2021-09-23 Philip Chimento <[email protected]>

Various tweaks in preparation for Temporal.Instant

https://bugs.webkit.org/show_bug.cgi?id=230331

Reviewed by Yusuke Suzuki.

* runtime/TemporalDuration.cpp:

(JSC::TemporalDuration::fromDurationLike): Use

temporalUnitPropertyName().

(JSC::TemporalDuration::toISO8601Duration): Improve error message to

include the invalid string.

(JSC::TemporalDuration::with const): Use temporalUnitPropertyName().

(JSC::TemporalDuration::toString): Use formatSecondsStringFraction().

* runtime/TemporalObject.cpp:

(JSC::ellipsizeAt): Add helper to ellipsize string at certain length.

(JSC::temporalUnitPropertyName): Move code from TemporalDuration into

a function which will be reused in other Temporal types.

(JSC::temporalFractionalSecondDigits): Handle NaN as per

specification, and improve error message to include the invalid

value.

(JSC::formatSecondsStringFraction): Move code from TemporalDuration

into a function which will be reused in other Temporal types.

* runtime/TemporalObject.h:

2021-09-23 Devin Rousso <[email protected]>

Web Inspector: Graphics: add instrumentation for new `CanvasRenderingContext2DSettings`

https://bugs.webkit.org/show_bug.cgi?id=225180

<rdar://problem/77587429>

Reviewed by BJ Burg.

* inspector/protocol/Canvas.json:

Add `colorSpace` and `desynchronized` to `Canvas.ContextAttributes`.

2021-09-23 Ross Kirsling <[email protected]>

[JSC] Handle syntactic production for `#x in expr` correctly

https://bugs.webkit.org/show_bug.cgi?id=230668

Reviewed by Yusuke Suzuki.

The production for `#x in expr` is easy to get wrong.

RelationalExpression[In, Yield, Await] :

ShiftExpression[?Yield, ?Await]

RelationalExpression[?In, ?Yield, ?Await] < ShiftExpression[?Yield, ?Await]

RelationalExpression[?In, ?Yield, ?Await] > ShiftExpression[?Yield, ?Await]

RelationalExpression[?In, ?Yield, ?Await] <= ShiftExpression[?Yield, ?Await]

RelationalExpression[?In, ?Yield, ?Await] >= ShiftExpression[?Yield, ?Await]

RelationalExpression[?In, ?Yield, ?Await] instanceof ShiftExpression[?Yield, ?Await]

[+In] RelationalExpression[+In, ?Yield, ?Await] in ShiftExpression[?Yield, ?Await]

[+In] PrivateIdentifier in ShiftExpression[?Yield, ?Await]

We were ensuring that a standalone private name `#x` is always followed by operator `in`;

this patch further ensures that that particular `in` can't have its LHS misparsed as a RelationalExpression.

* parser/Parser.cpp:

(JSC::Parser<LexerType>::parseBinaryExpression):

Verify the precedence of the topmost operator on the stack (if any) when parsing standalone `#x`.

2021-09-22 Mikhail R. Gadelha <[email protected]>

Null pointer dereference in JSC::GetByStatus

https://bugs.webkit.org/show_bug.cgi?id=229674

Reviewed by Yusuke Suzuki.

In GetByStatus::computeForStubInfoWithoutExitSiteFeedback, there are

several places that dereference the stubInfo argument when calling the

GetByStatus constructor. To prevent a nullptr dereference, the pointer

is not dereferenced anymore, and a check was added to check if stubInfo

is a valid pointer before accessing it.

* bytecode/GetByStatus.cpp:

(JSC::GetByStatus::GetByStatus):

(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):

* bytecode/GetByStatus.h:

2021-09-22 Yusuke Suzuki <[email protected]>

[JSC] Filter algorithmic numbering systems from enumeration data

https://bugs.webkit.org/show_bug.cgi?id=230660

Reviewed by Ross Kirsling.

Algorithmic numbering systems' handling is not included in normal ICU build.

This patch filters out them from available numbering systems.

* runtime/IntlObject.cpp:

(JSC::availableNumberingSystems):

2021-09-22 Yusuke Suzuki <[email protected]>

[JSC] Adjust Intl currency enumeration

https://bugs.webkit.org/show_bug.cgi?id=230656

Reviewed by Ross Kirsling.

1. List up all available currencies.

2. Introduce a work-around for VES, LSM, and EQE

* runtime/IntlObject.cpp:

(JSC::availableCurrencies):

2021-09-22 Yusuke Suzuki <[email protected]>

[JSC] emoji and eor collations are missing

https://bugs.webkit.org/show_bug.cgi?id=230652

Reviewed by Ross Kirsling.

Due to ICU's bug, "emoji" and "eor" collations are missing from enumeration.

This patch adds work-around for this.

* runtime/IntlObject.cpp:

(JSC::availableCollations):

2021-09-22 Yusuke Suzuki <[email protected]>

[JSC] Intl unicode identifier type will reject underscore

https://bugs.webkit.org/show_bug.cgi?id=230645

Reviewed by Ross Kirsling.

We reject '_' since BCP-47 rejects it and we should follow BCP-47 in all Intl inputs.

* runtime/IntlObject.cpp:

(JSC::isUnicodeLocaleIdentifierType):

2021-09-21 Alexey Shvayka <[email protected]>

[WebIDL] DOM constructors should extend InternalFunction

https://bugs.webkit.org/show_bug.cgi?id=228763

Reviewed by Sam Weinig.

Introduce finishCreation(VM&) overload to preserve the current property order of

WebIDL constructors, and to defer a large code change needed for passing through

`length` / `name` parameters (bug #230584).

