[webkit-changes] [WebKit/WebKit] ea7efa: [JSC] Expose error messages from ShadowRealms to o...
Branch: refs/heads/main Home: https://github.com/WebKit/WebKit Commit: ea7efa2f7f885f2dc5d0dea65d185fb9974cbf58 https://github.com/WebKit/WebKit/commit/ea7efa2f7f885f2dc5d0dea65d185fb9974cbf58 Author: Caitlin Potter Date: 2023-01-04 (Wed, 04 Jan 2023) Changed paths: M JSTests/stress/shadow-realm-evaluate.js M Source/JavaScriptCore/runtime/Error.cpp M Source/JavaScriptCore/runtime/Error.h M Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp Log Message: --- [JSC] Expose error messages from ShadowRealms to outer realm https://bugs.webkit.org/show_bug.cgi?id=249324 Reviewed by Yusuke Suzuki. This adds stuff from a yet unmerged spec change from https://github.com/tc39/proposal-shadowrealm/pull/382. This particular implementation only concerns itself with converting a primitive exception to a String and using that as the TypeError message, or else accessing the own "message" property of an object and using that, which is sufficient to inherit messages from a native Error. A more robust approach could attempt to load "message" from the prototype chain, and could incorporate some limited source information from the source error into the new error message. Canonical link: https://commits.webkit.org/258438@main ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295459] trunk/Source
Title: [295459] trunk/Source Revision 295459 Author ca...@igalia.com Date 2022-06-10 12:01:43 -0700 (Fri, 10 Jun 2022) Log Message [Shadow Realms] Add feature flag to enable Exposed=* web APIs in ShadowRealms https://bugs.webkit.org/show_bug.cgi?id=241448 Reviewed by Yusuke Suzuki. No longer expose Web APIs to ShadowRealm by default. Instead, we enable this with a new setting WebAPIsInShadowRealmEnabled. Because the HTML integration aspect of the specification is still in the air, it's prudent to disable it by default, while still providing a feature flag for web-platform-tests. * Source/WTF/Scripts/Preferences/WebPreferencesExperimental.yaml: * Source/WebCore/bindings/js/WebCoreBuiltinNames.h: * Source/WebCore/bindings/scripts/preprocess-idls.pl: (GenerateConstructorAttributes): * Source/WebCore/bindings/scripts/test/JS/JSShadowRealmGlobalScope.cpp: (WebCore::JSShadowRealmGlobalScope::finishCreation): * Source/WebCore/bindings/scripts/test/ShadowRealmGlobalScopeConstructors.idl: Canonical link: https://commits.webkit.org/251465@main Modified Paths trunk/Source/WTF/Scripts/Preferences/WebPreferencesExperimental.yaml trunk/Source/WebCore/bindings/js/WebCoreBuiltinNames.h trunk/Source/WebCore/bindings/scripts/preprocess-idls.pl trunk/Source/WebCore/bindings/scripts/test/JS/JSShadowRealmGlobalScope.cpp trunk/Source/WebCore/bindings/scripts/test/ShadowRealmGlobalScopeConstructors.idl Diff Modified: trunk/Source/WTF/Scripts/Preferences/WebPreferencesExperimental.yaml (295458 => 295459) --- trunk/Source/WTF/Scripts/Preferences/WebPreferencesExperimental.yaml 2022-06-10 18:50:09 UTC (rev 295458) +++ trunk/Source/WTF/Scripts/Preferences/WebPreferencesExperimental.yaml 2022-06-10 19:01:43 UTC (rev 295459) @@ -1564,6 +1564,18 @@ WebKit: default: true +WebAPIsInShadowRealmEnabled: + type: bool + humanReadableName: "Web APIs in ShadowRealm" + humanReadableDescription: "Enable Web APIs to be exposed in ShadowRealm" + defaultValue: +WebKitLegacy: + default: false +WebKit: + default: false +WebCore: + default: false + WebAnimationsCompositeOperationsEnabled: type: bool humanReadableName: "Web Animations composite operations" Modified: trunk/Source/WebCore/bindings/js/WebCoreBuiltinNames.h (295458 => 295459) --- trunk/Source/WebCore/bindings/js/WebCoreBuiltinNames.h 2022-06-10 18:50:09 UTC (rev 295458) +++ trunk/Source/WebCore/bindings/js/WebCoreBuiltinNames.h 2022-06-10 19:01:43 UTC (rev 295459) @@ -39,6 +39,25 @@ #define WEBCORE_ADDITIONAL_PRIVATE_IDENTIFIERS(macro) #endif +#if !defined(WEBCORE_COMMON_PRIVATE_IDENTIFIERS_FOR_SHADOWREALM_EACH_PROPERTY_NAME) +// Dom APIs exposed to ShadowRealm are temporarily enabled via the WebAPIsInShadowRealmEnabled +// experimental feature. When this is resolved, these can be deleted. +#define WEBCORE_COMMON_PRIVATE_IDENTIFIERS_FOR_SHADOWREALM_EACH_PROPERTY_NAME(macro) \ +macro(AbortController) \ +macro(ByteLengthQueuingStrategy) \ +macro(CountQueuingStrategy) \ +macro(CustomEvent) \ +macro(ErrorEvent) \ +macro(Event) \ +macro(EventTarget) \ +macro(Performance) \ +macro(PromiseRejectionEvent) \ +macro(TextDecoder) \ +macro(TextEncoder) \ +macro(URL) \ +macro(URLSearchParams) +#endif + #define WEBCORE_COMMON_PRIVATE_IDENTIFIERS_EACH_PROPERTY_NAME(macro) \ macro(AbortSignal) \ macro(AbstractRange) \ @@ -608,6 +627,7 @@ macro(pendingAbortRequest) \ macro(writeRequests) \ WEBCORE_ADDITIONAL_PRIVATE_IDENTIFIERS(macro) \ +WEBCORE_COMMON_PRIVATE_IDENTIFIERS_FOR_SHADOWREALM_EACH_PROPERTY_NAME(macro) \ class WebCoreBuiltinNames { public: Modified: trunk/Source/WebCore/bindings/scripts/preprocess-idls.pl (295458 => 295459) --- trunk/Source/WebCore/bindings/scripts/preprocess-idls.pl 2022-06-10 18:50:09 UTC (rev 295458) +++ trunk/Source/WebCore/bindings/scripts/preprocess-idls.pl 2022-06-10 19:01:43 UTC (rev 295459) @@ -501,6 +501,15 @@ $extendedAttributes->{"Conditional"} = $existingConditional; } +if ($globalContext eq "ShadowRealm" && $extendedAttributes->{"Exposed"} eq "*") { +my $enabledBySetting = "WebAPIsInShadowRealmEnabled"; +my $existingEnabledBySetting = $extendedAttributes->{"EnabledBySetting"}; +if ($existingEnabledBySetting) { +$enabledBySetting .= "&" . $existingEnabledBySetting; +} +$extendedAttributes->{"EnabledBySetting"} = $enabledBySetting; +} + my $code = ""; my @extendedAttributesList; foreach my $attributeName (sort keys %{$extendedAttributes}) { Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSShadowRealmGlobalScope.cpp (295458 => 295459) --- trunk/Source/WebCore/bindings/scripts/test/JS/JSShadowRealmGlobalScope.cpp 2022-06-10 18:50:09 UTC (rev 295458) +++ trunk/Source/WebCore/bindings/scripts/test/JS/JSShadowRealmGlobalScope.cpp 2022-06-10 19:01:43 UTC (rev 295459) @@ -59,22 +59,18 @@ /* Hash
[webkit-changes] [292895] trunk
Title: [292895] trunk Revision 292895 Author ca...@igalia.com Date 2022-04-14 16:39:06 -0700 (Thu, 14 Apr 2022) Log Message [JSC] ShadowRealm global object has a mutable prototype https://bugs.webkit.org/show_bug.cgi?id=239332 Reviewed by Yusuke Suzuki. JSTests: * stress/shadow-realm-globalThis-mutable-prototype.js: Added. Source/_javascript_Core: This patch circumvents the `ASSERT(toThis() == this)` in JSObject::setPrototypeWithCycleCheck() when `this` is a GlobalObject. Ordinarily, GlobalObjects have the IsImmutablePrototypeExoticObject bit set and miss this pathway, however this is not the case for ShadowRealm Global Objects. In addition, the JSC internal version is also modified to have a mutable prototype in the same way as in WebCore. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::deriveShadowRealmGlobalObject): (JSC::JSGlobalObject::createStructureForShadowRealm): * runtime/JSObject.cpp: (JSC::JSObject::setPrototypeWithCycleCheck): Source/WebCore: Hack: The IDL code generator now special cases ShadowRealmGlobalObject to remove the ImmutablePrototypeExoticObject bit from the inherited JSGlobalObject structure flags. As a result, this enables the assignment of a ShadowRealm's globalThis.__proto__, or overwriting the prototype with [Object / Reflect].setPrototypeOf(). Test: js/ShadowRealm-globalThis.html * bindings/scripts/CodeGeneratorJS.pm: (GenerateHeader): * bindings/scripts/test/JS/JSShadowRealmGlobalScope.h: LayoutTests: Add a new layout test to verify changes to verify that ShadowRealmGlobalObject has a properly mutable prototype. * js/ShadowRealm-globalThis-expected.txt: Added. * js/ShadowRealm-globalThis.html: Added. Modified Paths trunk/JSTests/ChangeLog trunk/LayoutTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm trunk/Source/WebCore/bindings/scripts/test/JS/JSShadowRealmGlobalScope.h Added Paths trunk/JSTests/stress/shadow-realm-globalThis-mutable-prototype.js trunk/LayoutTests/js/ShadowRealm-globalThis-expected.txt trunk/LayoutTests/js/ShadowRealm-globalThis.html Diff Modified: trunk/JSTests/ChangeLog (292894 => 292895) --- trunk/JSTests/ChangeLog 2022-04-14 23:36:49 UTC (rev 292894) +++ trunk/JSTests/ChangeLog 2022-04-14 23:39:06 UTC (rev 292895) @@ -1,3 +1,12 @@ +2022-04-14 Caitlin Potter + +[JSC] ShadowRealm global object has a mutable prototype +https://bugs.webkit.org/show_bug.cgi?id=239332 + +Reviewed by Yusuke Suzuki. + +* stress/shadow-realm-globalThis-mutable-prototype.js: Added. + 2022-04-14 Alexey Shvayka InternalFunction::createSubclassStructure() should use base object's global object Added: trunk/JSTests/stress/shadow-realm-globalThis-mutable-prototype.js (0 => 292895) --- trunk/JSTests/stress/shadow-realm-globalThis-mutable-prototype.js (rev 0) +++ trunk/JSTests/stress/shadow-realm-globalThis-mutable-prototype.js 2022-04-14 23:39:06 UTC (rev 292895) @@ -0,0 +1,39 @@ +//@ requireOptions("--useShadowRealm=1") + +let sr = new ShadowRealm; + +let install = sr.evaluate(` +(function(name, fn) { + globalThis[name] = fn; +}) +`); + +let log = function(...args) { + let string = args.join(" "); + print(string); + return string; +}; +install("log", log); + +// Test that the GlobalObject prototype is not immutable, +let MAX_ITER = 1; +sr.evaluate(` + var i = 1; + function test() { +globalThis.__proto__ = { x: i++ }; + } + for (let i = 0; i < ${MAX_ITER}; ++i) { +try { + test(); + if (globalThis.x !== i + 1) +throw new Error(\`Prototype not written successfully (Expected globalThis.x === \${i + 1}, but found \${globalThis.x})\`); +} catch (e) { + log(\`\${e}\`); + throw e; +} + } +`); + +if (sr.evaluate(`globalThis.x`) !== MAX_ITER) + throw new Error("Prototype invalid in separate eval"); + Modified: trunk/LayoutTests/ChangeLog (292894 => 292895) --- trunk/LayoutTests/ChangeLog 2022-04-14 23:36:49 UTC (rev 292894) +++ trunk/LayoutTests/ChangeLog 2022-04-14 23:39:06 UTC (rev 292895) @@ -1,3 +1,16 @@ +2022-04-14 Caitlin Potter + +[JSC] ShadowRealm global object has a mutable prototype +https://bugs.webkit.org/show_bug.cgi?id=239332 + +Reviewed by Yusuke Suzuki. + +Add a new layout test to verify changes to verify that ShadowRealmGlobalObject has a properly +mutable prototype. + +* js/ShadowRealm-globalThis-expected.txt: Added. +* js/ShadowRealm-globalThis.html: Added. + 2022-04-14 Nikolaos Mouchtaris calc(): Serialize top level min/max/hypot as calc() Added: trunk/LayoutTests/js/ShadowRealm-globalThis-expected.txt (0 => 292895) --- trunk/LayoutTests/js/ShadowRealm-globalThis-expected.txt (rev 0) +++
