1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-24 20:42:07 +00:00
Commit graph

5043 commits

Author SHA1 Message Date
Dan Klishch
ccd701809f Everywhere: Add deprecated_ prefix to JsonValue::to_byte_string
`JsonValue::to_byte_string` has peculiar type-erasure semantics which is
not usually intended. Unfortunately, it also has a very stereotypical
name which does not warn about unexpected behavior. So let's prefix it
with `deprecated_` to make new code use `as_string` if it just wants to
get string value or `serialized<StringBuilder>` if it needs to do proper
serialization.
2024-01-12 17:41:34 -07:00
Timothy Flynn
75262a92e1 LibJS: Update spec notes for a resizable ArrayBuffer workaround
This is a normative change in the ECMA-262 spec. See:
22de374

The issue noted here has been fixed in the same way that we previously
worked around it. Update the spec notes to match.
2024-01-12 07:09:54 -05:00
Andrew Kaster
6047f1adcb LibJS: Ensure JS::Date has a key function and its vtable is in LibJS
Without a key function, the vtable for this class can be emitted into
every shared object or executable that needs it. This can cause bugs and
bad behavior when trying to access the vtable or RTTI for the class.

This is most easily seen when trying to call ``is<JS::Date>``, which
currently will do a dynamic_cast. Based on compiler, linker and loader
choices about ordering, it's possible that the code checking the RTTI
and the code that created the object could have a different vtable and
type_info in mind, causing false negatives for the ``is`` check.
2024-01-12 09:11:18 +01:00
Timothy Flynn
6d1c10ed10 LibJS: Implement the GetSubstitution AO according to the spec
There was recently a normative change to this AO in ECMA-262. See:
5eaee2f

It turns out we already implemented this to align with web-reality
before it was codified in the spec. This was a bit difficult to reason
without spec text and with a somewhat ad-hoc implementation. So this
patch aligns our implementation with the spec. There should not be any
behavior change.
2024-01-04 12:43:10 +01:00
Timothy Flynn
8de1db7b78 LibJS: Avoid needless allocation in the StringToNumber AO 2024-01-04 12:43:10 +01:00
Timothy Flynn
a984067567 LibJS: Make the StringIndexOf AO public
It will be used outside of String.prototype.
2024-01-04 12:43:10 +01:00
Shannon Booth
f589bedb0d LibJS: Improve JS::modulo precision for large floating values
JS::modulo was yielding a result of '0' for the input:
```
modulo(1., 18446744073709551616.)
```

Instead of the expected '1'.

As far as I can tell the reason for this is that the repeated calls to
fmod is losing precision in the calculation, leading to the wrong
result. Fix this by only calling fmod once, and preserving the negative
value behaviour by an 'if' check.

Without this, the LibWeb text test:
`/Streams/ReadableByteStream-enqueue-respond.html`

Would hang forever after using this function in the IDL conversion of a
u64 in ConvertToInt.

This should also be more efficient :^)
2024-01-02 10:01:26 +01:00
Shannon Booth
986abe7047 LibJS: Rename IntlNumberIsNaNOrInfinity to NumberIsNaNOrInfinity
While only currently used in Intl in LibJS, this is a pretty generic
error and is useful elsewhere. Rename it to something more generic.
2024-01-02 10:01:26 +01:00
Shannon Booth
56ec36a9dc LibJS: Export MAX_ARRAY_LIKE_INDEX & NEGATIVE_ZERO_BITS in JS namespace 2024-01-02 10:01:26 +01:00
Andreas Kling
ee3d09f225 LibJS: Show class in SerenityOS mmap name for type-specific allocators 2023-12-31 15:35:56 +01:00
Andreas Kling
b6d4eea7ac LibJS: Never give back virtual memory once it belongs to a cell type
Instead of returning HeapBlock memory to the kernel (or a non-type
specific shared cache), we now keep a BlockAllocator per CellAllocator
and implement "deallocation" by basically informing the kernel that we
don't need the physical memory right now.

This is done with MADV_FREE or MADV_DONTNEED if available, but for other
platforms (including SerenityOS) we munmap and then re-mmap the memory
to achieve the same effect. It's definitely clunky, so I've added a
FIXME about implementing the madvise options on SerenityOS too.

The important outcome of this change is that GC types that use a
type-specific allocator become immune to use-after-free type confusion
attacks, since their virtual addresses will only ever be re-used for
the same exact type again and again.

Fixes #22274
2023-12-31 15:35:56 +01:00
Andreas Kling
0ad4be3d78 LibJS: Skip redundant UTF-8 validation in rope string resolution
When resolving a rope, we've already taken care to resolve it to
a UTF-8 byte stream. There's no need to do a separate pass just for
validating the data again.