* runtime/InternalFunction.cpp:

(JSC::InternalFunction::InternalFunction):

(JSC::InternalFunction::finishCreation):

* runtime/InternalFunction.h:

2021-09-21 Chris Dumez <[email protected]>

Reduce use of makeRef() and use Ref { } instead

https://bugs.webkit.org/show_bug.cgi?id=230585

Reviewed by Alex Christensen.

* debugger/Debugger.cpp:

(JSC::Debugger::setBreakpoint):

(JSC::Debugger::schedulePauseForSpecialBreakpoint):

* llint/LLIntEntrypoint.cpp:

(JSC::LLInt::setFunctionEntrypoint):

(JSC::LLInt::setEvalEntrypoint):

(JSC::LLInt::setProgramEntrypoint):

(JSC::LLInt::setModuleProgramEntrypoint):

* runtime/JSString.cpp:

(JSC::JSRopeString::resolveRopeToExistingAtomString const):

* runtime/VM.cpp:

(JSC::jitCodeForCallTrampoline):

(JSC::jitCodeForConstructTrampoline):

* wasm/WasmCodeBlock.cpp:

(JSC::Wasm::CodeBlock::CodeBlock):

* wasm/WasmOMGForOSREntryPlan.cpp:

(JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):

* wasm/WasmOMGPlan.cpp:

(JSC::Wasm::OMGPlan::OMGPlan):

* wasm/WasmSignature.cpp:

(JSC::Wasm::SignatureInformation::signatureFor):

* wasm/WasmSignatureInlines.h:

(JSC::Wasm::SignatureInformation::get):

* wasm/WasmSlowPaths.cpp:

(JSC::LLInt::jitCompileAndSetHeuristics):

* wasm/js/JSWebAssemblyInstance.h:

2021-09-21 Yusuke Suzuki <[email protected]>

[JSC] CompareStrictEq is omitting String check incorrectly

https://bugs.webkit.org/show_bug.cgi?id=230582

rdar://83237121

Reviewed by Mark Lam.

1. Add left and right prefixes to neitherDoubleNorHeapBigIntChild and notDoubleChild edges since

registers are named with left and right. Without this prefix, it is hard to follow in the code.

2. Remove leftGPR and rightGPR and use leftRegs.payloadGPR() and rightRegs.payloadGPR() to avoid

having different variables pointing to the same registers.

3. DFG needsTypeCheck is done with wrong type filters. As a result, necessary checks are omitted.

This patch fixes that. FTL does not have the same problem.

* dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compileNeitherDoubleNorHeapBigIntToNotDoubleStrictEquality):

* ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

2021-09-21 Mark Lam <[email protected]>

Replace a few ASSERTs with static_asserts in the ARM64 MacroAssemblers.

https://bugs.webkit.org/show_bug.cgi?id=230569

Reviewed by Yusuke Suzuki.

* assembler/ARM64Assembler.h:

* assembler/ARM64EAssembler.h:

2021-09-21 Justin Michaud <[email protected]>

Differential testing: live statement don't execute

https://bugs.webkit.org/show_bug.cgi?id=229939

Reviewed by Saam Barati.

In statements are supposed to throw if they are applied to a non-object. We incorrectly converted

InByVals into HasIndexedProperty any time they were a cell, so we silently converted non-objects. Before converting

an InByVal, we first speculate that the base is an object now.

We do not always require an object edge for HasIndexedProperty because enumerator next() does not

throw if it encounters a cell that requires conversion during the call to toObject (for example, a

string literal). That is, we should silently convert the string during enumeration, but not for an

In statement, and so HasIndexedProperty is prepared to handle both cases.

* dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

(JSC::DFG::FixupPhase::convertToHasIndexedProperty):

2021-09-21 Mikhail R. Gadelha <[email protected]>

Prevent test from accessing FP registers if they are not available (e.g., arm softFP)

https://bugs.webkit.org/show_bug.cgi?id=230493

Unreviewed gardening.

The patch from https://bugs.webkit.org/show_bug.cgi?id=228543 introduced

explicity calls to FP registers, however, they are not available in archs

that emulate FPs. This patch adds an #ifdef to only enable the test if

the arch has FP registers.

* assembler/testmasm.cpp:

(JSC::testStoreBaseIndex):

2021-09-20 Chris Dumez <[email protected]>

Stop using makeRef(*this) / makeRefPtr(this)

https://bugs.webkit.org/show_bug.cgi?id=230464

Reviewed by Alex Christensen.

* inspector/InjectedScriptHost.cpp:

(Inspector::InjectedScriptHost::wrapper):

* inspector/remote/RemoteConnectionToTarget.cpp:

(Inspector::RemoteConnectionToTarget::close):

* inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:

(Inspector::RemoteConnectionToTarget::setup):

(Inspector::RemoteConnectionToTarget::close):

(Inspector::RemoteConnectionToTarget::sendMessageToTarget):

* wasm/WasmCodeBlock.cpp:

(JSC::Wasm::CodeBlock::compileAsync):

* wasm/WasmNameSection.h:

(JSC::Wasm::NameSection::get):

* wasm/WasmStreamingCompiler.cpp:

(JSC::Wasm::StreamingCompiler::didReceiveFunctionData):

2021-09-17 Mikhail R. Gadelha <[email protected]>

Fix CellTag being set 32 bits even if the base is not a cell

https://bugs.webkit.org/show_bug.cgi?id=230364

Reviewed by Yusuke Suzuki.

Initial patch by Caio Lima.

In 32 bits the tag of the base was not being preserved before calling

the slow path and was instead being always being set to cellTag.

This patch slightly changes the code to instead of setting the cellTag,

it now calls the slow path using only the payload if the base is a cell,

otherwise it uses tag+payload.

* dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):

2021-09-17 Yusuke Suzuki <[email protected]>

[JSC] Add fast property enumeration mode for JSON.stringify

https://bugs.webkit.org/show_bug.cgi?id=230393

Reviewed by Mark Lam.

We collected profiles and found several subtests are using JSON.stringify enough. And generated strings are many serialized leaf objects.

This patch adds fast object property enumeration. When we know that source object meets some conditions, we can say that,

as long as structure is not changed, we can continue using property names and offset collected from the structure.

This way removes non observable [[Get]] operations to accelerate JSON.stringify performance for major object iteration cases.

We also extend MarkedArgumentBuffer: introducing MarkedArgumentBufferWithSize which can take default inline capacity as a template

parameter. This is used in JSON.stringify to increase the buffer because now we also need to record structures in MarkedArgumentBuffer.

This offers 0.4% improvement in Speedometer2 (EmberJS-TodoMVC, Vanilla-XXX, EmberJS-Debug-TodoMVC, they have enough amount of JSON.stringify

time).

----------------------------------------------------------------------------------------------------------------------------------

| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |

----------------------------------------------------------------------------------------------------------------------------------

| Elm-TodoMVC |117.710000 |117.751667 |1.000354 | 0.883246 |

| VueJS-TodoMVC |24.500000 |24.311667 |0.992313 | 0.365130 |

| EmberJS-TodoMVC |126.646667 |125.738333 |0.992828 | 0.002587 (significant) |

| BackboneJS-TodoMVC |47.873333 |47.911667 |1.000801 | 0.762509 |

| Preact-TodoMVC |17.020000 |17.070000 |1.002938 | 0.786799 |

| AngularJS-TodoMVC |129.856667 |129.353333 |0.996124 | 0.177632 |

| Vanilla-ES2015-TodoMVC |61.698333 |61.120000 |0.990626 | 0.000003 (significant) |

| Inferno-TodoMVC |62.840000 |62.496667 |0.994536 | 0.312340 |

| Flight-TodoMVC |77.095000 |76.936667 |0.997946 | 0.702724 |

| Angular2-TypeScript-TodoMVC |39.740000 |39.191667 |0.986202 | 0.053485 |

| VanillaJS-TodoMVC |49.008333 |48.346667 |0.986499 | 0.000638 (significant) |

| jQuery-TodoMVC |216.785000 |217.188333 |1.001861 | 0.270747 |

| EmberJS-Debug-TodoMVC |344.230000 |342.993333 |0.996407 | 0.012262 (significant) |

| React-TodoMVC |85.461667 |85.411667 |0.999415 | 0.758049 |

| React-Redux-TodoMVC |140.681667 |140.640000 |0.999704 | 0.871277 |

| Vanilla-ES2015-Babel-Webpack-TodoMVC |59.928333 |59.351667 |0.990377 | 0.000000 (significant) |

----------------------------------------------------------------------------------------------------------------------------------

a mean = 264.40650

b mean = 265.51533

pValue = 0.0005567357

(Bigger means are better.)

1.004 times better

Results ARE significant

* heap/Heap.cpp:

(JSC::Heap::addCoreConstraints):

* heap/Heap.h:

* heap/HeapInlines.h:

* runtime/ArgList.cpp:

(JSC::MarkedArgumentBufferBase::addMarkSet):

(JSC::MarkedArgumentBufferBase::markLists):

(JSC::MarkedArgumentBufferBase::slowEnsureCapacity):

(JSC::MarkedArgumentBufferBase::expandCapacity):

(JSC::MarkedArgumentBufferBase::slowAppend):

(JSC::MarkedArgumentBuffer::addMarkSet): Deleted.

(JSC::MarkedArgumentBuffer::markLists): Deleted.

(JSC::MarkedArgumentBuffer::slowEnsureCapacity): Deleted.

(JSC::MarkedArgumentBuffer::expandCapacity): Deleted.

(JSC::MarkedArgumentBuffer::slowAppend): Deleted.

* runtime/ArgList.h:

(JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize):

(JSC::MarkedArgumentBuffer::MarkedArgumentBuffer): Deleted.

(JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer): Deleted.

(JSC::MarkedArgumentBuffer::size const): Deleted.

(JSC::MarkedArgumentBuffer::isEmpty const): Deleted.

(JSC::MarkedArgumentBuffer::at const): Deleted.

(JSC::MarkedArgumentBuffer::clear): Deleted.

(JSC::MarkedArgumentBuffer::appendWithAction): Deleted.

(JSC::MarkedArgumentBuffer::append): Deleted.

(JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow): Deleted.

(JSC::MarkedArgumentBuffer::removeLast): Deleted.

(JSC::MarkedArgumentBuffer::last): Deleted.

(JSC::MarkedArgumentBuffer::takeLast): Deleted.

(JSC::MarkedArgumentBuffer::ensureCapacity): Deleted.

(JSC::MarkedArgumentBuffer::hasOverflowed): Deleted.

(JSC::MarkedArgumentBuffer::overflowCheckNotNeeded): Deleted.

(JSC::MarkedArgumentBuffer::fill): Deleted.

(JSC::MarkedArgumentBuffer::slotFor const): Deleted.

(JSC::MarkedArgumentBuffer::mallocBase): Deleted.

(JSC::MarkedArgumentBuffer::setNeedsOverflowCheck): Deleted.

(JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck): Deleted.

* runtime/JSONObject.cpp:

(JSC::Stringifier::Holder::hasFastObjectProperties const):

(JSC::Stringifier::appendStringifiedValue):

(JSC::Stringifier::Holder::Holder):

(JSC::Stringifier::Holder::appendNextProperty):

* runtime/ObjectConstructorInlines.h:

(JSC::canPerformFastPropertyEnumerationForJSONStringify):

2021-09-17 Ross Kirsling <[email protected]>

Unreviewed fix for JSCOnly build with ENABLE_DFG_JIT off.

