/
ChangeLog
20632 lines (16633 loc) · 851 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
2017-11-02 Filip Pizlo <fpizlo@apple.com>
AI does not correctly model the clobber case of ArithClz32
https://bugs.webkit.org/show_bug.cgi?id=179188
Reviewed by Michael Saboff.
The non-Int32 case clobbers the world because it may call valueOf.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2017-11-01 Michael Saboff <msaboff@apple.com>
Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
https://bugs.webkit.org/show_bug.cgi?id=179140
Reviewed by Saam Barati.
Added overflow checks to computation of arg count plus this.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2018-01-03 Michael Saboff <msaboff@apple.com>
Disable SharedArrayBuffers from Web API
https://bugs.webkit.org/show_bug.cgi?id=181266
Reviewed by Saam Barati.
Removed SharedArrayBuffer prototype and structure from GlobalObject creation
to disable.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayBufferPrototype const):
(JSC::JSGlobalObject::arrayBufferStructure const):
2017-11-27 JF Bastien <jfbastien@apple.com>
JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
https://bugs.webkit.org/show_bug.cgi?id=180051
<rdar://problem/35614371>
Reviewed by Saam Barati.
Checking for int32 isn't sufficient when uint32 is expected
afterwards. While we're here, also use Checked<>.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2017-11-03 Keith Miller <keith_miller@apple.com>
PutProperytSlot should inform the IC about the property before effects.
https://bugs.webkit.org/show_bug.cgi?id=179262
Reviewed by Mark Lam.
This patch fixes an issue where we choose to cache setters based on
incorrect information. If we did so we might end up OSR exiting
more than we would otherwise need to. The new model is that the
PutPropertySlot should inform the IC of what the property looked
like before any potential side effects might have occurred.
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/Lookup.h:
(JSC::putEntry):
2017-10-19 Mark Lam <mark.lam@apple.com>
Stringifier::appendStringifiedValue() is missing an exception check.
https://bugs.webkit.org/show_bug.cgi?id=178386
<rdar://problem/35027610>
Reviewed by Saam Barati.
* runtime/JSONObject.cpp:
(JSC::Stringifier::appendStringifiedValue):
2017-10-18 Mark Lam <mark.lam@apple.com>
The compiler should always register a structure when it adds its transitionWatchPointSet.
https://bugs.webkit.org/show_bug.cgi?id=178420
<rdar://problem/34814024>
Reviewed by Saam Barati and Filip Pizlo.
Instead of invoking addLazily() to add a structure's transitionWatchpointSet, we
now invoke Graph::registerAndWatchStructureTransition() on the structure.
registerAndWatchStructureTransition() both registers the structure and add its
transitionWatchpointSet to the plan desired watchpoints.
Graph::registerAndWatchStructureTransition() is based on Graph::registerStructure()
except registerAndWatchStructureTransition() adds the structure's
transitionWatchpointSet unconditionally.
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::registerAndWatchStructureTransition):
* dfg/DFGGraph.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
- The second set of addLazily()s is redundant. This set is executed only when
prototypeChainIsSane is true, and prototypeChainIsSane can only be true if and
only if we've executed the if statement above it. That preceding if statement
already registerAndWatchStructureTransition() the same 2 structures. Hence,
this second set can be deleted.
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::addLazily):
- Deleted an unused function.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2017-11-14 Carlos Garcia Campos <cgarcia@igalia.com>
Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
https://bugs.webkit.org/show_bug.cgi?id=173793
Reviewed by Joseph Pecoraro.
Based on patch by Brian Burg.
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bindings/ScriptValue.cpp:
(Inspector::jsToInspectorValue):
(Inspector::toInspectorValue):
(Deprecated::ScriptValue::toInspectorValue const):
* bindings/ScriptValue.h:
* inspector/AsyncStackTrace.cpp:
* inspector/ConsoleMessage.cpp:
* inspector/ContentSearchUtilities.cpp:
* inspector/DeprecatedInspectorValues.cpp: Added.
* inspector/DeprecatedInspectorValues.h: Added.
