[webkit-changes] [WebKit/WebKit] e2264e: Versioning.

Russell Epstein noreply at github.com
Tue Jan 23 07:28:30 PST 2024


  Branch: refs/heads/safari-7617.2.4.11-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: e2264e53553ad93a2d56b2f77113cddd6c970aa8
      https://github.com/WebKit/WebKit/commit/e2264e53553ad93a2d56b2f77113cddd6c970aa8
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-19 (Tue, 19 Dec 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.2.4.11.1

Canonical link: https://commits.webkit.org/267815.657@safari-7617.2.4.11-branch


  Commit: 670a4adb29bf7be4a2564a5730afff199701aa5f
      https://github.com/WebKit/WebKit/commit/670a4adb29bf7be4a2564a5730afff199701aa5f
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-12-19 (Tue, 19 Dec 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.2.4.11.2

Canonical link: https://commits.webkit.org/267815.658@safari-7617.2.4.11-branch


  Commit: 8699d5fa7a975f4ab0c8bb10db77967d2b9fb962
      https://github.com/WebKit/WebKit/commit/8699d5fa7a975f4ab0c8bb10db77967d2b9fb962
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.2.4.11.3

Canonical link: https://commits.webkit.org/267815.659@safari-7617.2.4.11-branch


  Commit: b80a293b367b728053857f91999335a22abc64a1
      https://github.com/WebKit/WebKit/commit/b80a293b367b728053857f91999335a22abc64a1
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp
    M Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h
    M Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp
    M Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp
    M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp
    M Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
    M Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm

  Log Message:
  -----------
  Cherry-pick 2bee8872e3b9. rdar://118004786

    REGRESSION (233845 at main): Crash in MediaKeySystemRequest::~MediaKeySystemRequest
    https://bugs.webkit.org/show_bug.cgi?id=266619
    rdar://118004786

    Reviewed by Jean-Yves Avenard.

    In 233845 at main, NavigatorEME::requestMediaKeySystemAccess moved the task that creates the CDM
    instance into a completion handler that's called asynchronously once the client allows media key
    access. The completion handler captured a raw pointer to the document, leading to a crash if the
    document is destroyed before the completion handler is called. Debug builds would also assert in
    CompletionHandler::~CompletionHandler because ActiveDOMObject::queueTaskInEventLoop would not
    invoke the task queued by MediaKeySystemRequest::allow - which captured a CompletionHandler - when
    scriptExecutionContext is null.

    Addressed the crash by capturing document as a WeakPtr and null-checking it prior to calling
    Document::postTask in NavigatorEME::requestMediaKeySystemAccess's allow callback. Addressed the
    assertion failure by removing the unnecessary asynchronous CompletionHandler from
    Messages::WebPage::MediaKeySystemWasGranted.

    * Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.cpp:
    (WebCore::MediaKeySystemRequest::allow):
    * Source/WebCore/Modules/encryptedmedia/MediaKeySystemRequest.h:
    * Source/WebCore/Modules/encryptedmedia/NavigatorEME.cpp:
    (WebCore::NavigatorEME::requestMediaKeySystemAccess):
    * Source/WebKit/UIProcess/MediaKeySystemPermissionRequestManagerProxy.cpp:
    (WebKit::MediaKeySystemPermissionRequestManagerProxy::grantRequest):
    * Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.cpp:
    (WebKit::MediaKeySystemPermissionRequestManager::mediaKeySystemWasGranted):
    * Source/WebKit/WebProcess/EncryptedMedia/MediaKeySystemPermissionRequestManager.h:
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::mediaKeySystemWasGranted):
    * Source/WebKit/WebProcess/WebPage/WebPage.h:
    * Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
    * Source/WebKitLegacy/mac/WebCoreSupport/WebMediaKeySystemClient.mm:
    (WebMediaKeySystemClient::requestMediaKeySystem):

    Canonical link: https://commits.webkit.org/267815.655@safari-7617-branch

Canonical link: https://commits.webkit.org/267815.660@safari-7617.2.4.11-branch
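The lifetime bug and fix described in the commit message above, modelled as an added example. This is hypothetical stand-in C++ written for this page, not WebKit's code: Document, DocumentOwner, EventLoop, requestWithRawPointer and requestWithWeakPtr stand in for WebCore's Document, whatever owns it, the asynchronous permission completion handler and NavigatorEME::requestMediaKeySystemAccess, and std::weak_ptr plays the role of WTF::WeakPtr. The "before" variant detects the dangling pointer through a registry of live documents instead of dereferencing freed memory, so the program stays well defined while still showing the hazard.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Hypothetical stand-in for WebCore::Document (not WebKit code).
struct Document {
    std::vector<std::string> postedTasks;
    void postTask(const std::string& name) { postedTasks.push_back(name); }
};

// Registry of live documents. It exists only so the "before" variant can
// recognise a dangling pointer instead of touching freed memory (UB).
static std::set<const Document*>& liveDocuments() {
    static std::set<const Document*> live;
    return live;
}

// Owner that tears the document down, e.g. on navigation (hypothetical).
struct DocumentOwner {
    std::shared_ptr<Document> doc = std::make_shared<Document>();
    DocumentOwner() { liveDocuments().insert(doc.get()); }
    ~DocumentOwner() { destroyDocument(); }
    void destroyDocument() {
        if (!doc) return;
        liveDocuments().erase(doc.get());
        doc.reset();                       // last reference: Document is freed here
    }
};

// Minimal event loop: the client's answer arrives later, as a queued handler.
using CompletionHandler = std::function<void()>;
struct EventLoop {
    std::vector<CompletionHandler> pending;
    void runPending() {
        std::vector<CompletionHandler> tasks = std::move(pending);
        pending.clear();
        for (auto& task : tasks) task();
    }
};

struct Outcome {
    bool danglingAccess = false;   // handler ran against a destroyed document
    bool taskPosted = false;       // CDM-creation task reached a live document
};

// BEFORE (the regression): the handler captures Document* by value, so nothing
// ties it to the document's lifetime.
std::shared_ptr<Outcome> requestWithRawPointer(EventLoop& loop, Document* document) {
    auto outcome = std::make_shared<Outcome>();
    loop.pending.push_back([document, outcome] {
        if (liveDocuments().count(document) == 0) {
            outcome->danglingAccess = true;   // real code would dereference freed memory
            return;
        }
        document->postTask("createCDMInstance");
        outcome->taskPosted = true;
    });
    return outcome;
}

// AFTER (the fix): capture a weak reference and null-check it before posting.
std::shared_ptr<Outcome> requestWithWeakPtr(EventLoop& loop, const std::shared_ptr<Document>& document) {
    auto outcome = std::make_shared<Outcome>();
    std::weak_ptr<Document> weakDocument = document;
    loop.pending.push_back([weakDocument, outcome] {
        std::shared_ptr<Document> doc = weakDocument.lock();
        if (!doc)
            return;                           // document already gone: drop the task
        doc->postTask("createCDMInstance");
        outcome->taskPosted = true;
    });
    return outcome;
}

// Interleaving: request issued, optionally the document is destroyed, then the
// client allows the request and the queued handler runs.
Outcome runScenario(bool useWeakPtr, bool destroyBeforeCallback) {
    EventLoop loop;
    DocumentOwner owner;
    std::shared_ptr<Outcome> outcome = useWeakPtr
        ? requestWithWeakPtr(loop, owner.doc)
        : requestWithRawPointer(loop, owner.doc.get());
    if (destroyBeforeCallback)
        owner.destroyDocument();
    loop.runPending();
    return *outcome;
}

int main() {
    Outcome before = runScenario(false, true);
    Outcome after = runScenario(true, true);
    return (before.danglingAccess && !after.danglingAccess && !after.taskPosted) ? 0 : 1;
}
```

With the raw capture the handler fires against a destroyed document; with the weak capture it simply drops the CDM-creation task, which is the behaviour the fix describes. When the document outlives the callback both variants post the task.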


  Commit: 2b8379635f5e78119596fa059511847592056789
      https://github.com/WebKit/WebKit/commit/2b8379635f5e78119596fa059511847592056789
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp

  Log Message:
  -----------
  Cherry-pick 64a739754a58. rdar://117839300

    Ensure NetworkStorageManager gets destroyed on the main thread
    https://bugs.webkit.org/show_bug.cgi?id=266603
    rdar://117839300

    Reviewed by Chris Dumez and Alex Christensen.

    Dispatch a task to main thread to release ref of NetworkStorageManager in stopReceivingMessageFromConnection, which may
    help fix the crash under IDBStorageRegistry::removeConnectionToClient in rdar://117839300.

    * Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp:
    (WebKit::NetworkStorageManager::stopReceivingMessageFromConnection):

    Canonical link: https://commits.webkit.org/272313@main

Canonical link: https://commits.webkit.org/267815.661@safari-7617.2.4.11-branch


  Commit: 612bd2103522cff4b9f3dc831c47ff645c9d3de6
      https://github.com/WebKit/WebKit/commit/612bd2103522cff4b9f3dc831c47ff645c9d3de6
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2023-12-20 (Wed, 20 Dec 2023)

  Changed paths:
    M Source/WebKit/NetworkProcess/storage/NetworkStorageManager.cpp

  Log Message:
  -----------
  Revert "Cherry-pick 64a739754a58. rdar://117839300"

This reverts commit 2b8379635f5e78119596fa059511847592056789.

Canonical link: https://commits.webkit.org/267815.662@safari-7617.2.4.11-branch


  Commit: e53eb7ff29fe5a92db038b66a88f149afa30b60d
      https://github.com/WebKit/WebKit/commit/e53eb7ff29fe5a92db038b66a88f149afa30b60d
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2024-01-02 (Tue, 02 Jan 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.2.4.11.4

Identifier: 267815.663@safari-7617.2.4.11-branch


  Commit: fa8fab352aac3ce21160be2e0fd21ced7ff74f65
      https://github.com/WebKit/WebKit/commit/fa8fab352aac3ce21160be2e0fd21ced7ff74f65
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2024-01-03 (Wed, 03 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/heap/Heap.cpp
    M Source/JavaScriptCore/heap/Heap.h
    M Source/JavaScriptCore/runtime/VM.cpp
    M Source/WebCore/page/Page.cpp

  Log Message:
  -----------
  Apply patch. rdar://120425013

	[JSC] Prefer full GC on opportunistic GC when navigation happens
	https://bugs.webkit.org/show_bug.cgi?id=264492
	rdar://118179290

	Reviewed by Wenson Hsieh.

	Previously, when navigation happens, opportunistic GC may perform full GC.
	But this happens only when GC statistics say "we should do full GC instead of eden GC
	based on memory usage".

	But this happens only when navigation happens, and if we have enough time, then it is
	nice if we can just do full GC instead of eden GC even though we have not reached the
	full GC threshold since (1) there are out-living objects and they can be collected only
	in full GC and (2) it is likely that most objects are already garbage when navigation
	happens regardless of allocation threshold.

	This patch changes scheduleOpportunisticFullCollectionIfNeeded to attempt to perform full
	GC always when navigation happens.

	* Source/JavaScriptCore/heap/Heap.cpp:
	(JSC::Heap::scheduleOpportunisticFullCollectionIfNeeded):

	Canonical link: https://commits.webkit.org/270502@main

Canonical link: https://commits.webkit.org/267815.664@safari-7617.2.4.11-branch


  Commit: 52a4c3d1e2f593adf53e042b9d40f01127894b5c
      https://github.com/WebKit/WebKit/commit/52a4c3d1e2f593adf53e042b9d40f01127894b5c
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2024-01-03 (Wed, 03 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/heap/EdenGCActivityCallback.cpp
    M Source/JavaScriptCore/heap/EdenGCActivityCallback.h
    M Source/JavaScriptCore/heap/FullGCActivityCallback.cpp
    M Source/JavaScriptCore/heap/FullGCActivityCallback.h
    M Source/JavaScriptCore/heap/GCActivityCallback.cpp
    M Source/JavaScriptCore/heap/GCActivityCallback.h
    M Source/JavaScriptCore/heap/Heap.cpp
    M Source/JavaScriptCore/heap/Heap.h
    M Source/JavaScriptCore/heap/MarkedSpace.cpp
    M Source/JavaScriptCore/heap/MarkedSpace.h
    M Source/JavaScriptCore/runtime/DeferredWorkTimer.h
    M Source/JavaScriptCore/runtime/JSRunLoopTimer.h
    M Source/JavaScriptCore/runtime/VM.cpp
    M Source/WebCore/bindings/js/CommonVM.cpp
    M Source/WebCore/page/OpportunisticTaskScheduler.cpp
    M Source/WebCore/page/OpportunisticTaskScheduler.h

  Log Message:
  -----------
  Apply patch. rdar://120425220

	Adjust GC Timer a bit with heuristics to avoid running it while critical tasks are waiting
	https://bugs.webkit.org/show_bug.cgi?id=265055
	rdar://118574205

	Reviewed by Wenson Hsieh and Justin Michaud.

	We found that the GC timer fires randomly and it runs GC at random timing. We should avoid
	running it when there are critical tasks waiting. This patch starts with a naive simple
	approach which just defers this GC invocation with some threshold when there is a waiting task.
	We are not directly using OpportunisticTaskScheduler since it is active only when a page is visible
	and active, but we would like to run this GC for background page too. Eventually we would like
	to unify both into one global mechanism but we put it as a future work.

	* Source/JavaScriptCore/CMakeLists.txt:
	* Source/JavaScriptCore/heap/EdenGCActivityCallback.cpp:
	(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
	(JSC::EdenGCActivityCallback::doCollection):
	* Source/JavaScriptCore/heap/EdenGCActivityCallback.h:
	(JSC::EdenGCActivityCallback::tryCreate):
	(): Deleted.
	(JSC::GCActivityCallback::tryCreateEdenTimer): Deleted.
	* Source/JavaScriptCore/heap/FullGCActivityCallback.cpp:
	(JSC::FullGCActivityCallback::FullGCActivityCallback):
	(JSC::FullGCActivityCallback::doCollection):
	* Source/JavaScriptCore/heap/FullGCActivityCallback.h:
	(JSC::FullGCActivityCallback::tryCreate):
	(): Deleted.
	(JSC::GCActivityCallback::tryCreateFullTimer): Deleted.
	* Source/JavaScriptCore/heap/GCActivityCallback.cpp:
	(JSC::GCActivityCallback::GCActivityCallback):
	(JSC::GCActivityCallback::scheduleTimer):
	* Source/JavaScriptCore/heap/GCActivityCallback.h:
	(JSC::GCActivityCallback::didGCRecently const):
	(JSC::GCActivityCallback::setDidGCRecently):
	(JSC::GCActivityCallback::GCActivityCallback):
	* Source/JavaScriptCore/heap/Heap.cpp:
	(JSC::Heap::Heap):
	(JSC::Heap::collect):
	(JSC::Heap::updateAllocationLimits):
	(JSC::Heap::collectNowFullIfNotDoneRecently):
	(JSC::Heap::setFullActivityCallback):
	(JSC::Heap::setEdenActivityCallback):
	* Source/JavaScriptCore/heap/Heap.h:
	* Source/JavaScriptCore/heap/MarkedSpace.cpp:
	(JSC::MarkedSpace::beginMarking):
	* Source/JavaScriptCore/heap/MarkedSpace.h:
	(JSC::MarkedSpace::edenVersion const):
	* Source/JavaScriptCore/runtime/DeferredWorkTimer.h:
	* Source/JavaScriptCore/runtime/JSRunLoopTimer.h:
	* Source/JavaScriptCore/runtime/VM.cpp:
	(JSC::VM::performOpportunisticallyScheduledTasks):
	* Source/WebCore/bindings/js/CommonVM.cpp:
	(WebCore::commonVMSlow):
	* Source/WebCore/page/OpportunisticTaskScheduler.cpp:
	(WebCore::OpportunisticTaskScheduler::runLoopObserverFired):
	(WebCore::isBusyForTimerBasedGC):
	(WebCore::OpportunisticTaskScheduler::FullGCActivityCallback::doCollection):
	(WebCore::OpportunisticTaskScheduler::EdenGCActivityCallback::doCollection):
	* Source/WebCore/page/OpportunisticTaskScheduler.h:
	(WebCore::OpportunisticTaskScheduler::create): Deleted.
	(WebCore::OpportunisticTaskScheduler::willQueueIdleCallback): Deleted.
	(WebCore::OpportunisticTaskScheduler::hasImminentlyScheduledWork const): Deleted.

	Canonical link: https://commits.webkit.org/270919@main

Canonical link: https://commits.webkit.org/267815.665@safari-7617.2.4.11-branch


  Commit: ce6f95e31db9c19a929543a68947e144248a3ef4
      https://github.com/WebKit/WebKit/commit/ce6f95e31db9c19a929543a68947e144248a3ef4
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2024-01-03 (Wed, 03 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.h
    M Source/JavaScriptCore/dfg/DFGPlan.cpp

  Log Message:
  -----------
  Apply patch. rdar://120424986

	[JSC] Insert more DFG safepoints during DFG ByteCodeParser
	https://bugs.webkit.org/show_bug.cgi?id=265559
	rdar://118959478

	Reviewed by Mark Lam.

	This patch adds more DFG safepoints into DFG ByteCodeParser so that
	we can stop DFG compiler threads when GC requests.

	* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
	(JSC::DFG::ByteCodeParser::pruneUnreachableNodes):
	(JSC::DFG::ByteCodeParser::parse):
	(JSC::DFG::parse):
	* Source/JavaScriptCore/dfg/DFGByteCodeParser.h:
	* Source/JavaScriptCore/dfg/DFGPlan.cpp:
	(JSC::DFG::Plan::compileInThreadImpl):

	Canonical link: https://commits.webkit.org/271320@main

Canonical link: https://commits.webkit.org/267815.666@safari-7617.2.4.11-branch


  Commit: cb17de6ba682d0459d80ca1631664b48d35b378a
      https://github.com/WebKit/WebKit/commit/cb17de6ba682d0459d80ca1631664b48d35b378a
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2024-01-03 (Wed, 03 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/heap/EdenGCActivityCallback.cpp
    M Source/JavaScriptCore/heap/EdenGCActivityCallback.h
    M Source/JavaScriptCore/heap/FullGCActivityCallback.cpp
    M Source/JavaScriptCore/heap/FullGCActivityCallback.h
    M Source/JavaScriptCore/heap/GCActivityCallback.cpp
    M Source/JavaScriptCore/heap/GCActivityCallback.h
    M Source/JavaScriptCore/heap/Synchronousness.h
    M Source/WebCore/page/OpportunisticTaskScheduler.cpp
    M Source/WebCore/page/OpportunisticTaskScheduler.h

  Log Message:
  -----------
  Apply patch. rdar://120425130

	[JSC] Use synchronous GCActivityCallback GC with RunLoopObserver
	https://bugs.webkit.org/show_bug.cgi?id=265515
	rdar://118930139

	Reviewed by Wenson Hsieh.

	Now we can schedule GC only when we are idle from GCActivityCallback. So we do not need to run the async version.
	This patch changes two things.

	1. We set up RunLoopObserver and run GC when RunLoop gets idle state after GCActivityCallback detects GC opportunities.
	2. We use sync GC instead of async GC since we now run this only when we are idle. We do not need to run the async version.

	* Source/JavaScriptCore/heap/EdenGCActivityCallback.cpp:
	(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
	(JSC::EdenGCActivityCallback::doCollection):
	* Source/JavaScriptCore/heap/EdenGCActivityCallback.h:
	(JSC::EdenGCActivityCallback::tryCreate):
	* Source/JavaScriptCore/heap/FullGCActivityCallback.cpp:
	(JSC::FullGCActivityCallback::FullGCActivityCallback):
	(JSC::FullGCActivityCallback::doCollection):
	* Source/JavaScriptCore/heap/FullGCActivityCallback.h:
	(JSC::FullGCActivityCallback::tryCreate):
	* Source/JavaScriptCore/heap/GCActivityCallback.cpp:
	(JSC::GCActivityCallback::GCActivityCallback):
	* Source/JavaScriptCore/heap/GCActivityCallback.h:
	* Source/JavaScriptCore/heap/Synchronousness.h:
	* Source/WebCore/page/OpportunisticTaskScheduler.cpp:
	(WebCore::OpportunisticTaskScheduler::FullGCActivityCallback::FullGCActivityCallback):
	(WebCore::OpportunisticTaskScheduler::FullGCActivityCallback::doCollection):
	(WebCore::OpportunisticTaskScheduler::EdenGCActivityCallback::EdenGCActivityCallback):
	(WebCore::OpportunisticTaskScheduler::EdenGCActivityCallback::doCollection):
	* Source/WebCore/page/OpportunisticTaskScheduler.h:

	Canonical link: https://commits.webkit.org/271324@main

Canonical link: https://commits.webkit.org/267815.667@safari-7617.2.4.11-branch


  Commit: 142767571e4fee0dcf01aea1352976a4d067b088
      https://github.com/WebKit/WebKit/commit/142767571e4fee0dcf01aea1352976a4d067b088
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2024-01-03 (Wed, 03 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGCapabilities.cpp
    M Source/JavaScriptCore/dfg/DFGCapabilities.h
    M Source/JavaScriptCore/heap/LocalAllocatorInlines.h
    M Source/JavaScriptCore/jit/JITPlan.h
    M Source/JavaScriptCore/runtime/Options.cpp
    M Source/JavaScriptCore/runtime/OptionsList.h

  Log Message:
  -----------
  Apply patch. rdar://120424954

	[JSC] Adjust inlining options
	https://bugs.webkit.org/show_bug.cgi?id=266563
	rdar://119795209

	Reviewed by Justin Michaud.

	This patch extends JSC to have different inlining options for DFG and FTL.
	This is great since DFG and FTL have different purposes and we would like
	to make DFG compilation smaller and faster while keeping FTL heavy and highly optimized.
	And then, we adjust these numbers based on benchmarks.

	1. DFG inlining heuristics becomes 80.
	2. FTL call inlining heuristics becomes 125.

	* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
	(JSC::CodeBlock::setupWithUnlinkedBaselineCode):
	(JSC::CodeBlock::computeCapabilityLevel):
	(JSC::CodeBlock::noticeIncomingCall):
	* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
	(JSC::DFG::ByteCodeParser::inliningCost):
	(JSC::DFG::ByteCodeParser::getInliningBalance):
	* Source/JavaScriptCore/dfg/DFGCapabilities.cpp:
	(JSC::DFG::mightInlineFunctionForCall):
	(JSC::DFG::mightInlineFunctionForClosureCall):
	(JSC::DFG::mightInlineFunctionForConstruct):
	* Source/JavaScriptCore/dfg/DFGCapabilities.h:
	(JSC::DFG::mightInlineFunctionForCall):
	(JSC::DFG::mightInlineFunctionForClosureCall):
	(JSC::DFG::mightInlineFunctionForConstruct):
	(JSC::DFG::functionForCallCapabilityLevel):
	(JSC::DFG::functionForConstructCapabilityLevel):
	(JSC::DFG::inlineFunctionForCallCapabilityLevel):
	(JSC::DFG::inlineFunctionForClosureCallCapabilityLevel):
	(JSC::DFG::inlineFunctionForConstructCapabilityLevel):
	(JSC::DFG::mightInlineFunctionFor):
	(JSC::DFG::mightInlineFunction):
	(JSC::DFG::inlineFunctionForCapabilityLevel):
	* Source/JavaScriptCore/heap/LocalAllocatorInlines.h:
	(JSC::LocalAllocator::allocate):
	* Source/JavaScriptCore/jit/JITPlan.h:
	(JSC::JITPlan::jitType const):
	* Source/JavaScriptCore/runtime/Options.cpp:
	(JSC::overrideDefaults):
	* Source/JavaScriptCore/runtime/OptionsList.h:

	Canonical link: https://commits.webkit.org/272208@main

Canonical link: https://commits.webkit.org/267815.668@safari-7617.2.4.11-branch


  Commit: e5b74b0190bfdee52e8e8f6ac6716515bcb0dc20
      https://github.com/WebKit/WebKit/commit/e5b74b0190bfdee52e8e8f6ac6716515bcb0dc20
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2024-01-03 (Wed, 03 Jan 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.2.4.11.5

Canonical link: https://commits.webkit.org/267815.669@safari-7617.2.4.11-branch


  Commit: 06e557b830f66662abe27e7fff55838105936e64
      https://github.com/WebKit/WebKit/commit/06e557b830f66662abe27e7fff55838105936e64
  Author: Dan Robson <dtr_bugzilla at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.2.4.11.6

Canonical link: https://commits.webkit.org/267815.670@safari-7617.2.4.11-branch


  Commit: 61d47f64edd9a39dc2c14fcb6f6dd944a359eb79
      https://github.com/WebKit/WebKit/commit/61d47f64edd9a39dc2c14fcb6f6dd944a359eb79
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/Sources.txt
    A Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp
    A Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.h

  Log Message:
  -----------
  Apply patch. rdar://120560604

	[JSC] DFG constant property load should check the validity at the main thread
	https://bugs.webkit.org/show_bug.cgi?id=267134
	rdar://120443399

	Reviewed by Mark Lam.

	Consider the following case,

	    CheckStructure O, S1 | S3
	    GetByOffset O, offset

	And S1 -> S2 -> S3 structure transition happens.
	By changing object concurrently with the compiler, it is possible that we will constant fold the property with O + S2.
	While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2.
	If we change O to S3 before running code, CheckStructure passes and we can use a value loaded from O + S2.

	1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue.
	   CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when a transition happens.
	   So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
	2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread.
	   CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue
	   using this code safely. To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure.
	   And at the end of compilation, in the main thread, we check this assumption is still met.

	* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
	* Source/JavaScriptCore/Sources.txt:
	* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
	(JSC::DFG::DesiredObjectProperties::addLazily):
	(JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
	* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
	* Source/JavaScriptCore/dfg/DFGGraph.cpp:
	(JSC::DFG::Graph::tryGetConstantProperty):
	* Source/JavaScriptCore/dfg/DFGPlan.cpp:
	(JSC::DFG::Plan::cancel):
	(JSC::DFG::Plan::isStillValidOnMainThread):
	* Source/JavaScriptCore/dfg/DFGPlan.h:

	Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch


  Commit: 7efdaf176e13f84ad3dad9b0a0ad1662d842085e
      https://github.com/WebKit/WebKit/commit/7efdaf176e13f84ad3dad9b0a0ad1662d842085e
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

  Log Message:
  -----------
  Cherry-pick 31601205b6f3. rdar://120560604

    [JSC] DFG constant property load should check the validity at the main thread
    https://bugs.webkit.org/show_bug.cgi?id=267134
    rdar://120443399

    Reviewed by Mark Lam.

    Consider the following case,

        CheckStructure O, S1 | S3
        GetByOffset O, offset

    And S1 -> S2 -> S3 structure transition happens.
    By changing object concurrently with the compiler, it is possible that we will constant fold the property with O + S2.
    While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2.
    If we change O to S3 before running code, CheckStructure passes and we can use a value loaded from O + S2.

    1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue.
       CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when a transition happens.
       So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
    2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread.
       CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue
       using this code safely. To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure.
       And at the end of compilation, in the main thread, we check this assumption is still met.

    * Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
    * Source/JavaScriptCore/Sources.txt:
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
    (JSC::DFG::DesiredObjectProperties::addLazily):
    (JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::tryGetConstantProperty):
    * Source/JavaScriptCore/dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::cancel):
    (JSC::DFG::Plan::isStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGPlan.h:

    Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch

Canonical link: https://commits.webkit.org/267815.672@safari-7617.2.4.11-branch
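The race described in the two commit messages above (the "Apply patch" entry and its cherry-pick of 31601205b6f3), modelled as an added example. This is hypothetical stand-in C++ written for this page, not JavaScriptCore code: Structure, JSObjectModel, DesiredProperty, foldConstantProperty, isStillValidOnMainThread and checkStructure are simplified stand-ins for JSC's Structure, JSObject, DesiredObjectProperties, Graph::tryGetConstantProperty, Plan::isStillValidOnMainThread and the CheckStructure guard; the concurrent compiler thread is replaced by an explicit interleaving so the outcome is deterministic. It shows why CheckStructure S1 | S3 alone does not protect a constant folded from O + S2, and what the main-thread re-validation catches.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <vector>

// Hypothetical stand-ins (not JSC code).
struct Structure { int id; };

struct JSObjectModel {
    const Structure* structure;
    std::vector<std::int64_t> slots;
    // Structure transition; in this model a transition may also replace the
    // property stored at a given offset.
    void transition(const Structure* next, std::size_t offset, std::int64_t value) {
        structure = next;
        slots[offset] = value;
    }
};

// What the compiler records when it constant-folds a load from one object:
// the object, the offset, the value it saw and the structure it saw.
struct DesiredProperty {
    const JSObjectModel* object;
    std::size_t offset;
    std::int64_t value;
    const Structure* structure;
};

// Compiler side: read the property and record the assumption. In JSC this
// runs concurrently with the main thread, so the object may change between
// this read and the moment the compiled code is installed.
DesiredProperty foldConstantProperty(const JSObjectModel& object, std::size_t offset) {
    return {&object, offset, object.slots[offset], object.structure};
}

// Main-thread validation at the end of compilation: the folded constant is
// usable only if the object still has the structure and value that were read.
bool isStillValidOnMainThread(const DesiredProperty& desired) {
    return desired.object->structure == desired.structure
        && desired.object->slots[desired.offset] == desired.value;
}

// The guard emitted before the load: CheckStructure O, S1 | S3.
bool checkStructure(const JSObjectModel& object, std::initializer_list<const Structure*> admitted) {
    for (const Structure* s : admitted)
        if (object.structure == s)
            return true;
    return false;
}

struct ScenarioResult {
    bool checkStructurePassed;    // the run-time guard accepted the object
    bool foldedValueIsStale;      // the baked-in constant differs from the real slot
    bool mainThreadCheckPassed;   // DesiredObjectProperties-style validation
};

// Interleaving from the commit message: O is S1 when compilation starts; the
// main thread moves O to S2 (slot changes, no watchpoint on S2); the compiler
// folds O + S2; the main thread moves O to S3; the compiled code then runs.
ScenarioResult raceScenario() {
    static const Structure S1{1}, S2{2}, S3{3};
    JSObjectModel o{&S1, {10}};
    o.transition(&S2, 0, 20);
    DesiredProperty desired = foldConstantProperty(o, 0);   // compiler sees 20 at S2
    o.transition(&S3, 0, 30);
    bool passed = checkStructure(o, {&S1, &S3});            // passes: O is S3
    return {passed, desired.value != o.slots[0], isStillValidOnMainThread(desired)};
}

// No concurrent mutation: the fold is sound and validation passes.
ScenarioResult noRaceScenario() {
    static const Structure S1{1};
    JSObjectModel o{&S1, {10}};
    DesiredProperty desired = foldConstantProperty(o, 0);
    bool passed = checkStructure(o, {&S1});
    return {passed, desired.value != o.slots[0], isStillValidOnMainThread(desired)};
}

int main() {
    ScenarioResult race = raceScenario();
    ScenarioResult clean = noRaceScenario();
    bool ok = race.checkStructurePassed && race.foldedValueIsStale && !race.mainThreadCheckPassed
           && clean.checkStructurePassed && !clean.foldedValueIsStale && clean.mainThreadCheckPassed;
    return ok ? 0 : 1;
}
```

In the racing interleaving the guard passes while the folded value is stale, and only the main-thread check rejects the plan; this is the gap the DesiredObjectProperties record was added to close. The later entries in this digest show the branch settling on a different resolution (folding only when a single structure is involved, so the property replacement watchpoint covers the change), which this model does not attempt to reproduce.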


  Commit: 4b73defb0b0b076f527fe2f657ab9e7fc543c244
      https://github.com/WebKit/WebKit/commit/4b73defb0b0b076f527fe2f657ab9e7fc543c244
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/Sources.txt
    R Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp
    R Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.h

  Log Message:
  -----------
  Cherry-pick a8b53bc4d7b3. rdar://120560604

    [JSC] Remove DFGDesiredObjectProperties
    https://bugs.webkit.org/show_bug.cgi?id=267134
    rdar://120443399

    Reviewed by Mark Lam.

    When we limit the structure to only one, there is no way to change the property without firing
    property replacement watchpoint while keeping object's structure as specified. So removing DFGDesiredObjectProperties.

    * Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
    * Source/JavaScriptCore/Sources.txt:
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Removed.
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Removed.
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::tryGetConstantProperty):
    * Source/JavaScriptCore/dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::cancel):
    (JSC::DFG::Plan::isStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGPlan.h:

    Canonical link: https://commits.webkit.org/272448.8@safari-7618-branch

Canonical link: https://commits.webkit.org/267815.673@safari-7617.2.4.11-branch


  Commit: 55f88a9a4f09b9e3accb5906014ea61121428236
      https://github.com/WebKit/WebKit/commit/55f88a9a4f09b9e3accb5906014ea61121428236
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/Sources.txt
    A Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp
    A Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.h

  Log Message:
  -----------
  Revert "Cherry-pick a8b53bc4d7b3. rdar://120560604"

This reverts commit 4b73defb0b0b076f527fe2f657ab9e7fc543c244.

Canonical link: https://commits.webkit.org/267815.674@safari-7617.2.4.11-branch


  Commit: 7579eda71a7786926c329a6151917f81f6bce3be
      https://github.com/WebKit/WebKit/commit/7579eda71a7786926c329a6151917f81f6bce3be
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

  Log Message:
  -----------
  Revert "Cherry-pick 31601205b6f3. rdar://120560604"

This reverts commit 7efdaf176e13f84ad3dad9b0a0ad1662d842085e.

Canonical link: https://commits.webkit.org/267815.675@safari-7617.2.4.11-branch


  Commit: d4a552350a90bee4118037d83f7dcfcab0184d19
      https://github.com/WebKit/WebKit/commit/d4a552350a90bee4118037d83f7dcfcab0184d19
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/Sources.txt
    R Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp
    R Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.h

  Log Message:
  -----------
  Revert "Apply patch. rdar://120560604"

This reverts commit 61d47f64edd9a39dc2c14fcb6f6dd944a359eb79.

Canonical link: https://commits.webkit.org/267815.676@safari-7617.2.4.11-branch


  Commit: 29fbd924925821f9321a1eed94fedbaabd934c33
      https://github.com/WebKit/WebKit/commit/29fbd924925821f9321a1eed94fedbaabd934c33
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2024-01-05 (Fri, 05 Jan 2024)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGGraph.cpp

  Log Message:
  -----------
  Apply patch. rdar://120560604

Canonical link: https://commits.webkit.org/267815.677@safari-7617.2.4.11-branch


  Commit: b895075bf89e27424146bbcfd138c6b14d3c7498
      https://github.com/WebKit/WebKit/commit/b895075bf89e27424146bbcfd138c6b14d3c7498
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2024-01-10 (Wed, 10 Jan 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-617.2.4.11.7

Canonical link: https://commits.webkit.org/267815.678@safari-7617.2.4.11-branch


  Commit: 692ee545dbe93299189b974aa572c7fd4b6277bc
      https://github.com/WebKit/WebKit/commit/692ee545dbe93299189b974aa572c7fd4b6277bc
  Author: Russell Epstein <repstein at apple.com>
  Date:   2024-01-10 (Wed, 10 Jan 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7617.2.4.11.8

Canonical link: https://commits.webkit.org/267815.679@safari-7617.2.4.11-branch


Compare: https://github.com/WebKit/WebKit/compare/e2264e53553a%5E...692ee545dbe9