* b3/testb3_1.cpp:

* wasm/WasmEntryPlan.cpp:

* wasm/WasmLLIntPlan.cpp:

* wasm/WasmOperations.cpp:

* wasm/WasmSignature.cpp:

* wasm/WasmSignature.h:

* wasm/generateWasmOpsHeader.py:

* wasm/js/JSToWasm.h:

2021-09-17 Angelos Oikonomopoulos <[email protected]>

Unbreak GCC_OFFLINEASM_SOURCE_MAP when LTO is in use

https://bugs.webkit.org/show_bug.cgi?id=230061

<rdar://problem/83166173>

Reviewed by Michael Catanzaro.

Our ASM postprocessing hack is incompatible with

LTO. Unconditionally disable LTO for LowLevelInterpreter.cxx when

GCC_OFFLINEASM_SOURCE_MAP is in use.

* CMakeLists.txt:

2021-09-17 Justin Michaud <[email protected]>

Improve access case printing and show inline capacity for structures

https://bugs.webkit.org/show_bug.cgi?id=230357

Reviewed by Saam Barati.

This just makes the printing of access cases slightly more readable.

* bytecode/AccessCase.cpp:

(JSC::AccessCase::dump const):

* bytecode/AccessCase.h:

(JSC::AccessCase::dumpImpl const):

* bytecode/GetterSetterAccessCase.cpp:

(JSC::GetterSetterAccessCase::dumpImpl const):

* bytecode/GetterSetterAccessCase.h:

* bytecode/InstanceOfAccessCase.cpp:

(JSC::InstanceOfAccessCase::dumpImpl const):

* bytecode/InstanceOfAccessCase.h:

* bytecode/ProxyableAccessCase.cpp:

(JSC::ProxyableAccessCase::dumpImpl const):

* bytecode/ProxyableAccessCase.h:

* heap/Heap.cpp:

(JSC::Heap::runEndPhase):

* runtime/JSCJSValue.cpp:

(JSC::JSValue::dumpInContextAssumingStructure const):

* runtime/Structure.cpp:

(JSC::Structure::dump const):

2021-09-17 Justin Michaud <[email protected]>

PutByVal and PutPrivateName ICs should emit a write barrier if a butterfly might be allocated

https://bugs.webkit.org/show_bug.cgi?id=230378

Reviewed by Yusuke Suzuki.

Right now, PutByVal and PutPrivateName check the value type to determine

if a write barrier is needed. For example, putting a primitive is considered

to not require a write barrier. This makes sense, except for the case when we

might allocate or re-allocate a butterfly in the IC. This does not emit a write

barrier, and so the GC might miss the new butterfly. That is somewhat undesirable.

This is a temporary conservative fix. If we don't write to the butterfly pointer,

then we still don't need a write barrier; this work is captured by

https://bugs.webkit.org/show_bug.cgi?id=230377

* dfg/DFGStoreBarrierInsertionPhase.cpp:

2021-09-16 Saam Barati <[email protected]>

Don't throw an exception in the middle of linking a CodeBlock

https://bugs.webkit.org/show_bug.cgi?id=230367

Reviewed by Yusuke Suzuki.

It's cleaner, and probably more correct, to wait until we're done linking

the instruction stream before throwing any exceptions from CodeBlock::finishCreation.

This guarantees, for example, that all metadata structs are initialized.

* bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

(JSC::CodeBlock::setConstantRegisters):

(JSC::CodeBlock::initializeTemplateObjects):

* bytecode/CodeBlock.h:

* runtime/JSScope.cpp:

(JSC::abstractAccess):

(JSC::JSScope::abstractResolve):

2021-09-16 Saam Barati <[email protected]>

Move some profiling to UnlinkedCodeBlock

https://bugs.webkit.org/show_bug.cgi?id=230078

<rdar://problem/82947571>

Reviewed by Yusuke Suzuki.

This patch adds UnlinkedValueProfile and UnlinkedArrayProfile to

UnlinkedCodeBlock. These profiles serialize the data in ValueProfile

and ArrayProfile. Each time a CodeBlock updates value profiles,

it mixes in up to date information from the unlinked profiles, and

also writes back data to the unlinked profiles, so the data is shared

between CodeBlocks of the same UnlinkedCodeBlock.

This patch also fixes a pre-existing bug where we would sometimes think

we had more metadata table entries than we really had in practice. This is

because MetadataTable::forEach used the next opcode's start pointer. That

pointer was aligned to that opcode's metadata alignment. So that might make

the previous opcode think it had an extra 1-7 entries (depending on size,

alignment, etc). This patch fixes that by having the next opcode's start

offset in the table always be the end offset of the previous opcode, and we

align the start pointer when using it.

This was measured as a ~0.5% speedup on Speedometer2.

* bytecode/ArrayProfile.h:

(JSC::UnlinkedArrayProfile::update):

* bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

(JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness):

(JSC::CodeBlock::updateAllArrayProfilePredictions):

(JSC::CodeBlock::updateAllArrayPredictions):

* bytecode/CodeBlock.h:

(JSC::CodeBlock::metadata):

* bytecode/CodeBlockInlines.h:

(JSC::CodeBlock::forEachArrayProfile): Deleted.

* bytecode/MetadataTable.cpp:

(JSC::DeallocTable::withOpcodeType):

* bytecode/MetadataTable.h:

(JSC::MetadataTable::get):

(JSC::MetadataTable::forEach):

(JSC::MetadataTable::getWithoutAligning):

(JSC::MetadataTable::getImpl): Deleted.

