[webkit-changes] [170586] trunk/LayoutTests
Title: [170586] trunk/LayoutTests Revision 170586 Author msab...@apple.com Date 2014-06-30 10:37:06 -0700 (Mon, 30 Jun 2014) Log Message Reduce memory required for js/typedarray-zero-size.js https://bugs.webkit.org/show_bug.cgi?id=134448 Reviewed by Darin Adler. Making the loop count down reduces memory usage from ~190MB to ~22MB while still testing the original issue. * js/script-tests/typedarray-zero-size.js: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/script-tests/typedarray-zero-size.js Diff Modified: trunk/LayoutTests/ChangeLog (170585 => 170586) --- trunk/LayoutTests/ChangeLog 2014-06-30 16:59:24 UTC (rev 170585) +++ trunk/LayoutTests/ChangeLog 2014-06-30 17:37:06 UTC (rev 170586) @@ -1,3 +1,15 @@ +2014-06-30 Michael Saboff msab...@apple.com + +Reduce memory required for js/typedarray-zero-size.js +https://bugs.webkit.org/show_bug.cgi?id=134448 + +Reviewed by Darin Adler. + +Making the loop count down reduces memory usage from ~190MB to ~22MB while +still testing the original issue. + +* js/script-tests/typedarray-zero-size.js: + 2014-06-29 Yoav Weiss y...@yoav.ws Add support for HTMLImageElement's sizes attribute Modified: trunk/LayoutTests/js/script-tests/typedarray-zero-size.js (170585 => 170586) --- trunk/LayoutTests/js/script-tests/typedarray-zero-size.js 2014-06-30 16:59:24 UTC (rev 170585) +++ trunk/LayoutTests/js/script-tests/typedarray-zero-size.js 2014-06-30 17:37:06 UTC (rev 170586) @@ -10,7 +10,7 @@ var result = 0; -for (var i = 1; i 10001; i++) { +for (var i = 1; i 0; i--) { var newArray = foo(); var otherArray = new Array(i); for (var j = 0; j i; ++j) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
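Review bot: the rewritten loop header in the typedarray-zero-size.js hunk reads `for (var i = 1; i 0; i--)` in this archive, which as written would run a single iteration; the comparison operators have clearly been stripped in transit, so confirm that the committed start value is the full iteration count rather than 1 (the `-` line it replaces, `i = 1; i 10001; i++`, did keep its bound). If the start value is the full count, `otherArray = new Array(i)` is now allocated largest-first, and a one-line comment on why counting down cuts peak heap from ~190MB to ~22MB would stop a future reader from reverting it as a no-op.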
[webkit-changes] [170591] trunk/LayoutTests
Title: [170591] trunk/LayoutTests Revision 170591 Author msab...@apple.com Date 2014-06-30 11:22:25 -0700 (Mon, 30 Jun 2014) Log Message Reduce memory required for js/typedarray-zero-size.js https://bugs.webkit.org/show_bug.cgi?id=134448 Reviewed by Mark Hahnenberg. Reduce the loop count from 1 to 4000 to further reduce memory requirements on older devices. * js/script-tests/typedarray-zero-size.js: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/script-tests/typedarray-zero-size.js Diff Modified: trunk/LayoutTests/ChangeLog (170590 => 170591) --- trunk/LayoutTests/ChangeLog 2014-06-30 18:06:56 UTC (rev 170590) +++ trunk/LayoutTests/ChangeLog 2014-06-30 18:22:25 UTC (rev 170591) @@ -3,6 +3,18 @@ Reduce memory required for js/typedarray-zero-size.js https://bugs.webkit.org/show_bug.cgi?id=134448 +Reviewed by Mark Hahnenberg. + +Reduce the loop count from 1 to 4000 to further reduce memory requirements +on older devices. + +* js/script-tests/typedarray-zero-size.js: + +2014-06-30 Michael Saboff msab...@apple.com + +Reduce memory required for js/typedarray-zero-size.js +https://bugs.webkit.org/show_bug.cgi?id=134448 + Reviewed by Darin Adler. Making the loop count down reduces memory usage from ~190MB to ~22MB while Modified: trunk/LayoutTests/js/script-tests/typedarray-zero-size.js (170590 => 170591) --- trunk/LayoutTests/js/script-tests/typedarray-zero-size.js 2014-06-30 18:06:56 UTC (rev 170590) +++ trunk/LayoutTests/js/script-tests/typedarray-zero-size.js 2014-06-30 18:22:25 UTC (rev 170591) @@ -10,7 +10,7 @@ var result = 0; -for (var i = 1; i 0; i--) { +for (var i = 4000; i 0; i--) { var newArray = foo(); var otherArray = new Array(i); for (var j = 0; j i; ++j) @@ -18,5 +18,5 @@ result += otherArray[i - 1]; } -if (result != (1 * ) / 2) +if (result != (4000 * 3999) / 2) throw Bad result: + result; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
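Review bot: the new loop bound `4000` in `for (var i = 4000; i 0; i--)` and the expected-sum check `(4000 * 3999) / 2` are independent literals that must agree; hoist them into a single `var count = 4000;` used in both the `for` header and the `if (result != (count * (count - 1)) / 2)` check, since this is the second revision today that had to edit both places in step and the `-` side of the check (`(1 * ) / 2` as archived) shows how easily the pair gets out of sync.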
[webkit-changes] [170601] trunk
Title: [170601] trunk Revision 170601 Author msab...@apple.com Date 2014-06-30 15:12:17 -0700 (Mon, 30 Jun 2014) Log Message Add option to run-jsc-stress-testes to filter out tests that use large heaps https://bugs.webkit.org/show_bug.cgi?id=134458 Reviewed by Filip Pizlo. Source/_javascript_Core: Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device. * tests/mozilla/mozilla-tests.yaml: Tools: Added new --memory-limited to filter out tests that have large heap usage. Such tests are either tagged with //@largeHeap or logic is added to their .yaml file. * Scripts/run-jsc-stress-tests: LayoutTests: * js/regress/script-tests/lots-of-fields.js: Added //@largeHeap tag to skip when running on a memoryLimited device. Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/regress/script-tests/lots-of-fields.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/tests/mozilla/mozilla-tests.yaml trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/LayoutTests/ChangeLog (170600 => 170601) --- trunk/LayoutTests/ChangeLog 2014-06-30 22:10:56 UTC (rev 170600) +++ trunk/LayoutTests/ChangeLog 2014-06-30 22:12:17 UTC (rev 170601) @@ -1,3 +1,13 @@ +2014-06-30 Michael Saboff msab...@apple.com + +Add option to run-jsc-stress-testes to filter out tests that use large heaps +https://bugs.webkit.org/show_bug.cgi?id=134458 + +Reviewed by Filip Pizlo. + +* js/regress/script-tests/lots-of-fields.js: Added //@largeHeap tag to skip when +running on a memoryLimited device. + 2014-06-30 Myles C. Maxfield mmaxfi...@apple.com Tiles on bottom of screen are not always allocated when necessary Modified: trunk/LayoutTests/js/regress/script-tests/lots-of-fields.js (170600 => 170601) --- trunk/LayoutTests/js/regress/script-tests/lots-of-fields.js 2014-06-30 22:10:56 UTC (rev 170600) +++ trunk/LayoutTests/js/regress/script-tests/lots-of-fields.js 2014-06-30 22:12:17 UTC (rev 170601) 
@@ -1,3 +1,6 @@ +// This test uses all available memory on some small memory devices. +//@largeHeap + function foo() { var result = 0; for (var i = 0; i 5000; ++i) { Modified: trunk/Source/_javascript_Core/ChangeLog (170600 => 170601) --- trunk/Source/_javascript_Core/ChangeLog 2014-06-30 22:10:56 UTC (rev 170600) +++ trunk/Source/_javascript_Core/ChangeLog 2014-06-30 22:12:17 UTC (rev 170601) @@ -1,3 +1,14 @@ +2014-06-30 Michael Saboff msab...@apple.com + +Add option to run-jsc-stress-testes to filter out tests that use large heaps +https://bugs.webkit.org/show_bug.cgi?id=134458 + +Reviewed by Filip Pizlo. + +Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device. + +* tests/mozilla/mozilla-tests.yaml: + 2014-06-30 Daniel Bates daba...@apple.com Avoid copying closed variables vector; actually use move semantics Modified: trunk/Source/_javascript_Core/tests/mozilla/mozilla-tests.yaml (170600 => 170601) --- trunk/Source/_javascript_Core/tests/mozilla/mozilla-tests.yaml 2014-06-30 22:10:56 UTC (rev 170600) +++ trunk/Source/_javascript_Core/tests/mozilla/mozilla-tests.yaml 2014-06-30 22:12:17 UTC (rev 170601) @@ -2113,7 +2113,7 @@ cmd: defaultRunMozillaTest :normal, ../shell.js - path: js1_5/Regress/regress-159334.js cmd: | - if $architecture !~ /x86/i and $hostOS == darwin + if ($architecture !~ /x86/i and $hostOS == darwin) or $memoryLimited skip else defaultRunMozillaTest :normal, ../shell.js Modified: trunk/Tools/ChangeLog (170600 => 170601) --- trunk/Tools/ChangeLog 2014-06-30 22:10:56 UTC (rev 170600) +++ trunk/Tools/ChangeLog 2014-06-30 22:12:17 UTC (rev 170601) 
@@ -1,3 +1,15 @@ +2014-06-30 Michael Saboff msab...@apple.com + +Add option to run-jsc-stress-testes to filter out tests that use large heaps +https://bugs.webkit.org/show_bug.cgi?id=134458 + +Reviewed by Filip Pizlo. + +Added new --memory-limited to filter out tests that have large heap usage. +Such tests are either tagged with //@largeHeap or logic is added to their .yaml file. + +* Scripts/run-jsc-stress-tests: + 2014-06-30 Myles C. Maxfield mmaxfi...@apple.com DRT in iOS sim crashes while loading fonts Modified: trunk/Tools/Scripts/run-jsc-stress-tests (170600 => 170601) --- trunk/Tools/Scripts/run-jsc-stress-tests 2014-06-30 22:10:56 UTC (rev 170600) +++ trunk/Tools/Scripts/run-jsc-stress-tests 2014-06-30 22:12:17 UTC (rev 170601) @@ -94,6 +94,7 @@ $jscPath = nil $copy = true $enableFTL = false +$memoryLimited = false $outputDir = Pathname.new(results) $verbosity = 0 $bundle = nil @@ -112,6 +113,8 @@ puts --no-copy Do not copy the _javascript_Core build product before testing. puts --jsc specifies an already present _javascript_Core to
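Review bot: the mozilla-tests.yaml skip condition now combines two unrelated reasons, `($architecture !~ /x86/i and $hostOS == darwin) or $memoryLimited`, with no comment on either; add a short note above the `cmd:` naming the bug for the memory-limited half (https://bugs.webkit.org/show_bug.cgi?id=134458) so the next person touching this entry knows which clause is safe to drop. The parentheses are worth keeping even though Ruby's `and`/`or` already associate left at equal precedence; they make the intended grouping explicit.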
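Review bot: the run-jsc-stress-tests hunk at `@@ -112,6 +113,8 @@`, which should document the new `--memory-limited` option in the `puts` usage block, is cut off in this archive, and the option-parsing change that sets `$memoryLimited = true` is not visible at all; confirm both landed alongside the `$memoryLimited = false` default added next to `$enableFTL`, otherwise neither the yaml `$memoryLimited` check nor the `//@largeHeap` tag can ever take effect.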
[webkit-changes] [170602] trunk/LayoutTests
Title: [170602] trunk/LayoutTests Revision 170602 Author msab...@apple.com Date 2014-06-30 15:13:37 -0700 (Mon, 30 Jun 2014) Log Message js/script-tests/function-apply-many-args.js fails on ARM https://bugs.webkit.org/show_bug.cgi?id=126588 Reviewed by Mark Lam. Removed three test cases that fail on some platforms and pass on others due to stack size. Other test cases cover what will fit on a stack or what will throw an out of stack exception. * js/function-apply-many-args-expected.txt: * js/script-tests/function-apply-many-args.js: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/function-apply-many-args-expected.txt trunk/LayoutTests/js/script-tests/function-apply-many-args.js Diff Modified: trunk/LayoutTests/ChangeLog (170601 => 170602) --- trunk/LayoutTests/ChangeLog 2014-06-30 22:12:17 UTC (rev 170601) +++ trunk/LayoutTests/ChangeLog 2014-06-30 22:13:37 UTC (rev 170602) @@ -1,5 +1,19 @@ 2014-06-30 Michael Saboff msab...@apple.com +js/script-tests/function-apply-many-args.js fails on ARM +https://bugs.webkit.org/show_bug.cgi?id=126588 + +Reviewed by Mark Lam. + +Removed three test cases that fail on some platforms and pass on others due +to stack size. Other test cases cover what will fit on a stack or what will +throw an out of stack exception. + +* js/function-apply-many-args-expected.txt: +* js/script-tests/function-apply-many-args.js: + +2014-06-30 Michael Saboff msab...@apple.com + Add option to run-jsc-stress-testes to filter out tests that use large heaps https://bugs.webkit.org/show_bug.cgi?id=134458 Modified: trunk/LayoutTests/js/function-apply-many-args-expected.txt (170601 => 170602) --- trunk/LayoutTests/js/function-apply-many-args-expected.txt 2014-06-30 22:12:17 UTC (rev 170601) +++ trunk/LayoutTests/js/function-apply-many-args-expected.txt 2014-06-30 22:13:37 UTC (rev 170602) 
@@ -17,7 +17,6 @@ PASS g.apply(null, [1]) is 1 PASS g.apply(null, new Array(10)) is 10 PASS g.apply(null, new Array(1000)) is 1000 -PASS g.apply(null, new Array(65536)) is 65536 PASS g.apply(null, new Array(65537)) threw exception RangeError: Maximum call stack size exceeded.. PASS g.apply(null, new Array(65537)) threw exception RangeError: Maximum call stack size exceeded.. PASS g.apply(null, bigArray) threw exception RangeError: Maximum call stack size exceeded.. @@ -27,7 +26,6 @@ PASS h.apply(null, [1]) is 1 PASS h.apply(null, new Array(10)) is 10 PASS h.apply(null, new Array(1000)) is 1000 -PASS h.apply(null, new Array(65536)) is 65536 PASS h.apply(null, new Array(65537)) threw exception RangeError: Maximum call stack size exceeded.. PASS h.apply(null, new Array(65537)) threw exception RangeError: Maximum call stack size exceeded.. PASS h.apply(null, bigArray) threw exception RangeError: Maximum call stack size exceeded.. @@ -36,7 +34,6 @@ PASS i.apply(null, [1]) is 1 PASS i.apply(null, new Array(10)) is 10 PASS i.apply(null, new Array(1000)) is 1000 -PASS i.apply(null, new Array(65536)) is 65536 PASS i.apply(null, new Array(65537)) threw exception RangeError: Maximum call stack size exceeded.. PASS i.apply(null, new Array(65537)) threw exception RangeError: Maximum call stack size exceeded.. PASS i.apply(null, bigArray) threw exception RangeError: Maximum call stack size exceeded.. Modified: trunk/LayoutTests/js/script-tests/function-apply-many-args.js (170601 => 170602) --- trunk/LayoutTests/js/script-tests/function-apply-many-args.js 2014-06-30 22:12:17 UTC (rev 170601) +++ trunk/LayoutTests/js/script-tests/function-apply-many-args.js 2014-06-30 22:13:37 UTC (rev 170602) 
@@ -25,7 +25,6 @@ shouldBe(g.apply(null, [1]), 1); shouldBe(g.apply(null, new Array(10)), 10); shouldBe(g.apply(null, new Array(1000)), 1000); -shouldBe(g.apply(null, new Array(65536)), 65536); shouldThrow(g.apply(null, new Array(65537))); shouldThrow(g.apply(null, new Array(65537))); shouldThrow(g.apply(null, bigArray)); @@ -1673,7 +1672,6 @@ shouldBe(h.apply(null, [1]), 1); shouldBe(h.apply(null, new Array(10)), 10); shouldBe(h.apply(null, new Array(1000)), 1000); -shouldBe(h.apply(null, new Array(65536)), 65536); shouldThrow(h.apply(null, new Array(65537))); shouldThrow(h.apply(null, new Array(65537))); shouldThrow(h.apply(null, bigArray)); @@ -1682,7 +1680,6 @@ shouldBe(i.apply(null, [1]), 1); shouldBe(i.apply(null, new Array(10)), 10); shouldBe(i.apply(null, new Array(1000)), 1000); -shouldBe(i.apply(null, new Array(65536)), 65536); shouldThrow(i.apply(null, new Array(65537))); shouldThrow(i.apply(null, new Array(65537))); shouldThrow(i.apply(null, bigArray)); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
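Review bot: each of the three blocks in function-apply-many-args.js still carries `shouldThrow(g.apply(null, new Array(65537)));` (and the `h`/`i` equivalents) twice in a row, with matching duplicate `PASS ... RangeError: Maximum call stack size exceeded..` lines in the expected file; since these blocks and the expected output are already being edited to drop the `65536` case, remove the duplicate in the same change. A one-line comment where the `65536` line was, saying that the fit/throw boundary is platform dependent, would also stop someone reintroducing it.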
[webkit-changes] [172429] trunk/Source/JavaScriptCore
Title: [172429] trunk/Source/_javascript_Core Revision 172429 Author msab...@apple.com Date 2014-08-11 20:20:04 -0700 (Mon, 11 Aug 2014) Log Message Eliminate {push,pop}CalleeSaves in favor of individual pushes pops https://bugs.webkit.org/show_bug.cgi?id=127155 Reviewed by Geoffrey Garen. Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop instructions. Where the registers referenced by the added push and pop instructions are not part of the offline assembler register aliases, used a newly added emit offline assembler instruction which takes a string literal and outputs that string as a native instruction. * llint/LowLevelInterpreter.asm: * offlineasm/arm.rb: * offlineasm/arm64.rb: * offlineasm/ast.rb: * offlineasm/cloop.rb: * offlineasm/instructions.rb: * offlineasm/mips.rb: * offlineasm/parser.rb: * offlineasm/sh4.rb: * offlineasm/transform.rb: * offlineasm/x86.rb: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/offlineasm/arm.rb trunk/Source/_javascript_Core/offlineasm/arm64.rb trunk/Source/_javascript_Core/offlineasm/ast.rb trunk/Source/_javascript_Core/offlineasm/cloop.rb trunk/Source/_javascript_Core/offlineasm/instructions.rb trunk/Source/_javascript_Core/offlineasm/mips.rb trunk/Source/_javascript_Core/offlineasm/parser.rb trunk/Source/_javascript_Core/offlineasm/sh4.rb trunk/Source/_javascript_Core/offlineasm/transform.rb trunk/Source/_javascript_Core/offlineasm/x86.rb Diff Modified: trunk/Source/_javascript_Core/ChangeLog (172428 => 172429) --- trunk/Source/_javascript_Core/ChangeLog 2014-08-12 03:01:52 UTC (rev 172428) +++ trunk/Source/_javascript_Core/ChangeLog 2014-08-12 03:20:04 UTC (rev 172429) 
@@ -1,3 +1,29 @@ +2014-08-11 Michael Saboff msab...@apple.com + +Eliminate {push,pop}CalleeSaves in favor of individual pushes pops +https://bugs.webkit.org/show_bug.cgi?id=127155 + +Reviewed by Geoffrey Garen. + +Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the +ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop +instructions. Where the registers referenced by the added push and pop instructions +are not part of the offline assembler register aliases, used a newly added emit +offline assembler instruction which takes a string literal and outputs that +string as a native instruction. + +* llint/LowLevelInterpreter.asm: +* offlineasm/arm.rb: +* offlineasm/arm64.rb: +* offlineasm/ast.rb: +* offlineasm/cloop.rb: +* offlineasm/instructions.rb: +* offlineasm/mips.rb: +* offlineasm/parser.rb: +* offlineasm/sh4.rb: +* offlineasm/transform.rb: +* offlineasm/x86.rb: + 2014-08-11 Mark Lam mark@apple.com Re-landing r172401 with fixed test. Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (172428 => 172429) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2014-08-12 03:01:52 UTC (rev 172428) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2014-08-12 03:20:04 UTC (rev 172429) 
@@ -246,6 +246,106 @@ end end +macro pushCalleeSaves() +if C_LOOP +elsif ARM or ARMv7_TRADITIONAL +emit push {r4-r10} +elsif ARMv7 +emit push {r4-r6, r8-r11} +elsif ARM64 +emit stp x20, x19, [sp, #-16]! +emit stp x22, x21, [sp, #-16]! +emit stp x24, x23, [sp, #-16]! +emit stp x26, x25, [sp, #-16]! +emit stp x28, x27, [sp, #-16]! +elsif MIPS +emit addiu $sp, $sp, -20 +emit sw $20, 16($sp) +emit sw $19, 12($sp) +emit sw $18, 8($sp) +emit sw $17, 4($sp) +emit sw $16, 0($sp) +elsif SH4 +emit mov.l r13, @-r15 +emit mov.l r11, @-r15 +emit mov.l r10, @-r15 +emit mov.l r9, @-r15 +emit mov.l r8, @-r15 +elsif X86 +emit push %esi +emit push %edi +emit push %ebx +elsif X86_WIN +emit push esi +emit push edi +emit push ebx +elsif X86_64 +emit push %r12 +emit push %r13 +emit push %r14 +emit push %r15 +emit push %rbx +elsif X86_64_WIN +emit push r12 +emit push r13 +emit push r14 +emit push r15 +emit push rbx +emit push rdi +emit push rsi +end +end + +macro popCalleeSaves() +if C_LOOP +elsif ARM or ARMv7_TRADITIONAL +emit pop {r4-r10} +elsif ARMv7 +emit pop {r4-r6, r8-r11} +elsif ARM64 +emit ldp x28, x27, [sp], #16 +emit ldp x26, x25, [sp], #16 +emit ldp x24, x23, [sp], #16 +emit ldp x22, x21, [sp], #16 +emit ldp x20, x19, [sp], #16 +
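Review bot: the MIPS branch of `pushCalleeSaves` reserves 20 bytes (`emit addiu $sp, $sp, -20`) for five 4-byte saves, which leaves `$sp` 4 bytes off the 8-byte alignment o32 expects unless the surrounding prologue compensates; if this is lifted unchanged from the old backend the issue is pre-existing, but reserving 24 would keep alignment at no cost. More generally, each branch now pushes a different number of registers (7 on ARM/ARMv7, 10 on ARM64, 5 on MIPS/SH4, 3 on X86/X86_WIN, 5 on X86_64, 7 on X86_64_WIN), and because `emit` strings are opaque to the offline assembler nothing checks that `popCalleeSaves` mirrors them in reverse order; a comment stating that the two macros must be kept in lock-step, and that the empty C_LOOP branch is intentional, would help the next person who adds a register.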
[webkit-changes] [172665] trunk/Source/JavaScriptCore
Title: [172665] trunk/Source/_javascript_Core
Revision 172665
Author msab...@apple.com
Date 2014-08-15 18:45:40 -0700 (Fri, 15 Aug 2014)

Log Message
Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
https://bugs.webkit.org/show_bug.cgi?id=131578

Reviewed by Geoffrey Garen.

Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative, respectively. Eliminated the sentinel frame and replaced it with the structure VMEntryRecord that appears in the locals area of a VM entry stack frame.

Changed the order in which vmEntryToJavaScript and vmEntryToNative create their stack frames to be native calling convention compliant. That is: save the prior frame pointer, save callee save registers, then allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function that vmEntryToJavaScript will invoke. The topmost VM entry frame pointer is saved in VM::topVMEntryFrame. The vmEntry functions save the prior contents of VM::topVMEntryFrame along with the VM and VM::topCallFrame in the VMEntryRecord they place on the stack. Starting at VM::topCallFrame, the stack can be walked using these VMEntryRecords.

Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame into a local variable and using CallFrame::callerFrame(VMEntryFrame*) or by using StackVisitor. Given that the stack is effectively a singly linked list, general stack unwinding needs to use one of these two methods.

* _javascript_Core.vcxproj/_javascript_Core.vcxproj:
* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters:
* _javascript_Core.xcodeproj/project.pbxproj:
Addition of VMEntryRecord.h

* bytecode/BytecodeList.json:
Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.
* debugger/Debugger.cpp:
(JSC::Debugger::stepOutOfFunction):
(JSC::Debugger::returnEvent):
(JSC::Debugger::didExecuteProgram):
* jsc.cpp:
(functionDumpCallFrame):
* jit/JITOperations.cpp:
Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*).

* bytecode/CodeBlock.cpp:
(JSC::RecursionCheckFunctor::RecursionCheckFunctor):
(JSC::RecursionCheckFunctor::operator()):
(JSC::RecursionCheckFunctor::didRecurse):
(JSC::CodeBlock::noticeIncomingCall):
* debugger/DebuggerCallFrame.cpp:
(JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
(JSC::FindCallerMidStackFunctor::operator()):
(JSC::FindCallerMidStackFunctor::getCallerFrame):
(JSC::DebuggerCallFrame::callerFrame):
* interpreter/VMInspector.cpp:
(JSC::CountFramesFunctor::CountFramesFunctor):
(JSC::CountFramesFunctor::operator()):
(JSC::CountFramesFunctor::count):
(JSC::VMInspector::countFrames):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
(JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
(JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
(JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
(JSC::VM::throwException):
Changed unwinding to use StackVisitor including added functor classes.

* interpreter/CallFrame.cpp:
(JSC::CallFrame::callerFrame):
Added new flavor of callerFrame() that can iteratively unwind the stack.

* interpreter/CallFrame.h:
(JSC::ExecState::callerFrame):
Changed callerFrame() to use private common helper.
(JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
(JSC::ExecState::isVMEntrySentinel): Deleted.
(JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
(JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
(JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
(JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.
* interpreter/CallFrame.h:
(JSC::ExecState::init):
(JSC::ExecState::topOfFrame):
(JSC::ExecState::currentVPC):
(JSC::ExecState::setCurrentVPC):
Eliminated unneeded checking of sentinel frame.

* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
(JSC::Interpreter::getStackTrace):
Updated for unwinding changes.
(JSC::Interpreter::unwind):
Eliminated unneeded sentinel frame check.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
* jit/JITStubs.h:
* llint/LLIntThunks.cpp:
(JSC::callToJavaScript): Deleted.
(JSC::callToNativeFunction): Deleted.
(JSC::vmEntryToJavaScript):
(JSC::vmEntryToNative):
* llint/LLIntThunks.h:
Updated for vmEntryToJavaScript and vmEntryToNative name changes.

* interpreter/Interpreter.h:
(JSC::TopCallFrameSetter::TopCallFrameSetter):
(JSC::TopCallFrameSetter::~TopCallFrameSetter):
Eliminated unneeded sentinel frame check.

* interpreter/Interpreter.h:
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
Removed sentinel specific constructor.

* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::StackVisitor):
(JSC::StackVisitor::readFrame):
(JSC::StackVisitor::readNonInlinedFrame):
(JSC::StackVisitor::readInlinedFrame):
(JSC::StackVisitor::Frame::print):
* interpreter/StackVisitor.h:

[webkit-changes] [172792] trunk/Source/JavaScriptCore
Title: [172792] trunk/Source/_javascript_Core Revision 172792 Author msab...@apple.com Date 2014-08-19 17:36:13 -0700 (Tue, 19 Aug 2014) Log Message Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js https://bugs.webkit.org/show_bug.cgi?id=136080 Reviewed by Mark Lam. Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry frame. In that case, the caller will have the prior VM entry frame. The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing an exception from a caller frame. The value to use for the VMEntryFrame should be a value possibly modified by CallFrame::callerFrame(*VMEntryFrame) used to find the caller. * interpreter/Interpreter.h: (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a VMEntryFrame. Added an ASSERT to both constructors to check that the updated topCallFrame is below the current vmEntryFrame. * jit/JITOperations.cpp: (JSC::operationThrowStackOverflowError): (JSC::operationCallArityCheck): (JSC::operationConstructArityCheck): Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/interpreter/Interpreter.h trunk/Source/_javascript_Core/jit/JITOperations.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (172791 => 172792) --- trunk/Source/_javascript_Core/ChangeLog 2014-08-20 00:22:27 UTC (rev 172791) +++ trunk/Source/_javascript_Core/ChangeLog 2014-08-20 00:36:13 UTC (rev 172792) 
@@ -1,3 +1,29 @@ +2014-08-19 Michael Saboff msab...@apple.com + +Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js +https://bugs.webkit.org/show_bug.cgi?id=136080 + +Reviewed by Mark Lam. + +Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame +to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry +frame. In that case, the caller will have the prior VM entry frame. + +The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing +an exception from a caller frame. The value to use for the VMEntryFrame should be a +value possibly modified by CallFrame::callerFrame(*VMEntryFrame) used to find the caller. + +* interpreter/Interpreter.h: +(JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a +VMEntryFrame. Added an ASSERT to both constructors to check that the updated topCallFrame +is below the current vmEntryFrame. + +* jit/JITOperations.cpp: +(JSC::operationThrowStackOverflowError): +(JSC::operationCallArityCheck): +(JSC::operationConstructArityCheck): +Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame. + 2014-08-19 Andy Estes aes...@apple.com [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.h (172791 => 172792) --- trunk/Source/_javascript_Core/interpreter/Interpreter.h 2014-08-20 00:22:27 UTC (rev 172791) +++ trunk/Source/_javascript_Core/interpreter/Interpreter.h 2014-08-20 00:36:13 UTC (rev 172792) 
@@ -175,8 +175,18 @@ { ASSERT(vm); ASSERT(callFrame); +ASSERT(callFrame vm-topVMEntryFrame); vm-topCallFrame = callFrame; } + +ALWAYS_INLINE NativeCallFrameTracer(VM* vm, VMEntryFrame* vmEntryFrame, CallFrame* callFrame) +{ +ASSERT(vm); +ASSERT(callFrame); +ASSERT(callFrame vmEntryFrame); +vm-topVMEntryFrame = vmEntryFrame; +vm-topCallFrame = callFrame; +} }; class Interpreter { Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (172791 => 172792) --- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2014-08-20 00:22:27 UTC (rev 172791) +++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2014-08-20 00:36:13 UTC (rev 172792) @@ -81,12 +81,12 @@ // We pass in our own code block, because the callframe hasn't been populated. VM* vm = codeBlock-vm(); -VMEntryFrame* topVMEntryFrame = vm-topVMEntryFrame; -CallFrame* callerFrame = exec-callerFrame(topVMEntryFrame); +VMEntryFrame* vmEntryFrame = vm-topVMEntryFrame; +CallFrame* callerFrame = exec-callerFrame(vmEntryFrame); if (!callerFrame) callerFrame = exec; -NativeCallFrameTracer tracer(vm, callerFrame); +NativeCallFrameTracer tracer(vm, vmEntryFrame, callerFrame); ErrorHandlingScope errorScope(*vm); vm-throwException(callerFrame, createStackOverflowError(callerFrame)); } @@ -94,15 +94,16 @@ int32_t JIT_OPERATION
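Review bot: the new `NativeCallFrameTracer(VM* vm, VMEntryFrame* vmEntryFrame, CallFrame* callFrame)` constructor assigns `vm-topVMEntryFrame` and `vm-topCallFrame` but, like the two-argument one, has no destructor to put the previous values back; `operationThrowStackOverflowError` now constructs it with the caller's entry frame, so after `vm-throwException(callerFrame, ...)` returns, `VM::topVMEntryFrame` stays pointed at the caller's entry frame for the remainder of the native call. That is only safe if nothing after the throw depends on the callee's value; either document that the tracer is deliberately one-way, or save and restore both fields in a destructor. The added `ASSERT(callFrame vmEntryFrame)` has lost its comparison operator in this archive; if it is `<`, it encodes the downward-growing-stack assumption, which deserves a comment since the relation is easy to invert.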
[webkit-changes] [172807] trunk/Source/JavaScriptCore
Title: [172807] trunk/Source/_javascript_Core Revision 172807 Author msab...@apple.com Date 2014-08-20 13:28:24 -0700 (Wed, 20 Aug 2014) Log Message REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active https://bugs.webkit.org/show_bug.cgi?id=136034 Reviewed by Mark Lam. DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle of the stack. Hardened StackVisitor to skip over the frames between the current top frame and the requested start frame. * interpreter/StackVisitor.cpp: (JSC::StackVisitor::StackVisitor): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/interpreter/StackVisitor.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (172806 => 172807) --- trunk/Source/_javascript_Core/ChangeLog 2014-08-20 20:19:50 UTC (rev 172806) +++ trunk/Source/_javascript_Core/ChangeLog 2014-08-20 20:28:24 UTC (rev 172807) @@ -1,3 +1,17 @@ +2014-08-20 Michael Saboff msab...@apple.com + +REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active +https://bugs.webkit.org/show_bug.cgi?id=136034 + +Reviewed by Mark Lam. + +DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle +of the stack. Hardened StackVisitor to skip over the frames between the current top frame +and the requested start frame. + +* interpreter/StackVisitor.cpp: +(JSC::StackVisitor::StackVisitor): + 2014-08-20 Brent Fulgham bfulg...@apple.com [Win] _javascript_Core.dll is missing version information. Modified: trunk/Source/_javascript_Core/interpreter/StackVisitor.cpp (172806 => 172807) --- trunk/Source/_javascript_Core/interpreter/StackVisitor.cpp 2014-08-20 20:19:50 UTC (rev 172806) +++ trunk/Source/_javascript_Core/interpreter/StackVisitor.cpp 2014-08-20 20:28:24 UTC (rev 172807) 
@@ -38,12 +38,20 @@ StackVisitor::StackVisitor(CallFrame* startFrame) { m_frame.m_index = 0; -if (startFrame) +CallFrame* topFrame; +if (startFrame) { m_frame.m_VMEntryFrame = startFrame-vm().topVMEntryFrame; -else +topFrame = startFrame-vm().topCallFrame; +} else { m_frame.m_VMEntryFrame = 0; +topFrame = 0; +} m_frame.m_callerIsVMEntryFrame = false; -readFrame(startFrame); +readFrame(topFrame); + +// Find the frame the caller wants to start unwinding from. +while (m_frame.callFrame() m_frame.callFrame() != startFrame) +gotoNextFrame(); } void StackVisitor::gotoNextFrame() ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
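Review bot: the new loop `while (m_frame.callFrame() m_frame.callFrame() != startFrame) gotoNextFrame();` (the `&&` is lost in this archive) walks from `topCallFrame` until it reaches `startFrame`, but if `startFrame` is not actually on the current stack it runs off the end and the visitor silently begins with a null frame, turning a bad caller argument into an empty walk. Add `ASSERT(!startFrame || m_frame.callFrame() == startFrame)` after the loop so the stale-frame case is caught in debug builds rather than masked by the hardening, and extend the comment to say that `m_VMEntryFrame` is taken from the VM's top so the walk stays consistent with the entry-frame chain.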
[webkit-changes] [172867] trunk/Source/JavaScriptCore
Title: [172867] trunk/Source/_javascript_Core
Revision 172867
Author msab...@apple.com
Date 2014-08-22 12:54:30 -0700 (Fri, 22 Aug 2014)

Log Message
REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
https://bugs.webkit.org/show_bug.cgi?id=136111

Reviewed by Filip Pizlo.

The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.

First, in the case where we get an exception of a stack overflow during setup of the direct callee frame of a VM entry frame, we need to throw the exception in the caller's frame. This requires unrolling topVMEntryFrame while creating the exception object. This is accomplished with the renamed NativeCallFrameTracerWithRestore object. As part of this, split the JIT rollback exception handling to call a new helper, callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.

Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the case where we end up (re)throwing another exception after entering the catch block, but before another vmEntry call. Added VM::vmEntryFrameForThrow as a way similar to VM::callFrameForThrow to pass the appropriate VMEntryFrame to the catch block.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* jit/JIT.cpp:
(JSC::JIT::privateCompileExceptionHandlers):
Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame() to unwind both the callFrame and topVMEntryFrame.

* interpreter/Interpreter.cpp:
(JSC::UnwindFunctor::UnwindFunctor):
(JSC::UnwindFunctor::operator()):
(JSC::Interpreter::unwind):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
Added VMEntryFrame as another component to unwind.
* interpreter/Interpreter.h:
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
(JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
(JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of both values.

* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::gotoNextFrame):
(JSC::StackVisitor::readNonInlinedFrame):
* interpreter/StackVisitor.h:
(JSC::StackVisitor::Frame::vmEntryFrame):
Added code to unwind the VMEntryFrame.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::jumpToExceptionHandler):
Updated comment to indicate that the value the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.

* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_catch):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.

* jit/JITOperations.cpp:
* jit/JITOperations.h:
(JSC::operationThrowStackOverflowError):
(JSC::operationCallArityCheck):
(JSC::operationConstructArityCheck):
* runtime/VM.h:
(JSC::VM::vmEntryFrameForThrowOffset):
(JSC::VM::topVMEntryFrameOffset):
Added as the side channel to return the topVMEntryFrame that the handler should use.
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp trunk/Source/_javascript_Core/ftl/FTLCompile.cpp trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/interpreter/Interpreter.h trunk/Source/_javascript_Core/interpreter/StackVisitor.cpp trunk/Source/_javascript_Core/interpreter/StackVisitor.h trunk/Source/_javascript_Core/jit/CCallHelpers.h trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/jit/JITExceptions.cpp trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/runtime/VM.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (172866 => 172867) --- trunk/Source/_javascript_Core/ChangeLog 2014-08-22 19:39:51 UTC (rev 172866) +++ trunk/Source/_javascript_Core/ChangeLog 2014-08-22 19:54:30 UTC (rev 172867) @@ -1,3 +1,79 @@ +2014-08-21 Michael Saboff msab...@apple.com + +REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test +https://bugs.webkit.org/show_bug.cgi?id=136111 + +Reviewed by Filip Pizlo. + +The problem was that we weren't properly handling VM::topVMEntryFrame in two ways. + +First in the case where we get an exception of a stack overflow during setup of the direct +callee frame of a VM entry frame, we need to throw the exception in the caller's frame. +This requires unrolling topVMEntryFrame while creating the exception object. This is +accomplished with the renamed
[webkit-changes] [172932] trunk/Source/JavaScriptCore
Title: [172932] trunk/Source/_javascript_Core Revision 172932 Author msab...@apple.com Date 2014-08-25 12:32:40 -0700 (Mon, 25 Aug 2014) Log Message After r172867 another crash in js/dom/line-column-numbers.html https://bugs.webkit.org/show_bug.cgi?id=136192 Reviewed by Geoffrey Garen. In lookupExceptionHandlerFromCallerFrame(), we need to use the caller's CallFrame and VMEntryFrame when calling genericUnwind(). NativeCallFrameTracerWithRestore() does that for us. In general, NativeCallFrameTracerWithRestore() restores the values because we may do more processing that requires the current callFrame and vmEntryFrame before we get to the catch handler where we change these to the catch values. In this particular case, that restoration isn't currently needed, but we add complexity and possible future confusion if we create another NativeCallFrameTracerXXX() version that doesn't restore the values. * jit/JITOperations.cpp: (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated before calling genericUnwind(). Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JITOperations.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (172931 => 172932) --- trunk/Source/_javascript_Core/ChangeLog 2014-08-25 18:46:01 UTC (rev 172931) +++ trunk/Source/_javascript_Core/ChangeLog 2014-08-25 19:32:40 UTC (rev 172932)
@@ -1,3 +1,26 @@ +2014-08-22 Michael Saboff msab...@apple.com + +After r172867 another crash in in js/dom/line-column-numbers.html +https://bugs.webkit.org/show_bug.cgi?id=136192 + +Reviewed by Geoffrey Garen. + +In lookupExceptionHandlerFromCallerFrame(), We need to use the caller's CallFrame +and VMEntryFrame when calling genericUnwind(). NativeCallFrameTracerWithRestore() +does that for us. + +In general, NativeCallFrameTracerWithRestore(), restores the values because we may +do more processing that requires the current callFrame and vmEntryFrame before we +get to the catch handler where we change these to the catch values. In this +particular case, that restoration isn't currently needed, but we add complexity +and possible future confusion if we create another NativeCallFrameTracerXXX() +version that doesn't restore the values. + +* jit/JITOperations.cpp: +(JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to +NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated +before calling genericUnwind(). + 2014-08-24 Brian J. Burg b...@cs.washington.edu Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (172931 => 172932) --- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2014-08-25 18:46:01 UTC (rev 172931) +++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2014-08-25 19:32:40 UTC (rev 172932) @@ -1844,7 +1844,7 @@ CallFrame* callerFrame = exec-callerFrame(vmEntryFrame); ASSERT(callerFrame); -NativeCallFrameTracer tracer(vm, callerFrame); +NativeCallFrameTracerWithRestore tracer(vm, vmEntryFrame, callerFrame); JSValue exceptionValue = vm-exception(); ASSERT(exceptionValue); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
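Review bot: the one-line change in lookupExceptionHandlerFromCallerFrame(), `NativeCallFrameTracerWithRestore tracer(vm, vmEntryFrame, callerFrame);`, carries no comment explaining why the tracer must install the caller's CallFrame and VMEntryFrame before genericUnwind() runs, and the observation that the restore on scope exit is currently unnecessary lives only in the ChangeLog. Suggest a short comment above the tracer ("genericUnwind() must see the caller's CallFrame and VMEntryFrame, so use the restoring tracer") so that a later cleanup does not switch it back to plain NativeCallFrameTracer, which per the ChangeLog is what left VM::topVMEntryFrame stale and caused the crash this fixes.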
[webkit-changes] [172959] trunk/Source/JavaScriptCore
Title: [172959] trunk/Source/_javascript_Core Revision 172959 Author msab...@apple.com Date 2014-08-26 08:55:01 -0700 (Tue, 26 Aug 2014) Log Message REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests. https://bugs.webkit.org/show_bug.cgi?id=136165 Reviewed by Mark Hahnenberg. Changed switch case GetDirectPname: to always use the slow path for X86 since it only has 6 registers available, but the code requires 7. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (172958 => 172959) --- trunk/Source/_javascript_Core/ChangeLog 2014-08-26 15:20:15 UTC (rev 172958) +++ trunk/Source/_javascript_Core/ChangeLog 2014-08-26 15:55:01 UTC (rev 172959) @@ -1,3 +1,16 @@ +2014-08-26 Michael Saboff msab...@apple.com + +REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests. +https://bugs.webkit.org/show_bug.cgi?id=136165 + +Reviewed by Mark Hahnenberg. + +Changed switch case GetDirectPname: to always use the slow path for X86 since it only has +6 registers available, but the code requires 7. + +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::compile): + 2014-08-25 Saam Barati sbar...@apple.com TypeProfiler search breaks on return statements Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (172958 => 172959) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-08-26 15:20:15 UTC (rev 172958) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-08-26 15:55:01 UTC (rev 172959) 
@@ -4722,25 +4722,34 @@ case GetDirectPname: { Edge baseEdge = m_jit.graph().varArgChild(node, 0); Edge propertyEdge = m_jit.graph().varArgChild(node, 1); -Edge indexEdge = m_jit.graph().varArgChild(node, 2); -Edge enumeratorEdge = m_jit.graph().varArgChild(node, 3); SpeculateCellOperand base(this, baseEdge); SpeculateCellOperand property(this, propertyEdge); -SpeculateInt32Operand index(this, indexEdge); -SpeculateCellOperand enumerator(this, enumeratorEdge); GPRResult resultPayload(this); GPRResult2 resultTag(this); GPRTemporary scratch(this); GPRReg baseGPR = base.gpr(); GPRReg propertyGPR = property.gpr(); -GPRReg indexGPR = index.gpr(); -GPRReg enumeratorGPR = enumerator.gpr(); GPRReg resultTagGPR = resultTag.gpr(); GPRReg resultPayloadGPR = resultPayload.gpr(); GPRReg scratchGPR = scratch.gpr(); +#if CPU(X86) +// Not enough registers on X86 for this code, so always use the slow path. +flushRegisters(); +m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR); +callOperation(operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR); +#else +Edge indexEdge = m_jit.graph().varArgChild(node, 2); +Edge enumeratorEdge = m_jit.graph().varArgChild(node, 3); + +SpeculateInt32Operand index(this, indexEdge); +SpeculateCellOperand enumerator(this, enumeratorEdge); + +GPRReg indexGPR = index.gpr(); +GPRReg enumeratorGPR = enumerator.gpr(); + // Check the structure m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratchGPR); MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual, 
@@ -4775,6 +4784,7 @@ m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR); addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR)); +#endif jsValueResult(resultTagGPR, resultPayloadGPR, node); break; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
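Review bot: in the `#if CPU(X86)` branch added at the top of the GetDirectPname case, the index and enumerator children (varArgChild 2 and 3) are never read or speculated, whereas the `#else` branch consumes both through SpeculateInt32Operand and SpeculateCellOperand. Please confirm that the DFG's per-edge use accounting accepts a node that leaves two of its vararg children untouched on one architecture, or consume them explicitly in the X86 branch; either way a comment saying the slow call to operationGetByValCell only needs base and property, so those children are intentionally ignored here, would stop the next reader from treating it as an omission.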
[webkit-changes] [172962] trunk/Source/JavaScriptCore
Title: [172962] trunk/Source/_javascript_Core Revision 172962 Author msab...@apple.com Date 2014-08-26 10:34:21 -0700 (Tue, 26 Aug 2014) Log Message REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result https://bugs.webkit.org/show_bug.cgi?id=136187 Reviewed by Mark Hahnenberg. Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that doesn't require a tag for the second argument, instead it fills in a CellTag. This is used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we haven't set up a register with a tag and we know that argument 2 is a cell. * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR with CellTag as it wasn't in the control flow for the slow path that needed the tag. Instead changed to calling new version of callOperation with an implicit CellTag. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (172961 => 172962) --- trunk/Source/_javascript_Core/ChangeLog 2014-08-26 16:46:10 UTC (rev 172961) +++ trunk/Source/_javascript_Core/ChangeLog 2014-08-26 17:34:21 UTC (rev 172962) 
@@ -1,3 +1,22 @@ +2014-08-26 Michael Saboff msab...@apple.com + +REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result +https://bugs.webkit.org/show_bug.cgi?id=136187 + +Reviewed by Mark Hahnenberg. + +Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that +doesn't require a tag for the second argument, instead it fills in a CellTag. This is +used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we +haven't set up a register with a tag and we know that argument 2 is a cell. + +* dfg/DFGSpeculativeJIT.h: +(JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag. +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR +with CellTag as it wasn't in the control flow for the slow path that needed the tag. +Instead changed to calling new version of callOperation with an implicit CellTag. + 2014-08-26 Commit Queue commit-qu...@webkit.org Unreviewed, rolling out r172940. Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (172961 => 172962) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2014-08-26 16:46:10 UTC (rev 172961) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2014-08-26 17:34:21 UTC (rev 172962) 
@@ -1695,6 +1695,11 @@ m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag); return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag); } +JITCompiler::Call callOperation(J_JITOperation_ECJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2Payload) +{ +m_jit.setupArgumentsWithExecState(arg1, arg2Payload, MacroAssembler::TrustedImm32(JSValue::CellTag)); +return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag); +} JITCompiler::Call callOperation(J_JITOperation_ECJ operation, JSValueRegs result, GPRReg arg1, JSValueRegs arg2) { m_jit.setupArgumentsWithExecState(arg1, arg2.payloadGPR(), arg2.tagGPR()); Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (172961 => 172962) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-08-26 16:46:10 UTC (rev 172961) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-08-26 17:34:21 UTC (rev 172962) @@ -4771,8 +4771,7 @@ done.link(m_jit); -m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR); -addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR)); +addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, propertyGPR)); #endif jsValueResult(resultTagGPR, resultPayloadGPR, node); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
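Review bot: the new overload `JITCompiler::Call callOperation(J_JITOperation_ECJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2Payload)` silently substitutes JSValue::CellTag for the second argument, and its parameter list is exactly the tagged overload minus one GPRReg, so a caller that accidentally drops a tag register will resolve to it without any diagnostic. Add a comment on the overload stating that arg2 must be known to be a cell, and consider a distinct name (for example callOperationWithCellArg2) so the choice is explicit at the call site. In the DFGSpeculativeJIT32_64.cpp hunk only the `#else` path is converted; the `#if CPU(X86)` path introduced in r172959 still loads scratchGPR with CellTag and uses the six-argument form, so switching it to the new overload would keep both paths consistent and free a scratch register on the architecture that is short of them.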
[webkit-changes] [172978] trunk/Source/JavaScriptCore
Title: [172978] trunk/Source/_javascript_Core Revision 172978 Author msab...@apple.com Date 2014-08-26 15:08:42 -0700 (Tue, 26 Aug 2014) Log Message [Win] 64-bit _javascript_Core crashes on launch https://bugs.webkit.org/show_bug.cgi?id=136241 Reviewed by Mark Lam. * llint/LowLevelInterpreter.asm: (vmEntryRecord): X86_64_WIN doesn't use a0 (rax) for the first argument, it uses t2 (rcx). Changed to get the input parameter using the correct register. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (172977 => 172978) --- trunk/Source/_javascript_Core/ChangeLog 2014-08-26 21:39:51 UTC (rev 172977) +++ trunk/Source/_javascript_Core/ChangeLog 2014-08-26 22:08:42 UTC (rev 172978) @@ -1,3 +1,14 @@ +2014-08-26 Michael Saboff msab...@apple.com + +[Win] 64-bit _javascript_Core crashes on launch +https://bugs.webkit.org/show_bug.cgi?id=136241 + +Reviewed by Mark Lam. + +* llint/LowLevelInterpreter.asm: +(vmEntryRecord): X86_64_WIN doesn't use a0 (rax) for the first argument, it uses +t2 (rcx). Changed to get the input parameter using the correct register. + 2014-08-26 Saam Barati sbar...@apple.com TypeSet caches structureIDs even after the corresponding Structure could be GCed Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (172977 => 172978) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2014-08-26 21:39:51 UTC (rev 172977) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2014-08-26 22:08:42 UTC (rev 172978) @@ -748,7 +748,7 @@ if X86_64 const entryFrame = t4 const result = t0 -elsif X86 or X86_WIN +elsif X86 or X86_WIN or X86_64_WIN const entryFrame = t2 const result = t0 else ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
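Review bot: `elsif X86 or X86_WIN or X86_64_WIN` in vmEntryRecord now groups the 64-bit Windows build with the 32-bit x86 builds solely because all three read the entry frame argument from t2, while the preceding `if X86_64` branch reads it from t4; without a comment the grouping reads like a typo. Suggest a one-line comment above the elsif saying that on X86_64_WIN the first argument arrives in rcx, which offlineasm names t2 (as the ChangeLog states), so nobody "fixes" it back into the X86_64 branch and reintroduces the launch crash.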
[webkit-changes] [173282] trunk/Source/JavaScriptCore
Title: [173282] trunk/Source/_javascript_Core Revision 173282 Author msab...@apple.com Date 2014-09-04 14:23:38 -0700 (Thu, 04 Sep 2014) Log Message REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux https://bugs.webkit.org/show_bug.cgi?id=136436 Reviewed by Geoffrey Garen. Instead of trying to calculate a stack pointer that allows for possible stacked argument space, just use the home stack pointer location. That stack pointer provides space for the worst case number of stacked arguments on architectures that use stacked arguments. It also provides stack space so that the return PC and caller frame pointer that are stored as part of making the call to operationCallEval will not override any part of the callee frame created on the stack. Changed compileCallEval() to use the stackPointer value of the calling function. That stack pointer is calculated to have enough space for outgoing stacked arguments. By moving the stack pointer to its home position, the caller frame and return PC are not set as part of making the call to operationCallEval(). Moved the explicit setting of the callerFrame field of the callee CallFrame from operationCallEval() to compileCallEval() since it has been the artifact of making a call for most architectures. Simplified the exception logic in compileCallEval() as a result of the change. To be compliant with the stack state expected by virtualCallThunkGenerator(), moved the stack pointer to point above the CallerFrameAndPC of the callee CallFrame. * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...) to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception check. * jit/JITCall.cpp jit/JITCall32_64.cpp: (JSC::JIT::compileCallEval): Use the home stack pointer when making the call to operationCallEval. Since the stack pointer adjustment no longer needs to be done after making the call to operationCallEval(), the exception check logic can be simplified. 
(JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point to above the calleeFrame as this is what the generated thunk expects. * jit/JITInlines.h: (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck with the addition of a standard exception check. (JSC::JIT::callOperationNoExceptionCheck): Deleted. * jit/JITOperations.cpp: (JSC::operationCallEval): Eliminated the explicit setting of caller frame as that is now done in the code generated by compileCallEval(). Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITCall.cpp trunk/Source/_javascript_Core/jit/JITCall32_64.cpp trunk/Source/_javascript_Core/jit/JITInlines.h trunk/Source/_javascript_Core/jit/JITOperations.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (173281 => 173282) --- trunk/Source/_javascript_Core/ChangeLog 2014-09-04 21:20:12 UTC (rev 173281) +++ trunk/Source/_javascript_Core/ChangeLog 2014-09-04 21:23:38 UTC (rev 173282) 
@@ -1,3 +1,48 @@ +2014-09-04 Michael Saboff msab...@apple.com + +REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux +https://bugs.webkit.org/show_bug.cgi?id=136436 + +Reviewed by Geoffrey Garen. + +Instead of trying to calculate a stack pointer that allows for possible +stacked argument space, just use the home stack pointer location. +That stack pointer provides space for the worst case number of stacked +arguments on architectures that use stacked arguments. It also provides +stack space so that the return PC and caller frame pointer that are stored +as part of making the call to operationCallEval will not override any part +of the callee frame created on the stack. + +Changed compileCallEval() to use the stackPointer value of the calling +function. That stack pointer is calculated to have enough space for +outgoing stacked arguments. By moving the stack pointer to its home +position, the caller frame and return PC are not set as part of making +the call to operationCallEval(). Moved the explicit setting of the +callerFrame field of the callee CallFrame from operationCallEval() to +compileCallEval() since it has been the artifact of making a call for +most architectures. Simplified the exception logic in compileCallEval() +as a result of the change. To be compliant with the stack state +expected by virtualCallThunkGenerator(), moved the stack pointer to +point above the CallerFrameAndPC of the callee CallFrame. + +* jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...) +to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception +check. +* jit/JITCall.cpp jit/JITCall32_64.cpp: +(JSC::JIT::compileCallEval): Use the home stack pointer when making the call +to operationCallEval.
[webkit-changes] [173312] trunk/Source/JavaScriptCore
Title: [173312] trunk/Source/_javascript_Core Revision 173312 Author msab...@apple.com Date 2014-09-05 09:17:17 -0700 (Fri, 05 Sep 2014) Log Message ARM: Add more coverage to ARMv7 disassembler https://bugs.webkit.org/show_bug.cgi?id=136565 Reviewed by Mark Lam. Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions VCMP, VCVT[R] between floating point and integer, and VLDR. * disassembler/ARMv7/ARMv7DOpcode.cpp: (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList): (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format): (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format): (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): * disassembler/ARMv7/ARMv7DOpcode.h: (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList): (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit): (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm): (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): 
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/disassembler/ARMv7/ARMv7DOpcode.cpp trunk/Source/_javascript_Core/disassembler/ARMv7/ARMv7DOpcode.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (173311 => 173312) --- trunk/Source/_javascript_Core/ChangeLog 2014-09-05 14:18:06 UTC (rev 173311) +++ trunk/Source/_javascript_Core/ChangeLog 2014-09-05 16:17:17 UTC (rev 173312) 
@@ -1,3 +1,45 @@ +2014-09-04 Michael Saboff msab...@apple.com + +ARM: Add more coverage to ARMv7 disassembler +https://bugs.webkit.org/show_bug.cgi?id=136565 + +Reviewed by Mark Lam. + +Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions +VCMP, VCVT[R] between floating point and integer, and VLDR. + +* disassembler/ARMv7/ARMv7DOpcode.cpp: +(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList): +(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format): +(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): +* disassembler/ARMv7/ARMv7DOpcode.h: +(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList): +(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): +(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): 
+(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): +
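The r173312 entry above lists the disassembler functions added for PUSH/POP multiple, but the code diff is cut off on this page. As an added example, not code from WebKit's ARMv7 disassembler, here is a small C++ decoder for the Thumb PUSH/POP encodings (the 16-bit T1 forms and the 32-bit T2 PUSH.W/POP.W forms) that formats the register list the way a disassembler prints it. The function names and the halfword-pair interface are my own; the bit layouts are the ones documented in the ARM Architecture Reference Manual for PUSH (T1/T2) and POP (T1/T2), and the sample encodings in main() are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Added example (not WebKit code): decoding the Thumb PUSH/POP register-list
// encodings, as an ARMv7 disassembler must do for "push multiple"/"pop multiple".
//
// 16-bit (T1):  PUSH  1011 010 M register_list[7:0]  -> 0xB400 | M<<8 | list
//               POP   1011 110 P register_list[7:0]  -> 0xBC00 | P<<8 | list
// 32-bit (T2):  PUSH.W hw1 = 0xE92D, hw2 = (0) M (0) register_list[12:0]
//               POP.W  hw1 = 0xE8BD, hw2 =  P  M (0) register_list[12:0]
// M adds LR (r14), P adds PC (r15); bit 13 of hw2 (SP) is reserved in both.

static std::string registerName(unsigned reg)
{
    switch (reg) {
    case 13: return "sp";
    case 14: return "lr";
    case 15: return "pc";
    default: return "r" + std::to_string(reg);
    }
}

// Formats a 16-bit register mask (bit n set => rn is in the list) as "{r4, r5, lr}".
std::string formatRegisterList(uint16_t mask)
{
    std::string out = "{";
    for (unsigned reg = 0; reg < 16; ++reg) {
        if (!(mask & (1u << reg)))
            continue;
        if (out.size() > 1)
            out += ", ";
        out += registerName(reg);
    }
    return out + "}";
}

// Decodes a 16-bit Thumb PUSH/POP (encoding T1). Returns "" if hw is not one.
std::string disassemblePushPop16(uint16_t hw)
{
    uint16_t list = hw & 0x00FF;
    bool extra = (hw & 0x0100) != 0; // M for PUSH (adds lr), P for POP (adds pc)
    if ((hw & 0xFE00) == 0xB400)
        return "push " + formatRegisterList(list | (extra ? 1u << 14 : 0u));
    if ((hw & 0xFE00) == 0xBC00)
        return "pop " + formatRegisterList(list | (extra ? 1u << 15 : 0u));
    return "";
}

// Decodes a 32-bit Thumb-2 PUSH.W/POP.W (encoding T2) from its two halfwords in
// instruction-stream order. Returns "" if the pair is not one of these encodings
// or a reserved bit is set, which is what a disassembler should report rather
// than guessing.
std::string disassemblePushPop32(uint16_t hw1, uint16_t hw2)
{
    if (hw1 == 0xE92D) {
        // PUSH.W: bit 15 (PC) and bit 13 (SP) of hw2 must be zero.
        if (hw2 & 0xA000)
            return "";
        return "push.w " + formatRegisterList(hw2);
    }
    if (hw1 == 0xE8BD) {
        // POP.W: bit 13 (SP) of hw2 must be zero.
        if (hw2 & 0x2000)
            return "";
        return "pop.w " + formatRegisterList(hw2);
    }
    return "";
}

int main()
{
    // Constructed sample encodings: a typical Thumb prologue/epilogue pair.
    std::printf("%s\n", disassemblePushPop16(0xB510).c_str());         // push {r4, lr}
    std::printf("%s\n", disassemblePushPop32(0xE92D, 0x40F0).c_str()); // push.w {r4, r5, r6, r7, lr}
    std::printf("%s\n", disassemblePushPop32(0xE8BD, 0x80F0).c_str()); // pop.w {r4, r5, r6, r7, pc}
    return 0;
}
```

The reserved-bit checks matter for a disassembler used on untrusted or JIT-emitted code: an encoding with bit 13 or (for PUSH.W) bit 15 set is not a valid push/pop, and printing it as one would mislead anyone auditing the generated instruction stream.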
[webkit-changes] [173330] trunk/LayoutTests
Title: [173330] trunk/LayoutTests Revision 173330 Author msab...@apple.com Date 2014-09-05 13:05:32 -0700 (Fri, 05 Sep 2014) Log Message ARM32 iOS: JSC Test math.js fails https://bugs.webkit.org/show_bug.cgi?id=136261 Reviewed by Geoffrey Garen. Split out the failing tests to a new test script math-denorm.js. Added check at the top of the new file to skip the tests when running on ARM for iOS. * js/math-denorm-expected.txt: Added. * js/math-expected.txt: * js/script-tests/math-denorm.js: Added. * js/script-tests/math.js: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/math-expected.txt trunk/LayoutTests/js/script-tests/math.js Added Paths trunk/LayoutTests/js/math-denorm-expected.txt trunk/LayoutTests/js/script-tests/math-denorm.js Diff Modified: trunk/LayoutTests/ChangeLog (173329 => 173330) --- trunk/LayoutTests/ChangeLog 2014-09-05 20:05:19 UTC (rev 173329) +++ trunk/LayoutTests/ChangeLog 2014-09-05 20:05:32 UTC (rev 173330) @@ -1,3 +1,18 @@ +2014-09-04 Michael Saboff msab...@apple.com + +ARM32 iOS: JSC Test math.js fails +https://bugs.webkit.org/show_bug.cgi?id=136261 + +Reviewed by Geoffrey Garen. + +Split out the failing tests to a new test script math-denorm.js. Added check +at the top of the new file to skip the tests when running on ARM for iOS. + +* js/math-denorm-expected.txt: Added. +* js/math-expected.txt: +* js/script-tests/math-denorm.js: Added. +* js/script-tests/math.js: + 2014-09-05 Benjamin Poulain benja...@webkit.org Update the current matching of :read-only and :read-write to the latest spec Added: trunk/LayoutTests/js/math-denorm-expected.txt (0 => 173330) --- trunk/LayoutTests/js/math-denorm-expected.txt (rev 0) +++ trunk/LayoutTests/js/math-denorm-expected.txt 2014-09-05 20:05:32 UTC (rev 173330) 
@@ -0,0 +1,13 @@ +This test checks the behavior of the Math.ceil and Math.floor on denormalized FP values. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS Math.ceil(Number.MIN_VALUE) is 1 +PASS Math.ceil(-Number.MIN_VALUE) is -0 +PASS Math.floor(Number.MIN_VALUE) is 0 +PASS Math.floor(-Number.MIN_VALUE) is -1 +PASS successfullyParsed is true + +TEST COMPLETE + Modified: trunk/LayoutTests/js/math-expected.txt (173329 => 173330) --- trunk/LayoutTests/js/math-expected.txt 2014-09-05 20:05:19 UTC (rev 173329) +++ trunk/LayoutTests/js/math-expected.txt 2014-09-05 20:05:32 UTC (rev 173330) @@ -53,8 +53,6 @@ PASS Math.ceil(-1) is -1 PASS Math.ceil(1.1) is 2 PASS Math.ceil(-1.1) is -1 -PASS Math.ceil(Number.MIN_VALUE) is 1 -PASS Math.ceil(-Number.MIN_VALUE) is -0 PASS Math.ceil(Number.MAX_VALUE) is Number.MAX_VALUE PASS Math.ceil(-Number.MAX_VALUE) is -Number.MAX_VALUE PASS Math.ceil(Infinity) is Infinity @@ -77,8 +75,6 @@ PASS Math.floor(-1) is -1 PASS Math.floor(1.1) is 1 PASS Math.floor(-1.1) is -2 -PASS Math.floor(Number.MIN_VALUE) is 0 -PASS Math.floor(-Number.MIN_VALUE) is -1 PASS Math.floor(Number.MAX_VALUE) is Number.MAX_VALUE PASS Math.floor(-Number.MAX_VALUE) is -Number.MAX_VALUE PASS Math.floor(Infinity) is Infinity Added: trunk/LayoutTests/js/script-tests/math-denorm.js (0 => 173330) --- trunk/LayoutTests/js/script-tests/math-denorm.js (rev 0) +++ trunk/LayoutTests/js/script-tests/math-denorm.js 2014-09-05 20:05:32 UTC (rev 173330) 
@@ -0,0 +1,9 @@ +//@ skip if $architecture == arm and $hostOS == darwin + +description(This test checks the behavior of the Math.ceil and Math.floor on denormalized FP values.); + +shouldBe(Math.ceil(Number.MIN_VALUE), 1); +shouldBe(Math.ceil(-Number.MIN_VALUE), -0); + +shouldBe(Math.floor(Number.MIN_VALUE), 0); +shouldBe(Math.floor(-Number.MIN_VALUE), -1); Modified: trunk/LayoutTests/js/script-tests/math.js (173329 => 173330) --- trunk/LayoutTests/js/script-tests/math.js 2014-09-05 20:05:19 UTC (rev 173329) +++ trunk/LayoutTests/js/script-tests/math.js 2014-09-05 20:05:32 UTC (rev 173330) @@ -90,8 +90,6 @@ shouldBe(Math.ceil(-1), -1); shouldBe(Math.ceil(1.1), 2); shouldBe(Math.ceil(-1.1), -1); -shouldBe(Math.ceil(Number.MIN_VALUE), 1); -shouldBe(Math.ceil(-Number.MIN_VALUE), -0); shouldBe(Math.ceil(Number.MAX_VALUE), Number.MAX_VALUE); shouldBe(Math.ceil(-Number.MAX_VALUE), -Number.MAX_VALUE); shouldBe(Math.ceil(Infinity), Infinity); @@ -117,8 +115,6 @@ shouldBe(Math.floor(-1), -1); shouldBe(Math.floor(1.1), 1); shouldBe(Math.floor(-1.1), -2); -shouldBe(Math.floor(Number.MIN_VALUE), 0); -shouldBe(Math.floor(-Number.MIN_VALUE), -1); shouldBe(Math.floor(Number.MAX_VALUE), Number.MAX_VALUE); shouldBe(Math.floor(-Number.MAX_VALUE), -Number.MAX_VALUE); shouldBe(Math.floor(Infinity), Infinity); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
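Review bot: the `//@ skip if $architecture == arm and $hostOS == darwin` line in math-denorm.js records the skip but not the reason, so the file gives a future reader no way to tell whether the skip is still needed. Add a comment with the bug URL (https://bugs.webkit.org/show_bug.cgi?id=136261) and one sentence on what fails (Math.ceil/Math.floor of Number.MIN_VALUE on ARM32 iOS), so the skip gets revisited once the platform issue is resolved rather than silently hiding a conformance difference; the split itself is the right move, since the four denormal assertions no longer block the rest of math.js.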
[webkit-changes] [173541] trunk/Source
Title: [173541] trunk/Source Revision 173541 Author msab...@apple.com Date 2014-09-11 14:52:33 -0700 (Thu, 11 Sep 2014) Log Message Move JSScope out of JSFunction into separate JSCallee class https://bugs.webkit.org/show_bug.cgi?id=136725 Reviewed by Oliver Hunt. Created new JSCallee class that contains a JSScope*. Changed JSFunction to inherit from JSCallee. Source/_javascript_Core: * CMakeLists.txt: * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: Build changes. Added JSCallee.cpp and JSCallee.h. * runtime/JSCallee.cpp: Added. (JSC::JSCallee::create): (JSC::JSCallee::destroy): (JSC::JSCallee::JSCallee): (JSC::JSCallee::finishCreation): (JSC::JSCallee::visitChildren): (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function. (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function. (JSC::JSCallee::put): Pass through wrapper function. (JSC::JSCallee::deleteProperty): Pass through wrapper function. (JSC::JSCallee::defineOwnProperty): Pass through wrapper function. * runtime/JSCallee.h: Added. (JSC::JSCallee::scope): (JSC::JSCallee::scopeUnchecked): (JSC::JSCallee::setScope): (JSC::JSCallee::createStructure): (JSC::JSCallee::offsetOfScopeChain): * runtime/JSFunction.cpp: (JSC::JSFunction::JSFunction): (JSC::JSFunction::addNameScopeIfNeeded): (JSC::JSFunction::visitChildren): * runtime/JSFunction.h: (JSC::JSFunction::scope): Deleted. (JSC::JSFunction::scopeUnchecked): Deleted. (JSC::JSFunction::setScope): Deleted. (JSC::JSFunction::offsetOfScopeChain): Deleted. * runtime/JSFunctionInlines.h: (JSC::JSFunction::JSFunction): Changed to reference JSCallee and its methods. * runtime/JSType.h: Added JSCallee as a TypeEnum. Source/WebCore: * ForwardingHeaders/runtime/JSCallee.h: New forwarding header. 
Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/runtime/JSFunction.cpp trunk/Source/_javascript_Core/runtime/JSFunction.h trunk/Source/_javascript_Core/runtime/JSFunctionInlines.h trunk/Source/_javascript_Core/runtime/JSType.h trunk/Source/WebCore/ChangeLog Added Paths trunk/Source/_javascript_Core/runtime/JSCallee.cpp trunk/Source/_javascript_Core/runtime/JSCallee.h trunk/Source/WebCore/ForwardingHeaders/runtime/JSCallee.h Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (173540 => 173541) --- trunk/Source/_javascript_Core/CMakeLists.txt 2014-09-11 21:45:45 UTC (rev 173540) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2014-09-11 21:52:33 UTC (rev 173541) @@ -438,11 +438,13 @@ runtime/JSBoundFunction.cpp runtime/JSGlobalObjectDebuggable.cpp runtime/JSCJSValue.cpp +runtime/JSCallee.cpp runtime/JSCell.cpp runtime/JSConsole.cpp runtime/JSDataView.cpp runtime/JSDataViewPrototype.cpp runtime/JSDateMath.cpp +runtime/JSEnvironmentRecord.cpp runtime/JSFunction.cpp runtime/JSGlobalObject.cpp runtime/JSGlobalObjectFunctions.cpp @@ -471,7 +473,6 @@ runtime/JSTypedArrayConstructors.cpp runtime/JSTypedArrayPrototypes.cpp runtime/JSTypedArrays.cpp -runtime/JSEnvironmentRecord.cpp runtime/JSWeakMap.cpp runtime/JSWithScope.cpp runtime/JSWrapperObject.cpp Modified: trunk/Source/_javascript_Core/ChangeLog (173540 => 173541) --- trunk/Source/_javascript_Core/ChangeLog 2014-09-11 21:45:45 UTC (rev 173540) +++ trunk/Source/_javascript_Core/ChangeLog 2014-09-11 21:52:33 UTC (rev 173541) 
@@ -1,3 +1,53 @@ +2014-09-10 Michael Saboff msab...@apple.com + +Move JSScope out of JSFunction into separate JSCallee class +https://bugs.webkit.org/show_bug.cgi?id=136725 + +Reviewed by Oliver Hunt. + +Created new JSCallee class that contains a JSScope*. Changed JSFunction to inherit from +JSCallee. + +* CMakeLists.txt: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* _javascript_Core.xcodeproj/project.pbxproj: +Build changes. Added JSCallee.cpp and JSCallee.h. + +* runtime/JSCallee.cpp: Added. +(JSC::JSCallee::create): +(JSC::JSCallee::destroy): +(JSC::JSCallee::JSCallee): +(JSC::JSCallee::finishCreation): +(JSC::JSCallee::visitChildren): +(JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function. +(JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function. +(JSC::JSCallee::put): Pass through wrapper function. +(JSC::JSCallee::deleteProperty): Pass through wrapper function. +
[webkit-changes] [173550] trunk/Tools
Title: [173550] trunk/Tools Revision 173550 Author msab...@apple.com Date 2014-09-11 18:04:05 -0700 (Thu, 11 Sep 2014) Log Message lldb_webkit.py:btjs doesn't work with release builds https://bugs.webkit.org/show_bug.cgi?id=136760 Reviewed by Jer Noble. If we can't get a result calling JSC::ExecState::describeFrame(), try calling the mangled name _ZN3JSC9ExecState13describeFrameEv. Also cleaned up the handling if we can't get a valid result from trying either call. In that case, we fallback to just showing the PC. Also added check for both entry points. If neither is found, we issue a warning and output the stack trace without _javascript_ annotations. * lldb/lldb_webkit.py: (btjs): Modified Paths trunk/Tools/ChangeLog trunk/Tools/lldb/lldb_webkit.py Diff Modified: trunk/Tools/ChangeLog (173549 => 173550) --- trunk/Tools/ChangeLog 2014-09-12 00:40:09 UTC (rev 173549) +++ trunk/Tools/ChangeLog 2014-09-12 01:04:05 UTC (rev 173550) @@ -1,3 +1,19 @@ +2014-09-11 Michael Saboff msab...@apple.com + +lldb_webkit.py:btjs doesn't work with release builds +https://bugs.webkit.org/show_bug.cgi?id=136760 + +Reviewed by Jer Noble. + +If we can't get a result calling JSC::ExecState::describeFrame(), try calling the +mangled name _ZN3JSC9ExecState13describeFrameEv. Also cleaned up the handling if +we can't get a valid result from trying either call. In that case, we fallback to +just showing the PC. Also added check for both entry points. If neither is found, +we issue a warning and output the stack trace without _javascript_ annotations. + +* lldb/lldb_webkit.py: +(btjs): + 2014-09-11 Rebecca Hauck rha...@adobe.com webkitpy test failures from import-w3c-tests Modified: trunk/Tools/lldb/lldb_webkit.py (173549 => 173550) --- trunk/Tools/lldb/lldb_webkit.py 2014-09-12 00:40:09 UTC (rev 173549) +++ trunk/Tools/lldb/lldb_webkit.py 2014-09-12 01:04:05 UTC (rev 173550) 
@@ -109,6 +109,14 @@ process = target.GetProcess() thread = process.GetSelectedThread() +if target.FindFunctions(JSC::ExecState::describeFrame).GetSize() or target.FindFunctions(_ZN3JSC9ExecState13describeFrameEv).GetSize(): +annotateJSFrames = True +else: +annotateJSFrames = False + +if not annotateJSFrames: +print Warning: Can't find JSC::ExecState::describeFrame() in executable to annotate _javascript_ frames + backtraceDepth = thread.GetNumFrames() if len(command) == 1: @@ -128,14 +136,17 @@ function = frame.GetFunction() -if not frame or not frame.GetSymbol() or frame.GetSymbol().GetName() == llint_entry: +if annotateJSFrames and not frame or not frame.GetSymbol() or frame.GetSymbol().GetName() == llint_entry: callFrame = frame.GetSP() -JSFrameDescription = frame.EvaluateExpression(((JSC::CallFrame*)0x%x)-describeFrame() % frame.GetFP()).GetSummary() -JSFrameDescription = string.strip(JSFrameDescription, '') -frameFormat = 'frame #{num}: {addr:' + addressFormat + '} {desc}' -print frameFormat.format(num=frame.GetFrameID(), addr=frame.GetPC(), desc=JSFrameDescription) -else: -print '%s' % frame +JSFrameDescription = frame.EvaluateExpression(((JSC::ExecState*)0x%x)-describeFrame() % frame.GetFP()).GetSummary() +if not JSFrameDescription: +JSFrameDescription = frame.EvaluateExpression((char*)_ZN3JSC9ExecState13describeFrameEv(0x%x) % frame.GetFP()).GetSummary() +if JSFrameDescription: +JSFrameDescription = string.strip(JSFrameDescription, '') +frameFormat = 'frame #{num}: {addr:' + addressFormat + '} {desc}' +print frameFormat.format(num=frame.GetFrameID(), addr=frame.GetPC(), desc=JSFrameDescription) +continue +print '%s' % frame # FIXME: Provide support for the following types: # def WTFVector_SummaryProvider(valobj, dict): ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
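Review bot: In the second hunk the rewritten condition `if annotateJSFrames and not frame or not frame.GetSymbol() or frame.GetSymbol().GetName() == llint_entry:` does not enforce the `annotateJSFrames` flag the first hunk introduces: Python binds `and` tighter than `or`, so it parses as `(annotateJSFrames and not frame) or not frame.GetSymbol() or ...`. When `describeFrame` is missing and the flag is False, a symbol-less or `llint_entry` frame still takes the annotation path and both `EvaluateExpression` calls run and fail, which is exactly the release-build case the new warning is for; and if `frame` is falsy, `frame.GetSymbol()` is no longer short-circuited and raises. Parenthesise it as `if annotateJSFrames and (not frame or not frame.GetSymbol() or frame.GetSymbol().GetName() == llint_entry):`. The mangled-name fallback `(char*)_ZN3JSC9ExecState13describeFrameEv(0x%x)` calls into the debuggee with the frame pointer passed as the implicit `this`; a one-line comment saying so would spare the next reader the puzzle of the cast.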
[webkit-changes] [173600] trunk/Source/JavaScriptCore
Title: [173600] trunk/Source/JavaScriptCore Revision 173600 Author msab...@apple.com Date 2014-09-12 22:21:44 -0700 (Fri, 12 Sep 2014) Log Message Add JSCallee to program and eval CallFrames https://bugs.webkit.org/show_bug.cgi?id=136785 Reviewed by Mark Lam. Populated the Callee slot for program and call eval CallFrames with JSCallee objects. Made supporting changes including adding a JSCallee structure to the global object and adding a JSCallee::create() method. Added code so that the newly added callee object won't be returned by Function.caller. Changed null pointer checks of the callee to check whether the type is JSFunction* or JSCallee*. * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::functionName): (JSC::DebuggerCallFrame::type): * profiler/LegacyProfiler.cpp: (JSC::LegacyProfiler::createCallIdentifier): * interpreter/Interpreter.cpp: (JSC::unwindCallFrame): Changed checks to test whether the callee is a JSFunction* or JSCallee* instead of just checking whether it is null. * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...) and execute(ProgramExecutable, ...). * jit/JITCode.cpp: (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions. * runtime/JSCallee.cpp: (JSC::JSCallee::create): Not used, therefore deleted. * runtime/JSCallee.h: (JSC::JSCallee::create): Added. * runtime/JSFunction.cpp: (JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't JSFunctions. This can only be the case when the JSCallee comes from a program or call eval CallFrame. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::calleeStructure): Added new JSCallee structure.
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/debugger/DebuggerCallFrame.cpp trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/jit/JITCode.cpp trunk/Source/_javascript_Core/profiler/LegacyProfiler.cpp trunk/Source/_javascript_Core/runtime/JSCallee.cpp trunk/Source/_javascript_Core/runtime/JSCallee.h trunk/Source/_javascript_Core/runtime/JSFunction.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (173599 => 173600) --- trunk/Source/_javascript_Core/ChangeLog 2014-09-13 02:18:56 UTC (rev 173599) +++ trunk/Source/_javascript_Core/ChangeLog 2014-09-13 05:21:44 UTC (rev 173600) 
@@ -1,3 +1,51 @@ +2014-09-12 Michael Saboff msab...@apple.com + +Add JSCallee to program and eval CallFrames +https://bugs.webkit.org/show_bug.cgi?id=136785 + +Reviewed by Mark Lam. + +Populated Callee slot for program and call eval CallFrames with a JSCallee objects. +Made supporting changes including adding a JSCallee structure to global object and adding +JSCallee::create() method. Added code so that the newly added callee object won't be +returned by Function.caller. Changed null pointer checks of callee to check the if +the type is JSFunction* or JSCallee*. + +* debugger/DebuggerCallFrame.cpp: +(JSC::DebuggerCallFrame::functionName): +(JSC::DebuggerCallFrame::type): +* profiler/LegacyProfiler.cpp: +(JSC::LegacyProfiler::createCallIdentifier): +* interpreter/Interpreter.cpp: +(JSC::unwindCallFrame): +Changed checks of callee is a JSFunction* or JSCallee* instead of just checking +if it is null or not. + +* interpreter/Interpreter.cpp: +(JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...) +and execute(ProgramExecutable, ...) + +* jit/JITCode.cpp: +(JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions. + +* runtime/JSCallee.cpp: +(JSC::JSCallee::create): Not used, therefore deleted. + +* runtime/JSCallee.h: +(JSC::JSCallee::create): Added. + +* runtime/JSFunction.cpp: +(JSC::JSFunction::callerGetter): Added test to return null for JSCallee's that aren't +JSFunction's. This can only be the case when the JSCallee comes from a program or +call eval CallFrame. + +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::reset): +(JSC::JSGlobalObject::visitChildren): +* runtime/JSGlobalObject.h: +(JSC::JSGlobalObject::calleeStructure): +Added new JSCallee structure. 
+ 2014-09-10 Jon Honeycutt jhoneyc...@apple.com Re-add the request autocomplete feature Modified: trunk/Source/_javascript_Core/debugger/DebuggerCallFrame.cpp (173599 => 173600) --- trunk/Source/_javascript_Core/debugger/DebuggerCallFrame.cpp 2014-09-13 02:18:56 UTC (rev 173599) +++ trunk/Source/_javascript_Core/debugger/DebuggerCallFrame.cpp 2014-09-13 05:21:44
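Review bot: The ChangeLog entry says `JSFunction::callerGetter` now returns null for a JSCallee that is not a JSFunction, so the new program/eval callee is never handed to script through `Function.caller`, but no test is listed for that. A small JS test that calls a function from top-level program code and from inside `eval` and asserts `f.caller === null` in both cases would pin the behaviour down; handing an engine-internal callee object to script would be the obvious regression for this change, and nothing else on this list would catch it. The two opposite `JSCallee::create` lines (deleted in JSCallee.cpp, added in JSCallee.h) read more clearly as "moved inline" than as "Not used, therefore deleted".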
[webkit-changes] [173601] trunk/Source/JavaScriptCore
Title: [173601] trunk/Source/_javascript_Core Revision 173601 Author msab...@apple.com Date 2014-09-13 09:26:04 -0700 (Sat, 13 Sep 2014) Log Message Merge JSGlobalObject::reset() into ::init() https://bugs.webkit.org/show_bug.cgi?id=136800 Reviewed by Oliver Hunt. Moved the contents of reset() into init(). Note that the diff shows more changes. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): Moved body of reset() into init. (JSC::JSGlobalObject::put): (JSC::JSGlobalObject::defineOwnProperty): (JSC::JSGlobalObject::addGlobalVar): (JSC::JSGlobalObject::addFunction): (JSC::lastInPrototypeChain): (JSC::JSGlobalObject::reset): Deleted. * runtime/JSGlobalObject.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (173600 => 173601) --- trunk/Source/_javascript_Core/ChangeLog 2014-09-13 05:21:44 UTC (rev 173600) +++ trunk/Source/_javascript_Core/ChangeLog 2014-09-13 16:26:04 UTC (rev 173601) 
@@ -1,5 +1,25 @@ 2014-09-12 Michael Saboff msab...@apple.com +Merge JSGlobalObject::reset() into ::init() +https://bugs.webkit.org/show_bug.cgi?id=136800 + +Reviewed by Oliver Hunt. + +Moved the contents of reset() into init(). +Note that the diff shows more changes. + +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::init): Moved body of reset() into init. +(JSC::JSGlobalObject::put): +(JSC::JSGlobalObject::defineOwnProperty): +(JSC::JSGlobalObject::addGlobalVar): +(JSC::JSGlobalObject::addFunction): +(JSC::lastInPrototypeChain): +(JSC::JSGlobalObject::reset): Deleted. +* runtime/JSGlobalObject.h: + +2014-09-12 Michael Saboff msab...@apple.com + Add JSCallee to program and eval CallFrames https://bugs.webkit.org/show_bug.cgi?id=136785 Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (173600 => 173601) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2014-09-13 05:21:44 UTC (rev 173600) +++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2014-09-13 16:26:04 UTC (rev 173601) 
@@ -215,70 +215,9 @@ m_consoleClient = m_inspectorController-consoleClient(); #endif -reset(prototype()); -} - -void JSGlobalObject::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot slot) -{ -JSGlobalObject* thisObject = jsCastJSGlobalObject*(cell); -ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(thisObject)); - -if (symbolTablePut(thisObject, exec, propertyName, value, slot.isStrictMode())) -return; -Base::put(thisObject, exec, propertyName, value, slot); -} - -bool JSGlobalObject::defineOwnProperty(JSObject* object, ExecState* exec, PropertyName propertyName, const PropertyDescriptor descriptor, bool shouldThrow) -{ -JSGlobalObject* thisObject = jsCastJSGlobalObject*(object); -PropertySlot slot(thisObject); -// silently ignore attempts to add accessors aliasing vars. -if (descriptor.isAccessorDescriptor() symbolTableGet(thisObject, propertyName, slot)) -return false; -return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow); -} - -JSGlobalObject::NewGlobalVar JSGlobalObject::addGlobalVar(const Identifier ident, ConstantMode constantMode) -{ -ConcurrentJITLocker locker(symbolTable()-m_lock); -int index = symbolTable()-size(locker); -SymbolTableEntry newEntry(index, (constantMode == IsConstant) ? ReadOnly : 0); -if (constantMode == IsVariable) -newEntry.prepareToWatch(symbolTable()); -SymbolTable::Map::AddResult result = symbolTable()-add(locker, ident.impl(), newEntry); -if (result.isNewEntry) -addRegisters(1); -else -index = result.iterator-value.getIndex(); -NewGlobalVar var; -var.registerNumber = index; -var.set = result.iterator-value.watchpointSet(); -return var; -} - -void JSGlobalObject::addFunction(ExecState* exec, const Identifier propertyName, JSValue value) -{ -VM vm = exec-vm(); -removeDirect(vm, propertyName); // Newly declared functions overwrite existing properties. 
-NewGlobalVar var = addGlobalVar(propertyName, IsVariable); -registerAt(var.registerNumber).set(exec-vm(), this, value); -if (var.set) -var.set-notifyWrite(vm, value, VariableWriteFireDetail(this, propertyName)); -} - -static inline JSObject* lastInPrototypeChain(JSObject* object) -{ -JSObject* o = object; -while (o-prototype().isObject()) -o = asObject(o-prototype()); -return o; -} - -void JSGlobalObject::reset(JSValue prototype) -{ ExecState* exec = JSGlobalObject::globalExec(); VM vm = exec-vm(); - + m_functionPrototype.set(vm, this, FunctionPrototype::create(vm, FunctionPrototype::createStructure(vm, this,
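Review bot: The removal here of `JSGlobalObject::put`, `defineOwnProperty`, `addGlobalVar`, `addFunction` and `lastInPrototypeChain` goes beyond the "moved reset() into init()" the ChangeLog describes, and the diff as shown stops before their re-added copies, so the point to confirm in review is that those five bodies are re-inserted verbatim rather than edited in passing. Two lines in particular are security-relevant and would not announce themselves if they changed: the early `return false` in `defineOwnProperty` for an accessor descriptor that aliases a symbol-table var, and the `removeDirect(vm, propertyName); // Newly declared functions overwrite existing properties.` in `addFunction` before the register write. Marking these functions in the ChangeLog as "moved, unchanged" (or splitting the pure move into its own commit) would make the relocation easy to verify.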
[webkit-changes] [173636] trunk/Source/JavaScriptCore
Title: [173636] trunk/Source/_javascript_Core Revision 173636 Author msab...@apple.com Date 2014-09-15 15:58:54 -0700 (Mon, 15 Sep 2014) Log Message Create a JSCallee for GlobalExec object https://bugs.webkit.org/show_bug.cgi?id=136840 Reviewed by Geoffrey Garen. Added m_globalCallee, initialized it and then used it to set the globalExec's callee. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (173635 => 173636) --- trunk/Source/_javascript_Core/ChangeLog 2014-09-15 22:52:47 UTC (rev 173635) +++ trunk/Source/_javascript_Core/ChangeLog 2014-09-15 22:58:54 UTC (rev 173636) @@ -1,3 +1,17 @@ +2014-09-15 Michael Saboff msab...@apple.com + +Create a JSCallee for GlobalExec object +https://bugs.webkit.org/show_bug.cgi?id=136840 + +Reviewed by Geoffrey Garen. + +Added m_globalCallee, initialized it and then used it to set the globalExec's callee. + +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::init): +(JSC::JSGlobalObject::visitChildren): +* runtime/JSGlobalObject.h: + 2014-09-14 Filip Pizlo fpi...@apple.com DFG ref count calculation should be reusable Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (173635 => 173636) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2014-09-15 22:52:47 UTC (rev 173635) +++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2014-09-15 22:58:54 UTC (rev 173636) 
@@ -220,6 +220,11 @@ m_functionPrototype.set(vm, this, FunctionPrototype::create(vm, FunctionPrototype::createStructure(vm, this, jsNull(; // The real prototype will be set once ObjectPrototype is created. m_calleeStructure.set(vm, this, JSCallee::createStructure(vm, this, jsNull())); + +// Need to create the callee structure (above) before creating the callee. +m_globalCallee.set(vm, this, JSCallee::create(vm, this, this)); +exec-setCallee(m_globalCallee.get()); + m_functionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get())); m_boundFunctionStructure.set(vm, this, JSBoundFunction::createStructure(vm, this, m_functionPrototype.get())); m_namedFunctionStructure.set(vm, this, Structure::addPropertyTransition(vm, m_functionStructure.get(), vm.propertyNames-name, DontDelete | ReadOnly | DontEnum, m_functionNameOffset)); @@ -634,6 +639,7 @@ visitor.append(thisObject-m_globalThis); +visitor.append(thisObject-m_globalCallee); visitor.append(thisObject-m_regExpConstructor); visitor.append(thisObject-m_errorConstructor); visitor.append(thisObject-m_evalErrorConstructor); Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (173635 => 173636) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2014-09-15 22:52:47 UTC (rev 173635) +++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2014-09-15 22:58:54 UTC (rev 173636) @@ -160,6 +160,7 @@ WriteBarrierJSObject m_globalThis; +WriteBarrierJSObject m_globalCallee; WriteBarrierRegExpConstructor m_regExpConstructor; WriteBarrierErrorConstructor m_errorConstructor; WriteBarrierNativeErrorConstructor m_evalErrorConstructor;
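Review bot: `m_globalCallee` is declared with the same `WriteBarrier<JSObject>` type as `m_globalThis` in the JSGlobalObject.h hunk although it only ever holds the `JSCallee` created in init(); declaring it `WriteBarrier<JSCallee>` would let any later user of the global callee rely on the type without a cast. The ordering in the .cpp hunk is right: `m_calleeStructure` is set before `JSCallee::create(vm, this, this)`, and `visitChildren` gains the matching `visitor.append(thisObject->m_globalCallee)`, so the callee cannot be collected from under the global ExecState. The comment "Need to create the callee structure (above) before creating the callee" states the obvious; the useful comment is why the global exec needs a callee at all.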
[webkit-changes] [173706] trunk/Source/JavaScriptCore
Title: [173706] trunk/Source/JavaScriptCore Revision 173706 Author msab...@apple.com Date 2014-09-17 15:34:14 -0700 (Wed, 17 Sep 2014) Log Message Change CallFrame to use Callee instead of JSScope to implement vm() https://bugs.webkit.org/show_bug.cgi?id=136894 Reviewed by Geoffrey Garen. Added a JSCell::vm() method that can be used on any JSObject. Changed CallFrame::vm() to use JSCell::vm with the Callee. Made similar changes in the LLInt. In support of this, changed JSGlobalObject::init() to take a VM parameter, as there is a chicken/egg problem with trying to use the Callee in the global exec before the Callee has been created. Besides, the vm is readily available in finishCreation(), the caller of init(). * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Changed the calculation of CallFrame::VM to use the Callee instead of JSScope. * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::vm): New method for getting the VM from the pointer. (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file contains the implementation of JSCell::vm(), this file is included by all users of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing many other .h files and possibly the WebCore generator generate-bindings.pl. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::finishCreation): Changed init() to take a VM parameter. * runtime/JSScope.h: (JSC::ExecState::vm): Deleted.
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/runtime/JSCell.h trunk/Source/_javascript_Core/runtime/JSCellInlines.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/JSScope.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (173705 => 173706) --- trunk/Source/_javascript_Core/ChangeLog 2014-09-17 22:06:03 UTC (rev 173705) +++ trunk/Source/_javascript_Core/ChangeLog 2014-09-17 22:34:14 UTC (rev 173706) 
@@ -1,3 +1,38 @@ +2014-09-17 Michael Saboff msab...@apple.com + +Change CallFrame to use Callee instead of JSScope to implement vm() +https://bugs.webkit.org/show_bug.cgi?id=136894 + +Reviewed by Geoffrey Garen. + +Added JSCell::vm() method that can be used on any JSObject. Changed CallFrame::vm() to +use JSCell::vm with the Callee. Made similar changes in the LLInt. +In support of this, changed JSGlobalObject::init() to take a VM parameter, as there is +a chicken/egg problem with trying to use the Callee in the global exec before the Callee +has been create. Besides, the vm is readily available in finishCreation(), the caller of +init(). + +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +Changed the calculation of CallFrame::VM to use the Callee instead of JSScope. + +* runtime/JSCell.h: +* runtime/JSCellInlines.h: +(JSC::JSCell::vm): New method for getting VM from the pointer. +(JSC::ExecState::vm): Moved this method from JSScope.h to here since this file +contains the implementation of JSCell::vm(), this file is included by all users +of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing +many other .h files and possible the WebCore generator generate-bindings.pl. + +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::init): +* runtime/JSGlobalObject.h: +(JSC::JSGlobalObject::finishCreation): +Changed init() to take a VM parameter. + +* runtime/JSScope.h: +(JSC::ExecState::vm): Deleted. + 2014-09-16 Filip Pizlo fpi...@apple.com Unreviewed, disable native inlining because it causes build failures. Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (173705 => 173706) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2014-09-17 22:06:03 UTC (rev 173705) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2014-09-17 22:34:14 UTC (rev 173706) 
@@ -387,7 +387,7 @@ end _handleUncaughtException: -loadp ScopeChain + PayloadOffset[cfr], t3 +loadp Callee + PayloadOffset[cfr], t3 andp MarkedBlockMask, t3 loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3 loadp VM::callFrameForThrow[t3], cfr @@ -689,7 +689,7 @@ end macro branchIfException(label) -loadp ScopeChain[cfr], t3 +loadp Callee[cfr], t3 andp MarkedBlockMask, t3 loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3 bieq VM::m_exception + TagOffset[t3], EmptyValueTag, .noException @@ -2036,7 +2036,7 @@ # the interpreter's throw trampoline (see _llint_throw_trampoline). # The
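Review bot: Replacing `loadp ScopeChain + PayloadOffset[cfr], t3` with `loadp Callee + PayloadOffset[cfr], t3` ahead of `andp MarkedBlockMask, t3` makes `_handleUncaughtException` and `branchIfException` derive the VM by masking whatever is in the Callee slot, with no check that it is a heap cell. The old code had the same shape with the scope chain, but the Callee slot has only just started being populated for program, eval and global frames (r173600, r173636 above), so any frame kind that still leaves Callee null or non-cell turns the mask into a read through an arbitrary address, and it does so in the exception path where a crash is hardest to diagnose. Worth a debug-build assertion that every CallFrame reaching these labels has a JSCell callee (or at least a comment in both .asm files stating the invariant), plus a test that throws out of a host-function frame and out of eval so the new lookup is exercised on both.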
[webkit-changes] [174301] trunk/Source/JavaScriptCore
Title: [174301] trunk/Source/_javascript_Core Revision 174301 Author msab...@apple.com Date 2014-10-03 16:22:21 -0700 (Fri, 03 Oct 2014) Log Message REGRESSION(r174216): CodeBlock::dumpByteCodes crashes on op_push_name_scope https://bugs.webkit.org/show_bug.cgi?id=137412 Reviewed by Mark Lam. Added support for the JSNameScope::type opcode parameter in dumpBytecode(). * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (174300 => 174301) --- trunk/Source/_javascript_Core/ChangeLog 2014-10-03 23:17:00 UTC (rev 174300) +++ trunk/Source/_javascript_Core/ChangeLog 2014-10-03 23:22:21 UTC (rev 174301) @@ -1,3 +1,15 @@ +2014-10-03 Michael Saboff msab...@apple.com + +REGRESSION(r174216): CodeBlock::dumpByteCodes crashes on op_push_name_scope +https://bugs.webkit.org/show_bug.cgi?id=137412 + +Reviewed by Mark Lam. + +Added support for the JSNameScope::type opcode parameter in dumpBytecode(). + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::dumpBytecode): + 2014-10-03 Saam Barati saambara...@gmail.com Implement op_profile_type in the 32-bit baseline JIT Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (174300 => 174301) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2014-10-03 23:17:00 UTC (rev 174300) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2014-10-03 23:22:21 UTC (rev 174301) 
@@ -1445,8 +1445,9 @@ int id0 = (++it)-u.operand; int r1 = (++it)-u.operand; unsigned attributes = (++it)-u.operand; +JSNameScope::Type scopeType = (JSNameScope::Type)(++it)-u.operand; printLocationAndOp(out, exec, location, it, push_name_scope); -out.printf(%s, %s, %u, idName(id0, identifier(id0)).data(), registerName(r1).data(), attributes); +out.printf(%s, %s, %u %s, idName(id0, identifier(id0)).data(), registerName(r1).data(), attributes, (scopeType == JSNameScope::FunctionNameScope) ? functionScope : ((scopeType == JSNameScope::CatchScope) ? catchScope : unknownScopeType)); break; } case op_catch: {
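Review bot: The new format string `%s, %s, %u %s` in `out.printf` drops the comma between the attributes and the scope type, so the dump reads `..., 0 functionScope` while every other operand is comma-separated; `%u, %s` keeps the bytecode dump consistent for anyone splitting it on commas. The nested ternary mapping `JSNameScope::Type` to a name would also be clearer as a small static helper containing a `switch` over the enum with no `default` (so a scope type added later trips the compiler's switch warning) and `unknownScopeType` returned after the switch, instead of silently dumping the new type as unknown.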
[webkit-changes] [174601] trunk/Tools
Title: [174601] trunk/Tools Revision 174601 Author msab...@apple.com Date 2014-10-10 10:47:52 -0700 (Fri, 10 Oct 2014) Log Message Add ability to select tarfile name in run-jsc-stress-tests https://bugs.webkit.org/show_bug.cgi?id=137614 Reviewed by Mark Hahnenberg. Added optional file name argument to the --tarball option. * Scripts/run-_javascript_core-tests: Added -- to terminate options so the first extra test given after the options wont be used for the optional tarball file name. * Scripts/run-jsc-stress-tests: Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/run-_javascript_core-tests trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/Tools/ChangeLog (174600 => 174601) --- trunk/Tools/ChangeLog 2014-10-10 17:42:54 UTC (rev 174600) +++ trunk/Tools/ChangeLog 2014-10-10 17:47:52 UTC (rev 174601) @@ -1,3 +1,16 @@ +2014-10-10 Michael Saboff msab...@apple.com + +Add ability to select tarfile name in run-jsc-stress-tests +https://bugs.webkit.org/show_bug.cgi?id=137614 + +Reviewed by Mark Hahnenberg. + +Added optional file name argument to the --tarball option. + +* Scripts/run-_javascript_core-tests: Added -- to terminate options so the first +extra test given after the options wont be used for the optional tarball file name. +* Scripts/run-jsc-stress-tests: + 2014-10-10 Chris Dumez cdu...@apple.com Unreviewed, update my information in contributors.json Modified: trunk/Tools/Scripts/run-_javascript_core-tests (174600 => 174601) --- trunk/Tools/Scripts/run-_javascript_core-tests 2014-10-10 17:42:54 UTC (rev 174600) +++ trunk/Tools/Scripts/run-_javascript_core-tests 2014-10-10 17:47:52 UTC (rev 174601) 
@@ -268,6 +268,10 @@ push(@jscStressDriverCmd, --remote); push(@jscStressDriverCmd, $remoteHost); } + +# End option processing, the rest of the arguments are tests +push((@jscStressDriverCmd, --); + if (defined($extraTests)) { push(@jscStressDriverCmd, $extraTests); } Modified: trunk/Tools/Scripts/run-jsc-stress-tests (174600 => 174601) --- trunk/Tools/Scripts/run-jsc-stress-tests 2014-10-10 17:42:54 UTC (rev 174600) +++ trunk/Tools/Scripts/run-jsc-stress-tests 2014-10-10 17:47:52 UTC (rev 174601) @@ -107,6 +107,7 @@ $verbosity = 0 $bundle = nil $tarball = false +$tarFileName = payload.tar.gz $copyVM = false $testRunnerType = :make $remoteUser = nil @@ -126,7 +127,7 @@ puts --output-dir (-o) Path where to put results. Default is #{$outputDir}. puts --verbose(-v) Print more things while running. puts --run-bundleRuns a bundle previously created by run-jsc-stress-tests. -puts --tarball Creates a tarball of the final bundle. +puts --tarball [fileName]Creates a tarball of the final bundle. Use name if supplied for tar file. puts --shell-runner Uses the shell-based test runner instead of the default make-based runner. puts In general the shell runner is slower than the make runner. puts --remoteSpecify a remote host on which to run tests. @@ -144,7 +145,7 @@ ['--memory-limited', GetoptLong::NO_ARGUMENT], ['--output-dir', '-o', GetoptLong::REQUIRED_ARGUMENT], ['--run-bundle', GetoptLong::REQUIRED_ARGUMENT], - ['--tarball', GetoptLong::NO_ARGUMENT], + ['--tarball', GetoptLong::OPTIONAL_ARGUMENT], ['--force-vm-copy', GetoptLong::NO_ARGUMENT], ['--shell-runner', GetoptLong::NO_ARGUMENT], ['--remote', GetoptLong::REQUIRED_ARGUMENT], @@ -171,6 +172,7 @@ when '--tarball' $tarball = true $copyVM = true +$tarFileName = arg unless arg == '' when '--force-vm-copy' $copyVM = true when '--shell-runner' 
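Review bot: The added Perl line reads `push((@jscStressDriverCmd, --);` with a doubled opening parenthesis; if that is what was committed rather than an artefact of this listing, it is a syntax error, and `perl -c` on run-javascriptcore-tests before landing would catch it. In run-jsc-stress-tests, turning `--tarball` into `GetoptLong::OPTIONAL_ARGUMENT` is why the `--` terminator is needed, but the handler `$tarFileName = arg unless arg == ''` accepts any string: a value with a directory component such as `../payload.tar.gz` is later joined as `$outputDir.dirname + $tarFileName`, so the tarball is silently written outside the output directory. Rejecting names containing `/` (or taking `File.basename(arg)`) keeps the option to what the help text promises, a file name.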
@@ -1346,11 +1348,11 @@ } $remoteDirectory = JSON::parse(sshRead(cat ~/.bencher))[tempPath] -mysys(scp, -P, $remotePort.to_s, ($outputDir.dirname + payload.tar.gz).to_s, #{$remoteUser}@#{$remoteHost}:#{$remoteDirectory}) +mysys(scp, -P, $remotePort.to_s, ($outputDir.dirname + $tarFileName).to_s, #{$remoteUser}@#{$remoteHost}:#{$remoteDirectory}) remoteScript = \ remoteScript += cd #{$remoteDirectory} remoteScript += rm -rf #{$outputDir.basename} -remoteScript += tar xzf payload.tar.gz +remoteScript += tar xzf #{$tarFileName} remoteScript += cd #{$outputDir.basename}/.runner remoteScript += DYLD_FRAMEWORK_PATH=\$(cd #{$testingFrameworkPath.dirname}; pwd)\\\ sh runscript remoteScript += \ @@ -1393,7 +1395,7 @@ end def compressBundle -cmd = cd #{$outputDir}/.. tar -czf payload.tar.gz #{$outputDir.basename} +cmd = cd #{$outputDir}/.. tar -czf #{$tarFileName} #{$outputDir.basename}
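Review bot: `$tarFileName` is interpolated unquoted into shell command strings in both hunks: `tar xzf #{$tarFileName}` inside `remoteScript`, which runs on the remote host over ssh, and `tar -czf #{$tarFileName} #{$outputDir.basename}` in `compressBundle`. Since the value now comes straight from the command line, a name containing a space or a shell metacharacter is word-split or interpreted by the shell instead of being used as a file name. The `scp` call passes it as a separate argv element and is fine; the two string-built commands should wrap it with `Shellwords.escape` (`require 'shellwords'`), or the option parser should refuse anything outside `[A-Za-z0-9._-]`.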
[webkit-changes] [174749] trunk/Source/JavaScriptCore
Title: [174749] trunk/Source/_javascript_Core Revision 174749 Author msab...@apple.com Date 2014-10-15 17:14:28 -0700 (Wed, 15 Oct 2014) Log Message REGRESSION(r174025): remote inspector crashes frequently when executing inspector frontend's _javascript_ https://bugs.webkit.org/show_bug.cgi?id=137758 Rubber stamped by Filip Pizlo. Reverted r174025 for just PutByOffset Nodes. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (174748 => 174749) --- trunk/Source/_javascript_Core/ChangeLog 2014-10-16 00:13:17 UTC (rev 174748) +++ trunk/Source/_javascript_Core/ChangeLog 2014-10-16 00:14:28 UTC (rev 174749) @@ -1,3 +1,15 @@ +2014-10-15 Michael Saboff msab...@apple.com + +REGRESSION(r174025): remote inspector crashes frequently when executing inspector frontend's _javascript_ +https://bugs.webkit.org/show_bug.cgi?id=137758 + +Rubber stamped by Filip Pizlo. + +Reverted r174025 for just PutByOffset Nodes. + +* dfg/DFGFixupPhase.cpp: +(JSC::DFG::FixupPhase::fixupNode): + 2014-10-14 Gyuyoung Kim gyuyoung@samsung.com Clean up unnecessary PassOwnPtr.h inclusion Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (174748 => 174749) --- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2014-10-16 00:13:17 UTC (rev 174748) +++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2014-10-16 00:14:28 UTC (rev 174749) @@ -943,7 +943,7 @@ if (!node-child1()-hasStorageResult()) fixEdgeKnownCellUse(node-child1()); fixEdgeKnownCellUse(node-child2()); -insertStoreBarrier(m_indexInBlock, node-child2(), node-child3()); +insertStoreBarrier(m_indexInBlock, node-child2()); break; }
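Review bot: Dropping the third argument so PutByOffset calls `insertStoreBarrier(m_indexInBlock, node->child2())` while the other node types touched by r174025 keep the three-argument form leaves the fixup phase half-reverted with nothing at the call site to explain why. A one-line comment naming bug 137758 and saying that whatever the value argument enabled is disabled for PutByOffset until the inspector crash is understood would stop a later cleanup from re-applying it; the log should also say whether a reduced test case exists, since a rubber-stamped partial revert of a GC write-barrier change is the kind of fix that papers over a real barrier bug rather than removing it.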
[webkit-changes] [174847] trunk
Title: [174847] trunk Revision 174847 Author msab...@apple.com Date 2014-10-17 15:58:33 -0700 (Fri, 17 Oct 2014) Log Message Don't create cached functions that access lexicalGlobalObject() https://bugs.webkit.org/show_bug.cgi?id=137839 Reviewed by Geoffrey Garen. Source/WebCore: Made it so that all the JSDOMWindow special functions blur(), close(), focus() and postMessage() are always created as needed for every prototype. Made it so that JSHTMLDocument does the same for open(). Updated test to account for these methods not being cached. Updated tests accordingly. * bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::getOwnPropertySlot): Updated to always create cached versions of the special functions. * bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::JSHTMLDocument::getOwnPropertySlot): Added to create an uncached open() method when it is first accessed. * html/HTMLDocument.idl: Added CustomGetOwnPropertySlot and implemented it in JSHTMLDocumentCustom.cpp. LayoutTests: Updated tests that check for * fast/dom/wrapper-scope-expected.txt: * fast/dom/wrapper-scope.html: Removed close and postMessage from the functions to check for wrapper scope. * http/tests/security/cross-frame-access-put-expected.txt: * http/tests/security/resources/cross-frame-iframe-for-put-test.html: Removed blur, close and focus from the functions to test, since this tests that a parent's and child window's instances are the same. Now they are always different. * js/dom/global-function-resolve-expected.txt: * js/dom/script-tests/global-function-resolve.js: Removed close from this list of functions to check.
Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/wrapper-scope-expected.txt trunk/LayoutTests/fast/dom/wrapper-scope.html trunk/LayoutTests/http/tests/security/cross-frame-access-put-expected.txt trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-put-test.html trunk/LayoutTests/js/dom/global-function-resolve-expected.txt trunk/LayoutTests/js/dom/script-tests/global-function-resolve.js trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp trunk/Source/WebCore/html/HTMLDocument.idl Diff Modified: trunk/LayoutTests/ChangeLog (174846 => 174847) --- trunk/LayoutTests/ChangeLog 2014-10-17 22:30:43 UTC (rev 174846) +++ trunk/LayoutTests/ChangeLog 2014-10-17 22:58:33 UTC (rev 174847) 
@@ -1,3 +1,25 @@ +2014-10-17 Michael Saboff msab...@apple.com + +Don't create cached functions that access lexicalGlobalObject() +https://bugs.webkit.org/show_bug.cgi?id=137839 + +Reviewed by Geoffrey Garen. + +Updadted test that check for + +* fast/dom/wrapper-scope-expected.txt: +* fast/dom/wrapper-scope.html: +Removed close and postMessage from functions to check for wrapper scope. + +* http/tests/security/cross-frame-access-put-expected.txt: +* http/tests/security/resources/cross-frame-iframe-for-put-test.html: +Removed blur, close and focus from the functions to test, since this tests that +a parent's and child window's instances are the same. Now they are always different. + +* js/dom/global-function-resolve-expected.txt: +* js/dom/script-tests/global-function-resolve.js: +Removed close from this lists of functions to check. + 2014-10-17 Benjamin Poulain benja...@webkit.org Make a better use of the available registers when compiling nested selector lists Modified: trunk/LayoutTests/fast/dom/wrapper-scope-expected.txt (174846 => 174847) --- trunk/LayoutTests/fast/dom/wrapper-scope-expected.txt 2014-10-17 22:30:43 UTC (rev 174846) +++ trunk/LayoutTests/fast/dom/wrapper-scope-expected.txt 2014-10-17 22:58:33 UTC (rev 174847) @@ -11,10 +11,6 @@ PASS inner.Window.constructor.isInner is true PASS inner.Window.constructor.prototype.isInner is true PASS inner.Window.__proto__.isInner is true -PASS inner.close.isInner is true -PASS inner.close.constructor.isInner is true -PASS inner.close.constructor.prototype.isInner is true -PASS inner.close.__proto__.isInner is true PASS inner.console.isInner is true PASS inner.console.constructor.isInner is true PASS inner.console.constructor.prototype.isInner is true 
@@ -35,10 +31,6 @@ PASS inner.navigator.constructor.isInner is true PASS inner.navigator.constructor.prototype.isInner is true PASS inner.navigator.__proto__.isInner is true -PASS inner.postMessage.isInner is true -PASS inner.postMessage.constructor.isInner is true -PASS inner.postMessage.constructor.prototype.isInner is true -PASS inner.postMessage.__proto__.isInner is true PASS inner.window.isInner is true PASS inner.window.constructor.isInner is true PASS inner.window.constructor.prototype.isInner is true Modified: trunk/LayoutTests/fast/dom/wrapper-scope.html (174846 => 174847) --- trunk/LayoutTests/fast/dom/wrapper-scope.html 2014-10-17 22:30:43 UTC
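Review bot: the ChangeLog hunk contains a sentence fragment, 'Updadted test that check for', that should be completed and spelled 'Updated'. In the wrapper-scope-expected.txt hunks the inner.close and inner.postMessage PASS lines are deleted outright, so the test no longer says anything about those functions; since the point of the change is that they are now created per window instead of cached, a positive expectation (that inner.close is a function whose identity differs from the outer window's) would document the new behaviour rather than merely dropping coverage.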
[webkit-changes] [174918] trunk/Source/WebCore
Title: [174918] trunk/Source/WebCore Revision 174918 Author msab...@apple.com Date 2014-10-20 18:21:03 -0700 (Mon, 20 Oct 2014) Log Message Make post checkin suggested changes to r174847 https://bugs.webkit.org/show_bug.cgi?id=137885 Reviewed by Mark Lam. Eliminated the creation of a temporary Identifier when comparing propertyName to open. Made the suggested post checkin change to put the declaration of entry into the if. * bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::JSHTMLDocument::getOwnPropertySlot): Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (174917 => 174918) --- trunk/Source/WebCore/ChangeLog 2014-10-21 01:19:23 UTC (rev 174917) +++ trunk/Source/WebCore/ChangeLog 2014-10-21 01:21:03 UTC (rev 174918) @@ -1,3 +1,16 @@ +2014-10-20 Michael Saboff msab...@apple.com + +Make post checkin suggested changes to r174847 +https://bugs.webkit.org/show_bug.cgi?id=137885 + +Reviewed by Mark Lam. + +Eliminated the creation of a temporary Identifier when comparing propertyName to open. +Made the suggested post checkin change to put the declaration of entry into the if. + +* bindings/js/JSHTMLDocumentCustom.cpp: +(WebCore::JSHTMLDocument::getOwnPropertySlot): + 2014-10-20 Chris Dumez cdu...@apple.com Use is() / downcast() for SpinButtonElement Modified: trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp (174917 => 174918) --- trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2014-10-21 01:19:23 UTC (rev 174917) +++ trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2014-10-21 01:21:03 UTC (rev 174918) 
@@ -62,7 +62,7 @@ JSHTMLDocument* thisObject = jsCastJSHTMLDocument*(object); ASSERT_GC_OBJECT_INHERITS(thisObject, info()); -if (propertyName == Identifier(exec, open)) { +if (equal(propertyName.publicName(), open)) { slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetterjsHTMLDocumentPrototypeFunctionOpen, 2); return true; } @@ -72,8 +72,7 @@ return true; } -const HashTableValue* entry = JSHTMLDocument::info()-staticPropHashTable-entry(propertyName); -if (entry) { +if (const HashTableValue* entry = JSHTMLDocument::info()-staticPropHashTable-entry(propertyName)) { slot.setCacheableCustom(thisObject, entry-attributes(), entry-propertyGetter()); return true; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
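Review bot: the first hunk's equal(propertyName.publicName(), ...) pattern will be repeated for every further special function handled this way (r174985 on this page adds write and writeln with the same shape), so a single comparison helper would keep getOwnPropertySlot readable; r174997 later supplies exactly that as operator==(PropertyName, const char*). The second hunk's move of the entry declaration into the if condition is fine and matches the surrounding style.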
[webkit-changes] [174985] trunk/Source/WebCore
Title: [174985] trunk/Source/WebCore Revision 174985 Author msab...@apple.com Date 2014-10-21 10:19:49 -0700 (Tue, 21 Oct 2014) Log Message Don't create cached functions for HTMLDocument.write*() https://bugs.webkit.org/show_bug.cgi?id=137906 Reviewed by Darin Adler. Made it so that JSHTMLDocument::write() and ::writeln() are always created for every prototype. This is similar to the change in r174847. * bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::JSHTMLDocument::getOwnPropertySlot): * html/HTMLDocument.idl: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp trunk/Source/WebCore/html/HTMLDocument.idl Diff Modified: trunk/Source/WebCore/ChangeLog (174984 => 174985) --- trunk/Source/WebCore/ChangeLog 2014-10-21 17:05:06 UTC (rev 174984) +++ trunk/Source/WebCore/ChangeLog 2014-10-21 17:19:49 UTC (rev 174985) @@ -1,3 +1,17 @@ +2014-10-20 Michael Saboff msab...@apple.com + +Don't create cached functions for HTMLDocument.write*() +https://bugs.webkit.org/show_bug.cgi?id=137906 + +Reviewed by Darin Adler. + +Made it so that JSHTMLDocument::write() and ::writeln() are always created for every prototype. +This is similar to the change in r174847. + +* bindings/js/JSHTMLDocumentCustom.cpp: +(WebCore::JSHTMLDocument::getOwnPropertySlot): +* html/HTMLDocument.idl: + 2014-10-21 Chris Dumez cdu...@apple.com REGRESSION(r174676): It broke the !ENABLE(VIDEO) build Modified: trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp (174984 => 174985) --- trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2014-10-21 17:05:06 UTC (rev 174984) +++ trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2014-10-21 17:19:49 UTC (rev 174985) 
@@ -66,6 +66,14 @@ slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetterjsHTMLDocumentPrototypeFunctionOpen, 2); return true; } +if (equal(propertyName.publicName(), write)) { +slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetterjsHTMLDocumentPrototypeFunctionWrite, 1); +return true; +} +if (equal(propertyName.publicName(), writeln)) { +slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetterjsHTMLDocumentPrototypeFunctionWriteln, 1); +return true; +} if (canGetItemsForName(exec, thisObject-impl(), propertyName)) { slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, thisObject-nameGetter); Modified: trunk/Source/WebCore/html/HTMLDocument.idl (174984 => 174985) --- trunk/Source/WebCore/html/HTMLDocument.idl 2014-10-21 17:05:06 UTC (rev 174984) +++ trunk/Source/WebCore/html/HTMLDocument.idl 2014-10-21 17:19:49 UTC (rev 174985) @@ -25,8 +25,8 @@ ] interface HTMLDocument : Document { [Custom, ForwardDeclareInHeader] void open(); void close(); -[Custom] void write([Default=Undefined] optional DOMString text); -[Custom] void writeln([Default=Undefined] optional DOMString text); +[Custom, ForwardDeclareInHeader] void write([Default=Undefined] optional DOMString text); +[Custom, ForwardDeclareInHeader] void writeln([Default=Undefined] optional DOMString text); readonly attribute HTMLCollection embeds; readonly attribute HTMLCollection plugins; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
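Review bot: the ChangeLog hunk justifies the change only as 'similar to the change in r174847'; the entry should state the property being fixed in its own words (per the r174847 title, these functions access lexicalGlobalObject(), so a function cached on a prototype shared between windows would resolve the wrong global object) and list the tests that exercise write()/writeln() across windows, which r174991 on this page adds after the fact. In the JSHTMLDocumentCustom.cpp hunk the two new blocks duplicate the open() block except for the getter and arity, so a small table or helper would avoid a third copy.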
[webkit-changes] [174991] trunk/Source/WebCore/ChangeLog
Title: [174991] trunk/Source/WebCore/ChangeLog Revision 174991 Author msab...@apple.com Date 2014-10-21 11:19:34 -0700 (Tue, 21 Oct 2014) Log Message Updated ChangeLog entry to include tests that cover r174985 Modified Paths trunk/Source/WebCore/ChangeLog Diff Modified: trunk/Source/WebCore/ChangeLog (174990 => 174991) --- trunk/Source/WebCore/ChangeLog 2014-10-21 18:11:27 UTC (rev 174990) +++ trunk/Source/WebCore/ChangeLog 2014-10-21 18:19:34 UTC (rev 174991) @@ -50,6 +50,15 @@ Made it so that JSHTMLDocument::write() and ::writeln() are always created for every prototype. This is similar to the change in r174847. +This change is alread covered by the tests: +LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html +LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html +LayoutTests/http/tests/security/aboutBlank/security-context-write.html +LayoutTests/http/tests/security/aboutBlank/security-context-writeln.html +LayoutTests/http/tests/xmlhttprequest/request-from-popup.html +LayoutTests/http/tests/navigation/new-window-redirect-history.html +LayoutTests/http/tests/misc/window-open-then-write.html + * bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::JSHTMLDocument::getOwnPropertySlot): * html/HTMLDocument.idl: ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
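Review bot: 'alread' in the first added line should be 'already'. The added test list is useful; one sentence on what aspect of write()/writeln() across windows the security-context-*-write*.html tests check would tell a reader why they cover the uncached-function change.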
[webkit-changes] [174996] trunk
Title: [174996] trunk Revision 174996 Author msab...@apple.com Date 2014-10-21 13:03:28 -0700 (Tue, 21 Oct 2014) Log Message Change native call frames to use the scope from their Callee instead of their caller's scope https://bugs.webkit.org/show_bug.cgi?id=137907 Source/_javascript_Core: Reviewed by Mark Lam. Changed setting of scope for native CallFrames to use the scope associated with the Callee instead of the caller's scope. * jit/ThunkGenerators.cpp: (JSC::nativeForGenerator): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: LayoutTests: Updated tests to reflect the results of changing where a native call frame and therefore the lexicalGlobalObject came from. Verified that these test changes are consistent with the HTML standard. These changes are also closer to the behavior of other browsers. Reviewed by Mark Lam. * fast/frames/sandboxed-iframe-navigation-parent-expected.txt: * fast/frames/sandboxed-iframe-navigation-parent.html: Changed the test and results to show that a sandboxed iframe can navigate its ancestors when it is sandboxed with both allow-scripts and allow-same-origin. * http/tests/security/calling-versus-current.html: Updated the test to really have a different domain. We do a simple string comparison to check that we are part of the same domain. The test expected that 0.0.1 was from the same domain as 127.0.0.1. Changed the test to try 0.0.2 and expect a security exception. * http/tests/security/frameNavigation/context-for-location-assign-expected.txt: Updated test results. * traversal/node-iterator-prototype-expected.txt: * traversal/node-iterator-prototype.html: Fixed as a result of this change. 
Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent.html trunk/LayoutTests/http/tests/security/calling-versus-current.html trunk/LayoutTests/http/tests/security/frameNavigation/context-for-location-assign-expected.txt trunk/LayoutTests/traversal/node-iterator-prototype-expected.txt trunk/LayoutTests/traversal/node-iterator-prototype.html trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/LayoutTests/ChangeLog (174995 => 174996) --- trunk/LayoutTests/ChangeLog 2014-10-21 19:53:35 UTC (rev 174995) +++ trunk/LayoutTests/ChangeLog 2014-10-21 20:03:28 UTC (rev 174996) 
@@ -1,3 +1,33 @@ +2014-10-21 Michael Saboff msab...@apple.com + +Change native call frames to use the scope from their Callee instead of their caller's scope +https://bugs.webkit.org/show_bug.cgi?id=137907 + +Updated tests to reflect that the results of changing where a native call frame +and therefore the lexicalGlobalObject came from. Verified that these tests changes +are consistent with the HTML standard. These changes are also closer to the behavior +of other browsers. + +Reviewed by Mark Lam. + +* fast/frames/sandboxed-iframe-navigation-parent-expected.txt: +* fast/frames/sandboxed-iframe-navigation-parent.html: +Changed the test and results to show that a sandboxed iframe can navigate its +ancesters when it is sandbox with both allow-scripts and allow-same-origin. + +* http/tests/security/calling-versus-current.html: +Updated the test to really have a different domain. We do a simple string comparison +to check for that we are part of the same domain. The test expected that 0.0.1 was +from the same domain as 127.0.0.1. Changed the test to try 0.0.2 and expect a +security exception. + +* http/tests/security/frameNavigation/context-for-location-assign-expected.txt: +Updated test results. + +* traversal/node-iterator-prototype-expected.txt: +* traversal/node-iterator-prototype.html: +Fixed as a result of this change. + 2014-10-21 Joanmarie Diggs jdi...@igalia.com AX: [ATK] CSS-generated text content not exposed to assistive technologies Modified: trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt (174995 => 174996) --- trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt 2014-10-21 19:53:35 UTC (rev 174995) +++ trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt 2014-10-21 20:03:28 UTC (rev 174996) 
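Review bot: for calling-versus-current.html the entry switches the test host from 0.0.1 to 0.0.2 because 0.0.1 is a substring of 127.0.0.1, but leaves the 'simple string comparison' that produced the false match in place; comparing the whole host (or origin) for equality would fix the check itself rather than picking a string that happens not to collide. For sandboxed-iframe-navigation-parent, the entry says the new expectation (a frame sandboxed with both allow-scripts and allow-same-origin may navigate its ancestors) was checked against the HTML standard; citing the relevant section in the test's description text would keep that expectation from being read as a regression. Minor: 'ancesters' should be 'ancestors' and 'tests changes' should be 'test changes'.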
@@ -1,9 +1,5 @@ -CONSOLE MESSAGE: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'sandboxed-iframe-navigation-source.html'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors. +This test verifies that a sandboxed IFrame with the keywords allow-scripts and allow-same-origin is allowed to navigate an ancestor in
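The calling-versus-current.html note in this commit describes a "same domain" check done by substring matching, which is why 0.0.1 was taken to be part of 127.0.0.1. This added example (not the WebKit test's code; the host strings, ports and helper names are constructed) contrasts that substring check with a whole-origin comparison over the same inputs, so the false positive and its fix can be seen side by side.

```javascript
// Substring check in the style the ChangeLog describes: the other host counts
// as "ours" if it occurs anywhere inside our host string.
function naiveSameDomain(ourHost, otherHost) {
  return ourHost.indexOf(otherHost) !== -1;
}

// Canonical origin string: lower-case scheme and host, default port made explicit.
const DEFAULT_PORTS = { http: 80, https: 443 };
function canonicalOrigin({ scheme, host, port }) {
  const s = scheme.toLowerCase();
  const p = port === undefined || port === null ? DEFAULT_PORTS[s] : Number(port);
  return `${s}://${host.toLowerCase()}:${p}`;
}

// Same-origin check on the (scheme, host, port) tuple; hosts are compared
// whole, never by substring.
function sameOrigin(a, b) {
  return canonicalOrigin(a) === canonicalOrigin(b);
}

// Run both checks for one pair and flag the case where only the substring
// check says "same domain".
function compareChecks(ours, other) {
  const naive = naiveSameDomain(ours.host, other.host);
  const origin = sameOrigin(ours, other);
  return { naive, origin, falsePositive: naive && !origin };
}

// Constructed cases: the old test's 0.0.1 (a substring of 127.0.0.1), the
// revised 0.0.2, a genuinely same-origin pair with a differently cased scheme,
// and a port mismatch that the substring check cannot see at all.
const OURS = { scheme: "http", host: "127.0.0.1", port: 8000 };
const CASES = [
  { ours: OURS, other: { scheme: "http", host: "0.0.1", port: 8000 } },
  { ours: OURS, other: { scheme: "http", host: "0.0.2", port: 8000 } },
  { ours: OURS, other: { scheme: "HTTP", host: "127.0.0.1", port: 8000 } },
  { ours: OURS, other: { scheme: "http", host: "127.0.0.1", port: 8080 } },
];

// Evaluate every case; each result names the other side and carries both verdicts.
function runCases(cases = CASES) {
  return cases.map(({ ours, other }) => ({
    other: `${other.scheme}://${other.host}:${other.port}`,
    ...compareChecks(ours, other),
  }));
}
```

Calling runCases() shows the first case as a false positive of the substring check (naive true, origin false), the second rejected by both, and the last accepted only by the substring check because it ignores the port.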
[webkit-changes] [174997] trunk/Source
Title: [174997] trunk/Source Revision 174997 Author msab...@apple.com Date 2014-10-21 13:43:18 -0700 (Tue, 21 Oct 2014) Log Message Add operator==(PropertyName, const char*) https://bugs.webkit.org/show_bug.cgi?id=137925 Reviewed by Mark Lam. Source/_javascript_Core: * runtime/PropertyName.h: (JSC::operator==): Added to simplify comparison with string literals. Source/WebCore: Use new == operator to compare a PropertyName with a string literal. * bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::JSHTMLDocument::getOwnPropertySlot): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/PropertyName.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (174996 => 174997) --- trunk/Source/_javascript_Core/ChangeLog 2014-10-21 20:03:28 UTC (rev 174996) +++ trunk/Source/_javascript_Core/ChangeLog 2014-10-21 20:43:18 UTC (rev 174997) @@ -1,5 +1,16 @@ 2014-10-21 Michael Saboff msab...@apple.com +Add operator==(PropertyName, const char*) +https://bugs.webkit.org/show_bug.cgi?id=137925 + +Reviewed by Mark Lam. + +* runtime/PropertyName.h: +(JSC::operator==): Added to simplify comparison with string literals. + + +2014-10-21 Michael Saboff msab...@apple.com + Change native call frames to use the scope from their Callee instead of their caller's scope https://bugs.webkit.org/show_bug.cgi?id=137907 Modified: trunk/Source/_javascript_Core/runtime/PropertyName.h (174996 => 174997) --- trunk/Source/_javascript_Core/runtime/PropertyName.h 2014-10-21 20:03:28 UTC (rev 174996) +++ trunk/Source/_javascript_Core/runtime/PropertyName.h 2014-10-21 20:43:18 UTC (rev 174997) 
@@ -141,6 +141,11 @@ return a.uid() == b.uid(); } +inline bool operator==(PropertyName a, const char* b) +{ +return equal(a.uid(), b); +} + inline bool operator!=(PropertyName a, const Identifier b) { return a.uid() != b.impl(); Modified: trunk/Source/WebCore/ChangeLog (174996 => 174997) --- trunk/Source/WebCore/ChangeLog 2014-10-21 20:03:28 UTC (rev 174996) +++ trunk/Source/WebCore/ChangeLog 2014-10-21 20:43:18 UTC (rev 174997) @@ -1,3 +1,15 @@ +2014-10-21 Michael Saboff msab...@apple.com + +Add operator==(PropertyName, const char*) +https://bugs.webkit.org/show_bug.cgi?id=137925 + +Reviewed by Mark Lam. + +Use new == operator to compare a PropertyName with a string literal. + +* bindings/js/JSHTMLDocumentCustom.cpp: +(WebCore::JSHTMLDocument::getOwnPropertySlot): + 2014-10-21 Chris Dumez cdu...@apple.com Unreviewed iOS build fix after r174921. Modified: trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp (174996 => 174997) --- trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2014-10-21 20:03:28 UTC (rev 174996) +++ trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2014-10-21 20:43:18 UTC (rev 174997) 
@@ -62,15 +62,15 @@ JSHTMLDocument* thisObject = jsCastJSHTMLDocument*(object); ASSERT_GC_OBJECT_INHERITS(thisObject, info()); -if (equal(propertyName.publicName(), open)) { +if (propertyName == open) { slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetterjsHTMLDocumentPrototypeFunctionOpen, 2); return true; } -if (equal(propertyName.publicName(), write)) { +if (propertyName == write) { slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetterjsHTMLDocumentPrototypeFunctionWrite, 1); return true; } -if (equal(propertyName.publicName(), writeln)) { +if (propertyName == writeln) { slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetterjsHTMLDocumentPrototypeFunctionWriteln, 1); return true; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
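Review bot: the PropertyName.h hunk adds operator==(PropertyName, const char*) next to an existing operator!=(PropertyName, const Identifier&) but no matching operator!=(PropertyName, const char*), so a negated comparison against a literal will not compile while the positive form does; add the counterpart for symmetry. A comment noting the operator is intended for string literals, as the ChangeLog says, would also make its purpose explicit to readers of the header.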
[webkit-changes] [175058] trunk/Source/JavaScriptCore
Title: [175058] trunk/Source/_javascript_Core Revision 175058 Author msab...@apple.com Date 2014-10-22 11:59:04 -0700 (Wed, 22 Oct 2014) Log Message REGRESSION(r174996): Broke C_LOOP https://bugs.webkit.org/show_bug.cgi?id=137971 Reviewed by Mark Lam. Removed incorrect move to cfr (CallFrameRegister) before we make the call to a native function. After r174996, the source register for the move contained garbage causing the crash. The move to cfr before making the call to the native function is wrong and should have been removed some time ago. This brings the ARM64 / C_LOOP code path inline with the other CPU paths. Tested on ARM64 as well as a C_LOOP build. * llint/LowLevelInterpreter64.asm: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175057 => 175058) --- trunk/Source/_javascript_Core/ChangeLog 2014-10-22 17:50:23 UTC (rev 175057) +++ trunk/Source/_javascript_Core/ChangeLog 2014-10-22 18:59:04 UTC (rev 175058) 
@@ -1,3 +1,18 @@ +2014-10-22 Michael Saboff msab...@apple.com + +REGRESSION(r174996): Broke C_LOOP +https://bugs.webkit.org/show_bug.cgi?id=137971 + +Reviewed by Mark Lam. + +Removed incorrect move to cfr (CallFrameRegister) before we make the call to a native function. +After r174996, the source register for the move contained garbage causing the crash. The move +to cfr before making the call to the native function is wrong and should have been removed +some time ago. This brings the ARM64 / C_LOOP code path inline with the other CPU paths. +Tested on ARM64 as well as a C_LOOP build. + +* llint/LowLevelInterpreter64.asm: + 2014-10-21 Mark Lam mark@apple.com Remove erroneous canUseJIT() in the intrinsics version of JITThunks::hostFunctionStub(). Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (175057 => 175058) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2014-10-22 17:50:23 UTC (rev 175057) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2014-10-22 18:59:04 UTC (rev 175058) @@ -1951,7 +1951,6 @@ move cfr, t0 loadp Callee[cfr], t1 loadp JSFunction::m_executable[t1], t1 -move t2, cfr # Restore cfr to avoid loading from stack if C_LOOP cloopCallNative executableOffsetToFunction[t1] else ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
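Review bot: the ChangeLog says the source register of the removed `move t2, cfr` 'contained garbage' after r174996 but not what t2 held before that change or why the other CPU paths never needed the move; one sentence on that would let a reader verify the claim that the C_LOOP path is now in line with the others. No test accompanies the fix; if the crash reproduced deterministically under a C_LOOP build, naming the existing tests that exercise this native-call path would suffice.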
[webkit-changes] [175118] trunk/Source/JavaScriptCore
Title: [175118] trunk/Source/_javascript_Core Revision 175118 Author msab...@apple.com Date 2014-10-23 06:15:58 -0700 (Thu, 23 Oct 2014) Log Message Change CallFrame::lexicalGlobalObject() to use Callee instead of JSScope https://bugs.webkit.org/show_bug.cgi?id=136901 Reviewed by Mark Lam. Implement ExecState::lexicalGlobalObject() using Callee. * runtime/JSScope.h: (JSC::ExecState::lexicalGlobalObject): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSScope.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175117 => 175118) --- trunk/Source/_javascript_Core/ChangeLog 2014-10-23 12:20:44 UTC (rev 175117) +++ trunk/Source/_javascript_Core/ChangeLog 2014-10-23 13:15:58 UTC (rev 175118) @@ -1,3 +1,15 @@ +2014-10-23 Michael Saboff msab...@apple.com + +Change CallFrame::lexicalGlobalObject() to use Callee instead of JSScope +https://bugs.webkit.org/show_bug.cgi?id=136901 + +Reviewed by Mark Lam. + +Implement ExecState::lexicalGlobalObject() using Callee. + +* runtime/JSScope.h: +(JSC::ExecState::lexicalGlobalObject): + 2014-10-22 Milan Crha mc...@redhat.com Prefix isnan() with std::. Modified: trunk/Source/_javascript_Core/runtime/JSScope.h (175117 => 175118) --- trunk/Source/_javascript_Core/runtime/JSScope.h 2014-10-23 12:20:44 UTC (rev 175117) +++ trunk/Source/_javascript_Core/runtime/JSScope.h 2014-10-23 13:15:58 UTC (rev 175118) @@ -241,7 +241,7 @@ inline JSGlobalObject* ExecState::lexicalGlobalObject() const { -return scope()-globalObject(); +return callee()-globalObject(); } inline JSObject* ExecState::globalThisValue() const ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
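Review bot: the JSScope.h hunk changes lexicalGlobalObject() from scope()->globalObject() to callee()->globalObject() with a one-line ChangeLog; the entry should record that this is only correct once native call frames carry their Callee's scope (r174996 on this page), that the two changes must not be reverted independently, and why the two expressions agree for JS function frames, so the cross-window consequences tested in r174996 are understood by the next reader.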
[webkit-changes] [175141] trunk/Source/JavaScriptCore
Title: [175141] trunk/Source/_javascript_Core Revision 175141 Author msab...@apple.com Date 2014-10-23 13:54:22 -0700 (Thu, 23 Oct 2014) Log Message offsets.rb:183:in `buildOffsetsMap': unhandled exception - is offlineasm dependency tracking broken? (132668) https://bugs.webkit.org/show_bug.cgi?id=138017 Reviewed by Mark Lam. Removed from the nput file $(SRCROOT)/llint/LowLevelAssembler.asm and output file $(BUILT_PRODUCTS_DIR)/LLIntOffsets/LLIntDesiredOffsets.h from the Generate Derived Sources build phase in the LLInt Offset target. There is no need for Xcode to do any dependency checking with these files as the ruby script offlineasm/generate_offset_extractor.rb will do that for us. * _javascript_Core.xcodeproj/project.pbxproj: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175140 => 175141) --- trunk/Source/_javascript_Core/ChangeLog 2014-10-23 20:29:28 UTC (rev 175140) +++ trunk/Source/_javascript_Core/ChangeLog 2014-10-23 20:54:22 UTC (rev 175141) 
@@ -1,5 +1,20 @@ 2014-10-23 Michael Saboff msab...@apple.com +offsets.rb:183:in `buildOffsetsMap': unhandled exception - is offlineasm dependency tracking broken? (132668) +https://bugs.webkit.org/show_bug.cgi?id=138017 + +Reviewed by Mark Lam. + +Removed from the nput file $(SRCROOT)/llint/LowLevelAssembler.asm and output file +$(BUILT_PRODUCTS_DIR)/LLIntOffsets/LLIntDesiredOffsets.h from the Generate Derived Sources +build phase in the LLInt Offset target. There is no need for Xcode to do any dependency +checking with these files as the ruby script offlineasm/generate_offset_extractor.rb will +do that for us. + +* _javascript_Core.xcodeproj/project.pbxproj: + +2014-10-23 Michael Saboff msab...@apple.com + Change CallFrame::lexicalGlobalObject() to use Callee instead of JSScope https://bugs.webkit.org/show_bug.cgi?id=136901 Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (175140 => 175141) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2014-10-23 20:29:28 UTC (rev 175140) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2014-10-23 20:54:22 UTC (rev 175141) @@ -6367,11 +6367,9 @@ files = ( ); inputPaths = ( -$(SRCROOT)/llint/LowLevelAssembler.asm, ); name = Generate Derived Sources; outputPaths = ( -$(BUILT_PRODUCTS_DIR)/LLIntOffsets/LLIntDesiredOffsets.h, ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
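Review bot: emptying both inputPaths and outputPaths of the Generate Derived Sources phase means Xcode will run the script on every build instead of only when the .asm changes; the ChangeLog says offlineasm/generate_offset_extractor.rb does its own dependency checking, but the entry should state this build-time trade-off and that the script is cheap when nothing has changed. Also 'nput file' in the entry should read 'input file'.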
[webkit-changes] [175426] trunk/Source/JavaScriptCore
Title: [175426] trunk/Source/_javascript_Core Revision 175426 Author msab...@apple.com Date 2014-10-31 14:27:10 -0700 (Fri, 31 Oct 2014) Log Message Add scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope https://bugs.webkit.org/show_bug.cgi?id=138252 Reviewed by Geoffrey Garen. Added scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope. Although the scope register is filled in with the ScopeChain register for all three bytecodes, this operand is not used in the processing of the bytecodes. That will be addressed in a future patch. * bytecode/BytecodeList.json: Lengthened the three bytecodes. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): Added code to dump the scope operand. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::emitPushWithScope): (JSC::BytecodeGenerator::emitPopScope): (JSC::BytecodeGenerator::emitComplexPopScopes): (JSC::BytecodeGenerator::emitPopScopes): (JSC::BytecodeGenerator::emitPushFunctionNameScope): (JSC::BytecodeGenerator::emitPushCatchScope): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::scopeRegister): Added scope register to these emit functions and the bytecodes they emit. New m_scopeRegister and accessor. * bytecompiler/NodesCodegen.cpp: (JSC::ContinueNode::emitBytecode): (JSC::BreakNode::emitBytecode): (JSC::ReturnNode::emitBytecode): (JSC::WithNode::emitBytecode): (JSC::TryNode::emitBytecode): Created a RegisterID for the ScopeChain register and used it to emit the updated bytecodes. * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_push_with_scope): (JSC::JIT::emit_op_push_name_scope): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_push_with_scope): (JSC::JIT::emit_op_push_name_scope): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LowLevelInterpreter.asm: Updated the operand indices for the processing of the updated bytecodes. 
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/BytecodeList.json trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175425 => 175426) --- trunk/Source/_javascript_Core/ChangeLog 2014-10-31 21:25:42 UTC (rev 175425) +++ trunk/Source/_javascript_Core/ChangeLog 2014-10-31 21:27:10 UTC (rev 175426) 
@@ -1,3 +1,51 @@ +2014-10-31 Michael Saboff msab...@apple.com + +Add scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope +https://bugs.webkit.org/show_bug.cgi?id=138252 + +Reviewed by Geoffrey Garen. + +Added scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope. +Although the scope register is filled in with the ScopeChain register for all +three bytecodes, this operand is not used in the processing of the bytecodes. +That will be addressed in a future patch. + +* bytecode/BytecodeList.json: Lengthened the three bytecodes. +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::dumpBytecode): Added code to dump the scope operand. +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::BytecodeGenerator): +(JSC::BytecodeGenerator::emitPushWithScope): +(JSC::BytecodeGenerator::emitPopScope): +(JSC::BytecodeGenerator::emitComplexPopScopes): +(JSC::BytecodeGenerator::emitPopScopes): +(JSC::BytecodeGenerator::emitPushFunctionNameScope): +(JSC::BytecodeGenerator::emitPushCatchScope): +* bytecompiler/BytecodeGenerator.h: +(JSC::BytecodeGenerator::scopeRegister): +Added scope register to these emit functions and the bytecodes they emit. +New m_scopeRegister and accessor. + +* bytecompiler/NodesCodegen.cpp: +(JSC::ContinueNode::emitBytecode): +(JSC::BreakNode::emitBytecode): +(JSC::ReturnNode::emitBytecode): +(JSC::WithNode::emitBytecode): +(JSC::TryNode::emitBytecode): +Created a RegisterID for the ScopeChain register and used it to emit the updated +bytecodes. + +* jit/JITOpcodes.cpp: +(JSC::JIT::emit_op_push_with_scope): +(JSC::JIT::emit_op_push_name_scope): +* jit/JITOpcodes32_64.cpp: +(JSC::JIT::emit_op_push_with_scope): +(JSC::JIT::emit_op_push_name_scope): +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::LLINT_SLOW_PATH_DECL): +* llint/LowLevelInterpreter.asm: +Updated the operand indecies for the processing of the updated bytecodes. + 2014-10-31
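Review bot: the entry states the new scope operand 'is not used in the processing of the bytecodes' and 'will be addressed in a future patch' without a bug number for that follow-up; cite it so the placeholder operand can be traced to the change that consumes it. Minor: 'indecies' should be 'indices'.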
[webkit-changes] [175442] trunk/Tools
Title: [175442] trunk/Tools Revision 175442 Author msab...@apple.com Date 2014-10-31 17:23:29 -0700 (Fri, 31 Oct 2014) Log Message No way to specify target os or architecture when using the --no-copy option with run-jsc-stress-tests https://bugs.webkit.org/show_bug.cgi?id=138268 Reviewed by Andreas Kling. Added a --arch and --os option to set or override the values that are normally computed based on examining the _javascript_Core we want to test. * Scripts/run-jsc-stress-tests: Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/Tools/ChangeLog (175441 => 175442) --- trunk/Tools/ChangeLog 2014-11-01 00:12:51 UTC (rev 175441) +++ trunk/Tools/ChangeLog 2014-11-01 00:23:29 UTC (rev 175442) @@ -1,3 +1,15 @@ +2014-10-31 Michael Saboff msab...@apple.com + +No way to specify target os or architecture when using the --no-copy option with run-jsc-stress-tests +https://bugs.webkit.org/show_bug.cgi?id=138268 + +Reviewed by Andreas Kling. + +Added a --arch and --os option to set or override the values that are +normally computed based on examining the _javascript_Core we want to test. + +* Scripts/run-jsc-stress-tests: + 2014-10-31 Dan Bernstein m...@apple.com llvmForJSC build emits a linker warning that it can't find usr/local/LLVMForJavaScriptCore/lib under the build directory Modified: trunk/Tools/Scripts/run-jsc-stress-tests (175441 => 175442) --- trunk/Tools/Scripts/run-jsc-stress-tests 2014-11-01 00:12:51 UTC (rev 175441) +++ trunk/Tools/Scripts/run-jsc-stress-tests 2014-11-01 00:23:29 UTC (rev 175442) @@ -114,7 +114,10 @@ $remoteHost = nil $remotePort = nil $remoteDirectory = nil +$architecture = nil +$hostOS = nil + def usage puts run-jsc-stress-tests -j shell path collections path [collections path ...] puts 
@@ -128,6 +131,10 @@ puts --verbose(-v) Print more things while running. puts --run-bundleRuns a bundle previously created by run-jsc-stress-tests. puts --tarball [fileName]Creates a tarball of the final bundle. Use name if supplied for tar file. +puts --arch Specify architecture instead of determining from _javascript_Core build. +puts e.g. x86, x86_64, arm. +puts --osSpecify os instead of determining from _javascript_Core build. +puts e.g. darwin, linux windows. puts --shell-runner Uses the shell-based test runner instead of the default make-based runner. puts In general the shell runner is slower than the make runner. puts --remoteSpecify a remote host on which to run tests. @@ -147,6 +154,8 @@ ['--run-bundle', GetoptLong::REQUIRED_ARGUMENT], ['--tarball', GetoptLong::OPTIONAL_ARGUMENT], ['--force-vm-copy', GetoptLong::NO_ARGUMENT], + ['--arch', GetoptLong::REQUIRED_ARGUMENT], + ['--os', GetoptLong::REQUIRED_ARGUMENT], ['--shell-runner', GetoptLong::NO_ARGUMENT], ['--remote', GetoptLong::REQUIRED_ARGUMENT], ['--child-processes', '-c', GetoptLong::REQUIRED_ARGUMENT], @@ -186,6 +195,10 @@ $remoteUser, $remoteHost, $remotePort = uri.user, uri.host, uri.port when '--child-processes' $numProcessors = arg.to_i +when '--arch' +$architecture = arg +when '--os' +$hostOS = arg end } @@ -257,8 +270,8 @@ end end -$architecture = determineArchitecture -$hostOS = determineOS +$architecture = determineArchitecture unless $architecture +$hostOS = determineOS unless $hostOS $numFailures = 0 ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
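Review bot: in the usage hunk the `--os` help text reads `e.g. darwin, linux windows.`, missing the comma between linux and windows; the `--arch` line (`e.g. x86, x86_64, arm.`) is fine. Since these two strings are the only documentation of which values the script accepts, they should list exactly the spellings that the rest of the script and the `//@ skip if $architecture == ...` test directives compare against.

Review bot: the `when '--arch'` and `when '--os'` cases store the argument as given (`$architecture = arg`, `$hostOS = arg`) with no validation, and the last hunk then bypasses `determineArchitecture` / `determineOS` whenever a value is present. A typo such as `--arch x64` or `--os osx` is therefore never reported; it just makes every `//@ skip if $architecture == arm64 and $hostOS == darwin` style directive (see the test files touched by r175586 and r175587 further down this page) evaluate false, so tests that were deliberately disabled run anyway, and tests gated the other way are silently skipped. Suggest rejecting values outside the set the usage text lists (x86, x86_64, arm; darwin, linux, windows) with the usage message, or at least printing a warning when the override differs from what `determineArchitecture`/`determineOS` would have computed from the binary.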
[webkit-changes] [175471] trunk/Source/JavaScriptCore
Title: [175471] trunk/Source/JavaScriptCore
Revision 175471
Author msab...@apple.com
Date 2014-11-03 09:56:29 -0800 (Mon, 03 Nov 2014)
Log Message
Add scope operand to op_resolve_scope
https://bugs.webkit.org/show_bug.cgi?id=138253
Reviewed by Mark Lam.
Added scope operand to op_resolve_scope. Although the scope register is filled in with the ScopeChain register, this operand is not used in the processing of the bytecode. That will be addressed in a future patch.
* bytecode/BytecodeList.json: Lengthened the three bytecodes.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode): Added code to dump the scope operand.
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
Updated the operand indices for the processing of op_resolve_scope.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitResolveScope):
(JSC::BytecodeGenerator::emitGetOwnScope):
(JSC::BytecodeGenerator::emitReturn):
Added scope register to these emit functions and the bytecodes they emit.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emitSlow_op_resolve_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emitSlow_op_resolve_scope):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Updated the operand indices for the processing of op_resolve_scope.
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/BytecodeList.json trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGCapabilities.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175470 => 175471) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-03 15:47:08 UTC (rev 175470) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-03 17:56:29 UTC (rev 175471) 
@@ -1,3 +1,44 @@ +2014-11-01 Michael Saboff msab...@apple.com + +Add scope operand to op_resolve_scope +https://bugs.webkit.org/show_bug.cgi?id=138253 + +Reviewed by Mark Lam. + +Added scope operand to op_resolve_scope. Although the scope register is filled in with +the ScopeChain register, this operand is not used in the processing of the bytecode. +That will be addressed in a future patch. + +* bytecode/BytecodeList.json: Lengthened the three bytecodes. +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::dumpBytecode): Added code to dump the scope operand. + +(JSC::CodeBlock::CodeBlock): +(JSC::CodeBlock::finalizeUnconditionally): +Updated the operand indecies for the processing of op_resolve_scope. + +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::emitResolveScope): +(JSC::BytecodeGenerator::emitGetOwnScope): +(JSC::BytecodeGenerator::emitReturn): +Added scope register to these emit functions and the bytecodes they emit. + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::parseBlock): +* dfg/DFGCapabilities.cpp: +(JSC::DFG::capabilityLevel): +* jit/JITPropertyAccess.cpp: +(JSC::JIT::emit_op_resolve_scope): +(JSC::JIT::emitSlow_op_resolve_scope): +* jit/JITPropertyAccess32_64.cpp: +(JSC::JIT::emit_op_resolve_scope): +(JSC::JIT::emitSlow_op_resolve_scope): +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::LLINT_SLOW_PATH_DECL): +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +Updated the operand indecies for the processing of op_resolve_scope. + 2014-11-01 Carlos Garcia Campos cgar...@igalia.com REGRESSION(CMake): Make it possible to build without introspection Modified: trunk/Source/_javascript_Core/bytecode/BytecodeList.json (175470 => 175471) --- trunk/Source/_javascript_Core/bytecode/BytecodeList.json 2014-11-03 15:47:08 UTC (rev 175470) +++ trunk/Source/_javascript_Core/bytecode/BytecodeList.json 2014-11-03 17:56:29 UTC (rev 175471) 
@@ -104,7 +104,7 @@ { name : op_construct_varargs, length : 9 }, { name : op_strcat, length : 4 }, { name : op_to_primitive, length : 3 }, -{ name : op_resolve_scope, length : 6 }, +{ name : op_resolve_scope, length : 7 }, { name : op_get_from_scope, length : 8 }, { name :
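Review bot: the ChangeLog line `+* bytecode/BytecodeList.json: Lengthened the three bytecodes.` is carried over from the op_push_with_scope / op_push_name_scope / op_pop_scope entry; this patch lengthens a single opcode (the json hunk changes `op_resolve_scope` from `length : 6` to `length : 7`), so the wording should say that. The same entry also spells `indecies` twice. On substance: the Modified Paths list contains no bytecode/BytecodeUseDef.h, whereas r175508 later on this page updates computeUsesForBytecodeOffset and computeDefsForBytecodeOffset for its new opcode. The entry states the new operand is not yet read, so nothing is broken today, but the moment the LLInt or JIT handlers start consuming it the use table must record the scope register as a use of op_resolve_scope, or anything derived from those tables (liveness, in particular) will consider that register dead across the instruction. Worth a FIXME in the ChangeLog or in BytecodeUseDef.h so the follow-up patch does not miss it.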
[webkit-changes] [175508] trunk/Source/JavaScriptCore
Title: [175508] trunk/Source/JavaScriptCore
Revision 175508
Author msab...@apple.com
Date 2014-11-03 19:36:28 -0800 (Mon, 03 Nov 2014)
Log Message
Add get scope byte code
https://bugs.webkit.org/show_bug.cgi?id=138326
Reviewed by Mark Lam.
Added op_get_scope. Added implementations for the LLInt and baseline JIT. Provided nop implementation for DFG and FTL. The new byte code is emitted after op_enter for any function, program or eval. It is expected that the DFG will be implemented such that unneeded op_get_scope would be eliminated during DFG compilation.
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
Added new op_get_scope bytecode.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitGetScope):
* bytecompiler/BytecodeGenerator.h:
Emit new op_get_scope bytecode.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
Added framework for new op_get_scope bytecode.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_scope):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_scope):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Implementation of op_get_scope bytecode.
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/BytecodeList.json trunk/Source/_javascript_Core/bytecode/BytecodeUseDef.h trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGCapabilities.cpp trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175507 => 175508) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-04 03:04:31 UTC (rev 175507) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-04 03:36:28 UTC (rev 175508) 
@@ -1,3 +1,47 @@ +2014-11-03 Michael Saboff msab...@apple.com + +Add get scope byte code +https://bugs.webkit.org/show_bug.cgi?id=138326 + +Reviewed by Mark Lam. + +Added op_get_scope. Added implementations for the LLInt and baseline JIT. +Provided nop implementation for DFG and FTL. The new byte code is emitted +after op_enter for any function, program or eval. It is expected that the +DFG will be implemented such that unneeded op_get_scope would be eliminated +during DFG compilation. + +* bytecode/BytecodeList.json: +* bytecode/BytecodeUseDef.h: +(JSC::computeUsesForBytecodeOffset): +(JSC::computeDefsForBytecodeOffset): +Added new op_get_scope bytecode. + +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::BytecodeGenerator): +(JSC::BytecodeGenerator::emitGetScope): +* bytecompiler/BytecodeGenerator.h: +Emit new op_get_scope bytecode. + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::parseBlock): +* dfg/DFGCapabilities.cpp: +(JSC::DFG::capabilityLevel): +Added framework for new op_get_scope bytecode. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::dumpBytecode): +* jit/JIT.cpp: +(JSC::JIT::privateCompileMainPass): +* jit/JIT.h: +* jit/JITOpcodes.cpp: +(JSC::JIT::emit_op_get_scope): +* jit/JITOpcodes32_64.cpp: +(JSC::JIT::emit_op_get_scope): +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +Implementation of op_get_scope bytecode. + 2014-11-03 Joseph Pecoraro pecor...@apple.com Web Inspector: Fix RWIProtocol 64-to-32 bit conversion warnings Modified: trunk/Source/_javascript_Core/bytecode/BytecodeList.json (175507 => 175508) --- trunk/Source/_javascript_Core/bytecode/BytecodeList.json 2014-11-04 03:04:31 UTC (rev 175507) +++ trunk/Source/_javascript_Core/bytecode/BytecodeList.json 2014-11-04 03:36:28 UTC (rev 175508) 
@@ -5,6 +5,7 @@ bytecodes : [ { name : op_enter, length : 1 }, { name : op_create_lexical_environment, length : 2 }, +{ name : op_get_scope, length : 2 }, { name : op_touch_entry, length : 1 }, { name : op_init_lazy_reg, length : 2 }, { name : op_create_arguments, length : 2 }, Modified:
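Review bot: `Provided nop implementation for DFG and FTL` in the ChangeLog is too vague to review against. The json hunk gives op_get_scope `length : 2`, i.e. it has a destination operand, so a DFG handler that emits literally nothing would leave that register undefined in DFG/FTL-compiled code unless the parser already materializes the scope into it by another route. The entry's own expectation (`unneeded op_get_scope would be eliminated during DFG compilation`) implies the DFG must define the dst and only drop the node when it is unused; state that in the ChangeLog, and add a stress test that reads the value produced by op_get_scope after tiering up so the DFG path is exercised rather than only the LLInt and baseline JIT ones. Minor: the new json entry sits between op_create_lexical_environment and op_touch_entry while the text says the opcode is emitted right after op_enter; list order does not dictate emission order, so this is fine, just easy to misread.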
[webkit-changes] [175509] trunk/Source/JavaScriptCore
Title: [175509] trunk/Source/JavaScriptCore
Revision 175509
Author msab...@apple.com
Date 2014-11-03 19:53:18 -0800 (Mon, 03 Nov 2014)
Log Message
Update scope related slow path code to use scope register added to opcodes
https://bugs.webkit.org/show_bug.cgi?id=138254
Reviewed by Mark Lam.
Updated slow paths for op_pop_scope, op_push_name_scope and op_push_with_scope. Added scope register index parameter to the front of the relevant argument lists of the slow functions. In the case of op_push_name_scope for x86 (32 bit), there aren't enough registers to accommodate all the parameters. Therefore, added two new JSVALUE32_64 slow paths called operationPushCatchScope() and operationPushFunctionNameScope() to eliminate the last type argument.
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr): Added a new template to take 6 arguments.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
New variants of setupArgumentsWithExecState() and callOperation() to handle the new combinations of argument types and counts.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_pop_scope):
(JSC::JIT::emit_op_push_name_scope):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_pop_scope):
(JSC::JIT::emit_op_push_name_scope):
Use the new slow paths.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
Updates to set the scope result using the scope register index. Added operationPushCatchScope() and operationPushFunctionNameScope().
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
Updated the scope slow paths to use the scope register index in the instruction to read and write the register instead of using CallFrame::scope() and CallFrame::setScope().
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h trunk/Source/_javascript_Core/jit/CCallHelpers.h trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITInlines.h trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175508 => 175509) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-04 03:36:28 UTC (rev 175508) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-04 03:53:18 UTC (rev 175509) 
@@ -1,5 +1,51 @@ 2014-11-03 Michael Saboff msab...@apple.com +Update scope related slow path code to use scope register added to opcodes +https://bugs.webkit.org/show_bug.cgi?id=138254 + +Reviewed by Mark Lam. + +Updated slow paths for op_pop_scope, op_push_name_scope and op_push_with_scope. +Added scope register index parameter to the front of the relevant argument lists of the +slow functions. In the case of op_push_name_scope for x86 (32 bit), there aren't enough +registers to accomodate all the parameters. Therefore, added two new JSVALUE32_64 slow +paths called operationPushCatchScope() and operationPushFunctionNameScope() to eliminate +the last type argument. + + +* assembler/MacroAssemblerCodeRef.h: +(JSC::FunctionPtr::FunctionPtr): Added a new template to take 6 arguments. + +* jit/CCallHelpers.h: +(JSC::CCallHelpers::setupArgumentsWithExecState): +* jit/JIT.h: +* jit/JITInlines.h: +(JSC::JIT::callOperation): +New variants of setupArgumentsWithExecState() and callOperation() to handle the new +combinations of argument types and counts. + +* jit/JITOpcodes.cpp: +(JSC::JIT::emit_op_push_with_scope): +(JSC::JIT::emit_op_pop_scope): +(JSC::JIT::emit_op_push_name_scope): +* jit/JITOpcodes32_64.cpp: +(JSC::JIT::emit_op_push_with_scope): +(JSC::JIT::emit_op_pop_scope): +(JSC::JIT::emit_op_push_name_scope): +Use the new slow paths. + +* jit/JITOperations.cpp: +* jit/JITOperations.h: +Updates to set the scope result using the scope register index. Added operationPushCatchScope() +and operationPushFunctionNameScope(). + +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::LLINT_SLOW_PATH_DECL): +Updated the scope slow paths to use the scope register index in the instruction to read and +write the register instead of using CallFrame::scope() and CallFrame::setScope(). 
+ +2014-11-03 Michael Saboff msab...@apple.com + Add get scope byte code https://bugs.webkit.org/show_bug.cgi?id=138326 Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (175508 => 175509) --- trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h
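Review bot: the ChangeLog entry has a doubled blank line (two consecutive empty `+` lines) after `the last type argument.` and before `* assembler/MacroAssemblerCodeRef.h:`; WebKit ChangeLogs use a single blank line between paragraphs. On the design the entry describes: because x86 32-bit cannot pass the new scope-register index together with the type argument, two JSVALUE32_64-only slow paths, `operationPushCatchScope()` and `operationPushFunctionNameScope()`, are added. Make sure those are thin wrappers that forward to the same code the 64-bit op_push_name_scope operation uses rather than re-implementing it, so the two pointer-width builds cannot diverge. And since the slow paths now read and write the scope through the register index carried in the instruction instead of `CallFrame::scope()`/`CallFrame::setScope()`, the LLInt and both JITs must agree on which operand that index lives in; an assertion in the LLInt slow path that the register it is handed is the one the generator wrote would catch an off-by-one in the operand layout early.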
[webkit-changes] [175586] trunk/LayoutTests
Title: [175586] trunk/LayoutTests
Revision 175586
Author msab...@apple.com
Date 2014-11-04 16:26:08 -0800 (Tue, 04 Nov 2014)
Log Message
Disable flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
https://bugs.webkit.org/show_bug.cgi?id=138379
Reviewed by Mark Lam.
Disabled these tests for ARM64. Will address the failures and then re-enable.
* js/script-tests/dfg-int16array.js:
* js/script-tests/dfg-int8array.js:
Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/script-tests/dfg-int16array.js trunk/LayoutTests/js/script-tests/dfg-int8array.js
Diff
Modified: trunk/LayoutTests/ChangeLog (175585 => 175586) --- trunk/LayoutTests/ChangeLog 2014-11-05 00:22:46 UTC (rev 175585) +++ trunk/LayoutTests/ChangeLog 2014-11-05 00:26:08 UTC (rev 175586) @@ -1,3 +1,15 @@ +2014-11-04 Michael Saboff msab...@apple.com + +Disable flakey dfg-int8array.js and dfg-int16array.js tests for ARM64 +https://bugs.webkit.org/show_bug.cgi?id=138379 + +Reviewed by Mark Lam. + +Disabled these test for ARM64. Will address the failures and then re-enable. + +* js/script-tests/dfg-int16array.js: +* js/script-tests/dfg-int8array.js: + 2014-11-04 Myles C. Maxfield mmaxfi...@apple.com [OSX] CJK characters styled with font-family: cursive are italicized Modified: trunk/LayoutTests/js/script-tests/dfg-int16array.js (175585 => 175586) --- trunk/LayoutTests/js/script-tests/dfg-int16array.js 2014-11-05 00:22:46 UTC (rev 175585) +++ trunk/LayoutTests/js/script-tests/dfg-int16array.js 2014-11-05 00:26:08 UTC (rev 175586) @@ -1,3 +1,5 @@ +//@ skip if $architecture == arm64 and $hostOS == darwin + description( This tests that int16 arrays work in the DFG. ); Modified: trunk/LayoutTests/js/script-tests/dfg-int8array.js (175585 => 175586) --- trunk/LayoutTests/js/script-tests/dfg-int8array.js 2014-11-05 00:22:46 UTC (rev 175585) +++ trunk/LayoutTests/js/script-tests/dfg-int8array.js 2014-11-05 00:26:08 UTC (rev 175586)
@@ -1,3 +1,5 @@ +//@ skip if $architecture == arm64 and $hostOS == darwin + description( This tests that int8 arrays work in the DFG. );
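Review bot: the directive `//@ skip if $architecture == arm64 and $hostOS == darwin` is narrower than the ChangeLog title `Disable ... tests for ARM64`: on arm64 with any other `$hostOS` both tests keep running. If the flakiness is specific to the Darwin ARM64 configuration, say so in the ChangeLog; if it is the architecture, drop the `$hostOS` clause. Note also that `$architecture` and `$hostOS` are exactly the two globals r175442 (earlier on this page) lets a user override with `--arch`/`--os`, so a run with a mistyped override will not skip these tests. Since the entry promises to re-enable later, consider repeating the bug number next to the directive in each file; the ChangeLog is the only place it lives now, and whoever removes the skip will be looking at the test file, not the ChangeLog.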
[webkit-changes] [175587] trunk/Source/JavaScriptCore
Title: [175587] trunk/Source/JavaScriptCore
Revision 175587
Author msab...@apple.com
Date 2014-11-04 16:29:21 -0800 (Tue, 04 Nov 2014)
Log Message
Disable flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
https://bugs.webkit.org/show_bug.cgi?id=138381
Reviewed by Mark Lam.
Disabled these tests for ARM64. Will address the failures and then re-enable.
* tests/stress/float32-repeat-out-of-bounds.js:
* tests/stress/int8-repeat-out-of-bounds.js:
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (175586 => 175587) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-05 00:26:08 UTC (rev 175586) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-05 00:29:21 UTC (rev 175587) @@ -1,3 +1,15 @@ +2014-11-04 Michael Saboff msab...@apple.com + +Disable flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64 +https://bugs.webkit.org/show_bug.cgi?id=138381 + +Reviewed by Mark Lam. + +Disabled these test for ARM64. Will address the failures and then re-enable. + +* tests/stress/float32-repeat-out-of-bounds.js: +* tests/stress/int8-repeat-out-of-bounds.js: + 2014-11-04 Joseph Pecoraro pecor...@apple.com Web Inspector: Enum value collisions between different generators Modified: trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js (175586 => 175587) --- trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js 2014-11-05 00:26:08 UTC (rev 175586) +++ trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js 2014-11-05 00:29:21 UTC (rev 175587)
@@ -1,3 +1,4 @@ +//@ skip if $architecture == arm64 and $hostOS == darwin //@ defaultNoEagerRun function foo(a) { Modified: trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js (175586 => 175587) --- trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js 2014-11-05 00:26:08 UTC (rev 175586) +++ trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js 2014-11-05 00:29:21 UTC (rev 175587) @@ -1,3 +1,4 @@ +//@ skip if $architecture == arm64 and $hostOS == darwin //@ defaultNoEagerRun function foo(a) {
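Review bot: both files end up with two directive lines, the new `//@ skip if $architecture == arm64 and $hostOS == darwin` immediately followed by the pre-existing `//@ defaultNoEagerRun`. The runner evaluates each `//@` line in turn, so the question is whether `skip` on the first line actually suppresses the run commands that `defaultNoEagerRun` adds on the second; if it does not, the tests are still scheduled on arm64/darwin and this commit changes nothing there. r175644 further down this page rewrites exactly these two lines into a single `//@ if $architecture == arm64 and $hostOS == darwin then skip else defaultNoEagerRun end`, which suggests the two-line form did not have the intended effect; the conditional form should be used from the start whenever a file already carries a run directive.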
[webkit-changes] [175590] trunk/PerformanceTests/SunSpider
Title: [175590] trunk/PerformanceTests/SunSpider
Revision 175590
Author msab...@apple.com
Date 2014-11-04 16:53:55 -0800 (Tue, 04 Nov 2014)
Log Message
Disable failing v8-deltablue.js for ARM
https://bugs.webkit.org/show_bug.cgi?id=138382
Reviewed by Geoffrey Garen.
This test is failing on ARM 32 bit.
* tests/v8-v6/v8-deltablue.js:
Modified Paths trunk/PerformanceTests/SunSpider/ChangeLog trunk/PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js
Diff
Modified: trunk/PerformanceTests/SunSpider/ChangeLog (175589 => 175590) --- trunk/PerformanceTests/SunSpider/ChangeLog 2014-11-05 00:35:29 UTC (rev 175589) +++ trunk/PerformanceTests/SunSpider/ChangeLog 2014-11-05 00:53:55 UTC (rev 175590) @@ -1,3 +1,14 @@ +2014-11-04 Michael Saboff msab...@apple.com + +Disable failing v8-deltablue.js for ARM +https://bugs.webkit.org/show_bug.cgi?id=138382 + +Reviewed by Geoffrey Garen. + +This test is failing on ARM 32 bit. + +* tests/v8-v6/v8-deltablue.js: + 2014-07-08 Gergo Balogh gbalogh.u-sze...@partner.samsung.com Add option to specify output file location in sunspider. Modified: trunk/PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js (175589 => 175590) --- trunk/PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js 2014-11-05 00:35:29 UTC (rev 175589) +++ trunk/PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js 2014-11-05 00:53:55 UTC (rev 175590) @@ -1,3 +1,4 @@ +//@ skip if $architecture == arm and $hostOS == darwin // Copyright 2008 the V8 project authors. All rights reserved. // Copyright 1996 John Maloney and Mario Wolczko.
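Review bot: the ChangeLog says `This test is failing on ARM 32 bit` but the directive `//@ skip if $architecture == arm and $hostOS == darwin` only skips on Darwin, so an ARM 32-bit bot on any other OS keeps running and failing it. Either drop the `$hostOS` clause or state in the ChangeLog that the failure is specific to Darwin. Also note that, unlike the two sibling commits on this page, the title says `failing` rather than `flakey`; if it fails deterministically, the ChangeLog should say what fails (assertion, crash, timeout) so the bug has something to start from, since this entry is the only record of it in the SunSpider tree.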
[webkit-changes] [175644] trunk/Source/JavaScriptCore
Title: [175644] trunk/Source/JavaScriptCore
Revision 175644
Author msab...@apple.com
Date 2014-11-05 15:20:28 -0800 (Wed, 05 Nov 2014)
Log Message
Disable flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
https://bugs.webkit.org/show_bug.cgi?id=138381
Reviewed by Mark Lam.
Disabled these tests for ARM64. Will address the failures and then re-enable.
* tests/stress/float32-repeat-out-of-bounds.js:
* tests/stress/int8-repeat-out-of-bounds.js:
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (175643 => 175644) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-05 22:52:42 UTC (rev 175643) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-05 23:20:28 UTC (rev 175644) @@ -1,3 +1,15 @@ +2014-11-05 Michael Saboff msab...@apple.com + +Disable flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64 +https://bugs.webkit.org/show_bug.cgi?id=138381 + +Reviewed by Mark Lam. + +Disabled these test for ARM64. Will address the failures and then re-enable. + +* tests/stress/float32-repeat-out-of-bounds.js: +* tests/stress/int8-repeat-out-of-bounds.js: + 2014-11-05 Alexey Proskuryakov a...@apple.com Incorrect sandbox_check in RemoteInspector.mm Modified: trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js (175643 => 175644) --- trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js 2014-11-05 22:52:42 UTC (rev 175643) +++ trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js 2014-11-05 23:20:28 UTC (rev 175644)
@@ -1,5 +1,4 @@ -//@ skip if $architecture == arm64 and $hostOS == darwin -//@ defaultNoEagerRun +//@ if $architecture == arm64 and $hostOS == darwin then skip else defaultNoEagerRun end function foo(a) { a[0] = 1; Modified: trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js (175643 => 175644) --- trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js 2014-11-05 22:52:42 UTC (rev 175643) +++ trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js 2014-11-05 23:20:28 UTC (rev 175644) @@ -1,5 +1,4 @@ -//@ skip if $architecture == arm64 and $hostOS == darwin -//@ defaultNoEagerRun +//@ if $architecture == arm64 and $hostOS == darwin then skip else defaultNoEagerRun end function foo(a) { a[0] = 1;
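Review bot: the ChangeLog entry is a verbatim copy of the 2014-11-04 entry for the same bug (`Disabled these test for ARM64. Will address the failures and then re-enable.`) and does not describe what this commit actually changes, which is replacing the two directive lines with one `//@ if $architecture == arm64 and $hostOS == darwin then skip else defaultNoEagerRun end`. Say why: the visible diff implies the separate `//@ skip` line added in r175587 did not stop the following `//@ defaultNoEagerRun` line from scheduling runs, and that is exactly the fact a reader of this entry needs, both to understand this change and to avoid repeating the two-line pattern in other tests. Also `these test` should be `these tests`, in both the title block and the entry.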
[webkit-changes] [175706] trunk/Source
Title: [175706] trunk/Source
Revision 175706
Author msab...@apple.com
Date 2014-11-06 11:47:17 -0800 (Thu, 06 Nov 2014)
Log Message
REGRESSION (r174985-174986): Site display disappears
https://bugs.webkit.org/show_bug.cgi?id=138082
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
In support of the change in WebCore, this adds a new functor class to unwind to our caller's frame, possibly skipping intermediate C++ frames.
* interpreter/StackVisitor.h:
(JSC::CallerFunctor::CallerFunctor):
(JSC::CallerFunctor::callerFrame):
(JSC::CallerFunctor::operator()):
Source/WebCore:
This effectively reverts to the behavior before r174985 by using the lexical global object of the caller's frame to find the active document. Before r174985, native functions were invoked with the ScopeChain of their caller. The lexical global object is accessed from the ScopeChain.
* bindings/js/JSHTMLDocumentCustom.cpp:
(WebCore::JSHTMLDocument::getOwnPropertySlot):
(WebCore::findOwningDocument):
(WebCore::documentWrite):
(WebCore::JSHTMLDocument::write):
(WebCore::JSHTMLDocument::writeln):
* html/HTMLDocument.idl:
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/interpreter/StackVisitor.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp trunk/Source/WebCore/html/HTMLDocument.idl
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (175705 => 175706) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-06 19:38:51 UTC (rev 175705) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-06 19:47:17 UTC (rev 175706)
@@ -1,3 +1,18 @@ +2014-11-06 Michael Saboff msab...@apple.com + +REGRESSION (r174985-174986): Site display disappears +https://bugs.webkit.org/show_bug.cgi?id=138082 + +Reviewed by Geoffrey Garen. + +In support of the change in WebCore, this adds a new functor class to unwind to our +caller's frame possibly skipping of intermediate C++ frames. + +* interpreter/StackVisitor.h: +(JSC::CallerFunctor::CallerFunctor): +(JSC::CallerFunctor::callerFrame): +(JSC::CallerFunctor::operator()): + 2014-11-06 Gyuyoung Kim gyuyoung@samsung.com Use std::unique_ptr in CodeBlock class Modified: trunk/Source/_javascript_Core/interpreter/StackVisitor.h (175705 => 175706) --- trunk/Source/_javascript_Core/interpreter/StackVisitor.h 2014-11-06 19:38:51 UTC (rev 175705) +++ trunk/Source/_javascript_Core/interpreter/StackVisitor.h 2014-11-06 19:47:17 UTC (rev 175706) @@ -150,6 +150,32 @@ Frame m_frame; }; +class CallerFunctor { +public: +CallerFunctor() +: m_hasSkippedFirstFrame(false) +, m_callerFrame(0) +{ +} + +CallFrame* callerFrame() const { return m_callerFrame; } + +StackVisitor::Status operator()(StackVisitor visitor) +{ +if (!m_hasSkippedFirstFrame) { +m_hasSkippedFirstFrame = true; +return StackVisitor::Continue; +} + +m_callerFrame = visitor-callFrame(); +return StackVisitor::Done; +} + +private: +bool m_hasSkippedFirstFrame; +CallFrame* m_callerFrame; +}; + } // namespace JSC #endif // StackVisitor_h Modified: trunk/Source/WebCore/ChangeLog (175705 => 175706) --- trunk/Source/WebCore/ChangeLog 2014-11-06 19:38:51 UTC (rev 175705) +++ trunk/Source/WebCore/ChangeLog 2014-11-06 19:47:17 UTC (rev 175706) 
@@ -1,3 +1,23 @@ +2014-11-06 Michael Saboff msab...@apple.com + +REGRESSION (r174985-174986): Site display disappears +https://bugs.webkit.org/show_bug.cgi?id=138082 + +Reviewed by Geoffrey Garen. + +This effectively reverts to the behavior before r174985 by using the +lexical global object of the caller's frame to find the active document. +Before r174985, native functions are invoked with the ScopeShain of their +caller. The lexical global object is accessed from the ScopeChain. + +* bindings/js/JSHTMLDocumentCustom.cpp: +(WebCore::JSHTMLDocument::getOwnPropertySlot): +(WebCore::findOwningDocument): +(WebCore::documentWrite): +(WebCore::JSHTMLDocument::write): +(WebCore::JSHTMLDocument::writeln): +* html/HTMLDocument.idl: + 2014-11-05 Sam Weinig s...@webkit.org Use std::unique_ptr for TileController Modified: trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp (175705 => 175706) --- trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2014-11-06 19:38:51 UTC (rev 175705) +++ trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2014-11-06 19:47:17 UTC (rev 175706) @@ -41,6 +41,7 @@ #include JSMainThreadExecState.h #include SegmentedString.h #include DocumentParser.h +#include interpreter/StackVisitor.h #include runtime/Error.h #include runtime/JSCell.h #include wtf/unicode/CharacterNames.h @@ -66,14 +67,6 @@ slot.setCustom(thisObject, ReadOnly | DontDelete |
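Review bot: `CallerFunctor` skips exactly one visited frame and returns whatever comes next (`m_hasSkippedFirstFrame` flips once, then `m_callerFrame = visitor-callFrame(); return StackVisitor::Done;`), so the ChangeLog's `possibly skipping of intermediate C++ frames` is not what the code does: if the second frame the visitor hands it is a host frame, that is what `callerFrame()` returns. Either reword the ChangeLog or make the functor keep returning `Continue` until it reaches a frame with JS code. Two more points on the same hunk: `m_callerFrame` starts as `0` and is assigned only if a second frame exists, so every caller must handle a null result (a native function with nothing above it on the JS stack), and `nullptr` is preferred over `0` for the pointer member. The archived text shows `operator()(StackVisitor visitor)` and `visitor-callFrame()`; presumably `StackVisitor&` and `->` were lost in the mail rendering, worth confirming against the tree.

Review bot: the WebCore portion shown here stops after the new `#include interpreter/StackVisitor.h` and the truncated `slot.setCustom(thisObject, ReadOnly | DontDelete |` line, yet it is the security-relevant half of the change: per the ChangeLog, `findOwningDocument` now picks the document that `document.write`/`writeln` appends markup to from the caller frame's lexical global object. In the full diff, check the two cases the functor makes possible: `callerFrame()` returning null (no JS caller), which must fall back to a safe document rather than dereference it, and a caller whose global object belongs to a different origin than the JSHTMLDocument being written, which must still go through the same access check as before r174985. Because the entry frames this as a behavioural revert, a LayoutTest that calls `document.write` from a cross-frame caller would pin the intended behaviour down. ChangeLog typo: `ScopeShain` for `ScopeChain`.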
[webkit-changes] [175762] trunk/Source/JavaScriptCore
Title: [175762] trunk/Source/JavaScriptCore
Revision 175762
Author msab...@apple.com
Date 2014-11-07 13:58:43 -0800 (Fri, 07 Nov 2014)
Log Message
Update scope related slow path code to use scope register added to opcodes
https://bugs.webkit.org/show_bug.cgi?id=138254
Reviewed by Mark Lam.
Updated slow paths for op_pop_scope, op_push_name_scope and op_push_with_scope. Added scope register index parameter to the front of the relevant argument lists of the slow functions. In the case of op_push_name_scope for x86 (32 bit), there aren't enough registers to accommodate all the parameters. Therefore, added two new JSVALUE32_64 slow paths called operationPushCatchScope() and operationPushFunctionNameScope() to eliminate the last type argument.
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr): Added a new template to take 6 arguments.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
New variants of setupArgumentsWithExecState() and callOperation() to handle the new combinations of argument types and counts.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_pop_scope):
(JSC::JIT::emit_op_push_name_scope):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_pop_scope):
(JSC::JIT::emit_op_push_name_scope):
Use the new slow paths.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
Updates to set the scope result using the scope register index. Added operationPushCatchScope() and operationPushFunctionNameScope().
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
Updated the scope slow paths to use the scope register index in the instruction to read and write the register instead of using CallFrame::scope() and CallFrame::setScope().
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h trunk/Source/_javascript_Core/jit/CCallHelpers.h trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITInlines.h trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175761 => 175762) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-07 21:29:45 UTC (rev 175761) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-07 21:58:43 UTC (rev 175762) 
@@ -1,3 +1,49 @@ +2014-11-07 Michael Saboff msab...@apple.com + +Update scope related slow path code to use scope register added to opcodes +https://bugs.webkit.org/show_bug.cgi?id=138254 + +Reviewed by Mark Lam. + +Updated slow paths for op_pop_scope, op_push_name_scope and op_push_with_scope. +Added scope register index parameter to the front of the relevant argument lists of the +slow functions. In the case of op_push_name_scope for x86 (32 bit), there aren't enough +registers to accomodate all the parameters. Therefore, added two new JSVALUE32_64 slow +paths called operationPushCatchScope() and operationPushFunctionNameScope() to eliminate +the last type argument. + + +* assembler/MacroAssemblerCodeRef.h: +(JSC::FunctionPtr::FunctionPtr): Added a new template to take 6 arguments. + +* jit/CCallHelpers.h: +(JSC::CCallHelpers::setupArgumentsWithExecState): +* jit/JIT.h: +* jit/JITInlines.h: +(JSC::JIT::callOperation): +New variants of setupArgumentsWithExecState() and callOperation() to handle the new +combinations of argument types and counts. + +* jit/JITOpcodes.cpp: +(JSC::JIT::emit_op_push_with_scope): +(JSC::JIT::emit_op_pop_scope): +(JSC::JIT::emit_op_push_name_scope): +* jit/JITOpcodes32_64.cpp: +(JSC::JIT::emit_op_push_with_scope): +(JSC::JIT::emit_op_pop_scope): +(JSC::JIT::emit_op_push_name_scope): +Use the new slow paths. + +* jit/JITOperations.cpp: +* jit/JITOperations.h: +Updates to set the scope result using the scope register index. Added operationPushCatchScope() +and operationPushFunctionNameScope(). + +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::LLINT_SLOW_PATH_DECL): +Updated the scope slow paths to use the scope register index in the instruction to read and +write the register instead of using CallFrame::scope() and CallFrame::setScope(). 
+ 2014-11-07 Gyuyoung Kim gyuyoung@samsung.com Apply std::unique_ptr to slowPathCall() Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (175761 => 175762) --- trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2014-11-07 21:29:45 UTC (rev 175761)
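Review bot: spelling in the new ChangeLog entry: "registers to accomodate all the parameters" should read "accommodate". It would also help a reader of the JITOperations.h bullet to repeat what the opening paragraph says, that operationPushCatchScope() and operationPushFunctionNameScope() exist only for the JSVALUE32_64 build and were added because the 32-bit calling convention cannot carry the extra type argument, so nobody looks for them on the 64-bit path.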
[webkit-changes] [175834] trunk/LayoutTests
Title: [175834] trunk/LayoutTests Revision 175834 Author msab...@apple.com Date 2014-11-10 15:23:49 -0800 (Mon, 10 Nov 2014) Log Message Add test for fix of REGRESSION (r174985-174986): Site display disappears https://bugs.webkit.org/show_bug.cgi?id=138470 Reviewed by Geoffrey Garen. This checks that document.write() and document.writeln() are cached and the same instance is always returned. * js/dom/document-write-functions-cached-expected.txt: Added. * js/dom/document-write-functions-cached.html: Added. Modified Paths trunk/LayoutTests/ChangeLog Added Paths trunk/LayoutTests/js/dom/document-write-functions-cached-expected.txt trunk/LayoutTests/js/dom/document-write-functions-cached.html Diff Modified: trunk/LayoutTests/ChangeLog (175833 => 175834) --- trunk/LayoutTests/ChangeLog 2014-11-10 22:48:10 UTC (rev 175833) +++ trunk/LayoutTests/ChangeLog 2014-11-10 23:23:49 UTC (rev 175834) @@ -1,3 +1,16 @@ +2014-11-10 Michael Saboff msab...@apple.com + +Add test for fix of REGRESSION (r174985-174986): Site display disappears +https://bugs.webkit.org/show_bug.cgi?id=138470 + +Reviewed by Geoffrey Garen. + +This checks that document.write() and document.writeln() are cached and the same instance +is always returned. + +* js/dom/document-write-functions-cached-expected.txt: Added. +* js/dom/document-write-functions-cached.html: Added. + 2014-11-04 Jer Noble jer.no...@apple.com REGRESSION(r174823): Several tests fail due to canplaythrough firing before tracks are available Added: trunk/LayoutTests/js/dom/document-write-functions-cached-expected.txt (0 => 175834) --- trunk/LayoutTests/js/dom/document-write-functions-cached-expected.txt (rev 0) +++ trunk/LayoutTests/js/dom/document-write-functions-cached-expected.txt 2014-11-10 23:23:49 UTC (rev 175834) 
@@ -0,0 +1,8 @@ +This page tests that the document functions write() and writeln() are cached. If the test passes, you'll see a PASS messages below. + +PASS: document.write is cached. +PASS: document.writeln is cached. +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/dom/document-write-functions-cached.html (0 => 175834) --- trunk/LayoutTests/js/dom/document-write-functions-cached.html (rev 0) +++ trunk/LayoutTests/js/dom/document-write-functions-cached.html 2014-11-10 23:23:49 UTC (rev 175834) @@ -0,0 +1,25 @@ +!DOCTYPE HTML +html +head +script src="" +/head +body +pThis page tests that the document functions write() and writeln() are cached. If the test passes, you'll see a PASS messages below./p +pre id=console/pre +script +if (document.write === document.write) +debug(PASS: document.write is cached.); +else +debug(FAIL: document.write is not cached, but should be.); + +if (document.writeln === document.writeln) +debug(PASS: document.writeln is cached.); +else +debug(FAIL: document.writeln is not cached, but should be.); + +if (this.testRunner) +testRunner.dumpAsText(); +/script +script src="" +/body +/html ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
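Review bot: grammar in the added paragraph of document-write-functions-cached.html: "you'll see a PASS messages below" should be "PASS messages below" (or "a PASS message"), and the identical sentence in the -expected.txt hunk has to change in lockstep or the test fails on text comparison. As rendered here both script tags carry src="", so confirm the committed file references the js-test-pre.js and js-test-post.js resources, since debug() and the "successfullyParsed is true" line in the expected output come from them.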
[webkit-changes] [175845] trunk/Source/JavaScriptCore
Title: [175845] trunk/Source/_javascript_Core Revision 175845 Author msab...@apple.com Date 2014-11-10 19:05:25 -0800 (Mon, 10 Nov 2014) Log Message Add scope operand to op_create_lexical_environment https://bugs.webkit.org/show_bug.cgi?id=138588 Reviewed by Geoffrey Garen. Added a second operand to op_create_lexical_environment that contains the scope register to update. Note that the DFG relies on operationCreateActivation() to update the scope register since we can't issue a set() with a non-local, non-argument register. This is temporary until the scope register is allocated as a local. * bytecode/BytecodeList.json: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): Added the scope register operand. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): Filled in the scope register operand. * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_create_lexical_environment): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_create_lexical_environment): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Set the scope register with the result of the appropriate create activation slow call. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/BytecodeList.json trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175844 => 175845) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-11 01:47:36 UTC (rev 175844) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-11 03:05:25 UTC (rev 175845) 
@@ -1,3 +1,34 @@ +2014-11-10 Michael Saboff msab...@apple.com + +Add scope operand to op_create_lexical_environment +https://bugs.webkit.org/show_bug.cgi?id=138588 + +Reviewed by Geoffrey Garen. + +Added a second operand to op_create_lexical_environment that contains the scope register +to update. Note that the DFG relies on operationCreateActivation() to update the +scope register since we can't issue a set() with a non-local, non-argument register. +This is temporary until the scope register is allocated as a local. + +* bytecode/BytecodeList.json: +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::dumpBytecode): +Added the scope register operand. + +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::BytecodeGenerator): +Filled in the scope register operand. + +* jit/JITOpcodes.cpp: +(JSC::JIT::emit_op_create_lexical_environment): +* jit/JITOpcodes32_64.cpp: +(JSC::JIT::emit_op_create_lexical_environment): +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::LLINT_SLOW_PATH_DECL): +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +Set the scope register with the result of the appropriate create activation slow call. + 2014-11-09 Akos Kiss ak...@inf.u-szeged.hu Fix 'noreturn' function does return warning in LLVMOverrides.cpp Modified: trunk/Source/_javascript_Core/bytecode/BytecodeList.json (175844 => 175845) --- trunk/Source/_javascript_Core/bytecode/BytecodeList.json 2014-11-11 01:47:36 UTC (rev 175844) +++ trunk/Source/_javascript_Core/bytecode/BytecodeList.json 2014-11-11 03:05:25 UTC (rev 175845) 
@@ -4,7 +4,7 @@ macroNameComponent : BYTECODE, asmPrefix : llint_, bytecodes : [ { name : op_enter, length : 1 }, -{ name : op_create_lexical_environment, length : 2 }, +{ name : op_create_lexical_environment, length : 3 }, { name : op_get_scope, length : 2 }, { name : op_touch_entry, length : 1 }, { name : op_init_lazy_reg, length : 2 }, Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (175844 => 175845) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2014-11-11 01:47:36 UTC (rev 175844) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2014-11-11 03:05:25 UTC (rev 175845) @@ -745,7 +745,9 @@ } case op_create_lexical_environment: { int r0 = (++it)-u.operand; -printLocationOpAndRegisterOperand(out, exec, location, it, create_lexical_environment, r0); +int r1 = (++it)-u.operand; +printLocationAndOp(out, exec, location, it, create_lexical_environment); +out.printf(%s %s, registerName(r0).data(), registerName(r1).data()); break; } case op_get_scope: { Modified:
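Review bot: the op_create_lexical_environment length bump from 2 to 3 in BytecodeList.json adds a register operand that the instruction now writes, but bytecode/BytecodeUseDef.h is not in this patch's file list, so computeUsesForBytecodeOffset/computeDefsForBytecodeOffset will still describe the instruction as defining only its first operand and DFG liveness will not see the scope register being written. Update the def side for the new operand in the same commit; the r176479 entry further down this page does exactly that ("Updated to properly represent the operand inputs and bytecode result").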
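Review bot: in the CodeBlock.cpp hunk, the new `out.printf("%s %s", registerName(r0).data(), registerName(r1).data())` separates the two register operands with a space; check that this matches the separator the other multi-operand cases in dumpBytecode use, so the dump stays consistent for anyone grepping bytecode dumps for a register name.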
[webkit-changes] [175998] trunk/Source/JavaScriptCore
Title: [175998] trunk/Source/_javascript_Core Revision 175998 Author msab...@apple.com Date 2014-11-11 18:33:43 -0800 (Tue, 11 Nov 2014) Log Message Use scope register when processing op_resolve_scope in LLInt and Baseline JIT https://bugs.webkit.org/show_bug.cgi?id=138637 Reviewed by Mark Lam. Filled out op_resolve_scope processing to use the scope operand to access the current scope chain. * jit/JIT.h: * jit/JITInlines.h: (JSC::JIT::callOperation): * jit/JITOperations.cpp: * jit/JITOperations.h: Added scope virtual register parameter to emitResolveClosure(). Added new callOperation() to support the additional argument. * jit/JITPropertyAccess.cpp: (JSC::JIT::emitResolveClosure): (JSC::JIT::emit_op_resolve_scope): (JSC::JIT::emitSlow_op_resolve_scope): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitResolveClosure): (JSC::JIT::emit_op_resolve_scope): (JSC::JIT::emitSlow_op_resolve_scope): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): Added scope parameter to emitResolveClosure(). Passed scope register index to slow path. Used scope virtual register instead of JSStack::ScopeChain. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITInlines.h trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (175997 => 175998) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-12 01:51:39 UTC (rev 175997) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-12 02:33:43 UTC (rev 175998) 
@@ -1,3 +1,34 @@ +2014-11-11 Michael Saboff msab...@apple.com + +Use scope register when processing op_resolve_scope in LLInt and Baseline JIT +https://bugs.webkit.org/show_bug.cgi?id=138637 + +Reviewed by Mark Lam. + +Filled out op_resolve_scope processing to use the scope operand to access the current +scope chain. + +* jit/JIT.h: +* jit/JITInlines.h: +(JSC::JIT::callOperation): +* jit/JITOperations.cpp: +* jit/JITOperations.h: +Added scope virtual register parameter to emitResolveClosure(). Added new callOperation() to +support the additional argument. + +* jit/JITPropertyAccess.cpp: +(JSC::JIT::emitResolveClosure): +(JSC::JIT::emit_op_resolve_scope): +(JSC::JIT::emitSlow_op_resolve_scope): +* jit/JITPropertyAccess32_64.cpp: +(JSC::JIT::emitResolveClosure): +(JSC::JIT::emit_op_resolve_scope): +(JSC::JIT::emitSlow_op_resolve_scope): +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::LLINT_SLOW_PATH_DECL): +Added scope parameter to emitResolveClosure(). Passed scope register index to slow path. +Used scope virtual register instead of JSStack::ScopeChain. + 2014-11-11 Joseph Pecoraro pecor...@apple.com Web Inspector: Don't require a debugger be attached for inspector auto attach Modified: trunk/Source/_javascript_Core/jit/JIT.h (175997 => 175998) --- trunk/Source/_javascript_Core/jit/JIT.h 2014-11-12 01:51:39 UTC (rev 175997) +++ trunk/Source/_javascript_Core/jit/JIT.h 2014-11-12 02:33:43 UTC (rev 175998) @@ -625,7 +625,7 @@ void emitRightShiftSlowCase(Instruction*, VectorSlowCaseEntry::iterator, bool isUnsigned); void emitVarInjectionCheck(bool needsVarInjectionChecks); -void emitResolveClosure(int dst, bool needsVarInjectionChecks, unsigned depth); +void emitResolveClosure(int dst, int scope, bool needsVarInjectionChecks, unsigned depth); void emitLoadWithStructureCheck(int scope, Structure** structureSlot); void emitGetGlobalProperty(uintptr_t* operandSlot); void emitGetGlobalVar(uintptr_t operand); 
@@ -705,6 +705,7 @@ MacroAssembler::Call callOperation(J_JITOperation_EP, int, void*); MacroAssembler::Call callOperation(WithProfileTag, J_JITOperation_EPc, int, Instruction*); MacroAssembler::Call callOperation(J_JITOperation_EZ, int, int32_t); +MacroAssembler::Call callOperation(J_JITOperation_EZZ, int, int32_t, int32_t); MacroAssembler::Call callOperation(P_JITOperation_EJS, GPRReg, size_t); MacroAssembler::Call callOperation(S_JITOperation_ECC, RegisterID, RegisterID); MacroAssembler::Call callOperation(S_JITOperation_EJ, RegisterID); Modified: trunk/Source/_javascript_Core/jit/JITInlines.h (175997 => 175998) --- trunk/Source/_javascript_Core/jit/JITInlines.h 2014-11-12 01:51:39 UTC (rev 175997) +++ trunk/Source/_javascript_Core/jit/JITInlines.h 2014-11-12 02:33:43 UTC (rev 175998) @@ -276,6 +276,12 @@ return appendCallWithExceptionCheckSetJSValueResult(operation, dst); } +ALWAYS_INLINE MacroAssembler::Call
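Review bot: in the JIT.h hunk, emitResolveClosure(int dst, int scope, bool needsVarInjectionChecks, unsigned depth) now takes two adjacent int register indices, and the new callOperation(J_JITOperation_EZZ, int, int32_t, int32_t) overload has a result register followed by two int32_t arguments; nothing at the JITPropertyAccess.cpp and JITPropertyAccess32_64.cpp call sites prevents dst and scope being swapped silently. Passing a VirtualRegister for the scope (as the DFG side does in r176005 on this page) or naming the parameters in the declaration would make the order checkable. The JITInlines.h definition is truncated here, so also confirm the J_JITOperation_EZZ typedef in JITOperations.h matches this overload's two int32_t arguments.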
[webkit-changes] [176005] trunk/Source/JavaScriptCore
Title: [176005] trunk/Source/_javascript_Core Revision 176005 Author msab...@apple.com Date 2014-11-11 22:00:42 -0800 (Tue, 11 Nov 2014) Log Message Change DFG to use scope operand for op_resolve_scope https://bugs.webkit.org/show_bug.cgi?id=138651 Reviewed by Geoffrey Garen. Changed to use the provided scope VirtualRegister. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getScope): Changed to use an argument scope register. (JSC::DFG::ByteCodeParser::parseBlock): Created VirtualRegister from scope operand. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (176004 => 176005) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-12 05:23:03 UTC (rev 176004) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-12 06:00:42 UTC (rev 176005) @@ -1,3 +1,16 @@ +2014-11-11 Michael Saboff msab...@apple.com + +Change DFG to use scope operand for op_resolve_scope +https://bugs.webkit.org/show_bug.cgi?id=138651 + +Reviewed by Geoffrey Garen. + +Changed to use the provided scope VirtualRegister. + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::getScope): Changed to use an argument scope register. +(JSC::DFG::ByteCodeParser::parseBlock): Created VirtualRegister from scope operand. + 2014-11-11 Gyuyoung Kim gyuyoung@samsung.com Remove IncrementalSweeper::create() Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (176004 => 176005) --- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2014-11-12 05:23:03 UTC (rev 176004) +++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2014-11-12 06:00:42 UTC (rev 176005) @@ -206,7 +206,7 @@ bool isDirect); void emitChecks(const ConstantStructureCheckVector); -Node* getScope(unsigned skipCount); +Node* getScope(VirtualRegister scopeChain, unsigned skipCount); void prepareToParseBlock(); void clearCaches(); 
@@ -2301,9 +2301,9 @@ m_constants.resize(0); } -Node* ByteCodeParser::getScope(unsigned skipCount) +Node* ByteCodeParser::getScope(VirtualRegister scopeChain, unsigned skipCount) { -Node* localBase = get(VirtualRegister(JSStack::ScopeChain)); +Node* localBase = get(scopeChain); for (unsigned n = skipCount; n--;) localBase = addToGraph(SkipScope, localBase); return localBase; @@ -3198,7 +3198,7 @@ set(VirtualRegister(dst), weakJSConstant(lexicalEnvironment)); break; } -set(VirtualRegister(dst), getScope(depth)); +set(VirtualRegister(dst), getScope(VirtualRegister(currentInstruction[2].u.operand), depth)); break; } case Dynamic: ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
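Review bot: getScope(unsigned skipCount) is replaced rather than overloaded, so every caller must now pass the scope register; the only call site in this hunk passes VirtualRegister(currentInstruction[2].u.operand) from the op_resolve_scope case. Confirm that operand index 2 is the scope operand in the op_resolve_scope layout emitted by the bytecompiler (the r175998 entry on this page describes the LLInt/Baseline side reading a "scope register index" but does not show the operand position) and that no other getScope caller remains, otherwise the build breaks or the DFG reads the wrong operand as a scope pointer.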
[webkit-changes] [176109] trunk/Source/JavaScriptCore
Title: [176109] trunk/Source/_javascript_Core Revision 176109 Author msab...@apple.com Date 2014-11-13 17:07:48 -0800 (Thu, 13 Nov 2014) Log Message Add scope operand to op_new_func* byte codes https://bugs.webkit.org/show_bug.cgi?id=138707 Reviewed by Mark Lam. Added scope operand to op_new_func and op_new_func_expr to replace the implicit use of exec->scope(). * bytecode/BytecodeList.json: Increased size of op_new_func & op_new_func_expr bytecodes. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): Added scope operand to dump output. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitNewFunctionInternal): (JSC::BytecodeGenerator::emitNewFunctionExpression): Emit scope operand. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): Added new scope source nodes to NewFunction, NewFunctionExpression & NewFunctionNoCheck. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): Use scope children when making new function JIT_Operation calls. Use JSScope* value instead of exec->scope(). * dfg/DFGOperations.h: * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): * jit/JIT.h: * jit/JITInlines.h: (JSC::JIT::callOperation): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_new_func): (JSC::JIT::emit_op_new_func_exp): * jit/JITOperations.cpp: * jit/JITOperations.h: Added new Jsc JIT_Operation parameter type for JSScope* values. Created declarations and definitions for new JIT_Operations with Jsc parameters. Use the JSScope* parameters in lieu of exec->scope() in operationNewFunction(). Removed comment for unused Jsa (JSLexicalEnvironment*) JIT_Operation parameter type.
* llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): Use the scope operand instead of exec->scope(). * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Changed the operand indices for added scope operand. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/BytecodeList.json trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITInlines.h trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (176108 => 176109) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-14 00:46:53 UTC (rev 176108) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-14 01:07:48 UTC (rev 176109)
@@ -1,3 +1,65 @@ +2014-11-13 Michael Saboff msab...@apple.com + +Add scope operand to op_new_func* byte codes +https://bugs.webkit.org/show_bug.cgi?id=138707 + +Reviewed by Mark Lam. + +Added scope operand to op_new_func and op_new_func_expr to replace the implicit use +of exec-scope(). + +* bytecode/BytecodeList.json: Increased size of op_new_func op_new_func_expr bytecodes. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::dumpBytecode): Added scope operand to dump output. + +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::emitNewFunctionInternal): +(JSC::BytecodeGenerator::emitNewFunctionExpression): +Emit scope operand. + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::parseBlock): +* dfg/DFGFixupPhase.cpp: +(JSC::DFG::FixupPhase::fixupNode): +Added new scope source nodes to NewFunction, NewFunctionExpression NewFunctionNoCheck. + +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): +(JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +
[webkit-changes] [176479] trunk
Title: [176479] trunk Revision 176479 Author msab...@apple.com Date 2014-11-21 15:41:26 -0800 (Fri, 21 Nov 2014) Log Message Allocate local ScopeChain register https://bugs.webkit.org/show_bug.cgi?id=138793 Reviewed by Geoffrey Garen. Source/_javascript_Core: Now we allocate the scope register as a local. The allocated register is stored in the CodeBlock for use by other components. Update the DFG to work with a local scope register. Changed usage of JSStack::ScopeChain access to the CallFrame header to use the allocated local register. * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset): Updated to properly represent the operand inputs and bytecode result. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): * bytecode/CodeBlock.h: (JSC::CodeBlock::setScopeRegister): (JSC::CodeBlock::scopeRegister): * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedCodeBlock::setScopeRegister): (JSC::UnlinkedCodeBlock::scopeRegister): Added scope register member and accessors. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::allocateAndEmitScope): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::scopeRegister): Change m_scopeRegister to an allocated register. Added allocateAndEmitScope helper to allocate the scope register, set the CodeBlock with its value and emit op_get_scope. * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::scope): Changed to access the scope using the new convention. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::get): (JSC::DFG::ByteCodeParser::flush): (JSC::DFG::ByteCodeParser::inlineCall): (JSC::DFG::ByteCodeParser::parseBlock): Changed op_create_lexical_environment to set the scope VirtualRegister operand. Filled out op_get_scope processing to emit a GetScope node putting the result in the scope VirtualRegister result operand. 
Added Phantoms where appropriate to keep the Scope register alive in places where its use is optimized away, but where the baseline JIT would need to use its value. Eliminated uses of JSStack::ScopeChain. * dfg/DFGStackLayoutPhase.cpp: (JSC::DFG::StackLayoutPhase::run): Make sure that the scope register stack location is allocated using the same place that the codeBlock expects. * dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode): Allow strength reduction of Flush to skip over GetScope nodes looking for a prior corresponding SetLocal. * interpreter/CallFrame.h: (JSC::ExecState::scope): (JSC::ExecState::setScope): Added new scope() and setScope() helpers that take a VirtualRegister offset. * interpreter/Interpreter.cpp: (JSC::eval): Changed eval() to get the scope from the caller's scope register instead of from the temporary frame created for eval. * interpreter/Interpreter.cpp: (JSC::Interpreter::unwind): Changed unwind() to manipulate the scope in the allocated register instead of from the call frame slot. * interpreter/StackVisitor.cpp: (JSC::StackVisitor::readNonInlinedFrame): (JSC::StackVisitor::readInlinedFrame): * interpreter/StackVisitor.h: (JSC::StackVisitor::Frame::callee): (JSC::StackVisitor::Frame::scope): Deleted. Eliminated the scope member as it needed to change and no StackVisitor users use it. * jit/JITOperations.cpp: (JSC::operationPushNameScope): (JSC::operationPushWithScope): * runtime/JSNameScope.h: (JSC::JSNameScope::create): * runtime/JSWithScope.h: (JSC::JSWithScope::create): Deleted. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted JSNameScope::create() and JSWithScope::create() flavors that used the ScopeChain slot in the CallFrame header. Changed the only users of these functions, the op_push_name_scope and op_push_with_scope helpers, to use the remaining create variants that require an explicit scope. Those operations get the scope from the register pointed to by their scope operands.
* llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Changed resolveScope to use the allocated register. LayoutTests: New test that sets a breakpoint in a callee of a DFG caller. While stopped in the breakpoint, it modifies a global via the scope chain of the DFG caller as well as a local of the DFG caller. * inspector-protocol/debugger/resources/breakpoint.js: (notInlineable3): (dfgWithoutInline3): * inspector-protocol/debugger/setBreakpoint-dfg-callee-and-examine-dfg-local-expected.txt: Added. * inspector-protocol/debugger/setBreakpoint-dfg-callee-and-examine-dfg-local.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/inspector-protocol/debugger/resources/breakpoint.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/BytecodeUseDef.h trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/bytecode/UnlinkedCodeBlock.h trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp
[webkit-changes] [176506] trunk/Source/JavaScriptCore
Title: [176506] trunk/Source/_javascript_Core Revision 176506 Author msab...@apple.com Date 2014-11-22 11:07:26 -0800 (Sat, 22 Nov 2014) Log Message r176455: ASSERT(!m_vector.isEmpty()) in IntendedStructureChain.cpp(143) https://bugs.webkit.org/show_bug.cgi?id=139000 Reviewed by Darin Adler. Check that the chainCount is non-zero before using a StructureChain. * bytecode/ComplexGetStatus.cpp: (JSC::ComplexGetStatus::computeFor): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/ComplexGetStatus.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (176505 => 176506) --- trunk/Source/_javascript_Core/ChangeLog 2014-11-22 18:18:11 UTC (rev 176505) +++ trunk/Source/_javascript_Core/ChangeLog 2014-11-22 19:07:26 UTC (rev 176506) @@ -1,5 +1,17 @@ 2014-11-21 Michael Saboff msab...@apple.com +r176455: ASSERT(!m_vector.isEmpty()) in IntendedStructureChain.cpp(143) +https://bugs.webkit.org/show_bug.cgi?id=139000 + +Reviewed by Darin Adler. + +Check that the chainCount is non-zero before using a StructureChain. + +* bytecode/ComplexGetStatus.cpp: +(JSC::ComplexGetStatus::computeFor): + +2014-11-21 Michael Saboff msab...@apple.com + Allocate local ScopeChain register https://bugs.webkit.org/show_bug.cgi?id=138793 Modified: trunk/Source/_javascript_Core/bytecode/ComplexGetStatus.cpp (176505 => 176506) --- trunk/Source/_javascript_Core/bytecode/ComplexGetStatus.cpp 2014-11-22 18:18:11 UTC (rev 176505) +++ trunk/Source/_javascript_Core/bytecode/ComplexGetStatus.cpp 2014-11-22 19:07:26 UTC (rev 176506) @@ -46,7 +46,7 @@ ComplexGetStatus result; result.m_kind = Inlineable; -if (chain) { +if (chain chainCount) { result.m_chain = adoptRef(new IntendedStructureChain( profiledBlock, headStructure, chain, chainCount)); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
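Review bot: the new guard in ComplexGetStatus::computeFor makes a non-null chain with chainCount == 0 behave exactly like a null chain: m_kind stays Inlineable and m_chain stays null, so the caller treats the get as a direct own-property access with no prototype chain to check. That avoids the ASSERT(!m_vector.isEmpty()) from the title, but if a zero-length chain can only come from an inconsistent profile, returning a slow-path status (or asserting chainCount when chain is non-null) would be safer than letting the DFG inline an access whose chain it has not validated; if an empty chain is a legitimate state, say so in a comment on the condition.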
[webkit-changes] [176624] trunk/Source/JavaScriptCore
Title: [176624] trunk/Source/_javascript_Core Revision 176624 Author msab...@apple.com Date 2014-12-01 18:50:15 -0800 (Mon, 01 Dec 2014) Log Message Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com https://bugs.webkit.org/show_bug.cgi?id=139165 Reviewed by Oliver Hunt. If we don't have any getById or putById variants, emit non-cached versions of these operations. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::handlePutById): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (176623 => 176624) --- trunk/Source/_javascript_Core/ChangeLog 2014-12-02 02:29:53 UTC (rev 176623) +++ trunk/Source/_javascript_Core/ChangeLog 2014-12-02 02:50:15 UTC (rev 176624) @@ -1,3 +1,16 @@ +2014-12-01 Michael Saboff msab...@apple.com + +Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com +https://bugs.webkit.org/show_bug.cgi?id=139165 + +Reviewed by Oliver Hunt. + +If we don't have any getById or putById variants, emit non-cached versions of these operations. + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::handleGetById): +(JSC::DFG::ByteCodeParser::handlePutById): + 2014-12-01 Andreas Kling akl...@apple.com Optimize constructing JSC::Identifier from AtomicString. Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (176623 => 176624) --- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2014-12-02 02:29:53 UTC (rev 176623) +++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2014-12-02 02:50:15 UTC (rev 176624) 
@@ -2018,7 +2018,7 @@ { NodeType getById = getByIdStatus.makesCalls() ? GetByIdFlush : GetById; -if (!getByIdStatus.isSimple() || !Options::enableAccessInlining()) { +if (!getByIdStatus.isSimple() || !getByIdStatus.numVariants() || !Options::enableAccessInlining()) { set(VirtualRegister(destinationOperand), addToGraph(getById, OpInfo(identifierNumber), OpInfo(prediction), base)); return; @@ -2133,7 +2133,7 @@ Node* base, unsigned identifierNumber, Node* value, const PutByIdStatus putByIdStatus, bool isDirect) { -if (!putByIdStatus.isSimple() || !Options::enableAccessInlining()) { +if (!putByIdStatus.isSimple() || !putByIdStatus.numVariants() || !Options::enableAccessInlining()) { if (!putByIdStatus.isSet()) addToGraph(ForceOSRExit); emitPutById(base, identifierNumber, value, putByIdStatus, isDirect); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
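Review bot: the two added `!numVariants()` checks in handleGetById and handlePutById fall back to the non-inlined GetById/PutById when a status is isSimple() yet has zero variants. That stops the integer overflow named in the title at these two call sites, but a simple status with no variants is an invariant violation, and any other consumer of GetByIdStatus/PutByIdStatus that iterates variants under the same isSimple() assumption could hit the same overflow. Consider making isSimple() itself imply numVariants() >= 1 (or asserting it where the status is built) so the fix is not call-site specific, and add a regression test with a profile that produces the zero-variant status.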
[webkit-changes] [176625] trunk/Source/JavaScriptCore
Title: [176625] trunk/Source/_javascript_Core Revision 176625 Author msab...@apple.com Date 2014-12-01 20:09:24 -0800 (Mon, 01 Dec 2014) Log Message Remove GetMyScope node from DFG https://bugs.webkit.org/show_bug.cgi?id=139166 Reviewed by Oliver Hunt. Eliminated GetMyScope DFG node type. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::isLiveInBytecode): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileGetMyScope): Deleted.
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGGraph.cpp trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (176624 => 176625) --- trunk/Source/_javascript_Core/ChangeLog 2014-12-02 02:50:15 UTC (rev 176624) +++ trunk/Source/_javascript_Core/ChangeLog 2014-12-02 04:09:24 UTC (rev 176625) 
@@ -1,5 +1,39 @@ 2014-12-01 Michael Saboff msab...@apple.com +Remove GetMyScope node from DFG +https://bugs.webkit.org/show_bug.cgi?id=139166 + +Reviewed by Oliver Hunt. + +Eliminated GetMyScope DFG node type. + +* dfg/DFGAbstractInterpreterInlines.h: +(JSC::DFG::AbstractInterpreterAbstractStateType::executeEffects): +* dfg/DFGClobberize.h: +(JSC::DFG::clobberize): +* dfg/DFGDoesGC.cpp: +(JSC::DFG::doesGC): +* dfg/DFGFixupPhase.cpp: +(JSC::DFG::FixupPhase::fixupNode): +* dfg/DFGGraph.cpp: +(JSC::DFG::Graph::isLiveInBytecode): +* dfg/DFGNodeType.h: +* dfg/DFGPredictionPropagationPhase.cpp: +(JSC::DFG::PredictionPropagationPhase::propagate): +* dfg/DFGSafeToExecute.h: +(JSC::DFG::safeToExecute): +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* ftl/FTLCapabilities.cpp: +(JSC::FTL::canCompile): +* ftl/FTLLowerDFGToLLVM.cpp: +(JSC::FTL::LowerDFGToLLVM::compileNode): +(JSC::FTL::LowerDFGToLLVM::compileGetMyScope): Deleted. + +2014-12-01 Michael Saboff msab...@apple.com + Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com https://bugs.webkit.org/show_bug.cgi?id=139165 Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (176624 => 176625) --- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2014-12-02 02:50:15 UTC (rev 176624) +++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2014-12-02 04:09:24 UTC (rev 176625) 
@@ -1408,7 +1408,6 @@ } case GetScope: // FIXME: We could get rid of these if we know that the JSFunction is a constant. https://bugs.webkit.org/show_bug.cgi?id=106202 -case GetMyScope: forNode(node).setType(SpecObjectOther); break; Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (176624 => 176625) --- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2014-12-02 02:50:15 UTC (rev 176624) +++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2014-12-02 04:09:24 UTC (rev 176625) @@ -745,14 +745,6 @@ } } -case GetMyScope: -if (graph.m_codeBlock-needsActivation()) { -read(AbstractHeap(Variables, JSStack::ScopeChain)); -def(HeapLocation(VariableLoc, AbstractHeap(Variables, JSStack::ScopeChain)), node); -} else -def(PureValue(node)); -return; - case GetClosureRegisters: read(JSEnvironmentRecord_registers); def(HeapLocation(ClosureRegistersLoc, JSEnvironmentRecord_registers, node-child1()), node); Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp (176624 =>
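Review bot: both visible hunks only delete consumers of GetMyScope (the executeEffects switch arm, and the clobberize arm that recorded a read of JSStack::ScopeChain when needsActivation() is true); the Modified Paths list includes DFGNodeType.h but not DFGByteCodeParser.cpp, so removing the enum value is what proves no producer remains, and a sentence in the ChangeLog saying the node was already unreferenced by the parser would make that explicit. The FIXME about bug 106202 now applies to GetScope alone, which reads correctly.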
[webkit-changes] [176700] trunk/Source/JavaScriptCore
Title: [176700] trunk/Source/_javascript_Core Revision 176700 Author msab...@apple.com Date 2014-12-02 16:49:19 -0800 (Tue, 02 Dec 2014) Log Message Change CallFrame::globalThisValue() to not use CallFrame::scope() https://bugs.webkit.org/show_bug.cgi?id=139202 Reviewed by Mark Lam. Changed to use the globalThis() on the globalObject associated with the callee. Moved the inline definition to JSGlobalObject.h instead of including JSGlobalObject.h in JSScope.h. Also moved it as JSScope objects are no longer involved in getting the value. * runtime/JSGlobalObject.h: (JSC::ExecState::globalThisValue): * runtime/JSScope.h: (JSC::ExecState::globalThisValue): Deleted. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/JSScope.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (176699 => 176700) --- trunk/Source/_javascript_Core/ChangeLog 2014-12-03 00:39:34 UTC (rev 176699) +++ trunk/Source/_javascript_Core/ChangeLog 2014-12-03 00:49:19 UTC (rev 176700) 
@@ -1,3 +1,20 @@ +2014-12-02 Michael Saboff msab...@apple.com + +Change CallFrame::globalThisValue() to not use CallFrame::scope() +https://bugs.webkit.org/show_bug.cgi?id=139202 + +Reviewed by Mark Lam. + +Changed to use the globalThis() on the globalObject associated with the +callee. Moved the inline definition to JSGlobalObject.h instead of +including JSGlobalObject.h in JSScope.h. Also moved it as JSScope +objects are no longer involved in getting the value. + +* runtime/JSGlobalObject.h: +(JSC::ExecState::globalThisValue): +* runtime/JSScope.h: +(JSC::ExecState::globalThisValue): Deleted. + 2014-12-02 Matthew Mirman mmir...@apple.com Fixes inline cache fast path accessing nonexistant getters. Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (176699 => 176700) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2014-12-03 00:39:34 UTC (rev 176699) +++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2014-12-03 00:49:19 UTC (rev 176700) @@ -674,6 +674,11 @@ return constructArrayNegativeIndexed(exec, profile, exec-lexicalGlobalObject(), values, length); } +inline JSObject* ExecState::globalThisValue() const +{ +return lexicalGlobalObject()-globalThis(); +} + inline JSObject* JSScope::globalThis() { return globalObject()-globalThis(); Modified: trunk/Source/_javascript_Core/runtime/JSScope.h (176699 => 176700) --- trunk/Source/_javascript_Core/runtime/JSScope.h 2014-12-03 00:39:34 UTC (rev 176699) +++ trunk/Source/_javascript_Core/runtime/JSScope.h 2014-12-03 00:49:19 UTC (rev 176700) @@ -244,11 +244,6 @@ return callee()-globalObject(); } -inline JSObject* ExecState::globalThisValue() const -{ -return scope()-globalThis(); -} - inline size_t JSScope::offsetOfNext() { return OBJECT_OFFSETOF(JSScope, m_next);
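Review bot: the replacement globalThisValue() in the JSGlobalObject.h hunk derives the value from lexicalGlobalObject(), which the JSScope.h context line shows is callee()->globalObject(), whereas the deleted version walked the frame's scope chain; the ChangeLog says JSScope is no longer involved but not why the two agree for every frame that reaches this accessor, so a one-line comment above the new inline stating that invariant would help. Moving the definition also removes the JSGlobalObject.h include from JSScope.h, which is worth keeping since JSScope::globalThis() in the same hunk already lives next to the JSGlobalObject definition.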
[webkit-changes] [176771] trunk/Source/JavaScriptCore
Title: [176771] trunk/Source/_javascript_Core Revision 176771 Author msab...@apple.com Date 2014-12-03 17:59:40 -0800 (Wed, 03 Dec 2014) Log Message REGRESSION (r176479): DFG ASSERTION beneath emitOSRExitCall running Kraken/imaging-gaussian-blur.js.ftl-no-cjit-osr-validation and other tests https://bugs.webkit.org/show_bug.cgi?id=139246 Reviewed by Geoffrey Garen. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::buildExitArguments): The DFG_ASSERT that checks liveness at exit time doesn't properly handle the case where the local is not available at OSR exit time, but the local is live in the bytecode. This now happens with the allocated scope register when we are compiling for FTLForOSREntryMode due to DCE done when the control flow was changed and a new entrypoint was added in the OSR entrypoint creation phase. Therefore we silence the assert when compiling for FTLForOSREntryMode. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (176770 => 176771) --- trunk/Source/_javascript_Core/ChangeLog 2014-12-04 01:40:21 UTC (rev 176770) +++ trunk/Source/_javascript_Core/ChangeLog 2014-12-04 01:59:40 UTC (rev 176771) 
@@ -1,3 +1,20 @@ +2014-12-03 Michael Saboff msab...@apple.com + +REGRESSION (r176479): DFG ASSERTION beneath emitOSRExitCall running Kraken/imaging-gaussian-blur.js.ftl-no-cjit-osr-validation and other tests +https://bugs.webkit.org/show_bug.cgi?id=139246 + +Reviewed by Geoffrey Garen. + +* ftl/FTLLowerDFGToLLVM.cpp: +(JSC::FTL::LowerDFGToLLVM::buildExitArguments): +The DFG_ASSERT that checks liveness at exit time doesn't properly +handle the case where the local is not available at OSR exit time, +but the local is live in the bytecode. This now happens with the +allocated scope register when we are compiling for FTLForOSREntryMode +due to DCE done when the control flow was changed and a new entrypoint +was added in the OSR entrypoint creation phase. Therefore we silence +the assert when compiling for FTLForOSREntryMode. + 2014-12-03 Geoffrey Garen gga...@apple.com Removed the global parser arena Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (176770 => 176771) --- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2014-12-04 01:40:21 UTC (rev 176770) +++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2014-12-04 01:59:40 UTC (rev 176771) @@ -6559,7 +6559,7 @@ if (Options::validateFTLOSRExitLiveness()) { DFG_ASSERT( m_graph, m_node, -!(availability.isDead() m_graph.isLiveInBytecode(VirtualRegister(operand), codeOrigin))); +(!(availability.isDead() m_graph.isLiveInBytecode(VirtualRegister(operand), codeOrigin))) || m_graph.m_plan.mode == FTLForOSREntryMode); } exit.m_values[i] = exitValueForAvailability(arguments, map, availability);
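Review bot: the FTLLowerDFGToLLVM.cpp hunk widens the DFG_ASSERT with `|| m_graph.m_plan.mode == FTLForOSREntryMode`, which disables the exit-liveness check for every operand of every FTLForOSREntryMode compile, while the ChangeLog describes a single offending operand (the allocated scope register after DCE). Consider restricting the exemption to that operand, or leaving a FIXME with the bug number so the full check is restored once OSR-entry DCE keeps the register available; as written, a genuinely dead-but-live-in-bytecode exit value in OSR-entry code now passes unnoticed even with validateFTLOSRExitLiveness() on.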
[webkit-changes] [177030] trunk
Title: [177030] trunk Revision 177030 Author msab...@apple.com Date 2014-12-09 11:52:40 -0800 (Tue, 09 Dec 2014) Log Message DFG Tries using an inner object's getter/setter when one hasn't been defined https://bugs.webkit.org/show_bug.cgi?id=139229 Reviewed by Filip Pizlo. Source/_javascript_Core: Added a new NullGetterFunction singleton class to use for getters and setters that haven't been set to a user defined value. The NullGetterFunction callReturnUndefined() and createReturnUndefined() methods return undefined. Changed all null checks of the getter and setter pointers to the newly added isGetterNull() and isSetterNull() helper methods. * CMakeLists.txt: * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: Added NullGetterFunction.cpp .h to build files. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreterAbstractStateType::executeEffects): * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncLookupGetter): (JSC::objectProtoFuncLookupSetter): * runtime/PropertyDescriptor.cpp: (JSC::PropertyDescriptor::setDescriptor): (JSC::PropertyDescriptor::setAccessorDescriptor): Changed checking getter and setter to null to use new isGetterNull() and isSetterNull() helpers. * inspector/JSInjectedScriptHostPrototype.cpp: (Inspector::JSInjectedScriptHostPrototype::finishCreation): * inspector/JSJavaScriptCallFramePrototype.cpp: * jit/JITOperations.cpp: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/JSObject.cpp: (JSC::JSObject::putIndexedDescriptor): (JSC::putDescriptor): (JSC::JSObject::defineOwnNonIndexProperty): * runtime/MapPrototype.cpp: (JSC::MapPrototype::finishCreation): * runtime/SetPrototype.cpp: (JSC::SetPrototype::finishCreation): Updated calls to GetterSetter::create(), setGetter(), setSetter(), withGetter() and withSetter() to provide a global object. 
* runtime/GetterSetter.cpp: (JSC::GetterSetter::withGetter): (JSC::GetterSetter::withSetter): (JSC::callGetter): (JSC::callSetter): * runtime/GetterSetter.h: (JSC::GetterSetter::GetterSetter): (JSC::GetterSetter::create): (JSC::GetterSetter::isGetterNull): (JSC::GetterSetter::isSetterNull): (JSC::GetterSetter::setGetter): (JSC::GetterSetter::setSetter): Changed to use NullGetterFunction for unspecified getters / setters. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::createThrowTypeError): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::nullGetterFunction): (JSC::JSGlobalObject::evalFunction): Added m_nullGetterFunction singleton. Updated calls to GetterSetter::create(), setGetter() and setSetter() to provide a global object. * runtime/NullGetterFunction.cpp: Added. (JSC::callReturnUndefined): (JSC::constructReturnUndefined): (JSC::NullGetterFunction::getCallData): (JSC::NullGetterFunction::getConstructData): * runtime/NullGetterFunction.h: Added. (JSC::NullGetterFunction::create): (JSC::NullGetterFunction::createStructure): (JSC::NullGetterFunction::NullGetterFunction): New singleton class that returns undefined when called. LayoutTests: New regression test. * js/regress-139229-expected.txt: Added. * js/regress-139229.html: Added. * js/script-tests/regress-139229.js: Added. 
(InnerObjectNoGetter): (InnerObjectNoGetter.prototype.set enabled): (InnerObjectNoSetter): (InnerObjectNoSetter.prototype.get enabled): (OuterObject): (OuterObject.prototype.get enabled): (OuterObject.prototype.set enabled): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/inspector/JSInjectedScriptHostPrototype.cpp trunk/Source/_javascript_Core/inspector/JSJavaScriptCallFramePrototype.cpp trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/runtime/GetterSetter.cpp trunk/Source/_javascript_Core/runtime/GetterSetter.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/_javascript_Core/runtime/MapPrototype.cpp trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp trunk/Source/_javascript_Core/runtime/PropertyDescriptor.cpp trunk/Source/_javascript_Core/runtime/SetPrototype.cpp Added Paths trunk/LayoutTests/js/regress-139229-expected.txt trunk/LayoutTests/js/regress-139229.html trunk/LayoutTests/js/script-tests/regress-139229.js trunk/Source/_javascript_Core/runtime/NullGetterFunction.cpp
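The accessor shapes named in the LayoutTests section above (InnerObjectNoGetter, InnerObjectNoSetter, OuterObject), as an added example that is not part of this commit or of WebKit: it states in plain JavaScript the behaviour an engine's inlined accessor path must preserve when one half of a getter/setter pair is absent, and repeats the accesses so a tiering JIT reaches that path. The class bodies and the 'inner-getter' sentinel are my own constructions.

```javascript
'use strict';
// Added example, not WebKit code. A setter-only accessor must read as
// undefined, a getter-only accessor must reject writes in strict code, and
// an inlined fast path must never borrow the missing half from another object.

class InnerObjectNoGetter {
  set enabled(v) { this._enabled = v; }
}
class InnerObjectNoSetter {
  get enabled() { return 'inner-getter'; }
}
class OuterObject {
  constructor(inner) { this.inner = inner; }
  get enabled() { return this.inner.enabled; }
  set enabled(v) { this.inner.enabled = v; }
}

// Report which halves of an accessor property a prototype actually defines.
function accessorHalves(proto, name) {
  const d = Object.getOwnPropertyDescriptor(proto, name);
  return { hasGetter: typeof d.get === 'function', hasSetter: typeof d.set === 'function' };
}

// Read through the outer accessor; a missing inner getter yields undefined.
function readThroughOuter(inner) {
  return new OuterObject(inner).enabled;
}

// Write through the outer accessor; the outer setter runs as strict class code,
// so a missing inner setter surfaces as a TypeError rather than a silent no-op.
function writeThroughOuter(inner, value) {
  try {
    new OuterObject(inner).enabled = value;
    return 'written';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Repeat the accesses, as the regression test does, so a tiering JIT takes its
// inlined accessor path; the observable results must not depend on iteration count.
function stableAcrossTiers(iterations) {
  const noGetter = new InnerObjectNoGetter();
  const noSetter = new InnerObjectNoSetter();
  for (let i = 0; i < iterations; i++) {
    if (readThroughOuter(noGetter) !== undefined) return false;
    if (readThroughOuter(noSetter) !== 'inner-getter') return false;
    if (writeThroughOuter(noGetter, i) !== 'written') return false;
    if (writeThroughOuter(noSetter, i) !== 'TypeError') return false;
  }
  return true;
}
```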
[webkit-changes] [177146] trunk/Source/JavaScriptCore
Title: [177146] trunk/Source/_javascript_Core Revision 177146 Author msab...@apple.com Date 2014-12-11 08:41:33 -0800 (Thu, 11 Dec 2014) Log Message REGRESSION: Use of undefined CallFrame::ScopeChain value https://bugs.webkit.org/show_bug.cgi?id=139533 Reviewed by Mark Lam. Removed CallFrame::scope() and CallFrame::setScope() and eliminated or changed all usages of these functions. In some cases the scope is passed in or determined another way. In some cases the scope is used to calculate other values. Lastly there were places where these functions were used that are no longer needed. For example when making a call, the caller's ScopeChain was copied to the callee's ScopeChain. This change no longer uses the ScopeChain call frame header slot. That slot will be removed in a future patch. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): * jit/JIT.h: * jit/JITInlines.h: (JSC::JIT::callOperation): * runtime/JSLexicalEnvironment.h: (JSC::JSLexicalEnvironment::create): (JSC::JSLexicalEnvironment::JSLexicalEnvironment): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_create_lexical_environment): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_create_lexical_environment): * jit/JITOperations.cpp: * jit/JITOperations.h: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::handleHostCall): (JSC::LLInt::setUpCall): (JSC::LLInt::llint_throw_stack_overflow_error): Pass the current scope value to the helper operationCreateActivation() and the call to JSLexicalEnvironment::create() instead of using the stack frame scope chain value. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): CreateActivation now has a second child, the scope. * interpreter/CallFrame.h: (JSC::ExecState::init): Deleted. This is dead code.
(JSC::ExecState::scope): Deleted. (JSC::ExecState::setScope): Deleted. * interpreter/Interpreter.cpp: (JSC::Interpreter::dumpRegisters): Changed so we didn't access the scope chain slot. (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): Changed process to find JSScope values on the stack or by some other means. * runtime/JSWithScope.h: (JSC::JSWithScope::JSWithScope): Deleted. Eliminated unused constructor. * runtime/StrictEvalActivation.cpp: (JSC::StrictEvalActivation::StrictEvalActivation): * runtime/StrictEvalActivation.h: (JSC::StrictEvalActivation::create): Changed to pass in the current scope. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/interpreter/CallFrame.h trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITInlines.h trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/runtime/JSLexicalEnvironment.h trunk/Source/_javascript_Core/runtime/JSWithScope.h trunk/Source/_javascript_Core/runtime/StrictEvalActivation.cpp trunk/Source/_javascript_Core/runtime/StrictEvalActivation.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (177145 => 177146) --- trunk/Source/_javascript_Core/ChangeLog 2014-12-11 13:37:09 UTC (rev 177145) +++ trunk/Source/_javascript_Core/ChangeLog 2014-12-11 16:41:33 UTC (rev 177146) 
@@ -1,3 +1,75 @@ +2014-12-11 Michael Saboff msab...@apple.com + +REGRESSION: Use of undefined CallFrame::ScopeChain value +https://bugs.webkit.org/show_bug.cgi?id=139533 + +Reviewed by Mark Lam. + +Removed CallFrame::scope() and CallFrame::setScope() and eliminated or changed +all usages of these funcitons. In some cases the scope is passed in or determined +another way. In some cases the scope is used to calculate other values. Lastly +were places where these functions where used that are no longer needed. For +example when making a call, the caller's ScopeChain was copied to the callee's +ScopeChain. This change no longer uses the ScopeChain call frame header slot. +That slot will be removed in a future patch. + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::parseBlock): +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::compile): +* dfg/DFGSpeculativeJIT64.cpp: +
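Review bot: two typos in the ChangeLog hunk: "all usages of these funcitons" should read "functions", and "Lastly were places where these functions where used" should read "Lastly there were places where these functions were used". The entry also says the ScopeChain call frame header slot is now unused but kept until a future patch; citing the follow-up bug number there would let a reader find the slot's removal, and until it lands nothing prevents new code from reading the stale slot.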
[webkit-changes] [177203] trunk/LayoutTests
Title: [177203] trunk/LayoutTests Revision 177203 Author msab...@apple.com Date 2014-12-11 18:41:57 -0800 (Thu, 11 Dec 2014) Log Message Need a regression test for bug 139533 https://bugs.webkit.org/show_bug.cgi?id=139572 Reviewed by Mark Lam. * js/regress-139533-expected.txt: Added. * js/regress-139533.html: Added. * js/script-tests/regress-139533.js: Added. (.inner): (outer): (MyNumber): (MyNumber.prototype.toString): Modified Paths trunk/LayoutTests/ChangeLog Added Paths trunk/LayoutTests/js/regress-139533-expected.txt trunk/LayoutTests/js/regress-139533.html trunk/LayoutTests/js/script-tests/regress-139533.js Diff Modified: trunk/LayoutTests/ChangeLog (177202 => 177203) --- trunk/LayoutTests/ChangeLog 2014-12-12 02:26:36 UTC (rev 177202) +++ trunk/LayoutTests/ChangeLog 2014-12-12 02:41:57 UTC (rev 177203) @@ -1,3 +1,18 @@ +2014-12-11 Michael Saboff msab...@apple.com + +Need a regression test for bug 139533 +https://bugs.webkit.org/show_bug.cgi?id=139572 + +Reviewed by Mark Lam. + +* js/regress-139533-expected.txt: Added. +* js/regress-139533.html: Added. +* js/script-tests/regress-139533.js: Added. +(.inner): +(outer): +(MyNumber): +(MyNumber.prototype.toString): + 2014-12-11 Simon Fraser simon.fra...@apple.com Transform-style should not kill position:fixed Added: trunk/LayoutTests/js/regress-139533-expected.txt (0 => 177203) --- trunk/LayoutTests/js/regress-139533-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-139533-expected.txt 2014-12-12 02:41:57 UTC (rev 177203) @@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/139533. This test should not crash. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-139533.html (0 => 177203) --- trunk/LayoutTests/js/regress-139533.html (rev 0) +++ trunk/LayoutTests/js/regress-139533.html 2014-12-12 02:41:57 UTC (rev 177203) 
@@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-139533.js (0 => 177203) --- trunk/LayoutTests/js/script-tests/regress-139533.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-139533.js 2014-12-12 02:41:57 UTC (rev 177203) @@ -0,0 +1,41 @@ +description( +Regression test for https://webkit.org/b/139533. This test should not crash. +); + +function outer(index, obj) +{ +function inner(arg) +{ +return arg + obj.addend; +} + +return inner(index); +} + +obj = { addend : 1 }; + +// Create an object that will require calling defaultValue which is a native function call +function MyNumber() +{ +} +MyNumber.prototype.toString = function() { return ; }; + +var limit = 1000; +var result = 0; + +for (var i = 0; i limit; ++i) { +// The problem fixed in bug 139533 was that the ScopeChain slot of the call frame header +// is not being restored by OSR exit handler (nor should it). In some cases, especially +// when we inline we end up overwriting the memory with some other value. +// After tiering up into the DFG, change the addend of obj. This will do two things: +// 1) We should OSR exit with a BadType (addend is no longer an integer) +// 2) In the next call to inner, we will call jsAddSlowCase which will make a +//native call to get the default value of obj.addend. +// The OSR exit handler will not restore the ScopeChain slot in the header therefore +// the value might be anything. The native call will copy the ScopeChain slot from +// inner to the frame for the native call. +if (i == limit - 10) +obj.addend = new MyNumber(); + +result = outer(i, obj); +}
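Review bot: `obj = { addend : 1 };` in the regress-139533.js hunk is an implicit global; declare it with var like `limit` and `result` so the test stays hermetic when it runs in the same page as other script-tests. The inline comment explaining why the OSR exit handler does not restore the ScopeChain slot and how the native call then copies whatever is there is exactly the documentation a crash regression test needs; keep it. Since this is a should-not-crash test, the final `result` is never checked, which is fine, but a one-line assertion that `result` is a string after the addend changes would also catch a silent wrong-value regression on the same path.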
[webkit-changes] [177460] trunk
Title: [177460] trunk Revision 177460 Author msab...@apple.com Date 2014-12-17 13:38:43 -0800 (Wed, 17 Dec 2014) Log Message Tests with infinite recursion frequently crash https://bugs.webkit.org/show_bug.cgi?id=139548 Reviewed by Geoffrey Garen. Source/_javascript_Core: While unwinding, if the call frame doesn't have a codeblock, then we are in native code, handle appropriately. * interpreter/Interpreter.cpp: (JSC::unwindCallFrame): (JSC::UnwindFunctor::operator()): Added checks for null CodeBlock. (JSC::Interpreter::unwind): Removed wrong ASSERT. LayoutTests: New test that exercises the various places that we do stack overflow checks. * TestExpectations: * js/regress-139548-expected.txt: Added. * js/regress-139548.html: Added. * js/script-tests/regress-139548.js: Added. (ToStringObj): (ToStringObj.prototype.toString): (makeArgsArray): (recurseNoDFG): (recurse): (probeAndRecurse): Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/TestExpectations trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/interpreter/Interpreter.cpp Added Paths trunk/LayoutTests/js/regress-139548-expected.txt trunk/LayoutTests/js/regress-139548.html trunk/LayoutTests/js/script-tests/regress-139548.js Diff Modified: trunk/LayoutTests/ChangeLog (177459 => 177460) --- trunk/LayoutTests/ChangeLog 2014-12-17 21:19:21 UTC (rev 177459) +++ trunk/LayoutTests/ChangeLog 2014-12-17 21:38:43 UTC (rev 177460) 
@@ -1,3 +1,23 @@ +2014-12-17 Michael Saboff msab...@apple.com + +Tests with infinite recursion frequently crash +https://bugs.webkit.org/show_bug.cgi?id=139548 + +Reviewed by Geoffrey Garen. + +New test that exercises the various places that we do stack overflow checks. + +* TestExpectations: +* js/regress-139548-expected.txt: Added. +* js/regress-139548.html: Added. +* js/script-tests/regress-139548.js: Added. +(ToStringObj): +(ToStringObj.prototype.toString): +(makeArgsArray): +(recurseNoDFG): +(recurse): +(probeAndRecurse): + 2014-12-16 Shivakumar JM shiva...@samsung.com text node should not be created, On setting document.title to the empty string. Modified: trunk/LayoutTests/TestExpectations (177459 => 177460) --- trunk/LayoutTests/TestExpectations 2014-12-17 21:19:21 UTC (rev 177459) +++ trunk/LayoutTests/TestExpectations 2014-12-17 21:38:43 UTC (rev 177460) @@ -324,10 +324,6 @@ [ Debug ] fast/history/history-back-while-pdf-in-pagecache.html [ Skip ] webkit.org/b/121628 [ Release ] fast/history/history-back-while-pdf-in-pagecache.html [ Pass ImageOnlyFailure ] -# Catching infinite recursion is broken. -webkit.org/b/139548 fast/workers/worker-constructor.html [ Skip ] -webkit.org/b/139548 fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html [ Skip ] - # Network process disk cache is not enabled yet webkit.org/b/30322 http/tests/cache/disk-cache-validation.html [ Skip ] Added: trunk/LayoutTests/js/regress-139548-expected.txt (0 => 177460) --- trunk/LayoutTests/js/regress-139548-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-139548-expected.txt 2014-12-17 21:38:43 UTC (rev 177460) 
@@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/139548. This test should not crash. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-139548.html (0 => 177460) --- trunk/LayoutTests/js/regress-139548.html (rev 0) +++ trunk/LayoutTests/js/regress-139548.html 2014-12-17 21:38:43 UTC (rev 177460) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-139548.js (0 => 177460) --- trunk/LayoutTests/js/script-tests/regress-139548.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-139548.js 2014-12-17 21:38:43 UTC (rev 177460) @@ -0,0 +1,108 @@ +description(Regression test for https://webkit.org/b/139548. This test should not crash.); + +var maxArgCount = 8; +var argIncrement = 1; + +function ToStringObj() +{ +s: +} + +// Want a function that a native C++ function can call. +ToStringObj.prototype.toString = function() { this.s = new String(); return this.s; }; + +var myObj = new ToStringObj(); + +function makeArgsArray(firstArg, argCount) +{ +var args = [firstArg]; +for (var argIndex = 1; argIndex argCount; argIndex++) +args.push(argIndex); + +return args; +} + +function recurseNoDFG(depth) +{ +var s = ; +if (depth = 0) +return 0; + +for (var i = 1; i maxArgCount; i += argIncrement) { +try { +s = myObj.toLocaleString(); +return recurseNoDFG.apply(this, makeArgsArray(depth - 1, i)); +} catch (e) { +if (e
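Review bot: in the regress-139548.js hunk, the constructor body `function ToStringObj() { s: }` is a labeled statement rather than a property initialiser, so instances have no `s` until toString assigns `this.s`; either drop it or write the assignment in the constructor. The TestExpectations hunk deletes the two `webkit.org/b/139548 ... [ Skip ]` lines, so this commit re-enables worker-constructor.html and xmlhttprequest-recursive-sync-event.html at the same time as the interpreter change; landing the un-skip separately would make a revert cheaper if those tests remain flaky. The Interpreter.cpp hunk with the null-CodeBlock checks in unwindCallFrame and UnwindFunctor is not included in the listing above, so that part could not be reviewed here.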
[webkit-changes] [177578] trunk
Title: [177578] trunk Revision 177578 Author msab...@apple.com Date 2014-12-19 10:48:25 -0800 (Fri, 19 Dec 2014) Log Message REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked https://bugs.webkit.org/show_bug.cgi?id=139808 Reviewed by Oliver Hunt. Source/_javascript_Core: There are three changes here. 1) Create a VariableWatchpointSet for captured arguments variables. 2) Properly use the VariableWatchpointSet* found in op_put_to_scope in the 64 bit LLInt code. 3) Add the same putLocalClosureVar path to the 32 bit LLInt code that exists in the 64 bit version. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: LayoutTests: New regression test. * js/regress-139808-expected.txt: Added. * js/regress-139808.html: Added. * js/script-tests/regress-139808.js: Added. (theClosureFunction.rot13): (theClosureFunction): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Added Paths trunk/LayoutTests/js/regress-139808-expected.txt trunk/LayoutTests/js/regress-139808.html trunk/LayoutTests/js/script-tests/regress-139808.js Diff Modified: trunk/LayoutTests/ChangeLog (177577 => 177578) --- trunk/LayoutTests/ChangeLog 2014-12-19 18:43:33 UTC (rev 177577) +++ trunk/LayoutTests/ChangeLog 2014-12-19 18:48:25 UTC (rev 177578) 
@@ -1,3 +1,18 @@ +2014-12-19 Michael Saboff msab...@apple.com + +REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked +https://bugs.webkit.org/show_bug.cgi?id=139808 + +Reviewed by Oliver Hunt. + +New regression test. + +* js/regress-139808-expected.txt: Added. +* js/regress-139808.html: Added. +* js/script-tests/regress-139808.js: Added. +(theClosureFunction.rot13): +(theClosureFunction): + 2014-12-19 Alexey Proskuryakov a...@apple.com Updte WebKit2 test expectations based on what bots see now. Added: trunk/LayoutTests/js/regress-139808-expected.txt (0 => 177578) --- trunk/LayoutTests/js/regress-139808-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-139808-expected.txt 2014-12-19 18:48:25 UTC (rev 177578) @@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/139808. This test should run without any exceptions. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-139808.html (0 => 177578) --- trunk/LayoutTests/js/regress-139808.html (rev 0) +++ trunk/LayoutTests/js/regress-139808.html 2014-12-19 18:48:25 UTC (rev 177578) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-139808.js (0 => 177578) --- trunk/LayoutTests/js/script-tests/regress-139808.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-139808.js 2014-12-19 18:48:25 UTC (rev 177578) 
@@ -0,0 +1,47 @@ +description( +Regression test for https://webkit.org/b/139808. This test should run without any exceptions. +); + +function theClosureFunction(a) +{ +var o = { +1: Gur dhvpx oebja sbk whzcrq bire gur ynml qbt\'f onpx., +2: Abj vf gur gvzr sbe nyy zra gb pbzr gb gur nvq bs gurve cnegl., +3: N zna n cyna n pnany, Cnanzn. +}; + +var expect = { +1: The quick brown fox jumped over the lazy dog\'s back., +2: Now is the time for all men to come to the aid of their party., +3: A man a plan a canal, Panama. +}; + +e = expect[a] +a = o[a]; + +var rot13 = function(startIndex) { +result = ; + +for (var i = startIndex; i a.length; i++) { +c = a.charAt(i); +if (c = 'a' c = 'z') +c = String.fromCharCode((a.charCodeAt(i) - 84) % 26 + 97); +else if (c = 'A' c = 'Z') +c = String.fromCharCode((a.charCodeAt(i) - 52) % 26 + 65); + + result += c; + } + + return result; +} + +// Call in a loop to tier up to DFG +for (var i = 0; i 1000; i++) +s = rot13(0); + +return s == e; +} + +for (var i = 1; i = 3; i++) +if (!theClosureFunction(i)) +throw Incorrect result calling theClosureFunction; Modified: trunk/Source/_javascript_Core/ChangeLog (177577 => 177578) --- trunk/Source/_javascript_Core/ChangeLog 2014-12-19 18:43:33 UTC (rev 177577) +++ trunk/Source/_javascript_Core/ChangeLog 2014-12-19 18:48:25 UTC (rev 177578) @@ -1,3
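Review bot: the regress-139808.js hunk exercises the captured-argument case from the bug title because `a = o[a]` reassigns the parameter before the `rot13` closure captures it, so the closure must observe the reassigned string rather than the initial numeric argument; a comment next to that assignment would record why it is load-bearing. Style: `e`, `result`, `c` and `s` are assigned without var and become globals, and `s` is the channel that carries the closure's result out of the loop; declaring them locally keeps the test hermetic and rules out a stale global from an earlier call masking the bug. Also consider comparing `rot13(0)` against `e` inside the loop, so a failure before tier-up is distinguishable from one after the DFG compiles the closure.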
[webkit-changes] [179015] trunk/Source/JavaScriptCore
Title: [179015] trunk/Source/_javascript_Core Revision 179015 Author msab...@apple.com Date 2015-01-23 11:52:25 -0800 (Fri, 23 Jan 2015) Log Message Immediate crash when setting JS breakpoint https://bugs.webkit.org/show_bug.cgi?id=140811 Reviewed by Mark Lam. When the DFG stack layout phase doesn't allocate a register for the scope register, it incorrectly sets the scope register in the code block to a bad value, one with an offset of 0. Changed it so that we set the code block's scope register to the invalid VirtualRegister instead. No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug. We crash with that ASSERT in testapi and likely many other tests as well. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): * bytecode/CodeBlock.h: (JSC::CodeBlock::setScopeRegister): (JSC::CodeBlock::scopeRegister): Added ASSERTs to catch any future improper setting of the code block's scope register. * dfg/DFGStackLayoutPhase.cpp: (JSC::DFG::StackLayoutPhase::run): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (179014 => 179015) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-23 19:43:20 UTC (rev 179014) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-23 19:52:25 UTC (rev 179015) 
@@ -1,3 +1,28 @@ +2015-01-23 Michael Saboff msab...@apple.com + +Immediate crash when setting JS breakpoint +https://bugs.webkit.org/show_bug.cgi?id=140811 + +Reviewed by Mark Lam. + +When the DFG stack layout phase doesn't allocate a register for the scope register, +it incorrectly sets the scope register in the code block to a bad value, one with +an offset of 0. Changed it so that we set the code block's scope register to the +invalid VirtualRegister instead. + +No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug. +We crash with that ASSERT in testapi and likely many other tests as well. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::CodeBlock): +* bytecode/CodeBlock.h: +(JSC::CodeBlock::setScopeRegister): +(JSC::CodeBlock::scopeRegister): +Added ASSERTs to catch any future improper setting of the code block's scope register. + +* dfg/DFGStackLayoutPhase.cpp: +(JSC::DFG::StackLayoutPhase::run): + 2015-01-22 Mark Hahnenberg mhahn...@gmail.com EdenCollections unnecessarily visit SmallStrings Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (179014 => 179015) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2015-01-23 19:43:20 UTC (rev 179014) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2015-01-23 19:52:25 UTC (rev 179015) @@ -1663,7 +1663,8 @@ #endif { ASSERT(m_heap-isDeferred()); - +ASSERT(m_scopeRegister.isLocal()); + if (SymbolTable* symbolTable = other.symbolTable()) m_symbolTable.set(*m_vm, m_ownerExecutable.get(), symbolTable); @@ -1719,6 +1720,7 @@ #endif { ASSERT(m_heap-isDeferred()); +ASSERT(m_scopeRegister.isLocal()); bool didCloneSymbolTable = false; Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (179014 => 179015) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2015-01-23 19:43:20 UTC (rev 179014) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2015-01-23 19:52:25 UTC (rev 179015) 
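Review bot: the two new `ASSERT(m_scopeRegister.isLocal())` checks in the CodeBlock constructors are stricter than the setter this same change relaxes to accept an invalid VirtualRegister, and the ChangeLog says the DFG now stores exactly that invalid register when no slot is allocated; a short comment at each constructor ASSERT stating why a freshly constructed CodeBlock can never carry the invalid value the setter allows would keep the next reader from treating the asymmetry as a bug. Nit: the first hunk deletes the blank line after `ASSERT(m_heap->isDeferred());` and re-adds one after the new ASSERT, which makes the diff noisier than the one-line addition it really is.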
@@ -324,12 +324,12 @@ void setScopeRegister(VirtualRegister scopeRegister) { +ASSERT(scopeRegister.isLocal() || !scopeRegister.isValid()); m_scopeRegister = scopeRegister; } VirtualRegister scopeRegister() const { -ASSERT(m_scopeRegister.isValid()); return m_scopeRegister; } Modified: trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp (179014 => 179015) --- trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp 2015-01-23 19:43:20 UTC (rev 179014) +++ trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp 2015-01-23 19:52:25 UTC (rev 179015) @@ -169,8 +169,8 @@ } if (codeBlock()-scopeRegister().isValid()) { -codeBlock()-setScopeRegister( -virtualRegisterForLocal(allocation[codeBlock()-scopeRegister().toLocal()])); +unsigned scopeRegisterAllocation = allocation[codeBlock()-scopeRegister().toLocal()]; +codeBlock()-setScopeRegister(scopeRegisterAllocation == UINT_MAX ? VirtualRegister() : virtualRegisterForLocal(scopeRegisterAllocation)); } for (unsigned i = m_graph.m_inlineVariableData.size(); i--;) { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
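Review bot: in `StackLayoutPhase::run` the `scopeRegisterAllocation == UINT_MAX` comparison depends on an unnamed sentinel meaning "no slot allocated"; if the `allocation` vector already has a named constant for that, compare against it, otherwise a named local or a comment should document the contract this fix now relies on. The CodeBlock.h hunk also drops `ASSERT(m_scopeRegister.isValid())` from `scopeRegister()`, so every caller is now responsible for checking `isValid()` the way this phase does; a one-line comment on the getter saying it may return an invalid register would make that obligation explicit.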
[webkit-changes] [179728] trunk/Source/JavaScriptCore
Title: [179728] trunk/Source/_javascript_Core Revision 179728 Author msab...@apple.com Date 2015-02-05 17:12:00 -0800 (Thu, 05 Feb 2015) Log Message CodeCache is not thread safe when adding the same source from two different threads https://bugs.webkit.org/show_bug.cgi?id=141275 Reviewed by Mark Lam. The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock, but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it will fill in later in the function. During the body of that function, it allocates objects that may garbage collect. During that garbage collection, we drop all the locks. While the locks are released by the first thread, another thread can enter the VM and might have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself. When it looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType* and crashes. This fixes the problem by not dropping the locks during garbage collection. There are other likely scenarios where we have a data structure like this code cache in an unsafe state for arbitrary reentrance. Moved the functionality of DelayedReleaseScope directly into Heap. Changed it into a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects. Now we accumulate objects to be released and release them when all locks are dropped or when destroying the Heap. This eliminated the dropping and reacquiring of locks associated with the old scope form of this list. Given that all functionality of DelayedReleaseScope is now used and referenced by Heap and the lock management no longer needs to be done, just made the list a member of Heap. We do need to guard against the case that releasing an object can create more objects by calling into JS. That is why releaseDelayedReleasedObjects() is written to remove an object to release so that we aren't recursively in Vector code. 
The other thing we do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using the m_delayedReleaseRecursionCount. We only release at the first entry into the function. This case is already tested by testapi.mm. * heap/DelayedReleaseScope.h: Removed file * API/JSAPIWrapperObject.mm: * API/ObjCCallbackFunction.mm: * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: * heap/IncrementalSweeper.cpp: (JSC::IncrementalSweeper::doSweep): * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::tryAllocateHelper): (JSC::MarkedAllocator::tryAllocate): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::sweep): * heap/MarkedSpace.cpp: (JSC::MarkedSpace::MarkedSpace): (JSC::MarkedSpace::lastChanceToFinalize): (JSC::MarkedSpace::didFinishIterating): * heap/MarkedSpace.h: * heap/Heap.cpp: (JSC::Heap::collectAllGarbage): (JSC::Heap::zombifyDeadObjects): Removed references to DelayedReleaseScope and DelayedReleaseScope.h. * heap/Heap.cpp: (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount. (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away. (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated delayed release objects. * heap/Heap.h: (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later. (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that releaseDelayedReleasedObjects is being called recursively. * heap/HeapInlines.h: (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects. * runtime/JSLock.cpp: (JSC::JSLock::willReleaseLock): Call Heap::releaseDelayedObjectsNow() when releasing the lock. 
Modified Paths trunk/Source/_javascript_Core/API/JSAPIWrapperObject.mm trunk/Source/_javascript_Core/API/ObjCCallbackFunction.mm trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/Heap.h trunk/Source/_javascript_Core/heap/HeapInlines.h trunk/Source/_javascript_Core/heap/IncrementalSweeper.cpp trunk/Source/_javascript_Core/heap/MarkedAllocator.cpp trunk/Source/_javascript_Core/heap/MarkedBlock.cpp trunk/Source/_javascript_Core/heap/MarkedSpace.cpp trunk/Source/_javascript_Core/heap/MarkedSpace.h trunk/Source/_javascript_Core/runtime/JSLock.cpp Removed Paths trunk/Source/_javascript_Core/heap/DelayedReleaseScope.h Diff Modified: trunk/Source/_javascript_Core/API/JSAPIWrapperObject.mm (179727 => 179728) --- trunk/Source/_javascript_Core/API/JSAPIWrapperObject.mm 2015-02-06 01:07:51 UTC (rev 179727) +++ trunk/Source/_javascript_Core/API/JSAPIWrapperObject.mm 2015-02-06 01:12:00 UTC (rev 179728) @@ -26,7 +26,6 @@
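The race described in the commit message above, reduced to a single-threaded model, as an added example that is not JavaScriptCore code: the cache publishes a null placeholder before the real entry is built, and anything that re-enters the cache while the entry is under construction (the commit message's window where GC drops all locks and a second thread enters) sees the placeholder as a hit. The class and function names (`PlaceholderCache`, `PublishWhenCompleteCache`, `UnlinkedBlock`, `reentrantLookupSeesNull`) are invented for this illustration.

```cpp
// Added example, not JavaScriptCore code: a model of the CodeCache bug the
// commit message describes. All names here are invented for illustration.
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <string>

struct UnlinkedBlock {
    std::string source;
};

// Stands in for the allocation that can trigger a GC and, in the buggy
// version, drop the locks so that another lookup for the same source runs.
using Reenter = std::function<void()>;

// Buggy shape: the entry is inserted with a null value and filled in later.
// Anything that runs in between can observe the placeholder as a "hit".
class PlaceholderCache {
public:
    UnlinkedBlock* get(const std::string& source, const Reenter& mayReenter)
    {
        auto it = m_map.find(source);
        if (it != m_map.end())
            return it->second.get(); // "hit", but may still be the placeholder
        m_map[source] = nullptr;     // published before it is usable
        mayReenter();
        m_map[source] = std::make_unique<UnlinkedBlock>(UnlinkedBlock{source});
        return m_map[source].get();
    }

private:
    std::map<std::string, std::unique_ptr<UnlinkedBlock>> m_map;
};

// Safe shape: nothing is published until it is complete. A re-entrant lookup
// for the same source misses and builds its own block; emplace() keeps
// whichever insert landed first, so callers only ever see complete entries.
class PublishWhenCompleteCache {
public:
    UnlinkedBlock* get(const std::string& source, const Reenter& mayReenter)
    {
        auto it = m_map.find(source);
        if (it != m_map.end())
            return it->second.get();
        mayReenter();
        auto block = std::make_unique<UnlinkedBlock>(UnlinkedBlock{source});
        auto result = m_map.emplace(source, std::move(block));
        return result.first->second.get();
    }

private:
    std::map<std::string, std::unique_ptr<UnlinkedBlock>> m_map;
};

// Drives one outer lookup whose "allocation" re-enters the cache for the same
// (constructed) source text, and reports whether any lookup saw a null entry.
template <typename Cache>
bool reentrantLookupSeesNull(Cache& cache)
{
    bool sawNull = false;
    UnlinkedBlock* outer = cache.get("var x = 1;", [&] {
        UnlinkedBlock* inner = cache.get("var x = 1;", [] {});
        sawNull = (inner == nullptr);
    });
    return sawNull || outer == nullptr;
}

// true: the insert-then-fill cache hands a null pointer to the re-entrant caller.
bool placeholderCacheIsRacy()
{
    PlaceholderCache cache;
    return reentrantLookupSeesNull(cache);
}

// true: the publish-when-complete cache never exposes a null entry.
bool publishWhenCompleteCacheIsSafe()
{
    PublishWhenCompleteCache cache;
    return !reentrantLookupSeesNull(cache);
}

int main()
{
    std::printf("placeholder cache racy: %d\n", placeholderCacheIsRacy());
    std::printf("publish-when-complete cache safe: %d\n", publishWhenCompleteCacheIsSafe());
    return 0;
}
```

The fix in r179728 closes the window by no longer dropping the locks during collection; the second class shows the other standard defence, never publishing an incomplete entry into a structure that can be observed during reentrancy. Either one on its own removes the null dereference, and a data structure that does both is robust to the "other likely scenarios" the commit message mentions.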
[webkit-changes] [178432] trunk
Title: [178432] trunk Revision 178432 Author msab...@apple.com Date 2015-01-14 11:38:21 -0800 (Wed, 14 Jan 2015) Log Message REGRESSION (r174226): Header on huffingtonpost.com is too large https://bugs.webkit.org/show_bug.cgi?id=140306 Reviewed by Geoffrey Garen. Source/_javascript_Core: BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the arguments register or whether we need to resolve arguments. If the arguments have been captured, then they are stored in the lexical environment and the arguments register is not used. Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments register is captured. Renamed the function to willResolveToArgumentsRegister() to better indicate what we are checking. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::willResolveToArgumentsRegister): (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): (JSC::BytecodeGenerator::emitCall): (JSC::BytecodeGenerator::emitConstruct): (JSC::BytecodeGenerator::emitEnumeration): (JSC::BytecodeGenerator::willResolveToArguments): Deleted. * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::BracketAccessorNode::emitBytecode): (JSC::DotAccessorNode::emitBytecode): (JSC::getArgumentByVal): (JSC::ApplyFunctionCallDotNode::emitBytecode): (JSC::ArrayPatternNode::emitDirectBinding): LayoutTests: Updated js/arguments-iterator to test changing argument to array values. Removed tests that changed arguments to a string and an object as they were bogus and didn't test what they appeared to test. for .. of works on iterable objects only. Added new regression test, js/regress-140306. * js/arguments-iterator-expected.txt: * js/regress-140306-expected.txt: Added. * js/regress-140306.html: Added. * js/script-tests/arguments-iterator.js: (testEmptyArrayArguments): (testArrayArguments): (testOverwrittenArguments): Deleted. (testNullArguments): Deleted. (testNonArrayLikeArguments): Deleted. 
* js/script-tests/regress-140306.js: Added. (checkArgs): (applyToArgs): Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/arguments-iterator-expected.txt trunk/LayoutTests/js/script-tests/arguments-iterator.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp Added Paths trunk/LayoutTests/js/regress-140306-expected.txt trunk/LayoutTests/js/regress-140306.html trunk/LayoutTests/js/script-tests/regress-140306.js Diff Modified: trunk/LayoutTests/ChangeLog (178431 => 178432) --- trunk/LayoutTests/ChangeLog 2015-01-14 19:08:29 UTC (rev 178431) +++ trunk/LayoutTests/ChangeLog 2015-01-14 19:38:21 UTC (rev 178432) 
@@ -1,5 +1,32 @@ 2015-01-14 Michael Saboff msab...@apple.com +REGRESSION (r174226): Header on huffingtonpost.com is too large +https://bugs.webkit.org/show_bug.cgi?id=140306 + +Reviewed by Geoffrey Garen. + +Updated js/arguments-iterator to test changing argument to array values. +Removed tests that changed arguments to a string and an object as they were +bogus and didn't test what the appeared to test. +for .. of works on iterable objects only. + +Added new regression test, js/regress-140306. + +* js/arguments-iterator-expected.txt: +* js/regress-140306-expected.txt: Added. +* js/regress-140306.html: Added. +* js/script-tests/arguments-iterator.js: +(testEmptyArrayArguments): +(testArrayArguments): +(testOverwrittenArguments): Deleted. +(testNullArguments): Deleted. +(testNonArrayLikeArguments): Deleted. +* js/script-tests/regress-140306.js: Added. +(checkArgs): +(applyToArgs): + +2015-01-14 Michael Saboff msab...@apple.com + _javascript_ identifier incorrectly parsed if the prefix before an escape sequence is a keyword https://bugs.webkit.org/show_bug.cgi?id=140420 Modified: trunk/LayoutTests/js/arguments-iterator-expected.txt (178431 => 178432) --- trunk/LayoutTests/js/arguments-iterator-expected.txt 2015-01-14 19:08:29 UTC (rev 178431) +++ trunk/LayoutTests/js/arguments-iterator-expected.txt 2015-01-14 19:38:21 UTC (rev 178432) @@ -36,36 +36,24 @@ PASS actualArgumentsLength is iteratedArgumentsLength PASS arg === realArg is true PASS actualArgumentsLength is iteratedArgumentsLength +PASS testEmptyArrayArguments('a') is true +PASS testEmptyArrayArguments() is true PASS arg === realArg is true PASS arg === realArg is true PASS arg === realArg is true -PASS arg === realArg is true -PASS arg === realArg is true -PASS arg === realArg is true PASS actualArgumentsLength is iteratedArgumentsLength PASS arg === realArg is true PASS arg === realArg is true PASS arg === realArg is true -PASS arg === realArg is true -PASS arg === realArg is true -PASS arg
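Review bot: typo in the new ChangeLog entry, "didn't test what the appeared to test" should read "what they appeared to test". The following sentence, "for .. of works on iterable objects only.", is the reason those tests were bogus, so attaching it to the previous sentence ("... because for .. of works on iterable objects only") would read as the justification it is meant to be rather than a stray note.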
[webkit-changes] [178427] trunk
Title: [178427] trunk Revision 178427 Author msab...@apple.com Date 2015-01-14 10:48:58 -0800 (Wed, 14 Jan 2015) Log Message _javascript_ identifier incorrectly parsed if the prefix before an escape sequence is a keyword https://bugs.webkit.org/show_bug.cgi?id=140420 Reviewed by Oliver Hunt. Source/_javascript_Core: Added new function isIdentPartIncludingEscape() that performs the original isIdentPart() followed by a check for a valid unicode escape. If there is a unicode escape, its resolved value is checked with isIdentPart(). * KeywordLookupGenerator.py: (Trie.printSubTreeAsC): (Trie.printAsC): * parser/Lexer.cpp: (JSC::isUnicodeEscapeIdentPart): (JSC::isIdentPartIncludingEscape): LayoutTests: New regression test. * js/regress-140420-expected.txt: Added. * js/regress-140420.html: Added. * js/script-tests/regress-140420.js: Added. (with): (this): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/KeywordLookupGenerator.py trunk/Source/_javascript_Core/parser/Lexer.cpp Added Paths trunk/LayoutTests/js/regress-140420-expected.txt trunk/LayoutTests/js/regress-140420.html trunk/LayoutTests/js/script-tests/regress-140420.js Diff Modified: trunk/LayoutTests/ChangeLog (178426 => 178427) --- trunk/LayoutTests/ChangeLog 2015-01-14 18:43:05 UTC (rev 178426) +++ trunk/LayoutTests/ChangeLog 2015-01-14 18:48:58 UTC (rev 178427) 
@@ -1,3 +1,18 @@ +2015-01-14 Michael Saboff msab...@apple.com + +_javascript_ identifier incorrectly parsed if the prefix before an escape sequence is a keyword +https://bugs.webkit.org/show_bug.cgi?id=140420 + +Reviewed by Oliver Hunt. + +New regression test. + +* js/regress-140420-expected.txt: Added. +* js/regress-140420.html: Added. +* js/script-tests/regress-140420.js: Added. +(with): +(this): + 2015-01-14 Jer Noble jer.no...@apple.com Null-deref crash when seeking immediately before looping. Added: trunk/LayoutTests/js/regress-140420-expected.txt (0 => 178427) --- trunk/LayoutTests/js/regress-140420-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-140420-expected.txt 2015-01-14 18:48:58 UTC (rev 178427) @@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/140420. This test should run without throwing an exception. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-140420.html (0 => 178427) --- trunk/LayoutTests/js/regress-140420.html (rev 0) +++ trunk/LayoutTests/js/regress-140420.html 2015-01-14 18:48:58 UTC (rev 178427) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-140420.js (0 => 178427) --- trunk/LayoutTests/js/script-tests/regress-140420.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-140420.js 2015-01-14 18:48:58 UTC (rev 178427) 
@@ -0,0 +1,19 @@ +description( +Regression test for https://webkit.org/b/140420. This test should run without throwing an exception. +); + +function with\u00d1i\u00f1a(in\u00c7aVa) +{ +return in\u00c7aVa + 1; +} + +function this\u038f\u03c1\u03b1() +{ +return\u038f\u03c1\u03b1 = new Date() + +return return\u038f\u03c1\u03b1; +} + +var var\u00c9ternit\u00e9 = with\u00d1i\u00f1a(1000); + +var var\u03a4\u03ce\u03c1\u03b1 = this\u038f\u03c1\u03b1(); Modified: trunk/Source/_javascript_Core/ChangeLog (178426 => 178427) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-14 18:43:05 UTC (rev 178426) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-14 18:48:58 UTC (rev 178427) @@ -1,3 +1,21 @@ +2015-01-14 Michael Saboff msab...@apple.com + +_javascript_ identifier incorrectly parsed if the prefix before an escape sequence is a keyword +https://bugs.webkit.org/show_bug.cgi?id=140420 + +Reviewed by Oliver Hunt. + +Added new function isIdentPartIncludingEscape() that performs the original +isIdentPart() followed by a check for a valid unicode escape. If there is a +unicode escape, its resolved value is checked with isIdentPart(). + +* KeywordLookupGenerator.py: +(Trie.printSubTreeAsC): +(Trie.printAsC): +* parser/Lexer.cpp: +(JSC::isUnicodeEscapeIdentPart): +(JSC::isIdentPartIncludingEscape): + 2015-01-13 Joseph Pecoraro pecor...@apple.com Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events Modified: trunk/Source/_javascript_Core/KeywordLookupGenerator.py (178426 => 178427) --- trunk/Source/_javascript_Core/KeywordLookupGenerator.py 2015-01-14 18:43:05 UTC (rev 178426) +++ trunk/Source/_javascript_Core/KeywordLookupGenerator.py 2015-01-14 18:48:58 UTC (rev 178427) @@
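Review bot: in regress-140420.js the line `return\u038f\u03c1\u03b1 = new Date()` inside `this\u038f\u03c1\u03b1()` assigns to an undeclared identifier, making it a global, and has no terminating semicolon; `var return\u038f\u03c1\u03b1 = new Date();` keeps the `return` keyword-prefix case the test is after and additionally exercises `var` directly before an escaped identifier. The test currently only checks that the file parses and runs; `with\u00d1i\u00f1a(1000)` has a known result, so a `shouldBe('var\u00c9ternit\u00e9', '1001')` would also catch a lexer that accepts the identifier but resolves it to the wrong binding. In the LayoutTests ChangeLog entry above, the function entries `(with):` and `(this):` are just the keyword prefixes, the escaped remainder of each name having been cut off by the tool; spelling the full names out helps anyone grepping for them later.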
[webkit-changes] [178698] trunk/LayoutTests
Title: [178698] trunk/LayoutTests Revision 178698 Author msab...@apple.com Date 2015-01-19 21:58:26 -0800 (Mon, 19 Jan 2015) Log Message Re-enable js/dom/string-replace-exception-crash.html as root problem is fixed. https://bugs.webkit.org/show_bug.cgi?id=140666 Rubber Stamped by Filip Pizlo. * platform/mac/TestExpectations: Re-enabled js/dom/string-replace-exception-crash.html. Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/platform/mac/TestExpectations Diff Modified: trunk/LayoutTests/ChangeLog (178697 => 178698) --- trunk/LayoutTests/ChangeLog 2015-01-20 05:55:43 UTC (rev 178697) +++ trunk/LayoutTests/ChangeLog 2015-01-20 05:58:26 UTC (rev 178698) @@ -1,5 +1,15 @@ 2015-01-19 Michael Saboff msab...@apple.com +Re-enable js/dom/string-replace-exception-crash.html as root problem is fixed. +https://bugs.webkit.org/show_bug.cgi?id=140666 + +Rubber Stamped by Filip Pizlo. + +* platform/mac/TestExpectations: +Re-enabled js/dom/string-replace-exception-crash.html. + +2015-01-19 Michael Saboff msab...@apple.com + A cached null setter should throw a TypeException when called in strict mode and doesn't https://bugs.webkit.org/show_bug.cgi?id=139418 Modified: trunk/LayoutTests/platform/mac/TestExpectations (178697 => 178698) --- trunk/LayoutTests/platform/mac/TestExpectations 2015-01-20 05:55:43 UTC (rev 178697) +++ trunk/LayoutTests/platform/mac/TestExpectations 2015-01-20 05:58:26 UTC (rev 178698) @@ -917,8 +917,6 @@ webkit.org/b/135133 [ MountainLion ] fast/layers/no-clipping-overflow-hidden-added-after-transform.html [ Pass ImageOnlyFailure ] -webkit.org/b/136717 js/dom/string-replace-exception-crash.html [ Skip ] - webkit.org/b/136718 fast/dynamic/layer-no-longer-paginated.html [ Skip ] webkit.org/b/137737 accessibility/table-cells-roles.html [ Skip ] ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
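Review bot: the ChangeLog entry says the root problem is fixed but not by what; the removed expectation line cites webkit.org/b/136717, so naming that bug (or the revision that resolved it) in the entry would let the next person who sees js/dom/string-replace-exception-crash.html fail find the fix without bisecting.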
[webkit-changes] [178696] trunk
Title: [178696] trunk Revision 178696 Author msab...@apple.com Date 2015-01-19 21:28:04 -0800 (Mon, 19 Jan 2015) Log Message A cached null setter should throw a TypeException when called in strict mode and doesn't https://bugs.webkit.org/show_bug.cgi?id=139418 Reviewed by Filip Pizlo. Source/_javascript_Core: Made a new NullSetterFunction class similar to NullGetterFunction. The difference is that NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller. * CMakeLists.txt: * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * _javascript_Core.xcodeproj/project.pbxproj: Added new files NullSetterFunction.cpp and NullSetterFunction.h. * runtime/GetterSetter.h: (JSC::GetterSetter::GetterSetter): (JSC::GetterSetter::isSetterNull): (JSC::GetterSetter::setSetter): Change setter instances from using NullGetterFunction to using NullSetterFunction. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::nullSetterFunction): Added m_nullSetterFunction and accessor. * runtime/NullSetterFunction.cpp: Added. (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor): (JSC::GetCallerStrictnessFunctor::operator()): (JSC::GetCallerStrictnessFunctor::callerIsStrict): (JSC::callerIsStrict): Method to determine if the caller is in strict mode. (JSC::callReturnUndefined): (JSC::constructReturnUndefined): (JSC::NullSetterFunction::getCallData): (JSC::NullSetterFunction::getConstructData): * runtime/NullSetterFunction.h: Added. (JSC::NullSetterFunction::create): (JSC::NullSetterFunction::createStructure): (JSC::NullSetterFunction::NullSetterFunction): Class with handlers for a null setter. LayoutTests: New regression test. * js/regress-139418-expected.txt: Added. * js/regress-139418.html: Added. * js/script-tests/regress-139418.js: Added. 
(InnerObjectNoSetter): (InnerObjectNoSetter.prototype.get enabled): (StrictOuterObject): (StrictOuterObject.prototype.get enabled): (StrictOuterObject.prototype.set enabled): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/runtime/GetterSetter.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h Added Paths trunk/LayoutTests/js/regress-139418-expected.txt trunk/LayoutTests/js/regress-139418.html trunk/LayoutTests/js/script-tests/regress-139418.js trunk/Source/_javascript_Core/runtime/NullSetterFunction.cpp trunk/Source/_javascript_Core/runtime/NullSetterFunction.h Diff Modified: trunk/LayoutTests/ChangeLog (178695 => 178696) --- trunk/LayoutTests/ChangeLog 2015-01-20 05:17:07 UTC (rev 178695) +++ trunk/LayoutTests/ChangeLog 2015-01-20 05:28:04 UTC (rev 178696) 
@@ -1,3 +1,21 @@ +2015-01-19 Michael Saboff msab...@apple.com + +A cached null setter should throw a TypeException when called in strict mode and doesn't +https://bugs.webkit.org/show_bug.cgi?id=139418 + +Reviewed by Filip Pizlo. + +New regression test. + +* js/regress-139418-expected.txt: Added. +* js/regress-139418.html: Added. +* js/script-tests/regress-139418.js: Added. +(InnerObjectNoSetter): +(InnerObjectNoSetter.prototype.get enabled): +(StrictOuterObject): +(StrictOuterObject.prototype.get enabled): +(StrictOuterObject.prototype.set enabled): + 2015-01-19 Myles C. Maxfield mmaxfi...@apple.com [SVG - OTF Converter] Flip the switch on Added: trunk/LayoutTests/js/regress-139418-expected.txt (0 => 178696) --- trunk/LayoutTests/js/regress-139418-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-139418-expected.txt 2015-01-20 05:28:04 UTC (rev 178696) @@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/139418. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-139418.html (0 => 178696) --- trunk/LayoutTests/js/regress-139418.html (rev 0) +++ trunk/LayoutTests/js/regress-139418.html 2015-01-20 05:28:04 UTC (rev 178696) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-139418.js (0 => 178696) --- trunk/LayoutTests/js/script-tests/regress-139418.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-139418.js 2015-01-20 05:28:04 UTC (rev 178696) @@ -0,0 +1,54 @@ +description( +Regression test
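Review bot: the ChangeLog title says "TypeException" while the behaviour being fixed, as the JSC side of this change describes it, is a TypeError per ECMA-262; using the spec term in the title keeps bug searches consistent. The new regress-139418-expected.txt also stops at "Regression test for https://webkit.org/b/139418." without the sentence the other regression tests in this series use to say what success means (for example "This test should run without any exceptions"), which is worth adding so a reader of the expected output knows what the PASS lines are attesting to.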
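The strict-mode semantics the NullSetterFunction change above is restoring, as an added example that is not WebKit's test code: an accessor property with a getter and no setter silently ignores assignment in sloppy mode and throws a TypeError in strict mode, and an engine-side cache of the "null setter" must give the same outcome on the thousandth assignment as on the first. The names `makeGetterOnly`, `strictAssign`, `sloppyAssign`, `strictOutcomeStaysStable` and `sloppyIsSilent` are chosen for this example.

```javascript
// Added example, not WebKit test code: assignment to a getter-only accessor
// in strict versus sloppy mode. All function names here are invented.
"use strict";

// An object whose "enabled" property has a getter but no setter.
function makeGetterOnly() {
    return Object.defineProperty({}, "enabled", {
        get: function () { return true; },
        configurable: true
    });
}

// One strict-mode assignment; reports "threw" for the expected TypeError,
// "silent" if the write was ignored, "other" for any other exception.
function strictAssign(target) {
    try {
        target.enabled = false;
        return "silent";
    } catch (e) {
        return e instanceof TypeError ? "threw" : "other";
    }
}

// Sloppy-mode assignment. Code built with the Function constructor is not
// covered by this file's "use strict" directive, so the write is a no-op.
var sloppyAssign = new Function(
    "target",
    "target.enabled = false; return target.enabled;"
);

// Repeats the strict assignment enough times that a JIT or inline cache
// would be warm, then checks the last outcome still matches the first.
function strictOutcomeStaysStable(iterations) {
    var target = makeGetterOnly();
    var first = strictAssign(target);
    var last = first;
    for (var i = 0; i < iterations; i++)
        last = strictAssign(target);
    return first === "threw" && last === "threw";
}

// Sloppy mode: the write is ignored and the getter still answers true.
function sloppyIsSilent() {
    return sloppyAssign(makeGetterOnly()) === true;
}
```

The loop is the part that matters for a bug like 139418: the first assignment takes the slow path and is correct almost by construction, whereas a cached null setter is only exercised once the property access has been seen enough times to be cached, so a regression test that asserts the outcome only once can pass against a broken engine.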
[webkit-changes] [178855] trunk/Source/JavaScriptCore
Title: [178855] trunk/Source/_javascript_Core Revision 178855 Author msab...@apple.com Date 2015-01-21 11:46:13 -0800 (Wed, 21 Jan 2015) Log Message Eliminate construct methods from NullGetterFunction and NullSetterFunction classes https://bugs.webkit.org/show_bug.cgi?id=140708 Reviewed by Mark Lam. Eliminated construct methods and changed getConstructData() for both classes to return ConstructTypeNone as they can never be called. * runtime/NullGetterFunction.cpp: (JSC::NullGetterFunction::getConstructData): (JSC::constructReturnUndefined): Deleted. * runtime/NullSetterFunction.cpp: (JSC::NullSetterFunction::getConstructData): (JSC::constructReturnUndefined): Deleted. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/NullGetterFunction.cpp trunk/Source/_javascript_Core/runtime/NullSetterFunction.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (178854 => 178855) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-21 19:35:08 UTC (rev 178854) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-21 19:46:13 UTC (rev 178855) 
@@ -1,3 +1,20 @@ +2015-01-21 Michael Saboff msab...@apple.com + +Eliminate construct methods from NullGetterFunction and NullSetterFunction classes +https://bugs.webkit.org/show_bug.cgi?id=140708 + +Reviewed by Mark Lam. + +Eliminated construct methods and change getConstructData() for both classes to return +ConstructTypeNone as they can never be called. + +* runtime/NullGetterFunction.cpp: +(JSC::NullGetterFunction::getConstructData): +(JSC::constructReturnUndefined): Deleted. +* runtime/NullSetterFunction.cpp: +(JSC::NullSetterFunction::getConstructData): +(JSC::constructReturnUndefined): Deleted. + 2015-01-21 Csaba Osztrogonác o...@webkit.org Remove ENABLE(INSPECTOR) ifdef guards Modified: trunk/Source/_javascript_Core/runtime/NullGetterFunction.cpp (178854 => 178855) --- trunk/Source/_javascript_Core/runtime/NullGetterFunction.cpp 2015-01-21 19:35:08 UTC (rev 178854) +++ trunk/Source/_javascript_Core/runtime/NullGetterFunction.cpp 2015-01-21 19:46:13 UTC (rev 178855) @@ -38,21 +38,15 @@ return JSValue::encode(jsUndefined()); } -static EncodedJSValue JSC_HOST_CALL constructReturnUndefined(ExecState*) -{ -return JSValue::encode(jsUndefined()); -} - CallType NullGetterFunction::getCallData(JSCell*, CallData callData) { callData.native.function = callReturnUndefined; return CallTypeHost; } -ConstructType NullGetterFunction::getConstructData(JSCell*, ConstructData constructData) +ConstructType NullGetterFunction::getConstructData(JSCell*, ConstructData) { -constructData.native.function = constructReturnUndefined; -return ConstructTypeHost; +return ConstructTypeNone; } } Modified: trunk/Source/_javascript_Core/runtime/NullSetterFunction.cpp (178854 => 178855) --- trunk/Source/_javascript_Core/runtime/NullSetterFunction.cpp 2015-01-21 19:35:08 UTC (rev 178854) +++ trunk/Source/_javascript_Core/runtime/NullSetterFunction.cpp 2015-01-21 19:46:13 UTC (rev 178855) 
@@ -76,23 +76,15 @@ return JSValue::encode(jsUndefined()); } -static EncodedJSValue JSC_HOST_CALL constructReturnUndefined(ExecState* exec) -{ -if (callerIsStrict(exec)) -return JSValue::encode(throwTypeError(exec, ASCIILiteral(Setting a property that has only a getter))); -return JSValue::encode(jsUndefined()); -} - CallType NullSetterFunction::getCallData(JSCell*, CallData callData) { callData.native.function = callReturnUndefined; return CallTypeHost; } -ConstructType NullSetterFunction::getConstructData(JSCell*, ConstructData constructData) +ConstructType NullSetterFunction::getConstructData(JSCell*, ConstructData) { -constructData.native.function = constructReturnUndefined; -return ConstructTypeHost; +return ConstructTypeNone; } } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
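Review bot: returning ConstructTypeNone changes what happens if either function is ever reached through `new`: instead of returning undefined (or, for NullSetterFunction with a strict caller, throwing the "Setting a property that has only a getter" TypeError the deleted `constructReturnUndefined` produced) the call now fails as "not a constructor". The ChangeLog justifies this with "they can never be called"; stating in one line why that holds (how the null getter and setter are kept out of reach of script) would turn a prose assertion into something a reviewer can check, and the deleted strict-caller branch shows the setter case at least had a deliberate behaviour before, so the entry should say that dropping it is intentional.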
[webkit-changes] [178856] trunk/Source/JavaScriptCore
Title: [178856] trunk/Source/_javascript_Core Revision 178856 Author msab...@apple.com Date 2015-01-21 13:43:55 -0800 (Wed, 21 Jan 2015) Log Message Eliminate Scope slot from _javascript_ CallFrame https://bugs.webkit.org/show_bug.cgi?id=136724 Reviewed by Geoffrey Garen. This finishes the removal of the scope chain slot from the call frame header. * dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::reifyInlinedCallFrames): * dfg/DFGPreciseLocalClobberize.h: (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * ftl/FTLJSCall.cpp: (JSC::FTL::JSCall::emit): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): * interpreter/JSStack.h: * interpreter/VMInspector.cpp: (JSC::VMInspector::dumpFrame): * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): * jit/JITOpcodes32_64.cpp: (JSC::JIT::privateCompileCTINativeCall): * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::linkClosureCall): * jit/ThunkGenerators.cpp: (JSC::virtualForThunkGenerator): (JSC::nativeForGenerator): Deleted ScopeChain slot from JSStack. Removed all code where ScopeChain was being read or set. In most cases this was where we make JS calls. * interpreter/CallFrameClosure.h: (JSC::CallFrameClosure::setArgument): (JSC::CallFrameClosure::resetCallFrame): Deleted. * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::prepareForRepeatCall): * interpreter/ProtoCallFrame.cpp: (JSC::ProtoCallFrame::init): * interpreter/ProtoCallFrame.h: (JSC::ProtoCallFrame::scope): Deleted. (JSC::ProtoCallFrame::setScope): Deleted. 
* llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter64.asm: Removed the related scopeChainValue member from ProtoCallFrame. Reduced the number of registers that needed to be copied from the ProtoCallFrame to a callee's frame from 5 to 4. * llint/LowLevelInterpreter32_64.asm: In addition to the prior changes, also deleted the unused macro getDeBruijnScope. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp trunk/Source/_javascript_Core/dfg/DFGPreciseLocalClobberize.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLJSCall.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp trunk/Source/_javascript_Core/interpreter/CallFrameClosure.h trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/interpreter/JSStack.h trunk/Source/_javascript_Core/interpreter/ProtoCallFrame.cpp trunk/Source/_javascript_Core/interpreter/ProtoCallFrame.h trunk/Source/_javascript_Core/interpreter/VMInspector.cpp trunk/Source/_javascript_Core/jit/JITCall.cpp trunk/Source/_javascript_Core/jit/JITCall32_64.cpp trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp trunk/Source/_javascript_Core/jit/Repatch.cpp trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp trunk/Source/_javascript_Core/llint/LLIntData.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (178855 => 178856) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-21 19:46:13 UTC (rev 178855) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-21 21:43:55 UTC (rev 178856) 
@@ -1,5 +1,69 @@ 2015-01-21 Michael Saboff msab...@apple.com +Eliminate Scope slot from _javascript_ CallFrame +https://bugs.webkit.org/show_bug.cgi?id=136724 + +Reviewed by Geoffrey Garen. + +This finishes the removal of the scope chain slot from the call frame header. + +* dfg/DFGOSRExitCompilerCommon.cpp: +(JSC::DFG::reifyInlinedCallFrames): +* dfg/DFGPreciseLocalClobberize.h: +(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* ftl/FTLJSCall.cpp: +(JSC::FTL::JSCall::emit): +* ftl/FTLLowerDFGToLLVM.cpp: +(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): +(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): +* interpreter/JSStack.h: +* interpreter/VMInspector.cpp: +(JSC::VMInspector::dumpFrame): +* jit/JITCall.cpp: +(JSC::JIT::compileOpCall): +* jit/JITCall32_64.cpp: +(JSC::JIT::compileOpCall): +* jit/JITOpcodes32_64.cpp: +
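Review bot: the ChangeLog hunk is cut off after `+* jit/JITOpcodes32_64.cpp:` and none of the source diffs under Modified Paths are present in this message, so the slot removal itself cannot be checked here. When the full diff is reviewed, the point to confirm is that interpreter/JSStack.h, the three llint/LowLevelInterpreter*.asm files and LLInt::Data::performAssertions (all listed as modified) agree on the new call frame header layout; performAssertions is the startup check that the C++ and asm offsets match, so it must change in the same commit rather than stay at the old slot count. The log also says the ProtoCallFrame-to-callee-frame register copy went from 5 to 4; the asm loop that performs that copy is where an off-by-one would go unnoticed, so a comment naming the four registers in copy order would help the next reader.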
[webkit-changes] [178629] trunk
Title: [178629] trunk Revision 178629 Author msab...@apple.com Date 2015-01-17 16:20:49 -0800 (Sat, 17 Jan 2015) Log Message Crash in JSScope::resolve() on tools.ups.com https://bugs.webkit.org/show_bug.cgi?id=140579 Reviewed by Geoffrey Garen. Source/_javascript_Core: For op_resolve_scope of a global property or variable that needs to check for the var injection check watchpoint, we need to keep the scope around with a Phantom. The baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint fired. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): LayoutTests: New regression test. * js/regress-140579-expected.txt: Added. * js/regress-140579.html: Added. * js/script-tests/regress-140579.js: Added. (Test.this.isString): (Test.this.test): (Test): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp Added Paths trunk/LayoutTests/js/regress-140579-expected.txt trunk/LayoutTests/js/regress-140579.html trunk/LayoutTests/js/script-tests/regress-140579.js Diff Modified: trunk/LayoutTests/ChangeLog (178628 => 178629) --- trunk/LayoutTests/ChangeLog 2015-01-17 22:51:47 UTC (rev 178628) +++ trunk/LayoutTests/ChangeLog 2015-01-18 00:20:49 UTC (rev 178629) 
@@ -1,3 +1,19 @@ +2015-01-17 Michael Saboff msab...@apple.com + +Crash in JSScope::resolve() on tools.ups.com +https://bugs.webkit.org/show_bug.cgi?id=140579 + +Reviewed by Geoffrey Garen. + +New regression test. + +* js/regress-140579-expected.txt: Added. +* js/regress-140579.html: Added. +* js/script-tests/regress-140579.js: Added. +(Test.this.isString): +(Test.this.test): +(Test): + 2015-01-17 Chris Dumez cdu...@apple.com Converting time, angle and frequency units in CSS calc() function Added: trunk/LayoutTests/js/regress-140579-expected.txt (0 => 178629) --- trunk/LayoutTests/js/regress-140579-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-140579-expected.txt 2015-01-18 00:20:49 UTC (rev 178629) @@ -0,0 +1,10 @@ +Regression test for https://webkit.org/b/140579. This test should run without crashing. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS o.test() == 5000 is true +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-140579.html (0 => 178629) --- trunk/LayoutTests/js/regress-140579.html (rev 0) +++ trunk/LayoutTests/js/regress-140579.html 2015-01-18 00:20:49 UTC (rev 178629) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-140579.js (0 => 178629) --- trunk/LayoutTests/js/script-tests/regress-140579.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-140579.js 2015-01-18 00:20:49 UTC (rev 178629) 
@@ -0,0 +1,35 @@ +description( +Regression test for https://webkit.org/b/140579. This test should run without crashing. +); + +function Test(maxCount) +{ +this.dummy = eval(0); + +this.isString = function(v) { +return (typeof v == string || v instanceof String); +}; + +this.test = function() +{ +var count = eval(0); +var s = abc; + +for (var i = 0; i maxCount; i++) { +if (i == 4500) { +s = new String(xyz); // Cause a BadType OSR exit in isString() + eval(var x = 3;); // Fire var injection watchpoint + } + +if (this.isString(s)) +count++; +} + +return count; +}; +} + +o = new Test(5000); + +shouldBeTrue(o.test() == 5000); + Modified: trunk/Source/_javascript_Core/ChangeLog (178628 => 178629) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-17 22:51:47 UTC (rev 178628) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-18 00:20:49 UTC (rev 178629) @@ -1,3 +1,18 @@ +2015-01-17 Michael Saboff msab...@apple.com + +Crash in JSScope::resolve() on tools.ups.com +https://bugs.webkit.org/show_bug.cgi?id=140579 + +Reviewed by Geoffrey Garen. + +For op_resolve_scope of a global property or variable that needs to check for the var +injection check watchpoint, we need to keep the scope around with a Phantom. The +baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint +fired. + +* dfg/DFGByteCodeParser.cpp: +(JSC::DFG::ByteCodeParser::parseBlock): + 2015-01-16 Brian J. Burg b...@cs.washington.edu Web Inspector: code generator should introduce typedefs for protocol types that are arrays Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (178628 => 178629) --- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2015-01-17 22:51:47 UTC (rev 178628)
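Review bot: the regression test in regress-140579.js depends on tiering timing: the BadType OSR exit and the var injection via eval are triggered at i == 4500 of 5000 iterations, which only reaches the op_resolve_scope slow path if isString() has been compiled by the DFG by then. A comment in the test stating that assumption would keep the test meaningful if tier-up thresholds change, and a note on what "crash" looked like before the fix (the JSScope::resolve() crash in the title) would tell a future reader what a failure of this test means. The DFGByteCodeParser.cpp hunk that adds the Phantom keeping the scope alive is cut off after its file header, so the placement of the Phantom relative to the var injection watchpoint check cannot be confirmed from this message; the ChangeLog gives the reason (the baseline JIT slow path needs the scope value if the watchpoint fired) but not the location.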
[webkit-changes] [178966] trunk
Title: [178966] trunk Revision 178966 Author msab...@apple.com Date 2015-01-22 16:15:51 -0800 (Thu, 22 Jan 2015) Log Message REGRESSION (174847): can't view NHK(Japan's national public broadcasting organization)’s news pages https://bugs.webkit.org/show_bug.cgi?id=140794 Reviewed by Anders Carlsson. Source/WebCore: If a document.open has been set, return it instead of always returning a new, non-cached instance of jsHTMLDocumentPrototypeFunctionOpen. Test: js/dom/document-overwrite-open.html * bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::JSHTMLDocument::getOwnPropertySlot): LayoutTests: * js/dom/document-overwrite-open-expected.txt: Added. * js/dom/document-overwrite-open.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp Added Paths trunk/LayoutTests/js/dom/document-overwrite-open-expected.txt trunk/LayoutTests/js/dom/document-overwrite-open.html Diff Modified: trunk/LayoutTests/ChangeLog (178965 => 178966) --- trunk/LayoutTests/ChangeLog 2015-01-22 23:46:41 UTC (rev 178965) +++ trunk/LayoutTests/ChangeLog 2015-01-23 00:15:51 UTC (rev 178966) @@ -1,3 +1,13 @@ +2015-01-22 Michael Saboff msab...@apple.com + +REGRESSION (174847): can't view NHK(Japan's national public broadcasting organization)’s news pages +https://bugs.webkit.org/show_bug.cgi?id=140794 + +Reviewed by Anders Carlsson. + +* js/dom/document-overwrite-open-expected.txt: Added. +* js/dom/document-overwrite-open.html: Added. + 2015-01-22 Roger Fong roger_f...@apple.com [WebGL2] Create empty interface files for new WebGL2 objects. Added: trunk/LayoutTests/js/dom/document-overwrite-open-expected.txt (0 => 178966) --- trunk/LayoutTests/js/dom/document-overwrite-open-expected.txt (rev 0) +++ trunk/LayoutTests/js/dom/document-overwrite-open-expected.txt 2015-01-23 00:15:51 UTC (rev 178966) 
@@ -0,0 +1,7 @@ +This page tests that the document function open() can be overwritten with a user provided function. If the test passes, you'll see PASS messages below. + +PASS: document.open was overwritten. +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/dom/document-overwrite-open.html (0 => 178966) --- trunk/LayoutTests/js/dom/document-overwrite-open.html (rev 0) +++ trunk/LayoutTests/js/dom/document-overwrite-open.html 2015-01-23 00:15:51 UTC (rev 178966) @@ -0,0 +1,22 @@ +!DOCTYPE HTML +html +head +script src="" +/head +body +pThis page tests that the document function open() can be overwritten with a user provided function. If the test passes, you'll see PASS messages below./p +pre id=console/pre +script + +document.open = function() { +debug(PASS: document.open was overwritten.); +} + +document.open(); + +if (this.testRunner) +testRunner.dumpAsText(); +/script +script src="" +/body +/html Modified: trunk/Source/WebCore/ChangeLog (178965 => 178966) --- trunk/Source/WebCore/ChangeLog 2015-01-22 23:46:41 UTC (rev 178965) +++ trunk/Source/WebCore/ChangeLog 2015-01-23 00:15:51 UTC (rev 178966) 
@@ -1,3 +1,18 @@ +2015-01-22 Michael Saboff msab...@apple.com + +REGRESSION (174847): can't view NHK(Japan's national public broadcasting organization)’s news pages +https://bugs.webkit.org/show_bug.cgi?id=140794 + +Reviewed by Anders Carlsson. + +If a document.open has been set, return it instead of always returning a new, +non-cached instance of jsHTMLDocumentPrototypeFunctionOpen. + +Test: js/dom/document-overwrite-open.html + +* bindings/js/JSHTMLDocumentCustom.cpp: +(WebCore::JSHTMLDocument::getOwnPropertySlot): + 2015-01-22 Zalan Bujtas za...@apple.com Simple line layout: Reset LineState when starting a new line. Modified: trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp (178965 => 178966) --- trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2015-01-22 23:46:41 UTC (rev 178965) +++ trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp 2015-01-23 00:15:51 UTC (rev 178966) @@ -64,6 +64,9 @@ ASSERT_GC_OBJECT_INHERITS(thisObject, info()); if (propertyName == open) { +if (Base::getOwnPropertySlot(thisObject, exec, propertyName, slot)) +return true; + slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetterjsHTMLDocumentPrototypeFunctionOpen, 2); return true; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
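Review bot: in the JSHTMLDocument::getOwnPropertySlot hunk, the new early return lets an own `open` property set by page script take precedence, but the fallback slot is still installed with ReadOnly | DontDelete | DontEnum. Those attributes advertise that the property cannot be replaced or deleted, which is contradicted by the behaviour the new test verifies (assignment succeeds and wins), so either the attributes should be revisited or a comment should explain why assignment bypasses them. The test only covers the overwrite case; a companion check that the built-in open() still resolves when no own property exists, and whether `delete document.open` restores it, would pin both sides of the lookup order. Since document.open() is the entry point page script uses to rewrite the document, the lookup order matters to any code relying on the native implementation.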
[webkit-changes] [178728] trunk/Source/JavaScriptCore
Title: [178728] trunk/Source/_javascript_Core Revision 178728 Author msab...@apple.com Date 2015-01-20 11:35:29 -0800 (Tue, 20 Jan 2015) Log Message REGRESSION(178696): Sporadic crashes while garbage collecting https://bugs.webkit.org/show_bug.cgi?id=140688 Reviewed by Geoffrey Garen. Added missing visitor.append(thisObject-m_nullSetterFunction). * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::visitChildren): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (178727 => 178728) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-20 19:29:46 UTC (rev 178727) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-20 19:35:29 UTC (rev 178728) @@ -1,3 +1,15 @@ +2015-01-20 Michael Saboff msab...@apple.com + +REGRESSION(178696): Sporadic crashes while garbage collecting +https://bugs.webkit.org/show_bug.cgi?id=140688 + +Reviewed by Geoffrey Garen. + +Added missing visitor.append(thisObject-m_nullSetterFunction). + +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::visitChildren): + 2015-01-19 Brian J. Burg b...@cs.washington.edu Web Replay: code generator should take supplemental specifications and allow cross-framework references Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (178727 => 178728) --- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2015-01-20 19:29:46 UTC (rev 178727) +++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2015-01-20 19:35:29 UTC (rev 178728) @@ -656,6 +656,7 @@ #endif visitor.append(thisObject-m_nullGetterFunction); +visitor.append(thisObject-m_nullSetterFunction); visitor.append(thisObject-m_evalFunction); visitor.append(thisObject-m_callFunction); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
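Review bot: the fix adds the missing `visitor.append` for m_nullSetterFunction next to the existing m_nullGetterFunction line, and the ChangeLog identifies r178696 as the regressing commit; the review question is whether any other WriteBarrier members added by that commit are also absent from visitChildren, since an unvisited member becomes a dangling pointer after the next collection and surfaces only as the sporadic GC crashes described. No test accompanies the change; a stress run with aggressive collection on the tests that reach the null setter is the way to confirm it, and a comment on the member declaration pairing it with visitChildren would make the next omission less likely.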
[webkit-changes] [178591] trunk
Title: [178591] trunk Revision 178591 Author msab...@apple.com Date 2015-01-16 12:40:22 -0800 (Fri, 16 Jan 2015) Log Message REGRESSION (r174226): Header on huffingtonpost.com is too large https://bugs.webkit.org/show_bug.cgi?id=140306 Reviewed by Filip Pizlo. Source/_javascript_Core: BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the arguments register or whether we need to resolve arguments. If the arguments have been captured, then they are stored in the lexical environment and the arguments register is not used. Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments register is captured. Renamed the function to willResolveToArgumentsRegister() to better indicate what we are checking. Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating an arguments object that was optimized out of an inlined callFrame. The 32 bit path incorrectly calculated the location of the reified callee frame. This alignment resulted in the removal of operationCreateInlinedArgumentsDuringOSRExit() * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::willResolveToArgumentsRegister): (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): (JSC::BytecodeGenerator::emitCall): (JSC::BytecodeGenerator::emitConstruct): (JSC::BytecodeGenerator::emitEnumeration): (JSC::BytecodeGenerator::willResolveToArguments): Deleted. * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::BracketAccessorNode::emitBytecode): (JSC::DotAccessorNode::emitBytecode): (JSC::getArgumentByVal): (JSC::ApplyFunctionCallDotNode::emitBytecode): (JSC::ArrayPatternNode::emitDirectBinding): * dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): * dfg/DFGOperations.cpp: (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted. * dfg/DFGOperations.h: (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted. 
LayoutTests: Updated js/arguments-iterator to test changing argument to array values. Removed tests that changed arguments to a string and an object as they were bogus and didn't test what they appeared to test. for .. of works on iterable objects only. Added new regression test, js/regress-140306. * js/arguments-iterator-expected.txt: * js/regress-140306-expected.txt: Added. * js/regress-140306.html: Added. * js/script-tests/arguments-iterator.js: (testEmptyArrayArguments): (testArrayArguments): (testOverwrittenArguments): Deleted. (testNullArguments): Deleted. (testNonArrayLikeArguments): Deleted. * js/script-tests/regress-140306.js: Added. (checkArgs): (applyToArgs): Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/arguments-iterator-expected.txt trunk/LayoutTests/js/script-tests/arguments-iterator.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.h Added Paths trunk/LayoutTests/js/regress-140306-expected.txt trunk/LayoutTests/js/regress-140306.html trunk/LayoutTests/js/script-tests/regress-140306.js Diff Modified: trunk/LayoutTests/ChangeLog (178590 => 178591) --- trunk/LayoutTests/ChangeLog 2015-01-16 20:22:58 UTC (rev 178590) +++ trunk/LayoutTests/ChangeLog 2015-01-16 20:40:22 UTC (rev 178591) 
@@ -1,3 +1,30 @@ +2015-01-16 Michael Saboff msab...@apple.com + +REGRESSION (r174226): Header on huffingtonpost.com is too large +https://bugs.webkit.org/show_bug.cgi?id=140306 + +Reviewed by Filip Pizlo. + +Updated js/arguments-iterator to test changing argument to array values. +Removed tests that changed arguments to a string and an object as they were +bogus and didn't test what the appeared to test. +for .. of works on iterable objects only. + +Added new regression test, js/regress-140306. + +* js/arguments-iterator-expected.txt: +* js/regress-140306-expected.txt: Added. +* js/regress-140306.html: Added. +* js/script-tests/arguments-iterator.js: +(testEmptyArrayArguments): +(testArrayArguments): +(testOverwrittenArguments): Deleted. +(testNullArguments): Deleted. +(testNonArrayLikeArguments): Deleted. +* js/script-tests/regress-140306.js: Added. +(checkArgs): +(applyToArgs): + 2015-01-16 Jeremy Jones jere...@apple.com [mac] Fix test expectations after r178310. Modified: trunk/LayoutTests/js/arguments-iterator-expected.txt (178590 => 178591) --- trunk/LayoutTests/js/arguments-iterator-expected.txt 2015-01-16 20:22:58 UTC (rev 178590) +++ trunk/LayoutTests/js/arguments-iterator-expected.txt 2015-01-16 20:40:22 UTC (rev 178591) @@
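Review bot: the LayoutTests ChangeLog hunk says testOverwrittenArguments, testNullArguments and testNonArrayLikeArguments were deleted because `for .. of` works on iterable objects only, but that reasoning argues for keeping them with corrected expectations rather than removing them: iterating a reassigned `arguments` that is null or a non-iterable object should throw a TypeError, and a test pinning that keeps coverage of the reassigned-arguments path, which is close to the code this commit changes. The source hunks (BytecodeGenerator.cpp, NodesCodegen.cpp and the 32-bit path in ArgumentsRecoveryGenerator::generateFor) are not included in this message, so the reified callee frame offset fix the log describes cannot be checked here.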
[webkit-changes] [178614] trunk/LayoutTests
Title: [178614] trunk/LayoutTests Revision 178614 Author msab...@apple.com Date 2015-01-16 16:37:08 -0800 (Fri, 16 Jan 2015) Log Message REGRESSION(178591): js/slow-stress/call-spread.html js/slow-stress/new-spread.html https://bugs.webkit.org/show_bug.cgi?id=140574 Rubber stamped by Oliver Hunt. Changed the loop counts in the test to lower values to speed up the tests. * js/slow-stress/script-tests/call-spread.js: (test2): (test3): * js/slow-stress/script-tests/new-spread.js: (test2): (test3): Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/slow-stress/script-tests/call-spread.js trunk/LayoutTests/js/slow-stress/script-tests/new-spread.js Diff Modified: trunk/LayoutTests/ChangeLog (178613 => 178614) --- trunk/LayoutTests/ChangeLog 2015-01-17 00:35:49 UTC (rev 178613) +++ trunk/LayoutTests/ChangeLog 2015-01-17 00:37:08 UTC (rev 178614) @@ -1,3 +1,19 @@ +2015-01-16 Michael Saboff msab...@apple.com + +REGRESSION(178591): js/slow-stress/call-spread.html js/slow-stress/new-spread.html +https://bugs.webkit.org/show_bug.cgi?id=140574 + +Rubber stamped by Oliver Hunt. + +Changed the loop counts in the test to lower values to speed up the tests. + +* js/slow-stress/script-tests/call-spread.js: +(test2): +(test3): +* js/slow-stress/script-tests/new-spread.js: +(test2): +(test3): + 2015-01-16 Zalan Bujtas za...@apple.com When border-radius is present, inset/outset/groove/ridge border color changes. Modified: trunk/LayoutTests/js/slow-stress/script-tests/call-spread.js (178613 => 178614) --- trunk/LayoutTests/js/slow-stress/script-tests/call-spread.js 2015-01-17 00:35:49 UTC (rev 178613) +++ trunk/LayoutTests/js/slow-stress/script-tests/call-spread.js 2015-01-17 00:37:08 UTC (rev 178614) 
@@ -9,14 +9,14 @@ var arrayArguments = [2, 3, 4] var result = 0; -for (var i = 0; i 100; i++) +for (var i = 0; i 5; i++) result += testFunction(...arrayArguments); -for (var i = 0; i 100; i++) +for (var i = 0; i 5; i++) result += testFunction(...[1, 2, result, 4]); function test2() { -for (var i = 0; i 100; i++) +for (var i = 0; i 5; i++) result += testFunction(...arguments); } @@ -25,11 +25,11 @@ function test3() { aliasedArguments = arguments; -for (var i = 0; i 100; i++) +for (var i = 0; i 5; i++) result += testFunction(...aliasedArguments); } test3(1,2,result,4) -if (result != -856444619779264) -throw Result was + result + expected -856444619779264; \ No newline at end of file +if (result != 43424761715344) +throw Result was + result + expected 43424761715344; Modified: trunk/LayoutTests/js/slow-stress/script-tests/new-spread.js (178613 => 178614) --- trunk/LayoutTests/js/slow-stress/script-tests/new-spread.js 2015-01-17 00:35:49 UTC (rev 178613) +++ trunk/LayoutTests/js/slow-stress/script-tests/new-spread.js 2015-01-17 00:37:08 UTC (rev 178614) @@ -9,14 +9,14 @@ var arrayArguments = [2, 3, 4] var result = 0; -for (var i = 0; i 100; i++) +for (var i = 0; i 5; i++) new testFunction(...arrayArguments); -for (var i = 0; i 100; i++) +for (var i = 0; i 5; i++) new testFunction(...[1, 2, result, 4]); function test2() { -for (var i = 0; i 100; i++) +for (var i = 0; i 5; i++) new testFunction(...arguments); } @@ -25,11 +25,11 @@ function test3() { aliasedArguments = arguments; -for (var i = 0; i 100; i++) +for (var i = 0; i 5; i++) new testFunction(...aliasedArguments); } test3(1,2,result,4) -if (result != -2371153088) -throw Result was + result + expected -2371153088; \ No newline at end of file +if (result != 2642352784) +throw Result was + result + expected 2642352784; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
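Review bot: both slow-stress hunks cut every loop from 100 to 5 iterations, which fixes the timeout but may defeat the purpose of a slow-stress test: at 5 iterations per loop the spread call sites may never reach the DFG or FTL, so the optimized paths for `...arguments` and `...aliasedArguments` that r178591 touched would no longer be exercised. The ChangeLog should say which tier the tests still reach after the change. The new expected values (43424761715344 and 2642352784) are opaque magic numbers that will change again on the next count adjustment; computing the expected result with a plain non-spread loop inside the test would document what is actually being checked. The `\ No newline at end of file` fix is fine.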
[webkit-changes] [180247] trunk/Source/JavaScriptCore
Title: [180247] trunk/Source/_javascript_Core Revision 180247 Author msab...@apple.com Date 2015-02-17 18:38:16 -0800 (Tue, 17 Feb 2015) Log Message CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode https://bugs.webkit.org/show_bug.cgi?id=141730 Reviewed by Geoffrey Garen. Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures while processing DFG lowering. For debug builds, the failures are logged identically to the way the DFG_CRASH() reports them. For release builds, the failures are reported and that FTL compilation is terminated, but the process is allowed to continue. Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and line number are reported at the point of the inconsistency. Converted instances of DFG_CRASH to LOWERING_FAILED. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that will fail the FTL compile. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): Added new member variable, m_loweringSucceeded, to stop compilation on the first reported failure. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::lower): * ftl/FTLLowerDFGToLLVM.h: Added check for compilation failures and now report those failures via a boolean return value. 
* ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::createPhiVariables): (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileUpsilon): (JSC::FTL::LowerDFGToLLVM::compilePhi): (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): (JSC::FTL::LowerDFGToLLVM::compileValueRep): (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): (JSC::FTL::LowerDFGToLLVM::compilePutLocal): (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): (JSC::FTL::LowerDFGToLLVM::compileArithMul): (JSC::FTL::LowerDFGToLLVM::compileArithDiv): (JSC::FTL::LowerDFGToLLVM::compileArithMod): (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): (JSC::FTL::LowerDFGToLLVM::compileArithAbs): (JSC::FTL::LowerDFGToLLVM::compileArithNegate): (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): (JSC::FTL::LowerDFGToLLVM::compileGetById): (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): (JSC::FTL::LowerDFGToLLVM::compileGetByVal): (JSC::FTL::LowerDFGToLLVM::compilePutByVal): (JSC::FTL::LowerDFGToLLVM::compileArrayPush): (JSC::FTL::LowerDFGToLLVM::compileArrayPop): (JSC::FTL::LowerDFGToLLVM::compileNewArray): (JSC::FTL::LowerDFGToLLVM::compileToString): (JSC::FTL::LowerDFGToLLVM::compileMakeRope): (JSC::FTL::LowerDFGToLLVM::compileCompareEq): (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): (JSC::FTL::LowerDFGToLLVM::compileSwitch): (JSC::FTL::LowerDFGToLLVM::compare): (JSC::FTL::LowerDFGToLLVM::boolify): (JSC::FTL::LowerDFGToLLVM::opposite): (JSC::FTL::LowerDFGToLLVM::lowJSValue): (JSC::FTL::LowerDFGToLLVM::speculate): (JSC::FTL::LowerDFGToLLVM::isArrayType): (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability): (JSC::FTL::LowerDFGToLLVM::exitValueForNode): (JSC::FTL::LowerDFGToLLVM::setInt52): Changed DFG_CRASH() to LOWERING_FAILED(). Updated related control flow as appropriate. (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function. 
Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (180246 => 180247) --- trunk/Source/_javascript_Core/ChangeLog 2015-02-18 00:38:02 UTC (rev 180246) +++ trunk/Source/_javascript_Core/ChangeLog 2015-02-18 02:38:16 UTC (rev 180247) @@ -1,3 +1,77 @@ +2015-02-17 Michael Saboff msab...@apple.com + +CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode +https://bugs.webkit.org/show_bug.cgi?id=141730 + +Reviewed by Geoffrey Garen. + +Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures +while processing DFG lowering. For debug builds, the failures are logged identical +to the way the DFG_CRASH() reports them. For release builds, the failures are reported +and that FTL compilation is terminated, but the process is allowed to continue. +Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and +line number are reported at the point of the inconsistancy. + +Converted instances of DFG_CRASH to LOWERING_FAILED. + +* dfg/DFGPlan.cpp: +(JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that +will fail the FTL compile. + +* ftl/FTLLowerDFGToLLVM.cpp: +(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): +Added new member variable, m_loweringSucceeded, to stop compilation on the first +reported failure. + +* ftl/FTLLowerDFGToLLVM.cpp: +(JSC::FTL::LowerDFGToLLVM::lower): +
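Review bot: converting DFG_CRASH to LOWERING_FAILED changes release builds from crashing on an internal inconsistency to abandoning the FTL compile and continuing; that is a reasonable trade for a browser process, but the ChangeLog should state where the release-mode report goes (the text only says the failures are reported) and whether the failed CodeBlock is marked so the FTL does not retry the same lowering on every subsequent tier-up. The hunk here is the ChangeLog only, cut off at `+(JSC::FTL::LowerDFGToLLVM::lower):`, so the m_loweringSucceeded handling and the early exit in Plan::compileInThreadImpl cannot be checked from this message; in the full diff, every converted site must return or break after LOWERING_FAILED, because continuing to emit IR after a failure is exactly where the macro differs from DFG_CRASH.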
[webkit-changes] [180270] trunk/Source/JavaScriptCore
Title: [180270] trunk/Source/_javascript_Core Revision 180270 Author msab...@apple.com Date 2015-02-18 10:23:14 -0800 (Wed, 18 Feb 2015) Log Message Unreviewed, Restoring the C LOOP insta-crash fix in r180184. Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm. After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1). * llint/LowLevelInterpreter.asm: Fixed a typo. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (180269 => 180270) --- trunk/Source/_javascript_Core/ChangeLog 2015-02-18 18:22:26 UTC (rev 180269) +++ trunk/Source/_javascript_Core/ChangeLog 2015-02-18 18:23:14 UTC (rev 180270) @@ -1,3 +1,12 @@ +2015-02-17 Michael Saboff msab...@apple.com + +Unreviewed, Restoring the C LOOP insta-crash fix in r180184. + +Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm. +After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1). + +* llint/LowLevelInterpreter.asm: Fixed a typo. + 2015-02-18 Csaba Osztrogonác o...@webkit.org URTBF after r180258 to fix Windows build. Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (180269 => 180270) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2015-02-18 18:22:26 UTC (rev 180269) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2015-02-18 18:23:14 UTC (rev 180270) @@ -633,7 +633,7 @@ .stackHeightOKGetCodeBlock: # Stack check slow path returned that the stack was ok. # Since they were clobbered, need to get CodeBlock and new sp -codeBlockSetter(t1) +codeBlockGetter(t1) getFrameRegisterSizeForCodeBlock(t1, t0) subp cfr, t0, t0 ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
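Review bot: the one-line asm hunk is the same `codeBlockSetter(t1)` to `codeBlockGetter(t1)` fix already landed as r180184, and the ChangeLog says it is being restored but not which commit undid it; naming that commit would let a reviewer check the intervening change for other lost lines. Since this typo only affects the C Loop build and has now been fixed twice, adding a C Loop configuration to the pre-commit builds would stop it regressing a third time.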
[webkit-changes] [180184] trunk/Source/JavaScriptCore
Title: [180184] trunk/Source/_javascript_Core Revision 180184 Author msab...@apple.com Date 2015-02-16 16:08:17 -0800 (Mon, 16 Feb 2015) Log Message REGRESSION(r180060): C Loop crashes https://bugs.webkit.org/show_bug.cgi?id=141671 Reviewed by Geoffrey Garen. Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm. After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1). Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's frame. This isn't needed, since this helper is only called to check the stack on entry. Any exception will be handled by a call ancestor. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception. * llint/LowLevelInterpreter.asm: Fixed a typo. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (180183 => 180184) --- trunk/Source/_javascript_Core/ChangeLog 2015-02-17 00:02:44 UTC (rev 180183) +++ trunk/Source/_javascript_Core/ChangeLog 2015-02-17 00:08:17 UTC (rev 180184) 
@@ -1,3 +1,20 @@ +2015-02-16 Michael Saboff msab...@apple.com + +REGRESSION(r180060): C Loop crashes +https://bugs.webkit.org/show_bug.cgi?id=141671 + +Reviewed by Geoffrey Garen. + +Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm. +After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1). +Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's +frame. This isn't needed, since this helper is only called to check the stack on entry. Any +exception will be handled by a call ancestor. + +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception. +* llint/LowLevelInterpreter.asm: Fixed a typo. + 2015-02-16 Joseph Pecoraro pecor...@apple.com Web Inspector: Scope details sidebar should label objects with constructor names Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (180183 => 180184) --- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2015-02-17 00:02:44 UTC (rev 180183) +++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2015-02-17 00:08:17 UTC (rev 180184) @@ -490,7 +490,6 @@ LLINT_RETURN_TWO(pc, 0); #endif -exec = exec-callerFrame(vm.topVMEntryFrame); vm.topCallFrame = exec; ErrorHandlingScope errorScope(vm); CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec)); Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (180183 => 180184) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2015-02-17 00:02:44 UTC (rev 180183) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2015-02-17 00:08:17 UTC (rev 180184) 
@@ -631,7 +631,7 @@ .stackHeightOKGetCodeBlock: # Stack check slow path returned that the stack was ok. # Since they were clobbered, need to get CodeBlock and new sp -codeBlockSetter(t1) +codeBlockGetter(t1) getFrameRegisterSizeForCodeBlock(t1, t0) subp cfr, t0, t0 ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
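Review bot: in the LLIntSlowPaths.cpp hunk, removing the line that reset exec to `callerFrame(vm.topVMEntryFrame)` means vm.topCallFrame is now the frame that failed the stack check rather than its caller, while the next line still throws through interpreterThrowInCaller. The ChangeLog justifies this (the helper is only called on entry, so a call ancestor handles the exception), but the deleted line looked deliberate and the helper's name suggests the opposite, so a short comment at this point explaining why the current frame is correct would prevent the line being reintroduced. The asm hunk agrees with the comment two lines above it (`need to get CodeBlock and new sp`), which makes the getter clearly the intended macro.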
[webkit-changes] [179202] trunk/Source/JavaScriptCore
Title: [179202] trunk/Source/_javascript_Core Revision 179202 Author msab...@apple.com Date 2015-01-27 12:25:04 -0800 (Tue, 27 Jan 2015) Log Message REGRESSION(r178591): 20% regression in Octane box2d https://bugs.webkit.org/show_bug.cgi?id=140948 Reviewed by Geoffrey Garen. Added check that we have a lexical environment to the arguments is captured check. It doesn't make sense to resolve arguments when it really isn't captured. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (179201 => 179202) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-27 20:16:31 UTC (rev 179201) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-27 20:25:04 UTC (rev 179202) @@ -1,3 +1,16 @@ +2015-01-27 Michael Saboff msab...@apple.com + +REGRESSION(r178591): 20% regression in Octane box2d +https://bugs.webkit.org/show_bug.cgi?id=140948 + +Reviewed by Geoffrey Garen. + +Added check that we have a lexical environment to the arguments is captured check. +It doesn't make sense to resolve arguments when it really isn't captured. + +* bytecompiler/BytecodeGenerator.cpp: +(JSC::BytecodeGenerator::willResolveToArgumentsRegister): + 2015-01-26 Geoffrey Garen gga...@apple.com Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (179201 => 179202) --- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2015-01-27 20:16:31 UTC (rev 179201) +++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2015-01-27 20:25:04 UTC (rev 179202) 
@@ -575,7 +575,7 @@ if (entry.isNull()) return false; -if (m_localArgumentsRegister isCaptured(m_localArgumentsRegister-index())) +if (m_localArgumentsRegister isCaptured(m_localArgumentsRegister-index()) m_lexicalEnvironmentRegister) return false; if (m_codeBlock-usesArguments() m_codeType == FunctionCode m_localArgumentsRegister)
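Review bot: the extra m_lexicalEnvironmentRegister term in willResolveToArgumentsRegister() makes a captured arguments register with no lexical environment register fall through to the usesArguments()/FunctionCode check instead of returning false, but nothing in the code says why that combination is either impossible or safe; a one-line comment, or an ASSERT relating isCaptured(m_localArgumentsRegister->index()) to m_lexicalEnvironmentRegister, would keep the next reader from undoing the change. The ChangeLog cites only the Octane box2d regression and the patch adds no test; a functional test that uses `arguments` in a function with no captured variables, and one in a function with a captured variable, would cover both sides of the new condition rather than only the performance side.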
[webkit-changes] [179035] trunk/Source/JavaScriptCore
Title: [179035] trunk/Source/_javascript_Core Revision 179035 Author msab...@apple.com Date 2015-01-23 15:48:14 -0800 (Fri, 23 Jan 2015) Log Message LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds https://bugs.webkit.org/show_bug.cgi?id=140843 Reviewed by Oliver Hunt. When we are in vmEntryToJavaScript, we keep the stack pointer at an alignment suitable for pointing to a call frame header, which is the alignment post making a call. We adjust the sp when calling to JS code, but don't adjust it before calling the out of stack handler. * llint/LowLevelInterpreter32_64.asm: Moved stack pointer down 8 bytes to get it aligned. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (179034 => 179035) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-23 23:37:25 UTC (rev 179034) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-23 23:48:14 UTC (rev 179035) @@ -1,3 +1,18 @@ +2015-01-23 Michael Saboff msab...@apple.com + +LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds +https://bugs.webkit.org/show_bug.cgi?id=140843 + +Reviewed by Oliver Hunt. + +When we are in vmEntryToJavaScript, we keep the stack pointer at an +alignment sutiable for pointing to a call frame header, which is the +alignment post making a call. We adjust the sp when calling to JS code, +but don't adjust it before calling the out of stack handler. + +* llint/LowLevelInterpreter32_64.asm: +Moved stack point down 8 bytes to get it aligned. + 2015-01-23 Joseph Pecoraro pecor...@apple.com Web Inspector: Object Previews in the Console Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (179034 => 179035) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2015-01-23 23:37:25 UTC (rev 179034) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2015-01-23 23:48:14 UTC (rev 179035)
@@ -259,6 +259,7 @@ move temp3, vm end +subp 8, sp # Align stack for cCall2() to make a call. cCall2(_llint_throw_stack_overflow_error, vm, protoCallFrame) if ARMv7
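Review bot: the added `subp 8, sp` before cCall2(_llint_throw_stack_overflow_error, vm, protoCallFrame) hard-codes the alignment adjustment and nothing in the hunk restores sp afterwards; that is correct only if the C function never returns to this path, so the comment should say so, because otherwise the `if ARMv7` code that follows would run with sp still 8 bytes off. It would also be better to derive the 8 from the call-frame-header/alignment constants the interpreter already defines than to use a literal, and to confirm that the 64-bit LowLevelInterpreter64.asm entry path is already aligned at the equivalent call, since the ChangeLog touches only the 32_64 file.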
[webkit-changes] [179457] trunk
Title: [179457] trunk Revision 179457 Author msab...@apple.com Date 2015-01-31 19:58:39 -0800 (Sat, 31 Jan 2015) Log Message Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1 https://bugs.webkit.org/show_bug.cgi?id=14 Reviewed by Filip Pizlo. Source/_javascript_Core: In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have exited, we don't need to process the OSR availability or abstract interpreter. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate method since we need to call it at the top and near the bottom of compileNode(). (JSC::FTL::LowerDFGToLLVM::compileNode): LayoutTests: New tests. * js/regress-14-expected.txt: Added. * js/regress-14.html: Added. * js/script-tests/regress-14.js: Added. (MyObject): (foo): (.result): (bar): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp Added Paths trunk/LayoutTests/js/regress-14-expected.txt trunk/LayoutTests/js/regress-14.html trunk/LayoutTests/js/script-tests/regress-14.js Diff Modified: trunk/LayoutTests/ChangeLog (179456 => 179457) --- trunk/LayoutTests/ChangeLog 2015-02-01 03:11:14 UTC (rev 179456) +++ trunk/LayoutTests/ChangeLog 2015-02-01 03:58:39 UTC (rev 179457)
@@ -1,3 +1,20 @@ +2015-01-31 Michael Saboff msab...@apple.com + +Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1 +https://bugs.webkit.org/show_bug.cgi?id=14 + +Reviewed by Filip Pizlo. + +New tests. + +* js/regress-14-expected.txt: Added. +* js/regress-14.html: Added. +* js/script-tests/regress-14.js: Added. +(MyObject): +(foo): +(.result): +(bar): + 2015-01-31 Antti Koivisto an...@apple.com Enable WebKit disk cache on OS X Added: trunk/LayoutTests/js/regress-14-expected.txt (0 => 179457) --- trunk/LayoutTests/js/regress-14-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-14-expected.txt 2015-02-01 03:58:39 UTC (rev 179457) @@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/14. This test should run without crashing. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-14.html (0 => 179457) --- trunk/LayoutTests/js/regress-14.html (rev 0) +++ trunk/LayoutTests/js/regress-14.html 2015-02-01 03:58:39 UTC (rev 179457) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-14.js (0 => 179457) --- trunk/LayoutTests/js/script-tests/regress-14.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-14.js 2015-02-01 03:58:39 UTC (rev 179457) 
@@ -0,0 +1,57 @@ +description( +Regression test for https://webkit.org/b/14. This test should run without crashing. +); + +function MyObject(v) { +this.v = v; +} + +function foo(o, a, b, c) { +// Don't do anything real but have some control flow. This causes the PutLocals for a, +// b, and c to survive into SSA form. But we don't have any effects, so sinking will be +// successful. +if (o.v) +return o; +else +return z; +} + +function bar(o, y) { +var a = y; +var b = y + 1; +var c = y + 2; +var d = y + 3; +var e = y + 4; +var f = y + 5; +var g = y + 6; +var h = y + 7; +var i = y + 8; +var j = y + 9; +var k = y + 10; +var result = function(p, q) { +var x = new MyObject(a + b + c + d + e + f + g + h + i + j + k); +if (q) { +// Make it appear that it's possible to clobber those closure variables, so that we +// load from them again down below. +a = b = c = d = e = f = g = h = i = j = k = 42; +} +if (p) +x = foo(o, 1, 2, 3) +else +x = five; +return x.v + a + b + c + d + e + f + g + h + i + j + k; +}; +noInline(result); +return result; +} + +var o = new MyObject(42); +var z = new MyObject(0); +var five = new MyObject(5); + +for (var i = 0; i 10; ++i) { +var result = bar(o, i)(true, false); +if (result != 42 + 11 * i + 55) +throw Error: bad result: + result; +} + Modified: trunk/Source/_javascript_Core/ChangeLog (179456 => 179457) --- trunk/Source/_javascript_Core/ChangeLog 2015-02-01 03:11:14 UTC (rev 179456) +++ trunk/Source/_javascript_Core/ChangeLog 2015-02-01 03:58:39 UTC (rev 179457) @@ -1,3 +1,18 @@ +2015-01-31 Michael Saboff
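Review bot: in the regress-14.js hunk every call is bar(o, i)(true, false), so the `if (q)` branch that reassigns a..k to 42 never executes at runtime; that looks deliberate (the comment says it only has to make the closure variables look clobberable to the compiler), but a comment stating that q is intentionally always false would stop someone from "fixing" the test later. The expected value `42 + 11 * i + 55` is consistent: with p true, x is o (v = 42) and a..k sum to 11 * y + 55. Note also that foo's else branch returns the global z, which is only defined after foo; that works because z exists by the time foo is called, but since that branch is exactly the control flow the comment in foo says it needs, it deserves a line saying so.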
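Review bot: the Source/_javascript_Core ChangeLog hunk ends after `+2015-01-31 Michael Saboff` and the ftl/FTLLowerDFGToLLVM.cpp hunk is not included in this message at all, so the safelyInvalidateAfterTermination() split described in the log (called at the top and near the bottom of compileNode()) cannot be checked against the code here; the full revision needs to be consulted before this is considered reviewed.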
[webkit-changes] [178232] trunk
Title: [178232] trunk Revision 178232 Author msab...@apple.com Date 2015-01-09 18:44:56 -0800 (Fri, 09 Jan 2015) Log Message Breakpoint doesn't fire in this HTML5 game https://bugs.webkit.org/show_bug.cgi?id=140269 Reviewed by Mark Lam. Source/_javascript_Core: When parsing a single line cached function, use the lineStartOffset of the location where we found the cached function instead of the cached lineStartOffset. The cache location's lineStartOffset has not been adjusted for any possible containing functions. This change is not needed for multi-line cached functions. Consider the single line source: function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()} The first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset of 0. Later when we parse outer() and find inner1() in the cache, SourceCode start character is at outer()'s outermost open brace. That is what we should use for lineStartOffset for inner1(). When done parsing inner1() we set the parsing token to the saved location for inner1(), including the lineStartOffset of 0. We need to use the value of lineStartOffset before we started parsing inner1(). That is what the fix does. When we parse inner2() the lineStartOffset will be correct. For a multi-line function, the close brace is guaranteed to be on a different line than the open brace. Hence, its lineStartOffset will not change with the change of the SourceCode start character * parser/Parser.cpp: (JSC::ParserLexerType::parseFunctionInfo): LayoutTests: New tests that set breakpoints in functions with various line split combinations. * inspector/debugger/breakpoint-columns-expected.txt: Added. * inspector/debugger/breakpoint-columns.html: Added. * inspector/debugger/resources/column-breakpoints-1.js: Added. 
(columnTest1.x): (columnTest1): (columnTest2.x): (columnTest2.f): (columnTest3.x): (columnTest3.f): (runColumnTest1): (runColumnTest2): (runColumnTest3): * inspector/debugger/resources/column-breakpoints-2.js: Added. (columnTest4.x): (columnTest4.f): (columnTest5.x): (columnTest5): (runColumnTest4): (runColumnTest5): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/parser/Parser.cpp Added Paths trunk/LayoutTests/inspector/debugger/breakpoint-columns-expected.txt trunk/LayoutTests/inspector/debugger/breakpoint-columns.html trunk/LayoutTests/inspector/debugger/resources/column-breakpoints-1.js trunk/LayoutTests/inspector/debugger/resources/column-breakpoints-2.js Diff Modified: trunk/LayoutTests/ChangeLog (178231 => 178232) --- trunk/LayoutTests/ChangeLog 2015-01-10 02:12:01 UTC (rev 178231) +++ trunk/LayoutTests/ChangeLog 2015-01-10 02:44:56 UTC (rev 178232) 
@@ -1,3 +1,33 @@ +2015-01-09 Michael Saboff msab...@apple.com + +Breakpoint doesn't fire in this HTML5 game +https://bugs.webkit.org/show_bug.cgi?id=140269 + +Reviewed by Mark Lam. + +New tests that set breakpoints in functions with various line split +combinations. + +* inspector/debugger/breakpoint-columns-expected.txt: Added. +* inspector/debugger/breakpoint-columns.html: Added. +* inspector/debugger/resources/column-breakpoints-1.js: Added. +(columnTest1.x): +(columnTest1): +(columnTest2.x): +(columnTest2.f): +(columnTest3.x): +(columnTest3.f): +(runColumnTest1): +(runColumnTest2): +(runColumnTest3): +* inspector/debugger/resources/column-breakpoints-2.js: Added. +(columnTest4.x): +(columnTest4.f): +(columnTest5.x): +(columnTest5): +(runColumnTest4): +(runColumnTest5): + 2015-01-09 Zalan Bujtas za...@apple.com Calling clearSelection on a detached RenderObject leads to segfault. Added: trunk/LayoutTests/inspector/debugger/breakpoint-columns-expected.txt (0 => 178232) --- trunk/LayoutTests/inspector/debugger/breakpoint-columns-expected.txt (rev 0) +++ trunk/LayoutTests/inspector/debugger/breakpoint-columns-expected.txt 2015-01-10 02:44:56 UTC (rev 178232) @@ -0,0 +1,19 @@ +CONSOLE MESSAGE: line 1: Paused at line: 0, column: 79 +CONSOLE MESSAGE: line 1: column test 1 +CONSOLE MESSAGE: line 1: Paused at line: 6, column: 21 +CONSOLE MESSAGE: line 7: column test 2 +CONSOLE MESSAGE: line 1: Paused at line: 15, column: 8 +CONSOLE MESSAGE: line 16: column test 3 +CONSOLE MESSAGE: line 1: Paused at line: 5, column: 8 +CONSOLE MESSAGE: line 6: column test 4 +CONSOLE MESSAGE: line 1: Paused at line: 11, column: 79 +CONSOLE MESSAGE: line 12: column test 5 +Testing that breakpoints can be set at various line / column combinations. + +Hit breakpoint at line: 0, column: 79 +Hit breakpoint at line: 6, column: 21 +Hit breakpoint at line: 15, column: 8 +Hit breakpoint at line: 5, column: 8 +Hit breakpoint at line: 11, column: 79 +Tests done + Added:
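Review bot: the breakpoint-columns-expected.txt hunk pins five exact (line, column) pairs, including column 79 on line 0 and again on line 11, which is what makes the test meaningful for the single-line cached-function case the log describes, but it also means any whitespace edit to column-breakpoints-1.js or column-breakpoints-2.js silently changes the expectations; marking the intended breakpoint positions with a comment in those resource files (their hunks are not in this message) would make that coupling visible. The "Paused at" console messages are all attributed to `line 1` while the "column test N" messages carry the real line, so only the "Hit breakpoint at line: N, column: M" lines actually verify the pause location; the expectation file should make clear that those are the lines under test.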
[webkit-changes] [178266] trunk/Source/JavaScriptCore
Title: [178266] trunk/Source/_javascript_Core Revision 178266 Author msab...@apple.com Date 2015-01-12 08:29:22 -0800 (Mon, 12 Jan 2015) Log Message Local JSArray* keys in objectConstructorKeys() is not marked during garbage collection https://bugs.webkit.org/show_bug.cgi?id=140348 Reviewed by Mark Lam. Move the address of the local variable that is used to demarcate the top of the stack for conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets the register values using setjmp(). That way we don't lose any callee save register contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread(). If we lose any JSObject* that are only in callee save registers, they will be GC'ed erroneously. * heap/Heap.cpp: (JSC::Heap::markRoots): (JSC::Heap::gatherStackRoots): * heap/Heap.h: * heap/MachineStackMarker.cpp: (JSC::MachineThreads::gatherFromCurrentThread): (JSC::MachineThreads::gatherConservativeRoots): * heap/MachineStackMarker.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/Heap.h trunk/Source/_javascript_Core/heap/MachineStackMarker.cpp trunk/Source/_javascript_Core/heap/MachineStackMarker.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (178265 => 178266) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-12 16:22:50 UTC (rev 178265) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-12 16:29:22 UTC (rev 178266) 
@@ -1,3 +1,26 @@ +2015-01-12 Michael Saboff msab...@apple.com + +Local JSArray* keys in objectConstructorKeys() is not marked during garbage collection +https://bugs.webkit.org/show_bug.cgi?id=140348 + +Reviewed by Mark Lam. + +Move the address of the local variable that is used to demarcate the top of the stack for +conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets +the register values using setjmp(). That way we don't lose any callee save register +contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread(). +If we lose any JSObject* that are only in callee save registers, they will be GC'ed +erroneously. + +* heap/Heap.cpp: +(JSC::Heap::markRoots): +(JSC::Heap::gatherStackRoots): +* heap/Heap.h: +* heap/MachineStackMarker.cpp: +(JSC::MachineThreads::gatherFromCurrentThread): +(JSC::MachineThreads::gatherConservativeRoots): +* heap/MachineStackMarker.h: + 2015-01-11 Eric Carlson eric.carl...@apple.com Fix typo in testate.c error messages Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (178265 => 178266) --- trunk/Source/_javascript_Core/heap/Heap.cpp 2015-01-12 16:22:50 UTC (rev 178265) +++ trunk/Source/_javascript_Core/heap/Heap.cpp 2015-01-12 16:29:22 UTC (rev 178266) @@ -504,9 +504,8 @@ // We gather conservative roots before clearing mark bits because conservative // gathering uses the mark bits to determine whether a reference is valid. -void* dummy; ConservativeRoots conservativeRoots(m_objectSpace.blocks(), m_storageSpace); -gatherStackRoots(conservativeRoots, dummy); +gatherStackRoots(conservativeRoots); gatherJSStackRoots(conservativeRoots); gatherScratchBufferRoots(conservativeRoots); 
@@ -566,11 +565,11 @@ m_storageSpace.doneCopying(); } -void Heap::gatherStackRoots(ConservativeRoots roots, void** dummy) +void Heap::gatherStackRoots(ConservativeRoots roots) { GCPHASE(GatherStackRoots); m_jitStubRoutines.clearMarks(); -m_machineThreads.gatherConservativeRoots(roots, m_jitStubRoutines, m_codeBlocks, dummy); +m_machineThreads.gatherConservativeRoots(roots, m_jitStubRoutines, m_codeBlocks); } void Heap::gatherJSStackRoots(ConservativeRoots roots) Modified: trunk/Source/_javascript_Core/heap/Heap.h (178265 => 178266) --- trunk/Source/_javascript_Core/heap/Heap.h 2015-01-12 16:22:50 UTC (rev 178265) +++ trunk/Source/_javascript_Core/heap/Heap.h 2015-01-12 16:29:22 UTC (rev 178266) @@ -275,7 +275,7 @@ void stopAllocation(); void markRoots(double gcStartTime); -void gatherStackRoots(ConservativeRoots, void** dummy); +void gatherStackRoots(ConservativeRoots); void gatherJSStackRoots(ConservativeRoots); void gatherScratchBufferRoots(ConservativeRoots); void clearLivenessData(); Modified: trunk/Source/_javascript_Core/heap/MachineStackMarker.cpp (178265 => 178266) --- trunk/Source/_javascript_Core/heap/MachineStackMarker.cpp 2015-01-12 16:22:50 UTC (rev 178265) +++ trunk/Source/_javascript_Core/heap/MachineStackMarker.cpp 2015-01-12 16:29:22 UTC (rev 178266) @@ -221,10 +221,11 @@ #define REGISTER_BUFFER_ALIGNMENT #endif -void MachineThreads::gatherFromCurrentThread(ConservativeRoots conservativeRoots, JITStubRoutineSet jitStubRoutines, CodeBlockSet codeBlocks, void* stackCurrent) +void
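Review bot: in the Heap.cpp markRoots() hunk, removing the `void* dummy` demarcation and letting MachineThreads::gatherFromCurrentThread() take both the stack-top address and the setjmp() register state moves the scan boundary into a deeper frame. That captures callee-save registers spilled by intermediate frames, which is the stated goal, but it also scans everything markRoots()'s own callees leave on the stack; the follow-up r178364 on this list reworks exactly this point, so the comment for this hunk is that the stack-top marker and the register capture must be taken in the same, explicitly chosen frame, and the ChangeLog should name which frame is the intended boundary. The Heap.h hunk drops the `void** dummy` parameter accordingly; check that no remaining caller of gatherStackRoots() or gatherConservativeRoots() still passes one, since the MachineStackMarker.cpp hunk is cut off here after `+void`.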
[webkit-changes] [178364] trunk/Source/JavaScriptCore
Title: [178364] trunk/Source/_javascript_Core Revision 178364 Author msab...@apple.com Date 2015-01-13 09:46:40 -0800 (Tue, 13 Jan 2015) Log Message Local JSArray* keys in objectConstructorKeys() is not marked during garbage collection https://bugs.webkit.org/show_bug.cgi?id=140348 Reviewed by Mark Lam. We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late because those registers may have been spilled on the stack and replaced with other values by the time we call down to gatherFromCurrentThread(). Now we get the register contents at the same place that we demarcate the current top of stack using the address of a local variable, in Heap::markRoots(). The register contents buffer is passed along with the demarcation pointer. These need to be done at this level in the call tree and no lower, as markRoots() calls various functions that visit object pointers that may be later proven dead. Any of those pointers that are left on the stack or in registers could be incorrectly marked as live if we scan the stack contents from a called function or one of its callees. The stack demarcation pointer and register saving need to be done in the same function so that we have a consistent stack, active and spilled registers. Because we don't want to make unnecessary calls to get the register contents, we use a macro to allocate, and possibly align, the register structure and get the actual register contents.
* heap/Heap.cpp: (JSC::Heap::markRoots): (JSC::Heap::gatherStackRoots): * heap/Heap.h: * heap/MachineStackMarker.cpp: (JSC::MachineThreads::gatherFromCurrentThread): (JSC::MachineThreads::gatherConservativeRoots): * heap/MachineStackMarker.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/Heap.h trunk/Source/_javascript_Core/heap/MachineStackMarker.cpp trunk/Source/_javascript_Core/heap/MachineStackMarker.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (178363 => 178364) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-13 16:59:49 UTC (rev 178363) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-13 17:46:40 UTC (rev 178364) 
@@ -1,3 +1,38 @@ +2015-01-12 Michael Saboff msab...@apple.com + +Local JSArray* keys in objectConstructorKeys() is not marked during garbage collection +https://bugs.webkit.org/show_bug.cgi?id=140348 + +Reviewed by Mark Lam. + +We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late +because those registers may have been spilled on the stack and replaced with other values by +the time we call down to gatherFromCurrentThread(). + +Now we get the register contents at the same place that we demarcate the current top of +stack using the address of a local variable, in Heap::markRoots(). The register contents +buffer is passed along with the demarcation pointer. These need to be done at this level +in the call tree and no lower, as markRoots() calls various functions that visit object +pointers that may be latter proven dead. Any of those pointers that are left on the +stack or in registers could be incorrectly marked as live if we scan the stack contents +from a called function or one of its callees. The stack demarcation pointer and register +saving need to be done in the same function so that we have a consistent stack, active +and spilled registers. + +Because we don't want to make unnecessary calls to get the register contents, we use +a macro to allocated, and possibly align, the register structure and get the actual +register contents. + + +* heap/Heap.cpp: +(JSC::Heap::markRoots): +(JSC::Heap::gatherStackRoots): +* heap/Heap.h: +* heap/MachineStackMarker.cpp: +(JSC::MachineThreads::gatherFromCurrentThread): +(JSC::MachineThreads::gatherConservativeRoots): +* heap/MachineStackMarker.h: + 2015-01-12 Benjamin Poulain benja...@webkit.org Add basic pattern matching support to the url filters Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (178363 => 178364) --- trunk/Source/_javascript_Core/heap/Heap.cpp 2015-01-13 16:59:49 UTC (rev 178363) +++ trunk/Source/_javascript_Core/heap/Heap.cpp 2015-01-13 17:46:40 UTC (rev 178364) 
@@ -505,8 +505,9 @@ // We gather conservative roots before clearing mark bits because conservative // gathering uses the mark bits to determine whether a reference is valid. void* dummy; +ALLOCATE_AND_GET_REGISTER_STATE(registers); ConservativeRoots conservativeRoots(m_objectSpace.blocks(), m_storageSpace); -gatherStackRoots(conservativeRoots, dummy); +gatherStackRoots(conservativeRoots, dummy, registers); gatherJSStackRoots(conservativeRoots); gatherScratchBufferRoots(conservativeRoots); @@ -566,11
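Review bot: in the Heap.cpp hunk, `void* dummy;` is kept only so that its address marks the stack top, and ALLOCATE_AND_GET_REGISTER_STATE(registers) is declared immediately after it; the compiler is free to lay out the two locals in either order, so the register buffer may or may not lie inside the range scanned from `&dummy`, and gatherStackRoots(conservativeRoots, dummy, registers) must scan `registers` explicitly rather than rely on it being covered by the stack range. Passing it separately, as this hunk does, is the right design; a comment saying that the buffer is scanned on its own would keep a later cleanup from merging the two. The gatherStackRoots() and gatherConservativeRoots() signature hunks are cut off at `@@ -566,11` in this message, so the parameter change itself cannot be checked here.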
[webkit-changes] [179882] trunk/Source/JavaScriptCore
Title: [179882] trunk/Source/_javascript_Core Revision 179882 Author msab...@apple.com Date 2015-02-10 13:59:54 -0800 (Tue, 10 Feb 2015) Log Message Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq https://bugs.webkit.org/show_bug.cgi?id=139398 Reviewed by Filip Pizlo. Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later was determined to be reachable. When we go to lower to LLVM, the edges for the CompareStrictEq node are UntypedUse which we can't compile. Fixed this by checking that the IR before lowering can still be handled by the FTL. Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts a SetArgument to a GetArgument. Before this change FTL::canCompile() would never see a GetArgument node. With the check right before lowering, we see this node. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering to verify that after all the transformations we still have valid IR for the FTL. * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (179881 => 179882) --- trunk/Source/_javascript_Core/ChangeLog 2015-02-10 21:56:29 UTC (rev 179881) +++ trunk/Source/_javascript_Core/ChangeLog 2015-02-10 21:59:54 UTC (rev 179882) 
@@ -1,3 +1,25 @@ +2015-02-10 Michael Saboff msab...@apple.com + +Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq +https://bugs.webkit.org/show_bug.cgi?id=139398 + +Reviewed by Filip Pizlo. + +Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later +was determined to be reachable. When we go to lower to LLVM, the edges for the CompareStrictEq +node are UntypedUse which we can't compile. Fixed this by checking that the IR before +lowering can still be handled by the FTL. + +Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts +a SetArgument to a GetArgument. Before this change FTL::canCompile() would never see a GetArgument +node. With the check right before lowering, we see this node. + +* dfg/DFGPlan.cpp: +(JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering +to verify that after all the transformations we still have valid IR for the FTL. +* ftl/FTLCapabilities.cpp: +(JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile. + 2015-02-10 Filip Pizlo fpi...@apple.com Remove unused DFG::SpeculativeJIT::calleeFrameOffset(). Modified: trunk/Source/_javascript_Core/dfg/DFGPlan.cpp (179881 => 179882) --- trunk/Source/_javascript_Core/dfg/DFGPlan.cpp 2015-02-10 21:56:29 UTC (rev 179881) +++ trunk/Source/_javascript_Core/dfg/DFGPlan.cpp 2015-02-10 21:59:54 UTC (rev 179882) @@ -364,6 +364,11 @@ performOSRAvailabilityAnalysis(dfg); performWatchpointCollection(dfg); +if (FTL::canCompile(dfg) == FTL::CannotCompile) { +finalizer = std::make_uniqueFailedFinalizer(*this); +return FailPath; +} + dumpAndVerifyGraph(dfg, Graph just before FTL lowering:); bool haveLLVM; 
@@ -379,7 +384,7 @@ finalizer = std::make_uniqueFailedFinalizer(*this); return FailPath; } - + FTL::State state(dfg); FTL::lowerDFGToLLVM(state); Modified: trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp (179881 => 179882) --- trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2015-02-10 21:56:29 UTC (rev 179881) +++ trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2015-02-10 21:59:54 UTC (rev 179882) @@ -51,6 +51,7 @@ case KillLocal: case MovHint: case ZombieHint: +case GetArgument: case Phantom: case HardPhantom: case Flush:
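Review bot: the late `FTL::canCompile(dfg) == FTL::CannotCompile` check in compileInThreadImpl() is placed before dumpAndVerifyGraph(dfg, "Graph just before FTL lowering:"), so when it fires the graph that caused the bailout is never dumped; moving the check after the dump, or dumping in the failure branch, would make these late CannotCompile cases diagnosable. A full second canCompile() walk on every FTL compile also costs compile time; if that shows up in profiles, the check could be narrowed to what the later phases introduce (here, UntypedUse edges on CompareStrictEq and GetArgument nodes) instead of re-validating every node.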
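Review bot: the `@@ -379,7 +384,7 @@` hunk only swaps a whitespace-only line for an empty one; harmless, but unrelated whitespace churn is better kept out of a crash fix so that blame and backports stay clean.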
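Review bot: adding `case GetArgument:` beside KillLocal/MovHint/ZombieHint in canCompile() is needed because, as the ChangeLog says, SSA conversion turns SetArgument into GetArgument and the new late check is the first time canCompile() runs on a post-SSA graph; by the same reasoning any other node kind that only exists after SSA conversion and is missing from this switch would now turn previously compiling functions into CannotCompile. A pass over the nodes introduced after SSA conversion, plus a regression test for bug 139398 (the patch touches only ChangeLog, DFGPlan.cpp and FTLCapabilities.cpp, with no LayoutTest), would close that gap.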
[webkit-changes] [180060] trunk
Title: [180060] trunk Revision 180060 Author msab...@apple.com Date 2015-02-13 10:57:57 -0800 (Fri, 13 Feb 2015) Log Message Google doc spreadsheet reproducibly crashes when sorting https://bugs.webkit.org/show_bug.cgi?id=141098 Reviewed by Oliver Hunt. Source/_javascript_Core: Moved the stack check to before the callee registers are allocated in the prologue() by moving it from the functionInitialization() macro. This way we can check the stack before moving the stack pointer, avoiding a crash during a call instruction. Before this change, we weren't even checking the stack for program and eval execution. Made a couple of supporting changes. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::llint_stack_check): We can't just go up one frame as we may be processing an exception to an entry frame. * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: (llint_throw_from_slow_path_trampoline): Changed method to get the vm from the code block to not use the codeBlock, since we may need to continue from an exception in a native function. LayoutTests: New test. * js/regress-141098-expected.txt: Added. * js/regress-141098.html: Added. * js/script-tests/regress-141098.js: Added. (probeAndRecurse): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Added Paths trunk/LayoutTests/js/regress-141098-expected.txt trunk/LayoutTests/js/regress-141098.html trunk/LayoutTests/js/script-tests/regress-141098.js Diff Modified: trunk/LayoutTests/ChangeLog (180059 => 180060) --- trunk/LayoutTests/ChangeLog 2015-02-13 18:46:04 UTC (rev 180059) +++ trunk/LayoutTests/ChangeLog 2015-02-13 18:57:57 UTC (rev 180060)
@@ -1,3 +1,17 @@ +2015-02-13 Michael Saboff msab...@apple.com + +Google doc spreadsheet reproducibly crashes when sorting +https://bugs.webkit.org/show_bug.cgi?id=141098 + +Reviewed by Oliver Hunt. + +New test. + +* js/regress-141098-expected.txt: Added. +* js/regress-141098.html: Added. +* js/script-tests/regress-141098.js: Added. +(probeAndRecurse): + 2015-02-13 ChangSeok Oh changseok...@collabora.com Div having contentEditable and display:grid cannot be edited if it is empty. Added: trunk/LayoutTests/js/regress-141098-expected.txt (0 => 180060) --- trunk/LayoutTests/js/regress-141098-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-141098-expected.txt 2015-02-13 18:57:57 UTC (rev 180060) @@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/141098. Make sure eval() properly handles running out of stack space. This test should run without crashing. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-141098.html (0 => 180060) --- trunk/LayoutTests/js/regress-141098.html (rev 0) +++ trunk/LayoutTests/js/regress-141098.html 2015-02-13 18:57:57 UTC (rev 180060) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-141098.js (0 => 180060) --- trunk/LayoutTests/js/script-tests/regress-141098.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-141098.js 2015-02-13 18:57:57 UTC (rev 180060) 
@@ -0,0 +1,46 @@ +description(Regression test for https://webkit.org/b/141098. Make sure eval() properly handles running out of stack space. This test should run without crashing.); + +function probeAndRecurse(depth) +{ +var result; + +// Probe stack depth +try { +result = probeAndRecurse(depth+1); +if (result 0) +return result + 1; +else if (result 0) +return result; +} catch (e) { +// Go up a many frames and then create an _expression_ to eval that will consume the stack using +// callee registers. +return -60; +} + +try { +var count = 1; + +for (var i = 0; i 40; count *= 10, i++) { +evalStringPrefix = { var first = + count + ; ; +var evalStringBody = ; + +for (var varIndex = 0; varIndex count; varIndex++) +evalStringBody += var s + varIndex + = + varIndex + ;; + +evalStringBody += var value = [; +for (var varIndex = 0; varIndex count; varIndex++) { +if (varIndex 0) +evalStringBody += , ; +evalStringBody += s + varIndex; +} +evalStringBody += ]; ; + + var evalResult = eval({ + evalStringBody
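Review bot: in the regress-141098.js hunk, probeAndRecurse() returns -60 from its catch block and each caller adds 1 on the way back up (the comparison operators in `if (result 0)` / `else if (result 0)` were lost in this rendering), so the eval-building loop runs a fixed 60 frames below the overflow point; that constant and the `count *= 10` growth (the generated eval declares 1, 10, 100, ... locals) are what decide whether it is the callee-register allocation, rather than the probe itself, that hits the stack limit. A comment tying 60 to the expected register footprint of the generated code would keep the test meaningful if stack-limit accounting changes, and since the hunk is cut off at the eval() call, the expectation that eval() "properly handles running out of stack space" is best backed by catching the exception from that eval and checking it is the expected out-of-stack RangeError rather than relying on "did not crash" alone.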
[webkit-changes] [180083] trunk/Source/JavaScriptCore
Title: [180083] trunk/Source/_javascript_Core Revision 180083 Author msab...@apple.com Date 2015-02-13 14:46:50 -0800 (Fri, 13 Feb 2015) Log Message REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled. https://bugs.webkit.org/show_bug.cgi?id=141577 Reviewed by Benjamin Poulain. Changed the prologue of the baseline JIT to check for stack space for all types of code blocks. Previously, it was only checking Function. Now it checks Program and Eval as well. * jit/JIT.cpp: (JSC::JIT::privateCompile): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JIT.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (180082 => 180083) --- trunk/Source/_javascript_Core/ChangeLog 2015-02-13 22:40:34 UTC (rev 180082) +++ trunk/Source/_javascript_Core/ChangeLog 2015-02-13 22:46:50 UTC (rev 180083) @@ -1,3 +1,17 @@ +2015-02-13 Michael Saboff msab...@apple.com + +REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled. +https://bugs.webkit.org/show_bug.cgi?id=141577 + +Reviewed by Benjamin Poulain. + +Changed the prologue of the baseline JIT to check for stack space for all +types of code blocks. Previously, it was only checking Function. Now +it checks Program and Eval as well. + +* jit/JIT.cpp: +(JSC::JIT::privateCompile): + 2015-02-13 Benjamin Poulain bpoul...@apple.com Generate incq instead of addq when the immediate value is one Modified: trunk/Source/_javascript_Core/jit/JIT.cpp (180082 => 180083) --- trunk/Source/_javascript_Core/jit/JIT.cpp 2015-02-13 22:40:34 UTC (rev 180082) +++ trunk/Source/_javascript_Core/jit/JIT.cpp 2015-02-13 22:46:50 UTC (rev 180083) @@ -523,7 +523,6 @@ sampleInstruction(m_codeBlock-instructions().begin()); #endif -Jump stackOverflow; if (m_codeBlock-codeType() == FunctionCode) { ASSERT(m_bytecodeOffset == (unsigned)-1); if (shouldEmitProfiling()) { 
@@ -542,12 +541,12 @@ emitValueProfilingSite(m_codeBlock-valueProfileForArgument(argument)); } } - -addPtr(TrustedImm32(stackPointerOffsetFor(m_codeBlock) * sizeof(Register)), callFrameRegister, regT1); -stackOverflow = branchPtr(Above, AbsoluteAddress(m_vm-addressOfStackLimit()), regT1); } -addPtr(TrustedImm32(stackPointerOffsetFor(m_codeBlock) * sizeof(Register)), callFrameRegister, stackPointerRegister); +addPtr(TrustedImm32(stackPointerOffsetFor(m_codeBlock) * sizeof(Register)), callFrameRegister, regT1); +Jump stackOverflow = branchPtr(Above, AbsoluteAddress(m_vm-addressOfStackLimit()), regT1); + +move(regT1, stackPointerRegister); checkStackPointerAlignment(); privateCompileMainPass(); @@ -557,14 +556,14 @@ if (m_disassembler) m_disassembler-setEndOfSlowPath(label()); +stackOverflow.link(this); +m_bytecodeOffset = 0; +if (maxFrameExtentForSlowPathCall) +addPtr(TrustedImm32(-maxFrameExtentForSlowPathCall), stackPointerRegister); +callOperationWithCallFrameRollbackOnException(operationThrowStackOverflowError, m_codeBlock); + Label arityCheck; if (m_codeBlock-codeType() == FunctionCode) { -stackOverflow.link(this); -m_bytecodeOffset = 0; -if (maxFrameExtentForSlowPathCall) -addPtr(TrustedImm32(-maxFrameExtentForSlowPathCall), stackPointerRegister); -callOperationWithCallFrameRollbackOnException(operationThrowStackOverflowError, m_codeBlock); - arityCheck = label(); store8(TrustedImm32(0), m_codeBlock-m_shouldAlwaysBeInlined); emitFunctionPrologue();
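Review bot: in the `@@ -542,12 +541,12 @@` hunk, computing the new stack pointer into regT1, branching on `branchPtr(Above, AbsoluteAddress(m_vm->addressOfStackLimit()), regT1)` and only then doing `move(regT1, stackPointerRegister)` is the right shape: the stack pointer is never moved past the limit for Program and Eval code either, which mirrors what r180060 did for the LLInt. One thing to confirm is that on the overflow path the branch is taken with the stack pointer still at its pre-adjustment position, so the slow path's `addPtr(TrustedImm32(-maxFrameExtentForSlowPathCall), stackPointerRegister)` is measured from the unextended frame; that matches the previous behaviour for functions, but is now also what Program and Eval entry relies on, and a short comment above the branch would record that assumption.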
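Review bot: in the `@@ -557,14 +556,14 @@` hunk the `stackOverflow.link(this)` slow path is now emitted unconditionally just before `Label arityCheck;` and falls through into the FunctionCode-only `if`. That is safe only because callOperationWithCallFrameRollbackOnException(operationThrowStackOverflowError, m_codeBlock) never returns normally; a comment, or an unreachable-breakpoint after the call, would make that reliance explicit, since for Program and Eval code the fall-through target is now whatever follows the `if` rather than the arity check.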
[webkit-changes] [177871] trunk
Title: [177871] trunk Revision 177871 Author msab...@apple.com Date 2015-01-03 19:47:25 -0800 (Sat, 03 Jan 2015) Log Message Crash in operationNewFunction when scrolling on Google+ https://bugs.webkit.org/show_bug.cgi?id=140033 Reviewed by Oliver Hunt. Source/_javascript_Core: In DFG code, the scope register can be eliminated because all uses have been dead code eliminated. In the case where one of the uses was creating a function that is never used, the baseline code will still create the function. If we OSR exit to a path where that function gets created, check the scope register value and set the new, but dead, function to undefined instead of creating a new function. * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_new_func_exp): LayoutTests: New regression test. * js/regress-140033-expected.txt: Added. * js/regress-140033.html: Added. * js/script-tests/regress-140033.js: Added. (.unused): (defineADeadFunction): Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JITOpcodes.cpp Added Paths trunk/LayoutTests/js/regress-140033-expected.txt trunk/LayoutTests/js/regress-140033.html trunk/LayoutTests/js/script-tests/regress-140033.js Diff Modified: trunk/LayoutTests/ChangeLog (177870 => 177871) --- trunk/LayoutTests/ChangeLog 2015-01-02 22:49:44 UTC (rev 177870) +++ trunk/LayoutTests/ChangeLog 2015-01-04 03:47:25 UTC (rev 177871) 
@@ -1,3 +1,18 @@ +2015-01-03 Michael Saboff msab...@apple.com + +Crash in operationNewFunction when scrolling on Google+ +https://bugs.webkit.org/show_bug.cgi?id=140033 + +Reviewed by Oliver Hunt. + +New regerssion test. + +* js/regress-140033-expected.txt: Added. +* js/regress-140033.html: Added. +* js/script-tests/regress-140033.js: Added. +(.unused): +(defineADeadFunction): + 2015-01-02 Anders Carlsson ander...@apple.com Get rid of storage tracker layout tests Added: trunk/LayoutTests/js/regress-140033-expected.txt (0 => 177871) --- trunk/LayoutTests/js/regress-140033-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-140033-expected.txt 2015-01-04 03:47:25 UTC (rev 177871) @@ -0,0 +1,9 @@ +Regression test for https://webkit.org/b/140033. This test should run without crashing. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-140033.html (0 => 177871) --- trunk/LayoutTests/js/regress-140033.html (rev 0) +++ trunk/LayoutTests/js/regress-140033.html 2015-01-04 03:47:25 UTC (rev 177871) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-140033.js (0 => 177871) --- trunk/LayoutTests/js/script-tests/regress-140033.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-140033.js 2015-01-04 03:47:25 UTC (rev 177871) 
@@ -0,0 +1,23 @@ +description( +Regression test for https://webkit.org/b/140033. This test should run without crashing. +); + +function defineADeadFunction(x, y) +{ +var u; +var a = u; +var b = x; + +if (x 1500) +b -= y; + +var unused = function() { +return 42; +} + +return b; +} + +var result = 0; +for (var i = 1; i 2000; i++) +result += defineADeadFunction(i, ); Modified: trunk/Source/_javascript_Core/ChangeLog (177870 => 177871) --- trunk/Source/_javascript_Core/ChangeLog 2015-01-02 22:49:44 UTC (rev 177870) +++ trunk/Source/_javascript_Core/ChangeLog 2015-01-04 03:47:25 UTC (rev 177871) @@ -1,3 +1,19 @@ +2015-01-03 Michael Saboff msab...@apple.com + +Crash in operationNewFunction when scrolling on Google+ +https://bugs.webkit.org/show_bug.cgi?id=140033 + +Reviewed by Oliver Hunt. + +In DFG code, the scope register can be eliminated because all uses have been +dead code eliminated. In the case where one of the uses was creating a function +that is never used, the baseline code will still create the function. If we OSR +exit to a path where that function gets created, check the scope register value +and set the new, but dead, function to undefined instead of creating a new function. + +* jit/JITOpcodes.cpp: +(JSC::JIT::emit_op_new_func_exp): + 2015-01-01 Yusuke Suzuki utatane@gmail.com String includes methods perform toString on searchString before toInt32 on a offset Modified: trunk/Source/_javascript_Core/jit/JITOpcodes.cpp (177870 => 177871) --- trunk/Source/_javascript_Core/jit/JITOpcodes.cpp 2015-01-02 22:49:44 UTC (rev 177870) +++ trunk/Source/_javascript_Core/jit/JITOpcodes.cpp 2015-01-04 03:47:25 UTC (rev 177871) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009, 2012, 2013, 2014 Apple Inc. All
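Review bot: js/regress-140033-expected.txt records only `PASS successfullyParsed is true`, so the `result` accumulator that regress-140033.js builds over 2000 calls to `defineADeadFunction` is computed but never checked. A crash in operationNewFunction is what this test is for, and it would catch that, but a `shouldBe("result", ...)` on the final sum would additionally detect the fix producing a wrong value on the OSR-exit path (the one that now stores undefined for the dead `unused` function) rather than only a crash. The JITOpcodes.cpp diff in this message ends at the copyright hunk, so `emit_op_new_func_exp` itself is not visible here and is not reviewed.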
[webkit-changes] [180317] trunk/Source/JavaScriptCore
Title: [180317] trunk/Source/_javascript_Core Revision 180317 Author msab...@apple.com Date 2015-02-18 15:52:16 -0800 (Wed, 18 Feb 2015) Log Message Rollout r180247 r180249 from trunk https://bugs.webkit.org/show_bug.cgi?id=141773 Reviewed by Filip Pizlo. These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730 only for branches. The change to fail the FTL compile but continue running is not comprehensive enough for general use on trunk. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): (JSC::FTL::LowerDFGToLLVM::lower): (JSC::FTL::LowerDFGToLLVM::createPhiVariables): (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileUpsilon): (JSC::FTL::LowerDFGToLLVM::compilePhi): (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): (JSC::FTL::LowerDFGToLLVM::compileValueRep): (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): (JSC::FTL::LowerDFGToLLVM::compilePutLocal): (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): (JSC::FTL::LowerDFGToLLVM::compileArithMul): (JSC::FTL::LowerDFGToLLVM::compileArithDiv): (JSC::FTL::LowerDFGToLLVM::compileArithMod): (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): (JSC::FTL::LowerDFGToLLVM::compileArithAbs): (JSC::FTL::LowerDFGToLLVM::compileArithNegate): (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): (JSC::FTL::LowerDFGToLLVM::compileGetById): (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): (JSC::FTL::LowerDFGToLLVM::compileGetByVal): (JSC::FTL::LowerDFGToLLVM::compilePutByVal): (JSC::FTL::LowerDFGToLLVM::compileArrayPush): (JSC::FTL::LowerDFGToLLVM::compileArrayPop): (JSC::FTL::LowerDFGToLLVM::compileNewArray): (JSC::FTL::LowerDFGToLLVM::compileToString): (JSC::FTL::LowerDFGToLLVM::compileMakeRope): (JSC::FTL::LowerDFGToLLVM::compileCompareEq): (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): 
(JSC::FTL::LowerDFGToLLVM::compileSwitch): (JSC::FTL::LowerDFGToLLVM::compare): (JSC::FTL::LowerDFGToLLVM::boolify): (JSC::FTL::LowerDFGToLLVM::opposite): (JSC::FTL::LowerDFGToLLVM::lowJSValue): (JSC::FTL::LowerDFGToLLVM::speculate): (JSC::FTL::LowerDFGToLLVM::isArrayType): (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability): (JSC::FTL::LowerDFGToLLVM::exitValueForNode): (JSC::FTL::LowerDFGToLLVM::setInt52): (JSC::FTL::lowerDFGToLLVM): (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted. * ftl/FTLLowerDFGToLLVM.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (180316 => 180317) --- trunk/Source/_javascript_Core/ChangeLog 2015-02-18 23:50:12 UTC (rev 180316) +++ trunk/Source/_javascript_Core/ChangeLog 2015-02-18 23:52:16 UTC (rev 180317) 
@@ -1,3 +1,61 @@ +2015-02-18 Michael Saboff msab...@apple.com + +Rollout r180247 r180249 from trunk +https://bugs.webkit.org/show_bug.cgi?id=141773 + +Reviewed by Filip Pizlo. + +Theses changes makes sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730 +only for branches. The change to fail the FTL compile but continue running is not comprehensive +enough for general use on trunk. + +* dfg/DFGPlan.cpp: +(JSC::DFG::Plan::compileInThreadImpl): +* ftl/FTLLowerDFGToLLVM.cpp: +(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): +(JSC::FTL::LowerDFGToLLVM::lower): +(JSC::FTL::LowerDFGToLLVM::createPhiVariables): +(JSC::FTL::LowerDFGToLLVM::compileNode): +(JSC::FTL::LowerDFGToLLVM::compileUpsilon): +(JSC::FTL::LowerDFGToLLVM::compilePhi): +(JSC::FTL::LowerDFGToLLVM::compileDoubleRep): +(JSC::FTL::LowerDFGToLLVM::compileValueRep): +(JSC::FTL::LowerDFGToLLVM::compileValueToInt32): +(JSC::FTL::LowerDFGToLLVM::compilePutLocal): +(JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): +(JSC::FTL::LowerDFGToLLVM::compileArithMul): +(JSC::FTL::LowerDFGToLLVM::compileArithDiv): +(JSC::FTL::LowerDFGToLLVM::compileArithMod): +(JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): +(JSC::FTL::LowerDFGToLLVM::compileArithAbs): +(JSC::FTL::LowerDFGToLLVM::compileArithNegate): +(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): +(JSC::FTL::LowerDFGToLLVM::compileGetById): +(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): +(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): +(JSC::FTL::LowerDFGToLLVM::compileGetByVal): +(JSC::FTL::LowerDFGToLLVM::compilePutByVal): +(JSC::FTL::LowerDFGToLLVM::compileArrayPush): +(JSC::FTL::LowerDFGToLLVM::compileArrayPop): +(JSC::FTL::LowerDFGToLLVM::compileNewArray): +
[webkit-changes] [180453] trunk/LayoutTests
Title: [180453] trunk/LayoutTests Revision 180453 Author msab...@apple.com Date 2015-02-20 14:21:47 -0800 (Fri, 20 Feb 2015) Log Message Layout Test js/regress-141098.html is failing on 32-bit Machines https://bugs.webkit.org/show_bug.cgi?id=141848 Reviewed by Geoffrey Garen. It appears that different control flow paths in probeAndRecurse() allowed the second time through the test to recurse deeper before getting to the point of overflowing the stack. Restructured the test so that the exact same control flow in probeAndRecurse() is used both times we call it, including probing the depth of the stack. Now we pass a flag that indicates whether or not we should try ever expanding eval strings or reuse the most recent eval string. * js/script-tests/regress-141098.js: (testEval): (probeAndRecurse): Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/js/script-tests/regress-141098.js Diff Modified: trunk/LayoutTests/ChangeLog (180452 => 180453) --- trunk/LayoutTests/ChangeLog 2015-02-20 21:51:37 UTC (rev 180452) +++ trunk/LayoutTests/ChangeLog 2015-02-20 22:21:47 UTC (rev 180453) 
@@ -1,3 +1,21 @@ +2015-02-20 Michael Saboff msab...@apple.com + +Layout Test js/regress-141098.html is failing on 32-bit Machines +https://bugs.webkit.org/show_bug.cgi?id=141848 + +Reviewed by Geoffrey Garen. + +It appears that different control flow paths in probeAndRecurse() allowed the second time +through the test to recurse deeper before getting to the point of overflowing the stack. +Restructured the test so that the exact same control flow in probeAndRecurse() is used +both times we call it, including probing the depth of the stack. Now we pass a flag that +indicates whether or not we should try ever expanding eval strings or reuse the most +recent eval string. + +* js/script-tests/regress-141098.js: +(testEval): +(probeAndRecurse): + 2015-02-20 Brent Fulgham bfulg...@apple.com Skip failing JSC stress test to get bots green. Modified: trunk/LayoutTests/js/script-tests/regress-141098.js (180452 => 180453) --- trunk/LayoutTests/js/script-tests/regress-141098.js 2015-02-20 21:51:37 UTC (rev 180452) +++ trunk/LayoutTests/js/script-tests/regress-141098.js 2015-02-20 22:21:47 UTC (rev 180453) @@ -1,5 +1,3 @@ -//@ skip - description(Regression test for https://webkit.org/b/141098. Make sure eval() properly handles running out of stack space. This test should run without crashing.); // The tiering up to test higher levels of optimization will only test the DFG @@ -12,9 +10,9 @@ var result; var count = 1; -if (!maxIterations) { +if (!maxIterations) var result = eval(lastEvalString); -} else { +else { for (var iter = 0; iter maxIterations; count *= 4, iter++) { var evalString = \dummy\.valueOf(; @@ -26,7 +24,8 @@ evalString += );; -lastEvalString = evalString; +if (maxIterations 1) +lastEvalString = evalString; result = eval(evalString); } } 
@@ -34,33 +33,30 @@ return result; } -function probeAndRecurse(depth) +function probeAndRecurse(depth, reuseEvalString) { var result; // Probe stack depth -if (depth 0) { -try { -result = probeAndRecurse(depth+1); +try { +result = probeAndRecurse(depth+1, reuseEvalString); -if (!result) { -try { -testEval(1); -} catch (e) { -return -49; -} -} else -return result + 1 -} catch (e) { -// We exceeded stack space, now return up the stack until we can execute a simple eval. -// Then run an eval test to exceed stack. -return -49; -} -} else if (depth != 0) -return probeAndRecurse(depth+1); +if (!result) { +try { +testEval(1); +} catch (e) { +return -49; +} +} else +return result + 1 +} catch (e) { +// We exceeded stack space, now return up the stack until we can execute a simple eval. +// Then run an eval test to exceed stack. +return -49; +} try { -testEval((depth 0) ? 20 : 0); +testEval(reuseEvalString ? 0 : 20); } catch (e) { testPassed(Exception: + e); } @@ -68,7 +64,7 @@ return 1; } -var depth = probeAndRecurse(1); +var depth = probeAndRecurse(0, false); // Tier up the eval'ed code. // When run with run-jsc-stress-tests and it's agressive options, this low of a count will @@ -76,4 +72,4 @@ for (var i = 0; i 200; i++) testEval(0); -probeAndRecurse(-depth); +probeAndRecurse(0, true); ___ webkit-changes mailing list
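Review bot: in the testEval hunk, `var result = eval(lastEvalString);` redeclares `result`, which is already declared as `var result;` two lines above; drop the `var` there so the two arms assign to the same variable in the same way. The same hunk removes the braces from the `if (!maxIterations)` arm while the `else` arm keeps them, which is easy to misread given the nested `for`; braces on both arms would be clearer. In the probeAndRecurse hunk, the re-indented `return result + 1` still lacks its semicolon; since the line is being rewritten anyway, fix it now. The restructuring itself does what the ChangeLog says: both calls, `probeAndRecurse(0, false)` and `probeAndRecurse(0, true)`, now take the identical try/recurse path and differ only in `testEval(reuseEvalString ? 0 : 20)`, and the new guard around `lastEvalString = evalString` (its operator is lost in this archive) is what keeps the shallow `testEval(1)` probes from overwriting the eval string saved by the 20-iteration run.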
[webkit-changes] [181501] trunk/Source/WTF
Title: [181501] trunk/Source/WTF Revision 181501 Author msab...@apple.com Date 2015-03-14 14:42:20 -0700 (Sat, 14 Mar 2015) Log Message Disable Yarr JIT for ARMv7k https://bugs.webkit.org/show_bug.cgi?id=142645 Rubber stamped by Geoffrey Garen. Changed the setting of ENABLE_YARR_JIT to be predicated on ENABLED_JIT. * wtf/Platform.h: Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/Platform.h Diff Modified: trunk/Source/WTF/ChangeLog (181500 => 181501) --- trunk/Source/WTF/ChangeLog 2015-03-14 20:49:50 UTC (rev 181500) +++ trunk/Source/WTF/ChangeLog 2015-03-14 21:42:20 UTC (rev 181501) @@ -1,5 +1,16 @@ 2015-03-14 Michael Saboff msab...@apple.com +Disable Yarr JIT for ARMv7k +https://bugs.webkit.org/show_bug.cgi?id=142645 + +Rubber stamped by Geoffrey Garen. + +Changed the setting of ENABLE_YARR_JIT to be predicated on ENABLED_JIT. + +* wtf/Platform.h: + +2015-03-14 Michael Saboff msab...@apple.com + ES6: Add binary and octal literal support https://bugs.webkit.org/show_bug.cgi?id=142681 Modified: trunk/Source/WTF/wtf/Platform.h (181500 => 181501) --- trunk/Source/WTF/wtf/Platform.h 2015-03-14 20:49:50 UTC (rev 181500) +++ trunk/Source/WTF/wtf/Platform.h 2015-03-14 21:42:20 UTC (rev 181501) @@ -663,11 +663,6 @@ #define ENABLE_JIT 1 #endif -/* Disable the YARR JIT for ARMv7k */ -#if !defined(ENABLE_YARR_JIT) CPU(APPLE_ARMV7K) -#define ENABLE_YARR_JIT 0 -#endif - /* Do we have LLVM? */ #if !defined(HAVE_LLVM) OS(DARWIN) !PLATFORM(EFL) !PLATFORM(GTK) ENABLE(FTL_JIT) (CPU(X86_64) || CPU(ARM64)) #define HAVE_LLVM 1 @@ -825,7 +820,7 @@ #define ENABLE_REGEXP_TRACING 0 /* Yet Another Regex Runtime - turned on by default for JIT enabled ports. */ -#if !defined(ENABLE_YARR_JIT) +#if !defined(ENABLE_YARR_JIT) ENABLE(JIT) #define ENABLE_YARR_JIT 1 /* Setting this flag compares JIT results with interpreter results. */ ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
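Review bot: the ChangeLog lines say `predicated on ENABLED_JIT` but the macro used in the hunk is `ENABLE(JIT)`; fix the wording. Behaviourally, with the JIT off `ENABLE_YARR_JIT` is now left undefined instead of being defined to 0 as the removed ARMv7k block did; that is fine for code that tests it through `ENABLE(YARR_JIT)`, which treats an undefined macro as 0, but a bare `#if ENABLE_YARR_JIT` anywhere would now warn under -Wundef, so an explicit `#else` / `#define ENABLE_YARR_JIT 0` would make the setting self-contained. Removing the `CPU(APPLE_ARMV7K)` block in favour of this condition is the better shape: it covers every configuration that builds without a JIT, not just that one CPU.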
[webkit-changes] [181628] trunk/Source
Title: [181628] trunk/Source Revision 181628 Author msab...@apple.com Date 2015-03-17 02:33:30 -0700 (Tue, 17 Mar 2015) Log Message Windows X86-64 should use the fixed executable allocator https://bugs.webkit.org/show_bug.cgi?id=142749 Reviewed by Filip Pizlo. Source/_javascript_Core: Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build. * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows. Source/WTF: Set ENABLE_EXECUTABLE_ALLOCATOR_FIXED for Windows. Needed to export MetaAllocator::currentStatistics() for use in _javascript_Core. * wtf/MetaAllocator.h: * wtf/Platform.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters trunk/Source/_javascript_Core/jit/ExecutableAllocatorFixedVMPool.cpp trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/MetaAllocator.h trunk/Source/WTF/wtf/Platform.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (181627 => 181628) --- trunk/Source/_javascript_Core/ChangeLog 2015-03-17 09:03:15 UTC (rev 181627) +++ trunk/Source/_javascript_Core/ChangeLog 2015-03-17 09:33:30 UTC (rev 181628) 
@@ -1,3 +1,16 @@ +2015-03-17 Michael Saboff msab...@apple.com + +Windows X86-64 should use the fixed executable allocator +https://bugs.webkit.org/show_bug.cgi?id=142749 + +Reviewed by Filip Pizlo. + +Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build. + +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows. + 2015-03-17 Matt Baker mattba...@apple.com Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline Modified: trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj (181627 => 181628) --- trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-03-17 09:03:15 UTC (rev 181627) +++ trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-03-17 09:33:30 UTC (rev 181628) @@ -599,6 +599,7 @@ ClCompile Include=..\jit\AssemblyHelpers.cpp / ClCompile Include=..\jit\BinarySwitch.cpp / ClCompile Include=..\jit\ExecutableAllocator.cpp / +ClCompile Include=..\jit\ExecutableAllocatorFixedVMPool.cpp / ClCompile Include=..\jit\GCAwareJITStubRoutine.cpp / ClCompile Include=..\jit\HostCallReturnValue.cpp / ClCompile Include=..\jit\JIT.cpp / @@ -1772,4 +1773,4 @@ ImportGroup Label=ExtensionTargets Import Project=$(VCTargetsPath)\BuildCustomizations\masm.targets / /ImportGroup -/Project +/Project \ No newline at end of file Modified: trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters (181627 => 181628) --- trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-03-17 09:03:15 UTC (rev 181627) +++ trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-03-17 09:33:30 UTC (rev 181628) 
@@ -1752,9 +1752,6 @@ ClCompile Include=..\jit\BinarySwitch.cpp Filterjit/Filter /ClCompile -ClCompile Include=..\dfg\DFGPutLocalSinkingPhase.cpp - Filterdfg/Filter -/ClCompile ClCompile Include=..\jit\PolymorphicCallStubRoutine.cpp Filterjit/Filter /ClCompile @@ -1765,6 +1762,14 @@ ClCompile Include=_javascript_CoreDLL.cpp FilterAPI/Filter /ClCompile +ClCompile Include=..\dfg\DFGPutStackSinkingPhase.cpp / +ClCompile Include=..\ftl\FTLJSCallBase.cpp / +ClCompile Include=..\ftl\FTLJSCallVarargs.cpp / +ClCompile Include=..\runtime\JSCatchScope.cpp / +ClCompile Include=..\runtime\JSFunctionNameScope.cpp / +ClCompile Include=..\jit\ExecutableAllocatorFixedVMPool.cpp + Filterjit/Filter +/ClCompile /ItemGroup ItemGroup ClInclude Include=..\API\APICallbackFunction.h @@ -4214,13 +4219,16 @@ ClInclude Include=..\dfg\DFGPreciseLocalClobberize.h Filterdfg/Filter /ClInclude -ClInclude Include=..\dfg\DFGPutLocalSinkingPhase.h - Filterdfg/Filter -/ClInclude ClInclude Include=..\jit\PolymorphicCallStubRoutine.h Filterjit/Filter /ClInclude ClInclude Include=..\jit\SetupVarargsFrame.h / +ClInclude Include=..\dfg\DFGPutStackSinkingPhase.h / +ClInclude Include=..\ftl\FTLJSCallBase.h / +ClInclude Include=..\ftl\FTLJSCallVarargs.h / +ClInclude Include=..\runtime\JSCatchScope.h / +ClInclude Include=..\runtime\JSFunctionNameScope.h / +ClInclude Include=..\runtime\MathCommon.h / /ItemGroup ItemGroup None Include=_javascript_CorePreLink.cmd / @@
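Review bot: the `.filters` hunks go well beyond the ChangeLog's `Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build`: they also drop the `DFGPutLocalSinkingPhase.cpp` / `.h` entries and add `DFGPutStackSinkingPhase`, `FTLJSCallBase`, `FTLJSCallVarargs`, `JSCatchScope`, `JSFunctionNameScope` and `MathCommon.h`. That reads like a filters-file resync performed on save; either list it in the ChangeLog or land it separately so the intended change stays reviewable. Two smaller points in the same hunks: the new `DFGPutStackSinkingPhase`, `FTLJSCall*`, `JSCatchScope` and `JSFunctionNameScope` entries carry no `Filter` element, unlike `ExecutableAllocatorFixedVMPool.cpp` which gets `jit`, so they will appear at the project root in the IDE; and in the `.vcxproj` hunk the `\ No newline at end of file` marker follows the `+/Project` line, meaning the rewritten file lost its trailing newline, which is worth restoring.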
[webkit-changes] [181750] branches/safari-600.1.17-branch/Source
Title: [181750] branches/safari-600.1.17-branch/Source Revision 181750 Author msab...@apple.com Date 2015-03-19 10:52:02 -0700 (Thu, 19 Mar 2015) Log Message Merged r181628. rdar://problem/19804738 2015-03-16 Michael Saboff msab...@apple.com Windows X86-64 should use the fixed executable allocator https://bugs.webkit.org/show_bug.cgi?id=142749 Reviewed by Filip Pizlo. Source/_javascript_Core: Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build. * _javascript_Core.vcxproj/_javascript_Core.vcxproj: * _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows. Source/WTF: Set ENABLE_EXECUTABLE_ALLOCATOR_FIXED for Windows. Needed to export MetaAllocator::currentStatistics() for use in _javascript_Core. * wtf/MetaAllocator.h: * wtf/Platform.h: Modified Paths branches/safari-600.1.17-branch/Source/_javascript_Core/ChangeLog branches/safari-600.1.17-branch/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj branches/safari-600.1.17-branch/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters branches/safari-600.1.17-branch/Source/_javascript_Core/jit/ExecutableAllocatorFixedVMPool.cpp branches/safari-600.1.17-branch/Source/WTF/ChangeLog branches/safari-600.1.17-branch/Source/WTF/wtf/MetaAllocator.h branches/safari-600.1.17-branch/Source/WTF/wtf/Platform.h Diff Modified: branches/safari-600.1.17-branch/Source/_javascript_Core/ChangeLog (181749 => 181750) --- branches/safari-600.1.17-branch/Source/_javascript_Core/ChangeLog 2015-03-19 17:14:59 UTC (rev 181749) +++ branches/safari-600.1.17-branch/Source/_javascript_Core/ChangeLog 2015-03-19 17:52:02 UTC (rev 181750) 
@@ -1,3 +1,20 @@ +2015-03-19 Michael Saboff msab...@apple.com + +Merge r181628. rdar://problem/19804738 + +2015-03-16 Michael Saboff msab...@apple.com + +Windows X86-64 should use the fixed executable allocator +https://bugs.webkit.org/show_bug.cgi?id=142749 + +Reviewed by Filip Pizlo. + +Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build. + +* _javascript_Core.vcxproj/_javascript_Core.vcxproj: +* _javascript_Core.vcxproj/_javascript_Core.vcxproj.filters: +* jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows. + 2015-02-11 Brent Fulgham bfulg...@apple.com Merge r179993. rdar://problem/19803642 Modified: branches/safari-600.1.17-branch/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj (181749 => 181750) --- branches/safari-600.1.17-branch/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-03-19 17:14:59 UTC (rev 181749) +++ branches/safari-600.1.17-branch/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2015-03-19 17:52:02 UTC (rev 181750) @@ -569,6 +569,7 @@ ClCompile Include=..\jit\AssemblyHelpers.cpp / ClCompile Include=..\jit\ClosureCallStubRoutine.cpp / ClCompile Include=..\jit\ExecutableAllocator.cpp / +ClCompile Include=..\jit\ExecutableAllocatorFixedVMPool.cpp / ClCompile Include=..\jit\GCAwareJITStubRoutine.cpp / ClCompile Include=..\jit\HostCallReturnValue.cpp / ClCompile Include=..\jit\JIT.cpp / Modified: branches/safari-600.1.17-branch/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters (181749 => 181750) --- branches/safari-600.1.17-branch/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-03-19 17:14:59 UTC (rev 181749) +++ branches/safari-600.1.17-branch/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj.filters 2015-03-19 17:52:02 UTC (rev 181750) 
@@ -1611,6 +1611,9 @@ ClCompile Include=_javascript_CoreDLL.cpp FilterAPI/Filter /ClCompile +ClCompile Include=..\jit\ExecutableAllocatorFixedVMPool.cpp + Filterjit/Filter +/ClCompile /ItemGroup ItemGroup ClInclude Include=..\API\APICallbackFunction.h Modified: branches/safari-600.1.17-branch/Source/_javascript_Core/jit/ExecutableAllocatorFixedVMPool.cpp (181749 => 181750) --- branches/safari-600.1.17-branch/Source/_javascript_Core/jit/ExecutableAllocatorFixedVMPool.cpp 2015-03-19 17:14:59 UTC (rev 181749) +++ branches/safari-600.1.17-branch/Source/_javascript_Core/jit/ExecutableAllocatorFixedVMPool.cpp 2015-03-19 17:52:02 UTC (rev 181750) @@ -32,7 +32,9 @@ #include CodeProfiling.h #include errno.h +#if !PLATFORM(WIN) #include unistd.h +#endif #include wtf/MetaAllocator.h #include wtf/PageReservation.h #include wtf/VMTags.h Modified: branches/safari-600.1.17-branch/Source/WTF/ChangeLog (181749 => 181750) --- branches/safari-600.1.17-branch/Source/WTF/ChangeLog 2015-03-19 17:14:59 UTC (rev 181749) +++ branches/safari-600.1.17-branch/Source/WTF/ChangeLog 2015-03-19 17:52:02 UTC (rev 181750)
[webkit-changes] [181497] trunk
Title: [181497] trunk Revision 181497 Author msab...@apple.com Date 2015-03-14 09:29:20 -0700 (Sat, 14 Mar 2015) Log Message ES6: Add binary and octal literal support https://bugs.webkit.org/show_bug.cgi?id=142681 Reviewed by Ryosuke Niwa. Source/_javascript_Core: Added a binary literal parser function, parseBinary(), to Lexer patterned after the octal parser. Refactored the parseBinary, parseOctal and parseDecimal to use a constant size for the number of characters to try and handle directly. Factored out the shifting past any prefix to be handled by the caller. Added binary and octal parsing to toDouble() via helper functions. * parser/Lexer.cpp: (JSC::LexerT::parseHex): (JSC::LexerT::parseBinary): (JSC::LexerT::parseOctal): (JSC::LexerT::parseDecimal): (JSC::LexerT::lex): * parser/Lexer.h: * parser/ParserTokens.h: * runtime/JSGlobalObjectFunctions.cpp: (JSC::jsBinaryIntegerLiteral): (JSC::jsOctalIntegerLiteral): (JSC::toDouble): Source/WTF: * wtf/ASCIICType.h: (WTF::isASCIIBinaryDigit): New support function. (WTF::isASCIIOctalDigit): Updated to use logical and () instead of binary and (). LayoutTests: New tests. * js/binary-literals-expected.txt: Added. * js/binary-literals.html: Added. * js/octal-literals-expected.txt: Added. * js/octal-literals.html: Added. * js/script-tests/binary-literals.js: Added. * js/script-tests/octal-literals.js: Added. 
Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/parser/Lexer.cpp trunk/Source/_javascript_Core/parser/Lexer.h trunk/Source/_javascript_Core/parser/ParserTokens.h trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/ASCIICType.h Added Paths trunk/LayoutTests/js/binary-literals-expected.txt trunk/LayoutTests/js/binary-literals.html trunk/LayoutTests/js/octal-literals-expected.txt trunk/LayoutTests/js/octal-literals.html trunk/LayoutTests/js/script-tests/binary-literals.js trunk/LayoutTests/js/script-tests/octal-literals.js Diff Modified: trunk/LayoutTests/ChangeLog (181496 => 181497) --- trunk/LayoutTests/ChangeLog 2015-03-14 02:57:54 UTC (rev 181496) +++ trunk/LayoutTests/ChangeLog 2015-03-14 16:29:20 UTC (rev 181497) @@ -1,3 +1,19 @@ +2015-03-14 Michael Saboff msab...@apple.com + +ES6: Add binary and octal literal support +https://bugs.webkit.org/show_bug.cgi?id=142681 + +Reviewed by Ryosuke Niwa. + +New tests. + +* js/binary-literals-expected.txt: Added. +* js/binary-literals.html: Added. +* js/octal-literals-expected.txt: Added. +* js/octal-literals.html: Added. +* js/script-tests/binary-literals.js: Added. +* js/script-tests/octal-literals.js: Added. + 2015-03-13 Ryosuke Niwa rn...@webkit.org Class constructor should throw TypeError when called Added: trunk/LayoutTests/js/binary-literals-expected.txt (0 => 181497) --- trunk/LayoutTests/js/binary-literals-expected.txt (rev 0) +++ trunk/LayoutTests/js/binary-literals-expected.txt 2015-03-14 16:29:20 UTC (rev 181497) 
@@ -0,0 +1,43 @@ +Make sure that we correctly handle binary literals + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS 0b0 is 0 +PASS 0b1 is 1 +PASS 0B1 is 1 +PASS 0b is 0 +PASS 0B2 threw exception SyntaxError: No binary digits after '0b'. +PASS 0ba threw exception SyntaxError: No binary digits after '0b'. +PASS 0b0.0 threw exception SyntaxError: Unexpected number '.0'. Parse error.. +PASS x=0b1y=42 threw exception SyntaxError: No space between binary literal and identifier. +PASS 0b1010 is 0xa +PASS 0b0001001000110100010101100111 is 0x01234567 +PASS 0b10001001101010001100 is 0x89abcdef +PASS 0o1 is 3.00300673152188e+256 +PASS 0b0 is 9007199254740990 +PASS 0b1 is 9007199254740991 +PASS 0b10 is 18014398509481982 +PASS 0b11 is 18014398509481984 +PASS !!0b1 is true +PASS !!0b0 is false +PASS Number('0b0') is 0 +PASS Number('0b1') is 1 +PASS Number('0B1') is 1 +PASS Number('0b') is 0 +PASS Number('0B2') is NaN +PASS Number('0ba') is NaN +PASS Number('0b0.0') is NaN +PASS Number('0b1010') is 0xa +PASS Number('0b0001001000110100010101100111') is 0x01234567 +PASS Number('0b10001001101010001100') is 0x89abcdef +PASS Number('0b0') is 9007199254740990 +PASS
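Review bot: only the expected output is visible in this message (the Lexer.cpp, JSGlobalObjectFunctions.cpp and ASCIICType.h hunks are not shown), so this concerns test coverage. The boundary cases are the valuable ones: 9007199254740991 is 2^53 - 1 (53 one bits) and the 54-bit all-ones value is expected as 18014398509481984 rather than 18014398509481983, which pins down the double rounding of the new parser, and every literal case is mirrored through `Number('...')` so the `toDouble()` helpers run on the same inputs. One inconsistency: for the input `0B2` the message reads `No binary digits after '0b'` with a lowercase prefix even though the source used `0B`; either echo the prefix as written or word the message without quoting it.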
[webkit-changes] [181462] trunk/Source/WTF
Title: [181462] trunk/Source/WTF Revision 181462 Author msab...@apple.com Date 2015-03-12 17:40:46 -0700 (Thu, 12 Mar 2015) Log Message Disable Yarr JIT for ARMv7k https://bugs.webkit.org/show_bug.cgi?id=142645 Reviewed by Oliver Hunt. Make the setting of ENABLE_YARR_JIT match ENABLE_JIT for ARMv7k. * wtf/Platform.h: Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/Platform.h Diff Modified: trunk/Source/WTF/ChangeLog (181461 => 181462) --- trunk/Source/WTF/ChangeLog 2015-03-13 00:20:18 UTC (rev 181461) +++ trunk/Source/WTF/ChangeLog 2015-03-13 00:40:46 UTC (rev 181462) @@ -1,3 +1,14 @@ +2015-03-12 Michael Saboff msab...@apple.com + +Disable Yarr JIT for ARMv7k +https://bugs.webkit.org/show_bug.cgi?id=142645 + +Reviewed by Oliver Hunt. + +Make the setting of ENABLE_YARR_JIT match ENABLE_JIT for ARMv7k. + +* wtf/Platform.h: + 2015-03-12 Mark Lam mark@apple.com Change WTF::ByteSpinLock to use std::atomic. Modified: trunk/Source/WTF/wtf/Platform.h (181461 => 181462) --- trunk/Source/WTF/wtf/Platform.h 2015-03-13 00:20:18 UTC (rev 181461) +++ trunk/Source/WTF/wtf/Platform.h 2015-03-13 00:40:46 UTC (rev 181462) @@ -656,13 +656,18 @@ #endif #endif /* !defined(WTF_USE_JSVALUE64) !defined(WTF_USE_JSVALUE32_64) */ -/* The JIT is enabled by default on all x86, x86-64, ARM MIPS platforms except ARMv7k and Windows. */ +/* The JIT is enabled by default on all x86, x86-64, ARM MIPS platforms except ARMv7k. */ #if !defined(ENABLE_JIT) \ (CPU(X86) || CPU(X86_64) || CPU(ARM) || CPU(ARM64) || CPU(MIPS)) \ !CPU(APPLE_ARMV7K) #define ENABLE_JIT 1 #endif +/* Disable the YARR JIT for ARMv7k */ +#if !defined(ENABLE_YARR_JIT) CPU(APPLE_ARMV7K) +#define ENABLE_YARR_JIT 0 +#endif + /* Do we have LLVM? */ #if !defined(HAVE_LLVM) OS(DARWIN) !PLATFORM(EFL) !PLATFORM(GTK) ENABLE(FTL_JIT) (CPU(X86_64) || CPU(ARM64)) #define HAVE_LLVM 1 ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
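Review bot: this forces `ENABLE_YARR_JIT` to 0 for `CPU(APPLE_ARMV7K)` only, so any other configuration built with `ENABLE_JIT` off still falls through to the later default `#if !defined(ENABLE_YARR_JIT)` / `#define ENABLE_YARR_JIT 1` and tries to build the Yarr JIT without a JIT. Since the stated intent is `match ENABLE_JIT for ARMv7k`, making that default itself conditional on `ENABLE(JIT)` expresses the intent directly and covers every non-JIT port; that is what r181501, earlier on this page, ends up doing. The comment edit in the same hunk, dropping `and Windows` from the JIT-default comment, is correct, since the condition beneath it never excluded Windows.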
[webkit-changes] [181891] trunk
Title: [181891] trunk Revision 181891 Author msab...@apple.com Date 2015-03-24 03:05:21 -0700 (Tue, 24 Mar 2015) Log Message REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated https://bugs.webkit.org/show_bug.cgi?id=142856 Reviewed by Filip Pizlo. Source/_javascript_Core: Refactored the way the for .. in enumeration over objects is done. We used to make three C++ calls to get info for three loops to iterate over indexed properties, structure properties and other properties, respectively. We still have the three loops, but now we make one C++ call to get all the info needed for all loops before we execute any enumeration. The JSPropertyEnumerator has a count of the indexed properties and a list of named properties. The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex) and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex). Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and op_next_enumerator_pname. Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname. The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what end value we stop iterating on. Made corresponding node changes to the DFG and FTL for the bytecode changes. * bytecode/BytecodeList.json: * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitGetPropertyEnumerator): (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName): (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName): (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted. (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted. 
(JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted. * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::ForInNode::emitMultiLoopBytecode): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreterAbstractStateType::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLAbstractHeapRepository.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength): (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator): (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname): (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname): (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted. (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted. (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted. * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_enumerator_structure_pname): (JSC::JIT::emit_op_enumerator_generic_pname): (JSC::JIT::emit_op_get_property_enumerator): (JSC::JIT::emit_op_next_enumerator_pname): Deleted. (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted. (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted. 
* jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_enumerator_structure_pname): (JSC::JIT::emit_op_enumerator_generic_pname): (JSC::JIT::emit_op_next_enumerator_pname): Deleted. * jit/JITOperations.cpp: * jit/JITOperations.h: * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/JSPropertyNameEnumerator.cpp: (JSC::JSPropertyNameEnumerator::create): (JSC::JSPropertyNameEnumerator::finishCreation): * runtime/JSPropertyNameEnumerator.h: (JSC::JSPropertyNameEnumerator::indexedLength): (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex): (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex): (JSC::JSPropertyNameEnumerator::indexedLengthOffset): (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset): (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset): (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset): (JSC::propertyNameEnumerator): (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted. (JSC::structurePropertyNameEnumerator): Deleted. (JSC::genericPropertyNameEnumerator): Deleted. *
[webkit-changes] [181890] trunk/Source/JavaScriptCore
Title: [181890] trunk/Source/_javascript_Core Revision 181890 Author msab...@apple.com Date 2015-03-24 02:22:34 -0700 (Tue, 24 Mar 2015) Log Message Unreviewed build fix for debug builds. * runtime/ExceptionHelpers.cpp: (JSC::invalidParameterInSourceAppender): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (181889 => 181890) --- trunk/Source/_javascript_Core/ChangeLog 2015-03-24 07:30:05 UTC (rev 181889) +++ trunk/Source/_javascript_Core/ChangeLog 2015-03-24 09:22:34 UTC (rev 181890) @@ -1,3 +1,10 @@ +2015-03-24 Michael Saboff msab...@apple.com + +Unreviewed build fix for debug builds. + +* runtime/ExceptionHelpers.cpp: +(JSC::invalidParameterInSourceAppender): + 2015-03-24 Saam Barati saambara...@gmail.com Improve error messages in JSC Modified: trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp (181889 => 181890) --- trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2015-03-24 07:30:05 UTC (rev 181889) +++ trunk/Source/_javascript_Core/runtime/ExceptionHelpers.cpp 2015-03-24 09:22:34 UTC (rev 181890) @@ -208,8 +208,6 @@ static String invalidParameterInSourceAppender(const String originalMessage, const String sourceText, RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence) { -ASSERT(type != TypeObject); - if (occurrence == ErrorInstance::FoundApproximateSource) return defaultApproximateSourceError(originalMessage, sourceText); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
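Review bot: the debug-only build break in the ExceptionHelpers.cpp hunk comes from ASSERT(type != TypeObject) referring to a parameter that the signature declares as a bare RuntimeType with no name, and the hunk fixes it by deleting the assertion rather than the mismatch. If an object-typed value is still not expected here, naming the parameter (RuntimeType type) and keeping the ASSERT preserves the check; if the assertion itself was wrong, the ChangeLog should say so instead of reading as a plain build fix.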
[webkit-changes] [182158] trunk/Source/JavaScriptCore
Title: [182158] trunk/Source/_javascript_Core Revision 182158 Author msab...@apple.com Date 2015-03-30 15:58:22 -0700 (Mon, 30 Mar 2015) Log Message Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64 https://bugs.webkit.org/show_bug.cgi?id=138391 Reviewed by Mark Lam. Re-enabling these tests as I can't get them to fail on local iOS test devices. There have been many changes since these tests were disabled. I'll watch automated test results for failures. If there are failures running automated testing, it might be due to the device's relative CPU performance. * tests/stress/float32-repeat-out-of-bounds.js: * tests/stress/int8-repeat-out-of-bounds.js: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js Diff Modified: trunk/Source/_javascript_Core/ChangeLog (182157 => 182158) --- trunk/Source/_javascript_Core/ChangeLog 2015-03-30 22:47:05 UTC (rev 182157) +++ trunk/Source/_javascript_Core/ChangeLog 2015-03-30 22:58:22 UTC (rev 182158) 
@@ -1,3 +1,18 @@ +2015-03-30 Michael Saboff msab...@apple.com + +Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64 +https://bugs.webkit.org/show_bug.cgi?id=138391 + +Reviewed by Mark Lam. + +Re-enabling these tests as I can't get them to fail on local iOS test devices. +There have been many changes since these tests were disabled. +I'll watch automated test results for failures. If there are failures running automated +testing, it might be due to the device's relative CPU performance. + +* tests/stress/float32-repeat-out-of-bounds.js: +* tests/stress/int8-repeat-out-of-bounds.js: + 2015-03-30 Joseph Pecoraro pecor...@apple.com Web Inspector: Regression: Preview for [[null]] shouldn't be [] Modified: trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js (182157 => 182158) --- trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js 2015-03-30 22:47:05 UTC (rev 182157) +++ trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js 2015-03-30 22:58:22 UTC (rev 182158) @@ -1,4 +1,4 @@ -//@ if $architecture == arm64 and $hostOS == darwin then skip else defaultNoEagerRun end +//@ defaultNoEagerRun function foo(a) { a[0] = 1; Modified: trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js (182157 => 182158) --- trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js 2015-03-30 22:47:05 UTC (rev 182157) +++ trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js 2015-03-30 22:58:22 UTC (rev 182158) @@ -1,4 +1,4 @@ -//@ if $architecture == arm64 and $hostOS == darwin then skip else defaultNoEagerRun end +//@ defaultNoEagerRun function foo(a) { a[0] = 1; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
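Review bot: both hunks reduce the header to a bare //@ defaultNoEagerRun, which drops the only in-file record that float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js were ever skipped on arm64/darwin, while the ChangeLog itself says a recurrence may depend on the device's relative CPU performance. A one-line comment next to the directive pointing at bug 138391 would let whoever sees the next failure tell a known timing-sensitive test from a new regression.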
[webkit-changes] [182170] trunk/PerformanceTests/SunSpider
Title: [182170] trunk/PerformanceTests/SunSpider Revision 182170 Author msab...@apple.com Date 2015-03-30 18:21:21 -0700 (Mon, 30 Mar 2015) Log Message Fix failing v8-deltablue.js for ARM https://bugs.webkit.org/show_bug.cgi?id=138392 Rubber-stamped by Mark Lam. Re-enable this test for ARM32 on iOS as the tests now run without issues. * tests/v8-v6/v8-deltablue.js: Modified Paths trunk/PerformanceTests/SunSpider/ChangeLog trunk/PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js Diff Modified: trunk/PerformanceTests/SunSpider/ChangeLog (182169 => 182170) --- trunk/PerformanceTests/SunSpider/ChangeLog 2015-03-31 01:09:08 UTC (rev 182169) +++ trunk/PerformanceTests/SunSpider/ChangeLog 2015-03-31 01:21:21 UTC (rev 182170) @@ -1,3 +1,14 @@ +2015-03-30 Michael Saboff msab...@apple.com + +Fix failing v8-deltablue.js for ARM +https://bugs.webkit.org/show_bug.cgi?id=138392 + +Rubber-stamped by Mark Lam. + +Re-enable this test for ARM32 on iOS as the tests now run without issues. + +* tests/v8-v6/v8-deltablue.js: + 2015-02-25 Benjamin Poulain bpoul...@apple.com CodeBlock crashes when dumping op_push_name_scope Modified: trunk/PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js (182169 => 182170) --- trunk/PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js 2015-03-31 01:09:08 UTC (rev 182169) +++ trunk/PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js 2015-03-31 01:21:21 UTC (rev 182170) @@ -1,4 +1,3 @@ -//@ skip if $architecture == arm and $hostOS == darwin // Copyright 2008 the V8 project authors. All rights reserved. // Copyright 1996 John Maloney and Mario Wolczko. ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
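Review bot: the hunk removes the arm/darwin skip from v8-deltablue.js on the strength of "the tests now run without issues", with a rubber stamp and no note of what was run; recording the device and build configuration in bug 138392 before landing would give a baseline to compare against if the failure returns, and a comment pointing at that bug next to the file header would do the same for the file.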
[webkit-changes] [182058] trunk
Title: [182058] trunk Revision 182058 Author msab...@apple.com Date 2015-03-27 07:28:34 -0700 (Fri, 27 Mar 2015)
Log Message
Objects with numeric properties intermittently get a phantom 'length' property https://bugs.webkit.org/show_bug.cgi?id=142792
Reviewed by Csaba Osztrogonác.
Source/_javascript_Core:
Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles test and branch instructions. This function is used for linking tbz/tbnz branches between two separately JIT'ed sections of code. Sometimes we'd create a bogus tbz instruction in the failure case checks in the GetById array length stub created for obj.length access. If the failure case code address was at a negative offset from the stub, we'd look for bit 1 being set when we should have been looking for bit 0.
* assembler/ARM64Assembler.h: (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
LayoutTests:
New regression test.
* js/regress-142792-expected.txt: Added. * js/regress-142792.html: Added. * js/script-tests/regress-142792.js: Added. (isArrayLike): (filter):
Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/ARM64Assembler.h Added Paths trunk/LayoutTests/js/regress-142792-expected.txt trunk/LayoutTests/js/regress-142792.html trunk/LayoutTests/js/script-tests/regress-142792.js Diff Modified: trunk/LayoutTests/ChangeLog (182057 => 182058) --- trunk/LayoutTests/ChangeLog 2015-03-27 11:08:49 UTC (rev 182057) +++ trunk/LayoutTests/ChangeLog 2015-03-27 14:28:34 UTC (rev 182058) 
@@ -1,3 +1,18 @@ +2015-03-27 Michael Saboff msab...@apple.com + +Objects with numeric properties intermittently get a phantom 'length' property +https://bugs.webkit.org/show_bug.cgi?id=142792 + +Reviewed by Csaba Osztrogonác. + +New regression test. + +* js/regress-142792-expected.txt: Added. +* js/regress-142792.html: Added. +* js/script-tests/regress-142792.js: Added. +(isArrayLike): +(filter): + 2015-03-26 Zalan Bujtas za...@apple.com Inline continuation code should not take anonymous containing wrapper granted. Added: trunk/LayoutTests/js/regress-142792-expected.txt (0 => 182058) --- trunk/LayoutTests/js/regress-142792-expected.txt (rev 0) +++ trunk/LayoutTests/js/regress-142792-expected.txt 2015-03-27 14:28:34 UTC (rev 182058) @@ -0,0 +1,10 @@ +Verify that objects with numeric named properties don't set length like an array. + +On success, you will see a series of PASS messages, followed by TEST COMPLETE. + + +PASS Correct number of iterated keys: 3 +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/regress-142792.html (0 => 182058) --- trunk/LayoutTests/js/regress-142792.html (rev 0) +++ trunk/LayoutTests/js/regress-142792.html 2015-03-27 14:28:34 UTC (rev 182058) @@ -0,0 +1,10 @@ +!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN +html +head +script src="" +/head +body +script src="" +script src="" +/body +/html Added: trunk/LayoutTests/js/script-tests/regress-142792.js (0 => 182058) --- trunk/LayoutTests/js/script-tests/regress-142792.js (rev 0) +++ trunk/LayoutTests/js/script-tests/regress-142792.js 2015-03-27 14:28:34 UTC (rev 182058) 
@@ -0,0 +1,52 @@ +description(Verify that objects with numeric named properties don't set length like an array.); + +var numOfIterations = 1; +var count = 0; +var obj = { +1: 'foo', +8: 'bar', +50: 'baz' +}; + +var expectedCount = Object.keys(obj).length; + +function isArrayLike(collection) { +var length = collection collection.length; + +return typeof length == 'number'; +} + +function filter(obj, callback, context) { +var results = []; +var i, length; + +if (isArrayLike(obj)) { +for (i = 0, length = obj.length; i length; i++) { +var value = obj[i]; +if (callback(value)) +results.push(value); +} +} else { +for (var key in obj) { +var value = obj[key]; +if (callback(value)) +results.push(value); +} +} + +return results; +} + +for (var i = 0; i numOfIterations; i++) { +filter([], function() { return true; }); +} + +filter(obj, function() { +count++; +return true; +}); + +if (count !== expectedCount) +testFailed(Incorrect number of iterated keys: + count + , expected: + expectedCount); +else +testPassed(Correct number of iterated keys: + count); Modified: trunk/Source/_javascript_Core/ChangeLog (182057 => 182058) --- trunk/Source/_javascript_Core/ChangeLog 2015-03-27 11:08:49 UTC (rev 182057) +++ trunk/Source/_javascript_Core/ChangeLog 2015-03-27 14:28:34 UTC (rev 182058) @@ -1,3 +1,20 @@ +2015-03-27 Michael Saboff msab...@apple.com + +Objects with numeric properties intermittently get a phantom 'length' property +
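Review bot: regress-142792.js detects the phantom length only indirectly, through isArrayLike sending obj down the array path of filter and the resulting count differing from expectedCount; adding shouldBeUndefined("obj.length") after the warm-up loop would report the actual symptom instead of a wrong key count. The warm-up loop over numOfIterations also deserves a comment saying it is there to get the length access into the GetById array-length stub that the ChangeLog describes, since the test only exercises the bug once that stub exists.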
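The bit-field bug described in the [182058] log message, as an added example that is not WebKit's code: an A64 TBZ/TBNZ decoder written with the correct >> extractions, the same field with the > typo beside it to show the comparison-instead-of-shift failure the log describes, and a relink helper that refuses offsets the instruction cannot hold. The encoding layout is the architectural one; encodeTestAndBranch, buggyBitNumber and relinkTestAndBranch are hypothetical names, and the buggy expression illustrates the defect class rather than the exact line changed in ARM64Assembler.h, which the page does not show.

```cpp
#include <cstdint>

// A64 TBZ/TBNZ layout (architectural encoding; this is not WebKit's code):
//   bit 31     b5     high bit of the tested bit number
//   bits 30-25 011011 fixed opcode bits
//   bit 24     op     0 = TBZ, 1 = TBNZ
//   bits 23-19 b40    low five bits of the tested bit number
//   bits 18-5  imm14  signed branch offset in words of 4 bytes
//   bits 4-0   Rt     register under test
struct TestAndBranch {
    bool isTbnz;
    unsigned bitNumber;   // 0..63
    int byteOffset;       // sign-extended imm14 * 4
    unsigned rt;
};

// Hypothetical encoder, used here only to construct instruction words to decode.
uint32_t encodeTestAndBranch(bool isTbnz, unsigned bitNumber, int byteOffset, unsigned rt)
{
    uint32_t imm14 = static_cast<uint32_t>(byteOffset / 4) & 0x3fffu;
    return (((bitNumber >> 5) & 1u) << 31) | (0x1bu << 25) | ((isTbnz ? 1u : 0u) << 24)
        | ((bitNumber & 0x1fu) << 19) | (imm14 << 5) | (rt & 0x1fu);
}

bool isTestAndBranch(uint32_t insn) { return ((insn >> 25) & 0x3fu) == 0x1bu; }

// Correct decoder: every field is shifted down with >> and then masked.
bool decodeTestAndBranch(uint32_t insn, TestAndBranch& out)
{
    if (!isTestAndBranch(insn))
        return false;
    out.isTbnz = ((insn >> 24) & 1u) != 0;
    out.bitNumber = (((insn >> 31) & 1u) << 5) | ((insn >> 19) & 0x1fu);
    int imm14 = static_cast<int>((insn >> 5) & 0x3fffu);
    if (imm14 & 0x2000)                     // explicit sign extension of the 14-bit field
        imm14 -= 0x4000;
    out.byteOffset = imm14 * 4;
    out.rt = insn & 0x1fu;
    return true;
}

// The defect class from the ChangeLog, reproduced on the bit-number field as an
// illustration (the exact line in ARM64Assembler.h is not shown on the page): one
// missing '>' turns the shift into a comparison, which is 1 for every instruction
// word, so a branch that tests bit 0 is decoded as testing bit 1.
unsigned buggyBitNumber(uint32_t insn)
{
    return (((insn >> 31) & 1u) << 5) | ((insn > 19u) & 0x1fu);
}

// Relink a decoded branch to a new target. Refuses targets imm14 cannot express
// (not word-aligned or outside +-32 KiB) instead of silently truncating them.
bool relinkTestAndBranch(uint32_t insn, int newByteOffset, uint32_t& relinked)
{
    TestAndBranch tb;
    if (!decodeTestAndBranch(insn, tb))
        return false;
    if (newByteOffset % 4 != 0 || newByteOffset < -(1 << 15) || newByteOffset > (1 << 15) - 4)
        return false;
    relinked = encodeTestAndBranch(tb.isTbnz, tb.bitNumber, newByteOffset, tb.rt);
    return true;
}
```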
[webkit-changes] [180992] trunk/Source/JavaScriptCore
Title: [180992] trunk/Source/_javascript_Core Revision 180992 Author msab...@apple.com Date 2015-03-03 21:33:37 -0800 (Tue, 03 Mar 2015)
Log Message
DelayedReleaseScope drops locks during GC which can cause a thread switch and code reentry https://bugs.webkit.org/show_bug.cgi?id=141275
Reviewed by Geoffrey Garen.
The original issue is that the CodeCache uses an unsafe method to add new UnlinkedCodeBlocks. It basically adds a null UnlinkedCodeBlock if there isn't a cached entry and then later updates the null entry to the result of the compilation. If during that compilation and related processing we need to garbage collect, the DelayedReleaseScope would drop locks possibly allowing another thread to try to get the same source out of the CodeCache. This second thread would find the null entry and crash.
The fix is to move the processing of DelayedReleaseScope to when we drop locks and not drop locks during GC. That was done in the original patch with the new function releaseDelayedReleasedObjects(). Updated releaseDelayedReleasedObjects() so that objects are released with all locks dropped. Now its processing follows these steps:
Increment recursion counter and do recursion check and exit if recursing
While there are objects to release
    ASSERT that lock is held by current thread
    Take all items from delayed release Vector and put into temporary Vector
    Release API lock
    Release and clear items from temporary vector
    Reacquire API lock
This meets the requirement that we release while the API lock is released and it is safer processing of the delayed release Vector.
Added new regression test to testapi. Also added comment describing how recursion into releaseDelayedReleasedObjects() is prevented.
* API/tests/Regress141275.h: Added. * API/tests/Regress141275.mm: Added. 
(+[JSTEvaluatorTask evaluatorTaskWithEvaluateBlock:completionHandler:]): (-[JSTEvaluator init]): (-[JSTEvaluator initWithScript:]): (-[JSTEvaluator _accessPendingTasksWithBlock:]): (-[JSTEvaluator insertSignPostWithCompletion:]): (-[JSTEvaluator evaluateScript:completion:]): (-[JSTEvaluator evaluateBlock:completion:]): (-[JSTEvaluator waitForTasksDoneAndReportResults]): (__JSTRunLoopSourceScheduleCallBack): (__JSTRunLoopSourcePerformCallBack): (__JSTRunLoopSourceCancelCallBack): (-[JSTEvaluator _jsThreadMain]): (-[JSTEvaluator _sourceScheduledOnRunLoop:]): (-[JSTEvaluator _setupEvaluatorThreadContextIfNeeded]): (-[JSTEvaluator _callCompletionHandler:ifNeededWithError:]): (-[JSTEvaluator _sourcePerform]): (-[JSTEvaluator _sourceCanceledOnRunLoop:]): (runRegress141275): * API/tests/testapi.mm: (testObjectiveCAPI): * _javascript_Core.xcodeproj/project.pbxproj: * heap/Heap.cpp: (JSC::Heap::releaseDelayedReleasedObjects): * runtime/JSLock.cpp: (JSC::JSLock::unlock): Modified Paths trunk/Source/_javascript_Core/API/tests/testapi.mm trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/runtime/JSLock.cpp Added Paths trunk/Source/_javascript_Core/API/tests/Regress141275.h trunk/Source/_javascript_Core/API/tests/Regress141275.mm Diff Added: trunk/Source/_javascript_Core/API/tests/Regress141275.h (0 => 180992) --- trunk/Source/_javascript_Core/API/tests/Regress141275.h (rev 0) +++ trunk/Source/_javascript_Core/API/tests/Regress141275.h 2015-03-04 05:33:37 UTC (rev 180992) 
@@ -0,0 +1,34 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +#import Foundation/Foundation.h +#import _javascript_Core/_javascript_Core.h + +#if
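The release sequence listed in the [180992] log message, as an added example that is not JavaScriptCore's code: a single-threaded model in which the API lock is a held/not-held flag, the delayed-release Vector is swapped into a temporary before the lock is dropped, and a depth counter rejects re-entry from a release callback. ApiLock, DelayedReleaseQueue and runScenario are hypothetical names; the scenario is constructed so that one callback re-enters the drain and queues a third object, which the outer loop then picks up.

```cpp
#include <cassert>
#include <functional>
#include <vector>
// Hypothetical single-threaded model of the JSC API lock: it only records whether
// it is held, which is all the drain loop below needs to check.
struct ApiLock {
    bool held = false;
    void lock() { assert(!held); held = true; }
    void unlock() { assert(held); held = false; }
};
// Objects whose release must run with the API lock dropped are queued here and
// drained when the lock is given up, following the steps in the ChangeLog.
class DelayedReleaseQueue {
public:
    using Releaser = std::function<void()>;
    void add(Releaser r) { m_pending.push_back(r); }
    unsigned releasedCount() const { return m_released; }
    void releaseDelayedReleasedObjects(ApiLock& apiLock)
    {
        // Step 1: recursion check. A release callback that re-enters the VM can call
        // this again; it returns at once and the outer loop picks up what it queued.
        if (++m_recursionDepth > 1) {
            --m_recursionDepth;
            return;
        }
        while (!m_pending.empty()) {                   // Step 2: while there is work
            assert(apiLock.held);                      // Step 3: lock held on entry
            std::vector<Releaser> batch;
            batch.swap(m_pending);                     // Step 4: take the whole Vector
            apiLock.unlock();                          // Step 5: drop the API lock ...
            for (auto& release : batch)                // Step 6: ... release while it is
                release();                             //         dropped (batch is freed
            apiLock.lock();                            // Step 7: reacquire   at scope end)
            m_released += static_cast<unsigned>(batch.size());
        }
        --m_recursionDepth;
    }
private:
    std::vector<Releaser> m_pending;
    unsigned m_recursionDepth = 0;
    unsigned m_released = 0;
};
struct ScenarioResult { unsigned released; bool lockDroppedDuringRelease; };
// Constructed scenario: two queued objects; the second one's release re-enters the
// VM, queues a third object and calls the drain again, which the guard rejects.
ScenarioResult runScenario()
{
    ApiLock apiLock;
    DelayedReleaseQueue queue;
    bool lockDropped = true;                           // stays true only if every release
    auto observe = [&] { lockDropped = lockDropped && !apiLock.held; }; // saw the lock dropped
    queue.add(observe);
    queue.add([&] {
        observe();
        apiLock.lock();                                // callback takes the lock again
        queue.add(observe);
        queue.releaseDelayedReleasedObjects(apiLock);  // nested call: rejected, no-op
        apiLock.unlock();
    });
    apiLock.lock();
    queue.releaseDelayedReleasedObjects(apiLock);
    apiLock.unlock();
    return { queue.releasedCount(), lockDropped };
}
```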