[webkit-changes] [289417] trunk
Title: [289417] trunk Revision 289417 Author ca...@igalia.com Date 2022-02-08 12:42:04 -0800 (Tue, 08 Feb 2022) Log Message [JSC] move function wrapping logic to a new Function type https://bugs.webkit.org/show_bug.cgi?id=235382 Reviewed by Yusuke Suzuki. JSTests: Adds a new file testing CopyNameAndLength stuff in the ShadowRealm proposal, and fix up assertions about this in shadow-realm-evaluate.js * stress/shadow-realm-evaluate.js: * stress/shadow-realm-remote-function-copy-length-and-name.js: Added. Source/_javascript_Core: In this initial patch, there is still a lot of JS-builtin machinery, including some duplicated functionality. Additionally, JIT support has not been incorporated yet. Broadly, the idea is that there are custom hooks for calling a JSRemoteFunction, which perform the wrapping functionality. This avoids the need for allocating closures which contain the wrapping logic. TODO: - JIT/DFG/FTL support - structure caching (unnecessary since these are not constructors?) - improved baseline perf * CMakeLists.txt: * _javascript_Core.xcodeproj/project.pbxproj: * Sources.txt: * assembler/LinkBuffer.h: * builtins/BuiltinNames.h: * builtins/ShadowRealmPrototype.js: * bytecode/LinkTimeConstant.h: * dfg/DFGSpeculativeJIT.cpp: * ftl/FTLLowerDFGToB3.cpp: * heap/Heap.cpp: * heap/Heap.h: * inspector/JSInjectedScriptHost.cpp: * interpreter/Interpreter.cpp: * jit/AssemblyHelpers.h: * jit/JITOperations.cpp: * jit/JITOperations.h: * jit/ThunkGenerators.cpp: * jit/ThunkGenerators.h: * jsc.cpp: * runtime/ErrorInstance.cpp: * runtime/FunctionPrototype.cpp: * runtime/InternalFunction.cpp: * runtime/Intrinsic.cpp: * runtime/Intrinsic.h: * runtime/JSCast.h: * runtime/JSFunction.cpp: * runtime/JSFunction.h: * runtime/JSFunctionInlines.h: * runtime/JSGlobalObject.cpp: * runtime/JSGlobalObject.h: * runtime/JSRemoteFunction.cpp: Added. * runtime/JSRemoteFunction.h: Added. * runtime/VM.cpp: * runtime/VM.h: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/shadow-realm-evaluate.js trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/assembler/LinkBuffer.h trunk/Source/_javascript_Core/builtins/BuiltinNames.h trunk/Source/_javascript_Core/builtins/ShadowRealmPrototype.js trunk/Source/_javascript_Core/bytecode/LinkTimeConstant.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/Heap.h trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp trunk/Source/_javascript_Core/jit/ThunkGenerators.h trunk/Source/_javascript_Core/jsc.cpp trunk/Source/_javascript_Core/runtime/ErrorInstance.cpp trunk/Source/_javascript_Core/runtime/FunctionPrototype.cpp trunk/Source/_javascript_Core/runtime/InternalFunction.cpp trunk/Source/_javascript_Core/runtime/Intrinsic.cpp trunk/Source/_javascript_Core/runtime/Intrinsic.h trunk/Source/_javascript_Core/runtime/JSCast.h trunk/Source/_javascript_Core/runtime/JSFunction.cpp trunk/Source/_javascript_Core/runtime/JSFunction.h trunk/Source/_javascript_Core/runtime/JSFunctionInlines.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/VM.cpp trunk/Source/_javascript_Core/runtime/VM.h Added Paths trunk/JSTests/stress/shadow-realm-remote-function-copy-length-and-name.js trunk/Source/_javascript_Core/runtime/JSRemoteFunction.cpp trunk/Source/_javascript_Core/runtime/JSRemoteFunction.h Diff Modified: trunk/JSTests/ChangeLog (289416 => 289417) --- trunk/JSTests/ChangeLog 2022-02-08 20:25:39 UTC (rev 289416) +++ trunk/JSTests/ChangeLog 2022-02-08 20:42:04 UTC (rev 289417) @@ -1,3 +1,16 @@ +2022-02-08 Caitlin Potter + +[JSC] move function wrapping logic to a new Function type +https://bugs.webkit.org/show_bug.cgi?id=235382 + +Reviewed by Yusuke Suzuki. + +Adds a new file testing CopyNameAndLength stuff in the ShadowRealm proposal, +and fix up assertions about this in shadow-realm-evaluate.js + +* stress/shadow-realm-evaluate.js: +* stress/shadow-realm-remote-function-copy-length-and-name.js: Added. + 2022-02-06 Yusuke Suzuki [Wasm] ref.null check should be done first in B3 call_ref Modified: trunk/JSTests/stress/shadow-realm-evaluate.js (289416 => 289417) --- trunk/JSTests/stress/shadow-realm-evaluate.js 2022-02-08 20:25:39 UTC (rev 289416) +++ trunk/JSTests/stress/shadow-realm-evaluate.js 2022-02-08 20:42:04 UTC (rev
[webkit-changes] [287154] trunk/Source/JavaScriptCore
Title: [287154] trunk/Source/_javascript_Core Revision 287154 Author ca...@igalia.com Date 2021-12-16 13:05:43 -0800 (Thu, 16 Dec 2021) Log Message [JSC] only emit pointer validation for ARM64E https://bugs.webkit.org/show_bug.cgi?id=234402 Reviewed by Yusuke Suzuki and Mark Lam. JIT thunks no longer emit `push ; pop ;` on non-ARM64E arches with the emitPointerValidation macro. * jit/ThunkGenerators.cpp: (JSC::emitPointerValidation): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (287153 => 287154) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-16 21:02:07 UTC (rev 287153) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-16 21:05:43 UTC (rev 287154) @@ -1,3 +1,16 @@ +2021-12-16 Caitlin Potter + +[JSC] only emit pointer validation for ARM64E +https://bugs.webkit.org/show_bug.cgi?id=234402 + +Reviewed by Yusuke Suzuki and Mark Lam. + +JIT thunks no longer emit `push ; pop ;` on +non-ARM64E arches with the emitPointerValidation macro. + +* jit/ThunkGenerators.cpp: +(JSC::emitPointerValidation): + 2021-12-16 Michael Saboff Create symlinks pointing to alternate root framework locations Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (287153 => 287154) --- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2021-12-16 21:02:07 UTC (rev 287153) +++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2021-12-16 21:05:43 UTC (rev 287154) @@ -148,6 +148,7 @@ template inline void emitPointerValidation(CCallHelpers& jit, GPRReg pointerGPR, TagType tag) { +#if CPU(ARM64E) if (!ASSERT_ENABLED) return; if (!Options::useJITCage()) { @@ -159,6 +160,11 @@ jit.validateUntaggedPtr(pointerGPR); jit.popToRestore(pointerGPR); } +#else +UNUSED_PARAM(jit); +UNUSED_PARAM(pointerGPR); +UNUSED_PARAM(tag); +#endif } // We will jump here if the JIT code tries to make a call, but the ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [285196] trunk/Source/WebCore
Title: [285196] trunk/Source/WebCore Revision 285196 Author ca...@igalia.com Date 2021-11-02 20:08:11 -0700 (Tue, 02 Nov 2021) Log Message [WebIDL] Support [Exposed=*] extended attribute https://bugs.webkit.org/show_bug.cgi?id=231082 Reviewed by Chris Dumez. Adds a shorthand to expose interfaces/attributes on Window, Workers*, and the forthcoming ShadowRealm global object. See https://github.com/heycam/webidl/issues/468 and https://github.com/heycam/webidl/pull/526 for details. * bindings/scripts/CodeGenerator.pm: (shouldPropertyBeExposed): * bindings/scripts/CodeGeneratorJS.pm: (GenerateRuntimeEnableConditionalStringForExposed): * bindings/scripts/IDLParser.pm: (parseExtendedAttributeRest2): * bindings/scripts/preprocess-idls.pl: * bindings/scripts/test/AudioWorkletGlobalScopeConstructors.idl: * bindings/scripts/test/DOMWindowConstructors.idl: * bindings/scripts/test/DedicatedWorkerGlobalScopeConstructors.idl: * bindings/scripts/test/ExposedStar.idl: Added. * bindings/scripts/test/JS/JSDOMWindow.cpp: (WebCore::jsDOMWindow_ExposedStarConstructorGetter): (WebCore::JSC_DEFINE_CUSTOM_GETTER): * bindings/scripts/test/JS/JSDedicatedWorkerGlobalScope.cpp: (WebCore::jsDedicatedWorkerGlobalScope_ExposedStarConstructorGetter): (WebCore::JSC_DEFINE_CUSTOM_GETTER): * bindings/scripts/test/JS/JSExposedStar.cpp: Added. (WebCore::JSExposedStarDOMConstructor::prototypeForStructure): (WebCore::JSExposedStarDOMConstructor::initializeProperties): (WebCore::JSExposedStarPrototype::finishCreation): (WebCore::JSExposedStar::JSExposedStar): (WebCore::JSExposedStar::finishCreation): (WebCore::JSExposedStar::createPrototype): (WebCore::JSExposedStar::prototype): (WebCore::JSExposedStar::getConstructor): (WebCore::JSC_DEFINE_CUSTOM_GETTER): (WebCore::jsExposedStarPrototypeFunction_operationForAllContextsBody): (WebCore::JSC_DEFINE_HOST_FUNCTION): (WebCore::jsExposedStarPrototypeFunction_operationJustForWindowContextsBody): (WebCore::jsExposedStarPrototypeFunction_operationJustForWorkerContextsBody): (WebCore::JSExposedStar::subspaceForImpl): (WebCore::JSExposedStar::analyzeHeap): (WebCore::toJSNewlyCreated): (WebCore::toJS): (WebCore::JSExposedStar::toWrapped): * bindings/scripts/test/JS/JSExposedStar.h: Added. (WebCore::JSExposedStar::create): (WebCore::JSExposedStar::createStructure): (WebCore::JSExposedStar::subspaceFor): (WebCore::JSExposedStar::wrapped const): (WebCore::toJS): (WebCore::toJSNewlyCreated): * bindings/scripts/test/JS/JSPaintWorkletGlobalScope.cpp: (WebCore::jsPaintWorkletGlobalScope_ExposedStarConstructorGetter): (WebCore::JSC_DEFINE_CUSTOM_GETTER): * bindings/scripts/test/JS/JSServiceWorkerGlobalScope.cpp: (WebCore::jsServiceWorkerGlobalScope_ExposedStarConstructorGetter): (WebCore::JSC_DEFINE_CUSTOM_GETTER): * bindings/scripts/test/PaintWorkletGlobalScopeConstructors.idl: * bindings/scripts/test/ServiceWorkerGlobalScopeConstructors.idl: * bindings/scripts/test/SupplementalDependencies.dep: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/scripts/CodeGenerator.pm trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm trunk/Source/WebCore/bindings/scripts/IDLParser.pm trunk/Source/WebCore/bindings/scripts/preprocess-idls.pl trunk/Source/WebCore/bindings/scripts/test/AudioWorkletGlobalScopeConstructors.idl trunk/Source/WebCore/bindings/scripts/test/DOMWindowConstructors.idl trunk/Source/WebCore/bindings/scripts/test/DedicatedWorkerGlobalScopeConstructors.idl trunk/Source/WebCore/bindings/scripts/test/JS/JSDOMWindow.cpp trunk/Source/WebCore/bindings/scripts/test/JS/JSDedicatedWorkerGlobalScope.cpp trunk/Source/WebCore/bindings/scripts/test/JS/JSPaintWorkletGlobalScope.cpp trunk/Source/WebCore/bindings/scripts/test/JS/JSServiceWorkerGlobalScope.cpp trunk/Source/WebCore/bindings/scripts/test/PaintWorkletGlobalScopeConstructors.idl trunk/Source/WebCore/bindings/scripts/test/ServiceWorkerGlobalScopeConstructors.idl trunk/Source/WebCore/bindings/scripts/test/SupplementalDependencies.dep Added Paths trunk/Source/WebCore/bindings/scripts/test/ExposedStar.idl trunk/Source/WebCore/bindings/scripts/test/JS/JSExposedStar.cpp trunk/Source/WebCore/bindings/scripts/test/JS/JSExposedStar.h Diff Modified: trunk/Source/WebCore/ChangeLog (285195 => 285196) --- trunk/Source/WebCore/ChangeLog 2021-11-03 02:26:54 UTC (rev 285195) +++ trunk/Source/WebCore/ChangeLog 2021-11-03 03:08:11 UTC (rev 285196) @@ -1,3 +1,69 @@ +2021-11-02 Caitln Potter + +[WebIDL] Support [Exposed=*] extended attribute +https://bugs.webkit.org/show_bug.cgi?id=231082 + +Reviewed by Chris Dumez. + +Adds a shorthand to expose interfaces/attributes on Window, Workers*, +and the forthcoming ShadowRealm global object. + +See https://github.com/heycam/webidl/issues/468 and +https://github.com/heycam/webidl/pull/526 for details. + +* bindings/scripts/CodeGenerator.pm: +(shouldPropertyBeExposed): +*
[webkit-changes] [284310] trunk
Title: [284310] trunk Revision 284310 Author ca...@igalia.com Date 2021-10-16 01:22:59 -0700 (Sat, 16 Oct 2021) Log Message Add github username for myself https://bugs.webkit.org/show_bug.cgi?id=231857 Reviewed by Yusuke Suzuki. * metadata/contributors.json: Modified Paths trunk/ChangeLog trunk/metadata/contributors.json Diff Modified: trunk/ChangeLog (284309 => 284310) --- trunk/ChangeLog 2021-10-16 07:58:04 UTC (rev 284309) +++ trunk/ChangeLog 2021-10-16 08:22:59 UTC (rev 284310) @@ -1,3 +1,12 @@ +2021-10-16 Caitlin Potter + +Add github username for myself +https://bugs.webkit.org/show_bug.cgi?id=231857 + +Reviewed by Yusuke Suzuki. + +* metadata/contributors.json: + 2021-10-15 Basuke Suzuki Add flag to turn off Iso heap Modified: trunk/metadata/contributors.json (284309 => 284310) --- trunk/metadata/contributors.json 2021-10-16 07:58:04 UTC (rev 284309) +++ trunk/metadata/contributors.json 2021-10-16 08:22:59 UTC (rev 284310) @@ -1227,6 +1227,7 @@ "emails" : [ "ca...@igalia.com" ], + "github" : "caitp", "name" : "Caitlin Potter", "nicks" : [ "caitp" ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [268794] trunk
Title: [268794] trunk Revision 268794 Author ca...@igalia.com Date 2020-10-21 07:06:02 -0700 (Wed, 21 Oct 2020) Log Message [JSC] support op_get_private_name in DFG and FTL https://bugs.webkit.org/show_bug.cgi?id=214861 Reviewed by Filip Pizlo. JSTests: * microbenchmarks/class-fields-private/monomorphic-get-private-field.js: Added. * microbenchmarks/class-fields-private/polymorphic-get-private-field.js: Added. * stress/dfg-get-private-name-by-id-generic.js: Added. * stress/dfg-get-private-name-by-id-osr-bad-identifier.js: Added. * stress/dfg-get-private-name-by-id.js: Added. * stress/dfg-get-private-name-by-offset-osr-bad-identifier.js: Added. * stress/dfg-get-private-name-by-offset-osr-bad-structure.js: Added. * stress/dfg-get-private-name-by-offset.js: Added. * stress/dfg-get-private-name-by-val-generic.js: Added. * stress/ftl-get-private-name-by-id.js: Added. * stress/ftl-get-private-name-by-offset-multi.js: Added. * stress/get-private-name-with-constant-ident.js: Added. * stress/get-private-name-with-constant-symbol.js: Added. * stress/get-private-name-with-different-symbol.js: Added. Source/_javascript_Core: Adds DFG/FTL support for op_get_private_name. During DFG bytecode parsing, we will attempt, if deemed possible by the information available, to output a GetByOffset operation. If a single private field identifier is used in all cases (the common case), but there are too many structure variants, a GetPrivateNameById operation is emitted instead. Failing that, the GetPrivateName operation is produced, which produces a GetByVal IC like in the baseline JIT. In FTL, GetPrivateNameByID can be reduced to [Multi]GetByOffset in the DFGConstantFoldingPhase, or a GetByID IC when lowering to B3. * bytecode/GetByStatus.cpp: (JSC::GetByStatus::computeFromLLInt): * bytecode/StructureStubInfo.h: (JSC::appropriateOptimizingGetByIdFunction): (JSC::appropriateGenericGetByIdFunction): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::simplifyGetByStatus): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::handleGetPrivateNameById): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::convertToGetByOffset): (JSC::DFG::Node::convertToMultiGetByOffset): (JSC::DFG::Node::hasCacheableIdentifier): (JSC::DFG::Node::hasHeapPrediction): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetPrivateName): (JSC::DFG::SpeculativeJIT::compileGetPrivateNameByVal): (JSC::DFG::SpeculativeJIT::compileGetPrivateNameById): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::getPrivateName): (JSC::FTL::DFG::LowerDFGToB3::compileGetPrivateName): (JSC::FTL::DFG::LowerDFGToB3::compileGetPrivateNameById): * jit/ICStats.h: * jit/JITOperations.cpp: (JSC::getPrivateName): (JSC::JSC_DEFINE_JIT_OPERATION): * jit/JITOperations.h: * jit/Repatch.cpp: (JSC::appropriateOptimizingGetByFunction): (JSC::appropriateGetByFunction): (JSC::tryCacheGetBy): * jit/Repatch.h: * runtime/OptionsList.h: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/GetByStatus.cpp trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGNode.h trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/ICStats.h trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/jit/Repatch.cpp trunk/Source/_javascript_Core/jit/Repatch.h
[webkit-changes] [265000] trunk
Title: [265000] trunk Revision 265000 Author ca...@igalia.com Date 2020-07-28 12:28:16 -0700 (Tue, 28 Jul 2020) Log Message [JSC] add IC support for op_get_private_name https://bugs.webkit.org/show_bug.cgi?id=213545 Reviewed by Saam Barati. JSTests: Add a crashtest for a crash in an earlier edition of the GPN IC patch. * stress/get-private-name-cache-failure.js: Added. Source/_javascript_Core: The baseline JIT now supports a fast path for op_private_name, using a variant of GetByVal IC. The generated AccessCase has the following qualities: - Always "direct", relying only on the current structure for cachebility - Never impure (DOM properties are not supported at this time, ProxyObjects are treated as JSObjects) Based on the microbenchmark reviewed on https://bugs.webkit.org/show_bug.cgi?id=213544, this sees an improvement of roughly 50% on average. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::reset): * bytecode/StructureStubInfo.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): * jit/ICStats.h: * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITInlineCacheGenerator.cpp: (JSC::JITGetByValGenerator::JITGetByValGenerator): * jit/JITInlineCacheGenerator.h: * jit/JITOperations.cpp: (JSC::getPrivateName): * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_val): (JSC::JIT::emit_op_get_private_name): (JSC::JIT::emitSlow_op_get_private_name): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_get_by_val): (JSC::JIT::emit_op_get_private_name): (JSC::JIT::emitSlow_op_get_private_name): * jit/Repatch.cpp: (JSC::appropriateOptimizingGetByFunction): (JSC::appropriateGetByFunction): (JSC::tryCacheGetBy): * jit/Repatch.h: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/StructureStubInfo.cpp trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/ICStats.h trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITInlineCacheGenerator.cpp trunk/Source/_javascript_Core/jit/JITInlineCacheGenerator.h trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp trunk/Source/_javascript_Core/jit/Repatch.cpp trunk/Source/_javascript_Core/jit/Repatch.h Added Paths trunk/JSTests/stress/get-private-name-cache-failure.js Diff Modified: trunk/JSTests/ChangeLog (264999 => 265000) --- trunk/JSTests/ChangeLog 2020-07-28 19:21:35 UTC (rev 264999) +++ trunk/JSTests/ChangeLog 2020-07-28 19:28:16 UTC (rev 265000) @@ -1,3 +1,14 @@ +2020-07-28 Caitlin Potter + +[JSC] add IC support for op_get_private_name +https://bugs.webkit.org/show_bug.cgi?id=213545 + +Reviewed by Saam Barati. + +Add a crashtest for a crash in an earlier edition of the GPN IC patch. + +* stress/get-private-name-cache-failure.js: Added. + 2020-07-27 Yusuke Suzuki [JSC][wasm] Truncating slightly less than INT32_MIN is incorrect Added: trunk/JSTests/stress/get-private-name-cache-failure.js (0 => 265000) --- trunk/JSTests/stress/get-private-name-cache-failure.js (rev 0) +++ trunk/JSTests/stress/get-private-name-cache-failure.js 2020-07-28 19:28:16 UTC (rev 265000) @@ -0,0 +1,42 @@ +//@requireOptions("--usePrivateClassFields=true", "--useLLInt=false", "--forceICFailure=true") +// Regression test: Ensure that we don't crash when op_get_private_field caching results in +// giving up on caching.` + +function assert(expr, message) { + if (!expr) +throw new Error(`Assertion Failed: ${message}`); +} +Object.assign(assert, { + equals(actual, expected) { +assert(actual === expected, `expected ${expected} but found ${actual}`); + }, + throws(fn, errorType) { +try { + fn(); +} catch (e) { + if (typeof errorType === "function") +assert(e instanceof errorType, `expected to throw ${errorType.name} but threw ${e}`); + return; +} +assert(false, `expected to throw, but no exception was thrown.`); + } +}); + +class C { + #x = 5; + get(o) { return o.#x; } +} +let get = C.prototype.get; +function testAccess() { + assert.equals(get(new C), 5); +} +noInline(testAccess); +function testThrows() { + assert.throws(() => get(globalThis), TypeError); +}
