2021-04-15 Ruben Turcios <rubent_22@apple.com>
Cherry-pick r275924. rdar://problem/76707173
The watchdog should not fire when it's not active.
https://bugs.webkit.org/show_bug.cgi?id=224494
rdar://76581259
Reviewed by Saam Barati and Yusuke Suzuki.
The watchdog is only active when we have entered the VM. If we haven't entered
the VM, we postpone starting the watchdog. For example, see Watchdog::enteredVM()
and Watchdog::exitedVM().
The underlying timer may still fire the NeedWatchdogCheck event after
Watchdog::stopTimer() is called. So, we need to just ignore the event if the
watchdog isn't active.
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* runtime/Watchdog.h:
(JSC::Watchdog::isActive const):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@275924 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-04-13 Mark Lam <mark.lam@apple.com>
The watchdog should not fire when it's not active.
https://bugs.webkit.org/show_bug.cgi?id=224494
rdar://76581259
Reviewed by Saam Barati and Yusuke Suzuki.
The watchdog is only active when we have entered the VM. If we haven't entered
the VM, we postpone starting the watchdog. For example, see Watchdog::enteredVM()
and Watchdog::exitedVM().
The underlying timer may still fire the NeedWatchdogCheck event after
Watchdog::stopTimer() is called. So, we need to just ignore the event if the
watchdog isn't active.
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
* runtime/Watchdog.h:
(JSC::Watchdog::isActive const):
2021-04-10 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] B3 reduce-double-to-float should reduce only when constant double is canonical one to reduced float value
https://bugs.webkit.org/show_bug.cgi?id=224403
<rdar://problem/76259599>
Reviewed by Mark Lam.
When reducing double-constant value to float in B3, we should check whether the double value is a canonical one
which can be converted back from the reduced float value. For example, double 1.1 is not the one since it is truncated
into float 1.1 by removing some bits.
static_cast<double>(static_cast<float>(1.1)) != 1.1
Reducing such a double to float changes the semantics.
* b3/B3ConstDoubleValue.cpp:
(JSC::B3::ConstDoubleValue::dumpMeta const):
* b3/B3ConstFloatValue.cpp:
(JSC::B3::ConstFloatValue::dumpMeta const):
* b3/B3ReduceDoubleToFloat.cpp:
* b3/B3ReduceStrength.cpp:
* b3/testb3.h:
(populateWithInterestingValues):
* b3/testb3_1.cpp:
(run):
* b3/testb3_3.cpp:
(testConvertDoubleToFloatToDouble):
(testConvertDoubleToFloatEqual):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::JSC_DEFINE_JIT_OPERATION_WITH_ATTRIBUTES):
(JSC::FTL::DFG::LowerDFGToB3::crash):
(JSC::FTL::DFG::ftlUnreachable): Deleted.
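The canonical-double check described above, as an added example that is not WebKit's code: a double constant is only folded to a float when widening the narrowed float reproduces the identical double, and the bitwise comparison, out-of-range guard and sample values are this example's own choices.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

// Compare two doubles bit for bit. Using == instead would only differ for NaN
// (NaN != NaN would make every NaN non-reducible); signed zeros round-trip
// either way. The bitwise form is the strictest "same value" test and is a
// choice of this example, not JSC's.
static bool sameBits(double a, double b)
{
    uint64_t x, y;
    std::memcpy(&x, &a, sizeof x);
    std::memcpy(&y, &b, sizeof y);
    return x == y;
}

// A double constant may be replaced by a float constant only when widening the
// narrowed float yields the identical double, i.e. the double is the canonical
// widening of some float. Finite values beyond float range are rejected before
// the cast, since narrowing them is undefined behaviour in C++.
bool canReduceDoubleToFloat(double value)
{
    if (std::isfinite(value) && std::fabs(value) > std::numeric_limits<float>::max())
        return false;
    float narrowed = static_cast<float>(value);
    return sameBits(value, static_cast<double>(narrowed));
}

struct Sample {
    const char* label;
    double value;
};

// Constructed inputs in the spirit of a testb3 "interesting values" sweep.
std::vector<Sample> interestingDoubles()
{
    return {
        { "1.5 (exact in float)", 1.5 },
        { "1.1 (inexact in float, bits truncated)", 1.1 },
        { "-0.0", -0.0 },
        { "2^24 (largest run of exact integers in float)", 16777216.0 },
        { "2^24 + 1 (not representable in float)", 16777217.0 },
        { "+inf", std::numeric_limits<double>::infinity() },
        { "1e40 (beyond float range)", 1e40 },
        { "1e-40 (float subnormal range, loses bits)", 1e-40 },
    };
}

// Number of samples the reduction is allowed to fold.
size_t countReducible()
{
    size_t n = 0;
    for (const Sample& s : interestingDoubles())
        if (canReduceDoubleToFloat(s.value))
            ++n;
    return n;
}

int main()
{
    for (const Sample& s : interestingDoubles())
        std::printf("%-48s reducible=%s\n", s.label, canReduceDoubleToFloat(s.value) ? "yes" : "no");
    return 0;
}
```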
2021-04-10 Mark Lam <mark.lam@apple.com>
Enable VMTraps checks in RETURN_IF_EXCEPTION.
https://bugs.webkit.org/show_bug.cgi?id=224078
rdar://75037057
Reviewed by Keith Miller.
In pre-existing code, termination of a VM's execution can already be requested
asynchronously (with respect to the mutator thread). For example, sources of such
a request can be a watchdog timer firing, or a request to stop execution issued
from a main web thread to a worker thread.
This request is made by firing the VMTraps::NeedTermination event on VMTraps.
Firing the event here only means setting a flag to indicate the presence of the
request. We still have to wait till the mutator thread reaches one of the
pre-designated polling check points to call VMTraps::handleTraps() in order to
service the request. As a result of this need to wait for a polling check point,
if the mutator is executing in a long running C++ loop, then a termination request
may not be serviced for a long time.
However, we observed that a lot of our C++ loops already have RETURN_IF_EXCEPTION
checks. Hence, if we can check VMTraps::needHandling() there, we can service the
VMTraps events more frequently even in a lot of C++ loops, and get a better response.
Full details of what this patch changes:
1. Shorten some type and method names in the VMTraps class to make code easier to
read e.g. EventType => Event, needTrapHandling => needHandling.
2. Remove the VMTraps::Mask class. Mask was introduced so that we can express a
concatenation of multiple VMTraps events to form a bit mask in a simple way.
In the end, it isn't flexible enough but makes the code more complicated than
necessary. It is now replaced by the simpler solution of using macros to define
the Events as bit fields. Having Events as bit fields intrinsically makes them
easy to concatenate (bitwise or) or filter (bitwise and).
Also removed the unused VMTraps::Error class.
3. Make VMTraps::BitField a uint32_t. There was always unused padding in VMTraps
to allow for this. So, we'll just extend it to a full 32-bit to make it easier
to add more events in the future for other uses.
4. Add NeedExceptionHandling as a VMTrap::Event.
5. Make VMTraps::m_trapBits Atomic. This makes it easier to set and clear the
NeedExceptionHandling bit from the mutator without a lock.
6. RETURN_IF_EXCEPTION now checks VMTraps::m_trapBits (via VMTraps::needHandling())
instead of checking VM::m_exception. If the VMTraps::m_trapBits is non-null,
the macro will call VM::hasExceptionsAfterHandlingTraps() to service VMTraps
events as appropriate before returning whether an exception is being thrown.
The result of VM::hasExceptionsAfterHandlingTraps() will determine if
RETURN_IF_EXCEPTION returns or not.
VM::hasExceptionsAfterHandlingTraps() is intentionally designed to take a minimum
of arguments (just the VM as this pointer). This is because RETURN_IF_EXCEPTION
is called from many places, and we would like to minimize code size bloating
from this change.
7. Simplify parameters of VMTraps::handleTraps().
NeedDebuggerBreak's callFrame argument was always vm.topCallFrame anyway.
So, the patch makes it explicit, and removes the callFrame parameter.
NeedWatchdogCheck's globalObject argument should have always been
vm.entryScope->globalObject(), and we can remove the globalObject parameter.
Before this, we pass in whichever globalObject was convenient to grab hold of.
However, the idea of the watchdog is to time out the current script executing
on the stack. Hence, it makes sense to identify that script by the globalObject
in use at VM entry.
So far, the only clients that use the watchdog mechanism only operate in
scenarios with only one globalObject anyway. So this formalization to use
VMEntryScope's globalObject does not change the expected behavior.
8. Make the execution of termination more robust. Before reading this, please
read the description of the Events in VMTraps.h first, especially the section
on NeedTermination.
Here's the life cycle of a termination:
a. a client requests termination of the current execution stack by calling
VM::notifyNeedTermination(). notifyNeedTermination() does 2 things:
i. fire the NeedTermination event on VMTraps.
ii. set the VM::m_terminationInProgress flag.
b. Firing the NeedTermination event on VMTraps means setting the NeedTermination
bit on VMTraps::m_trapBits. This bit will be polled by the mutator thread
later at various designated points (including RETURN_IF_EXCEPTION, which we
added in this patch).
Once the mutator sees the NeedTermination bit is set, it will clear the bit
and throw the TerminationException (see VMTraps::handleTraps()). This is
unless the mutator thread is currently in a DeferTermination scope (see (8)
below). If in a DeferTermination scope, then it will not throw the
TerminationException.
Since the NeedTermination bit is cleared, the VM will no longer call
VMTraps::handleTraps() to service the event. If the mutator thread is in
a DeferTermination scope, then on exiting the scope (at scope destruction),
the scope will see that VM::m_terminationInProgress is set, and throw the
deferred TerminationException then.
c. The TerminationException will trigger unwinding out of the current stack
until we get to the outermost VMEntryScope.
d. At the outermost VMEntryScope, we will clear VM::m_terminationInProgress
if the NeedTermination bit in VMtraps::m_trapBits is cleared.
If the NeedTermination bit is set, then that means we haven't thrown the
TerminationException yet. Currently, clients expect that we must throw the
TerminationException if NeedTermination was requested (again, read comments
at the top of VMTraps.h).
If the NeedTermination bit is set, we'll leave VM::m_terminationInProgress
set until the next time we re-enter the VM and exit to the outermost
VMEntryScope.
e. The purpose of VM::m_terminationInProgress is to provide a summary of the
fact that the VM is in a state of trying to terminate the current stack.
Note that this state is first indicated by the NeedTermination bit being set
in VMTraps::m_trapBits. Then, in VMTraps::handleTraps(), the state is
handed off with the NeedTermination bit being cleared, and the
TerminationException being thrown.
While the VM is in this termination state, we need to prevent new DFG/FTL
JIT code from being compiled and run. The reason is the firing of the
NeedTermination event has invalidated DFG/FTL code on the stack, thereby
allowing their baseline / LLInt versions which have VMTraps polling checks
to run. We don't want to compile new DFG / FTL code and possibly get stuck
in loops in there before the termination is complete.
In operationOptimize(), we check if VM::m_terminationInProgress is set, and
prevent new DFG (and therefore FTL) code from being compiled if needed.
Note: it is easier to check a single flag, VM::m_terminationInProgress,
than to check both if the NeedTermination bit is set or if the
TerminationException is being thrown.
9. One complication of being able to service VMTraps in RETURN_IF_EXCEPTION checks
is that some of our code (usually for lengthier initializations and bootstrapping)
currently does not handle exceptions well, e.g. JSGlobalObject::init(). They
rely on the code crashing if an exception is thrown while still initializing.
However, for a worker thread, a TerminationException (requested by the main
thread) may arrive before the initialization is complete. This can lead to
crashes because part of the initialization may be aborted in the presence of
an exception, while other parts still expect everything prior to have been
initialized correctly. For resource exhaustion cases (which is abnormal), it
is OK to crash. For the TerminationException (which can be part of normal
operation), we should not be crashing.
To work around this, we introduce a DeferTermination RAII scope object that we
deploy in this type of initialization code. With the scope in effect,
a. if a TerminationException arrives but hasn't been thrown yet, it will be
deferred till the scope ends before being thrown.
b. if a TerminationException has already been thrown, the scope will stash
the exception, clear it from the VM so that the initialization code can
run to completion, and then re-throw the exception when the scope ends.
Currently, we only need to use the DeferTermination scope in a few places
where we know that initialization code will only run for a short period of time.
DeferTermination should not be used for code that can block waiting on an
external event for a long time. Obviously, doing so will prevent the VM
termination mechanism from working.
10. Replaced llint_slow_path_check_if_exception_is_uncatchable_and_notify_profiler
and operationCheckIfExceptionIsUncatchableAndNotifyProfiler with
llint_slow_path_retrieve_and_clear_exception_if_catchable and
operationRetrieveAndClearExceptionIfCatchable.
The 2 runtime functions don't actually do anything to notify a profiler.
So, we drop that part of the name.
After returning from these runtime functions respectively, the previous LLInt
and JIT code, which calls these runtime functions, would go on to load
VM::m_exception, and then store a nullptr there to clear it. This is wasteful.
This patch changes the runtime function to clear and return the Exception
instead. As a result, the calling LLInt and JIT code is simplified a bit.
Note also that clearing an exception now also entails clearing the
NeedExceptionHandling bit in VMTraps::m_trapBits in an atomic way. The above
change makes it easy to do this clearing with C++ code.
11. Fix ScriptFunctionCall::call() to handle exceptions correctly. Previously,
it had one case where it propagates an exception, while another eats it.
Change this function to eat the exception in both cases. This is appropriate
because ScriptFunctionCall is only used to execute some Inspector instrumentation
calls. It doesn't make sense to propagate the exception back to user code.
12. Fix the lazy initialization of JSGlobalObject::m_defaultCollator to be able to
handle the TerminationException.
13. Not related to TerminationException, but this patch also fixes
MarkedArgumentBuffer::expandCapacity() to use Gigacage::tryMalloc() instead of
Gigacage::malloc(). This is needed as one of the fixes to make the
accompanying test case work.
This patch increases code size by 320K (144K for JSC, 176K for WebCore) measured
on x86_64.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchTest32):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchTest32):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchTest32):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::branchTest32):
* bindings/ScriptFunctionCall.cpp:
(Deprecated::ScriptFunctionCall::call):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckTraps):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeModuleProgram):
* interpreter/InterpreterInlines.h:
(JSC::Interpreter::execute):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_check_traps):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_catch):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::expandCapacity):
* runtime/DeferTermination.h: Added.
(JSC::DeferTermination::DeferTermination):
(JSC::DeferTermination::~DeferTermination):
* runtime/ExceptionScope.h:
(JSC::ExceptionScope::exception const):
(JSC::ExceptionScope::exception): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::finishCreation):
* runtime/LazyPropertyInlines.h:
(JSC::ElementType>::callFunc):
* runtime/StringPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/VM.cpp:
(JSC::VM::hasExceptionsAfterHandlingTraps):
(JSC::VM::clearException):
(JSC::VM::setException):
(JSC::VM::throwTerminationException):
(JSC::VM::throwException):
* runtime/VM.h:
(JSC::VM::terminationInProgress const):
(JSC::VM::setTerminationInProgress):
(JSC::VM::notifyNeedTermination):
(JSC::VM::DeferExceptionScope::DeferExceptionScope):
(JSC::VM::DeferExceptionScope::~DeferExceptionScope):
(JSC::VM::handleTraps): Deleted.
(JSC::VM::needTrapHandling): Deleted.
(JSC::VM::needTrapHandlingAddress): Deleted.
(JSC::VM::setException): Deleted.
(JSC::VM::clearException): Deleted.
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMTraps.cpp:
(JSC::VMTraps::tryInstallTrapBreakpoints):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::handleTraps):
(JSC::VMTraps::takeTopPriorityTrap):
(JSC::VMTraps::deferTermination):
(JSC::VMTraps::undoDeferTermination):
* runtime/VMTraps.h:
(JSC::VMTraps::onlyContainsAsyncEvents):
(JSC::VMTraps::needHandling const):
(JSC::VMTraps::trapBitsAddress):
(JSC::VMTraps::isDeferringTermination const):
(JSC::VMTraps::notifyGrabAllLocks):
(JSC::VMTraps::hasTrapBit):
(JSC::VMTraps::clearTrapBit):
(JSC::VMTraps::setTrapBit):
(JSC::VMTraps::Mask::Mask): Deleted.
(JSC::VMTraps::Mask::allEventTypes): Deleted.
(JSC::VMTraps::Mask::bits const): Deleted.
(JSC::VMTraps::Mask::init): Deleted.
(JSC::VMTraps::interruptingTraps): Deleted.
(JSC::VMTraps::needTrapHandling): Deleted.
(JSC::VMTraps::needTrapHandlingAddress): Deleted.
(JSC::VMTraps::hasTrapForEvent): Deleted.
(JSC::VMTraps::setTrapForEvent): Deleted.
(JSC::VMTraps::clearTrapForEvent): Deleted.
2021-04-09 Alexey Shvayka <shvaikalesh@gmail.com>
Remove className() and toStringName() from the method table
https://bugs.webkit.org/show_bug.cgi?id=224247
Reviewed by Darin Adler.
ES6 introduced Symbol.toStringTag to customize Object.prototype.toString return value.
It was adopted by WebIDL spec, Chrome's DevTools, Node.js etc. There is no reason to
keep 2 method table methods, each with only 1 call site, instead of using the symbol.
Also, it's a bit confusing that for some objects, the method table's className() returns
a different result than JSCell::className(VM&).
This change:
1. Removes JSProxy's className() / toStringName() methods because its target() is a
global object that never has these overrides and uses Symbol.toStringTag instead.
2. Removes DebuggerScope's className() / toStringName() overrides because its objectAtScope()
has these methods extremely rarely (e.g. `with (new Date) {}`), and it's not displayed
by Web Inspector.
3. Merges JSCallbackObject's className() / toStringName() methods into Symbol.toStringTag
branch of getOwnPropertySlot(), with permissive property attributes. To avoid any possible
breakage, we make sure that it will be shadowed by a structure property.
4. Reworks JSObject::calculatedClassName() to rely on Symbol.toStringTag, matching Chrome's
DevTools behavior. On its own, it's a nice change for Web Inspector. We make sure to
lookup Symbol.toStringTag if `constructor.name` inference fails to avoid confusion when
extending builtins.
5. Removes now unused className() from the method table.
6. Removes toStringName() override from JSFinalizationRegistry because its builtin tag [1]
is already "Object".
7. Introduces BooleanObjectType for Boolean wrapper object, and Boolean.prototype as it's
also required to have a [[BooleanData]] internal slot [2].
8. Reworks Object.prototype.toString to determine builtin tag [1] based on JSType rather than
performing method table call. It's guaranteed that a) the set of types we are checking
against won't be expanded, and b) objects with these types have correct `className`.
9. Removes now unused toStringTag() from the method table.
This patch is performance-neutral and carefully preserves current behavior for API objects,
including isPokerBros() hack.
[1]: https://tc39.es/ecma262/#sec-object.prototype.tostring (steps 5-14)
[2]: https://tc39.es/ecma262/#sec-properties-of-the-boolean-prototype-object
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
(JSC::JSCallbackObject<Parent>::className): Deleted.
(JSC::JSCallbackObject<Parent>::toStringName): Deleted.
* API/tests/testapiScripts/testapi.js:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::className): Deleted.
(JSC::DebuggerScope::toStringName): Deleted.
* debugger/DebuggerScope.h:
* runtime/BooleanObject.cpp:
(JSC::BooleanObject::toStringName): Deleted.
* runtime/BooleanObject.h:
(JSC::BooleanObject::createStructure):
* runtime/BooleanPrototype.h:
* runtime/ClassInfo.h:
* runtime/DateInstance.cpp:
(JSC::DateInstance::toStringName): Deleted.
* runtime/DateInstance.h:
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::toStringName): Deleted.
* runtime/ErrorInstance.h:
* runtime/JSCell.cpp:
(JSC::JSCell::className): Deleted.
(JSC::JSCell::toStringName): Deleted.
* runtime/JSCell.h:
* runtime/JSFinalizationRegistry.cpp:
(JSC::JSFinalizationRegistry::toStringName): Deleted.
* runtime/JSFinalizationRegistry.h:
* runtime/JSObject.cpp:
(JSC::JSObject::calculatedClassName):
(JSC::JSObject::className): Deleted.
(JSC::isPokerBros): Deleted.
(JSC::JSObject::toStringName): Deleted.
* runtime/JSObject.h:
* runtime/JSProxy.cpp:
(JSC::JSProxy::className): Deleted.
(JSC::JSProxy::toStringName): Deleted.
* runtime/JSProxy.h:
* runtime/JSType.cpp:
(WTF::printInternal):
* runtime/JSType.h:
* runtime/NumberObject.cpp:
(JSC::NumberObject::toStringName): Deleted.
* runtime/NumberObject.h:
(JSC::NumberObject::createStructure):
* runtime/ObjectPrototype.cpp:
(JSC::isPokerBros):
(JSC::inferBuiltinTag):
(JSC::objectPrototypeToString):
1. Removes jsNontrivialString() because its assertion may fail in case of iOS hack.
2. Utilizes AtomStringImpl to avoid allocating StringImpl for a small fixed set of strings.
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::toStringName): Deleted.
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::toStringName): Deleted.
* runtime/StringObject.h:
2021-04-08 Khem Raj <raj.khem@gmail.com>
[WPE] Build fixes for musl C library on Linux
https://bugs.webkit.org/show_bug.cgi?id=210068
Reviewed by Carlos Alberto Lopez Perez.
Use OS(LINUX) to include musl in platform test
for linux and consolidate all linux platforms
under same test. Use smaller limits for JSC
stack size per thread and reserved zone size.
* runtime/MachineContext.h:
(JSC::MachineContext::stackPointerImpl):
(JSC::MachineContext::framePointerImpl):
(JSC::MachineContext::instructionPointerImpl):
(JSC::MachineContext::argumentPointer<1>):
(JSC::MachineContext::llintInstructionPointer):
* runtime/OptionsList.h:
2021-04-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] DUCET level-1 weights are equal if characters are alphabets
https://bugs.webkit.org/show_bug.cgi?id=224047
Reviewed by Saam Barati and Mark Lam.
ASCII comparison optimization was based on the assumption that DUCET level-1 weights are all different (except for the 0000 case), but this was wrong.
If we have the same latin letters with different capitalization, then they have the same level-1 weight ('A' v.s. 'a').
In this patch,
1. If we found that the result of level-1 weight comparison is equal, and characters are not equal, then we do level-3 weight comparison.
We do not perform level-2 since they are all the same weight in ASCII (excluding control characters) region.
2. We do not perform level-4 weight comparison since level-1 and level-3 comparison must distinguish the strings. Level-1 weights are equal
only when characters are the same latin letters. And level-3 weight puts different weights for capital latin letters. Since we already know
that these strings are different while they are equal in level-1 weight comparison, the only case is that they have same latin letters in
the same position. In that case, level-3 weight must say different results for these characters so that we never meet "equal" status in
level-3 weight comparison if characters are different.
* runtime/IntlObject.cpp:
* runtime/IntlObject.h:
* runtime/IntlObjectInlines.h:
(JSC::canUseASCIIUCADUCETComparison):
(JSC::compareASCIIWithUCADUCETLevel3):
(JSC::compareASCIIWithUCADUCET):
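A simplified model of the level-1 then level-3 comparison described above, added here as an example and not taken from JSC's IntlObjectInlines.h. It assumes only ASCII letters and digits (digits before letters, letters ordered alphabetically regardless of case at level 1, lowercase before uppercase at level 3, as in DUCET); the weight values and function names are this example's own, and compareLevel1Only shows the pre-fix result where 'a' and 'A' compare equal.

```cpp
#include <algorithm>
#include <cctype>
#include <optional>
#include <string>

// Level-1 (primary) weight for the restricted ASCII subset this model supports.
// Digits sort before letters; case is ignored, so 'a' and 'A' share a weight,
// which is exactly the situation the original optimization mishandled.
// Any other character makes the fast path inapplicable (nullopt).
static std::optional<int> level1Weight(unsigned char c)
{
    if (std::isdigit(c))
        return 1 + (c - '0');
    if (std::isalpha(c))
        return 20 + (std::tolower(c) - 'a');
    return std::nullopt;
}

// Level-3 (tertiary) weight: lowercase precedes uppercase in DUCET.
// Digits carry the lowercase weight since they have no case variant.
static int level3Weight(unsigned char c)
{
    return std::isupper(c) ? 2 : 1;
}

// Guard equivalent in spirit to canUseASCIIUCADUCETComparison: every character
// must have a known weight in this model.
bool canUseFastComparison(const std::string& s)
{
    for (unsigned char c : s) {
        if (!level1Weight(c))
            return false;
    }
    return true;
}

// Pre-fix behaviour (assumed from the description): level-1 weights alone,
// so strings differing only in case are reported "equal".
int compareLevel1Only(const std::string& a, const std::string& b)
{
    size_t n = std::min(a.size(), b.size());
    for (size_t i = 0; i < n; ++i) {
        int wa = *level1Weight(a[i]), wb = *level1Weight(b[i]);
        if (wa != wb)
            return wa < wb ? -1 : 1;
    }
    if (a.size() != b.size())
        return a.size() < b.size() ? -1 : 1;
    return 0;
}

// Fixed behaviour: the whole string is compared at level 1 first (including
// length, since a prefix sorts first), and only if that is a tie do we fall
// back to level 3. Level 2 is skipped because it is uniform for these
// characters. Callers must have checked canUseFastComparison on both inputs.
int compareLevel1ThenLevel3(const std::string& a, const std::string& b)
{
    int primary = compareLevel1Only(a, b);
    if (primary != 0)
        return primary;
    // Level-1 tie with equal length: at each position the characters are the
    // same letter or digit, differing at most in case, so the first position
    // where the characters differ is decided by the level-3 weights.
    for (size_t i = 0; i < a.size(); ++i) {
        if (a[i] == b[i])
            continue;
        int wa = level3Weight(a[i]), wb = level3Weight(b[i]);
        return wa < wb ? -1 : 1;
    }
    return 0;
}
```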
2021-04-02 Darin Adler <darin@apple.com>
Use Hasher more, remove IntegerHasher, fix hashing-related mistakes
https://bugs.webkit.org/show_bug.cgi?id=224138
Reviewed by Chris Dumez.
* bytecode/BytecodeIndex.h:
(JSC::BytecodeIndex::hash const): Remove unneeded WTF prefix on call
to intHash.
* ftl/FTLAbstractHeap.h: Use HashTraits instead of WTF::GenericHashTraits.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::validateAIState): Remove unneeded WTF
prefix on call to intHash.
* wasm/WasmLLIntGenerator.cpp: Use HashTraits instead of WTF::GenericHashTraits.
2021-04-07 Mark Lam <mark.lam@apple.com>
Rename and make the TerminationException a singleton.
https://bugs.webkit.org/show_bug.cgi?id=224295
Reviewed by Keith Miller.
We previously called it the TerminatedExecutionException, which is a mouthful but
adds no meaningful information. It's now renamed to TerminationException.
We can make it a singleton because the TerminationException is just a VM internal
mechanism for implementing the termination of the current execution stack. It
should never be exposed to user JS code, and therefore, there is no value in
making it a JS object. Making it a singleton simplifies the code.
A TerminationException is now implemented as an Exception cell which holds a
Symbol with the name "TerminationError". The TerminationException is only created
if needed e.g. if the JSC watchdog is created, or if the VM is for a Worker thread
which needs to be able to handle termination requests.
We'll also stop notifying the debugger when we throw the TerminationException.
This is because the TerminationException is not like ordinary exceptions that
should be reported to the debugger. The fact that the TerminationException uses
the exception handling mechanism is just a VM internal implementation detail.
It is not meaningful to report it to the debugger as an exception.
* API/JSContext.mm:
(-[JSContext evaluateJSScript:]):
* API/tests/ExecutionTimeLimitTest.cpp:
(testExecutionTimeLimit):
* bindings/ScriptFunctionCall.cpp:
(Deprecated::ScriptFunctionCall::call):
* heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::injectedScriptFor):
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
(JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jsc.cpp:
(checkException):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ExceptionHelpers.cpp:
(JSC::TerminatedExecutionError::defaultValue): Deleted.
(JSC::createTerminatedExecutionException): Deleted.
(JSC::isTerminatedExecutionException): Deleted.
(JSC::throwTerminatedExecutionException): Deleted.
* runtime/ExceptionHelpers.h:
(): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::get const):
* runtime/JSPromise.cpp:
(JSC::JSPromise::rejectWithCaughtException):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::ensureWatchdog):
(JSC::VM::ensureTerminationException):
(JSC::VM::throwTerminationException):
(JSC::VM::throwException):
* runtime/VM.h:
(JSC::VM::terminationException const):
(JSC::VM::isTerminationException const):
* runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
2021-04-07 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use FixedVector more in bytecode dir and JumpTable
https://bugs.webkit.org/show_bug.cgi?id=224275
Reviewed by Michael Saboff and Mark Lam.
1. Use FixedVector more in bytecode/ directory's long-living data structures.
2. Use FixedVector in SimpleJumpTable. This involves LLInt changes because we need to access FixedVector data from LLInt.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/InlineCallFrame.cpp:
(JSC::InlineCallFrame::dumpInContext const):
* bytecode/InlineCallFrame.h:
* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::clear):
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::ObjectPropertyConditionSet::mergedWith const):
(JSC::ObjectPropertyConditionSet::dumpInContext const):
(JSC::ObjectPropertyConditionSet::isValidAndWatchable const):
* bytecode/ObjectPropertyConditionSet.h:
(JSC::ObjectPropertyConditionSet::create):
(JSC::ObjectPropertyConditionSet::isValid const):
(JSC::ObjectPropertyConditionSet::size const):
(JSC::ObjectPropertyConditionSet::begin const):
(JSC::ObjectPropertyConditionSet::end const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
(JSC::DFG::ByteCodeParser::flushImpl):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::isLiveInBytecode):
* dfg/DFGGraph.h:
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::argumentsStart):
* jit/SetupVarargsFrame.cpp:
(JSC::emitSetupVarargsFrameFastCase):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createWithInlineFrame):
2021-04-07 Mark Lam <mark.lam@apple.com>
Fix a typo in JITUncoughtExceptionAfterCall.
https://bugs.webkit.org/show_bug.cgi?id=224290
Reviewed by Keith Miller.
* assembler/AbortReason.h:
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::jitReleaseAssertNoException):
2021-04-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] WasmMemory caging should care about nullptr
https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>
Reviewed by Mark Lam.
1. Fix Wasm::MemoryHandle::boundsCheckingSize. We should just return m_mappedCapacity here since UINT32_MAX is not 4GB.
This checking size can include redzone for fast-memory, but this is OK: bounds-check pass in LLInt (in upper tiers, we
do not use bounds-check for fast-memory), and access to redzone, then fault occurs and signal handler can make it error
since signal handler is checking whether the access is within Memory::fastMappedBytes which includes redzone.
2. Fix caging of wasm memory-base pointer in LLInt. We should use pointer sized length since it can be larger than 4GB.
And we should handle nullptr case correctly: Wasm::MemoryHandle's memory can be nullptr when mapped size is zero.
Caging needs to handle this case as we do in CagedPtr::getMayBeNull.
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::untagArrayPtrLength32):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
* llint/LowLevelInterpreter64.asm:
* llint/WebAssembly.asm:
* offlineasm/arm64e.rb:
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* runtime/CagedBarrierPtr.h:
(JSC::CagedBarrierPtr::CagedBarrierPtr):
(JSC::CagedBarrierPtr::set):
(JSC::CagedBarrierPtr::get const):
(JSC::CagedBarrierPtr::getMayBeNull const):
(JSC::CagedBarrierPtr::at const):
(JSC::CagedBarrierPtr::setWithoutBarrier):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::updateCachedMemory):
* wasm/WasmMemory.cpp:
(JSC::Wasm::MemoryHandle::MemoryHandle):
* wasm/WasmMemory.h:
2021-04-06 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use FixedVector more in JSC
https://bugs.webkit.org/show_bug.cgi?id=224255
Reviewed by Mark Lam.
Use FixedVector more aggressively. This reduces sizeof(Holder) since sizeof(FixedVector) is 8
while sizeof(Vector) is 16. And since this allocates just-fit size, this does not waste memory.
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::BytecodeLivenessAnalysis::computeFullLiveness):
* bytecode/BytecodeLivenessAnalysis.h:
* bytecode/FullBytecodeLiveness.h:
(JSC::FullBytecodeLiveness::FullBytecodeLiveness):
* bytecode/UnlinkedEvalCodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::livenessFor):
* ftl/FTLForOSREntryJITCode.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileRecovery):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::sweepPreciseAllocations):
* jit/RegisterAtOffsetList.cpp:
(JSC::RegisterAtOffsetList::RegisterAtOffsetList):
* jit/RegisterAtOffsetList.h:
(JSC::RegisterAtOffsetList::begin const):
(JSC::RegisterAtOffsetList::end const):
(JSC::RegisterAtOffsetList::clear): Deleted.
* runtime/JSGlobalObject.h:
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::finishCreation):
* runtime/JSModuleNamespaceObject.h:
* yarr/YarrPattern.h:
(JSC::Yarr::YarrPattern::resetForReparsing):
2021-04-06 Alexey Shvayka <shvaikalesh@gmail.com>
Symbol and BigInt wrapper objects should perform OrdinaryToPrimitive
https://bugs.webkit.org/show_bug.cgi?id=224208
Reviewed by Yusuke Suzuki.
ES6 introduced Symbol.toPrimitive as the only way to override ToPrimitive;
if it's nullish, OrdinaryToPrimitive [1] is performed unconditionally.
This patch removes two redundant defaultValue() overrides, fixing JSC to call
(possibly userland) toString() / valueOf() methods of a) Symbol objects whose
Symbol.toPrimitive was removed, and b) BigInt wrapper objects.
Aligns JSC with V8 and SpiderMonkey. Coercion of primitives is unaffected.
Also, removes dummy BigIntObject::internalValue() override.
[1]: https://tc39.es/ecma262/#sec-toprimitive (step 2.d)
* runtime/BigIntObject.cpp:
(JSC::BigIntObject::defaultValue): Deleted.
* runtime/BigIntObject.h:
* runtime/SymbolObject.cpp:
(JSC::SymbolObject::defaultValue): Deleted.
* runtime/SymbolObject.h:
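Added example, not part of this ChangeLog or of JSC's sources: it observes the OrdinaryToPrimitive behaviour the entry above describes on Symbol and BigInt wrapper objects. The function names (instrumentWrapper, observeCoercions, untouchedSymbolWrapperCoercion) and the overridden return values 42 / "str" are assumptions of the example; only the wrapper objects created here are modified, never the prototypes.

```javascript
// Added example (not WebKit/JSC code): once Symbol.toPrimitive on a wrapper is
// nullish, ToPrimitive falls through to OrdinaryToPrimitive, which calls the
// (possibly userland) toString() / valueOf() in hint-dependent order.
// https://tc39.es/ecma262/#sec-toprimitive (step 2.d)

// Installs a nullish own Symbol.toPrimitive on the wrapper (bypassing the
// exotic Symbol.prototype[@@toPrimitive]) plus own valueOf/toString overrides
// that record which one ran. Constructed return values: 42 and "str".
function instrumentWrapper(wrapper) {
  const calls = [];
  Object.defineProperty(wrapper, Symbol.toPrimitive, { value: undefined, configurable: true });
  Object.defineProperty(wrapper, "valueOf", {
    value() { calls.push("valueOf"); return 42; }, configurable: true,
  });
  Object.defineProperty(wrapper, "toString", {
    value() { calls.push("toString"); return "str"; }, configurable: true,
  });
  return calls;
}

// Drives the three ToPrimitive hints and reports the coerced results and the
// order in which the overrides were invoked.
function observeCoercions(wrapper) {
  const calls = instrumentWrapper(wrapper);
  const results = {};
  results.string = String(wrapper);   // hint "string": toString first
  results.number = wrapper * 2;       // hint "number": valueOf first
  results.default = wrapper + "";     // hint "default": treated as "number"
  return { results, calls: calls.slice() };
}

// Contrast: an untouched Symbol wrapper still takes the exotic @@toPrimitive
// path, which yields the symbol itself, so ToString throws a TypeError.
function untouchedSymbolWrapperCoercion() {
  try {
    return String(Object(Symbol("s")));
  } catch (e) {
    return e.constructor.name;
  }
}
```

The same walk works for Object(Symbol("s")) and Object(BigInt(10)): with the exotic method out of the way, both report toString for the string hint and valueOf for the number and default hints, which is exactly the ordering the removed defaultValue() overrides had been short-circuiting.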
2021-04-06 Alexey Shvayka <shvaikalesh@gmail.com>
Array's toString() is incorrect if join() is non-callable
https://bugs.webkit.org/show_bug.cgi?id=224215
Reviewed by Yusuke Suzuki.
This patch exposes objectPrototypeToString() to be used by Array.prototype.toString
if "join" lookup doesn't return a callable value [1].
Fixes Array's toString() to return the correct tag instead of internal `className`,
perform Symbol.toStringTag lookup, and throw for revoked Proxy objects.
Aligns JSC with V8 and SpiderMonkey.
Also, a few objectPrototypeToString() tweaks: a bit nicer `undefined` / `null`
checks and simpler toObject() exception handling.
[1]: https://tc39.es/ecma262/#sec-array.prototype.tostring (step 3)
* runtime/ArrayPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectPrototype.cpp:
(JSC::objectPrototypeToString):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectPrototype.h:
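Added example, not part of this ChangeLog or of JSC's sources: a spec-style reference implementation of Array.prototype.toString, checked against the engine's own builtin on the three cases the entry names (a non-callable "join", a Symbol.toStringTag, and a revoked Proxy). The function names specArrayToString, compareWithBuiltin and sampleCases, and the sample inputs, are constructed for this example.

```javascript
// Added example (not WebKit/JSC code): Array.prototype.toString written out
// step by step from https://tc39.es/ecma262/#sec-array.prototype.tostring,
// so the "join is not callable" fallback (step 3) is visible.

function specArrayToString(thisValue) {
  // Step 1: Let array be ? ToObject(this value).
  if (thisValue === null || thisValue === undefined)
    throw new TypeError("Array.prototype.toString called on null or undefined");
  const array = Object(thisValue);
  // Step 2: Let func be ? Get(array, "join").
  // On a revoked Proxy this [[Get]] throws a TypeError, which is why a revoked
  // Proxy must throw here instead of reporting an internal class name.
  let func = array.join;
  // Step 3: If IsCallable(func) is false, set func to %Object.prototype.toString%.
  // That builtin performs the Symbol.toStringTag lookup, so the tag shows up.
  if (typeof func !== "function")
    func = Object.prototype.toString;
  // Step 4: Return ? Call(func, array).
  return func.call(array);
}

// Runs one value through the reference and through the engine builtin and
// reports whether they agree; a thrown error is recorded by its class name.
function compareWithBuiltin(value) {
  const run = (fn) => {
    try { return { ok: true, value: fn() }; }
    catch (e) { return { ok: false, value: e.constructor.name }; }
  };
  const spec = run(() => specArrayToString(value));
  const builtin = run(() => Array.prototype.toString.call(value));
  return {
    spec: spec.value,
    builtin: builtin.value,
    agree: spec.ok === builtin.ok && spec.value === builtin.value,
  };
}

// Constructed inputs covering the cases named in the entry above.
function sampleCases() {
  const plain = [1, 2, 3];
  const nonCallableJoin = Object.assign([1, 2, 3], { join: 42 });
  const tagged = Object.assign([1, 2, 3], { join: null, [Symbol.toStringTag]: "Custom" });
  const { proxy, revoke } = Proxy.revocable([], {});
  revoke();
  return { plain, nonCallableJoin, tagged, revokedProxy: proxy };
}
```

With "join" shadowed by a non-callable value the result is "[object Array]" rather than "1,2,3", a Symbol.toStringTag on the array changes it to "[object Custom]", and a revoked Proxy throws a TypeError from the "join" lookup itself; compareWithBuiltin() confirms that a conforming engine matches the reference on every case.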
2021-04-06 Yusuke Suzuki <ysuzuki@apple.com>
[WTF] Introduce FixedVector and use it for FixedOperands
https://bugs.webkit.org/show_bug.cgi?id=224171
Reviewed by Mark Lam.
Define FixedOperands<T> which uses FixedVector for its storage. We use FixedOperands in FTL::OSRExitDescriptor.
We also replace RefCountedArray<T> with FixedVector<T> where the ref-counting semantics of RefCountedArray<T>
are not required.
* bytecode/BytecodeGeneratorification.cpp:
(JSC::BytecodeGeneratorification::run):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::setNumParameters):
(JSC::CodeBlock::setRareCaseProfiles):
(JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
* bytecode/CodeBlock.h:
* bytecode/Operands.h:
(JSC::Operands::Operands):
* bytecode/OperandsInlines.h:
(JSC::U>::dumpInContext const):
(JSC::U>::dump const):
(JSC::Operands<T>::dumpInContext const): Deleted.
(JSC::Operands<T>::dump const): Deleted.
* bytecode/PolyProtoAccessChain.h:
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
(JSC::UnlinkedCodeBlock::expressionRangeForBytecodeIndex const):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::expressionInfo):
(JSC::UnlinkedCodeBlock::identifiers const):
(JSC::UnlinkedCodeBlock::constantRegisters):
(JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
(JSC::UnlinkedCodeBlock::constantIdentifierSets):
(JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
* bytecode/UnlinkedFunctionExecutable.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::prepareJumpTableForSwitch):
* dfg/DFGJITCode.h:
* dfg/DFGPlan.h:
(JSC::DFG::Plan::tierUpInLoopHierarchy):
* ftl/FTLOSRExit.h:
* jit/GCAwareJITStubRoutine.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
* jit/PolymorphicCallStubRoutine.h:
* llint/LLIntOffsetsExtractor.cpp:
* llint/LowLevelInterpreter.asm:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseClassFieldInitializerSourceElements):
* parser/Parser.h:
(JSC::Parser<LexerType>::parse):
(JSC::parse):
* runtime/CachedTypes.cpp:
(JSC::CachedVector::encode):
(JSC::CachedVector::decode const):
* wasm/js/JSWebAssemblyInstance.h:
2021-04-05 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Shrink some of Vectors in JSC
https://bugs.webkit.org/show_bug.cgi?id=224162
Reviewed by Simon Fraser.
1. Add XXXStatus::shrinkToFit to shrink underlying dynamic Vectors.
2. Replace tierUpInLoopHierarchy's Vector with RefCountedArray since it is constructed-once-lookup-only data.
3. Use MemoryCompactLookupOnlyRobinHoodHashSet for StringTables since this is constructed-once-lookup-only data. We also add
MemoryCompactLookupOnlyRobinHoodHashSet support for CachedTypes.
4. Use resizeToFit for StringSwitchJumpTables and SwitchJumpTables.
5. JITStubRoutineSet's Vector should be shrunk.
6. BlockDirectoryBits's Vector's initial size should be small.
7. Make PolyProtoAccessChain RefCounted, and use RefCountedArray for its Vector<StructureID>. And remove PolyProtoAccessChain::clone.
Just having Ref is enough since this is immutable data.
8. Use RefCountedArray for UnlinkedFunctionExecutable's m_classFieldLocations.
9. Use RefCountedArray for JSWebAssemblyInstance.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::AccessCase):
(JSC::AccessCase::create):
(JSC::AccessCase::createTransition):
* bytecode/AccessCase.h:
(JSC::AccessCase::AccessCase): Deleted.
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::setFrameShuffleData):
* bytecode/CheckPrivateBrandStatus.cpp:
(JSC::CheckPrivateBrandStatus::shrinkToFit):
(JSC::CheckPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::CheckPrivateBrandStatus::merge):
* bytecode/CheckPrivateBrandStatus.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/DeleteByStatus.cpp:
(JSC::DeleteByStatus::shrinkToFit):
(JSC::DeleteByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::DeleteByStatus::merge):
* bytecode/DeleteByStatus.h:
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::shrinkToFit):
(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::GetByStatus::computeFor):
(JSC::GetByStatus::merge):
* bytecode/GetByStatus.h:
* bytecode/GetterSetterAccessCase.cpp:
(JSC::GetterSetterAccessCase::GetterSetterAccessCase):
(JSC::GetterSetterAccessCase::create):
* bytecode/GetterSetterAccessCase.h:
* bytecode/InByIdStatus.cpp:
(JSC::InByIdStatus::shrinkToFit):
(JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::InByIdStatus::merge):
* bytecode/InByIdStatus.h:
* bytecode/InstanceOfStatus.cpp:
(JSC::InstanceOfStatus::shrinkToFit):
(JSC::InstanceOfStatus::computeForStubInfo):
* bytecode/InstanceOfStatus.h:
* bytecode/IntrinsicGetterAccessCase.cpp:
(JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
(JSC::IntrinsicGetterAccessCase::create):
* bytecode/IntrinsicGetterAccessCase.h:
* bytecode/JumpTable.h:
* bytecode/PolyProtoAccessChain.cpp:
(JSC::PolyProtoAccessChain::tryCreate):
(JSC::PolyProtoAccessChain::create): Deleted.
* bytecode/PolyProtoAccessChain.h:
(JSC::PolyProtoAccessChain::clone): Deleted.
(JSC::PolyProtoAccessChain::chain const): Deleted.
(JSC::PolyProtoAccessChain::operator!= const): Deleted.
(JSC::PolyProtoAccessChain::forEach const): Deleted.
(JSC::PolyProtoAccessChain::slotBaseStructure const): Deleted.
* bytecode/PolymorphicAccess.cpp:
(JSC::PolymorphicAccess::visitWeak const):
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
* bytecode/ProxyableAccessCase.cpp:
(JSC::ProxyableAccessCase::ProxyableAccessCase):
(JSC::ProxyableAccessCase::create):
* bytecode/ProxyableAccessCase.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::shrinkToFit):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::merge):
* bytecode/PutByIdStatus.h:
* bytecode/SetPrivateBrandStatus.cpp:
(JSC::SetPrivateBrandStatus::shrinkToFit):
(JSC::SetPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::SetPrivateBrandStatus::merge):
* bytecode/SetPrivateBrandStatus.h:
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
* bytecode/UnlinkedFunctionExecutable.h:
* dfg/DFGJITCode.h:
* dfg/DFGPlan.h:
(JSC::DFG::Plan::tierUpInLoopHierarchy):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
* heap/BlockDirectoryBits.h:
* heap/JITStubRoutineSet.cpp:
(JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
* jit/CallFrameShuffleData.h:
(JSC::CallFrameShuffleData::shrinkToFit):
* jit/GCAwareJITStubRoutine.h:
* jit/PolymorphicCallStubRoutine.h:
* jit/Repatch.cpp:
(JSC::tryCacheGetBy):
(JSC::tryCachePutByID):
(JSC::tryCacheInByID):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseClassFieldInitializerSourceElements):
* parser/Parser.h:
(JSC::Parser<LexerType>::parse):
(JSC::parse):
* runtime/CachedTypes.cpp:
(JSC::CachedFunctionExecutableRareData::encode):
(JSC::CachedFunctionExecutableRareData::decode const):
* runtime/VM.cpp:
(JSC::VM::popAllCheckpointOSRSideStateUntil):
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::visitChildrenImpl):
* wasm/js/JSWebAssemblyInstance.h:
2021-04-05 Alex Christensen <achristensen@webkit.org>
Resurrect Mac CMake build
https://bugs.webkit.org/show_bug.cgi?id=224084
Reviewed by Tim Horton.
* PlatformMac.cmake:
2021-04-05 Keith Miller <keith_miller@apple.com>
DFG arity fixup nodes should exit to the caller's call opcode
https://bugs.webkit.org/show_bug.cgi?id=223278
Reviewed by Saam Barati.
Right now when we do arity fixup in the DFG we model it in the
same way that it executes, which means all the nodes are part of
the callee. Unfortunately, this causes PhantomInsertionPhase to
think those nodes could be replacing previously defined
VirtualRegisters as they are part of the callee's header (always
alive). When PhantomInsertionPhase then inserts a Phantom it will
put that node in the caller's frame as that's the first ExitOK
node. The caller, however, may have no knowledge of that
VirtualRegister. For example:
--> foo: loc10 is a local in foo.
...
1: MovHint(loc10)
2: SetLocal(loc10)
<-- foo // loc10 is now out of scope for the InlineCallFrame of the caller.
...
// Phantom will be inserted here referring to loc10, which doesn't make sense.
--> bar // loc10 is an argument to bar and needs arity fixup.
... // All of these nodes are ExitInvalid
3: MovHint(loc10, ExitInvalid)
4: SetLocal(loc10, ExitInvalid)
...
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::currentNodeOrigin):
(JSC::DFG::ByteCodeParser::inlineCall):
2021-04-02 Alexey Shvayka <shvaikalesh@gmail.com>
Reduce bytecode instruction count emitted for `class extends`
https://bugs.webkit.org/show_bug.cgi?id=223884
Reviewed by Yusuke Suzuki.
This patch adds a variant of globalFuncSetPrototypeDirect() that throws on
invalid [[Prototype]] values (instead of ignoring them) and utilizes it in
ClassExprNode::emitBytecode(), removing equivalent checks.
Throwing for invalid `superclass.prototype` value after setting the [[Prototype]]
of `constructor` is unobservable because it's a newly created extensible object
and `superclass` is a proven object.
The fact that [[Prototype]] set can throw only in case of `superclass.prototype`
allows keeping descriptive error message via custom appender. To find "extends"
in a source code, ClassExprNode is made an instance of ThrowableExpressionData.
This change reduces the number of emitted bytecodes by 4, and fixes IsConstructor's
error [1] to point to correct source code location.
[1]: https://tc39.es/ecma262/#sec-runtime-semantics-classdefinitionevaluation (step 5.f)
* builtins/BuiltinNames.h:
* bytecode/LinkTimeConstant.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDirectSetPrototypeOf):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitPutConstantProperty):
(JSC::ClassExprNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createClassExpr):
* parser/Nodes.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createClassExpr):
* runtime/ExceptionHelpers.cpp:
(JSC::invalidPrototypeSourceAppender):
(JSC::createInvalidPrototypeError):
* runtime/ExceptionHelpers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSGlobalObjectFunctions.h:
2021-04-02 Jessica Tallon <jtallon@igalia.com>
Add type method to WebAssembly.Memory, WebAssembly.Table & WebAssembly.Global objects
https://bugs.webkit.org/show_bug.cgi?id=222412
Reviewed by Yusuke Suzuki.
This adds a type method to several WASM objects as part of the work to add WASM
type reflections to the JS-API. The methods return a JSON object which describes
the type of the object and can be passed to the constructor to create a new wasm
object of that type.
* wasm/js/JSWebAssemblyGlobal.cpp:
(JSC::JSWebAssemblyGlobal::type):
* wasm/js/JSWebAssemblyGlobal.h:
* wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::type):
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::type):
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WebAssemblyGlobalPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/WebAssemblyGlobalPrototype.h:
* wasm/js/WebAssemblyMemoryPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-04-01 Yusuke Suzuki <ysuzuki@apple.com>
[WTF] Introduce RobinHoodHashTable
https://bugs.webkit.org/show_bug.cgi?id=223895
Reviewed by Fil Pizlo.
* builtins/BuiltinNames.cpp:
(JSC::lookUpPrivateNameImpl):
(JSC::lookUpWellKnownSymbolImpl):
* builtins/BuiltinNames.h:
* bytecode/BytecodeIntrinsicRegistry.h:
* runtime/Identifier.h:
* runtime/IntlCollator.cpp:
(JSC::IntlCollator::initializeCollator):
(JSC::IntlCollator::checkICULocaleInvariants):
* runtime/IntlCollator.h:
* runtime/IntlDateTimeFormat.cpp:
(JSC::IntlDateTimeFormat::initializeDateTimeFormat):
* runtime/IntlDateTimeFormatConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlDisplayNames.cpp:
(JSC::IntlDisplayNames::initializeDisplayNames):
* runtime/IntlDisplayNamesConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlListFormat.cpp:
(JSC::IntlListFormat::initializeListFormat):
* runtime/IntlListFormatConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlNumberFormat.cpp:
(JSC::IntlNumberFormat::initializeNumberFormat):
* runtime/IntlNumberFormatConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlObject.cpp:
(JSC::addScriptlessLocaleIfNeeded):
(JSC::intlAvailableLocales):
(JSC::intlCollatorAvailableLocales):
(JSC::intlSegmenterAvailableLocales):
(JSC::bestAvailableLocale):
(JSC::lookupMatcher):
(JSC::bestFitMatcher):
(JSC::resolveLocale):
(JSC::lookupSupportedLocales):
(JSC::bestFitSupportedLocales):
(JSC::supportedLocales):
* runtime/IntlObject.h:
(JSC::intlDateTimeFormatAvailableLocales):
(JSC::intlDisplayNamesAvailableLocales):
(JSC::intlNumberFormatAvailableLocales):
(JSC::intlPluralRulesAvailableLocales):
(JSC::intlRelativeTimeFormatAvailableLocales):
(JSC::intlListFormatAvailableLocales):
* runtime/IntlPluralRules.cpp:
(JSC::IntlPluralRules::initializePluralRules):
* runtime/IntlPluralRulesConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlRelativeTimeFormat.cpp:
(JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
* runtime/IntlRelativeTimeFormatConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/IntlSegmenter.cpp:
(JSC::IntlSegmenter::initializeSegmenter):
* runtime/IntlSegmenterConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/RegExpCache.h:
* runtime/RegExpKey.h:
2021-04-01 Yusuke Suzuki <ysuzuki@apple.com>
REGRESSION(r274724): JITCage trampoline needs to be adjusted
https://bugs.webkit.org/show_bug.cgi?id=224065
Reviewed by Saam Barati.
r274724 introduced a new parameter to custom setters, but it didn't change the parameter recognition of JITCage trampolines for custom accessors.
As a result, we are jumping with the wrong pointer, and crash when a custom setter is called with JITCage.
This patch fixes the above bug.
1. Now, custom getters and custom setters have different numbers of parameters. We should have two different trampolines to invoke them. We remove vmEntryCustomAccessor, and
add vmEntryCustomGetter/vmEntryCustomSetter.
2. vmEntryCustomSetter should use the a4 parameter as the executable address for the trampoline.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
* llint/LLIntThunks.cpp:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* offlineasm/arm64.rb:
* offlineasm/registers.rb:
* runtime/PropertySlot.h:
2021-04-01 Ross Kirsling <ross.kirsling@sony.com>
[JSC] Use ucal_getTimeZoneOffsetFromLocal if ICU 69 is present
https://bugs.webkit.org/show_bug.cgi?id=224075
Reviewed by Yusuke Suzuki.
Apple ICU 68 cherry picked ucal_getTimeZoneOffsetFromLocal (see r223783),
but now that ICU 69 is in RC, we can go ahead and update the #if for non-Apple platforms.
* runtime/JSDateMath.cpp:
2021-04-01 Tadeu Zagallo <tzagallo@apple.com>
Remove use of ENABLE from API header
https://bugs.webkit.org/show_bug.cgi?id=224060
<rdar://76111678>
Reviewed by Mark Lam.
The use of the ENABLE macro in these API headers has caused build failures. Instead of
conditionally exposing these API methods we make them into no-ops if DFG is disabled.
* API/JSVirtualMachine.mm:
(+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
(+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
* API/JSVirtualMachinePrivate.h:
2021-04-01 Alexey Shvayka <shvaikalesh@gmail.com>
Optimize createListFromArrayLike() and Proxy's [[OwnPropertyKeys]] method
https://bugs.webkit.org/show_bug.cgi?id=223928
Reviewed by Yusuke Suzuki.
createListFromArrayLike() changes:
1. Use toLength() / getIndex() methods that have fast paths.
2. Remove RuntimeTypeMask and error messages from its signature: type checks are better
performed in advance / inside a functor to keep the helper more versatile.
3. Invert functor's return value to align with Structure::forEachProperty() and friends.
4. Rename it to forEachInArrayLike() as no list is actually returned.
ProxyObject::performGetOwnPropertyNames() changes:
1. Remove RuntimeTypeMask filtering as it's already performed by PropertyNameArray::add().
2. Store target's keys in a HashSet for faster insertion / search.
3. Don't populate `targetConfigurableKeys` for extensible target as it won't be used [1].
4. Leverage return value of HashSet::remove() instead of using a helper.
This patch advances Proxy's [[OwnPropertyKeys]] microbenchmarks by 20-30%,
mainly due to createListFromArrayLike() changes. No behavior changes.
Also, utilizes forEachInArrayLike() for allow list of JSON.stringify().
[1]: https://tc39.es/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys (step 20)
* runtime/JSONObject.cpp:
(JSC::Stringifier::Stringifier):
* runtime/JSObject.h:
(JSC::JSObject::getIndex const):
* runtime/JSObjectInlines.h:
(JSC::forEachInArrayLike):
(JSC::createListFromArrayLike): Deleted.
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::performGetOwnPropertyNames):
* runtime/ReflectObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
2021-03-31 David Kilzer <ddkilzer@apple.com>
UBSan: JSC::Parser<LexerType>::parseProperty(): runtime error: load of value nnn, which is not a valid value for type 'bool'
<https://webkit.org/b/223896>
<rdar://problem/75970132>
Reviewed by Darin Adler.
Based on a suggestion by Darin Adler.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseProperty):
- Change 'escaped' to 'wasUnescapedIdent' to avoid the undefined
behavior since m_token.m_data.escaped is only set in the case
when an identifier is parsed (in Lexer<>::parseIdentifier()),
not a string (in Lexer<>::parseString()). This simplifies the
logic later in the method.
2021-03-31 Mark Lam <mark.lam@apple.com>
Missing exception check in HashMapImpl::add().
https://bugs.webkit.org/show_bug.cgi?id=224007
rdar://76053163
Reviewed by Saam Barati.
* runtime/HashMapImpl.h:
(JSC::HashMapImpl::add):
2021-03-31 Xan Lopez <xan@igalia.com>
[JSC] Remove warnings about unnecessary operator= for ARMv7Assembler LinkRecord
https://bugs.webkit.org/show_bug.cgi?id=223916
Reviewed by Darin Adler.
Many years ago we defined an assignment operator for LinkRecord in
order to speed up build times (see #90930). Recent GCC versions
tell us that if we do that we almost certainly want to define a
copy constructor too. The ARM64Assembler file already does it, so
do it too for ARMv7 to remove the warnings.
* assembler/ARM64Assembler.h:
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::LinkRecord::LinkRecord):
(JSC::ARMv7Assembler::LinkRecord::operator=):
2021-03-31 Alexey Shvayka <shvaikalesh@gmail.com>
Optimize constructors of ES6 collections
https://bugs.webkit.org/show_bug.cgi?id=223953
Reviewed by Yusuke Suzuki.
This patch speeds up the constructors by avoiding call() for non-observable
"set" / "add" methods and using getIndex() for Map / WeakMap collections.
For Map / Set, this change leverages existing cloning helpers, which rely on
watchpoints, to avoid even a method lookup. However, a slower path is used for
subclasses. This results in a 1.9x speed-up for the common case.
For WeakMap / WeakSet, the adder function is checked by C++ pointer, which enables
the fast path even for cross-realm subclasses. This results in a 2.3x progression.
Both approaches require special handling of a cross-realm NewTarget to ensure
that raised exceptions (OOM / TypeError) belong to the realm of the adder function,
and not to the constructor's or NewTarget's.
Also, adds descriptive error messages for non-callable "set" / "add" properties.
* runtime/JSMap.cpp:
(JSC::JSMap::isSetFastAndNonObservable):
(JSC::JSMap::canCloneFastAndNonObservable): Deleted.
* runtime/JSMap.h:
* runtime/JSSet.cpp:
(JSC::JSSet::isAddFastAndNonObservable):
(JSC::JSSet::canCloneFastAndNonObservable): Deleted.
* runtime/JSSet.h:
* runtime/MapConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/SetConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakMapConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakMapPrototype.cpp:
(JSC::WeakMapPrototype::finishCreation):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakMapPrototype.h:
* runtime/WeakSetConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakSetPrototype.cpp:
(JSC::WeakSetPrototype::finishCreation):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/WeakSetPrototype.h:
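Added example, not part of this ChangeLog or of JSC's sources: it pins down the observable contract that the optimized constructors in the entry above must preserve. Per the spec the constructor looks up "set" / "add" on the newly created object and calls it once per iterable entry, so a subclass override must see every entry, and a non-callable adder must raise a TypeError. The class names LoggingMap / LoggingSet, the function names subclassSeesEveryEntry / nonCallableAdderThrows, and the sample entries are constructed for this example.

```javascript
// Added example (not WebKit/JSC code): a fast path that skips the "set"/"add"
// lookup is only valid when the skip is unobservable. These two checks are the
// observable cases: an overriding subclass, and a non-callable adder.

// A subclass override of set()/add() must be invoked for every entry the
// constructor consumes, in iteration order.
function subclassSeesEveryEntry() {
  const seen = [];
  class LoggingMap extends Map {
    set(key, value) { seen.push(key); return super.set(key, value); }
  }
  class LoggingSet extends Set {
    add(value) { seen.push(value); return super.add(value); }
  }
  const m = new LoggingMap([["a", 1], ["b", 2]]);
  const s = new LoggingSet(["x", "y"]);
  return { seen, mapSize: m.size, setSize: s.size };
}

// Temporarily replaces Map.prototype.set with a non-callable value so the
// constructor's IsCallable(adder) check fires; the original descriptor is
// restored in finally so the realm is left as it was found.
function nonCallableAdderThrows() {
  const original = Object.getOwnPropertyDescriptor(Map.prototype, "set");
  let outcome;
  try {
    Object.defineProperty(Map.prototype, "set", {
      value: 42, writable: true, enumerable: false, configurable: true,
    });
    new Map([[1, 2]]);
    outcome = "no error";
  } catch (e) {
    outcome = e.constructor.name;
  } finally {
    Object.defineProperty(Map.prototype, "set", original);
  }
  return outcome;
}
```

Note that `new Map()` and `new Map(null)` return before the "set" lookup, so only a constructor call with an actual iterable reaches the adder check; that is the same ordering the slow path above has to keep when it bails out of the cloning fast path for a subclass.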
2021-03-30 Devin Rousso <drousso@apple.com>
REGRESSION(r274607): media controls script is visible in Web Inspector even without the engineering "Show WebKit-internal scripts" enabled
https://bugs.webkit.org/show_bug.cgi?id=223961
Reviewed by Yusuke Suzuki.
It turns out that Web Inspector will only ignore scripts that have a source URL directive
that matches `__InjectedScript_*.js`, not those that have a (source) URL matching that.
In addition to Web Inspector ignoring these scripts in the UI, it will also cause the
`Debugger` to not pause in scripts with a matching source URL directive (unless the
local-build, engineering-only "Pause in WebKit-internal scripts" setting is enabled).
* Scripts/make-js-file-arrays.py:
(main):
Add a `//# sourceURL=__InjectedScript_*.js` to the contents before it's encoded.
2021-03-30 Sam Weinig <weinig@apple.com>
JSGlobalObject's m_customGetterFunctionMap and m_customSetterFunctionMap should be sets, not maps, and should use both the identifier and function pointer as the key
https://bugs.webkit.org/show_bug.cgi?id=223613
Reviewed by Saam Barati.
- Adds a generic WeakGCSet class to go with the existing WeakGCMap.
- Renames WeakGCMapBase to WeakGCHashTable, moves it to its own file
and now uses it as the base class of both WeakGCSet and WeakGCMap.
- Replaces JSGlobalObject's customGetterFunctionMap/customSetterFunctionMap
with customGetterFunctionSet/customSetterFunctionSet, using the new
WeakGCSet, and updates them to use both the function pointer and
property name for the key, rather than just the function pointer which
is what the previous code did. This allows multiple custom functions
to use the same underlying function pointer as long as they have distinct
property names, which is going to be used to optimize the bindings for
CSSStyleDeclaration.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
Add new files.
* heap/Heap.cpp:
(JSC::Heap::runEndPhase):
(JSC::Heap::pruneStaleEntriesFromWeakGCHashTables):
(JSC::Heap::registerWeakGCHashTable):
(JSC::Heap::unregisterWeakGCHashTable):
(JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Deleted.
(JSC::Heap::registerWeakGCMap): Deleted.
(JSC::Heap::unregisterWeakGCMap): Deleted.
* heap/Heap.h:
Update for new name. WeakGCMapBase -> WeakGCHashTable.
* runtime/JSCInlines.h:
Add WeakGCSetInlines.h
* runtime/JSCustomGetterFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSCustomGetterFunction::JSCustomGetterFunction):
(JSC::JSCustomGetterFunction::create):
* runtime/JSCustomGetterFunction.h:
* runtime/JSCustomSetterFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSCustomSetterFunction::JSCustomSetterFunction):
(JSC::JSCustomSetterFunction::create):
* runtime/JSCustomSetterFunction.h:
Add helper type CustomFunctionPointer and helper function customFunctionPointer()
to allow some generic hashing code to run on either JSCustomGetterFunction
or JSCustomSetterFunction.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::WeakCustomGetterOrSetterHash::hash):
(JSC::JSGlobalObject::WeakCustomGetterOrSetterHash::equal):
(JSC::JSGlobalObject::customGetterFunctionSet):
(JSC::JSGlobalObject::customSetterFunctionSet):
(JSC::JSGlobalObject::customGetterFunctionMap): Deleted.
(JSC::JSGlobalObject::customSetterFunctionMap): Deleted.
Replace m_customGetterFunctionMap/m_customSetterFunctionMap with
m_customGetterFunctionSet/m_customSetterFunctionSet. As the key is included
in the value, it saves space to use a set rather than a map. We now also
hash and compare both the function pointer and the property name to allow
sharing implementations.
* runtime/JSObject.cpp:
(JSC::WeakCustomGetterOrSetterHashTranslator::hash):
(JSC::WeakCustomGetterOrSetterHashTranslator::equal):
(JSC::createCustomGetterFunction):
(JSC::createCustomSetterFunction):
Update creation functions to use the new sets, making use of the
ensureValue function and a HashTranslator allowing the use of a
std::pair<PropertyName, FunctionPointer> as an alternative lookup
key. This allows us to avoid creating the JSCustomGetterFunction/JSCustomSetterFunction
pointer if one with the same property name and function pointer are
already in the set.
* runtime/WeakGCHashTable.h: Added.
(JSC::WeakGCHashTable::~WeakGCHashTable):
Moved from WeakGCMap and renamed as it is now the base of both
WeakGCMap and WeakGCSet.
* runtime/WeakGCMap.h:
Update to use new WeakGCHashTable base class.
* runtime/WeakGCMapInlines.h:
(JSC::KeyTraitsArg>::WeakGCMap):
(JSC::KeyTraitsArg>::~WeakGCMap):
Update for new Heap function names for WeakGCHashTable.
* runtime/WeakGCSet.h: Added.
* runtime/WeakGCSetInlines.h: Added.
(JSC::TraitsArg>::WeakGCSet):
(JSC::TraitsArg>::~WeakGCSet):
(JSC::TraitsArg>::find):
(JSC::TraitsArg>::find const):
(JSC::TraitsArg>::contains const):
(JSC::TraitsArg>::pruneStaleEntries):
Added a minimal WeakGCSet based on WeakGCMap.
2021-03-30 Mark Lam <mark.lam@apple.com>
Add disableForwardingVPrintfStdErrToOSLog() and use it in the jsc shell.
https://bugs.webkit.org/show_bug.cgi?id=223963
Reviewed by Saam Barati.
This prevents automatic forwarding of vprintf_stderr_common() to os_log_with_args(),
which results in duplicate output when using the jsc shell. As a result, ASSERT
fail messages and crash stack traces will be more readable.
* jsc.cpp:
(main):
2021-03-30 Mark Lam <mark.lam@apple.com>
Add Options::exitOnResourceExhaustion() to enable exiting instead of crashing on resource exhaustion.
https://bugs.webkit.org/show_bug.cgi?id=223959
rdar://63934158
Reviewed by Tadeu Zagallo.
This is useful to unblock fuzzers from false positive crashes due to resource
exhaustion. Currently, this is only applied to StructureID exhaustion.
Since we're adding this facility, we might as well implement it in such a way that
it can be easily deployed for other types of resource exhaustion as well.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/OptionsList.h:
* runtime/ResourceExhaustion.cpp: Added.
(JSC::handleResourceExhaustion):
* runtime/ResourceExhaustion.h: Added.
* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::resize):
2021-03-30 Ryan Haddad <ryanhaddad@apple.com>
Ensure that GlobalPropertyInfo is allocated on the stack.
https://bugs.webkit.org/show_bug.cgi?id=223911
Unreviewed test gardening.
Rebaseline builtins generator tests after r275212.
* Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2021-03-30 Mark Lam <mark.lam@apple.com>
Add more information to GC verifier verbose dumps.
https://bugs.webkit.org/show_bug.cgi?id=223951
Reviewed by Yusuke Suzuki.
* heap/VerifierSlotVisitor.cpp:
(JSC::VerifierSlotVisitor::dumpMarkerData):
2021-03-30 Mark Lam <mark.lam@apple.com>
Ensure that GlobalPropertyInfo is allocated on the stack.
https://bugs.webkit.org/show_bug.cgi?id=223911
rdar://75865742
Reviewed by Yusuke Suzuki.
We rely on GlobalPropertyInfo being allocated on the stack to allow its JSValue
value to be scanned by the GC. Unfortunately, an ASAN compilation would choose
to allocate the GlobalPropertyInfo on a side buffer instead of directly on the
stack. This prevents the GC from doing the needed scan.
We'll fix this by suppressing ASAN on the functions that allocate GlobalPropertyInfo
arrays. Also added an ASSERT in the GlobalPropertyInfo constructor to assert that
it is allocated on the stack.
* Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
(BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::initStaticGlobals):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::exposeDollarVM):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
2021-03-29 Xan López <xan@igalia.com>
[JSC] Use helper method when possible to store data in the callframe header
https://bugs.webkit.org/show_bug.cgi?id=223432
Reviewed by Yusuke Suzuki.
A bunch of the direct stores to the callframe header are zeroing
out the codeblock slot. Create a helper method to do that and use
it accordingly. For the rest, use emitPutToCallFrameHeader, which
already does the right thing. Also, remove a lot of unused helper
methods in AssemblyHelpers (which have been updated for no reason
throughout the years).
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue): Deleted.
(JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue): Deleted.
(JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue): Deleted.
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2021-03-28 Sam Weinig <weinig@apple.com>
Remove ENABLE_INDEXED_DATABASE & ENABLE_INDEXED_DATABASE_IN_WORKERS, it seems like it is on for all ports
https://bugs.webkit.org/show_bug.cgi?id=223810
Reviewed by Simon Fraser.
* inspector/protocol/IndexedDB.json:
Update for the removal of the ENABLE_INDEXED_DATABASE conditional.
2021-03-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use AppleICU SPI for canonicalization
https://bugs.webkit.org/show_bug.cgi?id=223552
Reviewed by Ryosuke Niwa.
uloc_canonicalize does not perform alias mapping. This is different from ECMA402's canonicalization requirement.
ICU C++ icu::Locale can canonicalize locale ID with alias mapping, but this is not exposed to C API.
In this patch, we adopt AppleICU SPI "ualoc_canonicalForm" added in rdar://74314220. This canonicalization can perform
alias mapping too. We do not extend uloc_canonicalize since this API explicitly says "It does NOT map aliased names in any way."[1].
In [2], we are tracking upstreaming of this new SPI. Once it is upstreamed to the mainline ICU, we will switch to that.
[1]: https://unicode-org.github.io/icu-docs/apidoc/dev/icu4c/uloc_8h.html#a69b148194cf57ac40d4bb15c5b905260
[2]: https://unicode-org.atlassian.net/browse/ICU-21506
* runtime/IntlLocale.cpp:
(JSC::LocaleIDBuilder::initialize):
(JSC::LocaleIDBuilder::toCanonical):
* runtime/IntlObject.cpp:
(JSC::localeIDBufferForLanguageTagWithNullTerminator):
(JSC::canonicalizeLanguageTag):
(JSC::canonicalizeLocaleIDWithoutNullTerminator):
(JSC::localeIDBufferForLanguageTag): Deleted.
* runtime/IntlObject.h:
2021-03-26 Don Olmstead <don.olmstead@sony.com>
[CMake] Deprecate using DERIVED_SOURCES_DIR/FOWARDING_HEADERS_DIR directly
https://bugs.webkit.org/show_bug.cgi?id=223763
Reviewed by Michael Catanzaro.
Remove any usages of DERIVED_SOURCES_DIR and FOWARDING_HEADERS_DIR.
* CMakeLists.txt:
* PlatformMac.cmake:
2021-03-26 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use new Apple ICU APIs to avoid C++ ICU API usage
https://bugs.webkit.org/show_bug.cgi?id=223783
<rdar://problem/75060240>
Reviewed by Mark Lam.
This patch adopts ICU 69's draft APIs to avoid using ICU C++ APIs in newer macOS builds.
AppleICU adopts these draft APIs so that we can use them even in ICU 68 if ICU is AppleICU.
The API is ucal_getTimeZoneOffsetFromLocal, which is back-ported from ICU 69[1].
The purpose of this API is to calculate the timezone offset and DST offset from *local* time.
[1]: https://github.com/unicode-org/icu/commit/53aa0505c5f95a8cebbd7b4421d474fd2a790b80
* runtime/IntlDateTimeFormat.cpp:
* runtime/JSDateMath.cpp:
(JSC::OpaqueICUTimeZoneDeleter::operator()):
(JSC::DateCache::calculateLocalTimeOffset):
(JSC::DateCache::defaultTimeZone):
(JSC::DateCache::timeZoneCacheSlow):
* runtime/JSDateMath.h:
2021-03-26 Jessie Berlin <jberlin@webkit.org>
Update the BEFORE/SINCE, SYSTEM_VERSION_PREFIX, and MACOSX_DEPLOYMENT_TARGET flags
https://bugs.webkit.org/show_bug.cgi?id=223779
Reviewed by Tim Horton.
* Configurations/DebugRelease.xcconfig:
* Configurations/Version.xcconfig:
* Configurations/WebKitTargetConditionals.xcconfig:
2021-03-25 Saam Barati <sbarati@apple.com>
validate untagArrayPtr
https://bugs.webkit.org/show_bug.cgi?id=214953
<rdar://problem/66391434>
Reviewed by Mark Lam.
This patch adds validation to untagArrayPtr along paths where we don't
immediately store/load from the result.
This patch also changes the removeArrayPtrTag macro assembler function to
use a bitwise and instead of xpacd to strip the tag, because it's faster.
* assembler/MacroAssemblerARM64E.h:
(JSC::MacroAssemblerARM64E::untagArrayPtr):
(JSC::MacroAssemblerARM64E::removeArrayPtrTag):
* assembler/testmasm.cpp:
(JSC::testCagePreservesPACFailureBit):
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionallyAndUntag):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cageWithoutUntagging): Deleted.
(JSC::AssemblyHelpers::cageConditionally): Deleted.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
2021-03-25 Jessie Berlin <jberlin@webkit.org>
Remove 10.13 DEPLOYMENT_TARGETs and SYSTEM_VERSION_PREFIXs
https://bugs.webkit.org/show_bug.cgi?id=223765
Reviewed by Tim Horton.
* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/Version.xcconfig:
2021-03-25 Carlos Garcia Campos <cgarcia@igalia.com>
[GTK][WPE] JSC crashes if a function expects a parameter but doesn't receive any
https://bugs.webkit.org/show_bug.cgi?id=223646
Reviewed by Adrian Perez de Castro.
Handle the case of receiving fewer arguments than expected in function calls and constructors. We pass undefined
for the expected arguments that are missing. We were not correctly handling the case of converting undefined and
null values to JSCValue, so this patch fixes that case too.
* API/glib/JSCCallbackFunction.cpp:
(JSC::JSCCallbackFunction::call):
(JSC::JSCCallbackFunction::construct):
* API/glib/JSCContext.cpp:
(jscContextJSValueToWrappedObject):
(jscContextJSValueToGValue):
2021-03-24 Michael Saboff <msaboff@apple.com>
[YARR] Interpreter incorrectly matches non-BMP characters with multiple . w/dotAll flag
https://bugs.webkit.org/show_bug.cgi?id=223666
Reviewed by Mark Lam.
In checkCharacterClassDontAdvanceInputForNonBMP(), we need to check for input.readChecked() returning -1
and return that the character class didn't match.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::checkCharacterClassDontAdvanceInputForNonBMP):
2021-03-24 Saam Barati <sbarati@apple.com>
r271034 added code in constant folding phase that's unreachable given current invariants of our ICs and PutByIdStatus
https://bugs.webkit.org/show_bug.cgi?id=223625
Reviewed by Yusuke Suzuki.
The code was doing a lot of wrong things by making bad assumptions about the
invariants of PutByIdVariants. Replace PutByIdVariants never have object
property condition sets, since we always replace on the self object (and don't
look at the prototype chain). This patch clears up the code to make it
clearer what the invariants are.
With respect to the original fix about not emitting a PutByOffset for a
Replace on a Structure that has an unfired replacement watchpoint set,
that was already handled by the PutByIdStatus::computeFor variant we're
calling inside of constant folding. It will return TakesSlowPath if it
encounters a Replace where the Structure still has an unfired watchpoint.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
2021-03-24 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Rope string equal operation should first check length
https://bugs.webkit.org/show_bug.cgi?id=223678
Reviewed by Mark Lam.
This can avoid eagerly resolving rope strings if it is not necessary.
* runtime/JSString.cpp:
(JSC::JSString::equalSlowCase const):
2021-03-23 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Functor for WeakGCMap::ensureValue must not invoke GC
https://bugs.webkit.org/show_bug.cgi?id=223629
<rdar://problem/75619217>
Reviewed by Mark Lam.
The functor for WeakGCMap::ensureValue must not invoke GC. GC can prune entries in WeakGCMap.
So we can modify underlying HashMap while we are just touching it for HashMap::ensure. This
can corrupt HashMap. To ensure this invariant, we put DisallowGC for WeakGCMap::ensureValue.
So we cannot invoke GC in the functor of that function (otherwise, an assertion hits).
And we use DeferGC in createCustomGetterFunction / createCustomSetterFunction to avoid invoking
GC in WeakGCMap::ensureValue. This defers GC invocation until this DeferGC scope is destroyed,
and ensures that the functor invoked by WeakGCMap::ensureValue will not cause GC.
* runtime/JSObject.cpp:
(JSC::createCustomGetterFunction):
(JSC::createCustomSetterFunction):
(JSC::JSObject::getOwnPropertyDescriptor):
* runtime/WeakGCMap.h:
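Constructed model of the invariant this entry describes, added here as an illustration; it is not JSC's code. The names Heap, DisallowGC, DeferGC and WeakMap are stand-ins modelled on the JSC classes the entry names, and allocatingFactory plays the role of a functor that may trigger a collection:

```cpp
#include <cstddef>
#include <functional>
#include <stdexcept>
#include <string>
#include <unordered_map>

// Constructed model (not JSC's code): a heap whose collector prunes a weak
// map, plus RAII scopes modelled on JSC's DisallowGC and DeferGC.
struct Heap {
    int disallowDepth = 0;           // > 0 while a DisallowGC scope is live
    int deferDepth = 0;              // > 0 while a DeferGC scope is live
    bool collectionPending = false;
    int collections = 0;
    std::function<void()> pruneHook; // what a collection does to weak maps

    // Entry point used by anything that may need to collect (e.g. allocation).
    void collectIfNecessaryOrDefer()
    {
        if (deferDepth > 0) { collectionPending = true; return; } // parked until DeferGC ends
        if (disallowDepth > 0)       // the "assertion hits" case from the entry
            throw std::logic_error("GC requested inside a DisallowGC scope");
        runCollection();
    }
    void runCollection()
    {
        ++collections;
        collectionPending = false;
        if (pruneHook) pruneHook();
    }
};

struct DisallowGC {
    Heap& heap;
    explicit DisallowGC(Heap& h) : heap(h) { ++heap.disallowDepth; }
    ~DisallowGC() { --heap.disallowDepth; }
};
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++heap.deferDepth; }
    ~DeferGC() { if (--heap.deferDepth == 0 && heap.collectionPending) heap.runCollection(); }
};

// Toy weak map: a collection may drop entries, so the find/insert pair in
// ensureValue must not be interrupted by one.
class WeakMap {
public:
    template<typename Functor>
    int ensureValue(Heap& heap, const std::string& key, Functor&& makeValue)
    {
        DisallowGC noGC(heap);
        auto it = m_map.find(key);
        if (it != m_map.end())
            return it->second;
        int value = makeValue();     // runs while the table is mid-update
        m_map.emplace(key, value);
        return value;
    }
    void pruneAll() { m_map.clear(); }
    size_t size() const { return m_map.size(); }
private:
    std::unordered_map<std::string, int> m_map;
};

// A value factory that allocates and therefore may request a collection.
static int allocatingFactory(Heap& heap)
{
    heap.collectIfNecessaryOrDefer();
    return 42;
}

// Without DeferGC: the factory's GC request trips the DisallowGC check.
bool gcInsideEnsureValueIsCaught()
{
    Heap heap; WeakMap map;
    heap.pruneHook = [&] { map.pruneAll(); };
    try {
        map.ensureValue(heap, "getter", [&] { return allocatingFactory(heap); });
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// With DeferGC around the call (the createCustomGetterFunction shape): the request
// is parked until the scope ends, after the map is consistent again.
// Returns the number of collections that ran, or -1 if the map was disturbed early.
int gcDeferredAroundEnsureValue()
{
    Heap heap; WeakMap map;
    heap.pruneHook = [&] { map.pruneAll(); };
    {
        DeferGC deferGC(heap);
        map.ensureValue(heap, "getter", [&] { return allocatingFactory(heap); });
        if (heap.collections != 0 || map.size() != 1)
            return -1;
    }
    return heap.collections; // 1: the deferred collection ran at scope exit
}
```

The ordering in collectIfNecessaryOrDefer is the point: an outer DeferGC turns a collection request into a pending flag, so the inner DisallowGC never sees a live request, while a bare ensureValue whose functor allocates fails loudly instead of silently corrupting the table.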
2021-03-23 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Use ErrorInstance for AggregateError
https://bugs.webkit.org/show_bug.cgi?id=223626
Reviewed by Darin Adler.
From r274609, WebAssembly errors start using normal ErrorInstance. We apply the same thing to AggregateError too.
This patch removes the AggregateError class and just generates ErrorInstance.
* runtime/AggregateError.cpp:
(JSC::createAggregateError):
(JSC::AggregateError::AggregateError): Deleted.
(JSC::AggregateError::finishCreation): Deleted.
(JSC::AggregateError::create): Deleted.
* runtime/AggregateError.h:
(): Deleted.
* runtime/AggregateErrorConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::initializeAggregateErrorConstructor):
2021-03-23 Robin Morisset <rmorisset@apple.com>
Object.freeze(this) at the global scope can lose a reference to a WatchpointSet
https://bugs.webkit.org/show_bug.cgi?id=223608
Reviewed by Yusuke Suzuki.
When freezing the global object, we should make a proper copy of symbol table entries, to keep any outstanding reference to the WatchpointSet.
We cannot use pack(), because it does not support FatEntries.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::defineOwnProperty):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTableGet):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::setReadOnly):
2021-03-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] JSCustomGetterFunction/JSCustomSetterFunction should use Identifier for their field
https://bugs.webkit.org/show_bug.cgi?id=223588
Reviewed by Mark Lam and Saam Barati.
PropertyName is the holder for passing it as an argument, and it does not ref/deref underlying UniqueStringImpl.
We should use Identifier to keep it strongly ref-ed in JSCustomGetterFunction/JSCustomSetterFunction.
And we should make JSCustomGetterFunction/JSCustomSetterFunction destructible objects since Identifier needs to
deref underlying UniqueStringImpl when destroying these functions.
* runtime/JSCustomGetterFunction.cpp:
(JSC::JSCustomGetterFunction::JSCustomGetterFunction):
(JSC::JSCustomGetterFunction::destroy):
* runtime/JSCustomGetterFunction.h:
* runtime/JSCustomSetterFunction.cpp:
(JSC::JSCustomSetterFunction::JSCustomSetterFunction):
(JSC::JSCustomSetterFunction::destroy):
* runtime/JSCustomSetterFunction.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2021-03-22 Saam Barati <sbarati@apple.com>
LiteralParser shouldn't make error messages of length ~2^31
https://bugs.webkit.org/show_bug.cgi?id=223483
<rdar://75572255>
Reviewed by Robin Morisset.
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::parse):
2021-03-22 Michael Saboff <msaboff@apple.com>
[YARR] Interpreter incorrectly matches non-BMP characters with multiple .
https://bugs.webkit.org/show_bug.cgi?id=223498
Reviewed by Yusuke Suzuki.
We need to check that we read an actual character before seeing if it is part of a character class.
In the case where we are checking that a character is not in a character class, like .,
the failed to read result from input.readChecked(), -1, is not part of the newline character class.
This will allow regular expressions that require more than the number of characters in a string
to match.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::checkCharacterClass):
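Constructed illustration of the failure mode described in this entry and in the dotAll entry of 2021-03-24 above, added here as an example; it is not JSC's Yarr code. Input, readChecked, isLineTerminator, dotMatchesBuggy, dotMatchesFixed and matchesExactlyNDots are stand-ins invented for the example:

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Constructed stand-in for the interpreter's input cursor (not JSC's class).
// Like the readChecked() described in the entry, it returns -1 when the
// requested position lies beyond the end of the subject string.
struct Input {
    std::u32string subject;
    int32_t readChecked(size_t pos) const
    {
        return pos < subject.size() ? static_cast<int32_t>(subject[pos]) : -1;
    }
};

// Line terminators that '.' excludes without the dotAll flag.
static bool isLineTerminator(int32_t c)
{
    return c == U'\n' || c == U'\r' || c == 0x2028 || c == 0x2029;
}

// Buggy shape: the negated class test is applied to whatever readChecked()
// returned. -1 is not a line terminator, so a read past the end "matches".
bool dotMatchesBuggy(const Input& input, size_t pos)
{
    return !isLineTerminator(input.readChecked(pos));
}

// Fixed shape: confirm that a character was actually read before the class test.
bool dotMatchesFixed(const Input& input, size_t pos)
{
    int32_t ch = input.readChecked(pos);
    if (ch == -1)
        return false;
    return !isLineTerminator(ch);
}

// Equivalent of /^.{n}$/: n consecutive '.' atoms, then end of input.
using DotMatcher = bool (*)(const Input&, size_t);
bool matchesExactlyNDots(const Input& input, size_t n, DotMatcher dot)
{
    for (size_t i = 0; i < n; ++i) {
        if (!dot(input, i))
            return false;
    }
    return input.readChecked(n) == -1; // end-of-input assertion
}

// Three '.' atoms against a two-character subject: the buggy matcher accepts,
// because the third read returns -1 and -1 is "not a newline".
bool buggyMatchesTwoCharsWithThreeDots()
{
    Input in{U"ab"};
    return matchesExactlyNDots(in, 3, dotMatchesBuggy);
}

bool fixedMatchesTwoCharsWithThreeDots()
{
    Input in{U"ab"};
    return matchesExactlyNDots(in, 3, dotMatchesFixed);
}
```

The same shape applies to the non-BMP dotAll path: any class test that is phrased as "not in set X" must reject the sentinel before asking about membership, otherwise end-of-input satisfies every negated class.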
2021-03-22 Ross Kirsling <ross.kirsling@sony.com>
Unreviewed, fix Mac and non-unified JSCOnly builds
https://bugs.webkit.org/show_bug.cgi?id=223546
* wasm/WasmGlobal.h:
* wasm/WasmTable.h:
* wasm/js/JSWebAssemblyCompileError.cpp:
* wasm/js/JSWebAssemblyLinkError.cpp:
* wasm/js/JSWebAssemblyRuntimeError.cpp:
Add missing includes for non-unified JSC build.
2021-03-22 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] Intl.Locale should not assume is8Bit
https://bugs.webkit.org/show_bug.cgi?id=223553
Reviewed by Ross Kirsling.
is8Bit or not is not guaranteed if it is user input. For example, "test日本語".substring(0, 3) should be a non-8Bit string.
Intl.Locale has several places that assumed that the input is 8Bit if it is ASCII. This patch fixes it.
* runtime/IntlLocale.cpp:
(JSC::LocaleIDBuilder::overrideLanguageScriptRegion):
(JSC::LocaleIDBuilder::setKeywordValue):
2021-03-22 Sam Weinig <weinig@apple.com>
Use the PropertyName parameter passed to custom getters/setters rather than a redundant const char* in DOM attribute prologues
https://bugs.webkit.org/show_bug.cgi?id=223542
Reviewed by Alexey Shvayka.
Add throwVMDOMAttributeSetterTypeError to match existing throwVMDOMAttributeGetterTypeError and move
additional helpers used by WebCore here to avoid redundant work.
Removes some now unused functions.
* runtime/Error.cpp:
(JSC::createGetterTypeError):
(JSC::makeDOMAttributeGetterTypeErrorMessage):
(JSC::makeDOMAttributeSetterTypeErrorMessage):
(JSC::throwDOMAttributeGetterTypeError):
(JSC::throwDOMAttributeSetterTypeError):
(JSC::throwGetterTypeError): Deleted.
* runtime/Error.h:
(JSC::throwVMRangeError):
(JSC::throwVMDOMAttributeSetterTypeError):
(JSC::throwVMGetterTypeError): Deleted.
2021-03-22 Tyler Wilcock <twilco.o@protonmail.com>
AppleWin can't start due to "Failed to determine path to AAS directory." because iTunes changed the registry key
https://bugs.webkit.org/show_bug.cgi?id=219015
Reviewed by Alex Christensen.
It appears that iTunes no longer sets the Apple Application Support
registry entry. Fall back to trying to find the iTunes installation
directory if the AAS directory is not present.
* shell/DLLLauncherMain.cpp:
(iTunesDirectory): Added.
(modifyPath):
2021-03-19 Darin Adler <darin@apple.com>
[Cocoa] Make it possible to release a WKWebView on a non-main thread without a crash due to WKScriptMessage race
https://bugs.webkit.org/show_bug.cgi?id=222336
Reviewed by Chris Dumez.
* API/ObjcRuntimeExtras.h: Removed declarations of objc_initWeak and objc_destroyWeak, since
these are already in <wtf/spi/cocoa/objcSPI.h>.
2021-03-19 Mark Lam <mark.lam@apple.com>
BrandedStructure should keep its members alive.
https://bugs.webkit.org/show_bug.cgi?id=223495
rdar://75565765
Reviewed by Saam Barati.
Normally, each type of JSCell would have its own structure (and therefore, its own
ClassInfo, MethodTable, etc), which would have handled visiting m_parentBrand.
Similarly, it would have its own destructor, which would deref m_brand.
However, the design of BrandedStructure is not like other JSCells. At present,
we have chosen to go with having BrandedStructure look exactly like a regular
Structure, except that its isBrandedStructure flag is set to true.
This design has advantages because we do checks all over the system for whether
a cell is a Structure by simply comparing its structureID to structureStructure's
structureID. By virtue of BrandedStructure having the same structure as Structure,
none of this code needs to change.
The downside is that we need to enhance Structure's methods to check if it is
actually working on an instance of BrandedStructure, and do some additional work.
This patch fixes 2 bugs:
1. m_parentBrand was not visited by visitChildren().
Structure::visitChildrenImpl() now calls BrandedStructure::visitAdditionalChildren()
to handle this.
2. m_brand needs to be ref'ed.
In Structure::setBrandTransition(), if the BrandedStructure is a dictionary,
then its m_transitionPropertyName will be cleared. m_transitionPropertyName
was the only means by which the UniqueStringImpl pointed to by m_brand was
ref'ed. The fix is to make m_brand a RefPtr.
Hence, it follows that we also need to deref m_brand on destruction.
Structure's destructor now calls BrandedStructure::destruct() to handle this.
* runtime/BrandedStructure.h:
* runtime/Structure.cpp:
(JSC::Structure::~Structure):
(JSC::Structure::visitChildrenImpl):
2021-03-19 Sam Weinig <weinig@apple.com>
Add PropertyName parameter to custom setters to allow shared implementations to do late name lookup
https://bugs.webkit.org/show_bug.cgi?id=223413
Reviewed by Alexey Shvayka.
Make custom setters match custom getters by adding a PropertyName parameter.
This will be used by the CSSStyleDeclaration bindings to avoid > 1000 copies
of the same getter/setter code, which will instead be able to differentiate
using the name.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* jsc.cpp:
(JSC_DEFINE_CUSTOM_SETTER):
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter):
* runtime/CustomGetterSetter.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCustomSetterFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSCustomSetterFunction::JSCustomSetterFunction):
(JSC::JSCustomSetterFunction::create):
* runtime/JSCustomSetterFunction.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/PropertySlot.h:
* runtime/RegExpConstructor.cpp:
(JSC::JSC_DEFINE_CUSTOM_SETTER):
* runtime/RegExpObject.cpp:
(JSC::JSC_DEFINE_CUSTOM_SETTER):
* tools/JSDollarVM.cpp:
== Rolled over to ChangeLog-2021-03-18 ==