Keep the old symbols around in JavaScriptCore so that builds with the
public iOS SDK continue to work. These older SDKs include a version of
WebInspector.framework that expects to find InspectorArray and other
symbols in JavaScriptCore.framework.
* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::getFunctionDetails):
(Inspector::InjectedScript::functionDetails):
(Inspector::InjectedScript::getPreview):
(Inspector::InjectedScript::getProperties):
(Inspector::InjectedScript::getDisplayableProperties):
(Inspector::InjectedScript::getInternalProperties):
(Inspector::InjectedScript::getCollectionEntries):
(Inspector::InjectedScript::saveResult):
(Inspector::InjectedScript::wrapCallFrames const):
(Inspector::InjectedScript::wrapObject const):
(Inspector::InjectedScript::wrapTable const):
(Inspector::InjectedScript::previewValue const):
(Inspector::InjectedScript::setExceptionValue):
(Inspector::InjectedScript::clearExceptionValue):
(Inspector::InjectedScript::inspectObject):
(Inspector::InjectedScript::releaseObject):
* inspector/InjectedScriptBase.cpp:
(Inspector::InjectedScriptBase::makeCall):
(Inspector::InjectedScriptBase::makeEvalCall):
* inspector/InjectedScriptBase.h:
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::injectedScriptForObjectId):
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::BackendDispatcher::CallbackBase::sendSuccess):
(Inspector::BackendDispatcher::dispatch):
(Inspector::BackendDispatcher::sendResponse):
(Inspector::BackendDispatcher::sendPendingErrors):
(Inspector::BackendDispatcher::getPropertyValue):
(Inspector::castToInteger):
(Inspector::castToNumber):
(Inspector::BackendDispatcher::getInteger):
(Inspector::BackendDispatcher::getDouble):
(Inspector::BackendDispatcher::getString):
(Inspector::BackendDispatcher::getBoolean):
(Inspector::BackendDispatcher::getObject):
(Inspector::BackendDispatcher::getArray):
(Inspector::BackendDispatcher::getValue):
* inspector/InspectorBackendDispatcher.h:
We need to keep around the sendResponse() variant with a parameter that
has the InspectorObject type, as older WebInspector.framework versions
expect this symbol to exist. Introduce a variant with arity 3 that can
be used in TOT so as to avoid having two methods with the same name, arity, and
different parameter types.
When system WebInspector.framework is updated, we can remove the legacy
method variant that uses the InspectorObject type. At that point, we can
transition TOT to use the 2-arity variant, and delete the 3-arity variant
when system WebInspector.framework is updated once more to use the 2-arity one.
* inspector/InspectorProtocolTypes.h:
(Inspector::Protocol::Array::openAccessors):
(Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
(Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
(Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
(Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
* inspector/ScriptCallFrame.cpp:
* inspector/ScriptCallStack.cpp:
* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::inspect):
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::buildAssertPauseReason):
(Inspector::buildCSPViolationPauseReason):
(Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
(Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
(Inspector::buildObjectForBreakpointCookie):
(Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
(Inspector::parseLocation):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::continueToLocation):
(Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
(Inspector::InspectorDebuggerAgent::didParseSource):
(Inspector::InspectorDebuggerAgent::breakProgram):
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::callFunctionOn):
(Inspector::InspectorRuntimeAgent::saveResult):
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
(CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
(CppBackendDispatcherImplementationGenerator.generate_output):
(CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
(CppFrontendDispatcherHeaderGenerator.generate_output):
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
(CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(_generate_unchecked_setter_for_member):
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator):
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
(ObjCBackendDispatcherImplementationGenerator.generate_output):
(ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
* inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
(ObjCFrontendDispatcherImplementationGenerator.generate_output):
(ObjCFrontendDispatcherImplementationGenerator._generate_event):
(ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
* inspector/scripts/codegen/generate_objc_internal_header.py:
(ObjCInternalHeaderGenerator.generate_output):
* inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
(ObjCProtocolTypesImplementationGenerator.generate_output):
* inspector/scripts/codegen/generator.py:
* inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/domain-availability.json-result:
* inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/generic/expected/enum-values.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
* inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
* inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
* inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2017-11-08 Carlos Garcia Campos <cgarcia@igalia.com>
Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
https://bugs.webkit.org/show_bug.cgi?id=173619
Reviewed by Alex Christensen and Brian Burg.