[webkit-changes] [264369] trunk/Source/JavaScriptCore
Title: [264369] trunk/Source/_javascript_Core Revision 264369 Author ca...@igalia.com Date 2020-07-14 12:50:03 -0700 (Tue, 14 Jul 2020) Log Message [JSC] fixup LLInt fast path in op_get_private_name https://bugs.webkit.org/show_bug.cgi?id=214311 Reviewed by Tadeu Zagallo. The LLInt slow path would previously always be taken in op_get_private_name, due to not comparing the operand field name's JSValue payload with the cached field name, but the register index itself. This fixup can't really be verified by tests, as it is primarily a minor performance improvement. * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (264368 => 264369) --- trunk/Source/_javascript_Core/ChangeLog 2020-07-14 19:27:34 UTC (rev 264368) +++ trunk/Source/_javascript_Core/ChangeLog 2020-07-14 19:50:03 UTC (rev 264369) @@ -1,3 +1,20 @@ +2020-07-14 Caitlin Potter + +[JSC] fixup LLInt fast path in op_get_private_name +https://bugs.webkit.org/show_bug.cgi?id=214311 + +Reviewed by Tadeu Zagallo. + +The LLInt slow path would previously always be taken in op_get_private_name, +due to not comparing the operand field name's JSValue payload with the cached +field name, but the register index itself. + +This fixup can't really be verified by tests, as it is primarily a +minor performance improvement. + +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: + 2020-07-14 Xan Lopez [JSC] Remove compiler warning in JSBigInt Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (264368 => 264369) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2020-07-14 19:27:34 UTC (rev 264368) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2020-07-14 19:50:03 UTC (rev 264369) @@ -1601,7 +1601,8 @@ metadata(t5, t0) # Slow path if the private field is stale -get(m_property, t0) +get(m_property, t1) +loadConstantOrVariablePayloadUnchecked(size, t1, t0) loadp OpGetPrivateName::Metadata::m_property[t5], t1 bpneq t1, t0, .opGetPrivateNameSlow Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (264368 => 264369) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2020-07-14 19:27:34 UTC (rev 264368) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2020-07-14 19:50:03 UTC (rev 264369) @@ -1699,7 +1699,8 @@ metadata(t2, t0) # Slow path if the private field is stale -get(m_property, t0) +get(m_property, t1) +loadConstantOrVariable(size, t1, t0) loadp OpGetPrivateName::Metadata::m_property[t2], t1 bpneq t1, t0, .opGetPrivateNameSlow ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [263491] trunk/Source/JavaScriptCore
Title: [263491] trunk/Source/_javascript_Core Revision 263491 Author ca...@igalia.com Date 2020-06-24 19:05:51 -0700 (Wed, 24 Jun 2020) Log Message [JSC] handle Put/DefinePrivateField in resetPutByID https://bugs.webkit.org/show_bug.cgi?id=213583 Reviewed by Yusuke Suzuki. r262613 extends and uses PutByValDirect to support updating and defining private fields, in order to reuse the IC machinery. The necessary resetPutByID change was erroneously omitted, and is presented here. * jit/Repatch.cpp: (JSC::resetPutByID): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/Repatch.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (263490 => 263491) --- trunk/Source/_javascript_Core/ChangeLog 2020-06-25 01:43:05 UTC (rev 263490) +++ trunk/Source/_javascript_Core/ChangeLog 2020-06-25 02:05:51 UTC (rev 263491) @@ -1,3 +1,16 @@ +2020-06-24 Caitlin Potter + +[JSC] handle Put/DefinePrivateField in resetPutByID +https://bugs.webkit.org/show_bug.cgi?id=213583 + +Reviewed by Yusuke Suzuki. + +r262613 extends and uses PutByValDirect to support updating and defining private fields, in order to reuse +the IC machinery. The necessary resetPutByID change was erroneously omitted, and is presented here. + +* jit/Repatch.cpp: +(JSC::resetPutByID): + 2020-06-24 Yusuke Suzuki [JSC] llintTrue / jitTrue can encounter native functions Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (263490 => 263491) --- trunk/Source/_javascript_Core/jit/Repatch.cpp 2020-06-25 01:43:05 UTC (rev 263490) +++ trunk/Source/_javascript_Core/jit/Repatch.cpp 2020-06-25 02:05:51 UTC (rev 263491) @@ -1483,6 +1483,10 @@ optimizedFunction = operationPutByIdNonStrictOptimize; else if (unoptimizedFunction == operationPutByIdDirectStrict || unoptimizedFunction == operationPutByIdDirectStrictOptimize) optimizedFunction = operationPutByIdDirectStrictOptimize; +else if (unoptimizedFunction == operationPutByIdPutPrivateFieldStrict || unoptimizedFunction == operationPutByIdPutPrivateFieldStrictOptimize) +optimizedFunction = operationPutByIdPutPrivateFieldStrictOptimize; +else if (unoptimizedFunction == operationPutByIdDefinePrivateFieldStrict || unoptimizedFunction == operationPutByIdDefinePrivateFieldStrictOptimize) +optimizedFunction = operationPutByIdDefinePrivateFieldStrictOptimize; else { ASSERT(unoptimizedFunction == operationPutByIdDirectNonStrict || unoptimizedFunction == operationPutByIdDirectNonStrictOptimize); optimizedFunction = operationPutByIdDirectNonStrictOptimize; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [263454] trunk
Title: [263454] trunk Revision 263454 Author ca...@igalia.com Date 2020-06-24 07:48:34 -0700 (Wed, 24 Jun 2020) Log Message [JSC] add microbenchmark for op_get_private_name https://bugs.webkit.org/show_bug.cgi?id=213544 Reviewed by Yusuke Suzuki. Add machinery to add --usePrivateClassFields flag in a family of microbenchmarks. * Scripts/run-jsc-benchmarks: Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-benchmarks Added Paths trunk/JSTests/microbenchmarks/class-fields-private/ trunk/JSTests/microbenchmarks/class-fields-private/get-private-name.js Diff Added: trunk/JSTests/microbenchmarks/class-fields-private/get-private-name.js (0 => 263454) --- trunk/JSTests/microbenchmarks/class-fields-private/get-private-name.js (rev 0) +++ trunk/JSTests/microbenchmarks/class-fields-private/get-private-name.js 2020-06-24 14:48:34 UTC (rev 263454) @@ -0,0 +1,29 @@ +//@ requireOptions("--usePrivateClassFields=true") + +function assert(b, m = "Assertion failed") { +if (!b) +throw new Error(m); +} + +function test1() { +function factory(i) { +return new class { +#x = i; +get() { return this.#x; } +}; +} + +function foo(o, i) { +return o.get(); +} +noInline(foo); + +let a = factory(42); +let b = factory(43); +let start = Date.now(); +for (let i = 0; i < 1000; ++i) { +assert(foo(a, "a") === 42); +assert(foo(b, "b") === 43); +} +} +test1(); Modified: trunk/Tools/ChangeLog (263453 => 263454) --- trunk/Tools/ChangeLog 2020-06-24 14:07:32 UTC (rev 263453) +++ trunk/Tools/ChangeLog 2020-06-24 14:48:34 UTC (rev 263454) @@ -1,3 +1,15 @@ +2020-06-24 Caitlin Potter + +[JSC] add microbenchmark for op_get_private_name +https://bugs.webkit.org/show_bug.cgi?id=213544 + +Reviewed by Yusuke Suzuki. + +Add machinery to add --usePrivateClassFields flag in a family of +microbenchmarks. + +* Scripts/run-jsc-benchmarks: + 2020-06-24 Carlos Garcia Campos [GTK][WPE] Add API to allow applications to handle the HTTP authentication credential storage Modified: trunk/Tools/Scripts/run-jsc-benchmarks (263453 => 263454) --- trunk/Tools/Scripts/run-jsc-benchmarks 2020-06-24 14:07:32 UTC (rev 263453) +++ trunk/Tools/Scripts/run-jsc-benchmarks 2020-06-24 14:48:34 UTC (rev 263454) @@ -51,6 +51,7 @@ TAILBENCH_PATH = PERFORMANCETESTS_PATH + "TailBench9000" BIGINTBENCH_PATH = PERFORMANCETESTS_PATH + "BigIntBench" MICROBENCHMARKS_PATH = OPENSOURCE_PATH + "JSTests" + "microbenchmarks" +PRIVATEFIELDSBENCH_PATH = MICROBENCHMARKS_PATH + "class-fields-private" SLOW_MICROBENCHMARKS_PATH = OPENSOURCE_PATH + "JSTests" + "slowMicrobenchmarks" OPENSOURCE_OCTANE_PATH = PERFORMANCETESTS_PATH + "Octane" OCTANE_WRAPPER_PATH = OPENSOURCE_OCTANE_PATH + "wrappers" @@ -235,6 +236,7 @@ $includeSixSpeed = false $includeTailBench = true $includeBigIntBench = false +$includePrivateFieldsBench = false $measureGC=false $benchmarkPattern=nil $verbosity=0 @@ -1767,7 +1769,22 @@ end end +class PrivateFieldsBenchmark +include Benchmark +def initialize(name) +@name = name +end + +def emitRunCode(plan) +emitBenchRunCode(fullname, plan, SingleFileTimedBenchmarkParameters.new(ensureFile("PrivateFieldsBench-#{@name}", "#{PRIVATEFIELDSBENCH_PATH}/#{@name}.js"))) +end + +def environment +{"JSC_usePrivateClassFields" => "true"} +end +end + class MicrobenchmarksBenchmark include Benchmark @@ -2866,6 +2883,7 @@ ['--six-speed', GetoptLong::NO_ARGUMENT], ['--tail-bench', GetoptLong::NO_ARGUMENT], ['--big-int-bench', GetoptLong::NO_ARGUMENT], + ['--private-fields-bench', GetoptLong::NO_ARGUMENT], ['--benchmarks', GetoptLong::REQUIRED_ARGUMENT], ['--measure-gc', GetoptLong::OPTIONAL_ARGUMENT], ['--force-vm-kind', GetoptLong::REQUIRED_ARGUMENT], @@ -2984,6 +3002,9 @@ when '--big-int-bench' resetBenchOptionsIfNecessary $includeBigIntBench = true +when '--private-fields-bench' + resetBenchOptionsIfNecessary + $includePrivateFieldsBench = true when '--benchmarks' $benchmarkPattern = Regexp.new(arg) when '--measure-gc' @@ -3221,6 +3242,15 @@ end } + PRIVATEFIELDSBENCH = BenchmarkSuite.new("PrivateFieldsBench", :geometricMean, 0) + Dir.foreach(PRIVATEFIELDSBENCH_PATH) { +| filename | +if filename =~ /\.js$/ +name = $~.pre_match +PRIVATEFIELDSBENCH.add PrivateFieldsBenchmark.new(name) +end + } + MICROBENCHMARKS = BenchmarkSuite.new("Microbenchmarks", :geometricMean, 0) Dir.foreach(MICROBENCHMARKS_PATH) { | filename | @@ -3392,6 +3422,10 @@ $suites << BIGINTBENCH end + if $includePrivateFieldsBench and not PRIVATEFIELDSBENCH.empty? +$suites
[webkit-changes] [263046] trunk
