https://bugs.webkit.org/show_bug.cgi?id=227830
Reviewed by Ross Kirsling.
JSTests:
* stress/intl-locale-info.js: Added.
(shouldBe):
(throw.new.Error):
(let.enGB.new.Intl.Locale.shouldBe):
(let.l.new.Intl.Locale.shouldBe):
* test262/config.yaml:
Source/JavaScriptCore:
This patch implements Intl.Locale's extension (Intl Locale Info proposal)[1], which is already stage 3.
Intl.Locale#{calendars,collations,hourCycles,numberingSystems,timeZones} can return an array of preferred
configurations for the given locale. And Intl.Locale#textInfo can return the text layout direction and Intl.Locale#weekInfo
can return weekday information (e.g. when the weekend starts).
[1]: https://github.com/tc39/proposal-intl-locale-info
* runtime/IntlLocale.cpp:
(JSC::createArrayFromStringVector):
(JSC::IntlLocale::calendars):
(JSC::IntlLocale::collations):
(JSC::IntlLocale::hourCycles):
(JSC::IntlLocale::numberingSystems):
(JSC::IntlLocale::timeZones):
(JSC::IntlLocale::textInfo):
(JSC::IntlLocale::weekInfo):
* runtime/IntlLocale.h:
* runtime/IntlLocalePrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
Canonical link: https://commits.webkit.org/240789@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281374 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=229087
Reviewed by Filip Pizlo.
JSTests:
* stress/for-in-own-structure-and-generic-with-late-add-indexed.js: Added.
(test):
(Foo):
Source/JavaScriptCore:
Right now, this operation incorrectly assumes that EnumeratorNextUpdateIndexAndMode will guarantee
the mode matches the seen mode set. But no speculation is guaranteed and adding such a guarantee
would require adding checkpoints, which is likely not worth it. Instead, this patch just makes
sure we always handle the allocation for IndexedMode.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/240510@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=227944
Reviewed by Alexey Shvayka.
JSTests:
* test262/expectations.yaml:
Source/JavaScriptCore:
There are non-Latin1 white-spaces and line-terminators, but Lexer::scanRegExp's code did not assume that.
As a result, if there is a non-Latin1 white-space or line-terminator after a RegExp, we raise a SyntaxError
while this is valid. This patch fixes that.
* parser/Lexer.cpp:
(JSC::Lexer<T>::scanRegExp):
Canonical link: https://commits.webkit.org/240388@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280825 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=227989
Reviewed by Yusuke Suzuki.
JSTests:
* microbenchmarks/for-in-double-array-with-own-named.js: Added.
(test):
* microbenchmarks/for-in-double-array.js: Added.
(test):
* microbenchmarks/for-in-getters.js: Added.
(test):
* microbenchmarks/for-in-int32-array-with-own-named.js: Added.
(test):
* microbenchmarks/for-in-int32-array.js: Added.
(test):
* microbenchmarks/for-in-int32-object-with-own-named-and-getters.js: Added.
(test):
* microbenchmarks/for-in-int32-object-with-own-named.js: Added.
(test):
* microbenchmarks/for-in-object-with-own-named.js: Added.
(sum):
(opaqueSet):
* microbenchmarks/for-in-string-array.js: Added.
(test):
* microbenchmarks/for-of-iterate-array-map-set.js: Added.
(sum):
(let.generator):
* stress/for-in-array-mode.js:
(test):
* stress/for-in-base-reassigned-later.js:
* stress/for-in-delete-during-iteration.js:
* stress/for-in-primitive-index-on-prototype.js: Added.
(test):
* stress/for-in-tests.js:
* stress/has-own-property-structure-for-in-loop-correctness.js:
(test5):
Source/JavaScriptCore:
This patch redesigns how we implement for-in loops. Before this patch we would emit three copies of the for-in loop body. One for the indexed properties, one for the named-own properties, and one for generic properties (anything else). This had a couple of problems. Firstly, it meant bytecode size grew exponentially with the number of nested for-in loops. This in turn meant DFG/FTL compilation took much longer.
Going off our experience with fast for-of, this patch turns for-in loops specializations into
a "fused" opcode that internally switches on the enumeration mode it currently sees. For example, if we are enumerating an own-named property, the new enumerator_get_by_val bytecode will check the enumerator cell's cached structure matches the base's then load the property offset directly.
There are four new opcodes this patch adds, which replace the various operations we had for the specialized loops previously. The new opcodes are EnumeratorGetByVal, EnumeratorInByVal, EnumeratorHasOwnProperty, and EnumeratorNext. The first three correspond to GetByVal, InByVal, and HasOwnProperty respectively. The EnumeratorNext opcode has three results in bytecode, the next enumeration value's mode, the index of the property name, and the property name string itself. When enumeration is done EnumeratorNext returns JS null as the property name string. Since the DFG doesn't support tuples yet this opcode is spilt into four new nodes. The first computes the updated index and mode for the next enumeration key, which is encoded into a single JS number. Then there are two nodes that extract the mode and index. Finally, the last new node produces the property name string or null based on the extracted mode and index.
Since, in most benchmarks, any given enumeration opcode tends to profile exactly one enumeration mode, this patch focuses primarily on reimplementing all the optimizations we have for any one specific mode. This means there are still potential optimizations for the multi-mode flavors of each new opcode.
The main optimizations implemented for each new opcode are:
EnumeratorNext:
1) IndexedMode loops are loaded and checked for presence inline (DFG/FTL).
2) NamedMode is computed inline as long as the cached structure on the enumerator cell matches the base (Baseline+). This can only differ if there's a transition.
3) property names are extracted from the cached buffer inline (Baseline+).
EnumeratorGetByVal:
EnumeratorInByVal:
EnumeratorHasOwnProperty:
1) IndexedMode has all the optimizations of a normal XByVal on indexed properties (DFG/FTL).
2) NamedMode will extract the value directly from the inline/out-of-line offset if the structure matches the enumerator's (Baseline+).
There are also a few interesting changes worth mentioning here:
1) If a for-in loop would produce an empty enumerator we now always return the VM's empty enumerator. This has two benefits. Most importantly, it distinguishes between an unprofiled for-in loop and empty enumeration, which prevents OSR exit loops. Also, it means that the various Enumerator opcodes no longer need to handle undefined/null when `toObject`ing the base value.
2) The enumerator now contains a bit set of all the modes it will produce. This removes a few extra branches when speculating on the modes we will see in EnumeratorNext.
3) In the DFG, enumerator GetByVal relies on compileGetByVal to set the result; it also passes a prefix callback which emits code after the various cases set up their operands but before code is emitted, to help satisfy the branch-over-register-allocation validation. Also, the array mode branch in compileGetByVal passes the data format that it would prefer, which for normal GetByVal is returned. For EnumeratorGetByVal, that preference is completely ignored and it always returns DataFormatJS.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::or8):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::or8):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::rshift64):
(JSC::MacroAssemblerX86_64::or8): Deleted.
* builtins/BuiltinNames.h:
* bytecode/BytecodeList.rb:
* bytecode/BytecodeUseDef.cpp:
(JSC::computeUsesForBytecodeIndexImpl):
(JSC::computeDefsForBytecodeIndexImpl):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/LinkTimeConstant.h:
* bytecode/Opcode.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::recordHasOwnPropertyInForInLoop):
(JSC::BytecodeGenerator::emitInByVal):
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::emitEnumeratorNext):
(JSC::BytecodeGenerator::emitEnumeratorHasOwnProperty):
(JSC::BytecodeGenerator::pushForInScope):
(JSC::BytecodeGenerator::popForInScope):
(JSC::rewriteOp):
(JSC::ForInContext::finalize):
(JSC::BytecodeGenerator::findForInContext):
(JSC::BytecodeGenerator::recordHasOwnStructurePropertyInForInLoop): Deleted.
(JSC::BytecodeGenerator::emitGetEnumerableLength): Deleted.
(JSC::BytecodeGenerator::emitHasEnumerableIndexedProperty): Deleted.
(JSC::BytecodeGenerator::emitHasEnumerableStructureProperty): Deleted.
(JSC::BytecodeGenerator::emitHasEnumerableProperty): Deleted.
(JSC::BytecodeGenerator::emitHasOwnStructureProperty): Deleted.
(JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName): Deleted.
(JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName): Deleted.
(JSC::BytecodeGenerator::emitToIndexString): Deleted.
(JSC::BytecodeGenerator::pushIndexedForInScope): Deleted.
(JSC::BytecodeGenerator::popIndexedForInScope): Deleted.
(JSC::BytecodeGenerator::pushStructureForInScope): Deleted.
(JSC::BytecodeGenerator::popStructureForInScope): Deleted.
(JSC::StructureForInContext::finalize): Deleted.
(JSC::IndexedForInContext::finalize): Deleted.
(JSC::BytecodeGenerator::findStructureForInContext): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::isValid const):
(JSC::ForInContext::invalidate):
(JSC::ForInContext::local const):
(JSC::ForInContext::propertyName const):
(JSC::ForInContext::propertyOffset const):
(JSC::ForInContext::enumerator const):
(JSC::ForInContext::mode const):
(JSC::ForInContext::ForInContext):
(JSC::ForInContext::bodyBytecodeStartOffset const):
(JSC::ForInContext::type const): Deleted.
(JSC::ForInContext::isIndexedForInContext const): Deleted.
(JSC::ForInContext::isStructureForInContext const): Deleted.
(JSC::ForInContext::asIndexedForInContext): Deleted.
(JSC::ForInContext::asStructureForInContext): Deleted.
(JSC::StructureForInContext::StructureForInContext): Deleted.
(JSC::StructureForInContext::index const): Deleted.
(JSC::StructureForInContext::property const): Deleted.
(JSC::StructureForInContext::enumerator const): Deleted.
(JSC::StructureForInContext::baseVariable const): Deleted.
(JSC::StructureForInContext::addGetInst): Deleted.
(JSC::StructureForInContext::addInInst): Deleted.
(JSC::StructureForInContext::addHasOwnPropertyJump): Deleted.
(JSC::IndexedForInContext::IndexedForInContext): Deleted.
(JSC::IndexedForInContext::index const): Deleted.
(JSC::IndexedForInContext::addGetInst): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::HasOwnPropertyFunctionCallDotNode::emitBytecode):
(JSC::ForInNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::isSaneChain const):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::injectOSR):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::setJSArraySaneChainIfPossible):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasStorageChild const):
(JSC::DFG::Node::storageChildIndex):
(JSC::DFG::Node::hasArrayMode):
(JSC::DFG::Node::hasEnumeratorMetadata const):
(JSC::DFG::Node::enumeratorMetadata):
* dfg/DFGNodeType.h:
* dfg/DFGOpInfo.h:
(JSC::DFG::OpInfo::OpInfo):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdateIndexAndMode):
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextExtractIndex):
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextExtractMode):
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName):
(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal):
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
(JSC::DFG::SpeculativeJIT::compileEnumeratorInByVal):
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasOwnProperty):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
(JSC::DFG::SpeculativeJIT::compileGetEnumerableLength): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasEnumerableProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileToIndexString): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasEnumerableStructureProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasOwnStructurePropertyImpl): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasOwnStructureProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileInStructureProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetEnumeratorPname): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetDirectPname): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::allocate):
(JSC::DFG::JSValueOperand::regs):
(JSC::DFG::JSValueOperand::gpr):
(JSC::DFG::StorageOperand::StorageOperand):
(JSC::DFG::StorageOperand::~StorageOperand):
(JSC::DFG::StorageOperand::emplace):
(JSC::DFG::JSValueRegsTemporary::operator bool):
(JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByValImpl):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAtImpl):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* ftl/FTLOutput.h:
(JSC::FTL::Output::phi):
* generator/DSL.rb:
* interpreter/Register.h:
* interpreter/RegisterInlines.h:
(JSC::Register::operator=):
* jit/AssemblyHelpers.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_structure_propertyImpl): Deleted.
(JSC::JIT::emit_op_has_enumerable_structure_property): Deleted.
(JSC::JIT::emit_op_has_own_structure_property): Deleted.
(JSC::JIT::emit_op_in_structure_property): Deleted.
(JSC::JIT::emit_op_has_enumerable_indexed_property): Deleted.
(JSC::JIT::emitSlow_op_has_enumerable_indexed_property): Deleted.
(JSC::JIT::emit_op_get_direct_pname): Deleted.
(JSC::JIT::emit_op_enumerator_structure_pname): Deleted.
(JSC::JIT::emit_op_enumerator_generic_pname): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_structure_propertyImpl): Deleted.
(JSC::JIT::emit_op_has_enumerable_structure_property): Deleted.
(JSC::JIT::emit_op_has_own_structure_property): Deleted.
(JSC::JIT::emit_op_in_structure_property): Deleted.
(JSC::JIT::emit_op_has_enumerable_indexed_property): Deleted.
(JSC::JIT::emitSlow_op_has_enumerable_indexed_property): Deleted.
(JSC::JIT::emit_op_get_direct_pname): Deleted.
(JSC::JIT::emit_op_enumerator_structure_pname): Deleted.
(JSC::JIT::emit_op_enumerator_generic_pname): Deleted.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::generateGetByValSlowCase):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_enumerator_next):
(JSC::JIT::emit_op_enumerator_get_by_val):
(JSC::JIT::emitSlow_op_enumerator_get_by_val):
(JSC::JIT::emit_enumerator_has_propertyImpl):
(JSC::JIT::emit_op_enumerator_in_by_val):
(JSC::JIT::emit_op_enumerator_has_own_property):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_enumerator_next):
(JSC::JIT::emit_op_enumerator_get_by_val):
(JSC::JIT::emitSlow_op_enumerator_get_by_val):
(JSC::JIT::emit_op_enumerator_in_by_val):
(JSC::JIT::emit_op_enumerator_has_own_property):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* runtime/CommonSlowPaths.h:
* runtime/FileBasedFuzzerAgent.cpp:
(JSC::FileBasedFuzzerAgent::getPredictionInternal):
* runtime/FileBasedFuzzerAgentBase.cpp:
(JSC::FileBasedFuzzerAgentBase::opcodeAliasForLookupKey):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
(JSC::JSPropertyNameEnumerator::computeNext):
* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):
* runtime/PredictionFileCreatingFuzzerAgent.cpp:
(JSC::PredictionFileCreatingFuzzerAgent::getPredictionInternal):
Canonical link: https://commits.webkit.org/240345@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280760 268f45cc-cd09-0410-ab3c-d52691b4dbfc
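As an added example (not JavaScriptCore's code), the following is a simplified JavaScript model of the fused EnumeratorNext described in the changelog above: every key the enumerator yields is tagged with the mode it came from (indexed, own-named, generic), the enumerator carries a bit set of the modes it will produce, a null/undefined base gives the empty enumerator, and a null property name signals the end. The Mode bit values, the `makeEnumerator`/`enumeratorNext` names and the use of ordinary reflection in place of JSC's structure cache are this example's own assumptions.

```javascript
// Teaching model of JSC's fused for-in enumerator (added example, not
// JSPropertyNameEnumerator). Keys are produced in the spec's for-in order:
// own integer indices ascending, own string keys in insertion order, then the
// prototype chain, skipping shadowed and non-enumerable names.

// Assumed bit values for the enumerator's mode set.
const Mode = { Indexed: 1, OwnStructure: 2, Generic: 4 };

// True for canonical array-index strings ("0", "2"), false for "x" or "-0".
function isArrayIndex(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n < 4294967295 && String(n) === key;
}

// Build the enumerator for `base`: the ordered (mode, name) entries plus the
// bit set of modes it will produce. A null/undefined base yields the empty
// enumerator, mirroring "always return the VM's empty enumerator".
function makeEnumerator(base) {
  if (base === null || base === undefined) return { entries: [], modeSet: 0 };
  const object = Object(base);
  const entries = [];
  const seen = new Set();
  let modeSet = 0;
  const visit = (obj, isOwn) => {
    for (const key of Object.keys(obj)) { // enumerable string keys in spec order
      if (seen.has(key)) continue;        // shadowed by an object earlier in the chain
      seen.add(key);
      const mode = !isOwn ? Mode.Generic
                 : isArrayIndex(key) ? Mode.Indexed : Mode.OwnStructure;
      modeSet |= mode;
      entries.push({ mode, name: key });
    }
    // Non-enumerable own keys still shadow enumerable ones further up the chain.
    for (const key of Object.getOwnPropertyNames(obj)) seen.add(key);
  };
  visit(object, true);
  for (let proto = Object.getPrototypeOf(object); proto; proto = Object.getPrototypeOf(proto))
    visit(proto, false);
  return { entries, modeSet };
}

// One step of EnumeratorNext: returns the next mode, the updated index and the
// property name; name === null means enumeration is done.
function enumeratorNext(enumerator, index) {
  if (index >= enumerator.entries.length) return { mode: 0, index, name: null };
  const { mode, name } = enumerator.entries[index];
  return { mode, index: index + 1, name };
}

// Drive a for-in loop with the model and collect what the body would see:
// the mode bit set and the [mode, key] pairs in enumeration order.
function forInWithModes(base) {
  const enumerator = makeEnumerator(base);
  const keys = [];
  for (let step = enumeratorNext(enumerator, 0); step.name !== null;
       step = enumeratorNext(enumerator, step.index))
    keys.push([step.mode, step.name]);
  return { modeSet: enumerator.modeSet, keys };
}

// Constructed sample: own indexed keys, one own named key that shadows the
// prototype's "x", and one inherited key.
const sample = Object.assign(Object.create({ inherited: 1, x: 0 }), { x: 1, 2: 'b', 0: 'a' });
console.log(JSON.stringify(forInWithModes(sample)));
```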
https://bugs.webkit.org/show_bug.cgi?id=228839
Patch by Mikhail R. Gadelha <mikhail@igalia.com> on 2021-08-05
Reviewed by Yusuke Suzuki.
JSTests:
* stress/check-array-empty-32.js: Added.
(a.b.catch.print.c):
(a.b):
(a.e):
(a):
Source/JavaScriptCore:
Since empty values don't pass the cell check on 32-bit archs, we need to
guard the SpecEmpty check so that it only happens on 64-bit archs.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
Canonical link: https://commits.webkit.org/240307@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280716 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=228613
Reviewed by Saam Barati.
JSTests:
* stress/regexp-bm-search-character-non-fixed-size.js: Added.
(shouldBe):
* stress/regexp-bm-search-many-candidate-zero-length.js: Added.
(shouldBe):
(regexp.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.0.1.2.3.4.5.6.7.8.9.t.v.n.r):
* stress/regexp-bm-search-non-fixed-size.js: Added.
(shouldBe):
Source/JavaScriptCore:
This patch adds character-class support for BoyerMoore lookahead search in Yarr.
Currently, we only support fixed-sized character-classes. We can extend it for repeat cases in the future.
To apply this character-class thing to jQuery's RegExp, we also allow non-fixed-sized disjunctions.
For example, /aaaa.*|bbbb/'s disjunction is not fixed-sized. But we can still use the (aaaa|bbbb) prefix since
this part is fixed-sized and we know the minimum size of this disjunction is 4.
Plus, instead of giving up BoyerMoore search when we find non-supported terms, we shorten the BoyerMoore search
length so as not to include this term, so that we still have a chance to leverage BoyerMoore search. In the case
of /aaaa|bbbb|ccc(d|e|f)/, we previously gave up since it found `(d|e|f)`. But now, instead, we shorten the length
from 4 to 3, and construct the search pattern with `aaa|bbb|ccc`.
This patch improves jquery-todomvc-regexp by 20%.
ToT Patched
jquery-todomvc-regexp 545.3561+-0.6968 ^ 451.6117+-0.4613 ^ definitely 1.2076x faster
This improves Speedometer2/jQuery-TodoMVC by 2%.
----------------------------------------------------------------------------------------------------------------------------------
| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |
----------------------------------------------------------------------------------------------------------------------------------
| Elm-TodoMVC |123.470833 |123.550000 |1.000641 | 0.841600 |
| VueJS-TodoMVC |26.883333 |26.950000 |1.002480 | 0.846732 |
| EmberJS-TodoMVC |127.708333 |127.754167 |1.000359 | 0.934206 |
| BackboneJS-TodoMVC |50.545833 |50.445833 |0.998022 | 0.679610 |
| Preact-TodoMVC |20.879167 |20.791667 |0.995809 | 0.796541 |
| AngularJS-TodoMVC |137.479167 |137.275000 |0.998515 | 0.729817 |
| Vanilla-ES2015-TodoMVC |69.079167 |68.912500 |0.997587 | 0.524325 |
| Inferno-TodoMVC |65.604167 |66.120833 |1.007876 | 0.145549 |
| Flight-TodoMVC |77.029167 |76.708333 |0.995835 | 0.518562 |
| Angular2-TypeScript-TodoMVC |40.516667 |40.812500 |1.007302 | 0.513386 |
| VanillaJS-TodoMVC |54.762500 |54.895833 |1.002435 | 0.647381 |
| jQuery-TodoMVC |255.950000 |250.425000 |0.978414 | 0.000000 (significant) |
| EmberJS-Debug-TodoMVC |341.745833 |342.804167 |1.003097 | 0.219937 |
| React-TodoMVC |88.854167 |88.700000 |0.998265 | 0.568405 |
| React-Redux-TodoMVC |151.266667 |150.804167 |0.996942 | 0.256403 |
| Vanilla-ES2015-Babel-Webpack-TodoMVC |65.783333 |65.645833 |0.997910 | 0.437464 |
----------------------------------------------------------------------------------------------------------------------------------
a mean = 246.52898
b mean = 246.85128
pValue = 0.3927330278
(Bigger means are better.)
1.001 times better
Results ARE NOT significant
* yarr/YarrJIT.cpp:
(JSC::Yarr::BoyerMooreInfo::shortenLength):
(JSC::Yarr::BoyerMooreInfo::setAll):
(JSC::Yarr::BoyerMooreInfo::addCharacters):
(JSC::Yarr::BoyerMooreInfo::addRanges):
* yarr/YarrJIT.h:
(JSC::Yarr::BoyerMooreBitmap::add):
(JSC::Yarr::BoyerMooreBitmap::addCharacters):
(JSC::Yarr::BoyerMooreBitmap::addRanges):
(JSC::Yarr::BoyerMooreBitmap::setAll):
(JSC::Yarr::BoyerMooreBitmap::isAllSet const):
Canonical link: https://commits.webkit.org/240194@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280570 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=228595
Reviewed by Yusuke Suzuki.
JSTests:
Just a straightforward test that counts to 1M in a loop, to exercise both OSR entry and a loop with an argument at the same time.
100k iterations was not enough to reliably complete an OSR entry.
* wasm/stress/osr-entry-with-loop-arguments.js: Added.
(async test):
Source/JavaScriptCore:
This patch has two parts:
- improve the Wasm OSR code to fully support loop arguments (just some plumbing to make sure that the right values are propagated)
- improve the B3 validator to fix a hole I noticed while writing the first part: we were not detecting code that introduces Upsilons in the wrong blocks.
Naturally, this caused hard-to-debug issues, as B3 has no well-defined semantics for a Phi that is reached before the corresponding Upsilon(s).
* b3/B3Validate.cpp:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
(JSC::Wasm::AirIRGenerator::addLoop):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
(JSC::Wasm::B3IRGenerator::addLoop):
* wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addLoop):
Canonical link: https://commits.webkit.org/240139@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280507 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=227963
Reviewed by Alexey Shvayka.
JSTests:
* stress/reflect-set-custom-value.js:
Source/JavaScriptCore:
Follow up after r280463: as it turns out, putInlineFastReplacingStaticPropertyIfNeeded also needs to handle
custom values, similar to how definePropertyOnReceiverSlow was updated. This function will be called when the
target property of the receiver is a custom value and isn't reified. The previous test case was expanded to
test both the reified and non-reified cases.
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
* tools/JSDollarVM.cpp:
Canonical link: https://commits.webkit.org/240137@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280505 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=227963
<rdar://80259710>
Reviewed by Alexey Shvayka.
JSTests:
* stress/reflect-set-custom-value.js: Added.
Source/JavaScriptCore:
definePropertyOnReceiver has a fast path if the slot is not opaque and the receiver doesn't
have a custom defineOwnProperty implementation, in which case it calls putInlineFast (and
transitively putDirectInternal<PutModePut>). The issue is that putDirectInternal does not
handle customValues correctly: it just overwrites the property without changing the attributes.
To fix that, we should first check if the property might be a custom value, and if that's the case
we now call `definePropertyOnReceiverSlow`, which has been updated to handle custom values correctly.
I also added assertions to putInlineFastReplacingStaticPropertyIfNeeded and putDirectInternal
to make sure we don't accidentally overwrite custom values in the future.
* runtime/JSObject.cpp:
(JSC::definePropertyOnReceiverSlow):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
Canonical link: https://commits.webkit.org/240098@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280463 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=228301
Reviewed by Saam Barati.
JSTests:
* microbenchmarks/jquery-todomvc-regexp.js:
* stress/regexp--bm-search-long-character.js: Added.
(shouldBe):
* stress/regexp--bm-search-long-map.js: Added.
(shouldBe):
* stress/regexp-bitvector-reuse.js: Added.
(shouldBe):
* stress/regexp-non-ascii-bm-search-character.js: Added.
(shouldBe):
* stress/regexp-non-ascii-bm-search-map.js: Added.
(shouldBe):
Source/JavaScriptCore:
This patch emits a skipping fast-path at the beginning of body alternatives with a large stride, so we can quickly discard unrelated characters
and attempt to find a possibly related sequence in the long input sequence. The method is derived from V8's implementation (with some extensions).
If we have a search pattern /abcdef/, then we can check the 6th character against the set {a, b, c, d, e, f}.
If it does not match, we can shift by 6 characters. We use this strategy since it can be extended easily to support
disjunctions, character-classes, and ignore-case. For example, in the case of /(?:abc|def)/, we can check the 3rd character
against {a, b, c, d, e, f} and shift by 3 characters if it does not match.
Then, the best way to perform the above shifting is to find the longest character sequence which does not have
many candidates. In the case of /[a-z]aaaaaaa[a-z]/, we can extract the "aaaaaaa" sequence and check the 8th character against {a}.
If it does not match, then we can shift by 7 characters (the length of "aaaaaaa"). This shifting is better than using the "[a-z]aaaaaaa[a-z]"
sequence and the {a-z} set since the {a-z} set will almost always match.
We first collect the possible characters for each character position. Then, we apply heuristics to extract a good character sequence from
that and construct a fast search with a long stride.
A microbenchmark which performs the RegExp ops in Speedometer2/jQuery-TodoMVC shows a 25% improvement.
ToT Patched
jquery-todomvc-regexp 723.9739+-1.3997 ^ 579.1698+-1.2505 ^ definitely 1.2500x faster
This improves Speedometer2/jQuery-TodoMVC by 3%.
----------------------------------------------------------------------------------------------------------------------------------
| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |
----------------------------------------------------------------------------------------------------------------------------------
| Elm-TodoMVC |123.365625 |123.456250 |1.000735 | 0.804077 |
| VueJS-TodoMVC |26.912500 |26.925000 |1.000464 | 0.969603 |
| EmberJS-TodoMVC |127.540625 |127.562500 |1.000172 | 0.960474 |
| BackboneJS-TodoMVC |50.606250 |50.518750 |0.998271 | 0.670313 |
| Preact-TodoMVC |21.018750 |20.850000 |0.991971 | 0.563818 |
| AngularJS-TodoMVC |136.943750 |137.271875 |1.002396 | 0.531513 |
| Vanilla-ES2015-TodoMVC |68.521875 |68.593750 |1.001049 | 0.701376 |
| Inferno-TodoMVC |65.559375 |65.803125 |1.003718 | 0.414418 |
| Flight-TodoMVC |77.284375 |76.715625 |0.992641 | 0.219870 |
| Angular2-TypeScript-TodoMVC |40.725000 |40.318750 |0.990025 | 0.281212 |
| VanillaJS-TodoMVC |55.209375 |54.715625 |0.991057 | 0.056921 |
| jQuery-TodoMVC |266.396875 |258.471875 |0.970251 | 0.000000 (significant) |
| EmberJS-Debug-TodoMVC |341.550000 |341.856250 |1.000897 | 0.618140 |
| React-TodoMVC |88.731250 |88.871875 |1.001585 | 0.512407 |
| React-Redux-TodoMVC |150.340625 |150.065625 |0.998171 | 0.412940 |
| Vanilla-ES2015-Babel-Webpack-TodoMVC |65.390625 |65.362500 |0.999570 | 0.834760 |
----------------------------------------------------------------------------------------------------------------------------------
a mean = 245.96997
b mean = 246.86366
pValue = 0.0061448402
(Bigger means are better.)
1.004 times better
Results ARE significant
* runtime/OptionsList.h:
* yarr/YarrJIT.cpp:
(JSC::Yarr::BoyerMooreInfo::BoyerMooreInfo):
(JSC::Yarr::BoyerMooreInfo::length const):
(JSC::Yarr::BoyerMooreInfo::set):
(JSC::Yarr::BoyerMooreInfo::index const):
(JSC::Yarr::BoyerMooreInfo::setIndex):
(JSC::Yarr::BoyerMooreInfo::create):
(JSC::Yarr::BoyerMooreInfo::findBestCharacterSequence const):
(JSC::Yarr::BoyerMooreInfo::findWorthwhileCharacterSequenceForLookahead const):
(JSC::Yarr::BoyerMooreInfo::createCandidateBitmap const):
* yarr/YarrJIT.h:
(JSC::Yarr::BoyerMooreBitmap::count const):
(JSC::Yarr::BoyerMooreBitmap::map const):
(JSC::Yarr::BoyerMooreBitmap::isMaskEffective const):
(JSC::Yarr::BoyerMooreBitmap::add):
(JSC::Yarr::BoyerMooreByteVector::BoyerMooreByteVector):
(JSC::Yarr::YarrCodeBlock::set8BitCode):
(JSC::Yarr::YarrCodeBlock::set16BitCode):
(JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
(JSC::Yarr::YarrCodeBlock::clear):
(JSC::Yarr::YarrCodeBlock::findSameVector const):
Source/WTF:
* wtf/BitVector.cpp:
(WTF::BitVector::dump const):
* wtf/Bitmap.h:
(WTF::WordType>::dump const):
* wtf/UniqueRef.h:
(WTF::makeUniqueRefFromNonNullUniquePtr):
(WTF::UniqueRef::UniqueRef):
Canonical link: https://commits.webkit.org/240087@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280452 268f45cc-cd09-0410-ab3c-d52691b4dbfc
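As an added example (not Yarr's code), the following JavaScript models the BoyerMoore lookahead described in this changelog and in the r280570 entry above it: candidate characters are collected per position, the window with a long length and few candidates is chosen, and the search checks the window's last character and shifts by the window length when it cannot belong to any alternative; the r280570 "shorten length" rule is applied by stopping each alternative at its first non-fixed-size term. Patterns are given as hand-built term lists that mirror a sticky RegExp used as the verifier, and the `length * length / candidates` scoring is this example's stand-in for Yarr's own heuristic.

```javascript
// Added example: a model of Yarr's BoyerMoore lookahead, not JavaScriptCore code.
// A pattern is a list of top-level alternatives; each alternative is an array of
// fixed-size terms, where a term is a string naming the characters allowed at
// that position ("a" for a literal, "a-z" for a class). `null` marks the first
// term the lookahead cannot describe (a nested group, a repeat such as `.*`),
// so the usable fixed-size prefix of that alternative ends there.

// Expand "a-z" or "d" into a Set of characters (constructed helper).
function charSet(spec) {
  const set = new Set();
  for (let i = 0; i < spec.length; i++) {
    if (spec[i + 1] === '-' && i + 2 < spec.length) {
      for (let c = spec.charCodeAt(i); c <= spec.charCodeAt(i + 2); c++)
        set.add(String.fromCharCode(c));
      i += 2;
    } else set.add(spec[i]);
  }
  return set;
}

// Usable lookahead length: the minimum over alternatives of the number of
// leading fixed-size terms. /aaaa|bbbb|ccc(d|e|f)/ shortens from 4 to 3.
function lookaheadLength(alternatives) {
  let length = Infinity;
  for (const alt of alternatives) {
    const unsupported = alt.indexOf(null);
    length = Math.min(length, unsupported === -1 ? alt.length : unsupported);
  }
  return length === Infinity ? 0 : length;
}

// Candidate set per position: union of what every alternative allows there.
function candidatesPerPosition(alternatives, length) {
  const positions = [];
  for (let i = 0; i < length; i++) {
    const union = new Set();
    for (const alt of alternatives) for (const ch of charSet(alt[i])) union.add(ch);
    positions.push(union);
  }
  return positions;
}

// Choose the window [begin, end) that is long but has few candidates, so that
// /[a-z]aaaaaaa[a-z]/ picks "aaaaaaa" (positions 1..7) instead of the whole
// pattern. Scoring (length^2 / candidates) is this example's assumption.
function findBestCharacterSequence(positions) {
  let best = { begin: 0, end: 0, score: 0, set: new Set() };
  for (let begin = 0; begin < positions.length; begin++) {
    const union = new Set();
    for (let end = begin + 1; end <= positions.length; end++) {
      for (const ch of positions[end - 1]) union.add(ch);
      if (union.size === 0) continue;
      const score = (end - begin) * (end - begin) / union.size;
      if (score > best.score) best = { begin, end, score, set: new Set(union) };
    }
  }
  return best;
}

// Search `text` using the lookahead, verifying candidates with `sticky`, a
// RegExp carrying the y flag. Returns the first match index (or -1) and how
// many positions needed verification, which shows what the stride skipped.
function boyerMooreSearch(alternatives, sticky, text) {
  const length = lookaheadLength(alternatives);
  const { begin, end, set } = findBestCharacterSequence(candidatesPerPosition(alternatives, length));
  const stride = end - begin;
  let verifications = 0;
  for (let i = 0; i + length <= text.length; ) {
    // If the character at the window's last position cannot appear anywhere in
    // the window, no match can start in [i, i + stride): skip the whole stride.
    if (stride > 0 && !set.has(text[i + end - 1])) { i += stride; continue; }
    verifications++;
    sticky.lastIndex = i;
    if (sticky.test(text)) return { index: i, verifications };
    i++;
  }
  return { index: -1, verifications };
}

// Constructed patterns from the changelog, paired with their sticky verifiers.
const shortened = { alts: [['a', 'a', 'a', 'a'], ['b', 'b', 'b', 'b'], ['c', 'c', 'c', null]],
                    regexp: /aaaa|bbbb|ccc(d|e|f)/y };
const classed = { alts: [['a-z', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a-z']],
                  regexp: /[a-z]aaaaaaa[a-z]/y };
console.log(boyerMooreSearch(shortened.alts, shortened.regexp, 'xxxxxxxxxxxxcccf'));
console.log(boyerMooreSearch(classed.alts, classed.regexp, 'z'.repeat(16) + 'baaaaaaab'));
```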
https://bugs.webkit.org/show_bug.cgi?id=158116
Reviewed by Yusuke Suzuki.
JSTests:
* ChakraCore/test/strict/19.function.baseline:
* ChakraCore/test/strict/22.callerCalleeArguments.baseline-jsc:
* microbenchmarks/function-prototype-get.js: Added.
* microbenchmarks/reflect-own-keys-function.js: Added.
* stress/for-in-shadow-non-enumerable.js:
* stress/function-hidden-as-caller.js:
* stress/has-own-property-arguments.js:
* stress/object-assign-fast-path.js:
* stress/put-to-proto-chain-overrides-put.js:
* stress/reflect-set.js:
* test262/config.yaml: Skip 3 test cases that are now incorrect.
* test262/expectations.yaml: Mark 2 test cases as passing.
Source/JavaScriptCore:
To ensure web-compatibility, only the safe subset of Function.prototype.{caller,arguments}
reflection proposal [1] is implemented, which is currently shipped in SpiderMonkey.
Complete list of differences from the proposed spec:
1. Cross-realm receiver function is allowed instead of throwing a TypeError.
Throwing is likely safe to ship, but #225997 needs to be fixed first for
custom properties to receive correct global object.
2. Cross-realm caller function is returned instead of `null`.
Hiding cross-realm caller may break things: we currently have a test for
the opposite behavior.
3. Defines "caller" and "arguments" setters that throw for disallowed receivers,
instead of failing silently in sloppy mode.
This is actually more restrictive than the spec, which is preferable,
and aligns with V8 and SM.
Most importantly, this patch removes own "caller" and "arguments" properties from
sloppy mode ES5 functions. They were non-configurable, making it harder to use
their holder as a [[ProxyTarget]]. They were also non-writable, with a constantly
changing [[Value]], which violated the invariants of internal methods [2].
As a result, JSFunction methods are greatly simplified, especially defineOwnProperty()
and getOwnSpecialPropertyNames(). The latter is now 2.1x faster according to the
provided microbenchmark. Also, removes double "prototype" lookup from [[Get]],
which is a 10% progression.
[1]: https://github.com/claudepache/es-legacy-function-reflection
[2]: https://tc39.es/ecma262/#sec-invariants-of-the-essential-internal-methods
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::getOwnPropertySlot):
(JSC::ClonedArguments::materializeSpecials):
* runtime/FunctionExecutable.h:
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::isAllowedReceiverFunctionForCallerAndArguments):
(JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor):
(JSC::RetrieveArgumentsFunctor::result const):
(JSC::RetrieveArgumentsFunctor::operator() const):
(JSC::retrieveArguments):
(JSC::JSC_DEFINE_CUSTOM_GETTER):
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
(JSC::RetrieveCallerFunctionFunctor::result const):
(JSC::RetrieveCallerFunctionFunctor::operator() const):
(JSC::retrieveCallerFunction):
(JSC::JSC_DEFINE_CUSTOM_SETTER):
(JSC::FunctionPrototype::initRestrictedProperties): Deleted.
* runtime/FunctionPrototype.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::getOwnSpecialPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):
(JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor): Deleted.
(JSC::RetrieveArgumentsFunctor::result const): Deleted.
(JSC::RetrieveArgumentsFunctor::operator() const): Deleted.
(JSC::retrieveArguments): Deleted.
(JSC::JSC_DEFINE_CUSTOM_GETTER): Deleted.
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): Deleted.
(JSC::RetrieveCallerFunctionFunctor::result const): Deleted.
(JSC::RetrieveCallerFunctionFunctor::operator() const): Deleted.
(JSC::retrieveCallerFunction): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
* runtime/JSGlobalObject.h:
Remove unused m_throwTypeErrorGetterSetter and make [[ThrowTypeError]] lazily-created.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectCustomGetterSetterWithoutTransition):
* runtime/JSObject.h:
LayoutTests:
* inspector/model/remote-object-get-properties-expected.txt:
* inspector/runtime/getDisplayableProperties-expected.txt:
* inspector/runtime/getProperties-expected.txt:
* js/Object-getOwnPropertyNames-expected.txt:
* js/basic-strict-mode-expected.txt:
* js/kde/function_arguments-expected.txt:
* js/kde/script-tests/function_arguments.js:
* js/non-strict-function-properties-expected.txt:
* js/script-tests/Object-getOwnPropertyNames.js:
* js/script-tests/basic-strict-mode.js:
* js/script-tests/non-strict-function-properties.js:
* js/script-tests/throw-type-error-is-unique.js:
Canonical link: https://commits.webkit.org/239947@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280289 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=225997
Reviewed by Yusuke Suzuki.
JSTests:
* stress/custom-get-set-proto-chain-put.js:
* stress/getter-setter-globalobject-in-ic-2.js: Added.
LayoutTests/imported/w3c:
* web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value-cross-realm-expected.txt: Added.
* web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value-cross-realm.html: Added.
* web-platform-tests/WebIDL/ecmascript-binding/invalid-this-value-cross-realm-expected.txt: Added.
* web-platform-tests/WebIDL/ecmascript-binding/invalid-this-value-cross-realm.html: Added.
* web-platform-tests/WebIDL/ecmascript-binding/support/create-realm.js: Added.
* web-platform-tests/WebIDL/ecmascript-binding/support/dummy-iframe.html: Added.
* web-platform-tests/html/browsers/origin/cross-origin-objects/window-location-and-location-href-cross-realm-set-expected.txt: Added.
* web-platform-tests/html/browsers/origin/cross-origin-objects/window-location-and-location-href-cross-realm-set.html: Added.
* web-platform-tests/html/webappapis/scripting/events/compile-event-handler-settings-objects-expected.txt:
* web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-job-queue/promise-job-incumbent-expected.txt:
* web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt:
* web-platform-tests/webrtc-encoded-transform/sframe-transform-readable.html:
All these are confirmed progressions.
* web-platform-tests/performance-timeline/supportedEntryTypes-cross-realm-access-expected.txt: Added.
* web-platform-tests/performance-timeline/supportedEntryTypes-cross-realm-access.html: Added.
Source/JavaScriptCore:
Just like JS built-ins, getter / setter functions of WebIDL attributes are created in the realm
of their holder interface [1][2], which is their _current_ realm for throwing an error [3].
With this patch, custom properties get the correct global object instead of the lexical one,
including when inline-cached, aligning them with functions and regular accessors.
The latter allowed switching JS built-ins to CustomAccessor (e.g. Symbol#description),
which is slightly more efficient to call from C++, doesn't need reification on first access,
and has a nicer signature.
Also, renames WASM accessors to drop "func" and removes unused function length parameter.
[1]: https://heycam.github.io/webidl/#dfn-attribute-getter (step 2)
[2]: https://heycam.github.io/webidl/#dfn-attribute-setter (step 5)
[3]: https://heycam.github.io/webidl/#ecmascript-throw
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* create_hash_table:
* interpreter/CallFrame.cpp:
(JSC::CallFrame::globalObjectOfClosestCodeBlock):
* interpreter/CallFrame.h:
* runtime/IntlCollatorPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/IntlLocalePrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/JSDataViewPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::customGetter const):
* runtime/PropertySlot.h:
(JSC::PropertySlot::getValue const):
* runtime/SymbolPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* tools/JSDollarVM.cpp:
* wasm/js/WebAssemblyInstancePrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
(JSC::JSC_DEFINE_HOST_FUNCTION): Deleted.
* wasm/js/WebAssemblyMemoryPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
Source/WebCore:
This patch fixes cross-realm yet same-origin WebIDL attributes to throw errors in the realm of
their accessor, while ensuring that `window.location` and `location.href` setters don't leak
cross-origin Object.prototype via thrown error.
Since Location setters relied on the lexical global object to pass outgoing `document.referrer`,
they were updated to use IncumbentWindow as per spec [1]. callerGlobalObject() was reworked
to skip native / built-in callers and rely on VMEntryScope to accommodate top-level <script>
code navigating via Location setter, making the helper more versatile.
globalObjectOfClosestCodeBlock() fixed JSCustomSetterFunction instances and Location's
assign() / replace() methods to pass correct referrer.
Also, this change fixes static attributes like `PerformanceObserver.supportedEntryTypes`
to return wrappers of their realm instead of the lexical one.
[1] https://html.spec.whatwg.org/multipage/history.html#location-object-navigate (step 2)
Tests: imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value-cross-realm.html
imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/invalid-this-value-cross-realm.html
imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/window-location-and-location-href-cross-realm-set.html
imported/w3c/web-platform-tests/performance-timeline/supportedEntryTypes-cross-realm-access.html
* bindings/js/JSDOMGlobalObject.cpp:
(WebCore::callerGlobalObject): Deleted.
* bindings/js/JSDOMGlobalObject.h:
* bindings/js/JSDOMWindowBase.cpp:
(WebCore::incumbentDOMWindow):
* bindings/js/JSDOMWindowBase.h:
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::put):
* bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::put):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateNamedGetterLambda):
(GenerateCallWithUsingReferences):
(GenerateCallWith):
Ensure IncumbentWindow comes before FirstWindow.
* bindings/scripts/test/JS/JSTestObj.cpp:
* bindings/scripts/test/TestObj.idl:
Remove attributes that relied on CallFrame since custom getters don't have it.
* page/Location.idl:
Remove [LegacyUnforgeable] from ancestorOrigins because it's set on the interface.
LayoutTests:
* fast/dom/HTMLObjectElement/object-as-frame-expected.txt:
* fast/dom/HTMLObjectElement/object-as-frame.html:
* fast/dom/HTMLObjectElement/resources: Added.
* fast/dom/HTMLObjectElement/resources/dummy-frame-1.html: Added.
* fast/dom/HTMLObjectElement/resources/dummy-frame-2.html: Added.
* fast/events/attribute-listener-cloned-from-frameless-doc-context-2.html:
* fast/events/attribute-listener-extracted-from-frameless-doc-context-2.html:
These tests used to pass as is, probably, due to a combination of the old (incorrect) behavior and
some implementation details of run-webkit-tests. They fail on MiniBrowser / Chrome / Firefox
unless modified not to use the data:// protocol, which is not the system under test.
* fast/frames/sandboxed-iframe-navigation-parent-expected.txt:
* fast/frames/sandboxed-iframe-navigation-parent.html:
* http/tests/security/frameNavigation/context-for-location-assign-expected.txt:
Revert the changes made in r174996. Location::assign() now uses correct (incumbent) Window
to set outgoing referrer and perform security checks, aligning WebKit with Chrome / Firefox.
* http/tests/security/frameNavigation/context-for-location-href-gopd-expected.txt: Added.
* http/tests/security/frameNavigation/context-for-location-href-gopd.html: Added.
Canonical link: https://commits.webkit.org/239923@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280256 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=228075
rdar://80762879
Reviewed by Frédéric Wang.
JSTests:
* stress/symbol-hasinstance-error.js: Added.
(shouldThrow):
(let.a):
Source/JavaScriptCore:
invalidParameterInstanceofSourceAppender can be invoked without an `instanceof` expression since we can call
the `[Symbol.hasInstance]` function directly, but the implementation did not assume that. This patch fixes
it to handle this direct call.
* runtime/ExceptionHelpers.cpp:
(JSC::invalidParameterInstanceofSourceAppender):
Canonical link: https://commits.webkit.org/239814@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280097 268f45cc-cd09-0410-ab3c-d52691b4dbfc
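The two code paths the commit message distinguishes (the `instanceof` operator versus a direct call of Function.prototype[Symbol.hasInstance]) are easiest to see with the spec's abstract operations written out and compared against the engine. The following is an added example, not WebKit code or a WebKit test; the class Even and the case list are constructed inputs, and step 2 of OrdinaryHasInstance (bound functions) is left out because script cannot read [[BoundTargetFunction]].

```javascript
// Added example (not WebKit code): InstanceofOperator and OrdinaryHasInstance per
// https://tc39.es/ecma262/#sec-instanceofoperator and #sec-ordinaryhasinstance,
// checked against the native operator. Note the asymmetry: `x instanceof 42` is a
// TypeError, but calling @@hasInstance directly with a non-callable `this` returns false.
function isObject(v) { return v !== null && (typeof v === 'object' || typeof v === 'function'); }

function ordinaryHasInstance(C, O) {
  if (typeof C !== 'function') return false;             // step 1: not callable -> false, no throw
  // step 2 (bound functions) needs [[BoundTargetFunction]]; not reachable from script, skipped.
  if (!isObject(O)) return false;                        // step 3: primitives are never instances
  const P = C.prototype;                                 // step 4
  if (!isObject(P)) throw new TypeError('prototype is not an object');
  for (let o = Object.getPrototypeOf(O); o !== null; o = Object.getPrototypeOf(o)) {
    if (o === P) return true;                            // walk the prototype chain
  }
  return false;
}

function instanceofOperator(V, target) {
  if (!isObject(target)) throw new TypeError('Right-hand side of instanceof is not an object');
  const handler = target[Symbol.hasInstance];            // GetMethod(target, @@hasInstance)
  if (handler !== undefined && handler !== null) {
    if (typeof handler !== 'function') throw new TypeError('@@hasInstance is not callable');
    return Boolean(Reflect.apply(handler, target, [V]));
  }
  if (typeof target !== 'function') throw new TypeError('Right-hand side of instanceof is not callable');
  return ordinaryHasInstance(target, V);
}

// Run a thunk and report either its value or the kind of error it threw.
function probe(thunk) {
  try { return { ok: true, value: thunk() }; }
  catch (e) { return { ok: false, error: e instanceof TypeError ? 'TypeError' : e.name }; }
}
function sameOutcome(a, b) {
  return a.ok === b.ok && (a.ok ? a.value === b.value : a.error === b.error);
}

// Constructed: a class whose static @@hasInstance overrides the prototype walk.
class Even { static [Symbol.hasInstance](x) { return typeof x === 'number' && x % 2 === 0; } }

// Constructed cases as [value, rightHandSide]; bound functions omitted (see step 2).
function cases() {
  return [
    [[], Array], [{}, Array], [4, Even], [3, Even],
    [{}, 42],                          // non-object RHS: TypeError on both paths
    [{}, {}],                          // object RHS, no @@hasInstance, not callable: TypeError
    [Object.create(null), Object],     // null-prototype object: false
  ];
}

function compareAll() {
  return cases().map(([v, rhs]) => ({
    native: probe(() => v instanceof rhs),
    reimpl: probe(() => instanceofOperator(v, rhs)),
  }));
}

// The direct-call path: Function.prototype[@@hasInstance] is OrdinaryHasInstance(this, V),
// so a non-callable `this` yields false rather than the operator's TypeError.
function directCallWithNonCallableThis() {
  const hasInstance = Function.prototype[Symbol.hasInstance];
  return {
    native: probe(() => hasInstance.call(42, {})),
    reimpl: probe(() => ordinaryHasInstance(42, {})),
  };
}
```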
https://bugs.webkit.org/show_bug.cgi?id=228088
rdar://80794604
Reviewed by Mark Lam.
JSTests:
* stress/in-by-variant-should-mark-cacheable-identifier.js: Added.
(foo):
(let.handler.has):
Source/JavaScriptCore:
After r278445, InByVariant holds CacheableIdentifier. And this can have
String/Symbol cells if this variant is generated by in_by_val. In that
case, we must visit this cell as GetByStatus / GetByVariant are doing.
* bytecode/InByStatus.cpp:
(JSC::InByStatus::visitAggregateImpl):
* bytecode/InByStatus.h:
* bytecode/InByVariant.cpp:
(JSC::InByVariant::visitAggregateImpl):
* bytecode/InByVariant.h:
* bytecode/RecordedStatuses.cpp:
(JSC::RecordedStatuses::visitAggregateImpl):
Canonical link: https://commits.webkit.org/239785@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280050 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=228040
Reviewed by Saam Barati.
In this new test case, the only thing we care about is that the regexp appears in the sampling profiler regardless of whether the other functions are inlined / tail-called or not.
We change the sampling-profiler/samplingProfiler.js runTest to add a mode which searches for a specific signature in the call tree.
* stress/sampling-profiler-regexp.js:
(platformSupportsSamplingProfiler):
* stress/sampling-profiler/samplingProfiler.js:
(doesTreeHaveStackTrace):
(runTest):
Canonical link: https://commits.webkit.org/239753@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280011 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=227988
<rdar://problem/80627901>
Reviewed by Mark Lam.
JSTests:
* stress/thunks-hash-map-should-grab-lock.js: Added.
Source/JavaScriptCore:
Both FTL::Thunks::keyForSlowPathCallThunk and FTL::Thunks::getSlowPathCallThunk
touch the thunks hash map. In r278030, when I added the lock, I grabbed it
in getSlowPathCallThunk, but forgot to also grab it in keyForSlowPathCallThunk.
* ftl/FTLThunks.h:
(JSC::FTL::Thunks::keyForSlowPathCallThunk):
Canonical link: https://commits.webkit.org/239750@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280008 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=228031
rdar://80686425
Reviewed by Mark Lam.
JSTests:
* stress/regexp-dump-concurrently.js: Added.
(let.code):
Source/JavaScriptCore:
RegExp::dumpToStream's escapedPattern can return m_pattern. In that case, it is ref'd in the concurrent thread.
This is wrong since StringImpl must not be ref'd concurrently. This patch just reverts this function to the old behavior.
* runtime/RegExp.cpp:
(JSC::RegExp::dumpToStream):
Canonical link: https://commits.webkit.org/239740@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279997 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=227996
JSTests:
Reviewed by Mark Lam.
* complex.yaml:
* complex/intl-timezone-check.js: Added.
(shouldBe):
Source/JavaScriptCore:
rdar://80540300
Reviewed by Mark Lam.
We received a report that "UTC" can appear in Intl.DateTimeFormat's default timezone.
While we cannot reproduce it, this patch attempts to avoid using the TimeZone from UCalendar
so that the code becomes the same as the old defaultTimeZone implementation.
* runtime/JSDateMath.cpp:
(JSC::DateCache::defaultTimeZone):
(JSC::DateCache::timeZoneCacheSlow):
Canonical link: https://commits.webkit.org/239705@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279962 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=228003
rdar://78314543
Reviewed by Yusuke Suzuki.
JSTests:
* stress/waitUntilAllPlansForVMAreReady-should-be-notified-of-cancelled-plans-too.js: Added.
Source/JavaScriptCore:
Previously, it only got notified when plans are done compiling. As a result, if
JITWorklist::waitUntilAllPlansForVMAreReady() found non-ready plans and started
waiting, and those plans were canceled, then JITWorklist::waitUntilAllPlansForVMAreReady()
could hang indefinitely.
This patch renames JITWorklist::m_planCompiled to m_planCompiledOrCancelled,
and notifies it also when plans are cancelled.
* jit/JITWorklist.cpp:
(JSC::JITWorklist::waitUntilAllPlansForVMAreReady):
(JSC::JITWorklist::removeMatchingPlansForVM):
* jit/JITWorklist.h:
* jit/JITWorklistThread.cpp:
(JSC::JITWorklistThread::work):
Canonical link: https://commits.webkit.org/239704@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=227769
rdar://80264271
Reviewed by Saam Barati.
JSTests:
* stress/object-assign-undefined.js: Added.
(test):
Source/JavaScriptCore:
Object.assign can accept undefined or null as the second (or later) parameter.
If one is passed, that parameter is just ignored. The previous DFG / FTL optimization patch
did not handle this case.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileObjectAssign):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileObjectAssign):
* runtime/ObjectConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/ObjectConstructorInlines.h:
(JSC::objectAssignFast):
Canonical link: https://commits.webkit.org/239495@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279690 268f45cc-cd09-0410-ab3c-d52691b4dbfc
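The case this fix covers is easiest to pin down against the spec algorithm for Object.assign: null and undefined sources are skipped, while a null or undefined target is a TypeError. The following is an added example, not WebKit code or a WebKit test: a step-by-step reimplementation following https://tc39.es/ecma262/#sec-object.assign, run side by side with the native built-in over constructed inputs that also exercise string sources, getters, symbol keys and a frozen target.

```javascript
// Added example (not WebKit code): Object.assign written out per the spec and compared
// against the native built-in. The point at issue: undefined / null *sources* are skipped,
// but an undefined / null *target* is a TypeError.
function objectAssign(target, ...sources) {
  if (target === null || target === undefined) {
    throw new TypeError('Object.assign target must be an object');   // ToObject(target)
  }
  const to = Object(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue;            // skipped, not an error
    const from = Object(source);                                       // ToObject(source)
    for (const key of Reflect.ownKeys(from)) {                         // string keys, then symbols
      const desc = Object.getOwnPropertyDescriptor(from, key);
      if (desc === undefined || !desc.enumerable) continue;            // only own enumerable
      const value = from[key];                                         // [[Get]]: runs getters
      if (!Reflect.set(to, key, value)) {                              // Set(to, key, value, true)
        throw new TypeError(`Cannot assign to read only property '${String(key)}'`);
      }
    }
  }
  return to;
}

// Run a function and report either its value or the kind of error it threw.
function probe(fn, ...args) {
  try { return { ok: true, value: fn(...args) }; }
  catch (e) { return { ok: false, error: e instanceof TypeError ? 'TypeError' : e.name }; }
}

// Same outcome: both threw the same error kind, or both returned objects with identical
// own keys (including symbols, in order) and identical values.
function sameOutcome(a, b) {
  if (a.ok !== b.ok) return false;
  if (!a.ok) return a.error === b.error;
  const ka = Reflect.ownKeys(a.value), kb = Reflect.ownKeys(b.value);
  return ka.length === kb.length && ka.every((k, i) => k === kb[i] && a.value[k] === b.value[k]);
}

const sym = Symbol('s');
// Constructed inputs as [target, ...sources]; fresh objects on every call so the two
// implementations never share a mutated target.
function sampleCases() {
  return [
    [{ a: 1 }, undefined, null, { b: 2 }],            // holes in the source list are ignored
    [{}, 'ab', 7, true],                              // primitives: only the string has own props
    [{}, { get g() { return 'got'; }, [sym]: 1 }],    // getter invoked, symbol key copied
    [Object.freeze({ x: 1 }), { x: 2 }],              // read-only target: Set throws
    [null, { a: 1 }],                                 // null target: TypeError
  ];
}

function compareAll() {
  const nativeRuns = sampleCases().map(([t, ...s]) => probe(Object.assign, t, ...s));
  const reimplRuns = sampleCases().map(([t, ...s]) => probe(objectAssign, t, ...s));
  return nativeRuns.map((native, i) => ({ native, reimpl: reimplRuns[i] }));
}
```

A fast path that skips the per-source ToObject step, which is what the DFG / FTL intrinsic does, has to reproduce exactly this asymmetry: skip null and undefined sources, keep throwing for a null or undefined target.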