Eventually all classes used for our JSON-RPC message passing should be outside
of the Inspector namespace since the protocol is used outside of Inspector code.
This will also allow us to unify the primitive JSON types with parameteric types
like Inspector::Protocol::Array<T> and other protocol-related types which don't
need to be in the Inspector namespace.
Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
patches, other clients will move to use JSON::Value and friends. When all uses are
changed, the actual implementation will be renamed. This patch just focuses on the typedef
and making changes in generated protocol code.
Original patch by Brian Burg, rebased and updated by me.
* inspector/InspectorValues.cpp:
* inspector/InspectorValues.h:
* inspector/scripts/codegen/cpp_generator.py:
(CppGenerator.cpp_protocol_type_for_type):
(CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
(CppGenerator.cpp_type_for_type_with_name):
(CppGenerator.cpp_type_for_stack_in_parameter):
* inspector/scripts/codegen/cpp_generator_templates.py:
(void):
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
(_generate_class_for_object_declaration):
(_generate_forward_declarations_for_binding_traits):
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
(CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
(CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
* inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
* inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/generic/expected/domain-availability.json-result:
* inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/generic/expected/enum-values.json-result:
* inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
* inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
* inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
* inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2017-09-06 Mark Lam <mark.lam@apple.com>
constructGenericTypedArrayViewWithArguments() is missing an exception check.
https://bugs.webkit.org/show_bug.cgi?id=176485
<rdar://problem/33898874>
Reviewed by Keith Miller.
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
2017-10-24 Guillaume Emont <guijemont@igalia.com>
[mips] fix offsets of branches that have to go over a jump
https://bugs.webkit.org/show_bug.cgi?id=153464
The jump() function creates 8 instructions, but the offsets of branches
meant to go over them only account for 6. In most cases, this is not an
issue as the last two instructions of jump() would be nops, but in the
rarer case where the jump destination is in a different 256 MB segment,
MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
the last 4 instructions would be a 2 instruction load (lui/ori) into
$t9, a "j $t9" and then a nop. The wrong offset will mean that the
previous branches meant to go over the whole jump will branch to the
"j $t9" instruction, which would jump to whatever is currently in $t9
(since lui/ori would not be executed).
Reviewed by Michael Catanzaro.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchAdd32):
(JSC::MacroAssemblerMIPS::branchMul32):
(JSC::MacroAssemblerMIPS::branchSub32):
Fix the offsets of branches meant to go over code generated by jump().
2017-10-09 Oleksandr Skachkov <gskachkov@gmail.com>
Safari 10 /11 problem with if (!await get(something)).
https://bugs.webkit.org/show_bug.cgi?id=176685
Reviewed by Saam Barati.
Using unary operator before `await` lead to count it as identifier.
According to spec https://tc39.github.io/ecma262/#sec-async-function-definitions
and Note 1 `await` is as AwaitExpression and it is allowed to use unary operator
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parsePrimaryExpression):
2017-10-06 Robin Morisset <rmorisset@apple.com>
Avoid integer overflow in DFGStrengthReduction.cpp
https://bugs.webkit.org/show_bug.cgi?id=177944
Reviewed by Saam Barati.
The check that we won't do integer overflow by negating INT32_MIN was itself an integer overflow.
I think that signed integer overflow is undefined behaviour in C, so I replace it by an explicit check that value != INT32_MIN instead.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
2017-10-05 Carlos Alberto Lopez Perez <clopez@igalia.com>
Generate a compile error if release is built without compiler optimizations
https://bugs.webkit.org/show_bug.cgi?id=177665
Reviewed by Brian Burg.
Pass -DRELEASE_WITHOUT_OPTIMIZATIONS to testair.cpp and testb3.cpp because
this files are compiled with -O0 for build speed reasons after r195639.
