Diff
Modified: trunk/JSTests/ChangeLog (240326 => 240327)
--- trunk/JSTests/ChangeLog 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/JSTests/ChangeLog 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1,3 +1,17 @@
+2019-01-22 Yusuke Suzuki <[email protected]>
+
+ REGRESSION(r239612) Crash at runtime due to broken DFG assumption
+ https://bugs.webkit.org/show_bug.cgi?id=193709
+ <rdar://problem/47363838>
+
+ Unreviewed, rollout to watch the tests.
+
+ * stress/object-tostring-changed-proto.js: Removed.
+ * stress/object-tostring-changed.js: Removed.
+ * stress/object-tostring-misc.js: Removed.
+ * stress/object-tostring-other.js: Removed.
+ * stress/object-tostring-untyped.js: Removed.
+
2019-01-22 Saam Barati <[email protected]>
Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
Deleted: trunk/JSTests/stress/object-tostring-changed-proto.js (240326 => 240327)
--- trunk/JSTests/stress/object-tostring-changed-proto.js 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/JSTests/stress/object-tostring-changed-proto.js 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1,18 +0,0 @@
-function shouldBe(actual, expected)
-{
- if (actual !== expected)
- throw new Error('bad value: ' + actual);
-}
-noInline(shouldBe);
-
-function test(value)
-{
- return Object.prototype.toString.call(value);
-}
-noInline(test);
-
-var object = {};
-for (var i = 0; i < 1e5; ++i)
- shouldBe(test(object), `[object Object]`);
-Object.prototype[Symbol.toStringTag] = "Hello";
-shouldBe(test(object), `[object Hello]`);
Deleted: trunk/JSTests/stress/object-tostring-changed.js (240326 => 240327)
--- trunk/JSTests/stress/object-tostring-changed.js 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/JSTests/stress/object-tostring-changed.js 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1,18 +0,0 @@
-function shouldBe(actual, expected)
-{
- if (actual !== expected)
- throw new Error('bad value: ' + actual);
-}
-noInline(shouldBe);
-
-function test(value)
-{
- return Object.prototype.toString.call(value);
-}
-noInline(test);
-
-var object = {};
-for (var i = 0; i < 1e5; ++i)
- shouldBe(test(object), `[object Object]`);
-object[Symbol.toStringTag] = "Hello";
-shouldBe(test(object), `[object Hello]`);
Deleted: trunk/JSTests/stress/object-tostring-misc.js (240326 => 240327)
--- trunk/JSTests/stress/object-tostring-misc.js 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/JSTests/stress/object-tostring-misc.js 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1,26 +0,0 @@
-function shouldBe(actual, expected)
-{
- if (actual !== expected)
- throw new Error('bad value: ' + actual);
-}
-noInline(shouldBe);
-
-function test(value)
-{
- return Object.prototype.toString.call(value);
-}
-noInline(test);
-
-for (var i = 0; i < 1e6; ++i) {
- switch (i % 3) {
- case 0:
- shouldBe(test(null), `[object Null]`);
- break;
- case 1:
- shouldBe(test(undefined), `[object Undefined]`);
- break;
- case 2:
- shouldBe(test(true), `[object Boolean]`);
- break;
- }
-}
Deleted: trunk/JSTests/stress/object-tostring-other.js (240326 => 240327)
--- trunk/JSTests/stress/object-tostring-other.js 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/JSTests/stress/object-tostring-other.js 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1,19 +0,0 @@
-function shouldBe(actual, expected)
-{
- if (actual !== expected)
- throw new Error('bad value: ' + actual);
-}
-noInline(shouldBe);
-
-function test(value)
-{
- return Object.prototype.toString.call(value);
-}
-noInline(test);
-
-for (var i = 0; i < 1e6; ++i) {
- if (i & 0x1)
- shouldBe(test(null), `[object Null]`);
- else
- shouldBe(test(undefined), `[object Undefined]`);
-}
Deleted: trunk/JSTests/stress/object-tostring-untyped.js (240326 => 240327)
--- trunk/JSTests/stress/object-tostring-untyped.js 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/JSTests/stress/object-tostring-untyped.js 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1,50 +0,0 @@
-function shouldBe(actual, expected)
-{
- if (actual !== expected)
- throw new Error('bad value: ' + actual);
-}
-noInline(shouldBe);
-
-function test(value)
-{
- return Object.prototype.toString.call(value);
-}
-noInline(test);
-
-var value0 = {};
-var value1 = { [Symbol.toStringTag]: "Hello" };
-var value2 = new Date();
-var value3 = "Hello";
-var value4 = 42;
-var value5 = Symbol("Cocoa");
-var value6 = 42.195;
-var value7 = false;
-
-for (var i = 0; i < 1e6; ++i) {
- switch (i % 8) {
- case 0:
- shouldBe(test(value0), `[object Object]`);
- break;
- case 1:
- shouldBe(test(value1), `[object Hello]`);
- break;
- case 2:
- shouldBe(test(value2), `[object Date]`);
- break;
- case 3:
- shouldBe(test(value3), `[object String]`);
- break;
- case 4:
- shouldBe(test(value4), `[object Number]`);
- break;
- case 5:
- shouldBe(test(value5), `[object Symbol]`);
- break;
- case 6:
- shouldBe(test(value6), `[object Number]`);
- break;
- case 7:
- shouldBe(test(value7), `[object Boolean]`);
- break;
- }
-}
Modified: trunk/Source/_javascript_Core/ChangeLog (240326 => 240327)
--- trunk/Source/_javascript_Core/ChangeLog 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1,3 +1,53 @@
+2019-01-22 Yusuke Suzuki <[email protected]>
+
+ REGRESSION(r239612) Crash at runtime due to broken DFG assumption
+ https://bugs.webkit.org/show_bug.cgi?id=193709
+ <rdar://problem/47363838>
+
+ Unreviewed, rollout to watch the tests.
+
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupObjectToString): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectToString): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
+ (JSC::FTL::DFG::LowerDFGToB3::compileObjectToString): Deleted.
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/ObjectPrototype.cpp:
+ (JSC::ObjectPrototype::finishCreation):
+ (JSC::objectProtoFuncToString):
+ * runtime/ObjectPrototype.h:
+ * runtime/ObjectPrototypeInlines.h: Removed.
+ * runtime/StructureRareData.h:
+
2019-01-22 Devin Rousso <[email protected]>
Web Inspector: expose Audit and Recording versions to the frontend
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (240326 => 240327)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2019-01-23 05:55:08 UTC (rev 240327)
@@ -7014,7 +7014,6 @@
E3C295DC1ED2CBAA00D3016F /* ObjectPropertyChangeAdaptiveWatchpoint.h */,
BC2680C80E16D4E900A06E92 /* ObjectPrototype.cpp */,
BC2680C90E16D4E900A06E92 /* ObjectPrototype.h */,
- 6D0CC9E1CBC149AB8F403434 /* ObjectPrototypeInlines.h */,
F692A8770255597D01FF60F7 /* Operations.cpp */,
F692A8780255597D01FF60F7 /* Operations.h */,
0FE228EA1436AB2300196C48 /* Options.cpp */,
@@ -9463,7 +9462,6 @@
0FD3E40A1B618B6600C80E1E /* ObjectPropertyCondition.h in Headers */,
0FD3E40C1B618B6600C80E1E /* ObjectPropertyConditionSet.h in Headers */,
BC18C4460E16F5CD00B34460 /* ObjectPrototype.h in Headers */,
- 5E158AC350BC4EC7877DC0F4 /* ObjectPrototypeInlines.h in Headers */,
E124A8F70E555775003091F1 /* OpaqueJSString.h in Headers */,
14F79F70216EAFD200046D39 /* Opcode.h in Headers */,
FE64872E2141D04800AB0D3E /* OpcodeInlines.h in Headers */,
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -2635,24 +2635,6 @@
break;
}
- case ObjectToString: {
- AbstractValue& source = forNode(node->child1());
- bool clobbering = node->child1().useKind() != OtherUse;
- if (JSValue sourceValue = source.m_value) {
- if (sourceValue.isUndefinedOrNull()) {
- if (clobbering)
- didFoldClobberWorld();
- setConstant(node, *m_graph.freeze(sourceValue.isUndefined() ? m_vm.smallStrings.undefinedObjectString() : m_vm.smallStrings.nullObjectString()));
- break;
- }
- }
-
- if (clobbering)
- clobberWorld();
- setTypeForNode(node, SpecString);
- break;
- }
-
case ToObject:
case CallObjectConstructor: {
AbstractValue& source = forNode(node->child1());
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -2710,13 +2710,6 @@
return true;
}
- case ObjectPrototypeToStringIntrinsic: {
- insertChecks();
- Node* value = get(virtualRegisterForArgument(0, registerOffset));
- setResult(addToGraph(ObjectToString, value));
- return true;
- }
-
case ReflectGetPrototypeOfIntrinsic: {
if (argumentCountIncludingThis != 2)
return false;
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -678,20 +678,6 @@
write(Heap);
return;
- case ObjectToString:
- switch (node->child1().useKind()) {
- case OtherUse:
- def(PureValue(node));
- return;
- case UntypedUse:
- read(World);
- write(Heap);
- return;
- default:
- RELEASE_ASSERT_NOT_REACHED();
- return;
- }
-
case AtomicsAdd:
case AtomicsAnd:
case AtomicsCompareExchange:
Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -366,7 +366,6 @@
case StringReplaceRegExp:
case StringSlice:
case StringValueOf:
- case ObjectToString:
case CreateRest:
case ToLowerCase:
case CallDOMGetter:
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -2150,11 +2150,6 @@
break;
}
- case ObjectToString: {
- fixupObjectToString(node);
- break;
- }
-
case StringSlice: {
fixEdge<StringUse>(node->child1());
fixEdge<Int32Use>(node->child2());
@@ -2947,15 +2942,6 @@
}
}
- void fixupObjectToString(Node* node)
- {
- if (node->child1()->shouldSpeculateOther()) {
- fixEdge<OtherUse>(node->child1());
- node->clearFlags(NodeMustGenerate);
- return;
- }
- }
-
bool attemptToMakeFastStringAdd(Node* node)
{
bool goodToGo = true;
Modified: trunk/Source/_javascript_Core/dfg/DFGNodeType.h (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGNodeType.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGNodeType.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -266,7 +266,6 @@
macro(GetPrototypeOf, NodeMustGenerate | NodeResultJS) \
macro(ObjectCreate, NodeMustGenerate | NodeResultJS) \
macro(ObjectKeys, NodeMustGenerate | NodeResultJS) \
- macro(ObjectToString, NodeMustGenerate | NodeResultJS) \
\
/* Atomics object functions. */\
macro(AtomicsAdd, NodeResultJS | NodeMustGenerate | NodeHasVarArgs) \
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -63,7 +63,6 @@
#include "JSWeakSet.h"
#include "NumberConstructor.h"
#include "ObjectConstructor.h"
-#include "ObjectPrototypeInlines.h"
#include "Operations.h"
#include "ParseInt.h"
#include "RegExpConstructor.h"
@@ -72,7 +71,6 @@
#include "Repatch.h"
#include "ScopedArguments.h"
#include "StringConstructor.h"
-#include "StructureRareDataInlines.h"
#include "SuperSampler.h"
#include "Symbol.h"
#include "TypeProfilerLog.h"
@@ -2156,13 +2154,6 @@
return nullptr;
}
-JSString* JIT_OPERATION operationObjectToString(ExecState* exec, EncodedJSValue source)
-{
- VM& vm = exec->vm();
- NativeCallFrameTracer tracer(&vm, exec);
- return objectToString(exec, JSValue::decode(source));
-}
-
JSCell* JIT_OPERATION operationStringSubstr(ExecState* exec, JSCell* cell, int32_t from, int32_t span)
{
VM& vm = exec->vm();
Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.h (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGOperations.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -205,7 +205,6 @@
JSCell* JIT_OPERATION operationStringSubstr(ExecState*, JSCell*, int32_t, int32_t);
JSString* JIT_OPERATION operationStringValueOf(ExecState*, EncodedJSValue);
JSString* JIT_OPERATION operationToLowerCase(ExecState*, JSString*, uint32_t);
-JSString* JIT_OPERATION operationObjectToString(ExecState*, EncodedJSValue);
char* JIT_OPERATION operationInt32ToString(ExecState*, int32_t, int32_t);
char* JIT_OPERATION operationInt52ToString(ExecState*, int64_t, int32_t);
Modified: trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -879,7 +879,6 @@
case StringValueOf:
case StringSlice:
case ToLowerCase:
- case ObjectToString:
setPrediction(SpecString);
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -453,7 +453,6 @@
case StringValueOf:
case StringSlice:
case ToLowerCase:
- case ObjectToString:
case GetMapBucket:
case GetMapBucketHead:
case GetMapBucketNext:
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -12440,63 +12440,6 @@
}
}
-void SpeculativeJIT::compileObjectToString(Node* node)
-{
- switch (node->child1().useKind()) {
- case OtherUse: {
- JSValueOperand source(this, node->child1(), ManualOperandSpeculation);
- GPRTemporary result(this);
-
- JSValueRegs sourceRegs = source.jsValueRegs();
- GPRReg resultGPR = result.gpr();
-
- speculateOther(node->child1(), sourceRegs);
-
- auto isUndefined = m_jit.branchIfUndefined(sourceRegs);
- m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.vm()->smallStrings.nullObjectString()), resultGPR);
- auto done = m_jit.jump();
- isUndefined.link(&m_jit);
- m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.vm()->smallStrings.undefinedObjectString()), resultGPR);
- done.link(&m_jit);
-
- cellResult(resultGPR, node);
- return;
- }
- case UntypedUse: {
- JSValueOperand source(this, node->child1());
-
- JSValueRegs sourceRegs = source.jsValueRegs();
-
- GPRTemporary structure(this);
- GPRTemporary scratch(this);
-
- GPRReg structureGPR = structure.gpr();
- GPRReg scratchGPR = scratch.gpr();
-
- CCallHelpers::JumpList slowCases;
- slowCases.append(m_jit.branchIfNotCell(sourceRegs));
- slowCases.append(m_jit.branchIfNotObject(sourceRegs.payloadGPR()));
-
- m_jit.emitLoadStructure(*m_jit.vm(), sourceRegs.payloadGPR(), structureGPR, scratchGPR);
- m_jit.loadPtr(CCallHelpers::Address(structureGPR, Structure::previousOrRareDataOffset()), scratchGPR);
-
- slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
- slowCases.append(m_jit.branch32(CCallHelpers::Equal, CCallHelpers::Address(scratchGPR, JSCell::structureIDOffset()), TrustedImm32(bitwise_cast<int32_t>(m_jit.vm()->structureStructure->structureID()))));
-
- m_jit.loadPtr(CCallHelpers::Address(scratchGPR, StructureRareData::offsetOfObjectToStringValue()), scratchGPR);
- slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
-
- addSlowPathGenerator(slowPathCall(slowCases, this, operationObjectToString, scratchGPR, sourceRegs));
-
- cellResult(scratchGPR, node);
- return;
- }
- default:
- DFG_CRASH(m_graph, node, "Bad use kind");
- return;
- }
-}
-
void SpeculativeJIT::compileObjectCreate(Node* node)
{
switch (node->child1().useKind()) {
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1480,7 +1480,6 @@
void compileNewTypedArray(Node*);
void compileToThis(Node*);
void compileObjectKeys(Node*);
- void compileObjectToString(Node*);
void compileObjectCreate(Node*);
void compileCreateThis(Node*);
void compileNewObject(Node*);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -3105,11 +3105,6 @@
compileToStringOrCallStringConstructorOrStringValueOf(node);
break;
}
-
- case ObjectToString: {
- compileObjectToString(node);
- break;
- }
case NewStringObject: {
compileNewStringObject(node);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -3347,11 +3347,6 @@
compileToStringOrCallStringConstructorOrStringValueOf(node);
break;
}
-
- case ObjectToString: {
- compileObjectToString(node);
- break;
- }
case NewStringObject: {
compileNewStringObject(node);
Modified: trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h (240326 => 240327)
--- trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -120,7 +120,6 @@
macro(Structure_prototype, Structure::prototypeOffset()) \
macro(Structure_structureID, Structure::structureIDOffset()) \
macro(StructureRareData_cachedOwnKeys, StructureRareData::offsetOfCachedOwnKeys()) \
- macro(StructureRareData_objectToStringValue, StructureRareData::offsetOfObjectToStringValue()) \
macro(HashMapImpl_capacity, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()) \
macro(HashMapImpl_buffer, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()) \
macro(HashMapImpl_head, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfHead()) \
Modified: trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -334,7 +334,6 @@
case StringValueOf:
case StringSlice:
case ToLowerCase:
- case ObjectToString:
case NumberToStringWithRadix:
case NumberToStringWithValidRadixConstant:
case CheckSubClass:
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -937,9 +937,6 @@
case StringFromCharCode:
compileStringFromCharCode();
break;
- case ObjectToString:
- compileObjectToString();
- break;
case GetByOffset:
case GetGetterSetterByOffset:
compileGetByOffset();
@@ -6425,61 +6422,6 @@
break;
}
}
-
- void compileObjectToString()
- {
- switch (m_node->child1().useKind()) {
- case OtherUse: {
- speculate(m_node->child1());
- LValue source = lowJSValue(m_node->child1(), ManualOperandSpeculation);
- LValue result = m_out.select(m_out.equal(source, m_out.constInt64(ValueUndefined)),
- weakPointer(vm().smallStrings.undefinedObjectString()), weakPointer(vm().smallStrings.nullObjectString()));
- setJSValue(result);
- return;
- }
- case UntypedUse: {
- LBasicBlock cellCase = m_out.newBlock();
- LBasicBlock objectCase = m_out.newBlock();
- LBasicBlock notNullCase = m_out.newBlock();
- LBasicBlock rareDataCase = m_out.newBlock();
- LBasicBlock slowCase = m_out.newBlock();
- LBasicBlock continuation = m_out.newBlock();
-
- LValue source = lowJSValue(m_node->child1());
- m_out.branch(isCell(source, provenType(m_node->child1())), unsure(cellCase), unsure(slowCase));
-
- LBasicBlock lastNext = m_out.appendTo(cellCase, objectCase);
- m_out.branch(isObject(source, provenType(m_node->child1()) & SpecCell), unsure(objectCase), unsure(slowCase));
-
- m_out.appendTo(objectCase, notNullCase);
- LValue structure = loadStructure(source);
- LValue previousOrRareData = m_out.loadPtr(structure, m_heaps.Structure_previousOrRareData);
- m_out.branch(m_out.notNull(previousOrRareData), unsure(notNullCase), unsure(slowCase));
-
- m_out.appendTo(notNullCase, rareDataCase);
- m_out.branch(
- m_out.notEqual(m_out.load32(previousOrRareData, m_heaps.JSCell_structureID), m_out.constInt32(m_graph.m_vm.structureStructure->structureID())),
- unsure(rareDataCase), unsure(slowCase));
-
- m_out.appendTo(rareDataCase, slowCase);
- LValue objectToStringValue = m_out.loadPtr(previousOrRareData, m_heaps.StructureRareData_objectToStringValue);
- ValueFromBlock fastResult = m_out.anchor(objectToStringValue);
- m_out.branch(m_out.isNull(objectToStringValue), unsure(slowCase), unsure(continuation));
-
- m_out.appendTo(slowCase, continuation);
- LValue slowResultValue = vmCall(pointerType(), m_out.operation(operationObjectToString), m_callFrame, source);
- ValueFromBlock slowResult = m_out.anchor(slowResultValue);
- m_out.jump(continuation);
-
- m_out.appendTo(continuation, lastNext);
- setJSValue(m_out.phi(pointerType(), fastResult, slowResult));
- return;
- }
- default:
- DFG_CRASH(m_graph, m_node, "Bad use kind");
- return;
- }
- }
void compileToPrimitive()
{
Modified: trunk/Source/_javascript_Core/runtime/Intrinsic.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/runtime/Intrinsic.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/runtime/Intrinsic.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -121,8 +121,6 @@
return "ObjectIsIntrinsic";
case ObjectKeysIntrinsic:
return "ObjectKeysIntrinsic";
- case ObjectPrototypeToStringIntrinsic:
- return "ObjectPrototypeToStringIntrinsic";
case ReflectGetPrototypeOfIntrinsic:
return "ReflectGetPrototypeOfIntrinsic";
case StringPrototypeValueOfIntrinsic:
Modified: trunk/Source/_javascript_Core/runtime/Intrinsic.h (240326 => 240327)
--- trunk/Source/_javascript_Core/runtime/Intrinsic.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/runtime/Intrinsic.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -73,7 +73,6 @@
ObjectGetPrototypeOfIntrinsic,
ObjectIsIntrinsic,
ObjectKeysIntrinsic,
- ObjectPrototypeToStringIntrinsic,
ReflectGetPrototypeOfIntrinsic,
StringPrototypeValueOfIntrinsic,
StringPrototypeReplaceIntrinsic,
Modified: trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp (240326 => 240327)
--- trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/runtime/ObjectPrototype.cpp 2019-01-23 05:55:08 UTC (rev 240327)
@@ -27,7 +27,6 @@
#include "JSFunction.h"
#include "JSString.h"
#include "JSCInlines.h"
-#include "ObjectPrototypeInlines.h"
#include "PropertySlot.h"
#include "StructureInlines.h"
#include "StructureRareDataInlines.h"
@@ -43,7 +42,6 @@
static EncodedJSValue JSC_HOST_CALL objectProtoFuncLookupSetter(ExecState*);
static EncodedJSValue JSC_HOST_CALL objectProtoFuncPropertyIsEnumerable(ExecState*);
static EncodedJSValue JSC_HOST_CALL objectProtoFuncToLocaleString(ExecState*);
-static EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState*);
STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(ObjectPrototype);
@@ -60,7 +58,7 @@
ASSERT(inherits(vm, info()));
didBecomePrototype();
- JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toString, objectProtoFuncToString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0, ObjectPrototypeToStringIntrinsic);
+ JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toString, objectProtoFuncToString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toLocaleString, objectProtoFuncToLocaleString, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->valueOf, objectProtoFuncValueOf, static_cast<unsigned>(PropertyAttribute::DontEnum), 0);
JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->hasOwnProperty, objectProtoFuncHasOwnProperty, static_cast<unsigned>(PropertyAttribute::DontEnum), 1, HasOwnPropertyIntrinsic);
@@ -313,8 +311,50 @@
EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState* exec)
{
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+
JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
- return JSValue::encode(objectToString(exec, thisValue));
+ if (thisValue.isUndefinedOrNull())
+ return JSValue::encode(thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString());
+ JSObject* thisObject = thisValue.toObject(exec);
+ EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
+ if (!thisObject)
+ return JSValue::encode(jsUndefined());
+
+ auto result = thisObject->structure(vm)->objectToStringValue();
+ if (result)
+ return JSValue::encode(result);
+
+ PropertyName toStringTagSymbol = vm.propertyNames->toStringTagSymbol;
+ RELEASE_AND_RETURN(scope, JSValue::encode(thisObject->getPropertySlot(exec, toStringTagSymbol, [&] (bool found, PropertySlot& toStringTagSlot) -> JSValue {
+ if (found) {
+ JSValue stringTag = toStringTagSlot.getValue(exec, toStringTagSymbol);
+ RETURN_IF_EXCEPTION(scope, { });
+ if (stringTag.isString()) {
+ JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(vm);
+ ropeBuilder.append(vm.smallStrings.objectStringStart());
+ ropeBuilder.append(asString(stringTag));
+ ropeBuilder.append(vm.smallStrings.singleCharacterString(']'));
+ if (ropeBuilder.hasOverflowed())
+ return throwOutOfMemoryError(exec, scope);
+
+ JSString* result = ropeBuilder.release();
+ thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
+ return result;
+ }
+ }
+
+ String tag = thisObject->methodTable(vm)->toStringName(thisObject, exec);
+ RETURN_IF_EXCEPTION(scope, { });
+ String newString = tryMakeString("[object ", WTFMove(tag), "]");
+ if (!newString)
+ return throwOutOfMemoryError(exec, scope);
+
+ auto result = jsNontrivialString(&vm, newString);
+ thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
+ return result;
+ })));
}
} // namespace JSC
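Review bot: The early return on `thisObject->structure(vm)->objectToStringValue()` in the restored `objectProtoFuncToString` serves a string cached on the Structure, so a correct result after `Symbol.toStringTag` changes depends on that cache being invalidated. The same rollout deletes `stress/object-tostring-changed.js` and `stress/object-tostring-changed-proto.js`, which exercise exactly that case. Those two tests do not appear to depend on the removed `ObjectToString` DFG node, so keeping them would preserve coverage of the runtime cache while the JIT fast path is out. Separately, `jsNontrivialString(&vm, newString)` copies the `String` where the removed inline helper moved it; `auto result = jsNontrivialString(&vm, WTFMove(newString));` avoids the extra ref. The lambda also keeps using the outer `scope` for `RETURN_IF_EXCEPTION` and `throwOutOfMemoryError`, although `RELEASE_AND_RETURN` has presumably released it by then; the removed helper declared its own throw scope inside the lambda, which is the easier form for exception-check validation to reason about.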
Modified: trunk/Source/_javascript_Core/runtime/ObjectPrototype.h (240326 => 240327)
--- trunk/Source/_javascript_Core/runtime/ObjectPrototype.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/runtime/ObjectPrototype.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -45,4 +45,6 @@
ObjectPrototype(VM&, Structure*);
};
+JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectProtoFuncToString(ExecState*);
+
} // namespace JSC
Deleted: trunk/Source/_javascript_Core/runtime/ObjectPrototypeInlines.h (240326 => 240327)
--- trunk/Source/_javascript_Core/runtime/ObjectPrototypeInlines.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/runtime/ObjectPrototypeInlines.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 1999-2000 Harri Porten ([email protected])
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- */
-
-#pragma once
-
-#include "JSCInlines.h"
-#include "JSObject.h"
-#include "JSString.h"
-#include "ObjectPrototype.h"
-#include "PropertySlot.h"
-#include "StructureInlines.h"
-#include "StructureRareDataInlines.h"
-
-namespace JSC {
-
-inline Structure* structureForPrimitiveValue(JSGlobalObject* globalObject, JSValue value)
-{
- if (value.isCell()) {
- if (value.isString())
- return globalObject->stringObjectStructure();
- if (value.isBigInt())
- return globalObject->bigIntObjectStructure();
- ASSERT(value.isSymbol());
- return globalObject->symbolObjectStructure();
- }
-
- if (value.isNumber())
- return globalObject->numberObjectStructure();
- if (value.isBoolean())
- return globalObject->booleanObjectStructure();
-
- ASSERT(value.isUndefinedOrNull());
- return nullptr;
-}
-
-ALWAYS_INLINE JSString* objectToString(ExecState* exec, JSValue thisValue)
-{
- VM& vm = exec->vm();
- auto scope = DECLARE_THROW_SCOPE(vm);
-
- JSObject* thisObject = nullptr;
- if (thisValue.isObject()) {
- thisObject = jsCast<JSObject*>(thisValue);
- if (auto* result = thisObject->structure(vm)->objectToStringValue())
- return result;
- } else {
- if (thisValue.isUndefinedOrNull())
- return thisValue.isUndefined() ? vm.smallStrings.undefinedObjectString() : vm.smallStrings.nullObjectString();
-
- auto* structure = structureForPrimitiveValue(exec->lexicalGlobalObject(), thisValue);
- ASSERT(structure);
- if (auto* result = structure->objectToStringValue())
- return result;
- thisObject = thisValue.toObject(exec);
- EXCEPTION_ASSERT(!!scope.exception() == !thisObject);
- if (!thisObject)
- return nullptr;
- }
-
- RELEASE_AND_RETURN(scope, thisObject->getPropertySlot(exec, vm.propertyNames->toStringTagSymbol, [&] (bool found, PropertySlot& toStringTagSlot) -> JSString* {
- auto scope = DECLARE_THROW_SCOPE(vm);
- if (found) {
- JSValue stringTag = toStringTagSlot.getValue(exec, vm.propertyNames->toStringTagSymbol);
- RETURN_IF_EXCEPTION(scope, { });
- if (stringTag.isString()) {
- JSRopeString::RopeBuilder<RecordOverflow> ropeBuilder(vm);
- ropeBuilder.append(vm.smallStrings.objectStringStart());
- ropeBuilder.append(asString(stringTag));
- ropeBuilder.append(vm.smallStrings.singleCharacterString(']'));
- if (ropeBuilder.hasOverflowed()) {
- throwOutOfMemoryError(exec, scope);
- return nullptr;
- }
-
- JSString* result = ropeBuilder.release();
- thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
- return result;
- }
- }
-
- String tag = thisObject->methodTable(vm)->toStringName(thisObject, exec);
- RETURN_IF_EXCEPTION(scope, { });
- String newString = tryMakeString("[object ", WTFMove(tag), "]");
- if (!newString) {
- throwOutOfMemoryError(exec, scope);
- return nullptr;
- }
-
- auto result = jsNontrivialString(&vm, WTFMove(newString));
- thisObject->structure(vm)->setObjectToStringValue(exec, vm, result, toStringTagSlot);
- return result;
- }));
-}
-
-} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/StructureRareData.h (240326 => 240327)
--- trunk/Source/_javascript_Core/runtime/StructureRareData.h 2019-01-23 05:42:06 UTC (rev 240326)
+++ trunk/Source/_javascript_Core/runtime/StructureRareData.h 2019-01-23 05:55:08 UTC (rev 240327)
@@ -81,11 +81,6 @@
void setSharedPolyProtoWatchpoint(Box<InlineWatchpointSet>&& sharedPolyProtoWatchpoint) { m_polyProtoWatchpoint = WTFMove(sharedPolyProtoWatchpoint); }
bool hasSharedPolyProtoWatchpoint() const { return static_cast<bool>(m_polyProtoWatchpoint); }
- static ptrdiff_t offsetOfObjectToStringValue()
- {
- return OBJECT_OFFSETOF(StructureRareData, m_objectToStringValue);
- }
-
static JSImmutableButterfly* cachedOwnKeysSentinel() { return bitwise_cast<JSImmutableButterfly*>(static_cast<uintptr_t>(1)); }
static ptrdiff_t offsetOfCachedOwnKeys()