haikuwebkit/LayoutTests/js/dfg-check-structure-elimina...


DFG should not elide CheckStructure if it's needed to perform a cell check
https://bugs.webkit.org/show_bug.cgi?id=106074

Source/JavaScriptCore:

Reviewed by Ryosuke Niwa.

The problem here was that the constant folding phase was misinterpreting the meaning of the sets in DFG::AbstractValue. AbstractValue describes a constraint on the values that a variable (i.e. a DFG Node, or a virtual register, i.e. local or argument) may have. It does so by containing four sets: the set of JSValues (either empty, the singleton set containing one JSValue, or the set of all JSValues); the set of "current known" structures, i.e. the set of structures that you already know that this value may have right now (also either empty, the singleton set, or the set of all structures); the set of "future possible" structures, i.e. the set of structures that this value could have in the future if none of the structure transition watchpoints for those structures had fired (also empty, singleton, or all); and the set of types, which is a SpeculatedType bitmask.

The correct way to interpret the sets is to think of the AbstractValue as the intersection of these three sets of values:

- The set of JSValues that have a type that belongs to the m_type set.
- If m_value is not the empty value then: the set of all JSValues that are == m_value; else: the set of all JSValues. where '==' is as defined by JSValue::operator==.
- Union of { the set of all cells that have a structure that belongs to m_currentKnownStructure } and { the set of all JSValues that are not cells }.

You can then further intersect this set with the following set, if you guard the code with watchpoints on all structures in the m_futurePossibleStructure:

- Union of { the set of all cells that have a structure that belongs to m_futurePossibleStructure } and { the set of all JSValues that are not cells }.

One way to think of this is that m_currentKnownStructure is filtered by m_futurePossibleStructure (i.e. is set to the intersection of m_currentKnownStructure and m_futurePossibleStructure), if the code for which you're doing this is always preceded by watchpoints on all structures in m_futurePossibleStructure, and is always before any side-effects that could change the structures of objects.

The incorrect optimization related to CheckStructure. CheckStructure checks that the value is a cell, and that it has a particular structure. It was incorrectly assuming that you could eliminate the CheckStructure, if m_currentKnownStructure contained the structure that CheckStructure was checking. But this is not the case, since m_currentKnownStructure does not prove that the value is a cell with a particular structure; it only proves that if the value was a cell then it would have a particular structure. Hence, to eliminate CheckStructure, it is also necessary to check that AbstractValue::m_type contains only cells (i.e. isCellSpeculation(m_type) == true).

It wasn't doing that, and this change makes sure that it does do that.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

LayoutTests:

Reviewed by Ryosuke Niwa.

* fast/js/dfg-check-structure-elimination-for-non-cell-expected.txt: Added.
* fast/js/dfg-check-structure-elimination-for-non-cell.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-check-structure-elimination-for-non-cell.js: Added.
(foo):
(bar):
(baz):

Canonical link: https://commits.webkit.org/124335@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@138862 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2013-01-04 23:40:44 +00:00
Tests that we do the right things when we prove that we can eliminate a structure check, but haven't proved that the value is definitely an object - i.e. we've proved that it's either an object with a specific structure, or it's not an object at all.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
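
A toy model of the AbstractValue interpretation described in the commit message for bug 106074, added here as an example and not JavaScriptCore code: it enumerates the concrete values an abstract value admits and reports those for which an elided CheckStructure would have failed. The type bits, field names and helper names are assumptions chosen to mirror the message.

```javascript
// Added model, not JavaScriptCore code. Type bits, field names and helper
// names are assumptions chosen to mirror the commit message.
const SpecCell = 1, SpecOther = 2, SpecInt32 = 4; // toy SpeculatedType bits
const ALL = Symbol("all structures");

// Concrete values: a cell carries a structure; anything else is a non-cell.
const cell = (structure) => ({ isCell: true, type: SpecCell, structure });
const nonCell = (type) => ({ isCell: false, type });

// Concretization: does the abstract value admit this concrete value?
// Non-cells satisfy the structure constraint vacuously, as the message says.
function admits(av, v) {
  if ((av.type & v.type) === 0) return false;
  if (!v.isCell) return true;
  return av.currentKnownStructure === ALL || av.currentKnownStructure.has(v.structure);
}

// Runtime meaning of CheckStructure: the value is a cell AND has structure s.
const checkStructurePasses = (v, s) => v.isCell && v.structure === s;

// The structure set is exactly the singleton { s }.
const provesStructure = (av, s) =>
  av.currentKnownStructure !== ALL &&
  av.currentKnownStructure.size === 1 &&
  av.currentKnownStructure.has(s);

// Rule before the fix: the structure set alone justifies removing the check.
const canElideBuggy = (av, s) => provesStructure(av, s);

// Rule after the fix: the type set must also contain only cells.
const canElideFixed = (av, s) =>
  (av.type & SpecCell) !== 0 && (av.type & ~SpecCell) === 0 && provesStructure(av, s);

// Soundness probe: admitted values for which the removed check would have failed.
function counterexamples(rule, av, s, universe) {
  if (!rule(av, s)) return [];
  return universe.filter((v) => admits(av, v) && !checkStructurePasses(v, s));
}

// Constructed sample data: two structures, and an abstract value that is
// "a cell with structure S1, or not a cell at all (null/undefined)".
const S1 = "S1", S2 = "S2";
const universe = [cell(S1), cell(S2), nonCell(SpecOther), nonCell(SpecInt32)];
const cellOrOther = { type: SpecCell | SpecOther, currentKnownStructure: new Set([S1]) };
const cellOnly = { type: SpecCell, currentKnownStructure: new Set([S1]) };

console.log("buggy rule lets through:", counterexamples(canElideBuggy, cellOrOther, S1, universe));
console.log("fixed rule lets through:", counterexamples(canElideFixed, cellOrOther, S1, universe));
```

The non-cell that slips past the pre-fix rule corresponds to the case the expected output records with `TypeError: null is not an object`: with the check kept, the access on a non-object is caught instead of being compiled as a raw structure-dependent load.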
Fixed ASSERTION FAILED: callFrame == vm->topCallFrame in JSC::Interpreter::addStackTraceIfNecessary
https://bugs.webkit.org/show_bug.cgi?id=118498

Patch by Chris Curtis <chris_curtis@apple.com> on 2013-07-18
Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

* jit/JITStubs.cpp:
(throwExceptionFromOpCall):
Created new throwExceptionFromOpCall that takes in a functor that contains a function pointer (to create the errorObject) instead of a JSValue. Inside of throwExceptionFromOpCall the topCallFrame is being rolled back in order to handle the error throw. By passing the function pointer in, we can defer the creation of the error object until after topCallFrame has been rolled back. This allows the error object to be created with the appropriate top frame.

DEFINE_STUB_FUNCTION(void*, stack_check):
DEFINE_STUB_FUNCTION(void*, op_call_arityCheck):
DEFINE_STUB_FUNCTION(void*, op_construct_arityCheck):
DEFINE_STUB_FUNCTION(EncodedJSValue, op_call_NotJSFunction):
DEFINE_STUB_FUNCTION(EncodedJSValue, op_construct_NotJSConstruct):

(JSC::ErrorFunctor::~ErrorFunctor):
(JSC::ErrorWithExecFunctor::ErrorWithExecFunctor):
(JSC::ErrorWithExecFunctor::operator()):
(JSC::ErrorWithExecAndCalleeFunctor::ErrorWithExecAndCalleeFunctor):
(JSC::ErrorWithExecAndCalleeFunctor::operator()):
(JSC::ErrorWithExceptionFunctor::ErrorWithExceptionFunctor):
(JSC::ErrorWithExceptionFunctor::operator()):
(JSC::throwExceptionFromOpCall):
In order to eliminate the need to duplicate code, an error functor was created for the 3 different throwExceptionFromOpCall handles.
1. The exception needs to be created, and the function pointer takes 1 parameter (callFrame->callerFrame()).
2. The exception needs to be created, and the function pointer takes 2 parameters (callFrame->callerFrame(), callFrame.calleeAsValue()).
3. The exception is already created. In this case, at the time when the error functor is called, vm.exception is returned.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ExceptionHelpers.cpp:
(JSC::errorDescriptionForValue):
(JSC::createError):
(JSC::createInvalidParameterError):
(JSC::createNotAConstructorError):
(JSC::createNotAFunctionError):
(JSC::createNotAnObjectError):
* runtime/ExceptionHelpers.h:
The function toString() was being used to stringify an object for an exception message. If the user wrote a toString() for that object, then the system would continue to evaluate that code. A new helper function was created to prevent the system from continuing execution and exception creation from that execution.

LayoutTests:

New Tests to see if JSC evaluates user code after exception creation
* fast/js/not-a-constructor-to-string-expected.txt: Added.
* fast/js/not-a-constructor-to-string.html: Added.
* fast/js/not-a-function-to-string-expected.txt: Added.
* fast/js/not-a-function-to-string.html: Added.

Modified test output of the object that was being evaluated at the time of the error. Only the error message has changed.
* fast/dom/MutationObserver/mutation-record-constructor-expected.txt: * fast/dom/NodeList/nodelist-item-call-as-function-expected.txt: * fast/dom/Range/getClientRects-expected.txt: * fast/dom/SelectorAPI/dumpNodeList-almost-strict-expected.txt: * fast/dom/SelectorAPI/dumpNodeList-expected.txt: * fast/dom/call-a-constructor-as-a-function-expected.txt: * fast/dom/setPrimitiveValue-exceptions-expected.txt: * fast/events/window-onerror-exception-in-attr-expected.txt: * fast/forms/select-namedItem-expected.txt: * fast/js/arguments-expected.txt: * fast/js/array-prototype-properties-expected.txt: * fast/js/basic-strict-mode-expected.txt: * fast/js/date-toisostring-expected.txt: * fast/js/delete-getters-setters-expected.txt: * fast/js/dfg-check-structure-elimination-for-non-cell-expected.txt: * fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt: * fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt: * fast/js/dfg-inline-arguments-use-from-all-the-places-broken-expected.txt: * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt: * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt: * fast/js/exception-expression-offset-expected.txt: * fast/js/exception-for-nonobject-expected.txt: * fast/js/exception-thrown-from-new-expected.txt: * fast/js/function-bind-expected.txt: * fast/js/instance-of-immediates-expected.txt: * fast/js/object-prototype-properties-expected.txt: * fast/regex/cross-frame-callable-expected.txt: * fast/xsl/transform-xhr-doc-expected.txt: * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt: * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt: * http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt: * http/tests/security/document-all-expected.txt: * 
http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt: * http/tests/security/window-named-proto-expected.txt: * inspector/console/console-exception-stack-traces-expected.txt: * platform/efl/css3/selectors3/xhtml/css3-modsel-15c-expected.txt: * platform/efl/css3/selectors3/xml/css3-modsel-15c-expected.txt: * platform/efl/fast/events/updateLayoutForHitTest-expected.txt: * platform/efl/tables/mozilla_expected_failures/bugs/bug92868_1-expected.txt: * platform/gtk/css3/selectors3/xhtml/css3-modsel-15c-expected.txt: * platform/gtk/css3/selectors3/xml/css3-modsel-15c-expected.txt: * platform/gtk/fast/events/updateLayoutForHitTest-expected.txt: * platform/gtk/svg/custom/createelement-expected.txt: * platform/gtk/tables/mozilla_expected_failures/bugs/bug92868_1-expected.txt: * platform/mac-wk2/editing/spelling/markers-expected.txt: * platform/mac-wk2/plugins/npruntime/object-from-destroyed-plugin-expected.txt: Added. * platform/mac-wk2/plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt: Added. 
* platform/mac/css3/selectors3/xhtml/css3-modsel-15c-expected.txt: * platform/mac/css3/selectors3/xml/css3-modsel-15c-expected.txt: * platform/mac/fast/events/updateLayoutForHitTest-expected.txt: * platform/mac/tables/mozilla_expected_failures/bugs/bug92868_1-expected.txt: * platform/qt/css3/selectors3/xhtml/css3-modsel-15c-expected.txt: * platform/qt/css3/selectors3/xml/css3-modsel-15c-expected.txt: * platform/qt/svg/custom/createelement-expected.txt: * platform/qt/tables/mozilla_expected_failures/bugs/bug92868_1-expected.txt: * platform/win/fast/dom/call-a-constructor-as-a-function-expected.txt: * plugins/npruntime/object-from-destroyed-plugin-expected.txt: * plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt: * plugins/npruntime/plugin-scriptable-object-invoke-default-expected.txt: * sputnik/Conformance/08_Types/8.6_The_Object_Type/8.6.2_Internal_Properties_and_Methods/S8.6.2_A7-expected.txt: * sputnik/Conformance/13_Function_Definition/S13_A17_T2-expected.txt: * sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/S15.1_A1_T1-expected.txt: * sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/S15.1_A1_T2-expected.txt: * sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/S15.1_A2_T1-expected.txt: * sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.2_Object.prototype.toString/S15.2.4.2_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.3_Object.prototype.toLocaleString/S15.2.4.3_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.4_Object.prototype.valueOf/S15.2.4.4_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.5_Object.prototype.hasOwnProperty/S15.2.4.5_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.6_Object.prototype.isPrototypeOf/S15.2.4.6_A7-expected.txt: * 
sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.7_Object.prototype.propertyIsEnumerable/S15.2.4.7_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/S15.2.4_A3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/S15.2.4_A4-expected.txt: * sputnik/Conformance/15_Native_Objects/15.3_Function/15.3.4/15.3.4.2_Function.prototype.toString/S15.3.4.2_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.3_Function/15.3.4/S15.3.4_A5-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.17_String.prototype.toLocaleLowerCase/S15.5.4.17_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A7-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A7-expected.txt: * svg/custom/createelement-expected.txt: * svg/custom/use-nested-missing-target-removed-expected.txt: * svg/dom/svgpath-out-of-bounds-getPathSeg-expected.txt: Canonical link: https://commits.webkit.org/136732@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@152871 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2013-07-18 23:24:13 +00:00
Caught exception: TypeError: null is not an object (evaluating 'o.g')
REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
https://bugs.webkit.org/show_bug.cgi?id=120781

Reviewed by Mark Hahnenberg.

Roll this back in with a build fix.

- Use some method table hacks to detect if the CheckStructure optimization is valid for to_this.
- Introduce a FinalObjectUse and use it for ToThis->Identity conversion.

This looks like it might be perf-neutral on the major benchmarks, but it introduces some horrible performance cliffs. For example if you add methods to the Array prototype, you'll get horrible performance cliffs. As in virtual calls to C++ every time you call a JS function even if it's inlined. LongSpider/3d-cube appears to hit this.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGRepatch.cpp:
(JSC::DFG::emitPutTransitionStub):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateFinalObject):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):

Canonical link: https://commits.webkit.org/138810@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@155201 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2013-09-06 19:01:21 +00:00
Passed some tests silently.
TEST COMPLETE