStale; -bool noCache { false }; -bool noStore { false }; -bool mustRevalidate { false }; -bool immutable { false }; +constexpr CacheControlDirectives() +: noCache(false) +, noStore(false) +, mustRevalidate(false) +, immutable(false) +{ } + +Markable maxAge; +Markable maxStale; +bool noCache : 1; +bool noStore : 1; +
[webkit-changes] [235852] trunk
Title: [235852] trunk Revision 235852 Author yusukesuz...@slowstart.org Date 2018-09-10 11:19:09 -0700 (Mon, 10 Sep 2018) Log Message [WTF] Add Markable https://bugs.webkit.org/show_bug.cgi?id=189231 Reviewed by Sam Weinig. Source/WebCore: Use Markable and Markable in ResourceResponseBase. Since these fields are parsed results from http header fields, Seconds::nan() and WallTime::nan() can be used as an empty value for these fields. Thus we can use Markable because it uses these nan values as an empty values (they are configured by Seconds::MarkableTraits and WallTime::MarkableTraits). This reduces the size of ResourceResponseBase from 448 to 416. * platform/network/ResourceResponseBase.h: Source/WTF: We can represent a value with nullopt by using std::optional. However, std::optional has storage efficiency problem. It always has a bool indicating that the value is nullopt or not. If we have a following class, class A { std::optional m_timeA; std::optional m_timeB; std::optional m_timeC; }; This class has significant amount of padding between m_timeA / m_timeB, m_timeB / m_timeC due to the above bool. If we know that WallTime has a value that represents invalid, we can use it instead and save the storage. This is very similar problem to our HashTable implementation. In our HashTable implementation, we need Deleted and Empty value, which can represent Deleted and Empty values without sacrificing storage efficiency. We should have similar mechanism here. In this patch, we have WTF::Markable. Traits offers `Traits::isEmptyValue(value)` and `Traits::emptyValue()`. Then, we use this empty value instead of having bool flag. This way, we can make `sizeof(WTF::Markable) == sizeof(T)`. This idea is inspired from https://github.com/akrzemi1/markable. But we would like to have WTF::Markable here instead of importing it since we would like to have (1) integrated interfaces with std::optional and (2) aligned function names to HashTraits' `isEmptyValue` and `emptyValue`. 
* WTF.xcodeproj/project.pbxproj: * wtf/CMakeLists.txt: * wtf/Markable.h: Added. (WTF::std::underlying_type::type>::max): EnumMarkableTraits can be used as an MarkableTraits for enum values. We can specify a constant value as an empty value. (WTF::IntegralMarkableTraits::isEmptyValue): (WTF::IntegralMarkableTraits::emptyValue): IntegralMarkableTraits can be used as an MarkableTraits for integral types including int etc. (WTF::Markable::Markable): (WTF::Markable::operator bool const): (WTF::Markable::reset): (WTF::Markable::value const): (WTF::Markable::value): (WTF::Markable::operator-> const): (WTF::Markable::operator->): (WTF::Markable::operator* const): (WTF::Markable::operator*): (WTF::Markable::operator std::optional): (WTF::Markable::operator std::optional const): This operator allows us to cast Markable to std::optional. * wtf/MonotonicTime.h: (WTF::MonotonicTime::MarkableTraits::isEmptyValue): (WTF::MonotonicTime::MarkableTraits::emptyValue): MarkableTraits for MonotonicTime. MonotonicTime::nan() is used as an empty value. * wtf/Seconds.h: (WTF::Seconds::MarkableTraits::isEmptyValue): (WTF::Seconds::MarkableTraits::emptyValue): MarkableTraits for Seconds. Seconds::nan() is used as an empty value. * wtf/WallTime.h: (WTF::WallTime::nan): (WTF::WallTime::MarkableTraits::isEmptyValue): (WTF::WallTime::MarkableTraits::emptyValue): MarkableTraits for WallTime. WallTime::nan() is used as an empty value. Tools: Add tests for Markable. * TestWebKitAPI/CMakeLists.txt: * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: * TestWebKitAPI/Tests/WTF/Markable.cpp: Added. 
(TestWebKitAPI::TEST): Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/WTF.xcodeproj/project.pbxproj trunk/Source/WTF/wtf/CMakeLists.txt trunk/Source/WTF/wtf/MonotonicTime.h trunk/Source/WTF/wtf/Seconds.h trunk/Source/WTF/wtf/WallTime.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/platform/network/ResourceResponseBase.h trunk/Tools/ChangeLog trunk/Tools/TestWebKitAPI/CMakeLists.txt trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj Added Paths trunk/Source/WTF/wtf/Markable.h trunk/Tools/TestWebKitAPI/Tests/WTF/Markable.cpp Diff Modified: trunk/Source/WTF/ChangeLog (235851 => 235852) --- trunk/Source/WTF/ChangeLog 2018-09-10 18:16:37 UTC (rev 235851) +++ trunk/Source/WTF/ChangeLog 2018-09-10 18:19:09 UTC (rev 235852) @@ -1,3 +1,65 @@ +2018-09-10 Yusuke Suzuki + +[WTF] Add Markable +https://bugs.webkit.org/show_bug.cgi?id=189231 + +Reviewed by Sam Weinig. + +We can represent a value with nullopt by using std::optional. However, std::optional has storage efficiency +problem. It always has a bool indicating that the value is nullopt or not. If we have a following class, + +class A { +std::optional m_timeA; +std::optional m_timeB; +std::optional m_timeC; +}; + +This class has
[webkit-changes] [235831] trunk
Title: [235831] trunk Revision 235831 Author yusukesuz...@slowstart.org Date 2018-09-08 13:51:22 -0700 (Sat, 08 Sep 2018) Log Message [JSC] Remove loadModule function in jsc.cpp https://bugs.webkit.org/show_bug.cgi?id=184808 Patch by Yusuke Suzuki on 2018-09-08 Reviewed by Darin Adler. JSTests: Use `import` _expression_ instead. * modules/different-view.js: (from.string_appeared_here.shouldThrow): Deleted. * modules/fallback-ambiguous.js: (from.string_appeared_here.shouldThrow): Deleted. * modules/import-error.js: (from.string_appeared_here.shouldThrow): Deleted. (shouldThrow): Deleted. * modules/indirect-export-error.js: (from.string_appeared_here.shouldThrow): Deleted. (shouldThrow): Deleted. * modules/namespace-error.js: (from.string_appeared_here.shouldThrow): Deleted. Source/_javascript_Core: Since we have `import`, we do not need to have `loadModule` function for testing purpose. * jsc.cpp: (GlobalObject::finishCreation): (functionLoadModule): Deleted. Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/modules/different-view.js trunk/JSTests/modules/fallback-ambiguous.js trunk/JSTests/modules/import-error.js trunk/JSTests/modules/indirect-export-error.js trunk/JSTests/modules/namespace-error.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jsc.cpp Diff Modified: trunk/JSTests/ChangeLog (235830 => 235831) --- trunk/JSTests/ChangeLog 2018-09-08 20:19:22 UTC (rev 235830) +++ trunk/JSTests/ChangeLog 2018-09-08 20:51:22 UTC (rev 235831) 
@@ -1,3 +1,25 @@ +2018-09-08 Yusuke Suzuki + +[JSC] Remove loadModule function in jsc.cpp +https://bugs.webkit.org/show_bug.cgi?id=184808 + +Reviewed by Darin Adler. + +Use `import` _expression_ instead. + +* modules/different-view.js: +(from.string_appeared_here.shouldThrow): Deleted. +* modules/fallback-ambiguous.js: +(from.string_appeared_here.shouldThrow): Deleted. +* modules/import-error.js: +(from.string_appeared_here.shouldThrow): Deleted. +(shouldThrow): Deleted. +* modules/indirect-export-error.js: +(from.string_appeared_here.shouldThrow): Deleted. +(shouldThrow): Deleted. +* modules/namespace-error.js: +(from.string_appeared_here.shouldThrow): Deleted. + 2018-09-07 Mark Lam Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions. Modified: trunk/JSTests/modules/different-view.js (235830 => 235831) --- trunk/JSTests/modules/different-view.js 2018-09-08 20:19:22 UTC (rev 235830) +++ trunk/JSTests/modules/different-view.js 2018-09-08 20:51:22 UTC (rev 235831) @@ -1,7 +1,5 @@ -import { shouldBe, shouldThrow } from "./resources/assert.js" +import { shouldBe } from "./resources/assert.js" -shouldThrow(() => { -loadModule('./different-view/main.js'); -}, `SyntaxError: Importing binding name 'A' cannot be resolved due to ambiguous multiple bindings.`); - - +import('./different-view/main.js').then($vm.abort, function (error) { +shouldBe(String(error), `SyntaxError: Importing binding name 'A' cannot be resolved due to ambiguous multiple bindings.`); +}).catch($vm.abort); Modified: trunk/JSTests/modules/fallback-ambiguous.js (235830 => 235831) --- trunk/JSTests/modules/fallback-ambiguous.js 2018-09-08 20:19:22 UTC (rev 235830) +++ trunk/JSTests/modules/fallback-ambiguous.js 2018-09-08 20:51:22 UTC (rev 235831) 
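Review bot: In the new different-view.js body, `$vm.abort` serves both as the fulfillment handler and as the final `.catch`, so an import that unexpectedly succeeds and a `shouldBe` mismatch produce the same silent crash with nothing to tell the two apart. Have the fulfillment path throw a descriptive error and print the reason before aborting, e.g. `.then(() => { throw new Error('import unexpectedly succeeded'); }, (error) => shouldBe(String(error), ...))` followed by `.catch((error) => { print(error); $vm.abort(); })`. The fallback-ambiguous.js hunk below uses the same shape and would take the same change.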
@@ -6,7 +6,8 @@ //| | //v @ // (B) -import { shouldThrow } from "./resources/assert.js" -shouldThrow(() => { -loadModule("./fallback-ambiguous/main.js"); -}, `SyntaxError: Indirectly exported binding name 'A' cannot be resolved due to ambiguous multiple bindings.`); +import { shouldBe } from "./resources/assert.js" + +import('./fallback-ambiguous/main.js').then($vm.abort, function (error) { +shouldBe(String(error), `SyntaxError: Indirectly exported binding name 'A' cannot be resolved due to ambiguous multiple bindings.`); +}).catch($vm.abort); Modified: trunk/JSTests/modules/import-error.js (235830 => 235831) --- trunk/JSTests/modules/import-error.js 2018-09-08 20:19:22 UTC (rev 235830) +++ trunk/JSTests/modules/import-error.js 2018-09-08 20:51:22 UTC (rev 235831) @@ -1,13 +1,16 @@ -import { shouldBe, shouldThrow } from "./resources/assert.js" +import { shouldBe } from "./resources/assert.js" -shouldThrow(() => { -loadModule('./import-error/import-not-found.js'); -}, `SyntaxError: Importing binding name 'B' is not found.`); - -shouldThrow(() => { -loadModule('./import-error/import-ambiguous.js'); -}, `SyntaxError: Importing binding name 'B' cannot be resolved due to ambiguous multiple bindings.`); - -shouldThrow(() => { -loadModule('./import-error/import-default-from-star.js'); -}, `SyntaxError: Importing binding name 'default' cannot be resolved by star export entries.`); +Promise.all([ +import('./import-error/import-not-found.js') +.then($vm.abort, function (er
[webkit-changes] [235829] trunk/Source/WebCore
Title: [235829] trunk/Source/WebCore Revision 235829 Author yusukesuz...@slowstart.org Date 2018-09-08 12:25:10 -0700 (Sat, 08 Sep 2018) Log Message [CSSJIT] Use lshiftPtr instead of mul32 https://bugs.webkit.org/show_bug.cgi?id=189451 Reviewed by Sam Weinig. Use `value << 4` instead of `value * 16`. In 64bit environment, sizeof(Style::Relation) is 16, so that we can use `value << 4` in CSS JIT. No behavior change. * cssjit/SelectorCompiler.cpp: (WebCore::SelectorCompiler::SelectorCodeGenerator::generateAddStyleRelation): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/cssjit/SelectorCompiler.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (235828 => 235829) --- trunk/Source/WebCore/ChangeLog 2018-09-08 17:59:43 UTC (rev 235828) +++ trunk/Source/WebCore/ChangeLog 2018-09-08 19:25:10 UTC (rev 235829) @@ -1,3 +1,18 @@ +2018-09-08 Yusuke Suzuki + +[CSSJIT] Use lshiftPtr instead of mul32 +https://bugs.webkit.org/show_bug.cgi?id=189451 + +Reviewed by Sam Weinig. + +Use `value << 4` instead of `value * 16`. In 64bit environment, sizeof(Style::Relation) is 16, +so that we can use `value << 4` in CSS JIT. + +No behavior change. + +* cssjit/SelectorCompiler.cpp: +(WebCore::SelectorCompiler::SelectorCodeGenerator::generateAddStyleRelation): + 2018-09-07 Fujii Hironori [Win][Clang] exceptionShouldTerminateProgram of StructuredExceptionHandlerSuppressor.cpp should take DWORD Modified: trunk/Source/WebCore/cssjit/SelectorCompiler.cpp (235828 => 235829) --- trunk/Source/WebCore/cssjit/SelectorCompiler.cpp 2018-09-08 17:59:43 UTC (rev 235828) +++ trunk/Source/WebCore/cssjit/SelectorCompiler.cpp 2018-09-08 19:25:10 UTC (rev 235829) 
@@ -2211,6 +2211,18 @@ auto dataAddress = vectorAddress.withOffset(Style::Relations::dataMemoryOffset()); auto sizeAddress = vectorAddress.withOffset(Style::Relations::sizeMemoryOffset()); +auto getLastRelationPointer = [&] (Assembler::RegisterID sizeAndTarget) { +m_assembler.sub32(Assembler::TrustedImm32(1), sizeAndTarget); +#if CPU(ADDRESS64) +static_assert(sizeof(Style::Relation) == 16, ""); +static_assert(1 << 4 == 16, ""); +m_assembler.lshiftPtr(Assembler::TrustedImm32(4), sizeAndTarget); +#else +m_assembler.mul32(TrustedImm32(sizeof(Style::Relation)), sizeAndTarget, sizeAndTarget); +#endif +m_assembler.addPtr(dataAddress, sizeAndTarget); +}; + // For AffectsNextSibling we just increment the count if the previous added relation was in the same sibling chain. Assembler::JumpList mergeSuccess; if (relationType == Style::Relation::AffectsNextSibling) { @@ -2223,9 +2235,7 @@ mergeFailure.append(m_assembler.branchTest32(Assembler::Zero, lastRelation)); // Style::Relation& lastRelation = checkingContext.styleRelations.last(); -m_assembler.sub32(Assembler::TrustedImm32(1), lastRelation); -m_assembler.mul32(Assembler::TrustedImm32(sizeof(Style::Relation)), lastRelation, lastRelation); -m_assembler.addPtr(dataAddress, lastRelation); +getLastRelationPointer(lastRelation); // if (lastRelation.type == Style::Relation::AffectsNextSibling) Assembler::Address typeAddress(lastRelation, OBJECT_OFFSETOF(Style::Relation, type)); 
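Review bot: The `#else` branch of the new `getLastRelationPointer` lambda writes `TrustedImm32(sizeof(Style::Relation))` unqualified, while the removed lines and the ADDRESS64 branch use `Assembler::TrustedImm32`; unless a using-declaration is in scope this will not compile on non-ADDRESS64 targets, which a 64-bit-only build would not catch. Change it to `m_assembler.mul32(Assembler::TrustedImm32(sizeof(Style::Relation)), sizeAndTarget, sizeAndTarget);`. The `sub32` before the shift assumes the vector size is non-zero; the @@ -2223 hunk guards that with `branchTest32(Assembler::Zero, …)`, but the second caller in the @@ -2259 hunk shows no such check in view, so it is worth confirming that path is only reached after an append. The enclosing generateAddStyleRelation starts and ends outside the hunk.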
@@ -2259,9 +2269,7 @@ LocalRegister relationPointer(m_registerAllocator); m_assembler.load32(sizeAddress, relationPointer); -m_assembler.sub32(Assembler::TrustedImm32(1), relationPointer); -m_assembler.mul32(Assembler::TrustedImm32(sizeof(Style::Relation)), relationPointer, relationPointer); -m_assembler.addPtr(dataAddress, relationPointer); +getLastRelationPointer(relationPointer); Assembler::Address typeAddress(relationPointer, OBJECT_OFFSETOF(Style::Relation, type)); m_assembler.store32(Assembler::TrustedImm32(relationType), typeAddress); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [235790] trunk
Title: [235790] trunk Revision 235790 Author yusukesuz...@slowstart.org Date 2018-09-07 12:44:48 -0700 (Fri, 07 Sep 2018) Log Message [DFG] DFG should handle String#toString https://bugs.webkit.org/show_bug.cgi?id=189151 Reviewed by Saam Barati. JSTests: The error message in String#toString and String#valueOf is poor, which will be handled in a separate bug[1]. [1]: https://bugs.webkit.org/show_bug.cgi?id=189357 * microbenchmarks/string-object-to-string.js: Added. (test): * microbenchmarks/string-object-value-of.js: Added. (test): * stress/string-to-string-error.js: Added. (shouldThrow): (test): * stress/string-to-string.js: Added. (shouldBe): (test1): (test2): (test3): * stress/string-value-of-error.js: Added. (shouldThrow): (test): * stress/string-value-of.js: Added. (shouldBe): (test1): (test2): (test3): Source/_javascript_Core: We handle String#toString and String#valueOf in DFG by introducing StringValueOf node. In the fixup phase, we attempt to lower StringValueOf to the existing ToString or Identity nodes. If we fail to lower it, we have StringValueOf(UntypedUse), which may raise an error if an argument is neither String nor StringObject. The error message in String#toString and String#valueOf is poor, which will be handled in a separate bug[1]. It improves simple microbenchmarks by 53.4 - 67.6%. 
baseline patched string-object-to-string 21.7308+-3.3147 ^ 12.9655+-0.0527^ definitely 1.6760x faster string-object-value-of20.1122+-0.0691 ^ 13.1134+-0.2482^ definitely 1.5337x faster [1]: https://bugs.webkit.org/show_bug.cgi?id=189357 * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsicCall): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupStringValueOf): * dfg/DFGNode.h: (JSC::DFG::Node::convertToToString): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf): (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf): (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor): Deleted. 
Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGNode.h trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.h trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/runtime/StringConstructor.cpp trunk/Source/_javascript_Core/runtime/StringConstructor.h Added Paths trunk/JSTests/microbenchmarks/string-object-to-string.js trunk/JSTests/microbenchmarks/string-object-value-of.js trunk/JSTests/stress/string-to-string-error.js trunk/JSTests/stress/string-to-string.js trunk/JSTests/stress/string-value-of-error.js trunk/JSTests/stress/string-value-of.js Diff Modified: trunk/JSTests/ChangeLog (235789 => 235790) --- trunk/JSTests/ChangeLog 2018-09-07 18:49:23 UTC (rev 235789) +++ trunk/JSTests/ChangeLog 2018-09-07 19:44:48 UTC (rev 235790) 
@@ -1,3 +1,36 @@ +2018-09-06 Yusuke Suzuki + +[DFG] DFG should handle String#toString +https://bugs.webkit.org/show_bug.cgi?id=189151 + +Reviewed by Saam Barati. + +The error message in String#toString and String#valueOf is poor, which will be +handled in a separate bug[1]. + +[1]: https://bugs.webkit.org/show_bug.cgi?id=189357 + +* microbenchmarks/string-object-to-string.js: Added. +(test): +
[webkit-changes] [235786] trunk/Source/JavaScriptCore
Title: [235786] trunk/Source/_javascript_Core Revision 235786 Author yusukesuz...@slowstart.org Date 2018-09-07 10:29:04 -0700 (Fri, 07 Sep 2018) Log Message [WebAssembly] Optimize JS to Wasm call by using pointer of Signature as SignatureIndex https://bugs.webkit.org/show_bug.cgi?id=189401 Reviewed by Mark Lam. SignatureInformation is a global repository for Signature to make Signature atomic. It takes Ref&& and generates SignatureIndex. And we get const Signature& by using this SignatureIndex. However, converting SignatureIndex to const Signature& always looks up a hash table. This is costly since JS to Wasm calls always use Signature& to check types of arguments. Instead of using this hash table, this patch uses a pointer of Signature as SignatureIndex. This allows us to convert SignatureIndex to Signature by just casting it. We also optimize SignatureInformation::singleton by making an accessor function inlined. And we move ProtoCallFrame::init to the header since it's just setting values. This change significantly optimizes JS to wasm calls (1e7 times) from 600ms to 320ms. In the future, we can remove SignatureIndex by directly handling Ref: adding deref() of Signature which unregisters itself from SignatureInformation carefully. Or we can make SignatureIndex uint32_t by introducing a mechanism similar to StructureID. * _javascript_Core.xcodeproj/project.pbxproj: * Sources.txt: * interpreter/ProtoCallFrame.h: (JSC::ProtoCallFrame::init): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::addCallIndirect): * wasm/WasmBBQPlan.cpp: * wasm/WasmFormat.h: (JSC::Wasm::WasmToWasmImportableFunction::offsetOfSignatureIndex): * wasm/WasmFunctionParser.h: * wasm/WasmModule.h: * wasm/WasmOMGPlan.cpp: * wasm/WasmSectionParser.cpp: (JSC::Wasm::SectionParser::parseType): * wasm/WasmSignature.cpp: (JSC::Wasm::SignatureInformation::adopt): (JSC::Wasm::SignatureInformation::tryCleanup): (JSC::Wasm::SignatureInformation::singleton): Deleted. 
(JSC::Wasm::SignatureInformation::get): Deleted. * wasm/WasmSignature.h: (JSC::Wasm::Signature::index const): (JSC::Wasm::SignatureHash::SignatureHash): (JSC::Wasm::SignatureHash::hash): (JSC::Wasm::SignatureHash::isHashTableDeletedValue const): (JSC::Wasm::SignatureHash::empty): Deleted. (JSC::Wasm::SignatureHash::deleted): Deleted. * wasm/WasmSignatureInlines.h: Renamed from Source/_javascript_Core/interpreter/ProtoCallFrame.cpp. (JSC::Wasm::SignatureInformation::singleton): (JSC::Wasm::SignatureInformation::get): * wasm/js/JSToWasm.cpp: * wasm/js/JSWebAssemblyModule.h: * wasm/js/WasmToJS.cpp: (JSC::Wasm::wasmToJS): * wasm/js/WebAssemblyFunction.cpp: * wasm/js/WebAssemblyModuleRecord.cpp: * wasm/js/WebAssemblyWrapperFunction.cpp: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/interpreter/ProtoCallFrame.h trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmBBQPlan.cpp trunk/Source/_javascript_Core/wasm/WasmFormat.h trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h trunk/Source/_javascript_Core/wasm/WasmModule.h trunk/Source/_javascript_Core/wasm/WasmOMGPlan.cpp trunk/Source/_javascript_Core/wasm/WasmSectionParser.cpp trunk/Source/_javascript_Core/wasm/WasmSignature.cpp trunk/Source/_javascript_Core/wasm/WasmSignature.h trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyModule.h trunk/Source/_javascript_Core/wasm/js/WasmToJS.cpp trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp trunk/Source/_javascript_Core/wasm/js/WebAssemblyModuleRecord.cpp trunk/Source/_javascript_Core/wasm/js/WebAssemblyWrapperFunction.cpp Added Paths trunk/Source/_javascript_Core/wasm/WasmSignatureInlines.h Removed Paths trunk/Source/_javascript_Core/interpreter/ProtoCallFrame.cpp Diff Modified: 
trunk/Source/_javascript_Core/ChangeLog (235785 => 235786) --- trunk/Source/_javascript_Core/ChangeLog 2018-09-07 16:57:03 UTC (rev 235785) +++ trunk/Source/_javascript_Core/ChangeLog 2018-09-07 17:29:04 UTC (rev 235786) @@ -1,5 +1,67 @@ 2018-09-07 Yusuke Suzuki +[WebAssembly] Optimize JS to Wasm call by using pointer of Signature as SignatureIndex +https://bugs.webkit.org/show_bug.cgi?id=189401 + +Reviewed by Mark Lam. + +SignatureInformation is a global repository for Signature to make Signature atomic. +It takes Ref&& and generates SignatureIndex. And we get const Signature& +by using this SignatureIndex. However, converting SignatureIndex to const Signature& +always looks up a hash table. This is costly since JS to Wasm calls always use +Signature& to check types of arguments. + +Instead of using this hash table, this patch uses a pointer of Signature as SignatureIndex. +This allows us to convert SignatureIndex to Signature by just cas
[webkit-changes] [235785] trunk/Source/JavaScriptCore
Title: [235785] trunk/Source/_javascript_Core Revision 235785 Author yusukesuz...@slowstart.org Date 2018-09-07 09:57:03 -0700 (Fri, 07 Sep 2018) Log Message [JSC] Put .throwStackOverflow code after the fast path in LLInt doVMEntry https://bugs.webkit.org/show_bug.cgi?id=189410 Reviewed by Mark Lam. Put .throwStackOverflow code after the fast path in LLInt doVMEntry to make doVMEntry code tight. * llint/LLIntThunks.cpp: (JSC::vmEntryToWasm): Deleted. * llint/LLIntThunks.h: (JSC::vmEntryToWasm): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LLIntThunks.cpp trunk/Source/_javascript_Core/llint/LLIntThunks.h trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (235784 => 235785) --- trunk/Source/_javascript_Core/ChangeLog 2018-09-07 16:27:25 UTC (rev 235784) +++ trunk/Source/_javascript_Core/ChangeLog 2018-09-07 16:57:03 UTC (rev 235785) @@ -1,3 +1,20 @@ +2018-09-07 Yusuke Suzuki + +[JSC] Put .throwStackOverflow code after the fast path in LLInt doVMEntry +https://bugs.webkit.org/show_bug.cgi?id=189410 + +Reviewed by Mark Lam. + +Put .throwStackOverflow code after the fast path in LLInt doVMEntry to +make doVMEntry code tight. + +* llint/LLIntThunks.cpp: +(JSC::vmEntryToWasm): Deleted. +* llint/LLIntThunks.h: +(JSC::vmEntryToWasm): +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: + 2018-09-06 Yusuke Suzuki [WebAssembly] Optimize JS to Wasm call by removing Vector allocation Modified: trunk/Source/_javascript_Core/llint/LLIntThunks.cpp (235784 => 235785) --- trunk/Source/_javascript_Core/llint/LLIntThunks.cpp 2018-09-07 16:27:25 UTC (rev 235784) +++ trunk/Source/_javascript_Core/llint/LLIntThunks.cpp 2018-09-07 16:57:03 UTC (rev 235785) 
@@ -42,12 +42,6 @@ namespace JSC { -EncodedJSValue JS_EXPORT_PRIVATE vmEntryToWasm(void* code, VM* vm, ProtoCallFrame* frame) -{ -code = retagCodePtr(code); -return vmEntryToJavaScript(code, vm, frame); -} - #if ENABLE(JIT) namespace LLInt { Modified: trunk/Source/_javascript_Core/llint/LLIntThunks.h (235784 => 235785) --- trunk/Source/_javascript_Core/llint/LLIntThunks.h 2018-09-07 16:27:25 UTC (rev 235784) +++ trunk/Source/_javascript_Core/llint/LLIntThunks.h 2018-09-07 16:57:03 UTC (rev 235785) @@ -38,7 +38,11 @@ EncodedJSValue vmEntryToNative(void*, VM*, ProtoCallFrame*); } -EncodedJSValue JS_EXPORT_PRIVATE vmEntryToWasm(void*, VM*, ProtoCallFrame*); +inline EncodedJSValue vmEntryToWasm(void* code, VM* vm, ProtoCallFrame* frame) +{ +code = retagCodePtr(code); +return vmEntryToJavaScript(code, vm, frame); +} namespace LLInt { Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (235784 => 235785) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-09-07 16:27:25 UTC (rev 235784) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-09-07 16:57:03 UTC (rev 235785) @@ -157,11 +157,6 @@ # before we start copying the args from the protoCallFrame below. if C_LOOP bpaeq t3, VM::m_cloopStackLimit[vm], .stackHeightOK -else -bpaeq t3, VM::m_softStackLimit[vm], .stackHeightOK -end - -if C_LOOP move entry, t4 move vm, t5 cloopCallSlowPath _llint_stack_check_at_vm_entry, vm, t3 
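Review bot: Moving `vmEntryToWasm` inline into LLIntThunks.h means `retagCodePtr` and the tag arguments it takes must now be visible to every includer of the header, and the hunk adds no include, so confirm the header already pulls in what the .cpp relied on. A one-line comment on `code = retagCodePtr(code);` stating why the entry pointer has to be retagged before it is handed to `vmEntryToJavaScript` would also help readers of the header, where the surrounding context from the .cpp is gone.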
@@ -173,38 +168,11 @@ .stackCheckFailed: move t4, entry move t5, vm -end - -.throwStackOverflow: -subp 8, sp # Align stack for cCall2() to make a call. -move vm, a0 -move protoCallFrame, a1 -cCall2(_llint_throw_stack_overflow_error) - -if ARMv7 -vmEntryRecord(cfr, t3) -move t3, sp +jmp .throwStackOverflow else -vmEntryRecord(cfr, sp) +bpb t3, VM::m_softStackLimit[vm], .throwStackOverflow end -loadp VMEntryRecord::m_vm[sp], t5 -loadp VMEntryRecord::m_prevTopCallFrame[sp], t4 -storep t4, VM::topCallFrame[t5] -loadp VMEntryRecord::m_prevTopEntryFrame[sp], t4 -storep t4, VM::topEntryFrame[t5] - -if ARMv7 -subp cfr, CalleeRegisterSaveSize, t5 -move t5, sp -else -subp cfr, CalleeRegisterSaveSize, sp -end - -popCalleeSaves() -functionEpilogue() -ret - .stackHeightOK: move t3, sp move 4, t3 @@ -270,6 +238,36 @@ popCalleeSaves() functionEpilogue() ret + +.throwStackOverflow: +subp 8, sp # Align stack for cCall2() to make a call. +move vm, a0 +move protoCallFrame, a1 +cCall2(_llint_throw_stack_overflow_error) + +if ARMv7 +vmEntryRecord(cfr, t3) +move t3, sp +else +vmEntryRecord(cfr, sp) +end + +loadp VMEntryRecord
[webkit-changes] [235778] trunk/Source/JavaScriptCore
Title: [235778] trunk/Source/_javascript_Core Revision 235778 Author yusukesuz...@slowstart.org Date 2018-09-06 21:40:12 -0700 (Thu, 06 Sep 2018) Log Message [WebAssembly] Optimize JS to Wasm call by removing Vector allocation https://bugs.webkit.org/show_bug.cgi?id=189353 Reviewed by Mark Lam. JS to Wasm call always allocates Vector for the arguments. This is really costly if the wasm function is small. This patch adds an initial size parameter to the Vector to avoid allocations for small sized arguments. * runtime/ArgList.h: * wasm/js/WebAssemblyFunction.cpp: (JSC::callWebAssemblyFunction): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ArgList.h trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (235777 => 235778) --- trunk/Source/_javascript_Core/ChangeLog 2018-09-07 04:24:38 UTC (rev 235777) +++ trunk/Source/_javascript_Core/ChangeLog 2018-09-07 04:40:12 UTC (rev 235778) @@ -1,3 +1,17 @@ +2018-09-06 Yusuke Suzuki + +[WebAssembly] Optimize JS to Wasm call by removing Vector allocation +https://bugs.webkit.org/show_bug.cgi?id=189353 + +Reviewed by Mark Lam. + +JS to Wasm call always allocates Vector for the arguments. This is really costly if the wasm function is small. +This patch adds an initial size parameter to the Vector to avoid allocations for small sized arguments. + +* runtime/ArgList.h: +* wasm/js/WebAssemblyFunction.cpp: +(JSC::callWebAssemblyFunction): + 2018-08-31 Yusuke Suzuki [JSC] Clean up StructureStubClearingWatchpoint Modified: trunk/Source/_javascript_Core/runtime/ArgList.h (235777 => 235778) --- trunk/Source/_javascript_Core/runtime/ArgList.h 2018-09-07 04:24:38 UTC (rev 235777) +++ trunk/Source/_javascript_Core/runtime/ArgList.h 2018-09-07 04:40:12 UTC (rev 235778) 
@@ -34,12 +34,11 @@ friend class VM; friend class ArgList; -private: +public: using Base = RecordOverflow; static const size_t inlineCapacity = 8; typedef HashSet ListSet; -public: // Constructor for a read-write list, to which you may append values. // FIXME: Remove all clients of this API, then remove this API. MarkedArgumentBuffer() Modified: trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp (235777 => 235778) --- trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2018-09-07 04:24:38 UTC (rev 235777) +++ trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2018-09-07 04:40:12 UTC (rev 235778) @@ -83,7 +83,7 @@ if (Options::useTracePoints()) traceScope.emplace(WebAssemblyExecuteStart, WebAssemblyExecuteEnd); -Vector boxedArgs; +Vector boxedArgs; JSWebAssemblyInstance* instance = wasmFunction->instance(); Wasm::Instance* wasmInstance = &instance->instance(); // When we don't use fast TLS to store the context, the JS ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
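Review bot: The ArgList.h hunk moves `using Base`, `inlineCapacity` and `ListSet` together from `private:` to `public:`, but the WebAssemblyFunction.cpp hunk appears to need only the inline capacity constant for `boxedArgs`; exposing `Base` and `ListSet` as well widens MarkedArgumentBuffer's public surface for no caller. Keep the section private and move only `static const size_t inlineCapacity = 8;` above `public:`, and add a comment noting that `callWebAssemblyFunction` sizes its local Vector from it so the two stay in step.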
[webkit-changes] [235776] trunk/Source/JavaScriptCore
Title: [235776] trunk/Source/_javascript_Core Revision 235776 Author yusukesuz...@slowstart.org Date 2018-09-06 21:24:19 -0700 (Thu, 06 Sep 2018) Log Message [JSC] Clean up StructureStubClearingWatchpoint https://bugs.webkit.org/show_bug.cgi?id=189156 Reviewed by Saam Barati. Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in Bag in WatchpointsOnStructureStubInfo. This removes hacky linked list code for StructureStubClearingWatchpoint. * bytecode/StructureStubClearingWatchpoint.cpp: (JSC::WatchpointsOnStructureStubInfo::addWatchpoint): (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted. (JSC::StructureStubClearingWatchpoint::push): Deleted. (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted. * bytecode/StructureStubClearingWatchpoint.h: (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (235775 => 235776) --- trunk/Source/_javascript_Core/ChangeLog 2018-09-07 03:04:53 UTC (rev 235775) +++ trunk/Source/_javascript_Core/ChangeLog 2018-09-07 04:24:19 UTC (rev 235776) 
@@ -1,3 +1,21 @@ +2018-08-31 Yusuke Suzuki + +[JSC] Clean up StructureStubClearingWatchpoint +https://bugs.webkit.org/show_bug.cgi?id=189156 + +Reviewed by Saam Barati. + +Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in Bag +in WatchpointsOnStructureStubInfo. This removes hacky linked list code for StructureStubClearingWatchpoint. + +* bytecode/StructureStubClearingWatchpoint.cpp: +(JSC::WatchpointsOnStructureStubInfo::addWatchpoint): +(JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted. +(JSC::StructureStubClearingWatchpoint::push): Deleted. +(JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted. +* bytecode/StructureStubClearingWatchpoint.h: +(JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): + 2018-09-06 Michael Saboff Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter Modified: trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp (235775 => 235776) --- trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp 2018-09-07 03:04:53 UTC (rev 235775) +++ trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp 2018-09-07 04:24:19 UTC (rev 235776) @@ -34,20 +34,6 @@ namespace JSC { -StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint() -{ -for (auto current = WTFMove(m_next); current; current = WTFMove(current->m_next)) { } -} - -StructureStubClearingWatchpoint* StructureStubClearingWatchpoint::push( -const ObjectPropertyCondition& key, -WatchpointsOnStructureStubInfo& holder, -std::unique_ptr& head) -{ -head = std::make_unique(key, holder, WTFMove(head)); -return head.get(); -} - void StructureStubClearingWatchpoint::fireInternal(VM& vm, const FireDetail&) { if (!m_key || !m_key.isWatchable(PropertyCondition::EnsureWatchability)) { 
@@ -68,13 +54,9 @@ m_key.object()->structure(vm)->addTransitionWatchpoint(this); } -WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo() -{ -} - StructureStubClearingWatchpoint* WatchpointsOnStructureStubInfo::addWatchpoint(const ObjectPropertyCondition& key) { -return StructureStubClearingWatchpoint::push(key, *this, m_head); +return m_watchpoints.add(key, *this); } StructureStubClearingWatchpoint* WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint( Modified: trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.h (235775 => 235776) --- trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.h 2018-09-07 03:04:53 UTC (rev 235775) +++ trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.h 2018-09-07 04:24:19 UTC (rev 235776) @@ -30,6 +30,7 @@ #if ENABLE(JIT) +#include #include #include @@ -45,20 +46,11 @@ public: StructureStubClearingWatchpoint( const ObjectPropertyCondition& key, -WatchpointsOnStructureStubInfo& holder, -std::unique_ptr next) +WatchpointsOnStructureStubInfo& holder) : m_key(key) , m_holder(holder) -, m_next(WTFMove(next)) { } - -virtual ~StructureStubClearingWatchpoint(); - -static StructureStubClearingWatchpoint* push( -const ObjectPropertyCondition& key, -WatchpointsOnStructureStubInfo& holder, -std::unique_ptr& head); protected: void fireInternal(VM&, const FireDetail&) override; @@ -66,7 +58,6 @@ private: Object
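Review bot: The new `return m_watchpoints.add(key, *this);` in `addWatchpoint` depends on the container handing back a pointer that stays valid for the watchpoint's whole lifetime, because the returned `StructureStubClearingWatchpoint*` is what gets registered with a Structure, and nothing in the header hunk records that requirement. The removed destructor's manual walk of `m_next` looks like it existed to avoid recursive teardown of a long `unique_ptr` chain, so the Bag is presumably chosen for both stable addresses and iterative destruction; a comment at the new member, `// Bag: watchpoints must not move (their address is registered on Structures) and a long list must not be destroyed recursively.`, would keep that rationale from being lost. The `m_watchpoints` declaration itself is in the hunk that is cut off at the end of this chunk.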
[webkit-changes] [235589] trunk
Title: [235589] trunk Revision 235589 Author yusukesuz...@slowstart.org Date 2018-09-02 09:41:45 -0700 (Sun, 02 Sep 2018) Log Message Implement Object.fromEntries https://bugs.webkit.org/show_bug.cgi?id=188481 Reviewed by Darin Adler. JSTests: * stress/object-from-entries.js: Added. (shouldBe): (shouldThrow): (shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor): (shouldBe.set get shouldThrow): Source/_javascript_Core: Object.fromEntries becomes stage 3[1]. This patch implements it by using builtin JS. [1]: https://tc39.github.io/proposal-object-from-entries/ * builtins/ObjectConstructor.js: (fromEntries): * runtime/ObjectConstructor.cpp: LayoutTests: * js/Object-getOwnPropertyNames-expected.txt: * js/script-tests/Object-getOwnPropertyNames.js: Modified Paths trunk/JSTests/ChangeLog trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt trunk/LayoutTests/js/script-tests/Object-getOwnPropertyNames.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/builtins/ObjectConstructor.js trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp Added Paths trunk/JSTests/stress/object-from-entries.js Diff Modified: trunk/JSTests/ChangeLog (235588 => 235589) --- trunk/JSTests/ChangeLog 2018-09-02 05:35:49 UTC (rev 235588) +++ trunk/JSTests/ChangeLog 2018-09-02 16:41:45 UTC (rev 235589) @@ -1,3 +1,16 @@ +2018-09-02 Yusuke Suzuki + +Implement Object.fromEntries +https://bugs.webkit.org/show_bug.cgi?id=188481 + +Reviewed by Darin Adler. + +* stress/object-from-entries.js: Added. +(shouldBe): +(shouldThrow): +(shouldBe.JSON.stringify.Object.getOwnPropertyDescriptor): +(shouldBe.set get shouldThrow): + 2018-08-24 Yusuke Suzuki Function object should convert params to string before throw a parsing error Added: trunk/JSTests/stress/object-from-entries.js (0 => 235589) --- trunk/JSTests/stress/object-from-entries.js (rev 0) +++ trunk/JSTests/stress/object-from-entries.js 2018-09-02 16:41:45 UTC (rev 235589) 
@@ -0,0 +1,196 @@
+function shouldBe(actual, expected) {
+if (actual !== expected)
+throw new Error('bad value: ' + actual);
+}
+
+function shouldThrow(func, errorMessage) {
+var errorThrown = false;
+var error = null;
+try {
+func();
+} catch (e) {
+errorThrown = true;
+error = e;
+}
+if (!errorThrown)
+throw new Error('not thrown');
+if (String(error) !== errorMessage)
+throw new Error(`bad error: ${String(error)}`);
+}
+
+shouldBe(JSON.stringify(Object.getOwnPropertyDescriptor(Object, "fromEntries")), `{"writable":true,"enumerable":false,"configurable":true}`);
+shouldBe(Object.fromEntries.length, 1);
+
+shouldThrow(() => Object.fromEntries(null), `TypeError: null is not an object`);
+shouldThrow(() => Object.fromEntries(undefined), `TypeError: undefined is not an object`);
+shouldThrow(() => Object.fromEntries(0), `TypeError: undefined is not a function`);
+shouldThrow(() => Object.fromEntries(true), `TypeError: undefined is not a function`);
+shouldThrow(() => Object.fromEntries(Symbol("Cocoa")), `TypeError: undefined is not a function`);
+shouldThrow(() => Object.fromEntries("Cocoa"), `TypeError: Object.fromEntries requires the first iterable parameter yields objects`);
+shouldThrow(() => Object.fromEntries([0]), `TypeError: Object.fromEntries requires the first iterable parameter yields objects`);
+shouldThrow(() => Object.fromEntries([["Cocoa", "Cappuccino"], 0]), `TypeError: Object.fromEntries requires the first iterable parameter yields objects`);
+
+{
+let object = Object.fromEntries([]);
+shouldBe(JSON.stringify(object), `{}`);
+}
+{
+let object = Object.fromEntries([["Cocoa", "Cappuccino"]]);
+shouldBe(JSON.stringify(object), `{"Cocoa":"Cappuccino"}`);
+shouldBe(JSON.stringify(Object.getOwnPropertyDescriptor(object, "Cocoa")), `{"value":"Cappuccino","writable":true,"enumerable":true,"configurable":true}`);
+}
+{
+let obj = { abc: 1, def: 2, ghij: 3 };
+let res = Object.fromEntries(
+Object.entries(obj)
+.filter(([ key, val ]) => key.length === 3)
+.map(([ key, val ]) => [ key, val * 2 ])
+);
+shouldBe(JSON.stringify(res), `{"abc":2,"def":4}`);
+}
+{
+let map = new Map([ [ 'a', 1 ], [ 'b', 2 ], [ 'c', 3 ] ]);
+let obj = Object.fromEntries(map);
+shouldBe(JSON.stringify(obj), `{"a":1,"b":2,"c":3}`);
+}
+{
+let arr = [ { name: 'Alice', age: 40 }, { name: 'Bob', age: 36 } ];
+let obj = Object.fromEntries(arr.map(({ name, age }) => [ name, age ]));
+shouldBe(JSON.stringify(obj), `{"Alice":40,"Bob":36}`);
+}
+{
+Object.defineProperty(Object.prototype, "bad", {
+get() { throw new Error("out"); },
+set(v) { throw new Error("out"); }
+});
+shouldThrow(() => {
+let object = {};
+object.bad;
+}, `Error: ou
[webkit-changes] [235582] trunk
Title: [235582] trunk Revision 235582 Author yusukesuz...@slowstart.org Date 2018-09-01 01:03:43 -0700 (Sat, 01 Sep 2018) Log Message Function object should convert params to string before throw a parsing error https://bugs.webkit.org/show_bug.cgi?id=188874 Reviewed by Darin Adler. JSTests: * stress/function-body-to-string-before-parameter-syntax-check.js: Added. (shouldThrow): Source/_javascript_Core: ToString operation onto the `body` of the Function constructor should be performed before checking syntax correctness of the parameters. * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp Added Paths trunk/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js Diff Modified: trunk/JSTests/ChangeLog (235581 => 235582) --- trunk/JSTests/ChangeLog 2018-09-01 02:30:42 UTC (rev 235581) +++ trunk/JSTests/ChangeLog 2018-09-01 08:03:43 UTC (rev 235582) @@ -1,3 +1,13 @@ +2018-08-24 Yusuke Suzuki + +Function object should convert params to string before throw a parsing error +https://bugs.webkit.org/show_bug.cgi?id=188874 + +Reviewed by Darin Adler. + +* stress/function-body-to-string-before-parameter-syntax-check.js: Added. +(shouldThrow): + 2018-08-31 Mark Lam Fix exception check accounting in constructJSWebAssemblyCompileError(). Added: trunk/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js (0 => 235582) --- trunk/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js (rev 0) +++ trunk/JSTests/stress/function-body-to-string-before-parameter-syntax-check.js 2018-09-01 08:03:43 UTC (rev 235582) 
@@ -0,0 +1,60 @@
+function shouldBe(actual, expected) {
+if (actual !== expected)
+throw new Error('bad value: ' + actual);
+}
+
+function shouldThrow(func, errorMessage) {
+var errorThrown = false;
+var error = null;
+try {
+func();
+} catch (e) {
+errorThrown = true;
+error = e;
+}
+if (!errorThrown)
+throw new Error('not thrown');
+if (String(error) !== errorMessage)
+throw new Error(`bad error: ${String(error)}`);
+}
+
+shouldThrow(() => {
+Function("@", { toString() { throw 42; } })
+}, `42`);
+
+var counter = 0;
+class Parameter {
+constructor(index)
+{
+this.index = index;
+}
+
+toString() {
+shouldBe(this.index, counter);
+counter++;
+return `x${this.index}`;
+}
+};
+
+class Body {
+constructor(index)
+{
+this.index = index;
+}
+
+toString() {
+shouldBe(this.index, counter);
+counter++;
+return `42`;
+}
+};
+
+var parameters = [];
+for (var i = 0; i < 50; ++i) {
+parameters.push(new Parameter(parameters.length));
+var args = parameters.slice();
+args.push(new Body(args.length));
+counter = 0;
+Function.apply(this, args);
+shouldBe(counter, args.length);
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (235581 => 235582)
--- trunk/Source/_javascript_Core/ChangeLog 2018-09-01 02:30:42 UTC (rev 235581)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-09-01 08:03:43 UTC (rev 235582)
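Review bot: The new test pins the order of the `toString` calls but never the case where the body converts cleanly and the parameter list is still invalid, so a regression that dropped the parameter syntax check altogether would still pass. Adding `shouldThrow(() => Function("@", "42"), <the engine's SyntaxError text>);` next to the first `shouldThrow` confirms the check still runs after ToString of the body. The `counter` reset and the `Function.apply(this, args)` loop otherwise cover the ordering well.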
@@ -1,3 +1,16 @@ +2018-08-24 Yusuke Suzuki + +Function object should convert params to string before throw a parsing error +https://bugs.webkit.org/show_bug.cgi?id=188874 + +Reviewed by Darin Adler. + +ToString operation onto the `body` of the Function constructor should be performed +before checking syntax correctness of the parameters. + +* runtime/FunctionConstructor.cpp: +(JSC::constructFunctionSkippingEvalEnabledCheck): + 2018-08-31 Mark Lam Fix exception check accounting in constructJSWebAssemblyCompileError(). Modified: trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp (235581 => 235582) --- trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp 2018-09-01 02:30:42 UTC (rev 235581) +++ trunk/Source/_javascript_Core/runtime/FunctionConstructor.cpp 2018-09-01 08:03:43 UTC (rev 235582) @@ -139,6 +139,8 @@ RETURN_IF_EXCEPTION(scope, nullptr); parameterBuilder.append(viewWithString.view); } +auto body = args.at(args.size() - 1).toWTFString(exec); +RETURN_IF_EXCEPTION(scope, nullptr); { // The spec mandates that the parameters parse as a valid parameter list @@ -155,8 +157,6 @@ builder.append(parameterBuilder); builder.appendLiteral(") {\n"); -auto body = args.at(args.size() - 1).toWTFString(exec); -RETURN_IF_EXCEPTION(scope, nullptr); checkBody(body); RETURN_IF_EXCEPTION(scope, nullptr); builder.append(body); __
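Review bot: The moved `auto body = args.at(args.size() - 1).toWTFString(exec);` carries no explanation of why it now sits between the parameter loop and the syntax check, even though that ordering is the whole point of the change; a comment such as `// CreateDynamicFunction: ToString(body) must run before the parameter list is syntax-checked, so its observable side effects happen in spec order.` would stop a later cleanup from moving it back. The `args.size() - 1` index also assumes a non-empty argument list; the guard for that is outside this hunk, so please confirm the empty-`args` path returns before this point. `constructFunctionSkippingEvalEnabledCheck` starts and ends outside the hunk.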
[webkit-changes] [235514] trunk
Title: [235514] trunk Revision 235514 Author yusukesuz...@slowstart.org Date 2018-08-30 12:05:34 -0700 (Thu, 30 Aug 2018) Log Message output of toString() of Generator is wrong https://bugs.webkit.org/show_bug.cgi?id=188952 Reviewed by Saam Barati. JSTests: * stress/function-to-string.js: Added. (shouldBe): (shouldBe.test): (test): (shouldBe.async.test): (async.test): (shouldBe.async): (async): * test262/expectations.yaml: Source/_javascript_Core: Function#toString does not respect generator and async generator. This patch fixes them and supports all the function types. * runtime/FunctionPrototype.cpp: (JSC::functionProtoFuncToString): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/FunctionPrototype.cpp Added Paths trunk/JSTests/stress/function-to-string.js Diff Modified: trunk/JSTests/ChangeLog (235513 => 235514) --- trunk/JSTests/ChangeLog 2018-08-30 19:03:55 UTC (rev 235513) +++ trunk/JSTests/ChangeLog 2018-08-30 19:05:34 UTC (rev 235514) @@ -1,3 +1,20 @@ +2018-08-30 Yusuke Suzuki + +output of toString() of Generator is wrong +https://bugs.webkit.org/show_bug.cgi?id=188952 + +Reviewed by Saam Barati. + +* stress/function-to-string.js: Added. +(shouldBe): +(shouldBe.test): +(test): +(shouldBe.async.test): +(async.test): +(shouldBe.async): +(async): +* test262/expectations.yaml: + 2018-08-29 Mark Lam Add some missing exception checks in JSRopeString::resolveRopeToAtomicString(). Added: trunk/JSTests/stress/function-to-string.js (0 => 235514) --- trunk/JSTests/stress/function-to-string.js (rev 0) +++ trunk/JSTests/stress/function-to-string.js 2018-08-30 19:05:34 UTC (rev 235514) 
@@ -0,0 +1,11 @@
+function shouldBe(actual, expected) {
+if (actual !== expected)
+throw new Error('bad value: ' + actual);
+}
+
+shouldBe((function test() { }).toString(), `function test() { }`);
+shouldBe((() => { }).toString(), `() => { }`);
+shouldBe((function* test() { }).toString(), `function* test() { }`);
+shouldBe((async function* test() { }).toString(), `async function* test() { }`);
+shouldBe((async function test() { }).toString(), `async function test() { }`);
+shouldBe((async () => { }).toString(), `async () => { }`);
Modified: trunk/JSTests/test262/expectations.yaml (235513 => 235514)
--- trunk/JSTests/test262/expectations.yaml 2018-08-30 19:03:55 UTC (rev 235513)
+++ trunk/JSTests/test262/expectations.yaml 2018-08-30 19:05:34 UTC (rev 235514)
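Review bot: The six `shouldBe` lines in function-to-string.js cover only named function expressions and arrows, so the anonymous forms (`function* () { }`, `async function* () { }`) and method shorthand (`({ *g() { } }).g`, `({ async *g() { } }).g`, getters, class methods) are untested even though the change claims to handle every function type. One line per form in the existing pattern, with the method's own source text as the expected value, e.g. `shouldBe(({ async *test() { } }).test.toString(), \`async *test() { }\`);`, would keep a regression in those paths from slipping past, assuming JSC returns the source slice for methods as it does for the forms already listed.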
@@ -909,8 +909,8 @@ default: "SyntaxError: Unexpected token '}'. Expected a ')' or a ',' after a parameter declaration." strict mode: "SyntaxError: Unexpected token '}'. Expected a ')' or a ',' after a parameter declaration." test/built-ins/Function/prototype/toString/async-arrow-function.js: - default: "Test262Error: Conforms to NativeFunction Syntax: 'async function ( /* b */ a /* c */ , /* d */ b /* e */ ) /* f */ => /* g */ { /* h */ ; /* i */ }'.(async /* a */ ( /* b */ a /* c */ , /* d */ b /* e */ ) /* f */ => /* g */ { /* h */ ; /* i */ })" - strict mode: "Test262Error: Conforms to NativeFunction Syntax: 'async function ( /* b */ a /* c */ , /* d */ b /* e */ ) /* f */ => /* g */ { /* h */ ; /* i */ }'.(async /* a */ ( /* b */ a /* c */ , /* d */ b /* e */ ) /* f */ => /* g */ { /* h */ ; /* i */ })" + default: "Test262Error: Conforms to NativeFunction Syntax: 'async ( /* b */ a /* c */ , /* d */ b /* e */ ) /* f */ => /* g */ { /* h */ ; /* i */ }'.(async /* a */ ( /* b */ a /* c */ , /* d */ b /* e */ ) /* f */ => /* g */ { /* h */ ; /* i */ })" + strict mode: "Test262Error: Conforms to NativeFunction Syntax: 'async ( /* b */ a /* c */ , /* d */ b /* e */ ) /* f */ => /* g */ { /* h */ ; /* i */ }'.(async /* a */ ( /* b */ a /* c */ , /* d */ b /* e */ ) /* f */ => /* g */ { /* h */ ; /* i */ })" test/built-ins/Function/prototype/toString/async-function-declaration.js: default: "Test262Error: Conforms to NativeFunction Syntax: 'async function f( /* c */ x /* d */ , /* e */ y /* f */ ) /* g */ { /* h */ ; /* i */ ; /* j */ }'.(async function /* a */ f /* b */ ( /* c */ x /* d */ , /* e */ y /* f */ ) /* g */ { /* h */ ; /* i */ ; /* j */ })" strict mode: "Test262Error: Conforms to NativeFunction Syntax: 'async function f( /* c */ x /* d */ , /* e */ y /* f */ ) /* g */ { /* h */ ; /* i */ ; /* j */ }'.(async function /* a */ f /* b */ ( /* c */ x /* d */ , /* e */ y /* f */ ) /* g */ { /* h */ ; /* i */ ; /* j */ })" 
@@ -942,14 +942,14 @@ default: "Test262Error: Conforms to NativeFunction Syntax: 'function F( /* c */ x /* d */ , /* e */ y /* f */ ) /* g */ { /* h */ ; /* i */ ; /* j */ }'.(function /* a */ F /* b */ ( /* c */ x /* d */ , /* e */ y /* f */ ) /* g */ { /* h */ ; /* i */ ; /* j */ })" strict mode: "Test262Error: Conforms to NativeFunction Syntax
[webkit-changes] [235498] trunk/Source/WebCore
Title: [235498] trunk/Source/WebCore Revision 235498 Author yusukesuz...@slowstart.org Date 2018-08-30 03:24:15 -0700 (Thu, 30 Aug 2018) Log Message Unreviewed, add comments about enum names to bitfields https://bugs.webkit.org/show_bug.cgi?id=188944 * xml/XMLHttpRequest.h: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/xml/XMLHttpRequest.h Diff Modified: trunk/Source/WebCore/ChangeLog (235497 => 235498) --- trunk/Source/WebCore/ChangeLog 2018-08-30 10:17:36 UTC (rev 235497) +++ trunk/Source/WebCore/ChangeLog 2018-08-30 10:24:15 UTC (rev 235498) @@ -1,6 +1,13 @@ 2018-08-30 Yusuke Suzuki Unreviewed, add comments about enum names to bitfields +https://bugs.webkit.org/show_bug.cgi?id=188944 + +* xml/XMLHttpRequest.h: + +2018-08-30 Yusuke Suzuki + +Unreviewed, add comments about enum names to bitfields https://bugs.webkit.org/show_bug.cgi?id=188945 * html/HTMLCollection.h: Modified: trunk/Source/WebCore/xml/XMLHttpRequest.h (235497 => 235498) --- trunk/Source/WebCore/xml/XMLHttpRequest.h 2018-08-30 10:17:36 UTC (rev 235497) +++ trunk/Source/WebCore/xml/XMLHttpRequest.h 2018-08-30 10:24:15 UTC (rev 235498) @@ -199,8 +199,8 @@ unsigned m_wasAbortedByClient : 1; unsigned m_responseCacheIsValid : 1; unsigned m_dispatchErrorOnResuming : 1; -unsigned m_readyState : 3; -unsigned m_responseType : 3; +unsigned m_readyState : 3; // State +unsigned m_responseType : 3; // ResponseType unsigned m_timeoutMilliseconds { 0 }; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [235497] trunk/Source/WebCore
Title: [235497] trunk/Source/WebCore Revision 235497 Author yusukesuz...@slowstart.org Date 2018-08-30 03:17:36 -0700 (Thu, 30 Aug 2018) Log Message Unreviewed, add comments about enum names to bitfields https://bugs.webkit.org/show_bug.cgi?id=188945 * html/HTMLCollection.h: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/html/HTMLCollection.h Diff Modified: trunk/Source/WebCore/ChangeLog (235496 => 235497) --- trunk/Source/WebCore/ChangeLog 2018-08-30 05:05:19 UTC (rev 235496) +++ trunk/Source/WebCore/ChangeLog 2018-08-30 10:17:36 UTC (rev 235497) @@ -1,3 +1,10 @@ +2018-08-30 Yusuke Suzuki + +Unreviewed, add comments about enum names to bitfields +https://bugs.webkit.org/show_bug.cgi?id=188945 + +* html/HTMLCollection.h: + 2018-08-29 Andy Estes Addressed additional review feedback after r235342. Modified: trunk/Source/WebCore/html/HTMLCollection.h (235496 => 235497) --- trunk/Source/WebCore/html/HTMLCollection.h 2018-08-30 05:05:19 UTC (rev 235496) +++ trunk/Source/WebCore/html/HTMLCollection.h 2018-08-30 10:17:36 UTC (rev 235497) @@ -103,9 +103,9 @@ mutable Lock m_namedElementCacheAssignmentLock; -const unsigned m_collectionType : 5; -const unsigned m_invalidationType : 4; -const unsigned m_rootType : 1; +const unsigned m_collectionType : 5; // CollectionType +const unsigned m_invalidationType : 4; // NodeListInvalidationType +const unsigned m_rootType : 1; // RootType Ref m_ownerNode; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [235357] trunk/Source/WebCore
Title: [235357] trunk/Source/WebCore Revision 235357 Author yusukesuz...@slowstart.org Date 2018-08-27 01:52:40 -0700 (Mon, 27 Aug 2018) Log Message Shrink size of HTMLCollection https://bugs.webkit.org/show_bug.cgi?id=188945 Reviewed by Darin Adler. Shrink the size of HTMLCollection by reordering members. No behavior change. * html/HTMLCollection.cpp: (WebCore::HTMLCollection::HTMLCollection): * html/HTMLCollection.h: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/html/HTMLCollection.cpp trunk/Source/WebCore/html/HTMLCollection.h Diff Modified: trunk/Source/WebCore/ChangeLog (235356 => 235357) --- trunk/Source/WebCore/ChangeLog 2018-08-27 08:31:43 UTC (rev 235356) +++ trunk/Source/WebCore/ChangeLog 2018-08-27 08:52:40 UTC (rev 235357) @@ -1,5 +1,20 @@ 2018-08-25 Yusuke Suzuki +Shrink size of HTMLCollection +https://bugs.webkit.org/show_bug.cgi?id=188945 + +Reviewed by Darin Adler. + +Shrink the size of HTMLCollection by reordering members. + +No behavior change. + +* html/HTMLCollection.cpp: +(WebCore::HTMLCollection::HTMLCollection): +* html/HTMLCollection.h: + +2018-08-25 Yusuke Suzuki + Shrink size of XMLHttpRequest https://bugs.webkit.org/show_bug.cgi?id=188944 Modified: trunk/Source/WebCore/html/HTMLCollection.cpp (235356 => 235357) --- trunk/Source/WebCore/html/HTMLCollection.cpp 2018-08-27 08:31:43 UTC (rev 235356) +++ trunk/Source/WebCore/html/HTMLCollection.cpp 2018-08-27 08:52:40 UTC (rev 235357) 
@@ -108,10 +108,10 @@ } HTMLCollection::HTMLCollection(ContainerNode& ownerNode, CollectionType type) -: m_ownerNode(ownerNode) -, m_collectionType(type) +: m_collectionType(type) , m_invalidationType(invalidationTypeExcludingIdAndNameAttributes(type)) , m_rootType(rootTypeFromCollectionType(type)) +, m_ownerNode(ownerNode) { ASSERT(m_rootType == static_cast(rootTypeFromCollectionType(type))); ASSERT(m_invalidationType == static_cast(invalidationTypeExcludingIdAndNameAttributes(type))); Modified: trunk/Source/WebCore/html/HTMLCollection.h (235356 => 235357) --- trunk/Source/WebCore/html/HTMLCollection.h 2018-08-27 08:31:43 UTC (rev 235356) +++ trunk/Source/WebCore/html/HTMLCollection.h 2018-08-27 08:52:40 UTC (rev 235357) @@ -101,14 +101,15 @@ enum RootType { IsRootedAtNode, IsRootedAtDocument }; static RootType rootTypeFromCollectionType(CollectionType); -Ref m_ownerNode; +mutable Lock m_namedElementCacheAssignmentLock; -mutable std::unique_ptr m_namedElementCache; -mutable Lock m_namedElementCacheAssignmentLock; - const unsigned m_collectionType : 5; const unsigned m_invalidationType : 4; const unsigned m_rootType : 1; + +Ref m_ownerNode; + +mutable std::unique_ptr m_namedElementCache; }; inline ContainerNode& HTMLCollection::rootNode() const ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
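Review bot: The reordering in HTMLCollection.h that places the three bitfields right after `m_namedElementCacheAssignmentLock` and before `m_ownerNode` leaves no marker of intent, so the next member added in the "natural" spot can silently reintroduce the padding this commit removes. A short comment above `m_collectionType`, `// Bitfields sit next to the Lock to avoid padding; add new members after m_namedElementCache.`, or a `static_assert` on `sizeof(HTMLCollection)` where platform layouts make one practical, would protect the size win. The initializer-order change in HTMLCollection.cpp is consistent with the new declaration order.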
[webkit-changes] [235356] trunk
Title: [235356] trunk Revision 235356 Author yusukesuz...@slowstart.org Date 2018-08-27 01:31:43 -0700 (Mon, 27 Aug 2018) Log Message [JSC] Array.prototype.reverse modifies JSImmutableButterfly https://bugs.webkit.org/show_bug.cgi?id=188794 Reviewed by Saam Barati. JSTests: * stress/reverse-with-immutable-butterfly.js: Added. (shouldBe): (reverseInt): (reverseDouble): (reverseContiguous): Source/_javascript_Core: While Array.prototype.reverse modifies the butterfly of the given Array, it does not account JSImmutableButterfly case. So it accidentally modifies the content of JSImmutableButterfly. This patch converts CoW arrays to writable arrays before reversing. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncReverse): * runtime/JSObject.h: (JSC::JSObject::ensureWritable): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp trunk/Source/_javascript_Core/runtime/JSArray.cpp trunk/Source/_javascript_Core/runtime/JSArrayInlines.h trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/_javascript_Core/runtime/JSObject.h Added Paths trunk/JSTests/stress/reverse-with-immutable-butterfly.js Diff Modified: trunk/JSTests/ChangeLog (235355 => 235356) --- trunk/JSTests/ChangeLog 2018-08-27 08:30:58 UTC (rev 235355) +++ trunk/JSTests/ChangeLog 2018-08-27 08:31:43 UTC (rev 235356) 
@@ -1,3 +1,16 @@
+2018-08-24 Yusuke Suzuki
+
+[JSC] Array.prototype.reverse modifies JSImmutableButterfly
+https://bugs.webkit.org/show_bug.cgi?id=188794
+
+Reviewed by Saam Barati.
+
+* stress/reverse-with-immutable-butterfly.js: Added.
+(shouldBe):
+(reverseInt):
+(reverseDouble):
+(reverseContiguous):
+
2018-08-22 Saam barati Make data-view-access.js run less time to prevent timeouts on 32-bit
Added: trunk/JSTests/stress/reverse-with-immutable-butterfly.js (0 => 235356)
--- trunk/JSTests/stress/reverse-with-immutable-butterfly.js (rev 0)
+++ trunk/JSTests/stress/reverse-with-immutable-butterfly.js 2018-08-27 08:31:43 UTC (rev 235356)
@@ -0,0 +1,28 @@
+function shouldBe(actual, expected) {
+if (actual !== expected)
+throw new Error('bad value: ' + actual);
+}
+
+function reverseInt()
+{
+var array = [0, 1, 2, 3];
+return array.reverse();
+}
+
+function reverseDouble()
+{
+var array = [0.0, 1.1, 2.2, 3.3];
+return array.reverse();
+}
+
+function reverseContiguous()
+{
+var array = [0.0, 1.1, 2.2, 'hello'];
+return array.reverse();
+}
+
+for (var i = 0; i < 1e4; ++i) {
+shouldBe(JSON.stringify(reverseInt()), `[3,2,1,0]`);
+shouldBe(JSON.stringify(reverseDouble()), `[3.3,2.2,1.1,0]`);
+shouldBe(JSON.stringify(reverseContiguous()), `["hello",2.2,1.1,0]`);
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (235355 => 235356)
--- trunk/Source/_javascript_Core/ChangeLog 2018-08-27 08:30:58 UTC (rev 235355)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-08-27 08:31:43 UTC (rev 235356)
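Review bot: The 1e4-iteration loop and the fresh array literal inside each `reverse*` helper are what actually catch the bug — every call re-materializes the same literal, so if `reverse()` wrote through the shared copy-on-write storage a later iteration would observe already-reversed input — but nothing in the new file says so. A comment above the loop, `// Each helper re-evaluates the same array literal; if reverse() mutated the shared CoW butterfly, later iterations would see reversed input.`, explains why the three assertions are repeated instead of run once.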
@@ -1,3 +1,20 @@ +2018-08-24 Yusuke Suzuki + +[JSC] Array.prototype.reverse modifies JSImmutableButterfly +https://bugs.webkit.org/show_bug.cgi?id=188794 + +Reviewed by Saam Barati. + +While Array.prototype.reverse modifies the butterfly of the given Array, +it does not account JSImmutableButterfly case. So it accidentally modifies +the content of JSImmutableButterfly. +This patch converts CoW arrays to writable arrays before reversing. + +* runtime/ArrayPrototype.cpp: +(JSC::arrayProtoFuncReverse): +* runtime/JSObject.h: +(JSC::JSObject::ensureWritable): + 2018-08-24 Michael Saboff YARR: Update UCS canonicalization tables for Unicode 11 Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (235355 => 235356) --- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2018-08-27 08:30:58 UTC (rev 235355) +++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2018-08-27 08:31:43 UTC (rev 235356) @@ -855,6 +855,8 @@ unsigned length = toLength(exec, thisObject); RETURN_IF_EXCEPTION(scope, encodedJSValue()); +thisObject->ensureWritable(vm); + switch (thisObject->indexingType()) { case ALL_CONTIGUOUS_INDEXING_TYPES: case ALL_INT32_INDEXING_TYPES: { Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (235355 => 235356) --- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-08-27 08:30:58 UTC (rev 235355) +++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-08-27 08:31:43 UTC (rev 235356) @@ -287,8 +287,7 @@ return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()); } -if (isCopyOnWrite(thisObject->indexingMode())) -thisObject->convertFromCopyOnWrite(vm); +thisObject->ensureWritable(vm); if (propertyName == vm.propertyNames->length) {
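Review bot: The added `thisObject->ensureWritable(vm);` in `arrayProtoFuncReverse` guards only this one in-place mutator, and the other fast paths that write through the butterfly directly (sort, fill, copyWithin, shift/unshift and similar) presumably share the same copy-on-write hazard, so each of them is worth checking rather than fixing `reverse` alone. A one-line comment on the call, `// Literal arrays share a copy-on-write butterfly; detach it before the in-place fast paths below write into it.`, would also make the purpose of the otherwise unexplained call clear. `arrayProtoFuncReverse` starts and ends outside the hunk.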
[webkit-changes] [235355] trunk/Source
Title: [235355] trunk/Source Revision 235355 Author yusukesuz...@slowstart.org Date 2018-08-27 01:30:58 -0700 (Mon, 27 Aug 2018) Log Message Shrink size of XMLHttpRequest https://bugs.webkit.org/show_bug.cgi?id=188944 Reviewed by Saam Barati. Source/WebCore: Shrink the size of XMLHttpRequest by packing bits and reordering members. It reduces the size from 1248 to 1176. No behavior change. * xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::XMLHttpRequest): (WebCore::XMLHttpRequest::responseText): (WebCore::XMLHttpRequest::createResponseBlob): (WebCore::XMLHttpRequest::createResponseArrayBuffer): (WebCore::XMLHttpRequest::setResponseType): (WebCore::XMLHttpRequest::changeState): (WebCore::XMLHttpRequest::callReadyStateChangeListener): (WebCore::XMLHttpRequest::setWithCredentials): (WebCore::XMLHttpRequest::open): (WebCore::XMLHttpRequest::prepareToSend): (WebCore::XMLHttpRequest::createRequest): (WebCore::XMLHttpRequest::abort): (WebCore::XMLHttpRequest::overrideMimeType): (WebCore::XMLHttpRequest::setRequestHeader): (WebCore::XMLHttpRequest::getAllResponseHeaders const): (WebCore::XMLHttpRequest::getResponseHeader const): (WebCore::XMLHttpRequest::status const): (WebCore::XMLHttpRequest::statusText const): (WebCore::XMLHttpRequest::didFinishLoading): (WebCore::XMLHttpRequest::createDecoder const): (WebCore::XMLHttpRequest::didReceiveData): (WebCore::XMLHttpRequest::didReachTimeout): (WebCore::XMLHttpRequest::readyState const): Deleted. * xml/XMLHttpRequest.h: (WebCore::XMLHttpRequest::responseType const): (WebCore::XMLHttpRequest::readyState const): * xml/XMLHttpRequestProgressEventThrottle.cpp: (WebCore::XMLHttpRequestProgressEventThrottle::XMLHttpRequestProgressEventThrottle): * xml/XMLHttpRequestProgressEventThrottle.h: Source/WTF: StringBuilder is included in XMLHttpRequest. We reduce the size of StringBuilder too by reordering members. 
* wtf/text/StringBuilder.h: (WTF::StringBuilder::StringBuilder): Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/text/StringBuilder.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/xml/XMLHttpRequest.cpp trunk/Source/WebCore/xml/XMLHttpRequest.h trunk/Source/WebCore/xml/XMLHttpRequestProgressEventThrottle.cpp trunk/Source/WebCore/xml/XMLHttpRequestProgressEventThrottle.h Diff Modified: trunk/Source/WTF/ChangeLog (235354 => 235355) --- trunk/Source/WTF/ChangeLog 2018-08-27 07:48:54 UTC (rev 235354) +++ trunk/Source/WTF/ChangeLog 2018-08-27 08:30:58 UTC (rev 235355) @@ -1,3 +1,16 @@ +2018-08-25 Yusuke Suzuki + +Shrink size of XMLHttpRequest +https://bugs.webkit.org/show_bug.cgi?id=188944 + +Reviewed by Saam Barati. + +StringBuilder is included in XMLHttpRequest. We reduce the size of StringBuilder too +by reordering members. + +* wtf/text/StringBuilder.h: +(WTF::StringBuilder::StringBuilder): + 2018-08-24 Tim Horton Improve unified source generator script logging and error messages Modified: trunk/Source/WTF/wtf/text/StringBuilder.h (235354 => 235355) --- trunk/Source/WTF/wtf/text/StringBuilder.h 2018-08-27 07:48:54 UTC (rev 235354) +++ trunk/Source/WTF/wtf/text/StringBuilder.h 2018-08-27 08:30:58 UTC (rev 235355) @@ -40,9 +40,7 @@ public: StringBuilder() -: m_length(0) -, m_is8Bit(true) -, m_bufferCharacters8(nullptr) +: m_bufferCharacters8(nullptr) { } StringBuilder(StringBuilder&&) = default; @@ -308,14 +306,14 @@ ALWAYS_INLINE CharType * getBufferCharacters(); WTF_EXPORT_PRIVATE void reifyString() const; -unsigned m_length; mutable String m_string; RefPtr m_buffer; -bool m_is8Bit; union { LChar* m_bufferCharacters8; UChar* m_bufferCharacters16; }; +unsigned m_length { 0 }; +bool m_is8Bit { true }; }; template <> Modified: trunk/Source/WebCore/ChangeLog (235354 => 235355) --- trunk/Source/WebCore/ChangeLog 2018-08-27 07:48:54 UTC (rev 235354) +++ trunk/Source/WebCore/ChangeLog 2018-08-27 08:30:58 UTC (rev 235355) 
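Review bot: After the change the default constructor keeps the lone initializer `: m_bufferCharacters8(nullptr)` while `m_length` and `m_is8Bit` now use default member initializers, which splits the initial state across two places; giving the union member an in-class initializer (`LChar* m_bufferCharacters8 { nullptr };` — one variant member of an anonymous union may carry one) and writing `StringBuilder() = default;` keeps every default beside the declaration it belongs to. The `@@ -308` hunk also relies on `m_length` and `m_is8Bit` staying at the tail of the object for the size reduction, so a comment such as `// Trailing unsigned + bool pack into the tail of the object; keep them last.` would stop a later member addition from undoing it.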
@@ -1,3 +1,46 @@ +2018-08-25 Yusuke Suzuki + +Shrink size of XMLHttpRequest +https://bugs.webkit.org/show_bug.cgi?id=188944 + +Reviewed by Saam Barati. + +Shrink the size of XMLHttpRequest by packing bits and reordering members. +It reduces the size from 1248 to 1176. + +No behavior change. + +* xml/XMLHttpRequest.cpp: +(WebCore::XMLHttpRequest::XMLHttpRequest): +(WebCore::XMLHttpRequest::responseText): +(WebCore::XMLHttpRequest::createResponseBlob): +(WebCore::XMLHttpRequest::createResponseArrayBuffer): +(WebCore::XMLHttpRequest::setResponseType): +(WebCore::XMLHttpRequest::changeState): +(WebCore::XMLHttpRequest::callReadyStateChangeListener): +(WebCore::XMLHttpRequest::setWithCredentials): +(WebCore::XMLHttpRequest::open): +(WebCore::XMLHttpRequest::prepareToSend): +
[webkit-changes] [235161] trunk/Source/JavaScriptCore
Title: [235161] trunk/Source/_javascript_Core Revision 235161 Author yusukesuz...@slowstart.org Date 2018-08-21 22:05:08 -0700 (Tue, 21 Aug 2018) Log Message [JSC] HeapUtil should care about pointer overflow https://bugs.webkit.org/show_bug.cgi?id=188740 Reviewed by Saam Barati. `pointer - sizeof(IndexingHeader) - 1` causes an undefined behavior if a pointer overflows. For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan. * heap/HeapUtil.h: (JSC::HeapUtil::findGCObjectPointersForMarking): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/HeapUtil.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (235160 => 235161) --- trunk/Source/_javascript_Core/ChangeLog 2018-08-22 05:02:56 UTC (rev 235160) +++ trunk/Source/_javascript_Core/ChangeLog 2018-08-22 05:05:08 UTC (rev 235161) @@ -1,3 +1,17 @@ +2018-08-20 Yusuke Suzuki + +[JSC] HeapUtil should care about pointer overflow +https://bugs.webkit.org/show_bug.cgi?id=188740 + +Reviewed by Saam Barati. + +`pointer - sizeof(IndexingHeader) - 1` causes an undefined behavior if a pointer overflows. +For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this +with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan. + +* heap/HeapUtil.h: +(JSC::HeapUtil::findGCObjectPointersForMarking): + 2018-08-19 Yusuke Suzuki [JSC] Should not rotate constant with 64 Modified: trunk/Source/_javascript_Core/heap/HeapUtil.h (235160 => 235161) --- trunk/Source/_javascript_Core/heap/HeapUtil.h 2018-08-22 05:02:56 UTC (rev 235160) +++ trunk/Source/_javascript_Core/heap/HeapUtil.h 2018-08-22 05:05:08 UTC (rev 235161) 
@@ -84,7 +84,7 @@ // It's possible for a butterfly pointer to point past the end of a butterfly. Check this now. if (pointer <= bitwise_cast(candidate) + sizeof(IndexingHeader)) { // We may be interested in the last cell of the previous MarkedBlock. -char* previousPointer = pointer - sizeof(IndexingHeader) - 1; +char* previousPointer = bitwise_cast(bitwise_cast(pointer) - sizeof(IndexingHeader) - 1); MarkedBlock* previousCandidate = MarkedBlock::blockFor(previousPointer); if (!filter.ruleOut(bitwise_cast(previousCandidate)) && set.contains(previousCandidate) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
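Review bot: The new `previousPointer` line still wraps when `pointer` lies within `sizeof(IndexingHeader) + 1` of address zero (the nullptr case the commit message cites); the cast to `uintptr_t` only makes that wrap well-defined, it does not make the result meaningful, so `previousCandidate` can be a block address derived from a wrapped value. That is safe only because the `filter.ruleOut(...)` and `set.contains(previousCandidate)` checks on the following two lines reject such a candidate before anything is dereferenced, and that dependency deserves to be stated next to the line, e.g. `// Unsigned wrap (e.g. for a null pointer) is intentional here; a garbage previousPointer is rejected by the ruleOut()/contains() checks below.` The template arguments of the `bitwise_cast` calls appear to have been stripped by the page rendering. The enclosing function `findGCObjectPointersForMarking` starts and ends outside the hunk.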
[webkit-changes] [235160] trunk/Source/JavaScriptCore
Title: [235160] trunk/Source/_javascript_Core Revision 235160 Author yusukesuz...@slowstart.org Date 2018-08-21 22:02:56 -0700 (Tue, 21 Aug 2018) Log Message [JSC] Should not rotate constant with 64 https://bugs.webkit.org/show_bug.cgi?id=188556 Reviewed by Saam Barati. To defend against JIT splaying, we rotate a constant with a randomly generated seed. But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64` where value's type is uint64_t, and they cause undefined behaviors (UBs). This patch limits the seed in the range of [1, 63] not to generate code causing UBs. This is found by UBSan. * assembler/MacroAssembler.h: (JSC::MacroAssembler::generateRotationSeed): (JSC::MacroAssembler::rotationBlindConstant): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/MacroAssembler.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (235159 => 235160) --- trunk/Source/_javascript_Core/ChangeLog 2018-08-22 04:58:26 UTC (rev 235159) +++ trunk/Source/_javascript_Core/ChangeLog 2018-08-22 05:02:56 UTC (rev 235160) 
@@ -1,3 +1,19 @@ +2018-08-19 Yusuke Suzuki + +[JSC] Should not rotate constant with 64 +https://bugs.webkit.org/show_bug.cgi?id=188556 + +Reviewed by Saam Barati. + +To defend against JIT splaying, we rotate a constant with a randomly generated seed. +But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64` +where value's type is uint64_t, and they cause undefined behaviors (UBs). This patch limits +the seed in the range of [1, 63] not to generate code causing UBs. This is found by UBSan. + +* assembler/MacroAssembler.h: +(JSC::MacroAssembler::generateRotationSeed): +(JSC::MacroAssembler::rotationBlindConstant): + 2018-08-21 Commit Queue Unreviewed, rolling out r235107. Modified: trunk/Source/_javascript_Core/assembler/MacroAssembler.h (235159 => 235160) --- trunk/Source/_javascript_Core/assembler/MacroAssembler.h 2018-08-22 04:58:26 UTC (rev 235159) +++ trunk/Source/_javascript_Core/assembler/MacroAssembler.h 2018-08-22 05:02:56 UTC (rev 235160) @@ -1290,6 +1290,13 @@ return shouldBlindPointerForSpecificArch(value); } + +uint8_t generateRotationSeed(size_t widthInBits) +{ +// Generate the seed in [1, widthInBits - 1]. We should not generate widthInBits or 0 +// since it leads to `<< widthInBits` or `>> widthInBits`, which cause undefined behaviors. +return (random() % (widthInBits - 1)) + 1; +} struct RotatedImmPtr { RotatedImmPtr(uintptr_t v1, uint8_t v2) @@ -1303,7 +1310,7 @@ RotatedImmPtr rotationBlindConstant(ImmPtr imm) { -uint8_t rotation = random() % (sizeof(void*) * 8); +uint8_t rotation = generateRotationSeed(sizeof(void*) * 8); uintptr_t value = imm.asTrustedImmPtr().asIntptr(); value = (value << rotation) | (value >> (sizeof(void*) * 8 - rotation)); return RotatedImmPtr(value, rotation); 
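Review bot: `generateRotationSeed` in the `@@ -1290,6 +1290,13 @@` hunk has an unstated precondition: `widthInBits` must be at least 2, otherwise `random() % (widthInBits - 1)` is a modulo by zero, and the comment above the return describes the [1, widthInBits - 1] range without enforcing it. Both visible callers pass `sizeof(void*) * 8` or `sizeof(int64_t) * 8`, but an `ASSERT(widthInBits > 1);` as the first statement would pin the contract for any future caller. Since the rotation is described as a defense against JIT spraying, the helper is also the natural place to record which randomness source is intended: `random()` is the libc PRNG and its seeding is not visible here, so a short comment stating whether that is acceptable or whether WTF's cryptographically random number source is expected would keep the hardening rationale with the code. The hunks at `@@ -1303,7 +1310,7 @@` on this line and `@@ -1371,7 +1378,7 @@` on the next only switch the two callers to the helper and raise nothing further.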
@@ -1371,7 +1378,7 @@ RotatedImm64 rotationBlindConstant(Imm64 imm) { -uint8_t rotation = random() % (sizeof(int64_t) * 8); +uint8_t rotation = generateRotationSeed(sizeof(int64_t) * 8); uint64_t value = imm.asTrustedImm64().m_value; value = (value << rotation) | (value >> (sizeof(int64_t) * 8 - rotation)); return RotatedImm64(value, rotation); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [235159] trunk
Title: [235159] trunk Revision 235159 Author yusukesuz...@slowstart.org Date 2018-08-21 21:58:26 -0700 (Tue, 21 Aug 2018) Log Message Support "name" option for dedicated workers https://bugs.webkit.org/show_bug.cgi?id=188779 Reviewed by Joseph Pecoraro. LayoutTests/imported/w3c: * web-platform-tests/workers/interfaces.worker-expected.txt: * web-platform-tests/workers/name-property-expected.txt: Source/WebCore: This patch adds `new Worker(url, { name: "Worker Name" })` option support[1]. This name can be accessible from `self.name` of DedicatedWorkerGlobalScope. It is useful for debugging dedicated workers if the inspector can show the names of the workers. This enhancement is tracked by [2]. [1]: https://github.com/whatwg/html/issues/2477 [2]: https://bugs.webkit.org/show_bug.cgi?id=164678 Tests: http/wpt/workers/name-property-enhanced.html http/wpt/workers/name-property-no-name.html * workers/DedicatedWorkerGlobalScope.cpp: (WebCore::DedicatedWorkerGlobalScope::create): (WebCore::DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope): Hold `name` member. * workers/DedicatedWorkerGlobalScope.h: * workers/DedicatedWorkerGlobalScope.idl: Add `name` attribute. * workers/DedicatedWorkerThread.cpp: (WebCore::DedicatedWorkerThread::DedicatedWorkerThread): (WebCore::DedicatedWorkerThread::createWorkerGlobalScope): * workers/DedicatedWorkerThread.h: * workers/Worker.cpp: (WebCore::Worker::Worker): (WebCore::Worker::create): (WebCore::Worker::notifyFinished): * workers/Worker.h: * workers/Worker.idl: Add WorkerOptions for dedicated worker creation. * workers/WorkerGlobalScopeProxy.h: * workers/WorkerMessagingProxy.cpp: (WebCore::WorkerMessagingProxy::startWorkerGlobalScope): * workers/WorkerMessagingProxy.h: * workers/WorkerThread.cpp: (WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Isolate copy the given `name` to pass the worker thread. 
(WebCore::WorkerThread::WorkerThread): (WebCore::WorkerThread::workerThread): * workers/WorkerThread.h: * workers/service/context/ServiceWorkerThread.cpp: (WebCore::ServiceWorkerThread::ServiceWorkerThread): (WebCore::ServiceWorkerThread::createWorkerGlobalScope): * workers/service/context/ServiceWorkerThread.h: LayoutTests: * http/wpt/workers/name-property-enhanced-expected.txt: Added. * http/wpt/workers/name-property-enhanced.html: Added. * http/wpt/workers/name-property-no-name-expected.txt: Added. * http/wpt/workers/name-property-no-name.html: Added. * http/wpt/workers/support/name.js: Added. (test): * http/wpt/workers/support/no-name.js: Added. (test): Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/workers/interfaces.worker-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/workers/name-property-expected.txt trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.idl trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp trunk/Source/WebCore/workers/DedicatedWorkerThread.h trunk/Source/WebCore/workers/Worker.cpp trunk/Source/WebCore/workers/Worker.h trunk/Source/WebCore/workers/Worker.idl trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp trunk/Source/WebCore/workers/WorkerMessagingProxy.h trunk/Source/WebCore/workers/WorkerThread.cpp trunk/Source/WebCore/workers/WorkerThread.h trunk/Source/WebCore/workers/service/context/ServiceWorkerThread.cpp trunk/Source/WebCore/workers/service/context/ServiceWorkerThread.h Added Paths trunk/LayoutTests/http/wpt/workers/name-property-enhanced-expected.txt trunk/LayoutTests/http/wpt/workers/name-property-enhanced.html trunk/LayoutTests/http/wpt/workers/name-property-no-name-expected.txt 
trunk/LayoutTests/http/wpt/workers/name-property-no-name.html trunk/LayoutTests/http/wpt/workers/support/ trunk/LayoutTests/http/wpt/workers/support/name.js trunk/LayoutTests/http/wpt/workers/support/no-name.js Diff Modified: trunk/LayoutTests/ChangeLog (235158 => 235159) --- trunk/LayoutTests/ChangeLog 2018-08-22 04:41:06 UTC (rev 235158) +++ trunk/LayoutTests/ChangeLog 2018-08-22 04:58:26 UTC (rev 235159) @@ -1,3 +1,19 @@ +2018-08-21 Yusuke Suzuki + +Support "name" option for dedicated workers +https://bugs.webkit.org/show_bug.cgi?id=188779 + +Reviewed by Joseph Pecoraro. + +* http/wpt/workers/name-property-enhanced-expected.txt: Added. +* http/wpt/workers/name-property-enhanced.html: Added. +* http/wpt/workers/name-property-no-name-expected.txt: Added. +* http/wpt/workers/name-property-no-name.html: Added. +* http/wpt/workers/support/name.js: Added. +(test): +* http/wpt/workers/support/no-name.js: Added. +(test): + 2018-08-21 Ryan Haddad Unreviewed, rolling out r235128. Added: trunk/LayoutTests
[webkit-changes] [235128] trunk
Title: [235128] trunk Revision 235128 Author yusukesuz...@slowstart.org Date 2018-08-21 11:40:03 -0700 (Tue, 21 Aug 2018) Log Message Support "name" option for dedicated workers https://bugs.webkit.org/show_bug.cgi?id=188779 Reviewed by Joseph Pecoraro. LayoutTests/imported/w3c: * web-platform-tests/workers/interfaces.worker-expected.txt: * web-platform-tests/workers/name-property-expected.txt: Source/WebCore: This patch adds `new Worker(url, { name: "Worker Name" })` option support[1]. This name can be accessible from `self.name` of DedicatedWorkerGlobalScope. It is useful for debugging dedicated workers if the inspector can show the names of the workers. This enhancement is tracked by [2]. [1]: https://github.com/whatwg/html/issues/2477 [2]: https://bugs.webkit.org/show_bug.cgi?id=164678 * workers/DedicatedWorkerGlobalScope.cpp: (WebCore::DedicatedWorkerGlobalScope::create): (WebCore::DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope): Hold `name` member. * workers/DedicatedWorkerGlobalScope.h: * workers/DedicatedWorkerGlobalScope.idl: Add `name` attribute. * workers/DedicatedWorkerThread.cpp: (WebCore::DedicatedWorkerThread::DedicatedWorkerThread): (WebCore::DedicatedWorkerThread::createWorkerGlobalScope): * workers/DedicatedWorkerThread.h: * workers/Worker.cpp: (WebCore::Worker::Worker): (WebCore::Worker::create): (WebCore::Worker::notifyFinished): * workers/Worker.h: * workers/Worker.idl: Add WorkerOptions for dedicated worker creation. * workers/WorkerGlobalScopeProxy.h: * workers/WorkerMessagingProxy.cpp: (WebCore::WorkerMessagingProxy::startWorkerGlobalScope): * workers/WorkerMessagingProxy.h: * workers/WorkerThread.cpp: (WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Isolate copy the given `name` to pass the worker thread. 
(WebCore::WorkerThread::WorkerThread): (WebCore::WorkerThread::workerThread): * workers/WorkerThread.h: * workers/service/context/ServiceWorkerThread.cpp: (WebCore::ServiceWorkerThread::ServiceWorkerThread): (WebCore::ServiceWorkerThread::createWorkerGlobalScope): * workers/service/context/ServiceWorkerThread.h: LayoutTests: * http/wpt/workers/name-property-enhanced-expected.txt: Added. * http/wpt/workers/name-property-enhanced.html: Added. * http/wpt/workers/support/name.js: Added. (test): * http/wpt/workers/support/no-name.js: Added. (test): Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/workers/interfaces.worker-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/workers/name-property-expected.txt trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.idl trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp trunk/Source/WebCore/workers/DedicatedWorkerThread.h trunk/Source/WebCore/workers/Worker.cpp trunk/Source/WebCore/workers/Worker.h trunk/Source/WebCore/workers/Worker.idl trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp trunk/Source/WebCore/workers/WorkerMessagingProxy.h trunk/Source/WebCore/workers/WorkerThread.cpp trunk/Source/WebCore/workers/WorkerThread.h trunk/Source/WebCore/workers/service/context/ServiceWorkerThread.cpp trunk/Source/WebCore/workers/service/context/ServiceWorkerThread.h Added Paths trunk/LayoutTests/http/wpt/workers/name-property-enhanced-expected.txt trunk/LayoutTests/http/wpt/workers/name-property-enhanced.html trunk/LayoutTests/http/wpt/workers/support/ trunk/LayoutTests/http/wpt/workers/support/name.js trunk/LayoutTests/http/wpt/workers/support/no-name.js Diff Modified: trunk/LayoutTests/ChangeLog (235127 => 235128) --- 
trunk/LayoutTests/ChangeLog 2018-08-21 18:12:35 UTC (rev 235127) +++ trunk/LayoutTests/ChangeLog 2018-08-21 18:40:03 UTC (rev 235128) @@ -1,3 +1,17 @@ +2018-08-21 Yusuke Suzuki + +Support "name" option for dedicated workers +https://bugs.webkit.org/show_bug.cgi?id=188779 + +Reviewed by Joseph Pecoraro. + +* http/wpt/workers/name-property-enhanced-expected.txt: Added. +* http/wpt/workers/name-property-enhanced.html: Added. +* http/wpt/workers/support/name.js: Added. +(test): +* http/wpt/workers/support/no-name.js: Added. +(test): + 2018-08-21 Simon Fraser REGRESSION(r234993): Test results page ignores TestExpectations, shows 1800 failures Added: trunk/LayoutTests/http/wpt/workers/name-property-enhanced-expected.txt (0 => 235128) --- trunk/LayoutTests/http/wpt/workers/name-property-enhanced-expected.txt (rev 0) +++ trunk/LayoutTests/http/wpt/workers/name-property-enhanced-expected.txt 2018-08-21 18:40:03 UTC (rev 235128) @@ -0,0 +1,8 @@ + +Harness Error (FAIL), message = 2 duplicate test names: "name property value for DedicatedWorkerGlobalScope", "name property i
[webkit-changes] [235104] trunk
Title: [235104] trunk Revision 235104 Author yusukesuz...@slowstart.org Date 2018-08-20 20:29:32 -0700 (Mon, 20 Aug 2018) Log Message [YARR] Extend size of fixed characters bulk matching in 64bit platform https://bugs.webkit.org/show_bug.cgi?id=181989 Patch by Yusuke Suzuki on 2018-08-20 Reviewed by Michael Saboff. JSTests: * stress/characters-regexp-ignore-case.js: Added. (shouldBe): (testH): (testHe): (testHel): (testHell): (testHello): (testHelloW): (testHelloWo): (testHelloWor): (testHelloWorl): (testHelloWorld): * stress/characters-regexp.js: Added. (shouldBe): (testH): (testHe): (testHel): (testHell): (testHello): (testHelloW): (testHelloWo): (testHelloWor): (testHelloWorl): (testHelloWorld): Source/_javascript_Core: This patch extends bulk matching style for fixed-sized characters. In 64bit environment, the GPR can hold up to 8 characters. This change reduces the code size since we can fuse multiple `mov` operations into one. * assembler/LinkBuffer.h: * runtime/Options.h: * yarr/YarrJIT.cpp: (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce): (JSC::Yarr::YarrGenerator::compile): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/LinkBuffer.h trunk/Source/_javascript_Core/runtime/Options.h trunk/Source/_javascript_Core/yarr/YarrJIT.cpp Added Paths trunk/JSTests/stress/characters-regexp-ignore-case.js trunk/JSTests/stress/characters-regexp.js Diff Modified: trunk/JSTests/ChangeLog (235103 => 235104) --- trunk/JSTests/ChangeLog 2018-08-21 02:15:28 UTC (rev 235103) +++ trunk/JSTests/ChangeLog 2018-08-21 03:29:32 UTC (rev 235104) 
@@ -1,3 +1,35 @@ +2018-08-20 Yusuke Suzuki + +[YARR] Extend size of fixed characters bulk matching in 64bit platform +https://bugs.webkit.org/show_bug.cgi?id=181989 + +Reviewed by Michael Saboff. + +* stress/characters-regexp-ignore-case.js: Added. +(shouldBe): +(testH): +(testHe): +(testHel): +(testHell): +(testHello): +(testHelloW): +(testHelloWo): +(testHelloWor): +(testHelloWorl): +(testHelloWorld): +* stress/characters-regexp.js: Added. +(shouldBe): +(testH): +(testHe): +(testHel): +(testHell): +(testHello): +(testHelloW): +(testHelloWo): +(testHelloWor): +(testHelloWorl): +(testHelloWorld): + 2018-08-17 Saam barati intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point Added: trunk/JSTests/stress/characters-regexp-ignore-case.js (0 => 235104) --- trunk/JSTests/stress/characters-regexp-ignore-case.js (rev 0) +++ trunk/JSTests/stress/characters-regexp-ignore-case.js 2018-08-21 03:29:32 UTC (rev 235104) 
@@ -0,0 +1,77 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} + +function testH(string) { +return string.match(/h/i); +} +noInline(testH); + +function testHe(string) { +return string.match(/he/i); +} +noInline(testHe); + +function testHel(string) { +return string.match(/hel/i); +} +noInline(testHel); + +function testHell(string) { +return string.match(/hell/i); +} +noInline(testHell); + +function testHello(string) { +return string.match(/hello/i); +} +noInline(testHello); + +function testHelloW(string) { +return string.match(/hellow/i); +} +noInline(testHelloW); + +function testHelloWo(string) { +return string.match(/hellowo/i); +} +noInline(testHelloWo); + +function testHelloWor(string) { +return string.match(/hellowor/i); +} +noInline(testHelloWor); + +function testHelloWorl(string) { +return string.match(/helloworl/i); +} +noInline(testHelloWorl); + +function testHelloWorld(string) { +return string.match(/helloworld/i); +} +noInline(testHelloWorld); + +for (var i = 0; i < 1e4; ++i) { +shouldBe(testH("HelloWorld")[0], `H`); +shouldBe(testHe("HelloWorld")[0], `He`); +shouldBe(testHel("HelloWorld")[0], `Hel`); +shouldBe(testHell("HelloWorld")[0], `Hell`); +shouldBe(testHello("HelloWorld")[0], `Hello`); +shouldBe(testHelloW("HelloWorld")[0], `HelloW`); +shouldBe(testHelloWo("HelloWorld")[0], `HelloWo`); +shouldBe(testHelloWor("HelloWorld")[0], `HelloWor`); +shouldBe(testHelloWorl("HelloWorld")[0], `HelloWorl`); +shouldBe(testHelloWorld("HelloWorld")[0], `HelloWorld`); +shouldBe(testH("HelloWorldこんにちは")[0], `H`); +shouldBe(testHe("HelloWorldこんにちは")[0], `He`); +shouldBe(testHel("HelloWorldこんにちは")[0], `Hel`); +shouldBe(testHell("HelloWorldこんにちは")[0], `Hell`); +shouldBe(testHello("HelloWorldこんにちは")[0], `Hello`); +shouldBe(testHelloW("HelloWorldこんにちは")[0], `HelloW`); +shouldBe(testHelloWo("HelloWorldこんにちは")[0], `HelloWo`); +shouldBe(testHelloWor("HelloWorldこんにちは")[0], `HelloWor`); +shouldBe(testHel