* JavaScriptCore.xcodeproj/project.pbxproj:
2017-09-27 Michael Saboff <msaboff@apple.com>
REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match
https://bugs.webkit.org/show_bug.cgi?id=177570
Reviewed by Filip Pizlo.
The change in r210837 neglected to change the check in Interpreter::backtrackParentheses() that
greedy parenthesis have backtracked as far as possible. Prior to r210837 when non-zero minimum greedy
parenthesis were factored into a fixed component and then a zero-based variable component. After
r210837, the variable component is not zero based and the check needs to compare the
backTrack->matchAmount with the quantity iminimum count.
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::backtrackParentheses):
2017-09-27 Mark Lam <mark.lam@apple.com>
JSArray::canFastCopy() should fail if the source and destination arrays are the same.
https://bugs.webkit.org/show_bug.cgi?id=177584
<rdar://problem/34463903>
Reviewed by Saam Barati.
If the source and destination arrays are the same, we may be copying overlapping
regions. Hence, we need to take the slow path.
* runtime/JSArrayInlines.h:
(JSC::JSArray::canFastCopy):
2017-09-20 Alberto Garcia <berto@igalia.com>
Fix HPPA and Alpha builds
https://bugs.webkit.org/show_bug.cgi?id=177224
Reviewed by Alex Christensen.
* CMakeLists.txt:
2017-08-30 Saam Barati <sbarati@apple.com>
semicolon is being interpreted as an = in the LiteralParser
https://bugs.webkit.org/show_bug.cgi?id=176114
Reviewed by Oliver Hunt.
When lexing a semicolon in the LiteralParser, we were properly
setting the TokenType on the current token, however, we were
*returning* the wrong TokenType. The lex function both returns
the TokenType and sets it on the current token. Semicolon was
setting the TokenType to semicolon, but returning the TokenType
for '='. This caused programs like `x;123` to be interpreted as
`x=123`.
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::Lexer::lex):
(JSC::LiteralParser<CharType>::Lexer::next):
2017-08-26 Yusuke Suzuki <utatane.tea@gmail.com>
Merge WeakMapData into JSWeakMap and JSWeakSet
https://bugs.webkit.org/show_bug.cgi?id=143919
Reviewed by Darin Adler.
This patch changes WeakMapData from JSCell to JSDestructibleObject,
renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
it instead of separately allocating WeakMapData. This reduces memory
consumption and allocation times.
Also this patch a bit optimizes sizeof(DeadKeyCleaner) by dropping m_target
field. Since this class is always embedded in WeakMapBase, we can calculate
WeakMapBase address from the address of DeadKeyCleaner.
This patch does not include the optimization changing WeakMapData to Set
for JSWeakSet.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::weakMapSize):
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetSize):
(Inspector::JSInjectedScriptHost::weakSetEntries):
* runtime/JSWeakMap.cpp:
(JSC::JSWeakMap::finishCreation): Deleted.
(JSC::JSWeakMap::visitChildren): Deleted.
* runtime/JSWeakMap.h:
(JSC::JSWeakMap::createStructure): Deleted.
(JSC::JSWeakMap::create): Deleted.
(JSC::JSWeakMap::weakMapData): Deleted.
(JSC::JSWeakMap::JSWeakMap): Deleted.
* runtime/JSWeakSet.cpp:
(JSC::JSWeakSet::finishCreation): Deleted.
(JSC::JSWeakSet::visitChildren): Deleted.
* runtime/JSWeakSet.h:
(JSC::JSWeakSet::createStructure): Deleted.
(JSC::JSWeakSet::create): Deleted.
(JSC::JSWeakSet::weakMapData): Deleted.
(JSC::JSWeakSet::JSWeakSet): Deleted.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
(JSC::WeakMapBase::WeakMapBase):
(JSC::WeakMapBase::destroy):
(JSC::WeakMapBase::estimatedSize):
(JSC::WeakMapBase::visitChildren):
(JSC::WeakMapBase::set):
(JSC::WeakMapBase::get):
(JSC::WeakMapBase::remove):
(JSC::WeakMapBase::contains):
(JSC::WeakMapBase::clear):
(JSC::WeakMapBase::DeadKeyCleaner::target):
(JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
(JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
* runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
(JSC::WeakMapBase::size const):
* runtime/WeakMapPrototype.cpp:
(JSC::getWeakMap):
(JSC::protoFuncWeakMapDelete):
(JSC::protoFuncWeakMapGet):
(JSC::protoFuncWeakMapHas):
(JSC::protoFuncWeakMapSet):
(JSC::getWeakMapData): Deleted.