This was noticeable in some profiles. I made a simple microbenchmark
that gets a 30% speed-up:

    ("x" + "y".repeat(100_000_000)).trimStart()
2023-12-30 13:49:50 +01:00
Andreas Kling
a285e36041 LibJS+AK: Make String.prototype.repeat() way faster
Instead of using a StringBuilder, add a String::repeated(String, N)
overload that takes advantage of knowing it's already all UTF-8.

This makes the following microbenchmark go 4x faster:

    "foo".repeat(100_000_000)

And for single character strings, we can even go 10x faster:

    "x".repeat(100_000_000)
2023-12-30 13:49:50 +01:00
Timothy Flynn
3f3686cf7b LibJS: Implement missing steps from the ArrayBuffer transfer proposal
We can now implement steps related to resizable ArrayBuffer objects. We
can also implement a couple of missing SharedArrayBuffer checks.

The original implementation of this proposal did not have any tests, so
tests are added here for the whole implementation.
2023-12-29 09:25:41 +01:00
Timothy Flynn
526a74f2f1 LibJS: Implement missing checks for SharedArrayBuffer values 2023-12-29 09:25:41 +01:00
Timothy Flynn
299c86db20 LibJS: Change error message for values that can't be a SharedArrayBuffer
This error will be used in contexts that apply to more than than the
|this| object.
2023-12-29 09:25:41 +01:00
Timothy Flynn
834ced9ef8 LibJS: Change error message for values that must be a SharedArrayBuffer
This error will be used in contexts that apply to more than TypedArrays.
2023-12-29 09:25:41 +01:00
Timothy Flynn
f1e01a681e LibJS: Implement missing conditional when creating a TypedArray subarray 2023-12-28 08:19:02 -05:00
Timothy Flynn
916cb256de LibJS: Ensure enlarged ArrayBuffers are filled with zeros
Otherwise, the newly allocated bytes are uninitialized, causing UB when
reading from the buffer immediately after an enlarging resize.
2023-12-27 19:30:39 +01:00
Timothy Flynn
cabd599c8b LibJS: Consolidate duplicate "errors" sections in LibJS tests
A couple of duplicate sections were errantly added in commit 9258d7b98a.
2023-12-27 19:30:39 +01:00
Shannon Booth
5d0fb4bac3 LibJS: Do not inherit TypedArray constructors from TypedArrayConstructor
In: https://tc39.es/ecma262/#sec-%typedarray%-intrinsic-object

The spec says:
> is a constructor function object that all of the TypedArray
> constructor objects inherit from.

From what I understand from this, it effectively just means is that the
prototype for the constructor should simply be set to
TypedArrayConstructor. We _were_ doing that, but also inheriting from
it in C++.

This meant we were invoking TypedArrayConstructor::initialize for each
of the typed arrays. This is not actually what we want, since it means
that the 'of' and 'from' functions were being defined as native
properties in both the concrete typed array (e.g Uint8Array), and the
abstract TypedArray. Instead, the properties should only be defined and
inherited from the abstract TypedArray class.

Diff Tests:
    +4     -4 

Co-Authored-By: Andreas Kling <kling@serenityos.org>
2023-12-27 10:57:16 -05:00
Timothy Flynn
bf8107b247 LibJS: Update spec numbers for the Promise.withResolvers proposal
This proposal has been merged into the main ECMA-262 spec. See:
11cbf72
2023-12-26 12:07:50 -05:00
Timothy Flynn
edbc2a1031 LibJS: Update spec numbers for the Array Grouping proposal
This proposal has been merged into the main ECMA-262 spec. See:
3a9c9dc
2023-12-26 12:07:50 -05:00
Timothy Flynn
9258d7b98a LibJS+LibWeb: Implement resizable ArrayBuffer support for TypedArray
This is (part of) a normative change in the ECMA-262 spec. See:
a9ae96e
2023-12-26 11:16:10 +01:00
Timothy Flynn
c7fec9424c LibJS+LibWeb: Implement resizable ArrayBuffer support for DataView
This is (part of) a normative change in the ECMA-262 spec. See:
a9ae96e
2023-12-26 11:16:10 +01:00
Timothy Flynn
29ac6e3689 LibJS: Partially implement resizable ArrayBuffer objects
This is (part of) a normative change in the ECMA-262 spec. See:
a9ae96e

This implements just support for resizing ArrayBuffer objects. This does
not implement the SharedArrayBuffer changes, as we do not have enough
support to do so.
2023-12-26 11:16:10 +01:00
Timothy Flynn
a1e2f131c4 LibJS: Use existing AOs to validate bytecode/JIT TypedArray indices
The IsValidIntegerIndex AO performs the checks we are interested in. The
manual implementation we currently have will no longer compile once the
resizable ArrayBuffer spec is implemented. The AO will be updated with
the spec implementation, so let's use it now to avoid breakage.
2023-12-26 11:16:10 +01:00
Timothy Flynn
98cdf36fb0 LibJS: Rename TypedArray element get and set methods
This renames IntegerIndexedElementGet to TypedArrayGetElement, and
IntegerIndexedElementSet to TypedArraySetElement.

