[webkit-changes] [286856] trunk/Source/JavaScriptCore
Title: [286856] trunk/Source/_javascript_Core Revision 286856 Author tzaga...@apple.com Date 2021-12-10 09:25:22 -0800 (Fri, 10 Dec 2021) Log Message Remove Mac-specific ARM64EHash implementation https://bugs.webkit.org/show_bug.cgi?id=234150 Reviewed by Saam Barati. Currently we have a weaker implementation of ARM64EHash on mac, but we measured it and it's not any faster than the stricter version we use on iOS. We are removing the mac-specific version and switching it to use the stricter version. * assembler/AssemblerBuffer.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (286855 => 286856) --- trunk/Source/_javascript_Core/ChangeLog 2021-12-10 17:16:51 UTC (rev 286855) +++ trunk/Source/_javascript_Core/ChangeLog 2021-12-10 17:25:22 UTC (rev 286856) @@ -1,3 +1,16 @@ +2021-12-10 Tadeu Zagallo + +Remove Mac-specific ARM64EHash implementation +https://bugs.webkit.org/show_bug.cgi?id=234150 + +Reviewed by Saam Barati. + +Currently we have a weaker implementation of ARM64EHash on mac, but we measured it and it's not +any faster than the stricter version we use on iOS. We are removing the mac-specific version and +switching it to use the stricter version. + +* assembler/AssemblerBuffer.h: + 2021-12-10 Adrian Perez de Castro Non-unified build fixes, mid December 2021 edition Modified: trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h (286855 => 286856) --- trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2021-12-10 17:16:51 UTC (rev 286855) +++ trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2021-12-10 17:25:22 UTC (rev 286856) 
@@ -203,29 +203,8 @@ }; #if CPU(ARM64E) -#if PLATFORM(MAC) class ARM64EHash { public: -ARM64EHash(void* initialHash) -: m_hash(static_cast(bitwise_cast(initialHash))) -{ -} - -ALWAYS_INLINE uint32_t update(uint32_t value, uint32_t, void*) -{ -uint64_t input = value ^ m_hash; -uint64_t a = static_cast(tagInt(input, static_cast(0)) >> 39); -uint64_t b = tagInt(input, static_cast(0xb7e151628aed2a6a)) >> 23; -m_hash = a ^ b; -return m_hash; -} - -private: -uint32_t m_hash; -}; -#else -class ARM64EHash { -public: ARM64EHash(void* diversifier) { setUpdatedHash(0, 0, diversifier); @@ -280,7 +259,6 @@ uint64_t m_hash; }; -#endif // PLATFORM(MAC) #endif // CPU(ARM64E) class AssemblerBuffer { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
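Review bot: the removed `PLATFORM(MAC)` variant of `ARM64EHash::update` ignored its second and third parameters (the unnamed `uint32_t` and `void*`), so on macOS the hash was a function of the value stream alone, whereas the class that now applies on both platforms seeds itself through `setUpdatedHash(0, 0, diversifier)` with all three inputs; the log justifies the change purely on measured performance ("not any faster"), and one sentence in the ChangeLog stating that macOS now gets the same stricter integrity check as iOS would make the security consequence of the unification explicit rather than incidental. Separately, `static_cast(bitwise_cast(initialHash))` and `static_cast(0xb7e151628aed2a6a)` appear here with their template arguments missing; that is the mailing-list HTML stripping angle brackets, not the state of the tree, so anyone quoting this hunk should go to the repository for the real lines.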
[webkit-changes] [286550] trunk
Title: [286550] trunk Revision 286550 Author tzaga...@apple.com Date 2021-12-06 10:46:03 -0800 (Mon, 06 Dec 2021) Log Message Restore navigator.hardwareConcurrency https://bugs.webkit.org/show_bug.cgi?id=233381 Reviewed by Saam Barati. LayoutTests/imported/w3c: * web-platform-tests/html/dom/idlharness.https-expected.txt: * web-platform-tests/html/dom/idlharness.worker-expected.txt: * web-platform-tests/workers/WorkerNavigator-hardware-concurrency.any.worker-expected.txt: Source/WebCore: Navigator.hardwareConcurrency was removed in r219379, but it is now used by emscripten to implement std::thread::hardware_concurrency() Test: fast/dom/navigator-hardwareConcurrency.html * page/Navigator.idl: * page/NavigatorBase.cpp: (WebCore::NavigatorBase::hardwareConcurrency): * page/NavigatorBase.h: * page/WorkerNavigator.idl: LayoutTests: * fast/dom/Window/resources/window-property-collector.js: (emitExpectedResult): * fast/dom/navigator-detached-no-crash-expected.txt: * fast/dom/navigator-hardwareConcurrency-expected.txt: Added. * fast/dom/navigator-hardwareConcurrency.html: Added. 
* fast/workers/resources/worker-navigator.js: * fast/workers/worker-navigator-expected.txt: * platform/glib/imported/w3c/web-platform-tests/html/dom/idlharness.worker-expected.txt: * platform/gtk/fast/dom/navigator-detached-no-crash-expected.txt: * platform/gtk/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: * platform/ios-wk2/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: * platform/ipad/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: * platform/mac-wk1/fast/dom/navigator-detached-no-crash-expected.txt: * platform/mac-wk1/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: * platform/mac-wk2/fast/dom/navigator-detached-no-crash-expected.txt: * platform/mac-wk2/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: * platform/mac/fast/dom/navigator-detached-no-crash-expected.txt: * platform/win/fast/dom/navigator-detached-no-crash-expected.txt: * platform/wincairo/fast/dom/navigator-detached-no-crash-expected.txt: * platform/wpe/fast/dom/navigator-detached-no-crash-expected.txt: * platform/wpe/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/Window/resources/window-property-collector.js trunk/LayoutTests/fast/dom/navigator-detached-no-crash-expected.txt trunk/LayoutTests/fast/workers/resources/worker-navigator.js trunk/LayoutTests/fast/workers/worker-navigator-expected.txt trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/html/dom/idlharness.worker-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/workers/WorkerNavigator-hardware-concurrency.any.worker-expected.txt trunk/LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/dom/idlharness.worker-expected.txt 
trunk/LayoutTests/platform/gtk/fast/dom/navigator-detached-no-crash-expected.txt trunk/LayoutTests/platform/gtk/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt trunk/LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt trunk/LayoutTests/platform/ipad/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt trunk/LayoutTests/platform/mac/fast/dom/navigator-detached-no-crash-expected.txt trunk/LayoutTests/platform/mac-wk1/fast/dom/navigator-detached-no-crash-expected.txt trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt trunk/LayoutTests/platform/mac-wk2/fast/dom/navigator-detached-no-crash-expected.txt trunk/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt trunk/LayoutTests/platform/win/fast/dom/navigator-detached-no-crash-expected.txt trunk/LayoutTests/platform/wincairo/fast/dom/navigator-detached-no-crash-expected.txt trunk/LayoutTests/platform/wpe/fast/dom/navigator-detached-no-crash-expected.txt trunk/LayoutTests/platform/wpe/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/page/Navigator.idl trunk/Source/WebCore/page/NavigatorBase.cpp trunk/Source/WebCore/page/NavigatorBase.h trunk/Source/WebCore/page/WorkerNavigator.idl Added Paths trunk/LayoutTests/fast/dom/navigator-hardwareConcurrency-expected.txt trunk/LayoutTests/fast/dom/navigator-hardwareConcurrency.html Diff Modified: trunk/LayoutTests/ChangeLog (286549 => 286550) --- trunk/LayoutTests/ChangeLog 2021-12-06 18:40:13 UTC (rev 286549) +++ trunk/LayoutTests/ChangeLog 2021-12-06 18:46:03 UTC (rev 286550) @@ -1,3 +1,33 @@ +2021-12-06 Tadeu Zagallo + +Restore navigator.hardwareConcurrency +https://bugs.webkit.org/show_bug.cgi?id=233381 + + +Reviewed by Saam
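Review bot: the log records why the property is coming back (emscripten needs it for `std::thread::hardware_concurrency()`) but not why it was removed in r219379, nor whether `NavigatorBase::hardwareConcurrency` returns the raw core count or a clamped value; the `page/NavigatorBase.cpp` hunk is not in the portion of the patch shown here (the LayoutTests ChangeLog hunk is cut off after "Reviewed by Saam"), so that decision should be stated in the ChangeLog entry itself, since a reviewer of a re-introduced platform-fingerprinting surface needs to see it without opening the source.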
[webkit-changes] [284513] trunk/Source/JavaScriptCore
Title: [284513] trunk/Source/_javascript_Core Revision 284513 Author tzaga...@apple.com Date 2021-10-19 17:40:19 -0700 (Tue, 19 Oct 2021) Log Message Address post-landing feedback to wasm exceptions https://bugs.webkit.org/show_bug.cgi?id=231973 Reviewed by Saam Barati. Address comments left by Saam in https://bugs.webkit.org/show_bug.cgi?id=229681 after the patch landed. This includes deleting some unused code, and renaming a couple variables and methods, but the biggest change is copying the callee saves to VMEntry in the llint rethrow. * interpreter/Interpreter.cpp: (JSC::CatchInfo::CatchInfo): (JSC::UnwindFunctor::operator() const): * interpreter/Interpreter.h: (JSC::CatchInfo::CatchInfo): Deleted. * jit/JSInterfaceJIT.h: (JSC::JSInterfaceJIT::convertCalleeToVM): Deleted. * llint/WebAssembly.asm: * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::ControlData::ControlData): (JSC::Wasm::B3IRGenerator::ControlData::tryDepth const): (JSC::Wasm::B3IRGenerator::connectControlAtEntrypoint): (JSC::Wasm::B3IRGenerator::addLoop): (JSC::Wasm::B3IRGenerator::addTry): (JSC::Wasm::B3IRGenerator::preparePatchpointForExceptions): (JSC::Wasm::B3IRGenerator::emitCatchImpl): (JSC::Wasm::B3IRGenerator::addDelegateToUnreachable): (JSC::Wasm::B3IRGenerator::addThrow): (JSC::Wasm::B3IRGenerator::addRethrow): (JSC::Wasm::B3IRGenerator::addEndToUnreachable): (JSC::Wasm::B3IRGenerator::connectControlEntry): Deleted. * wasm/WasmCallee.h: (JSC::Wasm::Callee::llintFunctionCodeBlock const): (JSC::Wasm::Callee::functionCodeBlock const): Deleted. * wasm/WasmLLIntGenerator.cpp: (JSC::Wasm::LLIntGenerator::unifyValuesWithBlock): (JSC::Wasm::LLIntGenerator::addTry): (JSC::Wasm::LLIntGenerator::addThrow): (JSC::Wasm::LLIntGenerator::repatch): Deleted. 
* wasm/WasmOperations.cpp: (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): * wasm/WasmOperations.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/interpreter/Interpreter.h trunk/Source/_javascript_Core/jit/JSInterfaceJIT.h trunk/Source/_javascript_Core/llint/WebAssembly.asm trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmCallee.h trunk/Source/_javascript_Core/wasm/WasmLLIntGenerator.cpp trunk/Source/_javascript_Core/wasm/WasmOperations.cpp trunk/Source/_javascript_Core/wasm/WasmOperations.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (284512 => 284513) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-20 00:30:31 UTC (rev 284512) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-20 00:40:19 UTC (rev 284513) 
@@ -1,3 +1,48 @@ +2021-10-19 Tadeu Zagallo + +Address post-landing feedback to wasm exceptions +https://bugs.webkit.org/show_bug.cgi?id=231973 + +Reviewed by Saam Barati. + +Address comments left by Saam in https://bugs.webkit.org/show_bug.cgi?id=229681 +after the patch landed. This includes deleting some unused code, and renaming a +couple variables and methods, but the biggest change is copying the callee saves +to VMEntry in the llint rethrow. + +* interpreter/Interpreter.cpp: +(JSC::CatchInfo::CatchInfo): +(JSC::UnwindFunctor::operator() const): +* interpreter/Interpreter.h: +(JSC::CatchInfo::CatchInfo): Deleted. +* jit/JSInterfaceJIT.h: +(JSC::JSInterfaceJIT::convertCalleeToVM): Deleted. +* llint/WebAssembly.asm: +* wasm/WasmB3IRGenerator.cpp: +(JSC::Wasm::B3IRGenerator::ControlData::ControlData): +(JSC::Wasm::B3IRGenerator::ControlData::tryDepth const): +(JSC::Wasm::B3IRGenerator::connectControlAtEntrypoint): +(JSC::Wasm::B3IRGenerator::addLoop): +(JSC::Wasm::B3IRGenerator::addTry): +(JSC::Wasm::B3IRGenerator::preparePatchpointForExceptions): +(JSC::Wasm::B3IRGenerator::emitCatchImpl): +(JSC::Wasm::B3IRGenerator::addDelegateToUnreachable): +(JSC::Wasm::B3IRGenerator::addThrow): +(JSC::Wasm::B3IRGenerator::addRethrow): +(JSC::Wasm::B3IRGenerator::addEndToUnreachable): +(JSC::Wasm::B3IRGenerator::connectControlEntry): Deleted. +* wasm/WasmCallee.h: +(JSC::Wasm::Callee::llintFunctionCodeBlock const): +(JSC::Wasm::Callee::functionCodeBlock const): Deleted. +* wasm/WasmLLIntGenerator.cpp: +(JSC::Wasm::LLIntGenerator::unifyValuesWithBlock): +(JSC::Wasm::LLIntGenerator::addTry): +(JSC::Wasm::LLIntGenerator::addThrow): +(JSC::Wasm::LLIntGenerator::repatch): Deleted. 
+* wasm/WasmOperations.cpp: +(JSC::Wasm::JSC_DEFINE_JIT_OPERATION): +* wasm/WasmOperations.h: + 2021-10-19 Alexey Proskuryakov Eagerly resolve python3 path in Makefiles Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.cpp (284512 => 284513) --- trunk/Source/_javascript_Core/interpreter/Interpreter.cpp
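Review bot: the `* wasm/WasmOperations.cpp:` entry in the ChangeLog hunk lists `(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):` as the changed function, which is the definition macro rather than the name of the operation it defines, so the entry cannot be searched by the operation name; it should name the actual operation(s) touched, the way the other entries name `addTry`, `addThrow` and `repatch`. The log also says the biggest change is copying the callee saves to VMEntry in the llint rethrow, but the `llint/WebAssembly.asm` hunk is not in the portion shown here, so that part cannot be checked from this page.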
[webkit-changes] [284212] trunk/Source/JavaScriptCore
Title: [284212] trunk/Source/_javascript_Core Revision 284212 Author tzaga...@apple.com Date 2021-10-14 16:15:15 -0700 (Thu, 14 Oct 2021) Log Message Wasm LLInt should zero bytecodeIndex before throwing https://bugs.webkit.org/show_bug.cgi?id=231688 Reviewed by Yusuke Suzuki. After r283852, the unwinder can now ask WebAssembly frames for their bytecodeIndex. We do write to the bytecodeIndex when throwing from the wasm `throw` opcode, but we failed to write when trapping (e.g. throwing an OOB or Unreachable). The value of the bytecodeIndex in this is case is not interesting, since these exceptions can't be caught from Wasm, all we need to know is ensure there isn't an invalid left-over value in that stack slot, so we zero it. * llint/WebAssembly.asm: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/llint/WebAssembly.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (284211 => 284212) --- trunk/Source/_javascript_Core/ChangeLog 2021-10-14 23:07:20 UTC (rev 284211) +++ trunk/Source/_javascript_Core/ChangeLog 2021-10-14 23:15:15 UTC (rev 284212) 
@@ -1,3 +1,20 @@ +2021-10-14 Tadeu Zagallo + +Wasm LLInt should zero bytecodeIndex before throwing +https://bugs.webkit.org/show_bug.cgi?id=231688 + + +Reviewed by Yusuke Suzuki. + +After r283852, the unwinder can now ask WebAssembly frames for their bytecodeIndex. +We do write to the bytecodeIndex when throwing from the wasm `throw` opcode, but we +failed to write when trapping (e.g. throwing an OOB or Unreachable). The value of +the bytecodeIndex in this is case is not interesting, since these exceptions can't be +caught from Wasm, all we need to know is ensure there isn't an invalid left-over +value in that stack slot, so we zero it. + +* llint/WebAssembly.asm: + 2021-10-14 Myles C. Maxfield All the SDKVariant.xcconfig files should match Modified: trunk/Source/_javascript_Core/llint/WebAssembly.asm (284211 => 284212) --- trunk/Source/_javascript_Core/llint/WebAssembly.asm 2021-10-14 23:07:20 UTC (rev 284211) +++ trunk/Source/_javascript_Core/llint/WebAssembly.asm 2021-10-14 23:15:15 UTC (rev 284212) @@ -548,6 +548,7 @@ move wasmInstance, a2 # Slow paths and the throwException macro store the exception code in the ArgumentCountIncludingThis slot loadi ArgumentCountIncludingThis + PayloadOffset[cfr], a3 +storei 0, ArgumentCountIncludingThis + TagOffset[cfr] cCall4(_slow_path_wasm_throw_exception) jumpToException() end) @@ -561,6 +562,7 @@ move constexpr Wasm::ExceptionType::OutOfBoundsMemoryAccess, a3 move 0, a1 move cfr, a0 +storei 0, ArgumentCountIncludingThis + TagOffset[cfr] cCall4(_slow_path_wasm_throw_exception) jumpToException() end ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
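Review bot: the two added `storei 0, ArgumentCountIncludingThis + TagOffset[cfr]` lines (the throwException path at line 548 and the `OutOfBoundsMemoryAccess` path at line 562) are identical and both sit directly before `cCall4(_slow_path_wasm_throw_exception)`; folding the store into a shared macro around that call would keep any future trap path from omitting it, which is exactly the class of omission this patch is fixing. The ordering in the first hunk is correct: `a3` is loaded from `PayloadOffset` before the store to `TagOffset`, so the exception code is not clobbered. The comment above that hunk, however, still says only that the exception code is stored in the ArgumentCountIncludingThis slot; now that the tag half of the slot is deliberately zeroed as the bytecodeIndex the unwinder reads, the comment should say that the payload holds the exception code and the tag holds the (zeroed) bytecodeIndex, so nobody later "optimizes away" a store that looks redundant.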
[webkit-changes] [280505] trunk
Title: [280505] trunk Revision 280505 Author tzaga...@apple.com Date 2021-07-30 18:33:44 -0700 (Fri, 30 Jul 2021) Log Message putInlineFastReplacingStaticPropertyIfNeeded should handle custom values https://bugs.webkit.org/show_bug.cgi?id=227963 Reviewed by Alexey Shvayka. JSTests: * stress/reflect-set-custom-value.js: Source/_javascript_Core: Follow up after r280463: as it turns out, putInlineFastReplacingStaticPropertyIfNeeded also needs to handle custom values, similar to how definePropertyOnReceiverSlow was updated. This function will be called when the target property of the receiver is a custom value and isn't reified. The previous test case was expanded to test both the reified and non-reified cases. * runtime/JSObject.cpp: (JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded): * tools/JSDollarVM.cpp: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/reflect-set-custom-value.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/_javascript_Core/tools/JSDollarVM.cpp Diff Modified: trunk/JSTests/ChangeLog (280504 => 280505) --- trunk/JSTests/ChangeLog 2021-07-31 00:07:37 UTC (rev 280504) +++ trunk/JSTests/ChangeLog 2021-07-31 01:33:44 UTC (rev 280505) @@ -1,3 +1,12 @@ +2021-07-30 Tadeu Zagallo + +putInlineFastReplacingStaticPropertyIfNeeded should handle custom values +https://bugs.webkit.org/show_bug.cgi?id=227963 + +Reviewed by Alexey Shvayka. + +* stress/reflect-set-custom-value.js: + 2021-07-29 Tadeu Zagallo definePropertyOnReceiver should check if receiver canPerformFastPutInline Modified: trunk/JSTests/stress/reflect-set-custom-value.js (280504 => 280505) --- trunk/JSTests/stress/reflect-set-custom-value.js 2021-07-31 00:07:37 UTC (rev 280504) +++ trunk/JSTests/stress/reflect-set-custom-value.js 2021-07-31 01:33:44 UTC (rev 280505) 
@@ -1,3 +1,14 @@ -const testGetterSetter = $vm.createCustomTestGetterSetter(); -Reflect.set({}, 'customValue', 'foo', testGetterSetter); -testGetterSetter.customValue = 42; +{ +// reified +const testGetterSetter = $vm.createCustomTestGetterSetter(); +Reflect.set({}, 'customValue', 'foo', testGetterSetter); +testGetterSetter.customValue = 42; +} + +{ +// non-reified +let tester = $vm.createStaticCustomValue(); +Reflect.set({}, "testStaticValueSetFlag", 'foo', tester); +if (!tester.testStaticValueSetterCalled) +throw new Error('Custom value overriden'); +} Modified: trunk/Source/_javascript_Core/ChangeLog (280504 => 280505) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-31 00:07:37 UTC (rev 280504) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-31 01:33:44 UTC (rev 280505) @@ -1,3 +1,19 @@ +2021-07-30 Tadeu Zagallo + +putInlineFastReplacingStaticPropertyIfNeeded should handle custom values +https://bugs.webkit.org/show_bug.cgi?id=227963 + +Reviewed by Alexey Shvayka. + +Follow up after r280463: as it turns out, putInlineFastReplacingStaticPropertyIfNeeded also needs to handle +custom values, similar to how definePropertyOnReceiverSlow was updated. This function will be called when the +target property of the receiver is a custom value and isn't reified. The previous test case was expanded to +test both the reified and non-reified cases. + +* runtime/JSObject.cpp: +(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded): +* tools/JSDollarVM.cpp: + 2021-07-30 Yusuke Suzuki Unreviewed, fix wrong access width Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (280504 => 280505) --- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2021-07-31 00:07:37 UTC (rev 280504) +++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2021-07-31 01:33:44 UTC (rev 280505) 
@@ -936,9 +936,13 @@ // FIXME: For an accessor with setter, the error message is misleading. return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError); } +if (entry->value->attributes() & PropertyAttribute::CustomValue) { +PutValueFunc customSetter = entry->value->propertyPutter(); +if (customSetter) +RELEASE_AND_RETURN(scope, customSetter(structure->globalObject(), JSValue::encode(this), JSValue::encode(value), propertyName)); +} // Avoid PutModePut because it fails for non-extensible structures. -ASSERT(!(entry->value->attributes() & PropertyAttribute::CustomValue)); -putDirect(vm, propertyName, value, attributesForStructure(entry->value->attributes()), slot); +putDirect(vm, propertyName, value, attributesForStructure(entry->value->attributes()) & ~PropertyAttribute::CustomValue, slot); return true; } } Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (280504 =>
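Review bot: the "reified" block of the rewritten `reflect-set-custom-value.js` only exercises the path (`Reflect.set` followed by `testGetterSetter.customValue = 42`) and has no assertion, unlike the "non-reified" block that checks `tester.testStaticValueSetterCalled`; if the reified case is caught only by a debug `ASSERT`, a release build passes silently, so it should check the outcome the same way. Minor: the error message `'Custom value overriden'` should read "overridden".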
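Review bot: in the `JSObject.cpp` hunk, when `entry->value->propertyPutter()` returns null the new code falls through to `putDirect` with `~PropertyAttribute::CustomValue` masked out of the attributes, which silently turns the custom value into a plain data property; if that is intended (it is consistent with the `definePropertyOnReceiverSlow` handling in r280463) it deserves a comment, because the removed `ASSERT(!(entry->value->attributes() & PropertyAttribute::CustomValue))` was the only documentation of the old invariant. Also note that the setter is invoked here with `structure->globalObject()` while the r280463 counterpart passes `receiver->globalObject(vm)`; worth confirming in review that the two agree for every receiver this path can see.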
[webkit-changes] [280463] trunk
Title: [280463] trunk Revision 280463 Author tzaga...@apple.com Date 2021-07-29 19:00:36 -0700 (Thu, 29 Jul 2021) Log Message definePropertyOnReceiver should check if receiver canPerformFastPutInline https://bugs.webkit.org/show_bug.cgi?id=227963 Reviewed by Alexey Shvayka. JSTests: * stress/reflect-set-custom-value.js: Added. Source/_javascript_Core: definePropertyOnReceiver has a fast path if the slot is not opaque and the receiver doesn't have a custom defineOwnProperty implementation, in which case it calls putInlineFast (and transitively putDirectInternal). The issue is that putDirectInternal does not handle customValues correctly: it just overwrites the property without changing the attributes. To fix that, we should first check if the property might be a custom value, and if that's the case we now call `definePropertyOnReceiverSlow`, which has been updated to handle custom values correctly. I also added assertions to putInlineFastReplacingStaticPropertyIfNeeded and putDirectInternal to make sure we don't accidentally overwrite custom values in the future. * runtime/JSObject.cpp: (JSC::definePropertyOnReceiverSlow): (JSC::JSObject::definePropertyOnReceiver): (JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded): * runtime/JSObjectInlines.h: (JSC::JSObject::putDirectInternal): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/_javascript_Core/runtime/JSObjectInlines.h Added Paths trunk/JSTests/stress/reflect-set-custom-value.js Diff Modified: trunk/JSTests/ChangeLog (280462 => 280463) --- trunk/JSTests/ChangeLog 2021-07-30 01:51:18 UTC (rev 280462) +++ trunk/JSTests/ChangeLog 2021-07-30 02:00:36 UTC (rev 280463) 
@@ -1,3 +1,13 @@ +2021-07-29 Tadeu Zagallo + +definePropertyOnReceiver should check if receiver canPerformFastPutInline +https://bugs.webkit.org/show_bug.cgi?id=227963 + + +Reviewed by Alexey Shvayka. + +* stress/reflect-set-custom-value.js: Added. + 2021-07-29 Yusuke Suzuki and Alexey Shvayka [JSC] Legacy RegExp fields should be accessors Added: trunk/JSTests/stress/reflect-set-custom-value.js (0 => 280463) --- trunk/JSTests/stress/reflect-set-custom-value.js (rev 0) +++ trunk/JSTests/stress/reflect-set-custom-value.js 2021-07-30 02:00:36 UTC (rev 280463) @@ -0,0 +1,3 @@ +const testGetterSetter = $vm.createCustomTestGetterSetter(); +Reflect.set({}, 'customValue', 'foo', testGetterSetter); +testGetterSetter.customValue = 42; Modified: trunk/Source/_javascript_Core/ChangeLog (280462 => 280463) --- trunk/Source/_javascript_Core/ChangeLog 2021-07-30 01:51:18 UTC (rev 280462) +++ trunk/Source/_javascript_Core/ChangeLog 2021-07-30 02:00:36 UTC (rev 280463) 
@@ -1,3 +1,27 @@ +2021-07-29 Tadeu Zagallo + +definePropertyOnReceiver should check if receiver canPerformFastPutInline +https://bugs.webkit.org/show_bug.cgi?id=227963 + + +Reviewed by Alexey Shvayka. + +definePropertyOnReceiver has a fast path if the slot is not opaque and the receiver doesn't +have a custom defineOwnProperty implementation, in which case it calls putInlineFast (and +transitively putDirectInternal). The issue is that putDirectInternal does not +handle customValues correctly: it just overwrites the property without changing the attributes. +To fix that, we should first check if the property might be a custom value, and if that's the case +we now call `definePropertyOnReceiverSlow`, which has been updated to handle custom values correctly. +I also added assertions to putInlineFastReplacingStaticPropertyIfNeeded and putDirectInternal +to make sure we don't accidentally overwrite custom values in the future. + +* runtime/JSObject.cpp: +(JSC::definePropertyOnReceiverSlow): +(JSC::JSObject::definePropertyOnReceiver): +(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded): +* runtime/JSObjectInlines.h: +(JSC::JSObject::putDirectInternal): + 2021-07-29 Yusuke Suzuki and Alexey Shvayka [JSC] Legacy RegExp fields should be accessors Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (280462 => 280463) --- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2021-07-30 01:51:18 UTC (rev 280462) +++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2021-07-30 02:00:36 UTC (rev 280463) @@ -874,6 +874,12 @@ if (slot.attributes() & PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessor) return typeError(globalObject, scope, shouldThrow, ReadonlyPropertyWriteError); +if (slot.attributes() & PropertyAttribute::CustomValue) { +PutPropertySlot::PutValueFunc customSetter = slot.customSetter(); +if (customSetter) +RELEASE_AND_RETURN(scope, customSetter(receiver->globalObject(vm),
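Review bot: the added `JSTests/stress/reflect-set-custom-value.js` has no assertion at all; it calls `Reflect.set({}, 'customValue', 'foo', testGetterSetter)`, then assigns `testGetterSetter.customValue = 42`, and passes whenever nothing crashes, so the regression is caught only by the debug assertions the log says were added to `putInlineFastReplacingStaticPropertyIfNeeded` and `putDirectInternal`. It should check that the custom setter actually ran and that the property was not downgraded to an ordinary writable data property, so that release builds detect the overwrite too.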
[webkit-changes] [278937] trunk
Title: [278937] trunk Revision 278937 Author tzaga...@apple.com Date 2021-06-16 09:09:24 -0700 (Wed, 16 Jun 2021) Log Message AssemblyHelpers should save/restore callee save FPRs https://bugs.webkit.org/show_bug.cgi?id=227052 Reviewed by Mark Lam. JSTests: * stress/callee-save-fpr.js: Added. (_f): (_g): (_h): (_i): (assertEqual): Source/_javascript_Core: We have 3 functions in AssemblyHelpers to save and restore callee save registers that were filtering out any FPRs. This is an issue since we do have callee save FPRs in arm64 and these functions can be called from the FTL, and FTL uses those callee saves. The test case shows how that's an issue with tail calls on FTL: the callee saves are correctly stored in the prologue and restored in the epilogue, but when emitting a tail call we use AssemblyHelpers::emitRestoreCalleeSaves to restore the callee saves, which doesn't restore FPRs. This results in the callee save FPRs being trashed. To fix this we just need to stop filtering out the FPRs, if they are listed as used by the code block they should be saved/restored accordingly. I also changed DFGOSREntry to stop filtering out the callee save FPRs and instead assert there aren't any, since they aren't currently used in the DFG, but it could help avoid the same issue in the future. * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::emitSaveCalleeSavesFor): (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor): (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h Added Paths trunk/JSTests/stress/callee-save-fpr.js Diff Modified: trunk/JSTests/ChangeLog (278936 => 278937) --- trunk/JSTests/ChangeLog 2021-06-16 15:41:15 UTC (rev 278936) +++ trunk/JSTests/ChangeLog 2021-06-16 16:09:24 UTC (rev 278937) 
@@ -1,3 +1,18 @@ +2021-06-16 Tadeu Zagallo + +AssemblyHelpers should save/restore callee save FPRs +https://bugs.webkit.org/show_bug.cgi?id=227052 + + +Reviewed by Mark Lam. + +* stress/callee-save-fpr.js: Added. +(_f): +(_g): +(_h): +(_i): +(assertEqual): + 2021-06-15 Yusuke Suzuki [JSC] Optimize JSON.parse with small content by dropping single character Identifier pool Added: trunk/JSTests/stress/callee-save-fpr.js (0 => 278937) --- trunk/JSTests/stress/callee-save-fpr.js (rev 0) +++ trunk/JSTests/stress/callee-save-fpr.js 2021-06-16 16:09:24 UTC (rev 278937) 
@@ -0,0 +1,103 @@ +'use strict'; + +function _f(a1, a2, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o) { +a *= 1.1; +b *= 1.2; +c *= 1.3; +d *= 1.4; +e *= 1.5; +f *= 1.6; +g *= 1.7; +h *= 1.8; +i *= 1.9; +j *= 2.1; +k *= 2.2; +l *= 2.3; +m *= 2.4; +n *= 2.5; +o *= 2.6; + +a1[0] = a; +a1[1] = b; +a1[2] = c; +a1[3] = d; +a1[4] = e; +a1[5] = f; +a1[6] = g; +a1[7] = h; +a1[8] = i; +a1[9] = j; +a1[10] = k; +a1[11] = l; +a1[12] = m; +a1[13] = n; +a1[14] = o; + +_g(a1, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o); + +a2[0] = a; +a2[1] = b; +a2[2] = c; +a2[3] = d; +a2[4] = e; +a2[5] = f; +a2[6] = g; +a2[7] = h; +a2[8] = i; +a2[9] = j; +a2[10] = k; +a2[11] = l; +a2[12] = m; +a2[13] = n; +a2[14] = o; +} +noInline(_f); + +function _g(x, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o) { +a *= 1.1; +b *= 1.2; +c *= 1.3; +d *= 1.4; +e *= 1.5; +f *= 1.6; +g *= 1.7; +h *= 1.8; +i *= 1.9; +j *= 2.1; +k *= 2.2; +l *= 2.3; +m *= 2.4; +n *= 2.5; +o *= 2.6; + +x[15] = a + b + c + d + e + f + g + h + i + j + k + l + m + n + o; +_i(x); +return _h(x, ...[a, b, c, d, e, f, g, h, i, j, k, l, m, n, o]); +} +noInline(_g); + +function _h(x, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o) { +} +noInline(_h); + +function _i() { } +noInline(_i); + +function assertEqual(x, y) { +if (x !== y) +throw new Error(`assertEqual: fail: ${x} !== ${y}`); +} +noInline(assertEqual); + +const count = 15; +let args = []; +for (let i = 1; i <= count; ++i) +args.push(i); + +for (let i = 0; i < 1e5; ++i) { +let a1 = new Float64Array(count); +let a2 = new Float64Array(count); +_f(a1, a2, ...args); +for (let j = 0; j < count; ++j) +assertEqual(a1[j], a2[j]); +} Modified: trunk/Source/_javascript_Core/ChangeLog (278936 => 278937) --- trunk/Source/_javascript_Core/ChangeLog 2021-06-16 15:41:15 UTC (rev 278936) +++ trunk/Source/_javascript_Core/ChangeLog 2021-06-16 16:09:24 UTC (rev 278937) 
@@ -1,3 +1,29 @@ +2021-06-16 Tadeu Zagallo + +AssemblyHelpers should save/restore callee save FPRs +https://bugs.webkit.org/show_bug.cgi?id=227052 +
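Review bot: in `_g` of the new `callee-save-fpr.js`, `x[15] = a + b + ... + o` writes index 15 of an array created as `new Float64Array(count)` with `count = 15`, so it is an out-of-bounds store that typed arrays silently discard; if it is there to keep the fifteen products live in FPRs across the `_i(x)` call and the spread tail call to `_h`, a comment should say so (or the arrays should be sized 16), because a reader will otherwise take it for a bug and an optimizer that proves the store dead could remove the computation the test depends on. The `1e5` iteration count is what carries `_f`/`_g` to the FTL tail-call path the log describes; a comment stating that would stop someone later lowering the count and turning the test into a no-op.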
[webkit-changes] [278462] trunk
Title: [278462] trunk
Revision 278462
Author tzaga...@apple.com
Date 2021-06-04 08:58:13 -0700 (Fri, 04 Jun 2021)

Log Message

Optimize Function.prototype.toString
https://bugs.webkit.org/show_bug.cgi?id=226418

Reviewed by Saam Barati.

JSTests:

* microbenchmarks/function-to-string.js: Added.
(f):
(C):
(C.prototype.method1):
(C.prototype.method2):
(test):
(test2):

Source/_javascript_Core:

Add caching to Function.prototype.toString. This is used heavily in Speedometer2, and repeatedly recomputing a string which is a constant is costly.

We cache the results of toString in all cases except for bound functions. To make this work for bound functions, we'd need to add a new field they can use for this cache. For other functions, we cache it on the executable (either NativeExecutable or FunctionExecutable). The reason we can't do this on the executable for bound functions is that all bound functions share the same executable, but individual bound functions can have different names.

The reason it's valid to cache the results in general is that a function's name field can't be changed from JS code -- it's non-writable.

This patch also makes Function.prototype.toString an intrinsic in the DFG/FTL. We emit code on the fast path which reads the cached value if it's present. If not, we call into the slow path, which will compute the cached value for non-bound functions, or compute the result for bound functions.

I added a new microbenchmark that speeds up by >35x:

function-to-string 2197.5952+-30.7118^ 59.9861+-2.5550^ definitely 36.6350x faster

* CMakeLists.txt:
* _javascript_Core.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::getExecutable):
(JSC::DFG::SpeculativeJIT::compileFunctionToString):
(JSC::DFG::SpeculativeJIT::compileGetExecutable):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::getExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileFunctionToString):
* runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::visitChildrenImpl):
(JSC::FunctionExecutable::toStringSlow):
* runtime/FunctionExecutable.h:
* runtime/FunctionExecutableInlines.h:
(JSC::FunctionExecutable::toString):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/Intrinsic.cpp:
(JSC::intrinsicName):
* runtime/Intrinsic.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::toString):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::asStringConcurrently const):
* runtime/JSStringInlines.h:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::toStringSlow):
(JSC::NativeExecutable::visitChildrenImpl):
* runtime/NativeExecutable.h:

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/CMakeLists.txt
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h
trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp
trunk/Source/_javascript_Core/dfg/DFGClobberize.h
trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp
trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp
trunk/Source/_javascript_Core/dfg/DFGNodeType.h
trunk/Source/_javascript_Core/dfg/DFGOperations.cpp
trunk/Source/_javascript_Core/dfg/DFGOperations.h
trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp
trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp
trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h
trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp
trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
trunk/Source/_javascript_Core/runtime/FunctionExecutable.cpp
trunk/Source/_javascript_Core/runtime/FunctionExecutable.h
trunk/Source/_javascript_Core/runtime/FunctionExecutableInlines.h
trunk/Source/_javascript_Core/runtime/FunctionPrototype.cpp
trunk/Source/_javascript_Core/runtime/Intrinsic.cpp
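As an added example (not code from the commit or from WebKit), the following Node script exercises the invariants the caching scheme above depends on, using only behaviour the ECMAScript spec guarantees; the helper and function names are constructed for the demonstration.

```javascript
// Added example, not WebKit code: exercises the invariants behind the
// r278462 toString cache using only behaviour the ECMAScript spec guarantees.

// Two closures created from the same source share their source text, which is
// what makes a cache keyed on the executable sound for ordinary functions.
function makeCounter() {
  let n = 0;
  return function counter() { return ++n; };
}

function sharesSourceText() {
  const a = makeCounter();
  const b = makeCounter();
  return a !== b && a.toString() === b.toString();
}

// In strict code, assigning to a non-writable property throws a TypeError.
function assignmentThrows(fn) {
  'use strict';
  try { fn.name = 'renamed'; return false; } catch (e) { return e instanceof TypeError; }
}

// `name` is non-writable: the descriptor says so, plain assignment is rejected,
// and the value is unchanged afterwards.
function nameIsNonWritable(fn) {
  const desc = Object.getOwnPropertyDescriptor(fn, 'name');
  const threw = assignmentThrows(fn);
  return desc.writable === false && threw && fn.name === desc.value;
}

// Bound functions have their own name ("bound " + target name) but no
// per-function source text, which is why the commit leaves them uncached.
function boundNames() {
  function f() {}
  function g() {}
  const bf = f.bind(null);
  const bg = g.bind(null);
  const isNative = (fn) => /\[native code\]/.test(fn.toString());
  return { names: [bf.name, bg.name], native: isNative(bf) && isNative(bg) };
}

// Caveat: `name` is configurable, so defineProperty can still replace it, but an
// ordinary function's toString is its source text, so a cached result stays valid.
function renameViaDefineProperty() {
  function h() { return 1; }
  const before = h.toString();
  Object.defineProperty(h, 'name', { value: 'renamed' });
  return h.name === 'renamed' && h.toString() === before;
}
```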
[webkit-changes] [278139] trunk/Source/JavaScriptCore
Title: [278139] trunk/Source/_javascript_Core
Revision 278139
Author tzaga...@apple.com
Date 2021-05-26 17:36:06 -0700 (Wed, 26 May 2021)

Log Message

REGRESSION: ASSERTION FAILED: !isCompilationThread() in JSC::Profiler::Database::addCompilation()
https://bugs.webkit.org/show_bug.cgi?id=226302

Reviewed by Saam Barati.

We started linking the JIT code in the compiler thread, which now triggers this assertion. The assertion was introduced before a lock was held to modify the data structures in the profiler database, but it's safe to remove it now.

* profiler/ProfilerDatabase.cpp:
(JSC::Profiler::Database::addCompilation):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/profiler/ProfilerDatabase.cpp

Diff Modified: trunk/Source/_javascript_Core/ChangeLog (278138 => 278139) --- trunk/Source/_javascript_Core/ChangeLog 2021-05-27 00:35:38 UTC (rev 278138) +++ trunk/Source/_javascript_Core/ChangeLog 2021-05-27 00:36:06 UTC (rev 278139) @@ -1,3 +1,18 @@ +2021-05-26 Tadeu Zagallo + +REGRESSION: ASSERTION FAILED: !isCompilationThread() in JSC::Profiler::Database::addCompilation() +https://bugs.webkit.org/show_bug.cgi?id=226302 + + +Reviewed by Saam Barati. + +We started linking the JIT code in the compiler thread, which now triggers this assertion. +The assertion was introduce before a lock was held to modify the data structures in the +profiler database, but it's safe to remove it now. + +* profiler/ProfilerDatabase.cpp: +(JSC::Profiler::Database::addCompilation): + 2021-05-26 Chris Dumez Use UncheckedLock even less in _javascript_Core Modified: trunk/Source/_javascript_Core/profiler/ProfilerDatabase.cpp (278138 => 278139) --- trunk/Source/_javascript_Core/profiler/ProfilerDatabase.cpp 2021-05-27 00:35:38 UTC (rev 278138) +++ trunk/Source/_javascript_Core/profiler/ProfilerDatabase.cpp 2021-05-27 00:36:06 UTC (rev 278139)
@@ -89,7 +89,6 @@ void Database::addCompilation(CodeBlock* codeBlock, Ref&& compilation) { Locker locker { m_lock }; -ASSERT(!isCompilationThread()); m_compilations.append(compilation.copyRef()); m_compilationMap.set(codeBlock, WTFMove(compilation));
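Review bot: Typo in the ChangeLog hunk: `+The assertion was introduce before a lock was held` should read `was introduced`; worth fixing before landing, since this entry is the written record of why the assertion is safe to drop.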
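Review bot: Dropping `ASSERT(!isCompilationThread());` in `Database::addCompilation` silently widens the function's threading contract. The hunk shows `Locker locker { m_lock };` taken before `m_compilations.append(compilation.copyRef());` and `m_compilationMap.set(codeBlock, WTFMove(compilation));`, so both mutations are guarded, but nothing left in the function says that compiler-thread callers are now expected. Suggest a one-line comment above the Locker, e.g. "May be called from compilation threads; m_lock guards m_compilations and m_compilationMap.", so the next reader does not reintroduce the assertion.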
[webkit-changes] [275521] trunk
Title: [275521] trunk
Revision 275521
Author tzaga...@apple.com
Date 2021-04-06 09:05:01 -0700 (Tue, 06 Apr 2021)

Log Message

Handle OOM in ScriptExecutionContext::reportUnhandledPromiseRejection
https://bugs.webkit.org/show_bug.cgi?id=223777

Reviewed by Yusuke Suzuki.

Source/WebCore:

It's possible to fail to allocate the error message in ScriptExecutionContext::reportUnhandledPromiseRejection, in which case we should report an OOM exception instead of crashing.

Test: js/Promise-reject-large-string.html

* dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::reportUnhandledPromiseRejection):

LayoutTests:

* js/dom/Promise-reject-large-string-expected.txt: Added.
* js/dom/Promise-reject-large-string.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/ScriptExecutionContext.cpp

Added Paths

trunk/LayoutTests/js/dom/Promise-reject-large-string-expected.txt
trunk/LayoutTests/js/dom/Promise-reject-large-string.html

Diff Modified: trunk/LayoutTests/ChangeLog (275520 => 275521) --- trunk/LayoutTests/ChangeLog 2021-04-06 16:00:49 UTC (rev 275520) +++ trunk/LayoutTests/ChangeLog 2021-04-06 16:05:01 UTC (rev 275521) @@ -1,3 +1,14 @@ +2021-04-06 Tadeu Zagallo + +Handle OOM in ScriptExecutionContext::reportUnhandledPromiseRejection +https://bugs.webkit.org/show_bug.cgi?id=223777 + + +Reviewed by Yusuke Suzuki. + +* js/dom/Promise-reject-large-string-expected.txt: Added. +* js/dom/Promise-reject-large-string.html: Added. + 2021-04-06 Philippe Normand REGRESSION(r274358) [GStreamer] http/tests/images/mp4-partial-load.html is flaky crashing inside GStreamer Added: trunk/LayoutTests/js/dom/Promise-reject-large-string-expected.txt (0 => 275521) --- trunk/LayoutTests/js/dom/Promise-reject-large-string-expected.txt (rev 0) +++ trunk/LayoutTests/js/dom/Promise-reject-large-string-expected.txt 2021-04-06 16:05:01 UTC (rev 275521)
@@ -0,0 +1,5 @@ +CONSOLE MESSAGE: Unhandled Promise Rejection: ... +PASS successfullyParsed is true + +TEST COMPLETE + Added: trunk/LayoutTests/js/dom/Promise-reject-large-string.html (0 => 275521) --- trunk/LayoutTests/js/dom/Promise-reject-large-string.html (rev 0) +++ trunk/LayoutTests/js/dom/Promise-reject-large-string.html 2021-04-06 16:05:01 UTC (rev 275521) @@ -0,0 +1,14 @@ + + + +window.jsTestIsAsync = true; + + +
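Review bot: Path mismatch between the log message and the LayoutTests ChangeLog hunk: the log message's `Test:` line names `js/Promise-reject-large-string.html`, while the hunk adds `+* js/dom/Promise-reject-large-string.html: Added.` under `js/dom/`. Make the `Test:` line in the WebCore entry match the added path so the test is findable from the changelog.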
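Review bot: As shown, the added expected output checks only `+CONSOLE MESSAGE: Unhandled Promise Rejection: ...` and `+PASS successfullyParsed is true`, so it cannot tell the intended out-of-memory report apart from any other rejection message; the test would still pass if a regression reported a different error as long as it did not crash. If the harness permits, have the expected output (or a PASS line in the test) pin the reported error text so the OOM path described in the log message is what is being verified.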