* runtime/WeakSetPrototype.cpp:
(JSC::getWeakSet):
(JSC::protoFuncWeakSetDelete):
(JSC::protoFuncWeakSetHas):
(JSC::protoFuncWeakSetAdd):
(JSC::getWeakMapData): Deleted.
2017-08-22 Saam Barati <sbarati@apple.com>
We are using valueProfileForBytecodeOffset when there may not be a value profile
https://bugs.webkit.org/show_bug.cgi?id=175812
Reviewed by Michael Saboff.
This patch uses the type system to aid the code around CodeBlock's ValueProfile
accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
so there were callers of this that thought it could return nullptr when there
was no such ValueProfile. This was not the case, it always returned a non-null
pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
and does the right thing if there is no such ValueProfile.
This patch also changes the other ValueProfile accessors on CodeBlock to
return ValueProfile& instead of ValueProfile*. Some callers handled the null
case unnecessarily, and using the type system to specify the result can't be
null removes these useless branches.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
(JSC::CodeBlock::dumpValueProfiles):
(JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
(JSC::CodeBlock::valueProfileForBytecodeOffset):
(JSC::CodeBlock::validate):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::valueProfileForArgument):
(JSC::CodeBlock::valueProfile):
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
(JSC::CodeBlock::getFromAllValueProfiles):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
* dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::emitValueProfilingSite):
* profiler/ProfilerBytecodeSequence.cpp:
(JSC::Profiler::BytecodeSequence::BytecodeSequence):
* tools/HeapVerifier.cpp:
(JSC::HeapVerifier::validateJSCell):
2017-08-17 JF Bastien <jfbastien@apple.com>
WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
https://bugs.webkit.org/show_bug.cgi?id=175693
<rdar://problem/33952443>
Reviewed by Saam Barati.
64-bit constants in an unreachable context were being decoded as
32-bit constants. This is pretty benign because unreachable code
shouldn't occur often. The effect is that 64-bit constants which
can't be encoded as 32-bit constants would cause the binary to be
rejected.
At the same time, 32-bit integer constants should be decoded as signed.
* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
2017-08-17 Jacobo Aragunde Pérez <jaragunde@igalia.com>
[WPE][GTK] Ensure proper casting of data in gvariants
https://bugs.webkit.org/show_bug.cgi?id=175667
Reviewed by Michael Catanzaro.
g_variant_new requires data to have the correct width for their types, using
casting if necessary. Some data of type `unsigned` were being saved to `guint64`
types without explicit casting, leading to undefined behavior in some platforms.
* inspector/remote/glib/RemoteInspectorGlib.cpp:
(Inspector::RemoteInspector::listingForInspectionTarget const):
(Inspector::RemoteInspector::listingForAutomationTarget const):
(Inspector::RemoteInspector::sendMessageToRemote):
2017-08-16 Csaba Osztrogonác <ossy@webkit.org>
Fix JSCOnly ARM buildbots after r220047 and r220184
https://bugs.webkit.org/show_bug.cgi?id=174993
Reviewed by Carlos Alberto Lopez Perez.
* CMakeLists.txt: Generate only one backend on Linux to save build time.
2017-08-15 Saam Barati <sbarati@apple.com>
Make VM::scratchBufferForSize thread safe
https://bugs.webkit.org/show_bug.cgi?id=175604
Reviewed by Geoffrey Garen and Mark Lam.
I want to use the VM::scratchBufferForSize in another patch I'm writing.
The use case for my other patch is to call it from the compiler thread.
When reading the code, I saw that this API was not thread safe. This patch
makes it thread safe. It actually turns out we were calling this API from
the compiler thread already when we created FTL::State for an FTL OSR entry
compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
is now correct with this patch.