Title: [263046] trunk Revision 263046 Author ca...@igalia.com Date 2020-06-15 11:35:28 -0700 (Mon, 15 Jun 2020) Log Message [JSC] add machinery to disable JIT tiers when experimental features are enabled https://bugs.webkit.org/show_bug.cgi?id=213193 Reviewed by Mark Lam. JSTests: * stress/get-private-name.js: * stress/put-by-val-direct-addprivate.js: * stress/put-by-val-direct-putprivate.js: Source/_javascript_Core: A new macro FOR_EACH_JSC_EXPERIMENTAL_OPTION() supplies flags indicating the supported JIT tiers (or, in the future, other options) of a particular feature, in an easy to understand format. These flags are then used to recompute dependent feature flags. This should simplify the incremental development of language features. * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * runtime/Options.cpp: (JSC::recomputeDependentOptions): * runtime/OptionsList.h: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/get-private-name.js trunk/JSTests/stress/put-by-val-direct-addprivate.js trunk/JSTests/stress/put-by-val-direct-putprivate.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGCapabilities.cpp trunk/Source/_javascript_Core/runtime/Options.cpp trunk/Source/_javascript_Core/runtime/OptionsList.h Diff Modified: trunk/JSTests/ChangeLog (263045 => 263046) --- trunk/JSTests/ChangeLog 2020-06-15 18:29:58 UTC (rev 263045) +++ trunk/JSTests/ChangeLog 2020-06-15 18:35:28 UTC (rev 263046) @@ -1,3 +1,14 @@ +2020-06-15 Caitlin Potter + +[JSC] add machinery to disable JIT tiers when experimental features are enabled +https://bugs.webkit.org/show_bug.cgi?id=213193 + +Reviewed by Mark Lam. + +* stress/get-private-name.js: +* stress/put-by-val-direct-addprivate.js: +* stress/put-by-val-direct-putprivate.js: + 2020-06-15 Alexey Shvayka super should not depend on __proto__ Modified: trunk/JSTests/stress/get-private-name.js (263045 => 263046) --- trunk/JSTests/stress/get-private-name.js 2020-06-15 18:29:58 UTC (rev 263045) +++ trunk/JSTests/stress/get-private-name.js 2020-06-15 18:35:28 UTC (rev 263046) @@ -1,6 +1,4 @@ -// FIXME: //@ requireOptions("--usePrivateClassFields=1") --- Run this in all variants once https://bugs.webkit.org/show_bug.cgi?id=212781 is fixed -//@ runNoJIT("--usePrivateClassFields=1") -//@ runNoLLInt("--usePrivateClassFields=1") +//@ requireOptions("--usePrivateClassFields=1") // GetPrivateName should throw when the receiver does not have the requested private property let i, threw = false; Modified: trunk/JSTests/stress/put-by-val-direct-addprivate.js (263045 => 263046) --- trunk/JSTests/stress/put-by-val-direct-addprivate.js 2020-06-15 18:29:58 UTC (rev 263045) +++ trunk/JSTests/stress/put-by-val-direct-addprivate.js 2020-06-15 18:35:28 UTC (rev 263046) @@ -1,7 +1,4 @@ -// TODO: //@ requireOptions("--usePrivateClassFields=1") -- Currently, eager JIT is not supported for private field access. -//@ runDefault("--usePrivateClassFields=1") -//@ runNoJIT("--usePrivateClassFields=1") -//@ runNoLLInt("--usePrivateClassFields=1") +//@ requireOptions("--usePrivateClassFields=1") // PrivateField "Create" access should throw if writing to a non-existent PrivateName. let c, i = 0, threw = false; Modified: trunk/JSTests/stress/put-by-val-direct-putprivate.js (263045 => 263046) --- trunk/JSTests/stress/put-by-val-direct-putprivate.js 2020-06-15 18:29:58 UTC (rev 263045) +++ trunk/JSTests/stress/put-by-val-direct-putprivate.js 2020-06-15 18:35:28 UTC (rev 263046) @@ -1,7 +1,4 @@ -// FIXME: //@ requireOptions("--usePrivateClassFields=1") -- Currently, eager JIT is not supported for private field access. https://bugs.webkit.org/show_bug.cgi?id=212784 -//@ runDefault("--usePrivateClassFields=1") -//@ runNoJIT("--usePrivateClassFields=1") -//@ runNoLLInt("--usePrivateClassFields=1") +//@ requireOptions("--usePrivateClassFields=1") // PrivateField "Put" access should throw if writing to a non-existent PrivateName. let c, i = 0, threw = false; Modified: trunk/Source/_javascript_Core/ChangeLog (263045 => 263046) --- trunk/Source/_javascript_Core/ChangeLog 2020-06-15 18:29:58 UTC (rev 263045) +++ trunk/Source/_javascript_Core/ChangeLog 2020-06-15 18:35:28 UTC (rev 263046) @@ -1,3 +1,23 @@ +2020-06-15 Caitlin Potter + +[JSC] add machinery to disable JIT tiers when experimental features are enabled +https://bugs.webkit.org/show_bug.cgi?id=213193 + +Reviewed by Mark Lam. + +A new macro FOR_EACH_JSC_EXPERIMENTAL_OPTION() supplies flags indicating the supported +JIT tiers (or, in the future, other options) of a particular feature, +in an easy to understand format. These flags are then used to +recompute dependent feature flags. + +This should simplify the incremental development of language features. + +* dfg/DFGCapabilities.cpp: +(JSC::DFG::capabilityLevel): +*
[webkit-changes] [262847] trunk/JSTests
Title: [262847] trunk/JSTests Revision 262847 Author ca...@igalia.com Date 2020-06-10 12:08:32 -0700 (Wed, 10 Jun 2020) Log Message [JSC] add stress test for op_get_private_name https://bugs.webkit.org/show_bug.cgi?id=213024 Reviewed by Mark Lam. * stress/get-private-name.js: Added. Modified Paths trunk/JSTests/ChangeLog Added Paths trunk/JSTests/stress/get-private-name.js Diff Modified: trunk/JSTests/ChangeLog (262846 => 262847) --- trunk/JSTests/ChangeLog 2020-06-10 19:04:56 UTC (rev 262846) +++ trunk/JSTests/ChangeLog 2020-06-10 19:08:32 UTC (rev 262847) @@ -1,3 +1,12 @@ +2020-06-10 Caitlin Potter + +[JSC] add stress test for op_get_private_name +https://bugs.webkit.org/show_bug.cgi?id=213024 + +Reviewed by Mark Lam. + +* stress/get-private-name.js: Added. + 2020-06-09 Mark Lam Stringifier::appendStringifiedValue() should not assume it is always safe to recurse. Added: trunk/JSTests/stress/get-private-name.js (0 => 262847) --- trunk/JSTests/stress/get-private-name.js (rev 0) +++ trunk/JSTests/stress/get-private-name.js 2020-06-10 19:08:32 UTC (rev 262847) @@ -0,0 +1,29 @@ +// FIXME: //@ requireOptions("--usePrivateClassFields=1") --- Run this in all variants once https://bugs.webkit.org/show_bug.cgi?id=212781 is fixed +//@ runNoJIT("--usePrivateClassFields=1") +//@ runNoLLInt("--usePrivateClassFields=1") + +// GetPrivateName should throw when the receiver does not have the requested private property +let i, threw = false; +class C { +#x = i; +constructor() { if (i === 30) return { [Symbol.toStringTag]: "without #x"}; } +static x(obj) { return obj.#x; } +get [Symbol.toStringTag]() { return "with #x"; } +} + +try { +for (i = 0; i < 50; ++i) { +let c = new C; +let result = C.x(c); +if (result !== i) +throw new Error(`Expected C.x(${c}) to be ${i}, but found ${result}`); +} +} catch (e) { +threw = true; +if (i !== 30 || e.constructor !== TypeError) { +throw e; +} +} + +if (!threw) +throw new Error("Expected TypeError, but no exception was thrown"); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [254801] trunk
Title: [254801] trunk Revision 254801 Author ca...@igalia.com Date 2020-01-18 15:14:31 -0800 (Sat, 18 Jan 2020) Log Message [JSC] add DFG/FTL support for op_to_property_key https://bugs.webkit.org/show_bug.cgi?id=206368 JSTests: Reviewed by Saam Barati. * stress/class-fields-to-property-key-const-string-ftl.js: Added. * stress/class-fields-to-property-key-const-symbol-ftl.js: Added. * stress/class-fields-to-property-key-slow-object-tostring-ftl.js: Added. * stress/class-fields-to-property-key-slow-object-valueof-ftl.js: Added. * stress/class-fields-to-property-key-string-object-ftl.js: Added. * stress/class-fields-to-property-key-string-or-string-object-ftl.js: Added. Source/_javascript_Core: Reviewed by Saam Barati. Implement DFG/FTL support for the op_to_property_key opcode. This operates similar to the LLInt and base JIT implementations, in which we avoid invoking the full ToPropertyKey operation if the source operand is already a String or Symbol at runtime. If DFG/FTL are confident the value will be a String or Symbol at compile time, the operation is omitted entirely in the final graph. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::convertToToString): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileToPrimitive): (JSC::DFG::SpeculativeJIT::compileToPropertyKey): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileToPropertyKey): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGCapabilities.cpp trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp trunk/Source/_javascript_Core/dfg/DFGNode.h trunk/Source/_javascript_Core/dfg/DFGNodeType.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGOperations.h trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp Added Paths trunk/JSTests/stress/class-fields-to-property-key-const-string-ftl.js trunk/JSTests/stress/class-fields-to-property-key-const-symbol-ftl.js trunk/JSTests/stress/class-fields-to-property-key-slow-object-tostring-ftl.js trunk/JSTests/stress/class-fields-to-property-key-slow-object-valueof-ftl.js trunk/JSTests/stress/class-fields-to-property-key-string-object-ftl.js trunk/JSTests/stress/class-fields-to-property-key-string-or-string-object-ftl.js Diff Modified: trunk/JSTests/ChangeLog (254800 => 254801) --- trunk/JSTests/ChangeLog 2020-01-18 20:35:11 UTC (rev 254800) +++ trunk/JSTests/ChangeLog 2020-01-18 23:14:31 UTC (rev 254801) @@ -1,3 +1,17 @@ +2020-01-18 Caitlin Potter + +[JSC] add DFG/FTL support for op_to_property_key +https://bugs.webkit.org/show_bug.cgi?id=206368 + +Reviewed by Saam Barati. + +* stress/class-fields-to-property-key-const-string-ftl.js: Added. +* stress/class-fields-to-property-key-const-symbol-ftl.js: Added. +* stress/class-fields-to-property-key-slow-object-tostring-ftl.js: Added. +* stress/class-fields-to-property-key-slow-object-valueof-ftl.js: Added. +* stress/class-fields-to-property-key-string-object-ftl.js: Added. +* stress/class-fields-to-property-key-string-or-string-object-ftl.js: Added. + 2020-01-17 Saam Barati Air O0 should have better stack allocation Added: trunk/JSTests/stress/class-fields-to-property-key-const-string-ftl.js (0 => 254801) --- trunk/JSTests/stress/class-fields-to-property-key-const-string-ftl.js (rev 0)
[webkit-changes] [244330] trunk
