This allows taking a snapshot of an object's state and then at a later point
checking invariants that we expect to hold for shapes. This will let us catch
bugs where an object or shape is mutated in ways that would be a problem for
JIT code.
Differential Revision: https://phabricator.services.mozilla.com/D111266
This commit adds a declarative `JS_FOR_WASM_FEATURES` macro which
expands for every WebAssembly proposal we are gating. Most feature
gating code is refactored to use this macro so that we have one place
we need to change to get the majority of this code working. The only
place that needs to be updated for new features is the browser pref
declaration code, as that cannot use this macro. This is documented
in the new WasmFeatures.h header.
The feature gating logic should work almost identically as before.
The changes are:
* All browser prefs are moved to StaticPrefList.yaml
* The code to enable a feature was conditionally compiled to not
enable the feature at variously stages of the "flag-flow". Now
the only place that is conditionally compiled to not work is
in the WasmXFlag functions. This is to make the macro simpler
and might be able to be reverted if need be.
* The flag for gc is shortened from gcTypes to gc so that the
existing usages of the wasmGcEnabled shell function don't have
to change.
This commit also has the effect of giving function-references/gc/
exception-handling a proper browser pref for enabling the features.
Differential Revision: https://phabricator.services.mozilla.com/D110820
There are a number of callers in Gecko, most of them are using this to iterate over an object
expected to be an array. This should be okay for now; if there are callers that need the
full length we can add a separate API that returns uint64_t.
This lets us remove ToLengthClamped and the GetLengthProperty overload returning uint32_t.
Differential Revision: https://phabricator.services.mozilla.com/D111389
I am not super happy with having to do `Rooted<PropertyDescriptor> desc(cx, *desc_);` in DebuggerObject::getOwnPropertyDescriptor.
However PropertyDescriptor::value() can't be resolved properly, unlike MutableHandle<PropertyDescriptor>::value().
I wonder if Maybe could return Handle/MutableHandle as well somehow.
Differential Revision: https://phabricator.services.mozilla.com/D110663
In order to correctly support this with the optimized storage for methods we
would need new bytecode like GetAliasedVar which is able to traverse
non-EnvironmentObject environments like DebugEnvironmentProxy.
Unfortunately, for safety this means we will ultimately disable this for a number of
different private field and accessor invocations.
Differential Revision: https://phabricator.services.mozilla.com/D109402
Note that starting the off-thread compile simply uses the existing
mechanisms. We only need a special "finish" function to avoid automatic
instantiation.
Differential Revision: https://phabricator.services.mozilla.com/D109958
While this API also parses to a Stencil, care must be taken by callers since
parsing JavaScript text as a module vs global script as different semantics
(as defined in ECMAScript spec).
Differential Revision: https://phabricator.services.mozilla.com/D109974
getCppEntryRegisters() for JIT frames delegates to jit::JitRuntime::getCppEntryRegisters(JitFrameLayout*), which retrieves relevant state registers pointing at the native calling frame.
For now implementations on all platforms do nothing. They will be implemented in subsequent patches and bugs, to be used with modified stack walkers, so that they may resume sampling past JIT frames -- see main bug 1635987.
Differential Revision: https://phabricator.services.mozilla.com/D109696
At this point the old GetterOp/SetterOp mechanism is only used for the special
array.length and ArgumentsObject properties. This means we no longer need the
generic GetterOp/SetterOp function pointers.
Instead, we now flag these properties as JSPROP_CUSTOM_DATA_PROP and use a nullptr
getter and setter. At the point where we used to call the old GetterOp/SetterOp,
we now dispatch on the JSClass and call the getter/setter code directly.
This still isn't perfect, but it unblocks further cleanup and optimization work.
For example, this patch also cleans up the Shape code to use JS objects directly
for getters/setters, instead of casting these objects to GetterOp/SetterOp.
We still use addAccessorProperty and putAccessorProperty to add/redefine the
custom data properties on array and arguments objects. When we change how the
accessor properties are implemented, we can rename this to addCustomDataProperty
and putCustomDataProperty and simplify the code more.
Differential Revision: https://phabricator.services.mozilla.com/D109516
GetterOp/SetterOp are now only used internally for array and arguments objects.
PropertyDescriptor no longer has to know about these properties.
Differential Revision: https://phabricator.services.mozilla.com/D109358
This commit adds rtt.sub as an instruction to form new RttValue's with
an explicit subtyping chain. This is implemented as a link from sub
rtt to parent rtt. Validation ensures that chains can only be formed
from a T <: U. Each execution of an rtt.sub instruction creates a new
rtt value. This may be changed in the future to align with the proper
spec semantics.
With rtt.sub, we can now implement ref.test/ref.cast/br_on_cast
instructions that operate on structs with an rtt. The subtyping
check is implemented as an instance call performing a linear
search through rtt chains.
Differential Revision: https://phabricator.services.mozilla.com/D104269
Support for `nullptr` context was added in bug 1229642 for the SPSProfiler. This
code is no longer present, so we can require a non-nullptr context in
CharsToNewUTF8CharsZ again.
Depends on D107473
Differential Revision: https://phabricator.services.mozilla.com/D107474
JSPropertySpec used this bit to distinguish accessor vs value properties. Fortunately
we have unused padding bytes so we can use a bool instead.
Differential Revision: https://phabricator.services.mozilla.com/D106283
Note that on 32-bit platforms, JSObject is still 8 bytes. This means we don't have
to worry about misaligned DoubleValue stores to fixed slots on ARM32/MIPS32.
Differential Revision: https://phabricator.services.mozilla.com/D106986
BaseShape stores the JSClass* too so this patch changes the code to get the JSClass*
from there instead of from the ObjectGroup.
Differential Revision: https://phabricator.services.mozilla.com/D106975
Note that on 32-bit platforms, JSObject is still 8 bytes. This means we don't have
to worry about misaligned DoubleValue stores to fixed slots on ARM32/MIPS32.
Differential Revision: https://phabricator.services.mozilla.com/D106986
Jan de Mooij
Ryan Hunt
Tooru Fujisawa
Yulia Startsev
smolnar
Brindusan Cristian
Tom Schuster
Alexandru Michis
Jason Orendorff
Matthew Gaudet
Ted Campbell
Gerald Squelart
Yoshi Cheng-Hao Huang
Simon Giesecke
Iain Ireland
André Bargull
Narcis Beleuzu