This also renames the indexedPosition variable inside these method
definitions to byteIndexInBuffer.

These are part of a couple editorial changes in the ECMA-262 spec. See:
03e4410
a1a4d48

The remainder of the changes in those commits apply to the resizable
ArrayBuffer spec, which is not implemented in LibJS as of this commit.
2023-12-26 11:16:10 +01:00
Timothy Flynn
4f32392426 LibJS: Update spec headers of ArrayBuffer, TypedArray, DataView, Atomics
After the resizable ArrayBuffer proposal was merged, a bunch of methods
had their spec numbers/headers changed. This patch just updates existing
methods to make future patches easier to grok.
2023-12-26 11:16:10 +01:00
Shannon Booth
95e9c89a15 LibJS: Update spec comments in Array.fromAsync
This was a normative change in the Array.fromAsync spec which we already
implemented :^). See:

https://github.com/tc39/proposal-array-from-async/commit/689d0d

I've left an existing FIXME in there for some other bug which we have
which is causing some test262 test cases to fail.
2023-12-23 20:22:42 -05:00
Andreas Kling
6c1fcc5f7e LibJS: Actually invoke the type-isolating cell allocators
Due to a `requires` mistake, we were always using the fallback
size-based cell allocators.

Also, now that we start using them, make them NeverDestroyed so
we don't try to deallocate them on program exit.
2023-12-23 23:02:10 +01:00
Andreas Kling
f4fa37afd2 LibJS+LibWeb: Add missing JS_DEFINE_ALLOCATOR() for a bunch of classes 2023-12-23 23:02:10 +01:00
Andreas Kling
11c968fa1f LibJS: Make Heap aware of all CellAllocators
Also add a link from HeapBlock to their owning CellAllocator.
This fixes an issue where the Heap would skip over non-size-based
cell allocators.
2023-12-23 23:02:10 +01:00
Shannon Booth
e2e7c4d574 Everywhere: Use to_number<T> instead of to_{int,uint,float,double}
In a bunch of cases, this actually ends up simplifying the code as
to_number will handle something such as:

```
Optional<I> opt;
if constexpr (IsSigned<I>)
    opt = view.to_int<I>();
else
    opt = view.to_uint<I>();
```

For us.

The main goal here however is to have a single generic number conversion
API between all of the String classes.
2023-12-23 20:41:07 +01:00
Andrew Kaster
82ec1ea75e LibJS: Provide better assertion for empty execution context stack
When calling `running_execution_context` from other VM APIs, and the
execution context stack is empty, the verification message is inlined
from AK::Vector. Add a specific VERIFY to `running_execution_context` to
help diagnose this issue better.
2023-12-19 21:08:05 +01:00
Andrew Kaster
d361221657 LibJS+LibWeb: Add JS::Value constructor for `JS::Handle<T>`
Similar to the constructors for ``JS::{Nonnull}GCPtr<T>``, this helper
avoids unnecessary .ptr() clutter when we want to construct Values.
2023-12-19 09:21:55 -07:00
Ali Mohammad Pur
5e1499d104 Everywhere: Rename {Deprecated => Byte}String
This commit un-deprecates DeprecatedString, and repurposes it as a byte
string.
As the null state has already been removed, there are no other
particularly hairy blockers in repurposing this type as a byte string
(what it _really_ is).

This commit is auto-generated:
  $ xs=$(ack -l \bDeprecatedString\b\|deprecated_string AK Userland \
    Meta Ports Ladybird Tests Kernel)
  $ perl -pie 's/\bDeprecatedString\b/ByteString/g;
    s/deprecated_string/byte_string/g' $xs
  $ clang-format --style=file -i \
    $(git diff --name-only | grep \.cpp\|\.h)
  $ gn format $(git ls-files '*.gn' '*.gni')
2023-12-17 18:25:10 +03:30
Andreas Kling
ed1ade0534 LibJS: Don't crash in CyclicModule::evaluate() when this == m_cycle_root
The spec allows this scenario, so I don't know why we would want to
assert that it doesn't happen.