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
(JSC::VM::gatherConservativeRoots):
(JSC::VM::scratchBufferForSize):
* runtime/VM.h:
(JSC::VM::scratchBufferForSize): Deleted.
2017-08-14 Simon Fraser <simon.fraser@apple.com>
Remove Proximity Events and related code
https://bugs.webkit.org/show_bug.cgi?id=175545
Reviewed by Daniel Bates.
No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
and other related code.
* Configurations/FeatureDefines.xcconfig:
2017-08-14 Simon Fraser <simon.fraser@apple.com>
Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
https://bugs.webkit.org/show_bug.cgi?id=175504
Reviewed by Sam Weinig.
* Configurations/FeatureDefines.xcconfig:
2017-08-14 Simon Fraser <simon.fraser@apple.com>
Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
https://bugs.webkit.org/show_bug.cgi?id=175557
Reviewed by Jon Lee.
No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
* Configurations/FeatureDefines.xcconfig:
2017-08-10 Sam Weinig <sam@webkit.org>
WTF::Function does not allow for reference / non-default constructible return types
https://bugs.webkit.org/show_bug.cgi?id=175244
Reviewed by Chris Dumez.
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::transferTo):
Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
destroy call needed to be a no-op anyway, since the data is being moved.
2017-08-10 Mark Lam <mark.lam@apple.com>
Apply the UNLIKELY macro to some unlikely things.
https://bugs.webkit.org/show_bug.cgi?id=175440
<rdar://problem/33834767>
Reviewed by Yusuke Suzuki.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::jettison):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleVarargsCall):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::JITCompiler):
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::disassemble):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::finalizeCommon):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileOSRExit):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeCommon):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::compileWithoutLinking):
(JSC::JIT::link):
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::installCode):
* runtime/VM.cpp:
(JSC::VM::VM):
2017-08-09 Yusuke Suzuki <utatane.tea@gmail.com>
[WTF] ThreadSpecific should not introduce additional indirection
https://bugs.webkit.org/show_bug.cgi?id=175187
Reviewed by Mark Lam.
* runtime/Identifier.cpp:
2017-08-10 Tim Horton <timothy_horton@apple.com>
Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
https://bugs.webkit.org/show_bug.cgi?id=175436
<rdar://problem/33667497>
Reviewed by Simon Fraser.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::Interpreter):
2017-08-09 Caio Lima <ticaiolima@gmail.com>
[JSC] Create JSSet constructor that accepts it's size as parameter
https://bugs.webkit.org/show_bug.cgi?id=173297
Reviewed by Saam Barati.
This patch is adding a new constructor to JSSet that gives its
expected initial size. It is important to avoid re-hashing and mutiple
allocations when we know the final size of JSSet, such as in
CodeBlock::setConstantIdentifierSetRegisters.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantIdentifierSetRegisters):
* runtime/HashMapImpl.h:
(JSC::HashMapImpl::HashMapImpl):
* runtime/JSSet.h:
2017-08-09 Caitlin Potter <caitp@igalia.com>
Early error on ANY operator before new.target
https://bugs.webkit.org/show_bug.cgi?id=157970
Reviewed by Saam Barati.
Instead of throwing if any unary operator precedes new.target, only
throw if the unary operator updates the reference.
The following become legal in JSC:
```
!new.target
~new.target
typeof new.target
delete new.target
void new.target
```
All of which are legal in v8 and SpiderMonkey in strict and sloppy mode
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseUnaryExpression):
2017-08-09 Robin Morisset <rmorisset@apple.com>
Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
https://bugs.webkit.org/show_bug.cgi?id=175358
Reviewed by Mark Lam.
* jit/JITOperations.cpp:
* runtime/JSObjectInlines.h:
(JSC::JSObject::putInlineForJSObject):
2017-08-09 Oleksandr Skachkov <gskachkov@gmail.com>
REGRESSION: 2 test262/test/language/statements/async-function failures
https://bugs.webkit.org/show_bug.cgi?id=175334
Reviewed by Yusuke Suzuki.
