Changeset 231839 in webkit
- Timestamp:
- May 16, 2018 12:05:27 AM (6 years ago)
- Location:
- trunk/Source
- Files:
- 52 edited
trunk/Source/JavaScriptCore/API/JSCallbackObject.h
r229413 r231839 135 135 public: 136 136 typedef Parent Base; 137 static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesGetPropertyNames | TypeOfShouldCallGetCallData;137 static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesGetPropertyNames | OverridesGetCallData; 138 138 139 139 ~JSCallbackObject(); -
trunk/Source/JavaScriptCore/ChangeLog
r231819 r231839 1 2018-05-15 Yusuke Suzuki <utatane.tea@gmail.com> 2 3 [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function 4 https://bugs.webkit.org/show_bug.cgi?id=185601 5 6 Reviewed by Saam Barati. 7 8 Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData 9 before calling getCallData when we would like to check whether a given object is callable 10 since getCallData is a virtual call. When we call the object anyway, directly calling getCallData 11 is fine. But if we would like to check whether the object is callable, we can have non 12 callable objects frequently. In that case, we should not call getCallData if we can avoid it. 13 14 To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable} 15 and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform 16 OverridesGetCallData checking before calling getCallData. 17 18 We found that this virtual call exists in JSON.stringify's critial path. Checking 19 OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%. 20 21 baseline patched 22 23 json-stringify-tinderbox 38.807+-0.350 ^ 37.216+-0.337 ^ definitely 1.0427x faster 24 25 In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path 26 since major cases are covered by this fast JSFunctionType checking. 
27 28 * API/JSCallbackObject.h: 29 * dfg/DFGAbstractInterpreterInlines.h: 30 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 31 * dfg/DFGOperations.cpp: 32 * dfg/DFGSpeculativeJIT.cpp: 33 (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull): 34 (JSC::DFG::SpeculativeJIT::compileIsFunction): 35 * ftl/FTLLowerDFGToB3.cpp: 36 (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof): 37 * jit/AssemblyHelpers.h: 38 (JSC::AssemblyHelpers::emitTypeOf): 39 * runtime/ExceptionHelpers.cpp: 40 (JSC::createError): 41 (JSC::createInvalidFunctionApplyParameterError): 42 * runtime/FunctionPrototype.cpp: 43 (JSC::functionProtoFuncToString): 44 * runtime/InternalFunction.h: 45 * runtime/JSCJSValue.h: 46 * runtime/JSCJSValueInlines.h: 47 (JSC::JSValue::isFunction const): 48 (JSC::JSValue::isCallable const): 49 * runtime/JSCell.h: 50 * runtime/JSCellInlines.h: 51 (JSC::JSCell::isFunction): 52 ALWAYS_INLINE works well for my environment. 53 (JSC::JSCell::isCallable): 54 * runtime/JSFunction.h: 55 * runtime/JSONObject.cpp: 56 (JSC::Stringifier::toJSON): 57 (JSC::Stringifier::toJSONImpl): 58 (JSC::Stringifier::appendStringifiedValue): 59 * runtime/JSObjectInlines.h: 60 (JSC::createListFromArrayLike): 61 * runtime/JSTypeInfo.h: 62 (JSC::TypeInfo::overridesGetCallData const): 63 (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted. 
64 * runtime/Operations.cpp: 65 (JSC::jsTypeStringForValue): 66 (JSC::jsIsObjectTypeOrNull): 67 * runtime/ProxyObject.h: 68 * runtime/RuntimeType.cpp: 69 (JSC::runtimeTypeForValue): 70 * runtime/RuntimeType.h: 71 * runtime/Structure.cpp: 72 (JSC::Structure::Structure): 73 * runtime/TypeProfilerLog.cpp: 74 (JSC::TypeProfilerLog::TypeProfilerLog): 75 (JSC::TypeProfilerLog::processLogEntries): 76 * runtime/TypeProfilerLog.h: 77 * runtime/VM.cpp: 78 (JSC::VM::enableTypeProfiler): 79 * tools/JSDollarVM.cpp: 80 (JSC::functionFindTypeForExpression): 81 (JSC::functionReturnTypeFor): 82 (JSC::functionHasBasicBlockExecuted): 83 (JSC::functionBasicBlockExecutionCount): 84 * wasm/js/JSWebAssemblyHelpers.h: 85 (JSC::getWasmBufferFromValue): 86 * wasm/js/JSWebAssemblyInstance.cpp: 87 (JSC::JSWebAssemblyInstance::create): 88 * wasm/js/WebAssemblyFunction.cpp: 89 (JSC::callWebAssemblyFunction): 90 * wasm/js/WebAssemblyInstanceConstructor.cpp: 91 (JSC::constructJSWebAssemblyInstance): 92 * wasm/js/WebAssemblyModuleRecord.cpp: 93 (JSC::WebAssemblyModuleRecord::link): 94 * wasm/js/WebAssemblyPrototype.cpp: 95 (JSC::webAssemblyInstantiateFunc): 96 (JSC::webAssemblyInstantiateStreamingInternal): 97 * wasm/js/WebAssemblyWrapperFunction.cpp: 98 (JSC::WebAssemblyWrapperFunction::finishCreation): 99 1 100 2018-05-15 Devin Rousso <webkit@devinrousso.com> 2 101 -
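Review bot: the rationale line "ALWAYS_INLINE works well for my environment." under runtime/JSCellInlines.h tells a later reader nothing; say why JSCell::isFunction is forced inline while JSCell::isCallable gets a plain `inline` (presumably because isFunction sits on the JSON.stringify path measured above), or drop the remark. Also "critial path" should read "critical path".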
trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
r231607 r231839 1261 1261 if (object->type() == JSFunctionType) 1262 1262 setConstant(node, jsBoolean(false)); 1263 else if (!(object->inlineTypeFlags() & TypeOfShouldCallGetCallData))1263 else if (!(object->inlineTypeFlags() & OverridesGetCallData)) 1264 1264 setConstant(node, jsBoolean(!child.value().asCell()->structure()->masqueradesAsUndefined(m_codeBlock->globalObjectFor(node->origin.semantic)))); 1265 1265 else { … … 1276 1276 if (object->type() == JSFunctionType) 1277 1277 setConstant(node, jsBoolean(true)); 1278 else if (!(object->inlineTypeFlags() & TypeOfShouldCallGetCallData))1278 else if (!(object->inlineTypeFlags() & OverridesGetCallData)) 1279 1279 setConstant(node, jsBoolean(false)); 1280 1280 else { -
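Review bot: the `else` branch after lines 1263 and 1278 is right not to fold to a constant, because after this patch OverridesGetCallData means only "getCallData is overridden", not "callable" (JSCallbackObject and ProxyObject carry the flag and may still answer CallType::None); a one-line comment saying so would stop the next person from simplifying it to `jsBoolean(true)`. Note also that the JSFunctionType test on 1261/1276 must stay ahead of the flag test now that JSFunction sets OverridesGetCallData as well.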
trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
r231607 r231839 1742 1742 if (object->structure(vm)->masqueradesAsUndefined(globalObject)) 1743 1743 return false; 1744 if (object-> type() == JSFunctionType)1744 if (object->isFunction(vm)) 1745 1745 return false; 1746 if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) {1747 CallData callData;1748 if (object->methodTable(vm)->getCallData(object, callData) != CallType::None)1749 return false;1750 }1751 1752 1746 return true; 1753 1747 } … … 1762 1756 if (object->structure(vm)->masqueradesAsUndefined(globalObject)) 1763 1757 return false; 1764 if (object-> type() == JSFunctionType)1758 if (object->isFunction(vm)) 1765 1759 return true; 1766 if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) {1767 CallData callData;1768 if (object->methodTable(vm)->getCallData(object, callData) != CallType::None)1769 return true;1770 }1771 1772 1760 return false; 1773 1761 } … … 1782 1770 if (object->structure(vm)->masqueradesAsUndefined(globalObject)) 1783 1771 return vm.smallStrings.undefinedString(); 1784 if (object-> type() == JSFunctionType)1772 if (object->isFunction(vm)) 1785 1773 return vm.smallStrings.functionString(); 1786 if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) {1787 CallData callData;1788 if (object->methodTable(vm)->getCallData(object, callData) != CallType::None)1789 return vm.smallStrings.functionString();1790 }1791 1792 1774 return vm.smallStrings.objectString(); 1793 1775 } … … 1802 1784 if (object->structure(vm)->masqueradesAsUndefined(globalObject)) 1803 1785 return static_cast<int32_t>(TypeofType::Undefined); 1804 if (object-> type() == JSFunctionType)1786 if (object->isFunction(vm)) 1805 1787 return static_cast<int32_t>(TypeofType::Function); 1806 if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) {1807 CallData callData;1808 if (object->methodTable(vm)->getCallData(object, callData) != CallType::None)1809 return static_cast<int32_t>(TypeofType::Function);1810 }1811 1812 1788 return 
static_cast<int32_t>(TypeofType::Object); 1813 1789 } -
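Review bot: the four operations in this hunk, and jsTypeStringForValue/jsIsObjectTypeOrNull in runtime/Operations.cpp, now each repeat the same two-step test (`structure(vm)->masqueradesAsUndefined(globalObject)`, then `isFunction(vm)`) and only differ in what they return; a single inline helper yielding a TypeofType, which each caller maps to its own result, would keep the six copies from drifting apart the next time the typeof rules change.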
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r231286 r231839 8757 8757 JITCompiler::NonZero, 8758 8758 JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoFlagsOffset()), 8759 TrustedImm32(MasqueradesAsUndefined | TypeOfShouldCallGetCallData));8759 TrustedImm32(MasqueradesAsUndefined | OverridesGetCallData)); 8760 8760 8761 8761 isNull.link(&m_jit); … … 8795 8795 JITCompiler::NonZero, 8796 8796 JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoFlagsOffset()), 8797 TrustedImm32(MasqueradesAsUndefined | TypeOfShouldCallGetCallData));8797 TrustedImm32(MasqueradesAsUndefined | OverridesGetCallData)); 8798 8798 8799 8799 notCell.link(&m_jit); -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r231471 r231839 15101 15101 return m_out.testNonZero32( 15102 15102 m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoFlags), 15103 m_out.constInt32(MasqueradesAsUndefined | TypeOfShouldCallGetCallData));15103 m_out.constInt32(MasqueradesAsUndefined | OverridesGetCallData)); 15104 15104 } 15105 15105 -
trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h
r230626 r231839 1529 1529 NonZero, 1530 1530 Address(cellGPR, JSCell::typeInfoFlagsOffset()), 1531 TrustedImm32(MasqueradesAsUndefined | TypeOfShouldCallGetCallData)));1531 TrustedImm32(MasqueradesAsUndefined | OverridesGetCallData))); 1532 1532 functor(TypeofType::Object, false); 1533 1533 -
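Review bot: with JSFunction now carrying OverridesGetCallData (runtime/JSFunction.h in this changeset), the `MasqueradesAsUndefined | OverridesGetCallData` test here in emitTypeOf, in DFGSpeculativeJIT::compileIsObjectOrNull/compileIsFunction and in FTL isExoticForTypeof stays a fast path only if the JSFunctionType branch is emitted before it; the hunks show just the flag line, so please confirm that ordering in each emitter and add a comment tying the two tests together, otherwise every ordinary function would take the slow typeof path and the Kraken win would not hold for the JITs.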
trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp
r229410 r231839 271 271 String errorMessage = makeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message); 272 272 scope.assertNoException(); 273 JSObject* exception = createTypeError(exec, errorMessage, appender, runtimeTypeForValue(v alue));273 JSObject* exception = createTypeError(exec, errorMessage, appender, runtimeTypeForValue(vm, value)); 274 274 ASSERT(exception->isErrorInstance()); 275 275 … … 279 279 JSObject* createInvalidFunctionApplyParameterError(ExecState* exec, JSValue value) 280 280 { 281 JSObject* exception = createTypeError(exec, makeString("second argument to Function.prototype.apply must be an Array-like object"), defaultSourceAppender, runtimeTypeForValue(value)); 281 VM& vm = exec->vm(); 282 JSObject* exception = createTypeError(exec, makeString("second argument to Function.prototype.apply must be an Array-like object"), defaultSourceAppender, runtimeTypeForValue(vm, value)); 282 283 ASSERT(exception->isErrorInstance()); 283 284 return exception; -
trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp
r231015 r231839 126 126 if (thisValue.isObject()) { 127 127 JSObject* object = asObject(thisValue); 128 if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) { 129 CallData callData; 130 if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) { 131 if (auto* classInfo = object->classInfo(vm)) { 132 scope.release(); 133 return JSValue::encode(jsMakeNontrivialString(exec, "function ", classInfo->className, "() {\n [native code]\n}")); 134 } 135 } 128 if (object->isFunction(vm)) { 129 scope.release(); 130 return JSValue::encode(jsMakeNontrivialString(exec, "function ", object->classInfo(vm)->className, "() {\n [native code]\n}")); 136 131 } 137 132 } -
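Review bot: the `if (auto* classInfo = object->classInfo(vm))` guard is dropped and `object->classInfo(vm)->className` is now dereferenced unconditionally at line 130. If classInfo can never be null for a live cell (which I believe is the case) the change is fine and the old guard was dead, but then the ChangeLog should say so; if it can be null, this is a new null dereference in Function.prototype.toString on a callable non-JSFunction object. Either way, state the reason.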
trunk/Source/JavaScriptCore/runtime/InternalFunction.h
r230813 r231839 37 37 public: 38 38 typedef JSDestructibleObject Base; 39 static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | ImplementsDefaultHasInstance | TypeOfShouldCallGetCallData;39 static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | ImplementsDefaultHasInstance | OverridesGetCallData; 40 40 41 41 template<typename CellType> -
trunk/Source/JavaScriptCore/runtime/JSCJSValue.h
r231733 r231839 219 219 // Querying the type. 220 220 bool isEmpty() const; 221 bool isFunction() const; 222 bool isFunction(CallType&, CallData&) const; 223 bool isCallable(CallType&, CallData&) const; 221 bool isFunction(VM&) const; 222 bool isCallable(VM&, CallType&, CallData&) const; 224 223 bool isConstructor() const; 225 224 bool isConstructor(ConstructType&, ConstructData&) const; -
trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h
r231733 r231839 760 760 } 761 761 762 inline bool JSValue::isFunction( ) const762 inline bool JSValue::isFunction(VM& vm) const 763 763 { 764 764 if (!isCell()) 765 765 return false; 766 JSCell* cell = asCell(); 767 CallData ignored; 768 return cell->methodTable()->getCallData(cell, ignored) != CallType::None; 769 } 770 771 inline bool JSValue::isFunction(CallType& callType, CallData& callData) const 772 { 773 return isCallable(callType, callData); 774 } 775 776 inline bool JSValue::isCallable(CallType& callType, CallData& callData) const 766 return asCell()->isFunction(vm); 767 } 768 769 inline bool JSValue::isCallable(VM& vm, CallType& callType, CallData& callData) const 777 770 { 778 771 if (!isCell()) 779 772 return false; 780 JSCell* cell = asCell(); 781 callType = cell->methodTable()->getCallData(cell, callData); 782 return callType != CallType::None; 773 return asCell()->isCallable(vm, callType, callData); 783 774 } 784 775 -
trunk/Source/JavaScriptCore/runtime/JSCell.h
r231166 r231839 116 116 bool isCustomGetterSetter() const; 117 117 bool isProxy() const; 118 bool isFunction(VM&); 119 bool isCallable(VM&, CallType&, CallData&); 118 120 bool inherits(VM&, const ClassInfo*) const; 119 121 template<typename Target> bool inherits(VM&) const; … … 154 156 // Returns information about how to call/construct this cell as a function/constructor. May tell 155 157 // you that the cell is not callable or constructor (default is that it's not either). If it 156 // says that the function is callable, and the TypeOfShouldCallGetCallData type flag is set, and158 // says that the function is callable, and the OverridesGetCallData type flag is set, and 157 159 // this is an object, then typeof will return "function" instead of "object". These methods 158 160 // cannot change their minds and must be thread-safe. They are sometimes called from compiler -
trunk/Source/JavaScriptCore/runtime/JSCellInlines.h
r231172 r231839 219 219 } 220 220 221 ALWAYS_INLINE bool JSCell::isFunction(VM& vm) 222 { 223 if (type() == JSFunctionType) 224 return true; 225 if (inlineTypeFlags() & OverridesGetCallData) { 226 CallData ignoredCallData; 227 return methodTable(vm)->getCallData(this, ignoredCallData) != CallType::None; 228 } 229 return false; 230 } 231 232 inline bool JSCell::isCallable(VM& vm, CallType& callType, CallData& callData) 233 { 234 if (type() != JSFunctionType && !(inlineTypeFlags() & OverridesGetCallData)) 235 return false; 236 callType = methodTable(vm)->getCallData(this, callData); 237 return callType != CallType::None; 238 } 239 221 240 inline bool JSCell::isAPIValueWrapper() const 222 241 { -
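Review bot: JSCell::isCallable (lines 232-238) returns false on the early-exit path without writing callType or callData, whereas the JSValue::isCallable it replaces always assigned callType from getCallData; a caller that inspects callType after a false result now reads an indeterminate value (callers typically declare `CallType callType;` uninitialised right before the call, as Stringifier::toJSONImpl does). Set `callType = CallType::None;` before the early return. Separately, isFunction is ALWAYS_INLINE while isCallable is plain `inline`; both sit on the same Stringifier hot path, so either justify the difference or make them match.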
trunk/Source/JavaScriptCore/runtime/JSFunction.h
r229547 r231839 70 70 71 71 typedef JSCallee Base; 72 const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames ;72 const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | OverridesGetCallData; 73 73 74 74 static size_t allocationSize(Checked<size_t> inlineCapacity) -
trunk/Source/JavaScriptCore/runtime/JSONObject.cpp
r231310 r231839 112 112 113 113 JSValue toJSON(JSValue, const PropertyNameForFunctionCall&); 114 JSValue toJSONImpl( JSValue value, JSValue toJSONFunction, const PropertyNameForFunctionCall&);114 JSValue toJSONImpl(VM&, JSValue, JSValue toJSONFunction, const PropertyNameForFunctionCall&); 115 115 116 116 enum StringifyResult { StringifyFailed, StringifySucceeded, StringifyFailedDueToUndefinedOrSymbolValue }; … … 300 300 RETURN_IF_EXCEPTION(scope, { }); 301 301 scope.release(); 302 return toJSONImpl(v alue, toJSONFunction, propertyName);303 } 304 305 JSValue Stringifier::toJSONImpl( JSValue value, JSValue toJSONFunction, const PropertyNameForFunctionCall& propertyName)302 return toJSONImpl(vm, value, toJSONFunction, propertyName); 303 } 304 305 JSValue Stringifier::toJSONImpl(VM& vm, JSValue value, JSValue toJSONFunction, const PropertyNameForFunctionCall& propertyName) 306 306 { 307 307 CallType callType; 308 308 CallData callData; 309 if (!toJSONFunction.isCallable( callType, callData))309 if (!toJSONFunction.isCallable(vm, callType, callData)) 310 310 return value; 311 311 … … 381 381 382 382 JSObject* object = asObject(value); 383 384 CallData callData; 385 if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) { 383 if (object->isFunction(vm)) { 386 384 if (holder.isArray()) { 387 385 builder.appendLiteral("null"); -
trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h
r231687 r231839 49 49 RETURN_IF_EXCEPTION(scope, void()); 50 50 51 RuntimeType type = runtimeTypeForValue( next);51 RuntimeType type = runtimeTypeForValue(vm, next); 52 52 if (!(type & legalTypesFilter)) { 53 53 throwTypeError(exec, scope, errorMessage); -
trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h
r231172 r231839 40 40 static const unsigned MasqueradesAsUndefined = 1; // WebCore uses MasqueradesAsUndefined to make document.all undetectable. 41 41 static const unsigned ImplementsDefaultHasInstance = 1 << 1; 42 static const unsigned TypeOfShouldCallGetCallData = 1 << 2; // Need this flag if you override getCallData() and you want typeof to use this to determine if it should say "function". Currently we always set this flag when we override getCallData().42 static const unsigned OverridesGetCallData = 1 << 2; // Need this flag if you implement [[Callable]] interface, which means overriding getCallData. The object may not be callable since getCallData can say it is not callable. 43 43 static const unsigned OverridesGetOwnPropertySlot = 1 << 3; 44 44 static const unsigned OverridesToThis = 1 << 4; // If this is false then this returns something other than 'this'. Non-object cells that are visible to JS have this set as do some exotic objects. … … 86 86 bool implementsHasInstance() const { return isSetOnFlags2(ImplementsHasInstance); } 87 87 bool implementsDefaultHasInstance() const { return isSetOnFlags1(ImplementsDefaultHasInstance); } 88 bool typeOfShouldCallGetCallData() const { return isSetOnFlags1(TypeOfShouldCallGetCallData); }88 bool overridesGetCallData() const { return isSetOnFlags1(OverridesGetCallData); } 89 89 bool overridesGetOwnPropertySlot() const { return overridesGetOwnPropertySlot(inlineTypeFlags()); } 90 90 static bool overridesGetOwnPropertySlot(InlineTypeFlags flags) { return flags & OverridesGetOwnPropertySlot; } -
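Review bot: the new comment on line 42 should spell out the consequence of forgetting the flag, since that is the failure mode this patch introduces: a class that overrides getCallData without setting OverridesGetCallData is now reported as non-callable by JSCell::isFunction/isCallable, and therefore by typeof, JSON.stringify and the DFG/FTL fast paths, with no assertion to catch it. "if you implement [[Callable]] interface, which means overriding getCallData" also reads better as "if you override getCallData (i.e. implement [[Call]])".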
trunk/Source/JavaScriptCore/runtime/Operations.cpp
r225799 r231839 91 91 if (object->structure(vm)->masqueradesAsUndefined(globalObject)) 92 92 return vm.smallStrings.undefinedString(); 93 if (object-> type() == JSFunctionType)93 if (object->isFunction(vm)) 94 94 return vm.smallStrings.functionString(); 95 if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) {96 CallData callData;97 JSObject* object = asObject(v);98 if (object->methodTable(vm)->getCallData(object, callData) != CallType::None)99 return vm.smallStrings.functionString();100 }101 95 } 102 96 return vm.smallStrings.objectString(); … … 120 114 if (asObject(v)->structure(vm)->masqueradesAsUndefined(callFrame->lexicalGlobalObject())) 121 115 return false; 122 CallData callData;123 116 JSObject* object = asObject(v); 124 if (object-> methodTable(vm)->getCallData(object, callData) != CallType::None)117 if (object->isFunction(vm)) 125 118 return false; 126 119 } -
trunk/Source/JavaScriptCore/runtime/ProxyObject.h
r229410 r231839 35 35 typedef JSNonFinalObject Base; 36 36 37 const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | TypeOfShouldCallGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | ProhibitsPropertyCaching;37 const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | ProhibitsPropertyCaching; 38 38 39 39 static ProxyObject* create(ExecState* exec, JSGlobalObject* globalObject, JSValue target, JSValue handler) -
trunk/Source/JavaScriptCore/runtime/RuntimeType.cpp
r205462 r231839 33 33 namespace JSC { 34 34 35 RuntimeType runtimeTypeForValue( JSValue value)35 RuntimeType runtimeTypeForValue(VM& vm, JSValue value) 36 36 { 37 37 if (UNLIKELY(!value)) … … 52 52 if (value.isObject()) 53 53 return TypeObject; 54 if (value.isFunction( ))54 if (value.isFunction(vm)) 55 55 return TypeFunction; 56 56 if (value.isSymbol()) -
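Review bot: the `value.isFunction(vm)` test on line 54 is unreachable: functions are objects, so `value.isObject()` on line 52 has already returned TypeObject for them, and runtimeTypeForValue can never yield TypeFunction. This predates the patch, but the VM& plumbing touches this exact spot, so swap the two tests if TypeFunction is meant to be reported; isFunction(vm) is now cheap enough to test first.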
trunk/Source/JavaScriptCore/runtime/RuntimeType.h
r206525 r231839 49 49 50 50 class JSValue; 51 RuntimeType runtimeTypeForValue( JSValue);51 RuntimeType runtimeTypeForValue(VM&, JSValue); 52 52 String runtimeTypeAsString(RuntimeType); 53 53 -
trunk/Source/JavaScriptCore/runtime/Structure.cpp
r231703 r231839 209 209 ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); 210 210 ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); 211 ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData); 211 212 } 212 213 … … 244 245 ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); 245 246 ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); 247 ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData); 246 248 } 247 249 … … 287 289 ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); 288 290 ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); 291 ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData); 289 292 } 290 293 -
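Review bot: the new ASSERT only checks one direction (flag set implies getCallData overridden). The regression this patch can introduce is the opposite one: a class that overrides getCallData but does not set OverridesGetCallData now looks non-callable to JSCell::isFunction and to typeof, and nothing catches it. Assert the converse as well, e.g. `ASSERT(m_classInfo->methodTable.getCallData == &JSCell::getCallData || typeInfo().overridesGetCallData());`, at least for object types. Also the same ASSERT is pasted into three constructors; a private consistency-check helper would keep them in step.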
trunk/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp
r229324 r231839 41 41 } 42 42 43 TypeProfilerLog::TypeProfilerLog() 44 : m_logSize(50000) 43 TypeProfilerLog::TypeProfilerLog(VM& vm) 44 : m_vm(vm) 45 , m_logSize(50000) 45 46 , m_logStartPtr(new LogEntry[m_logSize]) 46 47 , m_currentLogEntryPtr(m_logStartPtr) … … 96 97 } 97 98 98 RuntimeType type = runtimeTypeForValue( value);99 RuntimeType type = runtimeTypeForValue(m_vm, value); 99 100 TypeLocation* location = entry->location; 100 101 location->m_lastSeenType = type; -
trunk/Source/JavaScriptCore/runtime/TypeProfilerLog.h
r229309 r231839 54 54 55 55 56 TypeProfilerLog( );56 TypeProfilerLog(VM&); 57 57 ~TypeProfilerLog(); 58 58 … … 68 68 friend class LLIntOffsetsExtractor; 69 69 70 VM& m_vm; 70 71 unsigned m_logSize; 71 72 LogEntry* m_logStartPtr; -
trunk/Source/JavaScriptCore/runtime/VM.cpp
r231695 r231839 1044 1044 auto enableTypeProfiler = [this] () { 1045 1045 this->m_typeProfiler = std::make_unique<TypeProfiler>(); 1046 this->m_typeProfilerLog = std::make_unique<TypeProfilerLog>( );1046 this->m_typeProfilerLog = std::make_unique<TypeProfilerLog>(*this); 1047 1047 }; 1048 1048 -
trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp
r230956 r231839 1615 1615 1616 1616 JSValue functionValue = exec->argument(0); 1617 RELEASE_ASSERT(functionValue.isFunction( ));1617 RELEASE_ASSERT(functionValue.isFunction(vm)); 1618 1618 FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable(); 1619 1619 … … 1634 1634 1635 1635 JSValue functionValue = exec->argument(0); 1636 RELEASE_ASSERT(functionValue.isFunction( ));1636 RELEASE_ASSERT(functionValue.isFunction(vm)); 1637 1637 FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable(); 1638 1638 … … 1656 1656 1657 1657 JSValue functionValue = exec->argument(0); 1658 RELEASE_ASSERT(functionValue.isFunction( ));1658 RELEASE_ASSERT(functionValue.isFunction(vm)); 1659 1659 FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable(); 1660 1660 … … 1675 1675 1676 1676 JSValue functionValue = exec->argument(0); 1677 RELEASE_ASSERT(functionValue.isFunction( ));1677 RELEASE_ASSERT(functionValue.isFunction(vm)); 1678 1678 FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable(); 1679 1679 -
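Review bot: in all four functions, `RELEASE_ASSERT(functionValue.isFunction(vm))` is followed by an unchecked `jsDynamicCast<JSFunction*>(...)->jsExecutable()`. isFunction(vm) is true for any callable (ProxyObject, JSCallbackObject, InternalFunction), not only JSFunction, so passing a Proxy around a function or a built-in constructor such as Array makes the cast return nullptr and the next line dereference it. $vm is test-only, but a RELEASE_ASSERT on the cast result would be the honest check and would make the isFunction call redundant.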
trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h
r230759 r231839 66 66 if (!(arrayBuffer || arrayBufferView)) { 67 67 throwException(exec, throwScope, createTypeError(exec, 68 ASCIILiteral("first argument must be an ArrayBufferView or an ArrayBuffer"), defaultSourceAppender, runtimeTypeForValue(v alue)));68 ASCIILiteral("first argument must be an ArrayBufferView or an ArrayBuffer"), defaultSourceAppender, runtimeTypeForValue(vm, value))); 69 69 return { nullptr, 0 }; 70 70 } … … 72 72 if (arrayBufferView ? arrayBufferView->isNeutered() : arrayBuffer->impl()->isNeutered()) { 73 73 throwException(exec, throwScope, createTypeError(exec, 74 ASCIILiteral("underlying TypedArray has been detatched from the ArrayBuffer"), defaultSourceAppender, runtimeTypeForValue(v alue)));74 ASCIILiteral("underlying TypedArray has been detatched from the ArrayBuffer"), defaultSourceAppender, runtimeTypeForValue(vm, value))); 75 75 return { nullptr, 0 }; 76 76 } -
trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
r230768 r231839 219 219 // 2. If Type(o) is not Object, throw a TypeError. 220 220 if (!importModuleValue.isObject()) 221 return exception(createTypeError(exec, importFailMessage(import, "import", "must be an object"), defaultSourceAppender, runtimeTypeForValue( importModuleValue)));221 return exception(createTypeError(exec, importFailMessage(import, "import", "must be an object"), defaultSourceAppender, runtimeTypeForValue(vm, importModuleValue))); 222 222 223 223 // 3. Let v be the value of performing Get(o, i.item_name) -
trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
r230106 r231839 56 56 WebAssemblyFunction* wasmFunction = jsDynamicCast<WebAssemblyFunction*>(vm, exec->jsCallee()); 57 57 if (!wasmFunction) 58 return JSValue::encode(throwException(exec, scope, createTypeError(exec, "expected a WebAssembly function", defaultSourceAppender, runtimeTypeForValue( exec->jsCallee()))));58 return JSValue::encode(throwException(exec, scope, createTypeError(exec, "expected a WebAssembly function", defaultSourceAppender, runtimeTypeForValue(vm, exec->jsCallee())))); 59 59 Wasm::SignatureIndex signatureIndex = wasmFunction->signatureIndex(); 60 60 const Wasm::Signature& signature = Wasm::SignatureInformation::get(signatureIndex); -
trunk/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp
r230759 r231839 67 67 JSWebAssemblyModule* module = jsDynamicCast<JSWebAssemblyModule*>(vm, exec->argument(0)); 68 68 if (!module) 69 return JSValue::encode(throwException(exec, scope, createTypeError(exec, ASCIILiteral("first argument to WebAssembly.Instance must be a WebAssembly.Module"), defaultSourceAppender, runtimeTypeForValue( exec->argument(0)))));69 return JSValue::encode(throwException(exec, scope, createTypeError(exec, ASCIILiteral("first argument to WebAssembly.Instance must be a WebAssembly.Module"), defaultSourceAppender, runtimeTypeForValue(vm, exec->argument(0))))); 70 70 71 71 // If the importObject parameter is not undefined and Type(importObject) is not Object, a TypeError is thrown. … … 73 73 JSObject* importObject = importArgument.getObject(); 74 74 if (!importArgument.isUndefined() && !importObject) 75 return JSValue::encode(throwException(exec, scope, createTypeError(exec, ASCIILiteral("second argument to WebAssembly.Instance must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue( importArgument))));75 return JSValue::encode(throwException(exec, scope, createTypeError(exec, ASCIILiteral("second argument to WebAssembly.Instance must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(vm, importArgument)))); 76 76 77 77 Structure* instanceStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), exec->lexicalGlobalObject()->WebAssemblyInstanceStructure()); -
trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
r230768 r231839 137 137 // 2. If Type(o) is not Object, throw a TypeError. 138 138 if (!importModuleValue.isObject()) 139 return exception(createTypeError(exec, importFailMessage(import, "import", "must be an object"), defaultSourceAppender, runtimeTypeForValue( importModuleValue)));139 return exception(createTypeError(exec, importFailMessage(import, "import", "must be an object"), defaultSourceAppender, runtimeTypeForValue(vm, importModuleValue))); 140 140 141 141 // 3. Let v be the value of performing Get(o, i.item_name) … … 190 190 // 4. If i is a function import: 191 191 // i. If IsCallable(v) is false, throw a WebAssembly.LinkError. 192 if (!value.isFunction( ))192 if (!value.isFunction(vm)) 193 193 return exception(createJSWebAssemblyLinkError(exec, vm, importFailMessage(import, "import function", "must be callable"))); 194 194 -
trunk/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp
r231194 r231839 272 272 if (UNLIKELY(!importArgument.isUndefined() && !importObject)) { 273 273 promise->reject(exec, createTypeError(exec, 274 ASCIILiteral("second argument to WebAssembly.instantiate must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue( importArgument)));274 ASCIILiteral("second argument to WebAssembly.instantiate must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(vm, importArgument))); 275 275 CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, JSValue::encode(promise->promise())); 276 276 } else { … … 341 341 if (UNLIKELY(!importArgument.isUndefined() && !importObject)) { 342 342 promise->reject(exec, createTypeError(exec, 343 ASCIILiteral("second argument to WebAssembly.instantiateStreaming must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue( importArgument)));343 ASCIILiteral("second argument to WebAssembly.instantiateStreaming must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(vm, importArgument))); 344 344 CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, JSValue::encode(promise->promise())); 345 345 } else { -
trunk/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp
r230096 r231839 73 73 { 74 74 Base::finishCreation(vm, executable, length, name, instance); 75 RELEASE_ASSERT(JSValue(function).isFunction( ));75 RELEASE_ASSERT(JSValue(function).isFunction(vm)); 76 76 m_function.set(vm, this, function); 77 77 } -
trunk/Source/WebCore/ChangeLog
r231838 r231839 1 2018-05-15 Yusuke Suzuki <utatane.tea@gmail.com> 2 3 [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function 4 https://bugs.webkit.org/show_bug.cgi?id=185601 5 6 Reviewed by Saam Barati. 7 8 No behavior change. 9 10 * Modules/plugins/QuickTimePluginReplacement.mm: 11 (WebCore::QuickTimePluginReplacement::ensureReplacementScriptInjected): 12 * bindings/js/JSCustomElementRegistryCustom.cpp: 13 (WebCore::getCustomElementCallback): 14 * bindings/js/JSDOMConstructorBase.h: 15 * bindings/js/JSDOMConvertCallbacks.h: 16 (WebCore::Converter<IDLCallbackFunction<T>>::convert): 17 * bindings/js/JSDOMPromise.cpp: 18 (WebCore::DOMPromise::whenSettled): 19 * bindings/js/ReadableStream.cpp: 20 (WebCore::ReadableStream::pipeTo): 21 (WebCore::ReadableStream::tee): 22 * bindings/js/ReadableStreamDefaultController.cpp: 23 (WebCore::ReadableStreamDefaultController::invoke): 24 * bindings/scripts/CodeGeneratorJS.pm: 25 (GenerateHeader): 26 (GenerateOverloadDispatcher): 27 * bindings/scripts/test/JS/JSTestObj.h: 28 * bindings/scripts/test/JS/JSTestPluginInterface.h: 29 * bridge/objc/objc_runtime.h: 30 * bridge/runtime_method.h: 31 * bridge/runtime_object.h: 32 * html/HTMLMediaElement.cpp: 33 (WebCore::HTMLMediaElement::ensureMediaControlsInjectedScript): 34 * testing/Internals.cpp: 35 (WebCore::Internals::parserMetaData): 36 (WebCore::Internals::cloneArrayBuffer): 37 1 38 2018-05-15 Matt Baker <mattbaker@apple.com> 2 39 -
trunk/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm
r230211 r231839 160 160 161 161 JSC::JSValue replacementFunction = globalObject->get(exec, JSC::Identifier::fromString(exec, "createPluginReplacement")); 162 if (replacementFunction.isFunction( ))162 if (replacementFunction.isFunction(vm)) 163 163 return true; 164 164 -
trunk/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp
r223476 r231839 50 50 if (callback.isUndefined()) 51 51 return nullptr; 52 if (!callback.isFunction( )) {52 if (!callback.isFunction(vm)) { 53 53 throwTypeError(&state, scope, ASCIILiteral("A custom element callback must be a function")); 54 54 return nullptr; -
trunk/Source/WebCore/bindings/js/JSDOMConstructorBase.h
r211892 r231839 29 29 using Base = JSDOMObject; 30 30 31 static const unsigned StructureFlags = Base::StructureFlags | JSC::ImplementsHasInstance | JSC::ImplementsDefaultHasInstance | JSC:: TypeOfShouldCallGetCallData;31 static const unsigned StructureFlags = Base::StructureFlags | JSC::ImplementsHasInstance | JSC::ImplementsDefaultHasInstance | JSC::OverridesGetCallData; 32 32 static JSC::Structure* createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue); 33 33 -
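Review bot: The rename here is only safe if every class that overrides getCallData also carries OverridesGetCallData, because the `isFunction(vm)` calls introduced elsewhere in this changeset consult the flag before the virtual getCallData. A class that overrides getCallData but never set the old TypeOfShouldCallGetCallData (which previously only affected `typeof`) would now be reported as not callable; please confirm the audit covered all getCallData overrides rather than only the classes that already had the old flag.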
trunk/Source/WebCore/bindings/js/JSDOMConvertCallbacks.h
r215777 r231839 41 41 auto scope = DECLARE_THROW_SCOPE(vm); 42 42 43 if (!value.isFunction( )) {43 if (!value.isFunction(vm)) { 44 44 exceptionThrower(state, scope); 45 45 return nullptr; -
trunk/Source/WebCore/bindings/js/JSDOMPromise.cpp
r228258 r231839 65 65 auto* promise = this->promise(); 66 66 auto thenFunction = promise->get(&state, privateName); 67 ASSERT(thenFunction.isFunction( ));67 ASSERT(thenFunction.isFunction(vm)); 68 68 69 69 JSC::MarkedArgumentBuffer arguments; -
trunk/Source/WebCore/bindings/js/ReadableStream.cpp
r229416 r231839 80 80 81 81 auto readableStreamPipeTo = m_globalObject->get(&state, privateName); 82 ASSERT(readableStreamPipeTo.isFunction( ));82 ASSERT(readableStreamPipeTo.isFunction(state.vm())); 83 83 84 84 MarkedArgumentBuffer arguments; … … 96 96 97 97 auto readableStreamTee = m_globalObject->get(&state, privateName); 98 ASSERT(readableStreamTee.isFunction( ));98 ASSERT(readableStreamTee.isFunction(state.vm())); 99 99 100 100 MarkedArgumentBuffer arguments; -
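Review bot: Both ASSERTs in this file call `state.vm()` inline, whereas the sibling hunks (JSDOMPromise.cpp, ReadableStreamDefaultController.cpp) pass a local `vm`; for consistency consider `auto& vm = state.vm();` at the top of pipeTo and tee. Harmless as written, since the call only exists in debug builds.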
trunk/Source/WebCore/bindings/js/ReadableStreamDefaultController.cpp
r228218 r231839 58 58 RETURN_IF_EXCEPTION(scope, JSC::JSValue()); 59 59 60 if (!function.isFunction( )) {60 if (!function.isFunction(vm)) { 61 61 if (!function.isUndefined()) 62 62 throwTypeError(&state, scope, ASCIILiteral("ReadableStream trying to call a property that is not callable")); -
trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
r231622 r231839 2635 2635 push(@headerContent, " static JSC::CallType getCallData(JSC::JSCell*, JSC::CallData&);\n\n"); 2636 2636 $headerIncludes{"<JavaScriptCore/CallData.h>"} = 1; 2637 $structureFlags{"JSC:: TypeOfShouldCallGetCallData"} = 1;2637 $structureFlags{"JSC::OverridesGetCallData"} = 1; 2638 2638 } 2639 2639 … … 3420 3420 3421 3421 $overload = GetOverloadThatMatches($S, $d, \&$isObjectOrCallbackFunctionParameter); 3422 &$generateOverloadCallIfNecessary($overload, "distinguishingArg.isFunction( )");3422 &$generateOverloadCallIfNecessary($overload, "distinguishingArg.isFunction(vm)"); 3423 3423 3424 3424 # FIXME: Avoid invoking GetMethod(object, Symbol.iterator) again in convert<IDLSequence<T>>(...). -
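Review bot: The GenerateOverloadDispatcher hunk now emits `distinguishingArg.isFunction(vm)` into generated bindings, so the generated dispatcher must already declare `vm` (for example `VM& vm = state->vm();`) before this check; the context lines do not show that, please confirm. Also, only generated headers (JSTestObj.h, JSTestPluginInterface.h) are updated in this changeset; if any bindings test IDL has an overload with an object-or-callback-function parameter, the corresponding generated .cpp expectation should be regenerated as well.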
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.h
r228038 r231839 76 76 JSC::JSValue testCustomReturnsOwnPromiseFunction(JSC::ExecState&); 77 77 public: 78 static const unsigned StructureFlags = JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGet OwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::TypeOfShouldCallGetCallData| Base::StructureFlags;78 static const unsigned StructureFlags = JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetCallData | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | Base::StructureFlags; 79 79 protected: 80 80 JSTestObj(JSC::Structure*, JSDOMGlobalObject&, Ref<TestObj>&&); -
trunk/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.h
r228038 r231839 58 58 static JSC::JSValue getConstructor(JSC::VM&, const JSC::JSGlobalObject*); 59 59 public: 60 static const unsigned StructureFlags = JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGet OwnPropertySlot | JSC::TypeOfShouldCallGetCallData| Base::StructureFlags;60 static const unsigned StructureFlags = JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetCallData | JSC::OverridesGetOwnPropertySlot | Base::StructureFlags; 61 61 protected: 62 62 JSTestPluginInterface(JSC::Structure*, JSDOMGlobalObject&, Ref<TestPluginInterface>&&); -
trunk/Source/WebCore/bridge/objc/objc_runtime.h
r228218 r231839 94 94 public: 95 95 typedef JSDestructibleObject Base; 96 static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | TypeOfShouldCallGetCallData;96 static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData; 97 97 98 98 static ObjcFallbackObjectImp* create(ExecState* exec, JSGlobalObject* globalObject, ObjcInstance* instance, const String& propertyName) -
trunk/Source/WebCore/bridge/runtime_method.h
r230813 r231839 36 36 public: 37 37 typedef InternalFunction Base; 38 static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | TypeOfShouldCallGetCallData;38 static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData; 39 39 40 40 template<typename CellType> -
trunk/Source/WebCore/bridge/runtime_object.h
r228218 r231839 36 36 public: 37 37 typedef JSDestructibleObject Base; 38 static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | TypeOfShouldCallGetCallData;38 static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | OverridesGetCallData; 39 39 40 40 static RuntimeObject* create(VM& vm, Structure* structure, RefPtr<Instance>&& instance) -
trunk/Source/WebCore/html/HTMLMediaElement.cpp
r231817 r231839 7091 7091 7092 7092 JSC::JSValue functionValue = globalObject->get(exec, JSC::Identifier::fromString(exec, "createControls")); 7093 if (functionValue.isFunction( ))7093 if (functionValue.isFunction(vm)) 7094 7094 return true; 7095 7095 -
trunk/Source/WebCore/testing/Internals.cpp
r231817 r231839 2051 2051 CodeBlock* codeBlock = iter.codeBlock(); 2052 2052 executable = codeBlock->ownerScriptExecutable(); 2053 } else if (code.isFunction( )) {2053 } else if (code.isFunction(vm)) { 2054 2054 JSFunction* funcObj = JSC::jsCast<JSFunction*>(code.toObject(exec)); 2055 2055 executable = funcObj->jsExecutable(); … … 4027 4027 globalObject->methodTable(vm)->getOwnPropertySlot(globalObject, &state, privateName, propertySlot); 4028 4028 value = propertySlot.getValue(&state, privateName); 4029 ASSERT(value.isFunction( ));4029 ASSERT(value.isFunction(vm)); 4030 4030 4031 4031 JSObject* function = value.getObject(); -
trunk/Source/WebKit/ChangeLog
r231837 r231839 1 2018-05-15 Yusuke Suzuki <utatane.tea@gmail.com> 2 3 [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function 4 https://bugs.webkit.org/show_bug.cgi?id=185601 5 6 Reviewed by Saam Barati. 7 8 * WebProcess/Plugins/Netscape/JSNPObject.h: 9 1 10 2018-05-15 Sihui Liu <sihui_liu@apple.com> 2 11 -
trunk/Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h
r230813 r231839 45 45 public: 46 46 typedef JSC::JSDestructibleObject Base; 47 static const unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC:: TypeOfShouldCallGetCallData;47 static const unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::OverridesGetCallData; 48 48 49 49 template<typename CellType>