* bytecode/UnlinkedCodeBlock.cpp:

(JSC::UnlinkedCodeBlock::allocateSharedProfiles):

* bytecode/UnlinkedCodeBlock.h:

(JSC::UnlinkedCodeBlock::unlinkedValueProfile):

(JSC::UnlinkedCodeBlock::unlinkedArrayProfile):

* bytecode/UnlinkedCodeBlockGenerator.cpp:

(JSC::UnlinkedCodeBlockGenerator::finalize):

* bytecode/UnlinkedMetadataTable.cpp:

(JSC::UnlinkedMetadataTable::finalize):

* bytecode/UnlinkedMetadataTable.h:

(JSC::UnlinkedMetadataTable::isFinalized):

(JSC::UnlinkedMetadataTable::hasMetadata):

* bytecode/UnlinkedMetadataTableInlines.h:

(JSC::UnlinkedMetadataTable::numEntries):

* bytecode/ValueProfile.h:

(JSC::UnlinkedValueProfile::update):

* bytecompiler/BytecodeGenerator.h:

* llint/LowLevelInterpreter.asm:

* runtime/CachedTypes.cpp:

(JSC::CachedCodeBlock::numValueProfiles const):

(JSC::CachedCodeBlock::numArrayProfiles const):

(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):

(JSC::CachedCodeBlock<CodeBlockType>::encode):

2021-09-16 Commit Queue <[email protected]>

Unreviewed, reverting r282478.

https://bugs.webkit.org/show_bug.cgi?id=230358

Reverted changeset:

"Move some profiling to UnlinkedCodeBlock"

https://bugs.webkit.org/show_bug.cgi?id=230078

https://commits.webkit.org/r282478

2021-09-16 Mikhail R. Gadelha <[email protected]>

Fix crash in 32 bits due to not enough scratch registers available

https://bugs.webkit.org/show_bug.cgi?id=230241

Reviewed by Filip Pizlo.

Since patch 229229 (Polymorphic PutByVal) landed, jsc is now reaching

the case Transition in `AccessCase::generateImpl` which needs three

scratch registers when reallocating, but in ARMv7/MIPS, there are only

two registers available.

So in this patch, `AccessCase::createTransition` is changed to actually

check if there are enough registers available before creating the

AccessCase object.

* bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

2021-09-15 Saam Barati <[email protected]>

Move some profiling to UnlinkedCodeBlock

https://bugs.webkit.org/show_bug.cgi?id=230078

<rdar://problem/82947571>

Reviewed by Yusuke Suzuki.

This patch moves ValueProfiles and ArrayProfiles for non-call opcodes into

UnlinkedCodeBlock. This way, the data is shared between the linked CodeBlocks

of the same UnlinkedCodeBlock. The profiling bet here is that when the same code

runs in a different global object, it largely runs in the same way. We've made

this same bet in other ways with our profiling, and it largely makes sense

to do for ValueProfile and ArrayProfile since they both hold global object

independent data.

Because ArrayProfiles are now shared between CodeBlocks, the existing m_usesOriginalArrayStructures

bit is slightly harder to track now, since the ArrayProfile may see inputs from a different

global object, an array may be an original array in one lexical global object,

but not another. So we now track when an ArrayProfile sees a different global

object than the lexical global object, and when we observe exits in the DFG,

we propagate that bit to the m_usesOriginalArrayStructures bit.

This patch also makes it so we no longer hold the CodeBlock lock when

processing ValueProfiles and ArrayProfiles. We now allow multiple compiler

threads to race against each other when updating these profiles. This is fine.

It may end up with incomplete data in the profiles, but it won't corrupt them.

This patch also makes it so we finalized visited UnlinkedCodeBlocks to finalize

their value profiles. We no longer do that work inside CodeBlock for the

ValueProfiles that UnlinkedCodeBlock owns. This also means that we have to

WriteBarrier UnlinkedCodeBlock when executing in the LLInt, Baseline, and

other areas, such as OSR exit, and in the GC when a CodeBlock was executing.

That way we're guaranteed to visit the UnlinkedCodeBlock, add it to the

visited set, and then finalize it at the end of GC.

This patch also makes it so that inside CodeBlock::finishCreation, we finish

linking before we do anything that can throw an exception. It's not valid to

finalize a CodeBlock that isn't linked.

This was measured as a 0.5-1% speedup on Speedometer2.

* bytecode/ArrayProfile.cpp:

(JSC::ArrayProfile::computeUpdatedPrediction):

(JSC::ArrayProfile::briefDescription):

(JSC::ArrayProfile::briefDescriptionWithoutUpdating):

* bytecode/ArrayProfile.h:

(JSC::ArrayProfile::ArrayProfile):

(JSC::ArrayProfile::observedArrayModes const):

(JSC::ArrayProfile::mayInterceptIndexedAccesses const):

(JSC::ArrayProfile::mayStoreToHole const):

(JSC::ArrayProfile::outOfBounds const):

(JSC::ArrayProfile::usesOriginalArrayStructures const):

(JSC::ArrayProfile::setDoesNotUseOriginalArrayStructures):

(JSC::ArrayProfile::observedDifferentGlobalObject const):

* bytecode/BytecodeList.rb:

* bytecode/BytecodeOperandsForCheckpoint.h:

(JSC::valueProfileForImpl):

* bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

(JSC::CodeBlock::setConstantRegisters):

(JSC::CodeBlock::initializeTemplateObjects):

(JSC::CodeBlock::setNumParameters):

(JSC::CodeBlock::visitChildren):

(JSC::CodeBlock::finalizeUnconditionally):

(JSC::CodeBlock::getArrayProfile):

(JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness):

(JSC::CodeBlock::updateAllArrayPredictions):

(JSC::CodeBlock::tryGetValueProfileForBytecodeIndex):