Title: [244330] trunk Revision 244330 Author ca...@igalia.com Date 2019-04-16 08:58:59 -0700 (Tue, 16 Apr 2019) Log Message [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames() https://bugs.webkit.org/show_bug.cgi?id=176810 Reviewed by Saam Barati. JSTests: Add tests for the DontEnum filtering, and variations of other tests take the DontEnum-filtering path. * stress/proxy-own-keys.js: (i.catch): (set assert): (set add): (let.set new): (get let): Source/_javascript_Core: This adds conditional logic following the invariant checks, to perform filtering in common uses of getOwnPropertyNames. While this would ideally only be done in JSPropertyNameEnumerator, adding the filtering to ProxyObject::performGetOwnPropertyNames maintains the invariant that the EnumerationMode is properly followed. This was originally rolled out in r244020, as DontEnum filtering code in ObjectConstructor.cpp's ownPropertyKeys() had not been removed. It's now redundant due to being handled in ProxyObject::getOwnPropertyNames(). * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::reset): * runtime/ProxyObject.cpp: (JSC::ProxyObject::performGetOwnPropertyNames): Source/WebCore: Previously, there was a comment here indicating uncertainty of whether it was necessary to filter DontEnum properties explicitly or not. It turns out that it was necessary in the case of JSC ProxyObjects. This patch adds DontEnum filtering for ProxyObjects, however we continue to explicitly filter them in JSDOMConvertRecord, which needs to use the property descriptor after filtering. This change prevents observably fetching the property descriptor twice per property. * bindings/js/JSDOMConvertRecord.h: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/proxy-own-keys.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp trunk/Source/_javascript_Core/runtime/PropertyNameArray.h trunk/Source/_javascript_Core/runtime/ProxyObject.cpp trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSDOMConvertRecord.h Diff Modified: trunk/JSTests/ChangeLog (244329 => 244330) --- trunk/JSTests/ChangeLog 2019-04-16 09:41:00 UTC (rev 244329) +++ trunk/JSTests/ChangeLog 2019-04-16 15:58:59 UTC (rev 244330) @@ -1,3 +1,20 @@ +2019-04-16 Caitlin Potter + +[JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames() +https://bugs.webkit.org/show_bug.cgi?id=176810 + +Reviewed by Saam Barati. + +Add tests for the DontEnum filtering, and variations of other tests +take the DontEnum-filtering path. + +* stress/proxy-own-keys.js: +(i.catch): +(set assert): +(set add): +(let.set new): +(get let): + 2019-04-15 Saam barati Modify how we do SetArgument when we inline varargs calls Modified: trunk/JSTests/stress/proxy-own-keys.js (244329 => 244330) --- trunk/JSTests/stress/proxy-own-keys.js 2019-04-16 09:41:00 UTC (rev 244329) +++ trunk/JSTests/stress/proxy-own-keys.js 2019-04-16 15:58:59 UTC (rev 244330) @@ -135,6 +135,22 @@ assert(called); called = false; } + +for (let i = 0; i < 500; i++) { +let threw = false; +let foundKey = false; +try { +for (let k in proxy) +foundKey = true; +} catch(e) { +threw = true; +assert(e.toString() === "TypeError: Proxy object's non-extensible 'target' has configurable property 'x' that was not in the result from the 'ownKeys' trap"); +assert(!foundKey); +} +assert(threw); +assert(called); +called = false; +} } { @@ -166,6 +182,22 @@ assert(called); called = false; } + +for (let i = 0; i < 500; i++) { +let threw = false; +let reached = false; +try { +for (let k in proxy) +reached = true; +} catch (e) { +threw = true; +assert(e.toString() === "TypeError: Proxy handler's 'ownKeys' method returned a key that was not present in its non-extensible target"); +} +assert(threw); +assert(called); +assert(!reached); +called = false; +} } { @@ -667,3 +699,68 @@ error = null; } } + +{ +let error = null; +let s1 = Symbol(); +let s2 = Symbol(); +let target = Object.defineProperties({}, { +x: { +value: "X", +enumerable: true, +configurable: true, +}, +dontEnum1: { +value: "dont-enum", +enumerable: false, +configurable: true, +}, +y: { +get() { return "Y"; }, +enumerable: true, +configurable: true, +}, +dontEnum2: { +get() { return "dont-enum-accessor" }, +enumerable: false, +configurable: true +
[webkit-changes] [243943] trunk
Title: [243943] trunk Revision 243943 Author ca...@igalia.com Date 2019-04-05 14:28:10 -0700 (Fri, 05 Apr 2019) Log Message [JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames() https://bugs.webkit.org/show_bug.cgi?id=176810 Reviewed by Saam Barati. JSTests: Add tests for the DontEnum filtering, and variations of other tests take the DontEnum-filtering path. * stress/proxy-own-keys.js: (i.catch): (set assert): (set add): (let.set new): (get let): Source/_javascript_Core: This adds conditional logic following the invariant checks, to perform filtering in common uses of getOwnPropertyNames. While this would ideally only be done in JSPropertyNameEnumerator, adding the filtering to ProxyObject::performGetOwnPropertyNames maintains the invariant that the EnumerationMode is properly followed. * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::reset): * runtime/ProxyObject.cpp: (JSC::ProxyObject::performGetOwnPropertyNames): Source/WebCore: Previously, there was a comment here indicating uncertainty of whether it was necessary to filter DontEnum properties explicitly or not. It turns out that it was necessary in the case of JSC ProxyObjects. This patch adds DontEnum filtering for ProxyObjects, however we continue to explicitly filter them in JSDOMConvertRecord, which needs to use the property descriptor after filtering. This change prevents observably fetching the property descriptor twice per property. * bindings/js/JSDOMConvertRecord.h: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/proxy-own-keys.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/PropertyNameArray.h trunk/Source/_javascript_Core/runtime/ProxyObject.cpp trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSDOMConvertRecord.h Diff Modified: trunk/JSTests/ChangeLog (243942 => 243943) --- trunk/JSTests/ChangeLog 2019-04-05 21:13:47 UTC (rev 243942) +++ trunk/JSTests/ChangeLog 2019-04-05 21:28:10 UTC (rev 243943) @@ -1,5 +1,22 @@ 2019-04-05 Caitlin Potter +[JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames() +https://bugs.webkit.org/show_bug.cgi?id=176810 + +Reviewed by Saam Barati. + +Add tests for the DontEnum filtering, and variations of other tests +take the DontEnum-filtering path. + +* stress/proxy-own-keys.js: +(i.catch): +(set assert): +(set add): +(let.set new): +(get let): + +2019-04-05 Caitlin Potter + [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys https://bugs.webkit.org/show_bug.cgi?id=185211 Modified: trunk/JSTests/stress/proxy-own-keys.js (243942 => 243943) --- trunk/JSTests/stress/proxy-own-keys.js 2019-04-05 21:13:47 UTC (rev 243942) +++ trunk/JSTests/stress/proxy-own-keys.js 2019-04-05 21:28:10 UTC (rev 243943) @@ -135,6 +135,22 @@ assert(called); called = false; } + +for (let i = 0; i < 500; i++) { +let threw = false; +let foundKey = false; +try { +for (let k in proxy) +foundKey = true; +} catch(e) { +threw = true; +assert(e.toString() === "TypeError: Proxy object's non-extensible 'target' has configurable property 'x' that was not in the result from the 'ownKeys' trap"); +assert(!foundKey); +} +assert(threw); +assert(called); +called = false; +} } { @@ -166,6 +182,22 @@ assert(called); called = false; } + +for (let i = 0; i < 500; i++) { +let threw = false; +let reached = false; +try { +for (let k in proxy) +reached = true; +} catch (e) { +threw = true; +assert(e.toString() === "TypeError: Proxy handler's 'ownKeys' method returned a key that was not present in its non-extensible target"); +} +assert(threw); +assert(called); +assert(!reached); +called = false; +} } { @@ -667,3 +699,68 @@ error = null; } } + +{ +let error = null; +let s1 = Symbol(); +let s2 = Symbol(); +let target = Object.defineProperties({}, { +x: { +value: "X", +enumerable: true, +configurable: true, +}, +dontEnum1: { +value: "dont-enum", +enumerable: false, +configurable: true, +}, +y: { +get() { return "Y"; }, +enumerable: true, +configurable: true, +}, +dontEnum2: { +get() { return "dont-enum-accessor" }, +enumerable: false, +configurable: true +}, +[s1]: { +value: "s1", +enumerable: true, +configurable: true, +}, +[s2]: { +value: "dont-enum-symbol", +enumerable:
[webkit-changes] [243933] trunk
Title: [243933] trunk Revision 243933 Author ca...@igalia.com Date 2019-04-05 06:45:08 -0700 (Fri, 05 Apr 2019) Log Message JSTests: [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys https://bugs.webkit.org/show_bug.cgi?id=185211 Reviewed by Saam Barati. This is for the normative spec change in https://github.com/tc39/ecma262/pull/833 This changes several assertions to expect a TypeError to be thrown (in some cases, changing thee expected message). * es6/Proxy_ownKeys_duplicates.js: (handler): (shouldThrow): (test): * stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: (shouldThrow): * stress/proxy-own-keys.js: (i.catch): (assert): LayoutTests/imported/w3c: [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys https://bugs.webkit.org/show_bug.cgi?id=185211 Reviewed by Saam Barati. This is for the normative spec change in https://github.com/tc39/ecma262/pull/833 Change some test expectations which were previously expected to fail. * web-platform-tests/fetch/api/headers/headers-record-expected.txt: Source/_javascript_Core: [JSC] throw if ownKeys Proxy trap result contains duplicate keys https://bugs.webkit.org/show_bug.cgi?id=185211 Reviewed by Saam Barati. Implements the normative spec change in https://github.com/tc39/ecma262/pull/833 This involves tracking duplicate keys returned from the ownKeys trap in yet another HashTable, and may incur a minor performance penalty in some cases. This is not expected to significantly affect web performance. * runtime/ProxyObject.cpp: (JSC::ProxyObject::performGetOwnPropertyNames): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/es6/Proxy_ownKeys_duplicates.js trunk/JSTests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js trunk/JSTests/stress/proxy-own-keys.js trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/headers/headers-record-expected.