Bug 211020

Created attachment 397558 [details]
Patch

Created attachment 397560 [details]
Patch

Add JSC namespace in JSDOMWindowProperties.h.

Created attachment 397574 [details]
Patch

Drop WebAssembly[Symbol.toStringTag], fix global objects prototypes, and adjust tests.

Created attachment 397575 [details]
Patch

Add missing "$" in CodeGeneratorJS.pm.

Created attachment 397585 [details]
Patch

Adjust remaining tests and improve ChangeLog.

Comment on attachment 397585 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=397585&action=review

Looks great.

Is there a more efficient way of getting this behavior without explicitly putting the property in the prototype object at runtime? The change of the name seems fine, but I am a little sad to see all the putDirectWithoutTransition calls. Not really up to date enough on the latest about performance of the JavaScript runtime, so not really sure if this is a bad thing or not.

I also have feelings about code being written out over and over again by the code generator. I’d like to see us put a function somewhere that does this without always repeating toStringTagSymbol and DontEnum and ReadOnly, etc. Once we start generating code, it’s tempting to write out a lot, but I would have wanted the generated code to be more like this:

    setUpToStringTag(vm, "CSSValueList"_s);

That function would be in a plain old C++ source file.

> Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:4381
> +        push(@implContent, "    putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsNontrivialString(vm, \"${visibleInterfaceName}\"_s), JSC::PropertyAttribute::DontEnum | JSC::PropertyAttribute::ReadOnly);\n");

This assumes that the visibleInterfaceName will never be a single character. If it is a single character, then we need to call jsString rather than jsNontrivialString. Probably a safe assumption -- what’s the chance of a single character DOM class name? -- but maybe we should put something in the perl code to check for this so it’s a compile time failure rather than a runtime failure.

> Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:7321
>          if (IsGlobalInterface($interface)) {
>              $structureFlags{"JSC::HasStaticPropertyTable"} = 1;

Could make this a one-liner with perl's suffix-style if statement.

> LayoutTests/ChangeLog:36
> +        * resources/idlharness.js: Remove asserts that were are commented out in upstream.

small mistake: "were are"

Created attachment 397689 [details]
Patch

Add assert before jsNontrivialString(), use suffix-style if statement, tweak ChangeLog, rebase on updated cross-realm tests expectations.

(In reply to Darin Adler from comment #6)

I appreciate the review and comprehensive comments!

> Is there a more efficient way of getting this behavior without explicitly
> putting the property in the prototype object at runtime? The change of the
> name seems fine, but I am a little sad to see all the
> putDirectWithoutTransition calls. Not really up to date enough on the latest
> about performance of the JavaScript runtime, so not really sure if this is a
> bad thing or not.

Given that WebIDL requires @@toStringTag as own property on interface prototypes (https://heycam.github.io/webidl/#dfn-class-string) to enable developers checking for cross-realm instances via `obj[Symbol.toStringTag]` instead of `Object.prototype.toString.call(obj).slice(8, -1)`, there is not much we could do.
If interface prototypes extended a common class, we could have define @@toStringTag as CustomValue though.

> I also have feelings about code being written out over and over again by the
> code generator. I’d like to see us put a function somewhere that does this
> without always repeating toStringTagSymbol and DontEnum and ReadOnly, etc.
> Once we start generating code, it’s tempting to write out a lot, but I would
> have wanted the generated code to be more like this:

I agree that code generator will benefit from changes like this and code removal in general (I have a change in mind that would simplify callback interfaces a bit),
yet I am not sure it worth extracting @@toStringTag due to its size/complexity, and to keep it consistent with other well-known symbols we emit in CodeGeneratorJS.pm.

(In reply to Alexey Shvayka from comment #8)
> I am not sure it worth extracting @@toStringTag due to its
> size/complexity, and to keep it consistent with other well-known symbols we
> emit in CodeGeneratorJS.pm.

My feedback also applies to other well-known symbols we emit in CodeGeneratorJS.pm. I think we should be putting as much of the code as possible in C++ source files rather than in the perl code generator as long as it doesn’t cause problems for complexity, performance, or clarity.

(In reply to Darin Adler from comment #6)
>     setUpToStringTag(vm, "CSSValueList"_s);
> 
> That function would be in a plain old C++ source file.

Since WebIDL interface prototypes extend JSNonFinalObject and are fully generated by Perl script, we can't define setUpToStringTag() as a method and would have to pass an additional argument: `setUpToStringTag(vm, this, "CSSValueList"_s);`. It doesn't feel right to me (in terms of OOP) that a function merely manipulates its object parameter.