(JSC::CodeBlock::valueProfilePredictionForBytecodeIndex):

* bytecode/CodeBlock.h:

(JSC::CodeBlock::offsetOfUnlinkedCodeBlock):

(JSC::CodeBlock::numberOfArgumentValueProfiles):

(JSC::CodeBlock::valueProfileForArgument):

(JSC::CodeBlock::metadata):

* bytecode/CodeBlockInlines.h:

(JSC::CodeBlock::forEachValueProfile):

(JSC::CodeBlock::forEachArrayProfile):

* bytecode/DFGExitProfile.cpp:

(JSC::DFG::ExitProfile::hasAnyExitsAt const):

* bytecode/DFGExitProfile.h:

* bytecode/GetByIdMetadata.h:

(JSC::GetByIdModeMetadata::setArrayLengthMode):

* bytecode/LazyOperandValueProfile.cpp:

(JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):

(JSC::LazyOperandValueProfileParser::prediction const):

* bytecode/MetadataTable.cpp:

(JSC::DeallocTable::withOpcodeType):

* bytecode/MetadataTable.h:

(JSC::MetadataTable::get):

(JSC::MetadataTable::forEach):

(JSC::MetadataTable::getWithoutAligning):

(JSC::MetadataTable::getImpl): Deleted.

* bytecode/Opcode.h:

* bytecode/UnlinkedCodeBlock.cpp:

(JSC::UnlinkedCodeBlock::visitChildrenImpl):

(JSC::UnlinkedCodeBlock::allocateSharedProfiles):

(JSC::UnlinkedCodeBlock::finalizeUnconditionally):

* bytecode/UnlinkedCodeBlock.h:

(JSC::UnlinkedCodeBlock::hasAnyExitsAt const):

(JSC::UnlinkedCodeBlock::hasAnyExitsAt):

(JSC::UnlinkedCodeBlock::valueProfile):

(JSC::UnlinkedCodeBlock::arrayProfile):

(JSC::UnlinkedCodeBlock::numValueProfiles const):

(JSC::UnlinkedCodeBlock::numArrayProfiles const):

* bytecode/UnlinkedCodeBlockGenerator.cpp:

(JSC::UnlinkedCodeBlockGenerator::finalize):

* bytecode/UnlinkedMetadataTable.cpp:

(JSC::UnlinkedMetadataTable::finalize):

* bytecode/UnlinkedMetadataTable.h:

(JSC::UnlinkedMetadataTable::isFinalized):

(JSC::UnlinkedMetadataTable::hasMetadata):

* bytecode/UnlinkedMetadataTableInlines.h:

(JSC::UnlinkedMetadataTable::numEntries):

* bytecode/ValueProfile.h:

(JSC::ValueProfileBase::ValueProfileBase):

(JSC::ValueProfileBase::clearBuckets):

(JSC::ValueProfileBase::briefDescription):

(JSC::ValueProfileBase::computeUpdatedPrediction):

(JSC::ValueProfile::offsetOfFirstBucket):

(JSC::ValueProfileBase::classInfo const): Deleted.

* dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::fromObserved):

* dfg/DFGArrayMode.h:

(JSC::DFG::ArrayMode::withSpeculationFromProfile const):

(JSC::DFG::ArrayMode::withProfile const):

* dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):

(JSC::DFG::ByteCodeParser::getArrayMode):

(JSC::DFG::ByteCodeParser::handleVarargsInlining):

(JSC::DFG::ByteCodeParser::parseBlock):

(JSC::DFG::ByteCodeParser::handlePutByVal):

* dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):

* dfg/DFGGraph.h:

* dfg/DFGOSRExitCompilerCommon.cpp:

(JSC::DFG::osrWriteBarrier):

(JSC::DFG::adjustAndJumpToTarget):

* dfg/DFGPredictionInjectionPhase.cpp:

(JSC::DFG::PredictionInjectionPhase::run):

* heap/CodeBlockSetInlines.h:

(JSC::CodeBlockSet::iterateViaSubspaces):

* heap/Heap.cpp:

(JSC::Heap::finalizeMarkedUnconditionalFinalizers):

(JSC::Heap::finalizeUnconditionalFinalizers):

(JSC::Heap::deleteUnmarkedCompiledCode):

(JSC::Heap::runEndPhase):

(JSC::Heap::addCoreConstraints):

* jit/JIT.h:

* jit/JITInlines.h:

(JSC::JIT::emitValueProfilingSiteIfProfiledOpcode):

* jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_enter):

(JSC::JIT::op_enter_handlerGenerator):

* jit/JITOperations.cpp:

(JSC::putByValOptimize):

(JSC::directPutByValOptimize):

(JSC::JSC_DEFINE_JIT_OPERATION):

* jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_get_by_val):

(JSC::JIT::generateGetByValSlowCase):

(JSC::JIT::emit_op_put_by_val):

(JSC::JIT::emitSlow_op_put_by_val):

(JSC::JIT::emit_op_get_by_id):

(JSC::JIT::emit_op_in_by_val):

(JSC::JIT::emitSlow_op_in_by_val):

(JSC::JIT::generateOpGetFromScopeThunk):

(JSC::JIT::slow_op_get_from_scopeGenerator):

(JSC::JIT::emit_op_enumerator_get_by_val):

* jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_get_by_val):

(JSC::JIT::emitSlow_op_get_by_val):

(JSC::JIT::emit_op_put_by_val):

(JSC::JIT::emitSlow_op_put_by_val):

(JSC::JIT::emit_op_get_by_id):

(JSC::JIT::emit_op_in_by_val):

(JSC::JIT::emitSlow_op_in_by_val):

* llint/LLIntSlowPaths.cpp:

(JSC::LLInt::performLLIntGetByID):

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

(JSC::LLInt::getByVal):

* llint/LowLevelInterpreter.asm:

* llint/LowLevelInterpreter32_64.asm:

* llint/LowLevelInterpreter64.asm:

* profiler/ProfilerBytecodeSequence.cpp:

(JSC::Profiler::BytecodeSequence::BytecodeSequence):

* runtime/CachedTypes.cpp:

(JSC::CachedCodeBlock::numValueProfiles const):

(JSC::CachedCodeBlock::numArrayProfiles const):

(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):

(JSC::CachedCodeBlock<CodeBlockType>::encode):

* runtime/CommonSlowPaths.cpp:

(JSC::iteratorNextTryFastImpl):

(JSC::JSC_DEFINE_COMMON_SLOW_PATH):

* runtime/JSScope.cpp:

(JSC::abstractAccess):

(JSC::JSScope::abstractResolve):

* runtime/VM.cpp:

* runtime/VM.h:

(JSC::VM::forEachUnlinkedCodeBlockSpace):

(JSC::VM::forEachCodeBlockSpace): Deleted.

2021-09-15 Michael Catanzaro <[email protected]>

Avoid GCC warnings introduced in r282125

https://bugs.webkit.org/show_bug.cgi?id=230154

Reviewed by Fujii Hironori.

Yusuke suggested casting to UChar to avoid -Wswitch-out-of-range. This works!

Also, avoid -Wredundant-move by removing one unnecessary WTFMove.

* runtime/ISO8601.cpp:

(JSC::ISO8601::parseTimeZoneBracketedAnnotation):

(JSC::ISO8601::canBeTimeZone):

(JSC::ISO8601::parseTimeZone):

2021-09-15 Yusuke Suzuki <[email protected]>

[JSC] Optimize leaf object creation in JSON.parse

https://bugs.webkit.org/show_bug.cgi?id=230298

Reviewed by Keith Miller.

This patch optimizes JSON.parse.

1. Use table in isJSONWhiteSpace.

2. Extract primitive value creation as parsePrimitiveValue function to use it in different place.

3. Add leaf-object creation fast path. Previously, when creating a leaf-object from JSON.parse we

are too generic and jumping around the code. Instead we add a fast path that does not perform

unnecessary operations and code gets tight.

It offers 3-4% improvement in microbenchmarks.

ToT Patched

vanilla-es2015-babel-webpack-todomvc-json-parse

104.7169+-0.1113 ^ 101.4836+-0.2168 ^ definitely 1.0319x faster

flight-todomvc-json-parse 53.9074+-0.0957 ^ 52.1347+-0.0802 ^ definitely 1.0340x faster

vanilla-es2015-todomvc-json-parse 104.9373+-0.1631 ^ 101.4978+-0.1073 ^ definitely 1.0339x faster

vanilla-todomvc-json-parse 79.1330+-0.0963 ^ 76.7568+-0.1606 ^ definitely 1.0310x faster

This offers 0.2% improvement in Speedometer2.

----------------------------------------------------------------------------------------------------------------------------------

| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |

----------------------------------------------------------------------------------------------------------------------------------

| Elm-TodoMVC |116.860000 |116.825000 |0.999700 | 0.901070 |

| VueJS-TodoMVC |24.658333 |24.763333 |1.004258 | 0.571728 |

| EmberJS-TodoMVC |126.666667 |126.335000 |0.997382 | 0.289517 |

| BackboneJS-TodoMVC |48.435000 |48.523333 |1.001824 | 0.455638 |

| Preact-TodoMVC |17.585000 |17.368333 |0.987679 | 0.247658 |

| AngularJS-TodoMVC |129.576667 |129.398333 |0.998624 | 0.625634 |

| Vanilla-ES2015-TodoMVC |62.746667 |62.241667 |0.991952 | 0.000019 (significant) |

| Inferno-TodoMVC |63.741667 |63.495000 |0.996130 | 0.448861 |

| Flight-TodoMVC |78.021667 |77.306667 |0.990836 | 0.087137 |

| Angular2-TypeScript-TodoMVC |39.823333 |39.923333 |1.002511 | 0.736279 |

| VanillaJS-TodoMVC |50.073333 |49.791667 |0.994375 | 0.136495 |

| jQuery-TodoMVC |221.300000 |221.586667 |1.001295 | 0.418008 |

| EmberJS-Debug-TodoMVC |340.145000 |339.965000 |0.999471 | 0.691490 |

| React-TodoMVC |85.698333 |85.650000 |0.999436 | 0.761586 |

| React-Redux-TodoMVC |140.510000 |140.785000 |1.001957 | 0.285922 |

| Vanilla-ES2015-Babel-Webpack-TodoMVC |60.928333 |60.500000 |0.992970 | 0.000069 (significant) |

----------------------------------------------------------------------------------------------------------------------------------

a mean = 262.15844

b mean = 262.72261

pValue = 0.0428052487

(Bigger means are better.)

1.002 times better

Results ARE significant

* runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::makeIdentifier):

(JSC::isJSONWhiteSpace):

(JSC::LiteralParser<CharType>::Lexer::lex):

(JSC::LiteralParser<CharType>::parsePrimitiveValue):

(JSC::LiteralParser<CharType>::parse):

* runtime/LiteralParser.h:

2021-09-14 Don Olmstead <[email protected]>

Non-unified build fixes, mid September 2021 edition

https://bugs.webkit.org/show_bug.cgi?id=230110

Unreviewed non-unified build fixes.

* runtime/TemporalPlainTimeConstructor.cpp:

* runtime/TemporalPlainTimePrototype.cpp:

2021-09-14 Ross Kirsling <[email protected]>

[Win] JSRemoteInspector.h missing stdint include

https://bugs.webkit.org/show_bug.cgi?id=230275

Reviewed by Don Olmstead.