Switch off useAsyncIterator by default
* runtime/Options.h:
2017-08-08 Filip Pizlo <fpizlo@apple.com>
ICs should do caging
https://bugs.webkit.org/show_bug.cgi?id=175295
Reviewed by Saam Barati.
Adds the appropriate cage() calls in our inline caches.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):
2017-08-08 Devin Rousso <drousso@apple.com>
Web Inspector: Canvas: support editing WebGL shaders
https://bugs.webkit.org/show_bug.cgi?id=124211
<rdar://problem/15448958>
Reviewed by Matt Baker.
* inspector/protocol/Canvas.json:
Add `updateShader` command that will change the given shader's source to the provided string,
recompile, and relink it to its associated program.
Drive-by: add description to `requestShaderSource` command.
2017-08-08 Robin Morisset <rmorisset@apple.com>
Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
https://bugs.webkit.org/show_bug.cgi?id=175347
Reviewed by Saam Barati.
This is done by making finishCreation explicitely check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
negligible considering how much more finishCreation does.
This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantIdentifierSetRegisters):
(JSC::CodeBlock::setConstantRegisters):
* bytecode/CodeBlock.h:
* runtime/ScriptExecutable.cpp:
(JSC::ScriptExecutable::newCodeBlockFor):
2017-08-08 Michael Catanzaro <mcatanzaro@igalia.com>
Unreviewed, fix Ubuntu LTS build
https://bugs.webkit.org/show_bug.cgi?id=174490
* inspector/remote/glib/RemoteInspectorGlib.cpp:
* inspector/remote/glib/RemoteInspectorServer.cpp:
2017-08-08 Filip Pizlo <fpizlo@apple.com>
Baseline JIT should do caging
https://bugs.webkit.org/show_bug.cgi?id=175037
Reviewed by Mark Lam.
Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
Also modifies FTL caging to be more defensive when caging is disabled.
Relanded with fixed AssemblyHelpers::cageConditionally().
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jsc.cpp:
(jscmain):
(primitiveGigacageDisabled): Deleted.
2017-08-08 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r220368.
This change caused WK1 tests to exit early with crashes.
Reverted changeset:
"Baseline JIT should do caging"
https://bugs.webkit.org/show_bug.cgi?id=175037
http://trac.webkit.org/changeset/220368
2017-08-08 Michael Catanzaro <mcatanzaro@igalia.com>
[CMake] Properly test if compiler supports compiler flags
https://bugs.webkit.org/show_bug.cgi?id=174490
Reviewed by Konstantin Tokarev.
* API/tests/PingPongStackOverflowTest.cpp:
(testPingPongStackOverflow):
* API/tests/testapi.c:
* b3/testb3.cpp:
(JSC::B3::testPatchpointLotsOfLateAnys):
2017-08-06 Yusuke Suzuki <utatane.tea@gmail.com>
[Linux] Clear WasmMemory with madvice instead of memset
https://bugs.webkit.org/show_bug.cgi?id=175150
Reviewed by Filip Pizlo.
In Linux, zeroing pages with memset populates backing store.
Instead, we should use madvise with MADV_DONTNEED. It discards
pages. And if you access these pages, on-demand-zero-pages will
be shown.
We also commit grown pages in all OSes.
* wasm/WasmMemory.cpp:
(JSC::Wasm::commitZeroPages):
(JSC::Wasm::Memory::create):
(JSC::Wasm::Memory::grow):
2017-08-07 Robin Morisset <rmorisset@apple.com>
GetOwnProperty of TypedArray indexed fields is wrongly configurable
https://bugs.webkit.org/show_bug.cgi?id=175307
Reviewed by Saam Barati.
```
let a = new Uint8Array(10);
let b = Object.getOwnPropertyDescriptor(a, 0);
assert(b.configurable === false);
```
should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
that says that typed arrays are integer indexed exotic objects.
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
2017-08-07 Filip Pizlo <fpizlo@apple.com>
Baseline JIT should do caging
https://bugs.webkit.org/show_bug.cgi?id=175037
Reviewed by Mark Lam.
Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
Also modifies FTL caging to be more defensive when caging is disabled.