Furthermore, I believe it is important to use putDirectWithoutTransition() performance-wise, which does not seem like a good fit inside a helper function (I could not `grep` any usages) as it expects certain object state that we can't guarantee outside of finishCreation().

(In reply to Alexey Shvayka from comment #10)
> Since WebIDL interface prototypes extend JSNonFinalObject and are fully
> generated by Perl script, we can't define setUpToStringTag() as a method and
> would have to pass an additional argument: `setUpToStringTag(vm, this,
> "CSSValueList"_s);`. It doesn't feel right to me (in terms of OOP) that a
> function merely manipulates its object parameter.

OK, but this seems like a straw man. Why can’t we create an abstract base class that’s derived from JSNonFinalObject instead of deriving directly from it?

> Furthermore, I believe it is important to use putDirectWithoutTransition()
> performance-wise, which does not seem like a good fit inside a helper
> function (I could not `grep` any usages) as it expects certain object state
> that we can't guarantee outside of finishCreation().

To me that just means we need an appropriately specific function name.

(In reply to Darin Adler from comment #11)
> Why can’t we create an abstract base class that’s derived from JSNonFinalObject instead of deriving directly from it?

With abstract base class, we can set correct `className` and define @@toStringTag without additional method:

  void JSPrototypeAbstract::finishCreation(VM& vm)
  {
      Base::finishCreation(vm);
      ASSERT(inherits(vm, info()));
      putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsNontrivialString(vm, info()->className), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
  }


> To me that just means we need an appropriately specific function name.

Alternatively, we can define JSObject::putToStringTagWithoutTransition(VM&), which will also expect correctly set `className`, and use it across Source/JSC (~30 call sites).
This helper will ensure not only correct descriptor attributes and usage of jsNontrivialString(), but also a consistent `className` value.

I think those are both good ideas. Thanks for considering some of these approaches that are a little heavier on code outside the code generator, and lighter on code inside it.

Created attachment 397855 [details]
Patch

Extract JSC_TO_STRING_TAG_WITHOUT_TRANSITION() macro.

Comment on attachment 397855 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=397855&action=review

Looks good.

> Source/JavaScriptCore/runtime/JSObject.h:1604
> +#define JSC_TO_STRING_TAG_WITHOUT_TRANSITION() \
> +    putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, \
> +        jsNontrivialString(vm, info()->className), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly)

Why is this a macro rather than a function? The other macros in this file have arguments, and so I see why they are not just functions, but this seems different.

(In reply to Darin Adler from comment #15)
> Why is this a macro rather than a function? The other macros in this file
> have arguments, and so I see why they are not just functions, but this seems
> different.

It is a macro so we could do `info()->className` without resorting to methodTable and dynamic dispatch. If it was a function, it would not perfectly fit in with other putDirect* methods signature-wise as well IMO.

(In reply to Alexey Shvayka from comment #16)
> It is a macro so we could do `info()->className`

Got it.

Created attachment 397879 [details]
Patch

Adjust expectations for class-string-interface.any.js WPT test.

Created attachment 398126 [details]
Patch

dom/nodes/Document-createEvent.html is obsolete, revert expectations change.

Comment on attachment 398126 [details]
Patch

stress/array-buffer-view-watchpoint-can-be-fired-in-really-add-in-dfg.js failure on ARMv7 looks unrelated: https://bugs.webkit.org/show_bug.cgi?id=210717

Committed r260992: <https://trac.webkit.org/changeset/260992>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 398126 [details].

<rdar://problem/62714506>

Committed r260995: <https://trac.webkit.org/changeset/260995>

Are there any places where we can remove code that used to implement strings like "[object Window]" that are now correctly inherited from the prototype?

(In reply to Darin Adler from comment #24)
> Are there any places where we can remove code that used to implement strings
> like "[object Window]" that are now correctly inherited from the prototype?

Not exactly remove, but rather simplify: strings like "[object Window]" for instances are implemented by JSObject::toStringName(), which returns `className`. Now that strings are inherited from prototypes, we can just return "Object" or "Function" from JSObject::toStringName(), making sure pre-ES6 classes redefine it as per steps 5-13 of https://tc39.es/ecma262/#sec-object.prototype.tostring.

Once we do this, remaining tests cases in wpt/WebIDL/ecmascript-binding/class-string-interface.any.js will be fixed, as well as few test262 failures. Please follow the progress at https://bugs.webkit.org/show_bug.cgi?id=199138.