[webkit-changes] [295771] trunk
Title: [295771] trunk Revision 295771 Author ysuz...@apple.com Date 2022-06-23 01:23:58 -0700 (Thu, 23 Jun 2022) Log Message [WTF] Use CompactPtr in AtomStringTable if it is more efficient https://bugs.webkit.org/show_bug.cgi?id=241883 Reviewed by Darin Adler. 1. We add HashTable support for CompactPtr. Correctly setting up HashTraits and Hashers so that we can have HashSet>. 2. Use CompactPtr in AtomStringTable if it is more efficient than PackedPtr. Typically, this means we are in iOS. * Source/WTF/wtf/CompactPtr.h: (WTF::CompactPtr::CompactPtr): (WTF::CompactPtr::encode): (WTF::CompactPtr::decode): (WTF::CompactPtr::isHashTableDeletedValue const): (WTF::CompactPtrTraits::hashTableDeletedValue): (WTF::CompactPtrTraits::isHashTableDeletedValue): * Source/WTF/wtf/Forward.h: * Source/WTF/wtf/HashTraits.h: (WTF::HashTraits>::emptyValue): (WTF::HashTraits>::isEmptyValue): (WTF::HashTraits>::peek): * Source/WTF/wtf/text/AtomStringImpl.cpp: (WTF::UCharBufferTranslator::equal): (WTF::UCharBufferTranslator::translate): (WTF::HashAndUTF8CharactersTranslator::equal): (WTF::HashAndUTF8CharactersTranslator::translate): (WTF::SubstringTranslator::translate): (WTF::SubstringTranslator8::equal): (WTF::SubstringTranslator16::equal): (WTF::LCharBufferTranslator::equal): (WTF::LCharBufferTranslator::translate): (WTF::BufferFromStaticDataTranslator::equal): (WTF::BufferFromStaticDataTranslator::translate): * Source/WTF/wtf/text/AtomStringTable.h: * Tools/TestWebKitAPI/Tests/WTF/CompactPtr.cpp: (TestWebKitAPI::TEST): Canonical link: https://commits.webkit.org/251776@main Modified Paths trunk/Source/WTF/wtf/CompactPtr.h trunk/Source/WTF/wtf/Forward.h trunk/Source/WTF/wtf/HashTraits.h trunk/Source/WTF/wtf/text/AtomStringImpl.cpp trunk/Source/WTF/wtf/text/AtomStringTable.h trunk/Tools/TestWebKitAPI/Tests/WTF/CompactPtr.cpp Diff Modified: trunk/Source/WTF/wtf/CompactPtr.h (295770 => 295771) --- trunk/Source/WTF/wtf/CompactPtr.h 2022-06-23 07:45:56 UTC (rev 295770) +++ 
trunk/Source/WTF/wtf/CompactPtr.h 2022-06-23 08:23:58 UTC (rev 295771) @@ -27,6 +27,9 @@ #include #include +#include +#include +#include #include #include @@ -47,7 +50,6 @@ template class CompactPtr { WTF_MAKE_FAST_ALLOCATED; - public: #if HAVE(36BIT_ADDRESS) // The CompactPtr algorithm relies on being able to shift @@ -56,8 +58,10 @@ // loss is if the if the address is always 16 bytes aligned i.e. // the lower 4 bits is always 0. using StorageType = uint32_t; +static constexpr bool is32Bit = true; #else using StorageType = uintptr_t; +static constexpr bool is32Bit = false; #endif static constexpr bool isCompactedType = true; @@ -82,6 +86,8 @@ std::exchange(o.m_ptr, 0); } +ALWAYS_INLINE constexpr CompactPtr(HashTableDeletedValueType) : m_ptr(hashDeletedStorageValue) { } + ALWAYS_INLINE ~CompactPtr() = default; T& operator*() const { return *get(); } @@ -173,6 +179,7 @@ { uintptr_t intPtr = bitwise_cast(ptr); #if HAVE(36BIT_ADDRESS) +static_assert(alignof(T) >= (1ULL << bitsShift)); ASSERT(!(intPtr & alignmentMask)); StorageType encoded = static_cast(intPtr >> bitsShift); ASSERT(decode(encoded) == ptr); @@ -185,6 +192,7 @@ static ALWAYS_INLINE T* decode(StorageType ptr) { #if HAVE(36BIT_ADDRESS) +static_assert(alignof(T) >= (1ULL << bitsShift)); return bitwise_cast(static_cast(ptr) << bitsShift); #else return bitwise_cast(ptr); @@ -191,6 +199,8 @@ #endif } +bool isHashTableDeletedValue() const { return m_ptr == hashDeletedStorageValue; } + private: template friend class CompactPtr; @@ -197,6 +207,7 @@ static constexpr uint32_t bitsShift = 4; static constexpr uintptr_t alignmentMask = (1ull << bitsShift) - 1; +static constexpr StorageType hashDeletedStorageValue = 1; // 0x16 (encoded as 1) is within the first unmapped page for nullptr. Thus, it never appears. StorageType m_ptr { 0 }; }; 
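Review bot: The comment on `hashDeletedStorageValue` in the last hunk states the wrong decoded address: with `bitsShift = 4` the stored value 1 decodes to `1 << 4 = 0x10`, not `0x16`, and in the `!HAVE(36BIT_ADDRESS)` branch `encode`/`decode` are identity so the sentinel is the raw address 0x1. Both still sit in the unmapped page around nullptr, which is the property `isHashTableDeletedValue()` relies on to never collide with a live pointer, so the code is fine but the rationale should be stated for both configurations: `static constexpr StorageType hashDeletedStorageValue = 1; // Decodes to 0x10 (1 << bitsShift) under HAVE(36BIT_ADDRESS), or is raw address 0x1 otherwise; both lie in the unmapped page reserved for nullptr, so no live T* ever encodes to 1.` The new `static_assert(alignof(T) >= (1ULL << bitsShift))` in `encode`/`decode` is what makes the low-nibble reuse a compile-time guarantee, since the `ASSERT(!(intPtr & alignmentMask))` beside it is debug-only; a one-line comment saying so would help the next reader. The `CompactPtr` class and the commit's remaining hunks (Forward.h onward) continue outside this chunk.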
@@ -219,6 +230,8 @@ using StorageType = CompactPtr; +static constexpr bool is32Bit = StorageType::is32Bit; + template static ALWAYS_INLINE T* exchange(StorageType& ptr, U&& newValue) { return ptr.exchange(newValue); } @@ -227,10 +240,12 @@ static ALWAYS_INLINE T* unwrap(const StorageType& ptr) { return ptr.get(); } -static StorageType hashTableDeletedValue() { return bitwise_cast(static_cast(-1)); } -static ALWAYS_INLINE bool isHashTableDeletedValue(const StorageType& ptr) { return ptr == hashTableDeletedValue(); } +static StorageType hashTableDeletedValue() { return StorageType { HashTableDeletedValue }; } +static ALWAYS_INLINE bool isHashTableDeletedValue(const StorageType& ptr) { return ptr.isHashTableDeletedValue(); } }; +template struct DefaultHash> : PtrHash> { }; + } // namespace WTF using WTF::CompactPtr; Modified: trunk/Source/WTF/wtf/Forward.h (295770 => 295771)
[webkit-changes] [295770] trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp
Title: [295770] trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp Revision 295770 Author ysuz...@apple.com Date 2022-06-23 00:45:56 -0700 (Thu, 23 Jun 2022) Log Message [JSC] Set up wasm stack |this| first https://bugs.webkit.org/show_bug.cgi?id=241907 rdar://problem/94397072 Reviewed by Mark Lam. We should set up the stack's |thisValue| first. * Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::AirIRGenerator): Canonical link: https://commits.webkit.org/251775@main Modified Paths trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp Diff Modified: trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp (295769 => 295770) --- trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2022-06-23 06:35:37 UTC (rev 295769) +++ trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2022-06-23 07:45:56 UTC (rev 295770) 
@@ -1014,14 +1014,20 @@ bool needUnderflowCheck = static_cast(checkSize) > Options::reservedZoneSize(); bool needsOverflowCheck = m_makesCalls || wasmFrameSize >= static_cast(minimumParentCheckSize) || needUnderflowCheck; +if ((needsOverflowCheck || m_usesInstanceValue) && Context::useFastTLS()) +jit.loadWasmContextInstance(m_prologueWasmContextGPR); + +// We need to setup JSWebAssemblyInstance in |this| slot first. +if (m_catchEntrypoints.size()) { +GPRReg scratch = wasmCallingConvention().prologueScratchGPRs[0]; +jit.loadPtr(CCallHelpers::Address(m_prologueWasmContextGPR, Instance::offsetOfOwner()), scratch); +jit.store64(scratch, CCallHelpers::Address(GPRInfo::callFrameRegister, CallFrameSlot::thisArgument * sizeof(Register))); +} + // This allows leaf functions to not do stack checks if their frame size is within // certain limits since their caller would have already done the check. if (needsOverflowCheck) { GPRReg scratch = wasmCallingConvention().prologueScratchGPRs[0]; - -if (Context::useFastTLS()) -jit.loadWasmContextInstance(m_prologueWasmContextGPR); - jit.addPtr(CCallHelpers::TrustedImm32(-checkSize), GPRInfo::callFrameRegister, scratch); MacroAssembler::JumpList overflow; if (UNLIKELY(needUnderflowCheck)) 
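Review bot: The fast-TLS load of `m_prologueWasmContextGPR` is still gated on `needsOverflowCheck || m_usesInstanceValue`, yet the `m_catchEntrypoints.size()` block that now follows reads that register unconditionally to fill the |this| slot; unless a function with catch handlers always has `m_usesInstanceValue` set (not visible in this hunk), a leaf function with catch blocks would store whatever the prologue scratch register happens to hold into `CallFrameSlot::thisArgument`. Gating on the consumer as well removes the dependency on that invariant: `if ((needsOverflowCheck || m_usesInstanceValue || m_catchEntrypoints.size()) && Context::useFastTLS())`. The `store64` also hard-codes a 64-bit slot write; a `static_assert(sizeof(Register) == 8)` or a comment that this generator is 64-bit only would document that assumption. The enclosing AirIRGenerator constructor lambda starts before this hunk and ends in the next one.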
@@ -1030,16 +1036,8 @@ jit.addLinkTask([overflow] (LinkBuffer& linkBuffer) { linkBuffer.link(overflow, CodeLocationLabel(Thunks::singleton().stub(throwStackOverflowFromWasmThunkGenerator).code())); }); -} else if (m_usesInstanceValue && Context::useFastTLS()) { -// No overflow check is needed, but the instance values still needs to be correct. -jit.loadWasmContextInstance(m_prologueWasmContextGPR); } -if (m_catchEntrypoints.size()) { -GPRReg scratch = wasmCallingConvention().prologueScratchGPRs[0]; -jit.loadPtr(CCallHelpers::Address(m_prologueWasmContextGPR, Instance::offsetOfOwner()), scratch); -jit.store64(scratch, CCallHelpers::Address(GPRInfo::callFrameRegister, CallFrameSlot::thisArgument * sizeof(Register))); -} } }); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295763] trunk/.github/CODEOWNERS
Title: [295763] trunk/.github/CODEOWNERS Revision 295763 Author ysuz...@apple.com Date 2022-06-22 18:19:42 -0700 (Wed, 22 Jun 2022) Log Message Unreviewed, update .github/CODEOWNERS for TestWebKitAPI https://bugs.webkit.org/show_bug.cgi?id=241897 Update .github/CODEOWNERS to more correctly add reviewer requests for TestWebKitAPI. * .github/CODEOWNERS: Canonical link: https://commits.webkit.org/251768@main Modified Paths trunk/.github/CODEOWNERS Diff Modified: trunk/.github/CODEOWNERS (295762 => 295763) --- trunk/.github/CODEOWNERS 2022-06-23 01:03:50 UTC (rev 295762) +++ trunk/.github/CODEOWNERS 2022-06-23 01:19:42 UTC (rev 295763) @@ -38,6 +38,7 @@ /Tools/Scripts/libraries @JonWBedard /Tools/Scripts/libraries/webkitscmpy @facetothefate @JonWBedard +/Tools/TestWebKitAPI # @@ -49,6 +50,7 @@ # /Source/bmalloc @Constellation +/Tools/TestWebKitAPI/Tests/WTF/bmalloc @Constellation # @@ -55,6 +57,7 @@ /Source/_javascript_Core @WebKit/jsc-reviewers /JSTests @WebKit/jsc-reviewers /LayoutTests/js @WebKit/jsc-reviewers +/Tools/TestWebKitAPI/Tests/_javascript_Core @WebKit/jsc-reviewers # ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295710] trunk/JSTests/stress/ array-buffer-transfer-should-not-reduce-extra-memory-size.js
Title: [295710] trunk/JSTests/stress/array-buffer-transfer-should-not-reduce-extra-memory-size.js Revision 295710 Author ysuz...@apple.com Date 2022-06-21 18:34:32 -0700 (Tue, 21 Jun 2022) Log Message [JSC] Add tests ensuring that extraMemorySize is monotonically increasing until full-collection happens https://bugs.webkit.org/show_bug.cgi?id=241832 rdar://95384643 Reviewed by Mark Lam. This patch adds tests ensuring that extraMemorySize is monotonically increasing until full-collection happens. If this assumption is broken, GC scheduling can be confused. And we crash with existing assertions. * JSTests/stress/array-buffer-transfer-should-not-reduce-extra-memory-size.js: Added. Canonical link: https://commits.webkit.org/251715@main Added Paths trunk/JSTests/stress/array-buffer-transfer-should-not-reduce-extra-memory-size.js Diff Added: trunk/JSTests/stress/array-buffer-transfer-should-not-reduce-extra-memory-size.js (0 => 295710) --- trunk/JSTests/stress/array-buffer-transfer-should-not-reduce-extra-memory-size.js (rev 0) +++ trunk/JSTests/stress/array-buffer-transfer-should-not-reduce-extra-memory-size.js 2022-06-22 01:34:32 UTC (rev 295710) @@ -0,0 +1,2 @@ +for (let i = 0; i < 100; i++) +transferArrayBuffer(new Uint8Array(2 ** 21).buffer); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295703] trunk/Source/JavaScriptCore
Title: [295703] trunk/Source/_javascript_Core Revision 295703 Author ysuz...@apple.com Date 2022-06-21 16:57:05 -0700 (Tue, 21 Jun 2022) Log Message Unreviewed, revert "The extraMemorySize() get wrong when transferring ArrayBuffer from Worker VM" https://bugs.webkit.org/show_bug.cgi?id=241826 rdar://95384643 This reverts commit 71960bed2a3ee0917367bc4144911a9e8168deea. m_extraMemorySize must be monotonically increasing during GC cycles until full-collection happens. And after the full-collection, it is adjusted. We already adjusted it in sweep of m_arrayBuffer, so, we should not reduce that number. This is used for GC invocation scheduling. So, if we would like to have a number which more precisely reflecting the current status, then we should have yet another one. And we can still use extraMemorySize since it will be adjusted after the full-collection. So we can consider that transferred array-buffer is collected at the full-collection. Canonical link: https://commits.webkit.org/251708@main Modified Paths trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSet.h trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSetInlines.h trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/Heap.h trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp Diff Modified: trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSet.h (295702 => 295703) --- trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSet.h 2022-06-21 23:51:24 UTC (rev 295702) +++ trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSet.h 2022-06-21 23:57:05 UTC (rev 295703) 
@@ -44,7 +44,6 @@ void sweep(VM&); size_t size() const { return m_bytes; }; -void reduceSize(size_t); private: Vector m_vector; Modified: trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSetInlines.h (295702 => 295703) --- trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSetInlines.h 2022-06-21 23:51:24 UTC (rev 295702) +++ trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSetInlines.h 2022-06-21 23:57:05 UTC (rev 295703) @@ -72,23 +72,6 @@ m_vector[i--] = m_vector.last(); m_vector.removeLast(); } - -constexpr bool verify = false; -if constexpr (verify) { -CheckedSize size; -for (size_t i = m_vector.size(); i--;) { -T* object = m_vector[i]; -size += object->gcSizeEstimateInBytes(); -} -ASSERT(m_bytes == size); -} } -template -void GCIncomingRefCountedSet::reduceSize(size_t bytes) -{ -ASSERT(m_bytes >= bytes); -m_bytes -= bytes; -} - } // namespace JSC Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (295702 => 295703) --- trunk/Source/_javascript_Core/heap/Heap.cpp 2022-06-21 23:51:24 UTC (rev 295702) +++ trunk/Source/_javascript_Core/heap/Heap.cpp 2022-06-21 23:57:05 UTC (rev 295703) @@ -659,11 +659,6 @@ } } -void Heap::reduceArrayBufferSize(size_t bytes) -{ -m_arrayBuffers.reduceSize(bytes); -} - template void Heap::finalizeMarkedUnconditionalFinalizers(CellSet& cellSet) { Modified: trunk/Source/_javascript_Core/heap/Heap.h (295702 => 295703) --- trunk/Source/_javascript_Core/heap/Heap.h 2022-06-21 23:51:24 UTC (rev 295702) +++ trunk/Source/_javascript_Core/heap/Heap.h 2022-06-21 23:57:05 UTC (rev 295703) 
@@ -439,7 +439,6 @@ const JITStubRoutineSet& jitStubRoutines() { return *m_jitStubRoutines; } void addReference(JSCell*, ArrayBuffer*); -void reduceArrayBufferSize(size_t bytes); bool isDeferred() const { return !!m_deferralDepth; } Modified: trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp (295702 => 295703) --- trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2022-06-21 23:51:24 UTC (rev 295702) +++ trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2022-06-21 23:57:05 UTC (rev 295703) @@ -303,11 +303,8 @@ return true; } -CheckedSize sizeReduced { gcSizeEstimateInBytes() }; result = WTFMove(m_contents); notifyDetaching(vm); -sizeReduced -= gcSizeEstimateInBytes(); -vm.heap.reduceArrayBufferSize(sizeReduced); return true; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295693] trunk
Title: [295693] trunk Revision 295693 Author ysuz...@apple.com Date 2022-06-21 15:08:27 -0700 (Tue, 21 Jun 2022) Log Message [JSC] Fix Temporal regulateTime's constraints for milliseconds, microseconds, and nanoseconds https://bugs.webkit.org/show_bug.cgi?id=241818 rdar://95534859 Reviewed by Ross Kirsling. This patch fixes constraints for milliseconds, microseconds, and nanoseconds in constrainTime. It should be from 0 to 999, not to 1000[1]. [1]: https://tc39.es/proposal-temporal/#sec-temporal-constraintime * JSTests/stress/temporal-plaintime-tostring-1000-millisecond.js: Added. (shouldBe): (throw.new.Error): * Source/_javascript_Core/runtime/TemporalPlainTime.cpp: (JSC::constrainTime): Canonical link: https://commits.webkit.org/251698@main Modified Paths trunk/Source/_javascript_Core/runtime/TemporalPlainTime.cpp Added Paths trunk/JSTests/stress/temporal-plaintime-tostring-1000-millisecond.js Diff Added: trunk/JSTests/stress/temporal-plaintime-tostring-1000-millisecond.js (0 => 295693) --- trunk/JSTests/stress/temporal-plaintime-tostring-1000-millisecond.js (rev 0) +++ trunk/JSTests/stress/temporal-plaintime-tostring-1000-millisecond.js 2022-06-21 22:08:27 UTC (rev 295693) 
@@ -0,0 +1,43 @@ +//@ requireOptions("--useTemporal=1") + +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} + +{ +let data = "" + hour: 0, + minute: 0, + second: 0, + millisecond: 1000, + microsecond: 0, + nanosecond: 0, +}).toString(); + +shouldBe(data, `00:00:00.999`); +} +{ +let data = "" + hour: 0, + minute: 0, + second: 0, + millisecond: 0, + microsecond: 1000, + nanosecond: 0, +}).toString(); + +shouldBe(data, `00:00:00.000999`); +} +{ +let data = "" + hour: 0, + minute: 0, + second: 0, + millisecond: 0, + microsecond: 0, + nanosecond: 1000, +}).toString(); + +shouldBe(data, `00:00:00.00999`); +} Modified: trunk/Source/_javascript_Core/runtime/TemporalPlainTime.cpp (295692 => 295693) --- trunk/Source/_javascript_Core/runtime/TemporalPlainTime.cpp 2022-06-21 22:00:27 UTC (rev 295692) +++ trunk/Source/_javascript_Core/runtime/TemporalPlainTime.cpp 2022-06-21 22:08:27 UTC (rev 295693) @@ -375,9 +375,9 @@ constrainToRange(duration.hours(), 0, 23), constrainToRange(duration.minutes(), 0, 59), constrainToRange(duration.seconds(), 0, 59), -constrainToRange(duration.milliseconds(), 0, 1000), -constrainToRange(duration.microseconds(), 0, 1000), -constrainToRange(duration.nanoseconds(), 0, 1000)); +constrainToRange(duration.milliseconds(), 0, 999), +constrainToRange(duration.microseconds(), 0, 999), +constrainToRange(duration.nanoseconds(), 0, 999)); } static ISO8601::PlainTime regulateTime(JSGlobalObject* globalObject, ISO8601::Duration&& duration, TemporalOverflow overflow) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
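Review bot: The third expectation in the new test looks inconsistent with the other two: a nanosecond value of 1000 constrained to 999 should render with nine fractional digits, `shouldBe(data, \`00:00:00.000000999\`);`, whereas the text here shows `00:00:00.00999` (five digits), which no valid PlainTime string can contain. If the mailing-list rendering is faithful to the committed file this case fails; if it is an extraction artifact it can be ignored. The `Temporal.PlainTime.from({` calls also appear mangled in this listing (`let data = "" + hour: 0`), so the test body should be checked against the repository rather than this page.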
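Review bot: The corrected 999 bounds in `constrainTime` carry no pointer to the spec in the code, and the previous 1000 values survived review precisely because nothing documented that the range is closed; a one-line comment above the three sub-second calls, `// ConstrainTime: milliseconds/microseconds/nanoseconds are clamped to 0..999 (https://tc39.es/proposal-temporal/#sec-temporal-constraintime).`, would make a regression visible at the call site. The enclosing `constrainTime` function starts outside the hunk.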
[webkit-changes] [295658] trunk
Title: [295658] trunk Revision 295658 Author ysuz...@apple.com Date 2022-06-17 23:46:29 -0700 (Fri, 17 Jun 2022) Log Message [JSC] Fix iterator_next's tmp liveness and OSR exit recovery https://bugs.webkit.org/show_bug.cgi?id=241702 Reviewed by Mark Lam. We fix two issues in iterator_next DFG handling. 1. Consider the following case, function inlinedGetterUsedByIteratorNext() { if (flag) ForceOSRExit() // Terminal ... } And we hit ForceOSRExit and do OSR exit. We are not reporting tmp (nextResult tmp in this case) as live at the terminal accidentally. As a result, when OSR exit is performed, it is dead. But this is still used after "done" lookup is finished since "value" lookup also uses this nextResult. As a result, we encounter an error since nextResult is not recovered after OSR exit. In this patch, we report liveness of tmp in flushForTerminalImpl to recover them. Strictly speaking, this code is slightly too conservative: for example, when OSR exit happens for inlined call of "value" getter, "value"'s requiring tmp is not necessary since this is the last checkpoint and this llint_slow_path_checkpoint_osr_exit_from_inlined_call is called after finishing the call => we finished all the things. For now, we align it to the other places since this is conservatively correct. In a future patch, we can make it more precisely modeled. 2. llint_slow_path_checkpoint_osr_exit_from_inlined_call should not use handleIteratorNextCheckpoint handleIteratorNextCheckpoint is not for inlined call. Inlined call is "OSR exit during the checkpoint's call". Thus, its checkpoint meaning is different from llint_slow_path_checkpoint_osr_exit: for example, when OSR exit happens for inlined call of "value" getter, all the operation is already done and only thing we need to do is storing the result value to the specified VirtualRegister position. On the other hand, in llint_slow_path_checkpoint_osr_exit, we should perform what we need to do in the last checkpoint sequence. 
This patch fixes iterator_next's definition in llint_slow_path_checkpoint_osr_exit_from_inlined_call since it is the only incorrect case. * JSTests/stress/osr-exit-iterator-next-get-by-id-value-access.js: Added. (result.get value): (result.get done): (iterator.next): (object.Symbol.iterator): (test): * JSTests/stress/osr-exit-iterator-next-get-by-id-value-exit.js: Added. (result.get value): (result.get done): (iterator.next): (object.Symbol.iterator): (test): * JSTests/stress/osr-exit-iterator-next-get-by-id.js: Added. (result.get value): (result.get done): (iterator.next): (object.Symbol.iterator): (test): * JSTests/stress/osr-exit-iterator-open-get-by-id.js: Added. (iterator.nextImpl): (iterator.get next): (object.Symbol.iterator): (test): * Source/_javascript_Core/dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::flushForTerminalImpl): * Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::callerReturnPC): (JSC::DFG::reifyInlinedCallFrames): * Source/_javascript_Core/llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleIteratorNextCheckpoint): (JSC::LLInt::llint_slow_path_checkpoint_osr_exit_from_inlined_call): Canonical link: https://commits.webkit.org/251663@main Modified Paths trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp Added Paths trunk/JSTests/stress/osr-exit-iterator-next-get-by-id-value-access.js trunk/JSTests/stress/osr-exit-iterator-next-get-by-id-value-exit.js trunk/JSTests/stress/osr-exit-iterator-next-get-by-id.js trunk/JSTests/stress/osr-exit-iterator-open-get-by-id.js Diff Added: trunk/JSTests/stress/osr-exit-iterator-next-get-by-id-value-access.js (0 => 295658) --- trunk/JSTests/stress/osr-exit-iterator-next-get-by-id-value-access.js (rev 0) +++ trunk/JSTests/stress/osr-exit-iterator-next-get-by-id-value-access.js 2022-06-18 06:46:29 UTC (rev 295658) 
@@ -0,0 +1,41 @@ +var flag = 0; +var counter = 0; + +var result = { +get value() { +return 42; +}, +get done() { +if (flag) +OSRExit(); +++counter +return counter & 0x1; +}, +}; + +var iterator = { +next() { +return result; +} +}; + + +var object = { +[Symbol.iterator]() { +return iterator; +} +}; + +noDFG(Object.getOwnPropertyDescriptor(object, Symbol.iterator).value); + +function test() +{ +for (let i of object); +} +noInline(test); + +for (var i = 0; i < 1e6; ++i) +test(); +flag = 1; +for (var i = 0; i < 1e6; ++i) +test(); Added: trunk/JSTests/stress/osr-exit-iterator-next-get-by-id-value-exit.js (0 => 295658) --- trunk/JSTests/stress/osr-exit-iterator-next-get-by-id-value-exit.js (rev 0) +++ trunk/JSTests/stress/osr-exit-iterator-next-get-by-id-value-exit.js 2022-06-18 06:46:29 UTC (rev 295658) @@ -0,0 +1,41 @@ +var flag = 0; +var counter = 0; + +var result = { +get value() { +if (flag) +
[webkit-changes] [295622] trunk/.github/CODEOWNERS
Title: [295622] trunk/.github/CODEOWNERS Revision 295622 Author ysuz...@apple.com Date 2022-06-16 18:43:11 -0700 (Thu, 16 Jun 2022) Log Message Unreviewed, add bmalloc related information to .github/CODEOWNERS * .github/CODEOWNERS: Canonical link: https://commits.webkit.org/251627@main Modified Paths trunk/.github/CODEOWNERS Diff Modified: trunk/.github/CODEOWNERS (295621 => 295622) --- trunk/.github/CODEOWNERS 2022-06-17 01:38:03 UTC (rev 295621) +++ trunk/.github/CODEOWNERS 2022-06-17 01:43:11 UTC (rev 295622) @@ -48,6 +48,10 @@ # +/Source/bmalloc @Constellation + +# + /Source/_javascript_Core @WebKit/jsc-reviewers /JSTests @WebKit/jsc-reviewers /LayoutTests/js @WebKit/jsc-reviewers ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295614] trunk
Title: [295614] trunk Revision 295614 Author ysuz...@apple.com Date 2022-06-16 16:08:33 -0700 (Thu, 16 Jun 2022) Log Message [JSC] Always create StructureStubInfo for op_get_by_val https://bugs.webkit.org/show_bug.cgi?id=241669 rdar://75146284 Reviewed by Saam Barati and Mark Lam. DFG OSR exit requires StructureStubInfo for getter / setter calls. However very generic baseline JIT op_get_by_val does not create StructureStubInfo. It is possible that OSR exit crashes because of this missing StructureStubInfo. Let's consider the following edge case. 1. Now, Baseline detects that this is very generic op_get_by_val. So we do not create StructureStubInfo. 2. This function is inlined in DFG. And DFG emits IC for this GetByVal. 3. (2)'s DFG function collects information in DFG-level IC. And luckily, in this inlined call path, it was not so generic. 4. Then, due to different OSR exit or something, we recreate DFG code for this function with (2)'s inlining. 5. DFG detects that DFG-level IC has more specialized information. So it can inline getter call in this op_get_by_val. 6. Inside this getter, we perform OSR exit. 7. Looking into Baseline, and we found that there is no StructureStubInfo! We always create StructureStubInfo. In very generic op_get_by_val case, we create this with tookSlowPath = true. And we emit empty inline path to record doneLocation. So, OSR exit can jump to this place. We also clean up StructureStubInfo code. 1. "start" is renamed to startLocation. And we do not record it in DataIC case since it is not necessary. 2. Rename inlineSize to inlineCodeSize. 3. Add some assertions to ensure that this path is not used for DataIC case. 4. We also record opcode value in the crashing RELEASE_ASSERT to get more information if this does not fix the issue. 
* Source/_javascript_Core/bytecode/InlineAccess.cpp: (JSC::linkCodeInline): (JSC::InlineAccess::generateArrayLength): (JSC::InlineAccess::generateStringLength): (JSC::InlineAccess::rewireStubAsJumpInAccessNotUsingInlineAccess): (JSC::InlineAccess::rewireStubAsJumpInAccess): (JSC::InlineAccess::resetStubAsJumpInAccess): * Source/_javascript_Core/bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::initializeFromUnlinkedStructureStubInfo): (JSC::StructureStubInfo::initializeFromDFGUnlinkedStructureStubInfo): * Source/_javascript_Core/bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::inlineCodeSize const): (JSC::StructureStubInfo::inlineSize const): Deleted. * Source/_javascript_Core/dfg/DFGInlineCacheWrapperInlines.h: (JSC::DFG::InlineCacheWrapper::finalize): * Source/_javascript_Core/dfg/DFGJITCode.h: * Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::callerReturnPC): * Source/_javascript_Core/jit/JIT.cpp: (JSC::JIT::link): * Source/_javascript_Core/jit/JITInlineCacheGenerator.cpp: (JSC::JITInlineCacheGenerator::finalize): (JSC::JITGetByValGenerator::generateEmptyPath): * Source/_javascript_Core/jit/JITInlineCacheGenerator.h: * Source/_javascript_Core/jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_val): * JSTests/stress/get-by-val-generic-structurestubinfo.js: Added. 
(let.program): (runMono.let.o.get x): (runMono): (runPoly): Canonical link: https://commits.webkit.org/251619@main Modified Paths trunk/Source/_javascript_Core/bytecode/InlineAccess.cpp trunk/Source/_javascript_Core/bytecode/StructureStubInfo.cpp trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h trunk/Source/_javascript_Core/dfg/DFGInlineCacheWrapperInlines.h trunk/Source/_javascript_Core/dfg/DFGJITCode.h trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/jit/JITInlineCacheGenerator.cpp trunk/Source/_javascript_Core/jit/JITInlineCacheGenerator.h trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp Added Paths trunk/JSTests/stress/get-by-val-generic-structurestubinfo.js Diff Added: trunk/JSTests/stress/get-by-val-generic-structurestubinfo.js (0 => 295614) --- trunk/JSTests/stress/get-by-val-generic-structurestubinfo.js (rev 0) +++ trunk/JSTests/stress/get-by-val-generic-structurestubinfo.js 2022-06-16 23:08:33 UTC (rev 295614) @@ -0,0 +1,55 @@ +//@ requireOptions("--getByValICMaxNumberOfIdentifiers=2") + +let program = ` +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +function foo(o, p) { +return o[p]; +} +noInline(foo); + +function runMono() { +let o = { +get x() { +if ($vm.ftlTrue()) OSRExit(); +return 42; +} +}; +for (let i = 0; i < 100; ++i) { +shouldBe(foo(o, "x"), 42); +} +} + +function runPoly() { +let o = { +a: 1, +b: 2, +c: 4, +d: 4, +e: 4, +f: 4, +g: 4, +};
[webkit-changes] [295576] trunk/.github/CODEOWNERS
Title: [295576] trunk/.github/CODEOWNERS Revision 295576 Author ysuz...@apple.com Date 2022-06-15 15:46:27 -0700 (Wed, 15 Jun 2022) Log Message Add CODEOWNERS file to ping review request automatically to JSC reviewers https://bugs.webkit.org/show_bug.cgi?id=241058 Reviewed by Jonathan Bedard. This patch adds _javascript_Core CODEOWNERS configurations. By using this file, we can request reviews automatically based on modified files. I added jsc-reviewers group and this file configures that Source/_javascript_Core (except for inspector directory) PR will automatically set jsc-reviewers as a requested reviewer. * .github/CODEOWNERS: Added. Canonical link: https://commits.webkit.org/251581@main Modified Paths trunk/.github/CODEOWNERS Diff Modified: trunk/.github/CODEOWNERS (295575 => 295576) --- trunk/.github/CODEOWNERS 2022-06-15 22:29:03 UTC (rev 295575) +++ trunk/.github/CODEOWNERS 2022-06-15 22:46:27 UTC (rev 295576) @@ -31,6 +31,7 @@ /metadata @JonWBedard # + /Tools @JonWBedard /Tools/CISupport @aj062 @JonWBedard @ryanhaddad @@ -45,6 +46,14 @@ /Source/WebCore/platform/graphics/gstreamer @ntrrgc @calvaris @philn /Source/WebCore/platform/mediastream/gstreamer @calvaris @philn +# + +/Source/_javascript_Core @WebKit/jsc-reviewers +/JSTests @WebKit/jsc-reviewers +/LayoutTests/js @WebKit/jsc-reviewers + +# + /Source/_javascript_Core/debugger @dcrousso /Source/_javascript_Core/inspector @dcrousso /Source/WebCore/inspector @dcrousso ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295377] trunk/Source/JavaScriptCore/runtime
Title: [295377] trunk/Source/_javascript_Core/runtime Revision 295377 Author ysuz...@apple.com Date 2022-06-08 00:26:02 -0700 (Wed, 08 Jun 2022) Log Message [JSC] Clean up ArrayBufferContents https://bugs.webkit.org/show_bug.cgi?id=241368 Reviewed by Mark Lam. This patch simplifies ArrayBufferContents by using default member initializers and swap function. 1. Remove ArrayBufferContents::destroy since it is no longer necessary. 2. Move some of very small functions to header. 3. Use swap function and default member initializers to implement move assignment operator and move constructor. 4. Use non-Packed members. Originally it was effective since m_sizeInBytes was `unsigned`. But now, it is `size_t`, so using `Packed` does not save memory. 5. Remove ArrayBufferContents::transferTo since move constructor can do the same thing. 6. Remove ArrayBufferContents::clear since it is no longer used. * Source/_javascript_Core/runtime/ArrayBuffer.cpp: (JSC::ArrayBufferContents::transferTo): (JSC::ArrayBuffer::ArrayBuffer): (JSC::SharedArrayBufferContents::SharedArrayBufferContents): Deleted. (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): Deleted. (JSC::ArrayBufferContents::ArrayBufferContents): Deleted. (JSC::ArrayBufferContents::operator=): Deleted. (JSC::ArrayBufferContents::~ArrayBufferContents): Deleted. (JSC::ArrayBufferContents::clear): Deleted. (JSC::ArrayBufferContents::destroy): Deleted. (JSC::ArrayBufferContents::reset): Deleted. * Source/_javascript_Core/runtime/ArrayBuffer.h: (JSC::SharedArrayBufferContents::data const): Deleted. (JSC::ArrayBufferContents::operator bool): Deleted. (JSC::ArrayBufferContents::data const): Deleted. (JSC::ArrayBufferContents::dataWithoutPACValidation const): Deleted. (JSC::ArrayBufferContents::sizeInBytes const): Deleted. (JSC::ArrayBufferContents::isShared const): Deleted. (JSC::ArrayBuffer::sharingMode const): Deleted. (JSC::ArrayBuffer::isDetached): Deleted. (JSC::ArrayBuffer::detachingWatchpointSet): Deleted. 
(JSC::ArrayBuffer::offsetOfData): Deleted. (JSC::ArrayBuffer::~ArrayBuffer): Deleted. Canonical link: https://commits.webkit.org/251385@main Modified Paths trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp trunk/Source/_javascript_Core/runtime/ArrayBuffer.h Diff Modified: trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp (295376 => 295377) --- trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2022-06-08 05:20:39 UTC (rev 295376) +++ trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2022-06-08 07:26:02 UTC (rev 295377) 
@@ -42,73 +42,6 @@ return destructor.get().copyRef(); } -SharedArrayBufferContents::SharedArrayBufferContents(void* data, size_t size, ArrayBufferDestructorFunction&& destructor) -: m_data(data, size) -, m_destructor(WTFMove(destructor)) -, m_sizeInBytes(size) -{ -} - -SharedArrayBufferContents::~SharedArrayBufferContents() -{ -if (m_destructor) { -// FIXME: we shouldn't use getUnsafe here https://bugs.webkit.org/show_bug.cgi?id=197698 -m_destructor->run(m_data.getUnsafe()); -} -} - -ArrayBufferContents::ArrayBufferContents() -{ -reset(); -} - -ArrayBufferContents::ArrayBufferContents(ArrayBufferContents&& other) -{ -reset(); -other.transferTo(*this); -} - -ArrayBufferContents::ArrayBufferContents(void* data, size_t sizeInBytes, ArrayBufferDestructorFunction&& destructor) -: m_data(data, sizeInBytes) -, m_sizeInBytes(sizeInBytes) -{ -RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE); -m_destructor = WTFMove(destructor); -} - -ArrayBufferContents& ArrayBufferContents::operator=(ArrayBufferContents&& other) -{ -other.transferTo(*this); -return *this; -} - -ArrayBufferContents::~ArrayBufferContents() -{ -destroy(); -} - -void ArrayBufferContents::clear() -{ -destroy(); -reset(); -} - -void ArrayBufferContents::destroy() -{ -if (m_destructor) { -// FIXME: We shouldn't use getUnsafe here: https://bugs.webkit.org/show_bug.cgi?id=197698 -m_destructor->run(m_data.getUnsafe()); -} -} - -void ArrayBufferContents::reset() -{ -m_data = nullptr; -m_destructor = nullptr; -m_shared = nullptr; -m_sizeInBytes = 0; -} - void ArrayBufferContents::tryAllocate(size_t numElements, unsigned elementByteSize, InitializationPolicy policy) { CheckedSize sizeInBytes = numElements; 
@@ -143,17 +76,6 @@ m_destructor = nullptr; } -void ArrayBufferContents::transferTo(ArrayBufferContents& other) -{ -other.clear(); -other.m_data = m_data; -other.m_sizeInBytes = m_sizeInBytes; -RELEASE_ASSERT(other.m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE); -other.m_destructor = WTFMove(m_destructor); -other.m_shared = m_shared; -reset(); -} - void ArrayBufferContents::copyTo(ArrayBufferContents& other) { ASSERT(!other.m_data); @@ -285,9 +207,6 @@ ArrayBuffer::ArrayBuffer(ArrayBufferContents&& contents) : m_contents(WTFMove(contents)) -, m_pinCount(0) -,
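Review bot: The deleted `ArrayBufferContents(void*, size_t, ArrayBufferDestructorFunction&&)` constructor and `transferTo()` were the two places that enforced `RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE)` on a caller-supplied size, and the replacements that moved into ArrayBuffer.h are not part of this hunk. Please confirm the inline constructor (or the swap-based move path) still carries that release-mode bound; with it gone, a size above the cap would only be caught by whatever later consumers check. If it is kept in the header, a one-line comment there such as `// Size cap is enforced here for every externally supplied buffer; tryAllocate() checks its own computed size.` would make the single enforcement point easy to find. The tryAllocate() body that follows continues outside this hunk.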
[webkit-changes] [295258] trunk
Title: [295258] trunk Revision 295258 Author ysuz...@apple.com Date 2022-06-03 19:09:18 -0700 (Fri, 03 Jun 2022) Log Message [WTF] Handle "at" in Date parse heuristics to make Date picker work in CNBC.com https://bugs.webkit.org/show_bug.cgi?id=241258 rdar://93920424 Reviewed by Darin Adler. AppleICU changes Intl.DateTimeFormat's formatting result to align it to Apple HI. But we observed regression in CNBC.com since it reparses Intl.DateTimeFormat's string with Date constructor. Strictly speaking, there is no guarantee that code works. Date constructor's parsing is implementation-dependent, and the spec does not require that Intl.DateTimeFormat's output should be accepted by Date constructor. And this works only for English case anyway even before this AppleICU change: if date is formatted via `ja-JP`, then Date constructor does not accept it. But previously, this English case was working by chance, but now, new ICU format inserts "at" in the string, and it makes that string unaccepted in Date constructor. To workaround this web-compatibility issue, we extend our Date parsing heuristics to accept "at". This is OK since the goal of this heuristics is accepting wider range of date strings. Also it is OK that accepting English word "at" since this heuristics already handle weekday and month names in English. * JSTests/complex.yaml: * JSTests/complex/intl-date-time-format-date-parse.js: Added. (shouldBe): * Source/WTF/wtf/DateMath.cpp: (WTF::parseDateFromNullTerminatedCharacters): Canonical link: https://commits.webkit.org/251304@main Modified Paths trunk/JSTests/complex.yaml trunk/Source/WTF/wtf/DateMath.cpp Added Paths trunk/JSTests/complex/intl-date-time-format-date-parse.js Diff Added: trunk/JSTests/complex/intl-date-time-format-date-parse.js (0 => 295258) --- trunk/JSTests/complex/intl-date-time-format-date-parse.js (rev 0) +++ trunk/JSTests/complex/intl-date-time-format-date-parse.js 2022-06-04 02:09:18 UTC (rev 295258) 
@@ -0,0 +1,21 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error(`bad value: ${actual}, expected ${expected}`); +} + +let date = new Date(165419124); +let t = Intl.DateTimeFormat("en-US", { +timeZone: "America/New_York", +weekday: "short", +year: "numeric", +month: "short", +day: "numeric", +hour: "numeric", +minute: "numeric" +}).format(date); +let reparsed = new Date(t) +shouldBe(reparsed.getTime(), date.getTime()); + +// "at" case +shouldBe(new Date(`Thu, May 26, 2022, 6:27 PM`).getTime(), 165360402); +shouldBe(new Date(`Thu, May 26, 2022 at 6:27 PM`).getTime(), 165360402); Modified: trunk/JSTests/complex.yaml (295257 => 295258) --- trunk/JSTests/complex.yaml 2022-06-04 01:10:29 UTC (rev 295257) +++ trunk/JSTests/complex.yaml 2022-06-04 02:09:18 UTC (rev 295258) @@ -61,3 +61,6 @@ - path: complex/for-in-clobberize.js cmd: runComplexTest [], [], "", "--destroy-vm" + +- path: complex/intl-date-time-format-date-parse.js + cmd: runComplexTest [], [], "TZ=America/New_York" Modified: trunk/Source/WTF/wtf/DateMath.cpp (295257 => 295258) --- trunk/Source/WTF/wtf/DateMath.cpp 2022-06-04 01:10:29 UTC (rev 295257) +++ trunk/Source/WTF/wtf/DateMath.cpp 2022-06-04 02:09:18 UTC (rev 295258) @@ -836,7 +836,12 @@ year = std::nullopt; } else { // in the normal case (we parsed the year), advance to the next number -dateString = ++newPosStr; +// ' at 23:12:40 GMT' +if (isASCIISpace(newPosStr[0]) && isASCIIAlphaCaselessEqual(newPosStr[1], 'a') && isASCIIAlphaCaselessEqual(newPosStr[2], 't')) +newPosStr += 3; +else +++newPosStr; // space or comma +dateString = newPosStr; skipSpacesAndComments(dateString); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
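Review bot: The new three-character lookahead in the DateMath.cpp hunk (`newPosStr[0..2]`) is only in bounds because the input is NUL-terminated and `&&` short-circuits: `[1]` is read only after a non-NUL space, and `[2]` only after `[1]` matched 'a', so neither read can pass the terminator. That reasoning deserves a comment next to the condition, e.g. `// Bounded by the NUL terminator: each index is read only after the previous one matched a non-NUL character.`, since a future edit that reorders the tests or reads `[3]` would silently break it. Note also that nothing requires the "at" to end a word, so `2022 at6:27 PM` is accepted just like `2022 at 6:27 PM`; if the marker is meant to be standalone, `isASCIISpace(newPosStr[3])` would tighten it, though the heuristic is deliberately lenient. The enclosing parse function starts and ends outside this hunk.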
[webkit-changes] [295042] trunk/.clangd
Title: [295042] trunk/.clangd Revision 295042 Author ysuz...@apple.com Date 2022-05-30 21:50:57 -0700 (Mon, 30 May 2022) Log Message Clangd should always interpret headers as C++ https://bugs.webkit.org/show_bug.cgi?id=241118 Reviewed by Saam Barati. Attach `-xc++` flag to headers in .clangd to interpret all headers as C++ by default. * .clangd: Canonical link: https://commits.webkit.org/251137@main Modified Paths trunk/.clangd Diff Modified: trunk/.clangd (295041 => 295042) --- trunk/.clangd 2022-05-31 04:18:39 UTC (rev 295041) +++ trunk/.clangd 2022-05-31 04:50:57 UTC (rev 295042) @@ -1,7 +1,7 @@ If: PathMatch: [.*\.h] CompileFlags: -Add: [--include=config.h] +Add: [-xc++, --include=config.h] --- If: PathMatch: [.*\.cpp] ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295040] trunk/Source
Title: [295040] trunk/Source Revision 295040 Author ysuz...@apple.com Date 2022-05-30 21:13:54 -0700 (Mon, 30 May 2022) Log Message [JSC] Make VMEntryScope cheap https://bugs.webkit.org/show_bug.cgi?id=241091 Reviewed by Mark Lam. This patch makes VMEntryScope cheap. In some microbenchmarks, we observe repeated execution of VMEntryScope because of many ticks driven by microtasks. And currently VMEntryScope is designed to be non-cheap based on the assumption that this is not frequently executed. 1. We add isJSThread flag to Thread so that we can skip some of unnecessary initializations. 2. Appropriately set UNLIKELY / LIKELY for the major path. 3. Make DateCache::resetIfNecessary fast path inlined. ToT Time(doxbee-async-es2017-native): 24 ms. Time(doxbee-promises-es2015-native): 44.9 ms. Time(fibonacci-async-es2017-native): 197.6 ms. Time(parallel-async-es2017-native): 109.1 ms. Time(parallel-promises-es2015-native): 80.4 ms. Patched Time(doxbee-async-es2017-native): 21.4 ms. Time(doxbee-promises-es2015-native): 36.4 ms. Time(fibonacci-async-es2017-native): 168.1 ms. Time(parallel-async-es2017-native): 103.7 ms. Time(parallel-promises-es2015-native): 70.9 ms. * Source/_javascript_Core/runtime/JSDateMath.cpp: (JSC::DateCache::resetIfNecessarySlow): (JSC::DateCache::resetIfNecessary): Deleted. 
* Source/_javascript_Core/runtime/JSDateMath.h: (JSC::DateCache::resetIfNecessary): * Source/_javascript_Core/runtime/VM.h: (JSC::VM::firePrimitiveGigacageEnabledIfNecessary): * Source/_javascript_Core/runtime/VMEntryScope.cpp: (JSC::VMEntryScope::VMEntryScope): (JSC::VMEntryScope::~VMEntryScope): * Source/WTF/wtf/Threading.cpp: (WTF::Thread::registerJSThread): * Source/WTF/wtf/Threading.h: Canonical link: https://commits.webkit.org/251135@main Modified Paths trunk/Source/_javascript_Core/runtime/JSDateMath.cpp trunk/Source/_javascript_Core/runtime/JSDateMath.h trunk/Source/_javascript_Core/runtime/VM.h trunk/Source/_javascript_Core/runtime/VMEntryScope.cpp trunk/Source/WTF/wtf/Threading.cpp trunk/Source/WTF/wtf/Threading.h Diff Modified: trunk/Source/_javascript_Core/runtime/JSDateMath.cpp (295039 => 295040) --- trunk/Source/_javascript_Core/runtime/JSDateMath.cpp 2022-05-31 01:26:39 UTC (rev 295039) +++ trunk/Source/_javascript_Core/runtime/JSDateMath.cpp 2022-05-31 04:13:54 UTC (rev 295040) @@ -100,7 +100,7 @@ namespace JSC { #if PLATFORM(COCOA) -static std::atomic lastTimeZoneID { 1 }; +std::atomic lastTimeZoneID { 1 }; #endif #if HAVE(ICU_C_TIMEZONE_API) @@ -470,14 +470,8 @@ #endif } -void DateCache::resetIfNecessary() +void DateCache::resetIfNecessarySlow() { -#if PLATFORM(COCOA) -if (m_cachedTimezoneID == lastTimeZoneID) -return; -m_cachedTimezoneID = lastTimeZoneID; -#endif - // FIXME: We should clear it only when we know the timezone has been changed on Non-Cocoa platforms. // https://bugs.webkit.org/show_bug.cgi?id=218365 m_timeZoneCache.reset(); Modified: trunk/Source/_javascript_Core/runtime/JSDateMath.h (295039 => 295040) --- trunk/Source/_javascript_Core/runtime/JSDateMath.h 2022-05-31 01:26:39 UTC (rev 295039) +++ trunk/Source/_javascript_Core/runtime/JSDateMath.h 2022-05-31 04:13:54 UTC (rev 295040) 
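Review bot: Dropping `static` from `lastTimeZoneID` turns a file-local counter into a library-wide mutable global (the header hunk exports it with `JS_EXPORT_PRIVATE`), and the hunk gives no hint of who writes it or what its value means. Since every `DateCache` now compares against it inline, a comment at the definition should pin the contract, along the lines of `// Presumably bumped from the time-zone-change notification; DateCache instances compare against it to decide when to flush. Only ever incremented - TODO confirm writer.`, with the hedge removed once the writer is confirmed. The writer itself is outside this hunk.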
@@ -54,6 +54,10 @@ static constexpr double minECMAScriptTime = -8.64E15; +#if PLATFORM(COCOA) +extern JS_EXPORT_PRIVATE std::atomic lastTimeZoneID; +#endif + // We do not expose icu::TimeZone in this header file. And we cannot use icu::TimeZone forward declaration // because icu namespace can be an alias to icu$verNum namespace. struct OpaqueICUTimeZoneDeleter { @@ -77,8 +81,18 @@ DateCache(); ~DateCache(); -JS_EXPORT_PRIVATE void resetIfNecessary(); +void resetIfNecessary() +{ +#if PLATFORM(COCOA) +if (LIKELY(m_cachedTimezoneID == lastTimeZoneID)) +return; +m_cachedTimezoneID = lastTimeZoneID; +#endif +resetIfNecessarySlow(); +} +JS_EXPORT_PRIVATE void resetIfNecessarySlow(); + String defaultTimeZone(); String timeZoneDisplayName(bool isDST); Ref cachedDateInstanceData(double millisecondsFromEpoch); Modified: trunk/Source/_javascript_Core/runtime/VM.h (295039 => 295040) --- trunk/Source/_javascript_Core/runtime/VM.h 2022-05-31 01:26:39 UTC (rev 295039) +++ trunk/Source/_javascript_Core/runtime/VM.h 2022-05-31 04:13:54 UTC (rev 295040) @@ -662,7 +662,7 @@ void firePrimitiveGigacageEnabledIfNecessary() { -if (m_needToFirePrimitiveGigacageEnabled) { +if (UNLIKELY(m_needToFirePrimitiveGigacageEnabled)) { m_needToFirePrimitiveGigacageEnabled = false; m_primitiveGigacageEnabled.fireAll(*this, "Primitive gigacage disabled asynchronously"); } Modified: trunk/Source/_javascript_Core/runtime/VMEntryScope.cpp (295039 => 295040) --- trunk/Source/_javascript_Core/runtime/VMEntryScope.cpp 2022-05-31 01:26:39 UTC (rev 295039) +++
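Review bot: The inlined `DateCache::resetIfNecessary()` reads the atomic `lastTimeZoneID` twice, once in the `LIKELY` compare and again when storing into `m_cachedTimezoneID`, so the value cached is not necessarily the one that was compared, and each read is a default seq_cst load on what is meant to be the hot path. Loading it once is both cheaper and easier to reason about: `const auto latestID = lastTimeZoneID.load(); if (LIKELY(m_cachedTimezoneID == latestID)) return; m_cachedTimezoneID = latestID;` before the `resetIfNecessarySlow()` call. The behavior is the same either way, since the slow reset runs after the store, but a single load makes the compare-then-cache pair consistent by construction.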
[webkit-changes] [295036] trunk/Source/JavaScriptCore/heap
Title: [295036] trunk/Source/_javascript_Core/heap Revision 295036 Author ysuz...@apple.com Date 2022-05-30 16:41:10 -0700 (Mon, 30 May 2022) Log Message [JSC] Make Strong::set cheap https://bugs.webkit.org/show_bug.cgi?id=241090 Reviewed by Mark Lam. HandleSet::writeBarrier is frequently called because it is called every time we set a value in Strong<>. This patch optimizes it, 1. We should make it inline function since it has a super fast path major use can be covered. And this function is small. 2. We should not always remove a node from the list first. We should insert / remove it only when necessary. 3. Remove m_immediateList since it is not necessary. 4. Make HandleNode as a derived class of BasicRawSentinelNode to make implementation simpler. This change improves promise benchmarks score since promise uses microtasks which hold values via Strong<>. ToT Time(doxbee-async-bluebird): 42.8 ms. Time(doxbee-async-es2017-babel): 36.4 ms. Time(doxbee-async-es2017-native): 28.3 ms. Time(doxbee-promises-bluebird): 514.2 ms. Time(doxbee-promises-es2015-native): 44.8 ms. Time(fibonacci-async-es2017-babel): 380.5 ms. Time(fibonacci-async-es2017-native): 218.2 ms. Time(parallel-async-bluebird): 648.8 ms. Time(parallel-async-es2017-babel): 116.9 ms. Time(parallel-async-es2017-native): 115.6 ms. Time(parallel-promises-bluebird): 638 ms. Time(parallel-promises-es2015-native): 82 ms. Patched Time(doxbee-async-bluebird): 38 ms. Time(doxbee-async-es2017-babel): 27 ms. Time(doxbee-async-es2017-native): 19.5 ms. Time(doxbee-promises-bluebird): 508.3 ms. Time(doxbee-promises-es2015-native): 33.3 ms. Time(fibonacci-async-es2017-babel): 349.1 ms. Time(fibonacci-async-es2017-native): 151 ms. Time(parallel-async-bluebird): 639.6 ms. Time(parallel-async-es2017-babel): 100.9 ms. Time(parallel-async-es2017-native): 101.9 ms. Time(parallel-promises-bluebird): 614 ms. Time(parallel-promises-es2015-native): 70.9 ms. 
* Source/_javascript_Core/heap/HandleSet.cpp: (JSC::HandleSet::writeBarrier): Deleted. * Source/_javascript_Core/heap/HandleSet.h: (JSC::HandleSet::heapFor): (JSC::HandleSet::allocate): (JSC::HandleSet::deallocate): (JSC::HandleSet::writeBarrier): (JSC::HandleSet::toHandle): Deleted. (JSC::HandleSet::toNode): Deleted. (JSC::HandleNode::HandleNode): Deleted. (JSC::HandleNode::setPrev): Deleted. (JSC::HandleNode::prev): Deleted. (JSC::HandleNode::setNext): Deleted. (JSC::HandleNode::next): Deleted. * Source/_javascript_Core/heap/Strong.h: (JSC::Strong::set): Canonical link: https://commits.webkit.org/251131@main Modified Paths trunk/Source/_javascript_Core/heap/HandleSet.cpp trunk/Source/_javascript_Core/heap/HandleSet.h trunk/Source/_javascript_Core/heap/Strong.h Diff Modified: trunk/Source/_javascript_Core/heap/HandleSet.cpp (295035 => 295036) --- trunk/Source/_javascript_Core/heap/HandleSet.cpp 2022-05-30 22:10:58 UTC (rev 295035) +++ trunk/Source/_javascript_Core/heap/HandleSet.cpp 2022-05-30 23:41:10 UTC (rev 295036) @@ -70,27 +70,6 @@ template void HandleSet::visitStrongHandles(AbstractSlotVisitor&); template void HandleSet::visitStrongHandles(SlotVisitor&); -void HandleSet::writeBarrier(HandleSlot slot, const JSValue& value) -{ -if (!value == !*slot && slot->isCell() == value.isCell()) -return; - -Node* node = toNode(slot); -#if ENABLE(GC_VALIDATION) -RELEASE_ASSERT(isLiveNode(node)); -#endif -SentinelLinkedList::remove(node); -if (!value || !value.isCell()) { -m_immediateList.push(node); -return; -} - -m_strongList.push(node); -#if ENABLE(GC_VALIDATION) -RELEASE_ASSERT(isLiveNode(node)); -#endif -} - unsigned HandleSet::protectedGlobalObjectCount() { unsigned count = 0; Modified: trunk/Source/_javascript_Core/heap/HandleSet.h (295035 => 295036) --- trunk/Source/_javascript_Core/heap/HandleSet.h 2022-05-30 22:10:58 UTC (rev 295035) +++ trunk/Source/_javascript_Core/heap/HandleSet.h 2022-05-30 23:41:10 UTC (rev 295036) 
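Review bot: The removed out-of-line `HandleSet::writeBarrier` carried two `RELEASE_ASSERT(isLiveNode(node))` checks under `ENABLE(GC_VALIDATION)`, and the inline replacement in HandleSet.h is not in this hunk, so it is not visible whether they survived the move. Those checks are the only guard against a stale or foreign `HandleSlot` being linked into `m_strongList`, which the collector then walks; if they were dropped for the fast path, it would be worth keeping at least the one before the push, or noting in the header that GC validation no longer covers this barrier. Please confirm which it is.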
@@ -39,24 +39,20 @@ class VM; class JSValue; -class HandleNode { +class HandleNode final : public BasicRawSentinelNode { public: -HandleNode(WTF::SentinelTag); -HandleNode(); +HandleNode() = default; HandleSlot slot(); HandleSet* handleSet(); -void setPrev(HandleNode*); -HandleNode* prev(); +static HandleNode* toHandleNode(HandleSlot slot) +{ +return bitwise_cast(bitwise_cast(slot) - OBJECT_OFFSETOF(HandleNode, m_value)); +} -void setNext(HandleNode*); -HandleNode* next(); - private: -JSValue m_value; -HandleNode* m_prev; -HandleNode* m_next; +JSValue m_value { }; }; class HandleSet { @@ -74,7 +70,8 @@ template void visitStrongHandles(Visitor&); -JS_EXPORT_PRIVATE void writeBarrier(HandleSlot,
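Review bot: `HandleNode::toHandleNode` recovers a node by subtracting `OBJECT_OFFSETOF(HandleNode, m_value)` from an arbitrary `HandleSlot`, which is only correct for a slot that actually lives inside a `HandleNode`; the signature does not say so, and a `JSValue*` from anywhere else would yield a bogus node that is then linked into the sentinel list. A doc comment on the function should spell that out: `// Recovers the owning node from its value slot. Only valid for a HandleSlot returned by HandleNode::slot() (presumably &m_value); any other JSValue* produces a garbage node.` The class is now `final` and derives from `BasicRawSentinelNode`, so the offset computation also relies on that base staying first and empty-ish - worth a sentence in the same comment if that is an assumption rather than a guarantee.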
[webkit-changes] [295023] trunk/Source/WTF/wtf/CompactPtr.h
Title: [295023] trunk/Source/WTF/wtf/CompactPtr.h Revision 295023 Author ysuz...@apple.com Date 2022-05-30 03:02:22 -0700 (Mon, 30 May 2022) Log Message Unreviewed, build fix for iOS debug build * Source/WTF/wtf/CompactPtr.h: (WTF::CompactPtr::encode): (WTF::CompactPtr::decode): (WTF::CompactPtr::decode const): Deleted. Canonical link: https://commits.webkit.org/251118@main Modified Paths trunk/Source/WTF/wtf/CompactPtr.h Diff Modified: trunk/Source/WTF/wtf/CompactPtr.h (295022 => 295023) --- trunk/Source/WTF/wtf/CompactPtr.h 2022-05-30 10:00:00 UTC (rev 295022) +++ trunk/Source/WTF/wtf/CompactPtr.h 2022-05-30 10:02:22 UTC (rev 295023) @@ -169,13 +169,13 @@ set(t1); } -static ALWAYS_INLINE constexpr StorageType encode(T* ptr) +static ALWAYS_INLINE StorageType encode(T* ptr) { uintptr_t intPtr = bitwise_cast(ptr); #if HAVE(36BIT_ADDRESS) -ASSERT_UNDER_CONSTEXPR_CONTEXT(!(intPtr & alignmentMask)); -StorageType encoded = static_cast(intPtr >> bitsShift); -ASSERT_UNDER_CONSTEXPR_CONTEXT(decode(encoded) == ptr); +ASSERT(!(intPtr & alignmentMask)); +StorageType encoded = static_cast(intPtr >> bitsShift); +ASSERT(decode(encoded) == ptr); return encoded; #else return intPtr; @@ -182,12 +182,12 @@ #endif } -ALWAYS_INLINE constexpr T* decode(const StorageType& ptr) const +static ALWAYS_INLINE T* decode(StorageType ptr) { #if HAVE(36BIT_ADDRESS) -return reinterpret_cast(static_cast(ptr) << bitsShift); +return bitwise_cast(static_cast(ptr) << bitsShift); #else -return reinterpret_cast(ptr); +return bitwise_cast(ptr); #endif } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
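Review bot: Both invariant checks in `encode()` on the `HAVE(36BIT_ADDRESS)` path are debug-only `ASSERT`s, so in a release build a pointer with non-zero `alignmentMask` bits, or bits above what `StorageType` holds after the shift, is silently truncated by `static_cast(intPtr >> bitsShift)` and `decode()` hands back a different address. If that is acceptable because every pointer stored here comes from an allocator that guarantees the alignment and address range, a comment at the top of `encode()` should say so, e.g. `// Release builds trust the allocator's alignment and 36-bit address guarantee; a violation here silently corrupts the pointer rather than failing.` If the guarantee is not absolute for every `T` this template is instantiated with, the round-trip check `decode(encoded) == ptr` is cheap enough to consider as a `RELEASE_ASSERT`.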
[webkit-changes] [295022] trunk/Source/JavaScriptCore/runtime
Title: [295022] trunk/Source/_javascript_Core/runtime Revision 295022 Author ysuz...@apple.com Date 2022-05-30 03:00:00 -0700 (Mon, 30 May 2022) Log Message [JSC] Shrink BrandedStructure https://bugs.webkit.org/show_bug.cgi?id=241092 Reviewed by Mark Lam. Use CompactRefPtr and WriteBarrierStructureID to shrink sizeof(BrandedStructure) from 112 to 104. While it is not enough for 32byte alignment, anyway we can make it smaller, and if we make it 8byte smaller further, it will become 96bytes. * Source/_javascript_Core/runtime/BrandedStructure.cpp: (JSC::BrandedStructure::BrandedStructure): * Source/_javascript_Core/runtime/BrandedStructure.h: Canonical link: https://commits.webkit.org/251117@main Modified Paths trunk/Source/_javascript_Core/runtime/BrandedStructure.cpp trunk/Source/_javascript_Core/runtime/BrandedStructure.h Diff Modified: trunk/Source/_javascript_Core/runtime/BrandedStructure.cpp (295021 => 295022) --- trunk/Source/_javascript_Core/runtime/BrandedStructure.cpp 2022-05-30 08:29:03 UTC (rev 295021) +++ trunk/Source/_javascript_Core/runtime/BrandedStructure.cpp 2022-05-30 10:00:00 UTC (rev 295022) @@ -36,7 +36,7 @@ , m_brand(brandUid) { if (previous->isBrandedStructure()) -m_parentBrand.set(vm, this, jsCast(previous)); +m_parentBrand.set(vm, this, previous); this->setIsBrandedStructure(true); } @@ -43,7 +43,7 @@ BrandedStructure::BrandedStructure(VM& vm, BrandedStructure* previous) : Structure(vm, previous) , m_brand(previous->m_brand) -, m_parentBrand(vm, this, previous->m_parentBrand.get(), WriteBarrier::MayBeNull) +, m_parentBrand(vm, this, previous->m_parentBrand.get(), WriteBarrierStructureID::MayBeNull) { this->setIsBrandedStructure(true); } Modified: trunk/Source/_javascript_Core/runtime/BrandedStructure.h (295021 => 295022) --- trunk/Source/_javascript_Core/runtime/BrandedStructure.h 2022-05-30 08:29:03 UTC (rev 295021) +++ trunk/Source/_javascript_Core/runtime/BrandedStructure.h 2022-05-30 10:00:00 UTC (rev 295022) 
@@ -53,7 +53,7 @@ ALWAYS_INLINE bool checkBrand(Symbol* brand) { UniquedStringImpl* brandUid = >uid(); -for (BrandedStructure* currentStructure = this; currentStructure; currentStructure = currentStructure->m_parentBrand.get()) { +for (BrandedStructure* currentStructure = this; currentStructure; currentStructure = jsCast(currentStructure->m_parentBrand.get())) { if (brandUid == currentStructure->m_brand) return true; } @@ -78,8 +78,8 @@ m_brand = nullptr; } -RefPtr m_brand; -WriteBarrier m_parentBrand; +CompactRefPtr m_brand; +WriteBarrierStructureID m_parentBrand; friend class Structure; }; ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
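Review bot: With `m_parentBrand` now a `WriteBarrierStructureID`, the `jsCast` in `checkBrand` is the only thing asserting that the parent is a `BrandedStructure`, and as far as I recall `jsCast` only checks that in debug builds; the guarantee that used to come from the typed `WriteBarrier` now rests on the constructor in BrandedStructure.cpp, which stores `previous` only when `previous->isBrandedStructure()`. That invariant should be written down next to the member so the next edit to the constructor does not break it silently: `// Always null or a BrandedStructure: the constructor stores previous only when previous->isBrandedStructure().` The `checkBrand` loop also tolerates a null `get()` at the top of the chain, which is presumably the intended terminator.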
[webkit-changes] [295011] trunk
Title: [295011] trunk Revision 295011 Author ysuz...@apple.com Date 2022-05-29 01:14:12 -0700 (Sun, 29 May 2022) Log Message [JSC] Async / Await should not wrap awaited value with one tick https://bugs.webkit.org/show_bug.cgi?id=241072 Reviewed by Saam Barati. This patch integrates spec change[1], which removes one level tick count when resolving promise with await. Previously, regardless of whether the value is promise or not, we are always using resolveWithoutPromise, but it introduces one tick before the handlers are resolved. The spec change makes it that we can call performPromiseThen directly if the input value is promise, so we can skip one tick which looks up "then" and register handlers. This is beneficial for await performance and it also fixes a bug tested via test262 and attached test due to the spec change. We observed performance improvement in async + native promise tests. ToT Time(doxbee-async-es2017-native): 35.6 ms. Time(fibonacci-async-es2017-native): 292.3 ms. Time(parallel-async-es2017-native): 117.3 ms. Patched Time(doxbee-async-es2017-native): 24.2 ms. Time(fibonacci-async-es2017-native): 198.1 ms. Time(parallel-async-es2017-native): 109.5 ms. [1]: https://github.com/tc39/ecma262/pull/1250 * JSTests/stress/async-await-basic.js: * JSTests/stress/async-await-tick-count.js: Added. 
(shouldBe): (async returnDirectPrimitive): (async returnAwaitPrimitive): (async returnDirectPromisePrimitive): (async returnAwaitPromisePrimitive): (async test): (async tests): (globalThis.setUnhandledRejectionCallback.setUnhandledRejectionCallback): * JSTests/test262/expectations.yaml: * LayoutTests/inspector/canvas/recording-bitmaprenderer-frameCount-expected.txt: * LayoutTests/inspector/canvas/recording-bitmaprenderer-full-expected.txt: * LayoutTests/inspector/canvas/recording-bitmaprenderer-memoryLimit-expected.txt: * LayoutTests/inspector/console/message-stack-trace-expected.txt: * Source/_javascript_Core/builtins/AsyncFromSyncIteratorPrototype.js: * Source/_javascript_Core/builtins/AsyncFunctionPrototype.js: (globalPrivate.asyncFunctionResume): * Source/_javascript_Core/builtins/AsyncGeneratorPrototype.js: (globalPrivate.awaitValue): (globalPrivate.asyncGeneratorResumeNext): * Source/_javascript_Core/builtins/PromiseOperations.js: (globalPrivate.newPromiseCapabilitySlow): (globalPrivate.promiseResolve): (globalPrivate.promiseResolveSlow): (globalPrivate.promiseRejectSlow): (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck): (globalPrivate.fulfillPromiseWithFirstResolvingFunctionCallCheck): (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck): (globalPrivate.resolveWithoutPromiseForAsyncAwait): Canonical link: https://commits.webkit.org/251106@main Modified Paths trunk/JSTests/stress/async-await-basic.js trunk/JSTests/test262/expectations.yaml trunk/LayoutTests/inspector/canvas/recording-bitmaprenderer-frameCount-expected.txt trunk/LayoutTests/inspector/canvas/recording-bitmaprenderer-full-expected.txt trunk/LayoutTests/inspector/canvas/recording-bitmaprenderer-memoryLimit-expected.txt trunk/LayoutTests/inspector/console/message-stack-trace-expected.txt trunk/Source/_javascript_Core/builtins/AsyncFromSyncIteratorPrototype.js trunk/Source/_javascript_Core/builtins/AsyncFunctionPrototype.js 
trunk/Source/_javascript_Core/builtins/AsyncGeneratorPrototype.js trunk/Source/_javascript_Core/builtins/PromiseOperations.js Added Paths trunk/JSTests/stress/async-await-tick-count.js Diff Modified: trunk/JSTests/stress/async-await-basic.js (295010 => 295011) --- trunk/JSTests/stress/async-await-basic.js 2022-05-29 07:57:37 UTC (rev 295010) +++ trunk/JSTests/stress/async-await-basic.js 2022-05-29 08:14:12 UTC (rev 295011) @@ -332,4 +332,4 @@ awaitedPromisesAreWrapped(); Promise.resolve().then(() => log.push("Promise.resolve()")); drainMicrotasks(); -shouldBe("before|Promise.resolve()|after", log.join("|")); \ No newline at end of file +shouldBe("before|after|Promise.resolve()", log.join("|")); Added: trunk/JSTests/stress/async-await-tick-count.js (0 => 295011) --- trunk/JSTests/stress/async-await-tick-count.js (rev 0) +++ trunk/JSTests/stress/async-await-tick-count.js 2022-05-29 08:14:12 UTC (rev 295011) @@ -0,0 +1,60 @@ +if (globalThis.console) +globalThis.print = console.log.bind(console); + +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} + +async function returnDirectPrimitive() { +return 1; +} + +async function returnAwaitPrimitive() { +return await 1; +} + +async function returnDirectPromisePrimitive() { +return Promise.resolve(1); +} + +async function returnAwaitPromisePrimitive() { +return await Promise.resolve(1); +} + +const resolved = Promise.resolve(); + +async function test(fn, expected) { +let done = false; +let count = 0; +fn().then(() => { done = true; }); + +function counter() {
[webkit-changes] [295002] trunk/Source
Title: [295002] trunk/Source Revision 295002 Author ysuz...@apple.com Date 2022-05-28 10:44:38 -0700 (Sat, 28 May 2022) Log Message Unreviewed, revert "[Xcode] Compute PGO profdata paths instead of searching for them at build time" This reverts commit 6dfb5dc2b3bcd083231cee3cacc599ca7f76998b because of Speedometer2 3% regression. Probably breaking PGO build. Canonical link: https://commits.webkit.org/251100@main Modified Paths trunk/Source/_javascript_Core/Configurations/_javascript_Core.xcconfig trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/WebCore/Configurations/WebCore.xcconfig trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj trunk/Source/WebKit/Configurations/BaseTarget.xcconfig trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj Removed Paths trunk/Source/_javascript_Core/Scripts/copy-profiling-data.sh Diff Modified: trunk/Source/_javascript_Core/Configurations/_javascript_Core.xcconfig (295001 => 295002) --- trunk/Source/_javascript_Core/Configurations/_javascript_Core.xcconfig 2022-05-28 16:31:20 UTC (rev 295001) +++ trunk/Source/_javascript_Core/Configurations/_javascript_Core.xcconfig 2022-05-28 17:44:38 UTC (rev 295002) 
@@ -40,11 +40,6 @@ SECTORDER_FLAGS_Production[sdk=iphoneos*] = -Wl,-order_file,$(SDKROOT)/AppleInternal/OrderFiles/_javascript_Core.order; SECTORDER_FLAGS_Production[sdk=macosx*] = -Wl,-order_file,_javascript_Core.order; -PROFILE_DATA_PATH = $(PROFILE_DATA_PATH_INTERNAL_$(USE_INTERNAL_SDK)); -PROFILE_DATA_PATH_INTERNAL_ = $(SRCROOT)/../../Tools/Profiling/Empty.profdata; -PROFILE_DATA_PATH_INTERNAL_YES = $(BUILT_PRODUCTS_DIR)/usr/local/include/WebKitAdditions/Profiling/_javascript_Core.profdata.compressed; -PROFILE_DATA_PATH_INTERNAL_YES[config=Production] = $(SDK_DIR)/usr/local/include/WebKitAdditions/Profiling/_javascript_Core.profdata.compressed; - PROFILE_DATA_FLAGS_ENABLED = -fprofile-instr-use=$(BUILT_PRODUCTS_DIR)/DerivedSources/_javascript_Core/_javascript_Core.profdata; PROFILE_DATA_FLAGS = $(PROFILE_DATA_FLAGS_$(CONFIGURATION)_$(WK_PLATFORM_NAME)); Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (295001 => 295002) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2022-05-28 16:31:20 UTC (rev 295001) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2022-05-28 17:44:38 UTC (rev 295002) 
@@ -1827,7 +1827,6 @@ DD41FA8627CDAD3200394D95 /* LowLevelInterpreter.asm in Sources */ = {isa = PBXBuildFile; fileRef = 86A054461556451B00445157 /* LowLevelInterpreter.asm */; }; DD41FA8727CDAD4300394D95 /* LowLevelInterpreter.asm in Sources */ = {isa = PBXBuildFile; fileRef = 86A054461556451B00445157 /* LowLevelInterpreter.asm */; }; DD41FA8927CDDDEF00394D95 /* LowLevelInterpreter.asm in Sources */ = {isa = PBXBuildFile; fileRef = 86A054461556451B00445157 /* LowLevelInterpreter.asm */; }; - DD5F74F9283EF58D0027A8C6 /* copy-profiling-data.sh in Headers */ = {isa = PBXBuildFile; fileRef = DD5F74F8283EF4380027A8C6 /* copy-profiling-data.sh */; settings = {ATTRIBUTES = (Private, ); }; }; DDB04F41278E569A008D3678 /* libWTF.a in Product Dependencies */ = {isa = PBXBuildFile; fileRef = 1498CAD3214656C400710879 /* libWTF.a */; }; DDB04F42278E56A2008D3678 /* libWTF.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1498CAD3214656C400710879 /* libWTF.a */; }; DDE99310278D087D00F60D26 /* libWebKitAdditions.a in Product Dependencies */ = {isa = PBXBuildFile; fileRef = DDE9930E278D086600F60D26 /* libWebKitAdditions.a */; }; 
@@ -5254,7 +5253,6 @@ DCF3D5681CD29468003D5C65 /* LazyPropertyInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LazyPropertyInlines.h; sourceTree = ""; }; DCFDFBD71D1F5D9800FE3D72 /* B3BottomProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3BottomProvider.h; path = b3/B3BottomProvider.h; sourceTree = ""; }; DCFDFBD81D1F5D9800FE3D72 /* B3TypeMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3TypeMap.h; path = b3/B3TypeMap.h; sourceTree = ""; }; - DD5F74F8283EF4380027A8C6 /* copy-profiling-data.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = "copy-profiling-data.sh"; sourceTree = ""; }; DDE9930E278D086600F60D26 /* libWebKitAdditions.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libWebKitAdditions.a; sourceTree = BUILT_PRODUCTS_DIR; }; DE26E9021CB5DD0500D2BE82 /* BuiltinExecutableCreator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BuiltinExecutableCreator.h; sourceTree = ""; }; DE26E9061CB5DD9600D2BE82 /* BuiltinExecutableCreator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = BuiltinExecutableCreator.cpp; sourceTree = ""; }; @@ -9139,7 +9137,6 @@ children = (
[webkit-changes] [294619] trunk
Title: [294619] trunk Revision 294619 Author ysuz...@apple.com Date 2022-05-22 03:00:56 -0700 (Sun, 22 May 2022) Log Message Clear StructureCache if it has Structure with relevant JSGlobalObjects https://bugs.webkit.org/show_bug.cgi?id=240768 rdar://93232129 Reviewed by Saam Barati. We need to clear Structures in StructureCache when having-a-bad-time: it is possible that Structure could have this have-a-bad-time relevant JSGlobalObjects in its prototype chain. We are clearing it for InternalFunction's allocation cache. We should do the same thing for JSGlobalObject's StructureCache. This patch adds new watchpoint, structureCacheClearedWatchpoint. And use it in DFG. This watchpoint fires when the cache is cleared, and it can happen even though JSGlobalObject is not getting have-a-bad-time. * JSTests/stress/global-object-have-a-bad-time-dependency.js: Added. (shouldBe): (cons): * Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * Source/_javascript_Core/runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject): (JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut): (JSC::JSGlobalObject::clearStructureCache): * Source/_javascript_Core/runtime/JSGlobalObject.h: (JSC::JSGlobalObject::structureCacheClearedWatchpoint): (JSC::JSGlobalObject::isStructureCacheCleared const): * Source/_javascript_Core/runtime/StructureCache.h: (JSC::StructureCache::forEach): * Source/_javascript_Core/runtime/WeakGCMap.h: Canonical link: https://commits.webkit.org/250845@main Modified Paths trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/dfg/DFGGraph.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 
trunk/Source/_javascript_Core/runtime/StructureCache.h trunk/Source/_javascript_Core/runtime/WeakGCMap.h trunk/Source/_javascript_Core/runtime/WeakGCMapInlines.h Added Paths trunk/JSTests/stress/global-object-have-a-bad-time-dependency.js Diff Added: trunk/JSTests/stress/global-object-have-a-bad-time-dependency.js (0 => 294619) --- trunk/JSTests/stress/global-object-have-a-bad-time-dependency.js (rev 0) +++ trunk/JSTests/stress/global-object-have-a-bad-time-dependency.js 2022-05-22 10:00:56 UTC (rev 294619) @@ -0,0 +1,30 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} + +const alien_global_object = createGlobalObject(); + +const a = {}; +const b = alien_global_object.Object(); + +a.__proto__ = b; + +function cons() { + +} + +cons.prototype = a; + +// Cache +Reflect.construct(Array, [1.1, 2.2, 3.3], cons); + +// Clear rareData to avoid the check in ObjectsWithBrokenIndexingFinder::visit(JSObject* object). +cons.prototype = null; +cons.prototype = a; + +// Have a bad time. +b.__proto__ = new Proxy({}, {}); + +// This will create a double array having a Proxy object in its prototype chain. +shouldBe(!!describe(Reflect.construct(Array, [1.1, 2.2, 3.3], cons)).match(/ArrayWithSlowPutArrayStorage/), true); Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (294618 => 294619) --- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2022-05-22 02:34:32 UTC (rev 294618) +++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2022-05-22 10:00:56 UTC (rev 294619) 
@@ -3134,14 +3134,8 @@
structure = globalObject->nullPrototypeObjectStructure();
else if (base.isObject()) {
// Having a bad time clears the structureCache, and so it should invalidate this structure.
-bool isHavingABadTime = globalObject->isHavingABadTime();
-// Normally, we would always install a watchpoint. In this case, however, if we haveABadTime, we
-// still want to optimize. There is no watchpoint for that case though, so we need to make sure this load
-// does not get hoisted above the check.
-WTF::loadLoadFence();
-if (!isHavingABadTime)
-m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
-structure = globalObject->structureCache().emptyObjectStructureConcurrently(base.getObject(), JSFinalObject::defaultInlineCapacity);
+if (m_graph.isWatchingStructureCacheClearedWatchpoint(globalObject))
+structure = globalObject->structureCache().emptyObjectStructureConcurrently(base.getObject(), JSFinalObject::defaultInlineCapacity);
}
if (structure) {
Modified: trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (294618 => 294619)
---
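Review bot: The surviving context comment `// Having a bad time clears the structureCache, and so it should invalidate this structure.` is now narrower than the condition below it: per the commit description the new watchpoint fires on any `clearStructureCache()`, not only on having a bad time, so it should read `// Any clear of the structureCache (having a bad time is one cause) invalidates this structure, so only consult the cache while we are watching structureCacheClearedWatchpoint.` It is also worth confirming that `isWatchingStructureCacheClearedWatchpoint` registers the watchpoint with `m_graph.watchpoints()` lazily, as the removed `addLazily` call did explicitly; if it merely reports the watchpoint's state, the cached structure is read with no compile-time dependency guarding it. Dropping `WTF::loadLoadFence()` is sound only if that check itself orders the subsequent cache read, which appears to be the intent. `executeEffects` continues outside this hunk.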
[webkit-changes] [294539] trunk/Source/WTF/wtf/win/ThreadingWin.cpp
Title: [294539] trunk/Source/WTF/wtf/win/ThreadingWin.cpp Revision 294539 Author ysuz...@apple.com Date 2022-05-20 02:16:59 -0700 (Fri, 20 May 2022) Log Message [Win] Destroy Thread::ClientData only when thread TLS is initialized https://bugs.webkit.org/show_bug.cgi?id=240707 Reviewed by Mark Lam. Move destruction under if (thread) check. * Source/WTF/wtf/win/ThreadingWin.cpp: (WTF::Thread::ThreadHolder::~ThreadHolder): Canonical link: https://commits.webkit.org/250793@main Modified Paths trunk/Source/WTF/wtf/win/ThreadingWin.cpp Diff Modified: trunk/Source/WTF/wtf/win/ThreadingWin.cpp (294538 => 294539)
--- trunk/Source/WTF/wtf/win/ThreadingWin.cpp 2022-05-20 09:16:13 UTC (rev 294538)
+++ trunk/Source/WTF/wtf/win/ThreadingWin.cpp 2022-05-20 09:16:59 UTC (rev 294539)
@@ -269,8 +269,8 @@
// deadlock.
if (isMainThread())
return;
-thread->m_clientData = nullptr;
if (thread) {
+thread->m_clientData = nullptr;
thread->specificStorage().destroySlots();
thread->didExit();
}
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
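Review bot: The order of the three statements inside `if (thread)` is now load-bearing but uncommented: `m_clientData` is reset first so that the ClientData destructor runs while `thread` and its TLS slots are still alive, before `destroySlots()` and `didExit()` tear them down — r294213's description says ClientData (ThreadGlobalData) must be destroyed before `Thread::current()` is fully cleared because its contents touch thread-local state. Suggest `// Release ClientData before thread-specific storage is destroyed: its destructor may still need Thread::current().` above the reset so the next refactor does not reorder it. The `isMainThread()` early return means the main thread's ClientData is never released here, which looks deliberate given the deadlock comment but could be stated. `~ThreadHolder` starts outside the hunk.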
[webkit-changes] [294433] trunk/Source/JavaScriptCore/assembler/ SecureARM64EHashPinsInlines.h
Title: [294433] trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h Revision 294433 Author ysuz...@apple.com Date 2022-05-18 14:27:14 -0700 (Wed, 18 May 2022) Log Message Unreviewed, build fix after r294429 https://bugs.webkit.org/show_bug.cgi?id=240587 * Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h: (JSC::SecureARM64EHashPins::forEachPage): Canonical link: https://commits.webkit.org/250713@main Modified Paths trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h Diff Modified: trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h (294432 => 294433)
--- trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h 2022-05-18 21:19:31 UTC (rev 294432)
+++ trunk/Source/_javascript_Core/assembler/SecureARM64EHashPinsInlines.h 2022-05-18 21:27:14 UTC (rev 294433)
@@ -54,7 +54,7 @@
RELEASE_ASSERT(isJITPC(page));
if (function(*page) == IterationStatus::Done)
return;
-page = page->next
+page = page->next;
} while (page);
}
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [294319] trunk/Source/JavaScriptCore
Title: [294319] trunk/Source/_javascript_Core Revision 294319 Author ysuz...@apple.com Date 2022-05-17 05:12:38 -0700 (Tue, 17 May 2022) Log Message [JSC] Always have non nullptr for WebAssembly.Memory buffer https://bugs.webkit.org/show_bug.cgi?id=240510 Reviewed by Mark Lam. This patch adds CagedUniquePtr to allocate a pointer for that. * Source/_javascript_Core/runtime/ArrayBuffer.cpp: (JSC::ArrayBuffer::makeShared): * Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.cpp: (JSC::JSWebAssemblyMemory::buffer): Canonical link: https://commits.webkit.org/250639@main Modified Paths trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.cpp Diff Modified: trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp (294318 => 294319)
--- trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2022-05-17 11:05:11 UTC (rev 294318)
+++ trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2022-05-17 12:12:38 UTC (rev 294319)
@@ -332,6 +332,7 @@
{
m_contents.makeShared();
m_locked = true;
+ASSERT(!isDetached());
}
void ArrayBuffer::makeWasmMemory()
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.cpp (294318 => 294319)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.cpp 2022-05-17 11:05:11 UTC (rev 294318)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.cpp 2022-05-17 12:12:38 UTC (rev 294319)
@@ -90,8 +90,23 @@
}
Ref protectedHandle = m_memory->handle();
-auto destructor = createSharedTask([protectedHandle = WTFMove(protectedHandle)] (void*) { });
-m_buffer = ArrayBuffer::createFromBytes(m_memory->memory(), m_memory->size(), WTFMove(destructor));
+CagedUniquePtr pointerForEmpty;
+
+void* memory = m_memory->memory();
+size_t size = m_memory->size();
+if (!memory) {
+ASSERT(!size);
+constexpr unsigned allocationSize = 1;
+pointerForEmpty = CagedUniquePtr::tryCreate(allocationSize);
+if (!pointerForEmpty) {
+throwOutOfMemoryError(globalObject, throwScope);
+return nullptr;
+}
+memory = pointerForEmpty.get(allocationSize);
+}
+ASSERT(memory);
+auto destructor = createSharedTask([protectedHandle = WTFMove(protectedHandle), pointerForEmpty = WTFMove(pointerForEmpty)] (void*) { });
+m_buffer = ArrayBuffer::createFromBytes(memory, size, WTFMove(destructor));
m_buffer->makeWasmMemory();
if (m_memory->sharingMode() == Wasm::MemorySharingMode::Shared)
m_buffer->makeShared();
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
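Review bot: `ASSERT(!size)` inside `if (!memory)` is debug-only, so in a release build a null `memory` paired with a non-zero `size` would hand `ArrayBuffer::createFromBytes` a `size`-byte view over the 1-byte cage allocation returned by `pointerForEmpty.get(allocationSize)`, i.e. an out-of-bounds wasm memory reachable from JS. Since the whole point of the placeholder is that it is never indexed, make the invariant hold in release builds too: either `RELEASE_ASSERT(!size);` or force `size = 0;` right after the assert so the buffer length can never exceed the placeholder. The rest looks right — moving `pointerForEmpty` into the shared-task destructor ties its lifetime to the buffer's. `JSWebAssemblyMemory::buffer` starts outside the hunk.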
[webkit-changes] [294220] trunk/Source/bmalloc
Title: [294220] trunk/Source/bmalloc Revision 294220 Author ysuz...@apple.com Date 2022-05-15 19:32:13 -0700 (Sun, 15 May 2022) Log Message Unreviewed, revert r294214 partially https://bugs.webkit.org/show_bug.cgi?id=240292 These part is not cold code. We must not use PAS_ASSERT_WITH_DETAIL. * libpas/src/libpas/pas_local_allocator_config_kind.h: (pas_local_allocator_config_kind_create_normal): (pas_local_allocator_config_kind_create_primordial_partial): (pas_local_allocator_config_kind_create_bitfit): (pas_local_allocator_config_kind_get_segregated_page_config_kind): (pas_local_allocator_config_kind_get_bitfit_page_config_kind): (pas_local_allocator_config_kind_get_string): Modified Paths trunk/Source/bmalloc/ChangeLog trunk/Source/bmalloc/libpas/src/libpas/pas_local_allocator_config_kind.h Diff Modified: trunk/Source/bmalloc/ChangeLog (294219 => 294220) --- trunk/Source/bmalloc/ChangeLog 2022-05-16 01:44:00 UTC (rev 294219) +++ trunk/Source/bmalloc/ChangeLog 2022-05-16 02:32:13 UTC (rev 294220) 
@@ -1,3 +1,18 @@ +2022-05-15 Yusuke Suzuki + +Unreviewed, revert r294214 partially +https://bugs.webkit.org/show_bug.cgi?id=240292 + +These part is not cold code. We must not use PAS_ASSERT_WITH_DETAIL. + +* libpas/src/libpas/pas_local_allocator_config_kind.h: +(pas_local_allocator_config_kind_create_normal): +(pas_local_allocator_config_kind_create_primordial_partial): +(pas_local_allocator_config_kind_create_bitfit): +(pas_local_allocator_config_kind_get_segregated_page_config_kind): +(pas_local_allocator_config_kind_get_bitfit_page_config_kind): +(pas_local_allocator_config_kind_get_string): + 2022-05-14 Justin Michaud [LIBPAS] Add extra assert information to malloc enumeration API Modified: trunk/Source/bmalloc/libpas/src/libpas/pas_local_allocator_config_kind.h (294219 => 294220) --- trunk/Source/bmalloc/libpas/src/libpas/pas_local_allocator_config_kind.h 2022-05-16 01:44:00 UTC (rev 294219) +++ trunk/Source/bmalloc/libpas/src/libpas/pas_local_allocator_config_kind.h 2022-05-16 02:32:13 UTC (rev 294220) @@ -86,7 +86,7 @@ #include "pas_segregated_page_config_kind.def" #undef PAS_DEFINE_SEGREGATED_PAGE_CONFIG_KIND } -PAS_ASSERT_WITH_EXTRA_DETAIL(!"Should not be reached", kind); +PAS_ASSERT(!"Should not be reached"); return (pas_local_allocator_config_kind)0; } @@ -100,7 +100,7 @@ #include "pas_segregated_page_config_kind.def" #undef PAS_DEFINE_SEGREGATED_PAGE_CONFIG_KIND } -PAS_ASSERT_WITH_EXTRA_DETAIL(!"Should not be reached", kind); +PAS_ASSERT(!"Should not be reached"); return (pas_local_allocator_config_kind)0; } @@ -114,7 +114,7 @@ #include "pas_bitfit_page_config_kind.def" #undef PAS_DEFINE_BITFIT_PAGE_CONFIG_KIND } -PAS_ASSERT_WITH_EXTRA_DETAIL(!"Should not be reached", kind); +PAS_ASSERT(!"Should not be reached"); return (pas_local_allocator_config_kind)0; } 
@@ -129,7 +129,7 @@
#include "pas_segregated_page_config_kind.def"
#undef PAS_DEFINE_SEGREGATED_PAGE_CONFIG_KIND
default:
-PAS_ASSERT_WITH_EXTRA_DETAIL(!"Should not be reached", kind);
+PAS_ASSERT(!"Should not be reached");
return (pas_segregated_page_config_kind)0;
}
}
@@ -144,7 +144,7 @@
#include "pas_bitfit_page_config_kind.def"
#undef PAS_DEFINE_BITFIT_PAGE_CONFIG_KIND
default:
-PAS_ASSERT_WITH_EXTRA_DETAIL(!"Should not be reached", kind);
+PAS_ASSERT(!"Should not be reached");
return (pas_bitfit_page_config_kind)0;
}
}
@@ -170,7 +170,7 @@
#include "pas_bitfit_page_config_kind.def"
#undef PAS_DEFINE_BITFIT_PAGE_CONFIG_KIND
}
-PAS_ASSERT_WITH_EXTRA_DETAIL(!"Should not be reached", kind);
+PAS_ASSERT(!"Should not be reached");
return NULL;
}
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [294213] trunk/Source
Title: [294213] trunk/Source Revision 294213 Author ysuz...@apple.com Date 2022-05-14 17:47:31 -0700 (Sat, 14 May 2022) Log Message Put ThreadGlobalData in Thread https://bugs.webkit.org/show_bug.cgi?id=240116 Reviewed by Darin Adler and Mark Lam. This patch puts ThreadGlobalData into Thread's m_clientData field. Thread is stored in fast TLS, so accessing to this field is quite fast compared to the current ThreadSpecific one. At the same time, this change can remove a hack in ThreadGlobalData. Previously worker thread needs to tear down ThreadGlobalData explicitly because Thread::current() can be destroyed earlier than ThreadGlobalData. In that case, EventNames etc., which accesses to AtomString's destruction can have problem because of lack of Thread::current() access. But since we now move it to Thread, we can control how it is destroyed with Thread::current() precisely, and we can explicitly destroy it before Thread::current() is fully cleared. So we do not need to call it explicitly anymore. Currently, we are calling it just to make ThreadGlobalData destroyed for debugging. * Source/WebCore/PAL/pal/ThreadGlobalData.cpp: (PAL::ThreadGlobalData::ThreadGlobalData): (PAL::ThreadGlobalData::destroy): Deleted. * Source/WebCore/PAL/pal/ThreadGlobalData.h: (PAL::ThreadGlobalData::ThreadGlobalData::cachedConverterICU): Deleted. 
* Source/WTF/wtf/Threading.h: (WTF::Thread::Thread): * Source/WTF/wtf/posix/ThreadingPOSIX.cpp: (WTF::Thread::destructTLS): * Source/WTF/wtf/win/ThreadingWin.cpp: (WTF::Thread::ThreadHolder::~ThreadHolder): * Source/WebCore/platform/ThreadGlobalData.cpp: (WebCore::ThreadGlobalData::destroy): (WebCore::ThreadGlobalData::setWebCoreThreadData): (WebCore::threadGlobalData): Canonical link: https://commits.webkit.org/250571@main Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/Threading.h trunk/Source/WTF/wtf/posix/ThreadingPOSIX.cpp trunk/Source/WTF/wtf/win/ThreadingWin.cpp trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/PAL/ChangeLog trunk/Source/WebCore/PAL/pal/ThreadGlobalData.cpp trunk/Source/WebCore/PAL/pal/ThreadGlobalData.h trunk/Source/WebCore/platform/ThreadGlobalData.cpp Diff Modified: trunk/Source/WTF/ChangeLog (294212 => 294213) --- trunk/Source/WTF/ChangeLog 2022-05-15 00:45:16 UTC (rev 294212) +++ trunk/Source/WTF/ChangeLog 2022-05-15 00:47:31 UTC (rev 294213) @@ -1,3 +1,17 @@ +2022-05-08 Yusuke Suzuki + +Put ThreadGlobalData in Thread +https://bugs.webkit.org/show_bug.cgi?id=240116 + +Reviewed by Darin Adler and Mark Lam. + +* wtf/Threading.h: +(WTF::Thread::Thread): +* wtf/posix/ThreadingPOSIX.cpp: +(WTF::Thread::destructTLS): +* wtf/win/ThreadingWin.cpp: +(WTF::Thread::ThreadHolder::~ThreadHolder): + 2022-05-14 Tyler Wilcock AX: Remove CSSDisplayContentsAXSupportEnabled flag Modified: trunk/Source/WTF/wtf/Threading.h (294212 => 294213) --- trunk/Source/WTF/wtf/Threading.h 2022-05-15 00:45:16 UTC (rev 294212) +++ trunk/Source/WTF/wtf/Threading.h 2022-05-15 00:47:31 UTC (rev 294213) @@ -109,6 +109,11 @@ friend class ThreadGroup; friend WTF_EXPORT_PRIVATE void initialize(); +class ClientData : public ThreadSafeRefCounted { +public: +virtual ~ClientData() = default; +}; + WTF_EXPORT_PRIVATE ~Thread(); enum class QOS { 
@@ -347,14 +352,13 @@ static Lock s_allThreadsLock; JoinableState m_joinableState { Joinable }; -bool m_isShuttingDown : 1; -bool m_didExit : 1; -bool m_isDestroyedOnce : 1; -bool m_isCompilationThread: 1; -unsigned m_gcThreadType : 2; +bool m_isShuttingDown : 1 { false }; +bool m_didExit : 1 { false }; +bool m_isDestroyedOnce : 1 { false }; +bool m_isCompilationThread: 1 { false }; +bool m_didUnregisterFromAllThreads : 1 { false }; +unsigned m_gcThreadType : 2 { static_cast(GCThreadType::None) }; -bool m_didUnregisterFromAllThreads { false }; - // Lock & ParkingLot rely on ThreadSpecific. But Thread object can be destroyed even after ThreadSpecific things are destroyed. // Use WordLock since WordLock does not depend on ThreadSpecific and this "Thread". WordLock m_mutex; @@ -388,15 +392,11 @@ void* m_savedLastStackTop; public: void* m_apiData { nullptr }; +RefPtr m_clientData { nullptr }; }; inline Thread::Thread() -: m_isShuttingDown(false) -, m_didExit(false) -, m_isDestroyedOnce(false) -, m_isCompilationThread(false) -, m_gcThreadType(static_cast(GCThreadType::None)) -, m_uid(++s_uid) +: m_uid(++s_uid) { } Modified: trunk/Source/WTF/wtf/posix/ThreadingPOSIX.cpp (294212 => 294213) --- trunk/Source/WTF/wtf/posix/ThreadingPOSIX.cpp 2022-05-15 00:45:16 UTC (rev 294212) +++ trunk/Source/WTF/wtf/posix/ThreadingPOSIX.cpp 2022-05-15 00:47:31 UTC (rev 294213) @@ -556,6 +556,10 @@ _pthread_setspecific_direct(WTF_THREAD_DATA_KEY, thread);
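Review bot: Folding `m_didUnregisterFromAllThreads` into the bit-field run makes it share a single memory location with `m_isShuttingDown`, `m_didExit`, `m_isDestroyedOnce`, `m_isCompilationThread` and `m_gcThreadType` (adjacent non-zero-width bit-fields are one memory location in C++), whereas the removed `bool m_didUnregisterFromAllThreads { false };` had its own byte. If any of these flags is written by a thread other than the one writing the others — `m_isShuttingDown` reads like a cross-thread signal, though the hunk does not show its writers — a store to one flag now races with a store to another, and that is undefined behaviour unless every write to the run happens under `m_mutex`. Either keep the flag as a separate `bool` or, once the locking is verified, add `// All bit-fields in this run share one memory location; write them only under m_mutex.` above `m_isShuttingDown`. The default member initializers on bit-fields are a C++20 feature, which the file presumably already requires.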
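Review bot: `m_clientData` is added as a public mutable member next to `m_apiData` with nothing at the declaration saying who owns its lifetime; the commit description says it is torn down explicitly before `Thread::current()` is cleared so ClientData destructors can still use thread-local state, and r294539 on this same page later had to guard that reset against a null `thread` on Windows, which suggests the contract is easy to get wrong. Suggest documenting it where it is declared: `// Released in destructTLS() / ~ThreadHolder before thread-specific storage is destroyed, so ClientData destructors may still rely on Thread::current().` Whether callers other than the TLS teardown are expected to reset it directly is not visible here.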
[webkit-changes] [294209] trunk/Source
Title: [294209] trunk/Source Revision 294209 Author ysuz...@apple.com Date 2022-05-14 13:08:58 -0700 (Sat, 14 May 2022) Log Message Rename EventTrackingRegions::Event to EventTrackingRegions::EventType https://bugs.webkit.org/show_bug.cgi?id=240295 Reviewed by Darin Adler. This patch is follow-up after r293967 by Darin's comment. EventTrackingRegions::Event is not event actually, it is just an EventType. This patch renames it with EventType. We also rename variables "event" to "eventType". * Source/WebKit/Shared/WebCoreArgumentCoders.cpp: (IPC::ArgumentCoder::decode): * Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.cpp: (WebKit::RemoteScrollingCoordinatorProxy::eventTrackingTypeForPoint const): * Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.h: * Source/WebKit/UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::updateTouchEventTracking): * Source/WebCore/page/DebugPageOverlays.cpp: (WebCore::NonFastScrollableRegionOverlay::drawRect): * Source/WebCore/page/Page.cpp: (WebCore::Page::touchEventRectsForEventForTesting): * Source/WebCore/page/Page.h: * Source/WebCore/page/scrolling/ScrollingCoordinator.cpp: (WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame const): * Source/WebCore/page/scrolling/ScrollingTree.cpp: (WebCore::ScrollingTree::computeWheelProcessingSteps): (WebCore::ScrollingTree::eventTrackingTypeForPoint): * Source/WebCore/page/scrolling/ScrollingTree.h: * Source/WebCore/platform/EventTrackingRegions.cpp: (WebCore::EventTrackingRegions::eventName): (WebCore::EventTrackingRegions::eventNameAtomString): We add this function to have a way to get AtomString event name. It simplifies Internal code. 
(WebCore::EventTrackingRegions::trackingTypeForPoint): (WebCore::EventTrackingRegions::uniteSynchronousRegion): * Source/WebCore/platform/EventTrackingRegions.h: * Source/WebCore/testing/Internals.cpp: (WebCore::Internals::touchEventRectsForEvent): Canonical link: https://commits.webkit.org/250567@main Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/page/DebugPageOverlays.cpp trunk/Source/WebCore/page/Page.cpp trunk/Source/WebCore/page/Page.h trunk/Source/WebCore/page/scrolling/ScrollingCoordinator.cpp trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp trunk/Source/WebCore/page/scrolling/ScrollingTree.h trunk/Source/WebCore/platform/EventTrackingRegions.cpp trunk/Source/WebCore/platform/EventTrackingRegions.h trunk/Source/WebCore/testing/Internals.cpp trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.cpp trunk/Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.h trunk/Source/WebKit/UIProcess/WebPageProxy.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (294208 => 294209) --- trunk/Source/WebCore/ChangeLog 2022-05-14 19:15:53 UTC (rev 294208) +++ trunk/Source/WebCore/ChangeLog 2022-05-14 20:08:58 UTC (rev 294209) 
@@ -1,3 +1,34 @@ +2022-05-10 Yusuke Suzuki + +Rename EventTrackingRegions::Event to EventTrackingRegions::EventType +https://bugs.webkit.org/show_bug.cgi?id=240295 + +Reviewed by Darin Adler. + +This patch is follow-up after r293967 by Darin's comment. EventTrackingRegions::Event is not event actually, +it is just an EventType. This patch renames it with EventType. We also rename variables "event" to "eventType". + +* page/DebugPageOverlays.cpp: +(WebCore::NonFastScrollableRegionOverlay::drawRect): +* page/Page.cpp: +(WebCore::Page::touchEventRectsForEventForTesting): +* page/Page.h: +* page/scrolling/ScrollingCoordinator.cpp: +(WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame const): +* page/scrolling/ScrollingTree.cpp: +(WebCore::ScrollingTree::computeWheelProcessingSteps): +(WebCore::ScrollingTree::eventTrackingTypeForPoint): +* page/scrolling/ScrollingTree.h: +* platform/EventTrackingRegions.cpp: +(WebCore::EventTrackingRegions::eventName): +(WebCore::EventTrackingRegions::eventNameAtomString): We add this function to have a way to get AtomString event name. +It simplifies Internal code. +(WebCore::EventTrackingRegions::trackingTypeForPoint): +(WebCore::EventTrackingRegions::uniteSynchronousRegion): +* platform/EventTrackingRegions.h: +* testing/Internals.cpp: +(WebCore::Internals::touchEventRectsForEvent): + 2022-05-14 Tyler Wilcock AX: Remove CSSDisplayContentsAXSupportEnabled flag Modified: trunk/Source/WebCore/page/DebugPageOverlays.cpp (294208 => 294209) --- trunk/Source/WebCore/page/DebugPageOverlays.cpp 2022-05-14 19:15:53 UTC (rev 294208) +++ trunk/Source/WebCore/page/DebugPageOverlays.cpp 2022-05-14 20:08:58 UTC (rev 294209) @@ -177,15 +177,15 @@ void NonFastScrollableRegionOverlay::drawRect(PageOverlay& pageOverlay, GraphicsContext& context, const IntRect&)
[webkit-changes] [294171] trunk/Tools
Title: [294171] trunk/Tools Revision 294171 Author ysuz...@apple.com Date 2022-05-13 14:12:31 -0700 (Fri, 13 May 2022) Log Message Use None for architecture when dump-class-layout does not have `-a` option https://bugs.webkit.org/show_bug.cgi?id=240395 Reviewed by Saam Barati and Simon Fraser. We can pass None to architecture, then SBDebugger::CreateTargetWithFileAndArch will call CreateTarget with nullptr architecture string. Then, TargetList constructs ArchSpec based on currently selected platform automatically and it covers most of cases. I tried it, and it worked with watchOS, macOS, iOS so far. So, we should just pass None to CreateTargetWithFileAndArch by default. * Tools/lldb/lldb_dump_class_layout.py: (LLDBDebuggerInstance.__init__): (LLDBDebuggerInstance.__del__): (LLDBDebuggerInstance._get_first_file_architecture): Deleted. Canonical link: https://commits.webkit.org/250539@main Modified Paths trunk/Tools/ChangeLog trunk/Tools/lldb/lldb_dump_class_layout.py Diff Modified: trunk/Tools/ChangeLog (294170 => 294171) --- trunk/Tools/ChangeLog 2022-05-13 19:38:21 UTC (rev 294170) +++ trunk/Tools/ChangeLog 2022-05-13 21:12:31 UTC (rev 294171) 
@@ -1,3 +1,21 @@ +2022-05-13 Yusuke Suzuki + +Use None for architecture when dump-class-layout does not have `-a` option +https://bugs.webkit.org/show_bug.cgi?id=240395 + +Reviewed by Saam Barati and Simon Fraser. + +We can pass None to architecture, then SBDebugger::CreateTargetWithFileAndArch +will call CreateTarget with nullptr architecture string. Then, TargetList constructs +ArchSpec based on currently selected platform automatically and it covers most of cases. +I tried it, and it worked with watchOS, macOS, iOS so far. +So, we should just pass None to CreateTargetWithFileAndArch by default. + +* lldb/lldb_dump_class_layout.py: +(LLDBDebuggerInstance.__init__): +(LLDBDebuggerInstance.__del__): +(LLDBDebuggerInstance._get_first_file_architecture): Deleted. + 2022-05-13 Commit Queue Unreviewed, reverting r294113. Modified: trunk/Tools/lldb/lldb_dump_class_layout.py (294170 => 294171) --- trunk/Tools/lldb/lldb_dump_class_layout.py 2022-05-13 19:38:21 UTC (rev 294170) +++ trunk/Tools/lldb/lldb_dump_class_layout.py 2022-05-13 21:12:31 UTC (rev 294171) @@ -381,11 +381,7 @@ self.debugger = lldb.SBDebugger.Create() self.debugger.SetAsync(False) -architecture = self.architecture -if not architecture: -architecture = self._get_first_file_architecture() - -self.target = self.debugger.CreateTargetWithFileAndArch(str(self.binary_path), architecture) +self.target = self.debugger.CreateTargetWithFileAndArch(str(self.binary_path), self.architecture) if not self.target: print("Failed to make target for " + self.binary_path) 
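Review bot: With the `file(1)`-based fallback gone, `_get_first_file_architecture` was — as far as this hunk shows — the only user of `re` and `subprocess` in this script; if the module-level imports are now unused, drop them so the tool no longer shells out on a user-supplied binary path at all. It would also help to state the new contract at the call, e.g. `# architecture=None lets lldb derive the ArchSpec from the selected platform` above the `CreateTargetWithFileAndArch` line, since passing `self.architecture` through as `None` is now intentional rather than a missing-option accident. `__init__` starts before this hunk, so I cannot see whether those imports are used elsewhere.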
@@ -397,20 +393,6 @@ if lldb: lldb.SBDebugger.Destroy(self.debugger) -def _get_first_file_architecture(self): -p = re.compile(r'shared library +(\w+)$') -file_result = subprocess.check_output(["file", self.binary_path], encoding='UTF-8').split('\n') -arches = [] -for line in file_result: -match = p.search(line) -if match: -arches.append(match.group(1)) - -if len(arches) > 0: -return arches[0] - -return lldb.LLDB_ARCH_DEFAULT - def layout_for_classname(self, classname): types = self.module.FindTypes(classname) if types.GetSize(): ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [294047] trunk
Title: [294047] trunk Revision 294047 Author ysuz...@apple.com Date 2022-05-10 18:00:50 -0700 (Tue, 10 May 2022) Log Message Upstream TypedArray.prototype.fill speedup from bun https://bugs.webkit.org/show_bug.cgi?id=239891 Reviewed by Saam Barati. This patch imports bun's improvement in TypedArray#fill[1], bun is MIT licensed. We use memset and its variant to fill TypedArray if possible. Microbenchmarks show 5x improvement. ToT Patched typed-array-fill 1092.0348+-6.2496 ^221.3430+-9.1261^ definitely 4.9337x faster [1]: https://github.com/Jarred-Sumner/WebKit/commit/b06577c1f1de19d2ef3d4a87d14ea41909ddf5fc * JSTests/microbenchmarks/typed-array-fill.js: Added. * JSTests/stress/typed-array-fill-complicated.js: Added. (shouldBe): (throw.new.Error): * Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h: (JSC::speciesConstruct): (JSC::genericTypedArrayViewProtoFuncCopyWithin): (JSC::genericTypedArrayViewProtoFuncIncludes): (JSC::genericTypedArrayViewProtoFuncIndexOf): (JSC::genericTypedArrayViewProtoFuncJoin): (JSC::genericTypedArrayViewProtoFuncFill): (JSC::genericTypedArrayViewProtoFuncLastIndexOf): (JSC::genericTypedArrayViewProtoFuncReverse): (JSC::genericTypedArrayViewPrivateFuncSort): (JSC::genericTypedArrayViewProtoFuncSlice): (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): Canonical link: https://commits.webkit.org/250455@main Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h Added Paths trunk/JSTests/microbenchmarks/typed-array-fill.js trunk/JSTests/stress/typed-array-fill-complicated.js Diff Modified: trunk/JSTests/ChangeLog (294046 => 294047) --- trunk/JSTests/ChangeLog 2022-05-11 00:53:30 UTC (rev 294046) +++ trunk/JSTests/ChangeLog 2022-05-11 01:00:50 UTC (rev 294047) 
@@ -1,3 +1,15 @@ +2022-05-09 Yusuke Suzuki + +Upstream TypedArray.prototype.fill speedup from bun +https://bugs.webkit.org/show_bug.cgi?id=239891 + +Reviewed by Saam Barati. + +* microbenchmarks/typed-array-fill.js: Added. +* stress/typed-array-fill-complicated.js: Added. +(shouldBe): +(throw.new.Error): + 2022-05-09 Ross Kirsling Temporal round and total methods should accept string param Added: trunk/JSTests/microbenchmarks/typed-array-fill.js (0 => 294047) --- trunk/JSTests/microbenchmarks/typed-array-fill.js (rev 0) +++ trunk/JSTests/microbenchmarks/typed-array-fill.js 2022-05-11 01:00:50 UTC (rev 294047) @@ -0,0 +1,11 @@ +var a1 = new Uint8Array(1024 * 1024 * 1); +var a2 = new Uint16Array(1024 * 1024 * 1); +var a3 = new Uint32Array(1024 * 1024 * 1); +var a4 = new Float64Array(1024 * 1024 * 1); + +for (var i = 0; i < 3e2; ++i) { +a1.fill(99); +a2.fill(99); +a3.fill(99); +a4.fill(99); +} Added: trunk/JSTests/stress/typed-array-fill-complicated.js (0 => 294047) --- trunk/JSTests/stress/typed-array-fill-complicated.js (rev 0) +++ trunk/JSTests/stress/typed-array-fill-complicated.js 2022-05-11 01:00:50 UTC (rev 294047) @@ -0,0 +1,22 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error('bad value: ' + actual); +} + +{ +let a0 = new Uint8Array(100); +shouldBe(a0[3], 0); +shouldBe(a0[4], 0); +a0.fill(42, 3, 4); +shouldBe(a0[3], 42); +shouldBe(a0[4], 0); +} +{ +let a0 = new Uint8Array(4); +shouldBe(a0[0], 0); +a0.fill(42, 0, 0); +shouldBe(a0[0], 0); +a0.fill(42, 3, 0); +for (let i = 0; i < 4; ++i) +shouldBe(a0[i], 0); +} Modified: trunk/Source/_javascript_Core/ChangeLog (294046 => 294047) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-11 00:53:30 UTC (rev 294046) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-11 01:00:50 UTC (rev 294047) 
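Review bot: `typed-array-fill-complicated.js` only asserts on `Uint8Array`, so a wrong-width fill for the 16/32/64-bit element types would pass this suite — the microbenchmark above touches `Uint16Array`, `Uint32Array` and `Float64Array` but checks nothing. Add value assertions for those types, e.g. `let a1 = new Uint16Array(8); a1.fill(0x1234, 2, 5); shouldBe(a1[2], 0x1234); shouldBe(a1[1], 0); shouldBe(a1[5], 0);`, plus negative `start`/`end` (`fill(7, -2)`) and a value that needs conversion (`new Uint8Array(4).fill(257)` should read back as 1). The commit message describes the fast path as "memset and its variant", so element width and value coercion are exactly where a regression would show.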
@@ -1,3 +1,33 @@ +2022-05-09 Yusuke Suzuki + +Upstream TypedArray.prototype.fill speedup from bun +https://bugs.webkit.org/show_bug.cgi?id=239891 + +Reviewed by Saam Barati. + +This patch imports bun's improvement in TypedArray#fill[1], bun is MIT licensed. +We use memset and its variant to fill TypedArray if possible. +Microbenchmarks show 5x improvement. + + ToT Patched + +typed-array-fill 1092.0348+-6.2496 ^221.3430+-9.1261^ definitely 4.9337x faster + +[1]: https://github.com/Jarred-Sumner/WebKit/commit/b06577c1f1de19d2ef3d4a87d14ea41909ddf5fc + +* runtime/JSGenericTypedArrayViewPrototypeFunctions.h: +(JSC::speciesConstruct): +(JSC::genericTypedArrayViewProtoFuncCopyWithin): +(JSC::genericTypedArrayViewProtoFuncIncludes): +(JSC::genericTypedArrayViewProtoFuncIndexOf): +(JSC::genericTypedArrayViewProtoFuncJoin):
[webkit-changes] [293985] trunk/Source/WebKit
Title: [293985] trunk/Source/WebKit Revision 293985 Author ysuz...@apple.com Date 2022-05-09 12:40:08 -0700 (Mon, 09 May 2022) Log Message Unreviewed, build fix for Internal iOS build https://bugs.webkit.org/show_bug.cgi?id=240206 * UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::updateTouchEventTracking): Modified Paths trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/UIProcess/WebPageProxy.cpp Diff Modified: trunk/Source/WebKit/ChangeLog (293984 => 293985) --- trunk/Source/WebKit/ChangeLog 2022-05-09 19:10:39 UTC (rev 293984) +++ trunk/Source/WebKit/ChangeLog 2022-05-09 19:40:08 UTC (rev 293985) @@ -1,3 +1,11 @@ +2022-05-09 Yusuke Suzuki + +Unreviewed, build fix for Internal iOS build +https://bugs.webkit.org/show_bug.cgi?id=240206 + +* UIProcess/WebPageProxy.cpp: +(WebKit::WebPageProxy::updateTouchEventTracking): + 2022-05-09 Ian Anderson WebKit has a broken module in Mac Catalyst Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (293984 => 293985) --- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2022-05-09 19:10:39 UTC (rev 293984) +++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2022-05-09 19:40:08 UTC (rev 293985) @@ -3065,7 +3065,6 @@ void WebPageProxy::updateTouchEventTracking(const WebTouchEvent& touchStartEvent) { #if ENABLE(ASYNC_SCROLLING) && PLATFORM(COCOA) -const EventNames& names = eventNames(); for (auto& touchPoint : touchStartEvent.touchPoints()) { IntPoint location = touchPoint.location(); auto updateTrackingType = [this, location](TrackingType& trackingType, EventTrackingRegions::Event event) { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [293967] trunk/Source
Title: [293967] trunk/Source Revision 293967 Author ysuz...@apple.com Date 2022-05-08 23:14:33 -0700 (Sun, 08 May 2022) Log Message Introduce EventTrackingRegions::Event enum https://bugs.webkit.org/show_bug.cgi?id=240206 Reviewed by Mark Lam. We noticed that EventNames 260~ AtomStrings are allocated in scrolling thread only because we are using eventNames() for EventTrackingRegions. But since use of it is limited, we can just use enum instead. 1. We can make EventTrackingRegions more efficient by using enum instead of String. 2. We can save memory by avoiding EventNames string allocations & AtomStringTable registration. 3. We can make this parameter more strictly typed compared to accepting any kind of Strings * Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp: (WebKit::dump): * Source/WebKit/Shared/WebCoreArgumentCoders.cpp: (IPC::ArgumentCoder::decode): * Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.cpp: (WebKit::RemoteScrollingCoordinatorProxy::eventTrackingTypeForPoint const): * Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.h: * Source/WebKit/UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::updateTouchEventTracking): * Source/WebCore/page/DebugPageOverlays.cpp: (WebCore::NonFastScrollableRegionOverlay::drawRect): * Source/WebCore/page/Page.cpp: (WebCore::Page::touchEventRectsForEventForTesting): * Source/WebCore/page/Page.h: * Source/WebCore/page/scrolling/ScrollingCoordinator.cpp: (WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame const): * Source/WebCore/page/scrolling/ScrollingStateFrameScrollingNode.cpp: (WebCore::ScrollingStateFrameScrollingNode::dumpProperties const): * Source/WebCore/page/scrolling/ScrollingTree.cpp: (WebCore::ScrollingTree::computeWheelProcessingSteps): (WebCore::ScrollingTree::eventTrackingTypeForPoint): * Source/WebCore/page/scrolling/ScrollingTree.h: * Source/WebCore/platform/EventTrackingRegions.cpp: 
(WebCore::EventTrackingRegions::eventName): (WebCore::EventTrackingRegions::trackingTypeForPoint): (WebCore::EventTrackingRegions::uniteSynchronousRegion): * Source/WebCore/platform/EventTrackingRegions.h: * Source/WebCore/testing/Internals.cpp: (WebCore::Internals::touchEventRectsForEvent): * Source/WebCore/testing/Internals.h: Canonical link: https://commits.webkit.org/250405@main Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/page/DebugPageOverlays.cpp trunk/Source/WebCore/page/Page.cpp trunk/Source/WebCore/page/Page.h trunk/Source/WebCore/page/scrolling/ScrollingCoordinator.cpp trunk/Source/WebCore/page/scrolling/ScrollingStateFrameScrollingNode.cpp trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp trunk/Source/WebCore/page/scrolling/ScrollingTree.h trunk/Source/WebCore/platform/EventTrackingRegions.cpp trunk/Source/WebCore/platform/EventTrackingRegions.h trunk/Source/WebCore/testing/Internals.cpp trunk/Source/WebCore/testing/Internals.h trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/Shared/RemoteLayerTree/RemoteScrollingCoordinatorTransaction.cpp trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp trunk/Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.cpp trunk/Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.h trunk/Source/WebKit/UIProcess/WebPageProxy.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (293966 => 293967) --- trunk/Source/WebCore/ChangeLog 2022-05-09 04:05:08 UTC (rev 293966) +++ trunk/Source/WebCore/ChangeLog 2022-05-09 06:14:33 UTC (rev 293967) 
@@ -1,3 +1,39 @@ +2022-05-07 Yusuke Suzuki + +Introduce EventTrackingRegions::Event enum +https://bugs.webkit.org/show_bug.cgi?id=240206 + +Reviewed by Mark Lam. + +We noticed that EventNames 260~ AtomStrings are allocated in scrolling thread only because we are using +eventNames() for EventTrackingRegions. But since use of it is limited, we can just use enum instead. + +1. We can make EventTrackingRegions more efficient by using enum instead of String. +2. We can save memory by avoiding EventNames string allocations & AtomStringTable registration. +3. We can make this parameter more strictly typed compared to accepting any kind of Strings + +* page/DebugPageOverlays.cpp: +(WebCore::NonFastScrollableRegionOverlay::drawRect): +* page/Page.cpp: +(WebCore::Page::touchEventRectsForEventForTesting): +* page/Page.h: +* page/scrolling/ScrollingCoordinator.cpp: +(WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame const): +* page/scrolling/ScrollingStateFrameScrollingNode.cpp: +(WebCore::ScrollingStateFrameScrollingNode::dumpProperties const): +* page/scrolling/ScrollingTree.cpp: +(WebCore::ScrollingTree::computeWheelProcessingSteps): +(WebCore::ScrollingTree::eventTrackingTypeForPoint): +*
[webkit-changes] [293925] trunk/Source/JavaScriptCore
Title: [293925] trunk/Source/_javascript_Core Revision 293925 Author ysuz...@apple.com Date 2022-05-06 14:54:27 -0700 (Fri, 06 May 2022) Log Message [JSC] Add more information about MarkedBlock assertion https://bugs.webkit.org/show_bug.cgi?id=240176 Reviewed by Mark Lam and Saam Barati. Collect more information about assertion via CRASH_WITH_INFO. * Source/_javascript_Core/heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::specializedSweep): Canonical link: https://commits.webkit.org/250372@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293924 => 293925) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-06 21:51:59 UTC (rev 293924) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-06 21:54:27 UTC (rev 293925) @@ -1,3 +1,15 @@ +2022-05-06 Yusuke Suzuki + +[JSC] Add more information about MarkedBlock assertion +https://bugs.webkit.org/show_bug.cgi?id=240176 + +Reviewed by Mark Lam and Saam Barati. + +Collect more information about assertion via CRASH_WITH_INFO. + +* heap/MarkedBlockInlines.h: +(JSC::MarkedBlock::Handle::specializedSweep): + 2022-05-05 Ross Kirsling Temporal.Duration constructor should handle -0 properly Modified: trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h (293924 => 293925) --- trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h 2022-05-06 21:51:59 UTC (rev 293924) +++ trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h 2022-05-06 21:54:27 UTC (rev 293925) 
@@ -282,8 +282,8 @@
 char* startOfLastCell = static_cast(cellAlign(block.atoms() + m_endAtom - 1));
 char* payloadEnd = startOfLastCell + cellSize;
-RELEASE_ASSERT(payloadEnd - MarkedBlock::blockSize <= bitwise_cast());
 char* payloadBegin = bitwise_cast(block.atoms());
+RELEASE_ASSERT(payloadEnd - MarkedBlock::blockSize <= bitwise_cast(), payloadBegin, payloadEnd, , cellSize, m_endAtom);
 if (sweepMode == SweepToFreeList)
 setIsFreeListed();
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
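Review bot: `payloadEnd - MarkedBlock::blockSize` on the new RELEASE_ASSERT line forms a char* one whole block below payloadEnd, which is strictly out-of-bounds pointer arithmetic even though the comparison itself is what matters; moving the subtraction to the other side keeps every intermediate pointer inside the block, e.g. `RELEASE_ASSERT(payloadEnd <= bitwise_cast<char*>(/* block base */) + MarkedBlock::blockSize, payloadBegin, payloadEnd, cellSize, m_endAtom);` (the cast's template argument and operand, and one of the extra info arguments, are lost in this rendering, so take the shape rather than the names). The additional CRASH_WITH_INFO arguments are the point of the change and look right. specializedSweep begins and ends outside the hunk.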
[webkit-changes] [293884] trunk/Source/WebCore
Title: [293884] trunk/Source/WebCore Revision 293884 Author ysuz...@apple.com Date 2022-05-06 01:18:54 -0700 (Fri, 06 May 2022) Log Message Make readArrayBufferViewImpl defensive https://bugs.webkit.org/show_bug.cgi?id=240154 rdar://92113248 Reviewed by Mark Lam. Check deserialized value's type before starting using it as JSArrayBuffer*. * Source/WebCore/bindings/js/SerializedScriptValue.cpp: (WebCore::CloneDeserializer::readArrayBufferViewImpl): Canonical link: https://commits.webkit.org/250342@main Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp Diff Modified: trunk/Source/WebCore/ChangeLog (293883 => 293884) --- trunk/Source/WebCore/ChangeLog 2022-05-06 07:43:24 UTC (rev 293883) +++ trunk/Source/WebCore/ChangeLog 2022-05-06 08:18:54 UTC (rev 293884) @@ -1,3 +1,16 @@ +2022-05-05 Yusuke Suzuki + +Make readArrayBufferViewImpl defensive +https://bugs.webkit.org/show_bug.cgi?id=240154 +rdar://92113248 + +Reviewed by Mark Lam. + +Check deserialized value's type before starting using it as JSArrayBuffer*. + +* bindings/js/SerializedScriptValue.cpp: +(WebCore::CloneDeserializer::readArrayBufferViewImpl): + 2022-05-06 Miguel Gomez [Nicosia] Images in webkit.org/blog/ don't show up with threaded rendering Modified: trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp (293883 => 293884) --- trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2022-05-06 07:43:24 UTC (rev 293883) +++ trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp 2022-05-06 08:18:54 UTC (rev 293884) 
@@ -2599,9 +2599,10 @@
 LengthType byteLength;
 if (!read(byteLength))
 return false;
-JSObject* arrayBufferObj = asObject(readTerminal());
-if (!arrayBufferObj || !arrayBufferObj->inherits())
+JSValue arrayBufferValue = readTerminal();
+if (!arrayBufferValue || !arrayBufferValue.inherits())
 return false;
+JSObject* arrayBufferObj = asObject(arrayBufferValue);
 unsigned elementSize = typedArrayElementSize(arrayBufferViewSubtag);
 if (!elementSize)
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
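Review bot: The reordering is the right fix, but nothing in the code records why the type check must come before `asObject()`, so a later cleanup could fold the cast back into the first line and reintroduce the type confusion; add `// The clone payload is untrusted: readTerminal() can yield a non-object, and asObject() (as far as is visible here) does not validate its argument, so check inherits() before casting.` above the new `JSValue arrayBufferValue` line. Separately, the byteOffset/byteLength range check against the buffer's real length is not in this hunk; it presumably follows, but confirm it runs before the view is constructed. readArrayBufferViewImpl continues outside the hunk.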
[webkit-changes] [293858] trunk/Source/JavaScriptCore
Title: [293858] trunk/Source/_javascript_Core Revision 293858 Author ysuz...@apple.com Date 2022-05-05 12:44:58 -0700 (Thu, 05 May 2022) Log Message Unreviewed, partial revert of r293813 because of proposal's issue. https://bugs.webkit.org/show_bug.cgi?id=240102 * runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/IntlNumberFormat.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293857 => 293858) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-05 18:58:04 UTC (rev 293857) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-05 19:44:58 UTC (rev 293858) @@ -1,5 +1,13 @@ 2022-05-05 Yusuke Suzuki +Unreviewed, partial revert of r293813 because of proposal's issue. +https://bugs.webkit.org/show_bug.cgi?id=240102 + +* runtime/IntlNumberFormat.cpp: +(JSC::IntlNumberFormat::initializeNumberFormat): + +2022-05-05 Yusuke Suzuki + [JSC] Clean up StructureID related data https://bugs.webkit.org/show_bug.cgi?id=240114 Modified: trunk/Source/_javascript_Core/runtime/IntlNumberFormat.cpp (293857 => 293858) --- trunk/Source/_javascript_Core/runtime/IntlNumberFormat.cpp 2022-05-05 18:58:04 UTC (rev 293857) +++ trunk/Source/_javascript_Core/runtime/IntlNumberFormat.cpp 2022-05-05 19:44:58 UTC (rev 293858) 
@@ -399,10 +399,9 @@
 throwTypeError(globalObject, scope, "rounding type is not fraction-digits while roundingIncrement is specified"_s);
 return;
 }
-if (m_maximumFractionDigits != m_minimumFractionDigits) {
-throwRangeError(globalObject, scope, "maximum and minimum fraction-digits are not equal while roundingIncrement is specified"_s);
-return;
-}
+// FIXME: The proposal has m_maximumFractionDigits != m_minimumFractionDigits check here, but it breaks the use case.
+// We intentionally do not follow to that here until the issue is fixed.
+// https://github.com/tc39/proposal-intl-numberformat-v3/issues/97
 }
 m_trailingZeroDisplay = intlOption(globalObject, options, vm.propertyNames->trailingZeroDisplay, { { "auto"_s, TrailingZeroDisplay::Auto }, { "stripIfInteger"_s, TrailingZeroDisplay::StripIfInteger } }, "trailingZeroDisplay must be either \"auto\" or \"stripIfInteger\""_s, TrailingZeroDisplay::Auto);
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
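Review bot: The FIXME that replaces the RangeError check says only that it "breaks the use case", which does not tell the next reader which inputs were rejected or when the check can safely return; rewrite it to name the failing input shape explicitly, e.g. `// FIXME: The proposal requires minimumFractionDigits == maximumFractionDigits when roundingIncrement is set, but that rejects <describe the input>; skipped until tc39/proposal-intl-numberformat-v3#97 is resolved.` Also, r293813 deleted the test262 expectations entry for constructor-roundingIncrement-invalid.js and this partial revert touches only the ChangeLog and IntlNumberFormat.cpp, so if that test also exercises the unequal-digits case it will now fail without an expectation; worth re-running that file. initializeNumberFormat begins and ends outside the hunk.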
[webkit-changes] [293847] trunk/Source/JavaScriptCore
Title: [293847] trunk/Source/_javascript_Core Revision 293847 Author ysuz...@apple.com Date 2022-05-05 11:26:07 -0700 (Thu, 05 May 2022) Log Message [JSC] Clean up StructureID related data https://bugs.webkit.org/show_bug.cgi?id=240114 Reviewed by Mark Lam. This patch moves structureHeapAddressSize to StructureID.h and defines it only where it is used. We also use decontaminate() in the ADDRESS32 tryDecode. Strictly speaking, it is not necessary for now since 32-bit environments do not have a concurrent GC or concurrent JIT compiler, but they may in the future. * Source/_javascript_Core/runtime/JSCConfig.h: * Source/_javascript_Core/runtime/StructureID.h: (JSC::StructureID::tryDecode const): Canonical link: https://commits.webkit.org/250318@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSCConfig.h trunk/Source/_javascript_Core/runtime/StructureID.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293846 => 293847) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-05 18:00:15 UTC (rev 293846) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-05 18:26:07 UTC (rev 293847) 
@@ -1,3 +1,19 @@ +2022-05-05 Yusuke Suzuki + +[JSC] Clean up StructureID related data +https://bugs.webkit.org/show_bug.cgi?id=240114 + +Reviewed by Mark Lam. + +This patch moves structureHeapAddressSize to StructureID. And define it only when we use it. +We also use decontaminate() in ADDRESS32 tryDecode. Strictly speaking, it is not necessary +for now since 32bit environment does not have concurrent GC & concurrent JIT compiler, but +it can have that. + +* runtime/JSCConfig.h: +* runtime/StructureID.h: +(JSC::StructureID::tryDecode const): + 2022-05-05 Diego Pino Garcia [GCC] REGRESSION(r293605): error: cannot convert ‘’ to ‘unsigned char:3’ in initialization Modified: trunk/Source/_javascript_Core/runtime/JSCConfig.h (293846 => 293847) --- trunk/Source/_javascript_Core/runtime/JSCConfig.h 2022-05-05 18:00:15 UTC (rev 293846) +++ trunk/Source/_javascript_Core/runtime/JSCConfig.h 2022-05-05 18:26:07 UTC (rev 293847) @@ -41,14 +41,6 @@ using JITWriteSeparateHeapsFunction = void (*)(off_t, const void*, size_t); #endif -#if defined(STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB) && STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB > 0 -constexpr uintptr_t structureHeapAddressSize = STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB * MB; -#elif PLATFORM(IOS_FAMILY) && CPU(ARM64) && !CPU(ARM64E) -constexpr uintptr_t structureHeapAddressSize = 512 * MB; -#else -constexpr uintptr_t structureHeapAddressSize = 4 * GB; -#endif - struct Config { static Config& singleton(); Modified: trunk/Source/_javascript_Core/runtime/StructureID.h (293846 => 293847) --- trunk/Source/_javascript_Core/runtime/StructureID.h 2022-05-05 18:00:15 UTC (rev 293846) +++ trunk/Source/_javascript_Core/runtime/StructureID.h 2022-05-05 18:26:07 UTC (rev 293847) 
@@ -34,8 +34,10 @@ class Structure; +#if CPU(ADDRESS64) + // We would like to define this value in PlatformEnable.h, but it is not possible since the following is relying on MACH_VM_MAX_ADDRESS. -#if CPU(ADDRESS64) && CPU(ARM64) && OS(DARWIN) +#if CPU(ARM64) && OS(DARWIN) #if MACH_VM_MAX_ADDRESS_RAW < (1ULL << 36) #define ENABLE_STRUCTURE_ID_WITH_SHIFT 1 static_assert(MACH_VM_MAX_ADDRESS_RAW == MACH_VM_MAX_ADDRESS); @@ -42,6 +44,18 @@ #endif #endif +#if !ENABLE(STRUCTURE_ID_WITH_SHIFT) +#if defined(STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB) && STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB > 0 +constexpr uintptr_t structureHeapAddressSize = STRUCTURE_HEAP_ADDRESS_SIZE_IN_MB * MB; +#elif PLATFORM(IOS_FAMILY) && CPU(ARM64) && !CPU(ARM64E) +constexpr uintptr_t structureHeapAddressSize = 512 * MB; +#else +constexpr uintptr_t structureHeapAddressSize = 4 * GB; +#endif +#endif // !ENABLE(STRUCTURE_ID_WITH_SHIFT) + +#endif // CPU(ADDRESS64) + class StructureID { public: static constexpr uint32_t nukedStructureIDBit = 1; @@ -145,7 +159,7 @@ ALWAYS_INLINE Structure* StructureID::tryDecode() const { -return reinterpret_cast(m_bits); +return reinterpret_cast(decontaminate().m_bits); } ALWAYS_INLINE StructureID StructureID::encode(const Structure* structure) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
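Review bot: The new `decontaminate().m_bits` in the ADDRESS32 `tryDecode` deserves a why-comment, because nothing in the surrounding context hints that an ID may be observed with the nuked bit set by another thread; add `// Mask off nukedStructureIDBit first: a concurrent collector or compiler may read this ID while it is nuked.` above the return (the description says decoding can be concurrent; that decontaminate() clears that bit is my inference from the name and the `nukedStructureIDBit = 1` constant). In the constants hunk, the two bare `#endif`s that close the MACH_VM_MAX_ADDRESS_RAW and `CPU(ARM64) && OS(DARWIN)` blocks now sit one level deeper inside `CPU(ADDRESS64)`, and only the new outer ones are labelled; label the inner pair too, e.g. `#endif // CPU(ARM64) && OS(DARWIN)`, so the nesting stays readable.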
[webkit-changes] [293813] trunk
Title: [293813] trunk Revision 293813 Author ysuz...@apple.com Date 2022-05-04 19:21:35 -0700 (Wed, 04 May 2022) Log Message [JSC] Intl.NumberFormat lacks some validation for rounding-increment https://bugs.webkit.org/show_bug.cgi?id=240102 Reviewed by Ross Kirsling. This patch adds some validations added in Intl.NumberFormat v3[1]. Important thing is one is TypeError and one is RangeError. Both are tested in test262. [1]: https://tc39.es/proposal-intl-numberformat-v3/out/numberformat/proposed.html#sec-initializenumberformat * JSTests/test262/expectations.yaml: * Source/_javascript_Core/runtime/IntlNumberFormat.cpp: (JSC::IntlNumberFormat::initializeNumberFormat): Canonical link: https://commits.webkit.org/250286@main Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/IntlNumberFormat.cpp Diff Modified: trunk/JSTests/ChangeLog (293812 => 293813) --- trunk/JSTests/ChangeLog 2022-05-05 01:53:23 UTC (rev 293812) +++ trunk/JSTests/ChangeLog 2022-05-05 02:21:35 UTC (rev 293813) @@ -1,3 +1,12 @@ +2022-05-04 Yusuke Suzuki + +[JSC] Intl.NumberFormat lacks some validation for rounding-increment +https://bugs.webkit.org/show_bug.cgi?id=240102 + +Reviewed by Ross Kirsling. + +* test262/expectations.yaml: + 2022-05-04 Ross Kirsling Temporal.Duration constructor should throw on non-integers Modified: trunk/JSTests/test262/expectations.yaml (293812 => 293813) --- trunk/JSTests/test262/expectations.yaml 2022-05-05 01:53:23 UTC (rev 293812) +++ trunk/JSTests/test262/expectations.yaml 2022-05-05 02:21:35 UTC (rev 293813) 
@@ -1350,9 +1350,6 @@ test/intl402/Locale/prototype/minimize/removing-likely-subtags-first-adds-likely-subtags.js: default: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true' strict mode: 'Test262Error: "und".minimize() should be "en" Expected SameValue(«en-u-va-posix», «en») to be true' -test/intl402/NumberFormat/constructor-roundingIncrement-invalid.js: - default: 'Test262Error: 2, roundingType is "morePrecision" Expected a TypeError but got a RangeError' - strict mode: 'Test262Error: 2, roundingType is "morePrecision" Expected a TypeError but got a RangeError' test/intl402/NumberFormat/prototype/format/format-rounding-priority-less-precision.js: default: 'Test262Error: Formatted value for 1, en-US-u-nu-arab and options {"useGrouping":false,"roundingPriority":"lessPrecision","minimumSignificantDigits":3,"minimumFractionDigits":1} is ١٫٠٠; expected ١٫٠.' strict mode: 'Test262Error: Formatted value for 1, en-US-u-nu-arab and options {"useGrouping":false,"roundingPriority":"lessPrecision","minimumSignificantDigits":3,"minimumFractionDigits":1} is ١٫٠٠; expected ١٫٠.' Modified: trunk/Source/_javascript_Core/ChangeLog (293812 => 293813) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-05 01:53:23 UTC (rev 293812) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-05 02:21:35 UTC (rev 293813) 
@@ -1,3 +1,19 @@ +2022-05-04 Yusuke Suzuki + +[JSC] Intl.NumberFormat lacks some validation for rounding-increment +https://bugs.webkit.org/show_bug.cgi?id=240102 + +Reviewed by Ross Kirsling. + +This patch adds some validations added in Intl.NumberFormat v3[1]. +Important thing is one is TypeError and one is RangeError. +Both are tested in test262. + +[1]: https://tc39.es/proposal-intl-numberformat-v3/out/numberformat/proposed.html#sec-initializenumberformat + +* runtime/IntlNumberFormat.cpp: +(JSC::IntlNumberFormat::initializeNumberFormat): + 2022-05-04 Ross Kirsling Temporal.Duration constructor should throw on non-integers Modified: trunk/Source/_javascript_Core/runtime/IntlNumberFormat.cpp (293812 => 293813) --- trunk/Source/_javascript_Core/runtime/IntlNumberFormat.cpp 2022-05-05 01:53:23 UTC (rev 293812) +++ trunk/Source/_javascript_Core/runtime/IntlNumberFormat.cpp 2022-05-05 02:21:35 UTC (rev 293813) @@ -394,9 +394,15 @@ throwRangeError(globalObject, scope, "roundingIncrement must be one of 1, 2, 5, 10, 20, 25, 50, 100, 200, 250, 500, 1000, 2000, 2500, 5000"_s); return; } -if (m_roundingIncrement != 1 && m_roundingType != IntlRoundingType::FractionDigits) { -throwRangeError(globalObject, scope, "rounding type is not fraction-digits while roundingIncrement is specified"_s); -return; +if (m_roundingIncrement != 1) { +if (m_roundingType != IntlRoundingType::FractionDigits) { +throwTypeError(globalObject, scope, "rounding type is not fraction-digits while roundingIncrement is specified"_s); +return; +} +if (m_maximumFractionDigits != m_minimumFractionDigits) { +throwRangeError(globalObject, scope, "maximum and minimum fraction-digits are not equal while
[webkit-changes] [293808] trunk
Title: [293808] trunk Revision 293808 Author ysuz...@apple.com Date 2022-05-04 17:51:07 -0700 (Wed, 04 May 2022) Log Message [JSC] Temporal.Instant since/until should not accept year / month / day / week units https://bugs.webkit.org/show_bug.cgi?id=240097 Reviewed by Ross Kirsling. Temporal.Instant.{since,until} should not accept year / month / day / week units as smallestUnit / largestUnit according to the spec [1,2]. But we missed that check and were crashing with the attached test. This patch fixes it. [1]: https://tc39.es/proposal-temporal/#sec-temporal.instant.prototype.until [2]: https://tc39.es/proposal-temporal/#sec-temporal.instant.prototype.since * JSTests/stress/temporal-instant-since-and-until-with-year-month-week-day.js: Added. (shouldThrow): (let.smallestUnit.of.units.shouldThrow): (let.largestUnit.of.units.shouldThrow): * Source/_javascript_Core/runtime/TemporalInstant.cpp: Canonical link: https://commits.webkit.org/250281@main Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/test262/expectations.yaml trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/TemporalInstant.cpp Added Paths trunk/JSTests/stress/temporal-instant-since-and-until-with-year-month-week-day.js Diff Modified: trunk/JSTests/ChangeLog (293807 => 293808) --- trunk/JSTests/ChangeLog 2022-05-05 00:44:40 UTC (rev 293807) +++ trunk/JSTests/ChangeLog 2022-05-05 00:51:07 UTC (rev 293808) 
@@ -1,3 +1,15 @@ +2022-05-04 Yusuke Suzuki + +[JSC] Temporal.Instant since/until should not accept year / month / day / week units +https://bugs.webkit.org/show_bug.cgi?id=240097 + +Reviewed by Ross Kirsling. + +* stress/temporal-instant-since-and-until-with-year-month-week-day.js: Added. +(shouldThrow): +(let.smallestUnit.of.units.shouldThrow): +(let.largestUnit.of.units.shouldThrow): + 2022-05-04 Keith Miller May 2022 test262 update Added: trunk/JSTests/stress/temporal-instant-since-and-until-with-year-month-week-day.js (0 => 293808) --- trunk/JSTests/stress/temporal-instant-since-and-until-with-year-month-week-day.js (rev 0) +++ trunk/JSTests/stress/temporal-instant-since-and-until-with-year-month-week-day.js 2022-05-05 00:51:07 UTC (rev 293808) 
@@ -0,0 +1,39 @@
+//@ requireOptions("--useTemporal=1")
+function shouldThrow(func, errorMessage) {
+var errorThrown = false;
+var error = null;
+try {
+func();
+} catch (e) {
+errorThrown = true;
+error = e;
+}
+if (!errorThrown)
+throw new Error('not thrown');
+if (String(error) !== errorMessage)
+throw new Error(`bad error: ${String(error)}`);
+}
+
+let earlier = new Temporal.Instant(1_000_000_000_000_000_000n);
+let later = new Temporal.Instant(1_000_090_061_987_654_321n);
+let units = [ "year", "month", "week", "day", ];
+for (let smallestUnit of units) {
+shouldThrow(() => {
+later.since(earlier, { smallestUnit });
+}, `RangeError: smallestUnit is a disallowed unit`);
+}
+for (let largestUnit of units) {
+shouldThrow(() => {
+later.since(earlier, { largestUnit });
+}, `RangeError: largestUnit is a disallowed unit`);
+}
+for (let smallestUnit of units) {
+shouldThrow(() => {
+earlier.until(later, { smallestUnit });
+}, `RangeError: smallestUnit is a disallowed unit`);
+}
+for (let largestUnit of units) {
+shouldThrow(() => {
+earlier.until(later, { largestUnit });
+}, `RangeError: largestUnit is a disallowed unit`);
+}
Modified: trunk/JSTests/test262/expectations.yaml (293807 => 293808)
--- trunk/JSTests/test262/expectations.yaml 2022-05-05 00:44:40 UTC (rev 293807)
+++ trunk/JSTests/test262/expectations.yaml 2022-05-05 00:51:07 UTC (rev 293808)
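Review bot: The four loops differ only in the method called and the option key set, so a reader has to diff them by eye to confirm that all four method/option combinations are covered; a nested loop over `["smallestUnit", "largestUnit"]` inside the existing `units` loop, with the expected message built as `` `RangeError: ${option} is a disallowed unit` ``, would make the coverage explicit and keep the two call shapes (`later.since(earlier, ...)` and `earlier.until(later, ...)`) visible in one place. That is a style point only; the assertions themselves match the messages the description says the fix throws.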
@@ -1110,15 +1110,9 @@ test/built-ins/Temporal/Instant/prototype/round/smallestunit-string-shorthand.js: default: 'TypeError: options argument is not an object or undefined' strict mode: 'TypeError: options argument is not an object or undefined' -test/built-ins/Temporal/Instant/prototype/since/largestunit-invalid-string.js: - default: 'Test262Error: "year" is not a valid value for largestUnit Expected a RangeError to be thrown but no exception was thrown at all' - strict mode: 'Test262Error: "year" is not a valid value for largestUnit Expected a RangeError to be thrown but no exception was thrown at all' test/built-ins/Temporal/Instant/prototype/since/largestunit.js: default: 'Test262Error: does not include higher units than necessary (largest unit unspecified) nanoseconds result Expected SameValue(«40», «101») to be true' strict mode: 'Test262Error: does not include higher units than necessary (largest unit unspecified) nanoseconds result Expected SameValue(«40», «101») to be true' -test/built-ins/Temporal/Instant/prototype/since/smallestunit-invalid-string.js: - default: 'Test262Error: "year" is not a valid value for smallest unit Expected a RangeError to be
[webkit-changes] [293799] trunk/Source/JavaScriptCore
Title: [293799] trunk/Source/_javascript_Core Revision 293799 Author ysuz...@apple.com Date 2022-05-04 16:17:13 -0700 (Wed, 04 May 2022) Log Message [JSC] Use decontaminate in StructureID::decode https://bugs.webkit.org/show_bug.cgi?id=240088 Reviewed by Saam Barati and Mark Lam. We have a bug that ENABLE(STRUCTURE_ID_WITH_SHIFT) and CPU(ADDRESS32) version of StructureID::decode does not have decontaminate() call. It is wrong since these ID can be decoded concurrently. This patch fixes it. * Source/_javascript_Core/runtime/StructureID.h: (JSC::StructureID::decode const): Canonical link: https://commits.webkit.org/250273@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/StructureID.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293798 => 293799) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-04 23:14:45 UTC (rev 293798) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-04 23:17:13 UTC (rev 293799) @@ -1,3 +1,16 @@ +2022-05-04 Yusuke Suzuki + +[JSC] Use decontaminate in StructureID::decode +https://bugs.webkit.org/show_bug.cgi?id=240088 + +Reviewed by Saam Barati and Mark Lam. + +We have a bug that ENABLE(STRUCTURE_ID_WITH_SHIFT) and CPU(ADDRESS32) version of StructureID::decode +does not have decontaminate() call. It is wrong since these ID can be decoded concurrently. This patch fixes it. + +* runtime/StructureID.h: +(JSC::StructureID::decode const): + 2022-05-04 Mark Lam Use IterationStatus in more places. Modified: trunk/Source/_javascript_Core/runtime/StructureID.h (293798 => 293799) --- trunk/Source/_javascript_Core/runtime/StructureID.h 2022-05-04 23:14:45 UTC (rev 293798) +++ trunk/Source/_javascript_Core/runtime/StructureID.h 2022-05-04 23:17:13 UTC (rev 293799) 
@@ -88,7 +88,7 @@
 ALWAYS_INLINE Structure* StructureID::decode() const
 {
 ASSERT(decontaminate());
-return reinterpret_cast(static_cast(m_bits) << encodeShiftAmount);
+return reinterpret_cast(static_cast(decontaminate().m_bits) << encodeShiftAmount);
 }
 ALWAYS_INLINE Structure* StructureID::tryDecode() const
@@ -140,7 +140,7 @@
 ALWAYS_INLINE Structure* StructureID::decode() const
 {
 ASSERT(decontaminate());
-return reinterpret_cast(m_bits);
+return reinterpret_cast(decontaminate().m_bits);
 }
 ALWAYS_INLINE Structure* StructureID::tryDecode() const
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
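Review bot: The trailing context of both hunks shows `StructureID::tryDecode()`, which this commit leaves untouched; if it can be reached from the same concurrent GC/JIT paths the description names, it needs the same `decontaminate()` masking (r293847, also on this page, later adds it to the ADDRESS32 variant). A one-line why-comment on each new return would also help, e.g. `// Clear the nuked bit first: the collector may nuke this ID while a concurrent reader still holds it.` (that decontaminate() clears nukedStructureIDBit is inferred from the name). The `ASSERT(decontaminate())` on the preceding line is debug-only, so the release-build behaviour is exactly the masked read.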
[webkit-changes] [293768] trunk/Source/WTF
Title: [293768] trunk/Source/WTF Revision 293768 Author ysuz...@apple.com Date 2022-05-04 02:30:16 -0700 (Wed, 04 May 2022) Log Message [WTF] Initialize emptyString and nullString data at compile time https://bugs.webkit.org/show_bug.cgi?id=240054 Reviewed by Mark Lam. As we did for AtomString in r293757, we can initialize emptyString() and nullString() data at compile time. This patch does that for WTF::String. * Source/WTF/wtf/text/WTFString.cpp: (WTF::emptyString): Deleted. (WTF::nullString): Deleted. * Source/WTF/wtf/text/WTFString.h: (WTF::StaticString::StaticString): (WTF::nullString): (WTF::emptyString): Canonical link: https://commits.webkit.org/250247@main Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/text/WTFString.cpp trunk/Source/WTF/wtf/text/WTFString.h Diff Modified: trunk/Source/WTF/ChangeLog (293767 => 293768) --- trunk/Source/WTF/ChangeLog 2022-05-04 09:12:15 UTC (rev 293767) +++ trunk/Source/WTF/ChangeLog 2022-05-04 09:30:16 UTC (rev 293768) @@ -1,5 +1,23 @@ 2022-05-03 Yusuke Suzuki +[WTF] Initialize emptyString and nullString data at compile time +https://bugs.webkit.org/show_bug.cgi?id=240054 + +Reviewed by Mark Lam. + +As we did for AtomString in r293757, we can initialize emptyString() and nullString() +data at compile time. This patch does that for WTF::String. + +* wtf/text/WTFString.cpp: +(WTF::emptyString): Deleted. +(WTF::nullString): Deleted. +* wtf/text/WTFString.h: +(WTF::StaticString::StaticString): +(WTF::nullString): +(WTF::emptyString): + +2022-05-03 Yusuke Suzuki + [JSC] Initialize empty and null AtomString at compile time https://bugs.webkit.org/show_bug.cgi?id=240031 Modified: trunk/Source/WTF/wtf/text/WTFString.cpp (293767 => 293768) --- trunk/Source/WTF/wtf/text/WTFString.cpp 2022-05-04 09:12:15 UTC (rev 293767) +++ trunk/Source/WTF/wtf/text/WTFString.cpp 2022-05-04 09:30:16 UTC (rev 293768) 
@@ -635,18 +635,9 @@ return static_cast(toDoubleType(data, length, nullptr, parsedLength)); } -const String& emptyString() -{ -static NeverDestroyed emptyString(StringImpl::empty()); -return emptyString; -} +WTF_EXPORT_PRIVATE const StaticString nullStringData { nullptr }; +WTF_EXPORT_PRIVATE const StaticString emptyStringData { ::s_emptyAtomString }; -const String& nullString() -{ -static NeverDestroyed nullString; -return nullString; -} - } // namespace WTF #ifndef NDEBUG Modified: trunk/Source/WTF/wtf/text/WTFString.h (293767 => 293768) --- trunk/Source/WTF/wtf/text/WTFString.h 2022-05-04 09:12:15 UTC (rev 293767) +++ trunk/Source/WTF/wtf/text/WTFString.h 2022-05-04 09:30:16 UTC (rev 293768) @@ -380,9 +380,21 @@ template void appendNumber(Vector&, unsigned char number); // Shared global empty and null string. -WTF_EXPORT_PRIVATE const String& emptyString(); -WTF_EXPORT_PRIVATE const String& nullString(); +struct StaticString { +constexpr StaticString(StringImpl::StaticStringImpl* pointer) +: m_pointer(pointer) +{ +} +StringImpl::StaticStringImpl* m_pointer; +}; +static_assert(sizeof(String) == sizeof(StaticString), "String and StaticString must be the same size!"); +extern WTF_EXPORT_PRIVATE const StaticString nullStringData; +extern WTF_EXPORT_PRIVATE const StaticString emptyStringData; + +inline const String& nullString() { return *reinterpret_cast(); } +inline const String& emptyString() { return *reinterpret_cast(); } + template struct DefaultHash; template<> struct DefaultHash; template<> struct VectorTraits : VectorTraitsBase { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
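Review bot: `nullString()` and `emptyString()` now reinterpret a `StaticString` as a `String`, and the only guard is `sizeof` equality, which says nothing about alignment or member layout; add `static_assert(alignof(String) == alignof(StaticString), "String and StaticString must have the same alignment!");` next to the size assert, and a comment stating the contract the punning relies on: `// StaticString mirrors String's single pointer member so these constants can be read as Strings without running a constructor; they are never destroyed, so the StaticStringImpl refcount is never touched.` (that String holds exactly one pointer-sized member is inferred from the sizeof assert, not visible here). The `::s_emptyAtomString` initializer has lost its qualifying name in this rendering, so I could not check which object it refers to.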
[webkit-changes] [293757] trunk/Source
Title: [293757] trunk/Source Revision 293757 Author ysuz...@apple.com Date 2022-05-03 19:27:25 -0700 (Tue, 03 May 2022) Log Message [JSC] Initialize empty and null AtomString at compile time https://bugs.webkit.org/show_bug.cgi?id=240031 Reviewed by Mark Lam. Because they are initialized from static data, we can just initialize them at compile time, and we do not need to have `AtomString::init`. * Source/WebKit/WebAuthnProcess/WebAuthnProcess.cpp: (WebKit::WebAuthnProcess::initializeWebAuthnProcess): * Source/WTF/wtf/Threading.cpp: (WTF::initialize): * Source/WTF/wtf/text/AtomString.cpp: (WTF::AtomString::init): Deleted. * Source/WTF/wtf/text/AtomString.h: (WTF::StaticAtomString::StaticAtomString): (WTF::nullAtom): (WTF::emptyAtom): * Source/WebCore/dom/make_names.pl: (printInit): Canonical link: https://commits.webkit.org/250236@main Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/Threading.cpp trunk/Source/WTF/wtf/text/AtomString.cpp trunk/Source/WTF/wtf/text/AtomString.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/dom/QualifiedName.cpp trunk/Source/WebCore/dom/make_names.pl trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/WebAuthnProcess/WebAuthnProcess.cpp Diff Modified: trunk/Source/WTF/ChangeLog (293756 => 293757) --- trunk/Source/WTF/ChangeLog 2022-05-04 01:44:49 UTC (rev 293756) +++ trunk/Source/WTF/ChangeLog 2022-05-04 02:27:25 UTC (rev 293757) 
@@ -1,3 +1,22 @@ +2022-05-03 Yusuke Suzuki + +[JSC] Initialize empty and null AtomString at compile time +https://bugs.webkit.org/show_bug.cgi?id=240031 + +Reviewed by Mark Lam. + +Because they are initialized from static data, we can just initialize them +at compile time, and we do not need to have `AtomString::init`. + +* wtf/Threading.cpp: +(WTF::initialize): +* wtf/text/AtomString.cpp: +(WTF::AtomString::init): Deleted. +* wtf/text/AtomString.h: +(WTF::StaticAtomString::StaticAtomString): +(WTF::nullAtom): +(WTF::emptyAtom): + 2022-05-03 Chris Dumez REGRESSION (r293703): 358 JSC tests failing Modified: trunk/Source/WTF/wtf/Threading.cpp (293756 => 293757) --- trunk/Source/WTF/wtf/Threading.cpp 2022-05-04 01:44:49 UTC (rev 293756) +++ trunk/Source/WTF/wtf/Threading.cpp 2022-05-04 02:27:25 UTC (rev 293757) @@ -475,7 +475,6 @@ #if USE(PTHREADS) && HAVE(MACHINE_CONTEXT) SignalHandlers::initialize(); #endif -AtomString::init(); }); } Modified: trunk/Source/WTF/wtf/text/AtomString.cpp (293756 => 293757) --- trunk/Source/WTF/wtf/text/AtomString.cpp 2022-05-04 01:44:49 UTC (rev 293756) +++ trunk/Source/WTF/wtf/text/AtomString.cpp 2022-05-04 02:27:25 UTC (rev 293757) @@ -32,6 +32,9 @@ namespace WTF { +WTF_EXPORT_PRIVATE const StaticAtomString nullAtomData { nullptr }; +WTF_EXPORT_PRIVATE const StaticAtomString emptyAtomData { ::s_emptyAtomString }; + template ALWAYS_INLINE AtomString AtomString::convertASCIICase() const { 
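Review bot: The two new definitions in AtomString.cpp carry no comment, while the header hunk of this same commit deletes the one that explained why these two atoms are usable from any thread; keep that rationale next to the data it describes: `// Backing data for nullAtom()/emptyAtom(). Their StaticStringImpls are never registered in an AtomStringTable, so they can be used from any thread.` The `::s_emptyAtomString` initializer has lost its qualifying name in this rendering, so I could not check what it names. The Threading.cpp hunk that drops the `AtomString::init()` call is a pure deletion and needs no note.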
@@ -134,18 +137,6 @@ #endif -WTF_EXPORT_PRIVATE LazyNeverDestroyed nullAtomData; -WTF_EXPORT_PRIVATE LazyNeverDestroyed emptyAtomData; - -void AtomString::init() -{ -static std::once_flag initializeKey; -std::call_once(initializeKey, [] { -nullAtomData.construct(); -emptyAtomData.construct(AtomString::fromLatin1("")); -}); -} - static inline StringBuilder replaceUnpairedSurrogatesWithReplacementCharacterInternal(StringView view) { // Slow path: https://infra.spec.whatwg.org/#_javascript_-string-convert Modified: trunk/Source/WTF/wtf/text/AtomString.h (293756 => 293757) --- trunk/Source/WTF/wtf/text/AtomString.h 2022-05-04 01:44:49 UTC (rev 293756) +++ trunk/Source/WTF/wtf/text/AtomString.h 2022-05-04 02:27:25 UTC (rev 293757) @@ -35,8 +35,6 @@ class AtomString final { WTF_MAKE_FAST_ALLOCATED; public: -WTF_EXPORT_PRIVATE static void init(); - AtomString(); AtomString(const LChar*, unsigned length); AtomString(const UChar*, unsigned length); @@ -279,13 +277,21 @@ #endif -// nullAtom and emptyAtom are special AtomString. They can be used from any threads since their StringImpls are not actually registered into AtomStringTable. -extern WTF_EXPORT_PRIVATE LazyNeverDestroyed nullAtomData; -extern WTF_EXPORT_PRIVATE LazyNeverDestroyed emptyAtomData; +struct StaticAtomString { +constexpr StaticAtomString(StringImpl::StaticStringImpl* pointer) +: m_pointer(pointer) +{ +} -inline const AtomString& nullAtom() { return nullAtomData.get(); } -inline const AtomString& emptyAtom() { return emptyAtomData.get(); } +StringImpl::StaticStringImpl* m_pointer; +}; +static_assert(sizeof(AtomString) == sizeof(StaticAtomString), "AtomString and StaticAtomString must be the same size!"); +extern WTF_EXPORT_PRIVATE const StaticAtomString nullAtomData; +extern WTF_EXPORT_PRIVATE const StaticAtomString emptyAtomData; +inline const AtomString& nullAtom() { return
[webkit-changes] [293746] trunk/Source/JavaScriptCore
Title: [293746] trunk/Source/_javascript_Core Revision 293746 Author ysuz...@apple.com Date 2022-05-03 16:27:42 -0700 (Tue, 03 May 2022) Log Message [JSC] Extend Structure heap size from 1GB to 4GB https://bugs.webkit.org/show_bug.cgi?id=240028 Reviewed by Saam Barati. 1GB was much smaller compared to StructureIDTable (which allowed 7GB). This patch extends 1GB to 4GB, that's maximum limit of the current encoding scheme (we can extend it further to 64GB if we introduce shift based on alignment, but currently not used). We use this 4GB on platforms which has enough virtual address space. * Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * Source/_javascript_Core/jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitNonNullDecodeStructureID): * Source/_javascript_Core/runtime/JSCConfig.h: Canonical link: https://commits.webkit.org/250234@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/runtime/JSCConfig.h trunk/Source/_javascript_Core/tools/IntegrityInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293745 => 293746) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-03 23:02:37 UTC (rev 293745) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-03 23:27:42 UTC (rev 293746) 
@@ -1,3 +1,21 @@ +2022-05-03 Yusuke Suzuki + +[JSC] Extend Structure heap size from 1GB to 4GB +https://bugs.webkit.org/show_bug.cgi?id=240028 + +Reviewed by Saam Barati. + +1GB was much smaller compared to StructureIDTable (which allowed 7GB). +This patch extends 1GB to 4GB, that's maximum limit of the current encoding scheme (we can +extend it further to 64GB if we introduce shift based on alignment, but currently not used). +We use this 4GB on platforms which has enough virtual address space. + +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::emitNonNullDecodeStructureID): +* runtime/JSCConfig.h: + 2022-05-03 Philippe Normand and Pavel Feldman and Yury Semikhatsky [WK2] Add API to allow embedder to set a timezone override Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (293745 => 293746) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2022-05-03 23:02:37 UTC (rev 293745) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2022-05-03 23:27:42 UTC (rev 293746) 
@@ -14860,7 +14860,7 @@ slowCases.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR, CCallHelpers::TrustedImm32(JSFunction::rareDataTag))); m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfInternalFunctionAllocationProfile() + InternalFunctionAllocationProfile::offsetOfStructureID() - JSFunction::rareDataTag), structureGPR); slowCases.append(m_jit.branchTest32(CCallHelpers::Zero, structureGPR)); -m_jit.emitNonNullDecodeStructureID(structureGPR, structureGPR); +m_jit.emitNonNullDecodeZeroExtendedStructureID(structureGPR, structureGPR); m_jit.move(TrustedImmPtr(node->isInternalPromise() ? JSInternalPromise::info() : JSPromise::info()), scratch1GPR); slowCases.append(m_jit.branchPtr(CCallHelpers::NotEqual, scratch1GPR, CCallHelpers::Address(structureGPR, Structure::classInfoOffset(; m_jit.loadLinkableConstant(JITCompiler::LinkableConstant(m_graph, globalObject), scratch1GPR); 
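Review bot: The new `emitNonNullDecodeZeroExtendedStructureID(structureGPR, structureGPR)` call, on the line after the `branchTest32` zero check, is only correct because the preceding `load32` leaves the upper half of structureGPR cleared, and nothing at the call site says so; with the structure heap now covering the full 32-bit ID range, an ID that arrived through a sign-extending path would presumably decode to an address outside the heap. A one-line comment would pin the precondition, e.g. `// structureGPR was filled by load32, so its upper 32 bits are already zero.` The same applies to the identical call in the next hunk. The helper's body is not in this diff, so the exact difference from the non-ZeroExtended variant is inferred from its name.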
@@ -14909,7 +14909,7 @@ slowCases.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR, CCallHelpers::TrustedImm32(JSFunction::rareDataTag))); m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfInternalFunctionAllocationProfile() + InternalFunctionAllocationProfile::offsetOfStructureID() - JSFunction::rareDataTag), structureGPR); slowCases.append(m_jit.branchTest32(CCallHelpers::Zero, structureGPR)); -m_jit.emitNonNullDecodeStructureID(structureGPR, structureGPR); +m_jit.emitNonNullDecodeZeroExtendedStructureID(structureGPR, structureGPR); m_jit.move(TrustedImmPtr(JSClass::info()), scratch1GPR); slowCases.append(m_jit.branchPtr(CCallHelpers::NotEqual, scratch1GPR, CCallHelpers::Address(structureGPR, Structure::classInfoOffset(; m_jit.loadLinkableConstant(JITCompiler::LinkableConstant(m_graph, globalObject), scratch1GPR); Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (293745 => 293746) --- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-05-03 23:02:37 UTC (rev 293745) +++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-05-03 23:27:42 UTC (rev 293746) @@ -21017,7 +21017,9 @@ #if ENABLE(STRUCTURE_ID_WITH_SHIFT) return
[webkit-changes] [293714] trunk
Title: [293714] trunk Revision 293714 Author ysuz...@apple.com Date 2022-05-02 22:07:01 -0700 (Mon, 02 May 2022) Log Message [JSC] Introduce unlinked version of invalidation https://bugs.webkit.org/show_bug.cgi?id=239887 Reviewed by Saam Barati. This patch makes invalidation mechanism unlinked for unlinked DFG. 1. We always use CheckTraps instead of InvalidationPoint with VMTraps so that we do not need to repatch existing code. 2. We introduce load-and-branch based InvalidationPoint for unlinked DFG so that we do not need to repatch it to jump to OSR exit when watchpoint fires. We store this condition in DFG::JITData so that code can quickly access to that. 3. We make isStillValid conditions in DFG::CommonData always true for unlinked DFG code. Instead, we check isJettisoned() condition of CodeBlock since it will become eventually per CodeBlock information (while this CodeBlock gets invalidated, unlinked DFG code itself can be used for the other CodeBlock). After this change, now, jumpReplacements for unlinked DFG becomes empty. We no longer repatch these invalidation points. * Source/_javascript_Core/bytecode/CodeBlock.cpp: (JSC::CodeBlock::jettison): (JSC::CodeBlock::hasInstalledVMTrapsBreakpoints const): (JSC::CodeBlock::canInstallVMTrapBreakpoints const): (JSC::CodeBlock::installVMTrapBreakpoints): (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const): Deleted. 
* Source/_javascript_Core/bytecode/CodeBlock.h: * Source/_javascript_Core/dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * Source/_javascript_Core/dfg/DFGCommonData.cpp: (JSC::DFG::CommonData::invalidate): (JSC::DFG::CommonData::~CommonData): (JSC::DFG::CommonData::installVMTrapBreakpoints): (JSC::DFG::CommonData::isVMTrapBreakpoint): * Source/_javascript_Core/dfg/DFGCommonData.h: (JSC::DFG::CommonData::CommonData): (JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints const): (JSC::DFG::CommonData::isStillValid const): * Source/_javascript_Core/dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * Source/_javascript_Core/dfg/DFGJITCode.cpp: (JSC::DFG::JITCode::JITCode): * Source/_javascript_Core/dfg/DFGJITCode.h: * Source/_javascript_Core/dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): * Source/_javascript_Core/dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): (JSC::DFG::prepareCatchOSREntry): * Source/_javascript_Core/dfg/DFGPlan.cpp: (JSC::DFG::Plan::finalize): * Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInvalidationPoint): (JSC::DFG::SpeculativeJIT::compileCheckTraps): (JSC::DFG::SpeculativeJIT::emitInvalidationPoint): Deleted. 
* Source/_javascript_Core/dfg/DFGSpeculativeJIT.h: * Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * Source/_javascript_Core/ftl/FTLJITCode.cpp: (JSC::FTL::JITCode::JITCode): * Source/_javascript_Core/ftl/FTLJITCode.h: (JSC::FTL::JITCode::isUnlinked const): * Source/_javascript_Core/ftl/FTLOSREntry.cpp: (JSC::FTL::prepareOSREntry): * Source/_javascript_Core/jit/JITCode.cpp: (JSC::JITCode::isUnlinked const): * Source/_javascript_Core/jit/JITCode.h: * Source/_javascript_Core/runtime/VMTraps.cpp: (JSC::VMTraps::tryInstallTrapBreakpoints): (JSC::VMTraps::handleTraps): Canonical link: https://commits.webkit.org/250203@main Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGCommonData.cpp trunk/Source/_javascript_Core/dfg/DFGCommonData.h trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGJITCode.cpp trunk/Source/_javascript_Core/dfg/DFGJITCode.h trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLJITCode.cpp trunk/Source/_javascript_Core/ftl/FTLJITCode.h trunk/Source/_javascript_Core/ftl/FTLOSREntry.cpp trunk/Source/_javascript_Core/jit/JITCode.cpp trunk/Source/_javascript_Core/jit/JITCode.h trunk/Source/_javascript_Core/runtime/VMTraps.cpp Added Paths trunk/JSTests/stress/polling-based-trap-on-unlinked-dfg.js Diff Modified: 
trunk/JSTests/ChangeLog (293713 => 293714) --- trunk/JSTests/ChangeLog 2022-05-03 04:38:50 UTC (rev 293713) +++ trunk/JSTests/ChangeLog 2022-05-03 05:07:01 UTC (rev 293714) @@ -1,3 +1,13 @@ +2022-04-29 Yusuke Suzuki + +[JSC] Introduce unlinked version of invalidation +https://bugs.webkit.org/show_bug.cgi?id=239887 + +Reviewed by Saam Barati. + +
[webkit-changes] [293710] trunk/Source/JavaScriptCore
Title: [293710] trunk/Source/_javascript_Core Revision 293710 Author ysuz...@apple.com Date 2022-05-02 20:02:04 -0700 (Mon, 02 May 2022) Log Message [JSC] Introduce shifting Structure encoding https://bugs.webkit.org/show_bug.cgi?id=239957 Reviewed by Mark Lam. For platforms which have a limited amount of virtual address space (<= 36 bits), this patch introduces shifting Structure encoding. We align Structure on a 32-byte boundary instead of 16 bytes so that we can ensure that the lower 5 bits are zero. Then, we can use 1 bit for nuke, and shift by 4 bits to convert a 36 bit address to a 32 bit StructureID. By using this mechanism, we do not need to allocate large virtual address space for these platforms. If an address can have more than 36 bits, then we should just reserve a larger address region since we have enough address space. Current Structure size is 112 bytes, which is 3.5 atoms at 32 bytes / atom. Hence, this alignment costs us 16 bytes per Structure. Relanding with debug build failure & crash on static atomSize assumption in IsoSubspace. 
* ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * heap/Heap.cpp: * heap/IsoSubspace.h: (JSC::GCClient::IsoSubspace::allocatorFor): * heap/IsoSubspaceInlines.h: (JSC::GCClient::IsoSubspace::allocate): * heap/StructureAlignedMemoryAllocator.cpp: (JSC::StructureMemoryManager::StructureMemoryManager): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitNonNullDecodeStructureID): * llint/LLIntOfflineAsmConfig.h: * llint/LowLevelInterpreter64.asm: * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::JSCell): * runtime/Structure.cpp: (JSC::Structure::Structure): * runtime/Structure.h: * runtime/StructureID.h: (JSC::StructureID::decode const): (JSC::StructureID::tryDecode const): (JSC::StructureID::encode): * tools/IntegrityInlines.h: (JSC::Integrity::auditStructureID): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/IsoSubspace.h trunk/Source/_javascript_Core/heap/IsoSubspaceInlines.h trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/llint/LLIntOfflineAsmConfig.h trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/runtime/JSCell.h trunk/Source/_javascript_Core/runtime/JSCellInlines.h trunk/Source/_javascript_Core/runtime/Structure.cpp trunk/Source/_javascript_Core/runtime/Structure.h trunk/Source/_javascript_Core/runtime/StructureID.h trunk/Source/_javascript_Core/tools/IntegrityInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293709 => 293710) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-03 02:08:46 UTC (rev 293709) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-03 03:02:04 UTC (rev 293710) 
@@ -1,3 +1,46 @@ +2022-05-02 Yusuke Suzuki + +[JSC] Introduce shifting Structure encoding +https://bugs.webkit.org/show_bug.cgi?id=239957 + +Reviewed by Mark Lam. + +For platforms which have limited amount of virtual address space (<= 36 bits), this patch introduces +shifting Structure encoding. We align Structure on a 32-bytes boundary instead of 16 bytes so that +we can ensure that lower 5 bits are zero. Then, we can use 1 bit for nuke, and shifting 4 bits to +convert 36 bit address to 32 bit StructureID. By using this mechanism, we do not need to allocate +large virtual address space for these platforms. If we an address can have more than 36 bits, then +we should just reserve a larger address region since we have enough address space. Current Structure +size is 112 bytes, which is 3.5 atoms at 32 bytes / atom. Hence, this alignment costs us 16 bytes per +Structure. +Relanding with debug build failure & crash on static atomSize assumption in IsoSubspace. + +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): +* heap/Heap.cpp: +* heap/IsoSubspace.h: +(JSC::GCClient::IsoSubspace::allocatorFor): +* heap/IsoSubspaceInlines.h: +(JSC::GCClient::IsoSubspace::allocate): +* heap/StructureAlignedMemoryAllocator.cpp: +(JSC::StructureMemoryManager::StructureMemoryManager): +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::emitNonNullDecodeStructureID): +* llint/LLIntOfflineAsmConfig.h: +* llint/LowLevelInterpreter64.asm: +* runtime/JSCell.h: +* runtime/JSCellInlines.h: +(JSC::JSCell::JSCell): +* runtime/Structure.cpp: +(JSC::Structure::Structure): +* runtime/Structure.h: +* runtime/StructureID.h: +(JSC::StructureID::decode const): +(JSC::StructureID::tryDecode const): +(JSC::StructureID::encode): +*
[webkit-changes] [293708] trunk
Title: [293708] trunk Revision 293708 Author ysuz...@apple.com Date 2022-05-02 18:55:37 -0700 (Mon, 02 May 2022) Log Message [JSC] Add ISO8601 based Temporal.PlainDate getters https://bugs.webkit.org/show_bug.cgi?id=239949 Reviewed by Ross Kirsling and Dean Jackson. This patch adds missing getters of Temporal.PlainDate. Currently, we are not querying to Calendar. It will be wired once we bake Calendar completely. * JSTests/stress/temporal-plaindate.js: (print): (shouldBe): * Source/_javascript_Core/runtime/ISO8601.cpp: (JSC::ISO8601::dayOfWeek): (JSC::ISO8601::dayOfYear): (JSC::ISO8601::weekOfYear): (JSC::ISO8601::daysInMonth): (JSC::ISO8601::monthCode): * Source/_javascript_Core/runtime/ISO8601.h: * Source/_javascript_Core/runtime/TemporalPlainDate.cpp: (JSC::TemporalPlainDate::from): (JSC::TemporalPlainDate::monthCode const): (JSC::TemporalPlainDate::dayOfWeek const): (JSC::TemporalPlainDate::dayOfYear const): (JSC::TemporalPlainDate::weekOfYear const): * Source/_javascript_Core/runtime/TemporalPlainDate.h: * Source/_javascript_Core/runtime/TemporalPlainDatePrototype.cpp: (JSC::JSC_DEFINE_CUSTOM_GETTER): Canonical link: https://commits.webkit.org/250197@main Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/temporal-plaindate.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/ISO8601.cpp trunk/Source/_javascript_Core/runtime/ISO8601.h trunk/Source/_javascript_Core/runtime/TemporalPlainDate.cpp trunk/Source/_javascript_Core/runtime/TemporalPlainDate.h trunk/Source/_javascript_Core/runtime/TemporalPlainDatePrototype.cpp Diff Modified: trunk/JSTests/ChangeLog (293707 => 293708) --- trunk/JSTests/ChangeLog 2022-05-03 01:32:11 UTC (rev 293707) +++ trunk/JSTests/ChangeLog 2022-05-03 01:55:37 UTC (rev 293708) 
@@ -1,3 +1,14 @@ +2022-05-01 Yusuke Suzuki + +[JSC] Add ISO8601 based Temporal.PlainDate getters +https://bugs.webkit.org/show_bug.cgi?id=239949 + +Reviewed by Ross Kirsling and Dean Jackson. + +* stress/temporal-plaindate.js: +(print): +(shouldBe): + 2022-05-02 Angelos Oikonomopoulos new-largeish-contiguous-array-with-size.js: pick up leakFactor Modified: trunk/JSTests/stress/temporal-plaindate.js (293707 => 293708) --- trunk/JSTests/stress/temporal-plaindate.js 2022-05-03 01:32:11 UTC (rev 293707) +++ trunk/JSTests/stress/temporal-plaindate.js 2022-05-03 01:55:37 UTC (rev 293708) 
@@ -163,13 +163,164 @@ }, RangeError); } -// FIXME: This relies on Temporal.PlainDate.from(object). -// { -// let _one_ = Temporal.PlainDate.from('1001-01-01'); -// let two = Temporal.PlainDate.from('1002-01-01'); -// let three = Temporal.PlainDate.from('1000-02-02'); -// let four = Temporal.PlainDate.from('1001-01-02'); -// let five = Temporal.PlainDate.from('1001-02-01'); -// let sorted = [one, two, three, four, five].sort(Temporal.PlainDate.compare); -// shouldBe(sorted.join(' '), `1000-02-02 1001-01-01 1001-01-02 1001-02-01 1002-01-01`); -// } +{ +let _one_ = Temporal.PlainDate.from('1001-01-01'); +let two = Temporal.PlainDate.from('1002-01-01'); +let three = Temporal.PlainDate.from('1000-02-02'); +let four = Temporal.PlainDate.from('1001-01-02'); +let five = Temporal.PlainDate.from('1001-02-01'); +let sorted = [one, two, three, four, five].sort(Temporal.PlainDate.compare); +shouldBe(sorted.join(' '), `1000-02-02 1001-01-01 1001-01-02 1001-02-01 1002-01-01`); +} + +{ +for (let i = 0; i < 12; ++i) { +let dt = new Temporal.PlainDate(1995, 1 + i, 11 + i); +shouldBe(dt.monthCode, `M${String(1 + i).padStart(2, '0')}`); +} +} + +{ +let week = ['MON', 'TUE', 'WED', 'THU', 'FRI', 'SAT', 'SUN']; +for (let i = 0; i < 7; ++i) { +let dt = new Temporal.PlainDate(1995, 12, 11 + i); +shouldBe(week[dt.dayOfWeek - 1], week[i]); +} +} +{ +shouldBe(Temporal.PlainDate.from('1995-12-07').dayOfWeek, 4); +shouldBe(Temporal.PlainDate.from('1995-12-08').dayOfWeek, 5); +shouldBe(Temporal.PlainDate.from('1995-12-09').dayOfWeek, 6); +shouldBe(Temporal.PlainDate.from('1995-12-10').dayOfWeek, 7); +shouldBe(Temporal.PlainDate.from('1995-12-11').dayOfWeek, 1); +shouldBe(Temporal.PlainDate.from('1995-12-12').dayOfWeek, 2); +shouldBe(Temporal.PlainDate.from('1995-12-13').dayOfWeek, 3); +shouldBe(Temporal.PlainDate.from('1995-12-14').dayOfWeek, 4); +} + +{ +let tests = [ +[ '1995-01-01', 1 ], +[ '1995-12-07', 341 ], +[ '1995-12-31', 365 ], +[ '2000-01-01', 1 ], +[ '2000-12-07', 342 ], +[ 
'2000-12-31', 366 ], +[ '2004-01-01', 1 ], +[ '2004-12-07', 342 ], +[ '2004-12-31', 366 ], +[ '2100-01-01', 1 ], +[ '2100-12-07', 341 ], +[ '2100-12-31', 365 ], +]; +for (let test of tests) { +let dt = Temporal.PlainDate.from(test[0]); +shouldBe(dt.dayOfYear, test[1]); +} +}
[webkit-changes] [293693] trunk/Source/JavaScriptCore
Title: [293693] trunk/Source/_javascript_Core Revision 293693 Author ysuz...@apple.com Date 2022-05-02 15:58:40 -0700 (Mon, 02 May 2022) Log Message [JSC] Fix ASan crash due to CString ownership https://bugs.webkit.org/show_bug.cgi?id=239981 Reviewed by Darin Adler and Mark Lam. We need to ensure that CString is kept alive. * runtime/JSDateMath.cpp: (JSC::DateCache::timeZoneDisplayName): Canonical link: https://commits.webkit.org/250189@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSDateMath.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293692 => 293693) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-02 22:49:23 UTC (rev 293692) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-02 22:58:40 UTC (rev 293693) @@ -1,3 +1,15 @@ +2022-05-02 Yusuke Suzuki + +[JSC] Fix ASan crash due to CString ownership +https://bugs.webkit.org/show_bug.cgi?id=239981 + +Reviewed by Darin Adler and Mark Lam. + +We need to ensure that CString is kept alive. + +* runtime/JSDateMath.cpp: +(JSC::DateCache::timeZoneDisplayName): + 2022-05-02 Justin Michaud Add option to JSC shell to wait for a USR2 signal before exiting to aid in collection of vmmaps Modified: trunk/Source/_javascript_Core/runtime/JSDateMath.cpp (293692 => 293693) --- trunk/Source/_javascript_Core/runtime/JSDateMath.cpp 2022-05-02 22:49:23 UTC (rev 293692) +++ trunk/Source/_javascript_Core/runtime/JSDateMath.cpp 2022-05-02 22:58:40 UTC (rev 293693) 
@@ -370,17 +370,16 @@ if (m_timeZoneStandardDisplayNameCache.isNull()) { #if HAVE(ICU_C_TIMEZONE_API) auto& timeZoneCache = *this->timeZoneCache(); -String languageString = defaultLanguage(); -const char* language = languageString.utf8().data(); +CString language = defaultLanguage().utf8(); { Vector standardDisplayNameBuffer; -auto status = callBufferProducingFunction(ucal_getTimeZoneDisplayName, timeZoneCache.m_calendar.get(), UCAL_STANDARD, language, standardDisplayNameBuffer); +auto status = callBufferProducingFunction(ucal_getTimeZoneDisplayName, timeZoneCache.m_calendar.get(), UCAL_STANDARD, language.data(), standardDisplayNameBuffer); if (U_SUCCESS(status)) m_timeZoneStandardDisplayNameCache = String::adopt(WTFMove(standardDisplayNameBuffer)); } { Vector dstDisplayNameBuffer; -auto status = callBufferProducingFunction(ucal_getTimeZoneDisplayName, timeZoneCache.m_calendar.get(), UCAL_DST, language, dstDisplayNameBuffer); +auto status = callBufferProducingFunction(ucal_getTimeZoneDisplayName, timeZoneCache.m_calendar.get(), UCAL_DST, language.data(), dstDisplayNameBuffer); if (U_SUCCESS(status)) m_timeZoneDSTDisplayNameCache = String::adopt(WTFMove(dstDisplayNameBuffer)); } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
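Review bot: The fix at `CString language = defaultLanguage().utf8();` is right, but nothing in the code says why the CString is held by value instead of calling `.data()` inline, so the next refactor can reintroduce the dangling pointer that `.utf8().data()` on a temporary produced. Suggest `// Keep the CString alive for both ICU calls: .utf8().data() on a temporary dangles after the full expression.` above that line. The ASan report in the title suggests this was a real use-after-free in a path that formats time-zone names for Date, so a tree-wide search for `.utf8().data()` handed to a call that keeps the pointer past the statement would be a cheap follow-up. Whether ICU tolerates a null locale from `language.data()` when `defaultLanguage()` is empty is not visible here.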
[webkit-changes] [293680] trunk/Source/JavaScriptCore
Title: [293680] trunk/Source/_javascript_Core Revision 293680 Author ysuz...@apple.com Date 2022-05-02 13:15:44 -0700 (Mon, 02 May 2022) Log Message [JSC] Introduce shifting Structure encoding https://bugs.webkit.org/show_bug.cgi?id=239957 Reviewed by Mark Lam. For platforms which have a limited amount of virtual address space (<= 36 bits), this patch introduces shifting Structure encoding. We align Structure on a 32-byte boundary instead of 16 bytes so that we can ensure that the lower 5 bits are zero. Then, we can use 1 bit for nuke, and shift by 4 bits to convert a 36 bit address to a 32 bit StructureID. By using this mechanism, we do not need to allocate large virtual address space for these platforms. If an address can have more than 36 bits, then we should just reserve a larger address region since we have enough address space. Current Structure size is 112 bytes, which is 3.5 atoms at 32 bytes / atom. Hence, this alignment costs us 16 bytes per Structure. * Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * Source/_javascript_Core/heap/Heap.cpp: * Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp: * Source/_javascript_Core/jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitNonNullDecodeStructureID): * Source/_javascript_Core/llint/LLIntOfflineAsmConfig.h: * Source/_javascript_Core/llint/LowLevelInterpreter64.asm: * Source/_javascript_Core/runtime/JSCConfig.h: * Source/_javascript_Core/runtime/JSCell.h: (JSC::JSCell::atomSize): * Source/_javascript_Core/runtime/Structure.h: (JSC::Structure::atomSize): * Source/_javascript_Core/runtime/StructureID.h: (JSC::StructureID::decode const): (JSC::StructureID::tryDecode const): (JSC::StructureID::encode): * Source/_javascript_Core/tools/IntegrityInlines.h: (JSC::Integrity::auditStructureID): Canonical link: https://commits.webkit.org/250179@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 
trunk/Source/_javascript_Core/heap/Heap.cpp trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/llint/LLIntOfflineAsmConfig.h trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/runtime/JSCell.h trunk/Source/_javascript_Core/runtime/JSCellInlines.h trunk/Source/_javascript_Core/runtime/Structure.cpp trunk/Source/_javascript_Core/runtime/Structure.h trunk/Source/_javascript_Core/runtime/StructureID.h trunk/Source/_javascript_Core/tools/IntegrityInlines.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293679 => 293680) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-02 20:15:27 UTC (rev 293679) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-02 20:15:44 UTC (rev 293680) 
@@ -1,3 +1,39 @@ +2022-05-02 Yusuke Suzuki + +[JSC] Introduce shifting Structure encoding +https://bugs.webkit.org/show_bug.cgi?id=239957 + +Reviewed by Mark Lam. + +For platforms which have limited amount of virtual address space (<= 36 bits), this patch introduces +shifting Structure encoding. We align Structure on a 32-bytes boundary instead of 16 bytes so that +we can ensure that lower 5 bits are zero. Then, we can use 1 bit for nuke, and shifting 4 bits to +convert 36 bit address to 32 bit StructureID. By using this mechanism, we do not need to allocate +large virtual address space for these platforms. If we an address can have more than 36 bits, then +we should just reserve a larger address region since we have enough address space. Current Structure +size is 112 bytes, which is 3.5 atoms at 32 bytes / atom. Hence, this alignment costs us 16 bytes per +Structure. + +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): +* heap/Heap.cpp: +* heap/StructureAlignedMemoryAllocator.cpp: +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::emitNonNullDecodeStructureID): +* llint/LLIntOfflineAsmConfig.h: +* llint/LowLevelInterpreter64.asm: +* runtime/JSCConfig.h: +* runtime/JSCell.h: +(JSC::JSCell::atomSize): +* runtime/Structure.h: +(JSC::Structure::atomSize): +* runtime/StructureID.h: +(JSC::StructureID::decode const): +(JSC::StructureID::tryDecode const): +(JSC::StructureID::encode): +* tools/IntegrityInlines.h: +(JSC::Integrity::auditStructureID): + 2022-05-01 Yusuke Suzuki [JSC] Revive JSC's guard against speculation collection Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (293679 => 293680) --- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-05-02 20:15:27 UTC (rev 293679) +++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-05-02 20:15:44 UTC (rev 293680) @@ -21014,8 +21014,12
[webkit-changes] [293657] trunk/Source/JavaScriptCore
Title: [293657] trunk/Source/_javascript_Core Revision 293657 Author ysuz...@apple.com Date 2022-05-01 18:17:02 -0700 (Sun, 01 May 2022) Log Message [JSC] Revive JSC's guard against speculation collection https://bugs.webkit.org/show_bug.cgi?id=239939 Reviewed by Mark Lam. r288815 dropped JSC's guard against structures in speculation collection, but this is wrong. This patch reverts it back. * Source/_javascript_Core/bytecode/SpeculatedType.cpp: (JSC::speculationFromCell): * Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp: (JSC::StructureMemoryManager::StructureMemoryManager): (JSC::StructureMemoryManager::tryMallocStructureBlock): (JSC::StructureMemoryManager::freeStructureBlock): (JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace): * Source/_javascript_Core/runtime/JSCConfig.h: * Source/_javascript_Core/runtime/StructureID.h: (JSC::StructureID::tryDecode const): Canonical link: https://commits.webkit.org/250161@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp trunk/Source/_javascript_Core/runtime/JSCConfig.h trunk/Source/_javascript_Core/runtime/StructureID.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293656 => 293657) --- trunk/Source/_javascript_Core/ChangeLog 2022-05-02 00:17:50 UTC (rev 293656) +++ trunk/Source/_javascript_Core/ChangeLog 2022-05-02 01:17:02 UTC (rev 293657) 
@@ -1,3 +1,24 @@ +2022-05-01 Yusuke Suzuki + +[JSC] Revive JSC's guard against speculation collection +https://bugs.webkit.org/show_bug.cgi?id=239939 + +Reviewed by Mark Lam. + +r288815 dropped JSC's guard against structures in speculation collection, but this is wrong. +This patch reverts it back. + +* bytecode/SpeculatedType.cpp: +(JSC::speculationFromCell): +* heap/StructureAlignedMemoryAllocator.cpp: +(JSC::StructureMemoryManager::StructureMemoryManager): +(JSC::StructureMemoryManager::tryMallocStructureBlock): +(JSC::StructureMemoryManager::freeStructureBlock): +(JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace): +* runtime/JSCConfig.h: +* runtime/StructureID.h: +(JSC::StructureID::tryDecode const): + 2022-05-01 Zan Dobersek [RISCV64] Implement MacroAssembler::probe(), ctiMasmProbeTrampoline Modified: trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp (293656 => 293657) --- trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp 2022-05-02 00:17:50 UTC (rev 293656) +++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp 2022-05-02 01:17:02 UTC (rev 293657) @@ -596,7 +596,13 @@ } return SpecString; } -return speculationFromStructure(cell->structure()); +// FIXME: rdar://69036888: undo this when no longer needed. +auto* structure = cell->structureID().tryDecode(); +if (UNLIKELY(!isSanePointer(structure))) { +ASSERT_NOT_REACHED(); +return SpecNone; +} +return speculationFromStructure(structure); } SpeculatedType speculationFromValue(JSValue value) Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (293656 => 293657) --- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-05-02 00:17:50 UTC (rev 293656) +++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-05-02 01:17:02 UTC (rev 293657) 
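Review bot: The restored guard fails soft in release builds: `ASSERT_NOT_REACHED()` compiles away, so a cell whose `structureID().tryDecode()` yields an insane pointer silently becomes `SpecNone` and compilation proceeds on that profile. If the intent (per the commit title, a guard against corruption seen during speculation collection) is mitigation rather than diagnosis, that is defensible, but the FIXME should say so; if a bad StructureID here indicates memory corruption worth stopping on, `RELEASE_ASSERT_NOT_REACHED()` would be the safer choice. Suggested replacement for the bare FIXME line: `// FIXME: rdar://69036888: cells observed during speculation collection may carry an undecodable StructureID; decode defensively and report no speculation instead of dereferencing it. Undo when no longer needed.` Whether `isSanePointer` also rejects the null that a failed `tryDecode` presumably returns is not visible in this hunk.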
@@ -75,14 +75,14 @@ // Don't use the first page because zero is used as the empty StructureID and the first allocation will conflict. m_usedBlocks.set(0); -m_mappedHeapSize = structureHeapAddressSize; +uintptr_t mappedHeapSize = structureHeapAddressSize; for (unsigned i = 0; i < 8; ++i) { -g_jscConfig.startOfStructureHeap = reinterpret_cast(OSAllocator::tryReserveUncommittedAligned(m_mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages)); +g_jscConfig.startOfStructureHeap = reinterpret_cast(OSAllocator::tryReserveUncommittedAligned(mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages)); if (g_jscConfig.startOfStructureHeap) break; -m_mappedHeapSize /= 2; +mappedHeapSize /= 2; } - +g_jscConfig.sizeOfStructureHeap = mappedHeapSize; RELEASE_ASSERT(g_jscConfig.startOfStructureHeap && ((g_jscConfig.startOfStructureHeap & ~structureIDMask) == g_jscConfig.startOfStructureHeap)); } @@ -94,8 +94,8 @@ constexpr size_t startIndex = 0; freeIndex = m_usedBlocks.findBit(startIndex, 0); ASSERT(freeIndex <= m_usedBlocks.bitCount()); -RELEASE_ASSERT(m_mappedHeapSize <= structureHeapAddressSize); -if (freeIndex * MarkedBlock::blockSize >= m_mappedHeapSize) +
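Review bot: `g_jscConfig.sizeOfStructureHeap = mappedHeapSize;` replaces the old `m_mappedHeapSize` member with a field in `g_jscConfig` without saying why, and the reason matters for security review: given that `StructureID::tryDecode` and `JSCConfig.h` are touched in the same commit, the size is presumably consumed when bounds-checking a decoded StructureID, and keeping it next to `startOfStructureHeap` in the config rather than in a heap-allocated manager object is what makes that check trustworthy once the config is frozen — confirm that and state it, e.g. `// Recorded in g_jscConfig alongside startOfStructureHeap so StructureID decoding can bounds-check against the size actually reserved (which may be smaller than structureHeapAddressSize).`. A minor ordering point: if all eight `tryReserveUncommittedAligned` attempts fail, `mappedHeapSize` has already been halved past the last attempted size when it is recorded; the following `RELEASE_ASSERT` on `startOfStructureHeap` makes that unreachable in practice, but moving the assignment after the assert, or a one-line comment noting the ordering is harmless, would remove the question. The second hunk (`tryMallocStructureBlock`) is cut off at the end of this chunk and is not reviewed here.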
[webkit-changes] [293629] trunk/Source/JavaScriptCore
Title: [293629] trunk/Source/_javascript_Core Revision 293629 Author ysuz...@apple.com Date 2022-04-29 13:05:32 -0700 (Fri, 29 Apr 2022) Log Message [JSC] Use FixedVector in JumpReplacements and VariableEventStream https://bugs.webkit.org/show_bug.cgi?id=239892 Reviewed by Mark Lam. 1. Introduce DFG::VariableEventStreamBuilder. And construct DFG::VariableEventStream from that builder when finailizing code generation. We also make it FixedVector. 2. Use FixedVector for JumpReplacements. * Source/_javascript_Core/dfg/DFGCommonData.cpp: (JSC::DFG::CommonData::shrinkToFit): * Source/_javascript_Core/dfg/DFGCommonData.h: * Source/_javascript_Core/dfg/DFGGenerationInfo.h: (JSC::DFG::GenerationInfo::noticeOSRBirth): (JSC::DFG::GenerationInfo::use): (JSC::DFG::GenerationInfo::spill): (JSC::DFG::GenerationInfo::setSpilled): (JSC::DFG::GenerationInfo::fillGPR): (JSC::DFG::GenerationInfo::fillJSValue): (JSC::DFG::GenerationInfo::fillCell): (JSC::DFG::GenerationInfo::fillInt32): (JSC::DFG::GenerationInfo::fillInt52): (JSC::DFG::GenerationInfo::fillStrictInt52): (JSC::DFG::GenerationInfo::fillBoolean): (JSC::DFG::GenerationInfo::fillDouble): (JSC::DFG::GenerationInfo::fillStorage): (JSC::DFG::GenerationInfo::appendBirth): (JSC::DFG::GenerationInfo::appendFill): (JSC::DFG::GenerationInfo::appendSpill): * Source/_javascript_Core/dfg/DFGJITCode.cpp: (JSC::DFG::JITCode::shrinkToFit): (JSC::DFG::JITCode::reconstruct): * Source/_javascript_Core/dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): (JSC::DFG::JITCompiler::exceptionCheck): * Source/_javascript_Core/dfg/DFGSlowPathGenerator.h: (JSC::DFG::SlowPathGenerator::SlowPathGenerator): * Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::SpeculativeJIT): (JSC::DFG::SpeculativeJIT::speculationCheck): (JSC::DFG::SpeculativeJIT::emitInvalidationPoint): (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda): 
(JSC::DFG::SpeculativeJIT::fillStorage): (JSC::DFG::SpeculativeJIT::compileDeleteById): (JSC::DFG::SpeculativeJIT::compileDeleteByVal): (JSC::DFG::SpeculativeJIT::compileInById): (JSC::DFG::SpeculativeJIT::compileInByVal): (JSC::DFG::SpeculativeJIT::compileHasPrivate): (JSC::DFG::SpeculativeJIT::noticeOSRBirth): (JSC::DFG::SpeculativeJIT::compileMovHint): (JSC::DFG::SpeculativeJIT::compileCurrentBlock): (JSC::DFG::SpeculativeJIT::compilePutByVal): * Source/_javascript_Core/dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::finalizeEventStream): (JSC::DFG::SpeculativeJIT::use): (JSC::DFG::SpeculativeJIT::spill): (JSC::DFG::SpeculativeJIT::recordSetLocal): * Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): (JSC::DFG::SpeculativeJIT::emitCall): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileGetByVal): * Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): (JSC::DFG::SpeculativeJIT::emitCall): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32): (JSC::DFG::SpeculativeJIT::compileGetByVal): (JSC::DFG::SpeculativeJIT::compile): * Source/_javascript_Core/dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStreamBuilder::logEvent): (JSC::DFG::VariableEventStream::reconstruct const): (JSC::DFG::VariableEventStream::logEvent): Deleted. 
* Source/_javascript_Core/dfg/DFGVariableEventStream.h: (JSC::DFG::VariableEventStream::VariableEventStream): (JSC::DFG::VariableEventStreamBuilder::appendAndLog): (JSC::DFG::VariableEventStreamBuilder::size const): (JSC::DFG::VariableEventStreamBuilder::finalize): (JSC::DFG::VariableEventStream::appendAndLog): Deleted. * Source/_javascript_Core/ftl/FTLLink.cpp: (JSC::FTL::link): * Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * Source/_javascript_Core/ftl/FTLState.h: Canonical link: https://commits.webkit.org/250135@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGCommonData.cpp trunk/Source/_javascript_Core/dfg/DFGCommonData.h trunk/Source/_javascript_Core/dfg/DFGGenerationInfo.h trunk/Source/_javascript_Core/dfg/DFGJITCode.cpp trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp trunk/Source/_javascript_Core/dfg/DFGSlowPathGenerator.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
[webkit-changes] [293623] trunk/Source/JavaScriptCore
Title: [293623] trunk/Source/_javascript_Core Revision 293623 Author ysuz...@apple.com Date 2022-04-29 11:11:19 -0700 (Fri, 29 Apr 2022) Log Message Unreviewed, remove unused variable https://bugs.webkit.org/show_bug.cgi?id=239828 * dfg/DFGGraph.cpp: (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGGraph.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293622 => 293623) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-29 18:08:24 UTC (rev 293622) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-29 18:11:19 UTC (rev 293623) @@ -1,3 +1,11 @@ +2022-04-29 Yusuke Suzuki + +Unreviewed, remove unused variable +https://bugs.webkit.org/show_bug.cgi?id=239828 + +* dfg/DFGGraph.cpp: +(JSC::DFG::Graph::methodOfGettingAValueProfileFor): + 2022-04-27 Yusuke Suzuki [JSC] Make DFG::OSRExit data unlinked Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (293622 => 293623) --- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2022-04-29 18:08:24 UTC (rev 293622) +++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2022-04-29 18:11:19 UTC (rev 293623) 
@@ -1716,9 +1716,9 @@ return MethodOfGettingAValueProfile::bytecodeValueProfile(node->origin.semantic); if (profiledBlock->hasBaselineJITProfiling()) { -if (BinaryArithProfile* result = profiledBlock->binaryArithProfileForBytecodeIndex(node->origin.semantic.bytecodeIndex())) +if (profiledBlock->binaryArithProfileForBytecodeIndex(node->origin.semantic.bytecodeIndex())) return MethodOfGettingAValueProfile::binaryArithProfile(node->origin.semantic); -if (UnaryArithProfile* result = profiledBlock->unaryArithProfileForBytecodeIndex(node->origin.semantic.bytecodeIndex())) +if (profiledBlock->unaryArithProfileForBytecodeIndex(node->origin.semantic.bytecodeIndex())) return MethodOfGettingAValueProfile::unaryArithProfile(node->origin.semantic); } } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [293605] trunk/Source
Title: [293605] trunk/Source Revision 293605 Author ysuz...@apple.com Date 2022-04-28 21:12:55 -0700 (Thu, 28 Apr 2022) Log Message [JSC] Make DFG::OSRExit data unlinked https://bugs.webkit.org/show_bug.cgi?id=239828 Reviewed by Saam Barati. This patch makes DFG::OSRExit unlinked. While generated OSR exit code is linked version, we no longer put linked data to DFG::OSRExit so that unlinked DFG can use DFG::OSRExit. Key changes are two things. 1. Now, we always store compiled MacroAssemblerCodeRef in DFG::JITData regardless of whether we have linked / unlinked DFG. While linked DFG uses repatching to jump to this code, unlinked DFG looks into this vector in JITData and jump to that. 2. MethodOfGettingAValueProfile was including CodeBlock*, ValueProfile* in CodeBlock* etc., so it was linked data structure which unlinked DFG cannot use. Instead, we encode how to retrieve these pointers when generating OSR exit code actually, and just storing CodeOrigin, type, and Operand to make MethodOfGettingAValueProfile unlinked data structure. While CodeOrigin can include InlineCallFrame, but our first version of unlinked DFG will not perform inlining thus we will not include it. It also makes sizeof(MethodOfGettingAValueProfile) smaller from 32 bytes to 16 bytes (50% reduction). * Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h: (JSC::MacroAssemblerCodeRef::offsetOfCodePtr): * Source/_javascript_Core/bytecode/CodeBlock.cpp: (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted. * Source/_javascript_Core/bytecode/CodeBlock.h: * Source/_javascript_Core/bytecode/MethodOfGettingAValueProfile.cpp: (JSC::MethodOfGettingAValueProfile::emitReportValue const): (JSC::MethodOfGettingAValueProfile::fromLazyOperand): Deleted. (JSC::MethodOfGettingAValueProfile::reportValue): Deleted. 
* Source/_javascript_Core/bytecode/MethodOfGettingAValueProfile.h: (JSC::MethodOfGettingAValueProfile::unaryArithProfile): (JSC::MethodOfGettingAValueProfile::binaryArithProfile): (JSC::MethodOfGettingAValueProfile::argumentValueProfile): (JSC::MethodOfGettingAValueProfile::bytecodeValueProfile): (JSC::MethodOfGettingAValueProfile::lazyOperandValueProfile): (JSC::MethodOfGettingAValueProfile::operator bool const): (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile): Deleted. * Source/_javascript_Core/dfg/DFGGraph.cpp: (JSC::DFG::Graph::methodOfGettingAValueProfileFor): * Source/_javascript_Core/dfg/DFGJITCode.cpp: (JSC::DFG::JITCode::JITCode): (JSC::DFG::JITCode::findPC): * Source/_javascript_Core/dfg/DFGJITCode.h: * Source/_javascript_Core/dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::JITCompiler): (JSC::DFG::JITCompiler::linkOSRExits): (JSC::DFG::JITCompiler::link): * Source/_javascript_Core/dfg/DFGJITFinalizer.cpp: (JSC::DFG::JITFinalizer::finalize): * Source/_javascript_Core/dfg/DFGOSRExit.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): (JSC::DFG::OSRExit::compileExit): (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted. * Source/_javascript_Core/dfg/DFGOSRExit.h: (JSC::DFG::OSRExit::codeLocationForRepatch const): (JSC::DFG::OSRExitState::OSRExitState): Deleted. 
* Source/_javascript_Core/dfg/DFGPlan.cpp: (JSC::DFG::Plan::finalizeJITData): * Source/_javascript_Core/dfg/DFGPlan.h: * Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): * Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * Source/WTF/wtf/FixedVector.h: Canonical link: https://commits.webkit.org/250111@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/CodeBlock.h trunk/Source/_javascript_Core/bytecode/MethodOfGettingAValueProfile.cpp trunk/Source/_javascript_Core/bytecode/MethodOfGettingAValueProfile.h trunk/Source/_javascript_Core/dfg/DFGGraph.cpp trunk/Source/_javascript_Core/dfg/DFGJITCode.cpp trunk/Source/_javascript_Core/dfg/DFGJITCode.h trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp trunk/Source/_javascript_Core/dfg/DFGJITFinalizer.cpp trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp trunk/Source/_javascript_Core/dfg/DFGOSRExit.h trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/dfg/DFGPlan.h trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/FixedVector.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293604 => 293605) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-29 02:24:50 UTC (rev 293604) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-29 04:12:55 UTC (rev 293605) @@ -1,3 +1,69 @@ +2022-04-27 Yusuke Suzuki + +[JSC] Make DFG::OSRExit data unlinked +https://bugs.webkit.org/show_bug.cgi?id=239828 + +Reviewed by Saam Barati. + +This patch makes DFG::OSRExit unlinked. While
[webkit-changes] [293601] trunk
Title: [293601] trunk Revision 293601 Author ysuz...@apple.com Date 2022-04-28 18:28:29 -0700 (Thu, 28 Apr 2022) Log Message Support C files in Unified Builds https://bugs.webkit.org/show_bug.cgi?id=239873 Reviewed by Mark Lam. This patch adds support for C (not CPP) files in Unified Builds so that we do not need to build Zydis in non-unified way. Also, this patch fixes a bug that we always generate empty UnifiedSource-1.xxx. It also fixes a bug that this script cannot handle 0 max bundle count. * Tools/TestWebKitAPI/Scripts/generate-unified-sources.sh: * Source/_javascript_Core/CMakeLists.txt: * Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj: * Source/_javascript_Core/Scripts/generate-unified-sources.sh: * Source/_javascript_Core/Sources.txt: * Source/_javascript_Core/UnifiedSources-output.xcfilelist: * Source/WebKit/Scripts/generate-unified-sources.sh: * Source/WebKitLegacy/scripts/generate-unified-sources.sh: * Source/WTF/Scripts/generate-unified-source-bundles.rb: * Source/WebCore/Scripts/generate-unified-sources.sh: Canonical link: https://commits.webkit.org/250107@main Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Scripts/generate-unified-sources.sh trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/UnifiedSources-output.xcfilelist trunk/Source/WTF/ChangeLog trunk/Source/WTF/Scripts/generate-unified-source-bundles.rb trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Scripts/generate-unified-sources.sh trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/Scripts/generate-unified-sources.sh trunk/Source/WebKitLegacy/ChangeLog trunk/Source/WebKitLegacy/scripts/generate-unified-sources.sh trunk/Tools/ChangeLog trunk/Tools/TestWebKitAPI/Scripts/generate-unified-sources.sh Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (293600 => 293601) --- 
trunk/Source/_javascript_Core/CMakeLists.txt 2022-04-29 00:54:10 UTC (rev 293600) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2022-04-29 01:28:29 UTC (rev 293601) @@ -1509,29 +1509,6 @@ endif () WEBKIT_COMPUTE_SOURCES(_javascript_Core) -list(APPEND _javascript_Core_SOURCES -disassembler/zydis/Zydis/Zycore.c -disassembler/zydis/Zydis/ZycoreAllocator.c -disassembler/zydis/Zydis/ZycoreBitset.c -disassembler/zydis/Zydis/ZycoreFormat.c -disassembler/zydis/Zydis/ZycoreList.c -disassembler/zydis/Zydis/ZycoreString.c -disassembler/zydis/Zydis/ZycoreVector.c -disassembler/zydis/Zydis/Zydis.c -disassembler/zydis/Zydis/ZydisDecoder.c -disassembler/zydis/Zydis/ZydisDecoderData.c -disassembler/zydis/Zydis/ZydisFormatter.c -disassembler/zydis/Zydis/ZydisFormatterATT.c -disassembler/zydis/Zydis/ZydisFormatterBase.c -disassembler/zydis/Zydis/ZydisFormatterBuffer.c -disassembler/zydis/Zydis/ZydisFormatterIntel.c -disassembler/zydis/Zydis/ZydisMetaInfo.c -disassembler/zydis/Zydis/ZydisMnemonic.c -disassembler/zydis/Zydis/ZydisRegister.c -disassembler/zydis/Zydis/ZydisSharedData.c -disassembler/zydis/Zydis/ZydisString.c -disassembler/zydis/Zydis/ZydisUtils.c -) WEBKIT_FRAMEWORK(_javascript_Core) WEBKIT_FRAMEWORK_TARGET(_javascript_Core) Modified: trunk/Source/_javascript_Core/ChangeLog (293600 => 293601) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-29 00:54:10 UTC (rev 293600) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-29 01:28:29 UTC (rev 293601) 
@@ -1,3 +1,19 @@ +2022-04-28 Yusuke Suzuki + +Support C files in Unified Builds +https://bugs.webkit.org/show_bug.cgi?id=239873 + +Reviewed by Mark Lam. + +This patch adds support for C (not CPP) files in Unified Builds +so that we do not need to build Zydis in non-unified way. + +* CMakeLists.txt: +* _javascript_Core.xcodeproj/project.pbxproj: +* Scripts/generate-unified-sources.sh: +* Sources.txt: +* UnifiedSources-output.xcfilelist: + 2022-04-28 Zan Dobersek [RISCV64] Implement MacroAssemblerRISCV64 branchAtomicWeakCAS{8,16,32,64} methods Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (293600 => 293601) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2022-04-29 00:54:10 UTC (rev 293600) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2022-04-29 01:28:29 UTC (rev 293601) @@ -1852,6 +1852,9 @@ E30E8A5426DE2E4800DA4915 /* TemporalTimeZonePrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = E30E8A4E26DE2E4700DA4915 /* TemporalTimeZonePrototype.h */; }; E30E8A5626DE2E4800DA4915 /* TemporalTimeZone.h in Headers */ = {isa = PBXBuildFile; fileRef = E30E8A5026DE2E4800DA4915 /* TemporalTimeZone.h */; }; E30E8A5726DE2E4800DA4915 /* TemporalTimeZoneConstructor.h in Headers */ = {isa = PBXBuildFile;
[webkit-changes] [293579] trunk
Title: [293579] trunk Revision 293579 Author ysuz...@apple.com Date 2022-04-28 10:46:58 -0700 (Thu, 28 Apr 2022) Log Message [WTF] Use quadratic-probing instead of double-hashing https://bugs.webkit.org/show_bug.cgi?id=239813 Reviewed by Geoffrey Garen. If table size is always power-of-two, we can safely use quadratic-probing[1] even if the load exceeds 50%. Quadratic-probing and double-hashing have different tradeoff between clustering possibility and CPU cache friendliness. Double-hashing can avoid clustering more, but it is not CPU cache friendly. Quadratic-probing can cause clustering more but better for CPU cache. And while linear-probing caused a lot of trouble and not practical, quadratic-probing with 75% load factor is practical configuration which is used in production-ready hashtables e.g. Google's sparsetable / densetable[2]. This patch replaces WTF::HashTable's probing algorithm from double-hashing to quadratic-probing to make it more cache friendly while keeping reasonable clustering characteristics (compared to linear-probing etc.). Due to this cache friendliness, we get large performance improvements. 1. 0.52% improvement in Speedometer2 with 95% probability. 2. 0.72% improvement in JetStream2 with 98% probability. 
[1]: https://fgiesen.wordpress.com/2015/02/22/triangular-numbers-mod-2n/ [2]: http://goog-sparsehash.sourceforge.net/doc/implementation.html Canonical link: https://commits.webkit.org/250093@main Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/media/media-session/actionHandlerInternalMappings-expected.txt trunk/LayoutTests/platform/glib/accessibility/content-editable-as-textarea-expected.txt trunk/LayoutTests/platform/gtk/accessibility/native-text-control-attributed-string-expected.txt trunk/LayoutTests/storage/indexeddb/getdatabases-expected.txt trunk/LayoutTests/storage/indexeddb/getdatabases-private-expected.txt trunk/LayoutTests/storage/indexeddb/resources/getdatabases.js trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/HashTable.h Diff Modified: trunk/LayoutTests/ChangeLog (293578 => 293579) --- trunk/LayoutTests/ChangeLog 2022-04-28 17:40:36 UTC (rev 293578) +++ trunk/LayoutTests/ChangeLog 2022-04-28 17:46:58 UTC (rev 293579) 
@@ -1,3 +1,19 @@ +2022-04-28 Yusuke Suzuki + +[WTF] Use quadratic-probing instead of double-hashing +https://bugs.webkit.org/show_bug.cgi?id=239813 + +Reviewed by Geoffrey Garen. + +The following tests are relying on HashTable's ordering which is not guaranteed. + +* media/media-session/actionHandlerInternalMappings-expected.txt: +* platform/glib/accessibility/content-editable-as-textarea-expected.txt: +* platform/gtk/accessibility/native-text-control-attributed-string-expected.txt: +* storage/indexeddb/getdatabases-expected.txt: +* storage/indexeddb/getdatabases-private-expected.txt: +* storage/indexeddb/resources/getdatabases.js: + 2022-04-28 Antti Koivisto [ iOS ] tables/mozilla/bugs/bug26178.html is a constant failure Modified: trunk/LayoutTests/media/media-session/actionHandlerInternalMappings-expected.txt (293578 => 293579) --- trunk/LayoutTests/media/media-session/actionHandlerInternalMappings-expected.txt 2022-04-28 17:40:36 UTC (rev 293578) +++ trunk/LayoutTests/media/media-session/actionHandlerInternalMappings-expected.txt 2022-04-28 17:46:58 UTC (rev 293579) @@ -22,12 +22,12 @@ Command: SeekToPlaybackPositionCommand Iterate over all possible actions Command: PauseCommand +Command: PlayCommand Command: SkipBackwardCommand Command: SkipForwardCommand +Command: SeekToPlaybackPositionCommand +Command: PreviousTrackCommand Command: NextTrackCommand -Command: PreviousTrackCommand -Command: SeekToPlaybackPositionCommand -Command: PlayCommand Command: StopCommand Iterate over possible actions after video element src is cleared RUN(video.src = "" Modified: trunk/LayoutTests/platform/glib/accessibility/content-editable-as-textarea-expected.txt (293578 => 293579) --- trunk/LayoutTests/platform/glib/accessibility/content-editable-as-textarea-expected.txt 2022-04-28 17:40:36 UTC (rev 293578) +++ trunk/LayoutTests/platform/glib/accessibility/content-editable-as-textarea-expected.txt 2022-04-28 17:46:58 UTC (rev 293579) 
@@ -15,13 +15,13 @@ family-name:-webkit-standard editable:true strikethrough:false + direction:ltr style:normal fg-color:0,0,0 + weight:400 size:12pt - weight:400 invisible:false underline:none - direction:ltr Range attributes for 'ello<\n>': Range attributes for 'worl': weight:700 Modified: trunk/LayoutTests/platform/gtk/accessibility/native-text-control-attributed-string-expected.txt (293578 => 293579) --- trunk/LayoutTests/platform/gtk/accessibility/native-text-control-attributed-string-expected.txt 2022-04-28 17:40:36 UTC (rev 293578) +++ trunk/LayoutTests/platform/gtk/accessibility/native-text-control-attributed-string-expected.txt 2022-04-28 17:46:58
[webkit-changes] [293473] trunk
Title: [293473] trunk Revision 293473 Author ysuz...@apple.com Date 2022-04-26 15:22:00 -0700 (Tue, 26 Apr 2022) Log Message [JSC] Add forceUnlinkedDFG option https://bugs.webkit.org/show_bug.cgi?id=239751 Reviewed by Saam Barati. This patch adds forceUnlinkedDFG option to start running tests with unlinked DFG (while it is not truly unlinked yet). * Tools/Scripts/run-jsc-stress-tests: * Source/_javascript_Core/jit/JITOperations.cpp: (JSC::JSC_DEFINE_JIT_OPERATION): * Source/_javascript_Core/runtime/OptionsList.h: * JSTests/stress/arith-abs-on-various-types.js: * JSTests/stress/arith-abs-to-arith-negate-range-optimizaton.js: * JSTests/stress/arith-acos-on-various-types.js: * JSTests/stress/arith-acosh-on-various-types.js: * JSTests/stress/arith-asin-on-various-types.js: * JSTests/stress/arith-asinh-on-various-types.js: * JSTests/stress/arith-atan-on-various-types.js: * JSTests/stress/arith-atanh-on-various-types.js: * JSTests/stress/arith-cbrt-on-various-types.js: * JSTests/stress/arith-ceil-on-various-types.js: * JSTests/stress/arith-clz32-on-various-types.js: * JSTests/stress/arith-cos-on-various-types.js: * JSTests/stress/arith-cosh-on-various-types.js: * JSTests/stress/arith-expm1-on-various-types.js: * JSTests/stress/arith-floor-on-various-types.js: * JSTests/stress/arith-fround-on-various-types.js: * JSTests/stress/arith-log-on-various-types.js: * JSTests/stress/arith-log10-on-various-types.js: * JSTests/stress/arith-log2-on-various-types.js: * JSTests/stress/arith-round-on-various-types.js: * JSTests/stress/arith-sin-on-various-types.js: * JSTests/stress/arith-sinh-on-various-types.js: * JSTests/stress/arith-sqrt-on-various-types.js: * JSTests/stress/arith-tan-on-various-types.js: * JSTests/stress/arith-tanh-on-various-types.js: * JSTests/stress/arith-trunc-on-various-types.js: * JSTests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js: Canonical link: https://commits.webkit.org/250009@main Modified Paths trunk/JSTests/ChangeLog 
trunk/JSTests/stress/arith-abs-on-various-types.js trunk/JSTests/stress/arith-abs-to-arith-negate-range-optimizaton.js trunk/JSTests/stress/arith-acos-on-various-types.js trunk/JSTests/stress/arith-acosh-on-various-types.js trunk/JSTests/stress/arith-asin-on-various-types.js trunk/JSTests/stress/arith-asinh-on-various-types.js trunk/JSTests/stress/arith-atan-on-various-types.js trunk/JSTests/stress/arith-atanh-on-various-types.js trunk/JSTests/stress/arith-cbrt-on-various-types.js trunk/JSTests/stress/arith-ceil-on-various-types.js trunk/JSTests/stress/arith-clz32-on-various-types.js trunk/JSTests/stress/arith-cos-on-various-types.js trunk/JSTests/stress/arith-cosh-on-various-types.js trunk/JSTests/stress/arith-expm1-on-various-types.js trunk/JSTests/stress/arith-floor-on-various-types.js trunk/JSTests/stress/arith-fround-on-various-types.js trunk/JSTests/stress/arith-log-on-various-types.js trunk/JSTests/stress/arith-log10-on-various-types.js trunk/JSTests/stress/arith-log2-on-various-types.js trunk/JSTests/stress/arith-round-on-various-types.js trunk/JSTests/stress/arith-sin-on-various-types.js trunk/JSTests/stress/arith-sinh-on-various-types.js trunk/JSTests/stress/arith-sqrt-on-various-types.js trunk/JSTests/stress/arith-tan-on-various-types.js trunk/JSTests/stress/arith-tanh-on-various-types.js trunk/JSTests/stress/arith-trunc-on-various-types.js trunk/JSTests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/runtime/Options.cpp trunk/Source/_javascript_Core/runtime/OptionsList.h trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/JSTests/ChangeLog (293472 => 293473) --- trunk/JSTests/ChangeLog 2022-04-26 22:18:33 UTC (rev 293472) +++ trunk/JSTests/ChangeLog 2022-04-26 22:22:00 UTC (rev 293473) 
@@ -1,3 +1,40 @@ +2022-04-26 Yusuke Suzuki + +[JSC] Add forceUnlinkedDFG option +https://bugs.webkit.org/show_bug.cgi?id=239751 + +Reviewed by Saam Barati. + +Attach `forceUnlinkedDFG=0` option to the following tests which require careful story of how DFG is compiled, which is changed with unlinked DFG. + +* stress/arith-abs-on-various-types.js: +* stress/arith-abs-to-arith-negate-range-optimizaton.js: +* stress/arith-acos-on-various-types.js: +* stress/arith-acosh-on-various-types.js: +* stress/arith-asin-on-various-types.js: +* stress/arith-asinh-on-various-types.js: +* stress/arith-atan-on-various-types.js: +* stress/arith-atanh-on-various-types.js: +* stress/arith-cbrt-on-various-types.js: +* stress/arith-ceil-on-various-types.js: +* stress/arith-clz32-on-various-types.js: +* stress/arith-cos-on-various-types.js: +* stress/arith-cosh-on-various-types.js: +* stress/arith-expm1-on-various-types.js: +*
[webkit-changes] [293348] trunk
Title: [293348] trunk Revision 293348 Author ysuz...@apple.com Date 2022-04-25 13:55:17 -0700 (Mon, 25 Apr 2022) Log Message [JSC] Enable change-array-by-copy https://bugs.webkit.org/show_bug.cgi?id=239678 Reviewed by Saam Barati. * Source/_javascript_Core/runtime/OptionsList.h: Canonical link: https://commits.webkit.org/249964@main Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/inspector/model/remote-object-get-properties-expected.txt trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt trunk/LayoutTests/js/array-unscopables-properties-expected.txt trunk/LayoutTests/js/script-tests/Object-getOwnPropertyNames.js trunk/LayoutTests/js/script-tests/array-unscopables-properties.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/OptionsList.h Diff Modified: trunk/LayoutTests/ChangeLog (293347 => 293348) --- trunk/LayoutTests/ChangeLog 2022-04-25 20:52:15 UTC (rev 293347) +++ trunk/LayoutTests/ChangeLog 2022-04-25 20:55:17 UTC (rev 293348) @@ -1,3 +1,16 @@ +2022-04-22 Yusuke Suzuki + +[JSC] Enable change-array-by-copy +https://bugs.webkit.org/show_bug.cgi?id=239678 + +Reviewed by Saam Barati. + +* inspector/model/remote-object-get-properties-expected.txt: +* js/Object-getOwnPropertyNames-expected.txt: +* js/array-unscopables-properties-expected.txt: +* js/script-tests/Object-getOwnPropertyNames.js: +* js/script-tests/array-unscopables-properties.js: + 2022-04-25 Chris Fleizach AX: Don't expose aria-roledescription value on "generic" elements (e.g. div and span) unless explicit role value is also defined Modified: trunk/LayoutTests/inspector/model/remote-object-get-properties-expected.txt (293347 => 293348) --- trunk/LayoutTests/inspector/model/remote-object-get-properties-expected.txt 2022-04-25 20:52:15 UTC (rev 293347) +++ trunk/LayoutTests/inspector/model/remote-object-get-properties-expected.txt 2022-04-25 20:55:17 UTC (rev 293348) 
@@ -88,6 +88,10 @@ includes copyWithin at +toReversed +toSorted +toSpliced +with constructor Symbol(Symbol.iterator) Symbol(Symbol.unscopables) @@ -144,6 +148,10 @@ includes copyWithin at +toReversed +toSorted +toSpliced +with constructor Symbol(Symbol.iterator) Symbol(Symbol.unscopables) @@ -185,6 +193,10 @@ includes copyWithin at +toReversed +toSorted +toSpliced +with constructor Symbol(Symbol.iterator) Symbol(Symbol.unscopables) @@ -226,6 +238,10 @@ includes copyWithin at +toReversed +toSorted +toSpliced +with constructor Symbol(Symbol.iterator) Symbol(Symbol.unscopables) Modified: trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt (293347 => 293348) --- trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt 2022-04-25 20:52:15 UTC (rev 293347) +++ trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt 2022-04-25 20:55:17 UTC (rev 293348) 
@@ -47,7 +47,7 @@ PASS getSortedOwnPropertyNames(Function) is ['length', 'name', 'prototype'] PASS getSortedOwnPropertyNames(Function.prototype) is ['apply', 'arguments', 'bind', 'call', 'caller', 'constructor', 'length', 'name', 'toString'] PASS getSortedOwnPropertyNames(Array) is ['from', 'isArray', 'length', 'name', 'of', 'prototype'] -PASS getSortedOwnPropertyNames(Array.prototype) is ['at', 'concat', 'constructor', 'copyWithin', 'entries', 'every', 'fill', 'filter', 'find', 'findIndex', 'findLast', 'findLastIndex', 'flat', 'flatMap', 'forEach', 'includes', 'indexOf', 'join', 'keys', 'lastIndexOf', 'length', 'map', 'pop', 'push', 'reduce', 'reduceRight', 'reverse', 'shift', 'slice', 'some', 'sort', 'splice', 'toLocaleString', 'toString', 'unshift', 'values'] +PASS getSortedOwnPropertyNames(Array.prototype) is ['at', 'concat', 'constructor', 'copyWithin', 'entries', 'every', 'fill', 'filter', 'find', 'findIndex', 'findLast', 'findLastIndex', 'flat', 'flatMap', 'forEach', 'includes', 'indexOf', 'join', 'keys', 'lastIndexOf', 'length', 'map', 'pop', 'push', 'reduce', 'reduceRight', 'reverse', 'shift', 'slice', 'some', 'sort', 'splice', 'toLocaleString', 'toReversed', 'toSorted', 'toSpliced', 'toString', 'unshift', 'values', 'with'] PASS getSortedOwnPropertyNames(String) is ['fromCharCode', 'fromCodePoint', 'length', 'name', 'prototype', 'raw'] PASS getSortedOwnPropertyNames(String.prototype) is ['anchor', 'at', 'big', 'blink', 'bold', 'charAt', 'charCodeAt', 'codePointAt', 'concat', 'constructor', 'endsWith', 'fixed', 'fontcolor', 'fontsize', 'includes', 'indexOf', 'italics', 'lastIndexOf', 'length', 'link', 'localeCompare', 'match', 'matchAll', 'normalize', 'padEnd', 'padStart', 'repeat', 'replace', 'replaceAll', 'search', 'slice', 'small', 'split', 'startsWith', 'strike', 'sub', 'substr', 'substring', 'sup', 'toLocaleLowerCase', 'toLocaleUpperCase', 'toLowerCase',
[webkit-changes] [293210] trunk
Title: [293210] trunk Revision 293210 Author ysuz...@apple.com Date 2022-04-21 22:41:35 -0700 (Thu, 21 Apr 2022) Log Message [JSC] PropertyTable should have compact mode https://bugs.webkit.org/show_bug.cgi?id=239451 Reviewed by Saam Barati. This patch introduces a "compact" version of PropertyTable. PropertyTable needs to hold two kinds of integers: index and property offset. But for most objects, both are pretty small and they can fit in uint8_t. If we can use uint8_t for both, we can significantly reduce the size of allocated memory for PropertyTable (only 40% of the memory is required!). This is good for memory, but also good for performance. Now each CompactPropertyTableEntry is 8 bytes while the original PropertyMapEntry was 16 bytes, so CompactPropertyTableEntry can fit in the CPU cache well. Also, not allocating a large amount of memory can reduce memory allocation / deallocation cost. One of the costly destructions of GC-managed objects is PropertyTable (and CodeBlock), and we can reduce that cost by not allocating much memory. The approach is the following. 1. For the index vector, we use uint8_t if the index can fit within uint8_t. 2. For the property offset, we use uint8_t and CompactPropertyTableEntry if it is suitable. 3. Once the table gets non-compact, we keep it non-compact since we could have a deleted index which is larger than uint8_t. We could improve this strategy when deleted indexes are cleared, but for now, we are taking the simple approach. 4. We store the isCompactFlag 1 bit in the pointer to the table. 5. We encapsulate functions modifying property table entries in PropertyTable itself, so we do not leak the internal compact / non-compact mode to the user of PropertyTable. We remove the begin() / end() iterators and instead use forEachproperty, which can implement iteration for each mode more efficiently. We have a further opportunity to improve this: we can deploy the 75% load factor only for compact tables. 
Then we can increase threshold of compact table further and keep more and more tables compact mode. Plus, for small sized tables, small backing memory is better in terms of CPU cache hit (and that's measured in WTF::HashTable, and that's why WTF::Hashtable deploys 75% load factor only for small tables). This is left for the subsequent change. This change is neutral in JetStream2, 0.3% improvement in Speedometer2 with 80% confidence, and 0.41% improvement in RAMification with 95% confidence. * JSTests/stress/change-attribute-structure-transition.js: (shouldBe.JSON.stringify.sd): * Source/_javascript_Core/bytecode/ObjectAllocationProfileInlines.h: (JSC::ObjectAllocationProfileBase::initializeProfile): * Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * Source/_javascript_Core/dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp: * Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * Source/_javascript_Core/ftl/FTLOperations.cpp: (JSC::FTL::JSC_DEFINE_JIT_OPERATION): * Source/_javascript_Core/runtime/ClonedArguments.h: * Source/_javascript_Core/runtime/IteratorOperations.cpp: (JSC::createIteratorResultObjectStructure): * Source/_javascript_Core/runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/_javascript_Core/runtime/JSONObject.cpp: (JSC::Stringifier::Holder::appendNextProperty): * Source/_javascript_Core/runtime/JSObject.cpp: (JSC::JSObject::analyzeHeap): * Source/_javascript_Core/runtime/JSObject.h: * Source/_javascript_Core/runtime/ObjectConstructor.h: (JSC::constructEmptyObject): (JSC::createDataPropertyDescriptorObjectStructure): 
(JSC::createAccessorPropertyDescriptorObjectStructure): * Source/_javascript_Core/runtime/ObjectConstructorInlines.h: (JSC::objectAssignFast): * Source/_javascript_Core/runtime/PropertyOffset.h: * Source/_javascript_Core/runtime/PropertySlot.h: * Source/_javascript_Core/runtime/PropertyTable.cpp: (JSC::PropertyTable::PropertyTable): (JSC::PropertyTable::finishCreation): (JSC::PropertyTable::visitChildrenImpl): (JSC::PropertyTable::~PropertyTable): (JSC::PropertyTable::seal): (JSC::PropertyTable::freeze): (JSC::PropertyTable::isSealed const): (JSC::PropertyTable::isFrozen const): (JSC::PropertyTable::renumberPropertyOffsets): * Source/_javascript_Core/runtime/PropertyTable.h: (JSC::isPowerOf2): (JSC::nextPowerOf2): (JSC::PropertyTable::findImpl): (JSC::PropertyTable::find): (JSC::PropertyTable::get): (JSC::PropertyTable::add): (JSC::PropertyTable::remove): (JSC::PropertyTable::take): (JSC::PropertyTable::updateAttributeIfExists): (JSC::PropertyTable::sizeInMemory): (JSC::PropertyTable::reinsert): (JSC::PropertyTable::rehash): (JSC::PropertyTable::skipDeletedEntries):
[webkit-changes] [293203] trunk/Source/JavaScriptCore
Title: [293203] trunk/Source/_javascript_Core Revision 293203 Author ysuz...@apple.com Date 2022-04-21 17:51:12 -0700 (Thu, 21 Apr 2022) Log Message [JSC] Remove TempRegisterSet https://bugs.webkit.org/show_bug.cgi?id=239578 Reviewed by Mark Lam. We can always use RegisterSet. TempRegisterSet can save several bytes, but we have no code using TempRegisterSet in heap-allocated classes. So, this does not make sense anymore. Instead of TempRegisterSet, we will consistently use RegisterSet to pass register info and ScratchRegisterAllocator to manage allocation of temp / scratch registers. We also remove the copyCalleeSavesToEntryFrameCalleeSavesBuffer function which takes no scratch register. It was using TempRegisterSet to allocate a scratch register, but the caller of this function was making assumptions on how TempRegisterSet will allocate that scratch. This is very fragile and dangerous. We should explicitly pass a scratch register instead in that case. * CMakeLists.txt: * _javascript_Core.xcodeproj/project.pbxproj: * Sources.txt: * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): Deleted. * jit/RegisterSet.h: * jit/ScratchRegisterAllocator.cpp: (JSC::ScratchRegisterAllocator::lock): (JSC::ScratchRegisterAllocator::allocateScratch): (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): * jit/ScratchRegisterAllocator.h: * jit/TempRegisterSet.cpp: Removed. * jit/TempRegisterSet.h: Removed. 
* jit/ThunkGenerators.cpp: (JSC::handleExceptionGenerator): (JSC::handleExceptionWithCallFrameRollbackGenerator): (JSC::throwExceptionFromCallSlowPathGenerator): (JSC::nativeForGenerator): (JSC::boundFunctionCallGenerator): (JSC::remoteFunctionCallGenerator): * wasm/js/WasmToJS.cpp: (JSC::Wasm::wasmToJS): Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/RegisterSet.h trunk/Source/_javascript_Core/jit/ScratchRegisterAllocator.cpp trunk/Source/_javascript_Core/jit/ScratchRegisterAllocator.h trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp trunk/Source/_javascript_Core/wasm/js/WasmToJS.cpp Removed Paths trunk/Source/_javascript_Core/jit/TempRegisterSet.cpp trunk/Source/_javascript_Core/jit/TempRegisterSet.h Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (293202 => 293203) --- trunk/Source/_javascript_Core/CMakeLists.txt 2022-04-22 00:17:19 UTC (rev 293202) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2022-04-22 00:51:12 UTC (rev 293203) @@ -867,6 +867,7 @@ jit/RegisterAtOffsetList.h jit/RegisterMap.h jit/RegisterSet.h +jit/ScratchRegisterAllocator.h jit/Snippet.h jit/SnippetParams.h jit/SnippetReg.h @@ -873,7 +874,6 @@ jit/SnippetSlowPathCalls.h jit/SpillRegistersMode.h jit/TagRegistersMode.h -jit/TempRegisterSet.h jit/ThunkGenerator.h llint/LLIntOpcode.h Modified: trunk/Source/_javascript_Core/ChangeLog (293202 => 293203) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-22 00:17:19 UTC (rev 293202) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-22 00:51:12 UTC (rev 293203) 
@@ -1,3 +1,47 @@ +2022-04-21 Yusuke Suzuki + +[JSC] Remove TempRegisterSet +https://bugs.webkit.org/show_bug.cgi?id=239578 + +Reviewed by Mark Lam. + +We can always use RegisterSet. TempRegisterSet can save several bytes, but we have no code using TempRegisterSet in +heap-allocated classes. So, this does not make sense anymore. Instead of TempRegisterSet, we will consistently use +RegisterSet to pass register info and ScratchRegisterAllocator to manage allocation of temp / scratch registers. + +We also remove the copyCalleeSavesToEntryFrameCalleeSavesBuffer function which takes no scratch register. It was +using TempRegisterSet to allocate a scratch register, but the caller of this function was making assumptions on how +TempRegisterSet will allocate that scratch. This is very fragile and dangerous. We should explicitly pass a scratch +register instead in that case. + +* CMakeLists.txt: +* _javascript_Core.xcodeproj/project.pbxproj: +* Sources.txt: +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::lower): +* jit/AssemblyHelpers.cpp: +
[webkit-changes] [293202] trunk
Title: [293202] trunk Revision 293202 Author ysuz...@apple.com Date 2022-04-21 17:17:19 -0700 (Thu, 21 Apr 2022) Log Message [WTF] Add string concatenate adapter for UUID https://bugs.webkit.org/show_bug.cgi?id=239590 Reviewed by Chris Dumez and Darin Adler. This patch adds string concatenate adapter for UUID. UUID's stringifier consists of multiple string concatenate adapters. This patch adds WTF::handleWithAdapters so that we can define adapters once, and we can semi-automatically define length() and writeTo method for UUID. And we use UUID + makeString instead of createVersion4UUIDString. This is more efficient since we do not need to allocate string twice. * Source/WTF/wtf/UUID.cpp: (WTF::UUID::generateWeakRandomUUIDVersion4): (WTF::createVersion4UUIDString): (WTF::generateWeakRandomUUIDVersion4): Deleted. (WTF::UUID::toString const): Deleted. (WTF::createVersion4UUIDStringWeak): Deleted. * Source/WTF/wtf/UUID.h: (WTF::UUID::createVersion4Weak): (WTF::UUID::isHashTableDeletedValue const): (WTF::UUID::data const): (WTF::StringTypeAdapter::StringTypeAdapter): (WTF::StringTypeAdapter::length const): (WTF::StringTypeAdapter::is8Bit const): (WTF::StringTypeAdapter::writeTo const): * Source/WebCore/animation/KeyframeEffect.cpp: (WebCore::KeyframeEffect::copyPropertiesFromSource): (WebCore::KeyframeEffect::updateBlendingKeyframes): (WebCore::KeyframeEffect::computeCSSTransitionBlendingKeyframes): * Tools/TestWebKitAPI/Tests/WTF/UUID.cpp: (TEST): Canonical link: https://commits.webkit.org/249873@main Modified Paths trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/URL.cpp trunk/Source/WTF/wtf/UUID.cpp trunk/Source/WTF/wtf/UUID.h trunk/Source/WTF/wtf/text/StringConcatenate.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Modules/webdatabase/DatabaseTracker.cpp trunk/Source/WebCore/animation/KeyframeEffect.cpp trunk/Source/WebCore/dom/Document.cpp trunk/Source/WebCore/fileapi/BlobURL.cpp trunk/Source/WebCore/fileapi/BlobURL.h 
trunk/Source/WebCore/loader/appcache/ApplicationCacheStorage.cpp trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp trunk/Source/WebKit/ChangeLog trunk/Source/WebKit/NetworkProcess/NetworkProcess.cpp trunk/Source/WebKit/NetworkProcess/webrtc/NetworkMDNSRegister.cpp trunk/Source/WebKit/UIProcess/Automation/WebAutomationSession.cpp trunk/Source/WebKit/UIProcess/gtk/WaylandCompositor.cpp trunk/Source/WebKit/UIProcess/ios/WKModelView.mm trunk/Source/WebKit/WebProcess/Model/mac/ARKitInlinePreviewModelPlayerMac.mm trunk/Source/WebKitLegacy/ChangeLog trunk/Source/WebKitLegacy/WebCoreSupport/NetworkStorageSessionMap.cpp trunk/Tools/ChangeLog trunk/Tools/TestWebKitAPI/Tests/WTF/UUID.cpp Diff Modified: trunk/Source/WTF/ChangeLog (293201 => 293202) --- trunk/Source/WTF/ChangeLog 2022-04-22 00:09:20 UTC (rev 293201) +++ trunk/Source/WTF/ChangeLog 2022-04-22 00:17:19 UTC (rev 293202) 
@@ -1,3 +1,37 @@ +2022-04-20 Yusuke Suzuki + +[WTF] Add string concatenate adapter for UUID +https://bugs.webkit.org/show_bug.cgi?id=239590 + +Reviewed by Chris Dumez and Darin Adler. + +This patch adds string concatenate adapter for UUID. +UUID's stringifier consists of multiple string concatenate adapters. +This patch adds WTF::handleWithAdapters so that we can define adapters +once, and we can semi-automatically define length() and writeTo method for UUID. + +And we use UUID + makeString instead of createVersion4UUIDString. This is more +efficient since we do not need to allocate string twice. + +* wtf/URL.cpp: +(WTF::URL::fakeURLWithRelativePart): +* wtf/UUID.cpp: +(WTF::UUID::generateWeakRandomUUIDVersion4): +(WTF::UUID::toString const): +(WTF::createVersion4UUIDString): +(WTF::generateWeakRandomUUIDVersion4): Deleted. +(WTF::createVersion4UUIDStringWeak): Deleted. +* wtf/UUID.h: +(WTF::UUID::createVersion4Weak): +(WTF::UUID::data const): +(WTF::StringTypeAdapter::StringTypeAdapter): +(WTF::StringTypeAdapter::handle const): +(WTF::StringTypeAdapter::length const): +(WTF::StringTypeAdapter::is8Bit const): +(WTF::StringTypeAdapter::writeTo const): +* wtf/text/StringConcatenate.h: +(WTF::handleWithAdapters): + 2022-04-21 Brent Fulgham Remove XSS Auditor: Part 4 (Settings) Modified: trunk/Source/WTF/wtf/URL.cpp (293201 => 293202) --- trunk/Source/WTF/wtf/URL.cpp 2022-04-22 00:09:20 UTC (rev 293201) +++ trunk/Source/WTF/wtf/URL.cpp 2022-04-22 00:17:19 UTC (rev 293202) @@ -1048,13 +1048,13 @@ URL URL::fakeURLWithRelativePart(StringView relativePart) { -return URL(makeString("webkit-fake-url://", createVersion4UUIDString(), '/', relativePart)); +return URL(makeString("webkit-fake-url://"_s, UUID::createVersion4(), '/', relativePart)); } URL URL::fileURLWithFileSystemPath(StringView path) { return URL(makeString( -"file://", +
[webkit-changes] [293146] trunk/Source/JavaScriptCore
Title: [293146] trunk/Source/_javascript_Core Revision 293146 Author ysuz...@apple.com Date 2022-04-20 22:28:31 -0700 (Wed, 20 Apr 2022) Log Message [JSC] Remove TempRegisterSet https://bugs.webkit.org/show_bug.cgi?id=239578 Reviewed by Mark Lam. We can always use RegisterSet. TempRegisterSet can save several bytes, but we have no code using TempRegisterSet in heap-allocated class, so this does not make sense anymore. Instead of TempRegisterSet, we should consistently use ScratchRegisterAllocator. * Source/_javascript_Core/CMakeLists.txt: * Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj: * Source/_javascript_Core/Sources.txt: * Source/_javascript_Core/jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): * Source/_javascript_Core/jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer): (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): Deleted. * Source/_javascript_Core/jit/RegisterSet.h: * Source/_javascript_Core/jit/ScratchRegisterAllocator.cpp: (JSC::ScratchRegisterAllocator::lock): (JSC::ScratchRegisterAllocator::allocateScratch): (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): * Source/_javascript_Core/jit/ScratchRegisterAllocator.h: * Source/_javascript_Core/jit/TempRegisterSet.cpp: Removed. * Source/_javascript_Core/jit/TempRegisterSet.h: Removed. 
Canonical link: https://commits.webkit.org/249842@main Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/Sources.txt trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/RegisterSet.h trunk/Source/_javascript_Core/jit/ScratchRegisterAllocator.cpp trunk/Source/_javascript_Core/jit/ScratchRegisterAllocator.h Removed Paths trunk/Source/_javascript_Core/jit/TempRegisterSet.cpp trunk/Source/_javascript_Core/jit/TempRegisterSet.h Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (293145 => 293146) --- trunk/Source/_javascript_Core/CMakeLists.txt 2022-04-21 04:51:39 UTC (rev 293145) +++ trunk/Source/_javascript_Core/CMakeLists.txt 2022-04-21 05:28:31 UTC (rev 293146) @@ -867,6 +867,7 @@ jit/RegisterAtOffsetList.h jit/RegisterMap.h jit/RegisterSet.h +jit/ScratchRegisterAllocator.h jit/Snippet.h jit/SnippetParams.h jit/SnippetReg.h @@ -873,7 +874,6 @@ jit/SnippetSlowPathCalls.h jit/SpillRegistersMode.h jit/TagRegistersMode.h -jit/TempRegisterSet.h jit/ThunkGenerator.h llint/LLIntOpcode.h Modified: trunk/Source/_javascript_Core/ChangeLog (293145 => 293146) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-21 04:51:39 UTC (rev 293145) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-21 05:28:31 UTC (rev 293146) 
@@ -1,5 +1,34 @@ 2022-04-20 Yusuke Suzuki +[JSC] Remove TempRegisterSet +https://bugs.webkit.org/show_bug.cgi?id=239578 + +Reviewed by Mark Lam. + +We can always use RegisterSet. TempRegisterSet can save several bytes, but we have no code using TempRegisterSet in +heap-allocated class, so this does not make sense anymore. Instead of TempRegisterSet, we should consistently use +ScratchRegisterAllocator. + +* CMakeLists.txt: +* _javascript_Core.xcodeproj/project.pbxproj: +* Sources.txt: +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): +* jit/AssemblyHelpers.h: +(JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer): +(JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): Deleted. +* jit/RegisterSet.h: +* jit/ScratchRegisterAllocator.cpp: +(JSC::ScratchRegisterAllocator::lock): +(JSC::ScratchRegisterAllocator::allocateScratch): +(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): +(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): +* jit/ScratchRegisterAllocator.h: +* jit/TempRegisterSet.cpp: Removed. +* jit/TempRegisterSet.h: Removed. + +2022-04-20 Yusuke Suzuki + Fix GPRInfo inconsistency in unlinked DFG bringup https://bugs.webkit.org/show_bug.cgi?id=239573 Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (293145 => 293146) --- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2022-04-21 04:51:39 UTC (rev 293145) +++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2022-04-21 05:28:31 UTC (rev
[webkit-changes] [293143] trunk/Tools
Title: [293143] trunk/Tools Revision 293143 Author ysuz...@apple.com Date 2022-04-20 21:08:17 -0700 (Wed, 20 Apr 2022) Log Message Generate well-formed JSON for compile_commands.json https://bugs.webkit.org/show_bug.cgi?id=239584 Reviewed by Mark Lam. Currently, compile_commands.json always has one trailing comma in the main array. While clangd does not care this, it is ill-formed JSON, and some other tools consuming compile_commands.json can fail. This patch makes it so that generated compile_commands.json has well-formed JSON. * Tools/Scripts/generate-compile-commands: Canonical link: https://commits.webkit.org/249841@main Modified Paths trunk/Tools/ChangeLog trunk/Tools/Scripts/generate-compile-commands Diff Modified: trunk/Tools/ChangeLog (293142 => 293143) --- trunk/Tools/ChangeLog 2022-04-21 03:56:58 UTC (rev 293142) +++ trunk/Tools/ChangeLog 2022-04-21 04:08:17 UTC (rev 293143) @@ -1,3 +1,16 @@ +2022-04-20 Yusuke Suzuki + +Generate well-formed JSON for compile_commands.json +https://bugs.webkit.org/show_bug.cgi?id=239584 + +Reviewed by Mark Lam. + +Currently, compile_commands.json always has one trailing comma in the main array. While clangd does not care this, +it is ill-formed JSON, and some other tools consuming compile_commands.json can fail. +This patch makes it so that generated compile_commands.json has well-formed JSON. + +* Scripts/generate-compile-commands: + 2022-04-20 Wenson Hsieh Avoid falling back to snapshots for transparent images when triggering batch text recognition Modified: trunk/Tools/Scripts/generate-compile-commands (293142 => 293143) --- trunk/Tools/Scripts/generate-compile-commands 2022-04-21 03:56:58 UTC (rev 293142) +++ trunk/Tools/Scripts/generate-compile-commands 2022-04-21 04:08:17 UTC (rev 293143) 
@@ -84,10 +84,12 @@ if third_party_regex.search(json_contents): continue +# -2 gets rid of the comma at the end of the file. +json_contents = json_contents[:-2] + # Try to load JSON File -try: -# -2 gets rid of the comma at the end of the file. -json.loads(json_contents[:-2]) +try: +json.loads(json_contents) except Exception: print("Invalid JSON File: " + j_file_name) continue @@ -106,14 +108,16 @@ # Write the new compile_commands.json file new_compile_commands_file = open("compile_commands.json", 'w') -new_compile_commands_file.write("[\n") +new_compile_commands_file.write("[") -# We should probably remove the trailing comma in the last entry, but -# clangd does not seem to mind. -for key in files.keys(): +for index, key in enumerate(files.keys()): +if index != 0: +new_compile_commands_file.write(",\n") +else: +new_compile_commands_file.write("\n") new_compile_commands_file.write(key) -new_compile_commands_file.write("]\n") +new_compile_commands_file.write("\n]\n") new_compile_commands_file.close() print("Generated Compile Commands!") ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
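Review bot: The added `json_contents = json_contents[:-2]` hard-codes the assumption that every per-file fragment ends in exactly ",\n"; a fragment written with "\r\n", without a trailing newline, or without the trailing comma will either keep the comma (so `json.loads` fails and the file is silently skipped by the `print(...)`/`continue` branch) or lose two real characters, and because the sliced string is now what gets stored and written out, a wrong slice corrupts the generated compile_commands.json rather than just the validation. Stripping by content instead of by position is one line: `json_contents = json_contents.rstrip().rstrip(",")`. I would also move the comment to say what is being removed, `# Drop the trailing comma the per-file generator emits after each entry.`, since "-2" no longer appears in the code. The loop that owns `json_contents` and fills `files` starts outside this hunk, so I am assuming the stored value is the same variable.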
[webkit-changes] [293141] trunk/Source/JavaScriptCore
Title: [293141] trunk/Source/_javascript_Core Revision 293141 Author ysuz...@apple.com Date 2022-04-20 20:32:52 -0700 (Wed, 20 Apr 2022) Log Message Fix GPRInfo inconsistency in unlinked DFG bringup https://bugs.webkit.org/show_bug.cgi?id=239573 Reviewed by Mark Lam. Previously, we forgot changing GPRInfo::toIndex of x64 so that we got assertion in ScratchRegisterAllocator. This patch fixes it and test this consistency in testmasm. It allows unlinked DFG style register usage in x64, so we reenabled it again. * Source/_javascript_Core/assembler/testmasm.cpp: (JSC::testGPRInfoConsistency): * Source/_javascript_Core/dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * Source/_javascript_Core/jit/GPRInfo.h: (JSC::GPRInfo::toRegister): (JSC::GPRInfo::toArgumentRegister): (JSC::GPRInfo::toIndex): Canonical link: https://commits.webkit.org/249839@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/testmasm.cpp trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/jit/GPRInfo.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293140 => 293141) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-21 02:48:24 UTC (rev 293140) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-21 03:32:52 UTC (rev 293141) 
@@ -1,3 +1,23 @@ +2022-04-20 Yusuke Suzuki + +Fix GPRInfo inconsistency in unlinked DFG bringup +https://bugs.webkit.org/show_bug.cgi?id=239573 + +Reviewed by Mark Lam. + +Previously, we forgot changing GPRInfo::toIndex of x64 so that we got assertion in ScratchRegisterAllocator. +This patch fixes it and test this consistency in testmasm. +It allows unlinked DFG style register usage in x64, so we reenabled it again. + +* assembler/testmasm.cpp: +(JSC::testGPRInfoConsistency): +* dfg/DFGPlan.cpp: +(JSC::DFG::Plan::compileInThreadImpl): +* jit/GPRInfo.h: +(JSC::GPRInfo::toRegister): +(JSC::GPRInfo::toArgumentRegister): +(JSC::GPRInfo::toIndex): + 2022-04-20 Zan Dobersek Unreviewed, RISC-V build fix. Modified: trunk/Source/_javascript_Core/assembler/testmasm.cpp (293140 => 293141) --- trunk/Source/_javascript_Core/assembler/testmasm.cpp 2022-04-21 02:48:24 UTC (rev 293140) +++ trunk/Source/_javascript_Core/assembler/testmasm.cpp 2022-04-21 03:32:52 UTC (rev 293141) @@ -5675,6 +5675,24 @@ CHECK_EQ(invoke(isNotType, ), true); } +static void testGPRInfoConsistency() +{ +for (unsigned index = 0; index < GPRInfo::numberOfRegisters; ++index) { +GPRReg reg = GPRInfo::toRegister(index); +CHECK_EQ(GPRInfo::toIndex(reg), index); +} +for (auto reg = CCallHelpers::firstRegister(); reg <= CCallHelpers::lastRegister(); reg = nextID(reg)) { +if (isSpecialGPR(reg)) +continue; +unsigned index = GPRInfo::toIndex(reg); +if (index == GPRInfo::InvalidIndex) { +CHECK_EQ(index >= GPRInfo::numberOfRegisters, true); +continue; +} +CHECK_EQ(index < GPRInfo::numberOfRegisters, true); +} +} + #define RUN(test) do { \ if (!shouldRun(#test)) \ break; \ 
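Review bot: The second loop in the new `testGPRInfoConsistency` only checks that a non-special register maps to `InvalidIndex` or to an in-range index; it never checks that an in-range index maps back to the same register, so a non-allocatable register whose `toIndex` aliases a slot already owned by `toRegister(j)` passes both loops (the first loop only covers registers reachable from `toRegister`). Adding `CHECK_EQ(GPRInfo::toRegister(index), reg);` after the `index < GPRInfo::numberOfRegisters` check closes that gap and would have caught the x64 table mismatch this commit fixes more directly. The `CHECK_EQ(index >= GPRInfo::numberOfRegisters, true)` in the `InvalidIndex` branch tests the constant rather than the table, so a one-line comment such as `// InvalidIndex must never collide with a valid slot` would explain why it is there. `isSpecialGPR` and `nextID` are not defined in this hunk, so I assume they come from the surrounding test file.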
@@ -5912,6 +5930,8 @@ RUN(testAndOrDouble()); +RUN(testGPRInfoConsistency()); + if (tasks.isEmpty()) usage(); Modified: trunk/Source/_javascript_Core/dfg/DFGPlan.cpp (293140 => 293141) --- trunk/Source/_javascript_Core/dfg/DFGPlan.cpp 2022-04-21 02:48:24 UTC (rev 293140) +++ trunk/Source/_javascript_Core/dfg/DFGPlan.cpp 2022-04-21 03:32:52 UTC (rev 293141) @@ -316,10 +316,6 @@ dfg.ensureCPSNaturalLoops(); } -// Currently, due to GPRInfo::numberOfRegisters issue, we cannot enable it on x64. -if (isX86_64()) -RELEASE_ASSERT(m_mode != JITCompilationMode::UnlinkedDFG); - switch (m_mode) { case JITCompilationMode::DFG: case JITCompilationMode::UnlinkedDFG: { Modified: trunk/Source/_javascript_Core/jit/GPRInfo.h (293140 => 293141) --- trunk/Source/_javascript_Core/jit/GPRInfo.h 2022-04-21 02:48:24 UTC (rev 293140) +++ trunk/Source/_javascript_Core/jit/GPRInfo.h 2022-04-21 03:32:52 UTC (rev 293141) @@ -384,7 +384,7 @@ static GPRReg toArgumentRegister(unsigned) { -UNREACHABLE_FOR_PLATFORM(); +ASSERT_NOT_REACHED(); return InvalidGPRReg; } @@ -393,8 +393,7 @@ ASSERT(reg != InvalidGPRReg); ASSERT(static_cast(reg) < 8); static const unsigned indexForRegister[8] = { 0, 2, 1, 3, InvalidIndex, InvalidIndex, 4, 5 }; -unsigned result = indexForRegister[reg]; -return result; +return indexForRegister[reg]; } static const char* debugName(GPRReg reg) @@ -420,7 +419,7 @@ class GPRInfo { public: typedef GPRReg RegisterType; -static constexpr unsigned numberOfRegisters = 11; +static
Title: [293136] trunk Revision 293136 Author ysuz...@apple.com Date 2022-04-20 18:30:19 -0700 (Wed, 20 Apr 2022) Log Message Unreviewed, add github accounts of Apple JSC reviewers * metadata/contributors.json: Modified Paths trunk/ChangeLog trunk/metadata/contributors.json Diff Modified: trunk/ChangeLog (293135 => 293136) --- trunk/ChangeLog 2022-04-21 01:24:25 UTC (rev 293135) +++ trunk/ChangeLog 2022-04-21 01:30:19 UTC (rev 293136) @@ -1,3 +1,9 @@ +2022-04-20 Yusuke Suzuki + +Unreviewed, add github accounts of Apple JSC reviewers + +* metadata/contributors.json: + 2022-04-19 Mark Lam Update my GitHub login. Modified: trunk/metadata/contributors.json (293135 => 293136) --- trunk/metadata/contributors.json 2022-04-21 01:24:25 UTC (rev 293135) +++ trunk/metadata/contributors.json 2022-04-21 01:30:19 UTC (rev 293136) @@ -3970,6 +3970,7 @@ "keith_mil...@apple.com" ], "expertise" : "_javascript_/ECMAScript", + "github" : "kmiller68", "name" : "Keith Miller", "nicks" : [ "keith_miller", @@ -4839,6 +4840,7 @@ "msab...@apple.com" ], "expertise" : "_javascript_/ECMAScript", + "github": "msaboff", "name" : "Michael Saboff", "nicks" : [ "msaboff" @@ -7177,4 +7179,4 @@ ], "status" : "reviewer" } -] \ No newline at end of file +] ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
Title: [293058] branches/safari-613-branch/Source/_javascript_Core Revision 293058 Author ysuz...@apple.com Date 2022-04-19 19:47:07 -0700 (Tue, 19 Apr 2022) Log Message Cherry-pick r292493, rdar://91370257 Call Structure::get instead of Structure::getConcurrently on the mutator thread https://bugs.webkit.org/show_bug.cgi?id=238823 Reviewed by Yusuke Suzuki. We try to call Structure::get instead of Structure::getConcurrently when we know for sure we're on the main thread. This is because getConcurrently is slower than get. * bytecode/AccessCase.cpp: (JSC::AccessCase::couldStillSucceed const): (JSC::AccessCase::generateImpl): * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp: (JSC::AdaptiveInferredPropertyValueWatchpointBase::install): * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install): * bytecode/ObjectPropertyCondition.cpp: (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const): (JSC::ObjectPropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): (JSC::ObjectPropertyCondition::isStillValid const): (JSC::ObjectPropertyCondition::structureEnsuresValidity const): * bytecode/ObjectPropertyCondition.h: * bytecode/ObjectPropertyConditionSet.cpp: (JSC::ObjectPropertyConditionSet::structuresEnsureValidity const): (JSC::generateConditionsForPropertyMiss): (JSC::generateConditionsForPropertySetterMiss): (JSC::generateConditionsForPrototypePropertyHit): (JSC::generateConditionsForPrototypePropertyHitCustom): (JSC::generateConditionsForPrototypeEquivalenceConcurrently): (JSC::generateConditionsForPropertyMissConcurrently): (JSC::generateConditionsForPropertySetterMissConcurrently): (JSC::generateConditionForSelfEquivalence): (JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint const): Deleted. (JSC::ObjectPropertyConditionSet::isValidAndWatchable const): Deleted. 
* bytecode/ObjectPropertyConditionSet.h: * bytecode/PropertyCondition.cpp: (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): (JSC::watchabilityToConcurrency): (JSC::PropertyCondition::isStillValid const): (JSC::PropertyCondition::isWatchableWhenValid const): (JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint const): (JSC::PropertyCondition::isWatchable const): * bytecode/PropertyCondition.h: * dfg/DFGAdaptiveStructureWatchpoint.cpp: (JSC::DFG::AdaptiveStructureWatchpoint::install): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::check): (JSC::DFG::ByteCodeParser::planLoad): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset): * dfg/DFGDesiredWatchpoints.h: (JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::watchCondition): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::setupGetByIdPrototypeCache): * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp: (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::tryInstallSpeciesWatchpoint): * runtime/JSObject.h: (JSC::JSObject::getDirect const): * runtime/Structure.h: (JSC::Structure::get): * runtime/StructureRareData.cpp: (JSC::StructureRareData::cacheSpecialPropertySlow): Canonical link: https://commits.webkit.org/249341@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@292493 268f45cc-cd09-0410-ab3c-d52691b4dbfc Modified Paths branches/safari-613-branch/Source/_javascript_Core/ChangeLog branches/safari-613-branch/Source/_javascript_Core/bytecode/AccessCase.cpp branches/safari-613-branch/Source/_javascript_Core/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp branches/safari-613-branch/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp branches/safari-613-branch/Source/_javascript_Core/bytecode/ObjectPropertyCondition.cpp 
branches/safari-613-branch/Source/_javascript_Core/bytecode/ObjectPropertyCondition.h branches/safari-613-branch/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp branches/safari-613-branch/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.h branches/safari-613-branch/Source/_javascript_Core/bytecode/PropertyCondition.cpp branches/safari-613-branch/Source/_javascript_Core/bytecode/PropertyCondition.h branches/safari-613-branch/Source/_javascript_Core/dfg/DFGAdaptiveStructureWatchpoint.cpp
Title: [293057] branches/safari-613-branch/Source Revision 293057 Author ysuz...@apple.com Date 2022-04-19 19:39:37 -0700 (Tue, 19 Apr 2022) Log Message Cherry-pick r292714, rdar://91584856 [JSC] Reduce use of unnecessary cryptographicallyRandom numbers https://bugs.webkit.org/show_bug.cgi?id=239026 Reviewed by Saam Barati. Source/_javascript_Core: This patch removes cryptographically random calls on some super-hot critical paths. MarkedBlock's use is very hot and it appears on Speedometer2 artrace. But this is just a random shuffling of the freelist, and WeakRandom is enough for that. This patch replaces them with WeakRandom. It offers a 0.3% improvement in Speedometer2. * assembler/AbstractMacroAssembler.cpp: (JSC::AbstractMacroAssemblerBase::initializeRandom): (WTF::printInternal): * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssemblerBase::random): (JSC::AbstractMacroAssembler::AbstractMacroAssembler): (JSC::AbstractMacroAssembler::random): Deleted. * b3/air/AirCode.cpp: (JSC::B3::Air::Code::Code): * b3/air/AirCode.h: (JSC::B3::Air::Code::weakRandom): Deleted. * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::specializedSweep): * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: (JSC::VM::heapRandom): Source/WebCore: We use createVersion4UUIDStringWeak since there is no need to use cryptographically random numbers for KeyframeEffect names. * animation/KeyframeEffect.cpp: (WebCore::KeyframeEffect::copyPropertiesFromSource): (WebCore::KeyframeEffect::updateBlendingKeyframes): (WebCore::KeyframeEffect::computeCSSTransitionBlendingKeyframes): Source/WTF: We add createVersion4UUIDStringWeak, which can generate a UUID from WeakRandom numbers.
* wtf/UUID.cpp: (WTF::convertRandomUInt128ToUUIDVersion4): (WTF::generateCryptographicallyRandomUUIDVersion4): (WTF::generateWeakRandomUUIDVersion4): (WTF::UUID::UUID): (WTF::createVersion4UUIDStringWeak): * wtf/UUID.h: * wtf/WeakRandom.h: Canonical link: https://commits.webkit.org/249504@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@292714 268f45cc-cd09-0410-ab3c-d52691b4dbfc Modified Paths branches/safari-613-branch/Source/_javascript_Core/ChangeLog branches/safari-613-branch/Source/_javascript_Core/assembler/AbstractMacroAssembler.cpp branches/safari-613-branch/Source/_javascript_Core/assembler/AbstractMacroAssembler.h branches/safari-613-branch/Source/_javascript_Core/b3/air/AirCode.cpp branches/safari-613-branch/Source/_javascript_Core/b3/air/AirCode.h branches/safari-613-branch/Source/_javascript_Core/heap/MarkedBlockInlines.h branches/safari-613-branch/Source/_javascript_Core/runtime/VM.cpp branches/safari-613-branch/Source/_javascript_Core/runtime/VM.h branches/safari-613-branch/Source/WTF/ChangeLog branches/safari-613-branch/Source/WTF/wtf/UUID.cpp branches/safari-613-branch/Source/WTF/wtf/UUID.h branches/safari-613-branch/Source/WTF/wtf/WeakRandom.h branches/safari-613-branch/Source/WebCore/ChangeLog branches/safari-613-branch/Source/WebCore/animation/KeyframeEffect.cpp Diff Modified: branches/safari-613-branch/Source/_javascript_Core/ChangeLog (293056 => 293057) --- branches/safari-613-branch/Source/_javascript_Core/ChangeLog 2022-04-20 02:32:43 UTC (rev 293056) +++ branches/safari-613-branch/Source/_javascript_Core/ChangeLog 2022-04-20 02:39:37 UTC (rev 293057) 
@@ -1,3 +1,33 @@ +2022-04-11 Yusuke Suzuki + +[JSC] Reduce use of unnecessary cryptographicallyRandom numbers +https://bugs.webkit.org/show_bug.cgi?id=239026 + +Reviewed by Saam Barati. + +This patch removes cryptographically random calls in some of super hot critical path. +MarkedBlock's use is very hot and it appears on Speedometer2 artrace. But this is just +a random shuffling of freelist, and WeakRandom is enough for that. This patch replaces +them with WeakRandom. It offers 0.3% improvement in Speedometer2. + +* assembler/AbstractMacroAssembler.cpp: +(JSC::AbstractMacroAssemblerBase::initializeRandom): +(WTF::printInternal): +* assembler/AbstractMacroAssembler.h: +(JSC::AbstractMacroAssemblerBase::random): +(JSC::AbstractMacroAssembler::AbstractMacroAssembler): +(JSC::AbstractMacroAssembler::random): Deleted. +* b3/air/AirCode.cpp: +(JSC::B3::Air::Code::Code): +* b3/air/AirCode.h: +(JSC::B3::Air::Code::weakRandom): Deleted. +* heap/MarkedBlockInlines.h: +(JSC::MarkedBlock::Handle::specializedSweep): +* runtime/VM.cpp: +(JSC::VM::VM): +* runtime/VM.h: +(JSC::VM::heapRandom): + 2022-04-10 Yusuke Suzuki [JSC] DFG / FTL should be aware of JSString's String replacement Modified: branches/safari-613-branch/Source/_javascript_Core/assembler/AbstractMacroAssembler.cpp
Title: [293055] branches/safari-613-branch Revision 293055 Author ysuz...@apple.com Date 2022-04-19 19:24:24 -0700 (Tue, 19 Apr 2022) Log Message Cherry-pick r292697, rdar://91547350 [JSC] DFG / FTL should be aware of JSString's String replacement https://bugs.webkit.org/show_bug.cgi?id=238918 Reviewed by Saam Barati. JSTests: * stress/resolve-rope-get-by-val.js: Added. (shouldBe): (test): * stress/resolve-rope-string-char-at.js: Added. (shouldBe): (test): * stress/resolve-rope-string-char-code-at.js: Added. (shouldBe): (test): * stress/resolve-rope-string-code-point-at.js: Added. (shouldBe): (test): Source/_javascript_Core: After r289359, String in JSString* can be replaced even after it is resolved. When atomizing String inside JSString*, we may replace the existing one to new AtomStringImpl if different AtomStringImpl is already registered in the AtomStringTable. However, DFG / FTL GetIndexedPropertyStorage assumes that StringImpl* in JSString* never changes after resolving. And this is wrong. This patch decouples String handling in GetIndexedPropertyStorage as ResolveRope DFG node. GetIndexedPropertyStorage no longer handles JSString and it is now tailored to object cases. ResolveRope does not expose StringImpl::m_data pointer, and instead it keeps resolved JSString*. After this change, GetByVal(String:@0, Untyped:@1, GetIndexedProperty(String:@0)) is changed to GetByVal(ResolveRope(String:@0), Untyped:@1) Also, we revisit all the value(...) callsites (by changing function name) and ensure that we have no code assuming String cannot be changed after resolving. A/B test ensured that this is perf-neutral. 
* b3/B3Generate.cpp: (JSC::B3::generateToAir): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitEqualityOpImpl): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::checkArray): * dfg/DFGNode.h: (JSC::DFG::Node::hasStorageChild const): (JSC::DFG::Node::storageChildIndex): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): (JSC::DFG::SpeculativeJIT::compileGetByValOnString): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::compileStringCodePointAt): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLCompile.cpp: (JSC::FTL::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileResolveRope): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAtImpl): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt): (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt): * jsc.cpp: (JSC_DEFINE_HOST_FUNCTION): * runtime/HashMapImplInlines.h: (JSC::jsMapHashImpl): * runtime/InternalFunction.cpp: (JSC::InternalFunction::name): (JSC::InternalFunction::displayName): (JSC::InternalFunction::calculatedDisplayName): 
* runtime/InternalFunction.h: * runtime/JSBoundFunction.h: * runtime/JSCJSValueInlines.h: (JSC::toPreferredPrimitiveType): * runtime/JSModuleLoader.cpp: (JSC::JSModuleLoader::importModule): * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): * runtime/JSPropertyNameEnumerator.cpp: (JSC::JSPropertyNameEnumerator::computeNext): * runtime/JSRemoteFunction.h: * runtime/Operations.h: (JSC::jsString): (JSC::compareBigIntToOtherPrimitive): (JSC::compareBigInt32ToOtherPrimitive): * runtime/RegExpMatchesArray.h: (JSC::createRegExpMatchesArray): * runtime/StringPrototype.cpp: (JSC::JSC_DEFINE_JIT_OPERATION): (JSC::JSC_DEFINE_HOST_FUNCTION): * runtime/SymbolConstructor.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * tools/JSDollarVM.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): Source/WebCore: * bindings/js/JSDOMWindowBase.cpp:
Title: [293041] trunk/Source/_javascript_Core Revision 293041 Author ysuz...@apple.com Date 2022-04-19 15:32:38 -0700 (Tue, 19 Apr 2022) Log Message REGRESSION(r292372): cloop crashes on s390x https://bugs.webkit.org/show_bug.cgi?id=238956 Reviewed by Mark Lam. * Source/_javascript_Core/jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeCall): (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeTailCall): * Source/_javascript_Core/jit/ThunkGenerators.cpp: (JSC::boundFunctionCallGenerator): (JSC::remoteFunctionCallGenerator): * Source/_javascript_Core/llint/LowLevelInterpreter.asm: Canonical link: https://commits.webkit.org/249780@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293040 => 293041) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-19 22:10:15 UTC (rev 293040) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-19 22:32:38 UTC (rev 293041) 
@@ -1,5 +1,22 @@ 2022-04-19 Yusuke Suzuki +REGRESSION(r292372): cloop crashes on s390x +https://bugs.webkit.org/show_bug.cgi?id=238956 + +Reviewed by Mark Lam. + +CodeBlock* is stored without tags. So we should just put it as a pointer without PayloadOffset. + +* jit/AssemblyHelpers.h: +(JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeCall): +(JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeTailCall): +* jit/ThunkGenerators.cpp: +(JSC::boundFunctionCallGenerator): +(JSC::remoteFunctionCallGenerator): +* llint/LowLevelInterpreter.asm: + +2022-04-19 Yusuke Suzuki + Unreviewed, disable UnlinkedDFG code in x64 https://bugs.webkit.org/show_bug.cgi?id=237863 Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (293040 => 293041) --- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2022-04-19 22:10:15 UTC (rev 293040) +++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2022-04-19 22:32:38 UTC (rev 293041) @@ -1259,13 +1259,13 @@ static Address calleeFrameCodeBlockBeforeCall() { -return calleeFramePayloadSlot(CallFrameSlot::codeBlock); +return calleeFrameSlot(CallFrameSlot::codeBlock); } static Address calleeFrameCodeBlockBeforeTailCall() { // The stackPointerRegister state is "after the call, but before the function prologue". -return calleeFramePayloadSlot(CallFrameSlot::codeBlock).withOffset(sizeof(CallerFrameAndPC) - prologueStackPointerDelta()); +return calleeFrameSlot(CallFrameSlot::codeBlock).withOffset(sizeof(CallerFrameAndPC) - prologueStackPointerDelta()); } static GPRReg selectScratchGPR(RegisterSet preserved) Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (293040 => 293041) --- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2022-04-19 22:10:15 UTC (rev 293040) +++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2022-04-19 22:32:38 UTC (rev 293041) 
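Review bot: Neither `calleeFrameCodeBlockBeforeCall` nor `calleeFrameCodeBlockBeforeTailCall` records why the slot is now addressed whole rather than through `calleeFramePayloadSlot`, and the reason (given only in the log message) is exactly what a future caller needs to know to avoid reintroducing the s390x bug with a `storeCell`. Add above the first function: `// CallFrameSlot::codeBlock holds a raw CodeBlock*, not a tagged JSValue, so the whole slot is addressed; callers must write it with storePtr, never storeCell.` The `Address` helpers sit inside a class whose declaration is outside the hunk.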
@@ -1405,7 +1405,7 @@ CCallHelpers::Address( GPRInfo::regT0, FunctionExecutable::offsetOfCodeBlockForCall()), GPRInfo::regT2); -jit.storeCell(GPRInfo::regT2, CCallHelpers::calleeFrameCodeBlockBeforeCall()); +jit.storePtr(GPRInfo::regT2, CCallHelpers::calleeFrameCodeBlockBeforeCall()); isNative.link(); @@ -1566,7 +1566,7 @@ emitPointerValidation(jit, GPRInfo::nonArgGPR0, OperationPtrTag); jit.call(GPRInfo::nonArgGPR0, OperationPtrTag); exceptionChecks.append(jit.emitJumpIfException(vm)); -jit.storeCell(GPRInfo::returnValueGPR2, CCallHelpers::calleeFrameCodeBlockBeforeCall()); +jit.storePtr(GPRInfo::returnValueGPR2, CCallHelpers::calleeFrameCodeBlockBeforeCall()); jit.move(GPRInfo::returnValueGPR, GPRInfo::regT2); auto materialized = jit.jump(); @@ -1576,7 +1576,7 @@ CCallHelpers::Address( GPRInfo::regT1, FunctionExecutable::offsetOfCodeBlockForCall()), GPRInfo::regT3); -jit.storeCell(GPRInfo::regT3, CCallHelpers::calleeFrameCodeBlockBeforeCall()); +jit.storePtr(GPRInfo::regT3, CCallHelpers::calleeFrameCodeBlockBeforeCall()); isNative.link(); materialized.link(); Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (293040 => 293041) --- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2022-04-19 22:10:15 UTC (rev 293040) +++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2022-04-19 22:32:38 UTC (rev 293041) @@ -1195,7 +1195,7 @@ end macro prepareForRegularCall(temp1, temp2, temp3, temp4, storeCodeBlock) -storeCodeBlock(CodeBlock + PayloadOffset - CallerFrameAndPCSize[sp]) +storeCodeBlock(CodeBlock - CallerFrameAndPCSize[sp]) end macro invokeForRegularCall(opcodeName, size, opcodeStruct,
Title: [293020] trunk/Source/_javascript_Core Revision 293020 Author ysuz...@apple.com Date 2022-04-19 10:19:43 -0700 (Tue, 19 Apr 2022) Log Message Unreviewed, disable UnlinkedDFG code in x64 https://bugs.webkit.org/show_bug.cgi?id=237863 * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * jit/GPRInfo.h: (JSC::GPRInfo::toRegister): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGPlan.cpp trunk/Source/_javascript_Core/jit/GPRInfo.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293019 => 293020) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-19 17:14:21 UTC (rev 293019) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-19 17:19:43 UTC (rev 293020) @@ -1,5 +1,15 @@ 2022-04-19 Yusuke Suzuki +Unreviewed, disable UnlinkedDFG code in x64 +https://bugs.webkit.org/show_bug.cgi?id=237863 + +* dfg/DFGPlan.cpp: +(JSC::DFG::Plan::compileInThreadImpl): +* jit/GPRInfo.h: +(JSC::GPRInfo::toRegister): + +2022-04-19 Yusuke Suzuki + Unreviewed, do not use RELEASE_ASSERT_NOT_REACHED in super hot path to suppress warnings https://bugs.webkit.org/show_bug.cgi?id=239290 Modified: trunk/Source/_javascript_Core/dfg/DFGPlan.cpp (293019 => 293020) --- trunk/Source/_javascript_Core/dfg/DFGPlan.cpp 2022-04-19 17:14:21 UTC (rev 293019) +++ trunk/Source/_javascript_Core/dfg/DFGPlan.cpp 2022-04-19 17:19:43 UTC (rev 293020) @@ -316,6 +316,10 @@ dfg.ensureCPSNaturalLoops(); } +// Currently, due to GPRInfo::numberOfRegisters issue, we cannot enable it on x64. +if (isX86_64()) +RELEASE_ASSERT(m_mode != JITCompilationMode::UnlinkedDFG); + switch (m_mode) { case JITCompilationMode::DFG: case JITCompilationMode::UnlinkedDFG: { Modified: trunk/Source/_javascript_Core/jit/GPRInfo.h (293019 => 293020) --- trunk/Source/_javascript_Core/jit/GPRInfo.h 2022-04-19 17:14:21 UTC (rev 293019) +++ trunk/Source/_javascript_Core/jit/GPRInfo.h 2022-04-19 17:19:43 UTC (rev 293020) 
@@ -420,7 +420,7 @@ class GPRInfo { public: typedef GPRReg RegisterType; -static constexpr unsigned numberOfRegisters = 10; +static constexpr unsigned numberOfRegisters = 11; static constexpr unsigned numberOfArgumentRegisters = NUMBER_OF_ARGUMENT_REGISTERS; // These registers match the baseline JIT. @@ -498,9 +498,9 @@ { ASSERT(index < numberOfRegisters); #if !OS(WINDOWS) -static const GPRReg registerForIndex[numberOfRegisters] = { regT0, regT1, regT2, regT3, regT4, regT5, regT6, regT7, regCS0, regCS1 }; +static const GPRReg registerForIndex[numberOfRegisters] = { regT0, regT1, regT2, regT3, regT4, regT5, regT6, regT7, regCS0, regCS1, regCS2 }; #else -static const GPRReg registerForIndex[numberOfRegisters] = { regT0, regT1, regT2, regT3, regT4, regT5, regCS0, regCS1, regCS2, regCS3 }; +static const GPRReg registerForIndex[numberOfRegisters] = { regT0, regT1, regT2, regT3, regT4, regT5, regCS0, regCS1, regCS2, regCS3, regCS4 }; #endif return registerForIndex[index]; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
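Review bot: `registerForIndex` grows to eleven entries (regCS2, and regCS4 on Windows) but nothing in this hunk ties it to the inverse mapping `GPRInfo::toIndex`, which is outside the hunk and is what `ScratchRegisterAllocator` consults; the two tables can silently disagree, and because the array is sized by `numberOfRegisters`, an initializer list that is one entry short would zero-fill rather than fail to compile. Add a comment on the array: `// Must stay in sync with toIndex(): every register here must map back to its own index.` so the next change to either table touches both. The class continues past the end of the hunk.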
Title: [293018] trunk/Source/_javascript_Core Revision 293018 Author ysuz...@apple.com Date 2022-04-19 09:45:18 -0700 (Tue, 19 Apr 2022) Log Message Unreviewed, do not use RELEASE_ASSERT_NOT_REACHED in super hot path to suppress warnings https://bugs.webkit.org/show_bug.cgi?id=239290 * bytecode/PropertyCondition.cpp: (JSC::watchabilityToConcurrency): * runtime/JSObject.h: (JSC::JSObject::getDirect const): * runtime/Structure.h: (JSC::Structure::get): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp trunk/Source/_javascript_Core/runtime/JSObject.h trunk/Source/_javascript_Core/runtime/Structure.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (293017 => 293018) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-19 15:58:10 UTC (rev 293017) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-19 16:45:18 UTC (rev 293018) @@ -1,3 +1,15 @@ +2022-04-19 Yusuke Suzuki + +Unreviewed, do not use RELEASE_ASSERT_NOT_REACHED in super hot path to suppress warnings +https://bugs.webkit.org/show_bug.cgi?id=239290 + +* bytecode/PropertyCondition.cpp: +(JSC::watchabilityToConcurrency): +* runtime/JSObject.h: +(JSC::JSObject::getDirect const): +* runtime/Structure.h: +(JSC::Structure::get): + 2022-04-19 Martin Robinson Fix the address sanitizer build when building with gcc Modified: trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp (293017 => 293018) --- trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 2022-04-19 15:58:10 UTC (rev 293017) +++ trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 2022-04-19 16:45:18 UTC (rev 293018) @@ -265,6 +265,7 @@ RELEASE_ASSERT_NOT_REACHED(); } +IGNORE_RETURN_TYPE_WARNINGS_BEGIN static ALWAYS_INLINE Concurrency watchabilityToConcurrency(PropertyCondition::WatchabilityEffort effort) { switch (effort) { 
@@ -273,8 +274,8 @@ case PropertyCondition::WatchabilityEffort::MakeNoChanges: return Concurrency::ConcurrentThread; } -RELEASE_ASSERT_NOT_REACHED(); } +IGNORE_RETURN_TYPE_WARNINGS_END bool PropertyCondition::validityRequiresImpurePropertyWatchpoint(Structure* structure) const { Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (293017 => 293018) --- trunk/Source/_javascript_Core/runtime/JSObject.h 2022-04-19 15:58:10 UTC (rev 293017) +++ trunk/Source/_javascript_Core/runtime/JSObject.h 2022-04-19 16:45:18 UTC (rev 293018) @@ -1406,6 +1406,7 @@ // past structure then it should be valid for any new structure. However, we may sometimes // shrink the butterfly when we are holding the Structure's ConcurrentJSLock, such as when we // flatten an object. +IGNORE_RETURN_TYPE_WARNINGS_BEGIN ALWAYS_INLINE JSValue JSObject::getDirect(Concurrency concurrency, Structure* expectedStructure, PropertyOffset offset) const { switch (concurrency) { @@ -1415,8 +1416,8 @@ case Concurrency::ConcurrentThread: return getDirectConcurrently(expectedStructure, offset); } -RELEASE_ASSERT_NOT_REACHED(); } +IGNORE_RETURN_TYPE_WARNINGS_END inline JSValue JSObject::getDirectConcurrently(Structure* structure, PropertyOffset offset) const { Modified: trunk/Source/_javascript_Core/runtime/Structure.h (293017 => 293018) --- trunk/Source/_javascript_Core/runtime/Structure.h 2022-04-19 15:58:10 UTC (rev 293017) +++ trunk/Source/_javascript_Core/runtime/Structure.h 2022-04-19 16:45:18 UTC (rev 293018) @@ -518,6 +518,7 @@ template void forEachProperty(VM&, const Functor&); +IGNORE_RETURN_TYPE_WARNINGS_BEGIN ALWAYS_INLINE PropertyOffset get(VM& vm, Concurrency concurrency, UniquedStringImpl* uid, unsigned& attributes) { switch (concurrency) { 
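Review bot: Dropping the `RELEASE_ASSERT_NOT_REACHED()` after the `switch` in `JSObject::getDirect` means that a `concurrency` value outside the two enumerators now falls off the end of a non-void function, which is undefined behaviour rather than a diagnosable crash; the suppression macro hides the compiler's warning about exactly that path. If the release-build cost is the concern, keep a debug-only check so the case is still caught in testing: put `ASSERT_NOT_REACHED();` where the release assert was (it is a no-op in release, so the `IGNORE_RETURN_TYPE_WARNINGS` region is still needed). The same pattern is applied to `watchabilityToConcurrency` in the preceding hunk.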
@@ -527,9 +528,10 @@ case Concurrency::ConcurrentThread: return getConcurrently(uid, attributes); } -RELEASE_ASSERT_NOT_REACHED(); } +IGNORE_RETURN_TYPE_WARNINGS_END +IGNORE_RETURN_TYPE_WARNINGS_BEGIN ALWAYS_INLINE PropertyOffset get(VM& vm, Concurrency concurrency, UniquedStringImpl* uid) { switch (concurrency) { @@ -539,8 +541,8 @@ case Concurrency::ConcurrentThread: return getConcurrently(uid); } -RELEASE_ASSERT_NOT_REACHED(); } +IGNORE_RETURN_TYPE_WARNINGS_END PropertyOffset getConcurrently(UniquedStringImpl* uid); PropertyOffset getConcurrently(UniquedStringImpl* uid, unsigned& attributes); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
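Review bot: Both `Structure::get` overloads now rely on every caller passing a valid `Concurrency` enumerator; with the `RELEASE_ASSERT_NOT_REACHED()` gone, an out-of-range value reaches the closing brace with no return, and the resulting `PropertyOffset` is whatever the register happens to hold. A debug-only `ASSERT_NOT_REACHED();` after each `switch` costs nothing in release and keeps the misuse visible in debug builds, and a one-line comment on the `IGNORE_RETURN_TYPE_WARNINGS_BEGIN` line, `// All enumerators return; the warning is spurious and this must stay a fully-covered switch.`, tells the next person adding a `Concurrency` value why the suppression exists. The surrounding class declaration extends beyond the hunk.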
Title: [292891] trunk/Source Revision 292891 Author ysuz...@apple.com Date 2022-04-14 14:56:27 -0700 (Thu, 14 Apr 2022) Log Message [JSC] Reduce use of CallFrame::deprecatedVM https://bugs.webkit.org/show_bug.cgi?id=239326 Reviewed by Devin Rousso. Reduce use of CallFrame::deprecatedVM, mainly in inspector related code to eventually remove CallFrame::deprecatedVM. * Source/_javascript_Core/debugger/Debugger.cpp: (JSC::Debugger::evaluateBreakpointCondition): (JSC::Debugger::evaluateBreakpointActions): (JSC::Debugger::exceptionOrCaughtValue): * Source/_javascript_Core/debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::globalObject): (JSC::DebuggerCallFrame::functionName const): (JSC::DebuggerCallFrame::scope): (JSC::DebuggerCallFrame::type const): (JSC::DebuggerCallFrame::evaluateWithScopeExtension): (JSC::DebuggerCallFrame::deprecatedVMEntryGlobalObject const): Deleted. * Source/_javascript_Core/debugger/DebuggerCallFrame.h: * Source/_javascript_Core/inspector/JSJavaScriptCallFrame.cpp: (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension): (Inspector::JSJavaScriptCallFrame::scopeDescriptions): (Inspector::JSJavaScriptCallFrame::functionName const): (Inspector::JSJavaScriptCallFrame::scopeChain const): (Inspector::JSJavaScriptCallFrame::type const): * Source/_javascript_Core/inspector/_javascript_CallFrame.h: (Inspector::_javascript_CallFrame::functionName const): (Inspector::_javascript_CallFrame::type const): (Inspector::_javascript_CallFrame::scopeChain const): (Inspector::_javascript_CallFrame::evaluateWithScopeExtension const): (Inspector::_javascript_CallFrame::deprecatedVMEntryGlobalObject const): Deleted. 
* Source/_javascript_Core/inspector/agents/InspectorDebuggerAgent.cpp: (Inspector::InspectorDebuggerAgent::debuggerScopeExtensionObject): (Inspector::InspectorDebuggerAgent::didPause): * Source/_javascript_Core/interpreter/Interpreter.cpp: (JSC::Interpreter::debug): Canonical link: https://commits.webkit.org/249661@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/debugger/Debugger.cpp trunk/Source/_javascript_Core/debugger/DebuggerCallFrame.cpp trunk/Source/_javascript_Core/debugger/DebuggerCallFrame.h trunk/Source/_javascript_Core/inspector/JSJavaScriptCallFrame.cpp trunk/Source/_javascript_Core/inspector/_javascript_CallFrame.h trunk/Source/_javascript_Core/inspector/agents/InspectorDebuggerAgent.cpp trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/WebKitLegacy/mac/ChangeLog trunk/Source/WebKitLegacy/mac/WebView/WebScriptDebugger.mm Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292890 => 292891) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-14 21:15:31 UTC (rev 292890) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-14 21:56:27 UTC (rev 292891) 
@@ -1,3 +1,42 @@ +2022-04-14 Yusuke Suzuki + +[JSC] Reduce use of CallFrame::deprecatedVM +https://bugs.webkit.org/show_bug.cgi?id=239326 + +Reviewed by Devin Rousso. + +Reduce use of CallFrame::deprecatedVM, mainly in inspector related code to eventually remove CallFrame::deprecatedVM. + +* debugger/Debugger.cpp: +(JSC::Debugger::evaluateBreakpointCondition): +(JSC::Debugger::evaluateBreakpointActions): +(JSC::Debugger::exceptionOrCaughtValue): +* debugger/DebuggerCallFrame.cpp: +(JSC::DebuggerCallFrame::globalObject): +(JSC::DebuggerCallFrame::functionName const): +(JSC::DebuggerCallFrame::scope): +(JSC::DebuggerCallFrame::type const): +(JSC::DebuggerCallFrame::evaluateWithScopeExtension): +(JSC::DebuggerCallFrame::deprecatedVMEntryGlobalObject const): Deleted. +* debugger/DebuggerCallFrame.h: +* inspector/JSJavaScriptCallFrame.cpp: +(Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension): +(Inspector::JSJavaScriptCallFrame::scopeDescriptions): +(Inspector::JSJavaScriptCallFrame::functionName const): +(Inspector::JSJavaScriptCallFrame::scopeChain const): +(Inspector::JSJavaScriptCallFrame::type const): +* inspector/_javascript_CallFrame.h: +(Inspector::_javascript_CallFrame::functionName const): +(Inspector::_javascript_CallFrame::type const): +(Inspector::_javascript_CallFrame::scopeChain const): +(Inspector::_javascript_CallFrame::evaluateWithScopeExtension const): +(Inspector::_javascript_CallFrame::deprecatedVMEntryGlobalObject const): Deleted. +* inspector/agents/InspectorDebuggerAgent.cpp: +(Inspector::InspectorDebuggerAgent::debuggerScopeExtensionObject): +(Inspector::InspectorDebuggerAgent::didPause): +* interpreter/Interpreter.cpp: +(JSC::Interpreter::debug): + 2022-04-14 Alexey Shvayka InternalFunction::createSubclassStructure() should use base object's global object Modified: trunk/Source/_javascript_Core/debugger/Debugger.cpp (292890 =>
[webkit-changes] [292830] trunk/Source/JavaScriptCore
Title: [292830] trunk/Source/_javascript_Core Revision 292830 Author ysuz...@apple.com Date 2022-04-13 14:01:19 -0700 (Wed, 13 Apr 2022) Log Message [JSC] Remove DeprecatedCallFrameForDebugger https://bugs.webkit.org/show_bug.cgi?id=239045 Reviewed by Devin Rousso. We should not enlarge sizeof(JSGlobalObject) by having DeprecatedCallFrameForDebugger which is only used for Debugger, and it is used only when we have an error when evaluating top-level SyntaxError. This patch removes it: we introduce EmptyTopLevelCallFrameForDebugger which can be constructed on stack and we use it instead of DeprecatedCallFrameForDebugger. * Source/_javascript_Core/debugger/Debugger.cpp: (JSC::Debugger::updateCallFrame): (JSC::EmptyTopLevelCallFrameForDebugger::EmptyTopLevelCallFrameForDebugger): (JSC::EmptyTopLevelCallFrameForDebugger::asCallFrame): (JSC::Debugger::exception): * Source/_javascript_Core/debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::create): (JSC::DebuggerCallFrame::positionForCallFrame): * Source/_javascript_Core/interpreter/CallFrame.cpp: (JSC::CallFrame::convertToStackOverflowFrame): (JSC::CallFrame::initDeprecatedCallFrameForDebugger): Deleted. * Source/_javascript_Core/interpreter/CallFrame.h: (JSC::CallFrame::isEmptyTopLevelCallFrameForDebugger const): (JSC::CallFrame::isDeprecatedCallFrameForDebugger const): Deleted. * Source/_javascript_Core/interpreter/Interpreter.cpp: (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown): * Source/_javascript_Core/runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::deprecatedCallFrameForDebugger): Deleted. 
* Source/_javascript_Core/runtime/JSGlobalObject.h: * Source/_javascript_Core/runtime/VM.cpp: (JSC::VM::throwException): Canonical link: https://commits.webkit.org/249603@main Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/debugger/Debugger.cpp trunk/Source/_javascript_Core/debugger/DebuggerCallFrame.cpp trunk/Source/_javascript_Core/interpreter/CallFrame.cpp trunk/Source/_javascript_Core/interpreter/CallFrame.h trunk/Source/_javascript_Core/interpreter/Interpreter.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/VM.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292829 => 292830) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-13 20:50:40 UTC (rev 292829) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-13 21:01:19 UTC (rev 292830) 
@@ -1,3 +1,37 @@ +2022-04-13 Yusuke Suzuki + +[JSC] Remove DeprecatedCallFrameForDebugger +https://bugs.webkit.org/show_bug.cgi?id=239045 + +Reviewed by Devin Rousso. + +We should not enlarge sizeof(JSGlobalObject) by having DeprecatedCallFrameForDebugger which is only used for Debugger, and it is used +only when we have an error when evaluating top-level SyntaxError. This patch removes it: we introduce EmptyTopLevelCallFrameForDebugger +which can be constructed on stack and we use it instead of DeprecatedCallFrameForDebugger. + +* debugger/Debugger.cpp: +(JSC::Debugger::updateCallFrame): +(JSC::EmptyTopLevelCallFrameForDebugger::EmptyTopLevelCallFrameForDebugger): +(JSC::EmptyTopLevelCallFrameForDebugger::asCallFrame): +(JSC::Debugger::exception): +* debugger/DebuggerCallFrame.cpp: +(JSC::DebuggerCallFrame::create): +(JSC::DebuggerCallFrame::positionForCallFrame): +* interpreter/CallFrame.cpp: +(JSC::CallFrame::convertToStackOverflowFrame): +(JSC::CallFrame::initDeprecatedCallFrameForDebugger): Deleted. +* interpreter/CallFrame.h: +(JSC::CallFrame::isEmptyTopLevelCallFrameForDebugger const): +(JSC::CallFrame::isDeprecatedCallFrameForDebugger const): Deleted. +* interpreter/Interpreter.cpp: +(JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown): +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::init): +(JSC::JSGlobalObject::deprecatedCallFrameForDebugger): Deleted. +* runtime/JSGlobalObject.h: +* runtime/VM.cpp: +(JSC::VM::throwException): + 2022-04-13 Chris Dumez Replace AtomString(const char*) with AtomString::fromLatin1(const char*) Modified: trunk/Source/_javascript_Core/debugger/Debugger.cpp (292829 => 292830) --- trunk/Source/_javascript_Core/debugger/Debugger.cpp 2022-04-13 20:50:40 UTC (rev 292829) +++ trunk/Source/_javascript_Core/debugger/Debugger.cpp 2022-04-13 21:01:19 UTC (rev 292830) 
@@ -1035,6 +1035,26 @@ return { }; } +class EmptyTopLevelCallFrameForDebugger { +public: +EmptyTopLevelCallFrameForDebugger(JSGlobalObject* globalObject) +{ +CallFrame* callFrame = asCallFrame(); +callFrame->setCodeBlock(nullptr); +callFrame->setCallerFrame(CallFrame::noCaller()); +callFrame->setReturnPC(nullptr); +
[webkit-changes] [292795] trunk/Source/JavaScriptCore
Title: [292795] trunk/Source/_javascript_Core Revision 292795 Author ysuz...@apple.com Date 2022-04-12 20:54:32 -0700 (Tue, 12 Apr 2022) Log Message [JSC] Move StructureCache from VM to JSGlobalObject https://bugs.webkit.org/show_bug.cgi?id=239044 Reviewed by Saam Barati. We should have StructureCache per JSGlobalObject since cached structures are tied to some of JSGlobalObject. This can (1) reduce size of each StructureCache, (2) destroy StructureCache timely at the destruction of JSGlobalObject, and (3) simplifies JSGlobalObject::haveABadTime handling in the compiler. * bytecode/InternalFunctionAllocationProfile.h: (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase): * bytecode/ObjectAllocationProfileInlines.h: (JSC::ObjectAllocationProfileBase::initializeProfile): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * runtime/InternalFunction.cpp: (JSC::InternalFunction::createSubclassStructure): * runtime/IteratorOperations.cpp: (JSC::createIteratorResultObjectStructure): * runtime/JSBoundFunction.cpp: (JSC::getBoundFunctionStructure): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject): (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut): (JSC::JSGlobalObject::haveABadTime): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::structureCache): * runtime/ObjectConstructor.h: (JSC::constructEmptyObject): (JSC::createDataPropertyDescriptorObjectStructure): (JSC::createAccessorPropertyDescriptorObjectStructure): * runtime/PrototypeKey.h: (JSC::PrototypeKey::PrototypeKey): (JSC::PrototypeKey::classInfo const): (JSC::PrototypeKey::operator== const): (JSC::PrototypeKey::hash const): (JSC::PrototypeKey::globalObject const): Deleted. 
* runtime/StructureCache.cpp: (JSC::StructureCache::createEmptyStructure): (JSC::StructureCache::emptyObjectStructureConcurrently): * runtime/StructureCache.h: * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/InternalFunctionAllocationProfile.h trunk/Source/_javascript_Core/bytecode/ObjectAllocationProfileInlines.h trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/runtime/InternalFunction.cpp trunk/Source/_javascript_Core/runtime/IteratorOperations.cpp trunk/Source/_javascript_Core/runtime/JSBoundFunction.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/ObjectConstructor.h trunk/Source/_javascript_Core/runtime/PrototypeKey.h trunk/Source/_javascript_Core/runtime/StructureCache.cpp trunk/Source/_javascript_Core/runtime/StructureCache.h trunk/Source/_javascript_Core/runtime/VM.cpp trunk/Source/_javascript_Core/runtime/VM.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292794 => 292795) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-13 03:15:43 UTC (rev 292794) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-13 03:54:32 UTC (rev 292795) 
@@ -1,3 +1,53 @@ +2022-04-12 Yusuke Suzuki + +[JSC] Move StructureCache from VM to JSGlobalObject +https://bugs.webkit.org/show_bug.cgi?id=239044 + +Reviewed by Saam Barati. + +We should have StructureCache per JSGlobalObject since cached structures are tied to some of JSGlobalObject. +This can (1) reduce size of each StructureCache, (2) destroy StructureCache timely at the destruction of +JSGlobalObject, and (3) simplifies JSGlobalObject::haveABadTime handling in the compiler. + +* bytecode/InternalFunctionAllocationProfile.h: +(JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase): +* bytecode/ObjectAllocationProfileInlines.h: +(JSC::ObjectAllocationProfileBase::initializeProfile): +* dfg/DFGAbstractInterpreterInlines.h: +(JSC::DFG::AbstractInterpreter::executeEffects): +* dfg/DFGConstantFoldingPhase.cpp: +(JSC::DFG::ConstantFoldingPhase::foldConstants): +* runtime/InternalFunction.cpp: +(JSC::InternalFunction::createSubclassStructure): +* runtime/IteratorOperations.cpp: +(JSC::createIteratorResultObjectStructure): +* runtime/JSBoundFunction.cpp: +(JSC::getBoundFunctionStructure): +* runtime/JSGlobalObject.cpp: +(JSC::JSGlobalObject::JSGlobalObject): +(JSC::JSGlobalObject::init): +(JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut): +(JSC::JSGlobalObject::haveABadTime): +* runtime/JSGlobalObject.h: +(JSC::JSGlobalObject::structureCache): +* runtime/ObjectConstructor.h: +(JSC::constructEmptyObject): +
[webkit-changes] [292714] trunk/Source
Title: [292714] trunk/Source Revision 292714 Author ysuz...@apple.com Date 2022-04-11 13:10:44 -0700 (Mon, 11 Apr 2022) Log Message [JSC] Reduce use of unnecessary cryptographicallyRandom numbers https://bugs.webkit.org/show_bug.cgi?id=239026 Reviewed by Saam Barati. Source/_javascript_Core: This patch removes cryptographically random calls in some of super hot critical path. MarkedBlock's use is very hot and it appears on Speedometer2 artrace. But this is just a random shuffling of freelist, and WeakRandom is enough for that. This patch replaces them with WeakRandom. It offers 0.3% improvement in Speedometer2. * assembler/AbstractMacroAssembler.cpp: (JSC::AbstractMacroAssemblerBase::initializeRandom): (WTF::printInternal): * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssemblerBase::random): (JSC::AbstractMacroAssembler::AbstractMacroAssembler): (JSC::AbstractMacroAssembler::random): Deleted. * b3/air/AirCode.cpp: (JSC::B3::Air::Code::Code): * b3/air/AirCode.h: (JSC::B3::Air::Code::weakRandom): Deleted. * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::specializedSweep): * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: (JSC::VM::heapRandom): Source/WebCore: We use createVersion4UUIDStringWeak since there is no need to use cryptographically random numbers for KeyframeEffect names. * animation/KeyframeEffect.cpp: (WebCore::KeyframeEffect::copyPropertiesFromSource): (WebCore::KeyframeEffect::updateBlendingKeyframes): (WebCore::KeyframeEffect::computeCSSTransitionBlendingKeyframes): Source/WTF: We add createVersion4UUIDStringWeak, which can generate UUID with WeakRandom numbers. 
* wtf/UUID.cpp: (WTF::convertRandomUInt128ToUUIDVersion4): (WTF::generateCryptographicallyRandomUUIDVersion4): (WTF::generateWeakRandomUUIDVersion4): (WTF::UUID::UUID): (WTF::createVersion4UUIDStringWeak): * wtf/UUID.h: * wtf/WeakRandom.h: Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.cpp trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h trunk/Source/_javascript_Core/b3/air/AirCode.cpp trunk/Source/_javascript_Core/b3/air/AirCode.h trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h trunk/Source/_javascript_Core/runtime/VM.cpp trunk/Source/_javascript_Core/runtime/VM.h trunk/Source/WTF/ChangeLog trunk/Source/WTF/wtf/UUID.cpp trunk/Source/WTF/wtf/UUID.h trunk/Source/WTF/wtf/WeakRandom.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/animation/KeyframeEffect.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292713 => 292714) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-11 20:04:18 UTC (rev 292713) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-11 20:10:44 UTC (rev 292714) 
@@ -1,5 +1,35 @@ 2022-04-11 Yusuke Suzuki +[JSC] Reduce use of unnecessary cryptographicallyRandom numbers +https://bugs.webkit.org/show_bug.cgi?id=239026 + +Reviewed by Saam Barati. + +This patch removes cryptographically random calls in some of super hot critical path. +MarkedBlock's use is very hot and it appears on Speedometer2 artrace. But this is just +a random shuffling of freelist, and WeakRandom is enough for that. This patch replaces +them with WeakRandom. It offers 0.3% improvement in Speedometer2. + +* assembler/AbstractMacroAssembler.cpp: +(JSC::AbstractMacroAssemblerBase::initializeRandom): +(WTF::printInternal): +* assembler/AbstractMacroAssembler.h: +(JSC::AbstractMacroAssemblerBase::random): +(JSC::AbstractMacroAssembler::AbstractMacroAssembler): +(JSC::AbstractMacroAssembler::random): Deleted. +* b3/air/AirCode.cpp: +(JSC::B3::Air::Code::Code): +* b3/air/AirCode.h: +(JSC::B3::Air::Code::weakRandom): Deleted. +* heap/MarkedBlockInlines.h: +(JSC::MarkedBlock::Handle::specializedSweep): +* runtime/VM.cpp: +(JSC::VM::VM): +* runtime/VM.h: +(JSC::VM::heapRandom): + +2022-04-11 Yusuke Suzuki + Unreviewed, use std::forward instead of WTFMove since it becomes template typename Vector&& https://bugs.webkit.org/show_bug.cgi?id=239025 Modified: trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.cpp (292713 => 292714) --- trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.cpp 2022-04-11 20:04:18 UTC (rev 292713) +++ trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.cpp 2022-04-11 20:10:44 UTC (rev 292714) @@ -30,17 +30,31 @@ #include +namespace JSC { + +void AbstractMacroAssemblerBase::initializeRandom() +{ +// No strong cryptographic characteristics are necessary. +static std::once_flag onceKey; +static uint32_t globalCounter; +std::call_once(onceKey, [&] { +globalCounter = cryptographicallyRandomNumber(); +}); +ASSERT(!m_randomSource); +m_randomSource.emplace(globalCounter++); +} + +} + namespace WTF {
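Review bot: In the new `AbstractMacroAssemblerBase::initializeRandom`, `globalCounter++` is a plain `static uint32_t` incremented outside the `std::call_once` guard, so if two assemblers are initialized on different threads at the same time (the hunk does not show the callers, but JSC does compile on worker threads) the increment is a data race and two assemblers can end up with the same seed. Declaring it `static std::atomic<uint32_t> globalCounter;` keeps the single-threaded behaviour and makes `m_randomSource.emplace(globalCounter++);` a proper atomic fetch-and-increment; the `[&]` capture on the `call_once` lambda is then also unnecessary, since it only touches the static. The comment `// No strong cryptographic characteristics are necessary.` would be more useful to the next reader if it stated the contract being relied on, e.g. `// Seeded once per process from cryptographicallyRandomNumber(), then advanced by a per-instance counter; the per-assembler stream only needs to be unpredictable across processes, not cryptographically strong.` If this source still feeds any security-relevant decision in the assembler (the consumers are outside this hunk), that dependency should be named in the comment rather than left implicit. The hunk's trailing context in `namespace WTF` continues outside this view.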
[webkit-changes] [292713] trunk/Source/JavaScriptCore
Title: [292713] trunk/Source/_javascript_Core Revision 292713 Author ysuz...@apple.com Date 2022-04-11 13:04:18 -0700 (Mon, 11 Apr 2022) Log Message Unreviewed, use std::forward instead of WTFMove since it becomes template typename Vector&& https://bugs.webkit.org/show_bug.cgi?id=239025 * bytecode/ObjectPropertyConditionSet.h: (JSC::ObjectPropertyConditionSet::create): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292712 => 292713) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-11 19:02:22 UTC (rev 292712) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-11 20:04:18 UTC (rev 292713) @@ -1,3 +1,11 @@ +2022-04-11 Yusuke Suzuki + +Unreviewed, use std::forward instead of WTFMove since it becomes template typename Vector&& +https://bugs.webkit.org/show_bug.cgi?id=239025 + +* bytecode/ObjectPropertyConditionSet.h: +(JSC::ObjectPropertyConditionSet::create): + 2022-04-10 Chris Dumez Unreviewed WatchOS build fix. Modified: trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.h (292712 => 292713) --- trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.h 2022-04-11 19:02:22 UTC (rev 292712) +++ trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.h 2022-04-11 20:04:18 UTC (rev 292713) @@ -62,7 +62,7 @@ return ObjectPropertyConditionSet(); ObjectPropertyConditionSet result; -result.m_data = Conditions::createFromVector(WTFMove(vector)); +result.m_data = Conditions::createFromVector(std::forward(vector)); ASSERT(result.isValid()); return result; } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [292697] trunk
Title: [292697] trunk Revision 292697 Author ysuz...@apple.com Date 2022-04-10 21:57:33 -0700 (Sun, 10 Apr 2022) Log Message [JSC] DFG / FTL should be aware of JSString's String replacement https://bugs.webkit.org/show_bug.cgi?id=238918 Reviewed by Saam Barati. JSTests: * stress/resolve-rope-get-by-val.js: Added. (shouldBe): (test): * stress/resolve-rope-string-char-at.js: Added. (shouldBe): (test): * stress/resolve-rope-string-char-code-at.js: Added. (shouldBe): (test): * stress/resolve-rope-string-code-point-at.js: Added. (shouldBe): (test): Source/_javascript_Core: After r289359, String in JSString* can be replaced even after it is resolved. When atomizing String inside JSString*, we may replace the existing one to new AtomStringImpl if different AtomStringImpl is already registered in the AtomStringTable. However, DFG / FTL GetIndexedPropertyStorage assumes that StringImpl* in JSString* never changes after resolving. And this is wrong. This patch decouples String handling in GetIndexedPropertyStorage as ResolveRope DFG node. GetIndexedPropertyStorage no longer handles JSString and it is now tailored to object cases. ResolveRope does not expose StringImpl::m_data pointer, and instead it keeps resolved JSString*. After this change, GetByVal(String:@0, Untyped:@1, GetIndexedProperty(String:@0)) is changed to GetByVal(ResolveRope(String:@0), Untyped:@1) Also, we revisit all the value(...) callsites (by changing function name) and ensure that we have no code assuming String cannot be changed after resolving. A/B test ensured that this is perf-neutral. 
* b3/B3Generate.cpp: (JSC::B3::generateToAir): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitEqualityOpImpl): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::checkArray): * dfg/DFGNode.h: (JSC::DFG::Node::hasStorageChild const): (JSC::DFG::Node::storageChildIndex): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): (JSC::DFG::SpeculativeJIT::compileGetByValOnString): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::compileStringCodePointAt): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLCompile.cpp: (JSC::FTL::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileResolveRope): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAtImpl): (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt): (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt): * jsc.cpp: (JSC_DEFINE_HOST_FUNCTION): * runtime/HashMapImplInlines.h: (JSC::jsMapHashImpl): * runtime/InternalFunction.cpp: (JSC::InternalFunction::name): (JSC::InternalFunction::displayName): (JSC::InternalFunction::calculatedDisplayName): 
* runtime/InternalFunction.h: * runtime/JSBoundFunction.h: * runtime/JSCJSValueInlines.h: (JSC::toPreferredPrimitiveType): * runtime/JSModuleLoader.cpp: (JSC::JSModuleLoader::importModule): * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): * runtime/JSPropertyNameEnumerator.cpp: (JSC::JSPropertyNameEnumerator::computeNext): * runtime/JSRemoteFunction.h: * runtime/Operations.h: (JSC::jsString): (JSC::compareBigIntToOtherPrimitive): (JSC::compareBigInt32ToOtherPrimitive): * runtime/RegExpMatchesArray.h: (JSC::createRegExpMatchesArray): * runtime/StringPrototype.cpp: (JSC::JSC_DEFINE_JIT_OPERATION): (JSC::JSC_DEFINE_HOST_FUNCTION): * runtime/SymbolConstructor.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * tools/JSDollarVM.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): Source/WebCore: * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::reportViolationForUnsafeEval): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/b3/B3Generate.cpp trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGClobberize.h trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp
[webkit-changes] [292682] trunk/Source/JavaScriptCore
Title: [292682] trunk/Source/_javascript_Core Revision 292682 Author ysuz...@apple.com Date 2022-04-09 15:25:24 -0700 (Sat, 09 Apr 2022) Log Message [JSC] Use Vector with inline capacity in ObjectPropertyConditionSet creation https://bugs.webkit.org/show_bug.cgi?id=239025 Reviewed by Keith Miller. Since we allocate a ThreadSafeRefCountedFixedVector of exactly the right size in ObjectPropertyConditionSet anyway, generateXXX and mergeWith should not allocate a heap Vector just to temporarily collect ObjectPropertyConditions. We pick an inline capacity of 8 for the generateXXX functions and 16 for the mergeWith function. These look like reasonable numbers and at least cover all cases in Speedometer2. * bytecode/ObjectPropertyConditionSet.cpp: (JSC::ObjectPropertyConditionSet::mergedWith const): (JSC::generateConditionsForPropertyMiss): (JSC::generateConditionsForPropertySetterMiss): (JSC::generateConditionsForPrototypePropertyHit): (JSC::generateConditionsForPrototypePropertyHitCustom): (JSC::generateConditionsForInstanceOf): (JSC::generateConditionsForPrototypeEquivalenceConcurrently): (JSC::generateConditionsForPropertyMissConcurrently): (JSC::generateConditionsForPropertySetterMissConcurrently): * bytecode/ObjectPropertyConditionSet.h: (JSC::ObjectPropertyConditionSet::create): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292681 => 292682) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-09 20:26:16 UTC (rev 292681) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-09 22:25:24 UTC (rev 292682) 
@@ -1,3 +1,27 @@ +2022-04-09 Yusuke Suzuki + +[JSC] Use Vector with inline capacity in ObjectPropertyConditionSet creation +https://bugs.webkit.org/show_bug.cgi?id=239025 + +Reviewed by Keith Miller. + +Since we anyway allocate ThreadSafeRefCountedFixedVector in ObjectPropertyConditionSet, which has exact size, +generateXXX and mergeWith should not allocate heap Vector just for temporarily collecting ObjectPropertyCondition. +We pick 8 in generateXXX function and 16 for mergeWith function. This looks reasonable number and at least covers all cases in Speedometer2. + +* bytecode/ObjectPropertyConditionSet.cpp: +(JSC::ObjectPropertyConditionSet::mergedWith const): +(JSC::generateConditionsForPropertyMiss): +(JSC::generateConditionsForPropertySetterMiss): +(JSC::generateConditionsForPrototypePropertyHit): +(JSC::generateConditionsForPrototypePropertyHitCustom): +(JSC::generateConditionsForInstanceOf): +(JSC::generateConditionsForPrototypeEquivalenceConcurrently): +(JSC::generateConditionsForPropertyMissConcurrently): +(JSC::generateConditionsForPropertySetterMissConcurrently): +* bytecode/ObjectPropertyConditionSet.h: +(JSC::ObjectPropertyConditionSet::create): + 2022-04-09 Adrian Perez de Castro [GTK][WPE] Missing inter-module documentation links Modified: trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp (292681 => 292682) --- trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp 2022-04-09 20:26:16 UTC (rev 292681) +++ trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp 2022-04-09 22:25:24 UTC (rev 292682) @@ -102,7 +102,7 @@ if (!isValid() || !other.isValid()) return invalid(); -Vector result; +Vector result; if (!isEmpty()) result.append(m_data->begin(), m_data->size()); @@ -121,7 +121,7 @@ result.append(newCondition); } -return create(WTFMove(result)); +return ObjectPropertyConditionSet::create(WTFMove(result)); } bool ObjectPropertyConditionSet::structuresEnsureValidity() const 
@@ -247,7 +247,7 @@ ObjectPropertyConditionSet generateConditions( VM& vm, JSGlobalObject* globalObject, Structure* structure, JSObject* prototype, const Functor& functor) { -Vector conditions; +Vector conditions; for (;;) { if (ObjectPropertyConditionSetInternal::verbose) @@ -315,7 +315,7 @@ { return generateConditions( vm, globalObject, headStructure, nullptr, -[&] (Vector& conditions, JSObject* object) -> bool { +[&](auto& conditions, JSObject* object) -> bool { ObjectPropertyCondition result = generateCondition(vm, owner, object, uid, PropertyCondition::Absence, Concurrency::MainThread); if (!result) @@ -330,7 +330,7 @@ { return generateConditions( vm, globalObject, headStructure, nullptr, -[&] (Vector& conditions, JSObject* object) -> bool { +[&](auto& conditions, JSObject* object) -> bool { ObjectPropertyCondition result = generateCondition(vm, owner, object, uid,
[webkit-changes] [292594] trunk
Title: [292594] trunk Revision 292594 Author ysuz...@apple.com Date 2022-04-07 23:58:47 -0700 (Thu, 07 Apr 2022) Log Message [JSC] Fire structure transition watchpoint in Structure::finishCreation instead of Structure constructor https://bugs.webkit.org/show_bug.cgi?id=238980 Reviewed by Saam Barati. JSTests: * stress/heap-allocation-in-did-structure-transition-watchpoint.js: Added. (__isPropertyOfType): (__getProperties): (__getObjects): (__getRandomObject): (__getRandomProperty): (__callGC): (get var): Source/_javascript_Core: After https://github.com/WebKit/WebKit/commit/dc3a347474a183891f8e07966dc09e684d7a1d13 change, we start using Structure::get in the main thread. However one of the difference between Structure::get and Structure::getConcurrently is that it can allocate GC memory: PropertyTable can be materialized. Structure constructor was firing structure transition watchpoint. And some of watchpoints were using Structure::getConcurrently. That's fine before, but now, it becomes Structure::get. It is not OK since we cannot allocate GC memory inside constructor of GC managed objects. This patch split didTransitionFromThisStructure into didTransitionFromThisStructureWithoutFiringWatchpoint and fireStructureTransitionWatchpoint. And firing watchpoints in Structure::finishCreation instead of Structure constructor so that we can allocate GC memory while firing watchpoints. 
* runtime/BrandedStructure.cpp: (JSC::BrandedStructure::BrandedStructure): (JSC::BrandedStructure::create): * runtime/BrandedStructure.h: * runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::Structure::didTransitionFromThisStructureWithoutFiringWatchpoint const): (JSC::Structure::fireStructureTransitionWatchpoint const): (JSC::Structure::didTransitionFromThisStructure const): * runtime/Structure.h: (JSC::Structure::finishCreation): * runtime/StructureInlines.h: (JSC::Structure::create): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/BrandedStructure.cpp trunk/Source/_javascript_Core/runtime/BrandedStructure.h trunk/Source/_javascript_Core/runtime/Structure.cpp trunk/Source/_javascript_Core/runtime/Structure.h trunk/Source/_javascript_Core/runtime/StructureInlines.h Added Paths trunk/JSTests/stress/heap-allocation-in-did-structure-transition-watchpoint.js Diff Modified: trunk/JSTests/ChangeLog (292593 => 292594) --- trunk/JSTests/ChangeLog 2022-04-08 05:40:06 UTC (rev 292593) +++ trunk/JSTests/ChangeLog 2022-04-08 06:58:47 UTC (rev 292594) @@ -1,3 +1,19 @@ +2022-04-07 Yusuke Suzuki + +[JSC] Fire structure transition watchpoint in Structure::finishCreation instead of Structure constructor +https://bugs.webkit.org/show_bug.cgi?id=238980 + +Reviewed by Saam Barati. + +* stress/heap-allocation-in-did-structure-transition-watchpoint.js: Added. +(__isPropertyOfType): +(__getProperties): +(__getObjects): +(__getRandomObject): +(__getRandomProperty): +(__callGC): +(get var): + 2022-04-07 Geza Lore [JSC][ARMv7] Support proper near calls and JUMP_ISLANDS Added: trunk/JSTests/stress/heap-allocation-in-did-structure-transition-watchpoint.js (0 => 292594) --- trunk/JSTests/stress/heap-allocation-in-did-structure-transition-watchpoint.js (rev 0) +++ trunk/JSTests/stress/heap-allocation-in-did-structure-transition-watchpoint.js 2022-04-08 06:58:47 UTC (rev 292594) 
@@ -0,0 +1,33 @@ +function __isPropertyOfType() { +} +function __getProperties(obj) { + let properties = []; + for (let name of Object.getOwnPropertyNames(obj)) { + properties.push(); + } +} +function* __getObjects() { + let obj_names = __getProperties( 'object'); +} +function __getRandomObject() { + for (let obj of __getObjects()) { + } +} +function __getRandomProperty() { +} +(function () { + __callGC = function () { + gc(); + }; +})(); + Array.prototype[2] = undefined; +__getRandomObject(), { + get: function () { + } +}; +var __v_18 = Function(); + delete __v_18[__getRandomProperty()], __callGC(); + for (var __v_26 = 0; __v_26 < 10; ++__v_26) { + Object.defineProperty(Array.prototype, __v_26, { + }); + } \ No newline at end of file Modified: trunk/Source/_javascript_Core/ChangeLog (292593 => 292594) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-08 05:40:06 UTC (rev 292593) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-08 06:58:47 UTC (rev 292594) @@ -1,3 +1,36 @@ +2022-04-07 Yusuke Suzuki + +[JSC] Fire structure transition watchpoint in Structure::finishCreation instead of Structure constructor +https://bugs.webkit.org/show_bug.cgi?id=238980 + +Reviewed by Saam Barati. + +After https://github.com/WebKit/WebKit/commit/dc3a347474a183891f8e07966dc09e684d7a1d13 change, +we start using Structure::get in the main thread. However one of the difference
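Review bot: The new stress test carries no comment saying what it reproduces, and its fuzzer-reduced body (`__getProperties` fills `properties` but never returns it, `__getObjects` yields nothing) does not explain itself. A one-line header would help whoever next sees it fail, e.g. `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=238980: firing a structure transition watchpoint may allocate GC memory, so it must happen in Structure::finishCreation rather than the Structure constructor; this must not crash.`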
[webkit-changes] [292513] trunk/Source/bmalloc
Title: [292513] trunk/Source/bmalloc Revision 292513 Author ysuz...@apple.com Date 2022-04-06 15:47:34 -0700 (Wed, 06 Apr 2022) Log Message [libpas] Run TLC decommit rarely https://bugs.webkit.org/show_bug.cgi?id=238855 Reviewed by Saam Barati. We were running libpas TLC decommit every time, which is too frequent. We should capture the IsoHeap allocation pattern over a much longer period, and perform TLC decommit at that lower frequency. This patch changes it so that we run it only once every 128 scavenger runs, which is roughly once every 13 seconds. * libpas/src/libpas/pas_scavenger.c: (scavenger_thread_main): (pas_scavenger_clear_all_caches): * libpas/src/libpas/pas_thread_local_cache.c: (pas_thread_local_cache_for_all): * libpas/src/libpas/pas_thread_local_cache.h: * libpas/src/test/TLCDecommitTests.cpp: (std::testTLCDecommit): (std::testTLCDecommitThenDestroyImpl): (std::testTLCDecommitThenDeallocate): Modified Paths trunk/Source/bmalloc/ChangeLog trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c trunk/Source/bmalloc/libpas/src/libpas/pas_thread_local_cache.c trunk/Source/bmalloc/libpas/src/libpas/pas_thread_local_cache.h trunk/Source/bmalloc/libpas/src/test/TLCDecommitTests.cpp Diff Modified: trunk/Source/bmalloc/ChangeLog (292512 => 292513) --- trunk/Source/bmalloc/ChangeLog 2022-04-06 22:41:39 UTC (rev 292512) +++ trunk/Source/bmalloc/ChangeLog 2022-04-06 22:47:34 UTC (rev 292513)
@@ -1,3 +1,25 @@ +2022-04-06 Yusuke Suzuki + +[libpas] Run TLC decommit rarely +https://bugs.webkit.org/show_bug.cgi?id=238855 + +Reviewed by Saam Barati. + +We were running libpas TLC decommit every time. But it is too frequent. We should capture IsoHeap allocation pattern +with much more longer period, and perform TLC decommit in such a low-frequency rate. +This patch changes it so that we run it only once a 128 scavenger run. It is roughly once a 13 seconds. + +* libpas/src/libpas/pas_scavenger.c: +(scavenger_thread_main): +(pas_scavenger_clear_all_caches): +* libpas/src/libpas/pas_thread_local_cache.c: +(pas_thread_local_cache_for_all): +* libpas/src/libpas/pas_thread_local_cache.h: +* libpas/src/test/TLCDecommitTests.cpp: +(std::testTLCDecommit): +(std::testTLCDecommitThenDestroyImpl): +(std::testTLCDecommitThenDeallocate): + 2022-04-06 Commit Queue Unreviewed, reverting r292450. Modified: trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c (292512 => 292513) --- trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c 2022-04-06 22:41:39 UTC (rev 292512) +++ trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c 2022-04-06 22:47:34 UTC (rev 292513) @@ -69,6 +69,10 @@ uint64_t pas_scavenger_max_epoch_delta = 300ll * 1000ll * 1000ll; #endif +static uint32_t pas_scavenger_tick_count = 0; +/* Run thread-local-cache decommit once a N. It should be power of two. */ +#define PAS_THREAD_LOCAL_CACHE_DECOMMIT_PERIOD_COUNT 128 /* Roughly speaking, it runs once per 13 seconds. */ + #if PAS_OS(DARWIN) static _Atomic qos_class_t pas_scavenger_requested_qos_class = QOS_CLASS_USER_INITIATED; @@ -192,6 +196,7 @@ double time_in_milliseconds; double absolute_timeout_in_milliseconds_for_period_sleep; pas_scavenger_activity_callback completion_callback; +pas_thread_local_cache_decommit_action thread_local_cache_decommit_action; bool should_go_again; uint64_t epoch; uint64_t delta; 
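Review bot: The comment on `PAS_THREAD_LOCAL_CACHE_DECOMMIT_PERIOD_COUNT` says the value should be a power of two but neither explains why nor enforces it; the reason, as far as the hunk shows, is that `pas_scavenger_tick_count` is a `uint32_t` that wraps, and only a power-of-two period keeps `tick % period` on the same cadence across the wrap. A compile-time check makes the requirement unmissable, e.g. `_Static_assert((PAS_THREAD_LOCAL_CACHE_DECOMMIT_PERIOD_COUNT & (PAS_THREAD_LOCAL_CACHE_DECOMMIT_PERIOD_COUNT - 1)) == 0, "TLC decommit period must be a power of two");`, and the comment could say `/* Must be a power of two so the modulo stays periodic when the uint32 tick counter wraps. */`. The "once per 13 seconds" figure depends on the scavenger period, which is not in this hunk, so it will go stale silently if that period changes. The same hunk appears again below in r292450, the original landing of this change, and this note applies there too.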
@@ -208,6 +213,7 @@
pthread_set_qos_class_self_np(configured_qos_class, 0);
}
#endif
+++pas_scavenger_tick_count;
should_go_again = false;
@@ -229,9 +235,16 @@
pas_utility_heap_for_all_allocators(pas_allocator_scavenge_request_stop_action, pas_lock_is_not_held);
+thread_local_cache_decommit_action = pas_thread_local_cache_decommit_no_action;
+if ((pas_scavenger_tick_count % PAS_THREAD_LOCAL_CACHE_DECOMMIT_PERIOD_COUNT) == 0) {
+if (verbose)
+printf("Attempt to decommit unused TLC\n");
+thread_local_cache_decommit_action = pas_thread_local_cache_decommit_if_possible_action;
+}
should_go_again |= pas_thread_local_cache_for_all(pas_allocator_scavenge_request_stop_action,
- pas_deallocator_scavenge_flush_log_if_clean_action);
+ pas_deallocator_scavenge_flush_log_if_clean_action,
+ thread_local_cache_decommit_action);
should_go_again |= handle_expendable_memory(pas_expendable_memory_scavenge_periodic);
@@ -502,7 +515,8 @@
pas_scavenger_clear_all_caches_except_remote_tlcs();
pas_thread_local_cache_for_all(pas_allocator_scavenge_force_stop_action,
-
[webkit-changes] [292484] trunk
Title: [292484] trunk Revision 292484 Author ysuz...@apple.com Date 2022-04-06 11:48:46 -0700 (Wed, 06 Apr 2022) Log Message [JSC] Substring resolving should check 8bit / 16bit again https://bugs.webkit.org/show_bug.cgi?id=236775 Reviewed by Saam Barati. JSTests: * stress/8bit-16bit-atomize-conversion.js: Added. (main.v64): (main): Source/_javascript_Core: A substring JSString wraps another JSString. Thus it is possible for the underlying JSString's 8-bit / 16-bit status to become different from the substring wrapper's bit. We should not assume they are the same. * runtime/JSString.cpp: (JSC::JSRopeString::resolveRopeInternal const): (JSC::JSRopeString::resolveRopeToAtomString const): (JSC::JSRopeString::resolveRopeToExistingAtomString const): (JSC::JSRopeString::resolveRopeInternal8 const): Deleted. (JSC::JSRopeString::resolveRopeInternal16 const): Deleted. * runtime/JSString.h: Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSString.cpp trunk/Source/_javascript_Core/runtime/JSString.h Added Paths trunk/JSTests/stress/8bit-16bit-atomize-conversion.js Diff Modified: trunk/JSTests/ChangeLog (292483 => 292484) --- trunk/JSTests/ChangeLog 2022-04-06 18:29:39 UTC (rev 292483) +++ trunk/JSTests/ChangeLog 2022-04-06 18:48:46 UTC (rev 292484)
@@ -0,0 +1,18 @@ +function main() { +for (let v27 = 0; v27 < 100; v27++) { +const v44 = [0,0,1.1]; +const v61 = v44.toLocaleString(); +const v62 = eval(Math); +v63 = v61.substring(v62,v27); + +function v64() { +if (v62) { +Math[v61] = []; +} +const v82 = (-1.0).__proto__; +delete v82[v63]; +} +v64(); +} +} +main(); Modified: trunk/Source/_javascript_Core/ChangeLog (292483 => 292484) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-06 18:29:39 UTC (rev 292483) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-06 18:48:46 UTC (rev 292484) @@ -1,3 +1,22 @@ +2022-04-06 Yusuke Suzuki + +[JSC] Substring resolving should check 8bit / 16bit again +https://bugs.webkit.org/show_bug.cgi?id=236775 + + +Reviewed by Saam Barati. + +Substring JSString is wrapping JSString. Thus it is possible that underlying JSString's 8Bit / 16Bit status +becomes different from substring JSString wrapper's bit. We should not assume they are the same. + +* runtime/JSString.cpp: +(JSC::JSRopeString::resolveRopeInternal const): +(JSC::JSRopeString::resolveRopeToAtomString const): +(JSC::JSRopeString::resolveRopeToExistingAtomString const): +(JSC::JSRopeString::resolveRopeInternal8 const): Deleted. +(JSC::JSRopeString::resolveRopeInternal16 const): Deleted. +* runtime/JSString.h: + 2022-04-06 Chris Dumez Reduce number of conversions from StringView to String Modified: trunk/Source/_javascript_Core/runtime/JSString.cpp (292483 => 292484) --- trunk/Source/_javascript_Core/runtime/JSString.cpp 2022-04-06 18:29:39 UTC (rev 292483) +++ trunk/Source/_javascript_Core/runtime/JSString.cpp 2022-04-06 18:48:46 UTC (rev 292484) 
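Review bot: The new test has no comment linking it to the bug it reproduces, and nothing in its reduced body (`eval(Math)`, `v61.substring(v62,v27)`, `delete v82[v63]`) says which step exercises the substring width mismatch. A header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=236775: resolving a substring JSString whose base string has changed 8-bit/16-bit width must not assume the wrapper's width; this must not crash.` would make the intent recoverable when it next fails.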
@@ -152,10 +152,17 @@
static constexpr unsigned maxLengthForOnStackResolve = 2048;
-void JSRopeString::resolveRopeInternal8(LChar* buffer) const
+template
+void JSRopeString::resolveRopeInternal(CharacterType* buffer) const
{
if (isSubstring()) {
-StringImpl::copyCharacters(buffer, substringBase()->valueInternal().characters8() + substringOffset(), length());
+// It is possible that underlying string becomes 8bit/16bit while wrapper substring is saying it is 16bit/8bit.
+// But It is definitely true that substring part can be represented as its parent's status 8bit/16bit, which is described as CharacterType.
+auto& string = substringBase()->valueInternal();
+if (string.is8Bit())
+StringImpl::copyCharacters(buffer, string.characters8() + substringOffset(), length());
+else
+StringImpl::copyCharacters(buffer, string.characters16() + substringOffset(), length());
return;
}
@@ -162,17 +169,6 @@
resolveRopeInternalNoSubstring(buffer);
}
-void
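Review bot: The new `else` branch copies `string.characters16()` into `buffer`, which is a `CharacterType*` and may be `LChar*` when this instantiation resolves an 8-bit wrapper whose base has since become 16-bit; the comment asserts that the substring's characters still fit, but nothing in the hunk checks it. If the UChar-to-LChar overload of `StringImpl::copyCharacters` already asserts each character fits in debug builds, the comment should say so; otherwise a debug-only `ASSERT` over the substring range would catch a wrapper whose 8-bit flag has gone stale. The comment itself would read better as `// The base string's 8-bit/16-bit width may have changed since this substring was created, but the substring's own characters always fit in CharacterType.` The rendered `template` line has lost its parameter list, presumably to the mailing-list formatter, and the function body continues into the next hunk, which is cut off here.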
[webkit-changes] [292450] trunk/Source/bmalloc
Title: [292450] trunk/Source/bmalloc Revision 292450 Author ysuz...@apple.com Date 2022-04-05 23:06:15 -0700 (Tue, 05 Apr 2022) Log Message [libpas] Run TLC decommit rarely https://bugs.webkit.org/show_bug.cgi?id=238855 Reviewed by Saam Barati. We were running libpas TLC decommit every time, which is too frequent. We should capture the IsoHeap allocation pattern over a much longer period, and perform TLC decommit at that lower frequency. This patch changes it so that we run it only once every 128 scavenger runs, which is roughly once every 13 seconds. * libpas/src/libpas/pas_scavenger.c: (scavenger_thread_main): (pas_scavenger_clear_all_caches): * libpas/src/libpas/pas_thread_local_cache.c: (pas_thread_local_cache_for_all): * libpas/src/libpas/pas_thread_local_cache.h: * libpas/src/test/TLCDecommitTests.cpp: (std::testTLCDecommit): (std::testTLCDecommitThenDestroyImpl): (std::testTLCDecommitThenDeallocate): Modified Paths trunk/Source/bmalloc/ChangeLog trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c trunk/Source/bmalloc/libpas/src/libpas/pas_thread_local_cache.c trunk/Source/bmalloc/libpas/src/libpas/pas_thread_local_cache.h trunk/Source/bmalloc/libpas/src/test/TLCDecommitTests.cpp Diff Modified: trunk/Source/bmalloc/ChangeLog (292449 => 292450) --- trunk/Source/bmalloc/ChangeLog 2022-04-06 05:30:07 UTC (rev 292449) +++ trunk/Source/bmalloc/ChangeLog 2022-04-06 06:06:15 UTC (rev 292450)
@@ -1,3 +1,25 @@ +2022-04-05 Yusuke Suzuki + +[libpas] Run TLC decommit rarely +https://bugs.webkit.org/show_bug.cgi?id=238855 + +Reviewed by Saam Barati. + +We were running libpas TLC decommit every time. But it is too frequent. We should capture IsoHeap allocation pattern +with much more longer period, and perform TLC decommit in such a low-frequency rate. +This patch changes it so that we run it only once a 128 scavenger run. It is roughly once a 13 seconds. + +* libpas/src/libpas/pas_scavenger.c: +(scavenger_thread_main): +(pas_scavenger_clear_all_caches): +* libpas/src/libpas/pas_thread_local_cache.c: +(pas_thread_local_cache_for_all): +* libpas/src/libpas/pas_thread_local_cache.h: +* libpas/src/test/TLCDecommitTests.cpp: +(std::testTLCDecommit): +(std::testTLCDecommitThenDestroyImpl): +(std::testTLCDecommitThenDeallocate): + 2022-04-05 Basuke Suzuki [PlayStation] Enable libpas. Modified: trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c (292449 => 292450) --- trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c 2022-04-06 05:30:07 UTC (rev 292449) +++ trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c 2022-04-06 06:06:15 UTC (rev 292450) @@ -69,6 +69,10 @@ uint64_t pas_scavenger_max_epoch_delta = 300ll * 1000ll * 1000ll; #endif +static uint32_t pas_scavenger_tick_count = 0; +/* Run thread-local-cache decommit once a N. It should be power of two. */ +#define PAS_THREAD_LOCAL_CACHE_DECOMMIT_PERIOD_COUNT 128 /* Roughly speaking, it runs once per 13 seconds. */ + #if PAS_OS(DARWIN) static _Atomic qos_class_t pas_scavenger_requested_qos_class = QOS_CLASS_USER_INITIATED; @@ -192,6 +196,7 @@ double time_in_milliseconds; double absolute_timeout_in_milliseconds_for_period_sleep; pas_scavenger_activity_callback completion_callback; +pas_thread_local_cache_decommit_action thread_local_cache_decommit_action; bool should_go_again; uint64_t epoch; uint64_t delta; 
@@ -208,6 +213,7 @@ pthread_set_qos_class_self_np(configured_qos_class, 0); } #endif +++pas_scavenger_tick_count; should_go_again = false; @@ -229,9 +235,16 @@ pas_utility_heap_for_all_allocators(pas_allocator_scavenge_request_stop_action, pas_lock_is_not_held); +thread_local_cache_decommit_action = pas_thread_local_cache_decommit_no_action; +if ((pas_scavenger_tick_count % PAS_THREAD_LOCAL_CACHE_DECOMMIT_PERIOD_COUNT) == 0) { +if (verbose) +printf("Attempt to decommit unused TLC\n"); +thread_local_cache_decommit_action = pas_thread_local_cache_decommit_if_possible_action; +} should_go_again |= pas_thread_local_cache_for_all(pas_allocator_scavenge_request_stop_action, - pas_deallocator_scavenge_flush_log_if_clean_action); + pas_deallocator_scavenge_flush_log_if_clean_action, + thread_local_cache_decommit_action); should_go_again |= handle_expendable_memory(pas_expendable_memory_scavenge_periodic); @@ -502,7 +515,8 @@ pas_scavenger_clear_all_caches_except_remote_tlcs(); pas_thread_local_cache_for_all(pas_allocator_scavenge_force_stop_action, -
[webkit-changes] [292447] trunk/Source/JavaScriptCore
Title: [292447] trunk/Source/_javascript_Core Revision 292447 Author ysuz...@apple.com Date 2022-04-05 20:41:00 -0700 (Tue, 05 Apr 2022) Log Message [JSC] Use inlined assertion for CodeBlock type https://bugs.webkit.org/show_bug.cgi?id=238849 Reviewed by Michael Saboff. We introduced probeDebug-based CodeBlock assertion, but it is too slow and causing timeout on Debug JSC tests. Instead, we use inlined assertion which is much faster to prevent these Debug build timeout. * assembler/AbortReason.h: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compileEntry): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCurrentBlock): * dfg/DFGThunks.cpp: (JSC::DFG::osrEntryThunkGenerator): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameWithType): (JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameIsOptimizingJIT): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameWithType): (JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameIsOptimizingJIT): * jit/JIT.cpp: (JSC::JIT::compileAndLinkWithoutFinalizing): * jit/JITCode.h: (JSC::JITCode::offsetOfJITType): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/AbortReason.h trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGThunks.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/jit/JITCode.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292446 => 292447) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-06 03:27:14 UTC (rev 292446) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-06 03:41:00 UTC (rev 292447) 
@@ -1,5 +1,35 @@ 2022-04-05 Yusuke Suzuki +[JSC] Use inlined assertion for CodeBlock type +https://bugs.webkit.org/show_bug.cgi?id=238849 + +Reviewed by Michael Saboff. + +We introduced probeDebug-based CodeBlock assertion, but it is too slow and causing timeout on Debug JSC tests. +Instead, we use inlined assertion which is much faster to prevent these Debug build timeout. + +* assembler/AbortReason.h: +* dfg/DFGJITCompiler.cpp: +(JSC::DFG::JITCompiler::compileEntry): +* dfg/DFGSpeculativeJIT.cpp: +(JSC::DFG::SpeculativeJIT::compileCurrentBlock): +* dfg/DFGThunks.cpp: +(JSC::DFG::osrEntryThunkGenerator): +* ftl/FTLLowerDFGToB3.cpp: +(JSC::FTL::DFG::LowerDFGToB3::lower): +* jit/AssemblyHelpers.cpp: +(JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameWithType): +(JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameIsOptimizingJIT): +* jit/AssemblyHelpers.h: +(JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameWithType): +(JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameIsOptimizingJIT): +* jit/JIT.cpp: +(JSC::JIT::compileAndLinkWithoutFinalizing): +* jit/JITCode.h: +(JSC::JITCode::offsetOfJITType): + +2022-04-05 Yusuke Suzuki + [JSC] Strictly annotate pointers with TrustedImmPtr in CCallHelpers https://bugs.webkit.org/show_bug.cgi?id=238827 Modified: trunk/Source/_javascript_Core/assembler/AbortReason.h (292446 => 292447) --- trunk/Source/_javascript_Core/assembler/AbortReason.h 2022-04-06 03:27:14 UTC (rev 292446) +++ trunk/Source/_javascript_Core/assembler/AbortReason.h 2022-04-06 03:41:00 UTC (rev 292447) 
@@ -42,6 +42,7 @@
AHIsNotJSNumber = 80,
AHIsNotNull = 90,
AHStackPointerMisaligned = 100,
+AHInvalidCodeBlock= 101,
AHStructureIDIsValid = 110,
AHNotCellMaskNotInPlace = 120,
AHNumberTagNotInPlace = 130,
Modified: trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp (292446 => 292447)
--- trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp 2022-04-06 03:27:14 UTC (rev 292446)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp 2022-04-06 03:41:00 UTC (rev 292447)
@@ -111,12 +111,7 @@
// check) which will be dependent on stack layout. (We'd need to account for this in
// both normal return code and when jumping to an exception handler).
emitFunctionPrologue();
-#if ASSERT_ENABLED
-probeDebug([=](Probe::Context& ctx) {
-CodeBlock* codeBlock = ctx.fp()->codeBlock();
-RELEASE_ASSERT(codeBlock->jitType() == JITType::DFGJIT);
-});
-#endif
+jitAssertCodeBlockOnCallFrameWithType(GPRInfo::regT2, JITType::DFGJIT);
}
void JITCompiler::compileSetupRegistersForEntry()
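Review bot: `AHInvalidCodeBlock= 101,` is missing the space before `=` that every neighbouring enumerator has; it should be `AHInvalidCodeBlock = 101,`. It is also the first value in this list that is not a multiple of 10, which is fine if the numbers are only abort codes, but a short comment on why it sits between 100 and 110 would keep the next addition consistent.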
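Review bot: The replacement `jitAssertCodeBlockOnCallFrameWithType(GPRInfo::regT2, JITType::DFGJIT)` takes a scratch register, so unlike the removed `probeDebug` (which preserved all registers) it clobbers `regT2` right after `emitFunctionPrologue()`; that is presumably safe because nothing is live in `regT2` at function entry, but a comment such as `// Uses regT2 as scratch; nothing is live there yet at entry.` would make the assumption explicit. The `#if ASSERT_ENABLED` guard was dropped at the call site, so the new helper in AssemblyHelpers (modified in this commit but not shown here) should itself compile to nothing when assertions are off. The enclosing `compileEntry` starts before this hunk.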
[webkit-changes] [292374] trunk/Source/bmalloc
Title: [292374] trunk/Source/bmalloc Revision 292374 Author ysuz...@apple.com Date 2022-04-04 22:20:51 -0700 (Mon, 04 Apr 2022) Log Message [libpas] Do not need to call pthread_set_qos_class_self_np repeatedly https://bugs.webkit.org/show_bug.cgi?id=238785 Reviewed by Mark Lam. Let's remember previously set QOS class and avoid resetting it if the value is not changed. * bmalloc/bmalloc.cpp: (bmalloc::api::setScavengerThreadQOSClass): * libpas/src/libpas/pas_scavenger.c: (pas_scavenger_set_requested_qos_class): (scavenger_thread_main): * libpas/src/libpas/pas_scavenger.h: Modified Paths trunk/Source/bmalloc/ChangeLog trunk/Source/bmalloc/bmalloc/bmalloc.cpp trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.h Diff Modified: trunk/Source/bmalloc/ChangeLog (292373 => 292374) --- trunk/Source/bmalloc/ChangeLog 2022-04-05 04:18:13 UTC (rev 292373) +++ trunk/Source/bmalloc/ChangeLog 2022-04-05 05:20:51 UTC (rev 292374) @@ -1,3 +1,19 @@ +2022-04-04 Yusuke Suzuki + +[libpas] Do not need to call pthread_set_qos_class_self_np repeatedly +https://bugs.webkit.org/show_bug.cgi?id=238785 + +Reviewed by Mark Lam. + +Let's remember previously set QOS class and avoid resetting it if the value is not changed. + +* bmalloc/bmalloc.cpp: +(bmalloc::api::setScavengerThreadQOSClass): +* libpas/src/libpas/pas_scavenger.c: +(pas_scavenger_set_requested_qos_class): +(scavenger_thread_main): +* libpas/src/libpas/pas_scavenger.h: + 2022-03-29 Brandon Stewart Rename Libpas README to README.md Modified: trunk/Source/bmalloc/bmalloc/bmalloc.cpp (292373 => 292374) --- trunk/Source/bmalloc/bmalloc/bmalloc.cpp 2022-04-05 04:18:13 UTC (rev 292373) +++ trunk/Source/bmalloc/bmalloc/bmalloc.cpp 2022-04-05 05:20:51 UTC (rev 292374) 
@@ -160,7 +160,7 @@
void setScavengerThreadQOSClass(qos_class_t overrideClass)
{
#if BENABLE(LIBPAS)
-pas_scavenger_requested_qos_class = overrideClass;
+pas_scavenger_set_requested_qos_class(overrideClass);
#endif
#if !BUSE(LIBPAS)
if (!DebugHeap::tryGet()) {
Modified: trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c (292373 => 292374)
--- trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c 2022-04-05 04:18:13 UTC (rev 292373)
+++ trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.c 2022-04-05 05:20:51 UTC (rev 292374)
@@ -70,7 +70,12 @@
#endif
#if PAS_OS(DARWIN)
-qos_class_t pas_scavenger_requested_qos_class = QOS_CLASS_USER_INITIATED;
+static _Atomic qos_class_t pas_scavenger_requested_qos_class = QOS_CLASS_USER_INITIATED;
+
+void pas_scavenger_set_requested_qos_class(qos_class_t qos_class)
+{
+pas_scavenger_requested_qos_class = qos_class;
+}
#endif
pas_scavenger_activity_callback pas_scavenger_did_start_callback = NULL;
@@ -151,6 +156,9 @@
{
pas_scavenger_data* data;
pas_scavenger_activity_callback did_start_callback;
+#if PAS_OS(DARWIN)
+qos_class_t configured_qos_class;
+#endif
PAS_UNUSED_PARAM(arg);
@@ -173,6 +181,11 @@
data = ""
+#if PAS_OS(DARWIN)
+configured_qos_class = pas_scavenger_requested_qos_class;
+pthread_set_qos_class_self_np(configured_qos_class, 0);
+#endif
+
for (;;) {
pas_page_sharing_pool_scavenge_result scavenge_result;
bool should_shut_down;
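Review bot: `pas_scavenger_requested_qos_class` changes from a `PAS_API extern` variable to a file-local `static _Atomic`, and only bmalloc.cpp is updated to call the new setter; any other out-of-tree reader of the old symbol would now fail to link, which cannot be confirmed from the files shown. The new `pas_scavenger_set_requested_qos_class` has no comment; `/* Records the QOS class the scavenger thread should adopt; the thread applies it on its next loop iteration. */` above the definition would state the contract the scavenger loop implements. The `data = ""` in the @@ -173 hunk looks like a rendering artifact rather than source, so the context lines there could not be reviewed.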
@@ -184,9 +197,16 @@
uint64_t delta;
uint64_t max_epoch;
bool did_overflow;
+#if PAS_OS(DARWIN)
+qos_class_t current_qos_class;
+#endif
#if PAS_OS(DARWIN)
-pthread_set_qos_class_self_np(pas_scavenger_requested_qos_class, 0);
+current_qos_class = pas_scavenger_requested_qos_class;
+if (configured_qos_class != current_qos_class) {
+configured_qos_class = current_qos_class;
+pthread_set_qos_class_self_np(configured_qos_class, 0);
+}
#endif
should_go_again = false;
Modified: trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.h (292373 => 292374)
--- trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.h 2022-04-05 04:18:13 UTC (rev 292373)
+++ trunk/Source/bmalloc/libpas/src/libpas/pas_scavenger.h 2022-04-05 05:20:51 UTC (rev 292374)
@@ -74,7 +74,7 @@
#if PAS_OS(DARWIN)
/* It's legal to set this anytime. */
-PAS_API extern qos_class_t pas_scavenger_requested_qos_class;
+PAS_API void pas_scavenger_set_requested_qos_class(qos_class_t);
#endif
typedef void (*pas_scavenger_activity_callback)(void);
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
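Review bot: The header comment `/* It's legal to set this anytime. */` now sits above a function rather than the variable it described, so "set this" no longer has a referent; `/* May be called at any time (the value is atomic); the scavenger thread picks up a new class on its next loop iteration. */` matches what the loop in pas_scavenger.c now does. In that loop the `if (configured_qos_class != current_qos_class)` compare reads the atomic once into `current_qos_class`, which is correct, but a one-line comment saying that a setter racing with this read is simply applied one iteration later would save the next reader from asking.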
[webkit-changes] [292373] trunk/Source/JavaScriptCore
Title: [292373] trunk/Source/_javascript_Core Revision 292373 Author ysuz...@apple.com Date 2022-04-04 21:18:13 -0700 (Mon, 04 Apr 2022) Log Message [JSC] Reduce sizeof(BaselineCallLinkInfo) to make bug 238535 good https://bugs.webkit.org/show_bug.cgi?id=238777 Reviewed by Mark Lam. https://bugs.webkit.org/show_bug.cgi?id=238535 adds one pointer to CallLinkInfo. To make BaselineCallLinkInfo small, this patch removes std::unique_ptr in BaselineCallLinkInfo since it can be computed in repatching code. * bytecode/CallLinkInfo.cpp: (JSC::BaselineCallLinkInfo::initialize): (JSC::OptimizingCallLinkInfo::setFrameShuffleData): (JSC::CallLinkInfo::setFrameShuffleData): Deleted. * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::frameShuffleData): Deleted. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): * bytecode/Repatch.cpp: (JSC::linkPolymorphicCall): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp trunk/Source/_javascript_Core/bytecode/Repatch.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292372 => 292373) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-05 04:10:35 UTC (rev 292372) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-05 04:18:13 UTC (rev 292373) 
@@ -1,5 +1,27 @@ 2022-04-04 Yusuke Suzuki +[JSC] Reduce sizeof(BaselineCallLinkInfo) to make bug 238535 good +https://bugs.webkit.org/show_bug.cgi?id=238777 + +Reviewed by Mark Lam. + +https://bugs.webkit.org/show_bug.cgi?id=238535 adds one pointer to CallLinkInfo. +To make BaselineCallLinkInfo small, this patch removes std::unique_ptr +in BaselineCallLinkInfo since it can be computed in repatching code. + +* bytecode/CallLinkInfo.cpp: +(JSC::BaselineCallLinkInfo::initialize): +(JSC::OptimizingCallLinkInfo::setFrameShuffleData): +(JSC::CallLinkInfo::setFrameShuffleData): Deleted. +* bytecode/CallLinkInfo.h: +(JSC::CallLinkInfo::frameShuffleData): Deleted. +* bytecode/CodeBlock.cpp: +(JSC::CodeBlock::finishCreation): +* bytecode/Repatch.cpp: +(JSC::linkPolymorphicCall): + +2022-04-04 Yusuke Suzuki + [JSC] Store CodeBlock in caller side https://bugs.webkit.org/show_bug.cgi?id=238535 Modified: trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp (292372 => 292373) --- trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp 2022-04-05 04:10:35 UTC (rev 292372) +++ trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp 2022-04-05 04:18:13 UTC (rev 292373) @@ -315,9 +315,8 @@ } } -void BaselineCallLinkInfo::initialize(VM& vm, CallType callType, BytecodeIndex bytecodeIndex, CallFrameShuffleData* frameShuffleData) +void BaselineCallLinkInfo::initialize(VM& vm, CallType callType, BytecodeIndex bytecodeIndex) { -UNUSED_PARAM(frameShuffleData); m_type = static_cast(Type::Baseline); ASSERT(Type::Baseline == type()); m_useDataIC = static_cast(UseDataIC::Yes); @@ -324,12 +323,6 @@ ASSERT(UseDataIC::Yes == useDataIC()); m_codeOrigin = CodeOrigin(bytecodeIndex); m_callType = callType; -#if ENABLE(JIT) -if (frameShuffleData) { -// FIXME: It'd be nice if this were a refcounted data structure. -m_frameShuffleData = makeUnique(*frameShuffleData); -} -#endif if (LIKELY(Options::useLLIntICs())) setSlowPathCallDestination(vm.getCTILinkCall().code()); else 
@@ -341,7 +334,7 @@ #if ENABLE(JIT) -void CallLinkInfo::setFrameShuffleData(const CallFrameShuffleData& shuffleData) +void OptimizingCallLinkInfo::setFrameShuffleData(const CallFrameShuffleData& shuffleData) { m_frameShuffleData = makeUnique(shuffleData); m_frameShuffleData->shrinkToFit(); Modified: trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h (292372 => 292373) --- trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h 2022-04-05 04:10:35 UTC (rev 292372) +++ trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h 2022-04-05 04:18:13 UTC (rev 292373) @@ -369,15 +369,6 @@ void visitWeak(VM&); -#if ENABLE(JIT) -void setFrameShuffleData(const CallFrameShuffleData&); - -const CallFrameShuffleData* frameShuffleData() -{ -return m_frameShuffleData.get(); -} -#endif - Type type() const { return static_cast(m_type); } protected: @@ -424,7 +415,6 @@ WriteBarrier m_lastSeenCalleeOrExecutable; #if ENABLE(JIT) RefPtr m_stub; -std::unique_ptr m_frameShuffleData; #endif CodeOrigin m_codeOrigin; bool m_hasSeenShouldRepatch : 1; @@ -450,7 +440,7 @@ { } -void initialize(VM&, CallType, BytecodeIndex, CallFrameShuffleData*); +void initialize(VM&, CallType, BytecodeIndex); void setCodeLocations(CodeLocationLabel doneLocation) { @@ -516,10 +506,18 @@
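Review bot: The @@ -369 hunk removes both `setFrameShuffleData` and the `frameShuffleData()` getter from the `CallLinkInfo` base, while the @@ -341 hunk keeps `OptimizingCallLinkInfo::setFrameShuffleData` writing `m_frameShuffleData`; the member and any replacement getter must therefore move into `OptimizingCallLinkInfo` in the @@ -516 hunk, which is cut off here, and `linkPolymorphicCall` in Repatch.cpp (modified but not shown) is where the baseline case is recomputed per the description. Worth confirming that every former caller of `frameShuffleData()` on a baseline `CallLinkInfo` now goes through that recomputation rather than reaching a member that no longer exists.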
[webkit-changes] [292372] trunk/Source/JavaScriptCore
Title: [292372] trunk/Source/_javascript_Core Revision 292372 Author ysuz...@apple.com Date 2022-04-04 21:10:35 -0700 (Mon, 04 Apr 2022) Log Message [JSC] Store CodeBlock in caller side https://bugs.webkit.org/show_bug.cgi?id=238535 Reviewed by Saam Barati. This patch changes the calling convention of JS functions. Now, we need to store CodeBlock to the stack in the caller side instead. This helps LLInt, unlinked Baseline, and DFG since we no longer need to load CodeBlock from callee via costly dependent loads: unlinked ones cannot embed CodeBlock raw pointer into the machine code itself. So we needed to load it from callee. But now, caller puts the right CodeBlock pointer into the stack so we do not need that code. And in most cases, caller already knows CodeBlock since it is tied to actually used machine code pointer. OSR entry also materializes CodeBlock in the stack in the OSR entry side instead of doing it in the callee side. This contributes to 0.3% progression in Speedometer2. * assembler/CPU.h: (JSC::prologueStackPointerDelta): * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::setMonomorphicCallee): (JSC::CallLinkInfo::clearCallee): (JSC::CallLinkInfo::revertCallToStub): (JSC::CallLinkInfo::emitFastPathImpl): (JSC::CallLinkInfo::setStub): (JSC::OptimizingCallLinkInfo::emitDirectFastPath): (JSC::OptimizingCallLinkInfo::emitDirectTailCallFastPath): (JSC::OptimizingCallLinkInfo::initializeDirectCall): (JSC::OptimizingCallLinkInfo::setDirectCallTarget): * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::offsetOfCodeBlock): * bytecode/Repatch.cpp: (JSC::linkMonomorphicCall): (JSC::linkDirectCall): (JSC::linkPolymorphicCall): * bytecode/RepatchInlines.h: (JSC::virtualForWithFunction): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compileEntry): * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): (JSC::DFG::prepareCatchOSREntry): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCurrentBlock): * dfg/DFGThunks.cpp: (JSC::DFG::osrEntryThunkGenerator): * 
ftl/FTLAbstractHeapRepository.h: * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::lower): * interpreter/CallFrame.h: * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeCall): (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeTailCall): (JSC::AssemblyHelpers::prologueStackPointerDelta): Deleted. * jit/CCallHelpers.h: (JSC::CCallHelpers::prepareForTailCallSlow): * jit/JIT.cpp: (JSC::JIT::compileAndLinkWithoutFinalizing): (JSC::JIT::emitPutCodeBlockToFrameInPrologue): Deleted. * jit/JIT.h: * jit/JITOperations.cpp: (JSC::JSC_DEFINE_JIT_OPERATION): * jit/JITOperations.h: * jit/ThunkGenerators.cpp: (JSC::virtualThunkFor): (JSC::boundFunctionCallGenerator): (JSC::remoteFunctionCallGenerator): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * llint/WebAssembly.asm: * runtime/FunctionExecutable.h: * runtime/JSCast.h: * runtime/VM.cpp: (JSC::VM::getRemoteFunction): * wasm/WasmOperations.cpp: (JSC::Wasm::doOSREntry): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/CPU.h trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h trunk/Source/_javascript_Core/bytecode/Repatch.cpp trunk/Source/_javascript_Core/bytecode/RepatchInlines.h trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGThunks.cpp trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h trunk/Source/_javascript_Core/ftl/FTLLink.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/interpreter/CallFrame.h trunk/Source/_javascript_Core/jit/AssemblyHelpers.h trunk/Source/_javascript_Core/jit/CCallHelpers.h trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/jit/JIT.h 
trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm trunk/Source/_javascript_Core/llint/WebAssembly.asm trunk/Source/_javascript_Core/runtime/FunctionExecutable.h trunk/Source/_javascript_Core/runtime/JSCast.h trunk/Source/_javascript_Core/runtime/VM.cpp trunk/Source/_javascript_Core/wasm/WasmOperations.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292371 => 292372) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-05 03:59:22 UTC (rev 292371) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-05 04:10:35 UTC (rev 292372) @@ -1,3 +1,82 @@ +2022-04-04 Yusuke Suzuki + +[JSC] Store CodeBlock in caller side +https://bugs.webkit.org/show_bug.cgi?id=238535 + +Reviewed by
[webkit-changes] [292242] trunk
Title: [292242] trunk Revision 292242 Author ysuz...@apple.com Date 2022-04-01 16:57:39 -0700 (Fri, 01 Apr 2022) Log Message Change one-shot maxTimerNestingLevel from 5 to 10 https://bugs.webkit.org/show_bug.cgi?id=237168 Reviewed by Sam Weinig, Saam Barati, and Cameron McCormack . Source/WebCore: Recently, we found from Chromium change[1] that changing this from 5 to 10 offers 10% Speedometer2 improvement because Speedometer2's setTimeout nesting level is typically 7-8. We discussed with folks including Chris, Maciej, Saam, and Cameron and for now, we increase this from 5 to 10 to align to Blink's change to keep these kind of web content fast. This is not aligned to the spec, and currently, we only apply it to one-shot timer. [1]: https://chromium-review.googlesource.com/c/chromium/src/+/3473463 * page/DOMTimer.cpp: (WebCore::DOMTimer::intervalClampedToMinimum const): (WebCore::DOMTimer::alignedFireTime const): LayoutTests: * fast/dom/timer-increase-min-interval.html: * fast/dom/timer-throttling-hidden-page-expected.txt: * fast/dom/timer-throttling-hidden-page.html: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/timer-increase-min-interval.html trunk/LayoutTests/fast/dom/timer-throttling-hidden-page-expected.txt trunk/LayoutTests/fast/dom/timer-throttling-hidden-page.html trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/page/DOMTimer.cpp Diff Modified: trunk/LayoutTests/ChangeLog (292241 => 292242) --- trunk/LayoutTests/ChangeLog 2022-04-01 23:35:37 UTC (rev 292241) +++ trunk/LayoutTests/ChangeLog 2022-04-01 23:57:39 UTC (rev 292242) 
@@ -1,3 +1,14 @@
+2022-04-01 Yusuke Suzuki
+
+Change one-shot maxTimerNestingLevel from 5 to 10
+https://bugs.webkit.org/show_bug.cgi?id=237168
+
+Reviewed by Sam Weinig, Saam Barati, and Cameron McCormack .
+
+* fast/dom/timer-increase-min-interval.html:
+* fast/dom/timer-throttling-hidden-page-expected.txt:
+* fast/dom/timer-throttling-hidden-page.html:
+
 2022-04-01 Jon Lee
 Unreviewed gardening.
Modified: trunk/LayoutTests/fast/dom/timer-increase-min-interval.html (292241 => 292242)
--- trunk/LayoutTests/fast/dom/timer-increase-min-interval.html 2022-04-01 23:35:37 UTC (rev 292241)
+++ trunk/LayoutTests/fast/dom/timer-increase-min-interval.html 2022-04-01 23:57:39 UTC (rev 292242)
@@ -17,7 +17,8 @@
 function slowTimeoutHandler() {
 // Note: the count threshold is tied somewhat to the
 // maxTimerNestingLevel in DOMTimer.cpp.
-if (count < 10)
+// Up to 10, we use 1ms, and after that, it becomes 500ms. So, it should be 12.
+if (count < 12)
 log("PASS");
 else
 log("FAIL -- timeout ran " + count + " times");
Modified: trunk/LayoutTests/fast/dom/timer-throttling-hidden-page-expected.txt (292241 => 292242)
--- trunk/LayoutTests/fast/dom/timer-throttling-hidden-page-expected.txt 2022-04-01 23:35:37 UTC (rev 292241)
+++ trunk/LayoutTests/fast/dom/timer-throttling-hidden-page-expected.txt 2022-04-01 23:57:39 UTC (rev 292242)
@@ -8,6 +8,11 @@
 PASS internals.isTimerThrottled(timerHandle) is false
 PASS internals.isTimerThrottled(timerHandle) is false
 PASS internals.isTimerThrottled(timerHandle) is false
+PASS internals.isTimerThrottled(timerHandle) is false
+PASS internals.isTimerThrottled(timerHandle) is false
+PASS internals.isTimerThrottled(timerHandle) is false
+PASS internals.isTimerThrottled(timerHandle) is false
+PASS internals.isTimerThrottled(timerHandle) is false
 PASS internals.isTimerThrottled(timerHandle) is true
 PASS successfullyParsed is true
Modified: trunk/LayoutTests/fast/dom/timer-throttling-hidden-page.html (292241 => 292242)
--- trunk/LayoutTests/fast/dom/timer-throttling-hidden-page.html 2022-04-01 23:35:37 UTC (rev 292241)
+++ trunk/LayoutTests/fast/dom/timer-throttling-hidden-page.html 2022-04-01 23:57:39 UTC (rev 292242)
@@ -7,7 +7,7 @@
 let timerCount = 0;
 const timeoutInterval = 10;
-const maxNestingLevel = 5;
+const maxNestingLevel = 10;
 let timerHandle = 0;
 function testTimer()
Modified: trunk/Source/WebCore/ChangeLog (292241 => 292242)
--- trunk/Source/WebCore/ChangeLog 2022-04-01 23:35:37 UTC (rev 292241)
+++ trunk/Source/WebCore/ChangeLog 2022-04-01 23:57:39 UTC (rev 292242)
@@ -1,3 +1,21 @@
+2022-04-01 Yusuke Suzuki
+
+Change one-shot maxTimerNestingLevel from 5 to 10
+https://bugs.webkit.org/show_bug.cgi?id=237168
+
+Reviewed by Sam Weinig, Saam Barati, and Cameron McCormack .
+
+Recently, we found from Chromium change[1] that changing this from 5 to 10 offers 10% Speedometer2 improvement
+because Speedometer2's setTimeout nesting level is typically 7-8. We discussed with folks including Chris, Maciej,
+Saam, and Cameron and for now, we increase this from 5 to 10 to align to Blink's change to keep these kind of web
+content fast. This is not aligned to the spec, and
[webkit-changes] [292191] trunk/Source/JavaScriptCore
Title: [292191] trunk/Source/_javascript_Core Revision 292191 Author ysuz...@apple.com Date 2022-03-31 17:33:33 -0700 (Thu, 31 Mar 2022) Log Message [JSC] Remove ExecutableToCodeBlockEdge https://bugs.webkit.org/show_bug.cgi?id=238485 Reviewed by Keith Miller. It turned out that getting CodeBlock from JSFunction is critical. As we start using unlinked Baseline, we are loading CodeBlock from JSFunction instead of embedding it, and it roughly contributes to 0.5% regression in Speedometer2. It is also crucial to some other places: bound function thunk, remote function thunk, and virtual function calls. While the subsequent patch will embed CodeBlock into CallLinkInfo to make it fast, we also would like to keep loading CodeBlock from JSFunction faster since this is still used in bound function thunk etc. In this patch, we remove ExecutableToCodeBlockEdge to remove one-level indirection between Executable to CodeBlock. We can delegate ExecutableToCodeBlockEdge's job to existing Executables so that we can keep the current weak-edge feature without introducing ExecutableToCodeBlockEdge. It also removes ExecutableToCodeBlockEdge allocations and shrinks sizeof(CodeBlock) by 8 byte. We move key functions from ExecutableToCodeBlockEdge to ScriptExecutable, and we maintain Executable-to-CodeBlock edge in Executable side. Local testing showed that 0.3% progression in Speedometer2. * CMakeLists.txt: * _javascript_Core.xcodeproj/project.pbxproj: * Sources.txt: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finishCreation): (JSC::CodeBlock::visitChildrenImpl): (JSC::CodeBlock::visitChildren): (JSC::CodeBlock::finalizeUnconditionally): (JSC::CodeBlock::stronglyVisitStrongReferences): (JSC::CodeBlock::finishCreationCommon): Deleted. * bytecode/CodeBlock.h: (JSC::CodeBlock::ownerEdge const): Deleted. * bytecode/ExecutableToCodeBlockEdge.cpp: Removed. * bytecode/ExecutableToCodeBlockEdge.h: Removed. 
* heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::finalizeUnconditionalFinalizers): (JSC::Heap::deleteAllCodeBlocks): (JSC::Heap::addCoreConstraints): * heap/Heap.h: (JSC::Heap::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): (JSC::Heap::ScriptExecutableSpaceAndSet::setAndSpaceFor): (JSC::Heap::ScriptExecutableSpaceAndSet::clearableCodeSetFor): (JSC::Heap::ScriptExecutableSpaceAndSet::outputConstraintsSetFor): (JSC::Heap::ScriptExecutableSpaceAndSet::finalizerSetFor): * heap/IsoCellSet.h: * jit/JIT.cpp: (JSC::JIT::emitPutCodeBlockToFrameInPrologue): * llint/LowLevelInterpreter.asm: * runtime/DirectEvalExecutable.cpp: (JSC::DirectEvalExecutable::create): * runtime/EvalExecutable.cpp: (JSC::EvalExecutable::visitChildrenImpl): * runtime/EvalExecutable.h: (JSC::EvalExecutable::codeBlock const): (JSC::EvalExecutable::unlinkedCodeBlock const): (JSC::EvalExecutable::numVariables): (JSC::EvalExecutable::numFunctionHoistingCandidates): (JSC::EvalExecutable::numTopLevelFunctionDecls): (JSC::EvalExecutable::allowDirectEvalCache const): (JSC::EvalExecutable::codeBlock): Deleted. 
* runtime/FunctionExecutable.cpp: (JSC::FunctionExecutable::baselineCodeBlockFor): (JSC::shouldKeepInConstraintSet): (JSC::FunctionExecutable::visitChildrenImpl): (JSC::FunctionExecutable::visitOutputConstraintsImpl): * runtime/FunctionExecutable.h: * runtime/FunctionExecutableInlines.h: (JSC::FunctionExecutable::finalizeUnconditionally): (JSC::FunctionExecutable::replaceCodeBlockWith): (JSC::FunctionExecutable::toString): * runtime/GlobalExecutable.cpp: (JSC::GlobalExecutable::visitChildrenImpl): (JSC::GlobalExecutable::visitOutputConstraintsImpl): (JSC::GlobalExecutable::replaceCodeBlockWith): (JSC::GlobalExecutable::finalizeUnconditionally): * runtime/GlobalExecutable.h: (JSC::GlobalExecutable::codeBlock const): (JSC::GlobalExecutable::unlinkedCodeBlock const): * runtime/IndirectEvalExecutable.cpp: (JSC::IndirectEvalExecutable::createImpl): * runtime/JSFunction.cpp: * runtime/JSModuleRecord.cpp: (JSC::JSModuleRecord::link): (JSC::JSModuleRecord::instantiateDeclarations): * runtime/ModuleProgramExecutable.cpp: (JSC::ModuleProgramExecutable::create): (JSC::ModuleProgramExecutable::visitChildrenImpl): * runtime/ModuleProgramExecutable.h: * runtime/ProgramExecutable.cpp: (JSC::ProgramExecutable::initializeGlobalProperties): (JSC::ProgramExecutable::visitChildrenImpl): * runtime/ProgramExecutable.h: * runtime/ScriptExecutable.cpp: (JSC::ScriptExecutable::clearCode): (JSC::ScriptExecutable::installCode): (JSC::ScriptExecutable::hasClearableCode const): (JSC::ScriptExecutable::newCodeBlockFor): (JSC::ScriptExecutable::runConstraint): (JSC::ScriptExecutable::visitCodeBlockEdge): * runtime/ScriptExecutable.h: * runtime/ScriptExecutableInlines.h: Copied from Source/_javascript_Core/runtime/FunctionExecutableInlines.h. (JSC::ScriptExecutable::finalizeCodeBlockEdge): * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: (JSC::VM::executableToCodeBlockEdgesWithConstraints): Deleted. (JSC::VM::executableToCodeBlockEdgesWithFinalizers): Deleted. Modified Paths
[webkit-changes] [292136] trunk/JSTests
Title: [292136] trunk/JSTests Revision 292136 Author ysuz...@apple.com Date 2022-03-30 19:10:11 -0700 (Wed, 30 Mar 2022) Log Message Remove useProbeOSRExit=1 flag from tests https://bugs.webkit.org/show_bug.cgi?id=238571 Reviewed by Saam Barati. This flag no longer exists. * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js trunk/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js
Diff Modified: trunk/JSTests/ChangeLog (292135 => 292136)
--- trunk/JSTests/ChangeLog 2022-03-31 01:52:05 UTC (rev 292135)
+++ trunk/JSTests/ChangeLog 2022-03-31 02:10:11 UTC (rev 292136)
@@ -1,3 +1,15 @@
+2022-03-30 Yusuke Suzuki
+
+Remove useProbeOSRExit=1 flag from tests
+https://bugs.webkit.org/show_bug.cgi?id=238571
+
+Reviewed by Saam Barati.
+
+This flag no longer exists.
+
+* stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
+* stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js:
+
 2022-03-24 Yusuke Suzuki
 Add additional reported regression tests to ensure multiline token's column offset is reset
Modified: trunk/JSTests/stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js (292135 => 292136)
--- trunk/JSTests/stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js 2022-03-31 01:52:05 UTC (rev 292135)
+++ trunk/JSTests/stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js 2022-03-31 02:10:11 UTC (rev 292136)
@@ -1,4 +1,5 @@
-//@ requireOptions("--useProbeOSRExit=true", "--forceEagerCompilation=true")
+//@ requireOptions("--forceEagerCompilation=true")
+// Note that original test was using --useProbeOSRExit=1
 // This test passes if it does not crash especially on ASAN builds.
Modified: trunk/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js (292135 => 292136)
--- trunk/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js 2022-03-31 01:52:05 UTC (rev 292135)
+++ trunk/JSTests/stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js 2022-03-31 02:10:11 UTC (rev 292136)
@@ -1,4 +1,5 @@
-//@ requireOptions("--useSamplingProfiler=true", "--useProbeOSRExit=true", "--useObjectAllocationSinking=false", "--sampleInterval=10")
+//@ requireOptions("--useSamplingProfiler=true", "--useObjectAllocationSinking=false", "--sampleInterval=10")
+// Note that original test was using --useProbeOSRExit=1
 function foo(ranges) {
 const CHUNK_SIZE = 95;
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
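Review bot: The comment added at line 2 of both test files, `// Note that original test was using --useProbeOSRExit=1`, does not match the directive removed on the line above it, which spelled the option `--useProbeOSRExit=true`; the same mismatch is in the second hunk, for sampling-profiler-should-not-sample-beyond-stack-bounds.js. Since the whole purpose of the comment is to record what the test used to run under, it should quote the removed text verbatim, e.g. `// Note that the original test was run with --useProbeOSRExit=true, an option that no longer exists.`. Saying that the option was removed, as the ChangeLog already does, also tells a future reader not to try to reinstate it.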
[webkit-changes] [292083] trunk/Source/JavaScriptCore
Title: [292083] trunk/Source/_javascript_Core Revision 292083 Author ysuz...@apple.com Date 2022-03-29 17:08:22 -0700 (Tue, 29 Mar 2022) Log Message [JSC] Use constants buffer to load JSGlobalObject in BaselineJIT thunks https://bugs.webkit.org/show_bug.cgi?id=238414 Reviewed by Saam Barati. Since these thunks are only called from BaselineJIT, we can assume constants buffer register. And since we are always using 0 index for JSGlobalObject, we can encode this into these shared thunks directly instead of loading CodeBlock pointer from the stack. We also fix using OBJECT_OFFSETOF for JSGlobalObject directly. We should use it as JSGlobalObject::offsetOfXXX to make it clean and make it annotated that these fields are accessed by JIT. This patch also removes UnusedPointer.h since it is no longer used. * CMakeLists.txt: * _javascript_Core.xcodeproj/project.pbxproj: * jit/JIT.cpp: (JSC::JIT::JIT): (JSC::JIT::emitVarReadOnlyCheck): * jit/JIT.h: * jit/JITInlines.h: (JSC::JIT::loadConstant): (JSC::JIT::loadGlobalObject): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_overrides_has_instance): (JSC::JIT::valueIsFalseyGenerator): (JSC::JIT::valueIsTruthyGenerator): (JSC::JIT::op_throw_handlerGenerator): (JSC::JIT::op_check_traps_handlerGenerator): * jit/JITPropertyAccess.cpp: (JSC::JIT::slow_op_get_by_val_callSlowOperationThenCheckExceptionGenerator): (JSC::JIT::slow_op_get_private_name_callSlowOperationThenCheckExceptionGenerator): (JSC::JIT::slow_op_put_by_val_callSlowOperationThenCheckExceptionGenerator): (JSC::JIT::slow_op_put_private_name_callSlowOperationThenCheckExceptionGenerator): (JSC::JIT::slow_op_del_by_id_callSlowOperationThenCheckExceptionGenerator): (JSC::JIT::slow_op_del_by_val_callSlowOperationThenCheckExceptionGenerator): (JSC::JIT::slow_op_get_by_id_callSlowOperationThenCheckExceptionGenerator): (JSC::JIT::slow_op_get_by_id_with_this_callSlowOperationThenCheckExceptionGenerator): (JSC::JIT::slow_op_put_by_id_callSlowOperationThenCheckExceptionGenerator): 
(JSC::JIT::generateOpResolveScopeThunk): (JSC::JIT::generateOpGetFromScopeThunk): (JSC::JIT::emitVarInjectionCheck): * jit/UnusedPointer.h: Removed. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::offsetOfVarInjectionWatchpoint): (JSC::JSGlobalObject::offsetOfVarReadOnlyWatchpoint): (JSC::JSGlobalObject::offsetOfFunctionProtoHasInstanceSymbolFunction): Modified Paths trunk/Source/_javascript_Core/CMakeLists.txt trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/jit/JIT.cpp trunk/Source/_javascript_Core/jit/JIT.h trunk/Source/_javascript_Core/jit/JITInlines.h trunk/Source/_javascript_Core/jit/JITOpcodes.cpp trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h Removed Paths trunk/Source/_javascript_Core/jit/UnusedPointer.h
Diff Modified: trunk/Source/_javascript_Core/CMakeLists.txt (292082 => 292083)
--- trunk/Source/_javascript_Core/CMakeLists.txt 2022-03-30 00:00:20 UTC (rev 292082)
+++ trunk/Source/_javascript_Core/CMakeLists.txt 2022-03-30 00:08:22 UTC (rev 292083)
@@ -876,7 +876,6 @@
 jit/TagRegistersMode.h
 jit/TempRegisterSet.h
 jit/ThunkGenerator.h
-jit/UnusedPointer.h
 llint/LLIntOpcode.h
Modified: trunk/Source/_javascript_Core/ChangeLog (292082 => 292083)
--- trunk/Source/_javascript_Core/ChangeLog 2022-03-30 00:00:20 UTC (rev 292082)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-03-30 00:08:22 UTC (rev 292083)
@@ -1,3 +1,55 @@
+2022-03-29 Yusuke Suzuki
+
+[JSC] Use constants buffer to load JSGlobalObject in BaselineJIT thunks
+https://bugs.webkit.org/show_bug.cgi?id=238414
+
+Reviewed by Saam Barati.
+
+Since these thunks are only called from BaselineJIT, we can assume constants
+buffer register. And since we are always using 0 index for JSGlobalObject,
+we can encode this into these shared thunks directly instead of loading
+CodeBlock pointer from the stack.
+
+We also fix using OBJECT_OFFSETOF for JSGlobalObject directly. We should use
+it as JSGlobalObject::offsetOfXXX to make it clean and make it annotated that
+these fields are accessed by JIT.
+
+This patch also removes UnusedPointer.h since it is no longer used.
+
+* CMakeLists.txt:
+* _javascript_Core.xcodeproj/project.pbxproj:
+* jit/JIT.cpp:
+(JSC::JIT::JIT):
+(JSC::JIT::emitVarReadOnlyCheck):
+* jit/JIT.h:
+* jit/JITInlines.h:
+(JSC::JIT::loadConstant):
+(JSC::JIT::loadGlobalObject):
+* jit/JITOpcodes.cpp:
+(JSC::JIT::emit_op_overrides_has_instance):
+(JSC::JIT::valueIsFalseyGenerator):
+(JSC::JIT::valueIsTruthyGenerator):
+(JSC::JIT::op_throw_handlerGenerator):
+(JSC::JIT::op_check_traps_handlerGenerator):
+* jit/JITPropertyAccess.cpp:
+
[webkit-changes] [292078] trunk/Source/JavaScriptCore
Title: [292078] trunk/Source/_javascript_Core Revision 292078 Author ysuz...@apple.com Date 2022-03-29 15:54:07 -0700 (Tue, 29 Mar 2022) Log Message [JSC] Use spoolers in FTL OSR exit thunk https://bugs.webkit.org/show_bug.cgi?id=238444 Reviewed by Mark Lam. We deploy spoolers in FTL OSR exit thunk to reduce generated code size. This change reduces FTLOSRExit code size in JetStream2 by 35%. Before: FTLOSRExit: 803564 (784.730469 KB) count 363 avg size 2213 After: FTLOSRExit: 516432 (504.328125 KB) count 362 avg size 1426 * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::compileExit): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp
Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292077 => 292078)
--- trunk/Source/_javascript_Core/ChangeLog 2022-03-29 22:22:20 UTC (rev 292077)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-03-29 22:54:07 UTC (rev 292078)
@@ -1,3 +1,23 @@
+2022-03-29 Yusuke Suzuki
+
+[JSC] Use spoolers in FTL OSR exit thunk
+https://bugs.webkit.org/show_bug.cgi?id=238444
+
+Reviewed by Mark Lam.
+
+We deploy spoolers in FTL OSR exit thunk to reduce generated code size.
+This change reduces FTLOSRExit code size in JetStream2 by 35%.
+
+Before:
+FTLOSRExit: 803564 (784.730469 KB) count 363 avg size 2213
+After:
+FTLOSRExit: 516432 (504.328125 KB) count 362 avg size 1426
+
+* dfg/DFGOSRExit.cpp:
+(JSC::DFG::OSRExit::compileExit):
+* ftl/FTLOSRExitCompiler.cpp:
+(JSC::FTL::compileStub):
+
 2022-03-29 Patrick Angle
 Web Inspector: Add check for null `entryScope` in JSC::Debugger::detach
Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp (292077 => 292078)
--- trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp 2022-03-29 22:22:20 UTC (rev 292077)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExit.cpp 2022-03-29 22:54:07 UTC (rev 292078)
@@ -430,10 +430,11 @@
 // We also use the notCellMaskRegister as the scratch register, for the same reason.
 // FIXME: find a less gross way of doing this, maybe through delaying these operations until we actually have some spare registers around?
 profile.emitReportValue(jit, JSValueRegs(GPRInfo::numberTagRegister), GPRInfo::notCellMaskRegister, DoNotHaveTagRegisters);
-jit.move(AssemblyHelpers::TrustedImm64(JSValue::NumberTag), GPRInfo::numberTagRegister);
-} else
+jit.emitMaterializeTagCheckRegisters();
+} else {
 profile.emitReportValue(jit, JSValueRegs(exit.m_jsValueSource.gpr()), GPRInfo::notCellMaskRegister, DoNotHaveTagRegisters);
-jit.move(AssemblyHelpers::TrustedImm64(JSValue::NotCellMask), GPRInfo::notCellMaskRegister);
+jit.move(AssemblyHelpers::TrustedImm64(JSValue::NotCellMask), GPRInfo::notCellMaskRegister);
+}
 #else // not USE(JSVALUE64)
 if (exit.m_jsValueSource.isAddress()) {
 // Save a register so we can use it.
@@ -778,7 +779,7 @@
 #if USE(JSVALUE64)
 EncodedJSValue currentConstant = JSValue::encode(recovery.constant());
 if (currentConstant == encodedJSUndefined()) {
-if (!undefinedGPRIsInitialized) {
+if (UNLIKELY(!undefinedGPRIsInitialized)) {
 jit.move(CCallHelpers::TrustedImm64(encodedJSUndefined()), undefinedGPR);
 undefinedGPRIsInitialized = true;
 }
Modified: trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp (292077 => 292078)
--- trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp 2022-03-29 22:22:20 UTC (rev 292077)
+++ trunk/Source/_javascript_Core/ftl/FTLOSRExitCompiler.cpp 2022-03-29 22:54:07 UTC (rev 292078)
@@ -28,6 +28,7 @@
 #if ENABLE(FTL_JIT)
+#include "AssemblyHelpersSpoolers.h"
 #include "BytecodeStructs.h"
 #include "CheckpointOSRExitSideState.h"
 #include "DFGOSRExitCompilerCommon.h"
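Review bot: The two branches of the rewritten if/else now restore the tag registers differently: the first calls `jit.emitMaterializeTagCheckRegisters();` while the else branch keeps a hand-written `jit.move(AssemblyHelpers::TrustedImm64(JSValue::NotCellMask), GPRInfo::notCellMaskRegister);`, and the hunk does not say why. The removed brace-less `} else` meant the NotCellMask restore used to run on both paths, so the new shape is only equivalent if emitMaterializeTagCheckRegisters() also re-materializes notCellMaskRegister; that helper's body is not in the hunk, so it is worth confirming. Assuming it does, a one-line comment in the else branch such as `// Only notCellMaskRegister was borrowed as scratch on this path; numberTagRegister is still intact.` would stop a future reader from "fixing" the asymmetry in either direction. The enclosing function (compileExit, per the ChangeLog) starts and ends outside the hunk.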
@@ -241,8 +242,7 @@
 // Get the call frame and tag thingies.
 // Restore the exiting function's callFrame value into a regT4
-jit.move(MacroAssembler::TrustedImm64(JSValue::NumberTag), GPRInfo::numberTagRegister);
-jit.move(MacroAssembler::TrustedImm64(JSValue::NotCellMask), GPRInfo::notCellMaskRegister);
+jit.emitMaterializeTagCheckRegisters();
 // Do some value profiling.
 if (exit.m_descriptor->m_profileDataFormat != DataFormatNone) {
@@ -377,9 +377,65 @@
 // Save all state from wherever the exit data tells us it was, into the appropriate place in
 // the scratch buffer. This also does the reboxing.
-for (unsigned index = exit.m_descriptor->m_values.size(); index--;) {
-recoverValue(exit.m_descriptor->m_values[index]);
-
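Review bot: The pre-existing comment `// Restore the exiting function's callFrame value into a regT4` now sits directly above `jit.emitMaterializeTagCheckRegisters();`, and nothing visible in this hunk touches callFrame or regT4; the comment described neither the two removed moves nor their replacement. Since the line it labels is being rewritten, this is the moment to fix it: either delete it or replace it with `// Re-materialize numberTagRegister / notCellMaskRegister; the value profiling below relies on them.` (hedged, because the helper's body is not shown here). compileStub starts and ends outside the hunk, and the third hunk of this file is cut off at the end of the page.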
[webkit-changes] [292014] trunk/Source/JavaScriptCore
Title: [292014] trunk/Source/_javascript_Core Revision 292014 Author ysuz...@apple.com Date 2022-03-28 17:23:58 -0700 (Mon, 28 Mar 2022) Log Message [JSC] Clean up some 32bit load/store with 64bit load/store https://bugs.webkit.org/show_bug.cgi?id=238440 Reviewed by Mark Lam. 1. On OSR entry, we should copy values from scratch to stack via loadValue / storeValue instead of 32bit load/store. 2. We should initialize tail-call's argumentCountIncludingThis slot via store64. * dfg/DFGThunks.cpp: (JSC::DFG::osrEntryThunkGenerator): * jit/CallFrameShuffler.cpp: (JSC::CallFrameShuffler::prepareAny): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGThunks.cpp trunk/Source/_javascript_Core/jit/CallFrameShuffler.cpp
Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292013 => 292014)
--- trunk/Source/_javascript_Core/ChangeLog 2022-03-29 00:22:21 UTC (rev 292013)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-03-29 00:23:58 UTC (rev 292014)
@@ -1,3 +1,18 @@
+2022-03-28 Yusuke Suzuki
+
+[JSC] Clean up some 32bit load/store with 64bit load/store
+https://bugs.webkit.org/show_bug.cgi?id=238440
+
+Reviewed by Mark Lam.
+
+1. On OSR entry, we should copy values from scratch to stack via loadValue / storeValue instead of 32bit load/store.
+2. We should initialize tail-call's argumentCountIncludingThis slot via store64.
+
+* dfg/DFGThunks.cpp:
+(JSC::DFG::osrEntryThunkGenerator):
+* jit/CallFrameShuffler.cpp:
+(JSC::CallFrameShuffler::prepareAny):
+
 2022-03-28 Mark Lam
 The lazy symbolObjectStructure should be realized before we allocate a SymbolObject.
Modified: trunk/Source/_javascript_Core/dfg/DFGThunks.cpp (292013 => 292014)
--- trunk/Source/_javascript_Core/dfg/DFGThunks.cpp 2022-03-29 00:22:21 UTC (rev 292013)
+++ trunk/Source/_javascript_Core/dfg/DFGThunks.cpp 2022-03-29 00:23:58 UTC (rev 292014)
@@ -151,10 +151,8 @@
 MacroAssembler::Label loop = jit.label();
 jit.subPtr(MacroAssembler::TrustedImm32(1), GPRInfo::regT1);
 jit.negPtr(GPRInfo::regT1, GPRInfo::regT4);
-jit.load32(MacroAssembler::BaseIndex(GPRInfo::regT0, GPRInfo::regT1, MacroAssembler::TimesEight, offsetOfLocals), GPRInfo::regT2);
-jit.load32(MacroAssembler::BaseIndex(GPRInfo::regT0, GPRInfo::regT1, MacroAssembler::TimesEight, offsetOfLocals + sizeof(int32_t)), GPRInfo::regT3);
-jit.store32(GPRInfo::regT2, MacroAssembler::BaseIndex(GPRInfo::callFrameRegister, GPRInfo::regT4, MacroAssembler::TimesEight, -static_cast(sizeof(Register;
-jit.store32(GPRInfo::regT3, MacroAssembler::BaseIndex(GPRInfo::callFrameRegister, GPRInfo::regT4, MacroAssembler::TimesEight, -static_cast(sizeof(Register)) + static_cast(sizeof(int32_t;
+jit.loadValue(MacroAssembler::BaseIndex(GPRInfo::regT0, GPRInfo::regT1, MacroAssembler::TimesEight, offsetOfLocals), JSRInfo::jsRegT32);
+jit.storeValue(JSRInfo::jsRegT32, MacroAssembler::BaseIndex(GPRInfo::callFrameRegister, GPRInfo::regT4, MacroAssembler::TimesEight, -static_cast(sizeof(Register;
 jit.branchPtr(MacroAssembler::NotEqual, GPRInfo::regT1, MacroAssembler::TrustedImmPtr(bitwise_cast(-static_cast(CallFrame::headerSizeInRegisters.linkTo(loop, );
 jit.loadPtr(MacroAssembler::Address(GPRInfo::regT0, offsetOfTargetPC), GPRInfo::regT1);
Modified: trunk/Source/_javascript_Core/jit/CallFrameShuffler.cpp (292013 => 292014)
--- trunk/Source/_javascript_Core/jit/CallFrameShuffler.cpp 2022-03-29 00:22:21 UTC (rev 292013)
+++ trunk/Source/_javascript_Core/jit/CallFrameShuffler.cpp 2022-03-29 00:23:58 UTC (rev 292014)
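Review bot: The replacement pair `jit.loadValue(..., JSRInfo::jsRegT32)` / `jit.storeValue(JSRInfo::jsRegT32, ...)` drops the explicit payload/tag split that the removed lines spelled out (regT2 from offsetOfLocals, regT3 from offsetOfLocals + sizeof(int32_t)), so 32-bit correctness now rests on jsRegT32 pairing those two registers in the same tag/payload order and on loadValue/storeValue using the same two offsets; neither definition is visible in this hunk, so it is worth confirming against JSRInfo before landing. A short comment would make that dependency explicit, e.g. `// 64-bit: one 8-byte copy per slot. 32-bit: jsRegT32 covers the tag/payload pair that the old load32/store32 pairs moved separately.`. The copy loop this sits in (osrEntryThunkGenerator, per the ChangeLog) starts and ends outside the hunk.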
@@ -739,11 +739,14 @@
 // m_newFrameBase, which could be a wanted register.
 if (verbose)
 dataLog(" * Storing the argument count into ", VirtualRegister { CallFrameSlot::argumentCountIncludingThis }, "\n");
-m_jit.store32(MacroAssembler::TrustedImm32(0),
-addressForNew(VirtualRegister { CallFrameSlot::argumentCountIncludingThis }).withOffset(TagOffset));
 RELEASE_ASSERT(m_numPassedArgs != UINT_MAX);
-m_jit.store32(MacroAssembler::TrustedImm32(m_numPassedArgs),
-addressForNew(VirtualRegister { CallFrameSlot::argumentCountIncludingThis }).withOffset(PayloadOffset));
+#if USE(JSVALUE64)
+// Initialize CallFrameSlot::argumentCountIncludingThis's TagOffset and PayloadOffset with 0 and m_numPassedArgs.
+m_jit.store64(MacroAssembler::TrustedImm32(m_numPassedArgs), addressForNew(VirtualRegister { CallFrameSlot::argumentCountIncludingThis }));
+#else
+m_jit.store32(MacroAssembler::TrustedImm32(0), addressForNew(VirtualRegister { CallFrameSlot::argumentCountIncludingThis }).withOffset(TagOffset));
+m_jit.store32(MacroAssembler::TrustedImm32(m_numPassedArgs), addressForNew(VirtualRegister { CallFrameSlot::argumentCountIncludingThis }).withOffset(PayloadOffset));
+#endif
 if (!isSlowPath()) {
 ASSERT(m_newFrameBase !=
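Review bot: `m_jit.store64(MacroAssembler::TrustedImm32(m_numPassedArgs), ...)` writes a 32-bit immediate through a 64-bit store, and the new comment promises the tag half ends up 0; a TrustedImm32 carries a signed 32-bit value, so a count with its top bit set would be negative and, on x86-64 where a 64-bit store of an imm32 sign-extends, would put 0xFFFFFFFF into the tag word instead. The `RELEASE_ASSERT(m_numPassedArgs != UINT_MAX)` kept just above only excludes the sentinel, so nothing visible here rules that range out, even if it is unrealistic for an argument count. Either tighten the assert or document the reliance, e.g. `RELEASE_ASSERT(m_numPassedArgs != UINT_MAX && m_numPassedArgs <= static_cast<unsigned>(INT32_MAX)); // store64 of a TrustedImm32 below must not sign-extend into the tag word`. The 32-bit `#else` branch keeps the old two-store form and is unaffected; prepareAny continues past the end of the hunk, whose last line is cut off mid-statement on this page.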
[webkit-changes] [291937] trunk
Title: [291937] trunk Revision 291937 Author ysuz...@apple.com Date 2022-03-26 07:41:15 -0700 (Sat, 26 Mar 2022) Log Message Use unary static_assert https://bugs.webkit.org/show_bug.cgi?id=238412 Reviewed by Mark Lam. Source/bmalloc: * bmalloc/Algorithm.h: (bmalloc::isPowerOfTwo): * bmalloc/Gigacage.h: * bmalloc/IsoHeapImpl.h: Source/_javascript_Core: Replace `static_assert(..., "");` with `static_assert(...);` * assembler/ARM64Assembler.h: (JSC::ARM64Assembler::linkJumpOrCall): (JSC::ARM64Assembler::relinkJumpOrCall): * assembler/AssemblerBuffer.h: (JSC::AssemblerBuffer::putIntegralUnchecked): * assembler/MacroAssemblerCodeRef.h: * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h: * bytecode/ArrayProfile.h: * bytecode/CodeBlockHash.cpp: (JSC::CodeBlockHash::CodeBlockHash): * bytecode/ParseHash.cpp: (JSC::ParseHash::ParseHash): * bytecode/Watchpoint.h: * dfg/DFGNode.h: * dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * dfg/DFGSpeculativeJIT.cpp: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): * jit/RegisterSet.cpp: (JSC::RegisterSet::llintBaselineCalleeSaveRegisters): (JSC::RegisterSet::dfgCalleeSaveRegisters): (JSC::RegisterSet::ftlCalleeSaveRegisters): * runtime/CachedBytecode.cpp: (JSC::CachedBytecode::commitUpdates const): * runtime/ClonedArguments.h: * runtime/DirectArguments.h: * runtime/DirectEvalExecutable.h: * runtime/ErrorConstructor.h: * runtime/IndirectEvalExecutable.h: * runtime/JSArrayBufferView.cpp: * runtime/JSBoundFunction.h: * runtime/JSLexicalEnvironment.h: (JSC::JSLexicalEnvironment::subspaceFor): * runtime/JSString.cpp: (JSC::JSRopeString::RopeBuilder::expand): * runtime/JSString.h: * runtime/NativeFunction.h: * runtime/Operations.h: (JSC::jsString): * runtime/RegExpObject.h: * runtime/ScopedArguments.h: * runtime/ScopedArgumentsTable.cpp: * runtime/TypedArrayAdaptors.h: (JSC::IntegralTypedArrayAdaptor::toJSValue): * 
runtime/TypedArrayType.h: * runtime/WeakMapImpl.h: * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::addCallIndirect): (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv): (JSC::Wasm::AirIRGenerator::emitModOrDiv): * yarr/YarrInterpreter.cpp: (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize): (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize): Source/WebCore: * Modules/entriesapi/FileSystemDirectoryEntry.h: * Modules/entriesapi/FileSystemFileEntry.h: * css/DOMMatrix.h: * cssjit/SelectorCompiler.cpp: (WebCore::SelectorCompiler::SelectorCodeGenerator::generateAddStyleRelation): * dom/DOMPoint.h: * dom/DOMRect.h: * html/HTMLAllCollection.h: * html/track/AudioTrackList.h: * html/track/VideoTrackList.h: * layout/formattingContexts/inline/InlineItem.cpp: * layout/formattingContexts/inline/InlineTextItem.cpp: * platform/KeyedCoding.h: (WebCore::KeyedDecoder::decodeBytes): * xml/XMLHttpRequestEventTarget.h: Source/WebKit: * Shared/API/c/WKContextMenuItem.cpp: * UIProcess/mac/LegacySessionStateCoding.cpp: (WebKit::HistoryEntryDataEncoder::encodeArithmeticType): (WebKit::HistoryEntryDataDecoder::decodeArithmeticType): Source/WTF: * wtf/CompactPointerTuple.h: * wtf/FastMalloc.h: * wtf/FunctionTraits.h: (WTF::slotsForCCallArgument): * wtf/Int128.cpp: * wtf/MallocPtr.h: * wtf/Markable.h: (WTF::std::underlying_type::type>::max): * wtf/PtrTag.h: (WTF::tagInt): * wtf/Seconds.h: * wtf/StdLibExtras.h: (WTF::roundUpToMultipleOf): * wtf/SystemFree.h: * wtf/UnalignedAccess.h: (WTF::unalignedLoad): (WTF::unalignedStore): * wtf/UniqueArray.h: (WTF::makeUniqueArray): * wtf/WTFAssertions.cpp: * wtf/text/StringConcatenate.h: (WTF::tryMakeStringFromAdapters): * wtf/text/StringImpl.h: * wtf/text/SymbolImpl.h: Tools: * TestWebKitAPI/Tests/WTF/EnumTraits.cpp: * TestWebKitAPI/Tests/WTF/HashMap.cpp: (TestWebKitAPI::TEST): * TestWebKitAPI/Tests/WTF/Int128.cpp: (TestWebKitAPI::TEST): * TestWebKitAPI/Tests/WTF/Packed.cpp: (TestWebKitAPI::TEST): * 
TestWebKitAPI/Tests/WTF/RobinHoodHashMap.cpp: (TestWebKitAPI::TEST): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/assembler/ARM64Assembler.h trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h trunk/Source/_javascript_Core/bytecode/AdaptiveInferredPropertyValueWatchpointBase.h trunk/Source/_javascript_Core/bytecode/ArrayProfile.h trunk/Source/_javascript_Core/bytecode/CodeBlockHash.cpp trunk/Source/_javascript_Core/bytecode/ParseHash.cpp trunk/Source/_javascript_Core/bytecode/Watchpoint.h trunk/Source/_javascript_Core/dfg/DFGNode.h trunk/Source/_javascript_Core/dfg/DFGOperations.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/RegisterSet.cpp trunk/Source/_javascript_Core/runtime/CachedBytecode.cpp
[webkit-changes] [291935] trunk/Source/JavaScriptCore
Title: [291935] trunk/Source/_javascript_Core Revision 291935 Author ysuz...@apple.com Date 2022-03-26 04:38:22 -0700 (Sat, 26 Mar 2022) Log Message [JSC] Include argumentRegisters in identity of SlowPathCallKey when clobberAllRegsInFTLICSlowPath is enabled https://bugs.webkit.org/show_bug.cgi?id=238411 Reviewed by Mark Lam. While SlowPathCallKey includes argumentRegisters, it is not used for its identity check. But this argumentRegisters is effectual on the resulting code in FTLThunks if Options::clobberAllRegsInFTLICSlowPath is set. This causes x64 Debug JSC test failures after enabling DataIC because the same FTLThunks should not be picked for different argument registers when Options::clobberAllRegsInFTLICSlowPath is true. However, always including argumentRegisters in the identity check will cause a code size regression since we will lose a chance to duplicate thunks when argumentRegisters is ineffectual. Note that Options::clobberAllRegsInFTLICSlowPath is only set for debugging use cases. Hence, argumentRegisters is normally not effectual. In this patch, we include argumentRegisters in SlowPathCallKey's identity check only when Options::clobberAllRegsInFTLICSlowPath is set. And we also refactor SlowPathCallKey to reduce size of it from 40 to 24. 
* _javascript_Core.xcodeproj/project.pbxproj: * assembler/MacroAssemblerCodeRef.h: (JSC::CFunctionPtr::CFunctionPtr): (JSC::FunctionPtr::FunctionPtr): * ftl/FTLSlowPathCall.cpp: (JSC::FTL::SlowPathCallContext::keyWithTarget const): * ftl/FTLSlowPathCallKey.cpp: (JSC::FTL::SlowPathCallKey::dump const): * ftl/FTLSlowPathCallKey.h: (JSC::FTL::SlowPathCallKey::SlowPathCallKey): (JSC::FTL::SlowPathCallKey::callTarget const): (JSC::FTL::SlowPathCallKey::usedRegisters const): (JSC::FTL::SlowPathCallKey::argumentRegistersIfClobberingCheckIsEnabled const): (JSC::FTL::SlowPathCallKey::indirectOffset const): (JSC::FTL::SlowPathCallKey::withCallTarget): (JSC::FTL::SlowPathCallKey::isEmptyValue const): (JSC::FTL::SlowPathCallKey::isDeletedValue const): (JSC::FTL::SlowPathCallKey::operator== const): (JSC::FTL::SlowPathCallKey::hash const): (JSC::FTL::SlowPathCallKey::argumentRegisters const): Deleted. * ftl/FTLThunks.cpp: (JSC::FTL::registerClobberCheck): (JSC::FTL::slowPathCallThunkGenerator): * jit/HashableRegisterSet.h: Removed. * jit/RegisterSet.h: (JSC::RegisterSetHash::hash): (JSC::RegisterSetHash::equal): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h trunk/Source/_javascript_Core/ftl/FTLSlowPathCall.cpp trunk/Source/_javascript_Core/ftl/FTLSlowPathCall.h trunk/Source/_javascript_Core/ftl/FTLSlowPathCallKey.cpp trunk/Source/_javascript_Core/ftl/FTLSlowPathCallKey.h trunk/Source/_javascript_Core/ftl/FTLThunks.cpp trunk/Source/_javascript_Core/jit/RegisterSet.h Removed Paths trunk/Source/_javascript_Core/jit/HashableRegisterSet.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291934 => 291935) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-26 09:17:21 UTC (rev 291934) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-26 11:38:22 UTC (rev 291935) 
@@ -1,3 +1,50 @@ +2022-03-26 Yusuke Suzuki + +[JSC] Include argumentRegisters in identity of SlowPathCallKey when clobberAllRegsInFTLICSlowPath is enabled +https://bugs.webkit.org/show_bug.cgi?id=238411 + +Reviewed by Mark Lam. + +While SlowPathCallKey includes argumentRegisters, it is not used for its identity check. But this argumentRegisters +is effectual on the resulting code in FTLThunks if Options::clobberAllRegsInFTLICSlowPath is set. This causes +x64 Debug JSC test failures after enabling DataIC because the same FTLThunks should not be picked for different +argument registers when Options::clobberAllRegsInFTLICSlowPath is true. + +However, always including argumentRegisters in the identity check will cause a code size regression since we will +lose a chance to duplicate thunks when argumentRegisters is ineffectual. Note that Options::clobberAllRegsInFTLICSlowPath +is only set for debugging use cases. Hence, argumentRegisters is normally not effectual. + +In this patch, we include argumentRegisters in SlowPathCallKey's identity check only when Options::clobberAllRegsInFTLICSlowPath +is set. And we also refactor SlowPathCallKey to reduce size of it from 40 to 24. + +* _javascript_Core.xcodeproj/project.pbxproj: +* assembler/MacroAssemblerCodeRef.h: +(JSC::CFunctionPtr::CFunctionPtr): +(JSC::FunctionPtr::FunctionPtr): +* ftl/FTLSlowPathCall.cpp: +(JSC::FTL::SlowPathCallContext::keyWithTarget const): +* ftl/FTLSlowPathCallKey.cpp: +(JSC::FTL::SlowPathCallKey::dump const): +* ftl/FTLSlowPathCallKey.h: +(JSC::FTL::SlowPathCallKey::SlowPathCallKey): +
[webkit-changes] [291932] trunk/Source/JavaScriptCore
Title: [291932] trunk/Source/_javascript_Core Revision 291932 Author ysuz...@apple.com Date 2022-03-25 21:30:10 -0700 (Fri, 25 Mar 2022) Log Message [JSC] Clean up DataIC polymorphic call code for OptimizingCallLinkInfo https://bugs.webkit.org/show_bug.cgi?id=238395 Reviewed by Saam Barati. When using DataIC, return address is already appropriate in non-tail call case in polymorphic call stub code. This patch cleans up the code to align it to DataIC BaselineCallLinkInfo. * bytecode/Repatch.cpp: (JSC::linkPolymorphicCall): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/Repatch.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291931 => 291932) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-26 03:29:23 UTC (rev 291931) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-26 04:30:10 UTC (rev 291932) @@ -1,3 +1,17 @@ +2022-03-25 Yusuke Suzuki + +[JSC] Clean up DataIC polymorphic call code for OptimizingCallLinkInfo +https://bugs.webkit.org/show_bug.cgi?id=238395 + +Reviewed by Saam Barati. + +When using DataIC, return address is already appropriate in non-tail call case +in polymorphic call stub code. This patch cleans up the code to align it to +DataIC BaselineCallLinkInfo. + +* bytecode/Repatch.cpp: +(JSC::linkPolymorphicCall): + 2022-03-25 Commit Queue Unreviewed, reverting r291745. Modified: trunk/Source/_javascript_Core/bytecode/Repatch.cpp (291931 => 291932) --- trunk/Source/_javascript_Core/bytecode/Repatch.cpp 2022-03-26 03:29:23 UTC (rev 291931) +++ trunk/Source/_javascript_Core/bytecode/Repatch.cpp 2022-03-26 04:30:10 UTC (rev 291932) 
@@ -1877,14 +1877,10 @@
 case CallLinkInfo::Type::Optimizing: {
 // While Baseline / LLInt shares BaselineCallLinkInfo, OptimizingCallLinkInfo is exclusively used for one JIT code.
 // Thus, we can safely use doneLocation.
-if (!callLinkInfo.isTailCall()) {
-// We were called from the fast path, get rid of any remnants of that
-// which may exist. This really only matters for x86, which adjusts
-// SP for calls.
-stubJit.preserveReturnAddressAfterCall(GPRInfo::regT4);
+if (callLinkInfo.isTailCall()) {
+stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.doneLocation().untaggedExecutableAddress()), GPRInfo::regT4);
+stubJit.restoreReturnAddressBeforeReturn(GPRInfo::regT4);
 }
-stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.doneLocation().untaggedExecutableAddress()), GPRInfo::regT4);
-stubJit.restoreReturnAddressBeforeReturn(GPRInfo::regT4);
 break;
 }
 }
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
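Review bot: The non-tail-call path under `case CallLinkInfo::Type::Optimizing` now emits no return-address fix-up at all, and nothing left in the hunk records why that is safe — the retained comment only justifies using doneLocation. The commit message says the DataIC fast path already leaves the correct return address in the non-tail case, but the switch shows no DataIC check, so a reader cannot tell whether a non-DataIC Optimizing call on x86 (where the deleted comment said SP is adjusted for calls) can still reach this code. I would add, above `if (callLinkInfo.isTailCall()) {`, `// Non-tail calls: with DataIC the return address on the stack is already the one we want, so only tail calls need doneLocation materialized into regT4.` and, if non-DataIC linking can still land here, an ASSERT on the DataIC mode next to it. The enclosing function starts and ends outside the hunk.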
[webkit-changes] [291875] trunk/Source/JavaScriptCore
Title: [291875] trunk/Source/_javascript_Core Revision 291875 Author ysuz...@apple.com Date 2022-03-25 12:08:48 -0700 (Fri, 25 Mar 2022) Log Message [JSC] Use Data CallIC in unlinked DFG https://bugs.webkit.org/show_bug.cgi?id=238176 Reviewed by Saam Barati. This patch enables Data CallIC when Options::useDataICInOptimizingJIT() is true to pave the way to introducing unlinked DFG. The most complicated part is DFG tail call handling. We load CallLinkInfo in one non-callee-save register, and we set up CallFrameShuffleData to keep this value in the same register even after call frame shuffling for the tail call. This must be non-callee-save register since callee-save registers are restored to values of the one-level upper caller for the tail-call. We also clean up CallLinkInfo code so that many functions work well with DataIC. Currently, direct calls are not supported, and we will not emit direct calls when unlinked DFG is used. * bytecode/AccessCase.cpp: (JSC::AccessCase::generateImpl): * bytecode/CallLinkInfo.cpp: (JSC::BaselineCallLinkInfo::initialize): (JSC::OptimizingCallLinkInfo::emitFastPath): (JSC::OptimizingCallLinkInfo::emitTailCallFastPath): (JSC::OptimizingCallLinkInfo::slowPathStart): (JSC::OptimizingCallLinkInfo::emitDirectFastPath): (JSC::OptimizingCallLinkInfo::emitDirectTailCallFastPath): * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::isDataIC const): (JSC::CallLinkInfo::useDataIC const): (JSC::CallLinkInfo::CallLinkInfo): (JSC::CallLinkInfo::setUsesDataICs): Deleted. 
* bytecode/Repatch.cpp: (JSC::linkPolymorphicCall): * dfg/DFGCommonData.h: (JSC::DFG::CommonData::addCallLinkInfo): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * jit/CCallHelpers.h: (JSC::CCallHelpers::prepareForTailCallSlow): * wasm/js/WasmToJS.cpp: (JSC::Wasm::wasmToJS): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/AccessCase.cpp trunk/Source/_javascript_Core/bytecode/CallLinkInfo.cpp trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h trunk/Source/_javascript_Core/bytecode/Repatch.cpp trunk/Source/_javascript_Core/dfg/DFGCommonData.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/CCallHelpers.h trunk/Source/_javascript_Core/wasm/js/WasmToJS.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291874 => 291875) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-25 19:00:11 UTC (rev 291874) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-25 19:08:48 UTC (rev 291875) 
@@ -1,3 +1,54 @@ +2022-03-24 Yusuke Suzuki + +[JSC] Use Data CallIC in unlinked DFG +https://bugs.webkit.org/show_bug.cgi?id=238176 + +Reviewed by Saam Barati. + +This patch enables Data CallIC when Options::useDataICInOptimizingJIT() is true +to pave the way to introducing unlinked DFG. + +The most complicated part is DFG tail call handling. We load CallLinkInfo in one +non-callee-save register, and we set up CallFrameShuffleData to keep this value +in the same register even after call frame shuffling for the tail call. This must +be non-callee-save register since callee-save registers are restored to values +of the one-level upper caller for the tail-call. + +We also clean up CallLinkInfo code so that many functions work well with DataIC. +Currently, direct calls are not supported, and we will not emit direct calls when +unlinked DFG is used. + +* bytecode/AccessCase.cpp: +(JSC::AccessCase::generateImpl): +* bytecode/CallLinkInfo.cpp: +(JSC::BaselineCallLinkInfo::initialize): +(JSC::OptimizingCallLinkInfo::emitFastPath): +(JSC::OptimizingCallLinkInfo::emitTailCallFastPath): +(JSC::OptimizingCallLinkInfo::slowPathStart): +(JSC::OptimizingCallLinkInfo::emitDirectFastPath): +(JSC::OptimizingCallLinkInfo::emitDirectTailCallFastPath): +* bytecode/CallLinkInfo.h: +(JSC::CallLinkInfo::isDataIC const): +(JSC::CallLinkInfo::useDataIC const): +(JSC::CallLinkInfo::CallLinkInfo): +(JSC::CallLinkInfo::setUsesDataICs): Deleted. +* bytecode/Repatch.cpp: +(JSC::linkPolymorphicCall): +* dfg/DFGCommonData.h: +(JSC::DFG::CommonData::addCallLinkInfo): +* dfg/DFGSpeculativeJIT32_64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::emitCall): +* dfg/DFGStrengthReductionPhase.cpp: +
[webkit-changes] [291847] trunk/JSTests
Title: [291847] trunk/JSTests Revision 291847 Author ysuz...@apple.com Date 2022-03-24 21:14:29 -0700 (Thu, 24 Mar 2022) Log Message Add additional reported regression tests to ensure multiline token's column offset is reset https://bugs.webkit.org/show_bug.cgi?id=221548 Reviewed by Alexey Shvayka. The bug is fixed and tested in https://github.com/WebKit/WebKit/commit/6d1e5d9498f24805988ad81ca3228588dd000a51. But let's add reported regression tests to ensure that they will not reproduce. * stress/multiline-token-error-column.js: Added. (shouldBe): (throw.new.Error): Modified Paths trunk/JSTests/ChangeLog Added Paths trunk/JSTests/stress/multiline-token-error-column.js Diff Modified: trunk/JSTests/ChangeLog (291846 => 291847) --- trunk/JSTests/ChangeLog 2022-03-25 04:08:00 UTC (rev 291846) +++ trunk/JSTests/ChangeLog 2022-03-25 04:14:29 UTC (rev 291847) @@ -1,3 +1,17 @@ +2022-03-24 Yusuke Suzuki + +Add additional reported regression tests to ensure multiline token's column offset is reset +https://bugs.webkit.org/show_bug.cgi?id=221548 + +Reviewed by Alexey Shvayka. + +The bug is fixed and tested in https://github.com/WebKit/WebKit/commit/6d1e5d9498f24805988ad81ca3228588dd000a51. +But let's add reported regression tests to ensure that they will not reproduce. + +* stress/multiline-token-error-column.js: Added. +(shouldBe): +(throw.new.Error): + 2022-03-23 Geza Lore [JSC] Fix remoteFunctionCallGenerator on MIPS Added: trunk/JSTests/stress/multiline-token-error-column.js (0 => 291847) --- trunk/JSTests/stress/multiline-token-error-column.js (rev 0) +++ trunk/JSTests/stress/multiline-token-error-column.js 2022-03-25 04:14:29 UTC (rev 291847) 
@@ -0,0 +1,24 @@
+function shouldBe(actual, expected) {
+if (actual !== expected)
+throw new Error('bad value: ' + actual);
+}
+
+{
+let { line, column } = (function() {/*
+ something about this comment means the line number gets reported incorrectly in the stack
+ */const e = new Error("new error"); return e;
+})();
+shouldBe(line, 9);
+shouldBe(column, 28);
+}
+{
+let { line, column } = (function() {
+let s = `
+multi
+line
+string
+`; const e = new Error("new error"); return e;
+})();
+shouldBe(line, 20);
+shouldBe(column, 23);
+}
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
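Review bot: The expected values in `shouldBe(line, 9);` and `shouldBe(line, 20);` are tied to the physical layout of this file, so any edit that adds or removes a line above them breaks the test with a message that does not say why. A header comment would save the next editor the puzzle, e.g. `// The asserted line/column values below depend on this file's exact layout; recompute them if any line above them changes.`. The `line` and `column` properties destructured from the Error are engine-specific, which is fine for JSTests but worth a word in the same comment.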
[webkit-changes] [291815] trunk/Source/JavaScriptCore
Title: [291815] trunk/Source/_javascript_Core Revision 291815 Author ysuz...@apple.com Date 2022-03-24 14:41:42 -0700 (Thu, 24 Mar 2022) Log Message [JSC] JSRemoteFunction thunk should materialize code-pointer https://bugs.webkit.org/show_bug.cgi?id=238313 Reviewed by Mark Lam. When invoking a JSRemoteFunction, we must first wrap the arguments passed to it. The wrapping operation may trigger a GC, and GC can jettison JIT code. As a result, even though we know that the target JSFunction has JIT code that we want to execute, the JIT code may be jettisoned (while wrapping the arguments for it) before we get to the call. This resulted in occasional crashes on the JSTests/stress/shadow-realm-evaluate.js test. This patch fixes this by doing a null check on the JIT code just before calling it, and if null (i.e. the JIT code has been jettisoned), re-materializing the JIT code first before making the call. * jit/JITOperations.cpp: (JSC::JSC_DEFINE_JIT_OPERATION): * jit/JITOperations.h: * jit/ThunkGenerators.cpp: (JSC::remoteFunctionCallGenerator): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/jit/JITOperations.cpp trunk/Source/_javascript_Core/jit/JITOperations.h trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291814 => 291815) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-24 21:39:08 UTC (rev 291814) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-24 21:41:42 UTC (rev 291815) 
@@ -1,3 +1,26 @@ +2022-03-24 Yusuke Suzuki + +[JSC] JSRemoteFunction thunk should materialize code-pointer +https://bugs.webkit.org/show_bug.cgi?id=238313 + +Reviewed by Mark Lam. + +When invoking a JSRemoteFunction, we must first wrap the arguments passed to it. +The wrapping operation may trigger a GC, and GC can jettison JIT code. As a result, +even though we know that the target JSFunction has JIT code that we want to execute, +the JIT code may be jettisoned (while wrapping the arguments for it) before we get +to the call. This resulted in occasional crashes on the JSTests/stress/shadow-realm-evaluate.js test. + +This patch fixes this by doing a null check on the JIT code just before calling it, +and if null (i.e. the JIT code has been jettisoned), re-materializing the JIT code +first before making the call. + +* jit/JITOperations.cpp: +(JSC::JSC_DEFINE_JIT_OPERATION): +* jit/JITOperations.h: +* jit/ThunkGenerators.cpp: +(JSC::remoteFunctionCallGenerator): + 2022-03-23 Geza Lore [JSC] Fix remoteFunctionCallGenerator on MIPS Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (291814 => 291815) --- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2022-03-24 21:39:08 UTC (rev 291814) +++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2022-03-24 21:41:42 UTC (rev 291815) 
@@ -158,6 +158,34 @@
 RELEASE_AND_RETURN(scope, JSValue::encode(getWrappedValue(globalObject, globalObject, JSValue::decode(encodedValue;
 }
 
+JSC_DEFINE_JIT_OPERATION(operationMaterializeRemoteFunctionTargetCode, void*, (JSRemoteFunction* callee))
+{
+JSGlobalObject* globalObject = callee->globalObject();
+VM& vm = globalObject->vm();
+
+CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+auto throwScope = DECLARE_THROW_SCOPE(vm);
+
+ASSERT(isRemoteFunction(vm, callee));
+
+auto* targetFunction = jsCast(callee->targetFunction()); // We call this function only when JSRemoteFunction's target is JSFunction.
+ExecutableBase* executable = targetFunction->executable();
+
+// Force the executable to cache its arity entrypoint.
+{
+DeferTraps deferTraps(vm); // We can't jettison any code until after we link the call.
+if (!executable->isHostFunction()) {
+JSScope* scope = targetFunction->scopeUnchecked();
+FunctionExecutable* functionExecutable = static_cast(executable);
+CodeBlock* codeBlockSlot = nullptr;
+functionExecutable->prepareForExecution(vm, targetFunction, scope, CodeForCall, codeBlockSlot);
+RETURN_IF_EXCEPTION(throwScope, nullptr);
+}
+return executable->entrypointFor(CodeForCall, MustCheckArity).executableAddress();
+}
+}
+
 JSC_DEFINE_JIT_OPERATION(operationThrowRemoteFunctionException, EncodedJSValue, (JSRemoteFunction* callee))
 {
 JSGlobalObject* globalObject = callee->globalObject();
Modified: trunk/Source/_javascript_Core/jit/JITOperations.h (291814 => 291815)
--- trunk/Source/_javascript_Core/jit/JITOperations.h 2022-03-24 21:39:08 UTC (rev 291814)
+++ trunk/Source/_javascript_Core/jit/JITOperations.h 2022-03-24 21:41:42 UTC (rev 291815)
@@ -161,6 +161,7 @@
 JSC_DECLARE_JIT_OPERATION(operationThrowIteratorResultIsNotObject, void, (JSGlobalObject*));
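Review bot: The `DeferTraps` comment in `operationMaterializeRemoteFunctionTargetCode`, `// We can't jettison any code until after we link the call.`, looks carried over from the call-linking operations; this function links nothing, it hands back an entrypoint, so the comment should say what it actually protects: `// Keep the code we just prepared from being jettisoned before its entrypoint is returned to the thunk.`. The failure contract is also worth stating at the top of the function, since a nullptr return means an exception is pending and the calling thunk must check the VM before using the pointer — presumably the thunk does, but that is outside this hunk. Note that DeferTraps covers only the span of this operation, so the returned pointer's validity until the thunk actually calls it depends on no safepoint occurring in between, which the hunk cannot show.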
[webkit-changes] [291756] trunk/Source/JavaScriptCore
Title: [291756] trunk/Source/_javascript_Core Revision 291756 Author ysuz...@apple.com Date 2022-03-23 11:47:18 -0700 (Wed, 23 Mar 2022) Log Message [JSC][MSVC] custom getter creation needs to include classInfo since MSVC ICF is not "safe" variant https://bugs.webkit.org/show_bug.cgi?id=238030 Reviewed by Alexey Shvayka. MSVC performs very aggressive ICF (identical code folding) and it even merges the identical two functions into one even though a pointer to this function is used. This means MSVC's ICF is not "safe"[1], and custom function weakmap is broken on MSVC since it is assuming function pointers are different for different functions. Unfortunately, it seems that there is no attribute / annotation to prevent this behavior, so we need to workaround it. Since JSCustomGetterFunction does separate thing based on attached DOMAttribute, we need to include const ClassInfo* into a key of JSCustomGetterFunction weakmap to ensure that two identical functions with different const ClassInfo* do not get the same JSCustomGetterFunction. 
[1]: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/36912.pdf * runtime/JSCustomGetterFunction.h: * runtime/JSCustomSetterFunction.h: * runtime/JSGlobalObject.h: * runtime/JSGlobalObjectInlines.h: (JSC::JSGlobalObject::WeakCustomGetterOrSetterHash::hash): * runtime/JSObject.cpp: (JSC::WeakCustomGetterOrSetterHashTranslator::hash): (JSC::WeakCustomGetterOrSetterHashTranslator::equal): (JSC::createCustomGetterFunction): (JSC::createCustomSetterFunction): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSCustomGetterFunction.h trunk/Source/_javascript_Core/runtime/JSCustomSetterFunction.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/JSGlobalObjectInlines.h trunk/Source/_javascript_Core/runtime/JSObject.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291755 => 291756) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-23 18:37:21 UTC (rev 291755) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-23 18:47:18 UTC (rev 291756) 
@@ -1,3 +1,31 @@ +2022-03-23 Yusuke Suzuki + +[JSC][MSVC] custom getter creation needs to include classInfo since MSVC ICF is not "safe" variant +https://bugs.webkit.org/show_bug.cgi?id=238030 + +Reviewed by Alexey Shvayka. + +MSVC performs very aggressive ICF (identical code folding) and it even merges the identical two functions +into one even though a pointer to this function is used. This means MSVC's ICF is not "safe"[1], and custom +function weakmap is broken on MSVC since it is assuming function pointers are different for different functions. +Unfortunately, it seems that there is no attribute / annotation to prevent this behavior, so we need to workaround it. +Since JSCustomGetterFunction does separate thing based on attached DOMAttribute, we need to include const ClassInfo* +into a key of JSCustomGetterFunction weakmap to ensure that two identical functions with different const ClassInfo* +do not get the same JSCustomGetterFunction. + +[1]: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/36912.pdf + +* runtime/JSCustomGetterFunction.h: +* runtime/JSCustomSetterFunction.h: +* runtime/JSGlobalObject.h: +* runtime/JSGlobalObjectInlines.h: +(JSC::JSGlobalObject::WeakCustomGetterOrSetterHash::hash): +* runtime/JSObject.cpp: +(JSC::WeakCustomGetterOrSetterHashTranslator::hash): +(JSC::WeakCustomGetterOrSetterHashTranslator::equal): +(JSC::createCustomGetterFunction): +(JSC::createCustomSetterFunction): + 2022-03-23 Chris Dumez Avoid unnecessary String constructor under FunctionExecutable::toStringSlow() Modified: trunk/Source/_javascript_Core/runtime/JSCustomGetterFunction.h (291755 => 291756) --- trunk/Source/_javascript_Core/runtime/JSCustomGetterFunction.h 2022-03-23 18:37:21 UTC (rev 291755) +++ trunk/Source/_javascript_Core/runtime/JSCustomGetterFunction.h 2022-03-23 18:47:18 UTC (rev 291756) 
@@ -59,6 +59,12 @@
 CustomFunctionPointer getter() const { return m_getter; };
 CustomFunctionPointer customFunctionPointer() const { return m_getter; };
 std::optional domAttribute() const { return m_domAttribute; };
+const ClassInfo* slotBaseClassInfoIfExists() const
+{
+if (m_domAttribute)
+return m_domAttribute->classInfo;
+return nullptr;
+}
 
 private:
 JSCustomGetterFunction(VM&, NativeExecutable*, JSGlobalObject*, Structure*, const PropertyName&, CustomFunctionPointer, std::optional);
Modified: trunk/Source/_javascript_Core/runtime/JSCustomSetterFunction.h (291755 => 291756)
--- trunk/Source/_javascript_Core/runtime/JSCustomSetterFunction.h 2022-03-23 18:37:21 UTC (rev 291755)
+++
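Review bot: `slotBaseClassInfoIfExists()` is added without a comment saying why a caller would want the ClassInfo separately from `domAttribute()`; the motivation (MSVC's identical-code folding can give two distinct custom getters the same function pointer, so the weakmap key must also carry the slot-base ClassInfo) lives only in the ChangeLog. I would put `// Part of this getter's identity in the custom-function weakmap: identical getter code may be folded to one pointer by ICF, so the ClassInfo disambiguates.` above the declaration. The body could also be the one-liner `return m_domAttribute ? m_domAttribute->classInfo : nullptr;`, matching the single-line accessors just above it. The class declaration continues outside the hunk.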
[webkit-changes] [291752] trunk/Source/JavaScriptCore
Title: [291752] trunk/Source/_javascript_Core Revision 291752 Author ysuz...@apple.com Date 2022-03-23 10:58:27 -0700 (Wed, 23 Mar 2022) Log Message Unreviewed, fix DataIC's slowPathJump handling https://bugs.webkit.org/show_bug.cgi?id=231224 * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInById): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291751 => 291752)
--- trunk/Source/_javascript_Core/ChangeLog 2022-03-23 17:56:45 UTC (rev 291751)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-03-23 17:58:27 UTC (rev 291752)
@@ -1,3 +1,11 @@
+2022-03-23 Yusuke Suzuki
+
+Unreviewed, fix DataIC's slowPathJump handling
+https://bugs.webkit.org/show_bug.cgi?id=231224
+
+* dfg/DFGSpeculativeJIT.cpp:
+(JSC::DFG::SpeculativeJIT::compileInById):
+
 2022-03-23 Patrick Angle
 
 No breakpoints hit on github.com, and some are invalid
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (291751 => 291752)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2022-03-23 17:56:45 UTC (rev 291751)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2022-03-23 17:58:27 UTC (rev 291752)
@@ -1365,7 +1365,8 @@
 gen.generateFastPath(m_jit, scratchGPR);
 
 JITCompiler::JumpList slowCases;
-slowCases.append(gen.slowPathJump());
+if (!JITCode::useDataIC(JITType::DFGJIT))
+slowCases.append(gen.slowPathJump());
 
 std::unique_ptr slowPath;
 if (JITCode::useDataIC(JITType::DFGJIT)) {
@@ -15847,7 +15848,8 @@
 JITCompiler::JumpList slowCases;
 if (slowPathTarget.isSet())
 slowCases.append(slowPathTarget);
-slowCases.append(gen.slowPathJump());
+if (!JITCode::useDataIC(JITType::DFGJIT))
+slowCases.append(gen.slowPathJump());
 
 std::unique_ptr slowPath;
 if (JITCode::useDataIC(JITType::DFGJIT)) {
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
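Review bot: In both DFGSpeculativeJIT.cpp hunks (at 1365 and at 15847) `JITCode::useDataIC(JITType::DFGJIT)` is now evaluated twice in a row, once negated to decide whether to append `gen.slowPathJump()` and once to choose the slow-path generator. A local such as `const bool useDataIC = JITCode::useDataIC(JITType::DFGJIT);` feeding both conditions would make it obvious that the two branches are complementary, and a one-line comment on the negated check would say why the jump is skipped in DataIC mode — presumably the DataIC generator reports its own slow path, but that is not visible here. The enclosing functions start and end outside the hunks.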
[webkit-changes] [291736] trunk
Title: [291736] trunk Revision 291736 Author ysuz...@apple.com Date 2022-03-22 23:45:52 -0700 (Tue, 22 Mar 2022) Log Message [JSC] Test DFG / FTL DataIC https://bugs.webkit.org/show_bug.cgi?id=231224 Reviewed by Saam Barati. JSTests: * microbenchmarks/deltablue-varargs.js: * microbenchmarks/richards-try-catch.js: Source/_javascript_Core: This patch revives DataIC in DFG and FTL, and re-enable testing to make it usable for unlinked DFG. Currently, only x64 / ARM64 are supported. * bytecode/InlineAccess.cpp: (JSC::InlineAccess::isCacheableArrayLength): (JSC::InlineAccess::isCacheableStringLength): (JSC::InlineAccess::rewireStubAsJumpInAccess): (JSC::InlineAccess::resetStubAsJumpInAccess): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetById): (JSC::DFG::SpeculativeJIT::compileGetByIdFlush): (JSC::DFG::SpeculativeJIT::compileInById): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::cachedPutById): (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): * jit/JITCode.h: (JSC::JITCode::useDataIC): * jit/JITInlineCacheGenerator.cpp: (JSC::JITByIdGenerator::generateFastCommon): (JSC::generateGetByIdInlineAccess): (JSC::JITGetByIdGenerator::generateFastPath): (JSC::JITGetByIdWithThisGenerator::generateFastPath): (JSC::generatePutByIdInlineAccess): (JSC::JITPutByIdGenerator::generateBaselineDataICFastPath): (JSC::JITPutByIdGenerator::generateFastPath): (JSC::JITDelByValGenerator::generateFastPath): (JSC::JITDelByIdGenerator::generateFastPath): (JSC::JITInByValGenerator::generateFastPath): (JSC::generateInByIdInlineAccess): (JSC::JITInByIdGenerator::generateFastPath): 
(JSC::JITInByIdGenerator::generateBaselineDataICFastPath): (JSC::JITInstanceOfGenerator::generateFastPath): (JSC::JITGetByValGenerator::generateFastPath): (JSC::JITPutByValGenerator::generateFastPath): (JSC::JITPrivateBrandAccessGenerator::generateFastPath): * jit/JITInlineCacheGenerator.h: (JSC::JITInlineCacheGenerator::reportSlowPathCall): (JSC::JITInlineCacheGenerator::slowPathBegin const): (JSC::JITByIdGenerator::slowPathJump const): (JSC::JITInByValGenerator::slowPathJump const): * runtime/Options.cpp: (JSC::Options::recomputeDependentOptions): * runtime/OptionsList.h: Tools: * Scripts/run-jsc-stress-tests: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/microbenchmarks/deltablue-varargs.js trunk/JSTests/microbenchmarks/richards-try-catch.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/bytecode/InlineAccess.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp trunk/Source/_javascript_Core/jit/JITCode.h trunk/Source/_javascript_Core/jit/JITInlineCacheGenerator.cpp trunk/Source/_javascript_Core/jit/JITInlineCacheGenerator.h trunk/Source/_javascript_Core/runtime/Options.cpp trunk/Source/_javascript_Core/runtime/OptionsList.h trunk/Tools/ChangeLog trunk/Tools/Scripts/run-jsc-stress-tests Diff Modified: trunk/JSTests/ChangeLog (291735 => 291736) --- trunk/JSTests/ChangeLog 2022-03-23 05:26:13 UTC (rev 291735) +++ trunk/JSTests/ChangeLog 2022-03-23 06:45:52 UTC (rev 291736) 
@@ -1,3 +1,13 @@ +2022-03-22 Yusuke Suzuki + +[JSC] Test DFG / FTL DataIC +https://bugs.webkit.org/show_bug.cgi?id=231224 + +Reviewed by Saam Barati. + +* microbenchmarks/deltablue-varargs.js: +* microbenchmarks/richards-try-catch.js: + 2022-03-21 Yusuke Suzuki [JSC] Change Date.parse to stop returning numbers with fractional part Modified: trunk/JSTests/microbenchmarks/deltablue-varargs.js (291735 => 291736) --- trunk/JSTests/microbenchmarks/deltablue-varargs.js 2022-03-23 05:26:13 UTC (rev 291735) +++ trunk/JSTests/microbenchmarks/deltablue-varargs.js 2022-03-23 06:45:52 UTC (rev 291736) @@ -1,5 +1,5 @@ //@ skip if $model == "Apple Watch Series 3" # added by mark-jsc-stress-test.py -//@ requireOptions("--useDataIC=true", "--useDataICSharing=true") +//@ requireOptions("--useDataICInOptimizingJIT=true", "--useDataICSharing=true") // Copyright 2008 the V8 project authors. All rights reserved. // Copyright 1996 John Maloney and Mario Wolczko. Modified: trunk/JSTests/microbenchmarks/richards-try-catch.js (291735 => 291736) --- trunk/JSTests/microbenchmarks/richards-try-catch.js 2022-03-23 05:26:13 UTC (rev 291735) +++ trunk/JSTests/microbenchmarks/richards-try-catch.js 2022-03-23 06:45:52 UTC (rev 291736) @@ -1,5 +1,5 @@ //@ skip if $model == "Apple Watch
[webkit-changes] [291603] trunk
Title: [291603] trunk Revision 291603 Author ysuz...@apple.com Date 2022-03-21 21:26:31 -0700 (Mon, 21 Mar 2022) Log Message [JSC] Change Date.parse to stop returning numbers with fractional part https://bugs.webkit.org/show_bug.cgi?id=238050 Reviewed by Saam Barati. JSTests: * stress/date-parse-timeclip.js: Added. (shouldBe): Source/_javascript_Core: Date.parse should return NaN or integer numbers[1,2]. This patch applies timeClip to the result of Date.parse to ensure that the returned value is time value. [1]: https://tc39.es/ecma262/multipage/numbers-and-dates.html#sec-date.parse [2]: https://tc39.es/ecma262/multipage/numbers-and-dates.html#sec-time-values-and-time-range * runtime/DateConstructor.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/DateConstructor.cpp Added Paths trunk/JSTests/stress/date-parse-timeclip.js Diff Modified: trunk/JSTests/ChangeLog (291602 => 291603) --- trunk/JSTests/ChangeLog 2022-03-22 03:54:43 UTC (rev 291602) +++ trunk/JSTests/ChangeLog 2022-03-22 04:26:31 UTC (rev 291603) @@ -1,5 +1,15 @@ 2022-03-21 Yusuke Suzuki +[JSC] Change Date.parse to stop returning numbers with fractional part +https://bugs.webkit.org/show_bug.cgi?id=238050 + +Reviewed by Saam Barati. + +* stress/date-parse-timeclip.js: Added. +(shouldBe): + +2022-03-21 Yusuke Suzuki + [JSC] ReferenceError when using extra parens in class fields https://bugs.webkit.org/show_bug.cgi?id=236843 Added: trunk/JSTests/stress/date-parse-timeclip.js (0 => 291603) --- trunk/JSTests/stress/date-parse-timeclip.js (rev 0) +++ trunk/JSTests/stress/date-parse-timeclip.js 2022-03-22 04:26:31 UTC (rev 291603) 
@@ -0,0 +1,22 @@
+function shouldBe(actual, expected) {
+if (actual !== expected)
+throw new Error('bad value: ' + actual);
+}
+
+[
+"1970-01-01T00:00:00.00051Z",
+"1969-12-31T23:59:59.999515625Z",
+"1969-12-31T23:59:59.999015625Z",
+].forEach(str => {
+const tv = Date.parse(str);
+shouldBe(Object.is(tv, 0), true);
+shouldBe((new Date(str)).toISOString(), `1970-01-01T00:00:00.000Z`);
+});
+
+[
+0.51,
+-0.484375,
+-0.984375,
+].forEach(value => {
+shouldBe(new Date(value).valueOf(), 0);
+});
Modified: trunk/Source/_javascript_Core/ChangeLog (291602 => 291603)
--- trunk/Source/_javascript_Core/ChangeLog 2022-03-22 03:54:43 UTC (rev 291602)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-03-22 04:26:31 UTC (rev 291603)
@@ -1,3 +1,19 @@
+2022-03-21 Yusuke Suzuki
+
+[JSC] Change Date.parse to stop returning numbers with fractional part
+https://bugs.webkit.org/show_bug.cgi?id=238050
+
+Reviewed by Saam Barati.
+
+Date.parse should return NaN or integer numbers[1,2]. This patch applies timeClip
+to the result of Date.parse to ensure that the returned value is time value.
+
+[1]: https://tc39.es/ecma262/multipage/numbers-and-dates.html#sec-date.parse
+[2]: https://tc39.es/ecma262/multipage/numbers-and-dates.html#sec-time-values-and-time-range
+
+* runtime/DateConstructor.cpp:
+(JSC::JSC_DEFINE_HOST_FUNCTION):
+
 2022-03-21 Saam Barati
 
 Fix bug in Relationship::mergeImpl
Modified: trunk/Source/_javascript_Core/runtime/DateConstructor.cpp (291602 => 291603)
--- trunk/Source/_javascript_Core/runtime/DateConstructor.cpp 2022-03-22 03:54:43 UTC (rev 291602)
+++ trunk/Source/_javascript_Core/runtime/DateConstructor.cpp 2022-03-22 04:26:31 UTC (rev 291603)
@@ -159,7 +159,7 @@
 auto scope = DECLARE_THROW_SCOPE(vm);
 String dateStr = callFrame->argument(0).toWTFString(globalObject);
 RETURN_IF_EXCEPTION(scope, encodedJSValue());
-RELEASE_AND_RETURN(scope, JSValue::encode(jsNumber(vm.dateCache.parseDate(globalObject, vm, dateStr;
+RELEASE_AND_RETURN(scope, JSValue::encode(jsNumber(timeClip(vm.dateCache.parseDate(globalObject, vm, dateStr);
 }
 
 JSValue dateNowImpl()
___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
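Review bot: The `timeClip(...)` wrapping in the DateConstructor.cpp hunk at line 159 is the whole fix, but nothing at the call site says why an integral result matters, so a later reader may take it for a redundant conversion and drop it. I would add `// Date.parse returns a time value: NaN or an integral number within the time range (ECMA-262), hence timeClip.` above the RELEASE_AND_RETURN line. The enclosing host function starts outside the hunk.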
[webkit-changes] [291577] trunk
Title: [291577] trunk Revision 291577 Author ysuz...@apple.com Date 2022-03-21 12:57:19 -0700 (Mon, 21 Mar 2022) Log Message [JSC] ReferenceError when using extra parens in class fields https://bugs.webkit.org/show_bug.cgi?id=236843 Reviewed by Saam Barati. JSTests: * stress/class-field-initializer-should-have-variable-scope.js: Added. (shouldBe): (test1.const.a.x.B): (test1): (test2.const.a.x.B): (test2): (test3.B.prototype.b): (test3.B): (test3): Source/_javascript_Core: class field initializer should create its own used-variables set to capture used variables separately from the other variables since it becomes independent CodeBlock internally later. The current code was wrong since, 1. Incorrectly using the current set of class-scope. 2. Incorrectly marking only the last set while parseAssignmentExpression can create a new set inside it. * parser/Parser.cpp: (JSC::Parser::parseClass): * parser/Parser.h: (JSC::Scope::markLastUsedVariablesSetAsCaptured): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/parser/Parser.cpp trunk/Source/_javascript_Core/parser/Parser.h Added Paths trunk/JSTests/stress/class-field-initializer-should-have-variable-scope.js Diff Modified: trunk/JSTests/ChangeLog (291576 => 291577) --- trunk/JSTests/ChangeLog 2022-03-21 19:42:26 UTC (rev 291576) +++ trunk/JSTests/ChangeLog 2022-03-21 19:57:19 UTC (rev 291577) 
@@ -1,3 +1,20 @@
+2022-03-21 Yusuke Suzuki
+
+[JSC] ReferenceError when using extra parens in class fields
+https://bugs.webkit.org/show_bug.cgi?id=236843
+
+Reviewed by Saam Barati.
+
+* stress/class-field-initializer-should-have-variable-scope.js: Added.
+(shouldBe):
+(test1.const.a.x.B):
+(test1):
+(test2.const.a.x.B):
+(test2):
+(test3.B.prototype.b):
+(test3.B):
+(test3):
+
2022-03-08 Mark Lam Remove invalid ASSERT in LocaleIDBuilder::overrideLanguageScriptRegion().
Added: trunk/JSTests/stress/class-field-initializer-should-have-variable-scope.js (0 => 291577)
--- trunk/JSTests/stress/class-field-initializer-should-have-variable-scope.js (rev 0)
+++ trunk/JSTests/stress/class-field-initializer-should-have-variable-scope.js 2022-03-21 19:57:19 UTC (rev 291577)
@@ -0,0 +1,37 @@
+function shouldBe(actual, expected) {
+if (actual !== expected)
+throw new Error('bad value: ' + actual);
+}
+
+(function test1() {
+const a = (x) => x
+
+class B {
+c = a('OK');
+}
+
+shouldBe(new B().c, "OK");
+})();
+
+(function test2() {
+const a = (x) => x
+
+class B {
+c = a(('OK'));
+}
+
+shouldBe(new B().c, "OK");
+})();
+
+(function test3() {
+const a = (x) => x;
+const b = 'ok';
+
+class B {
+[b]() { return 42; }
+c = a('OK');
+}
+
+shouldBe(new B().c, "OK");
+shouldBe(new B().ok(), 42);
+})();
Modified: trunk/Source/_javascript_Core/ChangeLog (291576 => 291577)
--- trunk/Source/_javascript_Core/ChangeLog 2022-03-21 19:42:26 UTC (rev 291576)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-03-21 19:57:19 UTC (rev 291577)
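Review bot: In the added test file, test1 and test2 end `const a = (x) => x` without a semicolon while test3 writes `const a = (x) => x;`; ASI makes both correct, but the inconsistency leaves a reader wondering whether the missing semicolon is part of the reproduction, so the two lines should match test3. The fix is about variables referenced from a field initializer getting their own used-variable set, and all three cases reference `a` directly from the initializer; a case that closes over `a` from a nested function inside the initializer, e.g. `c = (() => a('OK'))();`, would exercise the new set across a nested scope as well, if that is not already covered by another test.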
@@ -1,3 +1,23 @@
+2022-03-21 Yusuke Suzuki
+
+[JSC] ReferenceError when using extra parens in class fields
+https://bugs.webkit.org/show_bug.cgi?id=236843
+
+Reviewed by Saam Barati.
+
+class field initializer should create its own used-variables set
+to capture used variables separately from the other variables since
+it becomes independent CodeBlock internally later. The current code
+was wrong since,
+
+1. Incorrectly using the current set of class-scope.
+2. Incorrectly marking only the last set while parseAssignmentExpression can create a new set inside it.
+
+* parser/Parser.cpp:
+(JSC::Parser::parseClass):
+* parser/Parser.h:
+(JSC::Scope::markLastUsedVariablesSetAsCaptured):
+
2022-03-21 Jonathan Bedard Unreviewed, reverting r291558.
Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (291576 => 291577)
--- trunk/Source/_javascript_Core/parser/Parser.cpp 2022-03-21 19:42:26 UTC (rev 291576)
+++ trunk/Source/_javascript_Core/parser/Parser.cpp 2022-03-21 19:57:19 UTC (rev 291577)
@@ -3110,12 +3110,14 @@
TreeExpression initializer = 0;
if (consume(EQUAL)) {
+size_t usedVariablesSize = currentScope()->currentUsedVariablesSize();
+currentScope()->pushUsedVariableSet();
SetForScope overrideParsingClassFieldInitializer(m_parserState.isParsingClassFieldInitializer, true);
classScope->setExpectedSuperBinding(SuperBinding::Needed);
initializer = parseAssignmentExpression(context);
classScope->setExpectedSuperBinding(SuperBinding::NotNeeded);
[webkit-changes] [291521] trunk/Source/JavaScriptCore
Title: [291521] trunk/Source/_javascript_Core Revision 291521 Author ysuz...@apple.com Date 2022-03-18 20:46:14 -0700 (Fri, 18 Mar 2022) Log Message [JSC] Further reduce # of registers used in RegExpTestInline https://bugs.webkit.org/show_bug.cgi?id=238105 Reviewed by Saam Barati. This patch further reduces # of registers used in RegExpTestInline. After flushRegisters(), we can use baseGPR for any purpose. We also remove x64 hack since we have enough registers for x64 even if we use one callee-save register in unlinked DFG. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileRegExpTestInline): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291520 => 291521) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-19 03:30:12 UTC (rev 291520) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-19 03:46:14 UTC (rev 291521) @@ -1,3 +1,18 @@ +2022-03-18 Yusuke Suzuki + +[JSC] Further reduce # of registers used in RegExpTestInline +https://bugs.webkit.org/show_bug.cgi?id=238105 + +Reviewed by Saam Barati. + +This patch further reduces # of registers used in RegExpTestInline. +After flushRegisters(), we can use baseGPR for any purpose. +We also remove x64 hack since we have enough registers for x64 even +if we use one callee-save register in unlinked DFG. + +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::compileRegExpTestInline): + 2022-03-18 Devin Rousso Web Inspector: REGRESSION(?): Emulate User Gesture doesn't work Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (291520 => 291521) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2022-03-19 03:30:12 UTC (rev 291520) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2022-03-19 03:46:14 UTC (rev 291521) 
@@ -2699,6 +2699,10 @@
{
RegExp* regExp = jsCast(node->cellOperand2()->value());
+auto jitCodeBlock = regExp->getRegExpJITCodeBlock();
+ASSERT(jitCodeBlock);
+auto inlineCodeStats8Bit = jitCodeBlock->get8BitInlineStats();
+
ASSERT(!regExp->globalOrSticky());
SpeculateCellOperand globalObject(this, node->child1());
@@ -2709,8 +2713,7 @@
GPRTemporary strLength(this);
GPRTemporary output(this);
GPRTemporary temp0(this);
-GPRTemporary temp1(this);
-std::optional temp2;
+std::optional temp1;
GPRReg globalObjectGPR = globalObject.gpr();
GPRReg baseGPR = base.gpr();
@@ -2719,19 +2722,12 @@
GPRReg outputGPR = output.gpr();
GPRReg strLengthGPR = strLength.gpr();
GPRReg temp0GPR = temp0.gpr();
-GPRReg temp1GPR = temp1.gpr();
-GPRReg temp2GPR = InvalidGPRReg;
+GPRReg temp1GPR = InvalidGPRReg;
-auto jitCodeBlock = regExp->getRegExpJITCodeBlock();
-ASSERT(jitCodeBlock);
-auto inlineCodeStats8Bit = jitCodeBlock->get8BitInlineStats();
-
-#if !CPU(X86_64)
if (inlineCodeStats8Bit.needsTemp2()) {
-temp2.emplace(this);
-temp2GPR = temp2->gpr();
+temp1.emplace(this);
+temp1GPR = temp1->gpr();
}
-#endif
speculateRegExpObject(node->child2(), baseGPR);
@@ -2750,6 +2746,7 @@
m_jit.load32(MacroAssembler::Address(stringImplGPR, StringImpl::lengthMemoryOffset()), strLengthGPR);
// Clobbering input registers is OK since we already called flushRegisters.
+// slowCases jumps are already done. So we can modify baseGPR etc.
Yarr::YarrJITRegisters yarrRegisters;
yarrRegisters.input = stringDataGPR;
yarrRegisters.index = stringImplGPR;
@@ -2756,12 +2753,9 @@
yarrRegisters.length = strLengthGPR;
yarrRegisters.output = outputGPR;
yarrRegisters.regT0 = temp0GPR;
-yarrRegisters.regT1 = temp1GPR;
-#if CPU(X86_64)
-temp2GPR = globalObjectGPR;
-#endif
+yarrRegisters.regT1 = baseGPR;
if (inlineCodeStats8Bit.needsTemp2())
-yarrRegisters.regT2 = temp2GPR;
+yarrRegisters.regT2 = temp1GPR;
yarrRegisters.returnRegister = temp0GPR;
yarrRegisters.returnRegister2 = stringDataGPR;
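Review bot: `yarrRegisters.regT1 = baseGPR;` in the last hunk turns the RegExpObject operand register into Yarr scratch, but the only statement of why that is safe is the new comment `// slowCases jumps are already done. So we can modify baseGPR etc.` two hunks earlier, next to the register-table setup rather than at the reuse. Stating the liveness claim where the clobber happens, e.g. `// baseGPR is dead from here on: speculation and slowCases for the RegExpObject are already emitted, so it doubles as regT1.`, protects a later edit that reads baseGPR after this point. The rest of compileRegExpTestInline lies outside these hunks, so I cannot confirm from here that no later code reads baseGPR; the comment is the main safeguard available. The removal of the `#if CPU(X86_64)` / `temp2GPR = globalObjectGPR` path also means globalObjectGPR is no longer repurposed, which the comment could mention so nobody reintroduces the restore in the hunk that follows.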
@@ -2773,13 +2767,6 @@
auto failedMatch = m_jit.branch32(MacroAssembler::LessThan, yarrRegisters.returnRegister, TrustedImm32(0));
// Saved cached result
-#if CPU(X86_64)
-if (inlineCodeStats8Bit.needsTemp2()) {
-// Since we reused globalObjectGPR for temp2, let's restore the global object.
-m_jit.move(TrustedImmPtr::weakPointer(m_graph, jsCast(node->cellOperand()->value())), globalObjectGPR);
-}
-#endif
-
ptrdiff_t offset = JSGlobalObject::regExpGlobalDataOffset() + RegExpGlobalData::offsetOfCachedResult();
m_jit.storePtr(TrustedImmPtr::weakPointer(m_graph, regExp), JITCompiler::Address(globalObjectGPR, offset +
[webkit-changes] [291515] trunk/Source/JavaScriptCore
Title: [291515] trunk/Source/_javascript_Core Revision 291515 Author ysuz...@apple.com Date 2022-03-18 17:55:48 -0700 (Fri, 18 Mar 2022) Log Message [JSC] Reduce # of registers used in RegExpTestInline to allow using unlinked DFG in x64 https://bugs.webkit.org/show_bug.cgi?id=238092 Reviewed by Michael Saboff. This patch reduces # of registers used in RegExpTestInline implementation to make it work well for x64 unlinked DFG since it can reduce # of registers to use one callee-save register for constants buffer. We also add YarrJITRegisters::validate to ensure that used registers meet the invariants in YarrJIT. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileRegExpTestInline): * yarr/YarrJIT.cpp: (JSC::Yarr::jitCompileInlinedTest): * yarr/YarrJITRegisters.h: (JSC::Yarr::YarrJITRegisters::validate): (JSC::Yarr::YarrJITRegisters::YarrJITRegisters): Deleted. Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp trunk/Source/_javascript_Core/yarr/YarrJIT.cpp trunk/Source/_javascript_Core/yarr/YarrJITRegisters.h Diff Modified: trunk/Source/_javascript_Core/ChangeLog (291514 => 291515) --- trunk/Source/_javascript_Core/ChangeLog 2022-03-19 00:46:37 UTC (rev 291514) +++ trunk/Source/_javascript_Core/ChangeLog 2022-03-19 00:55:48 UTC (rev 291515) 
@@ -1,3 +1,24 @@ +2022-03-18 Yusuke Suzuki + +[JSC] Reduce # of registers used in RegExpTestInline to allow using unlinked DFG in x64 +https://bugs.webkit.org/show_bug.cgi?id=238092 + +Reviewed by Michael Saboff. + +This patch reduces # of registers used in RegExpTestInline implementation to make it work +well for x64 unlinked DFG since it can reduce # of registers to use one callee-save register +for constants buffer. + +We also add YarrJITRegisters::validate to ensure that used registers meet the invariants in YarrJIT. + +* dfg/DFGSpeculativeJIT64.cpp: +(JSC::DFG::SpeculativeJIT::compileRegExpTestInline): +* yarr/YarrJIT.cpp: +(JSC::Yarr::jitCompileInlinedTest): +* yarr/YarrJITRegisters.h: +(JSC::Yarr::YarrJITRegisters::validate): +(JSC::Yarr::YarrJITRegisters::YarrJITRegisters): Deleted. + 2022-03-17 Keith Miller Fix crash in Bleacher Report due to bad JSObjectRef passed to API Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (291514 => 291515) --- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2022-03-19 00:46:37 UTC (rev 291514) +++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2022-03-19 00:55:48 UTC (rev 291515) 
@@ -2703,28 +2703,24 @@
SpeculateCellOperand globalObject(this, node->child1());
SpeculateCellOperand base(this, node->child2());
-GPRReg globalObjectGPR = globalObject.gpr();
-GPRReg baseGPR = base.gpr();
-GPRReg argumentGPR;
-GPRFlushedCallResult result(this);
-GPRReg resultGPR = result.gpr();
+
GPRTemporary stringImpl(this);
GPRTemporary stringData(this);
GPRTemporary strLength(this);
GPRTemporary output(this);
-GPRTemporary result2(this);
GPRTemporary temp0(this);
GPRTemporary temp1(this);
-GPRTemporary temp2;
+std::optional temp2;
+
+GPRReg globalObjectGPR = globalObject.gpr();
+GPRReg baseGPR = base.gpr();
GPRReg stringImplGPR = stringImpl.gpr();
GPRReg stringDataGPR = stringData.gpr();
GPRReg outputGPR = output.gpr();
GPRReg strLengthGPR = strLength.gpr();
-GPRReg result2GPR = result2.gpr();
GPRReg temp0GPR = temp0.gpr();
GPRReg temp1GPR = temp1.gpr();
GPRReg temp2GPR = InvalidGPRReg;
-GPRReg swapReg = InvalidGPRReg;
auto jitCodeBlock = regExp->getRegExpJITCodeBlock();
ASSERT(jitCodeBlock);
@@ -2732,44 +2728,31 @@
#if !CPU(X86_64)
if (inlineCodeStats8Bit.needsTemp2()) {
-GPRTemporary realTemp2(this);
-temp2.adopt(realTemp2);
-temp2GPR = temp2.gpr();
+temp2.emplace(this);
+temp2GPR = temp2->gpr();
}
#endif
speculateRegExpObject(node->child2(), baseGPR);
-MacroAssembler::JumpList done;
-MacroAssembler::JumpList operationCases;
+CCallHelpers::JumpList slowCases;
-auto swapRegIfNeeded = [&] {
-if (globalObjectGPR == resultGPR) {
-swapReg = allocate();
-m_jit.move(globalObjectGPR, swapReg);
-globalObjectGPR = swapReg;
-} else if (baseGPR == resultGPR) {
-swapReg = allocate();
-m_jit.move(baseGPR, swapReg);
-baseGPR = swapReg;
-} else if (argumentGPR == resultGPR) {
-swapReg = allocate();
-m_jit.move(argumentGPR, swapReg);
-argumentGPR = swapReg;
-}
-};
+auto regExpTestInlineCase = [&](GPRReg argumentGPR, CCallHelpers::JumpList& slowCases) {
+m_jit.loadPtr(MacroAssembler::Address(argumentGPR, JSString::offsetOfValue()),
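Review bot: In the first hunk `std::optional temp2;` (the template argument looks stripped by the mail rendering) is declared next to `GPRReg temp2GPR = InvalidGPRReg;`, and the only code that populates either sits under `#if !CPU(X86_64)` in the following hunk, so on x86_64 temp2GPR is left invalid with no explanation at the declaration. A comment on the declaration, `// Allocated only when the inlined Yarr code needs a third scratch register and we are not on X86_64; otherwise temp2GPR stays InvalidGPRReg and must be supplied another way before use.`, would save the reader from reconstructing that across the `#if` blocks. How the x86_64 case obtains its third scratch register is past the end of the visible hunk, so I cannot check it here. The replacement of the default-constructed `GPRTemporary` plus `adopt` with `std::optional` and `emplace` is the clearer ownership model and reads well.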