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ProxyObject.cpp Diff Modified: trunk/JSTests/ChangeLog (243932 => 243933) --- trunk/JSTests/ChangeLog 2019-04-05 12:42:44 UTC (rev 243932) +++ trunk/JSTests/ChangeLog 2019-04-05 13:45:08 UTC (rev 243933) @@ -1,3 +1,25 @@ +2019-04-05 Caitlin Potter + +[JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys +https://bugs.webkit.org/show_bug.cgi?id=185211 + +Reviewed by Saam Barati. + +This is for the normative spec change in https://github.com/tc39/ecma262/pull/833 + +This changes several assertions to expect a TypeError to be thrown (in some cases, +changing thee expected message). + +* es6/Proxy_ownKeys_duplicates.js: +(handler): +(shouldThrow): +(test): +* stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: +(shouldThrow): +* stress/proxy-own-keys.js: +(i.catch): +(assert): + 2019-04-04 Yusuke Suzuki [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode Modified: trunk/JSTests/es6/Proxy_ownKeys_duplicates.js (243932 => 243933) --- trunk/JSTests/es6/Proxy_ownKeys_duplicates.js 2019-04-05 12:42:44 UTC (rev 243932) +++ trunk/JSTests/es6/Proxy_ownKeys_duplicates.js 2019-04-05 13:45:08 UTC (rev 243933) @@ -1,30 +1,51 @@ +function handler(key) { +return { +getOwnPropertyDescriptor(t, n) { +// Required to prevent Object.keys() from discarding results +return { +enumerable: true, +configurable: true, +}; +}, +ownKeys(t) { +return [key, key]; +} +}; +} + +function shouldThrow(op, errorConstructor, desc) { +try { +op(); +} catch (e) { +if (!(e instanceof errorConstructor)) { +throw new Error(`threw ${e}, but should have thrown ${errorConstructor.name}`); +} +return; +} +throw new Error(`Expected ${desc || 'operation'} to throw ${errorConstructor.name}, but no exception thrown`); +} + function test() { var symbol = Symbol("test"); -var proxy = new Proxy({}, { -getOwnPropertyDescriptor(t, n) { -// Required to prevent Object.keys() from discarding results -return { -enumerable: true, -configurable: true -}; -}, -ownKeys: function (t) { -return ["A", "A", "0", "0", symbol, symbol]; -} -}); -var keys = Object.keys(proxy); -var names = Object.getOwnPropertyNames(proxy); -var symbols = Object.getOwnPropertySymbols(proxy); +var proxyNamed = new Proxy({}, handler("A")); +var proxyIndexed = new Proxy({}, handler(0)); +var proxySymbol = new Proxy({}, handler(symbol)); -if (keys.length === 4 && keys[0] === keys[1] && keys[2] === keys[3] && -keys[0] === "A" && keys[2] === "0" && -names.length === 4 && names[0] ===
[webkit-changes] [233037] trunk/Tools
Title: [233037] trunk/Tools Revision 233037 Author ca...@igalia.com Date 2018-06-21 06:57:50 -0700 (Thu, 21 Jun 2018) Log Message [Tools] add a --debug option to test262/Runner.pm for buildbots https://bugs.webkit.org/show_bug.cgi?id=186113 Reviewed by Michael Saboff. test262-runner runs Debug builds by default, but this allows us to be explicit about it in buildbots. * Scripts/test262/Runner.pm: (processCLI): Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/test262/Runner.pm Diff Modified: trunk/Tools/ChangeLog (233036 => 233037) --- trunk/Tools/ChangeLog 2018-06-21 13:37:05 UTC (rev 233036) +++ trunk/Tools/ChangeLog 2018-06-21 13:57:50 UTC (rev 233037) @@ -1,3 +1,16 @@ +2018-06-21 Caitlin Potter + +[Tools] add a --debug option to test262/Runner.pm for buildbots +https://bugs.webkit.org/show_bug.cgi?id=186113 + +Reviewed by Michael Saboff. + +test262-runner runs Debug builds by default, but this allows us to be +explicit about it in buildbots. + +* Scripts/test262/Runner.pm: +(processCLI): + 2018-06-21 Carlos Garcia Campos run-gtk-tests (glib/common.py) cannot determine build directory when webKitBranchBuild=true Modified: trunk/Tools/Scripts/test262/Runner.pm (233036 => 233037) --- trunk/Tools/Scripts/test262/Runner.pm 2018-06-21 13:37:05 UTC (rev 233036) +++ trunk/Tools/Scripts/test262/Runner.pm 2018-06-21 13:57:50 UTC (rev 233037) @@ -131,6 +131,7 @@ 'p|child-processes=i' => \$maxProcesses, 'h|help' => \$help, 'release' => \$release, +'debug' => sub { $release = 0; }, 'v|verbose' => \$verbose, 'f|features=s@' => \@features, 'c|config=s' => \$configFile, @@ -1229,6 +1230,10 @@ Use the Release build of JSC. Can only use if --jsc is not provided. The Debug build of JSC is used by default. +=item B<--debug> + +Use the Debug build of JSC. Can only use if --jsc is not provided. Negates the --release option. + =item B<--verbose, -v> Verbose output for test results. Includes error message for test. ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [232816] trunk/Source/JavaScriptCore
Title: [232816] trunk/Source/_javascript_Core Revision 232816 Author ca...@igalia.com Date 2018-06-13 15:51:29 -0700 (Wed, 13 Jun 2018) Log Message [LLInt] use loadp consistently for get_from_scope/put_to_scope https://bugs.webkit.org/show_bug.cgi?id=132333 Reviewed by Mark Lam. Using `loadis` for register indexes and `loadp` for constant scopes / symboltables makes sense, but is problematic for big-endian architectures. Consistently treating the operand as a pointer simplifies determining how to access the operand, and helps avoid bad accesses and crashes on big-endian ports. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecode/Instruction.h: * jit/JITOperations.cpp: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/Instruction.h trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (232815 => 232816) --- trunk/Source/_javascript_Core/ChangeLog 2018-06-13 22:22:07 UTC (rev 232815) +++ trunk/Source/_javascript_Core/ChangeLog 2018-06-13 22:51:29 UTC (rev 232816) @@ -1,3 +1,30 @@ +2018-06-13 Caitlin Potter + +[LLInt] use loadp consistently for get_from_scope/put_to_scope +https://bugs.webkit.org/show_bug.cgi?id=132333 + +Reviewed by Mark Lam. + +Using `loadis` for register indexes and `loadp` for constant scopes / +symboltables makes sense, but is problematic for big-endian +architectures. + +Consistently treating the operand as a pointer simplifies determining +how to access the operand, and helps avoid bad accesses and crashes on +big-endian ports. + +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::finishCreation): +* bytecode/Instruction.h: +* jit/JITOperations.cpp: +* llint/LLIntSlowPaths.cpp: +(JSC::LLInt::LLINT_SLOW_PATH_DECL): +* llint/LowLevelInterpreter32_64.asm: +* llint/LowLevelInterpreter64.asm: +* runtime/CommonSlowPaths.h: +(JSC::CommonSlowPaths::tryCachePutToScopeGlobal): +(JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): + 2018-06-13 Keith Miller AutomaticThread should have a way to provide a thread name Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (232815 => 232816) --- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2018-06-13 22:22:07 UTC (rev 232815) +++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2018-06-13 22:51:29 UTC (rev 232816) @@ -694,7 +694,7 @@ instructions[i + 5].u.watchpointSet = op.watchpointSet; else if (op.structure) instructions[i + 5].u.structure.set(vm, this, op.structure); -instructions[i + 6].u.pointer = reinterpret_cast(op.operand); +instructions[i + 6].u.operandPointer = op.operand; break; } @@ -731,7 +731,7 @@ op.watchpointSet->invalidate(vm, PutToScopeFireDetail(this, ident)); } else if (op.structure) instructions[i + 5].u.structure.set(vm, this, op.structure); -instructions[i + 6].u.pointer = reinterpret_cast(op.operand); +instructions[i + 6].u.operandPointer = op.operand; break; } Modified: trunk/Source/_javascript_Core/bytecode/Instruction.h (232815 => 232816) --- trunk/Source/_javascript_Core/bytecode/Instruction.h 2018-06-13 22:22:07 UTC (rev 232815) +++ trunk/Source/_javascript_Core/bytecode/Instruction.h 2018-06-13 22:51:29 UTC (rev 232816) @@ -123,6 +123,7 @@ Opcode opcode; int operand; unsigned unsignedValue; +intptr_t operandPointer; WriteBarrierBase structure; StructureID structureID; WriteBarrierBase symbolTable; Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (232815 => 232816) --- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2018-06-13 22:22:07 UTC (rev 232815) +++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2018-06-13 22:51:29 UTC (rev 232816) @@ -2381,7 +2381,7 @@ if (getPutInfo.resolveType() == LocalClosureVar) { JSLexicalEnvironment* environment = jsCast(scope); -environment->variableAt(ScopeOffset(pc[6].u.operand)).set(vm, environment, value); +environment->variableAt(ScopeOffset(pc[6].u.operandPointer)).set(vm, environment, value);
[webkit-changes] [232282] trunk/JSTests
Title: [232282] trunk/JSTests Revision 232282 Author ca...@igalia.com Date 2018-05-29 17:40:28 -0700 (Tue, 29 May 2018) Log Message [JSTests] update test262 expectations after r232261 https://bugs.webkit.org/show_bug.cgi?id=184267 Reviewed by Saam Barati. * test262/expectations.yaml: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml Diff Modified: trunk/JSTests/ChangeLog (232281 => 232282) --- trunk/JSTests/ChangeLog 2018-05-30 00:18:39 UTC (rev 232281) +++ trunk/JSTests/ChangeLog 2018-05-30 00:40:28 UTC (rev 232282) @@ -1,3 +1,12 @@ +2018-05-29 Caitlin Potter + +[JSTests] update test262 expectations after r232261 +https://bugs.webkit.org/show_bug.cgi?id=184267 + +Reviewed by Saam Barati. + +* test262/expectations.yaml: + 2018-05-29 Caio Lima [ESNext][BigInt] Implement support for "<" and ">" relational operation Modified: trunk/JSTests/test262/expectations.yaml (232281 => 232282) --- trunk/JSTests/test262/expectations.yaml 2018-05-30 00:18:39 UTC (rev 232281) +++ trunk/JSTests/test262/expectations.yaml 2018-05-30 00:40:28 UTC (rev 232282) @@ -624,12 +624,6 @@ test/built-ins/Array/proto-from-ctor-realm.js: default: 'Test262Error: Expected SameValue(«», «») to be true' strict mode: 'Test262Error: Expected SameValue(«», «») to be true' -test/built-ins/Array/prototype/concat/is-concat-spreadable-is-array-proxy-revoked.js: - default: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all' - strict mode: 'Test262Error: Expected a TypeError to be thrown but no exception was thrown at all' -test/built-ins/Array/prototype/concat/is-concat-spreadable-proxy.js: - default: 'Test262Error: Proxy for an array Expected SameValue(«1», «0») to be true' - strict mode: 'Test262Error: Proxy for an array Expected SameValue(«1», «0») to be true' test/built-ins/Array/prototype/filter/target-array-with-non-writable-property.js: default: 'TypeError: Attempted to assign to readonly property.' strict mode: 'TypeError: Attempted to assign to readonly property.' ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [232261] trunk