* API/JSRemoteInspector.h:

Include stdint for uint8_t definition on Windows.

2021-09-14 Xan Lopez <[email protected]>

[JSC] Remove unnecessary exception checks in DFGOperations

https://bugs.webkit.org/show_bug.cgi?id=230247

Reviewed by Caio Araujo Neponoceno de Lima.

JSValue::decode cannot throw an exception, remove a couple of

unnecessary RETURN_IF_EXCEPTION() calls.

* dfg/DFGOperations.cpp:

(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

2021-09-14 Xan López <[email protected]>

[JSC] ASSERT failed in stress/for-in-tests.js (32bit)

https://bugs.webkit.org/show_bug.cgi?id=229543

Reviewed by Yusuke Suzuki.

Since r280760 DFG::SpeculativeJIT::compileEnumeratorGetByVal uses

too many registers for 32bit. Revert to the slow path as a

temporary measure to avoid crashes, we'll try to reenable the

optimizations later on (see bug #230189).

* dfg/DFGOperations.cpp:

(JSC::DFG::JSC_DEFINE_JIT_OPERATION): define a generic call

operation for compileEnumeratorGetByVal.

* dfg/DFGOperations.h:

* dfg/DFGSpeculativeJIT.cpp: move the current version of

compileEnumeratorGetByVal to 64bit, since it won't work on 32bit.

* dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): call the generic call op always.

* dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): use the previous version here.

* runtime/CommonSlowPaths.cpp:

(JSC::JSC_DEFINE_COMMON_SLOW_PATH): refactor a bit the slow path

for enumeratorGetByVal so it can be called from DFG as a call

operation.

* runtime/CommonSlowPaths.h:

(JSC::CommonSlowPaths::opEnumeratorGetByVal):

2021-09-13 Xan López <[email protected]>

[JSC][32bit] in-by-val fails inside for-in loop after delete

https://bugs.webkit.org/show_bug.cgi?id=230150

Reviewed by Carlos Garcia Campos.

The order of payload and tag was reversed when constructing the

base value for compileEnumeratorHasProperty.

* dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):

2021-09-10 Stephan Szabo <[email protected]>

[PlayStation] Support running applications with ENABLE_STATIC_JSC=ON

https://bugs.webkit.org/show_bug.cgi?id=230170

Reviewed by Ross Kirsling.

Updating loading code to not load libJavaScriptCore shared library

if we are using a static version.

* shell/playstation/Initializer.cpp:

2021-09-09 Ross Kirsling <[email protected]>

[JSC] Clean up current state of Temporal API

https://bugs.webkit.org/show_bug.cgi?id=230130

Reviewed by Yusuke Suzuki.

This patch perfoms a variety of cleanup tasks following the implementation of Temporal.PlainTime.

1. Do away with the alias Subdurations and refer to ISO8601::Duration directly.

(But we can still say "subduration" when referring to a single ordered field, as in `largestSubduration`.)

2. Represent ToTemporalDuration, ToTemporalDurationRecord, and ToLimitedTemporalDuration more directly in code,

as TemporalDuration::{toTemporalDuration, fromDurationLike, toISO8601Duration}.

(Note: The last of these doesn't take a disallowedFields parameter;

Temporal.Instant can do this after the fact, since no one else makes use of this functionality.)

3. Extract intlOption<RoundingMode> into a helper function, `temporalRoundingMode`.

4. Remove largestSubplainTime(), which was declared but not defined.

5. Correct spelling of TemporalPlainTime::constrainTime().

* runtime/TemporalDuration.cpp:

(JSC::TemporalDuration::create):

(JSC::TemporalDuration::TemporalDuration):

(JSC::TemporalDuration::tryCreateIfValid):

(JSC::TemporalDuration::fromDurationLike): Added.

(JSC::TemporalDuration::toISO8601Duration): Added.

(JSC::TemporalDuration::toTemporalDuration): Added.

(JSC::TemporalDuration::from):

(JSC::totalNanoseconds):

(JSC::TemporalDuration::compare):

(JSC::TemporalDuration::sign):

(JSC::TemporalDuration::with const):

(JSC::TemporalDuration::negated const):

(JSC::TemporalDuration::abs const):

(JSC::largestSubduration): Added.

(JSC::TemporalDuration::balance):

(JSC::TemporalDuration::add const):

(JSC::TemporalDuration::subtract const):

(JSC::TemporalDuration::round):

(JSC::TemporalDuration::round const):

(JSC::TemporalDuration::total const):

(JSC::TemporalDuration::toString const):

(JSC::TemporalDuration::toString):

(JSC::TemporalDuration::fromNonDurationValue): Deleted.

(JSC::TemporalDuration::toDuration): Deleted.

(JSC::TemporalDuration::toDurationRecord): Deleted.

(JSC::TemporalDuration::largestSubduration const): Deleted.

* runtime/TemporalDuration.h:

* runtime/TemporalDurationConstructor.cpp:

* runtime/TemporalDurationPrototype.cpp:

* runtime/TemporalObject.cpp:

(JSC::temporalRoundingMode): Added.

* runtime/TemporalObject.h:

* runtime/TemporalPlainTime.cpp:

(JSC::TemporalPlainTime::round const):

(JSC::TemporalPlainTime::toString const):

(JSC::constrainTime): Added.

(JSC::regulateTime):

(JSC::TemporalPlainTime::add const):

(JSC::TemporalPlainTime::subtract const):

(JSC::extractDifferenceOptions):

(JSC::constraintTime): Deleted.

(JSC::toLimitedTemporalDuration): Deleted.

* runtime/TemporalPlainTime.h: