This helps avoid a lot of dynamic slot allocations on popular websites which
improves performance. AWSY seems unaffected.
Differential Revision: https://phabricator.services.mozilla.com/D107633
The html:dialog event can respond to [esc] keypresses itself. In that case,
we need to close the embedded dialog ourselves, or the UI ends up broken.
We also need to make sure that if e.g. the opening multiple pages from bookmarks warning is up,
and then the user tries to quit or in some other way opens another dialog, things don't break.
This also applies to tests that repeatedly invoke dialogs, where we need to wait for both
the SubDialog instance and the wrapping html:dialog element to agree on their state.
Differential Revision: https://phabricator.services.mozilla.com/D107463
I'm not sure why this wasn't found before, but it seems there's no pre-write barrier when changing the getter/setter objects. It's debateable whether this is required because the shape is newly created here and the getters/setters haven't had a chance to eacape by this point, but it seems safest just to add the barrier.
After adding the barrier it bacame aparrent we call the Shape consturctor for accessor shapes allocated by NativeObject::replaceWithNewEquivalentShape. I think this is UB. We at least need to initialize getters/setters for the barrier to work.
Differential Revision: https://phabricator.services.mozilla.com/D107494
On Android, we expect to use WebRender (Software OpenGL)"RenderCompositorOGLSWGL" instead of WebRender (Software)"RenderCompositorSWGL".
Differential Revision: https://phabricator.services.mozilla.com/D107969
When typing at edge of a link, editor splits the link element at the edge (i.e.,
creating an empty link element). Then, unlink the new link element (i.e.,
clearing the "link style"). At this time, `class` attribute and `style`
attribute are cloned to new `<span>` element for keeping the original style.
However, in this case, other browsers discard the specified style of the link.
On the other hand, when unlinking a link with `execCommand("unlink")`, the
other browsers keep specified style coming from `style` attribute.
Therefore, this patch adds new state to `PropItem`, which indicates whether
the `class` and `style` attribute should be cloned or discarded. And then,
when preparing for inserting text, this patch makes it pass to the utility
method.
For better compatibility, we should stop cloning `class` attribute, but not
in this bug because this patch should be minimized for requesting uplift to
beta channel.
Differential Revision: https://phabricator.services.mozilla.com/D107801
This commit implements the complete subtyping and equivalence algorithm
used for struct and array types. The algorithm is an implementation of
gfp^t [1] for the subtyping rules presented in the MVP. An simple
python implementation is given at the end of V8 MVP doc [2].
Two challenges were given for integrating this with our validation code.
* Subtyping checks require allocating in a cache, which may OOM. Code was
modified to handle this appropriately and abstracted across validation.
* The type assumption cache is not thread-safe and cannot exist in the
type context. Code was modified to store this in appropriate locations
and thread it through validation.
[1] Pierce, Benjamin C. Types and Programming Languages. definition 21.6.4
[2] https://docs.google.com/document/d/1yAWU3dbs8kUa_wcnnirDxUu9nEBsNfq0Xo90OWx6yuo/edit#heading=h.9dwoku9340md
Differential Revision: https://phabricator.services.mozilla.com/D105052
This commit reduces the register usage of the GC instructions to allow
this code to work on x86.
Specifically
* array.new switches to a decrement `length` to zero loop to drop the separate index register
* emitGcArraySet uses a manual lshift and rshift on the array index instead of a scratch register
* emitBarrieredStore is tweaked to preserve registers so we don't need an extra register
in emitGcArraySet
* struct.set uses the rdata register as a scratch pointer while loading the rdata pointer
* array.set shuffles the `value` operand from the top of the stack to the bottom, so that
we don't need it in a register until later in the instruction.
Differential Revision: https://phabricator.services.mozilla.com/D107777
This commit adds the zero/sign extension get instructions for
arrays and structs. The proposal specifies that these instructions
are used iff the field type is i8 or i16. Validation is updated
to check for this.
Differential Revision: https://phabricator.services.mozilla.com/D104277
This was only needed because at one point you could acquire the backing
storage of a TypedObject. Replace this with explicitly allocated data
to simplify OutlineTypedObject, along with removing the need to
have a separate object/owner pointer in baseline codegen.
Differential Revision: https://phabricator.services.mozilla.com/D104276
This commit adds ArrayType, extends TypedObject to support arrays, adds array
instructions to validation and the baseline compiler.
* ArrayType subtyping is initially shallow just like StructType.
* Every array value is an OutlineTypedObject to simplify codegen
* The length of an array is a uint32_t stored at the beginning of the object
* TypedObject trace lists were removed to simplify the implementation
* The implementation of gc object load/storing is factored out in the baseline
compiler to allow for sharing between struct.new/struct.get/struct.set/array.new
/array.get/array.set. This was the trickiest part and had the most churn.
* New methods are added for pushing/popping AnyReg from the value stack to share
code for gc set/get
* The only correct use of StructType.isInline_ is during struct.new, so the field
is removed and replaced with a direct check of if the struct's size is small
enough to be inline.
Differential Revision: https://phabricator.services.mozilla.com/D104275
This commit tries to add more type safety to the baseline compiler by adding a
new RegRef and moving all GC uses to use it.
A couple of notes on the changes.
* RegRef is used only for GC pointers. It is realized on the Stk as a separate type.
* RegPtr is used only for non-GC pointers. It is pushed on the Stk as a I32/I64 depending
on the host system. RegPtr is not a typedef of RegI32/RegI64 to get slightly more type
safety during codegeneration. This could be subverted through the Stk, but I think this is
a good compromise.
* ValType::hostPtr() is added for determining the wasm equivalent for a native ptr, I32/I64.
* BaseStackFrame::pushPtr/popPtr is renamed to pushGPR/popGPR to signify that it's
used for RegI32, RegPtr, and RegRef.
* AnyReg only operates on RegRef
* Stk only allows RegRef
* valueAddr used by PostBarrier is switched to be a RegPtr to avoid a type mismatch as
it is not a GC object, it only points into a GC object.
Differential Revision: https://phabricator.services.mozilla.com/D107307
This commit reorganizes the ValType class to be a base template PackedType<T>, which
is instantiated as a FieldType and ValType. This allows for some type safety
so that most code that never cares about I8/I16 doesn't need to be extended, while
still allowing sharing of implementation across ValType and FieldType.
I tried several different ways of achieving these goals, and this was the least
bad. I'm open to other alternatives.
StructType is extended to use FieldType for it's fields and struct instructions are
extended to handle this. The tricky case is struct.get which will zero extend the
packed fields. A later commit will make this spec compliant by adding get_u,get_s.
Differential Revision: https://phabricator.services.mozilla.com/D104274
This commit adds a version of the struct new instruction
which takes no initial values and gives each field the
default value.
Differential Revision: https://phabricator.services.mozilla.com/D104273
This commit adds rtt.sub as an instruction to form new RttValue's with
an explicit subtyping chain. This is implemented as a link from sub
rtt to parent rtt. Validation ensures that chains can only be formed
from a T <: U. Each execution of an rtt.sub instruction creates a new
rtt value. This may be changed in the future to align with the proper
spec semantics.
With rtt.sub, we can now implement ref.test/ref.cast/br_on_cast
instructions that operate on structs with an rtt. The subtyping
check is implemented as an instance call performing a linear
search through rtt chains.
Differential Revision: https://phabricator.services.mozilla.com/D104269
Julien Wajsberg
Chris H-C
Gregory Mierzwinski
Florian Quèze
Jan de Mooij
Simon Giesecke
Nikita Sen
Alexandre Poirot
Christian Holler
Benjamin Beurdouche
Gijs Kruitbosch
Emilio Cobos Álvarez
Butkovits Atila
Jonathan Kew
Timothy Nikkel
Jon Coppeard
Frederik Braun
Alex Henrie
André Bargull
sotaro
Nihanth Subramanya
Masayuki Nakano
Julian Descottes
Jan Varga
Ryan Hunt