Title: [232261] trunk Revision 232261 Author ca...@igalia.com Date 2018-05-29 09:56:29 -0700 (Tue, 29 May 2018) Log Message [JSC] Fix Array.prototype.concat fast case when single argument is Proxy https://bugs.webkit.org/show_bug.cgi?id=184267 Reviewed by Saam Barati. JSTests: * stress/array-concat-fast-spread-proxy.js: Copied from JSTests/stress/array-concat-spread-proxy.js. (arrayEq): (catch): * stress/array-concat-spread-proxy.js: Source/_javascript_Core: Before this patch, the fast case for Array.prototype.concat was taken if there was a single argument passed to the function, which is either a non-JSCell, or an ObjectType JSCell not marked as concat-spreadable. This incorrectly prevented Proxy objects from being spread when they were the only argument passed to A.prototype.concat(), violating ECMA-262. * builtins/ArrayPrototype.js: (concat): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/array-concat-spread-proxy.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/builtins/ArrayPrototype.js Added Paths trunk/JSTests/stress/array-concat-fast-spread-proxy.js Diff Modified: trunk/JSTests/ChangeLog (232260 => 232261) --- trunk/JSTests/ChangeLog 2018-05-29 16:50:12 UTC (rev 232260) +++ trunk/JSTests/ChangeLog 2018-05-29 16:56:29 UTC (rev 232261) @@ -1,3 +1,15 @@ +2018-05-29 Caitlin Potter + +[JSC] Fix Array.prototype.concat fast case when single argument is Proxy +https://bugs.webkit.org/show_bug.cgi?id=184267 + +Reviewed by Saam Barati. + +* stress/array-concat-fast-spread-proxy.js: Copied from JSTests/stress/array-concat-spread-proxy.js. +(arrayEq): +(catch): +* stress/array-concat-spread-proxy.js: + 2018-05-27 Caio Lima [ESNext][BigInt] Implement "+" and "-" unary operation Copied: trunk/JSTests/stress/array-concat-fast-spread-proxy.js (from rev 232260, trunk/JSTests/stress/array-concat-spread-proxy.js) (0 => 232261) --- trunk/JSTests/stress/array-concat-fast-spread-proxy.js (rev 0) +++ trunk/JSTests/stress/array-concat-fast-spread-proxy.js 2018-05-29 16:56:29 UTC (rev 232261) @@ -0,0 +1,41 @@ +// This file tests is concat spreadable when taking the fast path +// (single argument, JSArray receiver) + +function arrayEq(a, b) { +if (a.length !== b.length) +return false; +for (let i = 0; i < a.length; i++) { +if (a[i] !== b[i]) +return false; +} +return true; +} + + +{ +let array = [1,2,3]; +let {proxy:p, revoke} = Proxy.revocable([4, 5], {}); + +// Test it works with proxies by default +for (let i = 0; i < 1; i++) { +if (!arrayEq(Array.prototype.concat.call(array, p), [1,2,3,4,5])) +throw "failed normally with a proxy" +} + +// Test it works with spreadable false. +p[Symbol.isConcatSpreadable] = false; +for (let i = 0; i < 1; i++) { +if (!arrayEq(Array.prototype.concat.call(array,p), [1,2,3,p])) +throw "failed with no spread" +} + +p[Symbol.isConcatSpreadable] = undefined; +revoke(); +passed = true; +try { +Array.prototype.concat.call(array,p); +passed = false; +} catch (e) { } +if (!passed) +throw "failed to throw spreading revoked proxy"; +} Modified: trunk/JSTests/stress/array-concat-spread-proxy.js (232260 => 232261) --- trunk/JSTests/stress/array-concat-spread-proxy.js 2018-05-29 16:50:12 UTC (rev 232260) +++ trunk/JSTests/stress/array-concat-spread-proxy.js 2018-05-29 16:56:29 UTC (rev 232261) @@ -35,5 +35,6 @@ Array.prototype.concat.call(p,[]); passed = false; } catch (e) { } - +if (!passed) +throw "failed to throw spreading revoked proxy"; } Modified: trunk/Source/_javascript_Core/ChangeLog (232260 => 232261) --- trunk/Source/_javascript_Core/ChangeLog 2018-05-29 16:50:12 UTC (rev 232260) +++ trunk/Source/_javascript_Core/ChangeLog 2018-05-29 16:56:29 UTC (rev 232261) @@ -1,3 +1,19 @@ +2018-05-29 Caitlin Potter + +[JSC] Fix Array.prototype.concat fast case when single argument is Proxy +https://bugs.webkit.org/show_bug.cgi?id=184267 + +Reviewed by Saam Barati. + +Before this patch, the fast case for Array.prototype.concat was taken if +there was a single argument passed to the function, which is either a +non-JSCell, or an ObjectType JSCell not marked as concat-spreadable. +This incorrectly prevented Proxy objects from being spread when +they were the only argument passed to A.prototype.concat(), violating ECMA-262. + +* builtins/ArrayPrototype.js: +(concat): + 2018-05-27 Yusuke Suzuki [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures Modified: trunk/Source/_javascript_Core/builtins/ArrayPrototype.js (232260 => 232261) --- trunk/Source/_javascript_Core/builtins/ArrayPrototype.js 2018-05-29 16:50:12
[webkit-changes] [229608] trunk
Title: [229608] trunk Revision 229608 Author ca...@igalia.com Date 2018-03-14 13:00:21 -0700 (Wed, 14 Mar 2018) Log Message [JSC] fix order of evaluation for ClassDefinitionEvaluation https://bugs.webkit.org/show_bug.cgi?id=183523 Reviewed by Keith Miller. Computed property names need to be evaluated in source order during class definition evaluation, as it's observable (and specified to work this way). This change improves compatibility with Chromium. JSTests: * stress/class_elements.js: Added. (test): (test.C.prototype.effect): (test.C.effect): (test.C.prototype.get effect): (test.C.prototype.set effect): (test.C): Source/_javascript_Core: * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitDefineClassElements): * bytecompiler/NodesCodegen.cpp: (JSC::PropertyListNode::emitBytecode): (JSC::ClassExprNode::emitBytecode): * parser/ASTBuilder.h: (JSC::ASTBuilder::createClassExpr): (JSC::ASTBuilder::createGetterOrSetterProperty): (JSC::ASTBuilder::createProperty): * parser/NodeConstructors.h: (JSC::PropertyNode::PropertyNode): (JSC::ClassExprNode::ClassExprNode): * parser/Nodes.cpp: (JSC::PropertyListNode::hasStaticallyNamedProperty): * parser/Nodes.h: (JSC::PropertyNode::isClassProperty const): (JSC::PropertyNode::isStaticClassProperty const): (JSC::PropertyNode::isInstanceClassProperty const): * parser/Parser.cpp: (JSC::Parser::parseClass): (JSC::Parser::parseProperty): (JSC::Parser::parseGetterSetter): * parser/Parser.h: * parser/SyntaxChecker.h: (JSC::SyntaxChecker::createClassExpr): (JSC::SyntaxChecker::createProperty): (JSC::SyntaxChecker::createGetterOrSetterProperty): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h trunk/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp trunk/Source/_javascript_Core/parser/ASTBuilder.h trunk/Source/_javascript_Core/parser/NodeConstructors.h trunk/Source/_javascript_Core/parser/Nodes.cpp trunk/Source/_javascript_Core/parser/Nodes.h trunk/Source/_javascript_Core/parser/Parser.cpp trunk/Source/_javascript_Core/parser/Parser.h trunk/Source/_javascript_Core/parser/SyntaxChecker.h Added Paths trunk/JSTests/stress/class_elements.js Diff Modified: trunk/JSTests/ChangeLog (229607 => 229608) --- trunk/JSTests/ChangeLog 2018-03-14 19:54:28 UTC (rev 229607) +++ trunk/JSTests/ChangeLog 2018-03-14 20:00:21 UTC (rev 229608) @@ -1,3 +1,23 @@ +2018-03-14 Caitlin Potter+ +[JSC] fix order of evaluation for ClassDefinitionEvaluation +https://bugs.webkit.org/show_bug.cgi?id=183523 + +Reviewed by Keith Miller. + +Computed property names need to be evaluated in source order during class +definition evaluation, as it's observable (and specified to work this way). + +This change improves compatibility with Chromium. + +* stress/class_elements.js: Added. +(test): +(test.C.prototype.effect): +(test.C.effect): +(test.C.prototype.get effect): +(test.C.prototype.set effect): +(test.C): + 2018-03-11 Yusuke Suzuki [DFG] AI should convert CreateThis to NewObject if the prototype object is proved Added: trunk/JSTests/stress/class_elements.js (0 => 229608) --- trunk/JSTests/stress/class_elements.js (rev 0) +++ trunk/JSTests/stress/class_elements.js 2018-03-14 20:00:21 UTC (rev 229608) @@ -0,0 +1,24 @@ +function test() { + +let log = []; +function effect(desc) { log.push(desc); return desc; } + +class C { + [effect("instance#1")]() {} + static [effect("static#2")]() {} + get [effect("instanceGetter#3")]() {} + static get [effect("staticGetter#4")]() {} + set [effect("instanceSetter#5")](v) {} + static [effect("staticSetter#6")](v) {} +} + +return log[0] === "instance#1" && + log[1] === "static#2" && + log[2] === "instanceGetter#3" && + log[3] === "staticGetter#4" && + log[4] === "instanceSetter#5" && + log[5] === "staticSetter#6"; +} + +if (!test()) +throw new Error("Test failed"); \ No newline at end of file Modified: trunk/Source/_javascript_Core/ChangeLog (229607 => 229608) --- trunk/Source/_javascript_Core/ChangeLog 2018-03-14 19:54:28 UTC (rev 229607) +++ trunk/Source/_javascript_Core/ChangeLog 2018-03-14 20:00:21 UTC (rev 229608) @@ -1,3 +1,43 @@ +2018-03-14 Caitlin Potter + +[JSC] fix order of evaluation for ClassDefinitionEvaluation +https://bugs.webkit.org/show_bug.cgi?id=183523 + +Reviewed by Keith Miller. + +Computed property names need to be evaluated in source order during class +definition evaluation, as it's observable (and specified to work this way). + +This change improves compatibility with Chromium. + +* bytecompiler/BytecodeGenerator.h: +(JSC::BytecodeGenerator::emitDefineClassElements): +* bytecompiler/NodesCodegen.cpp: +