Fixes #22317

Also, -1 crash, +1 pass on test262 :^)
2023-12-16 19:39:23 +01:00
Andreas Kling
1e90379008 LibJS: Introduce "dictionary" mode for object shapes
This is similar to "unique" shapes, which were removed in commit
3d92c26445.

The key difference is that dictionary shapes don't have a serial number,
but instead have a "cacheable" flag.

Shapes become dictionaries after 64 transitions have occurred, at which
point no further transitions occur.

As long as properties are only added to a dictionary shape, it remains
cacheable. (Since if we've cached the shape pointer in an IC somewhere,
we know the IC is still valid.)

Deleting a property from a dictionary shape causes it to become an
uncacheable dictionary.

Note that deleting a property from a non-dictionary shape still performs
a delete transition.

This fixes an issue on Discord where Object.freeze() would eventually
OOM us, since they add more than 16000 properties to a single object
before freezing it.

It also yields a 15% speedup on Octane/pdfjs.js :^)
2023-12-16 14:25:58 +01:00
Aliaksandr Kalenik
b108d51c5b LibJS: Only consider VM-accessible execution contexts as strong roots
Partially reverts 3dc5f467a8 to fix
GC memory leak that happens because we treated all execution contexts
as strong roots.
2023-12-13 11:19:13 +01:00
Aliaksandr Kalenik
57e5abae92 LibJS+LibWebView+WebContent+Ladybird: Output GC-graph into a file
Instead of displaying a massive JSON in stdout, it's more practical
to save the GC-graph to a file.
2023-12-12 15:35:35 +01:00
Andreas Kling
ed1bee222b LibJS: Give Shape::TransitionType an underlying 8-bit type
This shrinks Shape by 8 bytes. :^)
2023-12-12 15:26:46 +01:00
Andreas Kling
6cbcd521a2 LibJS/JIT: Add fast path for UnaryMinus on Int32
5% speedup on Octane/mandreel.js :^)
2023-12-12 00:10:44 +01:00
Andreas Kling
8eacb81eba LibJS: Skip redundant marking of Shape property table keys
All the keys in a property table are guaranteed to be marked via
Shape::m_property_key in each step of the transition chain that leads
up to the Shape.
2023-12-11 20:36:15 +01:00
Andreas Kling
3d92c26445 LibJS: Stop making shapes unique
We previously had a concept of unique shapes, which meant that they
couldn't be shared between multiple objects.

Object shapes became unique in three situations:

- They were the shape of the global object.
- They had more than 100 properties added to them.
- They had one or more properties deleted from them.

Unfortunately, unique shapes presented an annoying problem for inline
caches, and we added a "unique shape serial number" for being able to
tell that a unique shape had been mutated.

This patch gets rid of the concept of unique shapes, simplifying all
the caching code, since inline caches can now simply perform a shape
check and then we're good.

To make this possible, we now have the concept of delete transitions,
which occur when a property is deleted from a shape.

Note that this patch by itself introduces a performance regression in
some situtations, since we now create a lot more shapes, and marking
their property keys can be very heavy. This will be addressed in a
subsequent patch.
2023-12-11 20:36:15 +01:00
Andreas Kling
ef86cf4646 LibJS: Mark forward shape transition keys
These should really be weakly held by the Shape, but we don't have a
mechanism for weak hashmap keys at the moment, so let's just mark
these for now so they don't go stale.
2023-12-11 20:36:15 +01:00
Aliaksandr Kalenik
6ac43274b2 LibWeb+LibJS: Use JS::GCPtr for pointers to GC-allocated objects
Fixes warnings found by LibJSGCVerifier
2023-12-11 16:55:25 +01:00
Andreas Kling
37b5c05ec5 LibJS: Add fast path for Uint8ClampedArray Get/Put
These are just like Uint8Array, except Put values have to be clamped
in the 0..255 range.

Takes CPU usage from 40% to 30% on the "Canvas Cycle" demo at
http://www.effectgames.com/demos/canvascycle/ :^)
2023-12-10 13:49:00 +01:00
Andreas Kling
463931384d LibJS: Don't use Handle<Value> for JS::Object private fields
There's no reason to use handles here, we can just mark private element
values from objects that store them.
2023-12-10 09:44:26 +01:00
Andreas Kling
d8be9ebc16 LibJS: Add fast path in ArrayIteratorPrototype::next()
When iterating over vanilla objects/arrays with normal property storage,
we can skip the generic Get mechanism in favor of looking directly at
property storage. This is essentially what we do in the bytecode path.
2023-12-09 00:20:25 +01:00