Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f8284998946c00f1c6b4d8ea9aad813ba83616a7
    https://github.com/WebKit/WebKit/commit/f8284998946c00f1c6b4d8ea9aad813ba83616a7
Author: Alexey Shvayka <ashva...@apple.com>
Date: 2024-07-23 (Tue, 23 Jul 2024)

Changed paths:
  M Source/JavaScriptCore/API/JSScriptRef.cpp
  M Source/JavaScriptCore/API/glib/JSCContext.cpp
  M Source/JavaScriptCore/builtins/BuiltinExecutables.cpp
  M Source/JavaScriptCore/bytecode/BytecodeList.rb
  M Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp
  M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
  M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
  M Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp
  M Source/JavaScriptCore/debugger/DebuggerParseData.cpp
  M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
  M Source/JavaScriptCore/dfg/DFGNode.h
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
  M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
  M Source/JavaScriptCore/interpreter/Interpreter.cpp
  M Source/JavaScriptCore/interpreter/Interpreter.h
  M Source/JavaScriptCore/jit/JITCall.cpp
  M Source/JavaScriptCore/jit/JITOperations.cpp
  M Source/JavaScriptCore/jit/JITOperations.h
  M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
  M Source/JavaScriptCore/parser/Parser.cpp
  M Source/JavaScriptCore/parser/Parser.h
  M Source/JavaScriptCore/parser/ParserModes.h
  M Source/JavaScriptCore/parser/SourceCodeKey.h
  M Source/JavaScriptCore/parser/SourceProviderCacheItem.h
  M Source/JavaScriptCore/runtime/CodeCache.cpp
  M Source/JavaScriptCore/runtime/CodeCache.h
  M Source/JavaScriptCore/runtime/Completion.cpp
  M Source/JavaScriptCore/runtime/DirectEvalExecutable.cpp
  M Source/JavaScriptCore/runtime/DirectEvalExecutable.h
  M Source/JavaScriptCore/runtime/EvalExecutable.cpp
  M Source/JavaScriptCore/runtime/EvalExecutable.h
  M Source/JavaScriptCore/runtime/GlobalExecutable.h
  M Source/JavaScriptCore/runtime/IndirectEvalExecutable.cpp
  M Source/JavaScriptCore/runtime/IndirectEvalExecutable.h
  M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
  M Source/JavaScriptCore/runtime/JSModuleLoader.cpp
  M Source/JavaScriptCore/runtime/ModuleProgramExecutable.cpp
  M Source/JavaScriptCore/runtime/ProgramExecutable.cpp
  M Source/JavaScriptCore/runtime/ScriptExecutable.h
  M Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp
  M Source/JavaScriptCore/tools/JSDollarVM.cpp

Log Message:
-----------
[JSC] Introduce TaintedByWithScopeLexicallyScopedFeature
https://bugs.webkit.org/show_bug.cgi?id=276788
<rdar://problem/132024214>

Reviewed by Yusuke Suzuki.

This is a re-land of 281119@main but without the SourceCodeKey hashing drive-by fix, which regressed JS3 scores on iOS by 2%.

For the upcoming ToThis revamp (webkit.org/b/225397), we would need to determine during bytecode generation if an op_get_from_scope could possibly hit a JSWithScope; if it can, we would need to emit an additional bytecode op that would sanitize JSScope to a `this` value. Otherwise, we would pass `undefined` as the `this` value.

Leveraging LexicallyScopedFeatures, this patch introduces a mechanism to determine that, accounting for eval() and global scope extension. The TaintedByWithScopeLexicallyScopedFeature flag is set precisely and only inside a `with` statement, and doesn't affect code that follows `with` in the same scope.

Also, this change replaces JSParserStrictMode and bool flags with LexicallyScopedFeatures, reducing the number of ways we pass strict mode to 2.

No new tests, no behavior change.

* Source/JavaScriptCore/API/JSScriptRef.cpp:
(parseScript):
* Source/JavaScriptCore/API/glib/JSCContext.cpp:
(jsc_context_check_syntax):
* Source/JavaScriptCore/builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutable):
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::fromGlobalCode):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::computeFeaturesForCallDirectEval):
(JSC::BytecodeGenerator::emitCall):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
* Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::evaluateWithScopeExtension):
* Source/JavaScriptCore/debugger/DebuggerParseData.cpp:
(JSC::gatherDebuggerParseData):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::hasECMAMode):
(JSC::DFG::Node::ecmaMode):
(JSC::DFG::Node::lexicallyScopedFeatures):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::eval):
(JSC::Interpreter::executeProgram):
* Source/JavaScriptCore/interpreter/Interpreter.h:
* Source/JavaScriptCore/jit/JITCall.cpp:
(JSC::JIT::compileCallDirectEval):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/jit/JITOperations.h:
(JSC::selectCallDirectEvalOperation):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::commonCallDirectEval):
* Source/JavaScriptCore/parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseWithStatement):
* Source/JavaScriptCore/parser/Parser.h:
(JSC::Scope::setLexicallyScopedFeatures):
(JSC::Scope::setTaintedByWithScope):
(JSC::parse):
(JSC::parseRootNode):
(JSC::parseFunctionForFunctionConstructor):
* Source/JavaScriptCore/parser/ParserModes.h:
* Source/JavaScriptCore/parser/SourceCodeKey.h:
(JSC::SourceCodeFlags::SourceCodeFlags):
(JSC::SourceCodeKey::SourceCodeKey):
* Source/JavaScriptCore/parser/SourceProviderCacheItem.h:
(JSC::SourceProviderCacheItem::lexicallyScopedFeatures const):
(JSC::SourceProviderCacheItem::SourceProviderCacheItem):
* Source/JavaScriptCore/runtime/CodeCache.cpp:
(JSC::generateUnlinkedCodeBlockImpl):
(JSC::generateUnlinkedCodeBlock):
(JSC::generateUnlinkedCodeBlockForDirectEval):
(JSC::recursivelyGenerateUnlinkedCodeBlockForProgram):
(JSC::recursivelyGenerateUnlinkedCodeBlockForModuleProgram):
(JSC::CodeCache::getUnlinkedGlobalCodeBlock):
(JSC::CodeCache::getUnlinkedProgramCodeBlock):
(JSC::CodeCache::getUnlinkedEvalCodeBlock):
(JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
(JSC::sourceCodeKeyForSerializedBytecode):
(JSC::sourceCodeKeyForSerializedProgram):
(JSC::sourceCodeKeyForSerializedModule):
(JSC::serializeBytecode):
* Source/JavaScriptCore/runtime/CodeCache.h:
* Source/JavaScriptCore/runtime/Completion.cpp:
(JSC::checkSyntaxInternal):
(JSC::checkModuleSyntax):
(JSC::generateProgramBytecode):
(JSC::generateModuleBytecode):
* Source/JavaScriptCore/runtime/DirectEvalExecutable.cpp:
(JSC::DirectEvalExecutable::create):
(JSC::DirectEvalExecutable::DirectEvalExecutable):
* Source/JavaScriptCore/runtime/DirectEvalExecutable.h:
* Source/JavaScriptCore/runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::EvalExecutable):
* Source/JavaScriptCore/runtime/EvalExecutable.h:
* Source/JavaScriptCore/runtime/GlobalExecutable.h:
(JSC::GlobalExecutable::GlobalExecutable):
* Source/JavaScriptCore/runtime/IndirectEvalExecutable.cpp:
(JSC::IndirectEvalExecutable::createImpl):
(JSC::IndirectEvalExecutable::create):
(JSC::IndirectEvalExecutable::tryCreate):
(JSC::IndirectEvalExecutable::IndirectEvalExecutable):
* Source/JavaScriptCore/runtime/IndirectEvalExecutable.h:
* Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSModuleLoader.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::ModuleProgramExecutable):
* Source/JavaScriptCore/runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::ProgramExecutable):
(JSC::ProgramExecutable::initializeGlobalProperties):
* Source/JavaScriptCore/runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::lexicallyScopedFeatures):
(JSC::ScriptExecutable::setTaintedByWithScope):
* Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):

Canonical link: https://commits.webkit.org/281275@main
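The `this` values the commit message describes, observed from plain JavaScript rather than from JSC internals (added example, not code from the commit or from WebKit): a callee resolved through a `with` object scope receives that object as `this`, a direct eval inside the `with` body inherits the same scope chain, a call that is lexically inside `with` but misses the object falls back to the default receiver, and code after the `with` statement is unaffected. `env`, `report` and `other` are constructed names.

```javascript
// Added example, not code from the WebKit commit. It observes the `this`
// value a sloppy-mode call receives depending on how its callee was resolved,
// the cases a bytecode generator has to distinguish when a scope lookup may
// hit a JSWithScope. The Function constructor always produces sloppy-mode
// code, so `with` parses even when this file is loaded as a strict module.
const probe = new Function(`
  const env = { report() { return this; } };  // constructed with-object
  function report() { return this; }           // ordinary outer binding
  function other() { return this; }            // not present on env
  const results = {};

  with (env) {
    // "report" resolves on env, so the call's receiver is the with object.
    results.insideWith = report() === env;
    // Direct eval runs in the same scope chain, including the with scope.
    results.insideWithEval = eval("report()") === env;
    // Lexically inside with, but "other" is not on env: the lookup falls
    // through to the outer binding and the receiver is the default globalThis.
    results.insideWithMiss = other() === globalThis;
  }

  // Same scope, after the with statement: no with-object in the chain.
  results.afterWith = report() === globalThis;
  return results;
`);

// Reports, per call site, whether the receiver matched the expectation above.
function thisBindingsAroundWith() {
  return probe();
}
```

The third case is why the flag can only say a lookup *may* hit a JSWithScope; which receiver applies is decided by the scope actually resolved at run time.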